By Matt Fisher, Esq
Twitter: @matt_r_fisher
Host of Healthcare de Jure – #HCdeJure
Healthcare has become the proverbial shiny object to many technology companies, both within and without of Silicon Valley. The technology companies seem to view healthcare as a great, untapped wilderness that is flush with potential profits. However, the rush into and promise of healthcare is never quite so simple.
Companies such as Amazon and Apple generate a ton of press, whether sought out or created on the outside, because these companies are viewed as having solved so many technology and interaction issues. For example, Apple has become a master of producing or refining seemingly stuck technology, while Amazon is considered to be (and likely is) the dominant retail force. The narratives around these companies and the new technology that they develop then lead the press, investors and others who like to speculate down the road that healthcare is a natural progression after having disrupted and conquered other fields.
A recent example is the nearly constant speculation that Amazon’s Alexa, a digital assistant, could revolutionize home health care, coach patients, or otherwise deliver healthcare. Amazon recently held a diabetes challenge event that sought uses for Alexa in promoting use cases with patients. Holding events of this nature clearly explore actual and practical uses in healthcare on the one hand, but are only big teases on the other hand because current regulatory failures are explicitly acknowledged (i.e. not being up to HIPAA standards). In spite of known and acknowledged regulatory deficiencies, the potential examples for the use of Alexa and other digital assistants never really ends. Every day a new use is thrown out and discussion begins.
Adding more fuel to the fire, the Food and Drug Administration announced a digital health pilot program, officially known as the Pre-Cert for Software Pilot, to enable companies to obtain pre-clearance for certain products. Apple, Google (through Verily), Samsung, and FitBit are the big traditionally consumer-facing technology companies that were among the nine participants selected to participate. The goal of the pilot is to speed that way to approval for certain software products in order to respond to the normally slow pace of development in healthcare. The thinking goes that if healthcare wants to tap into digital innovation, then it must be able to act at the speed of digital innovation. The open question is how safe these new solutions will be and can such solutions live up to the traditional quality standards for healthcare devices.
Theorizing about possible uses of different technology solutions and bringing the known capability of companies like Amazon or Apple to healthcare makes for great theater, but significant hurdles exist. The hurdles can certainly be overcome, but doing so means dedication and attention to detail. The primary hurdle that I constantly think about is HIPAA. If any traditional technology company wants to get into healthcare, it will be necessary for that company to determine how it fits into the ecosystem, namely whether it is a covered entity or a business associate (most likely). Taking the assumption that a technology company will be a business associate creating and/or operating tools on behalf of providers (covered entities), the technology companies will need to sign business associate agreements. Taking the experience from provision of cloud services, thinking AWS, expect the technology companies to drive the terms of the business associate agreement, which will most likely be limited to strictly the requirements set out in the HIPAA regulations.
A business associate agreement is only the start though. It is also necessary to implement and comply with the privacy and security obligations that come with being a business associate. While such requirements are arguably easy to implement, doing so does require attention to detail. The privacy protections are fairly black and white, it is mostly a matter of preparing the policies and then educating. This is a gross over-simplification but gets the point across. The security side of the house is probably even easier for technology companies because it would be expected that the baseline protections utilized by such companies go well above and beyond what HIPAA requires. In my assessment, the biggest stumbling block will be appropriately educating and then monitoring individuals to ensure compliance. Insiders are already neck and neck with ransomware/hacking for the biggest security threats, which would only become more volatile by throwing in a workforce that is not accustomed to operating in a highly regulated area. As such, while HIPAA presents challenges, those challenges can be overcome.
Another, less explored regulatory issue is how full entry into healthcare could implicate fraud and abuse laws. Will Apple, Amazon or other companies seek to introduce products that could be reimburseable by Medicare or Medicaid? If yes, then standard operating procedure such as offering discounts or attractive offers to drive purchases would then likely result in a regulatory violation and much unwanted attention. Can the technology companies exercise enough discipline to wall off healthcare operations from other business teams? Other companies can and do create divisions, but technology companies have at times garnered reputations of pursuing ideas without necessarily thinking through full implementation. Chasing an idea down a rabbit hole without fully vetting regulatory considerations is not a preferable way to go. Then again, the pharmaceutical industry is cynically viewed as incorporating fraud and abuse allegations and settlements into the way of doing business. Could technology replicate this approach? Thinking of the government’s settlement with eClinicalWorks for misrepresenting the capabilities of its electronic medical records, maybe that path is already being laid.
While I am admittedly not an FDA lawyer, it seems that the potential need for approval as a medical device presents one of the biggest issues for new technology to come into healthcare. Even though the FDA, as mentioned above, is experimenting with easing regulations, the baseline of needing approval as a medical device for many uses still exists. Unless the law is fundamentally changed, such a requirement cannot be glossed over. The need for approval drives a very conservative approach to develop, implementation and maintenance. For example, many traditional medical device companies feel that FDA approval precludes the ability to update and/or patch operating systems on a device because a device obtains approval with a certain operating system. If that system is changed, then the functionality of that device could arguably change and the basis for approval undercut. Can technology companies that so often throw incomplete or “buggy” products into the marketplace while expecting to then fix on the fly work in such an environment? Will the environment change? The inability to answer these questions at the moment is cause for a pause.
Technology sparks imagination and possibility. Opportunities are as endless as what can be thought of. That promise is justifiably appealing, but it should be tempered by reality. Until a real solution comes to market and proves itself, the hopes are just hype.
This article was originally published on Mirick O’Connell’s Health Law Blog and is republished here with permission.