Postmarket Cybersecurity Recommendations for Medical Devices Issued by the FDA

We’ve blogged about medical device cybersecurity topics here and most recently here. The topic is in the news yet again with the FDA issuing a draft guidance outlining postmarket recommendations for medical device manufacturers to address cybersecurity risks. The draft guidance recommends that manufacturers should execute a structured, systematic, and comprehensive cybersecurity risk management program that includes several components, as well as voluntary participate in information sharing via an Information Sharing Analysis Organization (“ISAO”) – a collaborative and transparent group in which public and private-sector members share confidential cybersecurity information.

For more information on the draft guidance and the essential components medical device manufacturers need to know about, read the blog post authored by Reed Smith Associate Vicki Morris on Health Industry Washington Watch.

Please note that comments to the draft guidance are due April 21, 2016  and can be submitted here.

Another Day, Another Whistleblower Retaliation Suit

A False Claims Act (“FCA”) retaliation claim, 31 U.S.C. 3730(h), filed January 26, 2016 in federal district court in Oregon, provides a perfect example of the type of challenging cases confronting health care employers today.

Pediatrician Robert Dannenhoffer, MD, the former CEO of a joint venture between a hospital and physicians’ group, alleges that he was fired after he reported to the Centers for Medicare & Medicaid Services some $10 million in improper Medicare payments. He seeks reinstatement as CEO, two times his lost compensation with interest, punitive damages, and attorney’s fees and costs.

While it is not known if Dr. Dannenhoffer also has or had a qui tam suit pending under the FCA, his counsel has experience with such cases. That firm’s website has included an announcement of the pendency of the retaliation case.

Moreover, the complaint includes the mixed bag of allegations that characterize so many FCA cases today brought by qui tam relators against health care entities:  violations of the physician self-referral prohibitions of the Stark statute, violations of the felony provisions of the anti-kickback statute, and filing claims for goods and services ordered as a result of kickbacks. Further, as part of the recitation of facts, the suit contends there was a knowing retention of Medicare overpayments – another basis for a false claims action.

It goes without saying that health care employers today need both strong and effective compliance programs and sound employment policies and procedures to reduce the risk of having to defend cases like this one. For example, despite the fact that the hospital/physician venture terminated him, Dr. Dannenhoffer alleges that he “had never had a performance review and never had any verbal or written warnings from the board about his management of [the joint venture].” If those allegations are true, Dr. Dannenhoffer’s case is a perfect example of how the failure to have sound policies and procedures can open the door to costly litigation.

For more information about this topic, please click here to listen to a free recording of our recent webinar, “FCA Whistleblower Claims: What Life Sciences and Health Care Employers Need to Know.”

Medicaid Rebate Program Final Rule Issued….Finally!

As previously discussed here and over on Health Industry Washington Watch here, this past Thursday, CMS and OMB issued the final, 600+ page Medicaid Rebate Program Final Rule. The pre-Federal Register version of the final rule may be accessed here. While we are still processing what this will mean for drug manufacturers and other health care providers, Reed Smith’s Joe Metro and Jackie Godin are already preparing a full analysis of the final rule, which we will share with you in the future.

In the meantime, this Friday, January 29, at 11:00 am ET, Joe will be participating in a free CBI webinar titled, “Final Medicaid Rebate Rule Review with Huron” in conjunction with representatives of Huron Consulting. The webinar will provide an overview of some of the key provisions of the final rule and highlight potential operational implications, priorities, and timelines.  Registration and additional information about the program can be found here.

Current State of “Safe Harbor 2.0” And Steps Your Business May Need to Take

Last year, the European Court of Justice issued a judgment invalidating the safe harbor framework for US-EU data sharing, creating uncertainty and a number of questions about what is, and is not, permissible when sharing data involving personal information across borders. The Safe Harbor decision has clear implications for our pharmaceutical and medical device clients, and we’ve covered the issue often, starting with the European Court of Justice’s judgment in Maximillian Schrems v. Data Protection Commissioner (C-362-14), which we discussed here.

As key deadlines and decisions relating to the EU-U.S. Safe Harbor framework loom, there have been several recent developments that may be of interest to businesses operating in the European Union and United States.

