Vital Signs Digital Health Law Update social gra

Vital Signs: Digital Health Law Update | Fall 2023

Note From the Editors

We bring you Vital Signs, a curated, one-stop resource on the most notable digital health law updates from our U.S. and global contributors. In Industry Insights, our lawyers describe the increasingly common regulation of digital health privacy by states. These state laws are far reaching, impacting digital health providers that primarily operate outside of the enacting states. In our U.S. Developments section, you'll read about Drug Enforcement Administration ("DEA") developments related to controlled substance prescribing, updates from the U.S. Food and Drug Administration ("FDA") on digital health technologies, and several significant state regulatory updates. In our Global Developments section, we highlight noteworthy digital health-related updates throughout Europe. Thank you to our contributors who are committed to bringing you curated updates covering digital health developments of interest.

Industry Insights

States Increasingly Seek to Regulate Digital Health Privacy

On September 11, 2023, Delaware adopted the Delaware Personal Data Privacy Act, becoming the latest state to enact a comprehensive privacy statute. The law reflects a growing interest in privacy among state legislatures and follows the enactment of the Oregon Consumer Privacy Act on July 18, 2023. The Oregon and Delaware laws will become effective on July 1, 2024, and January 1, 2025, respectively. 

Five other states have recently enacted such laws that are or will be effective by the end of 2023 (California, Virginia, Colorado, Connecticut, and Utah). Additionally, another five states have passed comprehensive privacy laws that will come into effect after 2023 (Iowa, Indiana, Tennessee, Montana, and Texas). These laws are far-reaching, impacting even those digital health providers that primarily operate outside of the enacting states. For example, in many circumstances, the California Consumer Privacy Act applies to businesses for which the only nexus to California is the online sale of products to California residents. While generally the laws do not apply to companies' Health Insurance Portability and Accountability Act ("HIPAA")-regulated activities, they have broad implications for companies handling health data not protected by HIPAA and participating in non-HIPAA protected activities. Because current federal privacy laws, such as HIPAA, are limited in scope and application, and because the American Data Privacy Protection Act—a comprehensive federal privacy law intended to preempt state law—remains long pending before the U.S. Congress, state laws currently pose the broadest, most complex compliance challenges and risks for digital health companies' non-HIPAA regulated activities.

One example of such a state law is Washington's My Health My Data Act (the "Act"), the first comprehensive consumer health information privacy law. Though not effective until March 31, 2024, the Act requires applicable entities, among other things, to: (i) publish a consumer health data privacy policy; (ii) obtain consumers' affirmative consent before collecting or sharing consumer health data; (iii) provide consumers with certain health data rights; (iv) maintain reasonable data security practices; and (v) enter into a written contract with processors relating to their use of consumer health data. The Act also makes it unlawful to implement a geofence (i.e., a virtual perimeter for a real-world geographic area) around an entity that provides in-person health care services in order to identify or track consumers seeking health care services, collect consumer health data, or send notifications to consumers related to their consumer health data or health care services. 

The implications of these requirements and prohibitions are far-reaching for several reasons. First, the law applies to all non-HIPAA regulated persons and businesses that: (i) conduct business in Washington or produce or provide products or services to Washington consumers; and (ii) collect, process, share, or sell consumer health data. Second, "consumer" is broadly defined to include not only Washington residents, but also any person "whose consumer health data is collected in Washington." And third, "consumer health data" is broadly defined to include any personal information that is reasonably linkable to the consumer's physical or mental health status. While the Washington Attorney General may enforce violations of the Act, the Act also provides consumers with a private right of action. 

Although Washington is the first state to enact a comprehensive consumer health information privacy law, at least 25 U.S. states and territories generally treat health data as personal information, the breach of which could trigger legal notification obligations under state law. Many states, such as Connecticut, require compliance with state notification requirements even if an entity is already HIPAA compliant. To complicate matters further, many state comprehensive privacy laws treat health-related information as "sensitive" information, requiring further protection of such data. In these instances, entities often must obtain affirmative consent before collecting or processing such data. While compliance risks and obligations depend on a variety of complex factors, it is undeniable that health-related information is and will continue to be heavily regulated by state laws frequently implicating out-of-state businesses. As such, companies must remain diligent to maintain compliance in this rapidly evolving legal landscape. 

United States Developments


DEA Extends Telehealth Prescription Waiver Through 2024

The DEA and the U.S. Department of Health and Human Services ("HHS") have jointly extended through the end of 2024 exceptions to DEA regulations that permit authorized prescribers to prescribe certain controlled substances to patients via telemedicine without having an in-person evaluation of the patient. In a temporary rule published to the Federal Register on October 10, 2023, the DEA and HHS stated that this extension will allow stakeholders, including patients, practitioners and pharmacists, sufficient time to prepare for the implementation of any future regulations the agencies issue regarding the prescription of controlled substances via telemedicine. 

