Category: Health Care Law

Recent Data Breach Reports: And the Hits Keep on Coming….

Mintz Logo

The ”hits” to data bases, in any event.   Here is a rundown of some of the most recent data breach reports –

Oregon Health & Science University Data Breach Compromises 3,000 Patients’ Records in the Cloud.

Modern Healthcare (subscription may be required) reports that the Oregon Health & Science University announced it is “notifying more than 3,000 of its patients of a breach of their personally identifiable information after their data were placed by OHSU resident physicians on a pair of Google’s cloud-based information-sharing services.” The data breach, which involves “patients’ names, medical record numbers, dates of service, ages, diagnoses and prognoses and their providers’ names” posted to Gmail or Google Drive, was discovered in May by an OHSU faculty member.  According to  Healthcare IT News, this is OHSU’s “fourth big HIPAA breach since 2009 and third big breach just in the past two years, according to data from the Department of Health and Human Services.”

Citigroup Reports Breach of Personal Data in Unredacted Court Filings; Settles with Justice Department

American Banker reports that Citigroup recently admitted having failed to safeguard the personal data (including birthdates and Social Security numbers) of approximately 146,000 customers who filed for bankruptcy between 2007 and 2011. Citi apparently failed to fully redact court records placed on the Public Access to Court Electronic Records (PACER) system. “The redaction issues primarily resluted from a limitation in the technology Citi had used to redact personally identifiable information in the filings,” Citi said in a statement. “As a result of this limitation in technology, personally identifiable information could be exposed and read if electronic versions of the court records were accessed and downloaded from the courts’ online docket system and if the person downloading the information had the technical knowledge and software to restore the redacted information.”

In a settlement with the Justice Department’s U.S. Trustee Program, Citi has agreed to redact the customer information, notify all affected debtors and third parties, and offer all those affected a year of free credit monitoring.

University of Delaware Reports Cyberattack – 72,000 Records Affected

The University of Delaware is notifying the campus community that it has experienced a cyberattack in which files were taken that included confidential personal information of more than 72,000 current and past employees, including student employees. The confidential personal information includes names, addresses, UD IDs (employee identification numbers) and Social Security numbers.

Stanford University Reports Hack – Investigating Scope

Stanford University has announced that its information technology infrastructure has been breached, “similar to incidents reported in recent months by a range of companies and large organizations in the United States,” according to a Stanford press release. Though the school does not yet “know the scope of the intrusion,” an investigation is underway. “We are not aware of any protected health information, personal financial information or Social Security numbers being compromised, and Stanford does not conduct classified research.”

Japan’s Railway Company Apologizes for Unauthorized “Sharing”

The Wall Street Journal reported yesterday (registration may be required) that Japan’s national railway system has apologized for sharing its passengers’ travel habits and other personal information with a pre-paid fare card system without user consent, The Wall Street Journal reports. East Japan Railway admitted to selling the data to Suica—one of the pre-paid card businesses. The data included card holders’ ID numbers, ages, genders and where and when passengers got on and off the train. A transportation ministry official, however, said they will not investigate the issue for privacy violations because the railway company “told us that it wasn’t personal information, as it didn’t include names and addresses of users.” The Ministry of Internal Affairs and Communications is looking into the issue and has set up a team to research the matter, the report states.

Article By:

 of

Health Resources and Services Administration (HRSA) Publishes Orphan Drug Rule for 340B Program

Morgan Lewis logo

Rule requires most manufacturers to change government pricing methodologies, calculations, and systems.

On July 23, the Health Resources and Services Administration (HRSA) of the U.S. Department of Health and Human Services (HHS) published a regulation[1] increasing the number of entities to which pharmaceutical manufacturers must sell orphan drugs at statutory ceiling prices under the 340B drug discount program, and complicating the determination of eligibility to purchase these drugs at the 340B price. This regulation conditions the ability of certain hospitals to purchase orphan drugs at the 340B price on implementation of costly new systems for tracking drug use and requires virtually every brand drug manufacturer to change its government pricing methodologies, calculations, and systems.

340B Program Background

The 340B drug discount program is a voluntary program created by section 340B of the Public Health Service Act, 42 U.S.C. § 256b, and implemented through a pharmaceutical pricing agreement (PPA) between manufacturers and HHS. Manufacturers opt into the program by signing these agreements and assuming the obligations set forth in their terms, which are specified by statute and linked, in many respects, to the terms of the Medicaid drug rebate statute. At the core of the agreement is the obligation to charge covered entities no more than a statutory ceiling price for drugs covered by the statute, which are defined by the term “covered outpatient drug” in the Medicaid statute.

Section 7101 of the Affordable Care Act (ACA) expanded the categories of hospitals eligible to purchase at the 340B ceiling price to include freestanding cancer hospitals, sole community hospitals, rural referral centers, and critical access hospitals. The ACA, as amended, simultaneously limited these hospitals’ participation in the program by excluding “a drug designated by the Secretary [of HHS] under section [526 of the Federal Food, Drug, and Cosmetic Act (FFDCA)] for a rare disease or condition”[2] from the definition of “covered outpatient drug.”

Orphan Drug Rule

HRSA’s regulation, codified at 42 C.F.R. part 10, includes a new section 10.21 (the Final Rule or the Orphan Drug Rule), which establishes standards for determining when the statutory exclusion applies, i.e., when a drug designated under section 526 is excluded from the definition of “covered outpatient drug.”[3]

The Final Rule interprets the statutory exclusion from manufacturers’ obligations under their pharmaceutical pricing agreements as being limited to purchases of designated drugs when used by their customers to treat orphan indications. As a result of this regulatory limitation, the Final Rule requires manufacturers to charge the newly added hospitals no more than the statutory ceiling price for drugs designated as orphan drugs when these drugs are used for nonorphan indications. At the same time, the Final Rule allows an affected hospital to purchase drugs at the 340B price only if the hospital has developed a system for tracking outpatient use of a purchased drug that satisfies the requirements of the Final Rule.

HRSA’s regulatory requirements are predicated on an interpretation of congressional intent underlying this provision of the ACA, which ties the definition of “covered outpatient drug” under the 340B drug discount program to the scope of other unrelated benefits of orphan drug designation, such as marketing exclusivity and tax credits. However, there are other indicia that Congress did not intend the orphan drug exclusion to be as narrow as HRSA has now declared through rulemaking. When asked to clarify the scope of the exclusion for all the newly added hospitals, Congress instead removed children’s hospitals (originally subject to the orphan drug exclusion in the ACA) from the provision and restated the exclusion for the rest.[4]

Legislative Rulemaking Authority

Congress has not yet delegated authority to HRSA to promulgate substantive regulations that set standards for determining the scope of manufacturers’ obligations under the statute or that impose new duties on manufacturers not specified in the terms of their agreements. The only authority that Congress has previously delegated to HRSA to promulgate regulations is the limited authority provided in section 7102 of the ACA, which allows HRSA to issue the following: 1) regulatory standards and methodology for calculating ceiling prices; 2) regulations establishing standards for the imposition of civil monetary penalties; and 3) a regulation establishing an administrative process for the resolution of claims.

HRSA has called the Orphan Drug Rule a “clarification” of the statutory exclusion; however, the rule imposes new obligations on all stakeholders. It requires manufacturers to include in the program drugs designated under section 526 of the FFDCA and concurrently allows affected hospitals to purchase them at the 340B price, under certain circumstances, and then establishes standards and requirements for determining those circumstances.

340B Entity Implementation Issues

In order to ensure that drugs used by covered entities for orphan diseases or conditions are excluded, the Final Rule provides that covered entities may not purchase designated orphan drugs for nonorphan indications under the 340B drug discount program unless they provide HRSA with assurances that they have systems capable of identifying and tracking the use of designated drugs in treating their patients and transmitting the data to their purchasing systems. Thus, a sale of a particular drug to a particular affected hospital could be classified as purchased under the 340B program or outside the 340B program, depending on whether the purchaser 1) has informed HRSA that it has a system capable of complying with the rule’s requirements and 2) uses the drug to treat a patient for an orphan disease or condition.

Because the 340B program is an outpatient program only, hospitals must distinguish between drugs purchased for inpatient and outpatient purposes. HRSA allows hospitals to have a single physical inventory and maintain separate accounts for inpatient purchases and outpatient purchases, and many hospitals have split-billing systems that order 340B drugs only as needed under the program. The same rules apply when contract pharmacies order drugs to fill prescriptions of 340B hospital patients and the hospital purchases drugs to replenish the pharmacy’s inventory.

However, hospitals’ existing 340B purchasing systems and pharmacy prescription data do not currently include hospital billing codes or other information from patients’ medical records indicating the diseases or conditions for which drugs are prescribed. Thus, it may be some time before hospitals seeking to purchase orphan drugs for nonorphan indications at 340B prices are able to comply with the requirements of the Orphan Drug Rule. Due to the difficulties in satisfying the requirements, some affected hospitals may choose to purchase all of their orphan drugs outside the 340B program if they cannot or do not wish to develop a compliant tracking system. Alternatively, some hospitals may choose to have certain of their facilities purchase outside the 340B program.

The Orphan Drug Rule provides for acceptable “alternate” tracking systems if HRSA approves such systems, but the rule does not provide hospitals with the standards for what would be acceptable to ensure compliance. It also does not appear that manufacturers will have any advance insight into the systems or an opportunity to comment on them. Additionally, the Final Rule does not offer assistance to stakeholders on how contract pharmacies can ascertain from prescription information whether a patient of a 340B hospital has been prescribed a drug to treat an orphan indication or some other indication.

Alternatives for Hospitals 

Hospitals affected by the Orphan Drug Rule, such as rural referral centers, may also qualify for 340B participation as disproportionate share hospitals, which are not subject to the rule. In that case, they may choose not to satisfy the requirements of the rule (applicable to rural referral centers) but would be prohibited from purchasing outpatient drugs outside the program, such as those carved out for Medicaid, through group purchasing organization (GPO) agreements (applicable to disproportionate share hospitals).

For most of the new categories of hospitals, individual entities may purchase orphan drugs outside the program under GPO agreements and benefit from the discounts available through those agreements. Thus, they are not disadvantaged by the 340B drug discount program if they cannot or are unwilling to satisfy the requirements to purchase orphan drugs under the program. However, for freestanding cancer hospitals, the Final Rule maintains the statutory prohibition against purchasing covered outpatient drugs through GPO arrangements. If these hospitals do not comply with the regulatory requirements, they must purchase orphan drugs in the open market or negotiate contracts with manufacturers.

Manufacturer Government Pricing System Issues

Based on the Final Rule, the classification of a manufacturer’s sale as a 340B program sale for purposes of the manufacturer’s drug price reporting obligations depends on each eligible hospital’s compliance with the rule’s requirements. That means a manufacturer’s operations must code each affected hospital and, in some cases, facilities within a medical center to determine whether the purchase of an orphan drug for a nonorphan indication is under the program or outside the program. These codings can change quarter to quarter as 340B hospital entities elect either to start or stop using the required tracking systems. Likewise, wholesalers processing invoices must be provided with information that allows them to know when a hospital is eligible to order an orphan drug under the 340B agreement at statutory ceiling prices (as opposed to under a GPO agreement, other contract, or open market), and the manufacturer’s chargeback validation system must be able to differentiate as well. Otherwise, a manufacturer could easily and inadvertently provide 340B pricing outside the program, which could trigger a best price under the Medicaid drug rebate program and simultaneously drive down the quarterly 340B statutory ceiling price. Many manufacturers’ current government pricing systems seek to identify best price-eligible sales at the class-of-trade level, with sales of orphan drugs to 340B entities coded for inclusion in best price, while sales of nonorphan drugs to these same entities are excluded from best price. Manufacturers of orphan drugs must now develop solutions that permit identification of the eligible and ineligible price points necessitated by the Final Rule.

