On December 11, 2018, the Food and Drug Administrative (“FDA”) issued a draft guidance for comment entitled, “Biomarker Qualification: Evidentiary Framework” (the “Guidance”).  The Guidance provides insight regarding standards for biomarker qualification under the 21st Century Cures Act (“Cures Act”).

FDA defines the term “biomarker” as a “characteristic that is measured as an indicator of normal biological processes, pathogenic processes, or responses to an exposure or intervention, including therapeutic interventions.” There are various types of biomarkers including, but not limited to: molecular – (i.e. blood glucose); radiographic (i.e. the size of a tumor); and physiologic (i.e. blood pressure), and each of these biomarkers fall into various categories, all of which are regulated by FDA. The term “biomarker qualification” is defined as “a conclusion, based on a formal regulatory process that within the stated context of use, can be relied upon to have a specific interpretation and application in medical product development and regulatory review.” Importantly, once a biomarker is qualified for a particular context of use, it becomes publicly available, and can be applied in any drug development program for that qualified context of use.

The Guidance discusses the evidentiary framework for supporting biomarker qualification, including needs assessments; context of use; and benefit-risk considerations, and how these considerations can relate to determine the type and level of evidence required to support the qualification of a biomarker. Additionally, the Guidance addresses general statistical and clinical considerations related to the correlation between the biomarker and outcome of interest, and general analytical considerations related to performance characteristics of the biomarker test.

Ultimately, the success of the Guidance in advancing biomarker qualification will turn on its contents and stakeholder input.  The Agency has asked for comments on the Guidance by February 9, 2019, to ensure that comments can be fully considered before the Guidance is finalized, although comments may be submitted on FDA guidance at any time. The formal announcement about the draft Guidance issued by FDA is available here.

Recently, the U.S. Department of Health & Human Services (“HHS”) issued guidance for healthcare cybersecurity best practices.  As required under the Cybersecurity Act (CSA) of 2015, this four-part guidance was generated by a Task Group charged with the following:

  1. Examining current cybersecurity threats affecting the healthcare and public health sector;
  2. Identifying specific weaknesses that make healthcare and public health organizations more vulnerable to cybersecurity threats; and
  3. Providing certain practices that cybersecurity experts rank as most effective against such threats.

This technical assistance comes at a critical time.  Healthcare organizations, regardless of size, complexity or sophistication are vulnerable to cyber-attacks. For example, while smaller organizations may think that cyber threats, such as ransomware, tend to affect the larger organizations, approximately 58% of malware attack victims affect small businesses. Furthermore, cybersecurity attacks in 2017 cost small and medium-sized businesses an average of $2.2 million.

Most surprisingly, despite increased frequency of cyber-attacks over the last two years, coupled with cost of data breaches being highest in healthcare, the healthcare industry continues to lag behind in cybersecurity preparedness. About 4-7% of total IT budgets, across healthcare organizations, are being spent on cybersecurity, while other industries spend approximately 10-14%.  There is certainly a need and significant room for improvement across the industry.

The main volume of the new HHS guidance document cites the five most prevalent cybersecurity threats as:

  • E-mail phishing attacks;
  • Ransomware attacks;
  • Loss or theft of equipment or data;
  • Insider, accidental or intentional data loss; and
  • Attacks against connected medical devices that may affect patient safety.

The guidance document also shares ten best practices to mitigate cybersecurity threats (covered in more detail in corresponding Technical Volumes):

  • E-mail protection systems;
  • Endpoint protection systems;
  • Access management;
  • Data protection and loss prevention;
  • Asset management;
  • Network management;
  • Vulnerability management;
  • Incident response;
  • Medical device security; and
  • Cybersecurity policies.

With this new cybersecurity guidance from HHS, healthcare companies can be better equipped to strengthen their security and more effectively tackle cyber threats.  Companies should prioritize these efforts because cybersecurity preparedness can reduce patient privacy risk, protect patient safety and ultimately preserve an organization’s reputation.


