Digital Health Laws and Regulations Report 2023
The Global Landscape of Digital Health
1. Introduction
The landscape of digital health has changed dramatically in recent years, accelerated by the COVID-19 pandemic, which necessitated an increased reliance on technological tools to manage complex and multifaceted healthcare systems. Digital transformations and other related analytical tools are increasingly being applied to render basic and translational research more efficient by simplifying data collection, analysis, storage, and data mining throughout the product lifespan.
Digital health is the field of knowledge and practice associated with the development and use of enabling digital technologies to improve health. The field encompasses the concept of eHealth for managing healthcare delivery and health surveillance, as well as other digital health technologies, such as the internet of things, artificial intelligence (‘AI’), big data, and robotics. These technologies will become more important in the way people manage their own health and in the way they receive care. A more detailed discussion of the variable roles of technology in healthcare, as well as a general overview of the regulatory landscape, can be found in the book chapter titled Global Landscape of Digital Health: Impact on Healthcare Delivery and Corresponding Regulatory and Legal Considerations (2021).1
The digital health market was valued at over US$200 billion in 2022, and it is projected to expand at a compound annual growth rate of 18% from 2023 to 2030. Strains on healthcare delivery are becoming more pertinent as we enter a global recession, fuelled by inflationary pressures and geopolitical uncertainty. Moreover, all countries face major challenges to prepare their health and social systems for demographic shifts stemming from rising life expectancy. An aging population is correlated with certain complex health states, which can be medically challenging. Digital tools can help assess the impact of higher chronic disease prevalence, design systems that will improve the quality of patient care, and evaluate the effectiveness of specific medical interventions.
This chapter describes the evolving regulatory landscape in three major developing areas – real-world evidence (‘RWE’), health data, and AI/machine learning (‘ML’) – across the key jurisdictions of the United States, Europe, and China.
2. RWE
RWE is playing an increasingly important role throughout the medical product life cycle. RWE can complement the evidence generated from prospectively designed, randomised controlled studies (‘RCTs’) to inform an evaluation of the safety and clinical effectiveness or clinical performance of a new drug or new medical technology. RWE can help determine the therapeutic value of a medical intervention for the purpose of supporting coverage and reimbursement determinations. RWE can also support post-market surveillance activities, optimising the safe and effective conditions of use of an approved product or technology.
Regulatory authorities, including payers and health technology authorities, recognise RWE as a complementary data source to support the development, approval, and surveillance of new innovative products. Its place in safety monitoring and disease epidemiology is well established. The wider application of RWE is gaining some traction, notably for demonstrating safety and effectiveness of prophylactic vaccines, such as those approved for use in primary immunisation programmes. However, the quality and reliability of the data sources are critical elements in determining whether the data can safely inform regulatory decision-making.
In contrast with RCTs, which are conducted on highly selective populations, RWE is collected from diversified data sources that are outside the scope of RCTs and cannot be obtained through a clinical-trial setting. RWE comprises real-world data (‘RWD’), which may be compiled from electronic health records (‘eHRs’), medical-claims databases, patient registries, patient-reported outcomes, prescription-claims data, wearable-device data, and companion apps, among other sources. Digital health tools are critical to the generation and collection of RWD. However, the quality of RWD varies considerably, and whether and how it may be useful for various purposes, such as use in a regulatory submission, will depend on numerous factors, including transparency around data sources, the manner in which data are analysed, and the data’s fitness for purpose. For example, RWD may be used in eHealth applications to help discover digital health biomarkers to evaluate the effects of an intervention on certain physiological functions, e.g., heart rate; digital interventions using connected devices may be developed using RWD; and digital health technologies can help conduct clinical trials by collecting data, recruiting participants, managing data, and reducing costs. Fundamentally, RWD and RWE should not be viewed as a replacement for data generated from traditional clinical trials, though greater availability of RWD, increasing comfort by regulators, and legislative and policy changes in key jurisdictions will undoubtedly contribute to more widespread acceptance of RWD and RWE in the near future.
United States
The Food and Drug Administration (‘FDA’) approves new drugs and medical devices according to varying evidentiary standards. For drugs, a sponsor must show substantial evidence of effectiveness, defined as ‘evidence consisting of adequate and well-controlled investigations, including clinical investigations, evaluating the effectiveness of the drug’.2 While drug applications must be supported with adequate and well-controlled studies, the evidentiary standard for approval or clearance of medical devices is significantly more flexible. Devices to be approved via a premarket application must demonstrate valid scientific evidence, defined as ‘evidence from well-controlled investigations, partially controlled studies, studies and objective trials without matched controls, well-documented case histories conducted by qualified experts, and reports of significant human experience with a marketed device, from which it can fairly and responsibly be concluded by qualified experts that there is reasonable assurance of the safety and effectiveness’,3 while those to be cleared via the 510(k) process must show substantial equivalence to a predicate device, which may require clinical data.