Since the inception of the Medicaid drug rebate program, the Centers for Medicare and Medicaid Services (CMS) has refused to consider all transactions with covered entities to be exempt from best price and—in the absence of a clear statutory provision, such as the exemption of inpatient drug prices paid by disproportionate share hospitals—it is risky for manufacturers to assume all outpatient sales of orphan drugs to 340B eligible hospitals will be exempt from best price. Currently, for example, CMS’s proposed government pricing rule excludes from best price only “[p]rices charged under the 340B drug pricing program to a covered entity described in section 1927(a)(5)(B) of the Act.”[5]

Off-Label Use

The Final Rule does not answer comments about concerns with off-label use. The Final Rule states that a drug must be approved by the Food and Drug Administration for marketing to be in the program; however, it does not answer the question of whether a drug should be excluded if it is designated for an orphan indication, approved only for a nonorphan indication, but used by a covered entity off-label for the designated orphan indication. The Final Rule also does not indicate whether a manufacturer with a product approved only for an orphan indication will be deemed to be selling the product to a hospital for off-label use if it provides the 340B price for that off-label nonorphan use.

Implications

Hospitals added to the 340B program by the ACA (other than children’s hospitals) need to review their existing systems and modify them to satisfy their obligations under the Final Rule before they can purchase orphan drugs under the program. Manufacturers need to review their drug price reporting systems to ensure they are able to identify when a covered hospital is purchasing orphan drugs outside the program to avoid inadvertently setting their best price at the 340B price.

[1]. Exclusion of Orphan Drugs for Certain Covered Entities Under 340B Program, 78 Fed. Reg. 44,016 (July 23, 2013) (to be codified at 42 C.F.R. pt. 10), available here.

[2]. 42 U.S.C. § 256b(e).

[3]. Exclusion of Orphan Drugs, supra note 1.

[4]See Medicare and Medicaid Extenders Act of 2010, Pub. L. 111-309, § 204.

[5]. Medicaid Program; Covered Outpatient Drugs 77 Fed. Reg. 5318, 5363 (Feb. 2, 2012) (emphasis added), available here.

Article By:

Health Care Reform Update – Week of July 29, 2013

Mintz Logo

Leading the News

Senate HELP Updates Track-and-Trace, Compounding Proposals

On July 24th, the Senate Health, Education, Labor, and Pensions (HELP) Committee released updates to its drug compounding and track and trace legislation. Committee Chairman Tom Harkin (D-IA) and Ranking Member Lamar Alexander (R-TN) say they hope the Senate will pass the measure by unanimous consent in the near future. On July 25th, the Congressional Budget Office (CBO)indicated the bill would have virtually no impact on the federal budget.

House Energy and Commerce Subcommittee Advances SGR Bill

On July 24th, the House Energy and Commerce Subcommittee on Health passed by voice vote a bill to repeal the sustainable growth rate (SGR) Medicare physician payment method. The bill now moves to the full committee, which will consider a repeal of the SGR on July 31st. Rep. Michael Burgess (R-TX) suggested the committee will support the bill, but he said the legislation could become part of larger budget negotiations near the end of 2013.

Implementation of the Affordable Care Act

On July 22nd, Republicans on the House Ways and Means Committee sent a letter to Treasury Secretary Lew requesting information regarding a delay of the ACA employer mandate. The letter criticizes testimony provided by Treasury official Mark Iwry in previous committee hearings, stating he failed to provide sufficient information.

On July 22nd, House and Senate Republicans sent a letter to HHS Secretary Sebelius that urges a release of information regarding health insurance premiums in 34 states taking part in the ACA federal and federal-state partnership exchanges.

On July 23rd, while speaking with members of the National Council of La Raza, First Lady Michelle Obama urged supporters to go out and inform their families and friends about the facts regarding the implementation of the ACA.

On July 23rd, the Government Accountability Office (GAO) issued a report on pre-ACA base insurance premium rates. The report was requested by Senator Orrin Hatch (R-UT).

On July 24thRep. Diane Black (R-TN) introduced H.R. 2775, a bill to prohibit ACA subsidies from being provided to Americans until a system is in place to verify the financial standing of individuals applying for subsidies.

On July 24th, the American Medical Association (AMA) and the American Hospital Association (AHA) called on HHS to delay Stage Two requirements relating to the development of meaningful use of electronic health records (EHRs). The AMA and AHA suggest Stage Two should be delayed by one year to provide flexibility to small and rural providers.

On July 25th, during a Senate Small Business Committee hearing on the implementation of the ACA, Senator Mary Landrieu (D-LA)said she understands some business owners are harmed by coverage mandates of the law. Senator Landrieu said she is open to exploring ACA changes that will avoid harming business owners.

On July 25th, Speaker of the House John Boehner (R-OH) said no decision has been made on if Republicans will use a continuing resolution to block additional funding for ACA implementation and enforcement.

On July 26th, CMS announced a moratorium on enrollment of home health agencies in Miami and Chicago and a temporary halt on ambulance suppliers in Houston.

On July 26thMaryland released premium rates for individual health insurance to be sold on the state’s ACA exchange. Nine carriers will offer plans through the exchange.

Other HHS and Federal Regulatory Initiatives

On July 22nd, the Food and Drug Administration (FDA) provided Teva Pharmaceuticals exclusive rights until 2016 to sell its Plan B One-Step emergency contraception over the counter and without age restrictions.

On July 22nd, CMS announced the suspension of the National Average Retail Prices (NARP) survey, which provided pricing information on over 4,000 common drugs.

On July 23rd, the U.S. District Court of Appeals for D.C. ruled that the HHS Secretary is able to delegate his or her authority to outside contractors.

On July 23rd, HHS issued a final rule that orders discounts for orphan drugs, which are often used to treat rare conditions, to apply when used to treat non-orphan conditions.

On July 26th, the FDA released two proposed rules to regulate the safety of imported food. The first rule is available here, and the second rule can be found here.

