Facing pressure from stakeholders and technological realities, the U.S. Food and Drug Administration has again delayed its enforcement of parts of the Drug Supply Chain Security Act (DSCSA). As we discussed in a prior post, the DSCSA requires enhanced security and accountability for prescription drugs throughout the U.S. pharmaceutical supply chain, with phased-in obligations for the various trading partners over 10 years, beginning with the law’s passage in November 2013. Covered trading partners include manufacturers, repackagers, wholesale distributors, and dispensers, whose upcoming compliance obligations under the DSCSA are all addressed by FDA in the recently issued Compliance Policy guidance documentContinue Reading FDA Delays Enforcement of Prescription Drug Product Identifier and Related Requirements

On a sweltering hot D.C. morning, those of us anxiously awaiting the Supreme Court’s opinion in its first case involving biosimilar biological products finally exhaled. The June 12, 2017 opinion followed the parties’ oral arguments on the last day of the Court’s October 2016 Term, as we previously reported. With respect to both of the significant issues presented, the Justices unanimously reversed the Federal Circuit Court of Appeals split opinion and remanded for further consideration of questions related to State law.

Although our intellectual property colleagues have separately analyzed the “Patent Dance” implications of the Court’s decision in Amgen v. Sandoz (see here), the second issue presented in the case related to the proper interpretation of the 180-day notice provision of the Biologics Price Competition and Innovation Act (“BPCIA”). The Federal Circuit had held that such notice by the biosimilar applicant can only be provided to the reference product sponsor after FDA licenses (i.e., approves) the biosimilar application.  Continue Reading SCOTUS Ruling Gives a Boost to Biosimilars; FDA Continues to Advance Products Through AdComs

The latest installment in the ongoing saga over EpiPen Medicaid Drug Rebates came on May 31, 2017, when Senator Charles Grassley issued a press release stating that between 2006-2016 taxpayers may have overpaid for EpiPen by as much as $1.27 billion, “far more” than the announced-but-never-confirmed or finalized $465 million DOJ settlement with Mylan.

To understand what the latest news means in the ongoing saga over EpiPen Medicaid Drug Rebates, it is important to understand how we got here.   And why at the end of the day, the information Senator Grassley included in the May 31, 2016 release may be less important than the information he hinted at but omitted from the release. Continue Reading The Latest in the Epipen Medicaid Drug Rebate Saga – Where Are We Now?

A bipartisan congressional effort is underway to convince CMS to reverse its biosimilar reimbursement policy implemented under the Obama administration. We discussed the current reimbursement policy in a March 2016 blog post when CMS initially released the guidance.  CMS implemented the controversial guidance as a final rule in October 2016.

The current policy requires all biosimilars that are related to a reference product to be given a shared Healthcare Common Procedure Coding System (HCPCS) code. For Medicare Part B, reimbursement is then calculated based on the average sales price (ASP) of all of the biosimilars with that HCPCS code plus 6% of their reference product’s ASP. Continue Reading CMS Urged To Reverse Obama-Era Biosimilar Reimbursement Policy

Yesterday, CMS released the Proposed Part D DIR (Direct and Indirect Remuneration) Reporting Requirements for 2016 and postponed the 2016 DIR Reporting deadline.

Each year, CMS releases Proposed Part D DIR Reporting Requirements for interested parties to review and comment on. The DIR Reporting Requirements tend to change slightly from year-to-year as the Part D program has developed and CMS gains further understanding of rebates and price concessions that a Part D plan sponsor may receive or pay.  Additionally, some changes in DIR Reporting Requirements are the result of changes to Part D regulations.  After reviewing the comments, CMS publishes the Final Part D DIR Reporting Requirements, typically in late May, and then plan sponsors submit their DIR Report by June 30th.

These Proposed DIR Reporting Requirements are the first that reflect the change in the definition of “negotiated prices” as set forth at 42 C.F.R. § 423.100. Although the discussion regarding changing the definition of negotiated prices started multiple years ago and was finalized in 2014, the change was not effective until January 1, 2016.  CMS’s proposed changes related to the updated definition of negotiated prices are captured in Summary DIR Report columns DIR #8 and DIR #9.

The deadline for submitting comments is June 2, 2017.

Typically, Part D plan sponsors must submit their DIR reports to CMS by June 30th of the year following the close of the plan year (June 30, 2017 for 2016 DIR).  CMS is postponing the deadline for 2016 DIR submission so that it has time to review the comments it receives and so that Part D plan sponsors have adequate time to analyze and categorize their data in the manner required by the upcoming Final Part D DIR Reporting Requirements.  CMS will announce the 2016 DIR submission deadline in the Final Part D DIR Reporting Requirements for 2016 and it appears that plan sponsors will have approximately 30 days to analyze and categorize their data.

By now, you may have heard about the global ransomware attacks affecting health care and other organizations throughout the world, in particular the United Kingdom, but also in the United States. The ransomware variant, called “Wanna Decryption” or “WannaCry” works like any other ransomware: once it is inadvertently installed, it locks up the organization’s data until ransom is paid.  Here are some quick facts about the WannaCry attack and suggestions for avoiding it. Continue Reading Ransomware Attack – Quick Facts

It was a busy April for the Office for Civil Rights (“OCR”) (see our prior post on a settlement from earlier in April).  On April 20, OCR announced a Resolution Agreement with Center for Children’s Digestive Health, S.C. (“CCDH”) related to CCDH’s failure to enter into a business associate agreement with a paper medical records storage vendor.  The cost of that missing agreement?  $31,000.  Then, on April 24, OCR announced a settlement with CardioNet, a remote monitoring company for cardiac arrhythmias, related to CardioNet’s failure to implement compliant HIPAA policies and procedures and failure to conduct a sufficient risk assessment.  The price of those failures?  $2.5 million! Continue Reading Two HIPAA Mistakes Lead to Fines from OCR

Patient assistance programs have been a staple within the health care industry for over a decade.  These programs, operated by 503(c)(3) charities, may receive funding from pharmaceutical manufacturers or other providers to offer assistance to low-income patients in affording their medications, copayments, deductibles, premiums, or other related services.   The Office of the Inspector General (OIG) and the Centers of Medicare & Medicare Services (CMS) have acknowledged the role of provider- and manufacturer-supported charitable premium assistance and have established parameters for these charities to operate in compliance with the Anti-Kickback Statute.

Over the last two years, however, government scrutiny and enforcement related to charitable patient assistance programs has increased.   During this time, nearly a dozen pharmaceutical manufacturers and providers have publicly disclosed receipt of government subpoenas investigating their contributions to patient assistance charities.

These new investigations raise a number of questions when it comes to structuring relationships with patient assistance programs.  On May 16th, we will be holding a webinar to review these current investigations and outline what providers, payors, pharmacy benefit managers (PBMs), and pharmacies working with manufacturers and patient assistance programs need to know in light of these investigations.

We hope you join us!  For more information and to register for this webinar, please click here.

shutterstock_428983732Last week, the California Assembly Committee on Business and Professions voted in favor of Assembly Bill 315.  AB 315 seeks to amend the California Business and Professions Code: (a) to require PBMs to obtain licensure from the Board of Pharmacy, (b) to state that PBMs have fiduciary duties to their “purchaser” clients (i.e., health plans), and (c) to require PBMs to disclose to their purchaser clients data regarding drug costs, rebates, and fees earned. The favorable vote moves the bill to the Committee on Appropriations.

California is not the only state that is considering adopting a PBM “transparency” law.  New York’s Governor Cuomo released a proposal that seeks to require PBMs to both register with the State and obtain a license (from the Department of Financial Services) as well as disclose financial incentives or benefits for promoting the use of certain drugs and financial arrangements that affect customers.  The Governor would also like to impose price controls on pharmaceutical manufacturers.  New York has a long history of regulating PBMs through a handful  of systems because the services that PBMs offer often result in a PBM needing to hold a specific non-PBM license and to adopt a specific corporate structure.  In addition, Senator Wyden (D-Ore.) introduced the C-THRU Act to the Senate Finance Committee in March.  The C-THRU Act seeks to make PBM rebate data publicly available, require the Secretary of HHS to adopt a minimum percentage of drug rebates that a PBM would need to pass through to certain of its health plan clients, and amend the definition of “negotiated prices” under the Medicare Part D Program.  Continue Reading California Advances PBM Licensing and “Transparency” Law

Earlier this week, the Mintz Levin privacy team  updated the “Mintz Matrix,” a summary of the U.S. state data breach notification laws, with updates from New Mexico, Tennessee, and Virginia.  As the privacy team reports, with New Mexico enacting a data breach notification law, only Alabama and South Dakota remain the only states without data breach notification laws.  Their full blog post on the updates is available here.

In addition to complying with HIPAA, health care organizations must remain aware of the separate state notification obligations and other privacy and security laws when responding to data breaches.  These states laws are often broader than HIPAA and apply may apply to personally identifiable information that is not protected health information.

Our quick disclaimer: The Mintz Matrix is for informational purposes only and does not constitute legal advice or opinions regarding any specific facts relating to specific data breach incidents. You should seek the advice of experienced legal counsel (e.g., the Mintz Levin privacy team) when reviewing options and obligations in responding to a particular data security breach.