Virtual and Digital Health Digest
Welcome to the latest installment of Arnold & Porter’s Virtual and Digital Health Digest. This digest covers key virtual and digital health regulatory and public policy developments during May 2023 from the United States, United Kingdom, and European Union.
In this issue, you will find the following:
U.S. News
- FDA Regulatory Updates
- Health Care Fraud and Abuse Updates
- Provider Reimbursement Updates
- Privacy Updates
- Corporate Transaction Updates
- Policy Updates
EU and UK News
U.S. News
FDA Regulatory Updates
FDA Issues Warning Letter to Sponsor of Wearable ECG Monitoring Devices. A recent Warning Letter issued to iRhythm Technologies Inc. (iRhythm) underscores the importance of compliant change control and promotional review processes for sponsors making modifications to FDA-cleared or -approved digital health technologies. On May 25, 2023, FDA issued a Warning Letter to iRhythm alleging, among other violations, that iRhythm is marketing its Zio AT System outside the scope of its 510(k) clearance, thereby rendering it an unapproved device. The device at issue has a 510(k) clearance to continuously record and report patient symptomatic and asymptomatic cardiac events and ECG information. Notably, the 510(k) specifies that the device is not intended for use on critical care patients. Despite this limitation, FDA asserts that claims in marketing materials, the website, and other documentation imply the Zio AT System is intended for high-risk patients and offers near real-time monitoring. FDA states that describing a new patient population could significantly affect the safety and effectiveness of the device and thus likely requires a new 510(k) when analyzed under the relevant FDA guidance.
FDA also asserts that various technology changes, including hardware changes, firmware changes, and algorithm changes that iRhythm made to the device require a new 510(k). Further, the Warning Letter also includes misbranding violations relating to failure to disclose an important performance limitation to health care providers, as well as various quality system and MDR reporting observations. Issuance of the Warning Letter followed an earlier facility inspection and issuance of a Form 483 of Inspectional Observations, with FDA finding various aspects of iRhythm’s Form 483 response to be inadequate.
FDA Petitioned To Take Action Against Opioid Prescribing Decision Support Software. In keeping with the enforcement theme, also notable is a recent Citizen Petition submitted by the Center for U.S. Policy (CUSP) requesting that FDA deem Bamboo Health’s NarxCare software a misbranded device and take appropriate enforcement action. NarxCare is a clinical decision support (CDS) tool marketed to help clinicians evaluate controlled substance data from state prescription drug monitoring program databases and other sources to make prescribing decisions. CUSP’s petition raises concern about aspects of the NarxCare software that CUSP views as exceeding the scope of the 21st Century Cures Act exemption for non-device CDS software functions, including generation of predictive risk scores based on complex algorithm factoring (risk of addiction or overdose). FDA has yet to respond to the petition.
FDA Requests Public Comment on Patient Access to At-Home Use Medical Technologies. FDA has established a docket for public comment on increasing patient access to at-home use medical technologies, including digital health technologies. Select digital health-focused topics for comment include questions about how FDA can support the development of digital health technologies for home use, ways digital health technologies can foster the remote conduct of clinical trials, design attributes to better facilitate use of digital health technologies by diverse patient populations outside of a clinical setting, and methods and strategies for evidence generation and data analysis to facilitate the regulatory review of home use medical technologies. Comments are due by August 30, 2023.
FDA Commissioner Comments on Importance of Regulation of Large Language Models. On May 8, 2023, FDA Commissioner Robert Califf spoke at the National Health Council’s (NHC) 2023 Science for Patient Engagement Symposium. Califf’s remarks covered a number of digital health topics, including large language models. Notably, Califf cautioned that “if we’re not nimble in the use and regulation of large language models, we’ll be swept up quickly by something that we hardly understand.” He also cautioned that “technologies like large language models give almost everyone the potential to produce false narratives or even so-called deep fakes” and stated that he views “the regulation of large language models as critical to our future.” Califf’s remarks on the potential risks of language learning models getting ahead of FDA regulation echo those he has made at other recent conferences.
