As the frequency of cyberattacks against healthcare entities increases, multiple government regulatory and enforcement agencies are actively coordinating their privacy protection and data security guidance for health technology vendors and Health Insurance Portability and Accountability Act (HIPAA) covered entities. Most recently, the Federal Trade Commission (FTC) released a web-based tool targeting mobile app developers. According to its April 5, 2016 announcement, the FTC developed the tool in collaboration with the Department of Health and Human Services' Office of National Coordinator (ONC), Office of Civil Rights (OCR) and Food and Drug Administration (FDA).
The apparent aim of the tool is to make it easier for mobile app developers to understand when they are a HIPAA business associate, when their app or companion devices exceed the FDA's threshold for exercising enforcement discretion for mobile medical apps, and how the FTC will regulate mobile health apps when HIPAA or FDA regulations do not apply. The tool is structured as a series of survey questions that can be answered either "yes" or "no," yielding answers supported by brief legal explanations of why FTC, OCR and/or FDA jurisdiction is implicated.
As an example, a mobile app collecting individually identifiable health information is subject to HIPAA if it is intended for a wellness program offered by an employer-sponsored health plan, but likely subject to FTC jurisdiction if the app is offered through a wellness program offered directly by an employer. Beyond privacy protections and data security, the tool also encodes the legal reasoning supporting FTC regulatory authority concerning breach notification even when HIPAA rules do not apply.
It also exposes the commonality of other basic legal parameters regardless of regulatory jurisdiction, such as the obligation not to make unsubstantiated claims in advertising an app. By easily allowing developers to adjust their answers and see the resulting explanations, the tool provides much-needed clarity for health technology innovators, and should advance efforts to demystify the interplay of HIPAA, FDA and FTC regulatory frameworks.
While the FTC's tool is not on its face addressing the rising threat of ransomware and other types of cyberattacks directed at healthcare organizations, it reflects regulators' recognition of the need to reconcile two significant aims: on the one hand, making sensitive personal data more accessible over mobile and other wireless devices, and on the other hand, reducing the industry's data vulnerabilities as cyberthreats become more prevalent and sophisticated. One could argue that the regulators are rejecting commonly heard tropes such as "consumers are willing to trade off privacy for more convenience" in favor of raising cyberprotection as a core professional competency across the technology industry. Raising that competency begins with education.
The mHealth Developer Portal—and OCR's Response
Another example of regulators' recent efforts to educate mobile app developers is OCR's release in October 2015 of an mHealth Developer Portal, a community-based portal where developers can post their HIPAA-related questions. The portal itself is innovative (for a government agency) in that it provides an informal online community that enables users to read and "like" questions posted by others. In February 2016, OCR posted its first guidance responding to these questions, by means of a composite set of Health App Use Scenarios based on some of the questions it received. The scenarios clarify situations in which an app developer is a HIPAA business associate, and are likely to be followed by further guidance on other areas of interest to the mHealth app community. To illustrate, here is one of the published scenarios:
Consumer downloads a health app to her smartphone that is designed to help her manage a chronic condition. Healthcare provider and app developer have entered into an interoperability arrangement at the consumer's request that facilitates secure exchange of consumer information between the provider's electronic health record (EHR) and the app. The consumer populates information on the app and directs the app to transmit the information to the provider's EHR. The consumer is able to access test results from the provider through the app.
Developer is not a business associate (BA) because it is not creating, receiving, maintaining or transmitting PHI for a covered entity or other business associate. The interoperability arrangement alone does not create a BA relationship because the arrangement exists to facilitate access initiated by the consumer. The app developer is providing a service to the consumer, at the consumer's request and on her behalf. The app developer is transmitting data on behalf of the consumer to and from the provider; this activity does not create a BA relationship with the covered entity.
Contrast the reasoning above to a slightly adjusted fact pattern illustrated in OCR's guidance:
At direction of her provider, patient downloads a health app to her smart phone. Provider has contracted with app developer for patient management services, including remote patient health counseling, monitoring of patient's food and exercise, patient messaging, EHR integration and application interfaces. Information the patient inputs is automatically incorporated into provider EHR.
Developer is a business associate of the provider, because it is creating, receiving, maintaining and transmitting PHI on behalf of the covered entity. In this case, the provider contracts with the app developer for patient management services that involve creating, receiving, maintaining and transmitting protected health information (PHI), and the app is a means of providing those services.
Crosswalk Between HIPAA and NIST Standards
Another way that regulatory agencies are raising cyberdefense as a professional competency in the health technology community is through the release in February 2016 of a crosswalk between HIPAA and NIST standards. The document identifies specific technical standards developed by independent standards-making bodies such as IEEE, ISO/IEC and COBIT that concern protection, security and integrity of data.
OCR developed the crosswalk in collaboration with the ONC and the National Institute of Standards and Technology (NIST) to demonstrate the technical standards implicated by each facet of the HIPAA Security Rule. It follows the "Cybersecurity Framework for Improving Critical Infrastructure" released two years earlier by NIST as part of wider governmental efforts to strengthen cyberdefenses of government, defense and critical infrastructure networks. In similar fashion, the FDA issued guidance in January 2016 on postmarket management of cybersecurity in medical devices that aligns with the NIST cybersecurity framework.
Following the crosswalk and the technical standards it identifies could enhance the overall standard of products and services developed by health technology innovators. Developers and covered entities should expect to see more crosswalking of these competencies in job descriptions, professional development activities and performance expectations of tech developers. In all likelihood, there will be more attention placed on concepts of "privacy by design" in health tech applications to ensure they reflect best practices across the public and private sectors.
To an increasing degree, consultants are likely to cross-reference these independent technical standards when conducting health security risk assessments. One caution, however, for developers, customers and investors: because many of the technical standards carry certification requirements and copyright restrictions, adhering to them could increase R&D costs.
Determining Industry Best Practices
While the efforts described above aim to disseminate information to the health tech community, regulators are also engaging the industry more proactively to determine best practices in cybersecurity and privacy. For example, in connection with OCR's recent launch of phase 2 of its HIPAA Audit Program, OCR declared: "Through the information gleaned from the audits, OCR will develop tools and guidance to assist the industry in compliance self-evaluation and in preventing breaches," adding that it would "evaluate the results and procedures used in our phase 2 audits to develop our permanent audit program." Manatt is actively counseling and educating clients about OCR's phase 2 audit program as well.
Furthermore, in March 2016, the U.S. Department of Health and Human Services announced the launch of a Healthcare Industry Cybersecurity Task Force, whose members include chief information security and privacy officers of leading health systems, commercial health plans, medical schools, medical device makers, clinical laboratories and tech security companies, as well as representatives from HHS, the U.S. Departments of Defense and Homeland Security, and NIST. Formed as required by the budget reconciliation legislation signed into law in December 2015, the task force is charged with developing policy recommendations to address cybersecurity in healthcare while enabling patients and providers to easily and securely access electronic health information, including by mobile and other wireless devices.
As a whole, these regulatory activities acknowledge that privacy protection and data security cannot be eroded for the sole purpose of making data more convenient or accessible to consumers. Regulators are providing constructive guidance and have positioned themselves to learn more about industry practices, which could lead to more relevant, timely and appropriate regulation and enforcement in the future.