FDA has made clear that RWE may constitute an adequate and well-controlled study, and therefore form the basis for approval of a new drug or biologic product or indication, in certain circumstances. Reliance on RWE is most common in the rare disease context, although it is still fairly limited for drugs and biologics on the whole. RWE has been used to support FDA decision-making for drugs and biologics in a variety of ways, including safety signal evaluation, incorporation of RWD within the context of an RCT, use of synthetic control arms, and use of observational study data as evidence of efficacy for a new indication. The RWE used to support FDA’s decision-making has come from a variety of RWD sources, including eHRs, registries, and medical-claims databases. Reliance on RWE to support product approval or clearance is significantly more prevalent for medical devices than for drugs and biologics. This disparity can, in large part, be attributed to the more flexible evidentiary standards applicable to medical device approval or clearance, although the increasing prominence of ‘connected devices’ from which RWD can be obtained is also an important factor. Such approved and cleared devices have been diverse in their usage of RWE, including RWE as the primary source of clinical evidence; prospective randomised trials nested within RWD sources; control arms and objective performance goals for evaluating the next generation of devices; and diverse RWD sources that may be combined to generate RWE.
In recent years, FDA has issued extensive guidance regarding the use of RWE to support regulatory submissions, driven by legislative requirements as well as increasing availability and use of RWD. The FDA guidance issued so far describes important high-level principles that sponsors should keep in mind when planning to utilise RWE in a regulatory submission, but does not provide much detail on what specific study designs, data sources or analytical methods may or may not be considered sufficient by the agency to meet evidentiary requirements. FDA has repeatedly underscored that sponsors should engage early and often with the agency during the product development process, because whether RWE will be sufficient to meet evidentiary standards largely remains a case-by-case assessment.
The guidance that has been released so far explains that, broadly speaking, FDA evaluates the use of RWE in marketing applications by considering: (i) whether RWD are fit for use; (ii) whether the trial or study design used to generate RWE can provide adequate scientific evidence or help answer the regulatory question; and (iii) whether the study conduct meets FDA regulatory requirements (e.g., for study monitoring and data collection). For both drugs and devices, RWD must be both relevant and reliable to support regulatory decision-making. Relevance pertains to whether the data capture relevant information about exposure, outcomes, and covariates, while reliability includes data accrual and data quality control. For study sponsors, this emphasis on relevance and reliability means that they must: thoroughly document and justify data source selection; finalise the study protocol and statistical analysis plan prior to reviewing outcome data and performing analyses; include an audit trail in datasets to monitor access to the data; consider approaches to ensure that necessary data can be obtained from the data source(s) selected, such as using data linkages, distributed data networks, and AI tools for handling unstructured data fields; and ensure patient-level data access can be provided to FDA as needed and that source data can be available for inspection. While use of RWD and RWE may provide more flexible approaches to product development, the bottom line is that sponsors should not expect RWD and RWE to provide a shortcut to product approval or clearance. 
Sponsors should work to: stay abreast of FDA guidance and approval precedent developments; design studies with the necessary rigour to meet applicable FDA evidentiary standards; select data sources with an eye to ensuring relevance and reliability; conduct diligence to ensure RWD sources have appropriate rights to data and have structured/curated data in accordance with study needs; and ensure that appropriate data arrangements and privacy controls are in place.
More guidance on RWD and RWE is expected throughout 2023, as well as a public workshop to discuss RWE case studies. The FDA is also commencing a programme, known as the Advancing RWE Pilot Program, that seeks to improve the quality and acceptability of RWE-based approaches to support a change in labelling for effectiveness or to meet post-approval study requirements; among other things, the pilot will provide dedicated, product-specific RWE guidance to sponsors who qualify for the programme and will facilitate public information-sharing regarding successful RWE approaches. Continued policy development is also expected for medical devices.
In addition to the regulatory standards and evaluations applicable to RWD and RWE, there are also a plethora of privacy issues that arise in this context (in any jurisdiction, not just the United States). Though we will not cover those in detail here, any sponsor looking to leverage RWD or RWE in a regulatory submission should be cognisant of the applicable laws and liabilities and ensure that appropriate steps are taken to preserve privacy for those whose data are being used.
While FDA has kept up a swift pace of issuing new guidance concerning RWD/RWE, key questions remain. For example, the specific situations in which FDA will be willing to rely on RWE in regulatory decision-making are not yet clear, and FDA has not clarified what study designs, analytical methods, and data sources will be acceptable in regulatory submissions.
Europe
In the United Kingdom (‘UK’), the Medicines and Healthcare products Regulatory Agency (‘MHRA’) published its guidance in December 2021 on the use of RWD in clinical studies to support regulatory decisions. In January 2022, the National Institute for Health and Care Excellence (‘NICE’) published a Health Technology Evaluation Manual formalising the acceptability of RWE as a source of evidence to inform cost-effectiveness assessment. In NICE’s view, RWE can improve the understanding of health and social care delivery, patient health and experiences, and the effects of interventions on patient and system outcomes in routine clinical settings. NICE’s Strategy 2021 to 2026, which sets out the entity’s five-year vision, includes a plan to use RWE to resolve gaps in knowledge and improve patient access to new innovations. NICE published an RWE framework in June 2022 to build on this goal. The framework aims to identify when RWE can be used to reduce uncertainties and improve the health technology assessment, and to describe the best practices for planning, conducting, and reporting RWE to improve its quality. The framework’s core principles are to: (i) ensure data is of good provenance, relevant, and of sufficient quality to answer the research question; (ii) generate evidence transparently and with integrity throughout the process; and (iii) use analytical methods that minimise the risk of bias and characterise uncertainty. These principles underpin guidelines on study conduct, assessing data suitability, and methods for real-world studies.
In July 2022, the EMA endorsed the joint statement of the International Coalition of Medicines Regulatory Authorities (‘ICMRA’) pledging to foster global efforts to further enable the integration of RWE into regulatory decision-making. The global collaboration efforts focus on four specific pillars, namely: (i) harmonisation of terminologies for RWD and RWE; (ii) regulatory convergence on RWD and RWE guidance and best practice; (iii) readiness to address public health challenges and emerging health threats; and (iv) transparency.
The EMA has recognised that patient registries could be rich data sources to collect uniform data over time on a population defined by a particular disease, condition, or exposure. Such registries can play an important role in monitoring the safety of medicines. Since the launch of the initiative for patient registries in 2015, the EMA together with the relevant external stakeholders has explored ways of expanding the use of patient registries by introducing and supporting a systematic and standardised approach to an evaluation of benefit-risk of medicines.
In November 2022, the EMA began the first RWE studies under its Data Analysis and Real-World Interrogation Network ‘DARWIN EU’ initiative. DARWIN EU will be key to European regulators’ vision of enabling the use of RWE and establishing its value for regulatory decision-making on the development, authorisation, and supervision of medicines in Europe by 2025. This EU-wide network will allow the access and analysis of healthcare data from across the EU. The data available to DARWIN EU’s first set of data partners – which include both public and private institutions – will be used for studies to generate RWE that will support scientific evaluations and regulatory decision-making. The first three studies will focus on: rare blood cancers; drug use of valproate; and antimicrobial resistance. DARWIN EU aims to have 150 such RWE studies per year by 2025.
China
In China, the National Medical Products Administration (‘NMPA’) has promulgated several guidelines on the use of RWD and RWE in recent years, including: Guidelines on Using Real World Evidence to Support Drug Development and Review (2020); Technical Guidelines on Using Real World Studies to Support Paediatric Drug Development and Review (2020); Technical Guidelines on the Application of Real World Data in Clinical Evaluation of Medical Devices (2020); Guidelines on Real World Data to Generate RWE (2021); and Guidelines on Communications for Real World Evidence Supporting Drug Registration Application (2023). These guidelines emphasise the quality of RWD and suggest that RWE derived from RWD could support clinical evaluation throughout the life cycle of both drugs and medical devices, including premarket and post-market clinical assessments. Echoing similar guidance from the FDA and EMA, the NMPA guidelines suggest that RWE may increasingly serve as supplementary evidence in medical device clinical evaluation, but it cannot replace the current clinical evaluation pathway. Additionally, a few challenges remain, including limited data accessibility and data sharing, as well as data accuracy, completeness, and consistency.
A unique opportunity for medical devices to gain faster market access in China is the Hainan Bo’ao Pilot Programme, which provides a pathway for importing new drugs and devices without Chinese approvals. In 2013, the People’s Republic of China (‘PRC’) State Council decided to set up the Lecheng International Medical Tourism Pilot Zone (‘BMTPZ’) as a pilot zone for the promotion of international medical tourism. In 2018, the Chinese Central Government announced the entire Hainan Province (where BMTPZ is located) as the 12th free trade zone in China. The government also called for full implementation of the favourable policies granted to BMTPZ in 2013. These policies include: allowing importation of a small amount of drugs to meet urgent clinical needs for use in designated hospitals; allowing cutting-edge medical research projects, such as stem cell studies; and reducing tariffs on medical devices and drugs. Drugs imported under these policies can benefit from an accelerated special-approval process, and clinical data generated from this pilot programme can be used to support new drug applications in China. All drugs are entitled to zero-tariff treatment.
Unapproved medical devices that address urgent clinical needs can also be imported to Hainan for use in designated hospitals in the BMTPZ. In 2018, the Hainan People’s Government issued the Interim Regulation on Administration of Importing Medical Devices for Urgent Clinical Use in BMTPZ. An updated version of this regulation was promulgated in 2020. This regulation provides detailed guidance on the application and approval process for medical devices that have been approved abroad but have not been approved in China and are not replaceable by medical devices already registered in China. RWD generated from the use of medical devices under this policy can be used to support imported medical device registration applications in China. Medical devices are not eligible for zero-tariff treatment unless they are for use by the owner only as manufacturing equipment, but their import duties may be reduced over time.
On 18 April 2022, China’s Center for Medical Device Evaluation (‘CMDE’) and the Hainan Medical Products Administration jointly issued the Communication Procedures for Pilot Medical Devices Real-World Data Application Projects in BMTPZ (for Trial Implementation). Overseas manufacturers can apply to conduct real-world studies to collect RWD as local clinical evidence to support their product registration in China. Because China does not have a formal pre-submission channel like the U.S. FDA, this guideline established a more formal communication process, as well as roles and responsibilities between CMDE and overseas manufacturers. Additionally, according to reports, a regional RWD database may be launched in Hainan to enable total product life cycle supervision.
RWD in Hainan is generated from multiple sources, including: electronic medical records when patients receive treatment in BMTPZ; information spontaneously reported by patients; diagnoses, treatment data, and follow-up visit data generated in the patients’ place of residency; and information related to the device and its adverse events that is reported to the drug administrative authorities in Hainan.
The BMTPZ faces certain practical challenges; in particular, RWD is auxiliary to clinical-trial data in supporting marketing approvals in China. Most successful approvals have involved both BMTPZ RWD and overseas clinical data. Despite its challenges, the BMTPZ represents an important opportunity for international drug and device manufacturers and medical research institutions to swiftly enter China’s growing medical market.
There is also much room for development in the area of international harmonisation across jurisdictions, though some collaborative momentum has been built in recent years due to the COVID-19 pandemic. For example, in summer 2022, ICMRA released a joint statement acknowledging the need for greater international alignment on RWE issues. The ICMRA members pledged to foster global efforts to further enable the integration of RWE into regulatory decision-making, highlighting the key areas of harmonisation of RWD and RWE terminologies, convergence on guidance and best practices, readiness, and transparency. Though efforts like these have significantly advanced the cause of international harmonisation, there is still a long way to go until true international harmonisation will be realised.
3. Health Data
Health data can be generated from various sources, ranging from hospital or clinic visits to mobile wearable devices and connected medical devices that can manage individual health and wellness. The sharing of such health data is key to the development of more personalised treatment and optimisation of treatment interventions. Health data contribute to the sustainability of health systems by improving decision-making regarding disease prediction and prevention and addressing public health threats. Hence, the use of health data in health care delivery has expanded rapidly in the past few years.
In the United States, wearable monitoring devices can track and transmit health data to a patient’s health care professional (‘HCP’) in real time; in the European Union (‘EU’), a centralised data store where EU citizens can access their health information and ePrescriptions, called MyHealth@EU, is live in 10 Member States. Further, pilots are in the pipeline, particularly in view of the recent European Commission’s proposal to regulate different types of electronic health data. In the UK, digital growth charts pioneered by the Royal College of Paediatrics and Child Health rely on open-source coding to instantaneously calculate child growth predictions; and in China, large databases contribute to aspects of the health care system ranging from commercial health insurance to critical care medicine.
The frameworks governing health data, at both national and international levels, continue to evolve. Major jurisdictions continue promulgating guidance on cross-border transfer mechanisms for personal data, reflecting the increasingly global nature of health care delivery and clinical research. Data privacy concerns and cybersecurity risks have intensified over the course of the COVID-19 pandemic, and an increasing number of medical devices are susceptible to such threats. In recent years, multiple jurisdictions have issued new guidance on minimising such risks.
United States
In the United States, while there is no federal general data privacy law, health data are governed by the Health Insurance Portability and Accountability Act of 1996 (‘HIPAA’). Further, at the state level, the United States has increasingly seen states passing their own privacy laws. California, Virginia, Colorado, Connecticut, and Utah have already passed comprehensive data privacy bills, and many more states are considering passing data privacy bills, including bills addressing health privacy and automated decision-making.4 The increasingly complicated patchwork of state laws has led to some rumblings that a new U.S. federal privacy law could be in the cards, but the legislative action seems to be at the state level for now.
