Vital Signs Digital Health Law Update Winter 2024

Vital Signs: Digital Health Law Update | Spring 2024

Note From the Editors 

Welcome to Vital Signs, a curated compilation of the latest legal and regulatory developments in digital health. Our lead article reports on recent developments in the U.S. Food and Drug Administration's ("FDA") regulatory framework for artificial intelligence and machine learning. Updates in the United States include a report on the U.S. Department of Justice's ("DOJ") continued prosecution of alleged telemedicine schemes, numerous FDA updates (including on laboratory developed tests), and various federal privacy/cybersecurity and state privacy and telemedicine developments. In our Global Section, you'll find updates from the European Commission on digital health and varying developments from countries in Europe, along with Japan. Thank you to our Jones Day contributors who are committed to bringing you a one-stop resource on notable digital health updates.

Industry Insights 

Recent Developments in FDA's Regulatory Framework for Artificial Intelligence and Machine Learning

By Jessica Tierney and Harrison R. Farmer 

FDA has made some, albeit small, progress with respect to its regulatory role and oversight of artificial intelligence ("AI") and machine learning ("ML") (collectively, "AI/ML") since the last time this technology's impact on FDA-regulated products was discussed in our July 2022 Vital Signs.

On April 11, 2024, FDA Commissioner Dr. Robert Califf stated in congressional testimony that AI/ML "presents new and unique challenges and opportunities" to FDA-regulated products; however, "there is no 'one-size-fits-all' approach" for this technology. Indeed, it appears that FDA has continued to gradually hone its risk-based regulatory framework over the past several years based on its own ad hoc experience reviewing AI/ML product applications, and following the approach and guidelines in President Biden's October 2023 AI Executive Order and other existing initiatives, such as the Framework for Regulatory Advanced Manufacturing Evaluation (FRAME) Initiative and the AI/ML-Based SaMD Action Plan.

As part of this effort, for example, FDA's Center for Biologics Evaluation and Research ("CBER"), Center for Drug Evaluation and Research ("CDER"), Center for Devices and Radiological Health ("CDRH"), and the Office of Combination Products ("OCP") (collectively, the "Centers") jointly issued a white paper on March 15, 2024, titled "Artificial Intelligence and Medical Products: How CBER, CDER, CDRH, and OCP are Working Together" (the "AI White Paper"). The AI White Paper, which is the latest in a series of FDA publications on the use of AI/ML in drug development and manufacturing, is intended to "provide greater transparency regarding how FDA's medical product Centers are collaborating to safeguard public health while fostering responsible and ethical innovation." FDA explains in the AI White Paper its four high-level "areas of focus" for AI:

  1. Fostering collaboration to safeguard public health.
  2. Advancing the development of regulatory approaches that support innovation, including supporting regulatory science efforts to develop methodology for evaluating AI algorithms; monitoring and evaluating trends and emerging issues to detect knowledge gaps; and issuing additional guidance.
  3. Promoting the development of standards, guidelines, best practices, and tools, including building on Good Machine Learning Practice Guiding Principles to evaluate the safe, responsible, and ethical use of AI; identifying and promoting best practices for long-term safety and real-world performance monitoring; exploring best practices for documenting and ensuring that the data used to train and test AI models is fit for use; and developing a framework and strategy for quality assurance with an emphasis on continuous monitoring and risk mitigation.
  4. Supporting research related to the evaluation and monitoring of AI performance, including supporting demonstration projects that identify introduction points for bias and how it can be addressed; promote equity and ensure data representativeness by considering health inequities associated with the use of AI in medical product development; and support the ongoing monitoring of AI tools in medical product development within demonstration projects to ensure conformance and maintenance to standards, performance, and reliability throughout the life cycle. 

In fact, FDA continues to review and authorize a growing number of devices utilizing AI/ML across many different fields of medicine. As of May 13, 2024, FDA has approved, authorized, or cleared 882 AI/ML-enabled devices—with more than 150 of those devices receiving FDA marketing authorization between August 1, 2023, and March 31, 2024. Recent notable devices include Sepsis ImmunoScore, which is an AI/ML-based software that identifies patients at risk for having or developing sepsis; EpiMonitor, which senses electrodermal activity and motion data using an AI algorithm to detect possible generalized tonic clonic seizures and alerts caregivers; and Tyto Insights for Wheeze Detection, an AI-enabled clinical decision support software system that analyzes recorded lung sounds to detect wheezing.

FDA has seen a significant rise in the number of biologic and drug product submissions that incorporate AI/ML technologies—specifically in clinical research, post-market surveillance, and manufacturing. This continued surge in the number of FDA-regulated products that incorporate AI/ML suggests that FDA will begin to accelerate its efforts by issuing more policies, frameworks, guidance documents, and initiatives on this subject in the near to immediate future.

FEDERAL

DOJ Continues to Prosecute Alleged Telemedicine Schemes, With a Focus on DME and Prescription Medication

In keeping with a trend discussed in previous editions of Vital Signs, DOJ continues to criminally prosecute individuals who allegedly use telehealth platforms to procure prescriptions for medically unnecessary durable medical equipment ("DME") and prescription medication, though the government only rarely pursues civil enforcement targeted at such conduct.

