EU Regulatory and Litigation

The European Commission has made clear its intention to harness the potential that digital innovation can offer, and in May 2015, announced its Digital Single Market strategy. A key part of this is the digital transformation of health and care in order to improve healthcare for its citizens. On 20 July 2017, the European Commission launched a public consultation to assess how digital innovation can be used to enhance health and care in Europe. This consultation follows on from the Roadmap published last month, with the aim of developing a new policy Communication by the end of 2017.

The consultation focuses on collecting information on three main areas:

(i) cross-border access to and management of personal health data, through electronic medical records and e-prescriptions;

(ii) sharing of data and expertise to advance research, assist with personalized healthcare and anticipate epidemics; and,

(iii) measures for widespread uptake of digital innovation and interaction between patients and healthcare providers.

The questions are very much at a fact-finding level, asking respondents’ views on a wide range of issues, particularly on data protection, which, as recent cyber-attacks on the UK NHS and sanctions imposed by the UK Information Commissioner have shown, is an important factor in a digital market. However, although the Roadmap sets out some intended outcomes that are in line with the three areas of the consultation, the ultimate goal of “widespread adoption of digital technology to make borderless European health and care a reality” is unlikely to be obtained by the end of the year.

The Commission is inviting citizens, patient organizations, healthcare professionals, public authorities and any other users of digital health tools to share their views until 12 October 2017.

We have previously reported on a number of EU projects designed to promote eHealth interoperability (the ability of EU Member States to share healthcare information between their respective IT systems), including the Commission’s eHealth standards project, which aims to build consensus on the standards to be applied to eHealth products, and EURO-CAS, which aims to develop tools to assess the conformity of eHealth products with those standards.

In parallel with those projects, the VALUeHEALTH project, which ran from April 2015 to June 2017 as part of the Commission’s broader research and innovation program, Horizon 2020, focused on developing a business plan for the implementation and funding of eHealth services across the EU. Trans-European digital services are currently funded by the Connecting Europe Facility (“CEF”), which has committed to investing EUR 1.04 billion for this purpose between 2014 and 2020. VALUeHEALTH was concerned with ensuring the sustainable interoperability of European eHealth services beyond 2020.

To this end, the VALUeHEALTH project had five objectives, summarized in the following schematic:

VALUeHEALTH Overall Concept, and Objectives:
http://www.valuehealth.eu/index.cfm/about/

Objective 1: Develop a set of prioritized use cases

The VALUeHEALTH project prioritized “use cases” for eHealth services on the basis of a number of criteria, including their potential positive impact on patients, improved health outcomes, and reduced healthcare costs. Using these criteria, two use cases were prioritized:

  • Safe prescribing: Ensuring that existing algorithms to support prescribing decisions are able to access critical safety information (e.g., other current medication, allergies and intolerances, clinical conditions, significant family history, relevant bio-markers).
  • Individual disease management: Condition-specific information-sharing between actors involved in the healthcare, social care and self-care of a patient’s portfolio of long-term conditions.

These use cases were used to inform the analysis underlying the business plan under the remaining objectives.

Objective 2: Design an overarching business model framework

The project sought to identify the expected benefits of interoperability for various stakeholders — in particular, those whose involvement was necessary to sustain interoperability, and those who most needed to realise value from interoperable information. Further, it was intended to produce a cost-benefit analysis for stakeholders who would be required to drive investments. Finally, business modelling methodologies would be used to establish the value of eHealth interoperability and to determine how cost savings and growth in capacity could justify financial investment in eHealth services, with minimal dependence on public funding.

As a result of this work, VALUeHEALTH has established a Business Modelling Task Force, tasked with developing the value chains and value propositions described above. However, further details are not yet available on the project website.

Objective 3: Develop a scale-up roadmap

The VALUeHEALTH project identified high quality data capture as a necessary pre-condition for the scale-up of self-financed cross-border eHealth services. With this in mind, it aimed to examine the barriers to, and the conditions and incentives required for, wide-scale, high quality data capture, which could inform a scale-up strategy.

Barriers identified by the project were (i) the reliance on busy, often junior, clinicians to capture health information from patients, and (ii) the existence of reimbursement models that pay for activity rather than clinical outcomes. Incentives were needed to address these issues.

