Maddie Gilmore, Class of 2023, Belmont Law.

HIPAA (the Health Insurance Portability and Accountability Act of 1996) was first enacted more than twenty-five years ago. As such, the drafters of that legislation could not foresee the proliferation of new and emerging technologies that collect and process private health information of users which exists today. On February 9, 2022, legislators reached across party lines to come up with a solution to the non-regulation of this private data. HIPAA focused on privacy and preventing potential abuse of private health information of individuals, but only contemplated regulation as to health care providers and the like. What was not contemplated, or regulated, was digital health companies that collect health information directly from consumers.

Although the Department of Health and Human Services Office for Civil Rights (OCR) have attempted to address these companies using interpretive guidance, such guidance is non-binding on the industry. Furthermore, the regulation of digital health companies and data harboring apps is exceedingly difficult to regulate given the untraceability between the initial collection of any given dataset and its ultimate sale and use. Newly proposed bipartisan legislation called The Health Data Use and Privacy Commission Act, is intended to modernize HIPAA. Thus, Congress is attempting to address the problem head-on, by delegating the research and discovery process to individuals better suited than Congress themselves, the job of analyzing modern issues and possible modern solutions to health data privacy.

If passed, the Act would establish a Commission to assess any gaps in the privacy protections under HIPAA resulting from data collection and use by non-covered entities. However, the Act would not only have obvious ripple effects on the application of HIPPA, but other legislation as well, such as Section Five of the FTC Act which gives the Federal Trade Commission its current authority to regulate many direct-to-consumer digital health products that are not subject to HIPAA.

Under the current statutory framework, there are major risks to personal health information (PHI) created by new healthcare technology that extends beyond the scope of HIPAA given the onset of technologies like apps, wearable devices, and social media, and the increase in generating, collecting, using, sharing, and selling PHI. Such actors have generally been beyond the bounds of the Acts reach, creating a necessity to restructure the legislation to account for emerging health care technologies. The Health and Privacy commission formed under the Act, which would be made up of representatives with competing interests (such as providers, health plans, health technology developers, researchers, and consumers) would be charged with conducting research, creating reports, and submitting reform recommendations to Congress and the President.

Interestingly, the proposal may be based on state law, such as the California Consumer Privacy Act of 2018 (CCPA). The Act has been referred to the U.S. Senate Committee on Health, Education, Labor, and Pensions and it is still in its early stages of development. The Act is not only supported by a variety of industry healthcare representatives (such as the Association of Clinical Research Organizations), but also by both Democrat and Republican representatives alike, being bipartisan legislation. This agreement demonstrates the consensus that updates to HIPAA are necessary. Furthermore, the U.S. is now echoing international consensus on this emerging issue and is closely tied to the General Data Protection Regulation (GDPR) which is a European law. If the new Act can apply consistently with the GDPR, then American companies will no longer face two different standards depending on where their operations are taking place.

Works Cited:

https://www.carltonfields.com/insights/publications/2022/health-data-use-privacy-commission-act-hipaa

https://www.cassidy.senate.gov/newsroom/press-releases/cassidy-baldwin-introduce-legislation-to-begin-modernization-of-health-privacy-laws

https://www.dataguidance.com/news/usa-bill-health-data-use-and-privacy-commission-act

https://www.baldwin.senate.gov/imo/media/doc/Health%20Data%20Use%20and%20Privacy%20Commission%20Act.pdf

https://www.morganlewis.com/blogs/healthlawscan/2022/02/new-legislation-aims-to-upgrade-hipaa-to-account-for-new-healthcare-technologies

https://www.congress.gov/bill/117th-congress/senate-bill/3620/text?r=2&s=1

 

 

 

 

David Brust, Class of 2022, Belmont Law

On Wednesday, March 9, 2022, Bankruptcy Judge Robert Drain gave tentative approval to the Purdue Pharma bankruptcy settlement. Members of the Sackler family, who founded Purdue Pharma (the creator of OxyContin), are set to pay an estimate $5.5 billion to $6 billion as part of the settlement. The money is to mainly go towards fighting the opioid crisis in the United States. However, $750 million is set to go directly to victims or their surviving family members.  Another key element of the settlement is that Sackler family members are protected from any future civil lawsuits over opioids, however, they are not immune from any potential criminal charges. Thus far, no member of the Sackler family has ever been charged with a crime related to the opioid crisis and there has been no indication that charges are coming any time soon. Although, Purdue Pharma twice plead guilty to criminal charges and currently seven U.S. senators have asked the Department of Justice to consider charges against members of the Sackler family.

