In brief: In September 2024, Texas’ Attorney General announced a “first-of-its-kind” settlement with a healthcare generative artificial intelligence (“Gen AI”) company over what it said were “false, misleading, or deceptive” Gen AI products that aid physicians and medical staff in drafting clinical notes and charts. Per the Attorney General, the Company’s advertised hallucination rate was “very likely inaccurate” which “may have deceived hospitals about the accuracy and safety of the Company’s products.” The settlement provides…
So far this year, three US states have passed laws with specific obligations related to consumer health privacy law: Washington, Connecticut, and Nevada. When it comes to California, the omnibus California Consumer Privacy Act (CCPA) also applies to the processing of health information. But, if the sectoral Confidentiality of Medical Information Act (CMIA) applies and is complied with, CMIA, and not the CCPA, applies. Most companies that do business in California are subject to CMIA,…
With the new Washington state My Health My Data Act, you may wonder if any exceptions or exemptions apply to your organization (for an overview of the law, see here). As a reminder, the definition of consumer health data is broad: “personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status” (the definition includes as an enumerated example any information…
Nevada Senate Bill 370 is the third US state law passed this year with specific obligations related to consumer health privacy. Just as with most obligations under the similar Washington state My Health My Data Act (summary here), regulated entities are required to comply with the Nevada law from March 31, 2024. Obligations specific to entities processing consumer health data have been operative in Connecticut since July 1, 2023 (summary here). The Nevada law is…
The Connecticut Data Privacy Act (CTDPA) has been operative since July 1, 2023, and so have certain amendments that were signed into law as recently as June 26th, 2023. The amendments focus on protecting consumer health data and protecting minors, with additional consumer health data protections already operative but with some obligations related to minors becoming operative mid to late 2024. Additional Obligations for Processing Consumer Health Data: As other omnibus US state privacy laws, the…
Legislative activity in the U.S. state of Washington continues this year with numerous bills being considered. Businesses that process health data should follow the process of House bill 1155 (the My Health, My Data Act), which has been amended once and was approved in the House Committee on Civil Rights & Judiciary hearing on February 3, 2023. Who and what data are protected? The My Health, My Data Act protects as “consumers” Washington residents and…
In Fall 2022, the Office of the Privacy Commissioner of Canada (OPC) published a study it had funded on the privacy implications of direct-to-patient commercial virtual care platforms (VCPs) in Canada, technologies that allow healthcare practitioners to provide healthcare services to patients remotely. While the study does not constitute binding law or guidance, it is nonetheless noteworthy for operators of VCPs because (1) it identifies practices by commercial operators that the study describes as problematic…
The NHS’s New Data Sharing Agreement: NHSX has published a new Data Sharing Agreement (DSA) template. The template is a great tool for companies collaborating with NHS organisations to access and use data for R&D, and for companies which access and use data as part of their provision of services to the NHS. We’ve set out our top 5 takeaways below: What’s in a name? Data Sharing Agreement is a misnomer – this is not…
Patient registries are where big data meets new and exciting regulatory opportunities in pharma, and regulators are keen to address the gaps between regulation and innovation in this space. The European Medicines Agency (EMA) has published new draft guidelines on registry-based studies (Guidelines) for a three-month public consultation period. The Guidelines make the case for optimising the use of registry-based studies as a source of real-world evidence. The new Guidelines will be an essential tool…
Delay of MDR Implementation and its Implications for Brexit: The recent postponement of the Medical Device Regulation 2017/745 (“MDR”) means its full application will now fall beyond the end of the Brexit transition period. This could have a huge impact on the UK’s legal framework for medical device regulation after Brexit. Background: The MDR repeals the existing Medical Device Directive 94/32/EEC (“MDD”). The MDR came into force on 25 May 2017, and originally, approved medical…