This post was guest authored by lawyers from MWE China Law Offices, McDermott Will & Emery’s strategic alliance in Shanghai. 

Data compliance in China’s health care industry is multifaceted and highly sensitive, and applies to numerous types of data generated across the continuum of care. Multiple pieces of legislation prescribe complex regulatory requirements governing different types of data, and various supervisory authorities frequently conduct inspections and investigations, paying special attention to health care multinationals with operations in China.

This article explores four key questions on the regulatory requirements for health care data in China, along with key compliance steps for multinationals throughout the entire life cycle of health care data, including collection, storage, transfer and use.

1. What types of health care data are regulated in China? What are the key compliance points related to these types of health care data?

Data compliance rules apply to various sources and types of health care data, including medical record information, medical insurance information, health care logs, human genetic resources, medical experiments and scientific data. The table below lists the various types of health care data governed by China’s laws and regulations related to health care and personal information, as well as the key regulatory compliance focus for each category.

| Category | Definition | Key Regulatory Compliance Focus |
| --- | --- | --- |
| Health Care Big Data: The Administrative Measures on Standards, Security and Services of National Healthcare Big Data (for Trial Implementation) | Data relating to health care generated in the course of disease prevention and control as well as health management. Note: the Measures do not clarify what data qualifies as health care “big” data. | Localisation and storage. Transfer: Cross-border data transfer is subject to security assessment. |
| Human Genetic Resources: The Interim Administrative Measures for the Management of Human Genetic Resources | Genetic materials and related information, including organs, tissues, cells, blood, preparations, recombinant deoxyribonucleic acid (DNA) constructs containing human genome, genes and their products. | Collection: Complex approval procedures are required, and collection by foreign entities or individuals is restricted. Localisation and storage. Transfer: Approval from administrative bodies is required before cross-border transfer. |
| Pharmaceutical Data: The Pharmaceutical Data Management Specification (Draft for Comments) | Data from all activities in a product’s life cycle, such as R&D, production, circulation, post-marketing monitoring and evaluation. | Laws and regulations on personal information protection, health care big data protection and human genetic information protection, etc., may apply under certain circumstances. |
| Medical Device Data: The Guidelines for Technical Review of Network Security Registration for Medical Devices | Health care data and device data. | Laws and regulations on personal information protection, health care big data protection and human genetic information protection, etc., may apply under certain circumstances. |
| Medical Records: The Regulations for Medical Institutions on Medical Records Management | All texts, symbols, graphics, images and slides produced in medical activities by medical personnel, including outpatient (emergency) and hospitalisation medical records. Medical records are filed as medical history. | Collection: Consent from data subject is required. Transfer: Medical institutions should keep records strictly confidential except under specific circumstances. |
| Scientific Data: The Measures for the Management of Scientific Data | Primarily data produced from basic research, application research, pilot development and other endeavours in such areas as natural science and engineering technology science, and the original data and data derived via observation and monitoring, survey and investigation, and inspection and detection that is used for scientific research activities. | Transfer: Data involving state secrets are strictly forbidden to be transferred to a third party. |

2. What are the key compliance steps for health care data collection in China?

Collection of any health care data involving personal information should be based on the three principles of China’s Cybersecurity Law (legitimacy, justification and necessity) and requires the consent of the data subject. The rules, purposes, methods and ranges of such collection should also be disclosed to the data subject.

Collection of human genetic information by foreign entities or foreign individuals is strictly regulated, and such collection is subject to the approval of regulatory authorities.

Multinationals may wish to consider taking the following steps to be compliant with Chinese laws:


The federal government has offered substantial incentives to providers to adopt and use certified electronic health record (EHR) technology. As of October 2018, the federal government had paid over $38 billion in EHR incentive payments through the Promoting Interoperability Program (formerly, the Meaningful Use Program). Other federal health care program policies also encourage use of certified EHR technology through enhanced payments or avoidance of decreased reimbursement. These EHR-related payment policies, however, have triggered increased oversight and enforcement attention on EHR vendors who have allegedly misrepresented the capabilities of their EHR software and allegedly paid kickbacks to customers.

