Health Information Technology

The Office of Inspector General (“OIG”) of the U.S. Department of Health and Human Services issued Advisory Opinion No. 18-03 in support of an arrangement where a federally qualified health center look-alike (the “Provider”) would donate free information technology-related equipment and services to a county health clinic (the “County Clinic”) to facilitate telemedicine encounters with the County Clinic’s patients (the “Proposed Arrangement”).  The OIG concluded that although the Proposed Arrangement could potentially generate prohibited remuneration under the federal Anti-Kickback Statute (“AKS”) and Civil Monetary Penalties Law (“CMPL”) with the requisite intent to induce or reward referrals of federal health care programs, the OIG would exercise its discretion and not sanction the Provider or the County Clinic (collectively the “Requestors”).

The OIG’s analysis and conclusion regarding the Proposed Arrangement provide new insight into the government’s position on these types of donations that facilitate telemedicine encounters, and specifically on how the government views such donations as coverage and reimbursement of telemedicine services under federal health care programs continue to expand.  The Advisory Opinion indicates support for the development of collaborative telemedicine affiliations and suggests that the potential remuneration from future referrals can be outweighed by the access to health care services and benefits actually received by rural or remote communities.

Proposed Arrangement

The County Clinic is a division of the County Department of Health that furnishes certain confidential sexually transmitted infection testing, treatment and counseling. The Provider has an existing referral relationship with the County Clinic, but the facilities are separated by about 80 miles, making it difficult for patients to access the Provider.  Under the Proposed Arrangement, the Provider would donate information technology-related equipment and services to the County Clinic to facilitate telemedicine encounters between the Provider and the County Clinic’s patients for certain HIV prevention and treatment services.  The Provider would cover the costs of the equipment, its setup, and its maintenance through grant funding from the State Department of Health.  The Provider would bill the Medicare program for the professional services delivered in the telemedicine encounters.  The County Clinic would house the equipment and bill the state Medicaid program an originating site fee related to the telemedicine encounters. The originating site is not required to provide any personnel or equipment in order to bill for the facility fee (Q3014); providing the telehealth consult is only a coverage requirement.

OIG Analysis

The AKS makes it a criminal offense to knowingly and willfully offer or receive remuneration in an effort to induce or reward referrals of items or services reimbursable by federal health care programs. The CMPL provides for penalties against any person who offers or transfers remuneration to a Medicaid or Medicare beneficiary that the benefactor knows or should know is likely to influence the beneficiary’s selection of a specific provider, service, or item that will be paid for, in whole or in part, by Medicaid or Medicare.

Under the Proposed Arrangement, the County Clinic would receive remuneration of the free equipment and services and the Provider would have the opportunity to bill for the telehealth consultation referred by the County Clinic.  As such, the OIG acknowledged that the Proposed Arrangement could potentially generate prohibited remuneration under the federal AKS with the requisite intent to induce or reward referrals of services payable by a federal health care program.  However, the OIG identified the following factors as minimizing the potential risk of fraud and abuse:

  • There are safeguards in place to prevent patient steering to the Provider for treatment; namely, use of the technology with any other provider is not restricted, and patients are given the option of either a virtual or an in-person consultation;
  • The Proposed Arrangement is not likely to result in patient steering for prescriptions to any pharmacy operated by the Provider or the County Clinic;
  • There would be no increased cost to any federal health care program; and
  • Patients would benefit from increased access to treatment, making it more likely that patients will seek out and receive such services.

It is important to keep in mind that under the Proposed Arrangement the County Clinic would not obtain ownership of the equipment, as the Provider would use grant funds awarded by the State Department of Health to cover the costs of the equipment and services and the state agency would retain title and have the authority to recover the equipment at any time.  This could prove to be an important distinction concerning whether and how donating providers can provide information technology-related equipment and services to referring facilities in the other arrangements.

Notes and Comments

In prior Advisory Opinions (99-14, 04-07 and 11-12) concerning donations of information technology-related equipment and supplies, the OIG similarly concluded that it would not pursue sanctions; however, those proposed arrangements would not have directly resulted in a service payable by a federal health care program, but rather would only potentially have resulted in other items or services being furnished to the patient by the donating provider. Under the Proposed Arrangement, both the County Clinic and the Provider would be in a position to submit claims to a federal health care program as a result of the telemedicine encounter and follow-up services.  Nevertheless, the OIG concluded that there would be no increased cost to any federal health care program because the County Clinic would have performed the preliminary tests and referred clinically appropriate patients for in-person consultations and, potentially, follow-up items and services regardless of the Proposed Arrangement.

