Virtual and Digital Health Digest

This digest covers key virtual and digital health regulatory and public policy developments during September 2023 from the United States, United Kingdom, and European Union.

In this issue, you will find the following:

U.S. News

• FDA Regulatory Updates
• Health Care Fraud and Abuse Updates
• Provider Reimbursement Updates
• Policy Updates
• Privacy Updates

U.S. Featured Content:

Sponsors of remote monitoring clinical decision support (CDS) and medical device data system (MDDS) tools take note! In the latest in a string of Warning Letters to sponsors of digital health devices, FDA recently issued a Warning Letter disagreeing with a sponsor’s assessment that a remote monitoring tool intended for use with a ventricular heart support hardware device qualified as a non-device under the 21st Century Cures Act (Cures Act) exemptions. In a September 19 Warning Letter, FDA asserts Abiomed Inc.’s (Abiomed’s) Impella Connect System exceeds the scope of a non-device CDS, and therefore is an adulterated, unapproved device. Although the agency agreed that certain of the Impella Connect System’s functions may be non-device MDDS functions, FDA viewed the system’s alarm-related functionalities as being regulated device functions. FDA’s view that software functions intended to support time-critical decisions with alarm or alert functionality are regulated device functions is reflected in previously issued agency guidance on the Cures Act CDS and MDDS exemptions. Read the FDA regulatory updates section below for more information on the Abiomed Warning Letter. 

EU and UK News

• Regulatory Updates
• Privacy Updates
• Competition Updates

EU/UK Featured Content:

The UK Department of Science, Innovation and Technology announced on September 21 that the UK Extension to the EU-U.S. Data Privacy Framework (the Data Bridge) will enter into force on October 12. The Data Bridge will allow certifying entities to easily transfer personal data from the UK to the U.S., which would otherwise be prohibited under the UK General Data Protection Regulation without another transfer mechanism (such as the standard contractual clauses or binding corporate rules). This follows the publication of the EU-U.S. Data Privacy Framework in July. However, the EU-U.S. Data Privacy Framework has been challenged in the European Court and the UK data protection authority has expressed reservations concerning the UK Data Bridge. This is therefore a continuing area of uncertainty for companies. You can read more in our Advisory.

U.S. News

FDA Regulatory Updates

FDA Issues Warning Letter to Sponsor of Remote Monitoring Device. On September 19, FDA issued a Warning Letter to Abiomed disagreeing with the company’s assessment that a remote monitoring tool intended for use with a ventricular heart support hardware device qualified as a non-device CDS under the Cures Act. In the Warning Letter, FDA asserts Abiomed’s Impella Connect System exceeds the scope of a non-device CDS, and therefore is an adulterated, unapproved device. Although the agency agreed that certain of the Impella Connect System’s functions may be non-device MDDS functions, FDA viewed the system’s alarm-related functionalities as being regulated device functions. 

Abiomed is a manufacturer of several class III devices, including the Impella 2.5, Impella CP, Impella CP with SmartAssist, Impella 5.0, Impella LD, Impella 5.5 with Smart Assist, Impella RP, Impella RP Flex, and Impella RP Flex with SmartAssist (collectively, Impella Pumps). Following a March 2023 inspection, FDA issued Abiomed a Form 483 of inspectional observations with concerns related to the regulatory status of the Impella Connect System. The Impella Connect System comprises a web-based user portal (software) and a remote link module (hardware) that are designed to work with the Automated Impella Controller (AIC), which is part of a medical device system that provides temporary ventricular support to help a patient’s heart to pump blood in a critical care setting. As described in the Warning Letter, the Impella Connect System allows users to remotely monitor the performance of an individual AIC pump or multiple pumps and view case information on demand, as well as to filter notifications by alarm status. Per FDA, the Impella Connect System Website Instructions describe email notifications of alarms at initiation of the alarm and an additional notification for alarms that are still occurring after 15 minutes, and displays of case tiles, which include pump metrics and alarm state, which are color coded (red: critical, yellow: serious, green: no alarm). 

In its response to the Form 483, Abiomed took the position that these Impella Connect System features are non-device CDS functions because they support a health care provider “as it provides a concise and user-friendly view of active AIC case status” and “concise notifications.” In issuing the Warning Letter, FDA disagreed with Abiomed’s position. Rather, FDA viewed these features as software device functions requiring premarket authorization because the notifications and view of the active AIC case status provide patient-specific medical information to detect a life-threatening condition and generate time-critical alarms intended to notify a health care provider. FDA further explained that the notifications and view of the active AIC case status provide time-critical alarms with patient-specific medical information intended to trigger potential clinical intervention to assure patient safety, and that by functioning as a secondary alarm system with color-coded tiles and pre-set thresholds to notify users by email of alarms issuing from the AIC, the Impella Connect System fails to meet criterion 3 of Cures Act CDS exemption because it does not support or provide recommendations to a health care professional about prevention, diagnosis, or treatment of a disease or condition.

