Joint presentation to Fx Conference Audio Conference on Digital Health, May 21, 2013. My part focused on FDA regulation of mobile medical applications.

1. www.duanemorris.com
©2011 Duane Morris LLP. All Rights Reserved. Duane Morris is a registered service mark of Duane Morris LLP.
Duane Morris – Firm and Affiliate Offices | New York | London | Singapore | Los Angeles | Chicago | Houston | Hanoi | Philadelphia | San Diego | San Francisco | Baltimore | Boston | Washington, D.C.
Las Vegas | Atlanta | Miami | Pittsburgh | Newark | Boca Raton | Wilmington | Cherry Hill | Princeton | Lake Tahoe | Ho Chi Minh City | Duane Morris LLP – A Delaware limited liability partnership
Ken Keane, Lisa Clark and Michael Swit
mHealth Converges: The Impact of FCC,
HIPAA/Privacy and FDA
An Fx Conferences Audio Conference
May 21, 2013

2. www.duanemorris.com
Standard Disclaimers
• Views expressed here are solely ours and
do not reflect those of our firm or any of its
clients.
• This presentation supports an oral briefing
and should not be relied upon solely on its
own to support any conclusion of law or
fact.
• This presentation, and the materials
included herewith, are provided for general
educational purposes and should not be
construed as legal advice.
2

3. www.duanemorris.com
What We Will Cover
• Background on mHealth – Lisa Clark
• The FCC and mHealth – Ken Keane
• FDA and mHealth – Michael Swit
• Privacy and Security/HIPAA and mHealth –
Lisa Clark
3

4. www.duanemorris.com
Background on mHealth
Lisa Clark
4

5. www.duanemorris.com
What is mHealth? Terms and
Definitions
• mHealth
– is health care delivered wirelessly
– facilitates health data exchange
– is replacing bricks-and-mortar health care delivery
• Closely related term: Health Information
Technology (HIT)
• Other terms: Telemedicine, Telehealth, Wireless
Health, eHealth, Digital Health
5

6. www.duanemorris.com
mHealth Devices and Platforms
• Medical devices:
– Glucose meters that transmit results to electronic
health record (EHR) or lab
– Wearable devices to track patients who may wander
• Medical apps/software
– Tablet or smart phone with app that provides general
medical information to physicians at bedside
• Other software
– Software that supports health information exchanges
(HIEs) and electronic health records (EHRs)
6

7. www.duanemorris.com
Who uses mHealth?
1. Consumers (for themselves)
- Weight apps
2. Consumers-Providers/Providers-Consumers
- Glucose meters
- Telepsychiatry
3. Providers-Providers
- Teleradiology
4. Payors-Providers, Payors-Consumers
7

8. www.duanemorris.com
The mHealth Stakeholders
1. Device makers, pharma
2. Start-ups, etc.
3. Investors
4. Payors
5. Providers
6. Consumers
7. Government
8. Others:
1. Standard setting organization, academia, telecom, private
organizations
8

9. www.duanemorris.com
Expected Growth in mHealth
• Anticipated growth:
– $27.3B by 2016 (BCC Research)
– Growth rate at 22% through 2014 (RNCOS)
• Simultaneous contraction in hospital-based
and other traditional healthcare services
(physician visits, etc.).
9

10. www.duanemorris.com
• Federal Communications Commission (FCC)
• Food & Drug Administration (FDA)
• Health and Human Services (HHS)
– Office of the National Coordinator (ONC)
– Centers for Medicare and Medicaid Services (CMS)
• Federal Trade Commission (FTC)
• Other
– Department of Homeland Security
– Department of Commerce (National Telecommunications and
Information Administration)
– States, etc.
10
Who is Regulating mHealth?

11. www.duanemorris.com
mHealth/Government Interest
• Government -- actively tracking mHealth and
HIT and why, where, and how to jump in.
– 62 government committees (!) looking at mHealth/HIT.
• Congress – three days of hearings in mid-
March 2013
11

12. www.duanemorris.com
mHealth/Government Interest …
• The Food and Drug Administration Safety
Innovation Act (FDASIA) Workgroup:
– “charged with providing expert input on issues and concepts
identified by the Food and Drug Administration (FDA), Office of the
National Coordinator for Health IT (ONC), and the Federal
Communications Commission (FCC) to in order to inform the
development of a report on an appropriate, risk-based regulatory
framework pertaining to health information technology including
mobile medical applications that promotes innovation, protects
patient safety, and avoids regulatory duplication.”
– First meeting was on April 29, 2013. Slides from meeting are at
www.healthit.gov/sites/default/files/fdasia_kickoff_faca_slides.pdf
12

