Vital Signs Digital Health Law Update | Spring 2023
Note From the Editors
This edition of Vital Signs is filled with digital health developments from around the world. In Industry Insights, you'll see and hear from Alexis Gilroy and Claire Castles, each in a short video recorded for our Vital Signs audience. In our Federal and State sections, you'll read about breaking news from DEA announcing its submission of a draft temporary rule to OMB entitled: "Temporary Extension of COVID-19 Telemedicine Flexibilities for Prescription of Controlled Medications," the FTC's flurry of activity in the early months of 2023, the FDA's new digital health framework, two updates on accountability and security measures in artificial intelligence, and several state-level reports on telemedicine regulation. Don't miss the numerous updates from Europe and a summary of Brazil's first law permanently authorizing telemedicine. Thank you to our contributors who are committed to bringing you curated updates covering digital health developments of interest.
Lawyer Spotlight: Alexis S. Gilroy and Claire E. Castles
The end of the U.S. public health emergency on May 11, 2023, and the new temporary rule from the U.S. Drug Enforcement Administration addressing the prescribing of controlled medications via telemedicine are top of mind for the digital health industry. This month, we highlight two lawyers who are leading the Jones Day team on the important regulatory and operational impacts of these developments. Alexis S. Gilroy (Washington, co-leader of Health Care & Life Sciences) advises on complex digital health transactional, regulatory, and strategy matters for health systems, virtual care companies, technology organizations, pharmacy and retail leaders, life sciences businesses, medical device organizations, and investors across the United States and abroad. Claire E. Castles (Los Angeles, Health Care & Life Sciences) advises U.S. and international clients on programs and practices to advance regulatory compliance in the digital health arena, in addition to response strategies for novel and emerging public health threats, including COVID-19.
Industry Insights: The End of the PHE. Now What?
The federal COVID-19 public health emergency ("PHE") expires on May 11, 2023, and numerous and complex effects will follow. Watch Alexis Gilroy and Claire Castles discuss the end of the PHE and the Drug Enforcement Administration ("DEA")'s proposals for permanent telemedicine waivers. Please note that these recordings were made prior to DEA's announcement that it had submitted a draft temporary rule to OMB entitled: "Temporary Extension of COVID-19 Telemedicine Flexibilities for Prescription of Controlled Medications."
United States Developments
DEA to Extend Current Telehealth Flexibilities
On May 9, 2023, the DEA, jointly with the Substance Abuse and Mental Health Services Administration, or SAMHSA, announced the Temporary Extension of COVID-19 Telemedicine Flexibilities for Prescription of Controlled Medications (the "Temporary Rule"), effective May 11, 2023, through November 11, 2024. The Temporary Rule extends the full set of telemedicine flexibilities for prescriptions of controlled substances adopted during the COVID-19 public health emergency for six months (through November 11, 2023). Further, for any provider-patient telemedicine relationships established up to and through November 11, 2023, the full set of such telemedicine flexibilities will also be extended for one year (through November 11, 2024). The Temporary Rule follows the more than 38,000 comments the DEA received in response to its two proposed rules relating to prescriptions of controlled substances published in March (available here and here, with comments here and here). The DEA stated that during the Temporary Rule, it will "continu[e] to carefully evaluate the comments received" and "anticipates implementation of a final set of regulations permitting the practice of telemedicine under circumstances that are consistent with public health, safety, and effective controls against diversion[.]" The unpublished Temporary Rule (scheduled to be published on May 10, 2023) can be found here.
Federal Enforcement Trends: FTC Enforcement of Consumer Data Collection and Sharing
The early months of 2023 have seen a flurry of action from the Federal Trade Commission ("FTC") to restrict data collection and sharing by telehealth companies.
- In February 2023, the FTC announced an enforcement action against GoodRx, a digital health platform focused primarily on prescription drug discounts. This action is the agency's first under the Health Breach Notification Rule. The FTC alleged that GoodRx shared users' personal health information with advertisers and third parties including Facebook and Google, used personal health information to target ads to its users, and made false representations to its users about such activities. In response, the FTC and GoodRx entered into a proposed order, subject to federal court approval, that would prohibit the company from sharing health data for advertising purposes. The proposed order would also require the company to obtain customer consent for other personal health information sharing, seek deletion of such customer data in the hands of third parties, limit the retention of such customer data, and implement a new privacy program. GoodRx also agreed to pay a $1.5 million civil penalty.
- In early March, the FTC issued a complaint and proposed order, also subject to federal court approval, alleging that BetterHelp, an online counseling service, had shared consumer data with platforms such as Facebook and Snapchat for advertising purposes, despite representing to consumers that it would keep such information private. The agency also alleged that BetterHelp had used consumers' sensitive health information to target ads. Under the proposed order, the company would agree to pay $7.8 million in civil penalties, some of which would be used to provide refunds to users who registered and paid for BetterHelp services between August 2017 and December 2020. The order also requires BetterHelp to take other remedial steps mirroring those agreed to by GoodRx.
These actions signal close FTC scrutiny of telehealth companies' data collection, sharing, and retention practices, as well as a new interest in enforcement actions under the Health Breach Notification Rule.
Copyright Considerations When Using Generative AI
As detailed in a recent Jones Day Commentary, over the past few years, artificial intelligence ("AI") has dominated headlines, increasing awareness and intrigue about its promises and perils. Companies and individuals across different industries, including digital health, are turning to generative AI platforms to create new content, including marketing materials, source code, and more. The use of these platforms raises copyright and other IP issues, including ownership of output, infringement, legal protection, and training of AI. For example, users of generative AI tools should be aware of the Copyright Office's recently issued guidance and, in particular, consider that users may not be able to copyright the output solely based on supplying the prompt, and that a human-authored aspect to the work may be required. Industry stakeholders may also need to consider the applicable terms and conditions for use of AI tools and consider that users of generative AI tools do not necessarily own the output, which could potentially stem allegations that the output infringes on a third-party copyright.
Advancements on DCTs Through FDORA and Guidance on Conduct of DCTs
The Food and Drug Omnibus Reform Act of 2022 ("FDORA"), which was signed into law on December 29, 2022, as part of an omnibus appropriations bill (H.R. 2617), contains several provisions intended to promote diversity in clinical trials, encourage the use of decentralized clinical trials ("DCTs"), and modernize clinical trials.
