Digital Health

In the first of a three-part series, Covington’s global cross-practice Digital Health team answers key questions that companies across the life sciences, technology, and communications industries should be asking as they seek to fit together the regulatory and commercial pieces of the complex digital health puzzle.

Key Regulatory Questions About Digital Health Solutions

1. What are your digital health solution’s intended uses?
Understand whether the components of the solution (or in some cases, the sum of the parts) are regulated by one or more regulatory authorities and, if so, the associated regulatory classification and requirements.

In various jurisdictions, including the U.S., EU, and China, a digital health solution could potentially be regulated as a medical device or a drug-device combination product, or it could be a consumer product not regulated under medical product authorities. Much would depend on the solution’s intended use and functionality, and the claims made by the product’s manufacturer. U.S., EU, and Chinese laws acknowledge that standalone software can be a medical device. A digital health software solution could be regulated as a medical device if it is intended by the manufacturer to have a medical purpose or otherwise affect patient care. If the solution is intended to “e-enable” a drug or otherwise intended for use with a drug, it could create a drug-device combination product. In the U.S. and China, such drug-device combinations may be regulated under the drug marketing application or under a separate device marketing application. In the EU, such drug-device combinations are regulated as medicines. Alternatively, the solution could be a consumer product that is not subject to medical product regulation if it is not intended for use with a drug and is positioned as a “lifestyle/general wellness” tool, rather than a tool with a medical purpose.

2. What kind of claims can you make about your digital health solution?
Also establish what level of substantiation is required for those claims. If you are a pharmaceutical company, consider whether your or your collaborator’s digital health solution may impact the marketing of your drug(s) (e.g., would the digital solution be considered by FDA, EMA, DOJ, FTC, China’s CFDA or SAIC and/or another regulatory authority to be drug advertising, promotion, or labeling; does testing it require an investigational application; do you need to file a supplemental drug application or variation to a marketing authorization).

Permitted claims will depend on the regulatory classification of your solution. For example, e-enabling and other digital health components of approved/authorized medicines can create combined drug-device combination products, which will need to comply with U.S. and EU drug laws. This will impact permitted advertising and promotion and will often require specific product labeling. It could also require a supplement or variation to an existing marketing authorization.

In the U.S., if your solution is a medical device, its advertising and labeling will be subject to FDA and/or FTC regulation. Both agencies have authority to take action against false or misleading promotion, including claims that are not supported by appropriate clinical data. There are no harmonized EU medical device advertising rules. You will need to consider at an EU member state level whether there are any restricted audiences before promoting your device. In China, any therapeutic claims would be subject to restrictions under China’s drug and/or device regulations and its Advertisement Law, and CFDA must pre-approve all advertisements and medical information websites.

3. Are your warnings and disclosures tailored to your intended audience and use(s), not merely boilerplate?
Understand whether they reasonably warn about possible adverse health consequences to patients. Even in the absence of regulatory labeling requirements, you may have duties to your customers under tort law or general consumer protection legislation.

The adequacy of warnings will depend on the risk and classification of the solution and the purpose of the disclosure. Different considerations apply depending on whether the disclosure is intended to provide legally mandated information or to warn against unintended uses or functions. For example, in certain instances a manufacturer may accept that its solution is a regulated product and seek to include appropriate warnings in associated materials. In other cases, the solution could be unregulated and warnings and disclosures could be applied as protection against unintended use of the product.

4. What other regulations apply to your digital health solution?
Depending on the nature of the digital health solution, several other laws and regulations may apply. For instance, if the solution is offered through health care providers or health plans or if it interacts with the electronic health record systems of health care providers, compliance with the HIPAA privacy, security and breach notification rules and other data privacy laws may be required.

In the U.S., federal laws intended to protect against fraud and abuse, such as the Anti-Kickback Statute and the Stark physician referral statute, may also be implicated. In addition, consideration should be given to analogous state laws and to state laws governing the practice of medicine.

In the EU, the digital health solution may also be a regulated health service. Many jurisdictions will require that entities or organizations delivering a health service have some kind of register or permit from a relevant regulator. This would include, for example, the Care Quality Commission in the UK, which will register an entity as a health service provider only once it has carried out an audit and subject it to periodic re-inspections. Moreover, if that health service provider wishes to provide services specifically to a national or regional health service provider, it may need to hold other permits or meet certain additional standards.

Additional laws and regulations may also apply in China. For example, similar to the EU, in China health services are subject to strict regulation. These services must typically be managed through an institution with a health care institution license, and advertisements for health services must be submitted by that institution to the provincial-level health authorities for pre-approval. Health information websites must also meet specific regulatory and pre-approval requirements. China’s increasing body of regulation on cybersecurity, Internet information, and health privacy may also impose requirements on the flow of personal health information to and from a medical device or consumer product.

Covington Digital Health Team

Stakeholders across the healthcare, technology and communications industries seek to harness the power of data and information technology to improve the effectiveness and efficiency of their products, solutions and services, create new and cutting-edge innovations, and achieve better outcomes for patients. Partnering with lawyers who understand how the regulatory, IP, and commercial pieces of the digital health puzzle fit together is essential. Covington offers unsurpassed breadth and depth of expertise and experience concerning the legal, regulatory, and policy issues that affect digital health products and services.

Wade Ackerman

Through more than a decade of experience in private practice and positions within the FDA and on the Hill, Wade Ackerman has acquired unique insights into the evolving legal and regulatory landscape facing companies marketing FDA-regulated products. Mr. Ackerman advises clients on FDA regulatory matters across a range of sectors, including drugs and biologics, cosmetics, medical devices and diagnostics, and digital health products and services associated with drugs and traditional devices. He serves as one of the leaders of Covington’s multidisciplinary Digital Health Initiative, which brings together the firm’s considerable resources across the broad array of legal, regulatory, commercial, and policy issues relating to the development and marketing of digital health technologies.

Nigel Howard

Nigel Howard’s practice focuses on technology, outsourcing, and intellectual property issues. He represents clients in complex technology transactions, including outsourcing, licensing, corporate partnering, and strategic alliance transactions. Mr. Howard also has experience representing clients during IP property purchases and sales, and in reviews of IP portfolios in relation to corporate financing and merger and acquisition transactions. His experience includes cross-border technology transfers, development and testing arrangements, distribution channels, technology deployment, and electronic commerce as well as privacy laws with regard to electronic databases and online services.

Lindsey Tonsager

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection laws, and regularly represents clients in responding to investigations and enforcement actions involving their privacy and information security practices.

Lindsey’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of artificial intelligence, data processing for connected devices, biometrics, online advertising, endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, e-mail marketing, disclosures of video viewing information, and new technologies.

Lindsey also assesses privacy and data security risks in complex corporate transactions where personal data is a critical asset or data processing risks are otherwise material. In light of a dynamic regulatory environment where new state, federal, and international data protection laws are always on the horizon and enforcement priorities are shifting, she focuses on designing risk-based, global privacy programs for clients that can keep pace with evolving legal requirements and efficiently leverage the clients’ existing privacy policies and practices. She conducts data protection assessments to benchmark against legal requirements and industry trends and proposes practical risk mitigation measures.