On April 4, 2018, the New Jersey Attorney General’s office announced a settlement with a large network of physicians affiliated with medical and surgical practices throughout New Jersey (the “Medical Group”) for health privacy and security violations related to a breach of more than 1,650 patient records.  The settlement for violations of the federal Health Insurance Portability and Accountability Act and its associated regulations (“HIPAA”) and New Jersey state law requires the Medical Group to pay $417,816 and implement a corrective action plan, including a comprehensive and thorough risk assessment, to improve its data privacy and security practices.

The breach occurred when its medical transcription company, an unrelated subcontractor with whom the Medical Group maintained a HIPAA business associate agreement, updated a file transfer protocol (“FTP”) site used for medical information storage.  In the process of implementing the update, the medical transcription company mistakenly removed password protection and allowed sensitive patient records to be accessed on the open internet.  Without the password protection in place, patient records could be accessed through Google searches for terms contained in the records themselves, as a web crawler from Google crawled and indexed the FTP site using an algorithmic process.

A patient discovered the breach when she found portions of her own medical records through a Google search.  The Medical Group then launched an internal investigation and notified state and federal law enforcement authorities.

The State of New Jersey has made it clear that it holds the Medical Group responsible for the breach, even though it was caused by a subcontractor.  The Acting Director of the New Jersey Division of Consumer Affairs stated:

Although it was a third-party vendor that caused this data breach, [Medical Group] is being held accountable because it was their patient data and it was their responsibility to protect it….This enforcement action sends a message to medical practices that having a good handle on your own cybersecurity is not enough.  You must fully vet your vendors for their security as well.

It is no longer sufficient, if it ever was, for a covered entity (or upstream business associate) to rely solely on “satisfactory assurances” obtained pursuant to a written HIPAA business associate agreement that the business associate (or downstream business associate) will appropriately safeguard the health information shared with it.  This settlement clearly signals the need to vet a new vendor’s security practices and to continue ongoing vendor management and oversight during the course of the business relationship.

Venable’s healthcare practice group is continuously monitoring these issues and tracking the latest developments.  Please contact your Venable attorneys with any questions.

On February 28, Ethan Davis, the U.S. Department of Justice’s (DOJ) deputy assistant attorney general responsible for consumer protection, gave a speech discussing the Department’s plans for enforcement of laws governing the marketing of medical products. Mr. Davis highlighted recent DOJ enforcement actions and previewed how the Department intends to approach the issue in the Trump administration. The speech was an important marker of how the current administration will navigate the tension between First Amendment protection for commercial speech and government enforcement in misbranding cases. The message: A renewed emphasis on what may be called “plus factors” and on the “rule of law” does not mean the DOJ will stop pursuing misbranding cases.

For those in the life sciences industry who expected the still-new administration to effect radical change in this always contentious area of enforcement, the speech offered little that was truly new. Now is by no means the time for industry to relax its compliance vigilance.

Click here to continue reading this article written by Venable’s Investigations and White Collar Defense attorneys.

 

Digital health companies continue to forge ahead with plans to delve into the medical cannabis industry, despite uncertainty surrounding the legal status of medical cannabis at the federal level.

On March 1, 2018, Revive Therapeutics Ltd. (“Revive”), a Toronto-based company focused on the research, development, and commercialization of novel cannabinoid solutions, announced that it has entered into a collaboration agreement with Ehave, Inc. (“Ehave”), a California digital healthcare company dedicated to providing the mental health community with digital solutions for treatment. The collaboration will enable enhanced patient and clinical research data management in Revive’s research initiatives involving the use of medical cannabis in the treatment of liver diseases.

The collaboration agreement is said to leverage Ehave’s expertise in health informatics through its “Ehave Connect” platform by integrating the platform’s diagnostic and treatment tools with Revive’s ongoing research initiatives in liver disease. The end product is intended to collect and integrate patient data from clinical systems, licensed health surveys, and Ehave’s own patient- and clinician-reported outcome applications to provide users with an easily navigable, tech-friendly patient management solution.

