HHS Seeks to Facilitate Certain Uses and Disclosures of Health Data to Public Health and Health Oversight Agencies Amidst COVID-19 Nationwide Public Health Emergency

On April 2, 2020, the U.S. Department of Health and Human Services (“HHS”) issued a Notification of Enforcement Discretion (the “Notification”) regarding the disclosure of protected health information (“PHI”) to public health authorities and use of PHI to perform analytics for such authorities.  Designed to “facilitate uses and disclosures for public health and health oversight activities during this nationwide public health emergency,” the Notification relaxes HHS’s enforcement of certain provisions of the Privacy Rule issued under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).  More specifically, the Notification announces that, under certain circumstances, HHS will not impose penalties for violations of such provisions against covered health care providers and their business associates for the use and disclosure of PHI “by business associates for public health and health oversight activities” in connection with the COVID-19 nationwide public health emergency.

AI Update: Using Artificial Intelligence to Combat COVID-19

The rapid spread of COVID-19, along with the effectiveness of existing public health response plans and the impacts of social distancing on the economy, has raised the question of how new technology can be used to address and manage the pandemic. On April 1, 2020, the Stanford Institute for Human-Centered Artificial Intelligence hosted “COVID-19 and AI: A Virtual Conference” to explore the potential applications of artificial intelligence (“AI”) in diagnostics and treatment, epidemiological tracking and forecasting of the spread of COVID-19, and the pandemic’s impacts on the economy, culture, and human behavior.


The Potential Benefits of Digital Health Technology in Managing COVID-19

The COVID-19 crisis is demonstrating the potential of digital health technology to manage some of our greatest public health challenges.  The White House Office of Science and Technology Policy has issued a call to action for technology companies to help the science community answer high-priority scientific questions related to COVID-19.  The Centers for Disease Control and Prevention has also recognized that technology and surveillance systems can play an integral role in supporting the public health response to outbreaks.

The following are just a few examples of how technology has the potential to play an integral role in flattening the curve, limiting the spread of the virus, and assisting in the treatment of infected individuals.  Perhaps the positive impact of these technologies will further accelerate the adoption and importance of digital innovation in healthcare.  However, such innovation still needs to be balanced with the continuing need for safety.

Tracking the Coronavirus Pandemic

Digital health technology can help manage the pandemic by providing an early signal to potential infection.  As widely reported, many public health authorities are limiting test eligibility to symptomatic patients and healthcare workers.  Furthermore, there is a time delay between the onset of physical symptoms and, if the infected individual is able to get a diagnostic test, the receipt of results.

Kinsa Health, a company that uses internet-connected thermometers, has provided smart thermometers to people to record fevers at home.  Users of the smart thermometer can then instantly report their fever and symptoms.  Though the thermometers cannot confirm that a person has the coronavirus, the fever spikes captured by the thermometer are an early signal to potential infection.

Data from the Kinsa thermometer could help health authorities plan their allocation of resources.  The instant reporting feature allows Kinsa to track the spread of fevers, and share the data through its online interactive maps that show where individuals are exhibiting symptoms by zip code.  The clusters of fever spikes can signal to health authorities where to allocate medical resources and where to impose measures to further prevent the transmission of the virus.

Monitoring Hospital Visitors and Patients

Artificial intelligence has also been implemented in hospitals in the United States and abroad to help medical professionals screen visitors and treat infected patients.  Hospitals with access to digital health technology can more effectively monitor and manage the coronavirus pandemic.  For example, in Florida, Tampa General Hospital is using artificial intelligence developed by Care.ai, Inc. to screen hospital visitors with camera-embedded facial scanners that analyze facial attributes and thermal scans to determine whether a visitor is feverish.  Similarly, researchers at the University of Massachusetts Amherst are developing FluSense, an artificial intelligence device intended to analyze cough sounds to assess the potential spread of viral respiratory diseases.  Hospitals are deploying tools like these to help reduce the spread of the virus.