13. www.duanemorris.com
mHealth/This Presentation
• We will review key mHealth activities regarding
– FCC
– FDA
– Privacy and security/HIPAA
• Other areas of interest include (not discussed today)
– Reimbursement (Medicare, Medicaid and private)
– Fraud and abuse
– Licensure
– Liability/insurance/malpractice
– IP
13

14. www.duanemorris.com
The FCC and mHealth
Ken Keane
14

15. www.duanemorris.com
FCC -- History in Wireless Medical
Technology
• Allocated spectrum for low-power medical
telemetry 40 years ago
• 460-470 MHz
• Unlicensed medical applications also long allowed
under FCC Rules
• In 1999, established rules for implanted
devices like wireless defibrillators (aka
Medical Implant Communications Service or
“MICS”)
• 402-405 MHz15

16. www.duanemorris.com
FCC – History with Wireless Medical …
• In 2000, designated 14 MHz for Wireless
Medical Telemetry
• 608-614 MHz and 1.4 GHz range
• Used for telemetering patient monitoring data to
central stations
• In 2009, established Medical Device
Radiocommunication Service (“MedRadio”)
• Incorporated MICS and expanded allocation to include
401-406 MHz
• Expanded rule to accommodate body-worn devices.
• Rules harmonized with those in other Regions of the
world16

17. www.duanemorris.com
FCC – History with Wireless Medical …
• Applications include e.g. blood glucose monitors, and
body-worn devices
• In 2010, FCC signed Memorandum of Understanding
with FDA. Intended to increase efficiency of
regulatory processes for wireless medical devices
by, e.g.
• Enhancing information sharing
• Coordinating approval processes
17

18. www.duanemorris.com
FCC – History with Wireless Medical …
• In 2011, rules adopted for Medical
Micropower Networks
• Implanted devices surgically injected to provide
artificial nervous system for stroke victims, wounded
soldiers, and others with traumatic brain injuries
• Spectrum allocated in response to Petition by Alfred
Mann Foundation
• 24 MHz in four six megahertz blocks in UHF band
18

19. www.duanemorris.com
MBAN Devices -- Background
• In 2012, adopted rules for Medical Body
Area Network Systems (“MBAN”)
• Wireless devices for a wide variety of functions such as
blood pressure monitoring, delivery of electrocardiogram
readings, and neonatal monitoring
• MBAN devices designed to be deployed widely within a
hospital setting and make use of inexpensive, disposable
(band-aid sized) body-worn sensors/transmitters
• MBAN technology to facilitate movement of patients to
different parts of the health care facility for treatment, and
reduce risk of infection from wired sensors
19

20. www.duanemorris.com
• limitations of physical cables keep nearly half of all
patients from being actively monitored. MBANs allow
for ubiquitous and reliable monitoring, and give health
care providers the chance to identify life-threatening
problems or events before they occur
• According to Institute for Healthcare Improvement, a
monitored hospital patient has a 48% chance of
surviving a cardiac arrest -- number drops to 6% without
monitoring
20
MBAN Devices -- Background (con’t)

21. www.duanemorris.com
MBAN Rules
• MBAN decision allocated 40 MHz of spectrum at
2360-2400 MHz for MBAN use on a secondary basis
• Expansion of existing MedRadio Service in Part 95 of Rules
• Permits MBAN devices to operate on a ‘license-by-rule’ basis in
which users will not have to apply for and receive individual
station licenses
• Expected to lead to rapid and widespread development of
innovative MBAN applications
21

22. www.duanemorris.com
MBAN Rules (con’t)
• MBAN to share spectrum with primary aviation
users, industry and Government. Rules contain
registration and coordination provisions to protect
flight test telemetry operations conducted by
aerospace companies and government users.
• 2360-2390 MHz long used exclusively for flight test telemetry
between aircraft under test and engineers on the ground
• Enables engineers to monitor performance of aircraft in real-
time, and warn pilot in the event of any anomalous condition is
detected
• Utilizes large, dish-type tracking antennas which are very
sensitive to interference
22

