Join us for a webinar on the changing regulatory landscape of promotion: Drug/biologic advertising in the Trump era and beyond

As a part of our FDA Series, Reed Smith will be hosting an upcoming webinar, “The changing regulatory landscape of promotion: Drug/biologic advertising in the Trump era and beyond” on Thursday, September 19, 2019 at 2:00 PM ET.

This program will discuss promotional enforcement activity under the Trump Administration and how recent technological, demographic, and other developments are altering the landscape of drug and biologic promotion in the United States. In addition, we will take a closer look the new channels of advertising available to drug and biologic companies and their accompanying regulatory challenges.

Please click here to register for the webinar.

Malaysia seeks to hold listed companies accountable for implementing anti-corruption framework

It is imperative that life sciences companies operating globally stay on top of anti-corruption developments around the world, which is why we wanted to ensure our clients were aware of recent developments in Malaysia. In late July 2019, the Securities Commission Malaysia announced that it would implement an anti-corruption action plan (the Action Plan) seeking to improve the standards of corporate governance within the country.

The Action Plan supplements anti-corruption legislative changes recently introduced by the Malaysian government – the corporate liability provisions under a new Section 17A of Malaysia’s primary anti-corruption law, the Malaysian Anti-Corruption Commission Act (the MACCA). These provisions apply to Malaysian companies and foreign companies conducting business in Malaysia.

A key element of the Action Plan requires companies that are listed in Malaysia to implement an “effective anti-corruption framework” that corresponds with the Malaysian government’s Guidelines on Adequate Procedures provided in December 2018 (the Guidelines). This follows the Securities Commission’s May 31, 2019 evaluation of Malaysia-listed companies. The evaluation found that only 59 percent of these companies have an anti-corruption policy, with a majority of these policies having gaps with regard to the Guidelines.

To read more about Malaysia’s anti-corruption Action Plan and its implications, visit Reed Smith’s website.

Biometric privacy legislation trends rise nationwide

Several states are following the path of Illinois’ Biometric Information Privacy Act (BIPA), a law that has led to a rise in the volume of class action privacy litigation and underlined the significance of enterprise-level management of biometric data (e.g., fingerprint, voiceprint, and retina, facial, or iris image). Organizations that gather and utilize biometric data for employee tracking or consumer-facing uses (including the gathering and utilization of characteristics like heart rate or step counts) should be conscious of growing trends in biometric privacy laws (and corresponding risk of possible follow-on class actions) and should be proactive by assessing their compliance with existing and soon-to-be-effective laws and anticipating new laws in other states.

To read more on this topic, visit Technology Law Dispatch.

Join Us: Free CLE Webinar on Best Practices for Managing Privacy Risks in Vendor Engagements

Reed Smith will be hosting an upcoming CLE webinar, “Best Practices for managing privacy risks in vendor engagements – diligence, contracting, and oversight under the California law” on Wednesday, September 11, 2019 at 2:00 PM ET.

This program will offer a review on how organizations can approach third-party information sharing under the CCPA. Furthermore, as this webinar is just days before California’s 2019 legislative session ends, we will discuss the current status of various CCPA amendments that are still on the table.

This program is presumptively approved for 1.0 general CLE credit in California, Illinois, New Jersey, Pennsylvania, Texas and West Virginia. For lawyers licensed in New York, this course is eligible for 1.0 credit under New York’s Approved Jurisdiction Policy. Please allow four weeks after the program to receive a certificate of attendance.

Please click here to register for the webinar.

About That Brand Memo . . .

Issued in January 2018, the so-called Brand Memo reminded Department of Justice (DOJ) attorneys that “[g]uidance documents cannot create binding requirements that do not already exist by statute or regulation.” It also instructed DOJ attorneys that they “may not use noncompliance with guidance documents as a basis for proving violations of applicable law in affirmative civil enforcement cases” such as those brought under the False Claims Act (FCA). “That a party fails to comply with agency guidance expanding upon statutory or regulatory requirements,” the Brand Memo explained, “does not mean that the party violated those underlying legal requirements; agency guidance documents cannot create any additional legal obligations.”

The Brand Memo was welcomed by the defense bar and signaled an appropriate return to first principles of federal administrative law—principles that may easily get lost in the zeal to recover money for the Federal Treasury (and potentially for oneself in the case of a qui tam relator).

The party didn’t last long, although relatively few people yet realize it.

