Digital Healthcare 2021

The new Digital Healthcare 2021 guide covers 14 jurisdictions. The guide provides the latest legal information on the impact of COVID-19, digital healthcare and climate change, software as a medical device (SaMD), telehealth, the internet of medical things (IoMT), 5G networks, artificial intelligence (AI) and machine learning, cloud computing and intellectual property (IP).

Last Updated: June 30, 2021


Author



Moses & Singer LLP is a New York law firm with global reach through its affiliations. Its nationally and internationally recognised lawyers in its healthcare, and privacy and cybersecurity departments guide clients in navigating successfully the constantly evolving US federal and state laws. The majority of the members of this ten-lawyer department previously held positions in the legal departments of healthcare organisations or governmental agencies that address health issues. As IT and data are transforming digital health, Moses & Singer provides strategic counselling and industry-informed, practical advice to assist clients in addressing risks and leveraging new opportunities. Clients such as healthcare technology companies, institutional and government entities, academic medical centres, research entities, biotechnology and pharmaceutical companies, hospitals and healthcare systems, and providers of healthcare products and services rely on the firm for its innovative solutions in matters involving the structuring of joint ventures and other business partnerships.


Global Overview

Accelerating advances in digital healthcare require accelerated innovation in healthcare technology agreements. Updated and new agreements are required to use key digital healthcare technologies. These include connected devices that make up the Internet of Medical Things (IoMT), wearable technology, 5G wireless networks, data analytics and machine learning, and new types of medical devices. 

Wearable technology (wearables) comprises devices worn by individuals and sensors that attach to the skin; these continuously monitor physical conditions and collect data in combination with smartphones. 5G networks are fifth-generation wireless networks that will replace the current 4G (fourth-generation) networks and bring significantly greater speed, greater bandwidth and reduced latency, all of which means that more and richer data can be transferred in the same amount of time. Connected devices and wearables generate volumes of data that 5G can transmit between devices and the hospital’s general IT systems. Together with other data sources, these technologies generate new types of data that increase the utility of machine learning and data analytics. For convenience, healthcare systems and other healthcare institutions will be referred to as “hospitals.”

This article proposes a new paradigm for structuring data use and data sharing called “decision rights,” which is discussed below. Decision rights is designed to address the current difficulties of allocating ownership and rights of use in current contract negotiations.

“Digital healthcare” will become just “healthcare.” This transition will occur as digital healthcare technologies and procedures are integrated into almost all fields of medicine. This article addresses how technology and data agreements should change today to accommodate the changes brought by digital healthcare technologies, both before and after this transition.

Technology Trends to Address in Healthcare Technology Agreements

Traditional healthcare technology agreements should be re-structured to meet the digital healthcare objectives of healthcare technology companies that develop and sell digital healthcare products and the objectives of the hospitals that buy these products. In addition, most digital healthcare agreements are combined technology and intellectual property agreements which are then subject to a regulatory overlay.

Technology trends that are changing the nature of healthcare agreements include:

  • an increased number of smart devices that collect and transmit data; these include devices that previously did not have sensors or the ability to collect data;
  • increased use of connected devices assembled into internet of medical things networks and sub-networks;
  • an increased volume of data;
  • increased use of cloud-based IT;
  • increased avenues for cyber-attacks; 
  • increased data-sharing within and between healthcare institutions;
  • hospitals need different types of vendors for different types of technology, resulting in the need for new models of vendor management;
  • increased use of open source software;
  • data-based preventative medicine becoming part of medical services provided by hospitals.

Using Upgraded Digital Healthcare Technology Agreements to Address these Trends

The first step to address these trends is to determine what computing power and capabilities are needed to address the above trends and then conduct a “gap analysis” to determine the shortfalls in existing systems. Then a plan should be developed to determine whether and how to revise existing contracts or enter into new ones to close the gaps. An upgrade path should be developed to expedite the adoption of the new digital healthcare technologies on the horizon.

