On February 15, 2019, the U.S. Food and Drug Administration (“FDA”) finalized two guidance documents regarding regenerative medicine therapies (see FDA’s announcement here). This development comes nearly 14 months after FDA issued both guidance documents in draft form, which also coincided with FDA’s announcement of a new comprehensive regenerative medicine policy framework intended to spur innovation and efficient access to new regenerative medicine products.

FDA Commissioner Scott Gottlieb remarked that the finalization of regenerative therapy guidance documents “demonstrate[s] [FDA’s] continued commitment” to fulfilling the promise of providing a clear and predictable pathway to approval. Moreover, he noted that these guidance documents help stakeholders to “understand our regulatory framework” and, in turn, “may help to more efficiently advance access to safe and effective regenerative medicine therapies.” These guidance documents, which are discussed in further detail below, provide information to product developers about FDA’s current thinking with respect to evaluating devices used with regenerative medicine advanced therapies and provide information on the expedited development programs that may be available.

Guidance for Industry: Evaluation of Devices Used with Regenerative Medicine

The final guidance entitled “Evaluation of Devices Used with Regenerative Medicine Advanced Therapies” (available here) clarifies how FDA will evaluate devices used in the recovery, isolation, or delivery of regenerative medicine advanced therapies (RMATs). This guidance finalizes FDA’s current thinking on how the agency will streamline and simplify its application of regulatory requirements for combination device and cell or tissue products.

In this guidance document, FDA acknowledges that a wide range of devices may be used in conjunction with an RMAT, ranging from simple, low-risk devices to complex, higher risk devices to devices that are constituent parts of an RMAT that is classified as a combination product. FDA reiterates that the primary factor in determining the availability of premarket pathways for a device is the device’s classification (i.e., Class I, Class II, or Class III), followed by the risks associated with the device type and the level of regulatory controls necessary to provide a reasonable assurance of safety and effectiveness.

In addition, FDA discusses the factors it will consider when determining whether a device may be labeled for use with a specific RMAT or class of RMATs. When determining which devices may be suitable for use with a specified RMAT or type of RMAT, FDA will consider the distinct biological and physical characteristics of RMATs, intended use, and conditions for use. With respect to cellular products that are RMATs, FDA intends to review the cellular products’ characteristics, their interaction with different devices, as well as any impact on cell viability, differentiation potential, activation state and ability to respond to stimuli after administration and other similar factors.

Substantively, there were no major or unexpected changes between the draft guidance and the final guidance issued by FDA.

Guidance for Industry: Expedited Programs for Regenerative Medicine Therapies for Serious Conditions

The second final guidance, “Expedited Programs for Regenerative Medicine Therapies for Serious Conditions” (available here), provides information regarding the use of accelerated approval pathways for regenerative medicine therapies that have been granted designation as an RMAT, as well as considerations in the clinical development of regenerative medicine therapies and opportunities for sponsors of such products.

This guidance makes clear that the following therapies could qualify for an RMAT designation: cell therapies, therapeutic tissue engineering products, human cell and tissue products, and combination products using any such therapies or products, except those regulated solely under section 361 of the Public Health Service Act (42 U.S.C. 264) and 21 C.F.R. Part 1271. Notably, the final version of this guidance clarifies that “cell therapies” includes both allogeneic and autologous cell therapies, as well as xenogenic cell products. Products that qualify for an RMAT designation receive all of the benefits of the fast track and breakthrough therapy designation programs, including early interactions with FDA. Although sponsors may apply for and receive both breakthrough and RMAT designation for a product, FDA advised that each designation requires a separate application.

Factors that FDA may consider when determining whether the preliminary clinical evidence is sufficient to support RMAT designation include, but are not limited to, the rigor of data collection; the consistency and persuasiveness of outcomes; the number of subjects and sites contributing to the data; and the severity, rarity, or prevalence of the condition. Unlike the breakthrough therapy designation, RMAT designation does not require a sponsor to produce evidence indicating that the drug offers a substantial improvement over available therapies.

