On October 12, 2020, the California Attorney General issued its notice and third set of proposed modifications to the regulations implementing the California Consumer Protection Act (“CCPA”). These proposed modifications would change the regulations that were approved by the California Office of Administrative Law on August 14, 2020. The California Department of Justice is accepting written comments from the public on these proposed revisions to the regulations until October 28, 2020 at 5:00 p.m. PST.

Notable changes in these regulations include:

  • A requirement for businesses that collect personal information in the course of interacting with consumers offline to provide notice of the consumer’s right to opt out through an offline method;
  • A requirement that the methods for consumers to opt out be easy for consumers to execute and involve minimal steps;
  • Clarification of how businesses may require authorized agents and consumers to submit proof to verify their data subject requests; and
  • A specific requirement that businesses subject to either Rules Regarding Consumers Under 13 Years of Age or Rules Regarding Consumers 13 to 15 Years of Age (or both) must include a description of the processes set forth in those Rules in their privacy policies.

Earlier this year, on August 31, 2020, the California Legislature passed AB 1281 to extend the partial exclusion of employee information and business-to-business (B2B) information from the coverage of the CCPA until the end of 2021, citing primarily the COVID-19 economic disruption in the state. This bill modified the Cal. Civ. Code § 1798.145(h) moratoria on the applicability of covered information related to job applicants, employees, contractors, and agents until the start of 2021. Previously, these exemptions were set to expire January 1, 2020.

Please see Epstein Becker Green’s earlier posts discussing CCPA for more information.

California’s New Consumer Privacy Act: What Employers Need to Know

Follow the Leader: California Paves the Way for Other States to Strengthen Privacy Protections

Proposed Amendment to California Consumer Privacy Act (CCPA) Reaffirms Employer Notice Requirement and Employee Private Right of Action for Failure to Implement Cybersecurity Safeguards to Take Effect January 1, 2020

Data Privacy: What to Watch in 2020

On the Verge of CCPA Enforcement: What Should Companies Do to Comply?

CCPA Regulations Approved by the CA Office of Administrative Law

Recently, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS), the agency enforcing the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules, obtained two large breach-related settlements: one from a HIPAA Covered Entity and one from a HIPAA Business Associate.  These enforcement actions signal that despite COVID-19 related challenges, organizations continue to face rampant data breaches and ensuing HIPAA enforcement.

On September 25, 2020, OCR settled an investigation into a breach suffered by a large health insurer by obtaining the second-largest resolution payment in HIPAA enforcement history ($6.85 million). This enforcement action resolved an investigation concerning potential violations of HIPAA Privacy and Security Rules related to a breach affecting the electronic protected health information (ePHI) of more than 10.4 million people. The breach resulted from a phishing attack that introduced malware into the insurer’s IT systems and allowed unauthorized actors to gain access and remain undetected for nearly nine months. Similarly, on September 23, 2020, a business associate providing IT and health information management services to hospitals and physician clinics entered a settlement ($2.3 million) with OCR for potential violations of HIPAA Privacy and Security Rules related to a breach affecting over 6 million people. Essentially, these cyberattacks were advanced persistent threats that compromised the privacy and security of ePHI and PHI and revealed longstanding gaps in the companies’ cybersecurity controls.

I knew Justice Ginsburg had been seriously ill, so I shouldn’t have been surprised when I heard the news of her passing. But it was still a big shock, and tears started falling. I thought to myself, “I don’t even personally know her—why am I crying?” It was because of all that she represented. She was truly inspirational. She had a tough life—losing her mother at a young age and trying to get her foot in the door and succeed in a male-dominated profession, not to mention numerous serious health issues. Yet she persevered, and she became a “first” in so many ways, even in death—being the first woman and first Jewish American to lie in state at the U.S. Capitol.

Reading about her life has been fascinating, but two parts I especially enjoyed were her sense of humor and her friendship with the late Justice Antonin Scalia. The two justices were on opposite ends of the law but close friends. I love the picture of the two of them in India on an elephant. She was behind him, and when asked why she, an advocate of women’s rights, would agree to sit behind a man, she explained that it was for weight distribution purposes! It also just goes to show that you can be on polar opposite ends of important and often contentious issues, but still be respectful and mindful of others and their opinions.

Justice Ginsburg’s cachet was appealing to multiple generations—young, old, and everyone in between. I was surprised that even my 17-year-old twins knew of her and something about her life even if only because of “Notorious RBG” mania! That’s something special that not many public personas are able to achieve. She fought for equality and opened doors for the rest of us so that we could also succeed in professions previously dominated by men. Not only have I managed to succeed as an attorney and working mother because women like Ruth Bader Ginsburg paved the way, but I know that my daughter will have fewer challenges as a result. For that, I am so grateful to Justice Ginsburg, and she will be missed so very much.

“My mother told me to be a lady. And for her, that meant be your own person, be independent.” – Ruth Bader Ginsburg

A couple days after Ruth Bader Ginsburg passed away, my eight-year-old daughter asked me, when I was her age, what I wanted to be when I grew up. I paused and swallowed hard. I had wanted to be a doctor, but despite how well I performed in school, the more conservative environment I grew up in did not support such dreams because it was “not something that moms did”.

My daughter’s question allowed me to explain to her how lucky she is to grow up in the world we now live in where women can do anything they put their minds to, a trail blazed by none other than Ruth Bader Ginsburg. Justice Ginsburg fought for women to be treated equally not only by the law but in all facets of life. She knew women deserved a seat at the table. Thankfully other women have followed in her footsteps. It is because of these women, and the men who have accepted our right to be where we are, that I am where I am today.

I pivoted from my dream of being a doctor to pursuing a career in nursing. Although I still toyed with the idea of going back to school for years, it was hard to break from the messaging that I had heard for so long–that working and being a mother did not co-exist. I started working for a law firm as a nurse analyst and became very interested in the law. An older woman colleague of mine picked up on my interest and encouraged me to consider law school. I had finally found something I was interested in and realized how valuable my background could be to clients. However, I hesitated with concerns of wanting to start a family. I will never forget the encouragement I received from attorneys I worked with that I really could do both.

Needless to say, I ended up having my three children during law school. I interviewed for summer associate positions six weeks after I had my first child. I wondered if a law firm would take a chance on a new mother. Fortunately, Epstein Becker Green did. When I showed up for my summer position, I was pregnant with twins. As a first year, I had three children under two years old. It was a challenge but the support from those who believed I could shoulder both the responsibilities at work and home meant everything. I am beyond thankful that the change in mindset that Ruth Bader Ginsburg fought so hard to achieve made way for mothers like me to be successful both at work and at home.

Ginsburg’s mom said it best, to be a lady was to be your own person, be independent. This is what I want to impart to my daughters: There are no limits. You can be anything you want to be.  Surround yourself with those who support your dreams.


On Tuesday, September 1, 2020, the Drug Enforcement Agency (“DEA”) proposed 2021 aggregate production quotas (APQs) for controlled substances in schedules I and II of the Controlled Substances Act (“CSA”) and an Assessment of Annual Needs (“AAN”) for the List I Chemicals pseudoephedrine, ephedrine, and phenylpropanolamine. This marks the second year that DEA has issued APQs pursuant to Congress’s changes to the CSA via the SUPPORT Act.  After assessing the diversion rates for the five covered controlled substances, DEA reduced the quotas for four: oxycodone, hydrocodone, hydromorphone and fentanyl.

DEA recently increased the APQ to allow for the additional manufacture of certain controlled substances in response to the COVID-19 pandemic and the need to provide greater access to these medications for patients on ventilator treatment.  According to DEA, that increased demand has been factored into the proposed APQs for 2021.

Comments are due by October 1, 2020.  Because DEA’s APQs determine the amount of quota DEA can allocate to individual manufacturers in 2021, adversely impacted parties should file comments soon.

Background on APQs

The CSA requires the establishment of aggregate production quotas for schedule I and II controlled substances, and an assessment of annual needs for the list I chemicals ephedrine, pseudoephedrine, and phenylpropanolamine.  These aggregate quotas limit the quantities of these substances to be manufactured – and with respect to the listed chemicals, imported –  in the United States in a calendar year, to provide for the estimated medical, scientific, research, and industrial needs of the United States, for lawful export requirements, and for the establishment and maintenance of reserve stocks.

