To avoid a real and imminent risk of shortages of devices on the EU market, the European Commission recently adopted Regulation (EU) 2023/607, extending the transitional provisions in Regulation (EU) 2017/745 (the “MDR”) and removing the sell-off period in the MDR and Regulation (EU) 2017/746 (the “IVDR”).  The Commission has published a Q&A on the practical aspects of the latest changes (the “Q&A”).  Below we set out the top 10 questions to think about when assessing how the changes to the MDR and IVDR may impact you and your medical devices.

As explained in our prior post, the Commission’s changes aim to address concerns regarding Notified Body capacity and the significant number of medical devices yet to transition to compliance with the MDR.

  1. What are the key changes?

The Commission has extended the transition period granted by the MDR for certain devices CE marked under the prior Medical Devices Directive 93/42/EEC (the “MDD”) and Active Implantable Medical Devices Directive 90/385/EEC (“AIMDD”).  It does not change the existing transition periods in the IVDR.  However, it removes the “sell-off” period from both the MDR and IVDR, meaning that legacy devices and IVDs already placed on the market can continue to be made available or put into service without being withdrawn.

In essence, the changes extend the period companies have to obtain MDR-compliant certificates and also provides more time for Notified Bodies to clear the backlog in their conformity assessments.  However, given that the transition period does not apply to new  medical devices the lack of Notified Body capacity may still lead to delays in bringing new products to market.

  1. Is my device covered by the transition periods?

The revised transition periods apply to legacy devices that meet certain criteria.  However, they do not apply to (i) Class I devices that are not up-classified under the MDR, (ii) new devices nor (iii) devices intended to substitute an MDD device where the manufacturer has made significant changes with regard to the design or intended purpose of the MDD device. 

  1. My device is a legacy device in Class IIa / Class IIb / Class III under the MDD.  What are the new transition periods?
  • Devices with Notified Body certificates valid on 20 March 2023

If a device has a Notified Body certificate of conformity that was granted on or after 25 May 2017, and which was still valid (and not withdrawn) on 20 March 2023, provided the manufacturer satisfies the requirements set out in question 5 below, the certificate shall remain valid after its expiry date until:

(a) “31 December 2027, for all class III devices, and for class IIb implantable devices except sutures, staples, dental fillings, dental braces, tooth crowns, screws, wedges, plates, wires, pins, clips and connectors;

(b) 31 December 2028, for class IIb devices other than those covered by point (a) of this paragraph, for class IIa devices, and for class I devices placed on the market in sterile condition or having a measuring function.” (emphasis added)

  • Devices with Notified Body certificates that expired before 20 March 2023

If a device has a Notified Body certificate that was granted on or after 25 May 2017, which was valid on 26 May 2021 but expired before 20 March 2023, it can also benefit from the extended transition periods above but only if:

(a) before the date of expiry of the certificate, the manufacturer signed an agreement with a Notified Body in accordance with section 4.3 of Annex VII MDR covering the device with the expired certificate or the device intended to substitute it; or

(b) the Competent Authority of a Member State has granted a derogation under Article 59 MDR or has required the manufacturer, in accordance with Article 97(1) MDR, to carry out the applicable conformity assessment procedure within a specified period of time.[1]

In addition, the manufacturer must satisfy the requirements in question 5 below.

  1. My device is Class I under the MDD/AIMDD but has been up-classified under the MDR.  Do I have additional time to comply with the MDR?

Devices that are self-assessed under MDD/AIMDD but require a Notified Body certificate under the MDR (“up-classified devices”) (including software medical devices) can also benefit from the transition periods provided the manufacturer drew up a declaration of conformity for the relevant device before 26 May 2021.  In such cases, the manufacturer can continue to place the device on the market until 31 December 2028, provided it satisfies the requirements set out in question 5 below.

  1. What conditions do I have to comply with to benefit from the transition period?

Eligible legacy devices will only benefit from the transition period if they comply with all the conditions set out in new Article 120(3c) MDR.  This requires:

(a) the devices must continue to comply with MDD, as applicable;

(b) there are no significant changes to design or intended purpose;

(c) the devices do not present an unacceptable risk to health and safety of patients, users or other persons, or to protection of public health;

(d) by 26 May 2024 the manufacturer must have a quality management system (“QMS”) in place; and

(e) by 26 May 2024 the manufacturer must have submitted an application and entered into a written agreement with a Notified Body.

  1. What are the new rules that apply to Class III custom-made implantable devices?

Under the MDR, the conformity assessment of Class III custom-made implantable devices requires the involvement of a Notified Body.  In light of this, the Commission has proposed an extension to the transition period for such devices.  Class III custom-made implantable devices can be placed on the market/put into service until 26 May 2026 so long as:

  • by 26 May 2024 the relevant manufacturer lodges a formal application with a Notified Body; and
  • by 26 September 2024 the manufacturer and Notified Body sign a written agreement.
  1. How do I evidence my device benefits from the extended transition period?

If you meet the relevant conditions, the extension of the transition period will be applied automatically by law.  During the transition period, Notified Bodies cannot

issue new MDD/AIMDD certificates.  However, they can provide written confirmation correcting or complementing information on an existing certificate.  As such, you can ask your Notified Body to update existing certificates to include the new expiry date. 

