October 31, 2020

Volume X, Number 305

Legal and Regulatory Landscape for Mobile Health Technologies

Mobile health (mHealth) technologies continue to expand in application and implementation. Over the past decade, the breadth of these technologies has grown from the creation of healthcare-directed websites (think WebMD) to implanted medical devices that constantly transmit and receive information (sometimes on a device-to-device basis).

If you are either a provider or a user of mHealth technologies, you must be aware of the legal and regulatory landscape in which these technologies operate. Failure to “stay between the lines” can result in financial penalties, public relations disasters, or both. Here are the key legal and regulatory areas impacting mHealth technologies:

Federal

  1. FDA: The FDA has a public health responsibility to oversee the safety and effectiveness of a small subset of mobile medical applications that present a potential risk to patients if they do not work as intended. In February of 2015, the FDA provided updated guidance on the regulation of those applications. Marketing a regulated medical device without proper pre-market notification or clearance can result in product recalls and lawsuits if the device causes personal injury or death.

  2. HIPAA: The HIPAA Privacy Rule, Security Rule, and Breach Notification Rule are all implicated by mHealth technologies. Enforced by the Office of Civil Rights within the Department of Health and Human Services, HIPAA breaches (through the unauthorized disclosure of protected health information (“PHI”)) can result in substantial fines, bad publicity (think Anthem), and costs associated with notifying affected individuals. Importantly, the Breach Notification Rule applies only to unencrypted PHI, and therefore encryption methods that meet the HIPAA definition should be adopted wherever possible. 

  3. FTC: Section 5 of the FTC Act protects consumers against fraudulent, deceptive, and unfair business practices. These are usually tied to privacy policy violations in the mHealth space – use or disclosure of consumers’ information beyond what is represented. Additionally, the FTC enforces the Health Breach Notification Rule, which requires vendors of personal health records to notify consumers if there has been a breach involving their electronic health information. As with HIPAA violations, breaches of Section 5 can result in substantial fines and unfavorable publicity.

State

  1. Licensure: Use of mHealth technologies for interstate consults may implicate state licensure requirements (i.e., practicing medicine without a license). Several states have adopted or are considering adoption of the Interstate Licensure Compact, which would enable limited use of mHealth technologies for interstate consults. Unless and until all states have adopted laws allowing this practice, each medical professional must be aware of the licensing requirements.

  2. Data Breach Notification Laws: A HIPAA breach involving PHI necessarily implicates a breach of the various state data breach notification laws, which protect “personally identifiable information” (“PII”). Forty-seven states have adopted these laws. As with HIPAA, many of these laws provide some relief if the PII is encrypted.

© Copyright 2020 Dickinson Wright PLLC

National Law Review, Volume V, Number 106

About this Author

2018 Go To Thought Leader Award

Hospitals, medical professionals, insurance organizations and others in the healthcare industry face a number of industry-specific regulatory and compliance issues. Dickinson Wright’s interdisciplinary healthcare practice group has the expertise and experience to provide sophisticated, cost-effective legal services to a broad range...

248-433-7234