Skip to main content
All

This digest covers key virtual and digital health regulatory and public policy developments during September 2023 from the United States, United Kingdom, and European Union.

In this issue, you will find the following:

U.S. News

U.S. Featured Content:

Sponsors of remote monitoring clinical decision support (CDS) and medical device data system (MDDS) tools take note! In the latest in a string of Warning Letters to sponsors of digital health devices, FDA recently issued a Warning Letter disagreeing with a sponsor’s assessment that a remote monitoring tool intended for use with a ventricular heart support hardware device qualified as a non-device under the 21st Century Cures Act (Cures Act) exemptions. In a September 19 Warning Letter, FDA asserts Abiomed Inc.’s (Abiomed’s) Impella Connect System exceeds the scope of a non-device CDS, and therefore is an adulterated, unapproved device. Although the agency agreed that certain of the Impella Connect System’s functions may be non-device MDDS functions, FDA viewed the system’s alarm-related functionalities as being regulated device functions. FDA’s view that software functions intended to support time-critical decisions with alarm or alert functionality are regulated device functions is reflected in previously issued agency guidance on the Cures Act CDS and MDDS exemptions. Read the FDA regulatory updates section below for more information on the Abiomed Warning Letter. 

EU and UK News

EU/UK Featured Content:

The UK Department of Science, Innovation and Technology announced on September 21 that the UK Extension to the EU-U.S. Data Privacy Framework (the Data Bridge) will enter into force on October 12. The Data Bridge will allow certifying entities to easily transfer personal data from the UK to the U.S., which would otherwise be prohibited under the UK General Data Protection Regulation without another transfer mechanism (such as the standard contractual clauses or binding corporate rules). This follows the publication of the EU-U.S. Data Privacy Framework in July. However, the EU-U.S. Data Privacy Framework has been challenged in the European Court and the UK data protection authority has expressed reservations concerning the UK Data Bridge. This is therefore a continuing area of uncertainty for companies. You can read more in our Advisory.

U.S. News

FDA Regulatory Updates

FDA Issues Warning Letter to Sponsor of Remote Monitoring Device. On September 19, FDA issued a Warning Letter to Abiomed disagreeing with the company’s assessment that a remote monitoring tool intended for use with a ventricular heart support hardware device qualified as a non-device CDS under the Cures Act. In the Warning Letter, FDA asserts Abiomed’s Impella Connect System exceeds the scope of a non-device CDS, and therefore is an adulterated, unapproved device. Although the agency agreed that certain of the Impella Connect System’s functions may be non-device MDDS functions, FDA viewed the system’s alarm-related functionalities as being regulated device functions. 

Abiomed is a manufacturer of several class III devices, including the Impella 2.5, Impella CP, Impella CP with SmartAssist, Impella 5.0, Impella LD, Impella 5.5 with Smart Assist, Impella RP, Impella RP Flex, and Impella RP Flex with SmartAssist (collectively, Impella Pumps). Following a March 2023 inspection, FDA issued Abiomed a Form 483 of inspectional observations with concerns related to the regulatory status of the Impella Connect System. The Impella Connect System comprises a web-based user portal (software) and a remote link module (hardware) that are designed to work with the Automated Impella Controller (AIC), which is part of a medical device system that provides temporary ventricular support to help a patient’s heart to pump blood in a critical care setting. As described in the Warning Letter, the Impella Connect System allows users to remotely monitor the performance of an individual AIC pump or multiple pumps and view case information on demand, as well as to filter notifications by alarm status. Per FDA, the Impella Connect System Website Instructions describe email notifications of alarms at initiation of the alarm and an additional notification for alarms that are still occurring after 15 minutes, and displays of case tiles, which include pump metrics and alarm state, which are color coded (red: critical, yellow: serious, green: no alarm). 

