Health Care IT Legal Issues:
1. Enabling IT from Mobile Devices: mHealth, mDevices and Telemedicine.
2. Current Hot Topics in Health Care IT Contracting.
3. Medical Management System Architecture.
abe-oldenburgl@bennettjones.com
HEALTH CARE IT LEGAL ISSUES
Lisa Abe-Oldenburg
Bennett Jones LLP
IT.Can Roundtable
October 29, 2012
Index
1. Enabling IT from Mobile Devices: mHealth, mDevices and Telemedicine.
2. Current Hot Topics in Health Care IT Contracting.
3. Medical Management System Architecture.
1. Enabling IT from Mobile Devices: mHealth, mDevices and Telemedicine.
“If the Internet is humanity's planetary nervous system, we are now building our planetary
immune system,” Dr Nathan Wolfe.
mHealth
In the early manifestations of health care, African villagers used smoke signals to warn people to
stay away from the village in case of serious disease. In the early 1900s, people living in remote
areas in Australia used two-way radios, powered by a dynamo driven by a set of bicycle pedals,
to communicate with the Royal Flying Doctor Service of Australia. Care at a distance (also
called "in absentia" care) was also often conducted via post.
Today, health care or health-related information can be provided through the use
of mobile devices (typically mobile phones but also other specialized medical mobile devices
such as wireless monitors). There are 6 billion mobile phones in use worldwide.1 Mobile
devices are ubiquitous and personal and the nature of mobility provides users with 24x7
anywhere access to networks and information. The health care sector can benefit from the pre-
existing investment and development that has already been made into network infrastructure,
connectivity, user interfaces, hardware, IT, billing models and user training. So much computing
power and communication already exists in the hands of so many people. It is only natural that
mobile devices become a vital part of health care.
Dr. Wolfe sees great potential in the mobile phone. When he visits remote parts of the Congo not
connected by road or electricity grid, he often finds that locals are able to use a mobile-phone
service, recharging their phones at night using portable generators. He recently left his post at
the University of California, Los Angeles, to head the Global Viral Forecasting Initiative
(GVFI). Since most deadly viruses, like HIV and SARS, originate in wild animals, his team is
developing a software system to offer hunters of bushmeat who are in constant contact with such
animals, a tiny financial reward to send an SMS message letting him know when they are ill,
which would provide a useful early warning. Health workers would then be sent to test the ailing
person to see if there is cause for alarm.2
1 According to the International Telecommunication Union, there were 5.98 billion mobile phones in use at the end of 2011.
C:My DocsPaper by Lisa Abe-Oldenburg on Healthcare IT Legal Issues for IT.Can Conference Oct 29-30 2012.docx
Wireless communication systems, hand held devices, mass data storage and cloud computing
will revolutionize health care to become more patient-centric, allowing for care anywhere and
precision-based medicine, by providing personalized, participatory, predictive and preventive
toolkits that will help patients manage genetic vulnerabilities, chronic illness, and episodic acute
conditions.
As a result of demographic changes, such as ageing and chronic illness, the public sector is
recognizing a need to optimize access and quality of care, and is driving regulatory reform to
partner with the private sector for innovation, efficiency, improved outcomes and cost reduction.
Much of this innovation is being achieved through the adoption of mobile technologies, which
are being developed and deployed more rapidly in emerging markets than in developed countries.
In developed countries, health care systems are hospital-centric, focusing largely on acute care
even while chronic conditions dominate the disease load. In emerging markets, however,
the limits of inadequate health infrastructure are driving growth in mobile health care as a means of
providing access to much-needed health services, where patients were previously poorly served,
or not served at all.
Mobile applications and services can include, among other things, remote patient monitors, video
conferencing, online or text decision support/consultations, personal health care devices, wireless
access to patient records and prescriptions, text reminders, coaching and
demonstrations/explanations, drug adherence and verification, general health and wellness data
gathering and monitoring.
As an example, in Africa, mPedigree operates a program in partnership with the principal
telecom operators, leading pharmaceutical industry associations and Fortune 500 technology
companies, to empower African patients and consumers to protect themselves from the fatal
effects of pharmaceutical counterfeiting. The mPedigree mobile health platform allows
consumers purchasing drugs to text (via SMS) at no cost (via their own or a shared mobile
phone) a coded number on the packaging and receive instant verification, which will either
confirm that the product is legitimate or warn that it is counterfeit. The UN estimates that
roughly half of the anti-malarial drugs sold in Africa—worth some $438 million a year—are
counterfeits. The WHO has been working with government agencies and manufacturers around
the world to create a database of products, giving each packet of medicine a new number. A new
initiative from mobile phone company Orange (part of France Telecom), allows for tracking of
drugs at any point in the distribution pipeline using widely available and relatively inexpensive
technology. According to mPedigree, counterfeit drugs cause at least 700,000 deaths annually.3
2 "A Doctor in your Pocket", The Economist, April 16, 2009.
