HIPAA/HITECH – The Final Omnibus Rule

NVTC Health Technology Committee Event
The Health Care Innovation Challenge - Maintaining Regulatory Compliance in a Rapidly Changing Ecosystem
Grant Elliott, CEO
Ostendio, Inc.
19 November, 2013
@ostendio
Confidential
The Health Care Innovation Challenge - Maintaining Regulatory Compliance in a Rapidly Changing Ecosystem
In an age with 80,000+ health, wellness, fitness and medical apps in the iTunes App Store and almost every network, server and computing device connected to the Internet, how can the government regulate information privacy and security without stifling innovation?
Agenda
• What's happening with Health Care regulation
  – HIPAA/HITECH Final Omnibus Rule
  – Meaningful Use
  – FDA MMA and CDS
• What should you be doing?
• Q&A
Disclaimer and Full Disclosure
• I am not a lawyer…
  – …and what I am about to present does not constitute legal advice.
• I spent 5 years as the Chief Operations Officer and Chief Information Security Officer at a successful Mobile Health Solutions provider
• I have successfully negotiated multiple security and privacy audits, including audits based on the ISO/IEC 27002 information security standard and the OCR HIPAA Audit Protocols
• I am an advisory member of the mHealth Regulatory Coalition (MRC) and the Clinical Decision Support (CDS) Coalition
HIPAA/HITECH FINAL OMNIBUS RULE
What is the Final Omnibus Rule?
• Implementing provisions of the HITECH Act, the Final Omnibus Rule adds a number of additional provisions to the Privacy and Security protections within HIPAA. These include:
  – Business Associates become directly liable for compliance with certain Privacy and Security Rule requirements
  – Individuals' rights to receive electronic copies of their data and to receive notifications are expanded
  – Additional enhancements to the Enforcement Rule around willful neglect
  – Adopted changes to the tiered civil money penalty structure
  – Replaced the "harm threshold" for Breach Notification with a presumption that any impermissible use or disclosure of PHI is a breach, unless a documented risk assessment shows a low probability that the PHI was compromised
• The Final Omnibus Rule was published January 25th 2013 and became effective March 26th 2013, with Covered Entities and Business Associates given until September 23rd 2013 (180 days) to become compliant
So how do I know if HIPAA applies?
• Are you a Covered Entity, i.e. a health plan, health care clearinghouse or a health care provider?
• Are you a Business Associate, i.e. are you operating on behalf of a Covered Entity or another Business Associate?
  – This is determined by who the user is 'contracting' with
  – If the user contracts directly with you and no Covered Entity is involved, the health data you hold is sensitive but it is not PHI under HIPAA
• Are you exchanging sensitive and identifiable health data with the Covered Entity, i.e. Protected Health Information (PHI)?
http://ostendio.com/why-the-final-omnibus-rule-is-goodnews-for-many-mobile-health-application-developers/
MEANINGFUL USE
What is Meaningful Use?
Definition
Meaningful Use is the set of standards defined by the Centers for Medicare & Medicaid Services (CMS) Incentive Programs that governs the use of electronic health records and allows eligible providers and hospitals to earn incentive payments by meeting specific criteria.
Objective
To promote the spread of electronic health records (EHRs) to improve health care in the United States.
Governance
The HITECH Act provides HHS with the authority to establish programs to improve health care quality, safety, and efficiency through the promotion of health IT, including electronic health records and private and secure electronic health information exchange.
Source: http://www.healthit.gov/policy-researchersimplementers/meaningful-use
FDA MMA AND CDS
FDA MMA
• What is a Mobile Medical App?
  – Any device "intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals…" is classified and regulated as a medical device.
  – A Mobile Medical Application is a mobile app that meets the definition of a medical device and is intended:
    • to be used as an accessory to a regulated medical device; or
    • to transform a mobile platform into a regulated medical device.
• Key to the definition is the term "intended use"
FDA MMA
• Key to the challenge is the term "accessory"
Why does the FDA care about Mobile Medical Apps?
Apple App Store
• Total Active Apps: 960,885
  – Lifestyle: 77,918 (8.11%)
  – Healthcare & Fitness: 25,799 (2.68%)
  – Medical: 20,905 (2.18%)
Source: http://148apps.biz/app-store-metrics/ (retrieved 2013-11-11 23:26:34 -0800 PST)
What is happening?
• The FDA landscape continues to remain uncertain
• FDA activity
  – Mobile Medical Applications Guidance Document
    • Draft guidance published in 2011
    • Final guidance published in September 2013
  – FDA has promised future guidance documents on Clinical Decision Support
• HHS activity
  – FDASIA Workgroup established by HHS to provide input into the development of recommendations for a risk-based regulatory framework for health information technology (IT), including mobile medical applications
• Legislative activity
  – Healthcare Innovation and Marketplace Technologies Act (HIMTA)
    • Reintroduced by US Congressman Mike Honda in June 2013
  – Sensible Oversight for Technology which Advances Regulatory Efficiency (SOFTWARE) Act
    • Introduced on 22nd October 2013 by US Congresswoman Marsha Blackburn
• Business sector activity
  – Multiple business coalitions set up, such as the Mobile Health Regulatory Coalition and the Clinical Decision Support Coalition
The Final Guidelines Misconception
"The FDA will start to regulate some smartphone apps that monitor health, officials announced Monday."
FDA To Regulate Health Apps – By Charlotte Alter, Sept. 23, 2013
The Truth is…
• The FDA Final Guidance Document was "de-regulatory" in nature.
• By default, anything that met the definition of a medical device was already regulated under the original statute (the Federal Food, Drug, and Cosmetic Act).
• FDA's guidance document discounts many apps and puts many others into the category of "enforcement discretion": apps that may meet the device definition but pose low risk to patients, for which FDA does not intend to enforce the statutory requirements.
So what should I be doing?
• Educate yourself
  – Seek advice from experts
  – Join a coalition
    • FDA – MRC/CDS Coalition
    • HIPAA – SaaS/Mobile Health Tech HIPAA
  – Read Brad Thompson's e-book, FDA Regulation of Mobile Health 2013
• Whether HIPAA or Meaningful Use applies, and whether or not your application is regulated by the FDA, you should always take steps to secure sensitive data. Start by:
  – Assigning responsibility
  – Writing policies, even if they are just one paragraph
  – Setting up a single place to store policy documents and materials
  – Training, educating and communicating
  – Proactively managing compliance – follow up!!!
Keep innovating!!!
Contact Details
Questions?
Grant Elliott | CEO | Ostendio, Inc.
Tel: +1 703 646 0304
E-mail: [email protected]
Website: www.ostendio.com
Facebook: www.facebook.com/ostendio
Twitter: @ostendio