By: Andrew Silverio, Esq.
In December 2020, the Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) released the findings of an extensive audit of Covered Entities and Business Associates, performed in 2016 and 2017 for compliance with various HIPAA requirements. This data, available at https://www.hhs.gov/sites/default/files/hipaa-audits-industry-report.pdf, provides valuable insight into what Covered Entities are doing right, and what they’re doing wrong, when it comes to HIPAA compliance (of the Covered Entities audited, 90% were health care providers, 9% were health plans, and 1% were health care clearinghouses).
Rather than a general audit for compliance with all of HIPAA’s requirements, the audit focused on seven provisions. It looked at compliance with the notice of privacy practices and content requirements, provision of notice – electronic notice (website posting), and right of access requirements (from the Privacy Rule), the timeliness of notification and content of notification requirements (from the Breach Notification Rule), and the security management process – risk analysis and risk management requirements (from the Security Rule). For Business Associates, the scope of the audit was more narrow, focusing only on the notification by a business associate requirements (from the Breach Notification Rule), and the security management process – risk analysis and risk management requirements (from the Security Rule).
Overall, the audit found that compliance with requirements that come into play after a security issue or breach occurs, such as breach notification requirements, is generally good. Compliance with the requirement to make the applicable Notice of Privacy Practices available online was also good. However, the results were less positive in regard to other requirements which represent more of the “groundwork” in setting up proper safeguards and procedures. For example, “… OCR also found that most covered entities failed to meet the requirements for other selected provisions in the audit, such as adequately safeguarding protected health information (PHI), ensuring the individual right of access, and providing appropriate content in their NPP. OCR also found that most covered entities and business associates failed to implement the HIPAA Security Rule requirements for risk analysis and risk management.”
These findings make sense from an intuitive standpoint – it’s easy to simply not think about HIPAA’s requirements until a problem arises. However, this audit underscores the importance of creating proper safeguards proactively – doing so can result in less damage when and if a breach occurs, both financially and when it comes to preserving client and participant good will.
By: Nicholas Bonds, Esq.
Health and Human Services (HHS) Secretary Alex Azar’s recent rule requiring drug manufacturers to include the list prices of their drugs in their television ads is being received by big voices in the industry with about as much enthusiasm as you might expect. Although the rule will not take effect until July 9, big-name manufacturers Merck, Eli Lilly, and Amgen, with the Association of National Advertisers in their corner, are suing HHS and Secretary Azar to block the policy on a combination of likelihood of confusion and First Amendment grounds. Lawsuit aside, the HHS rule drew heavy inspiration from trademark law for its design, and the Federal Government continues to look towards the intellectual property framework for ideas to drag drug prices out of the stratosphere.
Representative Elijah Cummings, Chairman of the Committee on Oversight and Reform, has been among those in Congress leading the charge in this battle over drug prices. Representative Cummings and Senator Debbie Stabenow have joined forces to enlist the Government Accountability Office (GAO) to review HHS’s system for managing patent licenses, with a special focus on Gilead Sciences’ HIV pill. The drug manufacturer relied, to an extent, on taxpayer-funded research to invent this drug, and is now charging rates that put it out of reach for many desperate patients. Lawmakers like Cummings and Stabenow believe HHS could better enforce the government’s rights to royalties and licenses, and should take pricing into account when granting such valuable licenses.
Meanwhile, Senators John Cornyn and Richard Blumenthal have introduced the Affordable Prescriptions for Patients (APP) Act, which is designed to empower the Federal Trade Commission to challenge the anti-competitive nature of patent thickets using its antitrust authority. These thickets encircle drugs like Humira and Lantus with dozens of overlapping patents, effectively foreclosing the possibility of generics or biosimilars giving consumers cheaper alternatives. The bill also takes aim at pharmaceutical “product hopping,” a practice similarly designed with an eye toward keeping generics out of the market. By tweaking the absorption rate or dosage level of a drug, manufacturers can take advantage of state substitution laws that prohibit pharmacists from offering a generic if the drug is not bioequivalent or therapeutically equivalent. The APP Act would deem both patent thicketing and product hopping to be anticompetitive behavior, and could have sweeping implications for patent prosecution and enforcement.
Some lawmakers, however, have jumped in the trenches alongside the pharmaceutical industry and are actively fighting to loosen requirements for securing patents. Senators Thom Tillis and Chris Coons have written a bill, to big pharma’s delight, that would amend Section 101 of the Patent Act to allow patents on products and laws of nature, abstract ideas, and other areas of general knowledge – all areas the Supreme Court has previously ruled ineligible for patent protection under the current wording of the Patent Act.
Most on Capitol Hill agree: the drug prices are too damn high. IP law is indelibly embroiled in the battle to bring these prices down, and combatants on both sides are turning to the IP well for any tactical advantage they can find.