Coronavirus is Deregulating Healthcare One FDA Guidance At a Time

One unintended consequence of COVID-19 has been the paradigm shift within the healthcare industry which has turned to prioritize value-based, patient centric remote monitoring solutions and non-contact technologies. COVID-19 has created a demand for digital health technologies to provide relief for public health professionals and individuals alike. This is not to say that digital technologies have not been in existence, because they have. Rather, according to a 2019 Price Waterhouse Cooper survey, 94% of participants pointed to data-protection and privacy regulations, the Health Insurance Portability and Accountability Act (HIPAA) and the expansion of HIPAA rules and penalties under the Health Information Technology for Economic and Clinical Health (HITECH) Act as factors limiting implementation of digital technologies. This blogpost will explain the significant de-regulation efforts enacted by the Federal Drug Administration (FDA) to ultimately conclude why it is such an important time for the private sector to invest in digital health technologies.

Historically, venture capitalists and businesses looking to build and invest in digital health products and services have viewed the FDA as being “closed for business when it comes to innovation.”[1] However, the COVID-19 pandemic has drastically changed the regulatory giant’s approach to healthcare related products and services. At the end of March 2020, the FDA created the Coronavirus Treatment Acceleration Program (CTAP) to provide regulatory advice, guidance and technical assistance to potential sponsors seeking to develop drugs and biologic therapies for COVID-19. The FDA’s new approach is to accelerate the investigation of safe and effective therapies that could benefit people affected by the COVID-19 pandemic.

On May 11, 2020, the FDA finally issued two guidances intended to ease the regulatory burden of developing drugs and biologics to treat or prevent COVID-19. The first guidance document is titled, “COVID-19, Public Health Emergency:  General Considerations for Pre-IND Meeting Requests for COVID-19 Related Drugs and Biological Products” (Pre-IND Guidance). The Pre-IND Guidance directs sponsors to “initiate all drug development interactions for COVID-19 related drugs through Investigational New Drug (IND) meeting requests,” instead of submitting a pre-emergency use authorization (pre-EUA) requests. The Pre-IND Guidance highlights the importance of putting together a quality submission when engaging with FDA. Now, the pre-IND meeting request and package development process has been streamlined into a single step. This is especially important because the FDA will respond to a pre-IND meeting request as “written response only meeting,” meaning that there may not be an opportunity to provide additional information. The goal of this guidance is to provide explicit direction in assisting drug manufacturers to get their products into clinical trials efficiently.

The second guidance provides recommendations for clinical trial design for Phase 2 and 3 clinical trials intended to establish safety and efficacy for therapeutic or prophylactic drugs and biologics with the goal of potentially approving safe and effective drugs to address the COVID-19 pandemic. The guidance “strongly recommends that drugs to treat or prevent COVID-19 be evaluated in randomized, placebo-controlled, double-blind clinical trials using a superiority design.” It also includes a list of what it believes to be important clinical outcome measures for treatment trials, including all-cause mortality, respiratory failure, need for invasive mechanical ventilation and sustained clinical recovery.

Additionally, the FDA has also started Emergency Use Authorization (EUA) as one tool to help make certain medical products become quickly available during COVID-19. The issuance of an EUA essentially allows access to medical products that can be used when there are no adequate, approved and available options. Under the EUA, the FDA authorizes the product’s use based on the best available evidence. For example, after initial data from a clinical trial showed that remdesivir may benefit some patients with COVID-19, the FDA authorized remdesivir to be provided under the terms of an EUA to hospitalized patients with severe COVID-19.

We are seeing the fruits of this de-regulation. On June 6, 2020, the FDA authorized the first standalone at-home sample collection kit that can be used with certain authorization tests. The FDA issued an EUA to Everlywell, Inc. for the Everlywell COVID-19 Test Home Collection Kit. Individuals at home, who have been screened using an online questionnaire that is reviewed by a health care provider, can self-collect a nasal sample at home using the kit. The FDA also authorized two COVID-19 diagnostic tests, performed at specific laboratories, for use with the samples collected by individuals using the Everlywell kit. In the future, additional tests may be authorized for use with the kit. This exemplifies how de-regulation opens the door for innovative digital services that focus on public-private partnerships to deliver personalized, at home medical access. Currently, the Everlywell home-collection kit is the only authorized COVID-19 at-home sample collection kit for use with multiple authorized COVID-19 diagnostic tests.

Sadly, as of this writing we are seeing an uptick in the rise of confirmed COVID cases across the country. Given the FDA’s loosened regulations, there is a greater potential to meet the continued need to bring digital health services, medical devices, and drugs to the market to safely and effectively prevent or treat COVID-19. Stay tuned for Vandenack Weaver’s continuing coverage on the changing landscape of health-care law during this turbulent and historic time. Next week we will evaluate the changes related to certain device software functions and the shift to prioritize personalized-healthcare through post-acute care and interoperability.

VW Contributor: Skylar Young
© 2020 Vandenack Weaver LLC
For more information, Contact Us

Provider Preparation for Infectious Diseases

Most hospitals and health-care providers have protocols and procedures for contending with infectious diseases, including those creating public-panic, such as the Ebola outbreak. However, when a new crisis hits, many of these protocols may have been forgotten or ignored. This was seen with the Nebraska Medical Center firing two health workers that treated an Ebola patient because they violated the Health Information Portability and Accountability Act (HIPAA). In light of a public health scare, maintaining current policy standards will help limit liability.

 

Beyond existing rules and regulations, with each specific outbreak, both federal and state agencies may update protocols and guidance to contend with the unique nature of that disease. As an example of outbreak specific guidance, in response to Ebola, the Center for Disease Control and Prevention (CDC) issued new guidance on personal protection equipment (PPE) for use in connection with the disease. Other guidance includes new Occupational Safety and Health Act (OSHA) standards, designed to protect the healthcare worker. This was seen at Texas Health Presbyterian Hospital in Dallas, when two nurses were infected with the disease. Failure to properly comply with newly issued, as well as existing, OSHA and CDC regulations may result in significant potential liability both to patients and workers.

 

Although many providers may believe they are properly equipped to handle potential Ebola patients, careful consideration must be paid to the newest guidance and regulations, without forgetting existing policy. Failure to do so could result in significant civil liability. As the examples in Texas and Nebraska teach us, hospital and health-care providers should take extra steps to limit their potential liability.

 

*CDC Guidance: http://www.cdc.gov/vhf/ebola/hcp/procedures-for-ppe.html ; http://www.cdc.gov/vhf/ebola/pdf/hospital-checklist-ebola-preparedness.pdf

*OSHA Guidance: https://www.osha.gov/Publications/OSHA_FS-3756.pdf 

© 2014 Parsonage Vandenack Williams LLC

For more information, Contact Us

Medical Providers Should Use Caution on Continued Use of Windows XP

Microsoft’s recent announcement that it will stop providing support for its Windows XP operating system could cause an increased HIPAA risk to certain medical providers. HIPAA generally requires medical providers to adequately safeguard its protected health information.  One effect of Microsoft’s decision is that it will no longer be helping to ensure that users of XP are secure from new forms of hacking and malware.  Therefore, medical providers using XP are at an increased risk of being attacked and possibly violating HIPAA.  To help prevent this, medical providers using Microsoft XP should ensure that their anti-virus software and firewalls are current while beginning to look into upgrading its operating systems.

© 2014 Parsonage Vandenack Williams LLC

For more information, Contact Us

Final HIPAA/HITECH Rule Released

HHS has recently released final rules modifying HIPAA under the HITECH Act. The rules make several changes for both providers and business associates. First, the regulations expand the definition of business associate. Thus, businesses need to figure out whether they are now subject to HIPAA. Business associates may face up to $1.5 million in fines per year if they do not comply with the new rules.

Providers will have to make several changes as well. The new rules give providers less flexibility to decide when to report a breach and restrict when PHI can be used for marketing. Providers must provide patients with records in electronic form on request. Also, they must revise their Notices of Privacy Practices. If providers do not comply, they will face harsher fines and new enforcement tools. Providers should start revising their business associate agreements, NPPs, and other policies to comply by September 23.

© 2013 Parsonage Vandenack Williams LLC

For more information, contact info@pvwlaw.com

Final HIPAA/HITECH Regulations Delayed

Publication of the HIPAA/HITECH Act Omnibus Final Rule has been delayed. The Office of Information and Regulatory Affairs, the department responsible for reviewing the regulations, has requested an extended review period for the rules. This extended review period will last for 30 days, and requires special approval for further extension. Commentators anticipate that a decision on the rule should be issued by July 23.

The proposed rule is expected to modify several components of HIPAA, including the Breach Notification Rule, the Enforcement Rule, and the Privacy and Security Rules. Furthermore, the proposed rule will expand the scope of HIPAA provisions to cover business associates of entities subject to HIPAA. Healthcare professionals should be aware of these changes and proactively plan to comply with the revised HIPAA regulations.

© 2012 Parsonage Vandenack Williams LLC

For more information, contact info@pvwlaw.com

CMS Issues HIPAA Standard for Electronic Funds Transfers

CMS has issued a new rule that adopts standards for electronic funds transfers (“EFT”) under HIPAA.  The standards could reduce costs for providers by streamlining electronic payments from a health plan to a provider.  The rule requires the use of a trace number that automatically matches a remittance advice (“RA”), or notice of payment, and an EFT payment.  Currently, health plans often send RA’s separately from the EFT payment making it difficult to match up the bill and corresponding payment.  By requiring the trace number to match up the RA and EFT payment, the rule will save providers time by not having to manually reconcile the notice of payments from the EFT payment.  The regulation is effective January 1, 2012.  Covered entities must use the health care EFT standards by January 1, 2014.