Remote monitoring, another form of artificial intelligence technology, can be implemented by medical facilities to protect staff and carefully monitor patients.  In Israel, for example, Sheba Medical Center has been monitoring patients at remote hospital units in the hospital’s dormitories and underground parking garages.  The sensor technology employed by Sheba, developed by EarlySense Ltd., is positioned under the patient’s mattress and analyzes the patient’s heart rate, respiratory rate, and body movement.  Hospital staff can then monitor the patients remotely and be alerted to deteriorating health conditions as they occur.  This technology not only reduces the medical professional’s exposure to the virus, but also benefits patients by improving the quality of health care.

3-D Printing of Equipment and Materials

3-D printing has been recognized for its potential in crisis remediation, and we are seeing this with COVID-19.  The Chinese used 3-D printed houses for isolation of infected patients.  Facebook has a group, OSCMS, dedicated to the design, validation and sourcing of fabrication of open source emergency medical supplies.  Tips for using 3-D printing to create valves and components for ventilators are being created by technologists and shared by healthcare professionals around the world via tools like Google Docs and WhatsApp.  There are various stories of short-term use ventilators being produced using 3-D printing techniques.

More Examples in China

The China Academy of Information and Communications Technology recently released a full report on the use of big data, AI and smart applications by more than 100 Chinese companies in response to the pandemic. The report concludes that collection and accumulation of data, harmonizing data standards and sufficient data processing capabilities were all key to a more successful response. Specific examples of digital technologies that are promoted by the report for epidemic prevention and control include: (1) “big data monitoring and analysis platforms to analyze the trajectory of confirmed patients, track their contact history, identify the virus transmission route, and predict the development trend of the epidemic situation”; (2) “AI technologies, … online diagnosis, viral genome sequencing” and (3) “cloud computing, big data, AI … applications in epidemic detection, analysis, early warning, prevention and control.”  Interestingly the report also talks about privacy and the importance of anonymization for data sharing even during a crisis.

Balancing Innovation and Safety

As we all struggle with the impacts of the crisis it is heartening to know that human ingenuity is a great source of solutions to our problems.  Perhaps fears with respect to the impacts and risks of technology in healthcare may have been disproportionate when compared to the very real benefits that technology is exhibiting in helping to manage the pandemic and attempt to curb the spread of the virus.  However, we have seen little discussion or coverage of whether these rapid innovations are taking into account regulatory guidance.  We make no comment on the compliance of any of the solutions described in this post, but instead observe that safety and compliance do remain important considerations even when moving rapidly.  As our colleagues posted yesterday, some simple steps can also help in managing litigation risk with these types of innovative technologies.  We have also developed a Coronavirus/COVID-19 Checklist to assist companies that are deploying technology solutions to manage the spread of the virus.

Digital Health Alert: Product Liability Considerations for COVID-19-Related Solutions

Product liability considerations are not likely the first concerns that spring to mind for the many companies working to develop digital health countermeasures and other products related to COVID-19.  Yet even while putting together solutions on an accelerated timeline, there are some straightforward actions that companies can take that may reduce litigation risk down the road.

PREP Act Immunity

First, a company preparing medical countermeasures for COVID-19 should consider whether its activities are immune from suit under the federal Public Readiness & Emergency Preparedness Act (“PREP Act”).[1]  The PREP Act applies to a broadly defined set of activities related to “Covered Countermeasures,” including “the manufacture, testing, development, distribution, administration, and use of the Covered Countermeasures.”[2]  “Covered Countermeasures” include drugs, devices, or biologics used to treat COVID-19, as well as “product[s] or technolog[ies] intended to enhance the use or effect of such” treatments, but only as long as FDA has approved the countermeasure or authorized it for emergency use.  The PREP Act also includes other limitations and restrictions, including the requirement that the activity in question must have a nexus with a federal, state, or local government authorization or agreement.[3]  However, the immunity it provides, if an activity qualifies, is broad.

Regardless of whether the PREP Act applies to a particular digital health application, developers of such applications should consider other measures they can take to reduce liability risk.  Many of the common product liability theories under which a company might be sued, such as design defect and failure to warn, apply a rule of reasonableness, such that a claim often will not succeed if the company took reasonable precautions under the circumstances.  What “reasonable” means in this context will depend on the facts of a particular case, but a company can take several steps to increase the likelihood that a potential litigant or court will view its conduct as reasonable.  These considerations apply to any digital health solution, but especially in the rapidly-evolving COVID-19 environment where there are unlikely to be clear industry guidelines or precedents to follow.

