Earlier this week, the Mintz Levin privacy team updated the “Mintz Matrix,” a summary of the U.S. state data breach notification laws, with updates from New Mexico, Tennessee, and Virginia. As the privacy team reports, with New Mexico enacting a data breach notification law, Alabama and South Dakota remain the only states without data breach notification laws. Their full blog post on the updates is available here.

In addition to complying with HIPAA, health care organizations must remain aware of the separate state notification obligations and other privacy and security laws when responding to data breaches. These state laws are often broader than HIPAA and may apply to personally identifiable information that is not protected health information.

Our quick disclaimer: The Mintz Matrix is for informational purposes only and does not constitute legal advice or opinions regarding any specific facts relating to specific data breach incidents. You should seek the advice of experienced legal counsel (e.g., the Mintz Levin privacy team) when reviewing options and obligations in responding to a particular data security breach.

We recently updated our chart that tracks state biosimilar substitution laws to include new laws in Iowa and Montana. These new laws bring the total number of states with biosimilar substitution laws to 27, plus Puerto Rico. The latest version of our chart can be found here. As with the laws we’ve seen before, both the Iowa and Montana biosimilar amendments mirror each state’s existing generic drug substitution laws. More specifically, they amend state pharmacy laws to allow, and in some situations require, the substitution of interchangeable biosimilars. Continue Reading New State Substitution Laws, and a Busy Spring for Biosimilars

In July 2015, we posted about the N.Y. Attorney General’s False Claims Act (FCA) settlements with Trinity HomeCare and its related entities, and how the case provided insight into the future of FCA enforcement.  We identified five key trends based on the settlements:

  1. The FCA cases were based on qui tams and pursued by the State Attorney General after federal government declination.
  2. The FCA cases were based on a narrow, single state or regional arrangement, as opposed to allegations of a national scheme or program.
  3. One of the FCA cases was based on conduct about which Trinity had previously been warned.
  4. The FCA cases were based on government billings for specialty drugs.
  5. All parties to the arrangement were named as defendants in the qui tams.

Trinity was already under investigation by the N.Y. Attorney General’s office for its billing of hemophilia drugs (the basis of the first 2015 settlement) when a second qui tam alleged that Trinity submitted false claims in connection with a specialty drug used to treat premature infants at risk for lung disease.  That second qui tam led to the second settlement and now, almost 20 months later, has led to a new Complaint. Continue Reading Five Trends in False Claims Act Enforcement: Take Two

Earlier this week, the HHS Office for Civil Rights (“OCR”) announced a $400,000 settlement with Metro Community Provider Network (“MCPN”) related to a 2012 HIPAA breach caused by a phishing scam.  The phishing scam, carried out by accessing MCPN employees’ email accounts, gave a hacker access to the electronic protected health information (“ePHI”) of 3,200 individuals.  In investigating the breach, OCR determined that, prior to the breach, MCPN had not conducted a security risk analysis (a requirement under HIPAA).  Further, OCR found that even after MCPN conducted a risk analysis, its analysis was insufficient to meet the requirements of the HIPAA Security Rule.

In addition to the $400,000 fine, MCPN agreed to a corrective action plan with OCR.  That plan requires MCPN to conduct a comprehensive risk analysis and to submit a written report on the risk analysis to OCR.  Additionally, MCPN will be required to develop an organization-wide risk management plan, to review and revise its Security Rule policies and procedures, to review and revise its Security Rule training materials, and to report to OCR any instance of a workforce member failing to comply with its Security Rule policies and procedures. Continue Reading Gone Phishin’: Hack Leads to HIPAA Settlement

Mintz Levin and ML Strategies will be hosting the 2nd Annual Pharmacy Industry Summit on April 5th and 6th! The Summit will bring together stakeholders and thought leaders from across the industry to discuss legal and policy challenges facing manufacturers, PBMs, payors, pharmacies, and providers.

With a new administration and state legislatures taking aim at the pharmacy industry, manufacturers, PBMs, payors, and pharmacies face a number of unknowns and questions:

  • What is the fate of FDA User Fees?
  • Will Senator Wyden’s Creating Transparency to Have Drug Rebates Unlocked (C-THRU) Act gain traction?
  • What are state legislatures proposing to address drug pricing?
  • Will the Republicans take another shot at the Affordable Care Act?
  • What is President Trump’s “new system” for competition in the drug industry referenced in his March 7th tweet?
  • What’s new in value-based contracting and what does the future hold for innovative contracting arrangements?

With sessions focusing on the Affordable Care Act developments, drug pricing, state law developments, value-based contracting, and the FDA impact on the supply chain, among others, we plan to discuss these and many other issues impacting the pharmacy industry.

For additional information on the Summit, including an agenda and registration information, please visit our event website.

