Guidance Helps Medical Device Companies Determine Substantial Equivalence


When is a medical device substantially equivalent to another device? Like so much else, it depends. On July 15, 2014, the U.S. Food and Drug Administration (FDA) issued a draft guidance that aims to clarify that question. The document is officially directed at FDA staff, but it is equally instructive to companies seeking FDA approval for their devices. 

The FDA reviews medical devices before they can be sold in the United States, and manufacturers that prove their devices are substantially equivalent to existing products can undergo an abbreviated review process. However, substantial equivalence is a subjective target.  

The U.S. Food, Drug and Cosmetics Act at 21 U.S. Code 360c(i) states that a new device is substantially equivalent to an existing "predicate" device when the new device:

  1. has the same intended use as the predicate device; and
  2. either has the same technological characteristics as the predicate or has 
    different technological characteristics but is as safe and effective and does not
    raise different questions of safety and effectiveness than the predicate.

The guidance document focuses on the last step of the analysis – how FDA determines a device is as safe and effective as a predicate. The safety and effectiveness need not be identical. A new device can have increased safety and decreased effectiveness – or decreased safety and increased effectiveness – and still be considered substantially equivalent. When making these assessments, the FDA will weigh the benefits and risks of the new device versus the predicate. When considering benefits, the FDA will weigh:

  • Type of benefit
  • Magnitude of the benefit
  • Probability of the patient experiencing the benefit
  • Duration of the benefit

When assessing risks, the FDA will consider:

  • Severity, types, number, and rates of harmful events associated with use of the device
  • Probability of a harmful event
  • Probability of a patient experiencing one or more harmful events
  • Duration of harmful events
  • Risk from false-positive or false-negative results (for diagnostic devices)

The guidance provides several examples, including one in which a manufacturer wishes to market a tool for spinal surgery. The tool has a different shape and a deeper cutting action than the predicate device. Animal and clinical studies show the deeper cutting action leads to a greater risk of injuring surrounding tissue, but the new tool also shortens the duration of surgery and allows improved access to certain parts of the anatomy. The guidance concludes that the new device does not raise different questions of safety and effectiveness, and because the increased risk is accompanied by an increased benefit and a comparable benefit-risk profile, the new device would likely be found substantially equivalent to the predicate. 

Of course, the specific analysis will vary for every product and predicate. Companies seeking FDA approval should consult the guidance and an attorney to help prove their devices are substantially equivalent.

Tags: ,

Florida Board of Medicine Opts for Less Regulation of Office Surgical Procedures


The Florida Board of Medicine recently amended its office surgery rules to exclude numerous facilities, and providers who inadvertently may have been in violation of the previous rule requirements by not having registered their offices to perform office surgery. Rule 64B8-9.009, Fla. Admin. Code, sets forth the standard of care for office surgery. The rule previously defined office surgery, in part, as the type of surgical procedures that "do not result in blood loss of more than ten percent of estimated blood volume in a patient with normal hemoglobin; require major or prolonged intracranial, intrathoracic, abdominal, or major joint replacement procedures except for laparoscopic procures; directly involve major blood vessels; or are generally emergent or life threatening in nature."

The exclusion of surgical procedures that "directly involve major blood vessels" from the type of procedure that could be done in an office setting was confusing for many physicians. It was unclear whether procedures that require insertion of catheters, wires or other devices to advance through blood vessels, using imaging guidance, would be considered office surgery such that these physicians would be required to register their offices and comply with all office surgery rule requirements. The matter was brought to the attention of the Board of Medicine, input was solicited and gathered from the profession and other States, and the Board came up with a solution rather quickly. Rather than require these facilities and physicians to register and come under the regulatory scheme for office surgery providers, the Board opted to amend the rule to clarify that percutaneous endovascular intervention does not constitute office surgery. 

The amended rule defines percutaneous intervention as:

"a procedure performed without open direct visualization of the target vessel, requires only needle puncture of an artery or vein followed by insertion of catheters, wires, or similar devices which are then advanced through the blood vessels using imaging guidance. Once the catheter reaches the intended location, various maneuvers to address the diseased area may be performed which include, but are not limited to, injection of contrast for imaging, treatment of vessels with angioplasty, artherectomy, covered or uncovered stenting, intentionally occluding vessels or organs (embolization), and delivering medications, radiation, or other energy such as laser, radiofrequency, or cryo."