In 2017, DOJ announced a settlement with eClinicalWorks (eCW), an EHR vendor, to resolve an FCA lawsuit originally brought as a qui tam action by a whistleblower. DOJ’s complaint-in-intervention alleged that eCW made material false statements and concealed material facts about the capabilities of its software in connection with the government’s EHR certification process.[1] It also alleged that eCW paid purported kickbacks in connection with certain marketing arrangements (i.e., a referral program, site visit program, and a reference program) with influential customers to induce them to recommend eCW’s EHR software, in violation of the federal Anti-Kickback Statute (AKS).[2]

As part of the settlement, eCW agreed to pay $155 million and to enter into a novel, five-year Corporate Integrity Agreement (CIA) with the HHS OIG. Among other things, the CIA required eCW to engage an independent Software Quality Oversight Organization to assess eCW’s software quality control systems and to regularly report to OIG and eCW on its reviews and recommendations. Further, the CIA required eCW to offer free upgrades and data transfers to its current customers. This was a ground-breaking settlement that raised the question of whether this was the beginning of government and whistleblower attention on (and FCA actions against) EHR vendors. This question was seemingly answered in the affirmative when DOJ announced a second settlement with an EHR vendor in early 2019.

On February 6, 2019, EHR vendor Greenway Health LLC (Greenway) entered into a similar settlement to resolve an FCA case filed by the US Attorney’s Office in Vermont. Interestingly, a whistleblower did not initiate the Greenway case. Rather, DOJ pursued it directly. Like eCW, Greenway faced allegations that its EHR system did not function in the way the company represented during the certification process.[3] One specific allegation was that Greenway provided some customers whose EHR software was improperly calculating certain meaningful use measures (which providers are required to achieve to be eligible for incentive payments) with incorrect calculations in order to enable them to receive incentive payments.[4] According to DOJ, this allegedly caused some Greenway customers to submit false claims to HHS for payment under the Promoting Interoperability Program.

As in the eCW case, the government complaint against Greenway also alleged that certain payments from Greenway to its customers pursuant to certain reference, referral, and site visit programs violated the AKS.[5] Additionally, the government accused Greenway of giving its favored customers extravagant gifts, including “iPads, meals, travel, tickets to sporting events and entertainment, all for the purpose of inducing these users to either continue using Greenway’s products or recommend Greenway to other health care providers . . . .”[6] To resolve these allegations, Greenway agreed to pay $57.25 million, and to enter into an eCW-like CIA.

Practice Note: While many questions remain, including whether a court would agree with DOJ that the AKS applies to these situations, we expect to see continued government and relator scrutiny of EHR vendors. In light of this continued focus, EHR vendors should ensure that they: (1) take care to accurately and transparently demonstrate their software during HIT certification program testing; (2) review, and consider improvements to, their systems and other procedures for identifying, responding to and correcting software design and quality issues that call into question EHR software’s conformity to applicable EHR certification criteria or present patient safety or clinician usability risks; and (3) review existing customer reference, referral and marketing arrangements for compliance with the Anti-Kickback Statute. If an EHR vendor receives investigative requests from the federal government, it should engage outside counsel.

This blog post was originally published in McDermott’s Health Care Enforcement Quarterly Roundup | Q1 2019.

[1] United States, ex rel. Brendan Delaney v. eClinicalWorks, LLC, Complaint in Intervention, 2:15-CV-00095, D. Vermont (May 12, 2017).
[2] Id. ¶¶ 79-85.
[3] Id.
[4] United States v. Greenway Health, LLC, Complaint, 2:19-CV-00020 at ¶¶ 76-112, D. Vermont (February 6, 2019).
[5] Id. ¶¶ 113-125.
[6] Id. ¶¶ 126-27.

DOJ’s focus on individual accountability is particularly important with respect to telemedicine. Telemedicine is a burgeoning field, with a projected market increase of 18 percent annually over the next six years, reaching $103 billion in 2024. In light of this recent surge in profitability, DOJ has begun paying extra attention to telemedicine, with at least one recent HHS-OIG report asserting that more than one-third of all telemedicine claims are improper.

The report’s claim is further supported by a recent increase in telemedicine prosecutions. In April 2019, DOJ announced charges against 24 defendants, including owners of various telemedicine companies, for their alleged involvement in a health care fraud scheme resulting in $1.2 billion in loss. This scheme involved the payment of kickbacks and bribes by durable medical equipment (DME) companies to medical professionals working with telemedicine companies, in exchange for the referral of Medicare beneficiaries. DOJ alleges that the defendants paid doctors to prescribe medically unnecessary DME without ever seeing patients or after only a brief telephone conversation. The prosecution involves charges in at least seven districts across the United States, including New Jersey, Florida, Texas, Pennsylvania, and California. Additionally, DOJ prosecuted several other individuals in connection with unrelated telemedicine schemes in late 2018. In light of this recent trend, companies should exercise extreme caution and consult with regulatory experts prior to opening telemedicine practices. Companies can expect to see increased scrutiny and further prosecution of telemedicine companies moving forward.

Practice Note: DOJ has recently re-emphasized its willingness to exercise significant discretion and reward companies that invest in strong compliance programs. Looking forward, health care companies should maintain detailed and up-to-date documentation of all compliance programs, in case such an FCA case should arise. A lawyer should be consulted if an updated compliance program is needed.

