Bernadette M. Broccolo has been counseling health industry organizations for more than 37 years on leading-edge health industry relationship formation and realignments. Her areas of concentration include privacy, technology contracting, corporate governance, human subject protection and federal taxation of exempt organizations. Bernadette speaks and writes frequently on emerging health care topics of importance to her clients and the industry.

Fortune’s April 2018 cover story, “Tech’s Next Big Wave: Big Data Meets Biology,” conveys loudly and clearly that technological innovation is transforming the health care continuum—changing the way care is delivered, as well as how patients manage their ongoing health—and as patient demand for health innovation increases, more companies seem eager to hop on the digital health bandwagon. The article provides a thoughtful, realistic (and somewhat sobering) perspective on digital health innovation’s successes and other results to date. It also quite effectively uses real world stories to convey the human dimension of digital health. One is the story of a mother who manually sampled and recorded her son’s glucose levels 20 times a day before an automated monitoring system connected to a mobile app allowed them both to live their lives without constant interruption by this critical care management function. Another describes use of an artificial intelligence “command center” to expedite access to life-saving surgery by a man with an aortic dissection. These real-world examples drive home the fact that digital health is already making a profound difference in our lives by removing barriers to care that are critical to saving lives and managing chronic diseases.

What the article does not touch on, however, are the myriad, complex legal challenges that must be addressed at the earliest stages of the planning process and the intensifying interest of government oversight and enforcement bodies, such as the Federal Trade Commission, the Food and Drug Administration, the Office of Civil Rights of the Department of Health and Human Services, and the Securities and Exchange Commission, interested in protecting the safety and privacy of patients and consumers. Just last month, we saw the SEC charge Theranos’ CEO Elizabeth Holmes with fraud for allegedly misleading investors about the company’s ability to detect health conditions from a small sample of blood. Earlier this year, another “unicorn” start-up, Outcome Health, settled with the federal government after The Wall Street Journal reported that they allegedly misled advertisers with manipulated information. The United States has also brought claims against the private equity company investor of a compounding pharmacy that allegedly paid illegal kickbacks to marketing firms to induce prescriptions written by telemedicine providers for costly compounded drugs reimbursed by TRICARE.

Opportunities and Challenges of the Patient Data “Gold Rush”

Eric Topol, MD, director at the Scripps Research Institute, told Fortune that “the quest to retrieve, analyze and leverage” data “has become the new gold rush. And a vanguard of tech titans—not to mention a bevy of hot startups—are on the hunt for it.” There is no doubt that harnessing and analyzing big data provide virtually limitless fuel for digital health innovation of the type patients and consumers are demanding and that tech companies are eager to develop and commercialize. While optimism about the quest for big data is certainly justified, it must be tempered by caution and careful consideration of complex, multi-dimensional legal and regulatory requirements that can shape the strategy for the exchange, use and exploitation of identifiable personal health data and other personal data.  As innovation continues to move in many directions and at light speed, it can be easy to get wrapped up in the excitement, but it’s worth taking a step back to take a look at the legal implications of doing so.

There are many current laws protecting patient data privacy, confidentiality and security that limit the type and extent of data-sharing that patients and digital health technology innovators demand. For instance, some state and federal privacy laws that protect particularly sensitive information (e.g., information concerning HIV/AIDS, mental health, substance abuse, and genetic testing and counseling) are more restrictive than the Health Insurance Portability and Accountability Act (HIPAA) and may require express written patient consent for uses and disclosures that HIPAA would permit without consent, and the Genetic Information Nondiscrimination Act of 2008 also limits access to genetic information by group health plans, health insurers and issuers of Medigap policies.

Prioritizing Comprehensive Compliance Programs

While the Fortune article states that transformative technologies are putting consumers “in the driver’s seat,” there are still legal barriers that are currently keeping them in the passenger seat. To that end, and at the earliest stage of the research and development life cycle, companies must thoroughly think through key compliance considerations such as the nature and frequency of necessary patient and consumer consents, how they will substantiate claims they make in marketing and selling a product, what pre‑market regulatory approvals they need to obtain and how they will support the application for such approvals, to name just a few. A comprehensive corporate compliance program that incorporates the essential elements identified by the Office of the Inspector General can help companies identify, address and manage regulatory and compliance challenges before they become a serious problem that will threaten the success of the digital health initiative and expose them to government enforcement actions and third party lawsuits.

