HIMSS 2015 Conference in Chicago

In "The mHealth Policy Conundrum: Keeping Pace with Technology", Dickinson Wright Attorney Brian Balow will provide an update on changes to policies impacting the mobile and wireless space. Topics that he will address during the one-hour conversation include finalization of the FDA Safety and Innovation Act (FDASIA) Workgroup, other major policy changes implemented in 2014 and potential future changes over 2015 including updates to the Physician Fee Schedule, and legislative efforts improving the use and definition of Telemedicine.


by Brian Balow

Mobile health (mHealth) technologies continue to expand in application and implementation. Over the past decade, the breadth of these technologies has grown from the creation of healthcare-directed websites (think WebMD) to implanted medical devices that constantly transmit and receive information (sometimes on a device-to-device basis).

If you are either a provider or a user of mHealth technologies you must be aware of the legal and regulatory landscape in which these technologies operate. Failure to "stay between the lines" can result in financial penalties, public relations disasters, or both. Here are the key legal and regulatory areas impacting mHealth technologies:


  1. FDA: The FDA has a public health responsibility to oversee the safety and effectiveness of a small subset of mobile medical applications that present a potential risk to patients if they do not work as intended. In February of 2015, the FDA provided updated guidance on the regulation of those applications: http://www.fda.gov/downloads/MedicalDevices/.../UCM263366.pdf. Marketing a regulated medical device without proper pre-market notification or clearance can result in product recalls and lawsuits if the device causes personal injury or death.
  2. HIPAA: The HIPAA Privacy Rule, Security Rule, and Breach Notification Rule are all implicated by mHealth technologies. Enforced by the Office of Civil Rights within the Department of Health and Human Services, HIPAA breaches (through the unauthorized disclosure of protected health information ("PHI")) can result in substantial fines, bad publicity (think Anthem), and costs associated with notifying affected individuals. Importantly, the Breach Notification Rule applies only to unencrypted PHI, and therefore encryption methods that meet the HIPAA definition should be adopted wherever possible. More information on HIPAA and mHealth technologies can be found at: http://www.healthit.gov/providers-professionals/your-mobile-device-and-health-information-privacy-and-security.
  3. FTC: Section 5 of the FTC Act protects consumers against fraudulent, deceptive, and unfair business practices. These are usually tied to privacy policy violations in the mHealth space – use or disclosure of consumers' information beyond what is represented. Additionally, the FTC enforces the Health Breach Notification Rule which requires vendors of personal health records to notify consumers if there has been a breach involving their electronic health information. As with HIPAA violations, breaches of Section 5 can result in substantial fines and unfavorable publicity. More information on the Health Breach Notification Rule can be found at: https://www.ftc.gov/tips-advice/business-center/guidance/complying-ftcs-health-breach-notification-rule.


  1. Licensure: Use of mHealth technologies for interstate consults may implicate state licensure requirements (i.e., practicing medicine without a license). Several states have adopted or are considering adoption of the Interstate Licensure Compact which would enable limited use of mHealth technologies for interstate consults. Unless and until all states have adopted laws allowing this practice, each medical professional must be aware of the licensing requirements.
  2. Data Breach Notification Laws: A HIPAA breach involving PHI necessarily implicates a breach of the various state data breach notification laws, which protect "personally identifiable information" ("PII"). Forty-seven states have adopted these laws:http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx. As with HIPAA, many of these laws provide some relief if the PII is encrypted.

Depending on the mHealth "solution" you are providing or using, you should have a solid working knowledge of each of these areas of regulation and develop a process that ensures compliance. Failure to do so can have unintended and negative consequences, and if you are a mobile medical application provider, could result in the recall of your product.


by Jessica L. Russell

On March 30, 2015, the Department of Health and Human Services ("HHS") published its proposed rule for Stage 3 the Electronic Health Record Incentive Program (the "EHR Program"). The EHR Program is a three stage program that provides incentive payments to eligible professionals and eligible hospitals and critical access hospitals ("CAHs") (collectively, "eligible providers") that attain "meaningful use" of an EHR by meeting the specific criteria of their respective stage in the EHR Program. Currently, providers are in Stage 1 or Stage 2, depending on when they began their participation in the EHR Program.

While some providers have elected not to implement an EHR due to the high costs, administrative burdens, and dissatisfaction with the structure of the program, starting this year Medicare providers that have failed to obtain meaningful use of an EHR are subject to penalties.

With HHS's newly proposed rule, HHS attempts to address many of the issues that have plagued providers since the EHR Program's inception, including the burden of reporting to multiple quality reporting programs, the number of EHR Program requirements, the timing of EHR meaningful use reporting periods, and the numerous stages of participation. HHS has stated its goal in Stage 3 is to broadly increase "simplicity and flexibility in the program while driving interoperability and a focus on patient outcomes in the meaningful use program." Overall, HHS's proposed rule aims to have all participating providers in Stage 3 and subject to the same meaningful use and EHR Program standards by 2018.

