Tag Archive for: business associates

The Revised AdvaMed Code of Ethics on Commercial Interactions with U.S. Health Care Professionals

Advanced Medical Technology Association (AdvaMed) is a trade association for companies producing medical devices, diagnostic products, and health information systems. Relationships between AdvaMed member companies and Health Care Professionals (HCPs) are vital to the development of medical technologies, their safe and effective use, and medical research and education. However, these relationships can also create risk under state and federal laws. To avoid such risks, AdvaMed created the AdvaMed Code of Ethics on Interactions with U.S. Health Care Professionals (AdvaMed Code) in 1993. Recently, AdvaMed has announced revisions to its code to clarify and refine its discussion of interactions between HCPs and AdvaMed member companies. Revisions become effective January 1, 2020.

AdvaMed Code: New Sections

Jointly Conducted Education and Marketing Programs: Companies who partner with HCPs to conduct joint education and marketing programs, which must be designed to highlight medical technology and an HCP’s ability to diagnose or treat medical conditions, should comply with the following guidelines:

  • A legitimate need must exist for the company to engage in the activity for its own educational or marketing benefit;
  • Companies should establish controls to ensure that the decisions to engage in such arrangements are not an unlawful inducement;
  • Jointly conducted education and marketing programs should be balanced and should promote all parties;
  • All parties should make equitable contributions towards the activity and costs of the program; and
  • The arrangement should be documented in a written agreement.

Communicating Information for the Safe and Effective Use of Medical Technology: Communicating information about unapproved or uncleared (off-label) uses for approved or cleared products should be in accordance with the code’s established principles. These principles recognize the industry’s responsibility to communicate medical and scientific information to achieve positive patient outcomes and to support public health. The code’s off-label communication guidelines reflect recent judicial opinions affirming First Amendment protections for truthful and non-misleading off-label speech. Industry-appropriate communications can include:

  • Proper dissemination of peer-reviewed scientific and medical journal articles, reference texts, and clinical practice guidelines;
  • Presentations at education and medical meetings; and
  • Discussions with consultants and HCPs to obtain advice or feedback.

Companies should evaluate and implement these guidelines in light of existing FDA laws and the HHS/OIG instruction on off-label communications.

Company Representatives Providing Technical Support in the Clinical Setting: Company representatives may play an important role in the clinical setting by providing technical support on the safe and effective use of medical technology. Representatives providing technical support should:

  • Be present in the clinical setting only at the request of and with supervision by an HCP;
  • Be transparent that they are acting on behalf of the company in a technical support capacity;
  • Not interfere with an HCP’s independent clinical decision-making;
  • Comply with applicable hospital or facility policies and requirements; and
  • Not eliminate an expense that the HCP should otherwise incur while providing patient care.

AdvaMed Code: Consolidations and Clarifications

Cornerstone Values:  Innovation, education, integrity, respect, responsibility, and transparency form the basis of the updated AdvaMed Code. It directs medical technology companies to review all interactions with HCPs in light of these values and to avoid interactions designed to circumvent the code.

Scope and Applicability: The updated AdvaMed Code applies to all interactions regardless of whether an interaction occurs outside the United States (such as at a conference or other event). The updated code clarifies that for companies with multiple lines of business, the code applies only to the company’s interactions linked to medical technology, including all interactions related to combination products that include a medical technological component (i.e., combination of biologic devices and drug products).

Consulting: Although the content regarding consulting remains mostly unchanged, the updated AdvaMed Code adds clarifying language defining what constitutes a “legitimate need” for the consultation. According to the code, a legitimate need arises when a company requires the services of an HCP to achieve a proper business objective. However, engaging an HCP for the purpose of generating business directly from such HCP (or health care provider affiliated with the HCP) is not a proper business objective.  

The AdvaMed Code also explains how a company can establish “fair market value.” A third party may assist in developing an approach to assess fair market value, but in all instances, a company should incorporate objective and verifiable criteria. Companies are encouraged to document their methods to evaluate whether compensation reflects the fair market value of the services provided.

Consolidations: The AdvaMed Code consolidates the following sections:

  • Industry conducted training, education, and other business meetings into a comprehensive section that provides parameters for all industry-conducted programs;
  • Third-party education, charitable, and research programs into a comprehensive section regarding grants, donations, and commercial sponsorships; and
  • Meals, travel, lodging and venue sections into a comprehensive section that encourages companies to avoid selecting a setting because of its entertainment or recreational facilities, as well as encouraging companies to develop meal policies and review benchmarking information.

