INTRODUCTION

Note From the Editors

Welcome to Vital Signs, a curated compilation of the latest legal and regulatory developments in digital health. Our lead article reports on HHS' recent final rule on the confidentiality of substance use disorder patient records. Don't miss the numerous U.S.-based updates on cybersecurity, tracking technologies, FDA guidance, and DOJ activities, among others. In our Global Section, you'll find reports from Europe and India from our colleagues around the world. Thank you to our Jones Day contributors who are committed to bringing you a one-stop resource on notable digital health updates.

INDUSTRY INSIGHTS

HHS Finalizes "Part 2" Rule on Confidentiality of Substance Use Disorder Patient Records Regulations to Further Align with HIPAA

On February 8, the Department of Health and Human Services ("HHS") announced its final rule modifying the Confidentiality of Substance Use Disorder Patient Records regulations at 42 CFR part 2 (the "Final Rule"). HHS stated that the Final Rule implements modifications required under the Coronavirus Aid, Relief, and Economic Security Act, increasing alignment with the Health Insurance Portability and Accountability Act of 1996, and the Health Information Technology for Economic and Clinical Health Act (collectively, "HIPAA"). HHS also states that the Final Rule reflects modifications proposed in the 2022 Proposed Rule, as well as modifications informed by subsequent public comments.

The Final Rule notably implements requirements and flexibilities related to notice and consent, provides certain individual rights and remedies, incorporates required processes with respect to breach notification and de-identification, and maintains certain restrictions on the use and disclosure of part 2 information.

Notice & Consent

The Final Rule requires part 2 programs to provide patient notices including certain statements, descriptions and examples, patient rights, program duties, complaint processes, and other details, as applicable. Such notices are akin to the HIPAA Notice of Privacy Practices ("NPP"), which, relatedly, may undergo change pursuant to anticipated upcoming modifications to the HIPAA Privacy Rule.

The Final Rule also implements considerably more flexibility by enabling patients to provide a single consent (meeting requirements of HIPAA authorizations) for "all future uses and disclosures" for treatment, payment, and health care operations, subject to certain exceptions. Additionally, the Final Rule permits part 2 programs, covered entities and business associates, and other lawful recipients of part 2 information to further use and disclose such information following an initial patient consent and disclosure in certain instances. Notably, consents for use and disclosure of records for civil, criminal, administrative, or legislative proceedings may not be combined with consents for other purposes, and disclosure of covered counseling notes requires specific consent from the individual. Each disclosure made pursuant to patient consent must be accompanied by a redisclosure notice and either a copy of the consent or a clear explanation of the scope of the consent.

Individual Rights & Remedies

The Final Rule provides additional rights to individuals related to: (i) requests for restrictions on and accounting of certain disclosures; and (ii) the option to opt-out of receiving fundraising communications. Further, the Final Rule implements the right to file complaints with the Secretary, in conjunction with complaints filed with a part 2 program, and applies civil and criminal enforcement authorities applicable under HIPAA.

Breach Notification and De-Identification

The Final Rule applies breach notification processes and requirements under HIPAA, implementing applicable definitions and notification requirements for certain recipients. Moreover, the Final Rule implements the same de-identification methods provided under HIPAA, allowing for either the safe harbor method of removing all identifiers or expert determination.

Limitations

Despite the various modifications, the Final Rule maintains certain restrictions, including on the use and disclosure of part 2 information for legal proceedings against patients, absent patient consent or a court order. It also implements restrictions regarding counseling notes similar to HIPAA restrictions on psychotherapy notes.

While the Final Rule provides flexibility to decrease patient and provider burden and to improve care coordination and patient access, privacy practices remain pivotal, particularly given HHS's recent and increased focus on health data privacy and cybersecurity practices. The Final Rule was published in the Federal Register on February 16 and will become effective on April 16.

UNITED STATES DEVELOPMENTS

Federal

DEA Urged to Clarify That Prescriber Geography Is Not a "Red Flag" for Telehealth Prescriptions

In February, the American Telemedicine Association and its affiliated advocacy organization, ATA Action, along with other interested groups, issued a letter urging the Drug Enforcement Administration ("DEA") to issue explicit guidance to the pharmacy community clarifying that a prescriber's geography in relation to a patient or pharmacy is not a "red flag" for prescriptions that result from telehealth visits. The letter notes that many in the pharmacy community currently view geography as a "red flag" that raises suspicions about a prescription's validity. (Note that red flags are not set forth in statutes or regulations, but rather in DEA enforcement actions and other guidance.) Because "[t]he ability of telehealth to expand access to care relies on providers being able to virtually reach geographies they otherwise could not in person," the signatories to the letter argue that the distance of a telehealth prescriber from the patient alone should not signal that the prescription may be illegitimate. The letter asks the DEA to address this issue in its anticipated proposed rulemaking related to the prescribing of controlled substances in the absence of a prior in-person medical evaluation.