Diversity in Clinical Trials. Among other items, FDORA requires the submission of diversity action plans for most sponsors (unless a waiver is granted), and indicates that sponsors may consider characteristics such as geographic location and socioeconomic status as part of the rationale for the sponsor's enrollment goals and explanation for how the sponsor intends to meet such goals. FDORA requires the secretary of the U.S. Department of Health and Human Services to issue new draft guidance or update existing draft guidance within 12 months—and finalize guidance within nine months of closing the comment period on such draft guidance—that provides details on how and when FDA will grant waivers, how sponsors can make modifications to diversity action plans, and public posting of diversity information.
Decentralized Clinical Studies. FDORA also requires the secretary to issue or revise draft guidance within one year—and finalize guidance within one year of closing the comment period on such draft guidance—that includes recommendations to clarify and advance the use of decentralized clinical studies to support the development of drugs and devices. On May 2, 2023, FDA released draft guidance entitled "Decentralized Clinical Trials for Drugs, Biological Products, and Devices." A "decentralized clinical trial" is "a clinical trial where some or all of the trial-related activities occur at locations other than traditional clinical trial sites." As required by FDORA, the guidance includes recommendations for how to advance the use of flexible and novel clinical trial designs and to help improve trial participant engagement, recruitment, enrollment, and retention of a meaningfully diverse clinical population. It further offers recommendations on topics such as the roles and responsibilities of the sponsor and investigators in a DCT, informed consent and institutional review board oversight in DCTs, and safety monitoring of trial participants in a DCT.
FDA Releases Framework on Digital Health Technologies
In March 2023, FDA issued the highly anticipated "Framework for the Use of Digital Health Technologies in Drug and Biological Product Development," which outlines a multifaceted approach to collaboratively address challenges that arise when incorporating digital health technologies ("DHTs") and DHT-derived data into regulatory decision-making. The framework is intended to guide activities, such as (i) defining objectives for workshops and demonstration projects; (ii) developing methodologies for evaluating DHTs proposed as measuring key endpoints or other important measures in clinical trials; (iii) managing submissions with extensive and continuous data; and (iv) developing a standardized process for data management and analysis of large datasets from DHTs.
The framework comes as a result of the latest version of the Prescription Drug User Fee Act, PDUFA IV, signed into law as part of the FDA User Fee Reauthorization Act of 2022, wherein FDA committed to establish a framework that will guide the use of DHT-derived data in regulatory decision-making for drug and biological products. Further, FDA committed to conducting a series of public workshops on DHT policy (the first of which was held March 28-29, 2023, to explore the challenges and opportunities related to the use of DHTs in clinical trials during the drug development process, focusing on actigraphy and other sensor-based measurements), undertaking at least three issue-focused demonstration projects, and updating guidance on prescription drug use-related software. FDA will also enhance its IT capabilities in support of the review of DHT-generated data, and expand and enhance relevant and related FDA technical expertise.
Federal Enforcement Trends: Telehealth Prescribing of Controlled Substances
On February 24, 2023, the DEA announced a pair of new proposed rules governing the prescription of certain controlled substances via telemedicine, and solicited public comment on said rules for 30 days. The proposed rules are designed to take effect on or before the COVID-19 PHE expires on May 11, 2023. During the PHE, providers were permitted to prescribe controlled substances using telehealth platforms alone. The new rules would require providers to conduct an in-person examination with patients before prescribing Schedule II controlled substances, such as Adderall, Oxycodone, Ritalin, and Vicodin, as well as Schedule III-V narcotics. Under the proposed rules, providers may prescribe an initial 30-day supply of Buprenorphine and Schedule III-V non-narcotics through telehealth, but are required to conduct an in-person examination before prescribing any further refills. Given the pandemic-era rise in the use of telehealth for ADHD treatment, these rules could create significant disruption for patients and telehealth companies alike. Telehealth companies may need to reconfigure their telehealth offerings to reflect these regulations if they go into effect.
FDA Granted Authority to Establish Premarket Cybersecurity Requirements for "Cyber Devices"
The Consolidated Appropriations Act, 2023 (Omnibus) amended the Federal Food, Drug, and Cosmetic Act by adding section 524B Ensuring Cybersecurity of Devices, thereby granting the U.S. Food and Drug Administration ("FDA") the authority to establish premarket cybersecurity requirements for cyber devices. A "cyber device" is a device that includes software validated, installed, or authorized by the sponsor as a device or in a device; has the ability to connect to the internet; and contains any technological characteristics that could make it vulnerable to cybersecurity threats. While the law took effect on March 29, 2023, the requirements do not apply to an application or submission submitted to FDA before this date. FDA also issued a final guidance on March 29, 2023, outlining its "refuse to accept" policy related to the new requirements and reiterating its intent to work collaboratively with sponsors as part of the interactive or deficiency review process.
After March 29, 2023, manufacturers are required to: submit a plan to monitor, identify, and address cybersecurity vulnerabilities and exploits; design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available postmarket updates and patches to the device and related systems; and provide a software bill of materials. As resources available to manufacturers, FDA's Cybersecurity in Medical Devices Frequently Asked Questions references the 2014 guidance "Content of Premarket Submissions for Management of Cybersecurity in Medical Devices," the 2016 guidance "Postmarket Management of Cybersecurity in Medical Devices," and the October 2021 National Telecommunications and Information Administration Multistakeholder Process on Software Component Transparency document "Framing Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM)."
SEC Advances Three Cybersecurity Rule Proposals to Public Comment
On March 15, 2023, the U.S. Securities and Exchange Commission ("SEC") voted to propose three cybersecurity measures. If adopted, these proposed rules would (i) enhance protection of customer information under Regulation S-P; (ii) add new requirements addressing cybersecurity risk to the U.S. securities markets; and (iii) expand the types of entities covered by Regulation SCI. Specifically, the SEC's proposed amendments would require firms to notify individuals affected by certain data breaches within 30 days and extend safeguards and disposal rules to cover customer nonpublic personal information. Comments on each proposal will be accepted for 60 days following publication in the Federal Register. Companies should continue to monitor proposed rules and ensure that their controls and disclosure practices are compliant before these rules go into effect.
