We greatly appreciate our readers continuing to turn to us for insight on the most critical legal, regulatory and transactional developments impacting digital health, and the innovative collaborations transforming health care. Over the past year, McDermott’s Health practice made headlines for our work on several of the most high-profile collaborative transformations that took place in
Last week, President Trump signed the SUPPORT for Patients and Communities Act (SUPPORT Act), a bipartisan piece of legislation designed to tackle the opioid crisis by, among other approaches, increasing the use of telemedicine services to treat addiction. Several key provisions are summarized below.
The package includes provisions to expand public reimbursement for telemedicine services…
On November 1, 2018, the Centers for Medicare and Medicaid (CMS) issued final rules for updating the 2019 Medicare Physician Fee Schedule to implement recent telehealth-related legislative reforms. As reported in our Digital Health Mid-Year Report: Focus on Medicare, these changes are expected to have a material impact on the ability of providers to…
The General Data Protection Regulation (GDPR) was the biggest story of 2018 in the field of global privacy and data protection. The GDPR became enforceable in European Union Member States on May 25, 2018, significantly expanding the territorial reach of EU data protection law and introducing numerous changes that affected the way organizations globally process the personal data of their EU customers, employees and suppliers. These important changes required action by companies and institutions around the world. In almost six months after the GDPR’s effective date, organizations are still working on compliance—and will be for years to come.
The GDPR applies to organizations inside and outside the EU. Organizations “established” inside the EU, essentially meaning a business or unit located in the EU, must comply with the GDPR if they process personal data in the context of that establishment. The GDPR also applies to organizations outside the EU that offer goods or services to, or monitor the behavior of, individuals located in the EU.
The GDPR uses other terms not familiar to US businesses but which need to be understood. Both “data controllers” and “data processors” have obligations under the GDPR, and data subjects can bring actions directly against either or both of those parties. A data controller is an organization that has control over and determines how and why to process data. A data controller is often, but not always, the organization that has the direct relationship with the data subject (the individual about whom the data pertains). A data processor is an organization that processes personal data on behalf of a data controller, typically a vendor or service provider. The GDPR defines “processing” to mean any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means (e.g., collection, recording, storage, alteration, use, disclosure and structuring).
The GDPR also broadly defines “personal data” as any information directly or indirectly relating to an identified or identifiable natural person, such as a name, identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Organizations in the US are used to a narrower definition of personal data, which typically includes information that, if breached, would put an individual at risk of identity theft or fraud and require notice (e.g., Social Security numbers, driver’s license numbers, and financial account, credit and debit card numbers).…
The Office of the National Coordinator for Health Information Technology (ONC) is one step closer to issuing its long-awaited proposed rule to implement various provisions of the 21st Century Cures Act, including proposed regulations distinguishing between prohibited health information blocking among health care providers and health information technology vendors and other permissible restrictions on access…
As the health industry evolves to meet consumer expectations for better quality, lower-cost and more convenient health care options, the demand for technology-driven innovation is accelerating as is the level of interest and investment among stakeholders or all sorts.
Health systems and other institutional providers are playing a more active investment role in the commercialization of biomedical, digital health, and other important health care discoveries in order to remain competitive, secure their positions as industry leaders and generate growth opportunities. This more active role also affords their internal innovators (e.g., physicians and scientists) to play a meaningful role in accelerating the commercialization of home-grown discoveries that may otherwise be left in “the valley of death” between government-funded basic research and later stage, industry-funded commercialization. Drug and medical device manufacturers, venture capital, private equity firms, large donors and other investors are injecting significant capital into fueling research, development and commercialization of health care technology innovation. On the one hand, health care systems and providers welcome such external co-investors who bring sophisticated expertise in product and market research, technology innovation, valuation and strategy capabilities, as well as access to networks of potential co-investors. For such external co-investors, on the other hand, joining forces with health care institutions affords much needed access to the expertise and thought leadership of clinicians, scientists and health technology innovation; a ready‑made proving ground and “anchor customer” for the product; and the halo effect of the health care provider around the co-investor’s clinical care and research reputation. The theory and the hope is that the combined capital and the different, but complementary, expertise, experience and perspectives of such co‑investors provides a formula for financially successful innovation that is transformative and not merely disruptive.…
Join McDermott next Wednesday for a live webinar on the unique considerations in developing and procuring AI solutions for digital health applications from the perspective of various stakeholders. We will discuss the legal issues and strategies surrounding:
- Research and data mapping essential to the development and validation of AI technologies
- Protecting and maintaining intellectual property
The digitization of health care and the proliferation of electronic medical records is happening rapidly, generating large quantities of data with potential to provide valuable insights into disease and wellness and help solve challenging public health problems.
There is tremendous enthusiasm over the possibilities of leveraging this data for secondary use–i.e., a use…
As Europe’s General Data Protection Regulation (GDPR) takes effect, companies around the world are racing to implement compliance measures. In parallel with the GDPR’s development, China’s new data protection framework has emerged over the past year and is in the final stages of implementing the remaining details. With similar and often overlapping obligations, full compliance with the GDPR and China’s data protection framework presents a significant new challenge for companies with operations in China.
Does the GDPR Apply to Companies in China?
The GDPR applies to the processing of personal data of people who are in the European Union, even for a controller or processor in China, where the processing of the data is related to:
- The offering of goods or services to the data subjects in the European Union, regardless of whether a payment is required; or
- The monitoring of people’s behavior in the European Union.
As a result, even if a Chinese company does not have any formal establishments in the European Union, the GDPR will nonetheless apply if it is conducting either of these two types of activities.
What Are the Requirements for Companies in China Subject to the GDPR?
The GDPR primarily focuses on two categories of entities: “controllers” and “processors.” These two types are similar to concepts in the Chinese rules. “Controllers” are entities that, alone or jointly with others, determine the purposes and means of the processing of personal data. “Processors” are entities that carry out the processing of personal data on behalf of the controllers.
Key requirements for most controllers under the GDPR:…
Earlier this month, more than 45,000 attendees descended on Las Vegas, NV, for the nation’s largest annual health care technology conference: the 2018 HIMSS Conference & Exhibition (HIMSS18). Conversations and educational sessions covered a wide range of health tech topics, with thought leaders, solutions developers, health system executives, patient advocates and care providers coming together to discuss the myriad obstacles and opportunities facing the health care technology industry today.
On Tuesday March 6, during the HIMSS conference, McDermott Will & Emery along with our friends at Capstone Headwaters convened a panel discussion on “Financing High-Growth Healthcare IT Companies, which I had the pleasure of moderating. The seasoned mix of health care finance and private equity professionals discussed the various types and sources of capital available to fuel high-growth health IT organizations and how to choose the right mix of capital to support a company’s growth needs. We also reviewed the legal and regulatory implications for investments in health care IT companies, and discussed considerations for optimal positioning in a value-based care environment. …