23. www.duanemorris.com23

24. www.duanemorris.com
MBAN Rules (con’t)
• While registration with a medical coordinator will be
required, vast majority of MBAN systems in 2360-
2390 MHz will not require coordination with flight
test operations due to geographic separation
• Use of 2360-2390 MHz restricted to indoor operation
at health care facilities at 1 mW
• MBAN devices in the 2390-2400 MHz band will also
share spectrum, but will not require coordination,
and may be used in any location -- including in
residential settings and ambulances -- and at higher
power (20 mW). However, 10 MHz likely not
sufficient in hospital settings.
24

25. www.duanemorris.com
Registration/Coordination Process:
• Hospital will register with an “MBANs coordinator.”
• MBANs coordinator analyzes proposal and provides
data on proposed deployment to aerospace
coordinator
• In the great majority of cases, there will not be any
interference risk, and coordination not necessary
• In cases where analysis shows a risk of
interference, aerospace and medical coordinators
will seek to resolve situation so as to facilitate
successful deployment without risk of interference
to flight testing
25

26. www.duanemorris.com
Registration/Coordination Process
(con’t)
• Upon successful coordination, medical coordinator
will issue hospital an “electronic key” allowing
activation of MBAN systems
• Beacons in hospitals ensure MBAN systems do not
operate out-of-doors in 2360-2390 MHz band
• In the unlikely event of interference to flight test
telemetry, MBANs must immediately shut down
26

27. www.duanemorris.com
Registration/Coordination Process
(con’t)
• As part of the registration process for operating
MBAN devices in the 2360-2390 MHz band, hospital
will provide medical coordinator with a point of
contact responsible for making changes to MBAN
operating parameters (such as discontinuing
operations or changing frequencies)
• Most MBAN systems expected to be capable of
defaulting to 2390-2400 MHz band
• FCC expects its licensees to work together to
resolve any instances of harmful interference
27

28. www.duanemorris.com
Current MBAN Status
• When FCC issued decision, certain issues identified
for further comment. Those issues included, in
particular, selection of a medical coordinator or
coordinators for MBANs.
• Aerospace industry coordinator already designated,
i.e. AFTRCC (association of aerospace companies)*
___________________________
* Duane Morris is counsel for AFTRCC.
28

29. www.duanemorris.com
Current MBAN Status (con’t)
• AFTRCC, GE Healthcare, and Philips Healthcare
have filed Joint Petition for Reconsideration
regarding issues where the Commission departed
from the proposed rules that the parties had
negotiated and presented
• Petition proposes a number of changes to more closely align
FCC rules with IEEE standards
• One issue is eligibility for 2360-2390 MHz, i.e. Commission’s
decision to allow all clinics, no matter how small, to utilize
MBANs devices in this band
29

30. www.duanemorris.com
Current MBAN Status (con’t)
• Petitioners have urged that MBAN systems be limited to
hospitals and other health care facilities which offer patient
beds on a 24-hour basis. Small clinics, which do not need 30
MHz, could use 2390-2400 MHz
• Decision probable by year end
30

31. www.duanemorris.com
Other FCC Activity
• June 2012, FCC established mHealth Task Force
• September 2012, Task Force issued Report
• FCC Chairman Genachowski announced steps that
FCC will take to implement key recommendations in
Task Force Report including:
• Streamlining experimental licensing rules to permit easier
testing of mHealth devices
• Reform of Rural Health Care Program to facilitate broadband
connections, especially in rural areas (decision issued in
December)
31

32. www.duanemorris.com
Other FCC Activity (con’t)
• Directed FCC’s International Bureau to work with regulators in
other countries to encourage making spectrum available for
MBANs and to discuss spectrum harmonization
• Determined to hire Health Care Director who would act as
POC on all health-related issues (now on board)
* * *
32

33. www.duanemorris.com
FDA and MHealth
Michael Swit
33

34. www.duanemorris.com
What is a Medical Device?
• “Device” – Section 201(h) of the Federal Food,
Drug, and Cosmetic Act (the Act): means:
– an instrument, apparatus, implement, machine, contrivance,
implant, in vitro reagent, or other similar or related article,
including any component, part, or accessory, which is—
 recognized in the official National Formulary, or the United States
Pharmacopeia, or any supplement to them,
 intended for use in the diagnosis of disease or other conditions, or in the cure,
mitigation, treatment, or prevention of disease, in man or other animals, or
 intended to affect the structure or any function of the body of man or other
animals, and
which does not achieve its primary intended purposes through chemical
action within or on the body of man or other animals and which is not
dependent upon being metabolized for the achievement of its primary
intended purposes.
34