Department of Commerce and Office of the National Coordinator for Health Information Technology Request Comments on AI System Accountability Measures and Policies
The National Telecommunications and Information Administration ("NTIA") of the U.S. Department of Commerce announced it is requesting public comments on AI system accountability measures and policies. The request for comment focuses on regulatory and other measures to facilitate reliable evidence demonstrating the legality, efficacy, and trustworthiness of AI systems. NTIA seeks comments on questions, including those related to:
- The purpose of AI accountability mechanisms (e.g., certifications, audits, and assessments);
- Recommended trust and safety testing by AI developers and their clients;
- Data access generally necessary for audits and assessments;
- Regulator and other actor efforts to facilitate AI system accountability and credibility; and
- Recommended differing approaches in various industries, including health care.
Written comments must be received on or before June 10, 2023.
Department of Health and Human Services and Office of the National Coordinator for Health Information Technology Announce Proposed Rules for AI in Health Care
On April 11, 2023, the U.S. Department of Health and Human Services ("HHS")'s Office of the National Coordinator for Health Information Technology announced proposed rules for AI developers in health care seeking HHS certification. While such certification is voluntary, it is often required in public and private health care settings. The proposed rules require/include:
- Health IT developers to disclose categories of data informing algorithms;
- Health IT developers to use the Electronic Health Record Reporting Program;
- Certain limits to exceptions to a rule barring providers from refusing to share patient data;
- Software developers to implement risk management practices and real-world testing plans;
- Expanded standards for the exchange of patient medical data; and
- Request for feedback on pharmacy interoperability and lab data interoperability.
The proposed rules were published on April 18, 2023, and comments will be accepted until June 20, 2023.
OIG Releases Toolkit on Analyzing Telehealth Claims
As previewed in our last issue, the Department of Health and Human Services Office of Inspector General ("OIG") issued a Telehealth Toolkit to arm providers with tools for analyzing telehealth claims to identify "program integrity risks." Similar to the Telehealth Special Fraud Alert that OIG issued in July 2022, the Toolkit focuses on seven data analysis measures that providers can apply to their own data. These include billing a high proportion of the highest, most expensive levels of telehealth services; billing a high average number of hours of telehealth services per visit; billing telehealth services for a high number of days in a year or for a high number of patients; frequently billing multiple payors for the same telehealth service; frequently billing for a telehealth service and then ordering medical equipment; and frequently billing for both a telehealth service and a facility fee. For each measure, OIG recommends an approach to analyzing the data and identifies the threshold that OIG uses for its own analysis, which it notes that each provider can adjust for its individual purposes. Providers may find the Toolkit helpful in developing useful safeguards and identifying (and addressing) any noncompliant billings.
California Settles With The Pill Club to Resolve Claims of Improper Billing and Prescribing Practices
On February 7, 2023, the state of California announced an $18.3 million settlement with online reproductive health pharmacy The Pill Club ("TPC") to resolve allegations that TPC engaged in improper Medi-Cal billing and excessive prescribing between 2016 and 2022. The settlement includes $15 million to resolve claims under the state's False Claims Act and $3.3 million to resolve claims under the Insurance Fraud Prevention Act ("IFPA"). The California DOJ initiated the investigation in 2019 after two nurse practitioners formerly employed by TPC filed a complaint against the pharmacy, alleging the pharmacy submitted thousands of false claims to Medi-Cal for female contraceptive products. Three years later, the state moved to intervene as to both the state FCA and IFPA claims. According to the settlement, TPC's allegedly fraudulent practices included billing for (i) excessive amounts of contraceptives not requested by patients and in excess of medical necessity, (ii) asynchronous telemedicine medical visits improperly coded as synchronous visits, and (iii) prescriptions dispensed from an unlicensed out-of-state pharmacy. This settlement reflects the increased scrutiny that federal and state agencies have placed on digital health providers and pharmacies following the COVID-19 pandemic.
State Medicaid Coverage for Telehealth Post-PHE
As the end of the federal PHE approaches—and with it, the end of many temporary regulatory and statutory flexibilities—states are moving to react to the changing telehealth landscape. While some states have already taken steps to strengthen telehealth coverage—New Hampshire, for instance, passed telehealth parity legislation in 2020 that applies to Medicaid and private payers—other states are currently exploring such changes. For example, the Alaska Department of Health has proposed regulations that would continue COVID-19 telehealth flexibilities for Medicaid, and bills introduced in Michigan and New Jersey would require payment parity for telehealth by private payors. In Wisconsin, the newly expanded definition of "telehealth" and guaranteed permanent coverage for currently covered services provided through telehealth and functionally equivalent to in-person visits for Medicaid members will take effect the first day of the first month after the PHE terminates. In light of these changes and the fact that the Kaiser Family Foundation reports that 32 states either implemented in fiscal year 2022 or plan to implement in fiscal year 2023 fee-for-service Medicaid telehealth policy expansions (12 states report fee-for-service Medicaid telehealth policy limitations), this is an evolving area to watch for changes. In a fact sheet published in February 2023, the Centers for Medicare & Medicaid Services "encourages states to continue to cover Medicaid and CHIP services when they are delivered via telehealth" after the PHE ends.
Idaho Passes New Virtual Care Access Act
On March 21, 2023, Idaho passed its new Virtual Care Access Act (H.B. No. 162), which will become effective July 1, 2023. The bill will amend Idaho's existing law to make it easier to render telehealth in the state by changing or replacing certain requirements for providing "virtual care." Of note, the new statute:
- Utilizes a broad modality-neutral definition for "virtual care," namely "an umbrella term that encompasses terms associated with a wide variety of synchronous and asynchronous care delivery modalities enabled by technology, such as telemedicine, telehealth, m-health, e-consults, e-visits, video visits, remote patient monitoring, and similar technologies," and
- Includes specific continuity of care obligations, including that (i) the provider or a member of the provider's group is available for follow-up care to those receiving services via virtual care and (ii) such patients are provided with a method to contact the provider of record for the service.
