Device Firms: What You Should Know About The 21st Century Cures Act

By Mason Weeda

Last month, legislation that would affect, among other things, FDA’s regulation of medical devices and the manufacturers of such devices took a considerable step forward when it was introduced and then unanimously approved by the House Energy and Commerce Committee by a vote of 51-0 on May 21.  Known as the 21st Century Cures Act (“Act”), the stated aim of the legislation is to modernize and personalize health care, encourage innovation, support research, and streamline the U.S. health care system to promote the delivery of better and faster “cures” to more patients.

In support of this goal, the Act would change the review of medical devices determined to be “breakthrough,” establish a third-party option for the inspection of medical device manufacturers, make changes to certain Humanitarian Device Exemption (“HDE“) requirements, institutionalize FDA’s ongoing efforts regarding the regulation of medical software applications, and loosen some clinical investigation requirements.  Significantly, the legislation also indicates an ongoing Congressional interest in the restrictions FDA has placed on the dissemination of truthful and nonmisleading off-label information.

Breakthrough Device Pathway

The Act would support faster “cures” by creating a “priority review” pathway for those devices that meet the definition of a “breakthrough device.”  These “breakthrough devices” include those that “represent breakthrough technologies… for which no approved alternative exist,” offer “significant advantages over existing approved or cleared alternative,” and are “otherwise in the best interest of patients.”

Upon a sponsor’s request, FDA would determine whether a device meets the “breakthrough device” designation using specified criteria.  If a device receives such designation, it would be eligible for expedited review by a team of staff that will interact with the device sponsor.  During this process, the Act would require FDA to “take steps to ensure that the design of clinical trials is as efficient as practicable, such as through adoption of shorter or smaller clinical trials, application of surrogate endpoints and use of adaptive trial designs and Bayesian statistics.”  Likewise, the agency would also be required to “facilitate … expedited and efficient development and review of the device through utilization of postmarket data collection.” Although these are laudable goals, the Act does not impose any specific timelines in which an “expedited review” must be completed or otherwise quantify how much existing review times will be reduced.

Third-Party Inspections of Device Manufacturers

The Act also contains provisions that could allow FDA to conserve its inspectional assets and speed up approval of modified versions of existing devices by allowing for the use of third party inspectors to conduct the necessary establishment inspections.  The theory being that creating a “quick” method to inspect facilities in these circumstances would promote the earlier availability of improved “cures.”

Under the provisions of the Act titled “Medical Device Regulatory Process Improvements,” Congress would require FDA to establish a “third-party quality system assessment” program, where accredited third parties would inspect manufacturers for compliance with the Quality System Regulation (“QSR”) (21 C.F.R. Part 820).  However, use of such third-party inspections would be limited only to QSR inspections necessary as the result of submissions involving “device related changes” and would not be available in other types of establishment inspections.

Changes to Humanitarian Device Exemptions

This section of the Act would double the number of patients that must suffer from a disease in order for FDA to consider it a “rare disease.”    Presently, the HDE pathway is intended to incentivize and encourage the development of devices to treat “rare” diseases or conditions affecting small patient populations when the device manufacturer`s research and development costs would otherwise exceed its market returns.  It does so by significantly reducing the clinical data that would be necessary for the manufacturer to generate to support the efficacy of the device that would otherwise be required by FDA in a traditional marketing application. To qualify for an HDE, the disease or condition must presently affect fewer than 4,000 individuals in the United States per year. The Act seeks to encourage additional development making “cures” more widely available by increasing this number to 8,000 individuals.

Medical Software

In an apparent effort to “modernize” the technology involved in health care, the Act would create a definition of “health software,” which generally would not be regulated unless it:

  • is intended for use to analyze information to provide patient-specific recommended options; or
  • FDA determines that it poses a significant risk to patient safety.

This provision continues to allow FDA some flexibility as to how it may regulate software.  The Act also would require the agency to review existing regulations and guidance regarding software, including the classification of software, standards of verification and validation, review of software, and quality system for software, among others.

