On February 11th, blockchain advocates, digital health enthusiasts, and patients received positive news from the Center for Medicare and Medicaid Services (“CMS”) and the Office of the National Coordinator for Health Information Technology (“ONC”) regarding patient data sharing.  These rules, taken together, seek to make data more liquid, which can promote patient access, continuity of care, research, collaboration across the industry and several other activities that previously faced challenges within a health care system built on data silos.

First, CMS published a proposed rule that seeks to increase interoperability and patient access to health records. CMS Administrator, Seema Verma, explained that the proposal seeks to “break down existing barriers to important data exchange needed to empower patients by giving them access to their health data.”  Second, ONC published a proposed rule aiming to deter and penalize information blocking.  As a result of lack of interoperability and information blocking, data sharing has been challenging across the industry and patients have historically struggled to gain access to their health records, which health providers and payors claimed they owned.  These proposed rules take notable steps to open avenues for data sharing and shift the role of patients with respect to their own health data.

The CMS proposed rule requires Medicare Advantage (“MA”) organizations, state Medicaid and Children’s Health Insurance Program (“CHIP”) Fee for Service (“FFS”) programs, Medicaid Managed Care Plans, CHIP managed care entities, and Qualified Health Plan (“QHP”) issuers in federally facilitated exchanges (“FFE”) to (1) provide convenient access to health care records to patients, (2) support the electronic exchange of data for transitions of care as patients move between the aforementioned plan types, and (3) require participation in trust networks to improve interoperability. Additionally, the proposed rule requires Medicare-participating hospitals, psychiatric hospitals, and Critical Access Hospitals (“CAHs”) to send electronic notifications when a patient is admitted, discharged, or transferred.

The ONC proposed rule establishes conditions for maintaining electronic health record (“EHR”) certification centered around preventing information blocking and developing technical methods for data sharing.  Specifically, health IT developers will be required to (1) attest not to engage in information blocking, (2) include application programming interfaces (API) in certified EHR technology, and develop common data export formats to allow for transitions of care, data sharing, and EHR switching.  It is also important to note that the proposed rule established seven explicit exceptions to the information blocking prohibition, including promoting privacy and security of health information.

These rules could serve as a watershed moment in terms of data ownership, sharing and patient access.  Yet, these rules could be disruptive to the way stakeholders in healthcare have historically operated relative to each other and the patients they serve.  In any case, the regulators have sent their message . . . the “walls” must come down and data ought to flow more freely.

CMS and ONC have requested that stakeholders provide comments within 60 days of issuance of the proposed rule.


Alaap B. Shah


Ebunola Aniyikaiye

GenomeDx Biosciences Corp., which markets a genomic test (Decipher®) intended to assess the aggressiveness of prostate cancer, has agreed to pay $1.99 million to the U.S. Department of Justice to resolve allegations that it violated the False Claims Act (31 U.S.C. §§ 3729 et seq.)(“FCA”) by submitting claims to Medicare for tests conducted to evaluate treatment options for men after prostate surgery.

The government and a whistleblower alleged that between September 2015 and June 2017, GenomeDx knowingly submitted Medicare reimbursement claims for the Decipher® test that did not meet the six clinical prerequisites in the Local Coverage Determinations (“LCDs”) published by each of the Medicare Administrative Contractors (MACs). LCDs are published by MACs when they make a determination that an item or service meets (or does not meet) the “reasonable and necessary” test in Section 1862(a)(1)(A) of the Social Security Act and under what circumstances. The prerequisites for a prostate cancer classifier assay to be deemed medically necessary include (1) evaluation for postoperative secondary therapy due to one or more risk factors for a recurrence within 60 months after a radical prostatectomy surgery, (2) no evidence of any distant metastasis, and (3) pathological stage T2 disease with a positive surgical margin or pathological stage T3 disease, or rising prostate-specific antigen levels after an initial test result of 0.2 ng/ml or less.

Therefore, for each claim, the government and the whistleblower alleged that GenomeDx had certified that the test was reasonable and necessary as defined in the LCD  even though the clinical criteria or documentation requirements had not been met because the patients did not have risk factors necessitating the test.

The issue of medical necessity for diagnostic services continues to be a primary issue in many health care-related cases filed pursuant to the FCA.  The federal courts have confirmed that a laboratory may rely on the ordering physician’s determination of medical necessity because laboratories do not and cannot treat patients or make medical necessity determinations; however, laboratories may still be liable under the FCA if the laboratory knowingly presents claims for reimbursement that are not medically necessary.

Moreover, Medicare will still require documentation that demonstrates medical necessity to support payment for the test services. Thus, if adequate documentation is not provided, even when the ordering provider failed to maintain the appropriate diagnostic or other medical information for his or her patient, it is the laboratory that will suffer the consequences of the denial or recovery of reimbursement for the claim.

This settlement highlights the need for clinical laboratories, and all Medicare providers and suppliers, to determine if any national or local coverage policies apply to their services and the prerequisites prior to submission of claims, and to file those claims only where there is a good faith belief that any relevant prerequisites have been met.  Jurisdiction of claims for laboratory services furnished by an independent laboratory normally lies with the MAC serving the area in which the laboratory test is performed.  If there is a disagreement with the national or local coverage determination, there are procedures to either challenge the policy or to request that the policies be revised and updated.

Gummies, brownies, sodas, cookies . . . consumer appetite for food and dietary supplement products containing cannabidiol (“CBD”) has grown over the last few years as states have moved to legalize cannabis for medical or limited recreational use.  With the passage of the 2018 Farm Bill on December 20, 2018, which legalized the cultivation of hemp for certain purposes, the “edibles” industry appeared poised for further expansion.

However, recent developments at both the federal and state level may be putting the “edibles” industry on a diet.  In the past week, bans on the sale of foods and beverages with added CBD have been reported in three jurisdictions—Maine, Ohio, and New York City. Maine Department of Health and Human Services officials are reported to have ordered the removal of any edible product containing CBD from store shelves, including foods, tinctures, and capsules.  Further, the Ohio Department of Agriculture is reported to have put an “embargo” on products containing CBD. News sources report that government officials from these states began enforcement of this policy by seizing products from local businesses.  Finally, the New York City Department of Health and Mental Hygiene appears to have instructed New York City businesses to stop selling any foods or drinks with CBD as a food additive.

These state and municipal actions are the most recent governmental bite out of the edibles industry.  Concurrent with the passage of the Farm Bill, FDA Commissioner Scott Gottlieb released a statement cautioning that the new law did not alter the agency’s position on CBD added to food or contained in dietary supplements.  Rather, according to the statement, it is unlawful under the Federal Food, Drug, and Cosmetic (“FD&C”) Act “to introduce food containing added CBD . . . into interstate commerce, or to market CBD . . . products as, or in, dietary supplements, regardless of whether the substances are hemp-derived. This is because both CBD and THC are active ingredients in FDA-approved drugs and were the subject of substantial clinical investigations before they were marketed as food or dietary supplements.” A newly-added FDA webpage, “FDA and Marijuana: Questions and Answers,” similarly asserts this view.

FDA’s position is rooted in two provisions of the FD&C Act, namely 21 U.S.C. §§ 331(ll) and 321(ff)(3)(B). These provisions prohibit the sale of any food or dietary supplement, respectively, which contains an ingredient that was the subject of clinical investigations or approved as a drug by FDA before the ingredient was marketed in the food or dietary supplement. FDA maintains that CBD was approved as a drug ingredient by the agency (i.e., the anti-epilepsy drug Epidiolex®) before it was marketed in food, and therefore “it is a prohibited act to introduce or deliver for introduction into interstate commerce any food . . . to which . . . CBD has been added.”

It remains to be seen whether other state and local governments will follow the lead of Maine, Ohio, and New York City by banning the sale of edibles, either for public health concerns or to conform with FDA policy. Given consumer demand for and industry investment in CBD products, other states and localities may face opposition to such actions.

These same factors also may encourage FDA to reexamine its current policy; indeed, the Commissioner’s statement acknowledged that FDA could, through rulemaking, allow the use of CBD in traditional food and dietary supplement products, and announced the agency’s intent to “hold a public meeting in the near future for stakeholders to share their experiences and challenges with these products, including information and views related to the safety of such products.”  Stakeholders with an interest in consumer-based CBD products—as well as in developing other hemp-derived cannabinoid compounds for the consumer market—may wish to consider an FDA engagement strategy as part of their business development plans.

There is a new kid on the block . . . the Chief Data Officer (CDO).  There is no surprise in our data-driven world that such a role would exist. Yet, many organizations struggle with defining the role and value of the CDO. Effective implementation of a CDO may be informed by other historical evolutions in the C-Suite.

Examining the rise of the Chief Compliance Officer (CCO) in the 2000’s mirrors some of the same frustrations that organizations faced when implementing the CCO role. While organizations were accustomed to having legal, HR, and internal audit departments working together to ensure compliance, suddenly CCOs stepped in to pull certain functions from those departments into the folds of the newly-minted Compliance department.  Integrating CDOs appears to follow a similar approach. Particularly in health care, the CDO role is still afloat, absorbing functionality from other departments as demand inside of organizations evolves and intensifies to focus on the financial benefits of their data pools.

Corporate evolution is challenging and often uncomfortable, but the writing is on the wall . . . there are two types of companies:  ones that are data-driven and ones that should be.  Which will you be?

What Is a Chief Data Officer?

CDO responsibilities will vary depending on the organization. Some organizations position the CDO to oversee data monetization strategies, which requires melding business development acumen with attributes of a Chief Information Officer. In some organizations, the CDO may oversee the collection of all of the company’s data in order to transform it into a more meaningful resource to power analytical tools.

A survey of CDO positions identified three common aspirations that organizations have for the role: Data Integrator, Business Optimizer, and Market Innovator. Data Integrators primarily focus on infrastructure to give rise to innovation. Business Optimizers and Market Innovators focus on optimizing current lines of business or creating new ones. These aspirations will likely vary depending on the nature and maturity of organizations. Regardless of the specific role, CDOs can help organizations bridge the widening gap between business development, data management, and data analytics.

Further, a key component of a CDO’s activity will relate to responsible data stewardship.  CDO activities will heavily depend on developing a data strategy that complies with legal, regulatory, contractual and data governance boundaries around data collection, use and disclosure.  CDOs should work closely with legal counsel and compliance personnel to effectively navigate these challenges.  Further discussion of the legal and regulatory landscape around data use is available here.

The Importance of CDOs in Transforming Healthcare Companies

It is clear that leveraging data will be key to innovating, gaining efficiencies, and driving down costs over time.  Yet, many organizations continue to struggle with making sense of the data they possess.   For some, the CDO may be a critical driving force to advance a business into a new landscape.  Just as the CCO helped address decades of frustration with corporate ethics and practices (and was soon demanded by lawmakers and regulators), the role of the CDO has emerged in response to demand for efficiencies in business practices and the recognition that data has become the world’s most valuable commodity.

In light of the explosion of data in the healthcare industry, organizations should consider whether and how a CDO will fit into the corporate structure. Furthermore, organizations should work to understand how having a person at the table with a keen eye towards giving life to an organization’s data resources can benefit the business long term from internal and external perspectives.  The ultimate question a CDO can help solve is:  What don’t we know that, if we knew, would allow our organization to innovate or operate more efficiently or effectively?


Alaap B. Shah


Andrew Kuder

For the first time since 2008, the Advanced Medical Technology Association (“AdvaMed”) has updated its “Code of Ethics on Interactions with Health Care Professionals.”  These updates were announced on January 9, 2019 and will become effective on January 1, 2020.

AdvaMed’s goal in updating the Code was to address the evolving nature of interactions between the medical device industry and health care professionals (“HCPs”), bring existing examples up-to-date, and enhance user-friendliness.  Topics that were previously covered in multiple areas of the Code are now consolidated into more comprehensive sections on Company programs, Third-Party Programs, Travel and Meals.  There are also three new sections on: Jointly Conducted Education and Marketing Programs, Communicating for the Safe and Effective Use of Medical Technology, and Company Representatives Providing Technical Support in the Clinical Setting.  Additionally, the updated Code includes language that clarifies when it is acceptable to provide evaluation products, and adds additional detail to the section on Consulting.  These changes are explained in further detail below.