In its response to the Form 483, Abiomed took the position that these Impella Connect System features are non-device CDS functions because they support a health care provider “as it provides a concise and user-friendly view of active AIC case status” and “concise notifications.” In issuing the Warning Letter, FDA disagreed with Abiomed’s position. Rather, FDA viewed these features as software device functions requiring premarket authorization because the notifications and view of the active AIC case status provide patient-specific medical information to detect a life-threatening condition and generate time-critical alarms intended to notify a health care provider. FDA further explained that the notifications and view of the active AIC case status provide time-critical alarms with patient-specific medical information intended to trigger potential clinical intervention to assure patient safety, and that by functioning as a secondary alarm system with color-coded tiles and pre-set thresholds to notify users by email of alarms issuing from the AIC, the Impella Connect System fails to meet criterion 3 of Cures Act CDS exemption because it does not support or provide recommendations to a health care professional about prevention, diagnosis, or treatment of a disease or condition.

The Warning Letter also includes several quality system and complaint handling violations. 

FDA Establishes Digital Health Advisory Committee. On October 11, FDA announced that it is establishing a Digital Health Advisory Committee (DHAC) to provide advice on complex scientific and technical issues relating to digital health technologies (DHTs), including artificial intelligence/machine learning, augmented reality/virtual reality, digital therapeutics, wearables, remote patient monitoring, and cybersecurity. The DHAC’s role will be to provide advice and recommendations on new approaches to develop and evaluate DHTs, as well as identifying risks, barriers, or unintended consequences that could result from proposed or established FDA policy or regulation. 

There will be nine voting members on the DHAC, including a committee chair, as well as non-voting members. FDA is requesting nominations for voting members, a voting consumer representative, and temporary non-voting industry representatives. FDA is seeking nominations for committee members who have technical and scientific expertise from diverse disciplines and backgrounds. Nominations can be submitted through the FDA Advisory Committee Membership Nomination Portal; nominations may also be sent by mail. 

FDA anticipates that the DHAC will be fully operational in 2024. 

FDA Issues Draft Guidance on Prescription Drug Use-Related Software. On September 19, FDA published draft guidance titled “Regulatory Considerations for Prescription Drug Use-Related Software” (PDURS Draft Guidance) describing the application of FDA’s drug labeling authorities to certain software outputs that are disseminated by or on behalf of a drug sponsor for use with a prescription drug or a prescription drug-led combination product. The draft guidance expands on, and was developed in response to, comments FDA received on a 2018 request for comments on prescription drug-use-related software.

The PDURS Draft Guidance, when finalized, is intended to clarify: (1) what factors FDA considers when determining whether an end-user output should be subject to prescription drug labeling requirements; (2) how FDA-required labeling, particularly the prescribing information, should describe prescription drug use-related software that is considered essential for the safe and effective use of the drug product; and (3) when and how sponsors should submit end-user output to FDA for review. As explained by FDA, the recommendations in the PDURS Draft Guidance align with ongoing agency initiatives and considers existing agency policies for the regulation of software to ensure efficient, coordinated review in instances when prescription drug use-related software is reviewed by the agency as a device.

Comments on the PDURS Draft Guidance are due by December 18.

FDA Finalizes Guidance on Device Cybersecurity Considerations. On September 27, FDA issued final guidance titled “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions” (the Final Guidance), superseding a 2014 guidance on cybersecurity and premarket submissions. In announcing the guidance, FDA underscored the importance of robust cybersecurity controls to ensure medical device safety and effectiveness in light of the increasing frequency of cybersecurity threats in the health care sector, as well as increased integration of wireless, internet, and network connected capabilities, portable media, and the frequent electronic exchange of health information. The changes since the 2014 guidance are intended to emphasize the importance of ensuring that devices are designed securely and are designed to be capable of mitigating emerging cybersecurity risks throughout the total product lifecycle (TPLC), and to clearly outline FDA’s recommendations for premarket submission information to address cybersecurity concerns. In addition, the Final Guidance is intended to help manufacturers meet their obligations under new Section 524B of the FDCA, which requires marketing applications for “cyber devices” to include certain cybersecurity information. However, the Final Guidance recommendations are broader in scope and apply to all devices with cybersecurity considerations (including 510(k)-exempt devices), not just the subset of cyber devices subject to the Section 524B requirements. For additional information about the Section 524B requirements, please see the January and April 2023 issues of Arnold & Porter’s Virtual and Digital Health Digest.

The Final Guidance discusses four main principles for device cybersecurity: (1) cybersecurity is part of device safety and the quality system regulations; (2) designing for security; (3) transparency; and (4) submission documentation. The Final Guidance also provides recommendations for using a secure product development framework (SPDF) as one option to manage cybersecurity risks and ensure that the quality system regulation is met.

FDA Reopens Comment Period for Drug Manufacturing Artificial Intelligence Discussion Paper and Announces Public Meeting. In the March 2023 issue of this digest, we discussed a new FDA discussion paper titled “Artificial Intelligence in Drug Manufacturing” (Discussion Paper), which presents consideration and policy development associated with application of AI to pharmaceutical manufacturing. The Discussion Paper (issued March 1) includes specific questions for stakeholder feedback, such as areas of AI in manufacturing where guidance may be beneficial, common practices for validating and maintaining self-learning AI models, and necessary elements for manufacturers to implement AI-based models in a cGMP environment. Although interested persons were initially given until May 1 to comment, on September 27, FDA announced it is reopening the comment period for the Discussion Paper until November 27. 

For more information on the Discussion Paper, please see the March 2023 issue of Arnold & Porter’s Virtual and Digital Health Digest.

Health Care Fraud and Abuse Updates

DOJ Continues to Pursue Medically Unnecessary Telemedicine Schemes Across the U.S. On September 21, Elizabeth Hernandez, a nurse practitioner, was convicted by a Florida jury for her role in submitting over US$200 million in fraudulent claims for medically unnecessary genetic testing and orthotic braces to Medicare beneficiaries. According to the grand jury charges, Hernandez worked with telemedicine and telemarketing companies, electronically signing and causing the signing of doctors’ orders for durable medical equipment (DME) and genetic tests solely based on either a short telephone call with the patient or no patient communication at all. The charges alleged that Hernandez signed these orders without considering medical necessity and without physically examining the patients. The jury found that Hernandez and her co-conspirators submitted and caused submission of more than US$14 million worth of false and fraudulent claims to Medicare and Medicare Advantage.
 
A Charlotte physician was convicted in a similar DME scheme. On September 26, Dr. Sudipta Mazumder, who was working as an independent contractor for a telemedicine company, was convicted for signing fraudulent orders for medically unnecessary durable medical equipment for beneficiaries of the Medicare and TRICARE programs. Dr. Mazumder purportedly had little to no interaction with the patients and did not ascertain whether the patients needed the DME and whether the devices were medically necessary. In addition, DOJ alleged that Dr. Mazumder received unsigned orders for orthopedic braces for patients, signed the orders, and returned them to the telemedicine company in exchange for $20 for each signed order. 
 
On September 27, David Clark — owner of Conclave Media and Nationwide Health Advocates — pleaded guilty in connection with a US$44 million telemedicine fraud scheme involving medically unnecessary DME, including orthotics, such as back and knee braces, and genetic tests. Specifically, Clark signed thousands of orders for medically unnecessary orthotic braces and genetic tests, billing more than US$200 million in fraudulent Medicare claims. See the August 2023 issue of Arnold & Porter's Virtual and Health Digest for an overview of the charges in this case.
 
The ordering of medically unnecessary items like genetic tests and DME through telemedicine network providers who offered financial incentives to write prescriptions continues to be an enforcement target for DOJ, due, in part, to the significant payments being made by the federal health care programs. Many of these cases, like the Hernandez conviction discussed above, also involve a complex scheme of telemarketing targeting federal health care program beneficiaries. Telemedicine providers should review their standard operating procedures for all telemedicine services, with additional consideration given to best practices outlined in OIG’s July 2022 Special Fraud Alert on telemedicine and OIG’s telehealth claim risk analysis resources here.
 

