Can a hospital be sued as a seller in a pharmaceutical product liability action?

That may be the case in Oregon as a result of a recent Court of Appeals decision there. Given the strict liability nature of the Oregon law, this is an important determination.

Stephen McConnell has the details in a post on the Reed Smith Drug & Device Law Blog.

The Department of Health and Human Services recently issued a proposed rule that would streamline the federal regulations governing the confidentiality of substance use disorder (SUD) patient records at 42 CFR Part 2 (Part 2) with the Health Insurance Portability and Accountability Act and its implementing regulations (HIPAA). Comments on the proposed rule are due to HHS by January 31, 2023

For years, health care providers regulated by both Part 2 and HIPAA and their patients, have wrestled with the inconsistencies across these two privacy frameworks. Part 2, for example, currently imposes different patient consent requirements and disclosure restrictions on Part 2-protected SUD treatment records (Part 2 Records) than HIPAA, even though such records often constitute protected health information (PHI) as well. The inconsistencies (and in some cases, conflicts) between HIPAA and Part 2 requirements have created barriers to information sharing and confusion and compliance challenges for entities regulated under both frameworks, which in turn have unnecessarily impeded treatment access and care coordination.

As noted in the HHS fact sheet and the press release issued by the Substance Abuse and Mental Health Services Administration (SAMHSA), the proposed rule would, if finalized, enhance care coordination, afford patients a formal right of access to their SUD records, and extend HIPAA’s breach notification standards to Part 2-regulated providers and information. The proposed rule would also allow health care providers to align internal privacy compliance programs, the importance of which is underscored by another proposal to impose the same HIPAA civil and criminal penalties on regulated providers for noncompliance with Part 2 regulations.

Continue Reading HHS proposes update to Part 2 confidentiality regulations to align with HIPAA

The Consolidated Appropriations Act, 2023 (P.L. 117-328) (referred to hereafter as 2023 CAA) runs more than 1,600 pages long in the official PDF version, so you would be excused if you missed a few key substantive health provisions that were included in the law.

Many of the substantive provisions of the law had been proposed as parts of other packages throughout the year, including the Infrastructure law, the FDA User Fee legislation and the Inflation Reduction Act. However, for one reason or another, these provisions were eliminated from the final versions of the laws that were passed.

The 2023 CAA included, among other aspects, changes to the Medicare payment program and sequestration requirements, additions to the accelerated approval process for drugs, a regulatory regime for cosmetics, and changes related to pre-approval communication of health care economic information to payors, formularies and similar entities.

This is the first in a series of posts exploring some of the more important policy aspects of the law. With part 1, we will explore the changes to Medicare payment rules.

Continue Reading Health Provisions of the Consolidated Appropriations Act, 2023: Part 1 Medicare Payments

The Centers for Medicare & Medicaid Services (“CMS”) has proposed a new rule that, among other changes, would amend the “identified overpayment” standard in the current regulations for Medicare to align with the False Claims Act’s (“FCA”) “knowingly” standard. The proposed rule plans to remove “the exercise of reasonable diligence” language from the relevant regulations and replace that language with the “knowingly” standard from the FCA.

The regulations at issue — 42 C.F.R. § 401.305(a)(2); 42 C.F.R. § 422.326(c) and 42. C.F.R. § 423.360(c) — are supposed to implement, in part, Section 6402(a) of the Affordable Care Act (“ACA”), codified at 42 U.S.C. § 1320a-7k. This section of the ACA explains that if an overpayment under the various Medicare programs has been identified and has not been reported and returned in a set amount of time, then an enforcement action can be brought under the FCA. This section also states that the terms “knowing” and “knowingly” have the same meaning as under the FCA.

The FCA defines these terms to mean that a person has actual knowledge of information, acts in deliberate ignorance of the truth or falsity of information, or acts in reckless disregard of the truth or falsity of information; the terms do not require a specific intent to defraud. 31 U.S.C. § 3729(b)(1).