This extensive definition covers a long list of procedures performed by a variety of specialties. Registration for all of the providers of these procedures could have overwhelmed regulatory inspectors and other staff. Moreover, given the other criteria for procedures eligible for office surgery—non emergent and not life threatening, no major blood loss, not overly invasive—percutaneous intervention fit nicely within the intended scope of the original rule. 

However, despite the amendment, all physicians should remain mindful of the preamble to the office surgery rule:


This remains good advice.

Tags: ,

New ACA Rules Could Require Broader Provider Networks


"If you like your doctor, you can keep your doctor." President Obama repeated this assurance to the American public numerous times, and the statement was prominently featured on the White House web site prior to and after adoption of the Affordable Care Act in 2010.  

The Obama administration is developing regulations to address the concerns of consumers who say the Affordable Care Act ("ACA") has restricted their ability to choose doctors and hospitals, without incurring sizeable medical bills for out-of-network services.

In order to create health insurance plans with lower premiums, so as to be more affordable and more attractive to individuals shopping for insurance on the ACA-mandated, newly-created insurance exchanges, many insurers have established plans with narrower provider networks, giving plan members fewer doctors and hospitals to choose from. Smaller networks allow the insuror to exercise greater control over provider charges and to limit their networks to only the highest quality providers, enabling them to offer high-value plans with lower premiums. The "flip side" of this trend, however, is that patients have fewer doctors and hospitals to choose from, and may incur substantial medical expenses if they receive services from doctors or hospitals which are not part of the network.

To address the concerns of patients who say that many health plans offered under the ACA unduly limit their choice of providers, CMS is developing new requirements which will require health plans to offer broader provider networks. Federal officials have said the new requirements will be similar to the standards currently used to determine whether Medicare Advantage Plans have a sufficient number of doctors and hospitals in their networks. Federal standards specify the minimum number of primary care doctors and specialists which must be included in the network for a Medicare Advantage Plan, based on population in the area served by this Plan, population density, and other factors. Medicare also establishes maximum travel time and distance criteria.  Similar travel standards are already in place for Florida HMOs.

A number of insurers have opposed detailed federal rules, arguing that consumers should be able to choose more affordable, high-value plans, with narrower provider networks.

Florida Information Protection Act of 2014 - Florida Means Business When It Comes to Protecting Customers' Personal Information


On June 20, 2014, Governor Rick Scott signed into law the Florida Information Protection Act of 2014 ("FIPA"), which became effective July 1, 2014. FIPA expands the obligations of businesses and government entities that maintain data containing personal information of individuals to safeguard and provide notice of breaches of such information. As a result, Florida now has one of, if not the most strict breach notification statutes in the country.

What should entities conducting business with Florida customers do to comply with FIPA?

  • Evaluate your current policies and security measures for electronic personal information and update them as necessary;
  • Develop new policies or update existing policies for identifying breaches and providing appropriate notification to affected individuals.
  • Ensure that your company is using proper methods to destroy or dispose of personal information;
  • Review and update your agreements with third party agents who maintain or transmit electronic personal information to address the new requirements of § 501.171, Florida Statutes, regarding notification of breaches suffered by the third party agent and what precautions the third party agent takes to safeguard and properly destroy data.
  • Review your liability policies to determine what coverage is available in the event of a breach. The cost to respond to a data breach continues to climb, and some insurers are revising their CGL policies to exclude coverage for data breaches. Separate cyber liability policies are available in the marketplace.

For more information about FIPA, click here.


Physicians and Photography Don't Mix


A gynecologist who secretly photographed and videotaped women's bodies in the examining room will cost one of the world's leading medical institutions $190 million.  In a damaging blow to its reputation, Johns Hopkins Hospital has agreed to a settlement with more than 8,000 patients of Dr. Nikita Levy, who wore a pen-like camera around his neck to secretly record videos and photos of his patients, including 62 girls.  Dr. Levy, a 25-year physician with Johns Hopkins Health System in Baltimore, Maryland, had seen approximately 12,600 patients during his tenure.  He was fired in February 2013 after a co-worker spotted the camera and alerted authorities.  Investigators discovered roughly 1,200 videos and 140 images stored on his home computer.  Dr. Levy committed suicide days after his termination.

Although the women's faces were not visible in the images, and it could not be established with certainty which patients were recorded or how many, thousands of patients were traumatized, according to lawyers.  A class action lawsuit was brought against Johns Hopkins on behalf of the more than 8,000 patients, who claimed the hospital should have known what Dr. Levy was up to.  Each plaintiff was interviewed by a forensic psychologist and a post-traumatic stress specialist to determine how much trauma she suffered and how much money she will receive.  The settlement is one of the largest on record in the United States involving a physician who took photographs of patients without their consent. 