This is the second time that the agencies have extended the exceptions permitting the prescription of certain controlled substances via telemedicine without an in-person patient visit. In March 2020, the DEA granted temporary exceptions to the Ryan Haight Act and its implementing regulations, initially permitting DEA-registered prescribers to write prescriptions for Schedule II through Schedule V substances via telemedicine without an in-person office visit. On March 1, 2023, in anticipation of the expiration of the COVID-19 Public Health Emergency on May 11, 2023, the DEA and HHS issued two Notices of Proposed Rulemakings soliciting public comments on the prescription of controlled substances via telemedicine without an in-person office visit and the induction of buprenorphine via telemedicine. After having reviewed the comments received, and on the eve of the expiration of the Public Health Emergency (May 10, 2023), the agencies issued the first extension of the exceptions to the Ryan Haight Act, permitting authorized prescribers to continue to prescribe controlled substances without an in-person office visit until November 11, 2023. Additionally, for those patients for which the patient-practitioner relationship was formed on or prior to November 11, 2023, the first extension allowed the telemedicine prescribing flexibilities to apply through November 11, 2024. After hosting two Telemedicine Listening Sessions on September 12 and 13, 2023, and in response to "the need to further evaluate the best course of action given the comments received in response to the [Notices of Proposed Rulemakings]," the agencies determined that a second extension of the exceptions to the Ryan Haight Act is necessary to "ensure a smooth transition for patients and practitioners that have come to rely on the availability of telemedicine for controlled medication prescriptions" and to provide time to practitioners to comply with any new standards the agencies may publish. The second extension allows practitioners to prescribe controlled substances for new patients through December 31, 2024.

DEA Considers Comments Advocating for Special Registration That Would Permit Telemedicine Prescriptions of Controlled Substances Without In-Person Patient Evaluation

The DEA, which Congress has twice instructed to establish a special registration process for telemedicine prescriptions of controlled substances, stated in an August notice of meeting for the Telemedicine Listening Sessions held on September 12 and 13, that it "is open to considering—for some controlled substances—implementation of a separate Special Registration for telemedicine prescribing for patients without requiring the patient to ever have had an in-person medical evaluation at all." In response, in early September, ATA Action (the American Telemedicine Association's affiliated trade organization) submitted recommendations to the DEA regarding such a special registration process.

In its recommendations, ATA Action recognizes the DEA's responsibility to prevent diversion of controlled substances but seeks to balance that responsibility with "the need to ensure patient access to care." The following seven recommendations made by ATA Action are rooted in two principles: (i) clinical practice should not be limited by non-clinical decisionmakers; and (ii) telehealth is not a type of care but rather a modality of care that should not be arbitrarily restricted. 

  • Any new special registration process should work in conjunction with the existing DEA registration process already required under the Controlled Substances Act. A modifier should be used with the practitioner's existing DEA number (such as a "T" at the end) to indicate the special registration has been completed and, importantly, to note when a prescription is issued via telemedicine. 
  • Telemedicine providers should not be required to maintain local addresses in every state where they practice. Providers are already required to maintain state licenses and authority in states where they practice. Requiring a physical address in each state defeats the purpose of serving patients remotely.
  • Special registration should include the elements DEA needs to monitor for illegitimate practitioners and illegal prescribing practices. These elements include: (i) personal/business information (provider address, phone, email, and identification number (i.e., NPI)); (ii) state authority (state practice licenses, state controlled substances registration, states of practice and proof of malpractice insurance); (iii) attestations by the provider that specified DEA-required practices will be adhered to, such as descriptions of practice and patient population served, clinical and quality assurance protocols, prescription drug monitoring programs, diversion control protocols, patient identification verification protocols, and emergency protocols; and (iv) training requirements. (As of July 2023, DEA currently requires an eight-hour course on addiction medicine, for which the required proof of completion could be reiterated, and the DEA could add a one-hour training requirement related to preventing diversion of all controlled substances and unique considerations related to the practice of telemedicine.)
  • Special registration should not be limited to any specific specialty or treatment condition. However, because Schedule II medications are classified as more dangerous, and in recognition of the DEA's interest in limiting diversion of these medications, ATA Action recommends that the DEA require additional information, which could include information concerning medical practice scope and protocols. 
  • Dispensers (pharmacies and pharmacists) should be able to identify legitimate prescribers who have a current special registration. The DEA-proposed telemedicine "stamp" may be considered a "red flag" and lead to further denials to dispense legitimate prescriptions. ATA Action instead recommends that the "stamp" indicate special registration status in order to give the dispenser confidence in the validity of the prescription. Similarly, the DEA should make clear to dispensers that the addition of the "T" modifier on a prescriber's registration number indicates that the geographic red flag should not be considered. 
  • The location of the patient during the telemedicine visit should not require any registration. Rather, the prescriber prescribing the controlled substance (and the dispenser dispensing it) should hold the controlled substances authority. 
  • The special registration process should not place any arbitrary limits on a clinician's ability to practice within the scope of their authority. Examples of arbitrary limits to avoid include: (i) specifying a number of patients that can be treated; (ii) specifying a time period in which prescriptions can be issued; (iii) limiting which clinician types have which authorities or privileges (this is governed by state clinical practice laws and boards); and (iv) limiting prescriptions to FDA-approved indications (ATA Action notes it is legal and common for clinicians to use their clinical judgment to prescribe medications "off-label").