Ohio Medical Board Adopts New Telehealth Rules
On February 8, 2023, the State Medical Board of Ohio voted to adopt new telehealth rules, which went into effect February 28, 2023. Numerous comments were received from industry participants and are available in the Rules & Policy Packet from the board's February 2023 meeting. The board created a Telehealth Rules Document to highlight the changes that have been implemented. Of note, in addition to setting out specific practice standards, the board rules require specific continuity of care obligations, including for patients for whom a health care professional determines that a telehealth visit will not meet the standard of care and for patients who need emergency care.
Utah Repeals Online Prescribing Act
On March 15, 2023, Utah's Online Prescribing, Dispensing, and Facilitation Licensing Act ("Online Prescribing Act"), U.C.A. 1953 § 58-83-101 et seq., was repealed by 2023 Utah House Bill 152, effective May 3, 2023. Removing this little-utilized—and often confusing—statute, which is limited to a specific set of virtual care offerings utilizing a questionnaire format, streamlines the continuing separate Utah telehealth statute.
Advanced Practice Registered Nurse Compact Updates
The Advanced Practice Registered Nurse Compact ("APRN Compact"), which would allow APRNs to hold one multistate license with privileges to practice in other compact states, was adopted in August 2020. The APRN Compact becomes effective when seven states join. As of April 2023, Delaware, North Dakota, and Utah are the first states to join the APRN Compact, with legislation pending in Arizona, Hawaii, Kentucky, Maryland, Montana, New York, and Texas.
Updates to Practice and Prescribing Authority for APRNs in Utah and Kentucky
Effective May 3, 2023, Utah provides full independent practice authority to APRNs with the passage of Utah Senate Bill 36 on March 14, 2023.
On March 23, 2023, Kentucky Governor Beshear signed Kentucky Senate Bill 94, effective June 29, 2023, establishing "Collaborative Agreement for the Advanced Practice Registered Nurse's Prescriptive Authority for Nonscheduled Legend Drugs," or CAPA-NS, and "Collaborative Agreement for the Advanced Practice Registered Nurse's Prescriptive Authority for Controlled Substances" ("CAPA-CS"), which would allow APRNs to prescribe controlled substances independently without a CAPA-CS after four years, provided certain requirements are met.
Texas Considers Legislation on APRN Supervision
Pending state legislation (Texas House Bill 3567), introduced on March 6, 2023, would (i) require utilization of alternative physician supervision during any period where the supervising physician is more than 75 miles from the APRN's practice location and (ii) reduce the number of APRNs that a physician may supervise from seven to five.
European Medical Device Coordination Group Publishes Position Paper on "Hybrid Audits"
In December 2022, the Medical Device Coordination Group ("MDCG") published the MDCG position paper on "hybrid audits," which outlines the MDCG's position on the possible use of hybrid audits by notified bodies under Regulation (EU) 2017/745 on medical devices ("MDR") and Regulation (EU) 2017/746 on in vitro diagnostic medical devices ("IVDR"). The MDCG is composed of representatives of all Member States and is chaired by a representative of the European Commission.
The position paper defines hybrid audits as "an audit on the premises of the manufacturer or its supplier(s) and/or subcontractor(s) with at least one auditor present on the premises and other members of the audit team participating from elsewhere using information and communication technologies." The position paper provides three clarifications with respect to how hybrid audits can be used under the MDR and the IVDR:
- "The presence of the auditor(s) on the auditee's premises and of the other members of the audit team can last either from the opening meeting to the closing meeting or for a portion of that time."
- "A conformity assessment activity included in the audit plan can be carried out either on the auditee's premises, from elsewhere or simultaneously from the auditee's premises and elsewhere. The auditee should be involved in any case."
- "When establishing their audit plan, notified bodies need to make sure that they plan sufficient time to audit the relevant processes on the auditee's premises and identify and clearly document which parts of the conformity assessment activities are carried out on the auditee's premises or using ICT."
During the global COVID-19 pandemic, traditional auditing methods were disrupted in part by travel restrictions. Since then, auditors and auditees have become accustomed to the use of information and communication technologies during audits (in accordance with MDCG guidance, i.e., MDCG 2020-4 Guidance on temporary extraordinary measures related to medical device notified body audits during COVID-19 quarantine orders and travel restrictions and MDCG 2020-17 Questions and Answers related to MDCG 2020-4).
Certain conformity assessment procedures under the MDR and the IVDR require the notified body to carry out audits of the manufacturer's quality management system on the manufacturer's premises, both for the initial assessment and for periodic surveillance. MDCG advised that hybrid audits can be used under the MDR and the IVDR where notified bodies determine such hybrid audits would contribute to conducting the conformity assessment in a timely and efficient manner in compliance with the Regulations (MDCG 2022-14 Transition to the MDR and IVDR—Notified body capacity and availability of medical devices and IVDs).
United States and European Union Sign Collaboration Agreement for Research on AI, Computing, and Related Privacy-Enhancing Technologies
On January 27, 2023, the European Commission announced that the United States Department of State and the Directorate-General for Communications Networks, Content and Technology, or DG CONNECT, of the European Commission signed the "Administrative Arrangement on Artificial Intelligence for the Public Good." The arrangement aims to strengthen the cooperation between the European Union and the United States on AI and computing in an effort to address global challenges. This increased research cooperation aims to aid in the identification and development of promising AI research results that have potentially broad societal benefits in areas including climate change, natural disasters, health and medicine, electric grid optimization, and agriculture. While the announcement reports that AI boosts medical research, diagnostics, and treatment, the pandemic also highlighted the divide between countries. To reduce this divide, this arrangement will also aim to share findings and resources with international partners. The arrangement will be implemented by relevant U.S. and EU institutions and agencies working in this area.
European Commission, European Medicines Agency, and Heads of Medicines Agencies Publish Q&A on the Protection of Commercially Confidential Information and Personal Data While Using CTIS
On March 27, 2023, the Commission, European Medicines Agency ("EMA"), and Heads of Medicines Agencies ("HMA") published a Questions & Answers document on the protection of Commercial Confidential Information and Personal Data while using CTIS ("Q&A").
