Medical device and diagnostics companies and laboratories should anticipate significant legal, regulatory and market changes in 2020 that will have a lasting impact on the industry. From revisions to how the government regulates value-based care, to shifts in the marketplace for medtech mergers and acquisitions (M&A), 2020 will prove to be another year of evolution.
Based on recent trends and developments, Akin Gump has prepared this client alert to provide the medtech industry with a landscape overview of the following issues in the year ahead: FDA regulatory developments; federal health care programs; international trade; transactions; intellectual property (IP) litigation; False Claims Act enforcement and health information and privacy and data protection.
We plan to monitor and report on these developments and potential updates as the year unfolds.
FDA Regulatory Developments:
FDA To Continue Reforms to Premarket Review Pathways. Across the globe, countries are revamping their regulatory oversight of medical technologies. The European Union is implementing the new European Medical Device Regulation (MDR), which governs the manufacture and distribution of medical devices in Europe and takes a life-cycle approach to product regulation. India very recently extended regulatory oversight to all medical devices that did not already require registration for marketing in the country, and China, in late 2017, issued 36 “Opinions on Deepening the Reform of the Evaluation and Approval System and Encouraging the Innovation of Drugs and Medical Devices.” The U.S. Food and Drug Administration (FDA) is not standing pat, either. In 2020, FDA will continue advancing new approaches to premarket review, particularly for novel device technologies.
- Software Pre-Certification Pilot Program (Pre-Cert): FDA’s concept for the future regulation of software as a medical device (SaMD) emphasizes oversight of the developer’s record of quality and organizational excellence with a focus on real-world performance, in exchange for greater flexibility for the software to evolve without need for supplemental reviews of new iterations. Pre-Cert 1.0, the first “test phase” version, is currently underway for pilot testing for certain SaMD developers.i Ultimately, the goal for this test phase is to determine whether the results of the Pre-Cert pathway align with the results of the traditional premarket pathway and satisfy FDA’s regulatory requirements for safety and effectiveness, and whether Pre-Cert can be implemented under FDA’s current regulatory authorities. In 2020, FDA will continue to test the Pre-Cert model and release updates that will hopefully provide more granular insights into the contours of a future Pre-Cert program for SaMD.
- Artificial Intelligence (AI) and Machine Learning (ML): FDA’s 2019 white paper on medical software employing AI or ML,ii which Akin Gump analyzed when it was released, introduced important terminology, including a core distinction between “locked” and “adaptive” algorithms, and contemplated the use of change protocols for leveraging AI/ML to advance SaMD tools. In the new year, FDA is likely to take tentative steps to advance these concepts in the context of individual SaMD clearances and approvals before establishing formal policies (or, alternatively, determining that legislation is required); companies leveraging AI/ML should consider advancing specific proposals for the use of change protocols.
- Alternative 510(k) Pathway: In 2019, FDA issued guidance establishing a Safety and Performance Based Pathway, which is an offshoot of the Abbreviated 510(k) program for certain well-understood device types. Once this pathway is operationalized, a manufacturer of a 510(k) eligible device would be able to obtain clearance by meeting FDA-identified performance criteria to demonstrate substantial equivalence, rather than through a direct comparison to a predicate device.iii In September 2019, FDA issued several draft guidances identifying performance criteria and testing methodologies for certain devices within four class II device types. Expect further development of this pathway in the coming year.
- Safer Technologies Program: FDA also introduced the Safer Technologies Program (or STeP) via draft guidance in September,iv which is intended for finalization and implementation in 2020. STeP will provide expedited development support for devices and device-led combination products that are expected to improve the safety of currently available treatments or diagnostics, but that are not eligible for the Breakthrough Device pathway because they are intended for morbidities and mortalities less serious than Breakthrough-eligible devices.
FDA’s Evolving Postmarket Expectations. Postmarket oversight of devices at FDA has undergone dramatic restructuring, through the development of product-specific inspection cadres under the agency’s Program Alignment and through the reorganization of the Center for Devices and Radiological Health, to embrace a “total product life cycle” approach to device oversight. While these changes have coincided with a longer historical trend of a decrease in the use of warning letters, FDA’s postmarket oversight has not waned, and, in fact, has become more intensive in certain respects.