To learn more about the legal barriers that exist in the digital health space, as well as the need for and value of a proper and thorough compliance program, read “The Law of Digital Health,” written by members of the McDermott Will & Emery Digital Health Team. Be sure to also stay up to speed on all of the regulatory challenges and growth opportunities in health care technology today by bookmarking our “Of Digital Interest” blog.

Designed to provide business leaders and their key advisors with the knowledge and insight they need to grow and sustain successful digital health initiatives, we are pleased to present The Law of Digital Health, a new book edited and authored by McDermott’s team of distinguished digital health lawyers, and published by AHLA.

Visit www.mwe.com/lawofdigitalhealth to order this comprehensive legal and regulatory analysis, coupled with practical planning and implementation strategies. You can also download the Executive Summary and hear more about how Digital Health is quickly and dynamically changing the health care landscape.

The General Data Protection Regulation (GDPR) establishes protections for the privacy and security of personal data (Personal Data) about individuals in the European Union (EU) single market countries, and potentially affects the clinical and other scientific research activities of academic medical centers and other research organizations in the United States.

This On the Subject includes frequently asked questions that discuss the extent to which United States research organizations must comply with GDPR when conducting research. Future coverage will address the impact of GDPR on other aspects of the United States health care sector.

Throughout 2017, the health care and life sciences industries experienced a widespread proliferation of digital health innovation that presents challenges to traditional notions of health care delivery and payment as well as product research, development and commercialization for both long-standing and new stakeholders. At the same time, lawmakers and regulators made meaningful progress toward modernizing the existing legal framework in a way that will both adequately protect patients and consumers and support and encourage continued innovation, but their efforts have not kept pace with what has become the light speed of innovation. As a result, some obstacles, misalignment and ambiguity remain.

We are pleased to bring you this review of key developments that shaped digital health in 2017, along with planning considerations and predictions for the digital health frontier in the year ahead.

On September 29, the Federal Trade Commission (FTC) formally announced a December 12th workshop on informational injury—the injury a consumer suffers when information about them is misused. The workshop will address questions such as how to characterize and measure such injury and what factors businesses and consumers should consider when weighing the benefits and risks of collecting, using and providing personal information, so as to gain further perspective on how the FTC should apply its legal framework for privacy and security enforcement under 15 USC § 45 (Section 5). In her September 19th remarks to the Federal Communications Bar Association, Commissioner Maureen Ohlhausen, the Acting Chairman of the FTC, metaphorically characterized the workshop’s purpose as providing the next brushstrokes on the unfinished enforcement landscape the FTC is painting on its legal framework canvas. The full list of specific questions to be addressed may be accessed here.

Background. The FTC views itself as the primary US enforcer of data privacy and security, a role it recently assumed. While the FTC’s enforcement against practices causing informational injury through administrative proceedings goes back as far as 2002, its ability to pursue corporate liability for data security and privacy practices under its Section 5 “unfair or deceptive trade practices” jurisdiction was only ratified in 2015 by the US Court of Appeals for the Third Circuit in FTC v. Wyndham Worldwide Corporation. The FTC has actively invoked its enforcement authority but, in doing so, has been selective in determining which consumer informational injuries to pursue by questioning the strength of evidence connecting problematic practices with the injury, examining the magnitude of the injury and inquiring as to whether the injury is imminent or has been realized.

The Final Rule published by the US Department of Health and Human Services on January 18, 2017, largely avoids major modifications to the Common Rule. However, it specifically addresses creation of biospecimen and data repositories and use of those repositories for secondary research. All stakeholders involved in federally funded research should be aware of the Final Rule’s changes and prepare to implement them.

