Vital Signs Digital Health Law

Vital Signs: Digital Health Law Update | Winter 2021

Note from the Editors

Digital technologies have transformed almost every aspect of the health care and life sciences industry—from electronic health records and telemedicine, to diagnostics and therapeutics augmented by artificial intelligence, and to remote clinical trials. The year 2020 witnessed the COVID-19 pandemic catalyzing unprecedented levels of digital health innovation and adoption. The digital health industry is entering 2021 with optimism for even greater advancement, reductions in regulatory burdens, and continued widespread adoption of digital health technologies. In the Industry Insights contribution for this issue, several of our digital health experts briefly summarize the major advancements in four key digital health areas that took place over 2020, as well as expectations for 2021. 

In the remainder of this issue of Vital Signs, you will read about the myriad of policy actions already in place for 2021 across the EU and in the United States at the federal level. Although we do expect significant U.S. state activities on topics like telehealth in the months ahead (check-back for more in our next issue), none rose to the notable level since our last issue. Buckle-up and stay-tuned as 2021 promises to be quite active on digital health legal and regulatory actions. Our team, recognized as Law360’s Health Care Practice Group of the Year, will continue to monitor and bring you this curated one-stop resource quarterly on the most notable digital health law updates. The editors would like to, once again, thank contributors globally. 

Industry Insights

2020 Year End Review and New Year Resolutions for Digital Health in 2021

Maureen Bennett, Alexis Gilroy, Colleen Heisey, Cristiana Spontoni


The delivery of clinical services across audio and visual technology mediums has typified both inpatient and outpatient health care delivery in 2020 throughout the world. Telemedicine has replaced or augmented in-person clinical care for a large range of outpatient services including chronic disease management and acute care; intensive care units and emergency departments have implemented telemedicine models to reduce exposures between patients and care providers; and inpatient care units have amplified their clinical management efficiencies and capabilities through the use of telemedicine systems. It has become routine for patients around the globe to seek and receive health care using remote monitoring technologies and interactions with health providers using a smartphone.

Regulatory barriers have relaxed to allow for reimbursement of telemedicine and greater remote management of mental health conditions, opioid abuse disorders, and chronic pain. Health providers have been permitted to practice across state and international borders without seeking multi-jurisdictional licensure. In addition, there have been some efforts toward permanent changes, such as expansions to Medicare reimbursement for various telemedicine services in the United States and massive funding opportunities for the advancement of telemedicine systems in Europe.

In 2021, we are expecting a greater focus on permanently reducing barriers to multijurisdictional licensure, a continued relaxation of otherwise rigid technology requirements, greater attention to reimbursement barriers, and rapid development of technology platforms and augmenting "big-data" diagnostic support devices. We also expect that the data collected from the use of telemedicine technologies throughout the pandemic will result in a broad array of outcomes-based studies being published in the peer-reviewed literature to further support expanded adoption and reimbursement coverage.

Remote Monitoring Technologies & Remote Testing Technologies

Remote monitoring technologies and remote testing devices promise to be the next major leap in revolutionizing and augmenting clinical services delivered remotely through telemedicine methods. In 2020, the U.S. FDA issued multiple Emergency Use Authorizations ("EUA") for remote and wearable patient-monitoring devices designed to reduce patient and health provider exposure risks amid the COVID-19 pandemic. The U.S. FDA also issued broader enforcement discretion guidance for certain non-invasive remote monitoring device types, helping to increase their availability during the pandemic. Furthermore, as we highlight in this issue, in December 2020, the U.S. FDA issued an EUA for a prescription, at-home COVID-19 test for self-collected nasal swab samples, which is to be used in conjunction with a telehealth provider who takes users step-by-step through the sample collection process and provides assistance in reading and understanding the results. Similarly, the U.S. FDA issued the first EUA for a non-prescription at-home COVID-19 test. Significantly, with respect to the latter test, test results are automatically reported to relevant public health authorities in accordance with local, state, and federal requirements via a software application. The EU and Asia have also seen activity in this area—providing funding opportunities to a number of projects focused upon remote COVID-19 diagnosis and monitoring. As more remote monitoring devices and home testing technologies (whether prescription or non-prescription) emerge as reliable methods of clinical evaluation and medical diagnosis, patients will be afforded a greater autonomy in clinical engagement from the convenience, comfort, and privacy of their homes. We expect 2021 to offer numerous worldwide funding opportunities from both public and private sources for the advancement of such technology development, thereby augmenting the provision of and capabilities of remote clinical services.

