After three government agencies collectively created an online tool to help developers navigate federal regulations impacting mobile health apps, McDermott partner Jennifer Geetter was interviewed by FierceMobileHealthcare on the need for mobile health development tools.
In March 2016, the US Federal Trade Commission (“FTC”) staff submitted public comments regarding the telehealth provisions of a proposed state bill in Alaska, demonstrating the FTC’s continued focus on health care competition and general discouragement of anticompetitive conduct in health care markets, with a renewed interest and focus on telehealth.
The search by consumers, payers and providers for more efficient, effective and convenient care delivery models has led to an explosion of technological innovation in the health care sector. This explosion has supported the increased use of telemedicine by providers to reach patients who were previously out of reach, and to provide more timely and cost-effective care.
With the use of telemedicine technologies comes a responsibility on the part of providers to educate and inform patients on the benefits, and more importantly, on the risks associated with receiving care via telemedicine. As in any other care setting, compliance with this responsibility serves the dual purpose of providing consumers with the information needed to make an informed decision about their care and mitigating the provider’s potential liability exposure from medical malpractice claims.
This week, the Federal Trade Commission (FTC or Commission) released an interactive tool (entitled the “Mobile Health Apps Interactive Tool”) that is intended to help developers identify the federal law(s) that apply to apps that collect, create and share consumer information, including health information. The interactive series of questions and answers augments and cross-references existing guidance from the US Department of Health and Human Services (HHS) that helps individuals and entities—including app developers—understand when the Health Insurance Portability and Accountability Act (HIPAA) and its rules may apply. The tool is also intended to help developers determine whether their app is subject to regulation as a medical device by the FDA, or subject to certain requirements under the Federal Trade Commission Act (FTC Act) or the FTC’s Health Breach Notification Rule. The Commission developed the tool in conjunction with HHS, FDA and the Office of the National Coordinator for Health Information Technology (ONC).
Based on the user’s response to ten questions, the tool helps developers determine if HIPAA, the Federal Food, Drug, and Cosmetic Act (FDCA), FTC Act and/or the FTC’s Health Breach Notification Rule apply to their app(s). Where appropriate based on the developer’s response to a particular question, the tool provides a short synopsis of the potentially applicable law and links to additional information from the appropriate federal government regulator.
The first four questions cover a developer’s potential obligations under HIPAA. The first question explores whether an app creates, receives, maintains or transmits individually identifiable health information, such as an IP address. Developers may use the tool’s second, third and fourth questions to assess whether they are a covered entity or a business associate under HIPAA. The tool’s fifth, sixth and seventh questions help developers establish whether their app may be a medical device that the FDA has chosen to regulate. The final three questions are intended to help users assess the extent to which the developer is subject to regulation by the FTC.
Although the tool provides helpful, straightforward guidance, users will likely need a working knowledge of relevant regulatory principles to successfully use the tool. For example, the tool asks the user to identify whether the app is “intended for use” for diagnosis, cure, mitigation, treatment or disease prevention, but does not provide any information regarding the types of evidence that the FDA would consider to identify a product’s intended use or the intended use of a mobile app (e.g., statements made by the developer in advertising or oral or written statements). In addition, how specifically an app will be offered to individuals to be used in coordination with their physicians can be dispositive of the HIPAA analysis in ways that are not necessarily intuitive.
The tool provides a starting point for developers to raise their awareness of potential compliance obligations. It also highlights the need to further explore the three federal laws, implementing rules and their exceptions. Developers must be aware of the tool’s limitations—it does not address state laws and is not intended to provide legal advice. In fact, the tool does not provide links to the actual text of the laws or regulations and is clearly aimed at non-lawyers. Nor does the tool highlight all applicable guidance documents provided on the websites for each federal regulator, which shed additional light on what that regulator has determined is within or outside of its oversight.
At a recent public workshop, Dr. Janet Woodcock, director of the U.S. Food and Drug Administration’s (FDA) Center for Drug Evaluation and Research (CDER), announced plans to expand the agency’s use of the Sentinel infrastructure to conduct post-market effectiveness studies.
Sentinel is an electronic surveillance system that aggregates data from electronic medical records, claims and registries that voluntarily participate and allows the agency to track the safety of marketed drugs, biologics and medical devices. As of August 2015, the Sentinel database includes information from 193 million individuals, 4.8 billion instances of prescription dispensing, 5.5 billion unique encounters and 51 million acute inpatient stays.
The FDA currently uses the system to assess post-market safety issues. However, in a February 3, 2016, workshop, Dr. Woodcock announced that the FDA is in the early stages of adapting the Sentinel infrastructure to develop the “Guardian” system, which the agency intends to use to “actively gather information about the performance of regulated medical products” used in health care. At the same workshop, Dr. Steven Anderson of the FDA’s Center for Biologics Evaluation and Research (CBER) described the Guardian system as a parallel system to Sentinel that will rely on the Sentinel infrastructure to assess product effectiveness. According to Dr. Anderson, the FDA is currently assessing the feasibility of using Sentinel to perform effectiveness studies, and over the next five years, intends to develop the system to support a range of clinical trial designs.
