Effective June 11, 2018, all Department of Veterans Affairs (“VA”) health care providers will be able to offer the same level of care to all beneficiaries regardless of the beneficiary’s or the health care provider’s location. In its recently released final rule, the VA stated that in December 2016 Congress mandated that the agency provide veterans with a self-scheduling, online appointment system, and that the agency meet the demands for the provision of health care services to veterans, regardless of whether such care was provided in-person or using telehealth technologies. As a general rule, most telehealth practitioners are required to comply with various state-specific licensing, registration, and certification requirements in order to render health care services via telehealth. Failure to do so can potentially jeopardize a practitioner’s professional credentials and could expose them to penalties including fines and imprisonment for the unauthorized practice of medicine or other health care services. These state-specific requirements create certain challenges for telehealth practitioners seeking to practice across state lines.

Therefore, in order to address the mandate issued by Congress, the VA developed and published the final rule to supersede these state-to-state regulations by clarifying that VA health care providers may exercise their authority to provide health care services via telehealth, notwithstanding any state laws regarding licensure, registration, or certification requirements that might be conflicting with taking these actions. Essentially, the VA is exercising its authority as a federal agency to preempt conflicting state laws relating to the practice of medicine or other health care services via telehealth. These efforts by the VA are designed to better protect its health care providers from potential enforcement actions by individual states and/or their respective professional boards, provided that these practitioners are providing telehealth services within the scope of their VA employment.

It must be noted that the final rule’s scope is narrow and only applies to health care providers who are employed by the VA. The final rule does not cover contractors, including health care providers who are participating in the Choice Program. The final rule also does not expand the scope of practice for VA health care providers beyond what is required or authorized by federal laws and regulations or the laws and regulations relating to the practice of medicine or other health care services that are dictated by the state(s) in which the health care provider is licensed to practice. Additionally, the final rule does not affect the VA’s existing requirement that all VA health care providers must adhere to all applicable laws and regulations regarding prescribing and administering of controlled substances, which not only obligates a provider to comply with such laws in the state(s) where he/she is licensed to practice, but also with the federal Controlled Substances Act.

Among the public comments submitted in response to the VA’s proposed rule, published October 2, 2017, the Federal Trade Commission, an agency that has been a big proponent of efforts to expand access to telehealth services, applauded the amendments to the VA’s regulations, stating that it will “provide an important example to non-VA health care providers, state legislatures, employers, patients, and others of telehealth’s potential benefits and may spur innovation among other health care providers and, thereby, promote competition and improve access to care.”

Telehealth providers and stakeholders should closely follow the VA’s progress as the agency works to implement the final rule. Any resulting successes, as well as any failures, may meaningfully impact the continued expansion and adoption of telehealth technologies and services among the private and commercial sectors, as well as potentially influence continued state legislative efforts in this developing area.

At the International Association of Privacy Professionals (“IAPP”) Global Privacy Summit in Washington, D.C. on March 5th and March 6th, the Federal Trade Commission (“FTC”) was clear in its message that privacy was a top priority for the agency.  The FTC had a strong presence at the conference.  Three of the five Commissioners and the Director of the Bureau of Consumer Protection (Jessica Rich) all spoke at the conference and relayed a message of the importance of consumer privacy and security.  In that regard, the FTC speakers stressed the importance of:

  • informing consumers of the collection of consumer information;
  • informing consumers how such collected information will be used; and
  • providing strong safeguards for information collected.

The FTC speakers also announced that the FTC will be beginning a new security campaign to engage businesses of all sizes in understanding the importance of securing consumer information.  The FTC speakers also emphasized the FTC’s concern and focus on the collection of health information by organizations that are not covered under HIPAA (for example, organizations developing wearable devices or other consumer-driven apps).  Given the tenor of the discussions, there is no question that the FTC will continue to make privacy enforcement a top priority.  As a result, device manufacturers, pharmaceutical manufacturers, and mobile health developers should remember to think beyond HIPAA when they think of U.S. privacy compliance.  For a listing of prior privacy enforcement actions by the FTC, see https://www.ftc.gov/news-events/media-resources/protecting-consumer-privacy/enforcing-privacy-promises.

