Vital Signs Digital Health Law Update social gra

Vital Signs Digital Health Law Update | Winter 2023

Note From the Editors

We bring you Vital Signs, a curated, one-stop resource on the most notable digital health law updates from our U.S. and global contributors. In Industry Insights, our lawyers take an in-depth look at the bulletin issued by the U.S. Office for Civil Rights in December 2022 on HIPAA-covered entity obligations when using tracking technologies on websites and mobile applications. The legal framework regarding the use of tracking technologies continues to evolve rapidly, necessitating careful evaluation and continued strategic thinking to promote compliant practices. In our Federal and State sections, you'll read highlights of significant U.S.-based developments. And for our readers with interests in Europe, don't miss the numerous important updates from European jurisdictions. Thank you to our contributors who are committed to bringing you curated updates covering digital health developments of interest.

Lawyers Spotlight:

This month, we highlight the three lawyers who authored our Industry Insights feature story on HIPAA guidance on third-party tracking technologies. 

Becky Kcehowski (Business & Tort Litigation, Pittsburgh) is a litigator who regularly defends putative class actions, including digital data privacy cases against health care providers; and advises clients regarding protective online terms and conditions, including arbitration clauses and liability limitations.

Heather O’Shea (Health Care & Life Sciences, Chicago) has over 20 years’ experience representing clients across the health and life sciences industry in government enforcement actions and litigation, including in matters concerning clinical decision support tools and digital platforms.  

Mauricio Paez (Cybersecurity, Privacy & Data Protection, New York) has over 20 years’ experience advising clients on health care privacy and security issues, including matters involving telehealth, medical devices, and other digital health products and services.

Industry Insights

Office for Civil Rights HIPAA Guidance: Tracking Technologies on Provider Websites and Mobile Applications

By Rebekah Byers Kcehowski, Heather O’Shea, and Mauricio F. Paez

In December 2022, the Office for Civil Rights of the Department of Health and Human Services(the "Department") issued a bulletin (the "Bulletin") focusing on covered entities' obligations under HIPAA when using third-party tracking technologies on their websites and mobile applications. The Department defines "tracking technology" very broadly to include "a script or code on a website or mobile app used to gather information about users as they interact with the website or mobile app," such as cookies and pixel tags. The Department presented the Bulletin as a clarification that covered entities and their business associates can use tracking technologies only in accordance with HIPAA and applicable regulations. In doing so, the Department provided a notably broad interpretation of how covered entities obtain individually identifiable health information ("IIHI") (a subset of protected health information) when using such tracking technologies and interacting with individuals online or via mobile apps. According to the Department, this includes data collection using such technologies on public-facing websites and mobile app services where the interaction relates to health conditions or services, even if the user is not a confirmed patient of the provider.

Specifically, the Department notes that certain information collected on a regulated entity's website or mobile app, including IP address, geographic location, or other unique identifying code—even where there is no existing individual-entity patient relationship, and even if unrelated to specific treatment or billing information—may be protected IIHI. This would include, for example, when an individual visits a provider's public website area to make an appointment, search for information on health conditions, or request specific medical instructions, etc. The Department states that all such IIHI "collected on a regulated entity's website or mobile app generally is PHI[.]"  According to the Department, this is because the information connects the individual to the regulated entity and therefore "is indicative that the individual has received or will receive health care services or benefits from the covered entity[] and thus relates to the individual's past, present, or future health or health care or payment for care."

This interpretation is significant for covered entities and their business associates that support websites and mobile apps, and that utilize tracking technologies in such complex environments. For example, tracking and conversion information collected in connection with digital marketing (e.g., data to assess user engagement and experience, community outreach, and general digital marketing campaigns) may now be subject to HIPAA's privacy and security rules— even where there is no specific engagement for health services. Further, third parties that support these efforts and process such data need to review their compliance with these rules as business associates, which includes requiring that mandatory business associate agreement terms or individual authorizations be implemented before such sharing. Failure to address the obligations may result in a potential breach notification to the U.S. Department of Health and Human Services and the affected individuals, among other related obligations.

In light of the Bulletin, entities should consider the following: 

  • Conduct a complete inventory of where tracking technologies are used when providing digital/online services, whether to patients or the general public. For example, in which sites and apps are trackers being used? Is the tracker a first-party (covered entity) or third-party (marketing partner) cookie? The covered entity should inventory and map all tracking technology, the purpose for the tracker, who controls it, what information is being collected, and whether and why the information is being shared with a third party
  • If IIHI is involved, and the covered entity shares the information with a third party (either directly or indirectly), is such sharing and subsequent use by the third party subject to a business associate agreement?
  • Can the IIHI be de-identified or rendered generic as permitted under HIPAA before sharing (i.e., before any sharing)?
  • Does the covered entity's "notice of privacy practices" required under HIPAA take into account the collection and use of IIHI from tracking data for health care operations and marketing? Are updates to the notice of privacy practices or online privacy policies necessary?
  • If the entity is a "hybrid entity" under HIPAA—has the entity mapped out the trackers based on these two separate functions and whether the use of shared systems and support environments complicate these issues?
  • Are there other third-party technologies and tools that the covered entity should adopt to facilitate compliance, including under a business associate agreement? This may reduce the risk of unauthorized disclosures of such information and facilitate ongoing compliance with HIPAA regulations.
  • Do the terms of the covered entities' privacy policy and terms of use adequately disclose the use of these tracking technologies and the information that is collected, and do they properly limit or mitigate the liability risks associated with these practices? There are relatively straightforward terms that can be incorporated into these provisions, with notice banners and disclaimers, that can provide companies with significant protections against litigation.
  • Is the presentment of the privacy policy, legal terms and disclaimers, and other terms properly accepted, recorded, and acknowledged to put users on notice and demonstrate user consent to these practices?

