As one of the fastest growing segments of the healthcare sector, it comes as no surprise that Health Tech regulation in the UK is undergoing significant change. Key factors fuelling this overhaul include:

• the need to reform the UK regulatory regime following Brexit

• the realisation during the Covid-19 pandemic that industry and government can and should work together more effectively to bring products to market faster, and
• the subsequent publication and government led push to implement the Life Sciences Vision.

It is notable that much of the law and regulation that applies to Health Tech (with some exceptions noted below), whether for new tech-driven medical devices, medicines solutions or other healthcare services, has not always developed with tech in mind and applies to traditional services just as it does to newer, tech-based solutions. So, while we talk of Health Tech regulation, it is often the case that there is no Health Tech regulation as such, but rather, new and existing law that relates to medical devices, medicines and other healthcare solutions that will apply irrespective of how those things are provided.

This briefing should be of particular interest to Health Tech developers and investors that may be newer to the sector and are familiarising themselves with the legal frameworks that apply.

The transition away from EU law and HMG consultations

The timing of the UK’s exit from the EU has meant that major regulatory reform implemented in the EU (and which the UK played a key role in shaping), does not apply in the UK.

This includes key areas of Health Tech regulation such as:

• clinical trials (where the new Clinical Trials Regulation has applied in the EU from January 2022, but the UK regime is still based on the old 2001 EU Directive), and
• medical devices regulation, (where the new Medical Devices Regulations has applied in the EU since May 2021, while the UK regime is still largely based on the Medical Devices Regulation 2002)

As a result of this, a number of consultations have been held by UK regulators in these areas, with sweeping reforms proposed in government responses published in 2023.

Following the global pandemic, a prevailing view within the Life Sciences sector is that the UK has a unique opportunity to build on the success of the vaccine programme and create a centre of excellence for companies looking to bring medicines and medical devices to market. The government has supported that belief by publishing its Life Sciences Vision in July 2021 and following this up with a series of:

• funding announcements aimed at supporting innovation in Health Tech (for example, the recent £30m NHS med tech fund and Spring budget commitments), and
• publications setting out practical recommendations for creating a regulatory environment which fosters innovation (for example, the recommendations made by the UK Chief Scientific Advisor in the report on Pro-Innovation Regulation of Technologies in Life Sciences which were universally accepted by the Government, and the Life Sciences Council’s joint statement on medical devices regulatory reform).

If there is to be a Labour government following the next general election, Labour have confirmed that they will align their life sciences strategy to the Life Sciences Vision.

Medical Device Regulation

The government body responsible for regulating medical devices, the Medicines & Healthcare products Regulation Agency (MHRA), has laid out a suite of legislative and regulatory changes which are hoped will maintain the UK’s position as a lead market competitor in the medical devices industry.

Earlier this year, the MHRA updated its guidance on the implementation of the future medical devices regulations to confirm the intention for the “core aspects” of the UK regulations to apply from July 2025. The MHRA is targeting a proportionate, phased implementation to allow for a smooth transition and reduce disruption.

While much of the new medical device regulatory framework is yet to be given a definitive form, the government response to the MHRA’s 2021 consultation established five key pillars which are intended to support the reforms:

• Strengthen the MHRA’s power to act to keep patients safe
• Make the UK a focus of innovation
• Address health inequalities and mitigate biases throughout medical device product lifecycles
• Establish proportionate regulation which supports businesses through access routes that build on synergies with EU and global standards, and
• Set world leading standards through the new UKCA mark

The aim remains to better align with international best practice where this is of benefit to UK patients and diverging only where advantageous to do so. The proposals bring the UK regime in line with the requirements of the EU Medical Devices Regulation (MDR) and In Vitro Diagnostics Regulation (IVDR), and refer to international definitions and guidance from the International Medical Device Regulators Forum (IMDRF).

