Vital Signs Digital Health Law Update social gra

Vital Signs: Digital Health Law Update | Summer 2021


The "dog days of summer" certainly provide a welcome, if brief, break in the extremely rapid pace of statutory, regulatory, and various other policy and industry efforts applicable to digital health. Just in time for us to collectively catch up on the impacts of the recent actions.

As is the hallmark of our Vital Signs effort to bring you this curated, one-stop resource quarterly on the most notable digital health law updates from our contributors globally, the level of activity during the past quarter has truly outpaced any to date. As the volume and breadth of topics identified below indicate, digital health policy is a "KEY HEALTH POLICY TOPIC" in most jurisdictions, so stay alert as changes continue, and we collectively seek to understand and apply these new policies to innovative digital health offerings.

Given that we wanted to make room for some notable multinational developments, we are taking a break from Industry Insights in this issue, but we will be back with more in the future. In the meantime, it may be a good time to revisit some of our prior, yet very relevant, Industry Insights features on Digital Health Dealmaking: Challenges and Opportunities, The Intersection between Telehealth and Fraud, Abuse, and Enforcement, and IP Protection for Virtual Health Treatment Modalities.


WHO Is Working to Create Ethical Standards for Machine Learning and Artificial Intelligence

On June 28, 2021, the World Health Organization ("WHO") issued guidance titled "Ethics and Governance of Artificial Intelligence for Health," which identifies ethical challenges and lays out ethical principles for the use of artificial intelligence ("AI") in medicine. WHO stated that although technologies which utilize AI hold tremendous promise to improve patient care, provide accurate diagnoses, optimize treatment plans, and support pandemic preparedness and response, those technologies must "put ethics and human rights at the heart of its design, deployment, and use." The guidance emphasizes that humans should remain in control of health care systems and medical decisions, and that AI technologies should be transparent, explainable, and do no harm to patients. WHO also seeks to foster responsibility, accountability, equity, and sustainability in the utilization of AI in medicine. This follows similar efforts earlier this year by the Consumer Technology Association, an industry group, who introduced "self-policing" accreditation standards focused on core requirements for health care AI to be deemed trustworthy.

OECD Global Tax Adds to Growing Trend of Taxation of International Digital Health Services

As of July 9, 2021, the United States, France, Germany, China, India, and 127 other countries subscribed to a new framework for international taxation—the OECD Global Tax Proposal—intended to address: (i) the taxation of revenue generated by digital services and other consumer-facing businesses by firms that have no or limited physical presence in a country and (ii) competition amongst countries to tax the income of the world's largest multinational enterprises. An increasing number of large health care systems are now offering international digital health care services, and this new tax framework may affect the revenues they generate. This includes, for example, telemedicine-based second opinion services and virtual clinical visits offered to international patients. "Pillar 1" of the new framework is projected to apply only to revenue generated by the very largest multinational enterprises with global revenue over €20B. Even the largest health care systems are unlikely to reach that revenue threshold. "Pillar 2" of the new framework is projected to introduce a global minimum tax meant to address income tax competition among participating countries. A preliminary version of Pillar 2 exempted nonprofit organizations and their subsidiaries (including certain for-profit subsidiaries); but the July 2021 agreement is silent on this point, making it unclear whether this exemption will ultimately apply. Moreover, although Pillar 1 is intended to replace country-specific digital services taxes, it is not clear whether countries will be willing to withdraw their digital services taxes. Indeed, the European Union is still contemplating adopting a levy on digital goods and services sold online for firms with annual revenues of at least €50M, despite simultaneously supporting adoption of Pillar 1. As such, even if health care organizations are not subject to taxation under the new framework, it is important to anticipate the growing application of digital services taxes and value-added taxes on revenue generated from international telemedicine and virtual health services.



