Consider clinical trial data collection through general-purpose consumer activity tracker bracelets (e.g. FitBit or Withings), continuous glucose monitoring devices, smartphone memory task applications (e.g. iPhone app to test Alzheimer’s drug) and other DHTs. Sponsors, investigators, institutions, IRBs, CROs and other stakeholders seeking information on how to use DHTs in clinical trials should consult the U.S. Food and Drug Administration (FDA) draft guidance entitled Digital Health Technologies for Remote Data Acquisition in Clinical Investigations (December 2021).
Sections I – III of this Alert walk through the draft guidance, with a focus on technology considerations that impact privacy, security and data integrity and quality. In Section IV, we explore the implications of the draft guidance, DHTs and associated general-purpose computing platforms from a study contracts perspective. We include pointers for managing the technologies and mitigating risk to study subjects, study data and stakeholders.
Definition. The draft guidance describes a DHT as any “system that uses computing platforms, connectivity, software, and/or sensors, for healthcare and related uses.” DHTs can include software as well as hardware, and sometimes consist of both. DHT hardware is often a sensor that continuously or intermittently records physiological and/or behavioral data. DHT software may run on a general-purpose computing platform, such as a mobile phone or smart watch. DHT software can administer electronic clinical outcome assessments (eCOAs), including Electronic Patient-Reported Outcome (ePRO) and Electronic Performance Outcome (ePerfO) reports.
Is the DHT a Medical Device? While DHTs transform study data collection, FDA cautions that a DHT may also be a medical device regulated by FDA. The draft guidance notes that DHTs used in clinical investigations typically would be exempt from requirements to obtain marketing authorization and other device requirements if the study complies with 21 CFR 812, but some DHTs are significant risk devices and would require an IDE. Whether a DHT meets the definition of a medical device is beyond the scope of this Alert.
Examples of DHTs include:
– A general-purpose consumer activity tracker bracelet with sensors is a DHT hardware.
– A memory task mobile application on which participants perform a clinical outcome assessment memory task is a DHT software that operates on a general-purpose computing platform (a smartphone or a tablet).
– An FDA-cleared continuous glucose monitor device that includes both a sensor and a mobile application is a combination of a DHT hardware (the glucose monitor sensor) and a DHT software (the mobile application). This DHT operates on a general-purpose computing platform (a smartphone or a tablet).
Appendix A of the draft guidance provides more detail.
DHTs dramatically improve the ease with which data can be collected and transmitted for trial subjects, sponsors and sites. DHTs enable the collection of a wide range of clinically relevant data without the need for in-person trial visits, and allow for more frequent or even continuous data collection. FDA notes that remote, continuous data collection may provide a more complete picture of subjects’ daily living experiences by directly recording subjects’ performance of activities of daily living and sleep. DHTs also present the opportunity for a wider pool of subjects to participate in clinical trials, such as cognitively impaired individuals who would be unable to report their own experiences and individuals who cannot easily travel to in-person study visits.
– DHT hardware and DHT software may not be sufficiently secure. DHTs necessarily involve electronic touchpoints, or interfaces, where they communicate internally and with other technologies, such as to transmit collected data. Connected systems can be vulnerable to the introduction of malware, threatening subjects’ privacy, data integrity and potentially stakeholder systems.
– DHTs that contain software and/or hardware provided by third parties often have terms of service. The draft guidance cautions sponsors, investigators and IRBs to consider how these terms may affect subjects and their privacy.
– While the draft guidance does not mention the privacy policies of DHTs or general-purpose computing platforms, stakeholders need to understand the associated privacy policies and their impact on the study subjects. Privacy policies are often opaque and convoluted. See discussion in Section IV below on addressing this in the informed consent and study contracts.
– We note that if DHTs capture HIPAA-covered protected health information (PHI) or personally identifiable information (PII), stakeholders need to consider whether HIPAA and state privacy, security and data breach laws apply. Stakeholders then need to factor compliance and risk mitigation into their clinical trial agreements, vendor agreements and other documents. See Section IV below.
