Bipartisan Bill Introduced in Senate Would Regulate COVID-19 Apps

Senators Maria Cantwell (D-WA) and Bill Cassidy (R-LA) introduced bipartisan legislation this week to address privacy issues in the COVID-19 era.  The proposal, entitled the “Exposure Notification Privacy Act,” would regulate “automated exposure notification services” developed to respond to COVID-19.  This bipartisan legislation comes on the heels of dueling privacy proposals from both political parties.  We previously analyzed the Republican “COVID-19 Consumer Data Protection Act” proposal introduced by Senate Commerce Chairman Roger Wicker (R-MS) on this blog and the Democratic “Public Health Emergency Privacy Act” proposal on this blog.

Below are descriptions of the notable provisions in the Exposure Notification Privacy Act:

  • In contrast to the Wicker proposal and the proposal introduced by House and Senate Democrats, both of which would cover symptom tracking and other apps, this new bipartisan proposal would be narrower by only regulating operators of so-called “automated exposure notification services.”  This is defined as any website or mobile application designed for use or marketing to digitally notify “an individual who may have become exposed to an infectious disease.”  Operators can be both for-profit and non-profit entities.
  • However, the definition of covered personal data is broader than some earlier proposals that only covered certain categories of health and location data. The new proposal covers all data linked or reasonably linkable to any individual or device that is “collected, processed, or transferred in connection with an automated exposure notification service.”  This definition is broader than the Republican proposal, which defined covered data to include health information, geolocation data, and proximity data.  It is also broader than the Democratic proposal, which included the same data elements as the Republican proposal while also covering certain medical testing data and contact information.
  • Like the Democratic and Republican proposals, many of the bipartisan proposal’s key requirements are consistent with existing federal or state privacy requirements or norms, including obligations to post a clear and conspicuous privacy policy and to maintain reasonable data security policies and practices.  It also requires data minimization.
  • Under the bipartisan bill, operators may not enroll individuals in automated exposure notification services without their affirmative express consent, which is the same as both the Democratic and Republican proposals.
  • However, the new proposal could curtail the ability of technologies to collect, process, or share an actual, potential or presumptive positive diagnosis of an infectious disease except when such diagnosis is confirmed by a public health authority or a licensed health provider.
  • The proposal requires operators to “collaborate with a public health authority in the operation” of their notification service.
  • The bill includes certain transfer restrictions.  Covered data may only be transferred for certain enumerated purposes, such as to notify enrolled individuals of potential exposure to an infectious disease, or to public health authorities or contracted service providers.
  • The bill obligates operators to delete all covered data upon request of the individual, as well as within 30 days of the receipt of such data, on either a rolling basis or “at such times as is consistent with a standard published by a public health authority within an application jurisdiction.”  Such deletion requirements do not apply to data retention for public health research purposes.
  • The bill distinguishes between operators and service providers, and only a subset of obligations—such as data deletion requirements—apply to service providers.  Service providers with “actual knowledge” that an operator has failed to adhere to certain standards required under the proposal would be obligated to notify the operator of the potential violation.
  • Similar to the Democratic proposal, this bill makes it unlawful for “any person or entity” to discriminate on the basis of “covered data collected or processed through an automated exposure notification service” or their choice “to use or not use” such a service.
  • While the Democratic and Republican proposals imposed public reporting obligations on covered entities, this bipartisan proposal would impose such an obligation on the federal Privacy and Civil Liberties Oversight Board.  Under the proposal, the Board would be required to issue a report within one year after enactment that assesses “the impact on privacy and civil liberties of Government activities in response to the public health emergency related to” COVID-19 and makes recommendations for the future.

As with both the Republican and Democratic proposals, the Exposure Notification Privacy Act enforcement provisions name both the Federal Trade Commission and state Attorneys General.  Notably, the Act preserves the right for individuals to bring claims arising under various state laws, including consumer protection laws, health privacy or infectious diseases laws, civil rights laws, state privacy and data breach notification laws, and under contract or tort law.