The Commission intends to use this information to scope the interoperability deployment roadmap and scale-up strategy, as well as its structure and costs. However, it appears that this exercise is ongoing.

Objective 4: Design an information communication technology and interoperability deployment roadmap

VALUeHEALTH has defined the interfaces, services and tools needed to deliver the prioritized use cases identified in Objective 1 and, from this, has derived a design and deployment roadmap for eHealth services in general. However, this is not yet available publicly.

There appears to be some overlap between the roadmaps envisaged by Objective 3 and Objective 4. From the available information, we understand that the scale-up roadmap described in Objective 3 is designed to address issues with data capture (i.e., the practical human barriers to ensuring that the data required for cross-border eHealth services is collected and entered into the system), whereas the ICT and interoperability roadmap described in Objective 4 is intended to address the technical requirements of the service.

Objective 5: Deliver a business plan and sustainability plan

The results of Objectives 1-4 have been used to produce a Business Plan and Strategy for future public-private investment in EU eHealth services. In particular, the plan provides guidance to the CEF on how to construct digital service infrastructure for health to ensure maximum value and sustainability beyond 2020. Again, this plan has not yet been published.

We have previously reported on the Accelerated Access Review (AAR), which made 18 recommendations to the UK government for speeding up patient access to new medical technologies. The overarching aim of the AAR was to make the UK a world-leader in healthcare innovation. The AAR report, which was published in October 2016, was particularly focused on digital technologies, and recognized that the current systems in place are not sufficiently flexible to realize the full potential of digital health.

To implement the recommendations of the AAR, the UK government announced last week that it is investing a total of £86 million in four projects aimed at encouraging small and medium sized enterprises (SMEs) to develop and test new products and technologies in the UK’s National Health Service (NHS).

One of the four projects to be funded by the new package is the ‘Digital Health Technology Catalyst’. The Catalyst will receive £35 million to help support innovators by match-funding the development of digital technologies for use by patients and the NHS. The government specifically highlighted digital technologies that help patients manage their conditions from home, or that develop new medicines, as possible areas of development, and cited MyCOPD as a successful project to be repeated – an online system that helps people with chronic obstructive pulmonary disease better manage their condition.

The announcement has been publicly welcomed by a number of industry representative groups, including the Association of British Healthcare Industries (ABHI), techUK, BioIndustry Association (BIA) and the British In Vitro Diagnostics Association (BIVDA).

On 28 June, the Advocate General of the Court of Justice of the European Union gave his opinion on the SNITEM and Philips France case against France. In this case, the Conseil d’Etat in France asked whether a particular software program intended to be used by doctors to support prescribing decisions falls within the definition of medical device as provided by Directive 93/42/EEC (the Medical Devices Directive).

Definition of a medical device

As we have discussed previously in this blog, there is no general exclusion for software in the definition of medical device provided by the Medical Devices Directive. Software may be regulated as a medical device if it has a medical purpose, meaning that it is capable of appreciably restoring, correcting or modifying physiological functions in human beings. The assessment is by no means straightforward for software as, unlike general medical devices, it is not immediately apparent how these parameters apply to programs. The Commission MEDDEV guidance makes a distinction between software specifically intended by the manufacturer to be used for one or more of the medical purposes set out in the definition of a medical device, and software for general purposes that is used in a healthcare setting which will not be considered as a medical device.

Opinion of the Advocate General

The software subject of this case, the Intellispace Critical Care and Anesthesia (ICCA) manufactured by Philips France, is designed to assist anesthesia and intensive care services by providing doctors with information to assist their prescribing decisions. It provides information with regards to possible contraindications, interactions with other medicines and excessive dosing. The ICCA has been CE marked as a medical device.

The dispute in this case arose from the fact that French law requires that software designed to assist medical prescriptions should be certified at national level. Philips France claimed that, by imposing a further requirement in addition to the conformity procedure laid down by the Directive, the French Government had set up a restriction on import of the device, contrary to EU law.

The French Government argued that the ICCA does not satisfy the definition of a medical device under the Directive, as its functions are purely administrative and for storage purposes, and could not, therefore, be marketed in France without such certification from the French authorities.

The Advocate General disagreed with the French Government’s assessment, and found that ICCA should be classified as a medical device. The following three factors were key to reaching this conclusion: (i) the ICCA is not a program for general purposes that is used in a healthcare setting; it goes beyond simple storage of data, and modifies and interprets such data, providing certain information that is useful for healthcare professionals to make adequate prescribing decisions; (ii) the fact that the ICCA does not act directly on the interior or the surface of the human body does not prevent its classification as a medical device, as “contributing” to the principal intended action is sufficient; and (iii) the Commission’s MEDDEV guidance and other guidance issued by national competent authorities are aligned, and classify programs such as ICCA as medical devices.

Next steps

The European Court will now consider this opinion and deliver a judgment in a few months. This case is the first time that the European Courts have considered software that may be classified as a medical device, and the decision of the Court will likely have an immediate effect on the EU market and how software used in healthcare settings is regulated.

You may find further details on this case in our Advisory.

Royal Free NHS Foundation Trust (the Trust) is one of the largest Trusts in the UK, employing more than 9,000 staff and providing services to over a million patients in North London.

On 3 July 2017, the UK Information Commissioner (ICO), the regulator overseeing data privacy, ruled that the Trust failed to comply with the Data Protection Act when it provided patient details to Google DeepMind. The Trust provided personal data of about 1.6 million patients as part of a trial to test an alert, diagnosis and detection system for acute kidney injury.

DeepMind works with hospitals on mobile tools and Artificial Intelligence to plan the patient journey, from diagnosis to treatment, as quickly and accurately as possible. Streams, an application which is in use at the Trust, is based on a mobile technology platform to send immediate alerts to clinicians when a patient’s condition deteriorates. Streams has also been rolled out to other UK hospitals, and DeepMind has also diversified the application for use in other settings that include a project aimed at using Artificial Intelligence to improve diagnosis of diabetic retinopathy, and another aimed at using a similar approach to better prepare radiotherapists for treating head and neck cancers. The application therefore saves lives.

In her ruling, the ICO recognized the huge potential for innovative research and creative use of data on patient care and clinical improvements. However, the ICO considered that the price of innovation does not need to be erosion of fundamental privacy rights. The ICO noted in particular: “[i]n relation to health data, the Commissioner and her office recognises the benefits that can be achieved by using patient data for wider public good and where appropriate, we support the development of innovative technological solutions that use personal data to improve clinical care. We would like to make it clear that the Commissioner has no desire to prevent or hamper the development of such solutions; however, such schemes and laudable ends must meet the necessary compliance mechanism set out in the Act.”

In this case, the ruling is levelled against the Trust as the data controller responsible for compliance with the Data Protection Act throughout its partnership with Streams, and DeepMind has been acting as a data processor, processing personal data on behalf of the Trust.

The ruling is based on the ICO investigation which has identified several shortcomings in how the data were handled according to the terms of the agreement for the partnership between the Trust and DeepMind. Most importantly, as regards transparency in data sharing between the Trust and DeepMind, the ICO found that patients were not adequately informed that their data would be used as part of the test.

The Trust is required to provide an undertaking to ensure that personal data are processed in accordance with the Data Protection Act, especially in relation to the following guiding principles: (a) personal data must be processed fairly and lawfully; (b) processing of personal data must be adequate, relevant and not excessive; (c) personal data must be processed in accordance with the rights of data subjects; and (d) appropriate technical and organisational controls must be taken, including the need to ensure that appropriate contractual controls are put in place when a data processor is used. These remedial measures are set out in the undertaking for the Trust to implement according to the time-table imposed by the ICO. The Trust is also required to commission an audit of the trial, the results of which will be shared with the ICO and may be published as the ICO sees appropriate.

In February 2016, the European Commission established a Working Group on mHealth tasked with developing guidelines “for assessing the validity and reliability of the data that health apps collect and process”. Since this Working Group was set up, there have been a series of face-to-face meetings, open stakeholder meetings, conference calls and online questionnaires. Two drafts of the guidelines have also been published for consideration, as discussed in our previous posts here and here.

Last month, the Working Group, drawn from patients, healthcare professionals, industry, public authorities, payers and social care insurance, research and academia, finally published its report on the draft guidance. Members of the Working Group were invited to give their views on the assessment criteria, what they understood by each of the criteria and whether they considered them relevant for the purposes of assessing the validity and reliability of health apps.

To the extent that any consensus could be found on the criteria for the assessment of apps, six criteria were considered to be relevant: privacy, transparency, reliability, validity, interoperability and safety. Two further criteria achieved majority support: technical stability and effectiveness.