In Florida, although such conduct would likely be seen as outrageous by the regulators at the Department of Health and the members of the Board of Medicine, there is no specific statutory prohibition against photographing a patient without his or her consent.   Section 458.331(1)(p), Fla. Stat., subjects a physician to discipline for performing "professional services" that have not been authorized by the patient. Photography is not likely a professional service provided by a physician.  Likewise, sexual  misconduct, although clearly prohibited, as defined in section 458.329, Fla. Stat., involves using the patient-physician relationship to induce the patient into sexual activity.  Taking unauthorized photographs in and of itself might not be considered sexual misconduct.  Despite those legal pitfalls, the conduct could be considered outside the standard of care and, therefore, be subject to disciplinary action.  Physicians simply should not take any photograph or create any image of a patient without his or her consent, even if the physician has no plan to share the information.  Surgical consent forms routinely disclose the potential for photographs or videos to be created during the surgery and spell out any use planned for them.  This should be the routine practice for any examination or other service that creates an opportunity for images to be taken and preserved.   

Unfortunately, the Johns Hopkins lawsuit is not the only case involving a physician photographing a patient inappropriately.  In 2013, Dr. Patrick Yang, an anesthesiologist at Torrance Memorial Medical Center in Torrance, California, said he believed an unconscious patient "would get a kick" out of him cutting up sticky medication labels with scissors to put a mustache and gang tears on her face during surgery.  Instead, the woman sued him and the hospital for breach of medical privacy over allegedly spreading a cellphone photograph on the internet.  Dr. Yang's action during the surgery also prompted a state investigation and a rebuke from the hospital, which called his joke a "breach of professionalism."  He was disciplined but kept his privileges at the hospital.    

Also in 2013, a former Northwestern University student claimed that after she was admitted to Northwestern Memorial Hospital in Chicago, Illinois, for extreme intoxication, a physician at the hospital took photos of her and posted them to social media sites, Instagram and Facebook, with commentary about her condition.  She is seeking compensation from Dr. Vinaya Puppala, the hospital and the Feinberg School of Medicine in excess of $1.5 million.  In 2010, four employees were terminated at St. Mary's Medical Center in Long Beach, California, because they used cellphones to photograph a dying emergency room patient and then shared the photos on Facebook.  In 2007, the Mayo Clinic in Rochester, Minnesota faced a lawsuit over the acts of Dr. Adam Hansen, chief resident of general surgery, who used his cell phone to take a picture of a patient's penis during surgery.

In this era of social media where the use of smartphones and tablets make sharing data so easy, these cases raise fresh concerns about a hospital's ability to protect patients' privacy.  Accordingly, it is imperative that hospitals implement comprehensive policies regarding patient photography, video imaging and audio recording.  Such policies should:

  • Define allowable purposes and circumstances for obtaining film, digital photographs, video images or recording patients using a camera or other device.
  • Set forth standards for the creation, use, disclosure and retention of the images.
  • Ensure that patient/legal representative consent is given in writing or by verbal consent documented through an appropriate authorization form.
  • Identify prohibited activities and behaviors relating to photography, video or audio recordings of patients, including personal use, entertainment purposes, posting on social media or in public areas, malicious use, or using such images in a way that is disruptive to patient care or the work environment.  Staff failing to comply with such policies must be subject to disciplinary action.

Tags: ,

Federal Appeals Court in D.C. Strikes Down Key Aspect of Health Care Reform (Just Before the 4th Circuit’s Opposite Ruling) – Any Impact on the Individual and Employer Mandates?


Yesterday, the U.S. Court of Appeals for the District of Columbia Circuit, in a 2-1 ruling by a three judge panel, invalidated an Internal Revenue Service regulation that interpreted section 36B of the Affordable Care Act ("ACA") as authorizing premium tax credits for insurance purchased on either a state or federally-facilitated Exchange. In striking down the IRS regulation, the majority found that the language in the ACA “unambiguously restricts the section 36B subsidy to insurance purchased on Exchanges ‘established by the State’.” The D.C. Circuit court’s decision could have far reaching implications given the fact that currently 36 states have chosen not to establish state Exchanges and instead rely on federally-facilitated Exchanges. If the court’s decision is upheld, it could result in significant premium increases for many individuals who purchased their coverage through a federally-facilitated Exchange, but who would qualify for a premium tax credit based on their household income if they had purchased coverage through a state-run Exchange. 

