With 2022 well underway, the rapid pace of statutory, regulatory, policy, and industry activities in digital health continues in force. We bring you Vital Signs, a curated, one-stop resource on the most notable digital health law updates from our U.S. and global contributors.
As telehealth services have become expected by consumers, U.S. federal coverage has been extended and expanded, and a recent legislative proposal would make telehealth flexibilities permanent. Similarly, state jurisdictions are taking steps to relax modality requirements and enhance protections for consumer data and privacy, while state and local taxing authorities are seeking to claim their stake in income derived from remote activities. In our Industry Insights, you’ll hear from experienced tax lawyers about state and local taxing authorities focused on digital health. We also report on new developments at the USPTO that affect digital health patent applications. Globally, you’ll read about the numerous developments concerning data and privacy protection as digital health policy remains at the forefront of jurisdictions throughout the EU.
We thank our contributors and once again commit to continue to monitor and bring to you curated updates covering the myriad developments that will undoubtedly continue throughout 2022.
By Michael Wynne and Jennifer Waryjas
The pandemic accelerated the learning curve for state tax agencies on the taxation of remote work. In 2020, a number of states issued guidance stating that the presence of a telecommuting employee whose work shifted to remote as a result of COVID-19 would not create a taxable connection (“nexus”) with the state. In 2021, the Supreme Court declined original jurisdiction to New Hampshire in a suit against Massachusetts to invalidate a Massachusetts COVID-19 personal income tax sourcing regulation, which continued to source to Massachusetts the wages of nonresidents who worked for a Massachusetts employer but telecommuted because of the pandemic. Approximately one-third of states issued a temporary suspension of corporate income tax and sales tax nexus thresholds when employees were forced to work remotely. In 2022, few of those temporary measures remain in effect, and skirmishes continue in courts in Ohio and Missouri regarding local income tax sourcing rules similar to that of Massachusetts. In short, we are in a prolonged testing phase to determine whether and how remote work and business activities are affected by state taxes.
State tax agencies are thinking about “how” employees are working, what technology platforms are utilized, where and how software, data, and integrated services are used, and from where the value of investors’ capital is derived in a new light. This shift is already affecting telemedicine operations, with income tax implications for health systems, service companies, professional corporation (“PC”) owners, vendors, and consumers.
Telemedicine: The Doctor is In, but Where?
States must have jurisdiction over an out-of-state business in order to assess and collect tax. That jurisdiction hinges first on a minimum connection with the taxing state of the person or activity the state seeks to tax, which can arise from a demonstrated purposeful exploitation by a taxpayer of a state’s market. A variety of contacts may suggest nexus in a state sufficient to impose income and operational taxes for digital health organizations. Those contacts could include the legal formation of the necessary entities; professional state licenses; data storage locations; and where technology interfaces and integrated technology service offerings are licensed, leased, or owned in consumer and provider locations. Additionally, these contacts may influence where income from operations of the business, or the earnings of the investors, will be sourced for tax purposes.
When patients are seen by a practitioner through virtual means, one or more states may claim nexus with the practitioner’s employer based on agreements with parties in the taxing state and concepts of agency, or on the level of revenues derived from the taxing state if it has economic nexus laws, and/or on the location of both the patient and the doctor. If the patients are in a so-called market-based state, the employing entity will need to monitor the location of its patients and whether the aggregate treatments meet the economic thresholds in each state. The minimum thresholds trigger the requirement for a multitude of state taxes. A similar analysis is required for cost-of-performance states in evaluating where the direct costs are located for what a state may identify as the activity producing the income. Some states may view the income-producing activity to be the patient’s visit to a facility in their state, while others may view the income-producing activity to be maintaining and operating the network that allows the remote delivery of the service to the patient.
Sourcing State Income
Aligning State and Federal Income Taxes
State tax reporting methods are not mirrors of the federal separate return and consolidated filing system. Some states even impose direct income taxes on flow-through entities that are merely reporting entities for federal tax purposes. Many states use the “unitary business principle” to define the reporting group, and in some states also to define the taxpayer. Under that principle, operations conducted across state lines in pursuit of a single business—whether the member entities are vertically or horizontally integrated—are viewed as a single business, and all member entities must be reported in one return if the group is under common ownership or control.
Telemedicine structures comprised of multiple entities are, through their ownership structure, intercompany agreements, and restrictive covenants, susceptible to or eligible for characterization as a unitary business group required to file a combined return for the group. It’s important to identify which entities may be members of a given state’s unitary combined return, as transactions with related group members are generally eliminated from income. A combined return implements a different policy than a federal consolidated return, so federal filing conventions applicable to the telemedicine structure must be viewed through state-policy lenses to determine what state reporting obligations will differ from federal filing expectations of the parties.
For the foreseeable future, state tax laws will continue to haphazardly adapt to the evolutions in how and where work gets done and services are delivered. Tax consequences are not set and done once, but set and revisited periodically as the business and the laws change. Telemedicine is at the forefront of this evolution and must therefore be ahead of the curve in identifying risks and implementing solutions.
