Top Takeaways from FDA Draft Guidance on Software as Medical Device

FDA’s proposed adoption of an IMDRF document raises questions.

On October 14, the US Food and Drug Administration (FDA) released a new draft guidance document, Software as a Medical Device (SaMD): Clinical Evaluation (Draft Guidance).[1] The Draft Guidance was developed by the SaMD Working Group of the International Medical Device Regulators Forum (IMDRF),[2] a voluntary group of medical device regulators from around the world, including FDA. This is the first time that FDA has proposed issuing an IMDRF document as an official FDA guidance document.

The Draft Guidance discusses clinical evaluation recommendations for SaMD and focuses on the general principles of clinical evaluation, which include establishing scientific validity, clinical performance, and analytical validity for an SaMD. The Draft Guidance is available for public comment until December 13, 2016. We have highlighted below key takeaways.

1. Cart Before the Horse?

Over the years, FDA has issued several guidance documents attempting to clarify its position on software products. For instance, in 2015, the Agency issued its final guidance on Mobile Medical Applications, which describes when FDA will or will not actively regulate software that can be executed on a mobile platform.[3] However, the Mobile Medical Apps guidance is limited to the specific mobile app examples listed in that guidance, and FDA has yet to issue its long-promised draft guidance on clinical decision support software. Thus, there is no clear overarching policy on when software used for health- or medical-related purposes would be considered SaMD, subject to FDA regulation. In this context, issuing guidance on FDA’s expectations for the clinical evaluation for SaMD seems premature. Software developers need to first understand where the proverbial line is before investing in clinical evaluation activities.

2. New Unadopted Terminology and Reference Documents Used

The Draft Guidance uses terminology defined in other IMDRF documents and also incorporates by reference findings from other IMDRF documents; however, FDA has not officially adopted those other IMDRF documents as FDA guidances. Thus, it is not clear whether FDA intends for this Draft Guidance to be the first volley, followed up by formally issuing other IMDRF documents on SaMD as FDA guidances, or whether FDA would simply consider the terminology and principles in those other IMDRF documents to be adopted by proxy if and when it finalizes this current Draft Guidance. It also is not clear how the principles and terminology in these other IMDRF documents align with FDA’s existing regulations and guidance documents. For instance, the Draft Guidance discusses a system of classifying SaMD based on its intended use and risk; however, it is not clear how this classification system would translate to FDA’s existing device classification system (Class I, Class II, and Class III) and classification regulations. Such an understanding is important for SaMD developers to determine the premarket review standard that will apply (e.g., establishing substantial equivalence vs. safety and effectiveness), because this will inform the goals for SaMD clinical evaluation.

3. Context Is Important

Although this Draft Guidance’s focus is SaMD clinical evaluation, a significant part of its 45 pages is used to provide definitions, general principles, context, and SaMD categorization principles (not to mention the references to other IMDRF documents, as described above). Only Section 6 directly addresses clinical evaluation. On that point, the new Draft Guidance describes clinical evaluation as the process for establishing the scientific validity, analytical validity, and clinical performance of an SaMD and provides recommendations for generating evidence in these three areas. The Draft Guidance further describes how to determine the required level of evidence based on the SaMD’s categorization. With regard to categorization, the Draft Guidance proposes an SaMD categorization scheme based on: (1) how the information generated by the SaMD will be used (for nondiagnostic, diagnostic, or therapeutic purposes), and (2) the criticality of the healthcare situation or condition in which the SaMD is to be used. An SaMD intended to treat or diagnose critical healthcare situations or conditions is considered higher risk and thus would be subject to more rigorous clinical evaluation requirements.

4. FDA Requests for Feedback

In its Federal Register notice announcing the new Draft Guidance, FDA highlighted specific areas for which it would like feedback, including the following:

  • Does the document appropriately translate and apply current clinical vocabulary for SaMD?

  • Are there other types of SaMD beyond those intended for nondiagnostic, diagnostic, and therapeutic purposes that should be highlighted or considered in the document?

  • Does the document adequately address the relevant clinical evaluation methods and processes for SaMD to generate clinical evidence?

  • Given the uniqueness of SaMD and the proposed framework, is there any impact on currently regulated devices or any possible adverse consequences?

Next Steps

The Draft Guidance document indicates that it is intended to provide globally harmonized principles of when and what type of clinical evaluation is appropriate based on the SaMD risk. However, questions remain about how these principles translate to FDA regulatory requirements.

The Guidance Document is available for comment until December 13, 2016 (Docket No. FDA–2016–D–2483).


[1] 81 Fed. Reg. 71105 (Oct. 14, 2016), https://www.gpo.gov/fdsys/pkg/FR-2016-10-14/pdf/2016-24805.pdf.

[2] FDA, International Medical Device Regulators Forum (IMDRF) (last updated May 5, 2015), http://www.fda.gov/MedicalDevices/InternationalPrograms/IMDRF/default.htm.

[3] FDA, Mobile Medical Applications: Guidance for Industry and Food and Drug Administration Staff, (Feb. 9, 2015), http://www.fda.gov/downloads/MedicalDevices/…/UCM263366.pdf.

It’s Not Really ”Repeal and Replace”; It’s Transition – pt 1

For the last six years, Republicans have talked about repeal and replacement of the Affordable Care Act.  The election outcome now puts Republicans in a position of authority to take action on the Affordable Care Act.  As we look ahead to the 115th Congress, it is important to move away from political rhetoric and consider what can actually be achieved as a matter of public policy.

First, the Affordable Care Act is an extremely complex law including many more provisions than those related to coverage.  Complete repeal of the law is not remotely realistic.  For years Republicans have claimed support for provisions within the bill, some of which were actually bipartisan ideas.  No one should assume complete repeal.  The President-elect has already publicly voiced his support, for example, for continuing the bar on pre-existing condition exclusions from coverage.

Second, repeal and replace has been the mantra for many years, but that’s not actually the most accurate description of what Republicans want to do with the Affordable Care Act.  Republicans want to provide consumers with market-driven, high-value, cost-efficient health care coverage choices provided by private insurers.  That’s what Democrats arguably intended to do with the coverage provisions of the Affordable Care Act.

Ultimately, Republicans are going to transition the Affordable Care Act to function more to their liking.  The core of that function will still be covering millions of Americans through market-driven, high-value, cost-efficient health care coverage choices provided by private insurers.  The challenge for Republicans will be to limit the number of people who lose coverage in the transition, and it is simply wrong to assume Republicans intend to cause people to lose coverage.  For example, merely repealing the individual mandate will lead to significant market disruption and loss of coverage.  But if the individual mandate is transitioned to a late enrollment penalty, disruption and loss of coverage could be greatly minimized.

Finally, transition will not occur quickly.  While there is much more information about the consequence of policy decisions today than there was in 2009, writing legislation, determining the impact of legislation, and then moving legislation through Congress will take much of 2017.  This is not something that is likely to happen in a special session early in 2017.

This post is the first in a series.  In the posts that follow, we will describe the critical issues that Republicans must tackle as they transition the Affordable Care Act into a version of health care reform that they must own and defend.

©1994-2016 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

Election 2016 Likely to Result in End of ACA as We Know It, But Employers and Plan Sponsors Should Stay Course for Now

Over the past five years or so, Republican Congressmen have repeatedly taken steps to repeal President Obama’s landmark legislative effort – the Patient Protection and Affordable Care Act (the “ACA”). However, those efforts either failed to advance in Congress or were vetoed by President Obama. Tuesday’s Presidential and Congressional election, in which Donald Trump was elected President and Republicans maintained a Congressional majority in both houses, puts the future of the ACA in jeopardy. Indeed, President-elect Trump and Congressional leaders have already confirmed that repeal of the ACA is a top priority.

Although the ACA is certainly in the crosshairs, the path to outright repeal is not so clear. Republicans have majority control in both chambers of Congress, but they do not have a filibuster-proof supermajority in the Senate. This means that unless Congress changes procedural rules, Democratic Senators can effectively block through filibuster any blanket repeal of the ACA.

So what other options do Congress and President-elect Trump have? First, Congress could invalidate many of the ACA’s revenue-related provisions through budget reconciliation legislation. This is not a novel approach to affecting healthcare legislation – the ACA itself was a product of budget reconciliation legislation passed after Democrats lost their Senate supermajority in 2010. Budget reconciliation legislation cannot be held up by filibuster, but the subject of the legislation must be related to revenue. Non-revenue-related provisions can be struck from this type of legislation.

In 2015, the Republican-controlled Congress passed budget reconciliation legislation to invalidate many of the ACA’s revenue-related provisions. Although that legislation was vetoed by President Obama, it might be used as a template for new legislation once President-elect Trump takes office. Here are some key parts of the 2015 legislation:

  • The individual and employer mandates (and associated reporting requirements) would be repealed.

  • Expansion of Medicaid to electing States would be repealed.

  • The availability of premium and cost-sharing subsidies on the public insurance Marketplace would be repealed.

  • Taxes, such as the “Cadillac Tax”, medical device tax and increased Medicare taxes on high-earners would all be repealed.

Other ACA market reforms, such as first-dollar coverage of preventive healthcare, prohibition on preexisting condition exclusions, prohibition of annual and lifetime limits on certain benefits, and required coverage of dependents through age 26, are generally not related to revenue and probably cannot be included in budget reconciliation legislation.

Second, President-elect Trump could take immediate action to impact agency enforcement of various aspects of the ACA. For example, President-elect Trump could issue a directive to agencies to stop all enforcement of regulations currently in effect under the ACA. In addition, incoming Presidents often take immediate action to stop regulatory efforts in process. This means that proposed and pending regulations would never become effective. At the moment, regulations related to expatriate healthcare coverage and opt-out payments are currently proposed and regulations related to the Cadillac Tax are being drafted. In addition, recently proposed regulations would expand Form 5500 filing requirements to include attestations regarding compliance with the ACA. Presumably, those regulatory efforts would end.

Moreover, a significant part of the ACA’s enforcement infrastructure is found in sub-regulatory guidance – there are 34 interpretive FAQs alone – meaning that there are opportunities for the new administration to take action without significant procedural hurdles. One could surmise that the days of expansive interpretations of the ACA in sub-regulatory guidance are over and, in some cases, prior sub-regulatory guidance would be reversed.

To the extent that the ACA is limited or eliminated by these actions, there is then the question of what stands in its place. Throughout his campaign, President-elect Trump has made clear that he intends not just to repeal the ACA, but also replace it with something new. Concrete details are lacking at the moment, but the following are possible components of his replacement plan:

  • A cap on the employer deduction for health coverage provided to employees.

  • Individuals without employer-provided health coverage would receive a tax credit against the cost of coverage purchased on the individual market. The tax credit would not be an advanced premium credit, but would instead be taken in full when filing income tax returns.

  • Expansion of health savings accounts, including increased contribution limits, and improved price transparency from healthcare providers.

  • Insurance companies would be able to sell policies across state lines.

  • Provide block grants to states for Medicaid.

  • Allow consumer access to imported drugs meeting safety standards.

Ultimately, it is far too early to know exactly what President-elect Trump and the Republican-controlled Congress will do with respect to the repeal of the ACA and the enactment of new health care reform or what the impact of any of those changes will be. Even if the ACA is ultimately repealed in full or in part, it is unlikely to happen on “day one.” Therefore, at least for the time being, employers and plan sponsors should continue operating their health plans in compliance with the ACA.

President-Elect Trump’s Impact on Affordable Care Act

For years, the Republican-controlled Congress has vowed to repeal or significantly scale back President Obama’s landmark legislation – the Patient Protection and Affordable Care Act (the “ACA”). During his campaign, President-elect Donald Trump repeatedly promised that he would “immediately repeal and replace” the ACA upon taking office.  Assuming Trump follows through on his promise, the ACA’s days are likely to be numbered, at least in its current form.  The scope of such repeal remains uncertain, however.  Trump has indicated that the ACA cannot simply be repealed – it must be replaced.  To date, he has not provided the details of any alternative to the ACA.

Under the current House proposal, the ACA’s individual and employer mandates would be repealed outright.  Although the controversial excise tax on high-cost health care (i.e., the so-called “Cadillac Tax”) would also be repealed, the proposal would put a cap on the deduction that employers can take for the cost of healthcare provided to employees.  It is also expected that the proposed alternative would give tax credits to individuals without employer-provided health coverage and expand the tax benefits associated with health savings accounts.  Certain popular aspects of the ACA, such as the prohibition of preexisting condition exclusions, dependent coverage through age 26 and Medicaid expansion, would remain in place. Democrats are likely to strongly oppose the House proposal. There probably will be little that Democrats will be able to do, however, to stop the repeal/replacement of the ACA facing Trump and a Republican-controlled Congress.

© 2016 Proskauer Rose LLP.

New Presidency Will Compel Action in Key Areas of Health Care in 2017

As we enter the final stretch of the U.S. presidential election, health care remains one of the most contested issues with great potential for change, particularly to existing insurance and patient care systems. Compounding matters is the opening of enrollment season for exchange plans, which places the already hotly debated Affordable Care Act (ACA) at the forefront of the national health care discussion.

Former U.S. Congressman Dennis Cardoza, co-chair of Foley’s Federal Public Affairs Practice, and Public Affairs Director Jennifer Walsh opined recently about how our next president could symbolically break the congressional logjam on several health care-related fronts and why the industry is poised for more market-driven disruption.

What follows are a few highlights of their conversation.

1. What health policy issues will be most impacted by the next administration?

Cardoza: Since the passage of the ACA, there has been very little legislative activity when it comes to health care, as everything has been done at the administrative level and spread across various departments. During the honeymoon period that follows every newly elected president, we’ll likely see an immediate and significant push around the ACA marketplaces, especially in light of some high-profile defections, decreasing competition and increasing premiums. It doesn’t matter who is in the White House; there are things happening in the market that can’t be ignored.

Walsh: I agree that legislation concerning the exchanges will be the first out of the gate. There is a strong impetus to fix the system, but it may happen initially as part of the reauthorization of the Children’s Health Insurance Program (CHIP) that is set to expire in 2017. CHIP is a bipartisan issue and no one wants to see it lapse. This must be passed in the first or second quarter and could grease the skids for other ACA measures that are either attached as amendments or follow in subsequent bills.

On a separate, simultaneous track, drug pricing will continue to be scrutinized. Lawmakers will pick up where they left off leading up to the August recess. It’s now part of the national dialogue and lawmakers will continue to discuss how to address the issue.

2. Will merger activity continue on its current, accelerated pace?

Cardoza: The ACA has forced market consolidation due to everyone’s ability, or rather inability, to compete over costs. We may see other large insurance plans leave the exchanges if the Department of Justice doesn’t approve their respective mergers.

Walsh: Mergers have been an interesting consequence of the ACA, and we’ll see more alignment in this regard. They don’t always generate big news headlines, but smaller acquisitions of technology assets and payments systems are happening all over, so health care organizations can build their portfolios.

3. What are some other noteworthy developments you’re watching closely?

Cardoza: Concluding a long, iterative process, the Centers for Medicare & Medicaid Services will soon be rolling out its new health care payment and service delivery models as part of the transition from fee-for-service. Next year will be a key period as we work toward full-blown implementation of new reimbursement practices that reflect better value and promote quality care for patients.

Walsh: The 21st Century Cures Act, which is Representative Fred Upton’s legacy issue, has received broad bipartisan support and already passed the House. It will allocate more funding to the National Institutes of Health to explore new cures and treatments, and incent innovative approaches to disease management. It should get a fair shake in 2017, if not during the upcoming lame duck session.

4. What should health care executives be thinking about heading into 2017?

Cardoza: Complacency has set in with the Washington gridlock, and many executives with bearish outlooks have accepted the broken system and are merely just controlling costs. However, they need to change their mindset and be more cognizant of what could soon affect their business, as we’re about to enter a transformative year where there will be a lot of moving parts. If they’re not informed and engaged, they’re going to get left behind.

Walsh: The uncertainty surrounding the ACA has certainly caused a lot of angst, and makes planning for businesses extremely difficult. Companies need to channel that energy into advocacy for their organization. Although every system is different, the industry-wide movement toward modernization, value, and quality will affect all parties. While it will be incremental, the change that will be prompted by the election is inevitable.

© 2016 Foley & Lardner LLP

DOJ-AmEx Case Could Have Ramifications for Health Care Providers

The U.S. Department of Justice’s loss to American Express sends a message to health care providers: Steering, tiering, exclusive dealing and other contractual arrangements that appear to suppress competition in one part of the market may be legitimate where the arrangements facilitate lower prices and better access to services in another part of the market, or have other valid business purposes.

The decision came Sept. 26 when the Second Circuit Court of Appeals reversed a judgment for the DOJ in a suit accusing AMEX of violating antitrust laws by initiating rules prohibiting merchants who accept AMEX’s credit cards from steering its cardholders to other credit card brands. The court of appeals directed the district court to enter a judgment for AMEX, saying the trial court erred when it found that AMEX’s anti-steering provisions were anticompetitive by focusing only on the interests of merchants and not also on those of cardholders.

The court of appeals said that the district court’s approach “does not advance overall consumer satisfaction.” It concluded that “[t]hough merchants may desire lower fees, those fees are necessary to maintaining cardholder satisfaction—and if a particular merchant finds that the cost of AMEX fees outweighs the benefit it gains by accepting AMEX cards, then the merchant may choose to not accept AMEX cards.”

At issue was whether AMEX’s nondiscriminatory provisions (“NDPs”) in agreements with merchants prohibiting them from encouraging consumers to use other credit cards were anticompetitive. The court of appeals found that the trial court’s ruling against AMEX was wrong in several ways, including its market definition, its analysis of AMEX’s market power and its finding of an adverse effect on competition.

The district court wrongly concluded that the relevant product market consisted of services offered by credit card companies to merchants, while excluding services offered to cardholders. The Second Circuit said that the functions provided by the credit card industry are inter-dependent, and result in what is called a “two-sided market.” The district court erroneously failed “to define the relevant product market to encompass the entire multi-sided platform.”

In addition, the court of appeals said that the district court erroneously determined that AMEX had significant market power. The trial court found that AMEX was able to unilaterally impose price increases on merchants, but it did not acknowledge that AMEX’s increase in merchant fees was necessary to provide increased benefits to cardholders, which amounts to a price reduction to cardholders. “A firm that can attract customer loyalty only by reducing its price does not have the power to increase prices unilaterally.”

Also, the district court’s erroneous market definition resulted in it wrongly finding that the NDPs had an anticompetitive effect on the market. The court of appeals said that “the market as a whole includes both cardholders and merchants, who comprise distinct yet equally important and interdependent sets of consumers sitting on either side of the payment-card platform.” The DOJ made no showing at trial that the NDPs caused anti-competitive effects on the relevant market as a whole.

In 2011, the DOJ issued a policy giving guidance to accountable care organizations that said anti-steering provisions may raise antitrust concerns and should not be implemented by providers with a large market share. Federal Trade Commission and Department of Justice, “Statement of Antitrust Enforcement Policy Regarding Accountable Care Organizations Participating in the Medicare Shared Savings Program,” 76 Fed. Reg. 67026, 76030 (2011) (“An ACO with high PSA shares or other possible indicia of market power may wish to avoid . . . [p]reventing or discouraging private payers from directing or incentivizing patients to choose certain providers, including providers that do not participate in the ACO, through ‘anti-steering,’ ‘anti-tiering,’ ‘guaranteed inclusion,’ ‘most-favored-nation,’ or similar contractual clauses or provisions”).

Healthcare markets have aspects of a two-sided market, including separate interests of insurers and of patients. As a result, after AMEX, claims that steering provisions initiated by providers are anticompetitive because they thwart competition with other providers in the market will likely be evaluated by fully considering the anticompetitive effect of the provisions on the entire marketplace, rather than taking the DOJ’s more narrow enforcement view.

AMEX’s analysis likely has ramifications for any case challenging steering provisions or other allegedly anticompetitive restraints in multi-sided markets. For example, Methodist Medical Center in Peoria, Illinois, brought suit against its rival, St. Francis Medical Center, also in Peoria, challenging St. Francis’ exclusive contracts with health insurers that allegedly foreclosed Methodist from competing for patients in the Peoria hospital market. Consistent with the analysis of antitrust violations that was used in AMEX, on Sept. 30 a federal district court granted summary judgment for St. Francis, saying:

“Market dynamics at each level impact the ultimate inquiry of whether a provider is foreclosed from competing for a commercially insured patient’s business. Accordingly, whether Methodist was foreclosed from competition must be analyzed at each level in the distribution chain—its ability to compete to be included in a payer’s network, the ability of end users to choose among plans that feature each hospital, and also the hospitals’ ability to reach retail customers notwithstanding out-of-network status.”

Applying this analysis at each level, the court found that the exclusive arrangements excluded Methodist from a limited portion of patients and, as a result, the arrangements did not violate antitrust law.

© Polsinelli PC, Polsinelli LLP in California

OFAC Allows Joint Medical Research with Cuba

The Department of the Treasury, Office of Foreign Assets Control (OFAC), has modified the Cuban Assets Control Regulations (CACR) (31 C.F.R. Part 515) to allow joint medical research between persons subject to U.S. jurisdiction and Cuban nationals. In the context of the CACR, a “person subject to U.S. jurisdiction” includes any non-U.S. entity owned or controlled by a U.S. person or company directly or indirectly.

It is important to note that the focus of this rule is the development and sale of Cuban-origin pharmaceutical products into the United States and not the sale of U.S.-origin products into Cuba. The changes published today have no impact on the sale of U.S.-origin pharmaceutical products into Cuba, and the modified rules do not eliminate the need for sales into Cuba to be licensed by the U.S. Department of Commerce and/or the Department of the Treasury.

As a result of this rule change, effective October 17, 2016, U.S. pharmaceutical companies and their foreign subsidiaries, as well as U.S. nationals, are authorized to engage in various types of transactions “incident to obtaining approval from the U.S. Food and Drug Administration (FDA) of Cuban origin pharmaceuticals, including discovery and development, pre-clinical research, clinical research, regulatory review, regulatory approval and licensing, regulatory post-market activities, and the importation into the United States of Cuban-origin pharmaceuticals,” as well as the “marketing, sale, or other distribution in the United States of FDA-approved Cuban-origin pharmaceuticals, including the importation into the United States of Cuban-origin pharmaceuticals.”

In its most recent Portfolio of Opportunities for Foreign Investment, Cuba identified the biotechnology and pharmaceutical sector, where BioCubaFarma has been producing vaccines and drug products for years, as one of the targets of foreign investment through strategic partnerships. Specifically, the Cuban government stated that it was promoting joint R&D projects, distribution and representation arrangements and technology transfer arrangements that complemented domestic projects in the sector. This week’s changes to the CACR will facilitate participation in these types of investments and activities in Cuba by U.S. companies.

©2016 Drinker Biddle & Reath LLP. All Rights Reserved

Dynamic Political and Public Policy Landscape in DC on Pharmaceutical Issues

The post-election period — from the lame duck congressional session to the first 100 days and beyond of a new Administration and Congress — is expected to be a time of extraordinary, if not unprecedented, public policy debate on issues that impact pharmaceutical/life sciences companies and interest groups. These issues present both significant threats and possible opportunities to all stakeholders.

On the positive side, the 114th Congress has unfinished business in the form of the House’s 21st Century Cures Act and the Senate’s companion package of Medical Innovation bills, provisions of which are intended to streamline FDA review and approval processes as well as authorize key programs such as the Precision Medicine Initiative. And Prescription Drug User Fee (PDUFA) reauthorization is also right around the corner. These positive developments could come at a cost to the life sciences industry, however, with growing indications that a proverbial perfect storm is brewing in the U.S. on issues surrounding pharmaceutical pricing.  The presidential candidates, who find little else on which to agree, have criticized drug prices and espoused strong support for proposals — including ones that would allow HHS to directly negotiate with manufacturers and the importation of lower-priced drugs from Canada and elsewhere — that are anathema to industry. As shown in the pending Medicare Part B national demonstration project, presidential administrations, in addition to the bully pulpit, have used their perceived regulatory authority to elevate the executive branch role in the drug pricing debate in the absence of congressional action, and we would expect that to continue in the next Administration.

Furthermore, recent developments suggest that whoever the next president is might find willing partners in both parties on Capitol Hill on pharmaceutical pricing-related issues, regardless of the outcome of the general election in Congress. As evidenced in recent high profile oversight and investigations hearings, criticism of the pharmaceutical industry has become bipartisan fodder. Members on both sides of the aisle have to answer a growing chorus from their constituents who seek relief from high drug prices.  While Republicans historically provided some level of firewall for efforts to fend off price controls and other adverse policy prescriptions, the reservoir of political capital with the GOP is arguably less deep post enactment of the Affordable Care Act.  At the same time, there are fewer moderate Democrats who in the past helped defend the industry.

Growing public opinion and ongoing critical publicity around drug prices contribute to a political environment that is more likely to result in active consideration of a variety of unfavorable legislative proposals in the drug pricing space. To date, there has been a veritable menu of bipartisan options offered, which include, among many others, requiring greater transparency by manufacturers who raise prices above a certain percentage, allowing the government to directly negotiate prices with manufacturers, importation of lower priced drugs, reduction of the data exclusivity for biologics, policy changes to encourage even greater utilization of generics, reform of patient assistance programs, and curtailing of certain practices in patent settlement agreements and REMS programs.

Momentum for any or all of these proposals might further increase if Congress and the Administration pursue a deficit-reducing budgetary deal or other policy priorities that must be paid for with policy changes affecting the Medicare program. The prospect for action on anti-industry proposals is further enhanced by the reality that congressional reauthorization of the industry-supported PDUFA will be on tap in 2017. Because PDUFA is considered “must-pass” legislation, it is recognized as a prime moving vehicle to which any number of healthcare-related proposals might be attached. It remains uncertain whether pharmaceutical pricing and access will continue to be more of a rhetorical subject or if the rhetoric translates into significant changes in federal policy. What is virtually certain is that this debate will rage on in the months ahead and that the outcome could have major ramifications for industry — whether or not new laws are ultimately enacted.

Against this backdrop, it is imperative that stakeholders follow the anticipated fast-moving developments, understand the substantive implications and political prospects for various proposals, and, where appropriate, engage in informed advocacy on Capitol Hill with the Administration and the public.

© 2016 Covington & Burling LLP

Guidance on Ransomware Attacks under HIPAA and State Data Breach Notification Laws

On July 28, 2016, the US Department of Health and Human Services (HHS) issued guidance (the guidance) under the Health Insurance Portability and Accountability Act (HIPAA) on what covered entities and business associates can do to prevent and recover from ransomware attacks. Ransomware attacks can also trigger concerns under state data breach notification laws.

What Is Ransomware?

Ransomware is a type of malware (malicious software). It reaches devices and systems through spam, phishing messages, malicious websites and email attachments, or it can be installed directly by an attacker who has already hacked into a system. In many instances, the infection begins when a user clicks on a malicious link or opens a malicious attachment. Ransomware attempts to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker who deployed the malware. After the user’s data is encrypted, the attacker directs the user to pay a ransom in order to receive a decryption key. However, the attacker may also deploy ransomware that destroys information or impermissibly transfers it from an information system to a remote location controlled by the attacker. Paying the ransom may result in the attacker providing the key needed to decrypt the information, but this is not guaranteed. In 2016, at least four hospitals have reported ransomware attacks, but additional attacks are believed to go unreported.

HIPAA Security Rule and Best Practices

The HIPAA Security Rule requires covered entities and business associates to implement security measures. It also requires covered entities and business associates to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information (ePHI) the entities create, receive, maintain or transmit and to implement security measures sufficient to reduce those identified risks and vulnerabilities to a reasonable and appropriate level. The HIPAA Security Rule establishes a floor for the security of ePHI, although additional and/or more stringent security measures are certainly permissible and may be required under state law. Compliance with HIPAA’s existing requirements provides covered entities and business associates with guidance on how to prevent and address breaches that compromise protected health information. The new HIPAA guidance specific to ransomware reinforces how the existing requirements can help an entity protect sensitive information.

HHS has suggested that covered entities and business associates frequently back up their documents because ransomware denies access to the covered entity’s and business associate’s data. Maintaining frequent backups and ensuring the ability to recover data from a separate backup source is crucial to recovering from a ransomware attack. Test restorations should be periodically conducted to verify the integrity of backed-up data and provide confidence in an organization’s data restoration capabilities. Because some ransomware variants have been known to remove or otherwise disrupt online backups, entities should consider maintaining backups offline and inaccessible from their networks.
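The test-restoration practice described above is easy to state but often skipped in practice. The following is an added example, not part of the HHS guidance or the original post: it records a SHA-256 manifest of a file tree when a backup is taken and later checks a restored copy against that manifest, reporting files that are missing, altered, or unexpected. The sample records and the simulated damage (one record replaced by an encrypted-looking blob under a new name) are constructed inline for illustration; the file names and the ".locked" extension are assumptions, not indicators from any specific ransomware family.

```python
"""Backup manifest and test-restoration verification.

Added example (not from the HHS guidance or the original post). A manifest
of SHA-256 digests is captured at backup time; a later restore is compared
against it so that silently corrupted, encrypted, or missing files surface
before the backup is needed in earnest.
"""
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large records do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its digest."""
    manifest: dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def verify_restore(manifest: dict[str, str], restored_root: Path) -> dict[str, list[str]]:
    """Compare a restored tree with the manifest captured at backup time.

    Returns three sorted lists: files present in the manifest but absent from
    the restore, files whose content changed, and files that were not backed up.
    """
    actual = build_manifest(restored_root)
    return {
        "missing": sorted(p for p in manifest if p not in actual),
        "changed": sorted(p for p in manifest if p in actual and actual[p] != manifest[p]),
        "extra": sorted(p for p in actual if p not in manifest),
    }


def restore_is_clean(report: dict[str, list[str]]) -> bool:
    """A test restoration passes only when all three discrepancy lists are empty."""
    return not any(report.values())


def demo() -> tuple[dict[str, list[str]], dict[str, list[str]]]:
    """Constructed scenario: a clean restore and a damaged one, returned as two reports."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "ephi"
        source.mkdir()
        # Constructed sample records; no real PHI.
        (source / "patient_001.txt").write_text("constructed sample record 1\n")
        (source / "patient_002.txt").write_text("constructed sample record 2\n")
        manifest = build_manifest(source)

        # Clean restore: an exact copy of the backed-up tree.
        clean = Path(tmp) / "restored_clean"
        clean.mkdir()
        for name in ("patient_001.txt", "patient_002.txt"):
            (clean / name).write_bytes((source / name).read_bytes())
        clean_report = verify_restore(manifest, clean)

        # Damaged restore: second record replaced by random bytes under a new
        # name, mimicking a backup taken after encryption (assumed ".locked" suffix).
        damaged = Path(tmp) / "restored_damaged"
        damaged.mkdir()
        (damaged / "patient_001.txt").write_bytes((source / "patient_001.txt").read_bytes())
        (damaged / "patient_002.txt.locked").write_bytes(os.urandom(64))
        damaged_report = verify_restore(manifest, damaged)

    return clean_report, damaged_report


if __name__ == "__main__":
    clean_report, damaged_report = demo()
    print("clean restore ok:", restore_is_clean(clean_report))
    print("damaged restore report:", damaged_report)
```

The manifest itself should live with the offline backup copy the guidance recommends, not on the network share being backed up; otherwise the same ransomware that encrypts the data can encrypt or delete the evidence that it did.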

Covered entities and business associates should also install protections against malicious software and educate their workforce members on data security practices that can reduce the risk of ransomware, including how to recognize malware-laden emails, the importance of avoiding suspicious websites and compliance with sound password policies.

Lastly, each covered entity or business associate should ensure that its incident response plan addresses ransomware incidents. Many entities have crafted their policies and incident response plans to focus on other more typical daily personal information risks, such as the lost laptop or personal device. A ransomware event should expressly trigger the activities required by the incident response plan, including the requirement to activate the response team, initiate the required investigation, identify appropriate remediation, determine legal and regulatory notification obligations, and conduct post-event review.

Indications of a Ransomware Attack

Indicators of a ransomware attack could include:

  • The receipt of an email from an attacker advising that files have been encrypted and demanding a ransom in exchange for the decryption key
  • A user’s realization that a link that was clicked on, a file attachment opened or a website visited may have been malicious in nature
  • An increase in activity in the central processing unit (CPU) of a computer and disk activity for no apparent reason (due to the ransomware searching for, encrypting and removing data files)
  • An inability to access certain files as the ransomware encrypts, deletes and renames and/or relocates data
  • Detection of suspicious network communications between the ransomware and the attackers’ command and control server(s) (this would most likely be detected by IT personnel via an intrusion detection or similar solution)
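Two of the indicators above, unexplained spikes in disk activity and files becoming inaccessible as they are renamed or deleted in bulk, can be turned into a simple detection rule over file-server audit events. The following is an added example, not part of the HHS guidance or the original post: it parses a constructed audit log format (the `host=... op=... path=... dst=...` layout, the field names, the 60-second window and the threshold of 20 events are all assumptions) and raises an alert for any host that performs a burst of deletions or extension-changing renames within the window. Real audit sources and EDR telemetry use different formats, so the parser and the threshold would need tuning to a given environment.

```python
"""Burst detector for ransomware-like file activity over audit log lines.

Added example (not from the HHS guidance or the original post). The log
format, field names, window and threshold are constructed assumptions.
"""
from __future__ import annotations

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PurePosixPath

# Constructed audit line layout, e.g.
# 2016-07-28T10:15:02Z host=ws-12 user=jdoe op=rename path=/share/r/a.docx dst=/share/r/a.docx.locked
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) op=(?P<op>\w+) "
    r"path=(?P<path>\S+)(?: dst=(?P<dst>\S+))?$"
)
WINDOW = timedelta(seconds=60)   # assumed sliding window
THRESHOLD = 20                   # assumed number of suspicious events per window


def parse_line(line: str) -> dict | None:
    """Parse one constructed audit line; return None for lines that do not match."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    event = match.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def is_suspicious(event: dict) -> bool:
    """Deletions, and renames that change the file extension, count toward a burst.

    Renames that keep the extension (archiving, versioning) are ordinary activity.
    """
    if event["op"] == "delete":
        return True
    if event["op"] == "rename" and event["dst"]:
        return PurePosixPath(event["path"]).suffix != PurePosixPath(event["dst"]).suffix
    return False


def detect_bursts(lines, window: timedelta = WINDOW, threshold: int = THRESHOLD) -> dict[str, int]:
    """Return {host: peak_count} for hosts whose suspicious events within any
    window of the given length reach the threshold."""
    per_host: dict[str, list[datetime]] = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event and is_suspicious(event):
            per_host[event["host"]].append(event["ts"])

    alerts: dict[str, int] = {}
    for host, stamps in per_host.items():
        stamps.sort()
        recent: deque[datetime] = deque()
        peak = 0
        for ts in stamps:
            recent.append(ts)
            while ts - recent[0] > window:      # slide the window forward
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            alerts[host] = peak
    return alerts


def constructed_log() -> list[str]:
    """Constructed sample: one workstation behaving normally, one renaming 25 records in 50 s."""
    lines = [
        "2016-07-28T10:14:00Z host=ws-07 user=asmith op=write path=/share/notes/plan.docx",
        "2016-07-28T10:14:10Z host=ws-07 user=asmith op=rename path=/share/notes/old.docx dst=/share/notes/archive.docx",
        "2016-07-28T10:14:20Z host=ws-07 user=asmith op=delete path=/share/tmp/scratch.tmp",
        "malformed line that the parser must ignore",
    ]
    base = datetime(2016, 7, 28, 10, 15, 0)
    for i in range(25):
        ts = (base + timedelta(seconds=2 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        src = f"/share/records/patient_{i:03d}.docx"
        lines.append(f"{ts} host=ws-12 user=jdoe op=rename path={src} dst={src}.locked")
    return lines


if __name__ == "__main__":
    for host, count in detect_bursts(constructed_log()).items():
        print(f"ALERT {host}: {count} extension-changing renames/deletes within {WINDOW}")
```

A rule like this is a starting point for the intrusion-detection step the bullet list mentions, not a substitute for it: the threshold needs calibrating against normal activity (batch jobs and archive scripts also rename files in bulk), and a hit should feed the incident response plan rather than trigger automated remediation on its own.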

What to Do if Subject to a Ransomware Attack?

A covered entity or business associate that is subject to a ransomware attack may find it necessary to activate its contingency or business continuity plans. Once the contingency or business continuity plan is activated, an entity will be able to continue its day-to-day business operations while continuing to respond to, and recover from, a ransomware attack. The entity’s robust security incident procedures for responding to a ransomware attack should include the following processes to:

  • Activate the entity’s incident response plan and follow its requirements;
  • Notify the entity’s cyber liability insurer as soon as enough information is available to indicate a possible ransomware attack and within any time period required under the applicable policy;
  • Detect and conduct an analysis of the ransomware, determining the scope of the incident and identifying what networks, systems or applications are affected;
  • Determine the origin of the incident (who/what/where/when), including how the incident occurred (e.g., tools and attack methods used, vulnerabilities exploited);
  • Determine whether the incident is finished, is ongoing or has propagated additional incidents throughout the environment;
  • Contain and eradicate the ransomware and mitigate or remediate vulnerabilities that permitted the ransomware attack and propagation;
  • Recover from the ransomware attack by restoring data lost during the attack and returning to “business-as-usual” operations; and
  • Conduct post-incident activities, which could include a deeper analysis of the evidence to determine if the entity has any regulatory, contractual or other obligations as a result of the incident (such as providing notification of a breach of protected health information), and incorporating any lessons learned into the overall security management process of the entity to improve incident response effectiveness for future security incidents.

Additionally, it is recommended that an entity infected with ransomware consult, early on, with legal counsel who can assist with reporting the incident to the extent it is a criminal matter to law enforcement. Counsel frequently have ongoing contacts within the cybercrime units of the Federal Bureau of Investigation (FBI) or the United States Secret Service that may deploy appropriate resources to address the matter and to supply helpful information. These agencies work with federal, state, local and international partners to pursue cyber criminals globally and assist victims of cybercrime. Counsel can advise on the type of information appropriate to disclose to law enforcement, while taking steps to establish and maintain the attorney-client privilege and, if appropriate, the attorney work product protection. Counsel also can assist in preparing communications (e.g., mandatory notifications and reports to senior executives and boards), advise on potential legal exposure from the incident and provide representation in connection with government inquiries or litigation.

If Ransomware Infects a Covered Entity’s or a Business Associate’s Computer System, Is It a Per Se HIPAA Breach?

Not necessarily. Whether or not the presence of ransomware would be a breach under the HIPAA Privacy Rule or HIPAA Security Rule (the HIPAA Rules) is a fact-specific determination. A breach under the HIPAA Rules is defined as, “…the acquisition, access, use or disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI.” A covered entity or business associate should, however, perform a risk assessment after experiencing a ransomware incident to determine if a reportable breach has occurred and to determine the appropriate mitigating action.

If the ePHI was encrypted prior to the incident in accordance with the HHS guidance, there may not be a breach if the encryption that was in place rendered the affected PHI unreadable, unusable and indecipherable to the unauthorized person or people. If, however, the ePHI is encrypted by the ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a “disclosure” not permitted under the HIPAA Privacy Rule.

Thus, in order to determine if the information was acquired and accessed in the incident, additional analysis will be required. Unless the covered entity or business associate can demonstrate that there is a “[l]ow probability that the PHI has been compromised,” based on the factors set forth in the HIPAA breach notification rule, a breach of PHI is presumed to have occurred. If a breach has occurred, the entity must comply with the applicable breach notification provisions under HIPAA and, if applicable, state law.

Does a Ransomware Event Trigger State Data Breach Notification Obligations?

Possibly. In a majority of states, data breach notification requirements are triggered when there is both “unauthorized access” to and “acquisition” of personally identifiable information. Whether a ransomware event meets the access and acquisition elements of these statutes is, as in the HIPAA analysis, a fact-specific determination. If, for example, the hackers were able to move the personally identifiable information from the entity’s network to their own, it is clear that the hackers achieved unauthorized access to and acquisition of the information. State data breach notification laws pertaining to the affected individuals would need to be analyzed and factored into the entity’s overall notification requirements.

Ransomware, though, is usually designed to extort money from victim entities rather than to steal personally identifiable information. If the forensics team can present credible evidence that no personally identifiable information was acquired by the hackers, then these obligations may not be triggered. The forensics team, consistent with the incident response team requirements, should document findings that support a defensible decision under these statutes not to notify affected individuals, in case of a subsequent regulatory investigation or litigation.

In a minority of states, the data breach notification requirements are triggered when there is simply “unauthorized access” to personally identifiable information. This lower standard may mean that the entity must notify its customers of a data breach even when no personally identifiable information is acquired by a hacker. Entities that maintain personally identifiable information of residents of Connecticut, New Jersey and Puerto Rico, for example, may find themselves in the unfortunate position of having to provide data breach notifications even when the information is not acquired by a hacker.

Finally, if the entity is providing services to a business customer, it will need to determine whether it is obligated to notify the business customer (as owner of the affected personal information) of the ransomware attack, taking into account state data breach notification requirements, contractual obligations to notify the business customer and the overall value of the commercial relationship.

Pokémon Go – Staying Ahead of Game and Avoiding Unexpected HIPAA Risks

It was inevitable – Pokémon Go fever has swept the nation, and now little cartoon creatures have found their way into your health care facility.

Wait, what!?

Yes, you read that right, those pesky (or beloved, depending on your point of view) creatures are popping up literally everywhere, and unfortunately hospitals and other health care facilities are no exception. As a result, in addition to keeping up with the various advances in mobile technology related to health care and patient management, health care facilities across the country must now add keeping up with virtual and augmented reality to their to-do lists.

So why should this matter to your health care facility?

Currently, industry trends suggest that hospitals and other health care facilities are taking two divergent views when it comes to this new frontier – (a) asking to be taken off the “map” (i.e., having Pokémon removed from their property), or (b) embracing the game, as it motivates the young (and old) to be active. While the latter could be tempting – and for some facilities with proper controls it could be successful – for most, we recommend taking whatever steps possible to prohibit game play within your health care facility.

Regardless of the road taken by your facility, there are a few key considerations to keep in mind when evaluating potential HIPAA risks related to virtual and augmented reality games, which are only likely to grow substantially in number in the future.

How do Pokémon Go and augmented reality games work?

At first glance, this specific game (which is fairly primitive as augmented reality goes) doesn’t appear problematic from a HIPAA perspective. However, there are some hidden risks. The game’s functionality allows a user to switch between a virtual map and a camera mode that literally shows the Pokémon in the world around the player. The images seen on the player’s phone do not appear to be saved or shared automatically – however, the mobile application does offer the option of taking a photo of what you see from within the app. In a world dominated by social media, this is where the problem arises.

Pokémon Go and other augmented reality games allow a player to engage in a virtual game that takes place in the real world around them. Pokémon Go players are motivated to take photos of their surroundings and share them with third parties and on social media. In a health care environment, this could easily result in a player – whether patient, employee or third-party gamer – inadvertently sharing protected health information (PHI) with all of his or her followers in as little as four clicks from taking a screenshot.

Many hospitals are already dealing with the unintended consequences of individuals playing Pokémon Go and wandering into areas containing sensitive information. Even if photographs are not taken, the mere presence of individuals who are only on premises for the purpose of playing a game heightens potential information privacy and security risks.

What is this picture worth?

Hospitals have learned the hard way the high cost of a HIPAA violation. In April of this year the Department of Health and Human Services, Office for Civil Rights (OCR) reached a $2.2 million settlement with New York Presbyterian Hospital for the filming of “NY Med” on the premises, which resulted in the unauthorized sharing of two patients’ images. OCR also determined that the hospital failed to safeguard health information when it offered the film crew access to an environment where PHI could not be effectively protected.

OCR is likely to follow the same logic in the context of augmented reality games and the potential exposure of PHI to unauthorized parties. Having Pokémon Go players on hospital premises – including patients, visitors, employees and, most especially, those present solely for the purpose of playing the game – could lead to unnecessary HIPAA risks.

Best practices for Pokémon Go and its successors:

  • Take yourself off the “map,” but remember this is not where the story ends: To alleviate a number of risks, you can, of course, submit an online request to Niantic Labs – the creator of Pokémon Go – to be removed as an in-game location. However, this step alone will not be sufficient to end all possible risks related to Pokémon Go and whatever augmented reality game pops up next. It is also notable that the process for removing a location from the game has proven lengthy, so it would be advisable to also take additional steps regarding your stance on Pokémon Go and augmented reality games. To speed up the process, consider writing a formal demand – above and beyond the online system – to have your coordinates removed from game play.

  • Determine your stance on patient play: Aside from hospital policies on visitor and patient cell phone use, determine if your establishment wants to promote patient use of Pokémon Go. Many facilities are finding Pokémon Go to be a valuable tool in promoting exercise and activity – especially after procedures. If your hospital wants to take that approach, consider limiting play to “Pokémon Zones” where PHI is less accessible and adequately protected. However, keep in mind that significant risks remain related to unauthorized individuals gaining access to PHI.

  • Determine if health care providers and hospital staff should be prohibited from playing: Reevaluate your social media and bring-your-own-device policies to determine if augmented reality games such as Pokémon Go need to be specifically addressed. The player base of Pokémon Go appears to be growing exponentially, and it is highly unlikely that facilities’ employees are not among those playing or considering playing. While taking photographs is often prohibited in hospital settings, make sure the policy is clear that the prohibition applies to photos in the augmented reality space. Take the opportunity to clarify and reiterate acceptable social media practices. Also, if your hospital is creating “Pokémon Zones,” stress to health care providers and staff that this applies to them as well.

While Pokémon Go took over the scene almost literally overnight, this is just a glimpse of what the future holds. As augmented reality mobile applications and games become even more popular, and more immersive, these issues are bound to come up again and reinvent themselves in the form of new challenges. Now is the time to determine your organization’s policy on augmented reality and revisit social media and BYOD policies. Pokémon Go may or may not be here to stay – but it is definitely not one of a kind.

©2016 Drinker Biddle & Reath LLP. All Rights Reserved