Davis Wright Tremaine LLP

E-Health Law Advisory Bulletin, December 1999

Policing the Electronic Frontier: An Introduction to E-Health Legal Issues
By W. Reece Hirsch, Partner


E-health companies and those engaging in health care e-commerce should prepare for a new regulatory environment in which state and federal authorities apply heightened scrutiny to this burgeoning sector of the New Economy.

It is rapidly becoming clear that the relatively freewheeling early stages of the e-health industry are drawing to a close, a development that was inevitable given the highly regulated character of the American health care industry and the public policy concerns that attach to the provision of health care services in any form. First generation health care "dot coms" should reevaluate existing business models for legal compliance and second generation companies must develop business models with an eye towards anticipating this changing regulatory landscape.

This E-Health Law Advisory Bulletin provides a brief overview of some key legal issues relevant to e-health companies. A series of executive summary bulletins will follow in the coming months reviewing many of these and other issues in greater detail.

HIPAA Electronic Data Security Standards
The Health Insurance Portability and Accountability Act of 1996 ("HIPAA") mandated the creation of electronic data security standards, which promise to have a profound impact on health care information technology practices for years to come. In August 1998, the Department of Health and Human Services ("HHS") issued proposed electronic data security regulations (the "HIPAA Security Regulations"). It is anticipated that the final HIPAA electronic data security regulations will be issued by HHS prior to the end of 1999. The HIPAA Security Regulations require that any health plan, health care clearinghouse or health care provider that electronically maintains or transmits individually identifiable health information must adopt policies, practices and procedures to protect the confidentiality of that information. Transmission of individually identifiable health information over the Internet is a type of transaction subject to the HIPAA security requirements.

Many e-health companies will not be directly subject to HIPAA because they are not health care providers, health plans or health care clearinghouses, as those terms are defined in the HIPAA Security Regulations. However, a wide variety of e-health companies are likely to be viewed as "business partners" of HIPAA covered entities. Business partners are required to enter into "chain of trust partner agreements," pursuant to which a HIPAA covered entity and an e-health company business partner would agree to electronically exchange data and protect the integrity and confidentiality of that data. Although the HIPAA Security Regulations will not become effective until late 2001 or early 2002, the regulations are likely to become the industry standard for commercially reasonable security practices prior to the effective date. As a result, many e-health companies can expect to be asked in the near future to enter into chain of trust partner agreements with health care providers and other parties subject to HIPAA.

HIPAA Privacy Standards
HIPAA also mandated the establishment of new standards governing privacy of individually identifiable health information that is electronically transmitted or electronically maintained by health care providers, health plans and health care clearinghouses. The Secretary of HHS has issued proposed privacy regulations pursuant to HIPAA ("HIPAA Privacy Regulations"), which were published in the Federal Register on November 3, 1999. Because it appears unlikely as of this writing that Congress will pass comprehensive privacy legislation or legislation to extend HIPAA's statutory deadline, HHS is expected to issue final HIPAA privacy regulations by February 21, 2000. Although the HIPAA Privacy Regulations apply only to information that is electronically transmitted or maintained, and not to paper-only records, the privacy standard will substantially increase the rights of patients to control the use and dissemination of their health information, and cause HIPAA covered entities and their business partners, such as e-health companies, to adopt HIPAA-compliant privacy protections.

The HIPAA Privacy Regulations prohibit a covered entity from using or disclosing an individual's protected health information, except as expressly permitted or required by the regulations. As with the HIPAA Security Regulations, many e-health companies will find that they are not directly subject to the HIPAA Privacy Regulations, which apply to health care providers, health plans and health care clearinghouses, but will be required to enter into chain of trust partner agreements with HIPAA covered entities. The HIPAA Privacy Regulations set forth specific terms and conditions for chain of trust agreements. E-health companies that receive protected health information from providers and other HIPAA covered entities should begin considering HIPAA privacy compliance now in order to avoid being forced to react to chain of trust partner agreements presented by their clients.

Jurisdiction
Because the Internet transcends local, state and national boundaries, an e-health company's operations may be subject to the jurisdiction of courts in multiple states. Recent court cases indicate that a web site is more likely to be subject to the laws of another state if it is an interactive site that engages in commerce or two-way communications with citizens of that state. Web sites that are merely passive postings of information are less likely to be subject to the laws of other states. Of course, few "sticky" e-health sites today are purely passive postings. In the case of an interactive site, the operator may seek to exclude users from certain states by requiring user registration or by posting disclaimers on the site specifying that its activities are not directed toward certain jurisdictions.