Addressing these issues at a high level, for both healthcare technology companies and hospitals, the following should be covered by technology agreements. 

  • Most current hospital IT systems are not designed to handle the volume of data now generated by digital healthcare technology or to conduct sophisticated analytics. This is not simply a matter of data storage but also of the capability to receive and process data and to transmit and exchange data with other internal and external systems. Moreover, the systems should handle dynamic data. Dynamic data, also called transaction data, is periodically updated and provides advantages over using only static data.
  • At the same time as the new digital healthcare technologies enable advanced data uses, their devices are “hackable” when connected to the internet and become new avenues for cyber-attacks. Contracts should build in cybersecurity protections. In many cases, it is advisable for hospitals to retain cybersecurity or forensic firms to identify cyber weaknesses so that weaknesses can be corrected and plans can be made for hospitals to continue to operate, even after a ransomware attack.
  • In addition, the connected devices, wearables, and IoMT networks may have cyber weaknesses which allow them to be attacked directly. Agreements should require timely vendor assistance with implementing software security patches and upgrades.
  • A cautionary note: if hospital IT security practices are overly strict, employees may “bring their own infrastructure to work.” That is, they may send sensitive documents and data to consumer-level external email or data storage apps. Hospital security practices need to strike a balance between strict protection and an inadvertent incentive to circumvent it.
  • Agreements for cloud services are different from “on-premises” IT where software is physically installed on hospital computers. As hospitals move more functions to the cloud, existing infrastructure agreements need to be revised to eliminate functional limitations that will interfere with the delivery and use of cloud-based technology. 
  • Data use has Health Insurance Portability and Accountability Act (HIPAA)-specific requirements, and data-use agreements require tailored terms and should be co-ordinated with an institution’s data-sharing rules.
  • Open-source software is attractive to academics. They are often not aware that there are nine basic versions of open-source licences, and some result in the loss of IP rights. Legal departments should establish policies to protect against the use of open-source software in that category. Moreover, professors and physicians say they want open-source software, but what they often want is a click-wrap agreement. 
  • Preventive medicine is increasing. It will have a complicated regulatory status as the data is a combination of HIPAA-regulated data and unregulated personal wellness data. Agreements need to address this, while minimising regulatory scrutiny and sanctions. In addition, preventive-medicine companies are often not familiar with the HIPAA Security and Privacy Rules, which are regulations.
  • An important factor in implementing IT systems is successfully addressing problems that arise after Go-Live, when the system is said to be in a “production” state. “Production” means that pre-production testing has been concluded and the system has been rolled out and is being used by end-users after a “Go-Live” date. The important issue is that testing done in pre-production does not uncover all of the difficulties that arise after Go-Live. Therefore, the agreement should provide for a special correction and support period after Go-Live and, further, it is advantageous for the vendor’s build team to provide the post-Go-Live services, rather than the support team, which has less technical knowledge.
  • Finally, a best practice is to minimise shared responsibility in contracts. Contracts should divide the responsibilities clearly, and should not impose obligations on a party where they are not commercially reasonable.

Proposed Paradigm: “Decision Rights”

In practice, it is difficult to reach an agreement on data-sharing rights because the parties dispute the scope of ownership, and intellectual property rights can be unclear given the current state of the law. The parties are also concerned that they may be prejudicing data rights they may need in the future. In addition, they are concerned that, by giving up rights, they may be foreclosing revenue in healthcare and other industry sectors. If the focus is shifted from ownership to data use, because that is often the real issue involved, a legal framework will be needed to govern the scope of use and sharing, with particular attention given to protecting both providers and users of data sets.

