Digital health includes not only telehealth and telemedicine, but also personalized medicine, remote patient monitoring (RPM), mobile health, health IT, artificial intelligence (AI), and digital therapeutics. The latest health technology advancements in diagnostics, treatment, and ongoing patient management have the potential to improve health and disease outcomes more than ever before.
This article will explore briefly the U.S. regulatory climate that helped spur the acceleration of digital health over the past few years. It then uncovers the existing regulatory framework for companies bringing to market digital health products and services, including the complexities around reimbursement for digital health. Finally, the article will highlight and comment on the recent rise of industry groups and non-profits working on standards and open-access resources to guide companies in this space to the right regulatory path.
Acceleration of Adoption of Digital Health
With smartphones, tablets, and other electronics in the hands of doctors and patients, the accessibility and convenience of telehealth has led to the expansion of digital health technologies. The FDA—and in particular, the Center for Devices and Radiological Health (CDRH) within the FDA—has advanced digital health over the past decade through policy initiatives, such as interoperability among medical devices, which has permitted products with remote monitoring capabilities, including telehealth platforms, to flourish.
Financial investment and technological advancements, met by unprecedented patient demand for alternatives to in-person care during the COVID-19 public health emergency (PHE), created an innovation “sandbox” for digital health to thrive. Understanding the need to allow flexibility for innovative solutions, federal regulators implemented various waivers aimed at enhancing access to patients and physicians. These waivers, along with consumer demand, spurred the use of digital health technologies during the course of the PHE.
By way of example, the Centers for Medicare and Medicaid Services (CMS) enacted several temporary individual and blanket waivers to provide flexibility in providing care during the COVID-19 PHE. The first set of blanket waivers was related to Medicare payment for telehealth, which CMS defines as remote services that would normally be furnished in person. Under ordinary circumstances, five specific criteria must be met for telehealth reimbursement by Medicare, including, e.g., that the service must be furnished via an interactive telecommunications system (with video capability) and that the provider and the patient each be located in a clinical site of service (such as a physician office). The blanket waiver relaxed each of the five criteria, including permitting the use of audio-only equipment, rather than solely devices with both audio and video capability, and permitting both providers and patients to attend the telehealth visits from their homes.
As another example, CMS instituted the Acute Hospital Care at Home Program (AHCaH) aimed at reducing hospital inpatient volumes by treating some acute care patients at home via telehealth. Under the program, AHCaH waived certain requirements that nursing services be provided on premises (i.e., at a healthcare site) at all times and immediate availability of a registered nurse to care for a patient.
While the status of these waivers varies, as some have already been terminated or will terminate at the end of the PHE and others have been made permanent, the impact of these waivers and accompanying flexibilities persists. The industry’s use of PHE waivers indicates that the future of telehealth will continue to trend toward flexibility and innovation. This trend likely will result in pressure to change existing regulations, or at the least agency guidance that provides flexibility in enforcement of existing regulations. As evidence of the industry’s desire to make telehealth the new norm, a group of over 300 healthcare and industry organizations issued a letter to Congress titled “Establishing a Pathway for Comprehensive Telehealth Reform,” which outlined the need to prioritize telehealth going forward. The letter also proposes several potential steps to continue telehealth flexibility after the PHE, such as extending waivers and enacting legislation to support the use of telehealth.
Current Legal Framework – The Patchwork and Gaps
The FDA Actively Regulates Medical Devices, But Not Wellness or Certain Telehealth Products
For companies bringing a digital health product to market—be it software driven by AI or machine learning (ML) or a smart watch app that tracks biometric information—one question that must be answered is “Is my product regulated by the FDA?” If so, then companies must consider additional operating costs and regulatory overhead (which may be significant) when considering bringing a product to market.
