Coronavirus is Deregulating Healthcare One FDA Guidance At a Time

One unintended consequence of COVID-19 has been a paradigm shift within the healthcare industry, which now prioritizes value-based, patient-centric remote monitoring solutions and non-contact technologies. COVID-19 has created a demand for digital health technologies to provide relief for public health professionals and individuals alike. This is not to say that digital technologies did not already exist, because they did. Rather, according to a 2019 Price Waterhouse Cooper survey, 94% of participants pointed to data-protection and privacy regulations, the Health Insurance Portability and Accountability Act (HIPAA) and the expansion of HIPAA rules and penalties under the Health Information Technology for Economic and Clinical Health (HITECH) Act as factors limiting implementation of digital technologies. This blog post will explain the significant de-regulation efforts enacted by the Federal Drug Administration (FDA) to ultimately conclude why it is such an important time for the private sector to invest in digital health technologies.

Historically, venture capitalists and businesses looking to build and invest in digital health products and services have viewed the FDA as being “closed for business when it comes to innovation.”[1] However, the COVID-19 pandemic has drastically changed the regulatory giant’s approach to healthcare related products and services. At the end of March 2020, the FDA created the Coronavirus Treatment Acceleration Program (CTAP) to provide regulatory advice, guidance and technical assistance to potential sponsors seeking to develop drugs and biologic therapies for COVID-19. The FDA’s new approach is to accelerate the investigation of safe and effective therapies that could benefit people affected by the COVID-19 pandemic.

On May 11, 2020, the FDA finally issued two guidances intended to ease the regulatory burden of developing drugs and biologics to treat or prevent COVID-19. The first guidance document is titled, “COVID-19, Public Health Emergency: General Considerations for Pre-IND Meeting Requests for COVID-19 Related Drugs and Biological Products” (Pre-IND Guidance). The Pre-IND Guidance directs sponsors to “initiate all drug development interactions for COVID-19 related drugs through Investigational New Drug (IND) meeting requests,” instead of submitting pre-emergency use authorization (pre-EUA) requests. The Pre-IND Guidance highlights the importance of putting together a quality submission when engaging with the FDA. Now, the pre-IND meeting request and package development process has been streamlined into a single step. This is especially important because the FDA will respond to a pre-IND meeting request as a “written response only meeting,” meaning that there may not be an opportunity to provide additional information. The goal of this guidance is to provide explicit direction in assisting drug manufacturers to get their products into clinical trials efficiently.

The second guidance provides recommendations for clinical trial design for Phase 2 and 3 clinical trials intended to establish safety and efficacy for therapeutic or prophylactic drugs and biologics with the goal of potentially approving safe and effective drugs to address the COVID-19 pandemic. The guidance “strongly recommends that drugs to treat or prevent COVID-19 be evaluated in randomized, placebo-controlled, double-blind clinical trials using a superiority design.” It also includes a list of what it believes to be important clinical outcome measures for treatment trials, including all-cause mortality, respiratory failure, need for invasive mechanical ventilation and sustained clinical recovery.

Additionally, the FDA has also started Emergency Use Authorization (EUA) as one tool to help make certain medical products become quickly available during COVID-19. The issuance of an EUA essentially allows access to medical products that can be used when there are no adequate, approved and available options. Under the EUA, the FDA authorizes the product’s use based on the best available evidence. For example, after initial data from a clinical trial showed that remdesivir may benefit some patients with COVID-19, the FDA authorized remdesivir to be provided under the terms of an EUA to hospitalized patients with severe COVID-19.