At the international level, the European Commission may soon recognise the United States as having an adequate data protection framework. Such an adequacy decision would allow a broad range of health-related companies with a United States presence, including pharmaceutical, medical device, and digital health companies, to more easily transfer health data from the European Economic Area.5 This issue is particularly salient for entities involved in clinical research and telemedicine; for example, the lack of an adequacy decision has complicated the U.S. National Institutes of Health’s ability to obtain data from studies that contain European participants. In October 2022, President Biden issued an Executive Order implementing a new US-EU data transfer framework called the Transatlantic Data Privacy Framework. In December 2022, the European Commission issued its proposed adequacy decision for the United States based on President Biden’s Executive Order. The Transatlantic Data Privacy Framework would allow organisations to transfer personal data freely from the European Economic Area to the United States, without relying on transfer mechanisms such as the EU Standard Contractual Clauses.6 The European Commission’s draft adequacy decision will now undergo a review process by the European Data Protection Board, EU Member States, and the European Parliament, which can take six months or longer. Some experts predict the release of a finalised adequacy decision in summer 2023.
With respect to security more generally, in April 2022, the FDA released the draft guidance document ‘Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions’. This draft guidance, which applies to medical devices broadly and is not limited to the digital health context, provides details about how device manufacturers should integrate cybersecurity considerations into their quality systems, and about what cybersecurity information should be included in premarket submissions to demonstrate a reasonable assurance of safety and effectiveness.7 Additionally, in November 2022, the FDA updated the Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook, which ‘outlines a framework for health delivery organisations (‘HDOs’) and other stakeholders to plan for and respond to cybersecurity incidents around medical devices, ensure effectiveness of devices, and protect patient safety’.8
Europe
In response to increasing use of big data derived from various sources to support regulatory and market access decision-making, greater scrutiny will be placed on the quality of the data sources to determine whether the data can be relied upon to inform regulatory decision-making.
Additionally, in May 2022, the European Commission proposed a regulation which would create a health data ecosystem known as the European Health Data Space (‘EHDS’). If adopted, the EHDS would fully harmonise electronic patient records throughout the EU and facilitate the portability of patient records across Member State borders. This colossal database could be accessed for the purpose of providing health care as well as secondary purposes such as policymaking and research by industry. Each use would be underpinned by clear rules, common standards and practices, infrastructure, governance, security, safety, and privacy. The Commission has ambitiously communicated that its ‘target is for the Health Data Space to start functioning by 2025’. However, significant challenges will need to be overcome before the launch of the EHDS. Currently, the proposal is in draft form awaiting the Committee’s decision.
In the EU and UK, personal data are governed by the EU General Data Protection Regulation (‘EU GDPR’) and its UK counterpart, the Data Protection Act 2018 (‘UK GDPR’) (collectively, ‘GDPR’). GDPR is a sweeping data privacy law: EU GDPR represented the biggest ever change to data privacy laws, and it applies broadly – any organisation operating within the EU, as well as any organisation outside the EU which offers goods or services to customers or businesses in the EU, is subject to EU GDPR. UK GDPR has a similar extraterritorial reach.
While representing a sea change in the protection of personal data, GDPR also has shortcomings. For example, within the healthcare space, GDPR fails to answer whether the training data used to develop ML systems can be retained after the project is complete and reused for other purposes, or whether such data can be shared with third parties. Currently, parties determine the use of such data through contractual negotiations. However, due to the sensitive nature of health data, some critics suggest that regulations should carve out the health care industry and apply additionally stringent rules that do not allow for certain commercial arrangements.
GDPR has set out the global regulatory standard for data protection for several years, governing data processing and cross-border data transfer in particular, but the tide appears to be turning.9 In addition to major jurisdictions like China promulgating their own data protection laws (as discussed in more detail below), new laws within Europe are also either under negotiation or taking effect soon. Cybersecurity has been a particularly hot topic, notably in light of recent high-profile cyberattacks, such as a 2022 attack on an IT service provider that affected National Health Service (‘NHS’) resources. In January 2023, for example, the EU’s Network and Information Security 2 Directive entered into force; this cybersecurity legislation will implement security and reporting requirements across EU states. Further, the proposed European Cyber Resilience Act would regulate cybersecurity requirements for products with digital elements. The main objectives are two-fold: (i) to facilitate the development of secure products with digital elements by ensuring that hardware and software products are placed on the market with fewer vulnerabilities and that manufacturers take security seriously throughout a product’s life cycle; and (ii) to allow users to take cybersecurity into account when selecting and using products with digital elements.
Cybersecurity is also a priority in the UK. The UK government announced in November 2022 that it would strengthen the UK’s Network and Information Systems regulations, which were established in 2018. The objective of the legislative proposal was to improve the UK’s cyber resilience. Under the proposed changes, digital service providers will face fines of up to £17 million if they fail to put in place effective cybersecurity measures. The legislative proposals included seven policy measures seeking to address the increasingly sophisticated and frequent cybersecurity threats facing UK companies. The proposed changes will bring providers of outsourced IT and ‘managed service providers’ into the scope of the existing regulations.
Finally, in 2022, NICE unveiled its Early Value Assessment for Medtech (‘EVA’) programme, which is an innovative new approach to assessing digital health products that best reflect system need and demand. This programme offers a rapid assessment of the clinical effectiveness and value-for-money of such products. The methodological approach will explore in detail the potential of technologies to: (i) address unmet medical need; (ii) assess existing evidence; and (iii) identify key gaps in the marketplace. Once a technology receives a conditional recommendation through EVA, NICE will work with manufacturers to develop a plan to gather detailed evidence while the product is in clinical use. The benefit of EVA is to support earlier patient access to technologies that have the potential to meet system needs. Unlike existing NICE guidance processes, EVA would not require selected technologies to have generated a large amount of evidence. Rather, the data would be generated incrementally once the technology has been recommended for use in the NHS.
China
The PRC’s data governance regime has evolved in recent years, including the addition of the Cybersecurity Law in June 2017 (which regulates cybersecurity and the construction, operation, maintenance, and use of networks in China); the Biosecurity Law in April 2021 (which regulates activities related to biosecurity, such as the safety management of biological materials and data derived therefrom); and the Data Security Law in September 2021 (which applies to data processing activities in China). Additionally, the Human Genetics Resources (‘HGR’) Regulation (2019) governs the processing of HGR data (defined as data that derives from organs, tissues, cells, or other biospecimens that contain human genome or genes). The processing of clinical-study data is subject to the HGR Regulation. On 22 March 2022, the Ministry of Science and Technology released draft Implementing Rules on the Administrative Regulations on Human Genetic Resources for public comment. These draft rules will provide clearer guidance on how foreign entities can make use of Chinese HGR. Most recently, the Personal Information Protection Law (‘PIPL’) came into effect in November 2021. In addition to applying across the PRC, PIPL also has extraterritorial applications, including: telemedicine services offered to patients in the PRC; collaborating with researchers in the PRC; and acting as a lead site for a multi-national clinical trial with PRC-based sites. PIPL applies (i) where the processing is for the purposes of providing products or services to individuals located in China; (ii) where the processing is for analysing and evaluating the behaviour of individuals located in China; and (iii) under circumstances prescribed by laws and administrative regulations.
PIPL governs any ‘analysing or assessing activities of natural persons inside the borders’ of the PRC, even if the handling activities take place outside of the PRC.10 Accordingly, conducting clinical research with research sites or research subjects located in the PRC could involve activities that may constitute ‘analysing or assessing activities’ of data subjects. For example, PIPL applies to studies conducted through mobile applications whereby subjects are enrolled remotely and the app collects data on the subject’s physical condition or geographic location through the subject’s mobile phone; or to wearable devices that transmit health and other data to another country for use in research. Health and biometric data qualify as ‘sensitive personal information’ under PIPL and qualify for additional protections, including a requirement to collect separate consent for processing such personal data.
PIPL requires all personal-information controllers that need to transfer personal information out of Mainland China to either: (i) pass a security assessment organised by the Cyberspace Administration of China (‘CAC’); (ii) undergo certification by specialised certification agencies in accordance with relevant regulations; or (iii) conclude a standard contract designated by China cyberspace regulators with the overseas recipient. In September 2022, the Measures for the Security Assessment of Outbound Data Transfers promulgated by CAC came into effect. This regulation specifies that a security assessment application must be filed with CAC if: (i) the data to be transferred abroad are important data; (ii) a critical information infrastructure operator or a personal-information handler who has processed more than 1,000,000 persons’ personal information intends to transfer personal information abroad; or (iii) a personal-information handler who has transferred the personal information of 100,000 persons or the sensitive personal information of 10,000 persons cumulatively since 1 January of the previous year intends to transfer personal information abroad. In December 2022, the National Information Security Standardisation Technical Committee released the Practical Guide to Cybersecurity Standards – Specifications on Security Certification for Cross-Border Personal Information Processing Activities V2.0. Further, in February 2023, the CAC released the Provisions on Standard Contracts for Cross-border Transfer of Personal Information, which will become effective on 1 June 2023. Moving forward, personal-information controllers and overseas recipients are expected to conclude the standard contract for data transfer outside of China using the standard contractual clauses affixed to the Provisions. These guidelines supplement and clarify PIPL’s personal information protection certification regime. 
These developments are reminiscent of cross-border data transfer mechanisms under GDPR and suggest that we may continue to see legislation detailing such transfer mechanisms from major jurisdictions.
