ensure adequate adherence without stifling cybersecurity innovation.
Although a framework could improve cybersecurity for the digital health
marketplace, no clear and comprehensive regulatory responsibility currently
exists. Overlapping administrative agency responsibilities among the FDA,
OCR, the ONC, and the FTC result in a lack of clear cybersecurity direction
and accountability for digital health providers.157 Within HHS, the OCR
monitors HIPAA compliance for CEs and BAs while the FDA evaluates
FDCA compliance for medical devices.158 Meanwhile, the ONC, also part of
HHS, creates high-level standards for cybersecurity and privacy and the FTC
establishes rules and holds organizations accountable for unfair or deceptive
trade practices under Section 5 of the FTC Act, increasingly for privacy and
cybersecurity concerns.159 Amid this mélange of guidance, no clear
stance has emerged that provides an adequate level of specificity, leaving organizations
with few options aside from inventing rules inconsistently and
Of these four regulatory bodies, the OCR and the FDA have mature
regulatory frameworks with specific health and medical device industry
157. David Raths, Digital Health Dilemma: Regulators Struggle to Keep Pace with
Health-Care Technology Innovation, GOV’T TECH. (Jan. 13, 2015), http://www.govtech.
158. See Part II.
159. See, e.g., Iltifat Husain, FTC, Not the FDA, Tells the Digital Health World They Need
Peer Reviewed Data to Back Up Their Claims, IMEDICALAPPS (Jan. 7, 2016), http://www.
imedicalapps.com/2016/01/ftc-fda-digital-health (describing the FTC’s role in ensuring that
claims are truthful and non-deceptive while also discussing the FTC’s growing role in
reviewing health products).
160. Jonah Comstock, Time to Reform HIPAA and FDA Regs for Digital Health Era?,
HEALTHCARE IT NEWS (July 13, 2016, 5:01 PM), http://www.healthcareitnews.com/
news/time-reform-hipaa-and-fda-regs-digital-health-era; Ed Miserta, mHealth Panel: Make
Progress, Not Excuses, CLINICAL LEADER (Aug. 30, 2016), http://www.clinicalleader.
161. See Part II. HIPAA and the FDCA are typically considered potential regulatory
frameworks for managing cybersecurity in the digital health marketplace due to their relatively
mature frameworks (HIPAA with its focus on PHI and the FDCA with its focus on medical
devices). Further, the OCR and the FDA have been enforcing HIPAA and the FDCA for,
respectively, 20 and 110 years. The OCR has significantly moved the needle toward increased
enforcement and activity for privacy and security. On the 20th anniversary of HIPAA, the
OCR described how HIPAA has revolutionized the very nature of healthcare and noted the
changing nature of health technology, especially mobile health. U.S. DEP’T HEALTH & HUMAN
SERVS., U.S. DEP’T OF LABOR & U.S. DEP’T OF TREASURY, HIPAA at 20: A Bipartisan
Achievement, HHS BLOG (Aug. 19, 2016), https://www.hhs.gov/blog/2016/08/19/hipaa-20-
bipartisan-achievement.html. The FDA has also increased its reach as new technologies
emerged. See Colin Zick et al., Regulating Electronic Health Records and Clinical Decision
Support, FOLEY HOAG, LLP (Jan. 2014), http://www.foleyhoag.com/-/media/files/foley%20ho
(describing FDA proposed regulation and workgroup implemented in order to address then-