On November 1, 2018, the Office of the Inspector General (“OIG”) for the U.S. Department of Health and Human Services (“HHS”) published an audit report finding that the U.S. Food and Drug Administration’s (“FDA”) policies and procedures were “deficient for addressing medical device cybersecurity compromises.” (A copy of OIG’s complete report is available here and Report in Brief is available here.) Specifically, the OIG found that FDA’s policies and procedures were “insufficient for handling postmarket medical device cybersecurity events” and that FDA had not adequately tested its ability to respond to emergencies resulting from cybersecurity events in medical devices. Although the OIG report “did not identify evidence that FDA mismanaged or responded untimely to a reported medical device cybersecurity event,” it noted that “existing policies and procedures did not include effective practices for responding to these events.”

Citing cybersecurity of medical devices as a top management challenge for HHS, OIG conducted an audit to evaluate FDA’s plans and processes for timely communicating and addressing cybersecurity compromises in the medical device postmarket phase. Based on OIG’s audit of certain FDA internal policies, procedures, and website, as well as interviews with FDA staff, OIG recommended that FDA take the following actions: (i) continually assess the cybersecurity risks to medical devices and update its plans and strategies; (ii) establish written procedures and practices for securely sharing sensitive information about cybersecurity events with key stakeholders; (iii) enter into a formal agreement with federal agency partners; and (iv) establish and maintain procedures for handling recalls of medical devices vulnerable to cybersecurity threats. Although the OIG acknowledged that FDA has recently implemented some of its initial recommendations, it emphasized that its findings and recommendations with regard to FDA’s cybersecurity policies and procedures remain valid.

On the same date OIG published its report, FDA’s Suzanne B. Schwartz, M.D., M.B.A., published a post on FDA Voices asserting that the OIG report is an incomplete and inaccurate picture of FDA’s oversight of medical device cybersecurity. The post addresses FDA’s ongoing efforts to improve medical device cybersecurity over the past five years, including entering into a memorandum of agreement between FDA and the Department of Homeland Security (“DHS”) and publishing a new premarket cybersecurity guidance update in October 2018, which we wrote about in a previous blog here. FDA’s post also highlights FDA’s other partnerships with industry that aim to increase awareness of cybersecurity vulnerabilities and related concerns.

FDA reiterated that its regulatory approach to cybersecurity threats “is not static,” and reconfirmed its commitment to “work with the medical device industry and other stakeholders to proactively address emerging cybersecurity threats to medical devices in a way that puts patient safety first.” FDA has announced that it will hold a public Workshop on January 29-30, 2019 to discuss the newly released draft guidance on cybersecurity in premarket submissions. Instructions for registration are available on FDA’s website here.

In response to the OIG’s report, FDA will likely continue to develop new cybersecurity policies, initiatives, and guidance. Stakeholders in the medical device industry should monitor these developments and be prepared to address any such changes in policy or regulation. Meanwhile, regulated industry should consider reviewing FDA’s current cybersecurity guidance documents and assess whether its internal controls, quality systems, policies, or procedures adequately address potential cybersecurity risks or threats or could be improved.

EBG will continue to monitor all developments in FDA’s regulation of and policies related to medical device cybersecurity.

On October 26, 2018, the Federal Trade Commission (FTC) announced that it will hold four days of hearings between December of 2018 and February of 2019 to examine the FTC’s authority to deter unfair and deceptive conduct in data security and privacy matters.[1] The two days of December hearings will focus on data security, while the two days of February hearings will focus on consumer privacy. This announcement comes as part of the agencies Hearings on Competition and Consumer Protection in the 21st Century, an initiative that has already scheduled hearings on closely related topics such as Big Data, Privacy, and Competition, and Algorithms, Artificial Intelligence (AI), and Predictive Analytics. The FTC will seek comments on the privacy and data security hearings through March 13, 2019.

These hearings serve as a signpost of a long-standing movement within the FTC to establish itself as the governing body over consumer data privacy and data security in the United States.[2] [3] This move however runs counter to the power that Congress has afforded it throughout the years. In particular, some of the most powerful enforcement tools for data breaches, such as the Computer Fraud and Abuse Act (CFAA) have been created outside of the FTC’s toolbox of enforcement. There are many reasons for this, including that acts like the CFAA include both criminal provisions and private causes of action, but it also speaks to a wider question of industry specific agency enforcement of data protection and privacy. As every industry and sector of American life becomes more digitally data-centric, the question of which government agency or agencies are best suited to ensure that sector-specific data is private and secure becomes more pressing.

As Congress considers following the European Union in increasing data privacy and security laws, it will have essential decisions to make regarding which agency is in charge of citizen data. Should this data be regulated by sector? Or should this data be regulated by a central agency? From the actions of the FTC, it is clear that the agency sees itself as a large part of the solution.

