Recent OCR Enforcement Activities Cause Serious Case of Déjà Vu: Theft of Unencrypted Laptops Leads to Two Separate HIPAA Settlements

This post was written by Brad Rostolsky, Nan Bonifant and Jillian Riley

We have heard this story before: unencrypted laptop containing electronic protected health information (ePHI) is stolen. The covered entity’s subsequent breach self-report triggers not only an incident investigation by the Department of Health and Human Services, Office for Civil Rights (OCR), but a de facto HIPAA compliance audit as well. While the covered entities involved change, the consequences and enforcement message remain the same.

Now, two more covered entities have settled potential violations of the HIPAA Privacy and Security Rules arising from the theft of unencrypted laptops by paying a total of $1,975,220, and agreeing to continued oversight by OCR through Corrective Action Plans (CAPs). In both instances, the breaches were self-reported and the settlements resulted from OCR’s subsequent investigations.

On December 28, 2011, Concentra Health Services (Concentra), a national health care provider and subsidiary of Humana Inc., reported to OCR that an unencrypted laptop was stolen from one of its facilities. OCR’s subsequent investigation revealed that while Concentra previously recognized that a lack of encryption on laptops, desktops, medical equipment, and tablets presented a critical risk to ePHI, Concentra failed to fully implement necessary steps to address those vulnerabilities. OCR’s investigation further found that Concentra had insufficient security management processes in place to ensure proper safeguarding of patient information. Concentra paid OCR $1,725,220 to resolve these alleged HIPAA violations and will adopt a CAP to evidence its remediation efforts.

The second settlement, which resulted in a $250,000 payment to OCR, stemmed from the theft of an unencrypted laptop from an employee’s car on October 8, 2011. The laptop, belonging to a workforce member of QCA Health Plan, Inc. of Arkansas (QCA), contained the ePHI of 148 individuals. While QCA instituted company-wide device encryption following discovery of the breach, OCR’s subsequent investigation revealed that QCA had failed to comply with multiple requirements of the HIPAA Security Rule, beginning from the Rule’s compliance date in April 2005. In addition to the monetary settlement amount, QCA agreed to provide HHS with an updated risk analysis and corresponding risk management plan that includes specific security measures to reduce risks and vulnerabilities to its ePHI. QCA also agreed to retrain its workforce and document its ongoing compliance efforts.

Unfortunately, as the proliferation of portable devices in the health care industry increases, the question for most covered entities is not if a laptop or mobile device will be stolen, but when. Encryption not only provides a safe harbor under the Breach Notification Rule, but it has also become a practical necessity to HIPAA compliance. Failure to address encryption of portable devices in Security Rule risk analyses and, in most cases, failure to implement some form of encryption, will continue to expose covered entities (as well as business associates) to significant compliance risk.

Additional information about OCR’s enforcement activities can be found at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html.

County Governments Not Immune From HIPAA Enforcement: OCR Announces $215,000 Settlement with Skagit County, Washington

This post was written by Brad Rostolsky, Nan Bonifant, and Jen Pike

On March 7, 2014, the HHS Office for Civil Rights (“OCR”) announced its first settlement and corrective action plan with a county government. Skagit County in northwest Washington State has agreed to pay $215,000 to settle potential violations of the HIPAA Privacy, Security and Breach Notification Rules.

According to Susan McAndrew, deputy director of health information privacy at OCR, “this case marks the first settlement with a county government and sends a strong message about the importance of HIPAA compliance to local and county governments, regardless of size.” Generally, local and county governments are subject to HIPAA because certain departments within the government are involved in the provision of or payment for health care services. The Skagit County Public Health Department provides essential services to many individuals who would otherwise not be able to afford health care. Importantly, a single legal entity whose business activities include both HIPAA covered and non-covered services (like a county government) may designate itself as a “hybrid entity” by identifying its “health care components.” This designation, however, must be formally documented in the entity’s policies and procedures. Most of the requirements of the Privacy, Security and Breach Notification Rules apply only to the hybrid entity’s health care components.

OCR began investigating Skagit County following a breach self-report notifying OCR that the electronic protected health information (“ePHI”) of seven individuals receiving services from the Skagit County Public Health Department was posted on a publicly available server maintained by the county and accessed by unknown parties. The investigation revealed that the ePHI of not just seven – but 1,581 – individuals was made available on the public server. The ePHI, which could be accessed through a simple Google search, included highly sensitive information, such as the testing and treatment of infectious diseases. OCR’s investigation further revealed Skagit County’s general and widespread non-compliance with the HIPAA Privacy, Security and Breach Notification Rules, including a failure to implement sufficient policies and procedures.

In addition to the $215,000 settlement, the Resolution Agreement between Skagit County and OCR included a corrective action plan (“CAP”) that requires Skagit County to, among other things, (1) provide substitute breach notification to affected individuals not previously notified; (2) create and revise written policies and procedures to comply with HIPAA; and (3) submit for OCR’s review and approval hybrid entity documents designating the county’s covered health care components. The CAP also requires Skagit County to provide regular status updates to OCR, which will work closely with the county to correct deficiencies.

While OCR marks this settlement as the first with a county government, it is not the first for a public entity. In June 2012, the Alaska Department of Health and Social Services agreed to pay $1.7 million to settle possible violations of the Security Rule. Notably, both of these enforcement actions, and most actions since 2012, have resulted from a breach self-report used by OCR as an opportunity to conduct a de facto audit of the entity’s general HIPAA compliance. Whether this enforcement trend will continue will likely depend upon the scope (and, perhaps more importantly, the funding) of OCR’s second round of statutorily required audits of covered entities and business associates. Regardless, given the environment of increased OCR enforcement, regulated entities should ensure, at a minimum, that they have implemented the basic elements of HIPAA compliance—performance of a Security Rule risk analysis, implementation of sufficient policies and procedures (including documentation of any hybrid entity designation), and adequate training of workforce members.

