The Federal Trade Commission (“FTC”) recently issued guidance clarifying protections applicable to consumers’ sensitive personal data increasingly collected by so-called “health apps.” The FTC press release indicated it has approved a policy statement by a vote of 3-2 offering guidance that organizations using “health applications and connected devices” to “collect or use” consumers’ personal health information must comply with the cybersecurity, privacy and notification mandates of the Health Breach Notification Rule (the “Rule”).

The FTC’s policy statement, entitled “On Breaches by Health Apps and Other Connected Devices,” attempts to clarify the Rule by stating that mobile health applications and interactive tools used by organizations that are not covered by the Health Insurance Portability and Accountability Act (“HIPAA”) are regulated by the Rule.[1] Significantly, the FTC’s guidance broadly deems developers of health care apps or connected devices to be “health care providers” subject to the Rule because they “furnish health care services or supplies.” It also clarifies that health apps that collect non-health data (such as calendar dates) are within the scope of the Rule. In the wake of the FTC’s statement, any organization that is not covered by HIPAA, but provides or uses mobile or web-based health apps to collect personal health information, should evaluate their coverage under the Rule.

The FTC’s recent expansive view of this Rule—which was initially passed pursuant to the 2009 American Recovery and Reinvestment Act—covers many popular mobile health and fitness related applications and wearables on the market. For example, the FTC explained that any application that “collects information directly from consumers” and has the “technical capacity to draw information through an API [application programming interface] that enables syncing with a consumer’s fitness tracker” is covered under its interpretation of the Rule. The FTC further stated that “an app that draws information from multiple sources is covered, even if the health app comes from only one source.” For example, an application that monitors blood sugar and also takes non-health information from a consumer’s phone’s calendar (i.e., dates) would also be covered. The FTC specifically called attention to “apps and other technologies [that] track diseases, diagnoses, treatment, medications, fitness, fertility, sleep, mental health, diet, and other vital areas.” The FTC press release noted that the increased use of COVID-19 related health applications impacted its policy statement. Entities subject to the Rule may be required to provide notice, including in certain circumstances to the media, in the event of a cybersecurity breach or even in the case of “sharing of covered information without an individual’s authorization.”

The Rule contains statutory definitions that should now be read in light of the policy guidance, applying its provisions to (i) vendors of personal health records (“PHR”); (ii) “PHR related entities”; and (iii) “third party service providers.” The Rule generally requires “vendors of personal health records”, and PHR-related entities to provide notice to affected individuals and the FTC within 60 calendar days after the discovery of a “breach of security.” A provider must notify the vendor or PHR related entity of a breach.

A violation is treated as an unfair and deceptive act or practice under the FTC Act which may carry steep civil penalties of up to $43,792 per violation per day. As of the date of the FTC’s policy statement, however, the FTC has not yet enforced the Rule, and, according to the remarks of FTC Commissioner Rohit Chopra, the FTC and the public have been notified only four times about a breach under the Rule since February 2010.

It is also important to note that there remains a dispute about the scope of the Rule even among the FTC’s commissioners, especially because it has not been interpreted in the context of an FTC enforcement action. For example, Commissioner Christine Wilson wrote, in her dissenting statement, that the Rule was narrowly crafted to apply in limited, highly specific circumstances, and that its scope may depend on whether the personal health records at issue interact with personal health records held by a different vendor. In response to the FTC’s use of the moniker “health care provider” when referring to mobile health applications, Ms. Wilson asked: “How broadly does the Commission intend to read this language?” Similarly, Commissioner Noah Joshua Phillips argued in his dissenting statement that the FTC’s majority goes beyond the text of the Rule in interpreting the definition of “breach of security” to include the unauthorized sharing.

The FTC’s policy statement also comes during the ongoing rulemaking process by the FTC concerning the Rule and the Department of Health and Human Services’ ongoing rulemaking concerning the application of the HIPAA Privacy Rule to mobile health applications. As such, vendors of PHRs should monitor these ongoing rulemaking efforts, which could impact the FTC’s current interpretation of the Rule. Nevertheless, companies subject to the Rule under the current interpretation, can still take proactive measures to avoid a violation by, among other things, assessing the categories of its stored data, undertaking a cybersecurity risk assessment and comprehensive review of privacy policies, and ensuring the existence of a robust security incident response protocol. Notably, the breach notification requirement under the Rule generally only applies to a breach of unsecured PHR identifiable health information. In addition, such entities may have notification obligations under applicable state laws. You can reach out to Epstein Becker Green for further guidance as we will be monitoring the FTC’s enforcement activity closely moving forward.

