FDA Issues Guidance on Clinical and Patient Decision Support Software

On December 8, 2017, the Food and Drug Administration (FDA) published a notice of availability for the Clinical and Patient Decision Support Software – Clinical and Patient Decision Support Software – Draft Guidance for Industry and Food and Drug Administration Staff (“Draft Guidance”). The Draft Guidance, available here, provides clarity on the scope of FDA’s regulatory oversight of (1) clinical decision support software intended for health care professionals, and (2) patient decision support software intended for patients and caregivers who are not health care professionals.

The purpose the Draft Guidance is to identify the types of decision support software functionalities that: (1) do not meet the definition of a “device” as amended by the 21st Century Cures Act (“Cures”); (2) may meet the definition of a “device” under Cures but for which FDA does not intend to enforce compliance with applicable regulatory requirements, including, but not limited to, premarket clearance and premarket approval; and (3) “devices” that will be the focus of FDA’s regulatory and enforcement oversight.

Medical device and software manufacturers with products that may influence medical decision-making should study the Draft Guidance since it reflects FDA’s current regulatory thinking.

Section 3060(a) of Cures amended section 520 of the Food, Drug, and Cosmetic Act to exclude certain software functions from the definition of a “device,” thereby reducing the regulatory obligations applicable to such software. Specifically, under Cures, “clinical decision support software” (CDS) that meets all four of the following criteria excluded from the definition of a medical device:

  1. Software that is not intended to acquire, process, or analyze a medical image or a signal from an in vitro diagnostic device or a pattern or signal from a signal acquisition system;
  2. Software that is intended for the purpose of displaying, analyzing, or printing medical information about a patient, or other types of information (such as a peer-reviewed clinical studies and clinical practice guidelines);
  3. Software that is intended for the purpose of supporting or providing recommendations to a health care professional about prevention, diagnosis, or treatment of a disease or condition; and
  4. Software that is intended to enable a health care professional (HCP) to independently review the basis for the recommendations that the software presents so that it is not the intent that such HCP rely primarily on any of such recommendations to make a clinical diagnosis or treatment decision regarding an individual patient.

Cures does not apply to patient decision support software (PDS), which refers to software that a patient or non-HCP caregiver may use to help make a medical decision. PDS implicates a much different balance of risks and benefits because the software must make up the difference between a lay patient and a physician’s education and training. With respect to PDS, the fourth criteria should allow patients or their non-HCP caregivers to independently review the software’s recommendation. FDA states that it does not intend to take enforcement action against manufacturers with PDS for violating the applicable regulatory requirements if the PDS meets all of the above criteria.

FDA does not single-out any one of the four criteria as being more important, but it does identify the fourth criteria as the lynchpin of its analysis. Therefore, manufacturers seeking apply the Draft Guidance must ensure that an HCP or a patient (or their non-HCP caregiver) can reach the same recommendation as the software, without relying primarily on the software to come to that decision. In practice, this means that the software functions clearly explain (1) the purpose or intended use of the software function; (2) the intended user (e.g., patient, non-HCP); (3) the inputs used to generate the recommendations (e.g., patient age and gender); and (4) the rationale or support for the recommendation.

The Draft Guidance provides many examples that manufactures can review to help understand how these criteria will be evaluated in practice. For example, software that simply identifies drug-allergy contraindications based on FDA-approved labeling, or identifies patients that meet the clinical definition of a disease based on test results, are no longer medical devices. On the other hand, software that conducts its own analyses on a patient and, for example, uses those analyses to create treatment or surgical plans, will continue to be medical devices under FDA’s oversight.

Either electronic or written comments on the Draft Guidance may be submitted to FDA by February 6, 2018 to ensure that the FDA considers all comments on the Draft Guidance before it begins work on the final version. Submit electronic comments to https://www.regulations.gov or submit written comments to the Dockets Management Staff (HFA-305), Food and Drug Administration, 5630 17 Fishers Lane, Rm. 1061, Rockville, MD 20852. Identify all comments with Docket No. FDA–2017–D–6569.

If you have any questions regarding the Draft Guidance, please contact the authors or your regular Squire Patton Boggs attorney.

