Q1 2020

DIGITAL HEALTH REPORT

During this unprecedented time, digital health is disrupting our healthcare delivery system for the better. Digital health companies are working hard to provide innovative , digital screening, and testing services. They are leveraging AI to assess symptoms, model outcomes, and identify possible treatments for COVID-19. Digital health companies are providing physicians and other frontline responders with new tools to fight this pandemic.

The Wilson Sonsini digital health team is here to support you during this time. Providing a cross-functional team approach for our digital health clients, we can help you:

• understand the latest regulatory changes;
• draft and enter into contracts;
• protect your ground-breaking intellectual property (IP); and
• obtain financing for your next round of innovation.

Please feel free to reach out to your Wilson Sonsini team member or a member of the digital health practice group for assistance.

In This Issue

• Machine Learning Legal Issues for Digital Health Companies in Commercial Transactions
• How to Incorporate FDA into Your R&D
• Preparing for Your First Sale: How Digital Health Companies Can Plan for Healthcare Business
• How HITRUST Can Help Get You to a Series A

Machine Learning Legal Issues for Digital Health Companies in Commercial Transactions

By Rob Parr and Scott McKinney

With its potential to revolutionize industries and products of all types, “machine learning” (ML) is a hot topic. ML, a sub-category of artificial intelligence, refers to algorithms that are programmed to analyze data, learn from that analysis, and improve themselves. ML has gained significant traction in the digital health space, with numerous digital health companies developing ML products designed to help predict, detect, and treat illness, increase the efficiency of delivering healthcare, and find solutions to other complex challenges facing health providers, payers, and patients. Artificial intelligence technologies like ML present some unique legal challenges for digital health companies, and traditional contract approaches may not properly address intellectual property, risk allocation, data use, and other important issues that are unique to ML or artificial intelligence more generally.

This article is intended to highlight for digital health companies that wish to commercialize ML-enabled technologies (ML Providers) five key areas in commercial contracts where we routinely help clients identify and address certain issues unique to artificial intelligence and ML.

1) Input Data. Input data refers to data that ML technologies process to generate a given output. ML Providers benefit from obtaining vast amounts of input data,


because the more input data ML technologies process the “smarter” those technologies become. This is especially true for ML Providers whose products focus on preventing, diagnosing, or treating medical conditions given the importance of generating accurate results. We often find that agreements do not adequately and clearly address the data provider’s and data recipient’s rights to input data, so ML Providers should be careful to obtain proper input data licenses or usage rights to avoid claims of intellectual property misappropriation or infringement.

(a) Negotiated Terms. ML Providers may obtain input data pursuant to negotiated contract terms, such as from their customers or other commercial data providers. In these negotiated transactions, ML Providers should consider seeking rights to modify, restructure, and reorganize input data, and to use input data, including when aggregated with other data, to enable ML Providers to train and improve their ML technologies and to create output data (further described in Section 3 below). ML Providers should also consider trying to get perpetual rights to store and use the input data because it can be difficult to track data sources and to separate individual data elements from larger data sets. ML Providers should also carefully review any confidentiality terms in their contracts with data providers to ensure those provisions do not prevent the ML Providers from storing, processing, and using the input data in the manner that they plan to. ML Providers should also consider obligating data licensors to provide input data on an aggregated and de-identified basis because that aggregated and de-identified data is more likely to be exempt from laws that govern the collection, use, disclosure, and protection of sensitive data such as personal information. This is especially important for ML Providers whose ML technologies are designed to process patient data that would be subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) unless that data is de-identified in accordance with HIPAA’s specific requirements. Finally, ML Providers who obtain input data under negotiated terms should also consider trying to obtain specific representations, warranties, and covenants regarding the input data as further described in Section 4(c) below.

(b) Non-Negotiated Terms. ML Providers may also obtain input data from many different online sources under standardized, non-negotiated contractual terms. These kinds of terms typically apply to health-related, open sourced scientific or research data made available in online repositories and to data obtained from third party websites. ML Providers should exercise caution when obtaining input data in this manner. Non-negotiated terms often allocate to the data user all risks associated with using the data and may also include specific data use terms governing what a data user can and cannot do with the data. For ML Providers whose ML products are designed to function as diagnostic or treatment tools for certain medical illnesses, assuming all risks associated with the use of source data could mean that the ML Provider is taking on significant risk. Before downloading or using data that is available under non-negotiated terms, ML Providers should carefully evaluate the corresponding data use terms to ensure that the ML Provider’s intended use of the data complies with all applicable data use rights and restrictions. It is also in many ML Providers’ interests to track the source(s) for input data obtained under standardized terms to evaluate potential risks associated with using the data and better enable ongoing compliance with applicable license terms.

2) ML Technology Improvements. Absent clear contractual terms describing each party’s rights to improvements to, changes to, and derivatives of the underlying ML technology that arise from an engagement between an ML Provider and an ML technology licensee (Improvements), there is legal uncertainty around who would be deemed to own those Improvements, especially when the


licensee may exert some control over the operation of the ML technology.[1] Accordingly, ML license agreements should state clearly who owns all Improvements as a contractual matter between the parties and properly effect transfer of ownership from one party to the other with appropriate contractual assignment language.