To apply for RMAT designation, a sponsor should submit either a new investigational new drug application (“IND”) or an IND amendment, along with a concise summary of information in support of the RMAT designation. The application should include a description of the investigational product; rationale for the investigational new drug meeting the definition of an RMAT; a discussion to support that the disease or condition the product is intended to treat is serious; and preliminary clinical evidence that the product has the potential to address the specified unmet medical need for the serious condition. The requirement to provide a description of the product is new to the final guidance.  No later than 60 calendar days after receipt of the designation request, FDA will notify the sponsor as to whether the regenerative medicine therapy has received the RMAT designation.

Finally, this guidance provides recommendations for clinical trial design. FDA states that it will consider clinical trials in support of a Biologics License Application (“BLA”) that “incorporate adaptive designs, enrichment strategies, or novel endpoints.” This final guidance provides new language indicating that historical controls and natural history data (the course a disease takes from its onset, through presymptomatic and clinical stages, to a final outcome in the absence of treatment) may be considered, if appropriate. Natural history data, however, may only provide the basis of a historical control if the “control and treatment populations are adequately matched, in terms of demographics, concurrent treatment, disease state, and other relevant factors.”

FDA’s continued focus on developing and finalizing guidance in the regenerative medicine space suggests that FDA is serious about helping industry to both navigate the application process in an effort to streamline the premarket approval process and to better understand and address identified regulatory pain points. For these reasons, sponsors of investigational regenerative therapies should pay close attention to and take into consideration the recommendations set forth in these final guidance documents.

On February 11th, blockchain advocates, digital health enthusiasts, and patients received positive news from the Centers for Medicare and Medicaid Services (“CMS”) and the Office of the National Coordinator for Health Information Technology (“ONC”) regarding patient data sharing.  These rules, taken together, seek to make data more liquid, which can promote patient access, continuity of care, research, collaboration across the industry and several other activities that previously faced challenges within a health care system built on data silos.

First, CMS published a proposed rule that seeks to increase interoperability and patient access to health records. CMS Administrator, Seema Verma, explained that the proposal seeks to “break down existing barriers to important data exchange needed to empower patients by giving them access to their health data.”  Second, ONC published a proposed rule aiming to deter and penalize information blocking.  As a result of lack of interoperability and information blocking, data sharing has been challenging across the industry and patients have historically struggled to gain access to their health records, which health providers and payors claimed they owned.  These proposed rules take notable steps to open avenues for data sharing and shift the role of patients with respect to their own health data.

The CMS proposed rule requires Medicare Advantage (“MA”) organizations, state Medicaid and Children’s Health Insurance Program (“CHIP”) Fee for Service (“FFS”) programs, Medicaid Managed Care Plans, CHIP managed care entities, and Qualified Health Plan (“QHP”) issuers in federally facilitated exchanges (“FFE”) to (1) provide convenient access to health care records to patients, (2) support the electronic exchange of data for transitions of care as patients move between the aforementioned plan types, and (3) require participation in trust networks to improve interoperability. Additionally, the proposed rule requires Medicare-participating hospitals, psychiatric hospitals, and Critical Access Hospitals (“CAHs”) to send electronic notifications when a patient is admitted, discharged, or transferred.

The ONC proposed rule establishes conditions for maintaining electronic health record (“EHR”) certification centered around preventing information blocking and developing technical methods for data sharing.  Specifically, health IT developers will be required to (1) attest not to engage in information blocking, (2) include application programming interfaces (“APIs”) in certified EHR technology, and (3) develop common data export formats to allow for transitions of care, data sharing, and EHR switching.  It is also important to note that the proposed rule established seven explicit exceptions to the information blocking prohibition, including promoting privacy and security of health information.

These rules could serve as a watershed moment in terms of data ownership, sharing and patient access.  Yet, these rules could be disruptive to the way stakeholders in healthcare have historically operated relative to each other and the patients they serve.  In any case, the regulators have sent their message . . . the “walls” must come down and data ought to flow more freely.

CMS and ONC have requested that stakeholders provide comments within 60 days of issuance of the proposed rule.


