HIPAA For HealthTech


Darshan: Today's recording is based on the idea that we should be discussing privacy more and we should be talking about what privacy means, and we should be talking about what the legal requirements are versus what is a good thing to do and what is smart to do.

Narrator: This is the DarshanTalks Podcast, regulatory guy, irregular podcast, with host, Darshan Kulkarni. You can find the show on Twitter, @DarshanTalks, or the show's website at darshantalks.com.

Darshan: When we think about it, again, we'll go back to our four major pillars of patient centricity. The four major pillars of patient centricity are transparency, number two is the converse of that, which is privacy. The third one is innovation, and the last one is access, i.e., patients want information. They want to make sure their information is private and controlled, and in a way that's not just being spread, that they have access to innovations and access to new and updated technologies. Finally, the most important part, which is being able to actually access those innovations in a transparent and private way. So, we're only talking about one aspect of it, which is the privacy aspect of it. When we start discussing that privacy aspect, the most common topic to come up is HIPAA. It's important to recognize that when you're talking about HIPAA, it's not just the only game in town. There are state laws that also have coverage for health information and privacy associated with that health information.

Darshan: It's also important to recognize that it's only relating to health, so there are non-HIPAA laws that control the privacy associated with that information, the most famous of which right now is GDPR. There's also CCP and the like as well. The converse of that, which is just because something has health information, doesn't necessarily make it subject to HIPAA, and that's actually really surprising to a lot of people. This was sort of interesting to me, because I started looking up some information around HIPAA and I was surprised that IRBs and privacy boards can potentially waive the need for HIPAA authorizations on cases. So, just because it is a health-based scenario and just because it may be even done in the context of a physician relationship, doesn't necessarily mean that HIPAA is always applicable. A privacy board or an IRB may be able to waive that requirement. The next thing to look at is the idea that the information is always unavailable. You have to recognize that if you're doing a study, the information should be the information that is being protected.

Darshan: If you're collecting that information, it has to be focused and it has to be responsive to the study itself. So, you can't just go willy-nilly collecting everything you wanted to collect, just because it would be interesting. So, let's take a step back and let's talk about why this came about. So, I had a discussion on Twitter a little bit ago around HIPAA and how health tech companies manage HIPAA versus what is actually required. I'm not going to name names or anything, quite honestly, because I don't even remember the names. It was just an interesting conversation and I thought that it's a valid conversation to have. So, HIPAA, again, stands for the Health Insurance Portability and Accountability Act, of 1996. So, it's one of the first privacy laws that we think of and people therefore think that it's all encompassing, it's the broadest, it's the mother of all privacy laws. Just because it's the mother, doesn't mean it's the most encompassing. What HIPAA was set up to do was provide the ability to transfer and continue health insurance coverage for millions of people.

Darshan: Surprisingly, it also was supposed to help control health fraud and help with managing industry wide standards of health information on electronic ability and other processes. So, the controls came around that. As it relates to privacy, there are other laws that do come into place as the common rule, the FDA itself has some controls around privacy associated with subject. They're limited, but they exist. Surprisingly, the OCR, which is the Office of Civil Rights, does have controls around it, HIPAA being one of them. So, keep that in mind. The other piece around HIPAA is the fact that it's not just one law, it's not just here's a list of things you need to do to comply with HIPAA. They have the privacy rule and they have a security rule, and they're related, but they're not the same thing. So, people always go, "I have all these controls in place, therefore, I am HIPAA compliant." No, that just means that you've potentially met a lot of the security requirements around HIPAA, but are you taking all the right steps to maintain an individual's privacy? Those are the questions that started coming into place.

Darshan: So, what is HIPAA? The general purpose of HIPAA was the idea that if I go to a physician, go to a doctor, you want to have the information you share with your doctor to be private, and that makes sense. You don't want that doctor turning around and selling that information to the highest bidder in a way that compromises their identity. Now, here's an important question, important consideration. The idea that if you have information and that information does have HIPAA components to it, or at least private components to it, the idea is that it will never get shared. No, you could theoretically be in a scenario where that information gets de-identified, and then it gets shared. That would actually be compliant with HIPAA. There are also scenarios in which that information, even in an identified manner, can be shared, but then all the people associated with it would need to have appropriate controls in place. So, just recognize that just because something is subject to HIPAA, doesn't mean that it can or cannot be shared.

