Health Law Update – February 11, 2016

Alerts / February 11, 2016

Welcome to this week's edition of the Health Law Update.

  • Breaking News: 60-Day Overpayment Rule Finalized
  • FDA Issues Guidance on Cybersecurity Issues for Postmarket Medical Devices
  • SAMHSA Proposes Updates to Substance Abuse Records Security and Confidentiality Regulations
  • Providers Oppose CMS Proposal Targeting Prescription Drug Abuse by Part D Enrollees
  • Pharmaceutical Life Cycle Management: Navigating the New IP, FDA, and Antitrust Terrain
  • Lee Rosebush Authors Book Chapter on Pharmacy Compliance Issues
  • Events Calendar

Breaking News: 60-Day Overpayment Rule Finalized

By B. Scott McBride and Darby C. Allen

The Centers for Medicare and Medicaid Services (CMS) released its final rule implementing Section 6402(a) of the Affordable Care Act that requires Medicare providers and suppliers to report and return overpayments within 60 days after the date on which the overpayment was identified in most instances. Failure to report and return overpayments in accordance with this provision could expose a provider to False Claims Act liability, civil monetary penalties, or exclusion. CMS spent nearly four years considering significant concerns about the proposed rule that were raised by stakeholders and has made a number of changes in the final regulation. There are two changes in the final rule that are particularly important to providers and suppliers as they conduct internal reviews of potential overpayments.

The first issue is the definition of “identified.” The date an overpayment is “identified” is vitally important under the statute because it starts the clock on the 60-day deadline to report and return an overpayment. CMS originally proposed that a person has identified an overpayment “if the person has actual knowledge of the existence of the overpayment or acts in reckless disregard or deliberate ignorance of the overpayment.” As we described in our comment to the proposed rule, this proposed definition was not supported by legislative history, raised significant practical concerns, and failed to recognize the operational and practical realities involved in investigation and quantification of an overpayment. The final rule is much improved and provides that a person will be deemed to have “identified an overpayment when the person has, or should have through the exercise of reasonable diligence, determined that the person received an overpayment and quantified the amount of the overpayment.” Of note, “reasonable diligence” is being interpreted by CMS as the timely, good faith investigation of credible information, which is at most six months from receipt of the credible information, except in extraordinary circumstances.

The second major change in the final rule is the length of the lookback period. CMS originally proposed a 10-year lookback period to correspond with the outer limit of the False Claims Act statute of limitations. Many comments to the proposal pointed out that a 10-year lookback period would be inconsistent with longstanding CMS policies regarding reopening and administrative finality, and would exceed record-retention requirements. The final rule adopts a reduced lookback period of six years. Of note with this change are comments by CMS that providers and suppliers reporting overpayments through the CMS Self-Referral Disclosure Protocol on or after the effective date of the rule are subject to the six-year lookback period as opposed to the four-year reopening period that is currently considered by CMS, although there are certain nuances of how that would operate. Also, CMS confirmed that recovery audit contractor (RAC) findings are credible information of potential overpayments and can trigger obligations to conduct further review.

We will provide further analysis of CMS commentary to the final rule in the coming weeks.

FDA Issues Guidance on Cybersecurity Issues for Postmarket Medical Devices

By Lance L. Shea and Joel D. Gottesman

On January 22, 2016, the Food and Drug Administration (FDA) issued draft guidance on cybersecurity risks associated with medical devices, and addressed steps that device manufacturers should take to mitigate such risks. The guidance, titled Postmarket Management of Cybersecurity in Medical Devices (Postmarket), is intended to clarify the FDA’s recommendations and emphasize the importance of monitoring, identifying, and addressing cybersecurity vulnerabilities in medical devices once they are on the market. It applies to those medical devices that contain software (including firmware) or programmable logic, and to software that itself is a medical device.