35. www.duanemorris.com
Is Software a Medical Device?
• Yes, if it fits the definition of Section 201(h),
where the main focus will be how the software
can be used to treat, prevent or diagnose
disease
35

36. www.duanemorris.com
FDA – Basics of Device Regulation
• Devices are classified per risk – 3 Classes
– Class I – least risky; typically do not require prior FDA
review or approval, but must meet all other “general
controls” applicable to all medical devices (e.g., facility
registration, device listing, MDR reports)
– Class II – more risky – typically require FDA clearance
of a “Premarket Notification” Submission or “510(k)”
 Standard for clearance of 510(k) – “substantial
equivalence” to an already lawfully marketed device
36

37. www.duanemorris.com
FDA – Basics of Device Regulation
– Class III – most risky – require approval of a
Premarket Approval Application (PMA) –
 Standard of approval – reasonable assurance of safety
and effectiveness, based on clinical investigations
• Classification – required of all devices on market
as of May 1976; over 1,000 devices classified as
to:
– Identification – i.e., what is the device?
– Intended use
– Technological characteristics
37

38. www.duanemorris.com
Key to FDA Device Marketing
• Must find a classification that your device
meets
– If not, and your device is new technology, by operation
of law, your device is automatically placed in Class III
• Device “classification” and mHealth Devices –
– Is your product a device at all?
 Even if it is, if the use is so “minor,” will FDA allow me to
come to market easily?
 If it is, finding a device classification that your mHealth
device meets
– If you can’t, what do you do about being automatically
placed in Class III?38

39. www.duanemorris.com
FDA’s Draft Guidance on Mobile
Medical Applications
• July 2011 – in reply to concerns about FDA
regulation of mobile apps, agency issues draft
guidance
– http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/Gui
danceDocuments/UCM263366.pdf
– “mobile app" -- defined as a software application that
can be executed (run) on a mobile platform, or a web-
based software application that is tailored to a mobile
platform, but is executed on a server.
39

40. www.duanemorris.com
FDA’s Draft Guidance on Mobile
Medical Applications …
– “mobile medical application” (MMA) -- mobile app that
meets the definition of "device" in section 201(h) of the
Federal Food, Drug, and Cosmetic Act (FD&C Act) and
either:
 is used as an accessory to a regulated medical device;
or
 transforms a mobile platform into a regulated medical
device.
– Intended use – is key to determining if it is a medical
device; can be inferred by FDA from many sources
– Others – FDA will not enforce at this time
40

41. www.duanemorris.com
Draft Guidance – NOT an MMA
• Electronic copies of textbooks, teaching aids, or
reference materials
• General health & wellness apps -- solely used to
log, record, track, evaluate, or make decisions or
suggestions related to developing or maintaining
general health and wellness
– e.g. – dietary tracking logs; appointment reminders;
dietary suggestions based on calorie counting
• Automated office functions – e.g., billing,
inventory
41

42. www.duanemorris.com
Draft Guidance – NOT an MMA …
• Generic aids -- that assist users but are not
commercially marketed for a specific medical
indication.
– e.g., apps that use the mobile platform as a magnifying
glass (but not specifically for medical purposes),
recording audio, note-taking, replaying audio with
amplification, and other similar functionalities.
• Mobile apps that perform the functionality of an
electronic health record system or personal
health record system.
42

43. www.duanemorris.com
Draft Guidance – Apps FDA Will
Regulate
• Apps that are an extension of one or more
medical device(s) by connecting to such
device(s) for purposes of controlling the device(s)
or displaying, storing, analyzing, or transmitting
patient-specific medical device data.
– Examples – are considered “accessories”
 remote display of data from bedside monitors
 display of medical images
 remote control of drug delivery of an infusion pump
– Take on classification of device to which connected
43

44. www.duanemorris.com
Draft Guidance – Apps FDA Will
Regulate …
• Apps that transform the mobile platform into a
medical device by using attachments, display
screens, or sensors or by including functionalities
similar to those of currently regulated medical
devices.
– Example: AliveCor™ iPhone based ECG system –
physical attachment to an iPhone that converts it into
an ECG and transmits data via web
 510(k) cleared in November 2012
44

