Federal Appeals Court in D.C. Strikes Down Key Aspect of Health Care Reform (Just Before the 4th Circuit’s Opposite Ruling) – Any Impact on the Individual and Employer Mandates?


Yesterday, the U.S. Court of Appeals for the District of Columbia Circuit, in a 2-1 ruling by a three-judge panel, invalidated an Internal Revenue Service regulation that interpreted section 36B of the Affordable Care Act ("ACA") as authorizing premium tax credits for insurance purchased on either a state or federally-facilitated Exchange. In striking down the IRS regulation, the majority found that the language in the ACA “unambiguously restricts the section 36B subsidy to insurance purchased on Exchanges ‘established by the State’.” The D.C. Circuit court’s decision could have far-reaching implications given the fact that currently 36 states have chosen not to establish state Exchanges and instead rely on federally-facilitated Exchanges. If the court’s decision is upheld, it could result in significant premium increases for many individuals who purchased their coverage through a federally-facilitated Exchange, but who would qualify for a premium tax credit based on their household income if they had purchased coverage through a state-run Exchange.

Possible Impact on Individual Mandate: The individual mandate generally requires that individuals maintain “minimum essential coverage”. Failure to maintain such coverage can result in a penalty.  However, the penalty would not apply to individuals for whom the annual cost of the cheapest coverage (reduced by any applicable tax credits) would exceed 8% of their projected household income. Since the premium tax credits would no longer be available in the 36 states with federally-facilitated Exchanges, the court’s decision, if upheld, may considerably decrease the number of people who could be subject to a penalty for failing to maintain coverage.  

Possible Impact on Employer Mandate: The employer mandate under Code section 4980H imposes penalties on certain large employers who fail to provide their full-time employees with health insurance that meets certain minimum value and affordability requirements. Specifically, the penalties under Code section 4980H apply to any large employer who fails to offer its full-time employees appropriate coverage if one or more of the employees enroll in an Exchange and qualify for a premium tax credit. If the court’s ruling is upheld, since premium tax credits would be unavailable in states with federally-facilitated Exchanges, large employers would not be subject to penalties for failing to offer coverage to employees who are residents in those 36 states. However, a large employer who employs individuals who reside in a state with a state Exchange could still be subject to penalties under Code section 4980H.

Opposite Ruling by the Fourth Circuit: Also yesterday, the U.S. Court of Appeals for the Fourth Circuit issued a ruling that reached the opposite conclusion. The Fourth Circuit found that the language in section 36B was “ambiguous and subject to multiple interpretations”. The court upheld the IRS regulation “as a permissible exercise of the agency’s discretion.”  

What’s Next? The Department of Justice has already stated that it will appeal the D.C. Circuit court’s decision by seeking an en banc review, which would put the case before the entire appeals court. Given that the D.C. and Fourth circuits are now split on whether federal subsidies are available for coverage purchased through federally-facilitated Exchanges, the likelihood that the issue will ultimately be reviewed by the U.S. Supreme Court increases. In the meantime, we will continue to monitor this issue and provide updates.

Enhancements to Florida's Solicitation of Funds Law Now Effective - Charities Now Have Tighter Regulations


In response to the Tampa Bay Times investigative story, "America's Worst Charities," Florida’s Commissioner of Agriculture, Adam Putnam, worked with the Florida Legislature to enact material enhancements to Florida's Solicitation of Funds statutes (Chapter 496 – HB 629). Any charity that is subject to registration with the Department of Agriculture and Consumer Services (the Department), including not-for-profit hospitals and other not-for-profit health care providers which solicit charitable contributions, is impacted and will need to review and implement the new requirements that became effective July 1, 2014. 

Among the changes are the following:

  • The standard disclosure requirement, which is a statutory requirement that applies to all charities registered with the Department, must now include the Department's website.
  • If the solicitation is on the internet, each page may include the disclosure, and the disclosure must include the charity's phone number or address.
  • No officer, trustee, or director who has been convicted of a felony may solicit funds. We note that this is not a pleasant question to ask, but a necessary one.
  • Each charity that is registered with the Department must adopt a Conflict of Interest Policy, and each officer, director, or trustee must certify compliance with the Conflict of Interest Policy each year. The certification must be submitted with the annual registration. The required Conflict of Interest Policy is very specific and should be reviewed closely in order to meet compliance. It appears the IRS model conflict policy will not satisfy the law.
  • The professional solicitor rules have been greatly enhanced.
  • There are "collection receptacle" (donation drop box) disclosure requirements, for those who collect donations.
  • A disaster relief charity that has registered with the Department for four or fewer years and raises more than $50,000 must comply with substantial additional reporting requirements.
  • There are new financial reporting requirements for charities who receive contributions of more than $500,000. For charities with contributions less than $500,000, there is no apparent change.

