Gone are the days when a doctor would examine your eyes using a flashlight and a squinted stare. Today, she will hold up her smartphone and will assess the health of your eyes, take pictures and store images in your electronic health records – all with the touch of a button. Welcome to the world of mobile health or ‘mhealth’.
mhealth is challenging the effectiveness of health and privacy regulation in Canada. While regulators have taken certain steps to address mhealth, the extent of technological change raises further questions about the suitability of existing regulation in protecting the public. Further, from the perspective of industry, it has become more difficult for manufacturers and app developers to determine the legislation with which they must comply and the regulators under whose jurisdiction they fall.
Rapid technological development
The delivery of healthcare is changing. Mobile technology is now ubiquitous among health care consumers and professionals and is widely viewed as one of the solutions to delivering healthcare more effectively and cost-efficiently.1 Industry research shows that by 2017 3.4 billion people – including health care professionals, consumers and patients – will be using a smartphone, half of whom will be using an mhealth app.2 These apps can already do everything from monitoring diabetes, blood pressure and Parkinson’s disease to diagnosing glaucoma.3 But it won’t stop there. Google is already aiming to diagnose cancers, impending heart attacks and other diseases, at a much earlier stage than is currently possible, through a wristband that conducts non-invasive blood tests using nanotechnology.4
With this shift in the delivery of healthcare comes the emergence of a significant market. A 2012 report by GSMA and PwC projects that the global mhealth market will reach USD $23 billion in 2017 – $6.5 billion in North America.5 More recently, a Silicon Valley venture capital firm estimated that – in the first half of 2014 alone – venture funding for digital health companies hit $2.3 billion.6 The Deloitte Center for Health Solutions provides similar projections.7
In short, mhealth will be integral to the future of healthcare delivery.8
Regulators fail to keep up
This rapid technological development has raised new questions for regulators, in particular for health and privacy regulators.
Health Canada has issued two guidance documents regarding medical software.9 These documents provide clear guidance on a number of issues, such as remote monitoring, imaging, viewing and clinical decision support, and address issues not covered by the U.S. Food and Drug Administration’s guide to mobile health applications.10 However, there are questions that remain unanswered. For example, Health Canada regulates medical devices that are ‘imported for sale’ or ‘sold’ in Canada. But does the app qualify as a diagnostic device? What if the app can be downloaded for free? Or, what if the software is hosted by a server in another country?
The practical effect of these loopholes is that certain apps could be used in Canada free from regulatory oversight, including licensing requirements, premarket approval, mandatory problem reporting and recalls. From a regulatory perspective, this is clearly a problem and has led Health Canada to join regulators from a number of countries, the European Union and the World Health Organization in the search for a coordinated approach to regulating mhealth technology.11 However, there have yet to be any amendments to the Medical Device Regulations or further notices from Health Canada.
The digital aspect to mhealth means that privacy regulation must also keep up with this rapid change. While electronic data certainly improves efficiency, it raises questions about how electronic personal health information (PHI) is collected, stored and used, as well as who is responsible in the event that PHI is lost, stolen or disclosed without consent.
There are legitimate concerns about the security of PHI data when using mhealth technologies, as it can be accidentally exposed or easily leaked to unauthorised parties. According to a 2013 Financial Times investigation, 9 of the top 20 mhealth apps have been found to transmit data to companies tracking details about people’s mobile phone use.12 The more PHI is shared, the greater the risk of accidental or deliberate misuse. On a more sinister note, New Scientist recently published an article titled ‘Hacked to death’, which revealed that the US Department of Homeland Security is investigating more than 20 medical devices for security flaws that could be exploited to cause harm – for example, hacking a pacemaker to induce a heart attack.13
In Ontario, the regulation of PHI is governed by the Personal Health Information Protection Act (PHIPA).14 PHIPA prescribes who can collect, use and disclose PHI, and their respective obligations.15 The Act defines ‘health information custodian’ to include doctors, hospitals and anyone who collects and uses PHI in connection with their powers or duties. The regulation under PHIPA also specifically addresses the obligations of information technology service providers used by custodians to collect, use, disclose and store PHI electronically.16
However, despite the comprehensiveness of PHIPA, the nature of mhealth technology raises questions about the Act’s suitability in regulating mhealth apps and devices. This is because suppliers of mhealth apps, primarily software developers, do not fit comfortably within PHIPA’s definition of ‘health information custodian’ (the persons permitted to collect PHI), their agents, or those that ‘provide services’ to custodians – usually, IT companies.