____

[1] https://www.ftc.gov/news-events/press-releases/2018/10/ftc-announces-sessions-consumer-privacy-data-security-part-its?mkt_tok=eyJpIjoiTlRWalpqZzFOV0ptWVRobCIsInQiOiJFSTc1UkdqZ0YyUWpKZG1WK3Z3K0RjbHNhd3ZQXC9SemtGelkzeVp6bGZyaXpwSGVaUUEzUU96bUtIRlpWdThuWmhsbGdhNmszb1U0TDhaelVCRExuXC9ieDd6Zk9VUTdvT3lKemJYZzJwdnBmTnozSUNHd3F0OGxTQzJJY1VaaTU3In0%3D

[2] 83 FR 38307

[3] https://www.law360.com/articles/495364/ftc-head-wants-more-power-to-penalize-for-data-breaches

Recent comments by the Federal Trade Commission (FTC) Commissioner Rohit Chopra should have companies on notice for increased enforcement actions across the board. During the “Privacy. Security. Risk.” Conference in Texas last week, Chopra made comments regarding his views on increasing enforcement, including the imposition of greater civil monetary penalties. “I’ve already raised concerns about settlements we do with no monetary penalties. I want to see monetary consequences for egregious breaking of the law” said Chopra as reported by the IAPP during a live podcast taping. Chopra also stated that he was troubled by current federal enforcement action in the United States, the answer to which appears in part to come with heftier fines.

While the FTC hopes to have a bigger bite, it appears that Congressional action, or lack thereof, is in many ways muzzling the agency. During a House Subcommittee hearing in July, FTC officials indicated that while they were aggressively pursuing action regarding data and privacy security, they also said that their hands were tied in regard to bringing more aggressive enforcement. As stated by Chairman Joe Simmons, “In my view, we need more authority. I support data security legislation that would give us three things: (1) the ability to seek civil penalties to effectively deter unlawful conduct, (2) jurisdiction over non-profits and common carriers, and (3) the authority to issue implementing rules under the Administrative Procedure Act. And we should consider additional privacy authority as well….” In part, Chairman Simmons may be referencing Congress’s failure to pass a comprehensive data protection law, particularly in the shadow of the European Union’s GDPR standards, which are continuing to impact American companies.

These comments come at a time where companies face ever increasing risk as the economy becomes more and more data-centric. Across the country, companies and their boards are faced with an ever more complex business decision on how to make cyber-security make business sense. On the one hand, investing in a robust cyber-security program, both in terms of designing a compliance strategy and investing in technology, is balanced with the risk and cost of a data breach. While the risks appear to be increasing, the cost of such a breach may also be increasing as well. In addition to a loss of revenue due to a drop in consumer confidence, Chairman Simmons and Commissioner Chopra’s comments should make companies aware that enforcement and increased civil monetary penalties may also be more of a threat towards business’s bottom lines.

The American Clinical Laboratory Association (“ACLA”) challenged the final rules promulgated by the Department for Health and Human Services (“HHS”) pertaining to how the Medicare Clinical Laboratory Fee Schedule (“CLFS”) payment rates are established for laboratory services (Am. Clinical Lab. Ass’n v. Azar, No. 17-2645 ABJ, 2018 U.S. Dist. LEXIS 161639, 2018 WL 4539681 (D.D.C. Sept. 21, 2018)). The U.S. District Court of the District of Columbia granted HHS’ motion for summary judgment to dismiss the complaint after concluding that the court lacked subject matter jurisdiction to hear the case. This is a significant set-back for the laboratory industry that has been fighting against the reductions in Medicare reimbursement under the new payment methodology, but it is not the end of the road.

In accordance with Section 216 of Protecting Access to Medicare Act of 2014 (“PAMA”), beginning January 1, 2018 the Medicare CLFS payment rate was established using a volume-weighted median of private payor rates for laboratory services as reported by applicable laboratories. What laboratories met the definition of an “applicable laboratory” and whether HHS had the authority to redefine the term was at the center of the challenge by the ACLA.

In December 2017, ACLA filed a lawsuit arguing that in the final rule HHS redefined the term “applicable laboratory” from the plain text of the statute and in doing so excluded almost 90% of hospital laboratories which reduced private-payment data reported and in turn resulted in lower CLFS payment rates. HHS argued that the terms “laboratory” and “revenue” relevant to determining an “applicable laboratory” were ambiguous and regardless PAMA includes a statutory bar to judicial review.

While ACLA presented multiple claims and arguments, the court focused on the threshold question: whether PAMA bars judicial review of HHS’ authority in “establishment of payment amounts under this section [of PAMA].” The court concluded that the statute did not permit judicial review; relying heavily on Florida Health, a D.C. Circuit case (Fla. Health Scis., Ctr., Inc. v. Sec’y of HHS, 830 F.3d 515 (D.C. Cir. 2016)). In Florida Health, the D.C. Circuit found that the statute gave HHS the power to make the choice as to what data should be used to calculate payment for hospitals’ uncompensated patient care. The reasoning in Florida Health is sound as it relates to the statutory authority granted under at issue in that case. Florida Health, however, seems to be easily distinguishable from the case brought by ACLA because, as the court itself recognized, “Florida Health did not involve a rule about how the Secretary would obtain the data needed … like this case does.” That is, Congress already defined under PAMA what data to be reported and who should report that data. In doing so, we believe the court conflated the breadth of the judicial review bar under PAMA and failed to differentiate between challenging the validity of HSS’ decisions made in the rulemaking process and contesting how and what data must be received and processed as per statutory procedure.

Here, ACLA argued that HHS overstepped its authority by redefining a clear statutory term; however, this was essentially ignored by the court by using the statutory judicial bar as a red-herring and conveniently limiting its analysis. Even though the court acknowledged that ACLA’s arguments “raise important questions,” the court refused to answer those very questions upon its determination that it could not hear the case. The court’s failure to address these issues likely gives ACLA grounds for appeal.

