The use and development of health apps has exploded over the past several years. Jon Moore, Chief Risk Officer and Senior Vice President of Consulting Services, Clearwater, speaks with Robert Kantrowitz, Associate, Kirkland & Ellis, about the legal framework surrounding health apps and what is currently happening in the industry. They discuss trends related to M&A and investment, the FTC’s role in regulating the industry, and rules regarding breaches. Jon and Rob spoke about this topic at AHLA’s April 2022 virtual program, Health Care Data: Navigating Legal and Operational Challenges. Sponsored by Clearwater.
To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.
The use and development of health apps has exploded over the past several years. Jon Moore, Chief Risk Officer and Senior Vice President of Consulting Services, Clearwater, speaks with Robert Kantrowitz, Associate, Kirkland & Ellis, about the legal framework surrounding health apps and what is currently happening in the industry. They discuss trends related to M&A and investment, the FTC’s role in regulating the industry, and rules regarding breaches. Jon and Rob spoke about this topic at AHLA’s April 2022 virtual program, Health Care Data: Navigating Legal and Operational Challenges. Sponsored by Clearwater.
To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.
Support for ALA comes from Clearwater, the leading provider of enterprise cyber risk management and HIPAA compliance software and services for healthcare organizations, including health systems, physician groups, and health. It companies, their solutions include their proprietary software as a service based platform, IRM pro, which helps organizations manage cyber risk and HIPAA compliance across the enterprise and advisory support from their deep team of information security experts. For more information, visit Clearwater compliance.com.
Speaker 2:Hello everyone. And welcome to another a HLA speaking of health law podcast. My name is John Moore. I'm the chief risk officer and senior vice president of consulting services. At Clearwater. We provide cybersecurity cyber risk management and compliance services across the healthcare industry. And with me today, I have Robert Trotz and, uh, Rob, do you wanna introduce yourself?
Speaker 3:Sure thing. Uh, uh, I'm my name's Rob, Rob Cantz. Uh, I'm, uh, an associate here at Kirkland Elli in the, in the New York office. And, uh, I specialize in, uh, healthcare, uh, mergers and acquisitions.
Speaker 2:Great. And so Rob and I, uh, we recently had an opportunity to present at an ALA conference talking about, uh, health apps and, uh, legal framework to health apps. I was hoping, uh, Rob, we could talk a little bit about that again today, if that's okay with you.
Speaker 3:Uh, I'd love to
Speaker 2:<laugh> all right. Uh, so I, you know, I threw out that term, uh, health apps and, and that's become a, a, a broader and perhaps more difficult, uh, category to, to talk about, but I'll do my best sort of to set this stage for, for folks when I'm, when we're referencing health apps, that can mean a, a number of different things, uh, some typical categories, and I'll, I'll say categories, however, these are getting sort of merged and blended over time, but things like clinical and, and diagnostic assistance, remote monitoring type of apps, particularly in telehealth situations, clinical reference apps, uh, that providers in particular might use, uh, productivity apps, healthy lifestyle, uh, type of, of applications now that are becoming more and more common, um, for the, in the consumer market. Uh, so there's all these different sorts of, of, uh, uh, applications out there related to healthcare, uh, fitness wellness type of things that are falling into these categories. And again, those categories are starting to, to merge over time, but typically the data that would be processed by this type of app would include sorted identifying information. That would be the, the, your user contact information, username, passwords, all the typical stuff that we have and associated with applications and using applications, medical history information, uh, potentially certainly when we're talking about applications that are, uh, pulling in medical records in particular, that kind of information, diet, fitness, history, um, sensors that track our movement and those types of things, uh, like the, the Fitbits and other, uh, uh, applications and things that are out there, potentially financial information that we're pulling in, in particular from, from payer type of organizations, uh, other device information too, that, you know, we have, uh, particularly when we're running these things on a phone, there's often a unique identifier, GPS, location, history, IP address, et cetera. And, and another thing which we'll talk a little bit about is, um, to a certain extent, it per, it, it, what rules are applicable are dependent on the source of that application and by source, I mean, from whom as the user obtained, it, um, in some cases, for example, that might be from their provider, uh, you go to your provider's website and you, and you download or access an application, uh, perhaps with your patient records and that kind of thing. Um, payers oftentimes will have a similar portal type of, of situation that allows access to your, uh, insurance information. Um, third party, uh, third parties as well. Sometimes those are business acting as business associates and then part of providers, or it may just be health app developers themselves that, that are not acting in the capacity of a, of a business associate. And of course there's medical device suppliers, and as well. And we'll talk a bit about that and those categories again, can overlap. So that's, that's what we're talking about, at least Rob Soki with you. That's how I'm gonna define, um, what we're talking about today. And, uh, and so let's, let's get to it. Um, before we, we jump into kind of the legal framework, Rob, you know, given your, your area of, of expertise and your insight into kind of what's going on out there in particular around transactions. Can you tell us a little bit about, uh, what's happening in the industry in regard to health apps and investment, et cetera, in that area right now?