To demonstrate validity of the MDD/AIMDD certificate to third parties, you could also consider:

  • Providing a self-declaration confirming that the conditions for the extension are fulfilled and stating the end date of the transition period.  The self-declaration should clearly identify the devices covered by the extension and certificates concerned.
  • Obtaining a ‘confirmation letter’ from your Notified Body confirming receipt of the application for conformity assessment and the conclusion of a written agreement.
  1. What does removal of the “sell-off” period mean?

There is no longer a “sell-off” period in either the MDR or the IVDR.  This means that devices and IVDs placed on the market before the entry into force of the MDR or IVDR, as applicable, or during the transition period can continue to be made available/put into use without any limitation on time (subject to their shelf-life/expiry date).

  1. Do I still need to comply with the MDR post-marketing requirements?

Yes.  Manufacturers of devices benefitting from the revised transition periods still need to comply with the MDR’s requirements on post-market surveillance, market surveillance, vigilance, registration of economic operators and of devices.

  1. Does the transition period apply in the United Kingdom?

Changes to the MDR and IVDR automatically apply in Northern Ireland under the Northern Ireland Protocol.  Devices placed on the market in Northern Ireland can therefore benefit from the extension to the transition period.

The MDR and IVDR do not apply in Great Britain (England, Scotland and Wales).  However, the UK Medicines and Healthcare products Regulatory Agency (“MHRA”) confirmed certificates extended in compliance with EU rules “will also be recognized as valid for placing CE marked devices on the GB market.”  This is in line with the MHRA’s plans set out in the 2023 Spring Budget.  In this, the Chancellor stated the UK would move towards a system for rapid sign-off of technologies when approved by trusted regulators, including the EU.  See our blog discussing the Spring Budget here


[1] The Q&A states that “Even if the national derogation is limited in time or the manufacturer has been required to carry out the conformity assessment procedure within a given period of time, the device benefits from the full transitional period until 31 December 2027 or 31 December 2028, as applicable, provided the conditions set out in Article 120(3c) MDR are fulfilled. The certificate is deemed to be valid until the end of the applicable transitional period, unless it is withdrawn.”

Last week, Jeremy Hunt, Chancellor of the Exchequer, published his Spring Budget for the UK.  It identified life sciences and digital technologies as “high growth sectors,” which the UK Government wishes to prioritize.  Among other things, the Budget outlined the Government’s plans to simplify medicines and technology approvals, plus changes to the regulation and support of digital technologies and artificial intelligence (“AI”).  Essentially, the Government wants “the UK to be the best place in Europe for companies to locate, invest and grow” and has announced plans to “strengthen [our] technology and life science sectors.”  The Government intends to support those working in these sectors through regulatory changes, as well as better infrastructure and additional funding.  This blog post summarizes some of the key announcements.

Quick and simple medicines and technologies approvals

First, the Government’s ambition is for the UK to have the “quickest, simplest, regulatory approval in the world.”  Mr Hunt envisions achieving this through two key changes to UK medicines and technology regulations:

  1. Reliance on foreign approvals.  
    • The UK Medicines and Healthcare products Regulatory Agency (“MHRA”) will implement “rapid, often near automatic sign-off” for medicines and technologies approved by other trusted regulators, such as the United States, Europe and Japan.  
    • Going forwards, developers of medicines may be able to prioritize their regulatory approvals in the United States, EU or Japan, rather than preparing a standalone marketing authorization application (“MA”) for the UK.  The UK currently has reliance procedures in place for medicines that are centrally authorized by the European Commission or authorized in the EU through decentralized and mutual recognition procedures.  The new Government policy will significantly expand the scope of the MHRA’s reliance procedures so that it includes other foreign regulators, potentially increasing the speed to market for pharmaceutical products.
    • These new policies will also extend to “technologies.”  Given the MHRA has little involvement in the pre-market approval of medical devices, it is unclear to what extent this term includes medical devices.  However, we assume there would be scope for the UK to automatically recognize a regulatory approval of a medical device in the United States (such as a 510(k)) or an EU CE-mark for the purpose of obtaining a UKCA mark.  It might also give software medical devices benefiting from innovations in regulation, such as the U.S. FDA’s Software Pre-Cert Pilot Program, rapid access to the UK market. 
    • In any event, the intended upshot of these proposals is that global developers of medicines and technologies will be able to avoid UK-specific regulatory procedures, associated costs and concerns about navigating unique regulatory requirements for the UK market.  
    • Absent mutual recognition of UK approvals by other regulators, of course, a potential downside of more expansive reliance by UK is that this could limit the MHRA’s opportunities to be a truly innovative regulator.  Mindful of this risk, the Chancellor announced some rapid review initiatives. 
  1. Accelerated approval process.
    • From 2024, the MHRA will also implement a “swift approval process” for the most impactful new medicines and technologies, such as “cancer vaccines and AI therapeutics for mental health.”  In respect of medicines, we note that the MHRA currently offers a 150-day assessment route for high-quality national MA applications and the option for applications to be fast tracked if there is compelling evidence of benefit in a public health emergency or if there is a shortage of supply of an essential medicine.  We will need to wait for further detail before we know whether the MHRA will be able to accelerate these timelines even further and what the specific product criteria will be for this accelerated assessment route.

