Welcome to this week's edition of the Health Law Update. In this Issue:

  • More Than the Leaves Are Changing: Clinical Trial Research Regulations and Policies Get a Fall Makeover
  • ONC Contracting Guide Aims to Restore Balanced Bargaining Betweeen Providers and EHR Vendors
  • The 60-Day Rule: Failure to Return Overpayments Caused by Software Glitch Costs Hospital $2.95 Million
  • Select Issues in Negotiating Drug Pricing and Reimbursement Contracts
  • Events Calendar

More Than the Leaves Are Changing: Clinical Trial Research Regulations and Policies Get a Fall Makeover

These changes represent a new season of responsibilities for those who manage and oversee clinical trials.

The Food and Drug Administration (FDA) and National Institutes of Health (NIH) have recently finalized or signaled intent to finalize numerous proposals that promise to change the landscape of clinical trial reporting, clinical researcher responsibility and Institutional Review Board (IRB) oversight. These federal agencies have been busy tidying up existing policies and implementing various requirements to promote better practices in clinical trial research. So what is shaking from the trees? This article provides an overview of the recent proposals and regulations for clinical research.

FDA Draft Guidance for Institutional Review Boards

The Office for Human Research Protections (OHRP) and the FDA have proposed new draft guidance on the written policies and procedures that an IRB should maintain. Although the draft guidance is not binding on IRBs, it provides significant insight into OHRP and FDA expectations for IRB policies and procedures and references specific statutory and regulatory requirements that should be included. The draft guidance is a user-friendly, comprehensive checklist with questions about each policy area, and IRBs are encouraged to take a fresh look at their policies and procedures with this draft guidance in mind.

Clinical Trials Registration and Results Information Submission

Almost two years after its proposed rulemaking, the U.S. Department of Health and Human Services (HHS) issued a final rule for the reporting of clinical trial information on clinicaltrials.gov. Effective January 18, 2017, clinical trial sponsors must register online within 21 days of enrolling the first trial participant. Study sponsors should be aware of this new reporting requirement, as it broadens the breadth of information they must report about the clinical trial.

One of the most critical aspects relates to reporting results about the clinical trial, if collected. Study sponsors will now be required to disclose information regarding outcomes, testing, participant characteristics and adverse events. This information also will be available regardless of whether the study results in a marketed product. The rule applies to an “applicable clinical trial,” which typically includes studies on biological devices, drugs and other products subject to FDA oversight.

Revisions to the Common Rule

The clinical research community is anxiously awaiting finalized revisions to the long-standing “Common Rule” governing the protection of human subjects in research and HHS has signaled that a final rule will be released before the end of 2016. HHS and 15 other federal departments and agencies issued a proposed rulemaking on September 8, 2015. The subject of more than 2,000 comments, the proposed rule is largely in response to recent advances in technology and the evolving use of multiple research sites for clinical trials. Public comments from researchers, institutions and the public generally disagreed with many of the rule’s proposals, including a redefinition of “biospecimen” as a “human subject” and a controversial overhaul of the informed consent process. For additional information about these and other proposed changes to the Common Rule, please see the May 31, 2016, May 17, 2016, and September 28, 2015, postings to the Health Law Update blog.

Use of Single IRBs for NIH-Funded Studies

In an effort to streamline administrative processes and create greater reporting efficiency, the NIH recently finalized a new policy that requires a single IRB for purposes of all ethical reviews required by HHS regulations and policies. Applicable to studies involving NIH-funded, non-exempt human subject research conducted across multiple sites, the new policy is effective for all applications submitted on or after May 25, 2017. Under the new requirements, an applicant submitting a request for NIH funding for a multi-site study will be required to submit a plan selecting a site as the IRB of record for all study sites. An applicant may request additional funding to help it comply with the NIH requirements. The IRB of record and the other participating sites must ensure appropriate coordination regarding local regulatory requirements and contextual issues.

