Patient Access to Electronic Health Data at the Forefront of Two HHS Proposed Rules

Digital health record

On March 4, 2019, the Department of Health and Human Services (HHS) published two proposed rules to improve patient access to personal health data. The two rules, issued by the HHS Centers for Medicare & Medicaid Services (CMS) and the Office of the National Coordinator for Health Information Technology (ONC), are intended to increase interoperability of electronic health information. These long-anticipated proposals follow legislative action undertaken in the 21st Century Cures Act. HHS indicated that, by increasing interoperability, it intends to empower patients with ownership of their medical histories and increase efficiency and quality of care in the health care industry.

CMS’s proposed rule on interoperability and patient access to health data would require Medicaid, the Children’s Health Insurance Program (CHIP), Medicare Advantage (MA), and Affordable Care Act federally-facilitated exchange (FFE) health plans to ensure patient access to electronic health information (EHI) by 2020. Key provisions of the proposed rule include:

  • Requiring plans to implement application programming interfaces (APIs), which are platforms that allow the transfer of electronic information between different computer systems. Last year, CMS established an API for Medicare fee-for-service plans through the MyHealthEData initiative. The proposed rule extends this initiative to other federal government-funded health plans. CMS indicated that, through the use of an API, it intends for patients to maintain access to their EHI throughout their “healthcare journeys,” even if they switch health plans.
  • Requiring Medicaid, CHIP, and MA health plans to make their entire provider directory available through API technology to facilitate patient access to in-network providers and providers’ ability to coordinate care with other providers. (FFE plans are already required to make their provider directories available and are excepted from this provision.)
  • Requiring MA organizations, Medicaid managed care plans, CHIP managed care entities, and issuers in the FFEs to participate in trust networks that allow the free and secure exchange of information over the internet, despite the use of different health IT networks.
  • Making publicly available a list of clinicians and hospitals that engage in information blocking practices that may prevent the disclosure and use of EHI and therefore undermine the aims of interoperability. By making the information publicly available, CMS hopes to incentivize providers to refrain from information blocking.
  • Requiring that states increase the frequency with which they share data on dually eligible Medicaid and Medicare beneficiaries from monthly to daily.
  • Requiring Medicare-participating hospitals to provide other providers and facilities with “electronic notifications when patients are admitted, discharged or transferred,” in order to improve patient care during transitions between settings and providers.

ONC’s proposed rule focuses on the more technical aspects of increasing interoperability. Key provisions of the rule include:

  • Providing standardized criteria for APIs to help health IT developers build apps patients can use to easily access their data. To reduce financial barriers to API adoption for government health plans, the rule also limits the fees API suppliers can charge and establishes pro-competitive conditions.
  • Establishing the following seven “reasonable and necessary” exceptions to the 21st Century Cures Act’s prohibition of information blocking:
    • Preventing patient harm
    • Promoting the privacy of EHI
    • Promoting the security of EHI
    • Recovering costs reasonably incurred in making EHI accessible
    • Responding to infeasible requests that impose a substantial burden
    • Licensing of interoperability elements on reasonable and non-discriminatory terms
    • Maintaining and improving health IT performance.
  • Establishing Conditions of Certification and Maintenance of Certification for health IT developers. These conditions prohibit information blocking, require assurances that developers will not engage in information blocking, prohibit developers from restricting communications about health IT, require compliance with API technical requirements, require real world testing, and require attestation to compliance with the Conditions and Maintenance of Certification requirements.

These proposed rules are part of a long-term plan to ensure safe and efficient exchange of EHI. Comments on the proposed rules are due May 3, 2019.

EMA-HMA joint taskforce publish report outlining recommendations for using ‘big data’ for medicines regulation

On 15 February 2019, the European Medicines Agency (EMA) and Heads of Medicines Agencies (HMA) published their Joint Big Data Taskforce’s summary report (available here) setting out recommendations for understanding the acceptability of evidence derived from ‘big data’ in support of the evaluation and supervision of medicines by regulators.

