Healthcare technology and compliance: A complex patchwork of laws and regulations | Health Care Compliance Association (HCCA)


[author: Susan Lee Walberg]

Every day, we see the increasing role of technology in our healthcare world. It wasn’t all that long ago that we began the transition to electronic medical records, and portable devices mostly meant BlackBerries. How far we have come, and so quickly! In healthcare, technological advances have so many potential benefits: Greater efficiency and accuracy in our medical records; the ability to identify possible problems in our bills before they go out; artificial intelligence (AI) can read a radiograph with greater speed and accuracy than a human; and patients can have devices at home to monitor chronic diseases and track/report concerning changes in things like blood sugar, heart rhythm, or blood pressure. And that is just a top-of-mind snapshot of some capabilities that we now have and are further developing.

While we love to think of improved efficiency and outcomes, there is also the “dark side” of such technology. Private information is much less likely to remain private. Too much automation can lead to inaccurate records or lazy recordkeeping. Allowing computers to make decisions or have a role in patient care can lead to risks if those systems and processes are not thoroughly tested and subject to human oversight. Technology, however, is moving at lightning speed—especially since the COVID-19 pandemic, when telehealth and remote patient monitoring suddenly became not just a convenience but a necessity. The U.S. Department of Health and Human Services (HHS) scrambled to ease various requirements related to telehealth benefits and HIPAA enforcement to accommodate patient needs during the healthcare emergency. The public health emergency is now over, but our technology is still racing into the future. Laws and regulations do not happen quickly, as we all know, so we now find ourselves trying to apply outdated standards to a brave new world. This situation has not gone unnoticed, however. A number of agencies have sought to bridge that gap by expanding or clarifying the scope of existing laws and regulations, as well as writing new ones. Enforcement, too, has taken some interesting turns in the effort to protect patients and prevent bad actors from taking advantage of the current patchwork of regulations.

Some agencies we may not typically deal with in the healthcare compliance world are stepping up, and, of course, some that we would expect to see are working creatively to help address the new technologies and the risks they create.

Here are the top current federal agencies that are actively engaged in healthcare technology-related compliance risks and what they are doing. Note that this snapshot is a moving target, especially with a new administration that may be shifting priorities or reconfiguring existing agency responsibilities.

HHS

It’s no surprise that HHS is front and center in regulating key aspects of healthcare technology, and with a new administration, there are still open questions about what that will look like. That said, the laws under its purview do struggle to keep up with technology, and the current challenge is how to apply the principles and requirements to technologies that were not used—or were used far less frequently—when the regulations were put into place. When HIPAA became law (for those of us old enough to remember the painful implementation), many health claims and transactions were still paper-based, as were many medical records. Standard transactions and interoperability weren’t common parlance, and AI certainly wasn’t part of our daily nomenclature.

The laws and regulations under HHS aren’t new: the HIPAA Privacy and Security rules, the Breach Notification Rule, and the 21st Century Cures Act, to name a few. But enforcement is evolving, as you will see.

In terms of healthcare technology, HIPAA rules apply to health tech used by providers and insurance plans—for instance, apps that providers’ offices use to coordinate or communicate with patients about their care, or devices used to maintain, store, or transmit patient information. Business associates and their subcontractors must follow the same rules as the covered entities they work with.

Because the world has changed drastically since the inception of HIPAA, regulators are finding different ways to hold organizations accountable for failures in their privacy and security practices, often by applying old laws in new ways.

Not just another breach story

The Louisiana-based Lafourche Medical Group settled a case with the HHS Office for Civil Rights, in a first-ever settlement of a phishing attack case under HIPAA. The breach affected nearly 35,000 patients. This case was significant because the medical group was the victim of a phishing attack; however, HHS found that its cybersecurity practices were not adequate, thereby allowing the attack to occur. Lafourche reportedly failed to complete a security risk assessment, provide adequate employee training, or put the necessary policies and procedures in place to prevent this occurrence. The settlement cost Lafourche $480,000, and it is also under a corrective action plan.[i]

Cases involving cybersecurity breaches are also being pursued under the False Claims Act (FCA), another interesting enforcement trend.

Federal Trade Commission (FTC)

In general, the FTC is tasked with consumer protection, which includes overseeing communication about products and services to ensure that representations about efficacy and safety are accurate and not misleading to the public. You won’t find healthcare or technology as an industry the FTC regulates, but if you look at the FTC website and click on guidance, there it is: health privacy, consumer privacy, data security, Red Flag Rules (which reside under the Fair Credit Reporting Act), and tech.[ii] The FTC has very broad authority: “The Commission may ‘prosecute any inquiry necessary to its duties in any part of the United States,’ FTC Act Sec. 3, 15 U.S.C. Sec. 43, and is authorized ‘to gather and compile information concerning, and to investigate from time to time the organization, business, conduct, practices, and management of any person, partnership, or corporation engaged in or whose business affects commerce, excepting banks, savings and loan institutions . . . Federal credit unions . . . and common carriers’ FTC Act Sec. 6(a), 15 U.S.C. Sec. 46(a).”[iii]

