On 1 July 2024, Germany has enacted stricter requirements for the processing of health data when using cloud-computing services. The new Section 393 SGB V aims to establish a uniform standard for the use of cloud-computing services in the statutory healthcare system which covers around 90% of the German population. In this blog post, we describe the specific
Privacy & Data Security
The New Italian Sunshine Act: What Companies Should Know And How To Get Ready
On 31 May 2022, the Italian Parliament approved Law 62/2022, also known as the Sunshine Act. The Sunshine Act entered into force on 26 June 2022. However, it will become fully enforceable once the Ministry of Health sets up the Public Register where companies will have to disclose their data and issues the necessary implementing acts. This means that realistically the new transparency system will not be operational before 2023. Nonetheless, it is critical that companies operating in Italy make sure that they are ready when the time comes. Here, we outline some of the key features of the new Sunshine Act and the steps that companies could take in preparation.Continue Reading The New Italian Sunshine Act: What Companies Should Know And How To Get Ready
Major Cyber-Attack on Irish Health System Causes Commercial Concern
On May 20, 2021 there was a major ransomware attack on the Irish health system. The centralized HSE (Health Service Executive) which provides and manages healthcare for the Irish population was targeted on May 14, and has seen significant disruption since. It has described the attack as a ‘zero-day threat with a brand new variant of the Conti ransomware.’
Continue Reading Major Cyber-Attack on Irish Health System Causes Commercial Concern
Proposed New EU Cyber Rules Introduce More Onerous Requirements and Extend to More Sectors
In addition to releasing the new EU Cybersecurity Strategy before the holidays (see our post here), the Commission published a revised Directive on measures for high common level of cybersecurity across the Union (“NIS2”) and a Directive on the resilience of critical entities (“Critical Entities Resilience Directive”). In this blog post, we summarize key points relating to NIS2, including more onerous security and incident reporting requirements; extending requirements to companies in the food, pharma, medical device, and chemical sectors, among others; and increased powers for regulators, including the ability to impose multi-million Euro fines.
The Commission is seeking feedback on NIS2 and the Critical Entities Resilience Directive, and recently extended its original deadline of early February to March 11, 2021 (responses can be submitted here and here).
Continue Reading Proposed New EU Cyber Rules Introduce More Onerous Requirements and Extend to More Sectors
Germany Prepares New Law for Patient Data Protection and Increased Digitalisation in Healthcare and for “Data Donations” for Research Purposes
On 3 July 2020, the German parliament passed a draft bill (German language) for patient data protection and for more digitalisation in the German healthcare system (Patientendaten-Schutz-Gesetz). The draft bill is currently in the legislative procedure and is expected to enter into force in autumn 2020.
One of the main objectives of the…
European Commission publishes Strategic Forum’s recommendations on Smart Health
On November 5, 2019, the European Commission published a report entitled “Strengthening Strategic Value Chains for a future-ready EU Industry”, which was prepared by the Strategic Forum on Important Projects of Common European Interest (“Forum”). The Forum assists the European Commission in identifying key strategic value chains that can contribute to Europe’s industrial…
French medicines regulator produces first in Europe medical devices cybersecurity guidelines
France’s medicines regulator, the Agence Nationale de Sécurité du Médicament et des Produits de Santé (ANSM), has released draft guidelines, currently subject to a public consultation, setting out recommendations for manufacturers designed to help prevent cybersecurity attacks to medical devices. Notably, the draft guidelines are the first instance of recommendations released by a national regulator in Europe that apply cybersecurity considerations specifically to medical devices. The full ANSM draft guidelines, ‘Cybersécurité des dispositifs médicaux intégrant du logiciel au cours de leur cycle de vie’ (‘Cybersecurity of medical devices integrating software during their life cycle’) published 19 July 2019, is available in French here, and in English here.
The draft guidelines note that while the European regulatory framework (the Medical Devices Regulation 2017/745 and In Vitro Diagnostic Medical Devices Regulation 2017 /746) has been modified “in line with technological developments” (e.g. “data exchange, monitoring, risk prediction and control software”) to include software within the definition of a medical device, and accompanying security and performance requirements specific to such medical devices incorporating software, the “[medical device and in vitro diagnostic medical device r]egulations do not explicitly refer to or elaborate on the notion of cybersecurity”. For the purposes of the guidelines, ‘cybersecurity’ is described as “the full set of technical or organisational measures set up to ensure the integrity and availability of a [medical device] and the confidentiality of the information held on or output by this [medical device] against the risk of targeted attacks.”
Continue Reading French medicines regulator produces first in Europe medical devices cybersecurity guidelines
European Data Protection Board releases Guidance on Intersection of the GDPR and the Clinical Trials Regulation
The European Data Protection Board (“Board”) released an opinion on January 23, 2019, on the intersection between the EU General Data Protection Regulation (“GDPR”) and the Clinical Trials Regulation (“CTR”). The opinion considers a Q&A on this topic prepared by the European Commission’s Directorate General for Health. The Directorate General decided to create this Q&A because of perceived contradictions between the GDPR and the CTR, in particular in relation to the legal basis (e.g., the use of consent) and the further use of clinical trial data. (See also here).
Continue Reading European Data Protection Board releases Guidance on Intersection of the GDPR and the Clinical Trials Regulation
The Implications of the GDPR on Clinical Trials in Europe
On October 22, 2018, the European Federation of Pharmaceutical Industries in cooperation with the Future of Privacy Forum and the Center for Information Policy Leadership organized a workshop entitled “Can GDPR Work for Health Research.” In the first session, the workshop discussed the implications of the General Data Protection Regulation (“GDPR”) on clinical trials in…
Exploring the EU Horizon for Pharma
The EU pharmaceutical industry landscape is in significant flux. There are many pressures to provide new therapies and to make them available more early and for as many qualifying patients as possible. In that context, the industry model and the role of exclusivity rights as a tool to stimulate innovation are being discussed. At the same time, discovering and developing new products is more complex and requires a collaborative effort. This happens against the background of new rules on medical devices and the protection of personal data, which are, for instance, relevant in assessing clinical effectiveness and relying on real world evidence.
Three members of the Covington European Life Sciences team will be speaking on these topics at the EU Pharmaceutical Law Forum being held in Brussels on 16-18th May.
Continue Reading Exploring the EU Horizon for Pharma