- Safety Communications: In recent years, the agency has placed increased emphasis on emerging signals, or information that substantiates or suggests associations between a marketed device and an adverse event, and the role these signals should play in postmarket surveillance. FDA issued guidance in late 2016 detailing what circumstances would warrant public release of emerging signals information. Overall, however, confusion remains about how such information is validated and used, and how it relates to existing tools to address potential safety issues. Stakeholders should be on the lookout for a public meeting or additional clarification on this topic in the first half of 2020.
- Pharmacogenomics: FDA has taken an aggressive stance on pharmacogenomics claims made by test developers and software developers. In early 2019, FDA began raising concerns about pharmacogenomics information related to how a patient is likely to respond to a particular medication. FDA issued a warning letter to one laboratory that refused to omit such information from its test reports. Akin Gump issued a client alert on this development at the time. FDA has expressed concerns with pharmacogenomics claims that are not supported by approved drug labeling and are not otherwise clinically validated.v Given that pharmacogenomic information is heavily relied upon in the clinical community, expect to see continued focus on these claims, and FDA’s expectations for substantiating them, in 2020.
Federal Health Care Programs
HHS Expected to Issue Final Value-Based Rules. In 2020, the medtech industry should prepare for final rules from the Department of Health and Human Services (HHS) on value-based care, and, potentially, new proposed rules to address medtech’s role in value-based arrangements. On October 17, 2019, the HHS Office of Inspector General (OIG) and Centers for Medicare and Medicaid Services (CMS) jointly released long-awaited proposals to revise the Federal Anti-Kickback Statute (AKS) safe harbors and the Physician Self-Referral Law (“Stark Law”) regulatory exceptions, respectively.vi Akin Gump has issued client alerts on both the AKS and Stark proposals.
HHS will likely issue its final rules in the first half of 2020, which may greatly expand the scope of permissible activities under the AKS and the Stark Law. Medtech companies should pay particular attention to how OIG and CMS address the industry’s products, technologies and related services under the final rules. While the proposed rule excludes pharmaceutical manufacturers, durable medical equipment suppliers and laboratories from participating in value-based enterprises that merit protection under the new safe harbors and exceptions, OIG and CMS solicited comments on whether value-based arrangements involving medical technology should be protected. OIG, in particular, expressed skepticism about whether medtech companies should participate in safe harbor-protected value-based arrangements.
We also expect that that OIG will release a second proposed rule on value-based care. This second proposed rule will address value-based arrangements under the AKS involving pharmaceutical companies and medical device and medical technology companies, including how products are purchased and used as part of a value-based arrangement.
Clarification of Sunshine Act Requirements for Medical Devices. In November 2019, CMS issued much-anticipated regulations on a statutorily-mandated expansion of the U.S. Physician Payments Sunshine Act.vii The SUPPORT Act of 2018 expands the scope of the Sunshine Act to require medical technology companies to disclose virtually all payments and transfers of value made to advanced practice registered nurses, nurse practitioners, certified nurse anesthetists, certified nurse midwives and physician assistants. Previously, companies were only required to report payments and transfers to physicians and teaching hospitals. The 2018 law also requires companies to include a portion of the “Unique Device Identifier” or UDI as part of each line item disclosed under the Sunshine Act.
Medical technology companies must start tracking and collecting this information on January 1, 2021. Companies should therefore begin expanding their internal reporting systems and Sunshine Act capabilities. We also anticipate additional guidance from CMS in 2020 about how to collect this information and more of the technical specifications as to how CMS will validate such information, whether the agency will issue a list of all advanced practice registered nurses and other professionals on which companies must report, and how CMS plans to assess and review device identifier disclosures.
Codes Changes Go into Effect. Medtech companies should also be mindful of revisions to longstanding industry codes that go into effect in January 2020. This includes changes to AdvaMed’s Code of Ethics, as well as similar changes to the Medical Device Manufacturers Association Code (revised in Oct. 2019).