In order to streamline and simplify the EHR Program, HHS intends to establish a single set of objectives and measures for the definition of meaningful use (tailored to eligible professionals or eligible hospitals and CAHs). In 2017, all eligible providers would have the option to attest to these objectives and measures in lieu of the requirements of their current stage in the EHR Program. However, as of 2018, all eligible providers would be required to attest to Stage 3 meaningful use, regardless of their current stage in the program.

In addition, HHS intends to expand of the reporting period by requiring eligible providers to attest to a full year of data to demonstrate meaningful use in Stage 3. Certain Medicaid eligible professionals and eligible hospitals demonstrating meaningful use for the first time would be exempt from this requirement and only subject to a 90 day continuous reporting period for that year to meet meaningful use standards.

HHS has also suggested solutions to minimize the burden of reporting Clinical Quality Measures ("CQMs"), which are measures that must be reported by eligible providers in order to qualify for the incentive payments and avoid penalties. Specifically, reporting under the EHR Program would be aligned in a single reporting mechanism with Hospital Inpatient Quality Reporting (IQR) and the Physician Quality Reporting System (PQRS). To effectuate further efficiency and integration, HHS proposes to require eligible providers to report CQMs electronically in 2018.

HHS is accepting public comments on this proposed rule until May 29, 2015.


by Wendy G. Hulton

Back in 2012, the Ontario Court of Appeal recognized the tort of invasion of privacy – fast forward to the recent string of privacy breaches of personal information held by health care facilities in Ontario. Along comes Hopkins v Kay, 2014 ONSC 321 (CanLII), where patients from the Peterborough Regional Health Centre (the "Hospital") have launched a $5.6 million class action lawsuit against the Hospital alleging that approximately 280 patient records were intentionally and unlawfully accessed and disseminated to third parties without the patients' consent.

The Hospital, in response, brought a motion to strike the plaintiffs' claim on the basis that it did not disclose a cause of action, arguing that the claim was precluded by the Personal Health Information Protection Act, 2004, SO 2004, c 3, Sch A ("PHIPA") because the legislature intended PHIPA to be a comprehensive code that displaces any common law cause of action, including intrusion upon seclusion (aka the tort of breach of privacy). The Hospital's position is that the plaintiffs' only recourse is a complaint to the Privacy Commissioner.

The Ontario Superior Court of Justice dismissed the Hospital's motion to strike, concluding that it was not plain and obvious that the claim disclosed no reasonable cause of action, and the Hospital launched an appeal of this decision.

The Ontario Court of Appeal subsequently held that the Hospital cannot escape from the proposed class action proceeding on the basis of the provisions of PHIPA.

The proposed class action was launched by a former patient whose records were improperly accessed. Her claim was based on the common law tort of intrusion upon seclusion, a claim recognized by Ontario courts in Jones v. Tsige, 2012 ONCA 32, 108 O.R. (3d) 241.

The representative plaintiff, Erkenraadje Wensvoort, claims that she attended the Hospital on several occasions for treatment of injuries inflicted by her ex-husband. She eventually left her husband, but still feared for her safety. Along with two hundred eighty other patients, the plaintiff received two notices from the Hospital notifying her that the privacy of her personal health information had been breached. The plaintiff was afraid that her ex-husband had paid someone to access her records in order to try to find her.

Wensvoort initially relied on breaches of PHIPA to assert a cause of action, but she later amended her statement of claim to contain only the common law cause of action identified in Jones v. Tsige for intrusion upon seclusion.

PHIPA is an Ontario law that governs the collection, use and disclosure of personal health information. It also provides rules to protect the confidentiality of that information and the privacy of individuals, while facilitating the effective provision of health care.

PHIPA provides that an individual may make a complaint to Ontario's Information and Privacy Commission for contravention of the Act and the Commissioner has powers to make a variety orders to ensure compliance with the Act.

The Court also noted that:

The possibility of recovering damages as a result of a breach of PHIPA is the subject of s. 65:

65. (1) If the Commissioner has made an order under this Act that has become final as the result of there being no further right of appeal, a person affected by the order may commence a proceeding in the Superior Court of Justice for damages for actual harm that the person has suffered as a result of a contravention of this Act or its regulations.

(2) If a person has been convicted of an offence under this Act and the conviction has become final as a result of there being no further right of appeal, a person affected by the conduct that gave rise to the offence may commence a proceeding in the Superior Court of Justice for damages for actual harm that the person has suffered as a result of the conduct.