FCC Focuses on Critical Role of $400 Million Rural Health Care Program

Noting that technology and telemedicine are assuming an increasingly critical role in healthcare delivery, the FCC has initiated a proceeding to consider changes to its Rural Health Care Program (RHCP), which provides $400 million in annual subsidies for telecommunications and broadband services to eligible rural healthcare providers (HCP). These changes would potentially affect existing as well as future Program participants.

Continue Reading

Recent Federal District Court Ruling Considers Who May Bring EMTALA Claims

Emergency Room

The United States District Court for the Northern District of Georgia recently granted several defending healthcare insurers’ motions to compel arbitration and (in part) to dismiss claims alleging improper reimbursement practices brought under the Emergency Medical Treatment and Labor Act (“EMTALA”), Affordable Care Act (“ACA”), COBRA, and various Georgia state law theories.  The order, styled Apollo MD Business Services v. Amerigroup Corporation (Delaware), No. 1:16-cv-4814, Dkt. 70 (N.D. Ga. Nov. 27, 2017), is available here. Continue Reading

CMS Republishes the 2018 OPPS Final Rule

On December 14, 2017, the Centers for Medicare & Medicaid republished the final rule with comment period for the Medicare hospital outpatient prospective payment system (OPPS) and the Medicare ambulatory surgical center (ASC) payment system for CY 2018 (“Final Rule”). The republication included an editorial note stating that the Final Rule was originally published in the federal register on November 13, 2017 but that publication omitted a section of the document due to a printing error. Instead of publishing only the missing section, CMS republished the Final Rule in its entirety. The Final Rule retains the January 1, 2018 effective date and the December 31, 2017 deadline for submitting comments.

Government rewards biopharma by declining penalty

In a settlement this week, the government rewards prompt action of a biopharma company by declining a penalty. Although an enforcement action by the Securities and Exchange Commission, the approach corresponds to a recent announcement by the Department of Justice. Companies that self-report, cooperate, and remediate will receive lenient treatment. This settlement makes clear just how valuable those efforts can be, allowing a company to settle violations of accounting controls and disclosure with no financial penalty whatsoever. On the other hand, the settlement confirms the government’s intent to prosecute culpable individuals.

Benefit to Company

According to the SEC’s announcement, from 2012 to early 2016, the former CEO and CFO of Provectus Biopharmaceuticals, Inc. obtained millions of dollars from the company by using insufficient or non-existent expense documentation, causing the company to materially understate their compensation in annual reports and proxy statements. While the SEC order directs Provectus to cease and desist from committing any further accounting controls and disclosure violations, it notably imposes no financial penalty on the company. The SEC’s order states that it took into consideration Provectus’ prompt remedial acts and cooperation with the Commission, including (i) the retention of independent counsel and a forensic accounting firm to conduct an internal investigation; (ii) the replacement of the CFO and CEO accused of wrongdoing; (iii) the decision to hold the former executives accountable through legal process; (iv) the creation of new finance positions; (v) the hiring of new auditing and bookkeeping firms; and (vi) the revamping of  internal control measures related to expense reimbursement. The SEC also credits the company for voluntarily sharing the findings of its internal investigation with the Commission, saving the Enforcement staff both time and resources.

Holding Individuals Accountable

In contrast to leniency for the company, the SEC charged the CEO individually in federal court for using the company “as his personal piggy bank.” The government is seeking disgorgement plus interest, penalties, and a officer-and-director bar. Similarly focusing on individual conduct, the SEC settled with the company’s CFO by obtaining disgorgement and interest, a civil penalty, and suspension from practicing before the SEC.

This settlement reminds companies that prompt, thorough, and independent inquiry into potential wrongdoing, swift remedial action, and transparency can substantially mitigate enforcement exposure. It also maintains the focus on holding individuals responsible for their conduct.