In February 2024, a Florida man was charged in a 10-count indictment for his role in a DME kickback scheme that allegedly caused $97 million in losses to Medicare. The man and his co-conspirators allegedly procured orders for medically unnecessary DME—specifically, orthotic braces—through call centers and telemedicine companies and then sold these orders to DME companies for $125 to $450 per brace. The DME companies would then ship the braces to the Medicare beneficiaries and submit false claims for reimbursement to Medicare. To conceal the kickbacks, the defendant and his affiliated entities allegedly entered into sham marketing agreements and submitted sham invoices to the entities billing for the DME.

In February 2024, a different Florida man admitted to his role in a similar DME scheme that cost Medicare and other health care programs at least $3.6 million. According to prosecutors, the accused and his alleged co-conspirators utilized telemedicine companies to obtain prescriptions for medically unnecessary DME. They would then allegedly solicit kickbacks and bribes from DME companies in exchange for these completed doctors' orders, purportedly billing Medicare and other health care benefit programs for the unnecessary equipment. 

In March 2024, a New Jersey-licensed nurse practitioner pled guilty to her role in a conspiracy to defraud Medicare of $136 million. According to court documents, the nurse owned two purported telemedicine companies and two orthotic brace suppliers. Through these companies, she allegedly recruited medical professionals whom she bribed to sign orders for medically unnecessary orthotic braces and prescription drugs. The government claimed these providers issued the orders in the absence of any patient contact or after only a brief telephonic interaction, and allegedly submitted false claims to Medicare, which paid nearly $66 million in total.

In March 2024, DOJ secured a guilty plea from a Fort Lauderdale man who allegedly perpetrated a fraud involving pharmacy owners, telemarketers, and telemedicine providers. According to the plea agreement, the man and his co-conspirators—who owned and operated pharmacies—would pay kickbacks and bribes to telemarketing companies to recruit Medicare beneficiaries who would accept prescriptions for various unnecessary medications—mainly topical creams. The conspirators also allegedly paid bribes and kickbacks to telemedicine companies that employed or contracted with physicians who signed the prescriptions, typically with minimal to no patient contact. These claims were then submitted to Medicare, costing Medicare Part D more than $36.2 million.

HHS Opens Investigation Into Change Healthcare Cyberattack

In February 2024, Change Healthcare, a UnitedHealth subsidiary and provider of revenue and payment cycle management technologies, experienced a significant cyberattack that left the company unable to process medical claims—disrupting billing throughout the health care industry. The breach has attracted the attention of the Department of Health and Human Services ("HHS"), whose Office for Civil Rights ("OCR") issued a "Dear Colleague" letter on March 13, 2024, announcing that it would investigate the incident. OCR intends to examine whether a breach of protected health information occurred and whether Change Healthcare adequately complied with Health Insurance Portability and Accountability Act ("HIPAA") Privacy, Security, and Breach Notification Rules. OCR also warned that although its interest in businesses that have partnered with Change Healthcare is "secondary," these entities should ensure that they uphold their regulatory obligations, "including ensuring that business associate agreements are in place and that timely breach notification to HHS and affected individuals occurs as required by the HIPAA rules." 

Orange Book Listing of Drug-Device Patents

In March 2024, the Federal Trade Commission ("FTC") filed an amicus brief in Teva Branded Pharmaceutical Products R&D, et al. v. Amneal Pharmaceuticals of New York, LLC, et al., 2:23-cv-20964, U.S. District Court for the District of New Jersey ("Teva v. Amneal"), stating that the court should grant Amneal's motion for judgment on the pleadings to compel Teva to delist certain patents in the FDA Orange Book for Teva's ProAir HFA product.

As detailed in the amicus brief, the FTC takes a narrow view of the "drug product" definition in the Hatch-Waxman Act, stating that "drug manufacturers cannot lawfully list device patents that are not limited to either the active ingredient or the approved product." Furthermore, the FTC stated that even if a patent claims a part of a drug, "under the statutory text, it is not a sufficient condition for proper listing that the patent 'claims the drug.'" 

FTC's narrow view is shared by certain members of Congress, who have targeted new drug application holders and demanded that drug-device patents be delisted from the Orange Book. For many years, FDA has failed to respond substantively to requests from drug makers for clarity regarding which types of patents that cover drug-device combination products should be listed in the Orange Book.

Three key takeaways include: 

  1. There are unanswered questions regarding whether and to what extent patents that claim drug-device combination products should be deemed to claim the "drug product" for purposes of Orange Book listings.
  2. FDA has not provided clear guidance, despite repeated requests from industry.
  3. FTC takes a narrow view, arguing that only those patents which specifically claim the finished dosage form containing the drug substance are properly listable in the Orange Book; claims drawn to a device component for administering a drug are not.

FDA Aligns Medical Device Current Good Manufacturing Practice Regulatory Framework With International Consensus Standards

On February 2, 2024, FDA finalized the Quality Management System Regulation ("QMSR") rule ("QMSR Final Rule"), amending the medical device current good manufacturing practice requirements of the Quality System Regulation to promote alignment with international consensus standards. The rule amends 21 C.F.R. Part 820 to incorporate by reference the International Organization for Standardization ("ISO") 13485:2016 and Clause 3 of ISO 9000:2015. Effective February 2, 2026, the QMSR Final Rule introduces several changes to the regulatory scheme but does not fundamentally alter key requirements for an effective quality system. Some of these changes include broadening the scope of FDA's inspection authority to include internal and supplier audit reports and extending risk management practices, which were previously limited to design controls, to the entire product life cycle. For additional insight, consult our Jones Day Alert.

