
13 posts categorized "Medical Devices"

January 30, 2015

Privacy and Security and the Internet of Things

"Only Connect"

In the future, everything will be connected.

That future is almost here.

Over a year ago, the Federal Trade Commission held an Internet of Things workshop and it has finally issued a report summarizing comments and recommendations that came out of that conclave.

As in the case of the HITECH Act's attempt to increase public confidence in electronic health records by ramping up privacy and security protections for health data, the IoT report -- and an accompanying publication with recommendations to industry regarding taking a risk-based approach to development, adhering to industry best practices (encryption, authentication, etc.) -- seeks to increase the public's confidence, but is doing it the FTC way: no actual rules, just guidance that can be used later by the FTC in enforcement cases. The FTC can take action against an entity that engages in unfair or deceptive business practices, but such practices are defined by case law (administrative and judicial), not regulations, thus creating the U.S. Supreme Court and pornography conundrum -- I can't define it, but I know it when I see it (see Justice Stewart's timeless concurring opinion in Jacobellis v. Ohio).


October 14, 2014

Apple HealthKit - Epic Integration at Ochsner Health System - David Harlow Interviews Dr. Richard Milani

The first health system to announce that it had integrated HealthKit into its Epic EHR is Ochsner Health System in Louisiana. It is a 12-hospital, 40-clinic operation with over 900 physicians. I spoke recently with Dr. Richard Milani, Ochsner's Chief Clinical Transformation Officer. He was enthusiastic about the improvements in clinical outcomes realized to date through homegrown integrations of things like Withings scales, and sees significant expanded potential using the Epic-HealthKit integration including dissemination of data to clinicians for more efficient and effective management of care and presentation of data to patients in a way that may motivate behavior change to improve health status.


June 17, 2014

FDA continues to detail types of mHealth apps it will not regulate

Since issuing its mobile medical applications guidance, the FDA has offered a number of clarifying statements, intended to give the regulated community a clearer idea of whether and when to expect any particular mHealth application to be considered a device.

Last week, the FDA added a category of applications with respect to which it intends to "exercise enforcement discretion" (i.e., not regulate):

  • Mobile apps that allow a user to collect, log, track and trend data such as blood glucose, blood pressure, heart rate, weight or other data from a device to eventually share with a health care provider, or upload it to an online (cloud) database, personal or electronic health record. [Added June 11, 2014].


April 23, 2014

HIPAA Marketing Rule Guidance: Better Than Nothing

The HITECH Act made some significant changes to the HIPAA Privacy Rule, updating some provisions and increasing protections for individuals. Improvement of regulatory schemes that are a little long in the tooth is laudable, since technical and societal changes, of necessity, make for a perpetual game of catch-up. However, it is a challenge for regulators to pick the right battles to fight, and the challenge is made that much more difficult to navigate when, as in the case of the HITECH Act, Congress gets into the weeds with extremely detailed statutory language, thus limiting the regulators' range of discretion. Since it is often difficult for Congress to act, and even more difficult for it to act rationally, the detailed language of the HITECH Act hamstrings the regulators and the regulated community.


April 07, 2014

FDASIA Health IT Report Issued; Comments Welcomed on Three-Agency Approach

The FDA, the FCC and ONC issued a long-awaited joint report with a proposed strategy and recommendations for a risk-based framework for regulation of Health IT.

The report identifies four key priority areas and outlines next steps to take in each area:  

I. Promote the Use of Quality Management
II. Identify, Develop, and Adopt Standards and Best Practices;
III. Leverage Conformity Assessment Tools; and
IV. Create an Environment of Learning and Continual Improvement

This report should be read together with the FDA framework for regulation of mobile medical applications which was supposedly up in the air pending release of this report. It now seems that they are directed at related, but different, parts of the ecosystem. Both are part of a bigger story, including pending legislation.


December 11, 2013

Digital Health: Apps, Analytics & Agencies

I spoke yesterday at the Massachusetts Bar Association's "Hot Topics in Healthcare" program. (Webcast live, and available behind a paywall at the link.)

