Health Issues

On September 28, California’s governor signed a number of bills into law, including to regulate health care facilities’ use of artificial intelligence (“AI”).  This included AB 3030, which regulates certain California-licensed health care facilities’ use of AI and SB 1223, which amends the California Consumer Privacy Act (CCPA)

Continue Reading California Enacts Health AI Bill and Protections for Neural Data

On 1 July 2024, Germany has enacted stricter requirements for the processing of health data when using cloud-computing services. The new Section 393 SGB V aims to establish a uniform standard for the use of cloud-computing services in the statutory healthcare system which covers around 90% of the German population. In this blog post, we describe the specific new requirements for the processing of health and social data using cloud-computing. We will also discuss whether the new rules may impact medical research and other projects that utilize cloud-computing for processing health data.

1. Scope and Background of Sec. 393 SGB V

The new Section 393 SGB V (Social Security Code – Book V) has been enacted with the recent “Digital Act” (see our earlier blog on the Digital Act). The title of Section 393 SGB V is “Cloud-Use in the Healthcare System“. Hence, it aims to impose specific requirements for healthcare service providers, statutory health insurances and their contract data processors when they process health data and social data using cloud-computing services. According to the German legislator, the provision aims at enabling the secure use of cloud services as a “modern, generally widespread technology in the healthcare sector and to create minimum technical standards for the use of IT systems based on cloud-computing”.

The new requirements apply to data processing using cloud-computing irrespective of whether the cloud-computing is offered by an external vendor or utilizes a tool that the healthcare providers or health insurance has developed on their own.

The term “cloud-computing service” is defined in the law as “a digital service that enables on-demand management and comprehensive remote access to a scalable and elastic pool of shared computing resources, even if these resources are distributed across multiple locations” (Section 384 Sentence 1 No. 5 SGB V). This reflects the corresponding definition of cloud-computing in Article 6 (30) of the NIS2-Directive (EU) 2022/2555 on cybersecurity measures. Services that fall under this definition include, inter alia, Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).Continue Reading Germany enacts stricter requirements for the processing of Health Data using Cloud-Computing – with potential side effects for Medical Research with Pharmaceuticals and Medical Devices

Last week, on 4 July 2024, the German Parliament (Bundestag) has passed significant changes to the country’s drug pricing and reimbursement laws. Just six months after the German Federal Health Ministry (BMG) presented a first draft bill for a “Medical Research Act” (Medizinforschungsgesetz or MFG), the German Parliament has now accepted a modified version of that bill. The Medical Research Act mainly amends (1) national laws for clinical trials with drugs and medical devices, (2) rules for ATMPs (3) drug pricing and reimbursement laws (AMNOG) and (4) initiates a re-organization of the regulatory agencies and ethics committees.

In this blog, we take a closer look at the much-discussed changes in the German drug pricing and reimbursement area. We will focus on two key elements:

  • The controversial new feature of “confidential reimbursement prices”; and
  • The new link between drug pricing and local clinical trials which offers pricing incentives for companies that can show that a “relevant part”  of the clinical trials for a new medicine were conducted in Germany.

We had noted in an earlier blog that the German rules for pharmaceutical pricing and reimbursement are among the most complicated legal areas in the entire world of life sciences laws. With the now coming new laws, Germany adds some additional complexity to its system.

1. Background

The discussed changes to the German drug pricing and reimbursement laws are part of the German Government’s new National Pharma Strategy that aims to enhance Germany’s attractiveness as a place for pharmaceutical research, development, and manufacturing. The Government presented an underlying strategy paper in December 2023 and the Medical Research Act is the first legislative implementation step of that strategy. For an overview of this new National Pharma Strategy, we invite you to read our previous blog on this topic.

The Medical Research Act was first presented to stakeholders in late January 2024. For a comprehensive overview of this first draft, please see our earlier earlier blog. After an initial consultation, the Government revised the draft and initiated the legislative process at the end of May 2024. Overall, the Government has deployed an unusually fast pace and was successful with its plan to get the bill through Parliament before the summer break.Continue Reading Germany amends drug pricing and reimbursement laws with “Medical Research Act” – Drug pricing becomes intertwined with local clinical research expectations

June 27, 2024, Covington Alert

On June 25, 2024, the Food and Drug Administration’s (FDA) Center for Veterinary Medicine (CVM) announced that it has finalized Guidance for Industry (GFI) #276, Effectiveness of Anthelmintics: Specific Recommendations for Products Proposed for the Prevention of Heartworm Disease in Dogs (Final Guidance). The Final Guidance replaces CVM’s draft guidance issued in November 2022. While CVM’s core recommendations remain the same, the Final Guidance clarifies the discussion and recommendations related to geographic locations from which Dirofilaria immitis (D. immitis) larvae used in trials should be sourced, laboratory dose confirmation studies, and field effectiveness studies for products intended to prevent heartworm disease. CVM’s stated overarching goal in making the revisions is to better align GFI #276 with current technology and veterinary epidemiology, including available diagnostic methodology. Drug sponsors who deviate from these recommendations are encouraged to discuss the deviations with CVM.