Speaker 3:Got it. Yeah. Yeah. Uh, that, that works. Uh, I, I appreciate the, the background for, for our audience here. Uh, I think that's, that's helpful context. So I think it's probably no surprise that health app development has seen tremendous growth over the past decade or so. And the metrics speak for themselves. I've seen reports showing that in, you know, around 2015, 50% of, of doctors said they use these mobile health apps. Uh, and I believe for the past few years now, the, the USS numbers in terms of individuals has almost doubled, uh, year over year. And in last year, you could find more than 350,000 digital health apps available at the different app stores. And I think I, I saw the number in 2021, the, the global health apps market size was valued at almost 40 billion. So this is, you know, pretty substantial. And, and so seeing all this production and use, right, I mean, you, you see that there's obviously demand, right? So, uh, the production and valuation of this sector wouldn't be so high if there wasn't. Uh, and I think what's driving this demand is, is a few things, uh, not to stay the obvious, but some of this growth can be, uh, attributed to just the general smartphone adoption, right? Uh, the, the flip phone days weren't that long ago. I mean, I think the first iPhone was only released in 2007, uh, and without the smartphone and the, the increased functionality, you, we all see today on our, on our devices, uh, you don't really get the health apps and, or this growth that we've seen in their adoption and, uh, you know, creation. Uh, but I think the more recent explosion has been the general awareness of these apps, uh, and interest in self care and getting a better, an understanding of one's wellbeing. Uh, and I think just the general acceptance and encouragement from the, uh, medical community, like I said earlier, uh, a good percentage of, of doctors use these things and then tell their patients, uh, to use the apps, uh, in other factors that many of these apps are, are tied to wearables. And, uh, we've seen the gr the growth in wearables, uh, over these recent years. And, and when I say wearables, I mean, for example, like smart watches, certain clothes, glasses, and other types of cen sensors. So I think we've seen, you know, uh, hundreds of millions of whale wearables were shipped. And, and I think the year 20, 20 and 2021. So these are, you know, also tied to, to the health apps and we'll, and we'll go into that, uh, uh, perhaps perhaps later in some more detail, but just to stick with the, the growth aspect here, uh, there's some functionality, uh, that's gotten better too. And we we've seen that smart watches, you know, which everyone knows they, you know, they can track steps, heart rate, and calories, right. But now there there's some wearables that allow diabetes patients to reach their blood glucose levels, uh, through an app on their phones and then, you know, connects to a sensor that's attached to their bodies. So obviously the, you know, the, the increase in this functionality is makes people very interested in, in using them. So now the, to pivot, if I can a little bit on the healthcare, an a side, which is, uh, you know, what I, what I mentioned earlier is, is, is close to my practice. Uh, there's definitely an increased investment in this space. Uh, so, so obviously investors have taken note of the growth that I was just mentioning earlier and, uh, digital health investment around the world, I think hidden all time, high of 57.2 billion in, uh, funding in 2021. And, you know, in part that was Fu fueled by rapidly developing need to, uh, provide, you know, digital solutions and, and certain delivery models to patients during the, the COVID 19 pandemic. Um, particularly in my practice, we've seen, uh, uh, D uh, tremendous deal flow in the healthcare sector that has really just been nonstop, uh, since I would say, uh, a few years back. Um, and, and I'd say, uh, there was a little, maybe a little low earlier this year, but it's certainly ramped up again. Uh, and we're seeing a lot of deals in the health. It space really, really pick up. Um, and, and it's not just the, the, the total investment that's growing, I think, and, and other, and other thing that, that I've seen is that there's just larger deals at higher elevate at higher valuations are, are also something that, that I've seen. Um, and I think I saw a report estimated, uh, 195% increase in valuations from 2020 to 2021, which is just, um, just amazing. Uh, and, and another thing I've noticed is, is really just a seller's market, too. You know, the multiples have very high in terms of valuations, even these younger, smaller companies have com continue to command higher multiples, uh, earlier in their life cycle of businesses. I think some people can maybe, uh, say that's in relation in relation to specs and stuff like that, but it's also not heard of to see, you know, uh, 20 X or more EBITDA multiples. Um, this has really just, just been a, a hot area,