United States Developments
CMS Extends and Expands Coverage for Telehealth Services for CY 2022
CMS expanded coverage of telehealth services as part of the Physician Fee Schedule for Calendar Year 2022. Most notably, CMS expanded coverage for the diagnosis, evaluation, or treatment of certain mental health disorders consistent with the Consolidated Appropriations Act. Specifically, the Physician Fee Schedule extended Medicare coverage for these services delivered to beneficiaries located in their homes (such that the geographic restrictions applicable to traditional telehealth services do not apply) so long as in-person non-telehealth services are furnished within six months prior to the telehealth visit and at least once within twelve months of each subsequent telehealth service. Services must be distinguished and documented in the patient’s medical record. A subsequent in-person visit is not required when the risks and burdens associated with an in-person service outweigh the benefits associated with furnishing the in-person item or service, subject to certain additional requirements. CMS also expanded coverage for audio-only telecommunications for mental health disorders when the patient is located at home, the provider has the ability to utilize both audio and video communication, and the beneficiary chooses to utilize audio-only technology because they are incapable of using audio/video technology or do not consent to it. Reasons for using audio-only technology must be documented in the patient’s medical records. Similar flexibilities were also extended to Rural Health Clinics and Federally Qualified Health Centers.
The Physician Fee Schedule included other changes impacting coverage for telehealth services, including extending coverage of services added to the telehealth services list on a temporary “Category 3” basis until December 31, 2023, permanently adopting separate coding and payment for longer virtual check-in services described by HCPCS code G2252, and increasing originating site facility fees to $27.59.
Proposed Federal Legislation Would Make Certain Telehealth Flexibilities Permanent
As covered in previous issues of Vital Signs, lawmakers have introduced numerous bills since the beginning of the pandemic to expand telehealth access and coverage through and beyond the COVID-19 public health emergency. Most recently, the Telehealth Extension Act of 2021 (H.R. 6202) was introduced on December 9, 2021. This Act would permanently allow beneficiaries to receive services while located in their home or any other site determined appropriate by CMS and would remove the geographic restrictions from the Medicare telehealth statute (currently, the Medicare telehealth statute generally limits Medicare coverage for telehealth services by the geographic location of the patient—the patient must be located in a Rural Health Professional Shortage Area located outside of a Metropolitan Statistical Area or in a rural census tract). In addition, the Act would extend the current waiver or modification of requirements for telehealth services for two years following the end of the COVID-19 public health emergency. The Act also contains provisions that would limit payment for high-cost durable medical equipment and high-cost laboratory tests ordered by physicians or other practitioners via telehealth, unless such practitioners have provided an in-person service at least once during the six-month period prior to the order, and would require Medicare administrative contractors to audit practitioners furnishing a high volume of durable medical equipment and ordering laboratory tests via telehealth. A similar bill—the Telehealth Extension and Evaluation Act (S. 3593)—was introduced on February 8, 2022.
Hundreds of stakeholders recently sent a letter to Congress supporting comprehensive telehealth reform, including through the continuation of current telehealth waivers through the end of 2024 and the adoption of permanent telehealth legislation.
DEA Considers Regulating and Providing for Registration of Telepharmacy Services
On November 17, 2021, the Department of Justice, Drug Enforcement Administration (DEA), issued an advance notice of proposed rulemaking to gather more information on the practice of telepharmacy. The DEA is considering regulating telepharmacy—which falls under the jurisdiction of the Controlled Substances Act and the DEA if it involves the dispensing of controlled substances—by providing for a special or modified telepharmacy registration. The request for comments, which closed January 18, 2022, sought input from regulatory agencies in states that authorize telepharmacy, industry and healthcare providers, and telepharmacy vendors and servicers.
“Telepharmacy” is described in the notice as “the provision of pharmacist care by a remote pharmacist, through the use of telecommunications and other technologies, to a patient located at a dispensing site.” The two primary types of remote dispensing sites are described as brick-and-mortar storefronts staffed by non-pharmacists and automated self-service kiosks that may accept and dispense prescriptions to patient-users. A real-time telecommunication connection is used to allow a pharmacist to supervise non-pharmacists and connect with the patient-user. Many states authorize the practice of telepharmacy, which is often used to serve rural areas. An important note: mail-order pharmacy services are not considered telepharmacy services.
FTC Settles Charges Against Alabama Dental Board Relating to Anti-Competitive Dental Supervision Regulations
In a significant victory for tele-dentistry providers, the Federal Trade Commission (“FTC”) announced on December 21, 2021, that it had settled charges of anti-competitive practices against the Alabama Board of Dental Examiners. As noted in a prior issue of Vital Signs, the FTC alleged that the Alabama Dental Board unreasonably excluded unlicensed personnel from remotely conducting mouth scans to be used in the creation of clear teeth aligners. The FTC claimed that these restrictions were in part responsible for SmileDirectClub abandoning plans to open additional locations in Alabama. Under the FTC final order resolving the charges, the Alabama Dental Board has agreed to permit non-dentist providers to conduct mouth scans for the creation of clear teeth aligners without on-site dentist supervision and to allow such scans to be conducted remotely.
FTC Affirms Applicability of Health Breach Notification Rule
On September 15, 2021, the FTC issued a policy statement clarifying that the Health Breach Notification Rule (“Rule”) applies to health apps and connected devices that collect or use consumer health information and are not covered by the Health Insurance Portability and Accountability Act (“HIPAA”). The Rule requires that vendors of personal health records (“PHR”), PHR-related entities, and third-party service providers that maintain information of U.S. citizens or residents “notify U.S. consumers and the FTC, and, in some cases, the media,” in the event of a breach of, or unauthorized access to, unsecured covered information. Entities that violate the Rule face civil penalties of up to $43,792 per violation per day.
