Telemedicine and Mobile Health Innovations Amid Increasing Regulatory Oversight

COMMENTARY Telemedicine and mobile health innovations amid increasing regulatory oversight

By Sharon Klein, Esq., and Jee-Young Kim, Esq. Pepper Hamilton LLP

The growing mobile health market is rapidly UNDERSTANDING TELEMEDICINE transforming health care delivery. More than AND MOBILE HEALTH 80 percent of physicians use mobile technology Telemedicine involves direct patient care to provide patient care, and more than and is a subcategory of telehealth, a broader 25 percent of commercially insured patients use concept that includes telecommunications mobile applications to manage their health.1 technologies, or mobile medical applications, Technological advancements, the expansion to remotely support health care, health- of access to health care under the Patient related education, public health and health Protection and Affordable Care Act, Pub. administration.3 Generally, telemedicine L. No. 111-148, the emphasis on cost- involves: effective quality care and the proliferation • Geographic separation between two or of mobile medical applications have pushed more participants or entities engaged in telemedicine to the new frontier of health care delivery. health care. Over the past 50 years, the scope of • The use of telecommunications tech- telemedicine practices has expanded to nology to gather, store and disseminate meet demands for immediate care in both health-related information. remote and metropolitan regions. Mobile • The use of interactive technologies to health, a form of telemedicine using wireless assess, diagnose and treat medical devices and cell phone technologies, conditions. has also evolved. By the end of this year, Mobile health is a medium through which experts expect 2 billion smartphones, telemedicine is practiced. It allows for tablets and other portable devices globally, increased provider and patient mobility, each of which can potentially provide as well as greater delivery of clinical care individuals access to health care information via consumer-grade hardware, such as The WebMD app is shown here. WESTLAW JOURNAL/Kim Sachs from anywhere at any time.2 smartphones and tablets.4 In light of the seemingly limitless opportunities in telemedicine, health care providers, consumers and entrepreneurs must navigate Mobile health allows for greater provider and patient mobility the many risks that come with reliance on and the delivery of clinical care via consumer-grade hardware, these new technologies and comply with an such as smartphones and tablets. increasing number of regulations.

RECENT TELEMEDICINE AND MOBILE HEALTH TRENDS The resurgence of telemedicine began in 2011, when the U.S. Centers for Medicare & Medicaid Services issued a much-awaited final rule permitting a more flexible process for credentialing and privileging practitioners who provide these services. The trend escalated in 2013, when federal and state legislation and major insurers expanded Sharon R. Klein (L) is the partner-in-charge of Pepper Hamilton LLP’s office in Orange County, the types of reimbursable telemedicine Calif., where she serves as the national chair of the privacy, security and data protection practice. She can be reached at [email protected]. Jee-Young Kim (R) is an associate in the firm’s health care services. In 2014, the trend continues with services practice in the Los Angeles office. She can be reached at [email protected]. the Federation of State Medical Boards’ adoption of a model policy intended to provide guidance to state medical boards

