Health Issues

In early March 2024, the EU lawmakers reached agreement on the European Health Data Space (EHDS).  For now, we only have a work-in-progress draft version of the text, but a number of interesting points can already be highlighted.  This article focusses on the obligations of data holders; for an overview of the EHDS generally, see our first post in this series.

We expect the final text of the EHDS to be adopted by the European Parliament in April 2024 and by the EU Member States shortly thereafter.

1: Health data holder

The term “health data holder” includes, among others, any natural or legal person developing products or services intended for health, developing or manufacturing wellness applications, or performing research in relation to healthcare, who:

  • in relation to personal electronic health data: in its capacity of a data controller has the right or obligation to process the health data, including for research and innovation purposes; or
  • in relation to non-personal electronic health data: has the ability to make the data available through control of the technical design of a product and related services.  These terms appear to be taken from the Data Act, but they are not defined under the EHDS.

In practice, this means that, for example, hospitals, as data controllers, are data holders of their electronic health records.  Similarly, pharmaceutical companies are data holders of clinical trial data and biobanks.  Medical device companies may be data holders of non-personal data generated by their devices, if they have access to that data and an ability to produce it.  However, medical device companies would not qualify as a data holder where they merely process personal electronic health data on behalf of a hospital.

Individual researchers and micro enterprises are not data holders, unless EU Member States decide differently for their territory.

2: Data sets covered by EHDS

The EHDS sets out a long list of covered electronic health data that should be made available for secondary use under the EHDS.  It includes, among others:

  • electronic health records;
  • human genetic data;
  • biobanks;
  • data from wellness applications;
  • clinical trial data – though according to the recitals, this only applies when the trial has ended;
  • medical device data;
  • data from registries; and
  • data from research cohorts and surveys, after the first publication of the results – a qualifier that does not seem to apply for clinical trial data.

Continue Reading EHDS Series – 2: The European Health Data Space from the Health Data Holder’s Perspective

On October 12, 2023 the Italian Data Protection Authority (“Garante”) published guidance on the use of AI in healthcare services (“Guidance”).  The document builds on principles enshrined in the GPDR, national and EU case-law.  Although the Guidance focuses on Italian national healthcare services, it offers considerations relevant to the use of AI in the healthcare

Germany’s hospital system is reported to be of high quality but is also very expensive by international standards. Hospitals and healthcare payers such as health insurances are exposed to increasing economic constraints. One particular point of criticism is, for example, the current system of Diagnosis Related Group (DRG)-based fees.

Patient treatments are compensated based on the DRGs which effectively leads to a lump-sum payment system per diagnosis (with certain exemptions). This system has pros and cons. As a downside, it is reported to create incentives for over-treatments to generate DRG-based fees per patient.

At the same time, many hospitals in Germany are at risk of closure and insolvency due to financial challenges. The German federal states have thus asked the federal government for financial support to finance the restructuring of the hospital system and prevent hospitals from bankruptcy.

German federal and state governments have been discussing an intended hospital reform for months. Provided that no additional money flows into the healthcare system, the principle for this reform is “outpatient care before inpatient care”. The financial volume incentive shall therefore be minimised and a concentration on larger hospitals and medical institutions shall optimise or at least improve the current structures and quality of medical care in Germany. This shall also be accompanied by a reduction of the general number of hospitals in Germany.

On 10 July 2023, the key objectives of the envisaged hospital reform plans (Eckpunktepapier: Krankenhausreform) have been agreed on: (1) Ensuring security of supply (in particular public responsibility for ensuring the provision of healthcare, so-called “Daseinsvorsorge”), (2) securing and increasing the quality of treatment, and (3) reducing bureaucracy. Particularly, this is to be reflected in the following key measures:Continue Reading Germany plans significant hospital reform with broad impact on life sciences companies

Following the COVID-19 pandemic and the relatively slow approval of vaccines in the EU versus other key jurisdictions, as part of the EU’s General Pharmaceutical Legislation amendment proposal, published on 26 April 2023, the European Commission has proposed to introduce temporary emergency marketing authorizations (“TEMAs”) for use when there is a “public health emergency.”  The TEMA will be an “agile, fast and streamlined” process to allow products to be developed and made available as soon as possible in emergency situations.  However, it remains to be seen whether in practice the TEMA process will provide a faster procedure than existing routes for early and expedited approval of medicinal products, such as conditional marketing authorizations (“CMAs”) or Member State procedures for temporary approval.

Reason to Introduce the TEMA

The EU took a coordinated approach to approval and procurement of vaccines during the COVID-19 pandemic.  In the EU, COVID-19 vaccines were approved using the CMA procedure combined with a rolling expedited review.  According to the European Medicines Agency (“EMA”), CMAs were the “the most appropriate tool to grant access to COVID-19 vaccines to all EU citizens at the same time and to underpin mass vaccination campaigns.”  Vaccines approved with a CMA included Comirnaty, Nuvaxovid and Spikevax (amongst others).

