Upcoming Reed Smith Webinar On The General Data Protection Regulation

The Reed Smith Information Technology, Privacy & Data Security Group will be hosting an upcoming webinar, “The Biggest Shake Up of European Data Protection Law in 20 Years: What Your Organisation Needs to Do to Comply with the General Data Protection Regulation,” on June 7, 2016 at 11:00 a.m. ET, 16:00 p.m. BST and 17:00 p.m. CEST. Reed Smith presenters including London-based Kate Brimsted, Cynthia O’Donoghue and Philip Thomas; Munich-based Dr. Thomas Fischl; and Paris-based Daniel Kadar will be discussing some of the key provisions of the General Data Protection Regulation (GDPR) which will come to fruition on May 25, 2018. The webinar will explore the following topics:

  • Jurisdictional scope of the General Data Protection Regulation (“GDPR”)
  • Rights of individuals and consent
  • Processors under the GDPR
  • Accountability
  • Data transfers
  • Profiling and research
  • Regulators, investigations and sanctions

To register for the free webinar, please click here.

Senate Finance Committee Issues Report on POD Industry and its Surgeon Participants

For some time, we have been reporting on issues involving federal government scrutiny of physician-owned distributors (“PODs”). From our blog post here on the Department of Health and Human Services Office of Inspector General’s (“OIG”) issuance of the March 2013 OIG Special Fraud Alert (“Special Fraud Alert”), to our post here on the Reliance Medical Systems challenge to the Fraud Alert, as well as here – the controversy over PODs has continued. This month the Senate Finance Committee issued a comprehensive report entitled Physician Owned Distributorships: An Update on Key Issues and Areas of Congressional Concern (“Report”). The Committee continues to be highly critical of the entire POD industry and its surgeon participants, and it stressed not only expanded guidelines in this area, but also increased and expanded investigative and enforcement activity by the OIG and DOJ.

To read more about the POD update, including key take-aways from the Report, read our Client Alert here.


FDA Publishes Draft Guidance Regarding 3D Printing Of Medical Devices

The U.S. Food and Drug Administration (FDA) has approved more than 80 medical devices that involve 3D printing and one prescription drug.  It also held a public workshop to obtain information and input about 3D printing issues on October 8 and 9, 2014.  FDA brought together technical 3D printing expertise from various industries and sectors to help the agency develop an evaluation process for future submissions of medical devices resulting from additive manufacturing techniques.  Based on the feedback from the workshop, FDA yesterday issued a draft guidance for Technical Considerations for Additive Manufactured Devices.

According to FDA, the draft guidance is a “leap-frog” guidance to share FDA’s “initial thoughts regarding technologies that are likely to be of public health importance early in product development.”  While the draft guidance is not meant to be a comprehensive document to address all regulatory requirements, it highlights the technical considerations and recommendations for design, manufacturing, and testing of medical devices that include at least one fabrication step using additive manufacturing.

The guidance is split up into two categories of considerations: (1) design and manufacturing, and (2) device testing.  Both sections overlap in substance, and the device testing section provides strong recommendations of what a device manufacturer should include in a premarket submission for a device that uses additive manufacturing.  This will likely have an effect on how 3D printing device companies design, manufacture, and test their devices, especially those that manufacture patient-matched devices (devices that are “customized” for a specific patient’s anatomy, usually based on medical imaging data), to which the FDA draft guidance pays particular attention.

For more about legal issues involving 3D printed medical devices, read our white paper: 3D Printing of Medical Devices: When a Novel Technology Meets Traditional Legal Principles.

UPDATED:  For a fuller analysis of this new draft guidance, see our post over at the Drug and Device Law blog.

Appeals Court Decision is Positive News for Health Companies Concerned About Cyberliability Coverage

In a ruling particularly meaningful to health care companies, which are responsible for patients’ protected, personally-identifiable information, the U.S. Court of Appeals recently upheld a lower court’s decision finding coverage under a healthcare company’s comprehensive general liability (CGL) policy.  When the health care company inadvertently made certain confidential medical records accessible to the public online over a three-month period, the court determined that the “publication” requirement under the CGL policy had been met, thus triggering coverage under the company’s CGL policy.