Artificial Intelligence & Machine Learning

The global regulatory landscape for artificial intelligence and machine learning ("AI/ML") in the healthcare space is still in its infancy. In 2020, regulatory agencies throughout the world acknowledged the import of AI/ML for advancing medical therapeutics and diagnostics generally and specifically as an effective tool in responding to public health crises. The U.S. FDA continued its commitment to developing a regulatory framework for the oversight of AI/ML-based medical devices. FDA hosted several public meetings dedicated to soliciting feedback on AI/ML topics throughout the year, including: a public workshop in February to identify the benefits, risks, and best practices associated with use of AI in radiological imaging; a public workshop in March to discuss applications of Extended Reality ("XR") in medicine, evaluation techniques for hardware, standards development, and assessment challenges; and a Patient Engagement Advisory Committee ("PEAC") meeting in October, which focused on gaining insight from patients into what factors influence their trust in AI/ML-based devices. FDA also granted 510(k) clearance to a number of AI/ML products in 2020, including Eko Analysis Software, which analyzes ECG and heart sounds to support a physician’s evaluation; EyeArt, retinal diagnostic software used to automatically detect certain retinopathies; and qEr, a computer-aided triage and notification software used to flag certain suspected positive findings of pathologies in head CT images. The U.S. FDA’s 2020 efforts in the AI/ML space culminated in its release of the first Artificial Intelligence/Machine Learning (AI/ML)-Based Software as a Medical Device (SaMD) Action Plan in January 2021, which is detailed further in this issue of Vital Signs. In 2021, we look forward to further guidance from U.S., European, and Asian regulatory agencies regarding oversight and development of AI/ML-based therapeutics and diagnostics.

Digital Clinical Trials

The research world has not yet realized the full promise of "remote" or "decentralized" clinical trials. This is, in part, because major regulatory agencies such as the U.S. FDA and European Medicines Agency ("EMA") have historically been cautious about whether such trials can assure human subject protection, data integrity, and reliability, including through patient reported outcomes. The COVID-19 pandemic, however, fueled rapid development in the digital clinical trial space in 2020 as the need to conduct human subject research on patients with or suspected of having COVID-19 uncovered the benefits to both patients and clinical trials staff of innovating toward fully remote clinical trials (i.e., "contactless" clinical trials). Indeed, in the latter half of 2020, both the New England Journal of Medicine and the Journal of the American Medical Association reported results of a couple of novel contactless remote clinical trials. Both studies evaluated the effectiveness of strategies for addressing COVID-19 in the outpatient setting and both studies conducted remote recruitment, obtained virtual informed consents, and conducted remote data collection. The onset of COVID-19 also catalyzed FDA to issue guidance regarding remote clinical trials. FDA’s guidance provides numerous recommendations for sponsors, investigators, and IRBs to consider for adapting ongoing trials or when preparing for the launch of a new trial, during the COVID-19 public health emergency, with subject safety and data integrity being paramount considerations. Among many other issues, FDA addresses the potential use of telemedicine modalities and identified important considerations for trial visits conducted through video conferencing. Other international regulatory authorities, including the EMA and MHRA also issued related guidance in 2020. As more reliable remote monitoring and remote diagnostic innovations enter the market and are proven effective, the promise of greater digitization of clinical trials grows. Notwithstanding, there still remain important concerns and regulatory hurdles that we believe will pave the way for greater advancement in 2021. In 2021, we expect potential new guidance from regulatory authorities on conducting remote trials and we expect further focus on the patchwork of state regulations impacting telemedicine and remote-to-home aspects of decentralized trials.

All told, 2020 has been an exciting year for digital health and we expect 2021 to be equally as eventful and positive for the digital health industry.

United States Developments


Reports Verify Marked Adoption of Telehealth in the United States Amid COVID-19 Pandemic

In our Summer 2020 issue of Vital Signs, we highlighted actions taken by the Centers for Medicare & Medicaid Services ("CMS") to extend authorizations of telehealth services during the COVID-19 pandemic and to expand access to remote care. As a year in pandemic passes, both the Centers for Disease Control and Prevention ("CDC") and the Department of Health and Human Service’s ("HHS") Office of the Assistant Secretary for Planning and Evaluation ("ASPE") have released statistics on the increased utilization of telehealth services and predicted the transformative nature of telemedicine to outlast COVID-19. The CDC study, published on October 30, 2020, found that telehealth visits increased by 50% during the first quarter of 2020, as compared with the same period in 2019. It also found a 154% uptick in visits during late March 2020, hypothesizing that the increase was related to regulatory waivers from CMS and provisions of the U.S. Coronavirus Aid, Relief, and Economic Security ("CARES") Act implemented in mid- to late-March. The CDC noted that "[w]ith expanded access and improved reimbursement policies in place, as well as ongoing acceptability by patients and health care providers, telehealth might continue to serve as an important modality for delivering care during and after the pandemic." Similarly, the ASPE report, released on July 28, 2020, identified utilization trends of telehealth services for primary care delivery in Fee-for-Service Medicare from January through June 2020. HHS found that in April 2020, nearly half (43.5%) of Medicare primary care visits were provided through telehealth, as compared with less than one percent (0.1%) in February, an increase represented in both urban and rural counties. Commenting on the report, CMS Administrator Seema Verma stated, "Countless clinicians and beneficiaries received important care while avoiding unnecessary exposure to the virus. Now that providers and patients have had a taste, it's difficult to imagine the telehealth genie going back into the bottle." Additional insights on telehealth utilization in 2020 and policy actions ahead were recorded during the first Federal Telehealth Innovation Summit hosted by HHS in December, in which Jones Day participated as a digital health expert.