The FDA envisions that the Guardian system will help the agency and external researchers quickly and less expensively answer questions about the performance of medical products that would otherwise require expensive, time-consuming clinical investigations to assess. The FDA did not specifically address how the agency intends to use the effectiveness data developed using the Guardian system.
The proposed Guardian system represents the FDA’s latest attempt to harness the power of “big data” and to participate in the changes precipitated by digital health strategies and tools to address FDA priorities. In 2014, the FDA launched its openFDA initiative, which gives the general public access to several of the agency’s public data sets (e.g., adverse event reports). Moreover, in December 2015, the FDA launched a beta version of its precisionFDA platform, which is an online, cloud-based platform that is intended to allow scientists from the public and private sectors to test, pilot and validate existing and new bioinformatics approaches for processing the large amounts of data collected using next-generation sequencing (NGS) technology.
The FDA’s efforts to launch the Guardian system mirror “big data” initiatives by other private and public stakeholders seeking to leverage data capture and data mining to pursue important public health, quality improvement, research and cost-containment efforts.
As we reflect upon how the health care industry has changed in 2015 and what we expect to see in 2016, there is one area that stands out as having great promise for continued growth—telehealth.
- There were more than 200 telehealth-related bills introduced in 42 states in 2015, many of which helped to encourage the growth and expansion of telehealth. More than half of the states now have laws that mandate some degree of coverage of telemedicine programs by private payers. In addition, nearly a quarter of the states have joined the Interstate Medical Licensure Compact, which provides a more streamlined licensure process for physicians who are located in a “Compact state” and who provide telemedicine services to residents of another “Compact state.” In 2016, we expect even more states will adopt laws to require health insurance coverage for telemedicine services and ease the licensure requirements for health care professionals who are engaged in multi-state telemedicine programs. See our article, “States Begin 2016 with the Expansion of Telehealth Services,” for additional details.
- There has been a marked increase in consumer investment in personal health and wellness, partly as a cost reduction strategy in light of high-deductible health plans, over the past few years. Consumers are particularly excited about the possibilities of telehealth, which has spurred the expansion of direct-to-consumer telehealth programs. In 2016, we anticipate an increase in the number of consumers who use telehealth services, as well as an increase in the types of telehealth technologies used.
- An increasing number of employers—ranging from big to small—offered telemedicine as a benefit to employees in 2015 in an effort to reduce health care costs and as a means of improving employee health. Given the breadth of coverage included in the cost of employer-sponsored coverages, and the desire for employers to improve employee health to increase productivity and satisfaction levels, we anticipate that even more employers will turn to telemedicine as a solution in 2016.
- The telehealth programs of accountable care organizations (ACOs) and clinically integrated networks (CINs) proved to improve patient access to care (particularly in the area of behavioral health) and deliver quality care at a lower cost—a critical imperative in the post-Accountable Care Act era of value-based purchasing. The realization of these benefits in 2015 will likely contribute to an increase in the number of ACOs and CINs using telemedicine as a tool in 2016.
- There was a marked rise in 2015 in the number of partnerships between U.S. health care providers and international institutions for U.S. physicians (particularly in certain orthopedic and oncology sub-specialty areas) to provide consultations to international physicians about their patient cases, as well as “second opinion” programs where U.S. physicians review the medical records and diagnostic tests of patients located abroad, and then render a second opinion to that patient. We anticipate that these international telemedicine arrangements will continue throughout 2016 as U.S. providers search for ways to expand their patient base and grow their brands internationally.
If these telehealth trends continue in 2016 as anticipated, there is reason to remain optimistic that providers, patients, and entrepreneurs will continue developing and using telehealth in a way that positively changes the U.S. health care industry.
After intense negotiations, and after the official deadline had passed on Sunday, 31 January 2016, the United States and the European Union have finally agreed on a new set of rules—the “EU-U.S. Privacy Shield”—for data transfers across the Atlantic. The Privacy Shield replaces the old Safe Harbor agreement, which was struck down by the European Court of Justice (ECJ) in October 2015. Critics already comment that the Privacy Shield will share Safe Harbor’s fate and will be declared invalid by the ECJ; nevertheless, until such a decision exists, the Privacy Shield should give companies legal security when transferring data to the United States.