CE marking

The UK government has introduced legislation to allow valid EU CE marked medical devices to continue to be placed on the market in Great Britain. The Medical Devices (Amendment) (Great Britain) Regulations 2023, which came into force on 30 June 2023, set out new transitional periods in which valid CE marked medical devices will continue to be accepted for sale in Great Britain according to the type of device, as follows:

• 30 June 2028: end of transition period for general medical devices compliant with the old EU medical devices directive or EU active implantable medical devices directive.
• 30 June 2030: end of transition period for in vitro diagnostic (IVDs) medical devices complaint with the EU IVD medical devices directive.
• 30 June 2030: end of transition period for general medical devices compliant with the EU medical devices regulation.

Companies should note that the above transitional periods allow manufacturers of medical devices to continue to rely on expired EU Medical Device Directive certificates to place medical devices on the Great Britain market where they have been deemed valid under the transitional arrangements relating to the EU Medical Devices Regulations 2002.

Innovative Devices Access Pathway

The Innovative Devices Access Pathway (“IDAP”) is a pilot for a regulated support service designed to improve patient access to cutting-edge technology, facilitate the development of innovative technologies and support the government’s strategy of embracing innovation.

The IDAP will be collaboratively operated by the MHRA, the National Institute for Health and Care Excellence (NICE), Health Technology Wales, and the Scottish Health Technology Group. It is hoped that it will “bring innovative technologies and solutions to the forefront of the NHS”.

The IDAP is open to UK and international developers with new health technology solutions. The primary aim of the IDAP is to “take uncertainty out of the route to access”, bringing innovative technologies to patients that can transform health outcomes.

The IDAP will help innovators generate evidence that meets the needs for the UKCA marking process and consider the needs of the health technology assessment process early in the development pathway. IDAP will also offer post-market access support.

The IDAP was launched in September 2023 and developers can register interest here.

Post-market surveillance

The recently published draft Medical Devices (Post-market Surveillance Requirements) (Amendment) (Great Britain) Regulations 2023 will establish a new regime for post-market surveillance of medical devices in the UK, and are expected to come into force mid-2024. The draft regulations outline what a post-market surveillance plan should cover (including data collection and processing obligations, and complaint investigation), as well as requiring that a proportionate post-market surveillance system is implemented for each medical device placed on the Great Britain market.

The draft 2023 regulations broadly follow the approaches taken by the comparable EU legislation, the Medical Device Regulations and the In Vitro Diagnostic Medical Device Regulations. At a high level, both require implementation of a post-market surveillance plan per device placed on the market “for the purposes of identifying any need to apply corrective or preventive actions“. However, there are some differences. For example, under the EU regime, medical device manufacturers are not required to report serious incidents where that serious incident is an expected side-effect that has been appropriately documented, but this exception has not been replicated in the draft UK legislation.

Software and AI as Medical Devices

For an overview of software and AI regulation in the UK, please refer to the first article in our Health Tech Series here.

The article outlines various key features of the UK’s approach to regulating software and AI as medical devices, such as the White Paper on the UK AI framework and its interaction with the healthcare sector, and draws comparisons with the approach taken in the EU. Additionally, it provides some practical steps for both developers and users of Health Tech AI systems to take as regulation in this area develops.

Clinical trials

At the beginning of July, the MHRA published its 2023 – 2026 Corporate Plan, which highlights the importance of introducing new legislation and guidance on clinical trials in the UK to help provide the “stable and predictable regulatory environment that companies require”. The intention is that by March 2026, the MHRA will implement a revised regulatory framework for clinical trials.

UK regulatory backdrop

Despite the EU’s Clinical Trials Regulation (536/2014) entering into force in the EU in January 2022 (following significant input from the MHRA), due to the timing of Brexit, the previous 2001 EU Directive (2001/20/EC) remains the current primary source for clinical trials regulation in the UK.

In March 2023, the MHRA published its response on proposals for changes to the law governing clinical trials, namely the Medicines for Human Use (Clinical Trials) Regulations 2004. Responses demonstrated strong support to update and improve the legislation governing clinical trials, with most respondents agreeing that patient safety should remain the focus of the legislation, but with a more flexible and risk proportionate approach to decision-making.