ACLA’s statement, released in response to the decision, reports that the association is exploring further legal options. The statement expresses concern that the decision “sets a harmful precedent that allows agencies to circumvent Congress’ express directions at the expense of patient care.” The association also urged Congress to take immediate action to resolve the issues raised in the lawsuit; specifically, the impact the reduction in Medicare CLFS payment rates will have on the laboratory industry. In the meantime, ACLA must seriously and carefully consider filing an appeal to request their central arguments be addressed and prepare to show the D.C. Circuit how this case can easily be distinguished from Florida Health and the underlying notion of judicial deference for an agency’s implementation of a complex statute.

Of course, even if successful, the ACLA must still address the other jurisdictional issues raised by HHS, such as whether ACLA had standing to bring suit on behalf of its members and if injury to labs or impact on Medicare rates had been proven.

 

Sydney Reed, a Law Clerk (not admitted to the practice of law) in the firm’s Houston office, contributed significantly to the preparation of this post.

On September 20, 2018, the U.S. Food and Drug Administration (“FDA”) released draft guidance “Civil Money Penalties Relating to the ClinicalTrials.gov Data Bank” (“Guidance”). The purpose of this Guidance is to explain FDA’s protocol in (1) determining how the centers will identify whether responsible parties failed to comply with submission and certification requirements to the ClinicalTrials.gov or submitted false or misleading documents to the data banks and (2) deciding when, why, and what civil monetary penalties will be assessed against the responsible parties or submitters. The new guidance seeks to address requirements of responsible parties involved in the performance of clinical research and submission of applications for marketing authorizations to register their trial, submit clinical results information and make certain certifications regarding their compliance with these requirements.  In order to mitigate their risk of civil money penalties in accordance with this guidance,  sponsors and researchers should (1) have policies and procedures that ensure correct clinical trial information is submitted to the ClinicalTrials.gov data bank, (2) have policies and procedures that ensure routine monitoring for missing or inaccurate clinical trial information in the data bank, (3) make timely submissions of the required information, and (4) remain responsive to any inquiries by FDA concerning clinical trial data and/or certifications to FDA.

Background

Under section 801 of the Food and Drug Administration Amendments Act of 2008 (the “FDAAA”), which amended section 402(j) of the Public Health Service Act (42 U.S.C. 282(j)(5)(B)), responsible parties engaged in certain clinical research activities are required to submit registration and results information to the ClinicalTrials.gov data bank. Additionally, submitters of certain applications and other items to FDA regarding drug, biological, and medical device products are required to certify to FDA that all requirements of section 402(j) have been met. Similarly, the FDAAA amended section 301(jj) of the Food Drug and Cosmetics Act (the “FD&C Act”) to prohibit: (1) the failure of submitting or knowingly submitting a false certification to FDA, (2) the failure to submit required clinical trial information, and (3) submitting false or misleading clinical trial information to the ClinicalTrials.gov data bank. Further, the FDAAA amended section 303(f)(3) of the FD&C Act, authorizing FDA to assess civil monetary penalties against the person committing the prohibited acts.

Identifying Noncompliant Responsible Parties and Submitters

In this Guidance, FDA states its intention to utilize evidence collected during FDA’s Bioresearch Monitoring Program (“BIMO”) inspections to assess compliance with registration and results reporting requirements as described in Form FDA 2438 – Chapter 48 – Bioresearch Monitoring (Apr. 19, 2017). FDA also intends to identify violations as a result of complaints received by the Agency, which may entail reviewing public and non-public information, including, but not limited to information submitted to the ClinicalTrials.gov data bank and to FDA.

It is in the best interest of sponsors, researchers, and other parties subject to an obligation to submit clinical trial registration, information, results, and/or certifications to FDA to have policies and procedures in place to ensure correct information is submitted to ClinicalTrials.gov data bank. Policies and procedures should also include periodic review of the data bank to monitor for any missing or inaccurate clinical trial information. Developing and implementing these policies and procedures will mitigate the risk of enforcement for noncompliance with registration and clinical trial results reporting requirements, as outlined in the Guidance.

Determining When to Seek Civil Monetary Penalties

Under Guidance, FDA intends to provide the responsible parties with an opportunity to remedy any prohibited acts under section 301(jj) of the FD&C Act and corresponding regulations (42 CFR Part 11) before initiating an action to recover penalties. Pursuant to the procedures detailed in the Guidance, when FDA determines that when submissions are not timely filed or inaccurate, FDA will generally send the responsible party or submitter a Preliminary Notice of Noncompliance Letter describing the potential violation. The responsible party or submitter will have thirty (30) calendar days to remedy the violation. Should FDA conduct further review and find further or continued noncompliance with the applicable clinical trial requirements, the agency will then issue a Notice of Noncompliance, giving the responsible party or submitter another thirty (30) days to remedy noncompliance after receipt of the notice.

It is in the best interest of sponsors and researchers to promptly respond to any FDA inquiries and notices concerning registration, clinical trial information or certification issues related to the ClinicalTrials.org data bank. Failure to comply within the thirty (30) days of receipt of Notice of Noncompliance will result in FDA escalating regulatory action, including civil monetary penalties, of up to $10,000 for all violations adjudicated in a single proceeding.  Additional penalties of up to $10,000 each day may be included if the violation continues and if said violation is not corrected within thirty (30) days following notification. FDA may also pursue injunction and/or criminal prosecution.

In determining monetary penalties, the FDA will evaluate the circumstances, nature, extent, and gravity of the violation(s) with respect to the individual.  Other factors will include the violator’s ability to continue conducting business, any prior history of such violations, and the degree of culpability in the matter.

