The healthcare industry is still struggling to address its cybersecurity issues as 31 data breaches were reported in February 2019, exposing data from more than 2 million people.  However, the emergence of artificial intelligence (AI) may provide tools to reduce cyber risk.

AI cybersecurity tools can enable organizations to improve data security by detecting and thwarting potential threats through automated systems that continuously monitor network behavior and identify network abnormalities.  For example, AI may offer assistance in breach prevention by proactively searching and identifying previously unknown malware signatures.  By using historical data, these applications learn to detect malware issues even when such threats are not previously known. Utilizing these tools may prove more effective compared to conventional cybersecurity practices.

Recently, government agencies have endorsed the use of AI as having tremendous potential moving forward.  In December 2018, HHS launched a pilot that combined AI, automation, and blockchain technology.  This pilot was used to create cost savings as well as design better contracts while also ensuring sensitive data was encrypted and secured within a cloud-based system. Additionally, in January 2019, the Department of Health and Human Services’ shared services organization began building a contract vehicle, known as the Intelligent Automation/Artificial Intelligence (IAAI) contract, which offers “a host of automation and AI technologies and support services, including robotic process automation, machine and supervised learning and machine,” to help other agencies integrate AI technologies into their workflows.  Yet, certain lawmakers continue to express concern regarding appropriate and ethical use of AI.

Though AI is having a transformative effect on the healthcare industry relative to cybersecurity, there are still serious concerns regarding the technology.  First, some AI tools could be used maliciously by criminals to threaten digital and physical security.  External threats may train machines to hack systems at human or superhuman levels.  Secondly, organizations relying too heavily on AI may fail to hire sufficient specialized security personnel to properly manage and oversee cybersecurity operations.  For instance, a 2018 Ponemon report provided that 67 percent of IT and security professionals believed that automation was “not capable of performing certain tasks that the IT security staff can do” and roughly 55 percent believe automation cannot “replace human intuition and hands-on experience.”  Thus, poorly implemented and managed AI could result in greater risk.

Given the nascent state of AI in cybersecurity, entities should approach adoption of AI with caution.  Further, successful implementation and use of AI should be predicated on first establishing policies and procedures for managing cyber risk.  Organizations should continue to maintain a team of highly skilled security personnel to oversee the implementation and use of AI tools and be on hand to make critical, real-time decisions where automation cannot resolve a cybersecurity issue.  O, brave new world….


Brian Hedgeman


Alaap B. Shah

Consumer privacy protection continues to be top of mind for regulators given a climate where technology companies face scrutiny for lax data governance and poor data stewardship.  Less than a year ago, California passed the California Consumer Privacy Act (CCPA) of 2018 to strengthen its privacy laws.  In many regards, the CCPA served as a watershed moment in privacy due to its breadth and its similarities to the E.U.’s sweeping General Data Protection Regulation (GDPR).

Yet, California continues to push the envelope further.  Recently, California State Senator Jackson and Attorney General (AG) Becerra introduced a new bill (SB561) that would expand the consumer’s right to bring private lawsuits for violations of the CCPA. If passed, SB561 will: (1) provide for a private right of action for all CCPA violations—not just those stemming from a data breach; (2) eliminate the 30-day period for businesses to cure after receiving notice of an alleged violation; and (3) allow the AG to publish guidance materials for businesses instead of allowing businesses the option to seek specific opinions of the AG. Currently, the CCPA allows the AG’s office to bring actions against businesses in most instances, permitting consumers to bring private actions only in instances of a data breach resulting from a business’s failure to implement reasonable security measures. If SB561 is passed, the CCPA will materially expose businesses to private actions for damages for other violations under the CCPA, including failure to provide consumers with the notifications required under the CCPA.

These developments are just the tip of the iceberg.  Emboldened by California’s example, many other states are following suit. As such, businesses that implement an effective CCPA compliance program will likely be positioned to satisfy potential compliance obligations in other states moving forward.  For example, Colorado recently passed a sweeping law to protect patient privacy (HB18-1128), which went into effect September 1, 2018.  Colorado now requires covered entities (e.g., business entities that maintain, own, or license personal identifying information (PII) in the course of their business) to implement, and ensure that third-party service providers implement, reasonable security procedures and practices.  Additionally, the law requires covered entities to develop written policies and procedures concerning the destruction of paper and electronic documents that contain PII. Further, the law authorizes the AG to bring criminal prosecution against covered entities that violate the new rules.

Other states including Hawaii, Maryland, Massachusetts, New Mexico, New York, North Dakota, Rhode Island, and Washington are also using the CCPA and the GDPR as templates to perform similar overhauls of their privacy laws. As a result of this state law trend, businesses should closely monitor the legislative progress of these state bills.  Further, if businesses have not yet started shoring up their privacy and data security practices and programs, they had better do so in short order. It is likely that many of these state laws, if passed, will carry stiff penalties for noncompliance and may subject businesses to class actions.

In addition to these piecemeal state law efforts to strengthen privacy, the U.S. Chamber of Commerce is currently exploring whether a federal consumer privacy protection law should be enacted.  It appears that the privacy tidal wave starting on California’s west coast is making its way eastward . . . .



Daniel Kim


Alaap B. Shah

One well-recognized way to protect patient privacy is to de-identify health data.  However, trends around increases in publicly-available personal data, data linking and aggregation, big data analytics, and computing power are challenging traditional de-identification models.  While traditional de-identification techniques may mitigate privacy risk, the possibility remains that such data may be coupled with other information to reveal the identity of the individual.

Last month, a JAMA article demonstrated that an artificial intelligence algorithm could re-identify de-identified data stripped of identifiable demographic and health information. In the demonstration, an algorithm was utilized to identify individuals by pairing daily patterns in physical mobility data with corresponding demographic data. This study revealed that re-identification risks can arise when a de-identified dataset is paired with a complementary resource.

In light of this seeming erosion of anonymity, entities creating, using and sharing de-identified data should ensure that they (1) employ compliant and defensible de-identification techniques and data governance principles and (2) implement data sharing and use agreements to govern how recipients use and safeguard such de-identified data.

De-identification Techniques and Data Governance

The HIPAA Privacy Rule (45 C.F.R. §164.502(d)) permits a covered entity or its business associate to create information that is not individually identifiable by following the de-identification standard and implementation specifications (45 C.F.R. §164.514(a)-(b)).

In 2012, the Office for Civil Rights (OCR) provided guidance on the de-identification standards. Specifically, OCR provided granular and contextual technical assistance regarding (i) utilizing a formal determination by a qualified expert (the “Expert Determination” method); or (ii) removing specified individual identifiers in the absence of actual knowledge by the covered entity that the remaining information could be used alone or in combination with other information to identify the individual (the “Safe Harbor” method).

As publicly-available datasets expand and technology advances, ensuring that the Safe Harbor method sufficiently mitigates re-identification risk becomes more difficult.  More data and more computing power arguably increase the risk that de-identified information could be used alone or in combination with other information to identify an individual who is a subject of the information.

Given the apparent practical defects in the “Safe Harbor” method, many organizations are applying a more risk-based approach to de-identification through the use of the “Expert Determination” method.  This method explicitly recognizes that risk of re-identification may never be completely removed. Under this method, data is deemed de-identified if after applying various deletion or obfuscation techniques the “risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information . . . .”

In light of the residual risks associated with de-identified data generally, it is important that organizations continue to apply good data governance principles when using and disclosing such data.  These best practices should include: data minimization, storage limitation, and data security.  Organizations should also proceed with caution when linking data sets together in a manner that could compromise the integrity of the techniques used to originally de-identify the data.
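The residual risk the two preceding paragraphs describe can be measured rather than asserted. The following is an added example, not code from the original post or from OCR’s guidance: it takes a constructed Safe Harbor style extract (no names, dates reduced to age, ZIP truncated to three digits) and counts how many records share each combination of quasi-identifiers (age, sex, ZIP3). A record that is unique on those fields is exactly the record an anticipated recipient holding a complementary resource with the same fields could match. Treating 1/k (k = size of a record’s equivalence class) as the re-identification risk and generalizing fields until every class reaches a minimum size is one common way an expert might operationalize “very small” risk; that metric and threshold are this example’s assumptions, not a standard the guidance prescribes. The sample data are invented.

```python
from collections import Counter

# Constructed sample: a Safe Harbor style extract (no direct identifiers, age in years,
# ZIP code truncated to 3 digits). Every value below is invented for illustration.
RECORDS = [
    {"age": 34, "sex": "F", "zip3": "021", "dx": "asthma"},
    {"age": 36, "sex": "F", "zip3": "021", "dx": "migraine"},
    {"age": 71, "sex": "M", "zip3": "021", "dx": "copd"},
    {"age": 72, "sex": "M", "zip3": "021", "dx": "diabetes"},
    {"age": 29, "sex": "M", "zip3": "024", "dx": "depression"},
    {"age": 58, "sex": "F", "zip3": "024", "dx": "hypertension"},
    {"age": 59, "sex": "F", "zip3": "024", "dx": "asthma"},
    {"age": 25, "sex": "M", "zip3": "024", "dx": "anxiety"},
]

# Fields that a complementary public resource (voter roll, marketing list) plausibly
# also carries; these are the quasi-identifiers a linkage would key on.
QUASI_IDENTIFIERS = ("age", "sex", "zip3")


def equivalence_classes(records, keys):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[k] for k in keys) for r in records)


def risk_profile(records, keys):
    """Summarize re-identification risk using equivalence-class size k (risk = 1/k)."""
    classes = equivalence_classes(records, keys)
    sizes = [classes[tuple(r[k] for k in keys)] for r in records]
    unique = sum(1 for s in sizes if s == 1)
    return {
        "min_k": min(sizes),                      # smallest group any record hides in
        "unique_fraction": unique / len(records),  # share of records that are singletons
        "max_risk": max(1 / s for s in sizes),     # worst-case record
        "avg_risk": sum(1 / s for s in sizes) / len(records),
    }


def generalize(records, age_band=10, zip_digits=3):
    """Coarsen quasi-identifiers: age into bands, ZIP3 to fewer leading digits."""
    out = []
    for r in records:
        g = dict(r)
        lo = (r["age"] // age_band) * age_band
        g["age"] = f"{lo}-{lo + age_band - 1}"
        g["zip3"] = r["zip3"][:zip_digits] + "*" * (3 - zip_digits)
        out.append(g)
    return out


def generalize_until(records, k, age_bands=(5, 10, 20), zip_digits=(3, 2, 1)):
    """Try progressively coarser quasi-identifiers until every class has >= k records.

    Returns ((age_band, zip_digits), generalized_records), or (None, None) when no
    combination tried reaches the threshold, i.e. residual risk remains and further
    suppression or contractual controls are needed.
    """
    for zd in zip_digits:
        for band in age_bands:
            g = generalize(records, age_band=band, zip_digits=zd)
            if risk_profile(g, QUASI_IDENTIFIERS)["min_k"] >= k:
                return (band, zd), g
    return None, None


if __name__ == "__main__":
    print("raw extract:", risk_profile(RECORDS, QUASI_IDENTIFIERS))
    params, g = generalize_until(RECORDS, k=2)
    print("k>=2 reached with (age_band, zip_digits) =", params)
    print("generalized:", risk_profile(g, QUASI_IDENTIFIERS))
    print("k>=3 reachable:", generalize_until(RECORDS, k=3)[0] is not None)
```

On the constructed extract every record is unique on (age, sex, ZIP3), so the worst-case risk is 1 despite the data being Safe Harbor style. Banding age to ten years brings every class to k=2, but no generalization tried reaches k=3 with only eight rows, which is the point the Expert Determination discussion makes: the risk is reduced, not eliminated, and what remains has to be covered by data governance and recipient agreements.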

Data Sharing and Use Agreements

Regardless of the de-identification approach, the lingering risk of re-identification can be further managed through contracts with third parties who receive such data.  Though not required by the Privacy Rule, an entity providing de-identified data to another party should enter into a data sharing and use agreement with the recipient.  Such agreements may include obligations to secure the data, prohibit re-identification of the data, place limitations on linking data sets, and contractually bind the recipient to pass on similar requirements to any other downstream party with whom the data is subsequently shared. Further, such agreements may include provisions prohibiting recipients from attempting to contact individuals who provided data in the set and may also include audit rights to ensure compliance.

The risk of re-identification may be a tradeoff to realize the vast benefits that sharing anonymized health data provides; however, entities creating, using and sharing de-identified data should do so responsibly and defensibly.


Alaap B. Shah


Elizabeth Scarola

On February 15, 2019, the U.S. Food and Drug Administration (“FDA”) finalized two guidance documents regarding regenerative medicine therapies (see FDA’s announcement here). This development comes nearly 14 months after FDA issued both guidance documents in draft form, which also coincided with FDA’s announcement of a new comprehensive regenerative medicine policy framework intended to spur innovation and efficient access to new regenerative medicine products.

FDA Commissioner Scott Gottlieb remarked that the finalization of regenerative therapy guidance documents “demonstrate[s] [FDA’s] continued commitment” to fulfilling the promise of providing a clear and predictable pathway to approval. Moreover, he noted that these guidance documents help stakeholders to “understand our regulatory framework” and, in turn, “may help to more efficiently advance access to safe and effective regenerative medicine therapies.” These guidance documents, which are discussed in further detail below, provide information to product developers about FDA’s current thinking with respect to evaluating devices used with regenerative medicine advanced therapies and provide information on the expedited development programs that may be available.

Guidance for Industry: Evaluation of Devices Used with Regenerative Medicine

The final guidance entitled “Evaluation of Devices Used with Regenerative Medicine Advanced Therapies” (available here) clarifies how FDA will evaluate devices used in the recovery, isolation, or delivery of regenerative medicine advanced therapies (RMATs). This guidance finalizes FDA’s current thinking on how the agency will streamline and simplify its application of regulatory requirements for combination device and cell or tissue products.

In this guidance document, FDA acknowledges that a wide range of devices may be used in conjunction with an RMAT, ranging from simple, low-risk devices to complex, higher risk devices to devices that are constituent parts of an RMAT that is classified as a combination product. FDA reiterates that the primary factor in determining the availability of premarket pathways for a device is the device’s classification (i.e., Class I, Class II, or Class III), followed by the risks associated with the device type and the level of regulatory controls necessary to provide a reasonable assurance of safety and effectiveness.

In addition, FDA discusses the factors it will consider when determining whether a device may be labeled for use with a specific RMAT or class of RMATs. When determining which devices may be suitable for use with a specified RMAT or type of RMAT, FDA will consider the distinct biological and physical characteristics of RMATs, intended use, and conditions for use. With respect to cellular products that are RMATs, FDA intends to review the cellular products’ characteristics, their interaction with different devices, as well as any impact on cell viability, differentiation potential, activation state and ability to respond to stimuli after administration and other similar factors.

Substantively, there were no major or unexpected changes between the draft guidance and the final guidance issued by FDA.

Guidance for Industry: Expedited Programs for Regenerative Medicine Therapies for Serious Conditions

The second final guidance, “Expedited Programs for Regenerative Medicine Therapies for Serious Conditions” (available here), provides information regarding the use of accelerated approval pathways for regenerative medicine therapies that have been granted designation as an RMAT, as well as considerations in the clinical development of regenerative medicine therapies and opportunities for sponsors of such products.

This guidance makes clear that the following therapies could qualify for an RMAT designation: cell therapies, therapeutic tissue engineering products, human cell and tissue products, and combination products using any such therapies or products, except those regulated solely under section 361 of the Public Health Service Act (42 U.S.C. 264) and 21 C.F.R. Part 1271. Notably, the final version of this guidance clarifies that “cell therapies” includes both allogeneic and autologous cell therapies, as well as xenogenic cell products. Products that qualify for an RMAT designation receive all of the benefits of the fast track and breakthrough therapy designation programs, including early interactions with FDA. Although sponsors may apply for and receive both breakthrough and RMAT designation for a product, FDA advised that each designation requires a separate application.

Factors that FDA may consider when determining whether the preliminary clinical evidence is sufficient to support RMAT designation include, but are not limited to, the rigor of data collection; the consistency and persuasiveness of outcomes; the number of subjects and sites contributing to the data; and the severity, rarity, or prevalence of the condition. Unlike the breakthrough therapy designation, RMAT designation does not require a sponsor to produce evidence indicating that the drug offers a substantial improvement over available therapies.

To apply for RMAT designation, a sponsor should submit either a new investigational new drug application (“IND”) or an IND amendment, along with a concise summary of information in support of the RMAT designation. The application should include a description of the investigational product; rationale for the investigational new drug meeting the definition of an RMAT; a discussion to support that the disease or condition the product is intended to treat is serious; and preliminary clinical evidence that the product has the potential to address the specified unmet medical need for the serious condition. The requirement to provide a description of the product is new to the final guidance.  No later than 60 calendar days after receipt of the designation request, FDA will notify the sponsor as to whether the regenerative medicine therapy has received the RMAT designation.

Finally, this guidance provides recommendations for clinical trial design. FDA states that it will consider clinical trials in support of a Biologics License Application (“BLA”) that “incorporate adaptive designs, enrichment strategies, or novel endpoints.” This final guidance provides new language indicating that historical controls and natural history data (the course a disease takes from its onset, through presymptomatic and clinical stages, to a final outcome in the absence of treatment) may be considered, if appropriate. Natural history data, however, may only provide the basis of a historical control if the “control and treatment populations are adequately matched, in terms of demographics, concurrent treatment, disease state, and other relevant factors.”

FDA’s continued focus on developing and finalizing guidance in the regenerative medicine space suggests that FDA is serious about helping industry to both navigate the application process in an effort to streamline the premarket approval process and to better understand and address identified regulatory pain points. For these reasons, sponsors of investigational regenerative therapies should pay close attention to and take into consideration the recommendations set forth in these final guidance documents.

On February 11th, blockchain advocates, digital health enthusiasts, and patients received positive news from the Centers for Medicare and Medicaid Services (“CMS”) and the Office of the National Coordinator for Health Information Technology (“ONC”) regarding patient data sharing.  These rules, taken together, seek to make data more liquid, which can promote patient access, continuity of care, research, collaboration across the industry and several other activities that previously faced challenges within a health care system built on data silos.

First, CMS published a proposed rule that seeks to increase interoperability and patient access to health records. CMS Administrator, Seema Verma, explained that the proposal seeks to “break down existing barriers to important data exchange needed to empower patients by giving them access to their health data.”  Second, ONC published a proposed rule aiming to deter and penalize information blocking.  As a result of lack of interoperability and information blocking, data sharing has been challenging across the industry and patients have historically struggled to gain access to their health records, which health providers and payors claimed they owned.  These proposed rules take notable steps to open avenues for data sharing and shift the role of patients with respect to their own health data.

The CMS proposed rule requires Medicare Advantage (“MA”) organizations, state Medicaid and Children’s Health Insurance Program (“CHIP”) Fee for Service (“FFS”) programs, Medicaid Managed Care Plans, CHIP managed care entities, and Qualified Health Plan (“QHP”) issuers in federally facilitated exchanges (“FFE”) to (1) provide convenient access to health care records to patients, (2) support the electronic exchange of data for transitions of care as patients move between the aforementioned plan types, and (3) require participation in trust networks to improve interoperability. Additionally, the proposed rule requires Medicare-participating hospitals, psychiatric hospitals, and Critical Access Hospitals (“CAHs”) to send electronic notifications when a patient is admitted, discharged, or transferred.

The ONC proposed rule establishes conditions for maintaining electronic health record (“EHR”) certification centered around preventing information blocking and developing technical methods for data sharing.  Specifically, health IT developers will be required to (1) attest that they will not engage in information blocking, (2) include application programming interfaces (APIs) in certified EHR technology, and (3) develop common data export formats to allow for transitions of care, data sharing, and EHR switching.  It is also important to note that the proposed rule established seven explicit exceptions to the information blocking prohibition, including promoting the privacy and security of health information.

These rules could serve as a watershed moment in terms of data ownership, sharing and patient access.  Yet, these rules could be disruptive to the way stakeholders in healthcare have historically operated relative to each other and the patients they serve.  In any case, the regulators have sent their message . . . the “walls” must come down and data ought to flow more freely.

CMS and ONC have requested that stakeholders provide comments within 60 days of issuance of the proposed rule.


Alaap B. Shah


Ebunola Aniyikaiye

GenomeDx Biosciences Corp., which markets a genomic test (Decipher®) intended to assess the aggressiveness of prostate cancer, has agreed to pay $1.99 million to the U.S. Department of Justice to resolve allegations that it violated the False Claims Act (31 U.S.C. §§ 3729 et seq.) (“FCA”) by submitting claims to Medicare for tests conducted to evaluate treatment options for men after prostate surgery.

The government and a whistleblower alleged that between September 2015 and June 2017, GenomeDx knowingly submitted Medicare reimbursement claims for the Decipher® test that did not meet the six clinical prerequisites in the Local Coverage Determinations (“LCDs”) published by each of the Medicare Administrative Contractors (MACs). LCDs are published by MACs when they make a determination that an item or service meets (or does not meet) the “reasonable and necessary” test in Section 1862(a)(1)(A) of the Social Security Act and under what circumstances. The prerequisites for a prostate cancer classifier assay to be deemed medically necessary include (1) evaluation for postoperative secondary therapy due to one or more risk factors for a recurrence within 60 months after a radical prostatectomy surgery, (2) no evidence of any distant metastasis, and (3) pathological stage T2 disease with a positive surgical margin or pathological stage T3 disease, or rising prostate-specific antigen levels after an initial test result of 0.2 ng/ml or less.

Therefore, for each claim, the government and the whistleblower alleged that GenomeDx had certified that the test was reasonable and necessary as defined in the LCD even though the clinical criteria or documentation requirements had not been met because the patients did not have risk factors necessitating the test.

The issue of medical necessity for diagnostic services continues to be a primary issue in many health care-related cases filed pursuant to the FCA.  The federal courts have confirmed that a laboratory may rely on the ordering physician’s determination of medical necessity because laboratories do not and cannot treat patients or make medical necessity determinations; however, laboratories may still be liable under the FCA if the laboratory knowingly presents claims for reimbursement that are not medically necessary.

Moreover, Medicare will still require documentation that demonstrates medical necessity to support payment for the test services. Thus, if adequate documentation is not provided, even when the ordering provider failed to maintain the appropriate diagnostic or other medical information for his or her patient, it is the laboratory that will suffer the consequences of the denial or recovery of reimbursement for the claim.

This settlement highlights the need for clinical laboratories, and all Medicare providers and suppliers, to determine if any national or local coverage policies apply to their services and the prerequisites prior to submission of claims, and to file those claims only where there is a good faith belief that any relevant prerequisites have been met.  Jurisdiction of claims for laboratory services furnished by an independent laboratory normally lies with the MAC serving the area in which the laboratory test is performed.  If there is a disagreement with the national or local coverage determination, there are procedures to either challenge the policy or to request that the policies be revised and updated.

Gummies, brownies, sodas, cookies . . . consumer appetite for food and dietary supplement products containing cannabidiol (“CBD”) has grown over the last few years as states have moved to legalize cannabis for medical or limited recreational use.  With the passage of the 2018 Farm Bill on December 20, 2018, which legalized the cultivation of hemp for certain purposes, the “edibles” industry appeared poised for further expansion.

However, recent developments at both the federal and state level may be putting the “edibles” industry on a diet.  In the past week, bans on the sale of foods and beverages with added CBD have been reported in three jurisdictions—Maine, Ohio, and New York City. Maine Department of Health and Human Services officials are reported to have ordered the removal of any edible product containing CBD from store shelves, including foods, tinctures, and capsules.  Further, the Ohio Department of Agriculture is reported to have put an “embargo” on products containing CBD. News sources report that government officials from these states began enforcement of this policy by seizing products from local businesses.  Finally, the New York City Department of Health and Mental Hygiene appears to have instructed New York City businesses to stop selling any foods or drinks with CBD as a food additive.

These state and municipal actions are the most recent governmental bite out of the edibles industry.  Concurrent with the passage of the Farm Bill, FDA Commissioner Scott Gottlieb released a statement cautioning that the new law did not alter the agency’s position on CBD added to food or contained in dietary supplements.  Rather, according to the statement, it is unlawful under the Federal Food, Drug, and Cosmetic (“FD&C”) Act “to introduce food containing added CBD . . . into interstate commerce, or to market CBD . . . products as, or in, dietary supplements, regardless of whether the substances are hemp-derived. This is because both CBD and THC are active ingredients in FDA-approved drugs and were the subject of substantial clinical investigations before they were marketed as food or dietary supplements.” A newly-added FDA webpage, “FDA and Marijuana: Questions and Answers,” similarly asserts this view.

FDA’s position is rooted in two provisions of the FD&C Act, namely 21 U.S.C. §§ 331(ll) and 321(ff)(3)(B). These provisions prohibit the sale of any food or dietary supplement, respectively, which contains an ingredient that was the subject of clinical investigations or approved as a drug by FDA before the ingredient was marketed in the food or dietary supplement. FDA maintains that CBD was approved as a drug ingredient by the agency (i.e., the anti-epilepsy drug Epidiolex®) before it was marketed in food, and therefore “it is a prohibited act to introduce or deliver for introduction into interstate commerce any food . . . to which . . . CBD has been added.”

It remains to be seen whether other state and local governments will follow the lead of Maine, Ohio, and New York City by banning the sale of edibles, either for public health concerns or to conform with FDA policy. Given consumer demand for and industry investment in CBD products, other states and localities may face opposition to such actions.

These same factors also may encourage FDA to reexamine its current policy; indeed, the Commissioner’s statement acknowledged that FDA could, through rulemaking, allow the use of CBD in traditional food and dietary supplement products, and announced the agency’s intent to “hold a public meeting in the near future for stakeholders to share their experiences and challenges with these products, including information and views related to the safety of such products.”  Stakeholders with an interest in consumer-based CBD products—as well as in developing other hemp-derived cannabinoid compounds for the consumer market—may wish to consider an FDA engagement strategy as part of their business development plans.

There is a new kid on the block . . . the Chief Data Officer (CDO).  There is no surprise in our data-driven world that such a role would exist. Yet, many organizations struggle with defining the role and value of the CDO. Effective implementation of a CDO may be informed by other historical evolutions in the C-Suite.

The rise of the Chief Compliance Officer (CCO) in the 2000s offers a useful parallel: organizations faced many of the same frustrations when implementing the CCO role. While organizations were accustomed to having legal, HR, and internal audit departments working together to ensure compliance, CCOs suddenly stepped in to pull certain functions from those departments into the folds of the newly-minted Compliance department.  Integrating CDOs appears to follow a similar approach. Particularly in health care, the CDO role is still evolving, absorbing functionality from other departments as demand inside organizations intensifies around the financial benefits of their data pools.

Corporate evolution is challenging and often uncomfortable, but the writing is on the wall . . . there are two types of companies:  ones that are data-driven and ones that should be.  Which will you be?

What Is a Chief Data Officer?

CDO responsibilities will vary depending on the organization. Some organizations position the CDO to oversee data monetization strategies, which requires melding business development acumen with attributes of a Chief Information Officer. In some organizations, the CDO may oversee the collection of all of the company’s data in order to transform it into a more meaningful resource to power analytical tools.

A survey of CDO positions identified three common aspirations that organizations have for the role: Data Integrator, Business Optimizer, and Market Innovator. Data Integrators primarily focus on infrastructure to give rise to innovation. Business Optimizers and Market Innovators focus on optimizing current lines of business or creating new ones. These aspirations will likely vary depending on the nature and maturity of organizations. Regardless of the specific role, CDOs can help organizations bridge the widening gap between business development, data management, and data analytics.

Further, a key component of a CDO’s activity will relate to responsible data stewardship.  CDO activities will heavily depend on developing a data strategy that complies with legal, regulatory, contractual and data governance boundaries around data collection, use and disclosure.  CDOs should work closely with legal counsel and compliance personnel to effectively navigate these challenges.  Further discussion of the legal and regulatory landscape around data use is available here.

The Importance of CDOs in Transforming Healthcare Companies

It is clear that leveraging data will be key to innovating, gaining efficiencies, and driving down costs over time.  Yet, many organizations continue to struggle with making sense of the data they possess.   For some, the CDO may be a critical driving force to advance a business into a new landscape.  Just as the CCO helped address decades of frustration with corporate ethics and practices (and was soon demanded by lawmakers and regulators), the role of the CDO has emerged in response to demand for efficiencies in business practices and the recognition that data has become the world’s most valuable commodity.

In light of the explosion of data in the healthcare industry, organizations should consider whether and how a CDO will fit into the corporate structure. Furthermore, organizations should work to understand how having a person at the table with a keen eye towards giving life to an organization’s data resources can benefit the business long term from internal and external perspectives.  The ultimate question a CDO can help solve is:  What don’t we know that, if we knew, would allow our organization to innovate or operate more efficiently or effectively?


Alaap B. Shah


Andrew Kuder

For the first time since 2008, the Advanced Medical Technology Association (“AdvaMed”) has updated its “Code of Ethics on Interactions with Health Care Professionals.”  These updates were announced on January 9, 2019 and will become effective on January 1, 2020.

AdvaMed’s goal in updating the Code was to address the evolving nature of interactions between the medical device industry and health care professionals (“HCPs”), bring existing examples up to date, and enhance user-friendliness.  Topics that were previously covered in multiple areas of the Code are now consolidated into more comprehensive sections on Company Programs, Third-Party Programs, and Travel and Meals.  There are also three new sections: Jointly Conducted Education and Marketing Programs, Communicating for the Safe and Effective Use of Medical Technology, and Company Representatives Providing Technical Support in the Clinical Setting.  Additionally, the updated Code includes language that clarifies when it is acceptable to provide evaluation products, and adds further detail to the section on Consulting.  These changes are explained in more detail below.

Consulting Arrangements with HCPs

While the updated section on consulting arrangements retains much of the same content as the previous version, it also provides additional clarity on determining whether there is a legitimate need for consulting services, explaining that a legitimate need arises when a company requires the services of an HCP to achieve a specific objective.  It also specifies that rewarding an HCP for referrals, or designing an arrangement to generate business, are not considered legitimate needs.  Additionally, the updated section includes criteria on how manufacturers can establish fair market value compensation rates for consulting services.  These include the HCP’s specialty, years and type of experience, geographic location, practice setting, and the type of service performed.

Third-Party Programs

The updated Code consolidates existing language on providing support for third-party educational, charitable, and research programs into one section on grants, donations, and commercial sponsorships.  This section includes a checklist that companies can use to review requests for educational grants, and adds language on whether companies can host satellite symposia.  It also expands and clarifies the requirements for supporting independent research grant requests or charitable donations.

Travel and Meals

The updated Code also consolidates its previous guidance on travel and lodging into one section and provides clarity on situations for which a company may pay for travel and lodging expenses (e.g., consulting, training, legitimate need for meeting, HCP presence) and when such payments are prohibited (e.g., general education, attending a third-party program, no legitimate need).  It also includes additional information on evaluating appropriate venues for meetings, taking into consideration whether the venue is in a central location and whether it is conducive to an exchange of information. The added language also places a limit on “top category” or luxury hotels.

Jointly Conducted Education and Marketing Programs

The Code’s new section on Jointly Conducted Education and Marketing Programs explains that these programs are typically educational programs aimed at highlighting a medical technology as well as an HCP’s ability to treat a condition using that technology (e.g., a manufacturer promotes its surgical implant device while a surgeon discusses his or her ability to perform the implant procedure using the device).  AdvaMed acknowledges the benefits of such jointly conducted programs; however, it also advises manufacturers to follow certain principles to ensure that the program does not unduly benefit the HCP in a manner that violates the Anti-Kickback Statute.  For example, the manufacturer and the HCP must establish a bona fide partnership, meaning the arrangement should be documented in a written agreement and any contributions and costs should be shared equitably between them.

Communications & Technical Support

The updated Code also features a new section on communicating for the safe and effective use of medical technology, which sets forth principles for communicating information on unapproved or uncleared uses. For example, communications should be truthful and non-misleading, provided by authorized personnel, and appropriately identified as off-label.  AdvaMed advises that companies develop policies on the dissemination of off-label information based on existing guidance.

The final new section added to the Code concerns the provision of technical support in the clinical setting. It sets out guidelines for company representatives who provide technical support in that setting, including, but not limited to, being transparent that they are acting on behalf of the company and not interfering with an HCP’s clinical decision-making.

Although only certain states, such as California, Nevada, and Connecticut, have required device manufacturers to model their compliance programs after principles set forth in AdvaMed’s Code of Ethics, the Code has long been relied upon as the industry standard for maintaining ethical and compliant relationships between device manufacturers and HCPs. As such, manufacturers should carefully review the changes that have been made to the Code and update their internal policies and procedures as necessary.  Manufacturers in states like California, Nevada, and Connecticut should also look out for any updates in their states’ legislation to adopt the changes made to the Code.

The updated Code is available here and a brief overview of the changes can be found here.

Data is king!  A robust privacy, security and data governance approach to data management can position an organization to avoid pitfalls and maximize value from its data strategy. In fact, some of the largest market cap firms have successfully harnessed the power of data for quite some time.  To illustrate this point, the Economist boldly published an article entitled “The world’s most valuable resource is no longer oil, but data.”  This makes complete sense when research shows that 90% of all data today was created in the last two years, which translates to approximately 2.5 quintillion bytes of data per day.

This same trend has taken hold in the healthcare industry as it seeks to rapidly digitize and learn from data in order to bend the cost curve down, increase the quality of outcomes, and improve overall population health.  There is an ever-growing pool of health data being generated by providers, payors, life sciences companies, digital health companies, diagnostic companies, laboratories, and a cornucopia of other entities.  Recent estimates indicate that the volume of healthcare data is growing rapidly: 153 exabytes were produced in 2013, and an estimated 2,314 exabytes will be produced in 2020.  This translates to an overall rate of increase of at least 48 percent annually.  But, to what end?

The rapid production and aggregation of data is being met with increasing demand to access and analyze this data for a variety of purposes.  Life sciences companies want access to conduct pre-market analysis, clinical trials and post-market surveillance.  Providers want access to conduct population health research.  AdTech and marketing companies want it to . . . you guessed it . . . sell more things.  These examples are just the tip of the proverbial iceberg when it comes to the secondary data analytics market.

Nevertheless, there are various issues that must be addressed before aggregating, sharing, and using such data.

First and foremost, identifiable health data is typically treated as a sensitive class of information warranting protection.  As such, entities should consider whether their intended activities must comply with applicable privacy and security regulations.  Depending on the data being collected, the use and disclosure of such data, and the jurisdictions within which the data is stored and processed, entities may be subject to a wide array of legal obligations, including one or more of the following:

  • Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)
  • the Common Rule
  • the EU General Data Protection Regulation (“GDPR”)
  • 42 C.F.R. Part 2
  • State data protection and breach laws and regulations
  • Food and Drug Administration (“FDA”) regulations; or
  • Federal Trade Commission (“FTC”) regulation.

Second, entities must consider contractual obligations, including property rights governing data collection, aggregation, use, and disclosure.  The contractual obligations that should be evaluated will depend largely on the nature of the data collected, the contemplated uses and disclosures of such data, and the laws and regulations applicable to such collection, use, and disclosure.  Accordingly, entities should also consider the impact of upstream and downstream agreements on the rights to collect, use, or disclose data throughout the chain of custody.  Agreements that warrant consideration may include:

  • Master Services Agreements
  • Data Use Agreements
  • Business Associate Agreements
  • Data Sharing Agreements
  • Confidentiality/Non-disclosure Agreements
  • Terms of Use/Privacy Policies (and other representations made to consumers).

Third, even if collection, aggregation, and analysis are permissible under law, regulation, and contract, companies must still consider whether additional data governance principles should be implemented to guide responsible data stewardship.  It is critical to remember that businesses that mishandle personal data can lose the trust of customers and suffer irreparable reputational harm. To mitigate such risks, entities should consider developing data governance principles guided by fair information practices, including openness/transparency, collection limitation, data quality, purpose specification/use limitation, accountability, individual participation, and data security.


Patricia M. Wagner


Alaap B. Shah