Digital Health Update: Recent FDA Cyber Initiatives

The Food and Drug Administration (“FDA”) has greatly increased its activity around cybersecurity initiatives and medical devices. As we approach the end of the year, this is a great opportunity to review recent developments.

FDA Medical Device Cybersecurity Guidance

On October 18, 2018, the FDA published draft guidance, “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.” This draft replaces prior guidance from 2014 and outlines recommendations for device design, data confidentiality, labeling conventions, and cybersecurity documentation. Key requirements include:

  • Risk-based categorization of devices into two tiers (based primarily upon device connectivity and risk of cybersecurity incidents);
  • Preparation of a cybersecurity bill of materials listing device components that could be vulnerable to cybersecurity incidents;
  • Recommendations such as requiring authentication before software or firmware updates; and
  • Application of the NIST Cybersecurity Framework.

The public comment period will end on March 18, 2019, and there will be a workshop open to the public on January 29-30. Industry professionals should take this opportunity to determine the effects this guidance could have on device approval in the future and consider commenting.

Partnership with Department of Homeland Security

The FDA and the Department of Homeland Security (DHS) announced on October 16, 2018 that the parties had entered into a memorandum of agreement (MOA) for Medical Device Cybersecurity Collaboration. The FDA’s press release described the agreement between FDA’s Center for Devices and Radiological Health (CDRH) and DHS’ National Protection and Programs Directorate (NPPD) as “meant to encourage even greater coordination and information sharing about potential or confirmed medical device cybersecurity vulnerabilities and threats.” Under the agreement, NPPD shall serve as the central medical device vulnerability coordination center, provide independent third party assistance to the FDA for technical assessments, and share information. The FDA shall coordinate regular communications with NPPD regarding cybersecurity vulnerabilities and threats, make cybersecurity vulnerability assessments, and share information.

Cybersecurity Playbook: Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook

On October 1, 2018, the MITRE Corporation released the Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook, developed in collaboration with the FDA and industry stakeholders. MITRE is a nonprofit that operates federally funded research and development centers and has assisted the FDA with growing its cybersecurity program at CDRH. The Playbook responds to concerns by industry stakeholders, including medical device manufacturers (MDMs) and healthcare delivery organizations (HDOs), that they needed additional information and resources on how to respond to cybersecurity incidents such as the WannaCry event. It includes a customizable framework with recommendations that HDOs can use to “leverage as a part of their emergency response plans” to minimize patient care disruptions and harm that could occur from a medical device cybersecurity incident. Topics covered include items such as medical device procurement; hazard vulnerability analysis; incident response training; detection and analysis; containment, eradication, and recovery; and post-activity efforts.

Digital Health Precertification Program

On June 19, 2018, the FDA released the second version of its Pre-Certificate (“Pre-Cert”) Working Model that takes into consideration comments received on the April 2018 version. The agency accepted comments on the model until July 18, 2018. The goal, as outlined in the agency’s Digital Health Innovation Plan, is to develop a voluntary Pre-Cert program that would facilitate faster review of certain product submissions from pre-approved software and digital health firms and developers. The initial pilot program has been limited to software as a medical device (SaMD) but the second version of the framework indicates FDA may extend the program to software in a device (SiMD) and accessories to medical device hardware in the future. Pre-Cert 1.0 may be released as early as the end of 2018 with anticipated pilot testing in 2019.

Partnerships with Ethical Hackers

The FDA has recently pursued partnerships with ethical hackers in order to improve cybersecurity efforts with medical devices. This was highlighted by the recent discovery of a flaw in a Medtronic pacemaker that rendered the device vulnerable to hacking. Two cybersecurity researchers initially found the flaw and brought it to Medtronic and FDA’s attention. In a statement to media, the director of the FDA’s CDRH indicated the FDA plans to continue developing relationships with cybersecurity researchers.

Promoting the Use of Artificial Intelligence

FDA is moving toward approval of medical devices with artificial intelligence, and Commissioner Scott Gottlieb indicated in a speech earlier this year that the agency is working to develop “a new regulatory framework to promote innovation in this space and support the use of AI-based technologies.” Recent approvals by the agency have included a diagnostic system for diabetic retinopathy, clinical decision support software for strokes, and a program to assist medical professionals in detecting wrist fractures. A noteworthy characteristic of the approved diabetic retinopathy diagnostic system is that it does not require any additional layer of review by a medical professional. Future approvals could work in coordination with the Pre-Cert program.