HHS Publishes Cybersecurity Performance Goals and Concept Paper Indicating Strategy for the Health Care Sector

In December 2023, HHS published a concept paper outlining its cybersecurity strategy for the health care sector, including pronounced enforcement efforts and higher industry practice standards. In January 2024, HHS released its Health Care and Public Health Sector-Specific Cybersecurity Performance Goals ("CPGs"). These CPGs are categorized into "essential" and "enhanced" goals to address common cyber-related vulnerabilities in the health sector. While compliance with the CPGs is "voluntary," HHS indicated that it plans to implement these goals as enforceable cybersecurity standards under existing programs and regulations like Medicare, Medicaid, and HIPAA. In the interim, HHS indicated that it will work with Congress to "increase resources . . . to investigate potential HIPAA violations [and] conduct proactive audits."

American Hospital Association Files Suit Against HHS Challenging Stance on Tracking Technologies

In November 2023, the American Hospital Association ("AHA") brought suit against the HHS Office of Civil Rights ("OCR") to block enforcement of its December 2022 bulletin (the "Bulletin") on the use of tracking technologies as related to HIPAA. The Bulletin proposes a far-reaching interpretation of what information may constitute protected health information and individually identifiable health information governed by HIPAA. Considerable industry backlash followed the Bulletin's release. Soon after, HHS and the Federal Trade Commission ("FTC") issued a joint letter to approximately 130 hospital systems and telehealth providers warning against purported impermissible uses of tracking technologies. On January 5, 2024, the AHA filed its opening brief against the HHS OCR stating, among other things, that HHS has "issued a new rule that is flawed as a matter of law, deficient as a matter of administrative process, and harmful as a matter of policy." The brief states that, in issuing this rule, HHS "exceeds the government's statutory and constitutional authority, violates the substantive and procedural requirements for agency rulemaking, and injures the very people it purports to protect." The AHA made several requests for relief, including declaratory judgment and permanent injunction.

National Institute of Standards and Technology Releases Framework for March-In Rights In December 2023, the National Institute of Standards and Technology ("NIST") released a proposed framework for federal agencies regarding the exercise of government march-in rights for federally-funded inventions. Among other considerations, the proposed framework considers the price of a product as a relevant factor with respect to whether an invention has achieved practical application or whether it reasonably satisfies health or safety needs. Comments regarding the proposed framework closed February 6. Although the government has not previously exercised its march-in rights, NIST's notice indicates that federal agencies may begin to exercise those rights to promote competition and reduce prices, including in the health care industry. Looking ahead, the proposed framework may chill collaboration between the biotech/pharmaceutical industry and universities or small biotech companies receiving federal funding for research and development. For additional details, see here.

Office of Inspector General Releases General Compliance Program Guidance

In November 2023, the Office of Inspector General ("OIG") of HHS released its "General Compliance Program Guidance" ("GCPG"). The GCPG provides guidance generally applicable to "all individuals and entities" in the health care industry, from providers to manufacturers, suppliers, and investors. While much of the GCPG is a consolidation of familiar guidelines and principles, the OIG also recommends adding topics, such as quality and patient safety, to compliance reviews and expressly considers the impact of ownership and payment incentives on patient care. Like all HHS-OIG compliance documents, the GCPG is not binding on any individual or entity. The GCPG is the first in a series of new compliance program guidance documents that the OIG states it will issue over the course of the next few years, with more industry-specific guidance to be released in 2024. For additional details, see here.

