Digital health companies are producing increasingly innovative products at a rapidly accelerating pace, fueled in large part by the expansive healthcare data ecosystem and the data strategies for harnessing the power of that ecosystem. The essential role data strategies play make it imperative to address the data-related legal and regulatory considerations at the outset of the innovation initiative and throughout the development and deployment lifecycle so as to protect your investment in the short and long term.
The Evolution of Digital Health
Digital health today consists of four key components: electronic health records, data analytics, telehealth, and patient and consumer engagement tools. Electronic health records were most likely first, followed very closely by data analytics. Then telehealth deployment rapidly increased in response to both demand by patients and providers, the improved care delivery and access it offers, and more recently, the expanded reimbursement for telehealth solutions. Each component of digital health was developed somewhat independently, but they have now converged and are interrelated, integral parts of the overall digital health ecosystem.
The patient and consumer engagement dimension of digital health has exploded over the last five years. This is due, in large part, to consumer and patient demand for greater engagement in the management of their healthcare, as well as the entry of disruptors, such as technology service providers, e-commerce companies, consumer products companies and entrepreneurs. At this point in the evolution of the digital health landscape, the patient and consumer engagement tool dimension pulls in all other key components and no digital health consumer engagement tool is complete without the full package.
Data Strategies and Collaborations as Key Innovation Ingredients
No digital health initiative can be developed, pursued or commercialized without data. But the world of data aggregation and analytics has also changed significantly and become immensely complex in recent years. Digital health innovation is no longer working exclusively within the friendly confines of the electronic health record and the carefully regulated, controlled and structured data it holds. Today, digital health innovation relies on massive amounts of data in a variety of types, in various forms, from a wide variety of sources, and through a wide variety of tools, including patient and consumer wearables and mobile devices.
Further, such data strategies frequently involve the collaboration among various stakeholders, some of which bring essential ingredients such as technology infrastructure and data analytics tools and general innovation prowess, but which are unregulated and perhaps new to the healthcare industry. The sharing of robust and multi‑dimensional data among regulated and unregulated collaborators with different compliance obligations, cultures and risk tolerance presents complex privacy and security compliance and other liability issues that the regulated healthcare participants, who will contribute rich sources of clinical, research and consumer data, have no choice but to address before proceeding. Thus, for any data collaboration to be successful and sustainable, both parties must understand and be willing to tackle these various issues at the front-end through a careful analysis of available compliance strategies and a forthright and balanced approach to contractual allocation of the associated legal and economic responsibilities and risks.
Increasingly, data collaborations involve the valuation of the data being contributed for purposes such as structuring rights to royalties, license fees and equity shares when a digital health discovery is commercialized. Yet what is sometimes overlooked and unfamiliar to the unregulated stakeholders is the HIPAA prohibition on the sale of data (and similar prohibitions that have been proposed or adopted by one or more states). The HIPAA prohibition, with certain exceptions, applies to directly or indirectly receiving remuneration for protected health information (PHI). One of the various exceptions is for disclosure of PHI for research purposes only for a reasonable fee to cover the cost to prepare and transmit the PHI.
De-Identification of Data
De-identification of data is essential to comply with the HIPAA sale of data prohibition. Again, regulated and unregulated players may have different understandings of what it means to be de-identified. Key questions to address out of the gate are:
- What data is being contributed?
- Who will de-identify it?
- What legal standard for de-identification will be targeted?
- What method of de-identification will be used (g., the HIPAA safe harbor method or the alternative HIPAA statistical certification pathway)
- Who’s going to bear the cost of the de-identification process?
- Who will own the de-identified data?
- Who will use the data in the context of the collaboration?
- Who will use the de-identified data for other purposes other than in connection with the collaboration?
- Will anyone have the right to sell or license the data to third parties?
What you want to avoid is expending the extensive time, effort and money required to build a robust data only to discover later that it cannot be used because the appropriate compliance pathways for collecting, storing and aggregating the multi-dimensional data in the repository were not charted and followed. A failed repository effort alone can significantly delay a digital health initiative or bring it to a screeching halt.
For a deeper discussion on data considerations in digital health, listen to our Of Digital Interest podcast, Protecting Your Technology: IP Considerations in Digital Health.