While these are only the high points of the enhancements, each not-for-profit health care provider that raises funds in Florida must review the new statutory requirements closely or risk being in violation of them.  Every not-for-profit health care provider that registers with the Department is potentially impacted by the amendments and should seek proper legal advice to determine the most appropriate method to come into compliance.


New OIG Special Fraud Alert Aimed at Laboratory Payments to Referring Physicians


On June 25, 2014, the U.S. Department of Health and Human Services Office of Inspector General (OIG) issued a Special Fraud Alert entitled "Laboratory Payments to Referring Physicians." While the Alert breaks no new ground (see, e.g., its 1994 Special Fraud Alert), it demonstrates the OIG's continuing concerns about clinical laboratories' offering inducements to referring physicians. 

The Alert provides an in-depth discussion of laboratories' paying referring physicians for collecting specimens and paying physicians for submitting patient data to a registry or database. The Alert explains that physicians who prepare specimens for transfer from the office to a laboratory have a CPT code (99000) to bill Medicare for a nominal charge. Where laboratories are separately paying the same physician for specimen collection, the double billing is evidence to the OIG of an obvious intent to induce referrals. Similarly, with respect to physicians submitting patient data for a database, even if the project has legitimate underpinnings, it may still be illegal if an intent is to induce referral. The Alert contains a detailed list of characteristics of specimen processing and data registry arrangements that it finds suspect.

The OIG's concerns are not lessened in referral arrangements that "carve out" Medicare and other federal programs and focus only on commercial insurance. The OIG takes the position that, because physicians refer to a limited number of labs, inducements with respect to commercial insurance are likely intended to induce Medicare referrals also. Equally important, inducements for commercial insurance referrals may violate applicable state laws (for example, Florida's Patient Brokering law).

Physicians should review their financial arrangements with outside clinical labs. The question to be asked always is whether one of the reasons for the arrangement is to induce referrals of patients for lab services. Although the Alert focuses on specimen processing and data registry arrangements, that does not mean that other arrangements are OK. The fraud and abuse concerns set forth in the Alert extend to any arrangement that provides some sort of financial benefit to physicians with the intent to induce referrals of patients for lab services. 


Following publication of the Alert, the OIG published a study entitled "Questionable Billing for Medicare Part B Clinical Laboratory Services." In the Study, the OIG found that "[a]lmost half of the labs that exceeded the thresholds for five or more measures of questionable billing—compared to 13 percent of all labs—were located in California and Florida, areas known to be vulnerable to Medicare fraud." The OIG recommended that it "[r]eview the labs identified as having questionable billing and take appropriate action" and also "[r]eview existing program integrity strategies to determine whether these strategies are effectively identifying program vulnerabilities associated with lab services." As a result, clinical labs and physicians should exercise great vigilance in reviewing their financial and referral relationships with each other to ensure that they comply with applicable federal (and state) fraud and abuse and other healthcare laws.


Patient Records: Increasing Exposure for Privacy Breaches


Healthcare providers and businesses that store or process protected health information ("PHI") face increased scrutiny and significant fines for data privacy breaches and security lapses in the coming months. In the past 12 months, the U.S. Department of Health and Human Services Office for Civil Rights ("OCR") has recovered more than $10 million in fines for alleged violations of HIPAA. Enforcement is likely to become even more aggressive in the next year, according to Jerome Meites, a chief regional civil rights counsel at HHS, who spoke last month at the American Bar Association Physician Legal Issues Conference. "Knowing what's in the pipeline, I suspect that number will be low compared to what's coming up," Meites said during his presentation.

Meites noted that companies need to ensure the security of laptops and other portable devices that carry patient information. "Everywhere in your system where [patient information] is used, you have to think about how to protect it." Meites also noted the importance of performing a comprehensive risk analysis. Most of the cases in which breaches led to financial settlements, and not just corrective actions, involved entities who had not performed the required risk assessment.

The need to analyze risks, adopt safeguards, and train staff extends beyond healthcare providers and applies to anyone who stores, processes or has access to protected health information. Covered entities should ensure they have Business Associate Agreements with those who handle, process or have access to protected health information. All of the foregoing will be increasingly important as OCR turns up the heat on enforcement efforts.

