Female scientist discussing results of experiment with male colleague

How life sciences legal teams prepare for a technology-driven future

5 minute read 29 Mar 2024
Related topics
Life sciences
Tax
Law

Advances in healthcare technology create new data flows for life sciences companies, shifting the landscape for legal departments.

In brief

  • Advances in technology are changing the healthcare landscape, bringing us one step closer to an intelligent health ecosystem.
  • Life sciences companies are seeing new flows of data as products evolve and new ways of measuring patient outcomes emerge.
  • Life sciences companies must consider Privacy & Security by Design in early product development due to new advancements.

The life sciences industry is just skimming the surface of what emerging technologies like cloud, Artificial Intelligence and machine learning can do and the efficiencies that it will create. The healthcare ecosystem is uniquely positioned to take advantage of this technological evolution due to the large amounts of data it produces, but this also raises new concerns that legal teams at life sciences companies need to be considering.

The industry now has medical devices like inhalers for asthma or knee replacement implants and smart pills that come equipped with remote sensors that can send data back to the patient’s care team about usage habits, therapeutic progress, or the integrity of the device itself. Fifty-eight percent of life sciences executives from all subsectors, including pharma and medical devices, said in EY’s Tech Horizon Survey in April 2022 that data and analytics would likely account for one of their top three investment priorities over the next two years. The expanding universe of the Internet of Medical Things (IoMT), breakthroughs in AI models, and the unprecedented expansion of available health data is fueling new insights and actionable measures along the continuum of care to enable patients and practitioners alike to improve overall health outcomes.

We call this new technologically driven future the Intelligent Health Ecosystem (IHE). A hyperconnected system built on superfluid data flows that can optimize decision-making, enhance outcomes, accelerate access to new innovations and deliver personalized, patient-centric health experiences. Yet, with every new technology, risks and challenges arise that require careful consideration of potential legal and regulatory pitfalls. Advancing IHE solutions will require life sciences organizations to revisit data governance and privacy compliance policies, embed Privacy by Design and Security by Design principles early in product development and proactively engage with patients. consumers, vendors and strategic partners on privacy practices and responsibilities.

New considerations around data privacy

The life sciences sector always had to be mindful of concerns around patient privacy. Growing consumer awareness and concern about the collection and processing of sensitive personal data has spurred new laws, shifting the calculus on what it takes to maintain robust privacy and data governance practices.

Comprehensive consumer privacy laws have either been enacted (for example, California, Virginia, Colorado) or soon will be in nearly a dozen U.S. states, with several laws like the “My Health My Data Act” in Washington state focused specifically on the processing of health data. Requirements vary from state-to-state and can include risk assessments, contractual obligations on third-party data processing, and the patient’s right to access, correct or request deletion of their personal data. This is all on top of the existing regulatory implications of international data privacy laws where cross-border data transfers and data localization requirements may also come into play.

IHE solutions are enabled by a high level of connectivity and speed. As such, applicable privacy compliance and data governance practices may need to be updated to align with these evolving requirements so that, for example, the patient is made aware of what data a remote sensor may be collecting and with whom it will be shared. Interoperable systems that refine raw data into valuable insights need to be kept secure and access controls maintained to minimize disclosures and reduce the risk of compromise. Clear communication of these obligations and training on how to handle them is critical for life sciences organizations to take full advantage of IHE innovations without exposing themselves to unnecessary risk.

Design with privacy and security in mind

A remote sensor that collects and shares a patient’s health data with their care team –whether it be a medical device monitoring movement or a wearable monitoring patient vitals during a drug's clinical trial -- needs to be able to do so quickly and accurately, but also securely. AI solutions that leverage large language models to answer patient questions need to be trained on massive data sets but don’t necessarily require personally identifiable information on an individual level to accomplish that objective. Considerations like this should be addressed by deploying Privacy by Design and Security by Design principles in the early stages of the product development lifecycle and encouraging product teams to engage privacy and security experts on particularly complex issues. Applicable questions to begin with include:

  • Does the system/tool allow for data tagging and the creation of relevant metadata?
  • Are security measures like encryption, role-based access controls and/or deidentification supported and utilized?
  • Can data subject correction/deletion requests be fulfilled quickly and easily?
  • How does the system/ tool facilitate the configuration and application of records retention schedules?
  • Where applicable, is patient consent made mandatory prior to collecting sensitive health data, and is it just as easy to withdraw consent as it is to provide it?
  • Is the flow of health data sufficiently mapped and understood to provide full transparency as to what systems, users, and processing the data goes through when ingested into the system/tool?

How EY can Help

  •  Legal Managed Services

    The EY Legal Managed Services team can help address contracting, regulatory compliance, entity governance and legal operations challenges. Learn more.

    Read more

Establishing trust as a policy

Often, health data is accompanied by other types of information like socioeconomic factors, demographics, and behavioral data that, when combined, can become identifiable. Pharmaceutical manufacturers and other life sciences organizations must think beyond what they can do with such data to what they should do to maintain patient and consumer trust. IHE solutions may present remarkable potential, but transparency and clarity about how those solutions process this data is critical to preserving the trust required to bring these solutions to scale.

 

Moreover, life sciences organizations across the care continuum continue to be a top target for cyber criminals, and even an errant email can expose them to legal, financial, and reputational risk. Healthcare organizations were in the top three most attacked industries in 2022, according to CheckPoint Research, with an increase of 86% year-over-year in cyberattacks on healthcare organizations (more than 1410 attacks per week). As IHE solutions rely upon increased interoperability, all stakeholders in the ecosystem need to be properly vetted and maintain appropriate privacy and security standards, as the weakest link can lead to disaster for all involved.

   

Prepare for, and prevent, disaster by reviewing and revising any policies related to business continuity and incident response. Staff training – at all levels – and communications around privacy and data protection topics should be occurring on a regular basis. Contracts with third parties like suppliers, and even providers of cloud services, analytic services, and software development, should include specifics around data processes and protections. As would be normal practice internally, legal departments should specify how data should be handled and who can have access to that data.

 

Four things pharmaceutical companies should be doing now

Some key steps the legal department at any life sciences organizations should be thinking about:

  • Patient consent agreements should be periodically reviewed and updated.
  • Specify how data should be handled, where it should be stored/for how long, and who can access it.
  • Make sure all data is being handled in compliance with local, national, and international standards.
  • Embed Privacy by Design and Security by Design principles early in the development of new products, as well as across the continuum of care.

This article was originally published in Law360

Summary

Ultimately, when introducing new technology into your organization, companies should go beyond asking whether they can utilize it and ask themselves whether they should be. Setting a higher standard for data privacy and protection will not only go a long way with regulators, but will ensure consumer trust, setting the company up for greater success and lower risk.

Related articles

What pharma supply chain transformation means for tax

Businesses looking to create visibility and resilience in their supply chains must loop in tax and transfer pricing teams early in the process. Learn more.

Ana Maria Romero

How digital is changing the tax strategy for MedTech

As MedTech companies make substantial investments in digital technology, there are important tax implications that should be addressed. Learn more.

Ana Maria Romero + 2

Why life sciences tax departments need to act now on sustainability

Life sciences organizations should consider tax liabilities and compliance obligations resulting from myriad new sustainability taxes. Learn more.

Rick Fonte + 2

    EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.