CDRH Medical Device Safety and Innovation Reports Take Stock of FDA's Progress and Plans for the Future

On April 17, 2024, FDA's Center for Devices and Radiological Health ("CDRH") published two companion reports on medical device safety and innovation to highlight programmatic updates and future priorities in 2024. FDA's innovation efforts will focus on reimagining the premarket review program, expanding the agency's footprint in key geographical innovation centers, and launching a "home as a health care hub" prototype to foster innovation of integrated, consumer-friendly technology to extend care into the home. With respect to safety, FDA plans to expand manufacturer participation in its voluntary improvement program, strengthen active surveillance, and improve its medical device recall program.

FDA Finalizes Rule Regarding Laboratory Developed Tests

On May 6, 2024, FDA published the laboratory developed tests ("LDT") final rule ("LDT Final Rule") amending the 21 C.F.R. § 809.3(a) definition of "in vitro diagnostic product" to specify that such definition "[includes] when the manufacturer of these products is a laboratory." The LDT Final Rule generally adopts the proposed four-year, five-stage phaseout of FDA's general enforcement discretion policy regarding LDTs but provides notable exceptions from select FDA medical device regulatory requirements for certain in vitro diagnostics offered as LDTs. The LDT Final Rule will become effective on July 5, 2024. 

FDA Proposes Updated Guidance Concerning Cybersecurity of Medical Devices

On March 13, 2024, FDA released draft guidance titled "Select Updates for the Premarket Cybersecurity Guidance: Section 524B of the FD&C Act." This guidance provides select supplementary updates to the previous guidance titled "Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions" and is intended to assist individuals in meeting the cybersecurity requirements for FDA medical device submissions under Section 524B of the Federal Food, Drug, and Cosmetic Act. The proposed updates clarify what constitutes a "Cyber Device" and address requirements concerning documentation, modifications, and providing a reasonable assurance of cybersecurity. The public comment period ended on May 13, 2024. While the draft updates have yet to be finalized, they offer valuable insight into FDA's current thinking and priorities.

HHS and NIST Release New Guidance on HIPAA and Health Care Cybersecurity 

In February 2024, following the recent rise in cyberattacks in the health care sector, the National Institute of Standards and Technology, or NIST, and HHS released a new cybersecurity resource guide intended to aid entities in implementing the HIPAA Security Rule. This resource guide provides covered entities with practical guidance on assessing and managing risk to electronic protected health information and identifies typical activities that a covered entity should consider when implementing an information security program. Included within the release is a new online reference of additional resources covering key issues—such as telehealth/telemedicine and medical device security—that covered entities may find useful for achieving compliance with the HIPAA Security Rule and improving the security posture of their organizations. Although these resources are nonbinding, covered entities should consider utilizing them to ensure compliance with HIPAA and best practice.

U.S. Congress Reintroduces New Comprehensive Federal Privacy Law

On April 7, 2024, Congress introduced a bipartisan comprehensive privacy bill titled the American Privacy Rights Act of 2024 ("APRA"). If enacted, APRA would be the U.S.'s first comprehensive national privacy law and would apply to "any entity that determines the purposes and means of collecting, processing, retaining, or transferring covered data" and is subject to the FTC Act, is a common carrier, or is a nonprofit (with limited exceptions for government entities, their service providers, specified small businesses, and certain nonprofits) (a "covered entity"). "Covered data" would include information that identifies, is linked, or is reasonably linkable to an individual or device, excluding deidentified data, publicly available information, and employee data. Among other obligations, APRA would (i) prohibit covered entities from processing covered data unless "necessary, proportionate, and limited;" (ii) require "affirmative express consent" for transfers of sensitive data and processing of biometric data; (iii) require covered entities and "service providers" to adopt reasonable data security practices, including vulnerability assessments and procedures for retention, disposal, training, and incident response; and (iv) require certain larger covered entities to designate a privacy and/or security officer. The APRA would create a private right of action but would also be enforceable by both the FTC (under the FTC Act's provisions concerning unfair and deceptive practices) and state attorneys general. APRA would preempt comprehensive state privacy laws that cover the same requirements but would not preempt state data breach notification laws, state privacy laws relating to employee, student, and health care privacy, or certain federal laws relating to data privacy and protection, like the Gramm-Leach-Bliley Act or HIPAA. 
Although APRA would alleviate compliance challenges created by the current patchwork of state privacy laws, digital health companies should carefully monitor it for potential impact and applicability.

STATE

Arkansas Attorney General Announces Investigation Into Change Healthcare Cyberattack

The fallout from the Change Healthcare cyberattack described above continues to grow—expanding beyond the federal level. In late March 2024, Arkansas Attorney General Tim Griffin announced that his office would initiate an investigation into the incident given its "unprecedented magnitude." The investigation will seek to determine whether the confidential medical information of Arkansans was compromised in violation of the Arkansas Personal Information Protection Act and the Arkansas Deceptive Trade Practices Act. Griffin also plans to investigate whether Change Healthcare employed reasonable security procedures and practices. 

