On May 13, 2025, the Centers for Medicare & Medicaid Services (CMS) and the Department of Health and Human Services’ Office of the Assistant Secretary for Technology Policy/Office of the National Coordinator for Health Information Technology (ASTP/ONC) announced a request for information seeking stakeholder input on the market of digital
Continue Reading CMS & HHS Health IT Office Issue Request for Information on Digital Health Products and Health Technology InfrastructureFDA Requests Comments on Substantial Proposed Changes to Data Standards
FDA has issued two Federal Register notices in under two weeks that seek comments on updates to FDA data standards.
Continue Reading FDA Requests Comments on Substantial Proposed Changes to Data Standards
Germany enacts stricter requirements for the processing of Health Data using Cloud-Computing – with potential side effects for Medical Research with Pharmaceuticals and Medical Devices
On 1 July 2024, Germany has enacted stricter requirements for the processing of health data when using cloud-computing services. The new Section 393 SGB V aims to establish a uniform standard for the use of cloud-computing services in the statutory healthcare system which covers around 90% of the German population. In this blog
Continue Reading Germany enacts stricter requirements for the processing of Health Data using Cloud-Computing – with potential side effects for Medical Research with Pharmaceuticals and Medical DevicesFTC, HHS, and FDA Update Tool to Help Mobile Health App Developers Understand Legal Requirements
On December 7, 2022, the Federal Trade Commission (“FTC”), along with the U.S. Department of Health and Human Services (“HHS”) and the U.S. Food and Drug Administration (“FDA”), announced updates to the Mobile Health App Interactive Tool—a questionnaire designed to help mobile health app developers identify federal laws and
Continue Reading FTC, HHS, and FDA Update Tool to Help Mobile Health App Developers Understand Legal RequirementsHITECH Amendment Provides Some Protection For Covered Entities and Business Associates that Adopt Recognized Security Standards
On January 5, 2021, an amendment to the Health Information Technology for Economic and Clinical Health (“HITECH”) Act was signed into law. The amendment requires the U.S. Department of Health and Human Services (“HHS”) to “consider certain recognized security practices of covered entities and business associates when making certain determinations” regarding fines, audit results, or other remedies for resolving potential violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). For organizations subject to HIPAA, the amendment provides substantial incentives to establish or improve their cybersecurity programs. While it does not establish a complete safe harbor from HIPAA enforcement, the amendment does offer organizations a chance to mitigate financial penalties and other negative regulatory actions that may result from a data breach.
Continue Reading HITECH Amendment Provides Some Protection For Covered Entities and Business Associates that Adopt Recognized Security Standards
HHS Launches New “Health Apps” Website to Highlight HIPAA Guidance for Mobile Health Applications
On September 2, 2020, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) announced a new “Health Apps” feature on the HHS.gov website. The new website, which replaces the OCR’s Health App Developer Portal, highlights existing guidance for mobile health (“mHealth”) apps regarding the Health
Continue Reading HHS Launches New “Health Apps” Website to Highlight HIPAA Guidance for Mobile Health Applications
HHS Announces Enforcement Discretion Over the Implementation of Interoperability Final Rules Due to COVID-19 Public Health Emergency
On April 21, 2020, the Department of Health and Human Services (“HHS”) announced that, as a response to the COVID-19 public health emergency, it will exercise enforcement discretion to “permit compliance flexibilities” regarding the implementation of the interoperability final rules issued on March 9th, 2020. This joint announcement was made
Continue Reading HHS Announces Enforcement Discretion Over the Implementation of Interoperability Final Rules Due to COVID-19 Public Health Emergency
Patient Access to Electronic Health Data at the Forefront of Two HHS Proposed Rules
On March 4, 2019, the Department of Health and Human Services (HHS) published two proposed rules to improve patient access to personal health data. The two rules, issued by the HHS Centers for Medicare & Medicaid Services (CMS) and the Office of the National Coordinator for Health Information Technology (ONC),
Continue Reading Patient Access to Electronic Health Data at the Forefront of Two HHS Proposed Rules
UK Government publishes new policy paper outlining vision for digitizing health care and becoming a global leader in healthtech
On 17 October, the UK Government’s Department of Health and Social Care (DHSC) published a policy paper entitled “The future of healthcare: our vision for digital, data and technology in health and care” (the Policy Paper). The Policy Paper outlines the DHSC’s vision to use
Continue Reading UK Government publishes new policy paper outlining vision for digitizing health care and becoming a global leader in healthtech
UK Government publishes “Initial code of conduct for data-driven health and care technology” for consultation
On 5 September, in response to the opportunities presented by data-driven innovations, apps, clinician decision support tools, electronic health care records and advances in technology such as artificial intelligence, the UK Government published a draft “Initial code of conduct for data-driven health and care technology” (Code) for consultation. The Code is designed to be supplementary to the Data Ethics Framework, published by the Department for Digital, Culture, Media and Sport on 30 August, which guides appropriate data use in the public sector. The Code demonstrates a willingness of the UK Government to support data sharing to take advantage of new technologies to improve outcomes for patients and accelerate medical breakthroughs, while balancing key privacy principles enshrined in the GDPR and emerging issues such as the validation and monitoring of algorithm-based technologies. For parties considering data-driven digital health projects, the Code provides a framework to help conceptualise a commercial strategy before engaging with legal teams.
The Code contains:
- a set of ten principles for safe and effective digital innovations; and
- five commitments from Government to ensure the health and care system is ready and able to adopt new technologies at scale,
each of which are listed further below.
While the full text of the Code will be of interest to all those operating in the digital health space, the following points are of particular note:
- the UK Government recognises the “immense promise” that data sharing has for improving the NHS and social care system as well as for developing new treatments and medical breakthroughs;
- the UK Government is committed to the safe use of data to improve outcomes of patients;
- the Code intends to provide the basis for the health and care system and suppliers of digital technology to enter into commercial terms in which the benefits of the partnerships between technology companies and health and care providers are shared fairly (see further below); and
- given the need of artificial intelligence for large datasets to function, two key challenges arise: (i) these datasets must be defined and structured in accordance with interoperable standards, and (ii) from an ethical and legal standpoint, people must be able to trust that data is used appropriately, safely and securely as the benefits of data sharing rely upon public confidence in the appropriate and effective use of data.
The Code provides sets out a number of factors consider before engaging with legal teams to help define a commercial strategy for data-driven digital health project. These factors include: considering the scope of the project, term, value, compliance obligations and responsibilities, IP, liability and risk allocation, transparency, management of potential bias in algorithms, the ability of the NHS to add value, and defining the respective roles of the parties (which will require thinking beyond traditional research collaboration models).
Considering how value is created and realised is a key aspect of any data-driven digital health project, the Code identifies a number of potential options: simple royalties, reduced payments for commercial products, equity shares in business, improved datasets – but there is also no simple of single answer. Members of Covington’s digital health group have advised on numerous data-driven collaborations in the healthcare sector. Covington recently advised UK healthcare technology company Sensyne Health plc on pioneering strategic research and data processing agreements with three NHS Trust partners. Financial returns generated by Sensyne Health are shared with its NHS Trust partners via equity ownership in Sensyne Health and a share of royalties (further details are available here).
The UK Government also intends to conduct a formal review of the regulatory framework and assessing the commercial models used in technology partnerships in order to address issues such as bias, transparency, liability and accountability.
The UK Government is currently consulting on the Code (a questionnaire on the Code is available here) and intends to publish a final version of the Code in December.Continue Reading UK Government publishes “Initial code of conduct for data-driven health and care technology” for consultation