The E-Cigarettes Industry Fights Back Challenging the FDA in Federal Court

e cig

Days after the publication of the Food and Drug Administration’s controversial final rule regarding e-cigarettes (and other nicotine-delivering products), a company called Nicopure Labs LLC filed a lawsuit challenging it in the U.S. District Court for the District of Columbia.  Nicopure seeks to have the rule vacated and declared unlawful, and has requested a preliminary injunction barring enforcement of the rule and prohibiting the FDA from taking any action under the rule pending resolution of the lawsuit.

The final rule, which will take effect on August 8, 2016 absent an injunction, grants the FDA authority to regulate electronic cigarettes and other vaping products and imposes rules on the industry that many insiders fear will leave it decimated.  These rules include banning sales to anyone younger than 18 years of age, requiring extensive warning labels on packing and — most significantly — subjecting all products (even those currently on the market) to the FDA approval process and the FDA’s reporting and recordkeeping requirements.  The price tag associated with the FDA approval process alone likely will pose an insurmountable barrier for the small vape shops, device manufacturers and e-liquid producers that currently drive most of the industry.

Nicopure, a Florida company that distributes battery-powered vaping devices and manufactures and distributes e-liquid, seeks to have the Final Rule vacated on several grounds.  First, Nicopure alleges that the deeming rule defines “tobacco product” so broadly that it constitutes an unreasonable construction of the authority granted under the Administrative Procedure Act (APA).  Additionally, Nicopure contends that the rule should be vacated as arbitrary and capricious in violation of the APA.  Finally, Nicopure brings a constitutional challenge, arguing that the rule violates the First Amendment by prohibiting manufacturers from “making truthful and nonmisleading statements regarding vaping devices, e-liquids and related products” and from “engaging in other forms of protected expression, including by distributing free samples of vaping devices or e-liquids.”

As of this writing, the FDA has not responded to Nicopure’s complaint, but the case (Nicopure Labs, LLC v. Food and Drug Administration, et al.,1:16-cv-00-878) will no doubt be closely watched by the rule’s proponents and detractors alike.

For more information you can contact Ryan Blaney or another member of Cozen O’Connor’s Health Law team.

 

Share on Twitter

Tags: , , ,

Medical Marijuana in Pennsylvania: What Physicians Should Know

shutterstock_244196869On April 17, 2016, Governor Wolf signed Act 16 of 2016, making Pennsylvania the 24th state (plus the District of Columbia) to legalize marijuana for medical use. The full text of the act is available here.

Physicians, not surprisingly, will play a vital role in making medical marijuana available to Pennsylvanians, while ensuring patient safety in the process.  This is what they should know about Act 16: Continue reading…

Share on Twitter

Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Cyber-Security Alert: D.C. Area Hospital Chain MedStar Targeted By Hackers

Posted by Dana Petrillo on March 30, 2016
Healthcare, Hospital / No Comments

MedStar, a Washington, D.C.-area hospital chain, became the latest healthcare industry victim of a cyber-attack when hackers breached its systems with a crippling virus. MedStar operates 10 hospitals in the D.C./Baltimore region, employs 30,000 staff, has 6,000 affiliated physicians, and serviced more than 4.5 million patient visits in 2015.

After being paralyzed by the virus, MedStar’s entire IT system for its 10 hospitals was forced to shut down and revert to paper records. The chain’s approximately 35,000 employees do not have access to emails and cannot look up digital patient records in the attack’s wake. The FBI is assisting the chain by investigating the incident. It’s unclear at the moment whether or not the hackers are demanding ransom from MedStar in exchange for removing the virus.

Monday’s cyber-attack at MedStar comes weeks after Hollywood Presbyterian Medical Center in Los Angeles paid hackers 40 bitcoins, or about $17,000, to regain control of its computer system, which hackers had seized with ransomware using an infected email attachment.

