Legal health isn’t easy for digital health companies

With the recent announcement of the Apple CareKit, an open-source platform to simplify the development of healthcare apps for iOS devices, it appears that the digital health industry is primed to become even more robust in 2016.

Over the past year, digital health companies raised about $4.5 billion in funding. There were 302 financing deals, with an average size of $14.8 million — up slightly from 2014, when there was a substantial surge in these deals.

As the convergence of healthcare and technology continues, technology companies (and investors) are increasingly finding themselves lost in a thicket of legal issues unique to the sector (privacy of patient information, consumer protection, fraud and patient safety), enforced by regulators unfamiliar to them.

Investors in and buyers of digital health companies should be aware of these concerns, as they can be addressed at the outset of investment and acquisition agreements.

Health technology regulation

The consumer electronics market is lightly regulated in comparison to government efforts to protect users of digital health products. In the United States, companies moving into the digital health sector are faced with an interlocking and sometimes overlapping regime of federal, state and sometimes local regulatory bodies, and should expect to expend significant resources on regulatory compliance.

At the federal level, the Health Insurance Portability and Accountability Act (HIPAA) has both a “Privacy Rule” that governs permissible uses and disclosures of protected health information (PHI), and a “Security Rule” that governs electronic storage and transfer of PHI by certain covered entities, including health plans, healthcare providers and any business associates of these entities.

Under the Security Rule, covered entities and their business associates must evaluate potential risks and implement security measures to deal with these risks. Ensuring compliance with HIPAA can present both technical and administrative issues, especially for startups.

Notably, some digital health companies — including some mobile apps — are not required to comply with HIPAA. Its regulations only apply to those apps that transmit PHI (like medical records or appointment dates) to or on behalf of covered entities or their business associates, and generally would not include “health” apps designed for use solely by individuals.

While most technology companies would have no reason to be concerned about the regulatory authority of the U.S. Food and Drug Administration (FDA), which regulates food, drugs and medical devices, the FDA plays a significant role in the healthcare sector. However, the FDA has shown reluctance to go beyond guidance for what it calls “low-risk” products that are intended “for only general wellness use,” a category that includes certain software programs.

As such, the FDA strictly regulates, and requires agency approval for, only those apps that meet the definition of a medical device: “mobile medical apps” that control or transform a medical device, or that address topics such as diagnosis and treatment recommendations. In particular, the agency is concerned with apps that could pose a risk to patient safety if they did not function as intended.

For those mobile apps not regulated by the FDA, like those used by consumers to manage their own health, the agency maintains “enforcement discretion.” Recent publicity surrounding a study that found a blood pressure measuring app to be inaccurate and unsafe has prompted calls for the FDA to more closely regulate such apps.

In the event a product or application is not subject to HIPAA rules or regulated by the FDA, it may still face regulations promulgated by the Federal Trade Commission (FTC). The FTC deals with deceptive or unfair business practices, and has recently brought enforcement actions against a medical billing company that collected personal medical information without consent and against a medical transcription company that used a third party for services without making sure that third party could implement reasonable security measures.

Moreover, the FTC’s Health Breach Notification Rule — which requires notice to affected individuals, the FTC and, in some cases, the media of unauthorized access, use or disclosure of personal health information — applies to any vendor of “personal health records” or service provider to such a vendor, even if not covered by HIPAA.

In addition to federal regulation and oversight, digital health companies also must worry about state laws governing privacy, consumer protection and the healthcare industry generally. So-called “telehealth” or “teledoc” companies should be aware of state licensure rules. Most states deem physicians to be practicing in the place where the patient resides and accordingly require licensure in that locale. Companies offering patients online or mobile access to licensed healthcare professionals nationwide may implicate licensure requirements in all 50 states.

A related issue is the corporate practice of medicine doctrine that prohibits non-physician-controlled business entities from practicing medicine or employing physicians to do so. Many states have broad regulations that extend this doctrine to different types of healthcare professionals, such as dentists and physical therapists, and digital health companies that seek to provide access to medical or other healthcare services must structure their businesses accordingly.

Many states also prohibit licensed professionals or licensed facilities from sharing their professional fees with unlicensed entities and individuals, also known as “fee-splitting.” Payments must be appropriately structured to comply with state fee-splitting prohibitions.

Finally, 47 states and the District of Columbia maintain breach notification statutes, which require companies to provide notice to individuals and, in many cases, state authorities, credit reporting agencies or the media of instances of unauthorized access, use or disclosure of certain types of personal information. Depending on what a particular health record contains, a breach involving such a record may trigger one of those statutes.

What is an investor or buyer to do?

Investors and buyers in the “healthtech” sector should be conscious of these regulatory pitfalls in connection with financings and acquisitions. Due diligence should identify whether the target company has obtained all necessary authorizations and approvals to operate its technology. This may require a more detailed and deeper review than is typical for technology investors. It is also important to review the effectiveness of the company’s policies and procedures to ensure that they comply with norms within the healthcare industry, as well as with government regulations and legal requirements.

Additionally, it would be prudent to review any potential or current litigation and investigations to be aware of red flags, like product-liability concerns or fraudulent business practices. These diligence practices should, in certain circumstances, be extended to third parties with whom the seller or target has contractual relationships.

With respect to contractual protections, recent acquisition agreements between technology companies and healthtech startups have included detailed sections attesting to the legality of the target company’s medical devices and their compliance with laws — specifically FDA regulations, the Federal Food, Drug and Cosmetic Act, HIPAA and any other laws relating to fraud, abuse or kickbacks.

This includes stating that there are no current or threatened enforcement actions by the FDA or any other agency, that no licenses issued by the FDA have been suspended and that any clinical trials are being conducted in accordance with the law. These provisions indicate the importance of assuring that any acquisition of healthcare technology should take into consideration the target’s commitment to user privacy, consumer protection and patient safety.

Future developments

As development in the healthtech sector expands, there will be more legal issues presented for tech companies. In early February, the Senate Committee on Health, Education, Labor and Pensions approved a bill titled the “Improving Health Information Technology Act” for a future vote in the Senate.

If passed, this bill would encourage certification of health IT products, establish a transparent product rating system and seek to develop technology that would make it easier for patients to securely access their own health information.

At the same time, a recent controversy over the accuracy of the technology used by blood-testing startup Theranos has caused some unease over regulation and funding in the digital health industry.

In the future, healthtech companies could face increased scrutiny from the government, potential investors and consumers.