This blog post was originally published in McDermott’s Health Care Enforcement Quarterly Roundup | Q1 2019.

We are pleased to share that Chambers USA has once again named McDermott Health the only firm to receive a Band 1 national ranking in health care. This year’s Band 1 placement marks 10 consecutive years of securing a top national ranking in this prestigious law firm directory, and the ninth year that we have held this position exclusively. The Health team also garnered Band 1 state-level rankings in California, Florida, Illinois, Massachusetts and Washington, DC—cities and states where we have substantial health law teams—and 29 McDermott health lawyers were ranked individually.


The end of 2018 and the first months of 2019 brought a number of regulatory developments impacting care coordination and the adoption and reimbursement of digital health services. From the Centers for Medicare & Medicaid Services’ (CMS) Regulatory Sprint to Coordinated Care and Pathways to Success initiatives to the updated Physician Fee Schedule, speakers Dale Van Demark and Lisa Schmitz Mazur discuss the rules and regulations that have the potential to enhance or hinder access to digital health solutions and how digital health companies can position themselves for success in this evolving regulatory landscape.

Click here to listen to this episode of the Of Digital Interest podcast. 

The digital health market is expected to grow beyond $379 billion by 2024, with a 27.7 percent compounded annual growth rate over the coming years. This activity is fueled by increasing demand for remote monitoring services, favorable government initiatives and funding, and the proliferation of mobile intelligent devices. An article by Rock Health noted that in 2018, “investors poured nearly $8.1B into the sector, surpassing 2017’s record-setting total of $5.7B by a whopping 42%.”

Amidst this growth, digital health startups are seeking to make the most of their funding and protect the innovations that drive their product. To do so, they must protect their intellectual property from being copied or duplicated by others in the market. Patents offer the strongest form of protection for innovations and can lead directly to increased investment. For digital health startups that eventually go public, valuation can reach $1.1 million per software patent application filed.

An issued patent in the United States gives the patent owner a 20-year monopoly right to stop others from making, using or selling the patented invention. A digital health company with a patent on a software feature—for example, a unique approach to dynamically generate a questionnaire based on user information for a remote health consult—has the right to stop competitors from making, selling or using software that includes that feature. Digital health companies, particularly pre-IPO, should develop a patenting strategy to assess how best to protect the innovations that drive their business and increase the company’s monetary value and longevity. If you have ever said one of the following phrases, your company likely will benefit from a discussion with patent counsel on how to protect your inventions:

  • We’re the first ones to ever do this.
  • None of our competition does this.
  • This feature drives a lot of business to our company.
  • This feature was really hard to implement, but we found a way to do it.


We greatly appreciate our readers continuing to turn to us for insight on the most critical legal, regulatory and transactional developments impacting digital health, and the innovative collaborations transforming health care. Over the past year, McDermott’s Health practice made headlines for our work on several of the most high-profile collaborative transformations that took place in 2018: We were one of several law firms to advise CVS Health Corp. on its approximately $70 billion cash and stock purchase of health insurer Aetna Inc. McDermott also assisted Air Medical Group Holdings in its $2.44 billion acquisition of American Medical Response (AMR), a medical transportation company, from Envision Healthcare Corporation. It is because of our role in ground-breaking transactions like these that—for the fifth time in 10 years—McDermott was recognized by Law360 as the Health Practice Group of the Year.

We’re passionate about the results our digital health clients are achieving and our role in helping them transform health care. We are equally passionate about what these results mean for the industry and health care consumers. Through our blogs, articles and health-focused events, we are committed to providing you with thought leadership that will help expand your field of vision as you navigate the rapidly changing health care landscape.

McDermott was also named Practice Group of the Year in the Tax category. For more information about our approach to Collaborative Transformation, visit mwe.com/collaborativetransformation.

New digital health regulations arose at the federal and state level in 2018, bolstering the existing legal framework to further support and encourage digital health adoption in the context of care coordination and the move to value-based payment. McDermott’s 2018 Digital Health Year in Review: Focus on Care Coordination and Reimbursement report – the second in a four-part series – highlighted these developments within the digital health landscape. These efforts brought changes to coverage of telehealth and other virtual care services, as well as information gathering for regulatory reform, and can help bridge the gap between research, funding and implementation as regulations build a framework within which companies can deploy their products, receive reimbursement and demonstrate value to patients. Here we outline digital health developments from the second half of 2018 and how they can help drive digital health forward in 2019. For a closer look at key care coordination and reimbursement developments that shaped digital health in 2018, along with planning considerations and predictions for the digital health frontier in the year ahead, download our full report.


