scrutiny for its products. In either case, the bottom line is that companies are
making business decisions shaped by the regulatory options they face.
A. Regulatory Arbitrage
First, a large set of companies has chosen to pursue a strategy of
“regulatory arbitrage,” in which the company will purposefully design its
technology in a way that minimizes or avoids regulatory scrutiny.
Nicolas Terry has explored the idea of regulatory arbitrage in the context of
mobile health technologies and Health Insurance Portability and
Accountability Act (HIPAA) protection.
56 Most health data that is exchanged
through, and held by, traditional healthcare providers, such as physicians and
hospitals, is subject to HIPAA’s protections for privacy and security.
health technology companies (including pharmaceutical companies and
medical device manufacturers) working with these providers may similarly
be subject to HIPAA as business associates, by virtue of these connections.
Many mobile health companies have instead chosen to design their
systems and interactions with patients to avoid collecting the kind of data, or
interfacing with the kind of entities, that would render their technology
subject to HIPAA protection.
59 As a result, Professor Terry notes, “the vast
majority of health apps are not curated, sold, or implemented by HIPAA
60 Much of the health data collected by these apps is
therefore not protected by HIPAA, and consumers lack the associated privacy
and security protections.
This regulatory arbitrage argument extends beyond the HIPAA context to
the innovation policy lever analysis described in Part I. A savvy company
that is aware of the FDA’s decision to exercise enforcement discretion over
broad categories of mobile health technologies can construct its products in
ways that make them fall outside the FDA’s current focus.
development costs low by avoiding FDA regulation is likely to ensure a given
55. More formally, Professor Victor Fleischer has defined regulatory arbitrage as “the
manipulation of the structure of a deal to take advantage of a gap between the economic
substance of a transaction and its regulatory treatment.” Fleischer, supra note 54, at 230.
56. Terry, supra note 54, at 44–47.
57. 45 C.F.R. § 160 (2002); 45 C.F.R. § 164 (2002); see also The HIPAA Privacy Rule,
U.S. DEP’T. HEALTH & HUMAN SERVS.,
(last visited Mar. 2, 2017).
58. 45 C.F.R. § 160 (2002); 45 C.F.R. § 164 (2002).
59. Terry, supra note 54, at 38.
60. Id. at 37.
61. Id. at 37–38.
62. See generally U.S. DEP’T HEALTH & HUMAN SERVS. MOBILE MEDICAL APPLICATIONS:
GUIDANCE FOR INDUSTRY AND FOOD AND DRUG ADMINISTRATION STAFF (2015),
https://www.fda.gov/downloads/MedicalDevices/. . ./ UCM263366.pdf.