On January 7, 2020, the Director of the US Office of Management and Budget (OMB) issued a Draft Memorandum (the Memorandum) to all federal “implementing agencies” regarding the development of regulatory and non-regulatory approaches to reducing barriers to the development and adoption of artificial intelligence (AI) technologies. Implementing agencies are agencies that conduct foundational research, develop and deploy AI technologies, provide educational grants, and regulate and provide guidance for applications of AI technologies, as determined by the co-chairs of the National Science and Technology Council (NSTC) Select Committee. To our knowledge, the NSTC has not yet determined which agencies are “implementing agencies” for purposes of the Memorandum.

Submission of Agency Plan to OMB

The “implementing agencies” have 180 days to submit to OMB their plans for addressing the Memorandum.

An agency’s plan must: (1) identify any statutory authorities specifically governing the agency’s regulation of AI applications as well as collections of AI-related information from regulated entities; and (2) report on the outcomes of stakeholder engagements that identify existing regulatory barriers to AI applications and high-priority AI applications that are within the agency’s regulatory authorities. OMB also requests but does not require agencies to list and describe any planned or considered regulatory actions on AI.

Principles for the Stewardship of AI Applications

The Memorandum outlines the following as principles and considerations that agencies should address in determining regulatory or non-regulatory approaches to AI:

  1. Public trust in AI. Regulatory and non-regulatory approaches to AI need to be reliable, robust and trustworthy.
  2. Public participation. The public should have the opportunity to take part in the rule-making process.
  3. Scientific integrity and information quality. The government should use scientific and technical information and processes when developing a stance on AI.
  4. Risk assessment and management. A risk assessment should be conducted before determining regulatory and non-regulatory approaches.
  5. Benefits and costs. Agencies need to consider the societal costs and benefits related to developing and using AI applications.
  6. Flexibility. Agency approaches to AI should be flexible and performance-based.
  7. Fairness and nondiscrimination. Fairness and nondiscrimination in outcomes need to be considered in both regulatory and non-regulatory approaches.
  8. Disclosure and transparency. Agencies should be transparent. Transparency can serve to improve public trust in AI.
  9. Safety and security. Agencies should guarantee the confidentiality, integrity and availability of data used by AI by ensuring that the proper controls are in place.
  10. Interagency coordination. Agencies need to work together to ensure consistency and predictability of AI-related policies.


Continue Reading US Office of Management and Budget Calls for Federal Agencies to Reduce Barriers to Artificial Intelligence

On January 6, 2020, the California State Senate’s Health Committee unanimously approved California AB 713, a bill that would amend the California Consumer Privacy Act (CCPA) to except from CCPA requirements additional categories of health information, including data de-identified in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), medical research data, personal information used for public health and safety activities, and patient information that is maintained by HIPAA business associates in the same manner as HIPAA protected health information (PHI). If enacted, the bill would simplify CCPA compliance strategies for many HIPAA-regulated entities, life sciences companies, research institutions and health data aggregators.

Exemption for HIPAA Business Associates

Presently, the CCPA does not regulate PHI that is collected by either a HIPAA covered entity or business associate.

The CCPA also exempts covered entities to the extent that they maintain patient information in the same manner as PHI subject to HIPAA. The CCPA does not, however, currently include a similar entity-based exemption for business associates.

AB 713 would add an exemption for business associates to the extent that they maintain, use and disclose patient information consistent with HIPAA requirements applicable to PHI. For example, if a business associate maintains consumer-generated health information that is not PHI, but processes the information in accordance with HIPAA requirements for PHI, then the information would not be regulated by the CCPA. While the practical import of the new exemption may be limited because business associates may not want to apply HIPAA requirements to consumer-generated health information, AB 713 offers business associates another potential exception to CCPA requirements for patient information about California consumers.