The FDA’s guidance is the latest in a continuing effort to address ongoing cybersecurity threats standing in the way of safe and effective healthcare. It follows the FDA’s heavily criticized premarket guidance from 2014, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, and also builds on steps the federal government has taken in recent years, including executive orders aimed at improving cybersecurity infrastructure and promoting cybersecurity information sharing, and a public workshop hosted by various federal agencies to discuss collaborative approaches to the issue. Incorporating guidance from these and other findings, Postmarket provides medical device manufacturers with the FDA’s current thinking on how best to institute a comprehensive risk-management framework.

What Steps Should I Take to Best Mitigate Risk?

Postmarket discusses numerous steps which manufacturers should take to help mitigate cybersecurity risks of postmarket devices. Some of these steps include:

  • Applying the 2014 National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity. This voluntary guidance incorporates the core principles of Identify, Protect, Detect, Respond, and Recover. The FDA maintains that implementing a framework that includes these five principles is integral to any comprehensive plan to manage postmarket cybersecurity threats, and provides device manufacturers detailed guidance on how to implement this framework effectively.
  • Participating in an Information Sharing Analysis Organization (ISAO). As was first suggested by President Obama in a February 2015 executive order titled Promoting Private Sector Cybersecurity Information Sharing, the FDA believes that ISAOs are key information sharing vehicles between the private and public sectors and considers voluntary participation in an ISAO a critical component of an effective approach to managing cybersecurity threats. In some cases, participation in an ISAO may relieve a manufacturer of certain federal reporting requirements.

Furthermore, the FDA encourages manufacturers to abide by federal code and implement a comprehensive cybersecurity risk management program which addresses, among other things, vulnerabilities which may permit the unauthorized access, modification, misuse, or denial of use, or the unauthorized use of information that is stored, accessed, or transferred from a medical device to an external recipient which may impact patient safety. Critical aspects of such a program include:

  • Monitoring cybersecurity information sources for identification and detection of cybersecurity vulnerabilities and risk;
  • Understanding, assessing, and detecting the presence and impact of a vulnerability;
  • Establishing and communicating processes for vulnerability intake and handling;
  • Clearly defining essential clinical performance to develop mitigations to protect against, respond to and recover from the cybersecurity risk;
  • Adopting a coordinated vulnerability disclosure policy and practice; and
  • Deploying mitigations that address cybersecurity risk earlier and prior to exploitation.

What Should I Do if I Find Vulnerabilities?

In most cases where a cybersecurity vulnerability is present, corrective actions taken by manufacturers to address it will be considered “routine updates or patches” and will not require advance notification, additional premarket review, or reporting under federal regulations. However, where vulnerabilities compromise the essential clinical performance of a device and present a reasonable probability of serious adverse health consequences or death, the agency will require notice.

Where vulnerabilities are quickly addressed in a manner that “sufficiently reduces the risk of harm to patients,” and where certain conditions are met, the agency does not intend to enforce urgent reporting requirements. These conditions include:

  • There are no known serious adverse events or deaths associated with the vulnerability.
  • Within 30 days of learning of the vulnerability, the manufacturer identifies and implements device changes and/or compensating controls to bring the residual risk to an acceptable level and notifies users.
  • The manufacturer is a participating member of an ISAO.

The latest FDA guidance underscores the federal government’s commitment to mitigating growing cybersecurity threats in the healthcare sector. It also signals the importance to medical device manufacturers of being proactive in their efforts to mitigate cybersecurity threats, not only in design and implementation, but also in the continued use of their devices. Those device manufacturers that take proactive measures using the framework provided by the FDA may be subject to less scrutiny and fewer federal reporting requirements, and will be best positioned to effectively manage unforeseen threats to patient safety.

The FDA is seeking public comment on this draft guidance through April 21, 2016.

