The US Food and Drug Administration (FDA), along with Health Canada and the United Kingdom's Medicines and Healthcare Products Regulatory Agency, has identified ten guiding principles for development of safe and effective medical devices that use artificial intelligence and machine learning (AI/ML). AI/ML technologies have the potential to improve device performance by deriving insights from data generated through the delivery of health care in real-world use. The ten principles, called Good Machine Learning Practice (GMLP), are intended to be used to identify GMLP best practice and consensus standards.
The principles are:
- Multi-disciplinary expertise is leveraged throughout the total product life cycle.
- Good software engineering and security practices are implemented. The agencies explain this should include the fundamentals of good software engineering practices, data quality assurance, data management and cybersecurity.
- Clinical study participants and data sets are representative of the intended patient population. Data collection should ensure that relevant characteristics of the intended population (such as demographics) are represented in a sample of adequate size so that results can be generalized to the population.
- Training data sets are independent of test sets.
- Selected reference datasets are based upon best available methods.
- Model design is tailored to the available data and reflects the intended use of the device. Design should support the active mitigation of known risks, like overfitting, performance degradation, and security risks.
- Focus is placed on the performance of the human/AI team. Developers need to address human interpretability of the model outputs.
- Testing demonstrates device performance during clinically relevant conditions. Test plans are developed to generate clinically relevant device performance information independent of the training data set, considering the intended patient population, clinical environment and other factors.
- Users are provided clear, essential information. Users have access to information appropriate for the intended audience, such as health care providers or patients, and a means to communicate product concerns to the developer.
- Deployed models are monitored for performance and re-training risks are managed. Models must be monitored in real world use for potential improvement of safety and performance.
- Published: 11 November 2021
- Last Updated: 11 November 2021
OIG reports most Medicare beneficiaries using telehealth had an established relationship with a provider
The Office of Inspector General (OIG) of the Department of Health and Human Services published a data snapshot dated October 2021, examining telehealth utilization by Medicare beneficiaries from March to December 2020. During this period, 26 million Medicare beneficiaries (39% of all Medicare beneficiaries) received at least one telehealth service. The OIG found that 84% of Medicare beneficiaries received all their telehealth services from providers with whom they had an established relationship. For office visits, 83% of beneficiaries had an established relationship. Office visits were the most common type of telehealth service, accounting for nearly half of all telehealth services (45.5 million office visits). Beneficiaries receiving home visits via telehealth were the least likely to have an established relationship with their provider (34%). However, home visits were only 1% of all services provided via telehealth.
There were some differences in telehealth utilization between beneficiaries in traditional Medicare and Medicare Advantage plan enrollees. This is not unexpected, since Medicare Advantage plans had greater flexibility to cover telehealth services prior to the pandemic. During the study period, one third of beneficiaries in traditional Medicare received telehealth services compared to 45% of Medicare Advantage enrollees. A slightly larger percentage of traditional Medicare beneficiaries (86% compared to 81%) had an established relationship with the telehealth provider compared to Medicare Advantage enrollees, except for physical, occupational and speech therapy. Both traditional Medicare and Medicare Advantage beneficiaries with established provider relationships had an in-person visit with the provider an average of four months prior to the first telehealth service.
Comment: this study should be reassuring to policymakers who worry that expanding telehealth eligibility permanently would open the floodgates to Medicare fraud. It suggests that Medicare beneficiaries are generally using telehealth as an adjunct to regular provider relationships.
- Published: 24 October 2021
- Last Updated: 24 October 2021
The Office for Civil Rights (OCR) of the Department of Health & Human Services has published guidance on what inquiries and disclosures about COVID-19 vaccination status are permitted. The OCR notes that the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule applies only to covered entities and their business associates. (Covered entities are health plans, health care clearinghouses and health care providers that conduct electronic transactions, and business associates are entities that provide various management and related services for covered entities.)