The Government announced £10 million extra funding for the MHRA over the next two years to implement the above ambitions.

The UK also announced its intent to do more to promote innovation and the digital economy.  It highlights Patrick Vallance’s Pro-Innovation Regulation of Technologies Review: Digital Technologies Report, noting that the Government accepts all nine of Sir Patrick Vallance’s recommendations.  Notably, for those in the life sciences sector, these include the implementation of: (1) regulatory sandboxes (to allow innovators and entrepreneurs to experiment without the heavy burden of regulation and the risk of fines); (2) a clear policy position on the relationship between intellectual property law and generative AI (to provide confidence to innovators and investors); and (3) greater industry access to public data.

The Budget also highlights a number of specific ways it will support AI and digital technologies:

  • Investment in infrastructure.  “AI needs computing horsepower.” As such, the Chancellor committed to investing around £900 million to build an exascale supercomputer and to establish a new AI Research Resource.  This should provide significant computer power for the UK AI community and allow researchers to work on areas such as new drug discovery.
  • Quantum Strategy.  The UK launched its Quantum Strategy, which includes a research and innovation programme and £2.5 billion of Government investment over 10 years.
  • Funding innovation accelerator programmes.  The Government will provide £100 million funding for the Innovation Accelerators programme (which covers 26 transformative R&D projects).
  • Critical areas of AI.  The Government will award £1 million every year for 10 years to researchers that drive progress in critical areas of AI.  There is currently no detail of what these areas are nor what is considered as “driving progress.”
  • Taskforce on foundational models.  The Government acknowledges the importance of foundation models and will establish a taskforce to advance UK sovereign capability to ensure the UK is at the cutting edge of the technology.
  • Metaverse.  The Government plans to lead the way on regulation of AI and the future of web technology.

The Government’s announcements are a positive step in the right direction.  However, as always, the devil will be in the detail.  The Covington Life Sciences team is following these developments and will provide further updates in due course.

Innovative digital solutions intended to address health issues typically experienced by women have been an area of increased focus.  Ranging from reproductive-related mobile applications to AI-enabled breast cancer screening devices, digital solutions for women+ health show promise to serve an enormous market with medical needs that have often failed to get the level of attention that women deserve.  Experts estimate that the women+ health market could skyrocket in worth in the coming years — potentially reaching $475 billion by 2027.[1]  And women’s health in general has gained attention at the federal level, with FDA’s Center for Devices and Radiological Health sharing a “Health of Women Program Strategic Plan”[2] in 2022 and the Biden Administration making women’s health a stated priority.  International governments also are increasingly focusing on women’s health issues.[3]  This post outlines five reasons digital solutions for women+ health should be a front-burner digital health focus in 2023.