The legal framework regarding the use of tracking technologies continues to evolve rapidly, necessitating careful evaluation and continued strategic thinking to promote compliant practices.

United States Developments


Federal Government Extends Certain Medicare Telehealth Reimbursement Flexibilities

On December 29, 2022, President Biden signed into law the Consolidated Appropriations Act, 2023, extending certain Medicare telehealth reimbursement flexibilities first implemented in response to the COVID-19 public health emergency until December 31, 2024, regardless of when the public health emergency ends. Specifically, the Act extends waivers that (i) remove geographic and originating site requirements typically applicable to Medicare telehealth services, allowing payment for telehealth services provided to beneficiaries located in their homes, anywhere in the United States (not just rural areas); (ii) expand the types of practitioners eligible to provide and be reimbursed for Medicare telehealth services to include occupational, physical, and speech language therapists, as well as audiologists; (iii) allow for continued coverage and payment for certain telehealth services furnished using audio-only telecommunications; and (iv) delay the in-person visit requirements associated with payment for mental health services furnished through telehealth. Congress had previously extended these waivers for 151 days following the end of the declared public health emergency.

Other waivers implemented by federal agencies have not been further extended by Congress. For example, OCR waivers (allowing use of certain remote communication technologies that may not be HIPAA-compliant) and DEA waivers (allowing providers to prescribe Schedule II-V controlled substances via telemedicine, so long as certain requirements are met) expire at the end of the declared public health emergency. Likewise, CMS has implemented additional waivers that have their own associated expiration dates. For example, the flexibility allowing "immediate availability" for purposes of providing direct supervision to be achieved via telecommunications expires the end of the year in which the public health emergency ("PHE") ends, and the flexibility extending coverage and payment for telehealth services listed on the Medicare Telehealth Services List on a temporary basis expires 151 days after the end of the PHE. On January 30, 2023, the Executive Office of the President announced that the current plan is to end the PHE on May 11, 2023. 

PRAC Publishes Report on Increased Telehealth Use During the Pandemic and Associated Program Integrity Risks

In December 2022, the Pandemic Response Accountability Committee ("PRAC") Health Care Subgroup issued a report on the nature and use of telehealth during the first year of the COVID-19 pandemic and emerging risks associated with increased telehealth usage. Led by the HHS Office of Inspector General ("OIG"), the report reflects data from selected programs across six federal agencies, including Medicare, TRICARE, and the Federal Employees Health Benefits Program, among others. The report emphasizes the importance of ensuring the benefits of telehealth are realized while minimizing the risk of fraud, waste, and abuse.

The report identified a number of program integrity risks associated with an increase in telehealth usage, such as high-volume billing, duplicate claims, and inappropriate charges for the most expensive level of telehealth services. While the PRAC acknowledged that the programs have some existing safeguards to oversee telehealth services, it concluded that additional controls could strengthen program integrity and ensure accurate payments. For example, programs could: (i) conduct additional monitoring of telehealth services; (ii) enhance efforts to educate providers and individuals about telehealth services; (iii) collect additional data related to telehealth services; and (iv) develop additional billing controls to prevent inappropriate payments.

The report likely reflects topics that OIG will be particularly attuned to in 2023 and may suggest an increased use of data in informing administrative or enforcement actions. It also underscores the importance of a robust compliance program for telehealth organizations and providers.

DOJ Continues Scrutiny of DME and Genetic Testing Billed Via Telemedicine

Last fall, the United States Department of Justice ("DOJ") continued to pursue enforcement actions against providers across the country who allegedly fraudulently billed Medicare for unnecessary durable medical equipment ("DME") and/or genetic testing ordered in the absence of a physician-patient relationship and without a basis to determine that the items and services were medically necessary.

Between September and October of 2022, DOJ announced convictions in three almost identical fraudulent arrangements. One Kentucky doctor admitted to ordering medically unnecessary DME and genetic testing in exchange for kickbacks from telehealth companies. DOJ alleged that the doctor had no physician-patient relationship with the Medicare beneficiaries and often never spoke with them. Nonetheless, he prescribed braces commonly used for knees, ankles, shoulders, and the back and neck. He also ordered tests for inherited genetic variants that are associated with an increased risk of cancer. A Washington doctor also admitted to accepting kickbacks in connection with medically unnecessary genetic testing provided to patients with whom he had no physician-patient relationship. That doctor's only contact with each beneficiary was a brief phone call initiated by telemarketers. Notably, his telemedicine consults were billed to Medicare in addition to the genetic testing. Lastly, an Ohio doctor admitted to charges of accepting kickbacks in return for her prescription of unnecessary genetic testing, DME, and pain creams. DOJ alleged that she improperly relied on representations from telemedicine companies that qualified employees had properly screened beneficiaries. She made no inquiry or investigation of her own to ensure the services were medically necessary.

Telehealth companies and providers should be aware that DOJ continues to direct its attention in their direction. All parties should monitor their activities to ensure the valid formation of a physician-patient relationship and the medical necessity of prescribed items and services. These prosecutions also underscore the need for providers to make an independent investigation of medical necessity as opposed to relying on third-party representations.

DOJ Announces Conviction of Pharmacy Investor for "Recycling" Prescriptions

On September 27, 2022, a Florida pharmacy investor admitted to his role in a scheme to pay illegal kickbacks and bribes to telemarketers and telemedicine providers in exchange for their work recruiting Medicare beneficiaries and prescribing them unnecessary medications (mainly topical creams). The prescribing physicians signed orders after cursory telephone conversations with beneficiaries or no contact at all. Murphy and his co-conspirators sometimes submitted claims for reimbursement through multiple pharmacies they owned in a practice DOJ referred to as "recycling."