Digital health—the intersection of health care related software applications, analytical tools, medical device technology and electronic data assets that are enabled and achieved through the use of the internet and hand-held devices—is empowering the innovation needed to meet the imperative for a transition from payment based on volume to payment based on value that is evaluated in terms of measurable improvements in care delivery and population health.

One prominent example is the use of digital health solutions to implement the payment innovation contemplated by the Medicare Access and CHIP Reauthorization Act (known as MACRA)—which directly ties both payment increases and reductions to various, specific efficiency and value measures. The Merit-Based Incentive Payment System (MIPS), one of the two available payment pathways under MACRA, assigns points to clinicians in different performance categories, several of which promote the adoption of digital health solutions. To illustrate:

  • The Quality category requires six measures to be reported, many of which may be leveraged through the use of digital health tools. For example, the Maternity Care: Post-Partum Follow-Up and Care Coordination measure tracks the percentage of patients who were seen for post-partum care within eight weeks of giving birth who received particular evaluations, screening and education. Obstetricians, gynecologists and family medicine practitioners could earn points under this measure by using telemedicine technologies, like videoconferencing platforms, to engage in virtual patient visits with post-partum patients to answer the patient’s questions, provide education on the recovery process and assess the patient’s physical and mental health status, including the performance of mandatory post-partum depression screenings.
  • The Advancing Care Information category requires the use of certified electronic health record technology to coordinate care through patient engagement (e.g., secure messaging). The implementation of patient portals with integrated messaging platforms facilitates communication between the patient and health care practitioner, providing additional functionalities like sending reminders, engaging in dialogue about follow-up care, encouraging preventative action and distributing educational materials. These portals typically also give the patient access to timely and informative data, like test results, that allow the patient to play a role in decision making and (hopefully) empower the well-informed consumption of care.
  • The Clinical Practice Improvement category is perhaps the best opportunity for digital health integration. Activities that improve beneficiary engagement, population management, expanded practice access and care coordination—among others—are assigned points and weighted. Here, mobile apps have the capability to enable e-visits via videoconference as an alternative method to an in-person visit; facilitate questionnaire reporting; and send reminders, materials and other notifications to alert and educate patients about services due. The apps also provide opportunities to generally inform the delivery of care for the specific patient by sending alerts to providers to indicate that it’s time for a visit or that a problematic symptom was noted on a questionnaire. Further, clinical practices could leverage app-sourced data to gain information about patient trends, clinical areas of concern or successes related to digital health tool utilization.

For additional examples and insights on how digital health tools will be necessary for a successful transition to alternative payment schemes, please read Managing the Transition to Transformation: Digital Health Solutions: Essential Ingredients in Alternative Health Care Delivery and Payment Innovations.

Developers and users of digital health solutions face both immense opportunities and daunting challenges. One key challenge is compliance with the often complex state and federal laws and regulations adopted by the numerous regulatory bodies responsible for overseeing different aspects of digital health. The following illustration identifies the numerous regulatory bodies that have been increasingly focused on the use of technology in healthcare and are expected to continue their focus and enforcement activities in the coming years.

Because innovation is moving faster than the law in this area, in-house counsel and compliance officers must be prepared to identify and manage the myriad compliance and liability risk considerations arising from participation in and use of digital health tools. This will require an understanding of how each of these regulatory bodies oversees and regulates digital health today and close monitoring of how that evolves and changes in the future.

Health care providers, patients and consumers should approach the selection and use of digital health advancements with a reasonable degree of caution. As AMA CEO James L. Madara, MD, advised in his address at the recently concluded 2016 AMA Annual Meeting, “…. Appearing in disguise among these positive products are other digital so-called advancements that do not have an appropriate evidence base … or that just do not work well or that actually impede care, confuse patients and waste our time … from ineffective electronic health records to an explosion of direct-to-consumer digital health products to apps, some of which are of poor quality.” In this regard, providers would be well served by performing sufficient “due diligence” to determine whether the functionality of the digital health tool effectively meets their specific clinical and operational needs, as well as the needs of their patients, and to evaluate the developer’s compliance with applicable laws and regulations.