Archive for October, 2023

DEA Extends COVID-19 Telemedicine Rules

Wednesday, October 11th, 2023

The Drug Enforcement Administration (“DEA”), jointly with the Department of Health and Human Services (“HHS”), has announced that the current telemedicine regulations will continue in place through December 31, 2024. To view the full text of the announcement, please click here. The full text of the extension is available here.

The decision comes after the DEA received more than 38,000 comments on its proposed telemedicine rules and held two days of public listening sessions related to those rules.

The DEA stated in the announcement that the final regulations should be available by the fall of 2024.

California Law to Mandate Release of VC Investment Diversity Information

Tuesday, October 10th, 2023

Governor Newsom has just signed SB 54, which will require venture capital firms in the state of California to annually report the diversity of founders they are backing. According to TechCrunch’s reporting, SB 54 will result in amendments to the Business and Professional Code and also will amend part of the Government Code pertaining to venture capital.

What is California SB 54?

SB 54 goes into effect as of March 1, 2025, and requires the following aggregated information to be reported on all VC investments:

  • The gender identity of each member of the founding team, including nonbinary and gender-fluid identities.
  • The race of each member of the founding team.
  • The ethnicity of each member of the founding team.
  • The disability status of each member of the founding team.
  • Whether any member of the founding team identifies as LGBTQ+.
  • Whether any member of the founding team is a veteran or a disabled veteran.
  • Whether any member of the founding team is a resident of California.
  • Whether any member of the founding team declined to provide any of the information described above.

Failure to timely comply with the reporting requirement may result in the assessment of a penalty of One Hundred Thousand Dollars ($100,000.00) to be assessed against a “covered person.”  SB 54 defines “covered person” as any person who does both of the following:

  • Acts as an investment adviser to a venture capital company.
  • Meets any of the following criteria:
      (i) Has a certificate from the Commissioner of Financial Protection and Innovation pursuant to Section 25231 of the Corporations Code.
      (ii) Has filed an annual notice with the Commissioner of Financial Protection and Innovation pursuant to subdivision (b) of Section 25230.1 of the Corporations Code.
      (iii) Is exempt from registration under the Investment Advisers Act of 1940 pursuant to subsection (l) of Section 80b-3 of Title 15 of the United States Code and has filed a report with the Commissioner of Financial Protection and Innovation pursuant to paragraph (2) of subdivision (b) of Section 260.204.9 of Title 10 of the California Code of Regulations.

SB 54 provides that reports will be due by March 1st of each year.

What is the Argument in Favor of SB 54?

TechCrunch reports that supporters of SB 54 have argued that this law will make venture capital more “transparent.” According to TechCrunch, less than 3% of all venture capital investments go to women or black founders.

TechCrunch reported that SB 54 was opposed by the National Venture Capital Association and TechNet, though both organizations professed to support generally the concept of diversity in venture capital.

What is the Anticipated Impact of SB 54?

Although the impact of SB 54 will go beyond just the software industry, this new law is likely to have a significant impact on software and SaaS companies, particularly those having diverse founders, as mandated reporting will likely incentivize venture capital firms to further focus on considering diversity in investment.  If your software company has diverse founders, you will definitely want to keep this law on your radar screen going forward.

FDA Releases Final Guidance on Cybersecurity for Medical Devices

Saturday, October 7th, 2023

The Food and Drug Administration (“FDA”) has issued final guidance to advise developers on their compliance obligations for premarket submissions. To view the FDA’s finalized document, please click here: Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions (fda.gov). The guidance issued by the FDA supersedes the earlier draft guidance issued on April 8, 2022 as well as the “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices” issued October 2, 2014.

The guidance describes recommendations regarding the cybersecurity information to be submitted for the following:

  • Premarket notification (510(k)) submissions;
  • De Novo requests;
  • Premarket Approval Applications (PMAs) and PMA supplements;
  • Product Development Protocols (PDPs);
  • Investigational Device Exemption (IDE) submissions;
  • Humanitarian Device Exemption (HDE) submissions;
  • Biologics License Application (BLA) submissions; and
  • Investigational New Drug (IND) submissions.

