Consumer rights

U.S. regulatory considerations for digital health

This final article in our four-part series examines other relevant laws that digital health providers should be aware of.


When businesses tell consumers they’ll protect their personal information, the Federal Trade Commission (FTC) can act and make sure businesses keep their promises. The FTC has taken legal action against organizations that have violated consumers’ privacy rights, misled them by failing to ensure the safety of sensitive consumer information, or caused substantial harm to consumers. In many cases, the FTC has accused defendants of breaking laws relating to unfair and deceptive business practices.

As a recent example, the developer of a popular female fertility tracking app settled the FTC's allegations that it misled consumers about the disclosure of their health data. Under the proposed order, the developer is prohibited from misrepresenting: 1) the purposes for which it, or the entities to which it discloses data, collect, store, use or disclose the data; 2) the extent to which consumers can control these uses of their data; 3) its compliance with any privacy, security or compliance program; and 4) how it collects, stores, uses, discloses, deletes or protects users' personal information. In addition, the developer must notify affected users of the disclosure of their personal information and request that any third party that received users' health information destroy that data.1

In addition, the FTC also enforces federal laws relating to consumer privacy and security.2 Specifically, the FTC's Health Breach Notification Rule requires a personal health record (PHR) vendor or PHR-related entity to notify affected consumers, the FTC and, in some cases, the media of a breach of unsecured PHR identifiable health information. Third-party service providers to PHR vendors and PHR-related entities must in turn notify those entities in the event of a breach. The FTC defines a PHR as an electronic record of identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared and controlled by or primarily for the individual.3 A company is a PHR vendor if it offers or maintains a PHR. An example of a PHR vendor is a business with an online service that lets consumers store or organize medical information from many sources in one online location.4

A PHR vendor that is not a HIPAA Covered Entity is not required to be HIPAA compliant. Such PHR vendors are therefore not subject to the HIPAA Breach Notification Rule but are governed by the FTC Health Breach Notification Rule.5 The FTC recognizes scenarios in which an entity is a HIPAA Business Associate and also offers PHR services directly to the public. Such an entity would be subject to both the HIPAA and FTC breach notification rules. This fact pattern is limited, however, and does not address a situation where the customers of the PHR vendor and of the Covered Entity are the same group of people. In that case, if the PHR vendor has a direct relationship with all of the individuals affected by a breach under HIPAA, one entity could contract with the other to provide the notification to those affected.6


The delivery of health care services in the United States through telemedicine or telehealth is generally regulated state by state by the state medical boards. Licensure requirements may vary depending on the location of the patient or of the health care provider. Before the Covid-19 pandemic, most states, as well as the District of Columbia, Puerto Rico and the Virgin Islands, required physicians practicing telemedicine to be licensed in the state in which the patient is located. As of the Covid-19 public health emergency, twelve state boards had issued a special-purpose license, a telemedicine license or certificate, or a license to practice medicine across state lines for the practice of telemedicine, and six states required physicians to register, rather than obtain a license, if they wished to practice across state lines.7

Many of these requirements were changed during the pandemic to allow large telehealth platforms to scale rapidly and provide remote care during quarantine periods and in response to other pandemic-related demands. As a result, more and more states allow physicians providing health services to their residents to be licensed in a neighboring or other state. Some have taken the approach of offering an expedited license to practice, or of waiving the license to practice in favor of a temporary special-purpose license. What is not clear, however, is how these states will pivot once the public health emergency is no longer in effect, and whether federal regulators might consider a federal approach to avoid the patchwork of state laws and licensing regulations that affects how telemedicine and telehealth services are implemented and scaled.

In addition to state licensing laws, there are also consent, medical record, pharmacy, physician order and privacy considerations related to telemedicine services. Additionally, reimbursement for telehealth services provided to beneficiaries of federal health programs, such as Medicare, is governed by the Centers for Medicare and Medicaid Services, which historically reimbursed only a limited set of visits in remote areas where one or both parties were physically present in an acute care facility. Commercial payers, such as private and employer-sponsored health plans, govern reimbursement for privately paying patients, and each has its own set of reimbursement requirements and fee schedules.

As a result, any company seeking to develop or expand its telemedicine presence in the United States will need to conduct a state-by-state analysis of the specific regulatory requirements, and will require federal reimbursement expertise as well as an understanding of how commercial payer contracts affect reimbursement for privately paying patients. More importantly, such a business may need a crystal ball, as it is unclear how state and federal regulators will approach these issues once the Covid-19 public health emergency is no longer in effect.


Federal and state anti-kickback laws (for example, the federal Anti-Kickback Statute8) regulate business relationships in the health care, pharmaceutical and medical device sectors by prohibiting individuals or entities from soliciting or receiving remuneration in exchange for referrals of federal health care program business. Federal and state physician self-referral laws (for example, the Stark Law9) generally prohibit health care providers from referring patients for designated health services (DHS) to entities with which the provider, or an immediate family member, has a direct or indirect financial relationship, subject to certain exceptions.

The False Claims Act10 imposes penalties on any person or organization that knowingly makes a false record or statement, directly or indirectly, in connection with any federal health program. In addition, the federal Social Security Act imposes civil monetary penalties (CMPs) on, or excludes from the Medicare and Medicaid programs, physicians and other health care providers who commit various forms of fraud and abuse involving Medicare and Medicaid.

Under these federal and state laws, certain practices that induce utilization and profitability, or that otherwise reward referrals, are impermissible and could expose knowing actors to civil or criminal penalties. Therefore, the types of business arrangements and negotiations that are common in other industries may be illegal in the health care industry where goods or services are reimbursed by the federal government or by third-party payers. To the extent that companies aspire to provide goods or services to health care providers, or directly to patients, in settings where care is reimbursed by federal health programs and commercial payers, these companies, and their business contracts and agreements, will need a full understanding of the applicable health care fraud and abuse laws before doing business.


Digital health in the United States, like traditional health care, is governed by a variety of complicated and ever-changing regulations, especially during and after the Covid-19 public health emergency. Non-U.S.-based businesses must understand how to navigate these complex regulations at every stage of their business development, and nuanced, knowledgeable legal representation that understands the practical application of these regulations is essential for success in the U.S. market.




3 See

4 Id.

5 Id.

6 Id.

7 https: // …

8 42 USC § 1320a-7b.

9 42 USC § 1395nn.

10 31 USC §§ 3729-3733.