HHS Enters Into First-Ever Ransomware Resolution Agreement and Corrective Action Plan

In October 2023, the HHS OCR announced a first-of-its-kind ransomware agreement after a medical management company serving as a business associate and providing a variety of services, including medical billing and payor credentialing, suffered a ransomware attack. The OCR alleged that the company was non-compliant with HIPAA by failing to: (i) conduct an accurate and thorough risk analysis; (ii) implement information system activity review procedures; and (iii) implement and maintain appropriate HIPAA policies. The resolution requires the medical management company to pay $100,000 and subjects it to a three-year corrective action plan under which it must cure the above alleged failures, inventory its ePHI-containing environments, update its risk management plan, and provide additional training to its employees, all under the supervision of HHS. The settlement signals federal agencies' increased scrutiny of companies' health information protection programs, and highlights agencies' willingness to penalize victims of ransomware attacks.

FDA Identifies Guiding Principles for Predetermined Change Control Plans

In October 2023, the Food and Drug Administration ("FDA"), Health Canada, and the United Kingdom's Medicines and Healthcare products Regulatory Agency jointly identified five guiding principles for developing Predetermined Change Control Plans ("PCCPs"). PCCPs are increasingly provided in marketing submissions to describe planned modifications to machine learning-enabled devices. These joint guidelines encourage international harmonization to support the safe and effective improvement of medical devices and more thorough regulatory oversight. While recognizing that the regulatory environment for PCCPs may vary across jurisdictions, the guidelines concur that robust PCCPs are: (i) focused and bounded; (ii) risk-based; (iii) evidence-based; (iv) transparent; and (v) responsive to the total product lifecycle.

FDA Issues Final Guidance on "Assessing the Credibility of Computational Modeling and Simulation in Medical Device Submissions"

In December 2023, the FDA issued draft guidance explaining how it intends to evaluate real-world data ("RWD") related to patient health status or the delivery of health care to determine whether it is of sufficient quality for generating real-world evidence ("RWE"). RWE (i.e., clinical evidence regarding a product's use, benefits, or risks) can be used to support the FDA's medical device regulatory decision-making. RWD can be collected from a variety of sources, including electronic health records, medical claims data, data from product and disease registries, or digital health technologies. The guidance also includes a discussion of factors important for determining whether the RWD is "fit-for-purpose" for a particular regulatory decision. Ultimately, to be considered, the FDA provides that the RWD must be "relevant to and reliable for informing or supporting" the decision.

FDA Releases Commissioned Report on Managing Legacy Medical Device Cybersecurity Risks

Published in November 2023, a report, authored by MITRE, addresses the challenges posed by medical devices that still perform their primary function but which may be vulnerable to cybersecurity risks. The report makes several recommendations and articulates considerations for less-resourced health care delivery organizations, including enhanced data collection regarding the risks and costs of replacement versus continued use of legacy devices, shared responsibility over the device lifecycle, and enhanced modular design.

FDA Issues Final Rule on "Direct-to-Consumer Prescription Drug Advertisements: Presentation of the Major Statement in a Clear, Conspicuous, and Neutral Manner in Advertisements in Television and Radio Format"

In November 2023, the FDA issued a final rule describing five standards which it believes, independently and collectively, help to ensure that the major statement relating to side effects and contraindications in direct-to-consumer TV/radio advertisements is presented in a "clear, conspicuous, and neutral manner."

FDA Adds 171 Devices to AI/ML-Enabled Devices List.

The FDA recently added 171 devices to its list of artificial intelligence/machine learning-enabled devices ("AI/ML"). With this update, the FDA also provided insights about submission trends based on analyses of publicly-available information, including device marketing authorization documents. Notable FDA insights from this update include the following:

• Based on projected volume, the FDA expects a > 30% year-over-year increase of AI/ML-enabled devices in 2023 as compared to 2022;
• In 2022, 87% of AI/ML-enabled devices were used in Radiology, 7% in Cardiovascular Medicine, and 1% each in Neurology, Ophthalmology, Hematology, Gastroenterology/Urology, Clinical Chemistry, and ENT Services; and
• There is a trend toward more hybrid models which combine various algorithmic approaches by, for example, using one model to generate features and another to classify.

FDA Issues Revised Draft Guidance on "Communications From Firms to Health Care Providers Regarding Scientific Information on Unapproved Uses of Approved/Cleared Medical Products"

The revised draft guidance discusses the FDA's evolving position regarding how scientific information on unapproved uses ("SIUU") of approved/cleared medical products can be communicated to health care providers. For additional details, see here.

FDA's Center for Devices and Radiological Health Joins the AI Global Health Care Initiative Collaborative Community

The forum of private and public sector members seeks to leverage the potential of AI to improve patient care. As this new engagement signals, digital health will remain a top priority for the FDA in 2024.