The HIPAA Privacy Rule does not prohibit businesses or individuals from asking whether customers or clients have received a COVID-19 vaccine. This is the case even for businesses that are covered entities or business associates, because the HIPAA Privacy Rule applies to uses and disclosures of protected health information (PHI) by covered entities and business associates, not requests for information. HIPAA also does not prohibit an individual from disclosing whether the individual has been vaccinated.
The OCR points out that the HIPAA Privacy Rule does not apply to employment records (including records held by covered entities or business associates in their capacity as employers). HIPAA does not regulate what information can be requested from employees as a condition of employment. Therefore, employers (including covered entities and business associates) can require their employees to provide documentation of COVID-19 vaccination, to sign an authorization for the employee's health care provider to provide such documentation, to wear a mask while on the employer's premises or in the course of performing their duties, or to disclose whether the employee is vaccinated if a patient asks for that information. The OCR notes, however, that the Americans with Disabilities Act requires that documentation of vaccination, like other employee health information, must be kept confidential and stored separately from personnel files. The OCR also addressed questions relating to employee health services. Health care providers are permitted to disclose PHI relating to an individual's vaccination status to an employer in connection with medical surveillance of the workplace or to evaluate whether the individual has a work-related illness, but only if the health care provider is providing services to the individual at the request of the employer, the individual is notified that PHI related to medical surveillance and work-related illnesses will be disclosed to the employer, and certain other conditions apply.
It is necessary to distinguish between employment records and health records maintained by a health care provider in the course of treatment. The HIPAA Privacy Rule generally requires covered entities, including health care providers, to obtain the patient's authorization in order to disclose information (with certain exceptions, such as disclosures to public health authorities).
- Published: 04 October 2021
- Last Updated: 04 October 2021
The Centers for Medicare and Medicaid Services (CMS) proposes to repeal the Medicare Coverage of Innovative Technology (MCIT) rule that was published on January 14, 2021, along with the definition of "reasonable and necessary" published at the same time. The effective date of these rules had previously been delayed to December 15, 2021. The proposal to repeal them will be published in the Federal Register on September 15, 2021.
Under the original MCIT rule, devices designated by the Food and Drug Administration (FDA) as breakthrough devices would be covered under Medicare for four years starting on the date that the FDA authorizes marketing of the device (or a later date if designated by the manufacturer). In proposing to repeal the MCIT rule, CMS notes that it and the FDA operate under different statutes in approving Medicare coverage by CMS, and breakthrough designation by FDA. The standard for Medicare coverage is a determination that a device is reasonable and necessary for the diagnosis or treatment of illness or injury or to improve the functioning of a malformed body part. In making national coverage determinations under this "reasonable and necessary" standard, CMS considers whether the item or service improves health outcomes for Medicare beneficiaries, who are typically older and with more comorbidities than the general population.
Under the FDA's processes for breakthrough designation, a device can be approved for this designation prior to marketing authorization. Under the Breakthrough Devices Program, medical devices and combination products must meet two criteria. First, the device must provide for more effective treatment or diagnosis of life-threatening or irreversibly debilitating diseases or conditions relative to the current standard of care. Second, the device must satisfy one of four elements:
- it represents a breakthrough technology;
- no approved or cleared alternatives exist;
- it offers significant advantages over existing approved or cleared alternatives; or
- device availability is in the best interest of patients.
CMS expressed concern that since the FDA does not require that Medicare beneficiaries be included in clinical studies required for marketing authorization, evidence that the device is reasonable and necessary for the Medicare population may not exist. Also, the MCIT rule would limit CMS's ability to deny coverage if a particular device is found to be harmful to Medicare beneficiaries; CMS could remove coverage only if the FDA removed marketing authorization or issued a warning letter.
The controversial aspect of the definition of reasonable and necessary published on January 14 was the extension of the appropriateness criteria to commercial insurers. CMS proposes to repeal this rule as well, but invites comment on this aspect. CMS invites comments on how to provide improved access to innovative technologies for Medicare patients. Comments are due within 30 days after the publication of the proposed rule on September 15.
- Published: 14 September 2021
- Last Updated: 14 September 2021