ATA Action's recommendations are an expansion of comments it submitted in March 2023 in response to proposed rules in which the DEA considered, but rejected, such a special registration. As a result of receiving tens of thousands of comments on these proposed rules, the DEA extended COVID-19 telemedicine flexibilities for the prescription of controlled substance.

FDA Continues to Hone Its Understanding and Oversight of Digital Health

This quarter, the FDA engaged in rulemaking, released guidance, and introduced initiatives at the organizational level to stay current with digital health trends and enhance the agency's understanding of the benefits and risks associated with the use of digital health technologies ("DHT").

  • FDA Issues PDURS Draft Guidance. On September 18, 2023, FDA issued a draft guidance explaining how the agency intends to apply its drug labeling authorities to end-user output of prescription drug-use-related software ("PDURS"). PDURS is software disseminated by or on behalf of a drug sponsor that produces content presented to end users (such as patients, caregivers, or health care providers) that supplements, explains, or is otherwise textually related to the prescription drug or drug-led combination product. Comments on the draft guidance must be submitted by December 18, 2023. 
  • FDA Publishes LDT Proposed Rule. As noted in a Jones Day Alert, on October 3, 2023, FDA published a proposed rule "to amend its regulations to make explicit that in vitro diagnostic products (IVDs) are devices under the Federal Food, Drug, and Cosmetic Act (FD&C Act) including when the manufacturer of the IVD is a laboratory." The proposed rule requires manufacturers to comply with device regulatory requirements in stages beginning one to four years after FDA publishes the final rule. Comments on the proposed rule must be submitted by December 4, 2023.
  • FDA Updates Guidance on OTS Software Use in Medical Devices. On August 11, 2023, FDA released updated guidance describing the documentation sponsors should consider including in premarket submissions for medical devices employing off-the-shelf ("OTS") software. The guidance reflects specific considerations applicable to the integration of generally available software components into medical devices when the software life cycle is beyond the device manufacturer's complete control. FDA adopts a risk-based approach pursuant to which sponsors may submit either "basic" or "enhanced" documentation depending on the risk associated with the device. This approach is consistent with June 2023 guidance on recommended documentation for device software function(s) premarket submissions.
  • FDA Introduces Digital Health FAQs. Launched on September 15, 2023, this dynamic webpage consolidates and makes readily accessible a range of agency resources and regulatory guidance on DHT. 
  • FDA Establishes a Digital Health Advisory Committee. On October 11, 2023, FDA announced the creation of a new Digital Health Advisory Committee, which is tasked with supporting the safe and effective regulation of DHT. The Committee will provide advice to the FDA Commissioner on DHT topics, including artificial intelligence, machine learning, virtual reality, wearables, DHT use in decentralized clinical trials, patient generated health data, and cybersecurity. Applications for membership on the Committee will be accepted until December 11, 2023.

DOJ Continues Scrutiny of Medicare Fraud Involving DME and Prescription Skin Creams 

As part of a nationwide enforcement action in June 2023, the Southern District of Florida charged owners of an internet-based platform with allegedly coordinating kickback arrangements between telemedicine companies and durable medical equipment ("DME") suppliers, pharmacies, and telemarketers. Under the kickback arrangements, the defendants allegedly received payments from the DME suppliers, pharmacies, and telemarketers for coordinating with the telemedicine companies and for using the defendant's platform to generate orders for DME and costly skin creams that fraudulently represented that physicians had examined and treated the Medicare patients. The government alleged that in reality, however, the physicians—who were paid by the telemedicine companies, who in turn were paid by the DME suppliers, pharmacies, and telemarketers—signed the orders based only on brief telephonic interactions, or no interactions at all, with beneficiaries. The defendants also allegedly removed references to telemedicine in the orders, so as to conceal the scheme. The arrangements allegedly resulted in the submission of $1.9 billion in false claims to Medicare and other government insurers by the DME suppliers and pharmacies. 