OIG to Release Toolkit on Analyzing Telehealth Claims

In January 2023, OIG announced that its work plan would include the release of a toolkit to provide information for public and private sector partners about analyzing claims data for telehealth services. OIG indicated that this toolkit was being issued as a follow up to its 2022 data brief on Medicare Telehealth Services During the First Year of the Pandemic: Program Integrity Risks (OEI-02-20-00720). The toolkit is expected to be issued during fiscal year 2023. 

In Final Guidance, FDA Casts A Wide Net Over Clinical Decision Support Software

In September 2022, the U.S. Food and Drug Administration (the "FDA") issued long-awaited final guidance describing the agency's approach to regulating clinical decision support software ("CDS") as medical devices under the Federal Food, Drug, and Cosmetic Act. When enacting the 21st Century Cures Act in 2016, Congress moved to limit FDA's regulatory authority in this space by carving out certain categories of software functions from the statutory definition of a medical device. To describe its interpretation of the exclusion criteria as it applies to CDS, FDA first issued draft guidance in 2017 and then again in 2019, which was the focus of much regulatory debate. In the final version of this guidance, FDA appears to depart from previous policy by (i) implementing heightened disclosure requirements for software output and labeling intended to allow a health care provider to "independently review" the basis for the recommendation, (ii) offering a more nuanced discussion of automation risk, and (iii) adopting a narrower interpretation of the exclusion criteria applicable to CDS functions. This paradigm arguably brings a broader sweep of medical software under the agency's jurisdiction than Congress intended and raises many questions about the impact of these changes on industry obligations, in particular for marketed software that may no longer qualify for exclusion under FDA's more demanding standards.


California Attorney General Initiates Novel Investigation Into Potential Racial and Ethnic Bias in Health Care Algorithms

As noted in a Jones Day Alert, on August 31, 2022, California Attorney General Rob Bonta delivered letters to 30 hospitals and health systems across California requesting information regarding commercial decision-making technology tools and their potential contribution to racially biased treatment and/or outcomes. While the Office of Attorney General acknowledges that there are many factors that contribute to disparities in health care access, quality, and outcomes, it believes that bias in decision-making tools and algorithms likely contributes to such disparities. In the OAG's view, unfair bias in violation of applicable California and federal non-discrimination laws is perpetuated if technologies systematically benefit certain patients relative to historically disadvantaged groups with comparable health care needs.

Rather than issuing subpoenas or civil investigative demands, the OAG instructed the selected hospitals and health systems to provide a list of the decision-making tools, products, software systems, and/or algorithmic methodologies currently in use that contribute to clinical decision support, operational optimization (e.g., office or operating room scheduling), population health management, or payment management. The OAG also requested information regarding the purposes for utilizing each tool/algorithm, how the tools/algorithms inform decisions, and any policies, procedures, training, or protocols related to their use. OAG requested that the 30 hospitals submit such information by October 15, 2022.

The OAG describes its information request as just the "first step." Attorney General Bonta was reelected on November 8, 2022. While the OAG's investigation appears to be one of the first of its kind, there will likely be continued scrutiny in this area, given increased industry focus on health equity. Hospitals and other health care facilities should consider (i) identifying and assessing utilized technologies for the possibility of a disparate impact in application; and (ii) evaluating guidelines and training to avoid potential unintended negative consequences to vulnerable patient groups.

California Privacy Protection Agency Modifies its Proposed Regulations Implementing Provisions of the California Privacy Rights Act

On November 3, 2022, the California Privacy Protection Agency ("CPPA") modified its proposed regulations implementing many California Privacy Rights Act ("CPRA") provisions. The initial proposed regulations were divided into nine substantive Articles and addressed a variety of topics, including consent, required privacy notices and disclosure to consumers, mandatory user opt-out signals, and provisions related to sensitive personal information. CPPA modified the regulations it had previously proposed. The most significant modifications consisted of new guidance for complying with CPRA's requirement that businesses minimize their personal information processing. The proposed regulations were also simplified for easier implementation.

A major compliance area for businesses is operationalizing new CPRA rights, including the right to correct inaccurate personal information and the right to limit use and disclosure of sensitive personal information. Businesses will need to consider updating their privacy policies and put process in place to enable consumers to exercise their rights in a timely manner as prescribed in the statute. The proposed regulations provide considerable guidance on how businesses should obtain consent from consumers and methods they may use to enable consumers to exercise such rights. The CPRA became effective on January 1, 2023. The rules are expected to be finalized in early 2023.

Kentucky Medical Board Amends Opinion on Telemedicine

The Kentucky medical board amended its opinion regarding Telemedicine effective September 15, 2022, determining that the Model Policy on the Appropriate Use of Telemedicine Technologies in the Practice of Medicine, adopted by the Federation of State Medical Boards in April 2022, constitutes the general standards of acceptable and prevailing medical practice relating to the practice of medicine via telemedicine technologies to the extent that it does not conflict with Kentucky law.

Maine Medical Board Revises Telehealth Regulations Relating to Telehealth Modality

Effective July 24, 2022, the Maine medical board—in conjunction with the osteopathic medical board and the nursing board—revised their regulations regarding telehealth to update definitions to comport with statutory text (modality neutral approach to telehealth). Notably, the regulations specifically acknowledge "audio-only" interactions as telehealth, stating "[w]hen necessary and appropriate under the circumstances and if in compliance with the applicable standard of care, telehealth includes the use of audio-only technology."

Mississippi Medical Board Regulations Differentiate Real-Time Telemedicine and Store-and-Forward Encounters

In August 2022, the Mississippi medical board adopted new regulations that include separate definitions for real-time telemedicine, remote patient monitoring, and "store-and-forward." The regulations further suggest that store-and-forward technology may "enhance" but "not replace" real-time interactions, placing further scrutiny on provider-to-patient encounters that do not utilize video.