45. www.duanemorris.com
Draft Guidance – Apps FDA Will
Regulate …
• Apps that allow the user to input patient-specific
information and - using formulae or processing
algorithms - output a patient-specific result,
diagnosis, or treatment recommendation to be
used in clinical practice or to assist in making
clinical decisions.
45

46. www.duanemorris.com
Why mHealth and FDA Don’t “Connect”
• Lack of Transparency –
– While FDA says it has reviewed and cleared/approved
over 75 mHealth devices, not clear what FDA required
as 2011 draft guidance is “generic” in nature
 no specific guidances for clearances
 difficult to find detailed info on “per device” requirements
• Many mHealth Devices do not fit existing
device classifications
– Result – automatic Class III status under law
 Challenge – de novo petition process is unwieldy
46

47. www.duanemorris.com
Why mHealth and FDA Don’t “Connect”
• Need for more guidance
– 2011 Guidance – said more guidance would be
provided to cover:
 Apps that use data from more than one kind of medical
device
 Clinical decision support software
 Wireless safety considerations – for example, rumor that
at least one FDAer involved in mHealth issues would
require that developers prove their apps not interfere
with other devices used in healthcare settings
 Application of Quality System Regulation (QSR) to
software
47

48. www.duanemorris.com
The AliveCor™ Device & App
48

49. www.duanemorris.com49

50. www.duanemorris.com
How it Came to Market
• Classification – 21 CFR 870.2340
Electrocardiograph.
– (a) Identification. An electrocardiograph is a device
used to process the electrical signal transmitted
through two or more electrocardiograph electrodes and
to produce a visual display of the electrical signal
produced by the heart.
– (b) Classification. Class II (performance standards).
• Seven consensus standards and an FDA
guidance document apply – check “Product
Code” to figure that out – “DPS”
http://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfpcd/classification.cfm?ID=666
50

51. www.duanemorris.com
So, What Do You Do?
• Meet with FDA – unless absolutely clear
• Understand that you are in the medical device
business and that, even if you have a Class I
device, you have to meet the General
Controls, which are demanding, especially:
– Quality Systems Regulations
 Design controls for software
• Reimbursement – who will pay for it?
– CMS
– Private payer
51

52. www.duanemorris.com
Privacy/Security and MHealth
Lisa Clark
52

53. www.duanemorris.com
Privacy and Security
• The question: What are the required,
recommended and best privacy and security
protections for a particular mHealth product or
service?
– Is the product/service subject to HIPAA?
– Does the FTC guidance apply? Has the FTC initiated an
enforcement action against a similar product/service?
– When is consent to collect/use/disclose data required?
– What other federal or state laws or agencies might regulate the
product/service?
– What are industry best-practices?
53

54. www.duanemorris.com
Privacy and Security
• The terms:
– ‘Privacy’: protects the consumer through
policies, rights to data, etc.
– ‘Security’: protects the data through
passwords, encryption, etc.
– ‘By Design’: Designing the
product/service with privacy and security
in mind
54

55. www.duanemorris.com
Privacy and Security
• The principal laws and regulations:
– Health Information Portability and Accountability Act of
1996 (HIPAA)
– Federal Trade Commission Act (consumer fraud,
fairness)
– Federal and state consent laws
– Other privacy and breach laws
– American Reinvestment and Recovery Act –
Meaningful Use regulations
55

56. www.duanemorris.com
Privacy and Security
• HIPAA:
– Protects the privacy and security of protected health
information (PHI)
– Fines up to $1.5m per year for violations.
– Does HIPAA apply?
 Applies to Covered Entities – 1) health care providers
that engage in certain electronic transactions, 2) health
plans, and 3) health clearinghouses (billing companies)
 Also applies to Business Associates – agents and
subcontractors of Covered Entities that handle PHI, and
their agents and subcontractors
56

57. www.duanemorris.com
Privacy and Security, HIPAA cont.
• If an entity is not a Covered Entity or Business
Associate, then HIPAA does not apply
– a physician IS a covered entity (and so any app
provided by the physician to patients, e.g., personal
health record that interfaces with physician is covered)
– a data management company that provides services to
a hospital IS a Business Associate
57