Responding To Civil Monetary Penalties by FDA

If FDA seeks civil monetary penalties, according to 21 CFR Part 17, the responsible party or submitter has the opportunity to either: (1) pay the penalty prescribed in the complaint or (2) file an Answer, contesting the allegations either in part or in whole, within thirty (30) days of date of service.

Should the responsible party or submitter contest the allegations by submitting an Answer, generally settlement discussions with FDA are entered into, providing the responsible party or submitter to present mitigating evidence to FDA for purposes of reducing the penalty amount. If a settlement is not reached before a decision on appeal, a presiding officer will make an initial decision, followed by the usual administrative appeal process (e.g., Department of Health and Human Services Departmental Appeal Board and then the U.S. Court of Appeals for the District of Columbia or any other circuit in which the responsible party or submitter resides or conducts business), should either party appeal the initial decision.

 

* * *

A recent BMJ article, “Compliance with requirement to report results on the EU Clinical Trials Register: cohort study and web resource,” reported that for approximately half of the clinical trials, the responsible person did not report results on the EU register while a 2015 New England Journal of Medicine article, “Compliance with Results Reporting at ClinicalTrials.gov,” reported that approximately 20% of industry trials did not report results when required to do so, and 50% of NIH-sponsored research went unreported. While the registration, reporting, certification requirements, and the penalties for noncompliance are not new, FDA’s release of this Guidance should be taken as a signal to sponsors and researchers of its plan to enforce those requirements more rigorously. Therefore, sponsors and researchers should take this opportunity to evaluate the sufficiency of their policies and procedures for compliance with registration and reporting requirements and audit their submissions to ensure they are up-to-date.  Comments are due by November 20, 2018.

On Monday, August 12, 2018, the U.S. Department of Justice (“DOJ”) announced a new addition to its regional Medicare Fraud Strike Forces: a Newark/Philadelphia Regional Medicare Strike Force that will target both healthcare fraud and opioid overprescription.[1] The newly-formed Newark/Philadelphia Strike Force joins nine existing regional Medicare Strike Forces, all of which are focused in geographical areas of high healthcare fraud risk: Miami, Florida; Los Angeles, California; Detroit, Michigan; Southern Texas; Southern Louisiana; Brooklyn, New York; Tampa, Florida; Chicago, Illinois; and Dallas, Texas.[2] The Newark/Philadelphia Strike Force will be supported by the resources of several federal agencies, including the Health Care Fraud Unit of the Justice Department’s Criminal Division’s Fraud Section, the U.S. Attorney’s Offices for the District of New Jersey and the Eastern District of Pennsylvania, the FBI, U.S. Department of Health and Human Services Office of the Inspector General (“OIG”), and the U.S. Drug Enforcement Administration.[3]

The creation of the regional Newark/Philadelphia Strike Force comes as little surprise as this heavily populated region is home to many major players in the healthcare industry, including pharmaceutical companies and healthcare facilities. Significantly, earlier this year, Maureen Dixon, the Special Agent in Charge of OIG’s Philadelphia Regional Office testified before the U.S. Senate Committee on Finance’s Health Care Subcommittee and highlighted many cases in the New Jersey/Philadelphia region as prototypical examples of patient harm and prescription and treatment fraud and addressed efforts to prevent opioid overutilization and misuse.

Enforcement in the Region: Expect More Enforcement Against Providers and Home Health Care Agencies

The new Newark/Philadelphia Strike Force is expected to usher in quickly a new wave of fraud enforcement to the region. Historically, DOJ’s Strike Forces have targeted provider activity, with enforcement often aimed at clinicians and home health care agencies. The new Strike Force’s dedicated focus on opioid overutilization is in line with the priorities of the District of New Jersey’s U.S. Attorney Craig Carpenito, who has made the abuse of opioid prescriptions a target for his district.  In February of this year, the District of New Jersey’s U.S. Attorney’s Office reorganized and announced the formation of an Opioid Abuse Prevention and Enforcement Unit to complement the existing Healthcare and Government Fraud Unit within that Office’s Criminal Division.

Notably, the addition of the new Newark/Philadelphia Strike Force demonstrates DOJ’s continued belief that behavior – both on the provider and the patient sides – can be changed through enforcement. The Strike Forces’ data-driven model of health care enforcement eschews reliance on qui tam filings and whistleblowers for investigative leads in favor of identifying and targeting health care fraud through data analytics.  Nationwide, the Strike Forces have brought a significant increase in healthcare fraud prosecutions since the concept was first introduced in 2007. Indeed, since their creation in 2007, the Strike Forces have been instrumental in obtaining nearly 2,500 indictments related to over $3 billion in fraudulent health care payments.[4]Most recently, DOJ’s Medicare Strike Forces were in part responsible for the DOJ’s July 2018 health care fraud takedown, the nation’s largest to date, resulting in 601 arrests in connection with over $2 billion of fraudulent billings.[5] 162 defendants, including 32 doctors, were charged for their roles in prescribing and distributing opioids and other narcotics.[6]

Impact on Provider Exclusion Actions

It is likely that the number of exclusion actions pursued by OIG will increase in the region because of the Newark/Philadelphia Strike Force. In the intervening year between DOJ’s June 2017 and July 2018 health care fraud takedowns, the OIG issued nearly 600 exclusion notices to individuals and entities whose conduct “contributed to opioid diversion and abuse.”[7] Among those issued exclusion notices were 67 doctors, 402 nurses, and 40 pharmacy services.[8]

