The Food and Drug Administration (FDA) has announced several new initiatives that reflect its ongoing commitment to maintain patient safety, while also championing the need and opportunity for health care innovation.

During opening day of Health Datapalooza, FDA Commissioner Scott Gottlieb highlighted the critical import of novel digital health tools in achieving patient-centered care, and outlined how the agency is committed to moving the ball forward in health care innovation through the following initiatives:

  1. Multi-Function Device Draft Guidance. FDA’s new draft guidance, “Multiple Function Device Products: Policy and Considerations,” explains the FDA’s regulatory approach to multi-function digital health devices—where some functionalities fall under the FDA’s definition of a medical device, and other functionalities do not. The guidance, mandated by the 21st Century Cures Act, provides examples in which the FDA will review certain functional software capabilities in a medical device. Consistent with previous guidance and risk-based frameworks from the FDA, the agency’s enforcement focus will be on medical device functions that diagnose and treat patients. For example, data analysis will be considered a device function for which the FDA would enforce compliance, but data tracking and trending will not.
  2. Software Precertification Pilot Program Expansion and “Pre-Cert 1.0” Roll-Out. Gottlieb outlined three updates to the Software Pre-Cert Pilot Program, originally announced last Fall. The FDA will hold a “user session” on May 10, 2018 to discuss the agency’s general progress on the pilot program, and to conduct an in-depth discussion of the three updates:
    • Draft Working Model – An initial framework and vision which outlines the program’s key components: Excellence Appraisal and Determining Precertification Level, Review Pathway Determination, Streamlined Premarket Review Process, and Monitoring Real-world Performance.
    • Challenge Questions – Key questions about various components of the Pre-Cert program for stakeholders to consider with regard to the areas outlined in the Draft Working Model.
    • Roadmap – An overview of the program’s milestones and timeline toward launching the first version of the program (“PreCert 1.0”).
  3. Expansion of Digital Health Tools for Drug Development. The FDA announced its intention to establish clear policies for integrating the review and validation of digital health tools into drug development programs. The FDA will publish a policy framework, through new guidance, and seek public input on the best practices to incorporate software intended for use with prescription drugs.
  4. Precertification Approach to Artificial Intelligence (AI). Gottlieb recognized the novel role that AI and machine learning can have on the medical device submission process (obviating the need to make multiple submissions) and new software validation tools. Gottlieb also discussed “employing the Pre-Cert approach to AI.” This suggests the FDA’s interest in a more effective approach to regulation of medical devices that use AI. This announcement expands upon the FDA’s brief mention of regulatory oversight of devices using “proprietary algorithms,” included in December’s Draft Clinical Decision Support and Patient Decision Support Guidance. (See our prior blog post analyzing the guidance.)
  5. Premarket Digital Safety Program Launch. Gottlieb announced the creation of a Premarket Digital Safety Program, which would allow for electronic submissions of premarket safety reports for an Investigational New Drug Application.
  6. Information Exchange and Data Transformation Incubator. Gottlieb announced the agency’s new digital health/technology incubator, to be known as the Information Exchange and Data Transformation (INFORMED). The incubator will initially be launched in the cancer context, with fellowship collaborations between the FDA and the National Cancer Institute, as well as with Harvard on AI and machine learning. Crowell & Moring’s Digital Health team is ready to assist with the submission of industry input, as well as strategic counseling on these issues.

The various initiatives, guidance, and calls for industry input reflect the FDA’s quest to be flexible in the face of digital health opportunity and innovation. Not only will the FDA’s newest initiatives support its quest to advance safe, patient-centered care, but these initiatives will provide the regulatory predictability critical to encouraging business investment in innovative technologies and products.

Crowell & Moring’s Digital Health team is ready to assist with the submission of industry input, as well as strategic counseling on these issues.

Despite the Trump Administration’s declaration of a state of emergency on October 26, 2017, the federal response to the opioid crisis largely languished on the back burner—much to the chagrin of states in the trenches of the opioid epidemic. However, based on the flurry of activity over the past several weeks, the federal government response now seems to be gathering substantive momentum, with various agencies and government actors launching attacks on all fronts—administrative, legislative, and enforcement alike. The federal government’s recent efforts present opportunities for health care organizations, life sciences companies, and health tech companies to get involved at the ground level to help influence opioid policy and provide needed products, services, and support to reduce the incidence of opioid abuse and address the health care needs of patients.

