This month, we’re going to look at a visualization that uses network techniques. Visualizing a network is a matter of nodes and edges. If the network were Facebook, the nodes would be people, and the edges would be the relationships between those people. Instead of people, we are going to look at specific device functionalities as defined by the product codes. And instead of relationships, we are going to look at when device functionalities (i.e., product codes) are used together in a marketed device as evidenced by a 510(k) submission.

Continue Reading Unpacking Averages: Popular Ways to Combine Device Functionality

From our Thought Leaders in Health Law video series:  Is your organization ready for the No Surprises Act (NSA)? The law goes into effect January 1, 2022, and contains a new federal ban on surprise billing as well as new disclosure requirements.

The NSA applies to certain payors, providers, facilities, and ancillary service entities that support patients who receive emergency services or other non-emergency services at certain facilities, such as hospitals, hospital outpatient departments, and ambulatory surgical centers.

What does this mean for you?

  • Health care businesses should design a detailed “operationalized” NSA compliance program now but stay flexible as additional regulations are issued.
  • If you have operations in multiple states, assess whether state laws may apply and how they will interact with the federal law.
  • Calculate your median contracted rates for common services in each sector for billing guidance.
  • Ancillary service providers, in particular, must determine how to obtain the necessary information to help determine if federal protections apply to services they provide to patients in facilities in which they are not physically located.

For more information on the NSA, visit: https://www.ebglaw.com/trending-issues/no-surprises-act/

The Thought Leaders in Health Law® video series tracks the latest trends in multiple areas of the health care and life sciences industries, featuring attorneys and advisors from Epstein Becker Green and EBG Advisors.

On November 12, 2021, the Centers for Medicare and Medicaid Services (“CMS”) released final guidance confirming that hospitals can be co-located with other hospitals or healthcare providers. CMS’ aim for the guidance is to balance flexibility in service provision for providers with ensuring patient confidence in CMS’ quality of care oversight functions.  The final guidance provides direction to state surveyors in the evaluation of a hospital’s compliance with the Medicare Conditions of Participation (“CoPs”) when it is sharing space or contracted staff through service arrangements with another co-located hospital or healthcare provider.  CMS also reiterated a key tenet of co-location arrangements: that each provider must independently meet its applicable CoPs, but, overall, the final guidance is less prescriptive than the draft guidance CMS released in May 2019, and in its wake raises new questions for providers.

The final guidance directs providers to evaluate any co-location arrangement based on its impact to the totality of the CoPs, and directs surveyors to use compliance with the CoPs as the basis for their surveying.  CMS may have intended this lack of specificity to provide more flexibility to hospitals in how they ensure compliance with the CoPs in co-location situations.  However, the elimination of most of the specific bright-line examples regarding the sharing of space, contracted services, staffing, and emergency services has increased uncertainty and lowered predictability among providers as to whether specific co-located practices are generally allowed or not.

With few specific examples to rely on in the final guidance, the onus will be on hospitals to document and demonstrate to surveyors their compliance with the CoPs when they are co-located with other hospitals or healthcare facilities.  Of note, the guidance states that references to other “healthcare providers” excludes critical access hospitals and private physician offices.  The latter exclusion raises questions as to how hospitals co-located with physician offices in multi-tenant buildings will be surveyed.  The allowableness of shared-space arrangements in such circumstances may hinge on compliance with the provider-based regulation, 42 C.F.R. 413.65.  Hospitals, including provider-based locations of hospitals, are required to meet the definition of a hospital at all times and should note CMS’s longstanding position that hospital space must be under the hospital’s control and be considered hospital space 24/7. Such space cannot be part-time hospital space and part-time used as a physician office or for other non-hospital activities.

