U.S. Senator Schumer Calls for Increased Regulation of Wearable Electronic Devices to Avoid Data Privacy Issues

Reed Smith’s Global Regulatory Enforcement Law Blog features a post on the recent phenomenon of wearable electronic devices and the legal issues that may arise from these gadgets. "Wearable Device Privacy - A Legislative Priority?," written by Reed Smith attorneys Frederick Lah and Khurram Gore, discusses a recent press release issued by U.S. Senator Chuck Schumer of New York expressing concern that personal health data collected by wearable devices and fitness apps, including medical conditions, sleep patterns, calories burned, GPS locations, blood pressure, weight, and more, will be provided to third parties without the user knowing it. Schumer, citing this as a threat to personal privacy, has urged the Federal Trade Commission to mandate that device and app companies provide users with an explicit “opt-out,” allowing them to block the distribution of this information to any third parties.

As the authors note, with the rising popularity of these types of devices, we expect regulators, legislators, and companies to start paying closer attention to the data security and privacy risks associated with their use.

Recent Data Breaches Serve as Warning for Companies to Assess Their Cybersecurity Insurance Coverage

Earlier this week, numerous media outlets reported on the Russian crime ring that had managed to steal more pieces of Internet data than any other group of hackers in history: a collection of at least 1.2 billion user name and password combinations and over 500 million email addresses. The magnitude of data that this group has managed to accumulate, coupled with several other recent high-profile hacking incidents, is a wake-up call for businesses that cybersecurity has become a major contemporary concern. Data breaches are increasing in frequency, severity, and cost, and the potential consequences for an affected company can be devastating.

This trend and its insurance implications are discussed in a client alert by Reed Smith partners Doug Cameron, David Weiss, Andy Moss, and Cristina Shea, who point out that companies must start being proactive with their cybersecurity efforts. Businesses should take the time to assess their current cybersecurity insurance coverage as well as their coverage needs. Cyber-related insurance is an evolving area, so extensive research and consulting with counsel may be necessary before a company can select an insurance policy that maximizes its coverage.
 

Are You Sure Your Company Is "At Home" In All 50 States?

As Jim Beck (of the Drug and Device Law Blog) and Michelle Cheng explain in a recent Washington Legal Foundation Legal Backgrounder, "The Other Shoe Drops on General Jurisdiction: Making the Most of Supreme Court’s Bauman & Goodyear Rulings," corporate defendants might want to think twice before making a general appearance in new cases filed in states other than the states in which they have incorporated or have located their principal place of business.

In short, doing business in all 50 states no longer necessarily subjects a corporation to suit in all 50 states, and International Shoe v. Washington, 326 U.S. 310 (1945) is not the last word on general jurisdiction. Based on the Supreme Court’s 2011 decision in Goodyear Dunlop Tires Operations, S.A. v. Brown, 131 S. Ct. 2846 (2011), and this term’s Daimler AG v. Bauman, 134 S. Ct. 746 (2014), “general” personal jurisdiction has been limited, and should no longer be assumed to support jurisdiction over a non-resident corporation—even one engaged in substantial, continuous and systematic business. These recent decisions establish that general personal jurisdiction can be asserted against corporations only in three limited circumstances: (1) the corporate defendant’s state of incorporation, (2) its principal place of business, or (3) “in an exceptional case” where the corporation’s in-state activities are “so substantial and of such a nature as to render the corporation at home in that State.”

Specific personal jurisdiction may still exist based on corporate activities related to a particular resident plaintiff, but this newly defined general personal jurisdiction standard bodes well for corporate defendants who would like to limit forum shopping but often are forced to litigate in other states against non-resident plaintiffs, merely because their products or services enter the “stream of commerce” within that state. As a result, when new lawsuits are filed by non-resident plaintiffs in states other than the state of incorporation and the state of the principal place of business, corporate defendants may wish to dust off procedural options many have not used for some time, like FRCP 12(b)(2) motions to dismiss for lack of personal jurisdiction, or state court motions to quash.

For more, click here. You can also read about the implications of the Bauman decision as discussed in Jim’s Drug and Device Law blog post.