In September 2023, two pharmacy operators and a pharmacist (collectively, the "Pharmacy Defendants") were indicted in a kickback scheme allegedly executed in collaboration with marketing and telehealth companies. The marketing companies allegedly identified Medicare and TRICARE beneficiaries and pressured them via telephone to agree to try costly prescription creams. The marketing companies then sent telemedicine companies recordings of these telephone calls, along with pre-marked prescription pads for particularly costly creams. The marketers are alleged to have paid the telemedicine companies kickbacks for every prescription approved, and the telemedicine companies paid doctors to approve the prescriptions. The marketing companies then allegedly directed the prescriptions to pharmacies with which they had kickback arrangements, including the Pharmacy Defendants. The Pharmacy Defendants allegedly filled the prescriptions, submitted false claims for reimbursement worth over $33 million to Medicare and TRICARE, and paid a portion of each reimbursement to the marketing companies as a kickback.

Jones Day continues to monitor federal and state telemedicine enforcement actions in the wake of the COVID-19 pandemic.

SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure

On July 26, 2023, the U.S. Securities and Exchange Commission ("SEC") adopted final rules that impose significant, new cybersecurity and breach disclosure obligations. The rules amend Form 8-K to require domestic companies to publicly disclose material aspects of the nature, scope, timing, and material impact (or reasonably likely material impact) of material cybersecurity incidents within four business days of determining that a cybersecurity incident is material. Additionally the rules add a new Item 106 to Regulation S-K and amend Form 10-K to require, among other things, disclosure of: (i) the company's processes for assessing, identifying, and managing material risks as related to cybersecurity threats; (ii) whether and how any risks from past or ongoing cybersecurity threats have materially affected (or are reasonably likely to materially affect) the company; (iii) the board of directors' oversight of risks from cybersecurity threats; and (iv) management's role in assessing and managing material risks from cybersecurity threats. 

HHS Proposes HIPAA Privacy Rules to Support Reproductive Health Care Privacy 

On June 16, 2023, the 60-day comment period on the proposed rule regarding reproductive health care privacy under HIPAA closed, resulting in nearly 9,000 comments. The rule would limit the use or disclosure of protected health information by HIPAA-covered entities when the purpose of the use is to investigate or to further criminal, civil, or administrative actions against a person who received lawful reproductive health care. HHS supported the rule as a needed protection for reproductive care and patient privacy in the wake of the Dobbs v. Jackson Women's Health Organization opinion. 


State Legislators Turn Attention to AI

In recent months, state legislators have signaled strong interest in the topic of artificial intelligence ("AI"), particularly as relevant to the issues of independent medical judgment, bias, and mental health treatment. For example:

  • Some states have proposed or adopted measures intended to prevent the substitution of AI for human clinical judgment. If adopted, Maine Senate Bill 656 would, for example, prohibit health care facilities from adopting policies or practices that employ health information technology or algorithms to achieve a medical or nursing care objective. It would also prohibit using systems based on artificial intelligence or clinical practice guidelines that limit or substitute for the direct care of a licensed nurse, including the full exercise of independent professional judgment. 
  • Others state measures, like New Jersey Senate Bill 1402, would prohibit health care providers from using AI to discriminate against members of a protected class. 
  • States have also expressed particular concern about the use of AI in mental health treatment. Rhode Island House Bill 6285 would allow mental health providers to use only AI technologies which have received approval from a relevant professional licensing board and which prioritize safety through continuous monitoring to facilitate safety and efficacy. The bill would require mental health providers using AI technologies to provide notice to patients if AI is used and to offer treatment by a licensed mental health professional. Such providers would also be required to obtain a patient's informed consent for mental health treatment using AI technologies.

The above proposals are evidence of a forthcoming flurry of state legislative activity intended to regulate the use of AI in health care, both directly and indirectly. All entities considering leveraging AI technologies should closely monitor their compliance activities as the legal landscape develops. 

10 State Attorneys General Enter Into Settlement With Telehealth Company for Deceptive Marketing Practices

In an April 2023 Assurance of Voluntary Compliance, a telehealth vision company agreed to pay $500,000 to resolve allegations that it violated state consumer protection laws and health and safety laws by promoting and selling its products without the required clearance or approval from FDA. The company also settled the states' allegations that the company made unsubstantiated and false or misleading advertising and marketing claims, including claims about the accuracy and safety of its online vision test and misrepresentations regarding customer satisfaction rates and guarantees. 

Florida Telehealth Restrictions on Gender-Affirming Care Head to Trial

Effective May 17, 2023, new legislation requires that adults in Florida must have an in-person meeting with a physician prior to receiving any form of gender-affirming care. A group of patients who had previously accessed gender-affirming care via telehealth are challenging this requirement. On September 11, 2023, a federal judge declined the patients' request to enjoin enforcement of the telehealth restriction. This issue, among others related to the new legislation, is set for bench trial in the Northern District of Florida on December 13, 2023. 

