Should Health IT Entrepreneurs Bother Knowing The Difference Between Legislation And Regulation?

Health Consulting

So you’re all about creating the best IT-based solution to disrupt healthcare. Whether you’re an entrepreneur with a brilliant idea or a programmer bringing an idea to life, the success of your efforts will have to be aligned with the regulatory landscape of health IT legislation and regulation, and most companies need help sooner than they think.

Paying close attention to legislation and regulation might seem unnecessary, but a healthy comprehension of the environment can truly define the success of your company. Your customers, whether health organizations, health providers, or patients and families, all have to function within these legislative and regulatory parameters to be reimbursed by health insurers (of which CMS is the largest) or gain access to valuable information. In addition, they have to comply with these laws to ensure that they can access pertinent data and not be in danger of non-compliance, i.e., fines or more. In order to prevent even the hint of impropriety, your customers will rely on you for the highest and clearest compliance. If your product or company fails to meet the requirements for data collection, exchange, and use, then not only could you fail to attract users, but you could be held legally responsible.

The regulatory world is a busy one, and not everything will be relevant to your business all the time. That said, being aware of crucial details in bills or regulations early in your business model formation or product design can keep you on the right track; unawareness can derail, even halt, your business once you begin to sell or scale. Knowing some basics will give you a solid foundation for knowing what to pay attention to, when and why it will impact your business, and how to get involved along the way.

Legislation versus Regulation, What’s the difference?


The first step the government takes to dictate how something should work (i.e., how health IT should function or be used, or how health data should be collected, exchanged, or used) is to pass a law. This process happens at both the federal and state levels. The U.S. Congress and each state have their own legislatures, where laws are introduced and voted on by members of the corresponding legislature. These are one area of early influence for you. Advocates and lobbyists educate legislators and their staff on issues and help craft possible language for the bill on your behalf, but more on that later in this series. A newly introduced bill often has a long road, sometimes years, before the possibility of becoming a law, and many factors go into how far a bill progresses. In D.C. we often colloquially ask if a bill “has legs”: does it have the potential to actually get passed and become a law? Getting passed means the bill received enough votes in both the representatives’ and senators’ chambers and was signed by the President (for federal laws) or by the state governor (at the state level).

Things to keep in mind:

  1. Just because a bill was introduced doesn’t mean it will become the law of the land. However, it can give a sense of current social and political sentiment and can give a lot of insight on potential obstacles.

  2. Often a bill on a single issue, regardless of how important, will not be passed unless it becomes part of a larger bill addressing many concerns. This means that when a larger bill is passed, it’s important to work with experts to understand the smaller subsections that might affect your business. This is one of the most pertinent examples of the phrase “the devil is in the details.”

  3. Even when a bill is passed, it often serves only as an outline of how an industry will need to function. Think “broad strokes.” The legislature usually points to a government agency to provide further details on how that law will be put into action. These action plans are what we call regulations. This means that there are limited items to enforce until the corresponding agency releases further instructions of do’s and don’ts in regulatory language.


Regulations, by any government agency, are not simply penned and released. A long, methodical, thoughtful process precedes any regulation’s release, which normally follows this order:

  1. A Notice of Proposed Rulemaking (NPRM) — This is where the government agency releases a draft rule, often after the agency holds multiple public hearings or workgroups to hear from stakeholders. An NPRM is not law, but can give you a clear idea of what the final law may look like. Any release of a draft government rule is usually accompanied by a public comment period, typically between sixty and ninety days, where the agency is looking for further comments from industry stakeholders on the feasibility and acceptability of the rule. This is another place you can get involved in shaping the regulatory landscape to advocate that the law represents your business needs and goals. We’ll cover more on this in part 2 of this series, “Why, how and when to get involved in the regulatory process.”

  2. A Final Rule — Once a final rule is released, it becomes the law of the land, until the agency decides to update the regulation. Some regulations are updated every year, such as CMS’ physician pay schedule. Others may not see an updated version for decades. Given the constantly evolving world of technology, most agencies that deal with health IT recognize the need for more frequent regulatory updates. The most important thing to note in any final rule is the enforcement date. Enforcement dates usually start downstream from when the final rule is released, allowing the industry time to become compliant before any fines or penalties come into effect.

Things to keep in mind:

  1. Public comments are actually read at least at a “batch level” by government officials. This means that government officials, often long-term employees, have a stake in seeing that rules can be successfully enforced with a positive impact on an industry. So they will at minimum survey how many stakeholders are either for or against a stance in the draft rule.

  2. Health IT laws are a combination of policies (how a health application should or should not be used) and technical specifications (how a health IT application should work, how it should be designed, or what minimum capabilities it should have). Both policies and technical specifications outlined in regulations can have an impact on your health IT or health IT-enabled business.

  3. Understanding whether you fall into the “business associate” or “third-party” definition with regard to your relationships with health providers will directly affect how regulations will affect your business and your revenue generation models.

  4. There are other levels of draft rules, government guidance, and regulatory communications that can be used. Working with regulatory experts, such as Elevation, will help you determine the impact of governmental requirements on your business models and product designs.


© 2020 Elevation Health Consulting. All Rights Reserved.