Was It Worth the Wait? - FDA Releases Two Social Media Guidance Documents for Drug/Device Industry

Earlier this week, the FDA issued two draft guidances on social media, and in this client alert, attorneys Colleen Davies, Celeste Letourneau, Kevin Madagan, and Jennifer Pike have analyzed them both in detail. The first guidance pertains to product claims and risk information on platforms like Twitter and sponsored links, and the second to correcting third-party misinformation that appears in social media, such as in comments on a Facebook page or website.

A key date to keep in mind is that the deadline for comments is September 16, 2014.

To read the client alert, click here.

Law360 Article - U.S. and French Sunshine Laws Present Compliance Challenges for Manufacturers

In “From Sea to Shining Sea: French and US Sunshine Laws,” (Law360 subscription required), Reed Smith attorneys Elizabeth Carder-Thompson and Daniel Kadar discuss recent legislation from both sides of the Atlantic designed to increase the transparency of relationships between drug and medical device manufacturers on one hand and physicians and teaching hospitals on the other. While both the U.S. and French Sunshine Acts are intended to address the same general issue, there are several key differences between the two resulting from the respective environments in which they were passed. In addition to providing an overview of the legislation and its immediate effects, the article also discusses some of the compliance issues that have resulted from these laws, including determination of the extent to which non-U.S. headquartered entities or non-U.S. based physicians are subject to U.S. Sunshine Act requirements, and regulation of the amount, organization, and frequency of data disclosure required under the French Sunshine Act.

French Class Actions: How potentially dangerous will they be?

This post was written by Daniel Kadar

I.
Since the entry into force of the new Law on Consumer Protection of 17 March 2014 – also known as the “Hamon Law” – France now has its own version of a class action, which differs in many ways from its American counterpart.

To prevent what are regarded, on the eastern side of the Atlantic, as the abuses of the American model, the French legislator has hedged this legal action with several limits, which in turn call into question the effectiveness of the mechanism.

II.
Pursuant to article L. 423-1 of the French Consumer Code, officially recognised national consumer protection associations are now allowed to seek damages before the civil courts in order to obtain compensation for the individual and material losses suffered by consumers placed in a similar or identical situation. The harm must have its common cause in a breach, by one or several of the same professionals, of their legal or contractual obligations in the context of a sale of goods or provision of services, or must derive from a breach of competition law.

Therefore, the French class action is restricted in four ways:

  1. Only individuals can obtain compensation through this action, since the Hamon Law, for the first time, also defined the consumer as a natural person acting for non-work-related purposes, thereby excluding legal persons from its scope.
  2. Officially recognised associations of national dimension – only 15 to date – are granted an exclusive right to initiate the proceedings, which places an important limitation on the role of legal counsel in this field, as opposed to the American class action.
  3. These associations can only seek damages to compensate losses resulting from material or financial damage suffered by the consumers. Such a limitation excludes moral harm and physical injuries, which may be of particularly great importance in many cases (sale of defective or spoiled goods, for instance). Punitive damages are also excluded so far.
  4. As its place in the French Consumer Code clearly indicates, the scope of this mechanism is limited to consumer claims. The legislator’s purpose here was to avoid class actions in sensitive areas, such as public health and environmental damage. However, the legislator has inserted an unusual provision according to which the exclusion of health and environmental damages shall be reconsidered within 30 months of the law’s enactment. In fact, discussions have already started with professional health organisations.

III.
The procedure has been broken down into a three-step process:

  • A judgment must find that the conditions for admissibility are fulfilled, rule on the professional’s liability in relation to the individual cases presented by the association, define the group of consumers concerned, and determine which criteria consumers must meet in order to join the group of consumers to whom the professional is liable.
  • The adhesion of consumers to the class action is based on an “opt-in” system: it is subject to a positive expression of the victim’s will. To make the proceeding operational, the judgment must therefore order publicity measures aimed at the consumers most likely to belong to the group. The decision also states by which means consumers may join the group (by approaching the professional directly or through the association), and within what period (no less than two months and no more than six months after the publicity measures are taken).
  • Regarding the effective compensation of the consumers, the judgment must fix the timeframe within which the damages have to be paid by the professional and, in the event of a dispute over payment, the judge is required to rule on it in the same judgment.

When “the identity and the number of consumers having suffered harm are known” and “when these consumers have suffered the same loss, or loss of an identical value for a given service or over a given period of time or duration,” a simplified procedure is provided, through which the judge may rule on the liability and may order the professional to compensate victims directly and individually, within a fixed period.