Possible Impact on Individual Mandate: The individual mandate generally requires that individuals maintain “minimum essential coverage”. Failure to maintain such coverage can result in a penalty.  However, the penalty would not apply to individuals for whom the annual cost of the cheapest coverage (reduced by any applicable tax credits) would exceed 8% of their projected household income. Since the premium tax credits would no longer be available in the 36 states with federally-facilitated Exchanges, the court’s decision, if upheld, may considerably decrease the number of people who could be subject to a penalty for failing to maintain coverage.  

Possible Impact on Employer Mandate: The employer mandate under Code section 4980H imposes penalties on certain large employers who fail to provide their full-time employees with health insurance that meet certain minimum value and affordability requirements. Specifically, the penalties under Code section 4980H apply to any large employer who fails to offer its full-time employees appropriate coverage if one or more of the employees enroll in an Exchange and qualify for a premium tax credit. If the court’s ruling is upheld, since premium tax credits would be unavailable in states with federally-facilitated Exchanges, large employers would not be subject to penalties for failing to offer coverage to employees who are residents in those 36 states. However, a large employer who employs individuals who reside in a state with a state Exchange could still be subject to penalties under Code section 4980H. 

Opposite Ruling by the Fourth Circuit: Also yesterday, the U.S. Court of Appeals for the Fourth Circuit issued a ruling that reached the opposite conclusion. The Fourth Circuit found that the language in section 36B was “ambiguous and subject to multiple interpretations”. The court upheld the IRS regulation “as a permissible exercise of the agency’s discretion.”  

What’s Next? The Department of Justice has already stated that it will appeal the D.C. Circuit court’s decision by seeking an en banc review, which would put the case before the entire appeals court. Given that the D.C. and Fourth circuits are now split on whether federal subsidies are available for coverage purchased through federally-facilitated Exchanges, the likelihood that the issue will ultimately be reviewed by the U.S. Supreme Court increases. In the meantime, we will continue to monitor this issue and provide updates.

Enhancements to Florida's Solicitation of Funds Law Now Effective - Charities Now Have Tighter Regulations


In response to the Tampa Bay Times investigative story, "America's Worst Charities," Florida’s Commissioner of Agriculture, Adam Putnam, worked with the Florida Legislature to enact material enhancements to Florida's Solicitation of Funds statutes (Chapter 496 – HB 629). Any charity that is subject to registration with the Department of Agriculture and Consumer Services (the Department), including not-for-profit hospitals and other not-for-profit health care providers which solicit charitable contributions, is impacted and will need to review and implement the new requirements that became effective July 1, 2014. 

Among the changes are the following:

  • The standard disclosure requirement, which is a statutory requirement that applies to all charities registered with the Department, must now include the Department's website.
  • If the solicitation is on the internet, each page may include the disclosure, and the disclosure must include the charity's phone number or address.
  • No officer, trustee, or director who has been convicted of a felony may solicit funds. We note that this is not a pleasant question to ask, but a necessary one.
  • Each charity that is registered with the Department must adopt a Conflict of Interest Policy, and each officer, director, or trustee must certify compliance with the Conflict of Interest Policy each year. The certification must be submitted with the annual registration. The required Conflict of Interest Policy is very specific and should be reviewed closely in order to meet compliance. It appears the IRS model conflict policy will not satisfy the law.
  • The professional solicitor rules have been greatly enhanced.
  • There are "collection receptacle" (donation drop box) disclosure requirements, for those who collect donations.
  • A disaster relief charity that has registered with the Department for four or fewer years and raises more than $50,000 must comply with substantial additional reporting requirements.
  • There are new financial reporting requirements for charities who receive contributions of more $500,000. For charities with contributions less than $500,000, there is no apparent change.

While these are only the high points of the enhancements, each not-for-profit health care provider that raises funds in Florida must review the new statutory requirements closely or risk being in violation of them.  Every not-for-profit health care provider that registers with the Department is potentially impacted by the amendments and should seek proper legal advice to determine the most appropriate method to come into compliance.


New OIG Special Fraud Alert Aimed at Laboratory Payments to Referring Physicians


On June 25, 2014, the U.S. Department of Health and Human Services Office of Inspector General (OIG) issued a Special Fraud Alert entitled "Laboratory Payments to Referring Physicians." While the Alert breaks no new ground (see, e.g., its 1994 Special Fraud Alert), it demonstrates the OIG's continuing concerns about clinical laboratories' offering inducements to referring physicians. 

