On April 18, lawyer Dillon Brozyna of Edelson PC, on behalf of lead plaintiff Joan Richards of Utah, filed a class action against MDLive, a telehealth provider based in Sunrise, Florida.

MDLive offers an app that connects patients to doctors, pediatricians, and therapists 24/7. The complaint alleged MDLive's app transmits screenshots of users' health information to a third-party vendor, Israel-based Test Fairy. Test Fairy uses that information to "possibly identify bugs."

In its motion to dismiss the suit, MDLive referred to its Terms of Use Contract, which users must agree to. The contract's privacy policy states that it may disclose information to contracted third parties to support its business, according to an MDLive statement. The company also said Test Fairy is bound by a confidentiality agreement.

When dealing with sensitive health information, is that enough?

The dispute raises serious privacy and security concerns about telemedicine platforms and related mobile apps, both of which are becoming more widely accepted. Over the past few months, senators have introduced two bills to expand Medicare's telehealth services and one to eliminate the Department of Veterans Affairs' restrictions on telehealth across state lines. This comes not long after Congress approved a bill to make telehealth services available under the U.S. Department of Defense's TRICARE health plan for active duty military members and their families.

Prioritize Privacy and Security

As with other providers, certain telemedicine services must abide by HIPAA privacy and security rules. The privacy rule provides guidance that only the minimum health information necessary to care for the patient shall be used or shared. The security rule sets standards for securing patient data.

The Federal Trade Commission's privacy rules also apply. Any app or software developer whose product accesses personal information should pay attention to FTC rules. If a company's user agreement is unreasonably vague relative to the data collected, stored, and shared, the FTC could allege an unfair and deceptive trade practice violation.

"The FTC focuses on making sure policies are transparent, clearly outlined, and cover all the ways in which a company might use or disclose the consumer's health information and other personal data," said Jade Kelly, a partner in Arent Fox's San Francisco office and a member of its Health Care and Privacy, Cybersecurity & Data Protection Groups. "A privacy policy should be as specific as possible and put consumers on notice as to what the company does with their data."

Because privacy and security are closely intertwined, a telehealth provider should be as detailed as possible in designing its security protocols. If a telemedicine company doesn't have proper security measures in place, it should get them fast, lest they risk violation of FTC and HIPAA regulations, federal wiretap laws, invasion of privacy, and even simple breach of contract.

"When you buy something, you are relying on what a company says they will do to protect your information," said Christopher Dore, a partner at Edelson PC who focuses his practice on emerging consumer technology and privacy issues. "If they don't do that, then you're not getting the benefit of the bargain."

Telemedicine technology should employ HIPAA-compliant security measures, including fully encrypted data transmission, peer-to-peer secure network connections, and unique user identification, among other protocols. The trouble is, some tech companies, in a rush to take advantage of telemedicine's growth, don't take the time to implement these policies, putting them at risk of a security breach as well as a lawsuit.

"Companies are competing to get to market, and that comes with speed," said Dore. "As a consequence, they often aren't putting the time, effort, and resources into security protocol. Take the time to design your product and your service correctly and use the most up-to-date security standards."

Transparency Is Key

The legal issues surrounding telemedicine technology don't stop with privacy and security. Providers must also be mindful of federal and state fraud statutes.

With some exceptions, under the antikickback statute, it is a criminal offense to knowingly offer, pay, solicit, or receive money to induce referrals of items or services reimbursable by a federal health care program. The Stark Law prohibits physicians from referring Medicare patients for designated health services to an entity with which the physician has a financial relationship.

Generally, to comply with the antikickback statute, Stark Law, and any related state laws, the physician, service vendor, health system, or any combination thereof must have a carefully structured written and signed agreement in place that sets forth the service provided and compensation in advance. Compensation must not vary with the volume or value of any referrals or business generated between parties. These laws are very nuanced, Kelly said, which is why specificity and transparency are important.

As technology develops, rules and regulations directed toward telemedicine and health-related mobile apps will likely increase, especially in the realm of privacy and security.

"With almost 100 percent certainty, people are very resistant to sharing medical information," said Dore. "There is a heightened standard, and the law has recognized that in some respects. As we expand into new technologies, steps have to be taken to make sure protection extends to all the different mediums."

Heather R. Johnson is a freelance writer based in Oakland, California.

[Image courtesy of DIGITALART/FREEDIGITALPHOTOS.NET]