In the telehealth space, devices that merely enable communication between patients and their doctors largely are not regulated by the FDA. For example, the FDA does not actively regulate software that allows patients to remotely communicate with physicians, or to upload their personal data (e.g., weight, heart rate) or medical images (e.g., photos taken by patients using their phone) onto a portal for their doctor to view. In contrast, software that connects directly to a medical device may be FDA-regulated. For example, software that permits a physician to remotely connect to and control a cochlear implant or glucose meter may be regulated by the FDA.
In the wellness space, the FDA has remained mostly hands-off. Wellness products are those intended to promote a healthy lifestyle, such as products for weight management, physical fitness, relaxation, and stress management. In 2016, under the 21st Century Cures Act (Cures Act), Congress specifically excluded wellness products from the definition of “device” under the Federal Food, Drug, and Cosmetic Act (FDCA), which is the jurisdictional hook for the FDA. The Cures Act exempted from FDA regulation software functions intended “for maintaining or encouraging a healthy lifestyle” that are “unrelated to the diagnosis, cure, mitigation, prevention, or treatment of a disease or condition.” The Cures Act furthered the FDA’s then-existing general wellness policy by removing any doubt that the FDA would actively regulate wellness products.
Outside of the wellness space and devices that merely enable telehealth communication, companies need to carefully evaluate their products—and particularly the claims being made about their products and the kind of information provided to consumers/patients—to determine if their products will be subject to FDA regulation. The FDA will continue to assert jurisdiction over products that are (1) intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease or (2) intended to affect the structure or any function of the body. For example, clinical decision support (CDS) software—often powered by AI or ML—presents a novel opportunity to analyze immensely large amounts of data for patterns or other information that may be relevant to a particular patient or the patient’s diagnosis. The Cures Act exempted certain low-risk CDS software from FDA regulation. Outside of that narrow subset of CDS software, however, the FDA applies a risk-based approach to regulation driven by two primary factors: (1) the seriousness of the health condition (i.e., critical, serious, or not serious) and (2) the significance of the information to the user (e.g., whether the information informs clinical management or is the sole basis for patient diagnosis). Software that is patient-facing will be viewed with higher scrutiny than software that is only intended for healthcare professionals.
HIPAA – and Its Limited Application
While many developers of digital health products and services may initially think of HIPAA as a primary regulatory consideration for their product (as may the users of such technologies), in actuality, HIPAA is not an all-encompassing law aimed at regulating the privacy and security of health information. Instead, it applies in fairly narrow circumstances.
HIPAA is a federal law that protects the privacy and security of individually identifiable health information (protected health information or PHI). However, HIPAA only governs “covered entities,” which are defined as health plans, healthcare clearinghouses, and healthcare providers that electronically transmit claims, and “business associates,” which are persons or entities that perform certain functions or activities that involve the use or disclosure of PHI for a covered entity.
In many cases, digital health companies are neither covered entities nor business associates under HIPAA and therefore fall outside of its jurisdiction. This is the case even if the products generate and store consumer health-related data. There are exceptions, of course, and the analysis of whether HIPAA applies depends on the data flows and how services are paid. But generally speaking, health information accessed through or stored on consumer cell phones or tablets, including geographic location information or search history, is not protected by HIPAA. If a covered entity provides audio-only telehealth services via a traditional landline, the transmitted information is not protected by HIPAA because it is not “electronic.” Also, even if a covered entity uses an electronic communication technology or mobile technology, the covered entity is not responsible for the privacy or security of an individual’s PHI once it has been received by the individual’s phone or other device.
A developer of a health app is a business associate under HIPAA only if it creates, receives, maintains, or transmits PHI on behalf of a covered entity or another business associate. Therefore, the number of health- or medical-related apps that may be subject to HIPAA is limited. For example, even if a consumer downloads a provider-recommended health app, uploads health information into the app, and directs the app to transmit the information to the consumer’s healthcare provider, the app developer is not a business associate under HIPAA because there is no indication the provider hired the app developer to provide services to the patient involving the handling of PHI. A consumer’s use of an app to transmit data to a covered entity does not by itself make the app developer a business associate of the covered entity.