Accuracy and Understandability

First, a company should ensure that its application provides accurate and understandable information.  In addition to carefully reviewing content to confirm its accuracy, a digital health company should conduct testing before consumers use a new product.  Similarly, if an application includes medical content, the company should consider consulting with a healthcare professional.  Such a consultation will help ensure accuracy and completeness and also mitigate the risk of an allegation that individuals with relevant training and expertise were not involved in the design of the product.

Further, if the application offers medical recommendations or recommendations about seeking medical care, a company should 1) thoroughly vet any external sources for accuracy and 2) transparently inform users about the bases for any recommendations.  For example, if the software incorporates (or relies upon) data from external sources, such as the Centers for Disease Control (“CDC”) or the World Health Organization (“WHO”), the application should disclose its use of such sources.  The company should also consider taking the additional step of providing links to such external data sources in the application, which could reduce the risk of a failure-to-warn claim by providing the user with additional independent sources of information.  Finally, companies should develop and present content with the end user in mind.  For instance, the company should present any complex or technical information in a format that an ordinary person could understand.  All of the above steps could serve as evidence that the company took reasonable precautions when developing its product.

Terms of Use/End User Agreement

Terms of use or an end user agreement for the product can provide important legal protections.  A digital health application should require users to review and affirmatively consent to the terms of use, and should require acknowledgment of any disclaimers or warnings, some examples of which are discussed below.  Further, a company should consider including a limitation of liability in the terms of use or end user agreement, as well as a requirement that users indemnify the company for damages resulting from unauthorized or unlawful uses, or any breach of the terms of use.  For example, a clause might limit liability to the fullest extent permissible under the law, including by expressly limiting damages arising from lost profits, lost data access, or lost revenue as a result of using the product.

Warnings and Disclaimers

An application should include appropriate warnings and disclaimers.  Most jurisdictions require a product manufacturer to warn of all known or knowable risks that present a substantial danger when one uses the product in a reasonably foreseeable way.  A digital health company should consider presenting the most important warnings, such as those concerning the health of the consumer, as part of the user experience, rather than in the terms of use or end user agreement.  For example, if the user base includes patients or consumers, the application should advise users to seek medical attention if they experience serious symptoms, and that they could be carriers of COVID-19 even if they remain asymptomatic.  In addition, if the product or software relies on an external data source, such as the CDC or WHO, it should advise users that the information and recommendations provided depend on the accuracy of a third-party data source for which the company does not have responsibility.  Any warnings should also caveat that information about COVID-19 evolves constantly.  Companies should consider taking the additional step of including links to authoritative public health authorities, such as the CDC or WHO, and specifically direct users to access such sources for the most up-to-date information.[4]

Additionally, proper disclaimers can reduce potential liability for breach of warranty.  Generally, there are two types of warranties: 1) express warranties (statements made by the manufacturer or seller of the product to the consumer), and 2) implied warranties (implied in the sale of the product).  A company’s application should explicitly disclaim such warranties, including (in particular) the implied warranties of merchantability and fitness for a particular purpose.

Monitoring for Issues

Finally, a digital health company should consider creating policies and procedures to monitor performance of the application and assess any problems that might arise.  Such steps could serve as important evidence that the company behaved reasonably.  Ideally, this would include a system for users to report problems or concerns, as well as policies to guide the company’s review of such reports and a notification plan for affected users.  Even if a company cannot create such a comprehensive monitoring system, it should at least consider designating an individual with responsibility for monitoring the application’s performance and developing a plan to address any issues that may arise.  Further, a company should consider whether any employees — such as those who might review or evaluate medical information from users — should have medical training or be supported by employees with appropriate medical training.

[1] 42 U.S.C. § 247d-6d.

[2] 85 Fed. Reg. 15201.

[3] 85 Fed. Reg. 15,198, 15,199 (Mar. 17, 2020).