Consulting Arrangements with HCPs

While the updated section on consulting arrangements retains much of the same content as the previous version, it also provides additional clarity on determining whether there is a legitimate need for consulting services, explaining that a legitimate need arises when a company requires the services of an HCP to achieve a specific objective.  It also specifies that rewarding an HCP for referrals, or designing an arrangement to generate business, are not considered legitimate needs.  Additionally, the updated section includes criteria on how manufacturers can establish fair market value compensation rates for consulting services.  These include the HCP’s specialty, years and type of experience, geographic location, practice setting, and the type of service performed.

Third-Party Programs

The updated Code consolidates existing language on providing support for third-party educational, charitable, and research programs into one section on grants, donations, and commercial sponsorships.  This section includes a checklist that companies can use to review requests for educational grants, and adds language on whether companies can host satellite symposia.  It also expands and clarifies the requirements for supporting independent research grant requests or charitable donations.

Travel and Meals

The updated Code also consolidates its previous guidance on travel and lodging into one section and provides clarity on situations for which a company may pay for travel and lodging expenses (e.g., consulting, training, legitimate need for meeting, HCP presence) and when such payments are prohibited (e.g., general education, attending a third-party program, no legitimate need).  It also includes additional information on evaluating appropriate venues for meetings, taking into consideration whether the venue is in a central location and whether it is conducive to an exchange of information. The added language also places a limit on “top category” or luxury hotels.

Jointly Conducted Education and Marketing Programs

The Code’s new section on Jointly Conducted Education and Marketing Programs explains that these types of programs are typically educational programs that are aimed at highlighting a medical technology as well as an HCP’s ability to treat a condition using that technology (e.g., a manufacturer promotes its surgical implant device while a surgeon discusses his or her ability to perform the implant procedure using the device.)  AdvaMed acknowledges the benefits of such jointly conducted programs; however, it also advises manufacturers to follow certain principles to ensure that the program does not unduly benefit the HCP in a manner that violates the Anti-Kickback Statute.  For example, the manufacturer and the HCP must establish a bona fide partnership, meaning the arrangement should be documented in a written agreement and any contributions and costs should be shared equitably between them.

Communications & Technical Support

The updated Code also features a new section on communicating for the safe and effective use of medical technology, which sets forth principles for communicating information on unapproved or uncleared uses. For example, communications should be truthful and non-misleading, provided by authorized personnel, and appropriately identified as off-label.  AdvaMed advises that companies develop policies on the dissemination of off-label information based on existing guidance.

The final new section added to the Code is on the provision of technical support in the clinical setting. This section provides guidelines for company representatives who provide technical support in this setting to follow.  This includes, but is not limited to, being transparent that they are acting on behalf of the company and not interfering with an HCP’s clinical decision-making.

Although only certain states, such as California, Nevada, and Connecticut, have required device manufacturers to model their compliance programs after principles set forth in AdvaMed’s Code of Ethics, the Code has long been relied upon as the industry standard for maintaining ethical and compliant relationships between device manufacturers and HCPs. As such, manufacturers should carefully review the changes that have been made to the Code and update their internal policies and procedures as necessary.  Manufacturers in states like California, Nevada, and Connecticut should also look out for any updates in their states’ legislation to adopt the changes made to the Code.

The updated Code is available here and a brief overview of the changes can be found here.

Data is king!  A robust privacy, security and data governance approach to data management can position an organization to avoid pitfalls and maximize value from its data strategy. In fact, some of the largest market cap firms have successfully harnessed the power of data for quite some time.  To illustrate this point, the Economist boldly published an article entitled “The world’s most valuable resource is no longer oil, but data.”  This makes complete sense when research shows that 90% of all data today was created in the last two years, which translates to approximately 2.5 quintillion bytes of data per day.

This same trend has taken hold in the healthcare industry as it seeks to rapidly digitize and learn from data in order to bend the cost curve down, increase quality of outcomes, and improve overall population health.  Specifically, there is certainly an ever-growing pool of health data being generated by providers, payors, life sciences companies, digital health companies, diagnostic companies, laboratories, and a cornucopia of other entities.  Recent estimates indicate that volume of healthcare data is growing rapidly as evidenced by 153 exabytes produced in 2013 and an estimated that 2,314 exabytes will be produced in 2020.  This translates to an overall rate of increase at least 48 percent annually.  But, to what end?