(3) If, in a proceeding described in subsection (1) or (2), the Superior Court of Justice determines that the harm suffered by the plaintiff was caused by a contravention or offence, as the case may be, that the defendants engaged in wilfully or recklessly, the court may include in its award of damages an award, not exceeding $10,000, for mental anguish.

The Court of Appeal pointed out that PHIPA does not allow the Commissioner to award damages, and instead requires individuals to bring an action in Superior Court to seek compensation for any harm caused. The Court found that this undermines the argument that the legislature intended to exclude courts from resolving disputes governed by PHIPA.

The Court ultimately concluded that PHIPA does not confer exclusive jurisdiction on the Commissioner to resolve all disputes over misuse of personal health information, holding:

PHIPA's highly discretionary review procedure is tailored to deal with systemic issues rather than individual complaints. There is no basis to exclude the jurisdiction of the Superior Court from entertaining a common law claim for breach of privacy and, given the absence of an effective dispute resolution procedure, there is no merit to the suggestion that the court should decline to exercise its jurisdiction.

The health care community needs to be even more vigilant in its efforts to protect the privacy of health information, now that Hopkins has thrown the doors wide open to tort claims against custodians of health information for privacy breaches.




Dickinson Wright had the opportunity to sit down with leaders from Envision Health to obtain Envision Health's perspective on a number of questions relating to the industry implications of the Patient Protection and Affordable Care Act, Public Law 111-148 on provider and payer marketing and business strategies. Below are a few of our questions and Envision Health's responses, which our readers may find to be interesting. Set forth below are Envision Health's interesting insights and industry perspective. The full version can be found on the Envision Health website www.envhealthsolutions.com

According to a recent study by Accenture, by 2017 approximately 18 percent of the American public will purchase insurance through exchanges versus relying on traditional employer healthcare coverage or foregoing insurance coverage entirely. What does this mean for health plans and their relationship with their members?

Healthcare Industry Perspective (according to Envision Health):

First of all, many insured Americans do not have a good understanding of the services provided under their current health plan, nor do they spend much time considering available benefit options during open enrollment. A study conducted by AFLAC showed that 41% of employees spent 15 minutes or less researching their benefit options (AFLAC Open Enrollment Study, 2013 / 2014). Comparing the amount of time spent researching benefits with the amount of time deciding what type of television to buy (2 hours) or researching a new car purchase (10 hours), it is clear that health plans face significant challenges in marketing services to potential members, regardless of the type of health insurance exchange.

Prior to the ACA, employees receiving health benefits via their employer had little choice or incentive to spend much effort analyzing health options provided by their employer. That will soon be changing. Recent employer surveys indicate that more than 1 in 4 employers are considering moving to a private exchange in the next three to five years.

Envision Health Perspective:

The ACA has transformed how health plans go to market. While their core expertise has traditionally been business-to-business (B2B), they must now become adept at direct to consumer (D2C). In fact, delivering effective consumer marketing, education and informational tools will now become critical to their survival. This is quite a disruption for an industry that until recently lacked valid email addresses for the majority of their covered lives. According to Kelley O. Smith, RN, MPH, and COO of Envision Health, "Health plans are asking us 'Can you help me find and attract the young and healthy?' The most progressive carriers are rapidly finding ways to augment their existing talent with consulting expertise to help them win on the exchanges. These new challenges require a deep understanding of marketing, technology and segmentation tools...and consumer health from a clinical perspective."

Health plans are not the only industry players that are affected by the current market trend. How are healthcare providers affected? Do they need to modify their marketing strategies as well?

Healthcare Industry Perspective (according to Envision Health):

Providers are in the midst of a classic market disruption. The ACA has fundamentally changed their compensation model so they must become adept at population health management and find ways to take out internal costs. At the same time, providers must adapt to increasing regulatory requirements while attempting to capitalize on new technology breakthroughs. The following are some of the ways healthcare providers will be affected:

  • New patients, more services covered – as more patients are insured, providers should see a rise in requests for service. The good news is an increase in revenue. The potential bad news is the risk of overloading physician practices, in particular, primary care physicians. In addition, the ACA requires coverage of 63 different preventative services, also potentially increasing the burden on physicians.
  • Increased price sensitivity – co-pays and high deductibles may discourage patients from visiting the provider.
  • Transparency – consumers will have more insight into costs of care and quality of care.
  • Loss of revenue – due to patients using more "retail-orientated" options.
  • Reimbursement changes – new payment methodologies based on outcomes, such as bundled payments, patient-centered medical homes, and shared savings in ACOs, as well as penalties levied based on the Physician Quality Reporting System (PQRS).
  • Increased collection activities - more out-of-pocket expenses for the consumer may result in higher rates of non-payment of services.
  • Consolidation – hospital systems buying hospitals, hospitals buying physician practices, small physician groups merging.
  • Competition among hospitals, surgeons, physicians – all seeking to engage the "best patients".