In line with responses to other recent consultations, the MHRA is looking to align with international standards rather than be limited by alignment with the EU. It is hoped that the implementation of the proposals will make it easier and more efficient to run trials in the UK, enabling greater patient access to new, safe and life-changing treatments, while making the UK an attractive place for trials. We have previously outlined a number of the reform proposals here.

New notification scheme for lowest-risk clinical trials

The first reform was introduced in October 2023, with the MHRA announcing a new streamlined notification scheme for the lowest-risk clinical trials, which aims to halve the time to receive an approval decision.

Under the scheme, initial applications for the lowest-risk Phase 3 and 4 trials will be processed by the MHRA within 14 days instead of the statutory 30 days, provided the sponsor can demonstrate the trial meets the MHRA’s criteria, including by confirming there are no known safety issues with the medicine being investigated.

MHRA anticipates that 20% of initial clinical trial applications in the UK will be eligible for the fast-track process.

The Lord O’Shaughnessy Review

After the March 2023 consultation response, an independent report was published in May 2023 following the Lord O’Shaughnessy review into commercial clinical trials. The government’s response to the review was published alongside the independent report.

The report outlined 27 recommendations on “how commercial clinical trials can help the life sciences sector unlock UK health, growth and investment opportunities”.  The government’s response agreed with each recommendation, noting that clinical research is a “key driver” of growth in the UK life sciences sector, and that improving clinical trials regulation will allow the UK population “to access ground-breaking treatments that can dramatically improve standards of care”.

On 30 June 2023, the NHS Health Research Authority (“NHS HRA”) published its comments on the Lord O’Shaughnessy review, welcoming the government’s response. The NHS HRA noted that it is collaborating with a number of organisations across UK clinical research to deliver recognised outcomes, such as achieving a 60-day turnaround time for regulatory approvals.

The NHS HRA also confirmed that it is “supporting implementation of enhanced National Contract Value Review”. The NCVR was established in the Future of Clinical Research Delivery: 2021 to 2022 implementation plan in order to streamline establishing contracts that set up commercial trials. The fourth recommendation of the Lord O’Shaughnessy review was that a “comprehensive and mandatory national approach to costing and contracting should be developed and instigated, in partnership with industry”, via a radical expansion of the NCVR, which the UK government has agreed with.

Timescales on this revised NCVR are ambitious, with the government “reinforc[ing] its commitment to a mandatory national approach to costing and contracting, led by NHSE England, with an enhanced service to be delivered from October 2023”.

International harmonisation

An integral part of the proposed regulatory reforms is ensuring the UK remains an attractive place to do business in a global life sciences market. In June 2023, the MHRA announced new recognition routes for medicines approved by regulators in Australia, Canada, the EU, Japan, Switzerland, Singapore, and the US. This will replace the EC Decision Reliance Procedure which temporarily allows the MHRA to rely on a decision taken by the European Medicines Agency when granting marketing authorisations (“MAs”) for Great Britain.

The MHRA has said that new recognition routes are “focused on providing UK patients faster access to the absolute best, most cutting-edge, and safest medical treatments”. Pursuant to this announcement, MAs may be granted via two routes:

1. the MHRA’s own assessment and approval procedure; or
2. international recognition routes which allow the MHRA to rely on approvals from trusted regulatory partners around the globe.

The MHRA has recently published guidance which confirms that the new international recognition procedures will be available to MA holders from 1 January 2024. The guidance specifies the various recognised regulatory authorities in different countries from whom applicants must have authorisation. It also outlines two recognition timetables: (i) 60 days for simpler applications where a recognised regulator’s approval was granted within the previous two years; and (ii) 110 days for more complex applications where a recognised regulator’s approval was granted within the previous ten years. We have outlined this guidance in greater detail here.

