Digital Healthcare 2021

Last Updated July 16, 2021


Law and Practice


Troutman Pepper has a Digital Health Practice that helps clients revolutionise the delivery of healthcare. At the national, regional, state and local levels, the firm has successfully worked with diverse stakeholder groups to develop the legal and governance infrastructure necessary to support a health information exchange organisation (HIEO). As one of the largest health law practices in the US and a part of the firm’s Health Sciences Department, the Digital Health Practice advises healthcare providers, technology companies, payors, pharmaceutical and medical device manufacturers, and other stakeholders facing complex legal and regulatory issues related to health information technology (HIT). The team examines the privacy, regulatory, IP and potential product liability risk factors of clients’ products and services. Clients turn to the team to negotiate and execute their complex IT contracts, navigate federal safe harbours for the donation of electronic medical records (EMRs) and other HIT, and investigate and respond to health data breaches. The team regularly handles software licensing and data hosting agreements, data sharing and Data Use Agreements, and helps to establish multiparty health information exchanges.

Digital health and digital medicine represent a relatively new area, with applications across the continuum of healthcare. Digital health refers to any technology that is used to engage health consumers for wellness and health-related purposes by obtaining health data. Examples include fitness trackers and augmented reality or virtual reality digital health tools. In general, these tools do not require clinical evidence, do not meet the regulatory definition of a medical device, and may or may not require regulatory oversight.

Digital medicine is a subset of digital health technologies that includes software and algorithmically driven products that are used to treat patients and to collect and share a person's health information. Examples include mobile health applications, electronic health records, telehealth and telemedicine, wearable medical devices, robotics and artificial intelligence (AI). Digital medicine products are used independently or with pharmaceuticals, biologics or devices to optimise patient care and improve health outcomes. These tools require clinical evidence, and the requirements for regulatory oversight vary depending on risk level. Products that are classified as medical devices require regulatory clearance or approval, while those used as a tool to develop pharmaceuticals, devices or medical products require regulatory acceptance by the appropriate regulatory review division.

According to the US Food and Drug Administration (FDA), digital medicine technologies use computing platforms, connectivity, software and sensors for healthcare. Importantly, they include technologies intended for use as a medical product, in a medical product, as companion diagnostics, or as an adjunct to other medical products such as devices, drugs and biologics. They may also be used to develop or study medical products in clinical research.

A plethora of new digital technologies are driving transformation in healthcare and reshaping how people interact with healthcare providers, including how data is shared and how decisions are made about treatment plans and health outcomes. The broad scope of digital health technologies includes mobile health, health information technology, wearable devices, telehealth and personalised/precision medicine. Exciting new applications include AI-enabled medical devices (eg, diagnostics, digital therapeutics and clinical research) and information management tools (eg, blockchain electronic health records).

Emerging ethical and legal issues associated with population-level deployment of digital health tools include privacy concerns stemming from the use of surveillance technologies without individual consent. The World Health Organization (WHO) has advised governments to implement data protection policies for digital health and medicine, working closely with private industry to help ensure that personal patient data is protected.

Another emerging ethical issue is the health inequity affecting communities with insufficient access to digital health tools. Lower digital literacy and lack of access to current digital equipment and operating systems or to data and internet access plans may all contribute to the problem of health disparity as digital health technologies become more prevalent.

The severity of the COVID-19 pandemic has driven rapid adoption of digital health technology, especially in the primary care setting. The trend is here to stay, as telemedicine is being used to reduce health workers’ and patients’ exposure to COVID-19, to comply with COVID-19-related ordinances, and to take pressure off strained health systems. Other applications include digital learning packages to educate people about the disease, geographic information systems for mapping the spread of cases, vaccine “passports” or “certificates”, quick response (QR) code applications for real-time case tracking, cloud- or mobile-based systems for self-care, and patient tracking.

The severity of the impact of climate change on health is increasing. According to a WHO special report, the direct health risks of climate change include the physiological effects of exposure to higher temperatures, increasing incidences of respiratory and cardiovascular disease, mental health issues, and injuries or death due to droughts, floods, heatwaves, storms and wildfires. Consequently, healthcare systems will face additional pressures to provide care.

Healthcare organisations are using health sensors, connected devices and wearables to help with the diagnostics and management of respiratory diseases. In 2019, for example, the FDA approved the first “smart inhaler” to collect data on how patients use their inhalers containing a medicine for respiratory diseases. Other apps are being developed to help prevent and monitor the spread of infectious diseases and manage heat-related conditions. Digital media will also play an important role in educating the public about the health risks associated with climate change.

In the United States, the legal and regulatory environment governing digital health and medicine is complex and dynamic. The US Department of Health and Human Services (HHS) has primary responsibility for the health and safety of Americans. Other federal bodies with oversight responsibility include the HHS Office for Civil Rights (OCR), the FDA, the US Department of Justice (DOJ) and the Federal Trade Commission (FTC). Federal laws apply when a digital product is used to collect, create or share consumer information, or when a product is used to diagnose or treat a disease or health condition. Some of the important laws and regulations governing digital healthcare include the following.

  • The Health Insurance Portability and Accountability Act (HIPAA) – the OCR within the HHS enforces the HIPAA rules, which protect the privacy and security of certain health information and require certain entities to provide notifications of health information breaches.
  • The Federal Food, Drug, and Cosmetic Act (the "FD&C Act") – the FDA enforces the FD&C Act, which regulates the safety and effectiveness of medical devices, including certain mobile medical apps. The FDA focuses its regulatory oversight on health apps that pose a higher risk to patients if they do not work as intended. Relevant regulatory pathways and policies include 510(k) premarket notification (clearance), pre-market approval (PMA), the software as a medical device (SaMD) framework, the Digital Health Software Precertification pilot program and the agency's policy on laboratory developed tests.
  • The Federal Trade Commission Act (the "FTC Act") – the FTC enforces the FTC Act, which prohibits deceptive or unfair acts or practices in or affecting commerce, including those relating to privacy and data security, and those involving false or misleading claims about health apps’ safety or performance.
  • The FTC’s Health Breach Notification Rule – the FTC's Health Breach Notification Rule requires certain businesses to provide notifications following data breaches of personal health information.
  • The Health Information Technology for Economic and Clinical Health (HITECH) Act gave state attorneys general the authority to bring civil actions on behalf of state residents for violations of the HIPAA Privacy and Security Rules.
  • Other relevant laws may include practice of medicine laws pertaining to telemedicine, anti-kickback statutes, intellectual property and patent protection laws.

The FTC offers an online tool to help companies identify which federal laws and regulations may apply to their mobile health apps and other products. However, the tool is just a preliminary step in understanding mobile health app and device compliance and is neither comprehensive nor a substitute for professional legal advice.

Adding to the legal complexity are the many state laws and regulations governing digital healthcare, data privacy and protected health information, such as the California Consumer Privacy Act and the Virginia Consumer Data Protection Act, and the enforcement actions of state attorneys general.

The FDA developed a Digital Health Innovation Action Plan to revamp the agency’s approach to ensuring all Americans have timely access to safe and effective digital health products. As part of this plan, in September 2020, the FDA launched the Digital Health Center of Excellence (DHCoE), a central resource to help the agency and external stakeholders develop and promote digital health technologies. The DHCoE is part of the Center for Devices and Radiological Health and will focus on regulatory oversight for "mobile health devices, Software as a Medical Device (SaMD), wearables when used as a medical device, and technologies used to study medical products". The DHCoE’s key priorities in 2021 are to:

  • connect and build partnerships to accelerate digital health advancements;
  • share knowledge to increase awareness and understanding, drive synergy and advance best practices;
  • innovate regulatory approaches to provide efficient and least burdensome oversight, while meeting the FDA standards for safe and effective products; and
  • harmonise policies with other regulators.

The creation of the DHCoE follows the agency’s Digital Health Software Precertification (Pre-Cert) Program, a pilot regulatory framework intended to reflect the iterative way software is developed and refined. In March 2020, the FDA cleared under the 510(k) pathway the first product reviewed using the Pre-Cert pilot's approach, a prescription digital therapeutic for adults with chronic insomnia. Additionally, the FDA previously announced that it is finalising its guidance on other digital health-related regulatory focus areas such as multiple-function device products and clinical decision support software.

In April 2021, the FTC published new guidance on AI models, focused on how businesses and health systems can promote truth, fairness and equity in their use of AI. While recognising the potential benefits of AI, the guidance stresses the need to avoid inadvertently introducing bias or other unfair outcomes. This caution is applicable to the prevention and resolution of health access inequities.

The FDA enforces the FD&C Act, which regulates the safety and effectiveness of medical devices, including certain mobile medical apps. The FDA has issued numerous guidance documents to provide clarity and predictability for manufacturers of digital health and digital medicine technologies. In general, the FDA is taking a tailored, risk-based approach that focuses on the subset of technologies that meet the regulatory definition of "device".

The FDA does not intend to regulate low-risk general wellness products that meet both of the following criteria:

  • those that are intended for only general wellness use; and
  • those that present a low risk to the safety of users and other persons.

In contrast, the FDA will apply its regulatory oversight to those technologies that are deemed medical devices and where their functionality could pose a risk to patients’ safety if the device failed to function as intended.

Digital health and digital medicine potentially create legal and compliance risks that may trigger an investigation by the DOJ or state attorneys general. For example, as healthcare providers adopt telehealth, they must be careful to protect against unproven claims involving medical necessity, and against business arrangements that may implicate the federal Anti-Kickback Statute and the Stark Law. The Anti-Kickback Statute imposes criminal liability on those that knowingly and wilfully offer, solicit, receive or pay any form of remuneration in exchange for the referral of services or products covered by any federal healthcare programme, and violations of either statute can also give rise to civil liability, including under the federal False Claims Act.

In 2009, the HITECH Act gave state attorneys general the authority to bring civil actions on behalf of state residents for violations of the HIPAA Privacy and Security Rules, both to obtain damages on behalf of those residents and to enjoin further violations.

The FTC has authority under the FTC Act to address unfair and deceptive trade practices associated with digital health, including those relating to data privacy and cybersecurity.

The FTC is the primary non-healthcare federal agency with regulatory authority for enforcing the FTC Act to address unfair and deceptive trade practices. The agency recommends that developers of digital healthcare and digital medicine tools follow these guidelines:

  • data minimisation – apps should limit the information they collect and share about users to data that is necessary for the app to provide its services;
  • limiting access and permissions – app developers should incorporate “privacy by design” principles and set default privacy settings for apps to give users more control over their data and ensure that permission requests are narrowly tailored; and
  • accessibility and transparency – developers must use accessible and transparent privacy policies that clearly explain how users’ personal data is collected, used, retained, stored and shared.

The FTC also monitors the data privacy and security practices of businesses that are providers of health records that are not otherwise covered entities under HIPAA. In January 2021, the FTC settled a case against Flo Health, Inc., the developer of a popular menstrual cycle and fertility-tracking application. The case involved allegations that the company shared the health information of users with outside data analytics companies after promising that such information would be kept private. The settlement, among other things, requires that Flo Health obtain an independent review of its privacy practices and get users’ consent before sharing their health information. The case prompted the FTC to create a helpful guide about privacy representations for health apps.

AI in healthcare is an evolving technology creating some concern for regulators. According to an April 2020 FTC blog, the agency is worried about the use of AI in digital health applications, particularly in cases where it may result in racial bias in healthcare delivery, whether intentional or not. The FTC’s law enforcement actions, studies and guidance underscore that AI tools and applications should be transparent, explainable, fair and empirically sound, while fostering accountability of the developer.

The issues of data privacy and AI also concern regulatory authorities outside the United States. For example, the European Union’s General Data Protection Regulation (GDPR) treats health, biometric and genetic data as special categories of personal data and generally requires a specific lawful basis, such as the data subject's explicit consent, before they may be processed. In February 2020, the EU published an AI strategy (its White Paper on Artificial Intelligence) that further stresses strict enforcement of the GDPR to protect people's health data and privacy.

The GDPR applies to companies outside Europe as well, and it is important to be cognizant of the Regulation’s territorial scope.

There are three kinds of software related to medical devices. Software on its own can be considered a medical device and is referred to as SaMD (software as a medical device). The two other types are software in a medical device (SiMD) and software used in the manufacture or maintenance of a medical device.

Software that meets the definition of a device and is deployed on a mobile platform may be considered a mobile medical app. Examples include software that allows a smartphone to view images obtained from a magnetic resonance imaging device for diagnostic purposes, or computer-aided detection software that performs image processing to help detect breast cancer.

Consistent with the FDA's historic oversight approach that considers the functionality of the software rather than the platform, the agency has expressed its intention to apply its regulatory oversight to those software functions that are medical devices and whose functionality could pose a risk to a patient’s safety if the device were to be misused or not to function as intended.

In cases where software applications meet the definition of a medical device but pose low risk to the public, the FDA has said it will exercise enforcement discretion and not enforce regulatory requirements against them. Software functions that do not meet the definition of a device under Section 201(h) of the FD&C Act are not devices, and the agency does not intend to regulate them as such.

According to the FDA, the use of SaMD is increasing and resulting in new regulatory challenges. The International Medical Device Regulators Forum (IMDRF), a global voluntary group of medical device regulators, convened to discuss harmonisation on medical device regulation and in 2020 it issued its Strategic Plan 2021–2025. Importantly, the IMDRF SaMD Working Group, which is chaired by the FDA, published a risk categorisation framework for SaMD to help manufacturers and regulators identify risk categories based on how SaMD is used to make healthcare decisions in different healthcare situations.

Specifically, the software as a medical device risk categorisation framework has four categories of risk (I, II, III and IV), derived from two factors: the significance of the information the SaMD provides to the healthcare decision (whether it is used to treat or diagnose, to drive clinical management, or only to inform clinical management) and the state of the healthcare situation or condition (critical, serious or non-serious). Category IV, the highest risk, covers SaMD whose information is used to treat or diagnose a critical condition, where inaccurate output could lead to death, long-term disability, other serious deterioration of health or harm to public health; Category I is the lowest risk.

Artificial Intelligence and Machine Learning

Another important consideration is that, through machine learning, software and digital technologies can be designed to improve their own performance over time. AI-based medical devices can continue to learn from additional data sets, so their performance specifications are not fixed in the way a hardware medical device's are. This new technology is challenging traditional regulatory processes such as change management, risk management, clinical evaluation and manufacturing controls.

In January 2021, the FDA announced a new plan for regulating AI/machine learning (AI/ML)-based SaMD. Unlike traditional SaMD, whose behaviour is fixed by the code a software developer writes, AI/ML-based software can learn from real-world data, so changes to the algorithm may occur after the SaMD has been distributed for use.

The autonomous and adaptive nature of AI-based tools has led the FDA to create the Artificial Intelligence/Machine Learning (AI/ML)-Based Software as a Medical Device (SaMD) Action Plan, which is a multidimensional approach to advance the agency’s oversight of AI/ML-based medical software.

Troutman Pepper has identified five key actions that the FDA intends to take regarding AI/ML:

  • advancing the proposed regulatory framework, including through the issuance of draft guidance on a predetermined change control plan for software that learns over time;
  • supporting the development of harmonised good machine-learning practice (GMLP);
  • fostering a patient-centred approach, including transparency to users about how the device operates;
  • supporting regulatory science efforts to develop methods to evaluate and improve machine-learning algorithms, including identifying and eliminating bias; and
  • advancing real-world performance monitoring pilots.

The FDA has said that the plan will improve transparency, reduce bias in AI software, and continue to evolve with new developments in the field of AI/ML-based SaMD.

The Health Resources and Services Administration (HRSA) of the HHS defines telehealth as the use of electronic information and telecommunications technologies to support and promote long-distance clinical healthcare, patient and professional health-related education, public health and health administration.

Common telehealth applications include the following.

  • Live (synchronous) videoconferencing – a two-way audio-visual link between a patient and a care provider.
  • Store-and-forward (asynchronous) telehealth – transmission of recorded health information (eg, images, video or a health history) to a health practitioner for review at a later time.
  • Remote patient monitoring (RPM) – the use of connected electronic tools to record personal health and medical data in one location for review by a provider in another location, usually at a different time.
  • Mobile health (mHealth) – healthcare and public health information provided through mobile devices. The information may include general educational information, targeted texts and notifications about disease outbreaks.

In the wake of COVID-19, healthcare providers around the US cancelled much of their routine, in-person care, and patients stayed home to protect themselves from the risk of infection. This dynamic led to telehealth evolving from a niche service to a broadly used tool enabling patients to see healthcare providers while socially distancing. The new comfort level with telehealth will normalise its use as a healthcare modality for the foreseeable future, and for good reason. The American Medical Association has highlighted several benefits of telehealth, including:

  • overcoming clinician shortages, especially in rural and underserved communities;
  • allowing healthcare providers to increase continuity of care;
  • addressing health issues wherever patients are, even at home, while travelling, or far from a health facility;
  • extending patient access beyond normal clinic hours;
  • limiting physical contact to reduce exposure and transmission of COVID-19 (and other outbreaks or risks of contagion);
  • reducing travel to health providers, which cuts down on commuting time, work and school absences, the need for childcare, and even pollution; and
  • shortening wait times to see a provider and expanding access to specialists who are located at a great distance.

Federal regulation in the wake of the COVID-19 public health emergency (PHE) is complex and dynamic. Troutman Pepper is monitoring the regulatory landscape for changes to the existing regulations as well as proposed new legislation that seeks to maintain or expand the long-term use of telehealth beyond the pandemic.

In March 2020, Congress passed the Coronavirus Aid, Relief, and Economic Security (CARES) Act, which among other things funded measures to help healthcare providers deliver connected care services to patients at their homes or mobile locations in response to the PHE. The COVID-19 Telehealth Program it funded, administered by the Federal Communications Commission, provided immediate support to healthcare providers by reimbursing the telecommunications services, information services and devices needed to deliver vital connected healthcare services.

A related measure, the Telehealth Services During Certain Emergency Periods Act of 2020 (enacted in March 2020 as part of the Coronavirus Preparedness and Response Supplemental Appropriations Act and broadened by the CARES Act), authorised the HHS to waive certain Medicare coverage restrictions for telehealth services during the COVID-19 emergency period. Subsequently, the Centers for Medicare & Medicaid Services (CMS) issued implementation guidance to healthcare providers to encourage the use of telehealth for Medicare beneficiaries.

Prior to COVID-19, Medicare fee-for-service (FFS) beneficiaries were eligible to receive covered services via telehealth only if the services satisfied statutory requirements in the Social Security Act concerning the locations, technology, providers and services involved. For example, under the originating site requirement, Medicare patients had to be at an approved facility (eg, a doctor’s office, hospital or nursing home) in a designated rural health professional shortage area. Telehealth services also had to be provided via synchronous, audio-video communication and had to be facilitated using the originating site’s telecommunications equipment, rather than the patient’s cell phone or other technology.

Provisions of the 2020 Telehealth Services During Certain Emergency Periods Act softened these restrictions for all Medicare beneficiaries, and waived the “originating site” and communication device requirements, meaning that telehealth consultations between a provider and a Medicare FFS patient may now take place while the patient is at home or at a healthcare facility, regardless of whether the patient is located in a rural area, and via the patient’s smartphone, as long as the communication is a live, two-way, audio-video communication.

Additionally, the HHS Office for Civil Rights announced that it would exercise enforcement discretion and not impose HIPAA penalties on healthcare providers that use non-public-facing remote communication tools in good faith to deliver telehealth during the COVID-19 PHE. Many states also relaxed practice-of-medicine and licensing rules that otherwise restrict the delivery of telehealth services across state lines.

Proposed Telehealth-Related Legislation

In 2021, several bills have been introduced to extend or expand telehealth access and coverage through and beyond the COVID-19 pandemic. Notable examples include:

  • the Ensuring Telehealth Expansion Act (H.R. 341), which would permanently extend telehealth provisions in the CARES Act;
  • the Protecting Access to Post-COVID-19 Telehealth Act (H.R. 366), which would eliminate most geographic and originating site restrictions on the use of telehealth in Medicare and establish the patient's home as an eligible originating site; and
  • the Temporary Reciprocity to Ensure Access to Treatment (TREAT) Act (H.R. 708), which would provide temporary licensing reciprocity for telehealth and interstate healthcare treatment, allowing any qualified and licensed healthcare professional to provide services, including telehealth, anywhere for the duration of the PHE.

Other recently introduced bills that seek to expand telehealth services unrelated to the COVID-19 pandemic include:

  • the Tech to Save Moms Act (H.R. 937), which would integrate telehealth models in maternity care services;
  • the Tele-Mental Health Improvement Act (H.R. 2264), which would require parity in the coverage of mental health and substance use disorder services provided to enrollees in private insurance plans, whether such services are provided live or via telehealth; and
  • the Telehealth Improvement for Kids' Essential Services (TIKES) Act (H.R. 1397), which would increase access to telehealth under the Medicaid programme and Children's Health Insurance Program.

Given the growing popularity of telehealth, the authors anticipate that many existing and new regulations will enable telehealth to become a permanent part of healthcare delivery in the United States.

The reimbursement landscape for telehealth services is in flux, as reimbursement policies are debated and evolve. Prior to the COVID-19 pandemic, telehealth was a covered service under limited circumstances, but generally was reimbursed at lower rates than in-office visits.

The CARES Act helped to ensure that Medicare would pay physicians for telehealth services at the same rate as in-office visits for all diagnoses, not only for services related to COVID-19. In 2021, CMS extended Medicare reimbursement for many telehealth services through at least the end of 2021 and in some cases permanently.

For example, CMS temporarily added 144 telehealth services, and permanently added several others, to be covered by Medicare. The permanent telehealth additions include coverage for group psychotherapy, home visits for established patients and care planning services. CMS also finalised temporary coverage for certain services through the end of 2021, including coverage for high-intensity home visits, emergency department visits, specialised therapy visits and nursing facility discharge-day management.

Many private payers have mirrored the CMS requirements, including extending their telehealth reimbursement policies for some services traditionally performed in an office setting, and waived patients’ out-of-pocket costs for telehealth visits related to the coronavirus. However, the reimbursement policies do subtly vary among private insurers, which adds some complexity to the reimbursement ecosystem.

Given the rapid rise in telehealth services, it is no surprise that some private insurers are beginning to express concern about over-utilisation and increasing costs associated with telemedicine. The uncertainty about reimbursement for telehealth services long term may slow investment and adoption by the medical community. According to a survey by the COVID-19 Healthcare Coalition, 73% of respondents cited low or no reimbursement as a barrier to maintaining telehealth use after COVID-19. The survey also found that the most crucial component for ensuring that coverage will continue is whether CMS receives the authority to continue to cover telehealth services after the pandemic.

Regardless of what happens next regarding reimbursement policies, healthcare providers, payers and patients need to remain cognizant that the landscape is changing quickly.

The internet of things (IoT) in healthcare is helping providers and payers to become more patient centric, efficient and cost effective. Dubbed the internet of medical things (IoMT), it refers to any technology that enables doctors, patients and others – such as guardians of patients, nurses, families and other caretakers – to be part of a connected system, where patient records and data are collected and stored in a cloud-based database, providing doctors and allied health professionals with quick access to patient information.

Today, the application of the IoMT in healthcare plays an important role in managing chronic illnesses, preventing and controlling diseases, and advancing medical research. And the insurance industry is using the IoMT to access better information that will inform underwriting and pricing models.

Examples of the interconnected IoMT ecosystem include:

  • remote patient monitoring of people with chronic conditions;
  • implants (eg, pacemakers);
  • smart patient monitoring tools (eg, wearable mHealth devices, fitness trackers);
  • e-prescriptions;
  • smart diagnostic tools and point-of-care testing;
  • telemedicine;
  • smart pill bottles;
  • genomics data;
  • smart hospital beds with sensors that measure patients' vital signs;
  • patient education apps;
  • smart infusion pumps that connect to analytics dashboards; and
  • digital or virtual assistants or smart speakers.

As more IoMT products enter the market, security vulnerabilities in medical device software are reported regularly, which concerns both government and industry experts. Devices connected to home networks, public Wi-Fi or cellular networks transmit patient information to and from a hospital’s or healthcare provider’s network. This greater accessibility of patient information also increases its exposure to hacking and to compromises of privacy and data security. Real-world examples are easy to find.

According to the Wall Street Journal, more than 230 general hospitals and inpatient psychiatric facilities, plus dozens of other healthcare facilities in the United States, have been targeted since 2018. In 2020 alone, there were more than 80 publicly reported ransomware attacks on healthcare providers.

The FDA and the FTC are two federal agencies with regulatory authority for digital health privacy and cybersecurity matters. According to the FDA, the responsibility to protect patients’ privacy and security rests with device manufacturers, hospitals and facilities.

The FDA guidance document titled Postmarket Management of Cybersecurity in Medical Devices states: “manufacturers should take a proactive, risk-based approach to cybersecurity throughout a device’s life cycle, including a combination of monitoring, maintenance, identification of potential issues, and action to address cybersecurity vulnerabilities and exploits.”

The challenge for companies and institutions is deciding exactly which security vulnerabilities have clinically relevant implications. Important questions that manufacturers of digital health devices, software and apps need to ask include the following.

  • What is the reasonable standard of care in creating a secure IoMT device?
  • What constitutes a design defect or failure to warn?
  • Are security vulnerabilities considered a design defect?
  • How long must device manufacturers provide security monitoring and software updates after selling a product?
  • Does user failure to download security updates act as a superseding cause or a failure to mitigate in cases of liability for defective software?

Concomitantly, the FTC enforces the FTC Act, which addresses unfair and deceptive trade practices and fills the legal void for non-regulated organisations and devices. As the implementation of the IoMT accelerates, the FTC is more aggressively enforcing privacy and cybersecurity matters, particularly for those businesses that are providers of health records that are not covered under HIPAA.

For instance, in 2018, the FTC launched a major investigation into consumer DNA testing companies over their policies for handling personal information and genetic data and how they share the data with third parties such as pharmaceutical and insurance companies.

Other laws and standards relevant to IoMT privacy and security include the following.

  • HIPAA provides data privacy and security provisions for protecting medical information.
  • The HITECH Act promotes the adoption and use of health information technology.
  • The National Institute of Standards and Technology Special Publication 800-53 (NIST SP 800-53) defines security controls for federal information systems and cybersecurity activities.
  • State privacy laws (eg, the California Consumer Privacy Act of 2018) give patients the right to know what personal information a business collects about them and how it is used or shared.
  • The GDPR requires that products and systems that collect EU patient data must be considered from a privacy perspective.

Future Trends Affecting IoMT

The Health Sciences Department team at Troutman Pepper believes 2021 will be a critical year for the IoMT and cybersecurity initiatives. In February 2021, the FDA named Kevin Fu, a University of Michigan associate professor, to serve as the first acting director of medical device cybersecurity at the FDA's Center for Devices and Radiological Health (CDRH). “One area I’m hoping to make a good dent in is helping to integrate cybersecurity principles through CDRH’s total product life cycle, and help with training and mentoring,” Fu said. 

Among the FDA’s top priorities in 2021 is to develop a strategy for future medical device security, partner with stakeholders, and foster collaborations across industry and government to enhance security as attackers continue to evolve. The FDA has been working on a Joint Security Plan, which will provide guidance for developing, deploying and supporting cyber-secure technology solutions in the healthcare ecosystem.

Additionally, following President Biden’s recent executive order on improving cybersecurity, the FDA announced that it will create software bills of materials (SBOMs) through the International Medical Device Regulators Forum to help synchronise security guidelines and standards internationally. These SBOMs will benefit those who develop or manufacture software, those who select or purchase software, and those who operate software. End users who operate software can also use SBOMs to quickly and easily determine whether a newly discovered vulnerability in a listed component puts them at potential risk.
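As an added example (not code from the original article, nor from the FDA or IMDRF), the following shows the SBOM use just described: an operator matches the component inventory in a CycloneDX-style SBOM against vulnerability advisories to see whether a device's software contains an affected version. The SBOM, the component names and the advisory IDs are constructed placeholders and do not refer to any real product or vulnerability.

```python
"""Match a software bill of materials (SBOM) against vulnerability advisories.

Added example, not from the original article or from FDA/IMDRF guidance.
The SBOM below is a constructed, CycloneDX-style document for a fictitious
infusion-pump firmware, and the advisories are constructed placeholders;
none of the component names, versions or advisory IDs are real.
"""
import json
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed SBOM for a fictitious device firmware (placeholder names).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"name": "example-pump-firmware", "version": "3.2.0"}},
    "components": [
        {"type": "library", "name": "example-tls", "version": "1.0.2"},
        {"type": "library", "name": "example-json", "version": "2.7.0"},
        {"type": "operating-system", "name": "example-rtos", "version": "5.4.10"},
        {"type": "library", "name": "example-ble-stack", "version": "0.9.5"},
    ],
})

# Constructed advisories: affected component, first affected version
# (inclusive), first fixed version (exclusive), and a placeholder ID.
SAMPLE_ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "component": "example-tls",
     "introduced": "1.0.0", "fixed": "1.0.3"},
    {"id": "ADV-PLACEHOLDER-2", "component": "example-rtos",
     "introduced": "5.0.0", "fixed": "5.4.8"},
    {"id": "ADV-PLACEHOLDER-3", "component": "example-json",
     "introduced": "2.7.0", "fixed": "2.8.0"},
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version such as '5.4.10' into a comparable tuple (5, 4, 10).

    Trailing non-numeric characters (e.g. '1.0.2a') are dropped; real SBOM
    matching should apply the versioning rules of the component's ecosystem.
    """
    parts: List[int] = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """True when introduced <= version < fixed (fixed=None means no fix yet)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def match_sbom(sbom_json: str, advisories: Iterable[Dict]) -> List[Dict]:
    """Return one finding per (component, advisory) pair whose SBOM version
    falls inside the advisory's affected range."""
    sbom = json.loads(sbom_json)
    by_name: Dict[str, List[Dict]] = {}
    for comp in sbom.get("components", []):
        by_name.setdefault(comp["name"], []).append(comp)

    findings = []
    for adv in advisories:
        for comp in by_name.get(adv["component"], []):
            if is_affected(comp["version"], adv["introduced"], adv.get("fixed")):
                findings.append({
                    "advisory": adv["id"],
                    "component": comp["name"],
                    "version": comp["version"],
                    "fixed_in": adv.get("fixed"),
                })
    return findings


if __name__ == "__main__":
    for f in match_sbom(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print(f"{f['advisory']}: {f['component']} {f['version']} "
              f"(fixed in {f['fixed_in']})")
```

In the constructed data, the RTOS component is already past the fixed version, so only two of the three advisories produce findings.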

5G, or the fifth generation of cellular technology, is capable of transmitting data and information much faster than traditional networks (ie, 10 gigabytes/sec for 5G v 15 megabytes/sec for traditional networks). This increased speed will overcome the bandwidth and latency limitations associated with traditional networks. As a result of this potential, Business Insider Intelligence predicts that the global telemedicine market will grow 19% annually and exceed USD130 billion by 2025.

Healthcare organisations that contract for 5G services will need to collaborate with their telecommunications providers to safeguard the large amounts of vulnerable patient information and data from cyber-attacks. They also will need to build 5G coverage across the United States, and globally, to facilitate safe and equal access to healthcare technologies leveraging 5G, particularly in rural and minority communities that stand to benefit the most from the IoMT. Currently, the FTC estimates that only 31% of rural communities in the United States meet the minimum infrastructure requirements for 5G implementation.

That said, there is little doubt that 5G-enabled technology will usher in a new era of healthcare. It will impact patient care, help relieve the capacity burden on healthcare providers and hospitals, and expand access to quality care. For example, 5G can support the high-resolution video requirements of telehealth appointments, while simultaneously allowing real-time sharing of data collected from diagnostic devices and other medical devices. This capability will enhance decision-making across health networks and improve care for patients, particularly for people who have trouble accessing medical specialists.

Some examples of where 5G is being used in healthcare today include:

  • Rush University and AT&T are using 5G to improve clinical care and patient experience;
  • Emory Healthcare is leveraging Verizon's 5G wideband for training, monitoring, diagnostics and image transfers from ambulance to emergency room; and
  • British Telecom is collaborating with Britain's National Health Service to test the future of connected ambulances.

Not only does 5G have the capacity to impact the IoMT, but it is also well suited to collect and integrate the large data sets that are needed to develop new breakthrough medical innovations using augmented reality, virtual reality, AI, remote medical learning and remote patient monitoring, to name a few.

The digital health revolution was enabled by passage of the HITECH Act in 2009, which provided financial incentives for healthcare providers and technology companies to develop and implement electronic health records (EHRs) that can be easily used and shared.

The EHR initiative is based on the premise that information is power, and more information is more power. In this context, the EHR was envisaged as a comprehensive record of an individual’s personal information and medical history. The goal is to help healthcare providers select the right treatment for the right patient at the right time; in other words, to facilitate personalised and precision medicine. A second benefit of EHRs is that they can facilitate the tracking of services and enable more efficient reimbursement.

Adding to the official EHR is a plethora of data from new digital tools and apps that gather, collect and analyse personal health information. Examples include fitness trackers, calorie counters, smart medication bottles that remind patients to take their pills, and AI-enabled remote collection of specific biometric data used to manage chronic health conditions and signal when there is a problem.

Privacy is an ongoing concern for those tasked with protecting EHRs and other forms of sensitive personal health information. And more than ever, patients want a say in who can access their protected health information (PHI) and how it is used in research and for marketing purposes.

As a rule, most healthcare providers must follow the Health Insurance Portability and Accountability Act, a federal privacy law that sets a baseline of protection for certain individually identifiable health information. The law permits, but does not require, covered healthcare providers to give patients the choice as to whether their health information may be disclosed to others for certain key purposes, including treatment, payment and healthcare operations.

The HHS Office for Civil Rights (OCR) is responsible for enforcing the laws and regulations concerning privacy, including HIPAA and the HITECH Act, and guiding the actions of “covered entities” such as healthcare providers and health insurers, and of “business associates” such as the third-party vendors that support them. These regulations provide guidance for safeguarding PHI, including healthcare services provided, the health condition of the patient and payment information that can be used to identify an individual.

The key provisions of HIPAA and the HITECH Act include:

  • the Privacy Rule;
  • the Security Rule; and
  • the Breach Notification Rule.

The Privacy Rule

The Privacy Rule is designed to ensure PHI is treated with respect for everyone’s privacy. Under HIPAA, use of PHI is restricted to authorised or permitted uses, and then, for purposes other than treatment, only information that is the minimum reasonably necessary for the permitted purpose, or those uses as to which an individual has given consent (eg, research or marketing). A notice of permissible privacy practices must be provided to patients before services are provided. Individuals are allowed to review their PHI records and request an accounting for most non-treatment- and non-payment-related disclosures of the individual’s PHI made by a covered entity and its business associates.

The Security Rule

The Security Rule states that covered entities and business associates must comply with certain security objectives:

  • ensure the confidentiality and integrity of electronic PHI handled by them;
  • protect against reasonably anticipated threats to the security or integrity of PHI;
  • anticipate unauthorised uses and disclosures of PHI; and
  • train their staff on related compliance matters.

Administrative, physical and technical safeguards and organisational processes must be implemented and periodically assessed to ensure that the safeguards and processes continue to fulfil the objectives. Importantly, while encryption of PHI is not required under the security regulations, if PHI is encrypted at an appropriate level of strength, an unauthorised use or disclosure that involves such data is not subject to required disclosure under the Breach Notification Rule.

The Breach Notification Rule

The Breach Notification Rule applies to breaches affecting PHI held by covered entities and business associates. A breach can include the acquisition, access, use or disclosure of unsecured PHI in a manner not permitted under the Privacy Rule and that compromises the security or privacy of the PHI. When a breach occurs, the Breach Notification Rule requires that, no later than 60 days after discovery of the breach, actual or constructive notice of key details is provided to affected individuals and to HHS, and to the news media in cases of a large data breach. The OCR division of HHS is responsible for investigating data breaches when they occur. Violations are subject to substantial civil money penalties, and criminal penalties and fines are possible for intentional violations.

More than ever, companies, academic institutions and government agencies are interested in aggregating and sharing PHI and data for medical research as they pursue new treatments or cures for diseases. The de-identification of data is essential in keeping PHI as secure as possible, while allowing research to progress.

The de-identification process removes identifiers from PHI, which attenuates privacy risks to individuals. According to HHS, there are two acceptable methods for de-identifying data.

  • Expert determination. A qualified expert with appropriate knowledge of and experience in rendering data unidentifiable applies the necessary methods and determines that the risk of identifying an individual from the data is small. That expert then documents the methods and results supporting the determination that the data has been de-identified.
  • The “safe harbour” method. In this approach, the covered entity has no actual knowledge that the data could be used, alone or in combination with other information, to identify an individual. A covered entity may treat data as de-identified if it removes 18 types of identifiers. Some of the types of identifiers include:
    1. names;
    2. telephone numbers;
    3. email addresses;
    4. Social Security numbers; and
    5. medical record numbers.

Importantly, the HIPAA Privacy Rule states that once data is de-identified, covered entities can use or disclose it without limitation because the information is no longer considered PHI and does not fall under the same restrictions as PHI. This policy allows for PHI and data to be used in research, policy assessment and comparative effectiveness studies, to name a few.
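To make the safe-harbour method concrete, here is an added example (not code from the original article) that de-identifies a constructed patient record: direct identifiers are dropped, dates are reduced to the year, ages of 90 and over are collapsed into one bucket, and ZIP codes are truncated to three digits. It goes beyond the five identifier types listed above to the other categories among the 18; the field names, the sample record and the function names are assumptions made for this example.

```python
"""HIPAA safe-harbour de-identification of a patient record.

Added example, not from the original article. The field names below and the
sample record are constructed for illustration; no real person is described.
"""
import copy
import re
from typing import Dict, Iterable, List, Set, Tuple

# Record fields holding identifier types that the safe-harbour method removes
# outright: names, geographic units smaller than a state, contact details,
# SSN, medical record and account numbers, certificate/licence numbers,
# vehicle and device identifiers, URLs, IP addresses, biometrics and photos.
DIRECT_IDENTIFIER_FIELDS: Set[str] = {
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "licence_number",
    "vehicle_id", "device_serial", "url", "ip_address", "biometric_id",
    "photo",
}

# Dates directly related to the individual keep only their year.
DATE_FIELDS: Set[str] = {"date_of_birth", "admission_date", "discharge_date", "date_of_death"}

# Constructed sample record (assumed field names, placeholder values).
SAMPLE_RECORD: Dict = {
    "name": "Jane Example",
    "mrn": "MRN-0000001",
    "ssn": "000-00-0000",
    "email": "jane@example.invalid",
    "phone": "555-0100",
    "street_address": "1 Example Way",
    "city": "Exampleville",
    "state": "CA",
    "zip": "94110",
    "date_of_birth": "1930-04-17",
    "admission_date": "2021-03-02",
    "age": 91,
    "diagnosis_code": "E11.9",
    "device_serial": "SN-EXAMPLE-42",
    "ip_address": "192.0.2.10",
}


def generalise_date(value: str) -> str:
    """Keep only the year from an ISO-style date (YYYY-MM-DD)."""
    match = re.match(r"^(\d{4})", value)
    return match.group(1) if match else ""


def generalise_zip(value: str, restricted_zip3: Set[str]) -> str:
    """Truncate a ZIP code to its first three digits.

    The regulation additionally requires three-digit prefixes whose area has
    20,000 people or fewer to become '000'; that list is not reproduced here,
    so the caller passes it in (empty by default).
    """
    zip3 = value[:3]
    return "000" if zip3 in restricted_zip3 else zip3


def safe_harbor_deidentify(record: Dict,
                           restricted_zip3: Iterable[str] = ()) -> Tuple[Dict, List[str]]:
    """Return (de-identified copy of record, sorted names of removed fields)."""
    out = copy.deepcopy(record)
    removed: List[str] = []
    for field in list(out):
        if field in DIRECT_IDENTIFIER_FIELDS:
            del out[field]
            removed.append(field)
        elif field in DATE_FIELDS:
            out[field] = generalise_date(str(out[field]))
    if "zip" in out:
        out["zip"] = generalise_zip(str(out["zip"]), set(restricted_zip3))
    # Ages over 89, and any date element (the year included) that would reveal
    # such an age, are aggregated into a single "90 or older" category.
    age = out.get("age")
    if isinstance(age, int) and age >= 90:
        out["age"] = "90+"
        if "date_of_birth" in out:
            out["date_of_birth"] = ""
    return out, sorted(removed)


if __name__ == "__main__":
    cleaned, dropped = safe_harbor_deidentify(SAMPLE_RECORD)
    print("removed:", ", ".join(dropped))
    print("kept:", cleaned)
```

The state, the truncated ZIP and the diagnosis code survive, which is exactly the kind of residual data that the expert-determination route exists to assess when combined with other sources.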

In addition to the federal laws and regulations, some individual states have their own privacy laws that require healthcare providers to obtain patients’ written consent before they disclose their health information to other people and organisations, even for treatment. Many of these privacy laws protect information that is related to health conditions considered “sensitive” by most people.

Given all the complexities of governing data use and data sharing, Troutman Pepper's Health Sciences Department team advises clients to seek expert legal advice when evaluating privacy laws and regulations, particularly since they are evolving over time.

AI, augmented intelligence and machine learning are revolutionising human health and well-being. Healthcare and life science companies, governments and healthcare providers are investing billions of dollars in AI as they seek to discover new tools to diagnose, treat, cure and prevent disease; to democratise healthcare; and to expand access, particularly in underserved communities.

AI is a general term that describes using computer algorithms to process big data sets. In some applications, the data sets are used to train and validate the algorithm using known answers and outcomes (eg, diagnostic tests). In other applications, the algorithm learns on its own by analysing clusters of relationships in the data. In healthcare, there are two important subsets of AI: augmented intelligence and machine learning.

Augmented intelligence assists, rather than replaces, healthcare professionals with clinical decision-making and the administration of care. Machine learning is the process of training computers to learn by exposing them to vast amounts of data. Examples of machine learning include:

  • deep learning, which uses algorithms to identify hierarchies within data that aid complex understanding; and
  • natural language processing, which uses algorithms to examine, extract and interpret data that is structured as human language.

According to HHS, there are five key roles for AI in healthcare today.

  • Reducing administrative burden and costs – AI enables the rapid processing of EHRs and can automatically transcribe and process medical notes. It can reduce costs by eliminating manual data entry. AI is also being used by the Centers for Medicare and Medicaid Services and private payers to automate billing, which can help reduce improper payments and fraud.
  • Connecting patients to resources and care – AI applications are providing patients with personalised care recommendations. Augmented intelligence and AI are creating virtual care programmes for people with chronic conditions and expanding access to treatment for rural and other underserved populations.
  • Advancing population health management – AI is being used to identify populations at risk and treatment opportunities for a group of individuals or community. The potential for AI to mitigate and even prevent public health crises is tremendous.
  • Improving diagnosis and detection – AI analyses large data sets of medical and social determinants of health to identify patterns and assist physicians in developing treatment plans. A key goal is to diagnose conditions and treat disease at an early stage when there is the best chance to achieve a positive health outcome.
  • Developing new therapeutics – AI is being used to accelerate the drug development process, from identifying gaps in current therapies to bringing new products to market that can be used on top of standard of care or replace standard of care. AI can sort through thousands of research articles, patents and chemical libraries in the search for new therapies. It is being used to identify patients for clinical trials. AI is also enabling precision medicine where people’s genetic profiles are being used to tailor treatment plans, particularly in oncology.

The future success of AI is dependent on private industry, government agencies, patients and caregivers, academic researchers and healthcare providers sharing data. The most valuable sources of data include:

  • administrative data (eg, claims data from payers);
  • clinical data (eg, clinical trials data and EHR data);
  • genomics data (eg, cancer risk assessment, prenatal testing, recreational genomics);
  • patient-generated data (eg, IoMT, social media data);
  • social determinants of health data (eg, environmental conditions and demographics); and
  • surveillance data (eg, registry data, survey data and vitals data).

Examples of broad data sharing can already be found in the pharmaceutical industry. In 2019, ten pharmaceutical companies agreed to provide data via a third-party blockchain vendor to train their machine-learning algorithms to accelerate drug discovery and development programmes. While the data is not disclosed to competitors, each of the companies will be able to use the improved algorithm to pursue its own research.

Although data sharing is necessary to develop AI, there are important legal, cultural and technology challenges to be managed. Some of these challenges are described below.

Legal Considerations

At present, there are inconsistent restrictions on data use. PHI is the most sensitive data and is protected by HIPAA and other federal and state laws. PHI includes claims data, clinical data and surveillance data. In contrast, patient-generated data from mobile apps and wearable devices is regulated through terms-of-service agreements, which may be inconsistent with how health data can be shared and used. Another important legal consideration is intellectual property (IP). Companies and researchers need to balance sharing data with their fiduciary responsibility to protect IP rights.

Cultural Considerations

Restrictive interpretations of HIPAA have created a risk-averse environment for data sharing. Data silos and administrative hurdles, particularly among government agencies, can block or slow data sharing. Also, there is concern about bias and/or the lack of diversity in health data sets, which can affect the clinical utility and demographic representation of certain AI algorithms.

Technical Considerations

Large quantities of data are needed to train and test AI algorithms. Organisations will need to upgrade their IT infrastructure to process this data efficiently. It is also a challenge to combine and analyse disparate data sets that use different nomenclature and coding schemes. Finally, there is a need for more technical experts in AI with healthcare experience.

The healthcare industry is challenged by the volume of available data, which is growing exponentially; compliance with laws and regulations; and cost-effectively providing quality care to as many people as possible. Any contemporary solution to manage these challenges means embracing health information technology (HIT), including software and hardware, new platforms and middleware, and new technology services. In the wake of COVID-19, the demand for performance from HIT tools is accelerating.

Healthcare professionals, researchers and payers expect quick access to their digital tools and data, which is typically possible if the IT infrastructure is functioning at its optimal capacity. Too often, however, legacy HIT systems were developed in a piecemeal approach, in which new applications were appended to older technology, creating challenges to performance and reliability of their overall HIT infrastructure. Today’s reality requires that organisations think and act differently about the HIT they partner with or develop.

There is little debate that existing HIT infrastructure needs to be modernised and providers need to automate certain tasks while remaining compliant with relevant federal and state regulations. This is no simple endeavour, as there is no one-size-fits-all approach to modernising HIT, and organisations will need to consider their budgets and timelines in addition to compliance issues. Below is a list of technologies that healthcare companies, institutions and providers are using to transform their HIT.

  • Quantum computing – quantum computing is exponentially faster than traditional computers and will enable a range of disruptive applications for healthcare providers and payers by accelerating diagnoses, personalising medicine and optimising pricing. As access to health data continues to grow, the combination of quantum computing and traditional computing to save lives and reduce costs will be exponential.
  • Blockchain – as digital health technology advances, the need for data security, data portability and data accessibility increases. A single global blockchain can serve as a universal, global electronic health record. A blockchain system offers a secure digital environment, capable of storing and managing patient information in a verifiable manner, publicly accessible in real-time by authorised participants in the healthcare service provider chain.
  • 3D printing – 3D printing is being used to create tools from a digital file by adding multiple layers of one or more materials to build a single structure. One of the most common uses of 3D printing in medicine is the fabrication of medical devices. Researchers are also experimenting with 3D printing using cells to “print” prosthetic appendages and other body parts, and even organs and tissues such as heart valves.
  • Connectivity – health-related companies are building connectivity into their IT architectures. The IoMT refers to the thousands of applications and wearable devices in use (eg, smartwatches and smartphones) as well as medical devices used in homes (eg, blood pressure machines, digital scales and even EKGs). The focus is on helping people monitor their own health and well-being, as well as providing longer-term health information to their care providers.
  • Electronic health records – EHRs are supporting reimbursement and financial processes, and expediting clinical documentation and prior authorisation steps. Hospitals and other institutions are enhancing EHRs by incorporating digital voice assistants, natural language processing and ambient listening capabilities into patients’ rooms.
  • Telehealth and cloud computing – telehealth is a virtual interaction between provider and patient, with the goal of providing medical care. As organisations focus on improving telehealth, the cloud is a force-multiplier. It allows for the petabytes of storage that will be needed for medical imaging, while providing the ability to build and deploy systems that extend a clinician's reach to remote locations with an internet connection or a cell signal.
  • AI, augmented intelligence and machine learning – AI is the creation of machines to work and react like healthcare providers. Augmented intelligence is using those same machines to enhance rather than replace the physician. Machine learning refers to the process of training computers to learn by exposing them to data.

As advancements with digital technologies offer significant value, they also create new and often unknown risks that must be identified and managed. For example, regulatory authorities worldwide are updating or creating new laws and regulations to help ensure data protection, cybersecurity and intellectual property rights arising from the rapid advancement of health technologies.

Cloud computing has become one of the most frequently used IT applications in healthcare because it increases efficiency and decreases costs. The cloud makes sharing medical records easier and safer, automates administrative operations, and enables the creation and maintenance of telehealth applications. 

Healthcare analysts project that cloud computing will increase for the foreseeable future as institutions and providers look for solutions to manage the volume of health data being generated across the digital health ecosystem. Several other factors enabling the proliferation of cloud computing are investment from industry, 5G telecommunications, government organisations, public awareness, regulatory compliance and new payment models.

Cloud computing can be segmented into public, private and virtual private cloud data centres. In the healthcare industry, it is further segmented into clinical and non-clinical information systems. Examples of clinical applications include pharmacy information systems, computerised physician order entry, radiology information systems and electronic medical records (EMRs). Non-clinical uses include automatic patient billing, claims management and revenue cycle management.

Despite its popularity, there are legal and regulatory considerations when it comes to cloud computing, such as data privacy, data breaches and data portability. For example, HHS’ Office for Civil Rights is investigating hundreds of cases involving breaches of health information. Of those, about half were caused by hacking or an IT incident.

All cloud-based health solutions must comply with HIPAA. This includes security measures for patient privacy, enforcement of laws and breach notification procedures. The requirements of HIPAA need to be understood by both the healthcare provider and cloud service provider (CSP) in order to ensure compliance. Cloud platforms and access can sometimes fail, which can negatively impact productivity, and businesses must rely on the CSP to bring the service back online.

Many CSPs are certifying their data centres for HIPAA and safe harbour compliance controls. This is important because when a covered entity contracts with a CSP to create, receive, maintain or transmit PHI, the CSP is considered a business associate under HIPAA. As a result, the covered entity (or business associate) and the CSP must enter into a HIPAA-compliant business associate agreement, and the CSP is liable for meeting the terms of the agreement and for compliance with HIPAA.

In cases where the software is an off-the-shelf product developed or updated by a vendor other than the healthcare company, the software developer may not be responsible for compliance with FDA regulations. Rather, the party with regulatory responsibility (ie, the covered entity) needs to assess the vendor’s activities and determine what is needed to establish that the software is validated for its intended use and meets regulatory requirements.

There are best practices for working with CSPs, including the following.

  • Regulatory and legal compliance – conduct due diligence and select CSPs that are experienced with aspects of regulatory and legal compliance (eg, HIPAA).
  • Governance – select a CSP that matches your organisation’s standards and offers the same or greater level of data security and effectiveness.
  • Cloud design – virtual cloud infrastructures are scalable and efficient. Ask vendors to demonstrate how they support other organisations, and how they segregate and protect data from their other customers.
  • Data access – remote access to data is a key benefit of cloud computing. Determine how the vendor manages access to sensitive information and regulatory requirements.
  • Data protection – determine what security measures the vendor has to protect data. Assess whether the cloud provider meets your organisation’s standard for data protection and consider encrypting your data before storing it in the cloud to reduce risk.
  • Data availability – back up data or create a service level agreement (SLA) with the CSP to mitigate risk and ensure systems are operational in the event of data loss.
  • Issues management – review the cloud vendor’s policies and procedures for managing incidents in its environment, such as a data breach or other compliance problems.
  • Vendor reputation – check references and select a vendor that is trustworthy and has a good reputation.

Digital health is transforming patient care, communication with and among healthcare providers, patient quality of life, access to care, and healthcare administration. An effective IP strategy is essential to protect competitive advantages and support future investments in the digital health industry. Digital health innovators, whether companies or entrepreneurs, should proactively work to protect their IP as early as possible. IP is generally regarded as intangible property that can be sold, assigned, licensed and litigated. The core elements of IP protection include patents, trade secrets, trade marks and copyright. These are summarised below.

Patents

The patent climate in digital healthcare is complex, and patents are difficult to obtain. That said, digital health products that have mechanical, chemical and/or electrical components may be patentable if they are novel and inventive. Also, features of the device may be patentable (eg, methods and protocols associated with using the device). Once a patent is granted in the United States, it gives the patent owner a 20-year right to stop others from making, using or selling the patented invention.

Trade Secrets

Trade secret protection may be an attractive option in cases where a digital health technology is not eligible for patent protection. The federal Defend Trade Secrets Act provides a uniform law governing trade secret protection and enforcement. Trade secrets are particularly useful in situations where the innovation is hard to replicate, such as one that relies on a created data set or a multidimensional analytic model. A trade secret is defined as an invention or technology that:

  • is truly secret;
  • represents something of commercial value; and
  • is subject to reasonable steps to keep it secret.

Unlike patents, trade secrets can have an unlimited duration.

Trade Marks

A strong trade mark will both encourage “brand” recognition (ie, the user associates the product with its name) and protect against infringement. It is an important asset of a company. In order to protect the brand, companies must create a strong mark and conduct a comprehensive search to ensure the mark is not already being used. The trade mark also needs to be registered with the United States Patent and Trademark Office to ensure nationwide validity and legal protections against infringement. A trade mark will need to be renewed every ten years. Additionally, companies may consider international registration if they are providing a product or service outside the United States.

Copyright

Healthcare providers can use digital health products to collect data. If the data is stored in a database, the database may be protected under copyright if it is sufficiently original. Copyright may also apply to algorithms and software code used in a digital health device or app. The United States Copyright Office has a process to register copyrights, which is required for enforcement actions against infringement and reclaiming of any monetary damages. A registration deposit of the software code or database is required to meet the requirements of the Copyright Act. In the United States, the term of copyright protection is the life of the author plus 70 years. If the work was created as a work made for hire, the term is the shorter of 120 years after creation or 95 years after publication. The copyright term and protections may differ in other countries.

IP plays a critical role in universities and other public research institutions (PRI). IP broadly includes trade secrets, patentable inventions, designs, software programs, original written works, diagrams, lectures and presentations. Creating IP and bringing it to the next stage of development is an important goal for many universities and PRI. Most research universities have policies to facilitate the transfer of IP that can lead to benefits for society at large as well as the industry sector and institutions concerned. For example, universities may require faculty and researchers to assign any IP developed with the university’s resources back to the institution. In some cases, a university may pay researchers royalties, subject to their contractual agreement. Universities may also out-license their IP to companies for commercialisation in return for financial compensation (eg, equity in the licensee company, upfront payments, royalties, or milestone payments).

Research universities, government institutions and private industry frequently collaborate and work together to more efficiently develop new products or improve existing products. In such circumstances, the involved parties need to establish contracts and collaboration agreements that safeguard their IP rights. The most common IP rights at play in collaborations are patents, trade secrets, trade marks and copyright.

In the early stages of discussion, the relevant parties involved should undertake a careful assessment of each party’s goals and discuss any IP-related issues. The next step is to develop a contract or collaboration agreement. As a best practice, a collaboration agreement should define (at a minimum) the following:

  • ownership of IP rights held by participants prior to a project starting;
  • ownership of IP rights arising from research collaboration;
  • rights to use the IP where one party does not own it or where it is jointly owned;
  • responsibilities of all parties with respect to IP protection, maintenance and funding;
  • conflicts of interest in relation to collaborative and contract research;
  • sharing of revenues; and
  • publication rights.

Additionally, if protected health information (PHI) is being shared, the HIPAA rules generally require that the parties enter into a business associate agreement to safeguard protected health information, define how the data will be handled, and specify how data breaches will be managed.

The best practices highlighted above are built on a strong foundation of licensing and contracting expertise.

As AI and SaMD applications become ubiquitous across healthcare, the consequences involved in decisions made by these tools will increase. However, predicting the liability risks for AI-based applications, including machine learning, is challenging. The courts in the United States have offered minimal guidance on how AI and other digital tools should be viewed under the existing product liability legal framework.

For example, the US Court of Appeals for the Third Circuit found that AI-based devices that provide information, ideas and recommendations do not qualify as “products” under the New Jersey Product Liability Act, and the current product liability framework does not apply (see the non-precedential decision in Rodgers v Christie, 2020 WL 1079233 (3d Cir. 2020)). If other courts were to embrace this reasoning, it is unlikely that AI-based products will be deemed “products” in the near term.

Conversely, if the courts expand the definition of “products” to include AI-based applications and SaMD, they may be subject to existing theories of product liability, including strict liability, negligence and breach of warranty. Each of these legal theories is summarised below. It is worth noting that many jurisdictions outside the United States have similar product liability frameworks.

Strict Liability

Under this theory, plaintiffs must prove that they were harmed by a product manufactured or sold by a defendant that contained a manufacturing or design defect, or failed to warn of a potential safety hazard, and the product was being used in a reasonably foreseeable manner when the harm occurred. A product can be deemed defective if it fails to perform as safely as an ordinary consumer would expect when used in an intended manner or if the risks inherent in the design outweigh the benefits. A failure to warn may apply if the manufacturer did not instruct or warn adequately of a risk that was known to occur when the product was being used in a reasonably foreseeable manner. Importantly, this may include situations where a company failed to warn the physician (or consumer) about the potential underperformance or bias in specific subpopulations because certain demographics were under-represented in the development of the AI algorithm.

Negligence

Negligence claims focus on the behaviour of the defendant and are based on what was known, or should have been known, at the time of manufacture. Under this theory, plaintiffs must prove that the seller or manufacturer failed to exercise due care and the plaintiff was harmed as a result. Negligence suits can be based on negligent design or failure to warn claims.

Breach of Warranty

Breach of warranty is another theory that may apply to product liability cases. The three types of warranties are:

  • express warranty;
  • implied warranty of merchantability; and
  • implied warranty of fitness for a specific purpose.

Additional categories and subcategories of warranties exist in other settings; for example, a special warranty deed guarantees transfer of clear real estate title. Express warranties are created by an affirmation of fact (eg, statements) made by the seller that becomes part of the bargain, or through a description of the product that becomes part of the bargain, or by the seller giving a sample of the product that becomes part of the bargain. Implied warranties of merchantability require that a product meets minimum standards of quality, and that the product is fit for the ordinary purpose for which it is sold. Implied warranties of fitness apply when the seller knows, or has reason to know, of a specific purpose for which the product is required and the purchaser relies on the seller to select a suitable product to meet that purpose. Under the breach of warranty theory, the plaintiff must prove that they purchased the product from the defendant, that the seller issued an express or implied warranty, that the seller breached the warranty because the product failed to perform as warranted, and that the plaintiff was harmed as a result.

It will take time for case and statutory laws specific to AI/SaMD and product liability to evolve. Meanwhile, companies and software developers can take reasonable precautions to limit their risk. Below are some best practices to consider.

  • Ensure the AI-based SaMD provides accurate and easy to understand information.
  • Conduct software testing and consult medical or scientific professionals for feedback.
  • Disclose if the SaMD application relies on external data sources and provide links to those sources if available.
  • Require that users review and agree with a terms of use agreement, including a limitation of liability, and require acknowledgement of disclaimers or warnings.
  • Disclose any known warnings or disclaimers.
  • Create policies and procedures to monitor performance of the SaMD application and evaluate any problems that might arise.   
  • Designate an employee with primary responsibility for monitoring the SaMD’s performance and developing a plan to address any issues that surface.   
  • Provide a mechanism for end users to report problems or concerns, and publicly post the company’s policy for how it handles such reports and/or notifies affected users.   
  • Provide employees with training or input from medical professionals if appropriate.
  • Offer post-sale software updates for AI algorithms and SaMD with a goal of improving performance or fixing problems.

Third-party vendors are essential for healthcare companies because they provide products, services and expertise that cannot be sourced in-house. A third-party vendor is defined as any entity that an organisation does business with, including suppliers, manufacturers, service providers, business partners and affiliates. Vendors can be upstream (eg, suppliers) and downstream (eg, distributors), as well as non-contractual entities.

The product liability theories with respect to AI and SaMD may also extend to third-party vendors in the supply chain. However, apportioning blame within the supply chain will require detailed technical analysis regarding the various features of the AI algorithm or SaMD as well as the contracts and indemnification agreements among the companies involved.

As the healthcare industry continues to undergo digital transformation, it is important that healthcare organisations and providers have systems in place that allow them to monitor and manage third-party vendor risk and guard against liability.

The future of digital health and medicine lies in the answers it will provide to healthcare professionals, patients and payers. It promises to accelerate breakthrough innovations that will increase access to quality care for more people and radically improve health outcomes.

Industry analysts predict substantial growth in the digital health marketplace for the foreseeable future. To illustrate this point, the Mercom Capital Group reported that investments in digital health exceeded USD21 billion in 2020, effectively doubling from USD10 billion in 2019. According to Rock Health, the first quarter of 2021 closed with USD6.7 billion in digital health funding in the United States alone, representing the largest quarter of funding ever.

Several of the broad trends in digital health include the following.

  • AI, cloud and quantum computing will advance as companies and researchers develop the next generation of diagnostics and breakthrough therapies.
  • Healthcare administration will become more efficient and lower overall costs.
  • Telemedicine will ease the burden on healthcare organisations and improve access to healthcare for underserved populations and rural communities.
  • Wearables and medical apps will enable remote monitoring of both healthy people and patients with chronic conditions.
  • Genomics will enable the development of precision medicines tailored to individuals.
  • Electronic health records and apps will gather data on patients’ family and personal medical histories and empower physicians to prevent some diseases from occurring.
  • 5G telecommunications will enable the interconnectedness of products and services across the digital health ecosystem, globally.
  • Companies, universities, government institutions and other research organisations will contract and collaborate more than ever.
  • Laws, regulations and policies governing digital health will evolve and become more complex. Privacy, cybersecurity, and IP rights will remain critically important issues.
  • There will be a growing need for more trained professionals working at the nexus of healthcare, information technology and the law.

Troutman Pepper

3000 Two Logan Square
PA 19103-2799

+215 981 4249

Trends and Developments


Jones Walker is the largest law firm in Louisiana and is among the largest in the United States, with more than 350 attorneys across the Southeast and other strategic locations, including Atlanta, Miami, New York City, and Washington, DC. Led by a core group of veteran healthcare attorneys, the Jones Walker healthcare industry team includes attorneys from all of the firm’s major practice areas. Each team member has extensive experience in specific practice areas, as well as in-depth knowledge of today’s healthcare marketplace and regulatory environment. Jones Walker’s nationally recognised telemedicine team has been actively assisting healthcare entities with the structuring and integration of telemedicine systems for more than 20 years. These healthcare entities range from large hospital systems that cross state borders, to hospital-based physician practices, direct-to-consumer telemedicine providers, and manufacturers of medical devices used in telemedicine monitoring and diagnoses.

Digital Health Takes a Major Leap, but the Journey is Not Over

From a public-health perspective, 2020 provided an unimaginable and unwanted stress test for local, regional, and national healthcare systems. The same can be said for digital healthcare. Despite unprecedented, nearly overwhelming challenges, the system proved its mettle – and telemedicine, in particular, demonstrated its value during a pandemic and beyond.

According to the World Health Organization, as of the end of April 2021, more than three million people worldwide, at minimum, have died as a result of COVID-19, the disease caused by the SARS-CoV-2 coronavirus. Countless others have become sick, and the pandemic continues to spread rapidly in certain parts of the world.

In direct response to the threat, public-health entities in the United States and around the globe launched a massive counter-offensive. Safe, effective vaccines were developed and deployed in record time. Technologies perfected in the fight against COVID-19 are beginning to lead to breakthroughs against other diseases, and telemedicine – which prior to 2020 was finally beginning to achieve broader acceptance – vaulted into the spotlight as an efficient and highly effective method for providing a range of healthcare services while protecting patients and providers against an infectious, deadly disease.

The expansion of telemedicine this past year was in large part dependent on the issuance of temporary waivers from federal and state health regulators. However, progress rarely moves in a straight line, and there are no guarantees that telemedicine, as made available and practised in 2020, will continue as such in 2021.

In a similar fashion, the new COVID-19 vaccines, under federal emergency-use authorisations, are being developed, distributed, and administered at an unprecedented pace. However, as vaccination rates increase in the United States and the population begins to approach so-called herd immunity, the continued general acceptance and growth of telemedicine may be stifled as a result of legislative, regulatory, and even industry inertia, despite the now well-demonstrated benefits of providing healthcare via telemedicine. While temporary telemedicine waivers have not yet been rolled back in the United States, a look at the broader landscape suggests that these temporary waivers may be limited to the declared public-health emergency and may soon expire.

For example, on 27 April 2021, and with only one quarter of the state’s population fully vaccinated, the governor of Tennessee indicated that he would not renew any public health orders, declaring that “COVID-19 is no longer a health emergency in our state.” While many are focusing on how this may affect mask mandates, public gatherings, and other public-health measures, most tele-health-related waivers are based on the existence of a “declared” public-health emergency at either the federal or state level. The end of the declared emergency, while generally considered an important public-health victory, will result in the expiry of state and federal telemedicine waivers, and reversion to the pre-COVID-19 limitations and restrictions on the delivery of healthcare via telemedicine and possible rollback of hard-won and undisputed gains.

Whether discussing tele-health, healthcare law and regulation, or any related issue, one principle must be kept in mind: good medicine is good medicine, no matter the delivery methodology. The goal of telemedicine providers, insurers, technology companies, law-makers, and regulators should be equally simple and singular: high-quality patient care. While telemedicine is not intended to replace all face-to-face healthcare encounters, all medicine should be delivered to the same high standards.

For many rural communities, chronically ill or homebound individuals, and under-served populations, telemedicine has proven itself to be a lifesaving modality for the delivery of care. For colleges, universities, large employers, and other entities, telemedicine tools such as healthcare kiosks – which allow for real-time, immediate visits with healthcare professionals – can ensure effective triage and treatment for students and employees.

Ultimately, telemedicine will be seen as having achieved its full potential when it is no longer referred to as “telemedicine,” but simply as “medicine.” But that day remains some time away. In this context, this article will look at a number of issues that are likely to come to the fore as telemedicine and digital health-providers respond to yet another change in the healthcare landscape. Although telemedicine is here to stay, the degree to which its full capabilities will be realised is certainly not set in concrete.

Licensing may return as a primary barrier

Prior to the COVID-19 pandemic, most states had strict limitations on the licensing of healthcare professionals to practise telemedicine within their borders. Physicians and non-physician practitioners (including nurses, psychologists, and physical therapists) were required to hold licences in the states where their patients resided. “Relationship requirements” also stipulated that the provider or someone in the provider’s practice must have seen the patient in person before initiating tele-health services.

In early 2020, as the pandemic gained momentum, the US Department of Health and Human Services (HHS) issued a series of bulletins, notifications, and FAQs announcing, and then clarifying, then-HHS Secretary Alex Azar’s waiver of certain federal Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH) Act non-compliance sanctions against covered entities and providers. As a result, the state licensing boards in turn began to loosen their telemedicine licensing requirements.

According to the Federation of State Medical Boards (FSMB), as of 31 March 2021, 41 states and several US territories had allowed some form of licensing waivers to meet the need for qualified physicians to provide medical services in their states via tele-health. Many of these state licensing waivers adhered closely to HHS rules governing the types of telemedicine services that could be provided and would be reimbursed by the Centers for Medicare & Medicaid Services (CMS).

Looking ahead and toward the anticipated expiry of current telemedicine waivers, industry groups and advocates are pursuing various options to expand licensure for providers. For example, the FSMB, which includes 29 states, the District of Columbia, and the Territory of Guam, supports the Interstate Medical Licensure Compact (the Compact), an agreement among its participating states to work together to streamline significantly the licensing process for physicians who want to practise in multiple states.

Established in 2017, the Compact allows qualifying physicians who practise in multiple states to complete a single application in order to receive separate licences from each state in which they intend to practise. The Compact is modelled after the Nurse Licensure Compact, which allows holders of a multi-state nursing licence to practise in all of the nearly three dozen participating states. A key distinction between the two compacts, however, is that physicians must still pay between USD300 and USD700 for each state licence — a significant financial burden and ongoing expenditure for providers practising telemedicine at the national level.

A more effective solution would be to allow simple reciprocity of licences across states. Not only would it be less expensive for physicians and/or their employers, but it would also streamline the qualification process. This option is likely to meet resistance from state medical licensing boards, which have a strong investment in maintaining control over the licensure process.

In their defence, most boards will pose an important and as-yet-unresolved question: “How can we effectively sanction bad players?” The answer to this challenge lies in developing consistent standards and methods of accountability across states. However, this resolution will require a willingness among state licensing boards to loosen their hold and negotiate such thorny issues.

Reimbursement will likely increase, but the pace will slow

Despite cross-jurisdictional licensing issues, states had already begun to expand tele-health coverage within their borders prior to the pandemic. In 2019, the American Telehealth Association reported that 40 states and the District of Columbia had adopted substantive policies or received funding to expand tele-health coverage since 2017, and that the majority of states had no restrictions around eligible provider types.

Following the passage in 2020 of a series of major pieces of federal COVID-19-related legislation, the CMS took a number of actions to loosen restrictions on, expand the use of, and adjust payment rates, in order to ensure reimbursement for telemedicine services. The list of tele-health codes for which providers can be reimbursed was expanded; payment rates were equalised between in-person and tele-health visits; limitations on the number of times certain services could be provided via tele-health were eliminated; state Medicaid programmes were encouraged to increase access to tele-health; and non-enforcement policies were applied to situations in which a plan or issuer added benefits or reduced or eliminated cost-sharing for tele-health and other remote-care services.

It is as yet unclear whether current reimbursement policies will survive the COVID-19 era. The future of telemedicine reimbursement will depend in large part on the ability of providers, insurers, and states to convince relevant officials of the ongoing value of digital health services.

Corporate practice of medicine prohibitions should be re-evaluated and standardised

State corporate practice of medicine prohibitions restrict corporations from practising medicine or employing physicians to provide professional medical services. Although these regulations vary significantly by state, in general the prohibition is designed to prevent the commercialisation of the practice of medicine, avoid conflicts of interest between a corporation’s obligations to its shareholders and physicians’ obligations to their patients, and eliminate any interference with a physician’s medical judgement.

By their very nature, telemedicine and digital health typically transcend jurisdictional boundaries, meaning that compliance with ownership, employment, and other obligations in one state may not ensure compliance in another. This diversity of rules and exceptions has the effect of limiting the formation, development, and use of telemedicine alternatives for fear of creating legal exposure – particularly when the entities most likely to have the resources and scale to provide effective telemedicine are often corporations.

Rather than modifying restrictions with the goal of supporting appropriate delivery of telemedicine and other medical services, some states are taking a somewhat regressive approach, needlessly tightening corporate practice of medicine restrictions. For example, on 28 April 2021, California Senate Bill 642 cleared the California Senate Health Committee. Among other concerns, SB 642 would impose limitations on some types of contractual arrangements between professional medical corporations (PCs) and entities owned by non-physicians, including corporations, private equity investors, and other businesses. The bill would also require that shareholders, officers, and directors of a PC have “ultimate control” and management responsibility for the entity, and would prevent such persons from being replaced or removed from their positions at the direction of non-physicians.

In a similar vein, several recent court cases have made it clear that in restrictive corporate practice of medicine states, courts will scrutinise medical practice ownership and management carefully when determining whether insurance companies are required to reimburse practitioners for medical services. In Allstate Insurance v Northfield Medical Center, the New Jersey Supreme Court upheld a trial court’s USD4 million verdict in favour of Allstate, in which it ruled that a New York lawyer and a California chiropractor violated the state’s Insurance Fraud Prevention Act because the medical practice was not legitimately structured, in violation of the corporate practice of medicine and was therefore not allowed to submit medical insurance claims. In June 2019, New York State’s highest court ruled in a consolidated action, Andrew Carothers MD, PC v Progressive Insurance Co, that the ownership and control structure of the plaintiff’s practice violated state corporate practice of medicine laws and was ineligible for reimbursement by insurers. Both of these cases found that the corporate structure and operational control over a physician’s practice amounted to false billing, notwithstanding that all care was warranted and rendered by physicians.

Until such time as state legislatures take into account new methods for delivering care — and the financial and operational arrangements that support such methods – telemedicine-providers and healthcare entities that contract with providers will need to scrutinise their contracts and structures on a state-by-state basis to avoid falling foul of state corporate practice of medicine prohibitions.

Fraud, over-utilisation, and malpractice are high-profile, but unlikely, concerns

Loosened restrictions on tele-health have raised some fears of fraud and abuse from telemedicine practitioners, with some also expressing concern that over-utilisation and unnecessary procedures may increase should telemedicine gain a permanent role in the broader healthcare delivery system. Others point to concerns that patients may be more likely to experience medical malpractice.

To date, however, there appears to be no evidence that digital health services give rise to higher rates of fraudulent or inappropriate activity. What is more, fraud and abuse laws are strong, and over-utilisation and potential fraud have always been highly scrutinised by payors. This will continue to be the case, regardless of whether patient interactions occur in person or via telemedicine.

Telemedicine consults can help reduce unnecessary emergency room visits and minimise the use of other pre-emptive procedures, a much more practical and cost-effective (and less invasive) option for patients, providers, and insurers. Likewise, as the number of physicians declines and fewer doctors are taking new patients, especially Medicare patients, many individuals experience delays when attempting to see primary care and specialist providers. Telemedicine can ensure that patients have access to available and appropriate health resources even if they are not in geographic proximity.

Patient data privacy and ethics – and the technologies that support them – will take centre stage

Like all healthcare professionals, telemedicine providers are subject to HIPAA and the HITECH Act, as well as a range of more recent federal and state data privacy and breach notification laws such as the California Consumer Privacy Act (CCPA) and the Illinois Biometric Information Privacy Act (BIPA). Such laws have been established because healthcare data and personally identifiable information (PII) are, simply put, juicy targets for hackers and cyber criminals. In 2020 alone, hundreds of data breaches, often involving data from hundreds of thousands of individuals, were reported to HHS.

A number of the temporary waivers issued by HHS during the pandemic loosened restrictions on the types of technologies through which telemedicine could be conducted. Among other examples, then-Secretary Azar waived sanctions against the use of audio and video communications products such as Skype, Zoom, and Google Meet. As usage of these and other platforms boomed during the pandemic, a number of key vulnerabilities became clear. (In 2020, the Oxford English Dictionary included “zoombombing” among its tech-related words of the year.)

It is likely that, as waivers from HHS and others expire, telemedicine providers will be required to utilise a more limited number of secure tools through which to conduct patient interactions. However, wider exposure to telemedicine has led to rapid acceptance among patients, insurers, and even some regulators — a degree of enthusiasm that must be maintained even as more stringent technology standards return.

Physicians and other practitioners will need to identify the most appropriate service models and technologies that meet their practice and patient needs. Providers should ensure that they seek out and retain the services of reputable vendors that provide full inter-operability with existing electronic medical records (EMR) systems, are willing to sign business associate agreements, and provide reliable customer service while maintaining robust data security measures. Integration and automation are challenges, but they are not insurmountable.

Telemedicine providers will also need to establish and document clear ethical guidelines about what types of patient information can be collected and how it can be disseminated and used to guide care. Patients are in a uniquely vulnerable position when working with providers, particularly those patients whose mental and physical health issues may impair their ability to understand fully or agree to the terms of a telemedicine visit.

A positive side-effect of the pandemic has been the degree to which healthcare-providers have shared — as appropriate and legal — key data that have helped combat COVID-19. Entities that once hoarded information are now making it available in ways that can help shape effective (from cost and outcome perspectives) policy, treatment modalities, and preventive measures. Telemedicine can help support this kind of information and knowledge-sharing — an important argument for expanding its use, even after the current crisis subsides.

Conclusion: telemedicine is here to stay, but the form remains uncertain

As the use of telemedicine has expanded and gained wider acceptance among patients, providers, hospitals, and insurers, it is unlikely that access to telemedicine will be rolled back to a significant degree, even after the expiry of the COVID-19-related temporary waivers. That said, to achieve their full potential, digital health services will need to overcome a number of persistent and emerging barriers. Ultimately, just as online education and work-from-home employment options have changed the lives of students and workers, telemedicine will continue to play a growing role in the delivery of quality care to patients.

Jones Walker

201 St. Charles Ave
New Orleans
LA 70170-5100

+504 582 8000

+504 582 8583


Trends and Development


Jones Walker is the largest law firm in Louisiana and is among the largest in the United States, with more than 350 attorneys across the Southeast and other strategic locations, including Atlanta, Miami, New York City, and Washington, DC. Led by a core group of veteran healthcare attorneys, the Jones Walker healthcare industry team includes attorneys from all of the firm’s major practice areas. Each team member has extensive experience in specific practice areas, as well as in-depth knowledge of today’s healthcare marketplace and regulatory environment. Jones Walker’s nationally recognised telemedicine team has been actively assisting healthcare entities with the structuring and integration of telemedicine systems for more than 20 years. These healthcare entities range from large hospital systems that cross state borders, to hospital-based physician practices, direct-to-consumer telemedicine providers, and manufacturers of medical devices used in telemedicine monitoring and diagnoses.
