AHLA's Speaking of Health Law

The Digital Health Revolution: Realities and Legalities

AHLA Podcasts

In 2021, nearly $30 billion was invested in digital health and the technology that supports it. As of 2022, almost a third of Americans were using some sort of digital health mechanism, such as telehealth or an app. Will Clark, vCISO and Principal Consultant, Clearwater, speaks with Sara Shanti, Partner, Sheppard Mullin, about the ongoing revolution in digital health and the technology that is rising to support it. They discuss current security challenges and best practices for covered entities in the current legal and regulatory landscape. Sponsored by Clearwater.

To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.

Speaker 1:

Support for AHLA comes from Clearwater, the leading provider of enterprise cyber risk management and HIPAA compliance software and services for healthcare organizations, including health systems, physician groups, and health IT companies. Their solutions include their proprietary software-as-a-service based platform, IRM Pro, which helps organizations manage cyber risk and HIPAA compliance across the enterprise, and advisory support from their deep team of information security experts. For more information, visit clearwatercompliance.com.

Speaker 2:

Hello, and welcome to all of our guests. I'm Will Clark, the vCISO and Principal Consultant with healthcare-focused cyber security and compliance solutions from Clearwater. And I'm here today to discuss digital health and the revolution that's all around us, the realities, the legalities of it all. And it is a pleasure to introduce Sara Shanti. Sara is a partner with a law firm, Sheppard Mullin, and she represents healthcare providers and technology companies in matters related to data privacy and healthcare regulatory compliance. Sara focuses on novel healthcare innovation and supporting clients in the evolution of our industry. Sara, it's a real pleasure to have you here today. Why don't you tell us a little bit about your insights from the world of digital health and the apps that are arising to support that?

Speaker 3:

My pleasure, and thank you for that introduction. Well, it is, you know, such a pleasure to be here with you today. I know that you and I have been noodling around in this digital health space, um, for, for many years, not to age us, but I know it's been well over a decade for both of us. And I think we're both especially excited, um, that there has been such a boom. Um, you know, as heartbreaking as the, the reason for the boom in digital health, which is really the pandemic. Um, you know, we saw a lot of innovation come out of the desperation of the pandemic to ensure that healthcare, um, was, you know, being sought and delivered. Um, despite all of the circumstances that were really prohibiting traditional healthcare from happening, um, like it has in the, in the past. And so in seeing that huge boom, um, of course comes excitement and opportunity, but we also see some of the, the mishaps, some of the regulatory, um, concerns and really some of the safety issues that might impact, um, patient care and the delivery of the very care we're, we're looking to improve. Um, I know the numbers are kind of staggering. Um, I think last year we saw, you know, nearly $30 billion in investment. Um, I know we're on track to be a little less than that in 2022, but still the numbers and the investment is really exciting. Um, I think it's a little bit more narrowed, um, in scope of really where there's some real operational opportunities as opposed to, um, you know, some pie-in-the-sky ideas, which we're also gonna see happen, but maybe just not, you know, in the immediate future. Um, and then I think we're seeing that, you know, the regulations and legislatures are really trying to keep up with some of this expanding innovation to make sure that it really meets its objective. 
Um, I know one piece that you really focus on is some of those, um, technical and security risks in which, um, patients might not really know are, you know, kind of, um, you know, under the surface of their application or their website or other platform that they're using. And I know I would love to hear what you're kind of seeing on that end. Um, with regard to some of the actual security risks that are really playing, you know, out live, um, as we, as we evolve in this space,

Speaker 2:

You're quite right. Uh, this is probably one of the most interesting times in my career, in which I have observed the rise of digital technology that is seeking to serve the public effectively. Uh, you were speaking earlier about the effect of the global pandemic on the healthcare marketplace. It was really like a gigantic catalyst that forced all of us to really think how we were going to continue to do business under very unique circumstances. One of the things that I've seen in the past is that healthcare has been very, very locally focused. You know, we spent generations building up hospitals that would become, uh, large policies to, to the efficient provision of healthcare and the education of the next generation of physicians and clinicians. And all of a sudden we were presented with a world in which we can't go there right now. So how then do we provide for healthcare? Well, this gives us the rise of the virtual community. It's almost as if that which was solely three-dimensional in the past is now becoming virtual. And as healthcare entities begin to reach out to their customers online and provide them with easier and faster ways to, say, set up an appointment or a walk-in clinic, the community is becoming virtual. It is reaching out to people and seeking to fulfill that need. So that has been quite exciting to watch. Of course, this gives us the great unknown for consumers. So, you know, we, we North Americans, we love our technology and we love all the cool things that float our way. But as you correctly mentioned, Sara, this also means that there are security risks for consumers. Uh, our personally identifiable information can easily trickle out the back door onto the black market. We can be exposed in ways that we traditionally have not thought possible. And suddenly people are thinking about security and privacy, but as end users, we don't really know where to turn to or what to do about that. 
So when we talk about, uh, the rise of, say, uh, a security framework for the development of digital apps, for example, that's a way that we as a North American community can come together and come up with a standardized way to improve that sense of security and privacy in the tools that we offer our clients.

