Welcome to the latest installment of Arnold & Porter's Virtual and Digital Health Digest. This edition primarily covers April 2023 highlights across the virtual and digital health space. This digest focuses on key virtual and digital health and telehealth-related developments in the United States, United Kingdom, and European Union in the health care, regulatory, intellectual property, and privacy spaces.
US News
FDA REGULATORY UPDATES
FDA Issues Discussion Paper on Use of AI/ML in Drug Development. On May 10, 2023, FDA issued a discussion paper on using artificial intelligence (AI) and machine learning (ML) in the development of drugs and biological products. Main topics discussed in the paper include the landscape of current and potential uses of AI/ML (e.g., drug target identification and prioritization, compound screening and design, and clinical trial applications); considerations for use of AI/ML (including overarching standards and practices); and next steps and stakeholder engagement. The discussion paper is not FDA guidance or policy and does not endorse a specific AI/ML use or approach in drug development. Rather, FDA describes the discussion paper as "an initial communication with stakeholders ... intended to promote mutual learning and discussion."
FDA recognizes the increased use of AI/ML throughout the drug development life cycle and its potential to accelerate the development of safe and effective drugs. The agency explains that it has seen a rapid growth in the number of drug and biological product applications that include AI/ML (100+ submissions in 2021). Per FDA, such submissions cut across a range of therapeutic areas, and the uses of AI/ML within the submissions cover the many different areas of the drug development process — from drug discovery and clinical trial enrichment to endpoint assessment and post-market safety surveillance.
FDA is soliciting feedback on the opportunities and challenges with utilizing AI/ML in the development of drugs, as well as in the development of medical devices intended to be used with drugs. Comments on the discussion paper are due by August 9, 2023.
FDA Hosts Webinar on AL/ML Software Predetermined Change Control Plans (PCCP) Guidance. On April 13, 2023, FDA hosted a webinar on the draft guidance entitled, "Marketing Submission Recommendations for a Predetermined Change Control Plan for Artificial Intelligence/ Machine Learning (AI/ML)-Enabled Device Software Functions," issued on April 3, 2023. As summarized in the webinar, the guidance aims to describe FDA's proposed approach to AI/ML-enabled devices to support their iterative development and improvement over time; to build on the agency's longstanding commitment to developing innovative approaches to ensuring that safe and effective digital health technologies are available to patients; to include recommendations on information to be included in a PCCP provided as part of a marketing submission for an AI/ML-enabled device; to specify that modifications to a machine learning-enabled device software function made in accordance with an authorized PCCP can be implemented to the device without a new marketing submission; and to include details on the recommended content of these sections, with additional clarity provided in the many examples in the document's appendices. Additional information about the draft guidance can be found in the April 2023 issue of Arnold & Porter's Virtual and Digital Health Digest. A transcript of the full webinar is available here.
HEALTHCARE FRAUD AND ABUSE UPDATES
OIG Toolkit: Analyzing Telehealth Claims to Assess Program Integrity Risks. On April 20, 2023, OIG released a toolkit for evaluating telehealth claims and identifying fraud and abuse risks. OIG developed the toolkit based on the methodology the agency used for its report, Medicare Telehealth Services During the First Year of the Pandemic: Program Integrity Risks (OEI-02-20-00720), which identified Medicare providers whose billing for telehealth services poses a high risk to Medicare. OIG explained that the agency created the toolkit because of increased fraud and abuse concerns following the "dramatic increase" in the use of telehealth due to the COVID 19 pandemic.
The toolkit prescribes steps for analyzing fraud and abuse risks of provider telehealth claims, as well as identifies seven risk areas of concern to program integrity. These include, among others, billing telehealth services at the highest, most expensive level for a high proportion of services and billing a high average number of hours of telehealth services per visit.