Clinical Trials

The Act would also make it easier for sponsors conducting clinical investigations by requiring the Department of Health and Human Services (“HHS”) to harmonize its requirements applicable to clinical investigations with FDA’s own requirements. This supports the Act’s goals by significantly reducing the regulatory burden imposed on sponsors who must presently ensure that their clinical investigations meet the often duplicitous requirements imposed by both HHS and FDA controls.  The Act also would make it easier for sponsors to meet Institutional Review Board (“IRB”) requirements by allowing the use of non-local IRBs to review medical device trials, including Investigational Device Exemptions (“IDE”) and HDEs. Permitting the use of non-local IRBs support the Act’s goal of “quicker cures” by eliminating the “log jam” and delays sometimes associated with the use (and overuse) of local IRBs by giving sponsors additional options that are potentially faster than the traditional ones.


Lastly, and without limitation, the Act’s section on “Facilitating Responsible Communication of Scientific and Medical Developments,” provides that FDA “shall, within 18 months, issue draft guidance on facilitating the responsible dissemination of truthful and non-misleading scientific and medical information not included in the approved labeling of drugs and devices.”  This provision appears to be in response to the Coronia Case (U.S. v. Caronia, 703 F.3d 149 (2d Cir. 2012)), which holds that representatives of pharmaceutical manufacturers have a right under the First Amendment to make truthful statements regarding their products, even if such statements indirectly promote drugs for uses not approved by FDA.  The Act does not provide further direction on this topic, but Congress is clearly nudging FDA to update its position on off-label promotion which may affect medical device manufacturers.

It may be an uphill battle for Congress to agree on all topics involved in the 308 pages of 21st Century Cures Act.  However, as reported by the House Energy and Commerce Committee Press Releases, the bill appears to have support from industry and consumer groups, which may help bring Congress together.

May 19 Webinar on the Drug Supply Chain Security Act

Tish Eggleston Pahl will be speaking on May 19 at a webinar on dispenser obligations under the Drug Supply Chain Security Act (DSCSA).  The webinar is sponsored by the Healthcare Distribution Management Association (HDMA).  This “DSCSA Overview for Dispensers” continues HDMA’s education and outreach on the pharmacy and hospital–related implementation requirements under the DSCSA.  Particular focus will be on the data requirements for dispensers that go into effect on July 1 and also will address many of the questions that HDMA received during its previous April 21 webinar for dispensers.

Topics will include:

  • The loan or sale of medication from one dispenser to another;
  • The definition of “dispenser” and whether hospital and clinic pharmacies qualify;
  • Questions pertaining to suspect and illegitimate products;
  • Data that must be provided with the product, including questions about lot number and data pertaining to returned products;
  • Exempt products and transactions;
  • Questions around authorized trading partners and more.

The webinar is free.  More information about the webinar and how to sign up is available here.

Hand Washing: A Simple Step

By Barbara J. Masters, D.V.M.

How many of you have ever sat in a public location, such as the airport, and watched the number of people that enter the restroom talking on their cell phone?  Creepy, huh?  Not nearly as creepy as the same number of people that exit a very short time later still talking on their cell phone.  I always question how they washed their hands.

According to the Center for Disease and Prevention (CDC), “Washing hands prevents illnesses and spread of infections to others.”  It is a simple step we can all take before, during, and after preparing food, before eating, after using the toilet or assisting a child use the toilet, after blowing your nose, coughing, or sneezing, after touching animals or animal food or animal waste, and after touching garbage.  Washing hands keeps them clean and prevents the spread of bacteria that can make people sick.

It is especially critical to wash your hands when preparing food to prevent the spread of common foodborne bacteria such as E. coli O157:H7 and Salmonella.  To wash your hands, use soap and warm water and lather your hands for at least twenty seconds.  It is important to get the back of your hands, between fingers and under your nails.  If you are not certain how long twenty seconds is, hum “Happy Birthday” two times while washing.

If you are out on a picnic or do not have access to soap and water, then use of a hand sanitizer can be substituted.  If you must use a sanitizer, first wipe hands with a paper towel or a napkin to remove the visible dirt.  Then apply the sanitizer and rub hands together until the sanitizer dries.

The CDC has promotional materials that can be utilized to encourage hand washing at your work site or in schools.  Clean hands are a simple step we can all take to improve public health.

About Dr. Masters

Mixed in with the attorneys at OFW Law is the former USDA Food Safety Inspection Service’s (FSIS) Administrator, Dr. Barbara Masters.  Dr. Masters is a veterinarian who spent eighteen years with FSIS – the final three years as Acting Administrator and Administrator.  During her rise to the Administrator’s position, Dr. Masters served as the Deputy Assistant Administrator for Office of Field Operations.  While in these key leadership positions at FSIS, Dr. Masters’ primary focus was on the implementation of science-based policies for the protection of public health.

