Topics covered in this issue of the Health Law Update include:
DRUG PEDIGREE STALLED ON CONSTITUTIONAL GROUNDS
A portion of FDA's drug pedigree requirements have been stalled by court order. Drug wholesalers filed a complaint claiming that the FDA drug pedigree rule unconstitutionally imposed different requirements on authorized and unauthorized distributors. The Prescription Drug Marketing Act (PDMA) defines authorized distributors as those "with whom a manufacturer has established an ongoing relationship to distribute such manufacturer's products." Under the PDMA, all authorized distributors are exempt from the pedigree requirements.
FDA's implementation of a drug pedigree system, originally mandated by Congress in 1988, has been delayed most often due to the unavailability of the technology necessary to seamlessly integrate a drug pedigree system. This track-and-trace capability originally tested on several drug products most susceptible to counterfeiting and diversion will be required for all drug products once implemented. Another issue stalling the start of the drug pedigree system is that while FDA requires pharmaceutical tracking, responsibility for implementation falls to the states. Those states facing the most problems with drug counterfeiting and diversion have developed pedigree plans, but with different tracking requirements placed on pharmaceutical manufacturers, wholesalers, and retail establishments.
This patchwork approach prompted Rep. Steve Buyer (R-Indiana) and Rep. Jim Matheson (D-Utah) to introduce legislation in April 2008 requiring the FDA, with oversight by the Government Accountability Office, to develop a drug identification and tracking system that will "authenticate the wholesale distribution history of any prescription drug." This legislation, "The Safeguarding America's Pharmaceuticals Act of 2008" (H.R. 5839) requires development of a standardized numerical system that is unique to each unit of a prescription drug.
Costs associated with implementation of track-and-trace technology is estimated at $84,000 to $110,000 per pharmacy site. These costs have prompted groups such as the National Community Pharmacists Association and the National Association of Chain Drug Stores to push back, citing that other more cost-effective measures to ensure the security of the U.S. drug supply be explored.
For more information, please contact Karen A. Weaver, kweaver@bakerlaw.com or 310.442.8866.
IDENTITY THEFT—RED FLAG RULES
The Federal Trade Commission, together with most other federal financial regulators jointly issued "Red Flag rules" under the Fair and Accurate Credit Transactions Act of 2003 (15 U.S.C. 1681m(e)) to require creditors to develop and implement written programs to detect, prevent, and mitigate identity theft in connection with credit transactions (hereinafter, "Program") by November 1, 2008. As is the case with the Health Insurance Portability and Accountability Act (HIPAA), the Red Flag rules provide covered healthcare entities with significant flexibility in implementing their Program, taking into account the size, complexity and nature of a healthcare provider's operations.
Hospitals and healthcare providers are generally subject to the Red Flag rules only if the provider regularly extends, renews or continues credit; arranges for the extension of credit; or is an assignee of an original creditor and participated in the decision to extend the credit, with respect to a "covered account." A covered account includes any account where (1) the debt was for personal, family, or household purposes and the credit involves or was designed to permit multiple payments or transactions, or (2) any other account for which there is a reasonably foreseeable risk to (a) customers or patients, or (b) the safety and soundness of the creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks. The term "credit" refers to the right to defer payment of a debt or to purchase property or services and defer payment therefor. Accepting credit cards as a form of payment does not, in and of itself, make an entity a creditor.
Under the Red Flag rules, creditors' written Programs must establish policies and procedures to:
Guidelines (published as Appendix J to 12 C.F.R. Pt. 41) also were promulgated by the federal agencies to assist creditors in creating a Red Flag Program.
Providers must obtain approval of the initial written Program from either the board of directors or an appropriate committee of the board of directors. Providers must assign specific responsibility for carrying out the Program to the board of directors, an appropriate board committee, or a designated employee at the level of senior management with respect to the oversight, development, implementation, and administration of the Program. In addition, staff must be trained to effectively implement the Program.
It is important to remember that the Red Flag rules are in addition to the HIPAA privacy rule as well as the various state security breach notification statutes, identity theft prevention laws, and federal (15 U.S.C. § 1681c(g)) and state limitations on credit card account number receipt truncation laws (i.e., laws that prohibit disclosing more than the last five digits of a credit card account number, and in some cases, the expiration date of a credit card on a credit card receipt).
A good listing of the various state security breach statutes is available online. For a more complete discussion of the Texas identity theft prevention statute, please see the May 2, 2007, issue of the Health Law Update.
For more information, please contact Robert M. Wolin, rwolin@bakerlaw.com or 713.646.1327.
HIPAA: OCR OFFERS PRACTICAL COMMUNICATIONS GUIDANCE FOR PATIENTS AND PROVIDERS
On September 16, 2008, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) issued two brochures, one for patients and the other for providers, that offer guidance under HIPAA regarding when healthcare providers may communicate about a patient with the patient's family, friends, or others involved in their care (hereinafter collectively referred to as "OCR Guidance"). Formatted as a list of commonly-asked questions about HIPAA, the OCR Guidance could be construed as "common sense" answers to questions that typically arise when the HIPAA privacy rule is interpreted so literally as to cause providers to unnecessarily withhold a patient's healthcare information from family and friends.