Continue Reading The Freight Train Gathers Steam: An Update on the Federal Response to the Opioid Crisis

On March 6, 2018 at the Healthcare Information and Management Systems Society (HIMSS) 2018 conference, Centers for Medicare & Medicaid Services (CMS) Administrator Seema Verma announced a new initiative furthering the current Administration’s focus on value-based care and increasing patient access to healthcare data. The initiative — called MyHealthEData — will be led by the White House Office of American Innovation, in collaboration with the Department of Health and Human Services (HHS), CMS, the Office of the National Coordinator for Health Information Technology (ONC), the National Institutes of Health (NIH), and the Department of Veterans Affairs (VA). (CMS press release here.) Continue Reading Liberating Data to Transform Value-Based Care: MyHealthEData, Blue Button 2.0, and Price Transparency

On September 26, 2016, the Office of the National Coordinator for Health Information Technology (ONC) released guidance, entitled EHR Contracts Untangled, to help providers navigate the complexities of electronic health record (EHR) vendor contracting. The guidance breaks down important considerations for selecting EHR systems, and provides strategic pointers – including sample contract language – to help facilitate the contracting process. While the guidance is largely an attempt to level the playing field for providers in the EHR arena, it also has broader applicability to contract negotiations for a variety of other digital health tools.

For the most critical “need-to-know” points from ONC’s new guidance, see our recent client alert.

Earlier this month, the Office of the National Coordinator for Health Information Technology (ONC) released a report to Congress on the feasibility of creating tools to help providers compare and select certified health IT products. As part of the Medicare Access and CHIP Reauthorization Act (MACRA), Congress required ONC to conduct a study to examine the feasibility of establishing mechanisms to assist providers in comparing and selecting certified EHR technology products. Congress suggested that ONC consider mechanisms like establishing a website of aggregated survey results that would allow meaningful EHR users to directly compare the functionality of certified health IT products. Congress also suggested compiling information from vendors of certified health IT products, and making that information publicly available in a standardized format.

In response to its Congressional directive, and drawing upon recommendations from the Certified Technology Comparison (CTC) Task Force, public input, and its own market analysis, ONC’s report focused on two subgroups of the health care community – providers and comparison tool developers – and identified specific problem areas in the comparison tool marketplace. Ultimately, the report proposed four mechanisms to improve the health IT comparison marketplace:

Continue Reading The Rise of the One-Stop Shop? ONC Outlines Four Mechanisms to Help Providers Compare Certified Health IT Products

Continuing to usher in a new wave of EHR technology changes, on September 11, 2014, the Office of the National Coordinator for Health Information Technology (“ONC”) adopted the “2014 Edition Release 2” final rule, which provides alternative criteria and approaches for the voluntary certification of heath information technology. The final rule, effective October 14, 2014[1], introduces regulatory flexibilities and general improvements to the certification processes.

First, the rule adopts a new (albeit smaller) subset of optional EHR Certification Criteria. Of the 57 proposed certification criteria in the February 26, 2014 notice of proposed rulemaking, the final rule adopts only ten optional and two revised EHR Certification Criteria. The Certification Criteria changes include:

Continue Reading ONC Announces New EHR Certification Criteria

On September 4, 2014, the Department of Health and Human Services (“HHS”) published a final rule modifying the Medicare and Medicaid Electronic Health Record (“EHR”) Meaningful Use Incentive Program. The modification brings welcome change, allowing increased flexibility while also assuaging several provider concerns.

The new rule, effective October 1, 2014, comes in response to numerous public comments lamenting the inability of providers to meet the 2014 meaningful use objectives—an inability that brought with it financial penalties. As part of the new rule, HHS made four distinct changes to the EHR Incentive Program:

1. Altered the meaningful use stage timeline and definition of certified electronic health record technology (“CEHRT”). The new rule implements a one-year extension of Stage 2 for providers that first joined the Program in 2011 or 2012. The timeline to begin Stage 3 has thus been postponed until 2017. In keeping with this timeline shift, HHS also formally modified the CEHRT definition to reflect this date change, thus postponing until 2015 the required start date for exclusive use of 2014 Edition CEHRT.