Alaap B. Shah


Ebunola Aniyikaiye

GenomeDx Biosciences Corp., which markets a genomic test (Decipher®) intended to assess the aggressiveness of prostate cancer, has agreed to pay $1.99 million to the U.S. Department of Justice to resolve allegations that it violated the False Claims Act (31 U.S.C. §§ 3729 et seq.)(“FCA”) by submitting claims to Medicare for tests conducted to evaluate treatment options for men after prostate surgery.

The government and a whistleblower alleged that between September 2015 and June 2017, GenomeDx knowingly submitted Medicare reimbursement claims for the Decipher® test that did not meet the six clinical prerequisites in the Local Coverage Determinations (“LCDs”) published by each of the Medicare Administrative Contractors (MACs). LCDs are published by MACs when they make a determination that an item or service meets (or does not meet) the “reasonable and necessary” test in Section 1862(a)(1)(A) of the Social Security Act and under what circumstances. The prerequisites for a prostate cancer classifier assay to be deemed medically necessary include (1) evaluation for postoperative secondary therapy due to one or more risk factors for a recurrence within 60 months after a radical prostatectomy surgery, (2) no evidence of any distant metastasis, and (3) pathological stage T2 disease with a positive surgical margin or pathological stage T3 disease, or rising prostate-specific antigen levels after an initial test result of 0.2 ng/ml or less.

Therefore, for each claim, the government and the whistleblower alleged that GenomeDx had certified that the test was reasonable and necessary as defined in the LCD  even though the clinical criteria or documentation requirements had not been met because the patients did not have risk factors necessitating the test.

The issue of medical necessity for diagnostic services continues to be a primary issue in many health care-related cases filed pursuant to the FCA.  The federal courts have confirmed that a laboratory may rely on the ordering physician’s determination of medical necessity because laboratories do not and cannot treat patients or make medical necessity determinations; however, laboratories may still be liable under the FCA if the laboratory knowingly presents claims for reimbursement that are not medically necessary.

Moreover, Medicare will still require documentation that demonstrates medical necessity to support payment for the test services. Thus, if adequate documentation is not provided, even when the ordering provider failed to maintain the appropriate diagnostic or other medical information for his or her patient, it is the laboratory that will suffer the consequences of the denial or recovery of reimbursement for the claim.

This settlement highlights the need for clinical laboratories, and all Medicare providers and suppliers, to determine if any national or local coverage policies apply to their services and the prerequisites prior to submission of claims, and to file those claims only where there is a good faith belief that any relevant prerequisites have been met.  Jurisdiction of claims for laboratory services furnished by an independent laboratory normally lies with the MAC serving the area in which the laboratory test is performed.  If there is a disagreement with the national or local coverage determination, there are procedures to either challenge the policy or to request that the policies be revised and updated.

Data is king!  A robust privacy, security and data governance approach to data management can position an organization to avoid pitfalls and maximize value from its data strategy. In fact, some of the largest market cap firms have successfully harnessed the power of data for quite some time.  To illustrate this point, the Economist boldly published an article entitled “The world’s most valuable resource is no longer oil, but data.”  This makes complete sense when research shows that 90% of all data today was created in the last two years, which translates to approximately 2.5 quintillion bytes of data per day.

This same trend has taken hold in the healthcare industry as it seeks to rapidly digitize and learn from data in order to bend the cost curve down, increase quality of outcomes, and improve overall population health.  Specifically, there is an ever-growing pool of health data being generated by providers, payors, life sciences companies, digital health companies, diagnostic companies, laboratories, and a cornucopia of other entities.  Recent estimates indicate that the volume of healthcare data is growing rapidly, as evidenced by 153 exabytes produced in 2013 and an estimated 2,314 exabytes to be produced in 2020.  This translates to an overall rate of increase of at least 48 percent annually.  But, to what end?

The rapid production and aggregation of data is being met with increasing demand to access and analyze this data for a variety of purposes.  Life sciences companies want access to conduct pre-market analysis, clinical trials and post-market surveillance.  Providers want access to conduct population health research.  AdTech and marketing companies want it to . . . you guessed it . . . sell more things.  These examples are just the tip of the proverbial iceberg when it comes to the secondary data analytics market.