CMS to Reduce 340B Drug Payments to Hospitals by $1.6 Billion

On November 13, CMS published the final rule revising the Medicare hospital Outpatient Prospective Payment System for 2018.  Among a number of changes, the final rule dramatically reduces Medicare Part B payments to hospitals for separately payable drugs purchased through the 340B Program.  Currently, Medicare pays hospitals the Average Sales Price (ASP) plus 6% for these drugs regardless of whether the hospital purchased the drug at a discount through the 340B Program.  Under the final rule, Medicare will pay hospitals ASP minus 22% for separately payable drugs purchased through the 340B Program.  The change will reduce payments to 340B hospitals by an estimated $1.6 billion that will be redirected to payment for other services within the OPPS.

CMS’s stated goal in implementing this payment reduction is to better align Medicare payment for separately payable drugs with the resources hospitals actually expend to acquire such drugs.  While CMS acknowledged the intent behind the 340B Program, it also stated its belief that it is inappropriate for Medicare to subsidize other activities through Medicare payments for separately payable drugs.   Notably, not all hospitals will be subject to the payment reductions. SCHs, children’s hospitals and PPS-exempt cancer hospitals are excluded from the 340B Program payment reduction for 2018.  Nevertheless, the 340B Program payment changes will reduce payments to all non-exempted hospitals, and such reductions may have a more dramatic effect on urban, major teaching hospitals with 500 or more beds.

For a more through discuss of the 340B Program payment revisions, together with background on the 340B Program, please read our recent client alert on the issue, available here.

Judge Rejects Healthcare Company’s “C” Plea

Judge rejects C plea A federal judge rejects healthcare company’s “C” plea as not good enough.  Lessons from this decision apply to any healthcare provider trying to negotiate a specific sentence with the federal government. A summary of the judge’s criticism follows a short background about a C plea.

Types of Guilty Pleas

Federal Criminal Rule 11(c)(1) governs plea agreement procedure. It includes a limitation: “The court must not participate in these discussions.” The subsection describes three types of guilty pleas. Subsection (A) covers the common plea agreement in which the government dismisses charges as part of the agreement. Under subsection (B), the government agrees to recommend, or not oppose, the defendant’s request for a particular sentence. The C plea is named after its subsection, 11(c)(1)(C). A C plea agreement establishes that “a specific sentence or sentencing range is the appropriate disposition of the case.” A crucial difference is that the C plea operates only “once the court accepts the plea agreement.” In other words, the court has specific power to reject a C plea.

Need to Prepare Answers

In this case, US District Judge William Young of Massachusetts rejects the deal. The judge does not say what terms he will accept in a C plea. He feels that would be too close to bargaining. Nonetheless, the judge asks questions and expresses his dislike of a C plea for policy reasons.

A healthcare provider should prepare to answer a crucial question posed directly by the judge. Should the company be allowed to “collapse in disgrace?” Judge Young wonders why not partly because of circumstances of the alleged crime.

The Alleged Crime

With the knowledge of management, the company deceptively marketed a cholesterol medication for a rare genetic disease. These deceptions caused some patients, including elderly and children, to experience adverse reactions. The company netted a gross gain of more than $15.5 million.

Other Specific Concerns

“Most problematic” among his specific concerns is that the deal required restitution only to the government and payors. The deal provided nothing for elderly and children who received wrongfully diagnoses. A healthcare provider should prepare to explain compensation offered to victims who suffered mental and physical harm.

The judge also wants to know

  • Why no presentence report will be prepared. The judge considers this a “complex case” that he wants to understand better.
  • Whether the calculations proposed by the parties for the Sentencing Guidelines are correct. In particular, should upward adjustments be added for sophisticated means and vulnerable victim.
  • What particulars in the company’s finances justify a lower fine amount.
  • Should an external compliance monitor be appointed, even though the internal compliance program is “adequate.

The “Larger Issue”

The judge criticizes the “two-tier criminal justice system.” In his view, corporations strike C pleas “after closed door negotiations” with the government and limited judicial scrutiny. In addition to using arbitration clauses to avoid courtrooms, corporations also obtain “cozy” certainty through C pleas to which the executive branch accedes.

Individuals, on the other hand, do not obtain C pleas. According to the judge, individuals “plead guilty and face a truly independent judge.”

