Archives for September 2017

Cosmetic drug companies scarred by misbranding

A district court enjoined two individuals and two New Jersey drug companies from distributing unapproved injectable skin whitening drugs. In addition to preventing Flawless Beauty LLC and RDG Imports LLC from distributing the unapproved and misbranded drugs, the injunction requires the companies to recall and destroy all of the unapproved and misbranded injectable skin whitening drugs. The companies and individuals agreed to settle the case and be bound by a permanent injunction.

Complaint

According to the complaint, in addition to making skin whitening claims, the companies’ skin whitening drug products make other unsubstantiated therapeutic claims. For example, some of the products asserted that the drugs “contribute to good liver function” and “clinically treat degenerative brain & liver diseases including Parkinsons.” The complaint also identified public health risks associated with the companies’ purportedly sterile injectable skin whitening drugs—nerve or blood vessel damage, blood-borne infection, superficial skin infection, cellulitis, abscess formation, and toxic systemic reactions.

The complaint asserted that the products were misbranded because they contained false or misleading information, including the false implication of FDA approval. Other labeling issues identified in the complaint include improper directions for use and the absence of “Rx” on the label.

Injunction

Until the companies meet specific remedial measures, the injunction requires them to stop importing, receiving, manufacturing, preparing, processing, packing, labeling, holding, and/or distributing unapproved drugs. The companies have 20 days to meet the mandate to recall and destroy the unapproved drugs.

House committee takes interest in ‘NotPetya’ malware attack fallout

House Energy and Commerce Committee leaders are concerned that a malware attack from late June 2017, known as “Petya” or “NotPetya,” may have lingering effects on Merck & Co, Inc. The leaders sent letters to Merck’s CEO and HHS Secretary Price expressing this concern and requesting additional information about the attack and the effects on the company.

NotPetya

The malware infection began on June 27, 2017, and spread across the world, infecting businesses from a variety of sectors. At the time of the attack, the extent of Merck’s vulnerability was not precisely known, although an employee reported that they were told to stop working, that some computers appeared to be wiped, and that all U.S. offices were affected by the attack. The committee letters referred to information provided in Merck’s second-quarter 2017 financial outlook, which stated that packing operations were mostly restored, formulation operations were partially restored, and active pharmaceutical ingredient operations were partially restored but bulk product was not yet being produced.

Patient risk

The committee’s interest in the matter stemmed from concern that patients may have been negatively impacted by manufacturing disruption. Although evidence of such risk was not present, the committee pointed to an announcement from the Centers for Disease Control and Prevention (CDC) that certain formulations of Merck’s Hepatitis B vaccine would not be available. The committee requested that Merck provide a formal briefing to the committee on the initial infection and Merck’s steps to recover and resume manufacturing by October 4, 2017. The committee also requested an HHS briefing on the agency’s steps to understand and respond to the situation as well as plans for addressing drug shortages or other consequences stemming from cyberattacks.

Fraudulent medical evaluations earn psychologist 25-year prison term

A former clinical psychologist received a 25-year prison sentence and was ordered to pay over $93 million in restitution to HHS and the Social Security Administration (SSA) for his participation in a scheme to obtain over $550 million in fraudulent federal disability payments.

The scheme was initiated by an SSA administrative law judge (ALJ) who reassigned, to himself, pending disability cases associated with a particular attorney. The ALJ contacted the attorney and urged him to provide either physical or mental medical documentation supporting disability determinations, regardless of the actual disability status of the claimants. In cases where medical documentation was required, the clinical psychologist participated in the scheme. The clinical psychologist signed medical evaluation forms prepared by the attorney, without reviewing those forms. The attorney paid the ALJ more than $609,000 for granting benefits in his cases and nearly $200,000 to the clinical psychologist for his participation. The attorney received over $7 million in attorney’s fees.

As a result of the scheme, the SSA paid more than $550 million in lifetime benefits to claimants. The ALJ and the attorney pleaded guilty, receiving sentences of four and 12 years, respectively. Subsequently, the attorney absconded from electronic monitoring and is now considered a fugitive.

IT experts say foreign actors, human error biggest threats to health record security

Foreign hackers and human error are two of the most significant threats to protected health information (PHI) and other health records that providers and health care entities must prepare for, according to four information technology experts speaking at a conference sponsored by Becker’s Hospital Review. They all agreed that breaches and cyberattacks will continue, so health care institutions must be diligent about security systems, audits, training, insurance, and adequately responding to breaches to mitigate punishment and quickly recover from an attack.

Weakest link 

Aaron Miri, chief information officer for Imprivata, and Michael Leonard, director at Commvault, both noted that regardless of the tools and systems put in place to ward off breaches, malware, ransomware, and other cybersecurity threats, people will always be the weakest link. Leonard noted that when it comes to an institution’s cybersecurity program, “people training has to be continuous and repetitive.”

Katherine Downing, senior director at the American Health Information Management Association (AHIMA), highlighted one type of “insider threat”—physicians who use workarounds that bypass the security features of electronic health record (EHR) systems (like texting PHI about patients to each other). David Miller, CEO of HCCIO Consulting, LLC, was blunter when asked what the biggest threat was to PHI and other health records—“Russia and China.”

Jurisdictions

Miri noted that providers must deal with a “wide disparity of laws” regarding the security and privacy of health information, not just federal and state laws, but, starting in May 2018, the General Data Protection Regulation (GDPR) issued by the European Union. The GDPR replaces a framework of different information security measures that mainly affected just European companies with a national network and information security strategy that will impact American life sciences and healthcare entities that collect and/or use any data concerning health, genetic data, or other types of protected health information (PHI).

Audits

Miller expressed amazement at how many health care institutions have not had a HIPAA audit in the previous two years. The HHS Office for Civil Rights (OCR) reviews organizations’ compliance with the HIPAA Privacy, Security, and Breach Notification Rules and looks for documentary proof that entities have conducted risk assessments and created and implemented policies and procedures governing areas including the shielding of PHI. Miller noted that providers must continually educate and re-educate staff on policies related to HIPAA. But he added that providers can also “take advantage of a breach situation to talk to senior management to increase security measures.”

Record retention

In addition to protecting PHI, health care entities have to make decisions about destroying records after record retention periods have ended. Katherine Downing, senior director at the American Health Information Management Association (AHIMA), noted that entities “can’t keep everything forever.” Downing noted that health care entities already have the expense of saving, backing up, and securing required health records; doing the same for older records that no longer have to be retained is just an added expense.

In the end, Miri noted that these are the questions that health care entities have to ask: What are they willing to spend to avoid a breach? What are they willing to risk regarding their reputations?