Following a two-day meeting by a Food and Drug Administration (“FDA”) advisory committee on breast implant safety earlier this year, FDA on May 2, 2019, released a statement announcing that no breast implant models will be banned from the U.S. market at this time. Also described in the statement are a number of measures the agency is undertaking in order to assist women in making more informed decisions regarding breast implants.

The March 26, 2019, meeting of the General and Plastic Surgery Devices Panel was convened to discuss issues and concerns related to the benefit-risk profile of breast implants, including a potential link between textured breast implants and breast-implant associated anaplastic large cell lymphoma (“BIA-ALCL”). The panel heard testimony from nearly 40 member surgeons of the American Society of Plastic Surgeons as well as from a number of women who stated that they suffered adverse health consequences after receiving breast implants. The panel recommended that health care providers implement stronger informed consent practices for breast implant surgeries, including disclosure of information regarding the signs and symptoms of breast implant illness (“BII”) and BIA-ALCL as well as the increased risk of BIA-ALCL with textured implants.

According to the May 2 statement, which was jointly issued by FDA Principal Deputy Commissioner Amy Abernethy and Center for Devices and Radiological Health Director Jeff Shuren, FDA concluded after reviewing available data and information that textured breast implants do not meet the legal standard for imposing a ban under the Food, Drug, and Cosmetic Act. The statement points out that while “the majority of women who develop BIA-ALCL have had textured implants, there are known cases in women with smooth-surface breast implants and many reports do not include the surface texture of the implant at the time of diagnosis.”

The statement also announced a change of policy with respect to adverse event reporting. Manufacturers of breast implants will no longer be permitted to submit summary reports of adverse events and instead will be required to file individual medical device reports (“MDRs”) that will be publicly available in the Manufacturer and User Facility Device Experience (“MAUDE”) database. FDA will also make the previously submitted summary reports public in the coming weeks. Additionally, FDA will work with primary stakeholders on developing the content and format of possible boxed warnings or patient checklists for breast implants in order to communicate significant health concerns and risks associated with breast implants.

According to the statement, FDA also is undertaking new efforts to improve the characterization of, and risk factors for, BII and to increase information available to women to enable more informed decision-making about “whether to obtain breast implants or to remove existing breast implants in an effort to reverse systemic symptoms.” The agency also plans to examine whether device materials may cause immune or inflammatory reactions among certain predisposed individuals, and may require disclosure of breast implant ingredient information to be included in product labeling.

Shortly before the March 26 meeting, FDA sent warning letters to two manufacturers of breast implants for failing to adequately comply with post-market commitments to study the long-term safety of their products. These actions, coupled with FDA’s recent statement, signal that breast implant safety is a high-priority issue for the agency. Manufacturers, providers, payors, and other stakeholders should carefully evaluate the potential impact of FDA’s announced initiatives on their activities.

On April 30, 2019, Assistant Attorney General Brian Benczkowski announced that the Department of Justice (“DOJ”) had published an updated version of the Criminal Division’s 2017 guidance publication “Evaluation of Corporate Compliance Programs.”  In making the announcement, Assistant Attorney General Benczkowski said the update was designed to “better harmonize the prior Fraud Section publication with other Department guidance and legal standards.”  He noted that DOJ also sought “to provide additional transparency in how [it] will analyze a company’s compliance program.”

The updated guidance document focuses on answering three principal questions:

  1. Is the corporation’s compliance program well designed?
  2. Is the program being applied earnestly and in good faith?  In other words, is the program being implemented effectively?
  3. Does the corporation’s compliance program work in practice?

The new guidance addresses the topic areas from the original publication – some of which have been re-phrased – by grouping them under one of these three questions.  It also raises additional questions prosecutors should ask when evaluating compliance programs and adds one new topic, “Investigation of Misconduct.”

  1. Is the corporation’s compliance program well-designed?

Under the updated DOJ guidance, “the starting point for the prosecutor’s evaluation of whether a company has a well-designed compliance program is to understand the company’s business from a commercial perspective, how the company has identified, assessed, and defined its risk profile, and the degree to which the program devotes appropriate scrutiny and resources to the spectrum of risks.”  Notably, specificity is key: the DOJ asks whether the program is “designed to detect the particular types of misconduct most likely to occur in a particular corporation’s line of business and complex regulatory environment.”

Additionally, DOJ will focus on an entity’s programs, policies and procedures to assess such things as comprehensiveness, how the policies and procedures are communicated to employees and third parties, who has ownership responsibility for integrating the policies and procedures and whether there are gatekeepers (i.e., is guidance and training provided by individuals with approval authority or certification responsibilities).

DOJ will also look at the organization’s training and communications efforts and will evaluate how the organization integrates its policies and procedures into its operations.  This includes determining whether there is risk-based training, assessing the form, content and effectiveness of the training, the availability of guidance to employees and communications about potential misconduct. In other words, what senior management has “done to let employees know the company’s position concerning misconduct and whether there are communications when an employee is terminated or otherwise disciplined for failure to comply.”

Another key element DOJ looks for is a confidential reporting mechanism that employees can use to report concerns. When evaluating the effectiveness of the reporting program, prosecutors take into account whether employees are able to make reports anonymously and whether qualified employees are involved in the investigation of the reported concerns through properly scoped investigations that ensure that the correct issue is examined.  Beyond just evaluating the results of a compliance function, this requires an assessment of how investigations are responded to, whether the corporation allocates appropriate resources to the investigation, and how the company monitors status.

Finally, DOJ wants to know how an entity is managing third party partners, including “agents, consultants, and distributors who are commonly used to conceal misconduct.”  This means an assessment of the third-party management process, whether appropriate controls were in place regarding use of third parties and how the third-party relationship was managed.

Of particular note, the update reminds corporations that DOJ has a continuing interest in mergers and acquisitions, and it expects that a well-designed program conducts “comprehensive due diligence of any acquisition targets.”  Believing that this pre-M&A due diligence puts the company in a better position to evaluate potential issues, DOJ will want to see how the compliance function has been integrated into the M&A process, and whether there is a crosswalk in place to connect it to due diligence implementation.  Put plainly, how does the company track and remediate any misconduct identified as part of the due diligence?

  2. Is the Corporation’s Compliance Program Being Implemented Effectively?

DOJ evaluates whether the corporate compliance program is effectively implemented and engrained in the company’s culture so that it affects employee behavior. A corporation must actively foster a culture of ethics and compliance that originates from the top—that is, Boards of Directors, executives, and senior management. Not only must employees be informed about compliance processes, but they should also be convinced the company is committed to compliance based on the words and actions of the corporate leadership.

Prosecutors next look at the structure of the compliance program, specifically, whether the personnel tasked with implementing the program have sufficient seniority, resources, and autonomy from management to be effective. As with many other factors detailed in the update, each corporation’s implementation is dependent upon the size, structure, and risk profile of the particular entity. Regardless of program structure, the guidance stresses empowerment of the compliance personnel: a corporation must ensure that the compliance program has “adequate resources, appropriate authority” and direct access to the governing authority or a subgroup thereof.

Finally, prosecutors evaluate the program’s incentive structure to determine whether it adequately motivates compliance. Again, the methodology chosen should be specific to each company’s culture: whether it comes in the form of publicizing disciplinary actions as a deterrent or providing financial and career advancement as positive incentives is dependent upon the outcomes observed by a company.

  3. Does the Corporation’s Compliance Program Work in Practice?

DOJ acknowledges that the third question—whether a company’s well-designed and implemented corporate compliance program is effective in practice—may be difficult to assess, particularly when misconduct that becomes the focus of an investigation is not immediately detected by the compliance program. The guidance instructs prosecutors that the mere presence of misconduct does not indicate that the compliance program is ineffective. Indeed, if the misconduct was identified through the compliance program’s mechanisms, this factor may weigh in favor of a defendant’s compliance efforts.

Prosecutors may need to address this third question both at the time of the misconduct and at the time of a charging decision or resolution.  Different concerns are evaluated at each stage. At the time of misconduct, prosecutors should evaluate “whether and how the misconduct was detected, what investigation resources were in place to investigate suspected misconduct, and the nature and thoroughness of the company’s remedial efforts.”

Corporate compliance obligations do not end once the misconduct has been identified; effective corporate compliance programs “improve and evolve” over time in response to business changes and new areas of risk. Prosecutors may re-assess the compliance program at the time of charging or resolution, addressing “whether the program evolved over time to address existing and changing compliance risks” and “whether the company undertook an adequate and honest root cause analysis to understand both what contributed to the misconduct and the degree of remediation needed to prevent similar events in the future.”

Second, DOJ asks whether there are effective (and funded) mechanisms for timely and thoroughly investigating allegations or suspicions of misconduct. Ensuring that investigations into misconduct are independent, objective, and documented is essential to an effective compliance program.

Finally, DOJ assesses the corporation’s root-cause analysis and remediation of any misconduct identified. The guidance underscores the importance of the corporation engaging in its own remedial actions, including appropriate disciplinary actions, even after DOJ is involved.

Conclusion

The DOJ has provided a detailed update to its guidance and framed the key questions that it will ask during an investigation when evaluating compliance program effectiveness. This update provides insight into the steps that any health care entity can proactively take to ensure it receives the benefit of a robust and effective compliance program should misconduct occur. DOJ has signaled that being proactive, rather than reactive, is what is expected. In particular, DOJ will look at what a company did in the face of an allegation of misconduct as part of its evaluation of the compliance function when determining an appropriate remedy – or in deciding to forgo one. It is also clear that DOJ does not view compliance as a “one-size-fits-all” enterprise, and will be looking at how a company adapts its program to its own specific risk profile. It also expects the compliance function to operate independently and that the organization fosters a “culture of compliance.” Companies should review their corporate compliance programs to ensure that they are current, disseminated on a regular basis to all employees, and a central, visible focus throughout the organization.

On May 7, 2019, the Department of Justice (“DOJ”) released new guidance for trial attorneys in the DOJ’s civil division regarding how entities under False Claims Act investigation can receive credit for cooperation.  The release of this new guidance follows public comments delivered in March by Michael Granston, director of DOJ’s civil fraud section, noting that DOJ was considering issuing additional guidance on cooperation credit related to False Claims Act matters.

The policy explains that cooperation credit in False Claims Act cases may be earned by “voluntarily disclosing misconduct unknown to the government, cooperating in an ongoing investigation, or undertaking remedial measures in response to a violation.” In its press release, DOJ noted that cooperation credit will involve a reduction in the damages multiplier and civil penalties and DOJ may publicly acknowledge the company’s cooperation.

The authors are in the process of preparing a Client Alert addressing potential implications of this new guidance on health care entities. The Client Alert will be ready in the coming days and will be posted on the EBG website, linked to this blog post, and distributed through EBG’s email lists.

DOJ Press Release

Link to the New Guidance

On Friday April 26, 2019, the US Department of Health and Human Services (“HHS”) issued a notification regarding HHS’ use of Civil Monetary Penalties (“CMP”) under the Health Insurance Portability and Accountability Act (“HIPAA”) as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act.  https://www.federalregister.gov/documents/2019/04/30/2019-08530/enforcement-discretion-regarding-hipaa-civil-money-penalties.  The notice provides: “As a matter of enforcement discretion, and pending further rulemaking, HHS will apply a different cumulative annual CMP limit for each of the four penalty tiers in the HITECH Act.”

The HITECH Act implemented a tiered penalty scheme for violations of HIPAA.  That tiered approach was dependent on the level of culpability associated with the violation.  At the lowest level of culpability – when the “person did not know (and by exercising reasonable diligence would not have known)” of the violation – the penalty was established at $100 for each violation “except that the total amount imposed on the person for all such violations may not exceed $25,000.”  Each level of culpability had successively higher penalties attached.  At the top tier – when the violation was due to willful neglect – the penalty is $50,000 for each violation “except that the total amount imposed on the person for all such violations may not exceed $1.5 million.”  P.L. 111-5, Section 13410(d); codified at 42 U.S.C. §1320d–5.  However, the statute contained some unclear language, as noted in the preamble to the regulations implementing it.

In adopting the HITECH Act’s penalty scheme, the Department recognized that section 13410(d) contained apparently inconsistent language (i.e., its reference to two penalty tiers ‘‘for each violation,’’ each of which provided a penalty amount ‘‘for all such violations’’ of an identical requirement or prohibition in a calendar year). To resolve this inconsistency, with the exception of violations due to willful neglect that are not timely corrected, the [Interim Final Rule] adopted a range of penalty amounts between the minimum given in one tier and the maximum given in the second tier for each violation and adopted the amount of $1.5 million as the limit for all violations of an identical provision of the HIPAA rules in a calendar year. For violations due to willful neglect that are not timely corrected, the IFR adopted the penalty amount of $50,000 as the minimum for each violation and $1.5 million for all such violations of an identical requirement or prohibition in a calendar year.

78 Fed. Reg. 5566, 5582 (Jan. 25, 2013) (emphasis added).

At the time, HHS chose to interpret Congress’ meaning to allow it to impose the highest fine ($50,000) and the highest aggregate amount ($1.5 million) for every tier category – regardless of the tier and degree of culpability of the covered entity.  Under that scheme, the penalty assessment was as follows:

| Culpability | Minimum penalty per violation | Maximum penalty per violation | Annual limit |
| --- | --- | --- | --- |
| No knowledge | $100 | $50,000 | $1.5 million |
| Reasonable cause | $1,000 | $50,000 | $1.5 million |
| Willful neglect (corrected) | $10,000 | $50,000 | $1.5 million |
| Willful neglect (not corrected) | $50,000 | $50,000 | $1.5 million |

The interpretation above arguably turned the four-tier approach set forth in the statute into a two-tier approach.  However, as of April 26, 2019, “[u]pon further review of the statute by the HHS Office of the General Counsel,” HHS has determined that “all HIPAA enforcement actions will be governed” by a revised set of penalty tiers that mirrors the statute’s four tiers.  The new penalty tiers will be as follows.

| Culpability | Minimum penalty per violation | Maximum penalty per violation | Annual limit |
| --- | --- | --- | --- |
| No knowledge | $100 | $50,000 | $25,000 |
| Reasonable cause | $1,000 | $50,000 | $100,000 |
| Willful neglect (corrected) | $10,000 | $50,000 | $250,000 |
| Willful neglect (not corrected) | $50,000 | $50,000 | $1.5 million |

HHS also noted that it would engage in future rulemaking “to revise the penalty tiers in the current regulation to better reflect the text of the HITECH Act.”  With these changes, organizations with robust privacy and security compliance programs (with strong reporting mechanisms) may see an advantage of being in the lower penalty tiers in the event a violation occurs.

Florida has been at the forefront of some very interesting healthcare M&A activity in the past year, including an influx of private equity and consistent growth in Hospital and Health Plan vertical integration.  Unless subject to antitrust filing requirements, these high profile transactions are typically carried out under veils of confidentiality and announced upon completion.  However, Florida M&A is not insulated from recent Florida House health reform initiatives.  If the Florida House gets its way, the pace of healthcare transactions in Florida may hit a speed bump in the form of a notice, delay and potential for a pre-close assessment by the Florida Attorney General.

The Florida House activity in the health care space cannot be overstated.  In a striking video, the Florida House promises the 2019 legislative session will bring “more affordab[ility], more choices, more practitioners, more access, more quality, and more value” to the State’s health care market. In the video, the Florida House promises to end “government protection for hospital monopolies” and increase “enforcement against providers who violate antitrust laws.”

On April 11, 2019 the Florida House demonstrated its bipartisan commitment to increase visibility of provider consolidation activities in the State by unanimously voting to pass Florida House Bill 1243 (“HB 1243” or “Bill”) sponsored by Rep. Colleen Burton (R). The Bill’s unanimous passage, only a month after introduction, sends a strong signal that the Florida House is committed to more transparency for certain Florida healthcare transactions and providing a “waiting period” to ensure antitrust law is followed and enforced.  The Bill was forwarded to the Senate, and we will be closely monitoring how the Senate responds to this initiative.

If enacted into law, HB 1243 would require each party of any transaction involving a group practice, hospital, or hospital system that results in a material change to another group practice of four or more physicians, hospital, or hospital system to provide written notice to the Florida Office of Attorney General (“AG”) at least 90 days before the effective date of such a transaction. A party’s failure to provide proper written notice would subject such entity to sizable potential civil penalties of up to $500,000.00.  Additionally, in counties where there is only one entity contracting with or employing any category of medical specialists, such entity’s restrictive covenants would be void and unenforceable until there is new market entry by a competitor entity for at least three years.

HB 1243 is designed to provide the Florida AG with an opportunity to scrutinize hospital and group practice health care transactions of all sizes, including transactions that might not otherwise have required a federal pre-merger notification, filing, and review under the Federal Hart-Scott-Rodino Act (“HSR”).  Because the proposed waiting period of ninety days is longer than that required under HSR, it may delay transactions already covered under HSR.

If HB1243 is enacted, health care buyers and sellers will need to be aware of the impact on their plans to buy, sell, and operationalize health care transactions in Florida.  This would add an additional layer of regulatory submissions to the AHCA approvals already on the radar of private equity investors. While the Bill may not pass before the Senate’s legislative session adjourns on May 3rd, we are closely monitoring the political climate around health care.

Businesses should carefully evaluate their acquisition pipeline and growth strategies in light of the bipartisan support for HB1243.  This issue has momentum and, if not passed in this session, is likely to resurrect in future sessions. We recommend that physicians closely evaluate the timing of any exit strategy, taking into account the risk of an M&A slowdown caused by new regulatory requirements. Businesses should carefully consider whether to expedite acquisitions and other material business transformations before the Bill’s likely chilling effect on investor interest due to the pre-transaction waiting period and increased regulatory scrutiny.

The Epstein Becker Green St. Petersburg, Florida office is closely monitoring this legislation as well as other Florida health reform efforts.  If you have questions about HB 1243 or the antitrust implications of your hospital or physician transaction, please contact Kathleen Premo and Elizabeth Scarola to discuss pro-active strategies for such a transaction in our current Florida political environment.

The Centers for Medicare & Medicaid Services (“CMS”) has published a final rule that will expand access to telehealth services for Medicare Advantage (“MA”) plan enrollees.[1] CMS Administrator Seema Verma characterized the agency’s latest policymaking efforts as “a historic step in bringing innovative technology to Medicare beneficiaries” and a way for the agency to provide “greater flexibility to Medicare Advantage plans, [so] beneficiaries can receive more benefits, at lower costs and better quality.”[2]

Traditionally, MA plans have been limited to providing, as part of their Medicare benefit packages, solely those telehealth services covered under original Medicare, as defined at Section 1834(m) of the Social Security Act (“Act”). MA plans seeking to offer a broader scope of telehealth services only could do so as MA supplemental benefits, which were funded through use of rebate dollars or supplemental premiums paid by enrollees. Section 1834(m) of the Act limits payments for Medicare telehealth services to specified services provided using a real-time, interactive audio and video telecommunications system between the Medicare beneficiary and practitioner. Also, this section of the Act limits the locations where beneficiaries may receive Medicare-covered telehealth services (e.g., rural and authorized health care facilities).

Under the Bipartisan Budget Act of 2018 (P.L. 115-123) (“BBA”), which was signed into law by President Trump in February 2018, Congress amended the Act to enable MA plans to offer telehealth services beyond the Part B-covered telehealth services traditionally covered as part of the MA basic benefit package. Section 50323 of the BBA created a new Section 1852(m) of the Act which allows MA plans to provide “additional telehealth benefits” starting in 2020 and to treat them as basic benefits (also known as “original Medicare benefits” or “benefits under the original Medicare FFS program option”). The term “additional telehealth benefits” is defined in the final rule as “services—(1) for which benefits are available under Part B, including services for which payments not made under section 1834(m) of the Act due to the conditions for payment under such section; and (2) that are identified for the applicable year as clinically appropriate to furnish using electronic information and telecommunications technology when a physician or practitioner providing the service is not at the same location as plan enrollee.”[3] This change will benefit both plans and enrollees by enabling plans to fund much of the cost of such benefits through the government-paid capitation without relying on rebate dollars or additional premium charges.

MA plans choosing to offer additional telehealth benefits may maintain different cost sharing for specified Part B services furnished through an in-person visit and those Part B services furnished via electronic exchange.[4] CMS has required that for every MA additional telehealth benefit, the MA plan also must provide access to the same service via an in-person visit, thereby giving the MA plan enrollee the ultimate choice in how to access such services. CMS has chosen not to define which services will be considered “clinically appropriate” to offer in this manner, instead extending to the provision of such additional telehealth benefits the existing requirement at Section 422.504(a)(3)(iii) that the MA organization agree to provide all benefits covered by Medicare “in a manner consistent with professionally recognized standards of health care.” CMS will defer to MA plans to independently determine, for each plan year, which services are clinically appropriate to furnish using electronic information and telecommunications technology.  MA plans that choose to cover additional telehealth benefits must do so through contracted providers; such benefits as provided by non-contracted providers would need to be covered as MA supplemental benefits.

The final rule also will allow MA plans to continue to separately offer as “MA supplemental benefits” those telehealth services that do not meet the requirements for coverage under original Medicare or to be considered MA additional telehealth benefits. For example, an MA plan may offer, as an MA supplemental benefit, a videoconference dental visit to assess dental needs because services primarily provided for the care, treatment, removal, or replacement of teeth or structures directly supporting teeth are not currently covered Part B benefits and thus would not be allowable as MA additional telehealth benefits.

Importantly, the final rule will allow MA enrollees to receive certain health care services via telehealth (e.g., ESRD-related, stroke-related) from places other than an authorized health care facility, such as beneficiaries’ homes.

While the final rule ensures that MA plans will have greater flexibility in providing a broader range of telehealth-delivered services and services in more locations, a plan’s choice to offer such benefits remains optional. The final rule may create widely varying offerings between otherwise comparable MA plans, as well as hesitation among MA plans to offer these additional telehealth benefits, for example, due to the requirement that only certain provider types may provide these services. For plan year 2017, CMS reported that 219 MA plans (or 8 percent of plans) covered remote patient monitoring services and that 2,115 MA plans (or 77 percent of plans) covered “remote access technologies” (a term broadly describing services such as e-mail, two-way video, and nurse call-in telephone lines).[5] How many MA plans will take advantage of this new flexibility, how far they will go, and how these utilization numbers may change, remains to be seen. CMS’s hope is that the change in how MA additional telehealth benefits are financed will encourage MA plans to offer them which, in turn, will improve access for more MA enrollees in need of such benefits.


[1] See 84 Fed. Reg. 15680 (Apr. 16, 2019).

[2] Centers for Medicare & Medicaid Services, Press Release, CMS Finalizes Policies to Bring Innovative Telehealth Benefit to Medicare Advantage (Apr. 5, 2019).

[3] 84 Fed. Reg. 15680, 15684 (Apr. 16, 2019).

[4] However, MA plans may not use differential cost sharing to limit enrollee choice by steering or inhibiting enrollee access to services.

[5] The Medicare Payment Advisory Commission, Report to the Congress: Medicare Payment Policy, ch. 16 (Mar. 2018), at 483, available at http://www.medpac.gov/. In this March 2018 report, MedPAC stated that the Commission “supports expanding telehealth coverage in MA beyond the current level” and made recommendations related to a proposed two-phase plan for expansion. Id. at 499.

The importance of the Domain Name System (DNS) to your organization’s cybersecurity cannot be overstated. Communications between computers on the Internet depend on DNS to get to their intended destination. Network communications begin with a query to DNS to resolve the human-readable domain name to the numeric Internet Protocol (IP) address that computers require to route the transmission. A malicious party who is able to exploit a weakness in DNS can re-route sensitive traffic, including Protected Health Information (PHI), Personally Identifiable Information (PII) and other valuable information, from the intended recipient to the malicious actor. Indeed, as recent attacks on DNS indicate, even encrypting the communication may not be an effective countermeasure because the transmission can be decrypted after interception. Malicious employees and other insiders may also abuse DNS as a side channel to covertly exfiltrate the organization’s most sensitive proprietary information, thereby avoiding Data Loss Prevention (DLP) countermeasures that may operate at different layers of the communication process. The recent attacks reported by the Department of Homeland Security reinforce the need to protect DNS functionality as a fundamental component of your organization’s overall cybersecurity and compliance strategy.

Although there is no specific mention of DNS in HIPAA, the Gramm-Leach-Bliley Act, the GDPR or State cybersecurity laws or regulations, including those of California, Massachusetts or New York, an organization cannot comply with those regulatory frameworks requiring reasonable network security safeguards without considering threats to DNS. The statutory requirements do not generally mandate the particular mix of cybersecurity controls required to protect DNS. Rather, the frameworks require organizations to implement formalized processes to anticipate and assess risks from cyber threats and then adopt reasonable safeguards.[i] Organizations may reference NIST publications and other technical guidance for a catalog of controls to choose from based on the risk assessment.[ii] Consistent with the regulatory imperatives requiring vigilance and appropriate countermeasures to safeguard data when threats evolve, organizations should revisit their defenses given the recent threats to DNS.

Attackers seek to disrupt the normal operation of the DNS servers and applications responsible for resolving domain names, which is how network communications between computers are properly routed. Given a domain name, DNS looks up the IP address of the computer that should receive the communication and returns that address to the computer requesting the connection, which then sends its traffic there. For example, when a user types “www.anycompany.com” into a web browser or sends an email (e.g., to “tsmith@anycompany.com”), DNS resolves the domain name (“www.anycompany.com”) to a numerical IP address, such as 172.30.xxx.xxx. DNS advises the requesting computer of the IP address corresponding to the domain name, and the requesting computer directs its traffic accordingly.

DNS is under constant attack because of its open and distributed nature. Organizations under persistent threat, particularly healthcare, financial services and technology companies, should be concerned. DHS recently issued its first emergency alert to all its agencies about attacks to hijack DNS resolutions and misdirect the government’s traffic.[iii] Typically, the attacks involved compromise of credentials initially through a phishing attack. DHS reported: “Using compromised credentials, an attacker can modify the location to which an organization’s domain name resources resolve. This enables the attacker to redirect user traffic to attacker-controlled infrastructure and obtain valid encryption certificates for an organization’s domain names, enabling man-in-the-middle attacks.” Further, “because the attacker can set DNS record values, they can also obtain valid encryption certificates for an organization’s domain names. This allows the redirected traffic to be decrypted, exposing any user-submitted data. Since the certificate is valid for the domain, end users receive no error warnings.” DHS emphasizes the criticality of the threat: “This is roughly equivalent to someone lying to the post office about your address, checking your mail, and then hand delivering it to your mailbox.” As DHS also noted, security researchers have identified a wave of other DNS hijacking that affected dozens of government, telecommunications and internet infrastructure entities.[iv]

The risks from DNS exploitation are not exclusively from external hackers. Using DNS to exfiltrate information is also a well-recognized technique for malicious insiders, because DNS must permit queries to resolve in order to perform its function, so outbound DNS traffic is rarely blocked. Malicious employees and other insiders will try to exploit this functionality for unlawful purposes, including theft of trade secrets and protected data, and to conceal their activities. Hijacking and tunneling attacks to compromise DNS are not new, but the recent attacks highlight how damaging they can be.[v] Moreover, recent case law holds that employers may lose statutory protection of their trade secrets if they do not make reasonable efforts to maintain their secrecy and protect them from insider threats.[vi]

Because cybersecurity should be a team effort, here are some steps that IT, HR and Legal should consider to protect DNS in their particular organization from hijacking and tunneling attacks:

- Ensure that DNS servers are up to date on all patches and running the latest version of the name server software.
- Implement complex passwords and multifactor authentication for DNS administrator credentials to prevent unauthorized changes.
- Implement a formalized system to monitor or proxy DNS traffic to ensure DNS is being used as intended.
- Implement a formalized system to audit DNS logs to verify that queries are resolving to the intended location.
- Monitor the encryption certificates issued for your organization’s domains.
- Consider implementing DNSSEC (which builds trust in the DNS query and resolution process) if technically feasible.[vii]
- Train your employees in phishing, social engineering and protecting their credentials.
- Ask basic questions, e.g.: What processes are in place to prevent or discover an employee exploiting DNS to exfiltrate sensitive information? What processes are in place to protect administrator credentials?
- Implement written policies and procedures around protecting DNS, including configuration management, patching, passwords, monitoring and audit.

Ultimately, the right mix of DNS safeguards depends on the risks to your particular organization as determined by a risk assessment.
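As an added illustration of the log-audit and monitoring steps above (example code written for this post, not code from the original article or from DHS or NIST guidance), the following Python script does two things over resolver log entries: it checks that answers for the organization’s own names match the expected addresses, which is the kind of misdirected resolution DHS described, and it flags a client that sends many long, high-entropy subdomain queries to a single domain, the traffic pattern characteristic of DNS tunneling. All domain names, addresses and log lines are constructed placeholders, and the thresholds are illustrative starting points rather than tuned values.

```python
import math
from collections import Counter, defaultdict

# Constructed placeholders: the organization's names and the addresses they
# should resolve to (in practice, load these from the change-controlled zone).
EXPECTED_RECORDS = {
    "www.anycompany.example": {"172.30.0.10"},
    "mail.anycompany.example": {"172.30.0.25"},
}

# Constructed resolver log: "<timestamp> <client> <qname> <qtype> <answer>".
# Line 2 answers with an unexpected address; lines 3-5 look like tunneling.
SAMPLE_LOG = """\
2019-05-01T10:00:01 10.0.0.5 www.anycompany.example A 172.30.0.10
2019-05-01T10:00:02 10.0.0.5 mail.anycompany.example A 198.51.100.77
2019-05-01T10:00:03 10.0.0.9 6a3f9c1e7b2d.04c19f8e3a7d.exfil-demo.example TXT -
2019-05-01T10:00:04 10.0.0.9 9b1e7c4d8a2f.06e5d3c7b1a9.exfil-demo.example TXT -
2019-05-01T10:00:05 10.0.0.9 0d2c85a7f3e9.1b0f4e6a9c2d.exfil-demo.example TXT -
2019-05-01T10:00:06 10.0.0.7 www.anycompany.example A 172.30.0.10
"""

def parse_log(text):
    """Split each log line into a dict; query names normalized to lower case."""
    rows = []
    for line in text.splitlines():
        _, client, qname, qtype, answer = line.split()
        rows.append({"client": client, "qname": qname.lower(), "qtype": qtype, "answer": answer})
    return rows

def shannon_entropy(s):
    """Bits per character; encoded or encrypted labels score high."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def registered_domain(qname):
    # Simplification: last two labels. Use the Public Suffix List in practice.
    return ".".join(qname.split(".")[-2:])

def find_hijacked_answers(rows, expected=EXPECTED_RECORDS):
    """(qname, answer) pairs where an A answer is not in the expected set."""
    return [(r["qname"], r["answer"]) for r in rows
            if r["qtype"] == "A" and r["qname"] in expected
            and r["answer"] not in expected[r["qname"]]]

def find_tunneling_suspects(rows, min_names=3, min_sub_len=20, min_entropy=3.0):
    """(client, domain) pairs that sent many distinct, long, high-entropy subdomains."""
    names = defaultdict(set)
    for r in rows:
        names[(r["client"], registered_domain(r["qname"]))].add(r["qname"])
    suspects = []
    for (client, domain), qnames in names.items():
        subs = [q[: -len(domain) - 1] for q in qnames if q != domain]
        if len(subs) < min_names:
            continue
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_ent = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        if avg_len >= min_sub_len and avg_ent >= min_entropy:
            suspects.append((client, domain))
    return suspects
```

Run against the sample, `find_hijacked_answers` reports the mail record resolving to 198.51.100.77, and `find_tunneling_suspects` reports client 10.0.0.9 and the exfil-demo.example domain; in production the same checks would run over a resolver export or a DNS proxy feed on a schedule.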

___

[i] See, e.g., 45 C.F.R. §164.306(b); 15 U.S.C. §6801; 23 NYCRR §§500.00, 500.02, 500.09; Cal. Civ. Code §1798.81.5; GDPR Article 32; Massachusetts (M.G.L. c. 93H; 201 CMR 17; Frequently Asked Questions).

[ii] See, e.g., NIST SP 800-53 Rev. 4 – Security and Privacy Controls for Federal Information Systems and Organizations; NIST Cybersecurity Framework; HHS Technical Volumes 1 & 2: Cybersecurity Practices for Small, Medium and Large Health Care Organizations.

[iii] DHS Alert (AA19-024A) – DNS Infrastructure Hijacking Campaign; DHS Emergency Directive 19-01 – Mitigate DNS Infrastructure Tampering; CISA Blog – Why CISA issued our first emergency directive.

[iv] FireEye Threat Research – Global DNS Hijacking Campaign: DNS Record Manipulation at Scale (https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html); CrowdStrike – Widespread DNS Hijacking Activity Targets Multiple Sectors (https://www.crowdstrike.com/blog/widespread-dns-hijacking-activity-targets-multiple-sectors/).

[v] NIST Special Publication 800-81-2 – Secure Domain Name System (DNS) Deployment Guide.

[vi] EBG Blog: Even “Secret” Information Will Not Qualify As A “Trade Secret” Unless Adequate Measures Were Taken To Protect That Secrecy; Abrasic 90 Inc., d/b/a CGW Camel Grinding Wheels, USA v. Weldcote Metals, Inc., Joseph O’Mera and Colleen Cervencik, No. 18 Civ. 05376 (N.D. Ill. March 4, 2019).

[vii] ICANN – DNSSEC – What Is It and Why Is It Important; ICANN Calls For Full DNSSEC Deployment Promotes Community Collaboration To Protect The Internet; ICANN Alert Regarding Published Reports of Attacks On Domain Name System.

On March 27, 2019, the FDA announced that it would be proposing new amendments to key regulations regarding mammography facilities that would require these entities “to tell women more about how dense breast tissue can affect their health and increase their cancer risk.”  The proposed changes to mammography facility regulations would be the first issued in more than 20 years.  The FDA believes the change will “expand the information mammography facilities must provide to patients and health care professionals, allowing for more informed medical decision-making.”  In addition, FDA is proposing to modernize quality standards by, for example, expressly authorizing FDA communications with patients and practitioners in the event of quality issues, requiring use of FDA-approved or -cleared digital accessories, and strengthening recordkeeping requirements.  These changes not only enhance regulatory requirements, but likely foreshadow increasing enforcement and communications from FDA with regard to mammography services.

It is a well-settled rule of law that FDA does not regulate the practice of medicine, but mammography services are a notable exception. Congress provided the FDA with regulatory oversight of mammography facilities in 1992 following passage of the Mammography Quality Standards Act (MQSA). The MQSA entrusts FDA with facility accreditation, annual inspections, certification, and enforcement of standards to assist in ensuring such facilities provide quality care. FDA Commissioner Scott Gottlieb remarked that the new rule proposal would “modernize our oversight of mammography services, by capitalizing on a number of important advances in mammography, like the increased use of 3-D digital screening tools and the need for more uniform breast density reporting.”

Under the proposed rule, mammography providers would be required to tell women whether they have dense breast tissue, which may increase cancer risk and mask tumors, making cancer detection more challenging.  Women with dense tissue are often advised to seek other screening tests along with mammograms, such as M.R.I. scans or ultrasound, but in many states this is left to the discretion of providers.  (Currently, there are roughly 36 states already requiring that female patients be given information about breast density).  The new rule proposes specific language that would be implemented nationwide to explain breast density, note that some women may need additional imaging tests and recommend patients consult their physicians regarding their results.  The FDA language would set a minimal standard, and will not preempt states from imposing additional requirements regarding disclosures.

The content of communications beyond the basic diagnosis has been raised as a concern under current state law disclosure standards. Some within the medical profession have argued that disclosure laws could provide women with information that does not necessarily reflect their condition, and could lead to demand for expensive, unnecessary tests. Further, some physicians have also suggested that state-mandated letters may be too complex for patients to understand. For instance, the Journal of the American Medical Association (JAMA) published a study analyzing notification letters sent out in over 20 states and found that “many use such complex language that patients need a college degree to understand them.” Acknowledging the pushback, Commissioner Gottlieb stated that women have a right to receive such information regarding their health in order to make an informed decision about next steps.

Moving forward, entities and medical professionals should be mindful of these regulations when providing mammography services to female patients. It will be important to exercise best medical judgment when examining mammogram results, as dense breast tissue may represent a significant confounder when assessing breast cancer risk. Communications on these topics could face additional scrutiny as medical practitioners try to balance regulatory obligations with general principles about informing patients about their condition in an understandable manner. In addition, the changes could drive an increase in the use of additional diagnostic testing. Thus, there is some uncertainty as to whether there should be a push for enhanced screening.

EBG will continue to monitor this proposed rule.  The FDA is accepting comments on these proposed changes until June 26, 2019.  The notice and comment portal for submitting comments is available at https://www.regulations.gov/document?D=FDA-2013-N-0134-0006.


Brian Hedgeman

On April 2, 2019, FDA issued a press release featuring a statement from FDA Commissioner Scott Gottlieb announcing the Agency’s latest enforcement actions taken against companies engaging in unlawful marketing of cannabidiol (CBD) products. Coming just days before Gottlieb’s anticipated departure from the Agency, this news is otherwise unsurprising given recent events at the federal and state level. In a December 2018 press release issued on the heels of the Farm Bill’s passage, FDA forecast its intention to step up enforcement against CBD products, and earlier this year state and local governments initiated seizures of CBD products from store shelves. For manufacturers, retailers, and consumers, the takeaway from these recent statements and actions is that it remains unlawful under the Federal Food, Drug, and Cosmetic (FD&C) Act to market conventional foods or dietary supplements containing CBD.

The April 2, 2019 press release announces the issuance of three Warning Letters to companies marketing CBD products using “egregious and unfounded claims that are aimed at vulnerable populations.”  Notably, the Warning Letters were issued jointly by FDA and the Federal Trade Commission, which has authority to protect consumers from unfair trade practices, including false or misleading advertising claims. As examples of unlawful claims, the Warning Letters cite assertions that CBD products stop growth of cancer cells, slow the progression of Alzheimer’s, and reduce withdrawal symptoms in individuals with substance use disorders.  While FDA’s position is that the inclusion of CBD as an ingredient in conventional foods and dietary supplements is per se unlawful, the Agency’s focus on companies making cure or treatment claims for serious diseases and conditions is consistent with the December 2018 statement that the Agency would prioritize enforcement against products the Agency believes put consumers at risk.

The press release also sets a date for the previously promised public hearing on the future of CBD product regulation. The hearing, which is scheduled for May 31, 2019, will provide a platform for interested parties to “share their experiences and challenges” under the current regulatory environment.  A newly-created internal Agency working group will be tasked with reviewing and analyzing stakeholder feedback and exploring potential regulatory pathways for CBD products.  FDA seeks stakeholder feedback on issues including the levels of cannabis and cannabis-derived compounds that cause safety concerns; how the mode of delivery (e.g., ingestion, absorption, inhalation) affects the safety of, and exposure to, these compounds; and how cannabis and cannabis-derived compounds interact with other substances such as drug ingredients.

Stakeholders with an interest in developing, marketing, distributing, or purchasing consumer-focused CBD products—as well as in developing other hemp-derived cannabinoid compounds for the consumer market—can submit comments or a request to make an oral presentation at the hearing by May 10, 2019.  Stakeholders can also submit comments for FDA’s consideration after the hearing via regulations.gov by July 2, 2019.

Many physicians rely on publicly available reports to assess the safety of the devices they use on patients, but in some cases, these reports aren’t painting the full picture.  A recent Kaiser Health News (“KHN”) article raises serious questions about FDA’s practice of allowing a significant number of medical device injury and malfunction reports to stay out of the public eye.

Under FDA’s Medical Device Reporting (“MDR”) regulation (21 CFR part 803), device manufacturers, importers, and device user facilities are required to submit reports of adverse events and product problems to the Agency. Device user facilities include hospitals, ambulatory surgery centers, nursing homes, and outpatient diagnostic and treatment facilities, but not physician offices. Outside of this mandatory reporting structure, FDA also encourages health professionals and patients to submit voluntary reports of significant device adverse events and product problems through MedWatch.

Both mandatory and voluntary adverse event reports dating back to the 1990s are housed in FDA’s publicly-accessible Manufacturer and User Facility Device Experience Database (“MAUDE”), which is updated by the Agency monthly.  However, according to FDA’s website, MAUDE may not include reports made according to “exemptions, variances, or alternative reporting requirements granted under 21 CFR 803.19.”

The KHN article examined the scope of such “hidden” reporting channels, which keep certain device injury and malfunction reports from ever seeing the light of day.  In fact, according to KHN’s investigation, since 2016, more than one million device incidents have been able to bypass inclusion in the MAUDE database as a result of FDA’s “alternative summary reporting program.”

Under this program, which launched in 2000, device manufacturers have been able to seek an “alternative summary” reporting exemption, permitting them to send FDA an accounting of device injuries and malfunctions on a periodic basis (e.g., quarterly or annually) in lieu of fulfilling their standard public reporting obligations. Initially, only a few devices had been granted reporting exemptions, but today, about 100 devices, from surgical staplers to balloon pumps to mechanical breathing machines, are subject to exemptions.  The internal Agency database tied to this program is not open to the public.

FDA has also granted other types of reporting exemptions. For example, pelvic mesh manufacturers have been granted a special “litigation complaint summary reporting” exemption. This allows them to submit a single “injury” report to FDA, but attached to that summary report may be a listing of hundreds of patient injury reports (based on lawsuit allegations). For someone reviewing pelvic mesh injuries in MAUDE, this would look like a single injury, with the underlying detailed (and sometimes voluminous) patient injury reports tied to the summary report being accessible only through a Freedom of Information Act request.

According to FDA, for certain devices, alternative summary reporting helps eliminate redundant paperwork for the Agency.  But for physicians and patients, many of whom have no awareness of FDA’s “alternative” reporting mechanisms (and thus perceive the publicly available reports as the full universe of available safety information), the lack of transparency is troubling.  Where patient care decisions are in the balance, administrative efficiency should not trump the need for full public access to device injury and malfunction information.  At the very least, FDA should be completely transparent about the types of reporting exemptions that have been granted, and the specific devices that are subject to exemptions.