Continued Government Scrutiny of Telehealth Services. The Telehealth Toolkit comes amid a continued crackdown in fraudulent telehealth schemes. For example, on May 2, 2023, an Ohio man and owner of several marketing companies admitted to his role in conspiracies to commit health care fraud and pay and receive illegal kickbacks. According to information filed by the government, Mike Belter used several marketing companies he owned and controlled to identify Medicare and TRICARE beneficiaries to target for expensive drugs with his co-conspirators. These companies would call beneficiaries to persuade them to try the expensive drugs without considering whether these drugs were medically necessary to the beneficiaries or not. Belter and his co-conspirators would then pay kickbacks to telemedicine companies, who in turn paid kickbacks to doctors to induce them to write prescriptions for the medications without concern for medical necessity. Further, Belter and his co-conspirators would direct the prescriptions to pharmacies who would submit claims for reimbursement to federal health care programs and send a portion of the proceeds to Belter and his companies as payment for the prescriptions generated through the conspiracy. Belter and his co-conspirators caused a submission of false and fraudulent claims to health care programs of over US$24 million of prescription drugs in total.
On April 20, 2023, two Florida doctors were sentenced for their roles in a durable medical equipment telehealth kickback scheme. Dean Zusmer owned one of four DME companies that collectively billed Medicare US$37 million for medically unnecessary DME. Zusmer and his co-conspirators paid kickbacks to marketers in order to acquire patient referrals and signed doctors' orders. Specifically, Zusmer and his co-conspirators, including Jeremy Waxman, used overseas call centers to solicit patients and telemedicine companies to procure prescriptions for unnecessary braces for these patients. Dr. Alexander Lawrence also owned one of the DME companies with Waxman and concealed both his and Waxman's roles in the scheme by putting the DME company in the name of one of Alexander's family members. Zusmer was sentenced to eight years and one month in prison and ordered to pay US$1,404,200.97 in restitution while Alexander was sentenced to two years and nine months in prison, with restitution to be determined in a later hearing. Waxman was previously sentenced to over 15 years in prison for his role in the scheme.
PROVIDER REIMBURSEMENT UPDATES
Notable New Technology Add-on Payment Applications in Inpatient Prospective Payment System Proposed Rule. On April 10, 2023, CMS posted a proposed rule to update the Inpatient Prospective Payment System (IPPS) for FY 2024. 88 Fed. Reg. 26658. This rule was published in the Federal Register on May 1, 2023. Comments are due June 9, 2023.
Drug and device manufacturers whose services and technology meet three criteria are eligible for the new technology add-on payments (NTAP) under the IPPS. To be eligible for the payment, the medical service or technology must be new, must be costly "such as that the MS-DRG rate otherwise applicable to discharges involving the medical service or technology is determined to be inadequate," and "must demonstrate a substantial clinical improvement over existing services or technologies." Under the standard NTAP pathway, applicants must demonstrate that they meet all three criteria. Devices that have received Breakthrough Status from FDA have access to an alternative pathway and are deemed to have met the criteria related to newness and substantial clinical improvement.
In the FY 2024 IPPS proposed rule, CMS discusses several NTAP applications for devices that utilize software and artificial intelligence to detect heart failure, EEG abnormalities, and monitor renal function: the Ceribell Delirium Monitor, Ceribell Status Epilepticus Monitor, Nelli® Seizure Monitoring System, Transdermal GFR Measurement System utilizing Lumitrace, and EchoGo Heart Failure 1.0. See 88 Fed. Reg. 26931, 26933, 26940, 26954, 26934. All of these devices received Breakthrough Status. Each device will either be approved or disapproved for the new technology add-on payment in the IPPS final rule.
HCPCS Applications for the First 2023 Coding Cycle. On May 1, CMS released its summaries, with preliminary determinations, of 33 applications for revisions to Health Care Common Procedure Coding System (HCPCS) Level II billing codes and related payment determinations, which will be considered at public meetings on May 30, May 31, and June 1, 2023. Notably, billing code requests for prescription digital therapeutics Luminopia and EndeavorRx® will be discussed at the May 31, 2023 meeting.