The Alert provides an in-depth discussion of laboratories' paying referring physicians for collecting specimens and paying physicians for submitting patient data to a registry or database. The Alert explains that physicians who prepare specimens for transfer from the office to a laboratory have a CPT code (99000) to bill Medicare for a nominal charge. Where laboratories are separately paying the same physician for specimen collection, the double billing is evidence to the OIG of an obvious intent to induce referrals. Similarly, with respect to physicians submitting patient data for a database, even if the project has legitimate underpinnings, it may still be illegal if an intent is to induce referral. The Alert contains a detailed list of characteristics of specimen processing and data registry arrangements that it finds suspect.

The OIG 's concerns are not lessened in referral arrangements that "carve out" Medicare and other federal programs and focus only on commercial insurance. The OIG takes the position that, because physicians refer to a limited number of labs, inducements with respect to commercial insurance are likely intended to induce Medicare referrals also. Equally important, inducements for commercial insurance referrals may violate applicable state laws (for example, Florida's Patient Brokering law).  

Physicians should review their financial arrangements with outside clinical labs. The question to be asked always is whether one of the reasons for the arrangement is to induce referrals of patients for lab services. Although the Alert focuses on specimen processing and data registry arrangements, that does not mean that other arrangements are OK. The fraud and abuse concerns set forth in the Alert extend to any arrangement that provides some sort of financial benefit to physicians with the intent to induce referrals of patients for lab services. 


Following publication of the Alert, the OIG published a study entitled "Questionable Billing for Medicare Part B Clinical Laboratory Services." In the Study, the OIG found that "[a]lmost half of the labs that exceeded the thresholds for five or more measures of questionable billing—compared to 13 percent of all labs—were located in California and Florida, areas known to be vulnerable to Medicare fraud." The OIG's recommended that it "[r]eview the labs identified as having questionable billing and take appropriate action" and also "[r]eview existing program integrity strategies to determine whether these strategies are effectively identifying program vulnerabilities associated with lab services." As a result, clinical labs and physicians should exercise great vigilance in reviewing their financial and referral relationships with each other to insure that they comply with applicable federal (and state) fraud and abuse and other healthcare laws.

Tags: , ,

Patient Records: Increasing Exposure for Privacy Breaches


Healthcare providers and businesses that store or process protected health information ("PHI") face increased scrutiny and significant fines for data privacy breaches and security lapses in the coming months. In the past 12 months, the U.S. Department for Health and Human Services Office for Civil Rights ("OCR") has recovered more than $10 million in fines for alleged violations of HIPAA. Enforcement is likely to become even more aggressive in the next year, according to Jerome Meites, a chief regional civil rights counsel at HHS, who spoke last month at the American Bar Association Physician Legal Issues Conference. "Knowing what's in the pipeline, I suspect that number will be low compared to what's coming up," Meites said during his presentation.
Meites noted that companies need to ensure the security of laptops and other portable devices that carry patient information. "Everywhere in your system where [patient information] is used, you have to think about how to protect it." Meites also noted the importance of performing a comprehensive risk analysis. Most of the cases in which breaches led to financial settlements, and not just corrective actions, involved entities who had not performed the required risk assessment.

The need to analyze risks, adopt safeguards, and train staff extends beyond healthcare providers and applies to anyone who stores, processes or has access to protected health information. Covered entities should ensure they have Business Associate Agreements with those who handle, process or have access to protected health information. All of the foregoing will be increasingly important as OCR turns up the heat on enforcement efforts.

Recent HIPAA Settlements

In the past two months, two healthcare organizations agreed to pay $4.8 million to settle charges that they potentially violated HIPAA Privacy and Security Rules. These organizations failed to secure thousands of patients' electronic protected health information (ePHI) held on their network. A third organization agreed to pay $800,000 after its employees left 71 boxes of patient records in a departing physician's driveway.

These recent settlements are a reminder that covered entities and businesses who handle or have access to patient information cannot ignore the need to safeguard the privacy of all records in their possession. Healthcare providers not only must consider how to store and dispose of paper records that have been transferred to electronic health records, but also how to ensure that IT professionals involved in the conversion have been properly trained on HIPAA.

