Product liability considerations are not likely the first concerns that spring to mind for the many companies working to develop digital health countermeasures and other products related to COVID-19.  Yet even while putting together solutions on an accelerated timeline, there are some straightforward actions that companies can take that may reduce litigation risk down the road.

PREP Act Immunity

First, a company preparing medical countermeasures for COVID-19 should consider whether its activities are immune from suit under the federal Public Readiness & Emergency Preparedness Act (“PREP Act”).[1]  The PREP Act applies to a broadly defined set of activities related to “Covered Countermeasures,” including “the manufacture, testing, development, distribution, administration, and use of the Covered Countermeasures.”[2]  “Covered Countermeasures” include drugs, devices, or biologics used to treat COVID-19, as well as “product[s] or technolog[ies] intended to enhance the use or effect of such” treatments, but only as long as FDA has approved the countermeasure or authorized it for emergency use.  The PREP Act also includes other limitations and restrictions, including the requirement that the activity in question must have a nexus with a federal, state, or local government authorization or agreement.[3]  However, the immunity it provides, if an activity qualifies, is broad.

Regardless of whether the PREP Act applies to a particular digital health application, developers of such applications should consider other measures they can take to reduce liability risk.  Many of the common product liability theories under which a company might be sued, such as design defect and failure to warn, apply a rule of reasonableness, such that a claim often will not succeed if the company took reasonable precautions under the circumstances.  What “reasonable” means in this context will depend on the facts of a particular case, but a company can take several steps to increase the likelihood that a potential litigant or court will view its conduct as reasonable.  These considerations apply to any digital health solution, but especially in the rapidly-evolving COVID-19 environment where there are unlikely to be clear industry guidelines or precedents to follow.

Accuracy and Understandability

First, a company should ensure that its application provides accurate and understandable information.  In addition to carefully reviewing content to confirm its accuracy, a digital health company should conduct testing before consumers use a new product.  Similarly, if an application includes medical content, the company should consider consulting with a healthcare professional.  Such a consultation will help ensure accuracy and completeness and also mitigate the risk of an allegation that individuals with relevant training and expertise were not involved in the design of the product.

Further, if  the application offers medical recommendations or recommendations about seeking medical care, a company should 1) thoroughly vet any external sources for accuracy and 2) transparently inform users about the bases for any recommendations.  For example, if the software incorporates (or relies upon) data from external sources, such as the Centers for Disease Control (“CDC”) or the World Health Organization (“WHO”), the application should disclose its use of such sources.  The company should also consider taking the additional step of providing links to such external data sources in the application, which could reduce the risk of a failure-to-warn claim by providing the user with additional independent sources of information.  Finally, companies should develop and present content with the end user in mind.  For instance, the company should present any complex or technical information in a format that an ordinary person could understand.  All of the above steps could serve as evidence that the company took reasonable precautions when developing its product.

Terms of Use/End User Agreement

Terms of use or an end user agreement for the product can provide important legal protections.  A digital health application should require users to review and affirmatively consent to the terms of use, and should require acknowledgment of any disclaimers or warnings, some examples of which are discussed below.  Further, a company should consider including a limitation of liability in the terms of use or end user agreement, as well as a requirement that users indemnify the company for damages resulting from unauthorized or unlawful uses, or any breach of the terms of use.  For example, a clause might limit liability to the fullest extent permissible under the law, including by expressly limiting damages arising from lost profits, lost data access, or lost revenue as a result of using the product.

Warnings and Disclaimers

An application should include appropriate warnings and disclaimers.  Most jurisdictions require a product manufacturer to warn of all known or knowable risks that present a substantial danger when one uses the product in a reasonably foreseeable way.  A digital health company should consider presenting the most important warnings, such as those concerning the health of the consumer, as part of the user experience, rather than in the terms of use or end user agreement.  For example, if the user base includes patients or consumers, the application should advise users to seek medical attention if they experience serious symptoms, and that they could be carriers of COVID-19 even if they remain asymptomatic.  In addition, if the product or software relies on an external data source, such as the CDC or WHO,  it should advise users that the information and recommendations provided depend on the accuracy of a third-party data source for which the company does not have responsibility.  Any warnings should also caveat that information about COVID-19 evolves constantly.  Companies should consider taking the additional step of including links to authoritative public health authorities, such as the CDC or WHO, and specifically direct users to access such sources for the most up-to-date information.[4]

Additionally, proper disclaimers can reduce potential liability for breach of warranty.   Generally, there are two types of warranties: 1) express warranties (statements made by the manufacturer or seller of the product to the consumer), and 2) implied warranties (implied in the sale of the product).  A company’s application should explicitly disclaim such warranties, including (in particular) the implied warranties of merchantability and fitness for a particular purpose.

Monitoring for Issues

Finally, a digital health company should consider creating policies and procedures to monitor performance of the application and assess any problems that might arise.  Such steps could serve as important evidence that the company behaved reasonably.  Ideally, this would include a system for users to report problems or concerns, as well as policies to guide the company’s review of such reports and a notification plan for affected users.  Even if a company cannot create such a comprehensive monitoring system, it should at least consider designating an individual with responsibility for monitoring the application’s performance and developing a plan to address any issues that may arise.  Further, a company should consider whether any employees — such as those who might review or evaluate medical information from users — should have medical training or be supported by employees with appropriate medical training.

[1] 42 U.S.C. § 247d-6d.

[2] 85 Fed. Reg. 15201.

[3] 85 Fed. Reg. 15,198, 15,199 (Mar. 17, 2020).

[4] For example, at the time of publication, the CDC maintains a webpage devoted to information on COVID-19.  See CDC, Coronavirus Disease 2019 (COVID-19), https://www.cdc.gov/coronavirus/2019-ncov/index.html.  The WHO maintains a similar website.  See WHO, Coronavirus Disease 2019, https://www.who.int/emergencies/diseases/novel-coronavirus-2019.