The Point of Care National
Presented by DTC Perspectives, Inc. in Partnership with PoC 3
Baltimore, MD

Examining The Unique POC Regulatory Landscape

Jonathan M. Weinrieb
Principal, OFW Law
www.ofwlaw.com
October 1, 2014
This presentation is for general information only. It is not intended to be legal advice from DTC Perspectives, Inc., PoC 3, or OFW Law. Regulators and/or your company's business partners may not agree with some of the possible interpretations in this presentation. Your company should consult with its legal and regulatory advisors about its specific questions.
Win-Win-Win-Win

Sponsored patient-specific educational communications are a WIN for all:
- Patients: health benefits from better Rx drug compliance and adherence; better education to interact with health care providers.
- Providers: increased store/office traffic and cost recovery; help with patient education.
- Government: 1% increase in refill rate = $35 billion Medicare savings over 10 years (CBO).
- Pharma: increased product sales.
Legal/Regulatory Framework
- Federal Medical Privacy (HIPAA/HITECH)
- FDA Regulations
- OIG Enforcement (Anti-Kickback/Inducement)
Medical Privacy/HIPAA

HIPAA (1996 law), amended by the HITECH Act (2009), governs the privacy and security of patients' Protected Health Information (PHI):
- Privacy Rule: protects the privacy of PHI and establishes patients' rights regarding that PHI.
- Security Rule: standards for the security of electronic PHI (ePHI).
- Breach Notification Rule: requires notification following a breach of unsecured PHI.
- Enforcement Rule: provides for HHS enforcement of the above.
Privacy Rule Basics: Who's Who?

HIPAA applies to Covered Entities and their Business Associates.

Covered Entities (CE) (your clients/audience):
- Health Care Providers (e.g., pharmacies, physicians) that transmit electronic information in connection with a covered transaction (these generally concern billing/payment for services).
- Health Plans (e.g., insurance companies, HMOs, Medicare/Medicaid).
- Health Care Clearinghouses (e.g., billing services, switches that process health information).

Business Associates (BA) (for the most part, you!):
- Person or entity performing a covered function for a CE that involves the use or disclosure of PHI.
- Does not include CE employees.
Key Question Under HIPAA

What types of sponsored, patient-specific communications can be conducted/initiated at POC without patient authorization (opt-in)?
Old Rule (Pre-HITECH)
- Essentially all pharma-sponsored communications, including switch and adjunctive, did not need patient authorization because they qualified as "treatment."
- Independently, all in-person (e.g., in-pharmacy, at-doctor's-office) communications were "face-to-face": no authorization needed regardless of content.
New Rule (Post-HITECH)

Three independent exceptions from the need for patient authorization under the new rule:
- Face-to-Face (unchanged);
- Refill Reminders (new exception); and
- Messages that do not promote the sponsor's specific product (unchanged).
Sponsored Face-to-Face Communications
- No limitations on substantive content.
- Examples: in-pharmacy ("stapled to the drug bag"); and in-office (doctor hands information to patient).
- Strengthened by new rule and RR Guidance. HHS expressly:
  - recognized that written materials (e.g., pamphlets) handed to a patient qualify as face-to-face communications (no dialogue necessary); and
  - accepted communications about alternative medication in the face-to-face context.
Sponsored Refill Reminders: Requirements

Two separate requirements to qualify for the exception from authorization:
1) Must be about a drug or biologic that is "currently being prescribed for the individual"; and
2) Compensation to the CE must be "reasonably related" to its cost of making the communication.
Sponsored Refill Reminders: Types of Qualifying Communications
- Adherence communications (including but not limited to refill reminders);
- Generic equivalent of prescribed drug; and
- Drug-delivery system for self-administered drug (e.g., insulin pump).
- Test Strips?
Sponsored Refill Reminders: Types of Qualifying Communications

Recently Lapsed Prescriptions
- Prescription must have lapsed within the last 90 calendar days.
- "Lapse" not defined. HHS commented (at Feb. 2014 HIPAA Summit: lapse defined by state law; for typical 1-year Rx life, can message about recently lapsed Rx up to 1 year + 90 days after original Rx date, i.e., 15 months).
- Seasonal allergy drugs, based on last year's script? EpiPen?
Sponsored Refill Reminders: Types of Qualifying Communications

Alternative/New Formulations/Adjunctive:
- Expressly not within the scope of the Refill Reminder exception.
- Can send communication without authorization in a face-to-face setting.
- Can also send unbranded "Ask Your Doctor" communication without authorization.
Sponsored Refill Reminders: Reasonable Compensation Limit
- HITECH Act: any payment received by the covered entity must be "reasonable in amount."
- Omnibus final rule text: "any financial remuneration received by the covered entity in exchange for making the communication is reasonably related to the covered entity's cost of making the communication" (emphasis added).
Sponsored Refill Reminders: What Is Reasonable Compensation?
- Refill Reminder Guidance: payments may cover only the "reasonable direct and indirect costs" of the program, including labor, materials, and supplies, as well as capital and overhead costs.
- Refill Reminder Guidance sets forth a broad interpretation that appears to demonstrate HHS's support of these programs; interpreted to mean not limited to a CE's additional or incremental costs.
Sponsored Refill Reminders: What Is Reasonable Compensation?

