Three Digital Health Trends Affecting Investors in 2021

Private equity deal volume hit a low in the first half of 2020 as the pandemic slowed the US and global economies. But toward the end of the year, deals began picking back up, particularly in the digital health space.

COVID-19 forced healthcare providers to shift from in-person to virtual care, and technology was the vehicle to make that switch possible. Investors noticed, and more deals focused on companies specializing in telehealth, remote patient monitoring and other technology platforms that facilitate communication among specialists.

Expect this trend to continue in 2021, and keep these three factors in mind when evaluating the digital health landscape.

Easing of Laws and Regulations Surrounding Telehealth and Digital Health

Both telehealth and digital health are highly regulated, as every state has laws and regulations that govern how care is provided virtually and how those services are billed. In response to the pandemic, we’ve seen flexibility with these laws and regulations, and the Biden administration has signaled that it might make some flexibilities permanent.

Investment opportunities will likely increase as a result of the Biden administration’s willingness to lower some of the longstanding barriers to coverage and payment for virtual services, including telehealth, remote patient monitoring and other related services. That’s a positive sign for firms looking at healthcare through the lens of a technology solution.

Reallocation of Resources Due to Vaccine Rollout

Since the onset of the pandemic, labs have conducted a huge volume of testing and have had to ramp up personnel and other resources. Plus, the vast majority of COVID-19 tests must be ordered by a physician or nurse, further straining available resources.

While testing will likely continue in some capacity for a long time, the number of tests will presumably decline steadily as more people are vaccinated. That means capacity will open up, both for healthcare providers who were ordering the tests and for lab companies that were performing them. As a result, firms should begin asking themselves:

  • Where are there opportunities to shift focus and resources previously devoted to testing?
  • What other conditions lend themselves to at-home testing?
  • Where can companies shift efforts that were previously focused on reviewing orders?

Addressing Mental Health and the Other Epidemic

COVID-19 obviously emerged as the foremost health emergency of the past year. But it’s important to remember that the United States is still in the midst of an opioid addiction epidemic.

On top of that, COVID-19 has been hard on many people’s mental health. In response, many employers have made mental health a higher priority, and that trend is likely to continue, even as employees return to the workplace. In 2021, investors are likely to continue to emphasize digital health tools and service offerings that are focused on mindfulness and behavior health.

To learn more from Lisa and other thought leaders about the healthcare investing landscape heading into 2021, you can view a recording of The Deal’s webinar here.



Brexit/GDPR: European Commission Publishes Draft Adequacy Decision for Data Transfers

On 19 February 2021, the European Commission published the draft for an adequacy decision regarding transfers of personal data to the UK. For businesses in the European Union (and EEA) who transfer data to business partners and vendors in the UK, it will be crucial that the final decision is made before the end of June 2021.

Thanks to an additional transitional period for data transfers in the last-minute EU-UK Trade and Cooperation Agreement (TCA), the worst fears of data protection experts that the UK could become a “third country” overnight did not materialise. However, this period ends no later than in June 2021.

While the chances that final decision will be issued in time have now increased, companies in the EU/EEA should be aware that this is not guaranteed. In case the Commission fails to authorize data transfers to the UK, businesses should – if no other safeguards are present – be prepared enter into the standard contractual clauses (SCCs, aka Model Contracts) in order to comply with the GDPR.

McDermott can help you with identifying data transfers to the UK and choosing the right SCCs.



FDA Issues Artificial Intelligence/Machine Learning Action Plan

On January 12, 2021, the US Food and Drug Administration (FDA) released its Artificial Intelligence/Machine Learning (AI/ML)-Based Software as a Medical Device (SaMD) Action Plan. The Action Plan outlines five actions that FDA intends to take to further its oversight of AI/ML-based SaMD:

  1. Further develop the proposed regulatory framework, including through draft guidance on a predetermined change control plan for “learning” ML algorithms
    • FDA intends to publish the draft guidance on the predetermined change control plan in 2021 in order to clarify expectations for SaMD Pre-Specifications (SPS), which explain what “aspects the manufacturer changes through learning,” and Algorithm Change Protocol (ACP), which explains how the “algorithm will learn and change while remaining safe and effective.” The draft guidance will focus on what should be included in an SPS and ACP in order to ensure safety and effectiveness of the AI/ML SaMD algorithms. Other areas of focus include identification of modifications appropriate under the framework and the submission and review process.
  2. Support development of good machine learning practices (GMLP) to evaluate and improve ML algorithms
    • GMLPs are critical in guiding product development and oversight of AI/ML products. FDA has developed relationships with several communities, including the Institute of Electrical and Electronics Engineers P2801 Artificial Intelligence Medical Device Working Group, the International Organization for Standardization/ Joint Technical Committee 1/ SubCommittee 42 (ISO/ IEC JTC 1/SC 42) – Artificial Intelligence, and the Association for the Advancement of Medical Instrumentation/British Standards Institution Initiative on AI in medical technology. FDA is focused on working with these communities to come to a consensus on GMLP requirements.
  3. Foster a patient-centered approach, including transparency
    • FDA would like to increase patient education to ensure that users have important information about the benefits, risks and limitations of AI/ML products. To that end, FDA held a Patient Engagement Advisory meeting in October 2020, and the agency will use input gathered during the meeting to help identify types of information that it will recommend manufacturers include in AI/ML labeling to foster education and promote transparency.
  4. Develop methods to evaluate and improve ML algorithms
    • To address potential racial, ethical or socio-economic bias that may be inadvertently introduced into AI/ML systems that are trained using data from historical datasets, FDA intends to collaborate with researchers to improve methodologies for the identification and elimination of bias, and to improve the algorithms’ robustness to adapt to varying clinical inputs and conditions.
  5. Advance real world performance monitoring pilots
    • FDA states that gathering real world performance data on the use of the SaMD is an important risk-mitigation tool, as it may allow manufacturers to understand how their products are being used, how they can be improved, and what safety or usability concerns manufacturers need to address. To provide clarity and direction related to real world performance data, FDA supports the piloting of real world performance monitoring. FDA will develop a framework for gathering, validating and evaluating relevant real world performance parameters and metrics.

As discussed in detail here, in April 2019, FDA issued a white paper, “Proposed Regulatory Framework for Modifications to Artificial Intelligence/Machine Learning (AI/ML)-Based Software as a Medical Device,” announcing steps to consider a new regulatory framework to promote the development of safe and effective medical devices that use advanced AI algorithms. The Action Plan comes in response to stakeholder feedback on the white paper and FDA’s February 2020 Public Workshop on the Evolving Role of Artificial Intelligence in Radiological Imaging.

The Action Plan is a helpful step in developing a concrete regulatory strategy to address the development, safety and effectiveness, and post-market monitoring of AI/ML tools. FDA has identified key areas of assessment and risk in broad strokes, but input from stakeholders in the ecosystem is critical to the implementation of strategies that address the practical realities of bringing these tools to market. FDA encourages public engagement with the agency and the Action Plan is open for public comment here.



Waiver of State Licensure Requirements for the Delivery of COVID-19 Countermeasures via Telehealth

In a fourth amendment to the March 17, 2020, Public Readiness and Emergency Preparedness Act (PREP Act), the US Department of Health and Human Services (HHS) has expanded access to COVID-19 Covered Countermeasures through telehealth and clarified the scope of liability protections provided by the PREP Act. In particular, the declaration is important to telehealth providers because it appears to preempt, under certain circumstances, state laws that have limited cross-border practice of medicine using telehealth. Healthcare providers should take note that the licensure exception and any immunity protections are limited to healthcare providers who are ordering or administering a Covered Countermeasure and there is no indication of intent to expand beyond these focused measures.

Access the article.



California Voters Approve the California Privacy Rights Act

On November 3, 2020, California voters passed the California Privacy Rights Act (CPRA) ballot initiative with slightly under 60% of votes to approve the measure (as of publication). The ballot initiative, which was submitted by the architects of the California Consumer Privacy Act of 2018 (CCPA), had earlier garnered 900,000 signatures—far more than the roughly 625,000 necessary for certification on the 2020 ballot.

The CPRA amends the CCPA, adds new consumer rights, clarifies definitions and creates comprehensive privacy and data security obligations for processing and protecting personal information. These material changes will require businesses to—again—reevaluate their privacy and data security programs to comply with the law.

Effective date and timeline for enforcement

The CPRA amendments become operative on January 1, 2023, and will apply to personal information collected by businesses on or after January 1, 2022 (except with respect to a consumer’s right to access their personal information). Enforcement of the CPRA amendments will not begin until July 1, 2023.

