
9 posts from July 2009

July 30, 2009

The 30th Pan Mass Challenge: Follow the livetweeting right here and please sponsor my ride


This weekend I'll be riding in the Pan-Mass Challenge, a two-day, 5000-rider, 200-mile bicycle ride that is the granddaddy of all athletic fundraisers.  You can get a taste of past years' rides here and here.  Billy Starr, the ride's founder, was profiled in the Boston Globe this week -- check that out too.

This year's goal is a $30 million gift to the Dana Farber Cancer Institute's Jimmy Fund.  Money is a little tighter than usual all around this year, so please pitch in and sponsor my ride -- help me help the Dana Farber.  Thanks to corporate partnerships and sponsorships, 100% of all contributions made go directly to the Jimmy Fund. 

For a twitter-sized window into the PMC weekend experience, please follow the livetweeting right here on HealthBlawg, or follow tweets at the #pmc hashtag in your reader of choice starting Friday afternoon, and running through Sunday.  I'll be tweeting along the way, and many others will be, too. 
Tweets will be archived here after the ride.  You can also tune in to an inspirational kickoff broadcast on NECN Friday night at 7, and check in for updates at NECN throughout the weekend.  Maybe the video will inspire you to contribute.  To quote one of the PMC slogans: "Let's Make Cancer History!" 

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

July 29, 2009

David Harlow quoted in US News & World Report health care reform story

The saga continues in our nation's capital, and Kent Garber of US News & World Report provided a roundup of the current state of health care reform this Tuesday -- encompassing the positions of the President, the Blue Dogs, the CBO, Speaker Pelosi, Sen. Baucus, and a raft of other Congressional committee leaders -- as the deadlines for legislative action are extended further and further out.  We discussed the issues last week, and he quoted me briefly in his article.


July 26, 2009

The Lawyers Don't Always Say No: Bringing Legal into Health Care Social Media Strategic Planning

I led one of the roundtable discussions at last Thursday's Social Communications & Healthcare conference in New York City.  After a morning of back-to-back case studies presented by folks from the CDC (swine flu resources) to McNeil (online ADHD communities) to Pfizer (on twitter and other forms of transparency) to word-of-mouth marketing consultants (for all presentations, see agenda, audio and tweetstream at link), participants had two rounds of social media roundtable speed dating -- there were about 30 simultaneous sessions.  My sessions' topic: "The Lawyers Don't Always Say No: Bring Legal Into Health Care Social Media Strategic Planning."

The participants in my sessions included hospital administrators, pharma marketers, PR and media consultants, and one or two lawyers.

I kicked things off by observing that many organizations decide that they ought to have a social media presence and jump in without exploring why they are doing so, what they hope to accomplish, and what level of resources they plan to devote to such efforts.  Folks chimed in with the need to listen as a first step: listening to competitors, and listening to what the public is saying about you.  Listening to competitors allows you to benchmark what other folks are doing, and get a sense of best practices.  Listening to the public is a strategy followed by strong brands across the entire economy, not just in health care.  It allows you to pick up on complaints, problems, peeves, and step in and address them, either on line or off line, as appropriate, and to communicate publicly (within limits) about how issues have been addressed.

We focused on the following key areas of concern:

  • Privacy.  This realm is governed by HIPAA and related state law.  Particular conditions have additional layers of regulation and issues.  For example, one participant raised the issue of communication in a branded forum by a parent of a minor child with AIDS.  How can one establish consent to the release of such information in a public forum, and what is the exposure of the forum's sponsor with respect to an unauthorized release of that information?  My take: include disclaimers and warnings galore, so that posting in such a forum constitutes consent to the public discussion.  The question of who has the right to grant such consent (parent vs. minor child vs. emancipated minor) is the same whether we are talking about the social media context or other situations.
  • Liability.  Several types of liability concerns seem to be holding back many healthcare and pharma organizations from getting their feet wet in social media.  
Many pharma organizations seem paralyzed when it comes to branded online social media forums, due to concerns about the obligation to report adverse events involving their products that come to their attention.  My take: this is ostrich-like behavior.  While the safest course is to wait for the FDA to come out with social media guidelines, some common sense can be applied in this situation: Don't set up an online forum unless you are prepared to moderate and filter comments, and forward reports of adverse events to regulatory and compliance departments for review and reporting if necessary.  Avoiding reports of adverse events doesn't mean they're not happening, and learning about more such events earlier on will ultimately lead to improvements to products and perhaps avoidance of the multimillion dollar lawsuit.  Finally, many online comments are made anonymously (or untraceably), and anonymous reports are not reportable.