Additional observations about the final guidance on co-location and shared space:

  • Does not expressly distinguish between distinct and shared spaces or public spaces/paths of travel and clinical care spaces as the draft guidance did, nor does the final guidance explicitly prohibit the sharing of space where patients receive care.
  • Clarifies that co-located hospitals are permitted to provide services either directly or under contract or arrangement and cites as examples the following services: laboratory, dietary, pharmacy, maintenance, housekeeping, security, food preparation, delivery services and utilities such as fire detection and suppression, medical gases, suction, compressed air, and alarm systems including oxygen alarms.
  • Omits nearly all of the detail from the draft guidance in the instructions to surveyors regarding evaluating contracted services. Instead, CMS simply directs that: “The procedures for surveying contracted services would be the same for co-located hospitals as it would be for surveying any other hospital that has contracted services, see [42 CFR] §482.12(e).”
  • Omits the discussion of clinical services contracts and medical staff being shared or “floating” between co-located hospitals and instead just references the responsibility of each hospital to comply with the medical staff requirements of 42 CFR § 482.22.
  • Clarifies that hospitals can meet the CoP staffing requirements either directly or under arrangement or contract with another entity, including a co-located entity.
  • Clarifies that while hospitals are not required to have an emergency department, they must still provide care to patients in an emergency and “must have appropriate policies and procedures in place for addressing individuals’ emergency care needs at all times.”
  • Omits the proposed guidance discussion related to the hospital contracting with another hospital or entity for the appraisal and initial treatment of its patients experiencing an emergency.
  • Omits the proposed guidance discussion prohibiting hospitals without emergency departments that are co-located with another hospital from arranging for that other hospital to respond to its emergencies to appraise patients and provide initial treatment.
  • Omits much of the language that was in the proposed guidance instructing surveyors on what deficiencies should be cited in particular situations. Surveyors are directed to cite all operational CoP deficiencies “in the same manner as in other hospital surveys.”
  • In addition to a direction to cite the governing-body CoP, directs surveyors to assess the impact of a deficiency at one hospital on the co-located provider. If the deficient practice extends to the co-located provider, CMS may initiate a complaint investigation of the co-located provider.

We will provide more insight and clarity on the final guidance as it becomes available from CMS.

In this episode of the Diagnosing Health Care Podcast:  We’re beginning to see how mergers and acquisitions in the hospital industry are being impacted by President Biden’s executive order promoting competition in the American economy. The Federal Trade Commission recently announced policy changes, and the Department of Justice has been asked to consider policy changes, that boards of directors and C-suite officers must take into account when weighing transactions.

Special guest Dr. Subramaniam (Subbu) Ramanarayanan, Managing Director at NERA Economic Consulting, and Epstein Becker Green attorneys John SterenPatricia Wagner, and Dan Fahey discuss what leaders need to know about the government’s heightened antitrust scrutiny in the hospital market.

The Diagnosing Health Care podcast series examines the business opportunities and solutions that exist despite the high-stakes legal, policy, and regulatory issues that the health care industry faces. Subscribe on your favorite podcast platform.

Listen on Apple PodcastsGoogle Podcasts, Overcast, Spotify, Stitcher, Vimeo, YouTube.

Interest in, and acceptance of, telehealth services continues to grow. Federal and state legislators are under pressure to codify the flexibilities granted in response to the COVID-19 pandemic that increased access to telehealth services. Meanwhile, increased use of telehealth has put a much greater focus on the potential for fraudulent behavior and increased enforcement activity as a result. Telehealth providers should continue to monitor developments in federal and state laws, regulations, and policies to capitalize on telehealth opportunities while at the same time making investments in compliance infrastructures in order to operate in accordance with applicable laws.

Since 2016, Epstein Becker Green has researched, compiled, and analyzed state-specific content relating to the regulatory requirements for professional mental/behavioral health practitioners and stakeholders seeking to provide telehealth-focused services. We are pleased to release our 2021 Telemental Health Laws app, featuring the latest and most comprehensive compilation of state telehealth laws, regulations, and policies within the mental/behavioral health practice disciplines.

The survey’s complete findings are available to download for free as an app for iPhone, iPad, and Android devices. Download the app now and instantly have access to information about:

  • The increased recognition of telehealth benefits
  • The growing focus on telehealth fraud and enforcement
  • General telemental/telebehavioral provisions across the 50 states plus the District of Columbia and Puerto Rico
  • COVID-19’s impact on telehealth at the state and federal levels

Please contact Amy Lerman or Francesca Ozinal with questions.

Other Resources:
Watch our instructional video.
Read our full announcement.