FDA Publishes Final Guidance on Digital Health Technologies (DHTs) for Remote Data Acquisition in Clinical Investigations

In December 2023, the FDA issued final guidance for the use of DHTs in clinical investigations of medical products. Use of DHTs may improve the efficiency of clinical trials for sponsors, investigators, and other stakeholders, increase the opportunities for individuals to participate in research, and make such participation more convenient. According to the FDA, this final guidance satisfies its obligation under §3607(a) of the Food and Drug Omnibus Reform Act of 2022 ("FDORA"): (i) to issue or revise draft guidance regarding the appropriate use of DHTs in clinical trials within a year of enactment; and (ii) to issue a revised draft guidance or final guidance within 18 months after the end of the public comment period on the draft guidance. The final guidance revises the draft guidance issued December 23, 2021, explains the regulatory considerations for DHTs that meet the definition of a device under section 201(h) of the Federal Food, Drug, and Cosmetic Act, and clarifies the considerations in cases where a participant may use their own DHT in a clinical investigation. The final guidance also contains details regarding the FDA's recommendations for the verification and validation of DHTs used in a clinical investigation.

DOJ Persists in Medicare Fraud Enforcement Efforts Involving DME and Telemedicine Providers

• The Department of Justice ("DOJ") continues to focus on individuals and entities purportedly using telehealth platforms and providers in connection with the inappropriate prescription of medically unnecessary durable medical equipment ("DME"). In October 2023, the owner of a New York-based marketing company admitted to his role in a fraudulent scheme resulting in more than $127 million in false claims for unnecessary DME. The situation in question involved kickback schemes to telemedicine companies and DME suppliers.
• A Virginia-based nurse practitioner pled guilty in November 2023 to involvement in a similar scheme, involving $7.8 million in false Medicare claims, which used telemedicine to procure orders for unnecessary DME.

DOJ Scrutinizes Fraudulent Medicare Submissions Involving Genetic Testing

In October 2023, a Louisiana doctor pled guilty to defrauding Medicare out of approximately $5.6 million. The doctor admitted to: (i) working as an independent contractor for several purported telemedicine companies; and (ii) signing thousands of orders for unnecessary genetic tests and DME, for which he admitted to receiving kickbacks. As part of the fraud, the doctor admitted to making several false and fraudulent statements supporting the orders despite never speaking to or otherwise treating many of the beneficiaries.

The U.S. Treasury Department's Financial Crimes Enforcement Network Beneficial Ownership Information Rule

The U.S. Treasury Department's Financial Crimes Enforcement Network ("FinCEN") Beneficial Ownership Information Rule ("BOI Rule"), issued pursuant to the Corporate Transparency Act ("CTA"), took effect on January 1, 2024. The rule mandates that certain "reporting companies" disclose information about their "beneficial owners" in an effort to combat money laundering, terrorist financing, and other illicit activities. The reporting obligation covers both domestic entities created by filings with a secretary of state or similar office, and foreign entities that register to do business in any U.S. jurisdiction (with exemptions for 23 specified entities). The rule defines "beneficial owner" broadly as individuals directly or indirectly owning or controlling at least 25% of a reporting company's interests or exercising substantial control over the reporting entity. Reporting companies formed on or after January 1, 2024, must submit initial reports within 30 days of creation or qualification. Reporting companies formed prior to January 1, 2024, have until January 1, 2025, to file initial reports.

Health care entities, particularly those with complex business arrangements involving "substantial control" over potential reporting entities, may be affected by the CTA and BOI Rule. In these cases, a nuanced analysis may be required to determine the ownership information for disclosure or reporting to FinCEN.

WHO Issues Guidance on Artificial Intelligence for Health

The World Health Organization ("WHO") published guidance on the use of large multi-modal AI models ("LMMs") in the health sector. This guidance identifies the health-related benefits and pitfalls posed by LMMs and provides recommendations for government action.

WHO identifies promising applications for, and formidable risks of, LMMs. For example, the guidance identifies that LMMs could provide more accurate diagnoses, especially regarding "unusual presentations" or complex cases. Companies are already training LMMs using medical and health data, and the algorithms have proven able to both process vast amounts of medical information and issue accurate responses. Additional benefits could include improved patient-guided use, time savings for health professionals as LMMs handle administrative tasks, improved medical and nursing education through simulated clinical interactions, and streamlined clinical research and drug development. However, the WHO guidance also recognizes certain risks. Prominent concerns include the tendency for LMMs to produce false responses that are indistinguishable from factually accurate responses (i.e., "hallucinations") and the potential for poor quality or biased data that may exacerbate misinformation and bias.