New York Attorney General Becomes First to Act on Web Trackers Under the HITECH Act

New York Attorney General Letitia James announced in late December 2023 that she had reached a $300,000 settlement with NewYork-Presbyterian Hospital ("NYP") for allegedly disclosing the health information of individuals who visited its website. James's office alleged that between June 2016 and June 2022, NYP used web trackers to collect personal information about visitors searching for doctors or appointments on its website. The information often included health conditions and was frequently linked to unique patient identifiers. NYP then allegedly shared this data with third-party tech companies, in violation of HIPAA. Notably, this enforcement involved a civil claim under the Health Information Technology for Economic and Clinical Health Act, or HITECH Act, which empowers state attorneys general to sue on behalf of state residents for violations of the HIPAA Privacy and Security Rules. The settlement marks the first time this provision has been used at the state level to sanction a covered entity for the use of web trackers. Such trackers have come under increased scrutiny following HHS guidance published in December 2022—and updated in March 2024—warning that use of these online tools potentially violates the HIPAA Privacy Rule.

South Carolina Enacts Telehealth and Telemedicine Modernization Act

In March 2024, South Carolina's Telehealth and Telemedicine Modernization Act was signed into law. Among other things, the legislation creates a comprehensive telehealth framework applicable to all health care professions in the state, rather than only medical doctors and doctors of osteopathic medicine as before. The law also streamlines the process of prescribing Schedule II and III controlled substances via telehealth, which previously required prior authorization by the South Carolina Medical Board. Now, telehealth providers in South Carolina may prescribe these medications when the patient is physically located in a hospital, the prescription is for buprenorphine and prescribed for an opioid use disorder, the medication is for end of life care, or in other situations as authorized by the Medical Board.

Florida Seeks to Improve Maternal Health Through Expanded Telemedicine Program

In March 2024, Florida enacted SB 7016, which, in part, expands the state's Telehealth Minority Maternity Care Program through an additional $23 million in funding. The program seeks to improve maternal health outcomes among racial and ethnic minority populations by promoting access through telehealth to screenings and treatments for common pregnancy-related complications. Florida's Department of Health contracts with local providers to administer the program, and the additional funding will be used to grow these partnerships to implement the program statewide.

Washington and Nevada Laws Expand Health Data Privacy Beyond HIPAA 

On March 31, 2024, Nevada and Washington became the first states with health privacy laws in effect that offer protections for a new category of consumer health data ("CHD") not covered by HIPAA. CHD is personal information that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future health status. The laws are far-reaching, imposing increased privacy protection obligations on entities and associated data processors that (i) conduct business or provide products or services to consumers in the state and (ii) alone or jointly determine the purpose and means of handling CHD. Both statutes provide consumer rights and require entities to (i) implement security safeguards and restrict access to CHD; (ii) obtain affirmative, separate consent prior to collecting, sharing, or selling CHD (unless providing a consumer-requested product/service); (iii) execute data processing agreements before allowing any third-party CHD processing; (iv) develop and publish tailored privacy policies; and (v) abstain from geofencing. Washington, as highlighted in our Fall 2023 Vital Signs, provides consumers with a private right of action. Companies collecting CHD data should review, and revise as necessary, their policies and practices to ensure they address the increased potential for litigation and government enforcement in these states.

Five More States Enact Comprehensive Privacy Laws

As highlighted in our Fall 2023 Vital Signs, states are increasingly regulating digital health privacy. In 2024, five more states enacted comprehensive privacy laws, bringing the total to 17: (i) New Jersey Data Privacy Act, or NJDPA; (ii) New Hampshire Privacy Act, or NHPA; (iii) Kentucky Consumer Data Protection Act, or KCDPA; (iv) Nebraska Data Privacy Act, or NDPA; and (v) Maryland Online Data Privacy Act, or MODPA. Like the others, these laws are far-reaching, impacting even those digital health providers that operate primarily outside of the enacting states. For example, Nebraska joins Texas in requiring compliance regardless of the covered entity's revenue or amount of data processing. While the laws generally do not apply to companies' HIPAA-regulated activities, New Jersey and Maryland provide only information-level, not entity, exemptions. Thus, these laws have broad implications for companies handling health data not protected by HIPAA and participating in non-HIPAA protected activities. Lastly, these laws generally treat health-related information as "sensitive" information, such that entities must obtain affirmative consent before collecting or processing the data. Digital health companies should continue to monitor comprehensive state privacy laws as they become effective.

Wisconsin Codifies Rule Permitting Out-of-State Telehealth Providers to Enroll in Medicaid Without Physical Address in State

On March 22, 2024, Wisconsin enacted Senate Bill 476, which prohibits the state's Department of Health Services from requiring a health care provider who is authorized to provide health care services in Wisconsin and who does so exclusively through telehealth—or a group of such providers—to have a physical address or site in the state in order to enroll as a medical assistance provider. This statute codifies and builds on protections given in DHS 105.48, promulgated in June 2023.

