FDA Issues Artificial Intelligence/Machine Learning Action Plan

On January 12, 2021, the US Food and Drug Administration (FDA) released its Artificial Intelligence/Machine Learning (AI/ML)-Based Software as a Medical Device (SaMD) Action Plan. The Action Plan outlines five actions that FDA intends to take to further its oversight of AI/ML-based SaMD:

  1. Further develop the proposed regulatory framework, including through draft guidance on a predetermined change control plan for “learning” ML algorithms
    • FDA intends to publish the draft guidance on the predetermined change control plan in 2021 in order to clarify expectations for SaMD Pre-Specifications (SPS), which explain what “aspects the manufacturer changes through learning,” and Algorithm Change Protocol (ACP), which explains how the “algorithm will learn and change while remaining safe and effective.” The draft guidance will focus on what should be included in an SPS and ACP in order to ensure safety and effectiveness of the AI/ML SaMD algorithms. Other areas of focus include identification of modifications appropriate under the framework and the submission and review process.
  2. Support development of good machine learning practices (GMLP) to evaluate and improve ML algorithms
    • GMLPs are critical in guiding product development and oversight of AI/ML products. FDA has developed relationships with several communities, including the Institute of Electrical and Electronics Engineers P2801 Artificial Intelligence Medical Device Working Group, the International Organization for Standardization/International Electrotechnical Commission Joint Technical Committee 1/Subcommittee 42 (ISO/IEC JTC 1/SC 42) – Artificial Intelligence, and the Association for the Advancement of Medical Instrumentation/British Standards Institution Initiative on AI in medical technology. FDA is focused on working with these communities to come to a consensus on GMLP requirements.
  3. Foster a patient-centered approach, including transparency
    • FDA would like to increase patient education to ensure that users have important information about the benefits, risks and limitations of AI/ML products. To that end, FDA held a Patient Engagement Advisory meeting in October 2020, and the agency will use input gathered during the meeting to help identify types of information that it will recommend manufacturers include in AI/ML labeling to foster education and promote transparency.
  4. Develop methods to evaluate and improve ML algorithms
    • To address potential racial, ethnic or socio-economic bias that may be inadvertently introduced into AI/ML systems trained on historical datasets, FDA intends to collaborate with researchers to improve methodologies for the identification and elimination of bias, and to improve the algorithms’ robustness in adapting to varying clinical inputs and conditions.
  5. Advance real world performance monitoring pilots
    • FDA states that gathering real world performance data on the use of the SaMD is an important risk-mitigation tool, as it may allow manufacturers to understand how their products are being used, how they can be improved, and what safety or usability concerns manufacturers need to address. To provide clarity and direction related to real world performance data, FDA supports the piloting of real world performance monitoring. FDA will develop a framework for gathering, validating and evaluating relevant real world performance parameters and metrics.

As discussed in detail here, in April 2019, FDA issued a white paper, “Proposed Regulatory Framework for Modifications to Artificial Intelligence/Machine Learning (AI/ML)-Based Software as a Medical Device,” announcing steps to consider a new regulatory framework to promote the development of safe and effective medical devices that use advanced AI algorithms. The Action Plan comes in response to stakeholder feedback on the white paper and FDA’s February 2020 Public Workshop on the Evolving Role of Artificial Intelligence in Radiological Imaging.

The Action Plan is a helpful step in developing a concrete regulatory strategy to address the development, safety and effectiveness, and post-market monitoring of AI/ML tools. FDA has identified key areas of assessment and risk in broad strokes, but input from stakeholders in the ecosystem is critical to the implementation of strategies that address the practical realities of bringing these tools to market. FDA encourages public engagement with the agency and the Action Plan is open for public comment here.



Waiver of State Licensure Requirements for the Delivery of COVID-19 Countermeasures via Telehealth

In a fourth amendment to the March 17, 2020, Public Readiness and Emergency Preparedness Act (PREP Act), the US Department of Health and Human Services (HHS) has expanded access to COVID-19 Covered Countermeasures through telehealth and clarified the scope of liability protections provided by the PREP Act. In particular, the declaration is important to telehealth providers because it appears to preempt, under certain circumstances, state laws that have limited cross-border practice of medicine using telehealth. Healthcare providers should take note that the licensure exception and any immunity protections are limited to healthcare providers who are ordering or administering a Covered Countermeasure and there is no indication of intent to expand beyond these focused measures.