Reed Smith’s Client Alert “If Safe Harbor is dead in the water, what does that mean for you?” written by Cynthia O’Donoghue, Daniel Kadar, Kate Brimsted, Dr. Thomas Fischl, Philip Thomas, Katalina Bateman, Doretta Frangaki, Caroline Gouraud, Chantelle A. Taylor, Tom C. Evans, Dr. Alexander Hardinghaus, LL.M., and Dr. Alin Seegel discusses the steps your company might need to be taking now, as well as the state of “Safe Harbor 2.0” negotiations.

Continue Reading

Breaking News – High Wattage Reasoning – Arizona Adopts Learned Intermediary

This post was first published on the Drug and Device Law Blog.

We’ve been following Watts v. Medicis Pharmaceutical Corp. ever since the Arizona Court of Appeals issued its bizarre ruling that the learned intermediary doctrine (“LID”), which has been adopted in almost every state, was somehow incompatible with the Uniform Contribution Among Tortfeasors Act (“UCATA”), which has been adopted in over half of the states – although no other jurisdiction following both ever thought so.  Fortunately, the Arizona Supreme Court granted review, which we hoped would lead to the 37th state high court adoption of the LID.

We weren’t disappointed.

Today, the Arizona Supreme Court brought Arizona into the ranks of the vast majority of states that follow the learned intermediary doctrine:

Although the court of appeals has embraced the LID, this Court has not yet addressed the doctrine. In our view, the Third Restatement properly states the LID, and therefore we adopt § 6(d) as our expression of it.  Adopting the doctrine places us with the majority of jurisdictions that have considered the matter.

Contrary to [plaintiff’s] assertion, the LID does not create a blanket immunity for pharmaceutical manufacturers. . . .  [I]f the manufacturer fails to provide adequate warnings to the learned intermediary . . ., a patient could sue and directly recover from a drug manufacturer based on its failure to properly warn the prescribing physician.

[Plaintiff] also asserts, and the court of appeals agreed, that the underlying rationale for the LID is no longer viable.  But we find persuasive the reasoning of the Texas Supreme Court in rejecting this argument.

Prescription drugs are likely to be complex medicines, esoteric in formula and varied in effect.  As a medical expert, the prescribing physician can take into account the propensities of the drug, as well as the susceptibilities of his patient.  His is the task of weighing the benefits of any medication against its potential dangers.  The choice he makes is an informed one, an individualized medical judgment bottomed on a knowledge of both patient and palliative.  Pharmaceutical companies then, who must warn ultimate purchasers of dangers inherent in patent drugs sold over the counter, in selling prescription drugs are required to warn only the prescribing physician, who acts as a “learned intermediary” between manufacturer and consumer. . . .  Because patients can obtain prescription drugs only through their prescribing physician or another authorized intermediary and because the “learned intermediary” is best suited to weigh the patient’s individual needs in conjunction with the risks and benefits of the prescription drug, we are in agreement with the overwhelming majority of other courts that have considered the learned intermediary doctrine and hold that, within the physician-patient relationship, the learned intermediary doctrine applies and generally limits the drug manufacturer’s duty to warn to the prescribing physician.

Centocor [v. Hamilton], 372 S.W.3d [140,] 159 [(Tex. 2012)](citations omitted); see also Larkin [v. Pfizer, Inc.], 153 S.W.3d [758,] 763–64 [(Ky. 2004)].

Watts v. Medicis Pharmaceutical Corp., No. CV-15-0065-PR, slip op. at 6-8 (Ariz. Jan. 21, 2016) (lots of other citations omitted).

Predictably, the plaintiff in Watts first urged West Virginia’s rejection of the LID in State ex rel. Johnson & Johnson Corp. v. Karl, 647 S.E.2d 899 (W. Va. 2007), with her fallback position being the DTC advertising exception allowed in Perez v. Wyeth Laboratories Inc., 734 A.2d 1245, 1247, 1256 (N.J. 1999).  The Arizona high court rejected both.  Karl was “not . . . persuasive.”  Watts, slip op. at 8.  “No other court has followed Karl, and several courts have criticized it.  Even the West Virginia Supreme Court itself later relegated Karl to a ‘but see’ citation.”  Id. (citations omitted).  The Perez exception was “adopted only in New Jersey,” and was unnecessary, given the Third Restatement’s exception for situations where “health-care providers will not be in a position to reduce the risks of harm.”  Id. at 8-9.

