January FDA Updates

As we move into 2020, we’re starting a regular blog series highlighting noteworthy FDA updates regarding regulatory compliance, fraud and abuse cases, and product development issues every month. Our January recap is below.

1. FDA, USDA and EPA announce joint platform to streamline information about agricultural biotechnology products (Jan. 9, 2020). The U.S. Food and Drug Administration (FDA), the Department of Agriculture (USDA) and the Environmental Protection Agency (EPA) launched a Unified Website for Biotechnology Regulation. The website streamlines information about the three regulatory agencies charged with overseeing agriculture biotechnology products and is part of President Donald J. Trump’s Executive Order on Modernizing the Regulatory Framework for Agricultural Biotechnology Products. The website describes the federal review process for certain biotechnology products and allows users to submit questions to the three agencies. The goals of this website are to provide enhanced customer service to innovators and developers, while ensuring Americans continue to enjoy the safest and most affordable food supply in the world and can learn more about the safe use of biotechnology innovations. This collaboration emphasizes the need for considering multiple regulatory frameworks when dealing with biotechnology innovations.

2. Patient Services Inc. Agrees to Pay $3 Million for Allegedly Serving as a Conduit for Pharmaceutical Companies to Illegally Pay Patient Copayments (Jan. 21, 2020). Patient Services Inc. (PSI), a foundation based in Virginia, has agreed to pay $3 million to resolve allegations that it violated the False Claims Act by acting as a conduit to enable certain pharmaceutical companies to provide kickbacks to Medicare patients taking the companies’ drugs, by paying the patients’ copayments. When a Medicare beneficiary obtains a prescription drug covered by Medicare Part B or Part D, the beneficiary may be required to make a partial payment, which may take the form of a co-payment, co-insurance, or deductible (collectively, copays). Congress included co-pay requirements in these programs, in part, to encourage market forces to serve as a check on healthcare costs, including the prices that pharmaceutical manufacturers can demand for their drugs. The Anti-Kickback Statute prohibits pharmaceutical companies from offering or paying, directly or indirectly, any remuneration — which includes money or any other thing of value — to induce Medicare patients to purchase the companies’ drugs, and it prohibits third parties, such as copay foundations, from acting as a conduit for such payments. Additionally, state insurance fraud statutes protect private insurers against actions, such as copay assistance or waiver.

3. FDA informs healthcare providers, facilities and patients about potential cybersecurity vulnerabilities for certain GE Healthcare Clinical Information Central Stations and Telemetry Servers (Jan. 23, 2020). The FDA issued a safety communication informing healthcare providers, facilities and patients about cybersecurity vulnerabilities identified for certain GE Healthcare Clinical Information Central Stations and Telemetry Servers. These devices are primarily used in healthcare facilities, for displaying patient information, such as the physiologic status (i.e., temperature, heartbeat, blood pressure, etc.) of a patient and monitoring patient status from a central location in a facility, such as a nurse’s bay. The cybersecurity vulnerabilities identified could allow an attacker to remotely take control of the device to silence alarms, generate false alarms, or interfere with the function of patient monitors connected to these devices. These cybersecurity vulnerabilities were identified by a third-party security firm, which may have been engaged by the FDA directly or by GE Healthcare; it is not clear. The FDA’s safety communication alerts healthcare providers and facilities of the risk posed by these vulnerabilities and provides recommendations on actions that can be taken to mitigate risks. These recommendations include advising healthcare facilities to segregate the network connecting the patient monitors with the affected GE Healthcare Clinical Information Central Stations and Telemetry Servers from the rest of the hospital network and using firewalls, segregated networks, virtual private networks, network monitors, or other technologies that minimize the risk of remote or local network attacks. The FDA has continued to develop guidance for medical device manufacturers on cybersecurity standards, and this safety alert provides additional emphasis on this important issue that spans FDA regulatory, healthcare and public health, and privacy protections.

4. Electronic Health Records Vendor to Pay $145 Million to Resolve Criminal and Civil Investigations (Jan. 27, 2020). Practice Fusion Inc., a San Francisco-based health information technology developer, will pay $145 million to resolve criminal and civil investigations relating to its electronic health records (EHR) software. As part of the criminal resolution, Practice Fusion admits that it solicited and received kickbacks from a major opioid company in exchange for utilizing its EHR software to influence physician prescribing of opioid pain medications. The resolution announced by the Department of Justice (DOJ) addresses allegations that Practice Fusion extracted unlawful kickbacks from pharmaceutical companies in exchange for implementing clinical decision support (CDS) alerts in its EHR software designed to increase prescriptions for their drug products. Specifically, in exchange for “sponsorship” payments from pharmaceutical companies, Practice Fusion allowed the companies to influence the development and implementation of the CDS alerts in ways aimed at increasing sales of the companies’ products. Practice Fusion allegedly permitted pharmaceutical companies to participate in designing the CDS alert, including selecting the guidelines used to develop the alerts, setting the criteria that would determine when a healthcare provider received an alert, and in some cases, even drafting the language used in the alert itself. The CDS alerts that Practice Fusion agreed to implement did not always reflect accepted medical standards. In discussions with pharmaceutical companies, Practice Fusion touted the anticipated financial benefit to the pharmaceutical companies from increased sales of pharmaceutical products that would result from the CDS alerts. Between 2014 and 2019, healthcare providers using Practice Fusion’s EHR software wrote numerous prescriptions after receiving CDS alerts that pharmaceutical companies participated in designing.

“Practice Fusion’s conduct is abhorrent. During the height of the opioid crisis, the company took a million-dollar kickback to allow an opioid company to inject itself in the sacred doctor-patient relationship so that it could peddle even more of its highly addictive and dangerous opioids,” said Christina E. Nolan, U.S. Attorney for the District of Vermont.

The FDA has issued two draft guidance documents focused on CDS products, with the most recent version focusing on a risk-based approach to determining the FDA regulation over software that is clinical decision support. Changes to the Food, Drug, and Cosmetic (FD&C) Act made by the 21st Century Cures Act in late 2016 amended section 520 and excludes certain software functions from the device definition, including limited types of CDS products. Technology companies developing electronic medical records, clinical decision support, or other software or a medical device should be made aware of both the DOJ position on external sponsorship of CDS and also the pending FDA regulatory framework for CDS.