The importance of the Domain Name System (DNS) to your organization’s cybersecurity cannot be overstated. Communications between computers on the Internet depend on DNS to reach their intended destination. Network communications begin with a query to DNS to resolve the human-readable domain name to the numeric Internet Protocol (IP) address computers require to route the transmission. A malicious party who is able to exploit a weakness in DNS can re-route sensitive traffic, including Protected Health Information (PHI), Personally Identifiable Information (PII) and other valuable information, away from the intended recipient and to the malicious actor. Indeed, as the recent attacks on DNS indicate, even encrypting the communication may not be an effective countermeasure: an attacker who controls a domain’s DNS records can obtain a valid certificate for that domain and decrypt the intercepted transmission. Malicious employees and other insiders may also abuse DNS as a side channel to covertly exfiltrate the organization’s most sensitive proprietary information, avoiding Data Loss Prevention (DLP) countermeasures that operate at other layers of the communication process. The recent attacks reported by the Department of Homeland Security reinforce the need to protect DNS functionality as a fundamental component of your organization’s overall cybersecurity and compliance strategy.

Although there is no specific mention of DNS in HIPAA, the Gramm Leach Bliley Act, the GDPR or State cybersecurity laws or regulations, including California, Massachusetts or New York, an organization cannot comply with those regulatory frameworks requiring reasonable network security safeguards without considering threats to DNS. The statutory requirements do not generally mandate the particular mix of cybersecurity controls required to protect DNS. Rather, the frameworks require organizations to implement formalized processes to anticipate and assess risks from cyber threats and then adopt reasonable safeguards.[i] Organizations may reference NIST publications and other technical guidance for a catalog of controls to choose from based on the risk assessment.[ii] Consistent with the regulatory imperatives requiring vigilance and appropriate counter-measures to safeguard data when threats evolve, organizations should revisit their defenses given the recent threats to DNS.

Attackers seek to subvert the normal operation of the DNS servers and applications responsible for resolving domain names so that network communications between computers are routed where the attacker wants them. DNS looks up the IP address of the computer that should receive the communication based on its domain name and advises the requesting computer of that address. For example, when a user types “www.anycompany.com” in his or her web browser, DNS resolves the domain name (“www.anycompany.com”) to a numerical IP address, such as 172.30.xxx.xxx; when the user sends an email (e.g., to “tsmith@anycompany.com”), DNS identifies the mail server for “anycompany.com” through the domain’s mail exchanger (MX) record and resolves that server’s address in the same way. The requesting computer then directs its traffic to the address DNS returned.

DNS is under constant attack because of its open and distributed nature. Organizations under persistent threat, particularly healthcare, financial services and technology companies, should be concerned. DHS recently issued its first emergency directive, to federal civilian agencies, about attacks that hijack DNS resolution and misdirect the government’s traffic.[iii] Typically, the attacks began with compromise of credentials, often through a phishing attack, for an account that can change the organization’s DNS records at its registrar or DNS hosting provider. DHS reported: “Using compromised credentials, an attacker can modify the location to which an organization’s domain name resources resolve. This enables the attacker to redirect user traffic to attacker-controlled infrastructure and obtain valid encryption certificates for an organization’s domain names, enabling man-in-the-middle attacks.” Further, “because the attacker can set DNS record values, they can also obtain valid encryption certificates for an organization’s domain names. This allows the redirected traffic to be decrypted, exposing any user-submitted data. Since the certificate is valid for the domain, end users receive no error warnings.” DHS emphasizes the criticality of the threat: “This is roughly equivalent to someone lying to the post office about your address, checking your mail, and then hand delivering it to your mailbox.” As DHS also noted, security researchers have identified a wave of other DNS hijacking that affected dozens of government, telecommunications and internet infrastructure entities.[iv]

The risks from DNS exploitation are not exclusively from external hackers. Using DNS to exfiltrate information is also a well-recognized technique for malicious insiders, because an organization must allow DNS queries to leave its network for DNS to perform its function at all; data encoded into the names being queried travels out with them. Malicious employees and other insiders will try to exploit this functionality for unlawful purposes, including theft of trade secrets and protected data, and to conceal their activities. Hijacking and tunneling attacks on DNS are not new, but the recent attacks highlight how damaging they can be.[v] Moreover, recent caselaw holds that employers may lose statutory protection of their trade secrets if they do not make reasonable efforts to maintain their secrecy and protect them from insider threats.[vi]

Because cybersecurity should be a team effort, here are some steps that IT, HR and Legal should be considering to protect DNS in their particular organization from hijacking and tunneling attacks. Ensure that DNS servers are up to date on all patches and running a supported version of the name server software. Implement complex passwords and multifactor authentication for every account that can change DNS records, including DNS administrator credentials and the accounts at your domain registrar and DNS hosting provider, to prevent unauthorized changes. Implement a formalized system to monitor or proxy outbound DNS traffic to ensure DNS is being used as intended, for example by flagging unusual volumes of queries, unusually long or random-looking names, and record types (such as TXT) that ordinary users rarely request. Implement a formalized system to audit DNS records and logs to verify that your organization’s names are resolving to the intended addresses. Monitor the encryption certificates issued for your organization’s domains, including by searching public Certificate Transparency logs for certificates you did not request. Consider implementing DNSSEC (which lets resolvers verify that DNS answers were not altered in transit) if technically feasible; note that DNSSEC does not protect against an attacker who changes records through a compromised registrar or DNS hosting account.[vii] Train your employees in recognizing phishing and social engineering and in protecting their credentials. Ask basic questions: e.g., What processes are in place to prevent or discover an employee exploiting DNS to exfiltrate sensitive information? What processes are in place to protect administrator credentials? Implement written policies and procedures around protecting DNS, including configuration management, patching, passwords, monitoring and audit. Ultimately, the right mix of DNS safeguards depends on the risks to your particular organization after conducting a risk assessment.
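The two monitoring steps above, detecting tunneling in outbound queries and checking that the organization’s names resolve to the intended addresses, are illustrated in the following added example. It is not code from the original post or from DHS; every log line, domain name, address and threshold in it is constructed for illustration. It assumes a simplified query-log layout of “client name type” (adjust QUERY_RE for a real resolver’s log format), an out-of-band list of the addresses the organization actually publishes for its own names, and a naive “last two labels” notion of the registrable domain (production code should use the Public Suffix List).

```python
"""Spot DNS tunneling and hijacked resolutions in resolver logs.

Added example: every name, address, log line and threshold here is
constructed for illustration; none of it is taken from the post or from DHS.
"""
import math
import re
from collections import defaultdict

# Constructed query-log lines in a simplified "client name type" layout
# (assumption: adapt QUERY_RE to your resolver's real log format).
SAMPLE_QUERY_LOG = """\
10.0.0.5 www.anycompany.com A
10.0.0.5 mail.anycompany.com A
10.0.0.9 3a7f9c1e5b2d8a4f6c0e1b9d.exfil.example TXT
10.0.0.9 9e2c4b8a1f7d3e6c5a0b2d4f.exfil.example TXT
10.0.0.9 b4d1f8a3c6e9b2d5f0a7c3e1.exfil.example TXT
10.0.0.9 e7a2c9d4f1b6e3a8c5d0f2b7.exfil.example TXT
10.0.0.9 1c5e8b2a7d4f0c3e6b9a1d5f.exfil.example TXT
10.0.0.9 6f3a0d7c2e9b5a1f4c8e2b6d.exfil.example TXT
10.0.0.12 cdn.anycompany.com A
10.0.0.12 www.anycompany.com A
"""

# Constructed answers observed at the resolver: (name, answered address).
SAMPLE_ANSWERS = [
    ("www.anycompany.com", "172.30.10.20"),
    ("mail.anycompany.com", "203.0.113.50"),   # not the address we publish
    ("cdn.anycompany.com", "172.30.10.30"),
]

# Addresses the organization actually publishes for its own names
# (assumption: maintained out of band by the DNS team, not read from DNS).
EXPECTED_ANSWERS = {
    "www.anycompany.com": {"172.30.10.20"},
    "mail.anycompany.com": {"172.30.10.25"},
    "cdn.anycompany.com": {"172.30.10.30"},
}

QUERY_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(text):
    """Bits per character; encoded data scores high, ordinary hostnames score low."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_domain(name):
    """Naive 'last two labels' split; production code should use the Public Suffix List."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_queries(log_text):
    """Return (client, name, qtype) tuples, skipping lines that do not match the layout."""
    queries = []
    for line in log_text.splitlines():
        match = QUERY_RE.match(line.strip())
        if match:
            queries.append((match.group(1), match.group(2).lower(), match.group(3)))
    return queries


def find_tunneling(queries, min_unique=5, min_label_len=20, min_entropy=3.5):
    """Map registrable domain -> number of suspicious unique leftmost labels.

    A tunnel encodes its data in the leftmost label, so many distinct, long,
    high-entropy labels under one domain are the signal. Thresholds are assumptions.
    """
    per_domain = defaultdict(set)
    for _client, name, _qtype in queries:
        domain = registrable_domain(name)
        if name == domain:
            continue
        leftmost = name[: -len(domain) - 1].split(".")[0]
        if len(leftmost) >= min_label_len and shannon_entropy(leftmost) >= min_entropy:
            per_domain[domain].add(leftmost)
    return {d: len(s) for d, s in per_domain.items() if len(s) >= min_unique}


def find_hijacks(answers, expected):
    """Answers for monitored names that differ from the addresses we publish."""
    return {name: ip for name, ip in answers
            if name in expected and ip not in expected[name]}


if __name__ == "__main__":
    for domain, n in find_tunneling(parse_queries(SAMPLE_QUERY_LOG)).items():
        print(f"possible tunneling: {n} encoded subdomains under {domain}")
    for name, ip in find_hijacks(SAMPLE_ANSWERS, EXPECTED_ANSWERS).items():
        print(f"possible hijack: {name} resolved to {ip}")
```

Run as a script, it reports the six encoded labels under exfil.example and the mail.anycompany.com answer that does not match the published address. The hijack check is only as good as the expected-address list it is given, which is why that list must come from the organization’s own change records rather than from a DNS lookup; the tunneling check is heuristic and should be tuned against a baseline of the organization’s normal query traffic, since content-delivery and anti-spam services also generate long, random-looking names.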

___

[i] See, e.g., 45 C.F.R. §164.306(b); 15 U.S.C. §6801; 23 NYCRR §500.00, 500.02, 500.09; Cal. Civ. Code 1798.81.5; GDPR Article 32; Massachusetts (M.G.L. c. 93H; 201 CMR 17; Frequently Asked Questions).

[ii] See, e.g., NIST SP 800-53 Rev. 4 – Security and Privacy Controls for Federal Information Systems and Organizations; NIST Cybersecurity Framework; HHS Technical Volumes 1 & 2: Cybersecurity Practices for Small, Medium and Large Health Care Organizations.

[iii] DHS Alert (AA19-024A) – DNS Infrastructure Hijacking Campaign; DHS Emergency Directive 19-01 – Mitigate DNS Infrastructure Tampering; CISA Blog – Why CISA issued our first emergency directive.

[iv] FireEye Threat Research – Global DNS Hijacking Campaign: DNS Record Manipulation at Scale (https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html); CrowdStrike – Widespread DNS Hijacking Activity Targets Multiple Sectors (https://www.crowdstrike.com/blog/widespread-dns-hijacking-activity-targets-multiple-sectors/).

[v] NIST Special Publication 800-81-2 – Secure Domain Name System (DNS) Deployment Guide.

[vi] EBG Blog: Even if “Secret” Information Will Not Qualify As A “Trade Secret” Unless Adequate Measures Were Taken To Protect That Secrecy;  Abrasic 90 Inc., d/b/a CGW Camel Grinding Wheels, USA v. Weldcote Metals, Inc., Joseph O’Mera and Colleen Cervencik, No. 18 Civ. 05376 (N.D. Ill. March 4, 2019).

[vii] ICANN – DNSSEC – What Is It and Why Is It Important; ICANN Calls For Full DNSSEC Deployment Promotes Community Collaboration To Protect The Internet; ICANN Alert Regarding Published Reports of Attacks On Domain Name System.

On March 27, 2019, the FDA announced that it would be proposing new amendments to key regulations regarding mammography facilities that would require these entities “to tell women more about how dense breast tissue can affect their health and increase their cancer risk.”  The proposed changes to mammography facility regulations would be the first issued in more than 20 years.  The FDA believes the change will “expand the information mammography facilities must provide to patients and health care professionals, allowing for more informed medical decision-making.”  In addition, FDA is proposing to modernize quality standards by, for example, expressly authorizing FDA communications with patients and practitioners in the event of quality issues, requiring use of FDA-approved or -cleared digital accessories, and strengthening recordkeeping requirements.  These changes not only enhance regulatory requirements, but likely foreshadow increasing enforcement and communications from FDA with regard to mammography services.

It is well settled that FDA does not regulate the practice of medicine, but mammography services are a notable exception. Congress provided the FDA with regulatory oversight of mammography facilities in 1992 following passage of the Mammography Quality Standards Act (MQSA). The MQSA entrusts FDA with facility accreditation, annual inspections, certification, and enforcement of standards to assist in ensuring such facilities provide quality care. FDA Commissioner Scott Gottlieb remarked that the new rule proposal would “modernize our oversight of mammography services, by capitalizing on a number of important advances in mammography, like the increased use of 3-D digital screening tools and the need for more uniform breast density reporting.”

Under the proposed rule, mammography providers would be required to tell women whether they have dense breast tissue, which may increase cancer risk and mask tumors, making cancer detection more challenging. Women with dense tissue are often advised to seek other screening tests along with mammograms, such as MRI scans or ultrasound, but in many states this is left to the discretion of providers. (Currently, roughly 36 states already require that female patients be given information about breast density.) The new rule proposes specific language that would be implemented nationwide to explain breast density, note that some women may need additional imaging tests and recommend that patients consult their physicians regarding their results. The FDA language would set a minimum standard and would not preempt states from imposing additional disclosure requirements.

The content of communications beyond the basic diagnosis has been raised as a concern under current state law disclosure standards. Some within the medical profession have argued that disclosure laws could provide women with information that does not necessarily reflect their condition and could lead to demand for expensive, unnecessary tests. Further, some physicians have suggested that state-mandated letters may be too complex for patients to understand. For instance, the Journal of the American Medical Association (JAMA) published a study analyzing notification letters sent out in over 20 states and found that “many use such complex language that patients need a college degree to understand them.” Acknowledging the pushback, Commissioner Gottlieb stated that women have a right to receive such information regarding their health in order to make an informed decision about next steps.

Moving forward, entities and medical professionals should be mindful of these regulations when providing mammography services to female patients. It will be important to exercise best medical judgment when examining mammogram results, as dense breast tissue may represent a significant confounder when assessing breast cancer risk. Communications on these topics could face additional scrutiny as medical practitioners try to balance their regulatory obligations with the general principle of informing patients about their condition in an understandable manner. In addition, the changes could drive an increase in the use of additional diagnostic testing. Thus, there is some uncertainty as to whether there should be a push for enhanced screening.

EBG will continue to monitor this proposed rule.  The FDA is accepting comments on these proposed changes until June 26, 2019.  The notice and comment portal for submitting comments is available at https://www.regulations.gov/document?D=FDA-2013-N-0134-0006.


Brian Hedgeman

On April 2, 2019, FDA issued a press release featuring a statement from FDA Commissioner Scott Gottlieb announcing the Agency’s latest enforcement actions against companies engaging in unlawful marketing of cannabidiol (CBD) products. Coming just days before Gottlieb’s anticipated departure from the Agency, this news is otherwise unsurprising given recent events at the federal and state level. In a December 2018 press release issued on the heels of the Farm Bill’s passage, FDA forecast its intention to step up enforcement against CBD products, and earlier this year state and local governments initiated seizures of CBD products from store shelves. For manufacturers, retailers, and consumers, the takeaway from these recent statements and actions is that it remains unlawful under the Federal Food, Drug, and Cosmetic (FD&C) Act to market conventional foods or dietary supplements containing CBD.

The April 2, 2019 press release announces the issuance of three Warning Letters to companies marketing CBD products using “egregious and unfounded claims that are aimed at vulnerable populations.” Notably, the Warning Letters were issued jointly by FDA and the Federal Trade Commission, which has authority to protect consumers from unfair or deceptive trade practices, including false or misleading advertising claims. As examples of unlawful claims, the Warning Letters cite assertions that CBD products stop the growth of cancer cells, slow the progression of Alzheimer’s, and reduce withdrawal symptoms in individuals with substance use disorders. While FDA’s position is that the inclusion of CBD as an ingredient in conventional foods and dietary supplements is per se unlawful, the Agency’s focus on companies making cure or treatment claims for serious diseases and conditions is consistent with its December 2018 statement that it would prioritize enforcement against products it believes put consumers at risk.

The press release also sets a date for the previously promised public hearing on the future of CBD product regulation. The hearing, which is scheduled for May 31, 2019, will provide a platform for interested parties to “share their experiences and challenges” under the current regulatory environment.  A newly-created internal Agency working group will be tasked with reviewing and analyzing stakeholder feedback and exploring potential regulatory pathways for CBD products.  FDA seeks stakeholder feedback on issues including the levels of cannabis and cannabis-derived compounds that cause safety concerns; how the mode of delivery (e.g., ingestion, absorption, inhalation) affects the safety of, and exposure to, these compounds; and how cannabis and cannabis-derived compounds interact with other substances such as drug ingredients.

Stakeholders with an interest in developing, marketing, distributing, or purchasing consumer-focused CBD products—as well as in developing other hemp-derived cannabinoid compounds for the consumer market—can submit comments or a request to make an oral presentation at the hearing by May 10, 2019.  Stakeholders can also submit comments for FDA’s consideration after the hearing via regulations.gov by July 2, 2019.

Many physicians rely on publicly available reports to assess the safety of the devices they use on patients, but in some cases, these reports aren’t painting the full picture.  A recent Kaiser Health News (“KHN”) article raises serious questions about FDA’s practice of allowing a significant number of medical device injury and malfunction reports to stay out of the public eye.

Under FDA’s Medical Device Reporting (“MDR”) regulation (21 CFR part 803), device manufacturers, importers, and device user facilities (which include hospitals, ambulatory surgery centers, nursing homes, and outpatient diagnostic and treatment facilities (but not physician offices)) are required to submit reports of adverse events and product problems to the Agency.  Outside of this mandatory reporting structure, FDA also encourages health professionals and patients to submit voluntary reports of significant device adverse events and product problems through MedWatch.

Both mandatory and voluntary adverse event reports dating back to the 1990s are housed in FDA’s publicly-accessible Manufacturer and User Facility Device Experience Database (“MAUDE”), which is updated by the Agency monthly.  However, according to FDA’s website, MAUDE may not include reports made according to “exemptions, variances, or alternative reporting requirements granted under 21 CFR 803.19.”

The KHN article examined the scope of such “hidden” reporting channels, which keep certain device injury and malfunction reports from ever seeing the light of day.  In fact, according to KHN’s investigation, since 2016, more than one million device incidents have been able to bypass inclusion in the MAUDE database as a result of FDA’s “alternative summary reporting program.”

Under this program, which launched in 2000, device manufacturers have been able to seek an “alternative summary” reporting exemption, permitting them to send FDA an accounting of device injuries and malfunctions on a periodic basis (e.g., quarterly or annually) in lieu of fulfilling their standard public reporting obligations. Initially, only a few devices had been granted reporting exemptions, but today, about 100 devices, from surgical staplers to balloon pumps to mechanical breathing machines, are subject to exemptions.  The internal Agency database tied to this program is not open to the public.

FDA has also granted other types of reporting exemptions. For example, pelvic mesh manufacturers have been granted a special “litigation complaint summary reporting” exemption. This allows them to submit a single “injury” report to FDA, but attached to that summary report may be a listing of hundreds of patient injury reports (based on lawsuit allegations). For someone reviewing pelvic mesh injuries in MAUDE, this would look like a single injury, with the underlying detailed (and sometimes voluminous) patient injury reports tied to the summary report accessible only through a Freedom of Information Act request.

According to FDA, for certain devices, alternative summary reporting helps eliminate redundant paperwork for the Agency.  But for physicians and patients, many of whom have no awareness of FDA’s “alternative” reporting mechanisms (and thus perceive the publicly available reports as the full universe of available safety information), the lack of transparency is troubling.  Where patient care decisions are in the balance, administrative efficiency should not trump the need for full public access to device injury and malfunction information.  At the very least, FDA should be completely transparent about the types of reporting exemptions that have been granted, and the specific devices that are subject to exemptions.

Despite recent welcome news to the home health agency (“HHA”) industry in Florida, Illinois, Michigan, and Texas following an end to Centers for Medicare & Medicaid Services’ (“CMS’s”) long-standing HHA provider enrollment moratoria, CMS subsequently announced that it would place some newly enrolled HHAs in a provisional period of enhanced oversight. The purpose of the enhanced oversight period and the corresponding additional restrictions placed on certain HHAs is to help CMS address and closely monitor fraud, waste, and abuse concerns in the HHA industry, thus signaling CMS’s ongoing industry-wide scrutiny.

Under the Affordable Care Act, CMS may subject providers and suppliers to enhanced oversight, such as prepayment review and payment caps.[1] CMS recently exercised its enhanced oversight authority, announcing that effective February 15, 2019, there would be a provisional period of enhanced oversight “on HHAs certified to participate in Medicare on or after January 1, 2019.” The provisional period of enhanced oversight includes suppression of all Request for Anticipated Payment (“RAP”) payments. RAPs are upfront payments that HHAs receive before the beginning of a 60-day episode of home health services. During the period when an HHA is under enhanced oversight, which can vary from 30 days up to one year, the HHA will not receive RAPs as part of its reimbursement.[2] CMS indicated that it will make individual determinations as to the duration of the enhanced oversight and provide notice of the scope to the impacted HHAs. Nonetheless, newly enrolled HHAs will need to consider the risks associated with launching de novo or expansion operations without the buffer of the advance funding from the RAP payment. Furthermore, even though CMS ultimately pays the appropriate total payment for each home health episode after submission of the final claim, HHAs that decide to enroll during the period of enhanced oversight may need to closely monitor their cash flow while they are affected by the RAP suppression.

The recent announcement comes on the heels of CMS’s November 2018 final rule that eliminates RAP payments for all newly enrolled HHAs beginning on January 1, 2020, with the implementation of an alternative case-mix adjustment methodology known as the Patient-Driven Groupings Model (“PDGM”).[3] Existing HHAs certified to participate in Medicare prior to January 1, 2019, will continue to receive RAP payments upon implementation of the PDGM on January 1, 2020. When it finalized the PDGM model, CMS indicated that it eliminated RAP payments for newly enrolled HHAs to combat program integrity vulnerabilities related to the potential overlap between RAP and final claim submission. As the implementation of PDGM changes the unit of payment from a 60-day episode of care to a 30-day unit of payment, this eliminates—or at least mitigates—the need for advance payments.

It is not clear from the final rule whether the enhanced oversight and RAP elimination applies only to newly enrolled HHA parent locations or whether it also extends to newly enrolled HHA branch locations. In response to a question from a commenter regarding whether HHAs acquired or opened under an HHA chain organization after January 1, 2019, would be “grandfathered” in and allowed to receive RAP payments, CMS explained that it “did not distinguish between solely-owned HHAs and HHAs that are owned by a parent company.” CMS stated the new policy is applicable to the CMS certification number (“CCN”) included on the Medicare claim and the RAP. Therefore, the new RAP rule applies to newly enrolled HHAs “regardless of whether they are solely-owned or owned by a parent or chain company.” Given that CMS assigns branch locations the same CCN number as the parent for billing purposes, this guidance may signal that a branch that enrolls after January 1, 2019, but is linked to a parent CCN certified prior to January 1, 2019, will still receive RAP payments. However, a branch that links to a parent that enrolled in Medicare after January 1, 2019, will not receive RAP payments.

The CMS announcement begins eliminating RAP payments as of early 2019 for newly enrolled HHAs, resulting in an acceleration of the PDGM RAP policy nearly one year sooner than the industry anticipated. We anticipate that CMS will continue to assess the necessity and advisability of RAPs for those “grandfathered” pre-2019 HHAs and that this may be the first step toward eliminating HHA RAPs altogether.

[1] See Patient Protection and Affordable Care Act, 42 U.S.C. § 1395cc(j)(3).

[2] However, CMS still requires HHAs subject to the enhanced oversight to submit a “no pay” RAP for each home health episode of care in order for CMS to process the final claim for payment.

[3] See 83 Fed. Reg. 56406, “CY 2019 Medicare Home Health Prospective Payment System (HH PPS) rates and wage index for calendar year (CY) 2019” (Nov. 13, 2018).

On March 15, 2019, the Centers for Medicare & Medicaid Services (CMS) released proposed changes to its methodology for calculating Civil Money Penalties (CMPs) for Medicare Advantage (MA) and Part D Prescription Drug Plan (MA and Part D) sponsors.  The proposed changes would impact both the calculation methodology for 2019 as well as the CMP amounts for 2019 and beyond in an effort to increase plan accountability.  CMS is accepting comments on these proposed changes until April 15, 2019 at 11:59 PM ET.

Though CMS has exercised its statutory and regulatory authority to impose CMPs on MA and Part D sponsors from the outset of these programs, it did not publicly release its methodology for calculating CMPs until December 2016.  The current proposed changes are the first to be issued since that initial release.

CMPs are calculated by applying a standard penalty amount to each deficiency committed by an organization.  The standard penalty amount imposed on an organization is calculated on either a “per enrollee” or “per determination” basis.  CMS may increase the standard penalty when specific aggravating factors (e.g., delay of prescription drugs for acute conditions) are identified. However, CMS places limits on CMP amounts imposed on organizations to ensure they are not paying excessive amounts compared to their number of enrollees.

Most significantly, CMS proposes to modify the aggravating factors considered in its determinations, to add, in cases of inappropriate denial of services/prescription drugs, consideration of whether the services/drugs were delayed or were, in fact, never received.  CMS further proposes to remove as an aggravating factor whether the violations were among the top conditions in the Annual MA/PD Audit and Enforcement Report.

In addition, CMS proposes to begin using the cost of living adjustment to calculate penalty increases in accordance with the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015 (Sec. 701 of Pub. L. 114-74). CMS would calculate these amounts annually but would implement the resulting increases to the standard penalty amounts no more often than every 3 years, to correspond to its 3-year MA/PD audit cycles. In reliance on the proposed adjustment, for 2019 CMS would increase the standard per enrollee penalty, such as for inappropriate delay/denial of Part C medical services or Part D drugs or for charging incorrect premium amounts, by $12 (to $212 from the current $200). It is unclear whether CMS would also apply this cost of living adjustment to its per determination penalty amounts.

EBG will continue to monitor all developments in CMS’ regulation of CMPs.

The healthcare industry is still struggling to address its cybersecurity issues as 31 data breaches were reported in February 2019, exposing data from more than 2 million people.  However, the emergence of artificial intelligence (AI) may provide tools to reduce cyber risk.

AI cybersecurity tools can enable organizations to improve data security by detecting and thwarting potential threats through automated systems that continuously monitor network behavior and identify abnormalities. For example, AI may assist in breach prevention by identifying malware for which no signature yet exists. By training on historical data, these applications learn to flag malicious activity even when the specific threat has not been seen before. Utilizing these tools may prove more effective than conventional, signature-based cybersecurity practices alone.

Recently, government agencies have endorsed the use of AI as having tremendous potential moving forward.  In December 2018, HHS launched a pilot that combined AI, automation, and blockchain technology.  This pilot was used to create cost savings as well as design better contracts while also ensuring sensitive data was encrypted and secured within a cloud-based system. Additionally, in January 2019, the Department of Health and Human Services’ shared services organization began building a contract vehicle, known as the Intelligent Automation/Artificial Intelligence (IAAI) contract, which offers “a host of automation and AI technologies and support services, including robotic process automation, machine and supervised learning and machine,” to help other agencies integrate AI technologies into their workflows.  Yet, certain lawmakers continue to express concern regarding appropriate and ethical use of AI.

Though AI is having a transformative effect on the healthcare industry relative to cybersecurity, there are still serious concerns regarding the technology. First, some AI tools could be used maliciously by criminals to threaten digital and physical security; attackers may train models to attack systems at human or superhuman levels. Second, organizations relying too heavily on AI may fail to hire sufficient specialized security personnel to properly manage and oversee cybersecurity operations. For instance, a 2018 Ponemon report found that 67 percent of IT and security professionals believed that automation was “not capable of performing certain tasks that the IT security staff can do” and roughly 55 percent believed automation cannot “replace human intuition and hands-on experience.” Thus, poorly implemented and managed AI could result in greater risk.

Given the nascent state of AI in cybersecurity, entities should approach adoption of AI with caution.  Further, successful implementation and use of AI should be predicated on first establishing policies and procedures for managing cyberrisk.  Organizations should continue to maintain a team of highly skilled security personnel to oversee the implementation and use of AI tools and be on hand to make critical, real-time decisions where automation cannot resolve a cybersecurity issue.  O, brave new world….


Brian Hedgeman


Alaap B. Shah

Consumer privacy protection continues to be top of mind for regulators in a climate where technology companies face scrutiny for lax data governance and poor data stewardship. Less than a year ago, California passed the California Consumer Privacy Act (CCPA) of 2018 to strengthen its privacy laws. In many regards, the CCPA served as a watershed moment in privacy due to its breadth and its similarities to the E.U.’s sweeping General Data Protection Regulation (GDPR).

Yet California continues to push the envelope further. Recently, California State Senator Jackson and Attorney General (AG) Becerra introduced a new bill (SB561) that would expand the consumer’s right to bring private lawsuits for violations of the CCPA. If passed, SB561 would: (1) provide a private right of action for all CCPA violations, not just those stemming from a data breach; (2) eliminate the 30-day period for businesses to cure after receiving notice of an alleged violation; and (3) allow the AG to publish general guidance materials for businesses instead of giving businesses the option to seek specific opinions from the AG. Currently, the CCPA allows the AG’s office to bring actions against businesses, and in most instances allows consumers to bring private actions only for a data breach resulting from a business’s failure to implement reasonable security measures. If SB561 is passed, the CCPA will materially expose businesses to private actions for damages for other violations of the CCPA, including failure to provide consumers with the notices the CCPA requires.

These developments are just the tip of the iceberg.  Emboldened by California's example, many other states are following suit. As such, businesses that implement an effective CCPA compliance program will likely be positioned to satisfy potential compliance obligations in other states moving forward.  For example, Colorado recently passed a sweeping law to protect patient privacy (HB18-1128), which went into effect September 1, 2018.  Colorado now requires covered entities (e.g., business entities that maintain, own, or license personal identifying information (PII) in the course of their business) to implement, and ensure that third-party service providers implement, reasonable security procedures and practices.  Additionally, the law requires covered entities to develop written policies and procedures concerning the destruction of paper and electronic documents that contain PII. Further, the law authorizes the AG to bring criminal prosecutions against covered entities that violate the new rules.

Other states, including Hawaii, Maryland, Massachusetts, New Mexico, New York, North Dakota, Rhode Island, and Washington, are also using the CCPA and the GDPR as templates to perform similar overhauls of their privacy laws. As a result of this state law trend, businesses should closely monitor the legislative progress of these state bills.  Further, if businesses have not yet started shoring up their privacy and data security practices and programs, they had better do so in short order. It is likely that many of these state laws, if passed, will carry stiff penalties for noncompliance and may subject businesses to class actions.

In addition to these piecemeal state law efforts to strengthen privacy, the U.S. Chamber of Commerce is currently exploring whether a Federal consumer privacy protection law should be enacted.  It appears that the privacy tidal wave starting on California’s west coast is making its way eastward . . . .



Daniel Kim


Alaap B. Shah

One well-recognized way to protect patient privacy is to de-identify health data.  However, trends around increases in publicly-available personal data, data linking and aggregation, big data analytics, and computing power are challenging traditional de-identification models.  While traditional de-identification techniques may mitigate privacy risk, the possibility remains that such data may be coupled with other information to reveal the identity of the individual.

Last month, a JAMA article demonstrated that an artificial intelligence algorithm could re-identify de-identified data stripped of identifiable demographic and health information. In the demonstration, an algorithm was utilized to identify individuals by pairing daily patterns in physical mobility data with corresponding demographic data. This study revealed that re-identification risks can arise when a de-identified dataset is paired with a complementary resource.

In light of this seeming erosion of anonymity, entities creating, using and sharing de-identified data should ensure that they (1) employ compliant and defensible de-identification techniques and data governance principles and (2) implement data sharing and use agreements to govern how recipients use and safeguard such de-identified data.

De-identification Techniques and Data Governance

The HIPAA Privacy Rule (45 C.F.R. §164.502(d)) permits a covered entity or its business associate to create information that is not individually identifiable by following the de-identification standard and implementation specifications (45 C.F.R. §164.514(a)-(b)).

In 2012, the Office for Civil Rights (OCR) provided guidance on the de-identification standards. Specifically, OCR provided granular and contextual technical assistance regarding (i) utilizing a formal determination by a qualified expert (the "Expert Determination" method); or (ii) removing specified individual identifiers in the absence of actual knowledge by the covered entity that the remaining information could be used alone or in combination with other information to identify the individual (the "Safe Harbor" method).

As publicly-available datasets expand and technology advances, ensuring the Safe Harbor method sufficiently mitigates re-identification risk becomes more difficult.  This is due to the fact that more data and computing power arguably increase the risk that de-identified information could be used alone or in combination with other information to identify an individual who is a subject of the information.

Given the apparent practical defects in the “Safe Harbor” method, many organizations are applying a more risk-based approach to de-identification through the use of the “Expert Determination” method.  This method explicitly recognizes that risk of re-identification may never be completely removed. Under this method, data is deemed de-identified if after applying various deletion or obfuscation techniques the “risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information . . . .”

In light of the residual risks associated with de-identified data generally, it is important that organizations continue to apply good data governance principles when using and disclosing such data.  These best practices should include: data minimization, storage limitation, and data security.  Organizations should also proceed with caution when linking data sets together in a manner that could compromise the integrity of the techniques used to originally de-identify the data.
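The contrast between the two methods can be made concrete in code. The following is an added example, not part of the original post or any OCR guidance: it applies a simplified Safe Harbor scrub (drop direct identifiers, reduce dates to the year, truncate ZIP codes to three digits, aggregate ages over 89) to constructed sample records, then measures the smallest group of records that still share the same remaining quasi-identifiers, the kind of residual uniqueness an Expert Determination would have to assess. The record layout, field names and the 20,000-person ZIP3 simplification noted in the comments are assumptions made for this example.

```python
from collections import Counter

# Constructed sample records for illustration only (no real patients);
# the field names are assumptions made for this added example.
RECORDS = [
    {"name": "Pat Example", "mrn": "MRN-0001", "zip": "02115", "sex": "F",
     "dob": "1931-04-02", "age": 87, "visit_date": "2019-02-14", "dx": "E11"},
    {"name": "Sam Example", "mrn": "MRN-0002", "zip": "02116", "sex": "F",
     "dob": "1931-09-30", "age": 87, "visit_date": "2019-02-20", "dx": "I10"},
    {"name": "Lee Example", "mrn": "MRN-0003", "zip": "02134", "sex": "M",
     "dob": "1926-01-15", "age": 93, "visit_date": "2019-01-03", "dx": "J45"},
    {"name": "Kim Example", "mrn": "MRN-0004", "zip": "02135", "sex": "M",
     "dob": "1926-11-08", "age": 92, "visit_date": "2019-01-21", "dx": "E11"},
]
DROP = {"name", "mrn"}               # direct identifiers: removed outright
DATE_FIELDS = {"dob", "visit_date"}  # dates: reduced to the year

def safe_harbor(record):
    """Copy of record with Safe Harbor identifiers removed or generalized.
    Simplification: the rule also requires a ZIP3 area of 20,000 or fewer
    people to be reported as 000; that population table is not embedded."""
    out = {}
    for key, value in record.items():
        if key in DROP:
            continue
        if key in DATE_FIELDS:
            out[key] = value[:4]                       # year only
        elif key == "zip":
            out[key] = value[:3]                       # initial three digits
        elif key == "age":
            out[key] = "90+" if value > 89 else value  # aggregate ages over 89
        else:
            out[key] = value
    return out

def min_class_size(records, quasi_ids):
    """Smallest group of records sharing the same values on quasi_ids.
    A result of 1 means some record is unique on those fields and could be
    singled out if the set is linked with an outside resource, which is the
    residual risk the Expert Determination method is meant to measure."""
    groups = Counter(tuple(r[q] for q in quasi_ids) for r in records)
    return min(groups.values())

if __name__ == "__main__":
    scrubbed = [safe_harbor(r) for r in RECORDS]
    print(min_class_size(scrubbed, ("zip", "sex", "dob", "age")))        # 2
    print(min_class_size(scrubbed, ("zip", "sex", "dob", "age", "dx")))  # 1
```

Adding one more retained field (here the diagnosis code) drops every group to a single record, which is why the data minimization and linkage caution discussed above matter even after a Safe Harbor scrub.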

Data Sharing and Use Agreements

Regardless of the de-identification approach, the lingering risk of re-identification can be further managed through contracts with third parties who receive such data.  Though not required by the Privacy Rule, an entity providing de-identified data to another party should enter into a data sharing and use agreement with the recipient.  Such agreements may include obligations to secure the data, prohibit re-identification of the data, place limitations on linking data sets, and contractually bind the recipient to pass on similar requirements to any other downstream party with whom the data is subsequently shared. Further, such agreements may include provisions prohibiting recipients from attempting to contact individuals who provided data in the set and may also include audit rights to ensure compliance.

The risk of re-identification may be a tradeoff to realize the vast benefits that sharing anonymized health data provides; however, entities creating, using and sharing de-identified data should do so responsibly and defensibly.


Alaap B. Shah


Elizabeth Scarola

On February 15, 2019, the U.S. Food and Drug Administration (“FDA”) finalized two guidance documents regarding regenerative medicine therapies (see FDA’s announcement here). This development comes nearly 14 months after FDA issued both guidance documents in draft form, which also coincided with FDA’s announcement of a new comprehensive regenerative medicine policy framework intended to spur innovation and efficient access to new regenerative medicine products.

FDA Commissioner Scott Gottlieb remarked that the finalization of regenerative therapy guidance documents “demonstrate[s] [FDA’s] continued commitment” to fulfilling the promise of providing a clear and predictable pathway to approval. Moreover, he noted that these guidance documents help stakeholders to “understand our regulatory framework” and, in turn, “may help to more efficiently advance access to safe and effective regenerative medicine therapies.” These guidance documents, which are discussed in further detail below, provide information to product developers about FDA’s current thinking with respect to evaluating devices used with regenerative medicine advanced therapies and provide information on the expedited development programs that may be available.

Guidance for Industry: Evaluation of Devices Used with Regenerative Medicine

The final guidance entitled “Evaluation of Devices Used with Regenerative Medicine Advanced Therapies” (available here) clarifies how FDA will evaluate devices used in the recovery, isolation, or delivery of regenerative medicine advanced therapies (RMATs). This guidance finalizes FDA’s current thinking on how the agency will streamline and simplify its application of regulatory requirements for combination device and cell or tissue products.

In this guidance document, FDA acknowledges that a wide range of devices may be used in conjunction with an RMAT, ranging from simple, low-risk devices to complex, higher risk devices to devices that are constituent parts of an RMAT that is classified as a combination product. FDA reiterates that the primary factor in determining the availability of premarket pathways for a device is the device’s classification (i.e., Class I, Class II, or Class III), followed by the risks associated with the device type and the level of regulatory controls necessary to provide a reasonable assurance of safety and effectiveness.

In addition, FDA discusses the factors it will consider when determining whether a device may be labeled for use with a specific RMAT or class of RMATs. When determining which devices may be suitable for use with a specified RMAT or type of RMAT, FDA will consider the distinct biological and physical characteristics of RMATs, intended use, and conditions for use. With respect to cellular products that are RMATs, FDA intends to review the cellular products’ characteristics, their interaction with different devices, as well as any impact on cell viability, differentiation potential, activation state and ability to respond to stimuli after administration and other similar factors.

Substantively, there were no major or unexpected changes between the draft guidance and the final guidance issued by FDA.

Guidance for Industry: Expedited Programs for Regenerative Medicine Therapies for Serious Conditions

The second final guidance, “Expedited Programs for Regenerative Medicine Therapies for Serious Conditions” (available here), provides information regarding the use of accelerated approval pathways for regenerative medicine therapies that have been granted designation as an RMAT, as well as considerations in the clinical development of regenerative medicine therapies and opportunities for sponsors of such products.

This guidance makes clear that the following therapies could qualify for an RMAT designation: cell therapies, therapeutic tissue engineering products, human cell and tissue products, and combination products using any such therapies or products, except those regulated solely under section 361 of the Public Health Service Act (42 U.S.C. 264) and 21 C.F.R. Part 1271. Notably, the final version of this guidance clarifies that "cell therapies" includes both allogeneic and autologous cell therapies, as well as xenogeneic cell products. Products that qualify for an RMAT designation receive all of the benefits of the fast track and breakthrough therapy designation programs, including early interactions with FDA. Although sponsors may apply for and receive both breakthrough and RMAT designation for a product, FDA advised that each designation requires a separate application.

Factors that FDA may consider when determining whether the preliminary clinical evidence is sufficient to support RMAT designation include, but are not limited to, the rigor of data collection; the consistency and persuasiveness of outcomes; the number of subjects and sites contributing to the data; and the severity, rarity, or prevalence of the condition. Unlike the breakthrough therapy designation, RMAT designation does not require a sponsor to produce evidence indicating that the drug offers a substantial improvement over available therapies.

To apply for RMAT designation, a sponsor should submit either a new investigational new drug application (“IND”) or an IND amendment, along with a concise summary of information in support of the RMAT designation. The application should include a description of the investigational product; rationale for the investigational new drug meeting the definition of an RMAT; a discussion to support that the disease or condition the product is intended to treat is serious; and preliminary clinical evidence that the product has the potential to address the specified unmet medical need for the serious condition. The requirement to provide a description of the product is new to the final guidance.  No later than 60 calendar days after receipt of the designation request, FDA will notify the sponsor as to whether the regenerative medicine therapy has received the RMAT designation.

Finally, this guidance provides recommendations for clinical trial design. FDA states that it will consider clinical trials in support of a Biologics License Application (“BLA”) that “incorporate adaptive designs, enrichment strategies, or novel endpoints.” This final guidance provides new language indicating that historical controls and natural history data (the course a disease takes from its onset, through presymptomatic and clinical stages, to a final outcome in the absence of treatment) may be considered, if appropriate. Natural history data, however, may only provide the basis of a historical control if the “control and treatment populations are adequately matched, in terms of demographics, concurrent treatment, disease state, and other relevant factors.”

FDA’s continued focus on developing and finalizing guidance in the regenerative medicine space suggests that FDA is serious about helping industry to both navigate the application process in an effort to streamline the premarket approval process and to better understand and address identified regulatory pain points. For these reasons, sponsors of investigational regenerative therapies should pay close attention to and take into consideration the recommendations set forth in these final guidance documents.