Appeals Court Decision is Positive News for Health Companies Concerned About Cyberliability Coverage

In a ruling particularly meaningful to health care companies, which are responsible for patients’ protected, personally identifiable information, the U.S. Court of Appeals recently upheld a lower court’s decision finding coverage under a healthcare company’s comprehensive general liability (CGL) policy. When the health care company inadvertently made certain confidential medical records accessible to the public online over a three-month period, the court determined that the “publication” requirement under the CGL policy had been met, thus triggering coverage.

The decision turned on the fact that the term “publication” was not a defined term in the policy, so coverage had to be afforded in favor of the insured. The opinion serves as a reminder that companies, when faced with a cyber claim, should review their traditional lines of insurance – such as CGL and property policies – as part of a full assessment of their potential coverage. Although a dedicated cyberliability policy may provide more comprehensive coverage in response to data breach claims or losses, this recent decision shows that these “traditional” policies should also be part of a comprehensive breach response and risk management plan.

For a deeper look at the case and its implications, read our recent Client Alert, “Fourth Circuit Finds That Traditional CGL Policies May Continue to Provide Coverage for Cyberliability Claims.”

New VA Policy to Have Immediate Impact on Many Pharmaceutical Manufacturers, Suppliers

In a significant policy reversal that will affect many pharmaceutical manufacturers and suppliers – and that will require immediate action by many pharmaceutical manufacturers – the Department of Veterans Affairs is now requiring that all covered drugs under the Veterans Health Care Act be offered on Federal Supply Schedule (FSS) contracts, regardless of whether they meet the “country of origin” standards of the Trade Agreements Act (TAA).

Under the TAA, government agencies, including the VA, are generally prohibited from procuring goods that are not made in either the United States or certain “designated countries.” A large number of drug manufacturers have products that are not TAA-compliant because they are manufactured with active pharmaceutical ingredients (API) from non-designated countries such as India and China.

However, VA contracting officers will now have the authority to issue “non-availability determinations,” allowing the VA to list non-TAA-compliant covered drugs on FSS contracts under certain circumstances. This means that, for the first time, FSS contracts will be open to hundreds of pharmaceutical products that are manufactured in non-TAA designated countries.

The VA is fast-tracking implementation of the new policy. Manufacturers that already have FSS contracts must submit a Request for Modification to add their non-TAA-compliant products, and companies that currently do not have an FSS contract, because all their covered drugs are non-TAA compliant, must enter into an Interim Agreement with the VA, enabling their covered drugs to be considered for an FSS contract. Manufacturers should be aware of these key deadlines:

  • April 26, 2016: Submit Non-Federal Average Manufacturer Price (FAMP) information for TAA non-compliant covered drugs, if the company has not already been submitting Non-FAMPs for those products.
  • May 6, 2016: Submit signed mass modifications, requests for modification to add TAA non-compliant covered drugs, and Interim Agreements.
  • June 6, 2016: All TAA non-compliant drugs must be on an FSS contract or Interim Agreement.

For more information about this policy change, and what manufacturers need to do in the coming days and weeks to comply, read our recent Client Alert, “Veterans Affairs to Permit Acquisition of Non-TAA-Compliant Drugs.”

Mobile App Compliance for Dummies: New Tool Helps Developers Understand Their Legal Compliance Requirements

In a joint effort by the Federal Trade Commission (FTC), Office for Civil Rights (OCR), HHS Office of National Coordinator for Health Information Technology (ONC), and Food and Drug Administration (FDA), a new web-based tool has been released that is designed to help developers of mobile health apps understand the multitude of federal laws and regulations that may apply to them.

Through a series of 10 simple “yes or no” questions, mobile health app developers can learn about the laws they may be subject to, such as the Health Insurance Portability and Accountability Act (HIPAA), FDA’s medical device manufacturing regulations, and the FTC’s rules prohibiting deceptive or unfair acts or practices. Sample questions include: “Are you a health care provider or health plan?” and “Do consumers need a prescription to access your app?”