Hackers increasingly target healthcare entities as security protections in healthcare often lag behind those in banking and financial sectors. Healthcare information contains a treasure trove of patients’ personal information, and a complete healthcare record is worth at least ten times more on the black market than credit card information. Also, hospitals are considered critical infrastructure that cannot reasonably be closed or incapacitated for any great length of time, and so may be more inclined to bowing to hackers’ demands for ransom.

This latest attack just goes to show the importance of cybersecurity at hospitals and other healthcare entities. In addition to the recent Hollywood Presbyterian Medical Center attack, data breaches and cyber-attacks have also recently occurred at Excellus Blue Cross Blue Shield, UCLA Health System, Premera Blue Cross, and Anthem Inc.

For more information, please contact Dana Petrillo, or another member of Cozen O’Connor’s Health Law team.

Share on Twitter

Tags: , , , , , , , , , , ,

Heads-up! HIPAA Phase Two Audits Begin – Business Associates Included!

Posted by Gregory M. Fliszar, Ryan Blaney, and J. Nicole Martin on March 22, 2016
HHS, OCR / No Comments

The Department of Health and Human Services (HHS) Office of Civil Rights (OCR) finally announced on March 21 that it is ready to begin Phase Two of its HIPAA audit program, which will include business associates. These audits, mandated by HITECH, will primarily be comprised of desk audits, scheduled for completion by the end of December 2016, followed by onsite audits.

OCR explained it will immediately commence Phase Two by verifying, via email, cover entities’ and business associates’ contact information. The OCR is requesting timely responses, so that it can send pre-audit questionnaires out in order to gather data from covered entities and business associates for the creation of potential audit subject pools. The data will relate to the entities’ size, type and operations. Should covered entities and business associates fail to respond to OCR’s requests, they may still be part of OCR’s potential subject pools because OCR plans to compile publically available information about covered entities and business associates that do not respond to its requests.

The first round of desk audits will focus on covered entities, and the second round will focus on business associates. The third round will be onsite audits, with a greater focus on the HIPAA requirements. OCR explains that some covered entities and business associates who are subject to desk audits may also be subject to onsite audits. According to OCR, all covered entities and business associates are eligible to be audited. The audits will focus on identifying compliance with specific privacy and security requirements under HIPAA/HITECH, and OCR will notify auditees by letter, regarding the subject(s) of their specific audits. On the HHS website, OCR provides a sample letter for review. Subsequent to the audits, OCR will review and analyze information from audit final reports.

Importantly, if an audit report uncovers significant noncompliance with HIPAA, it could prompt an investigation by OCR. The areas of interest for OCR in Phase Two will become clearer as the Phase Two audit program gets underway, but for now, we know OCR will focus on assessing covered entities’ and business associates’ HIPAA compliance, identifying best practices and discovering risks and vulnerabilities.

More information about the Phase Two audits is available here, and you can also contact Greg Fliszar, Ryan Blaney, J. Nicole Martin or another member of Cozen O’Connor’s Health Law team.

 

Share on Twitter

Tags: , , , , , , , , , , , , , , , ,

OCR Announces Two Significant HIPAA Breach Settlements

Posted by Gregory M. Fliszar and J. Nicole Martin on March 21, 2016
HHS, OCR / No Comments

shutterstock_62667685On consecutive days, the Office of Civil Rights (“OCR”) of the Department of Health and Human Services (“HHS”) recently announced two large HIPAA breach settlements. On March 16, 2016, OCR announced that it entered into a Resolution Agreement with North Memorial Health Care of Minnesota for $1.55 million plus a two-year corrective action plan. On March 17, 2016 OCR followed by announcing that Feinstein Institute for Medical research, a New York biomedical research institute, agreed to pay to OCR $3.9 million and enter into a three-year corrective action plan to settle potential HIPAA violations. Both cases resulted from the all too familiar scenario of breaches resulting from stolen, unencrypted laptops.

In the Minnesota hospital breach, the unencrypted laptop containing the PHI of over 9,000 individuals was stolen from the locked car of an employee of a business associate of the hospital. According to the OCR’s investigation, the hospital failed to have a business associate agreement in place with that particular business associate. OCR also alleged that the hospital had not previously performed a risk analysis to identify and address potential risks and vulnerabilities to the ePHI it maintained, accessed or transmitted.