As featured on the Diagnosing Health Care Podcast:  As 2021 nears a close, acute care hospitals and health systems are facing a host of financial, regulatory, and legislative challenges. In this special episode of Diagnosing Health CareRick Pollack, President and CEO of the American Hospital Association, and Epstein Becker Green’s Ted Kennedy, Jr., discuss the ways in which the industry is working with the Biden administration and Congress to shape policy around critical issues, such as surprise billing, coverage expansion, value-based care, and telehealth.

Rick and Ted look at how these policy issues relate to broader market trends. They also dive into the short- and long-term solutions that will affect acute care hospitals into the future.

The Diagnosing Health Care podcast series examines the business opportunities and solutions that exist despite the high-stakes legal, policy, and regulatory issues that the health care industry faces. Subscribe on your favorite podcast platform.

Listen on Apple PodcastsGoogle Podcasts, Overcast, Spotify, Stitcher, Vimeo, YouTube.

While this column typically uses data visualizations you’ve probably seen before, I want to introduce one that perhaps you have not.  This is in the realm of text analysis.  When looking at FDA data, there are numerous places where the most interesting information is not in a data field that can be easily quantified, but rather in narrative text.  Take, for example, Medical Device Reports of adverse events, or “MDRs.”  While we can do statistical analysis of MDRs showing, for example, which product categories have the most, the really interesting information is in the descriptions of the events.

Why do we care?  Those focused on product quality want to learn from history, and how better than from everyone’s history, not just your own.  We can use the MDR data to find out product experiences with broad or narrow product categories.  In the year 2020, for example, there were over 1.5 million such reports.

In this month’s column, I’m going to focus on cardiovascular devices.  I could just as easily focus on software, or all implants or orthopedic devices or any other term that might cover a broad range of products.  Because this stuff isn’t common, I’m going to include the methodology first, and then the visualization.

Methodology

I’m using what is known in data science as topic modeling to extract information from the event descriptions in MDRs.  Topic modeling is an approach that allows us to see the big picture from a long list of documents.  Essentially, topic modeling seeks to identify common topics discussed in a corpus of records.

While the output sort of looks like English, it also sort of does not.  The algorithm is looking for words that are used together frequently.  The algorithm strings those words together based on statistical importance, not based on how an English major would write them.  Further, to help the algorithm recognize that the word “implant,” “implanted,” “implants,” and “implantation” are all pretty similar, we reduce each word to its stem.  In the chart, you will see all variations of the word valve as “valv”.  It takes some getting used to.

In addition, because context is usually important to understand how words are used, we look for phrases, in this case two words that are typically strung together.  We could use however as many words in a phrase as we want, but more words means a lot more computer resources.  In this case, two-word phrases seems to work adequately.

This exercise is a blend of art and science, and one of the judgments to make is the number of topics to consider.  We typically make that decision based on what we refer to as coherence, which is a statistical measure of what is a logical principle: how well the words go together.  We want to find topics that are meaningful to humans.  Another area for using judgment is getting rid of words we don’t care about because they are too common and uninformative.  I removed words such as “complaint” and “patient,” because they were in many of the event descriptions and didn’t add any particularly useful information.

From a technical standpoint, for those interested, I’m using a specific technique called Latent Dirichlet Allocation, a form of unsupervised learning, implemented through the Python library genism.

For cardiovascular devices, I thought it might be interesting to compare the topics that MDRs included in 2010 with those from 2020.  I wanted to see how much change there might be over time.  In the year 2010, there were over 45,000 MDRs for cardiovascular devices, and in 2020, there were almost 85,000.

Charts

A word about reading these charts.  These are what are referred to as heat maps.  The colors correspond with the intensity or value of a particular word, in this case to the topic.  The darker the color, the more important the word in characterizing the meaning of the topic.

Interpretation

An expert in cardiovascular devices will undoubtedly be able to offer much greater insights into what these data mean, but it’s actually interesting that over the course of 10 years, the software found what turned out to be many very similar topics.  The order changed.  But many of the topics seem to be pretty similar.  For those in the industry, that may be a bit depressing as it suggests a lack of progress in fixing common problems.

Balloons rupturing still seems to be an issue.  Guidewire tips still seem to be an issue.  Battery problems still seem to be an issue.  But we also have some new issues, such as problems with a surface cooling device (Arctic Sun®) for therapeutic hypothermia following cardiac arrest.