White House Hosts G7 Science and Technology Ministerial on COVID-19

On May 28, the White House Office of Science and Technology Policy (OSTP) hosted a meeting of the G7 Science & Technology (S&T) Ministers to collaborate on COVID-19 response and recovery.  The G7 S&T Ministers emerged from the meeting with a declaration, in which they expressed their intent to:

  • Enhance cooperation on shared COVID-19 research priority areas, including public health and clinical studies;
  • Make government-sponsored COVID-19 epidemiological and related research data accessible to the public in machine-readable formats;
  • Strengthen the use of high-performance computing for COVID-19 response;
  • Exchange best practices to advance broadband connectivity; and
  • Advance the Global Partnership on Artificial Intelligence (GPAI).

With this declaration, the U.S. became the last G7 nation to join the GPAI.  The concept for the GPAI, which was developed under the 2018 and 2019 G7 Presidencies of Canada and France, centers on the development of a permanent forum – one that includes stakeholders from the public and private sectors as well as academia – to shape global policy on AI.  U.S. Chief Technology Officer Michael Kratsios recently wrote an op-ed in the Wall Street Journal about the GPAI, in which he outlined the plan for G7 leaders to collaborate to “shape the evolution of AI in a way that respects fundamental rights and upholds our shared values.”  At the outset, the GPAI will focus on leveraging AI to combat COVID-19, including through expediting drug discovery, improving diagnosis and assisting with telemedicine.

The White House also announced that two members – U.K. Research and Innovation and the Swiss National Computing Centre – have joined the COVID-19 High Performance Computing Consortium.  The Consortium is a public-private collaboration spearheaded by the White House OSTP and the U.S. Department of Energy, and is designed to help researchers leverage a range of computing resources (including the world’s most powerful supercomputers) to accelerate scientific research and discovery and stop COVID-19.  The Consortium will also begin a new data-sharing initiative with the Partnership for Advanced Computing in Europe for the purpose of accelerating global research.

The White House’s efforts to explore the potential of supercomputing come on the heels of the newly introduced Advancing Quantum Computing Act (AQCA), proposed by Representative Morgan Griffith (R-VA-9) on May 19.  James Yoon and Lee Tiedrich discuss the AQCA, which would require the Secretary of Commerce to conduct a study on quantum computing, in a post on Covington’s Inside Tech Media blog.

For more information about AI, please see our “AI Toolkit.”

Recent AI Developments in the Fight Against COVID-19

Artificial Intelligence (AI) has played an important role in battling COVID-19 since the initial outbreak: HealthMap – an AI tool from Boston Children’s Hospital that scans news reports, social media, and other data for signs of disease outbreaks – first sounded the international alarm after picking up reports of an emerging virus in Wuhan, China. As the virus evolved into a global pandemic, scientists, researchers, and medical professionals have increasingly integrated AI into their efforts to combat the disease.

The following are just a few examples of recent AI developments and AI’s role in the fight against COVID-19.

AI as a Partner in COVID-19 Testing Efforts

AI might help assess patients’ symptoms by leveraging population data:  A group of researchers from King’s College London, Massachusetts General Hospital, and health science company ZOE developed an AI tool that compares a patient’s symptoms against crowd-sourced symptom data from the COVID Symptom Study app to predict whether that patient is likely to have COVID-19.  This tool is set to enter clinical trials in the U.S. and U.K., and the researchers believe that this AI tool may be particularly useful for populations with limited access to testing.

AI also is being used to analyze medical imaging and differentiate between diagnoses with symptoms similar to those of COVID-19.  Researchers from the University of Chicago and Argonne National Laboratory, relying on a grant from the new Digital Transformation Institute, are developing an AI tool to analyze chest X-rays and thoracic CT scans in order to spot the disease and differentiate between its various stages.  UCSD Professor Albert Hsiao has applied his own AI approach to chest X-rays from patients in a research study enabled by a cloud services provider.  In China, radiologists are working on a learning model that can distinguish between COVID-19 and community-acquired pneumonia based on chest CT scans.