Healthcare organizations are concerned about medical malpractice liability as well.  Again, disclaimers are the order of the day.  While one can conduct a physician-patient relationship online, best practice would be to initiate the relationship in real life, and obtain appropriate authorization from the patient to continue the dialogue on line.  Some folks are more open than others, and are willing to post details about themselves that others consider private.  If someone posts these details in a public forum, that constitutes consent to the disclosure itself.  A provider's response, however, should be more circumspect, absent a prior written authorization to communicate more publicly.

All organizations may be concerned about the public posting of derogatory or defamatory opinions or information about employees, administrators, patients.  My take: policies and procedures should be in place regarding the making or circulating of such statements in whatever form or forum: real life, web 1.0, web 2.0.  The social web does not always require the creation of new rules of the road; often, it requires a re-examination of organizational culture and approach in other contexts, and those approaches may then be extended into the web 2.0 environment.
  • Regulation.  I used the FDA's warning letter to General Mills about its marketing of Cheerios as a cholesterol-fighting drug as an example of the need to be flexible in anticipating the unexpected: the regulatory salvo fired across the bow with no warning, the issue coming at you out of left field.  Privacy and liability concerns seem to cover the waterfront of regulatory concerns right now, but other issues are likely to arise over time.
  • Flexibility.  There was consensus around the table that it is difficult, if not impossible, to establish a social media policy in a vacuum, and that it is paralyzing to think that one may not begin to allocate resources to the effort without putting such policies in place up front.  My take:  Social media strategy is a journey, not a destination.  There will be many mid-course corrections.  My main piece of advice to the social media practitioners around the table: talk to legal early and often, so that you don't find yourself too far down a path that turns out to be a legal or regulatory dead end.

My discussion notes (linked to above) include links to other posts of mine on social media topics.


July 24, 2009

Blog Carnivals: Lawyers, Medbloggers and Health Wonks (Oh My)

Just catching up on the week's blog carnivals ....

Blawg Review #221 at The Complex Litigator begins with an exposition on Guy Fawkes Night, and takes us on a tour of the blawgosphere, touching on imagined Senate confirmation hearing testimony from Yoda, hamsters, and class actions.

This week's host of Grand Rounds, Doc Gurley, presents the Mystery! edition, and the HealthBlawger appears in Act Three - The Law Gets Involved; no mystery there.

And speaking of carnivals, Paul Testa at the New Health Dialogue Blog has found his calling as a carnival barker and asks us all to step right up and "wander through a spectacle that's as uniquely American as apple pie and health reform."  That can mean only one thing, dear reader: Health Wonk Review.

Try not to eat too much cotton candy.


July 23, 2009

Social Communications & Healthcare Conference in NYC

Today I participated in the Social Communications & Healthcare conference in New York City. (PDF agenda here.)  About 375 folks heard a series of case studies presented by social media leaders from within large corporations and from consultancies, followed by roundtable discussions on a variety of related topics.  Many attendees were livetweeting the case studies portion of the event; these tweets are archived and presented here for your review.  The case study presentations are also archived at Blog Talk Radio.  I moderated two roundtable discussions titled: The Lawyers Don't Always Say No: Bringing Legal into Health Care Social Media Strategic Planning.  I will post about those discussions soon. 

It was a lively event with an energized crowd.  As an added bonus, I had the opportunity to see, in real life, a number of folks from around the country with whom I generally interact on line.

Update 7/24/09: And speaking of online interaction, @andrewspong followed the tweets and broadcast from across the pond, participated in the twitter conversation, and posted his take on the top ten social media best practices discussed at the conference.

Update 7/26/09:  See my post on the roundtable discussions I led on the subject of The Lawyers Don't Always Say No: Bringing Legal into Health Care Social Media Strategic Planning.