Next Steps

The updated AdvaMed Code notes that it does not replace any state laws, regulations, or codes that contain stricter requirements. Certain states, including California, Connecticut, and Nevada, have made the code’s provisions mandatory. Alleged violations of the federal Anti-Kickback Statute may provide a basis for whistleblowers or the government to file cases alleging that AdvaMed Code noncompliance is evidence of improper conduct. To reduce compliance risks, medical technology companies and HCPs should consider whether the updates to the AdvaMed Code warrant changes to their policies, procedures and practices, and contracts regarding interactions with one another. The delayed effective date of the new Code is intended to provide time to conduct this review.

Legal Assistance

Medical companies and Health Care Providers are well-advised to seek legal counsel to conduct a review of the paperwork governing their interactions. The health law attorneys at Farrow-Gillespie Heath Witter LLP can assist in that review.


Author Scott Chase is a health law and corporate attorney at Farrow-Gillespie Heath Witter LLP.  Mr. Chase has been named to the lists of Best Lawyers in America (U.S. News & World Report), Texas Super Lawyers (a Thomson Reuters service), and Best Lawyers in Dallas (D Magazine) in every year for more than a decade.

The Physician Payments Sunshine Act

The Physician Payments Sunshine Act (“PPSA”) requires medical product manufacturers of drugs, devices, biologics, and medical supplies covered by Medicare, Medicaid, or the Children’s Health Insurance Program to annually disclose to the Centers for Medicare and Medicaid Services (“CMS”) any payments or transfers of value made to physicians or teaching hospitals. The PPSA is designed to increase transparency around the financial relationships between physicians and manufacturers by requiring manufacturers to report to CMS in three broad categories of payments or transfers of value:

(A) payments for meals, travel reimbursement, and consulting fees

(B) ownership and investment interests in manufacturers held by physicians and their immediate family members

(C) research payments, including any payment made for participation in preclinical research, clinical trials, or other product development activities

While these categories cover a wide range of relationships, certain transactions and transfers are exempt from disclosure. Manufacturers are not required to report on any payments under $10 (unless those individual payments total more than $100 annually), on educational materials intended solely for patients, or on product samples. After undergoing a verification process, any data reported under the three categories listed above will be published annually in a publicly searchable database.

These reports inform patients of any incentive their physician may have for recommending a certain medical device or drug and allow them to make an informed decision on whether to follow the physician’s recommendation or not.

In addition, the PPSA imposes penalties for failure to comply with these reporting requirements. For each payment that a manufacturer or GPO fails to report, a penalty of $1,000 to $10,000 may be applied. The maximum annual penalty for failure to report is $150,000. However, the penalties are more severe in cases where the manufacturer or GPO knowingly fails to report, in which case the penalties range from $10,000-$100,000 per payment, up to a maximum penalty of $1 million. Individual physicians are not required to report, but physicians are encouraged to monitor the manufacturers’ reports for inaccuracies.

The PPSA is not the only federal statute that governs financial relationships between physicians and medical product manufacturers but it is unique in that it creates a report of such relationships.

In order to determine if a payment made by a manufacturer to a physician needs to be reported in compliance with the PPSA, please consult a healthcare attorney.


Author Scott Chase is a health law and corporate attorney at Farrow-Gillespie Heath Witter LLP.  Scott has been named to the lists of Best Lawyers in America, Texas Super Lawyers, and Best Lawyers in Dallas in every year for more than a decade.

Tahlia Clement is a clerk at FGHW. Ms. Clement is a 2019 candidate for a Juris Doctor at SMU Dedman School of Law, where she is the Editor-in-Chief for SMU’s Science and Technology Law Review. She holds a B.A. in journalism and mass communications from Arizona State University.

HIPAA and business associates

HIPAA-covered entities and their business associates are facing increased obligations to securely maintain and handle protected health information. A health care entity subject to HIPAA rules must ensure that its contracts with a business associate that may receive protected health information include statutorily required assurances that the business associate will appropriately safeguard the information. That is, in a vendor contract, staffing contract, or services contract in which data provided to a party includes protected health information of any person, the contract that governs that transaction or relationship must include language of HIPAA compliance.