Other Congressional and State Initiatives

On July 24th, the House Appropriations Labor-HHS Subcommittee delayed a markup of the FY 2014 appropriations bill that was scheduled for July 25th. A spokesperson for the full committee indicated scheduling conflicts resulted in the delay.

On July 25th, the CBO wrote a letter noting the Senate’s immigration bill, S. 744, will reduce deficits largely because of cash flows related to Social Security and Medicare Part A.

Other Health Care News

On July 24th the Institute of Medicine (IOM) published a report on the variation in health care spending among Medicare beneficiaries.

Hearings and Mark-Ups Scheduled

Senate

On July 30th, the Senate Budget Committee will conduct a hearing to examine containing health care costs.

On July 31st, the Senate Environment and Public Works Committee will conduct a hearing to examine toxic chemical threats and public health protections.

House of Representatives

On July 30th, the House Energy and Commerce Committee will conduct a markup of legislation to reform the sustainable growth rate (SGR) Medicare physician payment method. The markup is scheduled to continue on July 31st.

On July 31st, the House Ways and Means Health Subcommittee will hold a hearing to analyze the Obama administration’s authority to offer tax credits through the ACA exchanges.

On July 31st, the House Science Research and Technology Subcommittee will hold a hearing on the frontiers of human brain research.

On August 1st, the House Ways and Means Committee will hold a hearing to analyze the implementation of the ACA.

On August 1st, the House Energy and Commerce Committee will hold hearing to understand the latest issues relating to the implementation of the ACA. 

David Shirbroun also contributed to this update.

Article By:

of

Health Resources and Services Administration (HRSA) Clarifies 340B Orphan Drug Exception But 340B Audit Enforcement Remains Murky

McDermottLogo_2c_rgb

Recently, HRSA publicly announced the issuance of a final rule clarifying when 340B covered entities can purchase and distribute orphan drugs through the 340B Drug Pricing Program.  Separately, HRSA quietly posted a report on its completed audits of 340B covered entities through July 12, 2013.  While the new rule does shed light on when 340B entities can purchase orphan drugs at 340B discounted prices, the new audit report keeps 340B entities in the dark on HRSA enforcement of established regulatory violations.

Orphan Drugs

The Orphan Drug Act specifies that drugs used to treat a specific rare condition or disease, such as ALS or Huntington’s disease, qualify as orphan drugs, and provides incentives for manufacturers of such drugs.  The FDA designates which drugs qualify as orphan drugs.

The Affordable Care Act excludes orphan drugs from 340B pricing, but does not provide specifics on the breadth of the exclusion.  The new 340B rule, which will go into effect October 1, 2013, specifies that the orphan drug exclusion only applies to three types of qualified 340B covered entities:

  • Free standing cancer hospitals
  • Critical access hospitals, and
  • Rural referral and sole community hospitals.

Other types of covered entities can still purchase orphan drugs at 340B prices, as long as the entity is in compliance with other conditions of the 340B program.

Under the final rule, the orphan drug exception is only applicable to the three types of entities if the drug at issue is designated as orphan by the FDA and is being transferred, prescribed or sold for the rare condition or disease for which it was designated as orphan by the FDA.  So, for example, if drug X is designated as orphan for treatment of ALS, but is also FDA-approved to treat anorexia, it may be purchased at 340B discounts to dispense to anorexia patients.

A word of warning – providers can potentially qualify as a 340B covered entity under more than one of the eligibility classifications.  Going forward, HRSA will require that each covered entity designate itself as a single type of covered entity and abide by all governing regulations specific to that type of entity.   Providers will want to consider the applicability of the orphan drug exception when deciding which type of entity they will be for 340B purposes.

Audit Update

HRSA did not announce that it posted a report on completed FFY 2012 program audits through July 12, 2013.  While there is some interesting information in the report, the report is more striking for what it doesn’t say.

The report reflects:

  • HRSA completed a total of 34 FFY 2012 audits.
  • HRSA conducted audits of 340B covered entities in 20 different states:  5 audits in Texas, 3 in Georgia and Illinois, and 2 in California, Florida, Kentucky, Washington and Wisconsin, and multiple states had only 1 reported audit.
  • Half of the audits had no adverse findings and half had 1 or more adverse findings.
  • The most common adverse finding was dispensing drugs to ineligible patients, this included situations involving ineligible sites and or use of ineligible providers.
  • The second most common finding was a violation of the duplicate discount prohibition through Medicaid billings.
  • The third most common adverse finding was inaccurate record entries, involving incorrect addresses, listing of closed facilities, or use of an unlisted contract pharmacy.

The report does not reflect the total number of entities audited during FFY 2012 or how many audits are yet to be completed.

In several audits where the only listed violation involved an incorrect record regarding a site or contact, no sanction was imposed and corrective action was either limited to correction of the database or is pending.  But where the inaccurate record included use of an unlisted contract pharmacy, or where there were other findings regarding ineligible patients or duplicate discounts, sanctions are reported as “to be determined” and corrective action remains “pending.”

So we know HRSA is actively auditing 340B entities and the activities it finds problematic, but we still don’t know what they are going do about those activities.

Centers for Medicare and Medicaid Services (CMS) Spells Out Requirements in New Rule for Consumer Helpers in Insurance Exchanges

Barnes & Thornburg

Amid ongoing political debate about implementation of the Affordable Care Act and the ability of average Americans to understand the complexities of the health reform law, the Centers for Medicare and Medicaid Services on July 12, 2013 released a final rule that sets forth requirements for different types of entities and individuals who will aide consumers in learning about and enrolling in health coverage plans on insurance marketplaces created by the law, called exchanges.

The rule distinguishes between three categories of consumer helpers: “navigators,” “non-navigator assistance personnel,” and “certified application counselors.” All three types, which may include community nonprofit organizations and their staffs, and other entities and individuals, will perform similar functions, such as helping consumers establish their eligibility for coverage on an exchange and enrolling them where eligible. The primary differences lie in how they are funded and in the exchanges in which they will provide assistance. Navigators will provide assistance in all exchanges—federal exchanges, state exchanges, and federal-state partnership exchanges—and will be funded by federal and state grants. Non-navigator assistance personnel will provide assistance in federal-state partnership exchanges and optionally in state exchanges, and will be funded through separate state-administered grants or contracts. Certified application counselors will provide assistance in all exchanges and will not receive exchange-related funds (although they may receive funds from other federal programs).

