Increased Spotlight on Emergency Department Facility Coding by CMS, HHS and DOJ


In light of the recent attention on emergency department facility component coding practices, an area that so far has largely been overlooked by the regulators, any facility that has not reviewed its coding practices for the facility component of E&M Services may want to consider doing so at this time.
 
 
 
 

Attention mHealth, HIT and Telemedicine App Developers: Privacy and Security By Design Is Critical


Mobile health (“mHealth”) medical app developers, including health information technology (“HIT”) and telemedicine app developers, tend to focus on FDA requirements. Indeed, since many of these apps may be categorized as medical devices, and the FDA approval process is lengthy, developers are wise to focus on whether an app is regulated by the FDA. But a successful developer should also build privacy protections (e.g., privacy policies) and security protections (e.g., disaster recovery) into its product from the earliest stages. The Federal Trade Commission (“FTC”) calls this “Privacy By Design.” “Security By Design” is the corollary. The idea is to design the product or service with privacy and security protections in place, to avoid major modifications down the road and regulatory hurdles. Many developers say, “Of course I’ll take care of privacy and security - the data is encrypted.” That’s great, but it’s not enough. If HIPAA applies, there is a long list of privacy and security standards to address. If HIPAA does not apply, the FTC and other agencies may step in with their own requirements. The goal of Privacy and Security By Design is to avoid the avoidable – a privacy or security violation or breach that slows down and even stops the success of a product on the market. It’s competitive out there for mHealth, HIT and telemedicine app developers, and the edge is important.

 
 
 
 

Electronic Health Records and Health Information Exchanges/Organizations: The Changing Landscape


The meaningful use (MU) regulations provide incentive monies for hospitals and physicians that establish electronic health records systems (EHRs) and satisfy other criteria, such as providing new forms of ‘patient engagement’ like technologically-enabled patient-provider communications. The advantages of wireless record-sharing are enormous – quicker diagnoses, better quality tracking, and seamless payment systems. But there are lots of steps and decisions required in setting up EHRs and developing broader data exchange systems like health information organizations/exchanges (HIOs or HIEs). Last week, the Department of Health and Human Services’ Office of the National Coordinator denied certification for two small EHRs and promised ongoing rigorous enforcement of EHRs. Those engaged in developing EHRs and HIEs must address a range of operational and legal issues, including picking and monitoring vendors; figuring out patient consent issues, particularly with respect to sensitive psychiatric, substance abuse and other data; determining governance issues; figuring out how to finance the HIE; and assessing other potential risks, such as if the HIE fails to link a record to the right patient or the HIE is hacked or accessed by an unauthorized person. Many are studying these challenges and seeking solutions. The College of Healthcare Information Management Executives recently sent a comment letter to ONC suggesting the development of a single set of standards for certification. Based on the need, common approaches and product designs will emerge out of solutions developed in the field today by hospitals, health systems, physicians, vendors and others--sooner rather than later.

 
 
 
 

HIPAA Marketing and Sale Provisions: Legal Potholes for Providers, Payors, Advertisers, Data Aggregators, Market Researchers and Others


The 2013 HIPAA Amendments directly apply to healthcare providers, plans and clearinghouses as "covered entities," as well as their subcontractors and vendors as "business associates" (including their downstream subcontractors and agents). However, it is not just covered entities and business associates that need to understand the 2013 Amendments. Advertisers, data aggregators, market researchers and others that want access to PHI, even data that appear to be de-identified, will be impacted.

 
 
 
 

Increased Government Scrutiny of Physician-Owned Device Distributorships


On March 26, 2013, the Office of Inspector General of the U.S. Department of Health and Human Services (OIG) increased its scrutiny of and pressure on physician-owned entities (particularly medical device distributorships) by issuance of a Special Fraud Alert. Although there is nothing specifically new or different from positions taken previously by the OIG regarding physician-owned distributorships (PODs), the Special Fraud Alert clarifies that the “OIG is concerned about the proliferation of PODs.” In other words, the position previously adopted by the OIG has not prevented physicians and medical device companies from designing arrangements that trouble the OIG.