Health Care Fraud and Abuse Updates
Deputy Assistant Attorney General Lisa H. Miller Delivers Remarks at the American Bar Association’s 33rd Annual National Institute on Health Care Fraud. On May 4, 2023, Deputy Assistant Attorney General Lisa H. Miller delivered remarks at the American Bar Association’s 33rd Annual National Institute on Health Care Fraud in Chicago, Illinois. Miller’s remarks emphasized the DOJ’s crackdown on telehealth fraud and their continued focus in this area. Since 2018, the Health Care Fraud Unit has charged 163 defendants in connection with telemedicine schemes, including 40 medical professionals, involving more than US$4.75 billion billed and US$1.65 billion paid.
Deputy Assistant Attorney General Miller’s remarks spotlight DOJ’s continued focus on telehealth fraud. Recently, two Utah business owners were accused of defrauding insurance companies out of US$250 million in a fraudulent prescription claims scheme. David Gary Bishoff and Brycen Kay Millet reportedly ran call centers located in Utah that fraudulently billed private insurers for telemedicine prescriptions. These call centers contacted individuals to enroll them into private insurance programs, offering no-cost medication without medical exams. Bishoff and Millett recruited licensed physicians who reviewed false prescriptions presented by health care practitioners after a telemedicine appointment with patients. The physicians would then write prescriptions as requested by the practitioners and the prescriptions were sent to different pharmacies owned by the defendants. Insurance companies were billed for the allegedly fraudulent, medically unnecessary medication.
In total, Bishoff and Millett received over US$12 million in reimbursement revenue over a four-year period. Bishoff pleaded guilty to one federal felony charge of conspiracy to commit health care fraud at the end of March, while Millett currently awaits trial.
Provider Reimbursement Updates
CMS Clarifies That Distant Site Practitioners Can Continue to Bill for Medicare Telehealth Until the Agency Releases Additional Guidance. On May 19, 2023, CMS released a FAQ stating that eligible hospital-employed outpatient therapists can continue to bill Medicare Part B for telehealth through the end of Calendar Year 2023. The new guidance specifically applies to hospital-employed outpatient physical therapists, occupational therapists, speech language pathologists, diabetes self-management training (DSMT) programs, and medical nutrition therapy providers. This FAQ was a departure from CMS’ initial FAQ guidance specifying that these hospital-employed therapists could not bill for telehealth after the expiration of the public health emergency (PHE) on May 11, 2023.
In its updated FAQ, CMS specifies that “for DMST services, we understand that some other types of hospital clinical staff, beyond those identified as eligible distant site practitioners for Medicare telehealth, can provide these services in some cases.” For these situations, CMS notes that it will be “exercising enforcement discretion in reviewing the telehealth practitioner status of the clinical staff personnel providing any part of a remotely furnished DSMT service.”
The updated CMS guidance extends these flexibilities beyond the hospital setting to rehabilitation agencies, comprehensive outpatient facilities, and, in some cases, to home health agencies and skilled nursing facilities. This extension was seen as a “major advocacy win” for organizations such as the American Physical Therapy Association (APTA), the American Speech-Language Hearing Association, and the American Occupational Therapy Association which had jointly pushed CMS to extend PHE telehealth expansions beyond the inpatient setting. CMS has yet to release an expected termination date at this juncture.
This month, federal lawmakers introduced legislation (H.R. 3878), that would permanently allow these various types of therapists to be reimbursed for telehealth services by Medicare. The Expanded Telehealth Access Act, which has House bipartisan support, would codify the PHE-related flexibilities related to such practitioners under Medicare telehealth law. Congress would need to take action, however, before the remaining post-PHE allowances expire.
Privacy Updates
FTC Proposes To Amend Health Breach Notification Rule To Address Digital Health Technologies. On June 9, 2023, the Federal Trade Commission (FTC) published a notice of proposed rulemaking (NPRM) to amend its Health Breach Notification Rule (HBNR) adopted in 2009. Until this year, the agency had not once taken an enforcement action under the HBNR; now, as evidenced by its recent enforcement actions against GoodRx and Easy Healthcare Corporation and the new NPRM, it is clear the FTC intends to use the rule aggressively. The amendments proposed in the NPRM, according to the agency, will allow the FTC “to keep up with marketplace trends, and respond to developments and changes in technology.”1
The FTC is inviting comments on the proposed modifications until August 8, 2023.
Background
The HBNR requires notification to individuals, the FTC, and in some cases the media, of breaches of the security of “personal health records” (PHRs) experienced by PHR “vendors,” “PHR related entities,” and “third party service providers” (excluding entities regulated under HIPAA). A “PHR” under the HBNR is an electronic record of “PHR-identifiable health information” that can be drawn from multiple sources and that is managed, shared, and controlled by or for the individual to whom the information pertains. “PHR identifiable health information” is individually identifiable information provided by or on behalf of an individual, and a PHR “vendor” is any non-HIPAA-regulated entity that offers or maintains a PHR.
Proposed Changes
The proposed HBNR amendments would create a new definition of “health care services or supplies” and provide that mobile apps and other technologies providing such services or supplies are “health care providers” for HBNR purposes. “Health care services or supplies” would include “any online service, such as a website, mobile application, or Internet-connected device that provides mechanisms to track diseases, health conditions, diagnoses or diagnostic testing, treatment, medications, vital signs, symptoms, bodily functions, fitness, fertility, sexual health, sleep, mental health, genetic information, diet, or that provides other health-related services or tools.” Individually identifiable health information collected through mobile apps and other technologies providing such services or supplies would constitute “PHR identifiable information” and the technologies would therefore be PHR vendors.
The proposed amendments also would expand the definition of a “breach of security” under the HBNR to clarify that “a breach is not limited to cybersecurity intrusions or nefarious behavior” of an external actor. Under the FTC’s proposal, the definition would include an “unauthorized disclosure,” such as a voluntary disclosure made by a PHR vendor without obtaining the consumer’s consent, irrespective of a third party’s intrusion.
Regarding breach notifications, the FTC is proposing to require that they include a “description of the potential harm that may result from the breach (e.g., medical or other identity theft),” and is seeking comments about whether notifying entities can assess the potential harms to individuals following a breach, and if not, whether it would be helpful for them to inform individuals that they are unaware of any harms that may result from the breach.
The FTC also is seeking comment on potential regulatory changes that it did not actually propose. For example, the FTC considered clarifying what would constitute an individual’s “authorization” (relevant to whether a disclosure was “unauthorized”) and wants to know what interested parties think about:
- What constitutes acceptable methods of authorization?
- Is it acceptable to obtain an individual’s authorization to share PHR information through an individual’s click in connection with a pre-checked box?
- Is it sufficient if an individual agrees to terms and conditions disclosing such sharing but that individual is not required to review the terms and conditions?
- Or is it sufficient if an individual uses a health app that discloses in its privacy policy that such sharing occurs, but the app knows via technical means that the individual never interacts with the privacy policy?
- Are there certain types of sharing for which authorization by consumers is implied, because such sharing is expected and/or necessary to provide a service to consumers?
Significance
The NPRM underscores the FTC’s intent to apply the HBNR broadly to digital health companies as a tool to protect consumer privacy with respect to any personal health information provided to a third party offering some form of electronic record. Companies that could be deemed to be PHR vendors, “PHR related entities,” or “third party service providers” under the proposed amendments may wish to use the opportunity to submit comments as a means to obtain clarity regarding their potential risks under the HBNR.
Corporate Transaction Updates
ChatGPT Is Entering Hospitals: Health Care Systems Race To Create Strategic Partnerships With Artificial Intelligence Companies. Over the past few months, health care systems and vendors have increasingly sought strategic partnerships with AI companies to increase efficiency of health care services, reduce the burden on providers, and improve patients’ experiences.
In April, Microsoft and electronic health vendor Epic announced an expanded partnership to combine the Microsoft Azure OpenAI Service, which includes generative large language model ChatGPT and GPT-4, with Epic’s electronic health record (EHR) software. Microsoft’s Azure OpenAI Service uses AI algorithms to automatically fill in missing information in EHR software, allowing EHRs to become more complete and accurate and enabling clinicians to focus on patient care. The integration’s tools are currently being implemented by early adopters at UC San Diego Health, UW Health, Stanford Health Care, and UNC Health.
