Photo of Phil Bradley-Schmieg

Philippe Bradley-Schmieg’s practice covers a range of commercial, regulatory and intellectual property matters affecting the IT, e-health, internet media and telecoms sectors, often with a multi-jurisdictional scope.  He advises on intellectual property, compliance and policy matters such as online consumer rights, liability for third party content, patent, copyright and database right licensing, privacy and data protection, medical confidentiality, cybersecurity, data breach responses, and law enforcement data disclosure.  Mr. Bradley-Schmieg advises on UK, EU and international law, and has worked in London and Brussels.

The UK Government has opened a consultation, running until September 7, 2016, regarding how UK National Health Service (NHS) patient data should be safeguarded, and how it could be used for purposes other than direct care (e.g. scientific research).

The consultation comes after two parallel-track reviews of information governance and data security arrangements in the NHS found a number of shortcomings, described below.  The  Care Quality Commission (CQC) and the National Data Guardian (NDG, led by Dame Fiona Caldicott) made a range of recommendations, including new security standards, stronger inspection and enforcement around security lapses and re-identification of anonymized patient data, and an eight-point process around assuming and respecting patient consent decisions.

Following the public consultation, the new security standards could eventually be required and audited by government inspectors from the CQC, and imposed under revised standard NHS England contract terms.  CQC inspectors could potentially act on tip-offs from NHS Digital (formerly known as the NHS Health and Social Care Information Centre, ‘HSCIC’).  Those tip-offs could be based on low scores obtained by organizations in their annual NHS Information Governance Toolkit (IGT) self-assessments.  The IGT, which the reviewers said should be redesigned, applies both to NHS bodies and their commercial vendors.

The new consent model, meanwhile, could provide more streamlined, system-wide consents for use of patient data for purposes including quality assurance and research.

The CQC and the NDG’s findings and twenty-four recommendations were jointly presented in a covering letter to the UK government, available here, and fuller reports, available here and here (CQC and NDG, respectively).  This post provides a brief summary of their main findings and recommendations.  For the consultation questions themselves, see here.
Continue Reading UK Government Considering New Patient Data Security and Research Consent Standards, Sanctions

On 15 July 2016, the European Commission updated MEDDEV 2.1/6 (the “MEDDEV Guidance), its medical device guidance on the qualification and classification of stand alone software used in the healthcare setting. The updated version replaces an earlier version of MEDDEV 2.1/6 issued by the European Commission in January 2012.

MEDDEV 2.1/6 generally stands as a valuable resource to assist software developers in the assessment of whether software is a medical device. However, some have expressed disappointment that the updated guidance did not go further in clarifying the picture, particularly those operating within the mobile health (mHealth) space.

Indeed, the main changes consist of additions to the definitions section of the MEDDEV Guidance. There is now a definition to clarify that “software” is a “set of instructions that processes input data and creates output data“. There are also accompanying definitions of “input data” and “output data”.
Continue Reading EU Updates MEDDEV 2.1/6 Guidance on Standalone Software