May 5, 2020, 4:01 AM | news.bllomberglaw.com
The public health crisis caused by the Covid-19 outbreak has created unprecedented opportunities for partnership between health-care providers and digital health developers.
However, these partnerships can pose dangers—particularly from privacy and cybersecurity perspectives—if not thoroughly vetted and properly structured.
We outline some of the most important issues digital health developers should consider before agreeing to contract with health-care providers on digital Covid-19 projects.
Know Your Role in the Regulatory Framework
When working directly with health-care providers to assist in their performance of health-care operations, you may be regulated as a business associate under the Health Insurance Portability Act (HIPAA), even if you never interact directly with a patient.
Business associates are obligated under both HIPAA and the Health Information Technology for Economic and Clinical Health Act to develop and maintain policies and procedures for the use and disclosure of electronic PHI. Business associates must enter into a business associate agreement (BAA), which outlines obligations for the protection of health information received during the partnership.
Avoiding the corporate practice of medicine is another important consideration. Most states prohibit the corporate practice of medicine, meaning that only licensed professionals are permitted to make or influence clinical decisions. Such laws prohibit the design of an app or other digital tool that aims to provide treatment or diagnostic information without the direct involvement of a licensed health-care provider.
Understand Your Privacy and Security Obligations
On the federal level, as stated above, a business associate has direct obligations under HIPAA. The extent of those obligations will vary depending upon the nature of the relationship with the HIPAA covered entity and the services provided. Business associates are directly liable under the HIPAA rules for failure to comply with the HIPAA Security Rule.
Digital health companies not subject to HIPAA will also have privacy obligations under federal law. For example, they may be subject to the Federal Trade Commission’s Data Breach Notification Rule, which requires certain businesses not covered by HIPAA to notify their customers and others if there is a breach of unsecured, individually identifiable electronic health information.
Similarly, the FTC oversees the privacy practices of all consumer facing services and devices, and requires entities that collect, use, store and disclose personal information to have a posted privacy policy and adhere to the claims contained therein. A business that makes false claims regarding its privacy practices or that displays unsatisfactory privacy practices may be found in violation of the unfair and deceptive practices provision of the FTC Act.
Additionally, a growing number of states have data privacy laws that govern the use and disclosure of personally identifiable information, even beyond health information. Many states provide specific requirements in the event of a data breach, which can include particular methods for notifying consumers and regulators.
Some state privacy laws contain specific requirements for the use, disclosure, and storage of personally identifiable information. For example, while the California Consumer Privacy Act (with an anticipated enforcement date of July 1), excludes information subject to HIPAA, it does apply to personal information not covered by HIPAA that some digital health providers may collect, such as consumer purchasing histories. Massachusetts requires businesses to encrypt certain types of data transmitted wirelessly or across public networks, as well as data stored on portable devices.
Note that simply de-identifying consumer data may not be enough to avoid compliance with various state privacy laws. States vary in their definition of “anonymous” or “aggregated” data, with some states imposing higher standards than HIPAA. For example, New York considers information identifiable if it can be linked to a user with a particular device (e.g., IP addresses). In 2017, the New York attorney general brought enforcement actions against several companies that stated in their privacy policies that they would not share personally identifiable information but did disclose certain “aggregated data,” which was actually identifiable under New York standards.
Foreign laws add to this complexity. In addition to establishing various handling requirements for personal data emanating from the European Union, Europe’s General Data Protection Regulation requires a level of security for personal data that is appropriate to the attendant risks, and imposes tight time frames for notifying supervisory authorities and/or data subjects of a data security breach.
Incorporating privacy and security obligations into early stages of planning may help. Consider applicable data protection and information security legal requirements, as well as information security best practices, at the outset of a project. Early planning can help to avoid non-compliance and attendant risks and exposure, as well as any later need to redesign, which may cause delay and additional cost.
Plan and Prepare to Be Vetted by Health-Care Partners
In the wake of several high profile breaches involving third-party vendors, health-care providers are more diligent than ever in how they vet the third-party vendors with whom they partner.
When partnering with health-care providers to provide digital health products be prepared to disclose any prior data breaches or past security incidents, and to explain remedial measures taken to prevent future incidents. Consider drafting your own internal privacy policies and be ready to demonstrate your plan for protecting the privacy of consumer information.
If you plan to utilize subcontractors, make sure you’ve performed third-party risk assessments, which you should expect to provide to your prospective partner. Be prepared to sign agreements that require you to certify your ability to comply with various privacy law requirements and ensure you can comply with any contractual obligation to which you agree. Many contracts contain their own data security terms, which should be considered carefully. A vendor may not be able to manage competing security terms with multiple clients.
Any company that accesses, stores or discloses personally identifiable health information will need to anticipate federal and state oversight. Although the Covid-19 crisis provides a meaningful opportunity for partnerships between health-care providers and digital health developers, it is critical to understand and prepare for the obligations such partnerships entail.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Author Information
Linda A. Malek is a partner at Moses & Singer and chair of the firm’s health care and privacy & cybersecurity practice groups.
Blaze D. Waleski is of counsel with the firm’s health care, privacy & cybersecurity, and intellectual privacy practice groups.
Nora L. Schmitt is an associate with the health care and privacy & cybersecurity practice groups.