As consumerism in healthcare increases, companies and the individuals they serve are increasingly sharing data with third-party application developers that provide innovative ways to manage health and wellness, among numerous other products that leverage individuals’ identifiable health data.  As the third-party application space continues to expand and data sharing becomes more prevalent, it is critical that such data sharing is done in a responsible manner and in accordance with applicable privacy and security standards. Yet, complying with applicable standards requires striking the right balance between rules promoting interoperability vis-à-vis prohibiting information blocking vs. ensuring patient privacy is protected. This is especially difficult when data is sent to third party applications that remain largely unregulated from a privacy and security perspective.  Navigating this policy ‘tug of war’ will be critical for organizations to comply with the rules, but also maintain consumer confidence. Continue Reading Be Aware Before You Share: Vetting Third Party Apps Prior to Data Transfer

FDA took two important steps last week to clarify the regulatory landscape for cannabis products, including CBD products.  First, FDA issued a draft guidance on Quality Considerations for Clinical Research Involving Cannabis and Cannabis Derived Compounds.  This guidance builds off of earlier guidance FDA has issued about the quality and regulatory considerations that govern the development and FDA approval of cannabis and/or cannabinoid drug products.  See e.g., here and here.  The draft guidance iterates a federal standard for calculating delta-9 THC content in cannabis finished products, which addresses a significant gap in federal policy regarding those products.  While the testing standard is neither final nor binding on FDA or DEA, when finalized it would iterate what FDA considers to be a scientifically valid method for making the determination of whether a cannabis product is a Schedule I controlled substance.  Therefore, it may be useful in many contexts, including federal and state cannabis enforcement actions.  We encourage affected parties to file comments on FDA’s Guidance, which they may do until September 21, 2020.

Second, FDA sent to the Office of Management and Budget for review a proposal on how FDA intends to exercise enforcement discretion over CBD consumer products.  See here.  While the contents of this guidance have not yet been made public, we forecast that it likely will align with FDA’s past enforcement actions and memorialize the agency’s intent to pursue enforcement actions against CBD consumer product companies that make egregious claims about their products treating or preventing serious diseases or conditions.

Guidance on Considerations for Cannabis Clinical Research

FDA’s guidance recognizes that Congress’s enactment of the Agricultural Improvement Act of 2018 (“2018 Farm Bill”) improved domestic access to pre-clinical and clinical cannabis research material that may be used in the research and development of novel therapies.   However, currently marijuana only may be obtained domestically from the University of Mississippi under contract with the National Institute on Drug Abuse.  While DEA issued a policy in 2016 to allow for the additional registration of marijuana cultivators for legitimate research and licit commercial purposes, the Office of Legal Counsel in June 2018 issued an opinion finding that such policy violates the United States’ obligations under applicable treaties.  However, in March of this year, DEA issued a proposed rule to allow for the registration of additional cultivators of cannabis for these licit purposes.  See here.

There is an alternative pathway to the procurement of Schedule I research material which FDA’s guidance does not mention: importation.  Researchers may obtain certain Schedule I material pursuant to a federal DEA Schedule I importer registration, and DEA has in the past issued such registrations.  See 21 CFR 1301.13(e)(1)(viii).

Continue Reading FDA Issues Draft Guidance on Cannabis Clinical Research and Sends CBD Enforcement Discretion Guidance to OMB for Review

On July 7, the Court of Justice of the European Union (ECJ) invalidated the EU-US Privacy Shield framework in its ruling in Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (Case C-311/18). More than 5,000 organizations in the United States have certified their adherence to this framework, and have relied on it to receive personal data from organizations in the EU in compliance with the General Data Protection Regulation (GDPR) since 2016. The framework was a joint effort between the US Department of Commerce and the European Commission and Swiss Administration to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce. The Department of Commerce released the following statement:

The United States shares the values of rule of law and protection of our democracies with our partners in the European Union (EU).  Therefore, we are deeply disappointed that the Court of Justice of the European Union (“ECJ”) has invalidated the EU-U.S. Privacy Shield framework.  The United States is reviewing this outcome and the consequences and implications for more than 5,300 European and U.S. companies, representing millions of transatlantic jobs and over $7.1 trillion in commercial transactions.

The United States and the EU have a shared interest in protecting individual privacy and ensuring the continuity of commercial data transfers.  Uninterrupted data flows are essential to economic growth and innovation, for companies of all sizes and in every sector, which is particularly crucial now as both our economies recover from the effects of the COVID-19 pandemic.  This decision directly impacts both European companies doing business in the United States as well as American companies, of which over 70 percent are small and medium enterprises.  The United States will continue to work closely with the EU to find a mechanism to enable the essential unimpeded commercial transfer of data from the EU to the United States.