Warning Letters Update

By Mason Weeda

This past week FDA made a number of Warning Letters available on its website, with issues ranging from Juice HACCP to cGMPs for finished pharmaceuticals. A Warning Letter is informal and advisory, with the aim to achieve voluntary compliance and to establish prior notice. It communicates the agency’s position on a matter, but it does not commit FDA to taking enforcement action. Basically, you should read Warning Letters relevant to your industry because they can provide you with examples of what not to do. Here’s a quick run-down of Warning Letters published this week that we thought merited a closer look:

  • FDA issued a March 31, 2015 Warning Letter to Hospira S.p.A. for alleged violations of current good manufacturing practice regulations (cGMP) for finished pharmaceuticals at a manufacturing plant in Italy. The Warning Letter provides that Hospira failed to:
    • establish procedures to prevent microbiological contamination of sterile drug products and include validation of sterilization processes;
    • thoroughly investigate any unexplained discrepancy or failure of any batch;
    • exercise appropriate controls over computer or related systems so that only authorized personnel institute changes in master production/controls records; and
    • ensure that laboratory records included complete data derived from all tests necessary to assure compliance with established specifications and standards.

The Warning Letter details Hospira’s failure to evaluate certain airflow studies, and its improper rejection of various vials during the manufacturing process without explanation. Ultimately, FDA stated that Hospira’s response to its inspectional observations lacked adequate corrective action.

  • FDA issued March 27, 2015 Warning Letters respectively to Avanti Health Care and Kings Pharmacy regarding deficiencies in their practices for producing sterile drug products. Both firms compound drugs and registered with FDA as outsourcing facilities and, therefore, were required to, among other things, comply with the Compounding Quality Act and cGMP requirements. Though Avanti was cited for six (6) cGMP violations and Kings was cited for three (3), the letters are very similar in many respects. During the inspections of both facilities, respectively, FDA observed that, among many violations, drug products were prepared under insanitary conditions, where operators failed to use proper aseptic technique in designated areas. Both firms also failed to include mandatory labeling for compounded products (i.e., “this is a compounded drug” and “not for resale”). These letters demonstrate FDA’s ongoing effort to more closely regulate and inspect outsourcing facilities. Avanti registered as an outsourcing facility on April 21, 2014, and FDA began its inspection only two (2) months later on June 23; Kings Pharmacy registered on December 23, 2013, and was inspected just three (3) months later.
  • FDA issued a March 25, 2015 Warning Letter to Skin Authority, LLC for making promotional claims on its website that indicate that its products, though labeled as cosmetics, were, in fact, promoted as drugs. The Warning Letter lists examples of drug claims for serums, scrubs and creams made on the website, including, for example, “help inhibit cellular breakdown,” “foster skin growth,” “help counteract infection,” “improve anti-inflammatory response,” and “increase cell growth.” The products were not generally recognized as safe and effective for the uses listed on the website, were not subject to any FDA-approved New Drug Application, and, therefore, were “new drugs” that required FDA approval prior to marketing.

The information that the agency communicates in a Warning Letter can be invaluable as it provides important, cautionary lessons for regulated industry and provides a view into the agency’s current thinking. You can keep tabs on Warning Letters by checking our blog periodically or by looking on FDA’s Warning Letters webpage.

2015 Dietary Guidelines Advisory Committee Report Mixes Science and Policy

By Robert A. Hahn

The 2015 Dietary Guidelines Advisory Committee (DGAC) submitted its report to the Secretaries of Agriculture and Health and Human Services last month and disbanded.  It is now up to the USDA and HHS to take the DGAC’s conclusions and recommendations and issue a revised edition of the Dietary Guidelines for Americans.  Interested persons may submit comments on the DGAC report until May 8, 2015.

Some aspects of the DGAC report have been controversial.