July 15, 2009

Red Flags Rule: The FTC piles on, because HIPAA, ARRA and overlapping state laws just weren't enough

Update 5/28/10:  Red Flags? Nah ... nothin' but blue skies.  The FTC delays implementation of the Red Flags Rule yet again, to December 31.

Update 11/3/09:  The FTC announced that implementation of the Red Flags Rule will be delayed once more, this time until June 1, 2010.  The announcement came on the heels of losing a court case to the American Bar Association -- the court ruled that the rule does not apply to lawyers -- and on the heels of a legislative attempt to bar its applicability to small health care, accounting and legal practices.  Stay tuned.  

Update 7/29/09:  The FTC announced today that implementation of the Red Flags Rule will be delayed once again, this time til November 1, 2009.  The agency promises to roll out additional information targeted at low-risk entities covered under the rule.  Thus far, nothing has changed with respect to the rule and its ultimate effect, so organizations subject to the rule should take the extra time to assess their compliance needs and implement their plans in advance of November 1.

After a couple of delays, the FTC Red Flags Rule will be effective August 1, 2009.  This rule requires "creditors" under certain "covered accounts" to maintain a heightened alertness to numerous categories of "red flags" that may indicate that the consumer who is the rightful account holder is the victim of identity theft.  If a red flag is triggered, the creditor must take steps to notify the consumer and correct any inappropriate information included in the creditor's records.

As you probably already know, the FTC is extending its reach with this rule (among others) into the health care sector.  (Cf. the FTC's role in enforcing certain Son of HIPAA provisions.)  The AMA has all but dropped a draft complaint on the FTC's desk, citing assorted legal precedents in its correspondence with the FTC arguing that the Red Flags Rule should not apply to physician practices.  The FTC is unmoved -- except to the extent that it has been willing to delay the effective date twice (from November 2008 to May 2009 to August 2009).

At any rate, the August 1 effective date is around the corner, and affected health care entities need to develop and implement compliance plans now, if they haven't already.  (Even the AMA says so, and has published guidance and a sample policy for members.)

A few more general comments before stepping back and examining the language of the rule and its applicability to health care providers.

The federales are taking something of a common-sense approach here, recognizing that a compliance plan needs to be tailored to the specific entity, the nature of its "covered accounts" and its operations.  Bank of America, N.A. and Springfield Medical Associates, P.C. will have very different compliance plans, because their potential red flags and the potential risks are vastly different.

Affected health care providers need to understand that the Red Flag Rule requirements overlap with HIPAA and state privacy law requirements (and looming Son of HIPAA requirements in ARRA), but will not be satisfied by implementation of existing privacy policies and compliance plans.  Review of the intersection of existing policies and procedures with the new rule's requirements is the first order of business.

As with any other new regulatory scheme, preparing a compliance plan and putting it on the shelf won't cut it.  The rule calls for regular monitoring of the plan and issues that arise by a senior manager.  Furthermore, best practices would dictate the training of staff to deal with individual issues and, most importantly, with the affected consumers.

Even if not clearly subject to the Red Flags Rule, providers should undertake to comply, for a couple of interrelated reasons:

  • Good patient PR.  Data security is top of mind these days.  Much of the effort required under the rule should be expended anyway simply to respond to market pressures calling for improved data security.
  • Potential liability.  The creative trial attorney will seek to use the Red Flags Rule as establishing a standard of care for the stewardship of personal information.  The incensed jury will go along.  The health care provider caught in the middle between thieves and victims may be the only perceived deep pocket available.

OK, so what is a "creditor" and what is a "covered account?"

Any entity that accepts payment other than payment in full at the time of service is a creditor.  Health care providers that go the cash-on-the-barrelhead route aren't creditors; all others are creditors.

The FTC Guide defines covered accounts as follows: either

  • a consumer account you offer your customers that’s primarily for personal, family, or household purposes that involves or is designed to permit multiple payments or transactions; or
  • any other account that a financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.” Examples include small business accounts, sole proprietorship accounts, or single transaction consumer accounts that may be vulnerable to identity theft. Unlike consumer accounts designed to permit multiple payments or transactions – they always are “covered accounts” under the Rule – other types of accounts are “covered accounts” only if the risk of identity theft is reasonably foreseeable.