Class actions related to anticompetitive practices are subject to one further limitation, since a “follow-on” rule applies in those cases: professionals may only be held liable on the basis of a final decision made by the competent national or EU authorities or courts.

Innovative this class action surely is; its numerous safeguards, however, have so far proved to be significant obstacles to its success.

An extension to health-related litigation is to be monitored closely.

OIG Advisory Bulletin Addresses Independent Charity Patient Assistance Program Risks

Patient Assistance Programs (PAPs) provide important help to patients of limited means who do not have insurance coverage for drugs and need assistance covering drug costs, often for chronic illnesses. The Office of the Inspector General (OIG) of the Department of Health and Human Services has now issued an advisory bulletin, dated May 21, 2014, intended to expand existing OIG guidelines related to PAPs, which can give rise to anti-kickback statute issues in some circumstances.

The new advisory bulletin, which is summarized in a client alert by Reed Smith partner Joe Metro and summer associate Peter Vogel, focuses specifically on Independent Charity PAPs. Among the issues discussed are the relationship between donors and Independent Charity PAPs, Independent Charity PAPs’ definitions of disease funds and eligible recipients, and the potential illegality of donor actions in relation to support for their own products. The OIG has stated that it will be working with PAPs that previously received advisory opinions to identify potential changes that could provide some clarity to these issues.

China's Medical Device Regulations Receive Notable Revisions

Significant Revisions to China's Regulations on the Supervision and Administration of Medical Devices (State Council Order No. 650)

China’s State Council released its new Administrative Regulation on the Supervision and Administration of Medical Devices March 7, 2014, which will be effective June 1, 2014 (the New Regulation).

The State Council Legislative Affairs Office worked more than six years revising the predecessor of the New Regulation (the Old Regulation), which had been effective since 2000. The revisions are intended to establish a more efficient and scientific regulatory regime for supervision and administration of medical devices. The New Regulation addresses research and development, clinical trials, product approvals, manufacturing, business operations, sales, and advertising. Generally, the New Regulation moderates the oversight of low-risk medical devices and strengthens the supervision on high-risk devices. The New Regulation, summarized in a full client alert written by Reed Smith attorneys Jay Yan, Gordon Schatz, Mao Rong, and Liu Yang, will have a significant impact on all medical device enterprises.

Revised Administrative Measures on Medical Device Quality – CFDA Seeks Comments by June 15

On May 15, CFDA released its Measures on the Supervision and Administration of the Quality of Medical Devices in Use for public comment. Under the measures, medical device operators will be required to establish a quality management system especially for Class III devices. Features of this proposed system cover the purchase of medical devices, an incoming stock inspection and recording system, an inbound and outbound management system, a daily maintenance and recording system, a quality traceability recording system, a management system for disposable medical devices, and a management system for contracts and technical documents for products. Comments are due to CFDA by June 15, 2014 at: 26 Xuanwumen West Street, Beijing, China 100053, and email: xuxy@sda.gov.cn. The proposal can be viewed here.

The French Sunshine Act: Towards simplification and new deadlines?

This post was written by Daniel Kadar

Similar to the U.S. Sunshine Act (as has been explored before on this blog), the French Sunshine Act (“Loi Bertrand”) made mandatory the publication of benefits (in kind or in cash) granted by pharmaceutical laboratories to health professionals, as soon as they reach a certain amount.

An implementing decree published 21 May 2013 set out its conditions in detail, and was quickly followed, in December, by a second regulatory text regarding the single website on which those benefits are supposed to be published.

Nevertheless, this body of rules might be amended again soon, with a new draft order released recently by the Ministry of Social Affairs and Healthcare. In view of the modifications it proposes, the regulation of these issues seems to be moving in three different directions:

  1. Simplification in both the form and substance of the applicable regulation, which concerns, essentially, the health care providers (HCPs) whose agreement(s) with a health care company have to be published: the new text will simply refer to the current article L.1453-1 of the French Public Health Code, which provides a list substantially similar to the existing one. It also plans to remove some of the information the laboratories are required to make public (qualification, title, college register number, event’s schedule…). In other words, same substance but less detail. It is important to keep in mind that the amount of the payments made to HCPs under these agreements does not need to be disclosed under French law.
  2. Regarding the website where the declaration of interests is to be made, the Sunshine Act provides that personal data of the HCPs (data that would allow, according to EU regulation, the identification of HCPs either directly or indirectly) is to be protected against indexing by search engines. The draft order reduces the scope of such protection, maintaining only the protection of “directly identifying data” against this type of indexing.
  3. Last but not least, the main purpose of the draft is obviously to change the schedule initially set up for declaring the benefits and the agreements: it removes the existing 15-day deadline after the signature of the agreement and introduces a twice-yearly schedule. The draft order goes even further by postponing the declarations regarding the benefits granted in 2012 and 2013 to August 2015, and their publication on the single website to October 2015. In the meantime, rules are being drafted to organize publication on the companies’ own websites.

Setting up the new transparency requirements in France obviously takes more time than expected…

California AG's Guidance on California Online Privacy Protection Act

The California Attorney General, Kamala D. Harris, has issued a long-awaited guide on how companies can comply with the California Online Privacy Protection Act (CalOPPA). CalOPPA applies to all companies that collect personally identifiable information from California residents online, regardless of whether that information is collected via a commercial website or a mobile application. This far-reaching statute requires virtually every company with an online presence in California, including drug and device companies, to have a company-drafted privacy policy that conforms with its guidelines.

The Attorney General’s guide, entitled “Making Your Privacy Practices Public,” can be found here. It provides specific recommendations on how businesses are to comply with CalOPPA’s requirements to disclose and comply with a company-drafted privacy policy. CalOPPA was recently amended to include information on how the website operator responds to Do Not Track signals or similar mechanisms. The law also requires company privacy policies to state whether third parties can collect personally identifiable information about the site’s users.

Reed Smith attorneys Lisa Kim, Paul Cho, and Divonne Smoyer have written a client alert summarizing the recommendations made by the Attorney General in this guide. To read the alert, click here.

OIG Proposes Amendment of Health Care Program Civil Monetary Penalty Regulations

The Office of Inspector General (OIG) of the Department of Health and Human Services has issued a proposed rule that would institute several changes to the health care program civil monetary penalty (CMP) regulations. Under the proposed rule, which is analyzed in a client alert prepared by Reed Smith lawyers Paul Pitts, Joe Metro, and Susan Edwards, the OIG would have the expanded authority to enforce significant CMPs on providers and suppliers in a variety of scenarios.

In addition, the rule proposes a reorganization and clarification of current CMP regulations, including the methods used to determine when and how a CMP should be issued and how a CMP should be calculated. The OIG estimates that enforcement of the proposed rule would result in an increase in CMP collections by the government. Comments on the rule are due by July 11, 2014.

Closing Time: Considerations and Hurdles in Completing Pennsylvania-Based Health Care Transactions

The health care industry has seen a recent shift towards consolidation, driven in part by legislation such as the Patient Protection and Affordable Care Act which encourages integration within the industry. As a result, health care entities are increasingly considering opportunities to merge with or acquire other companies. While this can be an exciting prospect for many organizations, the health care industry’s high level of both federal and state regulation has resulted in a myriad of potential legal issues that can stand in the way of a successful transaction. In particular, there are a number of regulatory hurdles that must be cleared in the state of Pennsylvania before a health care transaction can take place.

To address many of the potential issues that deal counsel must consider when involved in health care transactions in Pennsylvania, Reed Smith attorneys Karl Thallner and Zach Portin authored “Seal the Deal: Health Care Mergers and Acquisitions in Pennsylvania,” which was published in the April 2014 edition of the Pennsylvania Bar Association Quarterly. The article addresses a wide range of topics, including review by the state attorney general’s office and the Orphans’ Court; regulatory approvals at both the federal and state level; antitrust; the corporate practice of medicine doctrine; fiduciary duties; and other various matters for consideration.

Exclusion Rules For Those Who Receive Funds From Federal Health Care Programs May Get Even More Complicated

The Office of Inspector General (OIG) of the Department of Health and Human Services identifies the underlying purpose of its exclusion authority as protecting federal health care programs and their beneficiaries from “untrustworthy health care providers, i.e., individuals and entities who pose a risk to program beneficiaries or the integrity of these programs.” The OIG has now published a new proposed rule that would greatly expand the bases upon which it could affirmatively exclude an individual or entity from participation in federal health care programs, and Reed Smith lawyers Carol Loepere, Elizabeth Carder-Thompson, Scot Hasselman, Katie Hurley, and Erin Atkins have prepared a full summary of this proposed rule.