In the New York research corporation breach, OCR alleged that the institution did not have policies and procedures in place, including a policy on encryption and one that addressed use and access of electronic devices (e.g., the removal of the devices from the institution’s facility), nor did it have in place a security management process that sufficiently addressed potential security risks and vulnerabilities to ePHI, namely, its confidentiality, vulnerability or integrity. Notably, the stolen, unencrypted laptop contained the PHI of approximately 13,000 individuals.

As above, both OCR settlements also include multiple year corrective action plans requiring the hospital and research facility to conduct risk analyses/assessments, train their employees, and have HIPAA compliant policies and procedures in place. The Resolution Agreement for the Minnesota hospital breach is available here, and the Resolution Agreement for the New York research institute breach is available here.

Takeaways: The OCR’s 2016 breach enforcement is off to a very strong start with two high dollar settlements. Lessons learned from both breaches include the significance of encrypting electronic devices, conducting and updating on a regular basis security risk assessments and analyses, having adequate safeguards in place to protect PHI, having business associate agreements with all business associates, and having and implementing HIPAA policies and procedures to protect the security and privacy of PHI, including for example, policies related to encryption, authorized access to ePHI/PHI, and removal of electronic devices from facilities.

 

For more information, contact Greg Fliszar, J. Nicole Martin, or a member of Cozen O’Connor’s Health Law team.

 

Share on Twitter

Tags: , , , , , , , , , , , , , , , , ,

Update No. 2: Is This The Year Florida Recognizes Direct Primary Care?

Posted by Marc Goldsand on March 14, 2016
primary care / No Comments

House Bill 37 (“HB 37”), a bill intended to codify and regulate direct primary care in the State of Florida, which had sailed through the Florida House with virtually unanimous support, died in the Senate as the legislative clock ran out on it last week. When the Senate failed to take it up for vote before the session expired on March 11th, it had the effect of killing the bill. The 60-day 2017 legislative session begins on March 14, 2017.

 

For more information, please contact Marc I. Goldsand of Cozen O’Connor at mgoldsand@cozen.com or (786) 871-3935, or a member of Cozen O’Connor’s Health Law team.

 

 

Share on Twitter

Tags: ,

Does Arbitration Belong in the Nursing Home World?

Posted by J. Nicole Martin and Kate Layman on March 07, 2016
CMS / No Comments

shutterstock_336389885As part of admission into a nursing home, a facility typically requires prospective residents to agree to binding arbitration. Arbitrating disputes generally allows nursing facilities to handle disputes without incurring the onerous costs – both of time and money – associated with litigation. Nursing facilities, which operate on razor thin margins, consider the costs of litigation to be an unnecessary burden for resolving disputes that could be resolved more efficiently and just as fairly in the arbitration context. Moreover, nursing facilities fear believe that they are not operating on a level playing field in a jury trial, because juries are typically biased in favor of residents and do not understand the constraints under which facilities operate. At the same time, nursing home resident advocates have long argued that use of arbitration in the nursing home setting is a legitimate concern because residents may feel coerced into signing them and may not fully understand the implications of signing such an agreement–that it means they are waiving their right to a jury trial.

Since last year, the use of arbitration agreements in nursing facilities has been in the forefront, both in state courts, and in the July 16, 2015 CMS proposed rule regarding the regulation of nursing homes, where the Centers for Medicare & Medicaid Services (“CMS”) proposed specific requirements regarding arbitration agreements (“Proposed Rule”).

