We are pleased to share that Chambers USA has once again named McDermott Health the only firm to receive a Band 1 national ranking in health care. This year’s Band 1 placement marks 10 consecutive years of securing a top national ranking in this prestigious law firm directory, and the ninth year that we have held this position exclusively. The Health team also garnered Band 1 state-level rankings in California, Florida, Illinois, Massachusetts and Washington, DC—cities and states where we have substantial health law teams—and 29 McDermott health lawyers were ranked individually.
Companies looking to enter the digital health field face myriad legal implications unique to doing business in this sector. Whether emerging or established, companies exploring health care opportunities benefit from careful planning around complex issues such as pace of development, reimbursement systems, strategies for responsible data collection and use, and effective corporate compliance programs. In this podcast, McDermott partners Sarah Hogan, Lisa Schmitz Mazur and Dale Van Demark take a closer look at these and other important factors companies should review when contemplating a move into the digital health ecosystem.
Q. What issues should companies consider before they enter today’s digital health care market?
DV: The first and perhaps most important thing to focus on is the business plan. A lot of business plans that may work in other service sectors may not work in the health care industry because of the way that it is structured or because of consumer expectations.
Beyond that, there are real cultural differences that we see technology companies come up against when they enter into the health care market. Frequently, technology companies are used to a very fast pace. They are used to making mistakes and learning from them, and evolving and developing to move forward. The health care industry has traditionally been much slower and more deliberative, with the goal of getting it right the first time being predominant. That cultural difference can cause problems in building relationships and setting expectations for both pace and service levels.
Finally, understanding the complexity of health care infrastructure is very important. Understanding how the health care system works and how your product, service and business plan work within that ecosystem is critical to establishing the relationships you want and really selling into that marketplace.
Live from JPM: Collaboration or Consternation, the state of Digital Health Devices—a conversation with McDermott’s Digital Health Thought Leaders
The proliferation of digital health devices and solutions is at hand. Demand exists around every corner with applications ranging from personal wellness to remote patient monitoring. They are being offered by industry stalwarts and upstarts alike. Collaborations amongst tech companies, academics, big data providers, entrepreneurs and traditional healthcare players—all of whom bring something valuable to the table and all of whom want to be involved in delivering solutions that can help predict, prevent or more effectively respond to disease—are catalyzing digital health product and service development. These new relationships are bringing the power of multiple competencies and game-changing perspectives to today’s health care challenges. They have the potential to revolutionize the way we approach health care delivery. The question is: do these players really know what it will take to work together successfully and, if so, will they be able to get digital health solutions over the finish line?
False Claims Act Settlement with eClinicalWorks Raises Questions for Electronic Health Record Software Vendors
On May 31, 2017, the US Department of Justice announced a Settlement Agreement under which eClinicalWorks, a vendor of electronic health record software, agreed to pay $155 million and enter into a five-year Corporate Integrity Agreement to resolve allegations that it caused its customers to submit false claims for Medicare and Medicaid meaningful use payments in violation of the False Claims Act.
The Final Rule published by the US Department of Health and Human Services on January 18, 2017, largely avoids major modifications to the Common Rule. However, it specifically addresses creation of biospecimen and data repositories and use of those repositories for secondary research. All stakeholders involved in federally funded research should be aware of the Final Rule’s changes and prepare to implement them.
On January 18, 2017, the Department of Health and Human Services (HHS) and 15 other federal agencies issued a final rule overhauling the federal human subjects research regulations known as the “Common Rule.” These are the first revisions to the Common Rule since its original enactment in 1991, and have been in progress since HHS first published an Advanced Notice of Proposed Rulemaking in July 2011. According to the press release accompanying the final rule, HHS made “significant changes” to its most recent proposals (published in September 2015) in response to the 2,100+ public comments they received.
The majority of the Common Rule’s changes and new provisions will go into effect in 2018. We are reviewing the final rule in detail, and a summary of changes and new provisions is forthcoming.
On January 4, 2017, the Department of Health and Human Services (HHS) submitted a draft final rule to amend the federal human research regulations to the Office of Management and Budget (OMB). These regulations, often referred to as the Common Rule, were originally developed in 1991 and have been adopted by multiple federal departments and agencies. OMB review is the last step before final publication and suggests that HHS is trying to release a final rule before President Obama leaves office on January 20, 2017.
Through its Office for Human Research Protections (OHRP), HHS initially published an Advanced Notice of Proposed Rulemaking in July 2011. The Advanced Notice generated significant controversy and OHRP did not publish a notice of proposed rulemaking (Proposed Rule) for over four years, ultimately doing so on September 8, 2015. The Proposed Rule, like its earlier Advanced Notice counterpart, suggested major changes to the Common Rule, including changes to its overall jurisdictional scope, requirements relating to secondary use of biospecimens and individually identifiable information, and the general research review and oversight process.
Since the Proposed Rule’s publication, OHRP has received significant feedback from both industry and expert advisory groups about the proposed changes and their overall impact. While certain proposed changes have been applauded, the Proposed Rule has also generated considerable concern and uncertainty among stakeholders.
The current status of OMB’s review is pending.