Changes in Setting APQs Under The SUPPORT Act

The Substance Use-Disorder Prevention that Promotes Opioid Recovery and Treatment for Patients and Communities Act (“SUPPORT Act”) signed into law October 24, 2018, provided significant changes to the process for setting APQs.  First, under the CSA, aggregate production quotas are established in terms of quantities of each basic class of controlled substance, and not in terms of individual pharmaceutical dosage forms prepared from or containing such a controlled substance.  However, the SUPPORT Act provides an exception to that general rule by giving the DEA the authority to establish quotas in terms of pharmaceutical dosage forms if the agency determines that doing so will assist in avoiding the overproduction, shortages, or diversion of a controlled substance.

Additionally, the SUPPORT Act changed the way the DEA establishes APQs with respect to five “covered controlled substances”: fentanyl, oxycodone, hydrocodone, oxymorphone, and hydromorphone.  Under the SUPPORT Act, when setting the APQ for any of the “covered controlled substances,” DEA must estimate the amount of diversion.  The SUPPORT Act requires DEA to make appropriate quota reductions “as determined by the [DEA] from the quota the [DEA] would have otherwise established had such diversion not been considered.”  Furthermore, when estimating the amount of diversion, the DEA must consider reliable “rates of overdose deaths and abuse and overall public health impact related to the covered controlled substance in the United States,” and may take into consideration other sources of information the DEA determines reliable.

Estimating Diversion  

In accordance with this mandate under the SUPPORT Act, in setting the proposed APQs for 2021 DEA requested information from various agencies within the Department of Health and Human Services (“HHS”), including the U.S. Food and Drug Administration (“FDA”), Centers for Disease Control and Prevention (“CDC”), and the Centers for Medicare and Medicaid Services (“CMS”), regarding overdose deaths, overprescribing, and the public health impact of covered controlled substances.  DEA also solicited information from each state’s Prescription Drug Monitoring Program (“PDMP”), and any additional analysis of prescription data that would assist DEA in estimating diversion of covered controlled substances.

After soliciting input from these sources, DEA extracted data on drug theft and loss from its internal databases and seizure data by law enforcement nationwide.  DEA then calculated the estimated amount of diversion by multiplying the strength of the active pharmaceutical ingredient (“API”) listed for each finished dosage form by the total amount of units reported to estimate the metric weight in kilograms of the controlled substance being diverted.


Earlier this summer, Ethan P. Davis, Principal Deputy Assistant Attorney General for the Civil Division of the U.S. Department of Justice (DOJ) delivered remarks addressing DOJ’s top priorities for enforcement actions related to COVID-19 and indicating that DOJ plans to “vigorously pursue fraud and other illegal activity.”[1] As discussed below, Davis’s remarks not only highlighted principles that will guide enforcement efforts of the Civil Fraud Section under the False Claims Act (FCA) and of the Consumer Protection Branch (CPB) under the Food, Drug, and Cosmetic Act (FDCA) and the Controlled Substances Act (CSA) in response to the COVID-19 public health emergency (PHE), they also provide an indication of how DOJ might approach enforcement over the next few years.

DOJ’S KEY CONSIDERATIONS & ENFORCEMENT STRATEGY FOR COVID-19

Davis highlighted two key principles that would drive DOJ’s COVID-related enforcement efforts: the energetic use of “every enforcement tool available to prevent wrongdoers from exploiting the COVID-19 crisis” and a respect of the private sector’s critical role in ending the pandemic and restarting the economy.[2] Under that framework, DOJ plans to pursue fraud and other illegal activity under the FCA, which Davis characterizes as “one of the most effective weapons in [DOJ’s] arsenal.”[3]

However, as DOJ pursues FCA cases, it will also seek to affirmatively dismiss qui tam claims that DOJ finds meritless or that interfere with agency policy and programs.[4] DOJ also plans to collect certain information from qui tam relators regarding third-party litigation funders during relator interviews.[5] DOJ’s emphasis on qui tam cases—cases brought under the FCA by relators or whistleblowers—for COVID-related enforcement highlights the impact such matters have on DOJ’s enforcement agenda.[6]

  1. DOJ will consider dismissing cases that involve regulatory overreach and are not otherwise in the interest of the United States.

