FROM THE AAO-HNS MEDICAL DEVICES AND DRUGS COMMITTEEDeveloping digital-health technologyExpanded from the print edition
In 2013, venture capital funding for new healthcare IT and digital-health companies outpaced investment in all other healthcare sectors, reaching nearly $2 billion.
What otolaryngologists should consider when adopting, creating, or developing these 21st-century tools
by Manan Shah, MD, KJ Lee, MD, and Anand K. Devaiah, MD
In 2013, venture capital funding for new healthcare IT and digital-health companies outpaced investment in all other healthcare sectors, reaching nearly $2 billion.1 As the industry grows, otolaryngologists, like all physicians, will increasingly need to navigate and incorporate digital-health technologies. Whether you are creating a digital-health application or are looking to adopt new technology for your practice, it is important to understand how this technology is developed, and the attendant rules and regulations.
While the process of creating digital-health devices and technologies is somewhat similar to developing traditional medical devices, there are critical nuances to look out for. This article outlines how to begin the development process, how digital-health intellectual property is protected, ways to address HIPAA requirements, and what the unique FDA considerations pertaining to mobile-health applications are.
To give their perspective on this topic, the founders of two digital-health startups were interviewed: Shameet Luhar, CEO of Vheda Health, and Kyle Samani, CEO of Pristine. Vheda Health focuses on diabetic care for high-risk patients via telehealth, and Pristine creates software for telehealth using Google Glass.
What is digital-health technology?
When we hear the term “digital-health technology,” we often envision devices paired with smartphones. For example, CellScope is an iPhone case that converts your phone into an otoscope, and AliveCor is a case that transforms an iPhone into a heart monitor. But digital-health technologies encompass more than just your smartphone. Some digital-health applications focus on electronic health records, for example, focusing on organizing and storing information, sharing information across different platforms, and data encryption. Other applications analyze clinical data, and some offer clinical decision-making support or the ability to track outcomes. Digital-health technology also includes wearable and bio-sensing technology, such as Fitbit (a wearable device that tracks daily activity). Digital-health technology can also encompass population health-management tools for large, at-risk populations, like Vheda Health, or telehealth, of which Pristine is an example.
How can physicians get involved in developing digital-health products?
As physicians, we have an intimate understanding of what types of digital-health technology clinicians and patients need most. As more physicians become interested in creating or customizing their own digital-health products, more and more service providers have made themselves available to assist them.
One interesting aspect of digital-health entrepreneurship is that a physician can conceive of a concept and often outsource the actual creation of that concept to a software developer. The problem for most physicians, however, is locating a developer. Mr. Luhar of Vheda Health suggests that physicians start with the basics. Explore your own network by searching LinkedIn, using a simple Google search, or try other specialized networking sites such as Meetup.com.
Physicians who want to take a more hands-on approach and want to seriously pursue their digital-health concept might consider joining organizations that promote and nurture companies, called “accelerators.” These organizations provide access to initial funding, graphic designers, programmers, and mentors for creating technology. Mr. Luhar emphasizes their utility, “[An accelerator] allows a startup to accomplish within 12 weeks what might take a company two years.” Mr. Luhar’s company recently joined a healthcare-focused accelerator, StartUp Health of New York City. Other popular healthcare-focused accelerators include Rock Health, Healthbox, and Blueprint Health. For a more comprehensive list of healthcare accelerators, visit http://storyofdigitalhealth.com/startups.
Mind your IP
Obtaining patent protection is an essential first step. Yet, protecting your intellectual property (IP) can be more complex for digital-health technology than for traditional medical devices. Historically, copyright was a method of protecting software code; however, there is a risk of inadequate protection. Copyright protects the code in its fixed form, but does not protect the underlying idea of the work. Consequently, a competitor may only infringe your copyright if its software code is deemed “substantially similar.” Because the guidelines for what qualifies as “substantially similar” are vague, there is often opportunity for competitors to work around the copyright.2
Software patents can provide broader protection for a general digital-health concept, but recently software patents have become a center of debate. Currently software can be patented, but there is much talk in the legal community about changes that may alter the patent landscape.3,4
Different types of patents can be used to help protect your IP. The graphical user interface (GUI) for a digital-health tool can be protected through design patents and can include the design of the application, the home screen, and generally whatever the user sees when interacting with the device. The appearance of novel hardware can also be protected through design patents. Utility patents can cover methods of using a device. For example, using an iPhone as an otoscope or other add-on device can be protected this way. Finally, methods of doing business can be patented as well, such as novel ways of interacting with patients or insurance companies or streamlining clinic workflows. However, the law regarding business method patents is currently in flux, so it is important to seek an experienced IP attorney for these types of innovation.
