Legal health isn’t simple for digital health companies

Source:   —  April 13, 2016, at 11:34 PM

Samuel Waxman is a partner in the Mergers and Acquisitions and Technology Transactions practices in the Paul Hastings NY office.

Behnam Dayanim is a partner in the Paul Hastings Washington, D.C., office, where he chairs the firm’s advertising and promotions practice and co-chairs its privacy and cybersecurity practice.

Brooke Schachner is a law receptionist in the corporate practice of Paul Hastings and is based in the firm’s New York office. She focuses on mergers and acquisitions and common corporate law.

With the recent announcement of the Apple CareKit, an open-source platform to simplify the development of healthcare apps for iOS devices, it appears that the digital health industry is primed to become even stronger in 2016.

Over the past year, digital health companies raised about $4.5 billion in funding. There were 302 financing deals, with an average size of $14.8 million, up slightly from 2014, when there was a substantial surge in these deals.

As the convergence of healthcare and technology continues, technology companies (and investors) are increasingly finding themselves lost in a thicket of unique legal issues, enforced by unfamiliar regulators, including privacy of patient information, consumer protection and fraud and patient safety.

Investors in and buyers of digital health companies should be aware of these concerns, as they can be addressed at the outset of investment and acquisition agreements.

Health technology regulation

The consumer electronics market is lightly regulated in comparison to government efforts to protect users of digital health products. In the United States, companies moving into the digital health sector are faced with an interlocking and sometimes overlapping regime of federal, state and sometimes local regulatory bodies, and should expect to expend significant resources on regulatory compliance.

At the federal level, the Health Insurance Portability and Accountability Act (HIPAA) has both a “Privacy Rule” that governs permissible uses and disclosures of protected health information (PHI), and a “Security Rule” that governs electronic storage and transfer of PHI by certain covered entities, including health plans, healthcare providers and any business associates of these entities.

Under the Security Rule, covered entities and their business associates should assess potential risks and implement security measures to deal with these risks. Ensuring compliance with HIPAA can present both technical and administrative issues, particularly for startups.

Notably, some digital health companies, including some mobile apps, aren't required to comply with HIPAA. Its regulations only apply to those apps that convey PHI (like medical records or appointment dates) to or on behalf of covered entities or their business associates, and generally wouldn't include “health” apps designed for use solely by individuals.

While most technology companies would have no reason to be concerned about the regulatory authority of the U.S. Food and Drug Administration (FDA), which regulates food, drugs and medical devices, the FDA plays a significant role in the healthcare sector. However, the FDA has shown reticence to go beyond suggestions for what they call “low-risk” products that are intended “for only general wellness use,” which includes certain software programs.

As such, the FDA only strictly regulates and requires agency approval for apps that specifically conform to a definition of medical devices that capture “mobile medical apps” that control or transmute a medical device and deal with topics such as diagnosis and treatment recommendations. In particular, the agency is concerned with apps that could pose a risk to patient safety if they didn't function as intended.

For those mobile apps not regulated by the FDA, like those used by consumers to manage their own health, the agency maintains “enforcement discretion.” Recent publicity surrounding a study that found a blood pressure measuring app to be inaccurate and unsafe has prompted calls for the FDA to more closely regulate such apps.

In the event a product or application isn't subject to HIPAA rules or regulated by the FDA, it may still face regulations promulgated by the Federal Trade Commission (FTC). The FTC deals with dishonest or unfair business practices, and has recently taken enforcement action against a medical billing company that collected personal medical information without consent and a medical transcription company that used a third party for services without making sure that third party could implement reasonable security measures.

Moreover, the FTC’s Health Breach Notification Rule, which requires notice to affected individuals, the FTC and, in some cases, the media of unauthorized access, use or disclosure of personal health information, applies to any vendor of “personal health records” or service provider to such a vendor, even if not covered by HIPAA.

In addition to federal regulation and oversight, digital health companies also should worry about state laws governing privacy, consumer protection and the healthcare industry generally. So-called “telehealth” or “teledoc” companies should be aware of state licensure rules. Most states deem physicians to be practicing in the place where the patient resides and accordingly require licensure in that locale. Companies offering patients online or mobile access to licensed healthcare professionals nationwide may implicate licensure requirements in all fifty states.

A related issue is the corporate practice of medicine doctrine that prohibits non-physician-controlled business entities from practicing medicine or employing physicians to do so. Many states have broad regulations that extend this doctrine to different types of healthcare professionals, such as dentists and physical therapists, and digital health companies that seek to provide access to medical or other healthcare services should structure their businesses accordingly.

Many states also prohibit licensed professionals or licensed facilities from sharing their professional fees with unlicensed entities and individuals, also known as “fee-splitting.” Payments should be appropriately structured to comply with state fee-splitting prohibitions.

Finally, forty-seven states and the District of Columbia have breach notification statutes, which require companies to provide notice to individuals and, in many cases, state authorities, credit reporting agencies or the media of instances of unauthorized access, use or disclosure of certain types of personal information. Depending on what a specific health record contains, a breach involving such a record may trigger one of those statutes.

What's an investor or buyer to do?

Investors and buyers in the “healthtech” sector should be conscious of these regulatory pitfalls in connection with financings and acquisitions. Due diligence should identify whether the target company has obtained all required authorizations and approvals to operate its technology. This may require a more detailed and deeper review than is typical for technology investors. It's also necessary to review the company’s policies and procedures on effectiveness to ensure that they comply with norms within the healthcare industry, as well as with government regulations and legal requirements.

Additionally, it would be prudent to review any potential or current litigation and investigations to be aware of red flags, like product-liability concerns or fraudulent business practices. These diligence practices should, in certain circumstances, be extended to third parties with whom the seller or target has contractual relationships.

With respect to contractual protections, recent acquisition agreements between technology companies and healthtech startups have included detailed sections attesting to the legality of the target company’s medical devices and their compliance with laws — specifically FDA regulations, the Federal Food, Drug and Cosmetic Act, HIPAA and any other laws relating to fraud, abuse or kickbacks.

This includes stating that there are no current or threatened enforcement actions by the FDA or any other agency, that no licenses issued by the FDA have been suspended and that any clinical trials are being conducted in accordance with the law. These provisions indicate the importance of assuring that any acquisition of healthcare technology should take into consideration the target’s commitment to user privacy, consumer protection and patient safety.

Future developments

As development in the healthtech sector expands, there will be more legal issues presented for tech companies. In early February, the Senate Committee on Health, Education, Labor and Pensions approved a bill titled the “Improving Health Information Technology Act” for a future vote in the Senate.

If passed, this bill would encourage certification of health IT products, set up a transparent product rating system and seek to expand technology that would make it easier for patients to securely access their own health information.

At the same time, a recent controversy over the accuracy of the technology used by blood-testing startup Theranos has caused some unease over regulation and funding in the digital health industry.

In the future, healthtech companies could face increased scrutiny from the government, potential investors and consumers.

Featured Image: Lightspring/Shutterstock