New Hampshire Legislation Expands Telemedicine Definition

Effective August 3, 2022, new legislation defines "telemedicine" broadly to include synchronous (not limited to audio/video or interactive audio with store and forward) or asynchronous interactions. Prior legislation required a video visit to establish a provider-patient relationship via telehealth. Specifically, language which had been in place defining a physician-patient relationship as a medical connection between a licensed physician and a patient—that includes an in-person "or face to face 2 way real-time interactive communication," was deleted in the new legislation and replaced with: "that includes an in person exam or an exam using telemedicine, as [now more broadly] defined"—and not limited to video visits.

Oregon Board of Pharmacy Updates Regulations Regarding Prescriptions

In December 2022, the Board of Pharmacy finalized a regulation removing historic conflicts between Board of Pharmacy regulations restricting a physician from "writing prescriptions for medication resulting only from a sale or consultation over the Internet" with the broader telehealth statutory definitions allowing for multi-modality methods for telehealth services. The regulation now states that "[t]he prescription must be issued for a legitimate medical purpose by an individual practitioner acting in the usual course of their professional practice and issued pursuant to a valid patient-practitioner relationship. …" The new language codifies language that had been included in a Temporary Administrative Order during 2022.

Alaska Updates Telehealth Statutory Language

On July 14, 2022, Alaska Governor Mike Dunleavy signed new legislation (HB 265) clarifying in-person requirements for telehealth services by Alaska licensed providers and establishing options for services via telehealth by health providers licensed in other states. Specifically, the new legislation confirms that an Alaska licensed physician can provide telehealth services without first conducting an in-person examination. It remains to be determined how state regulators will implement the new statute, given current Alaska regulations prohibit a physician from providing treatment, rendering a diagnosis, or prescribing medications "based solely on a patient-supplied history that a physician … received by telephone, facsimile, or electronic format." The new legislation also allows for the provision of certain services through telehealth by a physician licensed in another state in certain circumstances (e.g., ongoing treatment or follow-up care to established patients and support for the diagnosis of life-threatening conditions); and establishes telehealth clarifications and authorizations for other types of health providers.

Idaho Reinstates Requirements Limiting Modalities

Prior real-time requirements to establish a provider-patient relationship waived during the public health emergency were reinstated, necessitating a "two-way audio or audio-visual interaction" to establish a provider-patient relationship. Separately, the Idaho legislature approved proposed agency rules to remove regulatory "practice standards" waived during the PHE, leaving only the statutory requirements regarding telehealth at this time (including the prior identified reinstated requirement).

Vermont Issues Statute Permitting Telehealth License or Registration for Out-of-State Health Care Professionals

Effective July 1, 2023, a new statute creates a process for health care professionals licensed and in good standing in another jurisdiction to provide telehealth services to patients in Vermont by obtaining a telehealth license or telehealth registration from the Vermont Office of Professional Regulation or the Vermont Board of Medical Practice. The telehealth license will allow an out-of-state health care professional to provide telehealth services to 20 patients in Vermont, and the telehealth registration will allow an out-of-state health care professional to provide telehealth services to 10 patients in Vermont for a period of not more than 120 consecutive days following the registration date.

Global Developments


European Commission Adopts Regulations Completing the European Health Union

The European Commission recently adopted three regulations as part of the European Health Union:

These three regulations are building blocks of, and complete, the European Health Union. The European Health Union, initially presented in 2020 as a reaction to the COVID-19 pandemic, aims to reinforce the EU's resilience for cross-border health threats by means legislation.

European Commission Publishes Proposals to Modernize Current Liability Rules

On September 28, 2022, the Commission published the Proposal for a Directive on liability for defective products, which aims to modernize the current rules based on strict liability of manufacturers. The proposal covers compensation of personal injury, damage to property, or data loss caused by unsafe products. For example, if adopted, the rules can allow compensation for damage when products like surgical robots are made unsafe by software updates. On the same day, the Commission published the Proposal for a Directive on adapting non contractual civil liability rules to artificial intelligence. This proposal aims to lay down uniform rules for access to information and alleviation of the burden of proof in relation to damages caused by artificial intelligence ("AI") systems, to establish broader protection for victims (be it individuals or businesses), and to foster the AI sector by increasing guarantees.

European Commission Proposes Extension of Deadlines for Compliance with MDR and IVDR

On January 6, 2023, the European Commission adopted a Proposal for a Regulation ("Proposal") extending the period during which, under the Medical Devices Regulation (Regulation (EU) 2017/745) ("MDR"), devices compliant with the EU legislation repealed by the MDR (namely, Directive 93/42/ECC for medical devices and Directive 90/385/ECC for active implantable medical devices) can continue to be placed on the EU market. In particular, under the proposed rules, the MDR would be amended so that certificates issued from May 25, 2017, which were still valid on May 26, 2021, and that have not yet been withdrawn, would remain valid until after the end of the period indicated on the certificate and in any case until: (i) 31 December 2027, for class III devices and for class IIb implantable devices, with some exceptions; or (ii) 31 December 2028, for class I devices marketed under sterile condition or having a measuring function, for class IIa devices, and class IIb devices not covered by (i). Under the current rules, these certificates would become void by May 27, 2024. Furthermore, it is proposed that devices which did not require the involvement of a notified body under the old rules, but do so under the MDR, and for which a declaration of conformity was drawn up prior to May 26, 2021, may be marketed or put into service until December 31, 2028. Under the current rules, this would instead be limited to May 26, 2024.

To benefit from these extended deadlines, products must comply with the old rules that were replaced by MDR (namely, Directive 93/42/ECC for medical devices and Directive 90/385/ECC for active implantable medical devices), may not have undergone significant changes in design and intended purpose, and may not pose an unacceptable risk to the health or safety of persons or public health. In addition, the manufacturer must implement a quality management system under the MDR, must submit a conformity assessment application with a notified body no later than May 26, 2024, and must sign an agreement with a notified body no later than September 26, 2024.

