Adult Stem Cell Treatments: Cosmetic or Drug?

A recent article in Scientific American described the use of stem cells in cosmetic procedures and resulting injury to a patient. Although the Food and Drug Administration (FDA) has approved only one medical use for stem cells, other purported therapies using stem cells are marketed in the United States and elsewhere. Some of these use “autologous” stem cells, which are harvested from the patient’s body and are later reimplanted.

In the Scientific American story, the patient had undergone cosmetic surgery in which mesenchymal stem cells were isolated from fat cells that had been removed via liposuction.  These stem cells were injected into her face, particularly in the area around her eyes. During the same procedure, dermal filler also was injected into her face.

A few months later, the patient could not open her right eye without pain, and when she did, she heard “clicks.” The area around the eye was swollen.  What had gone wrong? Mesenchymal stem cells may develop into fat, cartilage, or bone. Some of the stem cells that were injected into her eyelid had become small fragments of bone. Dermal fillers have been used safely for many years, but, sometimes cell biologists use them to encourage bone growth. Apparently, the dermal filler interacted with the stem cells, and bone grew in an inappropriate site.

This use of stem cells had not been approved by the FDA. It had not been subjected to clinical trials. Other products derived from stem cells are actively marketed in the United States without FDA approval. Some may be legal, others, not. The doubt stems from the murky legal classification of  the cells. The FDA’s regulation of human cells, tissue, and cellular and tissue-based products exempts the use of an individual’s own cells when harvested from one area and applied to another area in the same surgical procedure. But a court upheld the FDA’s injunction against a company that harvested stem cells and then implanted them into the same patient after four to six weeks of processing.  The company continues to offer other procedures in the United States using autologous stem cells that are reinjected into patient after two days, but it has moved the challenged procedure to a facility in the Cayman Islands. Meanwhile, it argues that the FDA considers your body a drug that it can regulate.

The extent of regulation of a substance may depend on its intended use, which is based, in part, upon the claims made for it. If the label says, “for younger looking skin”, the product is probably not a drug, but a label that says “boosts production of collagen and elastin” may prompt the FDA to treat the product as a drug.

A New Jersey company markets two kinds of autologous stem cell services. The company  will freeze and store the customer’s stem cells in case they are needed in the future for medical treatment. It also offers Autokine-CM skin care products, which are manufactured with two ounces of stem cells harvested from the consumer’s fatty tissues and cultured in the company’s “proprietary media.” The stem cells are then combined with other ingredients to create an “anti-aging skin care suite.” The company has tested the product in an eight-week clinical trial. What would the FDA make of that?

HHS and HONI Settle ePHI Breach Affecting Less Than 500 Individuals for $50,000

HHS and the Hospice of North Idaho (HONI) have agreed to the first ever settlement involving a breach of unprotected electronic protected health information (ePHI) affecting less than 500 individuals. Under the terms of the agreement, HONI has agreed to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) Security Rule for $50,000. The HIPAA Security Rule created a set of security standards for the confidentiality, integrity, and availability of ePHI that applies to covered entities. Covered entities include health care providers and professionals who transmit electronic health information in relation to certain transactions. A copy of the resolution agreement between HHS and HONI is available at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/honi-agreement.pdf

HHS Investigation

The investigation began when HONI reported to the HHS’ Office of Civil Rights (OCR) an unencrypted laptop computer had been stolen in June, 2010. HHS’ investigation found that HONI staff regularly used laptops as part of their fieldwork; however, HONI had failed to do risk analysis to protect the ePHI contained in the laptop computers. HHS also found that HONI had violated the HIPAA Security Rule because it did not have any organizational policies or procedures to deal with security issues posed by mobile devices. The Health Information Technology for Economic and Clinical Health (HITECH) (P.L. 111-5) Breach Notification Rule requires covered entities to report to the HHS Secretary within 60 days impermissible uses or disclosures of protected information, or “breaches,” when 500 or more individuals are concerned. In cases where breaches affect less than 500 individuals, reports must be submitted to the HHS Secretary annually.

Provider Education

The HHS’ Office of the National Coordinator for Health Information Technology (ONC) and the OCR is offering providers and covered entities educational tips and guidance on how to protect ePHI on mobile devices. The www.healthit.gov site provides several links that providers can use to learn about protecting and securing mobile devices, steps organizations can take to manage mobile devices, and a list of frequently asked questions. There are also downloadable materials that include fact sheets and a presentation titled Mobile Devices: Know the RISKS, Take the STEPS, PROTECT and SECURE Health Information to help providers protect ePHI on tablets, smartphones, and laptops.