******************************************************************

[1] 16 C.F.R. §318.1 provides, the rule “applies to foreign and domestic vendors of personal health records, PHI related entities, and third party service providers, irrespective of any jurisdictional tests in the Federal Trade Commission Act (FTC) Act, that maintain information of U.S. citizens or residents. It does not apply to HIPAA-covered entities, or to any other entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity.” HIPAA covered entities and business associates must instead comply with HHS’s breach notification rule. See Dissenting Statement of Commissioner Christine S. Wilson.

Nija Chappel, a Law Clerk – Admission Pending (not admitted to the practice of law) in the firm’s Washington, D.C. office, contributed to the preparation of this post.

On September 30, 2021, the Provider Reimbursement Review Board (the “Board”) issued a revised set of rules that become effective November 1, 2021. These new and revised rules affect all new and some pending Medicare Part A provider appeals. These rules clarify several aspects of Board appeals and simplify some of the Board’s complex procedures.

The most significant change is the requirement that all submissions to the Board must be made electronically through the Office of Hearings Case and Document Management System (“OH-CDMS”) unless the provider or representative submits a request to the Board for an exemption and the Board grants that request. If an exemption is necessary, a provider or representative may communicate with the Board at a new email address (PRRB@cms.hhs.gov).   In order to file documents electronically, providers or their representatives should register with OH-CDMS in advance of any filing date.

In addition to the shift to electronic filing, the Board adopted several changes that are intended to simplify the appeals process and promote greater disclosure.  The most significant changes are summarized below.

  • If a provider designates a representative, it must do so in a letter on the provider’s letterhead. However, if the provider is under the ownership or control of a parent entity, then the representation letter must be on the parent organization’s letterhead and signed by an authorized official of the parent organization.
  • Similarly, a new rule requires that if a provider is owned or controlled by a parent organization, the appeal request must identify the name and address of the parent organization for the year under appeal. This is a departure from past practice, which identified only the legal entity that had been granted a Medicare provider number.
  • The Board clarified the requirements for appeals of self-disallowed and protested costs, and now requires that the provider specify the disputed item in its cost report in order to preserve the claim for review.
  • A new rule obligates the Medicare Administrative Contractor (“MAC”) to ensure that any evidence the MAC, CMS, or the Secretary considered in making its determination is included in the case record. This new rule may reduce the necessity for discovery requests and delays in resolving appeals.
  • For group appeals, the Board added a new requirement that a group representative must report to the Board that a group is either complete or provide reasons why the group should be held open.
  • A new rule that applies to appeals filed after August 29, 2018 would give providers the option of relying on their preliminary position paper and waive the filing of a final position paper. Providers would have to submit all of their arguments and exhibits with the preliminary position paper, and could elect to submit a rebuttal to the MAC’s position paper. This step would avoid duplicating arguments, and may reduce the number of appeals dismissed based on a failure to file a timely final position paper.
  • The new rules also revise the Board procedures when a party requests expedited judicial review (“EJR”) that involves a challenge to a statute, regulation, or CMS ruling. If a MAC opposes a provider’s request for EJR, then it must now file any jurisdictional challenge within five days of the date that the EJR request is filed.
  • The Board revised its rules governing substantive claim challenges to specify that when any party questions whether a cost report included an appropriate claim for reimbursement, that challenge must be filed no later than the filing deadline for the MAC’s preliminary position paper. If the matter involves a request for EJR, then any substantive claim challenge must be filed within five business days of the EJR request. This would allow for better coordination of proceedings before the Board before any decision to allow the provider to bypass the Board and seek judicial review.

The changes made by the Board in this version of its procedural rules continue the trend of requiring additional specificity and clarity when providers prepare their cost reports, and obligate the MACs to disclose more information earlier in the appeal process. With the adoption of these new rules, providers must plan and consider potential appeal issues during the cost report filing stage to ensure that their appeal rights are protected.