The ML Provider could start with the position that it will exclusively own Improvements. This is often the most practical approach from the ML Provider’s standpoint because Improvements may arise from an aggregation of inputs and actions that cannot be attributed solely to one party or licensee and may not be readily separable from or useful independent of the baseline ML technology. If a licensee of ML technology pushes for ownership to Improvements during a negotiation, then the ML Provider should evaluate whether to accommodate that request on a case-by-case basis, taking the relevant circumstances into account. Ultimately, the ML Provider’s goal is to only cede ownership over a narrowly defined category of Improvements that in fact can be readily separated from the baseline ML technology, and to try and obtain a broad and unrestricted license back to use those Improvements in the future.

3) Output Data. ML technologies process input data to produce a given output. Although this output data may be protectable as intellectual property, primarily under trade secret law[2], in some cases the protection offered to ML output data by intellectual property laws and other legal doctrines is ambiguous or altogether non-existent. As a result, similar to the approach we described in Section 2 above for Improvements, ML license agreements should clearly and expressly identify who owns the output data as a contractual matter between the parties and include appropriate assignment language to effect the desired allocation of ownership rights. ML license agreements should also address any rights the non-owner obtains to use the output data. If output data is sensitive or valuable to an ML Provider, then an ML Provider who owns that output data pursuant to its ML agreement could try to grant the licensee of that output data a license to use the output data that is narrowly tailored to the licensee’s needed use cases and that includes clear restrictions on use and obligations sufficient to maintain the secrecy of the output data. An ML Provider who cedes ownership of the output data also could try to obtain a broad license to use that data on a go-forward basis as described in Section 1 above.

4) Risk Allocation. ML Providers should also consider trying to negotiate risk allocation provisions in their license agreements to obtain certain protections for the transaction. The ultimate terms of that protection will depend on the ML technology being licensed, its intended application and the applicable deal dynamics, including the parties’ respective bargaining power. That said, at a minimum, these general guidelines may be helpful for ML Providers to consider when contracting with customers/licensees:

(a) Representations and Warranties – ML Provider representations and warranties about the accuracy, quality, or performance of the ML technology and output data present some unique challenges in transactions involving the licensing of ML technology. These things can be difficult to gauge when the ML technology learns during an engagement, particularly given the opacity that surrounds exactly how ML technology makes decisions and produces output data.

(b) Indemnification – ML Provider indemnification commitments could be drafted such that the ML Provider does not have an obligation to indemnify the licensee for issues that are more directly traceable to the licensee’s activities or that are more readily within the licensee’s control. For example, this may include third-party claims alleging violations

1 U.S. copyright law covers original works of authorship fixed in a tangible medium of expression, and U.S. patent law generally covers novel, useful, and non-obvious inventions. U.S. copyright and patent laws are currently interpreted to cover only works of authorship and inventions created by humans. For example, in Naruto v. Slater, 888 F.3d 418 (9th Cir. 2018), the Ninth Circuit Court of Appeals held that only humans have standing to sue for copyright infringement and the U.S. Copyright Office has taken the position that copyrights in works of authorship can only vest in humans. See Compendium of the U.S. Copyright Office Practices, Third Edition, Section 306. Similarly, the U.S. Patent Act protects inventions created by “individuals” and includes other requirements that may not be readily satisfied by a machine inventor. See 35 U.S.C. § 100(f). Given the current state of U.S. copyright and patent laws, it will in many cases be unclear who would be deemed to own or have rights to improvements to ML technologies arising from processing a data provider’s input data absent clear contractual terms that address this issue.

2 U.S. trade secret laws apply to valuable, non-public information that is subject to reasonable efforts to maintain its secrecy.


of intellectual property or other rights directed to Improvements arising from processing the licensee’s input data or the licensee’s operation of the ML technology.

(c) All Necessary Rights – Consider seeking representations, warranties and covenants from the licensee that it: i) has and will continue to have all rights and consents necessary to provide the input data to the ML Provider for use as permitted by the applicable agreement; and ii) will use the output data in compliance with all current and future laws, and consider seeking an indemnity for third-party claims alleging a breach of these commitments.

(d) Limitation of Liability – Consider trying to include a limitation on liability provision that covers claims asserted under all theories, including tort and statutory claims, to help protect the ML Provider from potential products liability lawsuits related to ML technology failures or defects. These provisions typically i) limit recoverable damages in disputes between the parties to direct damages only (i.e., damages that immediately and naturally result from the breach, as opposed to indirect damages, such as lost profits) and ii) incorporate an overall ceiling or “cap” on liability. Limitations on liability typically exclude certain types of claims from their coverage (e.g., indemnification claims). ML Providers should carefully consider any proposed exclusions and whether to negotiate that those exclusions should be subject to other rules on liability (e.g., higher caps on liability).