Continue Reading ECJ Invalidated the EU-US Privacy Shield Framework

On July 20, 2020, the United States Food and Drug Administration (FDA) announced a six-month extension of its enforcement discretion policy for certain regenerative medicine products requiring pre-market review due to the COVID-19 pandemic. Included in a final guidance document entitled, “Regulatory Considerations for Human Cells, Tissues, and Cellular and Tissue-Based Products: Minimal Manipulation and Homologous Use,” this extension will give manufacturers additional time to determine whether they need to submit an investigational new drug (IND) or marketing application and to prepare and submit to FDA any required IND or marketing application before the enforcement discretion period expires on May 31, 2021. This extension should come as a welcome reprieve to manufacturers of affected products, many of which delayed seeking FDA approval of their products following release of the enforcement discretion policy guidance in November 2017.

Originally announced in November 2017 as part of a suite of guidance documents outlining FDA’s regenerative medicine policy framework, FDA’s enforcement discretion policy was intended to provide manufacturers and health care providers a period of three years to come into compliance with the pre-market review requirements for those Human Cells, Tissues, and Cellular and Tissue-Based Products (HCT/Ps) that do not meet the criteria for regulation solely under section 361 of the Public Health Service (PHS) Act and 21 CFR Part 1271.  The enforcement discretion period was originally set to expire on November 30, 2020.

The substance of FDA’s enforcement discretion policy has not changed in the final guidance. FDA still intends to exercise enforcement discretion with respect to the IND and the premarket approval requirements for HCT/Ps that do not meet one or more of the criteria for regulation solely as an HCT/P including those relating to minimal manipulation and homologous use, provided that use of the HCT/P does not raise significant safety concerns, such as those based on the route and site of administration and the intended use.

The guidance reiterated that FDA has increased its oversight of cellular and tissue products that do not comply with current standards and that patients should ensure that any regenerative medicine products they are using are FDA-approved or covered by an IND.

Spreeha Choudhury, a 2020 Summer Associate (not admitted to the practice of law) in the firm’s Washington, DC, office, contributed significantly to the preparation of this post.

In an important win for healthcare providers, on July 17, 2020, the Third Circuit determined in a published opinion that an out-of-network provider’s direct claims against an insurer for breach of contract and promissory estoppel are not pre-empted by ERISA.  In Surgery Ctr., P.A. v. Aetna Life Ins. Co.[1] In an issue of first impression, the Third Circuit addressed the question of what remedies are available to an out-of-network provider when an insurer initially agrees to pay for the provision of out-of-network services, and then breaches that agreement.

This case arose because two patients—identified as J.L. and D.W.—required medical procedures that were not available in-network through Aetna. J.L. needed bilateral breast reconstruction surgery following a double mastectomy and D.W. required “facial reanimation surgery,” which the Third Circuit describes as “a niche procedure performed by only a handful of surgeons in the United States.” Neither J.L. nor DW had out-of-network coverage for these procedures. D.W.’s plan also contained an “anti-assignment” clause, which would have prevented D.W. from assigning his or her rights under the plan to the Plastic Surgery Center, P.A. Continue Reading Third Circuit: Provider’s Out-of-Network Claims not Pre-empted by ERISA

On March 18, 2020, the United States Food and Drug Administration (FDA) announced the suspension of all domestic routine surveillance facility inspections until further notice. FDA took this measure to protect the health and well-being of its staff and those who conduct the inspections for the agency under contract at the state level, and due to industry concerns regarding visitors. During this interim period, the FDA conducted only a limited number of mission critical inspections using a risk-based approach. On July 10, 2020, FDA announced its plans to resume on-site inspections during the week of July 20th with the assistance of a newly developed COVID-19 Advisory Rating System for assessing the risk of carrying out an inspection in a particular location.

The Advisory Level uses real-time state and national data on the number of COVID-19 cases, and based on the outcome of three metrics, helps to identify those geographic regions in which domestic inspections can restart. The metrics are: Phase of the State (as defined by White House guidelines), statistics measured at the county level to gauge the current trend in infections, and intensity of infection. The agency further stated that its ability to restart on-site inspections also depends on other factors impacted by the pandemic, such as availability of public transportation and downward trends in new cases of COVID-19.

Additional guidance on resuming inspections is anticipated to come soon, but for now entities should be aware that prioritized domestic inspections will resume in the coming weeks, but they are anticipated to be pre-announced for the foreseeable future.

The cannabidiol (“CBD”) consumer product marketplace is booming.  And, while FDA has maintained its position that CBD, even hemp-derived CBD, may not be included as an ingredient in conventional foods or dietary supplements, FDA has signaled its intent to create a lawful marketing pathway for these products.  Also, while FDA has issued Warning Letters to companies who made egregious claims about their products curing serious diseases and conditions like Alzheimer’s disease and cancer, FDA has also signaled a willingness to exercise enforcement discretion over CBD products that pose less serious safety concerns.  What has resulted is CBD manufacturers, retailers, and other businesses living in FDA regulatory purgatory.  Fortunately, several courts have recently held that CBD companies will not face consumer product liability, at least while their FDA regulatory fate is being decided.

