Five To-Do’s for Telemed Companies Before the Public Health Emergency Ends

01 June 2021 | Blog
Author(s): Aaron T. Maguregui, Nathaniel M. Lacktman
Published To: Health Care Law Today, Coronavirus Resource Center: Back to Business

This article originally appeared in Bloomberg Law on May 26, 2021.

Patient privacy will continue to be a top priority for regulators as patients continue to rely heavily on telemedicine. Foley & Lardner LLP attorneys say taking steps now to ensure compliance with HIPAA will put vendors and health-care providers ahead of what is sure to be a hectic and confusing time as the public health emergency waivers and federal enforcement discretion come to an end.

Data privacy is already a popular topic among lawmakers and, given the explosive growth of telemedicine in the past several years and the relative lack of privacy enforcement during the COVID-19 public health emergency (PHE), patient data privacy will soon be a top priority for regulators reviewing the practices of tech-enabled health-care services companies, particularly telemedicine and digital health.

During the PHE, the Department of Health and Human Services Office for Civil Rights (OCR) announced that it would not impose penalties for HIPAA violations occurring in the good-faith provision of telehealth services. This enforcement discretion prompted telemedicine providers to adopt consumer communications technology not previously used for health care or vetted for HIPAA compliance. Note that the notification covered only non-public-facing remote communication products; public-facing services (live-streaming platforms, for example) were never within its scope.

Alongside the use of these (often less secure) platforms, health tech companies have increasingly looked to patient data as an asset, building data lakes and data mining programs at a scale never before seen in health care.

Concurrently, the rise of “patient as consumer” has led telemedicine companies to draw on e-commerce principles to create a better user experience with the goal of converting users into patients (or vice versa). Website data analytics and advertising tools built for direct-to-consumer (DTC) non-health care e-commerce are now used by health-care companies.

This has made drawing the line between the non-health care data of the “user” versus protected health information (PHI) of the “patient” particularly tricky when the same person is simultaneously a user of a technology company and a patient of the company’s affiliated medical group.

To improve the user experience, this new wave of health tech companies relies on data collected from users and subsequently shared with data analytics and advertising services to gain insights into user behavior. Some companies go so far as to retarget the user with advertising if the user leaves the website without booking a telemedicine appointment. These types of data disclosures implicate the HIPAA Privacy Rule for HIPAA-regulated health-care providers and their vendors.

A Patient Scenario Demonstrates Privacy Issues

For example, consider a patient who visits his provider’s telemedicine website, seeking information related to diabetes. The provider’s goal may be to convert the patient’s curiosity about diabetes into a telemedicine appointment. Then suppose the patient browses the information online but does not schedule an appointment. The provider has a contract with a data analytics vendor, where that patient’s browsing data, IP address, and other unique identifiers are shared and analyzed by the vendor to generate insight on potential reasons why this patient did not schedule an appointment. Moreover, the patient’s “cart abandonment” might trigger an automated call to action (e.g., an email or text message prompting the patient to complete his checkout and book an appointment).

These are otherwise basic DTC e-commerce tactics that become significantly thornier when used in the health-care industry. An IP address and "any other unique identifying number, characteristic, or code" are two of the 18 identifiers listed in HIPAA's Safe Harbor de-identification standard; when a HIPAA-regulated provider collects them alongside health-related browsing activity, the resulting data can constitute PHI. To disclose PHI to a third party, like a data analytics vendor, there must be a proper business associate agreement between the vendor and the telemedicine platform provider or health-care provider, and, depending on the purpose of the disclosure (marketing, for example), a patient authorization may also be required.

Many of the most widely used data analytics vendors in e-commerce will not sign a business associate agreement, and some go as far as mandating that any organization regulated by HIPAA not share PHI with them.

So the question for the company in this example is whether this disclosure of PHI can be structured in compliance with the HIPAA Privacy Rule and, if so, how to do so while maintaining a delightful user experience. These types of data disclosures and marketing practices are all but certain to draw the attention of both HHS OCR and the Federal Trade Commission over the next few years.

Get Ready for the End of Waivers

The PHE and its associated waivers, including for privacy and security violations, will end. Telemedicine companies should develop a strategy now for how they will operate after the waivers end.

Below are five concrete steps telemedicine and digital health companies can take now to best position themselves for robust and compliant operations:

  • Conduct, under attorney-client privilege, a risk assessment of health data maintained and transmitted by the organization (the HIPAA Security Rule already requires a periodic risk analysis, so this also closes a standing compliance gap if one has not been done).
  • Conduct third-party diligence on all vendors who maintain PHI, including telemedicine platform, data analytics, and electronic health record vendors.
  • Review the data collection practices of the company’s website and app, including analytics scripts, advertising pixels, and retargeting tools, then determine whether those practices comply with HIPAA and state law.
  • Review the company’s privacy documents (e.g., HIPAA policies and procedures, notice of privacy practices, online privacy policy, online terms of use, patient-user authorizations, and record retention policies) to ensure the company is not missing any key documents and that the documents that do exist have been updated to reflect the company’s current data practices.
  • If the company has data vendors that refuse to sign a business associate agreement, consider alternative vendors willing to do so, or stop sending PHI to the vendors that refuse.

This article does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owner.