The next day, on March 10, 2022, several victims of the opioid crisis and their family members had an opportunity to directly address the Sackler family in court via zoom. Several people gave detailed accounts to Richard, David, and Theresa Sackler about how OxyContin and other opioids impacted their lives. One victim gave an account of how she was told her she could have a healthy baby while still taking OxyContin. However, her daughter was born with “physical, developmental, and emotional difficulties,” something the settlement seeks to address by dedicating over $100 million for “medical monitory and payments for children born in withdrawal from opioids.” Members of the Sackler family were not allowed to reply to the victim testimony directly. However, Richard Sackler, Purdue Pharma’s former president and board chair, maintains that neither Purdue Pharma nor his family have any responsibility for the opioid crisis. The settlement still requires approval from other courts before it goes into effect.

In other news, Kathy Hochul, the Governor of New York, announced that New York will contribute up to $1 million to combat the opioid crisis. The program is partially funded through a federal State Opioid Response grant. The money will go to the Opioid treatment program whose providers will establish “mobile medication units (MMUs) to provide medications such as methadone and buprenorphine, to treat substance abuse disorders.” Other services offered by these MMUs include “admission assessments, medication induction, medication administration and observation, toxicology tests, and other substance abuse disorder related medical services.” Recently, the DEA finalized regulations to MMUs, so their prevalence should increase within the next few years. Providers hope that MMUs will increase access to treatment for substance abuse disorders. MMUs allow greater flexibility in providing substance abuse treatment because the units can go directly to places such as homeless shelters and tent cities that have many people with a substance abuse disorder. Thus, MMU programs such as New York’s should be able to provide health care and treatment to those most in need and help to get the opioid crisis under control.

Works Cited:

https://www.pbs.org/newshour/nation/after-years-of-pain-opioid-crisis-victims-confront-sackler-family-in-court

https://www.natlawreview.com/article/behavioral-health-law-ledger-march-2022

https://www.pewtrusts.org/en/research-and-analysis/articles/2021/11/22/mobile-medication-units-help-fill-gaps-in-opioid-use-disorder-treatment

Will Brandt, Class of 2022, Belmont Law

If you believe that problems and opportunities in healthcare are largely centered around data, including patient sovereignty over data, Non-Fungible Tokens (NFTs) may have a critical role to play in the advancement of the healthcare industry and legal framework surrounding that industry.

In the current state of the healthcare industry, everything that is done regarding data, involves infinitely copying that data. For example, sharing Electronic Health Information (EHI) between Health Information Networks, involves copying data repeatedly so it can be distributed where it needs to be distributed.  This is problematic for many reasons, but the idea that patients want sovereignty over their date continues to be evidenced. There is a principle that has grown in popularity, and largely backstops the ideals of the European Union’s General Data Privacy Regulation, which mandates businesses to collect data that is relevant, adequate, and limited to what is necessary, with regards to the purpose for which it is being processed. This principle is data minimization. Data minimization refers to the practice of limiting the collection of personal information to data that is relevant and necessary to accomplish a specific purpose. NFTs offer a unique opportunity for the healthcare industry to work towards achieving the principles of data minimization.

If you have heard of NFTs, you have most likely seen pictures of kittens, apes, or some other “JPEG-like” image. Further, you may have seen that these images have sold for hundreds of thousands, or even millions of dollars. The easiest way to understand this phenomenon is that blockchain technology has introduced the idea of digital scarcity, and many participants in the market have assigned value to that digital scarcity. Whether or not these assets are overvalued or there is a bubble, it irrelevant for the purpose of this note.

What is relevant about NFTs, is that underneath the technological hood of their functionality, they represent, and store, a specific set of data in a specific location on a blockchain. NFTs are an efficient way to store data without infinitely copying it because although one may take a screenshot of an NFT, the underlying data remains with the true owner. Hang with me here because I want to briefly introduce another innovation in the healthcare industry and then bring this all together. This innovation is the idea of a digital twin.