We are seeing the fruits of this de-regulation. On June 6, 2020, the FDA authorized the first standalone at-home sample collection kit that can be used with certain authorization tests. The FDA issued an EUA to Everlywell, Inc. for the Everlywell COVID-19 Test Home Collection Kit. Individuals at home, who have been screened using an online questionnaire that is reviewed by a health care provider, can self-collect a nasal sample at home using the kit. The FDA also authorized two COVID-19 diagnostic tests, performed at specific laboratories, for use with the samples collected by individuals using the Everlywell kit. In the future, additional tests may be authorized for use with the kit. This exemplifies how de-regulation opens the door for innovative digital services that focus on public-private partnerships to deliver personalized, at home medical access. Currently, the Everlywell home-collection kit is the only authorized COVID-19 at-home sample collection kit for use with multiple authorized COVID-19 diagnostic tests.

Sadly, as of this writing we are seeing an uptick in confirmed COVID cases across the country. Given the FDA’s loosened regulations, there is a greater potential to meet the continued need to bring digital health services, medical devices, and drugs to the market to safely and effectively prevent or treat COVID-19. Stay tuned for Vandenack Weaver’s continuing coverage on the changing landscape of health-care law during this turbulent and historic time. Next week we will evaluate the changes related to certain device software functions and the shift to prioritize personalized healthcare through post-acute care and interoperability.

VW Contributor: Skylar Young
© 2020 Vandenack Weaver LLC
For more information, Contact Us

Privacy Policies and Procedures for Small Healthcare Providers Under Scrutiny.

Although privacy incidents at the largest healthcare providers attract the most attention, the Department of Health and Human Services Office for Civil Rights (“OCR”) is actively investigating privacy and security incidents at small healthcare providers. This means that small healthcare providers, including solo practitioners, need to actively review their privacy policies and procedures to ensure full compliance with the Health Insurance Portability and Accountability Act Privacy Rule.

As an example, a small dental practice in Texas responded to a bad review by a patient on its Yelp page, accidentally revealing protected health information (“PHI”) about the patient. The violation itself would have had consequences, but this dental practice failed to have sufficient privacy policies and procedures to protect the PHI, resulting in OCR settling with the dental practice in October of 2019. The corrective action settlement included a severe fine and a mandate to correct its policies and procedures. Another recent example pertains to a single physician who received a complaint from a patient through a reporter, and subsequently responded to questions from that reporter. OCR determined that the physician revealed PHI and violated the Privacy Rule, resulting in a six-figure fine and corrective actions to the physician’s privacy policies and procedures.

For smaller healthcare providers, these examples are reminders to frequently review and update privacy policies and procedures, then test to ensure such policies and procedures are enforced. A common issue is that many providers assume simply having the policy is enough, but OCR will review both whether the policies are in place and whether the policies and procedures are actually followed. Another common shortcoming of small healthcare providers is neglecting to conduct sufficient diligence on their business associates, including a review of their healthcare technology providers. For a small healthcare provider, best practice means having policies and procedures that contemplate annual diligence on business associates, testing of the procedures, and review of the policies against the latest updates to the privacy and security rule.

VW Contributor: Alex Rainville
© 2019 Vandenack Weaver LLC

U.S. Healthcare System Faces Mounting Cybersecurity Risks

The heightened use of technology in healthcare is coupled with mounting cyberattacks. Recently, the healthcare industry experienced a global cyberattack when malicious software targeted the industry. The attack hit Britain’s National Health Service the hardest, affecting sixty-five of its hospitals. Cyberattackers stole healthcare information after using phishing emails to take control of the organizations’ computers, encrypting the computers’ information, and threatening to release the patient information contained on the systems if the organizations failed to satisfy payment demands.

According to the U.S. Department of Health and Human Services’ Office for Civil Rights, over 100 million Americans’ health records were divulged in 2015. In early 2017, Experian predicted the health care industry would be the biggest target for an attack. Moreover, an Identity Theft Resource Center report revealed that more than 25% of all data breaches occurred in the healthcare industry, costing an estimated $5.6 billion each year.

Congress created the Health Care Industry Cybersecurity Task Force through the Cybersecurity Act of 2015 to examine the healthcare industry’s vulnerabilities and create solutions to the cyber threats that place millions of patients’ information at risk each year. In light of the recent attack, the task force investigated the state of health information systems security in the U.S. and found a desperate need to increase health IT security.