CMS Broadens Medicare Coverage for Digital Health Clinical Services for CY 2021

CMS made a number of changes affecting coverage for remote health care services as part of the Physician Fee Schedule for Calendar Year 2021. First, effective January 1, 2021, CMS added seven services to the permanent list of Medicare telehealth services, including group psychotherapy, psychological and neuropsychological testing, low-intensity home visits, and prolonged services. CMS also provided for temporary coverage for twelve services through the end of the year in which the COVID-19 Public Health Emergency ("PHE") concludes. These include, among others, high-intensity home visits, emergency department visits, and hospital discharge day management. Second, CMS adopted specific changes to further define coverage under the "remote physiologic monitoring" ("RPM") services codes (e.g., remote monitoring of weight, blood pressure, pulse oximetry, and respiratory flow rate). Third, through the latter of the end of the year in which the COVID-19 PHE concludes or December 31, 2021, CMS adopted a definition of direct supervision that includes the virtual presence of the supervising physician or practitioner using interactive audio/video real-time communications technology. Fourth, CMS indicated that coverage for audio-only E/M services will extend through the "conclusion of the PHE for COVID-19," but will be terminated thereafter. Finally, CMS clarified that telehealth coverage rules do not apply to services furnished via telecommunications where the patient and physician are in the "same institutional or office setting," and confirmed that clinical social workers, psychologists, physical therapists, and speech-language pathologists are not statutorily limited from coverage when utilizing online assessments and management services as well as virtual check-ins and remote evaluation services, as CMS does not consider these technology methods to be "telehealth" for coverage purposes.

Congress Expands Coverage for Mental Health Services Furnished Through Telehealth, Following the End of the COVID-19 PHE

As part of the 2021 Consolidated Appropriations Act, Congress authorized Medicare coverage for telehealth services furnished for the diagnosis, evaluation, or treatment of a mental health disorder, in certain instances, following the expiration of the COVID-19 PHE. Further, while the Medicare telehealth statue generally limits Medicare coverage for telehealth services by the geographic location of the patient (the patient must be located in a Rural Health Professional Shortage Area located outside of a Metropolitan Statistical Area or in a rural census tract), the new authorization under this most recent Appropriations Act provides that the geographic restrictions will not apply for purposes of diagnosis, evaluation, or treatment of a "mental health disorder." Importantly, however, this extension of Medicare covered telehealth mental health services outside of rural areas only applies if the provider furnishing the service has previously furnished in- person services to the patient within the six-month period prior to the telehealth services; and continues to do so periodically after the first telemedicine services are furnished to the patient.

Congress Authorizes Additional Funds for FCC COVID-19 Telehealth Program

As part of the 2021 Consolidated Appropriations Act, Congress appropriated an additional $250 million in funds for the Federal Communications Commission ("FCC") COVID-19 Telehealth Program (the "Program"). The Program, which was established under the authority of the CARES Act, provides support to eligible health care providers responding to the COVID-19 pandemic by fully funding their telecommunications services, information services, and devices necessary to provide critical connected care services to patients at their homes or mobile locations. The FCC is required to seek public comment on the metrics the FCC should use to evaluate applications for the additional funding and how the FCC should treat applications filed during previous funding rounds. In addition, the Act requires that (i) to the extent feasible, the FCC ensure that at least one applicant in each of the 50 states and Washington, D.C., has received Program funding since its inception; (ii) the FCC afford each applicant from prior funding rounds the opportunity to update or amend its application as necessary; (iii) to the extent feasible, the FCC provide each applicant, if requested, with information on application status and funding decision rationale; and (iv) if the FCC denies funding, the FCC must first issue notice to the applicant of FCC’s intent to deny and grounds for the decision, provide the applicant with ten days to submit any supplementary information that the applicant determines relevant, and consider any supplementary information submitted in making any final decision. On January 6, 2021, the FCC issued a public notice seeking input on the Program, with comments due January 19.

