The federal government has declared that the COVID-19 Public Health Emergency (PHE) expires on 5/11/23. Many things will occur on that day which I will endeavor to write about in the coming days. I have many clients and colleagues concerned with rules governing telehealth, so I will focus in my first posting for HLO on what may happen to the rules for tele-prescribing controlled substances post-PHE. The DEA and HHS jointly proposed rules early in 2023, largely characterized by institutional providers as burdensome and hindering access to care. The sponsoring agencies interpreted the responses to be overwhelmingly in opposition to the proposed rules, and so the proposed rules were abandoned. The Ryan Haight Act of 2008 established the requirement that a practitioner prescribing controlled substances via the internet must have conducted at least one in-person medical evaluation of the patient, but the option the statute provided of a special registration requirement for telehealth-limited prescribers was also dismissed as too limited. DEA and HHS have now offered a Temporary Rule to the Office of Management and Budget (OMB), which was available online at federalregister.gov/d/2023-09936 on 5/9/23. It seems that the agencies heard and acted upon the demand for continued flexibility for these providers and their patients’ needs. That rule provides that “[t]he full set of telemedicine flexibilities regarding prescription of controlled medications as were in place during the COVID-19 PHE will remain in place through November 11, 2023.” In addition, a one-year grace period is established for any practitioner-patient telemedicine relationships established on or before 11/11/23, preserving the “full set of telemedicine flexibilities” in place during the COVID PHE. DEA is evaluating comments and preparing for implementation of final regulations. The temporary rule, in effect until 11/11/24, adds new 21 C.F.R. 1307.41 and 42 C.F.R. 12.1.
The following summary of the Oklahoma Johnson & Johnson opioid decision is also published at Lexology.com.
The decision in the non-jury trial, Oklahoma ex rel. Mike Hunter, Attorney General of Oklahoma v. Purdue Pharma L.P. et al., was filed on August 26, 2019. The trial, which lasted thirty-three days, focused on the State’s sole claim against the defendants for public nuisance under state statute; forty-two witnesses were called by the parties and 874 exhibits were submitted into evidence, along with 225 additional court exhibits.
In the first such decision in the United States among a plethora of cases filed across the nation, the Court held that the State had met its burden of proof that the defendant, Johnson & Johnson, was the cause-in-fact of the extensively described injuries and that the harm suffered was the kind recognized by the state law. Purdue and Teva Pharmaceuticals settled prior to trial. The court found no intervening causes to defeat a finding of direct and proximate cause.
Testimony ran the gamut of describing the development of opioids in the 1950s and research and development that occurred from the 1990s until recent years, and it focused on what the Court considered intentionally misleading marketing information and activities. It is noteworthy that the Court included in its findings that there was no opioid epidemic in Oklahoma through the mid-1990s, according to the state Commissioner of Mental Health.
The Court found that “Defendants, acting in concert with others, embarked on a major campaign in which they used branded and unbranded marketing to disseminate the messages that pain was being undertreated and ‘there was a low risk of abuse and a low danger’…designed to reach Oklahoma doctors through multiple means and at multiple times over the course of the doctor’s professional education and career” in the state. The defendants were found to have deceptively marketed the concepts of “undertreatment” and “pseudoaddiction” in the effort to avoid the “addiction ditch,” to increase the volume of prescriptions and increase use by state physicians.
An Abatement Plan was relied upon to represent the cost of addiction treatment, which included: assessment and treatment at all levels for addicted individuals; supplementary treatment; public medication and disposal programs; Screening, Brief Intervention and Referral to Treatment (SBIRT) for all primary care practices and emergency departments; universal screening; a pain management program for state Medicaid members; education; naloxone treatment and education; law enforcement and provider licensure agency investigation activities; and perinatal preventive services.
The total yearly cost for remediation as described to the Court for 2019 is $572,102,028. While State witnesses testified that the Abatement Plan will require twenty years, the Court found that “…the State did not present sufficient evidence of the amount of time and costs necessary, beyond year one, to abate the Opioid Crisis.” Oklahoma ex rel. v. Purdue Pharma L.P. et al. at 41.
In a news release, counsel for Johnson & Johnson stated that it is confident that it has strong grounds for an appeal of Oklahoma’s opioid decision. This decision is expected to influence the settlement talks taking place in Ohio currently related to thousands of pending lawsuits against twenty-two opioid manufacturers and distributors, including Purdue.
Mary Holloway Richard participated in a CLE webinar panel for healthcare counsel on Wednesday.
Strafford Publications presented the webinar on protecting patients’ behavioral health information, and disclosure requirements and limitations.
Richard’s presentation defines best practices for healthcare providers in situations where a potential breach in patient privacy may arise.
The panel addressed the distinction between instances when the release of behavioral health information is permissible or required.