As a lawyer practicing in the telemedicine space, I am rarely surprised these days.  But every once in a while I will read or hear something that stops me in my tracks. That is exactly what happened when I read a blog post by an FTC Commissioner which, among other things, calls for government policies that help facilitate greater adoption of telemedicine.  The post was part of a broader piece about the FTC’s role in promoting competition and innovation in health care.

By way of quick background, the Federal Trade Commission is the federal agency charged with protecting consumers and promoting competition, which includes challenging anticompetitive business practices.  The agency has been active in the health care sector, challenging several hospital and physician practice mergers. In an effort to highlight some of the FTC’s non-enforcement efforts, one of the agency’s five commissioners, Maureen Ohlhausen, wrote a blog post touting the agency’s advocacy efforts in the health care arena, and specifically highlighted how the FTC’s competition policy could help facilitate greater proliferation of telemedicine.

Among the highlights in the post related to telemedicine:

  • Telemedicine can reduce costs and increase access to care, but such advantages often run afoul of state professional licensing schemes that were developed to regulate local medical practices.
  • The variation in state licensure and other requirements continues despite “the fact that the core entry requirements for physicians are essentially uniform across the U.S.”
  • Legacy statutes and regulations are barriers “to the efficient flow of health care information and expertise and, indeed, specialized labor — barriers that can be costly to public and private payers and, in the end, individual patients,” without necessarily offering better consumer protection benefits.
  • Lawyers and policymakers need to creatively address ways to lower barriers without sacrificing the good in state regulations.
  • It is critical that policymakers “approach new technologies with a dose of regulatory humility” and should educate themselves about technological innovation, and:
    • Understand its effects on consumers and the marketplace;
    • Identify benefits and likely harms, and;
    • If harms do exist, consider whether existing laws and regulations sufficiently address the issues before assuming that new laws would be required.

Ms. Ohlhausen goes on to call for the FTC to use its policy research and development tools to better understand innovative technology, new business models facilitated by the new technology, and the likely risks and benefits for consumers.  More significantly, Ms. Ohlhausen also challenges the agency to educate itself “about undue impediments to innovation and competition” while also using its authority to enforce against harm to consumers from the use of new health information technology vehicles.

I can only applaud Ms. Ohlhausen’s approach.  It is encouraging to see a policymaker acknowledge the role regulations may play in stifling innovation and call for government agencies to find creative ways to lower barriers while balancing consumer protection.  I only hope other regulators follow Ms. Ohlhausen’s lead.

 

In the healthcare industry we often associate information privacy and security enforcement with HIPAA and state privacy laws.  However, a lesser known but in some cases just as significant regulator of information privacy is the Federal Trade Commission (“FTC”). This is especially true with regard to mobile health applications, which depending on how they function and collect personal information, may not be regulated by HIPAA.  Regardless of whether or not you have to comply with HIPAA, if you run applications or software that can access personal information, then the FTC’s privacy requirements should also be on your radar.

The means by which the FTC regulates privacy is the FTC Act, a consumer protection law that gives the FTC authority to go after “unfair or deceptive acts or practices” in or affecting commerce.  An unfair practice is a practice that is likely to cause “substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”

The FTC is becoming more aggressive in its application of the FTC Act against mobile and information technology companies, wringing settlements from companies such as Google and Facebook, but also filing enforcement actions against smaller entities for data breaches and inappropriate privacy practices. In February 2013, for example, the FTC announced a settlement with Path, Inc. (“Path”), a social networking application available as an app. Path gave its users three options to search for additional friends to invite to join Path.  One of these options was to allow Path to browse through the user’s mobile device contacts; the others were to search Facebook, or to allow the user to send SMS messages to friends. No matter which option the user selected, Path searched through the user’s mobile contacts and stored the information, which included names, addresses, birthdays, etc., on Path’s servers.  By contrast, Path’s privacy policy stated that Path only collected its users’ IP addresses and assured users that Path protected their privacy. The FTC alleged that this discrepancy constituted an unfair and deceptive trade practice because Path’s users were not presented with any meaningful choice regarding how much information was collected and were deceived by the company’s practices, which contradicted its privacy statement.