The rule can be accessed at:  Adoption of Standards for Health Care Electronic Funds.

© 2012 Parsonage Vandenack Williams LLC

For more information, contact info@pvwlaw.com

HITECH Breach Logs Due March 1

Under the HITECH Breach Notification Rule, covered entities must notify certain parties following a breach of unsecured protected health information (“PHI”).  First, covered entities must notify affected individuals following the discovery of a breach.  If the breach affects more than 500 residents of a State or jurisdiction, covered entities are also required to provide notice to prominent media outlets.

Additionally, covered entities must provide notice of breaches to the Secretary of the U.S. Department of Health and Human Services (“HHS”).  The timing of the notification obligation to the HHS Secretary depends on the number of affected individuals for a particular breach.  If a breach involves 500 or more individuals, the Secretary must be notified “contemporaneously” with the notice to affected individuals.    45 CFR § 164.408(b).   If a breach involves less than 500 individuals, a covered entity is required to maintain a log or other documentation of the breach and provide notice to the Secretary “not later than 60 days after the end of each calendar year.”  45 CFR § 164.408(c). 

By March 1, 2011, covered entities must notify the Secretary of all breaches that occurred during 2010. The notification must be submitted electronically by using the following form: http://transparency.cit.nih.gov/breach/index.cfm. A separate form must be completed for each breach that occurred during the preceding calendar year. 

© 2011 Parsonage Vandenack Williams LLC

  For more information, contact info@pvwlaw.com

 

HIPAA, HITECH FINAL RULES ANTICIPATED BY EARLY 2011

The HIPAA and HITECH final rules could be published by the end of 2010 or early 2011.

Adam H. Greene, JD, MPH, senior health information technology and privacy specialist for the Office for Civil Rights (“OCR”), announced this prediction on October 4, 2010 during the Fourth Annual HIPAA Summit West: Healthcare Privacy and Security after HITECH and Health Reform.

Greene would not guarantee his prediction.  However, this past summer, Greene accurately said he expected a proposed rule on changes to the HIPAA privacy, security and enforcement rules to be released around July 8, 2010.  That is exactly the date that the display copy of the rule was released.  The proposed rule was published in the Federal Register on July 14, 2010.

© 2010 Parsonage Vandenack Williams LLC

  For more information, contact info@pvwlaw.com

Data Security Breaches Give State Attorneys General a Chance to Exercise New HIPAA Powers

The Connecticut and Arizona attorneys general are investigating health plans that recently experienced data breaches that the plans failed to disclose for several months.  This is a definite sign that state attorneys general may be using the HIPAA enforcement powers granted by the HITECH Act provisions in the Recovery Act.

Typically, state attorneys general prosecute only violations of state laws, but they now have authority to investigate and levy fines for violations of HIPAA and the HITECH Act, which requires mandatory notifications within two months of knowledge of a breach.

Connecticut Attorney General Richard Blumenthal has come forth as possibly the first attorney general to take on a HIPAA investigation, and Arizona’s attorney general may also be pursuing a similar route. The larger of the two breaches that have come to the attorney generals’ attention was experienced by Health Net, Inc., which lost a portable external hard drive containing seven years of data for 446,000 Connecticut residents. The lost data came from 1.5 million individuals in total, also including individuals from New Jersey and New York.

Health Net reported the loss to the Connecticut attorney general on November 19. On the same day Blumenthal issued a harsh statement demanding answers and promising action. He specifically said he was investigating whether Health Net may have violated “federal laws,” as well as his state’s own data protection laws.

 Blumenthal said he would “seek to establish what happened and why the company kept its customers and the state in the dark for so long.” Blumenthal said he was “outraged and appalled” by Health Net’s actions and stated that failure to provide notice sooner was “unconscionable foot-dragging.”

Health Net’s hard drive, which disappeared from its offices in Shelton, Connecticut, required a special reader to view, but it was not encrypted.

© 2009 Parsonage Vandenack Williams LLC

  For more information, contact info@pvwlaw.com

HIPAA Mandates, Coverage Set to Expand in Near Future

Introduction

As many of you are aware, the American Recovery and Relief Act of 2009, better known as the “Bailout Bill”, did much more than funnel government spending in an effort to boost the economy.  Within the Bailout Bill package, Congress enacted a separate act known as the Health Information Technology for Economic and Clinical Health Act, known as the HITECH Act.  HITECH included several important changes to substantive law, and mandated the Department of Health and Human Services (HHS) to promulgate new regulations under HIPAA.  On August 24, 2009, HHS issued interim final regulations, effective September 23, 2009, implementing several of the changes mandated by HITECH.  Other changes will not take effect until February 2010.  Health Care providers and their Business Associates subject to HIPAA requirements should be aware of several fundamental reforms contained within the law. 