[4] For example, at the time of publication, the CDC maintains a webpage devoted to information on COVID-19.  See CDC, Coronavirus Disease 2019 (COVID-19), https://www.cdc.gov/coronavirus/2019-ncov/index.html.  The WHO maintains a similar website.  See WHO, Coronavirus Disease 2019, https://www.who.int/emergencies/diseases/novel-coronavirus-2019.

COVID-19: FDA Regulatory Considerations for Digital Health Solutions

Digital health companies are playing an important role in the global response to the COVID-19 public health emergency.  For example, the White House Office of Science and Technology Policy issued a Call to Action to the tech community requesting help in answering urgent scientific questions about COVID-19.  As readers of this blog are aware, some digital health solutions are regulated as medical devices.  Recently, Covington put together a briefing on the regulatory considerations for medical device companies as they prepare to respond to the COVID-19 pandemic.  Digital health companies might be interested in slides 35 to 39, which specifically address considerations for COVID-19 digital health solutions that are regulated as medical devices in the U.S.


TechForce19: UK Government promises up to £25,000 for innovator companies that develop digital support solutions for COVID-19

On 23 March 2020, the Department of Health and Social Care (“DHSC”) issued a plea to technology companies to come up with digital support solutions for COVID-19.  The DHSC is making £500,000 available, with funding of up to £25,000 per company.  The challenge, named TechForce19, aims to increase community support for the elderly, vulnerable and self-isolating.

This will be of interest to any innovative companies able to develop and deploy technology in one of TechForce19’s three priority areas:

  1. remote social care;
  2. optimising staffing in care and volunteering sectors; and
  3. mental health.

The proposed digital solutions should aim to address community problems, not clinical problems, and should not require integration with NHS systems.  The technology may focus on, for example, delivery, recruitment and management of services to facilitate and ease pressure on one or more of the three priority areas during COVID-19.

TechForce19 has been launched by NHSx, the joint organisation for the digital transformation of the UK health and care system, which brings together the DHSC, NHS England and NHS Improvement.  PUBLIC, a GovTech venture firm, will manage TechForce19 for no profit.

Interested companies can apply here.

Please note that developing these digital support solutions will likely raise a myriad of regulatory, privacy and commercial issues.  Covington’s Digital Health team is here to provide support and would be happy to speak with any companies who wish to bring innovative and essential products to the market at this important time.

HHS Relaxes Enforcement of Certain HIPAA Provisions Amidst COVID-19 Nationwide Public Health Emergency

This month, the U.S. Department of Health and Human Services (“HHS”) issued guidance waiving enforcement of certain provisions of the Health Insurance Portability and Accountability Act (“HIPAA”) in response to the COVID-19 nationwide public health emergency.

Covered Health Care Providers

On March 17, 2020, the Department of Health and Human Services Office for Civil Rights (“OCR”) announced that it will exercise enforcement discretion for health care providers communicating with patients and providing telehealth services through remote communications technologies during the COVID-19 nationwide public health emergency. OCR’s Notification of Enforcement Discretion states that it will waive sanctions and penalties for HIPAA violations connected to the “good faith” provision of telehealth through the use of audio or video communication technologies. Covered health care providers may use certain technologies for telehealth services, even if the technologies or the manner in which they are used by health care providers do not comply with the HIPAA Rules.

Under the Notification, OCR permits health care providers to use non-public facing audio or video applications – i.e., those applications not accessible from the Internet but only from within the internal network – for the purpose of assessing and treating a patient exhibiting COVID-19 symptoms or other medical conditions not related to COVID-19. OCR encourages providers to enable all available encryption and privacy modes for the applications and to notify their patients that there may be privacy risks. OCR emphasizes that health care providers are not allowed to use public facing applications for the provision of telehealth.

Covered health care providers who want additional privacy protections are encouraged to use technology vendors that are HIPAA compliant and will enter into a business associate agreement (“BAA”) for their video communication products. OCR’s Notification contains a list of vendors that represent they are HIPAA-compliant, but notes that OCR has not reviewed the BAAs offered by these vendors. During the COVID-19 nationwide public health emergency, OCR will not impose penalties related to the good faith provision of telehealth services for covered health care providers that do not have a BAA with video communication vendors.