  • More than any previous committee, the 2015 DGAC wades heavily into the policy arena. Its report includes a number of controversial policy prescriptions such as the following:
    • FDA should revise the Nutrition Facts label to include a mandatory declaration for Added Sugars, in both grams and teaspoons per serving, as well as a % Daily Value based on a DV of no more than 10% of total calories (e., 50 g);
    • FDA should create a standardized front-of-pack (FOP) nutrition label that would appear on all food products and that would provide clear guidance regarding a food’s healthfulness;
    • FDA should establish mandatory national standards for the sodium content of foods;
    • Federal nutrition assistance programs, including Food Stamps (the Supplemental Nutrition Assistance Program), should be aligned with the Dietary Guidelines; and
    • Governments should use economic and tax policies to encourage the production and consumption of healthy foods and reduce consumption of unhealthy foods (g., by taxing sugar-sweetened beverages, snack foods, and desserts; by restricting marketing of certain foods to children and teens).

We expect USDA and HHS to take these policy recommendations under advisement, but not include them in the Dietary Guidelines.

  • For the first time, the DGAC report includes a chapter devoted mainly to the issue of sustainability. While the committee offers a justification for addressing environmental sustainability in a document about nutrition, some have questioned whether environmental issues are within its mandate.
  • While acknowledging that virtually all foods can be part of a healthy dietary pattern, the DGAC strongly favors a diet higher in vegetables, fruits, whole grains, low and non-fat dairy products, seafood, legumes, and nuts and lower in red and processed meats, sugar-sweetened foods and beverages, and refined grains.  There is a concern that some of the complexities of previous nutritional recommendations may be lost in this emphasis on a healthy dietary pattern.  For example, the emphasis on whole grains might lead some consumers to neglect enriched refined grains, which also play a significant nutritional role.  The emphasis on reducing consumption of red and processed meats may cause some consumers to overlook lean meat as a good source of heme iron, even though the report notes that iron is a nutrient of concern for adolescent girls and premenopausal women.

While these controversial aspects of the DGAC report have received the most attention, there are some other interesting findings and recommendations in the report worth noting:

  • While continuing to recommend reductions in intake of sodium and saturated fat, the 2015 DGAC backs away from the sharper reductions recommended by the 2010 committee. Whereas the 2010 DGAC recommended no more than 1,500 mg/day of sodium, the 2015 DGAC recommends no more than 2,300 mg/day.  Whereas the 2010 DGAC called for gradually reducing saturated fat to <7% of total calories, the 2015 DGAC only recommends reducing saturated fat to <10% of total calories.
  • The report deflates some of the recent concerns expressed by FDA and members of Congress about caffeine. The DGAC concludes that U.S. caffeine intake does not exceed what is currently considered to be a safe level in any group.
  • The DGAC concludes that there is limited and inconsistent evidence that calorie labeling on menus and menu boards affects food selection or consumption.
  • For commonly consumed fish species (g., cod, trout, salmon), the DGAC found that farm-raised seafood contains as much or more of the omega-3 fatty acids EPA and DHA as the same species caught in the wild.

The 2015 Dietary Guidelines is expected to be released in the fall.

Dietary Guidelines – Confused About Caffeine

By OFW Law founding principal Richard L. Frank, sitting in for former USDA Secretary John R. Block

The news wires have been buzzing lately about the recently released scientific report of the Dietary Guidelines Advisory Committee. One of the hottest topics for discussion is how out of step the report is on a number of issues, including the Committee’s dive into political matters like sustainability, soda taxes, and “added sugar” labeling. These topics are outside the jurisdiction of the Dietary Guidelines and should be addressed by Congress or the FDA.

Today, I want to discuss caffeine consumption. Caffeine is something that has never been addressed before by the Dietary Guidelines for Americans and probably for good reason. First, caffeine is safe…and safety is outside the mandate of the Dietary Guidelines. It is a topic that fits firmly within the jurisdiction of the FDA. Secondly, America seems to know what it’s doing when it comes to caffeine. 85% of Americans consume caffeine every day – and they have done so safely for generations.

In the Committee’s conclusions on caffeine, they suggest that 3 to 5 cups of “Morning Joe” are just fine – up to a moderate intake level of 400 milligrams per day for healthy adults. Inexplicably, however, they seem to suggest that energy drinks with the same amount of caffeine should be avoided.

The Committee’s approach is troubling for a number of reasons, the least of which is that many coffee house chains serve coffee beverages that contain twice as much caffeine per fluid ounce as a standard energy drink. A typical small can of a leading energy drink contains 80 mg caffeine, which is roughly the same as a regular cup of coffee or a 20 ounce bottle of cola.