Darshan: So, the next question is who is subject to HIPAA? So, covered entities are subject to HIPAA. So, what is a covered entity? Covered entities are health plans, healthcare providers, healthcare clearing houses, so your health insurance companies and the like. What is interesting to recognize in that is pharmaceutical companies are not a covered entity. Health tech companies are not a covered entity. So, if you are a pharmaceutical company or you are a health tech company, just because someone gives you data, doesn't necessarily mean that it's automatically covered under HIPAA. The second piece of that is if you get the data from someone else, you may be subject to HIPAA requirements because of your business associates agreement. So, that's your BAA that a lot of people signed. So, a lot of people assume that if you have health information, it is automatically protected health information, or PHI. Therefore, you require BAA.

Darshan: No, I could theoretically, and again, I'm not giving legal advice, create a website and say, "People, give me your health information." If they give me that health information on the website, if I'm not acting as a physician, that's not covered under HIPAA. So, again, there are other laws that may take into place, things like GDPR, but as a general rule under HIPAA, you aren't necessarily subject to HIPAA. So, the most common misconceptions. This only applies to data directly or indirectly from covered entities. So, well, it's not a misconception. This only applies to data that came to you from a covered entity, so therefore, if the data did not come to you from a covered entity, like from a regular website, you would not be covered under HIPAA. Just because it didn't come from a covered entity, doesn't mean you're exempt.

Darshan: So, it could've gone from a covered entity, like a doctor, to another person, to you, and you're probably in that chain, and therefore, will be covered under HIPAA. Conversely, just because it's health information, doesn't mean it's not automatically protected, like that website example I just gave you. So, keep these scenarios in mind. If you need to, again, reach out to me, I'm happy to talk to you to explain what's on these situations you might be in, whether you need to be covered or don't. The next question to think about is, does that mean I'm safe? You've got CCP and GDPR, the Indian Privacy Act, that's being proposed, state laws, all of which could cover patient privacy.

Darshan: There are specific laws, for example, around disease states, like AIDS has state level laws that will say that you need to maintain certain privacy requirements that are different from the requirements for HIPAA. So, keep that in mind. Can I be HIPAA-certified? I see this a lot. I see people saying, "I'm dealing with this company and they're HIPAA-certified." There's no such thing, you can't be HIPAA-certified. I've worked with these organizations, they're reputable. What you get is basically a third-party vendor that says, "We will come examine your processes, we'll audit those processes, and we'll say that you meet these standards. So, this way, if you have 50 people who want to go look at your certification, they can just come to us, we'll share what our requirements are and we'll certify that you meet those requirements." That doesn't mean you're HIPAA-certified, that just means that you meet the standards that this organization has, and those include HIPAA.

Darshan: If OCR comes up, audits you, you can't go, "We have this documentation." That doesn't mean anything, it just means that you've tried to meet those standards. That might be helpful, but it's not the overarching argument. What about all these other certification agencies that I see? Does that mean I'm covered? Like we just expressed, it's part of the story, it's not the full story. There are more bits of information that they're trying to cover. If you're processing, for example, credit card information, there are other laws that come in. If you are just collecting information, willy-nilly, for a sales reason, there are other laws that come in, whether it's CCPR, GDPR, et cetera.

Darshan: So, stay tuned, listen in. If you have questions about HIPAA, about high-tech, how it applies to you, feel free to reach out. Hopefully, I'll be able to provide some answers. Otherwise, I can find out those answers for you. Stay tuned.

Narrator: This is the DarshanTalks Podcast, regulatory guy, irregular podcast, with host, Darshan Kulkarni. You can find the show on Twitter, @DarshanTalks, or the show's website at darshantalks.com.


Cannabis Use Policy for Employers


Darshan: So the talk today is about, what should employers do about employees who use cannabis?

Narrator: This is the DarshanTalks podcast. Regulatory guy, irregular podcast, with host Darshan Kulkarni. You can find the show on Twitter @DarshanTalks or the show's website at darshantalks.com.

Darshan: Let's first take a step back and talk about the fact that, what are the laws around cannabis? So to do that appropriately, what you really have to start thinking about is, what level are you talking about? There is the federal level, there's the state level, and then there's the local level. At the federal level you've got the DEA, USDA, and FDA, who basically take the position that there are ... For the most part, the DEA asserts that it's a schedule one substance, cannabis is a schedule one. And when I say cannabis I really mean THC, or tetrahydrocannabinol. It's a schedule one, and in those specific instances there's no good reason to use it. Having said that, it does have exceptions. For example, there are products like Marinol that are actually FDA approved, and therefore the DEA takes the position that that specific one is okay and appropriate, assuming certain other conditions are met. The FDA, like I said, has done an evaluation, and for very specific reasons and very specific positions, they have approved THC and CBD-containing products.