On May 18, 2023, Navina, an AI-powered platform that converts large amounts of patient data into actionable treatment plans, and Tampa General Hospital (TGH), one of the largest hospitals in the United States, announced that they will partner to integrate Navina's AI technology into TGH’s primary care offerings. Specifically, TGH will now have access to Navina’s AI technology that takes information from labs, consult notes, imaging, and other sources to create a picture of a patient's health status that clinicians can use to quickly assess patients and develop treatment plans.
Also on May 18, Detroit-based Henry Ford Health announced that they have partnered with CodaMetrix, an artificial intelligence spinoff from Massachusetts, to automate bedside medical coding. Henry Ford Health will use the CodaMetrix platform to automate its more than 700,000 annual bedside services. Inpatient bedside coding currently makes up 20% of Henry Ford Health system’s coding costs, and autonomous AI for medical coding should result in lower costs and an improved patient experience.
Pharma Giants Move Into Digital Health. On May 31, 2023, pharmaceutical and biotech giant Bayer announced it is launching a new precision medicine unit that will focus on the creation of digital health tools. Bayer stated the new unit will focus on developing digital health tools that will allow patients to make better informed choices.
Bayer’s announcement is just one example of numerous large pharmaceutical companies expanding further into digital health in recent years. With hospitals and health systems facing tight margins, pharmaceutical companies have sought to cut costs and increase efficiency by leveraging digital health tools.
Policy Updates
Congressional Leaders Closely Coordinating on Next Steps To Regulate Artificial Intelligence (AI). Senate Majority Leader Chuck Schumer (D-NY) and Sens. Martin Heinrich (D-NM), Todd Young (R-IN), and Mike Rounds (R-SD) held over 100 staff-level meetings with academic, association, and industry groups on AI-related issues this year in an effort to develop a federal AI framework for future federal response. By the end of 2023, the Senate plans to host at least three member-level briefings on AI, and the Senate Judiciary Committee alone is expected to host at least three additional AI hearings in the coming months. On June 13, 2023, the Senate hosted its first member-level AI briefing, and the Senate Judiciary Subcommittee on Human Rights and the Law held a hearing examining “AI and human rights.” In the House, the Energy and Commerce Committee is also expected to host a three-part hearing series examining AI and related legislative solutions. Lawmakers are expected to continue developing comprehensive legislation to address AI, but the specific timeline for introduction is unknown. See also, the recently published Congressional Research Service (CRS) report titled “Generative Artificial Intelligence and Copyright Law” which explores some of the legal issues related to whether the outputs of generative AI programs are entitled to copyright protection.
Recent Efforts To Regulate AI
- Congress Begins Holding Health-Related Hearings on AI. On June 7, 2023, the Senate Judiciary Subcommittee on Intellectual Property (IP) held a hearing titled “Artificial Intelligence and Intellectual Property — Part I: Patents, Innovation, and Competition.” The hearing included witnesses from a range of backgrounds, including two academic professors and executives representing Google and Novartis. This hearing kicked off the Senate Judiciary Committee’s multi-part series to examine the current state of AI in the U.S. and ways in which Congress can regulate AI innovation in the future. For example, Sen. Richard Blumenthal (D-CT) discussed his interest in developing a framework for a new federal agency to oversee the regulation of AI. Several Republicans, including Ranking Member Thom Tillis (R-NC), discussed the need for additional domestic advancements in AI so the U.S. can remain competitive with China.
- Senate Finance Chairman Discusses Use of AI in Medicare Advantage. On June 8, 2023, the Senate Finance Committee held a hearing titled “Consolidation and Corporate Ownership in Health Care: Trends and Impacts on Access, Quality, and Costs.” The committee discussed a range of issues related to vertical and horizontal consolidation, pharmacy benefit managers (PBMs), site-neutral billing, price transparency, Medicare Advantage (MA), and automated AI algorithms. Chairman Ron Wyden (D-OR) expressed concern about the high level of claims denials reported by MA plans, many of which are utilizing AI-based algorithms in their cost containment processes such as prior authorization. Chairman Wyden discussed the Algorithm Accountability Act (S. 3572), which would require companies to conduct impact assessments for bias, effectiveness, and other factors when using automated systems within their operational functions.