5) Compliance with Laws. New regulation in the artificial intelligence field may be on the horizon.[3] ML Providers should prepare accordingly and consider trying to negotiate terms in their contracts with their licensees that would allow them to adjust their product offerings or terminate their agreements altogether if new laws or regulations take effect that would outlaw or substantially constrain them from licensing, operating, or training their artificial intelligence products as originally contemplated in their agreements with licensees.

ML Providers should also closely scrutinize the extent to which they may be subject to certain laws given the nature of the input data they ingest, the output data they may create and their relationships with their licensees. For example, ML Providers who process “protected health information” on behalf of a “covered entity” are subject to HIPAA as a “business associate.” And, ML Providers that ingest personal data may be subject to a growing body of data privacy laws that include onerous compliance obligations and significant penalties for non-compliance, such as the EU’s General Data Protection Regulation 2016/679 and the California Consumer Protection Act, and certain state laws regulating how companies can use biometric data that are working their way through state legislatures. ML Providers must diligently assess whether data privacy laws like these laws apply, and, if so, take the necessary steps to ensure continued compliance.

Conclusion

This article highlights five key areas where we often help ML Providers identify and address certain important issues in commercial transactions involving ML technologies. ML Providers should keep in mind that using ML technology can present other risks that are beyond the scope of this article, so it is important to engage counsel to help ensure those risks are adequately evaluated and addressed.

3 For example, on January 7, 2020, the White House Office of Science and Technology released a memorandum proposing new rules to guide future federal regulation of artificial intelligence technologies. See Guidance for Regulation of Artificial Intelligence Applications, January 7, 2020. This is one of several recent developments signaling possible future regulation in the artificial intelligence space in the U.S.


How to Incorporate FDA into Your R&D

By Eva F. Yin and Paul S. Gadiock

Whether a software or a hardware product is subject to U.S. Food and Drug Administration (FDA) regulation is impacted significantly by the intended use(s) and the claims associated with the product. Understanding the impact of these and other factors on how a product may be regulated by the FDA early in the R&D provides a valuable opportunity for a company to strategically design its product around functionalities that trigger FDA regulation and premarket authorization so that it can go to market sooner. Releasing an earlier version of the product that falls outside of the FDA’s jurisdiction can provide the ability to collect important data, including user feedback and market data, for supporting a regulatory authorization of subsequent versions of the device that incorporate FDA-regulated functionalities. Pursuing these different versions of the product simultaneously (or in parallel) with both short-term and long-term goals in mind can also allow a company to adapt more easily to the changing regulatory landscape, market trends and consumer demands, and evolving technology in the digital health space.

[Figure: Design to avoid FDA regulation – general wellness, non-device CDS, software exemptions. Design intermediate versions with shorter and easier regulatory pathway to market. In parallel, prepare for FDA regulatory filings for subsequent versions with more complex and/or higher risk functionalities.]

Of course, companies would need to carefully assess whether it is commercially viable to release an earlier non-FDA regulated product, with due consideration of the intellectual property strategy and the risk of reverse engineering by competitors. In some cases, the potential benefits of launching a non-FDA regulated product may be outweighed by the costs associated with doing multiple commercial launches of incremental versions of the product. Furthermore, the ability to market and claim that the product has been FDA cleared or approved can provide significant competitive advantage by increasing consumers’ and investors’ confidence in the product.

In particular, companies with a first-in-class technology that will require premarket authorization through either the De Novo (available only for Class I and II medical devices) or the PMA (for Class III medical devices) pathway, both of which typically require significantly more time, data, and resources than the 510(k) pathway, should clarify and incorporate their FDA regulatory strategy in their R&D as early in the process as possible. For example, to obtain clinical data on an FDA-regulated product before clearance or approval for product development or to support an FDA filing, companies should take into account that an Investigational Device Exemption (IDE)[1] may be needed before one can test their investigational product in humans.

Another strategy to generate clinical data is for the digital health product to collect data from users that can be used to validate future regulated functionalities that are not presently manifested in the product. Under this stepwise approach to product use and not prematurely treading into FDA-regulated territory, manufacturers may be able to amass data for future FDA-regulated functionalities while bypassing the need for an IDE.

Not allocating sufficient time and resources to consider how the FDA may regulate the company’s product or delaying such consideration until

1 FDA, IDE Application, available at https://www.fda.gov/medical-devices/investigational-device-exemption-ide/ide-application.


much later in the R&D or just before commercial launch can end up costing more time and resources than strategizing with an FDA regulatory counsel earlier in the R&D process, when companies have an opportunity to tailor their product design according to their regulatory and market strategies.

Designing Around FDA Jurisdiction as a Non-Medical Device

In general, products that are intended for use in the diagnosis, cure, mitigation, treatment, or prevention of a disease or other condition, or intended to affect the structure or any function of the body are considered medical devices subject to FDA regulation.[2] One approach is to design a product that does not implicate these functions so that it is not considered a regulated medical device. In the digital health space, common categories of products that the FDA does not regulate include low-risk, general wellness products and non-device clinical decision support (CDS) products, each of which is summarized below.

