The Department of Health & Human Services (HHS) Office for Civil Rights (OCR) recently issued a proposed rule (Proposed Rule) that would significantly scale back the non-discrimination regulations applicable to health care entities under the authority of Section 1557 of the Affordable Care Act (ACA). This Proposed Rule, issued on May 24, 2019 and scheduled to be published in the Federal Register June 14, 2019, would limit to whom and how Section 1557’s non-discrimination provisions apply, how they will be enforced, and what activities will be required to demonstrate compliance. Entities covered by Section 1557 will need to know what the Proposed Rule would change, what would remain the same, and what OCR may emphasize in the future as it takes a new position on nondiscrimination enforcement. Here are five key takeaways.
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) released a new fact sheet outlining and clarifying violations of HIPAA (Health Insurance Portability and Accountability Act of 1996) for which a business associate can be held directly liable. Published shortly after the release of new guidance from OCR in the form of FAQs, the new fact sheet signifies another example of OCR’s recent efforts to clarify new and outstanding questions from the ever-evolving health care industry.
In the new fact sheet, OCR first recalls the procedural history by which the application of certain aspects of HIPAA extended to business associates – the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 and OCR’s 2013 Final Rule modifying the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules, which dramatically extended to business associates the need to comply directly with the HIPAA Security Rule and significant aspects of the HIPAA Privacy Rule. Since that time, business associates have made efforts to comply with these HIPAA requirements but with little insight as to whether OCR will come after them (as opposed to their covered entity counterparts) for HIPAA violations, and if so, the types of violations OCR will enforce against business associates.
Life sciences companies doing business in France will be interested in the recent results of Optical Center’s appeal of a penalty assessed by the Commission nationale de l’informatique et des libertés, the French data protection authority, surrounding a data breach. The data breach allowed access to invoices and purchases containing personal and sensitive customer data. Optical Center appealed the initial 250,000 euro penalty, and the French Highest administrative Court (Council of State) lowered the penalty fee to 200,000 euros. The possibility to file an appeal following a decision by the CNIL may be considered a strategic option for companies operating in France.
To read more on this recent update, please visit technologylawdispatch.com.
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) released a new set of HIPAA FAQs addressing the applicability of HIPAA to certain health apps and the covered entities and business associates that interact with them. These FAQs build upon prior guidance from OCR that outlined the framework for evaluating whether a health app developer must comply with HIPAA, but tackle a different question – when are covered entities or business associates liable under HIPAA for the subsequent misuse of electronic protected health information (ePHI) by a health app developer?
To answer questions about an app developer’s HIPAA obligations, OCR’s prior guidance focused on the direct-to-consumer nature of the app. OCR concluded that if the patient initiated use of the app, or brought the app to his or her health care provider (i.e., a covered entity), the app developer would not be considered a business associate of that covered entity. Notably, OCR also did not consider the existence of an interoperability agreement between the patient’s health care provider and the app developer to change this analysis. By contrast, in circumstances where a health care provider contracts with the app developer for purposes of patient management services, or for remote patient health counseling, monitoring, or messaging services, and the provider recommends its patients to download the app, then OCR considers the app developer a business associate of the covered entity.
OCR’s new FAQs extend upon this discussion of the business associate relationship between a covered entity and app developer, and highlight the vicarious liability faced by a covered entity if and when an impermissible use or disclosure of ePHI involves the app. The new FAQs reiterate that if the app was not provided by or on behalf of the covered entity, then the covered entity will not be liable for a breach of any information later experienced by the app. However, if the app was developed for, or provided for or on behalf of, the covered entity, then the covered entity could be held responsible for an impermissible use or disclosure of the ePHI in the app. In other words, if OCR determines that an app was developed to create, receive, maintain, or transmit ePHI on behalf of the covered entity for its patients, then the app developer is a business associate of the covered entity, and the covered entity may be liable for an impermissible use or disclosure of ePHI in connection with the app. Importantly, according to the FAQs, the same logic applies to business associates who engage app developers on behalf of covered entities.
Yet, OCR appears to miss a critical element in its analysis of liability to be imposed on a covered entity when a business associate runs afoul of its HIPAA obligations, or on the latter when a business associate subcontractor violates HIPAA. With the promulgation of the Health Information Technology for Economic and Clinical Health Act (HITECH) Final Rule, covered entities became liable for the actions of their business associates, but only so long as a federal common law relationship of agency exists between the two.1 As a result, HITECH made covered entities significantly more responsible for the actions of their business associates, but with careful consideration that not all business associates would be considered agents of covered entities. According to OCR, the agency relationship would be a fact-specific determination, taking into account the terms of the BAA as well as the totality of the circumstances of the relationship between the two entities.
