Health Law Advisor

FDA took two important steps last week to clarify the regulatory landscape for cannabis products, including CBD products.  First, FDA issued a draft guidance on Quality Considerations for Clinical Research Involving Cannabis and Cannabis Derived Compounds.  This guidance builds off of earlier guidance FDA has issued about the quality and regulatory considerations that govern the development and FDA approval of cannabis and/or cannabinoid drug products.  See e.g., here and here.  The draft guidance iterates a federal standard for calculating delta-9 THC content in cannabis finished products, which addresses a significant gap in federal policy regarding those products.  While the testing standard is neither final nor binding on FDA or DEA, when finalized it would iterate what FDA considers to be a scientifically valid method for making the determination of whether a cannabis product is a Schedule I controlled substance.  Therefore, it may be useful in many contexts, including federal and state cannabis enforcement actions.  We encourage affected parties to file comments on FDA’s Guidance, which they may do until September 21, 2020.

Second, FDA sent to the Office of Management and Budget for review a proposal on how FDA intends to exercise enforcement discretion over CBD consumer products.  See here.  While the contents of this guidance have not yet been made public, we forecast that it likely will align with FDA’s past enforcement actions and memorialize the agency’s intent to pursue enforcement actions against CBD consumer product companies that make egregious claims about their products treating or preventing serious diseases or conditions.

Guidance on Considerations for Cannabis Clinical Research

FDA’s guidance recognizes that Congress’s enactment of the Agricultural Improvement Act of 2018 (“2018 Farm Bill”) improved domestic access to pre-clinical and clinical cannabis research material that may be used in the research and development of novel therapies.   However, currently marijuana only may be obtained domestically from the University of Mississippi under contract with the National Institute on Drug Abuse.  While DEA issued a policy in 2016 to allow for the additional registration of marijuana cultivators for legitimate research and licit commercial purposes, the Office of Legal Counsel in June 2018 issued an opinion finding that such policy violates the United States’ obligations under applicable treaties.  However, in March of this year, DEA issued a proposed rule to allow for the registration of additional cultivators of cannabis for these licit purposes.  See here.

There is an alternative pathway to the procurement of Schedule I research material which FDA’s guidance does not mention: importation.  Researchers may obtain certain Schedule I material pursuant to a federal DEA Schedule I importer registration, and DEA has in the past issued such registrations.  See 21 CFR 1301.13(e)(1)(viii).

On July 20, 2020, the United States Food and Drug Administration (FDA) announced a six-month extension of its enforcement discretion policy for certain regenerative medicine products requiring pre-market review due to the COVID-19 pandemic. Included in a final guidance document entitled, “Regulatory Considerations for Human Cells, Tissues, and Cellular and Tissue-Based Products: Minimal Manipulation and Homologous Use,” this extension will give manufacturers additional time to determine whether they need to submit an investigational new drug (IND) or marketing ...

In an important win for healthcare providers, on July 17, 2020, the Third Circuit determined in a published opinion that an out-of-network provider’s direct claims against an insurer for breach of contract and promissory estoppel are not pre-empted by ERISA.  In Surgery Ctr., P.A. v. Aetna Life Ins. Co.^[1] In an issue of first impression, the Third Circuit addressed the question of what remedies are available to an out-of-network provider when an insurer initially agrees to pay for the provision of out-of-network services, and then breaches that agreement.

This case arose because two patients—identified as J.L. and D.W.—required medical procedures that were not available in-network through Aetna. J.L. needed bilateral breast reconstruction surgery following a double mastectomy and D.W. required “facial reanimation surgery,” which the Third Circuit describes as “a niche procedure performed by only a handful of surgeons in the United States.” Neither J.L. nor DW had out-of-network coverage for these procedures. D.W.’s plan also contained an “anti-assignment” clause, which would have prevented D.W. from assigning his or her rights under the plan to the Plastic Surgery Center, P.A.

On March 18, 2020, the United States Food and Drug Administration (FDA) announced the suspension of all domestic routine surveillance facility inspections until further notice. FDA took this measure to protect the health and well-being of its staff and those who conduct the inspections for the agency under contract at the state level, and due to industry concerns regarding visitors. During this interim period, the FDA conducted only a limited number of mission critical inspections using a risk-based approach. On July 10, 2020, FDA announced its plans to resume on-site inspections ...