Exception for De-Identified Health Information

AB 713 would except from CCPA requirements de-identified health information when each of the following three conditions is met:

  • The information is de-identified in accordance with a HIPAA de-identification method (i.e., the safe harbor or expert determination method) at 45 CFR § 164.514(b).
  • The information is derived from PHI or “individually identifiable health information” under HIPAA, “medical information” as defined by the California Confidentiality of Medical Information Act (CMIA), or “identifiable private information” subject to the Common Rule.
  • The business (or its business associate) does not actually, or attempt to, re-identify the information.


Continue Reading California Bill Proposes CCPA Exceptions for HIPAA De-identified Information, Other Health Data

The California Consumer Privacy Act (CCPA) requires businesses that engage in sales of personal information to offer consumers the right to opt out of such sales through a “Do Not Sell My Personal Information” link or button on their websites. These “Do Not Sell” obligations present a particularly thorny question for businesses that participate in a digital ad exchange or otherwise use advertising tracking technologies on their websites. Because data elements such as IP address, cookie ID, device identifier and browsing history are considered “personal information” for purposes of the CCPA, the question is: does sharing that information with third-party ad tech providers constitute a “sale” of data?

The answer, so far, is a resounding “maybe.” In what follows, we expand on the issue and survey different approaches to this hotly contested question.

Why the Debate?

The CCPA defines a “sale” as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.” The Network Advertising Initiative (NAI) broke this definition down into three main elements that, when satisfied, might make the case that digital advertising involves a “sale.”

    • The digital advertising must involve “personal information.” We know that it does because serving digital ads requires, at the very least, access to IP address and browsing history.
    • The digital advertising must involve the movement of personal information from a business to another business or third party. This is often true for digital advertising relationships, as ad tech intermediaries and other participants in the ad exchange often use the personal information they have received from businesses for their own purposes, thus taking many ad tech entities outside of CCPA’s “service provider” safe harbor.
    • The digital advertising must involve the exchange of monetary or other valuable consideration for the personal information. This is a fact-specific inquiry that will vary across contractual arrangements. For that reason, the NAI analysis states it would be difficult to broadly categorize all digital advertising activities as “sales.” However, the NAI cautions that if the recipients of personal information can retain the information “for profiling or segmenting purposes” (e.g., the ability to monetize the data independently), that could be evidence of a “sale” of data.


Continue Reading A Sale or Not a Sale? The Digital Advertising Debate

A recent McDermott roundtable on European health private equity generated key insights into the future of medtech, digital health, and data analytics, and identified opportunities for companies and investors.

Digital health solutions are widely considered to be the next big growth market. Healthcare lags significantly behind other industries when it comes to digitization, but the potential opportunities are driving developers, healthcare providers, and investors to find solutions.

PATIENT CARE
A key point to bear in mind about healthcare technology is that success and adoption may often be measured by the quality of the users’ experience, the resulting clinical outcomes, short- and long-term cost savings, and the resulting margin for both investors and the health care system at large. These multi-faceted goals are best illustrated by the demands for i) greater efficiency, and ii) better patient outcomes.

Efficiency is typified by, for example, streamlined bookings and appointment reminders, algorithms that triage patients to ensure they are seen by the right person at the right time, and in-home patient monitoring after patients are discharged. Patient take-up is also an excellent gauge of efficiency, for example, a high tech product that measures and reports blood sugar is of no value if the interface is too complicated for an older population.

Better outcomes result from clinicians gathering and using data to determine the right treatment in the fastest possible time, and are demonstrated, for example, by permanent lifestyle changes, improvements in self-care or care outside hospital, accurate drug dosage and use of medicines, and, in direct contrast with other sectors, reduced, rather than increased, service usage.

PRIVACY AND REGULATORY HURDLES
One of the most obvious challenges inherent in digital health is data privacy and security. Stemming from that are issues relating to control of the data, the right to use it, and ownership of the analysis. The most successful companies are those that, from the very beginning, understand the regulatory landscape in which they are operating; are transparent in terms of where their data comes from; make clear the type of data at issue, be that identifiable, pseudonymized, anonymized, or something in between; and identify who will control what data in what form. The ability to marry up these factors is a key part of any new entrant’s value proposition.