10 | WESTLAW JOURNAL • HEALTH LAW © 2014 Thomson Reuters for regulating the use of telemedicine Providers should be aware of the staff distant-site telemedicine practitioners technologies.5 reimbursement requirements and restric- will join, the level of involvement they may Increasingly, there are more arrangements tions that may affect their billing practices, have in medical staff committees and the for distant-site specialists to provide tele- know which telemedicine services will be procedural rights they will enjoy. ICU (intensive care unit), tele-stroke and reimbursed and only submit compliant Credentialing and privileging other telemedicine services; partnerships claims to avoid liability for fraud and abuse or false claims. Regardless of telemedicine advancements, between insurers and integrated health care health care organizations remain liable delivery systems to provide patients in rural Fraud and abuse for the care provided to their patients. communities access to specialists through Telemedicine services often involve business Under CMS’ final rule, effective July 5, 2011, telemedicine programs; and development arrangements between unrelated health health care organizations may rely on the of mobile technology for patient monitoring, care entities and may include the lease of credentialing and privileging decisions patient engagement and virtual clinical equipment or the use of a product owned of distant-site hospitals or information encounters. in part by physicians. Such business provided by other telemedicine entities Within the mobile health industry, pharmacy arrangements must be structured in a when determining privileges for practitioners management continues to be the most manner that does not implicate federal who provide telemedicine services as long common use of mobile technologies. Growth fraud and abuse laws, including the Anti- as certain conditions are met, including a will most likely continue as data analytics Kickback Statute and the Stark Law. compliant written agreement.10 vendors launch hosting platforms that make it easier for mobile application developers to comply with federal privacy and security Increasingly, there are more arrangements requirements in the health care arena. for distant-site specialists to provide emergency, stroke and other telemedicine services. NAVIGATING LEGAL ISSUES IN TELEMEDICINE AND MOBILE HEALTH As more health care entities use telemedicine, Under the Anti-Kickback Statute, it is a crime To mitigate possible negligent credentialing more consumers rely on these and mobile to knowingly offer, pay, solicit or receive any claims and associated risks, when entering health services, and more entrepreneurs remuneration to induce referrals of items or into written agreements with distant sites, develop telemedicine technologies, oversight services reimbursable by a federal health care health care organizations must know who 6 and scrutiny by state medical boards and program. Arrangements meeting certain will be providing care to patients, confirm federal and state regulatory agencies also requirements that are set forth in regulatory that any written agreement they sign reflects continue to increase. safe harbors do not implicate the statute. current legal requirements and establish specific responsibilities of distant-site Providers, consumers and entrepreneurs The Stark Law prohibits physicians from hospitals and telemedicine entities. They must be mindful of the following legal issues referring Medicare patients for designated must also ensure that written agreements to ensure their telemedicine and mobile health services to an entity with which the 7 include adequate representations, warranties health services are compliant with federal physician has a financial relationship. It and indemnifications regarding the quality of and state requirements, and appropriately includes exceptions that apply to ownership services provided by the distant site and any protect patient safety and privacy. interests and compensation arrangements involving physicians. entity with which it subcontracts. PROVIDER CONSIDERATIONS Advisory opinions issued by the U.S. Distant sites, in turn, must have processes to assess the quality of their practitioners. Reimbursement Department of Health and Human Services’ Office of Inspector General addressing While distant-site, Medicare-participating Reimbursement continues to be a telemedicine-related fraud issues provide hospitals are highly regulated, distant-site significant barrier to telemedicine. Medicare additional guidance for providers and telemedicine entities are not. Therefore, reimbursement for telemedicine services is entrepreneurs when structuring telemedicine relationships with such entities require limited. Generally, it requires face-to-face arrangements.8 greater scrutiny to assure the quality of the contact between a patient and provider, with telemedicine services being provided and the exceptions for certain telemedicine services Medical staff bylaws qualifications of the practitioners providing provided at eligible facilities located in rural, Health care organizations that provide them. non-metropolitan areas with health care telemedicine services must review and revise Peer review professional shortages. their medical staff bylaws and credentialing The expansion and increased reliance Medicaid reimbursement varies from state and privileging policies to make sure on telemedicine means that health care to state, and only about 20 states have they cover telemedicine practitioners and organizations and telemedicine entities enacted statutes that recognize or require practices. These documents must include must develop policies and procedures for commercial insurers to reimburse for certain criteria for granting privileges to distant-site monitoring telemedicine practitioners and telemedicine services. practitioners and a procedure for applying the criteria to those practitioners.9 They should sharing internal review information. While also address what category of the medical