Now, with its recently released FAQs, OCR has signaled its intention to pay closer attention to the fault attributable to a covered entity when a business associate breaches the integrity or security of a patient’s ePHI. The requirement for an agency relationship between the covered entity and business associate places some guardrails around the possibility of vicarious liability, but also makes the need to clearly define the relationship between the parties critically important. OCR’s new focus reflects the importance of covered entities identifying their business associates correctly and contracting with them appropriately.
From a practical perspective, this is not as easy as it may sound. Health care providers and other entities in the health care industry are becoming structurally more complicated as many such entities no longer act solely as HIPAA-covered entities or business associates. For example, health care providers may provide technology and related services as a business associate to other covered entities. Or, as another example, a covered entity could have a dual relationship with another covered entity: one relationship where they exchange ePHI to provide health care to mutual patients and another where they act as a business associate. Moreover, covered entities and business associates may be hybrid entities when they provide technology and related services as part of and separate from their HIPAA-regulated roles.
The technology arrangements may also be complicated and tangle the agency analysis assessing the potential risk of vicarious liability. Application developers may provide technology solutions with various levels of interaction with HIPAA-regulated entities, including off-the-shelf, configurable, or fully customized products and services. The technological details of the solution may be integral to the agency analysis for vicarious liability. For example, is an agency relationship created when an entity is providing a cloud-based platform that has a standard foundation for all customers but includes the ability for both the application developer and the covered entity to configure and customize some portions of it? Is a covered entity insulated from vicarious liability if it uses a technology solution that it can configure for its purposes, but exposed to vicarious liability if it requests customizations from an application developer that will have the exact same result? Should a covered entity use out-of-the-box technology solutions that may not ideally fit its business operations (possibly creating risk) rather than work with a third party to build a solution that better meets its operational objectives but increases the risk of vicarious liability?
We work with HIPAA-regulated entities to analyze how these relationships with technology providers can impact their HIPAA risk exposure. These FAQs seem to further muddy an already murky legal analysis by ignoring the critical agency element limiting the applicability of vicarious liability, and emphasize that HIPAA-regulated entities should pay close attention to whether they are creating an agency relationship with technology providers. Such entities may significantly increase their HIPAA-related risk if they treat technology-related agreements as business-as-usual deals. While the legal agency analysis can be complicated, they should thoroughly understand the parties’ roles, the technology involved, the actual tasks performed by the application developers, and other factors so they can accurately assess the potentially significant impact on their HIPAA risk exposure from using technology provided by third parties.
1 45 CFR 160.402(c)(1). Interestingly, in another FAQ that predates HITECH, but was reviewed by OCR subsequent to the HITECH Final Rule, OCR did not consider a covered entity to be liable for, or required to monitor, the actions of its business associates if the parties had signed a business associate agreement (BAA), and the covered entity took reasonable steps, to cure a breach in the event one occurred.
On Friday, April 26, 2019, the U.S. Department of Health and Human Services (“HHS”) filed a Notice of Enforcement Decision (the “Notice of Enforcement”), confirming the agency’s reconsideration of its prior interpretation of the Health Information Technology for Economic and Clinical Health Act’s (the “HITECH Act’s”) penalty structure. In doing so, HHS announced the abandonment of a previous annual penalty cap that did not vary based on an entity’s level of culpability.
Effective immediately, the maximum penalty that the HHS Office for Civil Rights (“OCR”) will impose for a particular violation of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) that occur within a single calendar year has been generally, and significantly reduced. Except for violations that are due to a regulated entity’s willful neglect and have not been timely corrected (which maintain the annual penalty limit of $1.5 million), OCR will impose a lesser annual limit to violations that occur (a) without a regulated entity’s knowledge – and with reasonable diligence it would not have known about the violation; (b) due to reasonable cause and not willful neglect; and (c) due to willful neglect that is timely corrected.
The Food and Drug Administration (FDA) will hold a public hearing on May 31, 2019, “to obtain scientific data and information about the safety, manufacturing, product quality, marketing, labeling, and sale of products containing cannabis or cannabis-derived compounds.”1 This offers those within the cannabis industry a unique opportunity to speak on their concerns and interests over regulation of cannabis plants and cannabis-derived products, including Cannabidiol (CBD).