Continue Reading Challenges and Opportunities in MedTech, Innovation and Digital Health

As discussed in the first post in this two-part series, new players from outside the traditional healthcare paradigm are joining forces with hospitals, health systems and other providers to drive unprecedented innovation. These unexpected partnerships are bringing new solutions to market and changing how business is done and care is delivered.

Many of these collaborations revolve around data and data sharing arrangements. Traditional health industry stakeholders such as hospitals and health systems (HHSs) are partnering with technology companies—both established and start-up—to develop and market digital health solutions that engage patients beyond the brick-and-mortar clinical setting. Digital health tools are making it easier for patients to receive care in a mobile setting and access their health data across various platforms and sources. These innovative partnerships thus hold out the possibility of delivering better, faster, more targeted care.

Addressing Community Concerns

At the same time, digital health collaborations can encounter challenges regarding data privacy and security, permissions and ownership. Historically, health data was housed in one place—within the health institution. But with the rise of digital health tools, health data has become ubiquitous, raising fears about how it may be used, aggregated and shared.


Continue Reading Getting Cross-Industry Collaborations Right, Part 2: All About That Data

A recent update to the Office of Management and Budget (OMB) website suggests that the answer is “yes”—though that depends on how one defines “soon.” According to its website, OMB received the Office of the National Coordinator for Health Information Technology’s (ONC’s) final rule, entitled 21st Century Cures Act: Interoperability, Information Blocking, and the ONC

The demand for healthcare innovation is driving collaboration between formerly disparate healthcare companies and bringing in new players, such as technology companies and start-ups, into an already complex space. As companies build partnerships and pool resources – particularly healthcare data – data ownership presents numerous challenges that need to be addressed throughout the lifecycle of

In preparation for GDPR compliance, organizations around the globe worked months in advance of the deadline to ensure compliance. But what happened after the date of effectiveness? McDermott set out to learn how companies fared across the United States, Europe, China and Japan.

In digging deeper, we discovered valuable findings, including:

  • Countries and regions are

Investment in artificial intelligence (AI) and digital health technologies has increased exponentially over the last few years. In the United Kingdom, the excitement and interest in this space has been supported by NHS policies, including proposals in the NHS Long Term Plan, which set out ambitious aims for the acceleration and adoption of digital health and AI, particularly in primary care, outpatients and wearable devices.

Although these developments are encouraging to developers, there is still no clear framework for reimbursement or tariffs for digital health tools and AI.

At the same time, the plethora of new technologies has led to increased calls for regulation and oversight, particularly around data quality and evaluation. Many of these concerns may be addressed by the new Medical Device Regulation (MDR) and other regulatory developments. In fact, there is some risk that while the regulatory landscape is moving quickly, the pricing environment is still a way behind.

In May 2020, the new MDR will change the law and process of certification for medical software. The new law includes significant changes for digital health technologies which are medical devices. In March 2019, the National Institute for Health and Care Excellence (NICE) also published a new evidence standards framework for digital health technologies. The Care Quality Commission (CQC) already regulates online provision of health care, and there are calls for wider and greater regulation. The government has also published a code on the use of data in AI.

Digital Health Technologies and the MDR

The new MDR will mean a significant change to the regulatory framework for medical devices in the European Union.

As with the previous law, the MDR regulates devices through a classification system.

The new regime introduces new rules for medical software that falls within the definition of device. This will mean significant changes for companies that develop or offer medical software solutions, especially if their current certification has been “up-classed” under the MDR.

Key Takeaways for Investors in Digital Health Tools

Companies and investors in digital health should:

Continue Reading Digital Health in the UK: The New Regulatory Environment Under the Medical Device Regulation

This post was guest authored by lawyers from MWE China Law Offices, McDermott Will & Emery’s strategic alliance in Shanghai.

