How life sciences legal teams prepare for a technology-driven future

Advances in healthcare technology create new data flows for life sciences companies, shifting the landscape for legal departments.

In brief

• Advances in technology are changing the healthcare landscape, bringing us one step closer to an intelligent health ecosystem.

• Life sciences companies are seeing new flows of data as products evolve and new ways of measuring patient outcomes emerge.

• Life sciences companies must consider Privacy & Security by Design in early product development due to new advancements.
  

The life sciences industry is just skimming the surface of what emerging technologies like cloud, Artificial Intelligence and machine learning can do and the efficiencies that it will create. The healthcare ecosystem is uniquely positioned to take advantage of this technological evolution due to the large amounts of data it produces, but this also raises new concerns that legal teams at life sciences companies need to be considering.

The industry now has medical devices like inhalers for asthma or knee replacement implants and smart pills that come equipped with remote sensors that can send data back to the patient’s care team about usage habits, therapeutic progress, or the integrity of the device itself. Fifty-eight percent of life sciences executives from all subsectors, including pharma and medical devices, said in EY’s Tech Horizon Survey in April 2022 that data and analytics would likely account for one of their top three investment priorities over the next two years. The expanding universe of the Internet of Medical Things (IoMT), breakthroughs in AI models, and the unprecedented expansion of available health data is fueling new insights and actionable measures along the continuum of care to enable patients and practitioners alike to improve overall health outcomes.

We call this new technologically driven future the Intelligent Health Ecosystem (IHE). A hyperconnected system built on superfluid data flows that can optimize decision-making, enhance outcomes, accelerate access to new innovations and deliver personalized, patient-centric health experiences. Yet, with every new technology, risks and challenges arise that require careful consideration of potential legal and regulatory pitfalls. Advancing IHE solutions will require life sciences organizations to revisit data governance and privacy compliance policies, embed Privacy by Design and Security by Design principles early in product development and proactively engage with patients. consumers, vendors and strategic partners on privacy practices and responsibilities.

New considerations around data privacy

The life sciences sector always had to be mindful of concerns around patient privacy. Growing consumer awareness and concern about the collection and processing of sensitive personal data has spurred new laws, shifting the calculus on what it takes to maintain robust privacy and data governance practices.

Comprehensive consumer privacy laws have either been enacted (for example, California, Virginia, Colorado) or soon will be in nearly a dozen U.S. states, with several laws like the “My Health My Data Act” in Washington state focused specifically on the processing of health data. Requirements vary from state-to-state and can include risk assessments, contractual obligations on third-party data processing, and the patient’s right to access, correct or request deletion of their personal data. This is all on top of the existing regulatory implications of international data privacy laws where cross-border data transfers and data localization requirements may also come into play.

IHE solutions are enabled by a high level of connectivity and speed. As such, applicable privacy compliance and data governance practices may need to be updated to align with these evolving requirements so that, for example, the patient is made aware of what data a remote sensor may be collecting and with whom it will be shared. Interoperable systems that refine raw data into valuable insights need to be kept secure and access controls maintained to minimize disclosures and reduce the risk of compromise. Clear communication of these obligations and training on how to handle them is critical for life sciences organizations to take full advantage of IHE innovations without exposing themselves to unnecessary risk.

Design with privacy and security in mind

A remote sensor that collects and shares a patient’s health data with their care team –whether it be a medical device monitoring movement or a wearable monitoring patient vitals during a drug's clinical trial -- needs to be able to do so quickly and accurately, but also securely. AI solutions that leverage large language models to answer patient questions need to be trained on massive data sets but don’t necessarily require personally identifiable information on an individual level to accomplish that objective. Considerations like this should be addressed by deploying Privacy by Design and Security by Design principles in the early stages of the product development lifecycle and encouraging product teams to engage privacy and security experts on particularly complex issues. Applicable questions to begin with include:

• Does the system/tool allow for data tagging and the creation of relevant metadata?
• Are security measures like encryption, role-based access controls and/or deidentification supported and utilized?
• Can data subject correction/deletion requests be fulfilled quickly and easily?
• How does the system/ tool facilitate the configuration and application of records retention schedules?
• Where applicable, is patient consent made mandatory prior to collecting sensitive health data, and is it just as easy to withdraw consent as it is to provide it?
• Is the flow of health data sufficiently mapped and understood to provide full transparency as to what systems, users, and processing the data goes through when ingested into the system/tool?