International Trade—Customs, Export Controls, Sanctions, CFIUS and Trade Policy
Section 301 Customs Duties Continue to Expand—With the Possibility for More in 2020. Since 2018, the Trump administration has engaged in its own “trade war” by using established statutory authority—Section 301 of the Trade Act of 1974—to issue additional customs duties on various goods imported into the U.S. Although President Trump insists that Section 301 duties help American industry, many businesses, including ones in the medtech and health care sectors, have struggled to keep pace with the ever-changing Section 301 landscape.
In July 2018, President Trump first used Section 301 to impose additional duties against certain goods of Chinese origin. Now, the U.S. government has placed additional duties on almost all goods of Chinese origin.viii In mid-December 2019, there was some good news, as China and the U.S. reached a “phase one” deal, which resulted in the U.S. declining to add Section 301 tariffs to a final $160 billion worth of Chinese-origin goods (which were originally scheduled to take effect on December 15th).ix In 2020, medtech companies should monitor the Section 301 China duties to ensure that they meet their legal requirement to pay any customs duties owed to the U.S. government—otherwise, they could be subject to severe penalties.
The U.S. has also used Section 301 to issue duties on goods from other countries. In October 2019, it placed Section 301 duties on goods coming from various EU countries (e.g., Germany, United Kingdom)x, and it has indicated that it may extend these duties.xi And, in December 2019, the U.S. government proposed another set of Section 301 duties, this time against French goods. Some of the targeted tariff codes include ones that have been used by consumer health care companies on products like soap. And, although the U.S. government has not launched an official investigation yet, there have been rumblings of using Section 301 duties against India.xii
In sum, there is a growing trend to use Section 301 as a means of molding trade and customs policy. Medtech companies should consider ways to minimize Section 301 duty impact, including, but not limited to, product exclusion requests (which can mean big savings and retroactive refunds from U.S. Customs and Border Protection of already-paid Section 301 duties), country of origin and classification assessment and product sourcing modifications. A thorough review of the related U.S. Customs legal principles may end up providing a duty mitigation strategy that could result in significant savings.
Heightened Scrutiny on Health Data-related Transactions involving Foreign Persons. Starting in 2020, the Committee on Foreign Investment in the United States (CFIUS) will have enhanced authority to scrutinize non-controlling foreign investments into the U.S. medtech sector that involves “sensitive personal data” regarding U.S. citizens. CFIUS reviews focus on the national security concerns of such investments. These reviews can add time and costs to deal-making, require mitigating measures to be taken and even lead to the blockage or forced divestiture of investments, which threaten U.S. national security. In recent years, CFIUS has increased its focus on investments into businesses that collect or maintain sensitive personal data and/or large amounts of data, especially when Chinese investors are involved.
In September 2019, CFIUS issued proposed regulations that implement CFIUS reform legislation that was signed into law in 2018. Among other things, the proposed rules define what constitutes “sensitive personal data” of U.S. citizens. This term will capture genetic information and categories of “identifiable information” (i.e., traceable to individuals), which would include health and insurance data, that is held by certain U.S. businesses. Importantly, investments in such businesses that involve a “substantial interest” held by a foreign government may be subject to mandatory CFIUS reporting. Subject to additional modification, these rules will become effective by February 2020.
U.S. Sanctions Actions Should Be Closely Watched to Assess Medtech Business Challenges and Opportunities. The Trump administration has made significant use of economic sanctions to further its foreign policy goals, and it is likely to continue to do so in 2020. While medtech businesses should ensure they have established adequate measures to comply with all U.S. sanctions, those seeking to engage in dealings with Venezuela and Iran will want to be especially vigilant in 2020, as sanctions programs targeting these countries are particularly complex and continue to evolve.
The U.S. government’s sanctions regime against Venezuela expanded significantly in 2019. While the President, through U.S. Department of the Treasury, Office of Foreign Asset Controls (OFAC), recently prohibited U.S. persons from dealing with the government of Venezuela, it also issued General License 4C xiii, which authorizes transactions involving medicine and medical devices to Venezuela, keeping the door open to opportunities for medtech companies to do business in Venezuela in compliance with U.S. sanctions.