For assistance in assessing security risks, updating policies, and training employees, please contact board-certified healthcare attorney Scott Chase.

What is HIPAA?

HIPAA, HITECH, and state laws all impact the responsibilities of health care providers and their business associates regarding the treatment and disclosure of confidential medical and health records. The HIPAA Security Rule, in particular, requires that covered entities keep electronically-stored protected health information in a manner that maintains the records’ confidentiality, integrity, and availability. Covered health care providers must carefully identify potential risks and vulnerabilities and protect against reasonably-anticipated threats or hazards to the security of confidential information. They must protect against reasonably anticipated impermissible uses or disclosures and ensure compliance by their employees. The Security Rule requires covered entities to provide access to usable electronically-stored protected health information to authorized persons on demand.

Business associates of HIPAA-covered entities, who are not covered entities themselves, also face increased responsibility under the HITECH Act of 2009 to securely maintain and handle protected health information. To avoid steep fines and the growing possibility of civil liability, covered entities and their business associates should be informed and proactive regarding their evolving responsibilities with respect to protected health information.

The Security Rule does not dictate specific protection measures, but instead allows each covered entity to develop its own measures considering its size, complexity, and capabilities; its technical infrastructure; costs; and the likelihood and possible impact of inadvertent disclosures of protected health information. Entities must properly document their chosen safety measures. Importantly, however, it is not enough for an entity to adopt security standards; instead, those standards must actually be assessed, implemented, and followed. The Security Rule requires that security measures be updated and documented “as needed.” While the Rule does not state how frequently risk analysis must be performed, regular review and modification of security measures is undoubtedly key in ensuring HIPAA compliance. Security assessments and training should take place on an ongoing basis, and legal audits of compliance are advisable on a periodic basis or when an entity has experienced a security incident, a change in ownership, or a turnover in key staff, or when the entity is planning to incorporate new technology.

For more information, contact board-certified health care attorney Scott Chase.

$150,000 Fine for HIPAA Violation

The U.S. Department of Health and Human Services, Office for Civil Rights (HHS-OCR), has recently entered into another HIPAA settlement, emphasizing yet again the government’s focus on the HIPAA Security Rule. The settlement highlights that health care entities cannot merely adopt HIPAA policies but that they must actually implement and follow those policies in practice on an ongoing basis. In early December 2014, HHS-OCR confirmed that Anchorage Community Mental Health Services (ACMHS), a nonprofit organization providing behavioral health care services, had agreed to pay a $150,000 fine and adopt a corrective action plan to correct deficiencies in its HIPAA compliance program and to report to HHS-OCR on the state of its compliance for two years. The settlement was based on an HHS-OCR investigation regarding ACMHS’s breach of unsecured electronic protected health information (ePHI). The breach was the result of malware that compromised the security of ACMHS’s information technology (IT) resources and affected 2,743 individuals.

During its investigation, HHS-OCR found that ACMHS had adopted sample HIPAA Security Rule policies and procedures in 2005, but these policies and procedures were not followed and/or updated. Thus, ACMHS could have avoided the breach (and not been subject to the settlement agreement) if it had followed its own policies and procedures and regularly assessed and updated its IT resources with available patches. The settlement with ACMHS is just one of several recent settlements arising from an HHS-OCR investigation, either because an organization self-reported a breach of ePHI or because HHS-OCR investigated an organization’s HIPAA compliance program after receiving a complaint or as part of its annual audit protocol. No matter how the investigation begins, HHS-OCR will expect an organization to have fully implemented and updated its HIPAA compliance program and/or policies and procedures. Compliance with the HIPAA Security Rule requires organizations (among other things) to assess risks to ePHI on a regular basis, including whenever new software, e.g., a patient portal, is implemented. Organizations cannot simply adopt HIPAA policies and procedures, conduct training and then ignore HIPAA. All organizations subject to HIPAA, both “covered entities” and “business associates” (regardless of size), must devote ongoing resources to protect personal health information from security threats.

Most of the activities that HHS-OCR found lacking in ACMHS are ones that can be efficiently developed, implemented or sustained with timely planning by health care providers.  Please let me know if you, or any of your clients, would like to discuss any of these activities with me.