Vital Signs: Digital Health Law Update | Spring 2020
Note From the Editors
As we publish this Spring 2020 issue of Vital Signs, we would like to take a moment to express our gratitude for all the health care and life science organizations around the globe that are caring for the sick and racing to advance testing and treatment in response to the COVID-19 pandemic. Without a doubt (and as is highlighted in this issue), digital health is serving as a key tool in our arsenal for the COVID-19 battle. Asia and the United States are advancing telehealth utilization and reimbursement coverage, while the United States and Europe are also focusing on legal and policy support for developments in artificial intelligence, clinical trials, and data sharing capabilities. Although various jurisdictions have adopted some of these unique digital health focused legal and regulatory allowances in specific response to the COVID-19 pandemic, we believe many of these legal modifications and an increased policy focus on digital health are likely to remain after the COVID-19 pandemic has come to an end. As providers, patients, and governments experience the impact of digital health utilization during these times, it is hard to imagine a health care and life science infrastructure ahead without digital health as a core component. There are, however, likely to be many legal and policy details to solve along the way. Jones Day's digital health team will undoubtedly be closely involved, integrated, and ready to help clients with these varied and nuanced digital health law topics.
As consistent with our "One Firm Worldwide" mission at Jones Day, this publication is a broad effort by our global digital health team, who is tracking all things digital health. As with our last issue, we hope you find this to be a thoughtful and curated one-stop resource for the latest developments in digital health law.
A Pivot to Telehealth
As we observed in communications early in the COVID-19 crisis (see Commentaries here and here), telehealth can and should play a significant role in delivering health care and life sciences services at a time when in-person options are limited and collaboration among health providers is crucial.
As the crisis evolved, regulators and policymakers from around the globe recognized the benefits of telehealth and worked to understand and remove many long-standing legal barriers, including reimbursement, technology options, and multijurisdictional practice capabilities. As we look ahead, telehealth methods within health care delivery and life science development are likely here to stay, and it is time to seriously approach implementation of these deployment strategies in a post-public health emergency environment for the sustainable delivery of health care, treatment, and wellness services.
First and foremost, telehealth is not limited to just one type of offering or a one-size-fits-all model. It is a set of methods and technologies enabling the deployment of various clinical services with operations unique in function, capability, and workflow given the clinical service involved. The goals may include: provider-to-provider collaboration across facilities or jurisdictions; patient initiated care from home, remote monitoring of chronic patients; remote clinical trials; support for surgical procedures; access to second opinions; or a combination of these and others. Depending upon the program goals, developing a successful and lasting telehealth strategy requires: (i) understanding operational goals; (ii) educating your team on unique legal, compliance, and reimbursement considerations; (iii) engaging in carefully crafted transactions; and (iv) establishing tailored policies and protocols.
As telehealth methods evolved over the last three to four decades, a variety of unique legal and reimbursement requirements attached. Specific to telehealth activities, some jurisdictions and regulators have, among other things, limited prescribing of certain medications, required certain real-time technology encounters to establish provider relationships, mandated unique telehealth-specific patient consents, and instituted onerous practice standards. Further, government reimbursement programs have been slow to embrace telehealth for fear of overutilization, lack of clinical effectiveness, and medical necessity concerns. That said, acceptance by government programs has slowly increased in recent years with the development of value-oriented strategies and clinical data confirming the cost-effectiveness of various telehealth strategies. Additional barriers exist, however, as organizations and regulators are faced with interpreting and complying with long-standing legal policies (such as professional licensure, credentialing, supervision, facility certification, device development, privacy, tax, and testing structures) designed for a prior era when single jurisdiction bricks-and-mortar delivery was the only option for health and wellness services. While many jurisdictions have waived such restrictions and limitations during the COVID-19 public health crisis, it remains unclear how legal and regulatory authorities will modify these historically cumbersome legal structures to meet the needs of telehealth providers (especially across jurisdictions) after the public health emergency.
