Our colleague Melissa L. Jampol of Epstein Becker Green has a new post on the Commercial Litigation Update blog that will be interest to our readers: “Opioids, Sober Homes and ‘Telefraud’: An Overview of the DOJ 2020 Healthcare Fraud Takedown.”

The following is an excerpt:

As we have previously reported, opioids have been a large focus of DOJ in the past few years in an attempt to stem the opioid epidemic through increased enforcement and this takedown is a continuation of those efforts. DOJ stated that the charges involved in the opioid-related takedown involved the submission of $800 million in false and fraudulent claims to Medicare, Medicaid, TRICARE, and private insurance companies for treatments that were allegedly medically unnecessary and often never provided. DOJ also continued the trend of charging medical professionals with the illegal distribution of opioids (or operating pill mills). Providers need to be mindful of safe opioid prescribing guidelines, develop and implement rigorous compliance programs, and keep up to date on ever shifting federal and state laws in this area.

Over the past few years, we have been predicting that telehealth is ripe for enforcement. Although we have seen enforcement activity involving telehealth providers in the past, this is the first time that DOJ/HHS has focused so sharply on telehealth providers as the target of a major takedown. The 2020 Takedown is a warning to those in the telehealth industry to pay special attention to compliance infrastructures and efforts especially as use of telehealth to serve patients expands, and related regulations loosen in light of the COVID-19 pandemic.

Click here to read the full post on the Commercial Litigation Update blog.

Ransomware basics

Ransomware is a serious form of cyber extortion that employs malware to prevent users from accessing their systems or data, either by locking the system or encrypting critical files until a ransom is paid. The hacker holds the key to unlock the system and usually demands payment in cryptocurrency.

Ransomware has been a known cyber threat vector for over a decade. In recent years, hackers have embraced increasingly sophisticated methods to exploit vulnerabilities and introduce ransomware into systems. They have also expanded the scope of impact by targeting enterprise-wide systems and databases, crippling many companies across industry sectors, including healthcare. Recently, the Federal Bureau of Investigation (FBI), U.S. Department of Health and Human Services (HHS) and the Federal Cybersecurity and Infrastructure Security Agency (CISA) released a report calling attention to the rampant ransomware activity targeting the healthcare sector.

Lessons learned from impact in healthcare

Ransomware affects companies of all shapes and sizes across all industry segments, but there have been several high-profile cases where healthcare companies were infected by ransomware and held hostage for millions of dollars in ransom. These companies were temporarily forced to shut down operations, turn away patients, and attempt to work on paper-based records. Ransomware is uniquely problematic in healthcare settings where disruption of IT systems can directly harm patient safety.

The human factor

Human error is still one of the primary reasons ransomware infects systems.

Ransomware attacks typically begin by phishing or spoofing, fooling users into downloading malware by opening infected emails, clicking on attachments, or visiting illegitimate webpages. Hackers similarly entice users to click on catchy banner ads that may appear legitimate, but actually trigger a download of ransomware. One predominant example of ransomware is called “Ryuk” and you can read about how it works here.

Requested ransom has been known to vary greatly, and can increase dramatically depending on the target and sensitivity of the systems or files that have been encrypted.

What can you do to protect against ransomware?

In the past, ransomware focused on localized attacks like locking down a target’s keyboard or computer, but more recently hackers have expanded to encrypting enterprise-wide networks and file shares, rather than individual endpoint devices.

Key mitigation activities may include:

  1. Employ reputable antivirus software and strong firewall. A company should maintain a strong firewall, and keep its security software patched and updated at all times. This prevents ransomware from entering the system. Companies should also use strong next generation antivirus software, which regularly scans the networks for signature-based malware as well as uses behavioral analysis to ferret out ransomware.
  2. Back up often. A company should regularly back up files to minimize risk of data loss. This reduces the impact of ransomware, as impacted systems can be disconnected, shut down, wiped and restored using backups.
  3. Enable website popup blockers. Popups are a prime tactic used to conduct ransomware attacks. Company web browsers are configured to prevent popups by default. Company personnel should also be trained on phishing and malware prevention.
  4. Enable proxy blocking. A company should set website filtering rules to block website software and access to certain domains. Proxy blocking also has the ability to block downloadable content from websites. This approach prevents users from inadvertently visiting malicious website or downloading malicious files.
  5. Limiting file sharing. A company’s sensitive data should be segregated from its organizational and operational data. Sharing of sensitive data has been restricted to the highly secure production environment.
  6. Patching and installing the latest versions of critical software: Companies should apply security patches on an ongoing basis, which can significantly reduce vulnerability and blunt the impact of ransomware.
  7. Employ secure Internet and email practices. Organizations should block certain file extensions sent by email, especially executable files like .exe, .js, and .wsf. They should also scan contents of certain compressed files like .zip files. Users can be trained not to click on links inside suspicious emails and to avoid visiting suspicious websites.
  8. Conduct ongoing security training. A business should routinely train its personnel on malware, hacking threats, and best cybersecurity practices. Employees should be trained to be cautious with emails and requests for personal data (especially login information). Personnel should also be careful when opening email attachments or clicking on links in emails, no matter the sender, and should check that the website they are visiting is secure (look for a URL that starts with https://”—”s” for security—rather than just http://).

What do you do if you suspect a system is infected with ransomware?

  • First, report the suspicious activity to the Legal Department and IT security.
  • Follow incident response policies and procedures.
  • If possible, disconnect from the internet immediately to reduce the risk of the hacker remaining in the system, spread of the ransomware in the network, and exfiltration of sensitive data.
  • Shut down the computers or servers that have been infected.
  • Do NOT negotiate or pay the ransom amount. This should be determined by your organization’s leadership in consultation with legal counsel, law enforcement, and its insurance company.
  • Cooperate fully in any follow up investigations conducted by the company as well as government agencies like the FBI Cybersecurity Task Force.

As employers continue their efforts to safely bring employees back to the workplace, many have moved beyond initial pre-entry wellness checks or questionnaires and are considering technology solutions that monitor social distancing and conduct contact tracing in real-time. Along with introducing these enhanced capabilities, the question of the privacy and security of employee personally identifiable information (“PII”) and protected health information (“PHI”) continues to loom.

In order to isolate and contain the spread of COVID-19, one critical component of an effective workplace safety plan is for employers to be able to monitor social distancing practices and to notify employees that they need to self-quarantine if they have come in close contact with an individual in the workplace who has symptoms of, or tested positive for, COVID-19. Also known as “contact tracing”, the faster that affected individuals can be notified and isolated the slower the virus will spread. Technology developers have stepped up to automate the contact tracing process and there has been a proliferation of mobile tracking tools, including phone apps that monitor social distancing practices and conduct contact tracing in near real-time that can be used in the workplace. Yet, these tools raise an intricate web of considerations under applicable privacy, security and other consumer protection rules and regulations.

The following addresses common questions employers are currently facing:

  1. Are employers required to use HIPAA-compliant mobile tracking tools in the workplace for social distancing and contact tracing purposes?

Even though the information about an individual’s COVID-19 status may be health related, as a general rule, employers are not covered entities regulated by HIPAA. That being said, employers should make efforts to limit the amount of information being collected to serve the intended goals and not retain it longer than needed. For example, an employer interested in adopting an app approach for contact tracing may want to consider an app that relies on Bluetooth technologies rather than geo-tracking capabilities so that they can provide a notification to individuals who have come in close contact with an affected individual rather than the specific geographic location information about employees or specific status of individuals.

  1. How can my organization implement mobile tracking tools without collecting medical information or PHI?

An employer who wants to limit data collection can deploy mobile tracking technological tools, such as lanyards or wrist bands worn by employees in the confines of the workplace, which can be used to identify an employee’s location in the workplace throughout the work day and used to identify close contact with other individuals to remind employees to maintain a safe distance from others. With respect to contact tracing, these tools do not have to collect medical information or PHI. Many rely on an employee self-reporting that they are experiencing symptoms of COVID-19 or that they tested positive for COVID-19. This would cause the sensors in the lanyard and located throughout the workplace to identify the other employees that would need to be notified that they may have come in close contact with someone who reported symptoms or tested positive for COVID-19, and the areas in the workplace that the exposed individual had been to ensure that those areas are cleaned and appropriately sanitized.