A good example is a developer of a smartphone app that, together with a wristband, monitors a person’s heart rate. In this case, the app is clearly collecting PHI as defined by PHIPA.17 However, an app developer does not fall within the specific definition of a ‘health information custodian’.18 Similarly, it does not fit comfortably under the definition of an ‘agent’ of a custodian because the app is not really ‘authorized’ by a custodian – i.e. the doctor or hospital – but by the individual who has downloaded the app. Finally, the app developer is not a service or network provider to a custodian because, again, it is providing a service to the patient, not the custodian. It’s possible that the broad definition of ‘persons who provide to custodians’ might include an app developer, but that conclusion is far from straightforward.19
Consideration should also be given to the federal Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA generally applies to information collected ‘in the course of commercial activities’, but does not apply to companies that collect, use or disclose personal information entirely within provinces that have their own privacy laws that have been declared substantially similar to PIPEDA.20 Ontario’s PHIPA has been deemed substantially similar to PIPEDA, but only with respect to ‘health information custodians’.21 PIPEDA continues to apply in all interprovincial and international transactions by companies subject to the act in the course of their commercial activities.22
Returning to the example of the smartphone heart rate monitor, on a plain reading of both statutes, it is possible that PHIPA and PIPEDA could both apply. To the extent that the app developer can be a person ‘who supplies services for the purpose of enabling’ an Ontario doctor or hospital to collect and use PHI, PHIPA may apply. At the same time, if the app was purchased from a company outside of Ontario and is hosted by a server outside of Ontario, PIPEDA might also apply as the commercial activity (buying the app) would be an international or interprovincial transaction. Do both acts apply? If so, the app developer would be answerable to both the provincial and federal privacy regulator.
Business and regulatory uncertainty
The current regulatory environment creates uncertainty for app developers and manufacturers entering and operating in the mhealth market.
It is unclear what regulations apply when a company enters the market. The cost of entry will be much lower if it does not have to comply with certain statutes. For example, in the case of medical device regulations, obtaining a licence from Health Canada constitutes a significant up-front cost.23 However, if the app is later determined to be a medical device, the company may be exposed to significant penal and civil liability. The company may be the target of civil or class action lawsuits. Health Canada may also impose a number of penalties, including a complete ban on the sale of the app in Canada. In that case, it would have been much better to incur the up-front costs of obtaining a licence.
App developers and manufacturers may face similar uncertainty in determining applicable privacy legislation. A developer might be subject to PHIPA or PIPEDA, or both. These statutes impose different obligations on the collection, use and sharing of personal information, and the uncertainty about which statute applies makes it more complicated for companies to implement appropriate privacy and data security policies. To provide an example, PHIPA includes an express notice requirement in the event of unauthorized use or disclosure of PHI; PIPEDA currently does not.24 If a company does not have to disclose that it has lost or misused information, it may not want to. If there is a statutory obligation to disclose data breaches, the company will want to make sure it complies fully, in order to reduce its exposure to potential lawsuits.
Finally, companies may find themselves subject to the jurisdiction of both the provincial and federal privacy regulators. If it is unclear which act applies, both regulators may assert jurisdiction and, in the case of alleged breaches of the applicable act, both may conduct investigations and administrative hearings. From a constitutional law perspective, this raises interesting questions about how provincial and federal legislation work together and whether the federal legislation is paramount. From a business perspective, it creates uncertainty for companies about how to run their business and reduce risk, and it increases costs.
What is certain? Over the next few years, regulators will be busy keeping pace with the development of mhealth technology. In addition, they will need to work with the mhealth industry to create a predictable regulatory environment that is not overly burdensome, permits technological creativity and, most importantly, protects the public.