September 16, 2021

Maverick's Update

Only What Matters In Health Information Policy

What did you have for breakfast? According to the FTC, the five Big Tech companies (Apple, Amazon, Facebook, Google and Microsoft), regularly eat startups for breakfast. At its open meeting this week, the FTC found that the Big 5 reportedly made 616 “smaller” acquisitions (“smaller” -- meaning under $92 million -- more than $92 million is more like dinner for these companies). That’s so much eatin’ that one FTC Commissioner called it a Pac-Man strategy. These acquisitions weren’t necessarily related to health care, (honestly, we’re not sure -- we didn’t look through the whole list), but FTC Commissioner Christine Wilson called for a similar study on health care mergers. More breakfast stories to come.

Here is some related news for you to digest -- and it doesn’t have to be over breakfast:

1. At that same public meeting, in what Politico called “the first step in creating tougher rules on deals that are increasingly common in the tech and healthcare industries,” the FTC voted to rescind 2020 guidance on vertical mergers -- saying that it will coordinate with the Department of Justice to scrutinize mergers between companies that aren’t direct competitors. And right on cue, an hour after the FTC vote, the Department of Justice issued its own statement about how it will collaborate with the FTC about harmful vertical mergers.

2. Must have been a big meeting, because the FTC also voted to approve a policy statement that reiterates a rule that already exists -- all non-HIPAA covered entities must notify consumers and the FTC if health data is released without authorization -- whether it was because of a hacking incident or just an accident. In the statement, the FTC said that the rule had never been enforced and companies that offer mobile apps seemed confused about it, so the FTC cleared it up for them: “The Commission intends to bring actions to enforce the Rule consistent with this Policy Statement. Violations of the Rule face civil penalties of $43,792 per violation per day.” Alrighty, then -- that’s pretty clear.

3. Not to be outdone, the FDA jumped on the bandwagon to regulate health data by launching its new Office of Digital Transformation. It is not entirely clear what Vid Desai, FDA’s Chief Information Officer, is going to regulate in his big new office, but he is not new to the health data game, and there are a lot of words in FDA’s Data Modernization Action Plan that attempt to explain.

One Thoughtful Paragraph

Speaking of breakfast, The Breakfast Club is an outstanding 1985 coming of age film -- a comedy-drama written by John Hughes about teenagers serving detention. It is called the “breakfast club” because that’s what the high school kids called their 7 am Saturday morning detention. And it is starting to feel like detention for health tech companies, with all the rules and prosecutors ready to pounce. We knew -- way back in January -- that the significant cybersecurity threats and the Democrats’ squeaker election meant big changes for privacy and health data-related laws. Sure enough, President Biden just nominated law professor Alvaro Bedoya, the founder of Georgetown Law’s Center on Privacy & Technology, to the FTC. Bedoya was the first chief counsel of the U.S. Senate Judiciary subcommittee on privacy, technology, and the law, and is expected to help the FTC take a more aggressive approach to data protection. Just two days after Professor Bedoya’s nomination, Senator Amy Klobuchar, who chairs the Senate antitrust subcommittee, said that Congress is ready to move forward with both antitrust changes and a comprehensive privacy law aimed at tech companies. As Shermer High School Assistant Principal Richard Vernon said (who oversees detention in The Breakfast Club), “Don’t mess with the bull, young man. You’ll get the horns.”