As for UCATA, the Arizona Supreme Court found no incompatibility:

Neither UCATA nor our case law undermines the LID. . . .  UCATA’s scheme is premised on notions of fault, which necessarily presuppose a breach of duty.  Under the LID, however, a manufacturer satisfies its duty to warn the end user by adequately warning the learned intermediary, which duty, if satisfied, means that no actionable breach of a legal duty to the end user occurs.  Because the LID and UCATA address two distinct subjects, they are not mutually exclusive.  The LID identifies circumstances when a manufacturer has met its duty to warn and thus is not at fault.  UCATA does not identify the scope of duties or when parties are at fault; instead, given a determination that multiple parties are at fault, it specifies how liability is apportioned among them.

Watts, slip op. at 10 (citations omitted).  “A manufacturer that properly warns the learned intermediary fulfills its duty, a result that comports with UCATA because the drug manufacturer in that circumstance has not breached its duty and therefore is not at fault.”  Id. (citation omitted).

Finally, plaintiff claimed that the LID violated a provision of the Arizona constitution that tort compensation cannot be “abrogated” and “shall not be subject to any statutory limitation.”  Id. at 11 (quoting Ariz. Const. art. 18, §6).  That was pretty weak, since the LID is not statutory.  “Article 18, §6 does not preclude this Court from declaring, clarifying, or modifying the common law, and therefore the LID does not offend that clause.”  Watts, slip op. at 11.  Nor did the LID “abrogate” anything.  The LID allows suits “when the full medical information and warnings are not given to the medical provider” and “does not prevent the plaintiff from suing the prescribing medical provider.”  Id.

We’re pleased that the latest threat to the LID has gone by the boards.  That makes 37 state (and DC) high courts adopting the rule versus only Karl on the other side.  Bexis, is particularly pleased, since he filed an amicus curiae brief in Watts.  Bexis is now seven for seven in state supreme court cases involving either adoption or retention of the LID – with the aforementioned Centocor and Larkin decisions that Watts found so persuasive being two of those seven.

Russia to Increase Data Audits in 2016 With Data Localization Law & More News on The EU’s Safe Harbor Ruling

Russia announced its plan to increase data localization audits in 2016 pledging to conduct around 1,000 data localization compliance audits and 2,000 monitoring procedures, under Russia’s data protection authority, the Roskomnadzor. This stems from Russia’s data localization law which came into effect September 1, 2015, requiring that all companies that collect or process personal data of Russian citizens, process and store that information on servers in Russia. Companies also have an obligation to notify the Roskomnadzor of the location of these servers. Although the law has been in place for some time now, uncertainty remains as to the full extent of enforcement action that may be taken against non-compliant companies.

To read more about Russia’s data localization law and what this means for Russian companies, read Reed Smith attorney Cynthia O’Donoghue and Chantelle Taylor’s blog post on Technology Law Dispatch here.

Also on the Technology Law Dispatch is information on an upcoming webinar on January 12 from 1:00 p.m. – 2:00 p.m. ET by the Association of National Advertisers titled, “LEGAL & REGULATORY SERIES: The European Union’s Safe Harbor Ruling: A Practical Discussion of the Impact and Solutions” where Reed Smith attorneys Paul Bond and Cynthia O’Donoghue will discuss practical solutions to companies to mitigate risks while transferring data across global borders due to the EU Safe Harbor ruling. The ruling is no stranger to the blog, as we’ve posted about it here, and authored two Reed Smith Client Alerts here and here. Fallout remains from the Court of Justice of the European Union (CJEU) ruling in Maximillian Schrems v Data Protection Commissioner (Case C-362/14) that the Safe Harbor Decision no longer provides adequate protection for data transferred between the EU and the U.S.

