Health Law Advisor

On August 4, 2023, the Drug Enforcement Administration (“DEA”) announced plans to host two public listening sessions, scheduled to take place on September 12 and 13, 2023 at DEA’s headquarters in Arlington, VA, to collect additional input regarding the practice of telemedicine and specifically the remote prescribing of controlled substances without conducting an in-person evaluation of patients before prescribing.

The listening sessions will be open to the public, and those who anticipate attending must register through DEA’s Diversion Control website. The registration process opens today (August 7, 2023). DEA also plans to make the listening sessions available via livestream and copies of transcripts from the sessions also will be made available at a later date on the DEA Diversion Control Program website.

In this episode of the Diagnosing Health Care Podcast:  In July, the Centers for Medicare & Medicaid Services made significant headway in its implementation of the drug pricing provisions of the Inflation Reduction Act (IRA).

How can stakeholders respond to, implement, and comply with all these new provisions? On this episode, hear from special guest Sylvia Yu, Vice President and Senior Counsel of Federal Programs at PhRMA.

Sylvia and Epstein Becker Green attorneys Connie Wilkinson and Alexis Boaz discuss the recent updates on the quickly moving implementation of the drug pricing provisions under the IRA and the industry’s response.

As discussed in our June Insight, earlier this year FDA publicly announced its development of a proposed rule that would expressly define laboratory developed tests (“LDTs”) as medical devices and subject them to the agency’s regulatory authority. Such a rule would be FDA’s first comprehensive attempt to impose its authority over LDTs since its 2014 draft guidance, which FDA ultimately chose not to finalize, and comes after several failed congressional legislative attempts to do the same.

Recently Colleen and Brad had a debate about whether Medical Device Reports (“MDRs”) tend to trail recalls, or whether MDRs tend to lead to recalls. Both Colleen and Brad have decades of experience in FDA regulation, but we have different impressions on that topic, so we decided to inform the debate with a systematic look at the data. While we can both claim some evidence in support of our respective theses based on the analysis, Brad must admit that Colleen’s thesis that MDRs tend to lag recalls has the stronger evidence. We are no longer friends. At the same time, the actual data didn’t really fit either of our predictions well, so we decided to invite James onto the team to help us figure out what was really going on. He has the unfair advantage of not having made any prior predictions, so he doesn’t have any position he needs to defend.

On July 26, 2023, the Securities and Exchange Commission (“SEC”) adopted its long-anticipated cybersecurity reporting rule (the “Final Rule”). The Final Rule applies to public companies subject to the reporting requirements of the Securities Exchange Act of 1934 and, in some cases, to foreign private issuers. As quoted in the SEC’s press release, SEC Commissioner Gary Gensler noted that many public companies already make cybersecurity disclosures to investors, and the Final Rule provides uniformity and structure for these future disclosures. The Final Rule also imposes a tight timeline for cybersecurity incident reporting and may include disclosure of an ongoing cybersecurity incident, as well as requiring periodic disclosures concerning organizational cybersecurity risk management processes and governance.

The federal government’s announcement that the COVID-19 public health emergency (“PHE”) declaration would end on May 11, 2023 marked the end of various federal mandates and benefits. The Centers for Disease Control’s authorizations to collect certain types of public health data expired, as did the requirement that insurance providers waive costs or provide free COVID-19 tests. However, the Biden Administration announced that COVID-19 hospital admissions, deaths, emergency department visits, test positivity and results of wastewater surveillance will continue to be reported, although the sources of some of this information will change.

On June 22, 2023, the Centers for Medicare & Medicaid Services (CMS) announced its proposed “Transitional Coverage for Technologies” (TCET) pathway—the Biden administration’s highly anticipated take on a mechanism to expedite coverage for certain devices designated by the U.S. Food and Drug Administration (FDA) as breakthrough devices.[1]

As described in the notice with comment period (the “Procedural Notice”), the voluntary TCET pathway aims to streamline efforts between CMS, the FDA, and manufacturers of certain FDA-designated breakthrough devices to more efficiently advance breakthrough devices through the CMS coverage determination processes using a “coverage with evidence development” (CED) approach.

Under the proposed three-phase framework, manufacturers of breakthrough devices accepted into the TCET pathway would enter a period of transitional coverage through a TCET national coverage determination (NCD), during which the device’s manufacturer would be able to generate evidence for CMS to use to determine the breakthrough devices’ post-TCET final coverage status.

Notably, CMS stated that the agency only anticipates accepting five candidates to participate in the TCET pathway each year.[2] Stakeholders must submit comments on the TCET pathway by August 28, 2023.

On July 13, 2023, the White House issued the first iteration of its National Cybersecurity Strategy Implementation Plan (the “Implementation Plan”), which will be updated annually. The two overarching goals of the Implementation Plan are to address the need for more capable actors in cyberspace to bear more of the responsibility for cybersecurity and to increase incentives to make investments in long-term resilience. The Implementation Plan is structured around the five pillars laid out in the White House’s National Cybersecurity Strategy earlier this year, namely: (1) defend critical infrastructure; (2) disrupt and dismantle threat actors; (3) shape market forces to drive security and resilience; (4) invest in a resilient future; and (5) forge international partnerships to pursue shared goals. The Implementation Plan identifies strategic objectives and high-impact cybersecurity initiatives under each pillar and designates the federal agency responsible for leading the initiative to meet each objective. The following summarizes some of the key initiatives included in the Implementation Plan that will directly impact critical infrastructure organizations, including healthcare, energy, manufacturing, information technology and financial services.

The 21st Century digital age has provided women with numerous sexual and reproductive health tools that track periods, ovulation, and pregnancy. By simply plugging certain health data inputs into these apps, women can now accurately track the most intimate moments of their lives. But is this sensitive health information secure?

New York recently enacted new legislation that will amend Article 45-A of the New York Public Health Law, entitled “Disclosure of Material Transactions”.  Although the legislation, as enacted, contains no description of legislative intent, the budget bill language originally proposed referenced concerns with the “proliferation of large physician practices being managed by entities that are investor-backed” (e.g., private equity platforms) and which are otherwise unregulated by the state outside of the licensure of the individual practitioners.

Effective August 1, 2023, the new legislation requires thirty (30) days advance notice to the New York State Department of Health (“Department”) of any “material transactions” involving “health care entities” that provide administrative or management services for physician practices, provider-sponsored organizations, health insurance plans, “or any other kind of health care facility, organization, or plan providing health care services. . . .”