Happy New Year! 2015 Brings More Reasonable Breach Notification Reporting Periods for CA Health Care Providers

Contributed by Marcia Augsburger, Lara Compton, and Carissa Bouwer as part of the ongoing Privacy Matters series

In 2008 California put into effect breach reporting laws applicable to certain licensed health care providers (Healthcare Entities) that are more stringent than HIPAA - so stringent that Healthcare Entities have been required to report a suspected violation of the California Medical Information Act (CMIA) without completing a meaningful investigation to determine whether an incident constituted or led to an unlawful or unauthorized access to, and use or disclosure of, an individual’s medical information. Under California’s health care licensing laws, clinics, health facilities, home health agencies, and hospice services required to be licensed under Health & Safety Code Sections 1204, 1250, 1725, or 1745 (collectively “Healthcare Entities”) were, and are until January 1, 2015, required to report a violation to the California Department of Public Health (CDPH) and to the affected individual within five business days of discovering the unlawful or unauthorized access. Fortunately, under AB 1755, effective January 1, 2015, Healthcare Entities have fifteen business days to investigate and report.



California Court of Appeal Rules Damages Are Unavailable To Plaintiff Patients Where Patient Information On Stolen Computer Was Not Disclosed!

Contributed by Marcia Augsburger and Jacquelyn Loyd as part of the ongoing Privacy Matters series

Until last week, Sutter Health was looking at a potential jury verdict in excess of $4 billion against several of its affiliated hospitals in a class action suit filed under the California Medical Information Act, California Civil Code § 56 et seq (“CMIA”) and arising from the theft of a computer containing patient health information.  Many providers believed that the CMIA was essentially a “strict liability statute,” i.e., that they could be liable for “nominal damages” under the CMIA without proof of fault, actual disclosure, or injury to patients arising from the disclosure.  Many plaintiffs successfully argued that the mere theft of a laptop, thumbdrive, or other device containing patient information was enough to establish liability and entitle them to an award of nominal damages in the amount of $1,000 per patient.

On July 21, 2014, the Third District Court of Appeal published an important decision changing all of this: Sutter Health v. Superior Court (Atkins), Case No. C072591 (Cal. App. 3d Dist. July 21, 2014). While limited to the CMIA, the decision may affect interpretations of certain HIPAA provisions in practice, administrative proceedings, and court cases arising from HIPAA violations.


FDA seeking comments on Health IT report

Contributed by Doreen Bartlett as part of the ongoing Compliance Matters series.

Exchange of information in an electronic environment (health IT) has provided and continues to provide opportunities to improve the quality, safety, cost and efficiency of health care and encourage patient involvement.  Health IT covers an array of products, technologies and services, including EHRs and medical devices.  If not designed, developed, implemented, maintained, or used properly, health IT can pose risks to patients.  Given these potential risks, how closely should health IT be regulated?

Recently, the FDA, in consultation with the Office of the National Coordinator for Health Information Technology (“ONC”) and the Federal Communications Commission (“FCC”) (referred to as “the Agencies”), released a non-binding report containing a proposed risk-based regulatory framework for regulating health IT, including medical mobile applications. This report was drafted in response to mandates from the Food and Drug Administration Safety and Innovation Act of 2012 (“FDASIA”) and with input from both regulators and external stakeholders.  Some believe the report is overall unremarkable, largely reiterating previous agency statements and not providing clear guidance.

The FDASIA report can be downloaded here.

The FDASIA report outlines a risk-based approach, focusing on three categories of health IT subject to regulatory oversight: 1) administrative health IT functions, 2) health management health IT functions, and 3) medical device health IT functions. Using this risk-based approach, the Agencies determined that:

  • administrative health IT functionalities, such as billing and claims processing, practice and inventory management, and scheduling, pose limited or no risk to patient safety, and therefore warrant no additional oversight.
  • health management health IT functionalities, such as health information and data exchange, data capture and encounter documentation, electronic access to clinical results, most clinical decision support, medication management, electronic communication and coordination, provider order entry, knowledge management, and patient identification and matching, in general pose low patient safety risks.   Consequently, if a product with health management health IT functionality meets the definition of a medical device, the FDA does not intend to focus its oversight on it. 
  • medical device health IT functionality, such as computer aided detection software, remote display or notification of real-time alarms from bedside monitors, and robotic surgical planning and control, generally poses greater risks to patient safety, and thus will continue to be the focus of FDA’s oversight.

The Agencies identified the following four key priority areas and outlined potential next steps that can be taken to help more fully realize the benefits of health IT:

  I. Promote the Use of Quality Management Principles;
  II. Identify, Develop, and Adopt Standards and Best Practices;
  III. Leverage Conformity Assessment Tools; and
  IV. Create an Environment of Learning and Continual Improvement.

In addition, they recommended the creation of a Health IT Safety Center – a public-private entity which would convene stakeholders, including federal agencies, in order to focus on activities that “promote health IT as an integral part of patient safety with the ultimate goal of assisting in the creation of a sustainable, integrated health IT learning system that avoids regulatory duplication and leverages and complements existing and ongoing efforts.”