The meetings are an opportunity for CMS to receive additional information related to the applications; CMS will make no decisions at these meetings. The meetings are open to the public and will be held remotely, using Zoom. Registration is available here.
Preparing for the End of the Public Health Emergency. The PHE expired on May 11, 2023 and major changes are in store for provider reimbursement flexibilities related to telehealth. CMS has published materials to aid providers and ensure a smooth transition as flexibilities related to the PHE end. These include a transition fact sheet, FAQ about the PHE waivers, a memorandum discussing guidance for the expiration of the PHE, a waiver and flexibility request form, and information regarding acute hospital care at home.
Some changes take effect immediately, others occur at the end of this fiscal or calendar year, and still others have been extended through 2024.
PRIVACY UPDATES
Washington State Enacts "My Health, My Data Act". Washington State recently took an aggressive step toward restricting the use of personal health information, including indicators of health associated with a persistent unique identifier, such as a cookie ID, an IP address, or a device identifier. On April 28, 2023, Washington State Governor Jay Inslee signed into law the "My Health, My Data Act" (the Act), which will take effect on March 31, 2024, although provisions banning certain uses of geotagging near in-person health services went into effect immediately. The Act restricts the collection, use, and disclosure of information that is "linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status." A "consumer" includes not only state residents (which is the definition typically used in the growing body of generally applicable state consumer privacy laws); it also includes any "natural person whose consumer health data is collected in Washington."
The Act does not focus solely on the privacy of data collected in the digital health context, but concern about lack of the protection for such data was among the motivations for the statute's enactment. As Sponsor Senator Manka Dhingra (D-Redmond) asserted in its favor: "With the significant growth in the use of tracking apps, online chats, social media, and search engines for accessing health care information, advice, and research, these protections for sensitive health data are long overdue."
The Act prohibits "regulated entities" from collecting or sharing consumer health data without the express, affirmative consent of the consumer to whom the data pertains, unless the collection or sharing is necessary to provide a product or service that the consumer has requested.
- Regulated entities are not only organizations doing business in Washington State, but also entities producing or providing products or services targeted to consumers in the state, to the extent they determine the purpose and means of collecting and processing consumer health data.
- Consumer health data includes, for example, individual health conditions, treatment, diseases, or diagnosis; social, psychological, behavioral, and medical interventions; the use or purchase of prescribed medications; and information "derived or extrapolated from nonhealth information (such as proxy, derivative, inferred, or emergent data by any means, including algorithms or machine learning)" to identify a consumer with these or other indicators of health.
There are exceptions from the Act's mandates and prohibitions for certain entities and information governed by other privacy laws or regulations, but those exceptions are inapplicable to many entities that currently collect personal health data.
Unlike most of the recently enacted state consumer privacy laws, the Act provides a private right of action for enforcement. Violations of the Act are deemed unfair or deceptive acts or practices under the Washington Unfair Business Practices law, which allows for enforcement by either a consumer directly or by the Washington Attorney General. Entities involved in digital health activities will likely need to commence planning soon to ascertain their potential exposure and to implement the necessary measures to comply, not only with the restrictions and requirements described above, but also with other provisions of the Act not detailed here.
CORPORATE TRANSACTION UPDATES
Q1 for Digital Health: Zero IPOs, Low Stocks, But Six Large-Scale Transactions. The fall of two banks that were friendly to digital health startups, coupled with Moody's downgrading of bank credit rankings, left digital health startups in a difficult environment in early 2023. Rock Health's latest funding report showed zero digital health IPOs in Q1 and noted the trading of digital health stocks was almost 50% lower in Q1 of 2023 when compared to Q1 of 2021. While 130 digital health deals were reported in Q1, six of these deals made up 40% of the total digital health funding in Q1, suggesting that the current digital health market is largely dominated and influenced by a handful of large-scale transactions. The six "megadeals" were as follows: Monogram Health at US$375 million, ShiftKey at US$300 million, Paradigm at US$203 million, ShiftMed at US$200 million, Gravie at US$179 million, and Vytalize Health at US$100 million.