In this column, in the coming months we are going to dig into the data regarding FDA regulation of medical products, deeper than the averages that FDA publishes in connection with its user fee obligations.  For many averages, there’s a high degree of variability, and it’s important for industry to have a deeper understanding.  In each case, we will offer a few preliminary observations on the data, but we would encourage a conversation around what others see in the data.

Chart

This is an interactive chart that you can explore by clicking on the colors in the legend to see how specific therapeutic areas stack up against the average.

Methodology

We want to understand FDA’s performance generally with regard to review times associated with 510(k)s across all medical devices.  Using data available from openFDA, we selected the data for the last almost 12 years, from January 1, 2010 until September 1, 2021, based on the date FDA receives the premarket notification.  Data older than that are probably not terribly relevant.  We further filtered for traditional 510(k)s because special and abbreviated submissions have different review processes, and likewise we removed any that had received expedited review.  We then removed any product codes that had three or fewer submissions during that time.  We wanted to get rid of anything that was simply too anecdotal, too noisy.  That sorting left us with just over 25,000 submissions, and 852 pro codes used.

To calculate the review time, we used the difference between date received and date decided, although we realize that FDA has additional data that it uses to calculate its actual review time in a more nuanced way, differentiating between time at FDA and time where the clock is turned off because the manufacturer is supposed to be doing something.  We calculated averages for each individual pro code.  The x-axis in the graph is simply all of the product codes sorted by average review time from the quickest to the longest.

We wanted to add in an average, and the most natural probably would’ve been the average of the pro code averages included in the graphic.  But that ignores the fact that some pro codes have lots more products than others.  The average of the pro code averages was 176.5 days.  The average of all the 25,000 submissions was 163.5 days.  It’s apparently lower because some of the quicker pro codes apparently have more devices in them.  In the chart, we went with the simple average of submissions, as that is most akin to the data that FDA typically publishes.

Observations

We would note that we aren’t entirely sure the range of factors that drive review times.  Certainly it would seem that higher risk and complexity would be likely to lead to higher review times.  But in the years that we’ve been doing this work, those are not by themselves reliable predictors of how long a review will take.  Novelty is also important, although novelty is less of a factor in the 510(k) process because the process is based on a substantial equivalence claim.  But it’s also pretty obvious that a lot of administrative circumstances impact review times, such as high reviewer turnover in a branch.  At any rate, this data does not give us information on why certain product codes would have higher review times.  We will leave that to future inquiry.  Here we just want to tease apart the variance.

Big Picture

At each end of the graph, we see sharp nonlinear growth, presumably for what are in a sense outliers.  On the left-hand side, we have rapid acceleration from the quickest reviews of about 50 days up to about 100.  At the other side, we have a quick increase from 300 to the very top at over 500 days.  But in between those two extremes, from about a review time of 100 days to about 300, it’s a pretty steady linear climb.  That’s a bit surprising, and it reveals that really there is no such thing as an average.  There is no plateau among the review times around the mathematical average.  Indeed, we don’t see any plateaus at all.  Apparently, it really does matter what product we are talking about when trying to predict a review time.

Therapeutic Areas

Remember that in FDA’s organizational chart, reviews within the Office of Device Evaluation (“ODE”) are organized by therapeutic area.  That makes sense, as you want the same people generally with therapeutic expertise reviewing devices in that therapeutic area.  In this graph, product codes are assigned to an applicable therapeutic area.

Notice that really none of the product codes in a given therapeutic areas are extremely clustered, either low or high.  That suggests that no particular therapeutic review branch is substantially quicker than the rest.  But within that general observation, there are definitely some small clusters of review times for product codes within the different therapeutic areas.

It would actually be pretty remarkable if an organization the size of ODE could achieve uniformity of review times across all review branches.  But this is unexpectedly evenhanded.

In this episode of the Diagnosing Health Care Podcast:  On December 27, 2020, President Trump signed into law the No Surprises Act as part of the $2.3 billion Consolidated Appropriations Act. Recently, the Biden administration issued its first interim final rule in order to implement this act, which will go into effect on January 1, 2022. While the goal is to protect patients from surprise billing, the law will also impose significant compliance burdens on plans, providers, and facilities.