1) Low risk, general wellness products

General wellness products are those that present a low risk to the safety of users and other persons and have an intended use that either 1) relates to maintaining or encouraging a general state of health or a healthy activity, or 2) relates the role of a healthy lifestyle with helping to reduce the risk or impact of certain chronic diseases or conditions and where it is well understood and accepted that healthy lifestyle choices may play an important role in health outcomes for the disease or condition.[3] To be considered low risk, the general wellness product should not be invasive, implanted, or involve any intervention or technology that may pose a risk to the safety of users and other persons if specific regulatory controls are not applied, such as risks from lasers or radiation exposure.

Further, the design of the general wellness product as well as all promotional materials and claims associated with the product, including the instructions for use and the company’s website, must comply with one of the following principles: 1) claims about sustaining or offering general improvement to functions associated with a general state of health do not make any reference to diseases or conditions; or 2) if making reference to diseases or conditions, then the intended uses must be narrowly tailored to promote, track, and/or encourage choice(s), which, as part of a healthy lifestyle, i) may help to reduce the risk of or ii) may help living well with certain chronic diseases or conditions. Claims that exceed these limitations may subject the product to FDA regulation.

Examples of general wellness claims or intended uses that fall outside of FDA regulation include:[4]

• Software that coaches breathing techniques and relaxation skills, which, as part of a healthy lifestyle, may help living well with migraine headaches.
• Software that tracks and records your sleep, work, and exercise routine which, as part of a healthy lifestyle, may help living well with anxiety.
• Product that promotes making healthy lifestyle choices such as getting enough sleep, eating a balanced diet, and maintaining a healthy weight, which may help living well with type 2 diabetes.
• Product that promotes physical activity, which, as part of a healthy lifestyle, may help reduce the risk of high blood pressure.
• Software that tracks your caloric intake and helps you manage a healthy eating plan to maintain a healthy weight and balanced diet. Healthy weight and balanced diet may help living well with high blood pressure and type 2 diabetes.

2) Non-device clinical decision support (CDS) products

Another common category of products that falls outside of FDA jurisdiction is non-device CDS products that meet the following four criteria:[5]

1) not intended to acquire, process, or analyze a medical image or a signal from an in vitro diagnostic device or a pattern or signal from a signal acquisition system;
2) intended for the purpose of displaying, analyzing, or printing medical information about a patient or other medical information (such as peer-reviewed clinical studies and clinical practice guidelines);
3) intended for the purpose of supporting or providing recommendations to a healthcare professional about prevention, diagnosis, or treatment of a disease or condition; and
4) intended for the purpose of enabling such healthcare professional to independently review the basis for such

2 21 U.S.C. § 321(h).

3 FDA, General Wellness: Policy for Low Risk Devices (September 27, 2019), available at https://www.fda.gov/media/90652/download.

4 FDA, General Wellness: Policy for Low Risk Devices, at 5.

5 FDA, Clinical Decision Support Software (September 27, 2019), available at https://www.fda.gov/media/109618/download.


recommendations that such software presents so that it is not the intent that such healthcare professional rely primarily on any of such recommendations to make a clinical diagnosis or treatment decision regarding an individual patient.

For additional information on FDA exemptions, please refer to the Fall 2019 issue of the Digital Health Report.[6]

Planning Ahead for Premarket Authorization

Products that include functionalities of an FDA-regulated medical device, such as those that are intended to treat, diagnose, prevent, or mitigate a disease or health condition, will likely require premarket authorization by the FDA before the product can be legally distributed or marketed in the U.S. However, even within the realm of FDA-regulated medical devices, some medical devices are exempt from premarket notification or approval. For medical device products that are subject to FDA regulation and are not exempt from premarket notification, they generally require FDA premarket clearance through the 510(k) pathway, which requires demonstrating substantial equivalence to a previously cleared medical device, or a PMA approval for high risk Class III medical devices. The FDA aims to review 510(k) submissions within 90 days, subject to delays due to requests for additional information or questions raised by the FDA during the review process.[7]

For medical devices that are not considered high risk Class III medical devices and where there is no substantially equivalent predicate (e.g., due to a new technology or a new intended use that raises new questions of safety or effectiveness), the company will need to submit a De Novo request to the FDA, including clinical testing, validation, and special controls for providing reasonable assurance of safety and effectiveness for the intended use(s). The FDA aims to review De Novo requests within 150 calendar days, but the process can take longer if the FDA requests additional information or raises any issues during the review.[8]

Once the De Novo request has been granted, the FDA will establish a new classification regulation for a new device type, which allows competitors to use the product as a predicate device for their 510(k) submission. In some cases, the FDA may change the regulation and later exempt such device type from premarket notification. As such, companies with first-in-class products subject to FDA approval through the De Novo pathway will likely incur more cost than competitors who enter the market later through the shorter and less costly 510(k) regulatory process by using the earlier product as a predicate. That said, companies can also exploit this strategy by exploring available predicates for releasing intermediate versions of the product with functionalities that can be cleared by the FDA through the shorter 510(k) pathway, while pursuing in parallel a fully loaded version of the product for approval under the De Novo or PMA pathway.