Data privacy and security legislation and enforcement saw significant activity in 2018 and early 2019. McDermott’s 2018 Digital Health Year in Review: Focus on Data report – the first in a four-part series – highlights notable developments and guidance that health care providers, digital health companies and other health care industry stakeholders should navigate in 2019. Here, we summarize four key issues that stakeholders should watch in the coming year. For more in-depth discussion of these and other notable issues, access the full report.

  1. EU General Data Protection Regulation (GDPR) enhances protections for certain personal data on an international scale. US-based digital health providers and vendors that either (a) offer health care or other services or monitor the behavior of individuals residing in the EU, or (b) process personal data on behalf of entities conducting such activities should be mindful of the GDPR’s potential applicability to their operations and take heed of any GDPR obligations, including, but not limited to, enhanced notice and consent requirements and data subject rights, as well as obligations to execute GDPR-compliant contracts with vendors processing personal data on their behalf.
  2. California passes groundbreaking data privacy law. The California Consumer Privacy Act (CCPA), which takes effect on January 1, 2020, will regulate the collection, use and disclosure of personal information pertaining to California residents by for-profit businesses – even those that are not based in California – that meet one or more revenue or volume thresholds. Similar in substance to the GDPR, the CCPA gives California consumers more visibility and control over their personal information. The CCPA will affect clinical and other scientific research activities of academic medical centers and other research organizations in the United States if the research involves information about California consumers.
  3. US Department of Health and Human Services (HHS) Office of Civil Rights (OCR) continues aggressive HIPAA enforcement. OCR announced 10 enforcement actions and collected approximately $25.68 million in settlements and civil money penalties from HIPAA-regulated entities in 2018. OCR also published two pieces of guidance and one tool for organizations navigating HIPAA compliance challenges in the digital health space.
  4. Interoperability and the flow of information in the health care ecosystem continues to be a priority. The Office of the National Coordinator for Health Information Technology (ONC) submitted its proposed rule to implement various provisions of the 21st Century Cures Act to the Office of Management and Budget (OMB) in September 2018; this is one of the final steps before a proposed rule is published in the Federal Register and public comment period opens. The Centers for Medicare & Medicaid Services (CMS) released its own interoperability proposed rule and finalized changes to the Promoting Interoperability (PI) programs to reduce burden and emphasize interoperability of inpatient prospective payment systems and long-term care hospital prospective payment systems.

Last week, President Trump signed the SUPPORT for Patients and Communities Act (SUPPORT Act), a bipartisan piece of legislation designed to tackle the opioid crisis by, among other approaches, increasing the use of telemedicine services to treat addiction. Several key provisions are summarized below.

The package includes provisions to expand public reimbursement for telemedicine services that focus on addiction treatment. Specifically, the legislation removes Medicare’s originating site requirement for substance abuse treatment provided via telemedicine, meaning that health professionals can receive Medicare reimbursement even if the patient is not located in a rural area. In addition, the Centers for Medicare and Medicaid Services (CMS) has been directed to issue guidance to states regarding possible ways that Medicaid programs can receive federal reimbursement for treating substance abuse via telemedicine. The legislation explicitly identifies services provided via a hub and spoke model and in school-based health centers, among others, as those that should be eligible for federal reimbursement.

In another development, the US Drug Enforcement Agency (DEA) is now required to implement regulations regarding a special registration process for telemedicine providers within one year of the passage of the SUPPORT Act. The aim of this process is to expand health providers’ ability to prescribe controlled substances to patients in need of substance use disorder treatment based on a telemedicine consultation, without having to conduct an in-person evaluation first. This special registration process was originally contemplated 10 years ago under the Ryan Haight Online Pharmacy Consumer Protection Act of 2008 (Ryan Haight Act) as one of the seven pathways through which a telemedicine provider could prescribe a controlled substance to his/her patient without having first conducted an in-person evaluation, but the DEA never issued any regulations to effectuate it. At present, the special registration process and requirements (e.g., registration costs, application processing timeline, provider qualifications) are still largely unknown. The answers to these open issues will determine how accessible this new registration pathway will be to substance use disorder providers and, therefore, how impactful it will be in connecting patients in need of substance use disorder treatment with qualified providers.

In addition to these policy reforms, the SUPPORT Act also directs government agencies to conduct additional research into the possible benefits of telemedicine technology for treating substance abuse. Both CMS and the Government Accountability Office (GAO) are tasked with publishing reports concerning the use of telemedicine technology for treating children: CMS is directed to analyze how to reduce barriers to adopting such technology, and GAO is directed to evaluate how states can increase the number of Medicaid providers that treat substance use disorders via telemedicine in school-based clinics. Furthermore, the Department of Health and Human Services must issue a report regarding the impact of using telemedicine services to treat opioid addiction within five years.