The OCR Guidance clarifies that a provider may discuss a patient's healthcare information with a family member, friend, or other person involved in the patient's care or payment for such care, when the patient is present and either agrees, or when given the opportunity, does not object to the disclosure. For example, an emergency room doctor may discuss a patient's treatment in front of a patient's friend if the patient asks that the friend come into the treatment room; or a doctor may give information about a patient's mobility limitations to a family member who is driving the patient home from the hospital.
Providers are reminded by the OCR Guidance that they may share or discuss only the information that the person involved needs to know about the patient's healthcare or payment. Additionally, in circumstances where a patient is not present or is incapacitated, a provider may share information which the provider determines, in his or her professional judgment, is in the best interest of the patient.
Healthcare providers are not required to document a patient's decision to allow the provider to share information with family or friends who are involved in the patient's care. When a provider is allowed to share information as described above it may be shared over the phone, face-to-face, or in writing. If over the phone, HIPAA does not require proof of identity.
Finally, the OCR Guidance (1) clarifies that a family member, friend, or other person may pick up a filled prescription, medical supplies, X-rays, or similar forms of patient information for the patient, and (2) addresses instances when a provider must share information with an interpreter for communicating with patients or their families, friends, or others involved in their care or payment for care.
For more information, please contact Laurie Levin, llevin@bakerlaw.com or 407.649.4076.
ADDITIONAL EMPLOYER COSTS UNDER BLOODBORNE PATHOGEN RULE
The Third Circuit Court of Appeals recently ruled that healthcare employers must not only pay for the cost of the medical evaluations and vaccinations for workers who have had a bloodborne pathogen exposure, but also must (1) reimburse workers for transportation expenses incurred to obtain care, and (2) compensate workers for their non-work hours spent receiving initial or follow-up bloodborne pathogen exposure treatments. Secretary of Labor v. Beverly Healthcare-Hillview, No. 06-4810 (3d Cir. Sept. 4, 2008).
This ruling confirmed OSHA's Director of Compliance Programs opinion letter dated July 7, 1999, which provided that (1) transportation costs incurred for medical evaluations and procedures including the hepatitis B vaccine and vaccination series and post-exposure evaluation and follow-up, including prophylaxis, must be covered by the employer; and (2) when receiving the hepatitis B vaccine or commuting to have it administered, employees must be considered "on-duty" for compensation purposes.
Neither the court nor the opinion letter offers guidance with respect to the compensation rate to be paid to former employees receiving initial or follow-up bloodborne pathogen exposure treatments.
TEXAS SUPREME COURT UPHOLDS HOLDING OF GROSS NEGLIGENCE IN MEDICAL MALPRACTICE CASE
On August 29, 2008, the Texas Supreme Court upheld a jury finding of gross negligence in a decision that serves as warning to providers who may elect to outsource emergency medical services without guaranteeing response time. Additionally, the case addresses the application of damage caps to both actual and punitive damages awarded by the trial court. In Columbia Medical Center of Las Colinas Inc. v. Hogue, the lower court awarded punitive damages in the amount of $21 million and actual damages in the amount of $9.2 million. These were adjusted in accordance with tort reform caps to $1.47 and $3.36 million. The Supreme Court upheld the actual and punitive damages, as adjusted by the Texas Court of Appeals, of $3.36 million for punitive and $1.47 million for actual damages.
The hospital elected to outsource echocardiograms, declined a more expensive option to obtain immediate echocardiogram response, and failed to communicate this restriction to its medical staff, which ultimately was determined to have caused the death of a patient.
The court determined that while outsourcing in itself is not necessarily problematic, "the lack of an effective procedure for getting these critical services on a stat basis…supports the jury's gross negligence finding." The court warns that it does "not hold that Texas law requires all hospitals to provide all services to all patients." However, the determinative facts in this case include the fact that the hospital knew of the necessity of rapid echocardiogram capabilities in emergency care but failed to (1) ensure an appropriate response time, (2) inform the medical staff of that restriction, and (3) provide an effective procedure to respond to the situation.
For more information, please contact Susan Feigin Harris, sharris@bakerlaw.com or 713.646.1307, or Ameena N. Ashfaq, aashfaq@bakerlaw.com or 713.646.1329.
Baker & Hostetler LLP publications are intended to inform our clients and other friends of the Firm about current legal developments of general interest. They should not be construed as legal advice, and readers should not act upon the information contained in these publications without professional counsel. The hiring of a lawyer is an important decision that should not be based solely upon advertisements. Before you decide, ask us to send you written information about our qualifications and experience. [Florida Rule 4-7.2(d)] © 2008 Baker & Hostetler LLP