Judge Young finds this system “neither fair nor just.” He takes this position even while acknowledging the parties negotiated in good faith and recognizing “much to commend in the proffered plea.”


Because the judge poses questions without providing answers, time will tell what happens next in the case. However, a prudent healthcare company trying to negotiate a C plea will prepare answers in order to avoid this situation.


House Committee Chairman Asks HHS to Develop Health Care Cyber Risk Plan

Last week, the Chairman on the House of Representatives’ Committee on Energy and Commerce, Greg Walden (R-OR), sent a formal letter to the Dept. of Health and Human Services (“HHS”) requesting that HHS “develop a plan of action for creating, deploying, and leveraging [bill of materials] for health care technologies.” Walden gave HHS until December 15th to respond with a plan of action. This development is important for hospitals and other health care organizations because it could indicate that HHS may begin to prioritize examining (and/or enforcing existing requirements, such as the HIPAA risk analysis provisions in 45 C.F.R. § 164.308(a)(1)), related to the formal processes in which such organizations engage to identify and mitigate potential risks and vulnerabilities.

A bill of materials (“BOM”) is a list of each component, including software components, and any known risks associated with a component of a piece of medical technology.   The idea behind the request is that a BOM could potentially provide visibility on cybersecurity risks for health care organizations that use such technologies. Healthcare organizations, such as hospitals, may then use the BOM to assess and mitigate their own cybersecurity risks.

Citing many recent cybersecurity attacks against both hospitals and medical devices, Walden stated that it is important to elevate “the security posture of health care organizations,” by providing visibility into the products and systems the organization uses. Walden also pointed to similar recommendations made in the recent Health Care Industry Cybersecurity Task Force report and concerns raised by the WannaCry and NotPetya ransomware attacks (both of which we have covered extensively in the past – click here, here and here). Health care organizations will use this increased visibility to “assess their levels of risk and adjust their [cybersecurity risk management] strategies appropriately.” Health care organizations would then use the BOM to assess the risk of medical devices and other pieces of technology on their networks and implement any necessary mitigation strategies.

The natural outcome of greater transparency into risks is the impetus to mitigate the risks. This is important for hospitals and other health care organizations to keep in mind as the outcome of Walden’s request moves through HHS and its related agencies. Medical device manufacturers must already perform systematic risk management activities and keep records of the components that are used in their devices. “Covered Entities” and “Business Associates” subject to the HIPAA Security Rule must likewise conduct risk analyses and periodic evaluations of security efforts (see, for example, 45 C.F.R. §§ 164.308(a)(1) & 164.308(a)(8)). However, managing cybersecurity risks inherent in the interactions between medical devices, the resident IT systems, and operators could prove to be a larger task for health care organizations.

If you have questions about how to identify, evaluate, and manage the cybersecurity risks in your organization, please contact us or your regular SPB contact.

Congress Considering Tax Reform Bills with Major Impacts on Tax-Exempt Organizations

In recent weeks, we’ve highlighted provisions of the House and Senate tax bills that impact tax-exempt bonds.  However, the bills contain other provisions which may have a significant impact on tax-exempt organizations, including hospitals and other tax-exempt health care providers.  Specifically, provisions in the bills regarding charitable giving, tax-favored financing, governance and compensation, political activity, unrelated business taxable income, and others will be of significant importance to tax-exempt entities should either bill be adopted in current or modified form.  Our tax experts have prepared an extensive summary which discusses the relevant provisions in detail.  The summary may be found here.

More Countries Jump on the “Connected Medical Devices Are Risky” Bandwagon

There is an increasingly common recognition that internet-connected medical devices can dramatically improve health outcomes and lower costs, but also create tremendous privacy and cybersecurity risks. In the U.S., the Food and Drug Administration (“FDA”) has already issued substantial guidance regarding device cybersecurity, but other countries are now also jumping on the bandwagon. For example, the French National Agency for Safety of Medicines and Health Products recently announced the creation of a  “temporary specialized scientific committee” on the cybersecurity of medical device software. For more information, check out our blog post on our sister Data Privacy and Cybersecurity Blog – Security & Privacy // Bytes – by clicking here.