Here are my slides:


October 30, 2013

Mobile Health Apps: Pass the Secret Sauce

The IMS Institute for Healthcare Informatics released a report on the ecosystem bloody mess of 40,000+ mobile health apps that are available today. Hat tip to Jane Sarasohn-Kahn for writing about it today at Health Populi.

From the executive summary:

Over time, the app maturity model will see apps progress from being recommended on an ad hoc basis by individual physicians, to systematic use in healthcare, and ultimately to an end goal of being a fully integrated component of healthcare management. There are four key steps to move through on this process: recognition by payers and providers of the role that apps can play in healthcare; security and privacy guidelines and assurances being put in place between providers, patients and app developers; systematic curation and evaluation of apps that can provide both physicians and patients with useful summarized content about apps that can aid decision-making regarding their appropriate use; and integration of apps with other aspects of patient care. Underpinning all of this will be the generation of credible evidence of value derived from the use of apps that will demonstrate the nature and magnitude of behavioral changes or improved health outcomes.

(Emphasis supplied.)

We are nowhere near this endpoint -- integration of the use of health apps into health care management -- right now, due to a number of factors.


May 06, 2013

Massively Open Online Medicine: Bad Idea or Just Before Its Time?

The new darling of the online educational community is Massively Open Online Courses (MOOCs). The example which figures most prominently in the popular imagination is the Khan Academy, though its founder says otherwise, noting that MOOCs are merely online transplantations of traditional courses, while Khan Academy offers something different.

Others would take issue with his conclusion, or characterization. A "connectivist" MOOC is based on four principles:

  • Aggregation. The whole point of a connectivist MOOC is to provide a starting point for a massive amount of content to be produced in different places online, which is later aggregated as a newsletter or a web page accessible to participants on a regular basis. This is in contrast to traditional courses, where the content is prepared ahead of time.
  • Remixing, that is, associating materials created within the course with each other and with materials elsewhere.
  • Re-purposing of aggregated and remixed materials to suit the goals of each participant.
  • Feeding forward, sharing of re-purposed ideas and content with other participants and the rest of the world.

Sounds great, but is it working? Can it work? A piece in the current issue of The Washington Monthly took a look and concluded:

Given the current 90 percent dropout rate in most MOOCs, an 8-point gap in completion rates between traditional and online courses offered by community colleges, the 6.5 percent graduation rate even at the respected Western Governors University, and the ambiguity of many other higher education reform ideas, there’s good reason to think that an unbound future might not be so great.

The best American innovations in education were the Land-Grant College Act of 1862, which helped create a system of public universities, and the GI Bill of 1944, which ensured that an entire generation had the money to attend college. This widespread access to the college experience enabled people from working-class backgrounds to advance en masse into professional jobs that required reasoning and logic and extensive knowledge of the world. The question is whether or not we will continue this trend or simply give up and say that a few online classes and specialized training are good enough for the majority of Americans.

In other words: Democratization of higher education - good; MOOCs - not so much.

Why is this relevant to you, gentle reader?

The question is whether the promise of MOOCs, or their inability to deliver, will characterize MOOM -- Eric Topol's neologism, "Massively Open Online Medicine," used in his HIMSS 2013 keynote.

In health care, a perfect implementation of big data and data analytics, combined with open access for clinicians and patients, would yield a success in MOOM along the lines of a connectivist MOOC.

We are not there yet, but Topol (who, by the way, has joined me and a growing number of others as a member of The Walking Gallery, dedicated to the very relevant themes of patient empowerment and data liberation ... see his jacket, Bursting from Within and mine, Friendship Pins) continues to call for a move to population health practiced based on individualized information, which would tend to rely on a population of quantified self adherents and e-patients. Unfortunately, at present these are vanguard groups, the minority blazing the way for the majority. There are numerous initiatives afoot seeking to leverage big data, analytics and the health care system to provide population health (a more traditional example: the Accountable Care Organization). Indeed, the future probably holds an even more radical shift away from the health care delivery system as we know it today (Topol spreads the meme of 80% of physicians not being needed in the future) with home-based and wearable sensors replacing much of the current way of practicing diagnostic medicine.