Continue Reading CMS Proposes Amending Identified Overpayment Rules to Align with FCA Knowledge Standard

The Office for Civil Rights (“OCR”) at the U.S. Department of Health and Human Services (“HHS”) recently issued a bulletin highlighting the application of Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) to covered entities and business associates (“Regulated Entities”) under the HIPAA Privacy, Security, and Breach Notification Rules (“HIPAA Rules”) when using online tracking technologies that collect and analyze information about how internet users interact with websites or mobile applications (“Tracking Technologies”). While the Bulletin emphasizes that Regulated Entities have always been prohibited from impermissible uses and disclosures of protected health information (“PHI”) collected through Tracking Technologies, including disclosing PHI to Tracking Technology vendors without entering into business associate agreements (“BAAs”), OCR has been relatively silent on this issue to date.

To highlight the application of HIPAA to Regulated Entities leveraging Tracking Technologies, the Bulletin provides several examples of how Tracking Technologies may collect and share PHI, including on authenticated and unauthenticated webpages, as well as mobile apps. In particular, the Bulletin describes how websites and mobile apps commonly use Tracking Technologies to collect information from users, including identifiers that are unique to users’ mobile devices. This information can then be used by the owner of a website or app, a related vendor, or a third party to gain insights about users’ online activities and to create a unique profile for each user. These insights and information can be used in beneficial ways to help improve care or the patient experience, but they can also be misused to promote misinformation and for other detrimental purposes.

In a nutshell, OCR’s Bulletin stresses that when an individual uses Regulated Entities’ websites or mobile apps, information such as the individual’s medical record number, home or email address, dates of appointments, IP address, geographic location, or medical device ID may constitute PHI subject to HIPAA and should be held by Regulated Entities accordingly. According to OCR, such information generally is PHI, even if the individual does not have an existing relationship with the Regulated Entity and even if the information does not include specific treatment or billing information like dates and types of health care services. Per OCR, this is because the information connects the individual to the Regulated Entity (i.e., it is indicative that the individual has received or will receive health care services or benefits from the covered entity), and thus relates to the individual’s past, present, or future health or health care or payment for care

Continue Reading HHS OCR Issues Bulletin on HIPAA Compliance for Tracking Technologies 

Under provisions of the 21st Century Cures Act (Cures Act), providers of Medicaid-funded personal care services (PCS) and home health care services (HHCS) will need to be fully compliant with their state’s electronic visit verification (EVV) systems by January 1, 2023

Congress passed the Cures Act on December 13, 2016. Among other things, in an effort to increase transparency and reduce fraud in connection with the delivery of health care services, this law mandated that states implement EVV systems for all Medicaid-funded (including under waiver programs) PCS by January 1, 2019, and HHCS by January 1, 2023, in each case where services include an in-home visit by a provider. Subsequent legislation extended the deadline for PCS to implement EVV requirements to January 1, 2020. However, the deadline for HHCS remains January 1, 2023, and is quickly approaching.

Providers of PCS and HHCS services should make sure that they are working towards implementing EVV systems in their own business operations in compliance with applicable state requirements, the majority of which also are requiring provider compliance by January 1, 2023

Continue Reading Home Health Care Services Electronic Visit Verification System Implementation Required by January 1, 2023

The Department of Health and Human Services (“HHS”) has proposed a rule that updates retail pharmacy standards for electronic transactions adopted under the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).  There is a 60-day public comment period for this rule, which closes on January 9, 2023.  This proposed rule, if finalized, would modify the currently adopted National Council for Prescription Drug Programs (“NCPDP”) Telecommunications Standard Implementation Guide (“TSIG”) and its equivalent batch standards. 

Specifically, the proposed rule would adopt TSIG version F6, and its equivalent batch standards NCPDP Batch Standard Implementation Guide, Version 15, and Batch Standard Pharmacy Subrogation Implementation Guide Version 10 (for non-Medicaid health plans).