Provider Reimbursement Updates

DEA Issues Second Temporary Rule Extending Telehealth Prescribing Flexibilities. As we described in the September 2023 issue of Arnold & Porter’s Virtual and Digital Health Digest, during the public health emergency (PHE), the Drug Enforcement Agency (DEA) made two major changes related to prescribing controlled substances. First, qualified practitioners were permitted to prescribe a controlled substance to a patient via a two-way, audio-video telemedicine appointment. Second, during the PHE, qualifying practitioners were also permitted to prescribe buprenorphine to new and existing patients with an opioid use disorder based only on a telephone evaluation.

Anticipating the end of the PHE, DEA and HHS issued two proposed rules (available here and here), that, if finalized, would significantly curtail the prescribing rules for controlled substances via telemedicine permitted during the PHE. 

After receiving thousands of public comments, on May 10, HHS and DEA, in concert with the Substance Abuse and Mental Health Services Administration (SAMHSA), published a temporary rule extending all telemedicine flexibilities regarding the prescribing of controlled substances that were in place during the PHE until November 11. See 88 FR 30037. Of particular significance, the temporary rules extended the PHE “exceptions allowed for the prescribing of controlled medications via telemedicine encounters even when the prescribing practitioner had not conducted an in-person medical evaluation of the patient.” 88 Fed. Reg. 69879; 88 FR 30037. These exceptions were “granted in order to avoid lapses in care for patients.” Id.

On October 6, DEA, HHS, and SAMHSA issued a second temporary rule further extending these flexibilities until December 31, 2024, citing the desire to ensure a smooth transition for patients and practitioners that have come to rely on the availability of telemedicine for controlled medication prescriptions and to provide sufficient time for providers to come into compliance. See 88 Fed. Reg. 69879 (Oct. 10, 2023). The second temporary rule was issued just weeks after DEA hosted Telemedicine Listening Sessions on September 12 and 13. The listening sessions invited public feedback to inform DEA’s regulations on prescribing controlled substances via telemedicine. In this latest temporary rule, DEA states that it is working to promulgate new standards or safeguards by the fall of 2024. 88 Fed. Reg. 69880.

Policy Updates 

In September 2023, Congress narrowly averted a federal government shutdown by passing the “Continuing Appropriations Act, 2024 and Other Extensions Act” (H.R. 5860), which is a Continuing Resolution (CR) to extend government funding at fiscal year (FY) 2023 levels through November 17. In response, Rep. Matt Gaetz (R-FL) filed a motion to vacate the chair (H.Res. 757) to remove then-House Speaker Kevin McCarthy (R-CA). On October 3, the motion to vacate passed by a vote of 216-210 with all Democrats and eight Republicans voting in favor of removing Speaker McCarthy. 

Rep. Patrick McHenry (R-NC) now serves as the temporary Speaker Pro Tempore until a new speaker is elected. While there have been several candidates in the running, including House Majority Leader Steve Scalise (R-LA), Trump-endorsed Rep. Jim Jordan (R-OH), and others such as Rep. Austin Scott (R-GA), it is unclear which House Republican will ultimately win the next speakership race. On October 12, Rep. Scalise announced that he is withdrawing from the race to be the next Speaker of the House, just one day after winning the nomination from the House GOP conference, citing insufficient support to win on the House floor and indicated that he plans to remain in his role as House Majority Leader. Rep. Jordan was also nominated but failed to win the needed votes to win the speaker’s gavel after two rounds. 

Until the House can elect a new speaker or change the rules for the Speaker Pro Tempore, no bills or other significant legislative action can be taken up on the House floor. After electing a new speaker, the House is expected to immediately reestablish negotiations toward a federal appropriations package or CR before November 17 or else face a second government shutdown.
 

