Federal Regulation of EHealth
Interest Group Substantive CLE Program: EHealth and Privacy
Health care entities are generally well aware of the regulatory authority of the Department of Health and Human Services (HHS) and the Health Care Financing Administration. EHealth ventures, including online pharmacies, Internet companies providing health-related information, providers with web sites, and online vendors of medical supplies, must also be aware, however, of the numerous other federal regulatory bodies that can have an impact on their business. This paper discusses the authority of the Food and Drug Administration (FDA), the Federal Communications Commission (FCC), the Securities and Exchange Commission (SEC), the Federal Trade Commission (FTC), and the Department of Justice (DOJ) to regulate various aspects of eHealth. It also examines recent legislation dealing with e-Commerce.
- Food and Drug Administration.
- The FDA and EHealth.
The FDA has primary jurisdiction over the advertising and promotion of prescription drugs and medical devices.1 The FDA also regulates the labeling of medical devices and prescription and over-the-counter drugs.2 In the year 2000, the FDA issued 15 reprimands to medical device manufacturers that posted distorted claims on their web sites.3 Sites selling prescription drugs must comply with the Food, Drug and Cosmetic Act,4 as well as state laws governing pharmacy licensure. As of March 27, 2000, the FDA had initiated 80 investigations into various types of health fraud or unapproved drug products.5 For example, the FDA’s Office of Criminal Investigation, working in conjunction with the U.S. Postal Inspection Service, worked to develop a case against a man who eventually pled guilty to selling unapproved oral HIV tests over the Internet.6
- FDA and Telemedicine.
The FDA’s Center for Devices and Radiological Health (the "Center") is charged with ensuring the effectiveness and safety of medical devices used in telemedicine.7 The Center performs several functions with respect to medical devices. For example, the Center conducts premarket reviews of medical devices used in telemedicine systems.8 The system for the regulation of medical devices used on humans was established by The Medical Device Amendments of 19769 and the Safe Medical Device Amendments of 1990. Section 513 of the Medical Device Amendments of 197610 established three classes of devices: class I (general controls), class II (special controls), and class III (pre-market approval).11 A device that was not distributed commercially prior to May 28, 1976, and is not substantially equivalent to a legally marketed device, automatically requires pre-market approval.12
The Center conducts post-market surveillance through its Office of Surveillance and Biometrics (OSB). The OSB conducts an annual review of over 100,000 device-related adverse event reports and oversees post-market studies. There have been very few adverse incident reports relating to telemedicine to date.13 The FDA believes that this is due, in part, to the fact that many manufacturers of telemedicine systems have considered their products exempt from FDA regulation, and there is a lack of awareness regarding FDA reporting systems.14 The Center oversees quality systems and design controls for medical devices, and takes the position that good manufacturing practices "represent one of the best approaches toward the assurance of telemedicine design safety and effectiveness."15 The Center also develops standards for devices, practices, and nomenclature "which provide the necessary environment for telemedicine systems to flourish."16 Additionally, the Center conducts telemedicine research designed to develop methods to evaluate the performance of components of telemedicine systems.17
- Federal Communications Commission.
The FCC has been involved in the promotion of telehealth, or the provision of medical care over a distance via the use of electronic communications. The FCC’s Advisory Committee on Telecommunications and Health Care has taken the position that telemedicine holds significant promise to increase the availability of health services.18 The Telecommunications Act of 1997, and subsequent FCC Orders, resulted in $400 million in telecommunications discounts for rural health facilities.19
The FCC has established a Rural Health Care Program designed to provide reduced rates to rural, nonprofit health care providers for telecommunications services related to telemedicine.20 Through the Rural Health Care Program, qualified health care providers may obtain assistance with limited long distance charges for accessing the Internet, and for telecommunications services used for the provision of health care.21 In November of 1999, the FCC took steps to improve the Rural Health Care Program by making it easier for providers to apply for assistance.22
- Securities and Exchange Commission.
The SEC has published guidelines for companies within its jurisdiction that have web sites. The guidelines apply to public companies, investment companies and municipal securities issuers that have an online presence. 23 The SEC issued its guidance, in part, out of concern for "the potential for electronic media, as instruments of inexpensive, mass communication, to be used to defraud the investing public."24 The SEC has stated that web site content is subject to the federal securities laws in the same manner that the laws apply to any other statements made by or attributable to the company. 25 If a company issuing securities makes statements that "reasonably can be expected to reach investors or the securities markets regardless of the medium through which the statements are made, including the Internet," that company must ensure that its statements are accurate.26
Notably, both the SEC and investors may hold companies liable for third-party information connected to their web pages through a hyperlink.27 Third-party information is attributable to a company if the company either: (1) involves itself in the preparation of information (the "entanglement theory"); or (2) explicitly or implicitly endorses or approves the information (the "adoption theory").28 The entanglement theory involves some degree of pre-publication involvement in the creation of the information, while the adoption theory involves endorsement or approval of existing third-party information.
There is no "bright line" test to determine whether a company can be held liable under the securities laws for hyperlinked information. The SEC has stated, however, that there are three non-exclusive factors that may help predict liability under the adoption theory.29 The first factor involves the context of the hyperlink and whether it appears to endorse the third-party information. The SEC gives as an example of endorsement of third-party information a statement accompanying a hyperlink that says, "XYZ’s web site contains the best description of our business that is currently available."30 A second factor is the risk of investor confusion due to the lack of any warnings or disclaimers indicating that the investor is leaving the company’s web site and linking to a third-party web site. Hyperlinked information on a third party’s web site may be "less likely" to be attributed to a company if the visitor to the company’s web site, when leaving the site, is presented with an intermediate screen that prominently and clearly states that the visitor is leaving the original web site and the information viewed subsequently does not belong to the company. 31 A third factor considers how the hyperlink is presented on the web page. For example, a company may be viewed as adopting a third party’s statements if the hyperlink to those statements is displayed more prominently on a web page than other links.32 In view of these concerns, any company issuing securities to investors should examine the SEC’s guidance and exercise caution when posting hyperlinks on its web site.
- Federal Trade Commission.
- FTC’s health-related jurisdiction.
The Federal Trade Commission (FTC) is largely responsible for the investigation of fraudulent web sites under the Deceptive and Unfair Trade Practices Act.33 The FTC is charged with preventing unfair and deceptive acts or practices that affect commerce.34 With respect to health care marketing, the FTC’s goals include:
- helping consumers find truthful and accurate information about products and services;
- assisting consumers in distinguishing legitimate health products and services from health scams; and
- protecting vulnerable consumers from injury.35
The FTC exercises jurisdiction over medical device advertising and over-the-counter drugs, including dietary supplements.36 In October of 2000, the FTC announced "Operation Top Ten Dot Cons," a joint effort with consumer protection agencies in eight nations to share information and coordinate to combat the "top 10 online scams," including health care fraud.37
Over the past two years, the FTC, through its initiative entitled Operation Cure.all, has targeted 800 web sites posting "questionable" health-related claims.38 In 1997 and 1998, the FTC conducted two "Health Claim Surf Days," which identified the 800 web sites targeted by Operation Cure.all. These web sites contained potentially false or unsubstantiated claims regarding things such as purported cures for heart disease, cancer, and AIDS.39 After receiving an e-mail from the FTC stating that their claims required scientific substantiation and that disseminating unsubstantiated or false claims violates federal law, 28 percent of the sites had either removed their claims or had taken down the web pages altogether.40
- FTC and privacy.
Until recently, there were no federal regulations mandating specific measures to protect online privacy, although online companies had to abide by their own privacy policies or risk enforcement actions by the FTC for deceptive practices. 41 In April of 2000, the FTC published privacy regulations implementing the Children’s Online Privacy Protection Act (COPPA).42 The following month, the FTC issued proposed regulations under the Financial Services Modernization Act of 1999.43 Both sets of regulations reflect four basic standards regarding online privacy: notice, choice, access and security.44 For example, the COPPA regulations state that a web site home page must have a clear and prominent link to a description of its privacy and information practices.45 The web site must also give parents the choice of whether to consent to the collection of identifiable information from a child, and the ability to access, review, and delete specific information that has been collected about the child.46 The Financial Services Modernization Act rules require that consumers: (1) be provided with clear and conspicuous notice as to what personal information is being collected about them; (2) receive information regarding the conditions under which the financial institution will disclose nonpublic information to third parties; (3) have the opportunity to actively acknowledge the policy through the click of a button or some other mechanism; and (4) be provided with a reasonable opportunity to decline to have their information shared with third parties. 47
The FTC has been involved in enforcing the privacy policies of individual online companies. For example, the FTC, along with the attorneys general of 42 states, sued a defunct online toy store, Toysmart.com, that bought an advertisement in the Wall Street Journal offering to sell its customer database.48 The FTC sued because Toysmart had a stated policy that it would not share the information with third parties.49 The FTC recently accepted a settlement whereby a Walt Disney Company Internet subsidiary will pay Toysmart, which is majority-owned by Disney, $50,000, and, in exchange, Toysmart will destroy the records.50
- Online pharmacies.
Mail order pharmacies have been around for years, and there are now numerous web sites where consumers can log on and get prescriptions filled. Some of these sites, however, are attempting to fill prescriptions without proper licenses, or are actually prescribing drugs to patients. In May of 2000, the Pennsylvania Attorney General charged three online pharmacies and their executives with violating state licensing and consumer protection laws for selling prescription drugs over the Internet without a license.51 As discussed above, the FDA regulates prescription drugs. The FTC has the power to initiate civil actions against online drug companies that make false or misleading claims about the drugs they offer.52
- Department of Justice.
One of the DOJ’s "highest priorities" is combating fraud and white-collar crimes targeting taxpayer-funded health care programs. 53 The DOJ’s funding for health care fraud enforcement is increasing significantly. 54 The DOJ works with the FTC and other federal agencies to ensure "aggressive enforcement of federal laws designed to protect individual privacy." 55
In December of 1998, Attorney General Janet Reno created the Department of Justice’s Privacy Council, chaired by the DOJ’s Chief Privacy Officer.56 The Council serves as a clearinghouse for legislative, regulatory, and policy initiatives related to privacy.57 The Council also advises DOJ officials on privacy matters, and provides a forum for exchanging information about important developments relating to privacy.58 The Council is charged with considering a wide range of privacy issues, including:
- what affirmative steps, if any, should the [DOJ] take to protect privacy, including the adequacy of current efforts to enforce federal laws protecting individual privacy and the need for additional legal authority;
- how new technologies accommodate law enforcement effectiveness with privacy interests;
- how the [DOJ’s] workplace policies can ensure an appropriate accommodation between employee privacy and the law enforcement and management needs of the Department;
- how the use of public records, and the sharing of information by law enforcement to further the [DOJ’s] law enforcement and public safety responsibilities can be harmonized with the need to protect the privacy of citizens;
- whether the [DOJ’s] international efforts are appropriately focused on privacy issues, especially in light of the recent European Union’s directive on privacy and new European privacy laws; and
- how the [DOJ] can ensure adequate coordination and communication with state, local and tribal law enforcement agencies on privacy issues. 59
- Federal legislation.
The Electronic Signatures in Global and National Commerce Act (E-SIGN) 60 became effective on October 1, 2000. E-SIGN provides that electronic signatures in interstate commerce may not be denied legal validity merely because the signatures are in electronic form. E-SIGN defines "electronic signature" as "an electronic sound, symbol, or process attached to or logically associated with a contract or other record and executed or adopted by a person with intent to sign the record." E-SIGN does not address the types of authentication procedures that will be sufficient to verify an electronic signature.
E-SIGN includes special provisions dealing with consumer protection. If a particular transaction would require a written agreement or acknowledgement in a non-electronic setting, E-SIGN requires that consumers affirmatively consent to participating in the electronic transaction. Furthermore, consumers must be provided with clear and conspicuous disclosures regarding the following:
- The consumer’s right to obtain a paper copy of the record or agreement;
- The right to withdraw consent to participate in the transaction electronically and the process involved in withdrawing consent;
- The specific electronic transactions and records to which the customer’s consent applies;
- The hardware and software that will be necessary to open, read, and retain the agreements or records that are executed or maintained electronically; and
- How, after the consent, the consumer may, upon request, obtain a hard copy of the electronic record, and whether any fee will be charged for the copy.
After the consumer consents to the electronic transaction, the person providing the electronic record must inform the consumer regarding any change in hardware or software requirements needed to access the record that was the subject of the consent.
E-SIGN provides that state law may modify, limit, or supersede the provisions of E-SIGN under certain circumstances. For example, state law supersedes E-SIGN if the state has adopted the Uniform Electronic Transactions Act (UETA). UETA and E-SIGN contain similar provisions with respect to electronic transactions, although E-SIGN does not specifically state that an electronic record or electronic signature satisfies a law requiring a record or signature to be in writing.
UETA applies to electronic records and electronic signatures. The act defines "electronic signature" as an "electronic sound, symbol, or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record." 61 An "electronic record" is "a record created, generated, sent, communicated, received, or stored by electronic means." Transactions subject to UETA are also subject to other applicable provisions of substantive laws. The parties to a transaction subject to UETA must agree to conduct the transaction electronically.
UETA provides that a record or signature may not be denied legal enforceability solely because the record or signature is in electronic form. Contracts may not be denied legal effect solely because an electronic record was used in the formation of the contract. If a law requires a signature, or requires a record to be in writing, an electronic record or signature will satisfy such a provision.
The application of these electronic signature laws to the health care industry remains unclear. For example, because health care is primarily local, there is a debate about whether health care transactions affect interstate commerce, which is a prerequisite in determining E-SIGN’s applicability. 62 Also, a question arises regarding whether a certain health care interaction is a "transaction" under the law, and whether a patient is a "consumer."63
On September 25, 2000, the President’s Office of Management and Budget ("OMB") issued a memorandum directed to the heads of departments and agencies in the federal government providing guidance on E-SIGN. 64 The memorandum states that E-SIGN supersedes many federal and state statutes requiring the use of paper records and ink signatures in consumer and commercial transactions. 65 OMB has instructed all federal agencies to begin to identify which of their regulations may be subject to E-SIGN and to determine whether it is necessary to issue guidance or set standards on the use of electronic records and signatures. 66 Record retention requirements imposed by federal and state laws will be subject to E-SIGN starting on March 1, 2001.67 If, on that date, an agency has announced, proposed or initiated rulemaking to set standards for electronic records, E-SIGN’s effective date as to that requirement will be moved back to June 1, 2001. 68
- Digital Millennium Copyright Act.
The Digital Millennium Copyright Act (DMCA) was enacted in 1998. Title II of the legislation limits the liability of online service providers for copyright infringement in certain situations.69 The DMCA requires, among other things, that Internet Service Providers (ISPs) register with the U.S. Copyright Office to qualify for protection against liability arising from infringing materials that a third party may route through the ISP’s servers.70 ISPs must appoint an agent to receive notices regarding copyright infringement, and that agent’s name and contact information must be displayed on the ISP’s web site.71
Federal regulatory bodies will play a paramount role in the development of the eHealth industry. The Department of Health and Human Services is just one of the numerous governmental entities that have policies that have an impact on eHealth. As discussed above, the FDA, FCC, SEC, FTC and DOJ all affect the operation of eHealth entities. Health companies doing business on the Internet must be aware of the activities of these regulatory bodies, and must also be aware of federal laws that result in frequent change to the regulatory landscape.
3. Marc Ballon, Medical Device Makers Scrutinized for Misleading Claims on Web Sites; Enforcement: The FDA is Reprimanding More Companies for Falsely Promoting Products on the Internet, Los Angeles Times, Dec. 13, 2000, at C1.
5. As of March 27, 2000, the FDA had initiated 80 investigations into various types of health fraud or unapproved drug products. See John T. Bentivoglio, Remarks at the Symposium on Healthcare, Internet and E-commerce: Legal, Regulatory, and Ethical Issues (March 27, 2000).
7. Melvyn Greberman, M.D., Center for Devices and Radiological Health, Food and Drug Administration, White Paper, Telemedicine Related Activities, July 11, 1996 (available at http://www.fda.gov/cdrh/telemed.html) (visited Jan. 15, 2001).
19. Id.; Congress also recently passed H.R. 5661, that increases Medicare reimbursement for telemedicine by, among other things, expanding eligible service areas to include all non-metropolitan counties and existing urban Medicare demonstration sites. The law takes effect October 1, 2001.
23. Use of Electronic Media (Interpretation; Solicitation of Comment), 65 Fed. Reg. 25843 (2000).
35. Richard Cleland, Senior Attorney, Division of Advertising Practices, Bureau of Consumer Protection, Federal Trade Commission, White Paper: The Promotion of Health Care Products and Services on the Internet: The Role of the Federal Trade Commission, Sept. 11, 2000.
37. Federal Trade Commission, Law Enforcers Target "Top 10" Online Scams; Consumer Protection Cops From 9 Countries, 5 U.S. Agencies, and 23 States Tackle Internet Fraud, Oct. 31, 2000 (available at http://www.ftc.gov/opa/2000/10/topten.htm) (visited 1/12/2001).
39. Federal Trade Commission, "Operation Cure.all" Targets Internet Health Fraud, FTC Law Enforcement and Consumer Education Campaign Focuses on Stopping the Quacks and Supplying Consumers with Quality Information, (June 24, 1999) (available at http://www.ftc.gov/opa/1999/9906/opcureall.htm) (visited Jan. 12, 2001).
53. See John T. Bentivoglio, Chief Privacy Officer for the Department of Justice, Remarks at the Symposium on Healthcare, Internet and E-commerce: Legal, Regulatory, and Ethical Issues (March 27, 2000) (transcript available online at www.cybercrime.gov/healthsp.htm).
55. John T. Bentivoglio, Statement Before the Subcommittee on Courts and Intellectual Property, Committee on the Judiciary, United States House of Representatives, Concerning Electronic Privacy Disclosure Practices (May 27, 1999).
64. Executive Office of the President, Office of Management and Budget, Memorandum for the Heads of Departments and Agencies, Subject: OMB Guidance on Implementing the Electronic Signatures in Global and National Commerce Act (Sept. 25, 2000).