The decision turned on the fact that the term “publication” was not a defined term in the policy, thus coverage must be afforded in favor of the insured.  The opinion serves as a reminder that companies, when faced with a cyber claim,  should review their traditional lines of insurance – such as CGL and property policies – as part of a full assessment of their potential coverage. Although a dedicated cyberliability policy may provide more comprehensive coverage in response to data breach claims or losses, this recent decision shows that these “traditional” policies should also be part of a comprehensive breach response and risk management plan.

For a deeper look at the case and its implications, read our recent Client Alert, “Fourth Circuit Finds That Traditional CGL Policies May Continue to Provide Coverage for Cyberliability Claims.”

New VA Policy to Have Immediate Impact on Many Pharmaceutical Manufacturers, Suppliers

In a significant policy reversal that will affect many pharmaceutical manufacturers and suppliers – and that will require immediate action by many pharmaceutical manufacturers – the Department of Veterans Affairs is now requiring that all covered drugs under the Veterans Health Care Act be offered on Federal Supply Schedule (FSS) contracts, regardless of whether they meet the “country of origin” standards of the Trade Agreements Act (TAA).

Under the TAA, government agencies, including the VA, are generally prohibited from procuring goods that are not made in either the United States or certain “designated countries.”  A large number of drug manufacturers have products that aren’t TAA-compliant due to being manufactured with active pharmaceutical ingredients (API) from non-designated countries like India and China.

However, VA contracting officers will now have the authority to issue “non-availability determinations,” allowing the VA to list non-TAA-compliant covered drugs on FSS contracts under certain circumstances. This means that, for the first time, FSS contracts will be open to hundreds of pharmaceutical products that are manufactured in non-TAA designated countries.

The VA is fast-tracking implementation of the new policy. Manufacturers that already have FSS contracts must submit a Request for Modification to add their non-TAA-compliant products, and companies that currently do not have an FSS contract, because all their covered drugs are non-TAA compliant, must enter into an Interim Agreement with the VA, enabling their covered drugs to be considered for an FSS contract. Manufacturers should be aware of these key deadlines:

  • April 26, 2016: Submit Non-Federal Average Manufacturer Price (FAMP) information for TAA non-compliant covered drugs, if the company has not already been submitting Non-FAMPs for those products.
  • May 6, 2016: Submit signed mass modifications, requests for modification to add TAA non-compliant covered drugs, and Interim Agreements.
  • June 6, 2016: All TAA non-compliant drugs must be on an FSS contract or Interim Agreement.

For more information about this policy change, and what manufacturers need to do in the coming days and weeks to comply, read our recent Client Alert, “Veterans Affairs to Permit Acquisition of Non-TAA-Compliant Drugs.”

Mobile App Compliance for Dummies: New Tool Helps Developers Understand Their Legal Compliance Requirements

In a joint effort by the Federal Trade Commission (FTC), Office for Civil Rights (OCR), HHS Office of National Coordinator for Health Information Technology (ONC), and Food and Drug Administration (FDA), a new web-based tool has been released that is designed to help developers of mobile health apps understand the multitude of federal laws and regulations that may apply to them.

Through a series of 10 simple “yes or no” questions, mobile health app developers can learn about the laws they may be subject to, such as the Health Insurance Portability and Accountability Act (HIPAA), FDA’s medical device manufacturing regulations, and the FTC’s rules prohibiting deceptive or unfair acts or practices.  Sample questions include: “Are you a health care provider or health plan?” and “Do consumers need a prescription to access your app?”

Developers that discover they are subject to HIPAA can learn more about their obligations by visiting OCR’s health app developer portal.

Expect Increased State AG Enforcement Actions on Health Data Incidents

Businesses working with U.S. customer or employee data are very familiar with the roles the Federal Trade Commission (FTC), U.S. Department of Health and Human Services, and other federal agencies play in privacy regulation and enforcement.