A digital twin is essentially a set of data that is used to represent and function like the physical alternative. The physical alternative can be a company or even a person. For example, a grocery store may be able to set up a digital twin, where current inventory levels are stored in a dataset and update in real time. Thus, utilizing certain AI technology, the digital twin can learn to know when a specific item is running low on stock and be used to order more product. The healthcare industry has begun to adopt this powerful tool, and specifically, as we have discovered the ability to map human genomes, we have the possibility use the data of a person’s genome to create their digital twin. What does this mean? As Ghada Trobatas, the CMO at Siemen Healthineers writes, “A digital twin can be used to predict the outcome of specific procedures. It can provide assistance in determining the right therapy option for a specific patient. Or, if behavioral data and social determinants are also integrated, digital twins can help to better manage chronic diseases and population health.”

So, if health records, hospital systems, and human genomes can all theoretically be turned into a dataset and represented as a digital twin, there remains the possibility that these datasets can be programmed into and NFT and stored on a secure blockchain. If something as powerful as a human genome, with back-end AI that can help predict the likely outcome of certain procedures or the effects of certain medication can be stored on an NFT, the health law community has a lot of work to do to ensure that HIPAA, HITECH, and other healthcare data regulations are complied with, even updated to allow life-changing technologies to be implemented.

Works Cited:

https://gdpr.eu/what-is-gdpr/

https://medium.com/geekculture/digital-twin-ignition-of-nfts-evolution-eb8d647d80de

https://www.youtube.com/watch?v=R6hXmSK_32M

https://www.euruni.edu/blog/what-are-nfts-a-beginners-guide/

https://www.linkedin.com/pulse/digital-twin-healthcare-what-why-matters-ghada-trotabas/

https://dataprivacymanager.net/what-is-the-data-minimization-principle-benefits-and-importance/.

 

 

Maddie Gilmore, Class of 2023, Belmont Law.

Laurence F. Doud III, former head of Rochester Drug Co-Operative Inc., could very easily face life in prison for his role in conspiring to distribute controlled substances and defrauding the DEA. A Florida jury convicted Doud of one count of conspiracy to distribute controlled substances, carrying a mandatory minimum sentence of ten years, and one count of conspiracy to defraud the United States. Doud is scheduled to be sentenced on June 29, 2022.

Doud allegedly engaged in a variety of misconduct that contributed to the growing opioid epidemic in his role as CEO of Rochester. The U.S. Attorney Damian Williams said: “In a first of its kind prosecution, Laurence Doud was held responsible for conspiring with others in his company to ship massive amounts of dangerous and highly-addictive oxycodone and fentanyl to pharmacies that he knew were illegally dispensing those controlled substances to drug dealers and addicts.”

At the direction of Doud, the company supplied large quantities of oxycodone, fentanyl, and other dangerous opioids to pharmacy customers that its own compliance personnel determined were dispensing those drugs to individuals who had no legitimate medical need for them. Even after “red flags” of the targeted pharmacies were brought to Doud’s attention, the violation of federal narcotics laws continued. The targeted pharmacies, among other things, dispensed quantities of controlled substances in amounts consistently higher than accepted medical standards.

Instead of reporting such findings to the DEA, Doud directed the company’s compliance department not to report them, and instead to continue supplying those customers with dangerous controlled substances that the company knew were being dispensed and used for illicit purposes. This was the basis of the conspiracy charge.

The evidence presented that resulted in Doud’s conviction is an unambiguous example of drug company higher-ups taking advantage and seeking financial gain at the expense of the country and in the midst of an opioid crisis that people like Doud and companies like Rochester contributed to. Yet, defenders of Doud and others in the pharmaceutical industry have found the action against Doud excessive. They claim that by setting this precedent, the action will expose executives to liability and thereby deter companies from pursuing innovative medications. Indeed, some claim there is no basis for enforcing the DEA’s administrative requirements to individuals instead of companies as a whole.

Harry Nelson, founding partner at life sciences firm Nelson Hardiman LLP, said: “Drug distributors, like pharmacies and physicians, have been beaten into submission. I find the effort to paint Doud as a villain is over the top.”

