September 2020  Volume 1, Issue 6
Health Law Connections

A Framework for Innovation

AHLA thanks the leaders of the Health Information and Technology Practice Group for contributing this feature article.
  • September 01, 2020
  • Gerard Nussbaum, Zarach Associates LLC
  • Scott Bennett, Microchip Technology

Health care has always sought to drive innovation and develop new approaches and tools while assuring safety for both patients and caregivers. From the invention of the stethoscope by René Laënnec in 1816[1] through the use of advanced telehealth tools of today, clinicians have been using technology to enhance the treatment of patients.

Of course, adopting new technologies is far more complicated now than it was in the early 1800s when Laënnec rolled up a sheet of paper into a tube to enable him to hear the patient’s heartbeat.[2] Today’s health care enterprise faces heightened privacy and security requirements, regulatory burdens, and the need to assure appropriate risk management when developing, acquiring, adopting, and using technology. Often, in-house counsel, and the external attorneys that support them, are faced with requests that require them to rapidly come up to speed on a new technology or an opportunity for the health care organization (HCO) to partner with an emerging company (EC) to develop a new technology. These requests are frequently accompanied by short timelines.

External innovators—in many cases ECs that are seeking to partner with the HCO—rely upon nimble and agile approaches that may not be fully in sync with the HCO’s internal processes, and in many cases do not take account of the challenges HCOs experience as they seek to adopt newer technologies. ECs generally lack a proven business model; are seeking to define and validate both their product and approach to the market; and may also lack leadership with extensive business experience.[3]

Both the HCOs and their external partners would benefit from a more consistent framework for assessing legal, regulatory, compliance, and risk management concerns. Such a framework would ease communication and help set expectations. For the attorneys, the framework would support a complete review, assure that appropriate documentation was created, highlight key management decisions to be made, and enable them to more actively participate in risk management discussions.

Potential Risks to Consider When Undertaking New Initiatives

For any new technology initiative, a long list of potential risks should be considered during the planning process. Many of these risks are set forth in the table below. Certain of these risks are heightened when undertaking an innovation initiative with an EC partner. The nature of this partner may also require a different view of the risks as the likelihood and potential impact may differ from a similar initiative that was fully managed and staffed internally by the HCO. How the risks and appropriate mitigation activities are assessed and structured may also be a point of friction between the parties as they each view the risk-benefit tradeoff differently. This tug of war between the moon-shot approach of the EC and the longer-term view of the HCO should also be addressed in structuring the relationship.

To meet the needs of both the EC and the HCO, all parties need to be transparent regarding their objectives and goals. The expected benefits for each party, as well as the contributions to advancing health, knowledge, and learning must be on the table. The excitement of participating in something new often is the primary motivation for the HCO and key staff; unfortunately, the excitement can wear off, leaving both parties frustrated and disappointed. Careful consideration of the objective, goals, and benefits—in a structured manner—can help build a more durable initiative and relationship between the parties.

Framework for Collaboration

A framework that supports collaboration includes clear documentation of the agreed upon goals, means to achieve the goals, and ability to measure progress towards the goals. The framework is not intended to be a once and done, but rather something that is reviewed on a regular basis to assure the collaboration between the parties is remaining true to its aims and to identify where a course adjustment is needed. The framework should be flexible so that the parties can make adjustments based upon their experience together. Many innovation initiatives end up moving in a completely different direction, often with significantly changed technology and goals due to the interactions throughout the collaboration.

To help align the efforts of the parties, early attention to key framework elements is helpful. We approach these key elements as answers to a series of core questions that the parties should discuss to come to a shared understanding.

Is the Problem We Are Trying to Solve Worth It?

All too frequently, an EC will approach the HCO with an exciting technology that the innovators believe will revolutionize health care. This may generate a great deal of excitement leading to an attempt to collaborate to pursue this exciting technology. Scenarios such as this often result in failure because the focus is on the technology, not the essential and underlying need. The parties must carefully define the problem they are trying to solve and the benefits of solving the problem.

The benefits must be worth the effort. For example, innumerable innovations purport to save a nurse five minutes every hour. However, unless the total solution finds a way to apply the freed-up time to a worthwhile activity and assures that this benefit is actually and reliably achieved, the benefit of time savings has no real value to the HCO.

The opportunity definition must include: a clear statement of the problem the parties are seeking to solve, specific benefits to be gained by solving the problem, and a solid quantification of the value of the benefits to the HCO. Benefits quantification should be monetary. As a foundation, this opportunity definition will be key to gaining senior executive approval for the effort; as well as providing a basis for the EC’s fundraising and go-to-market strategy for the final product.