Digital Health Care Platform eVisit Expands Customer Base by Acquiring Bluestream Health. On April 27, eVisit, a leading telehealth care platform and telemedicine provider, announced its acquisition of Bluestream Health, a health tech firm that helps brick-and-mortar facilities transition to more virtual-care-based formats. eVisit plans to integrate Bluestream's language services into its telehealth platform, allowing patients to interact through eVisit's telehealth platform in 198 new languages, plus American Sign Language. eVisit also highlighted the acquisition's ability to more quickly scale its acute and enterprise care offerings.
With the acquisition, eVisit's customer base is anticipated to double. The acquisition of Bluestream Health also allows eVisit to expand its telehealth platform to public health care delivery and broaden its customer base. Specifically, the new language database enables eVisit to use its telehealth platform to serve underrepresented communities and incarcerated populations. "An underserved population, often ignored [with] significant health care needs [and] high barriers to access that can be addressed through, opening up more effective digital front doors and seamless workflow," eVisit CEO Sachin Agrawal said of the acquisition's benefits.
Investment Arms Aegis Ventures and Northwell Holdings Launch Digital Health Care Company Optain with US$12M Investment. On Tuesday, May 9, partners Aegis Ventures and Northwell Holdings launched Optain, a digital health care company that will use AI-backed retinal imaging to attempt to detect early signs of disease. Specifically, Optain will provide screening for diabetic retinopathy, age-related macular degeneration, and glaucoma with the goal of reducing reactive care with increased preventative care. To fund Optain, Aegis Ventures and Northwell Holdings provided an initial seed investment of US$12 million. The launch of Optain is part of a growing global trend of venture capital firms partnering with health care organizations to develop and quickly deploy emerging digital health technology.
POLICY UPDATES
Silicon Valley Congresswomen Reintroduce
Comprehensive Privacy Legislation. On April 19, 2023,
Reps. Anna Eshoo (D-CA) and Zoe Lofgren (D-CA) reintroduced the
Online Privacy Act (H.R. 2701), a consumer privacy bill that would
strictly limit how companies collect, use, and disclose personal
information. The bill would establish the Digital Privacy Agency, a
new federal agency that would be designed to enforce users'
privacy rights and ensure businesses' compliance with the law.
Under the bill, a consumer's personal information could not be
used for digital machine learning/AI algorithms absent the
consumer's express consent. The bill would not preempt more
restrictive state legislation and supports an individual's
private right of action. As the House Energy & Commerce
Committee continues to lead bipartisan negotiations toward a future
federal privacy bill, it remains unclear which, if any, of the
provisions within H.R. 2701 would be supported by
Republicans.
EU and UK News
REGULATORY UPDATES
UK MHRA Guidance on Software and AI as a Medical Device. On April 6, 2023, the UK Medicines and Healthcare products Regulatory Agency (MHRA) collated all of the guidance produced by its Software Group on software and AI as a medical device (i.e., SaMD and AIaMD). The Software Group is responsible for ensuring that the UK public has access to safe and innovative devices that meet a clinical need and collaborates with many international regulators, academic groups, and UK health organizations. The collection includes all previously published guidance on: (1) classification of software applications as a device; (2) the regulatory status of software used in the COVID-19 pandemic; (3) the Software and AI as a Medical Device Change Programme and Roadmap (discussed on our November Digest); (4) the intended purpose statement for SaMD (discussed on our April Digest); (5) post-market vigilance; and (6) the guiding principles for good machine learning practice.
