Digital health companies are producing innovative products at a rapidly accelerating pace and experiencing a boom in investments and demand as the regulatory environment becomes more supportive of digital health services to both improve patient care and stay profitable. Protecting intellectual property (IP) and building a feasible data strategy to support the research and development endeavor are essential steps for companies in their drive toward commercialization and return on their investment. On this episode of the Of Digital Interest podcast, McDermott partners Bernadette Broccolo (Health) and Ahsan Shaikh (IP) explore key issues for digital health companies, their collaboration partners and investors, and start-ups to consider, including:

  • What is currently patent eligible in the digital health space?
  • What patent-eligible trends and opportunities are we seeing?
  • How do laws governing data sharing among digital health collaborators impact the research and development effort and associated IP rights?
  • What challenges and opportunities do artificial intelligence, blockchain and machine learning present for digital health innovators?

When it comes to market success for digital tools in the health sector, business strategy can be far more complex than in other industries. Understanding customer-driven market trends is important, but healthcare’s complexity can camouflage customer demand and its regulatory ecosystem adds layers of additional considerations.

Customer Demand and Digital Solutions

The convenience, competitive pricing, answers-at-your-fingertips responsiveness and hyper-personalization delivered by top technology brands and their integration into other industry sectors have created an expectation for digital health solutions that deliver the same experience.

In some instances, consumers are finding the solutions. For example, telemedicine is gaining momentum as consumers discover that digital interactions with high-quality providers are oftentimes more convenient and less expensive than face-to-face encounters. Other tools are providing access to prescriptions, better health condition management solutions, better information sharing enabling smoother transitions among care settings, and more efficiency in everything from hospital operations to scheduling appointments to identifying in-network care options.

When it comes to business strategy, however, digital health solutions need to recognize that consumer pressures are frequently at odds with existing incentives within care delivery systems and, perhaps, legal and regulatory requirements. Accordingly, it is critical not just from a compliance perspective but also from a business strategy perspective to navigate the healthcare industry’s unique market and regulatory dynamics.

Balancing Demand with Reality
Continue Reading Digital Health Business Strategy: A Careful Balance

With the California Consumer Privacy Act of 2018 (CCPA) having taken effect on January 1, 2020, the privacy and data security landscape for insurance carriers, producers and insurtech (collectively, “insurers”) continues to grow more complex. A number of states have also recently passed laws regulating data security in the insurance industry, with the first transition period under a number of these laws set to end in 2020. Given the significant amount of sensitive personal information that insurers collect, process and retain, this trend of increased privacy and data security regulation within the insurance industry is likely to continue. To stay ahead of these new privacy and data security requirements, insurers need to take steps now to navigate the increasingly complex regulatory landscape.

How Does the CCPA Impact Insurers?

On January 1, 2020, California became the first state in the United States to enact comprehensive privacy legislation that governs the collection, use and sale of personal information of California residents (i.e., consumers) and households. Personal information is broadly defined as any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household. The CCPA applies to “businesses,” which are for-profit entities that determine the purposes and means of processing consumers’ personal information, that do business in California and that meet certain applicability thresholds.

Insurers operating in California that meet the CCPA applicability thresholds will be deemed “businesses” subject to a number of obligations under the CCPA, including disclosure obligations and requirements related to consumer privacy rights. While these obligations can be quite onerous, the vast majority of personal information that many personal line insurers collect, process and retain will likely fall under an exemption in the CCPA. The CCPA includes exemptions for:

Continue Reading Privacy and Data Security: 2020 Considerations for the Insurance Industry

The digital health space had a strong start to 2020 with two of the industry’s largest conferences leading the conversation on what’s to come for digital health companies, deals, products and the regulatory outlook in the coming year. The Consumer Electronics Show (CES) launched its Digital Health programming track in Las Vegas this year and the J.P. Morgan Healthcare Conference continued to bring thousands of healthcare investors from numerous sectors together in San Francisco.

On this episode of the Of Digital Interest podcast, McDermott partners Sarah Hogan and Dale Van Demark share their takeaways from the conferences, where they were on the ground and moderating discussions. This episode explores:

  • The role of digital therapeutics in the digital health marketplace
  • The role of the consumer in digital health adoption
  • Forward-looking thoughts on digital health collaborations
  • The importance of data, privacy and trust for the future of digital health solutions

On January 30, 2020, the US Department of Defense (DoD) released version 1.0 of the Cybersecurity Maturity Model Certification (CMMC) framework, which is available here, with appendices available here. This highly anticipated 390-page release supersedes the prior draft versions, the last of which was released in December 2019. The DoD will begin requiring contractors to obtain certification under the CMMC later this year, giving companies in the supply chain little time to assess their obligations, identify and remediate cybersecurity weaknesses that might preclude their desired certification, retain an appropriate certification vendor and obtain the certification.

This certification process raises a host of legal considerations. For instance, the identification of cyber weaknesses requires a candid and thorough assessment that will result in a list of the areas where the contractor’s cybersecurity is lacking. This list may be critical in mitigating cyber risks, helping to plan for certification and in reducing the business risks that would result from a failed certification effort, but it also can be highly damaging from a legal risk perspective, especially in the hands of plaintiffs’ lawyers or regulators that may want to use it to support allegations of inadequate security. The same information required to support certification could be used to establish that a DoD contractor knew of risks and failed to take action.

These considerations underscore the importance of involving legal counsel in the process and taking steps to support a claim that key self-critical deliverables are protected under attorney-client and/or work-product privileges, while also ensuring that the contractor fully prepares for CMMC certification.

Why Did the DoD Create the CMMC?