Health Information Blocking Rules Went Into Effect as of April 5, 2021

After previous postponements, the 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program Final Rule (as modified by an interim final rule) went into effect on April 5, 2021. While certain provisions have later compliance dates, compliance with the information blocking rules was immediately required. Any individual or entity that meets the definition of an "actor" (i.e., health care provider, health IT developer of certified health IT, or health information network ("HIN") or health information exchange ("HIE")) is subject to the rules. Providers, HINs, and HIEs are subject to the rules even if they do not use certified health IT.

These rules generally prohibit actors from engaging in activities that are likely to interfere with access, exchange, or use of electronic health information ("EHI"), unless an exception applies. For example, with respect to the licensing exception, if a developer intends to license interoperability elements for EHI access, exchange, or use, the license agreement must comply with the requirements of the exception. Among other things, the agreement must not include noncompetition terms or otherwise discriminate against competitors. Given the breadth of the rule and the detailed requirements of the exceptions, all actors should carefully assess their existing data sharing policies and practices, as well as relevant contracts, and modify them as needed to avoid engaging in prohibited information blocking.

COVID-19 Public Health Emergency Extended Through October 17, 2021

The United States Department of Health and Human Services ("HHS") again renewed the COVID-19 public health emergency ("PHE") declaration for another 90 days, effective July 19, 2021, thereby allowing the agency to continue Section 1135 waivers and other telehealth flexibilities during the pandemic. The current expiration date is, therefore, set for October 17, 2021. As highlighted in our last issue of Vital Signs, former Acting Secretary of HHS Norris Cochran indicated in a January 2021 letter to governors that the PHE will likely continue until the end of 2021, and this latest renewal aligns with that letter. In a recent interview with the Washington Post, HHS Secretary Beccera said that he was "absolutely supportive of efforts to give [HHS] the authority to utilize telehealth in greater ways." Health care providers should continue to monitor both the expiration of the PHE and proposed legislative and regulatory flexibilities that may provide for long-term telehealth flexibilities.

HHS and FDA Withdraw Trump Administration Plan to Eliminate Regulatory Review of Connected Health Devices 

On April 16, 2021, the HHS and the Food and Drug Administration ("FDA") withdrew a January 15, 2021, HHS notice that, among other things, would have exempted 83 class II devices and one unclassified device from premarket notification requirements under 510(k) of the Food, Drug, and Cosmetic Act. After reviewing the notice, comments from within HHS, and complaints from mHealth and telehealth companies, the agencies determined that the proposed exemption was flawed and could have put the lives of Americans using that technology in danger. The decision affects dozens of connected health tools, including (among others) mHealth apps that assess skin lesions for signs of cancer, wearable devices that track heart rhythms, and digital health platforms for behavioral health and substance abuse.

Government Accountability Office Cautions Lawmakers on Permanently Adopting Temporary COVID-19-Related Telehealth Expansions While Others Urge Congress to Press Forward 

In a 27-page report and testimony before the Senate Finance Committee on May 19, 2021, representatives from the Government Accountability Office ("GAO") said that, though telehealth services have been crucial to expanding access to care during the COVID-19 PHE, lawmakers should wait and gather more data before deciding on whether to permanently expand telehealth coverage for Medicare and Medicaid programs beyond the pandemic. In particular, GAO representatives requested further information related to spending, program integrity, patient health and safety, and equity in the use of telehealth services.

Meanwhile, in a statement submitted the same day to the Senate Finance Committee, the American Hospital Association ("AHA") urged Congress to make permanent certain health care flexibilities granted for the COVID-19 PHE, including telehealth, hospital-at-home flexibilities, and site-neutral payment exceptions. Similarly, on April 28, 2021, the AHA issued a statement before a House Ways and Means Subcommittee on Health hearing, urging Congress to continue granting telehealth flexibilities beyond the PHE, including eliminating geographic and originating site restrictions and reimbursement for audio-only services. Related sentiments were shared by the American Academy of Neurology in their May 13, 2021, position statement, wherein they asked Congress for a "permanent expansion of telehealth services to improve safety and access to care and to reduce health care costs for people with neurologic disease." Advocacy by stakeholders is beginning to translate to Congressional action, evidenced by a bipartisan effort of U.S. Representatives Liz Cheney (R-WY) and Debbie Dingell (D-MI) to codify COVID-19 telehealth waivers and critical telehealth policies implemented during the pandemic through proposed legislation titled the "Advancing Telehealth Beyond COVID-19 Act of 2021." However, whether telehealth flexibilities originating during the PHE will be made permanent remains a hot debate.