AI to Identify High-Risk Patients

As hospital systems face an influx of COVID-19 patients, major players in the healthcare industry are turning more and more to AI tools to assist with patient management.  Of course, providers already use AI to offer clinical decision support: for example, in 2017, electronic health record vendor Epic released a “Deterioration Index” predictive model to identify patients whose condition is likely to deteriorate.  With the onset of COVID-19, Stanford University Professor Ron Li and his team have begun to test the Deterioration Index for triage of COVID-19 patients.

On the payer side, Israel’s Maccabi Healthcare Services partnered with AI company Medial EarlySign to identify which of its 2.4 million members were at high risk for severe COVID-19 complications so those patients could be fast-tracked for testing.  The organization says it is currently talking to U.S. entities about using the system to fast-track their own patients.

AI as a Research Assistant

AI also can serve as a critical tool in the search for reliable treatments for COVID-19.  A research team at Northwestern University developed a machine model that allows researchers to bypass conventional prediction markets and more quickly identify and dedicate resources to the most promising research studies for treatments and vaccines for COVID-19.

Researchers also are using AI to scour molecular modelling data and EHR data to evaluate whether existing drugs may be repurposed as treatments for COVID-19.  AI already has identified at least one prospect.  Specifically, BenevolentAI, a London startup, used AI to identify the rheumatoid arthritis drug baricitinib as a possible treatment for severe symptoms of COVID-19.  Based on this research, a major pharmaceutical company announced that it will conduct a large-scale clinical trial of the drug as a treatment for COVID-19, in collaboration with the U.S. National Institute of Allergy and Infectious Diseases.

Creating Trustworthy AI

AI development, which was already a high-activity sector pre-COVID-19, has ramped up further in the effort to battle the virus.  At the same time, stakeholders have continued to focus on AI trustworthiness.  Lee Tiedrich and Lala R. Qadir share “10 Steps to Creating Trustworthy AI Applications” in an article for Law360.

Client Alert: FDA Issues Temporary Guidance on New CARES Act Provision Requiring Certain Device Notifications to CDRH

The following guidance could be relevant to manufacturers of software as a medical device (SaMD).  The recently enacted Coronavirus Aid, Relief, and Economic Security Act (CARES Act) added new section 506J to the Federal Food, Drug, and Cosmetic Act (FDCA). This section requires manufacturers of certain devices to notify FDA of an interruption or permanent discontinuance in manufacturing during, or in advance of, a declared public health emergency. On May 6, FDA’s Center for Devices and Radiological Health (CDRH) issued a direct-to-final guidance document addressing: (1) who must notify CDRH, (2) devices for which CDRH requires notification, (3) when to notify CDRH, (4) what information to include in the notification, and (5) how to notify CDRH. This guidance is intended to remain in effect only for the duration of the COVID-19 public health emergency.

FTC to Consider Changes to the Health Breach Notification Rule

On May 8, 2020, the Federal Trade Commission (“FTC”) issued a notice soliciting public comment regarding whether changes should be made to its Health Breach Notification Rule (the “Rule”).  The request for comment is part of a periodic review process “to ensure that [FTC rules] are keeping pace with changes in the economy, technology, and business models.”

The Rule, which first went into effect in 2009, applies only to vendors of personal health records (“PHRs”) and other related entities that are not subject to the Health Insurance Portability and Accountability Act (“HIPAA”).  A PHR is an electronic record of individually identifiable health information “that can be drawn from multiple sources and is managed, shared, and controlled by or primarily for the individual.”  See 16 C.F.R. § 318.2(d).  Under the Rule, PHR vendors and related entities must notify individuals, the FTC, and possibly the media within 60 days after discovering a breach of unsecured personally identifiable health information, or within 10 days if more than 500 individuals are affected by the breach.

Over the past decade, the FTC has not brought an enforcement action under the Rule and has only received two notifications of data breaches involving more than 500 individuals.  According to the FTC’s notice, this lack of enforcement is due to the fact that PHR vendors and related entities are often HIPAA-covered entities or business associates, and therefore subject to HIPAA’s Breach Notification Rule.  However, more entities may fall within the scope of the FTC’s Rule as the PHR market expands to include more direct-to-consumer technologies and services, such as mobile health applications, platform health tools, and virtual assistants.