Covered Hospitals

Effective March 15, 2020, HHS will also waive sanctions and penalties for covered hospitals that do not comply with certain provisions of the HIPAA Privacy Rule. The limited waiver states that covered hospitals will not risk HIPAA violations for failing to comply with:

  • the requirement to obtain patient authorization to speak with family members or friends involved with the patient’s care;
  • the requirement to honor a patient’s request to opt out of the facility directory;
  • the requirement to distribute a notice of privacy practices;
  • the patient’s right to request additional privacy restrictions; and
  • the patient’s right to request confidential communications.

This limited waiver applies only (1) in the emergency area identified in the public health emergency declaration; (2) to covered hospitals that have instituted a disaster protocol; and (3) for up to 72 hours after the hospital implements its disaster protocol. Once the declaration of a public health emergency is terminated, covered hospitals must resume compliance with all HIPAA requirements for any patient under their care.

FCC Clarifies that COVID-19 “Emergency Purposes” Calls/Text are Not Subject to “Prior Express Consent” Requirement

On March 20, the Federal Communications Commission (“FCC”) on its own motion released a Declaratory Ruling to confirm that the COVID-19 pandemic constitutes an “emergency” under the Telephone Consumer Protection Act (“TCPA”); as a consequence, hospitals, health care providers, state and local health officials, and other government officials may lawfully communicate through automated or prerecorded calls (which include text messages) information about the coronavirus and mitigation measures to mobile telephone numbers and certain other numbers (such as those of first responders) without “prior express consent.”

Covington Publishes Coronavirus/COVID-19 Checklist for Technology Solutions

To assist companies that are developing technology solutions to help predict, mitigate or contain the spread of COVID-19, our cross-practice digital health team has put together a checklist of considerations to keep in mind (available here).

For additional guidance, please visit our COVID-19 Legal and Business Toolkit (available here).

HHS Finalizes Interoperability Rules

On March 9, 2020, the Department of Health and Human Services (HHS) issued two final rules aimed at improving patient access to electronic health information (EHI), as well as the standardization of modes of exchange for EHI.  The rules, which were issued by the Office of the National Coordinator for Health Information Technology (ONC) and the Centers for Medicare & Medicaid Services (CMS), implement provisions of the 21st Century Cures Act and introduce new requirements for increasing interoperability.  We previously covered the proposed rules, which were released on March 4, 2019.

ONC’s final rule focuses on preventing information blocking and providing patients with greater control over their health data and is an important step towards promoting greater care coordination across various settings of care.  The rule directly regulates healthcare providers, developers of certain health IT, health information exchanges, and health information networks, and raises strategic considerations for companies partnering with these regulated stakeholders.  Key provisions of the final rule include:

  • Standardized Criteria for APIs: The final rule establishes standards for application programming interfaces (APIs) to improve the exchange of EHI and to enable patients to access their health information at no cost. Developers must ensure that their systems can communicate with third-party users, which include consumer apps.  ONC finalized the technical standard for API, adopting the Health Level® 7 (HL7) Fast Healthcare Interoperability Resources® (FHIR) 4.0.1.
  • Information Blocking and Exceptions: The Cures Act prohibits “information blocking,” defined broadly to mean practices that are likely to interfere with, prevent, or materially discourage the access, exchange, or use of EHI.  The rule finalizes the seven “reasonable and necessary” exceptions to the Cures Act’s prohibition of information blocking that were included in the proposed rule.  These include, for example, activities to protect patient safety, privacy, and the security of EHI.  The final rule also adds an eighth “Content and Manner Exception,” under which it will not be information blocking for an actor to limit the manner in which it responds to a request to access, exchange, or use EHI or the contents of the response, provided certain conditions are met.  Actors that engage in practices that do not meet one of the eight exceptions will not automatically be considered to have engaged in information blocking; instead, such practices will be evaluated on a case-by-case basis.  Vendors, providers, and others will have six months to comply with the information blocking provision.  Enforcement of associated civil monetary penalties (CMPs) will not begin until the CMP rules are established through future rulemaking.
  • Conditions and Maintenance of Certification: The final rule establishes Conditions and Maintenance of Certification requirements for health IT developers.  The conditions require, for example, assurances that the developer will not engage in information blocking, compliance with API technical requirements, and real-world testing.
  • Access, Exchange, and Use Definitions: The final rule revised the proposed rule’s definitions of “access,” “exchange,” and “use.”  ONC made clear that “access” includes the ability or means necessary to make EHI available for exchange and not only for use.  ONC stated that the definition of “exchange” includes all transmissions, and is not limited to one-way transmissions.