Unfair and Deceptive Trade Practice (UDAAP) Laws: The FTC and State Equivalents
In addition to the FDA and HHS’s OCR (which enforces HIPAA), the FTC is a major federal player in the regulation of digital health. The FTC Act applies regardless of whether a product meets the definition of a medical “device” under the FDCA, or whether information being collected is “protected health information” under HIPAA, because FTC laws apply more generally to consumer products and services.
The FTC Act broadly prohibits “unfair and deceptive acts or practices” in or affecting commerce. Misrepresentations or omissions of material facts may constitute such deceptive acts or practices. Under the FTC Act, consumer advertising also must be truthful and not misleading. In the context of digital health products, the FTC considers health-related claims that are supported by “competent and reliable evidence” not to be misleading. The FTC has taken action, for example, against app marketers who said their apps could treat acne, but had insufficient scientific evidence to support their claims. Recent FTC enforcement on digital health products has focused less on health-related claims, and instead on claims made about an app’s inappropriate use of user information. In one instance, the FTC found a company retaining and using consumers’ images after those consumers had deactivated their accounts, despite statements to users that photos and videos would be “permanently” deleted upon account deactivation.
In addition to federal regulation by the FTC, many states have consumer protection laws that can overlap with federal law or impose additional requirements. State laws are enforced by state Attorneys General and some laws provide means for affected consumers to file class action lawsuits against digital health companies. Thus, companies must be mindful both when making claims about the efficacy of these digital health products and about the information that is collected, how it will be used, and how it is protected to mitigate risks under UDAAP laws.
UDAAP Laws: The Bases for Privacy and Data Security-Related Claims
Unfair and deceptive trade practice laws are used as the basis for many privacy and data security-related enforcement actions and lawsuits. Allegations under UDAAP laws are based on a company not doing what it said it would do with personal information (deception). Cases in this area are successful if the plaintiff can show that there were misrepresentations or omissions of material facts in statements made about how information would be used. There is also an expectation that companies protect personal information under UDAAP laws, which have been used to argue that companies had insufficient security measures in place, and thereby engaged in fundamentally unfair practices. Thus, digital health companies should be particularly mindful about disclosures and measures used to protect health information. While there is often an interest in the digital health industry to make claims that health information has been anonymized or aggregated, companies are cautioned of the FTC’s view that such statements are often deceptive. Digital health companies will want to be mindful of all disclosures and assertions made about what information is collected, how it is used, shared, and protected to mitigate UDAAP risks.
FTC’s Health Breach Notification Rule and Personal Health Records
Throughout 2021 and into 2022, the FTC has continued to flex its muscles in the digital health space, sending a clear message of its intent to more closely scrutinize companies collecting health information that sit outside HHS/OCR’s reach. After voting to approve a series of resolutions authorizing investigation into key enforcement priorities that included big tech and healthcare companies, the agency released a controversial statement on the scope of the Health Breach Notification Rule (HBNR) aimed squarely at the digital health industry. The HBNR, released more than a decade ago but not yet enforced, requires vendors of “personal health records” (PHR) to notify consumers and, in some cases, the FTC, if there has been a “breach” of health information. The FTC broadly interpreted both key terms under the law causing industry stir and confusion.
First, a PHR is an electronic record of identifiable health information that can be drawn from multiple sources. According to the FTC, apps are a PHR if they have the capability to draw information from multiple sources such as a combination of consumer inputs and APIs with other apps or trackers. Controversially, the FTC said covered apps include those that draw information from multiple sources even where the health information is only from one source (e.g., a blood sugar monitoring app draws health information from the consumer’s inputted blood sugar levels) but the app also takes non-health information from another source (e.g., dates from a calendar). Second, a “breach” under the HBNR (as well as state data breach notification laws and/or HIPAA) is the unauthorized acquisition or access of triggering information. But the FTC’s position in its statement (later reiterated in additional guidance) is that “breaches” are not just limited to cybersecurity intrusions. The FTC clarified that a “breach” under the HBNR also includes sharing of covered information without authorization. A settlement with a popular fertility tracking app demonstrates how broadly the FTC may interpret such “sharing.”