3 http://mpedigree.net/
Counterfeit drugs used to be a problem for poor countries. Now they threaten the rich world
too.4 Through the use of mobile technology, hundreds of thousands of lives will be saved and
counterfeiters can be caught and brought to justice.
mDevices
The use of mobile devices on wireless sensor networks (WSN) in health care is flourishing.
Applications of wireless sensor technologies, devices, services and tools, can help monitor the
health status of patients, providing prevention and early intervention, feedback and coaching, in
order to reduce costs associated with chronic conditions that are the leading cause of disability
globally and which put an enormous strain on most health care systems.
Mobile devices that can be used to monitor human activities using sensor technology and
networks may be deemed medical devices and subject to regulation as well as licenses5 from
regulators in order to be sold in Canada.6 The term "Medical Devices", as defined in the Food
and Drugs Act, covers a wide range of health or medical instruments used in the treatment,
mitigation, diagnosis or prevention of a disease or abnormal physical condition. Health Canada
reviews medical devices to assess their safety, effectiveness and quality before being authorized
for sale in Canada. Medical devices may also require certification by the Canadian Nuclear
Safety Commission (CNSC), and compliance with radiation emitting regulations, prior to
licensing for operational or servicing activities. With the advent of new unproven technologies,
regulators will face challenges in seeking a balance between patient safety and potential benefits.
The applications of mobile devices in medical use can be of two types: (i) wearable, and (ii)
implanted.
Wearable devices are those that can be used on the body surface of a human or just at close
proximity of the user. Some of the wearable medical devices and applications are: temperature
measurement, respiration monitor, heart rate monitor, pulse meter, blood pressure monitor,
glucose sensor, etc.
The implantable medical devices are those that are inserted inside the human body. These
devices and their applications include for example: cardiac arrhythmia monitor/recorder, brain
liquid pressure sensor, endoscopic capsules, etc.
The non-medical devices and their applications in the area of health care can include real-time
video streaming and real-time audio streaming. Besides the typical scope of monitoring
applications in health care facilities, there are other uses such as remote controlled applications,
data file transfer, measuring body positions and location of the patient, and at home monitoring.
4 "Poison Pills", The Economist, 2 September 2010.
5 In Canada, certain devices must have a Medical Device Licence before they can be sold. To determine which devices need a Licence, all medical devices have been categorized based on the risk associated with their use. This approach means that all medical devices are grouped into four classes with Class I devices presenting the lowest potential risk (e.g. a thermometer) and Class IV devices presenting the greatest potential risk (e.g. pacemakers). Prior to selling a device in Canada, manufacturers of Class II, III and IV devices must obtain a Medical Device Licence. Although Class I devices do not require a Licence, they are monitored through Establishment Licences.
6 The Therapeutic Products Directorate (TPD) applies the Food and Drug Regulations and the Medical Devices Regulations under the authority of the Food and Drugs Act to ensure that the pharmaceutical drugs and medical devices offered for sale in Canada are safe, effective and of high quality. The TPD also administers fee regulations for drugs and medical devices under the authority of the Financial Administration Act.
To address the growing use of sensor technology in this area, a new field known as wireless body
area networks (WBAN or simply BAN) has emerged. Also, a new concept of "people centric"
and "urban" wireless sensor networking has been proposed and is gaining momentum.
Radio Frequency Identification (RFID) and Wireless Sensor Network (WSN) are two important
wireless technologies that have a wide variety of applications and offer unlimited future
potential, especially in health care systems. RFID is used to detect presence and location of
objects while WSN is used to sense and monitor the environment. Integrating RFID with WSN
not only provides identity and location of an object but also provides information regarding the
condition of the object carrying the sensor enabled RFID tag.