Darshan: And again, they've been synthetic versus naturally produced, etc., etc., etc. And we don't need to get into the details of this. It's really more about, what is the federal level versus the state level kind of issues. And then the USDA, which actually has a slightly different version on all of this. And it basically says that, it ties itself basically to the states, and we'll talk about that in a second. So for the most part it's illegal at the federal level unless you've actually gone through the FDA approval process. On the other hand, at the state level they take a slightly different position. And individual states have actually said that depending on whether it's for ... Some states basically still do the blanket, "It's illegal." There are some states who say that you can use it, but it has to be for medicinal uses.

Darshan: And there's another piece, another group of states that come out and say, "We'll allow it not only for medical but also for recreational use." And for medical reasons you have to meet certain conditions, and that it has to be one of 22 or 23 different indications. And again, each state chooses which ones they want. It may be more than 23, it may be less than 23. But that's really where it stands. And then you've got the recreational, which, it's not tied to a specific disease at all. And then you've got the local, which basically is, some cities like ... Well, before I go to the local, we spoke about state, we talked about medicinal uses versus recreational uses. And the USDA takes the position that if you're going to do state level cannabis, the labs that measure this need to be DEA approved.

Darshan: And that's become a source of issues. And the DEA is now taking a step back from that position, the USDA is taking a step back from that position, but that's really where that world plays. And again, we can get into details if you need to reach out to me.

Darshan: At the local level, you have cities taking the position that, "Yes, we recognize that at the federal level it's generally illegal to use cannabis. However, we're not going to prosecute," which basically means that they're "decriminalizing." So at no point is it legalized, it is just decriminalized. And that's the distinction between the two. On the other hand, when you actually start looking at the different states, they do have, from an employee/employer standpoint, there are a couple of different standards. The first thing to recognize is, where is the cannabis being used?

Darshan: Is it being used at your facility as an employer, or is it being used on the individual's own personal time? If it's being used in their own personal time, there are, depending on the state, there's probably about half a dozen ... Well, no, about a dozen states or so who have anti-discrimination employee protection policies. And different states have started, Rhode Island started in 2013 and Oklahoma had one in 2019, and there have been a series between that. And essentially what it comes down to is, you can't discriminate against employees or potential employees for using medical cannabis. On the other hand, some will go one step further and say that if you're using medical cannabis, you need to accommodate for that. Nevada is the one that really comes to mind. And that may mean things like you need to allow them to start later, etc., etc., etc.

Darshan: Then you've actually got states which will say that it's not just accommodating, or it's not just not discriminating against people in the context of medical cannabis, but also in the context of recreational cannabis. And this one's sort of interesting, because Nevada had one in 2019. However, Maine had one, but they repealed it in 2017. So that's an interesting glitch, if you will. So for the most part, as long as employees aren't bringing the medical cannabis to work, they aren't working in a job where impairment may result in serious harm to others, and they aren't working in a federally related job, employers cannot take medical cannabis use or positive drug results into consideration when making hiring and firing decisions. People will go one step further, and you've got Alaska, Illinois, and Indiana, which is sort of interesting. So in 2019 Alaska introduced a bill that would restrict the release of certain records pertaining to low-level cannabis convictions.

Darshan: So we spoke earlier about the idea of decriminalization. They're taking this one step further and saying it's not only decriminalized, but you can't get the records associated with prosecution for these low-level cannabis uses. Then Illinois actually took the bill that they would seal the records of non-violent criminal convictions for 10 years after termination of the petitioner's last sentence. And the petitioner may actually petition the court to expunge records of a conviction or a guilty plea if it meets certain criteria. And then you had Indiana. And Indiana introduced a bill that would outlaw employment discrimination against medical cannabis patients, but they would also actually add protections for employers.