Given the FDA's recent smoke signals about mHealth guidance being issued in the near future, perhaps that future is in fact inching closer, but it seems to me that it will take some time before the democratization of medicine, or health care, or health can truly take hold. The current health care data privacy and security rules -- like so many regulatory constructs -- are designed to fight the last war, not for the current field of maneuver. Technology, delivery systems and rules all need to change before real improvement can bloom. Just as in the case of education there remains a high value in traditional higher education that has not yet been replicated in the MOOCs, MOOM has not yet delivered on its promise.

Here's hoping we don't have to wait as long as the time between the land grant college act and the GI Bill.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

December 03, 2012

Gimme My Damn Data - The ICD Edition

The latest news story to examine the issue of patient access to implantable cardiac defibrillator data (a variation on the theme of “gimme my damn data”) is an in-depth, Page One Wall Street Journal story featuring Society for Participatory Medicine members Amanda Hubbard and Hugo Campos. They have garnered attention in the past – one example is another piece on Hugo on the NPR Shots blog about six months back. The question posed by these individuals is simple — May I have access to the data collected and/or generated by the medical device implanted in my body? — but the responses to the question have been anything but. It is important to note that not every patient in Amanda’s or Hugo’s shoes would want the data in as detailed a format as they are seeking to obtain, and we should not impose the values of a data-hungry Quantified Self devotee on every similarly-situated patient. Different strokes for different folks.

The point is that if a patient wants access to this data he or she should be able to get it. What can a patient do with this data? For one thing: correlate activities with effects (one example given by Hugo is his correlation of having a drink of scotch with the onset of an arrhythmia — correlated through manual recordkeeping — which led him to give up scotch) and thereby have the ability to manage one’s condition more proactively.

We can get copies of our medical records from health care professionals and facilities within 30 days under HIPAA — and within just a few days if our providers are meaningful users of certified electronic health records (it ought to be quicker than that … some day). In some states now, and in all states sometime soon (we hope), we can get copies of our lab results as soon as they are available to our clinicians.

Data from implantable medical devices is not covered by HIPAA until it is sent to the patient’s physician (on a periodic basis and usually in edited form — other data is typically retained by the device manufacturer) and entered into the patient’s medical record. It is, rather, governed by FDA rules, and the recent attention to this issue has prompted an FDA spokesperson to say that it would review a plan to give data directly to patients, but that data should be directed to physicians who can interpret it for patients. This is where the action will be in the future: the FDA could develop a framework to allow sharing of this data directly with patients. (The data is collected wirelessly in patients’ homes from the implantable devices.)

Not surprisingly, earlier this year, a Medtronic exec referred to the data in question here as “the currency of the future.” There is clearly a market for the secondary use of patient data — on a de-identified, or anonymized basis — for a variety of purposes, and this is the “big data” we are all hearing about so much lately. (The HIPAA enforcers at HHS recently released guidance on the de-identification of patient data for secondary use — i.e., use for research purposes.) There is value to be extracted from big data, and the question is: Who owns the value? Who owns the data? Suffering as I do from the professional disability of being a lawyer, I am reminded of Moore v. Regents of the University of California, the 1990 California Supreme Court case that found that Mr. Moore, a cancer patient who sought to share in the profits for the commercial cell line developed from cancer cells in a tumor removed from his body, had no property rights in his discarded body parts. Moore could perhaps be read to support the device manufacturers’ perspective that there is no value in the data coming from the implantable device until it is processed by the manufacturer.

