The final rules regarding special compensation under 42 U.S.C. § 1395nn, the Physician Self-Referral or Stark Law, go into effect on January 1, 2022 and will require many physician group practices to modify their compensation methodologies, specifically the pooling and distribution of profits for the provision designated health services (“DHS”).

Under the current regulations, a physician in a group practice that relies on the in-office ancillary services exception can be paid a share of overall group profits, so long as that share is determined in a way that is not “directly related to the volume or value of referrals of DHS by the physician.”  The same is true of productivity bonuses based on services that a physician has performed. “A physician in the group practice may be paid a productivity bonus based on services that he or she has personally performed, or services ‘incident to’ such personally performed services, or both, provided that the bonus is not determined in any manner that is directly related to the volume or value of referrals of DHS by the physician (except that the bonus may directly relate to the volume or value of DHS referrals by the physician if the referrals are for services ‘incident to’ the physician’s personally performed services).”

This provision had previously been interpreted to allow “split pool” profit-sharing plans that create pools of DHS-derived profits for different services, in which only certain physicians benefit from certain profit pools.

Effective January 1, 2022, split pooling is no longer permitted.  In the final regulation, which modifies the special compensation rules under 42 C.F.R. §411.352(i), CMS clarifies that “if a group practice wishes to pay shares of overall profits to any of its physicians, it must first aggregate: (1) The entire profits from the entire group; or (2) the entire profits from any component of the group that consists of at least five physicians. Once aggregated, the group practice may choose to retain some of the profits or distribute all of the profits through shares of overall profits paid to its physicians.” Therefore, although a group practice may employ different profit distribution methods for the provision of DHS for each component of the group practice that consists of five or more physicians, the group practice must employ the same method for distributing overall profits to every physician within such a component. It is important to note that although CMS limited the general definition of DHS to “only DHS payable in whole or in part by Medicare” in § 411.351, “overall profits” for the purpose of the special compensation rules for group practices continues to include “the group’s entire profits derived from DHS payable to Medicare or Medicaid.”

Group practices that currently employ the split pool compensation structure for physicians and rely on the in-office ancillary services exception will need to modify their compensation structures to comply with this clarification.

Last week the FDA issued another draft guidance in its series of recent guidance documents setting forth the agency’s views regarding the generation and use of Real-World Data (RWD) and Real-World Evidence (RWE) for prescription drugs and biological products. (see our recent post on FDA’s draft guidance relating to registries).

This latest draft guidance, Considerations for the Use of Real-World Data and Real-World Evidence to Support Regulatory Decision-Making for Drug and Biological Products, clarifies the agency’s expectations for sponsors submitting new drug applications (NDAs) or biologics license applications (BLAs) with studies using Real-World Data (RWD) to support the safety or effectiveness of drugs or biological products, when such studies are not subject to FDA’s investigational new drug (IND) application requirements under 21 CFR Part 312.  The draft guidance focuses on non-interventional (a.k.a. observational) studies, in which patients receive a drug during routine medical practice, according to a medical provider’s clinical judgment and based on patient characteristics, rather than via assignment to a study arm and according to a clinical trial protocol.

Key considerations outlined in the guidance:

• Sponsors designing a non-interventional study to support a marketing application should engage early with the relevant FDA review division (e.g., through a Type C meeting) and be prepared to submit draft protocols and SAPs for FDA feedback before conducting the study analyses.
• To assure the FDA that the results of a non-interventional study were not skewed to favor a particular conclusion, sponsors should provide evidence that the non-interventional study protocol and statistical analysis plan were finalized prior to reviewing outcome data and before performing prespecified analyses. Sponsors should provide a justification for selecting relevant data sources and generate audit trails in their datasets. FDA also recommends that sponsors post their non-interventional study protocols on a publicly available website, such as ClinicalTrials.gov.
• Sponsors must be able to submit patient-level data from the RWD. Where a third party owns or controls the RWD, sponsors should have agreements with such parties to ensure that patient-level data and source data to verify the RWD can be provided to the FDA for inspection, as applicable. Sponsors should have well-documented programming codes and algorithms that would allow the FDA to replicate the study analysis using the same dataset and analytic approach.
• Non-interventional studies should be monitored. The FDA advises sponsors to use a risk-based quality management approach, with a focus on preventing or mitigating important and/or likely risks to study quality.  If a non-interventional study does not include any activities or procedures involving patients, monitoring can focus on assuring the data integrity of the RWD, from extraction to analysis to reporting of results.  When a non-interventional study protocol includes ancillary activities or procedures, sponsors should exercise appropriate oversight of processes critical to human subject protection.
• Adverse events that a sponsor becomes aware of through a non-interventional study must be submitted in accordance with postmarketing safety reporting regulations. However, the agency acknowledges that if a sponsor is conducting a non-interventional study that appropriately utilizes only a subset of a larger dataset, the sponsor will not have to search the entirety of the dataset for adverse events.
• Sponsors should take responsibility for all activities related to the design, conduct and oversight of a non-interventional study that is being submitted for regulatory review. This includes selecting qualified researchers, ensuring the study is conducted in accordance with the protocol, maintaining and retaining adequate study records, and maintaining an electronic system to manage RWD that complies with 21 CFR Part 11. Where a sponsor engages third parties to perform certain study-related tasks, the responsibilities of each organization should be documented and made readily available to the FDA upon request.

Comments on the guidance should be submitted to the docket by March 9, 2022.

Today, developers of innovative medical devices are increasingly utilizing artificial intelligence (AI) and machine learning (ML) technologies to derive important insights with the promise of transforming the delivery of healthcare. Yet, concerns regarding the transparency of AI/ML-enabled devices, or the degree to which information about such devices is communicated to stakeholders, threatens not only perceptions as to the safety and effectiveness of such devices by regulators, but also trust in such technologies from patients and healthcare providers alike.

Read the full article written by Steven Tjoe in PM360 Magazine.

Visit the Goodwin on Medtech hub to stay informed on important developments affecting medtech innovators and investors.

The Department of Justice recently announced the launch of its new Civil Cyber-Fraud Initiative (the “Initiative”) which intends to use the False Claims Act to pursue “cybersecurity-related fraud by government contractors and grant recipients.”

Specifically, the Initiative will target those who:

1. knowingly provide deficient cybersecurity products or services,
2. knowingly misrepresenting their cybersecurity practices or protocols, or
3. knowingly violate obligations to monitor and report cybersecurity incidents and breaches.

This new initiative significantly expands the potential liability of federal contractors and healthcare provider that participate in federal healthcare programs related to data privacy and cybersecurity issues.

False Claims Act

The False Claims Act broadly prohibits anyone from, among other things, knowingly presenting, or “causing to be presented” a false claim for payment if the claim will be paid directly or indirectly by the federal government. The False Claims Act is the government’s main enforcement tool for fighting healthcare fraud, with over $2.2 billion recovered in 2020.  Penalties for False Claims Act violations include three times the actual damages sustained by the government, mandatory civil penalties of between $11,181 and $22,363 for each separate false claim, and attorneys’ fees and costs. Further, the False Claims Act allows whistleblowers to bring lawsuits on behalf of the federal government. Also known as a “qui tam” realtor, a whistleblower who brings a successful qui tam action can receive 15 to 30 percent of the damages the government recovers from the defendants. The ability for an individual within one’s own organization to raise flags with the federal government under the False Claims Act especially heightens risk.

HIPAA

Pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), “covered entities” and their “business associates” are subject to certain obligations and limitation related to their use and disclosure of “protected health information” (“PHI”). Covered entities are health care providers, health plans and health care clearing houses that transmit any information in an electronic form in connection with a transaction for which HHS has adopted standards. A business associate is a person or entity that performs certain services for or functions on behalf of the covered entity that involve the use or disclosure of PHI.  Finally, PHI is any individually identifiable information, including demographic data, that relates to an individual’s past, present or future health or payment for the provision of healthcare.