Speaker 2:Certainly, uh, certainly from that investment perspective it has. And, and it also, I'm, I'm not sure if everyone's aware, but as the, uh, I' the promoting interoperability, uh, rules that came out a little while back that are now being implemented, uh, causing providers and payers in particular to implement APIs on, uh, that allow access, uh, to patients and policy holders to their, um, personal health records, etcetera, through third party applications. One of the, the object stated objectives of that regulation was to increase the competition amongst third party app health app providers for that, uh, specific functionality. So there's, you know, clearly from a, from, uh, investment perspective, there's a lot of interest in this area. As you pointed out, Rob from a, a public policy perspective, there's interest in promoting, um, the use of, of health apps, certainly in, in the area of, uh, providing better access to medical information and the part of patients, um, also of course, telehealth, which has become in no small part accelerated, I think because of the, the, um, COVID situation is, is also growing and, you know, and it's interesting while that's all happening and there's all this activity, there's been some recent, um, studies in one particular I saw from Accenture that suggests that adoption, however, may be stalling. And one of the things that, um, surprised me in particular was adoption in that 18 to 34 year old age group, which I is one where you would think there would be the most adoption from a technology perspective. And of course, you know, one of the, the big issues cited by, uh, that group in that study was concerns around security and privacy. And, and that too, I think, excuse me, is not surprising, uh, given all of the, the press that we've seen recently with, uh, healthcare breaches and, and just breaches in general associated with security. So I think that, uh, you know, for, for the investment to pay off for the goals and objectives from a public policy perspective to be successful, um, we're, we're gonna have to, to get a grip on all of this, certainly from a legal structure perspective. Uh, Rob, could you tell us a little bit about kind of what that existing legal framework is that would be applicable to the health application, uh, environment?
Speaker 3:Sure. So, so I think there, there are three, uh, I, I guess, pillars of the, the framework applicable to, to these health apps, uh, one is HIPAA or the health insurance portability and accountability act, uh, and, and under HIPAA, you know, it's the office for civil rights, uh, within the department of us health and, uh, human services, which enforces these HIPAA rules. Um, and generally, you know, HIPAA protects privacy and security of certain health information and, uh, requires certain entities provide notification of health information breaches. Uh, the other is the federal food drug and cosmetic act, uh, the FDA enforces, uh, this act and which regulates basically, you know, safety effectiveness of medical devices, uh, and certain mobile, uh, medical apps, not, you know, not just food and drugs, um, but also these devices. And then there's the federal trade commission act. Uh, the FTC enforces the FTC act, uh, which essentially, uh, prohibits deceptive or unfair acts are practices affecting commerce. Uh, and this includes those relating to privacy, uh, data security and those, you know, involving false or misleading claims about apps, safety, or performance, things like that.
Speaker 2:So when I was kind of describing the, the topic area in particular, I pointed out that, you know, application users can, can get access to or provided, uh, by their, by those applications to a number of different sources, including their providers, business associates, third party developers, et cetera. Um, I did that for a reason and the reason was to set up this question<laugh> so can you tell us, you know, why is that important? Why does it matter, uh, from where, uh, a user might get their application?
Speaker 3:Oh yeah. Well, well played John, uh, the, the source of the information, uh, generally, you know, determines which of the regimes I just mentioned, uh, apply. So, you know, at, at a high level, uh, if the source of the information is a covered entity, you know, such as your doctor, uh, or if that doctor's business associate, uh, then it would, this would likely fall under HIPAA's purview. Uh, if the source of the information is from a third party app developer or another party, that's not subject to HIPAA, then the FTCs rules would, would generally cover this information. Uh, and then, you know, third, if, if the information is from a provider or from a medical device manufacturer related to the use of an app, um, that would meet the definition of a medical device, uh, per the FDA, then, uh, the food drug and cosmetic act, uh, would, would apply to the app.
