Coronavirus (COVID-19)

As employers continue their efforts to safely bring employees back to the workplace, many have moved beyond initial pre-entry wellness checks or questionnaires and are considering technology solutions that monitor social distancing and conduct contact tracing in real-time. Along with introducing these enhanced capabilities, the question of the privacy and security of employee personally identifiable

Recently, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS), the agency enforcing the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules, obtained two large breach-related settlements: one from a HIPAA Covered Entity and one from a HIPAA Business Associate.  These enforcement actions signal that despite COVID-19 related challenges, organizations continue to face rampant data breaches and ensuing HIPAA enforcement.

On September 25, 2020, OCR settled an investigation into a breach suffered by a large health insurer by obtaining the second-largest resolution payment in HIPAA enforcement history ($6.85 million).  This enforcement action resolved an investigation concerning potential violations of HIPAA Privacy and Security Rules related to a breach affecting the electronic protected health information (ePHI) of more than 10.4 million people.  The breach resulted from a phishing attack that introduced malware into the insurer’s IT systems and allowed unauthorized actors to gain access and remain undetected for nearly nine months.  Similarly, on September 23, 2020, a business associate providing IT and health information management services to hospitals and physician clinics entered a settlement ($2.3 million) with OCR for potential violations of HIPAA Privacy and Security Rules related to a breach affecting over 6 million people.  Essentially, these cyberattacks were advanced persistent threats that compromised the privacy and security of ePHI and PHI and revealed longstanding gaps in the companies’ cybersecurity controls.
Continue Reading Data Breaches and HIPAA Enforcement Remain Endemic Amidst the COVID-19 Pandemic

On Tuesday, September 1, 2020, the Drug Enforcement Agency (“DEA”) proposed 2021 aggregate production quotas (APQs) for controlled substances in schedules I and II of the Controlled Substances Act (“CSA”) and an Assessment of Annual Needs (“AAN”) for the List I Chemicals pseudoephedrine, ephedrine, and phenylpropanolamine. This marks the second year that DEA has issued APQs pursuant to Congress’s changes to the CSA via the SUPPORT Act.  After assessing the diversion rates for the five covered controlled substances, DEA reduced the quotas for four: oxycodone, hydrocodone, hydromorphone and fentanyl.

DEA recently increased the APQ to allow for the additional manufacture of certain controlled substances in response to the COVID-19 pandemic and the need to provide greater access to these medications for patients on ventilator treatment.  According to DEA, that increased demand has been factored into the proposed APQs for 2021.

Comments are due by October 1, 2020.  Because DEA’s APQs determine the amount of quota DEA can allocate to individual manufacturers in 2021, adversely impacted parties should file comments soon.

Background on APQs

The CSA requires the establishment of aggregate production quotas for schedule I and II controlled substances, and an assessment of annual needs for the list I chemicals ephedrine, pseudoephedrine, and phenylpropanolamine.  These aggregate quotas limit the quantities of these substances to be manufactured – and with respect to the listed chemicals, imported –  in the United States in a calendar year, to provide for the estimated medical, scientific, research, and industrial needs of the United States, for lawful export requirements, and for the establishment and maintenance of reserve stocks.

Changes in Setting APQs Under The SUPPORT Act

The Substance Use-Disorder Prevention that Promotes Opioid Recovery and Treatment for Patients and Communities Act (“SUPPORT Act”) signed into law October 24, 2018, provided significant changes to the process for setting APQs.  First, under the CSA, aggregate production quotas are established in terms of quantities of each basic class of controlled substance, and not in terms of individual pharmaceutical dosage forms prepared from or containing such a controlled substance.  However, the SUPPORT Act provides an exception to that general rule by giving the DEA the authority to establish quotas in terms of pharmaceutical dosage forms if the agency determines that doing so will assist in avoiding the overproduction, shortages, or diversion of a controlled substance.

Additionally, the SUPPORT Act changed the way the DEA establishes APQs with respect to five “covered controlled substances”: fentanyl, oxycodone, hydrocodone, oxymorphone, and hydromorphone.  Under the SUPPORT Act, when setting the APQ for any of the “covered controlled substances,” DEA must estimate the amount of diversion.  The SUPPORT Act requires DEA to make appropriate quota reductions “as determined by the [DEA] from the quota the [DEA] would have otherwise established had such diversion not been considered.”  Furthermore, when estimating the amount of diversion, the DEA must consider reliable “rates of overdose deaths and abuse and overall public health impact related to the covered controlled substance in the United States,” and may take into consideration other sources of information the DEA determines reliable.

Estimating Diversion  

In accordance with this mandate under the SUPPORT Act, in setting the proposed APQs for 2021 DEA requested information from various agencies within the Department of Health and Human Services (“HHS”), including the U.S. Food and Drug Administration (“FDA”), Centers for Disease Control and Prevention (“CDC”), and the Centers for Medicare and Medicaid Services (“CMS”), regarding overdose deaths, overprescribing, and the public health impact of covered controlled substances.  DEA also solicited information from each state’s Prescription Drug Monitoring Program (“PDMP”), and any additional analysis of prescription data that would assist DEA in estimating diversion of covered controlled substances.

After soliciting input from these sources, DEA extracted data on drug theft and loss from its internal databases and seizure data by law enforcement nationwide.  DEA then calculated the estimated amount of diversion by multiplying the strength of the active pharmaceutical ingredient (“API”) listed for each finished dosage form by the total amount of units reported to estimate the metric weight in kilograms of the controlled substance being diverted.


Continue Reading Deadline Looms for Responding to DEA’s Proposed Aggregate Production Quotas for 2021

On July 20, 2020, the United States Food and Drug Administration (FDA) announced a six-month extension of its enforcement discretion policy for certain regenerative medicine products requiring pre-market review due to the COVID-19 pandemic. Included in a final guidance document entitled, “Regulatory Considerations for Human Cells, Tissues, and Cellular and Tissue-Based Products: Minimal Manipulation

On March 18, 2020, the United States Food and Drug Administration (FDA) announced the suspension of all domestic routine surveillance facility inspections until further notice. FDA took this measure to protect the health and well-being of its staff and those who conduct the inspections for the agency under contract at the state level, and due

On March 17, 2020, the Office for Civil Rights (“OCR”) announced that—for the duration of the COVID-19 emergency—it would exercise enforcement discretion and waive any potential penalties for HIPAA violations relating to health care providers’ use of “everyday communications technologies” in the provision of services via telehealth (the “HIPAA Waiver”). This move has resulted in a drastic increase in the number of telehealth encounters. The HIPAA Waiver has enabled many providers to immediately leverage these technologies to render services via telehealth for the first time, without the need to expend significant resources to quickly ramp up a HIPAA-compliant telehealth platform. A summary of the HIPAA Waiver can be found in a recent blog post. While the HIPAA Waiver applies only temporarily, it is likely that the increased reliance on telehealth evidenced over the past three months is here to stay.

The COVID-19 pandemic’s impact on the regulatory landscape of telehealth was the topic of a June 17, 2020 hearing before the Senate Health, Education, Labor & Pensions Committee.  As Chairman Lamar Alexander acknowledged during his opening statement, the health care sector and government “have been forced to cram 10 years’ worth of telehealth experience into just the past three months.” Indeed, this “cramming” has resulted in thirty-one temporary changes to telehealth policy at the federal level. Of these temporary changes, Chairman Alexander included the OCR enforcement discretion / HIPAA waiver as one of the three changes he considers most important. However, of the three changes the Chairman views as most important, he declined to include the enforcement discretion in the temporary changes he believes should be made permanent, and instead called upon his colleagues to consider whether to extend the HIPAA waiver.[1]


Continue Reading Every HIPAA Waiver Has Its Thorn

FDA recently published its “Good Manufacturing Practice Considerations for Responding to COVID-19 Infection in Employees in Drug and Biological Products Manufacturing Guidance for Industry” (“Guidance”), which provides suggestions on managing the potential risk of products being contaminated by SARS-CoV-2, the virus behind COVID-19 infections, for drug and biological product manufacturers, 503B outsourcing facilities, and 503A compounding pharmacies.

The Guidance builds on the current Good Manufacturing Practices (cGMPs) regulations for drugs and biological products, which require that personnel with an illness that could adversely affect drug safety or quality be excluded from direct contact with drugs and drug components used in manufacturing.[1]  As the Guidance states, preliminary research indicates that SARS-CoV-2 “is stable for several hours to days in aerosols and on surfaces,” and that it has an incubation period of 2 to 14 days, both factors that increase the risk of spread and introduction into products.  The actual health risk is hard to calculate – FDA itself notes that there have not been documented transmissions through pharmaceuticals to date.  The regulatory risk, however, is an easier formula – FDA has a clear expectation that drug and biological product manufacturers evaluate the potential for COVID-19 contamination of their products under existing controls, or risk being out of compliance with cGMPs.
Continue Reading Current Good Manufacturing Practices in the Time of COVID-19: FDA Announces New Expectations on Risk Assessment and Risk Management

The FDA has issued the Temporary Policy on Prescription Drug Marketing Act Requirements for Distribution of Drug Samples During the COVID-19 Public Health Emergency.  The Prescription Drug Marketing Act of 1987 (PDMA) describes manufacturers’ drug sample storage, handling, and recordkeeping obligations as well as the written request and receipt requirements for prescribers.