- Bipartisan Senators Introduce Legislation Related To AI Disclosure. On June 8, 2023, Senate Homeland Security and Governmental Affairs (HSGAC) Chairman Gary Peters (D-MI) introduced legislation with Sens. Mike Braun (R-IN) and James Lankford (R-OK) to require federal agencies to disclose any use of AI systems to make “critical decisions” and inform the public of such use. The Transparent Automated Governance (TAG) Act (S. 1865) would also direct federal agencies to create a human-reviewed appeals process of the AI systems determined to have harmed individuals. Sen. Peters’ staffers recently told reporters that HSGAC is planning to mark up the legislation in the near future.
Digital Therapeutics Industry Urges Medicare To Cover Software-Based Treatments. During the week of June 5, 2023, House Energy and Commerce Health Subcommittee Chairman Brett Guthrie (R-KY) and Rep. Buddy Carter (R-GA) mentioned in their weekly constituent newsletters that they met with representatives from the Digital Therapeutics Alliance (DTA) to discuss support for the Access to Prescription Digital Therapeutics Act (S. 723/H.R. 1458). The DTA garners bipartisan support to require Medicare coverage of prescription digital therapeutics approved by the U.S. Food and Drug Administration (FDA) for the prevention, management, or treatment of a medical condition as authorized by a qualifying physician.
House Ways and Means Holds Markup of Telehealth Legislation; Education and Workforce Follows. On June 7, 2023, the Ways and Means Committee held a markup of nine bills, including consideration of the Telehealth Expansion Act of 2023 (H.R. 1843), which would permanently exempt high deductible health plans (HDHPs) from the requirement of a deductible for telehealth and other remote-care services. The safe harbor for telehealth services from the deductible in HDHPs was established originally under the Coronavirus Aid, Relief, and Economic Security Act (CARES) Act (H.R. 748, 116th Congress) as a response to the COVID-19 pandemic and has been extended to the start of 2025. H.R. 1843 would make this safe harbor permanent. While committee Republicans argued the bill would improve rural access to health care, Ranking Member Richard Neal (D-MA) led most Democrats in expressing opposition to providing further benefits for health savings account (HSA) plans. The bill was favorably reported by the Ways and Means Committee to the full House in a 30-12 vote, but it’s unclear whether this legislation will be considered in the Democratically controlled Senate. On June 13, 2023, the House Education and Workforce Committee held a markup for the Telehealth Benefit Expansion for Workers Act of 2023 (H.R. 824), which would similarly extend flexibilities established during the COVID-19 pandemic to allow for expanded coverage of telehealth services offered under a group health plan or group health insurance coverage. Both pieces of legislation are expected to be considered by the full House as soon as the week of July 19, 2023.
EU and UK News
Regulatory Updates
Extended Transitional Periods Expected for EU CE-Marked Medical Devices in the UK. On April 27, 2023, the UK Medicines and Healthcare products Regulatory Agency (MHRA) updated its guidance on the implementation of the future medical devices regulatory framework in the UK. It states that the government is aiming for core aspects of the future regime to apply from July 1, 2025.
In addition, the current Medical Device Regulations 2002 provide that the CE-marked medical devices (i.e., devices approved in the EU) can only be legally placed on the Great Britain market until June 30, 2023; the UK government is introducing new legislation to extend this deadline to support supply of devices in Great Britain ahead of the new regime. The transitional arrangements will be extended to the following:
- June 30, 2028 for general medical devices compliant with the old EU medical devices directive (EU MDD) or EU active implantable medical devices directive (EU AIMDD) with a valid declaration and CE marking
- June 30, 2030 for in vitro diagnostic medical devices (IVDs) compliant with the old EU in vitro diagnostic medical devices directive (EU IVDD)
- June 30, 2030 for general medical devices compliant with the new EU medical devices regulation (EU MDR) and IVDs compliant with the EU in vitro diagnostic medical devices regulation (EU IVDR)
These dates will align with the transitional periods for UKCA-marked devices under the new UK regime. See our blog post for more information.
