Today, developers of innovative medical devices are increasingly utilizing artificial intelligence (AI) and machine learning (ML) technologies to derive important insights with the promise of transforming the delivery of healthcare. Yet, concerns regarding the transparency of AI/ML-enabled devices, or the degree to which information about such devices is communicated to stakeholders, threatens not only perceptions as to the safety and effectiveness of such devices by regulators, but also trust in such technologies from patients and healthcare providers alike.

Read the full article written by Steven Tjoe in PM360 Magazine.

The Department of Justice recently announced the launch of its new Civil Cyber-Fraud Initiative (the “Initiative”) which intends to use the False Claims Act to pursue “cybersecurity-related fraud by government contractors and grant recipients.”

Specifically, the Initiative will target those who:

1. knowingly provide deficient cybersecurity products or services,
2. knowingly misrepresenting their cybersecurity practices or protocols, or
3. knowingly violate obligations to monitor and report cybersecurity incidents and breaches.

This new initiative significantly expands the potential liability of federal contractors and healthcare provider that participate in federal healthcare programs related to data privacy and cybersecurity issues.

False Claims Act

The False Claims Act broadly prohibits anyone from, among other things, knowingly presenting, or “causing to be presented” a false claim for payment if the claim will be paid directly or indirectly by the federal government. The False Claims Act is the government’s main enforcement tool for fighting healthcare fraud, with over $2.2 billion recovered in 2020.  Penalties for False Claims Act violations include three times the actual damages sustained by the government, mandatory civil penalties of between $11,181 and $22,363 for each separate false claim, and attorneys’ fees and costs. Further, the False Claims Act allows whistleblowers to bring lawsuits on behalf of the federal government. Also known as a “qui tam” realtor, a whistleblower who brings a successful qui tam action can receive 15 to 30 percent of the damages the government recovers from the defendants. The ability for an individual within one’s own organization to raise flags with the federal government under the False Claims Act especially heightens risk.

HIPAA

Pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), “covered entities” and their “business associates” are subject to certain obligations and limitation related to their use and disclosure of “protected health information” (“PHI”). Covered entities are health care providers, health plans and health care clearing houses that transmit any information in an electronic form in connection with a transaction for which HHS has adopted standards. A business associate is a person or entity that performs certain services for or functions on behalf of the covered entity that involve the use or disclosure of PHI.  Finally, PHI is any individually identifiable information, including demographic data, that relates to an individual’s past, present or future health or payment for the provision of healthcare.

The obligations imposed on covered entities and business associates under HIPAA  include maintaining and following specific privacy and security policies and procedures regarding access to, use, processing, transfer, storage, and disclosure of PHI and implementing physical, technical, and administrative safeguards to protect the privacy and security of PHI.  In addition, covered entities are required to notify affected individuals, the Department of Health and Human Services, and, for certain larger breaches, the media of data breaches.  Similarly, business associates are required to notify covered entities of data breaches.

Implications

The goal of holding accountable those who “knowingly provide deficient cybersecurity products or services, knowingly misrepresent their cybersecurity practices or protocols, or knowingly violate obligations to monitor and report cybersecurity incidents and breaches” presents particular risk for covered entities and their business associates.

For example, consider a revenue cycle management (“RCM”) company that submits claims on behalf of a healthcare provider (including claims to government payors) that experiences a security incident, conducts a HIPAA risk assessment, and shares that assessment with the Covered Entity customer who determines the RCM company did not implement the necessary physical, technical and administrative safeguards required under HIPAA. Could the customer, the government, or a whistleblower allege that the RCM company knowingly misrepresented its cybersecurity practices or protocols and thereby caused the submission of false claims?

Further, consider an electronic health records company (“EHR”) that is certified by the Office of the National Coordinator who experiences a breach of unsecured PHI, conducts a HIPAA risk assessment and determines it is not obligated to report the breach based on a low risk of compromise in accordance with 45 C.F.R. 164.402. Could the government or a whistleblower allege that the EHR company failed to report a breach and thus caused the submission of false claims by healthcare providers that use its EHR and are able to avoid reductions in Medicare reimbursement by using a certified EHR?

False Claims Act cases are commonly pursued under what is known as the “false certification theory”. A claim is considered false when a claimant “certifies compliance with a statute or regulation as a condition to governmental payment.” The false certification theory considers a claimant’s request for payment as “implied certification” of compliance with said statutes or regulations. Despite the broad implications of the false certification theory, there is some check on the ability of the government or a whistleblower to bring cases on failure to comply with HIPAA through what is known as the materiality requirement under the False Claims Act. In Universal Health Services v. United States ex rel. Escobar, the U.S. Supreme Court held that the government and whistleblowers bear the burden of proving the “rigorous and demanding” materiality requirement under the False Claims Act. The Supreme Court further stated that the False Claims Act is “is not a means of imposing treble damages and other penalties for insignificant regulatory or contractual violations.” Accordingly, the government and whistleblowers must demonstrate that allegedly insufficient technical safeguards or that an alleged failure to report a breach are actually material to the government’s payment decision.