4. Evolving Landscape of AI and ML
ML – which uses statistical pattern-recognition capabilities – and AI have increasing health care and life sciences applications, and the regulation of AI as a medical device (‘AIaMD’) and software as a medical device (‘SaMD’) has rapidly evolved. SaMD and other non-device software are used in the treatment and diagnosis of diseases and conditions underpinned by AI and ML, and apps are now able to produce imaging analytics, connect HCPs with one another, monitor medication adherence, and communicate felt experience during treatment with HCPs. For a more thorough discussion of the regulatory framework governing AI and ML in these key jurisdictions, see A Cross-Border Regulatory and Public Policy Analysis of Machine Learning and Artificial Intelligence: The Future of AI in Life Sciences (2022).11
A key concern from a global perspective is the lack of generalisability of AI/ML across jurisdictions. For example, the exact definitions of AIaMD and SaMD vary across jurisdictions, which poses challenges to regulators who may wish to pursue a more unified global approach with such technologies. Additionally, regulators have grappled with how to handle the inevitable changes in AI/ML-enabled devices as they learn and develop. However, better validation, documentation, and testing of AI/ML-enabled devices will generally facilitate acceptance of such devices across jurisdictions.
United States
FDA guidance directly on point to the regulation of SaMD with AI and ML components has to date been fairly limited, given that such software is an emerging area of development. However, the guidance that has been made available signals significant agency investment in allowing AI and ML to be integrated into SaMD as a general matter, while developing flexible regulatory mechanisms by which device changes due to AI/ML components can be appropriately pre-approved as long as they do not too significantly alter the functioning of the device.
In 2021, FDA released its Artificial Intelligence/Machine Learning (AI/ML)-Based Software as a Medical Device (SaMD) Action Plan, highlighting that such technologies ‘have the potential to transform health care delivery’, with the agency anticipating that ‘with appropriately tailored total product life cycle-based regulatory oversight, AI/ML-based [SaMD] will deliver safe and effective software functionality that improves the quality of care that patients receive’. This action plan followed the 2019 publication of FDA’s Proposed Regulatory Framework for Modifications to Artificial Intelligence/Machine Learning (AI/ML)-Based Software as a Medical Device (SaMD), which underscored that though FDA’s historical typical sign-off has been on AI/ML-based SaMD with ‘locked’ algorithms – ones that do not change once released into the market – the future lies in adaptive products that ‘learn’ with time and increasing numbers of inputs.
These guidance documents anticipate FDA review, during the initial premarket review for an AI/ML-based device, of a ‘Predetermined Change Control Plan’. Such a plan would detail information about both the types of anticipated modifications to the software and the methodology underlying algorithm changes, to ensure that the device remains safe and effective after the modification. FDA’s proposed framework further clarifies, however, that subsequent regulatory reviews may still be required, depending on the type of modification being made.
Greater clarity on this topic is coming soon, as in mid-February 2023 FDA sent a draft guidance document titled ‘Marketing Submission Recommendations for a Predetermined Change Control Plan for Artificial Intelligence/Machine Learning-Enabled Device Software Functions’ to the White House for review and potential publication clearance. The guidance, if issued, will come on the heels of a recent statutory amendment, which granted the FDA the authority to proactively sign off on device changes, if consistent with a predetermined change control plan.
Europe
As part of the EU’s AI Strategy, the Commission has proposed a first-of-its-kind regulatory framework on AI comprising a Regulation laying down harmonised rules on AI (the ‘AI Act’) and a Directive on its associated non-contractual civil liability profile (the ‘AI Liability Directive’). In its current draft, the AI Act distinguishes between uses of AI that create unacceptable risk, high risk and low/minimal risk. If adopted, high-risk AI systems will need to meet comprehensive requirements, such as those related to data governance, recordkeeping, transparency, accuracy, and security. Low/minimal-risk uses of AI will need to abide by transparency obligations. The AI Liability Directive seeks to give businesses legal certainty on their exposure to liability, while simultaneously ensuring that the legal framework is fit for the increasingly digitised economy. The new regime lays down uniform rules for access to evidence and alleviation of the burden of proof in relation to damages caused by AI systems, thus establishing broader protection for an injured party to seek redress. It also introduces a presumption of causality against the developer, provider, or user. Given the novelty of these proposals, their impact on businesses, and their cross-sector application, it is anticipated that the progression of the AI Act and the AI Liability Directive through the legislative process over the course of 2023 will receive a great deal of scrutiny.
In contrast to the EU, the UK is currently pursuing a decentralised approach to the regulation of AI. Industry regulators, such as the MHRA, are charged with developing regulatory regimes specific to the industries they regulate. In its Roadmap of 17 October 2022, the UK MHRA published its Guidance on Software and AI as Medical Device Change Programme Roadmap. The guidance builds on the Government responses to consultation on the future regulation of medical devices in the UK and follows on from the Software and AI as Medical Device Change Programme, which was published in 2021. Among other issues, the guidance aims to ensure that SaMD can be accurately distinguished from other products and promises to update the national Borderlines Manual. However, some key issues discussed in our recent publication12 remain under consultation, including the need to formally define the concept of a manufacturer for SaMD. For example, as apps often use open-source code, any entity making modifications to the code may inadvertently take on the responsibilities of the manufacturer of this modified code if the software qualifies as SaMD.