While the analysis acknowledges the additional reimbursement the County Clinic would receive for serving as the originating site (i.e., the location of the Medicaid beneficiary when the service furnished via a telecommunications system occurs), there is no actual analysis of this facility fee and why it is not considered an increased cost.  To be clear, the County Clinic does not provide the HIV preventative services to be delivered by the Provider via the telemedicine consultation, and therefore, would not have previously received any payments if and when the patient was referred to the Provider for an in-person consultation.

Again, it appears that the OIG is willing to prioritize the health benefits to patients over any secondary or tertiary benefits to the referring provider, especially when such subsequent benefits are unlikely to result in overutilization and have the potential to decrease costs to federal health care programs.

The National Institute of Standards and Technology (“NIST”) has announced that it will be seeking industry input on developing “use cases” for its framework of cybersecurity standards related to patient imaging devices. NIST, a component of the Department of Commerce, is the agency assigned to the development and promulgation of policies, guidelines and regulations dealing with cybersecurity standards and best practices.  NIST states that its cybersecurity program promotes innovation and competitiveness by advancing measurement science, standards, and related technology in ways that enhance economic security and quality of life. Its standards and best practices address interoperability, usability and privacy, which continue to be critical for the nation. NIST’s latest announcement is directed at eventually providing security guidance for the healthcare sector’s most common uses of data, inasmuch as that industry has increasingly come under attack.

The current announcement reflects the interest of NIST and the Food & Drug Administration (“FDA”), the primary regulatory agency for medical devices, in the so-called Internet of Things (“IoT”).  Thus, NIST, through its National Cybersecurity Center of Excellence, will accept proposals up to June 8, 2018, for “products and technical expertise” relevant to the creation of guidelines for securing data used by Picture Archiving and Communication Systems (“PACS”). NIST will attempt to harmonize the requirements for patient imaging devices with NIST’s overall cybersecurity framework.

The proposed project will examine the specific uses and regulatory requirements for patient imaging devices, and how those varying considerations apply to the use of the NIST cybersecurity framework. As the NIST project summary notes, PACS are regulated by the FDA as “class II” devices that provide one or more functions related to the “acceptance, transfer, display, storage, and digital processing of medical images.”  These devices, which can be found in virtually every hospital, are not only vulnerable to cyber-attack in and of themselves, but NIST also sees them as a “pivot point into an integrated healthcare information system.”

The current imaging device project follows last year’s release of draft guidelines for wireless infusion pumps, and evidences the government’s continuing concern not only with the security of the IoT generally, but specifically with the vulnerable health care sector.

Epstein Becker Green routinely deals with questions related to medical device regulation and cybersecurity. For further information, you can contact Stuart Gerson, Adam Solander, Bradley Merrill Thompson or James Boiani.

Our colleague at Epstein Becker Green has a post on the Technology Employment Law blog that will be of interest to our readers: “The GDPR Soon Will Go Into Effect, and U.S. Companies Have to Prepare.”

Following is an excerpt:

The European Union’s (“EU’s”) General Data Protection Regulations (“GDPR”) go into effect on May 25, 2018, and they clearly apply to U.S. companies doing business in Europe or offering goods and services online that EU residents can purchase. Given that many U.S. companies, particularly in the health care space, increasingly are establishing operations and commercial relationships outside the United States generally, and in Europe particularly, many may be asking questions akin to the following recent inquiries that I have fielded concerning the reach of the GDPR:

What does the GDPR do? The GDPR unifies European data and privacy protection laws as to companies that collect or process the personally identifiable information (“PII” or, as the GDPR calls it, “personal data”) of European residents (not just citizens). …

Read the full post here.

On January 5, 2018, consistent with the 21st Century Cures Act’s focus on creating interoperability and correspondingly a Trusted Exchange, the Office of the National Coordinator for Health Information Technology (“ONC”) released its “Draft Trusted Exchange Framework” (“Draft Framework”).  The Draft Framework is intended to streamline the exchange of Electronic Health Information (“EHI”) so that both health care providers and patients have better access to health information, thus improving communication and quality health care.  EHI includes information beyond protected health information, such as health information from other consumer driven devices.  ONC has asked for public comments; the comment period is open until February 18, 2018.