To minimize dangers, WHO recommends intervention at each stage of an LMM's "value chain." The value chain is the series of decisions regarding programming and development that shape an algorithm and its potential risks and benefits. WHO identifies three stages of LMM use: (i) design and development; (ii) provision; and (iii) deployment. WHO also recommends that governments: (i) introduce mandatory post-release auditing and impact assessments; and (ii) hold developers responsible for false or damaging responses which they could have corrected or avoided. Following this framework and diligently monitoring the impact of LMMs will, in WHO's view, help maximize AI's potential health benefits and minimize its risks.

State

New York Becomes First State to Propose Hospital-Targeted Cybersecurity Regulations

In December 2023, New York proposed a much-anticipated regulation to create specific additional cybersecurity requirements for hospitals within the state. The regulations would require, among other things: (i) the establishment of a regularly reviewed and written cybersecurity program; (ii) annual penetration testing; (iii) the appointment of a Chief Information Security Officer; (iv) incident reporting within two hours of determination that a breach is material; and (v) multifactor authentication to access information systems off-site. Hospitals will have one year from the date of adoption to comply with most of the regulations, however, the incident reporting obligations will be effective immediately upon adoption.

Cloud Software Company Agrees to pay $49.5 million to Settle Claims brought by Multistate Coalition of State Attorneys General

In October 2023, a cloud software company agreed to pay $49.5 million to settle claims brought by attorneys general of 49 states and Washington, D.C., stemming from a 2020 data breach that exposed certain customer data. The cloud software company's customers included numerous health care groups whose patients' sensitive health information was compromised. The multistate investigation found that: (i) the company's cybersecurity practices failed to comply with the HIPAA Privacy and Security Rules; and that (ii) these vulnerabilities were exploited by individuals who stole sensitive data. The attorneys general also concluded that the company had failed to notify its customers of the breach promptly, completely, and accurately, in violation of state consumer protection laws and HIPAA's Breach Notification Rule—a provision frequently invoked in several recent high-profile enforcement actions.

Oregon Clarifies Rules for Provision of Health Care Across State Lines

The Oregon Medical Board has updated its rules and is in the process of updating its Telemedicine Statement of Philosophy to align with amendments allowing out-of-state physicians and physician assistants to provide temporary or intermittent follow-up care to established patients living in Oregon. The update also clarified a prior law allowing out-of-state providers to treat established patients who are temporarily located in Oregon via telehealth by defining "temporarily located" to include only patients in Oregon "for the purpose of business, education, vacation, or work." The law specifies that such practice occurs where the patient is located, meaning that providers are subject to the authority of the Oregon Medical Board.

GLOBAL DEVELOPMENTS

Europe

EU Parliament and Council Reach Agreement on Urban Wastewater Treatment Directive

On January 29, 2024, a provisional political agreement was reached between European Parliament and the Council regarding the European Commission's 2022 proposal to revise the Urban Wastewater Treatment Directive. This agreement focuses on the responsibility of the most polluting industries—pharmaceuticals and cosmetics—to pay at least 80% of the costs of additional treatment to remove micropollutants from urban wastewater (known as "quaternary treatment.") The costs borne by polluting industries will be "complemented by national financing" to avoid adverse impacts on the availability, affordability, and accessibility of medicines, according to the text of the agreement. According to an EU diplomat, each member state can decide how much of the cost the Extended Producer Responsibility covers, from 80% up, and can also decide how the rest of the cost is covered. The political agreement has not yet been formally approved by Parliament and the Council.

EU Reaches Agreement On Artificial Intelligence Act

In December 2023, European Parliament and the Council reached a political agreement on the Artificial Intelligence Act ("AI Act") proposal, the first-ever comprehensive legal framework for AI worldwide. The AI Act aims to guarantee that AI systems placed on the European market and used in the EU are safe and respect both fundamental rights and EU values. By taking a risk-based approach, the AI Act seeks to achieve a balance that would foster customer trust as well as investment and innovation in the field of AI within Europe. The AI Act has an extraterritorial reach, applying to AI providers regardless of their location, users within the EU, and providers and users outside the EU when the output produced by the system is used in the EU. In summary, the AI Act: (i) prohibits certain AI systems; (ii) imposes strict requirements on high-risk AI systems; (iii) outlines transparency obligations on other AI systems, and iv) introduces specific rules for general-purpose AI models and foundation models in order to guarantee transparency. For additional details, see here.

