Federal Trade Commission

Data is king!  A robust privacy, security and data governance approach to data management can position an organization to avoid pitfalls and maximize value from its data strategy. In fact, some of the largest market cap firms have successfully harnessed the power of data for quite some time.  To illustrate this point, the Economist boldly published an article entitled “The world’s most valuable resource is no longer oil, but data.”  This makes complete sense when research shows that 90% of all data today was created in the last two years, which translates to approximately 2.5 quintillion bytes of data per day.

This same trend has taken hold in the healthcare industry as it seeks to rapidly digitize and learn from data in order to bend the cost curve down, increase quality of outcomes, and improve overall population health.  Specifically, there is certainly an ever-growing pool of health data being generated by providers, payors, life sciences companies, digital health companies, diagnostic companies, laboratories, and a cornucopia of other entities.  Recent estimates indicate that volume of healthcare data is growing rapidly as evidenced by 153 exabytes produced in 2013 and an estimated that 2,314 exabytes will be produced in 2020.  This translates to an overall rate of increase at least 48 percent annually.  But, to what end?

The rapid production and aggregation of data is being met with increasing demand to access and analyze this data for a variety of purposes.  Life sciences companies want access to conduct pre-market analysis, clinical trials and post-market surveillance.  Providers want access to conduct population health research.  AdTech and marketing companies want it to . . . you guessed it . . . sell more things.  These examples are just the tip of the proverbial iceberg when it comes to the secondary data analytics market.

Nevertheless, there are various issues that must be addressed before aggregating, sharing, and using such data.

First and foremost, identifiable health data is typically treated as a sensitive class of information warranting protection.  As such, entities should consider whether their intended activities must comply with applicable privacy and security regulations.  Depending on the data being collected, the use and disclosure of such data, and the jurisdictions within which data is stored and processed, entities may be subject a wide array of legal obligations, including one or more of the following:

  • Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)
  • the Common Rule
  • the EU General Data Protection Regulation (“GDPR”)
  • 42 C.F.R. Part 2
  • State data protection and breach laws and regulations
  • Food and Drug Administration (“FDA”) regulations; or
  • Federal Trade Commission (“FTC”) regulation.

Second, entities must consider contractual obligations, including property rights governing data collection, aggregation, use, and disclosure.  The contractual obligations that should be evaluated will depend largely on the nature of the data collected, contemplated uses and disclosures of such data and the applicable laws and regulations relative to such collection, use and disclosure.  Accordingly, entities should also consider the impact of upstream agreements and downstream agreements on rights to collect, use or disclosure data through the chain of custody.  Agreements that warrant considering may include:

  • Master Services Agreements
  • Data Use Agreements
  • Business Associate Agreements
  • Data Sharing Agreements
  • Confidentiality/Non-disclosure Agreements
  • Terms of Use/Privacy Policies (and other representations made to consumers).

Third, even if collection, aggregation and analysis is possible under law/regulation and contract, companies must still consider whether additional data governance principles should be implemented to guide responsible data stewardship.  It is critical to remember that businesses that mishandle personal data can lose the trust of customers and suffer irreparable reputational harm. To mitigate against such issues, entities should consider developing data governance principles guided by fair information practices including:  openness/transparency, collection limitation, data quality, purpose specification/use limitation, accountability, individual participation and data security.


Patricia M. Wagner


Alaap B. Shah

On October 26, 2018, the Federal Trade Commission (FTC) announced that it will hold four days of hearings between December of 2018 and February of 2019 to examine the FTC’s authority to deter unfair and deceptive conduct in data security and privacy matters.[1] The two days of December hearings will focus on data security, while the two days of February hearings will focus on consumer privacy. This announcement comes as part of the agencies Hearings on Competition and Consumer Protection in the 21st Century, an initiative that has already scheduled hearings on closely related topics such as Big Data, Privacy, and Competition, and Algorithms, Artificial Intelligence (AI), and Predictive Analytics. The FTC will seek comments on the privacy and data security hearings through March 13, 2019.

