In the first of a three-part series, Covington’s global cross-practice Digital Health team answers key questions that companies across the life sciences, technology, and communications industries should be asking as they seek to fit together the regulatory and commercial pieces of the complex digital health puzzle.
Key Regulatory Questions About Digital Health Solutions
1. What are your digital health solution’s intended uses? Understand whether the components of the solution (or in some cases, the sum of the parts) are regulated by one or more regulatory authorities and, if so, the associated regulatory classification and requirements.
In various jurisdictions, including the U.S., EU, and China, a digital health solution could potentially be regulated as a medical device or a drug-device combination product, or it could be a consumer product not regulated under medical product authorities. Much would depend on the solution’s intended use and functionality, and the claims made by the product’s manufacturer. U.S., EU, and Chinese laws acknowledge that standalone software can be a medical device. A digital health software solution could be regulated as a medical device if is intended by the manufacturer to have a medical purpose or otherwise affect patient care. If the solution is intended to “e-enable” a drug or otherwise intended for use with a drug, it could create a drug-device combination product. In the U.S. and China, such drug-device combinations may be regulated under the drug marketing application or under a separate device marketing application. In the EU, such drug-device combinations are regulated as medicines. Alternatively, the solution could be a consumer product that is not subject to medical product regulation if it is not intended for use with a drug and is positioned as a “lifestyle/general wellness” tool, rather than a tool with a medical purpose.
2. What kind of claims can you make about your digital health solution? Also establish what level of substantiation is required for those claims. If you are a pharmaceutical company, consider whether your or your collaborator’s digital health solution may impact the marketing of your drug(s) (e.g., would the digital solution be considered by FDA, EMA, DOJ, FTC, China’s CFDA or SAIC and/or another regulatory authority to be drug advertising, promotion, or labeling; does testing it require an investigational application; do you need to file a supplemental drug application or variation to a marketing authorization).
Permitted claims will depend on the regulatory classification of your solution. For example, e-enabling and other digital health components of approved/authorized medicines can create combined drug-device combination products, which will need to comply with U.S. and EU drug laws. This will impact permitted advertising and promotion and will often require specific product labeling. It could also require a supplement or variation to an existing marketing authorization.
In the U.S., if your solution is a medical device, its advertising and labeling will be subject to FDA and/or FTC regulation. Both agencies have authority to take action against false or misleading promotion, including claims that are not supported by appropriate clinical data. There are no harmonized EU medical device advertising rules. You will need to consider at an EU member state level whether there are any restricted audiences before promoting your device. In China, any therapeutic claims would be subject to restrictions under China’s drug and/or device regulations and its Advertisement Law, and CFDA must pre-approve all advertisements and medical information websites.
3. Are your warnings and disclosures tailored to your intended audience and use(s), not merely boilerplate? Understand whether they reasonably warn about possible adverse health consequences to patients. Even in the absence of regulatory labeling requirements, you may have duties to your customers under tort law or general consumer protection legislation.
The adequacy of warnings will depend on the risk and classification of the solution and the purpose of the disclosure. Different considerations apply depending on whether the disclosure is intended to provide legally mandated information or to warn against unintended uses or functions. For example, in certain instances a manufacturer may accept that its solution is a regulated product and seek to include appropriate warnings in associated materials. In other cases, the solution could be unregulated and warnings and disclosures could be applied as protection against unintended use of the product.
4. What other regulations apply to your digital health solution? Depending on the nature of the digital health solution, several other laws and regulations may apply. For instance, if the solution is offered through health care providers or health plans or if it interacts with the electronic health record systems of health care providers, compliance with the HIPAA privacy and other data privacy laws, security and breach notification rules may be required.
In the U.S., federal laws intended to protect against fraud and abuse, such as the Anti-Kickback Statute and the Stark physician referral statute, may also be implicated. In addition, consideration should be given to analogous state laws and to state laws governing the practice of medicine.
In the EU, the digital health solution may also be a regulated health service. Many jurisdictions will require that entities or organizations delivering a health service have some kind of register or permit from a relevant regulator. This would include, for example, the Care Quality Commission in the UK, which will register an entity as a health service provider only once it has carried out an audit and subject it to periodic re-inspections. Moreover, if that health service provider wishes to provide services specifically to a national or regional health service provider, it may need to hold other permits or meet certain additional standards.
Additional laws and regulations may also apply in China. For example, similar to the EU, in China health services are subject to strict regulation. These services must typically be managed through an institution with a health care institution license, and advertisements for health services must be submitted by that institution to the provincial-level health authorities for pre-approval. Health information websites must also meet specific regulatory and pre-approval requirements. China’s increasing body of regulation on cybersecurity, Internet information, and health privacy may also impose requirements on the flow of personal health information to and from a medical device or consumer product.