Additional information about OCR’s enforcement activities can be found at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html.

Don't Forget: FDA Frequents Facebook

This post was written by Jillian Riley and Kevin Madagan

In only the second Untitled Letter of the year, FDA’s Office of Prescription Drug Promotion warned a Swiss drug company about statements the company made on its Facebook page. Notably, FDA became aware of the company’s Facebook promotion through its own monitoring and surveillance program.

The alleged violations themselves were straightforward and similar to more traditional advertising actions: failure to include risk information and omission of material facts. What makes this letter interesting is that the activity occurred on a social network. On its Facebook page, the company suggested consumers talk to their doctor if they have been diagnosed with the condition for which the drug at issue is indicated. Nowhere on the page did the company warn consumers about the risks associated with the product – risks serious enough to require a boxed warning on the label. Neither did the company include any discussion about limitations of the drug’s use. FDA requested the company immediately cease this promotional activity – and the company has complied. The Facebook page at issue is no longer active.

The takeaway here is to remember that FDA’s advertising and promotion rules apply regardless of how or where you promote your product.  You must assume that all activity on social media networks, including Facebook and others, will be scrutinized by the FDA.

EU Research Group Condemns EU Regulation for Restricting Growth in Life Sciences Sector; NHS Advocates Selling Confidential Patient Data For Secondary Purposes

Reed Smith’s Global Regulatory Enforcement Law blog features two posts of interest to those in the life sciences industry, both written by Reed Smith partner Cynthia O’Donoghue. “EU Research Group Condemns EU Regulation for Restricting Growth in Life Sciences Sector” discusses the opposition of a lobbying group, led by the Wellcome Trust, to amendments to the proposed General Data Protection Regulation – amendments that they believe could severely inhibit future growth of the life sciences sector in the European Union. “NHS Advocates Selling Confidential Patient Data For Secondary Purposes” discusses the criticism of the UK’s Health and Social Care Information Centre and NHS England’s new initiative known as ‘care.data,' which involves the extraction, anonymization, and aggregation of patient data from GP practices in a central database for sale to third parties such as drug and insurance companies.

Final Rule Gives Patients a New Right under HIPAA to Access Completed Test Reports Directly from Labs

This post was written by Nan Bonifant, Brad Rostolsky, and John Wyand

On February 6, 2014, the U.S. Department of Health & Human Services’ (HHS) Centers for Medicare & Medicaid Services (CMS), Centers for Disease Control and Prevention (CDC), and Office for Civil Rights jointly published a final rule amending the HIPAA Privacy Rule and the Clinical Laboratory Improvement Amendments of 1988 (CLIA) regulations to provide patients with direct access to laboratory test reports. HHS believes that a right to access these test reports under HIPAA is crucial to provide patients with vital information to empower them to better manage their health and take action to prevent and control disease. The amendments to both regulations become effective April 7, 2014, and HIPAA-covered laboratories must comply with the new right by October 6, 2014.

Under the currently enforced Privacy Rule, a patient’s right to access his or her protected health information (PHI) is limited with respect to PHI maintained by a CLIA laboratory or a CLIA-exempt laboratory. This limitation was included in the Privacy Rule because the existing CLIA regulations may prohibit such laboratories from disclosing this information. Currently, a CLIA laboratory may only disclose laboratory test results to three categories of individuals or entities: (1) the “authorized person,” (2) the health care provider who will use the test results for treatment purposes, and (3) the laboratory that initially requested the test. An “authorized person” is the individual authorized under state law to order or receive test results. If a state does not authorize patients to receive their test results, the patients must receive this information from their health care providers.

The final rule modifies the CLIA regulations to allow laboratories subject to CLIA, upon the request of a patient (or the patient’s personal representative), to provide access to completed test reports that – using the laboratory’s authentication process – can be identified as belonging to that patient. With respect to the Privacy Rule, the final rule removes the exceptions to a patient’s right of access related to CLIA and CLIA-exempt laboratories. Therefore, as of October 6, 2014, HIPAA-covered laboratories will be required to provide a patient or his or her personal representative with access, upon request, to the patient’s completed test reports, as well as to other PHI maintained in a designated record set. For purposes of the final rule, test reports are not part of a designated record set until they are “complete.” A test report is considered complete when all results associated with an ordered test are finalized and ready for release. These changes to the Privacy Rule preempt any contrary state laws that prohibit a HIPAA-covered laboratory from providing patients direct access to their completed test results.

In order to comply with the amended Privacy Rule, HIPAA-covered laboratories should develop and implement a policy and procedure to receive and respond to patient requests. Processing a request for a test report, either manually or electronically, will require completion of the following steps: (1) receipt of the request from the individual; (2) authentication of the identification of the individual; (3) retrieval of test reports; (4) verification of how and where the individual wants the test report to be delivered and provision of the report by mail, fax, email or other electronic means; and (5) documentation of test report issuance. Additionally, HIPAA-covered laboratories must revise their notice of privacy practices to inform patients of their right to access completed test reports, including a brief description of how to exercise the right, and removing any statements to the contrary.