The new standards will allow retail pharmacies with multiple locations to send one batch mode transaction that meets the F6 standard.  Among the changes from version to version are new data fields, new data segments, and new functionality.

Continue Reading HHS Proposes Rule to Update Retail Pharmacy Standards for Electronic Transactions under HIPAA

In its latest effort to increase transparency and improve patient access to information about their health care providers the U.S. Department Health and Human Services Centers for Medicare & Medicaid Services (CMS) published a Request for Information (RFI) on October 7, 2022, seeking input on creation of a national provider directory for use by patients, regulators, and insurers.  

According to the announcement, the RFI was prompted by inefficiencies arising from “the fragmentation of current provider directories” maintained by providers, insurers and/or third-party sources that CMS believes could be remedied by a federal provider directory containing “digital contact information containing the most accurate, up-to-date, and validated . . . data in a publicly accessible index.”

The stated goal of the RFI is to examine the feasibility and requirements for a proposed National Directory of Healthcare Providers and Service (NDH). Responses to the RFI are due by December 6, 2022, and stakeholder comments already are being submitted.

Continue Reading CMS Considers National Directory of Healthcare Providers and Services

Health care and life science companies operating globally should be aware of the increased regulatory scrutiny in the U.S., the UK and Asia-Pacific when considering their obligations to monitor and retain business communications conducted through messaging platforms on employees’ personal devices. It is vital for these companies review the effectiveness of their compliance policies and procedures to monitor and preserve business communications and ensure that employees are properly disciplined when such policies are violated.

In a recent client alert, authored by Calvin ChanMichael J. LowellRizwan A. QureshiMark E. BiniDaniel H. AhnJonathan L. MarcusRosanne KaySteven LiRuiteng LiuMin Jian Chan, and Stefanie Dai, the team looks at the DOJ’s updated criminal enforcement program, the SEC and CFTC’s nearly $2 billion fines imposed on companies failing to monitor and retain business communications on messaging platforms, plus regulator activity in the UK and Asia-Pacific region in relation to this topic.

The Inflation Reduction Act included some very significant changes to the ways in which the Medicare program handles drug pricing.

Among the changes are a redesign of the Medicare Part D (prescription drug benefit) program, as well as requirements that certain drug prices be negotiated with the Centers for Medicare & Medicaid Services and a provision that drug manufacturers pay inflation rebates to on utilization of drugs covered by Medicare Part B and Part D in certain circumstances.

To address these changes to the law, Reed Smith has put together a series of alerts and webinars on the topics.

Continue Reading Analysis of Medicare Prescription Drug Pricing Changes in Inflation Reduction Act

On September 27, 2022, FDA announced the publication of a  final guidance  document entitled Clinical Decision Support Software, Guidance for Industry and Food and Drug Administration Staff (Final CDS Guidance), which focuses on clarifying the types of clinical decision support (CDS) software functions that are excluded from the definition of device by the criteria in section 520(o)(1)(E) of the Federal Food Drug and Cosmetic Act.

This final guidance document addresses industry comments made in response to FDA’s September 2019 draft guidance (Draft CDS Guidance). The Final CDS Guidance streamlines the Draft CDS Guidance by focusing the scope on CDS intended to be used by state licensed, registered, or certified health care professionals , rather than those also used by patients and caregivers, which were included in the scope of the Draft CDS Guidance.

Continue Reading FDA Announces Final Guidance on Clinical Decision Support Software

The U.S. Court of Appeals for the Eighth Circuit recently weighed in on the causation standard for False Claims Act (“FCA”) cases premised on Anti-Kickback Statute (“AKS”) violations. United States ex rel. Cairns v. D.S. Med. LLC, 42 F.4th 828 (8th Cir. 2022). The panel adopted a strict interpretation, finding that the government or whistleblowers must show a “but-for” causal relationship between kickbacks and claims for payment to establish the requisite link in the FCA liability chain, creating a circuit split on an issue that courts have struggled with for years.

