industry(leading(education( …...– $27.3b market by 2016 (bcc research) – growth rate at 22%...

855.85HIPAA www.compliancygroup.com

Industry leading Education

Certified Partner Program

•  Please ask questions •  For todays Slides http://compliancy-‐group.com/slides023/ •  Todays & Past webinars go to: http://compliancy-‐group.com/webinar/

www.duanemorris.com

This presentation •  Background on mHealth •  Examination of Regulatory Requirements

–  Focus on privacy and security issues

•  Conclusions/Recommendations •  DO NOT KILL THE MESSENGER!

3 ©2011 Duane Morris LLP. All Rights Reserved. Duane Morris is a registered service mark of Duane Morris LLP.

www.duanemorris.com

What is mHealth?

•  mHealth –  is health care delivered wirelessly –  facilitates the delivery and support of health

data through data exchange –  is replacing bricks-and-mortar health care

delivery


www.duanemorris.com

Terms and Subsets •  General mHealth –related terms, used loosely

–  Health Information Technology (HIT), –  Telemedicine, –  Telehealth, –  Wireless Health, –  eHealth, –  Digital Health

•  Kinds of mHealth products and services –  Can be mobile app, web-based, or desktop –  Examples: Personal health records, devices to gather health information

(e.g., for weight or diabetes management) physician-patient engagement products, records access and storage for clinicians, clinical decision support (CDS) etc.

–  REMEMBER THE DEFINITION OF MHEALTH


www.duanemorris.com

Economic Shifts •  Expected growth in mHealth:

–  $27.3B market by 2016 (BCC Research) –  Growth rate at 22% through 2014 (RNCOS)

•  Simultaneous contraction in hospital-based

and other traditional healthcare services (physician visits, etc.).


www.duanemorris.com

Who uses mHealth? 1.  Consumers (for themselves)

- Weight apps 2.  Consumers-Providers/Providers-Consumers

-  Glucose meters -  Telepsychiatry

3.  Providers-Providers -  Teleradiology

4.  Payors-Providers, Payors-Consumers


www.duanemorris.com

The mHealth Stakeholders 1.  Device/software developers and sellers 2.  Investors 3.  Payors 4.  Providers 5.  Consumers 6.  Others:

1.  Standard setting organization, academia, telecom, private organizations

7.  Government


www.duanemorris.com

The Regulatory Environment •  Complex and disorganized •  High government interest •  Knowing the rules can

–  Make or break a new product/service –  Reduce investor risk –  Reduce costs and delays for purchasers –  Provide opportunities for streamlining health care costs


www.duanemorris.com

mHealth/Government Interest … •  The Food and Drug Administration Safety

Innovation Act (FDASIA) Workgroup: –  “charged with providing expert input on issues and concepts

identified by the Food and Drug Administration (FDA), Office of the National Coordinator for Health IT (ONC), and the Federal Communications Commission (FCC) to in order to inform the development of a report on an appropriate, risk-based regulatory framework pertaining to health information technology including mobile medical applications that promotes innovation, protects patient safety, and avoids regulatory duplication.”

–  First meeting was on April 29, 2013. Slides from meeting are at www.healthit.gov/sites/default/files/fdasia_kickoff_faca_slides.pdf


www.duanemorris.com

mHealth/Government Interest

•  62 government committees (!) looking at mHealth/HIT.

•  Congress – three days of hearings in mid-

March 2013


www.duanemorris.com

Privacy, Security and Data Protection •  What are the required, recommended and best

privacy and security protections for a particular mHealth product or service?

•  The steps: –  Determine how patient data flows in and out –  Identify each use as well as each disclosure –  Determine legal or appropriate privacy and security

protections


www.duanemorris.com

I Feel Great Weight Management Software Tool

I Feel Great Consultants

Government

Other Providers

Advertisers

Employers

1. Confirmation of Medical Necessity

1. Claim information

1. Prescription

II Feel Great

Insurer

Dispensing Pharmacy

Me, the Patient

My Physician 1.  Daily

Data Exchange 1. Prescription

2. Daily Data Exchange

1. Data Analyzed/ Clinical Decision Support

* This diagram includes examples of types of data flow for illustration purposes only.


www.duanemorris.com

•  Food & Drug Administration (FDA) •  Health and Human Services (HHS)

–  Office of the National Coordinator (ONC) – centralized agency, predominately privacy and security

–  Centers for Medicare and Medicaid Services (CMS) – reimbursement, fraud

•  Federal Trade Commission (FTC) •  Department of Homeland Security •  Other

–  Federal Communications Commission (FCC) –  Department of Commerce (National Telecommunications and

Information Administration) –  States


Until We Have Clarity On Regulatory Framework for mHealth, What Agencies Are Regulating It?