Privacy Updates 

Health Care Industry Members Submit Comments to Congress on Privacy in the Context of Digital and Other Technological Health Innovations. In response to the request for comments on privacy and digital health care recently issued by Senate HELP Committee Ranking Member Bill Cassidy, discussed in the September 2023 issue of Arnold & Porter’s Virtual and Digital Health Digest, the American Hospital Association (AHA) sharply criticized proposed restrictions on the use of online tracking technologies by health care providers. In a September 28 letter to Senator Cassidy, the AHA listed several benefits of web tracking and other digital technologies for patients and health care providers, including:
 
  • Analytics tools that convert web users’ interactions with hospital webpages into information on factors such as the level and concentrations of community concern on medical questions, which gives hospitals the data needed to more effectively allocate resources and help community members to more easily find the health care information they are seeking.
  • Video technologies that enable hospitals to offer a wide range of information to the public, including videos that educate the community about particular health conditions.
  • Location tracking technologies that facilitate dissemination of precise information about where health care services are available, including embedded applications that provide bus schedules or driving directions to and from a community member's location. 

In its letter, the AHA strongly criticized the HHS Office for Civil Rights (OCR) for its guidance issued in December 2022 warning HIPAA-covered entities and their business associates of the potential liability for privacy and data security violations through the use of website tracking technologies. The AHA asserted that if the OCR guidance “is permitted to stand, hospitals and health systems will be forced to restrict the use of valuable third-party technologies like these.” 

The Healthcare Information and Management Systems Society (HIMSS) also submitted a response to Senator Cassidy’s request for comments, in which it underscored its support for a “seamless, secure, ubiquitous, and nationwide data access and interoperable health information exchange.” HIMSS states that to facilitate such exchange to the benefit of the health care system, an “opt-out” mechanism for patient choice regarding health data uses and disclosures is preferable to the type of “opt-in” framework imposed by the EU General Data Protection Regulation (GDPR). According to HIMSS, “the U.S. healthcare system features significant differences from the European Union, and opt-in requirements will create significantly more burden for providers with little benefits to patients.”
 

EU and UK News

Regulatory Updates 

G7 Countries Commit to AI Code of Conduct. On September 7, officials from the G7 countries agreed to create an international code of conduct for artificial intelligence. These guidelines will attempt to create a unified, but non-binding, international rulebook to oversee and seek greater control over this emerging technology. The officials stated that they recognize the need to manage new risks and challenges for individuals, society, and democratic values and to harness benefits and opportunities brought about by advanced AI systems. The group’s digital ministers are expected to finalize the code of conduct in a virtual meeting planned for November or December 2023.
 
Letter From MedTech Europe Calling for Reform of the Medical Technology Regulatory Frameworks. On September 14, MedTech Europe, together with 34 national associations, wrote an open letter to the European Commission calling for reform of the EU legislation governing the regulation of medical devices (Regulation (EU) 2017/745 (Medical Devices Regulation) and Regulation (EU) 2017/746 (In Vitro Diagnostic Medical Devices Regulation)). The stakeholders describe the current regulatory framework as “unpredictable, complex, slow and costly,” which is delaying timely access of innovative technologies, including digital innovation, to patients and health care systems in Europe and hindering innovation. MedTech Europe proposes introducing three major changes: 

  1. A more efficient, predictable, and adaptable CE marking system
  2. A dedicated and fast-track assessment pathway for critical medical technologies
  3. A new European entity to oversee and manage the regulatory system
While acknowledging the progress that has been made on addressing short-term implementation challenges, MedTech Europe concludes by asking the commissioner to formally elevate the proposals for structural reform within Europe’s health policy debates.
 
Launch of the UK Innovative Devices Access Pathway Pilot Phase. On September 19, the UK government launched the pilot phase of the Innovative Devices Access Pathway (IDAP), an initiative to help bring innovative technologies to the NHS where there is an unmet medical need. IDAP has been designed to accelerate the development of innovative medical devices, with the aim of taking delays and uncertainty out of the route to market. IDAP will provide an integrated support service for medical device developers that will include enhanced opportunities for engagement with the regulatory authorities and a streamlined adoption process.

Companies of all sizes are being invited to apply, both internationally and in the UK, where they intend to launch a device for the UK market. Applications for the pilot phase are open and will close after October 29. More details on the IDAP can be found in a our blog post.