Practice Liability Issues
Some e-health companies provide medical information by allowing users to submit questions to, or engage in online dialogue with, physicians or other health care professionals. E-health companies must carefully consider at what point the provision of user-specific health care information may create a provider-patient relationship. The scope of practice of physicians and other providers is determined by state licensing authorities, making these questions all the more complicated for e-health companies, which typically provide services on a nationwide basis. If, for example, a physician employee of an e-health company provides medical information to a user that is deemed to create a physician-patient relationship, then the e-health company may be violating state corporate practice of medicine prohibitions, aiding and abetting in the unlicensed practice of medicine, and exposing itself to possible liability for harm caused by the actions of its physician agent. The employed physician may be subject to professional discipline for practicing medicine without a license in the state in which the user resides. Even if the physician is licensed in the user's state of residence, the provision of online medical advice without an in-person evaluation may violate applicable state scope of practice and professional standards. This is an area of law that is unsettled, but as certain e-health companies seek to expand the range of health care services that may be delivered on the Internet, these questions will increasingly be confronted.

Chat Rooms and Message Boards
Medical information web sites often feature chat rooms in which users share information regarding medical conditions. E-health companies may subject themselves to liability by establishing or sponsoring a site in which erroneous medical information is disseminated by users or company personnel. E-health companies must carefully consider the liability issues related to monitoring or moderating chat rooms and message board communications. While monitoring or moderating chat room content helps to limit inappropriate or misleading communications, it also causes the e-health company to assume greater responsibility for that content, thus arguably increasing the company's potential liability. The terms of use of an e-health company's site should clearly state the extent to which the company is assuming responsibility for chat room and message board communications. The terms of use should also clearly articulate any monitoring or moderating activities, or the absence of such activities. Monitoring or moderating activities should also be highlighted in the site's privacy policy.

Fraud and Abuse Issues
The application of state and federal laws prohibiting kickbacks and physician self-referrals to e-health companies is still a fairly uncharted area. Nonetheless, online advertising arrangements may implicate laws such as the federal anti-kickback statute, which generally prohibits the knowing and willful solicitation, offer, payment or acceptance of remuneration (i) for referring an individual for an item or service covered by the Medicare program or another federal health care benefit program or (ii) for purchasing such items or services. Online advertising is often paid for based upon a percentage of the dollar volume of click-through purchases. If the items being advertised and purchased are goods or services covered by Medicare or other federal health care programs, such as pharmaceuticals, then such arrangements should be carefully reviewed for compliance with applicable fraud and abuse statutes.

Ethical Considerations
Ethical issues have rapidly moved to the forefront of the consideration of the e-health industry by the public and the media. These concerns frequently are precipitated by the involvement of physicians and other health care providers in the ownership, management or operations of e-health companies. Health care providers have played instrumental roles in the ownership, management and operation of many notable e-health companies, but activities that are appropriate when engaged in by lay persons may take on a different character and public perception when a health care professional is involved - the so-called "white coat syndrome."

E-health ethics issues are being addressed on several fronts, including the Hi-Ethics Alliance, the Internet Health Care Coalition and the Health on the Net Foundation's Code of Conduct for Medical Web Sites.

The law of cyberspace and the application of health care regulatory laws to e-health are both evolving at the speed of the Internet. The functionality of e-health web sites and partnering relationships among e-health companies tend to evolve just as quickly. For these reasons, e-health companies should engage in periodic legal audits to make sure that their practices remain in compliance with a regulatory landscape that is still emerging. The next edition of this E-Health Law Bulletin will provide a more detailed analysis of the recently issued HIPAA privacy regulations.

About Reece Hirsch:
Reece Hirsch is a partner in the San Francisco office of Davis Wright Tremaine LLP. He is co-chair of the firm's E-Health Law Practice Group and a member of the editorial advisory board of Internet Health Care Strategies. He writes and lectures frequently on e-health legal issues. He can be reached at (415) 276-6514 or reecehirsch@dwt.com.