Recent HIPAA Settlements

In the past two months, two healthcare organizations agreed to pay $4.8 million to settle charges that they potentially violated HIPAA Privacy and Security Rules. These organizations failed to secure thousands of patients' electronic protected health information (ePHI) held on their network. A third organization agreed to pay $800,000 after its employees left 71 boxes of patient records in a departing physician's driveway.

These recent settlements are a reminder that covered entities and businesses who handle or have access to patient information cannot ignore the need to safeguard the privacy of all records in their possession. Healthcare providers not only must consider how to store and dispose of paper records that have been transferred to electronic health records, but also how to ensure that IT professionals involved in the conversion have been properly trained on HIPAA.

Second Round of HIPAA Audits

The next round of HIPAA audits will begin this fall. OCR already has sent questionnaires to approximately 800 covered entities to screen them for selection for the audit. These upcoming audits will be much more targeted than the first round of HIPAA audits and will be conducted as "desk audits" by OCR staff, rather than as field audits by outside accounting firms.  Approximately 100 covered entities will be audited on their compliance with the requirements for notices of privacy practices and providing individuals with access to PHI; 100 covered entities will be audited to evaluate whether they have a risk analysis and have implemented a corresponding risk management plan; and 150 covered entities will be audited for their policies related to the content of and timeliness of notice of a breach. OCR will use information gleaned from the audit responses to identify business associates that will be audited beginning in early 2015.

To prepare for this increased scrutiny, healthcare providers and their business associates should:

  • Conduct a thorough risk analysis of the threats and vulnerabilities to their electronic PHI and update that risk analysis annually or more often if there is a significant change in the operations of the entity.
  • Implement security measures to reduce the risks identified in the risk analysis. It is not enough to do the risk analysis: covered entities and business associates must follow up on the findings to reduce risk.
  • Remember to address risks associated with PHI that is in paper format, including methods of storage and disposal of the paper. As recent and not-so-recent HIPAA settlements have shown, leaving paper records in public areas such as driveways or open dumpsters or trash bins is not an appropriate way to dispose of records.
  • Make sure your breach notification policies and procedures are current. As part of this assessment, identify potential vendors, i.e., forensic experts, vendors to assist with mitigation efforts, outside law firms to conduct the investigation and to assist in the event of a breach.
  • Make sure your Notice of Privacy Practices is current and review your policies and procedures for responding to requests from individuals for access to their PHI.

Akerman's Healthcare team stands ready to assist businesses in assessing risks and adopting compliance plans.


FDA Offers Guidance for Choosing Prescription Drug Names


If you've seen your share of prescription drug commercials, you've likely marveled at the odd drug names: Moexipril. Oxcarbazepine. Zafirlukast. You might think pharmaceutical companies just prefer complex, new combinations of letters, but naming a drug requires more than a marketing brainstorm session. A recent draft guidance document from the U.S. Food and Drug Administration ("FDA") shows many considerations go into choosing a drug name. Names that are too similar can be confused, and names that include descriptive phrases or abbreviations could be misunderstood, leading to unfair marketing and drug errors. In order to improve safety and reduce ambiguous or misleading names, the FDA suggests that drug makers follow the nonbinding guidelines in the guidance document. The guidelines advise:

  • Avoid similarities in spelling or pronunciation with names of other drugs, even if those other drugs are discontinued or only sold in foreign countries.
  • Avoid including medical abbreviations within the name. For example, the NameQD could be mistaken on a prescription for the medical abbreviation QD, or quaque die in Latin, meaning every day.
  • Avoid using the same proprietary name or the same root proprietary name for products that do not contain at least one common active ingredient.
  • Avoid names that include product-specific attributes, dosage form, or route of administration. (NameOral, Nametabs, etc.)
  • Avoid non-standard suffixes or modifiers that could cause confusion. For example, Name3 could be misunderstood as a drug to be taken for 3 days or a drug that includes 3 active ingredients.
  • Avoid using different names for products with identical active ingredients.  Unaware prescribers could put a patient on both at the same time, possibly causing overdose.
  • Avoid fanciful names that state or imply a quality of the drug, such as BestMed or DrugSuper.
  • Avoid symbols. For example, if a drug is called Name+, the plus sign could be confused on a prescription pad for "and" or the number 4.

Knowing these naming constraints exist, the next time you see a drug commercial, you'll realize that a new drug name might sound arbitrary, but it definitely isn't.


