At first blush, the passage of House Bill 5483, entitled the “Special Registration for Telemedicine Clarification Act of 2018” (the “Bill”), appears to address the issue concerning the lack of regulatory guidance regarding the “Special Registration” exception to the Ryan Haight Act of 2008; however, a deeper and more careful analysis reveals that the Bill may not be as effective as most health care practitioners may hope. The Bill, sponsored by Rep. Carter (R-Georgia), a pharmacist, Rep. Bustos (D-Illinois), and nine others, cleared the House on June 12, 2018 without objection. The Bill would require the federal Drug Enforcement Agency (“DEA”) to promulgate rules that would allow health care providers to apply for a “Special Registration” that would allow a provider to prescribe controlled substances via telehealth without first conducting an initial in-person examination of the patient. A transcript of the testimony in support of the Bill (“Transcript”) reveals enthusiasm by the sponsors of the Bill, as well as by Representatives Pallone (D-New Jersey) and Walden (R-Oregon), who called the Bill “a commonsense measure that cuts through the red tape to provide more treatment options to underserved communities through the use of telemedicine.” While Section 413 of the current version of S.B. 2680 would only give the DEA six months to promulgate such rules, the two bills are very similar and almost guarantee that a law will be signed in the coming months that will require DEA to promulgate rules that will finally create a Special Registration exception to the Ryan Haight Act. While the prospect of rules implementing the Special Registration may be exciting for many practitioners, it should be noted that the DEA has been obligated to create these regulations, and has ignored this obligation, for a decade.

Once enacted, the Ryan Haight Online Pharmacy Consumer Protection Act of 2008 (the “Act”) effectively banned the prescription of controlled substances via telehealth without an in-person examination of the patient. While there are exceptions to the Act, these exceptions are very technical and do not apply to the majority of treatment settings for which a controlled substance could be prescribed by a treating physician to a patient in his or her home. When the Act was passed, Congress appeared to have the foresight to know that the Act was restrictive and that the Act should have some mechanism by which its prohibitions could be relaxed, because the Act also created 21 U.S.C. § 831(h)(2), which orders the Attorney General of the United States and the DEA to “promulgate regulations specifying the limited circumstances in which a special registration under this subsection may be issued and the procedures for obtaining such a special registration.”  However, as we have previously discussed, the only related action the DEA has taken in the decade between the passage of the Act and today was, in 2016, to mark the creation of these rules a “Long-Term Action” that has not substantively been addressed. By suggesting that the DEA “understand[s] the need to implement this provision of law” Rep. Walden appears to be incognizant of the historical lack of the DEA’s movement to promulgate the Special Registration rules, despite the DEA having the authority to do so since the Act originally was passed in 2008. Mr. Walden also seems to advocate for the DEA, as he supports revising the Bill’s original 90-day deadline for the promulgation of rules to implement a one-year deadline on account of the DEA’s position it would be burdensome. As such, the question remains whether the DEA, who has avoided this exact obligation for nearly a decade, will at last take action within the year if the Bill becomes law.

Even if the DEA promulgates rules to create the Special Registration, there is no indication how broadly such rules will be written. In this regard, the transcript illustrates a fundamental difference in how Representatives Walden and Carter view the value of the DEA creating a Special Registration process and, importantly, what the scope of that Special Registration process should be from many psychiatrists and other practitioners. For example, Rep. Walden described the exception to the Act in narrow terms: “for emergency situations, like the lack of access to an in-person specialist” (a phrase also used by Rep. Carter). Mr. Carter stated as well that the original purpose of the Special Registration was for “legitimate emergency situations” as follows:

“The law included the ability for the Attorney General to issue a special registration to healthcare providers detailing in what circumstances they could prescribe controlled substances via telemedicine in legitimate emergency situations, such as a lack of access to an in-person specialist.”

Rep. Carter further stated that the Special Registration could serve as a tool to fight the opioid crisis “to connect patients with the substance use disorder treatment they need without jeopardizing important safeguards to prevent misuse or diversion,” but he did not speak of the Special Registration in broader terms. The statements by Reps. Walden and Carter mischaracterize the original language of the Act regarding the “Special Registration for Telemedicine,” which does not limit the Special Registration to emergency situations.  Rather, the Act explicitly authorizes the Attorney General to issue the Special Registration to a practitioner who “demonstrates a legitimate need for the special registration” without defining the phrase “legitimate need”. As such, “legitimate need” could include “emergency situations” but also could be interpreted to include circumstances under which a physician is authorized to prescribe a controlled substance via telehealth as long as such prescription is in accordance with the substance’s label or the applicable standard of care for treatment of the illness for which the prescription was issued to treat,

If the DEA takes its cues from the recent House testimony supporting the Bill, the agency may decide the Special Registration should be limited to certain declarations of emergencies, such as the declaration of the opioid crisis as a Public Health Emergency. Such a narrow definition may be fruitful in the fight against opioid use disorder, but may ultimately fall short of expectations held by telehealth practitioners interested in providing services to patients via telehealth that involve prescribing controlled substances.