Speaker 3:

Yeah, absolutely. And that's so timely, because even as of this week, um, the FDA, or the Food and Drug Administration, which as, you know, Will, you know, regulates medical devices, including software that might, you know, rise to the level of a medical device or be impactful on the health of a user. Um, you know, they've even had a, you know, a, a, a public advisory committee even as of earlier this week, you know, talking about some of these devices, not only just apps and things like that, but really looking forward into virtual reality, um, you know, um, and kind of the XR world, where there are devices that, you know, have not only, you know, physical, um, safety issues like radiology, um, and, you know, different kind of frequency mechanisms that might, you know, rise to the level of a safety risk, but also user, um, understanding of how to use the device or the application, right? It might look beautiful and be very pretty and user-friendly. But, um, is our user able to understand how to use that correctly? Are there caretakers using that correctly? Um, not only the security perspective of the data, but the security of just use, and ensuring that it's meeting the objective of that device or application. So we're seeing that, you know, even where there's not black letter law, and I know we're gonna talk about what does exist so far. Um, we're seeing there's a huge appetite for regulation to, um, you know, either evolve or, you know, be crafted to ensure it's getting, you know, back on track with how quickly innovation is moving. Um, and I'd love, Will, for you to maybe talk a little bit more about, you know, some of those security incidents that you've actually seen that, you know, maybe some of our listeners, including myself, can really relate to. Um, and, and how we're using, um, technology today.

Speaker 2:

Yes, I've actually had kind of a chance to really see a lot over the last 25 years or so. And it's remarkable just how much information manages to get removed under other than normal circumstances. You know, we have a lot of geopolitical risks in this world in which our intellectual property is carefully and quietly removed. I've seen it done in multiple industries. Personal information in the healthcare industry is particularly valuable because it can also be marketed on the black market. You know, when you get access to one of these beautiful, integrated electronic medical records, and I've designed and installed a few of those, you're really getting a number of solidly valuable attributes around each person. So, you know, it's not too many years ago that a lot of my clients might not be aware that somebody had hacked into their system; it could take them a hundred, 200 days to become aware. And of course, that cycle has to tighten up. And what we have seen, at least what I've observed, is an increasing cadence of meaningful discussion between covered entities in the healthcare space. So like hospitals and insurance companies and government entities as well begin to really discuss what the framework of a regulatory structure like HIPAA really means and how to apply that effectively. And what we have seen over the last two decades is the rise of the meaningful security framework. In other words, when you start with a regulatory structure, it lays out the philosophy or the goal of what you might want to do to analyze risk, for example, but what does that mean functionally on a day-to-day basis? So we've seen these security frameworks start to develop in the background, and they grow and they become more specific. 
And the amount of information that we as security practitioners actually talk to our clients about and assess and document has become much more detailed and much clearer, so that we can actually provide words to describe what we all know to be good security hygiene. Now, I can only imagine that from your standpoint, Sara, you've seen the level of sophistication improve from the regulatory and legal side of this as well, because these relationships that covered entities have with their vendors, for example, they all have to be documented, right?

Speaker 3:

Yes. Now you're talking my language. Well, <laugh>, this is where I live every day. I live in, you know, HIPAA world and use the term covered entity, which is of course those specific entities that are actually governed by HIPAA. Um, I know during the pandemic we saw lots of misuse of the term HIPAA, right? It's, it's really, you know, fascinating to see that folks really understand that HIPAA does protect their health information. Um, you know, HIPAA's been around for about 25 years now. Um, but really just in the last few years have patients really kind of started to understand that they have a right to privacy, and that HIPAA is really important with regard to their health information. Um, the misunderstanding, I think, is that HIPAA really has a limited scope of who it applies to and what information it applies to. And I think, you know, consumers, patients and regulators, and, and really the whole global industry is struggling a little bit with how to ensure that, you know, privacy rights, especially in this electronic, um, you know, world that we're in, it's not just protecting paper records or a few systems here and there, it's, everything is so interconnected that, you know, HIPAA's limited scope might not be really cutting it, um, with regard to what patients and consumers need. And so that's where we kind of get into where the states have become really dominant. Um, you know, we of course have 50 states and other jurisdictions that all kind of interplay, sometimes overlapping, sometimes creating some gaps in what information, um, is really protected. And so that's one thing that the industry is struggling with a little bit, to ensure that consumers and patients are really having, you know, confidential, um, uh, confidential data, despite HIPAA not always touching all of that data. 
For example, a lot of applications that you might download from your phone or from your, um, your app store might be, you know, third-party apps that aren't, um, you know, in an arrangement or other relationship with, you know, your physician or another provider or your payer or an insurance company. And so that information is likely, you know, really sensitive if you're downloading information every day, um, but is likely not covered under HIPAA. And that's where, despite the states getting involved, there's additional industry push, um, the American Telemedicine Association, or ATA, is probably something we're gonna hear about a lot more in the coming years. Um, and they have just recently, you know, I think it was in spring of this year, in fact, um, partnered with the American College of Physicians, which of course is a really important industry group from the medical perspective. Um, as well as some of the, um, EU industry organizations to really start talking about, again, framework, which I know you brought up, what is the secure framework of digital, um, medicine, digital applications that, that can be the standard, um, that is, is achieved by applications and, you know, even wellness apps, not just kind of your strict medical, um, platforms. And so we're really excited to see that framework is being drafted and created and promoted. Um, and I know we're gonna see many more, but where, you know, the, the federal government and the state government still have some of those gaps, we're seeing that industry is not waiting and really putting in place some frameworks to really keep, you know, these apps, when you download them, you don't have to think twice about your data being secure or safe in how they're used and, you know, operating. So we're really excited to see that the industry is moving forward, because I think we all agree that patient safety is, you know, a huge, um, a huge importance and a huge objective. 
Um, I know one thing that we kind of see is there's a little bit of, where there's not legal requirements to comply, where innovators maybe aren't as motivated to comply, um, you know, to meet legal obligations. And I know, Will, maybe you can talk a little bit about the two things that we see our clients and the industry really react to, though, is even where there's not law in place. We see that there's, um, you know, a little bit of fear mongering and a little bit of motivation by fees, um, and where, you know, consumers, you know, are pushing, um, because of, you know, some of the, um, the results of, um, you know, the, the negative effects of having a poorly operated or a, you know, unsafe application might push innovators to, um, meet standards even where they're not otherwise legally required.

Speaker 2:

I like the way you phrase that, Sara, because it's, uh, really the fear and the fees are two ways that we can look at what motivates all of us to do a better job. In the beginning, when I started working with security assessments around HIPAA, at the end of the last century, I might add, <laugh>, really people really didn't quite get some of the topics. I remember spending a fair amount of time talking about creating a, a role within an organization for information security officer, and people would kind of look at me and say, what are you talking about? Or I'd chat about a risk analysis, and they would say, risk analysis? What does that mean? It was, in the beginning, it was a big educational thing, and there was a degree of fascination, but then, you know, in IT, there's always something else to do. So we kind of lost focus on it until we as a country decided to actually put some teeth behind the regulations. And that's where the fear started to come in. When people started to see that, oh, these little problems actually can turn out to be much larger problems. I have had clients in the beginning of all this who have wound up on the front page of national papers, and I can tell you, it is a very unpleasant place for them to be, and they're keenly aware of the hit to their bottom line in goodwill terms to be so noted as not having a secure enterprise. So the fear has been a big motivator, and then the fees as well, when we have, uh, regulators who actually will impose fines when they see evidence that organizations aren't taking all the requirements seriously. Now, the antidote to that of course is good conversation. And you mentioned it earlier, as did I, the arrival of the security frameworks. So when we talk about a risk analysis, what does that mean? Well, it means these various steps. When we talk about maintaining good integrity around identity and access management, it means all of these controls. 
So once you begin to identify the controls, you can actually measure how effectively an organization is fulfilling those controls, and where all of this hits our conversation today is, as the digital apps arrive, we need to have frameworks with specific controls that make sense of how to build digital applications properly. And that's the cool thing that's kind of arriving right in our own midst. So there's like a lot of opportunities here for companies to improve efficiency, to reach clients they might not normally reach, and to be able to offer services in a new way and a more efficient way while still being able to prove to their clients and customers that they conduct their business in a secure fashion. So I see a lot of that, and I see the arrival of even brand loyalty, you know, as we begin to trust developers of, of tools. And we begin to see brands that we believe to be very secure. There's a lot of market value in that. So really these conversations between covered entities under regulation like HIPAA and other businesses that support them, maybe not directly covered, but we're all in this conversation together.