  1. How could a non-HIPAA compliant mobile tracking tool collect PHI (such as COVID-19 test results)?

An individual may authorize a health care provider, like a lab or their physician, to disclose their electronic PHI through a mobile application that is not subject to HIPAA requirements. The authorization must meet HIPAA’s requirements for a valid authorization and, if an employer requires the use of a mobile app that relies on such authorization, the employer should also provide clear notice to employees about what information will be collected, how it will be used, with whom it will be shared, and how long it will be retained. Employers should review the terms of service for any tools they seek to deploy to determine if there are options that should be disabled or whether employees must take action on their devices to disable certain functions. Employers should also consider whether an alternative for employees that might need an accommodation is needed if they are unable to use the mobile app that the employer wishes to deploy.

  1. How can my organization vet mobile tracking tools?

From the outset, it is important to undertake diligence regarding the vendor providing the tool or app. Some technology developers may be well-established companies with robust privacy and security procedures and controls, while others may be entities that have not yet invested in, or developed compliant, procedures and controls. It is also critical to undertake diligence regarding the manner in which the information and data transmitted to, collected and stored by the tool or app will be handled. Consider asking the vendor the following types of questions:

  • What information is collected through the tracking tool or app and is it encrypted?
  • Will the vendor company utilize any information collected through the tool or app for any purpose (e.g., for research, analytics, marketing, or whether it can be sold)?
  • Is the information collected through the tool or app shared with any third parties (including public health authorities)?
  • Does the tool or app send data to any domestic government (or international) sites or apps?
  • How is the information obtained?
  • Is the information actively or passively (through the user’s URL or web behavior) collected?
  • Does the tool or app utilize Bluetooth technology (e.g., proximity notification) or GPS (location identification)?
  • Who owns the data?
  • How long will the data be kept, where will it be retained and what safeguards will be in place to protect it? (e.g., data back-up, disaster recovery and/or contingency plans)?
  • What security and privacy standards/protections does the vendor have in place for its tools or apps?
  • What data breach notification requirements does the vendor have in place?
  • What happens if there is a breach?
  • Does the vendor carry cyber insurance?
  • Has the app developed user friendly notifications with information for employers to pass along to employees that will instruct them on how to download the app to their phone, including an appropriate Privacy Notice and instructions on how to mitigate risks, for example instructions on how to disable the app from connecting to other functions on their phones?
  • Does the app itself include a notice that comports with the organization’s requirements to obtain consent from employees to collect information and proper consent to share the information with their employer?

It is critical to verify that the data is retained only for the required amount of time, and meets requirements for each state and locale in which your organization has reporting obligations. It is necessary to review the tool or app’s privacy policies and service agreement terms and, to pay careful attention to the vendor’s service agreement representations and any carve outs for adherence to applicable law. Given the evolving laws in this area, as well as the evolving definition of “close contact”, it is also important for employers to stay abreast of changes that may impact the tools and apps in use and address any updates that may need to be made. In the event that a vaccine is widely distributed and accepted by employees, contact tracing efforts may become moot.

  1. How can individuals protect their personal data when using mobile tracking tools for social distancing and contact tracing purposes?

Though most contact tracing tools and apps are unlikely to be covered by HIPAA, employers should ensure that they obtain clear, conspicuous, and specific consent/authorization from the employee to obtain and store their data, and specific requirements to do so will vary based on applicable state law. In theory an employee could limit his or her employer’s right to access only certain types of data (including non-PHI data). To enable an employee to do so, the employer should ensure that the app authorization can be tailored to permit such narrow authorization. Otherwise, with most app authorizations being provided via click wrap text, it is unlikely that an individual can modify the authorization to limit such data access.

To the extent the mobile tracking tool or app seeks to collect PHI, the new Interoperability Rules place the burden on the individual to decide whether they would like to share their PHI with a third party. These Rules permit individuals to access and transfer their electronic protected health information (“e-PHI”) to mobile apps and other tracking tools through application programming interfaces (“APIs”). The Office of the National Coordinator for Health Information Technology (“ONC”) Final Rule, which became effective on June 30, 2020, requires developers of certified health IT to include secure, standards-based APIs to support patients’ access and control of their e-PHI.

  1. What is the best way for an employer to approach contact tracing in the workplace?

 Since many Americans spend a significant portion of time at work, employers are uniquely situated and can play an important role in slowing the spread of COVID-19. As such, state re-opening plans require employers to develop a plan to bring employees back to the workplace safely. But without authority from a federal or state mandate to use an app to contact trace, employers face a number of legal challenges.