Data compliance in China’s health care industry is multifaceted and highly sensitive, and applies to numerous types of data generated across the continuum of care. Multiple pieces of legislation prescribe complex regulatory requirements governing different types of data, and various supervisory authorities frequently conduct inspections and investigations, paying special attention to health care multinationals with operations in China.

This article explores four key questions on the regulatory requirements for health care data in China, along with key compliance steps for multinationals throughout the entire life cycle of health care data, including collection, storage, transfer and use.

1. What types of health care data are regulated in China? What are the key compliance points related to these types of health care data?

Data compliance rules apply to various sources and types of health care data, including medical record information, medical insurance information, health care logs, human genetic resources, medical experiments and scientific data. The table below lists the various types of health care data governed by China’s laws and regulations related to health care and personal information, as well as the key regulatory compliance focus for each category.

Category / Governing Rule / Definition / Key Regulatory Compliance Focus

Category: Health Care Big Data
Governing rule: The Administrative Measures on Standards, Security and Services of National Healthcare Big Data (for Trial Implementation)
Definition: Data relating to health care generated in the course of disease prevention and control as well as health management. (Note: the Measures do not clarify what data qualifies as health care “big” data.)
Key Regulatory Compliance Focus:
  • Localisation and storage
  • Transfer: Cross-border data transfer is subject to security assessment.

Category: Human Genetic Resources
Governing rule: The Interim Administrative Measures for the Management of Human Genetic Resources
Definition: Genetic materials and related information, including organs, tissues, cells, blood, preparations, recombinant deoxyribonucleic acid (DNA) constructs containing human genome, genes and their products.
Key Regulatory Compliance Focus:
  • Collection: Complex approval procedures are required, and collection by foreign entities or individuals is restricted.
  • Localisation and storage
  • Transfer: Approval from administrative bodies is required before cross-border transfer.

Category: Pharmaceutical Data
Governing rule: The Pharmaceutical Data Management Specification (Draft for Comments)
Definition: Data from all activities in a product’s life cycle, such as R&D, production, circulation, post-marketing monitoring and evaluation.
Key Regulatory Compliance Focus:
  • Laws and regulations on personal information protection, health care big data protection and human genetic information protection, etc., may apply under certain circumstances.

Category: Medical Device Data
Governing rule: The Guidelines for Technical Review of Network Security Registration for Medical Devices
Definition: Health care data and device data.
Key Regulatory Compliance Focus:
  • Laws and regulations on personal information protection, health care big data protection and human genetic information protection, etc., may apply under certain circumstances.

Category: Medical Records
Governing rule: The Regulations for Medical Institutions on Medical Records Management
Definition: All texts, symbols, graphics, images and slides produced in medical activities by medical personnel, including outpatient (emergency) and hospitalisation medical records. Medical records are filed as medical history.
Key Regulatory Compliance Focus:
  • Collection: Consent from the data subject is required.
  • Transfer: Medical institutions should keep records strictly confidential except under specific circumstances.

Category: Scientific Data
Governing rule: The Measures for the Management of Scientific Data
Definition: Primarily data produced from basic research, application research, pilot development and other endeavours in such areas as natural science and engineering technology science, and the original data and data derived via observation and monitoring, survey and investigation, and inspection and detection that is used for scientific research activities.
Key Regulatory Compliance Focus:
  • Transfer: Data involving state secrets may not be transferred to a third party.

2. What are the key compliance steps for health care data collection in China?

Collection of any health care data involving personal information should be based on the three principles of China’s Cybersecurity Law (legitimacy, justification and necessity) and requires the consent of the data subject. The rules, purposes, methods and scope of such collection should also be disclosed to the data subject.

Collection of human genetic information by foreign entities or foreign individuals is strictly regulated, and such collection is subject to the approval of regulatory authorities.

Multinationals may wish to consider taking the following steps to be compliant with Chinese laws:


Continue Reading Health Care Data Compliance in China: 4 Key Questions and Compliance Steps for Multinationals