AI and Digital Hub Regulatory Advice Pilot To Be Launched in 2024. On September 19, the UK Department for Science, Innovation and Technology (DSIT) announced the launch of a pilot advisory service called the AI and Digital Hub. The service will allow organizations in the UK to seek tailored advice on whether their developments and ideas comply with regulatory requirements for digital technology and AI. In turn, the DSIT has said that businesses will be able to take their new innovations to market responsibly and more quickly, helping to grow the UK’s economy. The service will be run by members of the Digital Regulation Cooperation Forum (DRCF), made up of the Information Commissioner’s Office, Ofcom, the Competition and Markets Authority, and the Financial Conduct Authority. The pilot is set to launch in 2024 and will run for 12 months. DSIT has said this announcement delivers on commitments made as part of the UK government’s AI Regulation white paper, including the establishment of a central AI risk function within government. It was noted that the government is working with UK regulators on how to regulate AI given its cross-cutting nature and impact on various sectors, and it highlighted the guidance from the Medicines and Healthcare products Regulatory Agency in relation to digital technologies used in the health care setting.

On the same day, the DSIT also published a number of
case studies to illustrate what AI assurance looks like across a variety of sectors and to provide examples of effective AI assurance techniques for organizations to use. These include how to conduct an AI governance review for a global pharmaceutical company and applying argument-based assurance to AI-based digital mental health technologies.
 

Privacy Updates

Adoption of the UK-U.S. Data Bridge. On September 21, the UK government adopted the Data Protection (Adequacy) (United States of America) Regulations 2023 (UK-U.S. Data Bridge), and published several supporting documents for guidance. The UK-U.S. Data Bridge is an adequacy decision that recognizes that the U.S. provides an adequate level of protection for personal data transfers made to U.S. entities listed in the UK Extension to the EU-U.S. Data Privacy Framework (DPF). This means, in practice, that when personal transfers are made to one of the entities that are certified to the UK Extension and listed on the DPF, there is no need to rely on standard contractual clauses (SCCs) or binding corporate rules (BCRs), and thus no obligation to carry out a data transfer impact assessment, as normally required. The UK-U.S. Data Bridge will come into effect on October 12, and you can read more in our Advisory.


Why does it matter? As the UK is no longer a member of the European Union, the EU-U.S. Data Privacy Framework does not automatically enable the transfer of personal data from the UK to the U.S. Transfers of personal data from the UK will require a Data Bridge, which was agreed to in principle between the UK and U.S. governments on June 8. However, the UK data protection authority, the Information Commissioner’s Office (ICO), has expressed reservations concerning the Data Bridge.

In addition, the day before the adoption of the UK-U.S. data bridge, the EU-U.S. Data Privacy Framework, which had been adopted in July 2023 as discussed in our Advisory, was published in the EU Official Journal. The EU-U.S. Data Privacy Framework has been challenged before the European General Court by a French member of the European Parliament, Philippe Latombe, and privacy activist group NOYB, which was founded by Maximilian Schrems, announced that it will be challenging the DPF on the basis that it is largely a copy of the Privacy Shield. It will be necessary to keep an eye on the current proceedings before the EU courts and whether this has implications for the UK-U.S. Data Bridge.

EFPIA Attends Meeting on Opt-Out Requirements in EHDS. On September 6, the European Federation of Pharmaceutical Industries and Associations (EFPIA) met officials of the European Commission, a member of the European Parliament, and permanent representations of future presidencies of the Council of the EU, to discuss the implementation of an opt-out mechanism in the European Health Data Space (EHDS). 

The meeting followed a joint statement issued by EFPIA together with other 31 health stakeholders where they outlined that implementing an opt-out mechanism in the EHDS would challenge the effective use of electronic health data for research (e.g., by creating health disparities and undermining reliability of data driven health interventions), as discussed in the July 2023 issue of Arnold & Porter's Virtual and Digital Health Digest.