Justice Department Allots Additional US$70 Million to Battle Opioid Crisis

In tandem with President Trump’s signing of H.R. 6, (now former) US Attorney General Jeff Sessions announced new Department of Justice (DOJ) funding awards aimed at curbing drug trafficking and supporting youth impacted by America’s opioid epidemic.

At DOJ’s first-ever National Opioid Summit, Sessions and Deputy Attorney General Rod Rosenstein highlighted sustained federal law enforcement efforts to combat opioid abuse and related substance issues. DOJ’s nearly US$70 million investment, which closely follows the recent announcement of nearly US$320 million in grant funding by its Office of Justice Programs, is expected to bolster a variety of department divisions and initiatives. Specific disbursements include:

  1. US$34.6 million for the Office of Victims of Crime and Bureau of Justice Assistance, which funded 41 victim service sites and a technical assistance provider for the purpose of expanding services to children affected by the opioid crisis
  2. US$27.8 million for the Community Oriented Policing Services (COPS) Office’s Anti-Heroin Task Force Program, which funded 17 state law enforcement agencies to better probe the illicit distribution of heroin and prescription opioids
  3. US$7.2 million for the COPS Anti-Methamphetamine Program (CAMP), which funded nine state law enforcement agencies seeking to more effectively seize methamphetamine and shutter unlawful drug laboratories

DOJ officials also announced the formation of the Appalachian Regional Prescription Opioid Strike Force, which involves US Attorney’s Offices for nine federal districts in five states and DOJ’s Health Care Fraud Unit, as well as other divisions within the Federal Bureau of Investigation, US Department of Health and Human Services (HHS) and US Drug Enforcement Administration. The joint DOJ and HHS initiative will seek to improve the identification, investigation and prosecution of illegal prescription schemes in Appalachia and surrounding areas. The strike force will also rely on expertise from the US Postal Inspection Service, Internal Revenue Service Criminal Investigation Division and state Medicaid Fraud Control Units.


Congress’ Extensive Opioid Legislation Becomes Law

On Wednesday, October 24, President Trump signed the Substance Use Disorder Prevention that Promotes Opioid Recovery and Treatment (SUPPORT) for Patients and Communities Act (H.R. 6) into law.

The bill signing occurred three weeks following Congress’ overwhelming approval of the measure, and nearly one year since the Trump Administration deemed America’s opioid crisis a federal public health emergency. House Energy and Commerce Committee Chairman Greg Walden (R-OR) and Senate Health, Education, Labor, and Pensions (HELP) Committee Chairman Lamar Alexander (R-TN), chief architects of the legislation, joined patient advocates and congressional and agency leaders at the White House ceremony.

H.R. 6, which represents a bipartisan, bicameral agreement, largely modifies Medicare and Medicaid policies to better prevent and combat opioid abuse. Other elements seek to expand comprehensive substance use disorder treatment supports, particularly in local communities, as well as address associated health workforce shortages.

While House and Senate leadership embraced pre-conference discussions to allow for the swift negotiation of a final package, differing opinions on several provisions still proved contentious.

By approving a partial repeal of the decades-old Institutions for Mental Diseases (IMD) exclusion, conferees ultimately permitted states for five years to request Medicaid payment for 30-day inpatient addiction treatment at facilities with more than 16 beds.

Additionally, following considerable debate and stakeholder input, conferees opted not to loosen certain information-sharing amongst providers by rejecting the alignment of privacy provisions governing patient substance use disorder records with 42 CFR, Part 2 laws.