The DoD created the CMMC to combat malicious cyber actors targeting intellectual property in the DoD’s supply chain, as such attacks threaten economic security and national security. The CMMC encompasses the security requirements for controlled unclassified information (CUI) specified in NIST SP 800-171 for DFARS Clause 252.204-7012 as well as the basic safeguarding requirements for federal contract information (FCI) specified in FAR Clause 52.204-22.

Continue Reading Tackling Increased Cybersecurity Requirements in the Defense Industrial Base

Throughout the past year, the healthcare and life science industries experienced a proliferation of digital health innovation that challenged traditional notions of healthcare delivery and payment, as well as product research, development and commercialization, for long-standing and new stakeholders alike. Lawmakers and regulators made meaningful progress towards modernizing the existing legal framework to both protect patients and consumers and encourage continued innovation, but these efforts still lag behind the pace of digital health innovation. As a result, some obstacles, misalignment and ambiguity remain, and 2020 will likely be another year of significant legal and regulatory change.

Click here to read our review of key developments that shaped digital health in 2019 and set the groundwork for trends in 2020.

The California Consumer Privacy Act (CCPA) has forced companies across the United States (and even globally) to seriously consider how they handle the personal information they collect from consumers. By its terms, however, the CCPA only protects the privacy interests of California residents; other “copy-cat” privacy laws proposed or enacted in other states similarly would only protect the rights of residents of each state. Given the burden on businesses imposed by the rapid proliferation of privacy and data protection laws, including data breach notification obligations, requirements for data transfer mechanisms imposed by international data protection laws (such as the EU General Data Protection Regulation (GDPR)), and the imposition of a variety of data subject rights, a comprehensive US federal privacy bill appears increasingly overdue.

In the past year, US legislators have proposed a wide variety of data privacy laws—none of which seems to have gained significant traction. In November 2019, two new proposals were released in the Senate: the Consumer Online Privacy Rights Act (COPRA), sponsored by Senate Democrats, and the United States Consumer Data Privacy Act of 2019 (CDPA), proposed by Senate Republicans. Both proposals require covered entities to:

Continue Reading Comprehensive Federal Privacy Law Still Pending

The California Consumer Privacy Act (CCPA) is not yet one month old, but movement has already started on a new California privacy law. In November 2019, the advocacy group Californians for Consumer Privacy, led by Alastair Mactaggart, the architect of CCPA, submitted a proposed California ballot initiative to the Office of the California Attorney General that would build upon the consumer privacy protections and requirements established by CCPA. In December 2019, as required under state law, California Attorney General Xavier Becerra released a title for and summary of the proposed ballot initiative, which will be known as the California Privacy Rights Act (CPRA).

Key Provisions of the CPRA

CPRA seeks to give California consumers additional control over and protection of their personal information in five core ways.

Continue Reading CCPA Has Just Gone Into Effect, But Businesses May Need to Prepare for a New California Privacy Law

On January 1, 2020, the California Consumer Privacy Act of 2018 (CCPA) went into effect. The CCPA applies to a wide range of companies and broadly governs the collection, use and sale of personal information of California residents (i.e., consumers and certain other individuals) and households.

The CCPA provides that consumers may seek statutory damages of between $100 and $750, or actual damages if greater, against a company in the event of a data breach of nonredacted and nonencrypted personal information that results from the company’s failure to implement reasonable security. The amount of the statutory damages depends on factors such as the nature and seriousness of the company’s misconduct, the number of violations, the persistence of the company’s misconduct, the length of time over which the misconduct occurred, and the company’s assets, liabilities and net worth. To defend against these consumer actions, a company must show that it has implemented and maintains reasonable security procedures and practices appropriate to the nature of the personal information it is processing.

This CCPA private right of action promises to shake up the data breach class action landscape in which such actions have generally been settled for small amounts or dismissed due to lack of injury. With the CCPA, companies now face potentially staggering damages in relation to a breach. To provide some context, a data breach affecting the personal information of 1,000 California consumers may result in statutory damages ranging from $100,000 to $750,000, and a data breach affecting the personal information of one million California consumers may result in statutory damages ranging from $100 million to $750 million. These potential statutory damages dwarf almost every previous large data breach settlement in the United States.

To mitigate the risk of this increased exposure, companies need to take key steps to ensure they have implemented reasonable security procedures and practices.

What Is Reasonable Security?

Continue Reading CCPA and ‘Reasonable Security’: A Game Changer

As businesses have scrambled to obtain compliance with the California Consumer Privacy Act (CCPA) in recent months, questions surrounding its constitutionality have arisen. As a broad, sometimes unclear state law that imposes significant obligations on businesses around the country, CCPA may be ripe for legal challenge. The strongest bases for such challenges appear to be: (1) that CCPA violates the “Dormant Commerce Clause”; and (2) that CCPA is impermissibly vague.

Dormant Commerce Clause

The burden that CCPA imposes on out-of-state economic activity may place it in violation of the Dormant Commerce Clause, a legal doctrine created out of the Commerce Clause of the US Constitution. The Commerce Clause allows the US Congress to regulate interstate commerce; from this grant of power, courts have inferred a limitation on the authority of states to regulate interstate commerce, a doctrine coined the Dormant Commerce Clause. On this basis, courts will strike down state laws that explicitly discriminate against out-of-state actors or that regulate activity that occurs entirely outside of the state. In addition, the Dormant Commerce Clause prohibits laws that do not explicitly discriminate against out-of-state economic interests if the effect of a law is to unduly burden interstate commerce. If a state law does unduly burden out-of-state interests, a court will typically balance the burdens imposed on interstate commerce against the benefits the law creates for the state to determine whether or not the law should be upheld.

Continue Reading Though CCPA is Now Live, Questions About Its Constitutionality Linger