SAMHSA Proposes Updates to Substance Abuse Records Security and Confidentiality Regulation

By Suchismita Pahi

The U.S. Department of Health and Human Services’ (HHS) Substance Abuse and Mental Health Services Administration (SAMHSA) has released proposed changes to the Confidentiality of Alcohol and Drug Abuse Patient Records regulations (42 C.F.R. Part 2) for the first time since 1987. The proposed changes address challenges that 42 C.F.R. Part 2 programs have faced since the health industry began adopting electronic health information records systems. To that end, the revisions set out in the February 9, 2016 proposed rule are largely meant to facilitate the transfer of information in Health Information Exchanges (HIEs) and establish protection for substance abuse records in the electronic health records environment. The proposed rule will enable entities to properly vet HIEs, ensure that patients can receive appropriate emergency care and disclose patient information in a less segmented manner, facilitating greater coordinated patient care.

Originally enacted in 1975, the law governing the confidentiality of substance abuse records was written to protect the confidentiality of patient records (specifically patient identity, diagnoses, prognoses, and treatment) “in any federally assisted program or activity relating to substance abuse education, prevention, training, rehabilitation or research.” The proposed rule seeks to maintain the balance established by the existing rule for accessing information for treatment with the need to protect patients – due to the potential for negative effects if the records are exposed. These include loss of housing, loss of child custody, discrimination by medical professionals and insurers, loss of employment, arrest, prosecution and incarceration.

Specific changes in the proposed rule include, among others:

  • Allowing patients to use a general designation for disclosure of information (such as a treatment facility, instead of a specific treatment provider).
  • Requiring Part 2 programs or holders of patient identifying information to include a statement on the disclosure consent form explaining that patients have the right to request and obtain a list of entities to which their information has been disclosed.
  • Clarifying that only information that indirectly or directly identifies an individual as having been diagnosed, treated, or referred for treatment for a substance abuse disorder is prohibited from re-disclosure.
  • Adapting the medical emergency exception regulatory language to match the statutory language, thus allowing providers greater flexibility in determining when a “bona fide medical emergency” exists.
  • Revising research exceptions.
  • Permitting audits or evaluations necessary to meet the requirements of accountable care or similar organizations regulated by CMS, including a CMS-regulated Qualified Entity.

SAMHSA is specifically soliciting public input on the following:

  • Whether or not to expand data linkages for researchers beyond federal data repositories – and if yes – to describe confidentiality, privacy, and security safeguards in place for non-federal repositories and whether those safeguards are sufficient to protect the security and confidentiality of patient information; and
  • Whether patients should be able to determine the specific members or participants authorized to receive their information from an organization that is an “intermediary” and what changes this would require for the consent form.

According to HHS, the proposed rule provides “more stringent federal protections for patients with substance use disorders records than most other health privacy laws, including HIPAA.” The comment period is open until April 11, 2016, through mail, hand delivery, or courier and the Federal eRulemaking Portal.

Providers Oppose CMS Proposal Targeting Prescription Drug Abuse by Part D Enrollees

By Kameron L. Brackins

Providers have voiced opposition to a proposal aimed at targeting Medicare Part D enrollees with “potential opioid or acetaminophen overutilization issues that indicate the need to implement appropriate controls on these drugs for the identified beneficiaries.” Under a recently proposed rule on revised discharge planning requirements, CMS solicited comments on whether providers should be required to consult a patient’s history on their state’s Prescription Drug Monitoring Program (PDMP) in an effort to identify the patient’s risk of nonmedical use of controlled substances. PDMPs are state-run electronic databases that track prescribed and dispensed controlled prescription drugs to patients. According to CMS, “This information can help prescribers and pharmacists identify high-risk patients who would benefit from early interventions.”

Comments to the proposed rule show strong opposition by providers to the PDMP review requirement. Of principal concern are the many challenges associated with obtaining a reliable picture of a patient’s history from the PDMPs. For example, the American Medical Association commented that a review of a patient’s history on the PDMP may not portray an accurate or complete picture of the patient’s history, noting that patients who receive multiple controlled substance prescriptions from multiple pharmacies may reveal uncoordinated care, a patient who needs counseling or a referral for treatment, or a patient who has legitimately been issued those prescriptions. Many commenters also pointed to the logistical burdens of a PDMP review requirement, noting that PDMPs do not coordinate local, intrastate, or international tracking.