Although Davis emphasized that the majority of qui tam cases would be allowed to proceed, in order to “weed out” cases that lack merit or that DOJ believes should not proceed, DOJ will consider dismissing cases that “involve regulatory overreach or are otherwise not in the interest of the United States.”[7] This is consistent with the principles reflected in the 2018 Granston Memo that instructed DOJ attorneys to consider “whether the government’s interests are served” when considering whether cases should proceed and listed considerations for seeking alternative grounds for dismissal of FCA cases.[8] Davis gave examples throughout his speech of actions DOJ might consider dismissing:

  • Cases based on immaterial or inadvertent mistakes, such as technical mistakes with paperwork
  • Cases based on honest misunderstandings of rules, terms, and conditions
  • Cases based on alleged deviations from non-binding guidance documents
  • Cases against entities that reasonably attempted to comply with guidance and “in good faith took advantage of the regulatory flexibilities granted by federal agencies in the time of crisis.”[9]

DOJ litigators have been advised to inform relators of the possibility of dismissal.[10] Additionally, qui tam suits based on behaviors temporarily permitted during the COVID-19 pandemic, particularly in circumstances in which agencies exercised discretion to waive or not enforce certain requirements, might “fail as a matter of law for lack of materiality and knowledge.”[11]

  2. DOJ will now include a series of questions during relator interviews to identify third-party litigation funders.

During each relator interview, DOJ has instructed line attorneys to ask a series of questions to identify whether the relator or their counsel has a third-party litigation funding agreement,[12] which is an agreement in which a third party—such as a commercial lender or a hedge fund—finances the cost of litigation in return for a portion of recoveries.[13] Under the new policy detailed in Davis’s speech, if a third-party funder is disclosed, DOJ will ask for the following:

  • the identity of the third-party litigation funder,
  • information regarding whether information of the allegations has been shared with the third party,
  • whether the relator or their counsel has a written agreement with the third party, and
  • whether the agreement between the relator or their counsel and the third party includes terms that entitle the third-party funder to exercise direct or indirect control over the relator’s litigation or settlement decisions.

Relators must inform DOJ of changes as the case proceeds through the course of litigation.[14] While Davis characterizes these changes as a “purely information-gathering exercise for the purpose of studying the issues,” the questions are in furtherance of DOJ’s ongoing efforts to uncover the potential negative impacts third-party litigation financing may have in qui tam actions.[15] The questions Davis referenced in his remarks reflect DOJ’s concerns with third-party litigation funding as expressed by Deputy Associate Attorney General Stephen Cox in a January 2020 speech.[16] Davis emphasized that DOJ particularly sought to evaluate the extent to which third-party litigation funders were behind qui tam cases DOJ investigates, litigates, and monitors; the extent of information sharing with third-party funders; and the amount of control third-party funders exercised over the litigation and settlement decisions.[17] While the Litigation Funding Transparency Act of 2019 has remained inactive since its introduction in February 2019 by Senator Grassley[18] and the 2018 proposal by the U.S. Court’s Advisory Committee on Civil Rights’ Multidistrict Litigation Subcommittee to require disclosure of third-party litigation funding remains under consideration,[19] DOJ’s plan to include this line of questioning potentially signals DOJ’s intention to take more concrete and significant steps to address third-party litigation funding in the future.


The regulations for the California Consumer Protection Act (“CCPA”) were approved by the California Office of Administrative Law on August 14, 2020 and went into effect immediately.   Earlier this year, the California Department of Justice proposed these regulations to govern the California Attorney General’s enforcement of CCPA. CCPA was signed into law on June 28, 2018 and went into effect on January 1, 2020.

Please see Epstein Becker Green’s earlier posts discussing CCPA for more information.

