From the course: Ethics and Law in Data Analytics

IRAC application

- In this video, we're going to do IRAC exercise three together. And recall that the IRAC exercises are a legal analysis tool to help us move from issue identification to action. IRAC stands for issue, rule, application, and conclusion. And we'll read through this first story together. This story is about a company, Company A, that has a new technology using the combination of a smartphone camera and machine learning to analyze the pupil of someone suffering from a potential concussion. The use of this technology is really meant to assist coaches, soccer coaches, football coaches, basketball coaches, in time to identify if a person has a concussion or not. And if they do, to keep them off the field. If they don't, to send them back in. But of course it has multiple other uses for anybody who might be concerned, from sports or an injury they suffered, that they have a concussion. So you can read through here what the app actually does. And then you're told that you, the student, are a recent hire at Company A. Your new boss knows that you took this course in law and ethics in data analytics and artificial intelligence, and he or she wants your opinion about any possible legal concerns that you have for this new app on the smartphone. Now, we're going to look at this problem outside of any known FDA regulatory approvals, because, of course, this would have to go through a regulatory approval process. That's not what our concern is here. We're going to be looking at other issues that we've learned about that might come up, legal concerns that might come up, with respect to this new app. So the issue here, the issue arises out of the context of the story. The issue for us is whether there is a possibility that consumers using the new app to diagnose a health condition, here a concussion, will experience an invasion of privacy as a result of the collection and use of that personal medical data. That is our issue.
Is there a possible legal issue with respect to privacy using an app like this? Now, the rules that are relevant here are regulatory, and the regulatory law that is immediately applicable is something called HIPAA in the US, the Health Insurance Portability and Accountability Act. HIPAA protects health data. Remember, in the US, the regulation of privacy concerns is by sector, so health data, financial data, student data, and so forth. HIPAA is our law to protect health and medical data, so medical records, health data. Generally, HIPAA regulates organizations that meet two criteria, and they're listed here for you in this rule. First, an organization must play a certain role in the provision of healthcare to patients. So if you're regulated by HIPAA, you are likely an organization that has something to do with the provision of healthcare to patients. If it does and it meets that definition, it will be something called a covered entity. Also, there are business associates under HIPAA. So these are legally defined terms. You're either a covered entity providing healthcare or you're a business associate. Business associates are those that work with covered entities, so service providers. Cloud service providers storing data, for example, could be considered business associates. Secondly, HIPAA only applies when the organization, covered entity, or business associate handles protected health information, PHI. Therefore, to determine whether HIPAA applies to this situation, we're going to be thinking about whether the organization meets these definitions of covered entity or business associate, and whether it is handling PHI. Now, this is a new area, right? This is technology. HIPAA was written before apps were being created at a rapid pace. So we're going to be taking existing law, HIPAA, and applying it here in the application piece to reach a conclusion. There is no case law in this area. We can't just go look up a case about apps and HIPAA.
Unfortunately, we don't have that luxury. So we're going to have to reason through. And this is you as the new employee of Company A; this is what you would be doing. So based on what you know about this new app, how it works, who will be using it, do you think that the government regulators would conclude that your new company is subject to HIPAA's privacy and security compliance rules? So that's really the most important thing here. If we think that we're subject to HIPAA, then we have to make sure that in our business of marketing and distributing this app and taking data and managing data, we're following along with all of HIPAA's various rules. So, questions to consider here. These come from the US Department of Health and Human Services, and these are suggestions about how companies in technology might consider HIPAA and think about whether or not they should be complying with the compliance rules. One, who are the app's customers? Two, who directs use of the health data? Three, does Company A have a formal relationship with a covered entity like a healthcare provider? And four, will a covered entity require the use of the app? So these are all things that help us tease through and think about whether or not this new technology should be regulated by existing law in HIPAA. And the general thinking right now about this is that there are a lot of apps in the area of healthcare, you know, just keeping data, managing data, and there's a lot of power that consumers can have with respect to their health data because they have access to their own information. They know where to share it, who they want to share it with. It seems like in the app area, at least presently, that unless the app developer is working with a covered entity like a doctor's office or a health insurance plan, it's likely that the app is going to fall outside of the regulation of HIPAA.
So the distance from being a covered entity or a business associate is really important. And also, because consumers can really direct the use of the data, that seems to lead the US HHS to conclude that apps like this are not going to be subject to regulation, at least not now. Again, remember we're looking in this course at existing law to see if it applies to new technology. But we're also aware that the law may, and at some point likely will, catch up to the technology. So at the moment, although there are certainly other regulations that could apply to the design of the app, the regulation of HIPAA, the privacy and security regulations, likely does not apply to this situation. And Company A does not have to be concerned with those.