EU Releases Data Act to Facilitate Access and Use of Data

In December 2023, a set of regulations on harmonized rules for fair access to and use of data (the "Data Act") was published in the EU's Official Journal. The Data Act sets forth rules on fair access to and use of personal and non-personal data across all economic sectors that is generated by connected products and digital-related services.

The Act sets rules on business-to-business and business-to-consumer data access; establishes a ban on unfair contractual terms for data sharing and introduces non-binding model contractual terms; provides for a harmonized framework for the access and use of data held by the private sector, public sector bodies, the Commission, the European Central Bank, and EU bodies; facilitates switches between providers of data processing services; establishes safeguards against unlawful data transfer; and provides for the development of interoperability standards for the reuse of data between sectors. Additionally, it includes an obligation for EU Member States to lay down rules on penalties for infringements of the Data Act. EU supervisory authorities may impose administrative fines as provided in the EU GDPR for certain infringements of the Data Act.

The Data Act entered into force in January 2024 but most of its rules will apply beginning September 2025.

Guidelines for Secure AI System Development

In a landmark collaboration, the U.S. Cybersecurity and Infrastructure Security Agency and the UK National Cyber Security Centre jointly unveiled the Guidelines for Secure AI System Development ("Guidelines"), a publication co-endorsed by 23 national and international cybersecurity entities. This marks a crucial initiative to address the convergence of AI, cybersecurity, and critical infrastructure. Aligned with the U.S. "Voluntary Commitments on Ensuring Safe, Secure, and Trustworthy AI," the Guidelines offer vital recommendations for AI system development, emphasizing the adoption of "secure by design" principles. The approach underscores customer ownership of security outcomes, advocates transparency and accountability, and establishes organizational structures where secure design is prioritized. Notably, the Guidelines are not limited to frontier AI models but encompass all types of AI systems. The Guidelines furnish data scientists, developers, managers, decision-makers, and risk owners with suggestions and mitigations to guide informed decisions throughout the secure design, model development, system development, deployment, and operation phases of their machine learning AI systems.

Applicable to a broad spectrum of AI systems, the Guidelines serve as a valuable resource for stakeholders involved in the decision-making processes of designing, deploying, and operating machine learning AI systems.

European Commissioner Gives Speech at the Future Of Health Summit, "Digitalisation as a Driver for Sustainable and Resilient Global Health"

In October 2023, the European Commissioner gave a speech at the Future Of Health Summit on the topic of "Digitalisation as a Driver for Sustainable and Resilient Global Health." In her speech, the Commissioner emphasized the transformative power of digital technologies in health care. Several EU initiatives in the field of digital health were discussed, including the following:

• The European Health Data Space (as proposed on May 3, 2022, by the European Commission and discussed further here) will become the backbone of the European Health Union. It aims to bring together the health data of 430 million citizens and enables unprecedented access and sharing of such data, including for research purposes.
• The Health Network is connecting digital health experts to enable the exchange of health data across borders and to develop common guidelines.
• Myhealth@EU, a program to enable cross-border health services, allows for the exchange of electronic prescriptions or patient summaries across borders.
• The European Cancer Imaging Initiative supports the development of new computer-aided tools to improve screenings, diagnoses, and personalized medicine. It currently links datasets of images of various cancer types; a total of more than 200,000 image series' from about 20,000 individuals.
• The Global Gateway and Team Europe Initiative on digital health aim to address the digital divide by working with partner countries and the African Union.

Further, the Commissioner notes that EU member states have currently allocated a total of 14 billion euros for digital health infrastructure, telemedicine, and digital skills under 27 national Recovery and Resilience Plans.

The Commissioner ultimately stressed that fully realizing the benefits of digital transformation in health care requires the development of digital skills.