The rule lays out standards with which navigators and non-navigator assistance personnel must comply. These standards include conflict-of-interest standards that limit affiliations with insurance companies and standards governing certification, recertification, and training in particular subjects. The rule establishes additional standards to ensure that the services of navigators and non-navigator assistance personnel are culturally and linguistically appropriate and also accessible to the disabled.

As to certified application counselors, the rule authorizes exchanges to designate an organization to certify its staff members or volunteers as application counselors, or to directly certify these individuals, who in both cases must comply with certification standards similar to those applicable to navigators and non-navigator assistance personnel. Correspondingly, the rule requires withdrawal of an organization’s designation or a counselor’s certification in the event of noncompliance with the rule. Finally, the rule requires that certain information about certified application counselors be available to health coverage applicants, and it prohibits the imposition of any charge on applicants for application or other exchange-related assistance.

The rule takes effect on August 12, 2013.

Article By:

 of

Insurer Enters Into $1.7 Million Health Insurance Portability and Accountability Act (HIPAA) Settlement

vonBriesen

The U.S. Department of Health and Human Services (HHS) announced yesterday that it has entered into a resolution agreement with a national managed care organization and health insurance company (hereinafter “Company”) to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Investigation and Resolution Agreement

The HHS Office for Civil Rights (OCR) conducted an investigation after receiving the Company’s breach report, a requirement for breaches of unsecured protected health information (PHI) pursuant to the Health Information Technology for Economic Clinical Health Act (HITECH) Breach Notification Rule.

The investigation indicated that the Company had not implemented appropriate administrative and technical safeguards required by the Security Rule; and as a result, security weaknesses in an online application database left electronic PHI (ePHI) of 612,042 individuals unsecured and accessible to unauthorized individuals over the internet. PHI at issue included names, dates of birth, addresses, social security numbers, telephone numbers, and health information. Specifically, with regard to ePHI maintained in its web-based application database, the Company did not:

  1. Adequately implement policies and procedures for authorizing access to ePHI;
  2. Perform an adequate technical evaluation in response to a software upgrade affecting the security of ePHI; or
  3. Adequately implement technology to verify the identity of the person/entity seeking access to ePHI.

HHS and the Company entered into a resolution agreement, and the Company agreed to pay a $1.7 million settlement.  Notably, the resolution agreement did not include a corrective action plan for the Company.

Stepped up Enforcement

Beginning with the September 23, 2013 Omnibus Rule compliance date, HHS will have direct enforcement authority over business associates and subcontractors.  The settlement is an indication that HHS will not hesitate to extend enforcement actions to business associates and subcontractors.

The settlement is also a reminder of HHS expectations regarding compliance with HIPAA and HITECH standards.  HHS noted “whether systems upgrades are conducted by covered entities or their business associates, HHS expects organizations to have in place reasonable and appropriate technical, administrative and physical safeguards to protect the confidentiality, integrity and availability of electronic protected health information – especially information that is accessible over the Internet.”

More information regarding the Omnibus Rule and its expanded liability is available here.

Article By:

 of

What Have We Learned from Audits under the Medicare Electronic Health Record (EHR) Incentive Program?

McDermottLogo_2c_rgb

Through the first half of this year, the Centers for Medicare & Medicaid Services auditor has conducted numerous pre- and post-payment audits of meaningful use attestations submitted by eligible providers to the Medicare Electronic Health Record Incentive Program.  This newsletter provides an overview of pre- and post-payment audit activity as well as recommendations for how Eligible Providers should prepare themselves for audits.

Through the first half of this year, Figliozzi & Company (Figliozzi), the audit contractor for the Medicare Electronic Health Record (EHR) Incentive Program (EHR Incentive Program), has conducted numerous pre-payment and post-payment audits of meaningful use attestations submitted by eligible professionals, eligible hospitals and critical access hospitals (collectively, Eligible Providers).  This experience navigating pre-payment and post-payment audits has generated several recommendations that Eligible Providers should consider, whether or not they are under audit.

The following sections of this On the Subject provide an overview of Medicare EHR Incentive Program pre- and post-payment audit activity, an overview of the more recently implemented pre-payment audit program and recommendations for how Eligible Providers should prepare themselves for audits.

Overview of Incentive Program Audit Activity

The Centers for Medicare & Medicaid Services’ (CMS) EHR Incentive Program regulations authorize CMS to review an Eligible Provider’s meaningful use attestation to determine whether the Eligible Provider has met the requirements for an incentive payment.  Since its inception, CMS has incorporated automatic pre-payment edit checks into the EHR Incentive Program attestation and payment systems.  According to a February 2013 publication from CMS titled “EHR Incentive Programs Supporting Documentation for Audits” (CMS Audit Publication), CMS uses such pre-payment edit checks “to detect inaccuracies in eligibility, reporting and payment.”  Beginning with attestations submitted in January 2013, CMS also conducts pre-payment audits, which are “random and may target suspicious or anomalous data.”

In addition to pre-payment edit checks and audits, CMS also conducts post-payment audits, amounting to approximately 5 percent to 10 percent of Eligible Providers receiving incentive payments.  Eligible Providers selected for post-payment audits must present supporting documentation to validate their submitted attestation data, and CMS will withhold payment of the incentive payment for the Eligible Provider’s subsequent EHR incentive payment year until the audit is resolved.

Pre-Payment Audit Program

Implementation of pre-payment audits was widely anticipated in response to criticism from the Department of Health and Human Services Office of Inspector General (OIG).  In November 2012, the OIG released a report titled “Early Assessment Finds That CMS Faces Obstacles in Overseeing the Medicare EHR Incentive Program” (OIG Report).    The OIG Report noted that “CMS does not verify the accuracy of professionals’ or hospitals’ self-reported meaningful use information prior to payment.”