© 2014 Thomson Reuters AUGUST 2014 • VOLUME 22 • ISSUE 3 | 11 information needed to make accurate how and what patient information is being regarding interstate and international credentialing and privileging decisions collected, transmitted, used and stored. communications by airwaves, including should be regularly shared, it must be done When information is shared between wireless technology issues and in a manner that maintains and protects unrelated entities, all disclosures must problems with connectivity, as well as the privacy of peer review and patient comply with federal and state privacy and technical regulations for transmitters information. security laws, including the Health Insurance and other equipment. At a minimum, this shared information Portability and Accountability Act, or HIPAA, • The Federal Trade Commission must include adverse events that result Pub. L. 104-191, and the Health Information establishes regulations regarding from a practitioner’s telemedicine services Technology for Economic and Clinical Health disclosures about the collection and and complaints a health care organization Act, Pub. L. No. 111-5, and guidance by the use of consumer data to avoid false, Federal Trade Commission. misleading and deceptive trade As a result of modifications to federal practices and provides a privacy-by- Reimbursement continues design framework for protecting mobile to be a significant barrier privacy and security laws in 2013, all subcontractors having access to protected privacy. The FTC is currently examining to telemedicine. health information (no matter how far down health care competition, including the chain) must now comply with the full regulatory barriers that may prevent spectrum of requirements applicable to telemedicine across state lines. 11 receives about a practitioner. Health business associates.12 • The Office of National Coordinator care organizations should determine what With the development of mobile applications, for Health Information Technology, or additional information, if any, to collect, how ONC, establishes regulations to adopt to use and act on this information and what the Federal Trade Commission and U.S. Department of Health and Human Services standards and certification criteria for information to share so that all peer-review health information technology. privileges under state law are preserved. are recognizing that health data is moving beyond the traditional medical-provider Inter-agency collaboration Compliance with state requirements context and falling outside the scope of Given the potentials for overlap, in 2012, Most states continue to require physicians federal and state privacy laws as more through the FDA Safety and Innovation engaging in telemedicine to be licensed in consumers are managing and controlling Act, Congress required the Food and the state where the patient is located, with their own health data. limited exceptions for consultations. For HHS has announced that its Office of Providers should be aware telemedicine and mobile health services, Inspector General intends to review the health care organizations and providers need security of portable devices used in hospitals of the reimbursement expert legal guidance to navigate individual that access protected health information requirements and state requirements, including licensure, as part of its HIPAA compliance audits.13 restrictions that may affect consent and patient notice and practice of Emphasis is being placed on transparency their billing practices. medicine issues, and the possible exceptions and clear notice to consumers about how to such requirements. their health data is being collected, stored, and shared when provided through mobile Drug Administration to consult with the CONSUMER AND PATIENT applications.14 FCC and ONC to develop a report with CONSIDERATION recommendations for a risk-based regulatory Patient privacy TECHNOLOGY AND VENDOR framework pertaining to health IT that avoids Entrepreneurs are continuing to develop CONSIDERATIONS regulatory duplication. mobile medical applications for virtual Regulatory overlap On April 3, 2014, HHS released the draft 15 physician-patient and clinical interactions Developers and manufacturers of mobile report prepared by the FDA, FCC and ONC, across the continuum of care. These include health applications and devices that support which identified three categories of health payment portals and applications dedicated telemedicine services must comply with IT, based on function and level of risk to to medication management, fitness and multiple, and often conflicting, privacy and patient safety, rather than the platform on consumer health. security regulations promulgated by various which it operates: Prior to relying on any telemedicine federal agencies: • Administrative health IT functions, such technology to collect and transfer patients’ • The Food and Drug Administration as billing and scheduling. protected health information, health care establishes regulations regarding the • Health management health IT functions, entities should ensure that they have secure hardware and software, including the such as health information and data communication channels; implement safety and effectiveness, of telemedicine exchange, electronic access to clinical entity- and technology-specific business devices and mobile medical results, and medication management. associate and other confidentiality and applications. privacy agreements; educate administrators • Medical device health IT functions, such and users regarding the appropriate use of • The Federal Communications as computer aided detection software telemedicine technologies; and understand Commission establishes regulations

• Applications that are intended to be used as an accessory to a medical device to control the device or display patient-specific data. Mobile applications that are • Applications that transform the mobile platform into a medical device with considered medical devices and subject attachments or sensors. to FDA regulations • Applications that perform patient-specific analysis and assist with diagnosis or treatment recommendations.

• Applications that supplement clinical care by helping patients manage their health. Mobile applications that may be considered • Applications that help patients document or communicate their medical information medical devices, but which the FDA to providers. does not currently intend to regulate • Applications that perform simple calculations used in clinical practice.