One thing is certain—telehealth is here to stay given the demonstrated capacity for connecting patients and providers to meet needs during this public health emergency. Telehealth has validated its role as a critical delivery method and established its place within ongoing frameworks for comprehensive individual and community health care capabilities. As organizations look to develop long-term and sustainable telehealth strategies, they must understand and address the myriad legal and reimbursement considerations for successful transactions and compliant operational processes. This often involves coordinating cross-organizational telehealth teams, including representatives from clinical, IT, legal, and payor contracting departments, in order to select appropriate technologies, negotiate third party arrangements, assess different telehealth use cases, and ensure the legal and regulatory compliance of those structures (including compliance of potential third party vendors). Additionally, organizations should give serious forethought to implementing telehealth technologies and strategies for interoperability with electronic medical records and remote monitoring technologies across sites and potentially with the technologies of other community providers.
Finally, because the telehealth legal, regulatory, and reimbursement landscape continues to evolve, it is essential that organizations periodically revisit policies, procedures, and guidance materials to incorporate necessary updates. Suffice it to say that, although telehealth has only slowly emerged in the past several decades, it is now likely to play a rapidly progressive role in health care and life sciences delivery given the widespread proliferation and uses of telehealth systems during the COVID-19 public health emergency. Organizations are well-advised to begin the process of actively adapting and developing sustainable telehealth systems, policies, and processes now.
United States Developments
U.S. COVID-19 Response
The United States has taken various actions, at both the federal and state level, impacting digital health to address the COVID-19 public health emergency. These actions include significant efforts to temporarily authorize and increase the use of telehealth tools and remote technologies for expanded access to care while limiting person-to-person spread of the virus.
At the United States federal level, since the Secretary of the Department of Health and Human Services ("HHS") declared a public health emergency on January 21, 2020:
- The Centers for Medicare & Medicaid Services ("CMS") temporarily waived Medicare conditions of participation and payment for many virtual care services and expanded the types of Medicare covered services that can be provided remotely, including telehealth services, virtual check-ins, telephone services, e-visits, and remote monitoring. Additional information is available on the CMS current emergencies website and in the recent COVID-19 interim final rule.
- The Office for Civil Rights ("OCR") announced that it will temporarily exercise enforcement discretion and waive potential penalties for Health Insurance Portability and Accountability Act violations against health care providers that serve patients through everyday communications technologies, such as FaceTime and Skype, during the COVID-19 public health emergency, so long as certain "good faith" measures are taken. Additional information is available on the OCR website.
- The Office of Inspector General ("OIG") announced that physicians and other practitioners will not be subject to administrative sanctions for reducing or waiving any cost-sharing obligations for federal health care program beneficiaries for telehealth services furnished during the COVID-19 public health emergency consistent with then applicable coverage and payment rules. Additional information is available on the OIG website.
- The Drug Enforcement Administration ("DEA") announced that DEA-registered practitioners across the United States may, during the COVID-19 public health emergency, issue prescriptions for all schedule II-V controlled substances to patients for whom they have not conducted an in-person medical evaluation, based on a telemedicine visit, if certain conditions are met.
- The Food and Drug Administration ("FDA") issued enforcement policies effective during the COVID-19 public health emergency: to help expand the availability and capability of noninvasive remote monitoring devices to facilitate remote patient monitoring; to help expand the capability of remote ophthalmic assessment and monitoring devices to facilitate patient care while reducing patient and healthcare provider contact; and to expand the availability of digital health therapeutic devices for psychiatric disorders to facilitate consumer and patient use while reducing in-person contact. FDA also issued guidance regarding the conduct of clinical trials of medical products during the COVID-19 public health emergency, which included considerations for using remote communication and monitoring devices.
- Federal legislative and agency actions established funds to support health providers incurring unique costs and dealing with lost profits during the COVID-19 crisis. Such funding included $100 billion appropriated under the CARES Act as the Public Health and Social Services Emergency Fund (the "$100B Health Provider Fund") and $200 million under the Federal Communications Commission for the acquisition of telehealth technologies. The first $30 billion of the $100B Health Provider Fund was released on Friday, April 10, and requires that providers either attest to certain terms and conditions of payment or remit the funds. Information on certain other federal funding programs is summarized here.
