On Friday, March 26, 2021, over 180 attendees worldwide attended McKinsey & Company’s first Global HealthTech CEO Connect of 2021. The discussion focused on regulatory and legal considerations for software as a medical device (SaMD) in both the United States and Europe and specific use cases for digital therapeutics and other digital health products. Speakers included Morrison & Foerster partners Bethany Hills and Wolfgang Schönig as well as special guest Corey McCann, president and CEO of Pear Therapeutics, in a fireside chat at the end of the program.
Globally, the convergence of software technology and life sciences creates a massive opportunity for growth, and the market for these products is growing exponentially. Both the U.S. Food and Drug Administration (FDA) and European regulators have focused on establishing a regulatory framework for oversight of SaMD.
After key definitions and concept overviews by the McKinsey team, Bethany Hills set the foundation of the FDA’s evolution in regard to SaMD in the United States and provided insights into the specific pathways impacting digital therapeutics. The FDA has not specifically defined SaMD, instead relying in the guidance documents on the definition provided by the International Medical Device Regulators Forum (IMDRF), which define the term as software intended to be used for one or more medical purposes that perform these purposes without being part of a hardware medical device. In essence, the software must act on its own, and have indications or be intended for the diagnosis, treatment, prevention, or monitoring of a condition. Medical devices in the United States are assigned one of three regulatory classes based on the risk and safety and effectiveness of the device. Most SaMD would fall under Class I or II, which then determines the type of submission required for authorization to market, including the 510(k) and De Novo pathways. Most devices are cleared under the 510(k) pathway; however, that trend is changing more recently, with many de novo submissions and authorizations involving SaMD. Areas to keep a close eye on include FDA’s finalization of its Clinical Decision Support Software Guidance, currently in draft form, and the Pre-Certification Pilot Program that could significantly impact SaMD if implemented outside the pilot program, by providing a faster, more efficient pathway to FDA authorization. The FDA does not make reimbursement-related decisions, however, a recent CMS Final Rule creates the Medicare Coverage of Innovative Technology (MCIT) pathway that will result in four years of national Medicare coverage starting on the date of the FDA’s market authorization of a device holding a Breakthrough Device Designation.
Providing the European perspective, Wolfgang took the stage to discuss the EU’s current regulatory landscape, and reimbursement for Digital Health Apps in Germany. The EU Medical Device Directive (MDD) will soon be replaced, effective May 26, 2021, by the EU Medical Device Regulation (MDR), directly applicable across the EU and significantly stricter for medical device software (MDSW) in three areas: prediction and prognosis applications, impact on the Class I categorization, and enhanced quality and safety requirements. After a review of the MDSW classifications and key changes to the Quality Management Systems, including more stringent requirements for Post-Market Surveillance activities, additional responsibilities along the supply chain, and stricter timeframes for document retention and incident reporting, the discussion turned to Unique Device Identification, which aims to enhance the effectiveness of post-market safety-related activities and traceability. Finally, the discussion focused on the application requirements for low risk apps (Class I or IIa) to receive reimbursement in Germany per the regulation on the Eligibility of Digital Health Applications for Reimbursement by the State Health Schemes (DiGAV), including certain interoperability requirements with the Electronic Patient File system, data protection requirements, and positive healthcare effects to be shown.
Below are some highlights from the Q&A:
1. Are there exceptions for software developed in a research setting/environment?
a. In the United States, a software product can be used in a research and development setting without requiring the FDA’s authorization. However, there are nuances if the research setting involves human subjects.
b. In the EU, the MDR generally applies to SaMD that is made available to others, including in a research setting. Yet, one important exception allows for the in-house development and use of SaMD in health institutions with only limited regulation (Article 5(5) MDR). The requirements to fulfill in order to benefit from this exception are rather strict. Most notably, they include that the specific needs for the targeted treatment cannot be met by any equivalent device on the market and that the SaMD is not transferred to another legal entity.
2. Is there different regulatory treatment if the use of the medical device is for healthcare providers only vs. patients?
a. In the United States, the answer depends on the category of the SaMD. For example, Clinical Decision Support software has different standards applied for provider users v. patient users.
b. The MDR in the EU does not expressly distinguish between groups of end-users; however, some regulatory requirements can make differentiated measures necessary. For example, instructions for use under certain circumstances may be delivered to professionals in electronic form while non-professional users can demand a printed version. Additionally, member states of the EU can decide that the instructions must be delivered in a certain language. In this regard, Germany requires documents to be in German for non-professional users but deems English instructions sufficient for professional users.
3. What are some of the reimbursement options for SaMD companies?
a. Reimbursement options and pathways seem elusive for SaMD companies, although there does seem to be an evolving path for the category of digital therapeutics.
b. In the EU, reimbursement options for SaMD are not harmonized, i.e., each member state has established its own rules on the matter. This means, that the requirements to qualify for reimbursement differ significantly from country to country. Since the COVID-19 pandemic has seriously boosted the acceptance and demand for digital health products, some member states are currently revisiting their frameworks for reimbursement for SaMD. Germany, for instance, has enacted the DiGAV under which certain low risk apps (Class I or IIa) can receive reimbursement (see above and here).
4. What are the implications of GDPR on SaMD regulation in Europe? Among other issues to consider, the GDPR sets up restrictions for transfers of personal data from within the European Union to a country outside the EU. Please note that the meaning of “transfer” is understood quite broadly, and includes situations in which personal data becomes accessible to a third party, even if such third party does not actually access the data. Cross-border data transfers require a so-called transfer mechanism, which can usually be an adequacy decision by the European Commission for a particular country, EU model clauses, or binding corporate rules. Following the judgment of the European Court of Justice in the case “Schrems II,” in which the Court invalidated the EU-U.S. Privacy Shield, transfers to the United States have become particularly onerous to facilitate. Furthermore, EU member states may have introduced additional restrictions for transfers in the context of SaMD. For example, in Germany under the DiGAV, data transfers to the United States or any other non-EU country without an adequacy decision by the EU Commission is generally impossible. However, the German Federal Institute for Drugs and Medical Devices has issued guidance explaining under which circumstances it may be possible to use EU subsidiaries with parent companies in non-EU countries. More information is available here. Please note, however, that this topic is hotly debated and far from settled.
5. How critical is HIPAA for companies in the U.S. market? HIPAA is a critical set of federal standards for privacy and security of protected health information. However, HIPAA is only one piece of the patchwork of privacy and security laws in the United States spanning federal and state requirements that could be applicable to SaMD.
MoFo Life Sciences also features a six-part blog series discussing software as a medical device in Europe and the current regulatory landscape in more detail. Catch-up on parts 1-5 below and subscribe to our blog to receive the latest updates.