A U.S. Department of Health and Human Services (“HHS”) administrative law judge (“ALJ”) ordered the University of Texas MD Anderson Cancer Center (“MD Anderson”) last month to pay a $4,348,000 civil monetary penalty because of violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).  While the vast majority of enforcement actions taken against covered entities and business associates to date have been voluntary settlements, this action came in the form of summary judgment in favor of HHS.  MD Anderson has stated that it intends to appeal the ALJ’s decision.  If upheld, the civil monetary penalty would be the fourth-largest amount in HHS’s enforcement history.

The alleged HIPAA violations arose from three separate breaches reported by MD Anderson in 2012 and 2013, involving:  (1) the theft of an unencrypted laptop from the home of an MD Anderson physician and (2) the loss of two unencrypted thumb drives by MD Anderson personnel.  The lost devices in total contained the protected health information (“PHI”) of 34,883 patients, including information such as patient names, Social Security numbers, medical record numbers, and clinical and research information.

The ALJ’s sharp-tongued opinion provides several important reminders to covered entities and business associates with respect to HIPAA.

First, encryption is a strong mechanism for protecting organizations from breaches involving theft or loss of portable electronic devices.  Breach reports involving the loss or theft of portable electronic devices have triggered many of the HHS inquiries resulting in enforcement actions for HIPAA violations.  While the ALJ noted in his opinion that encryption is not specifically required by the HIPAA Security Rule (it is an “addressable” implementation specification, which a covered entity must either implement or document why an equivalent alternative measure is reasonable), it is one way to help prevent reportable breaches involving the loss or theft of a portable electronic device containing PHI: under the Breach Notification Rule, PHI that has been encrypted consistent with HHS guidance is “secured,” and the loss of a device holding only secured PHI is not a reportable breach.

Second, the failure to implement approved security controls for the protection of PHI in a timely manner exposes organizations to significant risk.  The ALJ noted that MD Anderson first identified the need to encrypt its data in 2006—six years before the first breach reported in connection with the recent enforcement action occurred.  The ALJ stated that MD Anderson “delayed encryption of laptop devices for years, and then, proceeded with encryption at a snail’s pace.”  Indeed, MD Anderson had not encrypted all of its computers by January 2014.  Once MD Anderson decided to adopt encryption as its determined control for the protection of PHI on portable devices, according to the ALJ, “it was obligated to make it work.”  MD Anderson’s delay in fully implementing its encryption solution was ultimately found to be an aggravating factor supporting the reasonableness of the civil monetary penalty.

Third, establishing a HIPAA compliance program that exists solely on paper is not enough.  The 2006 edition of MD Anderson’s Information Resources Security Operations Manual required that data stored on laptops and other portable media be encrypted or protected with access controls.  In 2007, MD Anderson directed that confidential data should not be stored on portable devices, but that if it was, it must be encrypted using approved methods.  The ALJ was not persuaded by MD Anderson’s written commitments to encryption without follow-through on implementation and enforcement.

Fourth, organizations must consider how to sufficiently control PHI on portable electronic media purchased with technology stipends (sometimes called “Bring Your Own Devices” or “BYOD”).  One of the reported breaches that led to the recent enforcement action involved the theft of a laptop purchased by a physician with MD Anderson’s funds.  Because MD Anderson had not yet fully implemented its encryption plan in 2012 when the theft occurred, the laptop was not encrypted.  The laptop was not even password-protected.  Organization-issued laptops and other devices come standard with the organization’s access controls, including password protections, encryption, and other administrative controls preventing users from circumventing security efforts.  Organizations that offer technology stipends for the purchase of devices of the employees’ choosing should consider the mechanisms through which they should protect the security of the data accessed by such BYOD devices.  These could include, for example, mobile device management software or remote access controls that disallow storage of PHI on those devices, in addition to the policies and procedures governing the use of such devices.

Fifth, research data maintained by a covered entity must be protected in accordance with the HIPAA Privacy Rule and Security Rule.  MD Anderson argued that HIPAA did not apply to the data maintained on the lost and stolen devices because it was used in research, relying on preamble language that HIPAA does not apply to research records obtained by a researcher in its role as a researcher.  While MD Anderson attempted to read the pertinent preamble language broadly, the ALJ focused on the role of the institution conducting the research.  If the research was being conducted by a non-covered entity or non-business associate, that information would be subject to that narrow exception.  The ALJ suggested that a covered entity may be able to segregate its clinical functions from its research functions, which could be accomplished by a hybrid entity designation.  MD Anderson, however, did not argue that it segregated its clinical and research functions in this manner, resulting in the continued application of HIPAA to the data used for research.

HHS’s press release, the Notice of Proposed Determination, and the ALJ’s opinion are available here.

Commissioner Scott Gottlieb of the U.S. Food and Drug Administration (“FDA”) stole the spotlight this past month when he delivered a speech discussing big promises from the agency regarding artificial intelligence (“AI”) in healthcare. “One of the most promising digital health tools is artificial intelligence, particularly efforts that use machine learning,” said Gottlieb when explaining that the FDA was “actively developing a new regulatory framework to promote innovation in this space.”

Indeed, this year the FDA has shown a lot of support for AI in healthcare by authorizing the marketing of several cutting-edge AI technologies—one of which was even permitted to be marketed without the requirement for additional clinician oversight.

In February, the FDA permitted marketing of clinical decision support software that uses algorithms to help neurovascular specialists arrive at answers more quickly and speed time to treatment for potential stroke patients.

Then in April, the FDA permitted marketing of the first device to use AI to detect a medical condition. Called IDx-DR, the device utilizes an AI algorithm to screen for diabetic retinopathy. This device is unique in that its results do not require additional review by a specialized clinician, which allows the test to be performed in a primary care setting. Like many devices in the digital health space, IDx-DR was reviewed through the FDA’s De Novo premarket review pathway, which is a way for new medical devices that present “a low to moderate risk to patients” and have no legally marketed predicate device on which to base a determination of substantial equivalence to be reclassified into Class I or Class II and avoid the need for a full Premarket Approval (“PMA”) application.

IDx-DR was also granted Breakthrough Device designation, which expedites the review of medical devices that provide for more effective treatment or diagnosis of life-threatening or irreversibly debilitating diseases or conditions. The FDA has consistently shared its intention to be flexible with digital health product developers whose software and devices do not fall neatly into the FDA’s well-established “product types.” Most recently, in May, the FDA permitted the marketing of OsteoDetect, an AI algorithm for aiding providers in the detection of wrist fractures by analysis of two-dimensional X-ray images.

These examples of successful utilization of the De Novo pathway and Breakthrough Devices program are likely to continue to encourage AI innovation by medical device and digital health companies by using these pathways to market as an FDA roadmap for marketing authorization of their own products.

The U.S. Food and Drug Administration’s (FDA’s) Center for Devices and Radiological Health (CDRH) recently issued its Medical Device Safety Action Plan:  Protecting Patients, Promoting Public Health (Action Plan), an aspirational set of goals concerning the agency’s approach to medical device safety.  This Action Plan can be considered the FDA’s attempt to reorganize its toolbox to make its regulatory efforts more efficient, effective, and responsive.  The Action Plan describes the FDA’s intentions to:

  1. Integrate CDRH’s premarket and postmarket offices and activities to advance the use of a Total Product Life Cycle (TPLC) approach to device safety;
  2. Establish a robust medical device patient safety net in the United States;
  3. Explore regulatory options to streamline and modernize timely implementation of postmarket mitigations;
  4. Spur innovation towards safer medical devices; and,
  5. Advance medical device cybersecurity.

Radically Restructuring CDRH

The cornerstone of the Action Plan is a TPLC approach intended to enable nimble and comprehensive medical device regulation, especially as it concerns postmarket medical device surveillance and response, balancing patient benefit, device safety, and innovation.  Perhaps the clearest indicator of the FDA’s embrace of the TPLC approach is the proposed radical restructuring of CDRH, which has been talked about for some time.  The Action Plan sets out the FDA’s rationale for the restructuring:

Rather than assessing a device only at one point in time – for instance, to evaluate whether a device meets the standard for approval, or to evaluate post-market data involving a device safety signal – reviewers, compliance officers, and other experts would work in teams with responsibility for device oversight throughout the product’s development and commercialization.

Therefore, instead of the current structure that focuses on stages of a product’s life cycle, CDRH would be reorganized into one office and seven smaller “device-specific offices that would each be responsible for premarket review, postmarket surveillance, manufacturing and device quality, and enforcement.”  A separate office focused on clinical evidence and analysis is being considered, and it would comprise teams working on “clinical evidence policy, evidence synthesis and analysis, biostatistics, bioresearch compliance, and collaboration and outreach to clinical researchers outside of the FDA.”  With this kind of structure, it is clear that the FDA expects CDRH to adopt a “universal” view of and an integrated approach to medical device regulation, with the goal of eliminating regulatory silos.  The proposed reorganization should also enhance information sharing and analysis.

Establishing a Robust Medical Device Safety Net and Streamlining Implementation of Postmarket Mitigations

Another important theme of the Action Plan is to address some of the limitations of current postmarket surveillance tools (e.g., that Medical Device Reports (MDRs) rely on a clinician to recognize a problem and its relationship to the device rather than some other factor, or that there are few incentives for patients to participate in postmarket surveillance studies of a device).  To that end, the Action Plan seeks to position CDRH to have access to the vast and growing amount of available digital health data.  By focusing attention on developing a robust medical device safety net and the impact that will have on improving the timeliness and effectiveness of postmarket mitigations, the FDA is positioning itself squarely at the crossroads of Big Data and complex data analysis.  CDRH already has programs in place to track medical devices – the Global Unique Device Identification Database (GUDID) – and to understand and use real world evidence (RWE).  Unique device identifiers (UDIs) now appear on most medical device labels, and labelers are required to submit information about each medical device bearing a UDI to the FDA; this information is stored in the GUDID.  According to the FDA, UDIs provide a way to document device use (e.g., electronic health records and registries can include UDI information) so that there can be, among other things, “more accurate reporting, reviewing, and analyzing of adverse event reports” because “healthcare professionals and others [will be able] to more rapidly and precisely identify a device and obtain important information concerning the device’s characteristics.”  RWE (comprised of raw patient health information) typically originates from non-clinical research sources, such as health monitoring devices and claims and billing activities.  RWE can be aggregated and analyzed to assess and identify trends, though special attention must be paid to data quality and privacy issues.

According to the Action Plan, the FDA plans to use this data collection in two critical data evaluation programs:  The National Evaluation System for Health Technology (NEST) and CDRH’s Signal Management Program (SMP).  The SMP uses signals (defined by the FDA as “a new potentially causal association or a new aspect of a known association between a medical device and an adverse event or set of adverse events”) to connect postmarket surveillance with the premarket review process by informing the design and use of similar devices that are in the premarket review phase.  By integrating postmarket surveillance information into pre-market review, the FDA intends for similar devices seeking entry into the market to have already accounted for known safety risks.

It appears that the FDA will make NEST, a public-private partnership (or PPP), the central hub for data evaluation and management that, according to the FDA, will enable improved safety risk identification and postmarket mitigation activity and strategy.  NEST is intended to “facilitate detection of potential safety risks that would not otherwise have been identified as quickly, or at all, as well as facilitate more timely capture of potential safety signals.”  However, by the FDA’s own admission, NEST is currently underfunded; realizing its full potential in the way the FDA envisions remains an open and unaddressed issue.

A critical part of this robust patient safety net, according to the FDA, is attention to women’s health.  The FDA stated that, over the last several years, there have been “several significant medical device safety issues [involving] devices intended for women’s health uses.”  To that end, the Action Plan contemplates building out, for example, the Women’s Health Technologies Strategically Coordinated Registry Network (CRN) to improve its functionality and utility for providing the evidence needed to improve women’s medical device safety evaluation.

The Action Plan also contemplates the FDA using these data collection and analyses portals to improve postmarket mitigations (e.g., labeling or user training).  The FDA plans to examine its current statutory authority to determine whether it can develop a so-called “umbrella regulation” to enable quicker implementation of certain postmarket mitigations.  Because issues related to medical device safety may not be known until the device is used in a clinical setting or among a diverse population, the FDA frequently identifies necessary improvements for medical device safety after a medical device is on the market.  To implement postmarket mitigations, however, the FDA typically must engage in rulemaking, which is a lengthy process involving notice and comment.  Though the FDA is often able to work with manufacturers to voluntarily implement postmarket mitigations, the agency is clearly unhappy with having to resort to this option.  The “umbrella regulation” mentioned in the Action Plan is a way for the FDA to have a more rapid and direct response to postmarket safety incidents.

Facilitating Medical Device Innovation and Safety

As the FDA identifies postmarket mitigations necessary to improve medical safety, so too do manufacturers, on their own, modify and improve the safety of medical devices (e.g., by adding new features).  According to the FDA, however, this kind of innovation is not readily incentivized by the marketplace unless there is a known safety concern.  The FDA is concerned with the effect on the quality of medical devices on the market.  Within the bounds of the FDA’s statutory authority and to encourage innovation – as has been done, for example, with the Breakthrough Devices Program – the Action Plan mentions several things that the FDA intends to do to support and facilitate medical device innovation as it concerns safety.  Among the options the FDA will explore are encouraging greater collaboration between the FDA’s staff and medical device developers, developing a discrete program like the Breakthrough Devices Program, focusing regulatory science resources on safety innovation, and developing scientific toolkits for developers to use to integrate safety risk management into medical device design and development.

Medical Device Cybersecurity as a Patient Safety Issue

Finally, but importantly, medical devices are like every other connected device in today’s world:  They are not immune to the dangers posed by cyber threats.  As interconnectivity increases, so too does exposure to cyber risk, and the Action Plan recognizes this by including a focus on medical device cybersecurity as a patient safety issue.  During the pre-market review process, the FDA will consider requiring firms to embed cybersecurity capabilities (e.g., the capacity to patch a software vulnerability) into the design of the medical device.  Such an approach should emphasize for manufacturers that cybersecurity considerations cannot be an afterthought in medical device design.  Another way the FDA plans to emphasize its commitment to managing cybersecurity issues is by considering postmarket authority that would “require that firms adopt policies and procedures for coordinated disclosure of vulnerabilities as they are identified.”  Consistent with its use of PPPs in other data collection and analysis areas, the FDA is also considering developing a team of experts across several disciplines to be a resource for device makers and the FDA staff.  This CyberMed Safety (Expert) Analysis Board (CYMSAB) would, among other things, assess vulnerabilities, evaluate patient safety risks, consult with organizations, and be a rapid-response field team that investigates the circumstances surrounding a compromised medical device (at the manufacturer’s or the FDA’s request).

The Action Plan:  Looking Ahead

Though aspirational, the Action Plan implicates a number of legal issues, including the traditional (e.g., medical device marketing applications and postmarket surveillance, intellectual property protection) and the novel, emerging, and rapidly-evolving (e.g., cybersecurity threat and risk management, medical device software development, digital health data access, privacy, and protection).  In only a short five item list, the FDA presents a dense, ambitious plan to build on its existing resources and to shift its regulatory approach to one that considers the TPLC of a medical device and that continues to refine the patient benefit-risk framework currently in use.  Only time will tell if this Action Plan will meet the FDA’s quest to be more comprehensive and nimble.  Funding for existing programs and for the expansions contemplated by this Action Plan was not specifically addressed, but the FDA has indicated that it is ready to embrace fresh thinking in medical device regulation.

Venable’s team of attorneys is ready and able to help you plan for the multi- and inter-disciplinary issues presented by this Action Plan, and for the many changes it could introduce into the medical device regulatory space and for your business.  In addition, the FDA is accepting comments on the Medical Device Action Plan: Protecting Patients, Promoting Public Health, and our attorneys are prepared to assist with the drafting and submission of comments.

On April 24, the Centers for Medicare & Medicaid Services (“CMS”) proposed major changes to the electronic health record (“EHR”) Meaningful Use Program.  Issued as part of a proposed rule updating the Medicare Inpatient Prospective Payment System and Long-Term Care Hospital Prospective Payment System requirements, these changes would significantly shift an important program that helped drive the widespread adoption of EHR tools in the U.S. healthcare industry.

CMS’s stated goals are to transform the Meaningful Use Program to make it more flexible and less burdensome, emphasize measures that require the exchange of health information between providers and patients, and incentivize providers to make it easier for patients to obtain their medical records electronically.  Reflecting a changed focus, the new program will no longer be called “Meaningful Use.”  Instead, it will now be known as the “Promoting Interoperability” program.  The proposed rule includes requirements that providers use the 2015 edition of certified EHR technology in 2019 in order to demonstrate meaningful use, avoid penalties, and qualify for incentive payments.  Importantly, this set of requirements mandates the integration of Application Programming Interfaces (“APIs”) to streamline the flow of information between providers and patients.

These proposed changes could facilitate patients’ collection of their EHR information from multiple providers and incorporation of such information into a combined portal or personal health record. They could also improve access to a patient’s EHR data by the patient’s providers and reduce the administrative burden to transfer records between non-interoperable IT systems.  The “Promoting Interoperability” program is a part of a larger effort by CMS to create a patient-driven healthcare system that provides high quality care and eliminates outdated and redundant regulatory requirements.

On April 4, 2018, the New Jersey Attorney General’s office announced a settlement with a large network of physicians affiliated with medical and surgical practices throughout New Jersey (the “Medical Group”) for health privacy and security violations related to a breach of more than 1,650 patient records.  The settlement for violations of the federal Health Insurance Portability and Accountability Act and its associated regulations (“HIPAA”) and New Jersey state law requires the Medical Group to pay $417,816 and implement a corrective action plan, including a comprehensive and thorough risk assessment, to improve its data privacy and security practices.

The breach occurred when the Medical Group’s medical transcription company, an unrelated subcontractor with which the Medical Group maintained a HIPAA business associate agreement, updated a file transfer protocol (“FTP”) site used to store medical information.  In implementing the update, the transcription company mistakenly removed the site’s password protection, leaving sensitive patient records accessible to anyone on the open internet.  Because nothing restricted anonymous access, Google’s web crawler indexed the site, and patient records could then be found through Google searches for terms contained in the records themselves.

A patient discovered the breach when she found portions of her own medical records through a Google search.  The Medical Group then launched an internal investigation and notified state and federal law enforcement authorities.
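The failure mode above (a vendor change silently removes authentication, and a search engine does the rest) is cheap to catch if someone fetches the site as an anonymous client after every change.  The following is an added example, not code from the original post, from the Medical Group, or from its vendor.  It classifies what an unauthenticated fetch of a document-storage endpoint returns and flags a change that turned a protected site into an exposed one.  The sample responses are constructed here for illustration; the endpoint name and the SSN pattern used as a PHI indicator are assumptions.

```python
"""Added example: post-change exposure check for a document-storage endpoint.

Run this against the site before and after a vendor change (or on a schedule).
A 200 with readable content for an anonymous client means the records are
exposed regardless of any robots directives; noindex only reduces the odds
that a crawler advertises the exposure.  Sample responses below are constructed.
"""
import re
import urllib.error
import urllib.request
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    headers: dict
    body: bytes


# Indicators used to describe an exposed page (assumptions for this example).
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")          # SSN-shaped values
LISTING_RE = re.compile(rb"(?i)index of|<a href=|\[dir\]")  # directory listing
LOGIN_RE = re.compile(rb'(?i)type="password"')            # a login form


def fetch_anonymous(url, timeout=10):
    """Fetch url with no credentials or cookies, as a crawler would.
    Network helper only; the check logic below works on any Response."""
    req = urllib.request.Request(url, headers={"User-Agent": "exposure-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return Response(r.status, dict(r.headers.items()), r.read())
    except urllib.error.HTTPError as e:
        return Response(e.code, dict(e.headers.items()), e.read())


def classify(resp):
    """Return (verdict, findings) for an anonymous fetch.

    verdict is "protected", "exposed" or "unknown"; findings explain why."""
    headers = {k.lower(): v for k, v in resp.headers.items()}
    findings = []
    if resp.status in (401, 403):
        return "protected", findings          # anonymous access denied
    if resp.status != 200:
        return "unknown", [f"unexpected status {resp.status}"]
    if LOGIN_RE.search(resp.body):
        return "protected", ["anonymous client landed on a login form"]
    findings.append("anonymous read succeeded")
    if "noindex" not in headers.get("x-robots-tag", "").lower():
        findings.append("no X-Robots-Tag: noindex, so a crawler may index it")
    if LISTING_RE.search(resp.body):
        findings.append("looks like a directory listing")
    hits = len(SSN_RE.findall(resp.body))
    if hits:
        findings.append(f"{hits} SSN-shaped value(s) in body")
    return "exposed", findings


def regressed(before, after):
    """True when a change turned a protected endpoint into an exposed one,
    which is exactly the transition that should block a vendor's deployment."""
    return classify(before)[0] == "protected" and classify(after)[0] == "exposed"


if __name__ == "__main__":
    # Constructed samples: the site before the update and after it.
    before = Response(401, {"WWW-Authenticate": 'Basic realm="transcripts"'}, b"")
    after = Response(
        200,
        {"Content-Type": "text/html"},
        b'<h1>Index of /transcripts</h1><a href="pt-001.txt">pt-001.txt</a> '
        b"Patient SSN 123-45-6789",
    )
    for label, resp in (("before", before), ("after", after)):
        verdict, why = classify(resp)
        print(f"{label}: {verdict} {why}")
    print("regression introduced:", regressed(before, after))
```

The verdict deliberately stays "exposed" when the only mitigation present is a noindex header: the New Jersey records were a breach the moment anonymous reads succeeded, and Google indexing merely made it visible to the patient who found her own chart.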

The State of New Jersey has made it clear that it holds the Medical Group responsible for the breach, even though it was caused by a subcontractor.  The Acting Director of the New Jersey Division of Consumer Affairs stated:

Although it was a third-party vendor that caused this data breach, [Medical Group] is being held accountable because it was their patient data and it was their responsibility to protect it….This enforcement action sends a message to medical practices that having a good handle on your own cybersecurity is not enough.  You must fully vet your vendors for their security as well.

It is no longer sufficient, if it ever was, for a covered entity (or upstream business associate) to rely solely on “satisfactory assurances” obtained pursuant to a written HIPAA business associate agreement that the business associate (or downstream business associate) will appropriately safeguard the health information shared with it.  This settlement clearly signals the need to vet a new vendor’s security practices and to continue ongoing vendor management and oversight during the course of the business relationship.

Venable’s healthcare practice group is continuously monitoring these issues and tracking the latest developments.  Please contact your Venable attorneys with any questions.

On February 28, Ethan Davis, the U.S. Department of Justice’s (DOJ) deputy assistant attorney general responsible for consumer protection, gave a speech discussing the Department’s plans for enforcement of laws governing the marketing of medical products. Mr. Davis highlighted recent DOJ enforcement actions and previewed how the Department intends to approach the issue in the Trump administration. The speech was an important marker of how the current administration will navigate the tension between First Amendment protection for commercial speech and government enforcement in misbranding cases. The message: A renewed emphasis on what may be called “plus factors” and on the “rule of law” does not mean the DOJ will stop pursuing misbranding cases.

For those in the life sciences industry who expected the still-new administration to effect radical change in this always contentious area of enforcement, the speech offered little that was truly new. Now is by no means the time for industry to relax its compliance vigilance.

Click here to continue reading this article written by Venable’s Investigations and White Collar Defense attorneys.


Digital health companies continue to forge ahead with plans to delve into the medical cannabis industry, despite uncertainty surrounding the legal status of medical cannabis at the federal level.

On March 1, 2018, Revive Therapeutics Ltd. (“Revive”), a Toronto-based company focused on the research, development, and commercialization of novel cannabinoid solutions, announced that it has entered into a collaboration agreement with Ehave, Inc. (“Ehave”), a California digital healthcare company dedicated to providing the mental health community with digital solutions for treatment. The collaboration will enable enhanced patient and clinical research data management in Revive’s research initiatives involving the use of medical cannabis in the treatment of liver diseases.

The collaboration agreement is said to leverage Ehave’s expertise in health informatics through its “Ehave Connect” platform by integrating the platform’s diagnostic and treatment tools with Revive’s ongoing research initiatives in liver disease. The end product is intended to collect and integrate patient data from clinical systems, licensed health surveys, and Ehave’s own patient- and clinician-reported outcome applications to provide users with an easily navigable, tech-friendly patient management solution.

While digital health innovation continues to prosper, at the federal level the legal status of medical cannabis will soon face uncertainty once again as the Rohrabacher-Blumenauer Amendment (formerly known as the Rohrabacher-Farr Amendment) (“Amendment”) must be re-authorized at the end of this month. In December 2014, Congress passed the original Amendment, which maintains that federal funds allocated to the Department of Justice (“DOJ”) cannot be used to prevent states from “implementing their own state laws that authorize the use, distribution, possession or cultivation of medical marijuana.” H.R. 4660, 113th Cong. § 558 (2014), Public Law 113-235 (December 16, 2014). Because the Amendment was approved as a budgetary measure, it must be explicitly re-authorized by Congress as part of either a continuing resolution or a new fiscal year appropriations bill in order to remain in effect. The Amendment expired temporarily on January 20, 2018 during the government shutdown, but subsequently has been extended approximately eight times; the latest extension occurred on February 9, 2018 as a part of the continuing budget resolutions.

The most recent Amendment extension expires on March 23, 2018. Without its renewal, the medical cannabis industry will face uncertainty regarding the legal status of medical cannabis at the federal level, because Attorney General Jeff Sessions changed DOJ prosecutorial policy on cannabis—medical or otherwise—on January 4, 2018, when he rescinded several Obama-era memoranda, including the memoranda commonly referred to as the “Cole and Ogden Memoranda.” The Cole and Ogden Memoranda had provided that the DOJ would focus its prosecutorial efforts on illegal cannabis activities rather than medical marijuana activities operating under legal state-level programs.

Without the Cole or Ogden Memoranda, the only protection the medical cannabis industry has against potential DOJ prosecution is the Rohrabacher-Blumenauer Amendment. Therefore, only time will tell whether innovative collaborations between digital health and medical cannabis companies will continue to thrive or face potential federal scrutiny under the Trump administration.


Under the HIPAA Breach Notification Rule, Covered Entities must report to the Secretary of the U.S. Department of Health and Human Services (HHS) breaches of unsecured protected health information affecting fewer than 500 individuals (“small breaches”) no later than 60 days after the end of the calendar year in which the breaches were discovered. This year’s small breach reporting deadline is Thursday, March 1, 2018. Covered Entities must submit their reports of small breaches discovered in 2017 electronically on the HHS Office for Civil Rights website (located here) if they have not done so already.

Recent enforcement actions highlight the importance of the timely reporting of small breaches to HHS and impacted individuals. For example, in a resolution agreement announced in 2017, a large healthcare system agreed to settle potential violations of the HIPAA Breach Notification Rule by paying $475,000 and implementing a two-year corrective action plan following one large breach and several small breaches. Moreover, earlier this month, a large kidney dialysis provider entered into a $3.5 million resolution agreement and a two-year corrective action plan with HHS to settle potential HIPAA violations stemming from five separate small breaches. (For more information regarding the settlement with the large dialysis provider, click here.)

Covered Entities should take note of the significance HHS places on timely breach reporting—even for breaches that are “small.”

A new administrative rule issued by the New Jersey Attorney General took effect last month that places significant limitations on the payments and gifts that pharmaceutical manufacturers can provide to prescribers licensed in the Garden State.  The rule, “Limitations on and Obligations Associated with Prescriber Acceptance of Compensation from Pharmaceutical Manufacturers,” is set forth at N.J. Admin. Code 13:45J.

Unlike other so-called sunshine laws and the PhRMA Code of Ethics, this new rule applies directly to prescribers in the state, including physicians, podiatrists, physician assistants, advanced practice nurses, dentists, and optometrists.  Prescribers who violate the law may be subject to disciplinary action by their licensing board (including revocation or suspension of their license) and civil monetary penalties.  However, pharmaceutical manufacturers should also familiarize themselves with the particulars of the new rule and adjust their own internal policies, procedures, and prescriber arrangements accordingly, to assist their prescriber partners with these new compliance obligations.

Notable aspects of the new administrative rule include the following:

$10,000 Annual Cap on Payments for Services.  Effective for contracts entered into on or after January 16, 2018, a prescriber licensed in New Jersey may not accept more than $10,000 in the aggregate from all pharmaceutical manufacturers in any calendar year for providing services such as speaking at promotional activities, participating on advisory boards, or consulting.  The cap does not apply to payments for presentations at educational events, research activities, or royalties and licensing fees.

Written Agreement.  For new arrangements entered into on or after January 16, 2018, a prescriber providing services to a pharmaceutical manufacturer must have a written agreement with the manufacturer formalizing the services to be provided.  The written agreement must:

  • Describe the services that the prescriber will provide;
  • Include the dollar value of the payment and other consideration to be received by the prescriber, which must be based on the fair market value of the services;
  • Require that meetings held in association with the services occur in venues and other circumstances conducive to the services provided and that the activities related to the services be the primary focus of the meeting; and
  • Describe or include the following:
    • The legitimate need for services;
    • The connection between the competence, knowledge, and expertise of the prescriber and the purpose of the arrangement;
    • How participation of the prescriber is reasonably related to achieving the identified purpose;
    • The manner by which the prescriber will maintain records concerning the arrangement and the services provided by the prescriber; and
    • An attestation that the prescriber’s decision to render services is not unduly influenced by a pharmaceutical manufacturer’s agent.

Permitted Gifts and Payments.  A prescriber licensed in New Jersey may accept the following from a pharmaceutical manufacturer or its agent:

  • Meals valued at $15 or less provided through the event organizer at an educational event, so long as the meals facilitate the educational program to maximize prescriber learning;
  • Meals valued at $15 or less provided by a manufacturer to a non-faculty prescriber during promotional activities;
  • Items designed primarily for educational purposes for the patients or prescriber that have minimal or no value to the prescriber outside of his or her professional responsibilities, such as anatomical models or materials directly related to patient care or prescriber education;
  • A subsidized registration fee for an educational event, provided that the subsidized fee is available to all event participants;
  • Payment for bona fide services (subject to the cap and written agreement requirements summarized above);
  • Reasonable payment for travel, lodging, and other personal expenses in connection with research activities or employment recruitment; and
  • Sample medications that are intended to be used exclusively for the benefit of the prescriber’s patients.

Prohibited Gifts and Payments.  A prescriber licensed in New Jersey may not accept the following from a pharmaceutical manufacturer or its agent:

  • Entertainment or recreational items, such as tickets to theater or sporting events, or leisure or vacation trips;
  • Any item of value that does not advance disease or treatment education, including:
    • Pens, note pads, mugs, or other items with a company or product logo;
    • Any item intended for the personal benefit of the prescriber or his or her staff, such as floral arrangements, sporting equipment, artwork, or electronic devices;
    • Any payment in cash or a cash equivalent, such as a gift card; and
    • Any payment or subsidy associated with attending an educational event or promotional activity, unless the prescriber is a speaker at the event; and
  • Meals valued at more than $15.

Late last week, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced a $3.5 million settlement with a large provider of kidney dialysis services (the “Provider”) for multiple violations of the Health Insurance Portability and Accountability Act and its associated regulations (HIPAA).  In early 2013, the Provider filed five separate breach reports for incidents that occurred in 2012 and involved several of its facilities.  These breaches involved, among other things, theft of desktop computers from a medical office, theft of a USB drive from a workforce member’s car, loss of a computer hard drive, and theft of a laptop from a parked car.

As part of its settlement with OCR, the Provider entered into a corrective action plan (CAP) that requires the company to improve its policies and procedures for the protection of patient health information.  The CAP specifically requires the Provider to conduct a thorough, system-wide risk analysis of potential risks to and vulnerabilities of the confidentiality, integrity, and availability of its electronic protected health information (ePHI); review and revise its policies and procedures, including those concerning device and media controls and facility access controls; and revise and enhance its health privacy training program.

This settlement once again emphasizes the importance of a comprehensive, up-to-date risk analysis.  It also highlights the fact that mobile device privacy and security continue to be important issues for a range of healthcare providers: four of the five incidents involved portable or removable media (a USB drive, a hard drive, and a laptop) or equipment taken from an unsecured location.  Moreover, it is a reminder that OCR can, and does, take interest in smaller breaches.  Each of the five reported breaches affected fewer than 500 individuals.  Contact a member of Venable’s health law team to discuss how your organization can stay ahead of the curve in today’s enforcement environment.