The extent to which the UK pursues international conformity in the context of Health Tech regulation generally and medical devices in particular remains to be fully determined. However, what is clear is that the government’s approach to regulatory review in this area is purposive – to drive investment, foster innovation, and improve patient outcomes.

If you would like to discuss any issues relating to the regulatory framework surrounding Health Tech in the UK, or its reform, please contact a member of our Health Tech team.

By Rory Trust, Katie Carter and Liam Edwards, lawyers specialising in the health tech sector at independent UK law firm Burges Salmon

The post Health Tech Series: Key Regulatory Changes for Health Tech Developers appeared first on .

The healthcare industry is increasingly concerned about the improper use of third-party tracking technologies. These technologies, including cookies and pixels, enable detailed tracking of online user behaviour, presenting a significant risk if not correctly managed. They can expose sensitive patient information, violating patient privacy rights and jeopardizing trust in healthcare providers in the process.

This rising concern has drawn the attention of regulatory bodies. The Office of Civil Rights at the U.S. Department of Health and Human Services (HHS) has issued a comprehensive bulletin detailing the expectations for Health Insurance Portability and Accountability Act (HIPAA)-covered providers and associated businesses who utilize data tracking technologies.

The HHS bulletin underscores the need for healthcare providers to review and revamp their practices concerning these technologies. It outlines how to ensure these practices are HIPAA compliant, guiding healthcare organisations to maintain the delicate balance between leveraging technological advancements and preserving patient privacy.

In this article, we’ll explain why data analytics compliance is important, consider how to avoid noncompliance, and review vendors based on their HIPAA policies.

Navigating the Delicate Balance of Patient Data Privacy and HIPAA

As digital health evolves, so have data analytics platforms.

This ecosystem includes well-known software from Google Analytics and Adobe Analytics alongside a range of lesser-known contenders. Each solution offers a unique set of strengths and weaknesses.

Some platforms boast extensive analytics capabilities but fall short in compliance, while others offer robust privacy protections but may lack end-to-end data insights. Due to the diverse nature of healthcare providers, there’s no one-size-fits-all platform.

Providers must embark on a thoughtful selection process to find a platform that aligns with the unique needs of their organization. More than selecting a tool, providers are identifying a partner capable of adapting to the evolving needs of the healthcare industry.

Among other considerations, HIPAA compliance should be the critical and overarching factor. With the increase in regulatory scrutiny, non-compliance costs have become too grave to disregard. Beyond the financial penalties, it can inflict irreparable damage to an organization’s reputation and the trust of patients and partners.

A recent high-profile class-action lawsuit against Meta (formerly Facebook), alongside cases against Advocate Aurora Health, WakeMed Health and Hospitals, and Northwestern Memorial Hospital, underscores the risks. At the heart of these cases is the unauthorized use of third-party tracking technologies leading to the exposure of sensitive patient data.

Ultimately, civil penalties for violating HIPPA can reach up to $1.5 million per year for multiple violations of the same provision. Additionally, the reputational damage from a breach of Protected Health Information (PHI) can harm an organization’s credibility. The subsequent loss of trust might deter patients from seeking care, harm existing partnerships, and diminish future collaboration and funding opportunities.

With a proactive approach to HIPAA compliance and robust safeguards for patient data, healthcare organizations can navigate the digital health landscape effectively and responsibly.

But, you might wonder, how do you decide who would make a good partner?

The Path to Finding a Compliant Analytics Vendor

In the aftermath of the new patient-tracking regulations, healthcare providers need to select compliant analytics vendors has been thrown into sharp relief.

These vendors should demonstrate an unwavering commitment to protecting PHI—this is non-negotiable. They must have comprehensive privacy and security measures that reflect an understanding of the importance of safeguarding sensitive patient data.

One critical step in this selection process is scrutinizing the vendors’ business associate agreements (BAAs). A BAA is a contract between a HIPAA-covered entity and a business associate, defining each party’s responsibilities to ensure PHI’s security and confidentiality. Confirming that these agreements align with HIPAA rules and can stand up to rigorous inspection is essential.