 
 
 
 

What the New HIPAA Rules Say About Health Information Technology for Users, Developers and Investors


While the use of HIT presents enormous benefits, it also poses significant risks with respect to the privacy and security of health data. On January 25, 2013, the U.S. Department of Health and Human Services ("HHS") announced the final omnibus rule amending the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") in accordance with the HITECH Act of 2009 (the "2013 Amendments").
 
 
 
 

Correcting Some Misconceptions About the Affordable Care Act ("ACA")


Last week, I addressed a group of small business leaders regarding the ACA.  In taking questions from the audience, I discovered certain misconceptions among this group concerning the ACA, including the following:

  • Misconception: Muslims are exempt from the ACA’s individual mandate requiring nearly all Americans to have health insurance by 2014.

Correction: While certain religious sects are exempt from the individual mandate, only those currently recognized by the Social Security Administration as being exempt from Social Security requirements are eligible for an exemption from the individual mandate.  These sects consist  mainly of the Amish and certain other Mennonite sects.  Because Muslims are not exempt from participating in Social Security, they are not exempt from the individual mandate requirement.  Those seeking a religious exemption from the individual mandate requirement must apply for such an exemption through a health insurance exchange to be established by the individual states or the federal government.

  • Misconception: The ACA encourages rationing of care and will interfere with the relationship between physicians and their patients.

Correction: The ACA has created the Patient Centered Outcomes Research Institute (“PCORI”), a private, non-profit entity.  PCORI is designed to benefit physicians and their patients by providing information on which treatments are most effective, and expressly prohibits the rationing of care.  While some believe PCORI is modeled after the United Kingdom’s National Institute for Health and Clinical Excellence (“NICE”), such is not the case.  Unlike NICE, any findings generated by PCORI may not be used to promulgate practice guidelines or make coverage decisions.  Further, the ACA includes patient safeguards so as to ensure that coverage decisions made by the U.S. Department of Health and Human Services (“HHS”) are not based on age, terminal illness, or a patient’s quality of life preference.  Therefore, PCORI will not interfere with the physician-patient relationship.  

  • Misconception: The ACA does nothing to address medical professional liability reforms.

Correction: While the ACA does not include any liability reform provisions, such as caps on the non-economic (i.e., pain and suffering) portions of medical malpractice awards, the ACA establishes a competitive grant program for states to develop, evaluate, and implement innovative professional liability reforms.  This program is in addition to the $25 million medical liability reform alternative grant program the Obama administration rolled out in September 2009—one  being implemented by the Agency for Healthcare Research and Quality.

  • Misconception: Employers have until December 31, 2014 to impose a $2,500 employee contribution limit on employer-offered healthcare flexible spending accounts (“FSAs”).

Correction: Employers have until the end of 2014 to amend their FSAs to reflect such $2,500 employee contribution limit, but all such FSAs must be operated beginning this year in accordance with this new limit.  Also, if an employee works for two or more separate companies (i.e., ones that are not controlled by the same owner(s)) and participates in more than one FSA, he or she may contribute up to the $2,500 limit to each FSA.  In addition, there is no limit on employer contributions to FSAs; and the $2,500 employee contribution limit does not apply to other employee-funded plans such as a dependent care FSA or a Health Savings Account.  Further, there shall be inflation adjustments that shall serve to increase the $2,500 employee contribution limit in future years.  

  • Misconception: Employers are liable for any additional Medicare tax they fail to withhold and that their employees subsequently pay.

