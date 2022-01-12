Law firms MAC Law Group, LLC See all

January 12, 2022 - To understand how Artificial Intelligence ("AI") can be used in health care, we first need to appreciate what it is. AI includes not only the ability to recognize and analyze data, but also to "infer" or "predict" what that data means in certain contexts. There are myriad ways that AI can assist in the health care context in both the diagnosis of disease and its treatment.

As such, AI promises to efficiently assist clinicians in what clinicians do: compile, review, and analyze data gathered on their patients, and make inferences as to what that data means to the patient and how to treat the patient or cure the disease.

The promise of AI is that it can perform these tasks at great speed and efficiency. Providers and payers are under considerable pressure to decrease health care costs wherever possible. Payers are more discerning than ever in terms of items and services for which they will pay. AI in diagnosis or treatment of a disease presents an opportunity to decrease health care costs and improve management of health care resources.

However, AI also presents challenges including potential bias in the algorithms used, privacy and security vulnerabilities introduced by utilizing very large volumes of data, and the difficulty of ascertaining and evaluating the safety of AI-driven products and services.

The applications of AI in health care are potentially endless but with this potential, there is also risk. One way of managing risk in health care is through a broad array of laws and regulations that govern new technologies. The Food and Drug Administration is the primary U.S. agency that regulates new drugs, devices, biologics, and innovations to ensure that they are safe for use in humans and animals. In addition to the FDA, there are certain states that have begun to enact laws and regulation in this arena.

AI and machine learning ("ML") are techniques used to design and train software algorithms to learn from and act on data. The AI/ML-based software intended to treat, diagnose, cure or prevent disease or other conditions are medical devices under the Food, Drug and Cosmetics Act ("FD&C Act"), and are called "Software as a Medical Device" ("SaMD"). The FDA has authority to regulate SaMDs and has implemented a number of policies intended to guide the industry in safe practices for the development and use of SaMDs in the U.S.

To begin distribution of a SaMD, a manufacturer must submit a marketing application to the FDA, which includes relevant information related to the type and data requirements based upon the risk of the SaMD (e.g., 510K notification, premarket approval application pathway or De Novo classification). When there is a change in a SaMD, a manufacturer must also submit a 510K notification to the FDA's Center for Devices and Radiological Health, which will review the application using a risk-based approach to determine when a premarket submission is required.

To date, the FDA has cleared several AI/ML-based SaMDs. For the most part, these have been SaMDs that have locked algorithms prior to marketing; however, not all SaMDs are locked and the algorithms may adapt over time. The types of algorithm modifications that would be subject to FDA review depend upon various factors related to the SaMD's performance, inputs or intended use.

The FDA has also recently issued guidance specific to AI in medical devices. On Oct. 27, 2021, the FDA, in cooperation with Health Canada and the United Kingdom's Medicines and Healthcare products Regulatory Agency, released guiding principles on the use of AI and ML in medical devices (the "Guiding Principles").

The Guiding Principles do not have the effect of regulation, but are intended to promote safety and efficacy in medical devices that employ AI and ML. Generally speaking, the Guiding Principles are a starting point for various industry players to work together to promote Good Machine Learning Practices.

While the FDA is the primary regulatory agency responsible for overseeing AI in health care, there are additional laws, regulations, and guidance that should be considered. For example, reimbursement is a fundamental concern for manufacturers and in some cases, when a new software product will be used for diagnosis or treatment, it will be reviewed by a Medicare Administrative Contractor ("MAC"). In others, a new product will be substantially similar to another product already on the market and in that case, an analysis of Current Procedural Terminology ("CPT") and Healthcare Common Procedure Coding System ("HCPCS") codes will reveal the range of potential reimbursement and an analysis of National Coverage Determinations and Local Coverage Decisions will be performed.

However, if the new SaMD is truly novel, the best approach is to have the manufacturer approach the Medical Director of the regional MAC to obtain direction on reimbursement. This process could be protracted so manufacturers are well advised to begin the process early to ensure that the product is reimbursable when ready to go to market.

There are also privacy and security related concerns under the Health Insurance Portability and Accountability Act ("HIPAA") regulations, the U.S. Federal Trade Commission's ("FTC") health breach notification regulations, various state laws, and the EU's General Data Protection Regulation ("GDPR"). Inasmuch as the use of SaMD for diagnosis and treatment may require the use and storage of identifiable personal data, depending upon the entity creating the data, how it is regulated, and which countries the data is collected from, the U.S. federal and state laws, and possibly the GDPR, will come into play.

Moreover, it is important to note that an increasing number of states have laws and regulations that require heightened privacy and security mechanisms for certain classes of information (e.g., genetic information). It is therefore imperative that manufacturers consider the totality of these laws and regulations for their SaMD and build the software with the relevant privacy and security protections.

Because AI relies on the collection of large data sets and the ability to reidentify even "de-identified" information is becoming increasingly easier with sophisticated algorithms, it is important to assess and protect against the privacy vulnerabilities that arise in the use of AI.

Depending on the functionality of AI, there could be state and federal laws that require a health care provider or an AI developer to seek licensure, permits and/or other registrations (e.g., AI may be employed in a way that requires FDA approval if it provides diagnosis without a health care professional's review).

As AI functionality expands (and potentially replaces those of physicians in physician services), questions may arise as to how these services are regulated, and whether the provision of such services would be considered the unlicensed practice of medicine or a violation of corporate practice of medicine (CPM) prohibitions. Some states (e.g., New York, New Jersey, and California) statutorily prohibit an unlicensed individual or company from practicing medicine, including by employing or contracting with licensed physicians to provide medical services.

Another important consideration includes the contractual and insurance implications of AI in the diagnosis and treatment of disease. Will a provider's typical malpractice insurance cover a provider who relies on AI in his/her diagnosis and treatment decisions? Is there additional coverage that should be purchased?

Moreover, when contracting for the lease of SaMDs, will there be indemnity provisions or limitations on liability that manufacturers will request, and will providers agree to those provisions? Manufacturers should consult with legal counsel to determine the best approach for protection of their intellectual property as well as their potential exposure for the algorithms they may create for the SaMD.

Lastly, an issue being examined with increasing scrutiny is that of potential bias in AI algorithms. ML and AI examine patterns that emerge in data sets to predict certain outcomes. Whether those predictions are based on patterns resulting from bias is difficult to determine, and it is important to discern the reliability of the predictions. The FTC has generally stated that the sale or use of racially biased algorithms, for example, is a deceptive practice banned by the Federal Trade Commission Act.

The EU has been more detailed in its oversight of bias in AI. In April, 2021, the European Commission issued a proposed regulation on AI that, among other things, imposes requirements on testing, risk management, and human oversight aimed at minimizing the risk of erroneous or biased AI-assisted decisions. Common to both the FTC and European Commission is a stated desire for transparency to prevent bias.

The use of AI in the diagnosis and treatment of disease and other areas of health care is truly exciting. With the endless possibilities of AI application in health care, there will most certainly be risks that must be analyzed along the way. There will be regulatory requirements that will need to be addressed, and there will likely be implications for the health care workforce as well.

At a minimum, there will be significant responsibilities for manufacturers of AI products and services and training implications for clinicians and ancillary workforce members to ensure that these new technologies are utilized in a manner most beneficial to individuals and that the risks associated with them are appropriately managed.