However, the Working Group’s discussions were plagued by “areas of apparent disagreement and different understanding of the implications, use and meaning of the criteria during app assessment”, such that the Working Group was unable to come to any agreement on the scope, purpose or targets for health app assessment guidelines. Their divergent understandings were not helped by the fact that the range of technologies that constitute health apps is constantly evolving, nor by the passing of new legislation and guidelines at EU and Member State level (e.g., the Medical Devices Regulation and the General Data Protection Regulation).

The Working Group was, therefore, forced to conclude: “Clearly, an important lesson from this exercise is the need to follow a step-wise approach, starting with a solid agreement on scope and terminology, especially if the Guidelines are to be developed by a multi-stakeholder group.” As such, it seems that the guidelines are currently not being progressed in their current form.

It has been almost a year since the European Commission published a final draft of a Code of Conduct on privacy for mHealth mobile applications (the “Code”). Our previous post summarizes the draft and its application to app developers. However, we noted that the Article 29 Working Party (the “WP29”), an independent advisory body comprised of representatives from all EU Data Protection Authorities, had to comment on the draft before it was formally adopted. In a letter dated 10 April 2017, the WP29 has finally set out its comments on the draft, and identified areas of improvement.

Comments on the draft

The letter begins by setting out the WP29’s expectations for the Code:

  • The Code needs to be compliant with the Data Protection Directive (Directive 95/46/EC, the “Directive”) and its national implementing legislation.
  • The Code must be of adequate quality.
  • The Code must provide sufficient added value to the Directive and other applicable data protection legislation.
  • The Code should continue to be relevant following the transition to the General Data Protection Regulation (Regulation (EU) 2016/679, the “GDPR”).

The WP29 is quite critical of the draft Code, and identifies a number of ways that the draft fails to add value to existing data protection legislation. The WP29’s general comments are that:

  • The Code does not elaborate sufficiently on the relationship between the Directive and national legislation implementing the Directive in individual EU Member States.
  • While the Code’s stated aim is to facilitate data protection compliance and not to address other compliance issues, it should nonetheless take into account other legislation that impacts on the prime objective of data compliance (e.g., provisions on cookies in the ePrivacy Directive (Directive 2002/58/EC)).
  • The Code needs to be clearer on the roles of the parties involved in the processing of personal data (i.e., whether the app developer is a data controller, data processor or both).
  • The Code should be re-evaluated in light of the relevant provisions of the GDPR to ensure that the content of the Code is consistent with the definitions given in both the Directive and the GDPR.

Specific comments

The WP29 also sets out more specific observations on areas in which the Code requires improvement. In summary:

  • Governance and monitoring model: It was not clear whether the model detailed in the Code would be compliant with some of the new requirements of the GDPR. In addition, further information was needed on: (1) the composition of the Assembly and how membership was to be managed; (2) how the monitoring body would be accredited; and (3) the financial contributions required from different members (the WP29 was specifically concerned with ensuring that fees did not preclude wide participation).
  • Practical guidelines for data controllers: The Code should make clear that consent to personal data processing should fulfil all requirements of the GDPR and the Directive, and guidance in relation to obtaining consent to the processing of children’s data should be more thorough. At the same time, the Code should acknowledge that there are other conditions that render data processing fair and lawful, and refer explicitly to them. It should also identify safeguards to raise awareness of the possible risks associated with the use of mHealth apps.
  • Data protection principles: Whilst the “practical guidelines for data controllers” referred to the necessity of safeguards for data subjects, it did not mention that these safeguards should be “appropriate”, in line with data protection principles. Further, the Code should refer to all of the data protection principles, or explain why they are not relevant.
  • Information, transparency and data subjects’ rights: The Code should require developers to make more information about the role of the data controller available to end users. It did not provide sufficient information on how data subjects could exert their rights, or how data controllers and data processors should meet their obligations. The Code should refer to the relevant provisions of the GDPR in relation to transfer of personal data to third countries. The legal basis and requirements for processing data for marketing purposes should also be referred to, such as the relevant sections of the GDPR.
  • Security: The Code should include more details and relevant examples on how app developers can integrate “privacy by design” and “privacy by default” into their development processes, as well as being attentive to legal restrictions relating to retention periods. Specific provisions in relation to data protection breaches should be included in line with the definitions of personal data contained in the Directive and the GDPR.