The Taskforce has sought to clarify the meaning of ‘big data’ within the medicines regulatory context, defining it within the report as: “extremely large datasets which may be complex, multi-dimensional, unstructured and heterogeneous, which are accumulating rapidly and which may be analysed computationally to reveal patterns, trends, and associations. In general big data sets require advanced or specialised methods to provide an answer within reliable constraints”.

The Taskforce was split into seven sub-groups, each focusing on different categories of datasets:

  1. Clinical trials and imaging;
  2. Observational (or ‘Real World’) data;
  3. Spontaneous adverse drug reports (ADR);
  4. Social media and mobile health;
  5. Genomics;
  6. Bioanalytical ‘omics (with a focus on proteomics); and
  7. Data analytics (this work is ongoing and cuts across the above six sub-groups; a further report is expected in Q1 2019).

The sub-groups were each asked, amongst other thing, to characterise their respective datasets; consider the specific areas where big data usability and applicability may add value; assess the existing competencies and expertise present across the European regulatory network regarding the analysis and interpretation of big data; and provide a list of recommendations and a ‘Big Data Roadmap’.

Continue Reading

Reconciling Personalized Nutrition with the GDPR

As with anything personalized, be it advertising, medicines or training schedules, also personalized nutrition — using information on individual characteristics to develop targeted nutritional advice, products, or services — risks being affected by the feared GDPR.  Kristof Van Quathem discusses the topic in Vitafoods’ Insights magazine of January 2019, available here.

NMPA Releases Draft Good Manufacturing Practice Appendix on Standalone Software

On January 3, 2019, the National Medical Products Administration (“NMPA”) published a draft standalone software appendix of medical device good manufacturing practice (“Draft Standalone Software GMP” or “Draft Appendix”) for public comment (available here).  Comments are due on January 30, 2019.

China revised its medical device GMP in 2014, which apply to all classes of devices regardless of whether they are imported or made in China.  Subsequently, NMPA added various appendices (fulu) to articulate special requirements for certain types of devices, including sterile, implantable, and in vitro diagnostic devices.    The Draft Appendix sets out proposed special requirements for software that falls under the definition of medical device.

In China, the definition of a medical device covers software that either itself constitutes a device (i.e., standalone software) or is an accessory/component of a device (i.e., component software).  The Draft Standalone Software GMP expressly applies to standalone software and it states that it applies, “by reference,” (mutatis mutandis) to component software.  If finalized, the Draft Standalone Software GMP would be effective on an undetermined date in 2020.

The Draft Appendix is a relatively simple document with four main sections:

  • scope and general principles of the Draft Appendix ;
  • special requirements for various aspects of the manufacturing and post-market processes (see below);
  • definitions of key terms; and
  • miscellaneous provisions.

Key features of the Draft Standalone Software GMP include the following:

Continue Reading

Are Wearables Medical Devices Requiring a CE-Mark in the EU?

Wearable watches that help consumers obtain a better understanding of their eating patterns; wearable clothes that send signals to treating physicians; smart watches: they are but a few examples of the increasingly available and increasingly sophisticated “wearables” on the EU market. These technologies are an integrated part of many people’s lives, and in some cases allow healthcare professionals to follow-up on the condition or habits of their patients, often in real-time. How do manufacturers determine what wearables qualify as medical devices? How do they assess whether their devices need a CE-mark? Must they differentiate between the actual “wearable” and the hardware or software that accompanies them? In this short contribution, we briefly analyze some of these questions. The article first examines what “wearables” are, and when they qualify as a medical device under current and future EU rules. It then addresses the relevance of the applicability of EU medical devices rules to these products. The application of these rules is often complex and highly fact-specific.