In 2019, OFAC designated the Central Bank of Iran (CBI) as a Specially Designated Global Terrorist, thus making the delivery of humanitarian goods to Iran unlawful if CBI is involved.xiv However, in October 2019, the U.S. Treasury and State departments announced a new mechanism by which humanitarian goods, including medicine and medical devices, can be provided to Iran in compliance with U.S. sanctions.xv The mechanism requires certain enhanced due diligence and reporting from foreign financial institutions serving as channels to effectuate the transactions, but so long as these are met, medtech companies may find a permissible opportunity to continue to provide medicine and medical devices to Iran.
Export Controls on Encryption and Telecommunications Continue to Evolve and Affect the MedTech Industry. In May 2019, the U.S. Department of Commerce announced export controls restrictions against Chinese telecommunications equipment provider Huawei. U.S. export controls limit the export of items, software and data, to include by electronic transmission outside of the U.S. and to non-U.S. persons within the U.S. (i.e., deemed exports). Companies may need authorization from the U.S. Department of Commerce, Bureau of Industry and Security (BIS) prior to exporting items, such as electronic devices that use WiFi, Bluetooth and other telecommunications equipment. In part, the new Huawei restrictions prohibit sending any U.S.-origin items, software or technology to Huawei without written authorization from Commerce. This is having a major impact on U.S. technology companies, including companies in the medtech industry that, for example, may rely on Huawei smartphones or other equipment to deploy user applications. After significant debate, Commerce is starting to issue licenses allowing some transactions with Huawei. However, the restrictions remain in place, and medtech companies who may be providing any items, software or technology to Huawei and/or whose own customers may rely on using Huawei devices need to carefully review their compliance protocols, supply chains and export licensing requirements.
In June 2019, Commerce also presented updates regarding their perspective on threats to national security, encryption controls and deemed export controls. In a session regarding encryption controls, Commerce noted various changes, including decontrols on “internet of things” items. This includes changes to reduce controls on items that are connected for consumer applications, which could include some medtech devices designed for patient use and which have encryption to flow data between the patient’s device and other systems. Additionally, in a session regarding deemed exports, Commerce specifically flagged that companies in the biotechnology and pharmaceuticals, acoustic communications and sensors, quantum computing, and communications and encryption technology are being targeted by foreign nations to use clandestine and illegal methods to collect those companies’ technologies. Commerce also provided guidance on its concerns and how to successfully structure deemed export license applications. Those licenses can be critical to medtech companies who want to share controlled technology with non-U.S. employees. In the coming year, medtech companies should carefully monitor what technology they have, how it is controlled under the export regulations, their internal access—and facility—control compliance programs and any licensing requirements.
Likely Developments—Both Positive and Negative—in Trade Agreements and Market Access. The medtech industry can expect developments on international trade agreements and market access issues during 2020. Trade agreements often include provisions related to tariffs as well as non-tariff issues, such as standard-setting, licensing, price controls and intellectual property rights. For example, the Office of the U.S. Trade Representative (USTR) recently finalized the U.S.-Mexico-Canada Agreement (USMCA) with House Democrats. The final amended USMCA removed the original provision on biologics, which provided 10 year data exclusivity protections for the class of drugs.xvi USTR is also negotiating a limited trade agreement with India. During negotiations, the countries have been working to establish a pricing management system for medical devices that would eliminate India’s current price caps on many devices.xvii USTR has ongoing or upcoming bilateral negotiations with Japan, the European Union, the United Kingdom and Brazil, all of which could affect the medtech industry. Globally, several regional trade agreements may also be negotiated or concluded in 2020, including the 10 member Regional Comprehensive Economic Partnership (RCEP) and the expansion of the 11 member Comprehensive and Progressive Trans-Pacific Partnership (CPTPP).
Likely to See Potential Uptick in Data-Related Acquisitions. The average hospital in the U.S. produces 50 petabytes of data every year in the form of medical records, scans, x-ray images, sensor and monitor readings and hundreds of other inputs. Only three percent of that data is used. This data influx is not limited to hospitals—it is a challenge faced by the whole medical sector. Traditional healthcare setups do not have the expertise or capacity to store or deal with such volumes of data.