A number of federal lawsuits were recently brought by consumers against manufacturers of various types of CBD products, ranging from ingestible foods and beverages, dietary supplements, topical oils and sprays, and vape products. The plaintiffs in these cases all bring similar claims, that the products purchased were misleading as to the amount of CBD in the product and/or that the products were mislabeled and falsely advertised as dietary supplements.  The plaintiffs’ claims are based, at least in part, on assertions that the defendants violated the federal Food, Drug, and Cosmetic Act (“FD&C Act”) by introducing adulterated and misbranded products into the U.S. market.

However, over the course of 2020, at least three judges have found that the outcome of these cases will have to wait until FDA completes its rulemaking on the regulation of CBD products. Citing the primary jurisdiction rule, the judges each issued a stay on their respective cases. The judges found that FDA has primary oversight over claims involving the illegal sale or marketing of CBD products, and that regulatory clarity is needed before a decision may be made on the matters brought by the plaintiffs. Thus, the fate of these cases now depend on when and whether FDA will issue regulations governing CBD products.

Continue Reading Federal Courts Say They Will Decide Cases Against CBD Product Manufacturers When the Smoke Clears

On March 17, 2020, the Office for Civil Rights’ (“OCR”) announced that—for the duration of the COVID-19 emergency—it would exercise enforcement discretion and waive any potential penalties for HIPAA violations relating to health care providers’ use of “everyday communications technologies” in the provision of services via telehealth (the “HIPAA Waiver”). This move has resulted in a drastic increase in the number of telehealth encounters. The HIPAA Waiver has enabled many providers to immediately leverage these technologies to render services via telehealth for the first time, without the need to expend significant resources to quickly ramp up a HIPAA-compliant telehealth platform. A summary of the HIPAA Waiver can be found in a recent blog post. While the HIPAA Waiver applies only temporarily, it is likely that the increased reliance on telehealth evidenced over the past three months is here to stay.

The COVID-19 pandemic’s impact on the regulatory landscape of telehealth was the topic of a June 17, 2020 hearing before the Senate Health, Education, Labor & Pensions Committee.  As Chairman Lamar Alexander acknowledged during his opening statement, the health care sector and government “have been forced to cram 10 years’ worth of telehealth experience into just the past three months.” Indeed, this “cramming” has resulted in thirty-one temporary changes to telehealth policy at the federal level. Of these temporary changes, Chairman Alexander included the OCR enforcement discretion / HIPAA waiver as one of the three changes he considers most important. However, of the three changes the Chairman views as most important, he declined to include the enforcement discretion in the temporary changes he believes should be made permanent, and instead called upon his colleagues to consider whether to extend the HIPAA waiver.[1]

Continue Reading Every HIPAA Waiver Has Its Thorn

FDA recently published its “Good Manufacturing Practice Considerations for Responding to COVID-19 Infection in Employees in Drug and Biological Products Manufacturing Guidance for Industry” (“Guidance”) which provides suggestions on managing the potential risk of products being contaminated by SARS-CoV-2, the virus behind COVID-19 infections for drug and biological product manufacturers, 503B outsourcing facilities, and 503A compounding pharmacies.

The Guidance builds on the current Good Manufacturing Practices (cGMPs) regulations for drugs and biological products, which require personnel with an illness that could adversely affect drug safety or quality be excluded from direct contact with drugs and drug components used in manufacturing.[1]  As the Guidance states, preliminary research indicating that SARS-CoV-2 “is stable for several hours to days in aerosols and on surfaces,” and that it has an incubation period of 2 to 14 days, which are both factors that increase the risk of spread and introduction into products.  The actual health risk is hard to calculate – FDA itself notes that there have not been documented transmissions through pharmaceuticals to date.  The regulatory risk, however, is an easier formula – FDA has a clear expectation that drug and biological product manufacturers evaluate the potential for COVID-19 contamination of their products under existing controls, or risk being out of compliance with cGMPs. Continue Reading Current Good Manufacturing Practices in the Time of COVID-19: FDA Announces New Expectations on Risk Assessment and Risk Management

The FDA has issued the Temporary Policy on Prescription Drug Marketing Act Requirements for Distribution of Drug Samples During the COVID-19 Public Health Emergency.  The Prescription Drug Marketing Act of 1987 (PDMA) describes manufacturers’ drug sample storage, handling, and recordkeeping obligations as well as the written request and receipt requirements for prescribers.

Many manufacturers utilize their field sales representatives to deliver drug samples directly to, and collect written receipts from, prescribers at prescriber offices during sales calls. The COVID-19 crisis has disrupted field sales representatives’ ability to have face to face visits with prescribers, preventing them from delivering samples and collecting required receipts.  In addition, as a result of the crisis, many prescribers are providing telehealth services from their homes, impacting prescribers’ ability to receive, store and distribute samples at their offices. Continue Reading FDA PDMA Guidance in Response to COVID-19 Pandemic