The good news is that most of what you find on the FTC site is, indeed, not enforcement-related laws, rules, or regulations; however, there is a large volume of useful guidance. The FTC is very interested in data security and technology. The bad news (depending on your point of view, of course) is that the FTC is getting into the business of enforcing its existing rules that do apply, and it has been very transparent in its warnings. You will find the FTC enforcing the Health Breach Notification Rule (HBN Rule), the FTC Rule (which relates to unfair and deceptive trade practices), and the Children’s Online Privacy Protection Act, as well as antitrust laws. The FTC’s HBN Rule was issued on August 24, 2009 (16 CFR Part 318), as required under the American Recovery and Reinvestment Act of 2009, with a compliance date of February 22, 2010.

The HBN Rule covers vendors of personal health records (PHRs) that contain individually identifiable health information created or received by healthcare providers. More specifically, PHRs are defined as an electronic record of “identifiable health information on an individual that has the technical capacity to draw information from multiple sources and that is managed, shared, and controlled by or primarily for the individual.” (16 CFR Part 318)

It’s important to understand the scope of this rule because it applies much more broadly than HIPAA. In fact, the FTC has issued guidance specifically explaining that a breach constitutes any unauthorized disclosure of individually identifiable health information, as it applies to entities not covered by HIPAA. Apps, in particular, that collect personal data are within the purview of the FTC’s enforcement actions. A key point to note is that an “unauthorized disclosure” means the patient/consumer did not consent to the disclosure. That may seem intuitive until you think about this applying to various consumer apps where people enter their own health information. Think about all the various “tracker” apps and health management tools online. Have you reviewed their privacy practices and consented to data sharing with Big Tech? That’s the type of disclosure we’re talking about, and the FTC isn’t having it.

Not so good: The case of GoodRx

The FTC showed it means business when it pursued GoodRx for failing to notify consumers of how it was disclosing their personal health information to entities such as Google and Facebook. GoodRx is a telehealth and prescription discount provider that offers a convenient app for consumers to use. The app collects personal health information from users, including information users enter, as well as information gleaned from pharmacy benefit managers when a consumer redeems a GoodRx coupon.

Over 55 million consumers have used the GoodRx app since 2017. The FTC proposed order, filed by the U.S. Department of Justice (DOJ) on behalf of the FTC, prohibits GoodRx from sharing user health information with third parties for advertising purposes and has assessed a fine of $1.5 million.

Keep an eye on the FTC. They are looking to bridge the gaps left open by HIPAA and stay on top of healthcare technology consumer protection. GoodRx was the warning shot, but there have already been others. The FTC is making use of the Breach Notification Rule, as well as the Federal Food, Drug, and Cosmetic Act (FDCA), claiming that security violations amount to an unfair and deceptive trade practice.

The Food and Drug Administration (FDA)

The FDA may not be the first agency you think of when contemplating the regulatory requirements applicable to health tech devices, services, or applications. By its very name, the agency is responsible for the safety of food and drug products.

But the FDA has evolved as technology has advanced. The FDA’s authority now extends to two aspects of health technology compliance: the regulation of medical devices and the cybersecurity of those devices. It’s also imperative to remember that AI and machine learning software are often categorized as medical devices (Software as a Medical Device), so the FDA will become a more visible player in regulating healthcare technology as AI becomes a bigger component of healthcare developments.

The FDCA is the applicable law in terms of regulating medical devices. The FDA’s role going forward will be impactful for all the various technology companies seeking to create the next generation of wearables and software-enabled healthcare diagnostic tools, etc., especially given the FDA’s stance on AI. The FDA has already issued draft guidance relating to AI and devices.

Speaking for many healthcare compliance professionals, unless we’ve worked with life science companies, we may not have ever given much, if any, thought to the FDA. That could be changing now, however, when almost anything can be a “medical device.”

The FDA is also very engaged in security as it relates to the various healthcare devices we are discussing here. Much of the emphasis from the FDA, however, relates to education and communication rather than enforcement. The FDA stresses the significance of communication about security risks and the safeguards in place for patients and caregivers. Clear communication, which includes a discussion of risks and benefits, is of huge importance, according to the FDA. The FDA is working collaboratively with a variety of stakeholders, including device manufacturers and developers, to provide guidance on incorporating cybersecurity considerations early in the product development phase.

Creative enforcement

Given the foregoing, it’s clear that, although there are laws on the books, the technology is moving faster than the regulations can be updated. Many questions remain, especially with AI rapidly advancing, impacting not only basic or administrative functions (such as patient scheduling and writing letters to payers) but also clinical tasks (such as collecting patients’ metrics via implantable devices and sending and interpreting the results). Regulators aren’t sitting on their hands, but most current laws don’t align squarely with the new risks in this high-tech environment. With that in mind, here are a few cases that demonstrate the “creative” enforcement activities by the various players above.