Is There a Commitment to Buy the Resulting Product?

Closely related to the anticipated benefits is the question of whether the HCO is willing to commit to purchase the proposed solution. Not only is there a need for a champion for the collaboration—usually a department head, service line leader, or other operational line executive—but the champion must commit to using part of her budget to buy the resulting product on a commercial basis.

Many HCOs have entered into development and pilot relationships with ECs, but at the end of the multi-year collaboration have declined to buy the resulting product. This is the worst outcome for the EC that has managed to create a viable product. It makes subsequent sales efforts with other HCOs difficult, complicates funding discussions, and may ultimately lead to the demise of the EC. Of course, the commitment to purchase must be predicated upon the solution meeting defined and measurable requirements and a mutually agreed upon price.

How Do We Assure Access to the Right People?

For the EC, the development of the solution is their sole focus. But for the HCO there are many competing priorities, especially when involving clinicians, line HCO personnel, and HCO leadership. Both parties need to define the overall resources they are committing to the project. For the HCO, this would include staff time, investments in supporting technologies, and any monetary investments made by the HCO in the EC.

These items must be fully budgeted and allocated by the HCO. The EC will need focused time on a regular basis with line staff for planning sessions, design reviews, feedback sessions, and related meetings. Line staff (e.g., nurses, therapists, pharmacists) time should be allocated as part of their shift or schedule, not an add-on to their day-to-day responsibilities. For the HCO, this usually means backfilling positions; assuring department budgets, to which managers are held accountable, include funding for the backfill; and taking into account any union contract issues regarding shift length, overtime, and covered duties.

For the EC, this means adapting to a more structured schedule for interactions with line staff, assuring proper preparation for these interactions, and keeping in close alignment with departmental managers. Rapid development methods support a process of regularly scheduled developer and user interactions. For this to work, the EC must continue to drive meaningful progress and assure that their development efforts are appropriately staffed to drive meaningful progress at each meeting interval. Line HCO enthusiasm may be rapidly lost if a track record of progress that is responsive to line staff feedback is not maintained.

In addition to the target users of the solution, other key stakeholders—including information technology, finance, legal, risk management, clinical engineering, infection control—must be involved and appropriate budgets and staff time allocation made to assure timely resource engagement. Appropriate use of resources should be reviewed and managed as part of the regular project governance meetings, as the time of the involved experts—both EC and HCO—is the most valuable input that each party will provide.

How Do We Turn Vision into Reality?

Successful collaborations are based upon a shared vision. Each party has their own reasons for pursuing the shared vision. The motivations may include, for the HCO, improvements in its ability to improve health in its communities, enhance efficiency and effectiveness, more broadly advance health care, and obtain a return on its investment; for the EC, the ability to develop and refine new products, enhance company and owner wealth, and gain public recognition.

The financial benefit objective provides a basis for appropriately motivating the parties. This may include formalization of increasing HCO equity stakes in the EC when certain major milestones are met by specific deadlines.[4] These incremental equity stakes may be directly or indirectly tied to the HCO’s level of resource investment in the collaborative development, which may be separate from any direct financial investment in the EC. For milestones to support the overall vision, they must be clearly measurable and time bound.

Shared major milestones with concomitant benefit for the HCO support appropriate engagement by both parties in achieving the milestones, provide a basis for regular assessment of progress towards the shared goal, and focus both parties on achievement-oriented behaviors. While the milestones should be defined in rather specific terms, the leadership of both parties should expect to adjust the milestones as the nature of the collaboration evolves. This leadership engagement is a significant pillar in shared project governance.

Shared governance of collaborative innovation projects occurs at many levels. At the lowest level—the HCO line manager and the EC project manager—governance is about the agreed upon schedule, assuring that resources are available for collaboration, and a sober assessment as to whether the expected benefits will be realizable. The HCO project sponsor and EC leadership should meet on a regular basis (at a minimum every two weeks) to address any roadblocks, demonstrate progress, and assure continued alignment of vision and delivered solutions.[5] A project steering committee, which includes the project sponsor, key stakeholders, and EC leadership, should meet every four weeks to review project progress and maintain accountability. HCO senior leadership, or a delegated oversight group, should maintain appropriate oversight over the collaboration and ascertain at least quarterly that continuing the collaborative relationship is still in the HCO’s strategic interests.

Regulatory and Compliance

This section provides some of the key regulatory and compliance issues that should be considered in developing and adopting new health care technologies. Regulatory and compliance issues are often a point of friction between the EC and the HCO, as the EC may not have prior experience with these issues and view them as bureaucratic stumbling blocks slowing progress. The parties need to arrive at a shared understanding of the requirements and assure that they are incorporated into the solution design by including key stakeholders (e.g., compliance, cybersecurity) in the design team and governance.