Epstein Becker Green attorneys Helaine FingoldBob Hearn, and Alexis Boaz discuss the key areas health care companies need to keep in mind as they prepare to comply with the No Surprises Act.

Visit Epstein Becker Green’s No Surprises Act page for ongoing coverage.

The Diagnosing Health Care podcast series examines the business opportunities and solutions that exist despite the high-stakes legal, policy, and regulatory issues that the health care industry faces. Subscribe on your favorite podcast platform.

Listen on Apple PodcastsGoogle Podcasts, Overcast, Spotify, Stitcher, Vimeo, YouTube.

Starting in 2022, Ohio will require owners of tax-exempt real property to notify the county auditor if the exempt property ceases to qualify for exemption.

This is a substantial departure from current law, which had left the role of monitoring changes in exempt properties’ uses to the county auditors or Ohio’s tax commissioner; under the new law, health care entities that own property in the state must determine whether or not their property continues to qualify for exemption.

Ohio’s recent Budget Bill – House Bill 110 – created the new reporting requirement, which will be codified at section 5713.083 of the Ohio Revised Code.  The change will require those who own real estate that is exempt from property tax to notify the county auditor by December 31 of the year in which the property ceases to qualify for exemption.

Property owners who do not comply with this new requirement will face a monetary penalty equivalent to up to five years of tax savings that they received while the property was treated as exempt, even though it had ceased to qualify for exemption. The five-year look-back will be limited to years in which the current owner held title to the property.

It is still unclear what test property owners are supposed to use to determine whether their properties have ceased to qualify for exemption.  In Ohio, property owners must apply to receive exemption for their property, and the Ohio Tax Commissioner is typically the official who grants exemption to real estate.  Ohio law does not require owners to disclose changes in use, or leases of property, so property owners may struggle to determine whether or not their exempt property’s qualification for exemption has ended. It is also unclear how the county auditors across Ohio are going to review the existing exempt properties in order to enforce the monetary penalties.  The Ohio Tax Commissioner will promulgate forms that property owners can use to attempt to comply with the law, but those forms are not yet available.

While that form remains in the works, prudent property owners may wish to review their inventory of exempt real estate, and to compare their current uses of those properties with the use of the property when they applied for and received exemption.

On September 15, 2021, CMS published a proposed rule that would repeal a final rule that created an expedited pathway for Medicare coverage of breakthrough devices and established formal criteria for applying the “reasonable and necessary” standard for coverage in Section 1862(a)(1)(A) of the Social Security Act, which has been the basic standard for coverage since the inception of the Medicare program.[1]  CMS has set a short period for comments, and interested parties must submit comments by October 15, 2021.

The new proposed rule reflects a significant policy change.  Where the initial rule focused on expanding access to new innovations, the current approach focuses more on Medicare program goals and outcomes data. Continue Reading CMS Proposes to Reverse Course and Repeal Its Final Rule Expediting Medicare Coverage of Breakthrough Devices and Defining the Medicare “Reasonable and Necessary” Coverage Standard

The New Jersey Department of Health (the “Department”) recently finalized regulations initially proposed in April 2020 that will now require all telehealth organizations providing telemedicine services to patients located in New Jersey to register their business with the Department before October 15, 2021, and annually thereafter.  In addition to annual registrations, telehealth companies will also be required to submit annual reports on activity and encounter data. Continue Reading Navigating New Jersey’s Telemedicine Business Registry

On Tuesday, August 24, 2021, California Attorney General Rob Bonta issued a guidance bulletin (the “Guidance”) to health care providers reminding them of their compliance obligations under California’s health data privacy laws, and urging providers to take proactive steps to protect against cybersecurity threats. This Guidance comes, in part, as a response to federal regulators sounding the alarm over an uptick in cybercrime against hospitals and other health providers. The Guidance follows an October 2020 Joint Cybersecurity Advisory issued by the Cybersecurity and Infrastructure Agency,[1] the Department of Justice, and the Federal Bureau of Investigation, which assessed that malicious actors are targeting the Healthcare and Public Health Sector through ransomware attacks, data theft, and other disruption tactics on the healthcare sector.