Jelly Bean

Jelly Bean Communications Design LLC and Jeremy Spinks have agreed to pay $293,771 to resolve FCA allegations that they failed to secure personal information on a federally funded Florida children’s health insurance website, which Jelly Bean created, hosted, and maintained.

According to Principal Deputy Assistant Attorney General Brian M. Boynton, head of the DOJ’s Civil Division: “We will use the False Claims Act to hold accountable companies and their management when they knowingly fail to comply with their cybersecurity obligations and put sensitive information at risk.”[iv]

This website developer failed to exercise appropriate cybersecurity measures for the website it created for a government healthcare program. The government pursued this matter under the FCA. That’s not a typical enforcement strategy for either cybersecurity or the FCA. However, times are changing, as we see when we follow enforcement activities with all the agencies mentioned in this article.

Modernizing Medicine Inc.

Modernizing Medicine Inc. (ModMed), an electronic health record (EHR) technology vendor located in Boca Raton, Florida, has agreed to pay $45 million to resolve allegations that it violated the FCA by accepting and providing unlawful remuneration in exchange for referrals and by causing its users to report inaccurate information in connection with claims for federal incentive payments.

The Anti-Kickback Statute (AKS) prohibits anyone from offering or paying, directly or indirectly, any remuneration—which includes money or any other thing of value—to induce referrals of items or services covered by Medicare, Medicaid, and other federally funded programs. In a complaint filed in conjunction with this settlement, the United States alleged that ModMed violated the FCA and the AKS through three marketing programs. First, ModMed solicited and received kickbacks from Miraca Life Sciences Inc. in exchange for recommending and arranging for ModMed’s users to utilize Miraca’s pathology lab services. Second, ModMed conspired with Miraca to improperly donate ModMed’s EHR to healthcare providers in an effort to increase lab orders to Miraca and simultaneously add customers to ModMed’s user base. Third, ModMed paid kickbacks to its current healthcare provider customers and other influential sources in the healthcare industry to recommend ModMed’s EHR and refer potential customers to ModMed.

“Electronic health records serve a critical role in informing physician decision making, and it is therefore essential that health care providers select such technology free from the influence of improper financial inducements,” said Boynton.[v] “Vendors of electronic health records will be held to the same standards of compliance that we expect of everyone who provides health care services” (emphasis added).

“Today’s settlement marks the fourth resolution that our office has achieved as we seek to root out fraud in the electronic health record technology field,” said U.S. Attorney Nikolas P. Kerest for the District of Vermont. “It is imperative that medical providers be able to trust the health record systems with which they document important and sensitive patient information, and for too long electronic health record vendors have prioritized only sales. The government alleges that for years, ModMed, through a variety of schemes, engaged in illegal kickbacks that distorted both the EMR [electronic medical record] and pathology lab markets, in addition to providing its users with a deficient product. This resolution reflects the seriousness of the government’s allegations and the determination of the Department of Justice to restore integrity to the electronic health record field.”

As a result of this conduct, the government alleges that ModMed improperly generated sales for itself and Miraca, while causing healthcare providers to submit false claims for reimbursement to the federal government for pathology services, and for incentive payments from HHS for the adoption and “meaningful use” of ModMed’s EHR technology.

In January 2019, Miraca (now known as Inform Diagnostics) agreed to pay $63.5 million to resolve allegations that it violated the AKS and the Stark Law by providing subsidies to referring physicians for EHR systems and free or discounted technology consulting services.[vi]

Conclusion

Compliance in healthcare involves much more now that technology has expanded its frontiers. Compliance professionals need to understand the patchwork of laws and agencies that can now impact our organizations, clients, and vendors, as well as how those business partners are adhering to those laws and regulations themselves.

Takeaways

  • HIPAA is no longer the sole focus of compliance for technology. Multiple federal and state agencies regulate healthcare, including telehealth, with overlapping laws, guidance, and enforcement responsibilities.
  • Many healthcare apps and devices qualify as medical devices. Confirm whether Food and Drug Administration (FDA) oversight applies and ensure approval before recommending or using new technology.
  • The Federal Trade Commission (FTC) prioritizes consumer privacy in health apps. Review privacy policies and consent forms carefully, as enforcement actions have targeted improper data sharing without user consent.
  • Artificial intelligence is transforming healthcare processes. Monitor federal regulatory developments from the FDA, the U.S. Department of Health and Human Services, Office for Civil Rights, and the FTC, and update policies regularly to address evolving oversight requirements.
  • Regulators increasingly apply old laws in new ways. Examples include cybersecurity under consumer protection laws and HIPAA issues under the False Claims Act.