  1. The growing women+ health sector is normalizing the conversation around women’s health, leading to much-needed innovation in key areas.  Research suggests that people sometimes shy away from discussing health topics historically labeled as “taboo” — such as reproductive health, pregnancy loss, female sexual health and pleasure, period health, infertility, postnatal depression, incontinence, pelvic floor dysfunction, breastfeeding, and menopause.  Even well-intentioned healthcare providers are sometimes insufficiently informed to create and offer effective solutions and support for women+.[4]  The recent attention to digital solutions for women+ health serves to change these dynamics  — challenging and dispelling existing taboos, stigmas, and practices surrounding women’s health.  Digital solutions for women+ health can also help address social stigma and legal hurdles for the delivery of care, for example with telemedicine consultations on sexual health, abortions and menopause.  Innovators in the women+ health space aim to put women’s needs and voices at the core of products and services, thus empowering women to prioritize and openly discuss their health and wellness.  Increased and improved knowledge of women’s health issues, as well as growing access to women’s health data through digital offerings, will accelerate innovation in this area.
  2. Digital solutions for women+ health are advancing health equity among gender and racial lines.  History has shown disparities in both health access and outcomes among gender and racial lines, particularly for women of color.  Indeed, a recent literature review found that females “remain broadly under-represented in the medical literature, sex and gender are poorly reported and inadequately analyzed in research, and misogynistic perceptions continue to permeate the narrative.”[5]  Additionally, a 2022 study demonstrated that while women make up 50.8% of the U.S. population, only 41.2% of clinical trial participants from 2016-2019 were female.[6]  This is particularly concerning considering that the percentage of women affected by the diseases and disorders at issue in the clinical studies ranged from 49-60%.  For example, 60% of people with psychiatric disorders are women, but just 42% of participants in trials for psychiatric drugs were female.  The explosive growth of digital solutions in the women+ health arena is already helping to drive attention to these gaps in medical research and will be critical to addressing these issues — facilitating clinical trial participation from a broader scope of women and the generation of women-forward data sets.[7] 
  3. The expanding range of digital solutions for women+ health is creating opportunities for better and more cost effective health outcomes.  A variety of digital solutions for women+ health are on the market already, including menstrual period and symptom trackers, digital therapeutics for sexual wellness, fitness apps for pregnant and postpartum women, pelvic floor trainers, wearable technology for menopause support, digital contraceptives that enable women+ to track fertility and predict ovulation windows, innovative breast pumps, AI-enabled breast cancer screening software, and more.  As an example, in 2018 FDA permitted marketing of the first direct-to-consumer app as a method of contraception to prevent pregnancies, with another app to follow in 2021.[8]  More recently in late 2022, FDA cleared a device that uses AI and machine learning to flag areas on mammograms that are suggestive of the presence of at least one suspicious finding to categorize exams and allow for prioritization.[9]  Professionals have stated they plan to use this technology to “address data bias regarding breast health and imaging.”[10]  Similar products are making their way to the international market.  With healthcare costs a constant area of focus, some digital health solutions may offer a less expensive and more accessible option, and the breadth of solutions makes clear that innovators are thinking about ways to both address historically unmet medical needs, while also delivering solutions in cost effective ways.
  4. The women+ health sector is innovating to address the need to protect women’s privacy.  In the aftermath of the Supreme Court’s Dobbs decision, the privacy of women’s health information has never been more important.  Many digital solutions for women+ health are on the cutting edge of deploying privacy-by-design strategies to minimize the collection and retention of identifiable health and location information.  Last summer, many period tracking and fertility solutions announced innovations to better protect women’s privacy.[11]  These innovations are consistent with trends in regulation and enforcement.  Even prior to Dobbs, the FTC[12] and state attorneys general[13] have focused some of their enforcement activity on digital solutions for women+ health.  However, the Dobbs decision has accelerated that interest, as illustrated by President Biden’s Executive Order Protecting Access to Reproductive Health Care Services, which directs federal agencies to take various steps to protect consumer privacy in response to “this health crisis.”[14]  The FTC[15] and HHS[16] subsequently issued guidance on what is required by the pre-existing regulatory frameworks and reaffirmed the particular sensitivity of reproductive health data, and HHS Secretary Xavier Becerra has indicated that this area is an “enforcement priority.”[17]  State legislatures have also taken an increased interest in the privacy of women’s reproductive health and have proposed legislation to protect health data.  For example, Washington’s state legislature introduced a bill that would prevent sharing of certain women’s health data — including reproductive health data — without a consumer’s consent.[18]
  5. Digital solutions for women+ health will lead to more sex-specific data.  The physiology of a woman’s body is different than that of a man’s.  For example, women have unique presentations for serious conditions such as stroke and diabetes, but to date medical research and therapies have typically failed to take into account sex.  Additionally, as noted above, women have been underrepresented in clinical trials.  Changing clinical trial recruitment to recruit a higher percentage of women is a long-term challenge.  But digital solutions for women+ health could help solve some of the imbalance by collecting valuable data and creating communities of users for recruitment.  For example, real world data sets, such as those coming from wearables, could be used to develop sex-specific insights, and those insights could be used for sex-based protocols that could customize digital care responses.

In short, as digital solutions for women+ health continue to expand, the opportunities to serve unmet needs for women’s health, improve medical research, and deliver better, cost efficient care increases.  Of course, the rise of these solutions also implicates a host of regulatory considerations, such as how companies will ensure privacy of women’s health data and whether certain digital solutions for women+ health will be considered medical devices subject to regulatory oversight in the U.S. and elsewhere.  As women+ health solutions continue to grow, we expect federal and international guidance to develop as well — including advancements on CDRH’s Health of Women Program Strategic Plan.  Navigating those developments will be key to realizing those opportunities.


[1] https://www.law.com/thelegalintelligencer/2022/10/08/femtech-what-to-watch-for-womens-wellness/.

[2] https://www.fda.gov/media/155461/download.

[3] See, e.g., https://www.gov.uk/government/publications/our-vision-for-the-womens-health-strategy-for-england.

[4] Id.

[5] https://www.liebertpub.com/doi/10.1089/whr.2021.0083.

[6] https://www.sciencedirect.com/science/article/pii/S1551714422000441?via%3Dihub; see also https://www.washingtonpost.com/health/2022/06/27/underrepresentation-women-clinical-trials/.

[7] https://www.mobihealthnews.com/news/clinical-trials-have-historic-gender-gap-tech-could-help.

[8] https://www.fda.gov/news-events/press-announcements/fda-allows-marketing-first-direct-consumer-app-contraceptive-use-prevent-pregnancy; https://www.accessdata.fda.gov/cdrh_docs/pdf19/K193330.pdf.

[9] https://www.accessdata.fda.gov/cdrh_docs/pdf22/K220080.pdf.

[10] Id.

[11] https://www.cnn.com/2022/07/08/tech/period-tracking-apps-data-privacy/index.html.

[12] https://www.ftc.gov/news-events/news/press-releases/2021/01/developer-popular-womens-fertility-tracking-app-settles-ftc-allegations-it-misled-consumers-about.

[13] https://oag.ca.gov/news/press-releases/attorney-general-becerra-announces-landmark-settlement-against-glow-inc-%E2%80%93.

[14] https://www.govinfo.gov/content/pkg/FR-2022-07-13/pdf/2022-15138.pdf.

[15] https://www.ftc.gov/business-guidance/blog/2022/07/location-health-and-other-sensitive-information-ftc-committed-fully-enforcing-law-against-illegal.