Also in February 2013, the FTC reached a settlement with HTC America, Inc. (“HTC”), a manufacturer of mobile phones.  The FTC alleged that HTC engaged in unfair security practices when the modification it made to the operating systems of its devices created security vulnerabilities. Specifically, HTC’s modifications allowed certain applications already on a user’s device to download other applications without the user’s consent. HTC also failed to deactivate the “debug” code on its devices, which meant that HTC devices could record and make logs of each user’s internet activity and make those logs available to HTC, or to any application on the user’s device with permission to read the logs.  Again, the FTC charged HTC with misleading representations because HTC’s user manuals and mobile device interfaces suggested that consumer data would not be disclosed to third parties without consumer permission.

Some insights on the FTC’s approach to privacy can be distilled from these two enforcement actions.  First, the FTC expects companies to provide users with meaningful choices in the amount of sensitive information that is shared with the company. Default settings should maximize privacy protections.  Second, the FTC appears to be taking the position that the FTC Act allows it to determine appropriate security standards for mobile devices, and that it expects companies to provide users with technically secure products.  Applications or devices that are unreasonably susceptible to unauthorized third-party manipulation could be considered unfair trade practices. Finally, and perhaps, most importantly, the FTC may consider a company’s failure to comply with its stated privacy policies as misrepresentation and a deceptive trade practice.

If you are an mhealth company with access to personal information, at a minimum you should have privacy and security policies in place and be taking steps to ensure that you are not engaging in activities that violate your own policies.

While tech companies looking to provide health solutions must figure out early on whether they are HIPAA-regulated, HIPAA is not the be-all and end-all of privacy law. Even entities not regulated under HIPAA must abide by other privacy rules, including a wide array of state privacy laws. On December 6, 2012, in the state’s first legal action under its online privacy law, California Attorney General Kamala Harris filed a lawsuit against a major airline for not including a privacy policy in its smartphone app. The complaint alleges violation of California’s Online Privacy Protection Act, which requires certain operators of commercial websites and online services that collect personally identifiable information to conspicuously post privacy policies. Such laws that cover personally identifiable information in general have a much broader focus than HIPAA, which only targets covered entities and business associates exchanging medical information. Even companies not regulated under HIPAA must therefore take such state laws into consideration, and given the potentially severe penalties, noncompliance could be devastating—for example, California seeks penalties of $2,500 per violation, which the complaint defines as each copy of the app downloaded by California consumers. Moreover, simply having a privacy policy will not be enough. While the lawsuit targets the airline for not posting a privacy policy, state legislation and enforcement will be augmenting their focus on the content of such policies to ensure the adequate protection of consumer information.

Additionally, companies need to be mindful of federal privacy laws. For example, the Federal Trade Commission has become increasingly concerned with the failure of children’s-app developers to explain to parents the kinds of personal information the apps collect from children. The problem is widespread, as the FTC reviewed 400 popular children’s apps and found that only 20 percent disclosed their data collection practices. This nondisclosure could violate the Children’s Online Privacy Protection Act, a federal law that requires web site operators to get parents’ consent before collecting or sharing certain information obtained from children under 13. The FTC is in the process of tightening these protections, but not without pushback from major tech companies, who claim that the FTC’s proposals could inhibit the development of apps and other services for children. However, children’s-app developers are not the only entities that should be mindful of these developments. The FTC is investigating a wide array of app and internet activity, including activities that more directly intersect with healthcare such as peer-to-peer file sharing and certain online advertising practices.

Figuring out whether your telehealth company is regulated under HIPAA is certainly of the utmost importance. But even if your telehealth company is not HIPAA-regulated, you are not out of the woods yet. As we venture further into the age of mobile computing, and the associated privacy concerns become more publicized, states and federal agencies will be increasingly vigorous in going after telehealth companies that collect personal information.