In 2020, we anticipate seeing a continuation of the recent uptick in M&A deals involving large healthcare providers seeking to acquire companies that specialize in data technology (including AI), to effectively bring the task in-house, as a solution to expensive outsourcing.
In related developments, digital health companies are thriving and, overall, outperforming the medtech sector. For example, in 2018-19 at least 33 AI-related algorithms gained FDA clearance or approval, with diagnosis being the most common use. Meanwhile, China has become a key player in the digital health sector, with 37 percent of global health funding coming from China in 2019. Furthermore, as compliance understanding of the European General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) rules grows, corporations are becoming less reluctant to bring data handling in-house through the acquisition of specialist setups.
Software-Related Deals are also Expected to Rise. The recent trend of medtech companies seeking to make strategic acquisitions in software and robotic surgery companies is also expected to continue in 2020. As life expectancy lengthens and treatments become more successful, patients are living longer with conditions that need to be managed and monitored. Monitoring software can be used at every stage of the care continuum: from the operating table, to the care home, to the wrist of the healthy consumer. Robotic surgery is also emerging as a hard-fought market, with Siemens making a recent $1.1 billion acquisition in the space.
Strategic Convergence Deals Likely to Continue. 2020 should also see a continued rise in non-traditional medical sector combinations, which has been on the ascendancy over the past 12 months. Corporations are turning away from traditional lateral acquisitions and seeking to consolidate into a group structure, which will allow them to provide for consumers on multiple levels of their medical needs as the corporations race to maximize economies of scale. The first half of 2019 saw more multibillion dollar deals than 2018 saw in total, and fewer deals worth less than $1 billion, as companies look to add strings to their bow rather than expanding their existing operations through smaller acquisitions. Even medical device manufacturers are also diversifying, expanding into patient care and hospital services.
2020 May Mean More Private Equity Focus on Medtech. Private equity (PE) investors have maintained their traditionally strong foothold in the medical sector throughout 2019. The time taken for a medical device to enter full operation means that projects can last a number of years, often with a substantial payout at the end of that term. PE houses with an understanding of the sector and a willingness to take a longer-term view can reap big rewards. Further, PE houses are subject to far less scrutiny than public corporations, and no public reporting requirements, so they have more freedom to make the longer-term decisions that are often required in the medical sector. Despite these attractions, few specifically medtech-orientated funds exist. Vensana capital recently launched an inaugural $225 million medtech fund, and with smaller companies playing an ever increasingly important role in producing fresh technology for the medical giants, Vensana’s move may indicate a gap in the market that will be open in months and years to come. In the U.K., September 2019 saw Europe’s largest private financing round in the medtech sector, with Cambridge-based CMR Surgical raising £195 million ($240 million) of private financing to develop its Versius surgical robot system.
2020 Should Bring More Opportunities Outside of EU and US. The European and U.S. medical sectors have a tendency to look to themselves, or each other, for the latest research and startups. However, recent increases in startup funding and seed funding in Asia, the Middle East and even Iceland and Scandinavia mean that new opportunities are increasingly becoming available overseas. It is thought that by 2023, Asia will become the second largest regional market for medtech after the U.S., contributing 35 percent of the growth from 2017 to 2023. Asia, however, is not just a target: M&A activity from Asia-Pacific buyers increased by almost 250 percent in 2019, with seven of these 61 deals targeting companies within Europe and the U.S. Therefore, the emerging opportunities between Asia-Pacific, Europe and the U.S. are not one-way traffic.
Expect Possible Changes to Section 101 Challenges on “Patentable Subject Matter.” In recent years, courts have invalidated many patent claims as covering unpatentable subject matter under 35 U.S.C. § 101. Courts have rejected claims covering natural phenomena, laws of nature and abstract ideas, and many stakeholders have increasingly questioned the propriety and application of these decisions.
Over the past 12 months, lawmakers have proposed to eliminate the judicially created exceptions under Section 101. Under their legislative proposal, patent claims would rarely be unpatentable solely because of the type of subject matter they cover. Instead, useful inventions would be patentable so long as they meet the other requirements of the patent laws, including that the invention be new and nonobvious.