At the state level, governors across the country have declared states of emergency and waived or directed state agencies to waive many requirements impacting the delivery of remote care and services across states, including:
- Professional licensure waivers to enable out-of-state practitioners who are not licensed in the state to practice on a temporary basis, including via telehealth technologies (typically issued and/or carried out by state medical and other professional boards);
- Telehealth practice waivers, including waivers impacting modality and cybersecurity requirements (typically issued and/or carried out by state medical and other professional boards);
- Waivers pertaining to state privacy requirements; and
- Insurance waivers, including expanding coverage, waiving modality requirements, and waiving copays for telehealth services (typically issued by insurance departments and state Medicaid agencies).
ONC and CMS Release Final Rules on Interoperability and Information Blocking
On March 9, 2020, HHS released two long-anticipated final rules designed to facilitate information sharing among payers, providers, and patients. The rules have many different effective dates ranging from the next few months to the next three or so years.
Under the rule issued by the HHS Office of the National Coordinator for Health Information Technology ("ONC") to implement provisions in the 21st Century Cures Act, the ONC addresses interoperability, information blocking, and the ONC Health IT Certification Program by, for example: (i) defining information blocking prohibitions and limited exceptions; (ii) replacing the Common Clinical Data Set with the United States Core Data for Interoperability as the standard for interoperability; (iii) updating the 2015 Edition Health IT Certification criteria by removing or revising existing criteria while adding new criteria, such as for Electronic Health Information Export; (iv) establishing conditions of maintenance for certification to prevent health IT developers' information blocking practices and other restrictions on communications, and imposing standards on application programming interfaces ("APIs"); (v) requiring real-world testing; and (vi) adding voluntary certification of health IT for pediatric care.
Under the rule issued by CMS, CMS will require CMS-regulated payers (e.g., Medicare Advantage organizations, qualified health plans, etc.) to meet its interoperability requirements by, for example: (i) implementing APIs to permit electronic availability of patient health information and provider directory information; and (ii) implementing data exchange processes with other payers. Additionally, CMS will, as a Medicare condition of participation, require Medicare and Medicaid participating hospitals and critical access hospitals to have the capability to send electronic notifications of patient events (e.g., admission, discharge, transfer) to certain other providers and will publicly report providers that may have engaged in information blocking or those that do not provide digital contact information in the National Plan and Provider Enumeration System.
FDA Raises Awareness of Cybersecurity Risks Associated With Certain Medical Devices
In a safety communication on March 3, 2020, FDA informed patients, health care providers, and manufacturers that security researchers had identified a family of 12 cybersecurity vulnerabilities, named "SweynTooth," associated with a wireless communication technology known as Bluetooth Low Energy ("BLE"). BLE allows two devices to pair and exchange information to perform their intended functions while preserving battery life. According to the communication, the SweynTooth vulnerabilities may allow an unauthorized used to wireless exploit the vulnerabilities to crash or deadlock the device or to have security bypassed. The communication includes recommendations for impacted parties.
FDA Hosts Public Workshop on Extended Reality Technologies in Medicine
On March 5, FDA hosted a public workshop entitled "Medical Extended Reality: Toward Best Evaluation Practices for Virtual and Augmented Reality in Medicine" to identify gaps in medical extended reality ("XR") development and advance FDA's evaluation of medical XR devices and applications. At the workshop, industry stakeholders presented on topics ranging from the technical challenges of optical engineering in XR to the regulatory considerations posed by the interdependent nature of XR software and XR hardware. Presenters also showcased their respective medical XR devices and applications, including Brainlab's Mixed Reality Viewer, Medivis's SurgicalAR, and Philips's Azurion image-guided therapy platform. Ultimately, FDA emphasized its goal of working with industry to accelerate the development of safe and effective medical XR devices benefitting patients. FDA concluded the workshop by inviting input and assistance from industry stakeholders and developers and encouraging collaborative regulatory science in the precompetitive space. Though the scope of FDA's oversight of medical XR still remains to be determined, industry should view FDA's interest in this topic as an opportunity to educate the regulator on the challenges and considerations relevant to regulating these technologies. Interested parties can find more information regarding the workshop on FDA's website and at Docket No. FDA-2020-N-0169.