Alaap B. Shah


Daniel Kim

On October 18, 2018, the FDA published Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.  This guidance outlined recommendations for cybersecurity device design and labeling as well as important documents that should be included in premarket approval submissions.  This guidance comes at a critical time as the healthcare industry is a prime target for hackers.  On January 22, 2019, the U.S. Department of Homeland Security Industrial Control System Cyber Emergency Team (US-CERT) issued another advisory regarding medical device vulnerabilities.  Further, a report by KLAS Research in collaboration with the College of Healthcare Information Management Executives (CHIME) found that 18 percent of healthcare organizations reported that their medical devices were hit by malware or ransomware.  Many experts are also projecting that more cyber-attackers will target devices in 2019.

The FDA has recognized cybersecurity risk related to medical devices for quite some time, and has taken this step to further protect patients from such risks.  Other organizations have also taken aim at this issue, such as the National Institute of Standards and Technology (NIST) issuing guidance related to telehealth monitoring devices.  However, medical device manufacturers may continue to struggle to address these risks in design, development and implementation.  As a result, with Internet of Things (IoT)-enabled device innovation continuing to expand and the expectation of new threats, it is imperative that medical device consumers and manufacturers keep pace to ensure device network security.

There are several complexities that exist relative to securing medical devices. First, many devices no longer function as stand-alone components in healthcare settings as they are being integrated into the health care IoT.  Second, an increasing number of medical devices are network-connected and transmitting sensitive patient data through other wired or wireless components.  These two factors create quality improvements, convenience and flexibility to physicians and patients, but they can also introduce new security vulnerabilities that could adversely affect clinical operations as well as put patients at risk.

The FDA guidance addresses a number of key areas of risk.  In particular, the guidance recognized vulnerabilities stemming from insufficient access control safeguards medical devices.  For instance, administrators often assign the same password to multiple devices, which could provide unauthorized access to each device and its data.  Additionally, the FDA noted that data transmitted through the devices is not always encrypted, which could allow unauthorized individuals to intercept and even modify clinical information impacting patients’ privacy and/or safety.  Finally, a number of devices are vulnerable to malware without the ability to apply security patches.

To reduce risk, there are several measures that can be implemented to enhance device security.   For instance, hospitals and health systems should include medical devices in security risk analyses and risk management plans. Additionally, organizations should thoroughly evaluate security risks related to devices and vendors before purchasing devices (e.g. request disclosure of device cybersecurity properties).  As for device manufacturers, enhanced security systems should be baked into devices to monitor device networks and ensure device authorization is limited to assigned authorized users.

EBG will continue to keep an eye on how the industry reacts and implements the FDA’s guidance over time.


Brian Hedgeman


Alaap B. Shah

The federal government entered into a partial shutdown at midnight on Saturday, December 22, 2018. The implications of the ongoing shutdown are far-reaching, but its impact on the Food and Drug Administration (“FDA”) is of particular concern to members of FDA-regulated industries and those with a role in ensuring the public health. Thousands of FDA employees considered non-essential were furloughed and, consequently, routine regulatory and compliance activities at FDA were put on hold. On his Twitter account (@SGottliebFDA), Scott Gottlieb, M.D., Commissioner of the FDA (“Dr. Gottlieb”), has tweeted frequent updates regarding FDA operations. As he explained, FDA officials initially consulted with public health experts and other senior leaders regarding which FDA activities address threats to human life and safety and, thus, should continue during the shutdown.

Many FDA operations halted for two weeks during the holidays, according to schedule. Accordingly, many activities were not considered delayed until early January when FDA was scheduled to resume all operations. To provide examples of the shutdown’s implications at FDA, FDA is currently not accepting new medical product applications that require fee payment or reviewing drug applications that are not user-funded, and FDA’s Center for Drug Evaluation and Research (“CDER”) has paused all non-emergency over-the-counter monograph drug activities because these activities were determined not to address immediate threats to human life and safety. In addition, the thirty-day waiting period before sponsors of investigational new drugs may conduct clinical trials is paused during the shutdown unless the drugs are considered emergency drugs.

During the shutdown, FDA will utilize carryover “user fee” funding to continue review of certain applications that require a user fee, such as New Drug Applications, Biologics License Applications, and Premarket Approval applications for medical devices, if such fee has been paid. However, FDA may require more time than what agency timeframes allot to review these applications. FDA cannot accept new user fees during the shutdown. If fee payment is required, sponsors must wait until the government reopens. Some companies and industry segments, such as allergenic products, negotiated to be excluded from user fees and chose to instead rely on budget authority. Accordingly, when budget authority lapses, routine review activity for these products halts unless an emergency involving safety of human life warrants review.

