Digital Health Care

The digital transformation of our health care systems can feel like a brave new world – with equal promise and risk for pharmaceutical companies. In this chapter we look at how digital trust is a crucial consideration when navigating digital health.

  • Download

Introduction

(Traditional) pharmaceutical companies are accustomed to interacting with patients, doctors, regulators, and payers – most notably in the context of manufacturing small and large molecules and the associated approvals and commercialization of these therapies. But when it comes to digital health, it can still feel like a brave new world. With the increasing emphasis on patient access to technology, such as apps, websites, wearables; personalized treatments; Artificial Intelligence/Machine Learning; virtual clinical trials; and real-world data collection, there is increasing promise – and also risk – for pharmaceutical companies looking to improve both therapeutic outcomes and all user (including patient) experience through these innovative technologies.

Many stakeholders are surprised to learn that the use of software can involve a huge learning curve and raise issues historically associated with the development of medical devices. Moreover, many pharmaceutical companies still struggle with how to fit digital products into their business models and into their overall organization, and face potential challenges on the regulatory and liability aspects associated with this digital transformation.

A key consideration in this context is the trust required in digital systems when managing sensitive patient health data as companies will potentially become the holders of  vast amounts of such data through the development and management of these digital tools and products. It is crucial for stakeholders to uphold ethical standards, maintain patient privacy, and avoid undue influence on treatment decisions to ensure patient trust and protect their well-being. For pharmaceutical companies, a thoughtful approach to implementing digital support across the patient pathway will be an important key to future successes. This will necessarily involve enhancing transparency and trust from the perspective of the patient.

Talking the Cure with Hogan Lovells: Discussing AI in Medical Devices

Listen here
Quote

For pharmaceutical companies, a thoughtful approach to implementing digital support across the patient pathway will be an important key to future successes. This will necessarily involve enhancing transparency and trust from the perspective of the patient.

Quote

Proper data governance processes include internal training on responsible management of health data, robust and up to date policies and appropriate guardrails guiding external relationships where data may need to be shared.

How will pharmaceutical companies and other stakeholders protect sensitive patient health data from privacy and cybersecurity risks? 

 

Aligning expectations

Data usage is driving the future of pharma. The ability to collect, analyze, and use data in new and innovative ways is increasingly essential for developing new treatments, improving patient outcomes, and reducing costs. Moreover, it is nearly impossible to talk about data these days without recognizing the increasing role of AI. The use of AI-enabled systems that collect, store and/or process sensitive personal data, particularly health information, raise important privacy and cybersecurity concerns. In addition, the use of health data beyond traditional clinical development brings forth the possibility of diverse data health projects with varying partner/vendor relationships.

Managing data risks when pharma meets tech

To manage risk appropriately, pharmaceutical companies need to ensure that appropriate data governance processes are in place to secure the data and protect patient privacy. This is true whether or not AI-enabled systems are in place but risks can be heightened, and can present in novel ways, where they are. Proper data governance processes include, at a minimum, internal training on responsible management of health data, robust and up to date policies and appropriate guardrails guiding external relationships where data may need to be shared, with, for example, a third party app developer cooperating in developing a disease care model.

Compliance with health privacy laws can also raise significant challenges of cross-border coordination. Companies must examine their data flows: who is doing what, where the data comes from, and how it is being used. It is generally best practice to evaluate up front what the data flows will be (particularly whether the transfers will be within a single jurisdiction or cross-border) rather than having to retrofit later. Also on the theme of cross-border data transfers, the EU General Data Protection Regulation (GDPR) provides an additional layer of complexity in the context of sensitive health data, including an additional look at local implementation for health data hosting. Moreover, considerations around “secondary use” of data, such as for research, innovation, policy making, regulatory purposes, and patient safety, are of increasing concern. This is especially worth assessing in the context of the (proposed) European Health Data Space (EHDS), as we have also recently described here. Furthermore, when AI is involved, there are additional compliance and governance layers that must be added, and we consider AI more deeply in chapter AI Governance.

Companies should consider:

  • What data is needed to develop and deliver the product/service?
  • What is the source of the data used to develop any algorithms and can the rights be secured to use that data for all of the possible uses the company may well have in the future?
  • What technology access is needed to gain insights from the data?
  • What retention rights are needed in relation to that data, and will these needs change over time as intended uses can evolve?
  • Is there sufficient experience in-house to analyze the data or will it be necessary to work with others?
  • How will data be used by partner(s) and with what limitations?
  • What are the selection criteria for the data?
  • Where will the data be stored and transferred (from where to where) and with what security precautions?
  • Is additional diligence required due to the involvement of an AI-based system?
  • If the resulting software application will be a regulated medical device, what data security features will be required, which standards will apply, what data will need to be generated to demonstrate safety, efficacy and security, and what regulatory authorizations will be needed.
  • Notice and patient consent may also be required to ensure the appropriate levels of data protection as patients engage with, and develop trust in, the evolving digital health ecosystem.

Key recommendations

1

Data usage

Data is essential for developing new treatments, improving patient outcomes, and reducing costs. However, with the advent and usage of AI, expectations must be aligned with data privacy and cybersecurity concerns and the rights that are secured for the use of that data both for development of applications and also as the applications operate in the real world.

2

Staying abreast of legal developments

Stakeholders with projects currently under development must stay on the alert across jurisdictions in this rapidly developing area which cut across a  wide array of legal areas; all of which are evolving. 

3

Stay alert to the challenges of cross-border coordination

Europe’s digital future will be guided by recently implemented regulations – notably the GDPR, Medical Device Regulations (MDR), Data Governance Act (Regulation), NIS2 Directive – but will also be increasingly intwined with other regulations, including under the AI Act, EHDS, and Data Act. While the U.S. and UK are pursuing contrasting (and potentially less prescriptive) approaches, companies should nevertheless be mindful of possible unexpected extraterritorial ramifications of new guidance. This can be especially challenging given the ability of digital services to travel across borders at the blink of an eye.

Key contacts

Melissa Bianchi

Partner

vCard download

Melissa Bianchi

Partner

Fabien Roy

Partner

vCard download

Fabien Roy

Partner

Jodi Scott

Partner

LinkedId vCard download

Jodi Scott

Partner

This website is operated by Hogan Lovells International LLP, whose registered office is at Atlantic House, Holborn Viaduct, London, EC1A 2FG.  For further details of Hogan Lovells International LLP and the international legal practice that comprises Hogan Lovells International LLP, Hogan Lovells US LLP and their affiliated businesses ("Hogan Lovells"), please see our Legal Notices page. © 2024 Hogan Lovells.

Attorney advertising. Prior results do not guarantee a similar outcome.