Background

On May 24, 2018, FDA published a Federal Register Notice requesting public input on possible alternative approaches for evaluating the effectiveness of heartworm disease prevention products for dogs. On its webpage announcing the final guidance, FDA explained that it asked for public input because of reports of lack of effectiveness and certain limitations of the effectiveness studies conducted to support product approval. FDA’s then-current recommendation for demonstrating the effectiveness of a new animal drug intended to prevent heartworm disease was for sponsors to conduct two laboratory dose confirmation studies and one multi-site field effectiveness study under the principles of Good Clinical Practice. FDA specifically requested input on the population level effectiveness endpoint, exposure to infective D. immitis larvae in field studies, outcome assessment in field studies, and laboratory study designs.Continue Reading FDA Issues Final Guidance on Demonstrating Effectiveness of Anthelmintics in Dogs

June 27, 2024, Covington Alert

Per- and poly-fluoroalkyl substances (PFAS)—sometimes referred to as “forever chemicals”—have garnered significant attention in recent years, becoming a focus of government regulation and a deluge of civil litigation targeting a wide array of industries. As with any developing area of risk, it is critical that companies assess what insurance coverage they have for PFAS-related risks; allegations of PFAS exposure can trigger decades of potentially available insurance coverage. Policyholders across industries are taking steps to assess their exposure to PFAS liability and to evaluate the insurance coverage that may respond to any PFAS-related claims.

Recent Developments

The science concerning the human health and environmental effects of PFAS has progressed significantly over the last two decades. For example, in 2024, environmental and other regulators took significant action on PFAS:

  • In February, the Food and Drug Administration announced a voluntary ban on PFAS-containing food packaging, such as takeout containers, microwave popcorn bags, and fast-food wrappers, in the U.S.
  • In April, the Environmental Protection Agency set its first regulatory limits on six types of PFAS in drinking water. The EPA also designated two types of PFAS as CERCLA hazardous substances, paving the way for future contribution actions under environmental cost-recovery statutes.

Continue Reading Navigating PFAS Liability: Emerging Regulations, Litigation Risks, and Insurance Coverage Strategies

1.  Background

Gene and cell therapies are on the rise. On June 12, 2024, the German Federal Government was handed the strategy paper for a National Strategy for Gene and Cell Therapies. The paper is intended to serve as a basis for policymaking to give Germany a leading role in the field of gene and cell therapies (GCT) in Europe. The German Government recognizes that the age of GCT has started but that there are many legal, regulatory and practical shortcomings that impedes research and development of GCTs in Germany.

Back in the fall of 2022, the German Federal Ministry of Education and Research (BMBF) had commissioned the Berlin Institute of Health (BIH) to coordinate and moderate the development of a National Strategy for GCT. Eight working groups were created to develop the National GCT Strategy, with a total of about 150 experts from various stakeholder groups. The result of their work is a document divided into eight fields of action, in which various measures are proposed to achieve strategic goals in the field of GCT.

The National GCT Strategy is one of several highly targeted measures with which the German Government aims to make Germany more attractive as a location for pharmaceutical and healthcare innovation. Just six months ago, in December 2023, the Federal Ministry of Health (BMG) presented a strategy paper for the new National Pharma Strategy. We reported on this in detail in an earlier Covington blog.

Unlike the National Pharma Strategy, which was developed under the Social Democrat-led Federal Ministry of Health (BMG), the National Strategy for GCT is an initiative led by the Federal Ministry of Education and Research which is led by the liberal party FDP. The BMBF appears keen to play a leading role in the establishment of GCT in Germany. Industry stakeholders may welcome this as the BMBF is known to be a more industry-friendly part of the German Government than the BMG.

2.  The National Pharma Strategy as a possible role model

The example of the National Pharma Strategy and its rapid implementation already indicates what the next steps in the National GCT Strategy may be. Shortly after the National Pharma Strategy was agreed upon, the first draft of the “Medical Research Act” was presented on 26 January 2024 to implement key elements of the Pharma Strategy, including amendments in the areas of clinical trials, ATMPs and pharmaceutical pricing and reimbursement (AMNOG). We reported on this in two earlier blogs that discussed the proposed changes for clinical trials and drug pricing. The draft Medical Research Act is expected to come into force in the fall of 2024. Hence, the current German Government is keen to act fast to strengthen Germany as a place for pharmaceutical innovation and R&D.Continue Reading Germany prepares new National Strategy for Gene and Cell Therapies

On April 26, 2024, the Office for Civil Rights (“OCR”) at the U.S. Department of Health & Human Services (“HHS”) published a final rule that modifies the Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”) under the Health Insurance Portability and Accountability Act (“HIPAA”) regarding protected health information (“PHI”) concerning reproductive health. We previously covered the proposed rule (hereinafter, “the NPRM”), which was published on April 17, 2023. The final rule aligns closely with the NPRM.

OCR noted that the Supreme Court’s ruling in Dobbs v. Jackson Women’s Health Organization (holding that there is no constitutional right to abortion) created a legal landscape that “increase[s] the potential that use and disclosure of PHI about an individual’s reproductive health will undermine access to and the quality of health care generally.” According to OCR, the final rule aims to “continue to protect privacy in a manner that promotes trust between individuals and health care providers and advances access to, and improves the quality of, health care” by “limit[ing] the circumstances in which provisions of the Privacy Rule permit the use or disclosure of an individual’s PHI about reproductive health care for certain non-health care purposes.”