The UK Government’s Roadmap sets out a number of ‘Work Packages’ addressing specific aspects of such devices, including qualification, classification, premarket evaluation, post-market surveillance, and cybersecurity. Several of the Work Packages address AIaMD, specifically: Work Package 9 ‘AI RIG’ aims to clarify how AIaMD can best meet medical device requirements for products utilising AI; Work Package 10 ‘Project Glass Box’ aims to improve user functionality and transparency in AIaMD in the UK; and Work Package 11 ‘Project Ship of Theseus’ focuses on the adaptability of AI across digital health. MHRA intends to publish the specific guidance in a step-wise manner.
A report published by the UK Regulatory Horizons Council in November 2022 outlines the need to make the AIaMD regulatory process more open and transparent, to increase the involvement of patients and public, and to improve regulatory clarity for manufacturers and users. The report recommends building a critical mass of AIaMD experts across all key industry gatekeepers (in the UK, this would include MHRA, NICE, the Health Research Authority, and the Care Quality Commission), to enable appropriate and sufficient scrutiny of products entering into the marketplace.
China
China does not have legislation specifically regulating AIaMD and SaMD; rather, the general medical device regulations apply to medical device software products. However, the CMDE introduced new Guidelines for Registration Review of AI-enabled Medical Device in March 2022, which clarify the registration process and standardise the technical review requirements for AIaMD. These guidelines define AIaMD as medical devices that use AI technology to analyse medical device data to achieve a medical use; the guidelines do not consider products that base their output on non-medical data or have non-medical uses to be AIaMD. These systems’ value is judged by their generalisability, which the NMPA monitors as an ongoing concern with requirements focusing on:
- data acquisition: adequate and diverse data; the rationality of data distribution; and the quality control of data collection, data set construction, and annotation;
- algorithm design: algorithm selection must be clear; training data volume evaluation must prove the adequacy and effectiveness of algorithm training; and the analysis of data outputs such as false negatives and positives, repeatability, robustness, real-time performance, and reproducibility; and
- validation and qualification: clinical validation; and a comprehensive analysis of the algorithm’s performance.
The guidance also highlights specific data and information security practices that companies should use to protect their proprietary information, including diversifying patent portfolios and streamlining the technical features of patent claims. The guidelines add to a robust body of rules issued by NMPA regarding the development and maintenance of SaMD.
5. Conclusion
The digital health revolution has transformed the delivery and management of health systems. The enabling technologies also transform how health-related data are collected, processed, and captured to inform decision-making and improve patient outcomes. Health data could also be potential secondary data sources for clinical research in a real-world setting. Data are considered health-related if they provide information on health status or prognostic characteristics of individuals or populations at large. ML and other digitalised analytical tools could substantially improve data mining for the detection and surveillance of a health-related event or emerging disease. Research based on such applications could provide insights into causal relationships between a treatment and its effects on human subjects.
Such sweeping technological and methodological advances are bringing about a sea change in the global regulatory environment. Regulators from around the world are rethinking their approaches, adopting regulatory models that are agile, iterative, and collaborative to address the considerable challenges posed by disruptive digital health technologies and methodological approaches. In general, regulators are moving towards outcome-based regulations, aiming to strike the right balance between the need to foster innovation and the need to enforce the regulators’ statutory role – to protect public health by preventing unintended consequences of emerging technologies and novel analytical approaches. To enable the exchange of health data within the increasingly globalised healthcare and life sciences ecosystems, interoperability and cross-border collaboration on developing internationally agreed standards will become a necessity in order to identify data sources that are findable, accessible, interoperable, and reusable. All these endeavours will likely be the next frontier for better regulation of the healthcare and life sciences sector.
6. Acknowledgments
The authors are very grateful to Bo (Alice) Du (‘BD’), Julie Kvedar (‘JK’) and Helen Ryan (‘HR’), who are associates respectively based in Shanghai, New York and Washington D.C., for their contributions to this chapter. BD advises life sciences companies on a wide range of regulatory and compliance matters. JK’s practice focuses on cross-border healthcare transactions and regulatory compliance matters. HR advises on life sciences regulatory compliance.
7. Endnotes
1. Tsang L., et al., Global Landscape of Digital Health: Impact on Healthcare Delivery and Corresponding Regulatory and Legal Considerations (2021).
2. 21 U.S.C. § 355(d).
3. 21 C.F.R. § 860.7(c)(2).
4. [Hyperlink]
5. [Hyperlink]
6. [Hyperlink]
7. [Hyperlink]
8. [Hyperlink]
9. [Hyperlink]
10. PIPL Art. 3.
11. Tsang L., et al., A Cross-Border Regulatory and Public Policy Analysis of Machine Learning and Artificial Intelligence: The Future of AI in Life Sciences, 34 Intell. Prop. & Tech. L.J. 10, 3–11 (2022).
12. Ibid.