FDA Issues EUAs for Prescription and Non-Prescription At-Home COVID-19 Tests

In late 2020, the FDA issued several EUAs for at-home COVID-19 tests. On November 17, 2020, FDA issued its first EUA for a prescription at-home COVID-19 test that can be self-administered and provides rapid results. The EUA requires prescribing health care providers to report all test results they receive from individuals who use the test to their relevant public health authorities in accordance with local, state, and federal requirements. Subsequently, on December 15, 2020, the FDA issued its first EUA for an over-the-counter diagnostic test for COVID-19. Pursuant to the EUA, the test uses an analyzer that connects with a software application on a smartphone to help users perform the test and interpret results, as well as report the results as appropriate to public health authorities to monitor disease prevalence. Finally, on December 16, 2020, the FDA issued its first EUA for a prescription at-home COVID-19 test offered in partnership with a telehealth service that takes users step-by-step through the sample collection process, provides assistance in reading and understanding the results, and reports all test results to the relevant public health authorities. These EUAs and technologies make remote COVID-19 evaluation and care a reality, paving the way for digital health companies to engage in entirely contactless care for patients with COVID-19 infection and exposure concerns. Stakeholders should watch carefully for additional at-home COVID-19 test kits to enter the market, which will increase access and permit competitive pricing for patients and insurers.

FDA Releases Artificial Intelligence/Machine Learning (AI/ML) Action Plan

On January 12, 2021, the FDA released a new AI/ML Action Plan. The AI/ML Action Plan is in direct response to industry inquiries regarding an April 2019 FDA discussion paper outlining a proposed regulatory framework for the evaluation and oversight of AI/ML-based medical software. Following release of the 2019 discussion paper, FDA has frequently interacted with the public on broad digital health issues, but had not indicated whether it planned to move forward with the proposed framework. The newest Action Plan does little to solidify FDA’s plans to regulate AI/ML medical software. Instead, it outlines five actions that FDA intends to take, including: (i) further developing the proposed regulatory framework, including issuing draft guidance on predetermined change control plans (FDA’s goal is to publish the draft in 2021); (ii) supporting the development of good machine learning practices to evaluate and improve machine learning algorithms; (iii) fostering a patient-centered approach, including device transparency to users; (iv) developing methods to evaluate and improve machine learning algorithms; and (v) advancing real-world performance monitoring pilots. Of the enumerated action items, the draft guidance is the most consequential for industry, as it should begin to officially define a regulatory framework that can be relied upon during AI/ML product development.

The Department of Health and Human Services Proposes Changes to the HIPAA Privacy Rule

On December 10, 2020, HHS’s Office of Clinical Research issued a Notice of Proposed Rulemaking proposing significant changes to the HIPAA Privacy Rule. The proposed changes, if adopted, would provide individuals with greater access to their health information and improve information sharing for care coordination and case management for individuals. See Jones Day’s Alert for more detailed information.

OIG and CMS Finalize Stark and Anti-Kickback Regulatory Reforms with Broad Health Industry Implications

More than a year after proposing a package of reforms to modernize the regulations that interpret the federal Anti-Kickback Statute, the Physician Self-Referral Law (the "Stark Law"), and the federal Civil Monetary Penalties Law, HHS’ Office of Inspector General ("OIG") and CMS concurrently published final rules amending these regulations on November 20, 2020. Jones Day is publishing a series of Commentaries to summarize the more significant amendments within the final rules. Though only a narrow set of the reforms specifically affect the digital health industry, all reforms affect the health care space generally and may have implications for various digital health initiatives. For more information, see our Commentaries on:

Jones Day Prepares Tool to Help Health Care Providers Fight Human Trafficking

Monday, January 11, was Human Trafficking Prevention Awareness Day. As part of the Firm’s ongoing, multidisciplinary initiative to fight human trafficking, Jones Day has prepared a free tool to help health care providers (especially those operating in multiple states) navigate the complex roadmap of their reporting and education obligations related to trafficking victims across jurisdictions. With the increased role of telehealth and multistate practitioners in the anti-trafficking effort, the need for this type of resource is growing. The tool outlines the U.S. federal and state statutes and corresponding regulations for certain mandatory reporting and education requirements for health care providers that may apply in trafficking circumstances. The tool can be accessed, free of charge, from the Jones Day, American Hospital Association, and HEAL Trafficking websites.

OIG Work Plan Update Focuses on Medicare Integrity Risks from Telehealth Services

In October 2020, the OIG announced an update to its Work Plan, under which the agency will focus on providers’ billing patterns for Medicare telehealth services and identify characteristics that pose a risk to the integrity of the Medicare program. Specifically, OIG plans to base its review on Medicare Parts B and C data. This addition to the Work Plan reflects, in part, the agency’s response to the expansion of telehealth services available to Medicare beneficiaries amid the COVID-19 pandemic, including virtual check-ins, e-visits, and remote monitoring services. Additionally, however, OIG has publicly documented a significant uptick in telehealth fraud since 2016 and has placed corresponding emphasis on enforcement over the past several years. This includes nationwide, billion-dollar telemedicine takedowns such as Operation Brace Yourself and Operation Rubber Stamp, both of which centered on the use of digital platforms to order inappropriate durable medical equipment and bill medically unnecessary tests and services to federal health care programs. In light of this increasing focus, now formalized in the updated Work Plan, careful review and recordkeeping is crucial for documenting past and ongoing appropriate use of telehealth services under the Medicare program.

