Examining The Unique POC Regulatory Landscape


The Point of Care National, presented by DTC Perspectives, Inc. in partnership with PoC 3, Baltimore, MD
Examining The Unique POC Regulatory Landscape
Jonathan M. Weinrieb, Principal, OFW Law, www.ofwlaw.com
October 1, 2014

This presentation is for general information only. It is not intended to be legal advice from DTC Perspectives, Inc., PoC 3, or OFW Law. Regulators and/or your company's business partners may not agree with some of the possible interpretations in this presentation. Your company should consult with its legal and regulatory advisors about its specific questions.

Win-Win-Win-Win
Sponsored patient-specific educational communications are a WIN for all:
- Patients: health benefits from better Rx drug compliance and adherence; better education to interact with health care providers.
- Providers: increased store/office traffic and cost recovery; help with patient education.
- Government: 1% increase in refill rate: $35 billion Medicare savings over 10 years (CBO).
- Pharma: increased product sales.

Legal/Regulatory Framework
- Federal Medical Privacy (HIPAA/HITECH)
- FDA Regulations
- OIG Enforcement (Anti-Kickback/Inducement)

Medical Privacy/HIPAA
HIPAA (1996 law), amended by the HITECH Act (2009), governs the privacy and security of patients' Protected Health Information (PHI).
- Privacy Rule: protects privacy of PHI and establishes patients' rights regarding that PHI.
- Security Rule: standards for the security of electronic PHI (ePHI).
- Breach Notification Rule: requires notification following a breach of unsecured PHI.
- Enforcement Rule: provides for HHS enforcement of the above.

Privacy Rule Basics: Who's Who?
HIPAA applies to Covered Entities and their Business Associates.
- Covered Entities (CE) (your clients/audience):
  - Health Care Providers (e.g., pharmacies, physicians) that transmit electronic information in connection with a covered transaction (these generally concern billing/payment for services).
  - Health Plans (e.g., insurance companies, HMOs, Medicare/Medicaid).
  - Health Care Clearinghouses (e.g., billing services, switches that process health information).
- Business Associates (BA) (for the most part, you!): person or entity performing a covered function for a CE that involves the use or disclosure of PHI. Does not include CE employees.

Key Question Under HIPAA
What types of sponsored, patient-specific communications can be conducted/initiated at POC without patient authorization (opt-in)?

Old Rule (Pre-HITECH)
- Essentially all pharma-sponsored communications, including switch and adjunctive, did not need patient authorization because they qualified as "treatment."
- Independently, all in-person (e.g., in-pharmacy, at-doctor's-office) communications were "face-to-face": no authorization needed regardless of content.

New Rule (Post-HITECH)
Three independent exceptions from the need for patient authorization under the new rule:
- Face-to-Face (unchanged);
- Refill Reminders (new exception); and
- Messages that do not promote the sponsor's specific product (unchanged).

Sponsored Face-to-Face Communications
- No limitations on substantive content.
- Examples: in-pharmacy ("stapled to the drug bag"); and in-office (doctor hands information to patient).
- Strengthened by new rule and RR Guidance. HHS expressly:
  - recognized that written materials (e.g., pamphlets) handed to a patient qualify as face-to-face communications (no dialogue necessary); and
  - accepted communications about alternative medication in the face-to-face context.

Sponsored Refill Reminders: Requirements
Two separate requirements to qualify for exception from authorization:
1) Must be about a drug or biologic that is "currently being prescribed for the individual"; and
2) Compensation to CE must be "reasonably related" to its cost of making the communication.

Sponsored Refill Reminders: Types of Qualifying Communications
- Adherence communications (including but not limited to refill reminders);
- Generic equivalent of prescribed drug; and
- Drug-delivery system for self-administered drug (e.g., insulin pump).
- Test strips?

Sponsored Refill Reminders: Types of Qualifying Communications
Recently Lapsed Prescriptions
- Prescription must have lapsed within last 90 calendar days.
- "Lapse" not defined. HHS commented (at Feb. 2014 HIPAA Summit): lapse defined by state law; for typical 1-year Rx life, can message about recently lapsed Rx up to 1 year + 90 days after original Rx date (15 months).
- Seasonal allergy drugs, based on last year's script? EpiPen?

Sponsored Refill Reminders: Types of Qualifying Communications
Alternative/New Formulations/Adjunctive:
- Expressly not within the scope of the Refill Reminder exception.
- Can send communication without authorization in face-to-face setting.
- Can also send unbranded "Ask Your Doctor" communication without authorization.

Sponsored Refill Reminders: Reasonable Compensation Limit
- HITECH Act: any payment received by the covered entity must be "reasonable in amount."
- Omnibus final rule text: any financial remuneration received by the covered entity in exchange for making the communication "is reasonably related to the covered entity's cost of making the communication" (emphasis added).

Sponsored Refill Reminders: What Is Reasonable Compensation?
- Refill Reminder Guidance: payments may cover only the reasonable direct and indirect costs of the program, including labor, materials, and supplies, as well as capital and overhead costs.
- Refill Reminder Guidance sets forth a broad interpretation that appears to demonstrate HHS's support of these programs; interpreted to mean not limited to a CE's additional or incremental costs.

Sponsored Refill Reminders: What Is Reasonable Compensation? Profit for CE?
- "Profit" not defined but expressly not allowed per final rule (guidance silent).
- HHS does allow recovery of a broad range of direct and indirect costs; strong argument for reasonable profit for a BA (i.e., fair market value compensation for services).

Sponsored Messages That Do Not Promote the Sponsor's Specific Products
Not regarded as "Marketing"; authorization not required.
- Disease management program which does not encourage patients to use the pharma company's drug.
- Unbranded educational content about the disease or condition being treated.
- Unbranded "Ask Your Doctor" messages about unnamed potentially helpful drugs, more convenient formulations, and the like.

Opt-Out?
- No federal requirement.
- May be required by state law (e.g., California).
- Good business practice; promotes transparency.
- Must be part of authorization if used.

State Privacy Laws
- HIPAA rules expressly do not preempt (trump) more restrictive state laws.
- Practical bottom line: the more restrictive of the applicable federal or state requirements controls.

California
- Only state where patients are being denied the benefits of sponsored patient-specific communications programs.
- Does not recognize the face-to-face exception to authorization.
- May be possible to run programs, without patient authorization, related to a "chronic and seriously debilitating or life-threatening" condition; additional requirements apply.

HIPAA Risk Analysis: REQUIRED!!
- NIST, Framework for Improving Critical Infrastructure Cybersecurity, http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf
- OCR, Security Risk Assessment Tool, http://www.healthit.gov/providersprofessionals/security-risk-assessment
- OCR, Guidance on Risk Analysis Requirements under the HIPAA Security Rule, http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf

HHS Audits
- BAs will be audited, but HHS recognizes that there are a wide variety of BAs, making a standard protocol challenging.
- No timeframe for audit program because of lack of funding (no audits so far in 2014).

Who's a Business Associate?
Yes:
- Subcontractors;
- Persons/entities that facilitate data transmission and storage;
- Vendors of Personal Health Records;
- Cloud computing providers;
- Data storage vendors;
- Paper shredding/document destruction vendors.
No:
- CEs (e.g., health care providers and health plans);
- Common carriers (e.g., USPS, FedEx, UPS);
- Internet service providers;
- Other conduits (i.e., transient possession (including "temporary storage") of PHI: "transports information but does not access it other than on a random or infrequent basis as necessary for the performance of the transportation service or as required by law").

BA Agreements (BAAs)
- Existence or absence of a BAA does not determine whether a CE has a BA relationship with another entity.
- 12 required elements + other permissions. 45 C.F.R. 164.504.
- ALL BAAs must now be HITECH-compliant (as of Sept. 22, 2014).
- HHS updated BAA template on website: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html

Analytics by BAs
- Typically in context of sponsored programs to measure how well the programs are working.
- Good practice to specify in the BAA parameters for the BA to use PHI for data analysis on behalf of the CE.
- Typically uses de-identified data.
- De-identification of data is a "health care operations" activity; no authorization needed, but must be on behalf of the CE (within scope of BAA).
- De-identified data is not PHI.

Breach
- Standard/threshold for breach lowered by omnibus final rule.
- "Harm" standard from 2009 interim final rule replaced with more objective standard: an impermissible use or disclosure of [PHI] "is presumed to be a breach unless the [CE] or [BA], as applicable, demonstrates ... through a risk assessment ... that there is a low probability that the protected health information has been compromised." 78 Fed. Reg. at 5641 (emphasis added); 45 C.F.R. 164.402 (definition of "breach").
- Example: PHI inadvertently faxed from one physician's office to another physician's office?
- Only applies to PHI that is "unsecured" (i.e., unencrypted). Bottom Line: ENCRYPT!!
- NIST, Cryptographic Standards and Guidelines Development Process, http://csrc.nist.gov/publications/drafts/nistir-7977/nistir_7977_draft.pdf
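The slide's bottom line is that the breach presumption reaches only unsecured (unencrypted) PHI, so encryption at rest is the control that keeps a lost, stolen or misdirected copy out of the breach definition. The following Go program is an added example, not code from the presentation or from OFW Law: it seals one PHI record with AES-256-GCM (an authenticated cipher from Go's standard library) and binds the record identifier as additional authenticated data, so that a blob moved to another record, a flipped bit, or a wrong key all fail to decrypt rather than yielding garbage. The key-management arrangement (a 32-byte key held by a KMS or HSM, never stored beside the data) and the sample record are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KeySize is the AES-256 key length in bytes. The key is assumed to be
// generated and held by a key-management service and is never stored with
// the ciphertext (assumption of this example, not from the presentation).
const KeySize = 32

// SealPHI encrypts one PHI record with AES-256-GCM and returns
// nonce || ciphertext || tag. recordID is bound as additional authenticated
// data, so a ciphertext copied onto a different record fails to open.
func SealPHI(key, plaintext, recordID []byte) ([]byte, error) {
	if len(key) != KeySize {
		return nil, errors.New("SealPHI: key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// Fresh random nonce per record: GCM nonces must never repeat under one key.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce slice, giving nonce||ct||tag.
	return gcm.Seal(nonce, nonce, plaintext, recordID), nil
}

// OpenPHI reverses SealPHI. Any modification of the blob, a wrong key, or a
// mismatched recordID is an authentication failure and no plaintext is returned.
func OpenPHI(key, blob, recordID []byte) ([]byte, error) {
	if len(key) != KeySize {
		return nil, errors.New("OpenPHI: key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("OpenPHI: blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, recordID)
}

func main() {
	// Constructed sample key and record; a real key comes from a KMS/HSM.
	key := make([]byte, KeySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	record := []byte("patient=Jane Example; rx=EXAMPLE-DRUG 10mg; refills=2") // constructed
	id := []byte("rx-record-0001")                                              // constructed

	blob, err := SealPHI(key, record, id)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d plaintext bytes into %d bytes\n", len(record), len(blob))

	// A leaked copy of blob is unreadable without the key, and it is also
	// rejected if presented under another record's identifier.
	if _, err := OpenPHI(key, blob, []byte("rx-record-0002")); err != nil {
		fmt.Println("wrong record id rejected:", err)
	}
	blob[len(blob)-1] ^= 0x01 // flip one bit of the authentication tag
	if _, err := OpenPHI(key, blob, id); err != nil {
		fmt.Println("tampered blob rejected:", err)
	}
}
```

The protection this buys depends entirely on where the key lives: a laptop or backup that carries both the sealed records and the key is, in practice, still holding readable PHI, which is why the key is assumed here to sit in a separate key-management service and only be released to an authorized process.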

Risk Assessment: Breach?
Must evaluate:
1) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
2) the unauthorized person who used the PHI or to whom the disclosure was made;
3) whether the PHI was actually acquired or viewed; and
4) the extent to which the risk to the PHI has been mitigated.

Penalties for Breach
- OCR will look at all factors surrounding a breach, but the fact that a breach occurred is not the sole determining factor for OCR.
- OCR will determine whether the entity used available tools and protected the health information to the best of its ability.
- Underscores the importance of:
  - Risk Analysis (update routinely).
  - Encryption.

Breach Notification
- Notice to individuals: required in all cases.
- Notice to media: required notice to prominent media outlets if > 500 individuals affected in a single state or jurisdiction.
- Notice to HHS: if > 500 individuals affected, without unreasonable delay (60 days max.).

Recent Enforcement
- Majority of breaches caused by theft.
- Most common compliance issues investigated:
  1) Impermissible uses and disclosures of protected health information;
  2) Lack of safeguards of protected health information;
  3) Lack of patient access to their protected health information;
  4) Uses or disclosures of more than the minimum necessary protected health information; and
  5) Lack of administrative safeguards of electronic protected health information.

Recent Enforcement
- 22 resolution agreements to date.
- 12,915 complaints reported in 2013, up from 10,454 in 2012. Nearly 100,000 since April 2003 compliance date (96% resolved).
- Although the majority of cases do not result in enforcement, some cases have resulted in significant CMPs and corrective action.
- 2012 audits revealed that 2/3 of CEs had not done a Risk Analysis.
- No 2014 audits yet. Pre-audit surveys forthcoming to determine which CEs (and BAs) to audit. Next audit phase will include only desk audits (i.e., OCR will ask entities to provide specific documents).

HHS Forthcoming Guidance
- Breach Safe Harbor Update
- Breach Risk Assessment Tool
- Minimum Necessary
- More on Marketing
- More factsheets on other provisions

FDA Regulations
FDA regulates manufacturer-prepared communications:
- Labels (what's on the box or bottle) and labeling (e.g., brochures, slides, anything accompanying any drug).
- Advertising (e.g., newspapers, magazines, TV, radio) of Rx drugs. (FTC regulates advertising of OTC drugs; claims must be substantiated by "competent and reliable scientific evidence.")
- Does not regulate if not prepared by manufacturer.

FDA Regulations
Prescription drug promotion must:
- Include the drug's brand and established name (e.g., Lexapro (escitalopram oxalate));
- Not be false or misleading (includes no off-label promotion);
- If benefits are presented, have fair balance of risks;
- Be consistent with the approved product labeling, the package insert (PI);
- Only include claims substantiated by adequate and well-controlled clinical studies; and
- If any safety or effectiveness claims, include accompanying information (AI) (Guidance on AI forthcoming):
  - Full PI (labeling); or
  - A brief summary of the PI (advertising).
NOTE: Boxed Warning drugs always need AI.

FDA Social Media
- Slow to clarify application to Rx promotion over social media.
- Basically, same requirements apply. No real accommodations for limited-character formats.
- Any piece (including sponsored links) must be fairly balanced. Click-through to risk information not sufficient. Link to AI.
- Requirements don't apply if content is truly independent of the manufacturer (e.g., healthcare professional providing opinion in a Tweet or blog).
- OPDP Guidance: http://www.fda.gov/aboutfda/centersoffices/officeofmedicalproductsandtobacco/cder/ucm109905.htm

OIG Enforcement: Anti-Kickback
- Federal anti-kickback law broadly prohibits giving or receiving anything of value that could affect the decision to use/prescribe a product (e.g., Rx drug) or service reimbursable by federal health insurance (including Medicare Part D).
- Longstanding industry interpretation, to which OIG has not objected: no need to exclude federal insurance beneficiaries from the scope of pharma-sponsored communications programs, provided any payment to pharmacy or physician is limited to reasonable reimbursement of its direct and indirect costs of program participation.

OIG Enforcement: Anti-Inducement / Co-Pay Assistance Programs
- Federal anti-inducement law prohibits offer or provision of anything of value to an individual eligible under federal health insurance that is likely to influence the individual to choose a product (e.g., Rx drug) or service.
- New OIG Special Advisory Bulletin (Sept. 2014): coupons need to expressly exclude federal insurance recipients from eligibility to use. If possible, federal insurance beneficiaries should not receive the coupon at all.
- Bulletin does not set forth a new interpretation and is consistent with prevailing, longstanding industry practices.

QUESTIONS?
Jonathan M. Weinrieb, Esq.
OFW Law (Olsson Frank Weeda Terman Matz PC)
600 New Hampshire Avenue, N.W., Suite 500
Washington, D.C. 20037
202/518-6352
jweinrieb@ofwlaw.com