Nevertheless, there are various issues that must be addressed before aggregating, sharing, and using such data.

First and foremost, identifiable health data is typically treated as a sensitive class of information warranting protection.  As such, entities should consider whether their intended activities must comply with applicable privacy and security regulations.  Depending on the data being collected, the use and disclosure of such data, and the jurisdictions within which data is stored and processed, entities may be subject to a wide array of legal obligations, including one or more of the following:

  • Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)
  • the Common Rule
  • the EU General Data Protection Regulation (“GDPR”)
  • 42 C.F.R. Part 2
  • State data protection and breach laws and regulations
  • Food and Drug Administration (“FDA”) regulations; or
  • Federal Trade Commission (“FTC”) regulation.

Second, entities must consider contractual obligations, including property rights governing data collection, aggregation, use, and disclosure.  The contractual obligations that should be evaluated will depend largely on the nature of the data collected, contemplated uses and disclosures of such data and the applicable laws and regulations relative to such collection, use and disclosure.  Accordingly, entities should also consider the impact of upstream agreements and downstream agreements on rights to collect, use or disclose data through the chain of custody.  Agreements that warrant consideration may include:

  • Master Services Agreements
  • Data Use Agreements
  • Business Associate Agreements
  • Data Sharing Agreements
  • Confidentiality/Non-disclosure Agreements
  • Terms of Use/Privacy Policies (and other representations made to consumers).

Third, even if collection, aggregation and analysis are possible under law/regulation and contract, companies must still consider whether additional data governance principles should be implemented to guide responsible data stewardship.  It is critical to remember that businesses that mishandle personal data can lose the trust of customers and suffer irreparable reputational harm. To mitigate such issues, entities should consider developing data governance principles guided by fair information practices including:  openness/transparency, collection limitation, data quality, purpose specification/use limitation, accountability, individual participation and data security.


Patricia M. Wagner


Alaap B. Shah

Did you know that your zip code is a better predictor of your health than your genetic code? Public health experts – and your health insurance provider – have long known that the air you breathe, the education you receive, your net worth, and even the music that you listen to are strong indicators of your overall health – and the possibility that you might need expensive medical procedures in the future. By some measures, up to 50% of your overall health is determined by social, economic, and environmental factors. As the movement to value-based payment continues in health care, there has been a renewed focus from policymakers and payors on “social determinants of health” in an attempt to curtail health care costs by addressing the root problems of poor health, before the patient is at risk and when the interventions may be cheaper than medical care.

The concept that social determinants of health play a crucial role in limiting health care costs is hardly new, but has been more prominently incorporated into payment reform programs recently. New York, for example, has established the Health and Recovery Plan (“HARP”), a program designed for Medicaid beneficiaries with serious mental illness or substance use disorders. The HARP program combines traditional medical care with “Home and Community Based Services,” with the intent to ensure that HARP beneficiaries also receive care for underlying social factors that exacerbate their mental health or substance use issues. HARP now includes, as part of the Medicaid managed care premium paid by New York State to managed care organizations administering the program, coverage for services ranging from assistance in accessing transportation, locating and securing housing, instruction on personal budgeting, and both general and vocational education services. While HARP is intended for beneficiaries over 21, New York is launching a similar program for children with behavioral health needs. New York has recently also implemented a rule for Medicaid managed care organizations requiring them to include services offered by “community-based organizations,” such as food programs or job training programs, in value-based contracts between Medicaid managed care organizations and downstream providers with the intent to address social factors in “traditional” health care payment arrangements.