Any creditor with covered accounts must have a red flags rule compliance plan in place with policies and procedures for dealing with "red flags" -- i.e., signs that personal information may have been compromised.  The World Privacy Forum suggests that the following red flags are the ones most applicable in the health care context:

• A complaint or question from a patient based on the patient’s receipt of:
   o a bill for another individual
   o a bill for a product or service that the patient denies receiving
   o a bill from a health care provider that the patient never patronized or
   o a notice of insurance benefits (or Explanation of Benefits) for health services never received.
• Records showing medical treatment that is inconsistent with a physical examination or with a medical history as reported by the patient.
• A complaint or question from a patient about the receipt of a collection notice from a bill collector.
• A patient or insurance company report that coverage for legitimate hospital stays is denied because insurance benefits have been depleted or a lifetime cap has been reached.
• A complaint or question from a patient about information added to a credit report by a health care provider or insurer.
• A dispute of a bill by a patient who claims to be the victim of any type of identity theft.
• A patient who has an insurance number but never produces an insurance card or other physical documentation of insurance.
• A notice or inquiry from an insurance fraud investigator for a private insurance company or a law enforcement agency.

If a situation is flagged, a creditor must take steps to mitigate the risk of identity theft or continued identity theft.  Again, the World Privacy Forum notes:

There need to be uniform but appropriately flexible answers to these questions:

  • What do we do when a patient claims fraud is in their files?
  • What do we do when a patient says the bills are for services she did not receive?
  • What do we do for patients and other impacted victims when we uncover a fraudulent operation?
  • When we have a real case of medical identity theft, how can we work with patients to fix the records and limit future damages?
  • What do we do when a provider has altered the patient records?
  • How do we handle police reports and requests for investigation from victims?

The answers to these questions need to be viewed not just from the provider’s perspective, but also from the victim’s perspective, which can differ substantially.

There are a number of useful resources available for health care providers seeking to take stock of their situation, establish Red Flags Rule compliance policies and procedures, and undertake staff training on the subject.  For example, the FTC, the AMA and the World Privacy Forum have all released valuable guidance documents (all linked to above) that would assist any organization with coming into compliance. 

As with any effort of this sort, it is often valuable to have someone outside the organization come in to review existing policies, procedures and workflow in order to highlight potential risks and opportunities for improvement.  The HealthBlawger and members of the HealthBlawger's virtual consulting network are available to come in and assess, plan and help implement compliance strategies for organizations large and small touched by the Red Flags Rule.

Whatever the size or nature of your business, please take a moment to consider how the Red Flags Rule may apply to its operations, and how it may relate to other regulatory schemes such as HIPAA and state laws.


July 13, 2009

Marc Rodwin, Suffolk University law professor, speaks with David Harlow about his proposal for public ownership of health data published in JAMA

I spoke with Marc Rodwin last week about his proposal that there should be public ownership of all de-identified health record data, to guarantee the availability of complete data in improving public health and advancing evidence-based medicine: goals of the Obama Administration articulated as part of the rationale for expanding the use of EHRs and promoting that expansion through unprecedented grants to providers for meaningful use of certified EHRs.  Professor Rodwin is on the faculty of the Suffolk University Law School; his piece on public ownership of health record data was published in JAMA earlier this month.

The audio file of my interview with Marc Rodwin (about 20 minutes long) is available for download/podcast.  A full transcript is at the end of this post (and in the linked transcript here).

Rodwin's proposal, which would require legislative action, runs near the Declaration of Health Data Rights, which asserts individuals' control over their own health data.  The two initiatives should not be mutually exclusive.

Rodwin notes that in the current flurry of health care legislative activity it's more likely that data mining firms will get legislative protection for the status quo than public ownership of health data will be recognized.  The resulting fragmentation of control of, and access to, health data, would undercut the value of the pending investment in health data infrastructure in this country.