The obligations imposed on covered entities and business associates under HIPAA  include maintaining and following specific privacy and security policies and procedures regarding access to, use, processing, transfer, storage, and disclosure of PHI and implementing physical, technical, and administrative safeguards to protect the privacy and security of PHI.  In addition, covered entities are required to notify affected individuals, the Department of Health and Human Services, and, for certain larger breaches, the media of data breaches.  Similarly, business associates are required to notify covered entities of data breaches.

Implications

The goal of holding accountable those who “knowingly provide deficient cybersecurity products or services, knowingly misrepresent their cybersecurity practices or protocols, or knowingly violate obligations to monitor and report cybersecurity incidents and breaches” presents particular risk for covered entities and their business associates.

For example, consider a revenue cycle management (“RCM”) company that submits claims on behalf of a healthcare provider (including claims to government payors) that experiences a security incident, conducts a HIPAA risk assessment, and shares that assessment with the Covered Entity customer who determines the RCM company did not implement the necessary physical, technical and administrative safeguards required under HIPAA. Could the customer, the government, or a whistleblower allege that the RCM company knowingly misrepresented its cybersecurity practices or protocols and thereby caused the submission of false claims?

Further, consider an electronic health records company (“EHR”) that is certified by the Office of the National Coordinator who experiences a breach of unsecured PHI, conducts a HIPAA risk assessment and determines it is not obligated to report the breach based on a low risk of compromise in accordance with 45 C.F.R. 164.402. Could the government or a whistleblower allege that the EHR company failed to report a breach and thus caused the submission of false claims by healthcare providers that use its EHR and are able to avoid reductions in Medicare reimbursement by using a certified EHR?

False Claims Act cases are commonly pursued under what is known as the “false certification theory”. A claim is considered false when a claimant “certifies compliance with a statute or regulation as a condition to governmental payment.” The false certification theory considers a claimant’s request for payment as “implied certification” of compliance with said statutes or regulations. Despite the broad implications of the false certification theory, there is some check on the ability of the government or a whistleblower to bring cases on failure to comply with HIPAA through what is known as the materiality requirement under the False Claims Act. In Universal Health Services v. United States ex rel. Escobar, the U.S. Supreme Court held that the government and whistleblowers bear the burden of proving the “rigorous and demanding” materiality requirement under the False Claims Act. The Supreme Court further stated that the False Claims Act is “is not a means of imposing treble damages and other penalties for insignificant regulatory or contractual violations.” Accordingly, the government and whistleblowers must demonstrate that allegedly insufficient technical safeguards or that an alleged failure to report a breach are actually material to the government’s payment decision.

The potential use of the False Claims Act to enforce HIPAA compliance may also change how due diligence is conducted on covered entities who bill government payors and their and business associates. While security incidents are common, the potential for liability under the False Claims Act related to such an incident increases the importance of conducting thorough diligence related to such incidents. The importance of conducting due diligence on a seller’s compliance with HIPAA’s requirements related to administrative, technical, and physical safeguards is also magnified by the potential for liability under the False Claims Act for failure to comply with those requirements.  The risk related to conducting a risk assessment related to a data breach is similarly increased and such assessments should be scrutinized carefully in due diligence.

Showing no signs of food coma, the FDA issued draft guidance on the Monday following the Thanksgiving holiday weekend that outlines considerations for sponsors proposing to design a registry or use an existing registry to support regulatory decision-making about a drug’s effectiveness or safety.  This draft guidance represents the Agency’s latest response to the mandate in the 21^st Century Cures Act to issue guidance on the use of real world evidence in regulatory decision-making, and expands on the Framework for FDA’s Real-World Evidence Program from December 2018.

The draft guidance, Real-World Data: Assessing Registries to Support Regulatory Decision-Making for Drug and Biological Products, defines a registry as “an organized system that collects clinical and other data in a standardized format for a population defined by a particular disease, condition, or exposure,” and identifies three general categories of registries: disease registries, health service registries, and product registries.

