MichBIO_-_HIPAA__Industry-Provider_Interactions__and_Related_Compliance_Matters_1_2017.PPT
- 1. © 2017 Foley Hoag LLP. All Rights Reserved.
HIPAA, Industry-Provider Interactions, and Related Compliance Matters
MichBIO Bioscience Regulatory Compliance Workshop
January 17, 2017
Colin J. Zick
Co-Chair, Health Care and Data Privacy and Security Practices
Foley Hoag LLP
(617) 832-1275
czick@foleyhoag.com
- 2.
It’s Good to Be Back….
- 3.
Overview: Privacy, Security and Industry-Provider Interactions
Data privacy and security issues are driven by more and more data.
Industry-provider interactions have grown and evolved, despite scrutiny and regulation.
These areas pose distinct and significant challenges for biotechs.
- 4.
An Effective Compliance Plan
The OIG Compliance Guidance lists seven elements of an effective compliance plan:
1) implementing written policies and procedures;
2) designating a compliance officer and compliance committee;
3) conducting effective training and education;
4) developing effective lines of communication;
5) conducting internal monitoring and auditing;
6) enforcing standards through well-publicized disciplinary guidelines; and
7) responding promptly to detected problems and undertaking corrective action.
- 5.
All That Data!
Therapies, diagnostics, and connected devices now gather huge amounts of data.
That data can be more valuable than the “thing” that is treated, diagnosed, or connected, provided you have the legal ability to use that data, by:
– Direct consent
– Operation of law
– Aggregation/anonymization
- 6.
2016: A Busy (and Dangerous) Year for Data and Data Security
The flip side: breaches and cyber attacks continue to occur at a high frequency.
A high percentage of the known breaches/attacks could have been prevented.
While some attacks are very high tech, low tech attacks are very popular and often successful.
Perpetrators know this and exploit human and systemic weaknesses.
- 7.
The Worst Case….
Dick Cheney’s Heart
In 2008, a team of security researchers proved they could gain access through a pacemaker’s wireless control system.
Vice President Cheney had an implanted pacemaker.
This led to the communications capabilities of his pacemaker being disabled.
“Disconnection” is not a viable business model.
- 8.
What is Protected By Law?
“Personal Information”: an individual’s name + one or more of the following:
– Social Security number
– Financial account number
– Credit card number
– Driver’s license number
– Biometric indicators (fingerprints, DNA, voice print)
Personal facts:
– Financial
– Health
– Family
Medical records and health information
- 9.
HIPAA Overview
What is HIPAA?
– “Health Insurance Portability and Accountability Act of 1996”
– A federal statute with related regulations and guidance
What does HIPAA do?
– The statute covers a lot of different subjects. The focus of this session is the part of HIPAA that deals with confidentiality of Protected Health Information (“PHI”), which is referred to as “administrative simplification”.
– PHI is any “individually identifiable health information” that is transmitted by a “covered entity” in connection with specified electronic transactions (which makes it “ePHI”).
- 10.
Does HIPAA Apply to Biotech Companies?
What kinds of businesses are HIPAA “covered entities”?
– Health care providers
– Health plans
– Health care clearinghouses
Biotechs may be considered a HIPAA “covered entity”.
– They could also be a HIPAA “business associate” working with various types of health care providers, who themselves are HIPAA “covered entities”.
- 11.
Is HIPAA Relevant If You Are Not a “Covered Entity”?
Even if HIPAA does not literally apply, it is a widely-accepted standard for health information and its management.
Courts will look to HIPAA for guidance in determining what is appropriate under the laws of the states in which you do business.
Therefore, even if you are not a “covered entity,” you need to know, understand and apply HIPAA’s standards for privacy and security of health information.
- 12.
Disclosure and Use Under HIPAA
With notice (treatment, payment and health care operations)
With authorization (marketing, research)
Subject to objection (family, friends, clergy)
By HIPAA “override” (public health, law enforcement, certain research)
- 13.
Keys to Protecting Personal Information
Awareness
Physical Security
Electronic Security
Data Retention/Destruction
- 14.
Security Risks – Wikileaks-Type Email Hacks
How did Team Clinton fail?
– Inappropriate IT vetting of phishing scam
– Podesta failed to use two factor authentication
– Poor virtual situational awareness
- 15.
Information Security Risks
Spoofing and Identity Theft
– A major issue, and not just for credit card companies, but for any entity that has an individual’s:
• Name
• Address
• Email address
• Social Security number
• Financial account number(s)
• Credit card number(s)
• Driver’s license number
Confidential Information Breaches and Leaks
– Impact on customers and customer relations
– Negative PR for “brand”
- 16.
Contracts and Data Use
Contracts are key to data use:
– Consents and authorizations
– Terms of use and privacy policies
– Notices of privacy practices
– Licenses
– HIPAA business associate agreements
- 17.
Industry-Provider Interactions
Basic principles: Avoid fraud, abuse, kickbacks
What are the relevant laws?
– Federal and state anti-kickback statutes
– Federal and state false claims acts
– Federal Stark anti-self-referral law and state analogues
– Federal and state Sunshine Acts/physician transparency laws
– Federal exclusion sanctions
- 18.