[16] https://www.hhs.gov/about/news/2022/06/29/hhs-issues-guidance-to-protect-patient-privacy-in-wake-of-supreme-court-decision-on-roe.html.

[17] Id.

[18] https://lawfilesext.leg.wa.gov/biennium/2023-24/Pdf/Bills/House%20Bills/1155.pdf?q=20230109060119.

On December 19, 2022, the U.S. Department of Health and Human Services (“HHS”) through the Centers for Medicare & Medicaid Services (“CMS”) issued a proposed rule to adopt standards for certain electronic health transactions.  Specifically, the proposed rule would adopt standards for health care attachment transactions (e.g., medical charts, x-rays, provider notes) and electronic signatures to be used in conjunction with health care attachments, and modify the standard for referral certification and authorization transaction.  The proposed rule would apply to entities regulated by the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations (collectively, “HIPAA”), and would implement certain requirements of the Administrative Simplification subtitle of HIPAA and the Patient Protection and Affordable Care Act (“ACA”) that require the Secretary of HHS to adopt and update standards for electronic health transactions, code sets, unique identifiers, as well as the electronic exchange for health information.

Continue Reading HHS Proposes Rule to Improve Standards for Electronic Prior Authorizations and Other Transactions with Health Care Attachments

On December 7, 2022, the Federal Trade Commission (“FTC”), along with the U.S. Department of Health and Human Services (“HHS”) and the U.S. Food and Drug Administration (“FDA”), announced updates to the Mobile Health App Interactive Tool­—a questionnaire designed to help mobile health app developers identify federal laws and regulations that may apply to their products.

The tool is designed for mobile apps that access, collect, share, use, or maintain information related to a consumer’s health through features such as fitness tracking, medical record sharing, sleep monitoring, disease diagnostics, and more.

The tool guides developers through fifteen questions, including:

  • Does/will your app collect, share, use, or maintain health information?
  • Is your app for use by consumers?
  • Does your app include a device software function that is the focus of FDA’s oversight?

Based on the answer to each question, the tool directs the user to other relevant questions and highlights at each step the laws and regulations that may apply to the mobile app.  The tool covers, among other laws and regulations, the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations (collectively, “HIPAA”), the Food, Drug, and Cosmetic Act (“FD&C Act”), the FTC Act, and the 21st Century Cures Act.

The tool was first released in 2016 and included ten questions to help developers determine whether their apps would be subject to HIPAA, the FD&C Act, the FTC Act, and/or the FTC’s Health Breach Notification Rule.  The latest update to the tool adds new questions to help mobile developers understand legal requirements for their apps under the Children’s Online Privacy Protection Rule (“COPPA Rule”) and the 21st Century Cures Act but does not refine the analysis for the laws covered in the original version.  The tool is not intended to offer legal advice and is provided for informational purposes only.

On December 2, 2022, the U.S. Department of Health and Human Services (“HHS”), through the Office for Civil Rights (“OCR”) and the Substance Abuse and Mental Health Services Administration (“SAMHSA”), issued a proposed rule to implement statutory amendments enacted by Section 3221 of the 2020 Coronavirus Aid, Relief, and Economic Security Act (“CARES Act”).  Specifically, the proposed rule would harmonize certain provisions of the Confidentiality of Substance Use Disorder Patient Records under 42 C.F.R. Part 2 (“Part 2”) with the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations (collectively, “HIPAA”).  

Section 3221 of the CARES Act amended several provisions of the statute underlying the Part 2 regulations to better align Part 2 with HIPAA.  For example, as amended, the statute permits an individual’s substance use disorder records regulated by Part 2 (“SUD Records”) to be used and disclosed in accordance with a single prior consent and allows HIPAA covered entities and their business associates to disclose SUD Records for treatment, payment, and health care operations in accordance with HIPAA when an individual has provided consent to the disclosure of his/her SUD Records.  Prior to the changes made by the CARES Act, the disclosure of SUD Records required a specific, written consent for each proposed disclosure, and it was permissible to disclose SUD Records without consent only in limited circumstances (e.g., medical emergency or court order).  As a result, entities subject to both HIPAA and Part 2 were required to follow different, more restrictive procedures for the disclosure of SUD Records than for the disclosure of other protected health information (“PHI”). 

The CARES Act required HHS to engage in rulemaking to implement various statutory changes.  Specifically, the proposed rule would modify Part 2 in accordance with the CARES Act by:

  • Generally allowing for the redisclosure of SUD Records in the same manner permitted by the HIPAA Privacy Rule (i.e., allowing for a single consent to suffice for Part 2 covered entities as it relates to further disclosures of SUD Records for treatment, payment, and health care operations), though the proposed rule requires any disclosures of SUD Records to non-HIPAA covered entities or business associates be pursuant to contractual or legally equivalent restrictions on the recipient’s use and disclosure of SUD Records in accordance with those permissible under Part 2;
  • Giving individuals a right to an accounting of and restriction on disclosures of SUD Records, in accordance with the rights individuals have under HIPAA with respect to their PHI;
  • Expanding the prohibition on the use and disclosures of SUD Records in civil, criminal, administrative, and legislative proceedings against patients unless patient consent or a court order is issued;
  • Applying the same civil and criminal penalties to violations of Part 2 as apply to violations of HIPAA (e.g., the imposition of civil monetary penalties);
  • Applying the same breach notification standards to breaches of SUD Records as apply to breaches of PHI in accordance with the HIPAA Breach Notification Rule;
  • Modifying the requirements for a Part 2 patient confidentiality notice to more closely align with the requirements and content of a HIPAA Notice of Privacy Practices (“NPP”); and
  • Aligning the requirements for a valid written consent under Part 2 with the requirements for a valid HIPAA authorization under the Privacy Rule.