Determine and Manage All Potential Risks

It is critical to assess, and find ways to manage, all potential risks from the technology. The risk assessment cannot stop at the Health Insurance Portability and Accountability Act (HIPAA). It is important to consider the different types of risks created by the collaborative development. Other significant risks could include:

  • Physical injury—to patients, health care personnel, or visitors;
  • Distracting and/or overwhelming health care providers and other personnel;
  • Cybersecurity;
  • Bias and discrimination; and
  • Fraud and abuse.

Consider the Privacy Implications

The use of a new technology must comply with all relevant federal and state privacy laws, starting with HIPAA. Development efforts may take varying paths, with attendant likelihood that the EC will have access to patient information either as part of or incident to the development effort. Unless clear safeguards are set up to prevent access to patient information, a Business Associate Agreement with the EC will be needed.

Other privacy laws that could apply include the federal Part 2 regulations; state health information laws; state consumer privacy laws (e.g., the California Consumer Privacy Act (CCPA)); and the General Data Protection Regulation of the European Union (GDPR). The parties should also assure that the use of personal information is consistent with any representations about privacy made by the EC or HCO; the Federal Trade Commission has actively used its authority under Section 5 of the Federal Trade Commission Act[6] to bring enforcement actions against companies that failed to live up to their privacy promises.

Beyond obligations imposed by law, ECs and HCOs should respect consumers’ reasonable expectations about how their information will be handled. The public criticism of various health care collaborations involving Google and others illustrates the perils of violating privacy expectations, even if the arrangement complies with the law.

Concomitant with the focus on privacy, the parties must assure that cybersecurity is designed in and made a core part of the development relationship. The EC may need to familiarize itself with the relevant privacy and security requirements, unless the HCO is willing to undertake the work necessary to educate the EC in depth.

Manage Potential Conflicts of Interest

Be aware of potential conflicts of interest. For example, an arrangement in which a prominent surgeon who generates a sizeable amount of business for an HCO is one of the owners of an EC seeking to co-develop her innovation with the HCO may raise issues under the Stark Law and Anti-Kickback Statute (AKS), including questions about whether the arrangement is truly arm’s length and commercially reasonable. Nonprofit HCOs must also be mindful of the Internal Revenue Service prohibition against private inurement and private benefit.

Beware of the Stark Law and AKS

In addition to issues relating to physicians with an ownership interest in the EC, new technologies can raise many additional concerns under the Stark Law, AKS, and other federal and state fraud and abuse laws. A few examples:

  • When the technology is provided for free or at a reduced cost, such as with a pilot program.
  • When the technology could influence a provider’s referral decisions (e.g., a software program that suggests certain prescription medications), or a patient’s choice of provider.
  • When the technology allows a provider to avoid a certain expense or eliminates a task that its personnel previously performed, and the technology is funded by a potential recipient of referrals.

Consider the Need for Food and Drug Administration (FDA) Approval

Any technology that meets the statutory definition of a medical “device” might require pre-market approval by the FDA.[7] Software can be a regulated device, although the 21st Century Cures Act[8] excluded certain software functions from FDA regulation. The FDA has published extensive guidance regarding its approach to regulating a variety of different types of software used in health care.[9]

Assess Whether the Use of the Technology Constitutes Research

If the use of the technology—and the information it generates—constitutes research involving human subjects, then the parties will need to comply with the FDA regulations for the protection of human subjects, the Common Rule, and/or the provisions of the HIPAA Privacy Rule that address the use of protected health information for research. The parties may need, among other things, to obtain prior approval from an institutional review board or privacy board and specific informed consent from the research subjects. Depending upon the nature of the technology and its intended uses, the scope of human subjects may include not only patients but also staff.

Think About Reimbursement

Reimbursement is an important consideration in the EC’s development of the technology and the HCO’s adoption and use of it. Keep in mind that the development of technology often outpaces changes to reimbursement, which may affect the HCO’s ability to achieve the desired financial benefits and the sales potential of the resulting technology.

Assess Insurance Coverage

HCOs should verify that their insurance coverage encompasses co-developed technologies during the development period, as well as after in the event of liability for the product’s shortcomings when used by other HCOs. The HCO and the EC may need to determine if the EC is able to obtain sufficient insurance coverage.

