Kusserow on Compliance: Whistleblowers receive $98M in $784.6M FCA settlement

Pharmaceutical companies Wyeth and Pfizer Inc., agreed to pay $784.6 million to resolve allegations that Wyeth knowingly reported to the government false and fraudulent prices on two of its proton pump inhibitor (PPI) drugs, Protonix Oral® and Protonix IV®. The case was brought under the qui tam provisions of the federal False Claims Act (FCA) (31 U.S.C. § 3729 et seq.) by two relators, a former hospital sales representative for AstraZeneca Pharmaceuticals and a practicing physician. They will receive $98,058,190.00 as their share from the settlement. This amount ranks among the largest award for whistleblowers ever.

Pfizer acquired New Jersey-based Wyeth in 2009, approximately three years after Wyeth had ended the conduct that gave rise to the settlement. The Department of Justice (DOJ) alleged that Wyeth failed to report deep discounts on Protonix Oral and Protonix IV that it made available to thousands of hospitals nationwide through a bundled sales arrangement in which a hospital could earn deep discounts on both drugs, if it placed them on formulary and made them “available” within the hospital. Through this bundled arrangement, Wyeth sought to induce hospitals to buy and use Protonix Oral, which hospitals otherwise would have had little incentive to use, because other pre-existing oral PPI drugs were priced competitively and were considered to be as safe and effective. Wyeth wanted to control the hospital market because patients discharged from the hospital on Protonix Oral were likely to stay on the drug for long periods of time, rather than switch to competing PPIs, during which time payers, including Medicaid, would pay nearly full price for the drug.

All this resulted in their wrongfully avoiding paying hundreds of millions of dollars in rebates to Medicaid. Under the terms of the settlement, Wyeth will pay $413,248,820 to the federal government and $371,351,180 to state Medicaid programs.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2016 Strategic Management Services, LLC. Published with permission.


FDA tackles postmarket medical device cybersecurity

By Kathryn Brown, DePaul University College of Law, WK Legal Scholar

Increasingly, medical devices may be accessed via wireless technologies which transform health care by improving patient mobility, enabling the remote programing of devices, and allowing remote access to and monitoring of patient data. Despite these apparent benefits, medical devices pose serious safety and security risks to patients and health care entities. Like other computer systems, medical devices are vulnerable to security breaches. The FDA stated, “[t]he failure to maintain the cybersecurity of medical devices can result in compromised device functionality, loss of data (medical or personal) availability or integrity, or exposure of connected devices or networks to security threats.” This vulnerability has led to many concerns about potential harms that could arise via medical devices. For example, according to ABC News, Thomas Lewis, Partner-in-Charge at LBMC Information Security, stated that “[a] hacker attempting to get patient data could accidentally knock out medical devices connected to the Wi-Fi network, such as an MRI or X-ray machine.” Additionally, as an extreme example of the harm that device hackers could cause, The Washington Post reported that Former Vice-President Dick Cheney chose to disable the wireless function of his heart implant in fear that it could be hacked in an assassination attempt.

In response to growing concerns about the cybersecurity vulnerability of medical devices, the FDA issued a draft guidance entitled “Postmarket Management of Cybersecurity of Medical Devices.” This new draft guidance builds on the FDA’s prior cybersecurity guidance issued in October 2014, which encouraged medical device manufacturers to develop and incorporate cybersecurity controls into medical devices at the premarket design stage. The new draft guidance outlines recommendations to aid medical device manufacturers in monitoring, identifying, and addressing cybersecurity vulnerabilities in devices that have already entered the market. This guidance applies to medical devices that contain software or programmable logic, as well as software that qualifies as a medical device. It does not apply to experimental or investigational medical devices.

Overview of the Draft Guidance

The draft guidance provides overarching recommendations on assessing cybersecurity risk, as well as manufacturers’ remediation and reporting obligations. In order to determine whether their device vulnerability is controlled, the FDA encourages manufacturers to “define and document their process for objectively assessing the cybersecurity risk for their devices.” This process should be tailored to the device as well as the clinical performance and situation. The FDA’s draft guidance indicates that “critical components” of a cybersecurity surveillance program include:

  • Monitoring cybersecurity information sources for identification and detection of cybersecurity vulnerabilities and risk;
  • Understanding, assessing and detecting presence and impact of a vulnerability;
  • Establishing and communicating processes for vulnerability intake and handling;
  • Clearly defining essential clinical performance to develop mitigations that protect, respond, and recover from the cybersecurity risk;
  • Adopting a coordinated vulnerability disclosure policy and practice; and
  • Deploying mitigations that address cybersecurity risk early and prior to exploitation.

The FDA further advises manufacturers to exercise “good cyber hygiene” through routine device maintenance and the timely implementation of a comprehensive risk management program to mitigate cybersecurity risks and vulnerabilities. Manufacturers are reminded that they must report to the FDA any device vulnerability that poses an uncontrolled risk. As an additional security measure, the FDA suggests implementing the 2014 National Institute of Standards and Technology (NIST) Voluntary Framework for Improving Critical Infrastructure Cybersecurity.