Speaker 2:Yeah, I'm gonna, I'm gonna guess that HIPAA is probably the, the most familiar of those to, to folks on listen to an, a HLA, uh, podcast. Certainly, you know, the security, privacy breach notification rules come into play there. Uh, and, and as you mentioned, you know, the, from whom one obtains, their application plays a big role in, in whether or not HIPAA applies. Uh, certainly if you're getting that directly from a provider or a business associate on behalf of a provider, NetApp contains electronic protected health information, you're gonna run into a situation where, where HIPAA applies. One of the kind of nuances around that I mentioned earlier, the, um, the new rules, which require the implementation of APIs, um, to provide access to, to patient records and, and, uh, insurance records, that kind of information, depending on whether we're talking about the provider or the payer APIs and, and the, um, need to make those APIs accessible to third party app providers. If, if I, as a patient, um, get my third party app from a app developer, that's not acting on behalf of a provider, uh, or isn't a provider themselves, which is another interesting question, but, um, is not a provider themselves. Then interestingly, once that, that EPH H I gets into my app, it no longer, uh, is governed by HIPAA, which is, I think an important distinction. It' probably cause a lot of confusion in the, in the consumer, uh, world, but the, the obligation of the provider to protect that information, according to the HIPAA rules ends when that data crosses over into that third party application. So something that, uh, I think folks need to be, um, aware of, certainly on, on that little bit of a distinction, uh, Robbie mentioned to FTC, how does the FTC play in, in this a little bit more?
Speaker 3:Uh, yeah. Um, and I think that's a very important distinction think extremely helpful. Um, but anyways, so on the FTC, uh, so the federal trade commission act was adopted in 1914 and under the act, uh, as currently amended the, the FTC is, you know, acting as the nation's consumer protection agency is empowered. As I mentioned before, you know, among other things, other things to prevent unfair methods of competition and unfair deceptive acts or practices, intersecting commerce. Um, this is under section five of the FTC act and the FTC can prescribe rules, defining acts or practices that it deems unfair, deceptive, right, and establishing requirements, uh, designed to prevent such acts. Uh, and then under section six, they they're able to, you know, is the enforcement part where they're, they're able to seek monetary redress or other relief for, for conduct that's, you know, injurous to con to, to consumers. So basically in a nutshell, the FTC act, uh, prohibits companies from misleading their consumers or engaging in any unfair practices that may harm consumers. So, as I mentioned earlier, the, the FTC enforcement of deceptive act or unfair practices, uh, includes those relating to privacy and data security. And, and those involving certain claims about, let's say, uh, at health apps, safety or performance. So that's where, you know, the FTC kind of jumps in. So, uh, I think, you know, most relevant to, to our discussion today is, you know, in September of, of last year, 2021, uh, the FTC issued a policy statement clarifying that, uh, it's health breach notification rule applies to makers of health apps and connected devices and other similar products. Uh, so taking a step back for a second that the health breach notification rule itself was issued more than a decade ago. So that's not necessarily new, but this policy statement is. And so the FTC noted that the explosion of health apps as, as we were discussing earlier and connected devices makes its requirements, uh, with them really important to FDCs oversight going forward, uh, and under, under their statement, the FDC advised, uh, mobile health apps, uh, their developers, I mean, to examine their obligations under the, the health, uh, breach certification role. So, uh, to get a little technical for a second, uh, and when people look at the rule, they might see the terms thrown out there. So the rule really applies to when they under the rule, a vendor of personal health records, or you'll, you'll hear me say PHRs, uh, which is essentially the, the health app developers themselves. Uh, it then applies to PHR related entities, which is the company that sends or receives, uh, health app data, uh, such as the, a company that offers the fitness track. And again, just, just wanna stop and note for a second that this is, you know, these are entities that are not already covered by HIPAA. So FTC is, you know, more or less filling the gaps. Uh, and then third is, uh, the third party service provider for, you know, vendors of PHR or PHR related entities. And so these are essentially businesses that provide billing that collection other, you know, storage services related to that health information, such entities. I think it's, you know, for those who are familiar with the, the HIPAA space, very similar to, to like a business associate under HIPAA,
Speaker 2:Right. I think you mentioned the fitness tracker, is that the kind of an app that would fall under the FTC enforcement typically? Or is there an example that, um, that you could give that folks might be somewhat familiar with that would fall under FTC enforcement?