Legislative Progress on the EU AI Act. On May 11, 2023 the two European Parliament Committees with joint responsibility for the EU AI Act, adopted a draft negotiating mandate, making several suggested amendments to the AI Act. The AI Act was proposed by the European Commission on April 21, 2021 and sets out a regulatory framework for AI systems. The act is currently going through the ordinary legislative procedure with lawmakers discussing how to regulate AI systems with a general purpose, which AI applications should be prohibited based on unacceptable risks, and refinements on the definition of “high risk.” Members of the European Parliament have amended the list of prohibited AI practices to include bans on intrusive and discriminatory uses of AI systems (e.g., real-time remote biometric identification systems in publicly accessible spaces) and have expanded the scope of high risk areas (which would be subject to stricter risk management, transparency, and data governance requirements) by including harm to health, safety, fundamental rights, or the environment.
As discussed in previous digests, one of the issues with the EU AI Act is that all AI that qualifies as a medical device will be considered high risk, meaning that manufacturers will need to meet both sets of requirements. One of the amendments applies specifically to medical devices with an AI component and acknowledges the need for alignment and to avoid duplication between sectoral legislation and the AI provisions. However, it is still unclear how this will take place in practice and which rules will take precedence.
The mandate now needs to be approved by the whole of Parliament (scheduled for June 12, 2023) before negotiations commence with the European Council.
Reporting of Adverse Incidents From SaMD. On May 15, 2023, the MHRA published guidance to manufacturers on the reporting of adverse incidents involving Software as a Medical Device (SaMD). This is welcome product-specific guidance and acknowledges some of the unique properties of SaMD. All adverse incidents (i.e., where a manufacturer’s device is suspected to be the contributory cause of an incident and the event that occurred led, or might have led, to death or serious deterioration in health) must be reported to the MHRA as individual events, periodic summary reports, or trend reports.
The guidance sets out examples of the different errors in SaMD which could result in indirect harm and lead to reportable adverse events, and clarifies that devices running the software should also be reported if they cause harm (e.g., a smart watch causes a skin burn).
Report on the Pro-Innovation Regulation of Technologies and Proposed Launch for IDAP. On May 26, 2023, the UK government’s Chief Scientific Adviser published the “Pro-innovation Regulation of Technologies Review: Life Sciences,” referred to in our April digest. The report sets out 12 recommendations to create an agile regulatory framework for new technologies and encourage innovation in the UK life sciences industry, including, for example, allowing different organizations involved in the regulatory system to share data and aid decision-making on new technologies (for example, through an integrated cloud-based data platform) and creating an innovative licensing pathway for medical devices (Innovative Devices Access Pathway, IDAP) based on learnings from the equivalent for medicines (ILAP). Another recommendation was to further streamline decision-making on NICE approvals to speed up access.
NICE supported the recommendations, noting how the changes it had already implemented had sped up its appraisals by 25% and how it had already run seven pilots of early value assessments in 2022-2023.
The MHRA announced on May 26, 2023 that IDAP is set to launch later in 2023 and will be run by the MHRA, NICE, and the devolved administrations. The aim is to bring innovative technologies to the NHS faster through the provision of an integrated scientific support service. Innovators are encouraged to register for further information ahead of the launch by emailing IDAPEnquiries@mhra.gov.uk. See our blog for further information.
Privacy and Cybersecurity Updates
Report on Cybersecurity Standards for AI. On April 27, 2023, the European Union Agency for Cybersecurity published a press release on its report entitled “Cybersecurity of AI and Standardisation.” The goal of the report is to “provide an overview of standards (existing, being drafted, under consideration and planned) related to the cybersecurity of artificial intelligence (AI), assess their coverage and identify gaps in standardisation” in preparation for the EU AI Act. While general-purpose standards (such as information security and quality management) could be applied to AI, there is a suggestion that further standards need to be developed, for example in relation to the traceability of data and testing procedures.
Opinion of the European Committee of the Regions on the European Health Data Space. On May 3, 2023, the European Committee of the Regions (CoR) recommended amendments to the proposed EHDS Regulation. The CoR welcomed the EHDS Regulation but had several suggestions designed to add to and refine the provisions. These include:
- Allowing Member States to determine priority categories of electronic health data, explaining that these new categories should be guided by the real needs of Member States
- Permitting health care providers to see restricted health data where it would protect a manifest public interest, giving the example of infection control
- Shortening the time limit for notification requirements relating to serious incidents involving patient records from 15 days to seven days, in order to reduce the risk of these incidents causing serious harm
The CoR wishes to make it mandatory for health care providers to inform patients of the existence of a finding that may impact their health and, in those circumstances, giving that person the opportunity to receive more information about the finding. The CoR recommends that data permits should be issued for up to a maximum of 10 years, instead of five years, acknowledging that many research projects will require data to be retained for more than five years.