The CCPA’s existing exemptions for business contacts, employees, job applicants, owners, directors, officers, medical staff members and independent contractors will remain in effect until December 31, 2022.

The newly created California Privacy Protection Agency (“Agency”) will be required to adopt final regulations by July 1, 2022. For more information about the Agency and its role in enforcing the amended CCPA, see our previous article.

The passage of the CPRA does not affect the enforceability of the CCPA as currently implemented.

New rights under the CPRA

In addition to the CCPA’s rights to know, to delete, and to opt out of the sale of personal information, the CPRA creates the following new rights for California consumers:

  • The right to correct personal information
  • The right to limit the use of sensitive personal information
  • The right to opt out of the “sharing” of personal information

These rights are explained in greater detail in our previous article.

New compliance obligations for businesses subject to the CPRA?

The CPRA creates new obligations that are similar to the data processing principles found in the European Union’s General Data Protection Regulation (GDPR). Such responsibilities include:

  • Transparency: Businesses must specifically and clearly inform consumers about how they collect and use personal information and how they can exercise their rights and choice;
  • Purpose limitation: Businesses may only collect consumer’s personal information for specific, explicit and legitimate disclosed purposes and may not further collect, use or disclose consumers’ personal information for reasons incompatible with those purposes;
  • Data minimization: Businesses may collect consumers’ personal information only to the extent that it is relevant and necessary to the purposes for which it is being collected, used and shared;
  • Consumer rights: Businesses must provide consumers with easily accessible means to obtain their personal information, delete it or correct it, and to opt out of its sale and the sharing across business platforms, services, businesses and devices, and to limit the use of their sensitive information; and
  • Security: Businesses are required to take reasonable precautions to protect consumers’ personal information from a security breach.

The Agency’s rulemaking will also contain a number of new requirements, including:

  • A requirement that businesses whose processing of consumers’ personal information presents significant risk to consumers’ privacy or security to: (i) perform a cybersecurity audit on an annual basis; and (ii) submit to the Agency on a regular basis a risk assessment with respect to their processing of personal information;
  • A requirement that businesses provide access and opt-out rights with respect to their use of automated decision-making technology, including profiling, and requiring a business’ response to access requests to include meaningful information about the logic involved in that decision-making process; and
  • Expanded the requirements and technical specifications for an opt-out preferences signal to indicate a consumer’s intent to opt out of the sale or sharing of personal information or to limit the use or disclosure of the consumer’s sensitive personal information.

Additional obligations are described in more detail in our previous article.

Do businesses need to scrap their CCPA compliance programs and start over with a new CPRA compliance program?

Absolutely not. An existing CCPA compliance program will be an important and necessary foundation for CPRA compliance. Businesses subject to CPRA will, however, need to expand their existing compliance programs to include, for example, updates to privacy notices (including their privacy policy and notice at collection), procedures for additional consumer rights, updates to service provider and contractor agreements, new record-keeping requirements and cybersecurity assessments.

What should businesses be doing now?

Although the CPRA’s amendments will not be enforceable until 2023, we recommend that businesses:

  • Review the revised definition of “business” to determine whether the amended CCPA will still apply to their operations. The proposed amendments: (i) increase the threshold related to buying, selling or sharing personal information from 50,000 consumers or households to 100,000 consumers or households; (ii) narrow the “common branding” applicability test to bring into scope only commonly branded related entities with whom a business shares consumers’ personal information; (iii) bring into scope joint ventures or partnerships where the businesses involved have at least a 40% interest; and (iv) bring into scope any business that voluntarily certifies to the Agency that it is in compliance with and agrees to be bound by the law.
  • Consider how the business will document and map its uses of sensitive personal information for purposes of complying with consumer requests right to limit the use of their sensitive personal information.
  • Determine whether the new obligations and requirements can be implemented only for California consumers, or whether it would be easier for the business to implement these obligations and requirements for all of its consumers, whether or not they reside in California.
  • Consider and plan for the budget and resources you may need to bring your current CCPA program into compliance with the CPRA amendments.

Are more changes to California privacy law expected?

Because the CPRA is subject to amendment by the California legislature through the normal legislative process, we recommend continuing to monitor the developments and modify preparations accordingly.



STAY CONNECTED

TOPICS

ARCHIVES