Following its announcement, on January 21, 2022, the FTC announced new resources to help companies determine their obligations under the Rule. These resources include the Health Breach Notification Rule: Basics for Business, a quick introduction to the Rule; and Complying with FTC’s Health Breach Notification Rule (“Compliance Guidance”), which contains more in-depth guidance on compliance. The Compliance Guidance’s FAQ section reaffirms the FTC’s intent to apply the Rule to apps and connected devices. The FAQs also provide examples of how the Rule would apply in various situations and note that, where covered information has been accessed without authorization, the Rule presumes that unauthorized acquisition (and thus a reportable breach) has occurred unless the entity has reliable evidence showing that acquisition has not, or could not reasonably have, taken place. In practice, a company that detects unauthorized access cannot simply assume the data was not taken; it must be able to document why acquisition did not or could not happen in order to rebut the presumption.
DOJ Announces Civil-Cyber Fraud Initiative
As noted in a recent Jones Day Alert, on October 6, 2021, the U.S. Department of Justice (“DOJ”) announced the launch of a Civil Cyber-Fraud Initiative (“Initiative”) to combat new and emerging cyber threats. DOJ will use False Claims Act (“FCA”) enforcement actions to target cybersecurity-related fraud by government contractors and grant recipients that knowingly provide deficient cybersecurity products or services, misrepresent their cybersecurity practices or protocols, or violate obligations to monitor and report cybersecurity incidents and breaches. DOJ has announced that it plans to work closely with other federal agencies on the Initiative and to pursue enforcement actions stemming from information provided by whistleblowers. Although the announcement did not focus on the health care industry, health care and life sciences companies that hold federal contracts or grants should be aware of the Initiative, as it promises increased attention from DOJ and from whistleblowers, and because representations about security practices made in a contract or grant can now form the basis of an FCA claim.
FDA Releases Guiding Principles for Artificial Intelligence/Machine Learning (AI/ML) Device Development
In October 2021, FDA, jointly with Health Canada and the United Kingdom’s Medicines and Healthcare products Regulatory Agency (“MHRA”), published ten Guiding Principles to inform the development of Good Machine Learning Practice (“GMLP”) for medical devices that use AI/ML. The Principles, which follow the Agency’s release of an AI/ML Action Plan earlier in 2021, are intended to “help promote safe, effective, and high-quality medical devices that use [AI/ML]” and help create new practices specific to medical technology and the health care sector. Although neither formal nor binding, the Guiding Principles provide practical guidance that companies should keep in mind as they develop and utilize AI/ML in their medical devices.
Looking forward, FDA expects GMLP best practice and consensus standards to evolve as advances are made in the AI/ML medical device field. While not prioritized, the Agency has announced its intent to publish a 2022 draft guidance on “Marketing Submission Recommendations for A Change Control Plan for AI/ML-Enabled Device Software Functions.”
FDA Issues Draft Guidance Documents Regarding the Use of Real-World Data in the Development of Drugs and Biological Products
As part of the Agency’s RWE Program, FDA recently released a series of draft guidance documents regarding the use of Real-World Data (“RWD”) and Real-World Evidence (“RWE”) in regulatory decision-making for drugs and biological products. These include, among others, a draft guidance document on “Considerations for the Use of Real-World Data and Real-World Evidence,” which discusses the applicability of FDA’s investigational new drug application regulations to studies involving RWD, with a focus on non-interventional clinical study designs, and clarifies expectations concerning RWD submitted to FDA in support of a regulatory decision regarding the effectiveness and safety of a drug. FDA also released a draft guidance on “Assessing Electronic Health Records (“EHRs”) and Medical Claims Data,” which addresses the selection of data sources, the evaluation of the relevance and reliability of EHRs and medical claims data for clinical study use, and data considerations more generally.
Since the issuance of these guidance documents, Dr. Robert Califf, an advocate for the use of RWD and RWE, has been confirmed as the FDA Commissioner. Califf has stated that part of his agenda will include development of additional RWD-related regulatory policies and systems.
FDA Issues Draft Guidance on Use of Digital Health Technologies in Clinical Investigations
In December 2021, FDA issued a draft guidance entitled “Digital Health Technologies for Remote Data Acquisition in Clinical Investigations.” Digital Health Technology (“DHT”) is broadly defined in the draft guidance as “a system that uses computing platforms, connectivity, software, and/or sensors, for healthcare and related uses.” The draft guidance provides recommendations for sponsors, investigators, and others on the use of DHTs for remote data acquisition from participants in clinical investigations evaluating medical products (drugs, biologics and medical devices). The draft guidance outlines information that should be contained in an investigational new drug application (“IND”) or an investigational device exemption (“IDE”) application for a clinical investigation in which the sponsor plans to use one or more DHTs or in a marketing application that includes such a clinical investigation.
Key areas of guidance include: selection of DHTs that are suitable for use in the clinical investigation; verification and validation of DHTs for use in the clinical investigation; use of DHTs to collect data for trial endpoints; identification of risks associated with the use of DHTs during the clinical investigation; and management of risks related to the use of DHTs in clinical investigations. Notably, the draft guidance states that it does not address the extent to which a DHT may be considered a medical device.
Digital Health Patent Applicants Can Benefit From USPTO Pilot Program to Defer Subject Matter Eligibility Rejections
Recent times have seen a confluence of various technologies bringing about a revolution in healthcare. Such technologies include, among others, cloud computing, artificial intelligence, internet of things (“IoT”), blockchain, robotics, and the like. However, the constantly evolving case law on subject matter eligibility (“SME”) has imposed some challenges on expeditiously obtaining patent protection for some aspects of such technologies. For example, patent examiners at the United States Patent and Trademark Office (“USPTO”) may sometimes classify claims directed to certain aspects as subject matter ineligible under 35 U.S.C. § 101, and it can be time consuming to overcome the SME concerns raised by the USPTO in order to obtain a patent.
To ease the burden on patent applicants, the USPTO earlier provided helpful guidance on the SME issue. However, the law on SME has been in flux, and in response, the USPTO has updated the guidance a few times. The lack of a clear line on SME has inconvenienced digital health applicants whose applications are initially rejected under § 101. Addressing some of that inconvenience, the USPTO announced, in January 2022, a new Deferred Subject Matter Eligibility Response (“DSMER”) Pilot Program for nonprovisional patent applications that launched on February 1, 2022 and will end on July 30, 2022. The USPTO notes that participation in this program is by invitation only to certain patent applicants. The program allows the participating applicant to defer presenting arguments or amendments in response to the SME rejection(s) until the earlier of final disposition of the participating application, or the withdrawal or obviation of all other outstanding rejections. Other than this permitted deferral of responding to SME rejection(s), the applicant’s replies must be fully responsive to office actions, and the application will undergo the normal prosecution process.
So far, the DSMER program is a welcome development. Although SME rejections have often been effectively deferred using various prosecution tactics until prior art issues have been overcome, this program has the potential to expedite patent prosecution as the USPTO examiners evaluating applications under this program would have a reduced burden with regard to SME rejections.
New Jersey Passes Legislation Increasing Telehealth Modality Flexibility and Mandating Payment Parity
On December 21, 2021, New Jersey bill S2559 was signed into law as P.L.2021, c.310, ushering in comprehensive telehealth reform in the state. Effective immediately, the new law permits healthcare providers to deliver telehealth through “asynchronous store-and-forward technology … with or without the use of interactive, real-time, two-way audio” if certain requirements are met, including that the provider inform the patient at the outset of the telehealth encounter that they are able to meet the same standard of care as if the services were rendered in person. The new law also requires that (i) patients seeking telehealth services be informed that the encounter may be with a provider who is not a physician and that they may request such encounter be scheduled with a physician and (ii) the identity, professional credentials, and contact information of the healthcare provider delivering the services be made available to the patient at the time services are scheduled or, if not available at that time, upon confirmation of the telehealth encounter.
Under the new law, “carriers,” including insurance companies, HMOs, and medical service corporations will be prohibited from imposing restrictions on the location or setting of the telehealth provider or patient. Additionally, the law will require certain state health benefit plans, including the state Medicaid program, to reimburse telehealth services at the same rate as in-person services unless the organization providing the services does not provide the same service on an in-person basis in New Jersey or the services are provided through real-time, two-way audio without a video component (with the exception of behavioral health services).
New Ohio Law Puts Statutory Framework in Place for Telehealth
Ohio Governor DeWine signed into law House Bill 122 (“HB 122”), also known as the Telemedicine Expansion Act, which will be effective on March 23, 2022, and will expand the types of health care providers who may provide telehealth visits. It expressly authorizes initial and annual patient visits to be conducted via telehealth (synchronous or asynchronous) as long as the standard of care is met, although licensing boards and administrative agencies may require an initial in person visit prior to prescribing schedule II controlled substances with certain exceptions. Notably, HB 122 specifies that if a patient has consented to receiving telehealth services, the health care professional who provides such services is not liable for damages under a claim that the telehealth services do not meet the standard of care that would apply if services were provided in person. The new law will also change the reimbursement landscape for telehealth in Ohio, restricting health plans from imposing higher cost sharing for telehealth services than comparable in-person services or excluding coverage for a service solely because it is provided via telehealth and permitting certain health care professionals to provide services via telehealth to Medicaid patients.
Washington Medical Commission Releases New Telemedicine Policy Statement
Effective November 2021, a new Washington Medical Commission policy statement on telemedicine defines “telemedicine” to include “store and forward technologies,” which is defined broadly as the “asynchronous or non-simultaneous transmission of a patient’s medical information from an originating site to the health care provider at a distant site that results in examination, medical diagnosis, or treatment of the patient.” The policy acknowledges that a patient relationship can be established through telemedicine (newly defined to include store-and-forward) if the standard of care does not require an initial in-person encounter. However, it emphasizes that the standard of care requires “direct interaction” with a licensed practitioner and requires a practitioner using telemedicine to interview the patient and perform a physical examination, when medically necessary. The new guidance also provides that Washington-licensed practitioners may use telemedicine to consult with non-Washington-licensed practitioners in other states for peer-to-peer consultations so long as the Washington-licensed practitioner remains responsible for diagnosing and treating the patient.
California Enacts Protection of Patient Choice in Telehealth Provider Act
In October 2021, California enacted the Protection of Patient Choice in Telehealth Provider Act, which continues legislative efforts in California to ensure that telemedicine services are delivered as part of an integrated, comprehensive patient care program. Among other things, the Act requires health plans to ensure that third party corporate telehealth providers obtain patient informed consent for telehealth services and that the plan maintains oversight to ensure that such consents are obtained. Further, the Act requires that third party corporate telehealth providers share medical records with primary care providers absent a patient objection. In late January 2022, the California Department of Managed Health Care provided guidance to plans regarding implementation of the Act’s provisions, emphasizing that plans must submit a filing to demonstrate compliance with the Act by March 21, 2022.
