USA Law and Practice Contributed by: Nadia de la Houssaye, Allison Bell, Emily Degan Vorhoff and Keiana Palmer, Jones Walker LLP
3.3 Enforcement

Regulatory authorities enforce digital healthcare laws and regulations through various mechanisms, with enforcement intensity varying across domains.

FDA Enforcement

The FDA employs a risk-based approach to enforcement, focusing on products that pose the greatest potential harm to patients. Enforcement actions include warning letters, product recalls, injunctions and civil penalties. The agency has increased scrutiny of software as a medical device (SaMD), particularly those making diagnostic or treatment claims without proper authorisation.

HIPAA/Privacy Enforcement

The HHS OCR enforces HIPAA violations through civil monetary penalties and corrective action plans. Common violations include unpermitted use/disclosure of protected health information (PHI), inadequate safeguards and failure to provide patient access to their information. OCR investigations often follow data breaches affecting 500 or more individuals, which must be reported promptly under the Breach Notification Rule.

FTC Enforcement

The FTC targets deceptive advertising claims and unfair privacy practices in digital health, typically resulting in consent decrees requiring companies to implement comprehensive privacy programmes and undergo regular assessments.

Medicare Fraud Enforcement

The CMS and the HHS Office of Inspector General (OIG) have increased scrutiny of telehealth billing practices. In April 2023, HHS-OIG issued a toolkit for identifying telehealth fraud and improper payments, focusing on high-risk billing patterns.

State-Level Enforcement

State attorneys general increasingly enforce data privacy laws and consumer protection statutes against digital health companies, particularly concerning sensitive health information collected outside HIPAA's scope.

Areas subject to stricter enforcement include:

• false or misleading marketing claims about clinical effectiveness;
• inadequate security measures protecting sensitive health data;
• billing fraud in telehealth services;
• unauthorised practice of medicine across state lines; and
• non-compliance with informed consent requirements.

Enforcement intensity has increased as digital health adoption has expanded, with regulators adapting traditional enforcement mechanisms to address novel challenges presented by emerging technologies while attempting to balance innovation promotion with consumer protection.

3.4 Sufficiency of Oversight

The current regulatory framework for digital healthcare offers significant strengths as well as limitations in addressing emerging risks.

Current strengths include:

• established pathways for traditional medical device oversight through the FDA;
• a HIPAA framework for protecting health information by covered entities;
• growing expertise within regulatory agencies regarding digital technologies;
157 CHAMBERS.COM