FDA Issues Updated Guidance on the Regulation of Digital Health Technologies

On September 26, 2019, the FDA issued two revised guidance documents addressing its evolving approach to the regulation of digital health technologies. These guidances primarily describe when digital health solutions will or will not be actively regulated by FDA as a medical device. In parallel, FDA also updated four previously final guidance documents to ensure alignment with the new approaches being adopted by the Agency.

As background, FDA issued draft guidance documents in December 2017 that sought to implement section 520(o)(1) of the Federal Food, Drug, and Cosmetic Act (“FDCA”), which was enacted by Congress in the 21st Century Cures Act of 2016 (the “Cures Act”). Those guidance documents raised a number of issues that we discussed in a previous alert.

After receiving comments from stakeholders, the Agency responded by issuing: (i) a revised draft guidance document for clinical decision support (CDS) software (“Clinical and Patient Decision Support Software” or the “CDS Draft Guidance”) and (ii) a final guidance document for other software functions exempted by the Cures Act (“Changes to Existing Medical Software Policies Resulting from Section 3060 of the 21st Century Cures Act” or the “Software Policies Guidance”).

Ideation Question #2: Who Will Provide Aspects of the Offering?

This is the second of our video posts on 10 questions that can help lawyers contribute to the digital health ideation process.  Today’s video explores the question: who will provide the various components of the offering?

European Parliamentary Research Service issues a briefing paper on implementing EU’s ethical guidelines on AI

On 19 September 2019, the European Parliamentary Research Service (“EPRS”)—the European Parliament’s in-house research service—released a briefing paper that summarizes the current status of the EU’s approach to developing a regulatory framework for ethical AI.  Although not a policymaking body, the EPRS can provide useful insights into the direction of EU policy on an issue.  The paper summarises recent calls in the EU for adopting legally binding instruments to regulate AI, in particular to set common rules on AI transparency, set common requirements for fundamental rights impact assessments, and provide an adequate legal framework for facial recognition technology.

The briefing paper follows publication of the European Commission’s high-level expert group’s Ethics Guidelines for Trustworthy Artificial Intelligence (the “Guidelines”), and the announcement by incoming Commission President Ursula von der Leyen that she will put forward legislative proposals for a “coordinated European approach to the human and ethical implications of AI” within her first 100 days in office.

Top 10 Questions During Ideation of Digital Health Solutions

Our clients increasingly apply agile product and business development methodologies when they are developing digital health solutions.  “Ideation” is part of that process and involves the rapid identification and creation of ideas for digital health solutions, which are then prototyped and tested.  Covington has created a Top 10 Questions for Ideation of Digital Health Solutions that can help lawyers contribute to the digital health ideation process.

In today’s video post we discuss intended use of the digital health solution and how lawyers can play a key role in discussing this topic.  Over the next nine weeks, we will post a video explaining each of our 10 questions.

Commission relaunch of eHealth Stakeholder Group

On 13 August 2019, the European Commission opened a call for expression of interest to relaunch the eHealth Stakeholder Group with a view to supporting the “digital transformation of healthcare in the EU”. The eHealth Stakeholder Group was first launched in 2012 and in its first iteration (between 2012 and 2015), contributed to the development of the Digital Agenda for Europe on eHealth and the eHealth Action Plan. In 2016, the Commission relaunched the Stakeholder Group, and between 2016 and 2018, the group assisted with the Digital Single Market Strategy and the eHealth Action Plan 2012-2020.

The Commission is now seeking representatives of European umbrella organisations active in the eHealth sector to relaunch the stakeholder group for a term of three years. Selected stakeholders will be expected to provide advice and expertise contributing to policy development, in particular in relation to the following areas:

  • Health Data.
  • Digital health services.
  • Health data protection and privacy issues.
  • Cybersecurity for health and care data.
  • Digital tools for citizen empowerment and person centred care.
  • Artificial intelligence and health.
  • Other cross cutting aspects linked to the digital transformation of health and care, such as financing and investment proposals and enabling technologies.

The group will also engage with, and seek input from, representatives and organisations across society including academics, healthcare professionals, patient groups and the tech industry sector.

The call is open until 27 September 2019 and the selection criteria can be viewed on the Commission’s website.

ICO publishes blog post on AI and trade-offs between data protection principles

On July 25, 2019, the UK’s Information Commissioner’s Office (“ICO”) published a blog on the trade-offs between different data protection principles when using Artificial Intelligence (“AI”).  The ICO recognizes that AI systems must comply with several data protection principles and requirements, which at times may pull organizations in different directions.  The blog identifies notable trade-offs that may arise, provides some practical tips for resolving these trade-offs, and offers worked examples on visualizing and mathematically minimizing trade-offs.

The ICO invites organizations with experience of considering these complex issues to provide their views.  This recent blog post on trade-offs is part of its on-going Call for Input on developing a new framework for auditing AI.  See also our earlier blog on the ICO’s call for input on bias and discrimination in AI systems here.