As the shutdown entered week three, FDA determined it would resume activities necessary to identify and respond to threats to the safety of human life. On January 15, 2019, furloughed food safety inspectors returned to work without pay after Dr. Gottlieb days earlier sought and received permission from the Department of Health and Human Services and the White House to call the inspectors back to work. Resumed FDA activities include:

  • expanded monitoring and analysis of food safety surveillance and detection;
  • surveillance sampling of high-risk foods, drugs, and devices;
  • expanded monitoring and evaluating of medical device adverse event and malfunction reports to include additional types of medical devices;
  • expanded activities related to surveillance and response for recalls as necessary to identify and respond to threats to the safety of human life; and
  • expanded inspection activities beyond “for-cause” inspections to also include foreign and domestic food, drug, medical, device, and pharmacy compounding surveillance inspections focused on the highest risk products and facilities.

Resumed activities are being funded by carryover user fees and from the reduction of any overhead charges to CDER and the Center for Biologics Evaluation and Research. Dr. Gottlieb claims these funding sources give FDA roughly five weeks of funding to review new drug applications. FDA is seemingly operating at the best of its ability despite the circumstances. According to Dr. Gottlieb, carryover user fees supported the January 16, 2019 FDA guidance on drug development to treat rare diseases. Also on January 16, FDA issued draft guidance to support companies seeking final approval for tentatively-approved generic drug applications to promote timely access to safe and effective generic medicines. However, the Prescription Drug User Fee Act, which authorizes FDA to collect fees from companies that produce certain human drug and biological products, is the most vulnerable program, likely to run out of money the first week of February.

Manufacturers, researchers, and others involved in the creation of these products should continue to monitor for developments but should expect likely delays in all FDA review activity. Additional operations may resume as determined to be necessary if the shutdown continues. If the shutdown lasts for more than five additional weeks, it is unclear which FDA operations not addressing an immediate threat to human life can continue. Once the government reopens, FDA will still face a backlog of applications and other regulatory activity, almost guaranteeing a ripple effect of delays that will continue for the foreseeable future.

On December 7, 2018, the U.S. Food and Drug Administration (“FDA”) published a proposed rule (“Proposed Rule”) that, if finalized, would clarify the de novo classification process for medical devices, including (1) the format and contents of a de novo request and (2) the criteria for accepting or denying a de novo request. FDA intends to “enhance regulatory clarity and predictability… [and] provide a regulatory framework that sets clear standards, expectations and processes for de novo classification” through this proposed rulemaking.[1]

FDA regulates medical devices based on risk and has established three general classifications: “class I” (general controls required to provide reasonable assurance of the safety and effectiveness of the device), “class II” (special controls required), or class III (premarket approval required). The regulatory framework for class III devices is especially stringent—FDA reviews class III device safety and effectiveness under a premarket approval (“PMA”) application that takes six months or more to approve, if the device is found suitable for marketing. The 510(k) “premarket notification” submission, however, enables lower-risk devices that are “substantially equivalent” to existing, legally marketed (“predicate”) devices not subject to a PMA to obtain marketing clearance without a PMA. Under section 513(f)(1) of the Federal Food, Drug, and Cosmetic Act (“FDCA”), new devices receiving not substantially equivalent (“NSE”) determinations are automatically designated a class III device. The de novo process serves as an alternative pathway for receiving marketing authorization for class I or II devices.

In the Proposed Rule, FDA seeks to clarify and formalize the de novo pathway for novel devices without predicates. Many of these proposals are contained in various recent guidances from FDA.[2] Below we break down key components of the Proposed Rule:

 

FDA Reviewing Procedures: Facility Inspections Proposed

Perhaps the most controversial component of the proposed de novo pathway is a provision that enables FDA to conduct premarket manufacturing inspections of “relevant facilities” as part of its de novo review process. Although these manufacturing inspections are authorized under the FDCA as an element of the PMA application review, the FDCA does not grant this authority to FDA for de novo review.[3] If this provision remains upon rule finalization, de novo requesters must have their quality systems prepared for inspection. Failing to permit an authorized FDA employee to inspect a relevant facility results in automatic “withdrawal” of the de novo request.