The Guidance also arrives in the wake of a recent spike in ransomware attacks directed at healthcare providers, many of which were not reported to the Office of the Attorney General. Ransomware is malicious software that encrypts data and servers to block access to a network until a “ransom” is paid. Oftentimes, it may not be immediately clear whether protected health information has been compromised following a ransomware attack, though providers should treat a successful attack as a presumed breach, thereby triggering the requirement to conduct an internal breach investigation under the federal Health Information Portability and Accountability Act (“HIPAA”). The Guidance notes that timely reporting is critical to help affected Californians “mitigate the potential losses that could result from the fraudulent use of their personal information[.]” Under California law, entities that are required to notify more than 500 Californians of a data breach must also report the breach to the Office of the Attorney General, who then notifies the general public.[2]

Citing HIPAA and the California Confidentiality of Medical Information Act (“CMIA”), the Guidance further reminds providers to implement reasonable administrative, technical, and physical security measures to prevent and mitigate against ransomware and other cybersecurity attacks. The California Consumer Privacy Act (“CCPA”) also establishes data protection requirements for data not otherwise subject to CMIA or HIPAA. CCPA guidance issued in 2016 recommended that California companies implement the twenty data security controls published by the Center for Internet Security to provide reasonable security. The recent Guidance outlines the minimum preventative measures that California health care providers, specifically, should implement in order to protect their data systems from cyberattacks:

  • keep all operating systems and software housing health data current with the latest security patches;
  • install and maintain virus protection software;
  • provide regular data security training for staff members that includes education on not clicking on suspicious web links and guarding against phishing emails;
  • restrict users from downloading, installing, and running unapproved software; and
  • maintain and regularly test a data backup and recovery plan for all critical information to limit the impact of data or system loss in the event of a data security incident.

The failure to implement the aforementioned measures could render California providers vulnerable to liability.

Attorneys in Epstein, Becker & Green’s Privacy, Cybersecurity, and Data Asset Management practice group have extensive experience in advising healthcare providers how to protect against an increase in cybersecurity threats, conducting internal investigations in response to a presumed breach, notifying state and federal regulators in the event of a breach, and responding to government inquiries. For any questions about these or other related issues, contact the authors or your regular EBG Attorney.

Download Epstein Becker Green’s Ransomware Checklist for tips to proactively mitigate ransomware risk and for reactive measures to respond to a ransomware attack.

***

[1] See also Cybersecurity & Infrastructure Agency, Protecting Sensitive and Personal Information from Ransomware-Caused Data Breaches (Aug. 2021), https://www.cisa.gov/sites/default/files/publications/CISA_Fact_Sheet-Protecting_Sensitive_and_Personal_Information_from_Ransomware-Caused_Data_Breaches-508C.pdf (encouraging organizations to adopt a “heightened state of awareness” and implement certain recommendations to reduce risk of ransomware attacks).

[2] See California Civil Code section 1798.82.

On August 30, 2021, the DOJ announced a $90 million dollar settlement with Sutter Health and affiliates[1] (“Sutter Health”) to settle False Claims Act (“FCA”) allegations brought by qui tam relator, Kathy Ormsby, related to the Center for Medicare & Medicaid Services’ (“CMS”) MA Program.[2] Sutter Health elected to settle with DOJ and the relator without an admission of liability. As part of the Settlement Agreement, the Office of Inspector General (“OIG”) required Sutter Health to enter into a Corporate Integrity Agreement. Continue Reading The Department of Justice (“DOJ”) Continues its Medicare Advantage (“MA”) Enforcement Efforts with a $90 Million Dollar Settlement Against Downstream Provider Sutter Health

On June 21, 2021, Florida Governor Ron DeSantis signed into law a bill requiring genetic counselors to be licensed by the Florida Department of Health (“FLDOH”).  The new law, known as the Genetic Counseling Workforce Act (“GCWA”), became effective on July 1, 2021.  FLDOH has announced a 90 day enforcement moratorium to allow counselors time to become appropriately licensed in the State.  Florida now joins a growing number of states that regulate the work of genetic counselors.

Continue Reading Florida Joins a Growing Number of States Requiring Licensure of Genetic Counselors