CMS’s final rule on interoperability and patient access to health data applies to certain federally regulated payers, including Medicaid, the Children’s Health Insurance Program (CHIP), Medicare Advantage (MA), and certain Qualified Health Plan (QHP) issuers on the federally-facilitated exchanges (FFEs).[1]  The final rule establishes policies to improve the exchange of health data to facilitate greater patient access to EHI.  Key provisions of the final rule (which largely track the proposed rule) include:

  • Patient Access API: The final rule requires health plans to implement and maintain a standards-based Patient Access API that meets the technical standards finalized in ONC’s final rule.  The Patient Access API must make certain health data available, including at a minimum, adjudicated claims, encounters with capitated providers, and some clinical data.  Plans must make data with a date of service on or after January 1, 2016, available through the Patient Access API.  Plans must also permit third-party applications to access and retrieve health data through the Patient Access API, with the approval and at the direction of a current enrollee.  The Patient Access API must be fully implemented by January 1, 2021 (or for QHP issuers on the FFEs, by the first day of plan years beginning on or after January 1, 2021).
  • Provider Directory API: Plans must make provider directory information available through a public-facing Provider Directory API accessible on the plan’s website.  Directory information must include, at a minimum, provider names, addresses, phone numbers, and specialties, plus pharmacy information for MA plans that offer prescription drug benefits (MA-PDs).  All information must be made available within 30 days of a plan receiving new or updated provider directory information.  The Provider Directory API must be fully implemented by January 1, 2021.
  • Payer-to-Payer Data Exchange: The final rule requires MA organizations, Medicaid and CHIP managed care entities, and QHP issuers on the FFEs to coordinate care between plans by exchanging specific data elements from the content and vocabulary standard finalized in ONC’s final rule.  The CMS final rule clarifies that plans must send specific data, with the approval and at the direction of a current or former enrollee, to “any other payer identified by the enrollee.”  A plan is required to send data received under the payer-to-payer exchange only in the electronic form and format in which it was received.  Moreover, plans are required to exchange only data corresponding to dates of service on or after January 1, 2016.  Plans must fully implement the payer-to-payer data exchange by January 1, 2022 (or for QHP issuers on the FFEs, by the first day of plan years beginning on or after January 1, 2022).
  • Publication of Information Blocking: The final rule provides that, beginning in late 2020, CMS will publicize a list of clinicians and hospitals that may be engaging in information blocking practices that could prevent the disclosure and use of EHI, based on the providers’ responses to attestation statements.
  • Admission, Discharge, and Transfer Notifications: The final rule modifies the Conditions of Participation for Medicare- and Medicaid-participating hospitals that utilize electronic medical records systems or other electronic administrative systems.  The rule requires hospitals, including psychiatric hospitals and critical access hospitals, to send electronic notifications of a patient’s admission, discharge, or transfer to all applicable post-acute care services providers, primary care practitioners and groups, and other practitioners and groups identified by the patient as primarily responsible for his or her care and who need to receive information on the patient’s status for treatment, care coordination, or quality improvement purposes.  This requirement will become effective six months after publication of the final rule.

Notably, CMS did not finalize its proposal to require certain health plans to participate in trust exchange networks to improve interoperability.  Commenters generally supported the proposal, but some raised concerns that CMS should wait until ONC developed a mature Trusted Exchange Framework and Common Agreement (TEFCA) before finalizing the requirement.  CMS stated that, due to these and other concerns, it was not finalizing the policy at this time.

[1] The final rule does not apply to QHP issuers offering only stand-alone dental plans (SADPs) or offering coverage only in the federally-facilitated Small Business Health Options Program Exchanges (FF-SHOPs).