Many manufacturers utilize their field sales representatives to deliver drug samples directly to, and collect written receipts from, prescribers at prescriber offices during sales calls. The COVID-19 crisis has disrupted field sales representatives’ ability to have face to face visits with prescribers, preventing them from delivering samples and collecting required receipts.  In addition, as a result of the crisis, many prescribers are providing telehealth services from their homes, impacting prescribers’ ability to receive, store and distribute samples at their offices.
Continue Reading FDA PDMA Guidance in Response to COVID-19 Pandemic

On January 1, 2020, the California Consumer Privacy Act (“CCPA”) largely came into effect, albeit with several last-minute modifications and a need to promulgate regulations.  As our colleagues have discussed previously here, CCPA joins other California laws safeguarding California residents’ privacy rights under the California Constitution.  Despite uncertainty around the final regulatory parameters of the law, CCPA grants the California Attorney General (AG) the authority to begin enforcement on July 1, 2020. Further, there have been no indications that such enforcement will be delayed.

Re-issued Proposed CCPA Regulations

Since the California legislature passed several amendments to the CCPA in October 2019, the California AG has been working on proposed regulations.  The proposed regulations, initially introduced on October 12, 2019, went through three rounds of comment periods and were recently amended and reissued as the “Final Text of Regulations” on June 1, 2020.  These proposed regulations add new aspects and regulatory hurdles to CCPA implementation, most notably: (i) increasing requirements for initial notices; and (ii) adding new requirements on the contents of businesses’ privacy policies.  These reissued proposed regulations were submitted to the California Office of Administrative Law (OAL) for review.  The OAL has thirty working days, plus an additional sixty calendar days under the California Governor’s Executive Order N-40-20 related to the COVID-19 pandemic, to review the regulations for procedural compliance with state law.

CCPA Proposed Regulatory Framework

The CCPA applies to any for-profit business that: (i) collects personal information on California residents; (ii) does business in the state of California; and (iii) satisfies one or more of the following thresholds: (a) has annual gross revenues in excess of $25,000,000; (b) alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices; or (c) derives 50 percent or more of its annual revenues from selling consumers’ personal information.  Businesses that hit the thresholds will be covered even if they are located outside the state of California.

Notably, companies subject to CCPA must “at or before the point of collection” of personal information provide notice to consumers informing them of the categories of personal information the company collects and the purposes for which the company uses the information.  In addition, CCPA requires businesses to post a clear and conspicuous link on their website that says “Do Not Sell My Personal Information” and then to enable consumers to opt out of the sale of their data to third parties.  CCPA also establishes a wide range of rights for consumers (as specified below).  Companies should be aware of the potential added cost of business in responding to these rights and ensure that they do not discriminate against any individual who exercises their rights under CCPA.


Continue Reading On the Verge of CCPA Enforcement: What Should Companies Do to Comply?

Just a few months ago, the idea of a virtual jury trial probably seemed inconceivable to most judges and lawyers.  Now, with the COVID-19 pandemic shuttering courthouses throughout the nation and most in-person proceedings suspended, many judges and attorneys are left wondering when and how civil jury trials will be able to safely resume.  We suspect that most prospective jurors will not be enthralled with the idea of sitting shoulder to shoulder in a jury box while the outbreak is still raging.  As litigators and the courts become comfortable with Zoom and other videoconferencing tools, it is apparent that we have the technology to hold virtual trials – the question is, should we?

The prospect of remote jury trials raises a host of serious issues ranging from how to overcome the constitutional hurdles to ensuring that witnesses, parties and jurors have access to high-speed internet so that they can participate in the first place.  Some potential solutions for accessibility concerns are having pre-wired government offices for those who lack access or distributing common technology (such as an iPad, with a cellular connection).  In addition to technology access, there will also be questions of whether a potential juror has access to a room where they can be alone and deliberate in private.
Continue Reading Will Virtual Jury Trials Be Part of the “New Normal” Ushered in by the COVID-19 Pandemic?