The FDA, ONC, and FCC are seeking public comment on whether the focus areas identified in the report are the appropriate ones, and whether the proposed next steps will produce the intended results. The report is worth reading and worthy of stakeholder comment. Once the report is finalized, the FDA is expected to issue more substantive guidance.


Treating Mental Illness? Special Privacy Considerations Apply to Healthcare Providers

Contributed by Lara Compton as part of the ongoing Privacy Matters series

Decisions and unresolved questions about when and how to share information about mental illness treatment continue to make headlines.  A variety of groups, including health care providers, law enforcement and mental health advocates, have voiced concerns and expressed confusion. 

 The Office of Civil Rights recently released guidance on disclosure of mental health information under HIPAA.  The following are questions and answers that summarize the OCR’s answers to common questions related to mental health information, but keep in mind that complete answers to most of the questions require analysis of state law.



Read about recently proposed changes to the food regulatory landscape in this alert by Mary B. Langowski and Tiffani V. Williams.



FDA Medical Product Activities During the Federal Government Shutdown

FDA has summarized its anticipated scope of activities during the federal government shutdown, with information available here.

HIPAA Toolbox: 13 Steps for a Healthy Checkup

September 23 is the Health Insurance Portability and Accountability Act (HIPAA) Omnibus Rule compliance deadline. We have solutions and tools that may help you meet these changes now.  Read more here.

Summertime Brings the Sunshine


Mary B. Langowski, Kristen E. Ratcliff, and Rebecca Jones McKnight discuss the implications of "sunshine" on financial relationships between industry and physicians in the July issue of Compliance Today.

Read their article, "Don't Fear the Sunshine (but wear your sunscreen)," here.



Contributed by Rebecca Jones McKnight and So-Eun Lee as part of our ongoing Quality Matters series.


FDA guidance on Quality Agreements for drug manufacturing has been somewhat scattered, with companies left to glean FDA expectations from interpretations of the regulations, portions of a number of different cGMP-related guidance documents, 483s and Warning Letters, and informal statements of FDA policy. 


In late May, FDA issued a new draft guidance for industry, “Contract Manufacturing Arrangements for Drugs: Quality Agreements.” 


The draft guidance addresses – in one place – methods of defining, establishing and documenting the responsibilities of each party involved in the contract manufacturing of drugs subject to current Good Manufacturing Practice (cGMP), with special emphasis on Quality Agreements.  Although FDA’s expectation of Quality Agreements has been evident in recent years, the issuance of this draft guidance is still significant; due to some differences in the underlying regulations, the basis of FDA’s expectation of a Quality Agreement has historically been more clear on the device side, due to “purchasing controls” requirements in 21 C.F.R. § 820.50.


While the draft guidance is new, concern around cGMP compliance is not. In recent years, industry has seen the potential for significant consequences of alleged non-compliance with FDA quality requirements. See our prior discussion on the topic here. Because the agency considers contractors an “extension of the manufacturer’s own facility,” both the owner (i.e., the party that introduces a drug into interstate commerce) and contracted facilities are responsible for ensuring that their products are not adulterated or misbranded. 21 C.F.R. § 210.10. Although the drug cGMP regulations do not explicitly require owners and contracted facilities to document their respective responsibilities in contract manufacturing arrangements, the regulations do require that Quality Unit responsibilities and procedures be in writing. Id. § 211.22(d). Accordingly, the agency encourages all parties involved to work together to ensure that the drug is neither adulterated nor misbranded as a result of its contract manufacturing operations and recommends the use of Quality Agreements to facilitate compliance with cGMP requirements.


In the draft guidance, FDA suggests that a Quality Agreement clarify which of the cGMP activities are to be carried out by each party and track the basic subparts of the cGMP regulations or guidelines (e.g., for APIs, ICH Q7 guidance).  At a minimum, a Quality Agreement should contain the following basic sections: 

  • Purpose/scope
  • Terms (including effective date and termination clause)
  • Dispute resolution
  • Responsibilities, including communication mechanisms and contacts, and
  • Change control and revisions (including subcontractors).


Areas of responsibility include Quality Unit, facilities and equipment, materials management, product-specific requirements and responsibilities, laboratory controls and documentation.


FDA has issued various guidelines addressing quality management principles related to contract manufacturing operations and recommended the use of Quality Agreements in the past, but the new draft guidance is significant for its focus on the importance and the details of written Quality Agreements. Although, as the agency notes, written Quality Agreements do not relieve either party of their respective cGMP responsibilities under the regulations (you can’t contract away regulatory responsibility), parties can draw on quality management principles to carry out the complicated process of contract drug manufacturing by utilizing Quality Agreements. In other words, a Quality Agreement is an important tool that can be used to achieve compliance, to the benefit of all involved.


The draft guidance would apply to human drugs, veterinary drugs, certain combination products, biological and biotechnology products, finished products, active pharmaceutical ingredients (APIs or drug substances, or their intermediates) and drug constituents of combination drug/device products. 

* * * *


Please contact us if you would like more information about how we can assist you with Quality Agreements and cGMP compliance.