AI Update: Medical Software and Preemption

In light of the rapidly expanding field of medical software technology, and its recognition that traditional approval mechanisms for hardware-based medical devices may not be well suited to regulating such technology, FDA is piloting a new, streamlined regulatory approach for digital health technologies. The initiative, currently a “working model” and known as the Software Precertification Program, is meant to encourage the development of health and medical software, including potentially software using artificial intelligence.

As currently envisioned, the Precertification Program creates a voluntary, organization-based approach to FDA review of digital health software. FDA will pre-certify organizations as having a “culture of quality” based on FDA’s review of the software developer’s R&D and monitoring systems. Under the working model, pre-certified organizations could submit less information in premarket submissions to FDA than currently required or may qualify for an exemption from premarket review by FDA.

Although it is unknown what specific metrics will be assessed in FDA’s review of organizations in the Precertification Program, the agency has asserted that it will seek to measure Product Quality, Patient Safety, Clinical Responsibility, Cybersecurity Responsibility, and Proactive Culture. Each of these elements will be evaluated in an evidence-based manner and FDA will make a determination regarding certification. Certification status will also be subject to monitoring and revision based on real-world performance data.

FDA’s intent to certify or pre-clear organizations rather than individual products on these safety and effectiveness elements opens a new potential arena for product liability litigation surrounding medical devices. In particular, medical devices are currently governed by an express preemption scheme under which federal law preempts certain state laws that are “different from, or in addition to, any requirement” of federal law. Under that standard, certain lawsuits concerning the safety of a medical device may be preempted, including (1) state-law claims premised on an allegation of fraud on the FDA, and (2) state-law claims involving devices that require pre-market approval, except to the extent those claims simply argue for design or warning requirements that “parallel” federal mandates.

To the extent that lawsuits alleging injury from medical device software (e.g., misdiagnosis) are brought against software developers, resolution of those tort claims will almost invariably involve evaluation by finders of fact of the very elements that FDA intends to examine and pre-certify:  whether the software developer has developed, tested, and maintained the software in a fashion that will provide safe and effective patient care. Such suits may, therefore, seek to impose under state law requirements for a particular product that are “different from, or in addition to,” the requirements that FDA has imposed on the development organization as a whole in the pre-certification process. And although courts have not yet considered the applicability of organizational requirements versus product-level requirements in this context, imposing tort liability on software developers who have met FDA’s requirements and are compliant with ongoing oversight programs may disrupt the federal regulatory scheme in the same way that tort lawsuits regarding premarket approved medical devices would. The Supreme Court has previously recognized that such disruption is impermissible.

The outcome of this legal issue will likely depend in part on the methods by which FDA implements the Precertification Program — which are yet to be determined — and on the specificity of its evaluation of individual organizations. Nevertheless, developers should be aware that compliance with the Precertification Program, if and when it is implemented, may have benefits not only in the regulatory setting but also in future litigation down the road.

EMA publishes “A Common Data Model for Europe? – Why? Which? How?” Workshop Report

On 8 October, the European Medicines Agency (EMA) published a report (available here) setting out the progress it has made towards applying a common data model (CDM) in Europe. The EMA defines a CDM as “a mechanism by which raw data are standardized to a common structure, format and terminology independently from any particular study in order to allow a combined analysis across several databases/datasets”. The report follows an EMA-hosted workshop in December 2017 to examine the opportunities and challenges of developing a CDM.

The report acknowledges that the use of ‘Real World Data’ (RWD) (data relating to patient health status or delivery of health care data that is routinely collected from sources other than clinical trials) has become an increasingly common source of evidence to support drug development and regulatory decision making for human medical use in Europe. However, Europe currently has no pan-European data network, despite the wealth of data generated through various national healthcare systems that provide access for all. Many multi-database studies currently performed are typically slow and still allow for substantial variability in the conduct of studies. Further, there are a growing number of innovative products that no longer align with customary drug development pathways. This may create uncertainty in their data packages required for authorization, and subsequent tension between facilitating earlier access for patients with limited treatment options against the requirement for proactive robust pharmacovigilance of medicines for wider clinical use across the product life cycle (the existing EMA Patient Registry Initiative addresses this need in part). Continue Reading