These hearings serve as a signpost of a long-standing movement within the FTC to establish itself as the governing body over consumer data privacy and data security in the United States.[2] [3] This move however runs counter to the power that Congress has afforded it throughout the years. In particular, some of the most powerful enforcement tools for data breaches, such as the Computer Fraud and Abuse Act (CFAA) have been created outside of the FTC’s toolbox of enforcement. There are many reasons for this, including that acts like the CFAA include both criminal provisions and private causes of action, but it also speaks to a wider question of industry specific agency enforcement of data protection and privacy. As every industry and sector of American life becomes more digitally data-centric, the question of which government agency or agencies are best suited to ensure that sector-specific data is private and secure becomes more pressing.

As Congress considers following the European Union in increasing data privacy and security laws, it will have essential decisions to make regarding which agency is in charge of citizen data. Should this data be regulated by sector? Or should this data be regulated by a central agency? From the actions of the FTC, it is clear that the agency sees itself as a large part of the solution.

____

[1] https://www.ftc.gov/news-events/press-releases/2018/10/ftc-announces-sessions-consumer-privacy-data-security-part-its?mkt_tok=eyJpIjoiTlRWalpqZzFOV0ptWVRobCIsInQiOiJFSTc1UkdqZ0YyUWpKZG1WK3Z3K0RjbHNhd3ZQXC9SemtGelkzeVp6bGZyaXpwSGVaUUEzUU96bUtIRlpWdThuWmhsbGdhNmszb1U0TDhaelVCRExuXC9ieDd6Zk9VUTdvT3lKemJYZzJwdnBmTnozSUNHd3F0OGxTQzJJY1VaaTU3In0%3D

[2] 83 FR 38307

[3] https://www.law360.com/articles/495364/ftc-head-wants-more-power-to-penalize-for-data-breaches

On October 2, 2018, FDA Commissioner Scott Gottlieb released a statement announcing new agency actions to further deter “gaming” of the generic drug approval process through the use of citizen petitions.  Among these actions, the most significant was the issuance of a revised draft guidance on citizen petitions subject to Section 505(q) of the Federal Food, Drug, and Cosmetic Act (“FDCA”), published on the same day.  The stated goal of this revision was to create a more efficient approach to 505(q) petitions and to allow the Agency to focus reviewer resources on scientific reviews.

For years, FDA has been addressing allegations that companies have been using the citizen petition process to delay competitor approval, thereby “gaming” the system, while also balancing the value of individuals exercising their First Amendment rights through the citizen petition process.  In 2007, Section 505(q) was added to the FDCA through the FDA Amendments Act (“FDAAA”).  This new statutory provision provided that FDA shall not delay the approval of a pending abbreviated new drug application (“ANDA”) or 505(b)(2) application as a result of a citizen petition (pursuant to 21 CFR 10.30) or a petition for stay of action (pursuant to 21 CFR 10.35), unless the Agency determines that a delay is necessary to protect public health.  Section 505(q) also requires FDA to take final agency action on a petition “not later than 150 days after the date on which the petition is submitted.”  In 2014, FDA issued a guidance document describing the Agency’s interpretation of Section 505(q) and the process by which it determines whether the section applies to a particular petition.

The revised draft guidance document that was released last week includes much of the same information contained in the 2014 guidance.  However, it also includes substantially more detail and clarification on how the Agency makes a determination that a petition would delay an ANDA or 505(b)(2) application.  For example, the revised guidance states that one criterion in finding a delay is that the ANDA or 505(b)(2) applicant has less than 150 days left on a pending review.  The draft guidance also explains that FDA will apply a “but for” test in evaluating whether a delay is caused, essentially asking, “Would the application be ready for approval but for the issues raised by the petition?”

The revised draft guidance also provides a number of factors that FDA will consider in making a determination that a petition was filed with the primary purpose of delaying approval.  These include factors such as whether the petition was submitted close in time to the expiration of a patent or exclusivity period, or whether the petition raises the same or substantially similar issues as a prior petition to which FDA has already responded.  FDA will also consider whether the petitioner took an unreasonable amount of time in filing the petition based on when the relevant information relied upon in the petition became known (or should have become known).  A full list of the factors can be found on page 16 of the guidance.