While digital health innovation continues to prosper, at the federal level the legal status of medical cannabis will soon face uncertainty once again as the Rohrabacher-Blumenauer Amendment (formerly known as the Rohrabacher-Farr Amendment) (“Amendment”) must be re-authorized at the end of this month. In December 2014, Congress passed the original Amendment, which maintains that federal funds allocated to the Department of Justice (“DOJ”) cannot be used to prevent states from “implementing their own state laws that authorize the use, distribution, possession or cultivation of medical marijuana.” H.R. 4660, 113th Cong. § 558 (2014), Public Law 113-235 (December 16, 2014). Because the Amendment was approved as a budgetary measure, it must be explicitly re-authorized by Congress as part of either a continuing resolution or a new fiscal year appropriations bill in order to remain in effect. The Amendment expired temporarily on January 20, 2018 during the government shutdown, but subsequently has been extended approximately eight times; the latest extension occurred on February 9, 2018 as a part of the continuing budget resolutions.

The most recent Amendment extension expires on March 23, 2018. Without its renewal, the medical cannabis industry will face uncertainty regarding the legal status of medical cannabis at the federal level, because Attorney General Jeff Sessions changed DOJ prosecutorial policy on cannabis—medical or otherwise—on January 4, 2018, when he rescinded several Obama-era memoranda, including the memoranda commonly referred to as the “Cole and Ogden Memoranda.” The Cole and Ogden Memoranda had provided that the DOJ would focus its prosecutorial efforts on illegal cannabis activities rather than medical marijuana activities operating under legal state-level programs.

Without the Cole or Ogden Memoranda, the only protection the medical cannabis industry has against potential DOJ prosecution is the Rohrabacher-Blumenauer Amendment. Therefore, only time will tell whether innovative collaborations between digital health and medical cannabis companies will continue to thrive or face potential federal scrutiny under the Trump administration.

 

Under the HIPAA Breach Notification Rule, Covered Entities must report to the Secretary of the U.S. Department of Health and Human Services (HHS) breaches of unsecured protected health information  affecting fewer than 500 individuals (“small breaches”) no later than 60 days after the end of the calendar year in which the breaches were discovered. This year’s small breach reporting deadline is Thursday, March 1, 2018. Covered Entities must submit their reports of small breaches discovered in 2017 electronically on the HHS Office for Civil Rights website (located here) if they have not done so already.

Recent enforcement actions highlight the importance of the timely reporting of small breaches to HHS and impacted individuals. For example, in a resolution agreement announced in 2017, a large healthcare system agreed to settle potential violations of the HIPAA Breach Notification Rule by paying $475,000 and implementing a two-year corrective action plan following one large breach and several small breaches. Moreover, earlier this month, a large kidney dialysis provider entered into a $3.5 million resolution agreement and a two-year corrective action plan with HHS to settle potential HIPAA violations stemming from five separate small breaches. (For more information regarding the settlement with the large dialysis provider, click here.)

Covered Entities should take note of the significance HHS places on timely breach reporting—even for breaches that are “small.”

Late last week, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced a $3.5 million settlement with a large provider of kidney dialysis services (the “Provider”) for multiple violations of the Health Insurance Portability and Accountability Act and its associated regulations (HIPAA).  In early 2013, the Provider filed five separate breach reports for incidents that occurred in 2012 and involved several of its facilities.  These breaches involved, among other things, theft of desktop computers from a medical office, theft of a USB drive from a workforce member’s car, loss of a computer hard drive, and theft of a laptop from a parked car.

As part of its settlement with OCR, the Provider entered into a corrective action plan (CAP) that requires the company to improve its policies and procedures for the protection of patient health information.  The CAP specifically requires the Provider to conduct a thorough, system-wide risk analysis of potential risks to and vulnerabilities of the confidentiality, integrity, and availability of its ePHI; review and revise its policies and procedures, including those concerning device and media controls and facility access controls; and revise and enhance its health privacy training program.