However, the approval of COVID-19 vaccines in the EU was slower than in other jurisdictions.  For example, the UK MHRA granted Comirnaty a temporary authorization on December 2, 2020.  The US FDA gave the vaccine an Emergency Use Authorization on December 11, 2020.  Whereas, the Commission did not grant a CMA for the vaccine until December 21, 2020.Continue Reading EU Pharma Legislation Review Series: Temporary Emergency Marketing Authorizations

As part of the EU’s General Pharmaceutical Legislation amendment proposal, published on 26 April 2023 (“theProposal”), the European Commission (“Commission”) has introduced a series of measures aimed at securing the supply of critical medicinal products across the EU and at preventing shortages.  In particular, there are new obligations for Marketing Authorization Holders (“MAH”) and competent authorities are given more power to better monitor and control the availability of medicines on the market.

As we have discussed previously, these measures aim to tackle the broader problem of security and robustness of pharmaceutical supply chains, which became especially prominent during the COVID-19 pandemic.  In this blog, we briefly explore some of the changes introduced by the Proposal.

Preventing Supply Disruptions and Shortages

Critical Medicinal Products

The Proposal expands the monitoring of “critical medicinal products” beyond emergency situations.  Now, medicinal products “for which insufficient supply results in serious harm or risk of serious harm to patients” will be included in the “Union list of critical medicinal products” (“Union list”), and the Commission will have the power to implement measures such as stockpiling of active pharmaceutical ingredients or finished dosage forms.  Continue Reading EU Pharma Legislation Review Series: Supply Security and Shortages Control

By Libbie CanterAnna D. KrausOlivia VegaElizabeth Brim & Jorge Ortiz on April 14, 2023

On April 11, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced that four Notifications of Enforcement Discretion (“Notifications”) that were issued under the Health Insurance Portability and Accountability Act

On 24 January 2023, the Italian Supervisory Authority (“Garante”) announced it fined three hospitals in the amount of 55,000 EUR each for their unlawful use an artificial intelligence (“AI”) system for risk stratification purposes, i.e., to systematically categorize patients based on their health status. The Garante also ordered the hospitals to erase all the data

On February 1, the Federal Trade Commission (“FTC”) announced its first-ever enforcement action under its Health Breach Notification Rule (“HBNR”) against digital health platform GoodRx Holdings Inc. (“GoodRx”) for failing to notify consumers and others of its unauthorized disclosures of consumers’ personal health information to third-party advertisers.  According to the proposed order, GoodRx will pay a $1.5 million civil penalty and be prohibited from sharing users’ sensitive health data with third-party advertisers in order to resolve the FTC’s complaint. 

This announcement marks the first instance in which the FTC has sought enforcement under the HBNR, which was promulgated in 2009 under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, and comes just sixteen months after the FTC published a policy statement expanding its interpretation of who is subject to the HBNR and what triggers the HBNR’s notification requirement.  Below is a discussion of the complaint and proposed order, as well as key takeaways from the case.

The Complaint

As described in the complaint, GoodRx is a digital healthcare platform that advertises, distributes, and sells health-related products and services directly to consumers.  As part of these services, GoodRx collects both personal and health information from its consumers.  According to the complaint, GoodRx “promised its users that it would share their personal information, including their personal health information, with limited third parties and only for limited purposes; that it would restrict third parties’ use of such information; and that it would never share personal health information with advertisers or other third parties.”  The complaint further alleged that GoodRx disclosed its consumers’ personal health information to various third parties, including advertisers, in violation of its own policies.  This personal health information included users’ prescription medications and personal health conditions, personal contact information, and unique advertising and persistent identifiers.Continue Reading FTC Announces First Enforcement Action Under Health Breach Notification Rule

Recent legislation allows employers to continue offering first-dollar telehealth coverage without jeopardizing the ability to contribute to a health savings account (“HSA”), but only through the end of the 2024 plan year.

Background – HSA Eligibility

Employees can make and receive pre-tax contributions to HSAs to use for qualified medical expenses. To be “eligible” to make or receive contributions to an HSA, you (a) must be covered by a high deductible health plan (“HDHP”), and (b) may not have other non-HDHP coverage that covers benefits before the HDHP deductible has been met.

Certain types of coverage, like dental and vision care, is disregarded in determining whether an individual is “eligible” to contribute to an HSA. Disregarded coverage does not have to be coordinated with HDHPs. This means that participants can receive “first-dollar” coverage for disregarded coverage and still be eligible to make or receive contributions to an HSA.

Telehealth is Disregarded Coverage Through 2024

Under prior legislation, telehealth coverage provided (i) during plan years beginning before December 31, 2021; and (ii) during the period beginning April 1, 2022 and ending December 31, 2022, is disregarded coverage under the HSA rules. See the CARES Act and the Consolidated Appropriations Act, 2022. Continue Reading Employers Can Continue to Cover Telehealth Benefits Before HDHP Deductible Is Met