Federal Enforcement Agencies Continue Focus on Software and EHR Vendors, Telemedicine
Beginning in 2017 with the historic $155 million eClinicalWorks settlement, federal investigators continue to scrutinize software and electronic health record ("EHR") vendors for compliance with federal law. As described in our previous issue of Vital Signs, this trend continued in 2019 with EHR vendor Greenway Health LLC entering into a settlement for $57 million to resolve allegations that Greenway deceived the certification body into believing its EHR software complied with certification requirements, and that Greenway knowingly sold software that reported inaccurate performance data to its users, causing them to falsely attest to their eligibility for Meaningful Use incentive payments. This was followed a few months later by IBM and Cúram Software entering into a settlement for $14.8 million related to misrepresentations made during the contract procurement process for the development of Maryland's Health Insurance exchange website and IT platform. Most recently, in 2020, the EHR vendor Practice Fusion Inc., entered into a $118 million settlement to resolve civil allegations similar to those brought against Greenway last year: a fraudulent certification process that caused its healthcare provider clients to falsely attest that they were eligible for Meaningful Use incentive payments, as well as civil and criminal allegations that the company received payments from various pharmaceutical manufacturers in exchange for implementing alerts within the EHR system that were intended to increase drug sales.
In February of this year, senior DOJ lawyers gathered and spoke on various False Claims Act ("FCA") enforcement topics at the Federal Bar Association's annual Qui Tam Conference in Washington. Notably, in a luncheon session, Michael Granston, Deputy Assistant Attorney General, Commercial Litigation Branch, opined on the types of increased enforcement activity and singled out telemedicine as an area of focus for current government efforts this year. Similarly, during a keynote speech, Jody Hunt, Assistant Attorney General for the DOJ's Civil Division, flagged that EHR is one of the three top target areas for FCA enforcement in 2020. Granston's and Hunt's comments reinforce the need for telemedicine providers and software and EHR vendors to continue to proactively take measures to ensure compliance and have procedures in place if state or federal officials inquire into particular practices.
U.S. Department of Defense Releases Long Awaited Cybersecurity Maturity Model Certification Requirements
On January 31, 2020, the U.S. Department of Defense ("DoD") released the long-awaited final Model Version 1.0 of the Cybersecurity Maturity Model Certification ("CMMC") framework, which requires all companies and organizations doing business with DoD (including subcontractors) to institute and maintain certain cybersecurity compliance programs. The CMMC is DoD's recognition that cybersecurity is a fundamental priority. DoD has stated that the CMMC is intended to build upon existing regulation and to consolidate a variety of existing cybersecurity frameworks into "one unified standard for cybersecurity."
Under the CMMC process, all DoD contractors and subcontractors (including Commercial Item contractors) must be certified to one of five CMMC Levels, ranging from Level 1, "Basic Cyber Hygiene," through Level 5, "Advanced Practices," which is characterized as a substantial and proactive cybersecurity program that includes significant controls like real-time asset tracking, autonomous initial response actions, network segmentation, and a 24x7 Security Operations Center. CMMC Levels 1 and 2 are intended for contractors and subcontractors that may handle or have access to Federal Contract Information, with Level 2 specifically being a transition step in cybersecurity maturity progression to protect Controlled Unclassified Information ("CUI") or Sensitive But Unclassified information. CMMC Level 3 is intended for contractors and subcontractors that handle or generate CUI and Covered Defense Information. CMMC Levels 4 and 5 are for contractors supporting critical programs and technologies.
CMMC certification will be performed by independent third party commercial assessment organizations, with some higher level assessments potentially being performed by "organic DoD assessors." DoD intends to include CMMC in Requests for Information released in and after June 2020 and expects to include CMMC as a go/no-go requirement in solicitations beginning in Fall 2020. Contractors and subcontractors can expect DoD to issue a proposed rule incorporating the CMMC soon, with the final rule before year's end.