Why is the Committee treating caffeine in coffee differently from the caffeine in energy drinks? This is puzzling when we consider that caffeine is caffeine is caffeine – whether found in coffee, tea, cola, or energy drinks.

The report acknowledges that the largest sources of caffeine among both adults and children come from coffee, tea, and soda. So why is caffeine in coffee okay, while tea and soda are ignored and energy drinks are vilified? Possibly it’s politics!
The Dietary Guidelines should provide a practical and achievable set of dietary and nutrient recommendations, based on balance, variety, and moderation. It should not delve into political topics that are outside its mandate.

If the Dietary Guidelines are to address topics like caffeine, it should be done holistically and in an unbiased way. Consumers need to understand caffeine in context and be provided information with respect to all sources to enable them to make informed dietary decisions; otherwise they will get confused.

Let’s hope that the USDA and HHS take the lead on the important task of finalizing the 2015 Dietary Guidelines for Americans in a scientific, rather than a political and an emotional, way.

Who Regulates the Advertising of Your App?

By Mason Weeda

We have blogged and hosted numerous webinars on FDA regulation of mobile medical apps (see here, here, here, here and here); but if you are an app developer, you should be aware that FDA is not the only agency looking at your app.  The Federal Trade Commission (FTC) may also be watching how you promote your app.  In fact, on February 23, 2015 the FTC announced that it reached settlements with two firms marketing melanoma detection apps.  The agency was unable to reach a settlement with a third developer and intends to pursue a judgment through litigation.  Both apps claimed to provide an “automated analysis of moles and skin lesions for symptoms of melanoma and increase consumers’ chances of detecting melanoma in its early stages.”  In sum, the FTC alleged in its complaints that the mobile app developers lacked adequate evidence to support such claims.

FTC authority coincides with other agencies in many respects, see e.g. here, and here.   And there is nothing really new with the FTC taking action against mobile app developers.  In 2011, the FTC filed complaints against developers of “acne cure” apps that claimed to treat acne through a light emitted from the device if you held it close to your face. The FTC alleged that those claims were unsubstantiated.

The FTC regulates many types of advertising and protects consumers by stopping unfair, deceptive or fraudulent practices in the marketplace. Under the Federal Food Drug and Cosmetic Act, the Food and Drug Administration (FDA) has regulatory authority over the labeling of all medical devices. Labeling includes any “written, printed, or graphic matter upon any article or any of its containers or wrappers, or accompanying such article…”   Sections 502(q) and 502(r) of the FD&C Act authorize FDA to regulate the advertising of certain devices, which are known as restricted devices.  Section 502(r) also states that restricted devices are not subject to FTC’s broad authority over advertising under 15 U.S.C. § 52-55.

Dr. Jeffery Shuren, Director of FDA’s Center for Devices and Radiological Health, summarized the FTC/FDA division of authority best: “FDA regulates the advertising of restricted medical devices while the FTC regulates the advertising of non-restricted devices.”   A device becomes a “restricted device” when:

  1. FDA by regulation restricts a device to sale, distribution or use only upon the authorization of a practitioner licensed by law to administer or use such device, or upon other conditions that FDA prescribes in the regulation, if FDA determines that there cannot otherwise be reasonable assurance of the device’s safety and effectiveness.  (Note that prescription devices may or may not be restricted devices).
  1. FDA requires, as a condition of approval of a Class III device, that its sale and distribution be restricted, but only to the extent that the sale and distribution of the device may be restricted by a regulation.
  1. FDA establishes, as part of a performance standard promulgated in accordance with section 514(b) of the FD&C Act, requirements that restrict  the sale and distribution of a device, but only to the extent that the sale and distribution of the device may be restricted by a regulation.

Based on FTC’s description of the melanoma detection apps, it appears that the app developers are likely required to obtain premarket approval (PMA).  FDA’s Mobile Medical Application Guidance provides that the Agency intends to actively regulate mobile apps that “use the mobile platform’s built in features, such as… a camera, to perform medical device functions.”  The melanoma apps use the device platform (i.e. the camera) to collect and review an image for use in providing a diagnosis.   Furthermore, this type of app appears to perform the same medical device functions of an “optical diagnostic device for melanoma detection” which FDA classifies as Class III under product code OYD, which requires a PMA.  In addition, FDA premarket approval letters indicate that “optical diagnostic devices for melanoma detection” are restricted devices pursuant to 21 C.F.R. § 801.109.

It appears that FDA would, upon premarket approval, treat these types of melanoma apps as restricted devices and therefore would have authority to regulate the app’s advertising.  However, it remains that these app developers never submitted a premarket application or received premarket approval from FDA.  Therefore, the Agency was not able to require, as a condition of approval, that their sale and distribution be restricted.  As such, FDA does not have the ability to regulate the advertising of these apps.

The instant FTC complaints and settlements appear relatively minor compared the potential FDA issues involving marketing a product without approval. More importantly, FDA is in no way foreclosed from taking action so we will see if and when FDA acts in the coming months against the app developers.

Privacy Update: White House Drops Draft Consumer Privacy Bill . . . Splat!

By Jonathan M. Weinrieb

The White House (via the Department of Commerce) has released a “discussion draft” of consumer privacy legislation intended to codify President Obama’s 2012 Consumer Data Privacy In A Networked World: A Framework For Protecting Privacy And Promoting Innovation In The Global Digital Economy.  The 2012 Framework included a Consumer Privacy Bill of Rights and called for baseline protections for consumers and greater certainty for businesses founded on the following principles:

  • Individual control over personal data;
  • Transparency regarding an entity’s privacy and security practices;
  • Respect for context in which consumers provide/businesses collect the data;
  • Security and responsible handling of personal data;
  • Consumer access to data to ensure accuracy;
  • Focused collection to ensure reasonable limits on the data collected and retained; and
  • Accountability for companies handling that data.

Although each of those laudable notions is reflected in the Bill, in the view of the FTC and many privacy advocates, the draft Consumer Privacy Bill of Rights Act of 2015 (the “Bill” or “Act”) comes up short of the consumer protection–minded goals of the 2012 framework.  We see other problems as well.

Ostensibly, the Bill is intended to “establish baseline protections for individual privacy in the commercial arena and to foster timely, flexible implementations of these protections through enforceable codes of conduct developed by diverse stakeholders.”  Act, § 1.  In other words, those subject to the Act would be permitted a safe harbor by establishing (and adhering to) their own codes of conduct.  See generally Act, § 301 (Safe Harbor Through Enforceable Codes of Conduct).

For its part, the FTC would enforce the Act via civil fines; however, those fines are contingent on the number of days over which a violation occurs – not the number of affected individuals or monetary impact.  A one-day violation could not exceed $35,000 in fines, regardless of whether the violation affected ten, 10,000, or 10,000,000 individuals.  See Act, § 203(a)(1).  A compounding issue is that the Act would apply to non-profit entities, Act, § 4(b), however, the FTC can only bring an action against a for-profit enterprise.

Of particular concern, the draft raises a number of issues given HHS’s Office for Civil Rights’ (OCR) recent and ongoing implementation of the HITECH Act and regulation of medical privacy under the HIPAA Privacy Rule.  Following are a smattering of the issues that we see.

First and foremost, the Bill’s preemption language is confusing in the context of HIPAA.  It provides that “[t]his Act preempts any provision of a statute, regulation, or rule of a State or local government, with respect to those entities covered pursuant to this Act, to the extent that the provision imposes requirements on covered entities with respect to personal data processing.”  Act, § 401(a) (emphasis added).  It goes on to state, however, that “[n]othing in this Act may be construed to modify, limit, or supersede the operation of privacy or security provisions in Federal laws . . . .”  Act, § 404(d)(1).  The federal HIPAA Privacy Rule does not preempt more stringent state laws and regulations that are otherwise consistent with the federal rule.  Accordingly, it appears that the Act would preempt an otherwise permissible (and arguably “stronger”) state medical privacy law – yet leave HIPAA alone.  Such a result would seemingly be at odds with the underlying intent of the federal Privacy Rule.

In certain respects, the draft Bill appears incredibly broad.  As alluded to above, it applies to a “covered entity” – i.e., anyone who “collects, creates, processes, retains, uses, or discloses ‘personal data’.”  Act, § 4(b).  That suggests that both HIPAA Covered Entities and Business Associates would be subject to the Act.