This technique of topic modeling can be applied as broadly or as narrowly as we wish.  It can be very helpful when doing trend analysis where the valuable underlying data is in large volumes of text rather than structured data.  In future columns, I will dig into other sources of regulatory text to see what information we can mine.

The Federal Trade Commission (“FTC”) recently issued guidance clarifying protections applicable to consumers’ sensitive personal data increasingly collected by so-called “health apps.” The FTC press release indicated it has approved a policy statement by a vote of 3-2 offering guidance that organizations using “health applications and connected devices” to “collect or use” consumers’ personal health information must comply with the cybersecurity, privacy and notification mandates of the Health Breach Notification Rule (the “Rule”).

The FTC’s policy statement, entitled “On Breaches by Health Apps and Other Connected Devices,” attempts to clarify the Rule by stating that mobile health applications and interactive tools used by organizations that are not covered by the Health Insurance Portability and Accountability Act (“HIPAA”) are regulated by the Rule.[1] Significantly, the FTC’s guidance broadly deems developers of health care apps or connected devices to be “health care providers” subject to the Rule because they “furnish health care services or supplies.” It also clarifies that health apps that collect non-health data (such as calendar dates) are within the scope of the Rule. In the wake of the FTC’s statement, any organization that is not covered by HIPAA, but provides or uses mobile or web-based health apps to collect personal health information, should evaluate their coverage under the Rule.

The FTC’s recent expansive view of this Rule—which was initially passed pursuant to the 2009 American Recovery and Reinvestment Act—covers many popular mobile health and fitness related applications and wearables on the market. For example, the FTC explained that any application that “collects information directly from consumers” and has the “technical capacity to draw information through an API [application programming interface] that enables syncing with a consumer’s fitness tracker” is covered under its interpretation of the Rule. The FTC further stated that “an app that draws information from multiple sources is covered, even if the health app comes from only one source.” For example, an application that monitors blood sugar and also takes non-health information from a consumer’s phone’s calendar (i.e., dates) would also be covered. The FTC specifically called attention to “apps and other technologies [that] track diseases, diagnoses, treatment, medications, fitness, fertility, sleep, mental health, diet, and other vital areas.” The FTC press release noted that the increased use of COVID-19 related health applications impacted its policy statement. Entities subject to the Rule may be required to provide notice, including in certain circumstances to the media, in the event of a cybersecurity breach or even in the case of “sharing of covered information without an individual’s authorization.”

The Rule contains statutory definitions that should now be read in light of the policy guidance, applying its provisions to (i) vendors of personal health records (“PHR”); (ii) “PHR related entities”; and (iii) “third party service providers.” The Rule generally requires “vendors of personal health records”, and PHR-related entities to provide notice to affected individuals and the FTC within 60 calendar days after the discovery of a “breach of security.” A provider must notify the vendor or PHR related entity of a breach.

A violation is treated as an unfair and deceptive act or practice under the FTC Act which may carry steep civil penalties of up to $43,792 per violation per day. As of the date of the FTC’s policy statement, however, the FTC has not yet enforced the Rule, and, according to the remarks of FTC Commissioner Rohit Chopra, the FTC and the public have been notified only four times about a breach under the Rule since February 2010.

It is also important to note that there remains a dispute about the scope of the Rule even among the FTC’s commissioners, especially because it has not been interpreted in the context of an FTC enforcement action. For example, Commissioner Christine Wilson wrote, in her dissenting statement, that the Rule was narrowly crafted to apply in limited, highly specific circumstances, and that its scope may depend on whether the personal health records at issue interact with personal health records held by a different vendor. In response to the FTC’s use of the moniker “health care provider” when referring to mobile health applications, Ms. Wilson asked: “How broadly does the Commission intend to read this language?” Similarly, Commissioner Noah Joshua Phillips argued in his dissenting statement that the FTC’s majority goes beyond the text of the Rule in interpreting the definition of “breach of security” to include the unauthorized sharing.