Similar extensions were already adopted in January 2022 as regards diagnostic medical devices covered by the In Vitro Diagnostic Regulation ("IVDR") (and previously regulated by Directive 98/79/EC). The Proposal also aims at removing the so-called "sell-off" deadline introduced under both the MDR and the IVDR, under which devices already in the supply chain had to reach their final user by a certain date. It is now proposed to eliminate such restriction, which means that once products are placed on the market (e.g., they are sold by the manufacturer to a distributor and sit on the distributor's shelves), no further time limitation to their selling-on (e.g., by the distributor to the end-user) will apply. Removing this limitation, according to the Commission, is aimed at avoiding unnecessary disposal of safe medical devices.

The Proposal has been widely welcomed by industry representatives, while not being immune from some criticism, including some uncertainty raised by its provisions. Certainly, the transition to the MDR and IVDR, which were adopted in 2017, has been plagued with uncertainty and delays. Many manufacturers are still not ready, and this leads to the risk of shortages of many devices in the EU, given the upcoming deadlines for compliance with the new rules and the fact that non-compliant devices will be banned. The Commission is hoping that the Proposal will help to avoid shortages of devices that could result from the slower transition to the new rules. The Proposal needs to complete its legislative journey, involving approval by both the European Parliament and the European Council, through an accelerated co-decision procedure before it can become law.

European Commission Publishes Proposal on Substances of Human Origin

On July 14, 2022, the Commission adopted a Proposal for a Regulation on standards of quality and safety for substances of human origin intended for human application aimed at repealing the Blood Directive (2002/98/EC) and the Tissues and Cells Directive (2004/23/EC). The Proposal intends to adapt the current legislative framework to the sectoral developments, addresses the scientific and technical state of the art, and aims to ensure that EU citizens have access to safe and effective blood, tissues, and cells.

The Proposal supports the provision of therapies with substances of human origin ("SoHO") while ensuring high levels of safety and quality and up-to-date technical standards; extends protective measures to new patient groups (i.e., donors, SoHO recipients and offspring of medically assisted reproduction); enhances harmonization between Member States, facilitating cross-border exchange of SoHO; requires Member States to have national SoHO emergency plans to guarantee continuity to access to therapies; and implements digital-ready policies contributes to the European Health Union by pooling expertise and achieving economies of scale.

The Proposal needs to be approved and adopted by the European Parliament and the Council to enter into force.

European Declaration on Digital Rights and Principles

On December 15, 2022, the Presidents of the European Commission, the European Parliament, and the Council signed the European Declaration on Digital Rights and Principles. The Declaration, initially presented in January 2022, covers the EU's commitment to a secure, safe, and sustainable digital transformation. Shaped around six chapters, the Declaration aims to guide policy makers and companies dealing with new technologies. The Declaration includes several commitments regarding health, such as to facilitate and support seamless, secure, and interoperable access across the EU to digital public health and care services, including electronic health records. The signature reflects the shared political commitment of the EU and its Member States to promote and implement the Declaration.

Publication of the 2022-2026 Workplan of Accelerating Clinical Trials in the EU

On August 30, 2022, the Commission, HMA, and EMA published the 2022-2026 workplan of the initiative Accelerating Clinical Trials in the EU ("ACT EU"), which lays out deliverables and timelines. In 2023, the focus will be, amongst other things, on the implementation of the Clinical Trial Information System ("CTIS") as part of the Clinical Trials Regulation (Regulation (EU) No 536/2014) and on modernizing the standards on good clinical practice.

New Recommendation on Decentralizing Clinical Trials in the EU

On December 13, 2022, the European Commission, the HMA, and the EMA published a Recommendation paper on decentralized elements in clinical trials. The recommendation paper is part of ACT EU and is intended to facilitate the use of decentralized elements in clinical trials, such as electronic diaries, wearables, phone calls, and online appointments. The paper includes general and specific considerations for when such decentralized elements are used in clinical trials. General considerations include ensuring the rights, safety, dignity, and well-being of trial subjects; adhering to the applicable EU and national laws and international standards; and designing the decentralized elements in order to guarantee the robustness and reliability of the collected data. More specific considerations include clearly defining the roles and responsibilities of the sponsor, investigator, and any party involved in the clinical trial; obtaining the clinical trial subjects' voluntary informed consent prior to participation in compliance with the applicable laws and international standards; completing a risk assessment where the investigational medicinal product is intended to be delivered or administered at the subjects' home; following specific considerations when any clinical trial procedure is taken outside of the clinical trial site; adopting appropriate measures to minimize the risk of erroneous data entry for data measured and entered directly by clinical trial subjects; adapting the monitoring strategy to the specificities of the clinical trial; and adopting additional measures with respect to confidentiality of data access and security of the systems when remote access to source data and documents is foreseen. In addition, the recommendation contains an overview of national provisions referring to the use of decentralized elements in clinical trials, which is expected to be updated on a continuous basis.

First Data Partners Selected as Part of DARWIN EU

On November 23, 2022, the EMA selected the first set of data partners to collaborate with DARWIN EU, the Data Analysis and Real-World Interrogation Network. DARWIN EU is a network that provides the European medicines regulatory network (consisting of EU national competent authorities, the EMA, and the Commission) with access to data analysis results from real-world health care databases across the EU whenever needed and supporting decision making throughout the medicine lifecycle. DARWIN EU will act as a pioneer of the European Health Data Space ("EHDS") and will ultimately connect to EHDS services.

The selected data partners will have access to real-world health care data (including data from hospitals, health insurance, biobanks, and disease-specific patient registries), and will provide the DARWIN EU Coordination Centre with their data analyses results. The goal is to add at least 10 new data partners each year. A call for expressions of interest for potential new data partners is planned in 2023.