Continue Reading

EU Working Group Publishes Draft Guidance on AI Ethics

On 18 December 2018, the EU High-Level Expert Group on Artificial Intelligence (the “AI HLEG”) published new draft guidance on “AI Ethics” (the “guidance”).  The AI HLEG is a European Commission-backed working group made up of representatives from industry, academia and NGOs, and was formed as part of the Commission’s ongoing work to develop EU policy responses to the development, challenges and new opportunities posed by AI technologies.  Stakeholders are invited to comment on the draft through the European AI Alliance before it is finalized in March 2019.

The guidance recognizes the potential benefits of AI technologies for Europe, but also stresses that AI must be developed and implemented with a “human-centric approach” that results in “Trustworthy AI”. The guidance then explains in detail the concept of “Trustworthy AI” and the issues stakeholders should navigate in order to achieve it.  A more detailed summary of the guidance is set out below.

This guidance is not binding, but it is likely to influence EU policymakers as they consider whether and how to legislate in the AI space going forwards. AI HLEG also envisages that the final version of the guidance in March 2019 will include a mechanism to allow stakeholders to voluntarily endorse its principles.  The guidance also states that the AI HLEG will consider making legislative recommendations in its separate deliverable on “Policy & Investment Recommendations,” due May 2019.

Continue Reading

EESC supports the digital transformation of EU healthcare sector, emphasising data access and ownership as ‘crucial’ to the process

On 6 December 2018, the European Economic and Social Committee (EESC) published an opinion (“Opinion”) addressing the European Commission’s recent Communication on the digital transformation of health and care in the Digital Single Market (issued 25 April 2018).

The EESC is an advisory body of the European Union (“EU”) comprising representatives of workers’ and employers’ organisations and other interest groups.  It issues opinions to the European Commission, the Council of the EU, and the European Parliament. Although not legally binding, these opinions may serve to inform the legislative process.

This EESC Opinion voices strong support for the Commission’s vision to transform the healthcare sector across the EU through digitalisation and technological innovation. It lists a variety of benefits that the EESC believes will accrue from this modernisation effort – including more time for patient care, greater health literacy, new digital tools, and the improved interoperability of systems. But hand-in-hand with this endorsement, the EESC also raised several issues that it believes lawmakers should address to ensure that people remain “at the centre of care” throughout the process.

First, it noted that the right to access one’s health data and the ability to control the onward sharing of that data should be at the core of digital health transformation. Here, the Opinion cited the EU’s General Data Protection Regulation (“GDPR”) and said its rules must be adhered to whenever designing and implementing new technologies in this sector.

Furthermore, the Opinion presents a discussion on the ownership of health data. It offers a list of questions to consider whenever examining this concept, namely:

  • who owns the data?
  • who has the right to use the data?
  • under what conditions can other service providers use the data?
  • can the user freely use the data?

Notably, the EESC maintains that the original health data of each user “must be regarded as an original product generated by [that user]” which merits the protections of intellectual property law. Here, the Opinion calls for a “right to free copying” of data generated on digital health platforms, which can then be reused and re-aggregated in other services and algorithms as the individual may see fit. The Opinion argues that such a right would not only enable people to take back their digital identity, but also create a more robust freedom of choice in the marketplace of digital health platforms that would spur competitive innovation. It will certainly be interesting to see how (and whether) this concept of one’s health data as an “original product” will evolve over time.

The Opinion closes by considering the challenges and opportunities that await on the horizon of digital health transformation. These include not only the great promise of enabling technologies (such as 5G) and the possibility to rebalance the “socioeconomic asymmetries” of a data-sharing economy, but also the ethical issues of data mining and automated decision-making, as well as the ever-present risks of cybersecurity threats.

Key Takeaways from FDA’s Framework for Real-World Evidence for Pharmaceuticals

On December 7, FDA published the much-anticipated “Framework for FDA’s Real-World Evidence Program” for drugs and biological products (the “Framework”).  In a statement announcing the Framework, Commissioner Gottlieb recognized the opportunities and challenges of using real-world data (“RWD”) and real-world evidence (“RWE”) to enhance regulatory decision-making and noted that leveraging this information is “a top strategic priority for the FDA.”  FDA opened a docket for public comments on the Framework through February 5, 2019.