Another perspective would be that each patient has a property right in the data generated by his or her body or implants. There have been a couple of discussions on and elsewhere about the notion of a “green button” or a “rainbow button” that would serve as a mechanism for patients to decide how to share their own data (in those cases, the discussion was focused on EHR data, but the principles ought to be the same here). If I want to share my EHR or device data with all, so that it may be aggregated with other patient data and used in research and the development of evidence-based medicine protocols, then I should be able to do so.  If I want to donate that data gratis, or if I want to see a small license payment collected by an intermediary (a la the Copyright Clearance Center), if I want to permit it to be used with full identifiers, or as a de-identified record, I should be able to do that.

The quest of patients with implanted devices to gain rights to data should not have to be so quixotic. The information in question is subject to a different regulatory scheme than EHR data, but that is an accident of history, technology and politics.  There is no fundamental distinction between a series of MRI images, or a blood test result, and a set of data downloaded from an implantable medical device.

It is possible that we have turned a corner on this issue. It is far from resolved, but the FDA is addressing it — or at least acknowledging it — publicly.

How close are we to resolving this issue? What obstacles do you see ahead? What other sorts of data have remained inaccessible to patients? Where is the next battlefield?

This post first appeared on, the blog of the Society for Participatory Medicine. I chair the Society's public policy committee.


March 13, 2009

Massachusetts Code of Conduct finalized for Pharma, device manufacturers, health care providers

The code of conduct adopted in Massachusetts is the most restrictive set of rules in the nation, crows the Department of Public Health, and mutters the industry.  The final MA pharma and medical device conflict of interest rule is posted on the DPH website, together with related comments, memos and presentations.  In brief, the rule "sets out what is and is not permissible for pharmaceutical and medical device manufacturers with respect to providing meals, sponsoring continuing medical education and other conferences, and otherwise providing payments or other items of economic benefit to Massachusetts health care practitioners."

Some fear the new regulations will lead to a drop in medical conferences held in Massachusetts, further battering the local economy.

Some wonder whether they would have helped nip in the bud past medical research fraud (probably not).

So what do they do?  They implement part of the Massachusetts health reform law, part 2, so much of the commentary ought to have been (and was) directed at the legislature a while back, before it took action, and not at DPH, which is essentially just implementing the legislation.  The rules build on PhRMA and AdvaMed codes of conduct, but do go a wee bit further.  In DPH legalese:

Chapter 111N and 105 CMR 970.000 regulate pharmaceutical and medical device manufacturer conduct in three ways, requiring pharmaceutical and medical device manufacturers to:  (1) adopt and comply with a state-authored code of conduct, (2) provide compliance information to the Department, and (3) disclose sales and marketing related payments to covered recipients. Sections 970.006-970.008 of the Department’s proposed regulations set out what is and is not permissible for pharmaceutical and medical device manufacturers with respect to providing meals, sponsoring continuing medical education and other conferences, and otherwise providing payments or other items of economic benefit to Massachusetts health care practitioners.  Additionally, the Department’s proposed regulation outlines the statutory compliance directives in Section 970.005 and interprets the contours of the disclosure requirements for pharmaceutical and medical device manufacturers in Section 970.009.  Finally, the Department’s proposed regulation reiterates the penalties outlined in Chapter 111N and provides procedures for enforcing the code of conduct, compliance and disclosure requirements of 105 CMR 970.000.  The Department’s proposed regulations seek to address potential undue influence in interactions between pharmaceutical or medical device manufacturing companies and health care practitioners, and increase transparency with respect to such relationships without compromising Massachusetts health care consumers’ access to clinical trials and new discoveries and treatments arising from legitimate and beneficial industry interactions with health care practitioners.

See the final reg hotlink above for the full memo, FAQs, the full text of the regs, a presentation outlining the regs and comparing them with other states' regs, etc.

There's a lot to digest here.  Bottom line: Massachusetts may be in the vanguard on this front, but the industry and the rest of the nation will be following right along, as the pendulum swings to the pro-regulatory mindset.  There is less and less stomach in Washington and on Main Street for anything that even smells of financial impropriety, and the national imperative to get health care costs in check will likely fuel further action on this front. 
