In the digital health market, new trends reveal future opportunities for innovators and shape healthcare investors’ strategies. Trends for 2022 include regulatory developments regarding digital health, telehealth expansion, investments in direct-to-consumer healthcare, and more.
Moving into the third year of the COVID-19 pandemic, healthcare professionals around the world continue to face unrelenting workloads and acute staff shortages. Patient and consumer expectations of healthcare are changing. Future health systems will need to deliver care that is more accessible, scalable, and equitable, while under pressure to increase quality outcomes across the board. This evolution in healthcare will have long-lasting effects for many years to come, and there are a number of related key legal areas in digital health to consider for 2022.
FDA REGULATORY DEVELOPMENTS
The Food and Drug Administration’s (FDA’s) fiscal year (FY) 2022, which began October 1, 2021, is already poised to bring significant new regulatory developments for digital health.
FDA’s FY 2022 actions to date include authorization of a new virtual reality device product (intended for use in patients with chronic lower back pain) and issuance of a new discussion paper on 3D Printing of Medical Devices at Point of Care.
FDA also issued key new draft guidance documents: Content of Premarket Submissions for Device Software Functions, Assessing the Credibility of Computational Modeling and Simulation in Medical Device Submissions, and Digital Health Technologies for Remote Data Acquisition in Clinical Investigations.
Anticipated developments include the following:
- FDA’s long-awaited, final guidance document for Clinical Decision Support Software, which is once again listed on FDA’s FY 2022 “A-List” as a top prioritization guidance document. FDA has issued this guidance in draft twice previously—once in December 2017 and most recently in September 2019—and obtained significant feedback from industry and other affected stakeholders for both drafts (as discussed in our prior LawFlash).
- A new draft guidance document on premarket submissions for artificial intelligence or machine learning (AI/ML) software. As described in our prior LawFlash, FDA proposed in an April 2019 discussion paper that premarket submissions for AI/ML-based software include a “predetermined change control program.” The agency later committed to issuing a new draft guidance document on this topic in its January 2021 action plan for AI/ML-based software as a medical device (SaMD).
- New draft guidance documents on premarket submission content related to cybersecurity, SaMD, and software in a medical device (SiMD).
- A new draft guidance document on how FDA intends to adopt the International Medical Device Regulators Forum (IMDRF) guidance on risk categorization for SaMD.
In addition, while FDA enforcement has dropped off in recent years due to FDA’s focus on COVID-19 related matters, enforcement across the medtech industry, including digital health, is expected to increase over the next year.
TELEHEALTH, REMOTE MONITORING, AND CONTROLLED SUBSTANCES TELEPRESCRIBING
2022 is poised to be another big year for telehealth expansion. The dramatic uptick in telehealth usage in 2020 tempered in 2021 to levels that likely reflect steady future usage as a complementary form of care. Congress and many states are rethinking their respective telehealth policies, although Congress does not necessarily need to pass substantive legislation on telehealth until the COVID-19 public health emergency appears to be winding down. The two major battleground issues on a federal level are whether new or only established Medicare patients can receive telehealth services and whether audio-only telehealth services may be covered. States continue to grapple with telehealth practitioner licensing and reciprocity issues.
Remote monitoring, called by many names (telemetry, remote physiologic monitoring, remote patient monitoring, remote therapeutic monitoring), has been an integral tool for caring for patients outside of facility settings for a long time, and its application has only grown in recent years as better technologies and infrastructure allow more capable monitoring in a patient’s home. The Centers for Medicare & Medicaid Services, the American Medical Association, and various states continue to explore and evolve the use of remote monitoring technologies in concert with developers and stakeholders, but more needs to be done from both an operational and a reimbursement perspective to make remote monitoring a viable, scalable piece of the healthcare continuum.
Further, the prescribing of controlled substances via telehealth technologies is anticipated to be a divisive topic as the pandemic winds down. The special registration provision of the Ryan Haight Act continues to await the US Drug Enforcement Administration’s (DEA’s) proposed implementing regulations, even in the face of mounting pressure from both Congress and the private sector. While the DEA waived certain of the restrictions on controlled substance teleprescribing during the public health emergency, there will be significant pressure to propose and finalize a permanent policy. Telehealth providers in 2022 should look out for movement on this issue, which is particularly critical in the mental health and substance abuse treatment space.
Data breach reporting and security continue to be overarching themes in digital health. With the US Federal Trade Commission’s (FTC’s) September 2021 policy statement regarding the Health Breach Notification Rule (Rule), there is refocused attention on the Rule and its applicability. The FTC’s policy statement makes clear that robust, healthcare-specific breach notification rules apply to companies regardless of whether they are governed by HIPAA or FTC rules.
The FTC had received some criticism for failing to enforce or provide guidance regarding the Rule for more than 10 years after its original issuance. The FTC may be more active in its enforcement to put mobile health app developers and other digital health companies on notice regarding these breach notification requirements.
Certain states’ data privacy laws will take effect in 2023. Assessing their applicability and implementing mechanisms to prepare for compliance will be front of mind for those operating in the digital health space. These specific laws include the California Privacy Rights Act (expanding the California Consumer Privacy Act’s applicability), the Colorado Privacy Act, and the Virginia Consumer Data Privacy Act. While the laws contain certain healthcare-related and/or HIPAA exemptions, these state data privacy laws will generally apply to consumer-facing digital health products.
The development and application of AI in the digital health space will continue to rise, and the FTC will continue its focus on AI technologies. AI has multiple use cases throughout healthcare provider, health plan, and health system enterprises, and with more interoperable and secure data, it is likely to continue to be a desired technology behind analytics, insights, and the decisionmaking processes.
On April 19, 2021, building on its 2020 guidance, the FTC published new guidance focused on how businesses can promote best practices in their use of AI. It was also announced in November 2021 that the FTC had hired additional personnel to work with the FTC’s chief technology officer and technologists as part of an informal AI strategy group to advise on emerging technology issues.
INVESTMENTS IN DIRECT-TO-CONSUMER HEALTHCARE
The 2022 State of Mental Health in America report notes that mental health in the United States continues to worsen as the COVID-19 pandemic continues. In the last few years, there has been a slow but growing acceptance of the importance of mental health, and this has translated to an increased focus on scaling digital mediums that address and treat mental health struggles. This focus on scaling services like text-based therapy apps will continue in 2022, with increased focus on ensuring efficacy and increasing access, particularly for generally underserved communities.
2022 will also likely continue to see the growth of investments in and formation of companies focused on direct-to-consumer healthcare and telemedicine, including investments in IT and data infrastructure that supports such services.
According to the Centers for Disease Control and Prevention (CDC), 6 in 10 adults in the United States have a chronic disease, with 4 in 10 having two or more chronic diseases. As discussed above, telehealth companies are likely to continue to expand to address chronic health issues, such as diabetes, by providing more affordable options to quickly diagnose patients and regularly assist them in managing their chronic conditions. Like direct-to-consumer healthcare and mental health services, this increased focus on using technology and digital mediums to address chronic health will require a focus on improving infrastructure, ensuring efficacy of current technology, and navigating regulatory changes.
FRAUD AND ABUSE
Various actions by the US Department of Justice (DOJ) over the last two years have spurred new concern about the potential for fraud in telehealth and other digital health services. Starting with a National Strikeforce Takedown in September 2020, the DOJ, the US Department of Health and Human Services Office of Inspector General (OIG), and other enforcement agencies have been focusing their efforts on combating fraud in digital health. At the same time, proponents of virtual care solutions have emphasized that fraud in telehealth is no more prevalent than fraud in other care settings.
In 2022, we anticipate additional OIG audits and fraud investigations stemming from the increased use of telehealth services during the COVID-19 public health emergency. In addition, the DOJ recently announced its new Civil Cyber-Fraud Initiative, which seeks to use the False Claims Act to prosecute cybersecurity-related fraud by government contractors and grant recipients.
DIGITAL HEALTH CONTRACTING
In the digital health space, AI, machine learning, and big data will continue to become more essential and pervasive, forcing contracting parties to negotiate some challenging issues.
For example, prior collaborations may have involved circumstances where embedded or integrated software applications were tools designed to achieve particular functionality and meet relatively clear specifications (without requiring any groundbreaking technical achievements). In those circumstances, software developers and partners may have been somewhat interchangeable, the work product may have been pretty easily maintained if a copy of the source code was provided, and the software may not have needed significant modifications over time.