The potential use of the False Claims Act to enforce HIPAA compliance may also change how due diligence is conducted on covered entities who bill government payors and their and business associates. While security incidents are common, the potential for liability under the False Claims Act related to such an incident increases the importance of conducting thorough diligence related to such incidents. The importance of conducting due diligence on a seller’s compliance with HIPAA’s requirements related to administrative, technical, and physical safeguards is also magnified by the potential for liability under the False Claims Act for failure to comply with those requirements.  The risk related to conducting a risk assessment related to a data breach is similarly increased and such assessments should be scrutinized carefully in due diligence.

Showing no signs of food coma, the FDA issued draft guidance on the Monday following the Thanksgiving holiday weekend that outlines considerations for sponsors proposing to design a registry or use an existing registry to support regulatory decision-making about a drug’s effectiveness or safety.  This draft guidance represents the Agency’s latest response to the mandate in the 21^st Century Cures Act to issue guidance on the use of real world evidence in regulatory decision-making, and expands on the Framework for FDA’s Real-World Evidence Program from December 2018.

The draft guidance, Real-World Data: Assessing Registries to Support Regulatory Decision-Making for Drug and Biological Products, defines a registry as “an organized system that collects clinical and other data in a standardized format for a population defined by a particular disease, condition, or exposure,” and identifies three general categories of registries: disease registries, health service registries, and product registries.

Given the range of registry types, FDA notes that registry data can have varying degrees of suitability for use in a regulatory context depending on several factors, including how the data are intended to be used for regulatory purposes, the patient population enrolled, the data collected, and how registry datasets are created, maintained, curated, and analyzed.  FDA advises sponsors to be mindful of both the strengths and limitations of using registries as a source of data to support regulatory decision-making.  In general, the draft guidance advises that (i) a registry that captures objective endpoints, such as death or hospitalization, is more likely to be suitable to support regulatory decision-making than a registry that collects subjective endpoints, such as pain; and (ii) a registry that is specifically designed to answer a particular research question is more likely to be useful to support regulatory decision-making than a registry that was designed for a different purpose.

At the same time, the Agency acknowledges that an existing registry can be used to collect data for purposes other than those originally intended, and that leveraging an existing registry’s infrastructure to support multiple purposes can be efficient.  Therefore, the draft guidance describes factors sponsors can use to assess the relevance and reliability of a registry’s data to determine whether the registry data may be fit-for-use.

When determining relevance of registry data, the draft guidance advises sponsors to consider, among other things, whether the data elements captured by the registry are sufficient given the intended use or uses of the registry (e.g., external control arm vs. a tool to enroll participants in an interventional study) and whether the methods involved in patient selection may have impacted the representativeness of the population in the registry.

When assessing the reliability of registry data, the draft guidance advises sponsors to assure the registry has appropriate governance measures in place to help ensure the registry can meet its objectives, such as processes and procedures governing the operation of the registry, adequate training of staff, and other recommended practices including:

• Defined processes and procedures for data collection, management and storage;
• A data dictionary and rules for validation of queries and edit checks of registry data;
• Conformance with 21 CFR part 11, as applicable, including access controls and audit trails; and
• Adherence to applicable human subject protection requirements, including safeguarding the privacy of patient health information.

The draft guidance specifically recommends that sponsors interested in using a registry to support a regulatory decision should meet with the relevant FDA review division (e.g., through a Type C meeting), before conducting a study that will include registry data.  Sponsors also should be prepared to submit protocols and statistical analysis plans for FDA feedback prior to conducting a study that includes data from registries.

Comments on the guidance should be submitted to the docket by February 28, 2022.

Last week, Diana DeGette (D-CO) and Fred Upton (R-MI) introduced in the House highly anticipated bill language for “Cures 2.0”, a follow-up to the transformational 21^st Century Cures Act enacted in 2016.  For full text of the bill, click here.  The 21^st Century Cures Act included a variety of measures seeking to accelerate medical product development and bring advancements and innovations to patients more efficiently. Cures 2.0 seeks to improve and expand on those strides, as well as address pressing public health priorities that became apparent through the COVID-19 pandemic.

The Cures 2.0 bill is structured around five main topics:

• Title I—Public Health
• Title II—Patients and Caregivers
• Title III—Food and Drug Administration
• Title IV—Centers for Medicare & Medicaid Services
• Title V—Research

While all of these sections are ripe for further analysis, we selected a few provisions to highlight here that may be of particular interest for the pharmaceutical and biotechnology companies out there.  We’ll keep tracking these as the bill moves through the legislative process:

Section 204: Patient Experience Data

• Would require sponsors developing a drug under an IND to collect standardized patient experience data during clinical trials and include that patient experience data “and such related data” in an NDA or BLA; and
• Would direct FDA to consider this patient experience data and “related information” in its approval decision for the NDA or BLA.
• These proposals to standardize and require patient experience data collection could be significant, and they underscore lawmakers’ continued interest in elevating the relevance of clinical outcomes that are meaningful to patients living with a disease or condition.

