By Brian Balow
Mobile health (mHealth) technologies continue to expand in application and implementation. Over the past decade, the breadth of these technologies has grown from the creation of healthcare-directed websites (think WebMD) to implanted medical devices that constantly transmit and receive information (sometimes on a device-to-device basis).
If you are either a provider or a user of mHealth technologies you must be aware of the legal and regulatory landscape in which these technologies operate. Failure to “stay between the lines” can result in financial penalties, public relations disasters, or both. Here are the key legal and regulatory areas impacting mHealth technologies:
Federal
- FDA: The FDA has a public health responsibility to oversee the safety and effectiveness of a small subset of mobile medical applications that present a potential risk to patients if they do not work as intended. In February of 2015, the FDA provided updated guidance on the regulation of those applications: http://www.fda.gov/downloads/MedicalDevices/…/UCM263366.pdf. Marketing a regulated medical device without proper pre-market notification or clearance can result in product recalls and lawsuits if the device causes personal injury or death.
- HIPAA: The HIPAA Privacy Rule, Security Rule, and Breach Notification Rule are all implicated by mHealth technologies. Enforced by the Office of Civil Rights within the Department of Health and Human Services, HIPAA breaches (through the unauthorized disclosure of protected health information (“PHI”)) can result in substantial fines, bad publicity (think Anthem), and costs associated with notifying affected individuals. Importantly, the Breach Notification Rule applies only to unencrypted PHI, and therefore encryption methods that meet the HIPAA definition should be adopted wherever possible. More information on HIPAA and mHealth technologies can be found at: http://www.healthit.gov/providers-professionals/your-mobile-device-and-health-information-privacy-and-security.
- FTC: Section 5 of the FTC Act protects consumers against fraudulent, deceptive, and unfair business practices. These are usually tied to privacy policy violations in the mHealth space – use or disclosure of consumers’ information beyond what is represented. Additionally, the FTC enforces the Health Breach Notification Rule which requires vendors of personal health records to notify consumers if there has been a breach involving their electronic health information. As with HIPAA violations, breaches of Section 5 can result in substantial fines and unfavorable publicity. More information on the Health Breach Notification Rule can be found at: https://www.ftc.gov/tips-advice/business-center/guidance/complying-ftcs-health-breach-notification-rule.
State
- Licensure: Use of mHealth technologies for interstate consults may implicate state licensure requirements (i.e., practicing medicine without a license). Several states have adopted or are considering adoption of the Interstate Licensure Compact which would enable limited use of mHealth technologies for interstate consults. Unless and until all states have adopted laws allowing this practice, each medical professional must be aware of the licensing requirements.
- Data Breach Notification Laws: A HIPAA breach involving PHI necessarily implicates a breach of the various state data breach notification laws, which protect “personally identifiable information” (“PII”). Forty-seven states have adopted these laws: http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-lwas.aspx. As with HIPAA, many of these laws provide some relief if the PII is encrypted.
Depending on the mHealth “solution” you are providing or using, you should have a solid working knowledge of each of these areas of regulation and develop a process that ensures compliance. Failure to do so can have unintended and negative consequences, and if you are a mobile medical application provider, could result in the recall of your product.