As most devices and their applications are wireless in nature, security and privacy are among
major areas of concern. The direct involvement of humans also increases the sensitivity. Whether
the data gathered from patients or individuals is obtained with the consent of the person or
without it due to the need by the system, misuse or privacy concerns may restrict people from
taking advantage of the full benefits from the system. Also of concern is the risk of serious
personal injury. People may not see these devices as safe for daily use. Public fear that such devices
may be used for monitoring and tracking individuals by government agencies or other private
organizations, and that those devices could be tampered with or contain defects, raises policy
issues and will require strict regulation and contracts that fairly allocate liability risk for vendors and
suppliers.7
Telemedicine
In the health care sector, many organizations and/or health care professionals use telemedicine to
facilitate access to health care for patients. However, many more are using it to increase access to
distance education opportunities or to reduce the amount of travel and cost involved in attending
meetings.
"Telemedicine" has been defined as the use of telecommunications technologies to create
audio/visual linkages between physicians and patients in different locations, in actual or stored
time.
The benefits of telemedicine include improving access and quality of care, by having the right
provider in the right place at the right time. The Ontario Telemedicine Network (OTN) is one of
the largest telemedicine networks in the world. More than 3,000 health care professionals in
more than 1175 sites across the province use OTN to deliver care to their patients. This year,
OTN will deliver more than 135,000 patient visits.
Using two-way videoconferencing, OTN provides access to care for patients in every hospital
and hundreds of other health care locations across the province. OTN offers a full range of
telemedicine services, including videoconferencing, webcasting, store forward and telehomecare
to meet various clinical, educational and administrative needs.
7 Security and Privacy Issues in Wireless Sensor Networks for Health Care Applications, Moshaddique Al Ameen, Jingwei Liu and Kyungsup Kwak, Journal of Medical Systems, Volume 36, Number 1 (2012), 93-101, DOI: 10.1007/s10916-010-9449-4.
Areas where Telemedicine is being used include Teleneurology,8 Teleradiology, Telepathology,
Teledermatology,9 Telecardiology, Telepsychiatry, Teleophthalmology and Fetal Monitoring.
The connectivity of telemedicine involves telecommunications systems, and in particular phone
lines, Internet, satellite and wireless communications.
One of the major concerns with any mobile or telemedicine application is the issue of privacy
and data security. In Ontario, personal health information is subject to the requirements of the
federal privacy legislation as well as the Personal Health Information Protection Act, 2004.
Other provinces have similar legislation.
Another issue is the regulation of medical professionals across jurisdictional borders. The
College of Physicians and Surgeons of Ontario ("CPSO"), which regulates doctors in the
province, recognizes that telemedicine enables physicians to deliver health services across
provincial/territorial and international borders. In many cases, physicians in Ontario refer
patients or provide patients’ information to a specialist located outside of the province. Where
this occurs and the physician outside of the province is not registered with the CPSO, the CPSO
expects the physician in Ontario to inform the patient of that fact and that any potential
complaint would need to be considered outside of the province (for example, in the jurisdiction
of the specialist). Providing this information is part of the process for obtaining the patient’s
informed consent to the medical consultation.
For Ontario physicians providing care to patients outside of the province via telemedicine, the
CPSO suggests that they:
• comply with the licensing requirements of any province/territory/country in which they
  are providing medical services; and
• in addition, understand that the CPSO maintains jurisdiction over its members wherever
  they may practice and therefore is required to review any complaint made to it about a
  member, even if made by a patient located in another jurisdiction.
This is based on the principle that patients must be protected from harm and physicians held
accountable for the quality of services they perform. Ontario physicians with a certificate of
registration in another jurisdiction should also be aware that the CPSO may review concerns
arising in the other jurisdiction and may take action with respect to the physician’s certificate of
registration in Ontario.
Telemedicine is in a constant state of evolution. The innovative technologies in telemedicine
provide endless opportunities for developing new approaches to the delivery of health services.
In recognizing the tremendous potential for growth in this area, the CPSO acknowledges that
telemedicine will likely be one of the greatest influences on the way medicine is practiced in the
future. For this reason, the CPSO will continue to monitor future developments and provide
updates, in particular, on jurisdictional issues and certificates of registration. It also views
telemedicine as an impetus for the future development of a national medical registry.
8 The Telestroke Program of the OTN provides stroke patients in remote areas of the province with 24/7 access to life-saving emergency care that they might not receive without this real-time expert neurological assessment. Emergency Physicians use OTN to connect with neurologists to obtain urgent diagnosis and treatment advice, including the administration of time-sensitive medication.