Impact of the Draft Guidance

The FDA draft guidance is neither final nor codified; however, attorney Ronald Lee, as well as several of his colleagues, believe that the FDA has “essentially made cybersecurity vulnerability management throughout the lifecycle of medical devices a long-term and likely permanent aspect of regulatory compliance.” The proactive recommendations for device manufacturers demonstrate that medical device cybersecurity is a priority for the FDA. However, medical devices and cybersecurity threats are continually evolving; therefore, postmarket controls will not entirely eliminate these risks. Device manufacturers need to implement comprehensive cybersecurity risk management programs to address any device security vulnerabilities. The FDA accepted comments on the draft guidance until April 21, 2016, and will consider the comments before drafting the final version of the guidance. Whether or not these recommendations are codified, device manufacturers ought to be carefully assessing and evaluating the potential vulnerabilities that may appear throughout a device’s lifecycle, so as to better protect patient safety.

Kathryn Brown is pursuing her law degree from DePaul University College of Law. She completed her undergraduate degree summa cum laude from St. Ambrose University with a Bachelor’s Degree in Political Science and a concentration in International Politics. Kathryn is a Staffer on the DePaul Law Review, Fellow and Vice-Director of Programming for the Jaharis Health Law Institute, and a General Staff Writer for the Institute’s E-Pulse newsletter.

Highlight on North Carolina: State entities join to build mental health workforce

North Carolina local management entities (LMEs) and managed care organizations (MCOs) announced a joint workforce-development initiative to offer training resources to professionals on the front lines of providing services to individuals with disabilities. Cardinal Innovations Healthcare, Smoky Mountain LME/MCO, and Trillium Health Resources will offer both raining and evidence-based curricula to direct support professionals through DirectCourse.

Workforce development

CMS standards for direct support professionals focus on improving the quality of services for individuals with intellectual and developmental disabilities. The curricula offered by the initiative were created to align with the CMS competencies adopted in the NC Innovations Waiver. The waiver was created to help the state’s Medicaid beneficiaries with intellectual or developmental disabilities live a more independent lifestyle. Under the waiver, LME/MCOs receive a set amount of money each year to help these individuals get specialized services. The curricula offered through the initiative includes: College of Direct Support & College of Frontline Supervision and Management; College of Employment Services; College of Personal Assistance and Caregiving; and College of Recovery Community and Inclusion.

Increasing mental health workforce

Recent recommendations from members of the state’s Task Force on Mental Health and Substance Abuse focus on increasing the number of mental health providers in the state. The Task Force noted that about 60 counties in North Carolina have no psychiatric provider and suggested expanding the scope of practices for nurses, as well as education loan-repayment programs to make mental health treatment more accessible. The issue reflected in the governor’s budget, with $30 million directed toward enhancing case management for those with mental health disabilities and creating transitional housing.

Kusserow on Compliance: Tips and lessons learned from new OCR findings and settlements

The HHS Office of Civil Rights (OCR) has begun its second round of HIPAA audits by notifying randomly selected covered entities (CEs) and business associates (BAs) that they have been selected for review to ensure compliance with the HIPAA Privacy, Security, and Breach Notification Rules. While doing this, the agency has also been reporting recent record settlements with HIPAA violators.

Recent settlements

The most recent action is the $2.2 million settlement with New York Presbyterian Hospital for disclosure of two patients’ protected health information (PHI) to film crews and staff during the filming of “NY Med,” an ABC television series, without first obtaining authorization from the patients. The OCR will monitor this hospital for two years to ensure they remain compliant with its HIPAA obligations.

This settlement followed on the heels of a $750,000 settlement with Raleigh Orthopaedic Clinic, P.A. of North Carolina for potential violation of the HIPAA Privacy Rule by handing over PHI of approximately 17,300 patients to a potential business partner without first executing a BA agreement. The clinic was also required to revise its HIPAA policies and procedures to: (1) establish a process for assessing whether entities are BAs; (2) designate a responsible individual to ensure BA agreements are in place prior to disclosing PHI; (3) create a standard template BA agreement; (4) establish a standard process for maintaining documentation of a BA agreements for at least six years; and (5) limit disclosures of PHI to any BA to the minimum necessary to accomplish the purpose for which they were hired.

These are only the latest in a series of settlements in the last 60 days and follow the $3.9 million settlement with the Feinstein Institute for Medical Research, a not-for-profit corporation biomedical research institute, for violating HIPAA privacy. This settlement was the result of losing a laptop with 13,000 names of research participants, dates of birth, addresses, social security numbers, diagnoses, laboratory results, medications, and medical information relating to potential participation in a research study. A few days earlier the OCR announced another settlement with North Memorial Health Care of Minnesota of $1.5 million, which settled allegations that HIPAA was violated when the organization failed to enter into a BA agreement with a major contractor and failed to address the risks and vulnerabilities to its patients’ information.

 Tips and lessons learned

Based on these actions by the OCR, entities should:

  • Ensure that this subject is included in reports to executive and board oversight committees;
  • Conduct a complete a security risk analysis that addresses PHI vulnerabilities including issues of confidentiality, integrity, and availability;
  • Ensure that security management processes are adequate to address potential PHI risks and vulnerabilities;
  • Ensure laptops and mobile devices are properly encrypted and password protected;
  • Keep track of mobile devices and employee access to such;
  • Follow the basics in reviewing compliance for information security risks PHI breaches;
  • Implement safeguards to restrict access to unauthorized users;
  • Maintain a list of all BAs including contact information;
  • Verify that all have signed BA agreements;
  • Note that research programs meet HIPAA compliance standards for participating patients;
  • Implement adequate policies and procedures for authorizing access to PHI;
  • Train the workforce on all policies and procedures developed or revised;
  • Implement policies and procedures governing receipt and removal of laptops containing PHI and for controlling access to PHI by workforce members and users; and
  • Develop a corrective action plan to promptly address any weaknesses identified.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2016 Strategic Management Services, LLC. Published with permission.