In many instances, digital products are not squarely regulated by the US Food and Drug Administration (FDA), or by the Department of Health and Human Service (HHS) Office of Civil Rights (OCR)-which enforces the Health Insurance Portability and Accountability Act (HIPAA). Instead, a patchwork of various state data privacy and security laws may apply, in addition to consumer protection laws. We expect to see states continue to pass laws, which means companies have to monitor state law developments to ensure the data they collect meets regulatory requirements.

Widespread Adoption of Telehealth - The Impact of Covid-19

The commercialization of digital health and medtech products, specifically, telehealth tools, has significantly increased over the past several years - accelerated, in part, by the COVID-19 Public Health Emergency (PHE). Understanding the need to allow flexibility for innovative solutions, federal regulators implemented various waivers aimed at enhancing access to patients and physicians. These waivers, along with consumer demand, spurred the use of telehealth technologies during the course of the PHE.

Although COVID-19 waivers are set to end upon the termination of the PHE, their impact persists. The industry's use of PHE waivers signals a continued trend toward flexibility and innovation. This trend will likely result in changes to existing regulations, or at the least, agency guidance that provides flexibility in enforcement of existing regulations. As evidence of the industry's desire to make telehealth the new norm, a group of over three hundred healthcare and industry organizations issued a letter to Congress in January 2022 titled "Establishing a Pathway for Comprehensive Telehealth Reform," which outlined the need to prioritize telehealth going forward.27 The letter also proposed several potential steps to continue telehealth flexibility after the PHE, including enacting legislation to support the use of telehealth.

Telehealth and MedTech - A Patchwork of Privacy Laws

HIPAA - And Its Limited Application

While many developers (and users) of digital health products and services may think of the Health Insurance Portability and Accountability Act (HIPAA) as a primary regulatory consideration for their product, in actuality, HIPAA does not, in fact, regulate the privacy and security of all health information on a whole. Rather, it applies under fairly narrower circumstances.

HIPAA is a federal law that protects the privacy and security of individually identifiable health information (protected health information or PHI). However, HIPAA only governs "covered entities," which is defined as health plans, health care clearinghouses, health care providers that electronically transmit claims, and "business associates," which are persons or entities that perform certain functions or activities that involve the use or disclosure of PHI for a covered entity.28 In many cases, medtech and digital health companies are neither "covered entities," nor "business associates" under HIPAA, and therefore fall outside of its jurisdiction. This is the case, even if the products generate and store consumer health-related data. There are exceptions, of course, and the analysis of whether HIPAA applies depends on the data flows and how services are paid. But generally speaking, health information accessed through or stored on consumer cell phones or tablets, including geographic location information or search history, are not protected under HIPAA.29

Unfair and Deceptive Trade Practice Laws (UDAAP): The FTC and State Laws

In addition to FDA and HHS's OCR (which enforces HIPAA), the Federal Trade Commission (FTC) is a major federal player in the regulation of telehealth. Because FTC laws are generally applied to consumer products and services, the FTC Act applies regardless of whether a product meets the definition of a medical "device" under FDA laws, or whether collected information is defined as PHI under HIPPA.

The FTC Act broadly prohibits "unfair and deceptive acts or practices" in or affecting commerce.30 Many states have consumer protection laws that either overlap with this federal law or impose additional requirements. Many of these state UDAAP equivalent laws provide a means for affected consumers to file class action lawsuits against digital health companies.

Federal and state UDAAP laws are used as the basis for many privacy and data security-related enforcement actions and lawsuits. Allegations under UDAAP laws are based on a company not doing what it said it would do with personal information (deception). Cases in this area are successful if the plaintiff can show that there were misrepresentations or omissions of material facts in statements made about how information would be used, or that a company had insufficient security measures in place, and thereby, engaged in fundamentally unfair practices.

More State Privacy and Data Security Laws

The states have created a patchwork of privacy and security laws that directly impact how a company can collect and use information, as well as, obligations with respect to providing individual "rights"--i.e., access, opting out, and deletion. At least 22 US states have laws that require companies to protect information.31 This includes states such as Colorado, Connecticut, Maryland, Massachusetts, Oregon, New Jersey, and New York.