Continue Reading New HHS Rules Focus on Increased Flexibility, Improvements in the World of EHR Technology

The Centers for Medicare & Medicaid Services (“CMS”) recently announced that it had identified and contacted more than 300,000 people to obtain proof of their citizenship or legal residency status. Failure to provide this documentation by September 5 could result in these individuals losing their Affordable Care Act (“ACA”) health coverage, effective September 30. This loss of coverage conforms to the ACA’s prohibition on coverage for individuals illegally residing in the United States.

As of May 2014, according to CMS, about 1 million people who had signed up for private health insurance plans under the ACA had failed to provide required proof-of-citizenship or legal residency status. By August, however, that number had been cut by more than 660,000.

In addition to residency issues, another 1 million people who signed up for ACA coverage failed to verify their incomes, according to the Department of Health and Human Services’ June 2014 report on the Marketplace. This income verification is required under the ACA to determine, among other things, an enrollee’s eligibility for premium subsidies. See 45 C.F.R. § 155.320(c). To date, CMS has not said how many of these cases have been resolved. Unlike the residency requirement, no deadline has yet been set to cancel coverage for these individuals absent provision of the necessary information.

The U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced in an April 22, 2014, press release that two separate entities—Concentra Health Services (“Concentra”) and QCA Health Plan, Inc. (“QCA”)—collectively have paid almost $2 million to resolve potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. OCR began its investigations of both entities after receiving breach reports regarding the theft of unencrypted laptop computers.

OCR received a breach report from Concentra on December 28, 2011, indicating that an unencrypted laptop was stolen on November 30, 2011, out of one of its physical therapy centers in Springfield, MO. Upon investigation, OCR discovered that Concentra had previously identified its lack of encryption as a risk, but had failed to adequately remediate and manage that risk, failed to document why encryption was not a reasonable and appropriate security measure, and failed to implement an equivalent alternative to encryption. Concentra also failed to adequately execute risk management procedures to reduce its identified lack of encryption risk. Based on the discovery of such potentially-violative conduct, Concentra agreed to pay OCR $1,725,220, and will be required (in addition to its reporting obligations) to encrypt all of its new devices and equipment, including its laptops, desktops, medical equipment, tablets, and other storage devices containing electronic protected health information (ePHI).

Mandatory encryption represents a more strict interpretation of HIPAA’s plain language, since the statute itself lists encryption as an “addressable” rather than a “required” safeguard implementation specification. See 45 C.F.R. § 164.312(a)(2)(iv). Admittedly, it is unclear whether OCR’s focus on and remedial mandate of encryption stemmed from Concentra’s own identification of its lack of encryption as a security risk. But recent comments by Susan McAndrew, Deputy Director for Health Information Privacy at OCR, while speaking at a HIMSS14 HIPAA compliance session, suggest that an increased wave of HIPAA enforcement and compliance audits are on the horizon. Combined with the encryption obligations listed in the Concentra Resolution Agreement, it is possible that OCR sees encryption as an emerging best practice, if not a close-to-required HIPAA safeguard.

In a similar set of events, OCR began its investigation of QCA after receiving a February 21, 2012, breach report that an unencrypted laptop computer containing the ePHI of 148 individuals was stolen from an employee’s car. OCR’s investigation revealed that QCA failed to implement policies and procedures to prevent, detect, contain, and correct security violations. QCA also failed to physically safeguard its ePHI-accessible workstations by neglecting to restrict access to authorized users. As a result, QCA has agreed to pay OCR $250,000, and will be required to develop risk analyses and risk management plans, provide mandatory security training to its employees, and promptly investigate any information that an employee failed to comply with security and privacy policies and procedures. Notably, although this breach implicated the ePHI of a smaller set of individuals, it still triggered an OCR investigation.

These two settlements represent the latest in a series of OCR compliance investigations and fines, including WellPoint Inc.’s July 2013 $1.7 million penalty for leaving ePHI accessible over the internet, thereby impermissibly disclosing the ePHI of 612,402 individuals. In addition, Affinity Health Plan received a $1.2 million fine in August 2013 for failing to properly dispose of a photocopier, which impermissibly disclosed the PHI of up to 344,579 individuals.