North Carolina Board of Medicine Updates Telemedicine Position Statement

In September 2023, North Carolina's Board of Medicine updated its Position Statement on Telemedicine ("Position Statement") indicating that licensees "practicing telemedicine utilizing questionnaires should have the ability to ask follow-up questions or obtain further history, especially when doing so is required to appropriately diagnose or treat." Additionally, the Position Statement indicates that any provider using telemedicine to provide medical services to patients located in North Carolina is required to be licensed in the state. This requirement does not apply, however, to provider-to-provider consultations across state lines when a North Carolina licensee remains responsible for the care of the North Carolina patient but an out-of-state provider consults "on an irregular basis" with the North Carolina licensee.

Pennsylvania Legislators Consider Measure to Assure Insurance Coverage Parity for Telemedicine

In June 2023, Pennsylvania state senators advanced Senate Bill 739, which would, if enacted, prohibit insurers from denying coverage for a service solely because it is provided by telemedicine. Before it becomes effective, the bill must receive approval from the House, Senate, and governor. 

Vermont Introduces Telehealth License and Registration for Out-of-State Providers

Effective July 1, 2023, Vermont offers a process for health care professionals licensed and in good standing in another jurisdiction to provide telehealth services to patients in Vermont by obtaining a telehealth license or telehealth registration from the Office of Professional Regulation or the Board of Medical Practice. The telehealth license allows an out-of-state health care professional to provide telehealth services to 20 patients in Vermont. In contrast, the telehealth registration allows an out-of-state health care professional to provide telehealth services to 10 patients in Vermont for a period of not more than 120 consecutive days from the date the registration was issued. 

Virginia Allows Out-of-State Providers to Provide Telemedicine-Based Services 

Pursuant to legislation passed in March 2023, physicians, physician assistants, nurse practitioners, and other health providers with an active license in good standing from another state or Washington, D.C. (or a colleague of such provider within the same practice group) may provide telemedicine-based services to an existing patient of such out-of-state provider when such patient is in Virginia, so long as the service is provided for continuity of care and the out-of-state provider has seen the patient in-person within the prior 12 months. 

Global Developments


European Cancer Imaging Initiative's First Prototype of the Pan-European Digital Infrastructure Goes Live

On September 29, 2023, the first prototype of the Cancer Image Europe platform went live. The platform features a public catalog of cancer imaging datasets and a search tool. It aims to foster innovation and deployment of digital technologies in cancer research, treatment, and care to achieve more precise and faster clinical decision-making, diagnostics, treatments, and predictive medicine for the benefit of cancer patients. The European Cancer Imaging Initiative is one of the flagships of Europe's Beating Cancer Plan and is in line with the European strategy for data and the European Health Data Space. 

EMA Publishes a Draft Reflection Paper on the Use of AI in the Lifecycle of Medicines

On July 19, 2023, the European Medicines Agency ("EMA") published a draft reflection paper on the use of AI in the lifecycle of medicines. Data are routinely captured in electronic format in the health care sector. AI and machine learning ("ML") tools can, if used correctly, effectively support the acquisition, transformation, analysis, and interpretation of data. However, the use of AI and ML may introduce risks which need to be mitigated to facilitate patient safety and the integrity of clinical study results. The draft paper outlines several general and specific considerations on the use of AI and ML to support the safe and effective development, regulation, and use of human medicines. It reflects on principles relevant to the application of AI and ML at any step of a medicine's lifecycle, from drug discovery to the post-authorization setting. One key consideration is that the use of AI should always occur in compliance with existing legal requirements, ethics, and fundamental rights. The draft paper also notes that a risk-based approach for the development, deployment, and performance monitoring of AI and ML tools allows developers to proactively define the risks to be managed throughout the AI and ML tool lifecycle. Early regulatory interaction or scientific advice is recommended if the use of AI and ML systems is expected to impact the benefit or risk of a medicinal product. The draft paper also discusses several technical aspects, including data acquisition and training, performance assessment, and governance of AI systems, along with data protection responsibilities and data integrity. Lastly, the draft paper reiterates basic ethical principles for AI and notes that a human-centric approach should guide all development and deployment of AI and ML. The draft paper is open for public consultation by all stakeholders until December 31, 2023. 

EMA Publishes a Report on Pharmacovigilance During the Pandemic

On June 22, 2023, EMA published the "Report on Pharmacovigilance Tasks–From EU Member States and the European Medicines Agency (EMA) 2019–2022." The report summarizes the work carried out by the EU Pharmacovigilance Network between January 2019 and December 2022 to ensure the safety of all medicines authorized in the EU, including COVID-19 vaccines and therapeutics. The report also describes the main enhancements to the EU pharmacovigilance system introduced during this period and reflects on areas for further strengthening. Among other things, the report describes that the coordination of inspections requested by EMA's committees for human and veterinary medicines under the centralized procedure was transferred to IRIS, a secure online platform for handling product-related scientific and regulatory procedures. Further, the report describes that due to travel restrictions during the pandemic, more than half of the 2020 pharmacovigilance inspections were conducted remotely through guidance on remote pharmacovigilance inspections during a crisis situation. Based on this experience, remote inspections will also be used outside of crisis scenarios and in specific cases (e.g., when physical or follow-up inspections to assess the corrective and preventive actions plan are not possible) to facilitate efficiency while maintaining high standards of care. However, remote inspections will not replace on-site inspections. Finally, the report also describes the initiative to develop a reflection paper on digital support tools for implementing and evaluating the effectiveness of risk minimization measures. 