Second Round of HIPAA Audits

The next round of HIPAA audits will begin this fall. OCR already has sent questionnaires to approximately 800 covered entities to screen them for selection for the audit. These upcoming audits will be much more targeted than the first round of HIPAA audits and will be conducted as "desk audits" by OCR staff, rather than as field audits by outside accounting firms.  Approximately 100 covered entities will be audited on their compliance with the requirements for notices of privacy practices and providing individuals with access to PHI; 100 covered entities will be audited to evaluate whether they have a risk analysis and have implemented a corresponding risk management plan; and 150 covered entities will be audited for their policies related to the content of and timeliness of notice of a breach. OCR will use information gleaned from the audit responses to identify business associates that will be audited beginning in early 2015.

To prepare for this increased scrutiny, healthcare providers and their business associates should:

  • Conduct a thorough risk analysis of the threats and vulnerabilities to their electronic PHI and update that risk analysis annually or more often if there is a significant change in the operations of the entity.
  • Implement security measures to reduce the risks identified in the risk analysis. It is not enough to do the risk analysis: covered entities and business associates must follow up on the findings to reduce risk.
  • Remember to address risks associated with PHI that is in paper format, including methods of storage and disposal of the paper. As recent and not-so-recent HIPAA settlements have shown, leaving paper records in public areas such as driveways or open dumpsters or trash bins is not an appropriate way to dispose of records.
  • Make sure your breach notification policies and procedures are current. As part of this assessment, identify potential vendors, i.e., forensic experts, vendors to assist with mitigation efforts, outside law firms to conduct the investigation and to assist in the event of a breach.
  • Make sure your Notice of Privacy Practices is current and review your policies and procedures for responding to requests from individuals for access to their PHI.

Akerman's Healthcare team stands ready to assist businesses in assessing risks and adopting compliance plans.

Tags: , , ,

FDA Offers Guidance for Choosing Prescription Drug Names


If you've seen your share of prescription drug commercials, you've likely marveled at the odd drug names: Moexipril. Oxcarbazepine. Zafirlukast. You might think pharmaceutical companies just prefer complex, new combinations of letters, but naming a drug requires more than a marketing brainstorm session. A recent draft guidance document from the U.S. Food and Drug Administration ("FDA") shows many considerations go into choosing a drug name. Names that are too similar can be confused, and names that include descriptive phrases or abbreviations could be misunderstood, leading to unfair marketing and drug errors. In order to improve safety and reduce ambiguous or misleading names, the FDA suggests that drug makers follow the nonbinding guidelines in the guidance document. The guidelines advise:

  • Avoid similarities in spelling or pronunciation with names of other drugs, even if those other drugs are discontinued or only sold in foreign countries.
  • Avoid including medical abbreviations within the name. For example, the NameQD could be mistaken on a prescription for the medical abbreviation QD, or quaque die in Latin, meaning every day.
  • Avoid using the same proprietary name or the same root proprietary name for products that do not contain at least one common active ingredient.
  • Avoid names that include product-specific attributes, dosage form, or route of administration. (NameOral, Nametabs, etc.)
  • Avoid non-standard suffixes or modifiers that could cause confusion. For example, Name3 could be misunderstood as a drug to be taken for 3 days or a drug that includes 3 active ingredients.
  • Avoid using different names for products with identical active ingredients.  Unaware prescribers could put a patient on both at the same time, possibly causing overdose.
  • Avoid fanciful names that state or imply a quality of the drug, such as BestMed or DrugSuper.
  • Avoid symbols. For example, if a drug is called Name+, the plus sign could be confused on a prescription pad for "and" or the number 4.

Knowing these naming constraints exist, the next time you see a drug commercial, you'll realize that a new drug name might sound arbitrary, but it definitely isn't.

Tags: ,

FDA Issues Draft Guidance for Drug and Device Information on Social Media


The Food and Drug Administration ("FDA") recently issued two draft guidance documents relating to the use of Twitter and other social media by drug and medical device companies. Emphasizing that companies must give a balanced presentation of their products, the Agency stated that companies must provide risk information along with any benefit information within a tweet or similar promotional message.

The FDA also provided guidelines for companies wishing to respond to misinformation posted on blogs or other social media platforms. The Agency stressed that, while a company has no obligation to correct independently-posted information, any correction must consist of truthful and non-misleading information that, among other requirements, is limited to the scope of the misinformation and non-promotional in nature. A more detailed update highlighting main compliance points and areas of risk can be accessed here.


