The life sciences industry is at a critical juncture. Research and development costs for new medicines are rising, while the blockbuster products that historically financed these investments are tumbling off the patent cliff. In 2013, the U.S. FDA approved only 32 new medicines, and that figure has remained relatively stable in recent years. Meanwhile, the healthcare needs of an aging and growing population have soared, and governments under mounting budgetary pressure increasingly demand robust pharmaco-economic results.
These market factors create significant pressure for the life sciences industry but also provide a great opportunity for the development of new business models. Indeed, the life sciences industry is looking for ways to lower the costs of innovation and deliver increased value-for-money by capturing digital opportunities. Pharmaceutical companies who have previously focused on "selling the pill" now find themselves faced with the question how to develop truly integrated patient care "beyond the pill."
Two key trends are transforming the life sciences industry in the digital era: mobile health apps and big data. With technological innovations and opportunities, however, come new legal considerations. These digital trends give rise to a number of questions that pharmaceutical companies will need to answer as they become digital businesses.
mHealth apps are on the rise, rapidly developing from basic well-being and lifestyle applications to more sophisticated diagnostic tools, to such an extent that one could speak of a true mobile health “boom.”
The success of mobile health apps can be explained by two key factors: the huge availability of mobile phones (including in developing countries) and the fact that their technical functionality is particularly well suited for healthcare use. Indeed, by 2017 approximately 3.4 billion people – or half of the world’s population – will own a smartphone, and half of them are expected to use some form of health app. In addition, mobile-specific functions such as built-in sensors and cameras, and their ability to connect with other devices (such as bracelets or watches), enables the collection of an impressive range of body-related, medical and lifestyle information which can be further analysed and correlated.
Mobile health apps have therefore become an essential tool in the movement toward more patient-centric healthcare, facilitating patients’ access to health information anywhere and at any time. They play an important role in increased disease prevention (for example, through a fitness app monitoring patients’ weight, which is an essential factor in the development of chronic cardiac diseases) and patient monitoring (for instance by means of a medication reminder app). In addition, mHealth significantly contributes to more efficient health care (e.g., by permitting remote interventions and reducing unnecessary consultations).
Furthermore, in times of an aging population and increased budgetary pressure in developed countries, the benefits of mobile health apps are likely to result in billions of dollars of healthcare costs savings, while in developing countries mobile apps have become indispensable for ensuring basic access to primary healthcare. The use of mobile technology is therefore believed to have the potential to transform “the face of healthcare” across the globe. Or, to quote the words of U.S. mobile health pioneer Erik Topol, we might soon enter an era where healthcare professionals will be prescribing “a lot more apps than pills.”
However, mobile medical apps have clearly not yet reached their full potential. Tens of thousands of health and wellness apps are available for download from different online stores, though most available apps are focused on a healthy lifestyle (rather than more “medical” functions such as self-diagnosis or treatment monitoring), have limited functionality and do little more than provide information. In addition, the number of downloads for most apps is rather insignificant as patients and healthcare professionals have to navigate a maze of apps with very limited guidance on their quality and reliability. Similarly, app manufacturers lack clear regulatory guidance on their legal classification and applicable requirements.
Indeed, the potential of mHealth will only be fully realized through the increased development of truly “medical” apps with more sophisticated functionalities. Unlike pure lifestyle apps, these medical apps are in principle regulated as medical devices (under the EU Medical Devices Directives), be it as stand-alone (medical) software or as an “accessory” specifically designed to be used together with a medical device (such as an electrocardiogram).
However, to date, app manufacturers have been given only very limited guidance on whether their products must comply with the medical devices rules. In the EU, there are no clear binding rules on the delimitation between lifestyle and well-being apps and apps that are regulated as medical devices. The 2012 EU MEDDEV guidelines on stand-alone software used in healthcare provide a practical (though non-binding) “roadmap” but are not very well tailored to mobile apps and many grey areas still exist.
As a general rule, health apps are regulated as medical devices and will have to comply with the relevant rules if their intended purpose (conform to the labeling, instructions and promotional materials provided by the manufacturer) is the prevention, diagnosis, treatment and/or monitoring of a disease. For example, apps that allow healthcare professionals or patients to calculate a medicine dosage or to make a quick (self) diagnosis are likely to have a medical purpose, while apps which merely store electronic patient records generally fall outside the scope of the medical devices rules (though the ultimate determination is made by the national regulator and can thus vary between different EU member states).
In accordance with the aforementioned guidance, the risk related to the malfunction of a health app is in itself not a criterion for its qualification as a medical device in the EU. On the contrary, the U.S. FDA explicitly adopted a risk-based approach and only regulates health apps that are medical devices and whose functionality could pose a risk to patients’ safety if the app were not to function as intended. Manufacturers therefore have to take into account different rules when developing apps for transatlantic use.
Within the EU, the classification of an app as a (usually class I) medical device requires self-certification by the manufacturer of the health app’s conformity with the essential legal requirements and the affixing of a CE mark. However, it also triggers compliance with important vigilance requirements (such as adverse event reporting) and national promotional rules. Some regulators, for example, take the strict position that comment/rating sections in an app store should be disabled when it concerns an app involving a medicinal product aimed at patients. On the other hand, the classification of an app as a medical device has the advantage of reassuring patients and health care professionals of its quality.