In late December 2018, DOJ made little-noticed changes to a DOJ manual and, in so doing, effectively reversed course in a wide swath of FCA cases involving Medicare and/or Medicaid. The Justice Manual (formerly known as the United States Attorneys’ Manual) serves as a collection of DOJ policies and procedures. In the midst of the holiday season and without fanfare, DOJ added a new section 1-20.202 to the Justice Manual. Section 1-20.202, which applies equally to federal criminal cases, states in relevant part:

[DOJ] may use a guidance document as probative evidence that a party has satisfied, or failed to satisfy, professional or industry standards or practices relating to applicable statutory or regulatory requirements. . . . This rationale applies more broadly in the healthcare arena, where guidance documents, like other statements of professional standards such as CMS’s Medicare Benefit Policy Manual or Local Coverage Determinations, are relevant evidence of violations of the principal requirement that procedures billed to Medicare or Medicaid be medically “reasonable and necessary.”  E.g., 42 U.S.C. § 1395y(a)(1)(A); 42 U.S.C. § 1396 et seq.; 42 C.F.R. § 410.50. Such usage does not give these documents the force of law, but rather aids in demonstrating that the standards in the relevant statutory and regulatory requirements have been or have not been satisfied.

Lest there be any lingering doubt regarding the Brand Memo’s continued viability, the December 2018 amendments to the Justice Manual concluded by stating: “This section fully implements, clarifies, and supersedes prior [DOJ] memoranda on this topic.”

In other words, bye-bye Brand Memo.

It remains to be seen whether this course reversal will hold up in court. It shouldn’t. FCA cases based on questions of medical necessity are a growing and highly controversial segment of FCA cases generally. While such cases typically involve significant amounts of money, that fact alone does not justify disregarding the fundamental principle of federal administrative law that guidance documents such as agency manuals are non-binding and do not have the force of law. And following the recent decision by the Supreme Court of the United States in Azar v. Allina Health Services, No. 17-1484 (June 3, 2019)—which reinforced the importance of the Medicare Act’s unique notice-and-comment rulemaking requirements and their applicability to any “rule, requirement, or other statement of policy . . . that establishes or changes a substantive legal standard governing the scope of [Medicare] benefits, the payment for services, or the eligibility of individuals, entities, or organizations to furnish or receive services or benefits”—DOJ may soon have to revisit its December 2018 amendments to the Justice Manual.

Join Us: Free CLE Webinar on Value-Based Reimbursement Programs

Reed Smith will be hosting an upcoming CLE webinar, “Physician Compensation Issues in the World of Evolving Value-Based Payment Programs” on Wednesday, August 28, 2019 at 12:00 PM ET.

This program will provide an overview of the most prevalent value-based reimbursement programs in the market today. This overview will be followed by a discussion of what it takes for providers to transition to and thrive in a value-based reimbursement environment, including a discussion of the operational and regulatory considerations for doing so.

This program is presumptively approved for 1.0 general CLE credit in California, Illinois, New Jersey, Pennsylvania, Texas and West Virginia. For lawyers licensed in New York, this course is eligible for 1.0 credit under New York’s Approved Jurisdiction Policy. Please allow four weeks after the program to receive a certificate of attendance.

Please click here to register for the webinar.

Join Us: Free CLE Webinar on Privacy Practices in Compliance with the CCPA

Reed Smith presents the latest installment in our Countdown to CCPA Compliance webinar series, “Privacy by Accident”, now available to watch on demand.

Whether by accident or by design, many organizations have implemented privacy practices or programs that will help toward compliance with the CCPA. This webinar will discuss these practices and how they can be leveraged as the countdown to the CCPA continues.

Specifically, we will discuss:

  • How compliance for the GDPR will translate to the CCPA and what additional measures may be needed to fill compliance gaps
  • How having a strong general privacy program in place could mean that not much more needs to be done
  • Where a strong data security program and vendor management program meets the standards of the CCPA

This webinar is part of our Countdown to CCPA Compliance webinar series that will go beyond simply explaining the CCPA and its requirements. Each webinar will dive deep into different key provisions, exemptions and exceptions, and operational challenges. The series will provide case studies, tools, techniques, and practical tips for compliance with the CCPA.

This program is presumptively approved for 1.0 general CLE credit in California, Illinois, New Jersey, Pennsylvania, Texas and West Virginia. For lawyers licensed in New York, this course is eligible for 1.0 credit under New York’s Approved Jurisdiction Policy. Please allow four weeks after the program to receive a certificate of attendance.