Use of Telehealth Survey Results From the Commonwealth Fund. On April 6, 2023, the Commonwealth Fund published its findings from a survey exploring how primary care doctors in 10 high-income countries view the ease of use and effectiveness of telehealth. During 2022, in the UK, more than a quarter of doctors (28%) used telehealth to conduct over 75% of their patient visits, and 67% of doctors used telehealth to conduct between 25% and 75% of their patient visits in a typical week — a total of 95% of physicians using telehealth at least 25% of the time. The equivalent numbers were much lower in the U.S. (only 15% conducted over 25% of patient visits via telehealth per week), Germany (16%), and France (7%).
The survey also found:
- 82% of UK doctors reported that implementing a telehealth platform was "very easy" or "somewhat easy," compared to 72% in the U.S., 72% in France, and 30% in Germany.
- 85% of UK doctors reported that use of telehealth improved timeliness of care "to a great extent" or "to some extent," compared to 82% in the U.S., 55% in France, and 19% in Germany. This didn't necessarily equate to improved quality of care, however, as less than one in five saw an improvement in quality of care.
- 72% of UK doctors reported that telehealth allowed them to assess mental and behavioral health needs effectively, compared to 75% in the U.S., 30% in France, and 28% in Germany.
The report concluded that more qualitative research is required to explain differences in telehealth use between countries and whether telehealth is being delivered to patients in the most efficient way.
UK Government Publishes Response to Report Evaluating Progress on the Digitization of the NHS. On April 28, 2023, the UK government's response to the report assessing its progress on digitization of the NHS was published (see discussion of the report in our March Digest). The government disagreed with the report's overall finding that progress had been "inadequate," stating that the report does not reflect the plans the government has put in place for digital transformation, for example the launch of the multi-agency advice service for AI technologies in the NHS (also discussed in our March Digest). In response to a rating of "requires improvement" for streamlining contracting methods between the NHS and technology developers, the government listed a number of initiatives it had been involved in (such as the AI in Health and Care Award) to support companies developing and deploying health technologies. The government committed to ensure the NHS App "can act as the digital front door" with a pilot launching in May 2023 to support digital inclusion for vulnerable groups.
The NHS App, together with virtual wards and the "Supporting People at Home" program are other ways that the government is improving digital health monitoring of individuals within their homes.
PRIVACY UPDATES
Guidance for Generative AI Users and Developers from the UK ICO. On April 3, 2023, the UK's Information Commissioner's Office (ICO) published guidance for developers and users of generative AI that processes personal data. The guidance lists eight questions for organizations to proactively consider to ensure compliance with data protection law. These cover topics such as identifying a lawful basis for processing, ensuring transparency, updating the Data Protection Impact Assessment, mitigating security risks, and limiting unnecessary processing. The ICO states that it will enforce non-compliance with the law, for example by issuing enforcement notices requiring a company to take or refrain from taking certain steps or penalty notices. The guidance also points users and developers to the ICO's guidance on AI and Data Protection, Regulatory Sandbox, and Innovation Advice Service for more information.
ICO Response to UK Government's AI White Paper. On April 11, 2023, the UK's ICO published its response to the government's White Paper on AI (discussed in the April Digest). The ICO describes AI as a strategic priority and highlights its regularly updated guidance on AI and data protection and risk toolkit. While welcoming the government's intention to bring together regulators to develop joint regulatory guidance, the ICO called for clarification on the specific roles of government and regulators in issuing guidance and encouraged delivery of the White Paper's goals by utilizing the Digital Regulation Cooperation Forum (DRCF). With respect to the format of the guidance and the design of the regulatory sandbox, the ICO recommended that the government research what AI developers would find most useful — for example, sector or case-specific guidance, rather than high-level guidance on the principles. The ICO also made several comments on the AI White Paper principles, noting that it is important to align with data protection principles (for example, the fairness principle should apply to the use and development of an AI system). Lastly, the ICO called for discussions on cross-sectoral regulators receiving additional funding to address the AI proposals. Individuals and organizations can comment on the AI White Paper until June 21, 2023.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