Potential changes to 35 U.S.C. § 101 would affect at least two areas of medical technology—diagnostic tests and computer-associated devices.
- Diagnostic Tests. Courts have routinely struck down claims that link genetic or biomarker information to specific human conditions as unpatentable laws of nature. For example, a court invalidated claims to a new maternal blood test that allowed detection of fetal abnormalities in a pregnant mother. Another court invalidated claims to a method of detecting an autoimmune disease in a group of individuals for whom other tests failed. Some industry stakeholders are concerned that such decisions lead to uncertainty in patent rights and a decrease in investment into new technologies. The proposed reforms would eliminate the “law of nature” exception. If enacted, claims to useful, new and nonobvious diagnostic tests would be more likely to withstand a Section 101 challenge.
- Computer-Associated Medical Devices. Like most industries, medical device manufacturers routinely integrate software applications, including blockchain, artificial intelligence, wearable devices and telehealth platforms into medical devices. Just as courts have routinely invalidated claims to diagnostic tests as unpatentable laws of nature, courts have invalidated claims to devices that incorporate software applications as covering only abstract ideas. For example, one court recently determined that claims covering a heart rhythm detector that warns an individual of conditions like stroke, heart failure or cardiomyopathy covered an “abstract idea.” But similar to the diagnostic test analysis, the proposed 35 U.S.C. § 101 reforms would eliminate the need to determine whether a claim covering a device is actually an “abstract idea,” and would focus instead on whether the claimed invention was useful, new and nonobvious.
- Timing. Although Senate sponsors had planned to revise their initial proposal and introduce a bill in the summer of 2019, a bill has not yet been proposed. As more medical device companies develop and incorporate these emerging technologies, they can expect the rise in the number of Section 101 challenges to continue into 2020, particularly while awaiting proposed legislative changes to Section 101.
2020 May Bring Changes to Statutory Language on “Functional Claiming.” To counterbalance the proposed broader scope of patentable subject matter under Section 101, lawmakers have also proposed narrowing the breadth of functional claiming under 35 U.S.C. § 112(f) by requiring enhanced specificity of the disclosure in the specification. The proposed legislative change would limit any purely functional patent claim language—regardless of the actual language used—expressly to the structures disclosed in the specification. We expect that any reform to Section 112(f) would likely be introduced in conjunction with the proposed Section 101 reforms; however, disagreement over the exact statutory language used in Section 112(f) appears to be the holdup of actual introduction of a bill.
PTO Trends on Inter Partes Reviews Will Likely Continue in 2020. Since its inception in 2012, the inter partes review system at the U.S. Patent and Trademark Office (PTO) has been a popular venue for challengers to attack the claims of an issued patent based on prior art patents and printed publications. In May 2019, the PTO designated as precedential two of its decisions explaining the scope of the Director’s discretion to institute review specifically related to follow-on petitions and petitions that challenge the patent based on art or arguments the PTO has otherwise already considered. By the end of 2019, a large number of patent owner preliminary responses included arguments that the Director should exercise discretion and not institute review. We expect that trend to continue into 2020.
False Claims Act Enforcement
The False Claims Act (FCA) is the government’s primary weapon for police fraud committed against the government. The FCA’s qui tam provisions authorize private citizens, known as “relators,” to file lawsuits and obtain a substantial statutory bounty from funds that otherwise would be remitted to the government. Over the last few years, the Department of Justice (DOJ) and relators have specifically targeted medtech companies.
There are three trends in FCA enforcement that are especially important to watch in 2020 for medtech companies:
Continued Application of AKS to Medtech Consulting Arrangements. A primary enforcement mechanism of the AKS is the FCA. There has been an uptick in qui tam cases alleging an AKS violation. One area of scrutiny continues to be medical device and drug manufacturers retaining health care professionals as consultants to educate other health care professionals regarding the benefits of the product. FCA plaintiffs frequently characterize such payments as kickbacks to induce referrals. In these lawsuits, courts typically evaluate whether, under the facts and circumstances, the payments are for bona fide work or are more fairly characterized as sham payments.xviii
In 2019 the Eleventh Circuit, in Bingham v. HCA, Inc., found that there is no AKS violation if fair market value is paid to the physician.xix An issue to watch in 2020 will be the extent to which other courts adopt Bingham’s reasoning and that proof, by itself, that payment is set at fair market value will be a dispositive defense regardless of the parties’ intent.