58. www.duanemorris.com
Privacy and Security, HIPAA cont.
• A wireless heart rate monitor service provider that permits a
patient to collect heart rate data at home and send it to his/her
physician
• is NOT a Covered Entity if it does not bill a payor (instead bills the
customer or the provider)
• BUT the physician (who is a Covered Entity) must protect the PHI
• Software that supports the distribution of specialized drugs to a
hospital and include a patient portal provides billing services
• IS a Covered Entity if it bills a payor for the hospital or
individual
• IS also a Business Associate because if it is billing for the
hospital or performing data analysis
• MAY BE a Covered Entity as a Provider
58

59. www.duanemorris.com
Privacy and Security, HIPAA cont.
• If HIPAA applies, then must implement a
Compliance Program that includes:
– Privacy requirements – Notices, P&Ps,
Training, Rights for Individuals, etc.
– Security ‘standards’ – Access Restrictions,
Audit Requirements, Disaster Recovery, etc.
– Breach Notification – Breach Reporting Policy
59

60. www.duanemorris.com
Privacy and Security, FTC
• FTC is authorized to protect the consumer
against
– 1) Deception (material misrepresentation, omission);
– 2) Unfairness (harm or the potential for harm)
• Actions:
– PATH social networking app: settled with FTC for
$800k against charges that it deceived users by
collecting personal information from their mobile device
address books without their knowledge and consent.
– AcneApp: agreed to stop advertising baseless claims
that app could cure acne with lights emitted from
smartphones60

61. www.duanemorris.com
Privacy and Security, FTC Guidance
• “Marketing Your Mobile App: Get It Right from
the Start” business.ftc.gov/documents/bus81-
marketing-your-mobile-app
 Privacy by Design - Build privacy considerations in from the
start.
 Transparency.
 Collect sensitive data with consent.
 Keep data secure.
 Truthful advertising, etc.
- “Mobile Privacy Disclosures: Building Trust Through Transparency”
www.ftc.gov/os/2013/02/130201mobileprivacyreport.pdf
61

62. www.duanemorris.com
Privacy and Security, FTC Guidance
• “Mobile App Developers: Start with
Security” business.ftc.gov/documents/bus83-mobile-app-
developers-start-security
– Make someone responsible.
– Take stock of the data.
– Understand differences between mobile platforms.
– Use due diligence on third party code.
– Use transit encryption for usernames, passwords, and other
important data.
– Protect your services, etc.
62

63. www.duanemorris.com
Privacy and Security, Sensitive Data
and Consent
• When is consent to collect/use/disclose
‘sensitive data’ required?
– ‘Sensitive data’ includes: mental health, substance
abuse, reproductive health, genetic, infectious disease
and other data.
– Different laws apply.
– Consent may be obtained in writing, through opt-in/opt-
out, etc. – verbal not advised.
– Consent must be clear and honored.
63

64. www.duanemorris.com
Privacy and Security, Social Media
• What is ‘social media’?
– Forms of exchange of user-generated content,
including blogging, chat rooms, internet forums,
podcasts, instant messaging, etc.
• Principle is free-flow of information (and thus difficult
to control privacy and security).
• No separate laws (yet).
• If mHealth product/service uses social media (e.g., an
app that links to a chat room), must ensure
transparency of how data used, obtained consent as
necessary, etc.
64

65. www.duanemorris.com
Privacy and Security, Other Resources
• HHS’s Office of National Coordinator
www.healthit.gov (authorized by ARRA to
oversee development of HIT):
– Development of Nationwide Privacy and Security
Framework for National Health Information Exchange
(HIE)
 Privacy and security at every level.
– Examining conflicting state laws around consent.
– Developing toolkits.
65

66. www.duanemorris.com
Privacy and Security,
Recommendations
• To determine best industry privacy and security
practices, work with industry groups, consultants.
• General resources:
– mHIMSS, www.mhimss.org
– AHIMA, www.ahima.org
• Obtain legal advice regarding applicable laws (HIPAA,
FTC, sensitive data, breach, etc.) and whether the
product/service’s privacy and security compliance
program satisfies those laws.
66

67. www.duanemorris.com
Questions?
• Ken Keane, Partner, Duane Morris
– Phone: +1 202 776 5243
Email: KKeane@duanemorris.com
• Lisa Clark, Partner, Duane Morris
– Phone: +1 215 979 1833
Email: LWClark@duanemorris.com
• Michael Swit, Special Counsel, Duane Morris
– Phone: +1 619 744 2215
Email: MASwit@duanemorris.com
67