Lack of a sufficient risk analysis continues to be one of the most commonly alleged violations in Office for Civil Rights (OCR) HIPAA enforcement actions, appearing in half of all OCR settlements announced in the last 12 months and in almost all of the $1 million-plus settlements during that time period. Significant confusion remains across the health care industry as to what actually constitutes a compliant risk analysis for purposes of the HIPAA Security Rule. On April 30, 2018 OCR issued guidance discussing the differences between a HIPAA Security Rule risk analysis and a HIPAA compliance “gap analysis.” Drawing from our experience reviewing clients’ historical risk analysis documents, helping clients to navigate OCR investigations and negotiating several recent HIPAA settlements with OCR, we elaborate on what constitutes a compliant HIPAA Security Rule risk analysis, discuss common risk analysis misunderstandings and pitfalls, and encourage covered entities and business associates to consider whether to conduct these reviews under attorney-client privilege.
Fortune’s April 2018 cover story, “Tech’s Next Big Wave: Big Data Meets Biology,” conveys loudly and clearly that technological innovation is transforming the health care continuum—changing the way care is delivered, as well as how patients manage their ongoing health—and as patient demand for health innovation increases, more companies seem eager to hop on the digital health bandwagon. The article provides a thoughtful, realistic (and somewhat sobering) perspective on digital health innovation’s successes and other results to date. It also quite effectively uses real world stories to convey the human dimension of digital health. One is the story of a mother who manually sampled and recorded her son’s glucose levels 20 times a day before an automated monitoring system connected to a mobile app allowed them both to live their lives without constant interruption by this critical care management function. Another describes use of an artificial intelligence “command center” to expedite access to life-saving surgery by a man with an aortic dissection. These real-world examples drive home the fact that digital health is already making a profound difference in our lives by removing barriers to care that are critical to saving lives and managing chronic diseases.
What the article does not touch on, however, are the myriad, complex legal challenges that must be addressed at the earliest stages of the planning process and the intensifying interest of government oversight and enforcement bodies, such as the Federal Trade Commission, the Food and Drug Administration, the Office of Civil Rights of the Department of Health and Human Services, and the Securities and Exchange Commission, interested in protecting the safety and privacy of patients and consumers. Just last month, we saw the SEC charge Theranos’ CEO Elizabeth Holmes with fraud for allegedly misleading investors about the company’s ability to detect health conditions from a small sample of blood. Earlier this year, another “unicorn” start-up, Outcome Health, settled with the federal government after The Wall Street Journal reported that they allegedly misled advertisers with manipulated information. The United States has also brought claims against the private equity company investor of a compounding pharmacy that allegedly paid illegal kickbacks to marketing firms to induce prescriptions written by telemedicine providers for costly compounded drugs reimbursed by TRICARE.
Opportunities and Challenges of the Patient Data “Gold Rush”
Eric Topol, MD, director at the Scripps Research Institute, told Fortune that “the quest to retrieve, analyze and leverage” data “has become the new gold rush. And a vanguard of tech titans—not to mention a bevy of hot startups—are on the hunt for it.” There is no doubt that harnessing and analyzing big data provide virtually limitless fuel for digital health innovation of the type patients and consumers are demanding and that tech companies are eager to develop and commercialize. While optimism about the quest for big data is certainly justified, it must be tempered by caution and careful consideration of complex, multi-dimensional legal and regulatory requirements that can shape the strategy for the exchange, use and exploitation of identifiable personal health data and other personal data. As innovation continues to move in many directions and at light speed, it can be easy to get wrapped up in the excitement, but it’s worth taking a step back to take a look at the legal implications of doing so.
There are many current laws protecting patient data privacy, confidentiality and security that limit the type and extent of data-sharing that patients and digital health technology innovators demand. For instance, some state and federal privacy laws that protect particularly sensitive information (e.g., information concerning HIV/AIDS, mental health, substance abuse, and genetic testing and counseling) are more restrictive than the Health Insurance Portability and Accountability Act (HIPAA) and may require express written patient consent for uses and disclosures that HIPAA would permit without consent, and the Genetic Information Nondiscrimination Act of 2008 also limits access to genetic information by group health plans, health insurers and issuers of Medigap policies.