While policymakers and payors are expanding attention to social determinants of health to shape health programs (and in so doing decrease money spent on medical interventions), so too are they eyeing social factors in determining the cost of health care. Companies, such as LexisNexis, are aggregating personal data and developing risk scores that are based almost entirely on an individual’s socioeconomic factors, and marketing that information to health care payors. Though LexisNexis states that it does not intend for the scores to be used to price insurance products, experts have identified risk scores as a potentially useful tool in pricing health plans. Since social factors tend to benefit wealthier individuals, pricing health plans based on socioeconomic data has the potential to exacerbate disparities in health care access between the rich and poor. The connection between steady employment and better health outcomes has been used to justify Medicaid work requirements in states that have recently requested waivers from the federal government to implement such requirements. Others have pointed out that this approach may confuse cause and effect; people with jobs are in a better socioeconomic position than those who aren’t, and therefore are generally healthier. These programs and products simply demonstrate the wide-ranging effect “social determinants of health” already have on health care and the opportunity for their role to grow substantially.

Social determinants of health are not a new idea, but they have a renewed focus as a cost-effective way to decrease health care expenditures. For providers, it may mean incentives or requirements to incorporate external factors into their delivery of care. For organizations that address such social issues, it may portend increased funding. Attention to this area may provide a unique opportunity to realize savings for providers in risk-based agreements and allow providers to get ahead of the curve in a “new” trend in health care.

Cassie Chang, a Legal Intern (not admitted to the practice of law) in the firm’s New York office, contributed significantly to the preparation of this post.

On August 31, 2016, FDA issued a notification of public hearing and request for comments on manufacturer communications regarding unapproved uses of approved or cleared medical products. The hearing will be held on November 9-10, 2016, and individuals wishing to present information at the hearing must register by October 19, 2016. The deadline for written comments is January 9, 2017.

In the notice, FDA posed a series of questions on which it is seeking input from a broad group of stakeholders, including manufacturers, health care providers, patient advocates, payors, academics and public interest groups. The topics on which FDA is seeking feedback are broad, but generally include:

  • The impact of off-label communications on public health,
  • The impact of changes in the health care system on the development of high-quality data on new uses of cleared or approved products,
  • Preserving incentives for manufacturers to seek approval for new uses, standards for truthful and non-misleading information,
  • Factors FDA should consider in monitoring and bringing enforcement actions based on off-label communications by manufacturers,
  • The extent to which data on which off-label communications are based should be publicly available, and
  • The changes FDA should consider to existing regulations governing manufacturers’ communications regarding their products.

This announcement comes in the wake of increased pressure from lawmakers, public interest groups, and regulated industry for FDA to issue guidance or propose regulatory changes to address recent litigation clarifying commercial speech protections for pharmaceutical and medical device manufacturers under the First Amendment. On May 26, 2016, the House Committee on Energy and Commerce sent a letter to HHS Secretary Sylvia Burwell expressing concern that FDA had failed to clarify its current thinking on permissible manufacturer communications about uses of cleared and approved drugs and devices beyond the scope of their approved labeling. In the letter, the committee noted that FDA had neither issued guidance, including guidance on the permissible scope of “scientific exchange” that has been on FDA’s Guidance Agenda since 2014, nor conducted the public hearing it announced in May 2015 in connection with negotiations on the proposed 21st Century Cures bill.  The committee expressed concern that HHS was preventing FDA from issuing guidance or proposing new regulations to address a string of recent court victories for companies and individuals prosecuted for off-label communications about drugs and medical devices.

In light of the current state of First Amendment commercial speech protections, which makes it clear that manufacturers’ truthful and non-misleading speech regarding their products is not unlawful even if that speech includes uses of their products that have not been approved or cleared by FDA, other stakeholders have actively encouraged FDA to issue guidance or modify its regulations to conform its regulatory oversight and enforcement activities to this reality. While stakeholder groups have been actively engaged on these issues for several years, recent examples include the February 2016 white paper issued by the Duke-Margolis Center for Health Policy outlining policy options for off-label communications, and the joint release by BIO and PhRMA of the Principles on Responsible Sharing of Truthful and Non-Misleading Information about Medicines with Health Care Professionals and Payers on July 27, 2016.

