restrictive cybersecurity requirements in the HIPAA statute, the HIPAA
regulatory structure, in particular the OCR’s enforcement activity, has
evolved over eighteen years to become comparatively stronger than pre-HITECH HIPAA OCR activity.167
Unfortunately, the existing roles within HIPAA significantly limit the
OCR’s ability to fully regulate the digital health marketplace.168 CEs only
include health plans, healthcare providers, and healthcare clearinghouses, a
limited set of organizations with very specific purposes.169 Manufacturers
and developers of digital health products, therefore, would likely not be
considered CEs unless their services are provided directly to consumers and
the services are reimbursable by insurance.170 The BA role may include some
manufacturers and developers if providing digital health solutions through a
CE, but collectively CE and BA roles alone do not encompass direct-to-consumer digital health technologies, leaving a large portion of the digital
health marketplace regulated only by catch-all FTC enforcement.171
Further, the HIPAA model cannot sufficiently regulate digital health
cybersecurity because it exhibits a pull, demand-side compliance model.172
https://www.hipaa.com/ocr-penalizes-physician-practice-for-hipaa-privacy-and-security-rule-violations/ (describing an HHS resolution with a Physician Practice following its HIPAA
violations).
167. See HIPAA enforcement actions, supra note 166 (representing a fraction of HIPAA
enforcement actions which ultimately serve to strengthen the OCR’s regulatory scheme); see
generally Part II, Health Insurance Portability and Accountability Act and accompanying
notes (describing CE and BA roles and statutory requirements).
168. EXAMINING OVERSIGHT, supra note 11, at 15.
169. See Part II, HIPAA Classification and Applicability.
170. Id.
171. Id. Although the BA role is comparatively large and has been applied in a variety of
business contexts, the BA role depends on its relationship with a Covered Entity. Because a
Covered Entity is fairly narrow in application, BA applicability also leaves out significant
portions of the Digital Health marketplace. Although the Federal Trade Commission does
enforce unfair and deceptive trade practices, the FTC Act gives power to the FTC to regulate
data security practices, but does not directly create statutory requirements for organizations to
meet on the front end. See Kathryn F. Russo, FTC v. Wyndham Worldwide Corporation et al.
and the FTC’s Authority to Regulate Companies’ Data Security Practices, 23 COMPETITION:
J. ANTI. & UNFAIR COMP. L. SEC. ST. B. CAL. 164, 166–68 (2014) (describing the Wyndham
case outcome substantiating the FTC’s ability to bring actions under the FTC Act for data
security practices amounting to unfair or deceptive trade practices). The FTC does have
rulemaking authority as specifically allocated according to statute, such as the Health Breach
Notification Rule, incorporated into the American Recovery and Reinvestment Act of 2009;
see 16 C.F.R. Part 318.
172. This Article does not address whether privacy should be included in consumer
protection statutes because Congress has already enshrined that decision in substantial
legislation, including HIPAA. That said, the regulatory structure of HIPAA does not require
pre-market approval or validation before a process or device is released to the public; this
structure relies on voluntary compliance. Otherwise, this structure carries substantial potential
penalties if an entity does not comply, in which case either the OCR audits the entity or
someone files a complaint; see Part II, Health Insurance Portability and