But, where machine learning is the engine behind a new digital health advancement, not all developers, partners, and work product are created equal. In this scenario:
- When (and if and how) certain milestones will be achieved could be more uncertain, in which case developers may be less willing to be paid based on final deliverables.
- The underlying models may be difficult to interpret and explain (i.e., black boxes), and customers and regulators may be skeptical of translation into real-world results.
- Core technology may belong to the original developer, may serve as a platform for wide-ranging applications, and may change over time based on broad use (rather than pursuant to a particular customer’s instructions and requirements).
- Customers—and downstream integrators, users, and patients—will be relying on the original validated commercial product, whereas the nature of a learning system is to change and improve through additional use and data. This tension will require careful planning and coordination of all constituents to enable sufficient flexibility while satisfying regulatory, market, and patient needs.
- Data rights and restrictions will be central (and more nuanced than some software companies may be accustomed to). Strictly limiting upstream data usage solely as necessary to provide the relevant services for the applicable end customer would ignore the reality that data fuels the underlying adaptive technology. But informed consent procedures, and any previously obtained consents, may be difficult to modify in order to fit this new data-driven regime. In a heavily regulated environment, a carte blanche approach could raise red flags.
- Some AI-based platforms could be positioned as marketplaces for third-party add-on applications (app stores associated with particular devices, tests, diagnoses, treatments, fields, etc.).
- Exiting a relationship that is dependent on the original developer may present substantial hurdles, such as (1) ongoing patient care and end use, which may include critical security updates; and (2) potentially recreating or reverse engineering the entire model from scratch.
This shift in dynamic—from a tool that is custom built (or readily available) to a key, opaque, embedded technology—could lead to (1) further strategic investment and acquisition activity in order to integrate and control AI-related research, development, and know-how; and/or (2) heavily negotiated exclusive arrangements in order to maintain a competitive advantage.
LABOR AND COMPLIANCE WITH COVID-19
While there was hope that the COVID-19 pandemic would be in the rearview mirror in 2022, the pandemic will continue to cause significant disruptions for the foreseeable future. With the omicron variant’s record infection rates, companies may face refreshed labor and compliance challenges.
In light of the US Supreme Court’s stay of the OSHA Emergency Temporary Standard (ETS) on vaccination and testing, we expect state laws to fill the void. Already, more than a dozen state legislatures have passed bills aiming to limit an employer’s ability to mandate vaccination or expand the grounds for exemptions. We expect movement on state COVID-19 employment laws in all directions. Some state and local lawmakers will attempt to pass laws like New York City’s recently announced vaccine requirement for private sector employers, and others will try for laws that more closely resemble, for example, Montana’s law prohibiting employers from “discriminating” against employees based on vaccine status.
Already, we have seen more state and local vaccine requirements for healthcare employers as compared to any other industry (for example, in California, District of Columbia, Illinois, Philadelphia, and more). And state and local jurisdictions may be further emboldened by the Supreme Court’s decision finding that the Centers for Medicare & Medicaid Services had the statutory authority to implement its COVID-19 vaccine mandate rule for healthcare workers.
Next, with the rise of the omicron variant and increasing data showing that booster shots can limit infection and transmission, it is likely that booster requirements will be a significant issue in 2022. Recently, the CDC announced that it will focus on persons “staying up to date” with vaccines instead of being “fully vaccinated.” The CDC already incorporated this concept into its new quarantine and isolation guidance, which includes stricter recommendations for individuals who were exposed to COVID-19 and are not “up-to-date” on COVID-19 vaccinations. Employers should watch CDC guidance and state and local laws on boosters closely.
Many businesses delayed reopening in-person operations in 2021 due to the rise of the delta variant and low vaccine rates, among other factors. In 2022, a good number of businesses will reopen in person—some for the first time in two years, and others after several trial attempts. Many businesses will be revisiting the logistics of reopening and developing a wide range of employment and safety policies on topics like remote work, COVID-19 testing, vaccination, staggered shifts, face coverings, contact tracing, screening protocols, travel, sick leave, required accommodations, and guest and visitor protocols.