GDPR – The EU Law that Affects US Health Tech

When should American Health Tech companies conform to non–US laws?

When your business collects data from individuals outside of the US: In the case of the General Data Protection Regulation (GDPR), which has protected European citizens since 2018, US companies must comply with GDPR if they potentially collect and store personal information about citizens in Europe. The penalties are hefty, especially since fines are multiplied for each individual affected.

When business partnerships are affected by international legal principles: In the health care sector, lucrative and long-term business partnerships depend on being intentional about how data is collected, stored, and shared. Data interoperability, coupled with appropriate data protection, will be the foundation for successful business development conversations, especially when scaling beyond regional deals.

When similar laws are on the horizon in the US: The recently proposed update to HIPAA, along with multiple GDPR-type laws at the state level, is a strong indication that the US is moving toward federal data protection laws that mirror Europe’s GDPR.

GDPR-type laws stress “privacy by design,” a concept requiring businesses to be intentional about the data they collect, the method of collection, and the security of its storage. Intentionality, especially around regulatory alignment, is a principle that could save the Health Tech industry billions each year, as opposed to being reactive and retrofitting everything a few years down the line.

At its core, GDPR bestows eight basic rights on European citizens, which in turn create obligations for the businesses they interact with:

  • Right to access
    Individual right: Individuals have the right to request access to their personal data and to ask how the business uses their data after it has been gathered.
    Business obligation: The business must provide a copy of the personal data free of charge (and in electronic format, if requested).

  • Right to be forgotten
    Individual right: Individuals have the right to withdraw their consent for a business to use their personal data.
    Business obligation: The business must delete all of the individual’s personal data.

  • Right to data portability
    Individual right: Individuals have the right to transfer their data from one service provider to another.
    Business obligation: The business must provide the data in a commonly used and machine-readable format.

  • Right to be informed
    Individual right: Individuals have the right to know if their data is going to be gathered and what data will be gathered, as well as a default right to opt in.
    Business obligation: The business must obtain explicit and freely given opt-in consent from the individual prior to data collection.

  • Right to have information corrected
    Individual right: Individuals have the right to have their data updated if it is out of date, incomplete, or incorrect.
    Business obligation: If an individual requests such an update, the business must comply.

  • Right to restrict processing
    Individual right: Individuals can request that their data not be used for processing.
    Business obligation: The business can collect and store the individual’s data, but cannot use it for other purposes.

  • Right to object
    Individual right: Individuals have the right to stop the processing of their data for direct marketing.
    Business obligation: The business must make this right clear to individuals in all communications and must stop processing the individual’s data as soon as the request is received.

  • Right to be notified
    Individual right: Individuals have the right to be informed if there has been a data breach that compromises their personal data.
    Business obligation: The business must provide this notice within 72 hours of first becoming aware of the breach.

Have questions about what all this means for your specific health tech business and consumers? Reach out to us — we’d love to help!


HIPAA is Changing – Good News for Health Tech

HIPAA has been a brick wall for data access for health companies. Legitimate? Yes, we always want to protect health data. But we also want to use the data to improve care at the request of the patient. In December 2020, the federal government proposed several updates to HIPAA to encourage better data sharing between health care providers and health tech companies that “empower patients, improve coordinated care, and reduce regulatory burdens.” Here are the quick takeaways:

  • We have to start with a reminder that any updates to HIPAA will require your company to revise its policies and legal language, including your Notices of Privacy Practices, relevant operational processes, and affected Business Associate Agreements. Don’t forget to retrain your staff too!
  • Once these administrative tasks are out of the way, treatment providers will no longer have to obtain signatures from patients acknowledging they have been provided a copy of the provider’s Notice of Privacy Practices. They will have more freedom to disclose and discuss PHI with your company to improve patient care coordination and health outcomes.
  • If you provide auxiliary support, or support community-based organizations offering auxiliary support to patients (such as transportation, food, or housing services that improve health outcomes), the requirements around data sharing with health care providers may be incrementally removed through the modernized HIPAA, Interoperability, and Information Blocking rules.
  • Keep in mind that this is a proposed rule released under the Trump Administration. However, with the ONC Information Blocking Rule going into effect this spring, Biden’s team will have to remedy data access policy discrepancies quickly. So look out for a possible final rule in 2021.

In 2018, the EU implemented a law called the General Data Protection Regulation (GDPR) that protects all data collected on a person. The reality of increased care coordination efforts and payment programs beyond the provider space will likely accelerate us toward needing a national-level GDPR-type law to cover health data appropriately – stay tuned for more from Elevation on this topic!