Speaker 3:Yep. Yep. So, so that, that's exactly right. That's one of, one of the examples, I think even maybe FTC points it out as one of the examples. Um, but in short, uh, the many companies that, you know, collect people's health information, whether it's the fitness tractor, a diet app, connected blood pressure cuff or something, something similar, those aren't covered by HIPAA would fall under FTC enforcement. Um, so I think specifically the FTC considers, uh, apps covered by the health breach notification rule. Uh, I specifically the FTC describes as when it's capable of drawing information from multiple sources, such as your combination of consumer, uh, inputs, uh, and APIs. So I think, uh, one example FTC provides is that, uh, an app is covered if it collects information directly from consumer, but also has the, the technical capacity to draw information through an API that enables, uh, syncing with say a fitness tracker as we've been using. Um, before similarly though, the app that draws information from multiple sources is also covered, um, even if the information comes from only one source. So for the health information, I mean, so for example, if say a, a blood glucose monitor, uh, application draws information, uh, the health information from the consumer's inputted blood sugars levels from one source, but then takes their non-health related information and say contacts or, uh, date dates from the, the calendar. Uh, it's also covered under the rule.
Speaker 2:Great. And I'd probably be remiss if I didn't mention at this time, anyone who's would is interested in perhaps an even deeper dive into the FTC health breach notification rule and their, their recent statements in regard to the interpretation of the application of that role. There was a previous HLA podcast that, that, uh, I had the, for good fortune of doing with Ty cam from Microsoft and Adam Green from, uh, Davis Wright and Tremaine that I would, would recommend, uh, if, if, if this is the kind of thing that, uh, you enjoy hearing even more about. And, uh, and so thanks Robin. And we mentioned, of course, the, the FDA, and, and there's gonna be cases obviously where specific, and I think this may even become more common specifically where an app is intended to, to diagnose, cure, mitigate, treat, or prevent a disease. And of course it has to have both the functionality, but also the intended use, uh, to diagnose, cure, mitigate, or treat, or know cure mitigator treat, or prevent a disease. And I'll, I'll give you an example of why that's important, but if that's the case, then, then it starts to fall into the FDA and becomes a medical device. And, and, uh, then we get into a question of their risk to the, to the user, uh, if it's minimal risk, the FDA doesn't necessarily enforce that. Uh, but if there's a potential significant risk to the individual, then you're gonna fall into the regulation, regulated medical device rules. And, and I, I mentioned, it's not just a functionality, but the in intended use, I'll give you this. And I think this is still the case with the apple watch. The apple watch has an EKG functionality that apple spent significant, uh, time to get approved as a medical device, um, for, uh, software embedded in medical device for, for that functionality specifically of the apple watch. However, they also have an oxygen monitor functionality within the watch that they didn't get approved. There's probably a number of reasons why they didn't that, but didn't do that. But, uh, one of the reasons cited is, well, that's just for fun and wellness and not to be relied on. So I'm not sure that the users are necessarily aware, very aware of that distinction, but, but certainly, um, comes into an interest, some interesting questions about whether or not something needs to go through the, the medical device, uh, process. And if you're interested more, there was recently, um, recently as in the early last month, uh, new guidance that came draft guidance that came out from the FDA on cybersecurity and medical devices, quality system considerations and content pre-marketing submissions. I think that's still open for comment right now for those, uh, who are interested in, in that, uh, particular area, Rob, the, you know, one of the, I guess, the big concerns, and we mentioned this in passing now, I think throughout the, the discussion today is, is a situation of a breach. And certainly from a consumer perspective, you know, that's one of the things I, I think probably, uh, is in the back of their mind, or is coming more and more in the back of folks' mind is what, what are the rules regarding breach and of a health app?