Relevant Marketing Codes Governing Industry-Provider Interactions
OIG Compliance Guidance:
Compliance Program Guidance for Pharmaceutical Manufacturers, issued by the Department of Health and Human Services Office of Inspector General, 68 Fed. Reg. 23731 (May 5, 2003)
Trade Association Codes:
– PhRMA Code on Interactions with Healthcare Professionals
– AdvaMed Code of Ethics on Interactions with Healthcare Professionals
– International Federation of Pharmaceutical Manufacturers & Associations Code of Pharmaceutical Marketing Practices
– Association of the British Pharmaceutical Industry Code of Practice
- 19.
Federal Anti-Kickback Statute
The federal anti-kickback statute (AKS) makes it a criminal offense to knowingly and willfully offer, pay, solicit or receive any remuneration to induce referrals of items or services reimbursed by federal health care programs.
– Payments, credits or other forms of remuneration provided to Medicare/Medicaid beneficiaries can implicate the federal anti-kickback statute, 42 U.S.C. § 1320a-7b(b).
– However, if no federal programs currently reimburse the product/service and you do not believe that any federal programs will pay for the product/service for an extended period of time, then the federal anti-kickback statute is probably not applicable.
- 20.
Anti-Kickback Statute (cont.)
Remuneration includes anything of value and can take many forms besides cash, such as free rent, expensive hotel stays and meals, and excessive compensation for medical directorships or consultancies. In some industries, it is acceptable to reward those who refer business to you. However, in the Federal health care programs, paying for referrals is a crime.
The statute covers the payers of kickbacks—those who offer or pay remuneration—as well as the recipients of kickbacks—those who solicit or receive remuneration. Each party’s intent is a key element of their liability under the AKS.
Generally, the difficulty in determining potential liability lies in distinguishing between:
– remuneration intended to induce referrals; and
– remuneration paid to the referral source in return for legitimate services and in appropriate amounts.
- 21.
Anti-Kickback Statute (cont.)
Criminal penalties and administrative sanctions for violating the AKS include fines, jail terms, and exclusion from participation in the Federal health care programs.
– Under the civil monetary penalty provisions, physicians who pay or accept kickbacks also face penalties of up to $50,000 per kickback plus three times the amount of the remuneration.
Safe harbors protect certain payment and business practices that could otherwise implicate the AKS from criminal and civil prosecution.
– To be protected by a safe harbor, an arrangement must fit squarely in the safe harbor and satisfy all of its requirements.
– Some safe harbors address personal services and rental agreements, investments in ambulatory surgical centers, and payments to bona fide employees.
- 22.
Stark Law: What Is It and What Services Are Covered By It?
Stark prohibits certain physician referrals to entities they have an interest in:
– Clinical laboratories
– Physical therapy
– Occupational therapy
– Certain radiology services
– Radiation therapy services and supplies
– Durable medical equipment and supplies
– Parenteral and enteral nutrients, equipment, and supplies
– Prosthetics, orthotics, and prosthetic devices and supplies
– Home health services
– Outpatient prescription drugs
– Inpatient and outpatient hospital services
- 23.
The Federal Sunshine Act
Enacted as Section 6002 of the Patient Protection and Affordable Care Act (“ACA”) on March 23, 2010.
Creates significant new legal obligations for drug and device manufacturers.
Requires every “applicable manufacturer” to file an annual disclosure report with the federal government. (Requires actual sales….)
This annual report must detail the manufacturers’ financial relationships with physicians and teaching hospitals (“covered recipients”) over the previous year.
Known as the “Sunshine Act” provisions, since they were originally proposed in 2007 as the “Physician Payments Sunshine Act” (sponsored by Senators Charles Grassley and Herb Kohl).
Unlikely to be repealed….
Several states have similar reporting laws or outright prohibitions.
- 24.
Sunshine Act Basics
Disclosure
– Requires manufacturers to disclose almost all payments and “transfers of value” made to physicians or teaching hospitals.
– Requires manufacturers to disclose specific payments made to physicians and teaching hospitals, rather than simply disclosing aggregate payments.
– Disclosures will be made public in an online, searchable database.
Penalties
– Imposes significant financial penalties on manufacturers for noncompliance.
- 25.
Sunshine Act Penalties
Manufacturers can face two types of noncompliance penalties: one for unknowing failures to report, and one for knowing failures to report.
Unknowing Failures to Report
– Subject to a penalty of between $1,000 and $10,000 for each unreported payment, transfer, or ownership interest.
– Total penalties for unknowing omissions are capped at $150,000 annually.
Knowing Failures to Report
– Subject to significantly steeper penalties: between $10,000 and $100,000 for each unreported payment, transfer, or ownership interest.
– Total penalties for knowing omissions are capped at $1,000,000 annually.
- 26.
Colin Zick
Partner and Co-Chair, Health Care and Privacy & Data Security Practice Groups
Foley Hoag LLP
czick@foleyhoag.com
617.832.1275
Editor's Notes
- Internet of Devices
Me – telemedicine in the 1990s