“Personal data” includes, but is not limited to: a first name (or initial) and last name; a postal or email address; a telephone or fax number; a social security number; any biometric identifier; or any other “unique persistent identifier.”  Act, § 4(a)(1).  It specifically excepts, however, “de-identified data” from the definition of personal data, but fails to square the concept of de-identified data with HIPAA.  Whereas the Privacy Rule sets forth two very specific methods by which to de-identify data (see Statistical and Safe Harbor methods), the Bill simply allows a covered entity to “alter . . . personal data . . . such that there is a reasonable basis for expecting that the data could not be linked as a practical matter to a specific individual or device . . . .”  Act, § 4(a)(2)(A)(i).  It is unclear how such a standard would be consistently and reliably implemented.

The Act also introduces a similarly amorphous concept in “Respect for Context.”  In a rather confusing bit of draftsmanship, the Bill calls for a covered entity to perform a risk analysis when it “processes personal data in a manner that is not reasonable in light of context . . . .”  Act, § 103.  If it determines that the manner is not reasonable in the particular context, it would appear to contemplate affirmative consumer opt-in – as opposed to opt-out – for such processes.  Such provisions could be read to stand at odds with HIPAA’s authorization requirements and broad exceptions for face-to-face communications and refill reminders (an exception to the definition of “marketing”).

By way of further example, and particularly with respect to reconciling the Act with HIPAA, a covered entity would not include one that collects, creates, processes, retains, uses, or discloses the personal data of fewer than 10,000 individuals in a 12-month period, or has fewer than 5 employees.  That exception alone would likely sever the world the HIPAA Covered Entities in two.

The Bill also exempts seemingly broad categories of data (e.g., “customary business records”) from certain requirements such as data minimization and individual control.  “Customary business records” include data “typically collected in the ordinary course of conducting business and that is retained for generally accepted purposes for that business . . . .”  Act, § 4(j).  Put bluntly, it is difficult to conjure categories of data that would not fit comfortably into that exemption.

Furthermore, in somewhat striking contrast to HIPAA’s concept of Breach, the Bill defines “privacy risk” in subjective fashion – i.e., as that which could “cause emotional distress, or physical, financial, professional or other harm to an individual.”  Act, § 4(g).  OCR did away in 2013 with its similar subjective “risk of harm” standard in favor of a more objective risk assessment: “[a]n impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a [formal] risk assessment . . . .”  45 C.F.R. § 164.402 (emphasis added).

Finally, there is no provision in the Bill that would require FTC rulemaking.  As written, and without agency regulation and guidance, the Bill will almost assuredly spawn significant consumer and stakeholder confusion.

In our view, which appears largely consistent with various media reports and fellow bloggers, the current Bill is unlikely to go anywhere in Congress.

Drug Supply Chain Security Act – What’s Next? A whole lot.

By Tish Eggleston Pahl

The passage of the Drug Supply Chain Security Act (DSCSA) in November 2013 led to a very busy 2014 as FDA and manufacturers, wholesale distributors, and dispensers began the statute’s complex 10-year implementation.  2015 promises to be equally busy.

A Surge Of Activity At Year-End In 2014

2014 closed in a flurry of DSCSA action.  As we reported here, FDA posted a Draft Guidance on Standards for the Interoperable Exchange of Information for Tracing of Certain Human, Finished, Prescription Drugs: How to Exchange Product Tracing Information (the Standards Draft Guidance) on November 26.  Then, just days later, FDA opened a web portal and issued guidance so that wholesale distributors and third-party logistics providers (3PLs) could begin submitting licensure information (as we discussed here).  Finally, FDA issued a Draft Guidance setting out its interpretation of the extent to which the agency believes the DSCSA displaces and preempts state law.  We took issue with the legal analysis in that preemption Draft Guidance, which you can read about here.

On January 1, 2015, one of the DSCSA’s big milestones arrived.  Among other things, the statute required that, on that date, manufacturers begin sending, and wholesale distributors begin receiving and transmitting, transaction information, histories, and statements for human prescription drug products.  At the end of December, FDA issued a Guidance stating that the agency intended to temporarily exercise enforcement discretion with regard to these product tracing information requirements.  FDA stated that it did not intend to take action against manufacturers, wholesale distributors, and repackagers who do not, prior to May 1, 2015, provide or capture the transaction information, transaction history, and transaction statement required by the DSCSA.

So, What’s Next? 