Section 302: Grants for Novel Trial Designs and Other Innovations in Drug Development & Section 310: Recommendations to Decentralize Clinical Trials

• Section 302 would appropriate $25 million annually, for 3 years, for the FDA to award grants to clinical trials conducted under an IND with protocols incorporating complex adaptive or other novel trial designs and that collect patient experience data. The section further specifies that grant awards should prioritize the incorporation of digital health technologies and real world evidence.
• Section 310 proposes a multi-stakeholder meeting, including industry representatives and patient advocacy groups, to discuss incentives to adopt decentralized clinical trials. The section also would adopt a definition of decentralized trials: “a clinical trial method that includes the use of telemedicine or digital technologies to allow for the remote collection of clinical trial data from subjects, including in the home or office setting.”
• These provisions reflect a sustained emphasis on fostering clinical trial innovation, including building on the experience with remote clinical trials during the COVID-19 pandemic.

Section 304: Increasing Use of Real World Evidence (RWE) & Section 309: Post-Approval Study Requirements for Accelerated Approval

• Section 304 would call for new guidance on the use of RWE in post-market review of drugs that were designated as a breakthrough therapy or fast track product, or considered for accelerated approval. Section 309 would further specify that the post-approval study requirements to verify and describe the clinical benefit for products granted accelerated approval could be satisfied through RWE, including analyses of data in clinical care repositories or patient registries.
• Section 304 also would establish a permanent Real World Evidence Task Force to coordinate programs and activities within the Department of Health and Human Services related to the collection and use of RWE.
• These and other sections of Cures 2.0 share a common theme of enhancing the use of RWE in regulatory decision-making. Although the inherent variability in RWE likely will continue to present challenges to doing so, the signal is clear that legislators would like to see FDA and HHS continue to move forward in this area.

Last week’s introduction of Cures 2.0 and President Biden’s announcement that he will nominate Robert Califf for FDA Commissioner contributed to a newsworthy week for those of us who follow the FDA.  We look forward to seeing how Cures 2.0 develops and how the Agency’s policy priorities unfold in the coming months.

On October 28, a majority of members on the Senate Judiciary Committee voted 15-7 to advance to the full Senate a bipartisan bill that would make a number of amendments to the False Claims Act (“FCA”), including one that would make significant changes to the FCA’s definition of “materiality.” Senator Chuck Grassley of Iowa, who serves as the ranking member of the Judiciary Committee, argued for the materiality amendment, stating that it is intended to correct the “misinterpretations” of the FCA “created by the Escobar court.”

Under the FCA, only a material violation – one that has “a natural tendency to influence, or be capable of influencing, the payment or receipt of money or property by the government” – can form the basis for liability. The Supreme Court in Universal Health Services v. United States ex rel. Escobar stated that the FCA’s materiality standard is “rigorous” and “demanding,” and held that a violation of a particular requirement would likely not be considered material if (for example) the government had actual knowledge of the violation and chose to pay the claim anyway.

The materiality amendment advanced to the full Senate would undo the protections offered by the Escobar ruling, and instead states that “in determining materiality, the decision of the government to forego a refund or pay a claim despite actual knowledge of fraud or falsity shall not be considered dispositive if other reasons exist for the decision of the government with respect to such refund or payment.”

The number of suits filed under the qui tam provisions of the FCA are steadily increasing over the years, with 672 qui tam actions filed in 2020 alone. Should this FCA amendment be enacted, its lowered materiality standard will make it significantly more difficult for defendants in qui tam actions to win motions to dismiss on materiality grounds, or to obtain summary judgment; as a result, many more of these cases will move forward to more expensive and time-consuming stages of litigation.

Health care providers and other health care companies who are the potential defendants in FCA cases already often spend significant resources defending against these claims. While the proposed amendment advanced by the Judiciary Committee last week is intended to reduce fraud and abuse – for example, the amended materiality standard would be particularly important in situations in which the government is aware of fraudulent claims but is unable or unwilling to stop paying for the provision of critical healthcare services; but, it may also have an effect on the overall costs of defending a claim, whether or not meritorious.  We will continue to monitor updates with respect to the FCA and related legislation.

On October 27, 2021, the U.S. Food and Drug Administration (FDA), Health Canada and the United Kingdom’s Medicines and Healthcare products Regulatory Agency (MHRA) issued a set of ten guiding principles meant to aid the development of Good Machine Learning Practice (GMLP).

Artificial intelligence and machine learning (AI/ML) offers the potential to analyze the vast amount of real-world data generated from health care every day to provide transformative insights. These insights can not only help improve individual product design and performance, but also hold the promise of transforming health care.

However, AI/ML technology has unique complexities and considerations. The goal of these guiding principles is to help promote safe, effective, and high-quality medical devices that use AI/ML to best cultivate the future of this rapidly progressing field.

Although not formal or binding, as companies continue to leverage AI/ML in their medical devices, they should remain mindful of each of the ten guiding principles:

1. Leveraging Multi-Disciplinary Expertise Throughout the Total Product Life Cycle

Companies should leverage internal and external multi-disciplinary expertise to ensure they have a thorough understanding of the model’s integration into the clinical workflow, and the desired benefits and associated patient risks, to ensure the safety and effectiveness of the device while serving clinically meaningful needs throughout the product lifecycle.

2. Implementing Good Software Engineering and Security Practices

Companies should implement as part of model design data quality assurance, data management, good software engineering practices, and robust cybersecurity practices.