9 Otn.teledermSF allows a health care professional to take a digital image of a skin condition and upload it along with pertinent patient data to a secure server. An Ontario-based dermatologist accesses the server to review the information, returning a diagnosis and suggested treatment to the referrer, all without a long wait, added costs or travel time for patients.
2. Current Hot Topics in Health Care IT Contracting.
Most national health systems are both vast and fragmented. Technology still presents challenges
for mHealth adopters. Both doctors and payors list privacy and security concerns as leading
barriers to greater use of mHealth, and only around half of doctors believe that the mobile
Internet facilities at their workplace are reasonably secure. Poor integration also impedes uptake.
Just 53% of doctors say that the mHealth applications and services they use work with their
organization's IT, and even fewer say they are integrated with technology in other parts of the
health system, such as other hospitals and clinics.10 Integration of new systems, software and
technologies gives rise to a host of integration issues, which must be managed through adequate
design, implementation, testing, correction, change and governance processes. Contracts must
set realistic and measurable boundaries on each party's obligations and liability, in particular for
personal injury.
The move to a more patient-centric health care model requires leadership and co-ordination
among all stakeholders – physicians, hospitals, health insurers, pharmaceuticals, medical device
companies and government. In order to achieve desired results, conventional business models
and contracts typically will not work. Contract negotiations need to involve all stakeholders and
will likely shift their focus to clinical outcomes, value and patient satisfaction. The following
key principles will need to be addressed in health care IT contracts:
• Interoperability – representations, warranties and covenants as to interoperability of IT
  with sensors and other mobile and non-mobile devices, networks and systems, to share
  vast amounts of data with other applications, such as electronic health records and
  existing health care plans.
• Integration – services and deliverables to include integration activities and work products
  of providers and users.
• Qualitative Solutions – deliverables to be problem solving, real-time, qualitative solutions
  that realize measurable productivity gains. Outcomes to provide a return on investment
  not just in terms of cost but also access and quality of care based on health care
  objectives.
• Socialization – terms dealing with sharing of information, privacy, security and data
  access and retention across a broad community.
• Service Levels - that enable patient involvement and the provision of ubiquitous and
  instant feedback.
10 "Emerging mHealth: Paths for Growth", a PwC survey and study of the mobile health market.
Scalability and portability require open modular architecture and vendors are increasing the use
of cloud computing and open source technologies to deliver IT services and systems. Peter
Neupert of Microsoft argues that the rise of cloud computing (providing data storage and
processing over the Internet) will be "transformative" for wireless health.11
However, cloud computing and open source technologies pose several risks, such as:
• security and privacy breaches, unauthorized access
• data mining
• uncertainty as to location of data at any point in time
• inability to properly audit
• cross-border data transfer
• difficulty with access to and return of data
• vendors' standard cloud computing contract terms and open source licenses don't contain
  adequate protection for intellectual property, have unreasonably high limits on liability,
  no warranties or indemnities.
Health care providers will need to assess and manage these risks, as well as seek legal advice in
contract negotiations involving innovative technologies.
3. Medical Management System Architecture.
Access to the right information and the automation of complex tasks and workflow is the key
focus of medical management systems, freeing staff to spend more time on caring
for patients and extending the reach of services. Such systems (and procurement/outsourcing
contracts) need to have the technical and functional specifications, as well as service level
requirements (SLAs) of flexibility & scalability, comprehensive report types, ease of
customization, intuitive visuals and interactive graphics that simplify complex data analysis and
presentation. As well, seasoned professionals with relevant experience in the health care
industry can help consult on, design, develop, configure, integrate and implement the system
that incorporates the best health care practices and is designed to deliver key tangible benefits to
patients and health care industry stakeholders.
There is a huge spectrum of medical management systems and architecture that has been
developed over the past 10-15 years, and continues to be developed to provide solutions in
medical office administration, pathology, radiology, pharmaceutical delivery systems, medical
records management and other areas. There are increasingly extensive applications of new
systems techniques and methods in hospitals, clinics, physician's offices, including
communication links between various health care providers, insurers, product suppliers, medical
records storage and retrieval and ancillary patient-support systems. With the amalgamation of
sciences, existing medical systems are constantly being modified to fit particular circumstances
and to solve specific problems.
11 "M-Powered – The Convergence of Mobile Telephony and Health Care is Under Way", The Economist, Nov 11, 2010.