Wisconsin Governor Vetoes Bill Permitting Out-of-State Mental Health Providers to Practice via Telehealth Without Wisconsin Licensure

Governor Tony Evers vetoed a bill intended to address the state's need for increased mental health services, citing quality of care and patient protection concerns. Presented to the governor in March 2024, Assembly Bill 541 would have allowed psychologists, counselors, therapists, and social workers to provide telehealth services to patients in Wisconsin without licensure or other approval from Wisconsin, provided that they are qualified by education, training, and experience to provide mental health services; are present in their state of licensure during the provision of services; and are permitted to provide telehealth services in Wisconsin within their licensing state's scope of license. When providing such services, providers would have been required to comply with their licensing state's regulations and make various disclosures to patients, including which regulatory boards patients could contact to file a complaint. Governor Evers, finding these protections insufficient, stated that the bill creates "an end run" around the interstate compacts to which Wisconsin is party and "leaves patients and consumers little recourse for complaints regarding poor treatment or unethical behavior." In May, the veto was sustained.

Global Developments 

EUROPE

European Commission Proposes Council Recommendation on Vaccine-Preventable Cancers

On January 31, 2024, the European Commission ("Commission") issued a Proposal for a Council Recommendation on Vaccine-Preventable Cancers (the "Proposal"), which aims to support Member States in their efforts to prevent cancer through vaccination. The Commission has indicated that an estimated 40% of cancer cases in the European Union ("EU") are preventable. Notably, cancers caused by human papillomaviruses ("HPV") and Hepatitis B virus ("HBV") can be prevented by vaccination. However, according to a 2024 OECD report, only some 5% of total health spending was dedicated to cancer prevention in the Member States in 2021.

The Proposal is one aspect of Europe's Beating Cancer Plan, a key component of the European Health Union and the Commission's response to the increasing number of cancer cases and cancer-related deaths across the EU. Among the Cancer Plan's goals is for Member States to attain HPV vaccination rates of at least 90% for women and to significantly increase the vaccination of men by 2030. The Cancer Plan also seeks to ensure access and increased uptake of the HBV vaccination, particularly toward preventing liver cancer. To reach these vaccination goals, the Proposal recommends that Member States take measures such as the following:

  • Introduce or strengthen the implementation of HPV and HBV vaccination programs as part of national immunization programs, including by providing vaccinations free of charge and/or fully reimbursing related costs for those for whom vaccination is recommended;
  • Improve the monitoring of vaccination coverage rates, in compliance with the General Data Protection Regulation ("GDPR"), by building or upgrading population-based electronic vaccination registries that enable the availability of data at national level and subnational level and to which data recorded by different vaccine providers can be seamlessly transferred, to inform efficient, data-driven public health action;
  • Streamline national procedures for obtaining parental consent to vaccinate minors, including by sharing and discussing national approaches to facilitate vaccination uptake; and
  • Actively participate in efforts to further facilitate EU citizens' access to their vaccination data, empowering them to follow their vaccination history and make decisions on vaccination, as well as to further facilitate the exchange of such data for continuity of care purposes across the EU.

Among other things, the Commission plans to support EU Member States in developing or upgrading electronic vaccination registries. Furthermore, to tackle misinformation and disinformation around vaccination, the Commission and EU agencies regularly publish reliable, science-based information across all channels and through trusted multipliers, such as health care professionals.

The Commission would also support Member States in implementing the proposed recommendations. In particular, it would provide a model for communication campaigns, adaptable to national needs, to help raise awareness of the importance of these vaccinations. The Commission would also support work to improve monitoring across the EU, while the European Centre for Disease Prevention and Control would develop a new dashboard of national vaccination rates for HPV and HBV by 2024 year-end, to provide a better overview of the situation. 

European Commission Publishes Data on the Application of the Cross-Border Healthcare Directive

On April 19, 2024, the European Commission published a report entitled Data On Cross-Border Patient Healthcare Following Directive 2011/24/EU For Reference Year 2022 ("Report"). The Cross-Border Healthcare Directive (Directive 2011/24/EU) sets out the conditions under which a patient may travel to another EU country to receive safe and high-quality medical care and have the cost reimbursed by their own health insurance scheme, and encourages cooperation between national health care systems. The Report includes data on the operation of the directive and identifies several national issues with data collection and quality to provide cross-border health care. For example, according to the Report, countries still struggle to differentiate between requests received under social security legislation and requests received under the Cross-Border Healthcare Directive, creating data quality issues.

European Commission Publishes a Study on the Reuse of Medical Devices on the EU Market

In February 2024, the European Commission published a Study On The Implementation Of Article 17 Of Regulation (EU) 2017/745 On Medical Devices On The EU Market ("Study"). Among other things, the Study evaluates how Member States have implemented the legislative provision on the reprocessing of single-use devices ("SUDs"), and how such provisions function in practice. The Study also reports on the certification processes of SUDs by notified bodies, the reprocessing of SUDs by manufacturers and health institutions, and the reuse of purchased reprocessed SUDs by health institutions. Lastly, a series of perceived challenges and opportunities, as well as recommended actions, is included in the Study.