If the employer offers an app as a value added feature of its group health plan, the data becomes HIPAA protected and the app developer has to agree to enter into a BAA with the health plan. The data would then become part of the group health plan, which makes data sharing from the health plan back to the employer complicated because: (i) the health plan cannot report individual employee health information back to the employer; and (ii) any aggregated and de-identified sharing would have to comport to all of the company’s and employee’s state/city/county authority data sharing and reporting requirements.

To address privacy concerns, employers should collect only the data that is needed to know when an employee is suspected or actually infected by the virus so that other employees that have been exposed to the infected employee can be warned of their potential exposure and can be instructed to take measures to isolate and get tested.

Employers should be mindful that, as with any collection of sensitive data, information can be hacked. Contact tracing apps and technologies could collect personal information, including information considered medical or biometric identifiers, that is potentially subject to state breach notification laws.

Finally, being transparent, clear and frequently communicating about any changes goes a long way in helping employees understand the important role they play in keeping themselves, their families and their fellow employees safe.

  1. Are state government apps that have been developed for contact tracing purposes required to be HIPAA-compliant?

No. The information collected through apps developed and deployed by state governments is being used for a public health service. State government apps rely on individuals voluntarily downloading the app to their device. Generally, these apps can use Bluetooth to sense close contacts and exchange a secure random code with the close contact’s phone. These apps can also use the positive COVID-19 test results reported to the state and Bluetooth to recognize when one individual who has downloaded the app has been exposed to another individual who has tested positive for the virus and send an anonymized exposure alert to close contacts.

  1. Are employees tracked when they leave the workplace site and travel for business domestically? What about internationally?

Perhaps. The details of data collection depend upon the design of the mobile tool or app and the authorization provided by the individual. Inadvertent data collection or use may heighten an organization’s compliance risk.

  1. If employees work remotely, is contact tracing necessary?

 Employers may need to consider application of mobile tracking tools to remote- work employees.  Protocols should consider work schedules which include hybrid work arrangements and any business travel to other employer work locations.

  1. Must the mobile tracking tools track employees nationally and internationally? Should employers track employees 24/7?

It depends upon the goal of the organization’s contact tracing, and its governmental and regulatory reporting requirements. Arguably, contact tracing can best work when all movement is tracked and data is provided back to individuals in real-time about exposure risk. However, this must be balanced with privacy and security concerns. Limiting data collection for contact tracing purposes to the employee’s location within the confines of the workplace during the regular work day would be the least invasive.

  1. Do employees have rights to have their data deleted or will it reside indefinitely in a larger data set (Big data?)

Data retention depends upon obligations in state law/international law. A definitive timeline for data retention is not entirely clear at this time. So, employers should hold onto the data for now. However, employers should review and update their data retention policies as federal, state, and international guidance is issued and applicable statutes of limitations are analyzed. Some technologies may also allow individuals to delete their data and these should be evaluated. Employers should keep any data retained separate from employee personnel files and it should not be used for employment purposes.

  1. What types of updates should employers make to their privacy and security policies to address use of mobile tracking tools in the workplace and breach response procedures?

Employers should ensure that their privacy and security policies address the types of tools and apps utilized. Specific changes will depend upon the type of tool or app utilized, the data collected, and whether the tool or app is administered internally or through an employer’s health plan.

  1. What can an employer do to mitigate risk? 

Vet the mobile tracking tool or app vendor and developer and the tools or apps themselves to ensure that they comply with the organization’s applicable reporting policies and applicable privacy and security laws. Then, review the service agreement with the vendor or provider and any authorization that the employee may be required to sign to ensure compliance with applicable law. The employer may also want to review their cyber insurance policies and make sure that the terms of services and other agreements appropriately allocate cyber risk and breach responsibilities between the parties and that the vendor has adequate cyber/breach coverage.

As with implementing any new organization-wide policy, employers should consider developing communication or a training session where employees can be provided with information about the technology, a notice that is clear and understandable, and affords them the opportunity consent to participate by agreeing to download the app or activate the technology.