You can register to view the webinar on demand here.

Cannabis Regulation: Trending Towards Change in the UK?

Following a recent fact-finding trip to Canada undertaken by three British MPs interested in understanding the effects of a more relaxed regulatory environment for cannabis, the MPs predicted the UK would legalize cannabis for adult use in the next decade.

As the potential offered by the cannabis industry continues to intrigue more and more life sciences companies, this statement is of course interesting to consider. But with products containing extracts from cannabis plants already swarming UK store shelves, companies are also interested in understanding the current rules regarding the regulation of cannabis products and medicinal cannabis in the UK.

We provide such a primer, and also discuss current areas of legal uncertainty, in our recent client alert, “Cannabis in the UK – a regulatory environment in transition?” which is available on reedsmith.com.

Newly introduced bill could provide for additional protections for biological data collected by non-covered entities

Over the past few years, genetic testing services have become a widespread phenomenon. Companies providing these services gather certain biological data from consumers who sign up for their services and then analyze this data to ascertain information about the consumer’s ancestry and/or genetic traits, among other things. These companies, however, are typically considered “non-covered entities” (NCEs), meaning the Health Insurance Portability and Accountability Act (HIPAA) generally does not apply to nor protect the collected biological data. This presents a whole host of issues, particularly with respect to the question of how we ensure the data remains protected. Biological data of this nature is susceptible to breaches in light of the format in which it is stored, and some genetic testing companies are disclosing this data to pharmaceutical companies to facilitate research and the development of new drugs.

In July of 2016, the Department of Health and Human Services (DHHS) issued a report entitled “Examining Oversight of the Privacy & Security of Health Data Collected by Entities Not Regulated by HIPAA” in which it highlighted this gap in the current legal landscape—the gap where HIPAA ends and modern technology begins. The report focused on two categories of NCEs: “mHealth technologies” and “health social media”:

“The former includes entities that collect or deal in personal health records (PHRs) and cloud-based or mobile software tools that intend to collect health information directly from individuals and enable sharing of such information, such as wearable fitness trackers. The latter includes internet-based social media sites on which individuals create or take advantage of specific opportunities to share their health conditions and experiences.”

Relevant here, the report specifically examined the differences in the security and disclosure standards applicable to covered and non-covered entities, such as the “mHealth technologies” and “health social media” organizations.

Now we fast-forward to June of 2019. Just last month, Senator Amy Klobuchar introduced the Protecting Personal Health Data Act (S. 1842, 116th Congress). The Act specifically applies to “consumer devices, services, applications, and software,” which include “direct-to-consumer genetic testing services.” The Act calls for the Secretary of HHS to “promulgate regulations to help strengthen privacy and security protections for consumers’ personal health data that is collected, processed, analyzed, or used by consumer devices, services, applications, and software.” It also explicitly requires that, in promulgating these regulations, the Secretary keep a number of enumerated considerations in mind, as well as those points outlined in the initial 2016 DHHS report, which is referenced in the Act. If passed, the Act would also provide for the creation of a 15-member task force to monitor and contribute to the development of such regulations and standards.

While it is still very early on in the legislative process, the Act’s introduction will (hopefully) further a very important conversation among legislators regarding the current state of the protections afforded to biological data, and the protections that still need to be implemented to keep up with the modern age. The Act was referred to the Committee on Health, Education, Labor, and Pensions. You can track the Act’s progress here.

HIPAA-Regulated Entities Take Notice – States are Teaming Up on Enforcement

In an unprecedented settlement arising from a federal lawsuit in the U.S. District Court for the Northern District of Indiana, a medical software provider agreed to pay $900,000 to 16 state attorneys general (AGs) for alleged violations of a conglomerate of state and federal privacy laws. The settlement represents the resolution of the first-ever multistate data breach suit based on alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as well as state deceptive trade practices acts, state personal information protection acts, and state breach notifications acts. The matter arose out of a 2015 data breach, in which an Indiana-based electronic health record software provider and its subsidiary (the “EHR Provider”) discovered that hackers used a compromised user ID and password to access the electronic protected health information (“ePHI”) of approximately 3.5 million individuals whose health care providers used the EHR Provider’s software. The information exposed by the breach included names, dates of birth, Social Security numbers, and clinical information.

Continue Reading

LexBlog