Developers that discover they are subject to HIPAA can learn more about their obligations by visiting OCR’s health app developer portal.

Expect Increased State AG Enforcement Actions on Health Data Incidents

Businesses working with U.S. customer or employee data are very familiar with the roles the Federal Trade Commission (FTC), U.S. Department of Health and Human Services, and other federal agencies play in privacy regulation and enforcement.

But, increasingly, if your company ends up facing a health – or other data – incident, you may find yourself dealing with state attorneys general as well. Recent comments by privacy and consumer protection officials indicate that states are looking to shift their attention from retail breaches (involving compromised credit card information) to breaches involving “higher-risk” personal information, including health care data.

As enforcement activity in the health care privacy/security sector continues to reflect significant participation by both the OCR and FTC, state AGs may start to bridge the gap between the two federal agencies.

To learn more about State AGs’ increasing interest in this area, and how it could affect your company, read our post “State AGs Upping the Ante on Health (and Other) Information Data Incidents – Expect Increased Enforcement Actions” on Reed Smith’s Technology Law Dispatch blog.

Privacy Shield Details Have Been Revealed: Here’s What Companies Need to Know

The European Commission has published its draft adequacy decision on the EU-U.S. Privacy Shield, the proposed data transfer framework that would replace the defunct Safe Harbor program. The draft adequacy decision formally supports the view that the proposed EU-U.S. Privacy Shield will ensure an adequate level of protection for the transfer of personal data from the EU to U.S. companies which enlist in the new program.

The draft decision also provides full details of the Privacy Shield framework for the first time.

The earliest the Privacy Shield is likely to be available is June, but if your company relies on transatlantic data-sharing, as many pharmaceutical and medical device companies do, it’s worth reviewing the details of the framework now to determine whether it might make sense for your business.

Some key aspects of the Privacy Shield include the following:

  • As with Safe Harbor, the Privacy Shield will not be available to companies in specific sectors which are outside the jurisdiction of the U.S. Federal Trade Commission or Department of Transportation. This means that companies in the financial services and insurance sectors will not be eligible to join.
  • EU citizens will have several options for pursuing claims regarding alleged misuse of their data, including (a) directly with the allegedly offending company, (b) through alternative dispute resolution provided by an independent third party, (c) with the EU Data Protection Authority (which will then work with the Department of Commerce and Federal Trade Commission), and (d) with the Privacy Shield Panel, which operates as a last resort and provides a binding decision via an arbitration mechanism. Privacy Shield certified businesses will have to put in place an effective redress mechanism, including responding substantively within 45 days to complaints received from EU individuals about the treatment of their personal data. Failure to respond to complaints will result in the individuals having recourse to alternative redress mechanisms.
  • Privacy Shield members must provide individuals with notice of the organization’s participation in Privacy Shield, the type of data affected and the purposes for which it will be used. Individuals must be informed of any third parties to whom their data will be transferred and must also be provided with “clear, conspicuous, and readily available mechanisms” for opting out of these disclosures to third parties or for preventing use of their personal data for a new purpose.
  • Tightened rules will apply around onward transfers of data by a Privacy Shield member to third parties, whether a data controller or a data processor. If compliance problems arise in this sub-processing chain, the Privacy Shield organization acting as data controller of the data will face liability unless it can prove that it was not responsible for the event causing the damage.

For more details on what will be different under the Privacy Shield, what will be largely the same as it was under Safe Harbor, and what kind of companies may be best positioned to transition to the Privacy Shield, read our recent client alert, “Now That Details of the EU-U.S. Privacy Shield Have Been Revealed, Should Your Company Get Ready to Embrace It or Avoid It?”

We’ll continue to monitor developments in this area and keep our readers posted.

Navigating the Regulatory Issues of 3D Printing

The increasing popularity of 3D printing is changing the future of health care far more dramatically than we would have ever imagined. Although we have blogged about 3D printing, and the Reed Smith white paper, “3D Printing of Medical Devices: When a Novel Technology Meets Traditional Legal Principles” addressed regulatory issues for medical devices and pharmaceuticals (among myriad topics), the regulatory issues warrant continuing attention.

