Doctors Wary of New Health IT

The Washington Post recently featured Lena Sun’s reporting on why many physicians are wary of adopting an electronic medical records system.  As noted in the piece,

Many are aware that beginning this year, health-care professionals who effectively use electronic records can each receive up to $44,000 over five years through Medicare or up to $63,750 over six years through Medicaid.  But to qualify, doctors must meet a host of strict criteria, including regularly using computerized records to log diagnoses and visits, ordering prescriptions and monitoring for drug interactions. And starting in 2015, those who aren’t digital risk having their Medicare reimbursements cut.

Deven McGraw, director of the health privacy project at the Center for Democracy & Technology, complains that, despite all these requirements, patient confidentiality concerns are being neglected:

But no federal regulations clearly require that doctors turn the data encryption on or prevent those who don’t do so from getting paid. . . . “This is a point of frustration,” said McGraw, who sits on an advisory group that sought unsuccessfully to prevent those who violate privacy regulations of the federal Health Insurance Portability and Accountability Act, or HIPAA, from getting incentive money.

Some older doctors may find it easier to retire than to get on board with new EMR systems.  We frequently hear complaints about Luddite doctors resisting technology that has long been adopted by other sectors.   But, as one commentator recently insisted, a doctor is not a bank.  To get a sense of how frustrated doctors can become because of the new health IT (and the legal contracts that accompany it), check out this parody website for the faux firm Extormity.  It announces a memorable experience for doctor clients/conscripts:

At the confluence of extortion and conformity lies Extormity, the electronic health records mega-corporation dedicated to offering highly proprietary, difficult to customize and prohibitively expensive healthcare IT solutions. Our flagship product, the Extormity EMR Software Suite, was recently voted “Most Complex” by readers of a leading healthcare industry publication.

I loved this description of a firm committed to maximizing the value of it’s intellectual property:

The Extormity EMR Software Suite is built on a proprietary software model renowned for its complexity. This proprietary platform and all of its components must be procured and implemented as a complete package we call the Extormity BundleTM (which describes both our comprehensive package and its associated cost).

Operating the Extormity Bundle requires a phalanx of servers, which of course need to be replicated for redundancy. Fortunately, Extormity acts as a value-added reseller of these servers, which we pre-load with operating software. This allows us to mark-up the cost of the servers and charge for server configuration. In addition, the server software carries with it steep annual license fees.

Let’s hope the ONC’s ongoing regulatory process can help reduce the risk of Extormity-style raw deals for doctors. Given the recent flap over the FDA’s effective imprimatur for an extreme drug price increase, no DC agency should set in motion a process that could lead to prohibitively expensive fees for an essential aspect of health care.

X-Posted: Health Law Prof Blog.

The Limits of Disclosure as a Response to Finanacial Conflicts of Interest in Clinical Research

Seton Hall University School of Law’s Center for Health & Pharmaceutical Law & Policy has issued a White Paper, “The Limits of Disclosure as a Response to Financial Conflicts of Interest in Clinical Research,” in which the Center agrees that public policy should encourage researchers and institutions to make information about their financial relationships with industry available to the public, but-contrary to many other commentators’ recommendations- concludes that disclosure of financial information should not routinely be required as part of the informed consent process.

While reiterating the Center’s prior recommendations for direct measures to eliminate, reduce, and manage problematic financial relationships in clinical research, the Center notes that, despite “the importance of transparency as an ethical value, incorporating financial issues into the informed consent process would provide few, if any benefits to research subjects and could in fact cause significant harms.”

The Center notes the problem of “information overload,” as clinical research informed consent documents have already become “long and complex, thereby confusing and overwhelming potential research participants,” and evidence indicates that “participants are often unable to sift through the morass of information to tease out the content they find salient or material.” In addition, qualitative studies have shown that “brief concise statements about financial interest within informed consent documents were rarely understood, and sometimes only served to confuse potential participants.

The Center concludes that, if a conflict of interest is so serious that its disclosure would lead a reasonable person to refuse to participate in a study, the proper remedy is to eliminate the conflict. It is therefore essential to ensure that information about financial interests is made available to institutional review boards (IRBs) and conflicts of interest committees, so that they can ensure that any problematic conflicts are eliminated before a study begins.

The Center notes that its conclusion that financial conflicts of interest should not be routinely disclosed as part of the informed consent process is not inconsistent with the California Supreme Court’s decision in Moore v. Regents of the University of California.