Investigator and Research Staff Training on Good Research Practices

In a recent notice, the NIH instituted a new policy that requires all NIH-funded clinical investigators and staff to complete training in Good Clinical Practice effective January 2017. Building on existing training for the protection of human research participants, the NIH is adding specific training on best clinical practices. Investigators and their staff may receive the training through a course, academic training program, or certification from a recognized clinical research professional organization. Participants will be required to complete the training every three years and maintain documentation evidencing such trainings. While the new policy is specific to NIH-funded clinical trials, IRBs may nevertheless consider reviewing their policies and procedures in light of this new training requirement.

Try Not to Fall Back Into Old Habits

These changes represent a new season of responsibilities for those who manage and oversee clinical trials. IRBs, clinical research organizations and investigators have an unprecedented opportunity to get an early start on implementing the new requirements to ensure compliance. So now is the time to rake up those outdated policies and procedures to make way for the new clinical research regulatory landscape.

ONC Contracting Guide Aims to Restore Balanced Bargaining Between Providers and EHR Vendors

The HHS Office of the National Coordinator for Health Information Technology (ONC) recently published a contracting Guide to assist healthcare providers when entering into electronic health record (EHR) contracts with EHR vendors. Issued in response to provider complaints that EHR contracts often contain hidden fees and restrictions that prevent sharing of patient health records with other providers, the Guide seeks to restore balanced bargaining between providers and their EHR vendors in their contract negotiations.

The 56-page Guide begins by explaining the steps providers should take before selecting an EHR vendor. It highlights the pros and cons of the two principal types of EHR models: the provider-hosted EHR in which EHR software is licensed to a healthcare provider, and the cloud-based EHR. According to ONC, when selecting an EHR vendor, providers should first prepare a list of key issues and technical and operational requirements that will enable them to prioritize and focus on key terms during the due diligence phase and contract negotiations.

ONC strongly encourages that providers consult with both a technical adviser and legal counsel when evaluating an EHR vendor contract to minimize problems during the contract period, anticipate future needs and assess available options. Providers also should conduct parallel negotiations with more than one EHR vendor and consider retaining a different vendor if their preferred vendor refuses to compromise on key issues. The Guide also discusses the importance of selecting ONC-certified EHR technology, a listing of which is available on a searchable website at http://chpl.healthit.gov.

Emphasizing the importance of providers and EHR vendors sharing responsibility with providers for ensuring secure implementation and use of the EHR system in accordance with HIPAA, the Guide encourages providers to consider requiring EHR vendors to:

  • Complete a security assessment questionnaire,
  • Obtain an independent security audit conducted by a third party and share the results with the provider annually or more frequently in the event of a security breach,
  • Comply with the provider’s information security program, and
  • Employ encryption methodology and secure data destruction.

The bulk of the Guide highlights the covenants and warranties that an EHR contract should include. The ONC also focuses on the importance of the vendor’s service and performance obligations as specified in the EHR contract. Risk allocation is another key area in the Guide and the ONC encourages providers to allocate each risk to the party with the most control over the factors giving rise to that risk.

Below is a summary of some of the key terms the Guide recommends for inclusion in EHR contracts.

Click here to view table.

A software glitch can be just as risky for a healthcare provider as submitting a false claim. Or so it was declared on August 24, 2016 when the U.S. Attorney for the Southern District of New York announced that Continuum Health Partners, Inc. and two of its New York City network hospitals would pay $2.95 million to resolve False Claims Act allegations that they had knowingly retained more than $843,000 in government funds in violation of the “60-day overpayment rule.” The settlement concludes the first chapter in the judicial development of the rule: United States of America ex rel. Kane v. Continuum Health Partners, Inc., No. 11 CIV 2325 (S.D.N.Y. Aug. 23, 2016), a case that presented such compelling facts in favor of liability and a correspondingly strict inaugural judicial opinion that providers are left wondering whether the “unforgiving” 60-day rule imposes unworkable compliance obligations or is, instead, limited to its facts.

Although most False Claims Act (FCA) cases involve some fraudulent scheme to submit claims to the government, liability may also arise from retaining a Medicare or Medicaid overpayment. The Affordable Care Act added an extra weapon to the government’s arsenal by stating that an obligation to repay the government materializes 60 days after the date on which the provider identifies the overpayment. The statute leaves undefined what it means to “identify” an overpayment. Although the Centers for Medicare & Medicaid Services (CMS) recently finalized a regulation interpreting this provision, providers should be mindful of the pitfalls in Kane.