This article proposes “decision rights” as that legal framework. A useful definition of “data” is “something that happened.” “Using” data means taking an action based on what is learned from “what happened.” This includes machine learning. Decision rights is a licensing model that defines the purpose of conducting analytics and the use of the results in terms of decisions that can be made based upon them. The model also provides the entity controlling the data with a mechanism to grant (and enforce) rights in the same data it provides to different users for different purposes, thus enhancing data-monetisation and revenue-generation. Decision rights protect against regulatory sanctions by putting boundaries on the data use that constrain the rights of use on downstream parties. Under a decision rights framework, those entities owning or controlling a database would grant a set of rights defined by the decisions that can be made, and if desired, limit the rights to a business unit or even a specific individual. This framework applies to all industries. The following example is a digital healthcare scenario.

As an example, Hospital No 1 uses robots to patrol the halls to locate areas that need emergency cleaning. The images captured by the robots incidentally capture patients' beds lined up in the hallways awaiting entry into operating rooms and/or transfer between operating rooms and the recovery rooms. Hospital No 2 seeks to optimise patient transfer and the use of the operating room by eliminating bottlenecks and reducing the time patients spend out of their hospital rooms and waiting in staging areas. Hospital No 1 can grant Hospital No 2 the right to use the images only for the purposes previously outlined. In order to do this, Hospital No 1 could structure the right to use its images only for the purpose of analysing the image data and using that to optimise the use of its facilities. In addition, decision rights is a way to protect both Hospital No 1 and No 2 by controlling use in onward transfers of data sets created by Hospital No 2 without compromising Hospital No 1’s decisions to provide different rights to different users.

Healthcare Technology Development and Component Supply Agreements

Healthcare companies that develop healthcare technology products and services for sale to hospitals face several issues in structuring arrangements with their own suppliers. Often, these suppliers’ components and sub-assemblies are integrated into the healthcare technology company’s products. Those products may be medical devices regulated by the US Food and Drug Administration (the FDA). Complexities arise when different suppliers contribute components to sub-assemblies which are then integrated into the final product. The agreements between a healthcare technology company and its suppliers must address several key issues.

  • If the healthcare technology company sells an FDA-approved medical device, its risk is that a change in a component provided by a supplier could change the device so that it becomes subject to separate FDA approval as if it were a new device. As protection, the healthcare technology company would like approval rights over proposed changes to the supplier’s component sufficient to prevent loss of FDA-approved status. An alternative is a requirement that the supplier establish a large reserve inventory of the component in its pre-modified form, so that the healthcare technology company can use the same component even after the supplier has changed its component.
  • A complicating risk is when a change in one component used by the supplier would not change FDA status, but a change made by one supplier requires a change in the component of another supplier, and together these modifications present a risk to FDA status. Thus, healthcare technology companies must co-ordinate agreements with their suppliers.
  • A risk to the supplier is that limitations on the scope of its right to upgrade a component may interfere with its ability to market the component with improved technology to other customers. The healthcare technology company’s and supplier’s competing interests can be addressed by an inventory solution, or the technology company securing the right to have the older version of the product manufactured by another supplier. 
  • Putting aside regulatory issues, a healthcare technology company will likely want changes made by a supplier to be backwards-compatible with prior versions of its component or other components to which it connects. This applies to hardware and software elements of a component when the component is a combination of the two. A backwards-compatibility requirement must be built into the contract and not attempted after the fact.
  • Making a component backwards-compatible can be made easier if the contract requires each version of the component to be designed to be forwards-compatible. Software in particular can be designed to be forwards-compatible.
  • A risk to both the healthcare technology company and supplier is that the supplier’s supplier can no longer obtain the raw materials or constituent parts necessary to build the component to agreed-upon specifications. This may be an inherent risk because of the specialised nature of the component, or one that can be addressed by having multiple available sub-suppliers, or having sub-suppliers be on the healthcare technology company’s approved list.

Intellectual Property Rights in Digital Healthcare Agreements

A healthcare technology company may ask a supplier to develop a completely customised component or a customised version of an existing component. The key ownership and intellectual property issues that arise are as follows.

