Government, media and industry have all pointed to the potential for telemedicine to assist in combating the COVID-19 pandemic. In addition, steps have been taken by the government to ease the burdens associated with the use of telemedicine during this crisis. Unfortunately, the complexity of the regulatory infrastructure has left a fair amount of confusion with respect to the extent to which rules have been, and may be, liberalized. At a time when our healthcare infrastructure is engaging with a health crisis that will get worse before it gets better, confusion about the requirements for care delivery needs to be reduced to a minimum.

Please join us on Monday, March 16 from 1 – 2pm ET for an update on:

  • Loosened Medicare reimbursement requirements
  • State emergency efforts
  • Related issues associated with the delivery of telemedicine services during the COVID-19 pandemic

Since the California Consumer Privacy Act (CCPA) took effect on January 1, 2020, “copycat” legislation has been introduced at a dizzying pace by state legislatures across the country. Taking their cues from CCPA, at last count 16 states have borrowed language from California’s watershed law regarding consumer notices, data subject rights requests, and definitions of “personal information,” “sale” of data and other key items. The likely intent is to provide equal (or, in some cases, greater) protections to the residents of their states.

As a practical matter, however, none of the proposed laws is identical to CCPA (nor to each other); some look to the EU General Data Protection Regulation (GDPR), and each takes a complex approach that requires careful reading. The proposed Washington Privacy Act (SB 6281) has been touted as the most comprehensive data protection law in the United States and combines elements of CCPA and GDPR, adding specific protections for biometric information. Late last week, the Washington House added significant enforcement “teeth” by passing an amendment that would provide a private right of action under the Washington Consumer Protection Act for any violation of the Privacy Act.

Despite the lack of uniformity among the recently proposed bills across the country, three key trends are emerging:

Trend #1 – Increased Push for a Private Right of Action

In Washington, pending legislation would extend the private right of action beyond alleged harm arising from data breaches to any violation of the proposed Washington Privacy Act. While prior versions of the legislation vested exclusive enforcement authority in the Washington Attorney General—with penalties up to $7,500 per violation—late last week, the Innovation, Technology and Economic Development Committee in the Washington House approved an amendment to SB 6281 under which any violation of the Privacy Act would be deemed a per se violation of Washington’s Consumer Protection Act. While it is unclear exactly how damages will ultimately be calculated, a broad private right of action is a significant enforcement mechanism for Washington consumers. Supporters of the amendment argued that without a private right of action, companies would have little incentive to comply with the law because the Attorney General’s office lacks the resources to undertake many enforcement actions.

Recent bills propose legislation that closely tracks the CCPA’s private right of action for individuals who allege that they were harmed by data breaches caused by a business’ failure to implement “reasonable security” measures. Both the Illinois Data Transparency and Privacy Act (SB 2330) and New Hampshire’s proposed privacy law, HB 1680, provide consumers with a private right of action where personal information is (i) unencrypted and unredacted; and (ii) subject to exfiltration, theft or disclosure due to failure to implement reasonable data security procedures. Consumers may seek damages in the amount of the greater of $100 – $750 per consumer, per incident, or actual damages.

If Washington or other states enact data privacy laws with such provisions, the potential liability for organizations affected by data breaches or failing to comply with sweeping new privacy obligations could rapidly become substantial, if not staggering. The private rights of action in the proposed state laws make it imperative for businesses to inventory the personal data they hold, practice data minimization principles, and invest in reasonable cybersecurity measures to mitigate exposure in the event of a data breach and implement comprehensive compliance programs.

Trend #2 – Data Controllers to Undertake Risk Assessments

Recently proposed legislation reflects not only provisions drawn from the CCPA, but also those based on the GDPR, most notably the definition of data controller and data processor roles and responsibilities. In addition, at least three states include a requirement for data controllers to perform risk assessments of their data. A data controller is an entity who, alone or jointly with others, determines the means and purpose of the processing of personal data. For example, in the Washington Privacy Act, data controllers must conduct and document data protection assessments for:

  1. Targeted advertising data processing;
  2. The sale of personal data;
  3. When profiling of data creates a foreseeable risk of injury (financial, physical or reputational), unfair impact or intrusion on the private affairs of consumers;
  4. For the processing of sensitive data; and
  5. Any processing activity that represents a heightened risk of harm to consumers.