To read more about the EU Safe Harbor ruling and the upcoming webinar, read Reed Smith attorneys Douglas J. Wood, Paul Bond and  Cynthia O’Donoghue blog post here.

UPDATE: Pacira Pharmaceutical Inc. v. FDA Lawsuit Settled

The Pacira Pharmaceutical Inc. v. FDA lawsuit has been a frequent topic of discussion on the blog, and now, in breaking news, the case has been settled.  Pacira will be receiving essentially everything it wanted in a “favorable resolution,” and the FDA is formally withdrawing its warning letter that attempted a retroactive reduction in the scope of the indications of Exparel’s (the drug at issue) approval. Under the agreement, Exparel’s label will be updated to say the drug is indicated for the treatment of pain at any surgical site.

To read more about the settlement and what it means with respect to truthful off-label promotion, read Jim Beck’s post here, which was posted to the popular Drug and Device Law blog.

In addition to Jim’s post, he was also quoted on the settlement in the December 15 Financial Times article titled, “FDA in pain drug restriction U-turn.” (Subscription required).

U.S. Supreme Court Will Review the Validity of “Implied Certification” Liability Under the FCA

On December 4, the U.S. Supreme Court granted certiorari in Universal Health Services, Inc. v. U.S. ex rel. Escobar, No. 15-7, raising the question of whether “implied certification” liability is permissible under the False Claims Act and, if so, under what circumstances. Under the implied certification theory, defendants are presumed to have certified that they are in compliance with the law or a contractual obligation, even when they have not explicitly made that certification, thus bringing them within the FCA’s ambit. Given the breadth of circumstances in which the implied certification has been, and can be, applied, the Court’s ruling in Universal Health Services could bring far-reaching changes to the scope of FCA liability.

The Court accepted two questions for review—(1) whether the theory is valid at all and, if it is, (2) whether it applies only where the defendant fails to comply with a statute, regulation, or contractual provision that expressly provides that compliance is a condition of receiving payment from the government.

To learn more about “implied certification” liability under the FCA, read the Client Alert written by Reed Smith attorneys James C. Martin, Colin E. Wrabley and Patrick Yingling.

Stay tuned for more updates as we continue to monitor this important case.

FDA to Hold Upcoming Medical Device Cybersecurity Workshop

The FDA announced that it will be holding a public two-day workshop at its White Oak Campus in Silver Spring, Md., on January 20-21, 2016, from 9:00 a.m. to 5:30 p.m. titled, “Moving Forward: Collaborative Approaches to Medical Device Cybersecurity.” The FDA, in collaboration with the National Health Information Sharing Analysis Center (NH-ISAC), the Department of Health and Human Services, and the Department of Homeland Security, seeks to bring together diverse stakeholders to discuss complex challenges in medical device cybersecurity that impact the medical device ecosystem.

The purpose of the public workshop is to highlight past collaborative efforts; increase awareness of existing maturity models (i.e., frameworks leveraged for benchmarking an organization’s processes) that are used to evaluate cybersecurity status, standards, and tools in development; and to engage the multi-stakeholder community in focused discussions on unresolved gaps and challenges that have hampered progress in advancing medical device cybersecurity.

For more information on the location, agenda and how to register, please click here. Please note that the meeting will be available to view via webcast on their site after January 13, 2016.

Life Sciences Health Industry Group Winter 2015/2016 Course Offerings

The Reed Smith Life Sciences Health Industry Group (LSHI) recently released their “Winter 2015/2016 Webinar Course Offerings,” which once again features timely webinars and in-person programs on a wide variety of topics. Upcoming events include:

  • January 19, 2016 – Webinar: The Good, the Bad and the Ugly: The Best and Worst Prescription Drug/Medical Device
  • January 24, 2016 – Webinar: Whistleblower Retaliation Claims: What Employers Need to Know During an Investigation
  • February 18, 2016 – Live Event: 25th Anniversary of the Medicaid Drug Rebate Program (Location: KPMG Offices, Short Hills, NJ)

For further information on upcoming programs or to register, please contact To view a list of the current and past webinar offerings, please click here.