European Commission Publishes Booklet on

European Reference Networks

In October 2023, the European Commission Directorate-General for Health and Food Safety published "European Reference Networks—Working for patients with rare, low-prevalence and complex diseases—Share, care, cure." European Reference Networks ("ERNs") are virtual networks connecting health care professionals, providers, and patients across the EU and Norway. ERNs aim to tackle diseases and conditions that require highly specialized treatment and pooling of knowledge and resources. Among other things, ERNs convene virtual advisory boards with medical specialists across different disciplines across the EU using dedicated IT platforms to discuss, diagnose, and treat patients. ERNs also coordinate and facilitate educational and training activities, develop clinical practice guidelines and other clinical decision support tools, work together on knowledge generation and dissemination, and serve as focal points for research and innovation in the area of rare and low-prevalence complex diseases. In addition, ERNs are populating EU-registries with high-quality data from patients with rare diseases. There are currently 24 ERNs in the EU.

European Parliament and Council Agree on Respective Positions on the European Health Data Space

In November 2023, Parliament proposed several changes regarding the secondary use of health data. (The primary use of health data is the provision of health services whereas the secondary use of health data is any other purpose, such as scientific research or the training of medical devices). For example, Parliament aimed to: (i) require explicit patient permission for the secondary use of certain sensitive health data; and (ii) provide for an opt-out mechanism for other data. Further, Parliament aims to provide citizens with the right to challenge a decision of a health data access body and to allow non-profit organizations to lodge complaints on their behalf. Notably, the Parliament position expands the list of cases in which a secondary use would be banned, for example, in the labor market or for financial services.

In December 2023, the Council of the EU also agreed upon Parliament's position with respect to the proposed European Health Data Space. The Council proposed significant amendments, including, for example, that EU Member States should have the discretion to allow patients to opt out of the new data-sharing system.

Parliament and the Council can now start negotiations on the final legislative text. Additional details on the procedural developments can be found here.

EMA Adopts Revised CTIS Transparency Rules

In October 2023, the European Medicines Agency ("EMA") adopted revised Clinical Trial Information System Transparency Rules. The Clinical Trials Information System ("CTIS") is used for the exchange of information on clinical trials in the EU. The information in CTIS is, in principle, public, with certain exceptions. Confidentiality can, for example, be justified for the protection of personal data or commercially confidential information. EMA has issued transparency rules in the past, clarifying the types of data that can be kept confidential and the mechanisms used to do so. EMA has simplified these CTIS transparency rules to give patients and health care professionals faster and more efficient access to clinical trial information. One key change in the revised rules is the removal of the deferral mechanism, which allowed sponsors to delay the publication of certain data and documents for up to seven years after the end of the trial to protect personal data and commercially-confidential information. The revised transparency rules will apply after their technical implementation in CTIS, which is expected to be finalized in the second quarter of 2024.

Danish DPA Issues Assessment on AI Solutions in the Health Care Sector

In November 2023, the Danish Data Protection Authority ("DPA") announced the publication of an assessment of the development and use of AI solutions within the health care sector. The assessment was initiated following a request to examine whether the Copenhagen Municipality had the legal basis to develop, operate, and train an AI solution to process personal and sensitive data for the purpose of predicting citizens' rehabilitation needs. The DPA concluded that, considering the intrusive nature of the processing activity, there was no adequate national legal basis for the processing of personal data in the operation of the AI solution.

German Data Protection Conference Releases Position Paper on Cloud-Based Health Applications

In November 2023, the German Conference of the Independent Data Protection Authorities published a position paper on cloud-based digital health applications. The paper emphasized compliance with data protection principles and stated that health applications should allow users to use apps without cloud functions and without linking to a user account unless these actions are expressly requested. It also covered a variety of other topics, including data protection responsibilities, international transfers, the use of personal data for research, security measures, and instances requiring a data protection impact assessment.

Irish Civil Society Organization Issues Recommendations on EU Health Data Space

In November 2023, the Irish Council for Civil Liberties ("ICCL") issued its recommendations on addressing issues related to the secondary use of health data as referenced in connection with the European Parliament's European Health Data Space ("EHDS"). The ICCL suggests that the EHDS: (i) specify the legal bases and purposes under the GDPR for processing electronic health data; and (ii) reduce the number of categories of health data allowed for secondary use. The ICCL also raised concerns regarding the secondary use of data generated by wellness applications.

Italian DPA Imposes Fines on Regional Health Authority and Hospital

In September 2023, the Italian DPA imposed a € 60,000 fine on a hospital due to its unlawful processing of personal data. In particular, the health care facility required mandatory presentation of a "green pass" for access to medical services, which was deemed inconsistent with data protection principles (such as lawful fairness and transparency).