The FTC’s review includes standard questions about the benefits and effectiveness of the Rule and whether it should be maintained, revised, or eliminated.  In addition, the FTC is soliciting comments regarding:

  • whether there has been under-notification, over-notification, or an appropriate level of notification as a result of the Rule;
  • whether the Rule’s definitions should be updated to account for legal, economic, or technological changes;
  • whether the Rule’s timing requirements and reporting methods are sufficient;
  • the possible enforcement implications related to direct-to-consumer services and technologies; and
  • if and how the Rule should consider COVID-19-related developments in health care products or services.

The FTC will be accepting comments for a period of 90 days after the notice is published in the Federal Register.

NHSX Publishes “Buyer’s Checklist” for AI Solutions

NHSX recently published “A Buyer’s Checklist for AI in Health and Care” (Guidance) that sets out 10 key questions that will be of use to parties deploying AI solutions or conducting data-driven projects (in a health and care setting or otherwise).  For example, the Guidance highlights:

  • key data-related considerations, such as whether the outcome of AI solutions trained on a given dataset can be validated against other data, how to account for bias in training data, and how to reflect the value of data as an input to an AI product in commercial terms; and
  • the importance of assessing regulatory considerations at the outset of a digital health project, such as the potential need for a research ethics committee approval, a CE mark (if a medical device is to be used in the project), and a data protection impact assessment.

The Guidance’s 10 questions are:

  1. Is AI the right solution for the type of problem you need to solve?
  2. Can this technology be procured through a transparent, fair, competitive process?
  3. Can this product do what it claims it can?
  4. Are the users of this product primed to use it?
  5. Does this product meet regulatory standards?
  6. What information sharing and data protection protocols would need to be in place to comply with your information governance policy?
  7. What agreements should you put in place to protect any intellectual property generated by your organisation through its use of this AI product?
  8. Do you have the necessary storage and computing requirements?
  9. Will your existing systems work effectively alongside the new technology to ensure a clear and reliable workflow?
  10. Can you manage the maintenance burden of this new technology?

FCC Waives Equipment Authorization Rules for GE Healthcare to Address COVID-19 Supply Chain and Testing Challenges

Yesterday, the Federal Communications Commission (“FCC”) granted GE Healthcare (“GEHC”) a waiver of its equipment authorization rules to allow for the importation, marketing, and operation of certain medical devices that have yet to receive authorization under applicable FCC requirements. The GEHC devices at issue include bedside and wearable patient monitors; telemetry transmitters; antenna infrastructure; wireless sensors; diagnostic testing ECG analysis systems; mobile radiology equipment; and portable X-rays.

The FCC granted the waiver due to the “unprecedented strain” that the COVID-19 pandemic has placed on the U.S. healthcare system. In doing so, the FCC recognized that GEHC now has to rely on alternative component suppliers to maintain a robust supply chain of devices, and that doing so has and will continue to require GEHC to pursue and secure new or modified equipment authorizations under the FCC’s rules. By waiving these rules for a temporary period, subject to certain conditions, the FCC enabled GEHC to import, market, and operate these devices before they are fully authorized, thereby improving the speed at which GEHC can bring them to market.

The FCC’s order imposed certain conditions on the grant of the waiver, including that:

  • GEHC continue to pursue testing for compliance with applicable rules, though GEHC can rely on non-accredited laboratories for such testing if it ensures that they use good engineering practices;
  • the devices at issue be operated only on the premises of healthcare facilities (including field hospitals) at the direction of authorized healthcare providers;
  • GEHC submit an equipment authorization application to the FCC within 180 days after initially marketing a device (based on the date the device was first distributed to a healthcare facility);
  • each affected device include a label noting the waiver terms and its limitations;
  • once a device receives authorization it be labeled in accordance with the FCC’s existing rules;
  • the waiver be limited to 18 months, subject to extension upon a detailed showing that further relief is warranted; and
  • GEHC maintain a list of all covered devices and the healthcare facilities to which they are distributed, and report on the status of those devices within 30 days of the order’s expiration.