Conclusion

Incorporating FDA regulatory strategy early in the R&D can provide significant competitive advantage and help companies avoid regulatory pitfalls, adapt more easily and quickly to changing market trends and consumer demands, and overcome hurdles in obtaining the appropriate FDA premarket authorization for the company’s product(s). Early in the R&D, companies can more easily design their product or diversify their pipeline to avoid FDA regulation entirely, or plan for intermediate versions of the product that present faster FDA regulatory pathways to market, while simultaneously developing and pursuing the appropriate FDA premarket authorization for more regulated functionalities of the product. Such a diversified strategy can help start-up companies obtain critical data, revenues, and additional financing needed for further R&D and for supporting FDA filings for subsequent versions of the product.

6 WSGR Digital Health Report: Fall 2019, “A Window into the FDA’s Risk-Based Regulatory Approach for Clinical Decision Support Software” and “Qualifying for FDA’s Medical Software Exemptions” available at https://www.wsgr.com/en/insights/digital-health-report-fall-2019.html; FDA, Clinical Decision Support Software (September 27, 2019), available at https://www.fda.gov/media/109618/download.

7 FDA, 510(k) Submission Process, available at https://www.fda.gov/about-fda/510k-submission-process#substantive.

8 FDA, De Novo Classification Request, available at https://www.fda.gov/medical-devices/premarket-submissions/de-novo-classification-request#FDA_Review_and_Review_Timeline; De Novo Classification Process (Evaluation of Automatic Class III Designation) (October 30, 2017), available at https://www.fda.gov/media/72674/download.


Preparing for Your First Sale: How Digital Health Companies Can Plan for Healthcare Business

By Melissa Hudzik

It is no surprise that technological advances have changed the practice of medicine. Technology companies are creating digital health products that are modernizing and advancing the healthcare industry far beyond what any of us would have believed possible just a few years ago. Digital health products consist of a wide range of items, from devices sold direct-to-consumers to software that is added to operating room equipment in hospitals. Bringing digital health products to the healthcare industry requires companies to consider who is going to buy and pay for their products and how they are going to get paid. These factors are vital pieces of the business plan and it is never too early to start planning for that first sale.

The healthcare industry is one of the most regulated industries in America. The federal and state governments are major payors for healthcare items and services. Accordingly, laws are in place to help protect governmental purses. From fraud and abuse and compliance laws, to laws requiring licensure of durable medical equipment suppliers, the healthcare industry is a field filled with landmines for those unprepared for what may be encountered. However, with due diligence and planning, entry into the industry will be smooth and successful.

In this article we will discuss two types of buyers: 1) patients and 2) healthcare providers and three types of payors: 1) patients (often called “self-pay”), 2) healthcare providers, and 3) third-party payors. Third-party payors include: Medicare, Medicaid, other federal and state healthcare programs, and private healthcare insurance companies. Knowing who will buy your product is a key element in knowing who will pay for your product.

Knowing Your Buyers and the Payors

If you plan to sell direct-to-consumers, that is, your product does not require a physician’s order, your research and analysis are easy. Consumers are your target market and they will buy from you (or a third-party seller) and pay out of their own pockets for your product. For purposes of this article, we will remove the direct-to-consumer option from the calculus.

If you plan to sell to consumers, but your product will require a physician’s order, those consumers are now patients and will be the ultimate buyer of your product; however, all three types of payors are in play. Likewise, if your product will be sold to healthcare providers, all three types of payors could pay for your product. Healthcare providers include:

• Physicians
• Hospitals
• Ambulatory Surgery Centers
• Durable medical equipment and device providers
• Durable medical equipment and device manufacturers
• Other health technology companies.

Once you know who will buy your product, you can evaluate how you will get paid for your product.

Knowing Who Will Pay for Your Product

Unlike the direct-to-consumers option above, which has a single payor, selling to healthcare providers or patients presents all three types of payors. At the earliest stages of your business planning, you should consider whether a third-party payor will cover your product. The variables and options are numerous. Start thinking about the following questions:

• Are there similar products on the market that are covered?
• How are they covered?
  - Are the products separately reimbursed so that the third-party payor pays for the products specifically?
  - Is payment for the product bundled into the payment for another product or procedure so that there is no separate payment?
• Do similar products have their own unique Healthcare Common Procedure Coding System (HCPCS) code? Or is there a broad code that captures like-products?
  - If similar products have unique codes, you may need to plan time in your business plan to apply for a new HCPCS code.
• Is anticipated third-party payor reimbursement enough to cover costs and expenses?
  - Has reimbursement trended upwards or downwards?

If you anticipate that a third-party payor will cover your product, you will need to decide whether you will sell your product to another manufacturer or health technology company who will in turn bill third-party payors or whether you will become a healthcare provider and bill the third-party payors yourself. Becoming a healthcare provider takes considerable time and resources but is an option that is available.