FDA intends the draft guidance to facilitate the use of DHTs in clinical studies. The draft guidance covers the following:
In selecting a DHT for use in a clinical trial, sponsors should consider whether the DHT meets the definition of a device under section 201(h) of the Food, Drug, and Cosmetic Act to determine whether it may be exempt from applicable requirements to obtain marketing authorization and other device requirements.
When assessing whether a DHT is fit-for-purpose (that the level of validation associated with the DHT is sufficient to support its use in the clinical investigation), sponsors should consider, among other things:
Population. The characteristics of the clinical investigation population, to ensure that participants are able to use the DHT (and general-purpose computing platform, if applicable).
Design and Operation. The design and operation of the DHT, including power and network needs, ease of use, and how to minimize missing or lost data. The draft guidance lists many points such as data storage capacity, frequency of data transmission, low battery and poor signal alerts, environmental factors and more.
BYOD (Bring Your Own Device). The use of a subject’s own DHT or general-purpose computing platform, including accuracy and precision across brands and models and the minimum technical specifications necessary for proper measurement of data.
Free Access. Whether all subjects have the necessary technology to use the DHT. To ensure that subjects with limited access are not excluded from the clinical trial, sponsors may need to provide DHTs, general-purpose computing platforms, and/or telecommunications technologies. We remind sponsors to steer clear of the Federal Anti-Kickback Statute and other fraud and abuse risks by using appropriate compliance measures when providing free products or services.
Sponsors should include a description of the DHT in FDA submissions, including:
– Why the DHT is fit-for-purpose for use in the study.
– How the DHT is worn, operated, and charged.
– How the DHT measures data.
– Privacy and security controls.
– Attributability of data to the subject.
– Information on data management, including collection, storage, transmission, and archiving, to help show data integrity.
Verification and validation describe the steps that ensure that the DHT is fit-for-purpose for remote data collection, including by showing that the data collected by the DHT is measured accurately and precisely over time, and that the DHT appropriately assesses the clinical event or characteristic. Usability testing should be done to address potential DHT-use errors or problems that subjects may experience. Deep dives by the draft guidance include:
Sensor-based DHTs. If the protocol permits more than one brand or model of DHT to collect the same data, sponsors should verify that measurements across protocol-specified DHTs are consistent.
DHT software. Specific verification and validation considerations exist for DHT software used to administer eCOAs.
General-purpose computing platforms. Sponsors should assess whether the computing platform could adversely impact the functioning of the DHT software.
Interoperability. Connected systems in the study should be able to effectively and securely exchange information.
Usability studies. These studies should enroll a cohort similar to the intended trial population to identify any issues with use and improve the functionality of the DHT, user satisfaction, and the content of instructions provided to trial subjects and personnel.
Sponsors should include a definition and description of the clinical endpoints measured from data collected by the DHT and justify any novel endpoints.
The SAP should discuss analyses of data collected from DHTs. The SAP should prespecify intercurrent events that may be related to the DHT and, as applicable, the general-purpose computing platform. Missing or erroneous data may occur as a result of intercurrent events, including:
– Software updates that change how the data are collected or that change the algorithms used to process data.
– Software incompatibility caused by operating system upgrades.
– Trial participant error or non-compliance with study procedures.
– DHT or general-purpose computing platform failure.
– Data transmission failure.
Sponsors should consider clinical and privacy-related risks to study subjects. See Sections III-IV below for discussion.
Data collected by DHTs should be securely transferred and stored in a durable electronic data repository and included in the record of the clinical investigation. See Section III below for discussion.
FDA recommends that sponsors and investigators develop plans for training study subjects and personnel, risk management, and management of DHT updates, error, or loss. In some cases, the responsibility clearly falls on the sponsor; in other cases, the draft guidance does not specify. See Section III below for discussion.
FDA advises sponsors, investigators and IRBs to consider the clinical and privacy risks to subjects associated with using DHTs for data collection. Certain risks may need to be assessed by the IRB, communicated in the informed consent, and addressed by the sponsor in the FDA submission.
Clinical risks: FDA notes that the physical features of the DHT may pose clinical risks to subjects, such as skin irritation from a wristband. In some cases, study subjects should receive re-use and cleaning instructions to prevent infection and other adverse events. FDA also cautions sponsors to consider cybersecurity risks that could impact the DHT functionality or compromise patient privacy.