The Warning Letter also includes several quality system and complaint handling violations. 

FDA Establishes Digital Health Advisory Committee. On October 11, FDA announced that it is establishing a Digital Health Advisory Committee (DHAC) to provide advice on complex scientific and technical issues relating to digital health technologies (DHTs), including artificial intelligence/machine learning, augmented reality/virtual reality, digital therapeutics, wearables, remote patient monitoring, and cybersecurity. The DHAC’s role will be to provide advice and recommendations on new approaches to develop and evaluate DHTs, as well as identifying risks, barriers, or unintended consequences that could result from proposed or established FDA policy or regulation. 

There will be nine voting members on the DHAC, including a committee chair, as well as non-voting members. FDA is requesting nominations for voting members, a voting consumer representative, and temporary non-voting industry representatives. FDA is seeking nominations for committee members who have technical and scientific expertise from diverse disciplines and backgrounds. Nominations can be submitted through the FDA Advisory Committee Membership Nomination Portal; nominations may also be sent by mail. 

FDA anticipates that the DHAC will be fully operational in 2024. 

FDA Issues Draft Guidance on Prescription Drug Use-Related Software. On September 19, FDA published draft guidance titled “Regulatory Considerations for Prescription Drug Use-Related Software” (PDURS Draft Guidance) describing the application of FDA’s drug labeling authorities to certain software outputs that are disseminated by or on behalf of a drug sponsor for use with a prescription drug or a prescription drug-led combination product. The draft guidance expands on, and was developed in response to, comments FDA received on a 2018 request for comments on prescription drug-use-related software.

The PDURS Draft Guidance, when finalized, is intended to clarify: (1) what factors FDA considers when determining whether an end-user output should be subject to prescription drug labeling requirements; (2) how FDA-required labeling, particularly the prescribing information, should describe prescription drug use-related software that is considered essential for the safe and effective use of the drug product; and (3) when and how sponsors should submit end-user output to FDA for review. As explained by FDA, the recommendations in the PDURS Draft Guidance align with ongoing agency initiatives and considers existing agency policies for the regulation of software to ensure efficient, coordinated review in instances when prescription drug use-related software is reviewed by the agency as a device.

Comments on the PDURS Draft Guidance are due by December 18.

FDA Finalizes Guidance on Device Cybersecurity Considerations. On September 27, FDA issued final guidance titled “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions” (the Final Guidance), superseding a 2014 guidance on cybersecurity and premarket submissions. In announcing the guidance, FDA underscored the importance of robust cybersecurity controls to ensure medical device safety and effectiveness in light of the increasing frequency of cybersecurity threats in the health care sector, as well as increased integration of wireless, internet, and network connected capabilities, portable media, and the frequent electronic exchange of health information. The changes since the 2014 guidance are intended to emphasize the importance of ensuring that devices are designed securely and are designed to be capable of mitigating emerging cybersecurity risks throughout the total product lifecycle (TPLC), and to clearly outline FDA’s recommendations for premarket submission information to address cybersecurity concerns. In addition, the Final Guidance is intended to help manufacturers meet their obligations under new Section 524B of the FDCA, which requires marketing applications for “cyber devices” to include certain cybersecurity information. However, the Final Guidance recommendations are broader in scope and apply to all devices with cybersecurity considerations (including 510(k)-exempt devices), not just the subset of cyber devices subject to the Section 524B requirements. For additional information about the Section 524B requirements, please see the January and April 2023 issues of Arnold & Porter’s Virtual and Digital Health Digest.

The Final Guidance discusses four main principles for device cybersecurity: (1) cybersecurity is part of device safety and the quality system regulations; (2) designing for security; (3) transparency; and (4) submission documentation. The Final Guidance also provides recommendations for using a secure product development framework (SPDF) as one option to manage cybersecurity risks and ensure that the quality system regulation is met.

FDA Reopens Comment Period for Drug Manufacturing Artificial Intelligence Discussion Paper and Announces Public Meeting. In the March 2023 issue of this digest, we discussed a new FDA discussion paper titled “Artificial Intelligence in Drug Manufacturing” (Discussion Paper), which presents consideration and policy development associated with application of AI to pharmaceutical manufacturing. The Discussion Paper (issued March 1) includes specific questions for stakeholder feedback, such as areas of AI in manufacturing where guidance may be beneficial, common practices for validating and maintaining self-learning AI models, and necessary elements for manufacturers to implement AI-based models in a cGMP environment. Although interested persons were initially given until May 1 to comment, on September 27, FDA announced it is reopening the comment period for the Discussion Paper until November 27. 