If FDA makes the determination that a petition has been submitted with the primary purpose of delaying an application, it will then decide whether the petition can be summarily denied pursuant to Section 505(q)(1)(E).  In addition, if the Agency makes such a determination, it intends to refer the matter to the Federal Trade Commission and notify Congress in its annual report. Such an FDA determination could potentially have serious consequences as it may support causes of action related to unfair competition under the Federal Trade Commission Act, Lanham Act, and various state laws, which can carry substantial penalties.

The state-action antitrust exemption grew out of the 1943 decision of Parker v. Brown, 317 U.S. 341 (1943), in which the Supreme Court explained that “nothing in the language of the Sherman Act or in its history suggests that its purpose was to restrain a state or its officers or agents from activities directed by its legislatures.”  And, relying on principles of federalism, the Supreme Court gave deference to the state as a sovereign body.

Subsequent decisions expanded the reach of state-action to state and local governmental agencies (including counties and municipalities), as well as private parties.  In California Retail Liquor Dealers Ass’n v. Midcal Aluminum, Inc., 445 U.S. 97 (1980), the Supreme Court held that the actions of state and local governmental agencies was exempt if they were undertaken pursuant to a clearly articulated state policy.  Also in Midcal, the Supreme Court ruled that private parties could take cover under this exemption if they acted pursuant to a clearly articulated state policy and were actively supervised.

However, the federal enforcement agencies have become increasingly frustrated with what, in their view, are the adverse competitive consequences of state-action, particularly as it relates to the health care industry. And, over the years they have actively pursued cases designed to shape and narrow this judicially created exemption.  For example, based on cases brought by the Federal Trade Commission, the Supreme Court clarified that only activity that is undertaken pursuant to a “clearly articulated and affirmatively expressed” state policy to displace competition, and is the “foreseeable result” of what the state authorized, can be covered by state-action, see FTC v. Phoebe Putney Health Sys., 568 U.S. 261 (2013), and, more recently, the Supreme Court agreed that even activities of a state agency (such as a state licensing board) must be actively supervised before state-action can apply if the agency is dominated by market participants, see N.C. State Bd. of Dental Exam’rs v. FTC, 135 S. Ct. 1101 (2015).

And the assault on state-action continues. Maureen K. Ohlhausen, the acting Chair of the Federal Trade Commission (until confirmation of Joseph Simon), in a recent speech given at the George Washington University Law School entitled Competition Policy at the FTC in the New Administration, indicated that the Commission will continue to “work to define and confine the anticompetitive effects that flow from state action.”  And earlier in November, the Federal Trade Commission and the Antitrust Division of the Department of Justice jointly filed an amicus brief in the United States Court of Appeals for the Ninth Circuit in the matter of Chamber of Commerce v. City of Seattle (Appeal No. 17-35640), seeking to convince the Court (in a case to which neither federal agency is a party) to apply an extremely narrow interpretation of conduct covered by a Seattle ordinance regulating the provision of taxi services.

The bottom line is that as a matter of stated policy, the federal antitrust enforcement agencies will continue their pursuit to limit application of the state-action exemption, and parties looking to rely on state-action to insulate their activity from antitrust challenge should take note. Attacks on other judicially created antitrust exemptions, and to the extent possible, Certificate of Need and Certificate of Public Advantage statutes, will also continue.

In an Advisory Opinion dated October 20, 2017, to Crouse Health Hospital (“Crouse Hospital”), the Federal Trade Commission (“FTC”) agreed that the Non-Profit Institutions Act (“NPIA”) would protect the sale of discounted drugs from Crouse Hospital to the employees, retirees, and their dependents of an affiliated medical practice (Crouse Medical Practice, PLLC) (“Medical Practice”) from antitrust liability under the Robinson-Patman Act.  Significantly, the FTC provided this advice despite the fact that the Medical Practice is a for-profit entity, and is not owned by Crouse Hospital.

The Robinson-Patman Act is primarily a consumer protection statute that prohibits, among other things, discrimination in the sale of like kind products, including pharmaceuticals, to different buyers.  As a result, and absent some exemption, the resale of discounted drugs purchased by a not-for-profit hospital to its patients would be subject to challenge.