In recommending pre-payment audits, the OIG Report states that “[a]lthough CMS is not required to verify the accuracy of this information prior to payment, doing so would strengthen its oversight of the anticipated $6.6 billion in incentive payments.  Verifying self-reported information prior to payment could also reduce the need to identify and recover erroneous payments after they are made.”

CMS initially resisted the implementation of pre-payment audits in an October 2012 letter from CMS Acting Administrator Marilyn Tavenner to the OIG, speculating that implementation of pre-payment audits could significantly delay payments to Eligible Providers and, further, that requesting additional documentation from Eligible Providers would also impose an increased upfront burden.

Notwithstanding the initial resistance, CMS began conducting pre-payment audits for attestations submitted in 2013.  Figliozzi, which was previously appointed as a CMS contractor for purposes of conducting post-payment audits, conducts pre-payment audits on behalf of CMS.

As with the post-payment audits, CMS intends to conduct pre-payment audits of approximately 5 percent to 10 percent of Eligible Providers submitting attestations for meaningful use; according to the CMS Audit Publication, some Eligible Providers will be selected at random, while others will be audited based on submission of “suspicious or anomalous data.”  Given the unrelated process for selecting Eligible Providers for pre- and post-payment audits, it is possible that CMS may audit up to 20 percent of Eligible Providers submitting attestations for meaningful use in a given year.

Eligible Providers selected for pre-payment audits must present supporting documentation to validate data submitted during attestation before CMS will release their incentive payments.  The CMS regulations for the Medicare and Medicaid Program provide that Eligible Providers must keep documentation supporting their demonstration of meaningful use for six years.

Pre-Payment Audit Preparation Best Practices

Based on Eligible Providers’ experience with the pre-payment and post-payment audits, we recommend the following practices to improve the chance of a successful audit:

  • Understand Core and Menu Set Measures.  An Eligible Provider should review and be familiar with the specification sheets and frequently asked questions (FAQs) for the core and menu set meaningful use measures published by CMS on the EHR Incentive Program website.  The specification sheets and FAQs resolve many ambiguities created by the measures themselves and the auditors rely upon them as interpretive guidance to the measures.
  • Use Multi-Disciplinary Teams.  Eligible Providers should utilize a multi-disciplinary team of information technology and clinical personnel for the implementation and management of their EHR systems and meaningful use requirements to ensure the system is properly configured for measures (such as the drug-drug and drug-allergy interaction checks measure) that simply require functionality to be activated during the Eligible Provider’s meaningful use reporting period.
  • Documenting Measure Compliance.  Eligible Providers should retain documentation for each of the measures.  Such documentation may include: dated screen captures that demonstrate the Eligible Provider met the measure during the reporting period or otherwise by the applicable deadline, security risk assessment reports or an e-mail from an immunization registry confirming receipt.
  • Security Assessment. If an Eligible Provider relies upon a vendor hosting its EHR to conduct the security risk analysis required for the protection of electronic health information meaningful use measure, then the Eligible Provider should request a letter from the vendor stating the timing of the vendor’s assessment in order to demonstrate that the security assessment was completed before the end of the Eligible Provider’s meaningful use reporting period.
  • Certification of EHR System.  Eligible Providers should be prepared to provide documentation that they have implemented the version of a vendor’s EHR that has been certified as supporting meaningful use by the Office of the National Coordinator for Health Information Technology rather than an earlier uncertified version.  Eligible Providers using an EHR system that is provided on a “software-as-a-service” (SaaS) basis or otherwise from a cloud environment should be prepared for the auditor to request verification regarding the version number of the EHR system in use during the applicable reporting period.  Eligible Providers must obtain such verification from their EHR vendor and, as such, should maintain a relationship with an appropriate contact person at the vendor.  Eligible Providers should also monitor upgrades and version changes pushed by EHR vendors to ensure any upgrade does not affect the certified status of the EHR technology.  A significant change to an EHR system may require the vendor to seek re-certification of the system.
Article By:

 of

2013 Family and Medical Leave Act (FMLA) Amendments: Have you Complied?

Odin-Feldman-Pittleman-logo

In February 2013, the U.S. DOL published the Final Rule implementing statutory changes to the Family and Medical Leave Act of 1993 (FMLA).  The final rule expanded the military family leave provisions, among other changes.  The following chart was adapted from the DOL’s Wage and Hour Division website and shows a side-by-side comparison of the salient provisions of the current regulations:

Qualifying Exigency Leave (§ 825.126)
2008 Regulations 2013 Regulations
An eligible employee may take FMLA leave for qualifying exigencies arising out of the fact that the employee’s spouse, son, daughter or parent (the covered military member) is on active duty or has been notified of an impending call or order to   active duty in support of a contingency operation.

Eligible employees may take qualifying exigency leave for any of the
following reasons:

(1) short notice deployment; (2) military events and related activities; (3) childcare and school activities; (4) financial and legal arrangements; (5) counseling; (6) rest and recuperation; (7) post-deployment activities; and (8) additional activities.

Employees who request qualifying exigency leave to spend time with a military member on Rest and Recuperation leave may take up to five days of leave.

 “Covered military   member” is now “military member” and includes both members of the National Guard and Reserves and the Regular Armed Forces.

“Active duty” is now “covered active duty” and requires deployment to a foreign country.

A new qualifying exigency leave category for parental care leave is added.  Eligible employees may take leave to care for a military member’s parent who   is incapable of self-care when the care is necessitated by the member’s covered active duty. Such care may include arranging for alternative care, providing care on an immediate need basis, admitting or transferring the parent to a care facility, or attending meetings with staff at a care facility.

The amount of time an eligible employee may take for Rest and Recuperation qualifying exigency leave is expanded to a maximum of 15 calendar days.
 