For more information on the Discussion Paper, please see the March 2023 issue of Arnold & Porter’s Virtual and Digital Health Digest.

Health Care Fraud and Abuse Updates

Provider Reimbursement Updates

DEA Issues Second Temporary Rule Extending Telehealth Prescribing Flexibilities. As we described in the September 2023 issue of Arnold & Porter’s Virtual and Digital Health Digest, during the public health emergency (PHE), the Drug Enforcement Agency (DEA) made two major changes related to prescribing controlled substances. First, qualified practitioners were permitted to prescribe a controlled substance to a patient via a two-way, audio-video telemedicine appointment. Second, during the PHE, qualifying practitioners were also permitted to prescribe buprenorphine to new and existing patients with an opioid use disorder based only on a telephone evaluation.

Anticipating the end of the PHE, DEA and HHS issued two proposed rules (available here and here), that, if finalized, would significantly curtail the prescribing rules for controlled substances via telemedicine permitted during the PHE. 

After receiving thousands of public comments, on May 10, HHS and DEA, in concert with the Substance Abuse and Mental Health Services Administration (SAMHSA), published a temporary rule extending all telemedicine flexibilities regarding the prescribing of controlled substances that were in place during the PHE until November 11. See 88 FR 30037. Of particular significance, the temporary rules extended the PHE “exceptions allowed for the prescribing of controlled medications via telemedicine encounters even when the prescribing practitioner had not conducted an in-person medical evaluation of the patient.” 88 Fed. Reg. 69879; 88 FR 30037. These exceptions were “granted in order to avoid lapses in care for patients.” Id.

On October 6, DEA, HHS, and SAMHSA issued a second temporary rule further extending these flexibilities until December 31, 2024, citing the desire to ensure a smooth transition for patients and practitioners that have come to rely on the availability of telemedicine for controlled medication prescriptions and to provide sufficient time for providers to come into compliance. See 88 Fed. Reg. 69879 (Oct. 10, 2023). The second temporary rule was issued just weeks after DEA hosted Telemedicine Listening Sessions on September 12 and 13. The listening sessions invited public feedback to inform DEA’s regulations on prescribing controlled substances via telemedicine. In this latest temporary rule, DEA states that it is working to promulgate new standards or safeguards by the fall of 2024. 88 Fed. Reg. 69880.

Policy Updates 

Privacy Updates 

• Analytics tools that convert web users’ interactions with hospital webpages into information on factors such as the level and concentrations of community concern on medical questions, which gives hospitals the data needed to more effectively allocate resources and help community members to more easily find the health care information they are seeking.
• Video technologies that enable hospitals to offer a wide range of information to the public, including videos that educate the community about particular health conditions.
• Location tracking technologies that facilitate dissemination of precise information about where health care services are available, including embedded applications that provide bus schedules or driving directions to and from a community member's location. 

In its letter, the AHA strongly criticized the HHS Office for Civil Rights (OCR) for its guidance issued in December 2022 warning HIPAA-covered entities and their business associates of the potential liability for privacy and data security violations through the use of website tracking technologies. The AHA asserted that if the OCR guidance “is permitted to stand, hospitals and health systems will be forced to restrict the use of valuable third-party technologies like these.” 

EU and UK News

Regulatory Updates 

1. A more efficient, predictable, and adaptable CE marking system
2. A dedicated and fast-track assessment pathway for critical medical technologies
3. A new European entity to oversee and manage the regulatory system

Privacy Updates

Why does it matter? As the UK is no longer a member of the European Union, the EU-U.S. Data Privacy Framework does not automatically enable the transfer of personal data from the UK to the U.S. Transfers of personal data from the UK will require a Data Bridge, which was agreed to in principle between the UK and U.S. governments on June 8. However, the UK data protection authority, the Information Commissioner’s Office (ICO), has expressed reservations concerning the Data Bridge.

In addition, the day before the adoption of the UK-U.S. data bridge, the EU-U.S. Data Privacy Framework, which had been adopted in July 2023 as discussed in our Advisory, was published in the EU Official Journal. The EU-U.S. Data Privacy Framework has been challenged before the European General Court by a French member of the European Parliament, Philippe Latombe, and privacy activist group NOYB, which was founded by Maximilian Schrems, announced that it will be challenging the DPF on the basis that it is largely a copy of the Privacy Shield. It will be necessary to keep an eye on the current proceedings before the EU courts and whether this has implications for the UK-U.S. Data Bridge.

EFPIA Attends Meeting on Opt-Out Requirements in EHDS. On September 6, the European Federation of Pharmaceutical Industries and Associations (EFPIA) met officials of the European Commission, a member of the European Parliament, and permanent representations of future presidencies of the Council of the EU, to discuss the implementation of an opt-out mechanism in the European Health Data Space (EHDS). 