The NPIA, however, exempts from the reach of the Robinson-Patman Act the sale of discounted drugs to “schools, colleges, universities, public libraries, churches, hospitals, and charitable institutions not operated for profit,” provided those drugs are purchased for that entity’s “own use”.  15 U.S.C.A. § 13(f). The Supreme Court, in Abbott Laboratories v. Portland Retail Druggists Ass’n, 425 U.S. 1 (1976), defined “own use” to mean “what reasonably may be regarded as use by the hospital in the sense that such use is a part of and promotes the hospital’s intended institutional operation in the care of persons who are its patients.”  Id. at 14.  The Supreme Court went on to conclude, among other things,  that the resale of discounted drugs to a hospital’s employees and their dependents would qualify as the hospital’s “own use.”  The FTC, in a number of prior Advisory Opinions, further extended the application of the NPIA to the sale of discounted drugs to employees of hospital affiliates, and other similar entities.  However, those entities were generally not-for-profit entities, likely eligible for protection under the NPIA on their own, and owned and/or controlled by the hospital.

The Advisory Opinion to Crouse Hospital is unique in that the Medical Practice is a for profit entity and clearly would not be eligible for protection on its own under the NPIA.  Furthermore, the Medical Practice is not directly owned by Crouse Hospital calling into question whether the resale could qualify as the hospital’s “own use” as required by the NPIA.

Despite these facts, the FTC concluded that NPIA should apply to the resale of discounted drugs to the employees, retirees, and their dependents of the Medical Group because: 1) Crouse Hospital was responsible for the formation of the Medical Practice and did so “to develop an integrated medical service system to encourage both organizations to work together to improve care and promote the charitable purposes of Course Hospital”; 2) Crouse Hospital, despite not owning the Medical Practice, still had ultimate decision-making control and authority over the Medical Practice; and, 3) all profits earned by the Medical Practice were assigned to Crouse Hospital.  Based on these factors, the FTC determined that “Crouse Medical Practice is an integral part of Crouse Hospital’s ability to fulfill its intended institutional function of providing care and promoting community health,” and, therefore, the resale was for Crouse Hospital’s own use.

Hospitals and health systems should take note that simply because an affiliate is a for profit entity does not automatically mean NPIA protection does not apply. A deeper look into the relationship between the hospital and affiliate, and consideration of the affiliate’s mission may support an extension of the NPIA.

Patricia M. WagnerPaul A. GomezWest Virginia recently took a bold step to set the stage to shield an in-state hospital merger from further antitrust scrutiny by the Federal Trade Commission (FTC).  Certain healthcare stakeholders are likely watching these developments with some excitement and with some thought toward pursing similar initiatives in their respective states.  Although this may have some positive effects for healthcare mergers (depending upon one’s point of view) it is not altogether clear that state review processes that might shield a merger from federal antitrust enforcement will necessarily be less burdensome to those who want to merge.

Governor Tomblin recently signed into law a West Virginia bill to create a state authority for approval of certain healthcare mergers and other collaborations that involve teaching hospitals.  The measure would also give the state authority power to approve certain treatment cost increases, among other things.  This measure appears to have been designed to shield a particular hospital merger in West Virginia from FTC antitrust scrutiny via the state action immunity doctrine, although it will have application to certain other hospital mergers involving a teaching hospital that may be forthcoming in the state.  The state action immunity doctrine requires that the state policy must be articulated clearly and that the state must actively supervise the policy.  On March 24, 2016 in response to a joint request from the West Virginia hospitals and the FTC staff, the Commission issued an order withdrawing the matter from adjudication for thirty days.  As stated in the order, the withdrawal was to allow “the Commission to review the legislation- and to hear from both Complaint Counsel and Respondents as to the relevance of the legislation” to the pending proceeding.  That delay order expires at midnight on April 25th.

Some observers, including a former director of the FTC Bureau of Competition, believe that the FTC will most likely abandon its current action to block the pending merger for now in light of this state law development, potentially opting to wait to observe whether the state actually does actively monitor the merger and its conditions with sufficient zest to continue to confer the protection of the state action immunity doctrine over the longer run.  The FTC may also opt to wait for now and observe whether any anti-competitive effects actually manifest as a result of the merger.