Contractual Approaches

Given the evolving nature of many collaborations, defining the contractual relationship is challenging. The agreement must include flexibility to accommodate the evolving relationship, product, and goals while assuring appropriate risk mitigation and risk sharing. The contract between the EC and HCO is critical for managing both sides’ responsibilities, expectations, and risks. A comprehensive discussion of the contract provisions that are relevant to health care technology is beyond the scope of this article;[10] some of the most important provisions to consider:

  • Performance warranties, addressing what performance is guaranteed, the length of the warranty period, and liability and remedies if the technology fails to perform as warranted.
  • The role of the HCO in “selling” the technology, including the HCO’s responsibility for hosting site visits or brokering introductions to other HCOs.
  • Risk and liability allocation
    • Indemnification and risk-allocation provisions.
      • All parties that could be sued if something goes wrong, including the HCO and EC; any third parties that provide components, services, or training; internet service providers; and cloud storage vendors.
      • Also consider the HCO’s potential liability if it promotes the technology to other HCOs, and the product causes an injury or other harm at one of those HCOs.
    • Limitations on liability
  • Ownership rights in the co-developed intellectual property
  • Data ownership, rights, and permitted uses, including each party’s right to use, share, or sell information generated by the technology, as well as any requirements for deidentifying personal information.
  • Disclosures by the EC, such as known security vulnerabilities, prior adverse events, the results of any data validation or third-party testing, and a bill of materials.
  • Reporting and liability for security incidents and breaches


The opportunity to work with talented and enthusiastic innovators is of major benefit to HCOs. HCOs have a wealth of experience and knowledge to share—a majority of health care participants have a direct view of the rich vein of opportunities for improvement. Working collaboratively, HCOs and ECs can drive rapid and beneficial improvement in health care. The success of the collaboration may be enhanced by careful consideration of the different approaches and perspectives that each party brings to the effort. A structured framework will assist the parties in transparently communicating and jointly agreeing on key parameters of the working relationship. This article outlines some of these key framework elements as a starting point for further discussion. We welcome your comments as a way to further collaborative opportunities.


  1. Kara Rogers & Ariel Roguin, René Laënnec, Encyclopaedia Britannica, (accessed May 19, 2020).
  2. Mary Bellis, René Laennec and the Invention of the Stethoscope, ThoughtCo., updated Mar 11, 2019, (accessed May 19, 2020).
  3. We use the term emerging company to encompass early through late stage startups. The principles outlined in this article may also be applicable to other types of co-development activities with more mature partners.
  4. The nature of the ownership in the EC, the underlying intellectual property, or other share-gain approaches will likely vary based upon the project goals, the parties, and their individual needs. We use ownership stake here as an example.
  5. Interim meetings may be required to help clear roadblocks if the lowest levels are unable to resolve them.
  6. 15 U.S.C. § 45(a).
  7. 21 U.S.C. § 321.
  8. Pub. L. No. 114-255 (Dec. 13, 2016).
  9. FDA, Guidances with Digital Health Content, (last accessed June 2, 2020).
  10. For a more in-depth exploration of the use of contract provisions in health information technology, see Scott Bennett & Gerard Nussbaum, Role of Technology in Delivering Health Care: Artificial Intelligence, Virtual and Augmented Reality, and Three-Dimensional Printing, in AHLA’s Health Law Watch (2020); AHLA Health Information Technology Contracting Toolkit, (Apr. 28, 2020) (edited by Jody Erdfarb, Jordan Stivers Luke, Seth Wolf, Ryann Schneider, & Alya Sulaiman).

Gerard Nussbaum is a Principal of Zarach Associates. Gerard advises health care clients on the full range of strategic and operational health technology matters at the intersection of health, technology, and law. Gerard advises health systems, provider organizations, academic medical centers, suppliers, and health care emerging and startup companies. Gerard is a Vice Chair of the AHLA Health Information and Technology Practice Group. Gerard may be reached at [email protected] or 312-620-9506.

Scott Bennett is a partner at the law firm Coppersmith Brockelman in Phoenix. Scott advises health care clients on issues of privacy, security, and compliance. He is the chair of the Digital Health affinity group, which is part of AHLA’s Health Information and Technology practice group. Scott may be reached at [email protected].

AHLA thanks the leaders of the Health Information and Technology Practice Group for contributing this feature article: Alisa Chestler, Baker Donelson Bearman Caldwell & Berkowitz PC (Chair); Kathleen Kenney, Polsinelli PC (Vice Chair—Educational Programming); Lisa Reisz, Vorys Sater Seymour & Pease LLP (Vice Chair—Educational Programming); Scott Bennett, Coppersmith Brockelman PLC (Vice Chair—Member Engagement); Amanda Enyeart, McDermott Will & Emery LLP (Vice Chair—Publishing); and Valerie Montague, Nixon Peabody LLP (Vice Chair—Publishing).