China Expands Regulations on e-Healthcare Issues

China continues to advance policy supporting e-healthcare services and resources.  On September 14, 2018, National Health Commission (“NHC”) and the National Administration of Traditional Chinese Medicine (“NATCM”) publicly released three new rules on internet based medical services and telemedicine.  These rules cover the areas of e-diagnosis (“e-Diagnostic Rules”), internet-based hospitals (“e-Hospital Rules”) and telemedicine services (“Telemedicine Service Standard”) (collectively “e-Healthcare Rules”).[1]

Although the government issued a draft of these rules in 2017, the final e-Healthcare Rules appear to have been prompted by the Opinion on Improving the Development of “e-healthcare” Industry (“Opinion”) issued by China’s chief executive branch, the State Council on April 25, 2018.  That Opinion requires enhancement and improvement of e-health services (including the application of artificial intelligence in the diagnostic process).

This blog entry focuses on key features of the e-Healthcare Rules.

Continue Reading

ICO consults on privacy “regulatory sandbox”

Designing data-driven products and services in compliance with privacy requirements can be a challenging process.  Technological innovation enables novel uses of personal data, and companies designing new data-driven products must navigate new, untested, and sometimes unclear requirements of privacy laws, including the General Data Protection Regulation (GDPR).  These challenges are often particularly acute for companies providing products and services leveraging artificial intelligence technologies, or operating with sensitive personal data, such as digital health products and services.

Recognising some of the above challenges, the Information Commissioner’s Office (ICO) has commenced a consultation on establishing a “regulatory sandbox”.  The first stage is a survey to gather market views on how such a regulatory sandbox may work (Survey).  Interested organisations have until 12 October to reply.

The key feature of the regulatory sandbox is to allow companies to test ideas, services and business models without risk of enforcement and in a manner that facilitates greater engagement between industry and the ICO as new products and services are being developed.

The regulatory sandbox model has been deployed in other areas, particularly in the financial services sector (see here), including by the Financial Conduct Authority in the UK (see here).

Potential benefits of the regulatory sandbox include reducing regulatory uncertainty, enabling more products to be brought to market, and reducing the time of doing so, while ensuring appropriate protections are in place (see the FCA’s report on its regulatory sandbox here for the impact it has had on the financial services sector, including lessons learned).

The ICO indicated earlier this year that it intends to launch the regulatory sandbox in 2019 and will focus on AI applications (see here).

Further details on the scope of the Survey are summarised below.

Continue Reading

UK Government publishes “Initial code of conduct for data-driven health and care technology” for consultation

On 5 September, in response to the opportunities presented by data-driven innovations, apps, clinician decision support tools, electronic health care records and advances in technology such as artificial intelligence, the UK Government published a draft “Initial code of conduct for data-driven health and care technology” (Code) for consultation.  The Code is designed to be supplementary to the Data Ethics Framework, published by the Department for Digital, Culture, Media and Sport on 30 August, which guides appropriate data use in the public sector.  The Code demonstrates a willingness of the UK Government to support data sharing to take advantage of new technologies to improve outcomes for patients and accelerate medical breakthroughs, while balancing key privacy principles enshrined in the GDPR and emerging issues such as the validation and monitoring of algorithm-based technologies.  For parties considering data-driven digital health projects, the Code provides a framework to help conceptualise a commercial strategy before engaging with legal teams.

The Code contains:

  • a set of ten principles for safe and effective digital innovations; and
  • five commitments from Government to ensure the health and care system is ready and able to adopt new technologies at scale,

each of which are listed further below.

While the full text of the Code will be of interest to all those operating in the digital health space, the following points are of particular note:

  • the UK Government recognises the “immense promise” that data sharing has for improving the NHS and social care system as well as for developing new treatments and medical breakthroughs;
  • the UK Government is committed to the safe use of data to improve outcomes of patients;
  • the Code intends to provide the basis for the health and care system and suppliers of digital technology to enter into commercial terms in which the benefits of the partnerships between technology companies and health and care providers are shared fairly (see further below); and
  • given the need of artificial intelligence for large datasets to function, two key challenges arise: (i) these datasets must be defined and structured in accordance with interoperable standards, and (ii) from an ethical and legal standpoint, people must be able to trust that data is used appropriately, safely and securely as the benefits of data sharing rely upon public confidence in the appropriate and effective use of data.

The Code provides sets out a number of factors consider before engaging with legal teams to help define a commercial strategy for data-driven digital health project.  These factors include: considering the scope of the project, term, value, compliance obligations and responsibilities, IP, liability and risk allocation, transparency, management of potential bias in algorithms, the ability of the NHS to add value, and defining the respective roles of the parties (which will require thinking beyond traditional research collaboration models).

Considering how value is created and realised is a key aspect of any data-driven digital health project, the Code identifies a number of potential options: simple royalties, reduced payments for commercial products, equity shares in business, improved datasets – but there is also no simple of single answer.  Members of Covington’s digital health group have advised on numerous data-driven collaborations in the healthcare sector.  Covington recently advised UK healthcare technology company Sensyne Health plc on pioneering strategic research and data processing agreements with three NHS Trust partners. Financial returns generated by Sensyne Health are shared with its NHS Trust partners via equity ownership in Sensyne Health and a share of royalties (further details are available here).

The UK Government also intends to conduct a formal review of the regulatory framework and assessing the commercial models used in technology partnerships in order to address issues such as bias, transparency, liability and accountability.

The UK Government is currently consulting on the Code (a questionnaire on the Code is available here) and intends to publish a final version of the Code in December.

Continue Reading

Medicare Policies Modified to Support Smart Devices Use for Sharing Glucose Data

The Centers for Medicare & Medicaid Services (CMS) recently announced that Medicare coverage policies would be revised “to support the use of [continuous glucose monitors] in conjunction with a smartphone, including the important data sharing function they provide for patients and their families.” In turn, the agency’s contractors, known as Medicare Administrative Contractors (MACs), modified their policies in part to recognize “the use of smart devices (watch, smartphone, tablet, laptop computer, etc.)” (see CMS and MAC announcements here and here). This recent shift is an important precedent for technologies that incorporate the use of electronic devices to display and share medical data, and may foreshadow flexibility in future federal policy development to support the important role smart devices are increasingly playing in communicating medical data.

By way of background, in January 2017, CMS issued a Ruling that therapeutic CGMs—i.e., those capable of monitoring blood glucose levels for making diabetes treatment decisions—may be covered by Medicare Part B as Durable Medical Equipment (DME). The Ruling also provided that, among other things, there must be a durable component capable of displaying the trending of the continuous glucose measurements. A continuous glucose monitor, or CGM, includes a dedicated receiver that tracks and displays glucose levels throughout the day. Several CGM systems currently on the market are capable of connecting to an individual’s smart device, which in turn allows patients to visualize their glucose measurements via app-based communication.

When the MACs issued a coverage policy to implement CMS’s Ruling, they limited the payment of supplies that are used in conjunction with CGMs relying on smart devices because the smart devices were not viewed as medical in nature given they were useful in the absence of an illness. After stakeholders voiced concerns about the restrictions, CMS revisited the issue to address concerns about the inability to share the displayed data with family members, physicians, and caregivers. In a revised Policy Article, the MACs address coverage for CGM systems that use a smart device to provide information, describing two scenarios where the CGM system would be covered:

  1. CGM supplies would be covered if the glucose data is displayed on the CGM receiver that meets the definition of DME, and is also transmitted to a smart device.
  2. Coverage of CGM supplies would be available in a situation where the beneficiary uses a CGM receiver on some days to review their glucose data, but also uses their smart device on other days. (If the beneficiary never uses the receiver that comes with the glucose monitor and qualifies as DME under the regulatory definition, then the CGM supply allowance is not covered by Medicare.)