New EMA Quality Innovation Expert Group

On November 21, 2022, EMA announced the establishment of a Quality Innovation Expert Group ("QIG") to support innovative approaches for the development, manufacturing, and quality control of medicines for the benefit of patients in the EU.

The QIG aims to ensure that the European medicines regulatory network keeps pace with innovation, identifies and addresses gaps in the regulatory framework, increases predictability for developers of innovative technologies, and facilitates communication within the EU regulatory network, between EU regulators and stakeholders, and with international partners. The QIG can also be involved when assessing medicines using innovative technologies in regulatory submissions for scientific advice, marketing authorization applications and post-authorization lifecycle changes.

Council of the EU adopts Recommendation for New Approach on Cancer Screening

On December 9, 2022, the Council of the EU adopted the Recommendation on strengthening prevention through early detection: A new EU approach on cancer screening replacing Council Recommendation 2003/878/EC. The Recommendation introduces new best practices to improve cancer screening and is part of a new EU Cancer Screening Scheme. The COVID-19 pandemic has disrupted health promotion and prevention programs, and negatively impacted access to early diagnosis and treatment of cancer.

The objectives of the recommendation are, among other things, to support the development of the EU-supported Cancer Screening Scheme ensuring that 90% of the EU population qualifying for breast, cervical and colorectal cancer screenings are offered screening by 2025; to share data on cancer screening, including through the EHDS; to extend breast cancer screening to women aged between 45 and 74; to prioritize cervical cancer screening by testing for the human papilloma virus for women aged 30 to 65 and to extend vaccination; to extend cancer screening programs to lung, prostate and gastric cancer; and to introduce novel cancer screening programs based on minimally invasive methods.

The recommendation encourages Member States to implement accessible cancer screening programs; to register and manage screening data using available centralized data systems compliant with data protection legislation; to monitor the process and outcome of organized cancer screening and quickly reporting the results; and to introduce promising novel screening tests when proven effective.

Belgium Closes Down Old Patient Leaflet Website and Introduces New Features in Online Medicines Database

On January 2, 2023, the Belgian Federal Agency for Medicines and Health Products ("FAMHP") announced the shutdown of the old website of patient leaflets. In the meantime, FAMHP has opened a new database which includes relevant information about all (human and veterinary) medicines which hold a marketing authorization, registration, parallel import authorization, or temporary use permit in Belgium. The database, updated daily, includes information about the patient leaflet, summary of product characteristics ("SmPC"), authorization, market status (e.g., commercialized, unavailable, etc.), and risk minimization activities and direct health care professional communication where applicable. A new feature allows to obtain a hyperlink that will permanently display the most recent version of the package leaflet and SmPC.

Belgium Prolongs Pilot Project on the Electronic Patient Information Leaflet

On August 17, 2022,, the Belgian trade association of the pharma sector, announced that the pilot project on the electronic version of the Patient Information Leaflet (e-PIL), launched on August 1, 2018, in Belgium and Luxembourg, will be prolonged until August 1, 2025, after having obtained positive intermediary results and permission of the Commission. In addition, the project will be extended in scope to cover medicines administered exclusively in the hospital.

PharmaScan BeLux VZW Launched

On July 1, 2022, and Medaxes announced the launch of PharmaScan BeLux vzw, a non-profit organization which will serve as a platform with the objective to collect and share reliable data on medicines delivered by pharmaceutical companies and distributors to health care institutions, such as hospitals. The data on the distribution will be available for use not only for the participating pharmaceutical companies but also for other stakeholders.

Irish Health Authority Publishes Guidance

In November, the Irish national health authority ("HPRA") published several sets of guidance concerning clinical studies. In particular, a Guide to Clinical Investigations Carried Out in Ireland; a Guide to Performance Studies Conducted in Ireland; and a Guide to Appeals under Cosmetic Product Legislation were published. In addition, HPRA published a new MDR and IVDR regulatory information page containing guidance on a number of topics, including medical device classification, European Union reference laboratories, etc. The page is meant for industry stakeholders, including manufacturers, authorized representatives, importers, and distributors working to implement the MDR and IVDR.

Italian Ministry of Health Publishes Guidelines on the Digital Model for Implementing Home Care

On April 29, 2022, the Italian Ministry of Health published organizational guidelines containing the "Digital Model for the implementation of home care." The organizational guidelines define a reference model for the implementation of different telemedicine services in the home setting, through the identification of innovative processes for taking care of the patient at home and the enhancement of multi-professional and multidisciplinary collaborations.

Italian Technical Committee of Human Technopole Publishes Outcome of Public Consultation to Identify Priorities of the National Life Sciences Community

On September 15, 2022, the Italian Technical Committee of Human Technopole published the final report on the public consultation to identify the priorities of the national life sciences community in terms of research infrastructure, as part of the focus of Human Technopole. Through the participation of the scientific and research community, three main areas were identified where there is a high demand for National Platforms: the omics domain (which includes genomics, single cell analysis technologies, etc.); the imaging domain (which includes molecular, cellular and tissue imaging techniques, etc.); and the data handling and analysis domain (which will support the other two domains through data flow design, first-level analysis, data storage and sharing with NP users, and, based on demand, database creation for the community).

Polish e-Health Development Program for 2022-2027

On October 20, 2022, the Polish Health Ministry published the last version of the e-Health Development Program for 2022-2027 ("Program"). The Program intends to develop tools supporting clinical decisions and to improve the effectiveness of diagnostics, by doing a better use of data and using artificial intelligence in the medical sector. It will involve central systems that will be developed, as well as systems of service providers, which will also be used by medical employees. The implementation of the Program will be done in three stages. In 2023, e-services supporting the patient and the health care system will be implemented nationally. In 2025, solutions supporting coordinated patient care will come into force. In 2027, the widespread use of solutions related to clinical decision support and telemedicine is expected.