If you anticipate that your product will not be covered or if you do not intend to seek coverage, your payors will be your buyers: patients and healthcare providers. Below are a few examples of possible buyers and payors.

• If your product is something physicians will use in their offices, you may choose to sell directly to the physicians who will pay you directly.
• If your product is intended for patient-use and requires a physician’s order, you may sell your product to a durable medical equipment supplier who will sell to the patient. Your payor is the durable medical equipment supplier and their payor is the patient.
• If your product is intended for patient-use and requires a physician’s order, you may become a healthcare provider and sell directly to patients. Your payor here is the patient.

Why It Matters

The healthcare industry, compared to general commerce, puts distinct duties and responsibilities on digital health companies. When a federal or state healthcare program will reimburse for your product, your company must comply with all applicable laws and regulations that govern healthcare providers. This includes federal laws such as the Anti-Kickback Statute and the False Claims Act and state laws that govern healthcare providers. Accepting federal or state healthcare program payments will put scrutiny on your business that you would not face otherwise. Absent accepting federal and state healthcare program payment, some states have broad “all payor” laws that are applicable even if a private insurer or the patient themselves pay for your product.

While not accepting third-party reimbursement could ease some compliance burdens, a digital health company’s interactions with patients and providers have their own potential obligations. For example, relationships with physicians may trigger reporting obligations to the federal and state governments, such as under the federal Sunshine Act, and maintaining protected health information could trigger Health Insurance Portability and Accountability Act (HIPAA) compliance requirements. Fortunately, regulatory and compliance obligations can be researched and planned for well in advance.

Conclusion

The healthcare industry is heavily regulated and presents regulatory and compliance challenges that are not present in other industries. Digital health companies can prepare well in advance of their first sale by knowing their buyers and payors. Digital health companies can work with counsel at any stage to research and plan for business.

How HITRUST Can Help Get You to a Series A

By Catherine Warren

Venture capital fundraising continues to be a prominent vehicle to fuel new companies. Although 2019 likely won’t top 2018 in total capital raised, overall deal value is set to meet or surpass that of 2018.1 Before moving any further, it’s important to note that venture financing isn’t the only avenue for a growing company. If you are unsure of whether it is the best route for your start-up, consider reading the two-part article in the previous issues of this report to help you evaluate the four partner options available for digital health start-ups.2

Assuming you have decided to continue down the venture capital road, it is important to start with a basic understanding of how to approach venture financing and what can make this journey easier. Any start-up hoping to receive funding from investors must consider how they organize and present their business making it appealing to investors. Researching potential investors is the best starting point. Does the investor target early- or late-stage companies? Does the investor have experience investing in your market? Are there companies in the fund’s portfolio that could be seen as competitors? What risk factors do they look for? These are all questions you should be able to answer before beginning to deal directly with potential investors. Know who the big players are and what they are looking for and you can prioritize and emphasize

1 Venture Monitor, Pitchbook and National Venture Capital Association (NVCA), https://nvca.org/wp-content/uploads/2019/10/3Q_2019_PitchBook_NVCA_Venture_Monitor-1.pdf.
2 Digital Health Report, WSGR (Spring/Summer 2018), https://www.wsgr.com/images/content/1/3/v2/13538/DHReport-Spring-Summer2018.pdf; Digital Health Report, WSGR (Fall 2018), https://www.wsgr.com/images/content/1/3/v2/13537/DHReport-Fall2018.pdf.


on these areas. Not only will this help you get the financing you need, but often the elements of a start-up company that venture capitalists (VCs) prioritize are also good for your long-term business model. In the digital health market, data protection and privacy policy falls into this bucket.

This article will outline the basic trends in venture financing over the past few years, including those specific to digital health, and identify one particular factor that is continuing to gain interest to venture funds in the digital health space: The Health Information Trust Alliance (HITRUST).

2019 Venture Financing Trends

Looking at the venture field in general over the past year, the average deal size has remained high with more than 50 percent of deals raising more than $1 million. Early-stage deals have continued to draw millions in capital with an average of $14.5 million per deal and closing of more than 44 mega-deals, although it’s important to note that a number of these deals include an element of debt.3 Focusing largely on seed and early-stage deals, Pitchbook reported that the continued increase in deal size at the seed stage could be due to investors’ willingness to invest despite the start-up only having a minimum viable product prior to the seed round. The result is that the company can go to market much earlier than before, giving the investor earlier return on investment.4 An interesting dichotomy in timing has also developed. Larger investors who used to wait until later rounds of financing are more willing to jump in at the early stage while start-ups are waiting longer before looking for seed investing (an average of three years). The result here is investors are given a better picture of the company overall prior to investing. Although there are some concerns about Committee on Foreign Investment in the United States (CFIUS), immigration, and political candidate policy proposals impacting the market, 2019 did not show major signs of slowing investment.