The state laws may apply to organizations based on certain types of information that it collects, and/or because a company collects information from residents of the impacted state. Some of these state laws contemplate that specific requirements be addressed in a data security program (e.g., written information security policy, vendor contractual requirements, employee training, a designated person in charge, etc.), while others generally require that "reasonable security" measures be deployed.

For example, the current state law in California (along with its recent amendments) and Virginia, and those other state laws coming into effect in 2023 in Colorado, Connecticut, and Utah should be top of mind for digital health companies.32 Companies subject to Colorado, Connecticut and Virginia laws will need to obtain consent for collecting any "sensitive information,"33 such as medical histories or information about a mental or physical condition.34 California or Utah laws require an opt-out right to the processing of sensitive information.35 Additionally, there are a number of other state laws that may apply to digital health companies. The applicability of such laws depends on: (1) the type of information the company collects (e.g., biometric, genetic), (2) from whom the company collects such information (e.g., children), and (3) how the company communicates with such individuals (e.g., calling, emailing, texting).

What's Next for Telehealth & Privacy

Telehealth and remote patient access is the new norm. We expect states will continue to enact laws to fill the perceived gaps in federal regulations. With the myriad of potential privacy and data security laws, and those on the horizon, many companies will want to think about putting into place a principles-based privacy program that is aligned with an organization's underlying mission and goals. A customized program, focusing on the core elements found across data privacy laws (e.g., notice, individual rights, choice, vendor management, etc.) enables companies to have a more nimble approach for adapting to this changing area of law.

Footnotes

27. See ATA, 336 Stakeholders Seek Leadership from Congress to Create Permanent Comprehensive Telehealth Reform, Jan. 31, 2022, available at:336 Stakeholders Seek Leadership from Congress to Create Permanent Comprehensive Telehealth Reform - ATA (americantelemed.org).

28. 45 CFR §160.103.

29. HHS, Protecting the Privacy and Security of Your Health Information When Using Your Personal Cell Phone1 or Tablet, Jun. 29, 2022, available at: Protecting the Privacy and Security of Your Health Information When Using Your Personal Cell Phone or Tablet | HHS.gov.

30. 15 U.S.C. § 45 et seq.

31. Alabama (Ala. Code 1975 §§8-38-3 to 8-38-10); Arkansas (A.C.A. §§4-110-101 to 4-110-106); California (Cal Civ Code §§1798.82 to 1798.84); Colorado (C.R.S. 6-1-716(2)(a)); Connecticut (Conn. Gen. Stat. §36a-701b); Delaware (6 Del. C. §12B-102); District of Columbia (DC CODE § 28-3852a); Florida (Fla. Stat. §501.171); Illinois (815 ILCS 530/45); Indiana (IN ST 24-4.9-3-1); Kansas (KS ST 50-6, 139b);

Louisiana (La. R.S. 51:3074); Maryland (Md. Code. Ann., Comm. Law §14-3503); Massachusetts (MA ST 93H §§3 to 4); Nebraska (Neb. Rev. Stat. Ann. §87- 808); Nevada (Nev. Rev. Stat. Ann. §§603A.210 to 215); New Mexico (N.M.S.A. §57-12C(4)-(5)); New York (NY Gen. Bus. §899-bb); Oregon (Or. Rev. Stat. §646A.622); Rhode Island (R.I. Gen. Laws §§11-49.3-1 to 5); Texas (Tex. Bus. & Com. Code Ann. §521- 052); Utah (Utah Code Ann. §13-44-201).

32. Cal. Civ. Code § 1798.100 et seq; Colo. Rev. Stat. § 6-1-1306(1)(b); Connecticut Pub. Acts 2022, No. 22-15 § 4(a)(1); Utah Code Ann. § 13-1-201(1)(b).

33. Colo. Rev. Stat. § 6-1-1308 (7); Connecticut Pub. Acts 2022, No. 22-15 § 6(a)(4); Va. Code Ann. § 59.1-574(A)(5).

34. Colo. Rev. Stat. § 6-1-1308 (7); Connecticut Pub. Acts 2022, No. 22-15 § 6(a)(4); Va. Code Ann. § 59.1-574(A)(5).

35. Cal. Civ. Code § 1798.121; 11 CCR § 7027; Utah Code Ann. § 13-61-302(3)(a); Va. Code Ann. § 59.1- 573(A)(2)

2023 Top-of-Mind Issues for Life Sciences Companies

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.