In addition, the assessments must weigh the benefits and risks of processing.

Similarly, both the Virginia Privacy Act (HB 473) and Illinois Data Transparency and Privacy Act require controllers to perform a risk assessment for each processing activity involving personal information, and an additional risk assessment each time there is a change in processing that “materially increases the risk to consumers.” The proposed Virginia and Illinois laws assert that if the privacy harm risks to consumers outweigh the interest of a controller, business or other stakeholder, then consumer consent is required for processing. If such consumer consent is sought by a controller, it should be easily given and withdrawn.

Of note, all three states include a provision that the risk assessments must be provided to the state’s Attorney General upon written request; however, the assessments are confidential and exempt from public disclosure. Businesses subject to GDPR will likely have already performed internal data privacy impact assessments (DPIAs), which are a demanding exercise. For organizations without EU-facing operations, the compliance burden is likely to increase should these laws pass in their current form.

Trend #3 – Increased Protection for Biometric Data

Likely a result of publicity surrounding litigation arising out of the Illinois Biometric Information Privacy Act (BIPA) and recent media attention regarding the increased prevalence of biometric technologies, a number of the newly proposed data privacy laws focus on strengthening protections for biometric data. Several states proposing recent legislation—Illinois, Nebraska, New Hampshire, Virginia and Washington—include biometric identifiers in the definition of either personal information or sensitive data.

Notably, the Washington Privacy Act would require controllers to obtain opt-in consent from consumers to process biometric data and would include a section devoted exclusively to the requirements for data controllers with respect to Facial Recognition Technology (FRT). Examples of such requirements include:

  1. Obtaining consent from consumers prior to enrolling a consumer’s image in FRT;
  2. Separating FRT databases from other databases and reviewing FRT databases annually;
  3. Ensuring that any FRT that may have a legal effect is subject to human review; and
  4. Requiring periodic training of those who operate an FRT service.

Due to the increased focus on these technologies, companies should carefully and thoroughly evaluate the privacy implications of any biometric or FRT product or service prior to launch. For example, facial recognition technology has reportedly been deployed in certain countries to identify those with elevated temperatures in order to prevent the spread of COVID-19. How these new laws in the United States will mesh with biometric technologies in the event of a public health crisis remains to be seen.

Conclusion

Time will tell as to whether the 2020 crop of CCPA-like proposed statutes will eventually become law—many similar CCPA copycat proposals failed in 2019—but it is apparent that there is a strong movement to enact stricter data privacy legislation. As Washington’s legislature approaches the end of its legislative session early this month, there is keen interest in the outcome of the Washington Privacy Act, which has a proposed effective date of July 31, 2021. While a similar measure failed in Washington last year, now that CCPA is in effect, the landscape has changed.

Businesses should closely monitor the developments in Washington and other states, particularly with respect to the trend of increased private rights of action and the resulting liability. While these state legislative proposals share a common goal, the lack of standardization among federal, state and international data privacy regimes is cause for significant concern in the business community, which bears the brunt of complying with competing and sometimes conflicting legal and regulatory obligations. These trends show no signs of abating, so stay tuned.

On March 4, 2020, the House passed the Coronavirus Preparedness and Response Supplemental Appropriations Act, 2020, a bipartisan bill to aid in COVID-19 preparedness and response. The bill includes, among other things, provisions that waive certain telehealth requirements during the COVID-19 public health emergency to ensure Medicare beneficiaries can receive telehealth services at home to avoid placing themselves at greater risk of the virus.