This provision may also be problematic in light of FDA’s proposed timeline for de novo request acceptance. The Proposed Rule requires FDA to grant or decline a de novo request within 120 days from when it receives the request or any additional information. While de novo request devices are required to be classified within the same timeframe under the FDCA, 120 days is rarely met. According to the Medical Device User Fee Amendments 2017 (“MDUFA IV”), FDA articulates that it aims to “issue a MDUFA decision within 150 FDA days of receipt of the submission for . . . 55% of de novo requests received in FY 2019.” (emphasis added). FDA’s self-stated goals appear to make the proposed 120-day codification lofty, especially considering FDA’s authorization and intention to make premarket manufacturing inspections during its de novo request reviews.

 

Notable De Novo Request Content Requirements

The Proposed Rule intends to clarify the minimum content requirements as prescribed in section 513(f)(2) of the FDCA. Most of these components are consistent with de novo guidance recommendations, but there are a handful of new proposed requirements:

  • Bibliography of “all published reports” and other unpublished “identification, discussion, and analysis of any other data, information, or report” relevant to the safety and effectiveness of the device. This practice is typically reserved to higher-risk PMA applications under 21 C.F.R. 814.20(b)(8).
  • Samples of the device and its components (if requested by FDA). This practice is typically reserved to higher-risk PMA applications under 21 C.F.R. 814.20(b)(9).
  • Proposed advertisements and labels for the device. Although not uncommon for companies to include sample labeling information in 510(k) notifications, this proposed provision would now make it a requirement in de novo requests, similar to PMA applications under 21 C.F.R. 814.20(b)(10).
  • Information about “known or reasonably known existing [device] alternative[s].”
  • Statement that provides (1) a list of any required information that is omitted in the de novo request and (2) “a justification” for any omissions.

 

Acceptance Review

FDA proposes an acceptance review stage for de novo submissions during which FDA makes a “threshold determination” as to whether the de novo request contains sufficient information to warrant substantive review. Within 15 days of receiving the de novo request or additional information, FDA must complete the acceptance review and notify the requester—after 15 days, the de novo request is automatically accepted for substantive review. The Proposed Rule identifies several “deficiencies” that warrant a refusal to accept (“RTA”), including: (1) incorrect de novo request format; (2) incomplete submission of required content; and (3) the failure to provide a “complete response” to FDA requests for additional information or deficiencies identified by FDA in any prior submissions for the same device. These deficiencies are similar to the Refuse to Accept Policy for 510(k)s guidance and “Acceptance Checklist[s]” issued by FDA in January 2018.

 

Confidentiality Provisions

FDA sets forth confidentiality provisions that are similar to other FDA marketing submissions. FDA must maintain confidentiality of the requester’s de novo application until it issues an order granting the request. FDA must also maintain confidentiality of all information provided in the request. Public disclosure by the requester, however, renders these confidentiality requirements inapplicable.

The preamble makes it clear that FDA is proposing this rule to bring greater structure, clarity, and efficiency to the de novo classification process. This rule essentially formalizes many of the criteria recommended in various FDA guidances and provides more certainty (albeit less flexibility) for both de novo requesters and FDA enforcement.

The Proposed Rule is available for public comment until March 7, 2019. If finalized, FDA the regulations would go into effect 90 days after the final rule is published.

 

[1] 83 Fed. Reg. 63,129 (Dec. 7, 2018).

[2] See, e.g., U.S. FDA, Guidance: De Novo Classification Process (Evaluation of Automatic Class III Designation) (Oct. 30, 2017), available at https://www.fda.gov/ucm/groups/fdagov-public/@fdagov-meddev-gen/documents/document/ucm080197.pdf; U.S. FDA, Draft Guidance: Acceptance Review for De Novo Classification Requests (Oct. 30, 2017), available at https://www.fda.gov/ucm/groups/fdagov-public/@fdagov-meddev-gen/documents/document/ucm582251.pdf.