Privacy-related risks: FDA warns that unique privacy risks may arise when using DHTs and, as applicable, the general-purpose computing platforms they run on, in a clinical trial. Concerns include:
– Potential disclosure of identifiable information via a breach of the DHT, general-purpose computing platform or durable electronic data repository.
– Safeguards for data at rest and in transit.
Informed consent: FDA makes numerous recommendations for the informed consent. See Section IV below.
Secure data collection, transmission and storage can help mitigate risk:
Durable Electronic Repository: Per the draft guidance, the data captured by the DHT, including the relevant metadata, should be securely transferred to and retained in a durable electronic data repository as part of the record of the clinical investigation.
Part 11: FDA reminds sponsors to comply with 21 CFR Part 11 and specifically refers to FDA’s 2017 draft guidance that addresses, among other things, mobile technologies that allow for remote data capture directly from study subjects. See Use of Electronic Records and Electronic Signatures in Clinical Investigations Under 21 CFR Part 11 – Questions and Answers (June 2017) (2017 Draft Guidance).
Breach of DHT and Repository: Sponsors should consider the risk of breach of both the DHT and the electronic data repository. Data security should be safeguarded at all stages, including collection, transmission, storage and archiving.
Source Data: FDA would generally consider the data in the durable electronic data repository to be source data. This source data becomes part of the case histories and should be available for inspection under 21 CFR 312 and 812.
The last section of the draft guidance provides more nuts-and-bolts considerations for sponsors and investigators to help ensure data integrity and quality, participant safety and protection, and compliance with regulatory requirements.
As further discussed below, FDA recommends that sponsors consider including a training plan for participants and personnel, and that investigators be responsible for ensuring training of trial participants per the sponsor’s protocol. FDA further recommends that sponsors develop a risk management plan and a plan for management of DHT updates, changes, and error.
The draft guidance advises sponsors to ensure training of study subjects and study personnel on using DHTs and associated general-purpose computing platforms according to the protocol (e.g. wearing the DHT for a specific period of time). The draft guidance addresses numerous training topics, such as:
– DHT and general-purpose computing platform activation and setup.
– Data collection, uploading, or syncing.
– Data privacy and security measures.
– Sharing the same DHT with other individuals.
– Connecting to wireless networks.
– Proper DHT wearing, cleaning, or other maintenance.
– Handling of adverse events and response to DHT notifications, including errors.
– Technical assistance to subjects and personnel, potentially in collaboration with the DHT manufacturer or vendor.
Training materials should be part of the FDA submission.
FDA advises sponsors to develop a risk management plan to address potential problems that subjects may have with the use of the DHT or general-purpose computing platform, including:
– Clinical and privacy risks (see discussions in this Section III above and in Section IV below).
– Potential interference between the functions of the DHT used for the clinical investigation and other potential functions of the DHT. This is of particular concern if subjects use their own DHTs or general-purpose computing platform.
– Loss, damage or replacement of the DHT or general-purpose computing platform, including a corrective action plan to prevent compromising subject privacy or data integrity.
– Subjects upgrading or updating the DHT or general-purpose computing platform during the study.
Sponsors also should develop a safety monitoring plan for reviewing and managing any abnormal patient measurements related to participant safety.
Changes to the DHT or general-purpose computing platform could lead to variability of results. FDA recommends contingency plans for updates, model discontinuations and new model releases. In addition, sponsors should:
– Keep records of the timing and nature of all updates.
– Ensure the updates do not impact the verification and validation.
– Consider locking software algorithms for the entire study to ensure that results are not meaningfully different.
FDA advises that, “unless there is a security concern,” when feasible, planned software or operating system updates should be delayed until the end of the study if they could modify how the DHT signal is processed or interpreted. In real life, computer operating systems and software applications are constantly updating for security concerns. This recommendation may be challenging to implement in practice.
FDA advises stakeholders to have procedures in place to identify and handle DHT and general-purpose computing platform errors, such as problems with batteries, sensors, etc.