Generally, Medicare beneficiaries may only receive telehealth services as a Medicare covered service if:

  • The beneficiary (patient) is located in a qualifying rural area;
  • The beneficiary is located at one of eight types of qualifying originating sites;
  • The services are provided by one of 10 categories of distant site practitioners eligible to furnish and receive Medicare payment for telehealth services;
  • The beneficiary and distant site practitioner communicate via an interactive audio and video telecommunications system that permits real-time communication between them—telephones, fax machines and email do not meet this requirement; and
  • The CPT/HCPCS code for the service is on the list of covered Medicare telehealth services.

The bill gives the secretary of the US Department of Health and Human Services (HHS) the authority to waive the originating site requirement for telehealth services provided to Medicare beneficiaries located in any identified emergency area during emergency periods by a qualified provider. An “emergency area” is a geographical area in which, and an “emergency period” is the period during which, there exists: (a) an emergency or disaster declared by the president pursuant to the National Emergencies Act or the Robert T. Stafford Disaster Relief and Emergency Assistance Act; and (b) a public health emergency declared by the secretary. The bill also allows telehealth services to be provided to Medicare beneficiaries via phone, but only if the phone allows for audio-video interaction between the provider and the beneficiary.

The bill takes important steps to allow healthcare providers to deploy telehealth resources in response to COVID-19 and other public health emergencies, and allows Medicare beneficiaries to receive telehealth services from the comfort of their home (even via their smart phone) without risk of exposure. While the bill represents a further step in the expansion of the availability of telehealth services, we should be careful not to overstate its impact. The waiver of the originating site requirement and expansion of telemedicine modalities is limited to emergency areas identified by the president and secretary during emergency periods. Accordingly, as a practical matter, this expansion of availability of telehealth reimbursement is very limited. In addition, healthcare providers must still comply with state laws and regulations that govern telehealth, including, but not limited to, professional licensure, scope of practice, standard of care, patient consent and other reimbursement requirements for non-Medicare beneficiaries.

The bill offers a welcome relaxation of the rigid Medicare requirements for telehealth reimbursement during a time of stress within the healthcare industry. It also represents another, albeit small, step in the gradual acceptance of telehealth within the healthcare reimbursement sector.

In our global economy, Coronavirus (COVID-19) raises serious concerns for employers in all industries. Workers may be on the front lines caring for patients and developing vaccines, travelling for business, or in close contact with individuals who travel or may have been affected. At this time, there is no vaccine or medication approved to prevent or treat the COVID-19 disease. Therefore, preparedness and prevention are crucial. Frontline responders must be especially vigilant as they deliver care and anticipate the challenges this uncharted territory presents.

McDermott’s Coronavirus Resource Center, brought to you by a multi-disciplinary team, will keep you informed of the latest developments and provide comprehensive insight to help you navigate this crisis with your employees, including:

  • Frequently asked questions for US and multi-national employers
  • Recent news updates
  • Podcasts
  • Upcoming events

As the number of confirmed COVID-19 cases in the United States grows, healthcare providers are stepping up their response planning. To combat the spread of COVID-19, the Centers for Disease Control and Prevention (CDC) urged healthcare systems and providers to deploy all of the resources necessary to ensure health system preparedness. The CDC recommended the use of telehealth tools to help address COVID-19 preparedness and to assist in directing patients to the right level of healthcare for their medical needs.

Healthcare providers have a unique and pressing opportunity to offer telehealth services to potential COVID-19 patients. At the same time, healthcare providers’ response to the COVID-19 outbreak highlights some of the barriers to the provision of telehealth services. Providers considering using telehealth as part of their COVID-19 response efforts should take the following factors into consideration:

  • While healthcare providers cannot diagnose COVID-19 through a telehealth visit, they can perform a number of services without requiring a patient to visit crowded medical facilities where the virus might be present. These services include performing initial patient screenings, assessing and assigning risk categories to patients, determining if a patient needs to seek diagnostic testing, and answering patient questions and offering treatment recommendations.
  • Deploying telehealth services is not without its challenges. The varying reimbursement policies of private, state and federal payers, as well as differing state-based medical licensing requirements, may burden providers and patients with confusion, economic inefficiencies and onerous processes in a difficult engagement context.
  • As part of the COVID-19 response discussions, telehealth advocates propose that the Centers for Medicare and Medicaid Services reduce or eliminate its long-standing telehealth reimbursement restrictions. This change would allow Medicare to pay for virtual visits during national emergencies, regardless of originating site or geographic location. There is also a push to waive the lengthy enrollment process telehealth providers must undergo to be paid by Medicare.
  • While telehealth has the potential to assist in a healthcare system’s response to COVID-19, providers still must comply with state laws and regulations that govern telehealth, including but not limited to professional licensure, scope of practice, standard of care and patient consent, in addition to the reimbursement requirements and limitations put into place by third-party payers.
    • Typically, telehealth providers must be licensed in the state in which the patient is located, although certain states have exceptions that telehealth providers may leverage in response to COVID-19.
    • Telehealth providers must practice within the scope of practice of the profession in which they are licensed and within the standard of care set forth by the governing professional board in a given state.
    • State telehealth laws may require a specific modality for telehealth consultations (e.g., audio-visual consultations). Likewise, third-party payers may require a specific modality for telehealth consultations for purposes of reimbursement.

Digital health companies are producing increasingly innovative products at a rapidly accelerating pace, fueled in large part by the expansive healthcare data ecosystem and the data strategies for harnessing the power of that ecosystem. The essential role data strategies play makes it imperative to address the data-related legal and regulatory considerations at the outset of the innovation initiative and throughout the development and deployment lifecycle so as to protect your investment in the short and long term.

The Evolution of Digital Health

Digital health today consists of four key components: electronic health records, data analytics, telehealth, and patient and consumer engagement tools. Electronic health records were most likely first, followed very closely by data analytics. Then telehealth deployment rapidly increased in response to demand by patients and providers, the improved care delivery and access it offers, and, more recently, the expanded reimbursement for telehealth solutions. Each component of digital health was developed somewhat independently, but they have now converged and are interrelated, integral parts of the overall digital health ecosystem.

The patient and consumer engagement dimension of digital health has exploded over the last five years. This is due, in large part, to consumer and patient demand for greater engagement in the management of their healthcare, as well as the entry of disruptors, such as technology service providers, e-commerce companies, consumer products companies and entrepreneurs. At this point in the evolution of the digital health landscape, the patient and consumer engagement tool dimension pulls in all other key components and no digital health consumer engagement tool is complete without the full package.

Data Strategies and Collaborations as Key Innovation Ingredients

No digital health initiative can be developed, pursued or commercialized without data. But the world of data aggregation and analytics has also changed significantly and become immensely complex in recent years. Digital health innovation is no longer working exclusively within the friendly confines of the electronic health record and the carefully regulated, controlled and structured data it holds. Today, digital health innovation relies on massive amounts of data in a variety of types, in various forms, from a wide variety of sources, and through a wide variety of tools, including patient and consumer wearables and mobile devices.

Digital health is experiencing a boom in investment as the regulatory environment becomes more supportive of digital health services. But as companies seek to make the most of their funding and protect the innovations that drive their product, it is imperative that they protect their intellectual property from being copied or duplicated by others in the market.

What exactly is IP?

Intellectual Property (IP) is generally non-tangible property. You can hold your laptop in your hands or you can stand on a piece of land — those are both tangible examples of property. Intellectual property cannot be physically held or touched. Protections available for intellectual property generally break down into one of four areas: patents, trade secrets, trademark, and copyright.

Patent protection offers an additional layer of protection for digital health solutions compared to copyrights. For example, a company may be eligible for a patent if it has innovated a new approach to identifying data, a new approach to storing data more efficiently, or a new approach to the data structure itself—those are all ways where innovations could be patentable and help extend protection around data.

How does IP apply to data?