www.duanemorris.com

FDA Regulation •  “Device” – Section 201(h) of the Federal Food,

Drug, and Cosmetic Act (the Act): an instrument, apparatus, implement, machine, contrivance,

implant, in vitro reagent, or other similar or related article, including any component, part, or accessory, which is—

…   intended for use in the diagnosis of disease or other conditions, or in the cure,

mitigation, treatment, or prevention of disease, in man or other animals, or   intended to affect the structure or any function of the body of man or other

animals …

•  Devices are regulated under 3 classifications.


www.duanemorris.com

FDA Regulation •  Classes:

–  Class I – least risky; typically do not require prior FDA review or approval

–  Class II – more risky – typically require FDA clearance of a “Premarket Notification” Submission or “510(k)”   Standard for clearance of 510(k) – “substantial equivalence” to

an already lawfully marketed device –  Class III – most risky – require approval of a Premarket Approval

Application (PMA) –   Standard of approval – reasonable assurance of safety and

effectiveness, based on clinical investigations

•  Unclassified


www.duanemorris.com

FDA Activity Applicable to mHealth

•  No overview policy. •  FDA has stated that it has approved over 75 mHealth

devices. No identification. •  July 2011 – “Draft Guidance on Mobile Medical

Applications (MMAs); waiting for final guidance due 9/13 •  June 14, 2013 – “Draft Guidance for the Content of

Premarket Submissions for Management of Cybersecurity in Medical Devices”

•  August 14, 2013 – “Guidance on Radio Frequency Wireless Technology in Medical Devices”


www.duanemorris.com

FDA on Security and Data Protection

•  “Draft Guidance for the Content of Premarket Submissions for Management of Cybersecurity in Medical Devices” (6/13)

•  FDA expects that manufacturers will –  to take proactive approach to cybersecurity by considering it in the design

phase. –  include cybersecurity risk analysis and management plan as part of risk

analysis required by regulation   should define and document, e.g., assessment of threats and

vulnerabilities, traceability matrix from cybersecurity controls to risks, etc.

–  For more information, see http://www.duanemorris.com/alerts/fda_draft_guidance_details_key_cybersecurity_management_measures_4959.html


www.duanemorris.com

FDA on Security and Data Protection

•  July 29, 2013 - FDA issued Recall notice for Picis ED PulseCheck software, owned by UnitedHealth Group –  Picis ED PulseCheck - software used in ED –  Error in software caused doctor’s notes re patient

prescriptions to drop out of electronic record files –  Product recalled, used in 20 states; digital fix issued

and problem resolved –  More FDA recalls and enforcement actions (and

malpractice litigation) expected


www.duanemorris.com

Privacy and Security, HIPAA •  HIPAA protects the privacy and security of protected

health information (PHI); fines up to $1.5m per year for violations.

•  HIPAA applies to –  Covered Entities – 1) health care providers that engage

in certain electronic transactions, 2) health plans, and 3) health clearinghouses (billing companies)

–  Business Associates – agents and subcontractors of Covered Entities that handle PHI, and their agents and subcontractors


www.duanemorris.com

Privacy and Security, HIPAA cont. •  A wireless heart rate monitor service provider that permits a

patient to collect heart rate data at home and send it to his/her physician •  is NOT a Covered Entity if it does not bill a payor (instead bills the

customer or the provider) •  BUT the physician (who is a Covered Entity) must protect the PHI

•  Software that supports the distribution of specialized drugs to a hospital and includes a patient portal provides billing services •  IS a Covered Entity if it bills a payor for the hospital or

individual •  IS also a Business Associate because if it is billing for the

hospital or performing data analysis


www.duanemorris.com

Privacy and Security, Sensitive Data and Consent, HIPAA and State Law

•  When is consent to collect/use/disclose ‘sensitive data’ required? –  ‘Sensitive data’ includes: mental health, substance

abuse, reproductive health, genetic, infectious disease and other data.

–  Different laws apply. –  Consent may be obtained in writing, through opt-in/opt-

out, etc. – verbal not advised. –  Consent must be clear and honored.


www.duanemorris.com

Privacy and Security, HIPAA cont. •  If HIPAA applies, then must implement a

Compliance Program that includes: 1.  Privacy requirements – Notices, P&Ps, Training, Rights for

Individuals, etc. 2.  Security ‘standards’ – Access Restrictions, Audit Requirements,

Disaster Recovery, etc.   Standards are sized to organization

3. Breach Notification – Breach Reporting Policy   For “Unsecured PHI”, defined to meet certain criteria identified by

HHS for data in motion and data at rest http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html


www.duanemorris.com

Privacy and Security, FTC •  FTC is authorized to protect the consumer

against –  1) Deception (material misrepresentation, omission); –  2) Unfairness (harm or the potential for harm)

•  Actions: –  PATH social networking app: settled with FTC for $800k against

charges that it deceived users by collecting personal information from their mobile device address books without their knowledge and consent.