The potential for inefficiencies with the patient discharge process was another worry reflected by the comments. Of particular concern was the agency’s solicitation of public input on whether a PDMP review should be required for all patients “even if the practitioner is not going to prescribe a controlled substance.” Commenters cautioned that a blanket review requirement would overwhelm current patient discharge and transfer systems and distract from the focus on true high-risk groups. They also expressed concern that a PDMP review program would require a substantial investment to ensure the accuracy of patient history.

CMS has not said when a final rule on the revised discharge planning requirements might be expected. However, the input received by CMS in response to its solicitation of comments on the proposed PDMP review requirement indicates that more work and further vetting will be required. Time will tell whether CMS will heed the warnings and concerns expressed by the provider community on the many challenges associated with implementing PDMP review.

Pharmaceutical Life Cycle Management: Navigating the New IP, FDA, and Antitrust Terrain

Efforts to extend the life cycle of pharmaceutical products frequently involve innovations and improvements in product design, formulation, route of administration and treatment indications. In addition, negotiation of agreements with competitors, including generic and biosimilar manufacturers, is frequently employed as part of a life cycle management strategy. However, recent changes in patent, regulatory, and antitrust laws have introduced greater complexity and higher risk into these strategies.

On October 23, 2015, a distinguished panel of BakerHostetler partners led an exclusive seminar in person and online at which they discussed these and related issues and provided suggestions for developing successful life cycle management strategies. Partners Carl Hittinger, Lee Rosebush, Lance Shea and Maurice Valla are all deeply knowledgeable attorneys with decades of experience in helping clients meet their pharmaceutical business objectives.

We are delighted to share with you a brief on the seminar highlights, and hope you enjoy these insider perspectives on issues and approaches for developing successful life cycle management strategies.

Read the brief.

Lee Rosebush Authors Book Chapter on Pharmacy Compliance Issues

Partner Lee Rosebush is the author of a chapter in Inside the Minds of FDA Experts, a Thomson Reuters book covering recent developments in Food and Drug Administration law. Rosebush’s chapter, “Pharmacy Compliance Issues: The DQSA and More,” discusses recent compliance news affecting pharmacies, including a new federal law specific to pharmacy compounding.

Read the chapter.

Events Calendar

February 25, 2016

Houston Partner Lynn Sessions will speak on “Cyber Liability and Privacy Issues” at the Central Texas Chapter Meeting of the Risk and Insurance Management Society in Austin, TX.

Washington, D.C., Partner Lee H. Rosebush will present on “Best Practices in Calculating & Reporting Transfers of Value for Medical & Scientific Communications” at the Q1 5th Annual Medical Communications & Scientific Information Conference in Boston, MA.

March 5, 2016

Washington, D.C., Partner Lee H. Rosebush will present on “Compounding Medication: Are You Liable?” at the American Pharmacists Association 2016 Annual Conference in Baltimore, MD.

April 4, 2016

Houston Partner Gregory S. Saikin will participate in a webcast, “FCPA Investigation Cooperation: Avoiding Common Mistakes,” for The Knowledge Group.

April 20, 2016

Houston Partner Lynn Sessions will participate on a panel along with other industry experts to discuss “Healthcare Data Breach: Another Day, Another Breach” at the 2016 Medical PL Symposium sponsored by the Professional Liability Underwriting Society in Chicago, IL.

April 21, 2016

Washington, D.C., Partner Lee H. Rosebush will present on “Drug Pricing in Pharmacy & PBM Contracting – What Does it all Really Mean?” at the Academy of Managed Care Pharmacy (AMCP): Managed Care & Specialty Pharmacy Annual Meeting in San Francisco, CA.

Baker & Hostetler LLP publications are intended to inform our clients and other friends of the firm about current legal developments of general interest. They should not be construed as legal advice, and readers should not act upon the information contained in these publications without professional counsel. The hiring of a lawyer is an important decision that should not be based solely upon advertisements. Before you decide, ask us to send you written information about our qualifications and experience.