On January 31, 2022, the European Clinical Trials Regulation (Regulation (EU) No 536/2014) ("CTR") entered into application. The CTR introduces the Clinical Trials Information System ("CTIS"), which aims to increase the transparency and availability of information on clinical trials. Starting from January 31, 2023, all applications for clinical trials conducted in the EU must be submitted through the CTIS, and in principle, all data submitted will be publicly accessible. However, the CTR foresees grounds justifying confidentiality, including the need to protect "Commercially Confidential Information" ("CCI") and personal data in accordance with the GDPR. When applying for clinical trial authorization, a sponsor can use either a redaction or a deferral mechanism. Under the redaction mechanism, the sponsor submits an unredacted document version "not for publication" in addition to the redacted version "for publication." Under the deferral mechanism, the sponsor can delay the publication of clinical trial data and documents in order to protect CCI for some time.
CCI is not defined in the CTR. On April 8, 2022, EMA issued a draft guidance document on how to approach the protection of personal data and commercially confidential information in documents uploaded and published in the Clinical Trial Information System ("CTIS"), which aims to facilitate a common understanding of CCI. The draft guidance defines CCI as "any information contained in the clinical trial application, or provided during the trial life-cycle, which is not in the public domain or publicly available, and where disclosure may undermine the legitimate economic interest or competitive position of the clinical trial sponsors or marketing authorisation applicants/holders." The draft guidance provides examples of CCI (e.g., detailed information on the manufacturing of the active substance, information related to future development plans, etc.) and a nonexhaustive list of information not considered CCI (e.g., information that can be derived from the public domain, administrative information, nonclinical-related information, and some types of clinical information).
The Q&A provides further clarity to CTIS users on how to make use of the deferral mechanism (e.g., justification for deferrals), how to protect personal data (e.g., where names of individuals are expected to be included), and how to protect CCI (e.g., how Member States will ensure that CCI is not inadvertently published).
The principles of this Q&A will be incorporated in the aforementioned EMA guidance once finalized.
European Medicines Agency Announces Pilot for Scientific Advice for Certain High-Risk Medical Devices
On February 27, 2023, EMA announced a pilot project provided by medical device expert panels aimed at giving scientific advice on the intended clinical development strategy and proposals for clinical investigation of certain high-risk medical devices. Manufacturers can submit their letter of interest to be part of the pilot on scientific advice, and the expert panels will provide free advice to 10 selected applicants on their clinical development strategy and/or proposals for clinical investigation.
European Medicines Agency and Heads of Medicines Agencies Publish Big Data Steering Group 2022 Report
On January 9, 2023, EMA and HMA published the Big Data Steering Group ("BDSG") 2022 report. The BDSG is a joint task force of EMA and HMA to describe the big data landscape from a regulatory perspective and to identify practical steps for the European medicines regulatory network to make best use of big data in support of innovation and public health in the EU.
This report is based on the second BDSG workplan. The workplan had previously identified 11 big data priority recommendations for BDSG. The 2022 report summarizes the key activities and achievements of the BDSG for each of these priority recommendations. These recommendations, together with some of the key activities performed in 2022, include:
- Deliver a sustainable platform to access and analyze health care data from across the EU: DARWIN EU, the Data Analysis and Real-World Interrogation Network, welcomed its first data partners. DARWIN EU enables EMA and national competent authorities in the European medicines regulatory network to use real-world evidence from across Europe on diseases, populations, and the uses and performance of medicines. The first data partners—including hospitals, primary care, health insurance, registries, and biobanks—provided EMA and the EU regulatory network with access to more than 26 million patients' data. Furthermore, the first four DARWIN EU studies were initiated to support the EMA scientific committees.
- Establish an EU framework for data quality and representativeness: The first draft EU data quality framework for medicine regulation was launched for public consultation. This framework sets out the criteria for a more consistent and standardized approach to the quality of data used in medicine regulation and is intended to facilitate more focused recommendations for specific data domains.
- Enable data discoverability: The first metadata list for real-world data sources and studies was published to improve transparency with regard to the discoverability of data sources and real-world studies.
- Develop EU Network skills in big data: Providers of big data training, including on pharmacoepidemiology and on real-world data evidence, were selected.
- Strengthen EU Network processes for big data submissions: A number of pilot projects aimed at generating real-world evidence for use cases through the product life-cycle of medicines were progressed with the EMA scientific committees.
- Build EU Network capability to analyze big data: The EMA Committee for Medicinal Products for Human Use ("CHMP") raw data pilot was launched, exploring the practicalities of analyzing raw trial data in marketing authorization applications. Furthermore, network experts started to draft an AI reflection paper, which will cover regulatory aspects of AI and machine learning, including the impact on assessing the benefit/risk in medicine development and authorization.
- Modernize the delivery of expert advice: The EMA CHMP established the Methodology Working Party ("MWP"). The MWP is composed of European experts nominated by CHMP members and aims to pool and use expertise in key areas, such as biostatistics, modelling and simulation, pharmacokinetics, pharmacogenomics, and real-world evidence. The MWP's tasks include: (i) providing product-related support when requested by the EMA committees and the Scientific Advice Working Party; (ii) engaging with stakeholders, including international regulators, associations of pharmaceutical companies, and patient and health care professional organizations; (iii) preparing, reviewing, and updating guidelines and concept papers; and (iv) providing training and workshops to assessors. The first workplan for MWP was finalized in 2022.
- Ensure data are managed and analyzed within a secure and ethical governance framework: The BDSG participated in a review of the EU Network data governance, which includes review of the mandates of the BDSG and EU Network Data Board.
- Collaborate with international initiatives on big data: An International Coalition of Medicines Regulatory Authorities ("ICMRA") workshop was held for regulators to share experience in obtaining and using real-world evidence for the assessment of medicines. As an output from the workshop, ICMRA issued a statement on international collaboration on RWE in regulatory decision-making, which highlighted the opportunity for international collaboration in certain areas.
- Create an EU Big Data Stakeholder Implementation Forum: The third EMA/HMA Big Data Stakeholder Forum was held virtually in December 2022, offering stakeholders the opportunity to provide feedback and their perspectives on implementation regarding the big data priority recommendations and workplan.
- Veterinary recommendations: The European Veterinary Big Data strategy 2022-2027 was published describing challenges and opportunities that digital transformation offers in that domain.