FDA also advises sponsors to pursue corrective actions if malware is detected. We advise stakeholders to carefully allocate liability for security incidents and data breaches in the clinical trial agreement and vendor agreements, depending on how and where the malware intruded and the parties’ respective obligations.
In addition to suggestions geared to all stakeholders and specifically to sponsors, the draft guidance advises investigators to:
– Ensure subjects understand what information the DHT will collect, and how data security and privacy will be maintained.
– Ensure subjects are trained on using the DHT according to the protocol.
– If required by the protocol, review data from DHTs periodically.
To guide stakeholders on managing risk in the informed consent and in their study contracts, the remainder of this Alert applies our technology law experience to the draft guidance recommendations. Please note that the draft guidance does not discuss privacy policies, but because privacy policies typically are integral to the end user license agreement or terms of service, our discussion covers privacy policies.
Ignoring Terms: Privacy policies, end user license agreements and terms of service (together, “PP & EULAs”) are everywhere. Users of software, hardware and web sites routinely ignore them (how often do you read the terms before clicking “I agree”?). DHTs and any general-purpose computing platforms they run on should be accompanied by appropriate PP & EULAs vetted by the applicable stakeholder(s). Silence or poorly drafted terms suggest the manufacturer is more of a fly-by-night operation that may be skimping on regulatory compliance.
Your Phone as an Example: While this is not an Apple promotion, for an example of how a general-purpose computing platform’s PP & EULAs may affect study subjects, see the Apple iPhone’s “Sensor & Usage Data & Privacy” policy. Go to Settings/Privacy/Research Sensor & Usage Data for information on how Apple shares information gathered by your iPhone sensors (and other means) with research studies. To access the initial terms, click “Learn more about Sensor & Usage Data.” At the end of the terms, you will reach a “Learn More” link that takes you to a Data & Privacy page containing additional information. DHTs and any general-purpose computing platforms they operate on may contain multiple layers of PP & EULAs, depending on each technology and the manufacturer. This iPhone example reflects only one portion of the PP & EULAs that stakeholders should review before employing DHTs and when drafting the informed consent and their study and vendor contracts.
Data Sharing with Third Parties: The draft guidance notes that PP & EULAs may “allow DHT manufacturers and other parties to gain access to personal information and data collected by the DHT.” We hope this raises alarm bells for you. Study subjects need to know if their data is shared outside of the study. Stakeholders in clinical trials using DHTs should work to understand the often complex PP & EULAs and factor them into the informed consent process. Further, FDA notes that it may be appropriate for sponsors to work with the DHT or general-purpose computing platform manufacturer to modify their terms to protect study subject data privacy.
The draft guidance walks through how the informed consent (ICF) should address DHTs used in the study and, if applicable, any general-purpose computing platform they run on.
The ICF must:
– Include reasonably foreseeable clinical and privacy risks or discomforts related to DHT use and should address how to mitigate the risks most likely to occur.
– Indicate unforeseeable risks, if applicable.
– Address any added costs to subjects, such as data usage charges for using the DHT or general-purpose computing platform.
The ICF should explain:
– The type of information collected by the DHT, and how it will be used and monitored.
– What subjects should do in case of concerning or abnormal clinical events detected by a DHT, such as seeking emergency medical attention (e.g. abnormal cardiac rhythm).
– Who will have access to the data collected by the DHT (including DHT manufacturer and other third parties) and for how long.
– Measures taken to protect participant privacy and data.
– If applicable, that the subject’s data will be shared with the DHT or general-purpose computing platform manufacturers or other third parties, according to terms of the PP & EULAs. The draft guidance notes PP & EULAs are typically long and use complex terminology, and advises sponsors and investigators to understand their terms and how they may impact study subjects.
– A clear understanding of the PP & EULAs – possibly accompanied by discussions or negotiations with the manufacturer – will be essential to drafting the ICF.
Looking beyond the draft guidance, in their contracts, stakeholders should address liability and compliance issues associated with the DHTs and any general-purpose computing platforms they run on in order to protect subject privacy, data security, and stakeholder systems. Review should include all PP & EULAs, the clinical trial agreement (CTA) and vendor agreements.