Prioritizing Comprehensive Compliance Programs
While the Fortune article states that transformative technologies are putting consumers “in the driver’s seat,” there are still legal barriers that are currently keeping them in the passenger seat. To that end, and at the earliest stage of the research and development life cycle, companies must thoroughly think through key compliance considerations such as the nature and frequency of necessary patient and consumer consents, how they will substantiate claims they make in marketing and selling a product, what pre‑market regulatory approvals they need to obtain and how they will support the application for such approvals, to name just a few. A comprehensive corporate compliance program that incorporates the essential elements identified by the Office of the Inspector General can help companies identify, address and manage regulatory and compliance challenges before they become a serious problem that will threaten the success of the digital health initiative and expose them to government enforcement actions and third party lawsuits.
To learn more about the legal barriers that exist in the digital health space, as well as the need for and value of a proper and thorough compliance program, read “The Law of Digital Health,” written by members of the McDermott Will & Emery Digital Health Team. Be sure to also stay up to speed on all of the regulatory challenges and growth opportunities in health care technology today by bookmarking our “Of Digital Interest” blog.
Follow us on LinkedIn at McDermott Will & Emery LLP.
As the telemedicine landscape continues to evolve and new capabilities come to bear, those working in the industry will face a diverse mix of legal and regulatory hurdles as stakeholders begin to leverage new avenues and options for care delivery. This evolution requires practitioners to understand the legal frameworks that will continue to change as regulators attempt to keep pace with evolving technology.
To help address the complexities of the telemedicine regulatory environment — and those across the digital health ecosystem at large — we partnered with the American Health Lawyers Association to release “The Law of Digital Health,” which details legal realities for digital health leaders and their advisors looking to bring new tools to market or expand their existing positions.
Unique Legal and Regulatory Considerations Applicable to Telemedicine
The “telemedicine sector” is undoubtedly complex and rife with nuance, beginning with how it is defined, which significantly varies among payers, regulators, accrediting bodies and providers. Adding to the intricacy are the variations in telemedicine regulation, depending on factors such as the patient’s location/geography and care setting, coverage and reimbursement or type of technology used. Despite these complexities, organizations are moving forward with their telemedicine initiatives and navigating these issues because of the great potential telemedicine has to expand access to care. Continue Reading Telemedicine’s Complex Legal Landscape
Earlier this month, more than 45,000 attendees descended on Las Vegas, NV, for the nation’s largest annual health care technology conference: the 2018 HIMSS Conference & Exhibition (HIMSS18). Conversations and educational sessions covered a wide range of health tech topics, with thought leaders, solutions developers, health system executives, patient advocates and care providers coming together to discuss the myriad obstacles and opportunities facing the health care technology industry today.
On Tuesday March 6, during the HIMSS conference, McDermott Will & Emery along with our friends at Capstone Headwaters convened a panel discussion on “Financing High-Growth Healthcare IT Companies, which I had the pleasure of moderating. The seasoned mix of health care finance and private equity professionals discussed the various types and sources of capital available to fuel high-growth health IT organizations and how to choose the right mix of capital to support a company’s growth needs. We also reviewed the legal and regulatory implications for investments in health care IT companies, and discussed considerations for optimal positioning in a value-based care environment. Continue Reading Financing High-Growth Health IT Companies: McDermott and Capstone’s Panel Recap from HIMSS 18
Last week, the US Court of Appeals for the DC Circuit issued a long-awaited decision on an omnibus challenge to the FCC’s interpretation of the TCPA. While the decision provides some relief for businesses, it does not eliminate the prospect of TCPA liability and leaves important TCPA interpretive questions unresolved. Businesses should continue to be vigilant regarding consent and opt-out procedures when sending automated text messages and automated or pre-recorded calls to consumers. Continue Reading
Designed to provide business leaders and their key advisors with the knowledge and insight they need to grow and sustain successful digital health initiatives, we are pleased to present The Law of Digital Health, a new book edited and authored by McDermott’s team of distinguished digital health lawyers, and published by AHLA.
Visit www.mwe.com/lawofdigitalhealth to order this comprehensive legal and regulatory analysis, coupled with practical planning and implementation strategies. You can also download the Executive Summary and hear more about how Digital Health is quickly and dynamically changing the health care landscape.
What if you didn’t have to take time out of your day to see a physician in person when you needed a prescription? What if a diagnosis could be delivered over video chat? What if your psychiatrist was available at the press of a button or swipe on your screen?
These options are fast becoming a reality, as telehealth (or telemedicine) continues to take hold in a health care system that is desperate for increased efficiency and higher quality outcomes. And while telehealth offers exciting new possibilities in terms of convenience and access for patients, it also poses new regulatory challenges for industry stakeholders still learning the new rules of the game in today’s digital health ecosystem.
