April 2014 Health Law Updates
Dear Health Law Section Members:
The Section website has been updated with articles on significant developments in the health law arena that may be of interest to you in your practice. These summaries are presented for general information only as a courtesy to Section members and do not constitute legal advice from The Florida Bar or its Health Law Section. On behalf of the Section, I extend my deepest appreciation to the following volunteers who have generously donated their time to prepare these summaries for your review:
Kimberly J. Donovan
Alina Denis Jarjour
Malinda R. Lugo, Esq.
You can download copies of the article in our document library using the links below:
Health Information Technology & Privacy
Proposed Florida Legislation Would Overhaul Florida’s Current Data Breach Statute, Including Expanding the Definition of Personal Information to Include Health Insurance Member Numbers.
The Florida Legislature is considering proposed legislation introduced as the Florida Information Protection Act of 2014. There are two nearly identical bills currently pending in the Florida Legislature: CS/CS/SB 1524 and CS/HB 7085. If enacted, this proposed legislation would repeal Florida’s current data breach statute, section 817.5681, Florida Statutes, and replace it with section 501.171, Florida Statutes. Health care entities should review the proposed act carefully as it is significantly different from the current law.
One of the changes that will affect the health care industry is the expansion of the definition of personal information to include data sets containing (1) an “individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual” and (2) an individual’s first name (or last name and first initial). In addition, the definition includes “any information regarding the individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional” when coupled with the individual’s first name (or first initial and last name).
The proposed legislation requires notification of the “unauthorized access” of electronic data containing personal information. The covered entity must notify each individual in Florida whose personal information was either accessed or the covered entity reasonably believes was accessed no later than 30 days after there is reason to believe that a breach occurred or a determination is made that a breach occurred. However, the covered entity is not required to provide such notification if it reasonably determines after an investigation and consultation with relevant government authorities that the breach has not and will not result in identity theft or other financial harm to the affected individuals. The covered entity also would be required to notify the Department of Legal Affairs within the same time period if 500 or more individuals are affected. If the covered entity is required to notify more than 1,000 individuals of the breach, it also is required to notify the credit reporting authorities.
Only the Department of Legal Affairs is authorized to bring an action to enforce violations of the proposed act, which are treated as unfair or deceptive trade practices and subject to civil penalties. The proposed legislation expressly precludes a private cause of action.
Reported by Kimberly J. Donovan, Esq.
Stolen laptops lead to important HIPAA settlements
Two entities have paid the U.S. Department of Health and Human Services Office for Civil Rights (OCR) $1,975,220 collectively to resolve potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. These major enforcement actions underscore the significant risk to the security of patient information posed by unencrypted laptop computers and other mobile devices.
OCR opened a compliance review of Concentra Health Services (Concentra) upon receiving a breach report that an unencrypted laptop was stolen from one of its facilities, the Springfield, Missouri Physical Therapy Center. OCR's investigation revealed that Concentra had previously recognized in multiple risk analyses that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information (ePHI) was a critical risk.
While steps were taken to begin encryption, Concentra's efforts were incomplete and inconsistent over time, leaving patient PHI vulnerable throughout the organization. OCR's investigation further found Concentra had insufficient security management processes in place to safeguard patient information.
Concentra has agreed to pay OCR $1,725,220 to settle potential violations and will adopt a corrective action plan to evidence their remediation of these findings.
OCR received a breach notice in February 2012 from QCA Health Plan, Inc. of Arkansas reporting that an unencrypted laptop computer containing the ePHI of 148 individuals was stolen from a workforce member's car. While QCA encrypted their devices following discovery of the breach, OCR's investigation revealed that QCA failed to comply with multiple requirements of the HIPAA Privacy and Security Rules, beginning from the compliance date of the Security Rule in April 2005 and ending in June 2012. QCA agreed to a $250,000 monetary settlement and is required to provide HHS with an updated risk analysis and corresponding risk management plan that includes specific security measures to reduce the risks to and vulnerabilities of its ePHI. QCA is also required to retrain its workforce and document its ongoing compliance efforts. The Resolution Agreements can be found on the OCR website at
OCR has six educational programs for health care providers on compliance with various aspects of the HIPAA Privacy and Security Rules. Each of these programs is available with free Continuing Medical Education credits for physicians and Continuing Education credits for health care professionals, with one module focusing specifically on mobile device security: http://www.hhs.gov/ocr/privacy/hipaa/understanding/training
Reported by Monica Rodriguez, Esq.
Coming Soon: FDA's Final Guidance on the Use of Social Media to Advertise Drugs and Biologics
By no later than July 2014, as mandated by the Food and Drug Administration Safety and Innovation Act (FDASIA), the FDA must issue final social media advertising guidance to industry. Draft guidance (http://www.fda.gov/drugs/guidancecomplianceregulatoryinformation/default.htm) was provided in January 2014, and the public comment period on it closed in April 2014.