It is just as important, if not more important, to make sure that producing your concept will not violate someone else’s intellectual property rights. Just because you haven’t seen your innovation on the market doesn’t mean that someone else has not already patented it. Because it is often difficult to determine whether your technology infringes existing patents, we recommend using a qualified patent attorney. While some software entrepreneurs forego patents completely, Mr. Samani of Pristine notes that patents are vital in the healthcare space. Having patents can positively affect later fundraising opportunities. “As an entrepreneur, it is worth the investment to at least file a provisional patent application, because a significant amount of investors won’t even invest without IP protection,” advises Mr. Samani.
The effect of HIPAA on digital-health technology
Physicians are acutely aware of the Health Insurance Portability and Accountability Act (HIPAA), but determining whether HIPAA applies to a digital-health concept can be challenging. HIPAA regulations apply to technology that involves protected health information (PHI). Data becomes PHI when it includes personally identifiable information (PII), and involves what is called a “covered entity” or its business associates. Physicians are defined as covered entities, but a covered entity may also include any healthcare provider, a health plan, or a healthcare clearinghouse that processes health information.
To use an example, consider a fitness app that collects a patient’s health and blood pressure information. This data counts as PII, because it is identifiable. If that data is not shared with a covered entity, like a physician, however, it does not become PHI and HIPAA rules do not apply. Likewise, if healthcare data from patients is provided to a physician or insurance company, but that data is aggregated and no longer includes PII, then it is not PHI, so it need not comply with HIPAA.5
When HIPAA does apply to a technology, the company that provides the technology will function as a “business associate” of the covered entity with access to the PHI. It is critical that business associates comply with HIPAA. A security breach for the technology constitutes a breach for the users, which includes the physicians.
The difficulty is that there is no official, certifying body that clears a technology as compliant. Instead, companies must self-regulate to ensure they meet the requirements or risk facing serious legal ramifications and fines from the U.S. Department of Health and Human Services Office of Civil Rights, which enforces HIPAA.
The first place to begin familiarizing yourself with the nuances of HIPAA is the HHS.gov website (http://www.hhs.gov/ocr/privacy/index.html). Additionally, most hospitals have a HIPAA expert with whom you can speak. As you begin to seriously develop or evaluate a product, we recommend finding a trusted adviser to help you navigate the regulations. For developers, most of the accelerators mentioned above will also have a HIPAA expert. You may also consider reaching out to an accelerator’s expert even if you are not interested in joining an accelerator.
In general, technology must reasonably protect the security and privacy of protected health information. Companies must monitor and audit for data breaches, as well as notify the covered entity in case of a breach.
Most importantly, all providers of digital-health technology that fall under HIPAA rules must sign a business associate agreement with any covered entities (e.g., physicians or health care organizations) they work with stating they will comply with the relevant regulations. This signed agreement is pertinent not only for developers, but also physicians considering adopting new technology into their practice.6
Finally, both Messrs. Samani and Luhar caution that while entrepreneurs in other fields may develop and release a pilot first and ask permission later, in healthcare this approach can lead to severe consequences and endanger patients. We urge all digital-health entrepreneurs to be HIPAA compliant prior to any product testing or have developers go through an IRB, if needed, and obtain written authorization from any participating entities. It is also important to consider the implications of HIPAA early on, because it may affect how you engineer your product. Your product should either comply with HIPAA or to fall outside the scope of HIPAA and its requirements. Mr. Samani elaborates, “HIPAA may not be the only regulation you will need to follow. In the field of mobile health alone, some entrepreneurs must coordinate with the Office of the National Coordinator for Health Information Technology, the National Institute of Standards and Technology, the Federal Communications Commission, and the FDA.” You may also need to consider Children’s Online Privacy Protection Rule (COPPA) if collecting information on minors, and local governments may have individual laws for fields such as telemedicine.
While this may initially seem overwhelming, the good news is that there are a number of resources for entrepreneurs in the digital-health space. Two examples include Catalyze (https://catalyze.io/), which provides HIPAA-compliant hosting and data platforms as a service, and Accountable (http://accountablehq.com/), which provides HIPAA compliance and HIPAA training as a service. Overall, if entrepreneurs keep HIPAA in mind early on, compliance can be easily incorporated into any technology.
FDA regulation and digital-health technology
The FDA has been reviewing mobile medical applications since 1997, but only recently did it publish final guidelines on how it will approach the regulation of digital-health technology. These guidelines have strengthened the market and eliminated much of the uncertainty for developers and investors. In short, technology that functions as a medical device—be it an application on a mobile device or a device that pairs with a mobile device—may be subject to FDA oversight if it is intended for use in the diagnosis, cure, treatment, or prevention of a disease.
To answer the question of whether your technology is regulated, the general question developers should ask is, “Could this technology pose a risk to a patient’s health if it does not work as intended?” If the answer is “yes,” then most likely it will be subject to regulation. If your digital-health technology does not function as a medical device or mobile application, the FDA will not exercise its regulatory powers over it. Examples of applications that are not regulated devices include wellness applications, general health reference materials, and healthcare administration applications dealing with billing, appointments, and insurance transactions.
In its recently issued guidelines, the FDA noted that medication reminder applications and technologies are not likely to be regulated. Likewise, recent guidelines specify that the FDA will not require compliance for software or systems that simply transfer, store, convert the format of, or display medical device data unless this data is intended for active patient monitoring. An example the FDA uses is if your application collects blood sugar data for active adjustment of insulin, it must comply, as a malfunction could hurt the patient acutely, but if it simply collects long-term insulin data and displays it, it will not fall under FDA regulation.
Examples of digital technologies that do require FDA clearance include anything that controls a medical device, transforms a mobile device into a medical device, and anything that assists with diagnosis or treatment of a patient. The FDA further classifies devices using risk stratification. With digital-health technology, risk stratification is similar to that of traditional medical devices; greater risk to a patient implies a higher class. Class I devices are low risk and may be exempt or cleared via a 510(k) pathway (i.e., cleared by demonstrating it is equivalent to an existing approved device). Class II devices will usually require a 510(k) approval. Finally, Class III devices, which are the highest-risk devices, will require a rigorous pre-market approval.7
In summary, physicians and physician entrepreneurs should be aware of the promises and pitfalls that new digital-health applications can pose in development and implementation. They may improve healthcare efficiency, increase patient engagement, and improve patient outcomes.8,9 While the process of developing digital-health technology may seem initially arduous, understanding the underpinnings of how and what is needed to develop this technology can help physicians. We hope that providing an overarching view of this landscape and some available resources may help you navigate the digital-health field.
Manan Shah, MD, is a resident in otolaryngology at the University of Connecticut School of Medicine. He worked previously at an early-stage, venture-capital fund. He writes about healthcare innovation at MananMD.com. Please feel free to contact him with any questions at manan.Shah.email@example.com.
KJ Lee, MD, is chief scientific officer at IQ-EQ Systems LLC. Please feel free to contact him with any questions at KJLeeMD@aol.com.
Anand K. Devaiah, MD, is associate professor of otolaryngology, neurological surgery, and ophthalmology, and the chair of the Medical Devices and Drugs Committee for the AAO-HNS and editor for the Bulletin article series from this committee.
Please feel free to direct any questions to Dr. Devaiah at firstname.lastname@example.org, or to the Medical Devices and Drugs Committee liaison, Harrison Peery (email@example.com). Have a suggestion on a future article? Let us know.
Disclosures: Drs. Shah, Lee, and Devaiah do not have a financial relationship with any commercial entities discussed in this article.
Disclaimer: The discussion of services and products above does not constitute an endorsement of their products or services by the authors or the AAO-HNS.
- Puliafito A. FDA 101: a guide for digital-health entrepreneurs. Rock Health website. http://rockhealth.com/2013/03/fda-101-a-guide-for-digital-health-entrepreneurs. March 26, 2013. Accessed June 16, 2015.
- United States Patent and Trademark Office website. http://www.uspto.gov. Accessed June 16, 2015.
- Technology development accelerators. Harvard Office of Technology Development website. http://otd.harvard.edu/inventions/ip/software/compare. Accessed June 16, 2015.
- Quinn G. Software patent basics: what level of description is required? IPWatchdog website. http://www.ipwatchdog.com/2014/01/25/software-patent-basics-what-level-of-description-is-required. Jan. 25, 2014. Accessed June 16, 2015.
- Quintini, S. HIPAA compliance for startups. Global Entrepreneurship Library website. http://www.unleashingideas.org/global-entrepreneurship-library/global-resource/hipaa-compliance-startups. April 2012. Accessed June 16, 2015.
- Health information privacy. HHS website. http://www.hhs.gov/ocr/privacy/index.html. Accessed June 16, 2015.
- FDA website. http://www.fda.gov. Accessed June 16, 2015.
- Lee KJ. Electronic medical records (EMR)—the train has left the station. ENT News. 16(3) 45-46; July/August 2007.
- Lee KJ. Philosophy and reality of entrepreneurship. ENT & Audiol News. 23(1) 40-42; March/April 2014.