CMS Updates the Part D Prescription Drug Benefit Manual – Chapter 13 & 14

Last month, CMS updated Chapters 13 and 14 from the Part D Prescription Drug Benefit Manual (PDBM). These updates affect Part D plan sponsor operations as well as network and non-network pharmacies. In Chapter 13, CMS updated its guidance on premium and cost sharing subsidies for low-income beneficiaries under the Part D program. In Chapter 14, CMS updated its guidance on coordination of benefits. A selection of CMS’s updates to those chapters are highlighted below:

Supreme Court To Decide If HHS May Skip Notice And Comment Requirements For Certain Payment Rules

On September 27, 2018, the U.S. Supreme Court agreed to review a D.C. Circuit Court of Appeals decision that had tossed out a new calculation method, employed by the U.S. Department of Health and Human Services (“HHS”), which had cut Medicare payments to hospitals. Azar v. Allina Health Services (“Allina Health”). HHS itself estimated that the D.C. Circuit’s ruling implicates between $3 and $4 billion in so-called Medicare “DSH” payments to hospitals for federal fiscal year (“FY”) 2005 through FY 2013. While those huge amounts are directly at stake, so too is the public’s right to weigh in on HHS’s policy governing Medicare payments. If the D.C. Circuit’s ruling stands the agency will be required to submit far more of its payment policies to the rigors of notice and comment rulemaking.

Unauthorized TV Cameras in Hospitals Yield Costly HIPAA Penalties of $999,000

For the second time in as many years, the Department of Health and Human Services’ Office for Civil Rights (“OCR”) entered into settlement agreements with and levied hefty fines on three hospitals that allegedly impermissibly disclosed patients’ protected health information to ABC News in the course of filming a television network documentary series. OCR announced on September 20 that Boston Medical Center, Brigham and Women’s Hospital and Massachusetts General Hospital each reached agreements with HHS in which they agreed to pay a collective $999,000 to settle potential violations of the HIPAA Privacy Rule. According to each of the settlement agreements, HHS alleges that the covered entities allowed film crews into patient areas of the hospitals in late 2014 and January 2015 without appropriately safeguarding patients’ PHI from disclosure. In April 2016, a New York hospital agreed to pay $2.2 million and enter into a settlement agreement and corrective action plan with OCR for similar alleged HIPAA violations that occurred during the filming of the television show “NY Med.”

The takeaway for covered entity providers here is that written authorization from patients must be obtained prior to allowing media personnel to enter non-public areas of facilities and especially prior to allowing filming of patients for non-clinical purposes, including for medical documentaries, news pieces, or TV dramas. As OCR made clear in its FAQ guidance document on this topic, it is not sufficient to simply require the film crew to later obscure the identity (via blurring, pixelation, or voice alteration) of any patients whose image or voice was recorded but who did not provide written authorization, because the HIPAA Privacy Rule does not allow media access to the patients’ PHI in the first place absent an authorization. When providers require filming services to produce training videos or marketing materials in which patients are identified or PHI may be accessible, entering into a HIPAA business associate agreement is the best practice in addition to obtaining prior written authorizations from patients whose PHI is included in any public materials.

For more information and recommendations on avoiding HIPAA liability, please contact the authors or your regular SPB contact.

Senate Overwhelmingly Clears Bipartisan Opioid Package

Nearly three months following House passage of a legislative proposal related to America’s opioid epidemic, the Senate overwhelmingly cleared its own comprehensive, bipartisan package to address the crisis.

On Monday, September 17, senators replaced the House-passed text with a substitute amendment and approved The Opioid Crisis Response Act of 2018 (H.R. 6) by a vote of 99-1. The bill, authored by Senate Health, Education, Labor, and Pensions (HELP) Committee Chairman Lamar Alexander (R-TN), resulted from more than 70 pieces of legislation recommended by members of five different committees: Banking, Housing, and Urban Development; Commerce; Finance; HELP; and Judiciary.

Firm to Host Life Sciences Day in Frankfurt

Along with the Federal Association of the Pharmaceutical Industry (BPI), the American Chamber of Commerce in Germany and the Federal Association of German In-house Lawyers (BUJ), we cordially invite you to attend our Life Sciences Day on 20 September 2018 in Frankfurt.

The trend for public and private healthcare systems over the past few years has involved strained revenues and declining margins. Finite resources will continue to be taxed with necessary infrastructure projects and an increase in demand, plus advancements in technology and healthcare in general. Investment will need to focus on a growing, and aging, population, along with market expansion, advancements and cost-of-living increases that include greater labour costs. All of this makes it difficult to retain full insurance coverage in an affordable manner, with healthcare providers needing to join forces to attain any advantage in the market.