The decision is notable for FCA defendants as it offers support for a defense they have long asserted, and that courts have been reluctant to condone, including an opinion from the U.S. Court of Appeals for the Third Circuit that refused to require a direct causal link between an AKS violation and a false claim.

Continue Reading Eighth Circuit Finds “But-For” Causation Standard for AKS-Premised FCA Cases

Following closely after the clarifying independent dispute resolution process Final Rule, the four executive branch entities tasked with implementing the provisions of the No Surprises Act, the Office of Personnel Management, the Centers for Medicare & Medicaid Services (CMS), Employee Benefits Security Administration and the Internal Revenue Service have issued a request for information to help the agencies craft the next stage of regulations for the surprise billing law.

The request is the latest effort by agencies to seek stakeholder input on the contours of the regulations implementing the No Surprises Act, this time with a focus on the requirements in the law for providers to issue a good faith estimate (GFE) to plans for services that their covered patients will submit for reimbursement and for insurers to issue an advanced explanation of benefits (AEOB) to their plan participants based on estimated charges relayed to them by providers.

Specifically, the entities are looking for information and recommendations on the process of transferring data from providers and facilities to plans, issuers and carriers to facilitate the GFE and AEOB processes, as well as the economic impacts of implementing these requirements. The notice was added to the Federal Register on Friday, Sept. 16 and comments are due to the agencies by November 15.

Continue Reading Agencies Look for Input on No Surprises Act Good Faith Estimate Rules

The Department of Health and Human Services Office of Inspector General (HHS-OIG) recently published a Special Fraud Alert warning health care providers (e.g., prescribers, pharmacies, durable medical equipment providers, clinical laboratories) to steer clear of certain telemedicine arrangements and outlining seven “suspect” characteristics that may present heightened risk of fraud and abuse.

The alert coincides with a third round of criminal “telemedicine takedowns” announced by the Department of Justice (DOJ)  in the last several years, reflecting DOJ’s continued focus on identifying and dismantling fraudulent arrangements that exploit telemedicine technologies and related regulatory flexibilities in the wake of the COVID-19 pandemic.

Telemedicine technologies have created a multitude of opportunities for growth and innovation within the health care industry and are well-positioned to become an ongoing cornerstone of our health care delivery system. However, given the increased level of regulatory scrutiny of telemedicine arrangements, providers and telehealth technology companies, including drug and device manufacturers that offer telemedicine technologies (e.g., platforms, mobile applications) for prescribers and patients that facilitate virtual care,  should carefully plan and closely evaluate existing arrangements to ensure compliance with applicable state and federal laws and avoid implication amongst the recent uptick in enforcement.

Continue Reading Telehealth Under Scrutiny: OIG Special Fraud Alert and DOJ Enforcement Highlights Suspect Characteristics Associated with High-Risk Telemedicine Arrangements

After a long line of opinions scrutinizing the use of rewards programs offered by providers, the Department of Health and Human Services’ Office of Inspector General (“OIG”) issued Advisory Opinion 22-16 on August 19, 2022– a favorable opinion for the provision of gift cards to Medicare Advantage (“MA’) plan enrollees who complete educational modules as part of an online surgical treatment learning tool.

The opinion adds flexibility to existing opinions on gift cards and patient engagement programs and, while binding only on the requestor, provides insight into the OIG’s evolving view of these programs.

Continue Reading OIG Approves Rewards Program for Medicare Advantage Organizations

On August 26, 2022, the Departments of Health and Human Services, Labor, and Treasury (the “Departments”) issued the highly anticipated Requirements Related to Surprise Billing (“August 2022 Final Rule”) and associated guidance materials concerning the independent dispute resolution (“IDR”) process established by the No Surprises Act. The August 2022 Final Rule is narrow in scope and responds to two recent decisions by the Eastern District of Texas vacating portions of the October 2021 Interim Final Rule, Requirements Related to Surprise Billing: Part II (“IFR II), and incorporates stakeholder comments solicited by the Departments.

