As 2017 began, FDA appeared poised to implement significant changes to the rules governing off-label communications related to drugs, biologics, and medical devices. The Agency had hosted a public hearing in November 2016 to receive input from interested industry stakeholders and members of the public about possible alternatives for off-label regulation, seemingly a first step in exploring more liberal (or possibly stricter) enforcement standards. However, in January, FDA released a new final rule amending the definitions of “intended use” applicable to drugs and devices in 21 C.F.R. §§ 201.128, 801.4, which would affect how off-label uses are considered with respect to intended use of regulated products, and issued a memo discussing its current position on off-label uses and communications. In short, all of FDA’s actions since the November public hearing have shown that it intends to continue strict enforcement of off-label promotion despite changes in the highest levels of government and strongly negative industry response. Continue Reading The Past, Present, and Future of Government Regulation of Off-Label Communications – Part 1
Earlier this week, the HHS Office for Civil Rights (“OCR”) announced a $400,000 settlement with Metro Community Provider Network (“MCPN”) related to a 2012 HIPAA breach caused by a phishing scam. The phishing scam, carried out by accessing MCPN employees’ email accounts, gave a hacker access to the electronic protected health information (“ePHI”) of 3,200 individuals. In investigating the breach, OCR determined that, prior to the breach, MCPN had not conducted a security risk analysis (a requirement under HIPAA). Further, OCR found that even after MCPN conducted a risk analysis, its analysis was insufficient to meet the requirements of the HIPAA Security Rule.
In addition to the $400,000 fine, MCPN agreed to a corrective action plan with OCR. That plan requires MCPN to conduct a comprehensive risk analysis and to submit a written report on the risk analysis to OCR. Additionally, MCPN will be required to develop an organization-wide risk management plan, to review and revise its Security Rule policies and procedures, to review and revise its Security Rule training materials, and to report to OCR any instance of a workforce member failing to comply with its Security Rule policies and procedures. Continue Reading Gone Phishin’: Hack Leads to HIPAA Settlement
While we continue to monitor Congressional efforts to repeal and replace the ACA, we are also monitoring CMS’s efforts to implement the administration’s Medicaid program goals without Congressional action. The future of the Medicaid program depends not only on the final outcome of a repeal and replace bill, but also on Secretary Price’s and CMS Administrator Verma’s strategy and vision for the program. In two recent Letters to Governors from Secretary Price and Administrator Verma, we see how some legislative provisions from the AHCA that are still the subject of debate could be implemented despite the lack of legislative action. Continue Reading Medicaid Reform Beyond the AHCA
On March 30, 2017, in a closely watched case, a federal district court denied the Motion for Judgment on the Pleadings filed by Carolinas Healthcare against a Complaint filed by the DOJ Antitrust Division and the State of North Carolina. The Complaint alleged that Carolinas Healthcare insisted on contract provisions with payors that limited or prohibited steering to lower-cost providers. In its motion, Carolinas Healthcare relied heavily on the Second Circuit decision in United States v. American Express Co., 838 F.3d 179 (2d Cir. 2016), where the Second Circuit had reversed a trial verdict condemning steering restrictions in Amex’s contracts with merchants. This alert reviews the court’s ruling and considers its implications for future health care antitrust cases.
Last week the Health Care Compliance Association hosted its annual “Compliance Institute.” Iliana Peters, HHS Office for Civil Rights’ Senior Advisor for HIPAA Compliance and Enforcement, provided a thorough update of HIPAA enforcement trends as well as a road map to OCR’s current and future endeavors.
Continuing Enforcement Issues
Ms. Peters identified ten key enforcement issues that OCR continues to encounter through its enforcement of HIPAA. These issues include:
- Impermissible Disclosures. HIPAA’s Privacy Rule prohibits covered entities and business associates from disclosing PHI except as permitted or required under HIPAA. Impermissible disclosures identified by Ms. Peters all center on the need for authorization, and include:
  - Covered entities permitting news media to film individuals in their facilities prior to obtaining a patient’s authorization.
  - Covered entities publishing PHI on their website or on social media without an individual’s authorization.
  - Covered entities confirming that an individual is a patient and providing other PHI to reporters without an individual’s authorization.
  - Covered entities faxing PHI to an individual’s employer without the individual’s authorization.
- Lack of Business Associate Agreements. OCR continues to see covered entities failing to enter into business associate agreements.
- Incomplete or Inaccurate Risk Analysis. Under HIPAA’s Security Rule, covered entities are required to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI (ePHI). According to Ms. Peters, organizations frequently underestimate the proliferation of ePHI throughout their environment, including into systems related to billing, faxing, backups, and medical devices, among others.
- Failure to manage identified risks. HIPAA requires regulated entities to put in place security measures to reduce risks and vulnerabilities. According to the presentation, several OCR breach investigations found that the causes of reported breaches were risks that had previously been identified in a risk analysis but were never mitigated. In some instances, encryption was included as part of the remediation plan, but was never implemented.
- Lack of transmission security. While not required in all cases, HIPAA does require that ePHI be encrypted whenever it is deemed appropriate. The presentation identified a number of applications in which encryption should be considered when transmitting ePHI, including email, texting, application sessions, file transmissions (e.g., FTP), remote backups, and remote access and support services (e.g., VPNs).
- Lack of Appropriate Auditing. HIPAA requires the implementation of mechanisms (whether hardware, software or procedural) that record and examine activity in systems containing ePHI. HIPAA-regulated entities are required to review audit records to determine whether additional investigation is warranted. The presentation highlighted certain activities that could warrant such additional investigation, including: access to PHI during non-business hours or during an employee’s time off, access to an abnormally high number of records containing PHI, access to the PHI of persons for whom media interest exists, and access to the PHI of employees.
- Patching of Software. The use of unpatched or unsupported software on systems that contain ePHI could introduce additional risk into an environment. Ms. Peters also pointed to other software that should be monitored and kept current, including router and firewall firmware, anti-virus and anti-malware software, and multimedia and runtime environments (e.g., Adobe Flash, Java, etc.).
- Insider Threats. The presentation identified insider threats as a continuing enforcement issue. Under HIPAA, organizations must implement policies and procedures to ensure that all members of their workforce have appropriate access to ePHI and to prevent those workforce members who do not have access from obtaining such access. Termination procedures should be put in place to ensure that access to PHI is revoked when a workforce member leaves.
- Disposal of PHI. HIPAA requires organizations to implement policies and procedures that ensure proper disposal of PHI. These procedures must guarantee that the media has been cleared, purged or destroyed consistent with NIST Special Publication 800-88: Guidelines for Media Sanitization.
- Insufficient Backup and Contingency Planning. Organizations are required to ensure that adequate contingency planning (including data backup and disaster recovery plans) is in place and would be effective when implemented in the event of an actual disaster or emergency situation. Organizations are required to periodically test their plans and revise as necessary.
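One way to implement the audit-record review triggers named under the auditing item above (after-hours or time-off access, an unusually high volume of records, and access to the records of media-interest persons or of employees), as an added Python example that is not part of the presentation or this post. The comma-separated log format, the business-hours window, the 50-record threshold and the three rosters are assumptions, and the log rows are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not from the presentation): one row per view of a
# patient record, in the assumed shape "user,patient,ISO-8601 timestamp".
SAMPLE_AUDIT_LOG = (
    ["nurse01,P1001,2017-03-27T10:15:00",
     "nurse01,P1002,2017-03-27T02:40:00",    # 02:40 is outside business hours
     "nurse01,P2001,2017-03-27T14:05:00",    # P2001 is on the employee roster
     "billing03,P1003,2017-03-28T09:30:00",  # billing03 is on leave that week
     "md42,P9000,2017-03-27T16:00:00"]       # P9000 is on the media-interest list
    # clerk07 pulls 60 different records in one day: a volume anomaly
    + [f"clerk07,P{3000 + i},2017-03-27T13:{i:02d}:00" for i in range(60)]
)

def review_audit_log(lines, *, business_hours=(7, 19), max_daily_records=50,
                     media_interest=frozenset(), employee_patients=frozenset(),
                     on_leave=frozenset()):
    """Return (rule, user, detail) findings for the review triggers listed in
    the presentation. Thresholds and rosters are assumptions of this example."""
    findings = []
    per_user_day = defaultdict(set)   # (user, day) -> distinct patients viewed
    for line in lines:
        user, patient, ts = line.split(",")
        when = datetime.fromisoformat(ts)
        per_user_day[(user, when.date().isoformat())].add(patient)
        # Access outside the business-hours window or on a weekend.
        if not (business_hours[0] <= when.hour < business_hours[1]) or when.weekday() >= 5:
            findings.append(("after_hours", user, f"{patient} at {ts}"))
        # Access by a workforce member who is recorded as being on leave.
        if user in on_leave:
            findings.append(("access_during_leave", user, f"{patient} at {ts}"))
        # Access to records of persons on the media-interest or employee rosters.
        if patient in media_interest:
            findings.append(("media_interest_patient", user, patient))
        if patient in employee_patients:
            findings.append(("employee_record", user, patient))
    # Abnormally high number of distinct records viewed by one user in one day.
    for (user, day), patients in per_user_day.items():
        if len(patients) > max_daily_records:
            findings.append(("high_volume", user, f"{len(patients)} records on {day}"))
    return findings

def sample_findings():
    """Run the review over the constructed log with the assumed rosters."""
    return review_audit_log(SAMPLE_AUDIT_LOG, media_interest={"P9000"},
                            employee_patients={"P2001"}, on_leave={"billing03"})
```

Each finding is a lead for the follow-up investigation the Security Rule expects, not a determination that the access was improper.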
Upcoming Guidance and FAQs
OCR also identified upcoming guidance and FAQs that it will use to address the following areas:
- Privacy and security issues related to the Precision Medicine Initiative’s All of Us research program
- Text messaging
- Social media
- Use of Certified EHR Technology (CEHRT) & compliance with the HIPAA Security Rule (to be released with the Office of the National Coordinator for Health Information Technology (ONC))
- The Resolution Agreement and Civil Monetary Penalty process
- Updates of existing FAQs to account for the Omnibus Rule and other recent developments
- The “minimum necessary” requirement
Long-term Regulatory Agenda
The presentation also identifies two long-term regulatory goals to implement certain provisions of the HITECH Act. One regulation will relate to providing individuals harmed by HIPAA violations with a percentage of any civil monetary penalties or settlements collected by OCR, while the second will implement a HITECH Act provision related to the accounting of disclosures of PHI.
Audit Program Status
The presentation discussed the current status of OCR’s audit program. As we have previously discussed, OCR is in the process of conducting desk audits of covered entities and business associates. These audits consist of a review of required HIPAA documentation that is submitted to OCR. According to Ms. Peters, OCR has conducted desk audits of 166 covered entities and 43 business associates. Ms. Peters also used the presentation to confirm that on-site audits of both covered entities and business associates will be conducted in 2017 after the desk audits are completed. We will continue to follow and report on developments in the audit program.
The list of continuing enforcement issues provides covered entities and business associates with a helpful reminder of the compliance areas most likely to get them into compliance trouble. Some of the enforcement issues may require HIPAA-regulated entities to revisit decisions that they previously made as part of a risk analysis. Transmission security (#5, above) is an example of such an area that may warrant reexamination. In the past, encrypting data was often too expensive or too impractical for many organizations. However, the costs of encryption have decreased while it has become easier to implement. A covered entity or business associate that suffers a breach due to transmitting unencrypted PHI over the internet will likely garner little sympathy from OCR going forward. The presentation is also notable for the long list of guidance and FAQs that OCR will be publishing, as well as its plan to issue regulations to address changes ushered in by the HITECH Act that were not captured by the 2013 Omnibus Rule. These regulations, particularly the regulations related to accounting for disclosures of PHI, could have a far-reaching impact on how covered entities and business associates comply with HIPAA in the future.
ML Strategies has published the first installment of a new weekly preview, designed to give you a quick overview of health happenings in the coming week. The preview highlights upcoming activity in the House and Senate and other hot topics on the Hill.
Spoiler alert: the confirmation processes for Dr. Scott Gottlieb (FDA) and Judge Neil Gorsuch (Supreme Court) will get a lot of attention this week.
See HERE for this week’s preview and be sure to stay tuned in the coming weeks.
Mintz Levin and ML Strategies will be hosting the 2nd Annual Pharmacy Industry Summit on April 5th and 6th! The Summit will bring together stakeholders and thought leaders from across the industry to discuss legal and policy challenges facing manufacturers, PBMs, payors, pharmacies, and providers.
With a new administration and state legislatures taking aim at the pharmacy industry, manufacturers, PBMs, payors, and pharmacies face a number of unknowns and questions:
- What is the fate of FDA User Fees?
- Will Senator Wyden’s Creating Transparency to Have Drug Rebates Unlocked (C-THRU) Act gain traction?
- What are state legislatures proposing to address drug pricing?
- Will the Republicans take another shot at the Affordable Care Act?
- What is President Trump’s “new system” for competition in the drug industry referenced in his March 7th tweet?
- What’s new in value-based contracting and what does the future hold for innovative contracting arrangements?
With sessions focusing on the Affordable Care Act developments, drug pricing, state law developments, value-based contracting, and the FDA impact on the supply chain, among others, we plan to discuss these and many other issues impacting the pharmacy industry.
For additional information on the Summit, including an agenda and registration information, please visit our event website.
In 2016 and now in early 2017, state legislatures and regulatory boards continue to enact laws and rules setting telemedicine practice standards. Such standards generally include clarifying the definition of telemedicine as well as providing standards related to prescribing in an online setting, patient informed consent, treatment of medical records generated during a telemedicine encounter, and confidentiality. A recent survey conducted by the Federation of State Medical Boards (FSMB) found that telemedicine standards are the number one priority for state medical boards going into 2017. Continue Reading States Continue Trend to Reduce Telemedicine Barriers
As described in last week’s post, Senator Wyden has introduced the C-THRU Act that seeks to require public disclosure of PBM rebate amounts, establish a minimum rebate percentage that PBMs must pass on to Part D and Exchange Plan clients, and intends to change the definition and/or application of “negotiated prices” under the Part D program. This post focuses on the portion of the C-THRU Act that relates to Part D negotiated prices.
According to the Summary of The Creating Transparency to Have Drug Rebates Unlocked (C-THRU) Act (“Summary”) released by the Senate Finance Committee prior to the release of the actual bill, Part D enrollee cost-sharing is based on the price at which the pharmacy acquires the drug. The Summary provides the following example: “a drug maker sets a drug[‘]s price at $100. Under current law, Part D beneficiaries pay co-insurance based on the $100 price, not the lower price, say, $80, that a PBM negotiates with a drug maker. Seniors in Medicare ought to benefit from these negotiations.” This example is inaccurate, ignores the definition of and parties involved in negotiated prices as defined under the Part D regulations, and assumes that Medicare seniors currently do not benefit from manufacturer rebates. In fact, CMS recently recognized that manufacturer rebates are helping keep Part D enrollee premiums down. Continue Reading C-THRU’s Proposed Changes to Negotiated Prices – A Demonstration of the Part D Program’s Complexities and Misunderstandings
The Stark Law has caused angst for many a physician and many a health care lawyer over the years. The Stark Law has also troubled hospital and health system CEOs looking for ways to align incentives with physicians. Some stakeholders say Congress should do away with the myriad statutes and regulations that comprise the strict liability federal law banning physician self-referral. Those stakeholders suggest either repealing it altogether and letting other fraud and abuse laws do the work, or – as its namesake, former Representative Pete Stark, has suggested – replacing it with a much simpler prohibition on soliciting referrals for kickbacks or other special treatment.
My colleague, Tom Crane, suggests another approach – revamp the Stark Law’s advisory opinion process so the Centers for Medicare and Medicaid Services (“CMS”) can protect arrangements from sanctions, similar to the Office of the Attorney General’s (“OIG’s”) Anti-Kickback Statute (“AKS”) advisory opinion process. Continue Reading Changes Needed to Stark Law Advisory Opinion Process