This amendment to the regulations is consistent with OCR’s focus on improving patients’ rights under the Privacy Rule, and represents another important aspect of policy change and documentation efforts for HIPAA-covered entity providers.

China Issues New Regulations Prohibiting Commercial Bribery in the Health Care Industry

This post was written by John Tan, Amy Yang, and Crystal Xu.

In late December, China’s National Health and Family Planning Commission (NHFPC), the successor organization to the Ministry of Health, issued two sets of anti-corruption regulations for the health care industry: the 2013 Regulations on the Establishment of a Commercial Bribery Blacklist for the Purchase and Sale of Medicines (关于建立医药购销领域商业贿赂不良记录的规定) (2013 Blacklist Regulations), and The 9 Prohibitions for Building a Healthy Medical Industry (加强医疗卫生行风建设"九不准") (The 9 Prohibitions). The 2013 Blacklist Regulations target pharmaceutical and medical device manufacturers and distributors. These regulations revise and update earlier blacklist regulations issued in 2007 (2007 Blacklist Regulations). In contrast, The 9 Prohibitions focus on health care providers and institutions, providing general principles for eliminating corruption in the Chinese health care industry.

These new regulations are part of the Chinese government’s ongoing focus on corruption in the health care industry, and significantly increase the risks faced by pharmaceutical and medical device manufacturers and distributors.

Blacklist Regulations

The 2013 Blacklist Regulations maintain the 2007 Blacklist Regulations’ system of provincial blacklists for pharmaceutical and medical device manufacturers and distributors who are found to have engaged in commercial bribery based on any of the following criteria:

  • A judicial finding of guilt, even if the offense was so minor that a fine or other penalty did not need to be imposed
  • The bribery was so minor that the People’s Procuratorate decided not to bring criminal charges
  • Communist Party disciplinary agencies investigated and imposed discipline for bribery
  • An administrative punishment for bribery was imposed by the Treasury Department, the Administration for Industry and Commerce (AIC), the China Food and Drug Administration (CFDA) or other administrative agency; or
  • Other evidence as determined by relevant laws and regulations

Although these criteria are the same as under the 2007 Blacklist Regulations, there are a number of new developments under the 2013 regulations.

National Publication

The 2007 Blacklist Regulations called for blacklists to be maintained by each province’s local health authorities. In practice, implementation was sporadic, with many provinces never publishing a blacklist. Although the 2013 Blacklist Regulations maintain the provincial blacklist system, they call for each province to report the contents of its blacklist to the NHFPC, which will publish a national blacklist on its website.

National Punishment

Under the 2007 Blacklist Regulations, manufacturers or distributors who were blacklisted in a province could not sell to public health care entities, e.g., government-run hospitals, in that province for two years. The 2013 Blacklist Regulations maintain this prohibition, and further provide that companies that are blacklisted in any province will receive less consideration when bidding to supply public health care entities in other provinces nationwide for two years after blacklisting.

Repeat Offenders

The 2013 Blacklist Regulations contain new penalty provisions indicating that companies that are blacklisted twice in five years will be subject to a two-year nationwide ban on procurement by public health care entities.

Integrity Agreements

The 2013 Blacklist Regulations contain a new requirement that when health care entities contract with manufacturers or distributors for the purchase of pharmaceuticals or medical devices, they should also sign an "ethical sales contract," which will list the names of relevant sales representatives and contain anti-bribery language.

Detailed Listing

The 2013 Blacklist Regulations contain new, detailed requirements for the information that will be published as part of the blacklist, including the name of the manufacturer or distributor; its place of business; the name and title of the legal representative or person responsible; the reason for listing; documents relating to the finding of commercial bribery; and the duration of listing.

The 2013 Blacklist Regulations are part of an increased focus on eradicating corruption in the Chinese health care industry. In recent years, the Chinese government has issued the Regulations on Centralized Procurement of Pharmaceuticals by Medical Institutions (医疗机构药品集中采购工作规范) in 2010; the Trial Regulations on Centralized Procurement of High Value Consumable Medical Supplies (高值医用耗材集中采购工作规范(试行)) in 2012; the Trial Regulations on Centralized Procurement of Large Scale Medical Equipment (甲类大型医用设备集中采购工作规范(试行)) in 2012; and the Ministry of Health Guidance on Strengthening Anti-Bribery Control at Public Medical Institutions (卫生部、国家中医药管理局关于加强公立医疗机构廉洁风险防控的指导意见), also in 2012 – all of which contain similar blacklisting provisions for commercial bribery, as well as procurement-specific provisions for blacklisting companies that provide falsified bidding documentation, etc.

The 9 Prohibitions

The 9 Prohibitions prohibit bribery, re-emphasize existing PRC regulations on donations to hospitals, and prohibit linking doctors’ income with prescriptions or medical tests. The 9 Prohibitions also forbid health care professionals from providing statistics about the use of pharmaceuticals or medical devices to manufacturers’ sales representatives. Where the 2013 Blacklist Regulations focus on medical manufacturers and distributors, The 9 Prohibitions primarily focus on health care professionals and institutions, although they instruct local officials to create commercial bribery blacklists as well.

Just as the 2013 Blacklist Regulations follow on earlier regulations, The 9 Prohibitions are not entirely new, but follow on the Health Care Professionals’ Code of Conduct (医疗机构从业人员行为规范), published in June 2012, and other similar regulations.