Venture in Digital Health and Moving Forward

Turning to digital health venture trends, fundraising for healthcare and life sciences start-ups set a record in 2018 with more than $2 billion raised over two years by U.S. venture funds alone.5 In 2019, nearly $50 billion was invested in the healthcare sector where digital health companies represented 31 percent of those investments.6 StartUp Health reported that in 2019 there was a total of $13.7 billion in funding across 727 deals, becoming the second most funded year to date.7 Interest in digital health continued to increase in Q3 of 2019, especially for companies showing improved patient outcomes and paths to lower healthcare costs.8 However, there are also some concerns within the digital health market that continued expansion of CFIUS regulation could impact investment in healthcare companies resulting in a decline in investment from Asia and potentially leading to investors favoring companies that are considered “higher quality.”9

Privacy policies and/or Health Insurance Portability and Accountability Act (HIPAA) compliance are something that many, if not all, “high quality” digital health companies have in place. We have seen the unfortunate impact on companies who do not protect the private health information that consumers have given them. Last year, the Wall Street Journal reported that a number of smartphone apps provided their user information to Facebook.10 This is just one of the many stories that, combined with the numerous accounts of private patient information exposure, contributes to a negative image for digital health. By no surprise, Rock Health’s 2018 National Consumer Health Survey found that only 11 percent of respondents were willing to share their personal data with tech companies.11 The impact that a data breach can have on a start-up is detrimental and something investors are keen to ameliorate to increase a digital health start-up’s chance of success.

For years venture capital firms, especially those focused on investing in digital health start-ups, have shown a preference for investing in companies that are HITRUST certified and venture capitalists are aware that if a digital health company doesn’t have an iron-clad privacy and security policy in place, they are at risk of being the next company to endure a data breach. One group of venture firms, led by Frist Cressey Ventures, recently made it very clear to digital health start-ups the importance of prioritizing privacy and data protection.

3 Venture Monitor, Pitchbook.
4 Venture Monitor, Pitchbook.
5 Venture Monitor, Pitchbook.
6 HITRUST® and Frist Cressey Ventures Launch Venture Council and Program to Build Security and Privacy into the “DNA” of Tech Startups, https://hitrustalliance.net/hitrust-and-frist-cressey-ventures-launch-venture-council-and-program-to-build-security-and-privacy-into-the-dna-of-tech-startups/.
7 StartUp Health Insights, StartUp Health, file:///C:/Users/cwa1/Downloads/2019%20Q4%20End%20of%20Year%20Full%20Report.pdf.
8 Venture Monitor, Pitchbook.
9 StartUp Health Insights, StartUp Health.
10 You Give Apps Sensitive Personal Information. Then They Tell Facebook, Wall Street Journal, https://www.wsj.com/articles/you-give-apps-sensitive-personal-information-then-they-tell-facebook-11550851636.
11 Beyond Wellness For the Healthy: Digital Health Consumer Adoption 2018, Rock Health, https://rockhealth.com/reports/beyond-wellness-for-the-healthy-digital-health-consumer-adoption-2018/.


Frist Cressey Ventures in collaboration with HITRUST formed the Venture Capital Advisory Council (VC Council) and Venture Program. Currently, the VC Council includes a number of prominent venture capital firms, including Ascension Ventures, Bain Capital Ventures, Echo Health Ventures, Frist Cressey Ventures, Heritage Group, Maverick Ventures, New Enterprise Associates, 7Wire Ventures, and is continuing to gain more. The VC Council members have assets of more than $30 billion with over 1,000 companies in their portfolios combined. Two of these investors—Echo Health Ventures and Maverick Ventures—were among the top 10 most-active investors in the innovative health field in 2019, according to StartUp Health.12

The purpose of the Venture Program is to provide start-ups with tools and services to expedite the process of implementing adequate risk management and compliance controls. Specifically, the program provides training courses and an annual conference, a personalized assessment platform allowing start-ups to compare its HITRUST assessment scores to other companies, and additional guidance and resources to successfully establish and implement a privacy policy.13 Note that to be eligible, the start-up must have been incorporated or founded within the last five years, have under 100 full-time employees, and have an annual revenue under $20 million.

If digital health start-ups aren’t already prioritizing data protection, the move by Frist Cressey Ventures to partner with HITRUST should be their wake-up call. Let’s return quickly to a concept first mentioned in this article. It is good practice to understand the aspects that an investor looks for in a start-up, and since venture firms are showing an increased interest in privacy and data protection, and specifically in HITRUST, you as the start-up eager for venture financing should be prioritizing this as well. With that in mind, the next section of this article will take a look at HITRUST and what it has to offer.

HITRUST and Whether It’s Worth It

HITRUST is an organization founded in 2007 and governed by a representative body in the healthcare industry that developed a comprehensive information risk management and compliance program, the Common Security Framework (CSF). The HITRUST CSF is approved by the U.S. Department of Health and Human Resources as an acceptable risk management framework for HIPAA. Additionally, the framework provides a common set of controls for a larger group of compliance standards including GDPR, PCI, ISO, NIST, and COBIT.14 The program is designed to be flexible and adapt to changes in policy and provide compliance throughout the life cycle of any healthcare company.