Breach Notification 

HITECH requires any Covered Entity (such as a health plan, health care clearinghouse, or health care provider) holding or using “unsecured” protected health information to notify the affected individuals in the even there is a breach of that individual’s protected health information (“Breach Notification”).  Any breach must also be reported to HHS and, under some circumstances, to the local media as well.  Essentially, covered entities and business associates are now required to act as their own whistleblowers.  This Breach Notification requirement was promulgated in an interim final rule on August 24, 2009 and takes effect September 23, 2009.

The Breach Notification rule requires that Covered Entities must notify affected individuals “without unreasonable delay” and in no case more than 60 days after the breach is “discovered”.  A breach is treated as discovered when it is known to the entity, employee, or agent of the entity.  An unknown breach will be treated as discovered if it would have been known had the entity exercised “reasonable diligence”.   This highlights the importance of having internal policies in place to ensure that any breach will be promptly discovered, reported, and dealt with.

As mentioned above, Covered Entities are also required to provide notice to the Secretary of HHS and, in some cases, local media outlets.  If the breach affects more than 500 residents of a state or jurisdiction, the entity must notify “prominent media outlets” “without unreasonable delay” and in no case more than 60 days after discovery of the breach.  In the case of such a large breach, the entity must notify HHS contemporaneously with the sending of individual notices, according to the procedure on the department’s website.   If the breach affects less than 500 residents, there is no requirement to notify the local media.  There is also no immediate requirement to notify HHS.  Instead, the entity is required to maintain a log of all breaches and notify HHS within 60 days of the end of the calendar year of all breaches during the prior year according to the procedure outlined on HHS’s website. 

The new regulations list specific guidance regarding the content of the required notice.  The notice must be in writing and sent via first-class mail, unless the individual has otherwise agreed to electronic notification.  Five topics are required to be addressed within the contents, all written in “plain language”.

Business Associates of Covered Entities (anyone handling protected health information on behalf of a Covered Entity) are required to notify the covered entity for which they are providing services of any breach discovered by the Business Associate.  Again, this notice must be given without unreasonable delay and in no case more than 60 days after the discovery of the breach.  Rules similar to those imposed on covered entities for the determination of when a breach is “discovered” also apply to Business Associates.    

Only those covered entities or business associates dealing in “unsecured” protected health information are subject to the Breach Notification requirements.  To avoid being deemed to be operating “unsecured”, the Covered Entity or Business Associate may conform to the guidance for technologies and methodologies issued by HHS on April 27 in order to qualify for a safe harbor from the definition of using “unsecured” protected health information.  To the extent feasible, Covered Entities and Business Associates should comply with this guidance to avoid being subject to the embarrassing requirements of the Breach Notification rule.

Expansion of HIPAA Coverage

In addition to the Breach Notification rule, HITECH imposes both the HIPAA Security Rule and the HIPAA Privacy Rule directly on Business Associates of Covered Entities.  Prior to this change, Business Associates were not directly subject to the security and privacy requirements of HIPAA.  Instead, Covered Entities were required to obtain “satisfactory assurance” that their Business Associates would safeguard protected health information.  These assurances are typically exchanged through a written Business Associate Agreement.  Only Covered Entities were subject to the civil and criminal penalties of HIPAA should there be a violation of the security or privacy rules, even if such breach was committed by the Business Associate.  The Covered Entity’s recourse against the Business Associate was limited to initiating a lawsuit based on a breach of the Business Associate Agreement.  HITECH changes all this.

Under HITECH, the security and privacy rules of HIPAA are made directly applicable to Business Associates effective February 17, 2010.  Business Associates will thereafter be subject to direct HIPAA enforcement, including the imposition of civil and criminal penalties, for a breach of either rule.  HITECH still contemplates the use of Business Associate Agreements and requires that they be updated to reflect the Breach Notification rule outlined above.

Summary

Several significant changes to HIPAA and its implementing regulations were made by the Bailout Bill.  Health care providers which are Covered Entities under HIPAA and their Business Associates should be prepared to meet the new legal and administrative requirements of such changes.  If you would like to discuss the matters discussed in this article, or any other matter regarding your health care practice, feel free to contact Parsonage Vandenack Williams LLC at your convenience.

© 2009 Parsonage Vandenack Williams LLC

  For more information, contact info@pvwlaw.com