California Voters Approve the California Privacy Rights Act

On November 3, 2020, California voters passed the California Privacy Rights Act (CPRA) ballot initiative with slightly under 60% of votes to approve the measure (as of publication). The ballot initiative, which was submitted by the architects of the California Consumer Privacy Act of 2018 (CCPA), had earlier garnered 900,000 signatures—far more than the roughly 625,000 necessary for certification on the 2020 ballot.

The CPRA amends the CCPA, adds new consumer rights, clarifies definitions and creates comprehensive privacy and data security obligations for processing and protecting personal information. These material changes will require businesses to—again—reevaluate their privacy and data security programs to comply with the law.

Effective date and timeline for enforcement

The CPRA amendments become operative on January 1, 2023, and will apply to personal information collected by businesses on or after January 1, 2022 (except with respect to a consumer’s right to access their personal information). Enforcement of the CPRA amendments will not begin until July 1, 2023.

The CCPA’s existing exemptions for business contacts, employees, job applicants, owners, directors, officers, medical staff members and independent contractors will remain in effect until December 31, 2022.

The newly created California Privacy Protection Agency (“Agency”) will be required to adopt final regulations by July 1, 2022. For more information about the Agency and its role in enforcing the amended CCPA, see our previous article.

The passage of the CPRA does not affect the enforceability of the CCPA as currently implemented.

New rights under the CPRA

In addition to the CCPA’s rights to know, to delete, and to opt out of the sale of personal information, the CPRA creates the following new rights for California consumers:

  • The right to correct personal information
  • The right to limit the use of sensitive personal information
  • The right to opt out of the “sharing” of personal information

These rights are explained in greater detail in our previous article.

New compliance obligations for businesses subject to the CPRA

The CPRA creates new obligations that are similar to the data processing principles found in the European Union’s General Data Protection Regulation (GDPR). Such responsibilities include:

  • Transparency: Businesses must specifically and clearly inform consumers about how they collect and use personal information and how they can exercise their rights and choice;
  • Purpose limitation: Businesses may only collect consumers’ personal information for specific, explicit and legitimate disclosed purposes and may not further collect, use or disclose consumers’ personal information for reasons incompatible with those purposes;
  • Data minimization: Businesses may collect consumers’ personal information only to the extent that it is relevant and necessary to the purposes for which it is being collected, used and shared;
  • Consumer rights: Businesses must provide consumers with easily accessible means to obtain their personal information, delete it or correct it, to opt out of its sale and of its sharing across platforms, services, businesses and devices, and to limit the use of their sensitive personal information; and
  • Security: Businesses are required to take reasonable precautions to protect consumers’ personal information from a security breach.

The Agency’s rulemaking will also contain a number of new requirements, including:

  • A requirement that businesses whose processing of consumers’ personal information presents significant risk to consumers’ privacy or security to: (i) perform a cybersecurity audit on an annual basis; and (ii) submit to the Agency on a regular basis a risk assessment with respect to their processing of personal information;
  • A requirement that businesses provide access and opt-out rights with respect to their use of automated decision-making technology, including profiling, and requiring a business’ response to access requests to include meaningful information about the logic involved in that decision-making process; and
  • Expanded requirements and technical specifications for an opt-out preference signal indicating a consumer’s intent to opt out of the sale or sharing of personal information or to limit the use or disclosure of the consumer’s sensitive personal information.

Additional obligations are described in more detail in our previous article.

Do businesses need to scrap their CCPA compliance programs and start over with a new CPRA compliance program?

Absolutely not. An existing CCPA compliance program will be an important and necessary foundation for CPRA compliance. Businesses subject to CPRA will, however, need to expand their existing compliance programs to include, for example, updates to privacy notices (including their privacy policy and notice at collection), procedures for additional consumer rights, updates to service provider and contractor agreements, new record-keeping requirements and cybersecurity assessments.

What should businesses be doing now?