The Framework focuses in particular on the use of RWE to support regulatory decisions about effectiveness.  The agency outlines three considerations that will guide its overall RWE Program and inform the agency’s assessment of individual drug applications.  The Framework also offers background on the agency’s previous use and current initiatives with respect to RWE and related topics, such as innovative clinical trial designs.  This blog post provides an overview of FDA’s proposal and highlights a few initial takeaways noted by Covington’s Digital Health team.

Continue Reading

NICE adopts evidence standards for the development and assessment of digital health technologies (DHTs)

The UK’s National Institute for Health and Care Excellence (NICE) has recently published an evidence standards framework for DHTs (the Standards), available here.  It did so through a working group led by NHS England, but supported by representatives from Public Health England, MedCity and DigitalHealth.London.

The Standards cover DHTs, such as apps, programs and software – both standalone or combined with other products like medical devices or diagnostic tests – intended for use within the UK’s health and care system.  They seek to address some of the challenges faced by both companies developing DHTs and those within the UK healthcare system that commission and deploy these new technologies.  Both sides needed guidance on the criteria and evidence to demonstrate and assess the performance of DHTs and to measure their cost impact, so that all stakeholders assess these new technologies consistently.

The Standards classify DHTs in three tiers by function. The lowest tier 1 comprises DHTs with no measurable patient outcomes but that provide services to the health and social care system.  Tier 2 comprises DHTs that provide information, resources or activities about a condition or general health and lifestyle.  Tier 2 also includes DHTs that perform simple monitoring of general health using fitness wearables and simple symptom-measuring devices and DHTs that allow two-way communication.

The third tier is split into tier 3a, which includes DHTs intended to facilitate preventative behaviour change to address public health issues like smoking, alcohol, sexual health, eating, sleeping and exercise.  It also covers DHTs that allow people to self-manage a condition.  Tier 3b includes DHTs that guide treatment, e.g., that perform calculations that impact treatment diagnosis or care, and DHTs that diagnose conditions, including those involved in active monitoring of a specified condition.

For each tier, the Standards provide guidance on the evidence required to demonstrate effectiveness or performance.  Obviously, the lower the tier, the lower the evidentiary burden, required to demonstrate performance, reliability and accuracy.  In all cases the Standards set out the “minimum evidence standard” and a “best practice standard.”  At tier 1, “a plausible mode of action that is viewed as useful and relevant” by those in the relevant field may suffice as the minimum evidence required. At tier 3b, the best practice standard is “high-quality randomized controlled study or studies done in a setting relevant to the UK health and social care system, comparing the DHT with a relevant comparator and demonstrating consistent benefit including in clinical outcomes to the target population…

From an economic impact perspective, NICE offers some guidance based on its current experiences of digital health offerings and its experience in evaluating other medical technologies, such as devices and diagnostics.  Again, NICE uses a tier-based approach, but one based on whether the DHT presents a low or high financial risk to a payer or commissioner.  For low financial risk DHTs, a simple budget impact analysis may suffice. For high-risk, publicly funded DHTs, an estimated incremental cost-effectiveness ratio (ICER) or some other formal health economic assessment may be necessary.

NICE and the DHT working group intends to release further educational, case study and other supporting resources in early 2019.

IoT Update: The UK Government’s Response to Centre for Data Ethics and Innovation Consultation

On 20 November 2018, the UK government published its response (the “Response”) to the June 2018 consultation (the “Consultation”) regarding the proposed new Centre for Data Ethics and Innovation (“DEI”). First announced in the UK Chancellor’s Autumn 2017 Budget, the DEI will identify measures needed to strengthen the way data and AI are used and regulated, advising on addressing potential gaps in regulation and outlining best practices in the area. The DEI is described as being the first of its kind globally, and represents an opportunity for the UK to take the lead the debate on how data is regulated. Continue Reading