HealthBlawg Interview of Prof. Marc Rodwin, JD, PhD, Suffolk University Law School
July 7, 2009

David Harlow:  Hello. This is David Harlow on HealthBlawg and I have with me today Marc Rodwin, Professor at the Suffolk University Law School in Boston, who has a piece published in the current issue of JAMA, the Journal of the American Medical Association, regarding the case for public ownership of patient data. Good afternoon Marc.

Marc Rodwin:  Good afternoon, David. Nice to speak with you.

David Harlow:  Thank you for being with us. The case that you make is a compelling one and I wonder if you could lay it out in brief for our listeners and readers.

Marc Rodwin:  Sure, maybe I should give a little background.

David Harlow:  Thank you.

Marc Rodwin:  There is a new emerging market in patient data -- de-identified or anonymized data, aggregate data -- and it’s growing particularly because of the move to electronic medical records.  The significance of this is that it will now be much easier to do all sorts of analysis of public health, of marketing trends, of valuation of healthcare systems, of hospitals, epidemiological research and so it’s a very valuable development.

David Harlow:  Yes and that’s part of the background for the push to add electronic medical records to our healthcare system.

Marc Rodwin:  Right, but what hasn’t been discussed very much – it’s been overshadowed by the talk of confidentiality issues or technology or making this happen – is how to make this work for the public and for private parties too, and the main question that’s been ignored is who owns this data, who should own it and what is the consequence of the law on ownership in this area and in fact there is an area of great uncertainty because the law has really been established to decide ownership of medical records, tangible property in the past and there, there is a pretty clear resolution of records pretty much in most states owned by providers but patients have access to the records and their limits on provider use of it for confidentiality.  But with electronic data you don’t necessarily have exclusive ownership and it’s not really clear what its status is. There are a few parameters so it’s pretty clear from what's been said so far that this is not something that the law would normally allow to be copyrighted or patented because it doesn’t involve (the raw data on patients) creativity and it’s not an invention but there is some referring to data that comes from a billing record or a patient record something that’s been produced there and in that sense it’s not protected.  On the other hand, what has happened so far is people who have been selling the data they have both for-profit firms, not-for-profit hospitals, insurance companies and they have often used contracts in selling it to restrict others from using it and they have put the data in -.

David Harlow:  Just to be clear we are talking about aggregated de-identified data for the most part.

Marc Rodwin:  Yes, absolutely, I thought I said that up front. So there is an effort to really make this a private property and there have actually been some people out there in the policy world suggesting that it should be private, not public: The Heritage Foundation in a brief a while ago said that government shouldn’t have any privileged access and so they have to buy it and other groups that have looked at it have said don’t think about ownership, just about access. But if there isn’t some provision set up to make it public, publicly available, then it’s going to be treated quite possibly as private property and that’s going to create problems most with the public and for private development is my argument.  Now for the public the problem is this: if individual insurance companies and hospitals have a right to own the data, they can restrict who uses it and they can not make it available, they can sell it only on terms that they want, and even if it’s made sellable to public health authorities it may be simply too expensive to get.  The problem is larger than you might think, because the value of this data is particularly if you have a comprehensive database; so fracturing it into parts owned by lots of different entities makes it much harder to collect together and to use, and even the transaction cost -- if you have the money -- would impede use, so that would really limit many of the public health and research functions of it. We have seen this happen in other areas there has been some discussion of patenting genes, Lori Andrews and others have written about that and there is actually an economic literature that discusses what's called “the tragedy of the anti-commons” and the basic idea is that if you allow private ownership but such that the values are really downstream it becomes very hard for private owners to collect them together and get the beneficial uses.
That’s what I am saying is going to occur here and why I recommend that there be a mandate to have reporting of certain aggregate data to say HHS or a new government entity and that that data then be made available to the public.  Now there actually are some precedents for that in limited ways: California requires hospital discharge data to be reported for all hospitals, Medicare requires all hospitals to report certain cost data -- so this is not a totally new approach or a radical approach. The other thing that is important to know is making this publicly available doesn’t impede commercialization of sorts, it just makes a better market for it because once that’s public you can have different firms take the data, analyze it and put it into software in different ways, do all the kind of things that make it valuable and usable, the only thing that happens when its public is you prevent these parties that analyze the data from having a monopoly and applying and kind of having that tie in with the data ownership in their analysis.