Opioid Overutilization Enforcement

The Newark/Philadelphia Strike Force is the first of its kind to have a specific focus on targeting opioid overutilization. Identifying and targeting the opioid epidemic is a top priority of both DOJ and the OIG; according to Assistant Attorney General Brian A. Benczkowski of the Justice Department’s Criminal Division, CDC data found that over 40 percent of all U.S. opioid overdose deaths involved a prescription opioid in 2016.[9][10] A 2018 OIG report on opioid abuse in the Medicare Part D program found that about 460,000 beneficiaries received high amounts of opioids in 2017, and about 71,000 beneficiaries are at serious risk of opioid misuse or overdose.[11]

* * *

Both the Eastern District of Pennsylvania and the District of New Jersey have developed novel, cutting-edge healthcare fraud cases time and time again over the past decade.  The addition of expertise and resources provided by the new Strike Force in these two districts demonstrate a clear intent to continue this trend. However, it remains to be seen if the new Strike Force and its opioid focus will divert resource away from other more long-term, complex investigations these Districts have traditionally concentrated on.

[1] https://www.justice.gov/opa/pr/assistant-attorney-general-benczkowski-announces-newarkphiladelphia-medicare-fraud-strike

[2] https://www.justice.gov/opa/pr/assistant-attorney-general-benczkowski-announces-newarkphiladelphia-medicare-fraud-strike

[3] Id.

[4] https://oig.hhs.gov/fraud/strike-force/

[5] https://www.justice.gov/opa/pr/national-health-care-fraud-takedown-results-charges-against-601-individuals-responsible-over

[6] https://www.fda.gov/ICECI/CriminalInvestigations/ucm612183.htm; https://oig.hhs.gov/newsroom/media-materials/2018/takedown/2018HealthCareTakedown_FactSheet.pdf; https://www.law360.com/articles/1064720/doj-s-health-care-enforcement-initiative-is-still-going-strong.

[7] https://oig.hhs.gov/newsroom/media-materials/2018/takedown/2018HealthCareTakedown_FactSheet.pdf

[8] Id.

[9] https://oig.hhs.gov/oei/reports/oei-02-18-00220.pdf; https://oig.hhs.gov/reports-and-publications/featured-topics/opioids/

[10] https://www.justice.gov/opa/pr/assistant-attorney-general-benczkowski-announces-newarkphiladelphia-medicare-fraud-strike

[11] https://oig.hhs.gov/oei/reports/oei-02-18-00220.pdf

The Office of Inspector General (“OIG”) of the U.S. Department of Health and Human Services issued Advisory Opinion No. 18-03 in support of an arrangement where a federally qualified health center look-alike (the “Provider”) would donate free information technology-related equipment and services to a county health clinic (the “County Clinic”) to facilitate telemedicine encounters with the County Clinic’s patients (the “Proposed Arrangement”).  The OIG concluded that although the Proposed Arrangement could potentially generate prohibited remuneration under the federal Anti-Kickback Statute (“AKS”) and Civil Monetary Penalties Law (“CMPL”) with the requisite intent to induce or reward referrals of federal health care programs, the OIG would exercise its discretion and not sanction the Provider or the County Clinic (collectively the “Requestors”).

The OIG’s analysis and conclusion of the Proposed Arrangement provides new insight into the government’s position on these type of donations that facilitate telemedicine encounters.  Specifically, how the government views these type of donations with the continued expansion of coverage and reimbursement of telemedicine services under federal health care programs.  The Advisory Opinion indicates support for the development of collaborative telemedicine affiliations and that the potential remuneration from the future referrals can be outweighed by the access to health care services and benefits actually received by rural or remote communities.

Proposed Arrangement

The County Clinic is a division of the County Department of Health that furnishes certain confidential sexually transmitted infection testing, treatment and counseling. The Provider has an existing referral relationship with the County Clinic but the facilities are separated by about 80 miles making it difficult for patients to access the Provider.  Under the Proposed Arrangement, the Provider would donate information technology-related equipment and services to the County Clinic to facilitate telemedicine encounters between the Provider and the County Clinic’s patients for certain HIV prevention and treatment services.  The Provider would cover the costs of the equipment, its set up, and maintenance through grant-funding from the State Department of Health.  The Provider would bill the Medicare program for the professional services delivered in the telemedicine encounters.  The County Clinic would house the equipment and bill the state Medicaid program an originating site fee related to the telemedicine encounters. The originating site is not required to provide any personnel or equipment in order to bill for the facility fee (Q3014) (which is only a coverage requirement to provide the telehealth consult).

OIG Analysis

AKS makes it a criminal offense to knowingly and willfully offer or receive remuneration in an effort to induce or reward referrals of items or services reimbursable by federal health care programs. CMP provides for penalties against any person who offers or transfers remuneration to a Medicaid or Medicare beneficiary that the benefactor knows or should know is likely to influence the beneficiary’s selection of a specific provider, service, or item that will be paid, in whole or part, by Medicaid or Medicare.

Under the Proposed Arrangement, the County Clinic would receive remuneration of the free equipment and services and the Provider would have the opportunity to bill for the telehealth consultation referred by the County Clinic.  As such, the OIG acknowledged that the Proposed Arrangement could potentially generate prohibited remuneration under the federal AKS with the requisite intent to induce or reward referrals of services payable by a federal health care program.  However, the OIG identified the following factors as minimizing the potential risk of fraud and abuse:

  • There are safeguards in place to prevent patient steering to the Provider for treatment; namely use of technology with any other provider is not restricted and patients are given the option to have either a virtual or in-person consultation
  • Not likely to result in patient steering for prescriptions to any pharmacy operated by the Provider or County Clinic
  • There would be no increased cost to any federal health care program
  • Patients would benefit by having increased access to treatment; making it more likely that patients will seek out and receive such services

It is important to keep in mind that under the Proposed Arrangement the County Clinic would not obtain ownership of the equipment, as the Provider would use grant funds awarded by the State Department of Health to cover the costs of the equipment and services and the state agency would retain title and have the authority to recover the equipment at any time.  This could prove to be an important distinction concerning whether and how donating providers can provide information technology-related equipment and services to referring facilities in the other arrangements.

Notes and Comments

In prior Advisory Opinions (99-14, 04-07 and 11-12) concerning donations of information technology-related equipment and supplies, the OIG similarly concluded that it would not pursue sanctions; however, those proposed arrangements would not have directly resulted in a service payable by a federal health care program, but rather would only potentially result in other items or services to the patient by the donating provider. Under the Proposed Arrangement, both the County Clinic and the Provider would be in a positon to submit claims to a federal health care program as a result of the telemedicine encounter and follow-up services.  Nevertheless, the OIG concluded that there would be no increased cost to any federal health care program because the County Clinic would have performed the preliminary tests and referred clinically appropriate patients for in-person consultations and, potentially, follow-up items and services regardless of the Proposed Arrangement.

While the analysis acknowledges the additional reimbursement the County Clinic would receive for serving as the originating site (i.e., the location of the Medicaid beneficiary when the service furnished via a telecommunications system occurs), there is no actual analysis of this facility fee and why it is not considered an increased cost.  To be clear, the County Clinic does not provide the HIV preventative services to be delivered by the Provider via the telemedicine consultation, and therefore, would not have previously received any payments if and when the patient was referred to the Provider for an in-person consultation.

Again, it appears that the OIG is willing to prioritize the health benefits to patients over any secondary or tertiary benefits to the referring provider; especially when such subsequent benefits are unlikely to result in overutilization and have the potential to decrease costs to federal health care programs.

Eighty years ago today, President Roosevelt signed the Federal Food, Drug, and Cosmetic Act (“FD&C Act”).  In recognition of this anniversary, EBG reviews how the FD&C Act came to be, how it has evolved, and how the Food and Drug Administration (“FDA”) is enforcing its authority under the FD&C Act to address the demands of rapidly evolving technology.

I’m Just a Bill

The creation of the FD&C Act stems from a sober event in American History.  In 1937, a Tennessee drug company marketed elixir sulfanilamide for use in children as a new sulfa drug.  The diethylene glycol (“DEG”) used as a solvent for the elxir is poisonous to humans.  The untested drug killed over 100 people, including children.  The public’s response to the disaster prompted and ensured the passage of the FD&C Act in 1938, which included the creation of the process known as pre-market approval, requiring that new drugs be proven safe before going on the market.

Growing Pains and Milestones

Since 1938, FDA’s jurisdiction has expanded as various public health emergencies and other challenges faced by the health care system have caught national attention.  Among the many legislative acts passed over the years, the following are of particular relevance to current developments:

(1) Food Additives Amendment of 1958, addressing safety concerns over new food additives and implementing generally recognized as safe (“GRAS”) requirements;

(2) Drug Price Competition and Patent Term Restoration Act of 1984 (the “Hatch-Waxman” Act), establishing the modern generic drug approval system;

(3)  Nutrition Labeling and Education Act of 1990, granting FDA authority to require nutrition labels on most foods, and compelling FDA-compliant nutrient and health claims;

(4) Safe Medical Device Amendments of 1990, giving FDA post-market device surveillance authority and device tracking capability at the user level;

(5) Dietary Supplement Health and Education Act of 1994, defining “dietary supplement” and establishing a regulatory framework for such products;

(6) Food and Drug Administration Modernization Act of 1997, making changes to several FDA regulatory schemes, including biologics, devices, pharmacy compounding, food safety and labeling, and standards for medical products;

(7) Food and Drug Administration Amendments Act of 2007, authorizing FDA to require a Risk Evaluation and Mitigation Strategy (“REMS”) to ensure that drug benefits outweigh risks;

(8) Family Smoking Prevention and Tobacco Control Act of 2009, expanding FDA authority over manufacturing, distribution, and marketing of tobacco products;

(9) Drug Quality and Security Act of 2013, expanding FDA’s authority to regulate the manufacturing of compounded drugs as a reaction to a meningitis outbreak caused by contaminated compounded drug products; and

(10) 21st Century Cures Act of 2016, creating the Breakthrough Devices Program, the Regenerative Medicine Advanced Therapy Designation, and exempting certain software products from the definition of “medical device.”

An Old Dog Learning New Tricks

Over the last few years, FDA has felt the impact of and the need to respond to several societal developments.  The country is calling for the government to address drug prices and to gain better control over access to drugs containing controlled substances, such as opioids.  The surge in development of new technology has forced FDA to adapt its historically rigid device regulatory structure to accommodate innovations such as regenerative medicine therapies.  A renewed public focus on the nutritional value of food requires updates to nutritional labeling and food safety regulations, and the new “vaping” trend raises questions surrounding the sale and promotion of new tobacco products.  Across all of these developments, there is a trend toward more focused regulatory pathways that take into account the particular needs and challenges of specific product categories.  Many of these changes are either required or authorized by legislation, such as the 21st Century Cures Act; and statements by the agency, as well as numerous new draft and final guidance documents, give indications as to where FDA is headed in the next few years.