While Moore creates the possibility that, in the right set of circumstances, a physician’s failure to disclose research-related financial interests could give rise to liability, it does not mean that any and all financial relationships with industry must necessarily be disclosed. Rather, as in any informed consent claim, liability would depend on the plaintiff’s ability to establish the element of causation–i.e., that, if the omitted information had been disclosed, a reasonable person in the plaintiff’s position would not have consented to the procedure. As explained above, under the Center’s proposed framework, any conflict serious enough to affect a reasonable person’s decision about enrollment would already have been eliminated before the research began.

“The Limits of Disclosure as a Response to Financial Conflicts of Interest in Clinical Research” may be found at http://law.shu.edu/HealthLawPublications.

Seton Hall Law School’s Center for Health & Pharmaceutical Law & Policy is a think tank that fosters dialogue, scholarship, and policy solutions to critical issues in health and pharmaceutical law. As part of its mission, it convenes policymakers, consumer advocates, the medical profession, industry, and government in the search for concrete solutions to the ethical, legal, and social questions presented in the health and pharmaceutical arenas. The Center also runs a compliance training program covering the state and federal laws governing the development and marketing of drugs and medical devices.

HHS OIG Notifies Drug Manufacturers of New Enforcement Initiative for Price Reporting Requirements

On September 28, the Office of the Inspector General (”OIG”) released a Special Advisory Bulletin regarding a new enforcement initiative regarding the timely submission of certain pharmaceutical data.  Manufacturers will face civil money penalties (CMP) for failing to comply with reporting requirements.

The Center for Medicare & Medicaid Services (”CMS”) relies on the timely reporting of average manufacturer prices (”AMPs”) and average sales prices (”ASPs”) for the implementation of four different programs: the Medicaid Drug Rebate Program, the 340B Drug Pricing Program (340B Program), the Federal Upper Limit (FUL) Program, and the Medicare Part B outpatient prescription drug benefit.

Under the Medicaid Drug Rebate Program, CMS uses AMPs to calculate the rebates owed to state Medicaid programs.  The 340B Program, which requires manufacturers to sell their prescription drugs to certain safety net health care providers at or below specified prices, also uses AMPs to establish price ceilings.  Medicaid’s FUL Program uses AMPs to act as a prudent buyer of multiple-source drugs.  Finally, the Medicare Part B outpatient drug benefit relies on ASPs to establish Part-B covered drug and biologic payment amounts.

Timely and accurate price reporting is important to the effective and efficient administration of the Medicaid Drug Rebate Program, the 340B Program, the FUL Program, and the Medicare Part B drug benefit.   Manufactures are required to report and certify timely and accurate drug pricing information, including AMPs on a monthly and quarterly basis and ASPs on a quarterly basis.

However, multiple reviews of historical reporting by OIG have demonstrated that voluntary compliance has not been fully effective.  For instance:

• The February 2008 report, “Average Sales Prices: Manufacturer Reporting and CMS Oversight,” found that, “between 41 and 52 percent of manufacturers provided ASPs after the statutorily defined due date.”
• The OIG report, “Drug Manufacturers’ Noncompliance With Average Manufacturer Price Reporting Requirements,” released the same day as the Special Advisory Bulletin, determined that during 2008:
  • 53 percent of the 592 manufacturers that were required to submit quarterly AMP reports failed to provide pricing data by the statutorily defined due date.
  • 78 percent of the 579 manufacturers that were required to submit monthly AMP reports failed to provide pricing data by the statutorily defined due date.

Moving forward, OIG will work with CMS to “identify and penalize noncompliant manufacturers through the CMP process.”  Upon a report from CMS that a manufacturer has not submitted a timely report of product pricing information, OIG will exert its authority to impose CMPs of $10,000 per day upon the manufacturer in an effort to improve compliance.

Reform Rodeo: PPACA Provisions Go Live; Victor Fuchs; Physicals; Google Health

1. PPACA News: Kaiser Health News reports on the health care overhaul changes that are occurring this week, including eliminating copays for preventive services and allowing children to stay on their parents’ health plans until 26 years of age.

2. Quality not Quantity: Famed health care economist Victor Fuchs discusses the importance that health care must place on increasing the quality of life as opposed to increasing longevity.

2b. On the Health Care Blog, Matthew Holt interviews Fuchs. Maggie Mahar provides extended commentary.