Information about the specific rules that the FCC waived and its rationale for doing so follows.

Importation. The FCC’s rules permit entities to import 4,000 or fewer units of an unauthorized device that emits radiofrequency emissions for testing and evaluation purposes, provided it is not offered for sale or marketed. The FCC granted GEHC a waiver of this 4,000 unit limit along with the testing and evaluation requirement (and sale or marketing prohibition), provided GEHC limits the operation of these devices to healthcare facilities, performs limited compliance testing on them, and complies with the other conditions described above.

Marketing. The FCC’s rules permit the marketing of a pre-authorized device in the conceptual, development, design, or pre-production stage under certain circumstances. The FCC granted GEHC a waiver of the conceptual, development, design or pre-production stage requirement, permitting GEHC to market a broader array of devices so long as (in addition to the other conditions described above) the devices are marketed for a limited period of time, eventually receive authorization, and, if not, are tracked and disposed of or removed from the marketplace.

Operation. The FCC’s rules contain a general prohibition against operating a radiofrequency device prior to its authorization, subject to certain exceptions. One of those exceptions permits pre-authorization operation if the device (1) is intended to operate under Parts 15, 18 or 95 of the FCC’s rules; (2) complies with applicable rules, waivers of such rules, or rules that have been promulgated but have not yet taken effect; (3) would be retrieved or rendered inoperable at the conclusion of its operation; and (4) is operated for one of two purposes: at a trade show or exhibition (with appropriate disclosures), or during the developmental, design or pre-production stages to evaluate performance or determine customer acceptability. Although the FCC’s order is not especially clear on this point, it appears that the FCC granted GEHC a waiver of the purposes requirement — that such operation be at a trade show or exhibition or during the developmental, design or pre-production stages to evaluate performance or determine customer acceptability — provided the devices are operated on the premises of healthcare facilities at the direction of healthcare providers, and adhere to the other conditions described above.

It appears that yesterday’s waiver order was granted very quickly, within 24 calendar days of filing and without being docketed or being subject to a request for public comment. It is among a range of actions the FCC has taken over the past two months to address COVID-19 concerns expeditiously.

Germany Establishes a Simplified Procedure for Reimbursement of Digital Health Applications

On April 21, 2020, the “Regulation on the Requirements and the Process for the Examination of the Eligibility of Digital Health Applications for Reimbursement by the State Health Schemes” (Digitale Gesundheitsanwendungen-Verordnung – „DiGAV“) came into force in Germany. It is accompanied by an extensive Guidance (Leitfaden) issued by the Medicines and Medical Devices Agency “BfArM”.

HHS Announces Enforcement Discretion Over the Implementation of Interoperability Final Rules Due to COVID-19 Public Health Emergency

On April 21, 2020, the Department of Health and Human Services (“HHS”) announced that, as a response to the COVID-19 public health emergency, it will exercise enforcement discretion to “permit compliance flexibilities” regarding the implementation of the interoperability final rules issued on March 9, 2020.  This joint announcement was made by the Office of the National Coordinator for Health IT (“ONC”), the Centers for Medicare & Medicaid Services (“CMS”), and the HHS Office of Inspector General (“OIG”).

As we previously discussed, the final rules are intended to improve patient access to electronic health information (“EHI”) and to standardize the modes of exchanging EHI.  These rules greatly affect hospitals and other healthcare stakeholders, who are working at the forefront of the COVID-19 pandemic.  HHS considers the decision to exercise enforcement discretion as one of many steps “taken to ease [the] burden on the healthcare industry as it fights COVID-19.”  HHS will continue monitoring implementation of the rules to decide if additional actions are necessary.

CMS’s Enforcement Discretion

CMS announced that it will be extending by six months the time periods for implementing certain aspects of the Interoperability and Patient Access Final Rule.  Accordingly, the admission, discharge, and transfer notification Conditions of Participation rules, which were initially scheduled to take effect six months after the publication of the final rule, will now be effective 12 months after publication.