Importantly, as discussed more below, the August 2022 Final Rule removes the qualifying payment amount (“QPA”) as the presumptive factor in IDR payment decisions and requires health plans to submit additional information in the IDR process for cases where a claim at issue was “downcoded” by the plan.   

The August 2022 Final Rule will take effect October 25, 2022, 60 days after its publication in the Federal Register

Continue Reading Departments issue new Final Rule and guidance materials for No Surprises Act IDR process

The U.S. Supreme Court on July 26 issued its judgment in the case of Dobbs v. Jackson Women’s Health, officially setting in motion abortion bans in at least four states.

A “judgment” is distinct from the opinion and typically follows issuance of the opinion by about a month. This certified document from the clerk of The Supreme Court is usually simply a formality to allow the Court of Appeals from which the case originated to either close its docket or begin the process of implementing what was ordered on remand.

In the Dobbs case, the Supreme Court issued its opinion (142 S. Ct. 2228) on June 28, but the judgment issued from the clerk’s office to the Fifth Circuit about 30 days later.

Because of the way the trigger bans in at least four states were worded, the issuance of the judgment on July 26 also started the clock on the enforcement of those states’ laws. The trigger laws in Texas, Tennessee, Idaho, and North Dakota will each take effect 30 days after the judgment was issued, i.e., on August 25, 2022.

Continue Reading Supreme Court judgment triggers abortion bans in states, legislative action in others

The U.S. Department of Health and Human Services Office of the National Coordinator for Health Information Technology (ONC) released earlier this year the Trusted Exchange Framework and Common Agreement (TEFCA), which is intended to improve electronic interoperability among health information networks (HINs) and facilitate the exchange of health information among connected organizations. 

Importantly, TEFCA is not just about HINs.  Under TEFCA, any organization that connects to a HIN designated as a Qualified HIN (QHIN) may be able to meet many interoperability and information sharing obligations without implementing technology integrations on a request-by-request basis.  ONC believes that TEFCA will “reduce the need for duplicative network connectivity interfaces, which are costly, complex to create and maintain, and an inefficient use of provider and health IT developer resources.” ONC stated that connected organizations “will be able to share information with all other connected entities regardless of which QHIN they choose.” 

However, participation in TEFCA comes with a price.  Organizations that connect to QHINs, either directly or indirectly, will likely need to agree to new contractual requirements that flow-down from QHINs.

Continue Reading ONC’s Trusted Exchange Framework and Common Agreement (TEFCA): Impacts on Health Information Networks and Health Care Organizations

On June 29, 2022, the U.S. Department of Health & Human Services’ Office for Civil Rights (“OCR”) issued two pieces of guidance clarifying the applicability of the Health Insurance Portability and Accountability Act (“HIPAA”) related to privacy of information connected to an individual’s reproductive health. 

Through this guidance, HIPAA addresses both protected health information (“PHI”), which is subject to HIPAA’s rules, as well as general, personal information that is not directly protected by HIPAA.

Continue Reading New Guidance by OCR addresses HIPAA and Disclosures of Information relating to Reproductive Health

As the health care industry as a whole comes to grips with the fallout from the U.S. Supreme Court’s decision to overturn Roe v. Wade in Dobbs v. Jackson Women’s Health, here at Reed Smith we have formed a Reproductive Health Working Group to bring expertise from the across our many specialty areas to help our clients to prepare for the post-Dobbs reality.

To that end, we have generated a series of “unanswered questions” client updates to reflect the issues that a Roe reversal may have for the health care industry. Earlier posts on this blog have shared the parts of that series that focused on pharmacieshealth care providers, and fertility practices, and employee benefit plans.

The Working Group has put together two new updates to branch into the employment and privacy areas.

Continue Reading Unanswered Questions on Privacy and Employment from Supreme Court Overturn of Roe v. Wade