The FTC’s policy statement also comes during the ongoing rulemaking process by the FTC concerning the Rule and the Department of Health and Human Services’ ongoing rulemaking concerning the application of the HIPAA Privacy Rule to mobile health applications. As such, vendors of PHRs should monitor these ongoing rulemaking efforts, which could impact the FTC’s current interpretation of the Rule. Nevertheless, companies subject to the Rule under the current interpretation, can still take proactive measures to avoid a violation by, among other things, assessing the categories of its stored data, undertaking a cybersecurity risk assessment and comprehensive review of privacy policies, and ensuring the existence of a robust security incident response protocol. Notably, the breach notification requirement under the Rule generally only applies to a breach of unsecured PHR identifiable health information. In addition, such entities may have notification obligations under applicable state laws. You can reach out to Epstein Becker Green for further guidance as we will be monitoring the FTC’s enforcement activity closely moving forward.

******************************************************************

[1] 16 C.F.R. §318.1 provides, the rule “applies to foreign and domestic vendors of personal health records, PHI related entities, and third party service providers, irrespective of any jurisdictional tests in the Federal Trade Commission Act (FTC) Act, that maintain information of U.S. citizens or residents. It does not apply to HIPAA-covered entities, or to any other entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity.” HIPAA covered entities and business associates must instead comply with HHS’s breach notification rule. See Dissenting Statement of Commissioner Christine S. Wilson.

Nija Chappel, a Law Clerk – Admission Pending (not admitted to the practice of law) in the firm’s Washington, D.C. office, contributed to the preparation of this post.

On September 30, 2021, the Provider Reimbursement Review Board (the “Board”) issued a revised set of rules that become effective November 1, 2021. These new and revised rules affect all new and some pending Medicare Part A provider appeals. These rules clarify several aspects of Board appeals and simplify some of the Board’s complex procedures.

The most significant change is the requirement that all submissions to the Board must be made electronically through the Office of Hearings Case and Document Management System (“OH-CDMS”) unless the provider or representative submits a request to the Board for an exemption and the Board grants that request. If an exemption is necessary, a provider or representative may communicate with the Board at a new email address (PRRB@cms.hhs.gov).   In order to file documents electronically, providers or their representatives should register with OH-CDMS in advance of any filing date.

In addition to the shift to electronic filing, the Board adopted several changes that are intended to simplify the appeals process and promote greater disclosure.  The most significant changes are summarized below.

  • If a provider designates a representative, it must do so in a letter on the provider’s letterhead. However, if the provider is under the ownership or control of a parent entity, then the representation letter must be on the parent organization’s letterhead and signed by an authorized official of the parent organization.
  • Similarly, a new rule requires that if a provider is owned or controlled by a parent organization, the appeal request must identify the name and address of the parent organization for the year under appeal. This is a departure from past practice, which identified only the legal entity that had been granted a Medicare provider number.
  • The Board clarified the requirements for appeals of self-disallowed and protested costs, and now requires that the provider specify the disputed item in its cost report in order to preserve the claim for review.
  • A new rule obligates the Medicare Administrative Contractor (“MAC”) to ensure that any evidence the MAC, CMS, or the Secretary considered in making its determination is included in the case record. This new rule may reduce the necessity for discovery requests and delays in resolving appeals.
  • For group appeals, the Board added a new requirement that a group representative must report to the Board that a group is either complete or provide reasons why the group should be held open.
  • A new rule that applies to appeals filed after August 29, 2018 would give providers the option of relying on their preliminary position paper and waive the filing of a final position paper. Providers would have to submit all of their arguments and exhibits with the preliminary position paper, and could elect to submit a rebuttal to the MAC’s position paper. This step would avoid duplicating arguments, and may reduce the number of appeals dismissed based on a failure to file a timely final position paper.
  • The new rules also revise the Board procedures when a party requests expedited judicial review (“EJR”) that involves a challenge to a statute, regulation, or CMS ruling. If a MAC opposes a provider’s request for EJR, then it must now file any jurisdictional challenge within five days of the date that the EJR request is filed.
  • The Board revised its rules governing substantive claim challenges to specify that when any party questions whether a cost report included an appropriate claim for reimbursement, that challenge must be filed no later than the filing deadline for the MAC’s preliminary position paper. If the matter involves a request for EJR, then any substantive claim challenge must be filed within five business days of the EJR request. This would allow for better coordination of proceedings before the Board before any decision to allow the provider to bypass the Board and seek judicial review.