California Enacts the Genetic Information Privacy Act
On October 6, 2021, California’s Genetic Information Privacy Act (“GIPA”) was signed into law; it took effect on January 1, 2022. GIPA applies to “direct-to-consumer genetic testing companies” that collect genetic data from California consumers and creates obligations for notice, consent, data security, and individual consumer rights. It requires genetic testing companies to provide consumers with information (and notice) about genetic data use, maintenance, disclosure, transfer, security, retention, and deletion practices. GIPA also mandates express consumer consent for the collection, use, and disclosure of genetic data and requires that consumer consent revocation be honored within 30 days of request. Violations of the law are enforced by the state Attorney General, with civil penalties ranging from $1,000 to $10,000 per violation.
Florida’s Protecting DNA Privacy Act Goes into Effect
On October 1, 2021, Florida’s Protecting DNA Privacy Act (the “Act”) went into effect. The Act restricts certain willful collection, retention, analysis, and disclosure of DNA samples or DNA analysis results of Florida residents without their express consent. Specifically, the Act requires a person from whom DNA is extracted to give their “express consent” for a specified use of their genetic information and states that a person’s extracted genetic information is the “exclusive property” of that person to control. There are exceptions to the Act, including (i) criminal investigation or prosecution; (ii) medical diagnosis or treatment where express consent for clinical laboratory analysis was obtained, or analysis performed by a clinical laboratory certified by CMS; or (iii) preparing research subject to federal law (e.g., HIPAA). Florida is one of several states that have recently passed genetic privacy laws, including California, Utah, and Arizona.
In the past months, EU institutions have adopted several legislative acts with the purpose of implementing specific rules set forth by Regulation (EU) 2017/745 (the “Medical Devices Regulation”, or “MDR”) and Regulation (EU) No 536/2014 (the “Clinical Trials Regulation”, or “CTR”), as well as establishing common rules for Health Technology Assessments (“HTA”) of medicinal products and medical devices to be carried out by competent national authorities of the EU Member States.
Regulation of the European Parliament and of the Council on HTA Adopted
Building on the European Pharmaceutical Strategy and the European Health Union, the European Parliament and the Council adopted Regulation (EU) 2021/2282 on HTA, which entered into force on January 12, 2022 (“Regulation”). The Regulation, however, will be applicable beginning on January 12, 2025. The goal of the Regulation is to establish a legislative framework and procedures for the cooperation of Member States on HTA, which is defined as a “multidisciplinary process that summarizes information about the medical, patient and social aspects and the economic and ethical issues related to the use of a health technology in a systematic, transparent, unbiased and robust manner.” Information, data, analyses, and other evidence required for the joint clinical assessment of health technologies will have to be submitted only once by the health technology developer for the entire Union. The Regulation therefore sets common rules and methodologies for the clinical assessments conducted by Member States.
European Commission Adopts Implementing Regulation on Rules and Procedures for the Cooperation of the Member States in Safety Assessment of Clinical Trials
On January 7, 2022, the European Commission adopted Implementing Regulation (EU) 2022/20 laying down rules for the application of the Clinical Trials Regulation (“CTR”) with regard to the rules and procedures for the cooperation of the Member States in safety assessments of clinical trials (“Regulation”). The Regulation applies from January 31, 2022, the same date on which the CTR itself becomes applicable. The Regulation implements Article 44(2) of the CTR and lays down rules for the cooperation between Member States in the assessment of information and reports submitted by sponsors pursuant to Articles 42 and 43 of the CTR, which require sponsors, respectively, to report suspected unexpected serious adverse reactions to the European Medicines Agency (“EMA”) and to submit to EMA annual reports on the safety of each investigational medicinal product used in clinical trials. The Regulation is intended to distribute the tasks related to the safety assessment of clinical trials between at least two of the Member States concerned. Therefore, active substances used in investigational medicinal products in clinical trials authorised in only one Member State fall outside its scope.
European Commission Implementing Regulation on Electronic Instructions for Use of Medical Devices Entered into Force
On January 4, 2022, Commission Implementing Regulation (EU) 2021/2226 laying down rules for the application of the Medical Device Regulation (“MDR”) with regard to electronic instructions for use of medical devices entered into force (“Implementing Regulation”). The Implementing Regulation sets out the conditions for instructions for use in electronic form, i.e., “instructions for use displayed in electronic form by the device, contained in portable electronic storage media supplied by the manufacturer together with the device, or made available through a software or a website” (“eIFU”). According to the Implementing Regulation, manufacturers may use eIFU for the following devices, when intended for exclusive use by professional users and the use by other persons is not reasonably foreseeable: (i) implantable and active implantable medical devices and their accessories; (ii) fixed installed medical devices and their accessories; (iii) any other medical devices and their accessories “fitted with a built-in system visually displaying the instructions for use.”
A specific risk assessment must be undertaken by manufacturers who intend to use eIFU. Such risk assessment must, inter alia, demonstrate that the use of eIFU “maintains or improves the level of safety obtained by providing the instructions for use in paper form.” Moreover, manufacturers must have a system in place to provide, within specific timeframes, the instructions for use in paper form at no additional cost for the user. These features will be subject to the assessment of Notified Bodies, unless the MDR does not require the concerned devices to undergo Notified Body review.
European Commission Implementing Regulation on the European Database on Medical Devices (“Eudamed”) Entered into Force
On December 19, 2021, Commission Implementing Regulation (EU) 2021/2078 laying down rules for the application of the MDR as regards Eudamed entered into force (“Eudamed Regulation”). It sets out the detailed arrangements necessary for setting up and maintaining the database envisaged by the MDR for the purposes of enhancing overall transparency on medical devices, avoiding multiple reporting requirements, enhancing coordination between Member States and streamlining and facilitating the flow of information among all the entities involved in the medical devices framework, from sponsors of clinical investigations and manufacturers of medical devices to Notified Bodies, national competent authorities and the European Commission.
Eudamed will be composed of two parts. The first part will be made accessible to certain authorized users via a restricted website, while other simplified information will be made publicly accessible to non-identified users. The Eudamed Regulation specifies the rules, inter alia, on access to and registration in Eudamed, technical and administrative support, data privacy, testing and training for the use of the database, as well as IT security measures against fraudulent activities.
European Medicines Regulatory Network Adopts Data Standardisation Strategy
On December 16, 2021, the European Medicines Regulatory Network (“EMRN”)—including all national agencies of the European Economic Area (“EEA”) Member States competent on medicinal products—adopted the Data Standardization Strategy (“Strategy”). The Strategy seeks to harmonize the data submission formats for the different sets of documentation that pharmaceutical companies provide for the purposes of regulatory filings. In order to achieve this goal, the Strategy lays down a series of recommendations, divided into four macro-areas as follows:
- “Medicinal Product,” which includes datasets on substance and product information, manufacturing and quality. The target is to develop a standardized template for all inspection data, including Good Manufacturing Practices (“GMP”) inspections, so that identifying previous inspections and reviewing existing reports is less time consuming. Furthermore, to assess product quality, the Strategy recommends developing an international standard on manufacturing quality raw data;
- “Healthcare and Study Data,” including data on interventional and observational clinical trials and mobile health devices. The EMRN recommends further supporting the current work of the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use (“ICH”) on the development of a standard for interventional study protocol structure, as well as adopting a common data model to enable the use of real world data and metadata obtained from healthcare records and disease registries in a harmonized manner, in order to facilitate access to and reuse of such data across countries;
- “Safety and Risk Management,” which includes Individual Case Safety Reports (“ICSR”), Product Safety Update Reports (“PSUR”), environmental risk assessments and Risk Management Plans (“RMP”), and seeks to develop an electronic PSUR with structured information that follows the ICH E2C (R2) periodic benefit-risk evaluation report guidelines, with a view to facilitating the tracking and linking of product and health information across different data sets;
- “Submissions,” which provides for recommendations on dossier management and structured application forms.
However, the Strategy does not include a roadmap for its implementation and any prioritization requires further assessment on expected costs and benefits.
EU Commission publishes new study monitoring data flows in Europe
On February 3, 2022, the EU Commission published a press release regarding a new study on the monitoring of data flows in Europe (“Study”). The Study provides insight into the volumes and types of cloud data inflows and outflows across the 27 EU Member States, as well as Iceland, Norway, Switzerland, and the United Kingdom, through the use of a data flow visualization tool developed by the EU Commission (“European Data Flow Visualization Tool”). The European Data Flow Visualization Tool allows the EU Commission to (i) map and estimate the volume of the main data flows in the area of cloud computing in the aforementioned countries; (ii) forecast data outflows up to 2030; and (iii) analyze the volume of data flows per sector, company size, and cloud service type. According to the Study, the largest data flows in 2020 originated from the health sector, with Germany registering the largest volume of data inflow. Companies may use the Study as a reference point to “support decision making towards future trade agreements, industrial decisions and cloud investments.”
EFPIA Confirms General Data Protection Regulation (“GDPR”) Code of Conduct on Clinical Trials and Pharmacovigilance
On January 13, 2022, the European Federation of Pharmaceutical Industries and Associations (“EFPIA”) announced that its GDPR Code of Conduct on Clinical Trials and Pharmacovigilance (“Code”) is now in the final phase of review by the European data protection authorities. Following the review, the Code will be submitted to the European Data Protection Board for approval. The Code aims to enable the health sector to align on key data protection positions, thereby providing more consistency, clarity and certainty for clinical research. In addition, the Code should clarify the linkages between the GDPR and other key sectoral legislation such as the Clinical Trials Regulation. Further, the Code will respond to the ambition of the European Commission to improve data governance in Europe by means of creating a European Health Data Space.
International Coalition of Medicines Regulatory Authorities (“ICMRA”) Reflection Paper on remote approaches to Good Clinical Practice (“GCP”) and Good Manufacturing Practice (“GMP”) regulatory oversight during the COVID-19 pandemic
On November 26, 2021, the ICMRA published a reflection paper on the “regulatory experience of remote approaches to GCP and GMP regulatory oversight during the COVID-19 Pandemic” (“Reflection Paper”). As a result of the work carried out by a specific working group set up by ICMRA, chaired by the UK Medicines and Healthcare Products Regulatory Agency (“MHRA”) and including representatives from the US FDA, the Reflection Paper provides transparency to stakeholders on the approaches followed by the competent authorities during the pandemic. The combined experience provides valuable insight into how regulators have managed regulatory oversight, inspections and assessments to support the businesses of the interested stakeholders. In particular, the Reflection Paper serves as a summary of the collective approach to the different types of initiatives undertaken by regulators across the globe, including, inter alia, inspections carried out remotely or via a hybrid approach (i.e., partially remote and partially in person at the site), and the potential flaws identified, from both GCP and GMP perspectives. It also provides an overview of the experiences with the different types of digital tools, such as visual technology.