The cannabidiol (“CBD”) consumer product marketplace is booming.  And, while FDA has maintained its position that CBD, even hemp-derived CBD, may not be included as an ingredient in conventional foods or dietary supplements, FDA has signaled its intent to create a lawful marketing pathway for these products.  Also, while FDA has issued Warning Letters to companies who made egregious claims about their products curing serious diseases and conditions like Alzheimer’s disease and cancer, FDA has also signaled a willingness to exercise enforcement discretion over CBD products that pose less serious safety concerns.  What has resulted is CBD manufacturers, retailers, and other businesses living in FDA regulatory purgatory.  Fortunately, several courts have recently held that CBD companies will not face consumer product liability, at least while their FDA regulatory fate is being decided.

A number of federal lawsuits were recently brought by consumers against manufacturers of various types of CBD products, ranging from ingestible foods and beverages, dietary supplements, topical oils and sprays, and vape products. The plaintiffs in these cases all bring similar claims, that the products purchased were misleading as to the amount of CBD in the product and/or that the products were mislabeled and falsely advertised as dietary supplements.  The plaintiffs’ claims are based, at least in part, on assertions that the defendants violated the federal Food, Drug, and Cosmetic Act (“FD&C Act”) by introducing adulterated and misbranded products into the U.S. market.

However, over the course of 2020, at least three judges have found that the outcome of these cases will have to wait until FDA completes its rulemaking on the regulation of CBD products. Citing the primary jurisdiction rule, the judges each issued a stay on their respective cases. The judges found that FDA has primary oversight over claims involving the illegal sale or marketing of CBD products, and that regulatory clarity is needed before a decision may be made on the matters brought by the plaintiffs. Thus, the fate of these cases now depend on when and whether FDA will issue regulations governing CBD products.

On March 17, 2020, the Office for Civil Rights’ (“OCR”) announced that—for the duration of the COVID-19 emergency—it would exercise enforcement discretion and waive any potential penalties for HIPAA violations relating to health care providers’ use of “everyday communications technologies” in the provision of services via telehealth (the “HIPAA Waiver”). This move has resulted in a drastic increase in the number of telehealth encounters. The HIPAA Waiver has enabled many providers to immediately leverage these technologies to render services via telehealth for the first time, without the need to expend significant resources to quickly ramp up a HIPAA-compliant telehealth platform. A summary of the HIPAA Waiver can be found in a recent blog post. While the HIPAA Waiver applies only temporarily, it is likely that the increased reliance on telehealth evidenced over the past three months is here to stay.

The COVID-19 pandemic’s impact on the regulatory landscape of telehealth was the topic of a June 17, 2020 hearing before the Senate Health, Education, Labor & Pensions Committee.  As Chairman Lamar Alexander acknowledged during his opening statement, the health care sector and government “have been forced to cram 10 years’ worth of telehealth experience into just the past three months.” Indeed, this “cramming” has resulted in thirty-one temporary changes to telehealth policy at the federal level. Of these temporary changes, Chairman Alexander included the OCR enforcement discretion / HIPAA waiver as one of the three changes he considers most important. However, of the three changes the Chairman views as most important, he declined to include the enforcement discretion in the temporary changes he believes should be made permanent, and instead called upon his colleagues to consider whether to extend the HIPAA waiver.[1]

FDA recently published its “Good Manufacturing Practice Considerations for Responding to COVID-19 Infection in Employees in Drug and Biological Products Manufacturing Guidance for Industry” (“Guidance”) which provides suggestions on managing the potential risk of products being contaminated by SARS-CoV-2, the virus behind COVID-19 infections for drug and biological product manufacturers, 503B outsourcing facilities, and 503A compounding pharmacies.

The Guidance builds on the current Good Manufacturing Practices (cGMPs) regulations for drugs and biological products, which require personnel with an illness that could adversely affect drug safety or quality be excluded from direct contact with drugs and drug components used in manufacturing.[1]  As the Guidance states, preliminary research indicating that SARS-CoV-2 “is stable for several hours to days in aerosols and on surfaces,” and that it has an incubation period of 2 to 14 days, which are both factors that increase the risk of spread and introduction into products.  The actual health risk is hard to calculate – FDA itself notes that there have not been documented transmissions through pharmaceuticals to date.  The regulatory risk, however, is an easier formula – FDA has a clear expectation that drug and biological product manufacturers evaluate the potential for COVID-19 contamination of their products under existing controls, or risk being out of compliance with cGMPs.