Although the smart device is not considered DME, and use of supplies and accessories are covered only when the smart device is used in conjunction with a dedicated DME receiver, nevertheless, this policy acknowledges the practicalities of data sharing using smart devices. We continue to monitor this and other reimbursement developments relating to the use of smart devices.

Medicare Advantage Organizations Provided New Opportunities to Offer Telehealth Benefits

Earlier this year, President Trump signed into law the Bipartisan Budget Act of 2018 (BBA), which incorporates provisions from the Creating High-Quality Results and Outcomes Necessary to Improve Chronic (CHRONIC) Care Act of 2017 and improves access to telehealth services in Medicare Advantage. Pub. L. No. 115-123. Among other provisions impacting Medicare Advantage Organizations (MAOs), the BBA authorizes MAOs to offer additional telehealth benefits as basic benefits beyond original Medicare (Part A and Part B) limitations. Id. at Div. E., Title III, Subtitle C, § 50323.

Continue Reading

What physicians are reading about digital health

There are two papers in the May 15 volume of the Annals of Internal Medicine that discuss digital health applications and are illustrative of the topics being considered by physicians as they evaluate the adoption and impact of digital solutions.  These papers serve as examples of the active dialogue taking place around the appropriate regulatory framework for digital health solutions and the increasing awareness of the need to embrace rapid innovation while at the same time ensuring these solutions work appropriately for the patients that use them.

The first is a paper by Dr. Andrew Auerbach, UCSF Division of Hospital Medicine, Dr. Aaron Neinstein, University of California, and Dr. Raman Khanna, University of California, entitled “Balancing Innovation and Safety When Integrating Digital Tools Into Health Care.”  The paper proposes a “local evaluation” framework, which the authors believe “will likely replace formal evaluations” by the FDA, to ensure digitals tools are safely and effectively introduced into patient care at a particular institution or system.  Specifically, recognizing that digital tools “evolve rapidly” and are “unlikely to be supported by evidence from preclinical trials,” the authors propose forming “digital diagnostics and therapeutics committees” at individual institutions to evaluate and monitor digital health tools.  These committees would be modeled on existing pharmacy and therapeutics committees and would consist of groups of professionals with specific key competencies for analyzing digital tools, including information technologists and specialists in privacy and security.  The committees would be responsible for evaluating digital tools prior to and following local deployment to ensure patient safety, data protection and the feasibility of using the solution from a financial perspective, including by assessing the lifetime cost of the solution.  The authors suggest that local evaluation strikes the right balance between the need to maintain patient safety while encouraging and accommodating the rapid adoption of digital health solutions.

The second is a paper by Theodore Lee at the Yale Law School and Dr. Aaron Kesselheim from the Program on Regulation, Therapeutics, and Law (PORTAL), at Brigham and Women’s Hospital entitled “U.S. Food and Drug Administration Precertification Pilot Program for Digital Health Software: Weighing the Benefits and Risks.”  The paper assesses the potential effects of the FDA’s Digital Health Software Precertification (Pre-Cert) Program and highlights the risk that, without modification, the program will “ascribe FDA validation” to digital health products “that have not established actual clinical benefits.”  The key issue identified by the authors is that “a company may follow best practices for internally testing software but still develop products that prove to be unsafe” and, therefore, the Pre-Cert Program’s reliance on the quality of a company’s internal processes as a substitute for the standard clinical study process is, in the view of the authors, insufficient.  Thus, while the authors recognize the benefits of the Pre-Cert Program and the need to expedite regulatory review of medical software more generally, they conclude that “safety and effectiveness standards for critical technologies cannot rely on manufacturer metrics over product performance” and that “adequate study of safety and effectiveness is needed at some point in [the product] lifecycle.”  The paper provides some data to back up its words of concern, including citing a study that showed only 12 of 117 mobile apps intended to treat depression offered support based on accepted standards of care and that even those 12 apps inconsistently adhered to the standards.  The authors are also somewhat critical of the Pre-Cert Program’s postmarket surveillance requirements and advocate augmenting those requirements with prospective trials and continual monitoring of real-world data.

