The Top 3 Legal Considerations for Pediatric Digital Health Companies
If you’re a founder or executive at a digital health company focused on pediatrics, you’re well aware that building tools to support our youngest generation’s health comes with unique advantages and challenges. On the clinical side, addressing childhood onset conditions early creates significant potential for positive impact well into adulthood.
However, as with any emerging area of healthcare innovation, new legal and regulatory considerations arise that must be thoughtfully addressed. Pediatric healthcare innovation companies—especially those in AR/VR/XR, Digital Therapeutics (“DTx”), Remote Monitoring, Virtual Care Management, Telehealth, and Telebehavioral health—need a deep understanding of the laws and regulations that govern this special market.
At Nixon Gwilt Law, we’ve helped numerous pioneers in pediatric digital health tackle these issues to successfully commercialize their products. Here are the critical legal issues pediatric digital health companies need to be thinking about today.
The 3 Key Legal Aspects of Developing Digital Health Tools for Children and Teens
1. Stricter privacy rules apply
Healthcare data privacy standards are already complex under the Health Insurance Portability and Accountability Act (“HIPAA”), but several additional regulations come into play when working with patients under 18.
The Children's Online Privacy Protection Act (“COPPA”) mandates that any digital health platform—including websites, applications, and online services—obtain verifiable parental consent if they’re collecting identifiable data from children under 13. This can include things like virtual reality software for pediatric mental health or software platforms that gamify physical therapy treatment programs. Pediatric digital health companies also need to consider the nature and purpose of any data collection.
COPPA applies to your company if:
Your website or online service is directed to children under 13 and you collect Personal Information from them; OR
Your website or online service is directed to children under 13 and you let others collect Personal Information from them; OR
Your website or online service is directed to a general audience, but you collect Personal Information from children under 13; OR
Your company runs an ad network or plug-in, for example, and you collect Personal Information from users of a website or service directed to children under 13.
The Family Educational Rights and Privacy Act (“FERPA”) is a U.S. federal law that protects the privacy of student education records. This law grants parents the right to access their children’s education records, the right to seek to amend those records, and the right to have some control over the disclosure of personally identifiable information from the records.
When a student turns 18 or attends a post-secondary institution, these rights transfer to the student. If your digital health company is interacting with schools or educational institutions, your company must comply with FERPA and honor parents’ and students’ rights.
Many states also have their own privacy laws that may exceed federal rules. Some restrict or prohibit certain disclosures of drug and alcohol treatment records for minors, for example. In Virginia, personal data collected from children is considered “sensitive data” under the Virginia Consumer Data Protection Act, requiring companies to comply with strict consent requirements prior to collecting and using such data.
Here’s a quick guide to help you identify when each of these 3 privacy rules applies (and when protections end):
Layering compliance across these rules requires extra diligence around onboarding and consent workflows, data handling policies and protocols, and access controls.
2. A long and expensive path to market
The Food & Drug Administration (“FDA”) clearance process for new medical devices for adults, including Software as a Medical Device (“SaMD”), already requires extensive time and resources to prove to the FDA that the device in question is safe and effective for patients. That burden increases when your digital therapeutic or other tool is intended for children.
For example, if you are conducting a clinical trial to study your device that requires pediatric participants, the participants’ parents, and sometimes the child, must provide informed consent. In many cases, one parent’s consent alone is not sufficient.
Additionally, the U.S. Department of Health & Human Services (“HHS”) requires Institutional Review Board (“IRB”) approval and oversight for more categories of research involving children than those involving adults. Be sure to check whether your trial will require IRB approval before getting started.
Beyond approval, be prepared for a higher bar in terms of safety data, clinical endpoints accepted, trial size and duration, and supplemental post-market surveillance requirements.
These requirements can present unique challenges for emerging technologies that are increasingly popular among children, like virtual reality (“VR”). While VR holds significant promise, the long-term effects on pediatric populations are not yet fully understood and it can be hard to quantify long-term benefits or risks to the FDA.
This may mean you will need to conduct extended post-market surveillance to monitor any delayed or cumulative effects, which can add to the cost and complexity of bringing a pediatric digital health solution to market. Companies in this space should prepare for ongoing data collection and plan for long-term studies to satisfy the FDA’s regulatory requirements.
3. Reimbursement varies widely by state and plan
Reimbursement is crucial for maximizing access to digital health tools, but the U.S. does not currently have centralized insurance coverage for pediatric healthcare. This often leads to challenges in navigating and understanding reimbursement.
For adult populations, Medicaid and commercial payors often rely on Medicare rules as a blueprint when constructing coverage. This provides a somewhat consistent and predictable reimbursement landscape for adult-centered services.
But there is no centralized Medicare-style model for pediatrics, so state Medicaid programs and commercial payors independently develop their own coverage structures. This results in a highly fragmented reimbursement landscape that varies by state, payor, and plan.
For example, according to the 2023 Texas Medicaid Telecommunications Services Handbook, Texas Medicaid covers “telemonitoring” (a.k.a. remote physiologic monitoring or “RPM”) for patients 20 years old and younger who (i) have end-stage solid organ disease; (ii) are an organ transplant recipient; or (iii) require mechanical ventilation. California Medicaid, however, only covers RPM for patients 21 and older, excluding children entirely. Similar differences among other states and plans may require you to be flexible in your revenue model and fee structure as you grow.
Turning Regulatory Challenges Into Opportunities in Pediatric Digital Health
While complex, none of these dynamics are insurmountable blockers to successfully bringing pediatric digital health solutions to the children and teenagers who need them. Long-standing regulations—despite their occasional rigidity—do provide a clear roadmap for pediatric digital health companies.
With thorough preparation and the right advisors, companies focused on improving pediatric care can find avenues to sustainable growth. Thinking about legal considerations from the start can safeguard your company from bigger problems down the road. Proper planning can be a competitive edge for your pediatric digital health organization.