Federal Enforcement Update: OIG and DOJ Target Telemedicine Companies That Exploited COVID-19 Telemedicine Regulation Flexibilities

As examined in our team's recent client Alert, on May 26, 2021, the Department of Justice ("DOJ") announced a series of coordinated law enforcement actions against 14 defendants across seven federal districts. These actions targeted alleged fraudulent health care schemes relating to exploitation of the COVID-19 PHE that resulted in more than $143 million in false billings.

One particular indictment included what DOJ described as "first in the nation charges," which involved the exploitation of Centers for Medicare & Medicaid Services ("CMS") policies expanding access to telemedicine services during the PHE. As highlighted in our last issue of Vital Signs, prior DOJ enforcement actions involving telehealth services have primarily focused to date on "telefraud," i.e., "scams that leverage aggressive marketing and so-called telehealth services" to sell expensive items like durable medical equipment and genetic testing. The most recent indictment is unique, however, as it appears to involve fraud charges relating to the actual provision of telemedicine services themselves, alleging that defendants offered telehealth providers access to Medicare beneficiaries for whom they could bill consultations, in exchange for referrals of medically unnecessary cancer and genetic testing. 

This notable uptick in DOJ enforcement actions is reflective of a broad agency focus on alleged health care fraud arising from the COVID-19 pandemic, including a novel focus on fraud and abuse within the sphere of legitimate provision of telemedicine services.

Supreme Court Ruling Eases Burdens on Text Messaging Between Health Care Providers and Patients 

In a 9-0 decision authored by Justice Sonia Sotomayor, the Supreme Court resolved a contentious circuit split over the definition of an "automatic telephone dialing system" under the Telephone Consumer Protection Act ("TCPA"). The Court held on April 1, 2021, in Facebook v. Duguidthat to qualify as an "automatic telephone dialing system" under the TCPA, a device must have the capacity either to store, or to produce, a telephone number using a random or sequential number generator. As such, the decision significantly limited the scope of automated calls and messages that violate the TCPA, giving health care providers more leeway to send automated text messages to patients without obtaining prior patient consent. Regardless of the Supreme Court's clarification on this topic, providers should still be cognizant of adherence to Health Insurance Portability and Accountability Act privacy and security requirements, among other constraints, when sending health-related messages by text.

Medicare 2022 Physician Fee Schedule Proposals Extend Telehealth Coverage and Act on Recent Statutory Authority for Certain Mental Health Treatment via Telehealth

Among other actions, on July 13, 2021, CMS issued proposals for the 2022 Physician Fee Schedule, including several notable proposals for telehealth services.

Starting with the 2021 Physician Fee Schedule, CMS created a third category for temporarily adding services when provided via telehealth under waivers given the special circumstances of COVID-19. These "Category 3" services are those allowed during the PHE given the likely clinical benefit when furnished via telehealth, yet a service without sufficient evidence at the time (to meet Medicare's requirements for Categories 1 and 2). To provide additional time for coverage of these services as of a date certain (potentially following the expiration of a PHE), CMS proposes to extend these Category 3 services to December 31, 2023. Further, CMS included several proposals related to the 2020 Congressional actions in the Consolidated Appropriations Act, 2021 to expand Medicare telehealth services for patients with mental health disorders while in their homes, including when utilizing audio-only technology, although Medicare coverage for most telehealth services is limited to patients in rural health facilities utilizing real-time video and audio capabilities. Notably, as with the statute, the proposals would only cover telehealth services provided to established mental health patients of providers who previously met with the patient in person and so long as certain ongoing periodic services are provided in person. CMS will accept comments on the proposed rule until September 13, 2021.