Earlier this week, a popular source of regulatory news published an article claiming FDA “finalized a new rule this week that prohibits manufacturers from using so-called “split-predicates”. However, it appears that the article may instead be referencing the Final Guidance for Industry and Food and Drug Administration Staff entitled “The 510(k) Program: Evaluating Substantial Equivalence in Premarket Notifications [510(k)]” that FDA published earlier this week.  Unfortunately, as often occurs on the Internet, the post was disseminated by several other popular sources of regulatory news.

This confusion comes a little less than three months after four Senator’s sent a letter to FDA raising concerns about FDA draft guidance “becoming the default FDA policy and position.”

Guidances and final rules carry different legal weight.  Final regulations are legislative rules that have the force of law. Whereas, guidances do not set new legal standards, impose legal requirements or have the force of law. Instead guidances are issued to help interpret or clarify an existing regulation.   

FDA certainly understands this difference.  As FDA notes, “FDA regulations are [] federal laws, [even though] they are not part of the [federal Food Drug & Cosmetic Act (FD&C Act)].”  Whereas, “FDA guidance describes the agency’s current thinking on a regulatory issue [but guidance] is not legally binding on the public or FDA.”

FDA also emphasizes this latter point in many of its guidance documents by including the following disclaimer:

This guidance represents the Food and Drug Administration’s (FDA’s) current thinking on this topic. It does not create or confer any rights for or on any person and does not operate to bind FDA or the public. You can use an alternative approach if the approach satisfies the requirements of the applicable statutes and regulations. If you want to discuss an alternative approach, contact the FDA staff responsible for implementing this guidance. If you cannot identify the appropriate FDA staff, call the appropriate number listed on the title page of this guidance.

Unfortunately, not everyone fully appreciates the difference between rules and guidance. The recent confusion suggests that there is a disconnect between FDA’s position on the difference between guidance and final rules and the understanding of at least some in industry.  Therefore, as FDA reviews its current guidance development practice, it is important that FDA look for ways to ensure (draft or final) guidance is just that, guidance.  For example,

  • FDA should make the guidance development process more efficient and so that there is a significant difference between the time it takes to publish a final guidance and the time it takes to implement a final rule;
  • If a manufacturer uses an alternative approach and provides reasonable support for taking such an approach, FDA should be required to provide a reasonably explanation as to why the alternative is insufficient;
  • FDA should include a process for quickly and efficiently incorporating alternative approaches into existing final guidance.

Mobile application (“app”) development is the new boon for technology companies of all sizes, and the phrase “There’s an app for that” tells the story of just how much this market has grown and matured.  Most of the early app development focused on low risk opportunities—those involving free or low-cost social media or gaming apps.  While protecting privacy and security of personally-identifiable information is generally important, privacy and security concerns typically do not rank as high priorities in decision-making when developing these types of apps.

By contrast, some developers focused on creating apps that promote healthcare.  Current estimates suggest that about 13,000 healthcare apps exist today.  Recent research suggests the healthcare app marketplace will be valued at nearly $12 billion by 2018.  Due to the sensitive nature of health information, privacy and security have become important considerations throughout the lifecycle of the app from financing through end-user adoption.  Yet, it is unclear to what extent technology companies have factored health-related privacy and security standards into their development and marketing plans.  Just saying that you are a technology company, and not a healthcare company, does not insulate you from risk should you decide to work in the space between both sectors.

There are four main reasons why technology companies should evaluate whether a healthcare app adequately safeguards privacy and security of health information.

1.      Tech companies must build trust with healthcare entities to facilitate health information sharing. 

The healthcare sector currently constitutes approximately $2 trillion on spending in the United States.  Even in the current down economy, healthcare entities continue to spend money to seek ways to improve efficiency through use of health information technologies.  However, healthcare companies are acutely aware of the importance of privacy and security related to health information. Partnering with healthcare entities as their business associates to develop apps necessitates that technology companies take privacy and security just as seriously.

2.      Technology companies must build trust with end users of apps to increase adoption. 

Recent financial incentives, such as those offered by the federal government’s Innovations (i2) Initiative and private entities have drawn technology companies into the healthcare sector, but consumers are still concerned about the privacy and security of their information.  For example, non-governmental organizations have recently published best practices to protect privacy recognizing that end users of health apps are acutely sensitive to the privacy and security of their health information.  Even the  Department of Health and Human Services (“HHS”), Office of the National Coordinator for Health Information Technology (“ONC”) in cooperation with the HHS  Office of Civil Rights (“OCR”) have teamed up to launch a Privacy & Security Mobile Device project which aims to develop best practices to help developers better protect health information while using mobile devices.  Thus, if a technology company seeks to obtain one of the many financial incentives, it should prioritize privacy and security issues as these are on top of mind for consumers.