IRS Disallows Shifting Employee Health Coverage Burden to Exchanges


Certain employers hoped that they had discovered a way to "have their cake and eat it too". In response to the looming employer mandate for employers with 50 or more employees – the requirement to offer full - time employees group health plan coverage or else face penalties under the Affordable Care Act, - some creative Human Resource leaders had suggested that employers could send their employees to a health insurance exchange, while still offering those employees a tax-free contribution to assist with the exchange insurance premiums. This proposed "solution" would have theoretically permitted employers to save money by terminating their group health plan obligations, while still preserving the existing employer-based system's tax advantages, whereby employer contributions toward employees' coverage are not included as taxable income to workers. This would have provided employees with a variation of the current system, by offering a tax advantaged way to purchase replacement medical coverage through the exchange.

Through a question-and-answer issued on May 13, 2014, the IRS stated that this approach was not acceptable. Specifically, the IRS reasoned that such a pre-tax funding arrangement itself would be considered a "group health plan" under the Affordable Care Act and, therefore, the pre-tax funding arrangement would be required to comply with the Affordable Care Act's market reforms. So exposure to penalties would remain if the pre-tax funding arrangement was not compliant. In particular, failure to satisfy those market reforms would expose the employer to excise tax penalties of $100 per day per affected employee (i.e., $36,500 per year for every employee).

The IRS guidance does not allow such an incentive for large employers to drop employer-sponsored coverage. As expected, the Obama administration has expressed its agreement with and appreciation for the IRS' position, since the entire Affordable Care Act financial and administrative structure requires at its core the fundamental continuation of employer-based health insurance coverage.

Tags: ,

HHS Proposes Extension of Deadline for EHR Compliance


According to the federal government, over 370,000 providers have participated in the Medicare and Medicaid Electronic Health Record ("EHR") incentive program since its inception in 2011. However, providers nationwide continue to grapple with the challenges of complying with federal EHR requirements, and many such providers have voiced their displeasure to the federal government regarding the tight compliance timeframes. On Tuesday, May 20, 2014, the U.S. Department of Health and Human Services Centers for Medicare and Medicaid Services ("CMS"), as well as the Office of the National Coordinator for Health Information Technology, in part in reaction to comments and submissions to the agency from providers nationwide, published a proposed rule that provides additional time for providers to meet the operationally challenging standards surrounding electronic health records.

The proposed rule extends the deadline for providers to meet the so-called Stage 2 criteria for making meaningful use of electronic health records. Under Stage 2, providers not only transmit patient records electronically when making referrals, but they also must be capable of sending charts to a physician with a different EHR system. Another notable Stage 2 requirement puts the onus on providers to ensure that patients make use of EHRs by mandating that at least 5 percent of patients send a message to their doctors utilizing a portal within the EHR system and that 5 percent access their health information online.

Under the proposed rule, providers have greater flexibility in how they use certified electronic health record technology ("CEHRT") to meet the meaningful use standard. Specifically, the proposed rule allows providers to use the 2011 edition CEHRT or a combination of the 2011 and 2014 editions for reporting in 2014 under the Medicare and Medicaid EHR incentive programs.

Additionally, the proposed rule serves as CMS' formal announcement of previously announced plans in December to extend Stage 2 through 2016 and begin Stage 3 in 2017, after many providers and EHR providers said it would be nearly impossible to meet the Stage 2 goals by the original deadline. Please note, though, that even with the extension, beginning in 2015, providers will still be required to report to CMS utilizing the new technology.

As originally structured, CMS issued billions of dollars in payments to health care providers to incentivize adoption of EHRs. However, beginning in 2015, lack of EHR compliance means penalties for providers in the form of reduced reimbursements. For the first year, Medicare reimbursements will be reduced by 1 percent for providers that don't meet EHR standards. That penalty jumps to 2 percent the following year and 3 percent every year afterward.

While this extension of time to allow compliance of Stage 2 is welcome news, implementation and compliance are still a priority that must stay on all providers' radar screens. As Stage 2 reaches completion, CMS and providers will turn to Stage 3, which will focus on improving outcomes. Final rules regarding Stage 3 compliance are expected in the first half of 2015.

Tags: , ,

Florida Board of Pharmacy Clarifies that Pharmacies Can't Compound Sterile Human Drugs for "Office Use"


The Florida Board of Pharmacy rules allow pharmacies to engage in office-use compounding. Rule 64B16-27.700, FAC. This allows pharmacies to compound drugs for physicians to use in treating their patients in the office without writing a patient-specific prescription. It does not allow the physician to dispense the office-use drugs to their patients (i.e. give the patient a supply to take with them).

