How data privacy, cybersecurity, ethics and malpractice intersect.
Wearable technology has many benefits but also brings privacy concerns.
More than 100 million Americans are battling chronic diseases such as diabetes, high blood pressure and heart disease, but exciting new technology is being employed to improve the treatment of these conditions. Healthcare professionals are increasingly likely to suggest that patients wear a medical device to monitor their condition.
Such devices and the sophisticated apps that support them are believed to improve care by providing constant monitoring that could potentially save lives. Their use may also reduce healthcare costs by slashing the need for office visits that would otherwise be necessary to monitor a patient’s progress. Wearable medical devices may provide data that can help healthcare professionals understand how a single patient’s multiple chronic conditions interact and support research efforts through anonymized data.
However, the use of wearable medical devices gives rise to several important legal issues that healthcare professionals should consider before recommending them. Below is a broad overview of a few things that healthcare professionals should consider as the use of these tools expands.
Data privacy concerns are paramount. A disparate assortment of state and federal laws imposes requirements on the disclosure of, and occasionally use of, health information. Providers should familiarize themselves with all applicable laws and ensure their practices conform to applicable requirements.
Privacy compliance obligations may require that a physician limit access to the streaming patient data to nurse practitioners, physician assistants or other clinicians who are also providing care. Providers also need to ensure that accurate and timely documentation is added to the patient’s electronic health record (EHR). Providers should explain to their patients what data are being collected and how they will be used before securing the patients’ informed consent.
The collection of the electronic health data from wearable technology not only requires compliance with federal and state privacy laws relating to notice and consent, but it also raises a risk that an internet-connected device could be vulnerable to cyberattacks.
The U.S. Food and Drug Administration (FDA) is keenly focused on this risk and has issued guidance for pre-market and post-market management of cybersecurity in medical devices. Device manufacturers are responsible for providing security updates to their software to address vulnerabilities, and when these updates do not impact device functionality or their intended use, the updates do not require FDA review. But where a cybersecurity vulnerability poses an uncontrolled risk of patient harm, the product could be recalled.
In the event of a recall related to cybersecurity or another product malfunction, healthcare professionals must be prepared to address it in a timely manner. They should establish procedures to update patients’ devices with new versions of software and monitoring applications, and to notify patients of recalls. Although a device manufacturer traditionally has a duty to warn consumers about a recall, healthcare professionals likely have the strongest ongoing contact with affected patients, and they should be prepared to use that relationship to facilitate recalls for their patients. In the event of an update or recall, they should implement these procedures and thoroughly document the steps they have taken to notify all affected patients.
Just last month, the FDA released a cybersecurity “playbook” for healthcare delivery organizations. The “playbook,” which was developed in cooperation with MITRE Corporation, aims to enhance the ability of healthcare organizations to respond to any cyberattack or incident that affects medical devices. In addition to responding to vulnerabilities in connected medical devices, healthcare delivery organizations and healthcare professionals must also scrutinize their own data security practices. To protect data being relayed from a patient’s monitoring device, healthcare professionals should regularly take steps to ensure the security of their computer networks, install and regularly update anti-virus programs and firewalls and implement password policies that require extensive passwords and regular password changes.
Providers who incorporate wearable medical devices into their patient treatment plans should also take pains to comply with all fraud and abuse laws. This means they should avoid accepting anything of value in exchange for recommending the use of a wearable medical device. The U.S. Department of Justice and whistleblowers regularly bring False Claims Act suits against healthcare professionals alleging they violated the Anti-Kickback Statute by accepting remuneration in exchange for recommending the use of a device covered by the federal healthcare programs.
As of Jan. 1, 2018, Medicare provides coverage for a monthly recurring reimbursement for remote patient monitoring services. Healthcare professionals should implement thorough compliance measures to ensure their billing for remote patient monitoring is compliant with the requirements of insurers and federal healthcare programs like Medicare or Medicaid and to prevent False Claims Act exposure.
Finally, a number of unanswered questions about wearable medical devices may also shape future malpractice cases. It is currently universally unclear when the monitoring of a wearable medical device creates a physician-patient relationship requiring a duty of care. In addition, it is universally unclear whether, and in what circumstances, a physician’s decision to use — or not use — a wearable medical device in a treatment plan could constitute a breach of that duty of care. Moreover, once a wearable device is being worn, malpractice questions could arise about whether the data were timely and accurately reviewed. Providers should monitor developments in this area of the law for guidance on these issues.
Wearable medical devices have the potential to significantly shape the practice of medicine and the regulatory landscape that covers it. As providers continue to incorporate them into their treatment plans, they should do so with a clear eye on the relevant legal and regulatory requirements. Open questions about the scope of potential liability related to the use of wearable medical devices and fast-developing regulatory guidance require continued monitoring.
Stephanie L. Carman and Rebecca H. Umhofer are attorneys who work for Hogan Lovells.