But that’s just the start. Simply having a compliant BAA is not sufficient. Maintaining ongoing vigilance is necessary to ensure that these vendors continually uphold the agreed-upon privacy and security standards.

How do you do this? Regular audits and assessments. These audits can verify whether vendors consistently adhere to the established standards, revealing any potential areas of weakness or non-compliance.

Ultimately, healthcare providers should be ready to pivot if a vendor falls short of the requisite standards. The dynamics of the digital health industry mean that regulations and technology are continuously evolving. Providers have to remain alert to these changes and be ready to re-evaluate their vendor relationships as needed. That’s the only way to avoid costly mistakes.

Assessing Solutions: A Closer Look at Google and Adobe

The landscape of data analytics solutions is broad and varied, with some options standing out due to their popularity among organizations across industries. However, when it comes to healthcare, the consideration of HIPAA compliance takes precedence, and this lens brings certain realities into sharp focus.

A case in point is Google Analytics, a widely used analytics tool renowned for its comprehensive features and user-friendly interface. Yet, despite its popularity, it presents a significant drawback for healthcare providers—it is not compliant with HIPAA rules.

Google does not enter into a Business Associate Agreement (BAA), a mandatory requirement under HIPAA regulations when dealing with patient data. Thus, its use poses a non-compliance risk, making it generally not recommended for healthcare providers.

Thankfully, alternatives are emerging that offer a compromise. One such vendor is Freshpaint, a novel platform that facilitates the continued use of Google Analytics while ensuring HIPAA compliance. Freshpaint is a good option for providers who want the functionality of Google Analytics without the legal risks.

The other big player is Adobe Analytics. Adobe is not inherently HIPAA compliant but offers a path toward compliance through additional services. Healthcare Shield is a real-time customer data platform tailored for providers. While it may incur additional costs, a provider could add these services and enter into a BAA with Adobe to remain compliant.

Beyond the most common solutions, other platforms offer various levels of HIPAA compliance, each with unique features and advantages. Mixpanel, for example, offers robust reporting and data visualization capabilities, while Plausible presents itself as an open-source, self-hosted option. Additionally, Piwik Pro is another noteworthy HIPAA-compliant option with robust features and benefits.

Healthcare Tracking Compliance in 2023—Key Takeaways

Now that you have a solid grasp on the challenges posed by new digital tracking technology let’s talk about solutions. Here are five things providers can do to stay compliant while maintaining a robust analytics system:

1. Prioritize HIPAA Compliance: With hundreds of thousands of dollars and public perception on the line, no provider can afford to work with a vendor who isn’t compliant with HIPAA.
2. Scrutinize Vendor Commitments: Evaluate each vendor’s commitment to privacy regulations, and make sure they’re willing to enter a Business Associate Agreement (BAA).
3. Stay Up-to-Date on Regulations: Laws and regulations about HIPAA change frequently, so you should stay informed on the latest developments. Consider creating Google Alerts, for example.
4. Educate Your Staff: Foster a culture of privacy and trust within your organization by training everyone on the importance of HIPAA compliance and recent cases that illustrate the cost of non-compliance.
5. Seek Expert Advice: Consider consulting with digital health experts. They can help you implement changes to your tracking system and avoid common mistakes.

By default, healthcare should ensure that personal data is processed with the highest privacy protection. More importantly, understanding and adhering to data privacy principles isn’t a choice, it’s a necessity, and it’s eminently achievable.

Healthcare organizations that follow these steps will be in better shape than their peers in 2023 and beyond. Ultimately, by meeting the expectations of the HHS, providers can successfully balance the benefits of digital health analytics with the responsibilities of patient privacy.

About the author

Arun Kumar, Executive Vice President of Data & Insights with over a decade of experience delivering analytical customer experience solutions, Arun believes organizations need to combine technology at scale with the power of human insight and empathy to develop meaningful, relevant, and experience-based relationships with constituents. He has led teams for some of the top agencies in the world including Wunderman Thompson, and Publicis Sapient. Arun has helped build multi-channel touchpoints and direct-to-consumer strategies for brands like The American Red Cross, Bose, Carnival, Newell Brands, and TD Bank. 