As described in last week’s post, Senator Wyden has introduced the C-THRU Act, which seeks to require public disclosure of PBM rebate amounts, establish a minimum rebate percentage that PBMs must pass on to Part D and Exchange Plan clients, and change the definition and/or application of “negotiated prices” under the Part D program. This post focuses on the portion of the C-THRU Act that relates to Part D negotiated prices.

According to the Summary of The Creating Transparency to Have Drug Rebates Unlocked (C-THRU) Act (“Summary”) released by the Senate Finance Committee prior to the release of the actual bill, Part D enrollee cost-sharing is based off the price at which the pharmacy acquires the drug.  The Summary provides the following example:  “a drug maker sets a drug[‘]s price at $100.  Under current law, Part D beneficiaries pay co-insurance based on the $100 price, not the lower price, say, $80, that a PBM negotiates with a drug maker.  Seniors in Medicare ought to benefit from these negotiations.”  This example is inaccurate, ignores the definition of and parties involved in negotiated prices as defined under the Part D regulations, and assumes that Medicare seniors currently do not benefit from manufacturer rebates.  In fact, CMS recently recognized that manufacturer rebates are helping keep Part D enrollee premiums down. Continue Reading C-THRU’s Proposed Changes to Negotiated Prices – A Demonstration of the Part D Program’s Complexities and Misunderstandings

Last week, the FBI issued guidance specifically applicable to medical and dental facilities regarding the cybersecurity risk of File Transfer Protocol (“FTP”) servers operating in “anonymous” mode. FTP servers are routinely used to transfer information between network hosts. As further described in the guidance, an FTP server can be configured to permit anonymous users (through the use of a common user name like “anonymous” and without the use of a password) to gain access to the information stored on the server, which might include sensitive information about patients. In addition to potentially directly compromising the security of the stored information, a hacker could use the FTP server in anonymous mode to launch a cyber attack on the entity. Continue Reading FBI Warns of Cybersecurity Risk from FTPs

Last week, Senate Finance Committee Ranking Member Ron Wyden (D-Ore.) introduced the “Creating Transparency to Have Drug Rebates Unlocked (C-THRU) Act of 2017.” As its name suggests, it seeks to require parties (e.g., PBMs) that contract with pharmaceutical manufacturers for drug rebates to be more transparent regarding the rebates they receive on behalf of their health plan clients, specifically Part D plans and qualified health benefit plans that participate on ACA Exchanges (“Exchange Plans”). The Act would: (1) require the Secretary of the Department of Health & Human Services (HHS) to make available on its website the PBM transparency data submitted by PBMs that contract with Part D Sponsors or Exchange Plans, (2) require the Secretary of HHS to adopt a minimum percentage of drug rebates that a PBM would need to pass through to its Part D or Exchange Plan clients, and (3) amend the definition of negotiated price under the Part D program to change what price concessions would have to be reflected at the point-of-sale. This post focuses on the first two changes. The third change will be addressed in a separate post. Continue Reading Wyden’s C-THRU Act – Publicizing PBM Rebate Data

As the healthcare industry moves towards value-based purchasing, pay-for-performance, and other payment reform models, industry leaders have identified federal fraud and abuse laws as a barrier to full implementation of such models.  Last month, the Health Care Leadership Council released a White Paper entitled “Health System Transformation: Revisiting the Federal Anti-Kickback Statute and Physician Self-Referral (“Stark”) Law to Foster Integrated Care Delivery and Payment Models” (“HCL White Paper”), identifying current fraud and abuse laws as impeding transformation of the healthcare system.  Pharmaceutical and device manufacturers have also taken advantage of the OIG’s Solicitation of New Safe Harbors and Special Fraud Alerts (“OIG Solicitation”) to advocate for more flexible fraud and abuse laws with respect to value-based arrangements. Continue Reading Pharmaceutical Manufacturers and Healthcare Leaders cite Fraud and Abuse Laws as Obstacle to Value-Based Arrangements

Here we are in March 2017, and no one is sure where things stand with the 340B Drug Discount Program. HRSA and its oversight of the 340B program are subject to the recent Executive Orders restricting issuance of federal regulations, and the promised repeal of the Affordable Care Act (ACA) has the potential to impact 340B operations. In fact, the only thing that appears certain for the 340B program is that nothing is certain. So let’s review several recent 340B developments, and potential developments to come.

Omnibus Guidance

In June 2016, I predicted in this blog that the final version of the long-promised HRSA 340B Omnibus Guidance, which would have provided clarity on 340B program standards, would never actually be issued or implemented. And in fact, at the end of January 2017, HRSA withdrew the final 340B Omnibus Guidance while it was still pending at OMB. Even if it had issued, the Guidance would have been subject to the terms of the regulatory freeze President Trump imposed by Executive Order immediately after his inauguration on January 20, 2017. Continue Reading The Uncertain Future of the 340B Drug Discount Program