Throughout 2017, the health care and life sciences industries experienced a widespread proliferation of digital health innovation that presents challenges to traditional notions of health care delivery and payment as well as product research, development and commercialization for both long-standing and new stakeholders. At the same time, lawmakers and regulators made meaningful progress toward modernizing the existing legal framework in a way that will both adequately protect patients and consumers and support and encourage continued innovation, but their efforts have not kept pace with what has become the light speed of innovation. As a result, some obstacles, misalignment and ambiguity remain.
We are pleased to bring you this review of key developments that shaped digital health in 2017, along with planning considerations and predictions for the digital health frontier in the year ahead.
As the Federal Communications Commission repeals the Open Internet Order—more commonly known as the net-neutrality rules—health care consumers and providers have been left wondering how this change will affect their ability to receive and deliver health care using digital health tools. In this On the Subject, we outline how changes in internet access will affect digital health and what the regulatory landscape will look like in the coming months and years.
On October 20, 2016, the United States Department of Justice Antitrust Division (DOJ) and Federal Trade Commission (FTC) issued joint Antitrust Guidance to Human Resource (HR) Professionals (the Guidance) involved in hiring and compensation decisions. The agencies issued the guidance to educate HR professionals about how the antitrust laws apply in the employment context.
As we reported in May 2014, the Federal Trade Commission (FTC) convened stakeholders to explore whether health-related information collected from and about consumers — known as consumer-generated health information (CHI) — through use of the internet and increasingly-popular lifestyle and fitness mobile apps is more sensitive and in need of more privacy-sensitive treatment than other consumer-generated data.
One of the key questions raised during the FTC’s CHI seminar is: “what is consumer healthinformation”? Information gathered during traditional medical encounters is clearly health-related. Information gathered from mobile apps designed as sophisticated diagnostic tools also is clearly health-related — and may even be “Protected Health Information,” as defined and regulated by Health Information Portability and Accountability Act (HIPAA), depending on the interplay of the app and the health care provider or payor community. But, other information, such as diet and exercise, may be viewed by some as wellness or consumer preference data (for example, the types of foods purchased). Other information (e.g., shopping habits) may not look like health information but, when aggregated with other information generated by and collected from consumers, may become health-related information. Information, therefore, may be “health information,” and may be more sensitive as such, depending on (i) the individual from whom it is collected, (ii) the context in which it is initially collected; (iii) the other information which it is combined; (iv) the purpose for which the information was initially collected; and (v) the downstream uses of the information.
Notably, the FTC is not the only regulatory body struggling with how to define CHI. On February 5, 2015, the European Union’s Article 29 Working Party (an EU representative body tasked with advising EU Member States on data protection) published a letter in response to a request from the European Commission to clarify the definitional scope of “data concerning health in relation to lifestyle and wellbeing apps.”
The EU’s efforts to define CHI underscore the importance of understanding CHI. The EU and the U.S. data privacy and security regimes differ fundamentally in that the EU regime broadly protects personally identifiable information. The US does not currently provide universal protections for personally identifiable information. The U.S. approach varies by jurisdiction and type of information and does not uniformly regulate the mobile app industry or the CHI captured by such apps. These different regulatory regimes make the EU’s struggle to define the precise scope and definition of “lifestyle and wellbeing” data (CHI) and develop best practices going forward all the more striking because, even absent such a definition, the EU privacy regime would offer protections.
The Article 29 Working Party letter acknowledges the European Commission’s work to date, including the European Commission’s “Green Paper on Mobile Health,” which emphasized the need for strong privacy and security protections, transparency – particularly with respect to how CHI interoperates with big data – and the need for specific legislation on CHI-related apps or regulatory guidance that will promote “the safety and performance of lifestyle and wellbeing apps.” But, in [...]
Last month, the Federal Trade Commission (FTC) and the Equal Employment Opportunity Commission (EEOC) issued joint guidance addressing the use of background checks in employment decisions. The guidance does not offer new requirements related to background checks, but rather serves as a reminder to employers of their obligations under federal law when they use background checks, and creates a user-friendly guide to applicants and employees regarding their rights with respect to background checks.
The guidance consists of two documents – one for employers, “Background Checks: What Employers Need to Know,” and one for applicants and employees, “Background Checks: What Job Applicants and Employees Should Know.” The first document, “What Employers Need to Know,” offers guidance to employers on their existing legal obligations under the Fair Credit Reporting Act (FRCA), a federal law enforced by the FTC, and federal non-discrimination laws enforced by the EEOC. The document reminds employers that under FCRA employers must obtain written permission from job applicants and employees before conducting a background check, and must notify applicants and employees that background reports may be used to make decisions about employment. In addition, the agencies reaffirm that employers must not discriminate based on a person’s race, color, national origin, sex, religion, age (40 or older) or disability when requesting or using background information for employment. Finally, the guidance discusses the requirements related to the retention, preservation and disposal of personnel or employment records.
The second document, “What Job Applicants and Employees Should Know,” describes applicants’ and employees’ rights under federal law when an employer conducts background checks. The agencies remind applicants and employees that it is lawful for potential employers to ask about applicants’ or employees’ backgrounds or require a background check, as long as the employer does not unlawfully discriminate. The guidance also states that employers must not ask for medical information until they offer an applicant a job, and can only ask for genetic information under limited circumstances (for example, when an employer offers health or genetic services as part of a voluntary wellness program, or if the information is required to comply with the Family and Medical Leave Act). Finally, the guidance explains that when applicants have been turned down for a job or denied a promotion based on information in their background reports, they have the right to review the report for accuracy.
This marks the first time the two agencies have jointly issued guidance, which seems to indicate that both agencies have a vested interest in enforcing the laws related to employer use of background checks, and perhaps serves as a signal to employers that both agencies consider this topic a priority. Employers should consider reviewing the new guidance, and ensure that their policies and practices with respect to background checks comply with federal law, as well as applicable state and local law.
A new Federal Trade Commission report urges mobile app platforms and developers to better inform consumers about their privacy practices. Mobile app platforms and developers should review their privacy policies to ensure accuracy, transparency and appropriate level of consumer choice.
We recently released a Hot Topic that details the Federal Trade Commission’s (FTC) settlement with Spokeo, Inc. Spokeo collected information about individuals from online and offline sources to create profiles that included contact information, marital status, age range and in some cases included a person’s hobbies, ethnicity, religion, participation on social networking sites and photos that Spokeo attributed to a particular individual. Spokeo marketed these profiles to companies in the human resources, background screening and recruiting industries as information to serve as a factor in deciding whether to interview or hire a job candidate. The FTC concluded that Spokeo acted as a consumer reporting agency and thus violated the Fair Credit Reporting Act (FCRA) by: (1) failing to ensure the consumer reports it sold were used for legally permissible purposes; (2) failing to ensure that the information it sold was accurate; and (3) by failing to inform users of Spokeo’s consumer reports of their obligations under the FCRA. Spokeo agreed to pay $800,000, and comply with the FCRA going forward, among other things.
There is an important message for employers in this settlement: If you receive profile information from data brokers and use that information in making employment decisions, the FCRA applies. And while this enforcement action focused on the data broker, the FTC could turn next to offending employers. The FTC has published guidance on how to avoid an enforcement action in these circumstances and comply with the FCRA at: Using Consumer Reports: What Employers Need to Know Employers should also check on the local state laws that may apply, because some states restrict the use of such reports for employment purposes.
Subscribe