[3] In fact, the FDCA expressly prohibits FDA from conducting these premarket facility inspections in its 510(k) review (“other than a finding that there is a substantial likelihood that the failure to comply with such regulations will potentially presents a serious risk to human health”). See FDCA Sec. 513(f)(5).

According to a report by West Monroe Partners, approximately 40% of companies engaged in corporate transactions reported finding a cybersecurity issue during post-acquisition integration of the target company.  While companies routinely conduct robust transactional due diligence to manage legal risk, many fail to adequately conduct cybersecurity due diligence. As a consequence, many companies and investors are leaving themselves vulnerable to potentially severe latent cyber risks.

Cybersecurity is especially relevant in healthcare transactions as the industry continues to be riddled with cyber-attacks.  Protenus Breach Barometer reports that healthcare has been the most targeted industry over the last few years, with 1.13 million, 3.15 million, and 4.4 million patient records compromised in the first three quarters of 2018, respectively, and more than half of breaches occurring due to hacking.  The cat is out of the bag.  Healthcare entities usually amass very lucrative personal data – social security numbers, demographic information, health insurance records, and prescription information – making them attractive targets for hackers.

Despite the high frequency of cyber-attacks in the industry, many healthcare entities spend only half as much to improve security protections when compared to other industries.  As a result, these companies remain vulnerable to cyber threats.  In the case of a breach, companies could face penalties from government agencies as well as class action lawsuits. Cyber risks may intensify during acquisitions, as the likelihood of a breach increases with the expansion of the overall cyber footprint.  Further, in a transaction, the target company’s vulnerabilities ultimately become an issue for the acquiring company.  Thus, if the target entity does not have adequate safeguards to protect patient records, then the acquiring company is at financial and reputational risk for those failings.

Given the potential risks, it is important that acquiring companies prioritize cybersecurity as an integral part of due diligence efforts.  An effective due diligence process should at a minimum evaluate cybersecurity preparedness and risks related to the following: 1) current state of risk assessment; 2) technical security features of business critical information systems and network architecture; 3) implementation of policies and procedures related to information security; 4) policies and procedures related to detecting, responding to, and recovering from cyber incidents; and 5) historical indicators of legal and regulatory compliance issues related to cybersecurity.


Alaap B. Shah


Eric W. Moran


Brian Hedgeman

On December 18, 2018 the Food and Drug Administration (“FDA”) finalized guidance on its existing Breakthrough Device Program and announced plans for advancement of the Safer Technologies Program (“STeP”).  In the announcement, FDA Commissioner Scott Gottlieb emphasized the FDA’s efforts to promote innovation in medical devices that advance patient safety. This new medical device guidance could signal a year of opportunity for innovative medical device manufacturers that seek to advance patient safety.

Breakthrough Device Program

The Breakthrough Device program was created under the 21st Century Cures Act and seeks to facilitate the development and expedite the review of breakthrough technologies that provide for more effective treatment or diagnosis of life-threatening or irreversibly debilitating diseases or conditions. Medical devices and device-led combination products that qualify for this program must meet specific criteria.  First, the device must provide for more effective treatment or diagnosis of life-threatening or irreversibly debilitating human diseases or conditions. Second, the device must meet at least one of the following criteria: (1) represent a breakthrough technology, (2) no approved or cleared alternatives exist, (3) offer significant advantages over existing approved or cleared alternatives, or (4) device availability is in the best interest of patients.  A manufacturer can send a breakthrough designation request at any time prior to sending its marketing submission. The Breakthrough Devices program replaces the Expedited Access Pathway and Priority Review for medical devices.

Safer Technologies Program (“STeP”)

STeP was first revealed in the Medical Device Safety Action Plan published in April 2018. The purpose of the program is to serve as an alternative for devices that cannot or do not fit into the breakthrough device construct, but still seek to make current treatments or diagnostics significantly safer.  The FDA anticipates creating guidelines for the STeP in 2019.

Opportunities for Stakeholders

The objective of both programs is to improve development through providing opportunity for additional interactions with FDA and faster reviews through a priority review designation and/or improving alignment on device development prior to regulatory marketing submissions.  These features can provide value to device manufacturers, and potentially accelerate development, although they are not a substitute for a manufacturer’s own planning regarding regulatory strategy.  Since its implementation in late 2016, approximately 110 devices have received Breakthrough Designation, so more manufacturers continue to take advantage of this program.  The STeP program could create even more opportunities.

