A Brief Overview of the Regulatory Bodies Watching Digital Health 👀

On the heels of Truepill settling with the Drug Enforcement Administration (DEA) (more on this below), I wanted to put together a primer on the various government agencies that should be on your radar as a healthcare founder.

Trust is so important in healthcare. A potential violation not only consumes a startup's precious time and money; it can also erode the very foundation of patient confidence and security.

Beyond the Federal Trade Commission (FTC), which I discussed in this article, there are a few other regulatory bodies founders should know. From the Food and Drug Administration (FDA) to the Office for Civil Rights (OCR), and even the Drug Enforcement Administration (DEA), let's take a look at what these groups do and the regulatory frameworks they enforce.

FYI: In the U.S. government, a "department" is a top-tier administrative unit headed by a Secretary and covers a broad scope of functions. An "agency" is a specialized organization within a department or as a standalone entity, focusing on specific tasks. A "commission" is a type of agency often created for a specific purpose, typically regulatory, and may have varying degrees of independence. An "office" is a sub-unit within agencies or departments, generally responsible for specialized, narrow functions.

Department of Health and Human Services (HHS)

The HHS is a $1.7 trillion, 80,000-employee arm of the federal government responsible for “improving the health, safety, and well-being of America.” Within HHS is a collection of agencies and offices, including NIH, CDC, FDA, and CMS.

While most HIPAA violations involve health plans, providers, and pharmacies, some startups that serve as "business associates" also find themselves in violation. For instance, iHealth recently settled with HHS for $75,000 for impermissibly disclosing the protected health information of 267 individuals and then failing to conduct "an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by iHealth".

Regulations enforced:

  • Health Information Technology for Economic and Clinical Health (HITECH) Act

  • Many other regulations are created and enforced by offices and departments within HHS

Startups that should take note:

Any startup dealing with healthcare data—whether it's patient records, billing information, or telehealth services—should be well-versed in HHS regulations, especially HIPAA.

Drug Enforcement Administration (DEA)

The DEA is a federal law enforcement agency under the United States Department of Justice with a $3.1 billion budget and over 10,000 employees. The DEA's primary mission is to enforce the controlled substances laws and regulations of the United States. You may think the DEA only worries about drug trafficking, but it also registers and monitors the manufacturing, distribution, dispensing, and prescribing of controlled substances, including via telemedicine.

For example, in November 2023, Truepill settled with the DEA for “operating an unregistered online pharmacy, filling prescriptions for Schedule II controlled substances in excess of the 90-day limit, and filling prescriptions written by medical providers who did not have the required licenses.”

Regulations enforced:

  • Controlled Substances Act

  • Ryan Haight Online Pharmacy Consumer Protection Act of 2008

Startups that should take note:

The DEA becomes relevant if your digital health startup deals with controlled substances, from Adderall to Ambien, including via telemedicine or e-prescribing. Your startup will need to complete a special registration and verification process to comply.

Office for Civil Rights (OCR)

The OCR (which sits within HHS) is the watchdog of the Health Insurance Portability and Accountability Act (HIPAA) itself. OCR is responsible for enforcing the privacy and security standards that safeguard protected health information (PHI). For a breach of PHI held by a HIPAA covered entity or its business associate, OCR is the one you'll be answering to, not the FTC (the FTC's Health Breach Notification Rule, discussed below, covers health data held by companies that are not subject to HIPAA). Founders should acquaint themselves with OCR's guidelines and enforcement activities.

Regulations enforced:

  • HIPAA Privacy Rule

  • The HIPAA Security Rule

  • Patient Safety Act and Rule

  • Federal Civil Rights Laws

  • Federal Conscience and Religious Freedom Laws

Startups that should take note:

Any startup handling protected health information (PHI), whether as a provider, clearinghouse, or business associate, needs to know OCR and specifically HIPAA.

Food and Drug Administration (FDA)

If your startup claims to diagnose or treat a disease (as a medical device, or even software that could be categorized as such), say hello to the FDA. Also sitting within HHS, the FDA regulates the safety and effectiveness of medical devices and pharmaceuticals. Software as a Medical Device (SaMD), mobile medical applications, clinical decision support software, and wearables that offer health or medical functionality could all come under the FDA's purview. 23andMe famously received a warning letter from the FDA in 2013, something Anne discussed with me on the Heart of Healthcare podcast last year.

Regulations enforced:

  • Federal Food, Drug, and Cosmetic Act

  • The Kefauver-Harris Amendments

  • Medical Device Amendments

  • Code of Federal Regulations Title 21

Startups that should take note:

If your startup develops medical devices, medical software, software as a medical device (SaMD), pharmaceutical drugs, or even dietary supplements, understanding FDA regulations should be a priority. Consult the FDA’s guidelines to determine if your product fits their definition of a medical device.

The FDA has stated that software intended only to maintain or encourage a healthy lifestyle, and unrelated to the diagnosis, cure, mitigation, prevention, or treatment of a disease or condition, is not considered a medical device.

Federal Trade Commission (FTC)

The FTC is the guardian of consumer protection laws. Tasked with preventing deceptive and unfair practices, the FTC plays an instrumental role in setting the standards for privacy and fair competition across various industries, healthcare included. Digital health startups including BetterHelp, GoodRx, and Flo Health have all gotten in trouble with the FTC.

Regulations enforced:

  • Federal Trade Commission Act

  • Health Breach Notification Rule

  • Children’s Online Privacy Protection Act (COPPA)

Startups that should take note:

If your company comes in contact with health data of any kind, be aware of the regulations enforced by the FTC. This also goes for any startup that uses influencer marketing or has online reviews. I've previously shared how to stay off the FTC's naughty list in this article, which you'll want to check out.

Centers for Medicare & Medicaid Services (CMS)

Also a part of HHS, CMS oversees health coverage to more than 160 million Americans through Medicare, Medicaid, the Children's Health Insurance Program (CHIP), and the Health Insurance Marketplace. CMS is primarily involved in health plan administration, helping set standards for healthcare providers and those managing health data, payment models, quality measurement, and issuing rules and regulations that pertain to the healthcare industry. Unlike the FTC, which has a mandate to protect consumers and promote competition primarily through the enforcement of consumer protection laws, CMS’s primary role is more aligned with setting standards for healthcare provision and managing large-scale healthcare programs.

Regulations enforced:

  • Meaningful Use

  • Healthcare interoperability standards

  • Administrative Simplification provisions of HIPAA

  • Medicare regulations

  • Medicaid regulations

  • Quality reporting

Startups that should take note:

If your startup is developing a product or service that may be eligible for reimbursement under Medicare or Medicaid, CMS is your go-to agency. Familiarize yourself with their Innovation Center, which may provide opportunities for your startup’s solutions to be reimbursed.

Other

More regulatory resources

In digital health, where data reigns supreme and trust is paramount, you’ll want to ensure your startup doesn’t get the unwanted attention of a government regulatory agency. Here are some helpful resources as you figure out your regulatory strategy:
