Atlanta is home to numerous healthcare information technology (“Health IT”) companies and serves as a national leader in Health IT. Following the American Recovery and Reinvestment Act (“Stimulus Act”) and the Health Care Reform Act, the Health IT market grew exponentially. Both laws dedicated billions of dollars to fund Health IT initiatives designed to spark innovative methods of delivering healthcare services by changing how healthcare is coordinated among providers and patients while reducing the cost of delivering clinical care. Some of these initiatives dedicated funds to encourage the adoption and implementation of electronic health records. Other programs provided direct funding for concepts that would change how healthcare was delivered. All of this funding has driven significant economic growth in Health IT and led many companies to develop Health IT service lines. While federal funding has been the carrot that fosters Health IT growth, there is also a stick: the rigorous regulations that Health IT companies must address in order to avoid significant fines and penalties.
Complying with the rules and regulations can be expensive and must be considered when developing a healthcare-related product. First, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its Privacy and Security Rules impose significant operational changes and implementation requirements that cannot be overlooked. Effective September 23, 2013, the HIPAA requirements for Health IT companies will be extensive. Each company must perform an information security risk analysis of how it receives, uses and discloses patient health information. This includes an assessment of where patient information is stored, how it is transmitted, and whether or not the company has implemented appropriate administrative, physical and technical safeguards to protect the privacy, confidentiality and integrity of the information. While it may sound like merely a process of ensuring that policies and procedures are in effect, the Health IT company must evaluate and address its electronic databases, encryption methods, remote accessibility, storage, data backup and contingency plans in the event of an emergency. This type of risk assessment is not only time consuming and resource intensive but also incredibly costly.
If a Health IT company fails to address the HIPAA regulations and implement the appropriate administrative, physical and technical safeguards in a timely manner, it could be subject to fines of up to $1.5 million in the event of a breach. Moreover, there are mandatory penalties for breaches of 500 or more unsecured records. These penalties mean that the infrastructure of a Health IT company, including whether it uses encryption, how it monitors and protects the integrity of information in transit, and how it stores its databases, is just as critical as generating revenue through sales. Just this week, the importance of how Health IT companies store information was highlighted when a health university that used a cloud service to store its patient information suffered its third breach, which involved approximately 3,000 records. Failure to sufficiently address HIPAA requirements may lead to penalties in excess of $1.5 million and a public relations nightmare. Therefore, the regulations, while extensive, are incredibly important to the ongoing sustainability of the business.
In addition to HIPAA, Health IT companies must also assess whether or not their product is considered a “medical device” as defined by the Food and Drug Administration (“FDA”). Depending upon the type of Health IT product being launched, the Health IT company may be required to register with the FDA. The FDA has broadened its scope and is pursuing enforcement actions against Health IT companies that fail to register when applicable. In fact, today a product that merely receives and displays patient information may be considered a medical device and governed by the FDA. Specifically, if the patient information is received from another medical device and displayed in a manner that converts it into a graph or a different form of display, the device may move from a Class I FDA medical device to a Class II or Class III FDA device. As the device escalates in its classification, the FDA regulatory requirements increase. In those instances, the Health IT company must file a 510(k) registration with the FDA. Preparing the 510(k) filing is more than merely completing an application to register the product. The design specifications, software requirements, software validation and testing, the hazards and unintended consequences, and the device description, among other items, must be specifically documented and provided to the FDA for audit. In addition, quality specifications must be implemented by the Health IT company to ensure that the information received from a medical device, displayed and transmitted has integrity and has not been manipulated in transit. In order to ensure that the information and the system function in compliance with the design specification, software validation testing must be performed and the results should be provided to the FDA as part of the audit and registration process; again, another resource-intensive and costly experience for Health IT companies.
Unfortunately, without filing with the FDA or complying with HIPAA, the risk of penalties and loss is severe. Therefore, as Health IT companies continue to drive into the future in pursuit of growth, they must budget for and ensure that they are assessing regulatory compliance requirements.
Ultimately, the success of the company will depend upon the design, the functionality and the consumer’s adoption of the product. However, if a Health IT company does not address its regulatory compliance, it risks the failure of the enterprise. As the Health IT industry pursues innovative concepts, Health IT companies must place compliance with regulations as a priority right next to driving sales and strategic planning.