The fast-growing field of digital health is transforming healthcare by bringing together digital communications technology, electronic health information, electronic prescribing, connected medical devices, and telehealth. These technologies are being deployed by healthcare entities ranging from small health tech startups to large, established hospital systems, medical device companies, and other traditional healthcare companies. Telehealth systems are already in use for applications as varied as direct-to-consumer urgent care and remote provider-to-provider consultations for treatment of complex conditions such as strokes or rare genetic diseases. With these exciting new developments comes a new set of regulatory challenges and concerns for companies in the space. This alert provides a brief overview of some of the laws and regulations that may apply to health companies engaging in digital health.
Regulation of Medical Devices by the Food and Drug Administration
Digital health apps may be subject to regulation by the Food and Drug Administration (FDA). FDA guidance has stated that the agency intends to regulate health apps that qualify as medical devices and could pose a risk to patient safety if they do not function as intended.
The FDA is actively engaged in developing a modern regulatory regime that regulates digital health technologies without stifling innovation. In July, the FDA rolled out a new Digital Health Innovation plan that aims to efficiently enable the delivery of safe and effective digital health technologies. For more on this topic, please our previous posting, FDA Launches Action Plan for Digital Health Regulation.
State Law and Regulation of Corporate Practice of Medicine and Professional Fee-Splitting
Many states have corporate practice of medicine (CPOM) laws, which prohibit a general business corporation from rendering medical care or employing physicians to do so. State laws may apply to different types of licensed healthcare providers, such as physicians, dentists, and chiropractors. Digital health companies that provide healthcare services must take care to comply with any applicable state CPOM laws.
In addition, some states have “fee-splitting laws” that prohibit licensed healthcare professionals and facilities from sharing fees with unlicensed individuals and entities. The State of New York, for example, has fee-splitting rules that make it unlawful for physicians to share professional fees with many other persons and entities. Digital health companies must ensure that any arrangements involving licensed healthcare professionals comply with applicable fee-splitting laws.
State Medical Licensing Requirements and Telehealth
Digital health companies that provide telemedicine or telehealth services face an array of licensure requirements that differ from state to state. Most states require that a healthcare professional, such as a physician, who renders care to a patient residing in a particular state be licensed in that state. As such, digital health companies serving patients in multiple states must have a process in place to ensure that affiliated healthcare professionals are appropriately licensed in all applicable states. Many states also have laws specific to telemedicine and internet prescribing. California law, for example, prohibits providers from prescribing certain drugs through the internet without first conducting an appropriate medical examination of the patient.
Healthcare Fraud and Abuse Laws
Federal healthcare fraud and abuse laws that could impact digital health companies include the Anti-Kickback Statute (AKS) and the Stark Law. The AKS prohibits knowingly offering, paying, soliciting, or receiving any remuneration to induce referrals of items or services reimbursable by a federal healthcare program. The Stark Law makes it unlawful for physicians to refer Medicare patients for designated health services to an entity with which the physician has a financial relationship and prohibits the submission of a claim for reimbursement for services rendered pursuant to an unlawful referral. Digital health companies should take care to ensure that business arrangements comply with these complex laws and their associated regulations. In addition, many states have comparable healthcare fraud and abuse laws. State laws can be broader and may apply to all payers, not just public healthcare programs like Medicare and Medicaid. For example, digital health services that engage in marketing or lead generation must carefully evaluate their business arrangements to ensure compliance with state and federal healthcare fraud and abuse laws.
Federal, State, and International Health Privacy Laws
The Health Insurance Portability and Accountability Act (HIPAA)
Health apps are surging in popularity as customers seek online tools to help them set health and fitness goals, track progress, and manage long-term health concerns. A digital health company that builds or operates a health app must be aware that apps that create, store, or transmit HIPAA protected health information (PHI) on behalf of a covered entity such as a hospital, clinic, physician practice, or health plan, or a business associate of such businesses, will be subject to HIPAA. As such, they will require a comprehensive HIPAA privacy and security program.
Foreign and State Health Privacy Laws
Many states and foreign jurisdictions have health privacy laws that impose more stringent protections than HIPAA. These states and foreign jurisdictions may, for example, cover broader categories of information or impose stricter requirements such as shorter breach notification timelines. Digital health companies must be aware of the laws in the states and foreign jurisdictions where the company is based and where its customers are located.
Consumer Protection Regulation by the Federal Trade Commission and State Attorneys General
Federal Communications Commission Regulation
The Federal Communications Commission (FCC) regulates communications devices, which may include some digital health technologies. Medical devices that use radio frequency communication may come under FCC jurisdiction. The FCC works with the FDA to promulgate consistent regulations and standards for the use of technologies that may be subject to regulation by both agencies.