Legal Health Check for Healthcare IT Organizations

For companies developing healthcare IT solutions, the pace of change is rapid and the pressure to innovate intense. At the same time, when selling software or hardware systems to healthcare providers or to other customers in a healthcare environment, the range of legal issues is complex. The healthcare IT organization may also be responsible for compliance with a range of federal and state statutes and regulations, and government regulators are increasingly active in all spheres of healthcare. In our experience, timely attention to key areas can make a difference in preventing legal problems from impeding innovation. Here are some key areas warranting a regular checkup and discussion with your legal counsel:

1. Keeping Data Secure
With the variety and number of data streams being generated by providers, patients and others increasing exponentially, the importance of securing it does, too. Has your organization completed a security risk assessment? Does it have a security plan in place, including regular training and system audits? Are the appropriate security and non-disclosure agreements in place with any business partners who might be handling your data or your customer’s data to ensure responsibility and accountability? A security program should balance the legal requirements with the specific operational needs and risks of the company as well as the scope and complexity of the business.

2. Data Breach/Disaster Recovery
The question the healthcare IT organization needs to ask is not whether a data breach will occur, but whether it is prepared to appropriately respond when it does occur. Have employees been trained to recognize a breach (or likely breach) and to respond appropriately? Do contracts clearly allocate responsibility and seek to mitigate risk to the largest extent possible? Do the right people in the organization understand the potential notification requirements for a breach, including what constitutes a breach, when notification is triggered, the specific timeframes and content of notifications, and the special requirements that are implicated when a breach involves protected health information (PHI)?

3. Privacy/HIPAA Compliance/GDPR Compliance
Many healthcare IT organizations are part of a data supply chain that includes PHI and other personal data about consumers or patients. That personal data must be handled with care and in compliance with federal and state regulations, and violations can be very costly and have other serious repercussions for the organization. Does your company have appropriate business associate agreements in place with all downstream business associates in the healthcare data supply chain? Have you analyzed privacy provisions applicable in each of the jurisdictions in which your company will be doing business? If your organization does business abroad or handles personal data from abroad, your organization also may be subject to foreign privacy and data security requirements. The European Union, for example, is implementing a new General Data Protection Regulation (GDPR). Compliance with the GDPR, which includes many new requirements, is required by May 25, 2018. Has your organization assessed whether it has obligations under GDPR or other international privacy laws?

4. FDA Compliance
For manufacturers of devices with health IT functions and mobile medical application developers, how is your product classified and regulated, if at all, by the Food and Drug Administration (FDA)? Is your product required to go through an FDA clearance or approval process? What disclosure is required, and what requirements exist for company labeling and advertising? Fear of or uncertainty about regulation should not stifle your company’s innovation, but the possibility of government oversight should not be ignored.

5. Intellectual Property
Is the company thinking long-term about its intellectual property strategy, including how to best protect the innovation it has created from use by competitors? Are trade secrets properly secured and the subject of reasonable security measures? Should you consider patent or copyright protection, or trademark registration for your company’s logo or other branding? Do you have the appropriate non-disclosure, confidentiality, and invention assignment agreements with employees involved in developing or handling confidential information? What legal action plan has the company developed to prevent critical technology from “walking out the door” with key employee departures, and to deal with such a scenario if it occurs?

6. Planning for Growth Capital Financing or Acquisition
The current healthcare technology environment is characterized both by rapid growth and consolidation. Whether your company’s growth path is through venture capital, private equity, acquisitions or combinations with a larger strategic or financial platform enterprise, it is essential to be in a position to optimize the results of such a transaction. Is your company ready, from a legal, financial and operational standpoint, to pursue a strategic transaction? Has the company’s
ownership structure, including share or membership rights and equity options, been optimized and properly documented? Does the management of your company have a realistic sense of its valuation?

7. Contract Risk Mitigation
What are the key contractual provisions to include in agreements with the healthcare providers your organization serves? If you are implementing systems that need to interact with legacy systems or other solutions, how do you protect against problems with interoperability with those other systems? If there are data quality problems that were unforeseen and outside of your control, how is your company protected? What insurance policies may be available or can be negotiated to address risks like data breach that are more common in healthcare IT? Which provisions, for example, terms of indemnification or limitation of liability, are most important to negotiate?

8. Responding to Governmental Investigations
Is your company prepared to respond to a subpoena or other formal request for information in connection with a governmental investigation? Does your company have a comprehensive response plan in place to be ready in the event a governmental investigation is launched? Are you ready to manage the external and internal communication/crisis management issues that may arise?

To review the entire document and formatting for this alert, please access the original below: