FDA Regulation of mHealth Updates

Covington & Burling LLP

At the Food and Drug Law Institute’s annual conference on April 21, 2015, Bakul Patel, Associate Director for Digital Health, Office of Center Director, Center for Devices and Radiological Health (CDRH), held a discussion of “FDA Regulation of Mobile Health/Medical Applications.”  There have already been several important developments in FDA regulation of mHealth products this year.  Patel stated that FDA recognizes the importance of digital health, and its potential to drive better health outcomes and promote patient engagement.  Patel discussed two recently released draft guidances that impact FDA regulation of mHealth, the draft General Wellness Guidance and the draft Accessories Guidance, and highlighted that FDA continues to work to promote innovation while at the same time protecting patient safety.  The public comment period for these guidances ended on April 20th, and Patel noted that CDRH did not receive many comments.  Finally, Patel emphasized that industry can continue to reach out to FDA with questions about mobile health at mobilemedicalapps@fda.hhs.gov or digital health at digitalhealth@fda.hhs.gov.

The discussion draft of the 21st Century Cures Act includes sections that would exclude “health software” from regulation as a medical device, and would require FDA to promulgate regulations to establish standards and procedures for regulating “medical software.”  New 21st Century Cures language may be released by the end of this month.  We will be watching closely to see if there are any changes to the software language.

ARTICLE BY

Covington E-Health

Pay for Delay – Big Pharma’s Dirty Secret

Mahany Law Firm

For most Americans, generic drugs are a godsend. Prescription drug prices have become so high that many folks simply can’t afford to purchase needed medications.  It’s not uncommon for some cancer and hepatitis medications to cost $1000 or more per dose. Generics, however, can cut prescription bills by 90% or more.

As much as consumers love generic drugs, big pharma hates them. Once a branded drug goes “off patent,” sales usually plummet. Most health plans, insurance companies and Medicare require physicians to dispense less costly generics.

The loss of profits can be so great when a drug goes generic that many pharmaceutical companies are now engaging in “pay for delay” tactics.

What is “pay for delay”? It is the payment by a pharmaceutical company to would-be competitors to not copy a certain medication.  The results are more profits for big pharma and therefore an extension of their monopoly on pricing. The Federal Trade Commission says pay for delay costs taxpayers, insurance companies and consumers almost $4 billion per year.

Is this legal? Probably not.

Congress wanted to encourage generic manufacturers to quickly enter the marketplace and lower drug costs. In 1984, Congress passed the Hatch-Waxman Act. That law encourages generic manufacturers to challenge pharmaceutical companies.  The first company that seeks to make a generic of a branded drug is given an expedited review by the FDA.

Unfortunately, what started out as a law with good intentions soon turned horribly bad. Big pharma began suing the generic manufacturers for patent infringement. The pharmaceutical companies would then settle the suits and pay the generic company not to compete for a period of time, often 5 years.

A few court victories later, the pay for delay industry was in full swing.

Thankfully the Federal Trade Commission has stepped in and appears to be gaining traction. The government says that many of these pay for delay schemes violate federal anti-trust laws. In 2013, the United States Supreme Court ruled that pay for delay does not automatically violate antitrust laws but still must be carefully scrutinized (FTC v. Actavis). Georgetown University Professor Lawrence Gostin, writing for the Journal of the American Medical Association, hailed the decision and says it will save consumers and taxpayers billions of dollars.

Some may be wondering why the generic manufacturers go along with these payments.  Obviously big pharma likes these settlements because they can extend their monopolies for years. Generic manufacturers find these settlements economically worthwhile too. Because the profits made on branded drugs are so large, big pharma can pay millions to the generic manufacturers and still make a profit.  The smaller generic companies make just as much profit from the settlements and don’t have to produce a single pill.

The Motley Fool investigated one branded drug, Provigil, manufactured by Cephalon. The drug was due to come off patent in 2005 but Cephalon paid four generic companies $200 million to delay manufacture of generic equivalents until 2012. The cost of a three-month supply of Provigil? $3600. The cost after generics were finally introduced? About $5 per month according to fool.com.

With the courts and regulators finally looking hard at these arrangements, we hope more whistleblowers come forward. Under the federal False Claims Act, whistleblowers with inside information about fraud involving a government program can receive up to 30% of whatever is recovered from drug companies. To qualify for an award, whistleblowers need inside, “original source” information about the fraud.

The FTC’s Bureau of Competition concluded that of the 145 final patent dispute settlements in 2013, 29 represent potential pay for delay schemes.  Recently the agency launched a hotline to help people report illegal pay for delay schemes.

Whistleblowers using the hotline should know, however, that calling the hotline does not make them eligible for a whistleblower award. To claim an award, one must first file a lawsuit in federal court.

As a law firm that has helped clients receive over $100,000,000.00 in whistleblower award payments, we want to see whistleblowers properly awarded for coming forward and reporting illegal behavior.

Moving to the Cloud: Some Key Considerations for Healthcare Entities

Covington & Burling LLP

Healthcare providers, health plans, and other entities are increasingly utilizing cloud services to collect, aggregate, store and process data.  A recent report by IDC Health Insights suggests that 80 percent of healthcare data is expected to pass through the cloud by 2020.  As a substantial amount of healthcare data comprises “personal information” or “protected health information” (PHI), federal and state privacy and security laws, including the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act, raise significant questions for healthcare providers and health plans utilizing the cloud in connection with such data.  Such questions include whether HIPAA requirements extend to cloud providers, how and if entities storing health data on the cloud will be notified in case of a breach, and whether storage of data overseas by cloud providers triggers any additional obligations or concerns.

Given the complex legal issues at play, any contract between a healthcare provider or health plan and a cloud service provider that involves using the cloud in connection with PHI should therefore address the regulatory restrictions and requirements applicable to PHI.  By way of example, recent guidance from the HHS Office for Civil Rights suggests that health care providers must likely have a business associate agreement in place with their cloud service provider.  Moreover, although cloud providers might not regularly access the data they store and may never “use” or “disclose” that data as those terms are defined under HIPAA, cloud providers probably need to adhere to HIPAA breach notification requirements.  There have also been indications of late that HHS may consider it advisable, if not required, that entities subject to the HIPAA Security Rule encrypt PHI data even when that data is at rest and not being transmitted electronically.  The recent data breaches involving health plans Anthem and Premera highlight the vulnerability of health care data and may lead to additional pressure for providers to implement additional encryption measures.

Even if HIPAA rules do not apply to cloud service provider contracts, healthcare providers and health plans storing data on the cloud should be aware that many states now have privacy and breach notification laws which could come into play.

Finally, in addition to addressing the regulatory requirements and data privacy and security, a healthcare provider or health plan should negotiate appropriate service level terms with the cloud provider that address such issues as the performance requirements for the cloud network and the process and procedures for addressing problems with the cloud network.  The healthcare provider or health plan should also include appropriate back-up and disaster recovery provisions in the contract with the cloud provider, as well as appropriate remedies in the event it suffers losses as a result of the contract.

ARTICLE BY

Covington E-Health

Important Recommendations from the MedPAC March Report to Congress, Part Two

McBrayer, McGinnis, Leslie and Kirkland, PLLC

Earlier we have discussed the recommendations of the Medicare Payment Advisory Commission (“MedPAC” or the “Commission”) with regard to fee-for-service (“FFS”) payment systems. Today’s post will discuss the Commission’s recommendations with regard to making FFS payments site-neutral, as well as its status reports on Medicare Advantage (“MA”) and the Medicare prescription drug program (“Part D”).

Similar Services in Different Settings

Inpatient and outpatient hospital rates for 2016 would receive an update of 3.25% per the Commission, provided that changes would be made to equalize payments for similar services provided in different care settings, making them site-neutral. Certain conditions treated both in skilled nursing facilities and in inpatient rehabilitation facilities would receive site-neutral payments, for example. Payments under the long-term care hospital payment system would also be reduced for patients who are not characterized as chronically critically ill, so that the payment rate would then be similar to what acute care hospitals receive.

Medicare Advantage

The Commission made some of the same recommendations in 2015 about MA as it did in March 2014, namely that hospice care should be integrated into the MA benefit package and bidding rules should be improved. According to MedPAC, hospice inclusion in MA would increase coordination of care as well as innovation in end-of-life care, in addition to promoting accountability. The Commission also believes that employer group MA plans should be more consistent with comparable nonemployer plans in terms of payment, and the application of the national average bid-to-benchmark ratio for nonemployer plans to employer plans could achieve this goal. The Commission also recommended a decrease in benchmarks to equalize the payment system between MA and the FFS program enough to where neither is favored.

As for access to MA, MedPAC found that 99 percent of all Medicare beneficiaries have access to an MA plan. The report also found that data from a quality bonus program shows that plans are responding favorably to the measure by paying closer attention to quality measures that form the basis of these payments.

Medicare Part D

MedPAC made no recommendations as to Part D. It found high participation in the plan, with premiums remaining stable over the past year. The Commission did note an increase in spending between 2007 and 2013, which it attributed to two trends: (1) an overall shift towards the use of generic drugs, which affects the benefit spending that plan sponsors base premiums on, and (2) reinsurance payments have grown every year at an average rate of 16 percent.

French Supreme Court Specifies Requirements for Health Care Companies Under the Sunshine Act

McDermott Will & Emery

Law no. 2011-2012 of 29 December 2011, also known as the French Sunshine Act, introduced into French law disclosure obligations imposed on health care companies (HCC).  The French Medical Board and a nonprofit organisation challenged the law’s implementing decree of 21 May 2013 and its explanatory circular of 29 May 2013.  On 24 February 2015, the Conseil d’Etat annulled some of the challenged provisions of the aforementioned decree and circular, and provided useful clarifications on the scope of the disclosure obligations.

Pursuant to the decree of 21 May 2013 and the explanatory circular of 29 May 2013, there were three exceptions to the obligation to disclose (i) benefits in kind or cash exceeding EUR10 and (ii) written agreements:

  • Payments made as reasonable compensation for services rendered and for salaries did not have to be disclosed.

  • Companies that manufacture or commercialise cosmetic and tattoo products did not have to disclose agreements other than those relating to the conduct of health and safety work assessments and biomedical or observation research on these products.

  • Companies that manufacture or commercialise health products did not have to disclose commercial sales agreements of goods and services.

Under the Conseil d’Etat decision of 24 February 2015, the two first exceptions no longer apply, and the scope of the third exception has been specified.  The three main changes entailed by this decision are described herein.

All payments made from 1 January 2012 by HCCs to HCPs that do not constitute salaries must be disclosed.

The Conseil d’Etat specified the limits of the concept of “benefit in cash or in kind” that must be disclosed.  The 2013 explanatory circular had given a narrow definition of this concept, stating that it excluded payment made as reasonable compensation for services rendered and for salaries.

According to the Conseil d’Etat, however, the provisions of Law no. 2011-2012 exclude only salaries received by health care professionals (HCPs) working exclusively as employees of HCCs.  According to the words of the General Advocate (Rapporteur Public) before the Conseil d’Etat, the exclusion relates to an “HCP who works exclusively as an employee in a HCC.”

Consequently, the Conseil d’Etat annulled the provisions of the explanatory circular which disregarded both Law no. 2011-2012 and the decree of 21 May 2013 by excluding from the scope of the disclosure obligations payment made as reasonable compensation for services rendered.

Companies manufacturing or distributing non-corrective contact lenses, cosmetic or tattoo products must disclose all agreements concluded with French HCPs, regardless of the object of the agreement.

With regard to companies manufacturing or distributing non-corrective contact lenses, cosmetic or tattoo products, the decree limited the scope of the disclosure obligations to agreements concluded with HCPs relating to the conduct of health and safety work assessments and biomedical or observation research on the products.

The Conseil d’Etat stated that by limiting the scope of the disclosure obligations, the decree disregarded the provisions of Law no. 2011-2012, and therefore annulled the regulatory provisions at stake.

The only commercial sales agreements of goods and services that are excluded from the disclosure obligations are those in which the HCP is the buyer.

The Conseil d’Etat clarified the content of Article R. 1453-2 of the French Code of Public Health, which excluded from the disclosure obligations commercial sales agreements of goods and services.  Even though this article was explained in the circular, it remained unclear which agreements it really targeted.

According to the judges, this exemption concerns solely commercial sales agreements of goods and services in which the HCP is the buyer.  Furthermore, despite the rather unclear wording of the Conseil’s decision, it must be noted that, in light of the words of the General Advocate, the decision clarified that this exemption does not apply to purchase of advertising space by HCCs in medical journals.

Conclusions

Since the Conseil d’Etat did not time-differentiate the effects of its decision, its 24 February 2015 interpretation of the Sunshine Act is deemed to apply to all conventions concluded and benefits paid from 1 January 2012.  Therefore, HCCs should now disclose the following:

  • All payments made from 1 January 2012 by HCCs to HCPs for services rendered that do not constitute salaries

  • All agreements concluded from 1 January 2012 between companies manufacturing or distributing non-corrective contact lenses, cosmetic or tattoo products and French HCPs

  • Commercial sales agreements of goods and services in which the HCP is not the buyer

In accordance with the principle of legal certainty, HCCs should be given reasonable and sufficient time to adapt to the regulation as interpreted by the Conseil d’Etat, during which period of time they should not be sanctioned.

The Unhappy Intersection of Hospital Mergers and Antitrust Laws

McBrayer, McGinnis, Leslie and Kirkland, PLLC

The rapidly-evolving field of health care has been moving lately towards a single-minded goal – coordination of patient care in the name of efficiency and efficacy. Hospital systems are more and more often merging with other medical practices to better achieve the standards and goals of the Patient Protection and Affordable Care Act (“ACA”). The Ninth Circuit Court of Appeals, however, recently provided a stark reminder that the ACA isn’t the only law hospitals need to consider compliance with in these mergers.

Saltzer Medical Group in Nampa, Idaho, had been seeking to make a change from fee-for-service to risk-based reimbursement and approached St. Luke’s Health System in Boise in 2012 about a formal partnership. They entered into a five-year professional service agreement that contained language about wanting to move away from fee-for-service reimbursement but without any clear language on making that change. Saltzer received a $9 million payment on the deal. Other hospital systems in the area, the FTC, and the Idaho Attorney General all filed suit to enjoin the merger.

The Ninth Circuit affirmed the district court’s holding that St. Luke’s violated state and federal antitrust laws when acquiring Saltzer. St. Luke’s argued that acquisition of the other provider would improve patient outcomes and care in the community of Nampa, Idaho, where Saltzer operates, but both courts agreed that the anticompetitive concerns surrounding the merger outweighed the benefits to quality care.

This case and other similar cases brought by the FTC provide a bleak outlook for health care providers looking to merge with other entities to provide care and efficiency under the aims of the ACA. While the court ultimately found that St. Luke’s aims were beneficial and not anticompetitive in and of themselves, antitrust laws only truly take the effect on competition into account, and courts are not ready to place quality of care under the ACA on equal footing.

Nation’s Highest Court Schedules Oral Arguments in King v. Burwell re: Affordable Care Act

Sheppard Mullin Law Firm

A Supreme Court of the United States (SCOTUS) spokesperson announced on December 22, 2014, that the Court will hear oral arguments in King v. Burwell on March 4, 2015. This means that not only could the highest court soon resolve the circuit split on the case’s key issue, but that the future course of the landmark Affordable Care Act (ACA) could be decided as soon as June 2015.

At issue in King is whether a May 2012 IRS rule should be upheld or stricken.[1] The rule provides that health insurance premium tax credits are available to all U.S. taxpayers, irrespective of whether they obtain coverage through a state or federal exchange. Challengers to the IRS rule contend that the plain language of the ACA restricts the availability of the tax credits to health insurance policies purchased through state exchanges and not through the federal exchange. Reading the ACA statutory language strictly, challengers note that there is no alternative interpretation to the words noting that premium tax credits are available for plans obtained “through an Exchange established by the State under section 1311” of the Act.[2] (italics added).

The government has countered that other provisions of the ACA support the legislative intent of Congress—that the premium tax credits are meant to be made available for all taxpayers nationwide, including those who purchase plans on the federal exchange. It has noted that the IRS rule should not be invalidated because of a simple drafting error.

Earlier this year in July, the U.S. Court of Appeals for the Fourth Circuit had unanimously concluded in King that the ACA was ambiguous on the question of whether the tax credits applied to plans purchased through the federal exchange. Because of this, it allowed for the government to have a “reasonable interpretation” of the ACA via the IRS rule.[3] This decision directly conflicted with the July 2014 U.S. Court of Appeals (District of Columbia) decision in Halbig v. Burwell on the same issue.

The D.C. Court sided with the plain language interpretation and restricted the tax credits to plans purchased through the state exchanges. The Court subsequently vacated the decision and is not expected to render its opinion until Spring 2015.

If SCOTUS resolves the circuit split in favor of the challengers, there are several potential implications that could leave millions of Americans without health insurance:

  • Coverage would be less affordable for those on the federal exchange;

  • Without the tax credit, individuals would be exempt from the individual mandate;[4] and

  • The ACA employer “pay-or-play” provision would not apply to as many employers.

The latter implication is likely due to the fact that pay-or-play penalties are triggered only if a covered employer fails to offer health insurance coverage and an employee takes advantage of a tax subsidy by purchasing an exchange plan.  Without premium tax credits or subsidies available through the federal exchange, fewer employers would be penalized for failure to provide coverage in the first place.

The Supreme Court’s decision in the summer of 2015 may set the tone for the longevity of the ACA in light of the most recent mid-term elections.


[1] See 26 C.F.R. § 1.36B–1(k); Health Insurance Premium Tax Credit, 77 Fed. Reg. 30,377, 30,378 (May 23, 2012) (collectively the “IRS Rule”).

[2] See ACA § 1401(a), codified at 26 U.S.C. § 26B(c)(2)(A)(i).

[3] The Fourth Circuit U.S. Court of Appeals opinion can be found here.

[4] As a matter of law, health insurance would be “unaffordable” and the individual mandate would be waived. See 26 U.S.C. § 5000A.

The Affordable Care Act—Countdown to Compliance for Employers, Week 1: Going Live with the Affordable Care Act’s Employer Shared Responsibility Rules on January 1, 2015

Mintz Levin Law Firm

Regulations implementing the Affordable Care Act’s (ACA) employer shared responsibility rules including the substantive “pay-or-play” rules and the accompanying reporting rules were adopted in February.  Regulations implementing the reporting rules in newly added Internal Revenue Code Sections 6055 and 6056 came along in March. And draft reporting forms (IRS Forms 1094-B, 1094-C, 1095-B and 1095-C) and accompanying instructions followed in August.

With these regulations and forms, and a handful of other, related guidance items (e.g., a final rule governing waiting periods), the government has assembled a basic—but by no means complete—compliance infrastructure for employer shared responsibility. But challenges nevertheless remain. Set out below is a partial list of items that are unresolved, would benefit from additional guidance, or simply invite trouble.

1.  Variable Hour Status

The ability to determine an employee’s status as full-time is a key regulatory innovation. It represents a frank recognition that the statute’s month-by-month determination of full-time employee status does not work well in instances where an employee’s work schedule is by its nature erratic or unpredictable. We examined issues relating to variable hour status in previous posts dated April 14, July 20, and August 10.

An employee is a “variable hour employee” if—

Based on the facts and circumstances at the employee’s start date, the employer cannot determine whether the employee is reasonably expected to be employed on average at least 30 hours of service per week during the initial measurement period because the employee’s hours are variable or otherwise uncertain.

The final regulations prescribe a series of factors to be applied in making this call. But employers are having a good deal of difficulty applying these factors, particularly to short-tenure, high turnover positions. While there are no safe, general rules that can be applied in these cases, it is pretty easy to identify what will not work: classification based on employee-type (as opposed to position) does not satisfy the rule. Thus, it is unlikely that a restaurant that classifies all of its hourly employees, or a staffing firm that classifies all of its contract and temporary workers, as variable hour without any further analysis would be deemed to comply. But if a business applies the factors to, and applies the factors by, positions,  it stands a far greater chance of getting it right.

2.  Common Law Employees

We addressed this issue in our post of September 3, and since then, the confusion seems to have gotten worse. Clients of staffing firms have generally sought to take advantage of a special rule governing offers of group health plan coverage by unrelated employers without first analyzing whether the rule is required.

While staffing firms and clients have generally been able to reach accommodation on contractual language, there have been a series of instances where clients have sought to hire only contract and temporary workers who decline coverage in an effort to contain costs. One suspects that, should this gel into a trend, it will take the plaintiff’s class action bar little time to respond, most likely attempting to base their claims in ERISA.

3.  Penalties for “legacy” HRA and health FSA violations

A handful of promoters have, since the ACA’s enactment, offered arrangements under which employers simply provided lump sum amounts to employees for the purpose of enabling the purchase of individual market coverage. These schemes ranged from the odd to the truly bizarre. (For example, one variant claimed that the employer could offer pre-tax amounts to employees to enroll in subsidized public exchange coverage.) In a 2013 notice, the IRS made clear that these arrangements, which it referred to as “employer payment plans,” ran afoul of certain ACA insurance market requirements. (The issues and penalties are explained in our June 2 post.) Despite what seemed to us as a clear, unambiguous message, many of these schemes continued into 2014.

Employers that offered non-compliant employer-payment arrangements in 2014 are subject to penalties, which must be self-reported. For an explanation of how penalties might be abated, see our post of April 21.

4.  Mergers & Acquisitions

While the final employer shared responsibility regulations are comprehensive, they fail to address mergers, acquisitions, and other corporate transactions. There are some questions, such as the determination of an employer’s status as an applicable large employer, that don’t require separate rules. Here, one simply looks at the previous calendar year. But there are other questions, the answers to which are more difficult to discern. For example, in an asset deal where both the buyer and seller elect the look-back measurement method, are employees hired by the buyer “new” employees or must their prior service be tacked? The IRS invited comments on the issue in its Notice 2014-49.

Taking a page from the COBRA rules, the IRS could require employers to treat sales of substantial assets in a manner similar to stock sales, in which case buyers would need to carry over or reconstruct prior service. While such a result might be defensible, it would also impose costly administrative burdens. Currently, this question is being handled deal-by-deal, with the “answers” varying in direct proportion to the buyer’s appetite for risk.

5.  Reporting

That the ACA employer reporting rules are in place, and that the final forms and instructions are imminent should give employers little comfort. These rules are ghastly in their complexity. They require the collection, processing and integration of data from multiple sources—payroll, benefits administration, and H.R., among others. What is needed are expert systems to track compliance with the ACA employer shared responsibility rules, populate and deliver employee reports, and ensure proper and timely delivery of employee notices and compliance with the employer’s transmittal obligations. These systems are under development from three principal sources: commercial payroll providers, national and regional consulting firms, and venture-based and other start-ups that see a business opportunity. Despite the credentials of the product sponsors, however—many of which are truly impressive—it is not yet clear in the absence of actual experience that any of their products will work. It is not too early for employers to contact their vendors and seek assurances about product delivery, reliability, and performance.

Just in Time for the Holidays: Another HIPAA Settlement

McDermott Will Emery Law Firm

On December 2, 2014, the Office for Civil Rights (OCR) and Anchorage Community Mental Health Services, Inc., (ACMHS) entered into a Resolution Agreement and Corrective Action Plan (CAP) to settle alleged violations of the HIPAA Security Rule, which governs the safeguarding of electronic protected health information (ePHI).  OCR initiated an investigation into ACMHS’s compliance with HIPAA after receiving a March 2, 2012 notification from the provider regarding a breach of unsecured ePHI affecting 2,743 individuals.  The breach resulted from malware that compromised ACMHS’s information technology resources.

OCR’s investigation found that ACMHS (1) had never performed an accurate and thorough risk assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by ACMHS; (2) had never implemented Security Rule policies and procedures; and (3) since 2008, had failed to implement technical security measures to guard against unauthorized access to ePHI transmitted electronically, by failing to ensure that appropriate firewalls were in place and regularly updated with available patches.

ACMHS agreed to pay $150,000 and to comply with the requirements set forth in the CAP to settle the allegations.  The CAP has a two-year term and obligates ACMHS to take the following actions:

  • Revise, adopt and distribute to its workforce updated Security Rule policies and procedures that have been approved by OCR

  • Develop and provide updated security awareness training (based on training materials approved by OCR) to applicable workforce members, and update and repeat the training annually

  • Conduct annual risk assessments of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by ACMHS, and document the security measures implemented to reduce the risks and vulnerabilities to a reasonable and appropriate level

  • Investigate and report to OCR any violations of its Security Rule policies and procedures by workforce members

  • Submit annual reports to OCR describing ACMHS’s compliance with the CAP

In announcing the settlement, OCR Director Jocelyn Samuels said, “[s]uccessful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis.  This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.”  A copy of the Resolution Agreement and CAP can be found here.

The settlement is another reminder that covered entities and business associates should ensure that they have taken steps necessary and appropriate to safeguard the ePHI in their possession.  Conducting regular ePHI risk assessments, addressing any identified security vulnerabilities, implementing and updating comprehensive HIPAA policies and procedures, and appropriately training workforce members who have access to ePHI are all steps that covered entities and business associates must take to comply with HIPAA and protect ePHI.

Health Resources and Services Administration (HRSA) Withdraws 340B Program Proposed Rule

McDermott Will Emery Law Firm

On November 14, 2014, the U.S. Department of Health and Human Services (HHS) Health Resources and Services Administration (HRSA) withdrew a proposed rule that would have provided guidance on a variety of topics related to the 340B Federal Drug Pricing Program.  The “mega rule,” which had been submitted to the White House Office of Management and Budget in April 2014, was expected to cover important 340B Program matters, such as patient eligibility, contract pharmacy arrangements, and eligibility for hospitals and off-site facilities.  Now, in lieu of the proposed rule, HRSA has announced its intention to release notice-and-comment guidance to “address key policy issues raised by various stakeholders committed to the integrity” of the 340B Program.  Additionally, HRSA plans to issue proposed rules related to civil monetary penalties for manufacturers, calculating the 340B ceiling price and administrative dispute resolution.

The decision to withdraw the proposed rule, coupled with HRSA’s intention to release regulatory guidance on similar issues, may be viewed as a response by HHS to a recent federal court decision limiting HHS’s ability to promulgate notice-and-comment rules.  In a May 23, 2014, decision, the U.S. District Court for the District of Columbia held that HHS did not have the requisite statutory authority to promulgate a notice-and-comment rule pertaining to the purchase of orphan drugs by certain Covered Entities.  Further, the withdrawal may indicate a decision by HRSA to scale back its issuance of notice-and-comment rules for the 340B Program, limiting formal rulemaking to areas where the statutory authority to do so is explicit.  The withdrawal of the proposed mega rule demonstrates HRSA’s position that it does not possess the broad authority necessary to issue a formal rule of this scope.

Without the proposed rule, important facets of the 340B Program remain uncertain.  Manufacturers and Covered Entities that sought guidance on key practical issues such as patient definition now must continue to wait for clarification.  As noted, going forward HRSA will seek to clarify “key policy issues” but has yet to announce whether the topics covered by the proposed rule will be addressed.  HRSA’s regulatory guidance on these issues may never come, however, if the U.S. District Court for the District of Columbia (which is hearing further briefing on the aforementioned case concerning HHS’s regulatory guidance on the orphan drug rule) further restricts HHS’s ability to issue guidance.

In the face of continuing uncertainty, 340B Program participants, including Covered Entities, should stay current and closely follow available guidance from HRSA and the 340B Prime Vendor (Apexus).  Until clear guidance has been issued pertaining to subjects such as patient definition and contract pharmacy compliance, 340B Program participants should continue to follow and document best practices to ensure compliance with all 340B Program requirements.

ARTICLE BY