In an effort to provide preventative information to other health organizations, OCR has made available six educational programs for health care providers. Topics range from understanding the basics of HIPAA security risks to mobile device compliance measures.

In a March 2014 report, the United States Government Accountability Office (GAO) identified major and on-going challenges with the practical implementation of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

The HITECH Act provides funding to promote the adoption and “meaningful use” of health information technology (HIT), as well as certified electronic health record (EHR) systems. While the Act itself provides the funding and statutory framework, the Department of Health and Human Services (HHS) and two of its subsidiary agencies—the Centers for Medicare and Medicaid Services (CMS) and the Office of the National Coordinator for Health Information Technology (ONC)—have also developed and issued strategic guidance in order to promote and advance the exchange of electronic health information under the Act.

Unfortunately, to date, many providers and stakeholders have reported difficulties with implementing the exchange and those difficulties have yet to be remedied. Based on in-depth interviews with providers and stakeholders across four states, the GAO report cites four major issues that continue to plague the electronic health information exchange (HIE):

Insufficient Standards for Electronic Health Information Exchange. Providers cited compatibility problems when exchanging certain types of health information with other providers that have different EHR systems, primarily due to a lack of sufficient standards supporting the exchange. The most common example included differing standards in the terminology, definitions, and classifications of certain health information (e.g., whether an allergic reaction should be classified as a side effect or an allergy). In response to this concern, HHS now requires participating providers use the 2014 edition of HHS-certified technology when exchanging health information. This technology now: (1) identifies certain vocabularies to be used by providers; (2) provides a structured format/template for patient care summaries (referred to as continuity of care documents (CCD)); and (3) defines a standard format for the transmission of secure health messages (called the Direct Protocol). Despite this move towards standardization, however, providers remain concerned by the standards’ sufficiency, the inability to measure the standards’ success, and the limited capabilities of the Direct Protocol system.

Varying Privacy Rules Across States and Lack of Clarity. Providers and stakeholders also expressed concerns about variations in state privacy laws, particularly where those laws vary significantly from or are stricter than federal or other state privacy laws. This issue is especially vexing for providers that border other states and serve a large number of patients across state lines. ONC has responded by offering high-level guidance directing providers to seek state privacy law information from state agencies, regional extension centers (RECs), and other professional associations. ONC also implemented the Data Segmentation for Privacy Initiative to develop and pilot test standards for managing patient consents and data segmentation (e.g., sharing some, but not all, of a patient’s health information). Despite these efforts, providers have requested additional training and suggested that HHS focus its resources on consent policies and electronically-obtained consents to address some of these challenges.

Difficulties Matching Patients to their Records. Providers and stakeholders noted difficulties with accurately and efficiently matching patients to their records when exchanging health information. Inaccurate matches naturally raise safety concerns, and inefficient matching processes are time-consuming and deter participation in the exchanges. To address these concerns, HHS implemented the Patient Matching Initiative (officially launched in September 2013) to: (1) asses the current approaches used; (2) identify key attributes and algorithms; and (3) define best practices. HHS also sought recommendations from the two federal advisory committees established by the HITECH Act, and HHS is currently working to respond to the recommendations. Providers themselves have suggested alternative methodologies, such as algorithms, and the creation of a national patient identifier for matching patients to their records.

Difficulties Regarding the Cost of Exchanging Health Information. Finally, providers identified financial concerns based on the costs of upfront expenses associated with purchasing and implementing EHR systems, as well as establishing the additional interfaces needed to fully utilize the exchanges. Providers also noted that limited participation by other providers in state or regional exchanges has created fewer opportunities to exchange health information, and therefore do not justify the costs associated with joining the exchange.

Based on the aforementioned challenges, the GAO recommended that HHS: (1) develop and prioritize specific actions that it will take to advance the health insurance exchange, and (2) develop milestones and timeframes for the completion of these actions. While these solutions are both practical and relevant to the concerns raised by providers, the on-going and fairly basic nature of the challenges has the potential to significantly slow the use of HIEs. Moreover, as providers move forward in an effort to embrace the Act’s mandate, the fact that many of the costs currently outweigh the benefits could chill and perhaps even deter full-scale implementation of the HITECH Act in the immediate future.