The draft will now need to be reconsidered by the drafting group to take these comments into account. The WP29 specifically states: “When revising the draft, please consider carefully what “added value” the code of conduct provides as a whole and, in particular, what specific examples, practical solutions or recommendations you could draw from discussions with stakeholders, ...” In the meantime, given the shortage of guidance in this area, developers may choose to follow the Code, and the recommendations from the WP29 in order to conform to best practice.

Connected health involving health technology, digital media and mobile devices opens up new opportunities to improve the quality and outcomes of both health and social care. Such transformational innovation, however, may also bring about significant regulatory compliance risks.

On 3 March 2017, four UK healthcare regulators, including the Care Quality Commission (“CQC”), made a joint statement reminding providers of online clinical and pharmaceutical services, and associated healthcare professionals, that they should follow professional guidelines to ensure such services are provided safely and effectively.

We have written an in-depth assessment on the ongoing regulatory activities in the UK, available here, which was published in Digital Health Legal on 20 April 2017.

As indicated in the joint statement, CQC inspections found that certain online services were too ready to sell prescription-only medicines without undertaking proper checks or verifying the patient’s individual circumstances, raising significant concerns about patient safety. The view taken by the regulators is that the same safeguards should be put in place for patients whether they attend a physical consultation with their GP (primary care physician) or seek medical advice and treatment online.

UK domestic law already provides that online providers must assess the risks to people’s health and safety during any care or treatment and make sure that staff have the qualifications, competence, skills and experience to keep people safe. The CQC has the power to bring a criminal prosecution if a failure to meet this responsibility results in avoidable harm to a person using the service or if a person using the service is exposed to significant risk of harm. Unlike other enforcement regimes, the CQC does not have to serve a warning notice before prosecution. The CQC can also pursue criminal sanctions where there have been fundamental breaches of standards of quality and safety and can enforce the standards using civil powers to impose conditions, suspend or cancel a registration to provide the online services.

In March 2017, the CQC published guidance clarifying its existing primary care guidance by setting out how it proposes to regulate digital healthcare providers in primary care. The guidance provides that the CQC will evaluate the following key lines of inquiry (“KLOEs”): whether services are safe, effective, caring, responsive to people’s needs and well-led. Each KLOE is accompanied by a number of questions that inspectors will consider as part of the assessment, which are characterised by the CQC as ‘prompts’.

The European Commission has published a report on the cost-effectiveness of standards-driven eHealth interoperability (the exchange of data between IT systems). This is one of a number of parallel initiatives from the Commission to advance eHealth interoperability, such as the EURO-CAS project launched in January this year, and is an essential part of the EU Digital Agenda.

The ultimate goal of the Commission’s efforts on eStandards for eHealth interoperability is to join up with healthcare stakeholders in Europe, and globally, to build consensus on eHealth standards, accelerate knowledge-sharing and promote wider adoption of standards.

The eStandards project is working to finalize a roadmap and associated evidence base, a white paper on the need for formal standards, and two guidelines addressing how to work with: (a) clinical content in profiles, and (b) competing standards in large-scale eHealth deployments. An initial roadmap has already been prepared. The final roadmap aims to describe the actions to be taken by standards development and profiling organizations (SDOs), policymakers in eHealth, and national competence centers, to warrant high availability and use of general and personal health information at the point of care, as well as for biomedical, clinical, public health, and health policy research.

The objective of this discrete cost-effectiveness study is to support the preparation of the final roadmap. The study contacted 3 categories of stakeholders: i) Centers of Competence; ii) Vendors (mostly small and medium-sized companies) on the European market; and iii) Standards Organizations (mostly international). It has shown that stakeholders use the same tools in different projects across Europe, which should facilitate communication of best practices between them.

Its main findings are that:

  • All stakeholders consider that using standards and standards-driven tools contributes to better quality products.
  • Vendors and Centers of Competence share the same benefits as a result of the efficiency of the project (e.g. the continuous improvement of the specifications, and their effectiveness).
  • In terms of economic results, the study shows clearly that using and reusing existing tools and content saves effort and time, as well as money. It standardizes methods of working and increases professionalism of the project team. However, due to the complexity of the eHealth domain, training is one of the major challenges for increasing the adoption of profiles and standards.
  • The study also indicates that standards are available, but the challenge is their adoption.