  1. What should an employer do next?

All employers and organizations are grappling with re-opening and the social distancing and contact tracing requirements for employees returning to the workplace. Employers must carefully consider the privacy and security implications of using mobile tracking tools and apps because these technologies may remain active in the workplace for the foreseeable future and will likely shape how workplace surveillance technology will be used in the future. Therefore, employers should be mindful to vet the apps they choose, review the service agreements and negotiate the privacy and security provisions to ensure that personal information is protected and used appropriately and that the appropriate cyber breach protocols are in place. For organizations that have already deployed these tools and apps without evaluating these considerations, it would be advisable to revisit these issues and address them. As the law changes, consideration should also be given to re-evaluating whether the tool or app remains compliant. Organizations should also develop a communications plan for employees in order to address their concerns about utilizing these tools and apps, educate them on how their data is protected and cybersecurity best practices, and obtain any required consents.

On October 12, 2020, the California Attorney General issued its notice and third set of proposed modifications to the regulations implementing the California Consumer Protection Act (“CCPA”). These proposed modifications would change the regulations that were approved by the California Office of Administrative Law on August 14, 2020. The California Department of Justice is accepting written comments from the public on these proposed revisions to the regulations until October 28, 2020 at 5:00 p.m. PST.

Notable changes in these regulations include:

  • A requirement for businesses that collect personal information in the course of interacting with consumers offline to provide notice of the consumer’s right to opt out through an offline method;
  • A requirement that the methods for consumer to opt out be easy for consumers to execute and involve minimal steps;
  • Clarification of how businesses may require authorized agents and consumers to submit proof to verify their data subject requests; and
  • A specific requirement that businesses subject to either Rules Regarding Consumers Under 13 Years of Age or Rules Regarding Consumers 13 to 15 Years of Age (or both) must include a description of the processes set forth in those Rules in their privacy policies.

Earlier this year on August 31, 2020, the California Legislature passed AB 1281 to extend the partially excluded employee information and business-to-business (B2B) information from the coverage of the CCPA until the end of 2021, citing primarily to the COVID-19 economic disruption in the state. This bill modified the Cal. Civ. Code § 1798.145(h) moratoria on the applicability of covered information related to job applicants, employees, contractors, and agents until the start of 2021. Previously these exemptions were set to expire January 1, 2020.

Please see Epstein Becker Green’s earlier posts discussing CCPA for more information.

California’s New Consumer Privacy Act: What Employers Need to Know

Follow the Leader: California Paves the Way for Other States to Strengthen Privacy Protections

Proposed Amendment to California Consumer Privacy Act (CCPA) Reaffirms Employer Notice Requirement and Employee Private Right of Action for Failure to Implement Cybersecurity Safeguards to Take Effect January 1, 2020

Data Privacy: What to Watch in 2020

On the Verge of CCPA Enforcement: What Should Companies Do to Comply?

CCPA Regulations Approved by the CA Office of Administrative Law

Recently, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS), the agency enforcing the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules, obtained two large breach-related settlements: one from a HIPAA Covered Entity and one from a HIPAA Business Associate.  These enforcement actions signal that despite COVID-19 related challenges, organizations continue to face rampant data breaches and ensuing HIPAA enforcement.

On September 25, 2020, OCR settled an investigation into a breach suffered by a large health insurer by obtaining the second-largest resolution payment in HIPAA enforcement history ($6.85 million).  This enforcement action resolved an investigation concerning potential violations of HIPAA Privacy and Security Rules related to a breach affecting the electronic protected health information (ePHI) of more than 10.4 million people.  The breach resulted from a phishing attack that introduced malware into the insurer’s IT systems and allowed unauthorized actors to gain access and remain undetected for nearly nine months.  Similarly on September 23, 2020, a business associate providing IT and health information management services to hospitals and physicians clinics entered a settlement ($2.3 million) with OCR for potential violations of HIPAA Privacy and Security Rules related to a breach affecting over 6 million people.  Essentially, these cyberattacks were advanced persistent threats that compromised the privacy and security of ePHI and PHI and revealed longstanding gaps in the companies’ cybersecurity controls. Continue Reading Data Breaches and HIPAA Enforcement Remain Endemic Amidst the COVID-19 Pandemic

I knew Justice Ginsburg had been seriously ill, so I shouldn’t have been surprised when I heard the news of her passing. But it was still a big shock, and tears started falling. I thought to myself, “I don’t even personally know her—why am I crying?” It was because of all that she represented. She was truly inspirational. She had a tough life—losing her mother at a young age and trying to get her foot in the door and succeed in a male-dominated profession, not to mention numerous serious health issues. Yet she persevered, and she became a “first” in so many ways, even in death—being the first woman and first Jewish American to lie in state at the U.S. Capitol.

