Boosts in Ransomware Attacks Spark Multiple Government Agency Responses

Following a recent U.S. government interagency report indicating that, on average, there has been an alarming 300 percent spike in daily ransomware attacks since early 2016 as compared with 2015, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) released new Health Insurance Portability and Accountability Act (“HIPAA”) guidance on ransomware.  In addition to OCR’s guidance, the Secretary of HHS sent a letter to chief executive officers of companies in the health care sector stressing the importance of robust security compliance to combat ransomware attacks.

Ransomware, as explained by OCR, is a type of malware (i.e., malicious software) that most often attempts to deny access to a user’s data, usually by encrypting the data, until a ransom is paid. Hackers may also deploy ransomware in conjunction with other malware that destroys or transfers data from the infected information system.  Indicators of a ransomware attack could include, for example, an inability to access certain files, or a user’s realization that a link or file attachment that was opened may have been malicious in nature.

Privacy Shield to Enter into Force Immediately in EU, on August 1 in U.S.

The EU-U.S. Privacy Shield has been adopted by the European Commission. On July 12, 2016, following a positive vote from the member states (the Article 31 Committee) on July 8, the EU College of Commissioners formally adopted the Privacy Shield. The Privacy Shield enters into force immediately in the EU. In the U.S., the Privacy Shield will be published in the Federal Register, becoming effective on August 1.

To learn more about this development, please read the recent Reed Smith Client Alert, “EU-U.S. Data Privacy Shield adopted – a phoenix rising from the ashes of Safe Harbour?” written by Cynthia O’Donoghue, Kate Brimsted, Philip Thomas, Paul Bond, and Gerard M. Stegmaier.

Reed Smith Attorneys to Speak at Upcoming “Women Leaders in Life Sciences Law” Conference

Two members of Reed Smith’s Life Sciences Health Industry (LSHI) group will be speaking at the American Conference Institute’s 3rd Annual Conference on Women Leaders in Life Sciences Law taking place in Boston on July 27-29, 2016.

On July 28, Reed Smith partner and co-chair of the firm’s LSHI group, Melissa A. Geist will discuss some of the most cutting-edge legal challenges in the life sciences space in a panel entitled, “What Women Leaders in Life Sciences Law Must Know About Products Liability, Mass Torts, and ‘Bet-the-Company’ Litigation.” On July 29, Reed Smith partner Gail L. Daubert will be speaking on building a pricing and reimbursement strategy during the panel presentation, “Key Regulatory and Pricing Developments Affecting How Life Sciences Companies Bring Products to Market.”

The “Women Leaders in Life Sciences Law” event was created to increase the prominence of women in the life sciences legal community through substantive legal discussion, professional development and woman-to-woman networking. This year’s program features an impressive lineup of women leaders throughout the life sciences community poised to discuss key legal developments for pharmaceutical, biotech and medical device companies as well as engage in candid discussion of gender stereotypes and other implicit obstacles to advancement.

As a proud sponsor of this event, Reed Smith is able to offer a 15 percent registration discount for clients who would like to attend. To obtain the discount, enter the code P15-999-RSH16 while registering online. (Your discount will be manually applied at the end of the registration process by American Conference Institute customer service staff.)

What Brexit Means for Data Protection

For global pharmaceutical and medical device companies handling personal data in the European Union (EU) or engaged in transatlantic data transfers, some of the many questions created by the Brexit vote include what its impact will be on the United Kingdom’s (UK) data protection laws.

These questions also arise in the context of the EU’s General Data Protection Regulation (GDPR), due to come into force in May 2018, which coincides with the period during which the UK will be negotiating its EU exit, and the impending agreement by the EU to the Privacy Shield.  The GDPR is designed to strengthen and harmonise data protection within the EU and the Privacy Shield is meant to replace the now invalid EU-US Safe Harbor Framework. Given this, it is important for manufacturers to consider the following:

How will personal data be regulated under UK law?

If the UK exits the EU before the GDPR comes into force, it will not be without a data protection law. The UK’s own Data Protection Act 1998 (DPA) is currently and would remain the law of the land. Even now, the UK’s Information Commissioner’s Office interprets the DPA in a manner that is consistent with some of the GDPR requirements, such as privacy by design and accountability through the use of privacy impact assessments. Compliance with the DPA provides a degree of compliance with the GDPR.

What will the UK-EU relationship look like with respect to data protection?

Given that the GDPR may come into force in the UK and EU before the UK’s negotiation period to leave the EU is complete, the UK should not find it difficult to achieve the ‘adequate’ data protection status necessary to maintain current trade and commercial relationships with the EU. It may be that the UK adopts much of the GDPR into its law, either as an update to the DPA, or as a new legislative measure.

How will Brexit affect data transfers?

Brexit will not affect the Privacy Shield agreement, and for the UK, Brexit should not change UK policy in relation to the Privacy Shield. Since the DPA permits UK data controllers to make their own adequacy determination for transferring data outside the UK and the European Economic Area (EEA), it may be that the UK’s Information Commissioner’s Office deems certification to the Privacy Shield by US companies adequate even if the UK is outside the EU. Such a stance would not be unprecedented, since other countries, such as Israel, had taken a similar position in relation to the US-EU Safe Harbor Framework before it had been ruled invalid by the CJEU. If that is the case, then transfers of data to the US on the basis of certification to the Privacy Shield could be deemed per se adequate by the UK.