The FDA states in its release that “this guidance applies to all types of devices within the meaning of section 201(h) of the Federal Food, Drug, and Cosmetic Act (“FD&C Act”), including devices that meet the definition of a biological product under section 351 of the Public Health Services Act, whether or not they require a premarket submission.” In addition, the FDA says that the guidance applies “to devices for which a premarket submission is not required (e.g. for 510(k) exempt devices)” as well as “cyber devices as defined in section 524B of the FD&C Act.” Finally, the FDA states that the guidance applies to the device portion of a combination product “when the device constituent part presents cybersecurity considerations, including but not limited to devices that have a device software function or that contain software (including firmware) or programmable logic.” Although the FDA indicates in the release that the guidance should not be construed as “legally enforceable responsibilities,” the FDA advises that the guidance represents its “recommendations” on the topic of cybersecurity.

What recommendations exactly does the FDA make in this guidance?

First of all, the FDA recommends that device manufacturers follow the quality system requirements found in the QS regulation in 21 CFR Part 820, which may include establishing cybersecurity risk management and validation processes where appropriate in accordance with FDA’s guidance “Content of Premarket Submissions for Device Software Functions.” The FDA says that healthcare facilities may manage devices within their own frameworks such as the National Institute of Standards and Technology (“NIST”) cybersecurity framework. The FDA also points to the following frameworks to consider: the Medical Device and Health IT Joint Security Plan, which is available at https://healthsectorcouncil.org/the joint-security plan; IEC 81001-5-1; and ANSI/ISA 62442-4-1.

Second of all, the FDA recommends that device manufacturers implement security controls, which include authentication; authorization; cryptography; code, data and execution integrity; confidentiality; event detection and logging; resilience and recovery; updatability; and, finally, patchability.

Third, the FDA recommends that manufacturers establish and maintain procedures for verifying the device design, which verification must confirm that the design output meets the design input requirements. The FDA again points to 21 CFR 820.30 for guidance on the procedures for verification.

Fourth, the FDA recommends transparency in advising users of relevant security risks through labeling, and provides specific examples of information to include in labeling.  The FDA points to IEC TR 80001-2-2 and IEC TR 80001-2-9 for further guidance on labeling to comply with the standards.

Fifth, the FDA recommends that manufacturers establish a plan for how to identify and communicate to users vulnerabilities identified after releasing the device in accordance with 21 CFR 820.100, which plan can also support security risk management processes described in the QS regulation.  The FDA states that these plans should include the following elements:

  • Personnel responsible;
  • Sources, methods, and frequency for monitoring and identifying vulnerabilities (e.g. researchers, NIST vulnerability database (NIST NVD), third party manufacturers);
  • Identify and address vulnerabilities identified in “CISA’s Known Exploited Vulnerabilities Catalog” available at https://www.cisa.gov/known-exploited-vulnerabilities-catalog;
  • Periodic security testing;
  • Timeline to develop and release patches;
  • Update processes;
  • Patching capability (i.e. rate at which update can be delivered to devices);
  • Description of their coordinated vulnerability disclosure process; and
  • Description of how the manufacturer intends to communicate forthcoming remediations, patches, and updates to customers.

The FDA points to its “Postmarket Cybersecurity Guidance” for additional recommendations on plans.

Digital health companies should definitely take the time to review and familiarize themselves with the new guidance, as it is likely that health care customers will be expecting compliance with this new guidance going forward, regardless of whether or not digital health companies’ products are actually subject to FDA regulation.  Even though this guidance constitutes merely a recommendation to those digital health companies which are subject to FDA regulation, it provides specific minimum recommendations that health care customers will likely expect their providers to be compliant with going forward.


| The Prinz Law Office | Silicon Valley Office Address •84 W. Santa Clara St., Suite 788, San Jose, CA 95113 • Firm Mailing Address: 117 Bernal Rd., Suite 70-110, San Jose, CA 95119 •408.884.2854 | Orange County 949.284.6884 | San Diego ▪619.881.0424 | Tel: 1.800.884.2124 | Sitemap