The rapid production and aggregation of data is being met with increasing demand to access and analyze this data for a variety of purposes.  Life sciences companies want access to conduct pre-market analysis, clinical trials and post-market surveillance.  Providers want access to conduct population health research.  AdTech and marketing companies want it to . . . you guessed it . . . sell more things.  These examples are just the tip of the proverbial iceberg when it comes to the secondary data analytics market.

Nevertheless, there are various issues that must be addressed before aggregating, sharing, and using such data.

First and foremost, identifiable health data is typically treated as a sensitive class of information warranting protection.  As such, entities should consider whether their intended activities must comply with applicable privacy and security regulations.  Depending on the data being collected, the use and disclosure of such data, and the jurisdictions within which data is stored and processed, entities may be subject a wide array of legal obligations, including one or more of the following:

  • Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)
  • the Common Rule
  • the EU General Data Protection Regulation (“GDPR”)
  • 42 C.F.R. Part 2
  • State data protection and breach laws and regulations
  • Food and Drug Administration (“FDA”) regulations; or
  • Federal Trade Commission (“FTC”) regulation.

Second, entities must consider contractual obligations, including property rights governing data collection, aggregation, use, and disclosure.  The contractual obligations that should be evaluated will depend largely on the nature of the data collected, contemplated uses and disclosures of such data and the applicable laws and regulations relative to such collection, use and disclosure.  Accordingly, entities should also consider the impact of upstream agreements and downstream agreements on rights to collect, use or disclosure data through the chain of custody.  Agreements that warrant considering may include:

  • Master Services Agreements
  • Data Use Agreements
  • Business Associate Agreements
  • Data Sharing Agreements
  • Confidentiality/Non-disclosure Agreements
  • Terms of Use/Privacy Policies (and other representations made to consumers).

Third, even if collection, aggregation and analysis is possible under law/regulation and contract, companies must still consider whether additional data governance principles should be implemented to guide responsible data stewardship.  It is critical to remember that businesses that mishandle personal data can lose the trust of customers and suffer irreparable reputational harm. To mitigate against such issues, entities should consider developing data governance principles guided by fair information practices including:  openness/transparency, collection limitation, data quality, purpose specification/use limitation, accountability, individual participation and data security.


Patricia M. Wagner


Alaap B. Shah

On December 11, 2018, the Food and Drug Administrative (“FDA”) issued a draft guidance for comment entitled, “Biomarker Qualification: Evidentiary Framework” (the “Guidance”).  The Guidance provides insight regarding standards for biomarker qualification under the 21st Century Cures Act (“Cures Act”).

FDA defines the term “biomarker” as a “characteristic that is measured as an indicator of normal biological processes, pathogenic processes, or responses to an exposure or intervention, including therapeutic interventions.” There are various types of biomarkers including, but not limited to: molecular – (i.e. blood glucose); radiographic (i.e. the size of a tumor); and physiologic (i.e. blood pressure), and each of these biomarkers fall into various categories, all of which are regulated by FDA. The term “biomarker qualification” is defined as “a conclusion, based on a formal regulatory process that within the stated context of use, can be relied upon to have a specific interpretation and application in medical product development and regulatory review.” Importantly, once a biomarker is qualified for a particular context of use, it becomes publicly available, and can be applied in any drug development program for that qualified context of use.

The Guidance discusses the evidentiary framework for supporting biomarker qualification, including needs assessments; context of use; and benefit-risk considerations, and how these considerations can relate to determine the type and level of evidence required to support the qualification of a biomarker. Additionally, the Guidance addresses general statistical and clinical considerations related to the correlation between the biomarker and outcome of interest, and general analytical considerations related to performance characteristics of the biomarker test.

Ultimately, the success of the Guidance in advancing biomarker qualification will turn on its contents and stakeholder input.  The Agency has asked for comments on the Guidance by February 9, 2019, to ensure that comments can be fully considered before the Guidance is finalized, although comments may be submitted on FDA guidance at any time. The formal announcement about the draft Guidance issued by FDA is available here.

Recently, the U.S. Department of Health & Human Services (“HHS”) issued guidance for healthcare cybersecurity best practices.  As required under the Cybersecurity Act (CSA) of 2015, this four-part guidance was generated by a Task Group charged with the following:

  1. Examining current cybersecurity threats affecting the healthcare and public health sector;
  2. Identifying specific weaknesses that make healthcare and public health organizations more vulnerable to cybersecurity threats; and
  3. Providing certain practices that cybersecurity experts rank as most effective against such threats.