3.      Numerous government agencies have regulatory jurisdiction over health apps.

A consequence of creating health apps is that a developer may become subject to a great deal of scrutiny by government agencies including FDA, FCC, FTC, CMS, OCR and ONC.   In addition to OCR, which typically enforces privacy and security rules, agencies that do not typically focus on privacy or security concerns have also exercised their authority to require certain safeguards.  For example, CMS has required privacy and security compliance in its requirements to achieve meaningful use of an electronic health record.  Further, the FDA has recently been authorized to issue regulations governing certain medical apps.  We have yet to see what these rules say, but the FDA has already been criticized for failing to ensure adequate privacy and security safeguards exist before approving medical devices for the marketplace.  As such, it is possible the FDA will also include privacy and security requirements in its rulemaking.

4.      States laws are sometimes more aggressive than federal laws.

Some states have taken steps to expand the scope of privacy and security protections beyond what is required under federal standards.  For example, Texas and California have certain requirements that go beyond federal privacy and security requirements.  Thus, technology companies should assess whether the states in which they operate or sell their technologies have more stringent privacy and security standards.

In short, technology companies looking to be successful in the healthcare space should seriously consider building privacy and security into the app lifecycle as a way to increase trust with healthcare partners, increase trust with end users, and comply with applicable federal and state legal requirements and meet industry best practices.

Follow me on Twitter: @HealthITLawyers

The following may surprise some: FDA approval or clearance is never enough. Not if manufacturers want a commercially successful product. There is no doubt that addressing FDA issues is critical. But without data to show effectiveness, payers will not reimburse a particular product or technology—and even the most promising product will languish in the market without the appropriate coverage and reimbursement.

The use of remote monitoring devices has increased significantly over the last few years. I think it is fair to say that many manufacturers of these devices worry far more about FDA clearance and approval issues than they do about coverage and reimbursement. And that is a critical mistake. Clearing FDA hurdles is surely an important step but without a sophisticated coverage and reimbursement strategy, a product has almost no chance of market success. So, why do many manufacturers and other stakeholders not prioritize coverage and reimbursement as part of product launch strategy? Part of the answer lies in the complex, often confusing rules and policies many payers (both public and private) have in place. For example, just to look at a few:

  • Differing reimbursement environment: reimbursement policies differ depending on the type of remote monitoring device in question.  In other words, a reimbursement system that supports one monitoring device may not always provide an opportunity for another. Each device is usually evaluated by the type of data monitored, the frequency and duration of monitoring, how engaged a health care professional must be to obtain and interpret the data, etc.
  • Multiple codes: a particular remote monitoring device may require multiple codes. Different codes may be required to capture the technical and professional components associated with a particular device.
  • Limited reimbursement: Devices are reimbursed either through the technical component of a physician service (Medicare Physician Fee Schedule) or as a piece of  durable medical equipment. How it is paid determines the amount of reimbursement.
  • Attended monitoring: The more a device includes attended monitoring (by a health care professional), the more complex the reimbursement policy is likely to be.

Another issue for stakeholders is that coverage and reimbursement for devices is the culmination of three separate but critical processes: a) coverage–the terms and conditions for payment; b) coding–the unique identifiers for diagnoses, procedures, devices & diagnostics, etc.; and c) payment–the reimbursement amounts paid by public and private payers. Each phase has its own unique and complex pathways, and although advocacy is a useful tool for each phase, knowing how to engage the relevant stakeholders for each process is more art than science. The final issue confronting stakeholders is that the time and resources spent trying to gain FDA approval or clearance often does not lead to the type of data payers often require to cover and reimburse new products—especially remote monitoring technologies.

So, given the importance of a sound reimbursement approach to the commercial survival of a remote monitoring device, here is a short list of some of the things that stakeholders should consider:

  • Assemble a team that includes lawyers, coding consultants, and health economists to develop and implement a reimbursement and commercialization strategy outside of FDA issues.
  • Ensure the clinical, commercial development, and reimbursement teams are collaborating to create a unified, coherent approach.
  • Examine the current reimbursement landscape.
  • Analyze similar devices in the same coding category.
  • Design clinical trials (wherever possible) to generate the type of data that can also be used to persuade payers regarding the effectiveness of a particular device.
  • Analyze the coding and coverage policies of major public and private payers.
  • Engage stakeholders (health professional societies, advocacy groups) early in the development process.

The main takeaway here is that remote monitoring device manufacturers need to incorporate a coverage/reimbursement strategy as early as they do an FDA strategy. Ultimately, the commercial success of a product depends on whether and how payers reimburse for a product just as much as it does on how well FDA issues have been addressed.