ATA2022: Regulatory risk in the business of telehealth

Nathaniel Lacktman, a partner at Foley & Lardner, kicks off a talk on telehealth and regulation Sunday at the ATA2022 conference in Boston.

Photo: Susan Morse/HFN

BOSTON – Aaron Maguregui, a digital health attorney at Foley & Lardner, said he gets asked all the time, "Is it OK to use pixels and cookies on a telemedicine website?"

It goes to the bigger question for telehealth providers: When does data collected from a telemedicine website become patient data?

Attorneys from Foley & Lardner kicked off the ATA2022 conference Sunday morning in Boston by breaking down regulations that rule risk for telehealth providers.

Nathaniel Lacktman, a partner in the firm, said the theme for ATA 2022 is what's next. For telehealth, this means looking at what happens when the public health emergency (PHE) ends and federal waivers allowing for virtual flexibility may or may not be extended through the Department of Health and Human Services or by Congress.

"We're seeing suggestions the public health emergency may not be extended," Lacktman said. "There's fear and anxiety about the telehealth cliff." 

The PHE is currently scheduled to end in July.

Telehealth is now an expectation for care convenience, and patients are expecting a broader spectrum for treatment of more serious diseases, Maguregui said. There's expectations from investors that companies can meet the scrutiny of being a profitable and sustainable model. Regulators are expecting more, too, Lacktman said. 

Maguregui said, increasingly, telehealth providers need to know the risk of collecting and sharing information that could be considered patient data protected by HIPAA.

If the only users of a website are patients, does it make the data collected there "patient data"? There's no definitive answer from regulators, Maguregui said.

When personal user information is used for marketing purposes or shared with third-party users for advertising, the risk of breaching protected health information is greater.

If data collected on a landing page belongs to a primary-care clinic, it's fairly obvious that this private patient information. 

"Using patient data for marketing purposes is highly regulated," Maguregui said. "What makes this risk harder, the two biggest players, HHS Office of Civil Rights and FTC, have been largely silent for the last two years."

In 2021, a women's health app was cited for sharing data with Facebook and Google, he said.

In another case in 2017, an Illinois-based law firm filed a class-action lawsuit against telemedicine company MDLive, alleging the company took screenshots of sensitive patient health information and sent them to TestFairy, an Israeli company that does quality control on apps, and that this was a violation of patient privacy. 

Less than two months later, on June 2, 2017, the plaintiff voluntarily dismissed the suit in response to arguments by MDLIVE that the suit lacked any legal or factual basis.

What can save a company from litigation risk are the fine type cookie policies and terms, Maguregui said. This is critical to mitigating risk.

The best way to obtain a user's agreement is through e-sign or click and sign, he said.

Create a plan. Create a workflow for data. Are health insurers being billed so that HIPAA applies? Collaborate with marketing, legal and other teams.
Nail down the purpose of the website. 

And don't copy and paste someone else's privacy policy, he said. Create your own.

The question all companies need to ask is, what are you asking the user to do? 

"There is definitely regulatory risk," Maguregui said. "The greater risk is public perception."

Also, what works today may not work tomorrow in the changing regulatory environment. Stay on top with audits and reviews.

Twitter: @SusanJMorse
Email the writer: SMorse@himss.org