3. Examining the Exam: NPR has a piece on technology’s role in the fading art of the physical examination.

4. Google Health’s Health: On the Health Care Blog, John Moore of Chilimark Research discusses a recent meeting he had with Google about the future of their once promising but recently stagnant cloud-based EHR system.

5. Mark Your Calendars: Health Affairs announces an October 5th event they will be hosting in Washington D.C. which look at comparative effectiveness research.

Podcast: Gibbons Institute Hosts Panel on Pay for Delay in Hatch-Waxman Patent Litigation

Seton Hall Law’s Gibbons Institute of Law, Science & Technology and the New Jersey Intellectual Property Law Association presented a panel discussion entitled, “Pay for Delay: Views from the FTC, Industry and Legal Economists on Reverse Payment Settlements in Hatch-Waxman Patent Litigation.”

The pay for delay debate essentially rests on two competing public interests: scientific innovation and access to medicines.  Reverse settlements, which are sometimes referred to as “pay for delay,” involve the practice of name-brand pharmaceutical companies paying would-be generic competitors to delay the entry into the market of a particular generic drug. The Federal Trade Commission and the Department of Justice decry the practice because they claim it results in higher prices for consumers who do not have access to cheaper generics. Many in the brand-name pharmaceutical industry defend the practice because, they argue, extending the patent exclusivity period of an innovator drug better allows innovator companies to improve their return on investment and thus underwrite further research and innovation.

Panelists included Michael Kades, Attorney Advisor, Federal Trade Commission; Charles A. Gallia, Counsel, Gibbons P.C.; Anastasia Winslow, Assistant General Counsel, Bristol-Myers Squibb; and David Opderbeck, Associate Professor of Law and Director, Gibbons Institute of Law, Science & Technology. You can listen to their discussion here.

Hatch-Waxman “Pay for Delay Audio

Revised Horizontal Merger Guidelines issued by FTC and DOJ

On August 19, the Federal Trade Commission (”FTC”) and Department of Justice (”DOJ”) issued revised Horizontal Merger Guidelines (”guidelines”).  First adopted in 1968 and revised in 1992, the guidelines are an outline of the primary “analytical techniques, practices and enforcement policies” used to evaluate mergers and acquisitions of actual or potential competitors under federal antitrust laws, including Section 7 of the Clayton Act, 15 U.S.C. § 18, Sections 1 and 2 of the Sherman Act, 15 U.S.C. §§ 1, 2, and Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45.

As the first major revision in 18 years, the FTC and DOJ assert that the guidelines are not a change in policy, but a clarification of the merger review process.  In 2006, both agencies issued “Commentary on the Horizontal Merger Guidelines,” the first step towards the refinement of the guidelines.  The agencies jointly announced the project in September 2009.  They posed a number of questions for public comment and conducted a series of workshops this past winter.  As a result, 51 parties provided comments for the revisions.  The agencies further considered 31 written comments to the proposed revisions issued on April 20.

According to the FTC Press Release, the guidelines are primarily aimed to “help the agencies identify and challenge competitively harmful mergers while avoiding unnecessary interference with mergers that are either competitively beneficial or likely will have no competitive impact on the marketplace.” In addition, the guidelines are intended to assist private parties, courts and antitrust practitioners.  Representatives of both agencies had the following to say:

“Because of the hard work of all involved at both agencies, private parties and judges will be better equipped to understand how the agencies evaluate deals. That improvement in clarity and predictability will benefit everyone,” said FTC Chairman Jon Leibowitz…

“The revised guidelines better reflect the agencies’ actual practices,” said Christine Varney, Assistant Attorney General in charge of the Department of Justice’s Antitrust Division. “The guidelines provide more clarity and transparency, and will provide businesses with an even greater understanding of how we review transactions.”

What Has Changed?