These arguments are unfounded. This lawsuit, although the first of its kind, is not removing the liability shield that would normally fall on the company rather than the individual on mere whim to shift the responsibility. Rather, it is shifting responsibility based on the evidence. The individual, Doud, in this case is the proper target for the noncompliance of administrative regulations, because he in his individual capacity is responsible for much of the harm that occurred here. He directed Rochester to “supply tens of millions of oxycodone, fentanyl, and other dangerous opioids to pharmacy customers that its own compliance personnel determined, and reported to Doud, were dispensing those drugs to individuals who had no legitimate medical need for them,” according to the complaint. Furthermore, the arguments that this will deter ‘necessary opioid innovation research’ is also unsupported, as recognized by legal experts in the field.

The impact on research and development of drugs will not be impacted by Doud’s criminal sentence. Big pharma will not be deterred from continuing the race to discover and develop new marketable drugs. Neither will curing the way we prescribe them. Enforcing correct and medically appropriate prescribing of medications is not going to have any impact on research and development. Furthermore, it is already prescribed by law, so it is in the pharmaceutical industry’s best interest to ensure that patients are given access only to necessary medication and are taking those medications appropriately.

The “intentional malfeasance” committed by Doud is not simply the latest CEO taking the bullet for an industry created practice, but rather the appropriate recognition that, with power, comes responsibility. Doud would not have been able to cause the harm without using the corporate scheme as well as his authority to continue distributing addictive substances in mass amounts and in violation of the law.

Works Cited:

https://www.justice.gov/usao-sdny/pr/laurence-doud-former-ceo-pharmaceutical-distributor-convicted-conspiring-distribute’

https://news.bloomberglaw.com/health-law-and-business/ex-drug-ceos-criminal-trial-raises-stakes-for-opioid-producers

David Brust, Class of 2022, Belmont Law

In recent years, the call for price transparency for medical care has increased. People often go to the doctor for non-routine medical care with no idea what it could end up costing them. In response to this, Congress passed the No Surprises Act which “protects people covered under group and individual health plans from receiving surprise medical bills when they receive most emergency services, non-emergency services from out-of-network providers at in-network facilities, and services from out-of-network air ambulance service providers.” The Act also sets up an independent dispute resolution process for different kinds of disputes, including those for self-pay and uninsured patients who receive a final bill that is “substantially greater” (defined as $400) than the good faith estimate they received from the provider. Patients have 120 days to file a dispute.

The Act went into effect on January 1, 2022, and since then some providers have already voiced their concerns about staying in compliance with the Act. One of these groups is mental and behavioral health providers. Recently, a group of various mental and behavioral health providers sent a letter to the Secretary and the US Department of Health & Human Services asking for an exemption from the Good Faith Estimate requirement. The providers state that while they agree with the overall goal of the Act, the Good Faith Estimate (“GFE”) requirement places a unique burden on them. The Good Faith Estimate requirements mandates that medical professionals give patients a cost estimate that includes a diagnosis and “information about the length and costs involved in a typical course of treatment.” Mental and behavioral health providers state that they are already bound by professional ethics to be up front about the costs of treatment. However, the providers are concerned that the diagnosis requirement of the GFE will in turn limit the care of their patients. They claim that mental health is a continuum and a diagnosis can take time and eventually change due to various factors. Thus, they are concerned that by having to give a diagnosis on the GFE, a patient’s insurer may limit coverage only to the diagnosis given on the GFE despite the diagnosis changing over time. This could ultimately hurt the patient and keep the provider from fully treating a patient. Therefore, it will be interesting to see whether the exemption is granted.

Overall, the goal of the No Surprises Act is to provide patients with an estimate of the cost of their medical care in most situations. However, in the first month of the Act being in effect, some providers have begun to express concerns about how the Act will impact their ability to provide the best care they can. So far mental and behavioral health providers have asked for an exemption, and it is likely other groups of providers will follow. At this time, it is unclear whether these providers will be granted an exemption, however until that happens, they must comply with the law as it currently stands.

Works Cited:

https://www.cms.gov/newsroom/fact-sheets/no-surprises-understand-your-rights-against-surprise-medical-bills

https://www.fiercehealthcare.com/providers/mental-health-therapists-seek-exemption-part-law-ban-surprise-billing

https://www.apaservices.org/advocacy/no-surprises-act-letter.pdf

Will Brandt, Class of 2022, Belmont Law

After five years of work, the Office of the National Coordinator of Health (ONC) has released the Trusted Exchange Framework and Common Agreement (TEFCA). TEFCA is essentially a plan for an interoperability framework between healthcare information networks that was mandated by the Twenty First Century Cures Act of 2016. The purpose of this mandate was to create a network where patients have better access to their electronic healthcare information (EHI).