In 2009, system incompatibilities between the Continuum hospitals and the Medicaid managed care organization Healthfirst resulted in a coding error that incorrectly indicated to the hospitals that certain claims were not only payable by Healthfirst, but were also payable by secondary payers such as the state Medicaid program. As a result, the hospitals’ billing systems automatically billed the Medicaid program, which paid the claims. The New York State Comptroller’s Office discovered the error in 2010, and, working with Continuum, implemented a software fix. Continuum tasked employee Robert Kane with identifying the impact of the software bug, and in February 2011, Kane presented Continuum with a list of 890 potentially-impacted hospital claims. Kane indicated that his list was probably over-inclusive and would require further analysis (indeed, only half of the claims were actually overpayments). Four days after Kane presented his list, however, Continuum fired him. Kane’s spreadsheet of 890 claims and his analysis never made it to the Comptroller. That month, Continuum only repaid five of the overpaid claims, and ultimately took more than two years to repay the government for the balance.

The defendants contended that Kane’s list was uncertain and that the 60-day period should not have begun until each repayment had been “classified with certainty.” The defendants argued that if the clock begins to tick when potential overpayments are identified, this would unduly tax a provider’s compliance program and would deny it the time needed to conduct a full and effective investigation. The government alleged, on the other hand, that an overpayment is identified when the provider is put on notice that a certain claim may have been overpaid. Judge Ramos adopted the government’s position, noting that under the FCA, an “obligation” means an established duty, “whether or not fixed.” Accordingly, the court stated that the rule encompasses not only a fixed obligation where all the particulars are defined, but also one where the duty is established and the amount owed is not yet determined.

In reaching this decision, the court acknowledged the “demanding standard of compliance in particular cases,” noting that an overpayment would still be an obligation under the FCA even when a provider receives an analysis like Kane’s, struggles to conduct an internal audit, reports its efforts to the government within the 60-day window, but has yet to isolate and return all overpayments on the 61st day. As the court held:

The ACA itself contains no language to temper or qualify this unforgiving rule; it nowhere requires the Government to grant more leeway or more time to a provider who fails timely to return an overpayment but acts with reasonable diligence in an attempt to do so.

Accordingly, under the Kane analysis, a provider only has 60 days from when a potential overpayment is identified to return the funds to the government, or risk FCA liability under the statute. The court suggested “prosecutorial discretion would counsel against the institution of enforcement actions aimed at well-intentioned healthcare providers working with reasonable haste to address erroneous overpayments.” For many in the field, however, this is little comfort: although a prosecutor may ultimately decide not to pursue the case, that does not relieve the provider from responding to the government’s investigative subpoenas, or from the expense of litigating the case against the relator if the government declines to intervene.

Following the Kane opinion, CMS issued a final rule clarifying, and in some cases softening, the “unforgiving” 60-day rule. See our analysis of the rule here. Unfortunately for healthcare providers seeking relief in light of the Kane decision and settlement, the rule is not applicable to overpayments providers receive from Medicaid and Medicare Parts C and D. Until CMS promulgates rules for these programs, providers will remain in the shadow of Kane. In the meantime, providers and their compliance officers should learn from the defendants’ mistakes, which turned a 2009 programming error into a treble damages settlement in 2016.

First and foremost, providers should not wait to identify and return known overpayments “until they receive[ ] the Government’s CID[,]” as the government alleged in Kane. If the key to prosecutorial discretion is actually a “well-intentioned healthcare provider,” then a government subpoena should not signal the start of overpayment identification efforts. Second, providers should follow up on potential overpayment issues raised by their employees and should ensure that those workers charged with verifying the provider’s compliance with government regulations have the support and resources needed to investigate and take corrective action when warranted. Finally, if an issue is identified, the provider should consider CMS’s guidance on using claims adjustments and credit balance mechanisms as well as appropriate self-disclosure protocols.

Proactive identification of overpayments is critical: for now, Kane stands as a stark reminder of how Congress designed the 60-day rule to operate and just how damaging a provider’s failure to act on credible information can be.