• Electronic copies of reference materials. Mobile applications that could be used • Educational tools for medical training. in a health care environment, but are not considered medical devices • Applications used for general patient education. • Applications that automate general office operations in a health care setting.

and robotic surgical planning and On Sept. 25, 2013, the FDA issued a final device, the Internet or other network, or control. guidance on mobile medical applications portable media are more vulnerable to The agencies concluded that the administrative to provide clarity for developers and cybersecurity threats than those that are not and health management functions posed little manufacturers regarding regulatory over- connected. 16 risk to patient safety and required either no or sight. According to the agency, whether The FDA recommends manufacturers limited additional oversight. However, because a mobile application constitutes a medical develop security controls to maintain the of their recognized risks, medical device health device that is subject to FDA regulation confidentiality, integrity, and availability 17 IT functions would remain under FDA oversight. depends on its intended use. Specifically, of information stored in medical devices. the FDA guidance separates mobile Additionally, cybersecurity issues and risks This proposed functional categorization applications into three categories (see box). emphasizes that the safety of health IT should be addressed and analyzed in the relies not only on how it is designed and The regulatory overlap surrounding mobile design phase, both for efficiency in the developed, but also on how it is customized, medical applications is complex and likely FDA approval process and greater effectiveness in managing a device’s security.

Most states continue to require physicians engaging in CONCLUSION telemedicine to be licensed in the state where the patient is Increased use of mobile medical tech- located, with limited exceptions for consultations. nology comes with heightened regulations to mitigate the privacy and security risks of the interconnected health care implemented, integrated and used by to change as federal agencies continue to environment. The absence of compre- clinicians, patients and vendors. interact. Even if a mobile application is not hensive national privacy and security FDA guidance currently subject to FDA regulation, the legislation has driven regulatory agencies to application may be subject to other federal step in. Recently, the FDA has been active in and state agency regulations. regulating mobile health, extending its To navigate the multifaceted legal jurisdiction into health care information On June 14, 2013, the FDA issued draft complexities of telemedicine and mobile technology and redefining medical devices guidance on medical device cybersecurity health, health care companies should 18 to include software applications, including that supplements existing policies and appoint an interdisciplinary committee to mobile medical applications. In 2013 it issued addresses issues that manufacturers should monitor regulatory guidance, assess common guidance for developers and manufacturers consider when designing medical devices compliance principles across regulatory 19 on what mobile medical applications qualify to effectively mitigate these risks. Such agencies, document compliance with privacy as a medical device and further guidance on risks include the intentional or unintentional and security criteria, perform regular risk cybersecurity concerns in this market. compromise of a device or its stored data. analysis for privacy and security issues and According to the agency, medical devices develop incident response programs. WJ capable of connecting to another medical

© 2014 Thomson Reuters AUGUST 2014 • VOLUME 22 • ISSUE 3 | 13 NOTES 8 See generally U.S. Dep’t of Health & 16 U.S. Food & Drug Admin., Mobile Medical Human Servs., Office of Inspector Gen., Applications: Guidance for Industry and Food 1 Press Release, Healthcare Info. & Mgmt. Advisory Opinions, available at http://1.usa. and Drug Administration Staff (Sept. 25, 2013), Sys. Soc’y Analytics, HIMSS Analytics 2013 gov/1nNDB4B. available at http://1.usa.gov/1lBzw3p. The Mobile Technology Survey Examines mHealth FDA guidance defines a “mobile application” 9 Landscape (Feb. 26, 2014), http://bit.ly/1uBlbFa; 42 C.F.R. §§ 482.12(a)(8), (a)(9); see also as a software application that can be run on Matt Mattox, 10 Key Statistics about mHealth CMS State Operations Manual, Appendix a mobile platform, or a Web-based software (Jan. 15, 2013), http://bit.ly/1lwaaFr. A-Survey Protocol, Regulations and Interpretive application that is tailored to a mobile platform Guidelines for Hospitals, Interpretive Guidelines 2 but is executed on a server, and a “mobile IMS Inst. for Healthcare Informatics, Patient for §§ 482.12(a)(8) & (a)(9). Apps for Improved Healthcare: From Novelty to medical application” as a mobile application Mainstream (October 2013), available at http:// 10 42 C.F.R §§ 482.12(a)(8), (a)(9). that meets the statutory definition of a “device” bit.ly/1lwajsG. and either is intended to be used as an accessory 11 42 C.F.R. §§ 482.22(a)(3)(iv), (a)(4)(iv). to a regulated medical device, or to transform a 3 The Centers for Medicare and Medicaid 12 mobile platform into a medical device. Services defines telemedicine as “the provision 45 C.F.R. §§ 160.103; see also Rebekah 17 of clinical services to patients by practitioners Monson, Sharon Klein & Henry Fader, The Sharon R. Klein & Dayna C. Nicholson, When from a distance via electronic communications.” Omnibus Final HIPAA Rule Is Here, Pepper Is an iPad More Than an iPad? When It Is an FDA 76 Fed. Reg. 25,553 (May 5, 2011). Hamilton LLP Health Care Law Alert (Jan. 24, Regulated Medical Device, Pepper Hamilton LLP 2013), available at http://bit.ly/1nimm9Q. Client Alert (Mar. 7, 2014), available at http://bit. 4 Am. Telemedicine Ass’n, Telemedicine 13 ly/1uBneZU. Frequently Asked Questions, What is mHealth?, U.S. Dep’t of Health & Human Servs., Office 18 http://bit.ly/1pdl6Gj. of Inspector Gen., Work Plan for Fiscal Year 2014, See U.S. Food & Drug Admin., Guidance at 26, available at http://1.usa.gov/1kL18OM. for the Content of Premarket Submissions for 5 The Federation of State Medical Boards Software Contained in Medical Devices (May 11, 14 Allison Grande, Health Apps Need More defines telemedicine technologies as 2005), available at http://1.usa.gov/1lBzGaK; Privacy Safeguards, FTC Panel Says, Law360 “technologies and devices enabling secure U.S. Food & Drug Admin., Guidance to Industry: (May 7, 2014), available at http://bit.ly/UJ01KL; electronic communications and information Cybersecurity for Networked Medical Devices see also Sharon R. Klein & Jeffrey L. Vagle, FTC exchange between a licensee in one location and Containing Off-the-Shelf (COTS) Software (Jan. 14, Recommends Framework for Mobile Privacy, a patient in another location with or without an 2005), available at http://1.usa.gov/1pFTVYd. intervening health care provider.” Fed’n of State Pepper Hamilton LLP Client Alert (Feb. 25, 2013), 19 Med. Bds., State Medical Boards’ Appropriate available at http://bit.ly/1l0TPYi. See U.S. Food & Drug Admin., Content of Premarket Submissions for Management of Regulation of Telemedicine (SMART) Workgroup, 15 Press Release, U.S. Dep’t of Health & Human Cybersecurity in Medical Devices (June 14, 2013), Model Policy for the Appropriate Use of Servs., Proposed health IT strategy aims to available at http://1.usa.gov/T7ls6K; see also Telemedicine Technologies in the Practice of promote innovation, protect patients, and Sharon R. Klein & Odia Kagan, Unhack My Heart: Medicine (Apr. 26, 2014), available at http://bit. avoid regulatory duplication (Apr. 3, 2014); see FDA Issues Guidance to Mitigate Cybersecurity ly/1ibJadE. also U.S. Food & Drug Admin., Fed. Commc’ns Threats in Medical Devices, Pepper Hamilton LLP 6 Comm’n & Office of Nat’l Coordinator for Health 42 U.S.C. § 1320a-7b. Client Alert (June 24, 2013), available at http:// Info. Tech., FDASIA Health IT Report: Proposed bit.ly/1iarYpf. 7 42 U.S.C. § 1395nn. Strategy and Recommendations for a Risk-Based Framework (April 2014), available at http://1.usa. gov/1oBNDZZ.

WESTLAW JOURNAL INTELLECTUAL PROPERTY

This publication keeps corporations, attorneys, and individuals updated on the latest developments in intellectual property law. The reporter covers developments in state and federal intellectual property lawsuits and legislation affecting intellectual property rights. It also covers impor- tant decisions by the U.S. Justice Department and the U.S. Patent and Trademark Office. Coverage includes copyright infringement, Lanham Act, trademark infringement, patent infringement, unfair competition, and trade secrets

Call your West representative for more information about our print and online subscription packages, or call 800.328.9352 to subscribe.