Given the range of registry types, FDA notes that registry data can have varying degrees of suitability for use in a regulatory context depending on several factors, including how the data are intended to be used for regulatory purposes, the patient population enrolled, the data collected, and how registry datasets are created, maintained, curated, and analyzed.  FDA advises sponsors to be mindful of both the strengths and limitations of using registries as a source of data to support regulatory decision-making.  In general, the draft guidance advises that (i) a registry that captures objective endpoints, such as death or hospitalization, is more likely to be suitable to support regulatory decision-making than a registry that collects subjective endpoints, such as pain; and (ii) a registry that is specifically designed to answer a particular research question is more likely to be useful to support regulatory decision-making than a registry that was designed for a different purpose.

At the same time, the Agency acknowledges that an existing registry can be used to collect data for purposes other than those originally intended, and that leveraging an existing registry’s infrastructure to support multiple purposes can be efficient.  Therefore, the draft guidance describes factors sponsors can use to assess the relevance and reliability of a registry’s data to determine whether the registry data may be fit-for-use.

When determining relevance of registry data, the draft guidance advises sponsors to consider, among other things, whether the data elements captured by the registry are sufficient given the intended use or uses of the registry (e.g., external control arm vs. a tool to enroll participants in an interventional study) and whether the methods involved in patient selection may have impacted the representativeness of the population in the registry.

When assessing the reliability of registry data, the draft guidance advises sponsors to assure the registry has appropriate governance measures in place to help ensure the registry can meet its objectives, such as processes and procedures governing the operation of the registry, adequate training of staff, and other recommended practices including:

• Defined processes and procedures for data collection, management and storage;
• A data dictionary and rules for validation of queries and edit checks of registry data;
• Conformance with 21 CFR part 11, as applicable, including access controls and audit trails; and
• Adherence to applicable human subject protection requirements, including safeguarding the privacy of patient health information.

The draft guidance specifically recommends that sponsors interested in using a registry to support a regulatory decision should meet with the relevant FDA review division (e.g., through a Type C meeting), before conducting a study that will include registry data.  Sponsors also should be prepared to submit protocols and statistical analysis plans for FDA feedback prior to conducting a study that includes data from registries.

Comments on the guidance should be submitted to the docket by February 28, 2022.

Last week, Diana DeGette (D-CO) and Fred Upton (R-MI) introduced in the House highly anticipated bill language for “Cures 2.0”, a follow-up to the transformational 21^st Century Cures Act enacted in 2016.  For full text of the bill, click here.  The 21^st Century Cures Act included a variety of measures seeking to accelerate medical product development and bring advancements and innovations to patients more efficiently. Cures 2.0 seeks to improve and expand on those strides, as well as address pressing public health priorities that became apparent through the COVID-19 pandemic.

The Cures 2.0 bill is structured around five main topics:

• Title I—Public Health
• Title II—Patients and Caregivers
• Title III—Food and Drug Administration
• Title IV—Centers for Medicare & Medicaid Services
• Title V—Research

While all of these sections are ripe for further analysis, we selected a few provisions to highlight here that may be of particular interest for the pharmaceutical and biotechnology companies out there.  We’ll keep tracking these as the bill moves through the legislative process:

Section 204: Patient Experience Data

• Would require sponsors developing a drug under an IND to collect standardized patient experience data during clinical trials and include that patient experience data “and such related data” in an NDA or BLA; and
• Would direct FDA to consider this patient experience data and “related information” in its approval decision for the NDA or BLA.
• These proposals to standardize and require patient experience data collection could be significant, and they underscore lawmakers’ continued interest in elevating the relevance of clinical outcomes that are meaningful to patients living with a disease or condition.

Section 302: Grants for Novel Trial Designs and Other Innovations in Drug Development & Section 310: Recommendations to Decentralize Clinical Trials

• Section 302 would appropriate $25 million annually, for 3 years, for the FDA to award grants to clinical trials conducted under an IND with protocols incorporating complex adaptive or other novel trial designs and that collect patient experience data. The section further specifies that grant awards should prioritize the incorporation of digital health technologies and real world evidence.
• Section 310 proposes a multi-stakeholder meeting, including industry representatives and patient advocacy groups, to discuss incentives to adopt decentralized clinical trials. The section also would adopt a definition of decentralized trials: “a clinical trial method that includes the use of telemedicine or digital technologies to allow for the remote collection of clinical trial data from subjects, including in the home or office setting.”
• These provisions reflect a sustained emphasis on fostering clinical trial innovation, including building on the experience with remote clinical trials during the COVID-19 pandemic.