Currently the FDA has approved one 3D printed drug and cleared no fewer than 85 medical devices through the 510(k) process that device manufacturers make using 3D printing (additive manufacturing) processes.

Under the existing FDA regulatory framework, a “manufacturer” is defined broadly to include “any person who designs, manufactures, fabricates, assembles, or processes a finished device.” Although Compassionate Use and Emergency Use pathways remain possibilities in rare circumstances when a hospital or surgeon concludes that on-site printing of a custom implantable medical device is necessary for a particular patient, how the FDA will address non-traditional device “manufacturers” remains an open question. It is hard to imagine hospital 3D printing labs moving beyond using 3D printing for surgical planning purposes to the printing of custom implantable devices until the FDA provides further regulatory guidance. Given that the FDA has been looking at these issues, including through a Public Workshop held in October 2014, there is hope that guidance will come soon.

Other open regulatory questions include:

  • Will the FDA regulate the 3D printer, or just the end product?
  • Will the FDA view shared design files as the unauthorized promotion of the device if the device’s benefits and risks are not disclosed?
  • To what extent might FDA exercise its enforcement discretion for 3D products?

These issues, as well as other concerns currently facing this industry, are covered in “3D Printing of Medical Devices: When a Novel Technology Meets Traditional Legal Principles.”

A Proposed End to “Amarin Pharm v. FDA” has FDA Agreeing to Abide by District Court’s Order

We have been closely following Amarin Pharm, Inc. v. FDA with respect to the preliminary injunction granted by the Southern District of New York that prohibited the FDA from taking action against Amarin over truthful, non-misleading “off-label” statements about its prescription drug Vascepa. We’ve also been following the similar Pacira Pharm., Inc. v. FDA case, which settled in December 2015. Yesterday, the parties in Amarin filed a letter advising the court that they too had reached a settlement, and its terms are notable in several respects.

As you may recall, Vascepa was approved by the FDA to treat adult patients with “very high” triglyceride levels, and Amarin sought to disclose truthful, non-misleading information to doctors that Vascepa could also be used to treat patients with “high” triglyceride levels. The District Court’s Opinion and Order is reported at Amarin Pharma, Inc. v. FDA, 119 F. Supp. 3d 196 (SDNY 2015).

Since the court’s August 2015 order, the parties have been discussing settlement, and the proceedings have been stayed while they did so.

The parties’ March 8, 2016 proposed order of settlement includes the following provisions:

  • Defendants agree to be bound by the Court’s conclusion that Amarin may engage in truthful and non-misleading speech promoting the off-label use of Vascepa and, under United States v. Caronia, 703 F.3d 149 (2d Cir. 2012), such speech may not form the basis of a prosecution for misbranding.
  • Defendants agree to be bound by the Court’s conclusion that the combination of statements and disclosures that Amarin proposes to make to doctors relating to the use of Vascepa in patients with persistently high triglycerides, as those statements were modified in the court’s August 7, 2015 Order, are truthful and non-misleading.
  • Amarin bears the responsibility, going forward, of assuring that its communications to doctors regarding off-label use of Vascepa remain truthful and non-misleading.
  • Amarin may submit to the FDA, through certain pre-clearance procedures, up to two proposed communications per calendar year about the off-label use of Vascepa before communicating them in promotion to doctors to determine if the FDA has concerns with Amarin’s proposed communications. If the FDA has any concerns, it will contact Amarin. The proposed order of settlement includes the timeline and procedure for resolving any dispute.
  • The parties also waive all rights to appeal the proposed settlement order.

The Amarin settlement is notable because the FDA has now agreed that a manufacturer can engage in truthful, non-misleading promotion about off-label uses that fall outside the scope of its guidance on scientific and medical publications and its guidance on responding to unsolicited requests. Whether it signals that the FDA agrees that, more generally, truthful, non-misleading promotion is permissible remains to be seen, however, because the Amarin settlement comes within the context of some rather case-specific facts. Moreover, even if the Amarin settlement does reflect FDA recognition that the First Amendment protects rather more speech than it has acknowledged to date, determining whether given speech is “truthful” and “not misleading” may pose its own challenges.