Reading about her life has been fascinating, but two parts I especially enjoyed were her sense of humor and her friendship with the late Justice Antonin Scalia. The two justices were on opposite ends of the law but close friends. I love the picture of the two of them in India on an elephant. She was behind him, and when asked why she, an advocate of women’s rights, would agree to sit behind a man, she explained that it was for weight distribution purposes! It also just goes to show that you can be on polar opposite ends of important and often contentious issues, but still be respectful and mindful of others and their opinions.

Justice Ginsburg’s cachet was appealing to multiple generations—young, old, and everyone in between. I was surprised that even my 17-year-old twins knew of her and something about her life even if only because of “Notorious RBG” mania! That’s something special that not many public personas are able to achieve. She fought for equality and opened doors for the rest of us so that we could also succeed in professions previously dominated by men. Not only have I managed to succeed as an attorney and working mother because women like Ruth Bader Ginsburg paved the way, but I know that my daughter will have fewer challenges as a result. For that, I am so grateful to Justice Ginsburg, and she will be missed so very much.

“My mother told me to be a lady. And for her, that meant be your own person, be independent.” – Ruth Bader Ginsburg

A couple days after Ruth Bader Ginsburg passed away, my eight year old daughter asked me, when I was her age, what I wanted to be when I grew up. I paused and swallowed hard. I had wanted to be a doctor, but despite how well I performed in school, the more conservative environment I grew up in did not support such dreams because it was “not something that moms did”.

My daughter’s question allowed me to explain to her how lucky she is to grow up in the world we now live in where women can do anything they put their minds to, a trail blazed by none other than Ruth Bader Ginsburg. Justice Ginsburg fought for women to be treated equally not only by the law but in all facets of life. She knew women deserved a seat at the table. Thankfully other women have followed in her footsteps. It is because of these women, and the men who have accepted our right to be where we are, that I am where I am today.

I pivoted from my dream of being a doctor to pursuing a career in nursing. Although I still toyed with the idea of going back to school for years, it was hard to break from the messaging that I had heard for so long–that working and being a mother did not co-exist. I started working for a law firm as a nurse analyst and became very interested in the law. An older woman colleague of mine picked up on my interest and encouraged me to consider law school. I had finally found something I was interested in and realized how valuable my background could be to clients. However, I hesitated with concerns of wanting to start a family. I will never forget the encouragement I received from attorneys I worked with that I really could do both.

Needless to say, I ended up having my three children during law school. I interviewed for summer associate positions six weeks after I had my first child. I wondered if a law firm would take a chance on a new mother. Fortunately, Epstein Becker Green did. When I showed up for my summer position, I was pregnant with twins. As a first year, I had three children under two years old. It was a challenge but the support from those who believed I could shoulder both the responsibilities at work and home meant everything. I am beyond thankful that the change in mindset that Ruth Bader Ginsburg fought so hard to achieve made way for mothers like me to be successful both at work and at home.

Ginsburg’s mom said it best, to be a lady was to be your own person, be independent. This is what I want to impart to my daughters: There are no limits. You can be anything you want to be.  Surround yourself with those who support your dreams.

 

On Tuesday, September 1, 2020, the Drug Enforcement Agency (“DEA”) proposed 2021 aggregate production quotas (APQs) for controlled substances in schedules I and II of the Controlled Substances Act (“CSA”) and an Assessment of Annual Needs (“AAN”) for the List I Chemicals pseudoephedrine, ephedrine, and phenylpropanolamine. This marks the second year that DEA has issued APQs pursuant to Congress’s changes to the CSA via the SUPPORT Act.  After assessing the diversion rates for the five covered controlled substances, DEA reduced the quotas for four: oxycodone, hydrocodone, hydromorphone and fentanyl.

DEA recently increased the APQ to allow for the additional manufacture of certain controlled substances in response to the COVID-19 pandemic and the need to provide greater access to these medications for patients on ventilator treatment.  According to DEA, that increased demand has been factored into the proposed APQs for 2021.

Comments are due by October 1, 2020.  Because DEA’s APQs determine the amount of quota DEA can allocate to individual manufacturers in 2021, adversely impacted parties should file comments soon.