European Commission Proposes New Measures for the Better Life-Cycle Management of Medicine Authorizations

On March 11, 2024, the European Commission proposed a Delegated Regulation amending the current legislation on variations ("Proposal"). Marketing authorization holders are responsible for reporting any "variations" to the initial authorization. Recent scientific and technological advancements and a rise in the number of variation requests led to the need to update the rules on variation requests. The Proposal aims to make the variations procedure simpler, clearer, and more flexible. Among other things, the Proposal contemplates the possibility of submitting a single application grouping several variations and allows national competent authorities to process the variations under a work-sharing procedure in order to avoid duplication.

European Commission Proposes to Amend the MDR and IVDR 

On January 23, 2024, the European Commission issued a proposal to amend the Medical Devices and In Vitro Diagnostic ("IVD") Medical Devices Regulation to deal with two urgent issues. First, it aims to further extend the transitional period for certain IVDs to mitigate the risk of shortages, especially of high-risk IVDs. Second, the proposal aims to enable a gradual rollout of the electronic systems integrated into the European database on medical devices ("Eudamed") that are finalized, instead of deferring the mandatory use of Eudamed until the last of the six modules is completed. The use of Eudamed—and especially its systems for the registration of economic operators, devices, and certificates—will facilitate transparency and provide information on devices on the EU market, helping to monitor the availability of devices. In addition, the proposal aims to impose a requirement on manufacturers to give prior notice before interrupting the supply of certain critical medical devices and IVDs.

DARWIN EU Continues to Operate 

On March 6, 2024, the European Medicines Agency ("EMA") announced that the Data Analysis and Real World Interrogation Network, or DARWIN EU, will continue working toward a higher capacity for real-world data studies and seeks to add new data partners. The current 20 data partners generate real-world evidence ("RWE") from sources such as hospitals, primary care, health insurance, registries, and biobanks to support regulatory activities of EMA's scientific committees and national regulators in the EU. RWE complements information from clinical trials and other evidence in regulatory decision-making and can be relevant for a wide range of topics and therapeutic areas.

One Year Left to Transition Clinical Trials to the New EU System

All ongoing clinical trials in the EU must be transitioned to the Clinical Trials Information System ("CTIS") by January 31, 2025. There are a number of resources available to help sponsors make the transition, including guidance, a best practice guide, and additional materials.

EMA Revised the SME User Guide 

On January 23, 2024, EMA published a revised version of its User Guide For Micro, Small and Medium-Sized Enterprises. The revised user guide offers comprehensive information on the EU legislative framework for medicines, outlining requirements for the development and authorization of medicines for human and veterinary use. The revised guide has a new section with an overview of the IT systems (including the CTIS) and a new section with guidance on utilizing big data for decision-making. 

European Court Rules on Distance Selling

On February 29, 2024, the European Court of Justice ("ECJ") issued a judgment on distance selling of medicinal products without a prescription (Case C-606/21 Doctipharma). The case involves Doctipharma, an online platform facilitating the sale of over-the-counter ("OTC") medicines through a website aggregating online pharmacy offerings. Doctipharma was challenged before the French national courts because it allegedly unlawfully participated in the e-commerce of medicines without authorization. The Paris Court of Appeal referred the case to the ECJ to clarify two points: (i) the service of Doctipharma, which consists of connecting pharmacists and customers for the sale of OTC medicines via the websites of pharmacists, qualifies as an information society service; and (ii) the conditions under which a Member State may prohibit such service. In particular, Member States may prohibit the service consisting of connecting pharmacies and customers if that service provider is itself selling medicinal products without authorization or other rights to do so. If, however, the service provider merely facilitates connections between pharmacists and customers, without engaging in direct sales, Member States cannot prohibit the provision of such services, even if the service provider lacks the pharmacist's qualification.

European Parliament and Council of the EU Reach Political Agreement on the European Health Data Space

On March 15, 2024, the European Commission announced that the European Parliament and the Council of the EU had reached a political agreement on the proposed Regulation for the European Health Data Space ("EHDS"). The EHDS aims to establish a common space where individuals can easily manage their electronic health data ("EHD") and enable researchers, innovators, and policymakers to use this data securely and reliably through common rules, standards, infrastructures, and a governance framework. The political agreement introduced several amendments to the proposed EHDS, including an opt-out mechanism for individuals regarding the primary and secondary use of their personal EHD. The agreement also eased administrative burdens by allowing EU Member States to designate trusted data holders who can securely process requests for health data access, and included more specific provisions to protect intellectual property rights, trade secrets, and data protection rights.

BELGIUM 

Belgian Agency Issues Guidance on Use of GMOs in Clinical Trials 

On January 25, 2024, the Belgian Federal Agency for Medicines and Health Products updated the Belgian regulatory guidance on the use of genetically modified organisms ("GMOs") in clinical trials. The guidance provides a complete overview of the legal procedures in Belgium for submitting a dossier for a clinical trial involving a GMO. It also presents the deadlines associated with these procedures and the authorities involved.