China's Life Sciences Regulatory Crackdown: September 10 Update

The regulatory enforcement environment in China remains tense, as both the Chinese government and media bring new actions and allegations against life sciences manufacturers in both the pharmaceutical and device sectors. We are seeing:

  • Increased attention to medical device sector
  • Enforcement actions spreading to smaller cities
  • Continued pressure on pharmaceutical sector
  • Reports of misconduct by local manufacturers
  • Questionable vendors named

Reed Smith continues to monitor the life sciences regulatory and media environment in China and has prepared a summary of recent developments. For additional information, please contact Reed Smith lawyer John Tan at jtan@reedsmith.com.

China: Life Sciences Regulatory Crackdown Spreads to Medical Device Sector

This post was written by John Tan and Crystal Xu.

On August 15, 2013, the local Beijing office of the Ministry of Health (MOH) of the People's Republic of China announced that it has started a three-month review of the use of high-value medical consumables and large-scale medical equipment in Beijing. In its announcement, the Beijing MOH noted that prior inspections of hospitals had found continuing problems with the misuse and overuse of medical devices to increase profits. The investigation is intended to strengthen hospitals’ management of the use of medical devices and to regulate the use of high-value medical consumables.

In addition to this investigation, the Beijing MOH will also develop a database that will track the price and model of devices implanted in each patient, require hospitals to improve their purchasing management systems, and conduct periodic inspections of hospitals’ purchasing and management of medical consumables.

This latest investigation follows on increased regulatory enforcement actions throughout China's life sciences industry. In the last two months, there have been criminal and administrative enforcement actions targeting the pharmaceutical sector and a pricing investigation by the National Development and Reform Commission (NDRC) into the infant formula sector that culminated in the largest fine in the history of China's enforcement of its anti-monopoly law. The NDRC is also conducting an ongoing investigation of pharmaceutical industry pricing practices and considering systemic revisions to China's drug pricing system. Additionally, on August 14, 2013 the State Administration for Industry and Commerce (SAIC) announced a new three-month-long investigation into the pharmaceutical and medical services sectors, targeting bribery, fraud and anti-competitive practices.

The August 15th announcement by the Beijing MOH appears to signal the first recent enforcement action to specifically target the medical device sector.

In the run up to these enforcement actions, Chinese authorities issued a number of administrative regulations targeting the life sciences industry, including a new code of conduct for HCPs, and new guidance on strengthening anti-bribery controls in public medical institutions. Authorities also issued regulations on the centralized purchasing of medical consumables and large scale medical equipment containing provisions that would exclude companies found to have engaged in commercial bribery from participation in centralized purchasing.

At the end of 2012, China's Supreme People's Court, in conjunction with the Supreme People's Procuratorate, issued a new judicial interpretation of China's criminal law prohibiting bribery. This interpretation was widely viewed as signaling a new emphasis by Chinese authorities on prosecuting not just officials who accept bribes, but those who pay bribes as well.

Affordable Care Act and the Post-Election Implications for Radiology

This post was written by Thomas W. Greeson and Paul W. Pitts.

As the dust settles from Tuesday’s election, pundits and prognosticators are predicting the future of the world based on highly charged and deeply polarized perspectives. Those predictions are sweeping in scope and many we have seen tend toward dire scenarios - even for the diagnostic imaging industry. The more prudent course is to step back for a moment and assess the situation in a more pragmatic and dispassionate way. With this in mind, we wanted to take this opportunity to describe what we expect to see as health reform efforts continue.

In planning for the future, it is vital to take into account that there are things we know for certain, things that are unknown at the moment and things that are simply unknowable. We have to do planning, preparation and decision making taking those factors into consideration. In every situation where change happens (and change happens constantly) there are threats and opportunities. Often we miss the opportunities because we are so focused on the loss of the known and familiar. The well-known adage, “Success is where preparation meets opportunity” applies here. The radiology practice that carefully considers how to position itself for a future that has not fully revealed itself is more likely to be ready to seize the opportunities that come with change.

The Affordable Care Act is here to stay as a result of President Obama’s reelection. Even if Governor Romney had been elected, changes to the health system were inevitable. In some markets, accountability, transparency and greater integration are being driven as much by commercial payers as by the government. We don’t expect everyone to agree with the following comments, but this is how we see the short and mid-term time horizon:

  • Continuing Integration. CMS will continue to foster integration efforts via its shared savings program that calls for creation of accountable care organizations (ACOs) to coordinate care, encourage use of evidence-based measures, reduce costs and achieve better outcomes for patients. Many of you practice in hospitals that want to be the drivers of ACOs and other integrated delivery systems. Although these organizations are centered around primary care providers, imaging is a necessary component of any ACO’s portfolio of services. The prudent group will try to find some way to “be at the table” to help shape the governance, appropriateness of the imaging service and especially, to shape the compensation model. While we expect these integration efforts to continue, we do not believe that employment by hospitals is the necessary fate of most radiologists. We feel it is critical for the group culture of radiologists to endure to allow radiologists to determine selection and retention of radiologists, scheduling of services and the compensation of individual radiologists. Employment is not necessary to achieve that group role. A carefully drawn contractual agreement can address a health system’s desire for integration while preserving the independence of a radiology practice. CMS requires all ACOs to be legal entities. Many radiology groups may want to consider taking an investment interest in the legal entity organized to operate as the ACO and strive to have key governance and committee roles in those organizations.
  • The Value Proposition. The challenge for the specialty may be a contest between commoditization of the professional services via teleradiology and the local delivery of those same services. The groups that succeed in offering a viable alternative to cost-based marketing of radiology services will learn to sell the value proposition for their services locally. Technology will play a key role, but so will the willingness of radiologists to truly offer consultative services that will be valued by local referring physicians, hospital administrators and payers. Radiologists can be the gatekeepers for appropriate care. There is a need for your role in controlling appropriateness and overall imaging costs in a manner that complies with the fraud and abuse laws and rules governing participation in Medicare.
  • Ventures. The efficiency and patient preference for free standing imaging is unlikely to change. It is even more likely, however, that such free standing facilities will be part of the offerings of an integrated delivery system. Hospitals will likely have some ownership in an increasing percentage of the outpatient imaging that is delivered in this country. Not all of those facilities will be provider based. It is incumbent, therefore, that radiologists understand the Medicare enrollment rules and the options that are available as they work with their hospitals in organizing free standing imaging services. Here again, we recommend that radiologists work to “be at the table” and strive for ownership and participation in the governance and management of these facilities.
  • Regulatory Awareness. The government is likely to double down in its enforcement activities. Radiologists operate under a complex set of rules and guidelines. Radiology groups will have to remain vigilant to understand the rules that govern how your services are ordered, delivered and billed for Medicare patients. We anticipate those rules could apply to the delivery of certain non-Medicare patients as well.
  • Antitrust and Competition. As health systems continue their efforts to control costs through integration of all stages of care, we foresee greater competition in delivery of imaging services in the future and more disputes regarding whether health systems and large practices misuse their market power.
  • Curtailment of Self-Referral. After more than two decades of radiologists’ advocacy for retrenchment of self-referral, the regulatory climate appears more favorable than ever toward a roll back of in-office imaging. Both governmental and private payers appear now to perceive how the conflicts of interest caused by referral to a physician’s own imaging services are a driver in increased health care costs. The report of the General Accountability Office released last month contained specific policy suggestions for curbing self-referral. As payers adopt various strategies for steering patients away from centers that are higher priced and high utilizers of imaging services, centers owned and operated by radiologists or by radiologists and hospitals are likely to be very competitive in many markets.

Bottom line, we believe that the groups that prepare for these changes, and look for opportunities as a result of these changes, will not only survive but can thrive in the health care delivery system that will emerge.
 

Increased Scrutiny for the 510(k) Process

This post was written by Michelle Lyu Cheng.

On November 14, 2011, the Senate Health, Education, Labor and Pensions Committee held a hearing called "Medical Devices: Protecting Patients and Promoting Innovation." The hearing focused on the continued viability of a medical device clearance process that clears medical devices for market when they are "substantially equivalent" to previously cleared devices (also known as the "510(k) process," in reference to the statutory provision governing this process). Class III medical devices not cleared through this process must undergo the more rigorous and time-consuming Premarket Approval process. Among the issues considered were whether the 510(k) process sufficiently evaluated the safety of devices when clinical data is not necessarily always considered or part of the submission; whether high-risk medical devices should always be considered for the 510(k) process; the user fees for medical device applications; strengthening post-approval monitoring requirements; and the resources and needs for the FDA and the Center of Devices and Radiological Health (CDRH) in reviewing, clearing and approving medical devices.

Testifying witnesses before the panel were as follows: Jeffrey Shuren, Director of the CDRH of the Food and Drug Administration; Ralph Hall, Professor of Practice, University of Minnesota, Minneapolis; David R. Challoner, M.D., Vice President (emeritus) of Health Affairs, University of Florida, and Chair, IOM Committee on the Public Health Effectiveness of the FDA 510(k) Clearance Process, Gainesville, Fla.; and Gregory Curfman, M.D., Executive Editor, New England Journal of Medicine, Boston. 

The first discussion panel centered on Dr. Shuren and his work with CDRH. In late 2009, the CDRH initiated a review of the 510(k) process, among others, and in 2010, released two reports concluding that the FDA had not managed its premarket programs sufficiently, with the most dire problem being unpredictability in the 510(k) and other premarket processes. This led to other increases in costs to the industry and delays in bringing innovation to the market. The root causes were determined to be the lack of personnel resources in CDRH, as compared with the center for drugs and biologics, insufficient reviewer training, insufficient managers and frontline reviewers, rapidly growing workload caused by increased complexity of devices and number of admissions, insufficient guidance for FDA, and poorly drafted submissions by the industry. In 2011, Dr. Shuren testified that concrete steps for improving the transparency, predictability and consistency of the premarket programs were outlined and evaluated. The Committee members generally focused on the sufficiency of CDRH/FDA's resources and an increase in review times for both the 510(k) and the Premarket Approval processes. One suggestion from Sen. Harkin (D-Iowa) was that the user fees for these submissions should be increased, although later it was conceded that the optimal solution would be if the FDA was independently funded. 

The second discussion panel with Mr. Hall and Drs. Challoner and Curfman focused on the 510(k) process and the National Academies of Science, Institute of Medicine (IoM) report that heavily criticized the 510(k) process. Mr. Hall started first, outlining that the drug and medical device sectors are very different, including because medical device development is an iterative process that builds upon previously created devices, and clinical testing is not necessarily an optimal or feasible method of measuring safety and effectiveness for medical devices compared with drugs. In response to Sen. Harkin's question about 510(k) devices bearing little resemblance to each of its predicate devices that may compromise patient safety, Mr. Hall noted the FDA has resources and regulatory powers at its disposal to satisfy itself for any issues relating to safety and effectiveness. Mr. Hall also stated in response to Sen. Blumenthal's (D-Conn.) question that post-market surveillance should be improved but that currently, FDA does have controls and regulatory systems in place for monitoring. Mr. Hall also emphasized that the 510(k) process does control for safety and effectiveness.