Our experts, with extensive industry and country experience in the US and Germany, will present the latest developments and look forward to answering your individual questions from your daily business. More information, including the program agenda, may be found here.



On August 2, 2018, the Federal Communications Commission unanimously approved a Notice of Inquiry (“NOI”) to establish a $100-million telehealth pilot program. FCC seeks to identify how the agency can “help advance and support the movement in telehealth towards connected care everywhere and improve access to the life-saving broadband-enabled telehealth services it makes possible.” The NOI seeks public comment (initial comments by September 10 and reply comments by October 10) on various aspects of the contemplated program.

Focus – The creation of the program would be to support delivery of broadband-enabled telehealth services and applications to low-income Americans and low-income veterans, with a focus on direct delivery of such services and applications to patients beyond the doors of brick-and-mortar health care facilities. To that end, the Commission’s NOI prominently mentions remote patient monitoring and success stories, such as the Veterans Health Administration.

Budget and Program Structure – The Commission expects to set aside up to $100m in total funding from the Universal Service Fund for the pilot program. This would permit, for example, up to 20 health care providers that serve primarily low-income populations to partner with at least one facilities-based broadband provider and apply for a maximum of $5-million in universal service funding for supported services that would be used to deliver these connected care services to eligible patients.

Who Should Be Potential Eligible Health Care Providers? – The NOI seeks comment on establishing a threshold criterion for eligibility that limits the pilot program to health care providers (i.e., clinics and hospitals) that predominantly serve low-income patients. It also asks for potential proxies for identifying such entities (e.g., percentage of Medicaid patients served, location of such entities).

Who Should Be Potential Eligible Broadband Providers? – The NOI expresses a preference for facilities-based eligible telecommunications carriers to participate with health care providers. The Commission believes that a health care provider should have a partnership in place with at least one such broadband provider before applying for funds.

Who Should Be Potential Eligible Low-Income Subscribers? – The Commission seeks comment on limiting participating health care providers’ use of pilot program funding to Medicaid-eligible patients, as well as veterans who qualify based on income for cost-free health care benefits through the Department of Veterans Affairs.

What Services Should Be Supported? – The NOI envisions that the pilot program would help fund broadband connectivity that eligible low-income patients of participating clinics and hospitals would use to receive connected care services (and other services), and broadband connectivity that participating clinics or hospitals need to conduct their proposed connected care pilot projects. However, the Commission also asks whether funding should be permitted to support equipment necessary for effective use of the broadband service and end-user devices, such as remote patient monitoring equipment.

Number of Projects, Support Amount and Disbursement? – The Commission seeks comment on whether there should be a set number of projects funded (e.g., no more than 20) and if a $5-million cap on each project is appropriate or larger amounts (e.g., maximum of $20-million) should be permitted. Finally, the NOI asks how funds should be disbursed, noting existing Universal Service Fund models.

Program Duration? – The Commission asks for comment on the duration of the Program and whether a 2 or 3-year funding period should be adopted.

Other Issues – The NOI asks about potential federal, state or local regulatory barriers that it should consider in designing the program. It seeks recommendations on how best to ensure that funds are used only for intended purposes. The Commission also raises the question of protecting patient information, while gathering data to measure the effectiveness/success of the pilot. Finally, the NOI seeks comment on how to best measure the program’s effectiveness in improving health outcomes for low-income consumers through increased access to broadband-enabled telehealth services.

Next Steps? – As noted above the FCC will be accepting public comments on these and related questions. We would expect a formal set of proposed rules to follow, perhaps by early next year. We sense a high degree of interest in this proposal, which Commissioner Brendan Carr is leading. Parties interested in helping shape the program on such key issues as, for example, amount of funding per project should be weighing in now, over the comment period. Squire Patton Boggs is fully able to assist in that effort.

Pharma Company Denied C Plea

Many may view a C plea to mean a Corporate Plea. Used infrequently, a C plea restricts discretion of a federal district judge to sentence a criminal defendant. When one federal judge expressed his concerns about a proposed C plea for a pharmaceutical company, he changed the result. In an article published by the American Health Lawyers Association, Rebecca Worthington and Tom Zeno analyze the case. Additional posts about this case can be found here and here.