European Commission Publishes the Report on the State of the Digital Decade and Accompanying Q&A

On September 27, 2023, the European Commission published its first "Report on the State of the Digital Decade" and accompanying Questions & Answers. Under the Digital Decade policy, the EU aims for digital transformation by 2030 through cooperation between the EU and Member States to boost European digital capacities and capabilities around four points: (i) skills; (ii) infrastructures; (iii) business; and (iv) public services. The Digital Decade policy program sets concrete targets and objectives for each of those points. One target is to establish 100% access to online medical records for citizens. The report notes that the digitalization of health has the potential to transform the health care landscape, improving access to care, enhancing patient engagement, and ultimately leading to better health outcomes for individuals and communities, notably in rural and remote areas. Improved access to health data is also a step toward controlling the flow of health data and securely sharing it (e.g., data shared for the purpose of obtaining a second opinion). The report notes that the EU performs well on the access to e-health records indicator and is on track to meet the EU target. However, issues to be addressed remain, including expanding the number of connected health care providers and the range of accessible data, as well as the use of certain authentication methods for health data access services. The Commission mentions the legislative proposal for a European Health Data Space which aims to improve people's access to their own electronic health data, to support the exchange of health data between health care providers, and to encourage the reuse of health data to support research, policymaking, and other related purposes.

European Commission Publishes a Report on the Development of the Digital Decade e-Health

In September 2023, the European Commission published a report titled, "Digital Decade e-Health Indicators Development." The report presents the results of a study on the state-of-play of 27 EU Member States, Iceland, and Norway towards achieving the Digital Decade Policy Programme 2030 e-health target of 100% EU citizen access to electronic health records by 2030. The study measured EU citizens' access from four angles: (i) the implementation of electronic access services for citizens (i.e., the technical prerequisites for access); (ii) the categories of accessible health data (such as summaries of the electronic health records, ePrescriptions, and laboratory test results); (iii) the access technology and coverage (such as mobile applications and secure authentication mechanisms); and (iv) the access opportunities for certain categories of people (such as mechanisms for legal guardians). The report indicates that participating countries are progressing well in facilitating citizens' access to electronic health records. For example, in the EU, citizens have 72% access to electronic health records. Electronic access services exist in all participating countries, with the exception of Ireland. However, many countries have not yet established secure and equitable access to a comprehensive set of updated health data provided from a range of health care providers. 

The European Parliament Adopts Roadmap to Better Prepare for Future Health Crises

On July 12, 2023, the European Parliament adopted a resolution on lessons learned from the COVID-19 pandemic and recommendations for the future ("Resolution"). The Resolution aims to serve as a roadmap outlining future actions in four main areas: (i) health; (ii) democracy and fundamental rights; (iii) social and economic aspects; and (iv) global response to a pandemic. Some key proposals of the Resolution are to:

  • Expedite the digitalization of administrative services in the health sector and, wherever appropriate and feasible, the use of online health care services; 
  • Facilitate more coordination among EU institutions on adopting extraordinary measures and address digitalization challenges; and
  • Include digital literacy in the curricula of all learning institutions and to provide the necessary training and equipment for teachers and educators by the Member States. 

European Court of Justice Rules on Patients' Rights to Obtain Copy of Medical Records

On October 26, 2023, the European Court of Justice issued a judgment in response to a preliminary ruling request from a German court, addressing the relationship between patients' rights to access their medical records and the General Data Protection Regulation ("GDPR"). In its ruling, the Court recalled that the GDPR enshrines the right of patients to obtain a first copy of their medical records at no cost. Furthermore, individuals have the right to obtain a complete copy of all documents contained in their medical records, particularly when this is essential for a comprehensive understanding of the personal data included in those documents. This right encompasses data found in medical records, including diagnoses, examination results, and details regarding any treatments or interventions provided. 

EMA and Health Technology Assessment Issue Press Release on Collaboration in Digital Health

On September 15, 2023, EMA and the European Network for Health Technology Assessment ("HTA") issued a press release regarding their joint collaborative efforts. This collaboration encompasses several initiatives, including the completion of seven parallel joint scientific consultations, discussions on needs for medicinal products in oncology, and the organization of trainings for patients and health care professionals. Furthermore, as part of the Regulation on Health Technology Assessment, EMA and HTA bodies will collaborate in the context of joint clinical assessments, joint scientific consultations, and the identification of emerging health technologies. EMA and HTA have also recently introduced a new framework, marking a significant preliminary phase in anticipation of the full application of the Regulation on Health Technology Assessment in January 2025. 