The proposed rule would also modify the HIPAA Privacy Rule to require covered entities that receive and maintain SUD Records—and thus must comply with Part 2 requirements for these records—to modify their NPPs to reference patients’ rights with respect to SUD Rrecords.  For example, impacted covered entities would be required to disclose the uses and disclosures of SUD Records that are permitted or required without an authorization.

The CARES Act also contained certain antidiscrimination provisions related to SUD Records that HHS intends to implement as part of a separate rulemaking process.

Comments on the proposed rule are due by January 31, 2023.

On September 28, the governor of California signed into law AB 2089, which expands the scope of California’s Confidentiality of Medical Information Act (“CMIA”) to cover mental health services that are delivered through digital health solutions and the associated health information generated from these services. 

Continue Reading California Expands the Scope of the CMIA to Cover Certain Digital Mental Health Services and Information

The UK has reaffirmed its commitment to leading the way in regulatory innovation in software as a medical device (“SaMD”) and artificial intelligence as a medical device (“AIaMD”).  On 17 October 2022, the UK Medicines & Healthcare products Regulatory Agency (“MHRA”) published its Guidance on “Software and AI as a Medical Device Change Programme – Roadmap.”  It builds on the Government response to consultation on the future regulation of medical devices in the UK and follows on from the Software and AI as a Medical Device Change Programme, which was published in 2021.  The MHRA has provided deliverables, which map out a course for change to the regulation of this sector.

Aim:

The MHRA’s primary aim is “to protect patients and public whilst ensuring that we accelerate responsible innovation.”  To achieve this, MHRA places emphasis on (A) safety; (B) clarity and streamlined processes (facilitated through guidance and designated standards); and (C) removing friction through a joined up offering for digital health in the UK and strengthening international convergence.

Approach:

At its core, the MHRA’s approach to developing the Roadmap is “patient centred” (noting that AIaMD raises broad questions for society) and highlights need for innovation in this sector to be inclusive across all populations.  The MHRA also wants to support manufacturers and so wants to provide tools to demonstrate conformity (working with BSI to develop standards and tools) and wants to reduce regulatory burdens on industry by driving international consensus.  To achieve this the MHRA intends to update the legislative regulatory framework for SaMD/AIaMD.  However, the majority of changes will be introduced through guidance.  The MHRA highlights that this approach is supported across the government and it has considered related areas of law when developing this framework for medical devices.

Work Packages:

The MHRA sets out a number of work packages (some as standalone packages and others nested within others).  Each package includes (i) a problem statement; (ii) the objectives that breakdown the problem; and (iii) specific deliverables that the MHRA will use to meet the objectives.  We have not covered them in detail but, in summary, these work packages cover:

  • WP 1 Qualification – the MHRA will address the lack of clarity on what qualifies as SaMD and software in a medical device, help manufacturers craft an intended purpose and clarify the concept of “manufacturer” for SaMD.
  • WP 2 Classification – reclassify software so the classification rules are proportionate to the risk.  The MHRA will reform the classification rules, explore the “airlock process” and provide guidance.
  • WP 3 Premarket Requirements – premarket requirements for software will be clarified so the requirements fit software.  The MHRA list six deliverables including reviewing the essential requirements, providing “Best practice” for development and deployment plus providing guidance on a number of topics (retrospective non-interventional studies, joint guidance with the Health Research Authority on governance of research and the importance of human-centered SaMD).
  • WP 4 Post Market – the MHRA highlights that it needs to obtain stronger safety signals for SaMD.  The MHRA will look at adverse incidents for SaMD, change management plus predetermined change control plans/protocols and best practice for expanding the intended purpose of medical devices.
  • WP 5 Cyber Secure Medical Devices – the current regulations do not consider cyber security vulnerabilities.  The MHRA will consider cyber security requirements, management of unsupported software devices (i.e., when manufacturers exit the market) and reporting of vulnerabilities.
  • WP 9 AI RIGOUR – the MHRA notes the lack of clarity on how devices using AI can best meet medical device requirements.  The MHRA intends to develop good machine learning guidance to supplement the good machine learning guiding principles published last year (see our previous blog post here).  Alongside BSI, it will map out and develop standards.  It will also develop best practice guidance and consider experimental work to detect, measure and correct for bias.
  • WP 10 Project Glass Box (Interpretability) – current regulatory requirements do not consider adequately interpretability of AIaMD and the impact this has on safety and efficacy.  The MHRA will develop best practice guidance on “human-centered SaMD” and will produce standards on the development of trustworthy AI.
  • WP 11 – Project Ship of Theseus (Adaptivity) – current systems on the notification and management of change do not fit AIaMD.  The MHRA will thus create guiding principles on adaptivity and change management, explore the concept of “drift” and significant/substantial change and set out proposals for predetermined change control plans for SaMD and AIaMD.