Similarly, in November 2023, the Italian DPA announced that it had imposed a fine of € 40,000 on the Territorial Social and Health Authority of Lodi for violations of: (i) the GDPR; and (ii) national legislation on data protection. In particular, the DPA found that employees of the public health authority could access other employees' health data and that the data subjects could not have control over the access of their data. Therefore, the DPA concluded that the use of such data resulted in unlawful data processing (i.e., the infringement of data protection principles, such as lawfulness, purpose limitation, and confidentiality).

Polish DPA Approves Code of Conduct for the Health Sector

In December 2023, the Polish DPA announced the approval of the code of conduct for the health sector developed by the Polish Hospital Federation. The tool aims to safeguard the personal data of patients and other individuals within health care facilities. The code is the first in Europe addressing both public and private entities in the medical sector and highlights the advantages of adherence, including demonstrating GDPR compliance and guaranteeing the correct use of specific solutions approved by the DPA.

Bulgaria Digitizes Prescriptions for Medicines

In November 2023, the Bulgarian Health Ministry announced the digitization of prescriptions for all medicines to better control consumption and availability. In October 2023, Bulgaria introduced mandatory electronic prescriptions for diabetes medications and antibiotics following severe shortages and over-consumption issues. Shortages with other medicines have led to this introduction of electronic prescriptions for all prescription medicines. The electronic prescription system gives an overview of real data, providing key insights in consumption, and ultimately shortages, of medication.

Law Modifying the Belgian eHealth Platform Becomes Effective

In December 2023, the Belgian law of 23 November 2023 modifying the law on the eHealth Platform came into force. The Belgian eHealth platform allows for the exchange of data among all actors in health care, and offers several IT services. The new law introduces, among other things, a "referral directory" indicating the type of data kept with a certain health care actor and patients.

New Belgian Data Tracking System Goes Live

In October 2023, the new Belgian "Data Tracking System" ("DTS") went live. The Data Tracking System replaces the old MeSeA applications for handling authorization and vigilance files for human, veterinary, herbal, and homeopathic medicines. The DTS contains, for example, several new functionalities, to be made compatible with other software applications.

Right to Digital Consultation in the Netherlands

The "Right to digital consultation as appropriate for good care" legislative proposal aims to ensure that patients can ask their health care providers for digital video consultations. A health care provider must comply with such requests, unless it would prevent them from providing appropriate care. Health care providers will also have to organize themselves so that digital consultations can be offered, for example, by installing an appropriate application and camera.

Public Campaign on Consent to Share Medical Data

The Dutch Ministry of Health, Welfare and Sport ("VWS") began a public campaign on the importance of permission to share medical data. Under this campaign, health care providers would be prohibited from sharing medical data with other health care providers without the patient's consent. With the campaign slogan, "We take care of you, do you provide permission," VWS informs residents of the Netherlands about available options and how they can provide permission for sharing medical data.

Mandatory Electronic Prescriptions and GP Medication Appointments in Personal Health Environment

Under the Electronic Data Sharing in Health Care Act, as of January 1, 2024, general practitioners in The Netherlands are required to send prescriptions at least electronically to dispensers of such prescriptions. The second obligation under the act will take effect on July 1, 2024, and requires general practitioners to make medication-related appointments available to patients via the patient's personal health environment.

UK DPA Launches Public Consultation on Guidance Addressing Transparency in Health and Social Care

In November 2023, the UK DPA requested public consultation on its draft guidance addressing transparency in the health and social care sectors. The draft guidance targets various professionals in the health and social care sectors and is formulated to assist health and social care organizations in understanding the DPA's expectations regarding transparency. The guidance delves into key aspects such as defining data protection transparency, creating effective transparency materials, communicating privacy information to patients and the public, and evaluating transparency levels.

Asia Pacific

India Enacts Comprehensive Privacy Act with Extra-territorial Reach

In August 2023, India enacted the Digital Personal Data Protection Act of 2023 ("DPDP"). The DPDP defines the term "Personal Data" broadly as all data about an individual who is identifiable by, or in relation to, such data. Further, the DPDP applies to the processing of digital personal data inside India as well as outside of India if the processing is "related to" the offering of goods or services in India. If covered, collectors of digital personal data face various consent, notice, and public reporting obligations, as well as restrictions on the transfer of such data for processing outside of India. Although the act is yet to come into effect, digital health providers operating in India should prepare to comply.