Creators of social media advertising for prescription drugs and biologics must have in place robust Internet advertising policies and monitoring processes, particularly since the soon-to-be-issued final guidance will no doubt add other compliance responsibilities not covered by the draft guidance.
The draft guidance makes clear that content relating to social media advertising or “interactive promotional media” (e.g., on blogs, microblogs, social networking sites, live podcasts, etc.) is to be submitted to the FDA Office of Prescription Drug Promotion (OPDP) at time of initial use and on an ongoing monthly basis (with the affected company listing all interactive sites for which it is responsible or in which it remains an active participant).
The FDA wants to review content that is owned, controlled, created or operated by regulated firms, including promotion that occurs on third party sites (provided influence ("direct or indirect control") is exerted by the product maker on those third party sites). FDA provides examples of what it means by direct or indirect control: it is meant to include editorial control, preview or review privilege, or collaboration with the poster of the information. And, the FDA expects all stakeholders to keep track of all product-related communications made by their employees and agents, whether generated within or outside of the workplace, and whether posted via personal or company email or through some other means.
Industry, compliance and legal professionals look forward to having the final guidance, particularly for direction on topics not covered in the draft guidance, including: if and how a product may be mentioned on sites with limited message space, e.g., on Twitter given a regulated company’s responsibility to provide comprehensive information about a product, including safety information; how to treat public responses in social media forums suggesting a drug for off-label use; and how to manage / respond to / track / report adverse events raised in the social media.
With the arrival of the final guidance around the corner, drug and biologics companies will soon have a more complete roadmap to govern their US Internet advertising activities; at the same time, these opportunities for more product visibility come with increased regulatory responsibilities for drug and biologics makers to monitor, track and report.
Reported by: Alina Denis Jarjour
2014 Public Health Law Conference. The 2014 Public Health Law Conference will take place October 16–17, 2014, in Atlanta, Georgia. The conference will gather public health and legal experts from across the country to examine and discuss today’s critical challenges in public health law. Find more information about the conference and learn how to get the early bird registration rate.
Selected federal legal authorities pertinent to public health emergencies. The Selected Federal Legal Authorities Pertinent to Public Health, originally published in 2009, has been updated to reflect the legislative and regulatory changes of the past five years. Public health professionals can use this document as a brief overview of the types of legal authorities granted to the federal government to prepare for and respond to public health emergencies. Find more information and read Selected Federal Legal Authorities Pertinent to Public Health Emergencies [PDF - 372KB].
Fact sheet of state pharmacist collaborative practice laws. CDC’s National Center for Chronic Disease Prevention and Health Promotion, Division of Heart Disease and Stroke Prevention released a fact sheet of state pharmacist collaborative practice laws. The fact sheet includes details about how many states authorize collaborative drug therapy management by physicians and pharmacists, whether pharmacists can prescribe drugs or order and interpret laboratory tests, whether the Board of Pharmacy must approve collaborative practice agreements, and whether specialized training or continuing education is required. Find more information and read the fact sheet [PDF - 227KB].
Washington Post (04/08/2014) Brady Dennis
The U.S. Food and Drug Administration (FDA) approved the first naloxone treatment designed to be used by laypeople and non-professional medical care providers. The treatment, a device named Evzio, is designed to administer the exact dose of naloxone to patients who are known to be or suspected of overdosing on opioids such as OxyContin, Vicodin, and heroin.
Naloxone, the standard treatment for opioid overdose, reverses the effects of opioid overdose. The new, pocket-sized device gives the user verbal prompts for use when activated. Symptoms of opioid overdose are changes in heart rate, extreme fatigue, and slowed breathing. Regulators and officials warned that the device should not be used in lieu of medical care for opioid overdose and that victims and care givers should still seek emergency care.
Because opioid overdose symptoms usually appear and worsen quickly, allowing family members and caretakers to administer naloxone may save valuable time and therefore save more patients. The FDA estimates that the new device could prevent 16,000 deaths from prescription drug overdose annually.
“For years, the lack of a lay-friendly delivery system has made it difficult to make naloxone broadly available to the public and to foster its use in non-medical settings, where it is often most urgently needed. [Evzio is] . . . an extremely important innovation that will save lives,” said FDA Commissioner Margaret A. Hamburg.
[Editor’s note: Find more information and read the FDA’s press release about the first naloxone treatment specifically designed to be given by family members or care givers.]
Prescription Drug Overdose Prevention
Prescription drug overdose in the United States is at epidemic levels. The Network and the CDC National Center for Injury Prevention and Control will host a workshop to discuss and examine legal and policy options to address this growing problem. Taking place at the Safe States Conference in May, the workshop will provide insights and best practices from public health attorneys and practitioners in states that have adopted overdose prevention initiatives.
Reported by Rodney Johnson, Esq.