Section 304: Increasing Use of Real World Evidence (RWE) & Section 309: Post-Approval Study Requirements for Accelerated Approval

• Section 304 would call for new guidance on the use of RWE in post-market review of drugs that were designated as a breakthrough therapy or fast track product, or considered for accelerated approval. Section 309 would further specify that the post-approval study requirements to verify and describe the clinical benefit for products granted accelerated approval could be satisfied through RWE, including analyses of data in clinical care repositories or patient registries.
• Section 304 also would establish a permanent Real World Evidence Task Force to coordinate programs and activities within the Department of Health and Human Services related to the collection and use of RWE.
• These and other sections of Cures 2.0 share a common theme of enhancing the use of RWE in regulatory decision-making. Although the inherent variability in RWE likely will continue to present challenges to doing so, the signal is clear that legislators would like to see FDA and HHS continue to move forward in this area.

Last week’s introduction of Cures 2.0 and President Biden’s announcement that he will nominate Robert Califf for FDA Commissioner contributed to a newsworthy week for those of us who follow the FDA.  We look forward to seeing how Cures 2.0 develops and how the Agency’s policy priorities unfold in the coming months.

On October 28, a majority of members on the Senate Judiciary Committee voted 15-7 to advance to the full Senate a bipartisan bill that would make a number of amendments to the False Claims Act (“FCA”), including one that would make significant changes to the FCA’s definition of “materiality.” Senator Chuck Grassley of Iowa, who serves as the ranking member of the Judiciary Committee, argued for the materiality amendment, stating that it is intended to correct the “misinterpretations” of the FCA “created by the Escobar court.”

Under the FCA, only a material violation – one that has “a natural tendency to influence, or be capable of influencing, the payment or receipt of money or property by the government” – can form the basis for liability. The Supreme Court in Universal Health Services v. United States ex rel. Escobar stated that the FCA’s materiality standard is “rigorous” and “demanding,” and held that a violation of a particular requirement would likely not be considered material if (for example) the government had actual knowledge of the violation and chose to pay the claim anyway.

The materiality amendment advanced to the full Senate would undo the protections offered by the Escobar ruling, and instead states that “in determining materiality, the decision of the government to forego a refund or pay a claim despite actual knowledge of fraud or falsity shall not be considered dispositive if other reasons exist for the decision of the government with respect to such refund or payment.”

The number of suits filed under the qui tam provisions of the FCA are steadily increasing over the years, with 672 qui tam actions filed in 2020 alone. Should this FCA amendment be enacted, its lowered materiality standard will make it significantly more difficult for defendants in qui tam actions to win motions to dismiss on materiality grounds, or to obtain summary judgment; as a result, many more of these cases will move forward to more expensive and time-consuming stages of litigation.

Health care providers and other health care companies who are the potential defendants in FCA cases already often spend significant resources defending against these claims. While the proposed amendment advanced by the Judiciary Committee last week is intended to reduce fraud and abuse – for example, the amended materiality standard would be particularly important in situations in which the government is aware of fraudulent claims but is unable or unwilling to stop paying for the provision of critical healthcare services; but, it may also have an effect on the overall costs of defending a claim, whether or not meritorious.  We will continue to monitor updates with respect to the FCA and related legislation.

On October 27, 2021, the U.S. Food and Drug Administration (FDA), Health Canada and the United Kingdom’s Medicines and Healthcare products Regulatory Agency (MHRA) issued a set of ten guiding principles meant to aid the development of Good Machine Learning Practice (GMLP).

Artificial intelligence and machine learning (AI/ML) offers the potential to analyze the vast amount of real-world data generated from health care every day to provide transformative insights. These insights can not only help improve individual product design and performance, but also hold the promise of transforming health care.