On January 17, 2019, the FDA will host a webinar to help clarify the Breakthrough Devices program’s final guidance for manufacturers. Manufacturers should view this webinar to become better acquainted with the program and consider its potential benefits to products in development.

As 2019 begins, companies should seriously consider the financial and reputational impacts of cyber incidents and invest in sufficient and appropriate cyber liability coverage. According to a recent published report, incidents of lost personal information (such as protected health information) are on the rise and are significantly costing companies. Although cyber liability insurance is not new, many companies lack sufficient coverage. RSM US LLP, NetDiligence 2018 Cyber Claims Study (2018).

According to the 2018 study, cyber claims are impacting companies of all sizes with revenues ranging from less than $50 million to more than $100 billion.  Further, the average total breach cost alone is $603.9K. This does not include crisis services cost (average $307K), the legal costs (defense = $106K; settlement = $224K; regulatory defense = $514K; regulatory fines = $18K), and the cost of business interruption (all costs = $2M; recovery expense = $957K).  In addition to these financial costs, reputational impact stemming from cyber incidents can materially set companies back for a long-period of time after the incident.

Companies can reduce risk associated with cyber incidents by developing and implementing privacy and security policies, educating and training employees, and building strong security infrastructures.  Nevertheless, there is no such thing as 100% security, and thus companies should consider leveraging cyber liability insurance to offset residual risks.  With that said, cyber liability coverages vary across issuers and can contain many carve outs and other complexities that can prevent or reduce coverage.  Therefore, stakeholders should review their cyber liability policies to ensure that they understand the terms and conditions of such policies. Key items to evaluate can include: coverage levels per claim and in the aggregate, retention amounts, notice requirements, exclusions, and whether liability arising from malicious third party conduct are sufficiently covered.

While cyber liability insurance will not practically reduce risk or a cyber incident, it is increasingly a critical component of a holistic risk mitigation strategy given the world we live in.


Alaap B. Shah


Daniel Kim

On December 21, 2018, the Department of Justice (“DOJ”) announced in a press release the recoveries obtained in settlements and judgments from civil matters involving fraud and those brought under the False Claims Act (“FCA”) for the fiscal year (“FY”) ending September 30, 2018. While total recoveries were $2.88 billion—the ninth consecutive year exceeding $2 billion—this was down almost $600 million from FY 2017, the lowest level since 2009 and the second year in a row that total recoveries fell.

However, and of particular note to those involved in the healthcare and life sciences industries, over $2.5 billion—$329 million more than in FY 2017, and almost 88 percent of all recoveries—were generated from healthcare-related matters. Notably, recoveries in such cases brought by the DOJ directly rose to $568 million, the second-highest level since 1987. And, while more than 50 percent of the recoveries are identified as attributable to a finite number of matters, pharmaceutical and medical device companies, managed care providers, hospitals, pharmacies, hospice organizations, laboratories, and physicians all continued to be enforcement targets.

Qui Tam Cases: A Concentration on Healthcare

The statistics also reflect that cases filed by qui tam relators are a principal driver of DOJ’s FCA enforcement efforts. While the number of qui tam cases filed dropped in FY 2018, 645 matters were brought last year, representing almost 85 percent of all new matters. Relative to the healthcare industry, 446 new qui tam cases were brought in FY 2018, a drop from FY 2017 but the fifth highest number since 1987. About 88 percent of all new FCA matters pursued against entities involved in the healthcare industry were brought by relators.

The greatest risk to entities continues to be qui tam matters in which the United States elects to intervene. More than 90 percent of all dollars recovered from qui tam cases in FY 2018 were from cases in which the government elected to intervene. However, relators continue to pursue matters post-declination. In FY 2018, almost $120 million was recovered from such matters; while a sharp decline from the $445 million collected in FY 2017, almost 70 percent of all recoveries in cases pursued post-declination were from the healthcare industry.