MEPs Raise Doubts on Granting Adequacy Decision for EU-U.S. Data Privacy Framework. On May 11, 2023, the European Parliament adopted a resolution raising concerns with a potential adequacy decision by the European Commission on the EU-U.S. Data Privacy Framework (Framework), as currently drafted. The Framework is intended to protect transfers of personal data from EU organizations to U.S.-based entities. It was designed as a replacement for the EU-U.S. Privacy Shield, which was ruled to be invalid by the ECJ in 2020. One of the principal concerns raised by members of European Parliament (MEPs) was that it allows for bulk collection of data, and it does not make bulk collection subject to independent prior authorization. Another concern was that the Data Protection Review Court created under the Framework would be able to make decisions in secret, in violation of EU citizens’ rights to access data and rectify data relating to them. MEPs recognized the need for further negotiations to ensure EU citizens benefit from legal certainty, equivalent rights to redress, and access to information to those of U.S. citizens. We previously discussed the opinion from the European Data Protection Board in the March digest, as well as our Enforcement Edge blog.
MedTech Europe Position Paper on Cybersecurity. On May 23, 2023, MedTech Europe published a position paper setting forth three focal areas to create a cyber-resilient medical technology ecosystem in Europe.
- MedTech Europe’s position is that sectoral regulation (i.e., the EU MDR and EU IVDR) should remain the primary source of cybersecurity regulation of medical devices. These regulations, together with guidance from the Medical Device Coordination Group, set out essential requirements that digital medical technologies (including Medical Device Software (MDSW)) must adhere to throughout the entire lifecycle of a device. These include requirements that manufacturers must (1) carry out assessments of risks associated with negative interactions between a MDSW and the IT operating environment, (2) perform mandatory third-party conformity assessments in order to obtain a CE mark, and (3) operate post-market surveillance systems to monitor possible malfunctioning of a device (which could be caused by cyberattacks). Furthermore, the industry already complies with other EU legislation that plays a role in cybersecurity (e.g., the Cybersecurity Act, GDPR, and the Network and Information Security Directive 1).
- MedTech Europe emphasizes its commitment to prevent cyberattacks, and in particular ransomware attacks. In the statement, they welcome new legislation aimed at reinforcing shared cybersecurity responsibilities (for example, the revised Network and Information Security Directive 2 — discussed in our January digest), but also state that this should be combined with investment in the security of organizations and the training of staff.
- MedTech Europe supports initiatives aimed at improving digital literacy and cybersecurity skills within staff, as well as increasing public awareness of the risks associated with cybersecurity in health care.
Product Liability Updates
Industry’s Request to EU Legislators on the Product Liability Directive. On May 16, 2023, the European Federation of Pharmaceutical Industries and Associations (EFPIA) published a joint statement with various industry representatives (including DigitalEurope and Medtech Europe) regarding their concerns with the proposed Product Liability Directive (PLD) published by the European Commission on September 28, 2022 (See our November digest for more details on the proposals). The industry argues that, although revision of the PLD was well-intended (i.e., to accommodate new technological developments such as AI), it has gone further than necessary and risks bringing uncertainty and upheaval to a previously effective and balanced product liability regime.
This ultimately could result in a heavy burden on national court systems as they try to implement new rules and could undermine Europe’s competitiveness as a place to manufacture products. The statement urges European legislators to take into account six points as they consider the proposed PLD, including undertaking an investigation into the effects of including software in the regime, ensuring disclosure orders will be necessary and proportionate, and limiting the alleviation of the burden of proof on consumers.
* Heba Jalil contributed to this digest. Heba is employed as a Trainee Solicitor in Arnold & Porter’s London office.
© Arnold & Porter Kaye Scholer LLP 2023 All Rights Reserved. This publication is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.-
FTC Proposes Amendments to Strengthen and Modernize the Health Breach Notification Rule, Federal Trade Commission (May 18, 2023), available here.