Despite pressure from interested stakeholders, FDA has yet to propose changes to its regulations or issue long-awaited guidance on a number of topics related to manufacturers’ communications regarding off-label uses of their cleared or approved products. FDA’s 2016 Guidance Agenda, updated most recently on August 6, 2016, continues to promise guidance on, among other topics, manufacturer communications regarding unapproved, unlicensed, or uncleared uses of approved, licensed, or cleared human drugs, biologics, animal drugs and medical devices, and the inclusion of health care economic information in promotional labeling and advertising for prescription drugs. Even so, the post-election timeline for the public hearing and FDA’s ongoing collection of feedback announced in the August 31st notice may suggest that FDA is going back to the drawing board. In particular, the focus in the notice’s background discussion and in FDA’s questions on the public health impact of off-label communications may suggest that FDA is re-evaluating its position in response to the HHS concerns about broader dissemination of off-label information by manufacturers that were highlighted in the Energy and Commerce committee letter.  While FDA’s notice and request for comments is a step in the right direction, it likely signals a further delay in the issuance of guidance that is needed to bring greater clarity to the currently unsettled regulatory framework for FDA’s oversight of manufacturers’ off-label communications, and a punting of these important decisions to the next administration.

On May 19th, the FDA again postponed publication of the Final Rule entitled, “Supplemental Applications Proposing Labeling Changes for Approved Drugs and Biological Products” to April 2017 (the “Final Rule”).  On May 19th, the House of Representatives Committee on Appropriations approved the 2017 Agriculture Appropriations bill, which includes provisions within Section 747 expressly defunding any efforts by the FDA to enact the rule. The Notice of Proposed Rule-Making (“NPRM”) was originally published in November 2013 to provide generic drug and biologics manufacturers with the ability to update safety information on their labels independently of the brand manufacturer.

The proposed rule was published in response to the decision by the Supreme Court of the United States in the case of PLIVA, Inc. v. Mensing, 131 S. Ct. 2567 (2011), which held that generic drug manufacturers cannot be held liable for failure to update the safety label of a drug or biologic in violation of state “failure to warn” tort law.  FDA regulations currently require that the label of a generic drug must match the wording of the label of the corresponding name brand drug.  The Court found that, under its reading of those regulations, the generic manufacturer could not unilaterally update the generic drug’s label without violating these regulations.  As such, the Court held that FDA regulations preempt state tort law with regard to such failure to warn claims such that the generic manufacturer cannot be held liable for any failure to update the label except to match the label of the corresponding brand drug.

The goal of the proposed rule is to allow certain generic drug or biologics manufacturers to update the label of the generic drug or biologic upon receipt of new safety information and with notice to the FDA.  The proposed rule would not require, under certain circumstances and for limited durations, the generic label to match the label of the brand drug; however, it would require generic manufacturers to review and monitor safety information and scientific literature regarding its drugs in the same manner as brand manufacturers must monitor and review information about their marketed compounds and biologics.  Adoption of the proposed rule would likely give state courts the freedom to impose liability upon generic manufacturers for failure-to-warn claims given that the rule would undercut the basic premise of the Supreme Court’s holding in PLIVA, Inc. v. Mensing.

This is the second time the Final Rule has been postponed.  The FDA originally closed notice and comment on March 13th, 2014 with a projected publication date for the Final Rule in September 2015.  Rather than issue the Final Rule, the FDA reopened the comment period in February 2015, held a one-day public meeting, and revised the anticipated publication date of the Final Rule to the Spring of 2016.  While the NPRM was originally meant to quell public outcry over the Supreme Court’s decision not to hold generic manufacturers liable for the labeling of their drugs, the proposed rule has caused possibly even greater controversy.  Trade groups for generic manufacturers opposed the original NPRM and continue to oppose any efforts to finalize the proposed rule.  Now that the House of Representatives has passed its appropriations bill, the possibility that the proposed rule may be abandoned altogether is becoming more likely.