If, in a digital health patent application, a company focuses on innovation for a computer-specific problem—such as keeping data private, keeping data secure, de-identifying data—that is usually a home run argument to the patent office for crossing the first threshold of eligibility for patenting.

This is one of the few areas where the patent office has made it clear that these ideas and invention types are considered patent eligible. Thereafter, of course, remains the traditional challenge of getting a patent, which is to prove that no one before you has invented what you’ve invented. But lately, in the digital health space, that challenge seems to be less difficult to overcome compared to the eligibility challenge.

How to protect IP

Digital health companies are producing innovative products at a rapidly accelerating pace and experiencing a boom in investments and demand as the regulatory environment becomes more supportive of digital health services to both improve patient care and stay profitable. Protecting intellectual property (IP) and building a feasible data strategy to support the research and development endeavor are essential steps for companies in their drive toward commercialization and return on their investment. On this episode of the Of Digital Interest podcast, McDermott partners Bernadette Broccolo (Health) and Ahsan Shaikh (IP) explore key issues for digital health companies, their collaboration partners and investors, and start-ups to consider, including:

  • What is currently patent eligible in the digital health space?
  • What patent-eligible trends and opportunities are we seeing?
  • How do laws governing data sharing among digital health collaborators impact the research and development effort and associated IP rights?
  • What challenges and opportunities do artificial intelligence, blockchain and machine learning present for digital health innovators?

When it comes to market success for digital tools in the health sector, business strategy can be far more complex than in other industries. Understanding customer-driven market trends is important, but healthcare’s complexity can camouflage customer demand and its regulatory ecosystem adds layers of additional considerations.

Customer Demand and Digital Solutions

The convenience, competitive pricing, answers-at-your-fingertips responsiveness and hyper-personalization delivered by top technology brands and their integration into other industry sectors has created an expectation for digital health solutions that deliver the same experience.

In some instances, consumers are finding the solutions. For example, telemedicine is gaining momentum as consumers discover that digital interactions with high-quality providers are oftentimes more convenient and less expensive than face-to-face encounters. Other tools are providing access to prescriptions, better health condition management solutions, better information sharing enabling smoother transitions among care settings, and more efficiency in everything from hospital operations to scheduling appointments to identifying in-network care options.

When it comes to business strategy, however, digital health solutions need to recognize that consumer pressures are frequently at odds with existing incentives within care delivery systems and, perhaps, legal and regulatory requirements. Accordingly, it is critical not just from a compliance perspective but also from a business strategy perspective to navigate the healthcare industry’s unique market and regulatory dynamics.

Balancing Demand with Reality

With the California Consumer Privacy Act of 2018 (CCPA) having taken effect on January 1, 2020, the privacy and data security landscape for insurance carriers, producers and insurtech (collectively, “insurers”) continues to grow more complex. A number of states have also recently passed laws regulating data security in the insurance industry, with the first transition period under a number of these laws set to end in 2020. Given the significant amount of sensitive personal information that insurers collect, process and retain, this trend of increased privacy and data security regulation within the insurance industry is likely to continue. To stay ahead of these new privacy and data security requirements, insurers need to take steps now to navigate the increasingly complex regulatory landscape.

How Does the CCPA Impact Insurers?

On January 1, 2020, California became the first state in the United States to enact comprehensive privacy legislation that governs the collection, use and sale of personal information of California residents (i.e., consumers) and households. Personal information is broadly defined as any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household. The CCPA applies to “businesses,” which are for-profit entities that determine the purposes and means of processing consumers’ personal information that do business in California and meet certain applicability thresholds.

Insurers operating in California that meet the CCPA applicability thresholds will be deemed “businesses” subject to a number of obligations under the CCPA, including disclosure obligations and requirements related to consumer privacy rights. While these obligations can be quite onerous, the vast majority of personal information that many personal line insurers collect, process and retain will likely fall under an exemption in the CCPA. The CCPA includes exemptions for:
