Breach Notification Rules under Health Insurance Portability and Accountability Act (HIPAA) Omnibus Rule

Drinker Biddle

This is the fourth in our series of bulletins on the Department of Health and Human Services’ (HHS) HIPAA Omnibus Final Rule. In our bulletins issued on February 28, 2013 and March 18, 2013, available here, we described the major provisions of this rule and explained how the provisions of the rule that strengthen the privacy and security of protected health information (PHI) impact employer sponsored group health plans, which are covered entities under the HIPAA privacy rules. In our bulletin issued on April 4, 2013, available here, we focused on changes that will need to be made to business associate agreements under the Omnibus Final Rule. In this bulletin, we discuss the modifications to the breach notification rules made by the Omnibus Final Rule and provide health plan sponsors with information regarding the actions they must take to meet their breach notification obligations in the event of a breach of unsecured PHI.

Key Considerations for Health Plan Sponsors

  • Health plan sponsors must be able to identify when a breach occurs and when breach notification is required.
  • Health plan sponsors should review their procedures for evaluating potential breaches and should revise those procedures to incorporate the new “risk assessment” required under the Omnibus Final Rule.
  • Health plan sponsors should review their procedures for notifying individuals, HHS, and the media (to the extent required) when a breach of unsecured PHI occurs.
  • Health plan sponsors should make training workforce members about the breach notification rules a priority. Workforce members should be prepared to respond to breaches and potential breaches of unsecured PHI. A breach is treated as discovered by the covered entity on the first day the breach is known to the covered entity, or would have been known to it by exercising reasonable diligence. This standard is met if even one workforce member knows of the breach or would know of it by exercising reasonable diligence, even if the breach is not immediately reported to the privacy officer. Discovery of the breach starts the clock on the notification obligation and deadlines, which are described below.
  • Health plan sponsors should review each existing business associate agreement to make sure that responsibility for breach notification is allocated between the business associate and the health plan in a manner that is appropriate based on the business associate’s role with respect to PHI and the plan sponsor’s preferences for communicating with employees.

Health plan sponsors will want to review and revise, as necessary, the following to comply with the new rules described below:

Compliance Checklist

  • Business Associate Relationships and Agreements
  • Policies and Procedures
  • Security Assessment and Breach Notification Plan
  • Risk Analysis — Security
  • Plan Document and SPD
  • Notice of Privacy Practices
  • Individual Authorization for Use and Disclosure of PHI
  • Workforce Training

What is a Breach?

Background

In general terms, a breach is any improper use or disclosure of PHI. While HIPAA requires mitigation of any harmful effects resulting from an improper use or disclosure of PHI, the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 added a notification requirement. HITECH requires covered entities to notify affected individuals, HHS and, in some cases, the media following a breach of unsecured PHI. HITECH defined “breach” as an acquisition, access, use, or disclosure of an individual’s PHI in violation of the HIPAA privacy rules, to the extent that the acquisition, access, use or disclosure compromised the security or privacy of the PHI. The HHS interim final regulations further specified that PHI was compromised if the improper use or disclosure posed a significant risk of financial, reputational, or other harm. The interim final regulations also contained four exceptions to the definition of breach, adding a regulatory exception to the three statutory exceptions.

General Definition of Breach under the Omnibus Final Rule

Under the Omnibus Final Rule, “breach” continues to be defined as an acquisition, access, use, or disclosure of PHI that both violates the HIPAA privacy rules and compromises the security or privacy of the PHI. However, the Omnibus Final Rule modifies the interim final regulations in two important ways:

  • The interim final regulatory exception for an unauthorized acquisition, access, use, or disclosure of PHI contained in a limited data set from which birth dates and zip codes have been removed is eliminated.
  • The risk of harm standard is eliminated and replaced with a presumption that any acquisition, access, use, or disclosure of PHI in violation of the HIPAA privacy rules constitutes a breach. However, a covered entity (such as a health plan) can overcome this presumption if it concludes following a risk assessment that there was a low risk that PHI was compromised (see “Presumption that a Breach Occurred” below).

Statutory Exceptions to “Breach”

HITECH provided three statutory exceptions to the definition of breach that are also set forth in the Omnibus Final Rule. If an improper acquisition, access, use, or disclosure of PHI falls within one of the following three exceptions, there is no breach of PHI:

  • The acquisition, access, or use is unintentional and is made in good faith by a person acting under a covered entity’s (or business associate’s) authority, as long as the person was acting within the scope of his or her authority and the acquisition, access, or use does not result in a further impermissible use or disclosure of the PHI.
  • The disclosure of PHI is inadvertent and is made by a person who is authorized to access PHI at a covered entity (or business associate), as long as the disclosure was made to another person within the same covered entity (or business associate) who is also authorized to access PHI, and there is no further impermissible use or disclosure of the PHI.
  • The disclosure of PHI is to an unauthorized person, but the covered entity (or business associate) has a good faith belief that the unauthorized person would not reasonably have been able to retain the PHI.

The interim final regulations added a fourth exception for impermissible uses or disclosures of PHI involving only PHI in a limited data set, which is PHI from which certain identifiers are removed, provided birth dates and zip codes are also removed. The Omnibus Final Rule eliminates this exception so an impermissible use or disclosure of PHI in a limited data set will be presumed to be a breach of PHI as described below.

Presumption that a Breach Occurred

Under the Omnibus Final Rule, a breach is presumed to have occurred any time there is an acquisition, access, use, or disclosure of PHI that violates the HIPAA privacy rules (subject to the statutory exceptions outlined above).

However, a covered entity may overcome this presumption by performing a risk assessment to demonstrate that there is a low probability that the PHI has been compromised. If the covered entity chooses to conduct a risk assessment, the assessment must take into account at least the following four factors:

  • The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
  • The unauthorized person who used the PHI or to whom the disclosure was made.
  • Whether the PHI was actually acquired or viewed.
  • The extent to which the risk to the PHI has been mitigated.

The covered entity may consider additional factors as appropriate, depending on the facts and circumstances surrounding the improper use or disclosure. After performing its risk assessment, if the covered entity determines that there is a low probability that the PHI has been compromised, there is no breach and notice is not required. If the covered entity cannot reach this conclusion and if no statutory exception applies, then the covered entity must conclude that a breach has occurred.

The Omnibus Final Rule also makes clear that a covered entity may decide not to conduct a risk assessment and may instead treat every impermissible acquisition, access, use, or disclosure of PHI as a breach.

Drinker Biddle Note: Covered entities have the burden of proof to demonstrate either that an impermissible acquisition, access, use, or disclosure of PHI did not constitute a breach, or that all required notifications (as discussed below) were provided. Covered entities should review and update their internal HIPAA privacy and security policies to include procedures for performing risk assessments, as well as procedures for documenting all risk assessments and determinations regarding whether a breach has occurred and whether notification is required.

Providing Breach Notification

Covered entities are required to notify all affected individuals when a breach of unsecured PHI is discovered (unless an exception applies or it is demonstrated through a risk assessment that there is a low probability that the PHI has been or will be compromised). Notification to HHS is also required, but the time limits for providing this notification vary depending on the number of individuals affected by the breach. In addition, covered entities may be required to report the breach to local media outlets. The Omnibus Final Rule describes in detail the specific content that is required to be included in notifications to affected individuals, HHS, and the media.

Drinker Biddle Note: Although the Omnibus Final Rule defines when a “breach” has occurred, notification is required only when the breach involves unsecured PHI. PHI is considered “unsecured” when it has not been rendered unusable, unreadable, or indecipherable to unauthorized persons. HHS has issued extensive guidance on steps that can be taken to render PHI unusable, unreadable, and indecipherable.

Notification to Affected Individuals

Covered entities must notify affected individuals in writing without unreasonable delay, but in no event later than 60 calendar days, after discovery of a breach of unsecured PHI. The notice may be sent by mail or email (if the affected individual has consented to receive notices electronically). The Omnibus Final Rule also provides additional delivery methods that apply when an affected individual is deceased, and when a covered entity does not have up-to-date contact information for an affected individual.

Drinker Biddle Note: Again, a breach is deemed discovered on the first day such breach is known or by exercising reasonable diligence would have been known by any person who is a workforce member or agent of a covered entity or business associate.

Drinker Biddle Note: Please note that 60 days is an outer limit for providing the notice and is not a safe harbor. The operative standard is that the notice must be provided without unreasonable delay. Thus, based on the circumstances, a notice may be unreasonably delayed even though provided within the 60-day period.

Notification to HHS

Covered entities must notify HHS of breaches of unsecured PHI by electronically submitting a breach report form through the HHS website. If a breach of unsecured PHI affects 500 or more individuals, HHS must be notified at the same time that notice is provided to the affected individuals. For breaches of unsecured PHI that affect fewer than 500 individuals, the covered entity may keep a log of all such breaches that occur in a given year and submit a breach report form through the HHS website on an annual basis, but not later than 60 days after the end of each calendar year.

Notification to the Media

When there is a breach of unsecured PHI involving more than 500 residents of a state or jurisdiction, a covered entity must notify prominent media outlets serving the state or jurisdiction. This media notification must be provided without unreasonable delay, and in no case later than 60 days after the breach is discovered.

State Law Requirements

Separate breach notification requirements may apply to a covered entity under state law. HIPAA’s breach notification laws preempt “contrary” state laws. “Contrary” in this context generally means that it is impossible to comply with both federal and state laws. As state breach notification laws are not typically contrary to the HIPAA breach notification rules, covered entities may have to comply with both laws.

Drinker Biddle Note: Covered entities should review applicable state breach notification laws and consider to what extent those laws should be incorporated into their HIPAA privacy policies and procedures.

Implications for Business Associate Agreements

If a covered entity’s business associate discovers that a breach of unsecured PHI has occurred, the Omnibus Final Rule requires the business associate to notify the covered entity without unreasonable delay, but in no event later than 60 days following the discovery of the breach. The notice must include, to the extent possible, the identification of each affected individual as well as any other information the covered entity is required to provide in its notice to individuals.

Although a covered entity is ultimately responsible for notifying affected individuals, HHS and the media (as applicable) when a breach of unsecured PHI occurs, the covered entity may want to delegate some or all of the notification responsibilities to its business associate. If a covered entity and its business associate agree that the business associate will be responsible for certain breach notification obligations, the scope of the arrangement should be clearly memorialized in the business associate agreement. In negotiating its business associate agreements, a covered entity should consider provisions such as:

  • Which party determines whether a breach occurred?
  • Who is responsible for sending required notices, and the related cost?
  • Indemnification in the event a business associate incorrectly determines that a breach did not occur, or a business associate otherwise fails to act appropriately.

Drinker Biddle Note: Covered entities that choose to delegate breach notification responsibilities to business associates should pay close attention to how such delegation provisions are drafted to minimize the possibility that the business associate will be considered an “agent” of the covered entity. Under the Omnibus Final Rule, when a business associate acts as an agent of the covered entity, the business associate’s discovery of a breach is imputed to the covered entity, and, therefore, a covered entity could be liable for civil monetary penalties related to the business associate’s act or omission. More information about issues related to drafting business associate agreements can be found in our bulletin issued on April 4, 2013, available here.
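The deadlines, thresholds and discovery rules described in the notification sections above and in the business-associate note, as an added example that is not part of the bulletin: a small Python planner that turns a discovery date and per-state counts of affected individuals into the notices owed and their outer-limit dates. The incident figures, state codes and flag names are constructed for illustration.

```python
"""Breach-notification deadline planner (added example; not from the bulletin).

Encodes the obligations the bulletin describes for a breach of unsecured PHI:
  * individuals: without unreasonable delay, no later than 60 calendar days
    after discovery;
  * HHS: together with the individual notices when 500 or more people are
    affected, otherwise logged and reported within 60 days after year end;
  * media: when more than 500 residents of one state or jurisdiction are
    affected, no later than 60 days after discovery.
Every 60-day date below is an outer limit, not a safe harbor.
"""
from dataclasses import dataclass
from datetime import date, timedelta

OUTER_LIMIT = timedelta(days=60)
HHS_CONTEMPORANEOUS_THRESHOLD = 500   # "500 or more" individuals
MEDIA_THRESHOLD = 500                 # "more than 500" residents of one state


@dataclass
class Incident:
    discovered: date                   # first day any workforce member knew or should have known
    affected_by_state: dict            # constructed counts, e.g. {"OR": 2900, "WA": 150}
    unsecured: bool = True             # False only if PHI was rendered unusable per HHS guidance
    low_probability_documented: bool = False   # outcome of the documented four-factor assessment

    @property
    def total_affected(self) -> int:
        return sum(self.affected_by_state.values())


@dataclass
class Obligation:
    recipient: str
    due: date
    basis: str


def annual_log_deadline(discovered: date) -> date:
    """Small-breach log is due to HHS no later than 60 days after the calendar year ends."""
    return date(discovered.year, 12, 31) + OUTER_LIMIT


def covered_entity_discovery(ba_discovered: date, ba_notified: date, ba_is_agent: bool) -> date:
    """When the business associate is the covered entity's agent, its discovery is imputed
    to the covered entity; otherwise the covered entity's clock starts when it is told."""
    return ba_discovered if ba_is_agent else ba_notified


def notification_plan(inc: Incident) -> list:
    """Return the notices the covered entity owes, each with its outer-limit deadline."""
    if not inc.unsecured:
        return []   # secured PHI: the notification rules do not apply
    if inc.low_probability_documented:
        return []   # presumption of breach rebutted; retain the written risk assessment
    outer = inc.discovered + OUTER_LIMIT
    plan = [Obligation("individuals", outer, "no later than 60 days after discovery")]
    if inc.total_affected >= HHS_CONTEMPORANEOUS_THRESHOLD:
        plan.append(Obligation("HHS", outer, "500 or more affected: notify HHS with individuals"))
    else:
        plan.append(Obligation("HHS", annual_log_deadline(inc.discovered),
                               "fewer than 500 affected: annual log, 60 days after year end"))
    for state, count in sorted(inc.affected_by_state.items()):
        if count > MEDIA_THRESHOLD:
            plan.append(Obligation(f"media:{state}", outer,
                                   f"{count} residents of {state}: notify prominent media outlets"))
    return plan


def plan_summary(discovered_iso: str, affected_by_state: dict, **flags) -> list:
    """Convenience wrapper: ISO date in, list of (recipient, ISO due date) out."""
    inc = Incident(date.fromisoformat(discovered_iso), affected_by_state, **flags)
    return [(o.recipient, o.due.isoformat()) for o in notification_plan(inc)]


if __name__ == "__main__":
    # Constructed incident, not a real report: a business associate acting as the
    # plan's agent found the breach on 2013-05-06 and reported it on 2013-05-20;
    # 2,900 Oregon and 150 Washington residents are affected.
    discovered = covered_entity_discovery(date(2013, 5, 6), date(2013, 5, 20), ba_is_agent=True)
    for recipient, due in plan_summary(discovered.isoformat(), {"OR": 2900, "WA": 150}):
        print(f"{recipient:14s} due no later than {due}")
```

Because the business associate is an agent, the plan's clock starts on 2013-05-06 rather than on the report date, so the individual, HHS and Oregon media notices are all due by 2013-07-05.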

Compliance Deadline

Group health plans have until September 23, 2013 to comply with the new requirements of the Omnibus Final Rule. During the period before compliance is required, group health plans are still required to comply with the breach notification requirements of the HITECH Act and the interim final regulations.

Of course, the best course of action is to maintain adequate safeguards to prevent any breach. A recent settlement of HIPAA violations resulting in a $1.7 million payment to HHS is discussed in a separate publication, available here.


Will Obesity Claims Be the Next Wave of Americans with Disabilities Act (ADA) Litigation?

Poyner Spruill

In a new federal lawsuit in the U.S. District Court for the Eastern District of Missouri, Whittaker v. America’s Car-Mart, Inc., the plaintiff is alleging his former employer violated the Americans with Disabilities Act (ADA) when it fired him for being obese. Plaintiff Joseph Whittaker claims the company, a car dealership chain, fired him from his job as a general manager last November after seven years of employment even though he was able to perform all essential functions of his job, with or without accommodations. He alleges “severe obesity … is a physical impairment within the meaning of the ADA,” and that the company regarded him as being substantially limited in the major life activity of walking.

The EEOC has also alleged morbid obesity is a disability protected under the ADA.  In a 2011 lawsuit filed on behalf of Ronald Katz, II against BAE Systems Tactical Vehicle Systems, LP (BAE Systems), the EEOC alleged the company regarded Mr. Katz as disabled because of his size and terminated Katz because he weighed over 600 lbs.  The suit alleged Mr. Katz was able to perform the essential functions of his job and had received good performance reviews.  The case was settled after BAE Systems agreed to pay $55,000 to Mr. Katz, provide him six months of outplacement services, and train its managers and human resources professionals on the ADA.  In a press release announcing the settlement, the EEOC said, “the law protects morbidly obese employees and applicants from being subjected to discrimination because of their obesity.”

Similarly, in 2010, the EEOC sued Resources for Human Development, Inc. (RHD) in the U.S. District Court for the Eastern District of Louisiana, for firing an employee because of her obesity in violation of the ADA. According to the suit, RHD fired Harrison in September of 2007 because of her severe obesity.  The EEOC alleged that, as a result of her obesity, RHD perceived Harrison as being substantially limited in a number of major life activities, including walking.  Ms. Harrison died of complications related to her morbid obesity before the case could proceed.

RHD moved for summary judgment, arguing obesity is not an impairment.  The court, having reviewed the EEOC’s Interpretive Guidance on obesity, ruled severe obesity (body weight more than 100% over normal) is an impairment.  The court held that if a plaintiff is severely obese, there is no requirement that the obesity be caused by some underlying physiological impairment to qualify as a disability under the ADA.  The parties settled the case before trial for $125,000, which was paid to Ms. Harrison’s estate.

In June 2013, the American Medical Association (AMA) declared that obesity is a disease.  Although the AMA’s decision does not, by itself, create any new legal claims for obese employees or applicants under the ADA, potential plaintiffs are likely to cite the new definition in support of ADA claims they bring.  In light of these recent developments, obesity related ADA claims will likely become more common.


Centers for Medicare and Medicaid Services (CMS) Issues Revised Process for Making National Coverage Determinations

von Briesen

Yesterday, the U.S. Department of Health and Human Services Centers for Medicare and Medicaid Services (CMS) published its revised process for external requests and internal reviews for new national coverage determinations (NCDs) or for reconsideration of existing NCDs.  Today’s guidance supersedes CMS’s previous process issued in 2003.

Prior to formally requesting an NCD or reconsideration, CMS encourages requesters to contact CMS staff in the Coverage and Analysis Group (CAG).  The CAG staff may identify additional needed information and supporting documentation.  The requester may also find that a formal request is not needed.  For example, CAG staff could determine that coverage of the item or service is already available or that the item or service falls outside the scope of an NCD.

If the requester decides to move forward with requesting an NCD review, the requester must provide the following, which would constitute a “complete, formal request”:

  1. A final letter of request that is clearly identified as “A Formal Request for A National Coverage Determination.”
  2. A full and complete description of the item or service in the request.
  3. The scientific evidence supporting the clinical indications for the item or service, including the proposed use of the item or service, the target Medicare population, the medical indication(s) for which the item or service can be used, and whether the item or service is used by health care providers or beneficiaries.
  4. The Medicare Part A or B benefit category or categories in which the item or service falls.
  5. Additional information if the item or service is currently under FDA review.

Once CMS receives the complete formal request, it will add the request to its tracking sheet on the CMS website and permit public comments on the request. CMS will also initiate a formal evidence review and will generally issue a proposed decision within six months of opening the NCD review. CMS will accept public comments for 30 days after issuing the proposed decision. CMS will then issue a final NCD within 60 days of the end of the public comment period. These timeframes could be extended, however, if CMS commissions a third party technology assessment, convenes the Medicare Evidence Development and Coverage Advisory Committee, or requests a clinical trial.

Today’s guidance also provides the process for requesting reconsideration of an NCD.  The reconsideration must be in writing and clearly identified.  The requester must also provide documentation meeting one of the following:

  1. Additional scientific evidence not considered at the most recent review and a “sound premise” that the evidence may change the NCD decision.
  2. Arguments that CMS’s conclusion materially misinterpreted the existing evidence at the time the NCD was decided.

CMS will generally accept or reject an external NCD reconsideration request within 60 days of receiving the request.

In certain circumstances, CMS may internally initiate review of an NCD. CMS will also periodically review NCDs that have not been reviewed in the past 10 years. CMS will publish a list of NCDs proposed for removal, with the rationale for removal, and provide a 30-day public comment period. CMS anticipates that this process will reduce the timeframe for removal or amendment of an NCD. Currently, removal or amendment takes 9 to 12 months.

For more information, please see the guidance at this link.


Health Care Reform Update – Week of August 5th, 2013


Leading the News

Office of Personnel Management Addresses Premiums for Congressional Staffers On August 1st, the U.S. Office of Personnel Management (OPM) announced it will release proposed regulations within the next week to allow the federal government to contribute to the health care premiums of members of Congress and their staffs. Earlier in the week, President Obama said he was working with Congress to address the issue, which had prompted concerns about a brain drain from Capitol Hill. Senator Tom Coburn (R-OK) said he intended to place a hold on Katherine Archuleta, the nominee to be the chief at OPM, until the issue was resolved.

House Energy and Commerce Committee Unanimously Approves SGR Bill On July 31st, by a unanimous 51-0 vote, the House Energy and Commerce Committee passed legislation that would repeal the sustainable growth rate (SGR) Medicare physician payment method and shift payment to quality-based measures.

Implementation of the Affordable Care Act

On July 29th, CMS issued a release that indicates the ACA and its gradual closure of the donut hole coverage gap has saved 6.6 million Americans over $7 million, an average savings of $1,061 per beneficiary.

On July 29th, the White House issued a blog post noting nationwide health care costs grew just 1.1% from May 2012 – May 2013. The 1.1% growth is the slowest in 50 years.

On July 30th, House Republicans released a playbook for the August recess that encourages members to hold “emergency town halls” in response to ACA implementation.

On July 30th, the CMS released an application that allows organizations to become “Champions for Coverage” under the ACA.

On July 30th, CMS released an application for community health centers and other health providers that want to become certified application counselor organizations and help people searching for insurance coverage on the ACA exchanges.

On July 30th, the Congressional Budget Office (CBO) and the Joint Committee on Taxation (JCT) issued an estimate that the employer mandate delay of the ACA will cost about $12 billion.

On July 31st, HHS issued a request for information from stakeholders regarding section 1557 of the ACA, which prohibits discrimination based on race, color, national origin, sex, age, or disability in health care programs.

On July 31st, the Kaiser Family Foundation (KFF) released a report and interactive map on how insurance coverage would be expanded as a result of the ACA.

On July 31st, House Speaker John Boehner (R-OH) said he is still unsure if House Republicans will use the threat of a government shutdown in an effort to defund the ACA.

On July 30th, EHealthInsurance reached a deal to sell its products on the ACA insurance exchanges. EHealth CEO Gary Lauer says his company’s involvement on the exchanges will lead to increased enrollment and improved competition in the insurance marketplace.

On August 1st, California announced six insurers that will offer coverage on the state’s Small Business Health Options Program (SHOP). A summary of the Covered California plan indicates the premium prices and coverage options for hypothetical business operations.

On August 1st, 38 Republican Senators sent a letter to White House Counsel Kathryn Ruemmler with a request for information on the government agencies involved in ACA implementation.

On August 1st, the House Ways and Means Committee held a hearing on the role of the IRS in ACA implementation. Gary Cohen of the CMS Center for Consumer Information and Insurance Oversight (CCIIO) and Daniel Werfel of the IRS testified before the committee.

On August 1st, the House Energy and Commerce Committee conducted a hearing with CMS Administrator Marilyn Tavenner to discuss the current state of ACA implementation.

On August 2nd, the House voted, 232-185, to prohibit the IRS from being involved in enforcement of the ACA. The vote was the 40th time the House has attempted to repeal components of the ACA.

Other HHS and Federal Regulatory Initiatives

On July 30th, the Department of Justice (DOJ) announced Wyeth Pharmaceuticals agreed to pay over $490 million to resolve criminal and liability issues arising from the company’s unlawful marketing of Rapamune, a drug only approved by the Food and Drug Administration (FDA) for kidney transplants.

On July 31st, CMS issued final payment rules to increase payments to skilled nursing facilities by 1.3%, at a cost of $470 million, and increase payments to inpatient rehabilitation facilities by 2.3%, a $170 million cost.

On August 1st, the FDA released 2014 user fee rates for biosimilars, brand name prescription drugs, generic prescription drugs, and medical devices.

On August 2nd, the FDA issued a rule addressing ‘gluten-free’ food labeling. The rule states foods that claim to be gluten-free but contain more than 20 parts per million of gluten will be considered misbranded products.

On August 2nd, CMS released a final rule relating to payments for acute care and long-term care hospitals in 2014. The rule increases payment to the nation’s 3,400 acute care hospitals by $1.2 billion. Payment to 440 long-term care facilities is set to increase $72 million.

Other Congressional and State Initiatives

On July 31st, Rep. Daniel Lipinski (D-IL) introduced legislation to require hospitals to publicly disclose the prices charged for the most common medical procedures.

On August 1st, Democratic Senators sent a letter to President Obama urging the White House to establish set targets for Medicare and Medicaid cost savings.

On August 1st, Senators Mark Warner (D-VA) and Johnny Isakson (R-GA) introduced The Care Planning Act of 2013, a bill to improve palliative care and provide seriously ill patients with greater control of their own care.

On August 2nd, Michigan and Illinois announced a partnership to share Medicaid information systems, a plan expected to save millions of dollars for both states.

On August 2nd, Senators Mike Crapo (R-ID), Ben Cardin (D-MD), and Angus King (I-ME) introduced a bill, S. 1422, to require the CBO to more completely address the cost-savings of preventive healthcare.

Other Health Care News

On July 29th, doctors from the National Cancer Institute published a report suggesting the word ‘cancer’ is overused. The report argues the overuse of the term leads to unnecessary and potentially harmful treatment in many patients.

On July 29th, Gallup released a poll indicating Americans have exercised less each month in 2013 than during the same months in 2012. About half of Americans say they exercise at least 30 minutes three or more days each week.

On August 2nd, the Institute of Medicine released a report on the efforts needed to tackle obesity in the United States.

Hearings and Mark-Ups Scheduled

The Senate and the House of Representatives are in recess until the week of September 9th.

David Shirbroun also contributed to this article.


Recent Data Breach Reports: And the Hits Keep on Coming….


The “hits” to databases, in any event. Here is a rundown of some of the most recent data breach reports:

Oregon Health & Science University Data Breach Compromises 3,000 Patients’ Records in the Cloud.

Modern Healthcare (subscription may be required) reports that the Oregon Health & Science University announced it is “notifying more than 3,000 of its patients of a breach of their personally identifiable information after their data were placed by OHSU resident physicians on a pair of Google’s cloud-based information-sharing services.” The data breach, which involves “patients’ names, medical record numbers, dates of service, ages, diagnoses and prognoses and their providers’ names” posted to Gmail or Google Drive, was discovered in May by an OHSU faculty member. According to Healthcare IT News, this is OHSU’s “fourth big HIPAA breach since 2009 and third big breach just in the past two years, according to data from the Department of Health and Human Services.”

Citigroup Reports Breach of Personal Data in Unredacted Court Filings; Settles with Justice Department

American Banker reports that Citigroup recently admitted having failed to safeguard the personal data (including birthdates and Social Security numbers) of approximately 146,000 customers who filed for bankruptcy between 2007 and 2011. Citi apparently failed to fully redact court records placed on the Public Access to Court Electronic Records (PACER) system. “The redaction issues primarily resulted from a limitation in the technology Citi had used to redact personally identifiable information in the filings,” Citi said in a statement. “As a result of this limitation in technology, personally identifiable information could be exposed and read if electronic versions of the court records were accessed and downloaded from the courts’ online docket system and if the person downloading the information had the technical knowledge and software to restore the redacted information.”

In a settlement with the Justice Department’s U.S. Trustee Program, Citi has agreed to redact the customer information, notify all affected debtors and third parties, and offer all those affected a year of free credit monitoring.

University of Delaware Reports Cyberattack – 72,000 Records Affected

The University of Delaware is notifying the campus community that it has experienced a cyberattack in which files were taken that included confidential personal information of more than 72,000 current and past employees, including student employees. The confidential personal information includes names, addresses, UD IDs (employee identification numbers) and Social Security numbers.

Stanford University Reports Hack – Investigating Scope

Stanford University has announced that its information technology infrastructure has been breached, “similar to incidents reported in recent months by a range of companies and large organizations in the United States,” according to a Stanford press release. Though the school does not yet “know the scope of the intrusion,” an investigation is underway. “We are not aware of any protected health information, personal financial information or Social Security numbers being compromised, and Stanford does not conduct classified research.”

Japan’s Railway Company Apologizes for Unauthorized “Sharing”

The Wall Street Journal reported yesterday (registration may be required) that Japan’s national railway system has apologized for sharing its passengers’ travel habits and other personal information with a pre-paid fare card system without user consent. East Japan Railway admitted to selling the data to Suica—one of the pre-paid card businesses. The data included card holders’ ID numbers, ages, genders and where and when passengers got on and off the train. A transportation ministry official, however, said they will not investigate the issue for privacy violations because the railway company “told us that it wasn’t personal information, as it didn’t include names and addresses of users.” The Ministry of Internal Affairs and Communications is looking into the issue and has set up a team to research the matter, the report states.


Health Resources and Services Administration (HRSA) Publishes Orphan Drug Rule for 340B Program

Morgan Lewis

Rule requires most manufacturers to change government pricing methodologies, calculations, and systems.

On July 23, the Health Resources and Services Administration (HRSA) of the U.S. Department of Health and Human Services (HHS) published a regulation[1] increasing the number of entities to which pharmaceutical manufacturers must sell orphan drugs at statutory ceiling prices under the 340B drug discount program, and complicating the determination of eligibility to purchase these drugs at the 340B price. This regulation conditions the ability of certain hospitals to purchase orphan drugs at the 340B price on implementation of costly new systems for tracking drug use and requires virtually every brand drug manufacturer to change its government pricing methodologies, calculations, and systems.

340B Program Background

The 340B drug discount program is a voluntary program created by section 340B of the Public Health Service Act, 42 U.S.C. § 256b, and implemented through a pharmaceutical pricing agreement (PPA) between manufacturers and HHS. Manufacturers opt into the program by signing these agreements and assuming the obligations set forth in their terms, which are specified by statute and linked, in many respects, to the terms of the Medicaid drug rebate statute. At the core of the agreement is the obligation to charge covered entities no more than a statutory ceiling price for drugs covered by the statute, which are defined by the term “covered outpatient drug” in the Medicaid statute.

Section 7101 of the Affordable Care Act (ACA) expanded the categories of hospitals eligible to purchase at the 340B ceiling price to include freestanding cancer hospitals, sole community hospitals, rural referral centers, and critical access hospitals. The ACA, as amended, simultaneously limited these hospitals’ participation in the program by excluding “a drug designated by the Secretary [of HHS] under section [526 of the Federal Food, Drug, and Cosmetic Act (FFDCA)] for a rare disease or condition”[2] from the definition of “covered outpatient drug.”

Orphan Drug Rule

HRSA’s regulation, codified at 42 C.F.R. part 10, includes a new section 10.21 (the Final Rule or the Orphan Drug Rule), which establishes standards for determining when the statutory exclusion applies, i.e., when a drug designated under section 526 is excluded from the definition of “covered outpatient drug.”[3]

The Final Rule interprets the statutory exclusion from manufacturers’ obligations under their pharmaceutical pricing agreements as being limited to purchases of designated drugs when used by their customers to treat orphan indications. As a result of this regulatory limitation, the Final Rule requires manufacturers to charge the newly added hospitals no more than the statutory ceiling price for drugs designated as orphan drugs when these drugs are used for nonorphan indications. At the same time, the Final Rule allows an affected hospital to purchase drugs at the 340B price only if the hospital has developed a system for tracking outpatient use of a purchased drug that satisfies the requirements of the Final Rule.

HRSA’s regulatory requirements are predicated on an interpretation of congressional intent underlying this provision of the ACA, which ties the definition of “covered outpatient drug” under the 340B drug discount program to the scope of other unrelated benefits of orphan drug designation, such as marketing exclusivity and tax credits. However, there are other indicia that Congress did not intend the orphan drug exclusion to be as narrow as HRSA has now declared through rulemaking. When asked to clarify the scope of the exclusion for all the newly added hospitals, Congress instead removed children’s hospitals (originally subject to the orphan drug exclusion in the ACA) from the provision and restated the exclusion for the rest.[4]

Legislative Rulemaking Authority

Congress has not yet delegated authority to HRSA to promulgate substantive regulations that set standards for determining the scope of manufacturers’ obligations under the statute or that impose new duties on manufacturers not specified in the terms of their agreements. The only authority that Congress has previously delegated to HRSA to promulgate regulations is the limited authority provided in section 7102 of the ACA, which allows HRSA to issue the following: 1) regulatory standards and methodology for calculating ceiling prices; 2) regulations establishing standards for the imposition of civil monetary penalties; and 3) a regulation establishing an administrative process for the resolution of claims.

HRSA has called the Orphan Drug Rule a “clarification” of the statutory exclusion; however, the rule imposes new obligations on all stakeholders. It requires manufacturers to include in the program drugs designated under section 526 of the FFDCA and concurrently allows affected hospitals to purchase them at the 340B price, under certain circumstances, and then establishes standards and requirements for determining those circumstances.

340B Entity Implementation Issues

In order to ensure that drugs used by covered entities for orphan diseases or conditions are excluded, the Final Rule provides that covered entities may not purchase designated orphan drugs for nonorphan indications under the 340B drug discount program unless they provide HRSA with assurances that they have systems capable of identifying and tracking the use of designated drugs in treating their patients and transmitting the data to their purchasing systems. Thus, a sale of a particular drug to a particular affected hospital could be classified as purchased under the 340B program or outside the 340B program, depending on whether the purchaser 1) has informed HRSA that it has a system capable of complying with the rule’s requirements and 2) uses the drug to treat a patient for an orphan disease or condition.

Because the 340B program is an outpatient program only, hospitals must distinguish between drugs purchased for inpatient and outpatient purposes. HRSA allows hospitals to have a single physical inventory and maintain separate accounts for inpatient purchases and outpatient purchases, and many hospitals have split-billing systems that order 340B drugs only as needed under the program. The same rules apply when contract pharmacies order drugs to fill prescriptions of 340B hospital patients and the hospital purchases drugs to replenish the pharmacy’s inventory.

However, hospitals’ existing 340B purchasing systems and pharmacy prescription data do not currently include hospital billing codes or other information from patients’ medical records indicating the diseases or conditions for which drugs are prescribed. Thus, it may be some time before hospitals seeking to purchase orphan drugs for nonorphan indications at 340B prices are able to comply with the requirements of the Orphan Drug Rule. Due to the difficulties in satisfying the requirements, some affected hospitals may choose to purchase all of their orphan drugs outside the 340B program if they cannot or do not wish to develop a compliant tracking system. Alternatively, some hospitals may choose to have certain of their facilities purchase outside the 340B program.

The Orphan Drug Rule provides for acceptable “alternate” tracking systems if HRSA approves such systems, but the rule does not provide hospitals with the standards for what would be acceptable to ensure compliance. It also does not appear that manufacturers will have any advance insight into the systems or an opportunity to comment on them. Additionally, the Final Rule does not offer assistance to stakeholders on how contract pharmacies can ascertain from prescription information whether a patient of a 340B hospital has been prescribed a drug to treat an orphan indication or some other indication.

Alternatives for Hospitals 

Hospitals affected by the Orphan Drug Rule, such as rural referral centers, may also qualify for 340B participation as disproportionate share hospitals, which are not subject to the rule. In that case, they may choose not to satisfy the requirements of the rule (applicable to rural referral centers) but would be prohibited from purchasing outpatient drugs outside the program, such as those carved out for Medicaid, through group purchasing organization (GPO) agreements (applicable to disproportionate share hospitals).

For most of the new categories of hospitals, individual entities may purchase orphan drugs outside the program under GPO agreements and benefit from the discounts available through those agreements. Thus, they are not disadvantaged by the 340B drug discount program if they cannot or are unwilling to satisfy the requirements to purchase orphan drugs under the program. However, for freestanding cancer hospitals, the Final Rule maintains the statutory prohibition against purchasing covered outpatient drugs through GPO arrangements. If these hospitals do not comply with the regulatory requirements, they must purchase orphan drugs in the open market or negotiate contracts with manufacturers.

Manufacturer Government Pricing System Issues

Based on the Final Rule, the classification of a manufacturer’s sale as a 340B program sale for purposes of the manufacturer’s drug price reporting obligations depends on each eligible hospital’s compliance with the rule’s requirements. That means a manufacturer’s operations must code each affected hospital and, in some cases, facilities within a medical center to determine whether the purchase of an orphan drug for a nonorphan indication is under the program or outside the program. These codings can change quarter to quarter as 340B hospital entities elect either to start or stop using the required tracking systems. Likewise, wholesalers processing invoices must be provided with information that allows them to know when a hospital is eligible to order an orphan drug under the 340B agreement at statutory ceiling prices (as opposed to under a GPO agreement, other contract, or open market), and the manufacturer’s chargeback validation system must be able to differentiate as well. Otherwise, a manufacturer could easily and inadvertently provide 340B pricing outside the program, which could trigger a best price under the Medicaid drug rebate program and simultaneously drive down the quarterly 340B statutory ceiling price. Many manufacturers’ current government pricing systems seek to identify best price-eligible sales at the class-of-trade level, with sales of orphan drugs to 340B entities coded for inclusion in best price, while sales of nonorphan drugs to these same entities are excluded from best price. Manufacturers of orphan drugs must now develop solutions that permit identification of the eligible and ineligible price points necessitated by the Final Rule.

Since the inception of the Medicaid drug rebate program, the Centers for Medicare and Medicaid Services (CMS) has refused to consider all transactions with covered entities to be exempt from best price and—in the absence of a clear statutory provision, such as the exemption of inpatient drug prices paid by disproportionate share hospitals—it is risky for manufacturers to assume all outpatient sales of orphan drugs to 340B eligible hospitals will be exempt from best price. Currently, for example, CMS’s proposed government pricing rule excludes from best price only “[p]rices charged under the 340B drug pricing program to a covered entity described in section 1927(a)(5)(B) of the Act.”[5]

Off-Label Use

The Final Rule does not answer comments about concerns with off-label use. The Final Rule states that a drug must be approved by the Food and Drug Administration for marketing to be in the program; however, it does not answer the question of whether a drug should be excluded if it is designated for an orphan indication, approved only for a nonorphan indication, but used by a covered entity off-label for the designated orphan indication. The Final Rule also does not indicate whether a manufacturer with a product approved only for an orphan indication will be deemed to be selling the product to a hospital for off-label use if it provides the 340B price for that off-label nonorphan use.

Implications

Hospitals added to the 340B program by the ACA (other than children’s hospitals) need to review their existing systems and modify them to satisfy their obligations under the Final Rule before they can purchase orphan drugs under the program. Manufacturers need to review their drug price reporting systems to ensure they are able to identify when a covered hospital is purchasing orphan drugs outside the program to avoid inadvertently setting their best price at the 340B price.


[1]. Exclusion of Orphan Drugs for Certain Covered Entities Under 340B Program, 78 Fed. Reg. 44,016 (July 23, 2013) (to be codified at 42 C.F.R. pt. 10), available here.

[2]. 42 U.S.C. § 256b(e).

[3]. Exclusion of Orphan Drugs, supra note 1.

[4]. See Medicare and Medicaid Extenders Act of 2010, Pub. L. 111-309, § 204.

[5]. Medicaid Program; Covered Outpatient Drugs, 77 Fed. Reg. 5318, 5363 (Feb. 2, 2012) (emphasis added), available here.

Health Care Reform Update – Week of July 29, 2013

Mintz

Leading the News

Senate HELP Updates Track-and-Trace, Compounding Proposals

On July 24th, the Senate Health, Education, Labor, and Pensions (HELP) Committee released updates to its drug compounding and track-and-trace legislation. Committee Chairman Tom Harkin (D-IA) and Ranking Member Lamar Alexander (R-TN) say they hope the Senate will pass the measure by unanimous consent in the near future. On July 25th, the Congressional Budget Office (CBO) indicated the bill would have virtually no impact on the federal budget.

House Energy and Commerce Subcommittee Advances SGR Bill

On July 24th, the House Energy and Commerce Subcommittee on Health passed by voice vote a bill to repeal the sustainable growth rate (SGR) Medicare physician payment method. The bill now moves to the full committee, which will consider a repeal of the SGR on July 31st. Rep. Michael Burgess (R-TX) suggested the committee will support the bill, but he said the legislation could become part of larger budget negotiations near the end of 2013.

Implementation of the Affordable Care Act

On July 22nd, Republicans on the House Ways and Means Committee sent a letter to Treasury Secretary Lew requesting information regarding a delay of the ACA employer mandate. The letter criticizes testimony provided by Treasury official Mark Iwry in previous committee hearings, stating he failed to provide sufficient information.

On July 22nd, House and Senate Republicans sent a letter to HHS Secretary Sebelius that urges a release of information regarding health insurance premiums in 34 states taking part in the ACA federal and federal-state partnership exchanges.

On July 23rd, while speaking with members of the National Council of La Raza, First Lady Michelle Obama urged supporters to go out and inform their families and friends about the facts regarding the implementation of the ACA.

On July 23rd, the Government Accountability Office (GAO) issued a report on pre-ACA base insurance premium rates. The report was requested by Senator Orrin Hatch (R-UT).

On July 24th, Rep. Diane Black (R-TN) introduced H.R. 2775, a bill to prohibit ACA subsidies from being provided to Americans until a system is in place to verify the financial standing of individuals applying for subsidies.

On July 24th, the American Medical Association (AMA) and the American Hospital Association (AHA) called on HHS to delay Stage Two requirements relating to the development of meaningful use of electronic health records (EHRs). The AMA and AHA suggest Stage Two should be delayed by one year to provide flexibility to small and rural providers.

On July 25th, during a Senate Small Business Committee hearing on the implementation of the ACA, Senator Mary Landrieu (D-LA) said she understands some business owners are harmed by coverage mandates of the law. Senator Landrieu said she is open to exploring ACA changes that will avoid harming business owners.

On July 25th, Speaker of the House John Boehner (R-OH) said no decision has been made on whether Republicans will use a continuing resolution to block additional funding for ACA implementation and enforcement.

On July 26th, CMS announced a moratorium on enrollment of home health agencies in Miami and Chicago and a temporary halt on ambulance suppliers in Houston.

On July 26th, Maryland released premium rates for individual health insurance to be sold on the state’s ACA exchange. Nine carriers will offer plans through the exchange.

Other HHS and Federal Regulatory Initiatives

On July 22nd, the Food and Drug Administration (FDA) provided Teva Pharmaceuticals exclusive rights until 2016 to sell its Plan B One-Step emergency contraception over the counter and without age restrictions.

On July 22nd, CMS announced the suspension of the National Average Retail Prices (NARP) survey, which provided pricing information on over 4,000 common drugs.

On July 23rd, the U.S. District Court of Appeals for D.C. ruled that the HHS Secretary is able to delegate his or her authority to outside contractors.

On July 23rd, HHS issued a final rule that orders discounts for orphan drugs, which are often used to treat rare conditions, to apply when used to treat non-orphan conditions.

On July 26th, the FDA released two proposed rules to regulate the safety of imported food. The first rule is available here, and the second rule can be found here.

Other Congressional and State Initiatives

On July 24th, the House Appropriations Labor-HHS Subcommittee delayed a markup of the FY 2014 appropriations bill that was scheduled for July 25th. A spokesperson for the full committee indicated scheduling conflicts resulted in the delay.

On July 25th, the CBO wrote a letter noting the Senate’s immigration bill, S. 744, will reduce deficits largely because of cash flows related to Social Security and Medicare Part A.

Other Health Care News

On July 24th, the Institute of Medicine (IOM) published a report on the variation in health care spending among Medicare beneficiaries.

Hearings and Mark-Ups Scheduled

Senate

On July 30th, the Senate Budget Committee will conduct a hearing to examine containing health care costs.

On July 31st, the Senate Environment and Public Works Committee will conduct a hearing to examine toxic chemical threats and public health protections.

House of Representatives

On July 30th, the House Energy and Commerce Committee will conduct a markup of legislation to reform the sustainable growth rate (SGR) Medicare physician payment method. The markup is scheduled to continue on July 31st.

On July 31st, the House Ways and Means Health Subcommittee will hold a hearing to analyze the Obama administration’s authority to offer tax credits through the ACA exchanges.

On July 31st, the House Science Research and Technology Subcommittee will hold a hearing on the frontiers of human brain research.

On August 1st, the House Ways and Means Committee will hold a hearing to analyze the implementation of the ACA.

On August 1st, the House Energy and Commerce Committee will hold a hearing to understand the latest issues relating to the implementation of the ACA.

David Shirbroun also contributed to this update.


Health Resources and Services Administration (HRSA) Clarifies 340B Orphan Drug Exception But 340B Audit Enforcement Remains Murky

McDermott

Recently, HRSA publicly announced the issuance of a final rule clarifying when 340B covered entities can purchase and distribute orphan drugs through the 340B Drug Pricing Program.  Separately, HRSA quietly posted a report on its completed audits of 340B covered entities through July 12, 2013.  While the new rule does shed light on when 340B entities can purchase orphan drugs at 340B discounted prices, the new audit report keeps 340B entities in the dark on HRSA enforcement of established regulatory violations.

Orphan Drugs

The Orphan Drug Act specifies that drugs used to treat a specific rare condition or disease, such as ALS or Huntington’s disease, qualify as orphan drugs, and provides incentives for manufacturers of such drugs.  The FDA designates which drugs qualify as orphan drugs.

The Affordable Care Act excludes orphan drugs from 340B pricing, but does not provide specifics on the breadth of the exclusion.  The new 340B rule, which will go into effect October 1, 2013, specifies that the orphan drug exclusion only applies to three types of qualified 340B covered entities:

  • Freestanding cancer hospitals
  • Critical access hospitals, and
  • Rural referral and sole community hospitals.

Other types of covered entities can still purchase orphan drugs at 340B prices, as long as the entity is in compliance with other conditions of the 340B program.

Under the final rule, the orphan drug exception is only applicable to the three types of entities if the drug at issue is designated as orphan by the FDA and is being transferred, prescribed or sold for the rare condition or disease for which it was designated as orphan by the FDA.  So, for example, if drug X is designated as orphan for treatment of ALS, but is also FDA-approved to treat anorexia, it may be purchased at 340B discounts to dispense to anorexia patients.

A word of warning – providers can potentially qualify as a 340B covered entity under more than one of the eligibility classifications.  Going forward, HRSA will require that each covered entity designate itself as a single type of covered entity and abide by all governing regulations specific to that type of entity.   Providers will want to consider the applicability of the orphan drug exception when deciding which type of entity they will be for 340B purposes.

Audit Update

HRSA did not announce that it posted a report on completed FFY 2012 program audits through July 12, 2013.  While there is some interesting information in the report, the report is more striking for what it doesn’t say.

The report reflects:

  • HRSA completed a total of 34 FFY 2012 audits.
  • HRSA conducted audits of 340B covered entities in 20 different states:  5 audits in Texas, 3 in Georgia and Illinois, and 2 in California, Florida, Kentucky, Washington and Wisconsin, and multiple states had only 1 reported audit.
  • Half of the audits had no adverse findings and half had 1 or more adverse findings.
  • The most common adverse finding was dispensing drugs to ineligible patients, which included situations involving ineligible sites and/or use of ineligible providers.
  • The second most common finding was a violation of the duplicate discount prohibition through Medicaid billings.
  • The third most common adverse finding was inaccurate record entries, involving incorrect addresses, listing of closed facilities, or use of an unlisted contract pharmacy.

The report does not reflect the total number of entities audited during FFY 2012 or how many audits are yet to be completed.

In several audits where the only listed violation involved an incorrect record regarding a site or contact, no sanction was imposed and corrective action was either limited to correction of the database or is pending.  But where the inaccurate record included use of an unlisted contract pharmacy, or where there were other findings regarding ineligible patients or duplicate discounts, sanctions are reported as “to be determined” and corrective action remains “pending.”

So we know HRSA is actively auditing 340B entities and the activities it finds problematic, but we still don’t know what it is going to do about those activities.

Centers for Medicare and Medicaid Services (CMS) Spells Out Requirements in New Rule for Consumer Helpers in Insurance Exchanges

Barnes & Thornburg

Amid ongoing political debate about implementation of the Affordable Care Act and the ability of average Americans to understand the complexities of the health reform law, the Centers for Medicare and Medicaid Services on July 12, 2013 released a final rule that sets forth requirements for different types of entities and individuals who will aid consumers in learning about and enrolling in health coverage plans on insurance marketplaces created by the law, called exchanges.

The rule distinguishes between three categories of consumer helpers: “navigators,” “non-navigator assistance personnel,” and “certified application counselors.” All three types, which may include community nonprofit organizations and their staffs, and other entities and individuals, will perform similar functions, such as helping consumers establish their eligibility for coverage on an exchange and enrolling them where eligible. The primary differences lie in how they are funded and in the exchanges in which they will provide assistance. Navigators will provide assistance in all exchanges—federal exchanges, state exchanges, and federal-state partnership exchanges—and will be funded by federal and state grants. Non-navigator assistance personnel will provide assistance in federal-state partnership exchanges and optionally in state exchanges, and will be funded through separate state-administered grants or contracts. Certified application counselors will provide assistance in all exchanges and will not receive exchange-related funds (although they may receive funds from other federal programs).

The rule lays out standards with which navigators and non-navigator assistance personnel must comply. These standards include conflict-of-interest standards that limit affiliations with insurance companies and standards governing certification, recertification, and training in particular subjects. The rule establishes additional standards to ensure that the services of navigators and non-navigator assistance personnel are culturally and linguistically appropriate and also accessible to the disabled.

As to certified application counselors, the rule authorizes exchanges to designate an organization to certify its staff members or volunteers as application counselors, or to directly certify these individuals, who in both cases must comply with certification standards similar to those applicable to navigators and non-navigator assistance personnel. Correspondingly, the rule requires withdrawal of an organization’s designation or a counselor’s certification in the event of noncompliance with the rule. Finally, the rule requires that certain information about certified application counselors be available to health coverage applicants, and it prohibits the imposition of any charge on applicants for application or other exchange-related assistance.

The rule takes effect on August 12, 2013.


Insurer Enters Into $1.7 Million Health Insurance Portability and Accountability Act (HIPAA) Settlement

vonBriesen

The U.S. Department of Health and Human Services (HHS) announced yesterday that it has entered into a resolution agreement with a national managed care organization and health insurance company (hereinafter “Company”) to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Investigation and Resolution Agreement

The HHS Office for Civil Rights (OCR) conducted an investigation after receiving the Company’s breach report, a requirement for breaches of unsecured protected health information (PHI) pursuant to the Health Information Technology for Economic and Clinical Health Act (HITECH) Breach Notification Rule.

The investigation indicated that the Company had not implemented appropriate administrative and technical safeguards required by the Security Rule and, as a result, security weaknesses in an online application database left electronic PHI (ePHI) of 612,042 individuals unsecured and accessible to unauthorized individuals over the internet. PHI at issue included names, dates of birth, addresses, Social Security numbers, telephone numbers, and health information. Specifically, with regard to ePHI maintained in its web-based application database, the Company did not:

  1. Adequately implement policies and procedures for authorizing access to ePHI;
  2. Perform an adequate technical evaluation in response to a software upgrade affecting the security of ePHI; or
  3. Adequately implement technology to verify the identity of the person/entity seeking access to ePHI.

HHS and the Company entered into a resolution agreement, and the Company agreed to pay a $1.7 million settlement.  Notably, the resolution agreement did not include a corrective action plan for the Company.

Stepped up Enforcement

Beginning with the September 23, 2013 Omnibus Rule compliance date, HHS will have direct enforcement authority over business associates and subcontractors.  The settlement is an indication that HHS will not hesitate to extend enforcement actions to business associates and subcontractors.

The settlement is also a reminder of HHS expectations regarding compliance with HIPAA and HITECH standards.  HHS noted “whether systems upgrades are conducted by covered entities or their business associates, HHS expects organizations to have in place reasonable and appropriate technical, administrative and physical safeguards to protect the confidentiality, integrity and availability of electronic protected health information – especially information that is accessible over the Internet.”

More information regarding the Omnibus Rule and its expanded liability is available here.