Although the CPRA’s amendments will not be enforceable until 2023, we recommend that businesses:

  • Review the revised definition of “business” to determine whether the amended CCPA will still apply to their operations. The proposed amendments: (i) increase the threshold related to buying, selling or sharing personal information from 50,000 consumers or households to 100,000 consumers or households; (ii) narrow the “common branding” applicability test to bring into scope only commonly branded related entities with whom a business shares consumers’ personal information; (iii) bring into scope joint ventures or partnerships where the businesses involved have at least a 40% interest; and (iv) bring into scope any business that voluntarily certifies to the Agency that it is in compliance with and agrees to be bound by the law.
  • Consider how the business will document and map its uses of sensitive personal information for purposes of complying with consumer requests to limit the use of their sensitive personal information.
  • Determine whether the new obligations and requirements can be implemented only for California consumers, or whether it would be easier for the business to implement these obligations and requirements for all of its consumers, whether or not they reside in California.
  • Consider and plan for the budget and resources you may need to bring your current CCPA program into compliance with the CPRA amendments.

Are more changes to California privacy law expected?

Because the CPRA is subject to amendment by the California legislature through the normal legislative process, we recommend continuing to monitor the developments and modify preparations accordingly.



Federal Agencies Partner to Warn Healthcare Systems of Imminent Cyber Threat

US hospitals and healthcare systems should be on high alert after a rare joint advisory issued by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS) warning all US hospitals and healthcare providers of an “increased and imminent cybercrime threat to US hospitals and healthcare providers.” The joint advisory can be found here.




New Proposed CCPA Regulations Add Clarity to Process for Opting Out of Sale of Personal Information

On October 12, 2020, the California Department of Justice announced the release of a new, third set of proposed modifications to the California Consumer Privacy Act (CCPA) regulations. The proposed modifications amend a final set of regulations that were approved by the California Office of Administrative Law just two months earlier.

The Third Set of Proposed Modifications to the CCPA Regulations released on October 12 does not make substantial changes to the previously finalized set of CCPA regulations. The majority of the proposed modifications serve to clarify existing requirements rather than add new requirements or materially alter existing ones. As a result, the new proposed modifications should help businesses better understand what is expected to maintain compliance with certain aspects of the CCPA.

Process for Opting Out of Sale of Personal Information

The Department of Justice proposed to amend Sections 999.306(b)(3) and 999.315(h) to provide more detail about how a business should provide the right to opt out of the sale of personal information. Specifically, the Department of Justice:

  • Provides illustrative examples of how a business that collects personal information offline can provide its opt-out notice offline—through paper forms, posting signage directing consumers to an online notice or orally over the phone.
  • Makes clear that the methods for submitting opt-out requests should be easy for consumers to find and execute. For example, consumers should not have to search or scroll to find where to submit a request to opt out after clicking on the “Do Not Sell My Personal Information” link. A business should not use confusing language, try to impair a consumer’s choice to opt out or require a consumer to read through or listen to reasons why they should not opt out before confirming their request. In addition, the process for requesting to opt out shall collect only the amount of personal information necessary to execute the request.

Verifying Authorized Agent

The Department of Justice added language to Section 999.326(a) clarifying what a business may request to verify that an agent is authorized to act on a consumer’s behalf. Specifically, a business may require an authorized agent to provide proof of signed permission from the consumer for the agent to submit the request. In addition, the business may require the consumer to either verify their own identity directly with the business or directly confirm with the business that they provided the authorized agent permission to submit the request. Previously, a business had to go through the consumer to verify the authorized agent. Now, a business can verify the authorized agent directly.

Notices to Consumers Under 16 Years of Age

Finally, the Department of Justice clarified in Section 999.332(a) that all businesses that sell personal information about children must describe in their privacy policies the processes used to obtain consent from the child or parent (as applicable). Previously, the regulations were worded such that only a business that sells the personal information of both consumers under 13 and consumers between 13 and 15 had to describe the processes used to comply with the CCPA’s consent requirements for minors.

Next Steps

The Department of Justice stated that it will accept written comments on the new proposed modifications until October 28, 2020. All timely comments will be reviewed and responded to by the Department’s staff as part of the compilation of the rulemaking file. In the meantime, we recommend reviewing forms and procedures used to comply with the CCPA’s opt-out, agent verification and children’s consent requirements against the proposed modifications to determine whether any updates may be needed.