This broad interpretation of “PHR” and “breach” under the HBNR, coupled with the FTC’s reminder to companies that principles of fairness and the likelihood of harm may prompt breach notification (aside from just the explicit notification triggers under state breach notice laws), signals the FTC’s intent to scrutinize a wider net of companies and activities processing information about a person’s health. Given HIPAA’s narrower scope, as discussed above, the FTC views itself as the primary regulatory authority to step in in the absence of a broader health information-based law. Companies in the digital health space will want to closely inventory and analyze all instances of “sharing” of health or medical information (including the use of vendors to provide support) to understand whether health information is being inadvertently disclosed and/or whether consumers have “authorized” such sharing.
Other State Privacy and Data Security Laws
In the United States, there is a patchwork of laws that impact how a company can collect and use information, as well as obligations with respect to providing individual “rights,” like access, opting out, and deletion.
State Comprehensive Privacy Laws
While the existing and forthcoming state “comprehensive” privacy laws have some exemptions for entities regulated by HIPAA and/or for PHI regulated by HIPAA, as noted previously, in many instances, digital health companies may sit outside HIPAA’s reach. Thus, the current state law in California (along with its upcoming revisions), and those coming into effect in 2023 in Colorado, Connecticut, Utah, and Virginia, should be top of mind for digital health companies. For example, companies subject to Colorado, Connecticut, and Virginia’s laws will soon need to obtain consent for collecting any “sensitive information.” This includes information about medical history, or a mental or physical condition. And, if subject to California or Utah’s law, then an opt-out right to the processing of such information must be offered.
State Data Security Laws
Even if a digital health company is unregulated by HIPAA, it still has obligations to protect personal information. In the United States, at least 22 states have laws that require companies to protect information. This includes states such as Colorado, Connecticut, Maryland, Massachusetts, Oregon, New Jersey, and New York. These laws may apply to organizations based on certain types of information they collect, and/or because a company collects information from residents of the impacted state. Some of these state laws contemplate that specific requirements be addressed in a data security program (e.g., written information security policy, vendor contractual requirements, employee training, a designated person in charge), while others generally require that “reasonable security” measures be deployed.
Generally speaking, these laws do not capture the granular requirements detailed in the HIPAA Security Rule. However, the type of information that digital health companies collect from wearable devices and mobile apps could still nonetheless trigger breach notification requirements under state laws or the HBNR. Thus, companies in this space may want to look to other industry-developed data security frameworks or standards, such as NIST CSF, ISO 27001, and/or HITRUST to proactively guide the development of a comprehensive data security program.
Other State Laws (Biometrics, Genetic Testing, Communicating with Individuals, etc.)
There are a number of other laws that may apply to digital health companies depending on the type of information they are collecting (e.g., biometric, genetic), from whom they are collecting such information (children), and how they communicate with such individuals (calling, emailing, texting). For example, Utah passed the Genetic Information Privacy Act (GIPA) in May of 2022. The law, aimed at protecting genetic data collected from direct-to-consumer genetic testing companies, generally creates requirements for notice; consent for certain data uses; data security obligations; and access, deletion, and destruction rights. The law is similar to a recent California law, which updated both its data security and breach notice laws to include genetic data. Under California law, genetic data is considered “personal information,” which must be reasonably protected and is subject (along with other personal information) to data breach notification requirements.
Reimbursement Considerations for Digital Health
Reimbursement models were originally engineered for face-to-face care. As the push for value-based care grows, digital health tools offer a solution to increase quality of care efficiently. Although reimbursement of digital health services continues to expand by both governmental and private payors, digital health innovations face hurdles in obtaining insurance reimbursement and maintaining market profitability.