The final rule prohibits a regulated entity from using or disclosing an individual’s PHI:

  • to conduct a criminal, civil, or administrative investigation into or impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which it is provided; and
  • to identify an individual, health care provider, or other person to initiate an investigation or proceeding against that person in connection with seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which it is provided.

“Lawful under the circumstances in which it is provided” means that the reproductive health care is either:

  • lawful under the circumstances in which the health care is provided and in the state in which it is provided; or
  • protected, required, or authorized by Federal law, including the United States Constitution, regardless of the state in which such health care is provided.

Continue Reading HHS Modifies Privacy Rule to Support Reproductive Health Care Privacy

On Friday, April 26, 2024, the Federal Trade Commission (“FTC”) voted 3-2 to issue a final rule (the “final rule”) that expands the scope of the Health Breach Notification Rule (“HBNR”) to apply to health apps and similar technologies and broadens what constitutes a breach of security, among other updates.  We previously covered the proposed rule, which was issued on May 18, 2023.

In the FTC’s announcement of the final rule, the FTC emphasized that “protecting consumers’ sensitive health data is a high priority for the FTC” and that the “updated HBNR will ensure [the HBNR] keeps pace with changes in the health marketplace.”  Key provisions of the final rule include:

  • Revised definitions:  The final rule includes changes to current definitions in the HBNR that codify the FTC’s recent position on the expansiveness of the HBNR.  Specifically, among other definition changes, the HBNR contains key updates to the definitions of:
    • “Personal health records (‘PHR’) identifiable information.”  In the final rule, the FTC adopts changes to the definition of PHR identifiable information that were included in the proposed rule to clarify that the HBNR applies to health apps and other similar technologies not covered by the Health Insurance Portability and Accountability Act, as amended, and its implementing regulations (collectively, “HIPAA”).  In the final rule, the FTC discusses the scope of the definition, noting that “unique, persistent identifiers (such as unique device and mobile advertising identifiers), when combined with health information constitute ‘PHR identifiable health information’ if these identifiers can be used to identify or re-identify an individual.”
    • “Covered health care provider.”  In the proposed rule, the FTC proposed adding a definition of “health care provider” to include providers of medical or other health services, or any other entity furnishing “health care services or supplies” (i.e., websites, apps, and Internet-connected devices that provide mechanisms to track health conditions, medications, fitness, sleep, etc.).  The final rule does not make substantive changes to this proposed definition but does contain a slight terminology change to “covered health care provider” to distinguish that term from the definition of “health care provider” in other regulations. 

Continue Reading FTC Issues Final Rule to Expand Scope of the Health Breach Notification Rule

In early March 2024, the EU lawmakers reached agreement on the European Health Data Space (EHDS).  For now, we only have a work-in-progress draft version of the text, but a number of interesting points can already be highlighted.  This article focusses on the obligations of data holders; for an overview of the EHDS generally, see our first post in this series.

We expect the final text of the EHDS to be adopted by the European Parliament in April 2024 and by the EU Member States shortly thereafter.

1: Health data holder

The term “health data holder” includes, among others, any natural or legal person developing products or services intended for health, developing or manufacturing wellness applications, or performing research in relation to healthcare, who:

  • in relation to personal electronic health data: in its capacity of a data controller has the right or obligation to process the health data, including for research and innovation purposes; or
  • in relation to non-personal electronic health data: has the ability to make the data available through control of the technical design of a product and related services.  These terms appear to be taken from the Data Act, but they are not defined under the EHDS.

In practice, this means that, for example, hospitals, as data controllers, are data holders of their electronic health records.  Similarly, pharmaceutical companies are data holders of clinical trial data and biobanks.  Medical device companies may be data holders of non-personal data generated by their devices, if they have access to that data and an ability to produce it.  However, medical device companies would not qualify as a data holder where they merely process personal electronic health data on behalf of a hospital.

Individual researchers and micro enterprises are not data holders, unless EU Member States decide differently for their territory.

2: Data sets covered by EHDS

The EHDS sets out a long list of covered electronic health data that should be made available for secondary use under the EHDS.  It includes, among others:

  • electronic health records;
  • human genetic data;
  • biobanks;
  • data from wellness applications;
  • clinical trial data – though according to the recitals, this only applies when the trial has ended;
  • medical device data;
  • data from registries; and
  • data from research cohorts and surveys, after the first publication of the results – a qualifier that does not seem to apply for clinical trial data.

Continue Reading EHDS Series – 2: The European Health Data Space from the Health Data Holder’s Perspective

On Monday, March 25, Florida Governor Ron DeSantis signed SB 3 into law. At a high level, the bill requires social media platforms to terminate the accounts of individuals under the age of 14, while seeking parental consent for accounts of those 14 or 15 years of age. The law

Continue Reading Florida Enacts Social Media Bill Restricting Access for Teens Under the Age of Sixteen