However, AI/ML technology has unique complexities and considerations. The goal of these guiding principles is to help promote safe, effective, and high-quality medical devices that use AI/ML to best cultivate the future of this rapidly progressing field.

Although not formal or binding, as companies continue to leverage AI/ML in their medical devices, they should remain mindful of each of the ten guiding principles:

1. Leveraging Multi-Disciplinary Expertise Throughout the Total Product Life Cycle

Companies should leverage internal and external multi-disciplinary expertise to ensure they have a thorough understanding of the model’s integration into the clinical workflow, and the desired benefits and associated patient risks, to ensure the safety and effectiveness of the device while serving clinically meaningful needs throughout the product lifecycle.

2. Implementing Good Software Engineering and Security Practices

Companies should implement as part of model design data quality assurance, data management, good software engineering practices, and robust cybersecurity practices.

3. Utilizing Clinical Study Participants and Data Sets that Are Representative of the Intended Patient Population

Companies should ensure that their data collection protocols have sufficient representation of relevant characteristics of the intended patient population, use, and measurement inputs in an adequate sample size in their clinical study and training and test datasets so that results can reasonably be generalized to the population of interest.  Data collection protocols appropriate for the intended patient population may help to identify where the model may underperform and may mitigate bias.

4. Keeping Training Sets and Test Sets Independent

Companies should consider and address all sources of dependence between the training and test datasets, including patient, data acquisition, and site factors to guarantee independence.

5. Selecting Reference Datasets Based Upon Best Available Methods

Companies should use accepted, best available methods for developing a reference dataset, i.e., a reference standard, to ensure clinically relevant and well characterized data are collected (and that the reference’s limitations are understood).  Where available, companies should use accepted reference datasets in model development and testing that promote and demonstrate model robustness and generalizability across the target population.

6. Tailoring Model Design to the Available Data and Reflecting the Intended Use of the Device

Companies should have a solid understanding of the clinical benefits and risks related to the product and utilize this understanding to create clinically meaningful performance goals.  Additionally, companies should ensure the model design is suited to the available data and supports active mitigation of the known risks.

7. Focusing on the Performance of the Human-AI Team

Where the model has a human element, companies should consider human factors and human interpretability of the model outputs.

8. Testing Demonstrates Device Performance during Clinically Relevant Conditions

Companies should develop statistically sound tests and execute them to assess device performance data independent of the training data set. Such assessment should be conducted in clinically relevant conditions with consideration given to the intended use population, important subgroups, clinical environment and use by the Human AI-Team, measurement inputs, and potential confounding factors.

9. Providing Users Clear, Essential Information

Companies should provide users ready access to clear, contextually relevant information that is appropriate for the target audience. Such information includes not only information pertaining to the product’s intended use and indications for use, performance of the model for appropriate subgroups, characteristics of the data used to train and test the model, acceptable inputs, known limitations, user interface interpretation, and clinical workflow integration of the model, but also users should be made aware of device modifications, updates from real-world performance monitoring, the basis for decision-making (when available), and a way to communicate product concerns to the company.

10. Monitoring Deployed Models for Performance and Managing Re-Training Risks

Companies should deploy models that are capable of being monitored in real-world usage with a focus on maintaining or improving safety and performance. Further, when models are trained after deployment, companies should ensure there are appropriate controls in place to manage risks that may impact the safety and performance of the model.

FDA’s expectations with respect to GMLP will continue to advance and become more granular as additional stakeholder input is considered.  The docket for FDA’s GMLP Guiding Principles, FDA-2019-N-1185, is open for public comment.

Visit the Goodwin on Medtech hub to stay informed on important developments affecting medtech innovators and investors.