HHS Launches False Claims Act Working Group to Address COVID-19 Relief Effort Fraud

On December 4, 2020, the HHS announced the creation of a False Claims Act Working Group, enhancing its existing partnership with the Department of Justice ("DOJ") and the OIG to combat fraud and abuse. According to HHS’s press release, the Working Group will help identify potential False Claims Act ("FCA") violations and refer them to DOJ and OIG for possible action, as well as "provid[e] HHS’ views on the intricate legal frameworks of the agency’s numerous funding programs" with respect to FCA matters. HHS emphasized that the coordination between agencies is more important than ever as they administer billions of dollars in supplemental funds to combat COVID-19, such as through Operation Warp Speed and the Provider Relief Fund. Staffing of the Working Group is unique, including HHS lawyers and former healthcare fraud prosecutors, as well as former private counsel for health care and life sciences companies. While HHS indicates that the vast majority of actors have used funds in good faith while responding to the pandemic, the False Claims Act Working Group signals the government’s intent to proactively identify and prosecute FCA violations arising out of COVID-19 relief efforts and manage a potentially extensive docket of similar qui tam actions filed by private whistleblowers.

Recent Prosecution Efforts Related to COVID-19 Fraud Exploiting Digital Health Platforms

As described in the Jones Day October 2020 White Paper, an uptick in fraud prosecutions and litigation has historically followed federal crisis relief programs. True to historical trend, the DOJ announced investigations and prosecution of COVID-19 related fraud, following memoranda issued by the Attorney General and Deputy Attorney General in March 2020. On March 26, 2020, DOJ initiated its first COVID-19 related fraud case—charging Erik Santos with conspiracy to violate the Anti-Kickback Statute for allegedly leveraging telemedicine providers and testing for submission of fraudulent claims related to COVID-19 tests. The criminal complaint alleged that Santos sought to defraud Medicare by soliciting and receiving kickback payments from companies involved in diagnostic testing in exchange for steering potential patients to those companies. Santos allegedly relied on "a network of telemedicine health care providers" to prescribe the fraudulent tests. Similarly, on May 15, 2020, DOJ charged Ashley Hoobler Parris with conspiracy to violate the Anti-Kickback Statute and to commit health care fraud based on allegations that she paid illegal kickbacks to co-conspirators at telemedicine companies to obtain doctors’ orders for genetic and COVID-19 testing to serve Medicare beneficiaries. DOJ has also brought charges against an individual posing as a distributor of COVID-19 supplies, and has indicted two pharmacy owners for misuse of COVID-related emergency codes to submit false claims for cancer drugs.

Global Developments


European Commission Encourages Development of Digital Health Solutions for Public Health Crisis Response Efforts

In November 2020, the European Commission ("Commission") adopted a Communication on Building a European Health Union (the "Communication") aimed at strengthening the EU’s public health crisis preparedness and response systems. Digital health data features prominently throughout the Communication. The commission plans to use big data to forecast and predict potential drug shortages and future health crises. Specifically, for example, the Communication encourages (and contemplates funding for) Member States to utilize high-performance digital computing platforms to collect and process electronic health records to facilitate health trend surveillance. Additionally, the Communication anticipates a new European Health Emergency Response Authority that will be tasked with supporting the development of technologies such as "vaccine platform technologies[,]…digital tools and artificial intelligence" that can be used as countermeasures in public health crisis response efforts.

European Commission adopts a Pharmaceutical Strategy for Europe Centered on Digital Health Solutions

In November 2020, the Commission published a long-awaited Pharmaceutical Strategy. The strategy is built upon several digital health pillars. One pillar, for example, is focused on "fully exploiting the huge potential of new technologies and digitalization," and promotes data transparency between industry and regulators "through a robust EU-wide data infrastructure" that will provide access to "comparable and interoperable health data from across the EU." Consequently, the Commission is expected to propose plans for establishing and funding such a European health data space, in compliance with data privacy rights. Another strategic pillar focuses on adapting the existing legislative framework to the ongoing "technological transformation" affecting the pharmaceutical industry, including data analytics and digital therapeutics (e.g., app-based platforms and personalized medicine). Accordingly, in 2022, the Commission is expected to amend EU legislation and guidelines "to make the lifecycle management of medicines more efficient and adapted to digitalization."