The regulation of mobile apps is currently in flux – as confirmed by the European Commission’s recent summary report on the 2014 Green Paper on Mobile Health and with more and more regulators adopting national guidance – and its evolution is likely to go hand in hand with the increased development of more sophisticated medical apps. Several crucial regulatory issues - most importantly clinical investigations involving mobile medical apps, their potential prescription status, and, last but not least, pricing and reimbursement, which are currently oddly absent in the mobile health debate - are expected to appear on the EU agenda soon and will undoubtedly take mHealth to the next level.
When the printing press was invented in 1439, it took about 50 years to print the same amount of information that had been written in Europe’s history before then. Today, the amount of data doubles roughly every two to three years (the global data supply reached approximately 4.4 zeta bytes in 2013 and is expected to reach 40 ZB by 2020). At the same time, computer processing power doubles every two years. As the amount of data grows and the ability to store, aggregate, combine and analyze that mass of data becomes more accessible and affordable, a universe of new discoveries and more and better predictions opens. This development has become known as “big data.”
Big data can be harnessed in life sciences. One of the first companies to evidence this was Google. During the 2009 H1N1 flu outbreak, Google was able to map the spread of the virus in real time, based on the search terms used by ill people Googling their symptoms. Ironically, it took the U.S. government approximately two weeks to do the same via its network of healthcare professionals.
Big data has lots of potential for life sciences companies because they possess large amounts of data gathered through, among other things, scientific research, clinical trials and electronic health records. Moreover, this data is expected to grow exponentially as a result of mobile health apps, digitalized medical equipment, wearables, cheap DNA sequencing, etc. Analyzing this big data can help facilitate discovery of new medicines and open up new frontiers for improved patient care, ranging from personalized medicine to faster, safer and less expensive clinical trials and innovations. The McKinsey Global Institute estimates that the U.S. healthcare system could save $300 billion a year through the better integration and analysis of data.
Technological innovation ultimately leads to legal modernization. However, until the law catches up with the technology, life sciences companies need to operate within the existing legal framework. This brings about a wide array of legal questions covering different fields, including intellectual property (e.g., how to own and protect the data, the algorithms and the results, how to make sure not to infringe the IP rights of others), competition (e.g., risk of data concentration), anti-discrimination (especially in case of diagnostics and patient profiling), liability for faulty data and outcomes and consumer protection.
However, the main regulatory question mark for life sciences companies exploiting big data or commercializing data for data analytics purposes stems from privacy and data protection regulations, particularly in the EU. Indeed, according to the Article 29 Working Party, the EU’s advisory institute on privacy and data protection, big data poses risks to privacy due to (1) the scale, variety and detail of the data collection involved (including tracking and profiling); (2) the challenge of ensuring security measures keep up with the increased volumes of data; (3) the need for transparency when repurposing the data collection for different purposes; (4) the challenges that scale, variety and detail of data pose for data accuracy; (5) the possible use of data to discriminate; (6) the increased economic imbalance between corporations and consumers; and (7) the increased possibilities of government surveillance.
This list refers to a number of key principles of EU data protection legislation, such as purpose limitation, proportionality, transparency, consent, data quality and the sharing of data. Big data applications – which usually lead to the processing of some form of personal data – need to be assessed in light of these principles. Life sciences companies find themselves in the limelight of both the regulator and the general public (such as patients) as health data are considered sensitive data under EU privacy law.
In the context of big data, purpose limitation is particularly relevant. According to this principle, personal data must be collected and processed for specific, explicit and legitimate purposes and cannot be further processed for purposes incompatible with the original purpose. This principle inherently struggles with the concept of big data in which existing data is aggregated and analyzed in new ways, possibly for incompatible purposes. It is also closely linked to the transparency principle, according to which individuals must be provided with certain information concerning the processing of their personal data (including in particular the purposes of the processing) before the processing takes place. Given that re-informing the individuals of any new purposes is often unfeasible, ensuring compatible use becomes all the more relevant.
In an opinion on purpose limitation, the Article 29 Working Party recognizes that personal data which was gathered previously may also be genuinely useful for other purposes, not initially specified, and that there is value in allowing some degree of additional use “within carefully balanced limits.” However, the principle of purpose limitation requires that in each situation where further use is considered, a careful assessment is made of whether such use is compatible with the original use.
Four key factors should be taken into account when assessing compatibility: (1) the relationship between the specified original purpose and the new data analytics purpose (the closer the relationship, the more likely it is that the new use will be compatible); (2) the context in which the data was collected and the reasonable expectations of the data subject; (3) the nature of the data and the likely impact of data analytics on the individuals (e.g., where sensitive personal data is involved, compatible use becomes less likely); and (4) the safeguards adopted to ensure fairness and to prevent any undue impact on individuals. As such, pseudonymized, a fortiori anonymized, personal data will cause less concern than raw personal data. However, the Article 29 Working Party’s opinion on anonymization sets a high threshold before a set of data can become truly anonymous. This is particularly relevant – and challenging – in the context of the large amounts of clinical trial data collected by life sciences companies.
The EU institutions are currently discussing a new general data protection regulation that will apply uniformly in all Member States and which is intended to bring data protection into the 21st Century. However, the legislative process is advancing slowly due to the different perspectives of industry-friendly governments and MEPs and those supporting the rights of individuals. The new legislation is clearly meant to ensure the adequate protection of privacy in Europe, and will not necessarily make the industry’s life easier. As such, new concepts such as “privacy by design” and higher penalties for data protection breaches are expected. Wait and see.
Filip Van Elsen, partner; Eveline Van Keymeulen, senior associate; Quentin Van Peteghem, associate; and Julie Bossaert, associate, are lawyers with London-based Allen & Overy LLP, a global firm in 32 countries specializing in technology and pharma regulatory law.