Belgian Agency Reports on Digital Mental Health 

On April 23, 2024, the Belgian Superior Health Council published a report on digital interventions and apps for mental health. According to that report, digital mental health (including online consultations, apps, wearables, immersive technologies, etc.) has the potential to address a wide range of existing mental health needs, with different objectives and target populations at all stages. However, Belgium currently lacks an overarching national framework for digital mental health that provides health care professionals with clear and specific guidance. The report aims to formulate a first set of recommendations to shape such a national framework and guide further developments in the domain of digital mental health. The report gives an overview of the most frequently used technologies, evidence for their effectiveness, and practical challenges in using those technologies. The report concludes with 12 recommendations to further improve the use and maximize the potential of digital interventions and apps for mental health care in Belgium.

Belgian Draft Law on Electronic Prescriptions

On April 5, 2024, the Belgian Council of Ministers approved a draft law that creates a legal framework for the electronic referral prescription. To date, only paper referral prescriptions have been used in health care and compulsory health insurance. In response to ongoing digitalization to facilitate care, Belgium will roll out electronic referral prescriptions in phases. 

Belgium Launches Application for Tobacco Products and Electronic Cigarettes 

On April 19, 2024, the Belgian application "Smoking Info" was launched. This application is the first search engine for tobacco products and e-cigarettes in Belgium and Europe and is aimed at both consumers and the commercial sector. The application contains complete and transparent information about the products, such as the ingredients and the nicotine content, giving consumers insight into the composition and risks of the products. Furthermore, the application contains a positive list of products permitted in Belgium, and a negative list of products which are not permitted and should thus be withdrawn from the market. These lists will facilitate compliance for the commercial sector.  

ESTONIA 

Estonian Data Protection Authority Publishes Recommendations on Health Data Processing for Employers 

On April 16, 2024, the Estonian Data Protection Authority ("EDPA") issued recommendations for employers processing health data, emphasizing that such data must be protected more carefully than ordinary personal data. The EDPA stated that employers should generally not process employees' health data and advised that if employers offer health-related services, they must identify ways to offer such services without receiving detailed information. Employers should also document all processing activities and adhere to professional secrecy, releasing no more information than legally permitted. 

FRANCE 

French Data Protection Authority Publishes Guidance on Genetic Testing 

On March 6, 2024, the French data protection authority ("CNIL") issued guidance on the sale of genetic testing kits. The CNIL emphasized the vast amounts of personal and sensitive data collected for the purpose of these tests (e.g., genomic data such as ethnic origin, phenotypic data, and health-related data, as well as data collected for ordering and sending tests). The CNIL also clarified that genetic tests in France can only be conducted for judicial investigations, medical care, or research purposes.

French Data Protection Authority Releases Notice on Security of Health Data 

On February 9, 2024, the CNIL published a notice on the security of health data. Between 2020 and 2024, the CNIL conducted several checks on health care facilities and discovered that many had authorization policies allowing non-health care professionals to access computerized patient files ("CPF"). To address the security issues in CPF, the CNIL recommended implementing secure access measures with strong authentication and complex passwords, establishing specific authorizations to limit access to necessary data, enhancing confidentiality for certain files, logging access to track and identify abnormal activity, and setting emergency protocols for appropriate data access during emergencies. 

France Enacts New Legislation to Secure Digital Space With Enhanced Health Data Provisions 

On May 21, 2024, the French government published the recently adopted law to secure and regulate digital space (Law no. 2024-449) which introduces new security requirements for hosting health data. Pursuant to Article 31 of the new law, Health Data Hub must use a cloud computing provider that implements "security and protection criteria" against any access to data by public authorities of third countries, if such access contravenes EU or Member State law. A government decree to be released within six months of the publication of the law will specify the "security and protection criteria" and under what conditions projects already in progress before the publication of the law may request a temporary exemption. In addition, Article 32 of the new law extends the requirement of obtaining health data hosting certification to digital archiving service providers.   

French Supreme Administrative Court Rejects Suspension of Health Data Hosting by Microsoft Azure

On March 22, 2024, the interim judge of the French Supreme Administrative Court, Conseil d'Etat, rejected a request to suspend the French Data Protection Authority's authorization for a U.S. technology company to host Health Data Hub's health data. The request, filed by several French companies and associations, argued that hosting the data with the U.S.-based technology company posed a significant risk of data exposure to U.S. authorities. However, while the court determined such risk could not be entirely dismissed, it was hypothetical given the substantial safeguards in place, including data pseudonymization. Further, the court determined the public interest in allowing the European Medicines Agency to conduct research and evaluations on a broad range of medications and medical devices justified not suspending the authorization. 

DPA: CNIL Warns About Online Genetic Tests 

On March 6, 2024, the CNIL issued a warning note regarding the surge in popularity of at-home genetic testing kits sold online, particularly those marketed for genealogical purposes. The CNIL reminded recipients that these tests, which typically collect extensive genomic information, including ethnic origin and health predispositions, alongside personal identifiers, pose significant risks due to unreliable results and a lack of transparency about the use of sensitive personal data. The CNIL also emphasized that French law strictly regulates genetic testing, permitting it only within judicial, medical, or research contexts. 

DPA: CNIL Investigates Massive Personal Data Breaches at Health Insurance Payment Operators 

On February 7, 2024, the CNIL announced the launch of an investigation into a mass-scale personal data breach affecting two operators managing third-party payments for numerous health insurance providers. The breach impacted more than 33 million individuals, compromising personal details such as civil status, birth dates, social security numbers, health insurers' names, and contract guarantees. However, no banking, medical, postal, phone, or email data were compromised. The CNIL's swift investigation aims to assess the adequacy of the security measures in place before and after the incident, ensuring compliance with GDPR obligations. 