World Health Organization Regional Office for Europe Issues Landmark Report on Digital Health

On September 1, 2023, the World Health Organization ("WHO") issued a report titled, "The ongoing journey to commitment and transformation: Digital health in the WHO European Region 2023." This report offers insight into the digital health landscape in Europe, highlighting the substantial progress made by EU Member States. Many EU Member States have developed national data strategies and policies to regulate the use of big data and advanced analytics in health. However, the report emphasizes the need for further improvements and acknowledges the challenges that lie ahead. For example, while the report indicates that each studied country has experienced accelerated growth of digitization, significant differences between countries exist, especially as related to achieving care transformation. The WHO report presents several suggestions to advance digital health, including establishing an effective governance of digital health, drafting evaluation guidelines, securing sustainable financing, and addressing interoperability. 


French Administrative Supreme Court Refuses Magazine's Request to Access Health Care Data for Hospital Rankings

On June 30, 2023, the French administrative supreme court, Conseil d'Etat, rendered a new decision (No. 469964) that upheld the French Data Protection Authority's (the "French DPA") rejection of a magazine's request to create an annual hospital ranking based on medical data from the French national health database. According to French law, access to this database requires authorization from the French DPA, which verifies whether the data processing serves a "public interest." Conseil d'Etat clarified that access to the database can be granted not only for scientific purposes, but also for journalistic ones, and that the French DPA must consider various factors when assessing the public interest of a data processing project, such as the nature and importance of the research, its contribution to health care knowledge, the sensitivity of the data, the transparency efforts, and the methodology. Ultimately, Conseil d'Etat agreed with the French DPA that the magazine's methodology for ranking hospitals was insufficient and could mislead the public, and therefore did not qualify data processing as a cause of public interest. 

French Data Protection Authority and the French Chamber of Pharmacists Publish GDPR Guidelines

On September 21, 2023, the French DPA, in collaboration with the French Chamber of Pharmacists, issued guidelines for pharmacists on how to comply with the GDPR. In the accompanying press release, the French DPA explained that pharmacists handle significant sensitive health data, and thus poor management or insufficient data security practices may have serious consequences for related data subjects. This initiative follows the publication of the French DPA's Framework on the Processing of Personal Data by Pharmacies in July 2022. The 45-page guidelines cover the main concepts of the GDPR (such as individuals' rights and information, data protection officers, records of data processing activities, data retention periods, data security measures, etc.) and provide practical examples and best practices for common situations that pharmacists face. 


Greek Government Publishes Draft Law to Strengthen the Electronic Circulation of Medicines

On September 20, 2023, the Greek Ministry of Health published a draft law titled, "Regulations for dealing with the COVID-19 coronavirus pandemic, strengthening the protection of public health and health services, the electronic system for monitoring the circulation of medicines, the Unified List of Surgeries." The draft law contemplates an electronic system for monitoring the circulation of medicines in the Greek market, as well as the home delivery of proprietary pharmaceutical preparations for the treatment of serious illnesses. The draft law closed from public consultation on September 26, 2023. 


Italian Data Protection Authority Publishes Manual on Nationwide Health Services and Artificial Intelligence

On October 10, 2023, the Italian Data Protection Authority published a manual for the implementation of nationwide health services through AI systems. The manual underscores that, in accordance with the GDPR, the processing of health data by using AI techniques for the purpose of public interest requires a dedicated regulatory framework. This framework is essential for outlining measures that safeguard the rights, freedoms, and legitimate interests of data subjects. Within this context, the manual delves into key topics, including the principles of accountability, privacy by design, and accuracy, integrity, and confidentiality. 


Dutch Cabinet Commits to Accessibility and Affordability of Health Care by 2024

According to the Dutch cabinet, health is important to the quality of life of both Dutch individuals and the functioning of Dutch society as a whole. When needed, everyone should be able to rely on accessible and affordable care and support. The Dutch government announced that it is working to facilitate this with health care parties, municipalities, and civil society organizations. The 2024 budget of the Dutch Ministry of Health, Welfare and Sport will make a total of €103.4 billion available for care next year. Further, investments are being made in digitization and better exchange of patient data. For example, €9.3 million is available for electronic nursing transfer so that nurses can spend less time on administration.

300% Rise in Digital Consultations at Dutch Online GP Practice

A Dutch online general practitioner ("GP") practice has reported that the number of digital consultations at its GP practices has increased by 300% in one year. The figure indicates a growing shift towards innovative digital solutions in the health care sector. 

Supervision of ICT and Digitization in Dutch Health Care Doubles

In September, a research report published by M&I/Partners shows that the number of supervisors of information and communication technology ("ICT") and digitization in Dutch health care has doubled in recent years. The report not only sheds light on the current state of affairs but also highlights the need for more effective oversight of digitization and ICT. For example, although oversight of ICT and digitization has increased in practice, only 20% of Dutch councils regularly discuss the topic, and it is not a regular agenda item.


