Jurisdictional challenges facing insurers in the digital health space
A key challenge for insurers operating on a global scale is the myriad of laws that apply in each jurisdiction, with each having unique (and sometimes conflicting) privacy, health, insurance, and data regulations with which to contend in the context of digital health offerings.
For example, how data is exchanged and access to the right to data are crucial to interoperability within the health ecosystem. In the U.S., healthcare privacy regulation in the form of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) applies to much – but not all – of the health ecosystem. Stakeholders must understand whether the data they are seeking to access is inside or outside of HIPAA. In the context of digital tools to assist patients in the healthcare journey, data flows must work smoothly, and insurers need to have the data flows right – and have any requisite permissions to use the data – in order to unlock value in the ecosystem.
In Europe, one key challenge is that insurers are moving from a traditional view as payors to becoming a partner working with regulated industry players or, in some cases, as a provider of healthcare solutions. These dual roles can result in regulatory obligations to which a traditional insurer model may not be accustomed, such as considerations of whether a digital tool qualifies as a “medical device”. In addition, moving beyond merely acting as a payor/facilitator may result in possible liability exposure in areas to which insurance players are unaccustomed. As these lines continue to blur, producers of drugs and medical devices look to move closer to patients, which might generate opportunities for partnerships with insurers but could also generate competition with insurers. Moreover, while insurers are accustomed to operating in highly regulated areas, these borderline issues require early strategic decisions on product and service offerings to avoid unexpected regulatory challenges down the line.
Health regulatory considerations
Despite geographic differences, some regulatory themes are consistent across markets, particularly for insurers interested in integrating their offerings within an existing ecosystem.
In the context of medical devices, the EU and UK perspectives are similar: insurers who are partnering rather than producing should still exercise caution when integrating a telehealth or other online consultation option, as these have a number of technical requirements. In jurisdictions such as France, for example, patients have an absolute right to physician choice, so any system restricting this could be considered in breach of local regulations. Similarly, there are restrictions on drugs and medical devices advertising in EU/UK, where certain types of promotional claims and activities are forbidden. An insurer referring to these products or services, even as part of a larger offering, should consider carefully whether this would rise to the level of “promotion”, possibly running afoul of local requirements. Similarly, claims of early detection are often viewed suspiciously as attempts to promote a product. Notwithstanding, when handled appropriately, insurers could have a role to try to expand these types of offerings.
In the U.S., Food and Drug Administration has recently issued guidance on how to determine whether or not a product is a medical device, as we previously summarized here. Insurers moving into the digital health space may also face unanticipated liability issues, for example in the context of licensing requirements for practicing medicine. Also in the U.S., complex reimbursement considerations can arise in valuing the contribution of digital health technologies, whether in the context of a government or a private payor. Insurers should be prepared to consider non-traditional payment or other incentive models for digital therapeutics, apps, care coordination, and the like, in order to appropriately value the contribution of these services towards enhancing patient care. One challenge, however, is identifying which tools are most efficient to identify which patients are best suited for preventive care to avoid higher costs down the road, thereby bringing better value to the future health ecosystem overall.
Protecting patient privacy
Health privacy laws also reflect a significant cross-border challenge. A first step in assessing compliance is always examining data flows: who is doing what, where data comes from, and how it is being used. While somewhat more straightforward if the data is generated, and only within the U.S., even these transactions are increasingly under scrutiny, as we have recently described here. Our teams work closely together in the context of cross-border data transfers to ensure our stakeholders develop products and processes that are aligned with the various legal requirements. It is generally best practice to evaluate up front what the data flows will be (particularly whether the transfers will be within a single jurisdiction or cross-border) rather than having to retrofit later.
Also on the theme of cross-border data transfers, the EU General Data Protection Regulation (GDPR) provides an additional layer of complexity in the context of sensitive health data, including an additional look at local implementation for health data hosting. Moreover, considerations around “secondary use” of data, such as for research, innovation, policy making, regulatory purposes, and patient safety, are of increasing concern. This is especially worth assessing in the context of the (proposed) European Health Data Space (EHDS), as we have also recently described here.
The role of AI
Artificial intelligence (AI) and machine learning (ML) may help unlock data flows but needs to be managed in a legally compliant and responsible way. The UK medical devices regulator, the Medicines and Healthcare products Regulatory Agency (MHRA), has recently released a Roadmap for regulating AI as a medical device (AIaMD) and software as a medical device (SaMD) as part of its UK Medical Devices Regulations (MDR) reforms. As we have discussed here and here, these principles aim to ensure that regulatory requirements for such devices are clear and streamlined and that the devices are safe and function as intended for patients. The EU is taking a somewhat different approach from the UK whereby some AI will be prohibited and other AI may be deemed “high risk” in the medical devices context under the proposed AI Act, as we have also discussed here.
While insurers can use AI/ML technologies in interesting ways, factors including data quality, user permissions, and permissible uses within the U.S. data rules must be considered. As in other jurisdictions, FDA is also very interested in ensuring that bias is limited and data meets quality and permissible use standards.
Next steps
Insurers, as well as other stakeholders, should be mindful that this is a rapidly changing area, with new developments likely on the horizon within the next one to two years. Stakeholders with tools and projects currently under development should stay on the alert for new regulations, which may necessitate an adaptation of existing project timelines.
Please contact the authors or the Hogan Lovells attorneys with whom you regularly work for guidance on you digital health product needs.
Authored by: John Salmon, Jane Summerfield, Mikael Salmela, Melissa Bianchi