Speech of European Commissioner on the Revision of the EU Pharmaceutical Legislation
On March 13, 2023, the European Commissioner for Health and Food Safety Kyriakides delivered a speech on the "Revision of the EU pharmaceutical legislation: Addressing challenges, seizing opportunities."
As part of the EU pharmaceuticals strategy, and drawing lessons from the COVID-19 pandemic, the European Commission plans to evaluate and reform the EU's general legislation on medicines for human use to ensure a future-proof and crisis-resistant medicines regulatory system.
In her speech, the commissioner recalled the six aims of the reform:
- Ensure that all Europeans can access both innovative and established medicines when needed.
- Ensure that the EU pharmaceutical industry can innovate and remain globally competitive.
- Address shortages of medicines and boost the security of supply, including through stronger obligations on supply and transparency of stocks and earlier notification of shortages, with greater EMA involvement.
- Make medicines more environmentally sustainable, considering the impact of pharmaceutical production in the authorization processes and environmental risk assessments in authorization dossiers.
- Create ambitious tools to combat antimicrobial resistance, including through measures to stimulate new antimicrobial products and prudent use. Accordingly, the EU is considering transferable exclusivity vouchers for the development of novel antimicrobials under strict conditions and procurement mechanisms for access to new and existing antimicrobials guaranteeing revenue regardless of sales volumes.
- Bring simplification, regulatory modernization, and digitalization through a leaner regulatory environment for investment with simplified and faster marketing authorization procedures, stronger support for promising medicines, and better use of data and digitalization.
Following the speech, the European Commission released on April 26, 2023, among other things: (i) Proposal for a Regulation laying down Union procedures for the authorisation and supervision of medicinal products for human use and establishing rules governing the European Medicines Agency; (ii) Proposal for a Directive on the Union code relating to medicinal products for human use; (iii) Communication on Pharmaceutical Reform and Antimicrobial Resistance; and (iv) Commission proposal for a Council Recommendation on stepping up EU actions to combat antimicrobial resistance in a One Health approach. An overview of the published documents can be found here.
Health Emergency Preparedness and Response Authority Agrees With the European Centre for Disease Prevention and Control and the European Medicines Agency to Strengthen Cooperation on Health Emergency Preparedness and Response
On March 14, 2023, the European Commission announced that its Health Emergency Preparedness and Response Authority ("HERA") and the European Centre for Disease Prevention and Control, as well as HERA and EMA, have agreed to strengthen cooperation and to coordinate their work in support of health emergency preparedness and response in the area of medical countermeasures. The agreement aims to reduce overlaps and promote efficient use of resources. The areas of collaboration are, among others:
- Promoting advanced research and development of medical countermeasures and related technologies; and
- Identifying vulnerabilities and strategic dependencies within the EU related to the development, production, procurement, stockpiling, and distribution of medical countermeasures.
European Commission Publishes Clinical Practice Guidelines and Clinical Decision Support Tools Program for European Reference Networks
On March 7, 2023, the European Commission published the clinical practice guidelines and clinical decision support tools program for European Reference Networks ("ERNs"). ERNs are virtual networks bringing together health care providers across Europe to tackle complex or rare medical conditions that require highly specialized treatment and a concentration of knowledge and resources. The purpose of the program is to provide assistance to the ERNs and their health care providers in the process of development, appraisal, and implementation of clinical practice guidelines and clinical decision support tools, taking into account objectives and criteria under the Directive 2011/24/EU on patients' rights in cross-border health care and relevant implementing measures and procedures.
Adoption of the Extended Deadlines for Compliance with MDR and IVDR and Publication of Q&A on Practical Aspects Related to the Implementation
On March 15, 2023, the European Parliament and Council adopted Regulation (EU) 2023/607 of 15 March 2023 amending Regulations (EU) 2017/745 and (EU) 2017/746 regarding the transitional provisions for certain medical devices and in vitro diagnostic medical devices. The regulation extends the period during which devices compliant with the old EU legislation on medical devices can continue to be placed on the EU market. The regulation also eliminates any "sell-off" restrictions for devices legally placed on the market during the transition time (see also Jones Day Commentary, "EU Commission Proposes Extended Deadlines to Comply with the Medical Device Regulation and In Vitro Diagnostic Regulation" and Vital Signs Digital Health Law Update | Winter 2023). The Regulation entered into force on March 20, 2023.
On March 27, 2023, the European Commission published a Q&A on practical aspects related to the implementation of Regulation (EU) 2023/607 amending Regulations (EU) 2017/745 and (EU) 2017/746 with regard to the transitional provisions for certain medical devices and in vitro diagnostic medical devices. The Q&A aims to facilitate the implementation of the adopted regulation with regard to the transitional provisions. The Q&A covers, among other things, the scope of the extension, the conditions to be fulfilled to benefit from the extended period, and the devices which will benefit from the removal of the sell-off date.
Publication of Quick Guide on the Rules and Procedures of the Clinical Trials Regulation
On January 30, 2023, the Clinical Trials Coordination and Advisory Group published a quick guide for sponsors on the rules and procedures of the EU Clinical Trials Regulation ("CTR"). The quick guide explains the main rules and procedures of the CTR for sponsors who wish to conduct clinical trials (national and multinational) in the EU/European Economic Area or have ongoing clinical trials in this region.
The quick guide highlights specific legislation for clinical trials on advanced therapy medicinal products and covers, among other things:
- Whether a clinical study qualifies as a clinical trial on a medicinal product under the CTR;
- Some of the key principles of the CTR (e.g., a single EU application with a single clinical trial dossier and a prior national authorization of the clinical trial application);
- The transition period of the CTR;
- Required steps before starting a clinical trial (e.g., the registration of the user, medicinal product, and organization);
- Required steps during a clinical trial (e.g., safety surveillance);
- Required steps post-clinical trial (e.g., notification via the CTIS and archiving obligations); and
- Transparency requirements (e.g., how to protect CCI and personal information).