The meeting followed a joint statement issued by EFPIA together with other 31 health stakeholders where they outlined that implementing an opt-out mechanism in the EHDS would challenge the effective use of electronic health data for research (e.g., by creating health disparities and undermining reliability of data driven health interventions), as discussed in the July 2023 issue of Arnold & Porter's Virtual and Digital Health Digest.

ABPI Handbook on Using Health Data. On September 6, the UK Association of the British Pharmaceutical Industry (ABPI) published a handbook on how to analyze and use health data from the NHS responsibly. The handbook builds upon the principles established by the ABPI in collaboration with its members and key stakeholders in 2022. These principles are:

• Be transparent about the purpose and use of health data, and how risk will be managed.
• Ensure that fair contractual arrangements in relation to data access and return of benefits are in place.
• Promote engagement from patients and the public in the design and approval of health data projects.
• Share insights across the health system generated from the use of health data.
• Ensure compliance with data privacy regulations and the associated patients’ rights. 

Members of the ABPI are committed to follow these principles when using NHS health data for research purposes. 

Consultation From the UK ICO on Period Tracking and Fertility Tracking Apps. During the month of September and until October 5, the UK ICO carried out a consultation on period tracking and fertility tracking apps. The aim of the consultation was to gather information from users on their experiences with the app, in order to identify areas of improvement in data security. The ICO is now reviewing how personal information is used or shared by these apps and the negative impact this may have on users. The ICO stated that, in light of the results of the consultation, it may be necessary to take measures to improve data security and transparency, including regulatory action.

Competition Updates

CMA Clears UnitedHealth/EMIS Merger. After an in-depth investigation into the anticipated acquisition by UnitedHealth Group Incorporated (UH) of EMIS Group Plc (EMIS), on September 29, the UK Competition and Markets Authority (CMA) decided to approve the deal without imposing any conditions. 

EMIS supplies data management systems to the NHS, including the electronic patient record system used by the majority of NHS GPs to manage appointments, conduct patient consultations, and update, store, and share patient records. UH provides medicine optimization (MO) software (which recommends alternative medicines to doctors to increase cost-effectiveness), as well as population health management (PHM) services (which make use of data analytics to improve patient outcomes). The parties are, therefore, in a vertical relationship, with electronic patient record systems generated by EMIS a vital input into PHM services and MO software.

At the end of its Phase 1 investigation, the CMA was concerned that, due to EMIS’s high market shares in the provision of electronic patient record systems, the high switching costs, and the limited competition existing in this area in the UK, the parties might, post-merger, restrict access to EMIS's electronic patient record systems to the detriment of rival suppliers of MO software and PHM services. However, at the end of a Phase 2 in-depth investigation, the CMA concluded that the merged entity would not have the ability or incentive to engage in such a foreclosure strategy as: 

1. The NHS would be able to use its oversight role to investigate any complaints in this respect and resolve any breaches of the applicable standards (thus effectively preventing the merged entity from pursuing this kind of behavior).
2. Any possible gains in profits from customers of EMIS’s electronic patient records switching to UH’s software and services would not compensate the profits lost from customers switching away from EMIS’s systems. Importantly, any such strategy could also potentially have wider costs, such as damaging the merged entity’s relationship and reputation with the NHS. 

The CMA also considered whether the merged entity could use any commercially sensitive information shared with EMIS by MO software rivals to improve UH’s MO offering to the detriment of that of its rivals. Although some proprietary information is shared with EMIS, the CMA found, based on the nature of this information, that its disclosure would not be capable of harming the competitiveness of the rival, particularly as some of the information shared with EMIS is likely to be very specific to the individual supplier, and so not of use to UH.  

*The following individuals contributed to this Newsletter:

 Amanda Cassidy is employed as a Senior Health Policy Advisor at Arnold & Porter’s Washington, D.C. office. Amanda is not admitted to the practice of law.
Eugenia Pierson is employed as a Senior Health Policy Advisor at Arnold & Porter’s Washington, D.C. office. Eugenia is not admitted to the practice of law.
Mickayla Stogsdill is employed as a Senior Policy Specialist at Arnold & Porter’s Washington, D.C. office. Mickayla is not admitted to the practice of law.
Katie Brown is employed as a Policy Advisor at Arnold & Porter’s Washington, D.C. office. Katie is not admitted to the practice of law.
Heba Jalil is employed as a Trainee Solicitor at Arnold & Porter's London office. Heba is not admitted to the practice of law.

© Arnold & Porter Kaye Scholer LLP 2023 All Rights Reserved. This Newsletter is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.