Studies Evaluating the Use and Quality of Telehealth Services Across the United States Continue to Proliferate

Over a year after the PHE began, additional studies and data regarding both telehealth usage and quality of care continue to be published. According to data released by CMS highlighting the continued impact COVID-19 is having on Medicaid and Children's Health Insurance Program beneficiaries and utilization of health services, the number of services delivered via telehealth surged 2,700% during the PHE to nearly 68 million between March and October 2020. This increase, however, was not enough to offset the decline in service utilization in other areas, as beneficiaries forewent millions of primary, preventive, and mental health care visits during the same time period. In addition, a recent Kaiser Family Foundation analysis found that more than a quarter of all Medicare beneficiaries had a telehealth visit between the summer and fall of 2020, and among them, a majority (56%) reported accessing care using a telephone only. A smaller group of Medicare beneficiaries reported accessing telehealth services via video visit (28%) or through both video and telephone (16%). In a July 2021 analysis, McKinsey reports that telehealth usage has stabilized at a rate around 38 times higher than it was before COVID-19. Regarding benefits for telehealth users, a new study published in the Orthopaedic Journal of Sports Medicine shows patients who received much of their physical therapy using telehealth reported the same high-quality outcomes compared to those who only did in-person physical therapy. The research, which was conducted pre-COVID, also discovered a cost savings for patients who used telehealth.


Actions in Several States Pave Way for More Telehealth Modality Flexibility

Arkansas, Arizona, Delaware, Mississippi, and Oklahoma (effective November 1, 2021) all took steps enabling more telehealth modality flexibility, especially in the context of real-time services with legislative or regulatory actions incorporating the use of "audio-only" telehealth in some way. For example, Arizona and Delaware legislative changes now allow for "audio only" if audio-visual telehealth is not reasonably available. Mississippi adopted regulations including a broader definition of "telemedicine" that may demonstrate a preference for real time, but directly conveys options for utilizing various modalities in addition to real-time video—a preference previously conveyed in medical board rules inferring that an exam incorporated a "face-to-face" element.

Mississippi Regulatory Updates Require Special State Registration for Telehealth Services

Effective May 19, 2021, each provider organization (including "organizations, institutions, and business entities, including online service entities") offering telehealth services in the State of Mississippi must register with the Mississippi State Department of Health, Office of Licensure before providing telehealth services in the state.

New Jersey Makes It Legal to Prescribe Medical Marijuana via Telehealth

New Jersey Governor Phil Murphy signed into law S 619, allowing health care providers to prescribe medical marijuana via telehealth. The new law permits providers to use telehealth to authorize patients for medical cannabis and to prescribe medical cannabis to people who face barriers to in-person care, including children in long-term care facilities and patients who are developmentally disabled, housebound, terminally ill, or in hospice care.

States Make Permanent Many of the Temporary Digital Health Measures Enacted in Response to the COVID-19 Public Health Crisis

Arizona Governor Doug Ducey signed H.B. 2454 into law, making permanent telehealth services enacted during the COVID-19 pandemic and expanding access for low-income families and those living in rural areas. Texas Governor Greg Abbott also signed H.B. 4, effective June 15, 2021, that makes permanent some of the emergency health measures put in place over the past year to address the COVID-19 pandemic.  The enrolled bill opens the door for Medicaid and public health plans to use telehealth platforms for preventive health and wellness screenings; case management services; physical, occupational, and speech therapy; nutritional counseling; assessment services; and behavioral health services, including those delivered by audio-only telehealth if appropriate.