3. Utilizing Clinical Study Participants and Data Sets that Are Representative of the Intended Patient Population

Companies should ensure that their data collection protocols have sufficient representation of relevant characteristics of the intended patient population, use, and measurement inputs in an adequate sample size in their clinical study and training and test datasets so that results can reasonably be generalized to the population of interest.  Data collection protocols appropriate for the intended patient population may help to identify where the model may underperform and may mitigate bias.

4. Keeping Training Sets and Test Sets Independent

Companies should consider and address all sources of dependence between the training and test datasets, including patient, data acquisition, and site factors to guarantee independence.

5. Selecting Reference Datasets Based Upon Best Available Methods

Companies should use accepted, best available methods for developing a reference dataset, i.e., a reference standard, to ensure clinically relevant and well characterized data are collected (and that the reference’s limitations are understood).  Where available, companies should use accepted reference datasets in model development and testing that promote and demonstrate model robustness and generalizability across the target population.

6. Tailoring Model Design to the Available Data and Reflecting the Intended Use of the Device

Companies should have a solid understanding of the clinical benefits and risks related to the product and utilize this understanding to create clinically meaningful performance goals.  Additionally, companies should ensure the model design is suited to the available data and supports active mitigation of the known risks.

7. Focusing on the Performance of the Human-AI Team

Where the model has a human element, companies should consider human factors and human interpretability of the model outputs.

8. Testing Demonstrates Device Performance during Clinically Relevant Conditions

Companies should develop statistically sound tests and execute them to assess device performance data independent of the training data set. Such assessment should be conducted in clinically relevant conditions with consideration given to the intended use population, important subgroups, clinical environment and use by the Human AI-Team, measurement inputs, and potential confounding factors.

9. Providing Users Clear, Essential Information

Companies should provide users ready access to clear, contextually relevant information that is appropriate for the target audience. Such information includes not only information pertaining to the product’s intended use and indications for use, performance of the model for appropriate subgroups, characteristics of the data used to train and test the model, acceptable inputs, known limitations, user interface interpretation, and clinical workflow integration of the model, but also users should be made aware of device modifications, updates from real-world performance monitoring, the basis for decision-making (when available), and a way to communicate product concerns to the company.

10. Monitoring Deployed Models for Performance and Managing Re-Training Risks

Companies should deploy models that are capable of being monitored in real-world usage with a focus on maintaining or improving safety and performance. Further, when models are trained after deployment, companies should ensure there are appropriate controls in place to manage risks that may impact the safety and performance of the model.

FDA’s expectations with respect to GMLP will continue to advance and become more granular as additional stakeholder input is considered.  The docket for FDA’s GMLP Guiding Principles, FDA-2019-N-1185, is open for public comment.

Telehealth’s exponential growth –in part due to the COVID-19 pandemic – has highlighted both its value in increasing access to care and the potential for misuse. The U.S. Department of Health and Human Services’ Office of Inspector General (OIG) released a report in September 2021 that found many state Medicaid programs do not sufficiently evaluate whether telehealth improves access to care, reduces costs, or boosts the quality of care for Medicaid recipients receiving behavioral health services.  Further, the OIG found that many state Medicaid programs do not provide the appropriate oversight necessary to reduce fraud, waste, and abuse.  In fact, only two (2) states have measured the efficacy of telehealth on access to behavioral health services for Medicaid beneficiaries.  In short, the OIG concludes that more steps should be taken to maintain oversight over telehealth, especially in the behavioral health context.

Background

When it comes to behavioral health services such as mental health assessments and therapy, generally, depending on insurance coverage limitations, telehealth can be used and could be covered.  The OIG report addresses this concept and states: “As the nation confronts the psychological and emotional impact of COVID-19, the use of telehealth will be important in addressing behavioral health needs for Medicaid enrollees.”  However, providers must first understand where the value lies, how best to deliver these services, and how to avoid fraud and abuse; and that begins with monitoring and evaluating telehealth services in the Medicaid program.

OIG Findings

The OIG report found the following:

• A few states (3 of 37) could not identify which telehealth services are even offered to Medicaid beneficiaries. Not being able to identify services provided to Medicaid beneficiaries limits the state’s ability to analyze the effects of telehealth for Medicaid enrollees, monitor and provide oversight specific to telehealth, or detect and prevent fraud.
• Only a few states assessed the impact of telehealth usage on behavioral health services for Medicaid beneficiaries, despite states’ responsibilities to ensure access to care and address quality of care. An accompanying report showed that states described the challenges and limitations of using telehealth to meet the behavioral needs of Medicaid enrollees.  As the reimbursement landscape continues to change and there is an increased shift towards telehealth service offerings to Medicaid beneficiaries, the OIG stated that it is critical for all states to evaluate the impact of telehealth.
• Despite concerns of states about telehealth abuse (e.g., inappropriate billing for delivering both telehealth and in-person services, billing for services not rendered, and billing for services provided from outside the country) and states’ joint responsibility to monitor their Medicaid programs, the OIG report concluded that many states (26 of 37) do not perform adequate monitoring or oversight on telehealth services to detect any fraud, waste, and abuse meaningfully. Because of the virtual nature of telehealth services and the complex regulatory environment, states cannot monitor telehealth services to the same degree as in-person services.  The report also found that several states’ program integrity efforts are insufficient to monitor telehealth.