Envision Health Perspective:

Providers today are well on their way to traversing the rocky road from fee-for-service to value-based care. Unfortunately, while they straddle both worlds, they must continue to drive revenue by attracting more patients for profitable services while avoiding readmissions penalties and achieving quality standards defined by public, private and physician-led ACOs, patient centered medical homes, Medicaid health homes, the CMS Delivery System Reform Incentive Programs, etc. Addressing these challenges requires a strong command of the latest technology advances, federal healthcare policy, clinical workflows, and how to drive behavior change through advanced marketing. According to Kelley O. Smith, "Each of these initiatives requires some level of risk stratification and consumer engagement; these are not exactly skills providers were known for prior to ObamaCare, but it's precisely the type of work that Envision Health and other 'new age' consulting firms do best."

That being said, what do you think are the best strategies for providers to compete in the marketplace?

Healthcare Industry Perspective (according to Envision Health):

First and foremost, hospitals must not only understand the current legislation, but also the intent of the federal legislation to anticipate where it is headed and align their strategies accordingly. Providers, especially hospitals, need to "re-think marketing". Gone are the days when just having a website, having billboards and publishing press releases was sufficient. Many hospitals now employ a Chief Marketing Officer who engages directly with the executive board and helps to inform their business strategy.

There are numerous marketing strategies developed and refined across more advanced consumer-centric industries that can be applied to providers today:

  • Understand your market – Know your audience, define personas, and segment and personalize your messages wherever possible. Learn to "think like insurers" and utilize big data to your advantage. For example, all providers have (non-PHI) patient data that could be used to reach out to existing and past patients and to develop predictive models to attract the right types of new clients. Predictive analytics tools are proliferating in the market today and are becoming more highly customized to specific segments of the population. Begin with the end in mind. You must define your goals for marketing campaigns in advance. That which gets measured, gets improved.
  • Include a Call-to-Action – Make your calls-to-action contextual. For example, if an individual is browsing the physician section of your website, include a "Schedule an Appointment?" button to activate the consumer to respond while they are "shopping".
  • Understand "Local" Search Engine Optimization (SEO) – Where does your practice or hospital "land" on a web page when the consumer types in "hospitals near me" or "cardiac surgery in Detroit"? Appearing in the number one position will help your organization get nearly 35% of the clicks. Appearing in the second position gets just 12% while the third gets 9.5%, and it trickles down to 2.2% for the tenth position. Make sure your hospital or physician group practice gets included in all the appropriate local, regional and national listings (e.g., bariatric surgeons in Michigan, etc.).

In addition to the above recommendations, provider marketing plans must consider the following realities in today's consumer-driven marketplace:

  • Be ready for transparency – Consumers are increasingly looking at a number of options and criteria when making health care decisions. Cost and quality metrics are becoming more available and will continue to expand.
  • Embrace social media, including mobile – Some providers are asking their patients to share their story on Facebook and other social media sites. Patient testimonials, where the patient talks about their condition, procedure, life struggles can be very powerful because they are sincere and believable.
  • Use innovative tools to engage patients – For example, a mobile health solution that has generated an 80% engagement rate in a 12 month pilot study. By preparing patients for surgery and recovery through prescriptive programs, the application is helping healthcare providers reduce costs and length of stay by an average of 30%. These types of solutions will not only help providers achieve financial rewards from shared savings initiatives, but they also result in real patient benefit that can be shared more broadly with prospective patients, families, care teams, and referring physicians.
  • Legal issues to consider – Providers must carefully review all public-facing materials to ensure that advertising claims are not overstated. Your marketing leaders need to be aware of the most common causes for healthcare consumer lawsuits. Inflated advertising and other messaging can become a PR, and possibly, legal nightmare.

Envision Health Perspective

It is possible for providers to not only survive, but to thrive in today's market. In order to do so, they should simultaneously align their strategies to healthcare's Triple Aim and rapidly apply marketing best practices from other industries. They have much to learn from "local" digital marketing strategies such as those refined for automotive dealerships and in other industries – and they need to apply them to population health management and fostering patient engagement and loyalty. According to Tim J. Busche, "Successful marketing in these changing times is both a fine art and a constantly evolving science. On one hand, providers have always needed to create innovative, integrated and targeted marketing campaigns. In today's evolving marketplace, however, they now need to create strategies that align with where federal healthcare legislation is headed. This is not simple. Our clients have chosen to work with Envision Health because we enable them to connect the dots...in a way that makes sense for their business."

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.