Illinois Approves Permanent Telehealth Access With Limited Payment Parity

Like several other states, the Illinois General Assembly acted to keep patients from abruptly losing access to the health care services they relied on during the COVID-19 pandemic. On June 29, 2021, the Illinois House sent House Bill 3308 to Governor Pritzker to sign into law. The bill amends the Illinois Insurance Code to require health care services that are covered under an accident or health insurance policy to be covered when delivered via telehealth, when clinically appropriate and subject to specified conditions. The bill eliminates geographical barriers to telehealth delivery, clarifies that patient cost-sharing must not exceed the amount such cost-sharing would be if the health care services were delivered in person, and permits substance use disorder professionals and those providing early intervention services for children to use telehealth. The bill uses the Illinois Telehealth Act's definition of "telehealth services" and adds that as used in the insurance coverage section, "telehealth services" include services delivered by telephone, but do not include asynchronous store and forward systems, remote patient monitoring technologies, e-visits, or virtual check-ins. ("Telehealth" means the evaluation, diagnosis, or interpretation of electronically transmitted, patient-specific data between a remote location and a licensed health care professional who generates interaction or treatment recommendations. "Telehealth" includes telemedicine and the delivery of health care services provided by way of an interactive telecommunications system, as defined in subsection (a) of Section 356z.22 of the Illinois Insurance Code.)

Industry Challenge to Eye Care Consumer Protection Act in South Carolina Can Proceed

In an unpublished opinion filed on May 5, 2021, the Court of Appeals of South Carolina held that Opternative has standing to proceed with its constitutional challenge to South Carolina's Eye Care Consumer Protection Act (the "Act"). The Act prohibits a prescription from being based "solely on the refractive eye error of the human eye or be generated by a kiosk" (i.e., automated equipment or an automated application designed to be used on a phone, computer, or internet-based device), and has stifled the expansion of ocular telehealth in the state. Opternative sought a declaratory judgment that the Act violated its rights under the South Carolina Constitution because it could no longer operate its business there after the Act was enacted in 2016. The trial court held that Opternative lacked the requisite standing to challenge the Act without reaching the merits. However, even though Opternative could change its business model to comply with the Act, the appellate court found that Opternative had indeed suffered an injury in fact and remanded the case to the trial court with instructions to consider the Act's constitutional validity. Interested parties should continue to monitor the trial court proceedings to see how the challenge is resolved.



European Commission Proposes to Regulate Artificial Intelligence

On 21 April 2021, the European Commission ("Commission") adopted a proposal for regulating artificial intelligence ("Artificial Intelligence Act", or "AIA") with the purpose of establishing a clear legislative framework for developing, commercializing, and using AI systems in the European Union ("EU"). AI systems are identified by the AIA as software relying on certain techniques and approaches (e.g., machine learning, "ML") to generate "outputs such as content, predictions, recommendations or decisions influencing the environments they interact with." The AIA proposes to promote development of AI technologies while preserving individual rights and mitigating potential threats to their health and safety. First, the Commission proposes to create "AI regulatory sandboxes" to provide controlled environments for developing and testing new technologies. Second, the Commission proposes prohibiting certain types of potentially dangerous AI practices. Specifically, for example, the AIA would prohibit the use of AI systems deploying subliminal techniques (i.e., those going beyond individuals' consciousness) to materially distort human behavior, or exploit the vulnerabilities of specific groups, where physical or psychological harm is likely to occur. The Commission's draft also intends to prevent public authorities from using AI systems for the so-called "social scoring" and real-time remote biometric identification systems in publicly accessible spaces, subject to certain exceptions. Third, the Commission proposes to permit but heavily regulate other certain types of "high-risk" AI systems. For example, the AIA proposes a series of obligations on developers of high-risk systems, including technical, recordkeeping, oversight, risk mitigation, accuracy, robustness, cybersecurity, and postmarket surveillance requirements. Sanctions for noncompliance are also projected to be particularly high. There is no specific expected timeline for the European Parliament and Council to discuss and vote upon the Commission's proposal.

European Union Launches Public Consultation Period for Feedback About the European Health Data Space

On May 3, 2021, following a specific request for feedback on the "Inception Impact Assessment," the Commission launched a public consultation ("Consultation") on the European Health Data Space ("EHDS"). The Consultation seeks input from stakeholders about their experiences with the collection, access, use, and reuse of health data. Interested parties can provide feedback by filling in a specific questionnaire which is divided into three sections: (i) Use of health data for research, innovation, policy and regulatory decision-making; (ii) Development and use of digital health services and products; and (iii) Development and use of AI systems in health care settings. Comments were due on July 26, 2021, and will serve as help for the Commission to shape the EDHS legal framework, which is planned for the fourth quarter of 2021.

Joint EMA/HMA Workshop on AI in medicines regulation

On May 25, 2021, the European Medicines Agency ("EMA") and the Heads of Medicines Authorities ("HMA") published a report on their "Joint Workshop on Artificial Intelligence in Medicines Regulation" held in April 2021. The workshop brought together a broad range of stakeholders who discussed the innovative uses of AI and ML. They pointed out the necessity for EMA and EU institutions to develop a regulatory framework that could grant access to and validate AI. To achieve the goal, the stakeholders recommended building partnerships with academia and research centers, fostering the dialogue across international institutions, and upskilling the staff across the EU regulatory network. The complete list of compiled recommendations is provided in Annex I to the report, while Annex II lays down a priority mapping of such recommendations.

EMA Issues Draft Guideline on Computerized Systems and Electronic Data in Clinical Trials

On June 10, 2021, the EMA published a draft "Guideline on computerised systems and electronic data in clinical trials" ("Draft Guideline"). The Draft Guideline is open for consultation for six months, from June 18 to December 17, 2021, and is expected to be formally adopted by the EMA next year, taking into account the comments received. EMA's goal is to provide sponsors, clinical research organizations, investigators, and other interested parties appropriate guidance on the latest changes occurring throughout the past decade in the clinical trials landscape due to the introduction of computerized systems and the collection of electronic data. This includes, for example, the growing use of electronic health records, electronic tools used for recording and collecting patients' clinical data (e.g., mobile devices, automatic event capture tools for blood pressure, respiratory measures, etc.), electronic case report forms, tools that automatically capture data related to transit and storage temperatures for the investigational medicinal product and clinical samples, and electronic informed consent. The Draft Guideline specifically sets forth guidance related to use of such systems in clinical trials, including pretrial justification for use; system validation processes; clarifications on key principles, concepts, and definitions; outsourcing and subcontracting of certain processes; user management; and information technology security. Stakeholders are encouraged to review and provide comments during the consultation period.

EU Digital COVID Certificate Becomes Effective in EU

On July 1, 2021, the Commission announced the entry into force of the EU Digital COVID Certificate Regulation. In practice, this means that EU citizens and residents can now have their Digital COVID Certificates ("Certificates") issued and verified across the EU to facilitate travels across Europe. The Certificate is available in either digital or paper format, containing a QR code, and is issued by national authorities free of charge. The Certificate certifies whether a person has been vaccinated against COVID-19, has a recent negative test result, or has recovered from the infection. In addition, any processing of personal data must comply with the General Data Protection Regulation ("GDPR"), and in any event, personal data will not be retained.

European Union Agency for Cybersecurity Launches Online Tool on Procurement Guidelines for Cybersecurity in Hospitals

On April 7, 2021, the European Union Agency for Cybersecurity ("ENISA") launched an online tool on Procurement Guidelines for Cybersecurity in Hospitals. The new tool aims to help health care organizations identify the most relevant guidelines to their procurement context, whether they offer products or services. The new tool also aims to foster the importance of a robust procurement process to ensure the implementation of appropriate security measures. The new tool should be read in light of the ENISA Procurement Guidelines for Cybersecurity in Hospitals published in 2020, which have now been summarized by ENISA in each of the 24 EU official languages.