The post Avoid Costly Compliance Risks in the Era of Digital Health appeared first on .

FDA Draft Guidance on Digital Health Technologies

The guidance is titled “Digital Health Technologies for Remote Data Acquisition in Clinical Investigations.”

According to the Federal Register notice on the guidance’s publication, it is intended to outline the potential of digital health technologies (DHTs) for data collection in medical trials and establish the agency’s current thinking on DHTs.

“Advances in sensor technology, general-purpose computing platforms, and methods for data transmission and storage have revolutionized the ability to remotely obtain and analyze clinically relevant information from individuals.”

These digital health technologies play a growing role in clinical research and trials. One important benefit of these DHTs is that they can provide researchers with continuous information on a study participant’s health, regardless of their location or distance from the researchers conducting the study.

These tools could help make clinical trials more accessible to individuals who have been previously excluded from research due to barriers like geographic distance or transportation struggles.

The right DHT can also help ensure compliance from participants who would otherwise need to track health information throughout their day — and whether they are at work, school, home or outdoors. This information can help provide a fuller picture of participants’ lives and reactions to study interventions.

The same DHTs could also “facilitate the direct collection of information from participants who are unable to report their experiences (e.g., infants, cognitively impaired individuals).”

Draft Guidance Offers Best Practices for Remote Data Acquisition Users

In addition to describing the current potential and benefits of DHTs in medical research, the guidance also contains considerations and recommendations for study sponsors that plan to use DHTs.

Recommendations include suggested best practices for selecting DHTs for a medical study, the description of DHTs in regulatory submissions, verification and validation of study DHTs and the definition and evaluation of clinical endpoints from DHT-collected data.

The guidance also covers the cybersecurity and privacy implications of data-collecting DHTs. Remote data acquisition using these technologies can generate large amounts of sensitive data on patient health. Without the right protections, this data could put the privacy of those patients at risk. Poor data management could also result in the loss of essential study information.

In the guidance, the FDA recommends additional best practices for protecting patient data, securely storing sensitive information and general DHT risk management.

The draft guidance, once finalized, will not “establish any rights for any person” and will not be “binding on FDA or the public,” according to the FDA’s Federal Register notice.

The FDA is seeking comment on the draft guidance from industry, investigators, and other stakeholders by March 23, 2022.

What the FDA’s Guidance May Mean for Researchers and Healthcare Providers

Over the past few years — and during the COVID-19 pandemic, especially — smart medical devices and healthcare software of all kinds have become much more common in medical environments.

The growing popularity of wearables and connected health technology as sources of remote data acquisition, both in clinical trials and in clinical practice, likely pushed the FDA to issue this draft guidance.

The guidance is also part of a broader effort by the FDA to update and clarify the agency’s positions towards the use of both medical hardware and software. Much of the existing FDA guidance on medical hardware and software is outdated, and likely doesn’t reflect many of the recent developments made by medical hardware and software developments.

Other important developments include the “guiding principles” on AI/ML device development that the FDA published in October last year. These principles provide recommendations, information and best practices similar to those outlined in the new draft guidance for DHTs.

The most important move from the FDA has likely been the publication of new draft guidance on medical software. This guidance, once finalized, will replace the current FDA guidance on software in a medical device (SiMD) and software as a medical device (SaMD), which is currently more than 16 years old.

FDA Offers New Clarity on DHTs With Draft Guidance

The new draft guidance on Digital Health Technologies for Remote Data Acquisition will provide some support to study sponsors who opt to use these technologies in their research.

The guidance will also explain the benefits of these technologies and offer an update on the FDA’s current attitude towards data-collecting health devices.

By Shannon Flynn, ReHack

The post How Remote Data Acquisition in Healthcare is Changing in 2022 appeared first on .