The discussion with Dr. Challoner primarily focused on IoM's report, as he chaired the committee that drafted it. The IoM report concluded that the 510(k) process generally does not evaluate safety and effectiveness, but only evaluates whether a device is substantially equivalent to previously cleared devices. He stated that the IoM committee concluded that overhauling the 510(k) process was an optimal scenario, but per Sen. Mikulski's (D-Md.) question, Dr. Challoner stated that he did not expect the 510(k) process to be eliminated overnight. He considered the IoM report to be a conversation starter. Dr. Challoner also testified that since the 510(k) process will not be immediately overhauled, it may be necessary to evaluate and strengthen the post-market processes and improve quality control. Dr. Curfman provided testimony similar to Dr. Challoner, namely that post-market surveillance controls would be helpful in monitoring the safety and effectiveness of devices. One potential way of doing so would be to institute a uniform device identification system so that a device can be tracked over its lifetime.

Sen. Harkin, the Committee Chair, concluded that this hearing was helpful in illustrating the need to take a more intense look at the approval process and post-surveillance controls, especially for certain higher-risk devices. While Sen. Harkin conceded that user fees may not be the optimal solution to compensate for the FDA's lack of resources, he did not consider that any changes to this would be feasible in light of the current climate. Based on some of the discussion points raised during this hearing, the 510(k) process and the post-market surveillance requirements may see increased scrutiny.

A link to the videotaped hearing is here.

Notes on the National Summit on Health Care Fraud

This post was written by Elizabeth Carder-Thompson.

Last week, in my capacity as president of the American Health Lawyers Association, I attended the first National Summit on Health Care Fraud, a joint undertaking by the U.S. Department of Health and Human Services and the U.S. Department of Justice. The conference brought together private sector leaders, law enforcement personnel, and health care experts as part of the Obama Administration’s coordinated effort to fight health care fraud. This was the first national gathering on health care fraud between law enforcement and the private and public sectors.

I.      Presentations and Trends

Leading the morning session, HHS Secretary Kathleen Sebelius vowed to “prevent, catch, and discourage fraudsters,” stating “Criminals – your days are numbered.” She promised an aggressive new fraud prevention focus, including enhanced Medicare Strike Force activities in a number of US cities, and continued coordinated, multi-agency initiatives under HEAT – the Health Care Fraud Prevention and Enforcement Action Team. Secretary Sebelius also stated that, next week, the President’s budget likely will request an additional $1.7 billion in funding for fraud prevention and detection.

Attorney General Eric Holder disclosed that, in 2009, DOJ charged over 800 individuals in health care fraud cases, and obtained 580 convictions so far. DOJ also recovered billions of dollars in False Claims Act (qui tam) recoveries. He also promised that future fraud-busting efforts will include actively engaging the private sector (including Medicare beneficiaries recruited to serve on “Senior Medicare Patrols”), the insurance industry, and health care providers.

A panel comprised of representatives from CMS, FBI, OIG, DOJ, and others who have worked on what they call “the viral fraud cases in the Miami-Dade area” (i.e., spreading like a virus) told stories about the highly-aggressive and coordinated tactics and techniques they now employ. An Assistant United States Attorney who serves as the South Florida Health Fraud Coordinator, Luis Perez, said the days of prolonged subpoena productions, accountant analyses, extended research into cases, and deference to white collar defendants, are over: “We arrest everyone,” he said. His team of government agents and prosecutors seeks to bring the highest possible provable charges as offenses are committed, and then bring in additional evidence during the sentencing phase in order to seek upward adjustments under the Sentencing Guidelines to obtain maximum prison times.

The CEO of the Tufts Health Plan in Boston, James Roosevelt, highlighted anti-fraud tactics increasingly employed by private payers. For example, Tufts has hired Nick Messuri – formerly head of the Massachusetts Attorney General’s Medicaid Fraud Control Unit and a well-known, tough prosecutor in the state – as head of its antifraud group, which includes nine other attorneys. Tufts and other payers conduct their own clinical and other investigations relating to medical necessity, upcoding, miscoding, overutilization, outliers, illegal referrals, and more. Tufts currently has 128 open investigations, some of which are being conducted in cooperation with governmental entities to which it has made reports. 

II.      Investigative and Enforcement Predictions

During the afternoon, attendees were divided into discussion groups to consider such issues as effective law enforcement tactics, the role of states in fraud prevention, effective use of data, and more. A report on the breakout sessions will be published in the future, but some of the common themes I observed – and the future actions I predict – are as follows:

1) There will be heightened cooperation and more aggressive, coordinated enforcement in the public and private sectors to combat fraud, abuse, and waste. The main focus used to be Medicare fraud – now it is health care fraud across-the-board.

2) Increasingly, efforts will be directed at fraud and abuse prevention, and pre-payment scrutiny, rather than just focusing on “pay-and-chase” enforcement. CMS and private payers will be seeking to justify deviating from “prompt pay” requirements in the name of fraud and abuse prevention. A number of speakers commented that investment in health care fraud provides a multiple return – for DOJ, it was a $4 return for every dollar; for Tufts, a $7 return for every dollar; and for OIG, an $8 return for every dollar.

3) There will be increased attention paid to data coordination. Currently, Medicare, Medicaid, and private payers collect and maintain data in different ways, making utilization and other “pattern” comparisons difficult. This is going to change.

