Life Science Compliance Update

26 posts from January 2016

January 29, 2016

ProPublica HIPAA Helper or HIPAA Wall of Shame

ProPublica, the same organization that brought us "Dollars for Docs" and the "Surgeon Scorecard," is once again making a foray into the medical transparency world. This time, they focus on the Health Insurance Portability and Accountability Act (HIPAA), and provide information on whether "your hospital, clinic, pharmacy or health insurer has been named in patient privacy complaints, breaches or violations."

In creating this "HIPAA Helper," ProPublica sifted through data provided by the U.S. Department of Health and Human Services Office for Civil Rights (HIPAA's enforcer), the California Department of Public Health, and the U.S. Department of Veterans Affairs.

How Does it Work?

Patients and the general public can go to the HIPAA Helper and search for providers and hospitals in the search box. Once the search is completed, a list of results will be displayed. A brief explanation of the issue and any outcome will be included in the results list. One can click on the date and get a more "in depth" look, which explains which database ProPublica found the complaint logged in, as well as how many "other reports" cite the alleged violation.

Many news outlets around the country have already taken the liberty of looking up their local hospitals and care facilities and reporting on "privacy violations" that have allegedly taken place at those hospitals and care facilities. According to the website, major HIPAA violators included the Veterans Administration, CVS, Walgreens, Walmart, and Kaiser Permanente.


While we are wary of the HIPAA Helper and the reliability of the data included, our concern does not stop there. We have previously written about the Surgeon Scorecard possibly being used by the American Board of Orthopaedic Surgery for assessing competency in surgeon recertification. Fears that this HIPAA information could also be used for similar purposes are looming, front and center.

Equally concerning, as previously alluded to, is the possibility that the data is not reliable. Unreliable data has been proven to dissuade patients from seeing certain doctors and using certain hospitals. The possibility that the information found within the HIPAA Helper is not completely accurate and may lead to similar situations in the future is a major concern.

ProPublica has already proven that their information is not always fully reliable and accurate. As we previously wrote, Rand Corp. took issue with the methodology and accuracy of the Surgeon Scorecard by ProPublica. Rand considered the issues with methodology alone to be "so serious that patients should not view the Scorecard as 'a valid or reliable predictor of the health outcomes any individual surgeon is likely to provide.'"

The information found in the HIPAA Helper is so broad that it will likely prove not to be very helpful to patients. One example, from the U.S. Department of Veterans Affairs, involves a "reported breach of medical information" that was also cited in "336 other reports." The only description of the issue is "Unauthorized Access/Disclosure Involving Paper/Films."

Another problem is that a mere complaint, rather than an actual violation, will get you on the list. This could eventually serve as a vehicle for intimidating health systems or pharmacy chains by simply increasing the number of complaints.

Not only is the information overbroad, but in some cases, it isn't even there. A search of "Quest Diagnostics," for example, comes up with 59 results, but the top results are full of issues where the "data [is] not available." It is questionable what good such a result will do for patients, as there is absolutely no information on the alleged violation, not even an overbroad one.


It does not seem as though ProPublica offers a "legend" of any sort to aid patient understanding, nor does ProPublica make an attempt to explain what the aforementioned "Unauthorized Access/Disclosure Involving Paper/Films" problem, or any of the other cited problems, means. The lack of clear information and explanations may very well wind up being a curse to patients and the medical professionals that aim to serve them.

Another Transparency Threat – Health Education Exchanges and Medical Identity Theft

We have previously drawn attention to some of the downsides of transparency as it relates to medical information. Those downsides typically revolve around the Sunshine Act and Open Payments data. However, there is another major concern about yet another aspect of medical information transparency. Electronic health records, which allow a primary care physician to quickly send information to other physicians, are starting to become more prominent, easily accessible, and dangerous.

Health information exchanges (HIEs) allow doctors to share information amongst each other and help healthcare agencies to track and respond to emerging health threats. Storing patient medical records in the cloud instead of on-site helps cut down on IT costs and storage costs, and allows medical providers to focus on their primary mission of providing healthcare to patients.

While there are some positives to health records being easily accessible by medical professionals, medical data being so easily accessible also presents a huge attack surface for cyber thieves. A recent Ponemon Institute survey reported that 2.3 million adult patients were victims of medical identity theft in 2014 and those victims spent an average of $13,500 trying to restore their credit, pay off fraudulent medical claims, and clean up their health records.

While the 2014 figures may astound you, The Washington Post reports that the Department of Health and Human Services (HHS) estimates over 120 million Americans have had some of their protected health information (PHI) compromised in data breaches since 2009.

Individual companies and agencies have reported their own data breaches of PHI as well. Excellus BlueCross BlueShield suffered a data breach that affected 10.5 million people; Premera had a breach that affected up to 11 million people; and the Office of Program Management breach affected up to 21.5 million. It is estimated that in total, as much as half of the United States population has had PHI compromised.

These data breaches are the results of a new form of cyber attack. While there isn't just one purpose or motivation behind cyber attacks, there are several plausible ones. One reason may be that when cyber attackers steal medical identities, they are able to monetize the financial information included within them. Dwayne Melancon, chief technology officer with Tripwire, says that the healthcare industry is ahead of the retail industry, but behind the financial industry, when it comes to protecting consumer data. The growth of the Dark Web has provided a ready and simple market for thieves who sell financial and other personal information, such as medical records. As such, it is possible that cyber attackers are turning to an easier approach when it comes to taking your financial information.

Further, while financial information can be monetized almost immediately, medical records can take a bit longer to exploit. If someone seeking medical treatment is using health information of another patient to receive free medical care, they need to be sure their provider doesn't already know who the real patient is and that the identity they stole matches them and their health issues close enough so that the fraud will not be immediately detected.

It isn't just the possibility of free medical care that could be motivating healthcare cyber attackers. Personal medical information can also be useful to those perpetrating phishing attacks. Parents of terminally ill children who receive calls from their doctors, or from others purporting to be linked to the doctor, are not likely to be as cautious when told their child has been recommended for a promising clinical trial, and may give financial information over the phone.

Another use for stolen health data is extortion. UCLA Health dealt with a data breach in July 2014, after which Jeff Hill, channel manager at STEALTHbits Technologies, speculated that part of the motivation for attacking an LA-based health system is to find personal health information on celebrities and hold that information for ransom or sell it to news organizations. He states that, "[t]he most private and potentially embarrassing information about all of us can be found in our medical records, and they often sit exposed on the vulnerable networks of myriad hospitals, clinics, insurance companies, etc."

Unfortunately, these data breaches are not always avoidable. Dwayne Melancon stated, "There is a tendency to say a company didn't know what they were doing. That is not always the case... In a lot of those cases it isn't negligence, it's just something people could not foresee. If they were taking reasonable measures and still got compromised, it may be that they had well-resourced, determined attackers, and any organization could be vulnerable to that."

When personal health information is exposed through breaches, patient lives can hang in the balance. It is important for all decision makers in healthcare organizations to understand these threats and work to combat them daily, from IT staff to privacy and compliance staff.

January 28, 2016

FDA CDER Update 2016

We recently reported that 2015 resulted in the highest level of newly approved U.S. drugs in nineteen years. This reflects an industry-wide desire to research and develop drugs for rare and hard-to-treat diseases. As has been reported, while speaking at a recent meeting in Washington, D.C., the U.S. Food and Drug Administration's Director of the Center for Drug Evaluation and Research (CDER), Janet Woodcock, noted the agency has moved to address the backlog of abbreviated new drug applications (ANDAs). Woodcock added that CDER is working to prepare for the emerging biosimilars market. Additionally, John Jenkins, Director of the Office of New Drugs at CDER, outlined drug approval statistics, particularly as CDER has seen a steep rise in orphan drug approvals.

CDER in 2016

For 2016, Woodcock stressed that filling vacancies at the agency's drug offices is of critical importance. CDER will also be engaged in the re-negotiations of the generic drug, prescription drug, and biosimilar user fee programs; the programs expire in 2017, adding to FDA's focus. Other areas of focus for CDER include issuing draft guidance on generic versions of abuse-deterrent opioid formulations, streamlining clinical trial monitoring and data cleaning practices, developing and standardizing electronic submissions to CDER, and reevaluating drug advertising and promotion regulations in light of recent court decisions.

Woodcock's comments on promotional activity come as it has been reported that, in 2015, the Office of Prescription Drug Promotion (OPDP) issued a record-low nine letters to companies for advertising and promotion violations. Four of the letters involved inadequate or omitted risk information, and other common citations involved unsubstantiated or misleading statements. FDA has still not finalized its guidance on social media, although the agency has issued several guidances that deal with the issue.

Legislation Stalled

As FDA grapples with staffing concerns and regulatory developments, Congress continues to debate the 21st Century Cures legislation. It easily passed the House, but for months has been stuck in the Senate. Now, news comes that the Senate Health, Education, Labor and Pensions (HELP) Committee will not take up the bill as it marks up legislation on neurological diseases research and electronic medical records. The measure has stalled in the Senate, mostly because Republicans and Democrats have failed to agree on how to pay for the bill. The House bill included more than $8 billion in new funding for researchers at agencies like the National Institutes of Health and provisions seeking to overhaul the FDA.