ENISA Publishes Report on the CSIRT Capabilities in the Health Care Sector
On November 11, 2021, the European Union Agency for Cybersecurity (“ENISA”) published a report on the capabilities of Computer Security Incident Response Teams (“CSIRTs”) in the health care sector. The report provides insights into current incident response trends within the health care sector and recommendations on the development of incident response capabilities and incident response procedures, such as facilitating the creation of health-sectoral CSIRTs.
Belgium: Belgian DPA Publishes Guidance on the Processing of Biometric Data
On December 1, 2021, the Belgian Data Protection Authority (“DPA”) published guidance concerning the processing of biometric data (“Guidance”), as defined by the GDPR. The Guidance sets out the legal framework for the processing of biometric data, with a focus on consent requirements, the different phases of biometric processing (i.e., the enrollment and comparison phases) and the conditions and requirements related to the storage of biometric data. The Guidance also elaborates on the processing of biometric data in the context of personal authentication via smartphones and other electronic devices, where facial recognition software and fingerprint sensors are increasingly used as an alternative to the traditional personal identification number. Moreover, the Guidance reaffirms that the healthcare provider remains responsible for the processing taking place via its own device or services.
France: French Government Announces New Digital Health Doctrine
On February 2, 2022, the French Government made public its new Digital Health Doctrine. The purpose of this document is to describe the framework in which digital health data exchange and sharing services should develop, both in terms of target (within three years) and in terms of trajectory. It is intended for providers of digital services, whether decision-makers, project managers or users of digital services. It includes in particular a list of priorities set out by the French Government for digital health in 2022.
France: French Data Protection Authority (“DPA”) Issues Guidelines on Data Retention Intended for Scientific Research
On January 31, 2022, the French DPA issued guidelines on personal data retention periods in the scientific research field and appropriate security measures to be implemented for retention purposes. The DPA recalled that retention periods for personal data can be determined based on a specific date or the occurrence of a specific and certain event. The DPA also stated that where the anonymization of personal data is not possible, operating entities shall implement appropriate security and confidentiality measures. Any retention thereafter shall be considered as a retention for archival purposes.
France: French DPA Organizes Public Consultation on Update of Two Reference Methodologies for Health Research Activities
On January 10, 2022, the French DPA initiated a public consultation on the updated version of the reference methodologies -005 and -006, which are to be extended to the processing of personal data for research, study or evaluation purposes in the health field. The new draft version of the reference methodologies would cover data processing relying on a “task carried out in the public interest” or “legitimate interest,” reduce the maximum historical depth from 9 to 5 years, introduce the obligation of obtaining a favorable opinion from the French ethics and scientific committee for research, studies and evaluations in the health field (“CESREES”), and reinforce the transparency of the data processing. The public consultation ended on February 18, 2022.
France: French Online Health Space “Mon Espace de Santé” Starts Operating
On January 1, 2022, the French online health space “Mon Espace de Santé” (i.e., “My health space”) started operating in France. “Mon Espace de Santé” is an online public service that enables the storage and sharing of health data, thereby aiming to provide better care to individuals and to enhance data security.
France: French DPA Publishes Reference Guidelines for the Implementation of Health Data Warehouses
On November 17, 2021, the French DPA published reference guidelines for health data warehouses. These reference guidelines provide that entities contemplating the implementation of health data warehouses need not request prior authorization from the DPA if they meet the criteria set forth by the reference guidelines. Moreover, these reference guidelines only apply to health data warehouses relying on the “task carried out in the public interest or in the exercise of official authority vested in the controller” (art. 6 (1) e) of the GDPR).
France: French DPA Publishes Q&As on Collection of Personal Data at the Workplace, the Health Pass, and mandatory vaccination
On September 29, 2021, the French DPA published a set of Q&As on the collection of personal data in the workplace and on the health pass and vaccination obligation in the context of COVID-19. With respect to the former, the French DPA aims to stress the basic principles for the collection of employees’ personal data, such as the obligation to collect only strictly necessary data, the fact that employers cannot force employees to participate in screening campaigns, and the employer’s possibility to require the presentation of a health pass. With respect to the latter, the French DPA clarifies, amongst other things, the type of data visible from the QR code, how the persons in charge of controlling the health pass can be authorized to do so, and what guarantees must be implemented in the extension of the health pass.
Finland: Finnish DPA Fines Psychotherapy Center for Failure to Notify of A Data Breach in Time, and Insufficient Security Measures
On December 7, 2021, the Finnish DPA fined a psychotherapy center €608,000 for GDPR violations. The center had experienced a personal data breach in 2018 and 2019: an external party logged in to the patient record database without authorization. The Finnish DPA’s investigation showed that the center had been aware of the personal data breach since 2019, but only notified the Finnish DPA in September 2020. Furthermore, the center had failed to implement appropriate security measures, thereby exposing the server to cyber-attacks.