These papers are good reminders of the need to balance the nimbleness and speed of digital innovation with the underlying objective of producing safe and effective products that provide real reductions in healthcare costs and improved patient outcomes.  The papers also illustrates a range of perspectives on the topic—highlighting how regulators, physicians, developers and legal professionals continue to grapple with these competing factors and foreshadow a future in which regulation is continually calibrated as digital health offerings evolve and the impact on patients becomes more readily discernable. As our Digital Health team recently reported, FDA is continuing with the Pre-Cert Program and Commissioner Gottlieb made significant announcements last month and released FDA’s first draft of a Working Model for the Pre-Cert Program.

Summary of the CPS Paper on the Integration of Technology in the UK’s National Health Service

On 1 May, 2018 the Centre for Policy Studies (the “CPS”) published its latest paper on the UK’s National Health Service (the “NHS”) entitled “Powerful Patients, Paperless Systems: How New Technology Can Renew The NHS” (the “Paper”). The Paper advocates a “digital first NHS” that adopts a paperless system and enables patients to take full advantage of the continuing digitisation and integration of technology, often referred to as the Fourth Industrial Revolution (“4IR”).

To facilitate this change the Paper outlines three key targets that should be set by the Department of Health and Social Care, to be achieved by 2028:

  1. Move the NHS to a “digital first” platform and to aim to ensure that all interactions within the health service are digitally driven.
  2. Build an ecosystem of apps and innovation within and around the NHS, to improve patient service and control.
  3. Ensure that the savings made from automation and innovation are put back into frontline services and that budgets for staff R&D and technology training rise in line with overall NHS spending.

Continue Reading

Inside FDA’s Latest Digital Health Developments: Gottlieb Sees “Vast Potential” Ahead

On April 26, Commissioner Gottlieb addressed the agency’s progress on FDA’s Digital Health Innovation Action Plan and announced several additional steps the agency is taking to advance the potential benefits of digital health. Here is a recap of the key updates:

(1) Launch of New FDA Program to Apply Digital Health to Drugs

As our readers are aware, FDA has provided little public insight to date around the Agency’s regulatory approach to digital health associated with pharmaceuticals (click here for information about our Digital Health team’s webinar on the topic). Commissioner Gottlieb recognized the regulatory uncertainty and announced that FDA will seek public input “on the right approach to incorporating software that’s designed to be used with prescription drugs” and “expand the opportunities to use digital health tools as part of drug development.” Specifically, FDA intends to:

  • Request input on how FDA can support development of digital health tools for approved drugs, including how to properly regulate software that undergoes rapid cycles of innovation;
  • Establish clear policies around how digital health tools can be baked into drug development programs;
  • Clarify that not all FDA requirements apply every time a digital health tool is employed in relation to a prescription drug or by a pharmaceutical manufacturer;
  • Enable sponsors to comply with regulatory requirements using digital health tools, such as post-market surveillance requirements; and
  • Allow for new safety and efficacy claims to be supported by data collected through digital health solutions (e.g. increased activity, improved mood, or greater social interactions for patients treated for severe depression).

FDA has not yet opened the public docket, but stakeholders should consider providing input to FDA given the significance of the regulatory issues involved. The Commissioner noted that FDA intends to advance a new framework through guidance, presumably after seeking input through the public docket.

(2) Expansion and Public Input on the Pre-Certification Pilot Program

FDA took another step in developing the novel model for pre-market review of software devices and released a draft working model for the Pre-Certification program. The model describes four components: (1) excellence appraisal and precertification; (2) review pathway determination; (3) streamlined premarket review; and (4) real world performance. Under the model, developers of software as a medical device (SaMD) would be certified into one of two levels based on objective demonstration of commitment to five excellence principles and the developer’s prior experience delivering SaMD or medical devices. Whether a particular SaMD product by that developer requires premarket review would depend on the precertification level, the seriousness of the healthcare situation or condition addressed by the product, and the significance of the information provided by the product to a healthcare decision.