Topics the FDA is considering and collecting data and information are as follows:
- Possible health and safety risks related to cannabis and cannabis-derived products;
- Manufacturing and product quality of cannabis and cannabis-derived products (not including those marked as drugs already in compliance with the Food, Drug & Cosmetic Act (FDCA); and
- The marketing, labeling and selling of cannabis and cannabis-derived products (other than those drug products previously approved by FDA for human and animal use).
To read more on the FDA’s public hearing, please visit reedsmith.com.
- Food & Drug Administration, HHS, April 3, 2019, Scientific Data and Information about Products Containing Cannabis or Cannabis-Derived Compounds; Public Hearing; Request for Comments, 84 FR 12969.
Just prior to departing the FDA (U.S. Food and Drug Administration) Commissioner Scott Gottlieb, M.D., and Deputy Commissioner Anna Abram issued a statement (the “Statement”) on the Agency’s 2019 goals to improve the quality of compounded drugs. While the change of leadership at the Agency may affect how these efforts will be managed and implemented, the Statement provides helpful insight into the timing of Agency action in the compounding space, including:
- Maintaining Quality and Compliance for Outsourcing Facilities and Traditional Compounding Pharmacies
- Regulating Compounding from Bulk Drug Substances
- Finalizing the Agency’s Memorandum of Understanding with the States
- Compounding by Hospital and Health Systems
- Additional Compounding Priorities
Please read our client alert for a deeper summary of the Statement written by our compounding pharmacy team.
The Supreme Court of the United States heard oral argument on March 27, 2019 concerning a case (Kisor v. Wilkie, No. 18-15) involving the Department of Veteran Affairs (VA). The case asks the Supreme Court to consider overruling the current doctrine which allows an agency to interpret its own regulation unless it is clearly incorrect. A merits brief has been filed by the Solicitor General of the United States (SG) in Kisor on behalf of the VA, in agreeance that the Supreme Court should clarify and narrow the deference standard applied to agency regulatory interpretations. A decision is expected prior to the Court’s recess in June. To read more on the case, please visit our Health Industry Washington Watch blog.
The Advanced Medical Technology Association (AdvaMed) – the national industry association of medical technology manufacturers – recently issued an updated Code of Ethics on Interactions with Health Care Professionals (HCPs) (the AdvaMed Code or Code). Last revised in 2009, AdvaMed’s updated Code will go into effect January 1, 2020. The Code speaks to the evolving regulatory risk landscape in relation to manufacturers’ interactions with the modern medical technology marketplace.
A select committee of AdvaMed members, with Reed Smith’s support, worked to revise the Code to include learning from the last decade, and to offer guidance on common, but not previously addressed, interactions and arrangements between medical technology companies and HCPs (which include virtually all manufacturer customers, and sales and marketing targets). The new Code includes the following sections:
- Joint Education and Marketing Programs
- Communications about Safe & Effective Use of Products
- Consigned Products
- Company Representatives providing Technical Support in the Clinical Setting
Reed Smith served as outside counsel to AdvaMed and was honored to help draft the original, current, and revised versions of the AdvaMed Code; our attorneys work with clients worldwide in optimizing their compliance programs to more effectively and efficiently manage organization risk in line with business and operational priorities. We are happy to provide additional information on the updated Code and the assistance it provides medical technology manufacturers.
To read our entire overview of the updated Code, please visit reedsmith.com.
In-house counsel at pharmaceutical, medical device, and health companies are invited to join their peers and leading Reed Smith life sciences lawyers for a roundtable discussion on how to identify and mitigate risk. The event will be held on 5 March in Reed Smith’s London office. A networking breakfast will be provided at 8:30 a.m., with the program itself starting at 9 a.m. and ending at 11:30 a.m.
Panels will cover “The Intersection of Digital Health and Data Protection: Devices, Data Collection and Analytics and Control,” “Patents: A Discussion of What Keeps the In-House Practitioner Awake at Night,” and “Global Investigations of Companies and their People: A Look at Current Issues through the Lens of a Case Study.”
We are pleased to welcome several in-house and industry speakers, including Helen Barraclough (Associate General Counsel, Smith & Nephew), Andrew Davies (Director, Market Access, Association of British HealthTech Industries), Alexander Povey (Consultant Patent Attorney, MSD), and Brooke Daley (Investigations and Compliance Counsel, Zimmer Biomet).