David Harlow:  So whatever the value they add in terms of analysis would be added in, and you create a market for that sort of analysis.

Marc Rodwin:  Sure so if Harlow and Rodwin Associates does very good graphics on the data and puts it into a usable friendly format, we could sell that.  But given that the data is out there and others could do it we wouldn’t be able to sell it with a monopoly profit based on our having the data or on having an inferior product that no one else could compete with.  Someone else down the street, Tom Jones, could say I can do that even better, or sell it with different unit pricing and make it and compete with you so you can actually have two or three folks developing the analysis and delivery in certain ways and none would be able to require that you only go to them for their services because you have to buy the services with the data.  So I can say a bit more, but why don’t I let you ask some questions.

David Harlow:  What I was going to ask next is: Would you see the sort of protection of rights or protection of the usability of this data, as something that could fit in with the framework for meaningful use that’s been articulated under the Recovery Act?

Marc Rodwin:  Well I don’t think it’s been sufficiently articulated yet and I think it’s yet to be articulated with regulation.

David Harlow:  There is a draft definition or working definition if you will out there for comment and I guess one of the ways that’s being framed is: What are the health outcomes or policy priorities that are going to be advanced by a definition of meaningful use and you have articulated a very important one which is the use of all of this data for population-based, evidence-based healthcare.

Marc Rodwin:  Yes, we will see what comes out in the regulations and how they develop, but what I am suggesting is a broadest possible definition, possible and that would require that it all be made available and what worries me is that “meaningful use” might significantly restrict it in different ways and the approach I am taking is that it’s all reported and made -- through a government entity -- available to everybody who wants to use it once it’s protected, and that would preclude anyone not making something available or making it available later or on less favorable terms and for broader than just population data, conceivably. While I am very interested in the public health uses, it would be also usable for a subpopulation, for the Boston area population or for studying of one hospital system or one HMO.

David Harlow:  Or for a particular disease.

Marc Rodwin:  That’s right and so I think there is a value to having some mandatory reporting which will certainly get the data out there in a way that’s saying the data has to be made available to those who request it or  in certain circumstances that puts the cost of collecting it elsewhere. Right now we have done this with Medicaid data in California and there are certain times you just have to report certain things and maybe there should be some compensation for that but basically we are talking about people reporting things that they already have and do report to others so if you have to turnover information already for billing or for Medicare cost data and the like, we are not talking about a lot more burden to make that same data available more broadly.

David Harlow:  Now in this piece you have highlighted the fact that some data sellers will draft agreements that limit buyers of the data from further disseminating that information and I guess the question I would have on that front is whether you are aware of lawsuits or decisions that have addressed the enforceability of those agreements?  Take the case that the work that’s done in manipulating that data doesn’t really create something that’s copyrightable. So the question is can the seller really enforce an agreement that requires someone to not disseminate that information further?

Marc Rodwin:  Right, well I am not aware of decisions that have ruled on it but there is a difference between the copyrightability and enforceability of a contract.  It could be, I assume, the evidence I have, it’s not copyrightable. A breach of copyright would mean someone could claim a copyright infringement for use and you have the remedies there, a breach of contract is a different matter and even if they can't copyright the data they might be able to, under the terms of the contract, have contract remedies.  It’s also quite possible that simply having that clause in contracts is going to chill and limit what different people do with their data and limit access there, and in addition what I have been reading about and told is that people are trying to put this data into software in ways to limit its access. But the tension is basically here: if the data really is available publicly, you are going to have less of a primary market in people buying it from others without the analysis and the fact is if you want to buy certain data now there are known sellers and they can deliver a database and certain kind of databases and there really aren’t a lot of alternatives at this point.

David Harlow:  Right, so you are talking about encouraging a much more robust secondary use of the data.

Marc Rodwin:  Yes, that’s what I think would be beneficial.

David Harlow:  Now, do you see patient rights activists as being opposed to this sort of approach?