In a hospital setting, for example, computer hosts are dispersed to different locations in the
network. There are generally workstations, personal computers, laptops, mobile devices, PDAs,
modems, switches, hubs, printers, medical equipment, storage archives, servers and host systems
all configured to be connected through a LAN, WAN, Intranet and the Internet.
In medical management systems, the key functions a system must address include:
• Patient administration, such as front office appointments, reservations, registrations,
  admissions, discharge, payment, back office services, staff scheduling, doctor and
  nursing station orders, transfers, etc.
• Clinical management, such as diagnostic/laboratory, operation theaters, patient indices,
  medical records, blood banks, telemedicine, physical management systems, care plans
  and personnel management, etc.
• Resource management, such as pharmacy, general stores, ambulatory, cafeteria, medical
  equipment and supply chain management, etc.
• Financial Management, accounting, payroll, health benefits admin, claims processing,
  etc.
• Information Management, such as clinical decision support, patient data monitoring and
  safety, medication-use process, research systems, enterprise application management, etc.
With the progress and the development of information technology, the internal data in medical
organizations has become extremely valuable and sensitive in electronic format. Moreover, the
use of the Internet has enhanced information communication as well as affected the development
of the medical information management systems. Such systems are often networks within other
networks, and when all are connected together, comprise a vast resource of useful information
that can be analyzed for medical research, advancement in health care and improvement of
individual health. However, the Internet is considered a high-risk, public environment
that is easily invaded. The data in medical network systems is very sensitive and confidential
and it is necessary under the law to protect the personal privacy of electronic patient records,
including ensuring data in health care facilities is properly authorization-controlled. As a
consequence, medical network systems are considered high security networks that require
excellent protections and managerial strategies to prevent the risk of disclosure, misuse of
confidential information and external attacks. Health care organizations need to
implement secure medical managerial strategies to be applied to the network environment of the
medical information system architecture, while allowing the medical system to work smoothly
and safely in a way that not only benefits patients but also allows doctors to use it more
conveniently, and further promotes overall medical quality. These objectives can be achieved
through proper design of the technology, as well as implementation of business processes that
minimize managerial mistakes, resulting in highly-reliable medical information systems.
In today's hospitals, the medical workstation is a basic component of any image management and
communication system. The design of such a component can be very complex because of the
challenging engineering requirements. Architectural models must ensure flexible and portable
software platforms upon which medical workstations can be realized. Some current models are
based on an overall framework of object oriented programming.12
Biomedical Information Management Systems ("BIMS") is an example of software architecture
designed to provide a flexible computational framework to manage the information needs of a
wide range of biomedical research projects. The main goal is to facilitate the clinicians’ job in
data entry, and researcher’s tasks in data management, in high data quality biomedical research
projects.
The architecture methodology required in a health care setting must be able to manage large
amounts of complex and dynamic information. In addition, to be fully functional, flexible and
allow modeling and managing of large amounts of heterogeneous biomedical data sets, both
textual as well as visual (medical images) information, the architecture would need to be
developed as a web-based application.
In Medical Genetic Testing (MGT) Laboratories, there are existing knowledge management
(KM) technology weaknesses. Information system (IS) architecture is being developed to
establish process automation and content management of the distributed workflow of knowledge
generation and knowledge management (KG&KM) during MGT result interpretation. The IS
will validate the interpretation decision by using information systems/information technologies
(IS/IT), especially KM tools, such as workflow management system (WFMS), search engine and
groupware. Once developed and implemented, such integrated systems will significantly
improve MGT lab researchers' KG&KM performance through increasing knowledge capture,
improving documentation quality and maintaining (if not improving) users' information
satisfaction.13
IT contracts for the development and procurement of such systems require careful consideration
of the terms and allocation of risks that are best managed between the parties. In the health care
sector, the procurement Directive and guidelines must be followed. Contractual issues need to
be analyzed from a legal and business perspective. Contracts need to focus on issues arising in
IT development and outsourcing, legal compliance (e.g. privacy), intellectual property ownership
and licensing, liability risk allocation, patient outcomes, impacts and results, as well as the
functional and technical requirements (including testing) of the IS architecture.
12 A software architecture for medical image processing stations, Boccignone, G., Chianese, A., De Santo, M., Picariello, A., Image Processing, IEEE International Conference, Nov 1994.
13 A System Architecture Design for Knowledge Management (KM) in Medical Genetic Testing (MGT) Laboratories, Gu, Y., Warren, J., Stanek, J., Suthers, G., Computer Supported Cooperative Work in Design, 10th International Conference, May 2006.