For example, in Wert v. Manorcare of Carlisle PA, LLC (2015 WL 6499141, No. 62 MAP 2014 (Pa. Oct. 27, 2015)), the Pennsylvania Supreme Court addressed the enforceability of a nursing home’s arbitration agreement. While the Wert Court did not squarely address the issue of whether the arbitration clause is void as against public policy, the Wert Court stated it “recognize[s that premising the integrality of a contractual term on the subjective understanding of a far less sophisticated non-drafting party is ill-advised public policy that would further distort an already lopsided balance of power.” Despite the Wert Court’s acknowledgement of this being a public policy concern, the decision turned on the procedural validity of the clause because it required the use of the National Arbitration Forum’s code, which the Wert Court found the clause unenforceable. However, the brief reference to the public policy implications of arbitration agreements suggests that if the actual clause is called into question—other than for procedural reasons—Pennsylvania courts may void them as against public policy. On February 29, 2016, the United States Supreme Court (GGNSC Gettysburg LP v. Wert, U.S., No. 15-820) refused to review the Wert decision. The United States Supreme Court’s refusal is in line with other states as well, which like Pennsylvania, have found such agreements requiring the use of the National Arbitration Forum’s code to govern and address disputes between nursing homes and residents unenforceable.

In contrast, in Carrigan v. Live Oak Nursing Ctr., LLC (2015 WL6692199, No. 2:15–CV–319 (S.D. Tex. Nov. 3, 2015)), a Texas federal court decided late last year that an arbitration agreement signed along with the resident admission agreement was enforceable and that the parties would have to resolve their dispute through arbitration. The Carrigan Court further found that all parties who benefited from the resident admission agreement would be bound by the arbitration clause even though they did not sign it, that is, those parties who were suing to enforce duties under the resident admission agreement—that existed because of the relationship between the former resident and facility under the resident admission agreement—would also be bound by the arbitration agreement.

In the Proposed Rule, CMS expressed concern about the use of arbitration agreements in nursing homes. While soliciting comments on whether binding arbitration agreements should be prohibited, CMS nevertheless proposed a new regulation (42 C.F.R. 483.70(n)) with the following requirements:

  • The agreement is to be explained to the residents who acknowledge that they understand the agreement;
  • The agreement is to be entered into voluntarily;
  • Arbitration sessions be conducted by a neutral arbitrator in a location that is convenient to both parties.
  • Admission to the facility is not contingent upon the resident or the resident representative signing a binding arbitration agreement.
  • The agreement could not prohibit or discourage the resident or anyone else from communicating with federal, state, or local health care or health-related officials, including representatives of the Office of the State Long-Term Care Ombudsman.

Both the Wert case and the Proposed Rule highlight concerns about the use of arbitration agreements in the nursing home world. Given CMS’ expressed concern about them, nursing homes who ask residents to sign binding arbitration agreements would be well advised to look carefully at the process by which the residents agree to binding arbitration and to implement policies that ensure that residents clearly understand what they are signing and that they are not pressured to sign these agreements.

For more information regarding the use of arbitration agreements in the nursing home context, contact J. Nicole Martin or any member of Cozen O’Connor’s healthcare law team.

 

 

Share on Twitter

Update: Is This The Year Florida Recognizes Direct Primary Care?

Posted by Marc Goldsand on March 02, 2016
DPC / No Comments

House Bill 37 (“HB 37”) passed the Florida House 116-0 today. In a hostile political environment, the unanimous vote in Florida’s more conservative chamber confirms what many in the direct primary care medical (“DPC”) space already believe: that DPC is not a political issue.

HB 37’s virtually identical Senate counterpart, Senate Bill 132 (“SB 132”), is on that chamber’s “Second Reading” calendar, and also appears to be moving forward. If SB 132 is indeed approved in the coming weeks it will be sent to Governor Scott for his signature. The 2016 legislative session ends on March 11th. This one is going down to the wire.

For more information, please contact Marc I. Goldsand of Cozen O’Connor at mgoldsand@cozen.com or (786) 871-3935, or a member of Cozen O’Connor’s Health Law team.

