New U.S. FDA Draft Guidance Outlines Path To Faster Modification of AI/ML-Enabled Devices

The U.S. Food and Drug Administration (FDA or Agency) has issued new draft guidance on “Marketing Submission Recommendations for a Predetermined Change Control Plan for Artificial Intelligence/Machine Learning (AI/ML)-Enabled Device Software Functions”1 that discusses a “science-based approach to ensuring that AI/ML-enabled devices can be safely, effectively, and rapidly modified, updated, and improved in response to new data.”2 This approach should offer more certainty to industry as FDA’s stated goal is to allow AI/ML-enabled devices to be modified faster in accordance with FDA requirements while being “built to adapt to the data and needs of individual health care facilities” and “adapt to deliver treatments according to individual users’ particular characteristics and needs.”3 Those wishing to comment on the draft guidance should note that the comment period closes on July 3, 2023.

(more…)

New FTC Guidance for Mobile Health Apps

Healthcare providers, health plans, and technology companies that use mobile health apps to access, collect, share, use, or maintain information related to an individual’s health should take note of the recently issued Federal Trade Commission (FTC) Mobile Health App Interactive Tool. The purpose of the tool is to help mobile health developers determine the federal regulatory, privacy, and security laws and regulations that may apply to the use of a consumer’s health information, such as information related to diagnosis, treatment, fitness, wellness, or addiction. While the tool should not be considered legal advice and cannot guarantee compliance with legal requirements, it can help healthcare providers, health plans, and technology companies issue-spot to manage risk in this heavily regulated space.

(more…)

It Is Now More Difficult For International Pharma To Transfer Data Out Of China

New measures for the security assessment of data transfers from China to other countries could make it harder for international pharma companies with China operations to transfer health data out of the country. Lianying Wang explains.

HHS Office for Civil Rights Releases Webinar on Recognized Security Practices: Provides Guidance on Mitigating Potential Violations of HIPAA

Pursuant to legislation passed in 2021, covered entities and business associates subject to HIPAA and facing potential regulatory enforcement may receive some credit lessening to reduce enforcement penalties if they had implemented Recognized Security Practices (RSPs) within the prior 12 months.  However, what may constitute RSPs and how a covered entity or business associate can demonstrate implementation of RSPs to receive such credit had not been clear.  Now, the Department of Health and Human Services is seeking to provide clarity. (more…)

One Step Forward, Two Steps Back: FDA’s Final Guidance on Clinical Decision Software Raises More Questions Than Answers

Recently, the U.S. Food and Drug Administration (FDA) published a suite of guidance documents relating to software, automation, and artificial intelligence. One guidance document in particular, addressing clinical decision support (CDS) software, may signal a tightening in FDA’s oversight on software tools with artificial intelligence and machine learning (AI/ML) that could introduce confusion and frustrate innovation in this important, fast-developing area. On October 18, 2022, FDA held a webinar to provide additional clarifications on this final guidance.

Digital Health Industry Take Note: New HIPAA Comment Opportunity and Guidance Addresses Growing Risk of Cybersecurity Attacks

Digital health companies should take note of new data privacy and security developments under the Health Insurance Portability and Accountability Act (HIPAA) that can affect product planning and customer negotiations.

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has released a request for information (RFI) seeking input on (1) how covered entities implement recognized security practices, which OCR considers in enforcement matters and (2) the different types of harm that individuals experience from HIPAA violations in order to consider how OCR may share enforcement recoveries with individuals harmed. Digital health companies subject to HIPAA should consider submitting comments by the June deadline to ensure that the evolving digital health industry has a voice in establishing industry best practices and advocating for continued flexibility in the implementation of security standards that suit their unique business needs distinct from traditional covered entities and business associates. (more…)

EU Data Governance Act – Edging Closer to a European Single Market for Data

On 6 April 2022, the European Parliament formally approved the Data Governance Act (“DGA”), which establishes a legal framework to promote the availability of data and increase trust in data sharing across sectors in the EU. Some of the key objectives of the new legislation include enabling the re-use of certain categories of protected public sector data and making it easier and safer for citizens and businesses to share their data with relevant stakeholders. (more…)

Developments in Health Privacy and Cybersecurity Policy and Regulation: OCR Issues Cybersecurity Warnings and New Health Data Legislation Is Introduced

On March 17, 2022, the U.S. Department of Health and Human Service’s Office for Civil Rights (“OCR”) issued industry guidance for Health Insurance Portability and Accountability Act (“HIPAA”) regulated entities to take preventative steps to protect against some of the more common, and often successful, cyber-attack techniques. For example, the number of breaches of unsecured electronic Personal Health Information (“ePHI”) reported to the OCR affecting 500 or more individuals due to hacking or IT incidents increased 45% from 2019 to 2020. Further, OCR noted that the number of breaches due to hacking or IT incidents accounted for 66% of all breaches affecting 500 or more individuals reported to the Department in 2020. OCR concludes most cyber-attacks could be prevented or substantially mitigated if HIPAA covered entities and business associates implemented HIPAA Security Rule requirements to address the most common types of attacks.

OCR’s reminders and recommendations for regulated entities include to: (more…)

CPRA Law + Tech Series

WEBINAR

Sidley Senior Managing Associate Sheri Porath Rockwell (Chair, California Lawyers Association Privacy Law Section) and Stacey Gray, Director of Legislative Research & Analysis at the Future of Privacy Forum, will be leading a multi-session webinar series, CPRA Law + Tech, that focuses on the technologies and data practices at the heart of emerging state privacy legislation, including the California Privacy Rights Act (CPRA). (more…)

Part II – Digital Health Passports in Europe: Amended Proposal for a Digital Green Certificate and Eligible Testing Methods

In March 2021, the European Commission released a proposal for the creation of a “Digital Green Certificate,” which will allow EU citizens to travel easier throughout the EU during the COVID-19 pandemic. Last week, the EU Member States agreed on some proposed changes to the proposal, including strengthening of the data privacy provisions. According to the proposal, in order to obtain a Digital Green Certificate, individuals must prove that they have been vaccinated, present a negative test result, or have recently recovered from COVID-19. The proposal allows the issuance of a certificate for all COVID-19 vaccines, which have received an EU-wide marketing authorisation, however only the results of certain in vitro diagnostic tests will be considered valid.

(more…)