Software development can teach us a lot about streamlining the research and development (R&D) process in other industries. “Agile development”, or the process of dividing up an R&D project into smaller, more iterative segments instead of planning the entire project at its inception, is a hallmark of the software development process. In a recently published article in Food and Beverage Insider entitled “The ‘Agile’ Path to Market: An Alternative Approach to Food Industry R&D”, Nigel Howard and Chase Brennick show how agile development can be valuable for R&D in many different contexts. The article focuses on the suitability of agile development for R&D within the food industry, but illustrates the benefits of an agile R&D process for industries that are subject to evolving consumer preferences and rapidly changing regulatory landscapes – characteristics that are also present for companies in the digital-health space. As described in the article, agile development could be a powerful tool to help digital health companies make their R&D more nimble and maintain greater oversight of the development process on a near-real-time basis.
On 3 July 2020, the German parliament passed a draft bill (German language) for patient data protection and for more digitalisation in the German healthcare system (Patientendaten-Schutz-Gesetz). The draft bill is currently in the legislative procedure and is expected to enter into force in autumn 2020.
One of the main objectives of the bill is to make everyday life easier for patients and healthcare professionals by increasing use of innovative digital applications, while protecting sensitive health data. It is assumed that increased digitalisation in the healthcare sector will open up opportunities at all levels of healthcare, both for patients and healthcare providers. As such, it is expected that digitalisation will help to take care of the growing number of chronically ill patients, to relieve the burden on specialists, to make better use of resources and to prepare the healthcare system for the challenges of the future.
A series of documents that so far has only been provided and used in hardcopy, such as certain prescriptions or patient files, will now be made available in digital form. In addition, a special app shall be made available to enable patients to redeem digital prescriptions in pharmacies. Alternatively, patients may present a 2D barcode on paper. In this case, the prescription will also be transmitted to the pharmacy in digital format. Further, the law aims to enable patient referrals from one doctor to medical specialists to be made in digital form (currently this is done in writing and requires the referral to be collected from the doctor’s office).
From 2021, statutory health insurance providers will be obliged to offer their insured persons electronic patient files (ePA). To ensure that this is effectively used, patients may request that their doctor include their medical records in their personal ePA. In addition, from 2022, the ePA will also be able to display other information that is currently only documented in hardcopy, for example, maternity logs, paediatric health records and vaccination cards. To incentivise doctors, they will be paid to use ePAs. Patients will ultimately have control over their ePAs and be able to decide which data is stored there and who will have access. For example, patients may specify that a doctor may have access to the ePA, but that certain findings are not displayed. The protection of the processed patient data is ensured by a gapless regulation of the chain of responsibilities.
From 2023 onwards, patients will have the option of voluntarily making the data in their ePAs available to researchers as part of a “data donation”. The donation could become an important element to increasing the availability of real-world evidence on new treatments and medicines. Informed consent will be required from each of the patients, and it will be possible for that consent to be given digitally. Patients will be free to choose the scope of their data donation and can limit access to certain information. The data that is released will be restricted to certain research purposes, like research on improving the quality of healthcare.
This new law will have a significant impact on the digitalisation of the entire German healthcare system. It will also create a better infrastructure for research with patient data and for collecting real-world-evidence for scientific and regulatory purposes.
Healthcare companies, providers and payors as well as technology and research companies should closely follow the next steps of this legislative development in Germany.
Public-health researchers, officials and medical professionals rely on data to track outbreaks, advance research, and evaluate prospective treatments. One critical source of patient data comes from electronic health records (EHRs). EHR data in the U.S. has traditionally been siloed within hospital IT systems, but the federal government and key healthcare stakeholders have recently ramped up efforts to implement greater EHR data-sharing capabilities and improve patient access to their own electronic health information. Though the potential public-health benefits of EHR interoperability are many, these stakeholders must carefully balance these benefits against their imperative to protect and maintain the privacy of patient health data.
Public-Health Benefits of Interoperability
Electronic exchange of de-identified EHR data has already yielded real-world public-health benefits. For example, effective sharing of patient data can play a major role in large-scale responses to pandemics such as COVID-19. A group of medical professionals published an article in the Journal of the American Medical Informatics Association illustrating the importance of cross-border data sharing in responding to pandemics. The authors note that EHR travel screening questionnaires can help identify patients who have recently visited areas where community spread is present. This travel data can be used to track the spread of the disease and evaluate the effectiveness of travel restrictions and other mitigation measures. Based on this data, public-health leaders can determine how to allocate resources such as masks and pop-up hospitals.
Researchers can also use large-scale patient data to evaluate the efficacy of potential treatments. A team of researchers at Columbia University analyzed 30 years of medical records (representing over six million patients) to determine the effectiveness of hydroxychloroquine as a treatment for patients hospitalized with COVID-19. Recognizing the utility of EHR data as a tool for pandemic research, several EHR vendors – including Epic and Cerner (through its HealtheDataLab) – are making aggregated patient data available to researchers in the search for treatments and vaccines for COVID-19.
For medical providers, data-sharing across sites enables more efficient patient care, which in turn helps manage patient loads. The U.K.’s National Health Service recently contracted for Cerner to supply its Millennium EHR system in the temporary Nightingale Hospital in London. Providers at Nightingale Hospital can access patient records and results from other sites due to data-sharing capabilities between the temporary hospital and other providers in the Barts Health NHS Trust, which already incorporates data from local and community care providers via Cerner’s Health Information Exchange. Providers at the pop-up hospital plan to use this data to “drive quicker discharge of recovered patients and maximi[z]e hospital capacity.”
Access to unified EHR datasets, when properly leveraged, can even help to triage patients. In Israel, Maccabi Healthcare Services – in a partnership with AI company Medial EarlySign – is using data gleaned from millions of Maccabi’s patient health records to predict which of its 2.4 million members are high-risk for severe COVID-19 complications, so those patients can be fast-tracked for testing. Maccabi is currently talking to U.S. entities about using the system to fast-track their own patients for testing.
Balancing The Public-Health Benefits Against Patient Privacy Considerations
Patient privacy should be top-of-mind when leveraging EHR data in pursuit of the aforementioned (or other) public-health benefits. Legal frameworks such as the Health Insurance Portability and Accountability Act (HIPAA) and the EU’s General Data Protection Regulation (GDPR) safeguard individuals’ rights with respect to the exchange of their protected health information (“PHI”) (which includes individually identifiable health information generated by certain covered entities). While privacy laws could have the effect of stemming the flow of EHR data-sharing, these laws are intended to strike a balance between individual rights and the public health: The U.S. Department of Health and Human Services (HHS) describes HIPAA as “balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes.” Thus, these privacy laws should not prevent use of EHR data for the public good if the proper measures are taken with respect to individual patients’ data.
To ensure such measures are in place, EHR interoperability stakeholders must consider a couple of key issues:
- De-Identifying Patient Data
Entities using and sharing EHR data may use proper de-identification or anonymization techniques to steer clear of privacy law violations. Different laws present different legal frameworks for proper protection of EHR data. In the U.S., HHS clarifies that HIPAA “does not restrict the use or disclosure of de-identified health information, as it is no longer considered protected health information.” De-identification refers to the process of removing personal identifiers that could be used to trace data back to the individual. This can include removal of names, geographic identifiers smaller than a state, telephone numbers and e-mail addresses, medical record numbers, and other types of potentially identifying data.
From a European perspective, Recital 26 of the GDPR states that “the principles of data protection should…not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.” Anonymization under the GDPR is a difficult standard to achieve: Data is not treated as anonymous under the GDPR unless both (1) the data is anonymized in such a way as to make identification of the subject impossible (or extremely impractical), even for the party responsible for anonymizing the data, and (2) the process is irreversible. However, the GDPR also includes the concept of “pseudonymization,” which may be useful in mitigating the legal risks posed by data-sharing. Article 4(5) of the GDPR defines pseudonymization as “the processing of personal data in such a manner that personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately.” Because pseudonymized data may be re-identifiable if the “additional information” is not properly separated from the de-identified data set, it poses a greater risk than anonymization. Nevertheless, if the proper technical and organizational measures are implemented to protect pseudonymized data, such data may be usable for public-health purposes: under some circumstances, Article 6(4)(e) of the GDPR permits the processing of pseudonymized data “for a purpose other than that for which the personal data [was] collected.”
When using patient data for public-health purposes, the data should be protected to the most secure extent that still allows the research, and the user and sharer of such data should query whether their strategy of de-identification, anonymization or pseudonymization (in conjunction with the data security measures discussed below) is sufficient to protect patient privacy.
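To make the distinction above concrete, the following added example (not code from the original post) strips the direct identifiers the text names (names, geography below state level, phone numbers, e-mail addresses, medical record numbers) from a constructed patient record, checks the result for residual identifiers in free text before release, and then builds a pseudonym from a keyed HMAC so that re-linking is only possible with the separately held key, which plays the role of the GDPR’s “additional information.” The record, the key and the field names are all assumed sample values.

```python
import hashlib
import hmac
import re
import secrets

# Direct identifiers named in the text. This is the subset the post lists,
# not a complete Safe Harbor identifier list; "state" is kept because only
# geography smaller than a state is removed.
DIRECT_IDENTIFIERS = ("name", "street", "city", "zip", "phone", "email", "mrn")

# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "mrn": "MRN-0001234",
    "name": "Jane Example",
    "street": "12 Sample Street",
    "city": "Springfield",
    "state": "MA",
    "zip": "01105",
    "phone": "+1 555 0100",
    "email": "jane@example.invalid",
    "diagnosis": "J12.82",
    "notes": "Patient Jane Example reached at jane@example.invalid; f/u call 555 0100.",
}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(\.[\w-]+)+")
PHONE_RE = re.compile(r"\+?\d[\d\s-]{6,}\d")


def scrub_free_text(text, names):
    """Identifiers leak through narrative fields, so clinical notes are scrubbed
    for the names on the record and for e-mail/phone patterns."""
    for name in names:
        text = text.replace(name, "[NAME]")
    text = EMAIL_RE.sub("[EMAIL]", text)
    text = PHONE_RE.sub("[PHONE]", text)
    return text


def deidentify(record):
    """Return a copy of the record with the listed direct identifiers dropped
    and the free-text notes scrubbed. The original record is not modified."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    if "notes" in out:
        out["notes"] = scrub_free_text(out["notes"], [record.get("name", "")])
    return out


def residual_identifiers(record):
    """Pre-release check: list (field, kind) pairs where an e-mail address or
    phone-like number is still present in any string value."""
    found = []
    for field, value in record.items():
        if not isinstance(value, str):
            continue
        if EMAIL_RE.search(value):
            found.append((field, "email"))
        if PHONE_RE.search(value):
            found.append((field, "phone"))
    return found


def pseudonymize(record, key):
    """De-identify, then add a keyed token derived from the MRN (HMAC-SHA256).
    The token is stable for a given key, so records for the same patient can
    be linked within the dataset, but it cannot be reversed without the key.
    The key must be stored separately from the released dataset."""
    out = deidentify(record)
    out["pseudonym"] = hmac.new(key, record["mrn"].encode(), hashlib.sha256).hexdigest()
    return out


def relink(pseudonymized, key, mrn_index):
    """Re-identification requires both the key and an index of candidate MRNs
    (the 'additional information'); with a wrong key nothing matches."""
    for mrn in mrn_index:
        token = hmac.new(key, mrn.encode(), hashlib.sha256).hexdigest()
        if hmac.compare_digest(token, pseudonymized["pseudonym"]):
            return mrn
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # would live in a separate key store
    released = pseudonymize(SAMPLE_RECORD, key)
    print(released)
    print("residual identifiers:", residual_identifiers(released))
    print("relinked with key:", relink(released, key, [SAMPLE_RECORD["mrn"]]))
```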
- Data Security
Securing patient data is critical. Although patient data is less likely to be subject to HIPAA or the GDPR if it is de-identified and/or aggregated, even de-identified and aggregated data should be secured to mitigate the risk that the data could be traced back to individual patients in the event of a security breach. The steps to properly secure EHR data can be largely broken into three categories: (1) physical safeguards (e.g., locks on servers and laptops), (2) administrative safeguards (e.g., designing comprehensive security plans, conducting security training), and (3) technical safeguards (e.g., firewalls, two-factor authentication). When storing and sharing EHR data, some combination of all three categories of safeguards is likely needed to ensure proper data security.
Although obstacles remain in the push to implement EHR interoperability, the public-health benefits of effective patient data-sharing are undeniable. Aggregated patient data can enable nimbler pandemic responses, streamline the research process, and help hospitals provide more efficient and effective treatment. With the pandemic driving stakeholders across the healthcare industry to make patient data more accessible, large-scale aggregated EHR data may someday be widely available to benefit public health efforts. At the same time, the use and sharing of such data presents real questions of privacy, and safeguards will need to be put in place to protect and secure patient data. As we move toward a world with more readily accessible healthcare data, it will be important to maintain a balance that maximizes the public-health benefits of such data while also upholding the privacy rights of individuals.
In recognition of this balance, and in light of the acute public-health needs presented by the COVID-19 pandemic, HHS announced that it would relax HIPAA enforcement against certain covered entities that chose to participate in Community-Based Testing Sites during the pandemic.
On July 13, 2020, the U.S. Department of Health and Human Services, Substance Abuse and Mental Health Services Administration (SAMHSA) issued a final rule revising the Confidentiality of Substance Use Disorder Patient Records regulations located at 42 C.F.R. Part 2, commonly referred to as “Part 2.” Under Part 2, federally assisted substance use disorder (SUD) treatment programs are prohibited from disclosing patient identifying information without the individual’s written consent except in a few limited circumstances. According to SAMHSA, the “emergence of the opioid crisis, with its catastrophic impact” has underscored “the need for thoughtful updates to [Part 2].” The final rule also “takes important first steps toward the greater flexibility for information sharing envisioned by Congress in its passage of § 3221 of the [Coronavirus Aid, Relief, and Economic Security (CARES)] Act,” discussed in more detail below.
The Part 2 regulations were originally promulgated in 1975 to ensure the confidentiality of SUD treatment records, prior to the enactment of broader health privacy laws and regulations, such as the regulations promulgated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Part 2 restrictions are generally more stringent than the HIPAA restrictions, since HIPAA allows the disclosure of protected health information for certain purposes without an individual’s authorization. SAMHSA’s final rule revises the Part 2 regulations in an effort to more closely align the privacy requirements of Part 2 and HIPAA, as well as to better address the needs of individuals with SUD and facilitate coordinated care.
The final rule does not change Part 2’s general framework for protecting the confidentiality of SUD patient records. Disclosure of SUD treatment records is still prohibited without patient consent, except in a few limited circumstances (e.g., medical emergencies). In addition, law enforcement officials are still prohibited from using SUD patient records in a criminal prosecution brought against the patient, unless they obtain a court order.
The final rule does revise certain aspects of the Part 2 regulations:
- Applicability: The final rule clarifies applicability to certain non-Part 2 providers (i.e., providers of treatments that are not regulated as programs under Part 2). Pursuant to the final rule, records created by a non-Part 2 provider containing information about a SUD—based on such provider’s own patient encounters—are not subject to the Part 2 restrictions, as long as the non-Part 2 provider segregates any specific SUD records received from a Part 2 program. In addition, the definition of “Records” is modified to create an exception for information conveyed orally by a Part 2 program to a non-Part 2 provider for treatment purposes with patient consent. Under the revised definition, such information does not become subject to Part 2 restrictions just because it is reduced to writing by the non-Part 2 provider.
- Consent Requirements: The final rule revises the consent requirements to permit patients to consent to the disclosure of their information to any entity (e.g., the Social Security Administration) without requiring that the consent identify a specific individual to receive the information on behalf of the entity. The final rule also includes special instructions for consents relating to disclosures to information exchanges and research institutions, as well as additional guidance for consents relating to disclosures for the purpose of case management and care coordination.
- Re-Disclosure: The final rule changes the notice language required to accompany disclosures to clarify that non-Part 2 providers are not required to redact SUD information contained in a non-Part 2 record, and to allow for re-disclosure with express written consent or as otherwise permitted by the regulations.
- Disclosure Permitted with Written Consent: The final rule expressly permits disclosures for purposes of “payment and health care operations” with the patient’s written consent, and provides an illustrative list of 18 activities that are considered payment and health care operations, such as “patient safety activities,” “activities relating to addressing fraud, waste and/or abuse,” and “care coordination and/or case management services in support of payment or health care operations.”
- Disclosure to Central Registries and PDMPs: The final rule amends the disclosure requirements to (A) allow non-opioid treatment providers to access central registries, in order to determine whether a patient is already receiving opioid treatment; and (B) allow opioid treatment providers to disclose dispensing and prescribing data, as required by applicable state laws, to prescription drug monitoring programs (PDMPs), subject to patient consent.
- Medical Emergencies: The final rule expands a “bona fide medical emergency” to include situations where normal operation of a Part 2 program is suspended, and the program is unable to obtain the required written consent due to a state of emergency declared by the state or federal authority as the result of a natural or major disaster. Disclosures without consent are permitted until the Part 2 program is able to resume operations.
- Research: The final rule amends the research exception to permit disclosures by a HIPAA covered entity or business associate, without patient consent, to individuals or organizations who are not HIPAA covered entities or subject to the Common Rule, for the purpose of conducting scientific research, provided the disclosures are made in accordance with the HIPAA requirements at 45 C.F.R. § 164.512(i).
- Audit and Evaluation: The final rule clarifies the specific situations that fall within the scope of permissible disclosures for audits and/or evaluations by federal, state, and local government agencies and third-party payers.
- Undercover Agents and Informants: The final rule amends the period of time for court-ordered placement of an undercover agent or informant in a Part 2 program from 6 months to 12 months, and clarifies that the time period begins when the agent/informant is placed in the Part 2 program.
In addition, the final rule provides guidance for Part 2 program employees, volunteers, and trainees regarding the receipt of incidental communications from SUD patients on personal devices. SAMHSA recognizes that patients may reach out to employees through personal devices or email accounts that are not used in the regular course of business. The guidance clarifies that such personal devices/accounts do not become part of the Part 2 record or subject to Part 2’s sanitization standards. Instead, the employees (or volunteers or trainees) should immediately delete the communication from their personal device/account and respond to the patient only through an authorized channel provided by the Part 2 program, unless responding from the personal device/account is in the best interest of the patient. If the communication contains patient identifying information, it should be forwarded to such authorized channel and then deleted.
Finally, SAMHSA notes that Section 3221 of the CARES Act amended several provisions of the Part 2 authorizing statute, including the requirements for consent, restrictions for the use of records in legal proceedings, and penalties for violations of the statute under sections 42 U.S.C. 290dd–2(b), (c) and (f), respectively. The amended provisions allow greater flexibility for the sharing of SUD records, but the provisions do not go into effect until March 27, 2021. Therefore, SAMHSA has stated that it intends the standards in this month’s final rule to “serve as interim and transitional standards,” until SAMHSA is able to engage in future rulemaking to implement the new changes enacted by the CARES Act.
On June 4, 2020, Representatives Anna Eshoo (D-CA-18), Anthony Gonzalez (R-OH-16), and Mikie Sherrill (D-NJ-11) introduced the National AI Research Resource Task Force Act. This bipartisan bill would create a task force to propose a roadmap for developing and sustaining a national research cloud for AI. The cloud would help provide researchers with access to computational resources and large-scale datasets to foster the growth of AI.
“AI is shaping our lives in so many ways, but the true potential of it to improve society is still being discovered by researchers,” explained Rep. Eshoo. “I’m proud to introduce legislation that reimagines how AI research will be conducted by pooling data, compute power, and educational resources for researchers around our country. This legislation ensures that our country will retain our global lead in AI.”
The sponsors of the bill cited the recommendations from the National Security Commission on AI submitted to Congress in March 2020 as one of the original motivations for the bill. The Commission described China’s increasing investment in global AI research and development and recommended that Congress launch a “National AI Research Resource infrastructure.”
The bill directs that the task force be composed of equal representation from academia, government, and industry. The roadmap would specify how the U.S. should build, deploy, administer, and sustain the research cloud. There is particular focus on proper infrastructure for the portal, including security requirements and capabilities to facilitate access to computing resources for researchers across the country. The bill also directs the task force to consult with key organizations like the National Science Foundation and the National Institute of Standards and Technology.
Notably, the bill has garnered support from leading technology companies and research universities that work on AI-related issues across all sectors, including healthcare. Senators Rob Portman (R-OH) and Martin Heinrich (D-NM) have also introduced a companion bill—National Cloud Computing Task Force Act (S. 3890)—in the Senate.
To learn more about AI, please access our AI Toolkit.
Senators Maria Cantwell (D-WA) and Bill Cassidy (R-LA) introduced bipartisan legislation this week to address privacy issues in the COVID-19 era. The proposal, entitled the “Exposure Notification Privacy Act,” would regulate “automated exposure notification services” developed to respond to COVID-19. This bipartisan legislation comes on the heels of dueling privacy proposals from both political parties. We previously analyzed the Republican “COVID-19 Consumer Data Protection Act” proposal introduced by Senate Commerce Chairman Roger Wicker (R-MS) on this blog and the Democratic “Public Health Emergency Privacy Act” proposal on this blog.
Below are descriptions of the notable provisions in the Exposure Notification Privacy Act:
- In contrast to the Wicker proposal and the proposal introduced by House and Senate Democrats, both of which would cover symptom tracking and other apps, this new bipartisan proposal would be narrower by only regulating operators of so-called “automated exposure notification services.” This is defined as any website or mobile application designed for use or marketing to digitally notify “an individual who may have become exposed to an infectious disease.” Operators can be both for-profit and non-profit entities.
- However, the definition of covered personal data is broader than some earlier proposals that only covered certain categories of health and location data. The new proposal covers all data linked or reasonably linkable to any individual or device that is “collected, processed, or transferred in connection with an automated exposure notification service.” This definition is broader than the Republican proposal, which defined covered data to include health information, geolocation data, and proximity data. It is also broader than the Democratic proposal, which included the same data elements as the Republican proposal while also covering certain medical testing data and contact information.
- Under the bipartisan bill, operators may not enroll individuals in automated exposure notification services without their affirmative express consent, which is the same as both the Democratic and Republican proposals.
- However, the new proposal could curtail the ability of technologies to collect, process, or share an actual, potential or presumptive positive diagnosis of an infectious disease except when such diagnosis is confirmed by a public health authority or a licensed health provider.
- The proposal requires operators to “collaborate with a public health authority in the operation” of their notification service.
- The bill includes certain transfer restrictions. Covered data may only be transferred for certain enumerated purposes, such as to notify enrolled individuals of potential exposure to an infectious disease, or to public health authorities or contracted service providers.
- The bill obligates operators to delete all covered data upon request of the individual, as well as within 30 days of the receipt of such data, on either a rolling basis or “at such times as is consistent with a standard published by a public health authority within an application jurisdiction.” Such deletion requirements do not apply to data retention for public health research purposes.
- The bill distinguishes between operators and service providers, and only a subset of obligations—such as data deletion requirements—apply to service providers. Service providers with “actual knowledge” that an operator has failed to adhere to certain standards required under the proposal would be obligated to notify the operator of the potential violation.
- Similar to the Democratic proposal, this bill makes it unlawful for “any person or entity” to discriminate on the basis of “covered data collected or processed through an automated exposure notification service” or their choice “to use or not use” such a service.
- While the Democratic and Republican proposals imposed public reporting obligations on covered entities, this bipartisan proposal would require such an obligation on the federal Privacy and Civil Liberties Oversight Board. Under the proposal, the Board would be required to issue a report within one year after enactment that assesses “the impact on privacy and civil liberties of Government activities in response to the public health emergency related to” COVID-19 and makes recommendations for the future.
As with both the Republican and Democratic proposals, the Exposure Notification Privacy Act enforcement provisions name both the Federal Trade Commission and state Attorneys General. Notably, the Act preserves the right for individuals to bring claims arising under various state laws, including consumer protection laws, health privacy or infectious diseases laws, civil rights laws, state privacy and data breach notification laws, and under contract or tort law.
On May 28, the White House Office of Science and Technology Policy (OSTP) hosted a meeting of the G7 Science & Technology (S&T) Ministers to collaborate on COVID-19 response and recovery. The G7 S&T Ministers emerged from the meeting with a declaration, in which they expressed their intent to:
- Enhance cooperation on shared COVID-19 research priority areas, including public health and clinical studies;
- Make government-sponsored COVID-19 epidemiological and related research data accessible to the public in machine-readable formats;
- Strengthen the use of high-performance computing for COVID-19 response;
- Exchange best practices to advance broadband connectivity; and
- Advance the Global Partnership on Artificial Intelligence (GPAI).
With this declaration, the U.S. became the last G7 nation to join the GPAI. The concept for the GPAI, which was developed under the 2018 and 2019 G7 Presidencies of Canada and France, centers on the development of a permanent forum – one that includes stakeholders from the public and private sectors as well as academia – to shape global policy on AI. U.S. Chief Technology Officer Michael Kratsios recently wrote an op-ed in the Wall Street Journal about the GPAI, in which he outlined the plan for G7 leaders to collaborate to “shape the evolution of AI in a way that respects fundamental rights and upholds our shared values.” At the outset, the GPAI will focus on leveraging AI to combat COVID-19, including through expediting drug discovery, improving diagnosis and assisting with telemedicine.
The White House also announced that two members – U.K. Research and Innovation and the Swiss National Computing Centre – have joined the COVID-19 High Performance Computing Consortium. The Consortium is a public-private collaboration spearheaded by the White House OSTP and the U.S. Department of Energy, and is designed to help researchers leverage a range of computing resources (including the world’s most powerful supercomputers) to accelerate scientific research and discovery and stop COVID-19. The Consortium will also begin a new data-sharing initiative with the Partnership for Advanced Computing in Europe for the purpose of accelerating global research.
The White House’s efforts to explore the potential of supercomputing come on the heels of the newly introduced Advancing Quantum Computing Act (AQCA), proposed by Representative Morgan Griffith (R-VA-9) on May 19. James Yoon and Lee Tiedrich discuss the AQCA, which would require the Secretary of Commerce to conduct a study on quantum computing, in a post on Covington’s Inside Tech Media blog.
For more information about AI, please see our “AI Toolkit.”
Artificial Intelligence (AI) has played an important role in battling COVID-19 since the initial outbreak: HealthMap – an AI tool from Boston Children’s Hospital that scans news reports, social media, and other data for signs of disease outbreaks – first sounded the international alarm after picking up reports of an emerging virus in Wuhan, China. As the virus evolved into a global pandemic, scientists, researchers, and medical professionals have increasingly integrated AI into their efforts to combat the disease.
The following are just a few examples of recent AI developments and AI’s role in the fight against COVID-19.
AI as a Partner in COVID-19 Testing Efforts
AI can draw on population-level data to assess an individual patient’s symptoms: A group of researchers from King’s College London, Massachusetts General Hospital, and health science company ZOE developed an AI tool that compares a patient’s symptoms against crowd-sourced symptom data from the COVID Symptom Study app to predict whether that patient is likely to have COVID-19. This tool is set to enter clinical trials in the U.S. and U.K., and the researchers believe that it may be particularly useful for populations with limited access to testing.
AI also is being used to analyze medical imaging and differentiate between diagnoses with symptoms similar to those of COVID-19. Researchers from the University of Chicago and Argonne National Laboratory, relying on a grant from the new c3.ai Digital Transformation Institute, are developing an AI tool to analyze chest X-rays and thoracic CT scans in order to spot the disease and differentiate between its various stages. UCSD Professor Albert Hsiao has applied his own AI approach to chest X-rays from patients in a research study enabled by a cloud services provider. In China, radiologists are working on a learning model that can distinguish between COVID-19 and community-acquired pneumonia based on chest CT scans.
AI to Identify High-Risk Patients
As hospital systems face an influx of COVID-19 patients, major players in the healthcare industry are turning more and more to AI tools to assist with patient management. Of course, providers already use AI to offer clinical decision support: for example, in 2017, electronic health record vendor Epic released a “Deterioration Index” predictive model to identify patients whose condition is likely to deteriorate. With the onset of COVID-19, Stanford University Professor Ron Li and his team have begun to test the Deterioration Index for triage of COVID-19 patients.
On the payer side, Israel’s Maccabi Healthcare Services partnered with AI company Medial EarlySign to identify which of its 2.4 million members were high risk for severe COVID-19 complications so those patients could be fast-tracked for testing. The organization says it is currently talking to U.S. entities about using the system to fast-track their own patients.
AI as a Research Assistant
AI also can serve as a critical tool in the search for reliable treatments for COVID-19. A research team at Northwestern University developed a machine-learning model that allows researchers to bypass conventional prediction markets and more quickly identify, and dedicate resources to, the most promising research studies for COVID-19 treatments and vaccines.
Researchers also are using AI to scour molecular modelling data and EHR data to evaluate whether existing drugs may be repurposed as treatments for COVID-19. AI already has identified at least one prospect. Specifically, BenevolentAI, a London startup, used AI to identify the rheumatoid arthritis drug baricitinib as a possible treatment for severe symptoms of COVID-19. Based on this research, a major pharmaceutical company announced that it will conduct a large-scale clinical trial of the drug as a treatment for COVID-19, in collaboration with the U.S. National Institute of Allergy and Infectious Diseases.
Creating Trustworthy AI
AI development, which was already a high-activity sector pre-COVID-19, has ramped up further in the effort to battle the virus. At the same time, stakeholders have continued to focus on AI trustworthiness. Lee Tiedrich and Lala R. Qadir share “10 Steps to Creating Trustworthy AI Applications” in an article for Law360.
The following guidance could be relevant to manufacturers of software as a medical device (SaMD). The recently-enacted Coronavirus Aid, Relief, and Economic Security Act (CARES Act) added new section 506J to the Federal Food, Drug, and Cosmetic Act (FDCA). This section requires manufacturers of certain devices to notify FDA of an interruption or permanent discontinuance in manufacturing during, or in advance of, a declared public health emergency. On May 6, FDA’s Center for Devices and Radiological Health (CDRH) issued a direct-to-final guidance document addressing: (1) who must notify CDRH, (2) devices for which CDRH requires notification, (3) when to notify CDRH, (4) what information to include in the notification, and (5) how to notify CDRH. This guidance is intended to remain in effect only for the duration of the COVID-19 public health emergency.
On May 8, 2020, the Federal Trade Commission (“FTC”) issued a notice soliciting public comment regarding whether changes should be made to its Health Breach Notification Rule (the “Rule”). The request for comment is part of a periodic review process “to ensure that [FTC rules] are keeping pace with changes in the economy, technology, and business models.”
The Rule, which first went into effect in 2009, applies only to vendors of personal health records (“PHRs”) and PHR-related entities that are not subject to the Health Insurance Portability and Accountability Act (“HIPAA”). A PHR is an electronic record of individually identifiable health information “that can be drawn from multiple sources and is managed, shared, and controlled by or primarily for the individual.” See 16 C.F.R. § 318.2(d). Under the Rule, a PHR vendor or PHR-related entity that discovers a breach of unsecured PHR identifiable health information must notify each affected individual without unreasonable delay and no later than 60 calendar days after discovery. It must also notify the FTC: if the breach involves 500 or more individuals, as soon as possible and no later than 10 business days after discovery; if fewer than 500, in an annual log submitted within 60 days after the end of the calendar year. Where 500 or more residents of a single state are affected, the Rule additionally requires notice to prominent media outlets serving that state.
Over the past decade, the FTC has not brought an enforcement action under the Rule and has only received two notifications of data breaches involving more than 500 individuals. According to the FTC’s notice, this lack of enforcement is due to the fact that PHR vendors and related entities are often HIPAA-covered entities or business associates, and therefore subject to HIPAA’s Breach Notification Rule. However, more entities may fall within the scope of the FTC’s Rule as the PHR market expands to include more direct-to-consumer technologies and services, such as mobile health applications, platform health tools, and virtual assistants.
The FTC’s review includes standard questions about the benefits and effectiveness of the Rule and whether it should be maintained, revised, or eliminated. In addition, the FTC is soliciting comments regarding:
- whether there has been under-notification, over-notification, or an appropriate level of notification as a result of the Rule;
- whether the Rule’s definitions should be updated to account for legal, economic, or technological changes;
- whether the Rule’s timing requirements and reporting methods are sufficient;
- the possible enforcement implications related to direct-to-consumer services and technologies; and
- if and how the Rule should consider COVID-19-related developments in health care products or services.
The FTC will be accepting comments for a period of 90 days after the notice is published in the Federal Register.