FDA Issues Draft Guidance for Drug and Device Information on Social Media


The Food and Drug Administration ("FDA") recently issued two draft guidance documents relating to the use of Twitter and other social media by drug and medical device companies. Emphasizing that companies must give a balanced presentation of their products, the Agency stated that companies must provide risk information along with any benefit information within a tweet or similar promotional message.

The FDA also provided guidelines for companies wishing to respond to misinformation posted on blogs or other social media platforms. The Agency stressed that, while a company has no obligation to correct independently-posted information, any correction must consist of truthful and non-misleading information that, among other requirements, is limited to the scope of the misinformation and non-promotional in nature. A more detailed update highlighting main compliance points and areas of risk can be accessed here.


IRS Disallows Shifting Employee Health Coverage Burden to Exchanges


Certain employers hoped that they had discovered a way to "have their cake and eat it too". In response to the looming employer mandate for employers with 50 or more employees – the requirement to offer full-time employees group health plan coverage or else face penalties under the Affordable Care Act – some creative Human Resource leaders had suggested that employers could send their employees to a health insurance exchange, while still offering those employees a tax-free contribution to assist with the exchange insurance premiums. This proposed "solution" would have theoretically permitted employers to save money by terminating their group health plan obligations, while still preserving the existing employer-based system's tax advantages, whereby employer contributions toward employees' coverage are not included as taxable income to workers. This would have provided employees with a variation of the current system, by offering a tax advantaged way to purchase replacement medical coverage through the exchange.

Through a question-and-answer issued on May 13, 2014, the IRS stated that this approach was not acceptable. Specifically, the IRS reasoned that such a pre-tax funding arrangement itself would be considered a "group health plan" under the Affordable Care Act and, therefore, the pre-tax funding arrangement would be required to comply with the Affordable Care Act's market reforms. So exposure to penalties would remain if the pre-tax funding arrangement was not compliant. In particular, failure to satisfy those market reforms would expose the employer to excise tax penalties of $100 per day per affected employee (i.e., $36,500 per year for every employee).

The IRS guidance does not allow such an incentive for large employers to drop employer-sponsored coverage. As expected, the Obama administration has expressed its agreement with and appreciation for the IRS' position, since the entire Affordable Care Act financial and administrative structure requires at its core the fundamental continuation of employer-based health insurance coverage.


HHS Proposes Extension of Deadline for EHR Compliance


According to the federal government, over 370,000 providers have participated in the Medicare and Medicaid Electronic Health Record ("EHR") incentive program since its inception in 2011. However, providers nationwide continue to grapple with the challenges of complying with federal EHR requirements, and many such providers have voiced their displeasure to the federal government regarding the tight compliance timeframes. On Tuesday, May 20, 2014, the U.S. Department of Health and Human Services Centers for Medicare and Medicaid Services ("CMS"), as well as the Office of the National Coordinator for Health Information Technology, in part in reaction to comments and submissions to the agency from providers nationwide, published a proposed rule that provides additional time for providers to meet the operationally challenging standards surrounding electronic health records.

The proposed rule extends the deadline for providers to meet the so-called Stage 2 criteria for making meaningful use of electronic health records. Under Stage 2, providers not only transmit patient records electronically when making referrals, but they also must be capable of sending charts to a physician with a different EHR system. Another notable Stage 2 requirement puts the onus on providers to ensure that patients make use of EHRs by mandating that at least 5 percent of patients send a message to their doctors utilizing a portal within the EHR system and that 5 percent access their health information online.

Under the proposed rule, providers have greater flexibility in how they use certified electronic health record technology ("CEHRT") to meet the meaningful use standard. Specifically, the proposed rule allows providers to use the 2011 edition CEHRT or a combination of the 2011 and 2014 editions for reporting in 2014 under the Medicare and Medicaid EHR incentive programs.

Additionally, the proposed rule serves as CMS' formal announcement of previously announced plans in December to extend Stage 2 through 2016 and begin Stage 3 in 2017, after many providers and EHR providers said it would be nearly impossible to meet the Stage 2 goals by the original deadline. Please note, though, that even with the extension, beginning in 2015, providers will still be required to report to CMS utilizing the new technology.

As originally structured, CMS issued billions of dollars in payments to health care providers to incentivize adoption of EHRs. However, beginning in 2015, lack of EHR compliance means penalties for providers in the form of reduced reimbursements. For the first year, Medicare reimbursements will be reduced by 1 percent for providers that don't meet EHR standards. That penalty jumps to 2 percent the following year and 3 percent every year afterward.

While this extension of time to allow compliance with Stage 2 is welcome news, implementation and compliance are still a priority that must stay on all providers' radar screens. As Stage 2 reaches completion, CMS and providers will turn to Stage 3, which will focus on improving outcomes. Final rules regarding Stage 3 compliance are expected in the first half of 2015.