HIPAA, enacted in 1996 and evolving ever since, continues to be a very real compliance concern for healthcare providers. As an example, last year HHS collected $28.7 million from providers of healthcare services and payers for responses to HIPAA data breaches that HHS considered inadequate.
According to Modern Healthcare, this is $5.2 million over the prior high for settlements and penalties reported in 2016. The data for 2018 may be skewed by the $16 million settlement by Anthem for a breach involving approximately 79 million people. That breach occurred in 2015, and the settlement was record-setting for the Office for Civil Rights.
Changes being discussed by HHS include the possibility of sharing a percentage of civil monetary penalties or monetary settlements with affected individuals; revisions to HIPAA rules that facilitate the additional information demanded by coordinated care, outcome-focused care and value-based payments; and reconciliation of behavioral health care’s 42 CFR Part 2 rules with HIPAA.
In this article, Oklahoma City healthcare attorney Mary Holloway Richard discusses GDPR, a newly enforced EU privacy law, and what it means for businesses in America.
Q: What is the General Data Protection Regulation (GDPR)?
A: It’s a law regulating data protection and privacy for all individuals within the European Union (EU). It gives control to individuals over their personally identifiable information. It both standardizes the requirements throughout the EU and bolsters protections available to individuals amid well-publicized, costly data breaches in Europe. It’s a regulation rather than a directive, which means national governments within the EU don’t have to pass enabling legislation for these requirements to be effective. Rather, the regulation is directly binding on the members of the EU. The spirit of the General Data Protection Regulation also is embodied in recent legislation in the United Kingdom, providing consistency across Europe even though the U.K. withdrew from the EU effective in March. The regulation, passed two years ago, became effective May 22. Because of the length of time between passage and enforcement, there’s no transitional or grace period before compliance is required.
Q: How is this relevant to American businesses?
A: In certain circumstances, the GDPR also applies to organizations and other businesses based outside of the EU if they collect and/or process personally identifiable information located within the EU. For example, U.S. companies offering a website to market their products or services to individuals within the European Community or scientific concerns actively engaged in recruiting individuals within the European Community to be subjects in clinical trials are required to comply. It’s important for such commercial concerns to act quickly to determine if they are covered by the General Data Protection Regulation as processors of data or collectors of such data from individuals within the EU. Concerned about the potential burden of compliance on foreign businesses, some international websites have taken steps to block EU users on the effective date, thereby removing the need to comply and ensuring against potential liability under the regulation. USA Today’s international website redirected users to simplified sites limited in scope. Other U.S. newspapers with European editions made them temporarily unavailable to readers in the EU. In another example of responses by U.S. companies, Instapaper, a read-it-later app, temporarily shut off access to European users to allow sufficient time for compliance.
Q: What type of data is protected by the General Data Protection Regulation and how’s it protected?
A: Personally identifiable information is anything that allows a living person to be identified directly or indirectly. Such data elements include name, email and home addresses, medical information, bank or other financial information, computer IP address and photos. A data processing officer must be appointed by businesses involved in processing or collecting data; the officer is similar to a compliance officer with special information technology proficiency in managing and securing personal and sensitive data, and serves as a local representative for the company. Individuals have the right to the portability (access) of their stored data, erasure of data in certain circumstances, the right to file complaints with the data processing authority and the right to contest automated decision-making made on a solely algorithmic basis. Data breaches must be reported in a manner similar to the Health Information Portability and Accountability Act of 1996 and its amendments (HIPAA).
Q: You mentioned HIPAA. Is informed consent required for American businesses engaged in business in Europe similar to that required for HIPAA?
A: Personally identifiable information may be lawfully processed under the General Data Protection Regulation with informed consent or with a legal basis for doing so which ranges from legitimate interests of the entity collecting the data or a third party performing a task under official authority in the public’s interest, in compliance with the controller’s legal obligation, in fulfillment of a contract with a data subject, and to protect vital interests of a data subject or another person. There are some similarities to the HIPAA informed consent and the various exceptions to the consent requirement including the requirements of clarity and the opportunity to withdraw consent. As with HIPAA, individuals must be apprised of their privacy rights and their ability to withdraw consent at any time under the General Data Protection Regulation.
Q: Are there exceptions or limitations to an individual’s right of access to information?
A: Limitations to disclosure and the individual’s right of access to protected data exist for overriding interests such as national security. Further, in recognition of the importance of providing health care across country boundaries and clinical research to fight disease, the General Data Protection Regulation doesn’t apply to statistical and scientific analyses. A recognition of the need to maintain the integrity of clinical research resulted in the limitation of the erasure right of the individual. The strengthened data protections of the General Data Protection Regulation are limited in the face of requirements of good science although companies engaging in clinical research, including patient recruitment in the EU, will need to evaluate their data compliance plans considering the requirements of the newly enforced law. In addition, the General Data Protection Regulation doesn’t apply to data related to employer-employee relationships.