As consumerism in healthcare increases, companies and the individuals they serve are increasingly sharing data with third-party application developers that provide innovative ways to manage health and wellness, among numerous other products that leverage individuals’ identifiable health data. As the third-party application space continues to expand and data sharing becomes more prevalent, it is critical that such data sharing is done in a responsible manner and in accordance with applicable privacy and security standards. Yet, complying with applicable standards requires striking the right balance between rules promoting interoperability and prohibiting information blocking, on the one hand, and ensuring patient privacy is protected, on the other. This is especially difficult when data is sent to third-party applications that remain largely unregulated from a privacy and security perspective. Navigating this policy ‘tug of war’ will be critical for organizations not only to comply with the rules, but also to maintain consumer confidence.

FDA took two important steps last week to clarify the regulatory landscape for cannabis products, including CBD products.  First, FDA issued a draft guidance on Quality Considerations for Clinical Research Involving Cannabis and Cannabis Derived Compounds.  This guidance builds off of earlier guidance FDA has issued about the quality and regulatory considerations that govern the development and FDA approval of cannabis and/or cannabinoid drug products.  See e.g., here and here.  The draft guidance iterates a federal standard for calculating delta-9 THC content in cannabis finished products, which addresses a significant gap in federal policy regarding those products.  While the testing standard is neither final nor binding on FDA or DEA, when finalized it would iterate what FDA considers to be a scientifically valid method for making the determination of whether a cannabis product is a Schedule I controlled substance.  Therefore, it may be useful in many contexts, including federal and state cannabis enforcement actions.  We encourage affected parties to file comments on FDA’s Guidance, which they may do until September 21, 2020.

Second, FDA sent to the Office of Management and Budget for review a proposal on how FDA intends to exercise enforcement discretion over CBD consumer products.  See here.  While the contents of this guidance have not yet been made public, we forecast that it likely will align with FDA’s past enforcement actions and memorialize the agency’s intent to pursue enforcement actions against CBD consumer product companies that make egregious claims about their products treating or preventing serious diseases or conditions.

Guidance on Considerations for Cannabis Clinical Research

FDA’s guidance recognizes that Congress’s enactment of the Agricultural Improvement Act of 2018 (“2018 Farm Bill”) improved domestic access to pre-clinical and clinical cannabis research material that may be used in the research and development of novel therapies.   However, currently marijuana only may be obtained domestically from the University of Mississippi under contract with the National Institute on Drug Abuse.  While DEA issued a policy in 2016 to allow for the additional registration of marijuana cultivators for legitimate research and licit commercial purposes, the Office of Legal Counsel in June 2018 issued an opinion finding that such policy violates the United States’ obligations under applicable treaties.  However, in March of this year, DEA issued a proposed rule to allow for the registration of additional cultivators of cannabis for these licit purposes.  See here.

There is an alternative pathway to the procurement of Schedule I research material which FDA’s guidance does not mention: importation.  Researchers may obtain certain Schedule I material pursuant to a federal DEA Schedule I importer registration, and DEA has in the past issued such registrations.  See 21 CFR 1301.13(e)(1)(viii).


On July 7, the Court of Justice of the European Union (ECJ) invalidated the EU-US Privacy Shield framework in its ruling in Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (Case C-311/18). More than 5,000 organizations in the United States have certified their adherence to this framework, and have relied on it to receive personal data from organizations in the EU in compliance with the General Data Protection Regulation (GDPR) since 2016. The framework was a joint effort between the US Department of Commerce and the European Commission and Swiss Administration to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce. The Department of Commerce released the following statement:

The United States shares the values of rule of law and protection of our democracies with our partners in the European Union (EU).  Therefore, we are deeply disappointed that the Court of Justice of the European Union (“ECJ”) has invalidated the EU-U.S. Privacy Shield framework.  The United States is reviewing this outcome and the consequences and implications for more than 5,300 European and U.S. companies, representing millions of transatlantic jobs and over $7.1 trillion in commercial transactions.

The United States and the EU have a shared interest in protecting individual privacy and ensuring the continuity of commercial data transfers.  Uninterrupted data flows are essential to economic growth and innovation, for companies of all sizes and in every sector, which is particularly crucial now as both our economies recover from the effects of the COVID-19 pandemic.  This decision directly impacts both European companies doing business in the United States as well as American companies, of which over 70 percent are small and medium enterprises.  The United States will continue to work closely with the EU to find a mechanism to enable the essential unimpeded commercial transfer of data from the EU to the United States.