This instance of West Virginia acting to protect a particular merger may be somewhat unique, with the state attorney general having already approved the merger with certain protective conditions, but the FTC electing to challenge it nonetheless.  However, some other states have also taken similar steps to potentially construct a shield against federal scrutiny of hospital or other healthcare provider mergers through the state action immunity doctrine.  And in at least some cases, it may not be clear that the state approval process for such mergers will generally be less onerous or more desirable than potential antitrust scrutiny from either the FTC or the U.S. Department of Justice.  For example, often in order to be granted such protection, the parties must submit extensive materials to the state demonstrating plans for improving access to care, quality of care, addressing patients’ needs, and lowering costs of care (and the benefit of that lower cost of care will passed on to patients).   In addition, the state maintains review authority over the parties, so that the parties must continue to report on their ability to meet the goals and benchmarks described.  The state retains the ability to revoke approval of the transaction if the parties fail to meet the commitments made as part of the approval process.

For those who may be considering pursuit of a state approval process for healthcare mergers as a potentially “better” alternative to federal antitrust scrutiny, one should also consider the political climate of the state and to what degree state politicians and regulators consider encouragement of mergers and acquisitions to be needed for better access and better integrated healthcare.  The prevailing wisdom in one state with a large rural population and a scarcity of healthcare providers may be significantly different than one with several major metropolitan areas and/or a large suburban population with multiple healthcare providers.  In sum, those who may be considering pursuit of similar measures as those enacted in West Virginia and certain other states should carefully assess political, economic and healthcare climate and market conditions of the state that they are in before investing heavily in such an endeavor.  One size does not necessarily fit all when it comes to potential use of the state action immunity doctrine.

M. Brian Hall, IV

Daniel C. Fundakowski

On October 26, 2015, the Federal Trade Commission (“FTC”) and the Antitrust Division of the U.S. Department of Justice (“DOJ”) (collectively the “Agencies”) issued a joint statement to the Virginia Certificate of Public Need (“COPN”) Work Group encouraging the Work Group and the Virginia General Assembly to repeal or restrict the state’s certificate of need process.  The Virginia COPN Work Group was tasked by the Virginia General Assembly to review the current COPN process and recommend any changes that should be made to it.

Thirty-six states currently maintain some form of certificate of need (“CON”) program.  Although there are variations in the programs, in general, new entrants and incumbent providers are required to obtain state-issued approval before constructing new facilities, or in some cases prior to offering certain health care services, or making major capital expenditures—such as expanding the number of beds in a hospital or investing in robotic surgery equipment.

In their statement, the Agencies outlined their concerns that state certificate of need (“CON”) laws fail to achieve their original conceived goals of improving access to care and reducing health care costs.  Instead, the Agencies remarked that programs like the Virginia COPN process “prevent the efficient functioning of health care markets” in numerous ways:

  • By creating barriers to entry and expansion, limiting consumer choice, and stifling innovation;
  • By allowing incumbent firms to use CON laws to thwart or delay market entry by new competitors;
  • By denying consumers of an effective remedy following the consummation of an anticompetitive merger (specifically referencing the FTC v. Phoebe Putney case, which we previously reported on here); and
  • By failing to assist states in controlling health care costs or improving care quality (based on studies referenced by the Agencies).

For these reasons, the Agencies have historically taken the position that state CON laws should be repealed or limited.

In a concurring statement, FTC Commissioner Julie Brill agreed that the FTC was capable to advise the Virginia COPN Work Group about the impact of CON laws on competition. But Commissioner Brill took exception to the FTC’s comments concerning non-competition-related public policy goals, noting that the FTC lacks evidence of the impact of repealing CON laws.

The Virginia COPN Work Group issued its final report to the General Assembly in December 2015, recommending several changes to the COPN requirement but stopping short of recommending that Virginia repeal it.  The Work Group noted that the program currently lacks a statement of purpose and urged the General Assembly to draft one.  In addition, the Work Group suggested several steps to make the current application submission and review process more efficient and streamlined, including adopting a 45-day expedited review process for projects that are non-contested and raise few health planning concerns. The Work Group also suggested making the COPN program more transparent, including improved online access to COPN filings and other related documents.