The changes made by the Board in this version of its procedural rules continue the trend of requiring additional specificity and clarity when providers prepare their cost reports, and obligate the MACs to disclose more information earlier in the appeal process. With the adoption of these new rules, providers must plan and consider potential appeal issues during the cost report filing stage to ensure that their appeal rights are protected.

In this column, in the coming months we are going to dig into the data regarding FDA regulation of medical products, deeper than the averages that FDA publishes in connection with its user fee obligations.  For many averages, there’s a high degree of variability, and it’s important for industry to have a deeper understanding.  In each case, we will offer a few preliminary observations on the data, but we would encourage a conversation around what others see in the data.

Chart

This is an interactive chart that you can explore by clicking on the colors in the legend to see how specific therapeutic areas stack up against the average.

Methodology

We want to understand FDA’s performance generally with regard to review times associated with 510(k)s across all medical devices.  Using data available from openFDA, we selected the data for the last almost 12 years, from January 1, 2010 until September 1, 2021, based on the date FDA receives the premarket notification.  Data older than that are probably not terribly relevant.  We further filtered for traditional 510(k)s because special and abbreviated submissions have different review processes, and likewise we removed any that had received expedited review.  We then removed any product codes that had three or fewer submissions during that time.  We wanted to get rid of anything that was simply too anecdotal, too noisy.  That sorting left us with just over 25,000 submissions, and 852 pro codes used.

To calculate the review time, we used the difference between date received and date decided, although we realize that FDA has additional data that it uses to calculate its actual review time in a more nuanced way, differentiating between time at FDA and time where the clock is turned off because the manufacturer is supposed to be doing something.  We calculated averages for each individual pro code.  The x-axis in the graph is simply all of the product codes sorted by average review time from the quickest to the longest.

We wanted to add in an average, and the most natural probably would’ve been the average of the pro code averages included in the graphic.  But that ignores the fact that some pro codes have lots more products than others.  The average of the pro code averages was 176.5 days.  The average of all the 25,000 submissions was 163.5 days.  It’s apparently lower because some of the quicker pro codes apparently have more devices in them.  In the chart, we went with the simple average of submissions, as that is most akin to the data that FDA typically publishes.

Observations

We would note that we aren’t entirely sure the range of factors that drive review times.  Certainly it would seem that higher risk and complexity would be likely to lead to higher review times.  But in the years that we’ve been doing this work, those are not by themselves reliable predictors of how long a review will take.  Novelty is also important, although novelty is less of a factor in the 510(k) process because the process is based on a substantial equivalence claim.  But it’s also pretty obvious that a lot of administrative circumstances impact review times, such as high reviewer turnover in a branch.  At any rate, this data does not give us information on why certain product codes would have higher review times.  We will leave that to future inquiry.  Here we just want to tease apart the variance.

Big Picture

At each end of the graph, we see sharp nonlinear growth, presumably for what are in a sense outliers.  On the left-hand side, we have rapid acceleration from the quickest reviews of about 50 days up to about 100.  At the other side, we have a quick increase from 300 to the very top at over 500 days.  But in between those two extremes, from about a review time of 100 days to about 300, it’s a pretty steady linear climb.  That’s a bit surprising, and it reveals that really there is no such thing as an average.  There is no plateau among the review times around the mathematical average.  Indeed, we don’t see any plateaus at all.  Apparently, it really does matter what product we are talking about when trying to predict a review time.

Therapeutic Areas

Remember that in FDA’s organizational chart, reviews within the Office of Device Evaluation (“ODE”) are organized by therapeutic area.  That makes sense, as you want the same people generally with therapeutic expertise reviewing devices in that therapeutic area.  In this graph, product codes are assigned to an applicable therapeutic area.

Notice that really none of the product codes in a given therapeutic areas are extremely clustered, either low or high.  That suggests that no particular therapeutic review branch is substantially quicker than the rest.  But within that general observation, there are definitely some small clusters of review times for product codes within the different therapeutic areas.

It would actually be pretty remarkable if an organization the size of ODE could achieve uniformity of review times across all review branches.  But this is unexpectedly evenhanded.