Photo of Michael W. Ryan

Michael W. Ryan advises manufacturers, health care providers, developers, and investors on the legal, regulatory, and reimbursement issues that arise during the development and commercialization of medical devices, drugs, biological products, and clinical laboratory testing services. Read Michael Ryan's full bio.

Designed to provide business leaders and their key advisors with the knowledge and insight they need to grow and sustain successful digital health initiatives, we are pleased to present The Law of Digital Health, a new book edited and authored by McDermott’s team of distinguished digital health lawyers, and published by AHLA.

Visit www.mwe.com/lawofdigitalhealth to order this comprehensive legal and regulatory analysis, coupled with practical planning and implementation strategies. You can also download the Executive Summary and hear more about how Digital Health is quickly and dynamically changing the health care landscape.

Explore more!

Throughout 2017, the health care and life sciences industries experienced a widespread proliferation of digital health innovation that presents challenges to traditional notions of health care delivery and payment as well as product research, development and commercialization for both long-standing and new stakeholders. At the same time, lawmakers and regulators made meaningful progress toward modernizing the existing legal framework in a way that will both adequately protect patients and consumers and support and encourage continued innovation, but their efforts have not kept pace with what has become the light speed of innovation. As a result, some obstacles, misalignment and ambiguity remain.

We are pleased to bring you this review of key developments that shaped digital health in 2017, along with planning considerations and predictions for the digital health frontier in the year ahead.

Read the full Special Report.

On July 29, 2016, the US Food and Drug Administration (FDA) finalized General Wellness: Policy for Low Risk Devices Guidance (Final Guidance) detailing its risk-based regulatory approach to relax certain regulatory requirements for low risk products that promote a healthy lifestyle—coined “general wellness products.” In the Final Guidance, the FDA makes minimal substantive changes to the policies articulated in its January 2015 draft guidance. Notably, however, the Final Guidance added and refined several examples to illustrate the products that are subject to FDA’s enforcement discretion and ultimately outside FDA’s intended scope of regulatory oversight.

Read the full article, FDA Finalizes Guidance on Low Risk General Wellness Devices here.

This week, the Federal Trade Commission (FTC or Commission) released an interactive tool (entitled the “Mobile Health Apps Interactive Tool”) that is intended to help developers identify the federal law(s) that apply to apps that collect, create and share consumer information, including health information. The interactive series of questions and answers augments and cross-references existing guidance from the US Department of Health and Human Service (HHS) that helps individuals and entities—including app developers—understand when the Health Insurance Portability and Accountability Act (HIPAA) and its rules may apply.  The tool is also intended to help developers determine whether their app is subject to regulation as a medical device by the FDA, or subject to certain requirements under the Federal Trade Commission Act (FTC Act) or the FTC’s Health Breach Notification Rule. The Commission developed the tool in conjunction with HHS, FDA and the Office of the National Coordinator for Health Information Technology (ONC).

Based on the user’s response to ten questions, the tool helps developers determine if HIPAA, the Federal Food, Drug, and Cosmetic Act (FDCA), FTC Act and/or the FTC’s Health Breach Notification Rule apply to their app(s). Where appropriate based on the developer’s response to a particular question, the tool provides a short synopsis of the potentially applicable law and links to additional information from the appropriate federal government regulator.

The first four questions cover a developer’s potential obligations under HIPAA. The first question explores whether an app creates, receives, maintains or transmits individually identifiable health information, such as an IP address. Developers may use the tool’s second, third and fourth questions to assess whether they are a covered entity or a business associate under HIPAA. The tool’s fifth, sixth and seventh questions help developers establish whether their app may be a medical device that the FDA has chosen to regulate.  The final three questions are intended to help users assess the extent to which the developer is subject to regulation by the FTC.

Although the tool provides helpful, straightforward guidance, users will likely need a working knowledge of relevant regulatory principles to successfully use the tool.  For example, the tool asks the user to identify whether the app is “intended for use” for diagnosis, cure, mitigation, treatment or disease prevention, but does not provide any information regarding the types of evidence that the FDA would consider to identify a product’s intended use or the intended use of a mobile app (e.g., statements made by the developer in advertising or oral or written statements). In addition, how specifically an app will be offered to individuals to be used in coordination with their physicians can be dispositive of the HIPAA analysis in ways that are not necessarily intuitive.

The tool provides a starting point for developers to raise their awareness of potential compliance obligations. It also highlights the need to further explore the three federal laws, implementing rules and their exceptions. Developers must be aware of the tool’s limitations—it does not address state laws and is not intended to provide legal advice. In fact, the tool does not provide links to the actual text of the laws or regulations and is clearly aimed at non-lawyers.  Nor does the tool highlight all applicable guidance documents provided on the websites for each federal regulator, which shed additional light on what that regulator has determined is within or outside of its oversight.

At a recent public workshop, Dr. Janet Woodcock, director of the U.S. Food and Drug Administration’s (FDA) Center for Drug Evaluation and Research (CDER), announced plans to expand the agency’s use of the Sentinel infrastructure to conduct post-market effectiveness studies.

Sentinel is an electronic surveillance system that aggregates data from electronic medical records, claims and registries that voluntarily participate and allows the agency to track the safety of marketed drugs, biologics and medical devices. As of August 2015, the Sentinel database includes information from 193 million individuals, 4.8 billion instances of prescription dispensing, 5.5 billion unique encounters and 51 million acute inpatient stays.

The FDA currently uses the system to assess post-market safety issues. However, in a February 3, 2016, workshop, Dr. Woodcock announced that the FDA is in the early stages of adapting the Sentinel infrastructure to develop the “Guardian” system, which the agency intends to use to “actively gather information about the performance of regulated medical products” used in health care. At the same workshop, Dr. Steven Anderson of the FDA’s Center for Biologics Evaluation and Research (CBER) described the Guardian system as a parallel system to Sentinel that will rely on the Sentinel infrastructure to assess product effectiveness. According to Dr. Anderson, the FDA is currently assessing the feasibility of using Sentinel to perform effectiveness studies, and over the next five years, intends to develop the system to support a range of clinical trial designs.

The FDA envisions that the Guardian system will help the agency and external researchers quickly and less inexpensively answer questions about the performance of medical products that would otherwise require expensive, time-consuming clinical investigations to assess. The FDA did not specifically address how the agency intends to use the effectiveness data developed using the Guardian system.

The proposed Guardian system represents the FDA’s latest attempt to harness the power of “big data” and to participate in the changes precipitated by digital health strategies and tools to address FDA priorities. In 2014, the FDA launched its openFDA initiative, which gives the general public access to several of the agency’s public data sets (e.g., adverse event reports). Moreover, in December 2015, the FDA launched a beta version of its precisionFDA platform, which is an online, cloud-based platform that is intended to allow scientists from the public and private sectors to test, pilot and validate existing and new bioinformatics approaches for processing the large amounts of data collected using next-generation sequencing (NGS) technology.

The FDA’s efforts to launch the Guardian system mirror “big data” initiatives by other private and public stakeholders seeking to leverage data capture and data mining to pursue important public health, quality improvement, research and cost-containment efforts.

On January 15, 2016,  the U.S. Food and Drug Administration (FDA) published a draft guidance entitled Postmarket Management of Cybersecurity in Medical Devices (Draft Guidance), which outlines FDA’s recommendations for managing postmarket cybersecurity vulnerabilities in medical devices that contain software or programmable logic and software that is a medical device, including networked medical devices. The Draft Guidance represents FDA’s latest attempt to outline principles intended to enhance medical device cybersecurity throughout the product lifecycle.

Read the full article.