  • For fully customised components, the healthcare technology company may want to own the product and all the intellectual property rights in order to:
    1. obtain exclusivity; and
    2. own the design so that it can employ another supplier to manufacture the component.
  • The component manufacturer will likely want to retain rights in its pre-existing technology and sufficient rights to make a non-competing component for another of its customers. Allocating these rights is a matter of contract negotiating and careful drafting.
  • Owning the intellectual property is not sufficient unless ownership conveys ownership of the design documents, materials requirements, and manufacturing processes. Thus, these should be made deliverables under the contract and updated as revisions are made. 
  • The calculus in allocating intellectual property rights can change when the customisation of either hardware or software is a bespoke layer on top of the supplier’s standard product. A healthcare technology company may wish to retain all rights, for the same reasons. However, if the custom layer cannot be used apart from the underlying supplier component, the rationale for ownership may change and it may be advantageous for the supplier to retain ownership, among other reasons, to prevent the custom layer from losing compatibility with the underlying base as the supplier continues to make improvements to the base.
  • The scope of the supplier’s indemnity for IP infringement can be challenging when customisation is involved. If the healthcare technology company established functional criteria for the customisation, it may wish to be indemnified against IP infringement claims arising out of the technology that the supplier used to meet the criteria. The supplier may wish to avoid liability for technology it used at the direction of the healthcare technology company. In short, the issue becomes one of determining what technology was required by the healthcare technology company when specific technology was not required but the requirements entailed the use of technology. This is an issue that is better resolved at the contract-drafting stage.

Intellectual Property and Joint Development of Healthcare Products

Much of healthcare technology is developed through the collaborative efforts of different companies. Joint development that results in joint ownership can lead to adverse consequences. By US statute, one joint owner can grant non-exclusive licences to third parties without the consent of the other joint owner. This can result in one party's contribution being free research and development for another party. This outcome can be avoided by proper contract-drafting.

Agreements for the Digital Healthcare Wearable Ecosystem

Wearable technology agreements cover the situation in which a patient is discharged from a hospital and given wearable technology to provide for remote monitoring to discover continued progress or the emergence of problems. The following agreements should be included in this arrangement:

  • an underlying agreement providing consent from the patient to the transmission and use of their personal health data by the institutions involved;
  • an agreement between the patient and the hospital authorising the use and transmission of data if not already covered by the patient-consent agreement;
  • a licensing and data agreement with the company providing the wearable, including the rights that the company has to collect data for its own business use from individuals and to create aggregate data sets for all individuals using the wearable; these rights may have to be defined as a limitation on the company’s standard terms and conditions;
  • an agreement with the technology platform that distributes the wearable data;
  • an agreement allowing the sharing of data with the patient’s physicians and family members and other designees;
  • a development agreement governing improvements to the device and ownership rights in any customer features.

Digital Healthcare and Data Mapping

A document mapping data flows provides several advantages and is instrumental in drafting agreements. First, it provides the lawyers drafting the agreements with the information they need to structure the agreement properly. This should cover the institution’s issue of the data and upstream and downstream rights in it, and should be combined with a decision rights agreement or other data-sharing and use agreement. Second, a data map can be used to alert company engineers and software programmers when they need to obtain legal advice as to the types of consents and other agreements that need to be put in place in order to develop the commercial products. If a company has the right to use data for medical research under US law, where it is not completely de-identified, that right does not provide the right to use the data to develop a commercial product, where, generally, the data must be wholly de-identified.

Summary

Data will not govern itself. Accordingly, agreements must be put in place to control the collection, transmission, modification, and use of data, including by the internet of medical things, robots, and wearables which are designed to collect data and provide it for machine learning and data analytics. Digital healthcare technology requires upgrading or entering into new IT agreements. Cloud computing requires different forms or agreements. Digital healthcare technology provides additional avenues of cyber-attacks. Data mapping should be used in structuring data and technology agreements to minimise potential gaps between responsibilities imposed by contracts and hospital use, and how healthcare technology companies develop products and services. 
