The fast-growing field of digital health is transforming healthcare by bringing together digital communications technology, electronic health information, electronic prescribing, connected medical devices, and telehealth. These technologies are being deployed by healthcare entities ranging from small health tech startups to large, established hospital systems, medical device companies, and other traditional healthcare companies. Telehealth systems are already in use for applications as varied as direct-to-consumer urgent care and remote provider-to-provider consultations for treatment of complex conditions such as strokes or rare genetic diseases. With these exciting new developments comes a new set of regulatory challenges and concerns for companies in the space. This alert provides a brief overview of some of the laws and regulations that may apply to health companies engaging in digital health.
Regulation of Medical Devices by the Food and Drug Administration
Digital health apps may be subject to regulation by the Food and Drug Administration (FDA). FDA guidance has stated that the agency intends to regulate health apps that qualify as medical devices and could pose a risk to patient safety if they do not function as intended.
The FDA is actively engaged in developing a modern regulatory regime that regulates digital health technologies without stifling innovation. In July, the FDA rolled out a new Digital Health Innovation plan that aims to efficiently enable the delivery of safe and effective digital health technologies. For more on this topic, please see the Venable Healthcare Alert, FDA Launches Action Plan for Digital Health Regulation.
State Law and Regulation of Corporate Practice of Medicine and Professional Fee-Splitting
Many states have corporate practice of medicine (CPOM) laws, which prohibit a general business corporation from rendering medical care or employing physicians to do so. State laws may apply to different types of licensed healthcare providers, such as physicians, dentists, and chiropractors. Digital health companies that provide healthcare services must take care to comply with any applicable state CPOM laws.
In addition, some states have "fee-splitting laws" that prohibit licensed healthcare professionals and facilities from sharing fees with unlicensed individuals and entities. The State of New York, for example, has fee-splitting rules that make it unlawful for physicians to share professional fees with many other persons and entities. Digital health companies must ensure that any arrangements involving licensed healthcare professionals comply with applicable fee-splitting laws.
State Medical Licensing Requirements and Telehealth
Digital health companies that provide telemedicine or telehealth services face an array of licensure requirements that differ from state to state. Most states require that a healthcare professional, such as a physician, who renders care to a patient residing in a particular state be licensed in that state. As such, digital health companies serving patients in multiple states must have a process in place to ensure that affiliated healthcare professionals are appropriately licensed in all applicable states. Many states also have laws specific to telemedicine and internet prescribing. California law, for example, prohibits providers from prescribing certain drugs through the internet without first conducting an appropriate medical examination of the patient.
Healthcare Fraud and Abuse Laws
Federal healthcare fraud and abuse laws that could impact digital health companies include the Anti-Kickback Statute (AKS) and the Stark Law. The AKS prohibits knowingly offering, paying, soliciting, or receiving any remuneration to induce referrals of items or services reimbursable by a federal healthcare program. The Stark Law makes it unlawful for physicians to refer Medicare patients for designated health services to an entity with which the physician has a financial relationship and prohibits the submission of a claim for reimbursement for services rendered pursuant to an unlawful referral. Digital health companies should take care to ensure that business arrangements comply with these complex laws and their associated regulations. In addition, many states have comparable healthcare fraud and abuse laws. State laws can be broader and may apply to all payers, not just public healthcare programs like Medicare and Medicaid. For example, digital health services that engage in marketing or lead generation must carefully evaluate their business arrangements to ensure compliance with state and federal healthcare fraud and abuse laws.
Federal, State, and International Health Privacy Laws
The Health Insurance Portability and Accountability Act (HIPAA)
Health apps are surging in popularity as customers seek online tools to help them set health and fitness goals, track progress, and manage long-term health concerns. A digital health company that builds or operates a health app must be aware that apps that create, store, or transmit HIPAA protected health information (PHI) on behalf of a covered entity such as a hospital, clinic, physician practice, or health plan, or a business associate of such businesses, will be subject to HIPAA. As such, they will require a comprehensive HIPAA privacy and security program.
Foreign and State Health Privacy Laws
Many states and foreign jurisdictions have health privacy laws that impose more stringent protections than HIPAA. These states and foreign jurisdictions may, for example, cover broader categories of information or impose stricter requirements such as shorter breach notification timelines. Digital health companies must be aware of the laws in the states and foreign jurisdictions where the company is based and where its customers are located.
Consumer Protection Regulation by the Federal Trade Commission and State Attorneys General
The Federal Trade Commission's (FTC) Bureau of Consumer Protection enforces federal law against companies engaged in unfair, deceptive, and fraudulent business practices. The FTC's enforcement efforts cover data security and false advertising, both of which can come into play in the digital health space. State attorneys general also operate in this area, and their enforcement efforts have been on the rise. In March of this year, the New York Attorney General's office announced settlements with the makers of three digital health apps regarding misleading claims about the apps and problems with their privacy policies. As part of the settlements, the apps must now disclose to consumers that they may collect and share personally identifiable information such as GPS location and device unique identifier. This enforcement action highlights the need for digital health companies to have in place effective and compliant terms of use and privacy policies for their health apps.
Federal Communications Commission Regulation
The Federal Communications Commission (FCC) regulates communications devices, which may include some digital health technologies. Medical devices that use radio frequency communication may come under FCC jurisdiction. The FCC works with the FDA to promulgate consistent regulations and standards for the use of technologies that may be subject to regulation by both agencies.
Venable healthcare regulatory attorneys are experienced in structuring digital health businesses to comply with these laws. Please contact one of the authors of this alert for assistance.