OIG Recommendations

Because the Centers for Medicare & Medicaid Services (CMS) plays an equally important role in evaluating and overseeing state Medicaid programs, the OIG recommends that CMS work with the three states that are unable to distinguish telehealth from in-person services to ensure implementation of indicators to identify which services are provided via telehealth.  The OIG suggests that CMS conduct evaluations, and support state efforts to evaluate the effects of telehealth on access, cost, and quality of behavioral health services and conduct monitoring for fraud, waste, and abuse.  Furthermore, the OIG encourages CMS to specifically support state efforts to oversee and monitor telehealth for behavioral health services.

Notably, CMS agreed with at least one of OIG’s recommendations; namely, CMS indicated that “it is currently monitoring the impact of the COVID-19 pandemic on behavioral health services delivered via telehealth by managed care organizations and has provided States with a Risk Assessment Template to assist State efforts in identifying and addressing program risks.” Further, CMS stated that “it will consider the results from OIG’s study to develop ways to support State efforts to oversee behavioral health services delivered via telehealth by managed care organizations.”  Whether these efforts from CMS will be sufficient to help the states at issue remains to be seen.

Takeaways

Telehealth providers should be mindful that states may begin to undertake more robust and comprehensive measures to assess and ultimately restrict access to Medicaid funds for telehealth services.  Based on the OIG’s report, we anticipate that, because states are charged with determining how their Medicaid programs cover the use of telehealth, the OIG’s report may trigger more active and meaningful monitoring and oversight of the use of telehealth with Medicaid beneficiaries.  States may also start to more thoroughly evaluate the impact of telehealth on access, quality, and cost.  And, we anticipate that state Medicaid programs will likely undertake more significant analysis as they determine which services will continue to be covered in a post-COVID-19 pandemic world.

Accordingly, providers should heed CMS’s anticipated increased monitoring of behavioral health services delivered via telehealth. Providers receiving state-based healthcare reimbursement, for example, should undertake a risk assessment and remedial steps to ensure that telehealth services provided to Medicaid beneficiaries are in compliance with that state’s telehealth laws.  This includes reviewing credentialing policies to ensure that each healthcare professional is licensed in the state in which the patient is receiving services and that the company is tracking compliance. Further, as a general practice, telehealth providers should verify that the correct Current Procedural Terminology medical codes are utilized when providing behavioral health telehealth services to Medicaid enrollees. Lastly, telehealth providers should confirm that they are properly tracking the effects of their telehealth program on Medicaid beneficiaries to better understand the impact telehealth has on access, cost, and quality.

For emerging companies establishing their first supply chains, ensuring notification requirements in supply agreements for when commercial-stage manufacturing issues arise may not be top of mind. However, it is important for drug developers whose contracts enable continuation of a supply arrangement into the commercial-stage to be familiar with the U.S. Food and Drug Administration’s (FDA’s) field alert reporting (FAR) requirements for new drug application (NDA) and abbreviated new drug application (ANDA) holders to ensure adequate communication between developers and their suppliers.

By way of background, the FAR regulations at 21 C.F.R. §§ 314.81(b)(1) and 314.98(b) require NDA and ANDA holders to notify their FDA field office (using an Form FDA 3331a) within three business days of “receipt” of: (1) information concerning any incident that causes a distributed drug product or its labeling to be mistaken for, or applied to, another article; or (2) information concerning any bacteriological contamination, or any significant chemical, physical, or other change or deterioration in the distributed drug product, or any failure of one or more distributed batches of the drug product to meet the specification established for it in its approved application. In brief, timely notification by suppliers really does matter here and should not extend past one business day if at all possible.

This past summer, the FDA issued final guidance clarifying reporting timelines and the facts and circumstances that trigger submission of FARs. Amongst other things, the FDA clarified that the FAR requirements apply to all products marketed under an NDA or ANDA, including positron emission tomography drugs, designated medical gases, and combination products containing a drug constituent part. However, products that are only marketed abroad pursuant to a foreign approval with non-U.S. labeling are not subject to FDA’s FAR requirements. FDA also clarified that report-triggering events are not limited to active ingredient issues but can also include issues related to inactive ingredients, processing aids, and packaging.

Additional key takeaways include:

• FARs are required even when a problem is identified and corrected within the three business day reporting window.
• FARs are required even when a problem is identified beyond the three business day reporting window; however, a Form FDA 483 finding can result from the failure to submit timely FARs.
• Day “0” for calculation of the three business day reporting window is the day information triggering the report was received, even if received by a third-party contractor or supplier.
• Follow-up or final FARs are recommended but not required if significant new information is received.
• Separate initial FARs are required for a problem impacting drug products covered by multiple applications, but if conducting a single investigation into the issue after submitting the initial FARs, any follow-up can be provided in a single follow-up or final FAR.
• Investigations into issues identified with undistributed products should consider whether those issues may exist in distributed products, triggering a FAR.
• Possible changes or deterioration in distributed products triggering FARs include contamination by bacteria, yeast, mold, virus or other microorganisms.
• Issues leading to recalls do not release an NDA or ANDA holder from FAR reporting responsibility.