–  AcneApp: agreed to stop advertising baseless claims that app could cure acne with lights emitted from smartphones.


www.duanemorris.com

Privacy and Security, FTC •  FTC expectations for software and apps:

–  Privacy by Design - build privacy considerations in from the start. –  Transparency. –  Collect sensitive data with consent. –  Keep data secure. –  Truthful advertising, etc.

•  Industry Practice: “Terms and Conditions” and “Privacy Policies” on websites, apps. They address: –  How product/service uses data. –  How user may use data. –  Laws (Children’s Online Privacy, etc.)


www.duanemorris.com

Privacy and Security - Social Media

•  What is ‘social media’? –  Forms of exchange of user-generated content,

including blogging, chat rooms, internet forums, podcasts, instant messaging, etc.

•  Principle is free-flow of information (and thus difficult to control privacy and security).

•  No separate laws (yet). FTC and some states (California) have taken the lead of developing standards

•  Consider transparency of how data used, obtain consents as necessary, etc.


www.duanemorris.com

FTC Guidance - Privacy

•  “Mobile Privacy Disclosures: Building Trust Through Transparency” www.ftc.gov/os/2013/02/130201mobileprivacyreport.pdf

•  “Marketing Your Mobile App: Get It Right from the Start” business.ftc.gov/documents/bus81-marketing-your-mobile-app


www.duanemorris.com

FTC Guidance - Security •  “Mobile App Developers: Start with

Security” business.ftc.gov/documents/bus83-mobile-app-developers-start-security –  Make someone responsible. –  Take stock of the data. –  Understand differences between mobile platforms. –  Use due diligence on third party code. –  Use transit encryption for usernames, passwords, and other

important data. –  Protect your services, etc.


www.duanemorris.com

Department of Homeland Security •  May 4, 2013 issued a Bulletin, “Attack Surface: Healthcare and

Public Health Sector” –  Recognizes security risks in wireless technologies on enterprise networks

and wireless utilization of mobile devices. Concerns: –  Areas of concern: Identity theft, malicious intrusions, mistakes

•  Recommendations include: –  Purchase networked medical devices with “well documented and fine-

grained security features” that permit safe deployment on networks –  Purchasing agreements should include vendor support, patch, and

antivirus updates, standard security blocking and tackling, firewalls and endpoint security software, encryption of data at rest and during transmission, and rigorous access controls to healthcare networks.


www.duanemorris.com

Concluding Comments •  Is your head spinning? •  For an mHealth product/service:

–  Determine legal and appropriate Security Framework (FDA, HIPAA, Homeland Security etc.)   No one-size-fits-all   Determine industry best-practices

–  Determine Privacy Requirements   HIPAA Compliance   FTC concerns – develop Terms and Conditions, Privacy Policy AND

FOLLOW THEM –  Determine and comply with all other regulatory requirements, e.g., FDA

registration, etc.


www.duanemorris.com

Concluding comments, cont. •  For an mHealth purchaser/healthcare entity:

–  Carefully assess security, privacy and data protections and quality of product   Consider legacy issues, interface with enterprise

system, future projects and plans   Research best practices; review with IT specialist

–  Consider cost, including implementation and oversight issues

–  How to integrate product/service into organization – training, audits, sanctions, etc.

–  Make sure you have insurance coverage 34 ©2011 Duane Morris LLP. All Rights Reserved. Duane Morris is a registered service mark of Duane Morris LLP.

www.duanemorris.com

Other Resources •  To best follow national developments:

–  HHS’s Office of National Coordinator www.healthit.gov (authorized by ARRA to oversee development of HIT)

•  To determine best industry practices, work with industry groups, consultants. –  mHIMSS, www.mhimss.org –  AHIMA, www.ahima.org

•  Consult with counsel/consultants on application of laws, e.g., HIPAA, Terms of Use, policies, etc.


www.duanemorris.com

Questions?

•  Lisa Clark, Partner, Duane Morris –  Phone: +1 215 979 1833

Email: [email protected]

•  C. Mitchell Goldman, Partner, Duane Morris –  Phone: +1 215 979 1862 –  Email: [email protected]


Free Demo and 60 Day Evaluation www.compliancy-‐group.com

HIPAA Hotline 855.85HIPAA

855.854.4722

  HIPAA Compliance   HITECH Attestation   Risk Assessment

 Omnibus Rule Ready  Meaningful Use core measure 15

industry(leading(education( …...– $27.3b market by 2016 (bcc research) – growth rate at 22%...

Documents