COVID-19 has rapidly accelerated our expectations that virtual connection can deliver better and more economical care. As a result, digital health companies have an unprecedented opportunity to innovate, but with that opportunity also come significant regulatory challenges related to the collection and processing of personal health information. What legal requirements apply to the processing of health information? What are the risks associated with noncompliance? In this brief primer, we provide answers to these questions, and a window into what may lie next on the horizon.
Frequently Asked Questions
What federal laws may apply to digital health companies, and what do they generally require?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that protects certain health information. When considering whether HIPAA applies to your activities, it is best to start with the question “who is holding the information?”, rather than, “what is the nature of the information?”
HIPAA applies to “covered entities,” which are healthcare providers, health plans (insurers) and healthcare clearinghouses:

| Healthcare Providers | Health Plans | Healthcare Clearinghouses |
| --- | --- | --- |
| Providers that transmit any information in electronic form in connection with a transaction for which the U.S. Department of Health and Human Services (HHS) has adopted a standard. | Health insurance companies | Entities that process nonstandard health information they receive from another entity into a standard format (i.e., a standard electronic format or data content), or vice versa. |
Covered entities outsource many of their operations and functions to service providers. If you are a service provider who creates, receives, maintains, or transmits “protected health information” (or “PHI”) for or on behalf of a covered entity, you are likely a “business associate” of the covered entity and must comply with the applicable parts of HIPAA. Traditional examples of business associates include companies that help providers bill for their services and companies that host PHI in the cloud. Today, however, any cutting-edge tech company that processes PHI as part of its service may be a business associate and should be thinking about whether it needs to comply with HIPAA. This includes everything from SaaS platforms to wearable patient devices.
Among other things, HIPAA requires covered entities and business associates to: (i) develop and implement HIPAA-specific policies and procedures that address the privacy, security, and breach notification requirements of the HIPAA regulations; (ii) conduct and document a security risk analysis and risk management plan, which generally involves a full security audit of their information security systems; (iii) enter into Business Associate Agreements with all of their covered entity customers and business associate vendors (as applicable); and (iv) provide and document HIPAA training annually to all of their workforce members.
The FTC Act
The FTC’s Health Breach Notification Rule
The Health Breach Notification Rule was once an obscure rule, but the FTC is now seeking to expand it to cover a number of digital health companies, such as developers of health apps and connected devices, through a recent policy statement that broadens the rule’s scope to such entities. If this rule applies to you, you must notify consumers and the FTC in the event of a breach, which is defined broadly to include any disclosure of health information not authorized by a consumer. So beyond security breaches, you must notify consumers if, for example, you inadvertently shared their health information beyond the scope of their consent.
The Food, Drug, and Cosmetic Act
The Food and Drug Administration (FDA) enforces the Federal Food, Drug, and Cosmetic (FD&C) Act, which, among other things, regulates the safety and effectiveness of medical devices. In certain cases, “medical devices” include mobile medical apps and other digital health products and services. The FDA focuses its regulatory oversight on regulated devices that pose a higher risk to a person’s safety if they don’t work as intended. For example, companies developing a product or service containing algorithms to supplement clinical decisions should be aware of the FDA’s guidance regarding “clinical decision support” and “software as a medical device” to understand the regulatory implications of their product development.
The False Claims Act
If you are a healthcare provider or business associate that submits claims to the U.S. government, the U.S. Department of Justice (DOJ) could also pursue you for violations of the False Claims Act if you 1) knowingly provide deficient cybersecurity products or services; 2) knowingly misrepresent cybersecurity practices or protocols; or 3) knowingly violate obligations to monitor and report cybersecurity incidents and breaches.
Recognizing the overlap among these federal laws, the FTC, U.S. Department of Health and Human Services (HHS), and the FDA have put forth an interactive tool on their websites to help entities determine which federal laws apply to them. However, given the complexity of these federal laws, we strongly suggest that you consult with legal counsel for advice before making any such determinations.
What state laws may apply?
In addition to federal privacy laws, you might also be subject to state privacy laws that govern the collection, use, and disclosure of health information. These laws generally fall into four categories. First, certain states have comprehensive health privacy laws that go beyond the requirements of HIPAA. For example, California’s Confidentiality of Medical Information Act (CMIA) imposes obligations more restrictive than HIPAA and may also cover entities that otherwise fall outside of HIPAA’s jurisdiction (e.g., healthcare providers that do not electronically bill insurance).
Second, if you are not subject to HIPAA but meet certain threshold requirements, you may be subject to one or more of the comprehensive general privacy laws enacted in California, Virginia, Colorado, Utah, and Connecticut. These laws provide their residents with rights with respect to their personal information, for example, the right to access their personal information and the right to have such personal information deleted. Starting in 2023, California’s law will even apply to employee information, such as COVID vaccination information.
Third, sector or issue-specific privacy laws may apply to you, such as: Illinois’ Biometric Information Privacy Act (BIPA); state laws governing the collection, use, and disclosure of HIV/AIDS-related information; state data security and data breach notification laws; and state laws governing data brokers, such as California’s Shine the Light law.
Finally, State Attorneys General can enforce their own state prohibitions against unfair or deceptive practices.
What are some of the risks of noncompliance?
If you’re covered by HIPAA, you are subject to civil penalties ranging from $100 to $50,000 per violation, with a maximum penalty of $1.5 million for all identical violations in the same year. Penalties fall into four tiers, and the tiers are based on the severity of the violation. The HHS Office for Civil Rights (OCR) is charged with enforcing HIPAA. (State Attorneys General also have authority to bring civil actions on behalf of state residents for violations of the HIPAA Privacy and Security Rules.) So far this year, OCR has brought enforcement actions in the following areas:
- Patients’ right to access their own protected health information: HHS launched a Right of Access Initiative in 2019, which has so far resulted in 27 enforcement actions. The two latest access-related enforcement actions—in which healthcare providers failed to timely provide patients with copies of their medical records upon request—resulted in approximately $30,000 in penalties.
- Unauthorized disclosure of protected health information: In March 2022, OCR announced an enforcement action arising from a healthcare provider’s unauthorized disclosure of a patient’s name and medical history in response to a negative review posted by the patient on the healthcare provider’s Google webpage. The impermissible disclosure resulted in a $50,000 civil money penalty.
If you are within the FTC’s jurisdiction and violate the Health Breach Notification Rule, the FTC can seek fines of up to $40,792 per violation per day. Although the FTC cannot seek first-time penalties for violations of the FTC Act, it may partner with the states to seek monetary relief. Notably, the FTC has been aggressively seeking non-monetary injunctive relief against digital health companies it finds to be violating the FTC Act. For example, last year, the FTC alleged that the menstruation and fertility app Flo shared sensitive health information with third parties in violation of its promises to consumers. The Order required that the app send notice to all existing customers about the enforcement action. Other FTC cases have required companies to delete algorithms that were enriched with purportedly unlawfully obtained data.
In October 2021, the DOJ announced the launch of its Civil Cyber-Fraud Initiative to combat new and emerging cyber threats. In March 2022, the DOJ announced its first settlement under its newly created Cyber-Fraud Initiative, which utilizes the False Claims Act to pursue entities and individuals that put U.S. information or systems at risk. The case targeted Comprehensive Health Services LLC (CHS), which contracted to provide medical support services to the U.S. government abroad in Iraq and Afghanistan. The DOJ alleged that CHS violated the False Claims Act by submitting claims for a purportedly secure EMR system to store all patients’ medical records, when in fact patients’ medical records were not being consistently stored in a secure manner. The DOJ fined CHS $930,000.
State Attorneys General are also active in enforcing privacy violations. For example, in September 2020, the California Attorney General announced a settlement against digital health company Glow, Inc. for $250,000 for, among other things, failing to adequately safeguard its users’ health information and allowing access to users’ health information without their consent, in violation of the CMIA and California unfair competition laws.
How can I avoid regulatory scrutiny?
The best way to avoid regulatory scrutiny is to make sure you have a strong information security and privacy compliance program in place. You should take steps such as:
- Designating someone to oversee your information practices.
- Conducting a data mapping exercise so that you understand what information you are collecting, what you are using it for, and who you are sharing it with.
- Evaluating which privacy laws apply to the information you process and addressing compliance for each.
- Including contractual provisions addressing use of information in your agreements with service providers and third parties.
- Conducting internal employee training.
- Reviewing your claims related to the processing of individuals’ information.
I don’t directly collect personal information from consumers, but I develop software that processes my clients’ consumer information to help make decisions about those consumers. What risks do I need to be aware of, and how should I address them?
Please refer to our client advisory on these issues, which lays out potential additional legal requirements that may apply and how to mitigate risk.
I’ve heard about cybersecurity attacks, and in particular, ransomware attacks, in the healthcare sector. What should I do to mitigate these risks?
The federal agencies mentioned above have provided guidance, including through business education materials and enforcement actions, on how to secure health information (and any other personal information you maintain). Here are some tips:
- Designate an individual with responsibility to oversee your security program.
- Conduct a risk assessment. Understand the internal and external risks to your systems and the health information on your systems to develop policies, procedures, and safeguards that are appropriate for you.
- Know what’s on your network. Maintain an inventory of the software and hardware assets that have access to your network. A misconfigured server or vulnerable software version is a common way that bad actors get into networks.
- Don’t collect health information you don’t need, and dispose of it securely when you no longer need it. No one can steal information you don’t have.
- Restrict access to health information. It’s important to restrict access to health information to those employees and contractors that have a need to access it, and at the least level of privilege necessary to perform their job duties. Use software that allows for separate environments and tools like firewalls to segment networks, so that you can limit access between computers on your network and between your network and the internet.
- Implement robust authentication. Require complex passwords for laptops, tablets, and smartphones. Require multi-factor authentication wherever it is available. Implement policies to restrict access to active users and active user accounts and suspend or disable accounts after repeated login attempts.
- Encrypt personal health information in transit and at rest.
- Implement controls designed to monitor and log activity of authorized users and detect unauthorized access.
- Regularly test the effectiveness of your controls. Test for commonly known and reasonably foreseeable vulnerabilities.
- Train personnel. Provide special training to engineers and people who can access sensitive data. Provide training to all personnel on how to safeguard against common attack vectors, such as phishing.
- Put in place procedures to keep security current. For example, update and patch third-party software. Have a system in place to heed credible security warnings.
- Oversee service providers. Conduct due diligence on service providers to make sure they are capable of maintaining reasonable safeguards. Have contractual provisions that require reasonable security and take steps to verify compliance.
- Have a plan in place in case something does go wrong. Implement an incident response plan that documents the process to identify, contain, remediate, and escalate incidents involving unauthorized access to or use of health information. Maintain business continuity plans to recover from ransomware attacks or other disruptions to services, including backing up health information and periodically testing and restoring backups.
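The authentication and monitoring tips above (restrict access to active accounts, suspend accounts after repeated login attempts, log the activity of users and detect unauthorized access) can be illustrated with a small account-lockout and audit-log service. The following is an added example written for this primer, not code from the advisory or from any agency guidance; the lockout threshold, window and duration, the audit event names, and the account names are assumptions constructed for the illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Assumed policy values for this example; tune them to your own risk assessment.
LOCKOUT_THRESHOLD = 5                     # failed attempts allowed within the window
LOCKOUT_WINDOW = timedelta(minutes=15)    # window in which failed attempts are counted
LOCKOUT_DURATION = timedelta(minutes=30)  # how long a locked account stays suspended


@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes
    active: bool = True                              # False once a user is deprovisioned
    failures: list = field(default_factory=list)     # timestamps of recent failed attempts
    locked_until: Optional[datetime] = None


def _hash_password(password: str, salt: bytes) -> bytes:
    # scrypt is a memory-hard KDF from the standard library; plaintext passwords are never stored.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)


class AuthService:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.audit_log: list[dict] = []  # in production, forward these events to your SIEM

    def _audit(self, when: datetime, username: str, event: str) -> None:
        self.audit_log.append({"time": when.isoformat(), "user": username, "event": event})

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[username] = Account(username, salt, _hash_password(password, salt))

    def deactivate(self, username: str, when: datetime) -> None:
        # Restrict access to active users: a departed user's account is disabled, not left open.
        self.accounts[username].active = False
        self._audit(when, username, "account_deactivated")

    def authenticate(self, username: str, password: str, now: datetime) -> str:
        """Return 'ok', 'invalid', 'locked' or 'disabled', and record the outcome in the audit log."""
        acct = self.accounts.get(username)
        if acct is None:
            # Same answer as a wrong password, so the response does not reveal which usernames exist.
            self._audit(now, username, "login_failed_unknown_user")
            return "invalid"
        if not acct.active:
            self._audit(now, username, "login_rejected_inactive")
            return "disabled"
        if acct.locked_until is not None and now < acct.locked_until:
            self._audit(now, username, "login_rejected_locked")
            return "locked"
        if hmac.compare_digest(_hash_password(password, acct.salt), acct.password_hash):
            acct.failures.clear()
            acct.locked_until = None
            self._audit(now, username, "login_ok")
            return "ok"
        # Failed attempt: keep only failures inside the window, then apply the lockout rule.
        acct.failures = [t for t in acct.failures if now - t < LOCKOUT_WINDOW]
        acct.failures.append(now)
        self._audit(now, username, "login_failed_bad_password")
        if len(acct.failures) >= LOCKOUT_THRESHOLD:
            acct.locked_until = now + LOCKOUT_DURATION
            self._audit(now, username, "account_locked")
            return "locked"
        return "invalid"

    def failed_login_report(self, since: datetime) -> dict[str, int]:
        """Count failed logins per username since `since`; the detection side of the monitoring control."""
        counts: dict[str, int] = {}
        for entry in self.audit_log:
            if entry["event"].startswith("login_failed") and datetime.fromisoformat(entry["time"]) >= since:
                counts[entry["user"]] = counts.get(entry["user"], 0) + 1
        return counts


def demo() -> dict:
    """Constructed scenario: repeated failures, lockout, recovery, an unknown user, and a deactivated user."""
    svc = AuthService()
    svc.register("clinician1", "correct horse battery staple")
    svc.register("contractor1", "another strong passphrase")
    t0 = datetime(2022, 4, 1, 9, 0, 0)
    sequence = [svc.authenticate("clinician1", "wrong-password", t0 + timedelta(seconds=i))
                for i in range(LOCKOUT_THRESHOLD)]
    # Even the right password is refused while the account is suspended ...
    sequence.append(svc.authenticate("clinician1", "correct horse battery staple", t0 + timedelta(minutes=1)))
    # ... and succeeds once the lockout has expired, which also clears the failure history.
    sequence.append(svc.authenticate("clinician1", "correct horse battery staple",
                                     t0 + LOCKOUT_DURATION + timedelta(minutes=1)))
    unknown = svc.authenticate("ghost", "anything", t0 + timedelta(minutes=2))
    svc.deactivate("contractor1", t0 + timedelta(minutes=3))
    disabled = svc.authenticate("contractor1", "another strong passphrase", t0 + timedelta(minutes=4))
    return {"sequence": sequence, "unknown_user": unknown, "deactivated": disabled,
            "failed_report": svc.failed_login_report(t0)}


if __name__ == "__main__":
    print(demo())
```

The lockout counts only failures inside the window, so stale failures from days earlier do not accumulate into a suspension, and the audit log records rejected attempts separately from failed ones so that a report over the log distinguishes a password-guessing pattern from a user who simply kept retrying a locked account.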
I’m not in the healthcare sector, but I collect COVID vaccination information from my employees. How should I mitigate risks?
The FTC recently issued business guidance on this issue, which can be found here.
What if I want to help influence government policies in this area? How can I get involved?
Agencies often release proposed policies for public comment. For example, on April 6, 2022, OCR issued a Request for Information (RFI) to better understand how HIPAA-regulated entities (i.e., covered entities and business associates) implement “recognized security practices.” The RFI comes in light of a January 2021 amendment to the HITECH Act that requires the Secretary of HHS to consider entities’ “recognized security practices” when making determinations regarding fines, audits, and remedies to resolve potential violations of the HIPAA Security Rule. Entities that have implemented “recognized security practices” may reduce penalties and corrective action obligations levied against them in the event of a HIPAA violation. Comments to the RFI must be submitted on or before June 6, 2022.
The FTC has also noted in its public statement of regulatory priorities for 2022 that a review of the Health Breach Notification Rule is ongoing. It may issue a Notice of Proposed Rulemaking, seeking comments on proposed changes to the rule.
The FTC is also expected to embark on a comprehensive privacy rulemaking. On December 10, 2021, the FTC announced that it was “considering initiating a rulemaking…to curb lax security practices, limit privacy abuses, and ensure that algorithmic decision-making does not result in unlawful discrimination.” The FTC will likely formally launch a rulemaking proceeding soon.