Speaker 3:

Yes. I love that. I'm gonna pick that up, Will, because I think that that's just notable that, um, I wanna speak to it a little bit from, you know, my perspective as well. I, I work with a lot of, you know, really large, um, entities, global entities, telehealth entities, some that really have a market corner, um, or a corner of the market, but then I'm also seeing some, you know, very, very brand new, fresh-faced innovators who are just jumping into healthcare. And so of course there's a lot of different things tugging on, you know, their business model and getting to market. But I wanted to, to note a couple of things that I personally found really interesting, in that, um, you know, I think as of this year, almost a third, or it's kind of reported that almost a third of Americans are using some sort of digital health, um, uh, mechanism, whether it's telehealth or an app. And that's just a huge number if you kind of think about where we were a couple of years ago. And so that number is just going to continue to grow and grow until I think it's gonna be part of all of our lives, if it's not already. Um, but in this day and age, we're also seeing this huge struggle with privacy. More and more folks are using these applications for things that are really sensitive, um, like mental health, um, substance abuse, family therapy. And so that information isn't just even, you know, your, your blood pressure, which is sensitive enough, it's something very, very personal. And so you certainly hit the nail on the head that trusting your product, trusting your company is really important for consumers. They wanna know that they're gonna use that platform to, you know, maybe give some of their most vulnerable information to, that even if the law doesn't require it, that that device, that, you know, application or, or whatever we're talking about here is gonna protect their information. Um, I certainly know we're in an interesting moment after some Supreme Court rulings as well. 
And so I think that just, you know, also kind of, um, underscores the importance for, you know, not always to wait for the law to protect your information, but for our clients and for the industry to be really proactive and, you know, showing good corporate citizenship, um, and best practices. And then if that's not motivating enough, right, to kind of do the right thing and, and to assure that your customers are gonna feel, um, that, you know, you've got their backs a little bit, um, is to think about fees again, right? Not only in selling your products so that customers feel secure, um, but reimbursement, and I know this is probably something that we kinda get into some of the legal weeds about, um, how, you know, government programs reimburse, how states have parity laws, um, where they require, um, even commercial payers to reimburse for, um, digital health services, specifically telehealth in this moment, um, at the same rate as if you had in-person care. And that can be really significant. Um, and so, you know, having your products be compliant and marketable, that they meet federal or state standards, um, even ahead of time, even ahead of those standards maybe applying, is going to be something really good in, in the industry to ensure reimbursement, provider partnerships, um, and just, you know, consumer success, um, looking forward. I wanted to note another really interesting point, um, that we're seeing metaverses, virtual reality, augmented reality, um, you know, just have some huge traction. We know we're not totally there yet, but it's growing, but I know there's a figure of, by 2030, so in the next seven or eight years, that industry in the healthcare, not even wellness, just kind of traditional healthcare, is, is expected to be over 70 billion, with a B, dollars. 
And so looking forward, Will, I'd love to hear kind of what we can offer our listeners and our clients as to best practices, knowing that even if they're not tightly regulated, um, or don't have, you know, specific contractual requirements today, knowing where the industry is going, what we can recommend to, um, you know, as a best practice, so that they'll be even more successful.

Speaker 2:

It's really interesting to think about. You know, we've been talking about the possibilities that technology gives us to increase market share, to create virtual communities. One of the things I was gonna mention a little bit ago was how technology is allowing us to make services available to less populated regions of the country that otherwise would not have enough momentum to build a large hospital in their local area, but they can provide access to services through technology. So the, the opportunities are there. So your question is, what are the best practices that help to make this all valuable and secure and private? And I come back to the idea of the evolving conversation. Regulations are a great way to begin the conversation nationally, and certainly HIPAA attempted to set a floor, but not a ceiling, for what we all should be doing customarily as good security. And then, as we earlier noted, the entities that are directly covered by a regulatory structure do business with other organizations who are not directly covered. So that business associate agreement, that in the beginning it was a, a lot of boilerplate that was going to fulfill the need to have an agreement to cover the relationship between the hospital, for example, and an external entity who did something on their behalf. But what we see now is the conversation between the covered entity like the hospital and the vendor is evolving to the point where both parties are beginning to see that there are controls that need to be in place for the function that is provided by the vendor that our covered entity hospital would've done anyway if they were doing it in house. So the best practice is to become ever more aware of what the various controls are that are immediately applicable to this relationship that we have. I even have a client who's, uh, coming into the American market from the UK, and they're creating new technologies that link providers and services together. 
And they are in no way covered by any HIPAA regulatory structure, but because they see the value of being able to say that they too participate in a structured, complete security process, they want to engage with the conversation. So the best practice is always an increasing level of specificity in the conversation of what constitutes good day-to-day security hygiene. When you're in the business of operating a hospital, when you're creating an app, when you're doing payment processing, all these things work together so that we can derive the value from the technology and not pay a price of unintended consequences of our own information leaking out to others.