First is that the agency’s enforcement discretion expires on May 1 and, thereafter, manufacturers, wholesale distributors, and repackagers must be transmitting and receiving the transaction data the DSCSA requires.  Closely thereafter, beginning July 1, dispensers must begin receiving this transaction data – though, given the enforcement discretion FDA provided to manufacturers, wholesale distributors, and repackagers, the agency may be asked to extend enforcement discretion for a period of time to dispensers.

The HHS semi-annual regulatory agenda, the CDER Guidance Agenda, and the DSCSA itself provide clues as to what else is coming in 2015.

By November 27, FDA must issue final regulations setting out national standards for the licensure of wholesale distributors and 3PLs.  According to this entry in HHS’s semi-annual regulatory agenda, FDA hopes to have a proposed rule issued in April.  Meeting these deadlines, however, will be challenging, both for the agency and stakeholders.  This will be a significant rulemaking and the DSCSA’s provisions for establishing national standards for licensure of wholesale distributors and 3PLs are new, a bit vague, and, in some places, appear internally inconsistent.

FDA must issue two guidances within 2 years of enactment on the DSCSA (i.e., by November 27, 2015).  First, the agency must establish by guidance a process for the review and granting of exceptions, waivers, and exemptions from the DSCSA.  Second, the statute also mandates issuance of a guidance on grandfathering – that is, continued distribution – of product that is not affixed with a product identifier by November 27, 2017.

The statute specifically requires that the grandfathering guidance be “finalize[d].”  As this language is not present in the section of the DSCSA mandating guidance on waivers, exemptions, and exceptions, it is reasonable to conclude that the grandfathering guidance will need to be finalized by November 27 and the guidance on waivers, exemptions, and exceptions need only be in draft by that date.  However, the waivers, exemptions, and exception guidance must have an effective date that is not later than 180 days prior to the date on which manufacturers must begin affixing product identifiers to products; as such, that guidance will need to be finalized on or about May 26, 2017.

In addition to what must be issued in 2015, the CDER Guidance Agenda published in January sets out an ambitious list of other DSCSA guidances the agency intends to promulgate.  Notably, FDA appears poised to finalize the current Draft Guidance on Annual Reporting by Prescription Drug Wholesale Distributors and Third-Party Logistics Providers.

In the Standards Draft Guidance released in November, the agency stated it intended to issue additional guidance to facilitate the interoperable exchange of product tracing information through standardization of data and documentation practices.  This planned guidance on standardizing data and documentation appears on the 2015 Guidance Agenda.  Numerous questions and requests for clarification have been posed to the agency, and it is possible that FDA will use this guidance to answer some of those queries.

The agency also intends to issue two other guidances:

  • DSCSA Implementation: The Product Identifier for Human, Finished, Prescription Drugs
  • DSCSA: Verification Systems for Prescription Drugs

As manufacturers must begin affixing product identifiers by November 27, 2017, guidance on these subjects, soon, would plainly aid that activity.  What the verification guidance might be is curious – the term is used in several ways in the DSCSA.  Given that it is also addressing product identifier requirements in guidance, this may mean the agency intends to provide guidance on how to determine whether the product identifier affixed to, or imprinted upon, a drug package or homogeneous case corresponds to the standardized numerical identifier or lot number and expiration date assigned to the product by the manufacturer or the repackager.

2014 was a busy year for DSCSA implementation; 2015 promises to be even busier.

Statement by Senator Bob Dole on Nutrition Report

Contact: Marshall Matz (202) 789-1212; or Marion Watkins (202) 654-4863;

“As co-author with Senator George McGovern of the original 1977 ‘Dietary Goals for the United States’ report, I commend the USDA, HHS and its Dietary Guidelines Advisory Committee for continuing to focus attention on human nutrition.  The Committee’s recently-released report notes the staggering numbers of Americans struggling with obesity and/or preventable chronic diseases.

The science of human nutrition is constantly evolving, making it important to update the U.S. government’s dietary guidelines every five years.

While I agree with much of the report, I believe the Committee exceeded its mandate when it made dietary recommendations based on environmental concerns of “sustainability.”  I urge the Secretary of Agriculture and the Secretary of Health and Human Services to omit those recommendations in issuing their final guidelines.  The science of nutrition can be confusing to the average consumer.  Integrating environmental considerations into dietary recommendations lessens the report’s impact and usefulness.”