According to the FTC Press Release, the guidelines do the following:

• Clarify that merger analysis does not use a single methodology, but is a fact-specific process through which the agencies use a variety of tools to analyze the evidence to determine whether a merger may substantially lessen competition.
• Introduce a new section on “Evidence of Adverse Competitive Effects.” This section discusses several categories and sources of evidence that the agencies, in their experience, have found informative in predicting the likely competitive effects of mergers.
• Explain that market definition is not an end itself or a necessary starting point of merger analysis, and market concentration is a tool that is useful to the extent it illuminates the merger’s likely competitive effects.
• Provide an updated explanation of the hypothetical monopolist test used to define relevant antitrust markets and how the agencies implement that test in practice.
• Update the concentration thresholds that determine whether a transaction warrants further scrutiny by the agencies.
• Provide an expanded discussion of how the agencies evaluate unilateral competitive effects, including effects on innovation.
• Provide an updated section on coordinated effects. The guidelines clarify that coordinated effects, like unilateral effects, include conduct not otherwise condemned by the antitrust laws.
• Provide a simplified discussion of how the agencies evaluate whether entry into the relevant market is so easy that a merger is not likely to enhance market power.
• Add new sections on powerful buyers, mergers between competing buyers, and partial acquisitions.

Analysis by private parties is mixed.  Constantine Cannon LLP writes that the guidelines “reflect a more tolerant approach to mergers, stressing the need to ‘avoid unnecessary interference with . . . competitively beneficial’ mergers.”   In support, Constantine Cannon cites the increased Herfindahl-Hirschman Index (”HHI”) thresholds and statements clarifying that coordination can be legal.

On the other hand, Weil Gotshal writes that the guidelines “appear to provide the agencies with more tools… [and] offer less predictability regarding which analytical methodology will be applied.”  Of primary concern is the decreased emphasis on market definition and increased emphasis on a fact-specific process with a variety of analytical tools.  Revised definitions may create narrower relevant markets which will negate any benefits of higher HHI thresholds.  The newly enumerated categories of evidence may lead to broader document requests and longer investigations.  In providing many alternative techniques and theories, the agency has provided “few true guidelines to assist parties considering a transaction.”

Criticism From Within the Commission

Commissioner J. Thomas Rosch issued a separate concurring statement, in which he “acknowledged” flaws in the guidelines.  According to Commissioner Rosch, the following substantial changes since the 1992 revisions are not reflected in the new guidelines:

First, the Commission is increasingly challenging mergers in preliminary injunction and administrative (Part 3) proceedings…   Second, economic theories embedded in the 1992 Guidelines emphasized price effects almost exclusively. Increasingly, the Agencies and courts have considered nonprice effects, like effects on quality, variety, and innovation, to be no less important. Third, for a variety of reasons, many, if not most, courts have relied on empirical evidence instead of economic evidence, and have considered economic evidence as corroborative of that empirical evidence, if they have considered it at all…  As previously discussed, that in turn has led the staff reviewing mergers ex ante to devote more attention to the empirical evidence that can be presented and defended at trial.

As a result, Commissioner Rosch believes the guidelines do not reflect the way staff at the FTC conduct ex ante merger reviews or the information courts should be told about merger analysis.

According to Commissioner Rosch, the guidelines possess the following additional flaws:

• Stakeholder perspectives were considered unequally. As a result, the guidelines overemphasize “economic formulae and models based on price theory.” Commissioner Rosch credits the large influence of the defense bar, academics, and other kindred souls and at least one private meeting held with the leadership of the ABA Antitrust Section.
• The economic theories of the revised guidelines are improperly based wholly or partially on margins (prices minus incremental costs). Although the draft guidelines acknowledge in two footnotes that “high margins are not in themselves of antitrust concern,” Section 4.1.3 discusses the role of margins in critical loss analysis and as an indication of the sensitivity of demand to price.
• The guidelines say little about non-price competitive effects (ie., how a transaction affects quality, service innovation, and product variety). See page 2 of the guidelines, “[f]or simplicity of exposition, these Guidelines generally discuss the analysis in terms of… price effects.”
• The guidelines fail to offer a clear framework for analyzing non-price considerations. Commissioner Rosch supports this claim with four non-exhaustive illustrations of guideline deficiencies.

Commissioner Rosch’s statement raises many questions about the future of the guidelines.  Are the revised guidelines an accurate statement of current practices?  Will the issuance of the guidelines lead to a greater number of enforcement actions?  How will courts square this administrative document with prior merger and acquisition case law?  Only time will tell.

An ERISA Defense Conference with Nine “Renowned Federal Judges”

On Health Reform Watch we’ve written quite a bit about transparency, accountability and gifts as it regards Pharma and Physicians. I saw this today on Illness and Insurance Hell, a rather wide ranging and interesting blog devoted to procuring assistance to a spouse with multiple sclerosis. The author takes a macro view, however, and this wound up in her web: A conference held, it seems, yearly now, in October:

“ERISA LITIGATION: Expert defense strategies for leading outside counsel and in-house counsel on litigating today’s key issues involving benefit plans and fiduciaries”

For those of you who don’t know, ERISA stands for the Employee Retirement Income Security Act of 1974. (Pub.L. 93-406, 88 Stat. 829, enacted September 2, 1974. Erisa is a

federal statute that establishes minimum standards for pension plans in private industry and provides for extensive rules on the federal income tax effects of transactions associated with employee benefit plans. ERISA was enacted to protect the interests of employee benefit plan participants and their beneficiaries by requiring the disclosure to them of financial and other information concerning the plan; by establishing standards of conduct for plan fiduciaries; and by providing for appropriate remedies and access to the federal courts.

There can be major implications for worker benefits, including  health care benefits, in cases brought against employers under ERISA. It is a complex area of law, to say the least. And it is entirely understandable that those charged with the oversight of such plans, should want to meet to discuss how best to discharge their complex duties; how best to comport themselves in a manner in accord and compliance with law; how best, as is their duty if they are attorneys, to zealously represent their clients.

The conference provides a veritable smorgasbord of effective strategies and interesting panels presented by what seems  to be a truly stellar faculty of practitioners:

Senior in-house counsel, top outside defense litigators and renowned

jurists will provide you with winning strategies and practical information on:

• Preventing improper parties from being named as defendants and identifying available remedies

under §502(a)

• Using the claims review process to set up, control and strengthen the defense
• Effective strategies to strengthen the administrative record and memorialize the decision-making

process

• Addressing evidence outside the administrative record, standards of review, conflicts of interest

& discovery once a suit is filed

• The newest theories of liability in 401(k) fee cases and what to do when your plan discovers it has

paid unknown fees

• Defending against stock drop suits and other defined contribution plan claims
• Tibble v. Edison: the trial, theories of the defense, selection of experts, and other practical insights
• ERISA fiduciary litigation: The newest plaintiffs’ liability theories, substantive defenses and trends

in defense pleadings and motions

• How to structure your fiduciary’s role to minimize risk
• Underwriting of fiduciary liability insurance and strategic ideas for litigating and settling cases

when a fiduciary (and their insurance plan) is involved

• Judicial communication: Explaining plan documents and ERISA nuances to the court
• New areas of liability as a result of healthcare reform
• ERISA preemption - the procedural and substantive aspects of the defense
• Defending against age-based and other “recessionary economy” ERISA claims: Cash balance plans,

early retirement, reductions in force, multi-employer plan funding and beyond

If you’re a law geek (I am), a legal practitioner in this area of the law, a representative of an insurer, or a member of a corporation bound by these laws, this conference looks absolutely fascinating (click here, for an overview, download pdf for the full view). And I have no doubt that attendance will be rewarded with a great deal of newly acquired knowledge and an important grasp of methodology. But the faculty also includes nine “renowned federal judges,” who “will help you convey ERISA complexities to a court.”

Having had the benefit of a legal education, I have some idea of the complexity of the matter at hand ( a quick look here will give you some idea as well)  and can fully understand how judges would want to educate practitioners defending claims so as to better execute and expedite the process.  A case, court system or retirement plan riddled with ignorance is in no one’s best interest. And a knowledge of the law enables compliance with the law.

But I would suggest, humbly, that it just doesn’t look good.  It is, after all, a conference designed to “defend against” ERISA claims. I would be at least somewhat surprised if these federal judges were speaking at a conference for impoverished workers who were deprived of their retirement benefits. If am wrong, I am gladly so. And one could make the case that the many federal judges who teach as adjuncts at law schools across the United States are doing just that–taking time out of an arduous schedule to teach law, compliance and process to what will be both defense and prosecution– because we all benefit from an effective legal system. But this conference seems a bit more–or less– than that; at least in the eyes of smart non-lawyers like the author of Illness and Insurance Hell. To her it just looks like “the fix is in.” Like Big Money is courting the Law and those inviolable robes, the buttresses of justice, have shown a slip. I have a great deal more faith in the Law than that. I capitalize the word without apology. And I have no doubt that this is just a matter of appearances–and that appearances can be misleading. But despite my efforts here, I really don’t think she, who has struggled in the legal system against an insurer to get medical help for her very sick husband, and people like her, will believe me. Or the judges. And that’s a problem.

Everybody in the Pool — High Risk That Is

By Labinot A. Berlajolli

Individuals with pre-existing medical conditions may now begin applying for the Pre-Existing Condition Insurance Plan. Under the recently passed health care law (PPACA), the government set aside $5 billion to fund the plan from July 1, 2010 through Jan 1, 2014. Money is expected to be allocated based on each state’s population as well as its costs. Although, HHS officials said they might shift funding among states if the new $5 billion program to cover the uninsured runs out more quickly in some states than in others.

To qualify for coverage, individuals must be U.S. citizens or legal residents, have been denied coverage because of a preexisting medical condition, and have been uninsured for the past six months.  Administration officials said people who apply by July 15 will begin receiving coverage by Aug. 1.   States were required to let HHS know by April 30 whether they wanted to use federal grant money to set up a high-risk pool.  As of now, 21 states have chosen to join the federal run pools and 29 states and the District of Columbia have chosen to go it alone.  The 21 states that have chosen to opt into the federal plan are: Alabama, Arizona, Delaware, Florida, Georgia, Hawaii, Idaho, Indiana, Kentucky, Louisiana, Massachusetts, Minnesota, Mississippi, Nebraska, Nevada, North Dakota, South Carolina, Tennessee, Texas, Virginia, and Wyoming.  Several of the largest states operating their own plans, including California, Illinois and New York, are not expected to begin enrollment until August. The administration expects that all states will begin enrolling people by the end of the summer.

Joining the plan will not be cheap. The Los Angeles Times reports that premiums, as well as benefits, are expected to vary greatly from state to state, with some plans charging as little as $140 a month and some as much as $900 a month. Independent experts, on the other hand, estimate premiums will average around $400 to $600 a month.

However, serious questions remain about the new risk pools.  Specifically, whether the $5 billion allocated will be enough. Many experts expect the $5 billion to run out well before 2014 because of high demand. The Centers for Medicare and Medicaid Services has estimated that the $5 billion will last for only two years. The Congressional Budget Office has estimated that the funding is not enough to cover all eligible participants, and that the administration will have to limit enrollment to only 200,000 people through 2013, though there are roughly 12.6 million with pre-existing conditions, according to the Miami Herald.   Others who advise Congress and the administration have warned the funds could be exhausted as early as the end of 2011.

Those interested in applying for the high-risk pools may visit the newly launched website, healthcare.gov, for more information and instructions on how to apply.

Petro-spills, Public Health, and Trade Secrecy

Is BP (and the government) performing an unauthorized experiment on public health and the environment? That’s the unsettling conclusion one might draw, given the use of dispersants in the Gulf.

As Tom Dickinson’s excellent Rolling Stone article describes the issue,

On May 14th, two days after the first video of the gusher was released, the government allowed BP to apply a toxic dispersant that is banned in England at the source of the leak – an unprecedented practice in the deep ocean. “The effort should be in recovering the oil, not making it more difficult to recover by dispersing it,” says Sylvia Earle, a famed oceanographer and former NOAA chief scientist who helped the agency confront the world’s worst-ever oil spill in the Persian Gulf after the first Iraq War. The chemical assault appeared geared, she says, “to improving the appearance of the problem rather than solving the problem.”

Now we are learning that the some of the dispersants had “no toxicity studies” done to support their use, and we cannot even find out what is in them:
Read more

Bad Ads and Doctor Deputies

Earlier this month, the FDA launched a new initiative — the Bad Ad Program — to “help health care providers recognize misleading prescription drug promotion and provide them with an easy way to report this activity to the agency.”  In an article appearing earlier this week in Advertising Age, advertising executives and others decry the program as a “publicity stunt” with the potential to lead to physician “vigilantism” and to become “unbridled and messy.”  Also quoted in the article is PhRMA Senior Vice President Ken Johnson, who states that PhRMA views the Bad Ad Program as “another step to help educate — and receive feedback from — healthcare providers about prescription drug advertising and promotion.”  The Advertising Age article, correctly I think, characterizes this statement as offering only “tepid support.”

There appear to be two central criticisms of the Bad Ad Program: (1) that it is not as low-cost as it seems because it will take up physicians’ time and create more work for the FDA’s already overburdened Division of Drug Marketing, Advertising, and Communications (DDMAC) and (2) that it will be an ineffective compliance tool either because doctors cannot tell the difference between compliant and noncompliant advertising or because doctors will “go on personal jihads on ads they don’t like - ads that very well might be in perfect compliance.”

Both concerns seem overblown.  Doctors do not have to participate if they do not have the time or inclination — it seems likely that most will not — and pharmaceutical companies have been reporting each other’s marketing abuses to DDMAC for years, so the Division has experience sifting through more and less credible information.  Doctors may well have difficulty discerning which ads are compliant and which are not — see, e.g., this study revealing that doctors could not accurately identify the FDA-approval status of a significant percentage of the drugs they prescribe — but this is not an argument against the FDA’s effort to educate them.

The bottom line is that while pharmaceutical companies track what happens in physician offices in multiple ways, including through sales rep call notes and sales message recall studies, they do not, at least not consistently and/or voluntarily, use the information gathered in service of compliance, as opposed to sales, goals.  In the words of Arnie Friede, to the extent that the FDA’s Bad Ad Program creates “an additional incentive for a company to closely monitor and control communications by their sales people” it is “an understandable, perhaps even brilliant move.”

HIPAA, The HITECH Act, and How Google May Still Be Able to Distribute, and Profit From, Your Personal Health Info

Below I will explore what seems to be a gaping hole in the HITECH Act. However, as with any new legislation, it is often necessary to reexamine the laws that preceded it, which in this case is HIPAA.  This is particularly true given that the HITECH Act does not replace HIPAA. Rather, it provides–amongst other things–additional security and privacy safeguards with respect to health information. To that extent,  at least a cursory reexamination of HIPAA is required before understanding HITECH and the importance of comprehensive legislation.

HIPAA was a product of the 1990’s–an era triggering nostalgic memories of grunge music  for some, and the (in)famous Macarena dance for others. For a large part of this period, the Internet was accessed by a handful of tech savvy individuals who dialed into services like CompuServ, Prodigy, and AOL.  It was during this transition that Congress felt the need to make health insurance more portable, as well as standardize the variegated electronic systems that were conducting nonstandard healthcare-related transactions. There was a concomitant concern that health information needed better protection. Thus, in 1996 Congress adopted the Health Insurance Portability and Accountability Act (HIPAA), providing HHS with the responsibility to enforce it. However, the regulation enforcing privacy and security of health information would not be implemented until years later.

HIPAA’s Privacy Rule, which describes the appropriate use and disclosure of certain health information, came into force on April 14th, 2001, updated in 2002, with compliance required by April of 2003. The Security Rule, which establishes the policies and best practices for securing health information, came into force in 2003. Thus, the Privacy and Security Rules (referred to below as HIPAA) came to life in a period of technological transition. New technologies like residential broadband Internet access and Wi-Fi networks were becoming the norm. Electronic Health Record (EHR) systems had been developed, but had only marginal penetration within certain academic medical centers and government entities. Consequently, the threats to patient privacy from early EHRs was much smaller than it is today, since these systems were not widespread and did not often share data over disparate regions. Thus, access to the systems was not necessarily available outside of the intranets where the servers were located.

Acronyms of HIPAA & HITECH

Acronym	Phrase	General Definition (see 160.103 for regulatory language)
PHI	Protected Health Information	Any oral or recorded information relating to any past, present, or future physical or mental health of an individual, provision of healthcare to the individual, or the payment for the healthcare of that individual.
CE	Covered Entity	A group of entities whose use, disclosure, and protection of PHI is regulated by HIPAA and HITECH. CEs are comprised of: 1) Health care provider (e.g. physicians) that submit transactions electronically. 2) Health care plans (e.g. HMOs) 3) Health care clearinghouses (which are public or private entities, including a billing service, repricing company, community health management information system, etc… that processes or facilitates the processing of health information received from another entity in nonstandard form into standard form, or from standard form to non-standard form.
BA	Business Associate	Individuals or organizations performing an activity involving the use or disclosure of PHI on behalf of the CE. BAs can include attorneys, accountants, shredding companies, billing companies, or any other person or organization that is not a CE but which is accessing a CE’s PHI.
EHR	Electronic Health Record	An electronic record of patient care comprised of information about the delivery of care, including demographic information, medications, diagnoses, etc.
PHR	Personal Health Record	An electronic record of patient care comprised of much of the same information that an EHR is comprised of, but which is created and maintained by the individual (usually a patient) as opposed to a provider. Prominent examples are Google Health and Microsoft HealthVault

d

Given the historical context of HIPAA’s passage, it is easy to appreciate HIPAA’s missteps in not specifically  focusing on EHRs or PHRs.  Rather, HIPAA regulates protected health information at a broader level, focusing primarily on the “use and disclosure” of PHI by CEs, and the best practices and policies for securing the PHI itself.   To be fair, the Security Rule does focus on PHI that is stored and transmitted electronically. However, even the most stringent best practices and policies are useless if the corresponding privacy regulations are inadequate.