Italian Medicines Agency Issues Guidance on the Submission of Applications for Clinical Trials Involving the Use of AI or Machine Learning Systems

In June 2021, the Italian Medicines Authority ("Agenzia Italiana del Farmaco", "AIFA") adopted guidance on the submission of applications for clinical trials involving the use of AI and ML systems. The AIFA acknowledges the constant and significant increase in the number of clinical trial applications ("CTAs") based on the use of AI and ML. In the absence of an EU-wide harmonized regulatory setting, the agency deemed necessary to outline the state of the art and provide a "living" guidance to sponsors with the aim of optimizing the submission of CTAs relying on new technologies to be updated on the basis of new scientific findings. The guidance clarifies that in case AI/ML tools are meant to be used in the context of a clinical study, sponsors have to provide AIFA additional information on, inter alia, information on the IT system to be used, the level of interaction foreseen, and the expected impact deriving from the use of AI/ML with regard, in particular, to patients' rights, safety, and trial data/results. Moreover, the AIFA requires CTAs to include a specific assessment of the benefit/risk associated with the use of the AI/ML model and to include such information in the informed consent form. Stakeholders are encouraged to review the guidance in full.

French Data Protection Authority Issues an Opinion on the Creation of a List of Unvaccinated Patients

On July 4, 2021, the French Data Protection Authority ("CNIL") issued an opinion on the contemplated creation of a list of unvaccinated patients by the National Public Health entity to be used within the French government vaccination program. Even though the CNIL explained that doctors may access and use COVID vaccine-related information, provided that such information relates to their patients only, the CNIL stated that it disagrees with the creation of lists of their patients according to certain characteristics (illness, vaccination status, etc.) for use by doctors.

French Data Protection Authority Releases Interim Recommendations on Clinical Trials Data Processing Activities

On June 24, 2021, the CNIL updated its interim recommendations (source document in French) on the processing of data within the frame of remote monitoring of clinical trials data, applicable until September 30, 2021. Further to the authorization by the French Health Security Authority of a limited list of clinical trials allowing for remote monitoring, the CNIL issued recommendations on remote monitoring. CNIL recommendations include guidance on French formalities required and on security measures.

French Data Protection Authority Releases an Opinion on the French "Health Pass" Bill 

On May 12, 2021, the CNIL issued (source document in French) an opinion on the contemplated implementation by the French government of a "health pass." The CNIL stated that the use of a health pass must be limited to the duration of the pandemic crisis and to the events involving a large number of people. Also, purposes of processing and categories of recipients must be clearly determined to prevent any risk of data privacy violation.

German Federal Office for Information Security Publishes Report on Digital Consumer Protection Regarding Health Apps

On June 16, 2021, the Federal Office for Information Security published a report on digital consumer protection in 2020 ("Report"). The Report highlights consumer risks in the digital space, identifies current challenges in the digital consumer market, and provides suggested actions for digital consumer protection. Following the COVID-19 pandemic in 2020, the Report focused on health apps and highlighted that the majority of health apps lack sufficient IT security measures.

Spanish DPA Publishes Report on Access to Patients' Medical Record

On May 24, 2021, the Spanish Data Protection Agency ("DPA") published a report on access to patients' medical history ("Report"), according to Article 9 (2) (f) GDPR (i.e., processing special categories of personal data for the establishment, exercise, or defense of legal claims). The Report assesses the scope of Article 9 (2) (f) GDPR under three different circumstances: (i) preparing a defense upon legal proceedings initiated by a patient; (ii) providing information to insurance companies to cover the liability of health care organizations' employees; and (iii) responding to a claim for breach of Article 76 of Law 50/1980 on the Insurance Contract.

Swedish DPA Fines Swedish Medical Counseling Company Approximately 1.2 Million Euros for GDPR violation

On June 7, 2021, the Swedish DPA fined a Swedish medical counseling company approximately 1.2 million euros for a personal data breach that occurred in the context of telephone medical advice. In particular, the calls operated by the company's hotline were accessible online and thus were not protected with appropriate security measures.