ENISA Publishes Report on Personal Data Sharing in the Health Sector
On January 27, 2023, the EU Agency for Cybersecurity ("ENISA") published the report "Engineering Personal Data Sharing—Emerging Use Cases and Technologies." The report analyzes specific use cases relating to personal data sharing, primarily in the health sector, and details how specific technologies and considerations of implementation can support data protection. Specifically, it highlights challenges of personal data sharing in the health sector and demonstrates how to meet data protection principles through specific technologies and techniques. For instance, the report considers attribute-based encryption and proxy re-encryption as means to guarantee a user-controlled data sharing approach. Furthermore, with regard to the management of electronic health records by health care providers, the report discusses polymorphic encryption and pseudonymization as an approach to ensure that only authorized health service providers will have access to personalized information.
European Commission Publishes Updated Rolling Plan on Implementation of Regulation on Health Technology Assessment
On April 4, 2023, the European Commission published the "Updated Rolling Plan—Implementation of Regulation on Health Technology Assessment." The Regulation on Health Technology Assessment ("HTAR") aims to expand the availability of vital and innovative health technologies through the efficient use of resources and strengthening the quality of health technology assessment across the EU. It establishes a coordination group of HTAR national or regional authorities and a stakeholder network, setting forth rules on the involvement in joint clinical assessments and joint scientific consultations of patients, and clinical and other relevant experts. The rolling plan contains a list of key activities that the European Commission has carried out or intends to carry out in preparation for the implementation of the HTAR. The rolling plan is subject to regular review to provide national authorities and stakeholders with the most updated information.
Reminder of the Belgian Federal Agency for Medicines and Health Products of Homologation Requirements for Prescription Software Suppliers
On March 2, 2023, the Belgian Federal Agency for Medicines and Health Products and National Institute for Health and Disability Insurance reminded prescription software suppliers of a number of homologation requirements for the order of presentation and selection of medicinal products and nonmedicinal products. In particular, prescription software suppliers are required to use the national database on medicines ("SAM," authentic source of medicines) as a data source to prescribe medicinal products for outpatient care.
French Data Protection Authority Issues Guidance on Health Databases
On March 2, 2023, the French Data Protection Authority ("DPA") published a guide on how to distinguish "database warehouses" and "research databases" for health data. The guide indicates that data controllers must determine, at the point of creation, whether a database containing health data will perform several processing operations (i.e., a warehouse) or whether it is a research, study, or ad hoc evaluation. Furthermore, the guide indicates that the legal regime differs based on the use case scenario. Specifically, the use of data warehouses requires either (i) the collection of explicit consent from the data subject or (ii) a commitment of the data controller to comply with the DPA's repository relating to the processing of personal data for the purpose of creating data warehouses in the health sector. If a data controller fails to fulfill the aforementioned conditions, it must request an authorization from the DPA to create a data warehouse. In any case, the data controller must conduct a data protection impact assessment.
French DPA Outlines Enforcement Priorities for 2023
On March 15, 2023, the French DPA announced its enforcement priorities for 2023. The enforcement priorities include access to electronic patient records in health care institutions and user tracking by mobile applications. With regard to access to patient records, the DPA clarified that, in recent years, the DPA and the ministry in charge of health have exchanged a great deal of information on health data security (e.g., general policy on the security of health information systems, shared medical file, etc.) as an issue that the DPA often encounters and which concerns all health establishments. According to the DPA's announcement, the scope of the DPA's audits will include all measures put in place to ensure data security.
Irish DPA Issues Fine on Health Care Service Provider for Insufficient Security Measures
On January 23, 2023, the Irish DPA issued a €460,000 fine on a health care service provider for inadequate data security measures following a data breach. The health care service provider experienced a ransomware attack affecting patient data held on its patient administration system. The attack led to access to, unauthorized alteration of, and loss of availability of personal and special category personal data of 70,000 data subjects. The DPA found that the company had failed to ensure that the personal data was processed in a manner that guaranteed appropriate security of the personal data.
Italy Signs Contract for a National Telemedicine Platform
On March 8, 2023, the Italian Agency for Regional Health Services signed a contract allocating resources for a national telemedicine platform (as part of the National Recovery and Resilience Plan). The platform is intended to provide health care professionals with new validated tools to operate, increase patient access to treatments and services, and reduce pressure on hospitals and emergency departments overloaded with a large number of requests affecting their availability to deliver health care services to those who are most in need.
Norwegian DPA Issues Fine on U.S. Medical Devices Company for Failure to Notify a Data Breach in Time
On March 8, 2023, the Norwegian DPA issued a fine of approximately €220,000 on a medical devices company for failing to timely notify the DPA of a data breach (i.e., within 72 hours after having become aware of the data breach). The company experienced an incident affecting the personal data of all of its employees in Europe. The DPA found that the company had become aware of the data breach at least 67 days before the notification.
The Nîmes Court of Appeals Declares a Health Data Hosting Contract Null and Void Due to Certification Issues
In a December 15, 2022, decision, the Nîmes Court of Appeals declared null and void a contract between a private nurse and a software company for subscription to a software used for transmission of treatment sheets. The court ruled that the contract had an "illicit purpose" because neither the software company nor its subcontractor in charge of data hosting had received proper certification to host health data (Certification des hébergeurs de données de santé). Under French law, providing health data hosting services without proper accreditation from specialized certification bodies such as COFRAC is punishable with a heavy criminal fine (€225,000 for legal entities). This decision shows that in addition to criminal fines and other regular data protection-related sanctions, providing services of hosting health data without proper certification could also result in annulment of contracts.
The CNIL Publishes Guidance on Requesting Authorization for Use of Health Data for Medical Research Purposes
On February 6, 2023, the French Data Protection Authority (the "CNIL") published a new guidance on the procedure of obtaining the CNIL's permission to use health data for the purposes of medical research. The new guidance reminds medical research organizations that any use of personal health data for medical research requires undergoing prior formalities with the CNIL, with the exception of medical research using data collected first-hand from patients and used exclusively for the said patients ("in-house research"). The guidance further explains that if a research project fully conforms to the CNIL's publicly available framework kits (référentiels), the requesting entity only needs to submit to the CNIL a declaration of conformity. In any other case, organizations need to send an authorization request directly to the CNIL or submit it through the CNIL's health data platform. In the authorization request, organizations need to detail both legal and technical elements of the planned project. The guidance also recommends organizations annex a data impact assessment to the authorization request.