But, increasingly, if your company ends up facing a health – or other data – incident, you may find yourself dealing with state attorneys general as well. Recent comments by privacy and consumer protection officials indicate that states are looking to shift their attention from retail breaches (involving compromised credit card information) to breaches involving personal information of “higher-risk,” including health care data.

As enforcement activity in the health care privacy/security sector continues to reflect significant participation by both the OCR and FTC, state AGs may start to bridge the gap between the two federal agencies.

To learn more about State AGs’ increasing interest in this area, and how it could affect your company, read our post “State AGs Upping the Ante on Health (and Other) Information Data Incidents – Expect Increased Enforcement Actions” on Reed Smith’s Technology Law Dispatch blog.

Privacy Shield Details Have Been Revealed: Here’s What Companies Need to Know

The European Commission has published its draft adequacy decision on the EU-U.S. Privacy Shield, the proposed data transfer framework that would replace the defunct Safe Harbor program. The draft adequacy decision formally supports the view that the proposed EU-U.S. Privacy Shield will ensure an adequate level of protection for the transfer of personal data from the EU to U.S. companies which enlist in the new program.

The draft decision also provides full details of the Privacy Shield framework for the first time.

The earliest the Privacy Shield is likely to be available is June, but if your company relies on transatlantic data-sharing, as many pharmaceutical and medical device companies do, it’s worth reviewing the details of the framework now to determine whether it might make sense for your business.

Some key aspects of the Privacy Shield include the following:

  • As with Safe Harbor, the Privacy Shield will not be available to companies in specific sectors which are outside the jurisdiction of the U.S. Federal Trade Commission or Department of Transportation. This means that companies in the financial services and insurance sectors will not be eligible to join.
  • EU citizens will have several options for pursuing claims regarding alleged misuse of their data, including (a) directly with the allegedly offending company, (b) through alternative dispute resolution provided by an independent third party, (c) with the EU Data Protection Authority (which will then work with the Department of Commerce and Federal Trade Commission), and (d) with the Privacy Shield Panel, which operates as a last resort and provides a binding decision via an arbitration mechanism. Privacy Shield certified businesses will have to put in place an effective redress mechanism, including responding substantively within 45 days to complaints received from EU individuals about the treatment of their personal data. Failure to respond to complaints will result in the individuals having recourse to alternative redress mechanisms.
  • Privacy Shield members must provide individuals with notice of the organization’s participation in Privacy Shield, the type of data affected and the purposes for which it will be used. Individuals must be informed of any third parties to whom their data will be transferred and must also be provided with “clear, conspicuous, and readily available mechanisms” for opting out of these disclosures to third parties or for preventing use of their personal data for a new purpose.
  • Tightened rules will apply around onward transfers of data by a Privacy Shield member to third parties, whether a data controller or a data processor. If compliance problems arise in this sub-processing chain, the Privacy Shield organization acting as data controller of the data will face liability unless it can prove that it was not responsible for the event causing the damage.

For more details on what will be different under the Privacy Shield, what will be largely the same as it was under Safe Harbor, and what kind of companies may be best positioned to transition to the Privacy Shield, read our recent client alert, “Now That Details of the EU-U.S. Privacy Shield Have Been Revealed, Should Your Company Get Ready to Embrace It or Avoid It?”

We’ll continue to monitor developments in this area and keep our readers posted.

Navigating the Regulatory Issues of 3D Printing

The increasing popularity of 3D printing is changing the future of health care far more dramatically than we would have ever imagined. Although we have blogged about 3D printing, and the Reed Smith white paper, “3D Printing of Medical Devices: When a Novel Technology Meets Traditional Legal Principles” addressed regulatory issues for medical devices and pharmaceuticals (among myriad topics), the regulatory issues warrant continuing attention.

Currently the FDA has approved one 3D printed drug and cleared no fewer than 85 medical devices through the 510(k) process that are made by device manufacturers using 3D printing additive manufacturing processes.