To begin the compliance process, a start-up will input its risk factors based on a provided list into the software, that then generates a report with control specification based on 19 categories of control requirements. Following this report, the company can choose to complete three stages of assessment to determine how the company is doing based on the specified controls.15 The first step is the self-assessment, where the company can use the CSF Assessment Report and MyCSF Software to run through a checklist internally and determine any gaps in their security control system. This can take up to around two months to complete depending on the needs of the company. Furthermore, because this is done internally, there is only a basic level of assurance that HITRUST can offer at this point.

If the company would like more compliance security, it can then seek CSF Validation, a second and more stringent assessment. This involves a CSF or third-party assessor reviewing the company’s self-assessment, conducting an in-depth look at security controls, and evaluating compliance with each control requirement through an on-site visit to the company. The assessor will determine any major issues missed during the self-assessment and return a Validated Report. It is important to note that this stage will not ensure that the company could pass a HIPAA audit—only the CSF Certification will ensure this.

Finally, if the company chooses to, it can apply for CSF Certification, which will ensure that the company is compliant with all regulating bodies. The assessor will score the company’s compliance on each security measure. This is determined by how the company’s security policy is put in place and the procedures for that policy. HITRUST will then review the assessment, which can take a few months, and then they will issue a CSF certification. The certification will be valid for two years at which point, the company will need to undergo assessment again.

Clearly, the HITRUST certification process is very taxing. Many months of assessment and use of company time, money, and resources can burden a start-up. However, due to the way the assessment is completed, integrating

12 StartUp Health Insights, StartUp Health.
13 Which Assessment is Right for Me?, HITRUST, https://hitrustalliance.net/assessment-right/.
14 HITRUST CSF, HITRUST, https://hitrustalliance.net/hitrust-csf/.
15 What is the HITRUST Certification Process?, RSI Security, https://blog.rsisecurity.com/what-is-the-hitrust-certification-process/#1963.


the HITRUST framework early on in the life of a company can reduce this burden. Moreover, venture capital firms are eager to invest in digital health start-up companies that are HITRUST compliant and assessing your HITRUST compliance may allow you, as a start-up, to negotiate for better terms in your next equity financing. Also consider that investors are concerned with reducing cybersecurity threats and want to ensure that these threats are minimized as much as possible before investing. This is an understandable concern since consumers are skeptical about sharing with tech companies, which can stunt development in start-up company work, therefore limiting the returns that a venture firm will see on its investment.

More importantly, for long-term success, it’s imperative that a company assures its customers that their health information is secure and will remain secure.16 Ensuring customers that their health information remains protected by a HITRUST-certified company may be the comfort that the customer needs.

Conclusion

Digital health start-ups are starting to find their place more and more in the venture world, leading venture firms to give them more attention. As one venture capital put it, investors care about how a digital health company will “move the needle on cost, quality, and access to care.”17 Adequate data protection and privacy policies are a necessary preliminary matter before any start-up can consider how they will move the needle. Venture firms understand the costs that come with establishing and maintaining a privacy policy. The Venture Program aims to encourage start-ups to seek HITRUST CSF certification while reducing the burden that comes along with that process. If you plan to seek HITRUST certification, consider participating in the Venture Program as it may give your start-up an opportunity to connect with venture firms on the Venture Council to help kickstart your next venture financing while also providing your company with a strong privacy foundation necessary for long-term success.

16 Why Your Health Startup Should Prioritize Privacy And Data Security, Forbes, https://www.forbes.com/sites/forbesbostoncouncil/2019/08/26/why-your-health-startup-should-prioritize-privacy-and-data-security/#3fa0aa465c90.
17 Where Top VCs are Investing in Digital Health, Tech Crunch, https://techcrunch.com/2019/12/16/where-top-vcs-are-investing-in-digital-health/.

The Digital Health Report is developed and reviewed by a team of attorneys from the firm’s corporate, intellectual property, litigation, and regulatory departments, including the individuals listed below.

• Ali R. Alemozafar, Partner, Intellectual Property, 415-947-2054
• Farah Gerdes, Partner, Technology Transactions, 617-598-7821
• David Hoffmeister, Partner, Corporate, 650-354-4246
• Michael Hostetler, Partner, Patents and Innovations, 858-350-2306
• James Huie, Partner, Corporate, 650-565-3981
• Manja Sachet, Partner, Technology Transactions, 206-883-2521
• Kathleen Snyder, Of Counsel, Technology Transactions, 617-598-7857

650 Page Mill Road, Palo Alto, California 94304-1050 | Phone 650-493-9300 | Fax 650-493-6811 | www.wsgr.com

Austin Beijing Boston Brussels Hong Kong London Los Angeles New York Palo Alto San Diego San Francisco Seattle Shanghai Washington, DC Wilmington, DE

This communication is provided as a service to our clients and friends and is for informational purposes only. It is not intended to create an attorney-client relationship or constitute an advertisement, a solicitation, or professional advice as to any particular situation. © 2020 Wilson Sonsini Goodrich & Rosati, Professional Corporation. All rights reserved.