The Joint Commission (TJC) recently clarified that licensed independent providers (LIPs) or other practitioners may not utilize secure text messaging platforms to transmit patient care orders. TJC’s earlier position provided that use of secure text messaging platforms was an acceptable method to transmit such orders, provided that the use was in accordance with professional standards of practice, law and regulation, and policies and procedures.
TJC identified the rationale for the reinstated prohibition against secure text messaging for patient care orders as one of patient safety: after “weighing the pros and cons,” TJC and the Centers for Medicare and Medicaid Services (CMS) concluded that the impact of the modality on patient safety remained unclear and determined that approving its use was premature.
On August 17, 2015, the Federal Trade Commission (FTC) announced settlements with 13 companies on charges that they misled consumers by claiming that they were certified members of the U.S.-EU or U.S.-Swiss Safe Harbor programs when in fact their certifications had lapsed or never existed in the first place. The FTC’s announcement comes on the heels of two previous settlements reached in late May 2015 with companies that had lapsed certifications despite representations to the contrary made to online consumers. This recent activity by the FTC serves as yet another reminder to businesses to monitor their Safe Harbor program certification renewal dates and to exercise care when making representations in privacy policies related to Safe Harbor program certification.
The Safe Harbor programs provide a method for U.S. companies to transfer personal data outside of the European Union (EU) or European Economic Area (EEA) consistent with the requirements of the European Union Directive on Data Protection or the Swiss Federal Act on Data Protection. To participate in a Safe Harbor program, a company must self-certify to the U.S. Department of Commerce that it complies with seven privacy principles and related requirements. Once certified, a company is required to renew its certification with the Department of Commerce each year to maintain its status as a current member of the Safe Harbor program.
The companies at the center of the recent enforcement actions represent a variety of industries, including app development, pharmaceutical and biotechnology research, medical waste processing and wholesale food manufacturing. This broad industry representation suggests to us that the FTC is committed to ongoing enforcement. Accordingly, we want to remind readers of these tips:
- Check your company’s certification status to ensure that it is marked “current” on the Department of Commerce website: https://safeharbor.export.gov/list.aspx;
- Review any privacy policies and online statements referencing the Safe Harbor programs to ensure that they properly reflect the certification status and the company’s actual privacy and data security practices;
- Institute a systemic reminder six months prior to the recertification date that triggers compliance review activity with a due date for completion prior to the recertification deadline, together with a requirement that the actual online recertification be completed prior to the annual deadline;
- Remove all references to the Safe Harbor programs from publicly available privacy policies and statements if the company’s certification status is unclear; and
- Review substantive compliance with the Safe Harbor programs and institute corrective action and controls to ensure that compliance is maintained.
On July 6, 2015, the Korean National Assembly passed a bill containing several amendments to the Personal Information Protection Act (PIPA). This bill (the Amendment Bill) combines a number of major provisions from nine different previous bills – e.g., one introduced in 2013 and eight proposed in 2014 following the massive data breach of three major credit card companies that occurred in January 2014 (the Credit Card Company Data Breach). Although the amended version of the PIPA (the Amended Act) will take effect upon its promulgation (yet to be determined), most of the provisions that will significantly affect the obligations and responsibilities of data handlers are scheduled to take effect either a year after the Amended Act’s promulgation or on January 1, 2016. For timely compliance with the amended law, companies processing customer or employee data need to keep an eye on the respective effective dates of provisions of the Amended Act that are particularly applicable to them.
1. Significance of the Amendment
The PIPA was adopted in 2011, among other purposes, to protect the privacy of individuals and their personal information from unlawful collection, leakage, appropriation and misuse. However, even after the PIPA’s enactment in 2011, large-scale data breaches were not uncommon, and the Credit Card Company Data Breach last year was the final straw that prompted a call for stricter data protection and privacy regulations across the board to raise awareness of the significance of data protection and security and potential serious risks. The Amendment Bill keeps pace with the stricter rules of the recently amended version of the Utilization and Protection of Credit Information Act.
More specifically, the Amendment Bill extends stronger protection measures to individuals affected by data breaches by providing for punitive damages and statutory damages. Further, heavier penalties are imposed on those who violate certain provisions of the PIPA, and illegal proceeds generated from such violations are subject to forfeiture and collection. Whereas the current version of the PIPA provides for the recovery of damages in the event an individual’s personal information was stolen, lost, leaked, falsified or damaged, the Amendment Bill explicitly prescribes “fabrication” of personal information as an additional type of data breach, so that affected individuals will also be able to claim damages if their personal information is fabricated. The Amendment Bill also awards broader authority to the Personal Information Protection Committee (PIPC) to address loopholes relating to the practical operation of the PIPC in the PIPA, and provides for the legal grounds for the designation of institutions for data protection certification. Overall, the Amendment Bill contains provisions that increase the level of penalties imposed on violators.
Some of the key changes to the PIPA pursuant to this amendment are summarized below.
2. Adoption of Punitive Damages and Statutory Damages Provisions
The Amendment Bill deletes Article 39(2) of the PIPA which sets forth the mitigating circumstances of a data handler’s liability for damages incurred by a data subject whose personal information is mishandled. Furthermore, under the Amendment Bill, if a person suffers [...]