The Federal Quality Compounding Act enacted on November 27, 2013, at 21 USC 353a and 353b, states that, other than registered outsourcing facilities that compound sterile human products for office use, such compounding by state licensed pharmacies should be patient specific.  The Board and its legal counsel wanted to place Florida pharmacies holding the Sterile Compounding Permit on notice of this change in federal law so these pharmacies did not mistakenly rely on Florida's rule and engage in office use sterile human compounding in possible violation of federal law. The Board of Pharmacy voted to approve language amending the Florida Compounding Rule at its meeting on May 1, 2014. The amendment adds new Subsection (3)(g) to the Compounding Rule to provide:

64B16-27.700(3)(g) In the case of compounded sterile products intended for human use, the pharmacy must be in full compliance with 21 U.S.C. § 353b, including being registered as an Outsourcing Facility. 21 U.S.C. § 353b (eff. Nov. 27, 2013) is hereby adopted and incorporated by reference.

This rule change will still need to go through the rulemaking process before becoming law, but because it relies on existing federal law, pharmacies should not wait to comply.

Key Takeaways:

  • Florida pharmacies cannot compound sterile human products for office use;
  • Florida pharmacies holding the sterile compounding pharmacy permit may continue to compound patient-specific sterile products;
  • Florida physicians and hospitals should acquire office-use sterile human products from registered outsourcing facilities, rather than facilities licensed only as sterile compounding pharmacies; and
  • The Board's rule does not change other office-use compounding.

The Downside to Sharing – Two Hospitals to Pay Largest HIPAA Fine Yet


On May 7, 2014, the U.S. Department of Health and Human Services Office for Civil Rights  ("OCR") announced the largest settlement to date under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA").  New York and Presbyterian Hospital ("NYP") and Columbia University ("Columbia") agreed to pay $4.8 million and enter into resolution agreements as the result of a breach of NYP's data system resulting in the disclosure of personal information of 6,800 patients.  

NYP and Columbia are each covered entities under HIPAA and participate in a joint arrangement where they operate a shared data network and a shared network firewall that is administered by employees of both entities.  The shared network links to NYP patient information systems containing electronic protected health information ("e-PHI").

The breach occurred when a Columbia physician tried to deactivate a personally-owned computer server on the network containing the e-PHI of NYP patients.  According to OCR, due to a lack of technical safeguards, deactivation of the server resulted in e-PHI being accessible on internet search engines.  NYP and Columbia learned of the breach after receiving a complaint from an individual who found the e-PHI of the individual's deceased partner, a former patient of NYP, on the internet.  The OCR investigation revealed that neither NYP or Columbia made efforts before the breach to ensure that the server was secure and contained appropriate software protections, and neither entity conducted an accurate risk analysis that identified all systems that access patients' e-PHI.

Under the settlement agreement, NYP will pay $3,300,000 and Columbia will pay $1,500,000.  Also, the entities entered into separate resolution agreements that require corrective action.  The corrective steps that NYP must take include:

  • Modify its existing risk analysis process, including developing a complete inventory of all electronic equipment, data systems, and applications that contain or store e-PHI;
  • Develop and implement a risk management plan to address and mitigate security risks and vulnerabilities found in the risk analysis.  The plan must be reviewed by OCR;
  • Review and revise policies and procedures for authorizing access to NYP e-PHI;
  • Implement a process for evaluating environmental and operational changes that affect the security of NYP e-PHI;
  • Review and revise policies and procedures on device and media controls, including identifying criteria for the use of such devices and procedures for obtaining authorization for the use of personal devices and media that use NYP e-PHI systems;
  • Develop an enhanced privacy and security awareness training program to train workforce members and affiliated staff on the necessity of prohibitions on the purchase, use or administration of computer equipment that accesses NYP e-PHI, except under the explicit management of NYP IT personnel.

Columbia must take many of the same corrective steps.  NYP's corrective action plan also requires it to collaborate with Columbia to implement the corrective actions described above.

In addition to being the largest HIPAA settlement to date, this is the first settlement involving multiple covered entities.  According to a statement by an OCR spokeswoman, "When entities participate in joint compliance arrangements, they share the burden of addressing the risks to [PHI].  Our cases against NYP and [Columbia] should remind health care organizations of the need to make data security central to how they manage their information systems."

This settlement is another reminder of the importance that OCR places on an accurate risk analysis that identifies all places within a system that e-PHI resides.  To avoid shared settlement payments, covered entities that permit shared access to e-PHI should closely read the NYP and Columbia resolution agreements and implement the described action items.    

Tags: , , , ,

Useful Resources