In its report to Congress, the task force made a series of recommendations that suggested how to fend off the increasing threats. Among others, the recommendations include creating programs to cleanse healthcare organizations of vulnerable hardware and software and inserting more people with security skills into the healthcare field. The report emphasizes that failure to intervene could lead to catastrophic losses for organizations and patients.

The task force notes that the successful implementation of its recommendations will require significant time and resources, but it hopes the government will promptly respond to its report with efforts to improve cybersecurity in healthcare organizations.

© 2017 Vandenack Weaver LLC

Changes Coming to Meaningful Use

The government program providing incentives to health providers for meaningful use of electronic health records continues to be troubled as the final rule for stage 3 has been delayed until 2018. Coupled with recent comments by the Centers for Medicare and Medicaid Services (CMS), it appears that the entire program will undergo substantive changes in the year ahead. However, CMS notes, it is important to continue under the old program until the changes start being unveiled in the spring of 2016.

When meaningful use started in 2009, the intent was to induce medical providers to use the new technology purchased with the help of the federal government. By providing incentive payments to the physicians that showed they were using the new technology in a meaningful way, the government believed it would improve quality, safety, and efficiency of care through electronic health records. However, CMS has found that the program did not operate as envisioned, resulting in the forthcoming changes to the program, expected to start in the spring of 2016.

While the new program has guiding themes that were issued by CMS, it is unclear what the new program will ultimately look like. However, many of the themes focus on the outcome of patient care, with less focus on the use of the new technology, in hopes that complaints by all stakeholders about the meaningful use program will be alleviated. For health providers, the pending changes will take time to implement, and until then the meaningful use program remains the operative requirement. To read more about the changes, please visit the official blog of CMS at: http://blog.cms.gov/2016/01/19/ehr-incentive-programs-where-we-go-next/

© 2015 Vandenack Williams LLC

Who Owns Medical Records in the Digital Age?

Determining who owns medical records in the age of electronic health records remains somewhat ambiguous. In fact, recent issues at the University of Rochester Medical Center highlight the confusion, as the health provider recently reached a settlement over a violation of protected health information because a nurse practitioner took patient information to a new practice. Thus, the relevant question is whether the provider, the physician, the electronic health record provider, or the patient owns the information.

Many patients assume the Health Insurance Portability and Accountability Act (HIPAA) provides ownership of health information to the patient, but the law, in fact, fails to specify. Largely, this issue is left to state legislatures to determine, but the majority of states have failed to address the issue. According to a recent survey by the George Washington University’s Hirsh Health Law and Policy Program and the Robert Wood Johnson Foundation, only New Hampshire provides ownership of medical records to the patient, while in 20 other states, the healthcare provider owns them.

In the age of electronic health records, patient data is quickly shareable between physicians, patients, and other individuals. This poses new legal challenges for healthcare providers and physicians, especially as the laws and regulations on protected health information continue to evolve and state attorneys general start to enforce the privacy laws under the Health Information Technology for Economic and Clinical Health Act. This means that physicians and healthcare providers of all types should ensure that their internal policies on health records fully comply with the evolving legal landscape.

© 2015 Houghton Vandenack Williams

Potential Employer Requirements Due to Anthem, Inc. Data Breach

On February 4, 2015, Anthem Inc., one of the largest U.S. health insurers, notified the public that their data systems were breached. This breach potentially left customer names, social security numbers, and other personal information vulnerable. Subsequently, Anthem Inc. has already seen a customer lawsuit filed in California over the breach, with many more expected.

Health plan participants that have been affected will be notified in compliance with federal law. However, as this investigation continues, this may place additional burdens on employers. Depending upon the nature of the breach, of which further details are expected soon, employers may have to issue breach notifications under the Health Insurance Portability and Accountability Act (HIPAA). Until it becomes clear what information was taken, specific notification requirements are unclear. For example, a key question is whether protected health information was taken.