Speaker 3:You know, obviously you don't wanna get to that point, but, uh, if, if, if it, if it comes to that there, it's important to kind of understand the, the requirements, uh, if there's a breach, you know, whether the, the app subject to HIPAA or, you know, the FTC. So, uh, for, for the FTC under the rules requirements, uh, the vendors of PHR and PHR related entities, they basically must, must notify us consumers and the FTC. And in certain cases, the media, um, if there's been a breach of unsecured, identifiable health information, and if not, there's, you know, there's potential for civil civil penalties for, for such violations. Uh, the rule goes into specifics in terms of timing method and constant notification. But just to give you, you know, a little, little, little detailed tease, or I don't wanna just leave you hanging with the only super high level. Um, so if the breach is, uh, experienced, there's a notification to each affected person. Uh, I think the standards with without unreasonable delay and within 60 calendar days after the breach is discovered, uh, and if the breach involves 500 people or more, you must notify the FTC as soon as possible. And then there's a 10 day business days after discovering a breach, uh, uh, requirement. So, but if the, the information's fewer than 500 individuals, you have a little bit more time here, you basically, you need to send the same standard form to the FTC, uh, along with, um, other forms documenting any other breaches during that same calendar year, uh, involving fewer than 500 people and red all must be done within 60 calendar days following, uh, the end of that calendar year. I know that's, that's, that's kind of a lot, but if you go onto the rule itself, I think, uh, it, it lays it out nicely. And there's also, um, great resources that the FTC C has. Uh, then there's also, as I mentioned before the media. So if you meet that, uh, 500 residents, uh, or more threshold, especially of a particular state, the district of Columbia, or, you know, other us territory without unreasonable delay, and within 60 days after the breach is discovered, there's a requirement to notify prominent media outlets, um, serving the, the relevant, uh, uh, impacted individuals. So for, from HIPAA, uh, which again, a lot of the audience may be more familiar with this is, you know, following a breach of unsecured protected health information, uh, covered entities must provide notification to the affected individuals, uh, OCR and in certain circumstances to the media. So a lot of similarities with the FTC, uh, breach notification rule. And, uh, in addition, business associates must notify their covered entities if breach occurs or buy the business associate, uh, at or buy business associate. So this is particularly relevant, cause a lot of the, the health app developers are gonna, uh, fit into that business associate category to the extent, uh, there's the relationship with the, the covered entity, uh, John, as you laid out, uh, earlier. Um, so in terms of requirements, there's a lot of similarities in, in terms of, uh, that, that type of detail. So the, the timer requirement for business associate would be, you know, no later than 60 days following the discovery of a breach. Um, and then for the covered entities, uh, if a breach, uh, affects 500 more individuals say same, same type of deal here, um, they must notify, uh, OCR without unreasonable delay without, without unreasonable delay and in no case later than, uh, 60 days following the breach. Um, and if less than 500 individuals, uh, it's a similar type of, you know, annual annual notification where the report breach is affecting fewer those individuals, uh, no later than 60 days after the end of that calendar year, that those breaches are discovered. So you'll see a lot of parallels between the two, as I mentioned, uh, and then, uh, for, for more than 500 individuals, the same, same type of deal with, with notifying, uh, the media
Speaker 2:Certainly certainly breaches are, are well they're increasing obviously. And, uh, generally speaking and certainly in particular in healthcare, I it's, uh, becoming a, a growing problem. I think for, for everyone in the industry, I saw an article this morning about how quickly class action lawsuits are being filed after a, a breach. And there was even, um, a suggestion of it being some sort of modern day ambulance chasing, which is something I hadn't heard in a while in the, uh, legal profession. But, you know, obviously the, uh, developers of these apps need to take note of that as well as the, the providers, uh, and, and payer community that's, uh, providing apps to their patients and, and policy holders. So certainly something we need to be aware of. One of the, we work a lot with, with, um, health, it, digital health companies, developer of health applications to, uh, be compliant, but also to make sure that they're minimizing the risk to the, of a breach, to the confidentiality, integrity, and availability of the information contained within an app. And, and typically, um, you're better off if you start with that intention in mind, as you're developing your app, oftentimes, uh, unfortunately folks will develop the app. They have a good idea for the app. They'll build the app and then try to, uh, build security into it later. And that's usually a less effective and, and more expensive approach to this. So, uh, for our, for us, when we're working with, uh, developers of health apps, certainly we encourage them to build security into the system development life cycle. So build security in from the start, um, you, we recommend of course that they understand the, the remaining risk that exists. Um, that's a requirement, um, for HIPAA compliance, certainly, but, but generally speaking, a good practice from a security perspective as well. And to the extent that we have risks that, um, exceed what, what we believe to be acceptable, we want to introduce additional safeguard guards or controls to further reduce that risk. And ultimately, uh, we want to test that application as well to make sure that, uh, the safeguards and controls that we have implemented are operating effectively and as we, uh, intended them, uh, to do. And, and if we do that and, and we kind of set about from the start to do that, we can really minimize the risk of a breach from these healthcare care, um, health applications. And, and as we mentioned, that's gonna be key, I think, to their further adoption, uh, by the consumer, by the public and, um, further success of the investments in this area. So, uh, Rob, any, any, uh, tips you can give for folks who are looking for more information generally about the, the rules, regulations, et cetera, around health apps.