The European Medicines Agencies Network "Strategy to 2025" Identifies Digital Health as a Priority

In December 2020, the European Medicines Agencies Network ("EMRN") presented its "Strategy to 2025: Protecting public health at a time of rapid change," laying down high-level goals and supporting recommendations that are expected to shape the work plans of EMRN members for the next five years. Among the priority areas identified in the strategy are "data analytics, digital tools and digital transformation and innovation." The strategy acknowledges that the convergence of new treatment modalities, diagnostics, medical devices, wearables, sensors, connected health, and greater digitization of healthcare information generates enormous amounts of data. To that end, specific strategic goals include: (i) enabling access to and analysis of routine healthcare data, analysis of individual patient data from clinical trials, and promoting data standardization; (ii) building sustainable capability and capacity for the advancement of statistics, epidemiology, real world data, and advanced analytics; and (iii) ensuring data security and ethical data handling. The strategy also contemplates development of robust centralized regulatory authority analytical capabilities directed at providing scientific advice and modelling/simulation analyses on applicant data during assessment. Several other of the strategy’s initiatives and goals are similarly focused on digital health solutions to increasing the accessibility and availability of medications and addressing supply chain inefficiencies. The strategy is considered a living document that will undergo periodic review and updating as appropriate.

European Commission Introduces Three Critical Funding Initiatives Affecting Digital Health

In December 2020, the Commission welcomed agreements reached by the European Parliament and Council on three significant funding initiatives affecting the digital health industry:

The EU4Health Program draft regulation aims to improve EU competitiveness in the global digital economy and achieve technological sovereignty. The Program envisages the establishment of a € 5.1 billion reserve fund (which will be open for applications in 2021) earmarked for five key areas: supercomputing, AI, cybersecurity, advanced digital skills, and ensuring a wide use of digital technologies across the economy and society. Several examples of projects that will be considered for funding include projects focused on: (i) the deployment and operation of "secure and interoperable digital service infrastructures and data quality assurance processes for the exchange of, access to, and use and reuse of data; supporting cross-border networking, including through the use and interoperability of electronic health records, registries and other databases; developing appropriate governance structures and interoperable health information systems"; (ii) "digital transformation of healthcare and health systems including through benchmarking and capacity building for the uptake of innovative tools and technologies such as artificial intelligence"; and (iii) "the optimal use of telemedicine and telehealth, including through satellite communication for remote areas, fostering digitally-driven organizational innovation in healthcare facilities and promoting digital tools to support citizen empowerment and patient-centered care."

The Digital Europe Programme aims to accelerate economic recovery and drive EU digital transformation. For these purposes, funding of € 7.5 billion has been provided for projects in: (i) supercomputing; (ii) AI; (iii) cybersecurity; (iv) advanced digital skills; and (v) ensuring the wide use of digital technologies across both economy and society. The Commission published draft orientations for Digital Europe, which will shape the work programs and calls for proposals for the first two years. Examples of projects that will be considered for funding that are likely to advance are: (i) interconnection of repositories of different kinds of health and care data (including genomics, clinical records, laboratory information systems, patient registries, and health images); (ii) secure access and interoperable exchange of health across the EU; (iii) expansion of knowledge regarding rare and complex diseases; (iv) establishment of platforms for the collection and use of real-world health data; and (v) enhancement of IT skills of healthcare professionals.

Horizon Europe provides for up to €100 billion in research and innovation funds dedicated to four pillar areas, one of which touches upon digital solutions in the healthcare space tackling public health challenges such as the COVID-19 pandemic, extension of clinical trials, innovative protective measures, virology, vaccines, treatments and diagnostics, etc. Specific calls for proposals will be accessible through the Funding and Tenders Portal’s one-stop-shop.

European Commission Launches IntellIoT project to Develop Digital Solutions

The Commission launched IntellIoT, an €8 million project comprised of a consortium of thirteen partners from nine countries to enable the autonomous internet of things systems. Over three years, the initiative will leverage technologies in 5G, cybersecurity, distributed computing, augmented reality, and tactile internet to empower healthcare professionals and hospitals to work more efficiently and place patients’ needs and wellbeing at the forefront.

European Commission provides funding to digital health projects addressing COVID-19

In order to strengthen the public health preparedness and accelerate the deployment and market uptake of mature digital health technologies for prevention and treatment of diseases, the Commission launched a Call for Expression of Interest addressing COVID-19. Thirteen projects that utilize digital tools and AI at the heart of their innovative approaches were selected and granted a total of €55.2 million. Within the next 24 months, the selected projects will deliver solutions in four complementary areas, with the first planned prototypes being available in the coming six to twelve months. Several selected projects cover the use of telemedicine to assist both intensive care units and outpatient systems for COVID-19 remote monitoring and treatment.

European Commission Implements COVID-19 Warning & Tracing Apps

In October 2020, the European Commission launched the interoperable gateway for COVID-19 contact tracing and warning apps. The EU gateway enables contact tracing across borders by requiring users to install an app that ensures perfect functionality of the tracking services when crossing borders. The system also guarantees cross-functionality with all potential future apps, as well as secured transmission and privacy for app users. The system is expected to be dismantled once the pandemic ends.