Florida Board of Pharmacy Clarifies that Pharmacies Can't Compound Sterile Human Drugs for "Office Use"


The Florida Board of Pharmacy rules allow pharmacies to engage in office-use compounding. Rule 64B16-27.700, FAC. This allows pharmacies to compound drugs for physicians to use in treating their patients in the office without writing a patient-specific prescription. It does not allow the physician to dispense the office-use drugs to their patients (i.e. give the patient a supply to take with them).

The Federal Quality Compounding Act enacted on November 27, 2013, at 21 USC 353a and 353b, states that, other than registered outsourcing facilities that compound sterile human products for office use, such compounding by state licensed pharmacies should be patient specific.  The Board and its legal counsel wanted to place Florida pharmacies holding the Sterile Compounding Permit on notice of this change in federal law so these pharmacies did not mistakenly rely on Florida's rule and engage in office use sterile human compounding in possible violation of federal law. The Board of Pharmacy voted to approve language amending the Florida Compounding Rule at its meeting on May 1, 2014. The amendment adds new Subsection (3)(g) to the Compounding Rule to provide:

64B16-27.700(3)(g) In the case of compounded sterile products intended for human use, the pharmacy must be in full compliance with 21 U.S.C. § 353b, including being registered as an Outsourcing Facility. 21 U.S.C. § 353b (eff. Nov. 27, 2013) is hereby adopted and incorporated by reference.

This rule change will still need to go through the rulemaking process before becoming law, but because it relies on existing federal law, pharmacies should not wait to comply.

Key Takeaways:

  • Florida pharmacies cannot compound sterile human products for office use;
  • Florida pharmacies holding the sterile compounding pharmacy permit may continue to compound patient-specific sterile products;
  • Florida physicians and hospitals should acquire office-use sterile human products from registered outsourcing facilities, rather than facilities licensed only as sterile compounding pharmacies; and
  • The Board's rule does not change other office-use compounding.


The Downside to Sharing – Two Hospitals to Pay Largest HIPAA Fine Yet


On May 7, 2014, the U.S. Department of Health and Human Services Office for Civil Rights  ("OCR") announced the largest settlement to date under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA").  New York and Presbyterian Hospital ("NYP") and Columbia University ("Columbia") agreed to pay $4.8 million and enter into resolution agreements as the result of a breach of NYP's data system resulting in the disclosure of personal information of 6,800 patients.  

NYP and Columbia are each covered entities under HIPAA and participate in a joint arrangement where they operate a shared data network and a shared network firewall that is administered by employees of both entities.  The shared network links to NYP patient information systems containing electronic protected health information ("e-PHI").

The breach occurred when a Columbia physician tried to deactivate a personally-owned computer server on the network containing the e-PHI of NYP patients.  According to OCR, due to a lack of technical safeguards, deactivation of the server resulted in e-PHI being accessible on internet search engines.  NYP and Columbia learned of the breach after receiving a complaint from an individual who found the e-PHI of the individual's deceased partner, a former patient of NYP, on the internet.  The OCR investigation revealed that neither NYP nor Columbia made efforts before the breach to ensure that the server was secure and contained appropriate software protections, and neither entity conducted an accurate risk analysis that identified all systems that access patients' e-PHI.

Under the settlement agreement, NYP will pay $3,300,000 and Columbia will pay $1,500,000.  Also, the entities entered into separate resolution agreements that require corrective action.  The corrective steps that NYP must take include:

  • Modify its existing risk analysis process, including developing a complete inventory of all electronic equipment, data systems, and applications that contain or store e-PHI;
  • Develop and implement a risk management plan to address and mitigate security risks and vulnerabilities found in the risk analysis.  The plan must be reviewed by OCR;
  • Review and revise policies and procedures for authorizing access to NYP e-PHI;
  • Implement a process for evaluating environmental and operational changes that affect the security of NYP e-PHI;
  • Review and revise policies and procedures on device and media controls, including identifying criteria for the use of such devices and procedures for obtaining authorization for the use of personal devices and media that use NYP e-PHI systems;
  • Develop an enhanced privacy and security awareness training program to train workforce members and affiliated staff on the necessity of prohibitions on the purchase, use or administration of computer equipment that accesses NYP e-PHI, except under the explicit management of NYP IT personnel.

Columbia must take many of the same corrective steps.  NYP's corrective action plan also requires it to collaborate with Columbia to implement the corrective actions described above.