Profit for CE?
- "Profit" not defined but expressly not allowed per final rule (guidance silent).
- HHS does allow recovery of a broad range of direct and indirect costs; strong argument for reasonable profit for a BA (i.e., fair market value compensation for services).
Sponsored Messages That Do Not Promote The Sponsor's Specific Products

Not regarded as "Marketing"; authorization not required:
- Disease management program which does not encourage patients to use the pharma company's drug.
- Unbranded educational content about the disease or condition being treated.
- Unbranded "Ask Your Doctor" messages about unnamed potentially helpful drugs, more convenient formulations, and the like.
Opt-Out?
- No federal requirement.
- May be required by state law (e.g., California).
- Good business practice; promotes transparency.
- Must be part of the authorization if used.
State Privacy Laws
- HIPAA rules expressly do not preempt (trump) more restrictive state laws.
- Practical bottom line: the more restrictive of the applicable federal or state requirements controls.
California
- Only state where patients are being denied the benefits of sponsored patient-specific communications programs.
- Does not recognize the face-to-face exception to authorization.
- May be possible to run programs, without patient authorization, related to "a chronic and seriously debilitating or life-threatening" condition; additional requirements apply.
HIPAA Risk Analysis: REQUIRED!!
- NIST, Framework for Improving Critical Infrastructure Cybersecurity, http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf.
- OCR, Security Risk Assessment Tool, http://www.healthit.gov/providers-professionals/security-risk-assessment.
- OCR, Guidance on Risk Analysis Requirements under the HIPAA Security Rule, http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf.
HHS Audits
- BAs will be audited, but HHS recognizes that there are a wide variety of BAs, making a standard protocol challenging.
- No timeframe for the audit program because of lack of funding (no audits so far in 2014).
Who's A Business Associate?

Yes:
- Subcontractors;
- Persons/entities that facilitate data transmission and storage;
- Vendors of Personal Health Records;
- Cloud computing providers;
- Data storage vendors;
- Paper shredding/document destruction vendors.

No:
- CEs (e.g., health care providers and health plans);
- Common carriers (e.g., USPS, FedEx, UPS);
- Internet service providers;
- Other "conduits" (i.e., transient possession (including "temporary storage") of PHI: "transports information but does not access it other than on a random or infrequent basis as necessary for the performance of the transportation service or as required by law.").
BA Agreements (BAAs)
- Existence or absence of a BAA does not determine whether a CE has a BA relationship with another entity.
- 12 required elements + other permissions. 45 C.F.R. 164.504.
- ALL BAAs must now be HITECH-compliant (as of Sept. 22, 2014).
- HHS updated BAA template on website: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
Analytics By BAs
- Typically in the context of sponsored programs, to measure how well the programs are working.
- Good practice to specify in the BAA the parameters for the BA to use PHI for data analysis on behalf of the CE.
- Typically uses de-identified data.
- De-identification of data is a "health care operations" activity; no authorization needed, but must be on behalf of the CE (within scope of BAA).
- De-identified data is not PHI.
Breach
- Standard/threshold for breach lowered by omnibus final rule.
- "Harm" standard from 2009 interim final rule replaced with a more objective standard: "an impermissible use or disclosure of [PHI] is presumed to be a breach unless the [CE] or [BA], as applicable, demonstrates... through a risk assessment... that there is a low probability that the protected health information has been compromised." 78 Fed. Reg. at 5641 (emphasis added); 45 C.F.R. 164.402 (definition of "breach").
- Example: PHI inadvertently faxed from one physician's office to another physician's office?
- Only applies to PHI that is "unsecured" (i.e., unencrypted).
- Bottom Line: ENCRYPT!!
- NIST, Cryptographic Standards and Guidelines Development Process, http://csrc.nist.gov/publications/drafts/nistir-7977/nistir_7977_draft.pdf.
Risk Assessment: Breach?