FINLAND

Finnish Minister Proposes Amendments to Act on Electronic Data 

On March 14, 2024, the Finnish Ministry of Social Affairs and Health proposed amendments to the Act on the Electronic Processing of Client Data in Healthcare and Social Welfare. The proposed amendments concern, among other things, the right of social welfare professionals to access information about patients' benefits and the right of health care to disclose patient information to service providers.

GERMANY

German Federal Council Approved the Digital Act and the Health Data Use Act

On February 2, 2024, the German Federal Council approved the Digital Act ("DigiG") and the Health Data Use Act ("GDNG"), both effective January 1, 2025. The DigiG aims to simplify health care through digital solutions, introducing the electronic patient record to enhance data exchange and health care delivery. It seeks to better integrate digital health applications into the health care system and impacts all participants, including pharmacies, doctors, and insurance companies. The GDNG aims to facilitate health data use for research, establishing a central repository for diverse data sources. The GDNG supports AI training with regulated data and ensures compliance with the upcoming EU Health Data Space, enabling secondary use of health data through secure processing environments. 

ITALY

Italian Data Protection Authority Issues Fine on Health Care Provider

On December 7, 2023, the Italian Data Protection Authority ("IDPA") imposed a fine of €40,000 on a health care provider for permitting unauthorized access to personal health data. In particular, the IDPA found that the provider had allowed nurses and hospital doctors to access all hospital and emergency department data, including patients' COVID-19 test results, without specific restrictions.

POLAND

Polish Ministry of Health Informs About Digitalization in Health Care

On January 16, 2024, the Polish Ministry of Health announced that many digital solutions in the health care field have been developed and others are currently under development. For example, e-prescription, e-referral, and e-consultation are already developed. Work is currently ongoing to improve the Online Patient Account, the MojeIKP application, and the Home Medical Care (DOM) platform, and to improve the reporting of medical events and the exchange of electronic medical records.

Polish Data Protection Authority President Issues Statement on CJEU Judgment

On March 15, 2024, the Polish Data Protection Authority ("PDPA") announced that the PDPA's president had issued an opinion regarding the ECJ judgment in a case concerning the processing of sensitive employee personal data and compensation under the GDPR. The PDPA's president noted that employers who are also medical doctors should, when assessing their employees' ability to work, apply the data protection principles of data integrity and confidentiality. 

SPAIN

Spanish Data Protection Authority Fines Health Insurance Company

On February 6, 2024, the Spanish Data Protection Authority imposed a fine of €200,000, later reduced to €160,000, on a health insurance company for processing health data without obtaining explicit consent or demonstrating the existence of a public interest.

SWEDEN

Sweden Announces First Connection to E-Health National Medicines List

On April 25, 2024, the Swedish Health Authority, or E-hälsomyndigheten, announced that the Västra Götaland region ("VGR") began its connection to the authority's new service, the "National Medicines List." That list is a nationwide source of information that gives the health care system, pharmacies, and patients access to the same information about the patient's prescribed and collected medicines and other goods. It is the first step in a national digital infrastructure. The new functionality is gradually being introduced into the VGR's hospital record system and is planned to be fully integrated by the end of 2024.

UNITED KINGDOM

UK Data Protection Authority Releases Blog on Challenges in Access to Care Records 

On February 28, 2024, the UK Data Protection Authority ("UK DPA") published a blog addressing the challenges of individuals with care system experience in accessing their records. The UK DPA also urged individuals with care experience to share their challenges through a survey to enhance support and resources, reaffirming its commitment to improving assistance for both individuals and organizations managing care records in the United Kingdom.

ASIA PACIFIC 

JAPAN

Japanese Government Issues Regulations for Use of Personal Medical Information for Research

The Japanese government adopted new regulations to promote the use of personal medical information for research purposes as part of its implementation of the Next Generation Medical Infrastructure Act, which introduced pseudonymized medical information (now including rare diseases and medical data) that can only be utilized by institutions accredited by the government. The new regulations provide, among other items, standards for such accreditation and the accreditation application procedure.

LAWYER SPOTLIGHT

Ann T. Hollenbeck (Detroit, Health Care & Life Sciences) advises on the operations and structure of domestic and foreign telehealth offerings, including pharmacy service lines and use of mid-level providers to deliver care in the virtual setting, as well as the structure and conduct of virtual clinical trials.

Kyle A. Diamantas (Miami/Washington, Health Care & Life Sciences) advises food, OTC, and consumer product brands in connection with regulatory advice and strategic guidance on issues ranging from direct-to-consumer offerings, personalized nutrition, and related digital advertising and marketing considerations. 

Jessica Tierney (Washington, Health Care & Life Sciences) advises clients seeking to bring new and novel telehealth products to market—including counseling on and assisting with the appropriate level of engagement with FDA. She also assists with post-marketing requirements. 

Insights by Jones Day should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request permission to reprint or reuse any of our Insights, please use our “Contact Us” form, which can be found on our website at www.jonesday.com. This Insight is not intended to create, and neither publication nor receipt of it constitutes, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.