Depending upon the type of health plan an employer offers, it will have a varying impact upon the obligations for each company. The requirements will become clearer once further information is released. Beyond the federal HIPAA requirements, 47 states have unique breach notification laws that may impose obligations.

If you have questions pertaining to how this may impact your requirements under the law, please contact Houghton Vandenack Williams for further information.

© 2015 Houghton Vandenack Williams

HHS Releases Bulletin: HIPAA Privacy in Emergency Situations

Generally, when you visit a healthcare facility or receive any health treatments, you expect a certain level of privacy. Patient privacy is protected by HIPAA, or the Health Insurance Portability and Accountability Act. However, the Department of Health and Human Services released a bulletin this month outlining situations when the privacy rules are not applicable.

Private health information is not protected when public health is at risk, when treatment of the individual patient so requires, and at other moments when disclosure may be necessary. As an example, in the middle of a public health crisis, a healthcare provider may disclose critical information “to prevent or control the disease, injury, or disability.”

Although a provider must still be extremely careful to not over-disclose private information, the release will generally be protected if they comply with requests from Federal entities, such as the Centers for Disease Control. The provider can disclose to other health providers for coordination of care efforts, family and friends who are involved in the treatment, relief organizations such as Red Cross, and potentially media outlets.

© 2014 Parsonage Vandenack Williams LLC

Weak Passwords Put Patients’ EHR at Risk

By M. Thomas Langan II.

A recent government report criticized the current electronic health record certification process for failing to require strong passwords. These vulnerabilities make it easier for hackers to penetrate electronic health record (“EHR”) systems and access patient records. The report comes amid a study finding that many patients are reluctant to divulge their information when their physician uses EHR, out of fear for their data’s security. Despite the current lax requirements, it is recommended that all passwords be at least 8 characters long, contain 3 of the following: capital letters, lowercase letters, numbers and special characters, and be changed at least monthly.

The government’s report can be found here: http://oig.hhs.gov/oas/reports/region6/61100063.asp

The study can be found here: http://jamia.bmj.com/content/early/2014/07/24/amiajnl-2014-002804.abstract

© 2014 Parsonage Vandenack Williams LLC

Nebraska Passes Bill Expanding Telehealth Coverage

The Unicameral has passed a bill that expands the definition of telehealth, which will presumably expand Medicaid coverage for these services. Under the new law, telehealth includes all usage of medical information electronically exchanged between sites to aid providers in diagnosing or treating patients. The bill explicitly includes telemonitoring and “store-and-forward” technology in the definition of telehealth. It also removes language from the prior statute that excluded telephone conversations, e-mails, and faxes from the definition of telehealth consultations.

The bill makes a number of other minor changes to the state’s telehealth laws. Specifically, it prohibits changes in reimbursement rates that depend on the distance between a patient and her healthcare provider. Thus, as a result of this bill, Nebraska providers may be able to claim reimbursement for new services, and are protected from changing reimbursement rates based on distance.

© 2014 Parsonage Vandenack Williams LLC

FDA Releases New Report on Health IT Oversight

The FDA, in conjunction with other administrative agencies, has released a new report that describes its strategic plan for regulating health IT devices. The report suggests three different categories of health IT, based on the risks associated with each type. The lowest-risk category is administrative health IT functions. This includes software for admissions, scheduling, and practice management. The FDA has indicated that health management health IT functions pose a slightly higher risk. These include clinical decision support and medication management tools. Finally, the FDA identified medical device health IT functions, such as robotic surgical control and computer-aided detection software, as high risk areas.

The FDA has indicated that it will focus its attention on medical device health IT functions, and does not see a need for further regulatory oversight over the other two areas at this time.

© 2014 Parsonage Vandenack Williams LLC