Speaker 3:Yep. Um, and, and I'll also, uh, it's interesting that you point out the, uh, that the, the privacy litigation is the new, you know, ambulance chasing, maybe in, uh, a law school. They start switching from Paul's graph to, uh, security breach type cases. I mean, maybe that's something a few years down the road, but, um, no, that's, that's very interesting. Um, yeah, in terms of resources, there's a lot out there. I think what's, what's nice with, you know, the FTC OCR and FDA is that they provide a lot of helpful tools and resources to try to, uh, help, uh, businesses comply, uh, with their requirements. So, so I think, you know, some of this stuff may be, you know, daunting or, or worrying, and it shouldn't be because you know, that there are resources and the ability to, to address these requirements accordingly. Um, so one, one great place I think to start is the FTC has an interactive tool that, that, that I really like, which sort of acts like a, a decision tree to see which regime, uh, applies. Uh, and you could, you could go to the FTCs website. I think I have it here, uh, www.ftc.gov/business, uh, dash guidance slash resources, uh, slash mobile dash health dash apps, dash interactive tool. Um, so, but, but if you, if you Google, uh, FTC breach notification, uh, interactive tool or FTC interactive tool, it should pop up right. In, right in your search bar, but that's probably one of the best places to start. Cause it really helps kind of, if you have any questions being like, well, does it apply to me? That's always a, a great place to start
Speaker 2:From any last thoughts or, or, uh, ideas you'd like to, to leave the audience with.
Speaker 3:Um, I would<laugh>, I would say, uh, you know, definitely watch this space more. I think it's, it's interesting what it's gonna do. As, you know, as, as we discussed earlier, there was a big explosion in this type of adoption followed by, you know, increase investment in the space. And then there's, you know, there's, as you mentioned, there's some flattening out. So it's interesting that maybe as this market kind of corrects itself, there'll be some, uh, stability, or, you know, there'll may maybe be some winners and losers in terms of which apps survive, which ones don't. And, and ultimately, I think one of the apps that are going to survive and, and the sector itself are gonna be those that, uh, really take these regulatory regimes seriously and, uh, take the, the privacy and data protection of, uh, the, the consumers seriously and, and, uh, addresses them accordingly.
Speaker 2:I, I think there's a, certainly a, a sudden seems if I'm not sure what's a sudden increase in proposed legislation, but the legislation being proposed seems to be taking a lot more seriously, uh, just broadly around, um, breach notifications. And, you know, of course the priv HIPAA privacy rules being, uh, re-looked at again. And so there is a, certainly a lot of activity around, um, health applications, uh, health information, uh, protections, generally speaking around secure cybersecurity in particular, um, a across the, the country right now, both at the state and federal level. So it, it is a certainly a dynamic environment for, uh, folks trying to operate in space. And, and again, encourage, uh, if you're, if you're looking at, uh, being an app developer in healthcare, um, certainly want to be aware of these things, uh, earlier, uh, and sooner so that you can make sure that as you're developing your solution, that you're, um, addressing all of these concerns, both from a security and as well as a compliance perspective. So I certainly that's all I have, Rob, if you don't have anything else, uh, maybe we, we, uh, close this out.
Speaker 3:No, yeah, that was very well said.
Speaker 2:Um, so great. So thank you all for, for joining us on another ALA podcast. I, uh, really appreciate it and, uh, appreciate you taking the time here with us today.
Speaker 3:Thanks everyone for, for listening in this was a lot of fun. And, uh, thanks again.
Speaker 1:Thank you for listening. If you enjoyed this episode, be sure to subscribe to a HLA, speaking of health law, wherever you get your podcasts to learn more about ALA and the educational resources available to the health law community, visit American health.