Must evaluate:
1) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
2) the unauthorized person who used the PHI or to whom the disclosure was made;
3) whether the PHI was actually acquired or viewed; and
4) the extent to which the risk to the PHI has been mitigated.
Penalties for Breach
- OCR will look at all factors surrounding a breach, but the fact that a breach occurred is not the sole determining factor for OCR.
- OCR will determine whether the entity used available tools and protected the health information to the best of its ability.
- Underscores the importance of:
  - Risk Analysis (update routinely).
  - Encryption.
Breach Notification
- Notice to individuals: required in all cases.
- Notice to media: notice to prominent media outlets required if > 500 individuals affected in a single state or jurisdiction.
- Notice to HHS: if > 500 individuals affected, without unreasonable delay (60 days max.).
Recent Enforcement
- Majority of breaches caused by theft.
- Most common compliance issues investigated:
  1) Impermissible uses and disclosures of protected health information;
  2) Lack of safeguards of protected health information;
  3) Lack of patient access to their protected health information;
  4) Uses or disclosures of more than the minimum necessary protected health information; and
  5) Lack of administrative safeguards of electronic protected health information.
Recent Enforcement
- 22 resolution agreements to date.
- 12,915 complaints reported in 2013, up from 10,454 in 2012. Nearly 100,000 since the April 2003 compliance date (96% resolved).
- Although the majority of cases do not result in enforcement, some cases have resulted in significant CMPs and corrective action.
- 2012 audits revealed that 2/3 of CEs had not done a Risk Analysis.
- No 2014 audits yet. Pre-audit surveys forthcoming to determine which CEs (and BAs) to audit.
- Next audit phase will include only desk audits (i.e., OCR will ask entities to provide specific documents).
HHS Forthcoming Guidance
- Breach Safe Harbor Update
- Breach Risk Assessment Tool
- Minimum Necessary
- More on Marketing
- More factsheets on other provisions
FDA Regulations

FDA regulates manufacturer-prepared communications:
- Labels (what's on the box or bottle) and labeling (e.g., brochures, slides, anything accompanying any drug).
- Advertising (e.g., newspapers, magazines, TV, radio) of Rx drugs. (FTC regulates advertising of OTC drugs; claims must be substantiated by "competent and reliable scientific evidence.")
- Does not regulate if not prepared by the manufacturer.
FDA Regulations

Prescription drug promotion must:
- Include the drug's brand and established name (e.g., Lexapro (escitalopram oxalate));
- Not be false or misleading (includes no off-label promotion);
- If benefits are presented, have fair balance of risks;
- Be consistent with the approved product labeling, the package insert (PI);
- Only include claims substantiated by adequate and well-controlled clinical studies; and
- If any safety or effectiveness claims are made, include accompanying information (AI) (Guidance on AI forthcoming):
  - Full PI (labeling); or
  - A brief summary of the PI (advertising).

NOTE: Boxed Warning drugs always need AI.
FDA: Social Media
- Slow to clarify application to Rx promotion over social media.
- Basically, the same requirements apply. No real accommodations for limited-character formats.
- Any piece (including sponsored links) must be fairly balanced. Click-through to risk information not sufficient. Link to AI.
- Requirements don't apply if content is truly independent of the manufacturer (e.g., healthcare professional providing opinion in a Tweet or blog).
- OPDP Guidance: http://www.fda.gov/aboutfda/centersoffices/officeofmedicalproductsandtobacco/cder/ucm109905.htm.
OIG Enforcement: Anti-Kickback
- Federal anti-kickback law broadly prohibits giving or receiving anything of value that could affect the decision to use/prescribe a product (e.g., Rx drug) or service reimbursable by federal health insurance (including Medicare Part D).
- Longstanding industry interpretation, to which OIG has not objected: no need to exclude federal insurance beneficiaries from the scope of pharma-sponsored communications programs provided any payment to the pharmacy or physician is limited to reasonable reimbursement of its direct and indirect costs of program participation.
OIG Enforcement: Anti-Inducement (Co-Pay Assistance Programs)
- Federal anti-inducement law prohibits the offer or provision of anything of value to an individual eligible under federal health insurance that is likely to influence the individual to choose a product (e.g., Rx drug) or service.
- New OIG Special Advisory Bulletin (Sept. 2014): Coupons need to expressly exclude federal insurance recipients from eligibility to use. If possible, federal insurance beneficiaries should not receive the coupon at all.
- Bulletin does not set forth a new interpretation and is consistent with prevailing, longstanding industry practices.
QUESTIONS?

Jonathan M. Weinrieb, Esq.
OFW Law
Olsson Frank Weeda Terman Matz PC
600 New Hampshire Avenue, N.W., Suite 500
Washington, D.C. 20037
202/518-6352
jweinrieb@ofwlaw.com