Marc Rodwin:  Well you know it doesn’t fit into standard categories and I think a lot of people’s initial reaction is that you don’t want something public -- with the idea that it’s safer when it’s private, in the sense that it’s confidential.  But I think that misconstrues what's going on, because public doesn’t mean that it’s not protected in terms of confidentiality, nor does not public or private mean that it is.  In fact there are, of course, risks any time there is data available, whether it’s publicly available or private, on a private market, that there will be a breach of confidentiality.  If the data is not properly coded or if it’s broken down in certain ways and there’s other information you can combine with it, you might be able to then identify patient information, but my point is that that’s equally a problem if there is a private market where you can buy this data, where firms have exclusive ownership interests in the data and in a situation where it’s available through a government entity like HHS.  So it hasn’t really been broached; as far as I know much of the public and patient rights groups haven’t been talking about this so far, they have been talking about privacy as a separate issue.

David Harlow:  So we are talking about privacy and control of health records and I was getting at the question of whether you think some folks would see this putting of records into public hands as a concern when some patient advocacy groups who prefer to see rate of patient control of records.

Marc Rodwin:  Right, there are some people out there that talk about patients owning the data: that’s a proposal, that’s not what current law is and the current situation is that even if you would like patients to own data and stop others from doing anything with it that’s not happening now, and the law is not allowing it. And it’s not the public access that’s the problem; if there is a problem it’s private firms appropriating it without consulting them and without any oversight, and I think to the extent that this is made public it’s going to have to be done through a statute that will design what the limits are and the uses in confidentiality in a way that they can guarantee much more safety for patients than currently exists.

David Harlow:  Do you think that the current legislative debate on healthcare reform provides a vehicle for such a statute?

Marc Rodwin:  Well, it provides a vehicle for doing it but it’s not what's the focus of most people’s attention so it’s unlikely to. At this point the center of the debate in the editorials in the press and the like is elsewhere. It may well be that when there is, if there is, a major bill in Congress someone there will slip in something that relates to this but it’s not an issue that’s been debated at all, and that’s a little bit worrisome, because I think there is a significant chance that some groups that are doing well with the current situation will try to put in some kind of legislation to do the opposite: to make it private, to not allow public access, and since a lot of the public is not aware of this issue yet they won’t see what's happening and they won’t be able to prevent that.

David Harlow:  All right -- so that could be a surprise. Well hopefully we don’t get a surprise like that. I appreciate very much you taking the time to discuss this issue with me, it is an interesting topic and a very interesting proposal, a valuable proposal and perhaps that can get some traction of the current environment as we are discussing this.

Marc Rodwin:  Well wherever you come out on it, it’s worth thinking about, it’s a major policy issue, it’s opening up, it’s new and it will make a big difference.

David Harlow:  Yes, well, Professor Marc Rodwin, thank you very much for taking the time with HealthBlawg today, I appreciate your thoughts and your insights and thank you again for being with us.

Marc Rodwin:  It’s my pleasure; thank you.

July 09, 2009

Large molecules, biosimilars, patent protection, and the cost of health care reform

As may be expected, interested parties are hard at work in our nation's capital lobbying key health care committee members and their staffs.  Today I want to share a small window into this usually closed-off world, informed in part by a conference call with a handful of bloggers yesterday, hosted by Jim Greenwood, President of BIO, the biotech industry association.

"Large molecule" biotech compounds used as next generation drugs for a whole range of diseases and conditions do not get the same sort of patent protection as "small molecule" drugs.  Small molecule drugs start the patent and FDA new drug application (NDA) process at the same time, with the usual effect that FDA approval for a new drug comes about 7 years after an initial application, thus giving the patent holder about 12 or 13 years of patent-protected time on the market before generic manufacturers can horn in.  Large molecules are not patented directly; the processes by which they are generated are.  Thus, a competitor may develop a means to generate a "biosimilar" -- a large molecule that has the same therapeutic effect as the original, even though its production and chemical formulation are not identical -- and market it without infringing on the innovator's patent.  The key to being able to do so is the ability to rely on the innovator's study data as part of its NDA.  The key to the innovator's ability to have the market to itself for the equivalent of the term of a patent in the small molecule world is a period of "data exclusivity" (when others can't use its data for their own applications regarding biosimilars) equal to the effective term of patent protection: 12 or 13 years.