Portuguese Ministry of Health Publishes the Strategic Plan: Seasonal Health Response – Winter 2022-2023

On November 23, 2022, the Portuguese Ministry of Health announced the Ministry of Health Strategic Plan: Seasonal Health Response – Winter 2022-2023. The ultimate objective of the plan is to reduce the occurrence of respiratory infections, the need for use of health care, the impact on the national health system's productivity, hospitalizations, and deaths. Specific objectives include the intention to strengthen the digital access of citizens and institutions to the National Health Service.

Spanish Government Allocates More Than 230 Million Euros to the Digital Transformation of Primary Care in the NHS

On August 11, 2022, the Spanish Health Ministry announced the allocation of more than 230 million euros to the digital transformation of Primary Care in the Spanish National Health System. The amount comes from the Recovery, Transformation and Resilience Plan. Funds began to be allocated in 2022 (70 million euros) and will continue during 2023 (160 million euros).

The projects to carry out the digital transformation of Primary Care are located in three functional areas of action, namely: (i) Digital Intelligent Health Center, aimed at providing digital services to primary care health centers with a holistic patient-centered approach (e.g., inter-consultation clinical information exchange solutions between primary and specialized care); (ii) Personalized Care, aimed at providing face-to-face and virtual services designed for groups of patients requiring personalized, continuous, and systematic care (e.g., digital interdisciplinary rehabilitation, the exchange of medical images or the intelligent ambulatory information system); and (iii) Digital transformation of the support services of the health care activity, aimed at promoting the digital transformation of non-care management services in their relationship with citizens (e.g., digital traceability of samples, cybersecurity for medical devices, or the platform for sharing studies with the patient).

The projects are being carried out by seven working groups at regional level that are under coordination of the Spanish Ministry of Health. Examples of specific projects are digitization of informed consent, digital traceability of samples, cybersecurity for medical devices, or the platform for sharing studies with the patient.

Dutch Ministry of Health Publishes Integral Healthcare Agreement

On September 16, 2022, the Dutch Ministry of Health published the Integral Healthcare Agreement ("IZA"), which aims to ensure good, accessible and affordable care for the future. To achieve this, agreements have been made between the Ministry of Health and a large number of parties in the health care sector. Signatories to the IZA include umbrella organizations of hospitals, mental health care and care for the elderly. The digitalization of health care is one of the key themes in the IZA. The IZA stresses that data exchange is essential to provide proper and safe health care. Electronic data exchange is, and should be, the standard in health care. In 2025, all residents of the Netherlands will have digital access to their own health care data via a Personal Health Environment. Appropriate care is also increasingly hybrid care—a mix of digital and physical. The starting points are: Do it yourself at home, if possible; and digital, if possible.

Health Insurers in the Netherlands Call for More Digitalization in Health Care

In November 2022, health insurers in the Netherlands announced their new prices for the year 2023, which went up significantly compared to 2022. Health care must be organized differently, according to the insurers. The insurers are also calling for more digitalization. They acknowledge that patients often enjoy routine checkups, but state that the health care system does not have the resources for this anymore. In any case, personal contact may have to be sacrificed in order to compensate for the large shortage of personnel in the health care sector.

French Health Authorities Publish New recommendations on the Cybersecurity of Medical Devices with Integrated Software

On September 23, 2022, the French National Agency for Medicines and Health Products Safety ("ANSM") published its first recommendations on the cybersecurity of connected medical devices and software qualifying as medical devices, together labelled as "medical devices integrating a software." In these recommendations, ANSM defines four main security criteria applicable to such medical devices: availability (i.e., ability to provide the intended service even under hostile circumstances), confidentiality, integrity, and auditability. Based on these criteria, ANSM provides both a methodology to assess cybersecurity-related risks for medical devices integrating a software as well as more than 60 recommendations to manage such risks at every main step of a medical device life-cycle (conception, development, distribution and use, post-market, end-of-life). According to ANSM, these recommendations are designed to constitute best practices mainly for manufacturers of medical devices integrating a software, so that they can adopt the necessary measures to prevent cyberattacks and data compromise, and ensure, for instance in the context of the mandatory CE marking process, that their medical device meet the general requirements as regards safety and performance set out in EU regulations.

ENISA Publishes Reports Addressing Cybersecurity in the Health Sector

On December 13, 2022, the EU Agency for Cybersecurity ("ENISA") published the "After Action Report of Cyber Europe 2022." The report compiles information about "Cyber Europe," i.e., a series of EU-level cyber incident and crisis management exercises to test the resilience of the European health care sector. The report identifies potential challenges and suggests recommendations, such as allocating commensurate budget and resources to cybersecurity teams to ensure cybersecurity resilience. Regular testing at local level was also recommended as best practice.

On November 3, 2022, ENISA published the threat landscape 2022 report. According to the report, there has been a large number of cyber incidents in the health sector in 2022, due to cases of either sensitive data being leaked or health services being unavailable. Moreover, basic web application attacks, miscellaneous errors and system intrusions represent the majority of data breaches occurring in the health care sector.

EMA & HMA Endorse Two Documents to Enhance Data-Driven Medicines Regulation

On October 10, 2022, the European Medicines Agency ("EMA") & the Heads of Medicines Agency ("HMA") endorsed the "draft Data Quality Framework for EU medicines regulation" and the "Good practice guide for the use of the Metadata Catalogue of Real-World Data Sources" for public consultation. The first document sets out quality criteria for data used in medicine regulation to ensure they are fit for purpose to support benefit-risk decisions. The second document is a draft good practice guide for the use of the EU metadata catalogue of real-world data sources. The guide is the first produced worldwide to focus on metadata to empower systematic integration of real-world evidence in medicines regulation.