The CNIL Issues a Warning to Two Medical Research Organizations for Failure to Conduct a Data Protection Impact Assessment
On March 13, 2023, the CNIL published a press release about a warning issued to two medical research organizations for noncompliance with health data-related requirements. In the press release, the CNIL points out that the organizations had not conducted a data protection impact assessment before processing personal data for medical research—a requirement for processing any personal health data for medical research purposes. In addition, the CNIL found that the information sheets provided to the persons participating in the research were incomplete and falsely claimed that the data would be anonymized when, in fact, the data would only be pseudonymized.
Brazil Enacts Law Permanently Authorizing Telemedicine
Brazil has enacted its first law permanently authorizing telemedicine. Previously, responsible authorities, including the Brazilian Federal Council of Medicine ("CFM"), the Ministry of Health, and Congress provided little guidance regarding telemedicine. In 2018, the CFM proposed a resolution to govern telemedicine, only to revoke it in 2019. With the COVID-19 pandemic, the CFM issued an official letter followed by a Ministry of Health Rule authorizing telemedicine for continuing existing treatment. Subsequently, Congress enacted Law No. 13.989 of April 15, 2020, that, for the first time, explicitly permitted, during "the crisis occasioned by the coronavirus (SARS-CoV-2)," the use of telemedicine. In April 2022, the CFM issued Resolution No. 2,314 (the "2022 CFM Resolution") further regulating the practice of telemedicine, requiring that legal entities providing services of telemedicine, platforms of communication, and archiving of information be headquartered in Brazil and registered with the Regional Council of Medicine for the state in which the legal entity is headquartered.
Former President Jair Bolsonaro signed Law No. 14,510 of December 27, 2022, to replace the prior temporary authorization. It adjusts Law No. 8.080 of September 19, 1990, to authorize and regulate not just the practice of telemedicine but the broader area of telehealth, which is defined as "the modality of providing health services from a distance, by means of the utilization of information and communications technology, that involves, among other items, the secure transmission of health information, by means of text, sound, images or other adequate forms." Though the practice of medicine is regulated by the Regional Councils of Medicine of each state, the law states that acts of a health professional in the modality of telehealth will have validity in all of Brazil. Although the new law does not entirely align with the 2022 CFM Resolution, it incorporates many of the resolution's concepts, such as a health professional's right to exercise independent judgment in conducting treatment (including whether the first consultation with a doctor can be by telehealth). The statute also incorporates other concepts from the 2022 CFM Resolution, such as by emphasizing that patient consent for any telehealth session must be clear and all personal health information must be kept confidential and handled in accordance with relevant laws, including the Brazilian General Data Protection Law.
Recent and Upcoming Speaking Engagements
Cristiana Spontoni, EU Pharmaceutical Law Forum, Key Updates on for Behavioural Advertising through the Internet: New Developments for Cookies and Google Analytics, May 2023
Stefan Schneider, Emily Tait, Laurent De Muyter, Carl A. Kukkonen III, JONES DAY TALKS®: The Rise of AI Regs: Approaches from the European Union and United States, April 2023
Guillermo Larrea, Mark Rasmussen, Alex Wilson, Mauricio Paez, Dr. Jörg Hladjk, Dorothy Giobbe, Ted Chung, Sixth Annual Latin American Privacy and Cybersecurity Symposium, April 2023
Laura Laemmle-Weidenfeld, HCCA, 2023 Compliance Institute: Telehealth: The Past, Present, Future, April 2023
Gerry Griffith, AHLA, Health Care Transactions 2023, April 2023
Emily Tait, John Froemming, Carrie Kiedrowski, Carl A. Kukkonen III, U.S. Copyright Office Launches New Artificial Intelligence Initiative, March 2023
Marta Delgado Echevarría, Rebecca Swindells, JONES DAY PRESENTS®: Harmonizing Global Protections: The EU Trade Secret Directive, March 2023
Jennifer Bennett, Patricia Campbell Ph.D., Rita Yoon, Women in IP Speaker Series: Can You Keep a Secret? Choosing between Patent Protection and Trade Secret Protection, March 2023
Po-Chien Chen, JONES DAY PRESENTS®: Taiwan's Enhanced Trade Secret Restrictions and Stricter Penalties, March 2023
Steven Zadravecz, JONES DAY PRESENTS®: Enhancing Trade Secret Protection in Remote Work Environments, March 2023
Laura Laemmle-Weidenfeld, AHLA, Medicare and Medicaid Institute: Hot Topics in Fraud and Abuse, March 2023
Ann Hollenbeck and Gerry Griffith, Michigan Bar, Michigan Health Law Institute, Federal Regulatory Update, March 2023
Gerry Griffith, TEGE Council, Annual Meeting, IRS Audits, March 2023
Thomas Bouvet, JONES DAY PRESENTS®: Trade Secret Audits: Enhanced Mapping, Protecting Access and Creating Understanding, February 2023
Haifeng Huang, Po-Chien Chen, JONES DAY PRESENTS®: The Challenges of Defending Trade Secrets in China, February 2023
In Case You Missed It
Generative AI Generates Excitement—and Copyright Concerns
Iowa Becomes Sixth State to Enact a Comprehensive Data Privacy Law
Generative Artificial Intelligence and the Requirements of Open Source Software Licenses
FDA Takes Long-Awaited Action on Labeling Plant-Based Milk Alternatives
Pocket Guide to the Unitary Patent and Unified Patent Court
Better Together: U.S. and EU Enter Artificial Intelligence Collaboration Agreement
COVID-19 Key EU Developments, Policy & Regulatory Update No. 98
COVID-19 Key EU Developments, Policy & Regulatory Update No. 97
The Silicon Valley Bank Failure: Cash Management and Risk Oversight
SEC Fines Company $3 Million for Allegedly Misleading Cyberattack Disclosures
Consumer Health Information and Increased Scrutiny: FTC Brings First Action Under Health Breach Notification Rule
Can EU Operators of Online Marketplaces be Held Liable for Trademark Infringement?
U.S. National Institute of Standards and Technology Releases AI Risk Management Framework
Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our “Contact Us” form, which can be found on our website at www.jonesday.com. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.