Polish Minister of Health Announces the e-Konylium Project

Earlier this year, the Polish Minister of Health announced the e-Konylium project, which will enable specialist e-consultations between primary care physicians and specialists from partner hospitals, as well as between specialists from partner hospitals and specialists from highly specialized centers. Through a special platform created under the supervision and funding of the Ministry of Digitization, doctors will be able to share patients' complete medical records together with the results of diagnostic imaging and discuss patients' health status on an ongoing basis via camera.


Spanish Minister of Health Announces Clinical Data Interoperability Process Allowing Access to Summary Clinical History and Electronic Prescription for EU's Spanish Population

On August 14, 2023, the Spanish Ministry of Health announced the promotion of the advancement of the e-Health network, allowing Spanish citizens to access their clinical data and prescriptions throughout the entire European Union. According to the announcement, more than 78% of Spanish citizens live in autonomous communities fully connected to these services. All relevant autonomous governments have committed to advancing this process. Further, the Ministry has signed agreements to incorporate all the country's autonomous communities and cities into the cross-border health care network in the European Union. This way, and, reciprocally, the citizens of these Member States will also have this service available in Spain. 

Spanish Minister of Health Announces Incorporation of the Interoperable Digital Medical Record in Public Mobile Application as Part of the Digitization Process of the Spanish National Health Service

On July 13, 2023, the Spanish Minister of Health announced the inclusion of the Spanish National Health Service's Digital Clinical History service in a mobile app. This aims to allow patients and health professionals from any community to access patient clinical datasets "through a click or mobile phone" to support the health care of such patient when traveling outside the autonomous communities in which such patient resides. 

Spanish Minister of Health Highlights Strategic Nature of Digital Health 

On June 27, 2023, the Spanish Minister of Health highlighted the strategic nature of digital health in areas such as improving early diagnosis, monitoring complex diseases, and health innovation. He also reaffirmed the importance of Digital Health in the agenda of the Presidency of the Council of the European Union, which began on July 1, 2023.

United Kingdom

UK Information Commissioner's Office Issues Guidance on Workers' Health Data Protection

On September 5, 2023, the UK Information Commissioner's Office released guidance on workers' health data. The guidance aims to help employers understand their obligations under the UK General Data Protection Regulation and the UK Data Protection Act when processing health information of employees. It is composed of two sections: (i) the first section provides an overview of how data protection law applies to the processing of workers' health information; and (ii) the second section considers some of the most common types of employment practices where workers' health information is processed, outlining both legal obligations and best practices to follow. 

Lawyer Spotlight 

Dr. Jörg Hladjk and Laura Laemmle-Weidenfeld

This edition we highlight two lawyers who are regular contributors to Vital Signs:

Dr. Jörg Hladjk (Cybersecurity, Privacy & Data Protection, Brussels) covers all aspects of EU data protection law, including advising clients in the health care and life science industries on global compliance programs and international data transfer strategy; preparing for and managing cybersecurity incidents; and assisting with regulatory investigations and transactional privacy issues.

Laura Laemmle-Weidenfeld (Health Care & Life Sciences, Washington) advises digital health companies, health care providers, and life sciences manufacturers on compliance with health care fraud and abuse laws such as the Anti-Kickback Statute, Stark Law, and False Claims Act; and defends them against investigations brought under those laws by the Department of Justice and other government agencies.

Recent and Upcoming Speaking Engagements 

  • Colleen Heisey, FDLI, Advertising & Promotion for Medical Products Conference: Medical Device Promotion Enforcement, November 2023
  • Toni Citera, PhRMA, Annual Meeting – Fireside Chat, October 2023
  • Maureen Bennett, Peking University, Bringing a Medical Product to Market in the United States, October 2023
  • Dr. Christian Fulda, C5, Life Sciences IP Summit – Navigating the Current Drug Exclusivity Landscape: Implementing Strategies for Effective Patent Lifecycle Management Amidst New Pharmaceutical Law Reform in Europe, September 2023
  • Jessica Tierney, FDLI, Introduction to Food Law & Regulation: Food Labeling: General requirements, September 2023
  • Laura Laemmle-Weidenfeld, PLI, Life Sciences 2023: Navigating the Drug and Device Industries – Effective Life Sciences Compliance Programs and/or Investigations, September 2023
  • Cristiana Spontoni, Informa European Pharma Law Academy, European Pharma Law Academy – Clinical Trials, September 2023
  • Maureen Bennett, ACI, FDA Boot Camp: Clarifying the Clinical Trial Process for Drugs and Biologics, September 2023

Recent Jones Day Publications

Insights by Jones Day should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request permission to reprint or reuse any of our Insights, please use our “Contact Us” form, which can be found on our website at This Insight is not intended to create, and neither publication nor receipt of it constitutes, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.