European Commission Expert Panel Opinion Highlights Digital Health Solutions as an "Indispensable Resource"

On November 25, 2020, the European Commission’s Expert Panel on effective ways of investing in health issued its opinion on the organization of resilient health and social care following the COVID-19 pandemic. The opinion expressly recognizes the importance of AI and the need to implement systems for the safe use of quality of health data and realize the full potential of digital solutions such as telemedicine and tele-monitoring. The opinion states that telemedicine is "emerging as an indispensable resource to support surveillance of patients and ensure continuity of care" and identifies a list of priority points for the efficient integration of telemedicine.

Cyber-Attack on European Medicines Agency

On December 9, 2020, the EMA reported that it experienced a cyber-attack affecting BioNTech and Pfizer COVID-19 documents. Following an investigation launched by the EMA in cooperation with law enforcement and other relevant entities, it appeared that the data breach was limited to only one IT application. The attackers targeted data related to COVID-19 medicines and vaccines and unlawfully accessed third parties’ documentation.

ENISA Publishes Sectoral Threat Landscape 2020 Report

On October 20, 2020, the EU Agency for Cybersecurity ("ENISA") published a sectoral threat landscape 2020 report ("Report") which covers the healthcare sector. According to the Report, cyber-attacks in the health/medical sector have increased considerably due to the importance of the sector during the COVID-19 pandemic.

European Data Protection Authorities Issues Fines in the Healthcare Sector

Between October and December 2020, the European Data Protection Authorities ("DPA") issued fines and decisions in the healthcare sector against hospitals, a polyclinic, and a healthcare provider for violating GDPR requirements. In particular, the Swedish DPA issued two fines amounting to €1.2 million (information available in Swedish here) and €3 million (information available in Swedish here), respectively, against a healthcare provider and a hospital for insufficient measures to protect healthcare data. In Norway, the DPA fined a hospital €69,000 for insufficient security measures (information available in Norwegian here). In addition, the Italian DPA issued a €20,000 fine against a polyclinic for insufficient security measures and for the unlawful processing of health-related personal data (information available in Italian here). In Belgium, the DPA issued a decision against a hospital for infringing the principle of transparency enshrined in the GDPR when deducting trade union membership fees directly from employees’ salaries. However, no sanctions were issued due to the prompt intervention of the hospital’s data protection officer (information available in French here).

German Data Protection Authority Issues Statement on the Digital Modernization of Care and Nursing Draft Law

On December 7, 2020, the German DPA of Rhineland-Palatinate issued a statement on the proposed Digital Modernization of Care and Nursing Law, which has not yet been adopted (information available in German here). The DPA highlighted that, under the proposed law, certain insured individuals may be precluded from exercising their data protection rights if those individuals do not have access to robust digital devices to access their digital data. The DPA stressed that insured individuals should not be deprived of the opportunity to exercise their data privacy rights.

Italy Poised to Adopt Guidelines on the Implementation of Telemedicine Services

In December 2020, the Conference between State and Regions discussed the adoption of guidelines on the implementation of telemedicine services to boost uptake of such services in compliance with specific guidelines that were adopted by the Ministry of Health in 2014. Once the final text is adopted, telemedicine will effectively become a service provided by the national health system and, as such, reimbursed as any other health service. The document regulates telemedicine services (e.g., tele-examination, teleconsultation and tele-reporting) and outlines specific requirements and features of telemedicine systems. There are also guidelines relating to the propriety of telemedicine for various clinical conditions, patient informed consent, professional liability, and reimbursement.

Italian Data Protection Authority Publishes Opinion on Algorithm Identifying Patients at Risk

On October 26, 2020, the Italian DPA published an opinion regarding a draft regulation of an Italian province, regarding the use of "initiative medicine" (i.e., a care model for the management of chronic diseases that focuses on prevention through the use of Big Data and artificial intelligence) (information available in Italian here). The DPA took issue with the fact that the Italian province failed to provide the DPA with a data protection impact assessment for the purpose of processing medical data through the use of the digital algorithm.

French Council of State Issues a Summary Proceedings Judgment on the Transfer of Health-Related Data to Third Countries

On October 13, 2020, the French Council of State (the supreme administrative court in France) issued a summary proceedings judgment regarding a decree that prohibited the transfer of personal data from the French "Health Data Hub" (i.e., a data platform that processes health-related data for reasons of public interest) to third countries outside the EU, via the use of Microsoft services. The Council of State held that the suspension of the data processing activities undertaken by the Health Data Hub could not be justified. In addition, the Council of State stressed that precautions must be taken, such as concluding a new agreement with Microsoft, in light of the Schrems II ruling. Moreover, the Council of State highlighted that the processing of personal data by a U.S. company within the EU is not prohibited.

France Updates Reimbursement Application Files to Improve Evaluation Efficiency for Medical Devices Employing AI

In October 2020 the French High Authority for Health ("HAS")—the agency in charge of evaluating health products from a medical and economic perspective—updated its guidelines to assist device manufacturers employing AI to secure reimbursement for the clinical use of new technologies. The update also broadens access to an Innovation Pass, which is an exceptional and temporary funding process aimed to facilitate early access for patients to innovative technologies in clinical development. The updated guidelines require device manufacturers to disclose technical information (which manufacturers may view as propriety) for the purpose of effectively assessing the clinical benefit of the medical device.

France: One step Towards Interoperability, the Cornerstone of e-Health Innovation

On November 30, 2020 the French e-Health Agency ("ANS") announced its entry into a partnership with Interop'Santé, an association in charge of fostering the interoperability of health systems, in order to simplify interoperability testing. This partnership is a step toward achieving health information system interoperability in France. French interoperability goals apply to both public and private players developing solutions for the sharing and exchange of data in the health sector. Interoperability is becoming a key driver for e-health development in France and one of the critical success strategies for new market entrants.

Portuguese Data Protection Authority Publishes Guidelines on Processing of Health Data

On November 13, 2020, the Portuguese DPA published guidelines on the processing of health-related personal data in the context of the COVID-19 pandemic ("Guidelines") (information available in Portuguese here). In particular, the Guidelines shed light on processing activities for the purpose of COVID-19 testing and body temperature control.

Code of Conduct for the Processing of Personal Data in the Health Field in Catalonia

On December 30, 2020, the Catalan DPA approved the Code of Conduct for the processing of personal data in the healthcare sector, promulgated by the Catalan Health and Social Care Consortium. The Code establishes a common framework for the application of the principles and obligations established in the data protection regulations by the entities adhering to the consortium and other entities that provide such services, in accordance with Article 40 of the GDPR. Specifically, the Code offers practical and unified solutions for the application of these principles and obligations; establishes measures to reinforce protection standards; and provides for the creation of a supervisory body to ensure compliance, thus helping entities that voluntarily adhere to offer a high level of protection of personal information (information available in Spanish here).

The Netherlands Approves Funding for Healthcare Digitization Projects

Scheduled for distribution in 2021, the Dutch Parliament has approved the establishment of a €77 million fund for healthcare digitization. The budget is focused upon innovative healthcare solutions for healthcare professionals. Healthcare professionals can apply for subsidies to purchase equipment, train healthcare personnel on e-health, and develop digital solutions.

Belgian Survey on Teleconsultations

On October 29, 2020, the Belgian Flemish association of general practitioners (Domus Medica) published the results of a survey on the use of teleconsultations in the context of the COVID-19 pandemic (available here only in Dutch). The survey demonstrates a significant increase in the use of teleconsultations by general practitioners since the onset of the COVID-19 crisis, mainly via telephone consultations (rather than video consultations). Ninety-five percent of respondents who claimed to use telephone consultations did so on a regular or very frequent basis and most respondents (89%) reported their opinion that such teleconsultations should, in the future, retain a place in their practice.


Japanese Government Commences Discussions Regarding Permanent Relaxation of Telehealth Regulations

In February 2020, the Japanese government temporarily expanded the scope of permissible telemedicine services in order to mitigate risks associated with COVID-19 exposure and infection. More recently, the Japanese government commenced discussion regarding the permanent relaxation of telehealth regulations. For example, while the current guidelines for telemedicine issued by the Japanese Ministry of Health, Labour and Welfare generally require a face-to-face meeting for the first medical examination, the Japanese government is considering relaxing this requirement. Currently, the Japanese government expects to provide amendments to the telemedicine guidelines in fall 2021.

Japanese Government Publishes Draft Amendment of Guidelines Concerning Security Management of Medical Information Systems

Given recent cyber-attacks targeting medical institutions, as well as the increasing use of smartphones and various cloud services by medical institutions, the Japanese Ministry of Health, Labor and Welfare released on October 2, 2020 a proposed amendment (version 5.1) of the Guidelines Concerning Security Management of Medical Information System for public comments. The amendment includes provisions addressing the allocation of responsibility between a medical institution and a cloud service provider, appropriate authentication methods (such as a recommendation to introduce two-factor authentication), encryption key management, network monitoring, establishment of an incident response system, and selection criteria for IT service vendors.

Recent and Upcoming Speaking Engagements

  • PLI Enforcement Trends in Health Care Law—Lessons Learned in 2020, Virtual Program (December 2020). Jones Day Speaker: Laura Laemmle-Weidenfeld.
  • 2020 HHS Telehealth Innovation Summit Panel—Telehealth Policy, Reimbursement Groups, Impact on Value and Access, Virtual Program (December 2020). Jones Day Speaker: Alexis Gilroy. Access recordings here.
  • ATA EDGE—Intersection Between Compliance and Telehealth, Virtual Program (January 2021). Jones Day Speaker: Laura Laemmle-Weidenfeld.

In Case You Missed It

Insights by Jones Day should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request permission to reprint or reuse any of our Insights, please use our “Contact Us” form, which can be found on our website at This Insight is not intended to create, and neither publication nor receipt of it constitutes, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.