Share on Twitter

Finally! CMS Publishes the 60-Day Rule for Reporting and Repaying Medicare Overpayments

shutterstock_182401121

After four years and 200 comments, CMS finalized the much‑awaited “60‑Day Rule” for reporting and repaying Medicare Part A and B overpayments (CMS issued a Final Rule related to Medicare part C and D overpayments in the May 23, 2014 Federal Register, 79 FR 29844, and will address Medicaid overpayments in future rulemaking). The 60-Day Rule is part of CMS’s efforts to reduce fraud, waste, and abuse in the Medicare program.

Section 6402(d) of the Affordable Care Act (ACA), created section 1128J(d) of the Social Security Act (codified at 42 U.S.C. 1320a-7k(d)), requiring a person or entity who has received an overpayment to report and return the overpayment to the appropriate entity by the later of: (1) 60 days after the date on which the overpayment was “identified”; or (2) the date any corresponding cost report is due (if applicable). Importantly, the ACA also made reporting and repaying overpayments within 60 days an “obligation” under the False Claims Act (FCA), and therefore subject to FCA liability. Proof of specific intent to defraud the government is not required for a person or entity to be liable under the 60-Day Rule.

The Final Rule slightly relaxes some of the onerous requirements in the 2012 Proposed Rule:

Six Year Lookback Period: CMS responded to numerous comments and concerns that the proposed 10-year look back period for identifying overpayments was too long. The 60-Day Rule changed the lookback period to 6 years, consistent with the statutory limitations for the FCA.

Definition of Identify: CMS acknowledged the numerous comments submitted on what it means to “identify” an overpayment and said, “We agree and have revised the language … to clarify that part of identification is quantifying the amount, which requires a reasonably diligent investigation.” According to CMS, “[t]he Final Rule clarifies that a person has identified an overpayment when the person has or should have, through the exercise of reasonable diligence, determined that the person has received an overpayment and quantified the amount of the overpayment.” CMS warned Medicare providers and suppliers not to use the “ostrich defense”; reasonable diligence includes both proactive compliance activities conducted in good faith by qualified individuals, and good faith investigation of credible information conducted in a timely manner by qualified individuals. Quantification of the amount of the overpayment may be determined using statistical sampling and extrapolation methodologies.

How to Report and Return Overpayments: The Final Rule states that providers and suppliers must use an applicable claims adjustment, credit balance, self-reported refund, or another appropriate process to satisfy the obligation to report and return overpayments.

The Final 60-Day Rule is available at: https://federalregister.gov/a/2016-02789. By way of comparison, the February 16, 2012 Proposed Rule is available at:  https://www.gpo.gov/fdsys/pkg/FR-2012-02-16/pdf/2012-3642.pdf

To learn more about reporting or making repayments under the Final Rule, please contact Ryan Blaney, Dana Petrillo or any member of Cozen O’Connor’s Health Law team.

Share on Twitter

Tags: , , , , ,

Medical Home Plans Saved Minnesota $1 Billion from 2010-2014

Posted by Marc Goldsand on February 11, 2016
HCH / No Comments

shutterstock_320140895A five-year study released by the Minnesota Department of Health this week, which recorded reams of data in comparing traditional primary care practice patient and cost results with those of health care home practices (“HCH”), gives a fascinating, data-driven glimpse of patient center medical home plans established within the existing Medicare/Medicaid/third party payor system over a five-year period. The findings are especially notable in that these HCHs remained within the traditional reimbursement system as opposed to a direct primary care medical home practice model, which generally requires the practice to forego traditional insurance and seek payment only from the patient.

Some notable results:

  • HCHs had significant and substantial savings on their Medicare, Medicaid, and Medicare/Medicaid dual-eligible patients compared to non-HCHs between 2010 and 2014.
  • HCHs had lower costs.
  • In the subject population, there was a major decrease in the use of hospital services, which was the primary driver of cost savings.
  • In the subject population, there was a modest decrease in prescription drug use.
  • HCHs generated over $1 billion in savings.

The full study is available here.

For more information about this blog, please contact Marc I. Goldsand, Esq., or another member of Cozen O’Connor’s Health Care team.

Share on Twitter

Tags: , ,