European Data Protection Authorities Issue Fines in the Health Care Sector

In 2022, the European Data Protection Authorities ("DPA") issued fines and decisions in the health care sector against hospitals, polyclinics, and health care providers for violating GDPR requirements. For instance, the Swedish DPA imposed a fine of €154,000 against a hospital for having failed to implement technical and organizational measures to ensure an appropriate level of security. In Greece, the DPA issued a €30,000 fine against a diagnostic center for having failed to implement appropriate technical and organizational measures to ensure the security of personal data. The Belgian DPA imposed a fine of €20,000 against a medical analysis laboratory for having failed to carry out a Data Protection Impact Assessment, to inform data subjects correctly, and to implement appropriate measures to ensure the security of personal data. The Hungarian DPA imposed a fine of €193,000 on a company providing hearing aid technology for having carried out an unlawful processing of personal data.

German Data Protection Authority Issues Statement on the Use of e-prescriptions in pharmacies

On November 11, 2022, the German Federal Commissioner for Data Protection and Freedom of Information ("BfDI") issued a statement on the use of e-prescriptions in pharmacies. In particular, the BfDI noted that the planned interface of the systems retrieving e-prescriptions in pharmacies is not sufficiently secured according to the state of the art, and thus violates the GDPR. The BfDI also stated that it expects all relevant parties involved in e-prescriptions to have a secured system for collecting e-prescriptions by introducing the electronic health card by summer 2023. As such, the BfDI suggested to apply secure and convenient means of authentication, such as a PIN linked to the health card or electronic identity card.

German Data Protection Authority and German Society for Medicine Discuss Interplay between Data Protection and Medical Care

On October 20, 2022, the Hessen Data Protection Authority ("HBDI") and the Board of Directors of the German Society for Internal Medicine ("DGIM") met to explore possibilities on how data protection can interplay with medical care and research to improve the latter, by enhancing patients' trust. In particular, the DGIM highlighted the challenges faced by doctors when having to comply with data protection in practice, noting that uncertainty in dealing with data protection leads to obstacles in patient care and uncertainties in medical research. In this regard, the HBDI noted that both parties showed interest in continuing the exchange of ideas, with the aim of working towards more practice-oriented regulations.

UK Data Protection Authority Publishes Draft Guidance on Information Concerning Workers' Health

On October 27, 2022, the UK Data Protection Authority ("ICO") published a draft employment practices guidance regarding information about workers' health for public consultation. The draft guidance aims to provide practical guidance about processing health information of workers in accordance with data protection legislation and to promote good practice. The ICO also plans to produce additional practical tools (such as checklists) in order to support employment practices.

Recent and Upcoming Speaking Engagements

  • Laura Laemmle-Weidenfeld, AHLA - Medicare and Medicaid Institute: Hot Topics in Fraud and Abuse, March 2023
  • Ann Hollenbeck and Gerry Griffith, Michigan Bar, Michigan Health Law Institute - Federal Regulatory Update, March 2023
  • Laura Laemmle-Weidenfeld, PLI Hot Topics in Health Care Law 2022, Enforcement Trends in Health Care Law: Lessons Learned in 2022, December 2022
  • Rebekah Byers Kcehowski, James T. Kitchen, Mauricio F. Paez, John A. Vogt, Wiretapping Your Website: Implications of Popa v. Harriet Carter Gifts, Inc., December 9, 2022
  • Heather O'Shea, Cristiana Spontoni, Kyle A. Diamantas, Jones Day Webinar Series: Cross-Practice Issues in the Life Sciences, Health Care Regulatory: Trends and Issues in Enforcement and Whistleblower Claims, December 7, 2022
  • Meredith Wilkes, Anna Raimer, Megan McKeown, Women in IP Speaker Series: The 12 Days of Trademarks, December 6, 2022
  • Thomas A. Briggs, Christopher S. Hanfling, Edward T. Kennedy, Jones Day Webinar Series: Cross-Practice Issues in the Life Sciences, Tax: Taxes in Collaboration Agreements in the Life Sciences Industry, November 30, 2022
  • Laura Laemmle-Weidenfeld, Health Care Compliance Association, Health Care Enforcement Compliance Conference - Anatomy of a False Claims Act Case, November 2022
  • Taylor Goodspeed, Penn Law, Health Care Fraud, November 2022
  • Renaud Bonnet, Charles Chau, Peter E. Devlin, Giles P. Elliott, Vica Irani, Ferrell M. Keel, Jones Day Webinar Series: Cross-Practice Issues in the Life Sciences, Capital Markets: Preparing Your Life Sciences Company for an IPO, October 26, 2022
  • Jeremy P. Cole, Sarah A. Geers, Ka-on Li, Bing Liang, Ph.D., Jones Day Webinar Series: Cross-Practice Issues in the Life Sciences, Intellectual Property: Collaborating and Commercializing: Key IP Considerations for Life Sciences Companies, October 19, 2022
  • Dr. Jörg Hladjk, Mauricio F. Paez, Jones Day Webinar Series: Cross-Practice Issues in the Life Sciences, Cross-Practice Issues in the Life Sciences, Cybersecurity, Privacy, and Data Protection: Cybersecurity and Privacy Developments for Life Sciences Companies, October 12, 2022
  • Colleen Heisey, Food and Drug Law Institute, Medical Product Advertising & Promotion Conference - Recent Trends in Enforcement and Practical Examples to Ensure Compliance, October 2022
  • Marta Delgado Echevarría, Thomas Bouvet, Rebecca Swindells, Dr. Jörg Hladjk, Trade Secrets: How to Protect Your Business From Theft and Cyberattacks, September 8, 2022

In Case You Missed It

Insights by Jones Day should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request permission to reprint or reuse any of our Insights, please use our “Contact Us” form, which can be found on our website at This Insight is not intended to create, and neither publication nor receipt of it constitutes, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.