HHS Launches HIPAA Platform for Medical Application Developers

On Monday, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released an online platform designed for use by developers of mobile medical applications (apps). The site allows users to submit questions regarding compliance with the Health Insurance Portability and Accountability Act (HIPAA) and to access basic HIPAA resources. HIPAA compliance by mobile medical apps has been an area of significant confusion. The intent of the site is to provide these developers, often small start-ups, with a low-cost and easy way to become familiar with HIPAA.

Filed under Health Care, Health Information Privacy, Health IT, HIPAA, HIPAA Omnibus Rule, HITECH Act, Medical Devices, Mobile Health, Privacy and Security, Technology

HHS To Launch New HIPAA Audits in Early 2016 in Response to OIG Reports

The Office of Inspector General (OIG) of the U.S. Department of Health and Human Services (HHS) issued two reports yesterday calling for the HHS Office for Civil Rights (OCR) to strengthen its Health Insurance Portability and Accountability Act (HIPAA) enforcement efforts. In response to these reports, HHS announced that it will launch HIPAA audits early next year in order to be more proactive in HIPAA enforcement.

Filed under Health Care, Health Information Privacy, Health IT, HIPAA, HITECH Act, OIG Guidance, Privacy and Security

Joining the Debate, Hillary Clinton Releases Plan to Curb Drug Prices

In the wake of the uproar about drug pricing, Hillary Clinton unveiled on Tuesday a plan to address the rising cost of prescription drugs. The plan will focus on ending “excessive” profits, lowering out-of-pocket costs, encouraging greater competition from generics and biologics, and leveraging Medicare to negotiate drug prices.

To curb profits, the plan will end write-offs for direct-to-consumer advertising and shift that money to making the R&D tax credit permanent. In addition, the plan would require the Food and Drug Administration (FDA) to create a “mandatory…pre-clearance procedure for these ads funded through user-fees paid for by pharmaceutical manufacturers[.]” This section of the plan also includes one of the more controversial elements – mandatory R&D spending. The plan would “require pharmaceutical companies that benefit from federal support to invest a sufficient amount of their revenue in R&D, and if they do not meet targets, boost their investment or pay rebates to support basic research.” This requirement would be coupled with a convening of “business leaders, experts on drug pricing, and consumer advocates to set new parameters for federal support in order to ensure” drug companies are investing sufficient revenue in research.

The plan proposes to lower out-of-pocket costs by requiring “health insurance plans to place a monthly limit of $250 on covered out-of-pocket prescription drug costs for individuals to provide financial relief for patients with chronic or serious health conditions[.]”

On the matter of competition, the plan proposes to “clear out the FDA generic backlog” and reduce the exclusivity period for biologics from 12 years to seven. The plan would also eliminate “pay for delay” arrangements. Another element in the competition component is to allow for importation. Specifically, the plan would allow American patients to “import drugs for personal use from foreign nations whose safety standards are as strong as those in the United States.” The FDA and “other regulatory agencies” would be charged with creating safety standards.

The last element of the plan would focus on using Medicare to lower drug prices. The plan would require drug companies to provide Medicare rebates that are equal to those provided under Medicaid. The plan would also allow Medicare to bargain for drug and biologic prices.

The plan comes on the heels of articles on Turing Pharmaceuticals’ significant price increase for its drug Daraprim, congressional inquiries, and national polls that suggest drug prices are the number one healthcare concern for many Americans. Not surprisingly, the pharmaceutical and insurer industries pushed back on the Clinton plan.

The fate of this plan is uncertain but it builds on the growing number of political and policy constituencies calling for action on drug pricing. We will be monitoring this discussion and its outcomes closely.

Filed under FDA, Government Pricing

Excellus is Latest in Line of BCBS Insurers Experiencing Cyberattack

Excellus, a BlueCross BlueShield (BCBS) provider servicing upstate New York, announced last week that it was the latest in a string of BCBS providers that experienced a data breach as a result of a cyberattack. CareFirst BlueCross Blue Shield, Anthem, and Premera Blue Cross all recently announced they were the victims of sophisticated cyberattacks impacting millions of consumers.

Excellus stated that it discovered this breach on August 5th as a result of the company’s ongoing security efforts in the wake of recent health industry cyberattacks. The company hired cybersecurity firm Mandiant to conduct a forensics analysis of the information technology (IT) system. Mandiant found evidence that cyberattackers had executed a sophisticated attack to gain unauthorized access to Excellus’ IT systems and had been in the IT systems since December 23, 2013.

The information potentially accessed includes date of birth, Social Security number, mailing address, telephone number, member identification number, financial account information and claims information for its members. This incident also affected members of other BCBS plans who sought treatment in the 31-county upstate New York service area of Excellus BCBS. Additionally, individuals who do business with Excellus were also affected.

This incident again highlights the ongoing efforts that companies, particularly those in the health industry, must take to protect against and respond to cyberattacks. Hackers are using more sophisticated techniques against those in the health care industry and may be able to conduct attacks for long periods of time without detection if appropriate actions are not taken.