4) Governmental entities are directing their resources in a more data-driven and targeted way in order to identify fraudulent patterns. For example, they know that “fraudsters” who used to operate in Miami-Dade are moving up Route 95 into South Carolina and other states. Data shows that those who defrauded fee-for-service programs for a specific item or service, e.g., orthotics and diabetes supplies, are now moving to defraud Medicare Advantage plans. Providers sanctioned and excluded in one state are moving to another. Some of these schemes have worked in the past – but they will not in the future.

5) There will be greatly increased efforts to engage the general public – Medicare beneficiaries, their families, and others – in whistleblowing.

III.     What Does All of This Mean for the Future?

None of us committed to health care in America would countenance or want less than full punishment for “real” health care fraud. Unquestionably, many of the cases cited at the Summit fall in this category – billing for services not rendered, beneficiaries selling their Medicare numbers, false certifications by physicians for items of durable medical equipment, dental clinics pulling children’s teeth unnecessarily to obtain Medicaid payment, clinics billing for outmoded infusion therapy for HIV/AIDS patients, and more. I applaud aggressive and coordinated investigation and enforcement efforts to rid our system of these practices and their perpetrators, and the fraud-fighters in the government clearly are a very smart, very dedicated group.

I worry, however, that the zeal for health care fraud enforcement will inappropriately ensnare committed, compassionate health care providers, suppliers, and manufacturers. In our practice, we are increasingly seeing qui tam relators – whistleblowers – with dollar signs in their eyes, bringing questionable and even frivolous actions against their employers or former employers. We are seeing overburdened prosecutors taking years to make qui tam intervention decisions – while the relators continue to work and gather “data” at their employers’ places of business, to “support” their cases. 

I worry about Medicare contractors, eager to keep their contracts, trying a little too hard to prove to CMS that they are fraud-conscious. I have several supplier clients on 100% pre-pay Medicare review facing significant potential disallowances because a contractor decided for the first time to implement a technical Medicare manual provision about recording a specific date of service – when there is no question from the medical record that medically necessary, physician ordered, and readily documented services were in fact provided.

I worry about constitutional due process. One private insurance company representative at the Summit suggested that the government send announcements to all private payors when any qui tam cases are unsealed, so that the insurance companies can place “edits” on claims filed by the defendants, or at least pre-payment reviews – well before the case has been decided. I worry that the “arrest them all” enforcement mentality will harm the reputations and future livelihood of individuals not yet tried, who are later exonerated. 

There are no easy answers. At a minimum, though, in this rapidly-evolving investigative and enforcement environment, health care providers, suppliers, and manufacturers need to concentrate more than ever before on compliance. Moreover, their compliance efforts need to be real and not token ones, including comprehensive training, and internal auditing and monitoring with real consequences for employees and representatives falling short. The stakes are very high, and the so-called “radar screen” that companies used to joke about “flying under” now reaches all the way to the ground.

Reed Smith will continue to monitor developments with respect to health care fraud as the health care reform debate continues. In the interim, please contact Elizabeth Carder-Thompson in our Washington office if you have questions regarding this topic.

HHS Rule Implements HITECH Act Changes to HIPAA Enforcement

On Friday, October 30, 2009, the U.S. Department of Health and Human Services ("HHS") published an interim final rule and request for comments that implements certain HIPAA enforcement changes made pursuant to the HITECH Act. Consistent with the provisions of the HITECH Act, the new rule amends the HIPAA enforcement regulations applicable to violations of each of HIPAA's Administrative Simplification Rules (i.e., Privacy Rule, Security Rule, Transactions and Code Sets Rules, Standard Unique Identifier for Employers (EIN Rule), and the Standard Unique Identifier for Health Care Providers (NPI Rule)) by instituting the below categories of violations and tiered penalty scheme to HIPAA violations that occur on or after February 18, 2009.

  • Unknown violations (i.e., if a person did not know and by exercising reasonable due diligence would not have known that a violation occurred): The penalty shall be at least $100 for each violation not to exceed $25,000 for all such identical violations during a calendar year, but may be no more than $50,000 for each violation not to exceed $1.5 million for all such violations of an identical requirement or prohibition during a calendar year.
  • Violations due to reasonable cause and not to willful neglect: The penalty shall be at least $1,000 for each violation not to exceed $100,000 for all such identical violations during a calendar year, but may be no more than $50,000 for each violation not to exceed $1.5 million for all such violations of an identical requirement or prohibition during a calendar year.
  • Violations due to willful neglect (and the violations have been corrected): The penalty shall be at least $10,000 for each violation not to exceed $250,000 for all such identical violations during a calendar year, but may be no more than $50,000 for each violation not to exceed $1.5 million for all such violations of an identical requirement or prohibition during a calendar year.
  • Violations due to willful neglect (and the violations have not been corrected): The penalty shall be at least $50,000 for each violation not to exceed $1.5 million for all such violations of an identical requirement or prohibition during a calendar year.

Furthermore, the interim final rule generally amends a covered entity's ability to employ an affirmative defense against an action seeking civil monetary penalties if (i) the covered entity did not have knowledge or constructive knowledge of the violation, and (ii) the violation was not due to reasonable cause and not willful neglect. HHS is also given the authority to waive a civil monetary penalty for violations due to reasonable cause and not willful neglect if the covered entity corrects the violation within 30 days of having knowledge that the violation occurred. 

Comments on this interim final rule will be considered if received by December 29, 2009.

FDA Commissioner Announces Aggressive New Enforcement Policy

This post was written by Frederick H. Branding, R.Ph., JD, Areta L. Kupchyk and Kevin M. Madagan.

