Top Takeaways from FDA Draft Guidance on Software as Medical Device

FDA’s proposed adoption of an IMDRF document raises questions.

On October 14, the US Food and Drug Administration (FDA) released a new draft guidance document, Software as a Medical Device (SaMD): Clinical Evaluation (Draft Guidance).[1] The Draft Guidance was developed by the SaMD Working Group of the International Medical Device Regulators Forum (IMDRF),[2] a voluntary group of medical device regulators from around the world, including FDA. This is the first time that FDA has proposed issuing an IMDRF document as an official FDA guidance document.

The Draft Guidance discusses clinical evaluation recommendations for SaMD and focuses on the general principles of clinical evaluation, which include establishing scientific validity, clinical performance, and analytical validity for an SaMD. The Draft Guidance is available for public comment until December 13, 2016. We have highlighted key takeaways below.

1. Cart Before the Horse?

Over the years, FDA has issued several guidance documents attempting to clarify its position on software products. For instance, in 2015, the Agency issued its final guidance on Mobile Medical Applications, which describes when FDA will or will not actively regulate software that can be executed on a mobile platform.[3] However, the Mobile Medical Apps guidance is limited to the specific mobile app examples listed in that guidance, and FDA has yet to issue its long-promised draft guidance on clinical decision support software. Thus, there is no clear overarching policy on when software used for health- or medical-related purposes would be considered SaMD, subject to FDA regulation. In this context, issuing guidance on FDA’s expectations for the clinical evaluation for SaMD seems premature. Software developers need to first understand where the proverbial line is before investing in clinical evaluation activities.

2. New Unadopted Terminology and Reference Documents Used

The Draft Guidance uses terminology defined in other IMDRF documents and also incorporates by reference findings from other IMDRF documents; however, FDA has not officially adopted those other IMDRF documents as FDA guidances. Thus, it is not clear whether FDA intends for this Draft Guidance to be the first volley, followed up by formally issuing other IMDRF documents on SaMD as FDA guidances, or whether FDA would simply consider the terminology and principles in those other IMDRF documents to be adopted by proxy if and when it finalizes this current Draft Guidance. It also is not clear how the principles and terminology in these other IMDRF documents align with FDA’s existing regulations and guidance documents. For instance, the Draft Guidance discusses a system of classifying SaMD based on its intended use and risk; however, it is not clear how this classification system would translate to FDA’s existing device classification system (Class I, Class II, and Class III) and classification regulations. Such an understanding is important for SaMD developers to determine the premarket review standard that will apply (e.g., establishing substantial equivalence vs. safety and effectiveness), because this will inform the goals for SaMD clinical evaluation.

3. Context Is Important

Although this Draft Guidance’s focus is SaMD clinical evaluation, a significant part of its 45 pages is used to provide definitions, general principles, context, and SaMD categorization principles (not to mention the references to other IMDRF documents, as described above). Only Section 6 directly addresses clinical evaluation. On that point, the new Draft Guidance describes clinical evaluation as the process for establishing the scientific validity, analytical validity, and clinical performance of an SaMD and provides recommendations for generating evidence in these three areas. The Draft Guidance further describes how to determine the required level of evidence based on the SaMD’s categorization. With regard to categorization, the Draft Guidance proposes a SaMD categorization scheme based on: (1) how the information generated by the SaMD will be used (for nondiagnostic, diagnostic, or therapeutic purposes), and (2) the criticality of the healthcare situation or condition in which the SaMD is to be used. An SaMD intended to treat or diagnose critical healthcare situations or conditions is considered higher risk and thus would be subject to more rigorous clinical evaluation requirements.

4. FDA Requests for Feedback

In its Federal Register notice announcing the new Draft Guidance, FDA highlighted specific areas for which it would like feedback, including the following:

  • Does the document appropriately translate and apply current clinical vocabulary for SaMD?

  • Are there other types of SaMD beyond those intended for nondiagnostic, diagnostic, and therapeutic purposes that should be highlighted or considered in the document?

  • Does the document adequately address the relevant clinical evaluation methods and processes for SaMD to generate clinical evidence?

  • Given the uniqueness of SaMD and the proposed framework, is there any impact on currently regulated devices or any possible adverse consequences?

Next Steps

The Draft Guidance document indicates that it is intended to provide globally harmonized principles of when and what type of clinical evaluation is appropriate based on the SaMD risk. However, questions remain about how these principles translate to FDA regulatory requirements.

The Guidance Document is available for comment until December 13, 2016 (Docket No. FDA–2016–D–2483).


[1] 81 Fed. Reg. 71105 (Oct. 14, 2016), https://www.gpo.gov/fdsys/pkg/FR-2016-10-14/pdf/2016-24805.pdf.  

[2] FDA, International Medical Device Regulators Forum (IMDRF) (last updated May 5, 2015), http://www.fda.gov/MedicalDevices/InternationalPrograms/IMDRF/default.htm.

[3] FDA, Mobile Medical Applications: Guidance for Industry and Food and Drug Administration Staff, (Feb. 9, 2015), http://www.fda.gov/downloads/MedicalDevices/…/UCM263366.pdf.

New Presidency Will Compel Action in Key Areas of Health Care in 2017

As we enter the final stretch of the U.S. presidential election, health care remains one of the most contested issues with great potential for change, particularly to existing insurance and patient care systems. Compounding matters is the opening of enrollment season for exchange plans, which places the already hotly debated Affordable Care Act (ACA) at the forefront of the national health care discussion.

Former U.S. Congressman Dennis Cardoza, co-chair of Foley’s Federal Public Affairs Practice, and Public Affairs Director Jennifer Walsh opined recently about how our next president could symbolically break the congressional logjam on several health care-related fronts and why the industry is poised for more market-driven disruption.

What follows are a few highlights of their conversation.

1. What health policy issues will be most impacted by the next administration?

Cardoza: Since the passage of the ACA, there has been very little legislative activity when it comes to health care, as everything has been done at the administrative level and spread across various departments. During the honeymoon period that follows every newly elected president, we’ll likely see an immediate and significant push around the ACA marketplaces, especially in light of some high-profile defections, decreasing competition and increasing premiums. It doesn’t matter who is in the White House; there are things happening in the market that can’t be ignored.

Walsh: I agree that legislation concerning the exchanges will be the first out of the gate. There is a strong impetus to fix the system, but it may happen initially as part of the reauthorization of the Children’s Health Insurance Program (CHIP) that is set to expire in 2017. CHIP is a bi-partisan issue and no one wants to see it lapse. This must be passed in the first or second-quarter and could grease the skids for other ACA measures that are either attached as amendments or follow in subsequent bills.

On a separate, simultaneous track, drug pricing will continue to be scrutinized. Lawmakers will pick up where they left off leading up to the August recess. It’s now part of the national dialogue and lawmakers will continue to discuss how to address the issue.

2. Will merger activity continue on its current, accelerated pace?

Cardoza: The ACA has forced market consolidation due to everyone’s ability, or rather inability to compete over costs. We may see other large insurance plans leave the exchanges if the Department of Justice doesn’t approve their respective mergers.

Walsh: Mergers have been an interesting consequence of the ACA, and we’ll see more alignment in this regard. They don’t always generate big news headlines, but smaller acquisitions of technology assets and payments systems are happening all over, so health care organizations can build their portfolios.

3. What are some other noteworthy developments you’re watching closely?

Cardoza: Concluding a long, iterative process, the Centers for Medicare & Medicaid Services will soon be rolling out its new health care payment and service delivery models as part of the transition from fee-for-service. Next year will be a key period as we work toward full-blown implementation of new reimbursement practices that reflect better value and promote quality care for patients.

Walsh: The 21st Century Cures Act, which is Representative Fred Upton’s legacy issue, has received broad bipartisan support and already passed the House. It will allocate more funding to the National Institutes of Health to explore new cures and treatments, and incent innovative approaches to disease management. It should get a fair shake in 2017, if not during the upcoming lame duck session.

4. What should health care executives be thinking about heading into 2017?

Cardoza: Complacency has set in with the Washington gridlock, and many executives with bearish outlooks have accepted the broken system and are merely just controlling costs. However, they need to change their mindset and be more cognizant of what could soon affect their business, as we’re about to enter a transformative year where there will be a lot of moving parts. If they’re not informed and engaged, they’re going to get left behind.

Walsh: The uncertainty surrounding the ACA has certainly caused a lot of angst, and makes planning for businesses extremely difficult. Companies need to channel that energy into advocacy for their organization. Although every system is different, the industry-wide movement toward modernization, value, and quality will affect all parties. While it will be incremental, the change that will be prompted by the election is inevitable.

© 2016 Foley & Lardner LLP

OCR Kicks Off HIPAA Audits After Issuing Two Major Settlements

On Monday, the HHS Office for Civil Rights (OCR) launched phase two of its much-anticipated audit program for covered entities and business associates. The announcement comes in the wake of OCR’s issuance of two major settlements—totaling more than $5 million—which highlighted the critical importance of managing the security basics, such as the business associate agreement (BAA) and the organization-wide risk analysis. These developments are summarized below, with practical tips that can help organizations mitigate related risks.

Summary

2016 Audit Program Begins

In announcing the 2016 audit program launch, OCR confirmed it will contact organizations by email to verify contact information and complete a pre-audit questionnaire. Organizations selected for audit will be subject to either a desk audit, an onsite audit or potentially both. Organizations will have a short period to produce requested documents, typically 10 business days, so it is important to have HIPAA privacy and security policies, security risk assessments, breach notification documentation, BAAs, and other HIPAA documentation up-to-date and readily available. While there is a detailed audit protocol from the phase one OCR audits, that protocol has not been updated for the final rules implementing the HITECH Act. OCR has committed to issuing an updated audit protocol closer to the date the audits will be conducted, which will set forth the criteria that auditors will review. Importantly, the phase two audits will extend to business associates. Although the risk of being selected for an audit is low, organizations would be well advised to review the existing and, when available, new audit protocols, conduct a compliance gap assessment and take corrective actions as needed, as part of overall HIPAA compliance efforts. While OCR states that the audits are primarily a compliance improvement activity, enforcement may follow where a serious issue is identified.

The North Memorial Settlement – The Importance of Business Associate Agreements

In the first of two recent settlements, North Memorial Health System, a nonprofit organization, will pay $1.55 million and enter into a two-year corrective action plan to settle charges that it violated HIPAA by failing to have a written BAA with a key contractor. OCR’s investigation followed the 2011 theft of an unencrypted laptop from a contractor’s workforce member’s vehicle. The settlement notes that the laptop contained protected health information (PHI) of approximately 9,497 North Memorial patients. For its part, the contractor separately settled HIPAA violations for $2.5 million, and entered into a related 20-year FTC consent order relating to its security procedures.[1] OCR also alleged that North Memorial failed to conduct an organization-wide risk analysis that covered all of its IT infrastructure.

OCR’s investigation indicated that North Memorial failed to execute a BAA with the contractor as required by HIPAA Privacy and Security Rules. OCR asserted that North Memorial gave the contractor access to its hospital database, which stored the electronic PHI of 289,904 patients, as well as access to non-electronic PHI as it performed services on-site at North Memorial.[2] In total, OCR’s investigation found that, from March 21, 2011, to October 14, 2011, North Memorial impermissibly disclosed the PHI of at least 289,904 individuals to the contractor without obtaining a proper BAA.[3] The investigation further indicated that North Memorial failed to complete a comprehensive risk analysis to identify all potential risks and vulnerabilities to the electronic PHI (ePHI) that it maintained, accessed or transmitted across its entire IT infrastructure, as required by the HIPAA Security Rule.[4] In settling the matter, North Memorial did not concede liability.

In addition to the $1.55 million payment, North Memorial agreed to a two-year corrective action plan (CAP) that requires it to develop policies and procedures related to business associate relationships and to conduct an organization-wide risk analysis and risk management plan, as required under the HIPAA Security Rule.[5] The CAP also requires North Memorial to train appropriate workforce members on all policies and procedures newly developed or revised pursuant to the CAP.[6]

OCR has previously (and repeatedly) emphasized the importance of having an organization-wide, thorough analysis, which it reinforces here with North Memorial. In addition, this settlement highlights the importance that OCR attaches to having BAAs where required, which OCR describes as another “cornerstone” of effective security.[7] Further, the settlement illustrates that, when a breach occurs with a business associate, the impacted covered entity should expect OCR to request a copy of the underlying BAA. Where that BAA cannot be found, the covered entity and business associates should expect potential enforcement.

FIMR Settlement: Basic Compliance Required of All Covered Entities (and Business Associates)

In the second settlement, Feinstein Institute for Medical Research (FIMR), a nonprofit research institute, will pay $3.9 million and enter into a three-year corrective action plan to settle charges that it violated HIPAA, following a breach in which an employee’s unencrypted laptop containing patient information of 13,000 individuals was stolen. OCR’s investigation determined that FIMR’s security management process was limited, that it had failed to conduct a thorough risk analysis, and that it lacked sufficient policies and procedures. In its press release, OCR emphasized that it expects research institutions that are covered entities to comply with the same standards as other covered entities.

OCR’s investigation of FIMR stemmed from a self-reported breach after an employee’s unencrypted laptop was stolen. Based on the resolution agreement, OCR’s investigation appears to have identified widespread non-compliance. For example, OCR alleged that FIMR: (1) failed to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to all of the ePHI held by FIMR, including the ePHI on the employee’s laptop; (2) failed to implement policies and procedures for granting access to ePHI by its workforce members and restricting access by unauthorized users; (3) failed to implement physical safeguards for the laptop; (4) failed to implement policies and procedures that govern receipt and removal of hardware and electronic media that contain ePHI into and out of a facility, and the movement of these items within the facility; and (5) failed to encrypt ePHI on the laptop or, alternatively, document why encryption was not reasonable and appropriate and implement an equivalent safeguard.

As part of an extensive three-year CAP, FIMR must conduct an organization-wide risk analysis and develop a corresponding risk management plan, develop a process for evaluating environmental or operational changes to the security of ePHI, revise its policies and procedures for privacy and security, and provide extensive training and reporting.

Tips to Mitigate Risks

Covered entities and business associates can enhance HIPAA compliance, and reduce audit risk, by taking a number of practical steps outlined below.

Business Associate Risks:

  1. train workforce (at onboarding and at least annually thereafter) to recognize situations where a BAA (or subcontractor BAA) is required and understand how to activate the organization’s process for securing one;

  2. conduct periodic audits of existing outside service relationships to ensure that all necessary BAAs (or subcontractor BAAs) are, in fact, in place;

  3. periodically audit BAAs (and subcontractor BAAs) on file to ensure they are fully compliant (including as to the final HITECH rule content requirements), in full force and effect, and readily retrievable; and

  4. retain records of training and audits conducted for at least six years.

This also is an excellent time for covered entities and business associates to re-examine the effectiveness of their processes for conducting initial diligence and periodic audits of the security compliance of their key business associates and subcontractors.

Risk Analysis:

While not a new point, it remains critical for covered entities and business associates to conduct and document the requisite security risk analysis on a regular basis, and take prompt corrective action to manage identified risks. It is particularly important to ensure that the risk analysis covers all ePHI maintained, accessed or transmitted across the organization’s entire IT infrastructure, including but not limited to all applications, software, databases, servers, workstations, mobile devices and electronic media, network administration and security devices, and associated business processes. This can be a challenge—particularly in light of the pace of developments and acquisitions/consolidations in the health care industry—but is essential. Organizations should develop a complete inventory of all electronic equipment, data systems, and applications controlled by, administered or owned by the organization and its workforce that contain or store ePHI, including personally owned devices. Organizations should make sure their process includes equipment purchased outside of standard procurement processes.

Audit Preparation Tips:

  1. Confirm that all required HIPAA privacy and security policies and procedures are implemented and up-to-date;

  2. Make sure a thorough, organization-wide security risk analysis as described above has recently been conducted, and that resulting corrective actions have been taken;

  3. Confirm that BAAs are fully up-to-date and accessible, and follow the steps above to further reduce business associate risks;

  4. Use the audit protocols to conduct a gap assessment;

  5. Be prepared to provide documentation showing that breach notices have been provided as required by HIPAA; and

  6. Covered entities should ensure their notices of privacy practices are up-to-date and provided as required.

Other Basics:

  1. Encryption: Encryption of laptops, thumb drives and other mobile devices remains a critical risk mitigation strategy. HIPAA does not require encryption of ePHI in all cases “per se”; however, it does require organizations to specifically address, as part of their required risk analysis, whether encryption is a reasonable and appropriate safeguard (and if so, it requires organizations to encrypt; if not, it requires organizations to document why encryption is not reasonable and appropriate, and adopt an alternative safeguard). However, encryption per the HHS guidance provides a “safe harbor” from breach notification under HIPAA and generally obviates the need to make state law data breach notifications as well, in the event of loss of encrypted data. Further, because encryption will, in fact, be “reasonable and appropriate” in many cases, often it is effectively required.

  2. Training: The scope and frequency of training also should be regularly reviewed to ensure training covers key aspects of privacy and security policies. In addition, training should address current and emerging threats and risk areas. For example, in light of the significant role of phishing attacks and malware in cyber-breaches, training should include employee awareness of how to identify and respond to these types of attacks.


[1] The related 2012 settlement by business associate Accretive Health with the Minnesota attorney general for violations of the HIPAA rules and state law was widely touted within the industry as the first HIPAA enforcement action against a business associate. See Settlement Agreement, Release, and Order, 12-cv-00145, ECF No. 90 (July 30, 2012). Because the breach occurred prior to the issuance of final rules implementing the HITECH Act’s extension of direct liability for HIPAA violations to business associates, OCR—the primary federal HIPAA enforcement agency—had indicated it would not enforce the HITECH Act changes against business associates until issuance of the final rules. However, this did not prevent the Minnesota attorney general from proceeding to enforce HIPAA, using newly expanded enforcement authority granted to state attorneys general under the HITECH Act. Accretive Health also entered into a related, 20-year consent order with the FTC, pursuant to which no fine or penalty was paid but in which Accretive Health agreed to establish and maintain a comprehensive information security program, and to periodic evaluations of that program. See Press Release, FTC approves final consent order settling charges that Accretive Health failed to adequately protect consumers’ personal information (Feb. 24, 2014).

[2] See North Memorial Resolution Agreement and Corrective Action Plan, I.2.A, (Mar. 16, 2016).

[3] See id. at I.2.B.

[4] See id. at I.2.C.

[5] See id. at I.V.A-C.

[6] See id. at I.V.D.

[7] See Press Release, $1.55 million settlement underscores the importance of executing HIPAA business associate agreements (Mar. 16, 2016).

The UK Psychoactive Substances Act 2016: An Example of Poor Drafting and Unintended Consequences for Food?

The UK has enacted new legislation to address the issue of so-called ‘legal highs’ following a number of cases of paranoia, seizures, hospitalisation and even death after consumption of certain psychoactive substances.  The Psychoactive Substances Act 2016 (the “Act”) was granted Royal Assent on 28 January 2016.  It is expected to come into force on 6 April 2016.  The Act makes it an offence to produce, supply, offer to supply, possess with intent to supply, possess in a custodial institution, import or export psychoactive substances.

A psychoactive substance is defined very broadly to cover “any substance which is capable of producing a psychoactive effect in a person who consumes it”.  A substance produces a psychoactive effect in a person if it affects the person’s mental functioning or emotional state  by stimulating or depressing the person’s central nervous system.  There are a number of specific exemptions, including controlled drugs, medicinal products, alcohol, nicotine and tobacco products, caffeine and food.  However, the definition of food has left a number of questions since it does not align with the legal definition of food set out in EU Regulation 178/2002.  Rather, the Act defines food as:

Any substance which—

            (a) is ordinarily consumed as food, and

            (b) does not contain a prohibited ingredient (emphasis added).

In this paragraph—

  • “food” includes drink;

  • “prohibited ingredient”, in relation to a substance, means any psychoactive substance—

            (a) which is not naturally occurring in the substance, and

            (b) the use of which in or on food is not authorised by an EU instrument.

The authorities have stated that the Act is not intended to capture foods with a “negligible” psychoactive effect, such as chocolate and nutmeg, but concerns were raised during the legislative debates that the Act could capture inadvertently a much broader range of food substances, including energy drinks and certain botanical ingredients used in foods and dietary supplements.  It is hoped that guidance from the enforcement authorities will make clear exactly which foods and drinks are exempted.

Lucie Klabackova, paralegal, also contributed to this article.

© 2016 Covington & Burling LLP

Hollywood Presbyterian Concedes to Hacker’s Demands in Ransomware Attack

In a chain of events that should be a wake-up call to any entity using and storing critical health information, Hollywood Presbyterian Medical Center (“HPMC”) has announced that it paid hackers $17,000 to end a malware attack on the hospital’s computer systems. On February 5, HPMC fell victim to an attack that locked access to the medical center’s electronic medical record (“EMR”) system and blocked the electronic exchange of patient information. Earlier reports indicated that the hackers had originally demanded $3,400,000.

Such “ransomware” attacks are caused by computer viruses that wall off or encrypt data to prevent user access. Hackers hold the data ransom, demanding payment for the decryption key necessary to unlock the data. The attacks are often caused by email phishing scams. The scams may be random or target particular businesses or entities. In the case of HPMC, the medical center’s president and CEO indicated to media outlets that the attack was random, though Brian Barrett, writing for Wired, questioned that assertion.

The medical center’s announcement of the resolution of the incident indicates that there is no evidence that patient or employee information was accessed by the hackers as part of the attack. Even if the data was not compromised, the attack led to enormous hassles at the hospital, returning it to a pre-electronic record-keeping system.

On February 2, 2016, three days before the HPMC attack, the Department of Health & Human Services Office for Civil Rights (“OCR”) announced the launch of its new Cyber-Awareness Initiative. That announcement included information on ransomware attacks and prevention strategies. Suggested prevention strategies from OCR included:

  1. Backing up data onto segmented networks or external devices and making sure backups are current.

  2. Ensuring software patches and anti-virus are current and updated.

  3. Installing pop-up blockers and ad-blocking software.

  4. Implementing browser filters and smart email practices.

Most of these prevention strategies are HIPAA security measures that ought to be in place generally. As OCR indicates, smart email practices and training the workforce on them are key elements to preventing phishing scams. Before clicking on a link in an email or opening an attachment, consider contextual clues in the email. The following types of messages should be considered suspicious:

  • A shipping confirmation that does not appear to be related to a package you have actually sent or expect to receive.

  • A message about a sensitive topic (e.g., taxes, bank accounts, other websites with log-in information) that has multiple parties in the To: or cc: line.

  • A bank with whom you do not do business asking you to reset your password.

  • A message with an attachment but no text in the body.

All health care providers, payors, and their business associates need to take notice of the HPMC attack and take steps to ensure that they are not the next hostages in a ransomware scheme.

©1994-2016 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

Congress Awaits Health Provisions in President’s Budget

Health Bills Slated for House Floor Consideration; SAMHSA Releases Proposed Rule Focused on Confidentiality of Substance Use Disorder Patient Records

Legislative Activity

Congress Awaits Health Provisions in President’s Budget

On Tuesday, February 9, President Barack Obama will submit his FY 2017 Budget Request to Congress, which is expected to include several large-scale investments for the nation’s health. Last week, the White House released a “sneak preview” of the Budget, which includes: $755 million for cancer research as part of the “moonshot” to cure cancer; a legislative proposal to provide any state that takes up the Medicaid expansion option the same three years of full federal support that states that expanded in 2014 received; a commitment to changes in the excise tax on high-cost employer-sponsored health coverage, otherwise known as the “Cadillac Tax”; and $1 billion in mandatory funding over two years to address prescription drug abuse and heroin use.

On Wednesday, February 10, U.S. Department of Health and Human Services (HHS) Secretary Sylvia Mathews Burwell will provide testimony on the Budget to the House Committee on Ways and Means. The next day, she will also address the Budget in her testimony to the Senate Committee on Finance.

Health Bills Slated for House Floor Consideration

House Majority Leader Kevin McCarthy (R-CA) has announced that several health care bills will be considered on the floor this week.

On Tuesday, the following pieces of health legislation are expected to be considered under suspension of the rules: H.R. 3016, the Veterans Employment, Education, and Healthcare Improvement Act, as amended, which clarifies the role of podiatrists in the Department of Veterans Affairs (VA); H.R. 3106, the Construction Reform Act of 2016, which makes certain changes in the administration of Department medical facility construction projects; H.R. 3262, To provide for the conveyance of land of the Illiana Health Care System of the Department of Veterans Affairs in Danville, Illinois; H.R. 4056, To authorize the Secretary of Veterans Affairs all right, title, and interest of the United States to the property known as “The Community Living Center” at Lake Baldwin Veterans Affairs Outpatient Clinic, Orlando, Florida, as amended; H.R. 4437, To extend the deadline for the submittal of the final report required by the Commission on Care; H.R. 3234, the VA Medical Center Recovery Act, which establishes within the VA an Office of Failing Medical Center Recovery; and H.R. 2915, the Female Veteran Suicide Prevention Act, which directs the Secretary of the VA to identify mental health care and suicide prevention programs that are effective in treating women veterans.

Later in the week, the House is expected to consider H.R. 2017, the Common Sense Nutrition Disclosure Act of 2015, which seeks to improve and clarify disclosure requirements for restaurants and other retail food establishments.

Senate HELP Committee to Mark Up Health Legislation

On Tuesday, February 9, the Senate Committee on Health, Education, Labor, and Pensions (HELP) will hold a markup to consider several health care bills. In January, Committee Chairman Lamar Alexander (R-TN) announced the Committee’s schedule for the “step by step” consideration of biomedical innovation bills. This process, aimed at legislation that is somewhat similar to language in the House-passed 21st Century Cures Act (H.R. 6), begins with this markup.

Legislation to be considered on Tuesday includes: S. 2030, the Advancing Targeted Therapies for Rare Diseases Act of 2015, which allows the sponsor of an application for the approval of a targeted drug to utilize data and information from the sponsor’s previously approved targeted drugs; S. 1622, the FDA Device Accountability Act of 2015, which requires the Food and Drug Administration (FDA) to ensure training on least burdensome requirements for employees who review premarket submissions of medical devices; S. 2014, the Next Generation Researchers Act, which seeks to demonstrate a commitment to our nation’s scientists by increasing opportunities for the development of future researchers; S. 800, the Enhancing the Stature and Visibility of Medical Rehabilitation Research at NIH Act, which seeks to improve, coordinate, and enhance National Institutes of Health (NIH) rehabilitation research; S. 849, the Advancing Research for Neurological Diseases Act of 2015, which provides for systematic data collection and analysis and epidemiological research regarding neurological diseases; S. ___, the Preventing Superbugs and Protecting Patients Act; and S. ___, the Improving Health Information Technology Act.

This Week’s Hearings:

  • Tuesday, February 9: The Senate Committee on Health, Education, Labor, and Pensions (HELP) will hold a markup of health care bills, as described above.

  • Wednesday, February 10: The House Committee on Energy and Commerce Subcommittee on Health will hold a hearing titled “Examining Medicaid and CHIP’s Federal Medical Assistance Percentage.”

  • Wednesday, February 10: The House Committee on Veterans’ Affairs will hold a hearing titled “U.S. Department of Veterans Affairs Budget Request for Fiscal Year 2017.”

  • Wednesday, February 10: The House Committee on Foreign Affairs Subcommittee on Africa, Global Health, Global Human Rights, and International Organizations and Subcommittee on the Western Hemisphere will hold a joint hearing titled “The Global Zika Epidemic: Emerging in the Americas.”

  • Wednesday, February 10: The House Committee on Ways and Means will hold a hearing titled “Department of Health and Human Services’ (HHS) Fiscal Year 2017 Budget Request.”

  • Wednesday, February 10: The House Committee on Rules will meet on H.R. 2017, the Common Sense Nutrition Disclosure Act of 2015.

  • Wednesday, February 10: The Senate Committee on the Judiciary will hold a hearing titled “Breaking the Cycle: Mental Health and the Justice System.”

  • Wednesday, February 10: The Senate Special Committee on Aging will hold a hearing which “will unveil and examine a new, troubling scam by global drug traffickers perpetrated against our nation’s seniors.”

  • Thursday, February 11: The House Committee on Veterans’ Affairs Subcommittee on Health will hold a hearing titled “Choice Consolidation: Improving VA Community Care Billing and Reimbursement.”

  • Thursday, February 11: The House Committee on Homeland Security Subcommittee on Emergency Preparedness, Response, and Communications will hold a hearing titled “Improving the Department of Homeland Security’s Biological Detection and Surveillance Programs.”

  • Thursday, February 11: The Senate Committee on Finance will hold a hearing titled “The President’s Fiscal Year 2017 Budget.”

  • Thursday, February 11: The Senate Committee on the Judiciary will hold a markup, which will include consideration of: S. 483, the Ensuring Patient Access and Effective Drug Enforcement Act of 2015, which seeks to improve enforcement efforts for prescription drug diversion and abuse; and S. 524, the Comprehensive Addiction and Recovery Act of 2015, which authorizes the Attorney General to award grants to address prescription opioid abuse and heroin use.

  • Friday, February 12: The House Committee on Energy and Commerce Subcommittee on Oversight and Investigations will hold a hearing titled “Outbreaks, Attacks, and Accidents: Combatting Biological Threats.”

Regulatory Activity

SAMHSA Releases Proposed Rule Focused on Confidentiality of Substance Use Disorder Patient Records

On Friday, February 5, the Substance Abuse and Mental Health Services Administration (SAMHSA) released a proposed rule titled “Confidentiality of Substance Use Disorder Patient Records.” The proposed rule seeks to amend the Confidentiality of Alcohol and Drug Abuse Patient Records regulations, which were last substantively updated in 1987. According to HHS, the proposed rule will “facilitate health information exchange to support delivery system reform efforts” and ensure privacy for patients seeking substance use disorder treatment.

The proposed rule will be published in the Federal Register on February 9, and comments are due April 11.

Gun Control: HIPAA Final Rule Targets Background Checks and Mental Health Reporting

President Obama has announced plans to tighten gun control regulations, including applying the background check requirement to dealers at gun shows and on websites.  Federal law already requires that those “engaged in the business” of selling guns must have a Federal Firearms License (FFL) and conduct background checks at the time of every purchase.  Some sellers assert they are not gun dealers but collectors or hobbyists who do not sell regularly and, therefore, are not “engaged in the business” of selling firearms and not required to have a FFL and conduct background checks.  The Obama administration has clarified that people who claim to be hobbyists may be engaged in the business if, for example, they operate an online gun store, frequently sell guns in their original packaging, or pass out business cards.  The Bureau of Alcohol, Tobacco and Firearms (“ATF”) issued Guidance to help individuals understand when a FFL is required.

Consistent with this initiative, the Office for Civil Rights (“OCR”) released a Final Rule modifying the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule to permit certain covered entities to disclose identifying information on persons subject to a “Federal mental health prohibitor” to the National Instant Criminal Background Check System (“NICS”).

Intersection of NICS and HIPAA

As background, the NICS is a national system mandated by the Brady Handgun Violence Prevention Act of 1993. Maintained by the FBI since November 1998, NICS is used by Federal Firearms Licensees to instantly determine whether an individual seeking to buy firearms is eligible to do so. Federal law provides that it is unlawful for certain categories of persons to ship, transport, possess, or receive a firearm. These categories are referred to as “prohibitors.” Among them are the following mental health prohibitors, which provide that it is unlawful for the following individuals to possess a firearm:

  • individuals who have been involuntarily committed to a mental institution, for reasons such as mental illness or drug use;

  • individuals found incompetent to stand trial or not guilty by reason of insanity; or

  • those otherwise determined by a court, board, commission or other lawful authority to be a danger to themselves or unable to manage their own affairs as a result of marked subnormal intelligence, or mental illness, incompetency, condition or disease.

Many of the records qualifying an individual for a Federal mental health prohibitor are maintained by the criminal justice system, which does not generally include HIPAA covered entities.  However, some qualifying information may be housed within HIPAA covered entities that are either (i) involved in involuntary commitments or mental health adjudications; or (ii) have been designated by states to serve as repositories to collect applicable mental health data and report it to the NICS.

In balancing individuals’ privacy with public safety, the Final Rule modifies HIPAA to permit the disclosure of select demographic information to the NICS by covered entities that either (i) function as repositories of information relevant to the Federal mental health prohibitor on behalf of the state; or (ii) are responsible for ordering the involuntary commitments or other adjudications.  The Final Rule limits disclosure to demographic and other information needed for purposes of reporting to the NICS, and disclosure of diagnostic or clinical information is not permitted.

Potential Impact on Mental Health Legislation

This Final Rule is one aspect of a multi-faceted approach the Obama administration is taking on gun control. An open question remains as to whether Congress will act with respect to gun control and mental health, and if so, how? Certain Republicans are already looking for ways to halt President Obama’s actions, while others in Congress do not believe that the actions go far enough and seek additional gun control measures.

At a minimum, the President’s decision to take action related to gun controls is certain to have an impact on mental health legislation.  Congressional Republicans have been discussing improving the nation’s mental health system since 2013.  Many see this focus on mental health as an effort to redirect the conversation away from gun control.  As such, the President’s recent actions propose adding $500 million to increase access to mental health care.

The combination of Republicans seeking to dismantle the recent executive actions while redirecting the conversation to mental health may place Senate Democrats in a tough position. The President’s action increases the likelihood that gun control measures may be attached to mental health legislation. The issue is whether Senate Democrats are willing to filibuster mental health legislation in order to keep the focus on gun control and prevent the unraveling of some of the President’s executive actions.

©1994-2015 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

CMS’s Top 7 Changes to Stark Law

On November 16, 2015, the Department of Health and Human Services, Centers for Medicare and Medicaid Services, issued a final rule revising, clarifying, and adding exceptions to the Physician Self-referral Law (“Stark”) in order to (1) accommodate delivery and payment system reform; (2) reduce burdens; and (3) ensure and facilitate compliance. These changes include two new exceptions, clarifications adding additional explanations to existing policies, and revisions to existing definitions and exceptions.

Below are the top 7 changes providers and physicians should note:

  1. New “assistance to compensate a nonphysician practitioner (NPP)” exception: allows remuneration from a hospital, federally qualified health center, or rural health clinic to a physician to recruit a NPP, where substantially all (i.e., 75%) of the services furnished by the NPP to the patients of the physician’s practice are for primary care services or mental health care services. Please note this exception applies to the following NPPs: (1) physician assistants; (2) nurse practitioners; (3) clinical nurse specialists; (4) certified nurse midwives; (5) clinical social workers; and (6) clinical psychologists.

  2. New “timeshare arrangements” exception: this exception covers “use” arrangements only, which includes the use of premises, equipment (excluding advanced imaging equipment, radiation therapy equipment, and (most) clinical or pathology laboratory equipment), personnel, items, supplies, or services. Traditional office space leases and arrangements conveying a possessory leasehold interest in office space are not covered under this exception. Compensation for such arrangements must be carefully structured, as percentage compensation and per-unit services fees (i.e., “per-use” and “per-patient” rates) are prohibited but hourly or half day rates are acceptable.

  3. Clarification on the writing requirement: exceptions containing a writing requirement for certain compensation arrangements use “arrangement” and “agreement” interchangeably. The rule now clarifies that this requirement only requires an arrangement be set out in writing. Although CMS recommends having one signed written contract that satisfies every requirement of the exception, the preamble clarifies that this requirement may also be satisfied through a collection of documents that relate to one another and to the exact arrangement.

  4. Clarification on the 1-year term requirement for office space rental, equipment rental, and personal service arrangements exceptions: the final rule clarifies the arrangement itself must have a duration of at least one year, but a formal “term” provision in a contract is not required. Instead, the duration requirement can be shown through contemporaneous documents establishing the arrangement lasted for at least one year. However, if the arrangement was terminated during the first year, the parties must be able to show they did not enter into a new arrangement for the same space, equipment, or services during the first year.

  5. Clarification regarding “split bill” arrangements: “split bill” arrangements do not involve remuneration between physicians and designated health services (DHS) entities, for items or services such as examination rooms, nursing personnel, and supplies, “because the physician and DSH entity do not provide items, services, or other benefits to one another.” 80 Fed. Reg. 70,886, 71,321 (Nov. 16, 2015). However, outpatient departments billing a payor in one single bill will establish a compensation arrangement and must fit under an exception.

  6. Revision to “temporary noncompliance with signature” requirement: prior to this final rule, parties who inadvertently failed to comply with the signature requirement had 90 days to comply and others had 30 days. Now, there is a blanket 90 day period to comply with this requirement, regardless of whether the failure to obtain a signature was inadvertent or not.

  7. Indefinite holdover provisions: expired arrangements under the office space and equipment rental exceptions and the personal service arrangements exception can be “heldover” indefinitely rather than for only six months, provided the arrangement: (1) satisfies all of the requirements at the time of expiration; (2) continues on the same terms and conditions; and (3) continues to satisfy all of the requirements during the holdover. Current arrangements in a valid holdover under the current six month holdover provisions on January 1, 2016 may qualify for an indefinite holdover.

© Copyright 2015 Squire Patton Boggs (US) LLP

Five Telemedicine Trends Transforming Health Care in 2016

Telemedicine is a key component in the health care industry shift to value-based care as a way to generate additional revenue, cut costs and enhance patient satisfaction. One of the biggest changes to health care in the last decade, telemedicine is experiencing rapid growth and deployment across a variety of applications.

The quick market adoption of telemedicine is fueled by powerful economic, social, and political forces — most notably, the growing consumer demand for more affordable and accessible care. These forces are pushing health care providers to grow and adapt their business models to the new health care marketplace.

Also changing is the misconception that telemedicine creates a financial strain or relies on grant funding. Smart health system leadership is creating sustainable telemedicine arrangements that generate revenue, not just cost savings, while improving patient care and satisfaction. Research conducted by the American Telemedicine Association reveals that telemedicine saves money for patients, providers, and payers compared to traditional health care practices, particularly by helping reduce the frequency and duration of hospital visits.

It is expected that the global telemedicine market will expand at a compound annual growth rate of 14.3 percent through 2020, eventually reaching $36.2 billion, as compared to $14.3 billion in 2014. And while the growing demand for convenience, innovation, and a personalized health care experience may be the greatest factor, other forces are at work as well.

These five trends will drive telemedicine’s continued growth and transformation of health care delivery in 2016:

1. Expanding Reimbursement and Payment Opportunities

Both private and government payers will continue to expand telemedicine coverage as consumers gain experience with the technology and increasingly demand access to telemedicine-based services. Some health plans have already begun bolstering their coverage of telemedicine, which they view as a form of value-based care that can improve the patient experience and offer substantial cost savings. On the government side, 2016 will particularly see more coverage among Medicaid managed care organizations and Medicare Advantage plans.

While reimbursement was the primary obstacle to telemedicine implementation, new laws requiring coverage of telemedicine-based services have been implemented at the state level, and 2016 will be the year these laws drive implementation in those states. Similarly, providers are becoming increasingly receptive to exploring payment models beyond fee-for-service reimbursement, and 2016 will continue the growth of these arrangements. Examples include institution-to-institution contracts and greater willingness by patients to pay out-of-pocket for these convenient, valuable services.

2. Uptick in International Arrangements

In 2016, more U.S. hospitals and health care providers will forge ties with overseas medical institutions, spreading U.S. health care expertise abroad. These cross-border partnerships will provide access to more patients, create additional revenue and help bolster international brands. According to the American Telemedicine Association, more than 200 academic medical centers in the U.S. already offer video-based consulting in other parts of the world. While many of these are pilot programs, 2016 will see a maturation and commercialization of many of these international arrangements, as they are a win-win for participants in both countries.

The growing purchasing power of middle-class populations in countries like China is giving more patients the means and opportunity to pursue treatment from Western medical centers. We have seen both for-profit and non-profit models for international telemedicine — hospitals partnering with organizations in the developing world to expand health care availability or offering commercial care to customers in nations with areas of concentrated wealth but lacking the capabilities and access of Western health care.

3. Continued Momentum at the State Level

State governments across the U.S. are leading the way in telemedicine expansion. According to a study by the Center for Connected Health Policy, during the 2015 legislative session, more than 200 pieces of telemedicine-related legislation were introduced in 42 states. Currently, 29 states and the District of Columbia have enacted laws requiring that health plans cover telemedicine services. In 2016, we will see more bills supporting health insurance coverage for telemedicine-based services introduced in various state legislatures.

While state lawmakers are leading the way in incorporating telemedicine into the health care system, two recent developments point to a burgeoning interest at the federal level. The Centers for Medicare and Medicaid Services (CMS) is considering expansion of Medicare coverage for telemedicine, and a bill working its way through the U.S. House of Representatives would pay physicians for delivering telemedicine services to Medicare beneficiaries in any location.

4. Retail Clinics and Employer Onsite Health Centers on the Rise

A recent Towers Watson study found that more than 35 percent of employers with onsite health facilities offer telemedicine services, and another 12 percent plan to add these services in the next two years. Other studies suggest that nearly 70 percent of employers will offer telemedicine services as an employee benefit by 2017. The growth of nation-spanning telemedicine companies such as MDLIVE and the now publicly-traded Teladoc, which offer health services tailored to the specific needs of employers and other groups, is a reflection of the demand for these services.

Additionally, consumers are increasingly willing to visit retail medical clinics and pay out-of-pocket for the convenience and multiple benefits of telemedicine services when telemedicine is not covered by their insurance plans. Both CVS Health and Walgreens have publicly announced plans to incorporate telemedicine-based service components in their brick and mortar locations.

5. More ACOs Using Technology to Improve Care and Cut Costs

2016 will be the year of telemedicine and ACOs. Since the advent of Medicare Accountable Care Organizations (ACOs), the number of Medicare beneficiaries served has consistently grown from year to year, and early indications suggest the number of beneficiaries served by ACOs is likely to continue to increase in 2016. These organizations present an ideal avenue for the growth of telemedicine.

While CMS offers heavy cost-reduction incentives in the form of shared-saving payments, only 27 percent of ACOs achieved enough savings to qualify for those incentives last year. Meanwhile, only 20 percent of ACOs use telemedicine services, according to a recent study. We believe the widespread need to hit the incentive payment metrics, coupled with the low adoption rate, will lead to significantly greater telemedicine use among ACOs in 2016.

© 2015 Foley & Lardner LLP

Going Before a Higher Power – Nuns Take on Obamacare

On Nov. 6, 2015, the U.S. Supreme Court agreed to hear the appeals of several religious employers challenging the contraceptive mandate under the Patient Protection and Affordable Care Act (ACA).  The court will consolidate seven cases, the most prominent of which was brought by the Little Sisters of the Poor, an order of Catholic nuns who dedicate their lives to helping the elderly poor.  The other employers include several Catholic dioceses, a religious non-profit group and several Christian colleges.

The contraception mandate requires religious employers who object to providing contraceptive services to notify the government of their objection, which transfers the responsibility of providing those services to the employer’s insurer.  The petitioners argue that this procedure violates the Religious Freedom Restoration Act because it effectively forces the employer’s health plan to cover services the employer finds objectionable.  They argue that the government has less restrictive means available to provide these services.

The consolidation of these seven cases is particularly interesting because the employers have varied insurance arrangements.  While some of the employers are insured by large insurance carriers, others are self-insured, or have “church plans” as defined by ERISA.  It is unclear whether these different arrangements will affect the outcomes for the particular employers.

The court is expected to hear oral argument in the case in March 2016.

© 2015 BARNES & THORNBURG LLP