While a text of the new agreement is not yet published, European Commissioner Věra Jourová stated that the Privacy Shield should be in place in the next few weeks. According to a press release from the European Commission, the new arrangement
…will provide stronger obligations on companies in the U.S. to protect the personal data of Europeans and stronger monitoring and enforcement by the U.S. Department of Commerce and Federal Trade Commission (FTC), including through increased cooperation with European Data Protection Authorities. The new arrangement includes commitments by the U.S. that possibilities under U.S. law for public authorities to access personal data transferred under the new arrangement will be subject to clear conditions, limitations and oversight, preventing generalized access. Europeans will have the possibility to raise any enquiry or complaint in this context with a dedicated new Ombudsperson.
One of the best-known critics of U.S. data processing practices and the initiator of the ECJ Safe Harbor decision, Austrian Max Schrems, already reacted to the news. Schrems stated on social media that the ECJ Safe Harbor decision explicitly says that “generalized access to content of communications” by intelligence agencies violates the fundamental right to respect for privacy. Commissioner Jourová, referring to the Privacy Shield, stated that “generalized access … may happen in very rare cases”—which could be viewed as contradictory to the ECJ decision. Critics also argue that an informal commitment by the United States during negotiations with the European Union is not something on which European citizens could base lawsuits in the United States if their data is transferred or used illegally.
The European Commission will now prepare a draft text for the Privacy Shield, which still must be ratified by the Member States. The EU Parliament will also review the draft text. In the meantime, the United States will make the necessary preparations to put in place the new framework, monitoring mechanisms and new ombudsperson.
On January 15, 2016, the U.S. Food and Drug Administration (FDA) published a draft guidance entitled Postmarket Management of Cybersecurity in Medical Devices (Draft Guidance), which outlines FDA’s recommendations for managing postmarket cybersecurity vulnerabilities in medical devices that contain software or programmable logic and software that is a medical device, including networked medical devices. The Draft Guidance represents FDA’s latest attempt to outline principles intended to enhance medical device cybersecurity throughout the product lifecycle.
On January 6, the Federal Trade Commission (FTC) released a report that it hopes will educate organizations on the important laws and research that are relevant to big data analytics. The report, Big Data: A Tool for Inclusion or Exclusion? Understanding the Issues, looks specifically at how big data is used after it is collected and analyzed and provides suggestions aimed at maximizing the benefits and minimizing the risks of using big data.
Risk and Rewards
The report argues that big data analytics can provide numerous opportunities for improvements in society. In addition to more effectively matching products and services to consumers, big data can create opportunities for low income and underserved communities. The report highlights a number of innovative uses of big data that provide benefits to underserved populations, such as increased educational attainment, access to credit through nontraditional methods, specialized health care for underserved communities, and better access to employment.
At the same time, the report shows that potential inaccuracies and biases might lead to detrimental effects for low-income and underserved populations. For example, organizations could use big data to inadvertently exclude low-income and underserved communities from credit and employment opportunities, which may reinforce existing disparities or weaken the effectiveness of consumer choice.
Considerations for Using Big Data
The report outlines some of the consumer protection laws (in particular, the Fair Credit Reporting Act and FTC Act) and equal opportunity laws that apply to the use of big data, especially with regard to possible issues of discrimination or exclusion. It also recommends that an organization consider the following questions to help ensure that its use of big data analytics does not lead to unlawful exclusion or discrimination:
- How representative is your data set? If the data set is missing information from particular populations, take appropriate steps to address this problem.
- Does your data model account for biases? Review data sets and algorithms to ensure that hidden biases do not have an unintended impact on certain populations.
- How accurate are your predictions based on big data? Balance the risks of using correlative results, especially where the business’ policies could negatively affect certain populations.
- Does your reliance on big data cause ethical or fairness concerns? Consider whether fairness and ethical considerations advise against using big data in certain circumstances and whether the business can use big data in ways that advance opportunities for previously underrepresented populations.
Monitoring and Enforcement Ahead
The FTC stated that its collective challenge is to make sure that big data analytics continue to provide benefits and opportunities to consumers while adhering to core consumer protection values and principles. It has committed to continue monitoring areas where big data practices could violate existing laws and to bring enforcement actions where appropriate. With that in mind, organizations that already use big data and those that have been persuaded by reported benefits of big data should heed the FTC’s advice. The FTC is highlighting its interest in the consumer protection and equal opportunity ramifications of big data use. This report serves as a warning—a statement of intent—that the FTC will be evaluating data practices in light of these concerns. It is clear that organizations must identify and mitigate the risks in using big data, not only those dealing with privacy and data protection but also those presenting consumer protection and equal opportunity issues. Thinking critically about and taking corrective action in line with the considerations listed above, and creating a record that such steps have been taken, may help organizations using big data to avoid FTC regulatory scrutiny.
On December 28, 2015, the Ministry of Industry and Information Technology of China released the newly revised Classification Catalogue of Telecommunications Services, which is due to take effect as of March 1st, 2016. This round of revision has long been awaited since its last amendment in 2003, and is expected to reflect the advancement and emergence of new technologies and business models in the telecommunication field as well as to help keep new telecommunication business models under the regulatory radar.