The working model includes a number of “challenge questions” on which the agency seeks input from stakeholders. The agency has stressed that the Pre-Cert program is intended to be an iterative, collaborative experience and is actively seeking stakeholder comments. FDA requested comments on the challenge questions for the working model by May 31, 2018. Comments may be submitted to the public docket electronically.

The agency also published a roadmap for next steps in the development of the program, under which the agency will launch “Pre Cert 1.0,” a first version of the program by the end of 2018, with further refinement of the program in 2019. There’s also been congressional interest in the program, which we’ll also continue to monitor for our clients.

On May 10, 2018, FDA will host an interactive user session to discuss the agency’s progress on the Pre-Cert pilot program, the working model, and the roadmap.

(3) New Framework for FDA’s Approach to Artificial Intelligence

Given the rapidly expanding use of AI-based technologies in health care, Commissioner Gottlieb announced that FDA was “actively developing a new regulatory framework to promote innovation . . . and support the use of AI-based technologies.” This includes applying the Pre-Cert program in a way that accounts for the ability of machine learning-based technologies to improve over time, by allowing pre-certified companies to make certain minor changes without premarket review. In addition, the agency will ensure that other aspects of the regulatory framework, “such as new software validation tools, are sufficiently flexible to keep pace with the unique attributes of this rapidly advancing field.”

FDA expects an increasing number of AI-based premarket submissions. The agency is working with AI experts to understand how AI-based technologies can be validated and “and how patients and providers can be confident that they’re reliable, unbiased, and will help improve health outcomes.” In addition, FDA will consider how to communicate to patients and providers the connection between decision-making in traditional health care settings and the use of these advanced technologies.

(4) Continued FDA Guidance Implementing the Cures Act: Multiple Functions Guidance

Pursuant to the agency’s Digital Health Innovation Action Plan, FDA issued a draft guidance, “Multiple Function Device Products: Policy Considerations,” addressing products that contain multiple functions, some of which are subject to FDA regulatory oversight as medical devices and others of which are not.  The Center for Devices and Radiological Health (CDRH) and the Center for Biologics Evaluation and Research (CBER) issued the draft guidance, but the Center for Drug Evaluation and Research (CDER) did not join.  The 21st Century Cures Act outlined a function-by-function approach to determining appropriate FDA regulation of health and medical software, and the Cures Act permits FDA to regulate only those software functions that meet the definition of a device, although the agency may consider the impact of the non-device software functions on the regulated device functions. While the Cures Act provision is specific to software, the new draft guidance applies to other types of products that include both device and non-device functions.

Stakeholders can submit comments on the draft guidance in the electronic docket through June 26, 2018.

(5) New Digital Safety Reporting for Drug and Biologic Clinical Trials

FDA will implement a new program to enable a unified data standard for meeting electronic reporting requirements under the expedited safety-reporting regulations of an Investigational New Drug application (IND). According to FDA, the program builds off a recently-completed pilot program assessing the feasibility of a digital submission process in which IND safety reports were transmitted to FDA as data that can be easily visualized and analyzed. The goal of the new digital framework is to significantly improve the efficiency and accuracy of the premarket safety submission and review process.

(6) New Digital Health Incubator at FDA: INFORMED

The agency is creating an internal data science incubator called the Information Exchange and Data Transformation, or INFORMED. Launched in collaboration with HHS Innovation, Design, Entrepreneurship and Action (IDEA) Lab, the incubator will focus on the “conduct of regulatory science research in areas related to health technology and advanced analytics related to cancer” to help modernize the framework for “advancing promising digital health tools.”


  • Examine “modern approaches in evidence generation to support regulatory decisions,” with a special emphasis on oncology regulatory science;
  • Develop new clinical endpoints and signal detection methods for evaluation of the safety and effectiveness of therapies;
  • Develop new approaches for understanding variations in individual patient experience using diverse data sets from clinical trials, EHRs, and biometric monitoring devices; and
  • Develop principles and definitions for the validity and strength of AI -derived evidence in the context of product approval and regulations.