Speaker 3:

Yeah. And, and I know that, you know, we're, we're here talking today about, you know, this digital health revolution, right? And, and I think a big part of that is to get, you know, healthcare to every, you know, kind of corner of our country and the world where, you know, there might not be a brick-and-mortar hospital, um, or an emergency room, or, you know, a, um, you know, maternity ward, um, and so that you don't necessarily need the brick and mortar to get, you know, kind of daily updates or daily service, um, or, you know, not even daily, just annual checkups or, you know, to speak to a medical professional. Um, and, and, you know, maybe you don't have to go, you know, two towns over to the, um, ED or have an inpatient issue. It can be resolved, you know, um, a little bit more proactively. So in this revolution, which really hopefully does make healthcare more available, um, and efficient. Um, you know, I think the reality is that it's here to stay, but I think on the other hand, um, it's only gonna become more interoperable, which I think only poses a bigger risk, right? There's only gonna be more of an electronic footprint, more data sharing. In fact, the federal government has a whole push under the 21st Century, uh, Cures Act to ensure that data is available to patients, um, you know, kind of almost immediately. And, um, that that information can be, you know, interoperable, um, excuse me, exchanged freely through interoperable systems. So the reality is we're in it for the long haul, um, and that, you know, the risk might only grow. And then I think the legality is that, you know, to your point, even where you're not governed by HIPAA, and even where that, you know, could be a marketing piece where you say we, we're not governed by it, but we're still gonna meet some of those standards. I think what I've seen is that there's, you know, really exciting innovation, but compliance doesn't happen overnight. 
And so, you know, I kind of, I kind of think about when you're cleaning house, you know, once you start cleaning your kitchen, somehow that spills over to cleaning your living room, to cleaning the bedrooms, right? It's kind of hard to just say, I'm only gonna have a clean kitchen, um, or I'm only gonna have a, you know, a clean mud, right? It kind of spills out; good practices kind of grow. And I think in the same way, you know, when you kind of, you know, let your, you know, yard go, or you let your, you know, um, kitchen, you know, overflow with dishes, that can also spill out into the rest of your domain. And so my point being that, you know, we try to have our clients, um, understand that we understand it's not magic. You can't wave a wand and be compliant overnight, but you can really have a plan, um, so that, you know, through budget and as you get to market, you can continue to improve and show regulators that your intention was to, um, you know, meet, you know, compliance objectives. Um, but it just doesn't happen overnight. And I think this is where maybe I'll turn it over to you to speak very, um, briefly on, um, you know, kind of what you've seen as a best practice in not waving the magic wand, but really having a clear plan to ensure that, um, material safeguards and, you know, safety concerns are met, despite it not happening, you know, overnight.

Speaker 2:

I love this turn of phrase. Compliance does not happen overnight. And I, I agree completely. I have seen through the years many, uh, customers come to me and say, help us put together a security program really fast, or write some policies for us really fast. And I always tell people that policies and procedures and programs are like a mirror. They should reflect good, healthy conversations and daily activities that the entire group has in their organization. And I think as soon as we realize that compliance and security are things that are earned carefully through time, by paying attention to the day-to-day activities, as you so beautifully summarized, I think that is really the key to building a better security culture. There is, in fact, no such thing as a perfectly secure organization, but there are absolutely organizations who are going to do a better job of keeping their information assets secure this year than they did last year. And one of the best tools that we can use to ensure all of that turns out to be the risk assessment and response. And when we take a look at what the risks our organization might actually face could be, and how much damage could occur if something like that happens, and how would we respond, that risk assessment, risk response is probably one of the most meaningful ways that you can have that improving, continuous conversation as an organization. And of course, with digital assets growing as they are, all of this applies. And I keep hoping one of these days I'm gonna find a phone with a bigger battery. <laugh> <laugh> Sara, it has been an absolute pleasure to have a conversation with you today about all of this. I think you are right. We're at the beginning of something that is going to be growing and evolving. And I'm very excited that we are all part of this vibrant community of, uh, security and privacy and figuring out how to be better at what we do in our technology, in the service of our customers and clients. 
It's been a real delight speaking with you.

Speaker 3:

Ah, same to you, Will. Thank you.

Speaker 1:

Thank you for listening. If you enjoyed this episode, be sure to subscribe to AHLA's Speaking of Health Law wherever you get your podcasts. To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.