Filed under Health Care, Health Information Privacy, Health IT, HIPAA, HITECH Act, Privacy and Security

Trend watch: First Amendment challenges to FDA promotional requirements continue

In the wake of Amarin Pharma’s victory in securing a preliminary injunction against the Food and Drug Administration’s (FDA) prohibition of off-label communication of Vascepa, Pacira Pharmaceuticals has filed a First Amendment challenge to the FDA’s attempt to restrict communications about its postsurgical pain drug, Exparel. Pacira’s lawsuit, filed in the U.S. District Court for the Southern District of New York, argues that the FDA’s restriction on promotion of Exparel for a range of surgeries violates its First Amendment rights by abridging its “truthful and non-misleading speech.” The genesis of the dispute is a September 2014 warning letter from the FDA that told Pacira to stop promoting Exparel for use in any surgeries other than the two for which it was approved, bunionectomies or hemorrhoidectomies.

What makes the Pacira lawsuit interesting is that it is not solely focused on off-label restrictions, which were the core of the Amarin case. It also alleges violations of free speech for prohibiting the sharing of truthful and non-misleading information with “sophisticated audiences” about use of Exparel in other surgical sites, its ability to control pain for up to 72 hours and its comparative effectiveness to other products. Some commentators, such as the Coalition for Healthcare Communication, claim that “the Pacira complaint may be even more compelling [than Amarin] because it challenges under the First Amendment many traditional theories that the FDA’s Office of Prescription Drug Promotion [OPDP] has used to regulate marketing.” These two cases could signal a trend toward companies becoming more willing to aggressively challenge the FDA when it comes to promotional issues. We continue to watch how the FDA responds and whether Congress will take up the issue as it debates comprehensive biomedical reform in the 21st Century Cures and Innovation for Healthier Americans legislative initiatives.

In addition to the First Amendment claim, the Pacira lawsuit alleges that the FDA violated the Administrative Procedure Act, the Fifth Amendment, as well as its own guidance materials and prior precedent. The full library of Pacira’s materials is available here: http://phx.corporate-ir.net/phoenix.zhtml?c=220759&p=irol-lawsuit

Filed under FDA, Litigation

BEWARE: DOJ Announces New Policy to Increase Prosecutions of Individuals Involved in Corporate Fraud

Earlier this week, Deputy Attorney General (AG) Sally Quillian Yates issued a memorandum to Department of Justice (DOJ) attorneys discussing the need to hold individuals accountable for corporate wrongdoing in both civil and criminal enforcement actions. Deputy AG Yates further discussed the memo in a speech yesterday at the New York University School of Law, emphasizing that “it is our obligation at the Justice Department to ensure that we are holding lawbreakers accountable regardless of whether they commit their crimes on the street corner or in the boardroom.”

The memo outlines 6 key steps for pursuing individual enforcement actions:

  1. To be eligible for any cooperation credit, corporations must provide to the DOJ all relevant facts about the individuals involved in corporate misconduct. The memo makes it clear that companies seeking credit for cooperation will not be eligible until they satisfy the “threshold requirement” of “identify[ing] all individuals involved in or responsible for the misconduct at issue, regardless of their position, status or seniority”, and provide all facts related to that misconduct.
  2. Both criminal and civil corporate investigations should focus on individuals from the inception of the investigation. In doing so, the DOJ “maximize[s] the chances that the final resolution of an investigation uncovering the misconduct will include civil or criminal charges against” both the corporation and culpable individuals.
  3. Criminal and civil attorneys handling corporate investigations should be in routine communication with one another. The memo highlights the importance of regular communication between criminal and civil DOJ attorneys to ensure that parallel civil and criminal proceedings are pursued, when appropriate, against both corporations and individuals.
  4. Absent extraordinary circumstances, no corporate resolution will provide protection from criminal or civil liability for any individuals. Any such release of individual liability must be personally approved in writing by the relevant Assistant Attorney General or United States Attorney.
  5. Corporate cases should not be resolved without a clear plan to resolve related individual cases before the statute of limitations expires and declinations as to individuals in such cases must be memorialized. Any such declination must be approved by the United States Attorney or Assistant Attorney General whose office handled the investigation, or their designees.
  6. Civil attorneys should consistently focus on individuals as well as the company and evaluate whether to bring suit against an individual based on considerations beyond that individual’s ability to pay. Acknowledging the dual interest in returning funds to the public fisc and deterring future misconduct, the memo emphasizes that individual suits should be considered regardless of the individual’s ability to pay any settlement amounts because such actions “will result in significant long-term deterrence” and “minimize losses to the public fisc through fraud” over time.

The memo states that these process changes apply to all future civil and criminal investigations, as well as any current investigations to the extent practicable.

Public statements regarding the need for increased individual enforcement are not new. By way of example, see statements by DOJ officials here, here, and here. However, health care and life sciences companies need to recognize that the Yates memo represents a key shift in the DOJ by putting into place a specific framework for ensuring that DOJ civil and criminal investigators actively pursue individual enforcement actions in parallel with investigations of corporate misconduct.

Filed under Government Enforcement

Cancer Care Group Reaches Agreement to Settle Alleged HIPAA Violations

Last week, Cancer Care Group, P.C. (CCG), an Indiana radiation oncology practice, agreed to settle alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) by paying $750,000 and adopting a three-year corrective action plan.

Filed under Cooley Trackers, Government Enforcement, Health Information Privacy, Health IT, HIPAA, Privacy and Security