Top Regulatory Changes for the 2021 Health Tech Landscape

As health tech companies solidify their budgets and agendas amidst the continued pandemic, they should consider these prominent health regulatory changes expected in 2021:

  1. HIPAA is getting a major update. The federal government released a HIPAA proposed rule allowing individuals to obtain their records from electronic health systems for free and electronically share their data across their providers. This is good news for ensuring more coordinated care. However, for providers and companies supporting providers, this will likely require major revisions of current HIPAA policy statements and partnership contracts.

  2. Health data will need to be shared in an interoperable way. Enforcement of the federal government’s twin 2020 regulations on data interoperability and information blocking begins early in 2021. This means that if you are a provider, an entity supporting providers, or a company collecting and sharing health data, you will need to make sure your data platform design and business practices adhere to the data, privacy, and sharing requirements.

  3. Telehealth and remote patient monitoring are here to stay…but say goodbye to certain provisions. During this global pandemic, the government, as our nation’s biggest insurer, agreed for the first time to pay for many health services to be provided remotely. This new remote-type care has been hailed a success by all involved – individuals, providers, and payers. However, as people get vaccinated and begin venturing out again, certain services that are more effective in person will no longer be covered when delivered remotely.

  4. Value-based care payments may leap forward. The newly minted Democratic Congress and Biden in the White House may mean a push to advance Biden’s agenda to expand insurance access for individuals. Cost and transparency will be front and center. Health tech companies providing insight into improving care while decreasing health care spending will be key players.

In the coming weeks, we’ll be providing deeper insights on these topics to help health tech companies navigate 2021.


EHR Integration for Virtual Care (Part 1) – Basic Lingo

Many virtual care platforms claim to be EHR integrated. But often there are many versions of this truth. As many provider groups are currently looking for telehealth solutions that are EHR integrated, we wanted to provide some clarity around the fundamental elements that define EHR integration.

First, keep in mind that integrating with a single EHR system requires a combination of business agreements and technical capabilities. The owner of the EHR system, the EHR vendor, and the connecting application must all agree on what data is accessed, when, how, and by whom. This is a cumbersome business partnership process, and repeating it for the plethora of EHR solutions is not realistic. As a result, it is important to ask “what EHRs are you currently integrated with?” because a single virtual care platform certainly will not be integrated with all EHR systems.

Next, it’s important to understand the nature of the integration. Not all integrations are created equal. A basic level of integration can simply be an EHR data scrape from the previous day that is sent to the virtual care system. This may be limiting for providers seeing more acute patients who need more frequent management. The alternative is real-time data access, where data entered on either side is available to the other as it is entered. Terms like “future release” and “on our roadmap” are not guarantees, and depending on the relationship with the EHR vendor, application providers may have limited control over the data. References from other customers who are similar in size and specialty, describing their user experience, are important to review.

Last, the direction of the data flow between the application and the EHR system is another important factor defining the extent of EHR integration. Here are the three types and how each may affect a physician’s workflow:

  • Uni-directional: Here data flows from the application to the EHR as directed by the EHR vendor and must be verified by the EHR vendor before becoming part of the record. This may cause delays in data access for providers needing data more quickly.

  • Bi-directional: Here the virtual care system and the EHR communicate in a way that allows providers to interact with a single system without duplicating data entry. This helps with faster diagnosis and fewer prescribing errors. However, this option is technically more cumbersome to maintain and may cost more.

  • API-based: Here data flows much as it does for a website, with requests made as needed and no permanent connections. It has the benefits of bi-directional data flow with easier sign-on and maintenance, which means lower cost. API-based solutions are new but are becoming more standard, especially after the new data interoperability laws passed earlier this year. Look for FHIR-based API solutions, as they are becoming the standard in the healthcare industry.

The key to integration is to make the solution as frictionless for the provider to use as seeing a typical patient in person. The richer the integration, the more likely providers are to use it. At the same time, we should not let perfection prevent progress; start with a pragmatic approach to ensure that the solution will receive buy-in.

Our next blog will discuss EHR integration further by highlighting the top workflow areas where EHR integration is key. Stay tuned!


Virtual Care: A Physician’s Wish List

Today, leadership at the US Centers for Medicare & Medicaid Services (CMS) stated that use of virtual care is here to stay. Almost all providers who would entertain virtual health delivery in response to the COVID pandemic have signed onto “a” system at this point. However, one of the big questions at play is whether providers will stick to their current systems or jump ship to another platform once they have had their initial experiences with these telehealth and remote patient monitoring platforms.

Physicians in all fields of care have a number of primary concerns that need to be addressed as virtual patient care becomes standardized in today’s healthcare environment. Virtual care solution companies must work together with healthcare providers, understand their needs and create platforms that make sense for current care delivery environments.


  • Reimbursement: Reimbursement is an important concern to healthcare providers and key to remaining competitive. To meet the current and future demands of their patients for virtual care, they need the ability to operate while adhering to current and emerging regulations for reimbursement, especially in the coming months. Criteria for billing options within those platforms must be approved and cleared by regulatory bodies, such as the FDA, under the evolving environment for virtual health.

  • Robustness: Virtual care systems must be robust enough to absorb increased patient load in terms of bandwidth, data exchange, and scheduling capabilities. Such a platform must also be able to scale across a physician’s practice with all of its patients and allow for practice growth.

  • Training and Support: Virtual care product companies must provide adequate training and support for their clients. Getting up and running, availability of technical support for any issues that arise, and help with HIPAA compliance are at the top of that list.

  • EHR Integration: EHR integration, along with e-prescribing and remote patient monitoring capabilities, also needs to be part of the virtual care platform. Well-integrated systems will eliminate the need for dual documentation (EHR record and virtual platform), improve workflows, and provide the ability to document in different contexts and specialties.

We will keep you posted on regulatory and platform developments. In our next blog, we’ll take a closer look at EHR integration. Stay tuned.


A Patient’s View of Successful Virtual Care

Medical providers who offer and promote virtual health for their patients can differentiate themselves as leaders during this time when practice volume is largely down across the board. Virtual care done right creates new revenue streams and opportunities for improved health outcomes that will live beyond the pandemic.

In this second post of a series on virtual care, we look at the top five things patients care about most in their virtual visit experience. Providers should choose virtual care modalities, and tech developers should design virtual care systems, that help achieve these patient goals.

Top five things patients care about:

1. Ease of scheduling. The ability to schedule a visit easily, with confirmation, via phone call, patient portal, or a virtual care app.

2. Avoiding long wait times. While virtual care is in most cases more convenient than having to travel to a physician’s office and waiting there, wait time is still wait time. One of the advantages of scheduling virtual care is, frankly, the ability to wait while in the comfort of one’s home. That being said, no one wants to wait forever. Time commitments for individuals now working from home are also a challenge.

3. Clear communication. Patients appreciate eye contact with their physicians. Therefore, a clear picture and adequate sound make for a successful virtual visit. This kind of communication relies on good data integration and encourages trust from the patient.

4. Accessibility to patient records. Patients want their healthcare providers to make their medical records easily accessible. This goes both ways. The physician’s ability to immediately access a patient’s medical record while on the call ensures quality and continuity of care.

5. Data interoperability. Requirements regarding data interoperability must adhere to HHS rules on patient access to data. Patients want to receive a discharge summary capturing the visit. The visit record should be correctable if necessary. This also requires the ability of the patient to notify the doctor if any information is erroneous.

Our next blog will focus on aspects of virtual health systems and services that are important to healthcare providers. Stay tuned.


Preparing for the Permanency of Virtual Care

Since the COVID-19 shelter-in-place orders were announced across the US in March, the use of virtual care technologies for patient visits within ambulatory clinics has increased from under 10% to over 70%. During the first weeks of March, providers scrambled to find any virtual care technology that would help keep their “doors” open to their patients. Problems with bandwidth, reliability, and the unknown length of this pandemic have had practices backtrack, looking for better virtual care platforms. Regulators and payers have met the provider community with sweeping changes to virtual care policies, especially related to reimbursement. We now teeter between extended shutdown orders and the possible reopening of various states.

In these uncertain times, providers and the technology companies supporting virtual care delivery can count on the following:

  • This period of emergency will end, and so will the current landscape of relaxed virtual care regulations.

  • Individuals have now realized the convenience and common sense behind seeing their providers virtually and avoiding unnecessary exposure.

  • This pandemic has provided a window for regulators and payers to see the efficacy and demand for virtual care.

Finding the “new normal”

When the current crisis is over, providers will likely see an increased demand for virtual services. They will want platforms that are affordable, seamless with their workflows, and compliant with regulatory criteria. What worked effectively during the current crisis might not work in the future. The need to adapt will drive the US to permanent and expanded virtual care regulations.

A successful path forward, as virtual care regulations move toward permanency, requires assessing short- and long-term strategies that focus on reimbursement challenges, legal issues, and regulatory oversight.

In the next months, we will begin a blog series looking at topics such as:

  • Technologies needed to effectively practice virtual care;

  • Designing successful virtual care visits for providers and patients;

  • Building trust around PHI data used during virtual care scenarios;

  • How integration with electronic health records (EHRs) affects the virtual care experience;

  • Incorporating the art of reimbursement cycle management to maximize virtual care revenue;

  • Practicing virtual care in the fee-for-service versus a value-based care ecosystem.

Check back in with us next week as we tackle these important considerations when it comes to the “new normal” of virtual healthcare delivery.


Health IT Company to Pay $145 Million for Violating Federal Law

Last week, Practice Fusion, an electronic health records (EHR) company, was fined $145 million for setting up a business arrangement that violated the federal Anti-Kickback Statute. This law prohibits anyone from offering, soliciting, paying, or receiving anything of value in order to induce referrals or generate federal healthcare business. Practice Fusion designed its technology to alert providers to the opportunity of prescribing extended-release opioids (EROs), a drug for which its pharmaceutical company partner had a majority market share. This illegal arrangement generated less than $1 million, which the EHR company was forced to forfeit in addition to the fine.

What does this mean for health IT companies?

  • This is the first time criminal penalties have been sought against a health IT company for an anti-kickback violation. This ruling opens the door for health IT vendors to be prosecuted for perverse business models that encourage health care delivery practices beneficial to the company and not the patient.

  • The US government is sending a clear message that gambling on violating federal law for financial gain should never be an option.

Best practices to follow:

  • ALWAYS work with regulatory experts to understand whether your business model or product design violates federal or state statutes. Several new federal laws affecting health IT and health data will be released this year, and the federal government is already gearing up to prosecute violators.

  • ALWAYS create health technology that enables providers to offer evidence-based care, meaning care practices that are backed by medical science.

  • ALWAYS create health technology that ultimately benefits patients by improving their outcomes.


Understand RCM to succeed in the RPM market

Remote patient monitoring (RPM) devices – fitness watches, blood pressure monitors, cardiac monitors – are growing in popularity as a way to gather and correlate data outside of a traditional clinical setting and share up-to-the-minute data with care providers. However, health tech entrepreneurs and developers must understand the revenue cycle management (RCM) aspects of the telehealth and RPM market and stay up to date on regulatory guidelines to ensure profitability. Some basics:

  1. Medicare requires reimbursable telehealth technology to have an interactive audio-video component.

  2. Telehealth technologies must be used in designated sites called “originating sites” – often not the home.

  3. RPM is defined differently from telehealth by Medicare. Medicare pays for RPM services with no additional requirements regarding originating sites or use of the telehealth place of service codes. This allows for patients to receive RPM services in their home.

  4. Because of the complications in using CPT code 99091, the Centers for Medicare & Medicaid Services (CMS) introduced three new codes for RPM services in 2019 – codes 99453, 99454, and 99457.

  5. For telehealth (not RPM), the American Medical Association released six new CPT codes to support virtual visits. Watch for additional CPT codes coming in 2020 for telehealth and RPM.

Successful reimbursement-based revenue depends on complex billing mechanisms beyond the CPT codes. State-based laws can also affect telehealth and RPM billing. Know how federal and state entities define, fund, and regulate healthcare delivery options when it comes to remote care. Work with RCM experts to determine if your RPM-based care delivery model can generate adequate revenue using these codes.


2020: Draft Health Data Regulations Become Final

2020 looks to be a landmark year for finalized regulations dictating how health data can be exchanged. Health technology entrepreneurs must understand the regulatory landscape of how care can profitably be delivered. Your clients – hospitals, provider groups, payers, and patients – will be affected by these finalized regulations. Gone are the days when hospitals and providers were simply concerned with the mandatory collection of certain data points to recoup investments in electronic health record systems through government incentives.

Health providers in the post-Meaningful Use era are focused on how to efficiently leverage health data to improve health outcomes and maximize value-based reimbursement payments. Time is money, and providers need health data technology that provides actionable data, strengthens the provider-patient relationship, and personalizes the ever-shortening clinical visit window.

Moving forward, health data applications will thrive or die based on their ability to access, exchange, and analyze health data from multiple sources, providing comprehensive and relevant views of an individual’s health story. In a highly regulated market such as health care, it would be remiss not to fully understand how this year’s finalized health regulations will affect you or your clients. Some important regulations to follow:

In the New Year, Elevation will be blogging on regulatory provisions, governmental resources, related business opportunities, red flags, stakeholder sentiments and implementation best practices. Stay tuned.