In addition to being the largest HIPAA settlement to date, this is the first settlement involving multiple covered entities.  According to a statement by an OCR spokeswoman, "When entities participate in joint compliance arrangements, they share the burden of addressing the risks to [PHI].  Our cases against NYP and [Columbia] should remind health care organizations of the need to make data security central to how they manage their information systems."

This settlement is another reminder of the importance that OCR places on an accurate risk analysis that identifies all places within a system that e-PHI resides.  To avoid shared settlement payments, covered entities that permit shared access to e-PHI should closely read the NYP and Columbia resolution agreements and implement the described action items.    


New Rules Would Amend COBRA Notification Requirements to Include ACA Alternatives


The U.S. Department of Labor ("DOL") has proposed new rules that would revise an employer’s notification requirements under the Consolidated Omnibus Budget Reconciliation Act of 1985 ("COBRA") to align them with Affordable Care Act ("ACA") provisions already in effect.  

Under COBRA, group health plans must provide a general notice of COBRA rights to each covered employee and spouse at the time of commencement of coverage under the plan.  In addition, group health plans must provide qualified beneficiaries with an election notice at the time of certain qualifying events, such as termination of employment or reduction in hours that causes loss of coverage under the plan.  The election notice describes a qualified beneficiary’s rights to continuation coverage and how to make an election.  The election notice must be provided to the qualified beneficiaries within 14 days after the plan administrator receives the notice of a qualifying event.  

The DOL had previously issued a model general notice and a model election notice that were available for download on DOL's website.

On May 8, 2013, the DOL issued technical guidance which explained that some qualified beneficiaries may want to consider and compare health coverage alternatives to COBRA continuation coverage that are available under the ACA through a private health insurance market – the Health Insurance Marketplace ("the Marketplace").  The DOL also noted that some qualified beneficiaries may also be eligible for a premium tax credit to help pay for some or all of the cost of coverage in plans offered through the Marketplace.

The proposed regulations issued on May 1, 2014 eliminate the older version of the model general notice and the model election notice and permit the Department to amend the model notices as necessary and provide the most current versions of the model notices on its website.  While use of the new model notices is not required, using them will ensure compliance with COBRA notice requirements, at least until the new rules are finalized.  The proposed rules note that "[u]ntil rulemaking is finalized and effective, the Department of Labor will consider use of the model notices available on its website, appropriately completed, to be good faith compliance with the notice content requirements of COBRA."


Florida Says Can Do To Medical Cannabis


In the waning days of the 2014 legislative session, the Florida Legislature passed the Compassionate Medical Cannabis Act of 2014.  It is a very limited medical marijuana bill with very strict restrictions and conditions on use.  The bill allows access to only low-THC (tetrahydrocannabinol) cannabis (so-called "Charlotte's Web") for persons with cancer or another condition that produces seizures or severe and persistent muscle spasms.  Only physicians who are medical doctors (M.D.) or osteopathic doctors (D.O.) may order the low-THC cannabis for patients.

Among the bill's highlights are:

  • Medical use does not include smoking but can include vaporizing;
  • Patients must be Florida residents and added to a "compassionate use registry" by their physician;
  • Physicians may order this drug for these patients beginning January 1, 2015 if:
    • Patient is a Florida resident;
    • Physician has completed an 8-hour course on medical marijuana and passed an examination which must be retaken at license renewal;
    • Physician has treated the patient for one of the above conditions and "no other satisfactory alternative treatment options exist";
    • Physician determines the risks to patient are reasonable in light of potential benefits;
    • For patients under 18 years old, a second physician concurs and the concurrence is documented in the patient record;
    • Physician registers as an orderer on the compassionate use registry and lists the contents of each order on such registry;
    • Physician inactivates patient's compassionate use registration when treatment is discontinued;
    • Physician maintains a treatment plan to include dose, route of administration, planned duration, and monitoring of symptoms and reactions to treatment;
    • Physician submits the treatment plan to the University of Florida College of Pharmacy quarterly for research;
    • Physician obtains informed consent for the treatment.

The Florida Department of Health must establish an Office of Compassionate Use to regulate the medical marijuana procedures, including a secure online registry accessible to law enforcement and dispensing organizations. Up to 5 dispensing organizations – one for each region of the state – may be approved by the Department of Health in order to cultivate, process, and dispense  low-THC cannabis.  The dispensing organizations must:

  • receive approval from the Florida Department of Health;
  • employ a medical director who has completed a 2-hour course and examination;
  • possess a valid certificate of registration issued by the Department of Agriculture and Consumer Services that is issued for the cultivation of more than 400,000 plants, be operated by a nurseryman, and have been operated as a nursery continuously for 30 years;
  • have the ability to secure the premises and maintain accountability of the marijuana;
  • have an infrastructure to dispense the low-THC cannabis;
  • have the financial ability to operate for two years and post a $5 million bond; and
  • pass background checks on owners and managers.