Under the existing FDA regulatory framework, a “manufacturer” is defined broadly to include “any person who designs, manufactures, fabricates, assembles, or processes a finished device.” Although Compassionate Use and Emergency Use pathways remain possibilities in rare circumstances when a hospital or surgeon concludes that on-site printing of a custom implantable medical device is necessary for a particular patient, how the FDA will address non-traditional device “manufacturers” remains an open question.  It is hard to imagine hospital 3D printing labs moving beyond using 3D printing for surgical planning purposes, to the printing of custom implantable devices, until the FDA provides further regulatory guidance.  Given that they have been looking at these issues, including through a Public Workshop held in October 2014, there is hope that guidance will come soon.

Other open regulatory questions include:

  • Will the FDA regulate the 3D printer, or just the end product?
  • Will the FDA view shared design files as the unauthorized promotion of the device if the device’s benefits and risks are not disclosed?
  • To what extent might FDA exercise its enforcement discretion for 3D products?

These issues, as well as other concerns currently facing this industry, are covered in “3D Printing of Medical Devices: When a Novel Technology Meets Traditional Legal Principles.”

A Proposed End to “Amarin Pharm v. FDA” has FDA Agreeing to Abide by District Court’s Order

We have been closely following Amarin Pharm, Inc. v. FDA with respect to the preliminary injunction granted by the Southern District of New York that prohibited the FDA from taking action against Amarin over truthful, non-misleading “off-label” statements about its prescription drug Vascepa. We’ve also been following the similar Pacira Pharm., Inc. v. FDA case, which settled in December 2015. Yesterday, the parties in Amarin filed a letter advising the court that those parties also had reached a settlement, and its terms are notable in several respects.

As you may recall, Vascepa was approved by the FDA to treat adult patients with “very high” triglyceride levels, and Amarin sought to disclose truthful, non-misleading information to doctors that Vascepa could also be used to treat patients with “high” triglyceride levels. The District Court’s Opinion and Order is available at:  Amarin Pharma, Inc. v. FDA, 119 F. Supp. 3d 196 (SDNY 2015).

Since the court’s August 2015 order, the parties have been discussing settlement, and the proceedings have been stayed while they did so.

The parties’ March 8, 2016 proposed order of settlement includes the following provisions:

  • Defendants agree to be bound by the Court’s conclusion that Amarin may engage in truthful and non-misleading speech promoting the off-label use of Vascepa and, under United States v. Caronia, 703 F.3d 149 (2d Cir. 2012), such speech may not form the basis of a prosecution for misbranding.
  • Defendants agree to be bound by the Court’s conclusion that the combination of statements and disclosures that Amarin proposes to make to doctors relating to the use of Vascepa in patients with persistently high triglycerides, as those statements were modified in the court’s August 7, 2015 Order, are truthful and non-misleading.
  • Amarin bears the responsibility, going forward, of assuring that its communications to doctors regarding off-label use of Vascepa remain truthful and non-misleading.
  • Amarin may submit to the FDA, through certain pre-clearance procedures, up to two proposed communications per calendar year about the off-label use of Vascepa before communicating them in promotion to doctors to determine if the FDA has concerns with Amarin’s proposed communications. If the FDA has any concerns, it will contact Amarin. The proposed order of settlement includes the timeline and procedure for resolving any dispute.
  • The parties also waive all rights to appeal the proposed settlement order.

The Amarin settlement is notable because the FDA now has agreed that a manufacturer can engage in truthful, non-misleading promotion about off-label uses that fall outside the scope of its scientific and medical publications Guidance, and its responding to unsolicited requests Guidance. Whether it signals that the FDA agrees that, more generally, truthful, non-misleading promotion is permissible remains to be seen, however, because the Amarin settlement comes within the context of some rather case-specific facts. Moreover, even if the Amarin settlement does reflect FDA recognition that the First Amendment protects rather more speech than it has acknowledged to date, determining whether given speech is “truthful” and “not misleading” may pose its own challenges as well.

We will update this post when the court enters an order of settlement.