But the times they are a-changin’–sort of.

Buried on page 112 of the American Recovery and Reinvestment Act (ARRA)–also known as the Stimulus Bill–is Title VIII of the bill, known as the Health Information Technology for Economic and Clinical Health Act, or more commonly, the HITECH Act. One (of the many) purposes of the HITECH Act is to fill in the gaps that have emerged since the Privacy and Security rules came into force.  But like before, we are in a transition period. Whereas HIPAA’s passage coincided with a period of generalized transition towards digital information, HITECH has coincided with its own transition: the implementation of personal health records (PHRs). Unfortunately, the current HITECH Bill and regulations have serious flaws in how they protect patient information stored in PHRs. However, before discussing the problems, it is only fair to discuss the benefits to privacy and security that HITECH’s passage has provided.

Specifically, HITECH introduces breach notification requirements. HITECH’s provisions govern the procedures which CEs and BAs must follow if health information has been compromised. HITECH also empowers the FTC to promulgate regulations pertaining to the notification procedures of PHR vendors (as well as those who offer services to PHR vendors). The FTC’s proposed breach notification requirements can be found here. Thus, CEs, BAs, and PHR vendors are, for the first time, required by law to notify individuals if their unsecured PHI has been accessed by unauthorized individuals.  Surprisingly, this was not required under HIPAA. CEs were obligated to notify individuals only insofar as the CEs were required by HIPAA to mitigate damages. But now, with the passage of HITECH, breach notification is no longer amorphous, but is spelled out in detail in HITECH’s regulations.

Additionally, HITECH requires BAs to abide by many of the same privacy and security requirements that CEs have had to abide by. Before HITECH, a BA, such as an attorney reviewing the PHI of a CE, was required to sign an agreement promising to protect the PHI that they were accessing, but were not themselves regulated by HIPAA. Thus, BAs had only contractual liability to the CE if the BA violated the rules of the agreement. On the other hand, if a CE violated HIPAA, it was subject to specific penalties and fines by the government.

Under HITECH, BAs must now comply with much of the Privacy and Security Rule, and face many of the same penalties and fines if they violate HIPAA regulations. That is, BAs are now accountable to the government if they improperly use or disclose PHI, or fail to adequately secure PHI.

HITECH also offers other benefits, such as increased enforcement of violations, a strengthening of the requirement that only the minimum necessary information is disclosed to other CEs or BAs, a more thorough framework of accounting for uses and disclosures, as well as a certain prohibitions on the sale of PHI.

The last benefit of HITECH–the prohibition on the sale of PHI–is a perfect springboard for discussing the potential pitfalls of HITECH. The benefits of HITECH may well be sufficient to shore up HIPAA’s gaps when it comes to regulating CEs and BAs. However, as HITECH’s regulatory language makes clear, there remains a gaping hole:

(d) Prohibition on Sale of Electronic Health Records or Protected Health Information-

(1) IN GENERAL- Except as provided in paragraph (2), a covered entity or business associate shall not directly or indirectly receive remuneration in exchange for any protected health information of an individual unless the covered entity obtained from the individual, in accordance with section 164.508 of title 45, Code of Federal Regulations, a valid authorization

The emphasis is added to underscore that PHRs are not included in this provision. There is no corresponding provisions in the FTC’s proposed regulations which concern breach notification. The upshot of this is that, as of the date of this posting, PHR services like Google Health and Microsoft HealthVault are not subject to this prohibition, nor is there a provision in HITECH mandating that PHRs comply with HIPAA’s Privacy and Security Rule. Therefore, PHR vendors can use, disclose–and possibly even sell–an individual’s health information outside of the HIPAA and HITECH regulations. This problem underscores a larger issue: PHRs are not regulated by HIPAA, and only regulated by HITECH insofar as the FTC’s interim rule requires certain breach notification procedures. Read more