A physician commits a first-degree misdemeanor if he or she orders low-THC cannabis for a patient without a reasonable belief that the patient is suffering from cancer or another condition that produces seizures or severe and persistent muscle spasms. 

Persons who fake an illness for the purpose of obtaining low-THC cannabis also commit a first-degree misdemeanor.

The bill also authorizes universities to conduct research on low-THC cannabis without violating drug laws.

Governor Scott is expected to sign the bill within the next few weeks. Although the bill allows physicians to begin ordering the low-THC cannabis on January 1, 2015, it is not clear if the Florida Department of Health will complete the rulemaking process to establish the Compassionate Use Registry and approve dispensing organizations by that date.  In the meantime, Florida voters will decide in November whether to more broadly legalize medical marijuana for the treatment of other medical conditions.


Coming Fall 2014: HHS Launches Permanent Audit Program


    Beginning in the Fall of 2014, a substantial number of covered entities and business associates will receive a notification and data request from the Health and Human Services' (HHS) Office for Civil Rights (OCR).  According to Rachel Seeger, an OCR spokeswoman, "we hope to audit 350 covered entities and 50 business associates in this first go-around…Selected entities will receive notification and data requests in fall 2014, with business associate audit subjects being included in 2015."  The lucky recipients will be the first participants in the OCR's effort to adopt a more aggressive approach to investigating compliance with HIPAA standards for privacy, security and breach notification.  This initiative comes just months after a December 2013 report from the HHS's Office of Inspector General (OIG), which criticized the OCR for falling behind on HIPAA enforcement and recommended that the OCR implement an audit-type function rather than relying solely on complaints as a means of assessing compliance.  In response, OCR officials have expressed agreement with this recommendation and continued steps toward maintaining a permanent audit program. 

    Over the past six years, the OCR has favored voluntary compliance or corrective action, as opposed to monetary settlements, but many fear that's about to change.  The looming permanent audit program could translate into open season on covered entities and business associates.  Since 2008, the OCR has sought and obtained 19 settlements related to HIPAA privacy and security issues, typically for some kind of data breach.  Recently, the second largest settlement on record was reached with Concentra Health Services, a Humana subsidiary, despite there having been no indication that any information was accessed or used inappropriately.  The $1.7 million settlement was obtained after Concentra self-reported data breaches, including the theft of two unencrypted laptops.  Many privacy and security experts believe large settlements will become increasingly common as a result of the OCR's increased enforcement efforts.

    So, how can covered entities prepare for the upcoming audits and continue to operate in an environment of increasing regulatory enforcement?  In March, the HHS released a security risk assessment tool to help providers with HIPAA compliance.  Significantly, this is a resource provided by HHS, and it is on the agency’s website.  While use of the tool does not guarantee that a covered entity will survive an audit unscathed, its use very likely will be a factor in how the government views a provider’s overall compliance efforts.  Just how much of a factor remains to be seen, but a prudent HIPAA compliance program would be well served to use the tools provided by HHS. 


Security Breach May Not be Covered by Your General Liability Policy


Data breaches are certainly not unique to the healthcare industry.  Large data breaches like the one experienced by Target stores in late 2013 seem increasingly common. Retail, financial, and other types of companies hold consumers' financial information, but the healthcare industry also holds sensitive health information protected by HIPAA, making a data breach all the more problematic.  Especially given the added risk, healthcare providers and insurers should make sure they are covered from lawsuits, administrative fines, and other financial losses that result from a breach. 

However, many companies still rely on corporate general liability insurance to soften the blow of a security breach.  Often, the language in those policies was drafted before so much information was digital and proven vulnerable to hackers around the globe.  Now, increasingly, general liability policies are excluding breaches, carving out those benefits into separate cybersecurity policies.  Such policies typically cover privacy notification expenses, administrative penalties, crisis management, and other costs.  This shift to separate policies can cause companies to mistakenly believe that their general liability policies still cover breaches.  Thus, healthcare companies should review their coverage and make sure that if their firewalls fail, their liability insurance won't.



