Photo of Jordan Cohen

In its most recent Cybersecurity Newsletter, OCR focuses on the intersection of HIPAA and information security.  To be sure, HIPAA requires covered entities and business associates to address their organizations’ information security. This obligation stems from HIPAA’s requirement that covered entities and business associates assess the potential risks and vulnerabilities to the confidentiality, integrity and availability of their electronic protected health information. This is referred to as a “risk assessment” or “risk analysis” and is a core element of HIPAA’s Security Rule. But it is not enough to simply assess or analyze the risk; HIPAA requires that the risks be mitigated. This is particularly important when it comes to information security risk. As OCR states in its newsletter: Continue Reading HIPAA, Security Vulnerabilities and Patching

Earlier this week, I moderated a panel discussion at an event hosted by the New York chapter of the Health Information and Management Systems Society (HIMSS). The panel was comprised of private sector health information technology and security experts and was tasked with discussing challenges related to the interoperability and security of health information systems. I started off by asking the panelists how these challenges have evolved over the years, anticipating that the conversation would soon turn to the challenges faced by newer technologies such as cloud computing and artificial intelligence. But it was the panelists’ opinion that many in the health care space continue to struggle with the basics, including basic HIPAA compliance. Continue Reading HIPAA Tips from the Trenches

In less than 10 days, the European Union will begin enforcing its General Data Protection Regulation (GDPR) which will apply to any company that collects, processes, or uses EU-origin personal data, regardless of where the company is located. Though many of our readers are focused on HIPAA, some engage engage in activities that may trigger the GDPR, or they may have future aspirations to expand their business into the EU. Fortunately for our readers, our colleague Cynthia Larose has been relentlessly covering the GDPR at Privacy & Security Matters, and recently published a refresher list of webinars on GDPR issues related to contracts, human resources data, data transfer and more.

Last month, the Department of Health and Human Services’ Office of Inspector General (OIG) released its latest report on compliance with the Drug Supply Chain Security Act (DSCSA). As we discussed in a prior post, the DSCSA requires enhanced security and accountability for prescription drugs throughout the U.S. pharmaceutical supply chain, with phased-in obligations for the various trading partners over 10 years, beginning with the law’s passage in November 2013. Covered trading partners include manufacturers, repackagers, wholesale distributors, and dispensers.

The OIG’s most recent study focuses on dispensers of various sizes and types, including independent retail pharmacies, chain retail pharmacies, and small and large hospital pharmacies. Of the 40 dispensers interviewed, the agency found that all them had received at least some drug product tracing information from their trading partners, and 26 of these dispensers received all required elements of this information. The remaining 14 dispensers were missing a few of the required elements. Two of the dispensers were unaware of the DSCSA. The following table summarizes the missing information:

The OIG also found that dispensers received drug product tracing information in a variety of transmission modes and formats. The agency believes this is a result of dispensers and their trading partners using different systems rather than adopting a standardized way to exchange this information. Neither the DSCSA nor FDA guidance requires a uniform transmission mode or format for the exchange of drug product tracing information.

To facilitate dispensers’ compliance with the DSCSA, the OIG recommends that FDA offer educational outreach to dispensers where appropriate. Specifically, the agency recommends that FDA provide education to ensure that dispensers understand their responsibilities to receive complete drug product tracing information from trading partners before taking ownership of drug products.

For its part, FDA concurred with the OIG’s recommendation and intends to review its dispenser communications plan and identify and create opportunities to work with dispenser-centric trade and professional organizations to provide additional education and outreach. FDA also noted in its response that, as the last trading partner in the supply chain before a drug product is dispensed to a patient, dispensers play a vital role in ensuring patient safety, making it essential that they understand their product tracing responsibilities under DSCSA.

We will continue to monitor and report on the industry’s implementation of the DSCSA, including the OIG’s planned study of the extent to which drug product tracing information can be used to trace drugs through the entire supply chain.

Last week, the Centers for Medicare & Medicaid Services (CMS) announced that new Medicare cards would be issued starting next month. As we previously reported, the government has been planning to revamp the card to reduce fraud. Medicare cards have historically included a SSN-based Health Insurance Claim Number (HICN) that was an easy target for identity thieves and fraudsters. A new randomly-generated Medicare Beneficiary Identifier (MBI) will replace the HICN on the new cards.