Background on APQs

The CSA requires the establishment of aggregate production quotas for schedule I and II controlled substances, and an assessment of annual needs for the list I chemicals ephedrine, pseudoephedrine, and phenylpropanolamine.  These aggregate quotas limit the quantities of these substances to be manufactured – and with respect to the listed chemicals, imported –  in the United States in a calendar year, to provide for the estimated medical, scientific, research, and industrial needs of the United States, for lawful export requirements, and for the establishment and maintenance of reserve stocks.

Changes in Setting APQs Under The SUPPORT Act

The Substance Use-Disorder Prevention that Promotes Opioid Recovery and Treatment for Patients and Communities Act (“SUPPORT Act”) signed into law October 24, 2018, provided significant changes to the process for setting APQs.  First, under the CSA, aggregate production quotas are established in terms of quantities of each basic class of controlled substance, and not in terms of individual pharmaceutical dosage forms prepared from or containing such a controlled substance.  However, the SUPPORT Act provides an exception to that general rule by giving the DEA the authority to establish quotas in terms of pharmaceutical dosage forms if the agency determines that doing so will assist in avoiding the overproduction, shortages, or diversion of a controlled substance.

Additionally, the SUPPORT Act changed the way the DEA establishes APQs with respect to five “covered controlled substances”: fentanyl, oxycodone, hydrocodone, oxymorphone, and hydromorphone.  Under the SUPPORT Act, when setting the APQ for any of the “covered controlled substances,” DEA must estimate the amount of diversion.  The SUPPORT Act requires DEA to make appropriate quota reductions “as determined by the [DEA] from the quota the [DEA] would have otherwise established had such diversion not been considered.”  Furthermore, when estimating the amount of diversion, the DEA must consider reliable “rates of overdose deaths and abuse and overall public health impact related to the covered controlled substance in the United States,” and may take into consideration other sources of information the DEA determines reliable.

Estimating Diversion  

In accordance with this mandate under the SUPPORT Act, in setting the proposed APQs for 2021 DEA requested information from various agencies within the Department of Health and Human Services (“HHS”), including the U.S. Food and Drug Administration (“FDA”), Centers for Disease Control and Prevention (“CDC”), and the Centers for Medicare and Medicaid Services (“CMS”), regarding overdose deaths, overprescribing, and the public health impact of covered controlled substances.  DEA also solicited information from each state’s Prescription Drug Monitoring Program (“PDMP”), and any additional analysis of prescription data that would assist DEA in estimating diversion of covered controlled substances.

After soliciting input from these sources, DEA extracted data on drug theft and loss from its internal databases and seizure data by law enforcement nationwide.  DEA then calculated the estimated amount of diversion by multiplying the strength of the active pharmaceutical ingredient (“API”) listed for each finished dosage form by the total amount of units reported to estimate the metric weight in kilograms of the controlled substance being diverted.

Continue Reading Deadline Looms for Responding to DEA’s Proposed Aggregate Production Quotas for 2021

Earlier this summer, Ethan P. Davis, Principal Deputy Assistant Attorney General for the Civil Division of the U.S. Department of Justice (DOJ) delivered remarks addressing DOJ’s top priorities for enforcement actions related to COVID-19 and indicating that DOJ plans to “vigorously pursue fraud and other illegal activity.”[1] As discussed below, Davis’s remarks not only highlighted principles that will guide enforcement efforts of the Civil Fraud Section under the False Claims Act (FCA) and of the Consumer Protection Branch (CPB) under the Food, Drug, and Cosmetic Act (FDCA) and the Controlled Substances Act (CSA) in response to the COVID-19 public health emergency (PHE), they also provide an indication of how DOJ might approach enforcement over the next few years.

DOJ’S KEY CONSIDERATIONS & ENFORCEMENT STRATEGY FOR COVID-19

Davis highlighted two key principles that would drive DOJ’s COVID-related enforcement efforts: the energetic use of “every enforcement tool available to prevent wrongdoers from exploiting the COVID-19 crisis” and a respect of the private sector’s critical role in ending the pandemic and restarting the economy.[2] Under that framework, DOJ plans to pursue fraud and other illegal activity under the FCA, which Davis characterizes as “one of the most effective weapons in [DOJ’s] arsenal.”[3]

However, as DOJ pursues FCA cases, it will also seek to affirmatively dismiss qui tam claims that  DOJ finds meritless or that interfere with agency policy and programs.[4] DOJ also plans to collect certain information from qui tam relators regarding third-party litigation funders during relator interviews.[5] DOJ’s emphasis on qui tam cases—cases brought under the FCA by relators or whistleblowers—for COVID-related enforcement highlights the impact such matters have on DOJ’s enforcement agenda.[6]

  1. DOJ will consider dismissing cases that involve regulatory overreach and are not otherwise in the interest of the United States.

