New law stops potential criminalization of EMS ‘standing orders’ for timely controlled-substance use

A new bipartisan law, the Protecting Patient Access to Emergency Medications Act of 2017, P.L. 115-83, signed by President Trump on November 17, 2017, amends the Controlled Substances Act (CSA) (P.L. 91-513) to clarify that emergency medical services (EMS) professionals (including nurses, paramedics, and emergency medical technicians) are able to continue administering controlled substances (contained in schedules II, III, IV, or V), such as pain narcotics and anti-seizure medications, to critical patients pursuant to standing (written medical protocol) or verbal (oral directive) orders when authorized by state law (Protecting Patient Access to Emergency Medications Act of 2017, P.L. 115-83, enacted November 17, 2017).

It has been a long-standing practice for medical directors of EMS agencies to write standing orders for the administration of controlled substances by EMS professionals. As reported by Emergency Physicians Monthly, in a January 2015 meeting with the National Association of EMS Physicians (NAEMSP) Executive Committee to discuss possible EMS regulations, the Drug Enforcement Administration (DEA) stated its position that the CSA only allows for patient-specific orders for controlled substances and that it is illegal for EMS agencies to deliver any controlled substances under written medical protocols or standing orders. Therefore, absent this new legislation, it was the position of the DEA that any regulations concerning EMS agencies would be required to prohibit the continued use of standing orders for EMS professionals.

The law also allows EMS agencies the option of having a single DEA registration in each state where the EMS agency administers controlled substances, in lieu of requiring a separate registration for each location of the EMS agency within the state, as long as certain transportation, storage, re-stocking, and recordkeeping rules for controlled substances are followed by the EMS agency. The act further provides that a hospital-based EMS agency may use the DEA registration of the hospital to administer controlled substances without an additional registration of its EMS agency.

The law was introduced as H.R. 304 in the House of Representatives by Reps. Richard Hudson (R-NC) and G.K. Butterfield (D-NC). The Senate version, S. 916, was introduced by Sens. Bill Cassidy (R-La) and Michael Bennet (D-Colo). H.R. 304 initially passed the House by a vote of 404-0 on January 9, 2017. It passed the Senate, as amended, by unanimous consent, on October 24, 2017.

New York dietary supplement maker accused of failing to comply with cGMP regulations

At the request of the FDA, the U.S. Department of Justice filed a civil complaint against Riddhi USA Inc. of Ronkonkoma, New York, and its owner and President Mohd M. Alam, to enjoin the distribution of adulterated and misbranded dietary supplements. The complaint alleges that Riddhi and Alam prepared, packed, and held dietary supplements under conditions that failed to comply with the FDA’s current good manufacturing practice (cGMP) regulations for these products.

According to the complaint, the FDA inspected the Riddhi facility in January 2017 and found numerous significant deviations from cGMP regulations, including a failure to: (1) establish product specifications for identity, purity, strength, and composition of their finished dietary supplements; (2) conduct at least one appropriate test to verify the identity of a dietary ingredient; and (3) establish and follow written procedures for quality control operations.

The complaint further alleges that many of the cGMP deviations were the same as those observed by the FDA during a previous inspection that occurred in January 2016. The complaint notes that on April 27, 2016, the FDA issued a warning letter detailing violations of cGMP regulations observed during the 2016 inspection and that these violations are the same as those observed during the FDA’s subsequent 2017 inspection.

The complaint also alleges that the dietary supplements were misbranded under the labeling provisions of the federal Food, Drug & Cosmetic Act (FDC Act) (21 U.S.C. §301 et seq.) because the products are fabricated from two or more ingredients but fail to declare any ingredients on their product labels or labeling. Specifically, the complaint alleges that the dietary supplement Neuroxygen is misbranded because it is manufactured using soy lecithin, which contains “soy,” but soy is not listed on the product label. The complaint also alleges that the products Prenatal Formula, Osteo Gest, Neuroxygen, Inflam-Ease, and All-Ease, are misbranded because their label or labeling fails to declare the place of business of the manufacturer, packer, or distributor.

Recommendations for creating compliant security relationships with vendors

Recent regulatory changes have had an impact on what “covered entities” must do to create and maintain a compliant security relationship with their “business associates.” This impact, and how information technology (IT) and compliance departments can interact to improve business associate selection and management, were the topics of a recent Health Care Compliance Association (HCCA) webinar featuring Francois J. Bodhuin, Director, Information Security Officer, and Joseph A. Piccolo, Vice President, Corporate Compliance, at the Inspira Health Network. The presenters also offered a five-step life cycle approach to managing vendor security requirements.

Background

The term “covered entity” is defined in 45 C.F.R. sec. 160.103 as either a health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic format. According to the presenters, the HITECH privacy provisions (Title XIII) of the American Recovery and Reinvestment Act (ARRA) (P.L. 111-5) resulted in the promulgation of the January 25, 2013 Final rule (78 FR 5566), which strengthened the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The rule also expanded the definition of “business associates” (BAs) to include subcontractors/vendors (and written assurance from subcontractors/vendors that they will uphold the security and privacy of protected health information (PHI)), increased reporting requirements, and enhanced penalties (see HIPAA final rule modifies Privacy, Security, and Enforcement Rules and establishes direct liability for business associates that violate certain rules, Health Law Daily, January 25, 2013).

Enforcement themes and challenges

The presenters noted several themes present in recent government enforcement actions, including accusations of inadequate risk assessment plans, outdated vendor agreements, the lack of risk analysis, and inadequate oversight (lack of communication). The presenters also laid out several new logistical challenges, including (1) ensuring that vendor agreements are current (and incorporate the 2013 rule changes); (2) the need to educate board members, employees, and vendors; and (3) the monitoring of vendor agreements.

Interaction of IT and compliance

The presenters stressed the need for IT and compliance to jointly develop a process that (1) makes use of HHS Office of Civil Rights (OCR) guidance, audit criteria, and recent settlements; and (2) sets guidelines for vendors, including a vendor code of conduct, specific policies and procedures for vendors, and vendor education requirements.

The presenters see the IT role as performing annual security assessments, frequent vulnerability scans, and the integration of risk analysis. In addition, in support of compliance, they believe that IT must: (1) be represented on the compliance committee; (2) have software that tracks vendors; (3) develop security questionnaires; and (4) evaluate the security programs of vendors.

Compliance, according to the presenters, must support IT by: (1) being a conduit for communication in understanding vendor relationships; (2) collaborating with IT on new and unique projects; (3) educating the board on the compliance/IT partnership; (4) developing and updating policies; and (5) including audits as part of the annual work plan.

Collaborative management of vendors

The presenters recommend language in vendor agreements that will allow for the covered entity to conduct a survey or questionnaire of the vendor. They suggest that the questionnaire incorporate the organizational values of the covered entity, not just government requirements. The questionnaire should be required of both new and existing vendors.

The presenters also recommend that the covered entity create an oversight group to review vendor responses, extrapolate risk levels, review actions taken with the vendor, tweak questionnaires, and report results to executives through the compliance committee.

Five-step approach

The presenters concluded by describing their five-step life cycle approach to managing vendor security requirements. Their approach centers on the following elements: (1) patient satisfaction; (2) quality outcomes; (3) electronic data security; (4) patient engagement/population management; and (5) stewardship and reputation.

More choices and lower premiums available for MA and PDPs in CY 2018

As calendar year (CY) 2018 approaches, CMS reports that both the Medicare Advantage (MA) and the Part D prescription drug plan (PDP) programs continue to grow, currently providing care and services to more than one-third of Medicare beneficiaries. CMS also reports that the average monthly premium for an MA plan will decrease, enrollment in MA is projected to reach an all-time high, and premiums for a basic PDP will fall for the first time since 2012.

Earlier this year, CMS announced new policies in the 2018 Rate Announcement and Final Call Letter that support flexibility, efficiency, and innovative approaches that are designed to improve quality, accessibility, and affordability in MA and PDP programs.

MA program data

CMS data provides the following information regarding the MA program for CY 2018:

  • MA enrollment is projected to be an all-time high of 20.4 million beneficiaries, representing a 9-percent (1.7 million) increase from 18.7 million in CY 2017.
  • MA average monthly premiums will decrease by $1.91 to $30.
  • 99 percent of Medicare beneficiaries will have access to at least one MA health plan in their area.
  • More than 85 percent of Medicare beneficiaries will have access to 10 or more MA plans.
  • The average number of MA plan choices per county will increase by two plans—up to approximately 29 plan choices per county.
  • Access to popular supplemental benefits, such as dental, vision, and hearing, continues to grow in MA plans.
  • Approximately 77 percent of MA enrollees in 2017 will have the same or lower premium in 2018 if they continue in the same plan.

PDP program data

CMS projects that the average monthly premium for a basic Medicare PDP in CY 2018 will decrease by $1.20 to an estimated $33.50 per month. CMS also reports that all Medicare beneficiaries will have access to at least one stand-alone Medicare PDP.

Medicare Open Enrollment improvements

CMS is announcing several consumer-friendly improvements so that people with Medicare can make an informed choice between original fee-for-service Medicare and MA plans during open enrollment. These improvements include: (1) updating the “Medicare & You” handbook to better explain coverage options; (2) establishing a help wizard on Medicare.gov that will point to resources to help make informed health care decisions; and (3) establishing a new email communication opportunity to improve the customer service experience through important messages and reminders.