On May 17, 2016, FDA issued Draft Guidance for Industry on Use of Electronic Health Record Data in Clinical Investigations (“Draft Guidance”).  This Draft Guidance builds on prior FDA guidance on Computerized Systems Used in Clinical Investigations and Electronic Source Data in Clinical Investigations, and provides information on FDA’s expectations for the use of Electronic Health Record (“EHR”) data to clinical investigators, research institutions and sponsors of clinical research on drugs, biologics, medical devices and combination products conducted under an Investigational New Drug Application or Investigational Device Exemption.

While the recommendations set forth in the Draft Guidance do not represent a significant departure from existing guidance, research sponsors, institutions and investigators should consider the extent to which their existing policies and procedures, template agreements, protocols and informed consent documents should be updated to incorporate FDA’s recommendations.

Specifically, the draft guidance provides additional detail on FDA’s expectations for the due diligence to be performed by sponsors prior to determining the adequacy of any EHR system used by a clinical investigator to capture source data for use in a clinical investigation. FDA expects sponsors to assess whether systems have adequate controls in place to ensure the confidentiality, integrity, and reliability of the data. FDA encourages the use of EHR systems certified through the ONC Health IT Certification Program, and will presume that source data collected in Health IT certified EHR systems is reliable and that the technical and software components of privacy and security protection requirements have been met. Sponsors should consider requesting additional detail in site pre-qualification questionnaires or pre-study visits regarding any EHR system utilized by clinical investigators to record source data, including whether such systems are Health IT certified. Sponsors may also consider the extent to which their existing site qualification policies and clinical trial agreement templates adequately reflect the technical requirements for sites utilizing EHR systems to record source data, the need to ensure that any updates to those systems do not impact the reliability of the security of the data, and the extent to which the data, including all required audit trails, are backed up and retained by the site to ensure necessary access by FDA.

The Draft Guidance also includes recommendations regarding the information FDA expects to be included in study protocols and informed consent documents. When the use of EHR systems is contemplated, FDA recommends that study protocols include a description or diagram of the electronic data flow between the EHR and the sponsor’s EDC system, along with information regarding the manner in which the data are extracted and imported from the EHR and monitored for consistency and completeness. FDA also recommends incorporation into informed consent forms of information regarding the extent of access to EHRs granted to sponsors, contract research organizations, and study monitors, as well as a description of any reasonably foreseeable risks with the use of EHRs, such as those involving an increased risk of data breaches. While information related to third party access to health information is typically addressed in informed consent documents, specific details related to access to EHRs and their associated risks are less common. Sponsors and research institutions should consider the extent to which their template informed consent documents should be updated to incorporate the best practice recommendation in the Draft Guidance.

In addition, in the Draft Guidance, FDA encourages the development and use of interoperable EDC and EHR systems to permit electronic transfer of EHR data into the eCRFs being utilized for a clinical trial, including the adoption of data standards and standardization requirements of the ONC Health Information Technology (Health IT) Certification Program. While interoperability of EHR and EDC systems offers the promise of increasing efficiency of clinical trial data collection and reducing the transcription errors that commonly result from the maintenance of this information in separate repositories, FDA acknowledges challenges related to the diverse ownership of the data and EHR systems used to capture them, and the confidentiality of clinical trial information, that will need to be overcome in order to realize the benefits offered by interoperability.

By Alan J. Arville, Constance A. Wilkinson and Selena M. Brady

The House of Representatives Energy and Commerce Committee (“the Committee”) circulated draft language to include in its 21st Century Cures legislation earlier this week to reform the 340B drug discount program (the “340B Program”). Although the draft 340B language was pulled from the legislation yesterday, the language proposed provides insight into what future legislative reform may include. The draft language, if adopted, would have a substantial impact on all 340B Program stakeholders, including covered entities, contract pharmacies, 340B technology vendors, and drug manufacturers.

The draft language addressed the concerns of several Committee members during the Health Subcommittee hearing on March 24, 2015 (discussed here), including the lack of clarity surrounding the patient eligibility definition, the lack of transparency on how hospital-based covered entities use 340B savings to benefit underserved patients, and the Health Resources and Services Administration’s (“HRSA”) limited authority to issue regulations and enforce 340B Program requirements. In addition, the draft language would impose several new requirements on 340B contract pharmacy arrangements. The following summarizes several key provisions included in the draft language.