Overall, FDA’s FAR requirements necessitate prompt or immediate notification of any information discovered by suppliers that could trigger a FAR for NDA and ANDA holders. For supplier agreement negotiations, requiring prompt or immediate notification of issues in clinical-stage agreements positions a developer well to require the same in the commercial stage when FAR requirements apply. Additionally, in the commercial stage, FARs can prompt unannounced FDA for cause inspections and can also lead to expensive product recalls, so early notification, investigation, and remediation of issues warranting a FAR submission can help minimize potential liability and resource expenditure to remedy any issues that arise.

In 2016, states began passing pharmaceutical price reporting laws.  These laws are designed to bring transparency to a pharmaceutical manufacturer’s drug pricing process by requiring drug manufacturers to report pricing and other information related to the cost, development, and sale of drugs.  By October 2021, approximately twenty states have passed or are implementing transparency laws.  While many of these laws are applicable to drug manufacturers, pharmacy benefit managers, and health carriers, recent enforcement of these laws has focused only on drug manufacturers.

Each state has its own set of unique requirements that drug manufacturers must meet in order to distribute drugs within each individual state.  Reporting is often completed via an online portal administered by the state’s implementing agency.  Some states will use this submitted data to produce public reports about the cost of prescription drugs with a goal of educating the state legislature and the public about the cost of drugs and to provide accountability for increased prices.

Enforcement of these state reporting laws is beginning to take shape as states pass legislation and implement administrative guidance – the majority of which provide for civil or administrative penalties.  Enforcement authorities typically assess fines for each day a manufacturer is in violation and may increase penalties the longer the violation persists.  Additionally, the appeals process for any enforcement action typically follows either a prescribed process codified by the state law or defaults to the appeals process under the state’s administrative procedure act.

Accordingly, pharmaceutical manufacturers will need to be vigilant as more sates pass and implement drug transparency laws. These laws require different reporting deadlines, the reporting of different information, disclosures based on different dollar thresholds, and have different requirements and processes for protecting confidential information and trade secrets.  For the latest developments in this area, please see Goodwin’s recent client alert.  For an in-depth analysis of these laws, please see our publication, State Drug Transparency Laws: Considerations for Pharmaceutical Manufacturers, in Chapter 8 of the American Health Law Association’s  2021 edition of Health Law Watch.

Laboratory tests play a critical part of the healthcare system.  Ordering and billing for these tests, however, is not always cut-and-dry.  Compliance with federal laws and rules (like the Clinical Laboratory Improvement Amendments (CLIA), the Anti-Kickback Statute (AKS), and the Eliminating Kickbacks in Recovery Act (EKRA) – not to mention Medicare billing requirements is essential.  but, laboratory testing companies and physician practice groups must also pay attention to an array of state laws and regulations that place restrictions on which parties can bill for laboratory tests and for how much, among other requirements.  These laws are important, as they can dictate significantly how, where, and with which entities laboratory testing companies do business.  These laws can also have a significant impact on how physicians can order critical tests for their patients.

As laboratories and medical groups continue expand nationally, and the trend in mail-order laboratory testing, spurred by the COVID-19 pandemic, continues, it is important for both laboratories and practice groups not to overlook compliance with applicable state laws and regulations, including states’ direct billing, anti-mark-up, and disclosure laws.

What tests are at issue?

State laws regarding laboratory billing practices are focused on “anatomic pathology services.”  This could include, for example, cytology, molecular pathology, hematopathology, histopathology, surgical pathology, and blood banking services performed by a pathologist.  Put another way, state laws focused on billing for laboratory tests are concerned with those procedures that diagnose disease based on the macroscopic, microscopic, biochemical, and immunologic and molecular examination of organs and tissues.

Hypothetical Example:  Patient Smith visits Dr. Jorgensen, a dermatologist.  Dr. Jorgensen seeks to biopsy a suspicious mole that she spots when Patient Smith visits.  Dr. Jorgensen’s practice group does not have an in-house laboratory with the capabilities needed to run the relevant pathology test.  Dr. Jorgensen regularly sends tissue samples for processing to Oncology Lab LLC, a nationwide provider of pathology testing services for dermatologists and other specialists.  Oncology Lab receives the tissue sample, conducts the relevant testing, and returns the test results to Dr. Jorgensen’s office to deliver to the patient.  Oncology Lab charges $100 per test.

In the hypothetical above, for example, the referring physician and the lab that runs the test are both subject to a series of laws and about who can bill for these tests, who can pay for the tests, and how much can be charged, all depending upon where Dr. Jorgensen, Patient Smith, and Oncology Lab LLC are located.  These state direct billing laws, anti-markup laws, and disclosure laws, apply regardless of whether the test is paid or covered by government insurance, commercial insurance, or the patient directly on a cash pay basis.

