NVTC Health Technology Committee Event
The Health Care Innovation Challenge - Maintaining Regulatory Compliance in a Rapidly Changing Ecosystem
Grant Elliott, CEO, Ostendio, Inc.
19 November, 2013
@ostendio
Confidential

The Health Care Innovation Challenge - Maintaining Regulatory Compliance in a Rapidly Changing Ecosystem
In an age with 80,000+ health, wellness, fitness and medical apps in the iTunes App Store, and almost every network, server and computing device connected to the Internet, how can the government regulate information privacy and security without stifling innovation?

Agenda
• What’s happening with Health Care regulation
  – HIPAA/HITECH Final Omnibus Rule
  – Meaningful Use
  – FDA MMA and CDS
• What should you be doing?
• Q&A

Disclaimer and Full Disclosure
• I am not a lawyer…
  – …and what I am about to present does not constitute legal advice.
• I spent 5 years as the Chief Operations Officer and Chief Information Security Officer at a successful Mobile Health Solutions provider
• I have successfully negotiated multiple security and privacy audits, including audits based on the ISO/IEC 27002 information security standard and the OCR HIPAA Audit Protocols
• I am an advisory member of the mHealth Regulatory Coalition (MRC) and the Clinical Decision Support (CDS) Coalition

HIPAA/HITECH FINAL OMNIBUS RULE

What is the Final Omnibus Rule?
• Part of the HITECH Act, the Final Omnibus Rule adds a number of additional provisions to the Privacy and Security protections within HIPAA. These include:
  – Business Associates become directly liable for compliance with certain Privacy and Security Rule requirements
  – Individuals’ rights to receive electronic copies of their data and to receive notifications are expanded
  – Additional enhancements to the Enforcement Rule around willful neglect
  – Adopted changes to the tiered civil money penalty structure
  – Introduced a “harm threshold” for Breach Notification
• The Final Omnibus Rule became effective March 23rd 2013, with Business Associates given 6 months to become compliant

So how do I know if HIPAA applies?
• Are you a Covered Entity, i.e. a health plan, health care clearinghouse or a health care provider?
• Are you a Business Associate, i.e. are you operating on behalf of a Covered Entity or a Business Associate?
  – This is determined by who the user is ‘contracting’ with
• Are you exchanging sensitive and identifiable health data (PHI) with the Covered Entity?
http://ostendio.com/why-the-final-omnibus-rule-is-goodnews-for-many-mobile-health-application-developers/

MEANINGFUL USE

What is Meaningful Use?
Definition: Meaningful Use is the set of standards defined by the Centers for Medicare & Medicaid Services (CMS) Incentive Programs that governs the use of electronic health records and allows eligible providers and hospitals to earn incentive payments by meeting specific criteria.
Objective: To promote the spread of electronic health records (EHRs) to improve health care in the United States.
Governance: The HITECH Act provides HHS with the authority to establish programs to improve health care quality, safety, and efficiency through the promotion of health IT, including electronic health records and private and secure electronic health information exchange.
Source: http://www.healthit.gov/policy-researchersimplementers/meaningful-use

FDA MMA AND CDS

FDA MMA
• What is a Mobile Medical App?
  – Any device “intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals…” is classified and regulated as a medical device.
  – A Mobile Medical Application is a mobile app that meets the definition of a medical device and is intended:
    • to be used as an accessory to a regulated medical device; or
    • to transform a mobile platform into a regulated medical device.
• Key to the definition is the term “intended use”
• Key to the challenge is the term “accessory”

FDA MMA (diagram slides; no text content)

Why does the FDA care about Mobile Medical Apps?
Apple App Store
• Total Active Apps - 960,885
  – Lifestyle - 77,918 (8.11%)
  – Healthcare & Fitness - 25,799 (2.68%)
  – Medical - 20,905 (2.18%)
Source: http://148apps.biz/app-store-metrics/ 2013-11-11 23:26:34 -0800 PST

FDA MMA: What is happening?
• The FDA landscape continues to remain uncertain
  – FDA activity
    • Mobile Medical Device Guidance Document
      – Draft guidelines published in 2011
      – Final guidelines published in September 2013
    • FDA has promised future guidance documents on Clinical Decision Support
  – HHS activity
    • FDASIA work groups established by HHS to provide input into the development of recommendations for a risk-based regulatory framework for health information technology (IT), including mobile medical applications
  – Legislative activity
    • Healthcare Innovation and Marketplace Technologies Act (HIMTA) – reintroduced by US Congressman Mike Honda in June 2013
    • Sensible Oversight for Technology which Advances Regulatory Efficiency (SOFTWARE) Act – introduced on 22nd October by US Congressman Marsha Blackburn
  – Business sector activity
    • Multiple business coalitions set up, such as the Mobile Health Regulatory Coalition and the Clinical Decision Support Coalition

The Final Guidelines Misconception
“The FDA will start to regulate some smartphone apps that monitor health, officials announced Monday”.
FDA To Regulate Health Apps – By Charlotte Alter, Sept. 23, 2013

The Truth is…
• The FDA Final Guidance Document was “de-regulatory” in nature.
• By default, anything that met the definition of a medical device was already regulated under the original statute.
• FDA’s guidance document discounts many apps and puts many others into the category of “enforcement discretion”.

So what should I be doing?
• Educate yourself
  – Seek advice from experts
  – Join a coalition
    • FDA – MRC/CDS
    • HIPAA – SaaS/Mobile Health Tech
  – Read Brad Thompson’s e-book, FDA Regulation of Mobile Health 2013
• Whether or not HIPAA or Meaningful Use applies, and whether or not your application is regulated by the FDA, you should always take steps to secure sensitive data. Start by:
  – Assigning responsibility
  – Writing policies, even if they are just 1 paragraph
  – Setting up a single place to store policy documents and materials
  – Training, educating and communicating
  – Proactively managing compliance – follow up!!!
• Keep innovating!!!

Contact Details
Questions?
Grant Elliott | CEO | Ostendio, Inc.
Tel: +1 703 646 0304
E-mail: [email protected]
Website: www.ostendio.com
Facebook: www.facebook.com/ostendio
Twitter: @ostendio