The Chronic Care Act
One of the biggest drivers of change in the industry right now is the Chronic Care Act. Last month, as part of the House and Senate budget deal to fund the government through March 23, legislators included the Creating High-Quality Results and Outcomes Necessary to Improve Chronic (CHRONIC) Care Act of 2017, which will increase reimbursement for a lot of different telemedicine programs.
For example, if you went to a rural hospital and they didn’t have a stroke neurologist and you were having a stroke, you would have an ED doctor with no stroke specialty diagnosing you—not an ideal situation. With telemedicine, it’s now possible for rural doctors to consult with specialty doctors at renowned sites, which the government will fund thanks to the Chronic Care Act. Continue Reading Telehealth and the Changing Regulatory Landscape: Opportunities and Challenges in the Digital Health Ecosystem
The explosion in digital health solutions that connect consumers with licensed health care providers (e.g., nurses, nutritionists, physicians) and laypersons who have certain informal training (e.g., wellness guide, lifestyle coach, outreach partner) has the potential to blur the lines between what constitutes the practice of a licensed health care profession and what does not (usually because the service is intended to be merely informational or educational). Why does it matter which side of the line a particular service falls on? If a service is one that is delivered by a licensed health care professional, there are various state laws and regulations that may govern the activity, and different potential causes of action that may apply in the event a consumer/patient is injured in the process.
- If a digital health solution connects a consumer to an individual who is engaged in an activity that is normally performed by a licensed health care professional, state laws and regulations governing health care professionals likely apply.
As background, state professional boards regulate individuals who deliver health care services to the public (e.g., nursing, psychology, medicine, phlebotomy). What falls within the definition of a specific health care service can be very broad and varies state to state. Continue Reading Walking the Fine Line between the Delivery of Health Care Services and Information/Educational Support
This past fall, after months of speculation, President Trump declared the opioid crisis sweeping the United States a national public health emergency. Upon the president’s declaration, Acting Health and Human Services Secretary Eric D. Hargan made a formal declaration under Section 319 of the Public Health Service Act, making available an exception to the Ryan Haight Online Pharmacy Consumer Protection Act of 2008 (the Haight Act) that would allow providers to prescribe controlled substances using telemedicine without first conducting an in-person visit. Currently, the Haight Act restricts the ability of a provider to prescribe controlled substances using telemedicine without first conducting an in-person examination, unless an exception applies. For a detailed discussion regarding the Haight Act and the restrictions on the use of telemedicine to prescribe controlled substances within the context of the treatment of opioid addiction and mental health generally, our latest article addresses the opioid crisis and access to mental and behavioral health providers.
The declaration of a public health emergency allows the US Drug Enforcement Agency (the DEA) to remove the restriction of prescribing controlled substances using telemedicine for the treatment of opioid addiction, but the DEA has not promulgated any rules or guidance on the subject. The lack of development has drawn the interest of Senators Claire McCaskill, Lisa Murkowski, and Dan Sullivan. The senators, in a January 30, 2018, letter to Robert Patterson, the acting administrator of the DEA, note that the restriction on the use of telemedicine from prescribing addiction treatment medications continues to have a harmful impact on rural Americans, citing specifically to Missouri, where 98 out of its 101 rural counties lack a licensed psychiatrist. In this letter, the senators call on Mr. Patterson to expedite the rulemaking process to create a special registration process to permit the prescription of opioid-based medication-assisted addiction therapies via telemedicine without first performing an in-person visit.
McDermott Will & Emery LLP will continue to monitor whether progress is made to develop this expedited rulemaking process and report updates on this blog.
The opioid epidemic is making the United States acutely aware of the horrors of substance abuse disorders and the limited means of treating the individuals suffering from addiction. Rural America is among the places hit hardest by opioid addiction while also having limited access to mental and behavioral health providers.
Telemedicine offers a viable solution to provider shortages, particularly with an eye toward mental health care professionals. Although telemedicine alone will not remedy the shortage of psychiatrists in the United States, the technology does possess the capability of greatly increasing access to them; however, a large driver of psychiatric care is provided through pharmaceutical treatments.
The ability for providers to prescribe pharmaceuticals, particularly controlled substances, to patients the provider has not seen in person is limited by the Ryan Haight Online Pharmacy Consumer Protection Act of 2008 (Haight Act). The relevance of the Haight Act, a law that went into effect almost nine years ago, has been revitalized, but the opioid epidemic and advances in psychiatric treatment are now demonstrating the law requires clarification through amendment to improve access to pharmaceutical treatments and, in turn, increase access to mental health care.
Reprinted with permission, copyright © 2018, The Bureau of National Affairs, Inc.