Correction: Under the ACA, employers are obligated to withhold an additional Medicare tax of 0.9% (i.e., an increase from 1.45% to 2.35%) on taxpayers with earned income in excess of certain threshold amounts (i.e., $200,000 for an employee who is single; $250,000 if the employee is married and filing jointly; or $125,000 if the employee is married and filing separately).   However, an employer is not liable for any additional Medicare tax it fails to withhold and that the employee later pays.  But employers will be liable for any penalties resulting from their failure to withhold.  In addition, employers are not required to match the extra Medicare tax payment as they are required to do for the basic Medicare tax – they need only pay 1.45% on all earnings – so there is no extra cost to the employer for the additional Medicare tax other than administrative expenses; and an employer must withhold such extra Medicare tax on compensation in excess of the applicable threshold, even if the employee is ultimately not liable for it (e.g., a married employee whose wages, together with his or her spouse, do not exceed the $250,000 threshold for couples that are married and filing jointly).  Further, employers have no duty to inquire about the earned income of an employee’s spouse. 

 
 
 
 

Research-Related Payments and the Physician Payment Sunshine Act: How Reporting Works and What Applicable Manufacturers Should Consider


The Centers for Medicare & Medicaid Services on February 1, 2013, published long-awaited rules (the "Rules") detailing manufacturers' and group purchasing organizations' reporting requirements under Section 6002 of the Patient Protection and Affordable Care Act, otherwise known as the Physician Payment Sunshine Act.
 
 
 
 

New HIPAA Rules Regarding Genetic Information Affect Employers, Group Health Plans, Health Insurers and Healthcare Providers


The section of the rule implementing the Genetic Information Nondiscrimination Act of 2008 (GINA) has not received nearly as much attention. This most likely results from the fact that while the non-GINA portions of the final rule will have an industry-wide impact, the section addressing GINA primarily affects health insurers. Because HIPAA includes employer-sponsored group health plans under the definition of insurers, employers that sponsor plans are also affected by the GINA amendments to the HIPAA Privacy Rule.
 
 
 
 

Employers Take Note: Final HIPAA Rules Mandate New Obligations for Group Health Plans


Group health plan sponsors should act now to make changes to existing plan documents, including HIPAA procedures and business associate agreements, in response to the Final Rule.
 
 
 
 

HIPAA Minimum Necessary Standard Should Be Key Component of Policies and Procedures, Now More Than Ever


The HIPAA Rules require that when a HIPAA-covered entity (a provider, plan or clearinghouse) or a business associate of a covered entity uses or discloses protected health information ("PHI"), or when it requests PHI from another covered entity or business associate, the covered entity or business associate must make "reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request."

 
 
 
 

Duane Morris Partner Susan Kayser Is Quoted in McKnight's Long-Term Care News & Assisted Living Article


Duane Morris partner Susan Kayser is quoted in the McKnight's Long-Term Care News & Assisted Living article, "Falsified Records Mean Legal Woes for Adminstrator, Aide."
 
 
 
 

Overview of 2013 Amendments to HIPAA Privacy, Security, Breach Notification and Enforcement Rules


The 2013 Amendments include a number of sweeping changes to the HIPAA Rules, including the expansion of the definition of a business associate to include their subcontractors that handle protected health information ("PHI"); a lower threshold for determining whether a breach has occurred for reporting purposes; and restrictions on "marketing" activities and the "sale" of PHI.

 
 
 
 

Deadline Looming (March 23, 2013) for Nursing Facilities to Have "In Operation" an "Effective Compliance and Ethics Program"


As the owners, operators and administrators of nursing facilities are, or should be, aware, Section 6102 of the ACA requires nursing facilities on March 23, 2013, to "have in operation a compliance and ethics program that is effective in preventing and detecting criminal, civil, and administrative violations under this Act."
 
 
 
 

New HIPAA Breach Notification Rule May Prove Costly for HIPAA-Covered Entities


One of the most significant changes in the final HIPAA amendments is the Breach Notification Rule, which modifies and clarifies the definition of "breach" and the risk-assessment approach required for breach notification.
 
 
 
 
 

Duane Morris Health Law

Reporting legal developments in the healthcare industry and the latest on the implementation of
the Healthcare Reform Act impacting providers, employers and physicians.

© 2009- Duane Morris LLP. Duane Morris is a registered service mark of Duane Morris LLP.
The opinions expressed on this blog are those of the author and are not to be construed as legal advice.