The problem that inspired TEFCA was that many hospital systems and medical providers use multiple different healthcare information networks (HINs) to store EHI. What this means for patients seeking access to their EHI unnecessary delays and expense when attempting to access their data. The promise of TEFCA was a network where HINs could become qualified HINs and the data that one HIN stores will be interoperable with other HINs. However, as Rebecca Pfifer points out in her article, The future of ONC’s interoperability framework hinges on adoption. But the agency — and industry — is optimistic, there is generally a lack of incentive for most HINs to participate in the ONC’s plane for healthcare information interoperability.

The primary issue is the business model that currently exists for HINs. HINs make money by storing EHI and providing access to that EHI to patients through medical providers. By winning the business of more healthcare providers and hospital systems, HINs gain more business and can make more money. By participating in TEFCA, an HIN, that becomes a qualified HIN, merely becomes qualified to share their business (stored EHI) with other businesses. Although the many revisions of TEFCA seem to provide a robust method of interoperability, the plan lacks any fundamental business incentive for HINs to participate. However, the industry is optimistic that adoption will come to fruition.

So, what is the value proposition of HINs to participate? Lee Barrett, CEO of EHR standards development organization EHNAC, supports the ONCs position that not participating will be a competitive disadvantage. He says, “The hope is that the more networks use it, the more its value proposition will be proved. Patients will inquire why their provider doesn’t have their data from other facilities, and the provider will then wonder why the exchanges it’s a participant in aren’t qualified to work with other networks.” Essentially, the argument supporting the notion that HINs will choose to participate is that patients seeking their EHI at an HIN who are not yet participating, will not only be aware of the option for HINs to participate, but will make the inquiry to their provider about why they don’t have access their healthcare date from another provider. Moreover, the argument is that these inquiries will put enough pressure on providers to switch to a qualified HIN, that providers will bear the cost and time that it takes to switch from a HIN to a qualified HIN. Will this bottom-up pressure be enough?

Works Cited:

https://www.fiercehealthcare.com/tech/hhs-hits-major-interoperability-milestone-as-tefca-goes-live-to-advance-health-data-sharing

https://www.healthcaredive.com/news/oncs-interoperability-framework-adoption-tefca/617391/

https://onlinemasters.ohio.edu/blog/health-information-systems/

David Brust, Class of 2022, Belmont Law

On January 10, 2022, the Biden Administration announced starting January 15, 2022, private insurance companies are required to cover eight at-home COVID-19 tests per month per individual. While an individual may have to pay up front for the tests, their insurer will be required to reimburse them if a claim is submitted. This rule was made pursuant to §6001 of the Families First Coronavirus Response Act and covers only the eight over the counter tests that are currently FDA approved. This new rule will help to ensure that Americans can afford to obtain an at-home test, so long as they are able to find one.

In the first nine days of insurers covering at-home tests, it has come to light that one major insurer of many at risks individuals is not included in the new rule. This insurer is Medicare.  Medicare is not permitted by law to pay for self-administered diagnostic tests such as rapid at-home COVID-19 tests. This is concerning as there are 62 million Medicare beneficiaries and older people who are considered more at risk if they catch COVID-19. However, if a Medicare beneficiary wants a free at-home test, they can find one a couple of ways. First, people covered by Medicare Advantage, which is more akin to traditional insurance, may have their over-the-counter test covered by their insurance. Additionally, Medicare covers one rapid antigen test or PCR test done by a lab per year. Once that test is exhausted or if the beneficiary does not want to see a doctor, the beneficiary can visit COVIDtests.gov and order a free at-home test. COVIDtests.gov was recently launched after the Biden Administration purchased 500 million at-home tests to deliver to Americans at their homes free of charge. Each individual is limited to four free tests per month. The administration hopes to purchase another 500 million tests. Lastly, Medicare beneficiaries can visit a local community health center or a Medicare-certified health clinic to obtain one of the 50 million tests the federal government has provided these facilities.