CMS will also exercise discretion for six months regarding the Patient Access API and Provider Directory API requirements for Medicare Advantage, Medicaid, and the Children’s Health Insurance Program (“CHIP”) under 42 C.F.R. Parts 422, 431, 438, and 457.  The requirements, which were to become effective on January 1, 2021, will not be enforced until July 1, 2021.  CMS will similarly defer enforcement of the new requirements for the Patient Access API for Qualified Health Plan (“QHP”) issuers under 45 C.F.R. Part 156 until July 1, 2021.

These are the only requirements for which CMS has announced it will exercise enforcement discretion.  Other policies and requirements must be implemented as set out in the final rule, including the payer-to-payer data exchange deadline of January 1, 2022.

ONC’s Enforcement Discretion

ONC announced that it will exercise enforcement discretion for three months following the original compliance date for all new requirements in the ONC Final Rule. Therefore, ONC will not enforce such requirements, found at 45 C.F.R. Part 170, for three months after the initial date or time period provided in the final rule.  A detailed list of the requirements and new compliance deadlines can be found here.

Republicans Poised To Introduce COVID-19 Privacy Bill

Senate Commerce Committee Chairman Roger Wicker is working on draft legislation that would regulate the collection and use of health and location information in connection with efforts to track and limit the spread of COVID-19.  Some key highlights of the tentatively titled “COVID-19 Consumer Data Protection Act” include:

  • For the duration of the public health emergency, the bill would regulate companies that collect, process, or transfer certain health and location information for any of the following purposes: (1) to track the spread, signs, or symptoms of COVID-19; (2) to measure compliance with social distancing guidelines or other government-imposed requirements related to COVID-19; or (3) to conduct contact tracing for COVID-19 cases.
  • Many of the key requirements are consistent with existing federal or state privacy requirements or norms, including obligations to post a clear and conspicuous privacy policy, to obtain affirmative consent to collect the covered data elements, and to maintain reasonable data security policies and practices.
  • However, regulated companies would have certain new obligations. The most notable of these include the following:
    • An obligation to provide individuals the ability to revoke their consent to the collection, processing, or transfer of covered data for COVID-19 purposes. There are limited exemptions to this requirement.  For example, there is not an express exemption from opt-out obligations for medical information collected by or on behalf of employers in connection with efforts to maintain a safe workplace.  The U.S. Equal Employment Opportunity Commission issued guidance on March 18 stating that employers are allowed to conduct body temperature checks due to the pandemic and issued guidance on April 23 stating that employers may conduct diagnostic testing for COVID-19.
    • An obligation to delete covered data that is collected, processed, or transferred for COVID-19 purposes when it is no longer being used for such purpose. The draft does not expressly address a company’s obligations to delete covered data that is collected and processed for both COVID-19 and non-COVID-19 purposes.
    • An obligation to issue public reports every 30 days with certain information, including the aggregated number of individuals whose data has been processed for COVID-19 purposes.
    • Express data minimization requirements.
  • There are specific exemptions for aggregated, de-identified, and publicly available information. Otherwise, covered health and location information is defined to include the following:
    • Personal health information, which is defined as either genetic information or information relating to the diagnosis or treatment of past, present, or future physical, mental, health, or disability of the individual that identifies or is reasonably linkable to an individual, but excluding information that is subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) or the Family Educational Rights and Privacy Act of 1974 (“FERPA”).
    • Precise geolocation data, which is defined as technologically derived information capable of determining with reasonable specificity the past or present actual physical location of an individual at a specific point in time.
    • Proximity data, which is defined as technologically derived information that identifies with reasonable specificity the past or present proximity of one individual to another.

The draft would rely on the Federal Trade Commission to enforce violations under Section 5 of the FTC Act, although common carriers and non-profit entities also would be regulated expressly even though they generally are not subject to Section 5 jurisdiction.  In addition, state attorneys general would have the right to enforce the obligations, including to obtain civil penalties.