Florida Acknowledges Exemption for Intracompany Sales of Pharmaceuticals


A new declaratory statement from Florida regulators clarifies the restrictions on intracompany sales of pharmaceuticals.  Previously, if one pharmacy in Florida wanted to send a bottle of prescription medicine to its sister pharmacy down the street, it had to obtain a type of wholesale drug distributor permit, as well as provide pedigree papers for the drug.  However, the new decision means intracompany sales are acceptable without such permit or pedigree.

The Florida Department of Business and Professional Regulation, Division of Drugs, Devices and Cosmetics ("Department") issued the declaratory statement in response to a request from Publix Super Markets, Inc.  Florida law requires wholesale distributors of pharmaceuticals to obtain a permit from the Department. §§ 499.01(1)(d), (2)(d), 499.003(54), Fla. Stat.  The law does not include an exemption for intracompany sales.  State law provides an exemption for drug distributions by entities under "common control", but the state exemption would still require the distributor to obtain a restricted drug distributor's permit.

However, the federal Drug Quality and Security Act ("DQSA") became law in November 2013, and in very broad language, it preempts state drug wholesale licensing laws.  The law requires a uniform national system for tracking and tracing prescription drugs through the supply chain and a uniform licensing system for prescription drug wholesale distributors, repackagers, and third-party logistics providers.  DQSA amended section 503(e) of the federal Food, Drug and Cosmetic Act, adding an exemption from the definition of "wholesale distribution" for "intracompany distribution among members of an affiliate", but that language does not go into effect until January 1, 2015.  However, the preemption language allows reliance on the Prescription Drug Marketing Act of 1997's exemption to the definition of wholesale distribution for intracompany sales. 

As a result, the Department agreed that DQSA preempts state licensing laws that are inconsistent with the law.  The Department's declaratory statement makes the following conclusions.  Although they are specific to Publix, they show how the Department would likely treat drug distributions by other pharmacies under common ownership in Florida.

  1. Publix pharmacies' sale of prescription drugs from one Publix pharmacy to other Publix pharmacies is not the wholesale distribution of prescription drugs.
  2. Publix pharmacies' transfer of prescription drugs from one Publix pharmacy to other Publix pharmacies is not wholesale distribution of prescription drugs so long as such transfers are intracompany sales.
  3. Publix pharmacies' sale of prescription drugs from one Publix pharmacy to other Publix pharmacies does not require a Florida prescription drug wholesale distributor permit.
  4. Publix pharmacies' transfer of prescription drugs from one Publix pharmacy to other Publix pharmacies does not require prescription drug pedigrees to be provided at this time, so long as such transfers are intracompany sales.  In the future, federal tracking and tracing requirements may apply.
  5. Publix pharmacies' sale of prescription drugs to the Publix chain pharmacy warehouse is not the wholesale distribution of prescription drugs.
  6. Publix pharmacies' transfer of prescription drugs to the Publix chain pharmacy warehouse is not the wholesale distribution of prescription drugs, so long as such transfers are intracompany sales.
  7. Publix pharmacies' sale of prescription drugs to the Publix chain pharmacy warehouse does not require a Florida prescription drug wholesale distributor permit and does not require Publix to provide pedigree papers for these returns.
  8. Publix pharmacies' transfer of prescription drugs to the Publix chain pharmacy warehouse does not require a Florida prescription drug wholesale distributor's permit, so long as such transfers are intracompany sales, and does not require Publix to provide pedigree papers for these returns.

Nevertheless, although intracompany sales are exempt, pharmacies that engage in other, non-exempt transactions still must obtain a Florida prescription drug wholesale distributor permit and provide a federal drug pedigree, if required.

Key Takeaways:

Corporate Florida community pharmacy businesses with more than one pharmacy may engage in intracompany sales of prescription drugs among their pharmacies without obtaining a retail pharmacy wholesale distributor permit and without providing a drug pedigree.

Pharmacies should still track these drug sales so they will have drug inventory documentation needed to defend a private or government pharmacy inventory audit.

Hospital systems should be mindful of the Robinson-Patman and contractual "own use" requirements if they engage in intracompany sales of drugs among hospital pharmacies. Thus an institutional pharmacy may not be able to engage in an intracompany sale of own use drugs to the hospital's community pharmacy, but institutional to institutional and community to community should be acceptable.

The broad federal preemption likely also applies to other states' (beyond Florida) wholesale prescription drug distribution requirements which are inconsistent with the DQSA, but potentially impacted companies should carefully review any situations outside Florida.  Even companies in Florida should consult with their attorneys to ensure their actions fall within the exemptions.