A. Drugs

Increasing Market Competition and Access: FDA is focused on increasing market competition for and patient access to prescription drugs. In furtherance of its Drug Competition Action Plan, the agency published a draft guidance to address the exploitation of REMS and prevent problematic pay-for-delay schemes. In the same vein, FDA implemented a Biosimilar Innovation Plan to facilitate development and approval of biosimilars, hoping to increasing patient access to costly biologics. Last week, FDA also withdrew its draft guidance on biosimilar analytical studies, announcing intent to issue a revised draft guidance in the future.

Drug Development Efficiency: Recent FDA publications also suggest that the agency is prioritizing a more streamlined drug development process. In February 2018, FDA released five guidance documents emphasizing a faster, patient-focused approach for drug development for neurological conditions. In March 2018, FDA updated its benefit-risk framework to further incorporate patient experience into the agency’s regulatory decision-making process. FDA published the first of four of its patient-focused drug development guidances on June 13, 2018.

In response to the opioid crisis, FDA is focusing heavily on changes to the drug compounding and controlled substance space. In March 2018, FDA published a draft guidance on evaluation of bulk drug substances nominated for inclusion in the 503(B) bulks list, requiring a showing of clinical need. FDA also plans to issue notice of proposed regulations for outsourcing facilities later in 2018.  FDA held a Patient-Focused Drug Development Meeting for Opioid Use Disorder in April 2018 and published an associated draft guidance on buprenorphine drug development and clinical trial design issues. We expect to see more FDA movement on drug development as the year progresses, particularly with respect to opioid use disorder treatment therapies.

B. Devices

Streamlining the Device Pathway: FDA continues to implement changes to the regulatory pathway for manufacturers to bring their devices to market.  Per a draft guidance released in April 2018, the agency is expanding the abbreviated 510(k) pathway by creating a voluntary option for manufacturers when there is no acceptable predicate for a new device, but there is another device with the same intended use.  Manufacturers will be able to use the similar device as a “predicate” and demonstrate how their product conforms to newly-developed device-specific objective performance criteria.  While these performance criteria are still under development, they will eventually pave the way for more manufacturers to bring their products to market faster.

Precision Medicine: The national focus on precision medicine has encouraged many manufacturers to develop new products that incorporate genomics-based technology.  FDA is encouraging development of next generation sequencing (“NGS”)-based tests, which analyze larger sequences of the human genome, if not the whole genome, for a variety of different genetic variants.  FDA released two final guidance documents in April 2018, making recommendations on (1) the design and development of a NGS-based test for germline diseases and (2) use of public human genetic variant databases to support clinical validity of NGS-based tests and routes for establishing and justifying algorithms for variant annotation and filtering.

FDA is also evaluating its approach to the regulation of gene therapy products. Commissioner Gottlieb stated that the agency is at “an inflection point” with gene therapy thanks to increased reliability of vectors.  The focus has shifted from the efficacy of gene therapy to its durability, i.e. the long term effects of the treatment.  Recently, Commissioner Gottlieb announced FDA’s intent to start developing gene therapy guidance for products intended to treat hemophilia.

Regenerative Medicine: In efforts to implement its comprehensive policy framework for regenerative medicine and respond to certain provisions of the 21st Century Cures Act, FDA intends to create an expedited regulatory pathway for novel regenerative medicine therapies.  FDA is also actively enforcing against stem cell clinics promoting certain regenerative medicine therapies without approval and in violation of current good manufacturing practices.

Software and Artificial Intelligence (“AI”): In acknowledgment of the current “digital age,” FDA published a Digital Health Innovation Action Plan.  In April 2018, FDA released two policy documents – (1) a working model for the Digital Health Software Pre-Certification (Pre-Cert) Program Pilot and (2) guidance on regulation of digital health products with both FDA-regulated and unregulated functions.  Also in 2018, FDA authorized the marketing of AI-based clinical decision software (“CDS”) that functions to alert specialists when computed tomography (“CT”) indicates a potential stroke, as well as an AI algorithm for detection of wrist fractures.

C. Food

Food Safety: Since the Food Safety Modernization Act (“FSMA”) was passed, sixteen rules and dozens of guidances have been released (many of which have been in the last two years), bringing the law close to full implementation. These rules and guidances address the mandatory preventive controls for food manufacturing facilities; mandatory product safety standards; FDA’s new mandatory food recall authority; and the initial required inspection of over 600 foreign facilities and the subsequent requirement to “double those inspections every year for the next five years.” In light of the recent high profile foodborne illness outbreaks at chain restaurants and attributed to romaine lettuce, the agency is hoping the full implementation of the FSMA rules, in tandem with keeping food safety as a high priority for the agency, will minimize the risk of future outbreaks.

Nutrition: In 2018, the agency launched the FDA Nutrition Innovation Strategy, which, in addition to implementing new Nutrition Facts Label and Menu Labeling requirements, demonstrates that the agency is looking for more ways to modernize food labels and standards of food product identity to help consumers make healthier decisions. FDA also plans to release short-term voluntary sodium targets for food products in 2019.

Food Labeling: FDA issued a guidance in 2016 on the use of the term “healthy” in food labeling, and continues today to seek stakeholder input on how to redefine the term in such a way as will keep up with scientific advancements and help consumers understand what is in their food products.  FDA is also reviewing stakeholder input on how to define “natural,” and indicated in March 2018 that the agency will “have more to say on the issue soon.”

