Security, Privacy, and Innovation in the Future of Telemedicine
constantly experiencing innovation, regulations can quickly become outdated and either prevent the adoption of technologies or no longer address the actual concerns that arguably should be regulated. For example, the primary federal healthcare privacy law, the Health Insurance Portability and Accountability Act (HIPAA), was initially enacted in 1996, and its privacy rule’s effective date was 2003. Even the more recent Health Information Technology for Economic and Clinical Health Act (HITECH Act), incentivizing the adoption and meaningful use of electronic health records (EHR) and outlining certain privacy and usage principles associated with such, is now a decade old. Similarly, most state laws also remain relatively static or struggle to keep up with these rapid changes. Massachusetts last updated its state law governing healthcare privacy and disclosure more than a decade ago, in 2008. Existing laws may have requirements that do not include recent new technologies such as telemedicine or create regulatory barriers to their deployment. They may also fail to deal with emerging technological changes that could contribute to retention, storage, or transfer of data in more secure ways like cloud computing and possibly, one day, blockchain.
In some cases, the pacing problem can be a pacing benefit for innovation by allowing it to emerge faster than it can be regulated away; but in other cases, outdated regulations may prevent innovations like telemedicine from becoming more widely adopted or deter innovators from pursuing certain opportunities or applications for promising technologies. In telemedicine, this can include limitations that prevent televisits with a provider who has not been previously seen or requiring a nurse to be present during televisits. Such burdens can not only discourage the use of telemedicine, but also keep it from being available to any patient, anytime, anywhere.
Policymakers should consider whether additional security requirements are necessary for new health innovations, such as telemedicine. In fact, in some cases, rather than expanding existing regulations to new technologies, policymakers may want to consider whether the old regulations are necessary for currently regulated entities as well. They should also consider how new and old requirements might be able to evolve along with the technology.
The Importance of Precise Definitions and Limiting Unintended Consequences
Most people consider health information, such as information about which medications they take, to be particularly sensitive information and would often be willing to pay a price or make tradeoffs to maintain the security and privacy of such information. Health information is shared in burgeoning technologies, such as fitness apps, social media support groups, and telemedicine. In an environment where data is increasingly omnipresent, it is necessary to be precise about both data and covered entities. Such precision helps ensure that regulations do not frustrate consumer expectations or impede the intended purpose for sharing the information.
In general, existing laws narrowly establish which entities are covered by regulatory requirements. In Massachusetts, for example, hospitals and medical offices are subject to the privacy requirements for PHI and EHR, but the privacy requirements do not apply to the doctors directly. If expansion of these covered entities is necessary to ensure parity in security and privacy for online providers, it should be done carefully and precisely to reflect those providers that are similarly situated.
Additionally, definitions of covered PHI data should distinguish between data that are deliberately collected and utilized and those which may be incidental or publicly shared by the patient. This approach would reflect a Obama-era 2012 Federal Trade Commission report recommending that when such data is collected or utilized, those doing so obtain a heightened level of consent and awareness from consumers when providing choices involving sensitive data. This approach would minimize the effects of unintended consequences of broad definitions that could accidentally penalize benign or beneficial actions. An overly broad definition of health information could include everything from physical descriptions to buying habits that indicate certain medical conditions or health-related habits. When considering how to address technological changes, policymakers should be cautious in expanding definitions of health information.
A narrowly tailored approach could help ensure parity in security and privacy in online and offline medical visits, while limiting potential unintended consequences. It should not always be assumed that the appropriate policy answer is to expand definitions to regulate new digital technologies like telemedicine to the equivalent of their analog counterparts. Broad definitions could have unintended consequences for a variety of patient choices and empowerment via technology, not just for telemedicine or electronic health records. Appropriately narrow definitions also provide greater clarity for both consumers and providers to hopefully limit either mistakes that wrongly allow information to be exposed or the frustration in being unable to obtain information they are entitled to while still providing the flexibility for innovation to evolve.
Consider Potential Tradeoffs
Health information is often sensitive. Focusing on privacy presents tradeoffs among innovation, the different uses of data by different providers or entities, the need for access to information for legitimate purposes, or consumer choices. Placing restrictions to always favor privacy can at times cause harm.
While healthcare privacy is often incredibly important, it is also important to consider the impact of privacy requirements on access to information by the patient, next of kin, or another physician during an emergency. For example, families or emergency providers may encounter difficulties gaining access to records in a timely fashion owing to strict interpretations of regulations. That is not to say that creating additional protections for sensitive information is inappropriate, but that valuing privacy is not without its own costs.
Classifications of data and technologies are not always clear, particularly when it comes to the growing array of technologically enabled tools for both patients and providers. For example, in addition to telemedicine, a growing number of apps allow individuals to track and even share health data from menstrual cycles to blood sugar to heartrate during fitness workouts. In some cases the creators of these apps have sought FDA approval, but in many cases such approval is deemed unnecessary. While the FDA and other regulators have recognized the value to both providers and patients of such innovations, subjecting a direct-to-consumer app to the same requirements as a hospital when it comes to the information collected could deter such innovation. It also poorly reflects the purpose and nature of the data collected and the consumer and innovator assumptions about its purpose. Policymakers should consider how classifications of data could impact not only doctors and telemedicine, but a growing number of devices consumers may use to take control of their own health as well.