We will update this post when the court enters an order of settlement.

Obama Signs Judicial Redress Act (JRA) – Another Step on the Way to Securing EU-U.S. Data Flows

President Obama signed the U.S. Judicial Redress Act (JRA) into law on 24 February 2016, giving European citizens the same right as U.S. citizens to bring actions against the U.S. government if their personal data are misused.

While the JRA is not a formal prerequisite to finalizing the EU-U.S. Privacy Shield transatlantic data-sharing framework, it’s considered to be a key step in this direction – which means it’s highly relevant for businesses with transatlantic data-sharing needs, such as many pharmaceutical and medical device companies.

The JRA signing is the final step needed for the conclusion of the “Umbrella Agreement” on EU-U.S. law enforcement data-sharing, which will govern all personal data exchanged between the EU and the United States for the purpose of prevention, detection, investigation and prosecution of criminal offences, including terrorism. The agreement will also provide safeguards and guarantees of lawfulness for data transfers, strengthening fundamental rights and helping to restore trust.

The Umbrella Agreement itself does not provide a legal basis for data transfers to the United States. However, individuals’ rights of redress played an important role in the downfall of the Safe Harbor transatlantic data-sharing framework, the EU-U.S. Privacy Shield’s predecessor, last October in Maximillian Schrems v Data Protection Commissioner. Failure to ensure such rights could have set up the EU-U.S. Privacy Shield for a similar fate.

The JRA comes into force 90 days after its signing, and paves the way to the formal signing of the Umbrella Agreement. For more information, read our recent Client Alert, “Passage of the U.S. Redress Act Raises Confidence in Privacy Protection for Transatlantic Data Flows.”

We’ll continue to follow developments in this area and keep our readers updated.

After a Strong Enforcement Presence in 2015, OCR Starts 2016 with a $239,000 Civil Money Penalty Judgment

It has been a busy winter for the US Department of Health and Human Services, Office for Civil Rights (“OCR”). Since November 2015, the agency has announced three settlements and one civil money penalty judgment amounting to over $5 million in fines and settlements. Most recently, on February 3, 2016, a U.S. Department of Health and Human Services Administrative Law Judge (“ALJ”) granted summary judgment in favor of OCR, thereby confirming that a national home health medical equipment company had violated the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule. As a result, the company was required to pay $239,000 in civil money penalties (“CMPs”) for its violations. Over the years, OCR has rarely (only twice) sought such penalties, but when it has, the ALJ has upheld OCR’s decision.
FDA Gauges Coverage Organizations’ Interest in Connecting with Device Sponsors to Discuss Evidence Needs During Clearance Process

The FDA published a notice on February 24, 2016 asking whether organizations (e.g., insurers, health technology assessment organizations) that evaluate clinical evidence used to support private payer medical device coverage decisions are interested in providing input to medical device developers on clinical trial design or other evidence-gathering needed to support positive coverage decisions. If coverage organizations express interest, the FDA intends to provide a mechanism for such organizations to identify themselves so that medical device sponsors who would like to obtain coverage input can voluntarily contact them to participate in an FDA Pre-Submission meeting.

According to the FDA, early input from payers regarding their evidence needs “can streamline the process from FDA approval or clearance to payer coverage and improve public health by facilitating earlier access to innovative, safe, and effective medical devices.” For instance, sponsors that voluntarily meet with coverage organizations early in the development process may obtain information needed to:

  1. Initially design a clinical trial that can capture the data necessary both for FDA marketing clearance or approval and to support a positive payer coverage decision,
  2. Modify their pivotal study to satisfy both sets of requirements, or
  3. Develop other plans to collect the necessary data.

For more information, see https://www.gpo.gov/fdsys/pkg/FR-2016-02-24/pdf/2016-03909.pdf.