The study proposes a few practical recommendations for promoting the use of the standards-driven tools:

  1. Develop a strategy to communicate and disseminate the use of standards-driven tools, showing evidence of their positive impact in the development of projects and products;
  2. Develop simple indicators and/or refine the indicators used in this study in order to quantify the progress of adoption of standards-driven tools;
  3. Identify the weaknesses and limitations associated with deploying standards and tools;
  4. Develop conformity assessments and testing platforms for better adoption of the standards.

These initiatives complement the new guidance published on 23 March by the Commission for digital public services in its new European Interoperability Framework, which is meant to help European public administrations to coordinate their digitalization efforts when delivering public services.

We have previously published a post on the potential uses of mobile apps in clinical trials, and the accompanying advantages and limitations. Recent research published in The New England Journal of Medicine (NEJM) confirms the increasing number of innovative studies being conducted through the internet, and discusses the bioethical considerations and technical complexities arising from this use.

Apps used in clinical research

The vast majority of the population, including patients and healthcare professionals, have mobile phones. They are using them in a growing number of ways, and increasingly expect the organizations they interact with to do the same. Clinical research is no exception. As we discussed previously, smartphones are becoming increasingly important as a means of facilitating patient recruitment, reducing costs, disseminating and collecting a wide-range of health data, and improving the informed consent process.

A major development in relation to app-based studies occurred in early 2015 with the launch of Apple’s ResearchKit, an open-source software toolkit for the iOS platform that can be used to build apps for smartphone-based medical research. Since then, similar toolkits, such as ResearchStack, have been launched to facilitate app development on the Android operating system.

Several Institutional Review Board-approved study apps were launched shortly after the creation of ResearchKit, including MyHeart Counts (cardiovascular disease), mPower (Parkinson’s disease), Gluco-Success (type 2 diabetes), Asthma Health (asthma) and Share the Journey (breast cancer).

The NEJM publication refers to data from MyHeart Counts to emphasize particular features of app-based studies. The MyHeart Counts study enrolled more than 10,000 participants in the first 24 hours: a recruitment figure that many traditional study sponsors would regard with envy. While this figure appears, at least in part, to result from expanded access to would-be participants who are not within easy reach of a study site, it may carry with it a degree of selection bias. For example, the consenting study population in MyHeart Counts was predominantly young (median age, 36) and male (82 per cent), with the uneven distribution of smartphone usage and familiarity across the population reflected in the demographics of app-based study participants. The MyHeart Counts completer population (i.e. those who completed a 6-minute “walk test” at the end of seven days) represented only 10 per cent of participants who provided consent. The reasons for low completer rates in app-based studies are not mapped out, but may relate to participants’ commitment to partake in and contribute to the study in the absence of face-to-face interactions.

Regulatory and legal challenges for digital consent

Conduct of clinical trials is guided by good clinical practice (GCP) principles, which seek to ensure that:

  • trials are ethically conducted to protect the dignity, privacy and safety of trial subjects; and
  • there exists an adequate procedure to ensure the quality and integrity of the data generated from the trial.

Informed consent is one of the most important ethical principles, and an essential condition both for therapy and research. It is a voluntary agreement to participate in research, but is more than a form that is signed; it is a process during which the subject acquires an understanding of the research and its risks.

The challenges of conducting clinical research using digital technology are, to name a few:

  1. how to ensure that the language used in the informed consent is engaging and user-friendly to promote greater understanding of the nature of the study and the risks relating to participation in the trial;
  2. how to assess capacity and understanding of trial subjects remotely;
  3. how to assess voluntary choice without the benefit of body language and tone; and
  4. how to verify the identity of the person consenting (although this risk may be mitigated in the future through biometric or identity verification tools).

Moreover, there are practical challenges with using these technologies, for example relating to the assessment of patient eligibility, and to the monitoring of trial subjects to ensure that clinically meaningful data of an acceptable quality are collected and collated during the trial to comply with the GCP principles and support regulatory submissions.

Because of some of these challenges, the NEJM publication suggests that app-based research may be most suitable for low-risk studies. However, it is likely that these risks will be mitigated in the future as the technology develops and researchers and patients become more familiar with its use.