Although plainly not a record year, expect that these statistics will still serve to encourage new filings. In FY 2018, more than $300 million was paid out in relators’ share awards; more than $266 million of which came from matters involving the healthcare industry. While these were the lowest levels since 2009, since 1988 relators have been paid over $5 billion for matters brought involving the healthcare industry alone (total payments, all industries, exceed $7 billion). The potential for a major reward—as supported by these numbers—clearly continues to drive the filing of new cases.

Individuals in Focus

DOJ’s announcement also emphasized its effort in holding individuals accountable. The press release lists multiple examples of individual enforcement, whether pursued through joint and several liability along with corporate defendants, or otherwise. Significantly, multimillion-dollar recoveries were generated this year from individuals involved in the healthcare industry.

Recent announcements from the DOJ reflecting revisions to the “Yates Memo” suggest that senior corporate management, as well as members of boards of directors, continue to face enforcement risk.

*************

While overall recoveries dropped, the dollars generated from enforcement in the healthcare space grew and remain staggering. The statistics will only serve to encourage the government and qui tam relators to continue to pursue corporations and individuals involved in the healthcare and life sciences industries. They are also a strong reminder of the importance of the development and maintenance of programs designed to deter improper conduct and promote compliance across all organizational levels.

 

Did you know that your zip code is a better predictor of your health than your genetic code? Public health experts – and your health insurance provider – have long known that the air you breath, the education you receive, your net worth, and even the music that you listen to are strong indicators of your overall health – and the possibility that you might need expensive medical procedures in the future. By some measures, up to 50% of your overall health is determined by social, economic, and environmental factors. As the movement to value-based payment continues in health care, there has been a renewed focus from policymakers and payors on “social determinants of health” in an attempt to curtail health care costs by addressing the root problems of poor health; before the patient is at-risk and when the interventions may be cheaper than medical care.

The concept that social determinants of health play a crucial role in limiting health care costs is hardly new, but has been more prominently incorporated into payment reform programs recently. New York, for example, has established the Health and Recovery Plan (“HARP”), a program designed for Medicaid beneficiaries with serious mental illness or substance use disorders. The HARP program combines traditional medical care with “Home and Community Based Services,” with the intent to ensure that HARP beneficiaries also receive care for underlying social factors that exacerbate their mental health or substance use issues. HARP now includes, as part as the Medicaid managed care premium paid by New York State to managed care organizations administering the program, coverage for services ranging from assistance in accessing transportation, locating and securing housing, instruction on personal budgeting, and both general and vocational education services. While HARP is intended for beneficiaries over 21, New York is launching a similar program for children with behavioral health needs. New York has recently also implemented a rule for Medicaid managed care organizations requiring them to include services offered by “community-based organizations,” such as food programs or job training programs, in value-based contracts between Medicaid managed care organizations and downstream providers with the intent to address social factors in “traditional” health care payment arrangements.

While policymakers and payors are expanding attention to social determinants of health to shape health programs (and in so doing decrease money spent on medical interventions), so too are they eyeing social factors in determining the cost of health care. Companies, such as LexisNexis, are aggregating personal data and developing risk scores that are based almost entirely on an individual’s socioeconomic factors, and marketing that information to health care payors. Though LexisNexis states that it does not intend for the scores to be used to price insurance products, experts have identified risk scores as a potentially useful tool in pricing health plans. Since social factors tend to benefit wealthier individuals, with pricing health plans based on socioeconomic data has a potential to exacerbate disparities in health care access between the rich and poor. The connection between steady employment and better health outcomes has been used to justify Medicaid work requirements in states that have recently requested waivers from the federal government to implement such requirements. Others have pointed that this approach may confuse cause and effect; people with jobs are in a better socioeconomic position than those who aren’t, and therefore are generally healthier. These programs and products simply demonstrate the wide-ranging effect “social determinants of health” already have on health care and the opportunity for their role to grow substantially.

Social determinants of health are not a new idea, but they have a renewed focus as a cost-effective way to decrease health care expenditures. For providers, it may mean incentives or requirements to incorporate external factors into their delivery of care. For organizations that address such social issues, it may portend increased funding. Attention to this area may provide a unique opportunity to realize savings for providers in risk-based agreements and allow providers to get ahead of the curve in a “new” trend in health care.

Cassie Chang, a Legal Intern (not admitted to the practice of law) in the firm’s New York office, contributed significantly to the preparation of this post.