According to Sen. Lamar Alexander (R-Tenn.): "Senators and staff on our committee have been working together throughout 2015 to produce a number of bipartisan pieces of legislation that are ready for the full committee to consider." "The House has completed its work on the 21st Century Cures Act. The president has announced his support for a precision medicine initiative and a cancer 'moonshot.' It is urgent that the Senate finish its work and turn into law these ideas that will help virtually every American," he said.

GAO: FDA Lacks Reliable and Accessible Postmarket Data

When there is an unmet need for the treatment of a serious condition, FDA may use one or more of its expedited programs, such as fast track and breakthrough therapy designation, which are intended to bring drugs to market more quickly. FDA is also responsible for monitoring the safety of drugs and reporting on those efforts.

With this in mind, the GAO was tasked with providing information about FDA's expedited programs and its postmarket monitoring of expedited and nonexpedited drugs. The report examined (1) the number and types of requests for fast track or breakthrough therapy designation, (2) the number and types of FDA-approved drug applications that used an expedited program, and (3) the extent to which FDA's data on tracked safety issues and postmarket studies allowed the agency to meet its reporting and oversight responsibilities.

The GAO looked at FDA data on requests for fast track or breakthrough therapy designation and approved drug applications that used an expedited program from October 1, 2006, to December 31, 2014. It also reviewed FDA information on tracked safety issues and postmarket studies, including FDA internal evaluations and guidance, and interviewed FDA officials. In its findings, the GAO recommends the FDA develop plans to correct problems with its postmarket safety data and ensure that these data can be easily used for oversight. HHS agreed with GAO's recommendations, according to the report.

Rep. Rosa DeLauro (D-CT), who commissioned the GAO report, said in a statement: "The GAO report confirms my greatest fear, that FDA lacks fundamental resources and leadership in ensuring that drugs brought quickly to market are truly safe and effective." She added: "If FDA is shifting more of the safety risk to consumers by allowing fewer and shorter clinical trials on expedited drugs, adequate tracking of drug safety issues and review of post market studies are absolutely vital."

The GAO's report was especially critical of FDA's CDER office. According to the report, FDA lacks reliable, readily accessible data on tracked safety issues and postmarket studies needed to meet certain postmarket safety reporting responsibilities and to conduct systematic oversight. CDER's internal evaluations of data in its database revealed problems with the completeness, timeliness, and accuracy of the data. These problems have prevented FDA from publishing some required postmarket safety reports in a timely manner, and have restricted its ability to perform systematic oversight.

CDER's data on tracked issues was not complete, indicating that 144 issues had not been formally entered into its database. The time consuming nature of data entry was cited by FDA as a potential reason. GAO reports FDA officials acknowledged that staff were not following CDER's policies and procedures for tracking and documenting potential safety issues, but said that given the high workload of its review staff it had prioritized identifying, assessing, and addressing potential safety issues over administrative tracking. CDER's information on postmarket study status was found to be outdated and inaccurate, also related to staff delays in reviewing submissions.

Additionally, tracked safety issue and postmarket study data were not readily accessible to the GAO for analysis. FDA officials told the GAO much of the information has to be manually reviewed and cannot be accessed electronically. FDA reported to GAO that some information about postmarket studies, such as the date FDA requested or required a study, must be manually collected from the text of letters to sponsors; these letters are not automatically linked to information about the study in internal systems, which can make them challenging to locate.

GAO concludes the FDA's lack of reliable and accessible postmarket safety data prevents the agency from publishing required reports in a timely manner and restricts the FDA's ability to conduct effective oversight. As of October 2015, GAO notes that FDA had not published required annual reports containing data on postmarket studies for fiscal years 2013 and 2014. FDA officials told GAO that the agency had decided to delay publication of the reports primarily due to CDER's internal evaluation of the postmarket study data and subsequent efforts to address the data problems that were identified.

However, to its credit, GAO reported that FDA has taken some steps to address the problems identified with the postmarket safety data, although the agency is not currently announcing any comprehensive plans with goals and time frames. FDA said it intends to address its incomplete data on tracked safety issues by revising and streamlining its processes for reviewing and tracking these issues. FDA officials said that CDER has formed a workgroup that is considering options to clarify which potential safety issues should be centrally tracked, and how the tracking and review processes could be streamlined. Additionally, FDA intends to increase the timeliness and accuracy of its postmarket study data by improving tools for oversight and data collection. FDA officials said the agency is aiming to facilitate more timely review of sponsor submissions that contain information on postmarket studies by improving internal oversight.