Greenwood said yesterday that Peter Orszag and Nancy-Ann Min DeParle have suggested that 7 years' data exclusivity should be sufficient, and that the FTC opposes any data exclusivity.  Legislation filed in the last session supported by BIO would have provided 12 years of data exclusivity.  The Senate HELP bill provides for 9 years of data exclusivity, with the opportunity to get a 3-year extension in the case of a novel use for the product. 

While the arguments made by industry are reasonable, the issue must be placed in context.  Drugs and biologics, while undeniably a key component of our current health care system, have contributed greatly to the runaway cost inflation we have seen.  The proposed 21.5% cut to the Medicare Physician Fee Schedule -- the prospect of which horrifies not only physicians, but those of us who may ever want to obtain physician services in the future -- may be tempered by carving out physician-office-administered medications, which include some of the large molecule compounds at issue (an $87.5B line item, over 10 years).  Taking this expense out of the physician pot means it has to be dropped back in somewhere else; I mention this because it's an issue at the forefront of the debate, and the price tag (which is not the whole price tag for drugs and biologics) is a big number, which has the attention of policymakers.  The total annual cost of biologics has been pegged at $60B.  While the industry rightfully wants large molecule protection equivalent to small molecule protection, the public and the government are rightfully concerned about the ultimate cost of such protection, and are seeking an appropriate balance.

The lobbying on this and many other provisions continues in the Senate HELP Committee and other committees.  Many compromises lie ahead.

Update 7/16/09:  The Senate HELP Committee bill was reported out with 12 years of protection.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

July 02, 2009

2010 MPFS: CMS proposes 21.5% physician pay cut (yes, really)

Let's go down the rabbit hole with the federales. 

Remember the Sustainable Growth Rate, that congressional hedge against inflation of health care costs, specifically payments under the Medicare Physician Fee Schedule?  Well, the CY 2010 MPFS went on display yesterday, and is due to be published in a couple weeks.  As written, the rule would (among other things) fully implement the SGR by cutting physician payments 21.5% (see the press release).  That's because Congress has overridden every other cut mandated by the law since 2002, yet has not taken the time to rethink it -- even though it called for a review in 2005's DRA, and MedPAC obliged in 2007.  To cut to the chase, MedPAC recommended that Congress either (a) come up with another cockamamie formula or (b) repeal the SGR and develop incentives for providers to provide higher quality care at lower cost.  Yes, they've done a fine job so far . . . .

So, we all know that Congress will step in before the rule takes effect January 1, 2010; perhaps it will be in a systematic way this time, however, with a real replacement for the SGR wrapped into a broader health care reform bill.  The Tri-Committee bill in the House (see sec. 1121, p. 181) is the only leading bill that addresses this issue head-on, as far as I know (please let me know if I'm missing something), though it does not include a radical enough reformation and seems to fall in line with MedPAC recommendation (a).

As the WSJ Health Blog notes, another part of the crazy logic at work in the draft rule is a CMS proposal to carve out reimbursement for physician-administered drugs ($87.5B over ten years, per the CBO) from that which is subject to the SGR.  That would help with the narrow issue of how-many-percentage-points-of-the-SGR-can pass through the eye of a needle, but obviously doesn't address the fundamental systems issue.  (I'll take (b) for $2.4 trillion, Alex.)

There's plenty of other goodies in this draft rule -- especially around imaging -- but the big across-the-board cuts certainly deserve the headline.  For example:

  • Capital reimbursement for physician-office diagnostic equipment was originally calculated by CMS based on the assumption of a 50% utilization rate.  Since the actual utilization rates are much higher, that assumption is now being formally thrown out the window.
  • Under MIPPA, imaging providers will be subject to new accreditation requirements as of January 2012; accreditation organizations are identified in the rule, and additional controls will be forthcoming in separate rulemaking.
  • Finally, more measures are being added to the PQRI set, and automatic EHR-to-CMS reporting is being explored (as is the case with hospital RHQDAPU reporting), as pay-for-reporting (in lieu of meaningful pay-for-performance) continues at the Federal level.

Bottom line: This is a complicated set of issues, but it is only one of many that Congress and the President hope to have all wrapped up neatly by November.  Perhaps a post-SGR approach to physician payment will help build the coalition necessary for meaningful systemic reform.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting