CE, the likelihood of consumer injury increases.178
In addition to concerns regarding the breadth of HIPAA regulatory effects
and the ability for HIPAA to meaningfully prevent consumer injury, the
digital health marketplace also requires more robust and comprehensive
cybersecurity specifications to sufficiently manage cybersecurity risk.179
HIPAA privacy and security specifications fit the roles of CEs and BAs as
traditionally understood, rather than as product manufacturers or service
providers.180 Focusing on general IT functions, high-level organizational
process, and risk management techniques, rather than on product development
and service requirements or validation procedures, does not provide
the specificity often needed in the development process.181
While the OCR provides active HIPAA enforcement, HIPAA limits
applicability to specified entities, leaving a significant gap of uncovered
entities.182 In the rare circumstance that Congress would expand definitions
of HIPAA entities, the HIPAA compliance model does not effectively
manage consumer risk for entities manufacturing and developing products.183
Absent significant statutory revision, it is unlikely that OCR oversight could
effectively manage broad digital health cybersecurity risk.
A. The U.S. Food and Drug Administration: Reluctant Leader
The FDA has signaled its reluctance to manage cybersecurity in a variety
of ways, including statements that the ONC manages privacy and
cybersecurity standards for health IT and that the FDA will not regulate
178. See Part II (following the logical conclusion of demand-side compliance, the best
case occurs when and if CEs have bargaining power to demand HIPAA compliance of BAs;
the worst case when and if the OCR holds BAs accountable) (noting how, in both
circumstances, compliance expectations are communicated after, rather than before, a BA
creates an insecure product causing consumer injury).
179. See Part II, HIPAA Security Rule and accompanying notes; see Raths, supra note
180. See Raths, supra note 157 (describing how the HIPAA Privacy Rule does not match
a fast-moving, digital health marketplace with increasingly mobile connectivity and how,
similarly, security specifications could include standard product development measures, such
as code scanning prior to release, effective code merging and management, standard
authentication procedures and identity validation); see Part III.
181. Raths, supra note 157.
182. See Part II, HIPAA Classification and accompanying notes.
183. See Part II and accompanying notes. Because Covered Entities (CE) and Business
Associates (BA) are highly specific roles under HIPAA, requiring a variety of conditions to
be in place before HIPAA applies, relying only on HIPAA to regulate the digital health
marketplace would not effectively manage cybersecurity risk across the digital health market,
as many organizations are not required to be compliant with HIPAA. If Congress expanded
these definitions, the lack of comprehensive cybersecurity requirements would still not
effectively manage cybersecurity risk, due to the gaps in required cybersecurity activities for
CE and BA.