COVID-19 has rapidly accelerated our expectations that virtual connection can deliver better and more economical care. As a result, digital health companies have an unprecedented opportunity to innovate, but with that opportunity also come significant regulatory challenges related to the collection and processing of personal health information. What legal requirements apply to the processing of health information? What are the risks associated with noncompliance? In this brief primer, we provide answers to these questions, and a window into what may lie next on the horizon.
Frequently Asked Questions
What federal laws may apply to digital health companies, and what do they generally require?
HIPAA
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that protects certain health information. When considering whether HIPAA applies to your activities, it is best to start with the question "who is holding the information?" rather than, "what is the nature of the information?"
HIPAA applies to "covered entities," which are healthcare providers, health plans (insurers), and healthcare clearing houses:
Healthcare Providers
This includes providers such as:
Health Plans
This includes:
Healthcare Clearing Houses
This includes entities that process nonstandard health information they receive from another entity into a standard (i.e., a standard electronic format or data content), or vice versa.
Covered entities outsource many of their operations and functions to service providers. If you are a service provider who creates, receives, maintains, or transmits "protected health information" (or "PHI") for or on behalf of a covered entity, you are likely a "business associate" to the covered entity and must comply with applicable parts of HIPAA. Traditional examples of business associates include companies that help providers bill for their services and companies that host PHI in the cloud. Today, however, any cutting-edge tech company that processes PHI as part of their service may be a business associate and should be thinking about whether they need to comply with HIPAA. This includes everything from SaaS platforms to wearable patient devices.
Among other things, HIPAA requires covered entities and business associates to: (i) develop and implement HIPAA-specific policies and procedures that address the privacy, security, and breach notification requirements of the HIPAA regulations; (ii) conduct and document a security risk analysis and risk management plan, which generally involves a full security audit of their information security systems; (iii) enter into Business Associate Agreements with all of their covered entity customers and business associate vendors (as applicable); and (iv) provide and document HIPAA training annually to all of their workforce members.
The FTC Act
Regardless of whether you are a covered entity or business associate, you may be covered by the Federal Trade Commission (FTC) Act, which prohibits deceptive or unfair practices. Your practices may be deceptive if, for example, your privacy policy or other public statements do not match your actual practices with respect to consumer data. The FTC has stated that disclosing sensitive health information without notice and consent may be an unfair practice. Additionally, failing to maintain reasonable safeguards to protect health information against breaches may also be an unfair practice. The FTC Act covers entities across all sectors of the economy; however, it does not apply to nonprofit entities or entities engaged in the business of insurance.
The FTC's Health Breach Notification Rule
Once an obscure law, the Health Breach Notification Rule is now being extended by the FTC, through a recent policy statement, to cover a number of digital health companies, such as developers of health apps and connected devices. If this law applies to you, you must notify consumers and the FTC in the event of a breach, which is defined broadly to include any disclosure of health information not authorized by a consumer. In addition to security breaches, you must notify consumers if, for example, you inadvertently shared their health information beyond their consent.
The Food, Drug, and Cosmetic Act
The Food and Drug Administration (FDA) enforces the Federal Food, Drug, and Cosmetic (FD&C) Act, which, among other things, regulates the safety and effectiveness of medical devices. In certain cases, the definition of "medical devices" includes mobile medical apps and other digital health products and services. The FDA focuses its regulatory oversight on regulated devices that pose a higher risk to a person's safety if they don't work as intended. For example, companies developing a product or service containing algorithms to supplement clinical decisions should be aware of the FDA's guidance regarding "clinical decision support" and "software as a medical device" to understand the regulatory implications of their product development.
The False Claims Act
If you are a healthcare provider or business associate that submits claims to the U.S. government, the U.S. Department of Justice (DOJ) could also pursue you for violations of the False Claims Act if you 1) knowingly provide deficient cybersecurity products or services; 2) knowingly misrepresent cybersecurity practices or protocols; or 3) knowingly violate obligations to monitor and report cybersecurity incidents and breaches.
Recognizing the overlap among these federal laws, the FTC, U.S. Department of Health and Human Services (HHS), and the FDA have put forth an interactive tool on their websites to help entities determine which federal laws apply to them. However, given the complexity of these federal laws, we strongly suggest that you consult with legal counsel for advice before making any such determinations.
What state laws may apply?
In addition to federal privacy laws, you might also be subject to state privacy laws that govern the collection, use, and disclosure of health information. These laws generally fall into four categories. First, certain states have comprehensive health privacy laws that go beyond the requirements of HIPAA. For example, California's Confidentiality of Medical Information Act (CMIA) imposes obligations more restrictive than HIPAA and may also cover entities that otherwise fall outside of HIPAA's jurisdiction (e.g., healthcare providers that do not electronically bill insurance).
Second, if you are not subject to HIPAA but meet certain threshold requirements, you may be subject to one or more of the comprehensive general privacy laws enacted in California, Virginia, Colorado, Utah, and Connecticut. These laws provide their residents with rights with respect to their personal information, for example, the right to access their personal information and the right to have such personal information deleted. Starting in 2023, California's law will even apply to employee information, such as COVID vaccination information.