Telehealth’s exponential growth –in part due to the COVID-19 pandemic – has highlighted both its value in increasing access to care and the potential for misuse. The U.S. Department of Health and Human Services’ Office of Inspector General (OIG) released a report in September 2021 that found many state Medicaid programs do not sufficiently evaluate whether telehealth improves access to care, reduces costs, or boosts the quality of care for Medicaid recipients receiving behavioral health services.  Further, the OIG found that many state Medicaid programs do not provide the appropriate oversight necessary to reduce fraud, waste, and abuse.  In fact, only two (2) states have measured the efficacy of telehealth on access to behavioral health services for Medicaid beneficiaries.  In short, the OIG concludes that more steps should be taken to maintain oversight over telehealth, especially in the behavioral health context.

Background

When it comes to behavioral health services such as mental health assessments and therapy, generally, depending on insurance coverage limitations, telehealth can be used and could be covered.  The OIG report addresses this concept and states: “As the nation confronts the psychological and emotional impact of COVID-19, the use of telehealth will be important in addressing behavioral health needs for Medicaid enrollees.”  However, providers must first understand where the value lies, how best to deliver these services, and how to avoid fraud and abuse; and that begins with monitoring and evaluating telehealth services in the Medicaid program.

OIG Findings

The OIG report found the following:

• A few states (3 of 37) could not identify which telehealth services are even offered to Medicaid beneficiaries. Not being able to identify services provided to Medicaid beneficiaries limits the state’s ability to analyze the effects of telehealth for Medicaid enrollees, monitor and provide oversight specific to telehealth, or detect and prevent fraud.
• Only a few states assessed the impact of telehealth usage on behavioral health services for Medicaid beneficiaries, despite states’ responsibilities to ensure access to care and address quality of care. An accompanying report showed that states described the challenges and limitations of using telehealth to meet the behavioral needs of Medicaid enrollees.  As the reimbursement landscape continues to change and there is an increased shift towards telehealth service offerings to Medicaid beneficiaries, the OIG stated that it is critical for all states to evaluate the impact of telehealth.
• Despite concerns of states about telehealth abuse (e.g., inappropriate billing for delivering both telehealth and in-person services, billing for services not rendered, and billing for services provided from outside the country) and states’ joint responsibility to monitor their Medicaid programs, the OIG report concluded that many states (26 of 37) do not perform adequate monitoring or oversight on telehealth services to detect any fraud, waste, and abuse meaningfully. Because of the virtual nature of telehealth services and the complex regulatory environment, states cannot monitor telehealth services to the same degree as in-person services.  The report also found that several states’ program integrity efforts are insufficient to monitor telehealth.

OIG Recommendations

Because the Centers for Medicare & Medicaid Services (CMS) plays an equally important role in evaluating and overseeing state Medicaid programs, the OIG recommends that CMS work with the three states that are unable to distinguish telehealth from in-person services to ensure implementation of indicators to identify which services are provided via telehealth.  The OIG suggests that CMS conduct evaluations, and support state efforts to evaluate the effects of telehealth on access, cost, and quality of behavioral health services and conduct monitoring for fraud, waste, and abuse.  Furthermore, the OIG encourages CMS to specifically support state efforts to oversee and monitor telehealth for behavioral health services.

Notably, CMS agreed with at least one of OIG’s recommendations; namely, CMS indicated that “it is currently monitoring the impact of the COVID-19 pandemic on behavioral health services delivered via telehealth by managed care organizations and has provided States with a Risk Assessment Template to assist State efforts in identifying and addressing program risks.” Further, CMS stated that “it will consider the results from OIG’s study to develop ways to support State efforts to oversee behavioral health services delivered via telehealth by managed care organizations.”  Whether these efforts from CMS will be sufficient to help the states at issue remains to be seen.

Takeaways

Telehealth providers should be mindful that states may begin to undertake more robust and comprehensive measures to assess and ultimately restrict access to Medicaid funds for telehealth services.  Based on the OIG’s report, we anticipate that, because states are charged with determining how their Medicaid programs cover the use of telehealth, the OIG’s report may trigger more active and meaningful monitoring and oversight of the use of telehealth with Medicaid beneficiaries.  States may also start to more thoroughly evaluate the impact of telehealth on access, quality, and cost.  And, we anticipate that state Medicaid programs will likely undertake more significant analysis as they determine which services will continue to be covered in a post-COVID-19 pandemic world.