FCA Materiality Defenses Will Continue to Be Tested. Historically, relators have asserted that medtech companies and drug manufacturers committed fraud by failing to report adverse events,xx producing products with a higher than expected failure ratexxi and failing to adhere to current good manufacturing practices.xxii For the most part, courts have rejected these theories, finding that qui tam relators should not be permitted to supplant the FDA’s expertise regarding what products should be allowed into the market and what remedy should be imposed when a product fails.xxiii The Supreme Court’s decision in Universal Health Services, Inc. v. United States ex rel. Escobar cemented this line of precedent, noting that in assessing materiality, the court should look at the actual behavior of the government.xxiv If the government pays on the claim and does not seek repayment, this is considered strong evidence that any alleged infraction is not material to the government under the FCA.xxv Post-Escobar, courts have expanded this defense.xxvi Both the government and relator have contended that this line of precedent ignores that the agency does not always have all the facts when it continues to approve the product.xxvii An issue to watch in 2020 is whether DOJ and relators will start to have more success in dismantling the strong FCA materiality defense the Supreme Court erected in Escobar or seek legislative relief.
Continued Challenges to the Use of Subregulatory Guidance as the Foundation for an FCA Action. A third trending development is the extent to which alleged violations of subregulatory guidance can result in an FCA violation. Just recently, one district court concluded that substantive legal rules must be issued pursuant to notice and comment rulemaking to serve as a basis to assert FCA liability. In Polansky v. Exec. Health Res., Inc.,xxviii the court considered whether subregulatory guidance CMS issued in manuals for hospitals to determine the inpatient status of patients for purposes of seeking reimbursement under the Medicare Act could serve as the basis for determining whether claims are false under the FCA. The court noted that in light of a recent Supreme Court casexxix and a D.C. Circuit case, Allina Health Servs. v. Price,xxx the Medicare Act requires that a substantive legal standard be subject to notice and comment rulemaking. The district court, after adopting the D.C. Circuit’s construction of substantive legal standard as “at a minimum … a standard that creates, defines, and regulates the rights, duties, and powers of parties,” concluded that CMS’ manual guidance constituted a substantive legal standard “and therefore required notice and comment rulemaking procedures.”xxxi Because the guidance at issue in the case was not issued pursuant to notice and comment, the court concluded that there was not a binding rule, and hence there could be no FCA liability.xxxii
Because of CMS’ and FDA’s substantial reliance on subregulatory guidance, how other court’s view the district court ruling in Polansky will be worth watching in 2020.
Health Information Privacy and Data Protection
The past two decades marked a time of unprecedented change and development in the health information privacy and data protection landscape in the U.S. As we move into 2020, here are a few key issues to watch in the health information privacy and data protection space, which are likely to have a substantial impact on medtech operations (including research and development), compliance activities and transactions:
Potential Updates to the HIPAA Regulations. The Health Insurance Portability and Accountability Act (HIPAA) regulations, which have been the dominant force in the health information privacy and data protection landscape since the interim final HIPAA privacy rule was promulgated in 2000, evolved significantly over the past two decades. These changes were driven by statutory action, formal and informal regulatory action and increasingly steady enforcement, as well as by market forces and the new value proposition presented by big data and related tools. The HIPAA privacy, security, enforcement and breach notification regulations were last overhauled by the omnibus rulemaking promulgated in 2013. At the end of 2018, CMS issued a broad request for information to help the agency identify and address aspects of HIPAA that hinder information sharing among health care providers, payers, patients and caregivers. The Fall 2019 Unified Agenda published November 20, 2019 (Unified Agenda), indicated that the HHS Office of Civil Rights (OCR) would release a notice of proposed rulemaking (NPRM) regarding updates to HIPAA by the end of 2019. That did not happen, but we expect that NPRM will be released in early 2020. Notably, OCR could propose changes to promote new or expanded disclosures related to value-based care, coordinated care and the opioid crisis, potentially including material changes to existing HIPAA access requirements.