Darshan: So what that really means is that this would allow employers to prohibit medical patients from performing any tasks while under the influence of cannabis, and provision of the performance-specific tasks would not be considered to be unlawful discrimination, even if it resulted in a financial harm to the employee. I.e., states are taking different positions, they're taking different considerations. Indiana's position seems to be more considerate of the employer's position, Alaska and Illinois are really looking at the employee perspective. And there's probably going to have to be something that considers all of these perspectives and some level of harmonization that takes place eventually. If you have questions about what that means, how you should consider that, feel free to reach out to me. I'd be happy to talk to you further.

Narrator: This is the DarshanTalks podcast. Regulatory guy, irregular podcast, with host Darshan Kulkarni. You can find the show on Twitter @DarshanTalks or the show's website at darshantalks.com.


Financial Assistance from a Pharma Company


Darshan: So let's ask a question. Is it legal for a pharmaceutical company to provide financial assistance for travel, lodging and other expenses to certain patients prescribed the manufacturer's drug?

Narrator: This is the Darshan Talks Podcast. Regulatory guy, irregular podcast, with host Darshan Kulkarni. You can find the show on Twitter @darshantalks or the show's website at darshantalks.com.

Darshan: This was an OIG opinion from January 2020. And I thought it would make sense to explore exactly what the OIG gave an opinion on, what the implications are, and why it matters.

Darshan: So the drug in question is a personalized medicine made from the patient's own cells in a one time potentially curative treatment. The drug is approved for one of two indications, it's either refractory or recurrent. Generally affects children or young adults, or it's affecting adults. So what is the drug itself? It's a drug that has what's called a REMS on it and only REMS certified physicians can ... treat the disease using the drug.

Darshan: The physicians who are allowed to do this, they accept the responsibility for implementing the necessary safety protocols and may prescribe and administer the drugs. Consistent with the REMS, the requestors enter into arrangements with certain inpatient/outpatient facilities, which we're calling the centers, to infuse the drug.

Darshan: These facilities also additionally perform leukapheresis and collect, process, package, and ship the patient's white blood cells to the requestor, so that requestor may use the patient's cells. The requestor being the pharmaceutical company in this specific instance, I expect ... May use the patient's cells to individually manufacture the drug.

Darshan: So what does the center need to be able to do? The facility, the center must meet applicable regulatory requirements for third party cell collection, processing and other requirements, including having onsite immediate access to the drug itself, which is used to treat severe instances of therapy related syndrome.

Darshan: Essentially they need to be able to manage results that can come out ... the adverse events of this drug and of disease itself. They must ensure that physicians who prescribe, dispense or otherwise administer the drug, are trained in the management of the syndrome and potential neurological toxicities.

Darshan: And the pharmaceutical manufacturer in this specific instance certifies that it does not require either the physicians or the centers to prescribe the drug exclusively. And that any facility that meets all the REMS with the ETASU requirements and the requestor's criteria may become a center. So the key piece here is, why is the proximity necessary?

Darshan: The proximity of the center is necessary because, A, number one to handle the fact that these patients may be required to stay there for a little bit, and only certain facilities can handle it and handle the training that's required. Under the arrangement, the pharmaceutical company proposes treating eligible Disease A patients, being the older patients, and disease B patients as well.

Darshan: And depending on whether you have Disease A or Disease B, they give up to two caregivers for lodging, travel, meals and certain out of pocket expenses. So if you're a child, you'd get two caregivers. I expect it might be the parents ... up to two caregivers.

Darshan: For Disease B, patients who are 26 and older, they provide the same level of support for a patient and one caregiver. The requestor does not provide assistance with patient travel or expenses associated with the initial patient consultations with the leukapheresis, or follow-up visits beyond the post infusion monitoring required by the drug's prescribing information.

Darshan: The requestor does not authorize lodging under the arrangement to a patient being treated by the center when the pharmaceutical company knows that the patient's eligible to receive lodging from the center and such lodging is available for that patient's use.

Darshan: Requestor has also certified that it does not advertise the arrangement. Patients do not learn about or become eligible for the arrangement until they've been diagnosed with the disease ... with either one of the two diseases, if you will, and until they've been diagnosed. So it's not like you can entice someone to stay over with it.

Darshan: So what would be provided? The requestor would offer to provide reimbursement for the gas and tolls or arrange for transportation by bus, rail, rental car, or air travel. They would use potential third party travel vendors. And the assistance is available for one round trip for the patient's and each caregiver's place of residence to a center.