First, stakeholders need to understand data basics and the technology obligations.
Data Mapping: Engaging in a data mapping exercise is critical to understanding the data landscape and information flow for the DHTs, associated general-purpose computing platforms, and connected systems the data flow into. Stakeholders need to identify what data is collected; whether the data is protected by law (e.g. PHI and/or PII); where and how data is collected, stored and transmitted; and what entity(ies) have access to the data and/or own the technology at each step along the way. This exercise also needs to include the technologies and systems that the DHTs and associated platforms communicate with. Answers to these questions will impact the informed consent, training, study conduct and underlying contracts such as the CTA and vendor agreements.
Matrix: To create a high level view of who is responsible for what, stakeholders can create a matrix of responsibilities that takes into account the data mapping results and reflects the functions, features and regulatory and compliance issues for the DHTs and associated general-purpose computing platforms. The matrix would indicate responsibilities (logistically and from compliance and risk allocation perspectives) under the PP & EULAs, CTAs and vendor agreements.
With a good handle on the data mapping and responsibilities matrix, stakeholders can bake the results into their contracts. As applicable, CTAs, vendor agreements and other study-related contracts should address:
Risk Allocation: Careful allocation of risk among contracting parties with regard to the DHT and applicable general-purpose computing platform. Key topics include security measures, notification of security incidents/data breaches, cooperation, responsibility for malware, mitigation, corrective actions, costs, compliance with federal and state privacy and security law, audit, indemnification, limitation of liability and cyberinsurance.
Responsibility Delineation: Clear delineation of each party’s responsibilities for each element identified in the draft guidance and in the associated plans developed per the draft guidance (e.g. training, technical assistance, management plan for DHT updates, changes, and error and more). Depending on the issue, one party may have front-line obligations for certain items with the ability to escalate to the other party.
Flow Down Terms: Appropriate flow down terms to vendor agreements, such as CRO and monitoring agreements.
Training: Obligations regarding DHT training for study subjects and site personnel.
Free Products and Services: Sponsor provision of free DHTs, general-purpose computing platforms, and/or telecommunications technologies, where appropriate, in the CTA. These terms should be accompanied by appropriate fraud and abuse language.
PP & EULA Terms: Provisions required by or advisable in light of the specific PP & EULAs of the DHTs and any general-purpose computing platforms.
Added Costs: Budget impact, if any, of added obligations.
For more information, see our earlier post on privacy and security risks for CTAs and vendor agreements.
The draft guidance sets forth a framework for implementing DHTs and associated general-purpose computing platforms in an effective, accurate and safe manner to remotely obtain data directly from study subjects. FDA’s recommendations range from what to include in submissions to demonstrating fitness for purpose to informed consent considerations, training, durable electronic repositories, plans for managing problems encountered by subjects and DHT updates and errors, and more.
While DHTs open new doors for study conduct, they complicate matters, too. This is particularly true for subject privacy, data integrity and quality, and the security of the many connected electronic systems that may be involved. Sponsors, research institutions, IRBs, CROs and other stakeholders need to understand the technology, data mapping results, the PP & EULAs and connectivity of the stakeholders’, subjects’ and third party systems. Then – and this is key to mitigating risk to study subjects, study data and stakeholders – they need to turn around and allocate related rights and obligations in their CTAs and vendor agreements, possibly after first having negotiated revisions to the DHT and platform PP & EULAs.
With their continuous, remote data collection and broad population reach, we expect the use of DHTs in clinical studies to grow over time. We encourage stakeholders to take advantage of this and to anticipate accordingly in their contracts and compliance.
 The author would like to thank Zoe Dettelbach for her contribution to this post.
The contents of this alert should not be construed as legal advice or a legal opinion on any specific facts or circumstances. This content is not intended to and does not, by its receipt, create an attorney-client relationship. The contents are intended for general informational purposes only. We urge you to consult your attorney about the specific situation and any legal questions you may have. Attorney advertising in some jurisdictions. © 2023 Leibowitz Law. All rights reserved. “Leibowitz Law” is a trade name of Leibowitz LLC.