This settlement once again emphasizes the importance of a comprehensive, up-to-date risk analysis.  It also highlights the fact that mobile device privacy and security continue to be important issues for a range of healthcare providers.  Moreover, it is a reminder that OCR can, and does, take interest in smaller breaches.  Each of the five reported breaches affected fewer than 500 individuals.  Contact a member of Venable’s health law team to discuss how your organization can stay ahead of the curve in today’s enforcement environment.

Please find the OCR press release here.

  • Draft guidance documents propose a framework for clinical and patient decision software and explain policy changes driven by 21st Century Cures Act
  • Final guidance document adopts International Medical Device Regulators Forum principles for addressing “clinical evaluation” of Software as Medical Device
  • Public Workshop (January 2018) will discuss progress of pilot precertification program

The FDA’s December 8 announcement of the availability of three new guidance documents, and of a public workshop to be held in January 2018, demonstrates the agency’s commitment to prioritizing the development of digital health software policy. As we previously reported here, Commissioner Gottlieb made it the subject of his first public statement and shortly afterward led the FDA’s rollout of a framework – the Digital Health Innovation Action Plan – for ensuring that its policies enable innovators to efficiently deliver safe and effective digital health technologies to patients and consumers. The publication of these documents and announcement of the workshop fulfill a few of the ambitious promises contained in the agency’s Action Plan.

Continue Reading Regulating at the Speed of Digital: FDA Implementation of Key Aspects of Digital Health Innovation Action Plan Progressing Quickly

No two health care companies are alike, but many face similar challenges when managing their data risk. Many of these challenges arise due to the competing desires with which every modern organization now struggles—one between innovation and growth on the one hand and compliance and legal risk on the other.

Specifically, the following five issues are top of mind:

  1. The tension between data growth and analytics and data minimization;
  2. Handling connected devices and mobile apps;
  3. Creating effective cross-functional privacy and security teams;
  4. The data implications of acquisitions; and
  5. Effective and tiered vendor management.

We discuss these issues and offer practical guidance on each.

Continue Reading Top Five Privacy and Data Security Issues Facing Healthcare Companies

The fast-growing field of digital health is transforming healthcare by bringing together digital communications technology, electronic health information, electronic prescribing, connected medical devices, and telehealth. These technologies are being deployed by healthcare entities ranging from small health tech startups to large, established hospital systems, medical device companies, and other traditional healthcare companies. Telehealth systems are already in use for applications as varied as direct-to-consumer urgent care and remote provider-to-provider consultations for treatment of complex conditions such as strokes or rare genetic diseases. With these exciting new developments comes a new set of regulatory challenges and concerns for companies in the space. This alert provides a brief overview of some of the laws and regulations that may apply to health companies engaging in digital health.

Continue Reading Digital Health Law: What Digital Health Companies Need to Keep in Mind

  • Opens application process and public comment period for precertification pilot program
  • Nine companies to be chosen by September 1, 2017

Last June, FDA Commissioner Scott Gottlieb made his first public statement as Commissioner by announcing the imminent rollout of a new “Digital Health Innovation Plan.” This statement signaled his intent to prioritize the agency’s efforts to create – and clearly articulate – a regulatory regime that promises to “help innovators navigate a new, modern regulatory process” that will efficiently enable the delivery of safe and effective digital health technologies to patients and consumers.

On July 28, FDA formally rolled out its Digital Health Innovation Action Plan, along with a process for companies to apply to participate in one key component: the Software Precertification Pilot Program. The Action Plan describes several concrete deliverables that the agency plans to complete by the first quarter of 2018 to put a “reimagined” regulatory regime for digital health technologies in place. This will include:

Continue Reading FDA Launches Action Plan for Digital Health Regulation