Darshan: The requestor would also reimburse certain out-of-pocket expenses up to $50 per day per person. To receive the reimbursement, the patients or caregivers must submit written receipts to the requestor documenting the expenses. Patients may receive assistance for four weeks post infusion. However, if the patient's physician determines that it's medically necessary, it may go further than four weeks.

Darshan: So who's actually eligible? Eligible patients who have been prescribed a drug for an ... FDA approved indication and have a household income that does not exceed 600% of the federal poverty level. And who live more than two hours driving distance or over a hundred miles from the nearest center. So the idea would be that it's not just given to everyone, it's only to the people who need it and don't actually live close by.

Darshan: The requestor certified that the median household income for patients who received the assistance under the arrangement was $28,000 per year. And families with an annual household income of $28,000 per year would have difficulty affording travel to and a month long stay near a center for treatment. This is in line with certain other criteria.

Darshan: The travel, lodging, other assistance that the requestor offers beneficiaries, allows them to travel to and stay near a center may not actually be available otherwise. And for this lodging, the requestor provides that the arrangement ... the physicians must meet the FDA requirements, and this remuneration relates to expenses incurred by patient. And the processes that's required are actually in line with what the FDA is expecting.

Darshan: So it's necessary for the support for the financially needy patients. So the CMS technically, in this case, OIG, is open to the idea because of the very unique circumstances here. Is there a risk that the manufacturer's actions may limit drug distribution networks to particular facilities to reward their physicians and create risks under the anti-kickback statute? There is a risk for that. There's no doubt about it.

Darshan: However, the pharmaceutical company is providing assurance that any willing provider that meets the uniform center eligibility criteria may participate in the arrangement. It does limit the likelihood the requestor uses the arrangement to reward a certain number of center physicians. So it's not like they're specifically going after specific physicians.

Darshan: What about the risk for future marketing? Is this a type of seeding trial, is this a type of seeding? And what they're discovering is that it's a onetime treatment, it's potentially curative. So it's not like this causes the patients to come back over and over and over again. And additionally, these patients are not close by, they're actually over 100 miles from the closest center. So it's not like they're just going and bringing someone who lives five miles away. So OIG was actually open to this.

Darshan: Additionally, is there a risk of beneficiary inducements under CMP? And for that you need to generally do up to a three step process of analysis. So is the arrangement likely to influence a beneficiary selection of a particular provider? And the requestor assist eligible Disease A patients or Disease B patients up to two caregivers? These are valuable benefits. Therefore, an additional analysis needs to be done.

Darshan: The next question to ask is, does the remuneration offer improve a beneficiary's ability to obtain items and services payable by Medicare or Medicaid? So there's no existing authority that could pay the Secretary of HHS to pay for the nonmedical items and services such as lodging and travel. The pharmaceutical company certified that it would not authorize lodging to treat patients who would be treated by the center itself.

Darshan: Therefore, the assistance does not duplicate other available charitable assistance from the center. And therefore does the remuneration provided under the arrangement pose a low risk of harm to Medicare and Medicaid beneficiaries? And under the Promotes Access to Care exception to the Beneficiary Inducements Civil Monetary Penalties, it's a low risk of harm if it is unlikely to interfere with or skew clinical decision making, it's unlikely to increase cost to federal healthcare programs or the beneficiaries through over utilization or inappropriate utilization, and does not raise patient safety or quality of care concerns.

Darshan: So in this specific instance, they're actually adhering to the drug's REMS with the elements to assure safe use. And therefore to increase access to care for financially needy patients, this actually presents a low risk of harm and satisfies the Promotes Access to Care exception to the Beneficiary Inducement CMP.

Darshan: So overall, OIG said that in this specific instance they would allow for this type of assistance, this type of financial assistance. So it's interesting, unusual, even though the OIG said that you probably [Inaudible 00:09:58] they will allow it in this specific instance. Stay tuned, listen in, find out more about how this might play out.

Narrator: This is the Darshan Talks Podcast. Regulatory guy, irregular podcast, with host Darshan Kulkarni. You can find the show on Twitter @darshantalks or the show's website at darshantalks.com.


Blog Disclaimer

The opinions stated in this blog are the sole and present opinions of the blogger and do not necessarily represent the opinions of the Kulkarni Law Firm, PC and/or its attorneys. Such opinion(s) may change over time. Such opinion(s) should not necessarily be attributed to the institution for which these individuals may work or otherwise represent in any capacity. These blogs do not constitute legal advice and should not be construed as such.