Direct Bill Laws

Many states have so-called “direct billing” laws that require the laboratory that performed the anatomic pathology services must bill the patient (or the patient’s payor, or a limited set of other individuals or entities) for the test.  According to the College of American Pathologists (“CAP”), the idea is that “payment for anatomic and clinical pathology services should be made only to the person or entity who performed or supervised the service.”   The purpose of these laws is to prohibit so-called “pass-through billing” or “client billing,” under which a laboratory bills the practice group that ordered the test, and the practice group then in turn bills the patient.

Under a direct billing model, the treating physician is not incentivized to order additional or unnecessary testing or to refer patients to one specific laboratory over another, simply on the basis of the amount of profit the treating physician might earn.  Rather, the physician orders the tests that the patient needs, the laboratory runs the tests, and the laboratory bills the patient or payor for the tests.  Direct billing, according to CAP, helps make certain that quality – as opposed to financial considerations – influence the physician’s selection of a pathology services laboratory.

Under a pass-through or client billing model, the treating physician can score an extra profit by charging the patient for the full price of the laboratory service that the physician received at a discount. This practice may also incentivize health care providers to choose certain laboratories (i.e., lower quality laboratories charging lower fees) or order certain laboratory tests (i.e., to increase profits) – both of which are not in the best interest of the patient.

Because of the perverse incentives, and the potential effect on quality of care, many states prohibit pass-through or client billing and mandate direct billing as the only acceptable pathology services billing practice. In fact, the pass-though billing prohibition under California law was spurred by a September 2005 Wall Street Journal article, titled How Some Doctors Turn a $79 Profit from a $30 Test. The article describes startling studies indicating that “physicians are more likely to order services for patients if they have a financial incentive.” An author of one such study by the Center for Health Policy, described in the article, stated that pass-through laboratory testing “appears to be done exclusively to earn more revenue and increase profits.”

For example, California law states, “A [licensed health care provider] shall not charge, bill, or otherwise solicit payment, directly or indirectly, for anatomic pathology services if those services were not actually rendered by that person or under his or her direct supervision.” [Cal. Bus. & Prof. Code § 655.7(a)(1).] New York law similarly restricts billing of clinical laboratory services to the “recipient of the services, such recipient being the person upon whom the clinical services have been or will be rendered.” [N.Y.P.H.L. § Sec. 586(1).]

Why Care?

First, state laws vary – while some states are only focused on tests that require the use of a pathologist to read the results, many other tests are not.  Most states indicate that a laboratory can bill a patient, the patient’s payor, a patient’s representative, a patient’s employer or health plan, a patient’s union, or a relevant government agency; some states permit a laboratory to bill a health care facility or hospital for a pathology test; other states (like Maryland) appear to prohibit it.  Similarly, some states’ laws apply where the patient is located, some apply where the provider who ordered the test is located, and others could even apply where the lab is located.  Put another way, laboratories that operate in multiple states need to clearly understand the rules in all of their states of operation and may need to adjust and modify their practices accordingly.  There is a potential lack of consistency across states that can create disruption and require complicated and administratively burdensome internal policies and practices.

Second, not all physicians may understand how direct billing works, especially when they order expensive laboratory tests for their patients.  Some practice groups include billing for lab tests as part of their financial projections; however, direct bill laws may prohibit this practice and mandate that the laboratory that performed the test bills the patient directly.  By failing to account for whether an entity is in a direct bill state or not, their financial projections may fall flat.

At the federal level, Medicare rules clearly require direct billing for outpatient hospital laboratory services – i.e., in order to receive Medicare reimbursement for a laboratory test, the laboratory must bill the patient or the payor directly – and pass-through billing is prohibited.  However, physicians may be reimbursed for clinical laboratories services performed by third party laboratories so long as certain disclosures are made to Medicare. [45 C.F.R. § 405.515.] This adds yet another layer of complication for laboratory testing companies and for practice groups, as a patient’s status as a Medicare beneficiary must be factored into account.

Hypothetical Example:  In a state with a direct billing requirement, Oncology Lab must bill Patient Smith (or Patient Smith’s insurance company or other relevant payor) the $100 for the cost of the mole biopsy test.

Anti-Markup Laws

A second type of law that applies to pathology testing services is the so-called “anti-markup” law.  Anti-markup laws might technically permit a lab to bill a physician practice group for a test performed.  But, these laws also prohibit the physician practice group from charging a patient or the patient’s payor any more than the amount the group paid to the lab.

At a national level, Medicare has a similar anti-markup rule, prohibiting physicians and practice groups from marking up the cost of purchased laboratory tests.  The idea is “that allowing physician group practices or other suppliers to purchase or otherwise contract for the provision of diagnostic tests and then to realize a profit when billing Medicare may lead to patient and program abuse in the form of over utilization of services and result in higher costs to the Medicare program.” [71 Fed.Reg. 69624, 69688.]

Why Care?