On January 11, 2016, the Agencies submitted a similar joint statement, upon the request of South Carolina Governor Nikki Haley, regarding the competitive implications of CON laws and South Carolina House Bill 3250—a bipartisan bill that ultimately would repeal South Carolina’s CON program effective January 1, 2018.  While the Agencies observed certain flaws in the legislation, they expressed broad support for the proposed repeal of South Carolina’s CON program.  FTC Commissioner Brill also issued a dissenting statement, noting in large part the commendable non-competition policy goals advanced by CON programs.

Virginia’s COPN law also survived a recent constitutional challenge in the U.S. Court of Appeals for the Fourth Circuit.  In the case, Colon Health Centers v. Hazel, No. 14-2283 (4th Cir. Jan. 21, 2015), two providers of medical imaging services alleged that Virginia’s COPN law violated the dormant aspect of the Commerce Clause.  The Fourth Circuit affirmed the district court’s holding that the COPN requirement neither discriminated against nor placed an undue burden on out-of-state health care providers (and granting summary judgment to the Commonwealth).  This recent Fourth Circuit precedent may decrease the likelihood of the Agencies formally challenging Virginia’s COPN program following their joint statement encouraging that it be repealed.

At the International Association of Privacy Professionals (“IAPP”) Global Privacy Summit in Washington, D.C. on March 5th and March 6th, the Federal Trade Commission (“FTC”) was clear in its message that privacy was a top priority for the agency.  The FTC had a strong presence at the conference.  Three of the five Commissioners and the Director of the Bureau of Consumer Protection (Jessica Rich) all spoke at the conference and relayed a message of the importance of consumer privacy and security.  In that regard, the FTC speakers stressed the importance of:

  • informing consumers of the collection of consumer information;
  • informing consumers how such collected information will be used; and
  • providing strong safeguards for information collected.

The FTC speakers also announced that the FTC will be beginning a new security campaign to engage businesses of all sizes in understanding the importance of securing consumer information.  The FTC speakers also emphasized the FTC’s concern and focus on the collection of health information by organizations that are not covered under HIPAA (for example organizations developing wearable devices or other consumer driven apps).  Given the tenor of the discussions, there is no question that FTC will continue to make privacy enforcement a top priority.  As a result, device manufacturers, pharmaceutical manufacturers, and mobile health developers should remember to think beyond HIPAA when they think of U.S. privacy compliance.  For a listing of prior privacy enforcement actions by the FTC see, https://www.ftc.gov/news-events/media-resources/protecting-consumer-privacy/enforcing-privacy-promises.

At the International Association of Privacy Professionals (“IAPP”) Global Privacy Summit in Washington, D.C. on March 5th and March 6th, the Federal Trade Commission (“FTC”) was clear in its message that privacy was a top priority for the agency.  The FTC had a strong presence at the conference.  Three of the five Commissioners and the Director of the Bureau of Consumer Protection (Jessica Rich) all spoke at the conference and relayed a message of the importance of consumer privacy and security.  In that regard, the FTC speakers stressed the importance of:

  • informing consumers of the collection of consumer information;
  • informing consumers how such collected information will be used; and
  • providing strong safeguards for information collected.

The FTC speakers also announced that the FTC will be beginning a new security campaign to engage businesses of all sizes in understanding the importance of securing consumer information.  The FTC speakers also emphasized the FTC’s concern and focus on the collection of health information by organizations that are not covered under HIPAA (for example organizations developing wearable devices or other consumer driven apps).  Given the tenor of the discussions, there is no question that FTC will continue to make privacy enforcement a top priority.  As a result, device manufacturers, pharmaceutical manufacturers, and mobile health developers should remember to think beyond HIPAA when they think of U.S. privacy compliance.  For a listing of prior privacy enforcement actions by the FTC see, https://www.ftc.gov/news-events/media-resources/protecting-consumer-privacy/enforcing-privacy-promises.