The 21st Century Cures Act, enacted in December 2016, amended the definition of “medical device” in section 201(h) of the Federal Food, Drug, and Cosmetic Act (FDCA) to exclude five distinct categories of software or digital health products. In response, the US Food and Drug Administration (FDA) issued new digital health guidance and revised several
In response to the rapid pace of innovation in the health and life sciences arena, the US Food and Drug Administration (FDA) is taking a proactive, risk-based approach to regulating digital health products. Software applications and other transformative technologies, such as artificial intelligence and 3D printing, are reshaping how medical devices are developed, and FDA is seeking to align its mission and regulatory obligations with those changes.
FDA’s digital health software precertification program is a prime example of this approach. Once fully implemented, this voluntary program should expedite the path to market for software as a medical device (SaMD), and promote greater transparency between FDA and regulated entities.
Under the program, FDA will conduct a holistic review of the company producing the SaMD, taking into account aspects such as management culture, quality systems and cybersecurity protocols, to ascertain whether the company has developed sufficient infrastructure to ensure that its products will comply with FDA requirements and function safely as intended. Companies that fulfill the requirements of the excellence appraisal and related reviews will receive precertification that may provide for faster premarket reviews and more flexible approaches to data submissions at the outset.
In April 2019, the US Food and Drug Administration (FDA) issued a white paper, “Proposed Regulatory Framework for Modifications to Artificial Intelligence/Machine Learning (AI/ML)-Based Software as a Medical Device,” announcing steps to consider a new regulatory framework to promote the development of safe and effective medical devices that use advanced AI algorithms. AI, and specifically ML, are “techniques used to design and train software algorithms to learn from and act on data.” FDA’s proposed approach would allow modifications to algorithms to be made from real-world learning and adaptation that accommodates the iterative nature of AI products while ensuring FDA’s standards for safety and effectiveness are maintained.
Under the existing framework, a premarket submission (i.e., a 510(k)) would be required if the AI/ML software modification significantly affects device performance or the device’s safety and effectiveness; the modification is to the device’s intended use; or the modification introduces a major change to the software as a medical device (SaMD) algorithm. In the case of a PMA-approved SaMD, a PMA supplement would be required for changes that affect safety or effectiveness. FDA noted that adaptive AI/ML technologies require a new total product lifecycle (TPLC) regulatory approach and focuses on three types of modifications to AI/ML-based SaMD:
As part of the 21st Century Cures Act, Congress gave the US Food and Drug Administration (FDA) the authority to establish a Breakthrough Devices Program intended to expedite the development and prioritize the review of certain medical devices that provide for more effective treatment or diagnosis of life-threatening or irreversibly debilitating disease or conditions. In December 2018, FDA issued a guidance document describing policies FDA intends to use to implement the Program.
There are two criteria for inclusion in the Breakthrough Device Program:
- The device must provide for a more effective treatment or diagnosis of a life-threatening or irreversibly debilitating human disease or condition; and
- The device must (i) represent breakthrough technology, (ii) have no approved or cleared alternatives, (iii) offer significant advantages over existing approved or cleared alternatives, or (iv) demonstrate that its availability is in the best interest of patients.
The digital health market is expected to grow beyond $379 billion by 2024, with a 27.7 percent compounded annual growth rate over the coming years. This activity is fueled by increasing demand for remote monitoring services, favorable government initiatives and funding, and the proliferation of mobile intelligent devices. An article by Rock Health noted that in 2018, “investors poured nearly $8.1B into the sector, surpassing 2017’s record-setting total of $5.7B by a whopping 42%.”
Amidst this growth, digital health startups are seeking to make the most of their funding and protect the innovations that drive their product. To do so, they must protect their intellectual property from being copied or duplicated by others in the market. Patents offer the strongest form of protection for innovations and can lead directly lead to increased investment. For digital health startups that eventually go public, valuation can reach $1.1 million per software patent application filed.
An issued patent in the United States gives the patent owner a 20-year monopoly right to stop others from making, using or selling the patented invention. A digital health company with a patent on a software feature—for example, a unique approach to dynamically generate a questionnaire based on user information for a remote health consult—has the right to stop competitors from making, selling or using software that includes that feature. Digital health companies, particularly pre-IPO, should develop a patenting strategy to assess how best to protect the innovations that drive their business and increase the company’s monetary value and longevity. If you have ever said one of the following phrases, your company likely will benefit from a discussion with patent counsel on how to protect your inventions:
- We’re the first ones to ever do this.
- None of our competition does this.
- This feature drives a lot of business to our company.
- This feature was really hard to implement, but we found a way to do it.
We greatly appreciate our readers continuing to turn to us for insight on the most critical legal, regulatory and transactional developments impacting digital health, and the innovative collaborations transforming health care. Over the past year, McDermott’s Health practice made headlines for our work on several of the most high-profile collaborative transformations that took place in…
Last week, President Trump signed the SUPPORT for Patients and Communities Act (SUPPORT Act), a bipartisan piece of legislation designed to tackle the opioid crisis by, among other approaches, increasing the use of telemedicine services to treat addiction. Several key provisions are summarized below.
The package includes provisions to expand public reimbursement for telemedicine services…
On November 1, 2018, the Centers for Medicare and Medicaid (CMS) issued final rules for updating the 2019 Medicare Physician Fee Schedule to implement recent telehealth-related legislative reforms. As reported in our Digital Health Mid-Year Report: Focus on Medicare, these changes are expected to have a material impact on the ability of providers to…
The General Data Protection Regulation (GDPR) was the biggest story of 2018 in the field of global privacy and data protection. The GDPR became enforceable in European Union Member States on May 25, 2018, significantly expanding the territorial reach of EU data protection law and introducing numerous changes that affected the way organizations globally process the personal data of their EU customers, employees and suppliers. These important changes required action by companies and institutions around the world. In almost six months after the GDPR’s effective date, organizations are still working on compliance—and will be for years to come.
The GDPR applies to organizations inside and outside the EU. Organizations “established” inside the EU, essentially meaning a business or unit located in the EU, must comply with the GDPR if they process personal data in the context of that establishment. The GDPR also applies to organizations outside the EU that offer goods or services to, or monitor the behavior of, individuals located in the EU.
The GDPR uses other terms not familiar to US businesses but which need to be understood. Both “data controllers” and “data processors” have obligations under the GDPR, and data subjects can bring actions directly against either or both of those parties. A data controller is an organization that has control over and determines how and why to process data. A data controller is often, but not always, the organization that has the direct relationship with the data subject (the individual about whom the data pertains). A data processor is an organization that processes personal data on behalf of a data controller, typically a vendor or service provider. The GDPR defines “processing” to mean any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means (e.g., collection, recording, storage, alteration, use, disclosure and structuring).
The GDPR also broadly defines “personal data” as any information directly or indirectly relating to an identified or identifiable natural person, such as a name, identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Organizations in the US are used to a narrower definition of personal data, which typically includes information that, if breached, would put an individual at risk of identity theft or fraud and require notice (e.g., Social Security numbers, driver’s license numbers, and financial account, credit and debit card numbers).…
The Office of the National Coordinator for Health Information Technology (ONC) is one step closer to issuing its long-awaited proposed rule to implement various provisions of the 21st Century Cures Act, including proposed regulations distinguishing between prohibited health information blocking among health care providers and health information technology vendors and other permissible restrictions on access…