Dutch DPA Objects to Bill on Electronic Data Exchange in Health Care Sector

On May 28, 2021, the Dutch DPA released a statement with objections to the bill on electronic data exchange in the health care sector ("Bill"). The DPA highlights that the Bill would require health care providers to exchange patient data electronically in certain circumstances. In addition, health care providers may be forced to breach their obligation of professional secrecy in order to exchange patient data electronically.

UK Evidence Standards Framework and an Office for Digital Health

The National Institute for Health and Care Excellence ("NICE"), as part of a working group led by the National Health Service ("NHS") England, published an updated version of the evidence standards framework for digital health technologies in May 2021. The framework is to be utilized for digital health technologies which may be commissioned by the NHS. These updates intend to make it easier for manufacturers in the sector to understand the relevant evidence requirements for their digital product. Further updates are expected in late 2022. NICE also recently announced that it is establishing a new Office for Digital Health which will focus on increasing innovation in the sector and continuing to work with the Medicines and Healthcare Products Regulatory Agency, the UK regulator.

UK Guide to Good Practices for Digital and Data-Driven Technology

The Department of Health and Social Care updated its guidance for digital technology in line with NHS England's plan to increase the use of digitally enabled care. The guide covers topics such as data transparency, clinical safety, and data protection.


Australian Government Will Invest AUD 870.5 Million to Transform Digital Health in Australia

As part of the 2021-2022 budget, the Australian government plans to make significant investments in digital health across several areas. Notably, the government will allocate AUD 301 million to fund the next wave of My Health Record ("MHR"), Australia's online database of individuals' health information. The MHR upgrade will streamline the platform to create an "easy-to-use interface" and will include COVID-19 test results and immunization status. The government is also making significant investments in telehealth. Following a successful campaign by industry groups and consumer organizations, Medicare (Australia's universal health insurance scheme) will continue to cover telehealth services provided by general practitioners, specialists, nurses, midwives, and allied health professionals until December 31, 2021. Other digital health initiatives targeting aged care and mental health resources will also share a significant proportion of the funding package. The Australian government anticipates that its investment in Australia's digital health landscape will deliver innovative new methods to provide care and "continue the momentum for embracing new technologies achieved during COVID-19."


  • Jones Day Webinar Miniseries: Digital Health Part 1: How Disruptive Technologies Are Reshaping the Global Health Sector (June 17). Jones Day Speakers: Maureen Bennett, Alexis, Gilroy, Christiana Spontoni.
  • Digital Health & Telemedicine in Mexico, Virtual Program (June 2021). Jones Day Speakers: Javier Cortés, Guillermo Larrea, Rodrigo Gómez, Mauricio Llamas. 
  • New SCCs and Post-Schrems II Enforcement: Latest Developments on International Data Transfers, Virtual Program (July 2021). Jones Day Speakers: Michael Will, Undine con Diemar, Olivier Haas, Jörg Hladjk, Jonathon Little, Schuyler Schouten.
  • AHLA—Health Care Antitrust: Meeting the Challenge, Virtual Program (May 2021) Jones Day Speaker: A. DeFilippo.
  • ACI—Forum on Managed Care Disputes and Litigation: How Health Insurers Should Approach Telehealth, Virtual Program (June 2021) Jones Day Speaker: David Kopans
  • NYCHBL—Value-Based Care Evolves: Understanding Direct Contracting & Medicare Advantage Options, Virtual Program (June 2021) Jones Day Speaker: David Kopans
  • NACVA Conference—Regulatory Overview for Valuation Professionals, Houston, Texas (June 2021) Jones Day Speaker: John Kirsner
  • 2021 EU Pharma Law Academy—Basic and Advanced Clinical Trials, Cambridge, UK (September 2021) Jones Day Speaker: Cristiana Spontoni
  • ACI—False Claims and Qui Tam Summit for Life Sciences and Healthcare, Virtual Program (September 2021) Jones Day Speaker: Rebecca Martin


Insights by Jones Day should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request permission to reprint or reuse any of our Insights, please use our “Contact Us” form, which can be found on our website at This Insight is not intended to create, and neither publication nor receipt of it constitutes, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.