In the United States, healthcare costs are generally paid by commercial payors, which represent 28 percent of national health spending; government healthcare programs such as Medicare and Medicaid, which represent 36 percent of healthcare spending; and out-of-pocket cash pay, which represents nine percent of healthcare spending. Reimbursement across all types of payors traditionally only covered live and in-person care, but in recent years, reimbursement models have expanded to cover more digital health, including telehealth, services.
Given the expansiveness of the Medicare program, including the magnitude of its spending and supported beneficiaries, changes in reimbursement decisions by CMS have a ripple effect and trigger updates in reimbursement decisions by other payors. In 2019, CMS began offering reimbursement for remote patient monitoring services. Before the onset of the COVID-19 pandemic, Medicare only paid for telehealth in limited circumstances, such as in rural or health professional shortage areas. However, as mentioned above, telehealth services covered by Medicare expanded greatly during the COVID-19 PHE, expanding, for example, to cover more types of visits offered asynchronously or through audio-only communication. Many of these changes are on a temporary basis, and only some telehealth flexibilities will continue permanently after the end of the PHE. In the CY 2023 Medicare Physician Fee Schedule Proposed Rule, CMS has proposed adding three Current Procedural Terminology (CPT) codes permanently to the list of services that may be offered via telehealth and gathering further information on a number of codes through 2023 to evaluate their permanent addition to the list of services that may be offered via telehealth.
States have flexibility in covering and reimbursing telehealth services under Medicaid. States may decide, for example, whether to cover telehealth and what types of telehealth services may be covered. Furthermore, states may require telehealth service parity, which requires services to be covered whether offered via telehealth or in person, and payment parity, which requires the same payment rate for services offered via telehealth and in person. As of May 2022, 21 states have explicit payment parity laws.
Private payors also are increasing their investment in digital health services and reimbursement for care provided under digital health platforms, especially for behavioral health and preventative care services for their insured populations. In recent years, many large payors began acquiring telehealth platforms and offering employers primary care plans that are “virtual-first.” Some commercial payors have incorporated digital health programs, which harness digital health tools and wearable devices to help beneficiaries manage their health conditions, such as Type 2 diabetes.
Navigating the Patchwork of Laws
How can companies and their counsel navigate the patchwork of laws that govern digital health? The federal framework—which has largely been hands-off for low-risk consumer health products—has allowed for the growth of digital health.
Companies bringing digital health products to market need to carefully review their products to determine whether they fall within the FDA’s definition of a medical “device.” In some cases, companies may elect to submit a formal request to the FDA seeking its opinion on whether their product is a medical device and if so, its classification.
The FDA does not evaluate digital health products that are not “devices” under the FDCA. As a result, digital health products are not reviewed for their safety or effectiveness before coming to market. Given the lack of federal oversight, several third parties have introduced tools to assist companies in understanding their regulatory obligations and industry standards governing product performance. For example, the American College of Physicians (ACP) and the American Telemedicine Association (ATA) recently announced their collaboration on a new Digital Health Assessment Framework (Framework) in partnership with the Organization for the Review of Care and Health Applications (ORCHA). The Framework is an open tool intended to provide companies and consumers with information on regulations and industry standards in areas such as data privacy, clinical assurance safety, and usability and accessibility, among other factors. Similarly, the Digital Medicine Society (DiME) launched a Digital Health Regulatory Pathways project (Project). The Project is intended to serve as a tool for digital health companies to understand which regulations apply to their product and how to navigate those regulations. Both the Framework and Project create an open source for companies and consumers to collaborate and assess the regulatory framework surrounding digital health technology.
The reimbursement landscape is constantly evolving, especially as the severity of the PHE decreases. Companies should carefully track both state and federal updates to reimbursement of digital and telehealth services when determining how to bring a product to market.
With the myriad of potential privacy and data security laws, many companies will want to think about putting into place a principles-based privacy program that is aligned with an organization’s underlying mission and goals. A customized program, focusing on the core elements common across data privacy laws (e.g., notice, choice, individual rights, vendor management) enables companies to have a more nimble approach for adapting to this changing area of law.