ONC’s Draft Framework develops a mechanism to connect Health Integrated Networks (“Qualified HINs”) across the country. ONC intends to select a single Recognized Coordinating Entity (“RCE”) through a competitive bidding process, which will open in the spring of 2018.  The RCE’s responsibilities will be to develop the Common Agreement and operationalize the Trusted Exchange.  The Draft Framework includes the Principles of a Trusted Exchange (Part A) and the minimum terms and conditions that will be required for a Trusted Exchange (Part B), i.e., the contractual terms that operationalize the principles of Part A.

The Draft Framework sets a number of conditions on Qualified HINs, some of which may require more direct interaction with patients than currently exists, or may require the Qualified HIN to disclose information that might otherwise be considered proprietary to the Qualified HIN. The biggest takeaways from the Principles (Part A) are:

  • Qualified HINs will be expected to use standards adopted or recognized by ONC’s Health IT Certification Program and Interoperability Standards Advisory (“ISA”) or industry standards readily available to all stakeholders;
    • Participants of Qualified HINs that provide services and functionality to providers are expected to follow the 2015 Edition Health IT Certification Criteria, 2015 Edition Base Electronic Health Record (EHR) Definition, and ONC Health IT Certification Program Modification final rule (“2015 Edition final rule”), and associated guidance for the certification of health IT; and
    • Qualified HINs and participants will be expected to implement processes that encourage more “person-centered” care;
  • Qualified HINs will be required to operate openly and transparently by:
    • Making terms and conditions for participation publicly available;
    • Supporting permitted uses and disclosures of EHI. Qualified HINs that only support HIPAA Treatment purpose exchanges may want to support additional permitted purposes;
    • Making their privacy practices publicly available;
  • Qualified HINs must cooperate with and not discriminate among the various stakeholders across the continuum of care by not implementing policies, procedures, technology or fees that will obstruct access and exchange of EHI between other Qualified HINs, participants, and end users;
  • Qualified HINs must exchange EHI securely and in a manner that preserves data integrity by:
    • Including appropriate information to ensure the correct matching of individuals to their EHI; and
    • Ensuring providers and other organizations are confident that appropriate consents and authorizations have been captured;
  • Qualified HINs must ensure that individuals have easy access to their information by:
    • Ensuring full and consistent access to information; and
    • Having policies in place to allow an individual to withdraw or revoke his or her participation in the Qualified HIN; and
  • Qualified HINs will be expected to support the ability for participants to pull and push population level records—bulk transfer—in a single transaction rather than transmit one record at a time.

The Draft Framework is ONC’s most significant push toward interoperability among electronic health care systems and most likely will affect all stakeholders in the health IT industry and their participants at some point.

The 21st Century Cures Act (“Cures Act”) was enacted in December of 2016.  Among other things, the Cures Act includes provisions to encourage the interoperability of electronic health records. Specifically, the Cures Act provides for civil penalties for those who engage in “information blocking.”  The Cures Act defines “information blocking” broadly as a “practice that . . . is likely to interfere with, prevent, or materially discourage access, exchange or use of electronic health information” if that practice is known by a developer, exchange, network, or provider as being likely to “interfere with, prevent, or materially discourage the access, exchange, or use of electronic health information.”  42 U.S.C. §300jj-52(a).  The penalty for vendors is up to $1 million “per violation.”

The Office of the National Coordinator for Health IT is reported to be currently working on a draft rule on information blocking, which many hope will address a number of issues, including guidance that: distinguishes between information blocking and technology implementation issues; provides a standard for when a practice is “known” or should have been known; and describes how “per violation” will be defined and applied.  Although there has been some suggestion that the proposed rules will be released prior to the end of the year, the Director of the Office of the National Coordinator has not indicated when he thinks the proposed rule will be released.

On July 7, 2016, the Centers for Medicare and Medicaid Services (“CMS”) imposed several administrative penalties on Theranos, a clinical laboratory company that proposed to revolutionize the clinical laboratory business by performing multiple blood tests using a few drops of blood drawn from a finger rather than a traditional blood draw that relies on needles and tubes. However, after inspecting the laboratory, CMS concluded that the company had failed to comply with federal law and regulations governing clinical laboratories and that it posed an immediate jeopardy to patient health and safety. CMS revoked the CLIA certification of the company’s California lab, imposed a civil monetary penalty of $10,000 per day until all deficiencies are corrected, barred Medicare or Medicaid reimbursement for its services, and excluded its founder and CEO from owning or operating a clinical laboratory for two years.

Although Theranos’s history has received an outsize amount of media attention, its experience with regulatory agencies highlights several important issues for start-up and emerging health care entities:

What Do Regulators Want?

It is no surprise that health care is one of the most highly regulated sectors of the U.S. economy, and that noncompliance with health care laws and regulations can result in penalties that can cripple an organization or force it to shut down. As a result, even in an environment that encourages innovation, health care organizations must understand the scope of regulatory oversight at the federal and state levels, and the range of remedies available to regulators for noncompliance. Every organization should also have a protocol in place for responding to regulatory inquiries or inspections.

What Do Health Care Providers and Payors Want?

Adopting a new health care technology is an intensely data-driven process. This is especially the case with clinical laboratories, which are subject to rigorous requirements for proficiency, quality assurance, and training. This burden is greater for laboratory-developed tests, commonly known as “home brew” tests, because they are currently exempt from FDA oversight.

In most cases, the innovator sponsors clinical studies subject to peer review and publication to demonstrate the efficacy of the new technology. These trials can also generate the clinical and cost data needed to convince practitioners that the test has reliable diagnostic or clinical value, and to persuade payors that the test is medically necessary.

However, Theranos declined requests to sponsor studies or disclose data. This was a red flag for many clinicians. In the interim, a group of independent investigators published a study based on a small sample of patients and found that Theranos’s results were more variable than the results obtained from the same blood samples sent to laboratories using standard equipment. These variations were significant enough that they had the potential to affect clinical decision-making and jeopardize patients.

Who Is Investing in the Venture?

For start-up companies, committed investors are indispensable. Although early-stage investors are accustomed to risk, they also depend on reliable data to gauge whether health care professionals will adopt a new technology, and whether health plans will cover and pay for that technology. In Theranos’s case, several investors with experience in health care start-ups did not invest in the company because it did not release data on its proprietary technology and did not conduct or sponsor well-controlled clinical trials.

Who’s on Board?

The critical role of health care regulations demands that a company’s management and board be familiar with the key challenges and potential barriers to entry under the applicable regulatory framework. Nevertheless, at the time of the CMS survey, Theranos’s board reportedly lacked individuals with specific experience in health care operations or clinical laboratories; instead, it included two former Secretaries of State (one of whom had also been the dean of a business school), two former U.S. senators, the CEO of a bank, and retired military officers. While it is unclear how much the board knew of potential regulatory risks, the fact that CMS determined that the company had not made a “credible allegation of compliance” in response to any of the deficiencies in the initial survey report is an indicator that CMS did not believe the company’s management and directors appreciated the regulatory requirements or how to avoid or minimize these significant risks.

On May 17, 2016, FDA issued Draft Guidance for Industry on Use of Electronic Health Record Data in Clinical Investigations (“Draft Guidance”).  This Draft Guidance builds on prior FDA guidance on Computerized Systems Used in Clinical Investigations and Electronic Source Data in Clinical Investigations, and provides information on FDA’s expectations for the use of Electronic Health Record (“EHR”) data to clinical investigators, research institutions and sponsors of clinical research on drugs, biologics, medical devices and combination products conducted under an Investigational New Drug Application or Investigational Device Exemption.

While the recommendations set forth in the Draft Guidance do not represent a significant departure from existing guidance, research sponsors, institutions and investigators should consider the extent to which their existing policies and procedures, template agreements, protocols and informed consent documents should be updated to incorporate FDA’s recommendations.

Specifically, the Draft Guidance provides additional detail on FDA’s expectations for the due diligence to be performed by sponsors prior to determining the adequacy of any EHR system used by a clinical investigator to capture source data for use in a clinical investigation. FDA expects sponsors to assess whether systems have adequate controls in place to ensure the confidentiality, integrity, and reliability of the data. FDA encourages the use of EHR systems certified through the ONC Health IT Certification Program, and will presume that source data collected in Health IT certified EHR systems are reliable and that the technical and software components of privacy and security protection requirements have been met. Sponsors should consider requesting additional detail in site pre-qualification questionnaires or pre-study visits regarding any EHR system utilized by clinical investigators to record source data, including whether such systems are Health IT certified. Sponsors may also consider the extent to which their existing site qualification policies and clinical trial agreement templates adequately reflect the technical requirements for sites utilizing EHR systems to record source data, the need to ensure that any updates to those systems do not impact the reliability or security of the data, and the extent to which the data, including all required audit trails, are backed up and retained by the site to ensure necessary access by FDA.

The Draft Guidance also includes recommendations regarding the information FDA expects to be included in study protocols and informed consent documents. When the use of EHR systems is contemplated, FDA recommends that study protocols include a description or diagram of the electronic data flow between the EHR and the sponsor’s electronic data capture (“EDC”) system, along with information regarding the manner in which the data are extracted and imported from the EHR and monitored for consistency and completeness. FDA also recommends incorporating into informed consent forms information regarding the extent of access to EHRs granted to sponsors, contract research organizations, and study monitors, as well as a description of any reasonably foreseeable risks associated with the use of EHRs, such as an increased risk of data breaches. While information related to third-party access to health information is typically addressed in informed consent documents, specific details related to access to EHRs and their associated risks are less common. Sponsors and research institutions should consider the extent to which their template informed consent documents should be updated to incorporate the best practice recommendations in the Draft Guidance.

In addition, in the Draft Guidance, FDA encourages the development and use of interoperable EDC and EHR systems to permit electronic transfer of EHR data into the electronic case report forms (eCRFs) being utilized for a clinical trial, including the adoption of data standards and standardization requirements of the ONC Health Information Technology (Health IT) Certification Program. While interoperability of EHR and EDC systems offers the promise of increasing the efficiency of clinical trial data collection and reducing the transcription errors that commonly result from maintaining this information in separate repositories, FDA acknowledges challenges related to the diverse ownership of the data and the EHR systems used to capture them, and to the confidentiality of clinical trial information, that will need to be overcome in order to realize the benefits offered by interoperability.

At the International Association of Privacy Professionals (“IAPP”) Global Privacy Summit in Washington, D.C. on March 5th and March 6th, the Federal Trade Commission (“FTC”) was clear in its message that privacy was a top priority for the agency.  The FTC had a strong presence at the conference.  Three of the five Commissioners and the Director of the Bureau of Consumer Protection (Jessica Rich) all spoke at the conference and relayed a message of the importance of consumer privacy and security.  In that regard, the FTC speakers stressed the importance of:

  • informing consumers of the collection of consumer information;
  • informing consumers how such collected information will be used; and
  • providing strong safeguards for information collected.

The FTC speakers also announced that the FTC will begin a new security campaign to engage businesses of all sizes in understanding the importance of securing consumer information.  The FTC speakers also emphasized the FTC’s concern with, and focus on, the collection of health information by organizations that are not covered under HIPAA (for example, organizations developing wearable devices or other consumer-driven apps).  Given the tenor of the discussions, there is no question that the FTC will continue to make privacy enforcement a top priority.  As a result, device manufacturers, pharmaceutical manufacturers, and mobile health developers should remember to think beyond HIPAA when they think of U.S. privacy compliance.  For a listing of prior privacy enforcement actions by the FTC, see https://www.ftc.gov/news-events/media-resources/protecting-consumer-privacy/enforcing-privacy-promises.

Tuesday, March 24, 2015 at 12:00 p.m. – 1:00 p.m. EDT

The past year has demonstrated that no organization is immune to security incidents that could affect its employees, customers, and reputation.  Understanding the complex legal framework governing data privacy and developing a plan to mitigate risk can be the difference between an incident and a disaster.

Join Epstein Becker Green’s Privacy & Security Practice for a comprehensive overview of data breach priorities impacting organizations that deal in electronic data.  Presenters will identify strategies to prepare for and prevent security incidents as well as summarize key takeaways from the biggest breaches of 2014.

Attendees will also learn about:

  • Complying with the evolving legal landscape
  • Minimizing data breach exposure
  • Developing an incident response plan and effectively responding to an incident
  • Setting organizational priorities, and getting buy-in

Speakers:

Adam C. Solander, Member of the Firm

Patricia M. Wagner, Member of the Firm

Who Should Attend:

Compliance Professionals, In-House Counsel, Board Members, and Information Security Professionals

To register for this webinar, please click here.

Epstein Becker Green’s recent issue of its Take 5 newsletter focuses on the 25th Anniversary of the ADA and recent developments and future trends under Title III of the ADA.

  1. Website Accessibility
  2. Accessible Point-of-Sale Devices and Other Touchscreen Technology
  3. Movie Theater Captioning & Audio (Narrative) Description
  4. The Availability of Sign Language Interpreters at Health Care Facilities
  5. “Drive By” Design/Construction Lawsuits

Read the full newsletter here.