Overall, the new rule will give Americans greater access to at-home COVID-19 tests so long as the tests can be kept in stock. Additionally, every American and, most importantly, those who are uninsured or have traditional Medicare can still obtain free tests at COVIDtests.gov.

Works Cited:

https://www.dol.gov/sites/dolgov/files/EBSA/about-ebsa/our-activities/resource-center/faqs/aca-part-51.pdf

https://www.hhs.gov/about/news/2022/01/10/biden-harris-administration-requires-insurance-companies-group-health-plans-to-cover-cost-at-home-covid-19-tests-increasing-access-free-tests.html

https://www.npr.org/sections/health-shots/2022/01/24/1074964627/seniors-are-at-high-risk-of-covid-but-medicare-doesnt-pay-for-rapid-tests

Maddie Gilmore, Class of 2023, Belmont Law

On January 13^th, the Supreme Court stopped the Biden administration’s push to enact its policy of encouraging vaccine use through a mandate that would apply to 84.2 million employees to get vaccinated or “obtain a medical test each week at their own expense and on their own time and wear a mask each workday.”  While the Court is allowing the administration to continue to impose a vaccine requirement on most U.S. health care workers, the opinion is sharply worded to emphasize that this is outside the scope of OSHA’s domain and is unprecedented.

Some key aspects of the original mandate highlight that this was less about health and safety, and more about imposing the Biden administration’s executive policies. Health and safety, no doubt, are at play behind both the mandate and the administration’s policies, however the sweeping nature of the mandate is unprecedented, which is exactly how the Supreme Court in its recent opinion justified continuing delay of enforcement. Employees would face a choice, vaccines or weekly testing and masks. Arguably masks at work while most of the workforce is vaccinated and unmasked, serve as a mark of segregation as to certain political leanings. You might as well have to wear a sticker that indicates to co-workers your political feelings about the vaccine and the Biden administration’s policies. While it might not feel like a coercive choice to some, to others, it is a closely guarded and sincerely held belief.

Furthermore, the employers are duty-bound to enforce this requirement. The penalty on employers for failing to do so is up to $13,653 for a standard violation, and up to $136,532 for a willful one. 29 CFR §1903.15(d) (2021). The mandate preempts contrary state laws. Neither OSHA nor Congress has ever imposed a mandate this broad. To justify the mandate and avoid notice-and comment procedures, OSHA invoked its “emergency temporary standards.” Although the standards take immediate effect, they are only permissible if the Secretary shows (1) that employees are exposed to grave danger from exposure to substances or agents determined to be toxic or physically harmful or from new hazards,” and (2) that the “emergency standard is necessary to protect employees from such danger.” This has only been invoked by the agency nine times, and of the six times the standards were challenged in court, only one was upheld.

In addition to the mandate being so broad as to cover 84.2 million employees, the exceptions are limited to foreclose exempting workers who pose a significantly lower risk of transmission. For example, there is an exception for workers who work outside. However, the wording of the exceptions is too limited and only exempt outside workers if they spend 100 percent of their time outside. The Secretary has estimated, for example, that only nine percent of landscapers and groundskeepers qualify as working exclusively outside.

The combination of the controversial politics behind the mandate, the unprecedented and general scope of the authority claimed by OSHA to impose such a mandate, as well as the limited exceptions and broad reach of the mandate are all reasons cited by the Supreme Court in their finding that those challenging the mandate are extremely “likely to succeed on the merits of their claim that the Secretary lacked authority to impose the mandate.”

However, instead of resting its decision solely on precedent and politics, the Supreme Court in large part reasoned that the risks of COVID-19 are not a workplace-specific threat. The Court emphasized that OSHA’s responsibilities are limited to correcting overly hazardous workplace conditions and implementing protocols to combat health and safety dangers that specifically emanate from the workplace. What effect this will have on OSHA’s latitude in future cases remains to be seen. Creative administrative lawyers might use this as precedent to further constrain OSHA’s ability to implement certain unpopular health and safety protocols.

Works Cited:

https://www.supremecourt.gov/opinions/21pdf/21a244_hgci.pdf

https://apnews.com/article/supreme-court-vaccine-mandate-eb5899ae1fe5b62b6f4d51f54a3cd375?utm_campaign=SocialFlow&utm_medium=AP&utm_source=Twitter