Dietary Supplements: The dietary supplement industry is a growing industry, and consumers are more interested in alternative products to promote wellness lifestyles. The industry is considered by some to still be the “wild wild west” in terms of enforcement, but FDA seems to be putting its foot down on companies making unsubstantiated claims about dietary supplement products or making claims that would otherwise classify the product as a drug.

D. Tobacco Products

Using its authority to regulate all tobacco products, FDA is addressing the rise in the use of vapes, vaporizers, pens and electronic cigarettes by children.  In April 2018, Commissioner Gottlieb announced the intent to issue new enforcement actions against bad actors, as well as to implement a Youth Tobacco Prevention Plan, seeking to reduce the amount of children exposed to e-cigarettes and vapes and those manufactures who target children with enticing flavors.   In May 2018, Commissioner Gottlieb stated “If you target kids, then we’re going to target you.”  FDA is also in the process of developing guidance for the development and regulation of e-cigarettes generally, suggesting that e-cigarettes could fall into the over-the-counter pathway due to their potential role in smoking cessation, and is reviewing the toxicology of the products.

Andrew Do, a Summer Associate (not admitted to the practice of law) in the firm’s Washington, D.C. office, contributed  to the preparation of this post.

On June 20, 2018, the Centers for Medicare and Medicaid Services (“CMS”) published an advance copy of a request for information seeking public input on reforms to the Physician Self-Referral Law (or “Stark Law”).

The request for information stems from on-going efforts by the Department of Health and Human Services (“HHS”) to accelerate the government’s transformation from a fee-for-service to a value-based system focused on care coordination.  Dubbed the “Regulatory Sprint to Coordinated Care” (#RS2CC), HHS expressed an intent to first identify regulatory requirements that act as obstacles to coordinated care, and then issue guidance or revise regulations to address these obstacles and/or incentivize coordinated care.

In connection with this HHS initiative, CMS acknowledged and identified that certain aspects of the Stark Law may pose potential obstacles to coordinated care.  Through their request for information, CMS seeks additional information and input from the public to help achieve their goal of “reducing regulatory burden and dismantling barriers to value-based care transformation.”  In particular, CMS has asked the public to share their thoughts and experiences related to:

  • the structure of arrangements between DHS entities that are used to effectuate alternative payment models and novel financial arrangements;
  • potential revisions to current Stark Law exceptions and key defined terms that would serve to permit or encourage the implementation of alternative payment models; and
  • the creation of new Stark Law exceptions to permit or encourage the implementation of alternative payment models.

The request for information follows a number of other administrative actions and announcements focused on reforming the current regulatory environment, particularly with respect to physician arrangements and, more specifically, the Stark Law. In January, CMS Administrator Seema Verna announced a plan to form an interagency group focused on reviewing the regulatory barriers to alternative payment models created by the Stark Law.  In addition, the Fiscal Year 2019 budget proposal, issued by the Office of Management and Budget in February, includes a proposal to reform the Stark Law to “better support and align with alternative payment models and to address overutilization.”  These more recent actions continue to build on concerns and suggestions identified in a white paper released by the Senate Finance Committee in 2016 titled “Why Stark? Why Now? Suggestions to Improve the Stark Law to Encourage Innovative Payment Models.”

This request is only the first formal step in the combined efforts of HHS and CMS to adopt what may be significant changes to the Stark Law.  However, the government appears to be poised to move quickly on regulatory reforms now that the ball is rolling, as evidenced by their branding of these efforts as a “sprint.”

Epstein Becker Green is in the process of coordinating with clients that are interested in submitting responses to the request for information.  If your organization is interested in developing comments to this request and would like assistance in these efforts, please contact Victoria Sheridan by e-mail at vsheridan@ebglaw.com or by phone at (973) 639-8296.

The final copy of the request for information is scheduled to be published in the Federal Register on June 25, 2018.

The Health Care Compliance Association (HCCA) kicked off its 22nd Annual Compliance Institute on Monday, April 16, 2018. During the opening remarks, Inspector General Daniel Levinson, of the Department of Health and Human Services (HHS) Office of Inspector General Office (OIG), announced the rollout of a new public resource to assist companies in ensuring compliance with Federal health care laws. The Compliance Resource Portal on the OIG’s website features:

  • Toolkits
  • Advisory opinions
  • Provider Compliance Resource and Training
  • Voluntary Compliance and Exclusions Resources
  • Resources for Health Care Boards and Physicians
  • Accountable Care Organizations
  • Special Fraud Alerts, Other Guidance, and Safe Harbors

The main benefit of the portal is that it streamlines public access to helpful compliance guidance resources, and allows for OIG to highlight new materials and updates.  For example, the portal already indicates that a Toolkit to Identify Patients at Risk of Opioid Misuse is “coming soon.”

In addition to announcing the portal, the Inspector General also touched on the dynamic shift in compliance considerations due to changes in the health care industry. Shifts such as the move towards value based care and the increase in role of technology create new risks and issues for providers, which makes user-friendly public access to compliance resources increasingly more important.

The Inspector General also emphasized the OIG’s focus on the “power of data” when it comes to compliance.  Mr. Levinson’s remarks indicated that data-driven decision making is crucial to navigating risk-mitigation waters, and that consequently the OIG places high value on the diligent collection and review of data in the compliance context.