In addition, the UK remains a member of the Council of Europe and a party to Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data. The Convention provisions relating to transborder data flows permit the transfer of data between Convention 108 members, which include not only the EU member states, but a total of 50 countries, including Turkey, Russia, and Ukraine, among others.

To learn more about Brexit’s potential impact on the United Kingdom’s (UK) data protection laws, and about how Brexit could provide an unexpected opportunity for the UK to become a data haven, please read our recent Client Alert, “Data Protection in a Post-Brexit Landscape.”

Major Changes To Nondiscrimination Requirements Under ACA Effective Soon: Are Covered Entities Ready?

The HHS Office of Civil Rights (“OCR”) published a final rule May 18, 2016, broadening the nondiscrimination requirements applicable to all health programs and activities receiving federal financial assistance from HHS, those administered by HHS, and Health Insurance Marketplaces. The final rule implements section 1557 of the ACA and adds two important categories of protections: (1) prohibition of discrimination on the basis of sex; and (2) mandatory meaningful access for individuals with limited English proficiency. Also included in the final rule, OCR outlines specific actions covered entities must take to signal their compliance with these nondiscrimination requirements.

Effective July 18, 2016, the final rule has largely flown under the radar since its publication, begging the question: are covered entities prepared to comply with these new requirements? The deadline to implement changes applies to all covered entities, except health insurance or group health plans. As this July 18, 2016, date approaches rapidly, covered entities should understand the final rule’s key provisions and the changes they must make to ensure their health programs and activities are in compliance.

Upcoming Free CLE Webinar on Country of Origin Issues for Pharmaceutical, Medical Device Companies

The Reed Smith Life Sciences Health Industry Group will be hosting a free CLE webinar, “Where Was This Made? Country-of-Origin Issues for Pharmaceutical & Medical Device Companies,” on July 19, 2016 at 12 p.m. ET. Drug and device manufacturers often struggle to correctly determine their products’ “country of origin” thanks to ever-changing global supply chains and the fact that different government agencies employ entirely different legal standards. As a result, a product’s country of origin may vary based on which agency is requiring a determination. This has caused considerable confusion and, yet, compliance has never been more important as multi-million dollar False Claims Act actions become more frequent for companies that incorrectly certify the origin of their products to the government.

In this webinar, Reed Smith presenters Jeffrey Orenstein and Lawrence Sher will be examining the numerous regulatory requirements that companies must take into consideration to ensure compliance over time. They will also be explaining the risks of non-compliance in the context of both administrative penalties and False Claims Act actions initiated by the government and whistleblowers.

This webinar is approved for 1 hour of general CLE credit in CA, IL, NJ, PA, TX and WV. To register for the free webinar, please click here.

Upcoming Free CLE Webinar on Medicare Secondary Payer, Best Practices for the Defense

The Reed Smith Life Sciences Health Industry Group will be hosting a free CLE webinar, “Medicare Secondary Payer: Issues and Best Practices for the Defense,” on July 13, 2016 at 12 p.m. ET. Reed Smith presenters Eric Gladbach and Mildred Segura will be providing an overview and timeline of Medicare Secondary Payer reporting responsibilities; discussing best practices in discovery demands, release language, check issuance, and requesting payment/no payment letters from Medicare; examining the Global Resolution Option alternative; and highlighting other issues corporate defendants may face, such as future costs and set-asides.

This webinar is approved for 1 hour of general CLE credit in CA, IL, NJ, PA, TX and WV. To register for the free webinar, please click here.

Please Join Us For A Reed Smith Webinar On 3D Printing – Will Regulatory Pathways and Reimbursement Change?

The Reed Smith Life Sciences Health Industry Group will be hosting an upcoming CLE webinar “Think Differently. 3D Printing – Will Regulatory Pathways and Reimbursement Change?” on July 21, 2016 at 12:00 p.m. ET. Reed Smith presenters Gail Daubert, Celeste Letourneau and Kevin Madagan will be discussing the increasing popularity of 3D printing and how it is changing the future of health care far more dramatically than we would have ever imagined. Currently the FDA has approved one 3D printed drug, and cleared no fewer than 85 medical devices through the 510(k) process. As these products make their way to the market, manufacturers and providers are faced with another big hurdle – how to get reimbursed. This webinar will address current FDA regulatory pathways and explore the many unanswered questions surrounding 3D printing reimbursement issues for providers and manufacturers including:

  • How will providers/manufacturers be compensated, and how will it be determined?
  • Will there be coverage?
  • What are the current codes, and will new codes have to be written?
  • What is the future for health care, medical devices and drugs in relation to 3D printing?

This webinar is also approved for 1 hour of general CLE credit in CA, IL, NJ, PA, TX and WV. To register for the free webinar, please click here.