First, and again, state laws vary.  Therefore, laboratory companies’ business plans must vary by state and may not be subject only to the federal Anti-Markup Rule.  Second, physician practice groups seeking to turn a profit on laboratory tests ordered from outside labs could easily run afoul of these state requirements.  States that prohibit marking up laboratory services include like California, Michigan, and Oregon, as follows:

• Bus. & Prof. Code § 655.5(c). “It is also unlawful for any person licensed under this division or under any initiative act referred to in this division to charge additional charges for any clinical laboratory service that is not actually rendered by the licensee to the patient and itemized in the charge, bill, or other solicitation of payment…”
• Michigan, Comp. Laws Ann. § 445.161(1). “A person licensed to practice medicine by an agency of the department of licensing and regulation, a hospital, agency or any other entity billing patients or third parties for laboratory work, shall not bill a patient for laboratory work performed by a clinical laboratory for any amount in excess of the amount billed by the clinical laboratory to the licensed person for such services.”
• R.S. § 676.310(1). “…However, a practitioner shall not mark up, or charge a commission or make a profit on services rendered by an independent person or laboratory.”

Penalties for violation of state anti-markup rules include imprisonment for up to one year and/or fines ranging from $500 up to $10,000 – and may include reprimand by the state medical board.

Failing to comply with Anti-Markup Rule may also mean a violation of the federal Anti-Kickback Statute (AKS) and/or the Stark Law. Penalties for violating AKS include incarceration, exclusion from federal health care programs, and civil monetary penalties of $11,803 to $23,607 per claim, plus three times the amount of damages.

Hypothetical Example:  In a state with an anti-markup rule and no direct bill rule, Oncology Lab may be able to bill Dr. Jorgensen for the $100 cost of the mole biopsy test.  Dr. Jorgensen can then pass the test’s charge through to the patient; however, Dr. Jorgensen cannot charge the patient more than $100.

Disclosure Laws

A third type of state law governs the ordering of pathology testing services:  disclosure laws.  Disclosure laws do not technically prohibit labs from billing physician practice groups, and they also do not technically prohibit practice groups from marking up laboratory test prices.  Instead, these laws require that a physician practice that purchases a test from a laboratory (and passes the cost of such test along to the patient) must disclose the price that the physician paid for the test to the patient and the applicable non-federal third-party payors. These laws do not ban markups for laboratory services, so long as the markup is disclosed. States with disclosure laws include but are not limited to, Arizona, Pennsylvania, and Texas, as follows:

• Stat. Sec. 36-472(B). “The bill to the patient shall specify the actual charge by the reference laboratory together with the reasonable specimen collection charge by the referring laboratory or physician.”
• Admin. Code § 5.48. “A notification of charges for laboratory tests performed for the patient shall be sent to the patient by the clinical laboratory unless the patient has been billed directly or otherwise notified of the charges by the laboratory.”
• Health & Saf. Code § 161.061. “(a) A person licensed in this state to practice medicine, dentistry, podiatry, veterinary medicine, or chiropractic may not agree with a clinical, bioanalytical, or hospital laboratory to make payments to the laboratory for individual tests, combinations of tests, or test series for a patient unless:

1. 1. the person discloses on the bill or statement to the patient or to a third party payor the name and address of the laboratory and the net amount paid to or to be paid to the laboratory; or
   2. discloses in writing on request to the patient or third party payor the net amount.

(b)The disclosure permitted by Subsection (a)(2) must show the charge for the laboratory test or test series and may include an explanation, in net dollar amounts or percentages, of the charge from the laboratory, the charge for handling, and an interpretation charge.”

Why Care?

Importantly, physician practice groups need to be aware when they are operating in a disclosure state so that their billing and invoicing systems are appropriately calibrated to include any lab testing costs.

In addition, we often think of the federal ban on pass-through billing and the federal anti-markup rule, but laboratories, hospitals, and physician practice groups that order lab tests from outside labs should be aware of and make sure their practices comply with this complicated web of state requirements.  Providers may be using one compliance model to comply with federal laws in connection with federal health care programs, but such model may violate applicable state laws.

Hypothetical Example:  In a state with a simple disclosure requirement, Oncology Lab could submit a bill to Dr. Jorgensen (instead of Patient Smith); however, when Dr. Jorgensen bills Patient Smith for the test, the physician must also disclose that she paid Oncology Lab $100 for the test.

Nationwide telehealth groups and digital health providers ordering tests for patients located in different states or hospitals, laboratories, or physician groups ordering laboratory tests from outside their home state, may also prefer a one-size fits all model; however, this might require tailoring all operations to fit the strictest regime of no pass-through billing or markups across the board.  Other providers – particularly those that are more local or regional in nature – might find it more feasible to have a state-by-state model with laboratory billing policies and procedures tailored to each state.  Further, Medicare providers may find it easiest and most efficient to implement Medicare markup restrictions for all laboratory billing, including cash pay and commercial patients.

*          *          *          *          *

As depicted above, states vary widely on their regulation of laboratories and violations of state law may trigger not only civil penalties but criminal prosecution as well.  Laboratory testing companies and physician practice groups should pay particular attention to their policies and compliance programs, which must be crafted to account for these additional complexities.  In addition, existing laboratories and physician practice groups should analyze and update their compliance policies to ensure that they are aligned with existing state and federal requirements.

For questions regarding current laboratory compliance with federal and state laws or for questions related to expansion and compliance concerns, please reach out to Anne Brendel at abrendel@goodwinlaw.com or Matt Wetzel at mwetzel@goodwinlaw.com.