On 28 June 2017, Advocate General Sanchez-Bordona (AG) presented his opinion in case C-329/16 Syndicat national de l’industrie des technologies médicales and Philips France following a request for preliminary ruling from the Conseil d’État (France) to the Court of Justice of the European Union (CJEU) concerning the laws governing the classification of software medical devices.

On Friday, July 28, FDA announced a new Software Pre-certification (Pre-Cert) Pilot Program in a Federal Register notice.  The Pre-Cert program is one of three main action items discussed in the agency’s recently-released Digital Health Innovation Action Plan.  CDRH also held a webinar on August 1 to provide an overview of the program and answer stakeholder questions.

In an accompanying FDA Voice blog post, Commissioner Gottlieb acknowledged that “FDA’s traditional approach to medical devices is not well suited” to digital health products.  The agency is looking to develop a new regulatory framework that “accommodates the distinctive nature of digital health technology, its clinical promise, the unique user interface, and industry’s compressed commercial cycle of new product introductions.”

The Pre-Cert pilot program is the agency’s first step in developing the Pre-Cert program that the agency initially announced last month.  The Pre-Cert program will replace the agency’s current product-by-product premarket review process with a process to pre-certify software developers who demonstrate sufficient quality performance.  Pre-certified developers would be able to market their software devices with no, or streamlined, premarket review.  The program is intended to allow manufactures of software devices to get to market faster and have greater flexibility to iterate product design based on real world experience.

To move the Pre-Cert program from concept to implementation, the agency is initiating a pilot program.  The goal of the pilot is to leverage input from the participating companies to help the agency establish the appropriate criteria for pre-certification and appropriate review process for pre-certified companies.  Thus, participating companies will have a remarkable opportunity to shape the program and the agency’s regulatory approach to digital health products.

The Pre-Cert program’s developer-based approach represents a significant shift from the agency’s longstanding, fundamental approach to regulating medical products on a product or category basis regardless of the manufacturer.  We expect that there will be significant interest in the pilot, although FDA will only select nine companies to participate.  FDA also strongly encourages companies who do not participate in the pilot to submit feedback through the public docket.

Continue Reading FDA Initiates Software Precertification Pilot Program

On July 27, FDA published its Digital Health Innovation Action Plan. The plan provides details and timelines for the agency’s Digital Health Innovation Plan, announced by FDA Commissioner Scott Gottlieb last month.

The action plan describes the agency’s “next steps” over the coming year to “encourage digital health innovation by redesigning [FDA’s] policies and

The UK Information Commissioner’s Office (“ICO”), which enforces data protection legislation in the UK, has ruled that the NHS Royal Free Foundation Trust (“Royal Free”), which manages a London hospital, failed to comply with the UK Data Protection Act 1998 in providing 1.6 million patient records to Google DeepMind (“DeepMind”), requiring the Royal Free to sign an undertaking committing to changes to ensure it is acting in line with the UK Data Protection Act.

On September 30,  2015, the Royal Free entered into an agreement with Google UK Limited (an affiliate of DeepMind) under which DeepMind would process approximately 1.6 million partial patient records, containing identifiable information on persons who had presented for treatment in the previous five years together with data from the Royal Free’s existing electronic records system.  On November 18, 2015, DeepMind began processing patient records for clinical safety testing of a newly-developed platform to monitor and detect acute kidney injury, formalized into a mobile app called ‘Streams’.
Continue Reading ICO Rules UK Hospital-DeepMind Trial Failed to Comply with UK Data Protection Law

The Department of Health and Human Services (HHS) recently published guidance on HIPAA requirements governing the use of cloud computing entities, specifically cloud services providers (CSPs).

In this guidance, HHS explains that CSPs that create, receive, maintain, or transmit protected health information (PHI) on behalf of a covered entity or business associate are considered business

On 15 July 2016, the European Commission updated MEDDEV 2.1/6 (the “MEDDEV Guidance), its medical device guidance on the qualification and classification of stand alone software used in the healthcare setting. The updated version replaces an earlier version of MEDDEV 2.1/6 issued by the European Commission in January 2012.

MEDDEV 2.1/6 generally stands as a valuable resource to assist software developers in the assessment of whether software is a medical device. However, some have expressed disappointment that the updated guidance did not go further in clarifying the picture, particularly those operating within the mobile health (mHealth) space.

Indeed, the main changes consist of additions to the definitions section of the MEDDEV Guidance. There is now a definition to clarify that “software” is a “set of instructions that processes input data and creates output data“. There are also accompanying definitions of “input data” and “output data”.
Continue Reading EU Updates MEDDEV 2.1/6 Guidance on Standalone Software

Earlier this month the U.S. Department of Health and Human Services (HHS), Office of the National Coordinator for Health Information Technology (ONC), released a report to Congress highlighting “large gaps” in policies and oversight surrounding access to and security and privacy of health information held by certain “mHealth technologies” and “health social media.”

mHealth technologies

The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) recently announced a significant settlement with Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS), a business associate under HIPAA, arising from a breach of protected health information (PHI) after the theft of an employee’s iPhone.  The iPhone was not encrypted or password protected and held extensive information on approximately 400 nursing home residents, including Social Security numbers; information regarding diagnosis and treatment, medical procedures, medication; and names of family members and legal guardians.  CHCS agreed to pay financial penalties of $650,000 and adhere to a corrective action plan.

Continue Reading Significant HIPAA Fine Follows Business Associate’s Stolen iPhone

On April 5, the Federal Trade Commission (FTC), in conjunction with the Food and Drug Administration (FDA) and the Department of Health and Human Services (HHS), released a new web-based interactive tool to assist mobile health app developers in navigating applicable federal laws and regulations in the areas of advertising and marketing, medical devices, and data security and privacy.

The interactive tool consists of 10 questions designed to identify whether a particular mobile health app is subject to any of the following federal laws:

  • the privacy, security and breach notification rules issued under the Health Insurance Portability and Accountability Act (HIPAA);
  • the Food, Drug, and Cosmetic Act (FDCA);
  • the Federal Trade Commission (FTC) Act; and
  • the breach notification rules issued by the FTC.

Regardless of whether mobile apps are subject to any of these federal laws, the guidance directs app developers to newly issued FTC best practices for protecting the privacy and security of consumer data.

Continue Reading FTC Releases Online Tool to Help Health App Developers Identify Applicable Laws