This technical assistance comes at a critical time.  Healthcare organizations, regardless of size, complexity or sophistication are vulnerable to cyber-attacks. For example, while smaller organizations may think that cyber threats, such as ransomware, tend to affect the larger organizations, approximately 58% of malware attack victims affect small businesses. Furthermore, cybersecurity attacks in 2017 cost small and medium-sized businesses an average of $2.2 million.

Most surprisingly, despite increased frequency of cyber-attacks over the last two years, coupled with cost of data breaches being highest in healthcare, the healthcare industry continues to lag behind in cybersecurity preparedness. About 4-7% of total IT budgets, across healthcare organizations, are being spent on cybersecurity, while other industries spend approximately 10-14%.  There is certainly a need and significant room for improvement across the industry.

The main volume of the new HHS guidance document cites the five most prevalent cybersecurity threats as:

  • E-mail phishing attacks;
  • Ransomware attacks;
  • Loss or theft of equipment or data;
  • Insider, accidental or intentional data loss; and
  • Attacks against connected medical devices that may affect patient safety.

The guidance document also shares ten best practices to mitigate cybersecurity threats (covered in more detail in corresponding Technical Volumes):

  • E-mail protection systems;
  • Endpoint protection systems;
  • Access management;
  • Data protection and loss prevention;
  • Asset management;
  • Network management;
  • Vulnerability management;
  • Incident response;
  • Medical device security; and
  • Cybersecurity policies.

With this new cybersecurity guidance from HHS, healthcare companies can be better equipped to strengthen their security and more effectively tackle cyber threats.  Companies should prioritize these efforts because cybersecurity preparedness can reduce patient privacy risk, protect patient safety and ultimately preserve an organization’s reputation.


Alaap B. Shah


Daniel Kim

On October 18, 2018, the FDA published Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.  This guidance outlined recommendations for cybersecurity device design and labeling as well as important documents that should be included in premarket approval submissions.  This guidance comes at a critical time as the healthcare industry is a prime target for hackers.  On January 22, 2019, the U.S. Department of Homeland Security Industrial Control System Cyber Emergency Team (US-CERT) issued another advisory regarding medical device vulnerabilities.  Further, a report by KLAS Research in collaboration with the College of Healthcare Information Management Executives (CHIME) found that 18 percent of healthcare organizations reported that their medical devices were hit by malware or ransomware.  Many experts are also projecting that more cyber-attackers will target devices in 2019.

The FDA has recognized cybersecurity risk related to medical devices for quite some time, and has taken this step to further protect patients from such risks.  Other organizations have also taken aim at this issue, such as the National Institute of Standards and Technology (NIST) issuing guidance related to telehealth monitoring devices.  However, medical device manufacturers may continue to struggle to address these risks in design, development and implementation.  As a result, with Internet of Things (IoT)-enabled device innovation continuing to expand and the expectation of new threats, it is imperative that medical device consumers and manufacturers keep pace to ensure device network security.

There are several complexities that exist relative to securing medical devices. First, many devices no longer function as stand-alone components in healthcare settings as they are being integrated into the health care IoT.  Second, an increasing number of medical devices are network-connected and transmitting sensitive patient data through other wired or wireless components.  These two factors create quality improvements, convenience and flexibility to physicians and patients, but they can also introduce new security vulnerabilities that could adversely affect clinical operations as well as put patients at risk.

The FDA guidance addresses a number of key areas of risk.  In particular, the guidance recognized vulnerabilities stemming from insufficient access control safeguards medical devices.  For instance, administrators often assign the same password to multiple devices, which could provide unauthorized access to each device and its data.  Additionally, the FDA noted that data transmitted through the devices is not always encrypted, which could allow unauthorized individuals to intercept and even modify clinical information impacting patients’ privacy and/or safety.  Finally, a number of devices are vulnerable to malware without the ability to apply security patches.

To reduce risk, there are several measures that can be implemented to enhance device security.   For instance, hospitals and health systems should include medical devices in security risk analyses and risk management plans. Additionally, organizations should thoroughly evaluate security risks related to devices and vendors before purchasing devices (e.g. request disclosure of device cybersecurity properties).  As for device manufacturers, enhanced security systems should be baked into devices to monitor device networks and ensure device authorization is limited to assigned authorized users.

EBG will continue to keep an eye on how the industry reacts and implements the FDA’s guidance over time.


Brian Hedgeman


Alaap B. Shah

The federal government entered into a partial shutdown at midnight on Saturday, December 22, 2018. The implications of the ongoing shutdown are far-reaching, but its impact on the Food and Drug Administration (“FDA”) is of particular concern to members of FDA-regulated industries and those with a role in ensuring the public health. Thousands of FDA employees considered non-essential were furloughed and, consequently, routine regulatory and compliance activities at FDA were put on hold. On his Twitter account (@SGottliebFDA), Scott Gottlieb, M.D., Commissioner of the FDA (“Dr. Gottlieb”), has tweeted frequent updates regarding FDA operations. As he explained, FDA officials initially consulted with public health experts and other senior leaders regarding which FDA activities address threats to human life and safety and, thus, should continue during the shutdown.

Many FDA operations halted for two weeks during the holidays, according to schedule. Accordingly, many activities were not considered delayed until early January when FDA was scheduled to resume all operations. To provide examples of the shutdown’s implications at FDA, FDA is currently not accepting new medical product applications that require fee payment or reviewing drug applications that are not user-funded, and FDA’s Center for Drug Evaluation and Research (“CDER”) has paused all non-emergency over-the-counter monograph drug activities because these activities were determined not to address immediate threats to human life and safety. In addition, the thirty-day waiting period before sponsors of investigational new drugs may conduct clinical trials is paused during the shutdown unless the drugs are considered emergency drugs.

During the shutdown, FDA will utilize carryover “user fee” funding to continue review of certain applications that require a user fee, such as New Drug Applications, Biologics License Applications, and Premarket Approval applications for medical devices, if such fee has been paid. However, FDA may require more time than what agency timeframes allot to review these applications. FDA cannot accept new user fees during the shutdown. If fee payment is required, sponsors must wait until the government reopens. Some companies and industry segments, such as allergenic products, negotiated to be excluded from user fees and chose to instead rely on budget authority. Accordingly, when budget authority lapses, routine review activity for these products halts unless an emergency involving safety of human life warrants review.

As the shutdown entered week three, FDA determined it would resume activities necessary to identify and respond to threats to the safety of human life. On January 15, 2019, furloughed food safety inspectors returned to work without pay after Dr. Gottlieb days earlier sought and received permission from the Department of Health and Human Services and the White House to call the inspectors back to work. Resumed FDA activities include:

  • expanded monitoring and analysis of food safety surveillance and detection;
  • surveillance sampling of high-risk foods, drugs, and devices;
  • expanded monitoring and evaluating of medical device adverse event and malfunction reports to include additional types of medical devices;
  • expanded activities related to surveillance and response for recalls as necessary to identify and respond to threats to the safety of human life; and
  • expanded inspection activities beyond “for-cause” inspections to also include foreign and domestic food, drug, medical, device, and pharmacy compounding surveillance inspections focused on the highest risk products and facilities.

Resumed activities are being funded by carryover user fees and from the reduction of any overhead charges to CDER and the Center for Biologics Evaluation and Research. Dr. Gottlieb claims these funding sources give FDA roughly five weeks of funding to review new drug applications. FDA is seemingly operating at the best of its ability despite the circumstances. According to Dr. Gottlieb, carryover user fees supported the January 16, 2019 FDA guidance on drug development to treat rare diseases. Also on January 16, FDA issued draft guidance to support companies seeking final approval for tentatively-approved generic drug applications to promote timely access to safe and effective generic medicines. However, the Prescription Drug User Fee Act, which authorizes FDA to collect fees from companies that produce certain human drug and biological products, is the most vulnerable program, likely to run out of money the first week of February.

Manufacturers, researchers, and others involved in the creation of these products should continue to monitor for developments but should expect likely delays in all FDA review activity. Additional operations may resume as determined to be necessary if the shutdown continues. If the shutdown lasts for more than five additional weeks, it is unclear which FDA operations not addressing an immediate threat to human life can continue. Once the government reopens, FDA will still face a backlog of applications and other regulatory activity, almost guaranteeing a ripple effect of delays that will continue for the foreseeable future.