The MHRA intends to publish deliverables in a step-wise manner.  Industry should expect to see the first sub-set of deliverables by the end of this year. 

Comment:

The UK indicated a potential benefit of leaving the EU was that it could develop a world-leading regulatory framework.  However, there has been little in the Government’s response to the Consultation on the future regulation of medical devices in the UK that would make the UK “world-leading.”  Arguably, at best many of the suggested changes merely align the UK with other jurisdictions and at worst add additional regulatory hurdles.  However, the MHRA’s latest announcements suggests that for the SaMD and AIaMD space the UK Government is committed to being world-leading and supporting innovation in a patient centered way.  The MHRA is driving forward the development of practical guidance and standards, the lack of which is often bemoaned by those working in this sector.  However, the MHRA seems alive to the issue of creating frameworks/requirements that add burdens and so is emphasizing its aim to align not only with other areas in the UK (including NICE, CQC and HRA) but also internationally.  This could be an area in which the UK is able to take a leading role in creating a regulatory system to protect patients and promote innovation.

Digital health technologies, including algorithms for use in health care, are being developed to aid healthcare providers and serve patients, from use with administrative tasks and workflow to diagnostic and decision support.  The use of artificial intelligence (“AI”) and machine learning algorithms in health care holds great promise, with the ability to help streamline care and improve patient outcomes.  At the same time, algorithms can introduce bias if they are developed and trained using data from historical datasets that harbor existing prejudices.  Both state and federal governments have taken steps to address the potential for racial and ethnic disparities in use of algorithms by healthcare facilities, demonstrating that this continues to be a top priority as new technologies are deployed in health care.

California Attorney General Rob Bonta recently sent letters to 30 hospital CEOs across the state requesting information about how healthcare facilities and other providers are identifying and addressing racial and ethnic disparities in software they use to help make decisions about patient care or hospital administration.  The press release stressed the importance of identifying and combatting racial health disparities in healthcare algorithms, and the AG’s letter seeks information such as a list of all decision-making tools or algorithms the hospitals use for clinical decision support, health management, operational optimization, or payment management; the purposes for which these tools are currently used and how they inform decisions; and the names of the persons responsible for ensuring they do not have a disparate impact based on race.  Responses are due to the AG by October 15. 

The federal government also has made disparities in health care a top priority.  For example, the Department of Health and Human Services (HHS) recently issued a proposed rule regarding nondiscrimination in health programs and activities.  Amongst other proposals aimed at combatting discrimination, HHS proposed provisions related to nondiscrimination in the use of clinical algorithms in healthcare decision-making and in telehealth services.  Proposed § 92.210 states that “a covered entity must not discriminate against any individual on the basis of race, color, national origin, sex, age, or disability through the use of clinical algorithms in its decision-making.”  The proposed rule notes that a covered entity would not be liable for clinical algorithms they did not develop, but HHS proposes to impose liability for any decisions made in reliance on clinical algorithms if they rest upon or result in discrimination.  The proposed rule noted that the Department “believes it is critical to address this issue explicitly in this rulemaking given recent research demonstrating the prevalence of clinical algorithms that may result in discrimination.”  Comments are due to HHS by October 3.  HHS specifically seeks input on whether the provision should include additional forms of automated decision-making tools beyond clinical algorithms; whether the provision should include potential actions covered entities should take to mitigate discriminatory outcomes; and recommendations on how to identify and mitigate discrimination resulting from the usage of clinical algorithms.

These state and federal actions, as well as the associated responses, could inform ongoing dialogue about how to advance the use of digital health technologies while in parallel making progress to address inequities in health care.

The Medical Device Coordination Group (“MDCG”) has published a new position paper (MDCG 2022-14) acknowledging the significant and urgent lack of capacity of EU notified bodies.  It acknowledges the risk that this could lead to many existing and new medical devices and in vitro diagnostic medical devices (“IVDs”) not undergoing timely conformity assessments under Regulation (EU) 2017/745 (the “MDR”) or Regulation (EU) 2017/746 (the “IVDR”) (together, the “Regulations”)).  In turn, this could mean patients miss out on access to, potentially, lifesaving medical devices and IVDs.  As such, the MDCG has suggested actions for mitigating such challenges.  Importantly, there is a focus on flexibility and pragmatism.

Background

The introduction of the Regulations has meant that many new and existing medical devices and IVDs will need to undergo a conformity assessment by a notified body in the next few years in order to continue to be placed on the market in the EU. Additionally, the Regulations require the re-designation of notified bodies to allow them to conduct conformity assessments under the Regulations. The time-consuming process of such re-designation has led to there being an insufficient number of notified bodies available to conduct conformity assessments under the Regulations.

Thus, a lack of notified body capacity and a large number of devices requiring conformity assessment means there is a risk devices will not be CE marked prior to expiry of applicable transitional provisions, which could result in a disruption to the supply of devices and a significant knock-on impact for patients. 