European Patent Office to Make Pan-European Revocation Proceedings Faster, More Efficient as of July 1

European Patent Office oppositions are a very powerful way of litigating newly granted patents. In reality these are pan-European revocation proceedings, with profound strategic significance for life sciences companies – this is the only way through which all national parts of a European patent can be revoked simultaneously in one set of proceedings. Unsurprisingly, EPO oppositions are now an almost inevitable feature of the European life sciences litigation landscape.

In 2015, the EPO saw an increase of 17.6% in the total number of patents opposed, up to a total of 3,713 patents, with life sciences patents forming a substantial portion of these. Whilst not at U.S. litigation levels, this nonetheless starkly demonstrates oppositions’ strategic value in commercial battles between competitors in Europe. But the EPO opposition process has been a victim of its own success, attracting adverse judicial criticism for its lengthy and open-ended process. “Normal” cases have been taking an average of between four to eight years through to final determination (including appeals).

The EPO has now announced that from July 1, 2016, post-grant oppositions will be reformed so that they become significantly faster and more efficient. The effect of these changes is that in straightforward cases, the decision in a first instance opposition will be issued within 15 months from the opposition deadline. To learn more about these changes, read our client alert, “The European Patent Office introduces a ‘go-faster’ opposition process.”

U.S. Supreme Court Decision Upholds Implied Certification Theory of False Claims Act Liability, Articulates New Limits

Last month, Lindsey provided readers of the Drug and Device Law blog with an overview of United Health Services, Inc. v. U.S. ex rel. Escobar, a False Claims Act (FCA) case that was bringing the implied certification theory of FCA liability before the U.S. Supreme Court for review.

The FCA imposes liability on anyone who knowingly presents, or causes to be presented, false or fraudulent claims (or requests) for payment to the federal government. Under the implied certification theory, when a company submits a claim for payment to the government, it implies through this submission that it is in compliance with applicable contractual, regulatory or statutory requirements. If the company isn’t in compliance, it may find itself facing FCA liability. This has led to numerous FCA cases against companies in the life sciences and health care industry.

In January, members of Reed Smith’s global regulatory enforcement and appellate groups submitted an amicus brief on behalf of the National Association of Criminal Defense Lawyers in the Escobar case. The brief argued that the Court should reject the implied certification duty in its entirety absent the existence of a defined and legally cognizable duty to disclose noncompliance that is expressly stated in a contract, regulation, or statute as a precondition to payment from the government. The brief also emphasized the serious fair notice and due process concerns with the First Circuit’s decision, concerns the Court expressed in its opinion in Escobar.

On June 16, 2016, the Supreme Court issued its ruling in Escobar and, unfortunately, as Lindsey noted in a second Drug and Device Law post, the implied certification theory lives, but it does so with new limits. In its unanimous opinion, the Court issued three principal holdings:

First, the Court adopted a new, but qualified, version of the implied certification theory.

Implied certification theory is now the law of the land. This in itself is not a significant change since most of the federal circuit courts of appeal already had adopted the theory, and only one circuit had rejected it. What is significant is how the Court defines and constrains the implied certification theory; its decision now requires that “two conditions” be satisfied before the failure to disclose noncompliance to the government can lead to FCA liability:

  1. “the claim does not merely request payment, but also makes specific representations about the goods or services provided”
  2. “the defendants’ failure to disclose noncompliance with material statutory, regulatory, or contractual requirements makes those representations misleading half-truths”

Merely requesting payment—without also making “specific” statements about the goods or services the company is providing—is no longer enough to establish implied certification liability.

Second, the Court rejected the “express condition of payment” limitation on implied certification adopted by some lower courts.

A company’s failure to disclose violations of legal requirements also can now lead to implied certification liability even if the requirements “were not expressly designated as conditions of payment.”

This is a change from the law in several circuits, which had adopted the “express condition” limitation to confine implied certification liability and enable companies to determine precisely what requirements could trigger it. The Court did stress, however, that “even when a requirement is expressly designated a condition of payment, not every violation of such a requirement gives rise to liability.”

Third, the Court laid out a new materiality requirement that relators must satisfy.

The Court emphasized that misrepresentations about compliance must be material to the government’s decision to pay since the FCA is not an “all-purpose antifraud statute” or a “vehicle for punishing garden-variety breaches of contract or regulatory violations.” The Court ruled that a “misrepresentation cannot be deemed material merely because the Government designates compliance with a particular statutory, regulatory, or contractual requirement as a condition of payment.” The Court also stated that a requirement is not material simply because the government “would have the option to decline to pay if it knew of the defendant’s noncompliance.” Finally, the Court found that “minor or insubstantial” noncompliance is not material.

Given these definitions, the Court proceeded to specifically reject the government’s and First Circuit’s definition of materiality, which provided “that any statutory, regulatory, or contractual violation is material so long as the defendant knows that the Government would be entitled to refuse payment were it aware of the violation.”

What are the implications of this decision?

For a deeper look at the implications of Escobar, be sure to read our client alert, “U.S. Supreme Court Adopts a Limited Implied Certification Theory of FCA Liability, and Establishes a Robust New Materiality Requirement.” However, one key takeaway is that this decision likely means an increase in the filing of new FCA suits across all industries, especially those where companies customarily make specific statements to the government about the goods and services they are providing.