Third, sector- or issue-specific privacy laws may apply to you, such as: Illinois' Biometric Information Privacy Act (BIPA); state laws governing the collection, use, and disclosure of HIV/AIDS-related information; state data security and data breach notification laws; and state laws governing data brokers, such as California's Shine the Light law.
Finally, state attorneys general can enforce their own state prohibitions against unfair or deceptive practices.
What are some of the risks of noncompliance?
If you're covered by HIPAA, you are subject to civil penalties ranging from $100 to $50,000 per violation, with a maximum penalty of $1.5 million for all identical violations in the same year. The range of penalties is based on four tiers, and the tiers are based on the severity of the violation. The HHS Office for Civil Rights (OCR) is charged with enforcing HIPAA. (State attorneys general also have authority to bring civil actions on behalf of state residents for violation of the HIPAA Privacy and Security Rules.) So far this year, OCR has brought enforcement actions in the following areas:
If you are within the FTC's jurisdiction and violate the Health Breach Notification Rule, the FTC can seek fines of up to $40,792 per violation per day. Although the FTC cannot seek first-time penalties for violations of the FTC Act, it may partner with the states to seek monetary relief. Notably, the FTC has been aggressively seeking non-monetary injunctive relief against digital health companies it finds to be violating the FTC Act. For example, last year, the FTC alleged that the menstruation and fertility app Flo shared sensitive health information with third parties in violation of its promises to consumers. The Order required that the app send notice to all existing customers about the enforcement action. Other FTC cases have required companies to delete algorithms that have been enriched by purportedly unlawfully obtained data.
In October 2021, the DOJ announced the launch of its Civil Cyber-Fraud Initiative to combat new and emerging cyber threats. In March 2022, the DOJ announced its first settlement under its newly created Cyber-Fraud Initiative, which utilizes the False Claims Act to pursue entities and individuals that put U.S. information or systems at risk. The case targeted Comprehensive Health Services LLC (CHS), which contracted to provide medical support services to the U.S. government abroad in Iraq and Afghanistan. The DOJ alleged that CHS violated the False Claims Act by submitting claims for a purportedly secure EMR system to store all patients' medical records, when in fact patients' medical records were not being consistently stored in a secure manner. The DOJ fined CHS $930,000.
State attorneys general are also active in enforcing privacy violations. For example, in September 2020, the California attorney general announced a settlement against digital health company Glow, Inc. for $250,000 for, among other things, failing to adequately safeguard its users' health information and allowing access to users' health information without their consent, in violation of the CMIA and California unfair competition laws.
How can I avoid regulatory scrutiny?
The best way to avoid regulatory scrutiny is to make sure you have a strong information security and privacy compliance program in place. You should take steps such as:
I don't directly collect personal information from consumers, but I develop software that processes my clients' consumer information to help make decisions about those consumers. What risks do I need to be aware of, and how should I address them?
Please refer to our client advisory on these issues, which lays out potential additional legal requirements that may apply and how to mitigate risk.
I've heard about cybersecurity attacks, and in particular, ransomware attacks, in the healthcare sector. What should I do to mitigate these risks?
The federal agencies mentioned above have provided guidance, including through business education materials and enforcement actions, on how to secure health information (and any other personal information you maintain). Here are some tips:
I'm not in the healthcare sector, but I collect COVID vaccination information from my employees. How should I mitigate risks?
The FTC recently issued business guidance on this issue, which can be found here.
What if I want to help influence government policies in this area? How can I get involved?
Agencies often release proposed policies for public comment. For example, on April 6, 2022, OCR issued a Request for Information (RFI) to better understand how HIPAA-regulated entities (i.e., covered entities and business associates) implement "recognized security practices." The RFI comes in light of a January 2021 amendment to the HITECH Act that requires the Secretary of HHS to consider entities' "recognized security practices" when making determinations regarding fines, audits, and remedies to resolve potential violations of the HIPAA Security Rule. Entities that have implemented "recognized security practices" may reduce penalties and corrective action obligations levied against them in the event of a HIPAA violation. Comments to the RFI must be submitted on or before June 6, 2022.
The FTC has also noted in its public statement of regulatory priorities for 2022 that a review of the Health Breach Notification Rule is ongoing. It may issue a Notice of Proposed Rulemaking, seeking comments on proposed changes to the rule.
The FTC is also expected to embark on a comprehensive privacy rulemaking. On December 10, 2021, the FTC announced that it was "considering initiating a rulemaking…to curb lax security practices, limit privacy abuses, and ensure that algorithmic decision-making does not result in unlawful discrimination." The FTC will likely formally launch a rulemaking proceeding soon.
For more information, please contact Maneesha Mithal, Tracy Shapiro, Haley Bavasi, Hale Melnick, or another member of the firm's privacy and cybersecurity or digital health practices.