The move to issue new cards was set in motion by the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA), which requires SSNs to be removed from Medicare identification cards within four years after MACRA’s enactment.

CMS will have a transition period during which either the HICN or the MBI can be used to exchange data with CMS. The transition period is set to begin no earlier than April 1, 2018, and run through December 31, 2019.

For those looking for additional information, CMS has created presentations explaining the card’s impact on different health care industry stakeholders.

The pharmaceutical industry is facing new limits on payments to prescribers in New Jersey. Earlier this month the state’s Division of Consumer Affairs finalized sweeping new rules prohibiting some types of payments and capping others. New Jersey now joins the ranks of other states, like California and Massachusetts, with specific payment prohibitions between manufacturers and prescribers. The new rules place the burden of compliance on prescribers licensed in New Jersey, but manufacturers should be fluent in these requirements.  We expect engagement and collaboration with New Jersey prescribers to be impacted, as these rules are clearly designed to be a disincentive to financial arrangements between manufacturers and prescribers.  How deeply this impacts ongoing and new collaborations with prescribers is yet to be seen, as manufacturers do rely on prescribers for contributions to product design, product feasibility in clinical workflow, and patient expectations. Below is a summary of the key aspects of the new rules, along with tables to assist in identifying how certain payments are affected.  Continue Reading A Guide to New Jersey’s New Limits on Pharmaceutical Industry Payments to Prescribers

Throughout 2017, the lower courts built upon the standard for determining materiality under the False Claims Act (FCA) established by the U.S. Supreme Court in Universal Health Servs., Inc. v. United States ex rel. Escobar, 136 S. Ct. 1989 (2016) (“Escobar”). In Escobar, decided in June 2016, the Court endorsed the “implied false certification” theory of liability under the FCA, premised on a “rigorous” and “demanding” element of “materiality.”  As expected, this decision triggered a spate of litigation over what “materiality” means, and how to apply this requirement.

By way of background, the Court held that the “implied false certification” theory has two elements:

  • “the claim does not merely request payment, but also makes specific representations about the goods or services provided,” and
  • the defendant’s “failure to disclose noncompliance with material statutory, regulatory, or contractual requirements makes those representations misleading half-truths.”

The Court described the materiality standard as centered on “the likely or actual behavior” of the agency that made the payment decision, not whether the agency had the legal authority to deny payment, as argued by the Department of Justice (DOJ) prior to the Court’s decision. To be material, the Court reasoned, the misrepresentation must go to the essence of the bargain, and noncompliance cannot be “minor or insubstantial.”  The Court noted that materiality can be determined based on a number of factors – none of which are dispositive – and held that a court’s decision, though fact-specific, still could lead to dismissal on a motion to dismiss or at summary judgment. Those looking for additional background on the Escobar decision should see our Health Care Enforcement Defense AdvisoryContinue Reading Health Care Enforcement Year in Review and 2018 Outlook: The False Claims Act’s Materiality Standard as Established by Escobar Continues to Evolve

Consumers are increasingly turning to health apps for a variety of medical and wellness-related purposes. This has in turn caused greater amounts of data—including highly sensitive information—to flow through these apps. These data troves can trigger significant compliance responsibilities for the app developer, along with significant legal and contractual risk. This latest installment in our health app series will introduce some of these considerations, including approaches that developers can take to minimize their risk. Continue Reading Building a Health App? Part 6: HIPAA and Other Privacy and Security Considerations

Our colleagues at ML Strategies have provided their Health Care Weekly Preview for the week of October 16, 2017. The preview discusses the Administration’s decision to stop paying the cost-sharing reductions (CSRs) that plans have been receiving to cover lower-income individuals under the Affordable Care Act. It also discusses the suit that California and 18 other states and the District of Columbia have filed in response to the Administration’s decision on CSR payments.

Our colleagues at ML Strategies have provided their Health Care Weekly Preview for the week of October 9, 2017.  This week’s preview discusses many topics, including the Trump administration’s roll back of the ACA’s mandate that employers cover birth control coverage. It also discusses Congess’ work on health extenders, CHIP, and the community health centers program, among other things. The preview also touches on MedPAC’s recommendation that CMS replace the Merit-based Incentive Payment System (MIPS) which the group believes is too much of a burden on physicians.