Military Caregiver Leave (§ 825.127)
2008 Regulations 2013 Regulations
An eligible employee who is the spouse, son, daughter, parent, or next of kin of a covered servicemember (a current servicemember) of the Armed Forces, including National Guard and Reserve members, with a serious injury or illness incurred in the line of duty on active duty for which the servicemember is undergoing medical treatment, recuperation, or therapy, is otherwise in outpatient   status, or is otherwise on the temporary disability retired list, may take up to 26 work weeks of FMLA leave to care for the servicemember in a single 12-month period. The definition of covered servicemember is expanded to include covered veterans who are undergoing medical treatment, recuperation, or therapy for a serious injury or illness.

A covered veteran is an individual who was discharged or released under conditions other than dishonorable at any time during the five-year period prior to the first date the eligible employee takes FMLA leave to care for the covered veteran.

The period between enactment of the FY 2010 NDAA on October 28, 2009 and the effective date of the 2013 Final Rule is excluded in the determination of the five-year period for covered veteran status.
 

Serious Injury or Illness for a Current Servicemember (§ 825.127)
2008 Regulations 2013 Regulations
A serious injury or illness means an injury or illness incurred by a covered servicemember in the line of duty on active duty that may render the servicemember medically unfit to perform the duties of his or her office, grade, rank, or rating. The definition of a serious injury or illness for a current servicemember is expanded to included injuries or illnesses that existed before the beginning of the member’s active duty and were aggravated by service in the line of duty on active duty in the Armed Forces.
 

Serious Injury or Illness for a Covered Veteran (§ 825.127)
2008 Regulations 2013 Regulations
Not applicable. A serious injury or illness for a covered veteran means an injury or illness that was incurred or aggravated by the member in the line of duty on active duty in the Armed   Forces and manifested itself before or after the member became a veteran, and is:

(1) A continuation of a serious injury or illness that was incurred or aggravated when the covered veteran was a member of the Armed Forces and rendered the servicemember unable to perform the duties of the   servicemember’s office, grade, rank, or rating; OR

(2) A physical or mental condition for which the covered veteran has received a VA Service Related Disability Rating (VASRD) of 50 percent or greater and such VASRD rating is based, in whole or in part, on the condition precipitating the need for caregiver leave; OR

(3) A physical or mental condition that substantially impairs the veteran’s ability to secure or follow a substantially painful occupation by reason of a disability or disabilities related to military service or would do so absent treatment; OR

(4) An injury, including a psychological injury, on the basis of which the covered veteran has been enrolled in the Department of Veterans Affairs Program of Comprehensive Assistance for Family Caregivers.
 

Appendices
2008 Regulations 2013 Regulations
The FMLA optional-use forms and Notice to Employees of Rights Under the FMLA (poster) are provided in the appendices to the regulations. The FMLA optional-use forms and poster are removed from the regulations and no longer available in the appendices. They are now available on the Wage and Hour Division website, www.dol.gov/whd, as well as at local Wage and Hour district offices.

 

If you are a covered employer under FMLA, have you done the following?

Displayed the new DOL FMLA Notice Poster, electronically or in hard copy?

  • Updated your FMLA policy, which must be in your
    employee handbook or distributed to each employee?
  • Started using the new FMLA forms, such as the
    Notice of Eligibility, Designation Notice, and various Certification forms?
Article By:
 of

A Short-Lived Victory for Generic Drug Manufacturers?

Sheppard Mullin 2012

On June 24, 2012, the U.S. Supreme Court handed down its decision in Mutual Pharmaceutical Co. Inc. v. Bartlett, 570 U.S. ____ (2013), finding that design-defect claims against generic drug companies are pre-empted where federal law prohibits an action required by state law. The Supreme Court had previously held in Pliva v. Mensing, 564 U.S. ____ (2011) that failure to warn claims against generic drug manufacturers are pre-empted by the Federal Food Drug and Cosmetic Act since generic drug makers must copy innovator drug labeling precisely in order to obtain approval of their products by the U.S. Food and Drug Administration (“FDA”). The Court in Mutual rejected the argument of lower courts that the generic manufacturer could comply with both federal and state law by choosing not to make and distribute the product at all.

The case in question involved the drug sulindac, a non-steroidal anti-inflammatory drug product marketed by the innovator as Clinoril®. The plaintiff in the case had been prescribed sulindac for treatment of shoulder pain. She subsequently developed a case of toxic epidermal necrolysis following taking an FDA approved generic product equivalent to Clinoril®, which resulted in significant and permanent disability (including blindness) and disfigurement. Subsequent to the event, the FDA required a more specific warning as to this possible side effect on sulindac products. A jury found the generic manufacturer liable under a theory that there was a design defect with the product, and the First Circuit affirmed, holding that the generic manufacturer could have complied with both federal and state law by not manufacturing and distributing the product. This was the method by which the lower courts overcame prior precedent that a state law may be impliedly pre-empted when it is not possible to comply with both federal and state law.

The Supreme Court in Mutual noted that the generic manufacturer could not comply with the state law, since federal law requires that the active ingredient, the amount of the active ingredient, the dosage form, and the labeling had to be identical to the innovator product. In this case, it was not possible to redesign the product, and the only way, under New Hampshire law, to remedy the design defect would have been to strengthen the product’s warnings. That too could not be done, as FDA rules require the labeling of the generic to be identical to that of the innovator. The Court ruled that in such a case the state law is without effect, and relevant New Hampshire warning-based design defect cause of action was pre-empted with respect to FDA-approved generic drugs sold in interstate commerce.

The scope of the Mutual decision may be limited to those states where design-defect claims allow for a risk-utility approach such as that the New Hampshire requires. The New Hampshire standard requires, among other things in determining whether there is a valid cause of action for a design defect, a determination as to whether there is a possible warning to avoid unreasonable risk of harm from the design defect and the efficacy of such warning. So not every design-defect claim may be pre-empted, depending on each state’s laws are interpreted. But given the Court’s reasoning, even state laws that do not take into effect the presence of and efficacy of a warning, may be pre-empted, as the generic must copy the formula of the innovator in all respects, except for the inactive ingredients in the product. (It should be noted that generics of some dosage forms – ophthalmic products and injectable products – must, in most cases, contain the same inactive ingredients as in the innovator product in the same amounts).