Accordingly, providers should heed CMS’s anticipated increased monitoring of behavioral health services delivered via telehealth. Providers receiving state-based healthcare reimbursement, for example, should undertake a risk assessment and remedial steps to ensure that telehealth services provided to Medicaid beneficiaries are in compliance with that state’s telehealth laws.  This includes reviewing credentialing policies to ensure that each healthcare professional is licensed in the state in which the patient is receiving services and that the company is tracking compliance. Further, as a general practice, telehealth providers should verify that the correct Current Procedural Terminology medical codes are utilized when providing behavioral health telehealth services to Medicaid enrollees. Lastly, telehealth providers should confirm that they are properly tracking the effects of their telehealth program on Medicaid beneficiaries to better understand the impact telehealth has on access, cost, and quality.

For emerging companies establishing their first supply chains, ensuring notification requirements in supply agreements for when commercial-stage manufacturing issues arise may not be top of mind. However, it is important for drug developers whose contracts enable continuation of a supply arrangement into the commercial-stage to be familiar with the U.S. Food and Drug Administration’s (FDA’s) field alert reporting (FAR) requirements for new drug application (NDA) and abbreviated new drug application (ANDA) holders to ensure adequate communication between developers and their suppliers.

By way of background, the FAR regulations at 21 C.F.R. §§ 314.81(b)(1) and 314.98(b) require NDA and ANDA holders to notify their FDA field office (using an Form FDA 3331a) within three business days of “receipt” of: (1) information concerning any incident that causes a distributed drug product or its labeling to be mistaken for, or applied to, another article; or (2) information concerning any bacteriological contamination, or any significant chemical, physical, or other change or deterioration in the distributed drug product, or any failure of one or more distributed batches of the drug product to meet the specification established for it in its approved application. In brief, timely notification by suppliers really does matter here and should not extend past one business day if at all possible.

This past summer, the FDA issued final guidance clarifying reporting timelines and the facts and circumstances that trigger submission of FARs. Amongst other things, the FDA clarified that the FAR requirements apply to all products marketed under an NDA or ANDA, including positron emission tomography drugs, designated medical gases, and combination products containing a drug constituent part. However, products that are only marketed abroad pursuant to a foreign approval with non-U.S. labeling are not subject to FDA’s FAR requirements. FDA also clarified that report-triggering events are not limited to active ingredient issues but can also include issues related to inactive ingredients, processing aids, and packaging.

Additional key takeaways include:

• FARs are required even when a problem is identified and corrected within the three business day reporting window.
• FARs are required even when a problem is identified beyond the three business day reporting window; however, a Form FDA 483 finding can result from the failure to submit timely FARs.
• Day “0” for calculation of the three business day reporting window is the day information triggering the report was received, even if received by a third-party contractor or supplier.
• Follow-up or final FARs are recommended but not required if significant new information is received.
• Separate initial FARs are required for a problem impacting drug products covered by multiple applications, but if conducting a single investigation into the issue after submitting the initial FARs, any follow-up can be provided in a single follow-up or final FAR.
• Investigations into issues identified with undistributed products should consider whether those issues may exist in distributed products, triggering a FAR.
• Possible changes or deterioration in distributed products triggering FARs include contamination by bacteria, yeast, mold, virus or other microorganisms.
• Issues leading to recalls do not release an NDA or ANDA holder from FAR reporting responsibility.

Overall, FDA’s FAR requirements necessitate prompt or immediate notification of any information discovered by suppliers that could trigger a FAR for NDA and ANDA holders. For supplier agreement negotiations, requiring prompt or immediate notification of issues in clinical-stage agreements positions a developer well to require the same in the commercial stage when FAR requirements apply. Additionally, in the commercial stage, FARs can prompt unannounced FDA for cause inspections and can also lead to expensive product recalls, so early notification, investigation, and remediation of issues warranting a FAR submission can help minimize potential liability and resource expenditure to remedy any issues that arise.