The FDA has issued the Temporary Policy on Prescription Drug Marketing Act Requirements for Distribution of Drug Samples During the COVID-19 Public Health Emergency.  The Prescription Drug Marketing Act of 1987 (PDMA) describes manufacturers’ drug sample storage, handling, and recordkeeping obligations as well as the written request and receipt requirements for prescribers.

Many manufacturers utilize their field sales representatives to deliver drug samples directly to, and collect written receipts from, prescribers at prescriber offices during sales calls. The COVID-19 crisis has disrupted field sales representatives’ ability to have face to face visits with prescribers, preventing them from delivering samples and collecting required receipts.  In addition, as a result of the crisis, many prescribers are providing telehealth services from their homes, impacting prescribers’ ability to receive, store and distribute samples at their offices.

On January 1, 2020 California Consumer Privacy Act (“CCPA”) largely came into effect, albeit with several last-minute modifications and a need to promulgate regulations.  As our colleagues have discussed previously here, CCPA joins other California laws safeguarding California residents’ privacy rights under the California Constitution.  Despite uncertainty around the final regulatory parameters of the law, CCPA grants the California Attorney General (AG) the authority to begin enforcement on July 1, 2020. Further, there have been no indications that such enforcement will be delayed.

Re-issued Proposed CCPA Regulations

After the California legislature passed several amendments to the CCPA in October 2019, the California AG has been working on proposed regulations.  The proposed regulations, initially introduced on October 12, 2019, went through three rounds of comment periods and were recently amended and reissued as the “Final Text of Regulations” on June 1, 2020.  These proposed regulations notably add new aspects and regulatory hurdles to CCPA implementation most notably: (i) increasing requirements for initial notices; and (ii) adding new requirements on the contents in business’s privacy policies.  These reissued proposed regulations were submitted to the California Office of Administrative Law (OAL) for review.  The OAL has thirty working days to review these regulations, plus an additional sixty calendar days under the California Governor’s Executive Order N-40-20 related to the COVID-19 pandemic, to review the regulations for procedural compliance with state law.

CCPA Proposed Regulatory Framework

The CCPA applies to any for-profit business that: (i) collects personal information on California residents; (ii) does business in the state of California; and (iii) satisfies one or more of the following thresholds: (a) has annual gross revenues in excess of $25,000,000; (b) alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices; or (c) derives 50 percent or more of its annual revenues from selling consumers’ personal information.  Businesses that hit the thresholds will be covered even if they are located outside the state of California.

Notably, companies subject to CCPA must “at or before the point of collection” of personal information provide notice to consumers informing them of the categories of personal information the company collects and what purpose the information is used by the company.  In addition, CCPA requires businesses to post a clear and conspicuous link on their website that says "Do Not Sell My Personal Information" and then to enable consumers to opt-out of the sale of their data to third parties.  CCPA also establishes a wide-range of rights to consumers (as specified below).  Companies should be aware of the potential added cost of business in responding to these rights and ensure that they do not discriminate against any individual who exercises their rights under CCPA.

On Tuesday June 16^th, the U.S. Court of Appeals for the District of Columbia Circuit upheld a District Court decision that invalidated a Department of Health and Human Services (“HHS”) rule requiring pharmaceutical companies to include the wholesale prices of their drugs in direct to consumer TV advertising.  See Regulation to Require Drug Pricing Transparency, 84 Fed. Reg. 20732 (May 10, 2019) (the “Disclosure Rule”).  Ruling in favor of Merck & Co., Inc., Eli Lilly and Company and Amgen, Inc., the Appeals Court held that HHS lacked statutory authority to establish the Disclosure Rule.

The Court found that HHS “acted unreasonably in construing its authority to include the imposition of a sweeping disclosure requirement that is largely untethered to the actual administration of the Medicare or Medicaid programs.  Because there is no reasoned statutory basis for its far-flung reach and misaligned obligations, the disclosure rule is invalid and is hereby set aside.”