Procurement Tenders in the Health Sector: More Protection for Patient Data

On March 6, 2020, the Italian Data Protection Authority (“Garante”) reported on new measures designed to protect the health data of patients in the context of Government procurement efforts (calls for tender) to acquire medical equipment and devices. The new measures are the result of a collaboration between the Garante and Consip, a company wholly owned by the Ministry of Economy that supports public administration in the area of procurement.

According to the Garante, calls for tender for medical equipment and devices must include clauses prohibiting suppliers who perform remote maintenance services from directly accessing patient “master data” in diagnostic images. The tender must also designate the awarded supplier as a data processor of patient health data processed in the context of the maintenance services. Finally, tenders must contain specific language on the appropriate modalities for suppliers to obtain anonymized diagnostic images.

According to the Garante, Consip will initiate discussions with the sector on how to implement features in their equipment that respect principles of privacy by design and default in the context of remote assistance and maintenance services.

This follows from a decision issued by the Garante in September 2019, in which it found that a healthcare institution unlawfully disclosed CT images to a company supplying medical equipment for diagnostic purposes. The Garante determined that there was no adequate legal basis for the disclosure of this health data of the patients affected. The Garante also found that the company used the data for purposes other than those for which it was permitted as a data processor (e.g., in support of its tender applications).

UK Government’s Advisory Committee Publishes Report on Public Sector Use of AI

On February 10, 2020, the UK Government’s Committee on Standards in Public Life* (the “Committee”) published its Report on Artificial Intelligence and Public Standards (the “Report”). The Report examines potential opportunities and hurdles in the deployment of AI in the public sector, including how such deployment may implicate the “Seven Principles of Public Life” applicable to holders of public office, also known as the “Nolan Principles” (available here). It also sets out practical recommendations for use of AI in public services, which will be of interest to companies supplying AI technologies to the public sector (including the UK National Health Service (“NHS”)), or offering public services directly to UK citizens on behalf of the UK Government. The Report elaborates on the UK Government’s June 2019 Guide to using AI in the public sector (see our previous blog here).

European Commission’s Plans for AI and Data: Focus on Digital Health (Part 4 of 4)

In this final instalment of our series of blogs on the European Commission’s plans for AI and data, announced on 19 February 2020, we discuss some potential effects on companies in the digital health sector. As discussed in our previous blog posts (here, here and here), the papers published by the European Commission cover broad concepts and apply generally — but, in places, they specifically mention healthcare and medical devices.

The Commission recognizes the important role that AI and big data analysis can play in improving healthcare, but also notes the specific risks that could arise given the effects that such new technologies may have on individuals’ health, safety, and fundamental rights. The Commission also notes that existing EU legislation already affords a high level of protection for individuals, including through medical devices laws and data protection laws. The Commission’s proposals therefore focus on addressing the gap between these existing rules and the residual risks that remain in respect of new technologies. Note that the Commission’s proposals in the White Paper on AI are open for public consultation until 19 May 2020.

NHSX Consults on Draft Digital Health Technology Standard

On February 27, 2020, NHSX, the technology and digital unit of the NHS, published its draft Digital Health Technology Standard (the “Standard”) for consultation with stakeholders in the digital health space (the “Consultation”). The Consultation is open until 22 April 2020 (and is available here).

The Standard, which is based on existing industry and health standards, is intended to streamline how digital health technologies are reviewed and commissioned by the NHS and social care.

European Commission’s plans on data and Europe’s digital future (Part 3 of 4)

On 19 February 2020, the new European Commission published two Communications relating to its five-year digital strategy: one on shaping Europe’s digital future, and one on its European strategy for data (the Commission also published a white paper proposing its strategy on AI; see our previous blogs here and here).  In both Communications, the Commission sets out a vision of the EU powered by digital solutions that are strongly rooted in European values and EU fundamental rights.  Both Communications also emphasize the intent to strengthen “European technological sovereignty”, which in the Commission’s view will enable the EU to define its own rules and values in the digital age.  The Communications set out the Commission’s plans to achieve this vision.

European Commission’s White Paper on Artificial Intelligence (Part 2 of 4)

The European Commission, as part of the launch of its digital strategy for the next five years, published on 19 February 2020 a White Paper On Artificial Intelligence – A European approach to excellence and trust (the “White Paper”).  (See our previous blog here for a summary of all four of the main papers published by the Commission.)  The White Paper recognizes the opportunities AI presents to Europe’s digital economy, and presents the Commission’s vision for a coordinated approach to promoting the uptake of AI in the EU and addressing the risks associated with certain uses of AI.  The White Paper is open for public consultation until 19 May 2020.

EHR Vendor Admits to Soliciting and Receiving Kickbacks in Exchange for Promoting Prescription Opioids

Practice Fusion, Inc. (Practice Fusion), an electronic health record (EHR) vendor acquired by Allscripts in 2018, recently agreed to pay $145 million to resolve criminal and civil investigations related to an illegal kickback arrangement with a major opioid company.

The settlement included $26 million in criminal fines and forfeiture to resolve two felony charges related to Anti-Kickback Statute (AKS) violations.  Pursuant to the settlement, Practice Fusion admitted that “it solicited and received kickbacks from a major opioid company in exchange for utilizing its EHR software to influence physician prescribing of opioid pain medications.”  Practice Fusion acknowledged that it implemented CDS alerts with the intention of increasing the likelihood that doctors would prescribe extended release opioids (“EROs”).  The criminal fine is the largest in the history of the District of Vermont.

Christina E. Nolan, U.S. Attorney for the District of Vermont, stated that the arrangement allowed the opioid company “to inject itself in the sacred doctor-patient relationship.”  She added, “The companies illegally conspired to allow the drug company to have its thumb on the scale at precisely the moment a doctor was making incredibly intimate, personal, and important decisions about a patient’s medical care, including the need for pain medication and prescription amounts.”

As part of its three-year Deferred Prosecution Agreement, Practice Fusion agreed to adopt a comprehensive compliance program to prevent such abuses from occurring in the future.  Practice Fusion also agreed to pay $118.6 million to resolve civil federal and state False Claims Act (FCA) claims that Practice Fusion misled the government certifying body regarding certain functionalities of its EHR software.

The Practice Fusion settlement represents DOJ’s third civil EHR vendor settlement in recent years, following the eClinicalWorks settlement in May 2017 and the Greenway Health settlement in February 2019.  The U.S. Attorney’s Office for the District of Vermont and DOJ’s Commercial Litigation Branch, Fraud Section, led both matters.  In announcing the eClinicalWorks settlement, U.S. Attorney Nolan stated that “EHR companies should consider themselves on notice.”  This is the first time DOJ has taken criminal action against an EHR vendor.

European Commission Presents Strategies for Data and AI (Part 1 of 4)

On 19 February 2020, the European Commission presented its long-awaited strategies for data and AI.  These follow Commission President Ursula von der Leyen’s commitment upon taking office to put forward legislative proposals for a “coordinated European approach to the human and ethical implications of AI” within the new Commission’s first 100 days.  Although the papers published this week do not set out a comprehensive EU legal framework for AI, they do give a clear indication of the Commission’s key priorities and anticipated next steps.

The Commission strategies are set out in four separate papers—two on AI, and one each on Europe’s digital future and the data economy.  Read together, it is clear that the Commission seeks to position the EU as a digital leader, both in terms of trustworthy AI and the wider data economy.

New Report Recommends Putting Public Engagement at the Heart of NHS Health Data Strategy

The Institute of Global Health Innovation at Imperial College London has published a report called “NHS data: Maximising its impact on the health and wealth of the United Kingdom” (the “Report”).[1] The Report begins from the premise that the knowledge gleaned from the combination of patient health data and “big data” technologies has incredible potential for “transformative …impact” on patient health, scientific advancement and the UK’s economy. However, the Report argues that the current efforts of scientists, medical professionals and the UK government to develop the UK’s capacities are not sufficiently coordinated to maximise that potential. To address this, the Report presents a single, high-level, strategic framework for the collection, governance and use of patient health data in the NHS.

Germany Publishes Draft Regulation on the Reimbursement of Digital Health Applications

Germany recently enacted a law that enables state health insurance schemes to reimburse costs related to the use of digital health applications (“health apps”), but the law requires the Federal Ministry of Health to first develop the reimbursement process for such apps.  Accordingly, on January 15, 2020, the German government published a draft regulation setting out the procedure for examining the eligibility of health apps to receive insurance reimbursements, as well as the requirements that such health apps must fulfill.

Notably, among its various obligations, the draft regulation and its Annex 1 include a number of data protection and data security requirements that health app developers must comply with if their health apps are to benefit from the reimbursement scheme.

According to the draft regulation, developers must:

  • implement appropriate data protection and security measures, taking into account the state of the art, the categories of personal data processed and the risk level;
  • carry out a Data Protection Impact Assessment;
  • obtain the explicit consent of the patient to process their health data (Art. 9(2)(a) GDPR);
  • not disclose data outside the European Economic Area to countries that do not provide an adequate level of protection of personal data pursuant to an adequacy decision of the European Commission (transfers on the basis of standard contract clauses or BCRs are apparently not allowed);
  • impose an obligation of confidentiality on all persons under its authority that have access to the personal data of the user; and
  • ensure the portability of the personal data.

The patient’s data may be used by the developer of the health app only:

  • for the intended use of the health app and for the reimbursement procedure;
  • to prove the benefit of the application (in the framework of specific procedures regulated under Book V of the Social Security Code);
  • to comply with legal obligations imposed by the EU Medical Devices Regulation 2017/745 and the German Medical Devices Implementation Act; and
  • to ensure, on an ongoing basis, the technical functionality and user-friendliness of the health app.

The health app must be free of advertising, and the patient’s data must not be used for any advertising purposes whatsoever.

Developers must fill out a detailed checklist (Annex 1 of the draft regulation) explaining how they comply with the above requirements when applying for registration with the Federal Institute for Drugs and Medical Devices (BfArM).

Updates to the draft regulation and the procedure to register a health app for reimbursement will be published on a dedicated page of the BfArM’s website.