The MDCG’s latest publication both recognizes and attempts to assuage these concerns by proposing counter-actions aimed to “enhance notified body capacity, access to notified bodies and manufacturers’ preparedness in order to facilitate transition to the MDR and IVDR and to avoid shortage of medical devices”.

This blog post seeks to summarize the MDCG’s recommendations.

Increase notified body capacity

The MDCG makes eleven (11) recommendations that aim to increase notified body capacity.

It advises that notified bodies:

  • use hybrid audits;
  • avoid unnecessary duplication of work (e.g., by leveraging evidence and previous assessment results generated under the prior directives);
  • rationale and streamline internal administrative processes; and
  • be flexible when carrying out “appropriate surveillance” of legacy devices (e.g., by combining audits under the prior directives and the Regulations).

Relevant parties are advised to:

  • foster capacity-building in new and existing notified bodies; and
  • make every effort to speed up the process for designation and notification of conformity assessment bodies.

The MDCG commits to:

  • review its guidance to “eliminate [the] administrative workload” of notified bodies”;
  • explore ways of adding codes to the designation of notified bodies in a timely manner (looking at the depth of assessment and ways to make it faster); and
  • prioritize its own actions aimed at contributing to notified body capacity (including revision of its guidance on the meaning of “personnel employed by the notified body”, MDCG 2019-6 rev. 3).

Additionally, the MDCG calls for the Eudamed framework, which allows machine-to-machine upload of information, to be developed and deployed as soon as possible.

Finally, and importantly, the MDCG clarifies the status of its guidance and how it should be used.  It states:

As regards the status of MDCG guidance documents, MDCG reminds that their main objective is to assist economic operators, notified bodies and competent authorities to apply the legal requirements in a harmonised way, providing possible solutions endorsed by the MDCG. Having regard to the status of guidance documents, economic operators and notified bodies should be allowed flexibility as to how to demonstrate compliance with legal requirements. Moreover, reasonable time needs to be given to integrate new guidance in the relevant systems and/or to apply them. That means that new guidance should not be applied to ongoing processes or applications already launched by a conformity assessment body for designation and/or a manufacturer for conformity assessment, unless application of such guidance yields increased efficiency of the process.” (emphasis added)

Thus, the MDCG takes a pragmatic approach by indicating that those undergoing assessments under the Regulations should not have to contend with new guidance published after an application has been submitted moving the goal posts mid-assessment.  Rather, new guidance should apply only to subsequent applications.


Increase access to notified bodies

The second category of MDCG suggestions are those focusing on “access to notified bodies”. The first of these emphasizes the obligation of notified bodies to make their standard fees publicly available, to allow manufacturers, particularly SMEs that may have fee concerns, to make informed decisions. The MDCG also suggests that notified bodies develop schemes to allow allocation of capacity for SME manufacturers and first-time applicants, ensuring that such entities have access to the requisite conformity assessments.

Increase preparedness of manufacturers

The MDCG’s position paper also offers suggestions with respect to increasing the preparedness of manufacturers.  The MDCG reiterates its previous advice of ensuring timely compliance with MDR and IVDR requirements (MDCG 2022-11).  However, it notes that notified bodies can support this as the MDCG also encourages “structured dialogues” between notified bodies and manufacturers both before and during the conformity assessment, where these will enhance the efficiency and predictability of the process.

The MDCG recommends that all parties involved in the assessment process increase communication and educational offerings to manufacturers via webinars, workshops, and targeted feedback sessions. The MDCG provides the example of notified bodies working on common application guidelines for manufacturers, alongside national authorities promoting engagement with relevant stakeholders at national level.

Other actions facilitating transition to MDR/IVDR and/or shortage of devices

In its final category of recommendations, the MDCG generally encourages greater pragmatism and a reduction in the complexity of conformity assessments for safe and effective legacy devices (including orphan devices). In pursuit of such, the MDCG proposes:

  • The publication of additional guidance in respect of the practical application of Article 61 MDR (clinical evaluation), and possibly Article 56 IVDR (performance evaluation and clinical evidence), and to make appropriate use of the MDCG’s guidance on clinical evaluation equivalence for legacy devices.
  • The publication of specific guidance (including a definition) on so-called ‘orphan devices’.
  • Encouraging medicines authorities to accept and efficiently process consultations by notified bodies regarding medical devices incorporating ancillary medical substances and companion diagnostics.  In particular, allowing expedited reviews for devices already certified following consultation with a medicines authority under the prior directives.  

The MDCG also notes that it will endeavour to formulate a “coordinated, transparent and coherent approach” in respect of derogations from applicable conformity assessment procedures (i.e., in the interest of public health, patient safety or patient health).

Comment

Although this is merely a position paper, it shows that the MDCG and regulators are acutely aware of the lack of capacity of notified bodies and the impact of the delay in notified body review. Whether these recommendations will lead to any concrete changes is yet to be seen but the recommendations may encourage notified bodies to take a more pragmatic and flexible approach to the conformity assessment of medical devices and IVDs.  This could help manufacturers complete the conformity assessment (and ultimately CE mark their devices) under the Regulations more efficiently. The further guidance that the MDCG indicates is forthcoming is also encouraging.