Germany: Provisions of the German Patient Data Protection Act concerning Electronic Health Records become applicable
As of January 2022, specific provisions of the German Patient Data Protection Act (“Patientendaten-Schutz-Gesetz (PDSG)”) (i.e., an act, in force since October 2020, aiming to digitalize the German health care system by introducing innovative digital applications and requirements and by protecting patient information stored in electronic format) became applicable. Starting in January 2022, patients have the option to store in their Electronic Health Records (“EHR”) sensitive data that previously had only been documented in hardcopy, such as maternity logs, pediatric health records, and vaccination cards. Further, insured persons may have their data transferred from the EHR when they change health insurance, and may use their smartphone or tablet to individually determine who can access each document stored in the EHR. As of 2023, insured persons will have the option to voluntarily make the data stored in the EHR available for medical research in a pseudonymized and encrypted form.
Norway: Norwegian DPA Issues Fine Against Hospital for Insufficient Security Measures
On October 22, 2021, the Norwegian DPA announced it had fined a Norwegian hospital 750,000 Norwegian kroner (approx. €75,500) for insufficient data security measures. In particular, the hospital had not implemented sufficient access-management controls. As a result, all users who had obtained an authorization within the Central Norway Regional Health Authority could access almost all of the hospital’s folders, including folders that were not relevant to the purposes of their processing.
Spain: Ministry of Health Adopts National Digital Health Strategy
On December 2, 2021, the Ministry of Health adopted the National Digital Health Strategy (“Strategy”). The Strategy establishes the foundations for the digital transformation of the Spanish National Health System (“NHS”). Aiming to guide the digital transformation of the NHS, the Strategy sets out four strategic objectives:
- “A proactive approach to healthcare” that seeks to facilitate access to healthcare to the general public;
- “Better performance of the NHS” intended to improve the infrastructure of NHS digital services and provide healthcare professionals the necessary digital skills;
- “Evidence-based decision-making in the NHS,” aiming to drive health data interoperability and reinforce data analytics. The goal is also to create a Technical Office for Standardization and Quality of Health Data and a National Health Data Space, the latter to be aligned with the European Health Data Space and to consist of a cloud platform for the storage, processing and analysis of health data, serving as a database for different healthcare purposes, including research; and
- “Innovative NHS,” which seeks to adapt the NHS to technological development, providing health services tailored to the patient’s needs and enhancing the patient’s decision-making capacity.
The Strategy will develop from 2021 to 2026 and its implementation will be monitored by the Ministry of Health.
UK: Two Technology Companies Face Action in UK courts on Behalf of 1.6 Million People
On September 30, 2021, a UK law firm announced that it is bringing a representative action on behalf of approximately 1.6 million individuals whose confidential medical records were unlawfully processed by two technology companies. In 2017, the UK DPA ruled that the data sharing agreement entered into between the technology companies and a UK trust violated multiple data protection obligations, since the patients were not informed about how their data would be used. In addition, the UK trust did not implement sufficient security measures to protect the personal data. The main claim in the lawsuit will be based on the companies’ failure to obtain the patients’ consent to process the medical records.
Recent and Upcoming Speaking Engagements
- Undine von Diemar, The GDPR 3 Years On: A Look at the Lessons from Implementation and the Next Steps for Compliance and Enforcement, Jones Day Course at Peking University, October 2021
- Jimmy Kitchen & Amy Pandit, Cybersecurity Developments, Trends, and Related Implications for Public Companies, Jones Day’s 2021 Speaker Series, November 3, 2021
- Jennifer Everett & David Kopans, CLE Academy: 2021 Year-End Data Privacy Law Update, November 8, 2021
- Jonn R. Beeson & D. Michael Murray, Mergers & Acquisitions: Considerations for Structuring and Implementing Earnouts in Life Sciences Transactions, Jones Day’s Cross-Practice Issues in Life Sciences M&A Webinar Series, November 17, 2021
- Women in Speaker Series: Artificial Intelligence in the Biopharma Lifecycle: U.S. and EU IP Considerations, Jones Day Webinar, December 13, 2021
- Maureen Bennett & Cristiana Spontoni, Doing a Global Deal: The Regulatory Dimension, Jones Day’s Cross-Practice Issues in Life Sciences M&A Webinar Series, December 1, 2021
- Joseph Goldman, Lori Hellkamp & Edward T. Kennedy, Pharma Tax Considerations in Strategic M&A, Joint Ventures, Co-Development, and Royalty Sales, Jones Day’s Cross-Practice Issues in Life Sciences M&A Webinar Series, December 8, 2021
- Jennifer Everett, Jörg Hladjk, Mauricio Paez, & David Kopans, Cybersecurity and Privacy Risks in Life Sciences Transactions, Jones Day’s Cross-Practice Issues in Life Sciences M&A Webinar Series, December 15, 2021
- A. Patricia Campbell, Ph.D., Carl A. Kukkonen III, & Ka-on Li, Artificial Intelligence IP Considerations in Drug Discovery and Development, Jones Day’s Cross-Practice Issues in Life Sciences M&A Webinar Series, January 19, 2022
- Jeff Kapp, National HIPAA Summit 31 – Telehealth Cybersecurity Considerations: What Telehealth Cybersecurity Risks are Lingering? Pulling Back the Pandemic Rug, Virtual Program, March 1-4, 2022
- David Kopans, ACI – 13th Annual Advanced Forum on Managed Care Disputes and Litigation: Legal Landmines for MCOs in the Digital Landscape and How to Avoid Them, Chicago, IL, March 30, 2022
- Cristiana Spontoni, 31st Annual EU Pharmaceutical Law Forum – New Developments for Digital Clinical Data and Legal Implications, Brussels, Belgium, May 17-19, 2022