ICO Launches Public Consultation on New Data Sharing Code of Practice

On July 16, 2019, the UK’s Information Commissioner’s Office (“ICO”) released a new draft Data sharing code of practice (“draft Code”), which provides practical guidance for organizations on how to share personal data in a manner that complies with data protection laws.  The draft Code focuses on the sharing of personal data between controllers, with a section referring to other ICO guidance on engaging processors.  The draft Code reiterates a number of legal requirements from the GDPR and DPA, while also including good practice recommendations to encourage compliance. The draft Code is currently open for public consultation until September 9, 2019, and once finalized, it will replace the existing Data sharing code of practice (“existing Code”).

French medicines regulator produces first in Europe medical devices cybersecurity guidelines

France’s medicines regulator, the Agence Nationale de Sécurité du Médicament et des Produits de Santé (ANSM), has released draft guidelines, currently subject to a public consultation, setting out recommendations for manufacturers designed to help prevent cybersecurity attacks on medical devices. Notably, the draft guidelines are the first instance of recommendations released by a national regulator in Europe that apply cybersecurity considerations specifically to medical devices. The full ANSM draft guidelines, ‘Cybersécurité des dispositifs médicaux intégrant du logiciel au cours de leur cycle de vie’ (‘Cybersecurity of medical devices integrating software during their life cycle’), published 19 July 2019, are available in French and in English.

The draft guidelines note that while the European regulatory framework (the Medical Devices Regulation 2017/745 and In Vitro Diagnostic Medical Devices Regulation 2017/746) has been modified “in line with technological developments” (e.g. “data exchange, monitoring, risk prediction and control software”) to include software within the definition of a medical device, and accompanying security and performance requirements specific to such medical devices incorporating software, the “[medical device and in vitro diagnostic medical device r]egulations do not explicitly refer to or elaborate on the notion of cybersecurity”. For the purposes of the guidelines, ‘cybersecurity’ is described as “the full set of technical or organisational measures set up to ensure the integrity and availability of a [medical device] and the confidentiality of the information held on or output by this [medical device] against the risk of targeted attacks.”

In overview, the draft guidelines require manufacturers to undertake risk assessments using both IT and medical device risk management methodology, and then align these approaches as part of manufacturers’ implementation of quality management systems. The recommendations are subdivided into areas representing different parts of the product life cycle, including: software design activity; initialization (first use); monitoring (post market management); and medical device software end of life.

The draft guidelines also make reference to the French ‘General Security Framework’ from which “the criteria of availability, integrity and confidentiality are the baseline objectives to fulfil in terms of security” and that “various documents and tools provided by the ANSSI [the French National Security Agency] are also applicable to [medical devices].” Further, the draft guidelines introduce a criterion of ‘auditability’ to be additionally addressed by medical device manufacturers.

ANSM has shared its work within this area with the European Commission in the hope that “the [European] regulations evolve to integrate [ANSM’s work]” as it is the first time that such recommendations have been drafted in the EU. The draft guidelines are currently subject to public consultation until 30 September 2019.

German Government Enacts Digital Care Act

The new Digital Care Act (Digitale-Versorgung-Gesetz) is part of Germany’s efforts to expand the digitization of the healthcare system in Germany. Germany has already been pursuing this path since the so-called ‘E-Health Act’ from 2016. The aim of the ‘E-Health Act’ was to establish information and communication technology in healthcare. It focuses in particular on the development of the ‘electronic health card’ and the corresponding ‘electronic patient file’ for statutory health-insured people (see below for more information on such applications), the protection of the data stored in such files against unauthorised use, the creation of a secure ‘telematics infrastructure’, the improvement of the interoperability of healthcare IT systems, and the provision of telemedical services. The ‘telematics infrastructure’ will be an interoperable and compatible information, communication and security infrastructure for the use of the ‘electronic health card’ and the corresponding ‘electronic patient file’, its applications and other electronic applications in healthcare and health research.

The new Digital Care Act builds upon the ‘E-Health Act’ by focusing on the following: medical doctors will not only be allowed to prescribe traditional medicines and treatment methods to their patients, but also health apps. Such health apps may, for example, remind chronically ill people to take their medicine regularly, or provide a diary function where users can note their daily well-being. In the future, German statutory health insurance funds will have to reimburse the costs of health apps under certain conditions. Initially, the health app shall be tested for data security, data protection and functionality by the German Federal Institute for Drugs and Medical Devices (‘BfArM’). After the successful test and launch, statutory health insurance funds will reimburse the costs provisionally for one year. During this period, the manufacturer of the health app must prove to the BfArM that its health app improves patient care. The reimbursement amount will be negotiated with the German Association of Health Insurance Funds (GKV-Spitzenverband).