Proposed Stark and Anti-Kickback Regulatory Reforms Notable for Potential Broad Health Industry Implications
In October 2019, OIG and CMS published large packages of proposed reforms to modernize the regulations that interpret the federal Anti-Kickback Statute and the federal Stark Law, respectively. Jones Day has published a series of Commentaries to summarize the more significant proposals within the packages. We included links to some of these in our January 2020 Vital Signs Issue, but we are including links to the entire collection of Commentaries here. Though only a narrow set of the proposed reforms specifically impact the digital health industry, all proposed reforms impact the health care space generally and may have implications for various digital health initiatives. See our Commentaries on the New Exception for Dialysis-Related Telehealth Technologies; Changes to Valuation Terms Under the Federal Stark Law; Newly Proposed Protections for Cybersecurity Technology Under the AKS and Stark Law; Newly Proposed AKS and Stark Law Protections For Value-Based Care Models; Proposed Revisions to Stark Law and AKS Protections for Electronic Health Records Donations; CMS Proposes New Limitations to the Isolated Transactions Exception to the Stark Law; and OIG Proposes Modifications to Personal Services Safe Harbor Under the AKS.
U.S. IP Institutions Grapple With AI Issues
IP institutions around the world are addressing a variety of issues associated with artificial intelligence ("AI"). For a U.S. perspective, see recent Jones Day Commentaries on Protecting Artificial Intelligence IP: Patents, Trade Secrets, or Copyrights?; When Innovation Invents: Artificial Intelligence Issues at the U.S. Patent and Trademark Office; When Innovation Creates: Additional Developments in Artificial Intelligence at the U.S. Patent and Trademark Office; and AI and the Biopharmaceutical Industry.
States Adopt Changes Supporting Broader Telehealth Modalities
Several states recently adopted legislation or regulations expanding the modality options available to health providers when delivering care via telehealth. On the legislative front, Idaho adopted legislation, effective July 1, 2020, modifying the requirement that providers use two-way audio and visual interaction to establish a provider-patient relationship, to instead allow two-way audio or audio-visual interaction. In Maryland, legislation signed by the governor and effective April 3, 2020, authorizes certain health care practitioners, including physicians, to establish a practitioner-patient relationship and perform a clinical evaluation for treatment or prescribing through either a synchronous or an asynchronous telehealth interaction. The legislation overrides regulations adopted by the Maryland Board of Physicians in 2019 requiring that a physician perform a "synchronous, audio-visual" patient evaluation prior to providing treatment or prescribing medication. On the regulatory front, the Georgia Composite Medical Board proposed changes to its telehealth regulations (360-3-.07) permitting a physician to practice through electronic or other such means so long as the physician is able to examine the patient using "technology or peripherals." The regulations currently require the use of both technology and peripherals. The amendment is currently awaiting the governor's approval. Finally, in Alabama, recent changes to Alabama's pharmacy regulations (680-x-2-.33) remove dated language on dispensing consistent with the Alabama Medical Board's approach to remaining silent on any particular modality requirement for services delivered via telemedicine. Specifically, modifications effective February 14, 2020, removed the requirement that a pharmacist refrain from dispensing a prescription drug if the drug order "was issued on the basis of an internet-based questionnaire, an internet-based consultation, or a telephonic consultation, all without a valid preexisting patient-practitioner relationship" and instead generally provide that a prescription must be issued pursuant to a valid patient-practitioner relationship. Alabama medical board regulations are silent regarding telemedicine beyond acknowledging that prescribing medications for a patient whom a physician has not personally examined may be suitable during electronic encounters, such as those in telemedicine.
Notably, in Utah, legislation effective May 12, 2020, will prevent a provider offering telemedicine services from diagnosing, treating, or prescribing drugs for new patients based solely on an online questionnaire, an email, or a "patient-generated medical history," except as specifically provided in Utah's Online Prescribing, Dispensing, and Facilitation Licensing Act (governing questionnaires). The phrase "patient-generated medical history" is defined broadly as medical data about a patient that the patient creates, records, or gathers.
States Relax Physician Assistant Supervision and Delegation Laws
States have historically required close physician supervision of physician assistants, including, among other things, chart review requirements, co-location of physicians on-site with physician assistants, and limiting physician assistant scope of practice. Many states have significantly reduced the supervision and delegation burdens upon physicians wishing to practice with physician assistants in recent months. Among these are California, Hawaii, Illinois, Missouri, and Rhode Island. See here for a more detailed Commentary on this topic.
States Impose Tax Liability on Remote Providers of Software-Based Services – Massachusetts Joins the Ranks
States are increasingly attempting to assess sales and use tax for customer access to many of the technologies that are used by digital health and telemedicine providers, such as cloud computing and software as a service ("SaaS"). A 2018 US Supreme Court decision expanded states' jurisdiction to force remote businesses with no physical presence in the state to collect such sales and use taxes (South Dakota v. Wayfair, 585 U.S. ___, 138 S. Ct. 2080 (2018)). Recently, Massachusetts joined the many states now imposing such taxes. The Supreme Judicial Court of Massachusetts held in its recent decision (Citrix Systems., Inc. v. Commissioner, 139 N.E.3d 293 (Mass. 2020)) that, in the absence of a challenge to the applicable tax regulation, subscription fees for the remote access of software for videoconferencing services through a SaaS platform were subject to sales tax in the state. Digital health and telemedicine providers should monitor state tax laws and trends given evolving taxing regimes may lead to the assessment of such sale and use taxes against a range of digital health provider offerings.
Iowa Law Mandating Electronic Transmission of Prescriptions Takes Effect
Effective January 1, 2020, Iowa law requires every prescription for a controlled substance in the state to be transmitted electronically. Practitioners or their authorized agents must transmit the prescription in compliance with federal law and regulations for electronic prescription of controlled substances. Prescriptions for those residing in a nursing home, long-term care facility, correctional facility, or jail are exempted from the requirement. Prescriptions dispensed at a veteran affairs pharmacy or authorized by a licensed veterinarian are also exempt. Practitioners who violate the mandate may be subject to financial penalties, and those unable to timely comply with the requirement may petition the Iowa Board of Pharmacy for an exemption.
Europe COVID-19 Response
European countries and the European Union have taken various actions to combat the COVID-19 crisis. Most notably as it relates to digital heath:
- On April 8, 2020, the European Commission adopted a Recommendation on a common Union toolbox for the use of technology and data to combat and exit from the COVID-19 crisis, in particular concerning mobile applications the use of anonymized mobility data (available in English here). The Recommendation sets up a process for developing a common approach, referred to as a Toolbox, to use digital methods for addressing the COVID-19 crisis. The Toolbox will consist of practical measures guided by privacy and data protection principles and aims to make effective use of technologies and data, with a particular focus on: (i) the development by Member States and the Commission of a pan-European approach for the use of mobile applications by April 15, 2020; and (ii) the creation of a common scheme for using anonymized and aggregated data on mobility of populations in order to map and predict the diffusion of the disease and the impact on needs in the health systems, to monitor the effectiveness of the measures adopted by Member States, and to inform a coordinated strategy for exiting from the COVID-19 crisis.
- On April 7, 2020, the European Data Protection Board issued a mandate to its expert subgroups calling for the development of guidance on several aspects of data processing in the fight against COVID-19, including: (i) processing health data for research purposes in the context of COVID-19; and (ii) use of geolocation and other tracing tools in the context of the COVID-19 outbreak (available in English here).
- The Medicines and Healthcare products Regulatory Agency ("MHRA") in the United Kingdom has authorized temporary flexibilities for clinical trials to support research and manufacture in potential treatments for COVID-19, including authorizing remote access to medical records (with appropriate security measures). Additional information is available on the MHRA website.
New Procurement Guidelines Issued For Cybersecurity In Hospitals
On February 24, 2020, the European Union Agency for Cybersecurity ("ENISA") published "Procurement Guidelines for Cybersecurity in Hospitals" (available in English here). The Guidelines shed light on cybersecurity tools and good practices in the context of procurement (e.g., assets, products, or services) for healthcare professionals with technical positions in hospitals and manufacturers of medical devices. The Guidelines also provide practical cybersecurity advice for the different phases of the procurement lifecycle (i.e., the plan, source and manage phases), lists industry standards, and highlights cybersecurity challenges in the specific context of procurement. Finally, the Guidelines present a threat taxonomy and a list of key risks associated with procurement. The document is very practical as it concludes with a comprehensive set of good practices that hospitals are encouraged to use.
EU Commission Publishes AI White Paper and Communication Regarding European Strategy
On February 19, 2020, the EU Commission published a White Paper on "Artificial Intelligence: a European approach to excellence and trust" (available in English here) in which the EU Commission details its strategies regarding the use of AI. The White Paper highlights the increasing role of AI necessary to improve healthcare quality for citizens (e.g., by making diagnosis more precise or enabling better prevention of diseases) and further develop healthcare businesses. The White Paper also stresses that the EU should leverage its strengths to expand its position (e.g., the production of industrial and professional service robots for precision health). To achieve these goals, the EU Commission is of the view that the current legal framework must be revised, including, for example, to limit the scope of existing EU legislation such as the Medical Device Regulation (Regulation (EU) 2017/745). In addition, the White Paper refers to the creation of a new regulatory framework for AI applications which would consist of a "risk-based" approach. Under this framework, criteria would be set to determine whether or not an AI application would qualify as presenting a "high risk," including assessment of both the sector, such as healthcare, and the intended use of the AI application. Finally, the future regulatory framework will include mandatory legal requirements actors (e.g., training data, data and record keeping, robustness and accuracy, etc.) applicable to high-risk AI applications only and imposed on the relevant actors.
Also in February 2020, the European Commission adopted a Communication on a European strategy for data (available in English here) proposing the creation of a common European health data space. The purposes of the Communication are: (i) to facilitate the establishment of a Code of Conduct for processing personal data in the health sector (in accordance with GDPR Article 40); (ii) to deploy data infrastructures, tools, and computing capacity (specifically in relation to the use of EHRs; (iii) to scale up cross-border exchange of health data, such as electronic health records, genomic information, electronic patient summaries, electronic prescriptions, medical images, laboratory results, and discharge reports; and (iv) to support big data projects promoted by regulators.
On February 21, 2020, MedTech Europe issued a statement welcoming the European Commission's White Paper on AI and the EU data strategy. In order to maximize the benefits of AI in the health sector, MedTech Europe further called on the EU Commission to focus on: (i) building data and infrastructure for research and AI; (ii) establishing a harmonized governance framework based on ethical principles; (iii) AI funding; and (iv) equipping healthcare workforce and patients with the necessary skills to embrace the ongoing technological developments.
EU Commission Releases Guidance on Evaluation of Medical Device Software
In March 2020, the European Commission published a guidance document endorsed by the Medical Device Coordination Group, "Guidance on Clinical Evaluation (MDR) / Performance Evaluation (IVDR) of Medical Device Software" (available in English here). The Guidance provides for the determination of the appropriate level of clinical evidence required for medical device software to fulfill the requirements set out in the MDR and IVDR. Software that is intended to drive or influence a medical device falls out of the scope of the document.
Asia Pacific COVID-19 Response
China and Japan have both taken temporary actions applicable to digital health for combating the COVID-19 crisis:
- In China, on February 28, 2020, the Chinese central government issued a directive entitled the "Guidelines on Expanding Internet Plus Healthcare Services in Response to the COVID-19 Virus." According to the Guidelines, online follow-up medical consultation services performed by qualified internet hospitals to treat common or chronic diseases may be reimbursed by the Chinese social insurance fund. The Guidelines also encourage internet hospitals to provide online payment and door-to-door delivery services for prescription medicines purchased online from qualified internet hospitals. Accordingly, several provinces (including Shanghai, Hubei, and Jiangsu) started to authorize reimbursements for online medical care. Although these Guidelines were enacted in response to the COVID-19 outbreak, it is widely expected that they will continue to apply after the crisis and that year 2020 may be a turning point for the Chinese telemedicine market.