ABPI Handbook on Using Health Data. On September 6, the UK Association of the British Pharmaceutical Industry (ABPI) published a handbook on how to analyze and use health data from the NHS responsibly. The handbook builds upon the principles established by the ABPI in collaboration with its members and key stakeholders in 2022. These principles are:

  • Be transparent about the purpose and use of health data, and how risk will be managed.
  • Ensure that fair contractual arrangements in relation to data access and return of benefits are in place.
  • Promote engagement from patients and the public in the design and approval of health data projects.
  • Share insights across the health system generated from the use of health data.
  • Ensure compliance with data privacy regulations and the associated patients’ rights. 

Members of the ABPI are committed to follow these principles when using NHS health data for research purposes. 

Consultation From the UK ICO on Period Tracking and Fertility Tracking Apps. During the month of September and until October 5, the UK ICO carried out a consultation on period tracking and fertility tracking apps. The aim of the consultation was to gather information from users on their experiences with the app, in order to identify areas of improvement in data security. The ICO is now reviewing how personal information is used or shared by these apps and the negative impact this may have on users. The ICO stated that, in light of the results of the consultation, it may be necessary to take measures to improve data security and transparency, including regulatory action.

Competition Updates

CMA Clears UnitedHealth/EMIS Merger. After an in-depth investigation into the anticipated acquisition by UnitedHealth Group Incorporated (UH) of EMIS Group Plc (EMIS), on September 29, the UK Competition and Markets Authority (CMA) decided to approve the deal without imposing any conditions. 

EMIS supplies data management systems to the NHS, including the electronic patient record system used by the majority of NHS GPs to manage appointments, conduct patient consultations, and update, store, and share patient records. UH provides medicine optimization (MO) software (which recommends alternative medicines to doctors to increase cost-effectiveness), as well as population health management (PHM) services (which make use of data analytics to improve patient outcomes). The parties are, therefore, in a vertical relationship, with electronic patient record systems generated by EMIS a vital input into PHM services and MO software.

At the end of its Phase 1 investigation, the CMA was concerned that, due to EMIS’s high market shares in the provision of electronic patient record systems, the high switching costs, and the limited competition existing in this area in the UK, the parties might, post-merger, restrict access to EMIS's electronic patient record systems to the detriment of rival suppliers of MO software and PHM services. However, at the end of a Phase 2 in-depth investigation, the CMA concluded that the merged entity would not have the ability or incentive to engage in such a foreclosure strategy as: 

  1. The NHS would be able to use its oversight role to investigate any complaints in this respect and resolve any breaches of the applicable standards (thus effectively preventing the merged entity from pursuing this kind of behavior).
  2. Any possible gains in profits from customers of EMIS’s electronic patient records switching to UH’s software and services would not compensate the profits lost from customers switching away from EMIS’s systems. Importantly, any such strategy could also potentially have wider costs, such as damaging the merged entity’s relationship and reputation with the NHS. 

The CMA also considered whether the merged entity could use any commercially sensitive information shared with EMIS by MO software rivals to improve UH’s MO offering to the detriment of that of its rivals. Although some proprietary information is shared with EMIS, the CMA found, based on the nature of this information, that its disclosure would not be capable of harming the competitiveness of the rival, particularly as some of the information shared with EMIS is likely to be very specific to the individual supplier, and so not of use to UH.  

*The following individuals contributed to this Newsletter:

 Amanda Cassidy is employed as a Senior Health Policy Advisor at Arnold & Porter’s Washington, D.C. office. Amanda is not admitted to the practice of law.
Eugenia Pierson is employed as a Senior Health Policy Advisor at Arnold & Porter’s Washington, D.C. office. Eugenia is not admitted to the practice of law.
Mickayla Stogsdill is employed as a Senior Policy Specialist at Arnold & Porter’s Washington, D.C. office. Mickayla is not admitted to the practice of law.
Katie Brown is employed as a Policy Advisor at Arnold & Porter’s Washington, D.C. office. Katie is not admitted to the practice of law.
Heba Jalil is employed as a Trainee Solicitor at Arnold & Porter's London office. Heba is not admitted to the practice of law.

© Arnold & Porter Kaye Scholer LLP 2023 All Rights Reserved. This Newsletter is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.