Continued Emphasis on Interoperability. In March 2019, the HHS Office of National Coordinator for Health Information Technology (ONC) published a proposed rule aimed largely at improving access to health information. The Unified Agenda projected publication of the final rule in November of 2019. The rule remains pending and is highly anticipated. Medtech companies should be prepared to evaluate their information sharing practices to ensure processes currently in place to protect data privacy do not run afoul of anticipated provisions regarding information blocking. Challenges may also arise in reconciling potentially competing privacy and security requirements under shifting federal and state regimes.
Targeted—and Increasing—HIPAA Enforcement Activity. HIPAA enforcement activity has been building rather steadily since 2008. Earlier this year, HHS OCR announced an initiative to focus on the rights of patients to access their medical information under HIPAA. In September, OCR announced an $85,000 settlement with a hospital over the hospital’s alleged failure to timely provide a patient with fetal heart monitor records from her pregnancy. Just last month, OCR settled an enforcement action against a health care provider for allegedly failing to promptly provide a patient’s health records to a third party upon the patient’s request, as required by HIPAA. We anticipate that more health care providers, as well as other entities that create, receive, maintain or transmit HIPAA-protected information, may face enforcement action in 2020 regarding patient access rights. Overall, dollar amounts captured by regulators through settlements and penalties continue to climb, making HIPAA compliance an increasingly high-stakes endeavor at a time when the regulatory landscape is changing.
State Law Developments. State legislatures were active on privacy issues in 2019, and we anticipate that robust legislative activity will continue in 2020. States jumping into the privacy law space will add to the existing patchwork of state law requirements for health care entities, including medical device companies. Notably, the expansive CCPA took effect January 1, 2020. The CCPA includes exemptions based on HIPAA, but these exemptions do not cover the field. In particular, non-covered entities relying on HIPAA standards as a best practice may need to adjust their practices to satisfy differing CCPA requirements. Further, questions remain regarding the extent to which standards for de-identification of personal information under the CCPA align with HIPAA’s well-established de-identification provisions. Additionally, the narrowness of the CCPA’s exception for use of personal information in clinical research could create obstacles for the medtech sector. Beyond California, states across the country have adopted or considered privacy laws that could have implications for the medtech industry, and this trend is expected to continue.
Congressional Focus on Privacy and Data Protection. As the end of first session of the 116th Congress rapidly approaches, optimism for a bipartisan federal privacy bill has dwindled. Critical issues debated have included whether legislation protecting online consumer privacy rights should include a private right of action and preempt state privacy law. We expect to see continued debate over these issues, and increasing Congressional interest in privacy matters, in 2020.
Continued Privacy Regulation and Enforcement in Europe. The EU’s GDPR entered its second year of enforcement this past May, and EU regulators have maintained an interest in health data. In the past year, the EU Member State data protection authorities (DPAs) have issued fines for GDPR violations committed by hospitals and research organizations for issues related to health data, such as data breaches, insufficient data security practices and non-compliant processing activities. Additionally, in January 2019, the European Data Protection Board (EDPB)—the EU body in charge of the application of the GDPR—issued an opinion on the interaction between the GDPR and the EU’s Clinical Trials Regulation (CTR), which addressed, among other things, requirements regarding the legal basis for processing personal data in the course of a clinical trial (as required under GDPR Art. 6) and the ability to further use clinical trial data for other scientific purposes. Further, there is an increasing awareness among the European population of their rights under the GDPR, including the right to complain to a DPA about an entity’s data processing practices and activities. The European Commission noted that the DPAs have collectively received over 140,000 queries and complaints from data subjects since May 2018.xxxiii Medical device companies should be prepared for continued guidance and enforcement in Europe, particularly as regulators seek to harmonize the different regulatory frameworks, including, potentially, the European Medical Device Regulation (MDR).