Although Davis emphasized that the majority of qui tam cases would be allowed to proceed, in order to “weed out” cases that lack merit or that DOJ believes should not proceed, DOJ will consider dismissing cases that “involve regulatory overreach or are otherwise not in the interest of the United States.”[7] This is consistent with the principles reflected in the 2018 Granston Memo that instructed DOJ attorneys to consider “whether the government’s interests are served” when considering whether cases should proceed and listed considerations for seeking alternative grounds for dismissal of FCA cases.[8] Davis gave examples throughout his speech of actions DOJ might consider dismissing:

  • Cases based on immaterial or inadvertent mistakes, such as technical mistakes with paperwork
  • Cases based on honest misunderstandings of rules, terms, and conditions
  • Cases based on alleged deviations from non-binding guidance documents
  • Cases against entities that reasonably attempted to comply with guidance and “in good faith took advantage of the regulatory flexibilities granted by federal agencies in the time of crisis.”[9]

DOJ litigators have been advised to inform relators of the possibility of dismissal.[10] Additionally, qui tam suits based on behaviors temporarily permitted during the COVID-19 pandemic, particularly in circumstances in which agencies exercised discretion to waive or not enforce certain requirements, might
“fail as a matter of law for lack of materiality and knowledge.”[11]

  1. DOJ will now include a series of questions during relator interviews to identify third-party litigation funders.

During each relator interview, DOJ has instructed line attorneys to ask a series of questions to identify whether the relator or their counsel has a third-party litigation funding agreement,[12] which is an agreement in which a third party—such as a commercial lender or a hedge fund—finances the cost of litigation in return for a portion of recoveries.[13] Under the new policy detailed in Davis’s speech, if a third-party funder is disclosed, DOJ will ask for the following:

  • the identity of the third-party litigation funder,
  • information regarding whether information of the allegations has been shared with the third party,
  • whether the relator or their counsel has a written agreement with the third party, and
  • whether the agreement between the relator or their counsel and the third party includes terms that entitles the third-party funder to exercise direct or indirect control over the relator’s litigation or settlement decisions.

Relators must inform DOJ of changes as the case proceeds through the course of litigation.[14] While Davis characterizes these changes as a “purely information-gathering exercise for the purpose of studying the issues,” the questions are in furtherance of DOJ’s ongoing efforts to uncover the potential negative impacts third-party litigation financing may have in qui tam actions. [15] The questions Davis referenced in his remarks reflect DOJ’s concerns with third-party litigation funding as expressed by Deputy Associate Attorney General Stephen Cox in a January 2020 speech.[16] Davis emphasized that DOJ particularly sought to evaluate the extent to which third-party litigation funders were behind qui tam cases DOJ investigates, litigates, and monitors; the extent of information sharing with third-party funders; and the amount of control third-party funders exercised over the litigation and settlement decisions.[17] While the Litigation Funding Transparency Act of 2019 has remained inactive since its introduction in February 2019 by Senator Grassley[18] and the 2018 proposal by the U.S. Court’s Advisory Committee on Civil Rights’ Multidistrict Litigation Subcommittee to require disclosure of third-party litigation funding remains under consideration,[19] DOJ’s plans to include this line of questioning potentially signals DOJ’s intention to take more concrete and significant steps to address third-party litigation funding in the future.

Continue Reading False Claims Act Enforcement During the COVID-19 Pandemic and Beyond

The regulations for the California Consumer Protection Act (“CCPA”) were approved by the California Office of Administrative Law on August 14, 2020 and went into effect immediately.   Earlier this year, the California Department of Justice proposed these regulations to govern the California Attorney General’s enforcement of CCPA. CCPA was signed into law on June 28, 2018 and went into effect on January 1, 2020.

Please see Epstein Becker Green’s earlier posts discussing CCPA for more information.