- In Japan, on February 28 and March 19, 2020, the Japanese government issued administrative notices temporarily expanding the scope of permissible telemedicine services in order to mitigate the risk having patients infected with COVID-19 at hospitals. For example, under the March 19 administrative notice, a medical practitioner is allowed to issue a new prescription for patients without a medical examination under certain conditions. On April 7, the Japanese government further expanded the scope of telemedicine permitted as a part of its COVID-19 emergency economic measures to authorize telemedicine examinations.
Expanded Scope of Telemedicine Reimbursed by Japanese National Health Insurance
On March 5, 2020, the Japanese Ministry of Health, Labour and Welfare published its 2020 revisions of medical fees under the national health insurance system. Under the new rules, the conditions for telemedicine to be reimbursed by Japanese national health insurance were relaxed. For example, under the 2019 rule, six months of face-to-face treatment was a prerequisite for telemedicine. This requirement was relaxed to three months under the new rule. The new rule became effective on April 1, 2020.
Cabinet of Japan Submits Bill to Amend Personal Information Protection Act to the National Diet
On March 10, 2020, the Cabinet of Japan approved and submitted to the National Diet a bill to amend the Personal Information Protection Act. The proposed amendment includes, among other things, establishment of data breach reporting obligations, expansion of an individual's right to request erasure and cease use, an increase in fines, and more stringent informed consent and other requirements in case of cross border transfer.
Japanese MIC and METI Publish Draft Security Management Guidelines for Information System Service Providers Handling Medical Information
On March 5, 2020, the Japanese Ministry of Internal Affairs and Communications ("MIC") and the Ministry of Economy, Trade and Industry ("METI") jointly released a draft of Security Management Guidelines for Information System Service Providers Handling Medical Information. The MIC and METI had separately issued guidelines concerning security and management regarding medical information that cloud service providers or other third party service providers should follow. Now METI and MIC have worked together to integrate the existing two guidelines into one new guidelines document. Public comments on the guidelines were due on April 6, 2020.
Block Chain and Big Data in Healthcare in China: Legislation and Implementation
China has recently passed legislation governing the use of block chain and big data in healthcare. For example, on December 28, 2019, China passed the Law of the People's Republic of China on the Promotion of Basic Medical and Health Care, which governs the digitalization of healthcare, including topics such as medical big data, AI, telehealth, and medical information infrastructure. Under this law, medical institutions that have flawed medical information security system or measures, leading to disclosure of medical information, can be subject to legal liabilities. A separate legal provision prohibits the transfer of healthcare big data outside of China without approval from the Chinese government. "Healthcare big data" is defined broadly as healthcare related data generated in the course of human disease prevention, treatment, or management. Finally, the Chinese equivalent of the FDA (the National Medical Products Administration, or NMPA) issued regulations, "Notice on the Construction of Vaccine Information Traceability System," which govern the quality and safety of vaccines. Pursuant to the regulations, an information traceability system covering the supply chain for vaccines, including production, distribution, and vaccination, is to be established. A "Collaborative Service Platform," which acts as a "bridge" or "hub" in the information traceability system, is one component. Market authorization holders of vaccines will bear the primary responsibility under the new regulations, including for coding vaccine products, providing traceability data for production and distribution, and meeting the needs of public inquiry.
Recent and Upcoming Speaking Engagements
- ICLE 27th Annual Health Law Update―Federal Regulatory Update, Plymouth, Michigan (March 2020). Jones Day Speaker: Ann Hollenbeck
- Jones Day and the American Telemedicine Association―Opportunities and Risks for Telehealth Under HIPAA and State Privacy Responses to the COVID-19 Pandemic, Webinar (April 14 and 21, 2020). Jones Day Speakers: Alexis Gilroy, David Kopans, Kristen McDonald, and Mauricio Paez
- ATA2020―Direct-to-Consumer Virtual Care: When Regulation, Patient Preference, and Innovation Collide, Virtual Program (May 2020). Jones Day Speaker: Alexis Gilroy
- National Association of Certified Valuators & Analysts Annual Conference― Regulatory Overview for Valuation Professionals and The Valuation of Healthcare Enterprises in a Changing Reimbursement Environment, Virtual Program (June 2020). Jones Day Speakers: John Kirsner and Lisa Han
Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our “Contact Us” form, which can be found on our website at www.jonesday.com. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.