Furthermore, the FDA may amend its rules to permit ANDA holders to make changes in labeling. See “FDA Rule Could Open Generic Drug Makers to Suits,” The New York Times, Business, July 4, 2013, at B2. As stated in the posting on the OMB website (RIN 0910-A694):

Abstract: This proposed rule would amend the regulations regarding new drug applications (NDAs), abbreviated new drug applications (NDAs), abbreviated new drug applications (ANDAs), and biologics license applications (BLAs) to revise and clarify procedures for changes to the labeling of an approved drug to reflect certain types of newly acquired information in advance of FDA’s review of such change. The proposed rule would describe the process by which information regarding a “changes being effected” (CBE) labeling supplement submitted by an NDA or ANDA holder would be made publicly available during FDA’s review of the labeling change. The proposed rule also would clarify requirements for the NDA holder for the reference listed drug and all ANDA holders to submit conforming labeling revisions after FDA has taken an action on the NDA and/or ANDA holder’s CBE labeling supplement. These proposed revisions to FDA’s regulations would create parity between NDA holders and ANDA holders with respect to submission of CBE labeling supplements.

The expected date for a Notice of Proposed Rulemaking is September 2013. It could, of course, take FDA quite some time to propose a rule, and put it into effect, given the requirements of the Administrative Procedure Act. And Congressional action is also a possibility.

For the present, however, generic drug manufacturers appear to be shielded from liability under the doctrine of pre-emption from most, if not all, failure to warn and design defect claims under state law. Whether that victory is short-lived or not remains to be seen.

Article By:

 of

Obama Administration Delays Until 2015 Large Employer Shared Responsibility Requirements, Reporting and Tax Penalties

Dickinson Wright LogoOn July 2, 2013, the Department of Treasury announced a one-year delay in the employer shared responsibility mandate under the Affordable Care Act (“ACA”) and related information reporting.

Complexity Leads to Delayed Reporting Implementation

The Department said that over the past several months, the Administration engaged in dialogue with businesses about the new employer and insurer reporting requirements under ACA. It took into account employer concerns about the complexity of the requirements and their need for more time to implement them effectively. Based on this, the Administration announced that it will provide an additional year, to January 1, 2015, before the ACA mandatory employer and insurer reporting requirements begin. It said the delay is designed to meet two goals. First, it will allow the Department to consider ways to simplify the new reporting requirements consistent with the law. Second, it will provide time to adapt health coverage and reporting systems while employers are moving toward making health coverage affordable and accessible for their employees. The Department said that within the next week, it will publish formal guidance describing the transition. In doing so, it said it is working hard to adapt and be flexible about reporting requirements as it implements the law.

More specifically, the Department said that the ACA includes information reporting (under Code Section 6055) by insurers, self-insured employers, and other parties that provide health coverage. It also requires information reporting (under Code Section 6056) by certain employers with respect to the health coverage offered to their full-time employees. The Department expects to publish proposed rules implementing these provisions this summer, after a dialogue with stakeholders – including responsible employers that already provide their full-time work force with coverage that exceeds the minimum employer shared responsibility requirements – in an effort to minimize the reporting, consistent with effective implementation of the law.

Once these rules have been issued, the Administration will work with employers, insurers, and other reporting entities to strongly encourage them to voluntarily implement this information reporting in 2014, in preparation for the full application of the provisions in 2015. It said that real-world testing of reporting systems in 2014 will contribute to a smoother transition to full implementation in 2015.

Delayed Implementation of Shared Responsibility and Tax Penalties

The Department said it recognizes that this transition relief will make it impractical to determine which applicable large employers owe the shared responsibility tax payment for not providing minimum essential coverage that is affordable and provides minimum value (under Code Section 4980H) for 2014. Accordingly, the Department is extending transition relief on the employer shared responsibility payments. Under the transition relief, applicable large employers will not owe either the $2,000 tax or the $3,000 tax for 2014. Any employer shared responsibility tax payments will not apply until 2015. During the 2014 transition period, the Department strongly encourages employers to maintain or expand the health coverage they provide to their employees.

Importantly, the Department said its actions do not affect employees’ access to the premium tax credits available under the ACA, although without employers reporting on who they provide coverage to, it is hard to see how the government will know which individuals qualify for a tax credit. Without more, this suggests that the Department intends that marketplaces for individuals will still be available January 1, 2014. It also suggests that most Americans will still have to obtain health benefits coverage or pay the individual tax. It is not clear if the notice employers are required to send to all employees by October 1, 2013 advising them of the marketplaces will still be required. The upcoming guidance should address this and other requirements. The Department also said that this delay does not change the compliance requirements under any other provision of the ACA. This suggests that the PCORI fee payable by July 31, 2013 is still due, the 90-day maximum waiting period for benefits eligibility in 2014 still applies, etc.

Hopefully, the upcoming guidance will provide more detail on on-going employer responsibilities. Until then, it appears that, presuming there are no additional delays or relief:

  • Employers will not have to count full-time employees and full-time equivalents in 2013 to determine if they are applicable large employers beginning January 1, 2014.
  • Applicable large employers will not have to determine their full-time employees for purposes of providing minimum essential coverage in 2014.
  • Applicable large employers who do not provide minimum essential coverage to all full-time employees in 2014 will not owe the $2,000 tax times all full-time employees (minus 30) if one full-time employee purchases coverage through a marketplace and obtains a tax credit or subsidy.
  • Applicable large employers that provide minimum essential coverage that is not affordable or does not provide minimum value in 2014 will not owe the $3,000 tax times all full-time employees who purchase coverage through a marketplace and receive a tax credit or subsidy.
  • Employers will not have to report to the government on their full-time employees and health plan coverage in 2014, although the government will urge voluntary reporting.
  • Employers that have been considering adjusting the structure of their workforces to minimize the number of their full-time employees appear to have additional time in which to analyze and implement workforce changes.
Article By:

 of