After just passing her eighth week as FDA Commissioner, Dr. Margaret Hamburg announced on August 6, 2009, six new enforcement procedures to a group of industry representatives, attorneys, consumers, and others attending a speech sponsored by the Food and Drug Law Institute in Washington, D.C.

“The FDA must be vigilant, the FDA must be strategic, the FDA must be quick, and the FDA must be visible,” according to Commissioner Hamburg. She stated that vigilance means regular inspections and follow-up to ensure problems are resolved; identifying and resolving problems early; a “greater emphasis on significant risk and violations”; rapidly responding to egregious violations or violations that jeopardize public health; and using “meaningful penalties to send a strong message” to discourage future offenses. The Commissioner also said that the agency must be visible and publicize its enforcement actions (and the rationale for those actions) widely and effectively. Commissioner Hamburg described six new policy changes to meet these goals.

 

1. 15 Day Post-Inspection Deadline

FDA will now set post-inspection deadlines. When FDA finds that a firm is significantly out of compliance and issues inspectional observations on Form FDA-483, it will expect a prompt response, generally no more than 15 days. Failing to respond in 15 days will trigger FDA to move forward with a warning letter or enforcement action.

2. Streamlined Warning Letter Process – Chief Counsel Pre-Review Policy Abandoned

Abandoning a policy implemented in 2002, FDA’s Chief Counsel Office will no longer review every warning letter issued by the agency. The Chief Counsel will limit warning letter review to significant legal issues only. In other words, regional offices will now be permitted to issue warning letters.

3. Closer Collaboration with Regional Partners

FDA will continue to seek to work more closely with regulatory partners (e.g., state, local, and international officials) to develop risk control and enforcement strategies, as these entities have more authority to take action quickly than FDA. “When the public health is at risk, the FDA will reach out to our partners to take rapid action while we alert the public and prepare longer-term responses.”

4. Prioritize Enforcement Follow-Up

FDA will prioritize its follow-up with non-compliant firms. After a warning letter is issued or a product recall occurs, FDA will “make it a priority to follow up promptly with appropriate action.” This may include an inspection or investigation to ensure the problem has been resolved.

5. Swift and Aggressive Action Without a Warning Letter

FDA is prepared to take swift aggressive action to protect the public. The agency will no longer issue multiple warning letters. In addition, FDA will consider immediate action, such as action before it issues a warning letter, to address significant health concerns or egregious violations. Although FDA has had the authority to take enforcement action without issuing a warning letter, the agency generally reserves use of enforcement actions such as seizure or injunction for serious public safety situations requiring immediate action to stop manufacturing or distribution to prevent harm. 

6. Warning Letter “Close-Out” Process

FDA is developing a formal warning letter close-out process. For example, after FDA reinspects a facility to ensure that a firm has fully corrected violations identified in a warning letter, FDA may provide to the firm a formal “close-out” letter, indicating that the issues have been successfully addressed. This letter will then be posted on FDA’s website. However, not every warning letter will be eligible for a formal close-out letter. Such letters will likely be sent to companies with a history of ongoing violations. 

Commissioner Hamburg expects these new policies will ensure violative inspection results are taken seriously, warning letters and enforcement actions occur in a timely manner, and steps are taken promptly to protect consumers.

Hospital Agrees to Pay $700,000 To Texas AG For Allegedly Orchestrating an Insurer Boycott of Competitor

This post was written by Diane Green-Kelly and Karl A. Thallner.

In a time of economic crisis, when hospitals, like most other businesses, are struggling to operate within a constrained budget, Memorial Hermann Healthcare System (“Memorial Hermann”) agreed Jan. 26, 2009 to pay $700,000 to settle claims of the Texas Attorney General alleging that Memorial Hermann orchestrated an agreement among health plans not to do business with a new competitor, Town and Country Hospital (“Town and Country”). According to the complaint, Memorial Hermann, which owns and operates acute care hospitals furnishing inpatient care, is the largest hospital system in the Houston area. Town and Country, a physician-owned hospital, opened in November 2005. Before opening, Town and Country approached insurers to enter into contracts to be included in those insurers’ hospital networks. Memorial Hermann allegedly took steps to discourage insurers from entering into contracts with Town and Country, including sending notification of an intent to terminate its contract with one insurer as to all Memorial Hermann facilities, and subsequently renegotiating a contract with the insurer for substantially higher rates.

According to the complaint, the rate increase proposed by Memorial Hermann exceeded any increase reflective of a reasonably foreseeable change in volume resulting from increased competition from Town and Country. Memorial Hermann also was alleged to have notified another insurer of a 25 percent rate increase after learning that that insurer was considering entering into a contract with Town and Country. According to the Texas AG, that increase exceeded any reasonably expected economic impact of increased competition. Pursuant to the settlement agreement, Memorial Hermann has agreed to refrain from engaging in the foregoing conduct and pay $700,000 to the Texas AG as partial reimbursement for the cost of the investigation.

Now more than ever, especially in light of the current economic woes and the new administration’s stated intention to focus on health care and antitrust enforcement, it is essential that health care providers be prepared for an increase in antitrust enforcement activities at the state and federal levels, and be ready to ensure that contract negotiations are conducted with this in mind. What may be intended to be merely tough negotiation tactics designed to increase revenue or reduce costs may be viewed by government authorities as anti-competitive conduct when coupled with other factors. A health care provider, or group of health care providers, that decides to revise contractual arrangements to respond to changes in the competitive environment should take care to support proposed changes with objective data. Further, exclusive arrangements between health care providers and suppliers, while often considered to be pro-competitive, should be approached with careful consideration.