Australia’s medtech sector has experienced rapid growth over the last decade, with a recent focus on digital health, connected devices and artificial intelligence.

In this article, we discuss some of the key legal issues faced by startups entering the medtech space, focussing on proposed changes to the medical device regulatory regime, privacy and intellectual property laws.

1. Changes to the classification rules for SaMD (Software as a Medical Device)

Technology has evolved and diffused dramatically since the last major overhaul of the Australian medical device regime which occurred in 2002. The changes to the Therapeutic Goods Act 1989 (Cth) (the Act) and the introduction of the Therapeutic Goods (Medical Devices) Regulations 2002 (Medical Devices Regulations) were intended to provide a best practice regulatory regime which harmonised Australia's requirements for quality, safety and performance with the higher standards enforced in Europe at the time.

However, Australia’s medical device regulatory framework has not kept pace with the advances in information and communications technology which now underpin the focus of medtech innovation – particularly the development of standalone software and integrated technology platforms which can be used to diagnose or treat disease.

Given this, the Therapeutic Goods Administration (TGA) is poised to recommend the introduction of new regulations to govern SaMD, or software-as-a-medical-device. One of the most significant proposed changes will be the requirement to properly classify SaMD according to risk, in contrast to the present situation which, under the current rules, results in all SaMD being classified as Class I (i.e. the lowest risk classification of device), regardless of actual risk. This is because the current classification rules only consider the possible harm caused by a physical interaction between a medical device and a human.

The proposed changes to the rules will result in SaMD which is used directly in diagnosis or therapy being classified as Class IIa to III devices, both for new applications and for existing registrations. The only SaMD to remain as Class I would be lower risk software which directs patient activity based on a non-interactive intervention. This will align with international approaches, for example in the European Union, where rules for higher classifications have already been introduced. However, this will have a dramatic impact on the time and costs involved in registering (or maintaining the registration of) the SaMD on the Australian Register of Therapeutic Goods (ARTG). Medtech companies should review the proposed classification scheme in anticipation of the increased regulatory scrutiny which is likely to be imposed.

2. Cyber security

For any medical device to be included on the ARTG, the manufacturer must demonstrate compliance with the ‘Essential Principles’ contained in the Medical Devices Regulations. The Essential Principles require the minimisation of risks associated with the design, long-term safety and use of the device, which implicitly includes minimisation of cyber security risks.

However, the Essential Principles currently do not refer specifically to SaMD. This is a recognised gap, and one which the TGA plans to address by recommending changes to the Essential Principles to include clear and transparent requirements for demonstrating the safety and performance of SaMD and other regulated software. Proposed requirements include:

  • that any cyber security risks associated with network connectivity be minimised;
  • that software be designed and produced using best practice software engineering principles;
  • that best practice cyber security principles be used to address the risk of unauthorised access to the device; and
  • that medical devices be designed to facilitate software updates, and that information about the clinical risk of an update be provided to the user.

Again, the proposed changes to the regime will necessarily involve additional effort and cost for manufacturers to systemise development and production practices, and document the evidence for assessment. The TGA also notes that in some cases, new quality management and development practices may have to be put in place to demonstrate compliance.

3. New penalties under the Privacy Act

All Australian companies (with limited exceptions) must comply with the Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (Cth) (Privacy Act) when dealing with personal information. The APPs contain higher standards when dealing with health information.

Breaches of the APPs are subject to hefty penalties, currently up to A$2.1 million for the most serious and repeated breaches. However, it is likely that these penalties, together with the enforcement powers of the Office of the Australian Information Commissioner (OAIC), will be increased significantly in the near future. The Australian Government has proposed these amendments to substantially strengthen the enforcement regime and align our legal framework more closely with the European GDPR.

The proposed amendments will increase the maximum penalty for entities subject to the Privacy Act to the higher of:

  • A$10 million for serious or repeated breaches;
  • three times the value of any benefit obtained through the misuse of information; or
  • 10% of a company’s annual domestic turnover.

The draft legislation is due for consultation before the end of 2019.

4. Use of data in machine learning

Medical technology is increasingly incorporating elements of machine learning, which relies on continuous data analysis to “train” the algorithm to become more accurate over time. However, given the privacy constraints around secondary uses of health information, consent to the use of such data for machine learning purposes must be obtained from individuals. Data could be de-identified for this purpose; however, it may be argued that the process of de-identifying data is itself a “use” of data which requires consent under the APPs.

Medtech companies should identify how they need to use the data they collect, consider the potential ways in which they might plan to use that data in the future, and ensure that they have obtained the required consents to enable those uses.

Under the Privacy Act, APP 1 requires that a company make available a well-drafted privacy policy. In addition to that, medtech companies may wish to develop a “white paper” which provides further details about the company’s data handling and cyber security practices, so that it is clearer and more transparent to potential customers and individuals how their data, and particularly personal information, will be collected, used, stored and disclosed. A privacy policy may deal with this to some extent; however, it is not a legal requirement to describe a company’s data protection practices in any detail in such a policy. A white paper can be a good way to provide comfort to consumers of technology that personal information will be handled safely and appropriately.

5. Abolishment of the Innovation Patent System

Legislation currently before the Australian Parliament – the IP Laws Amendment (Productivity Commission Response Part 2 and Other Measures) Bill 2019 (Cth) (Bill) – will, if passed, have the effect of abolishing Australia’s innovation patent system. The innovation patent system provides second-tier patent protection of eight years for innovations, as opposed to the 20-year protection for patentable inventions.

The innovation patent system was introduced in 2001 to protect incremental technological developments by Australian small and medium-sized enterprises, and has been used effectively in the medical device space.

Under the Bill, those who have already obtained or applied for innovation patents will (if the Bill is passed) continue to be able to enforce them. In addition, for a period of 18 months from the Bill receiving royal assent, it will still be possible to apply for innovation patents. After this ‘grace period’, no more applications will be accepted.

Medtech companies that wish to apply for innovation patent protection should try to obtain these key enforcement tools while they are still available.