In particular, this summary examines the OIG’s position that no statute of limitations should apply to when it may seek exclusion, a position that matters because limitless look-back authority could place a tremendous burden on providers and suppliers if their conduct and compliance efforts are second-guessed many years into the future, when supporting documentation and witnesses are long gone. The proposed rule also revises relevant definitions, provides new grounds for exclusion, and proposes procedures for early reinstatement, among other things. It is a by-product of provisions of the Affordable Care Act, which expanded the OIG’s exclusion authority and allowed for testimonial subpoenas in investigations of exclusion cases.

Navigating the Complicated, Yet Rewarding, World of Social Media

The social media phenomenon has radically transformed the ways in which commercial businesses promote their services and products. However, as a result, companies must consider potential legal risks from an entirely new angle. To become a successful user of social media, a company must draft, review, disseminate and enforce a social media policy that addresses potential legal issues while at the same time emphasizing positive exposure for the business.

For more information on how your business can utilize social media to maximum effect while remaining compliant with legal guidelines, see Reed Smith’s newly published Third Edition of its white paper on social media, “Network Interference: A Legal Guide to the Commercial Risks and Rewards of the Social Media Phenomenon (3rd Edition).” This updated guide now covers practical, action-oriented guidelines on the state of the law in both the United States and Europe, and is an invaluable resource for companies navigating the social media world.

Recent OCR Enforcement Activities Cause Serious Case of Déjà Vu: Theft of Unencrypted Laptops Leads to Two Separate HIPAA Settlements

This post was written by Brad Rostolsky, Nan Bonifant and Jillian Riley

We have heard this story before: an unencrypted laptop containing electronic protected health information (ePHI) is stolen. The covered entity’s subsequent breach self-report triggers not only an incident investigation by the Department of Health and Human Services, Office for Civil Rights (OCR), but a de facto HIPAA compliance audit as well. While the covered entities involved change, the consequences and enforcement message remain the same.

Now, two more covered entities have settled potential violations of the HIPAA Privacy and Security Rules arising from the theft of unencrypted laptops by paying a total of $1,975,220, and agreeing to continued oversight by OCR through Corrective Action Plans (CAPs). In both instances, the breaches were self-reported and the settlements resulted from OCR’s subsequent investigations.

On December 28, 2011, Concentra Health Services (Concentra), a national health care provider and subsidiary of Humana Inc., reported to OCR that an unencrypted laptop was stolen from one of its facilities. OCR’s subsequent investigation revealed that while Concentra previously recognized that a lack of encryption on laptops, desktops, medical equipment, and tablets presented a critical risk to ePHI, Concentra failed to fully implement necessary steps to address those vulnerabilities. OCR’s investigation further found that Concentra had insufficient security management processes in place to ensure proper safeguarding of patient information. Concentra paid OCR $1,725,220 to resolve these alleged HIPAA violations and will adopt a CAP to evidence their remediation efforts.

The second settlement, which resulted in a $250,000 payment to OCR, stemmed from the theft of an unencrypted laptop from an employee’s car on October 8, 2011. The laptop, belonging to a workforce member of QCA Health Plan, Inc. of Arkansas (QCA), contained the ePHI of 148 individuals. While QCA instituted company-wide device encryption following discovery of the breach, OCR’s subsequent investigation revealed that QCA had failed to comply with multiple requirements of the HIPAA Security Rule, beginning from the Rule’s compliance date in April 2005. In addition to the monetary settlement amount, QCA agreed to provide HHS with an updated risk analysis and corresponding risk management plan that includes specific security measures to reduce the risks to, and vulnerabilities of, its ePHI. QCA also agreed to retrain its workforce and document its ongoing compliance efforts.

Unfortunately, as portable devices proliferate in the health care industry, the question for most covered entities is not if a laptop or mobile device will be stolen, but when. Encryption not only provides a safe harbor under the Breach Notification Rule, but has also become a practical necessity for HIPAA compliance. Failure to address encryption of portable devices in Security Rule risk analyses and, in most cases, failure to implement some form of encryption will continue to expose covered entities (as well as business associates) to significant compliance risk.

Additional information about OCR’s enforcement activities can be found at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html.