Patient Eligibility Definition

The proposed language defining “patient” did not significantly deviate from the existing definition set forth in HRSA’s 1996 guidance, but added a requirement that the patient have an “in-person” clinical or medical visit at the covered entity.

New Obligations for Covered Entities

The draft language proposed several new requirements of covered entities in order to participate in the 340B Program, including the following:

  • Covered entities would pay a user fee not to exceed 0.1 percent of covered outpatient drug purchases.
  • Covered entities with high volume purchases would be required to conduct an annual independent audit of the entities’ 340B Program compliance, and provide the results to the Department of Health and Human Services (“HHS”).
  • Hospital-based covered entities (except for critical access hospitals) would be subject to substantial new reporting requirements, including the submission of an annual report detailing the following: (1) patient breakdown by payor and the aggregated amount of acquisition cost and reimbursement for covered outpatient drugs by payor, (2) the use of its 340B Program revenue relating to the access and provision of health care for the uninsured, underinsured, underserved and medically vulnerable, (3) its prevention of duplicate discounts, (4) the number of covered outpatient drugs dispensed by each of its contract pharmacies, (5) the amount of uncompensated care, and (6) the name of any third parties or vendors that administer its inventory management system or contract pharmacy arrangement.

Guidance on Contract Pharmacies

The proposed language also addressed contract pharmacies and imposed some potentially onerous obligations for covered entities and contract pharmacies. The contract pharmacy language required covered entities utilizing contract pharmacies to:

  • Have a contractual agreement in place with each contract pharmacy;
  • Register the contract pharmacy agreement and the contract pharmacy’s “distance” from the covered entity with HRSA;
  • Ensure compliance of each contract pharmacy agreement with the requirements to prevent drug diversion and duplicate discounts;
  • Develop a mechanism to track the income of the patients of the covered entity and the amount such patients pay to receive covered outpatient drugs from the contract pharmacy;
  • Maintain, and ensure that each contract pharmacy maintains, auditable records;
  • Develop a process and conduct review of prescribing and dispensing records to identify irregularities; and
  • Provide annual audits of the contract pharmacy to be conducted by an independent auditor.

Expanded HHS Authority

The proposed changes would have provided HHS with the authority to establish limits on what the uninsured pay for 340B drugs and allowed HHS to impose new penalties on covered entities for non-compliance with the 340B Program. Perhaps most significantly, the proposed language would have given HHS the authority to issue regulations addressing several areas of the 340B Program including, but not limited to, covered entity eligibility, patient definition, contract pharmacy arrangements, covered entity reporting requirements, duplicate discounts, limits on amounts charged to uninsured patients, and penalties for non-compliance.

At the International Association of Privacy Professionals (“IAPP”) Global Privacy Summit in Washington, D.C. on March 5th and March 6th, the Federal Trade Commission (“FTC”) was clear in its message that privacy was a top priority for the agency.  The FTC had a strong presence at the conference.  Three of the five Commissioners and the Director of the Bureau of Consumer Protection (Jessica Rich) all spoke at the conference and relayed a message of the importance of consumer privacy and security.  In that regard, the FTC speakers stressed the importance of:

  • informing consumers of the collection of consumer information;
  • informing consumers how such collected information will be used; and
  • providing strong safeguards for information collected.

The FTC speakers also announced that the FTC will begin a new security campaign to engage businesses of all sizes in understanding the importance of securing consumer information.  The FTC speakers also emphasized the FTC’s concern and focus on the collection of health information by organizations that are not covered under HIPAA (for example, organizations developing wearable devices or other consumer-driven apps).  Given the tenor of the discussions, there is no question that FTC will continue to make privacy enforcement a top priority.  As a result, device manufacturers, pharmaceutical manufacturers, and mobile health developers should remember to think beyond HIPAA when they think of U.S. privacy compliance.  For a listing of prior privacy enforcement actions by the FTC, see https://www.ftc.gov/news-events/media-resources/protecting-consumer-privacy/enforcing-privacy-promises.