
HIPAA and the Law of Unintended Consequences


Identity theft is so prevalent that we are almost desensitized to its effects – unless of course we’re speaking about its victims who are left with the unenviable task of sifting through the rubble and trying to re-create their medical and/or credit identities. What is surprising is that the very laws that were enacted (HIPAA etc.) to protect patient privacy hinder the victims of medical/identity theft from accessing THEIR OWN medical records. The Wall Street Journal had an illuminating article regarding the rise of medical/identity theft (“How Identity Theft Sticks You With Hospital Bills”). There is no way to offer absolute protection under all circumstances. I am reminded of the tragedy that occurred when the captain and flight attendants could not gain access to the cabin of a Germanwings flight, because the cabin was virtually impregnable as a safety measure against terrorists. The very measures that were put into effect to protect the passengers were the ones that ultimately cost them their lives. We cannot totally escape the Law of Unintended Consequences, but in making rules or drafting laws it is helpful to be aware of the potential for looming risks.


Ashley Madison Writes Rx for Doctors About Safe Sex(curity) and HIPAA


There are many lessons that the Medical Community– Covered Entities, Business Associates and their subcontractors – can learn from the Ashley Madison hack. Please forgive me if I omit the prurient details and/or any “holier than thou” statements about the AM business, except to say that it was a site that needed security, dealt with highly sensitive and personal matters, and the very people who sought to obtain a “full delete” of their personal information, are the ones who apparently were caught “flapping in the wind” – please forgive the pun.

  1. How could a subscriber/patient/doctor or medical provider (CE, BA or Sub) have known that the information they retained made them a prime target? In the case of Ashley Madison, assuming it did not possess the native intelligence to realize that we live in an age of website breaches, the WSJ.com actually warned/predicted that Friend Finder networks (a website with similar appeal to individuals seeking extracurricular activities) was hacked, and that Avid Life Media (owner of AM), which was seeking to raise $200 million in an IPO, warned that “investors will have to think of hack attacks as a risk factor.” In the case of CEs, BAs and their subcontractors, and in addition to HIPAA, HITECH and the Omnibus Rule, the internet is replete with stories of both medical and nonmedical private information being hacked.
  2. How could the information have been safeguarded? In the case of AM, prepaid credit cards, anonymous browsing and encryption would or could have mitigated or eliminated the risk. On the Medical side, awareness of and compliance with the regulatory requirements (which, incidentally, include encryption as a safe harbor) would similarly substantially mitigate the risk and the amount of damage a breach may cause. Starting with a risk analysis, proper security and privacy protocols, management oversight, and adequate resources devoted to regulatory compliance would go a long way.

The basic problem is that the NIMBY (not in my back yard) type of denying reality has a way of catching up and exploiting vulnerabilities. The new reality is that with every passing day, more private information is being entrusted to others. Cyber security is playing a cat and mouse game with hackers and ignoring the realities of the digital age can lead to embarrassment, financial loss (or ruin) and governmental scrutiny and fines.

What do you think?


Will Your Recruitment Initiatives Invite and Welcome Computer Hackers?


It is very clear that the current landscape is replete with stories of improper intrusion and hacking of computer systems leading to improper dissemination of proprietary or other types of protected information.

Most organizations try to block the unwanted intruder (hacker) from ever gaining access to their computer systems. A common method utilized by hackers is known as phishing, which is an e-mail fraud method in which the perpetrator sends out legitimate-looking email in an attempt to get the unsuspecting victim to click on a particular link, oftentimes seeking private information. Clicking on that link may also allow for malware/viruses to enter the unsuspecting victim’s computer system. So far, we see nothing new.

I recently read that there is a variant on the phishing scheme which comes into play when a company advertises that it is seeking to fill a position. In essence, it is inviting applicants to send resumes, which normally are, and in fact are expected to be, sent as email attachments. The person tasked with hiring, oftentimes HR, or in smaller organizations, someone with admin responsibilities, receives a series of e-mails from would-be applicants. The attachment, however, can contain malware which would not necessarily be detected.

Frankly, I found this situation to be alarming because the general rule of “don’t open e-mails or attachments from people you don’t know” realistically falls by the wayside. In fact, the refrain “you really should have known better” also falls by the wayside.

How many people has your organization hired by placing ads on websites and then sifting through the e-mail responses?

Antivirus software and keeping current on software patches are an obvious first step.

Internal firewalls with dual factor authentication may be the next step.
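One practical control that sits between the antivirus step and the firewall step is to triage every applicant attachment in a quarantine folder before anyone in HR opens it. The script below is an added example and not code from the original post; the file types it allows (.pdf, .docx, .txt), the list of types it rejects, and the header ("magic byte") checks are assumptions chosen for illustration, not a complete malware detector, and the sample attachments are constructed inline.

```python
"""Triage inbound "resume" attachments from a hiring inbox before they are opened.

Added example, not code from the original post. It assumes every attachment is
first written to a quarantine folder and that a resume is expected to arrive as
PDF, DOCX or plain text (assumptions for illustration). Anything executable,
macro-enabled, disguised with a double extension, or whose bytes do not match its
claimed type is rejected; unfamiliar but not obviously dangerous types go to a
sandbox for detonation instead of to a person's desktop.
"""
from dataclasses import dataclass

# File types a resume is reasonably expected to arrive as (assumption).
ALLOWED_EXTENSIONS = {".pdf", ".docx", ".txt"}

# Types that should never be accepted from an unknown applicant (assumption).
DANGEROUS_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".bat",
                        ".cmd", ".ps1", ".docm", ".xlsm", ".jar", ".iso"}

# Leading bytes ("magic numbers") of the formats we allow. OOXML (.docx) is a ZIP.
MAGIC = {".pdf": b"%PDF-", ".docx": b"PK\x03\x04"}


@dataclass
class Verdict:
    filename: str
    action: str   # "accept", "sandbox" or "reject"
    reason: str


def split_extensions(filename: str) -> list[str]:
    """Return every dotted suffix, lowercased: 'cv.pdf.exe' -> ['.pdf', '.exe']."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def triage_attachment(filename: str, data: bytes) -> Verdict:
    """Decide what to do with one quarantined attachment."""
    exts = split_extensions(filename)
    if not exts:
        return Verdict(filename, "reject", "no file extension")
    final = exts[-1]
    if final in DANGEROUS_EXTENSIONS:
        return Verdict(filename, "reject", f"executable or macro-enabled type {final}")
    # 'resume.docx.pdf' style names hide the real type from a casual glance.
    if len(exts) > 1 and any(e in ALLOWED_EXTENSIONS for e in exts[:-1]):
        return Verdict(filename, "reject", "double extension disguises real type")
    if final not in ALLOWED_EXTENSIONS:
        return Verdict(filename, "sandbox", f"unexpected type {final}")
    expected = MAGIC.get(final)
    if expected and not data.startswith(expected):
        # e.g. a Windows executable renamed to .pdf: header says otherwise.
        return Verdict(filename, "reject", f"content does not match {final} header")
    # ZIP entry names are stored uncompressed, so a macro project is visible
    # in the raw bytes of a .docm that was simply renamed to .docx.
    if final == ".docx" and b"vbaProject.bin" in data:
        return Verdict(filename, "reject", "macro project inside .docx")
    return Verdict(filename, "accept", "type and header consistent")


# Constructed sample attachments (not real files) covering each rule.
SAMPLES = {
    "jane_doe_resume.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n",
    "cv.pdf.exe": b"MZ\x90\x00\x03\x00",
    "resume.pdf": b"MZ\x90\x00\x03\x00",          # executable renamed to .pdf
    "resume.docx": b"PK\x03\x04" + b"word/vbaProject.bin",
    "resume.docm": b"PK\x03\x04",
    "portfolio.zip": b"PK\x03\x04",
}


def triage_all(samples: dict[str, bytes]) -> dict[str, str]:
    """Map each sample filename to its triage action."""
    return {name: triage_attachment(name, data).action for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        v = triage_attachment(name, data)
        print(f"{v.action:8} {v.filename:22} {v.reason}")
```

Run as a scheduled job over the quarantine folder, the "accept" files can be released to the HR mailbox, "sandbox" files sent to a detonation service, and "reject" files logged with their reason so the hiring team sees how often disguised files actually arrive.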


How Much Does a Data Breach Cost in Dollars and Cents?


In my last few posts, I wrote about causes of HIPAA breaches and the possible course of a compliance agreement (“The Most Detailed and Costly Compliance Agreement You Are Ever Likely to See”, “Seven Noteworthy HIPAA Breaches & the Recent Enforcement Actions”, “The Seven Most Likely Causes of Major HIPAA Breaches”, “The Five Most Likely Types of Major HIPAA Breaches”). A basic question though is how much does a data breach cost in dollars and cents?

I am reasonably certain that as with all statistical matters, depending on how you skew the numbers, there can be vastly different results. I recently came across a report by the Ponemon Institute/IBM dated May 2015, which deals with global data breaches (not restricted to healthcare and/or HIPAA breaches) which I believe is both timely and highly informative.

Some of the key findings of this report indicate that there has been a 23% increase in the total cost of data breaches since 2013 (understanding that this 2015 report represents 2014).

The study covered 350 companies that had experienced data breaches. The average cost of a breach increased from $3.52 million to $3.79 million during a one year period.

An interesting finding was that 79% of C-level US and UK executives surveyed said that executive level involvement is necessary to achieve an effective incident response to a data breach and 70% believe that board level oversight is critical. The reason I point out this factoid is that too many small to medium companies approach HIPAA compliance (which to me is really a subset of the need for data security) with the belief that outsourcing compliance is enough.

All of the participating companies experienced a data breach ranging from a low of approximately 2,000 to slightly more than 100,000 compromised records. For the purposes of this study, a compromised record was one that identified the individual whose information was lost or stolen in a data breach. A breach was defined as an event in which an individual’s name plus a medical record and/or financial record or debit card is potentially put at risk. (Obviously, the report did not deal with the 19 identifiers relating to HIPAA.)

Malicious or criminal attacks were 47% of the root causes as opposed to 42% a year earlier, and similarly the report shows an increased cost from $159 to $170 per record. The cost is highest in the United States, with an average of $230 per record.

The smaller the breach, the greater its likelihood and, apparently, the higher the cost per record.

Costs relating to detection increased as well from $0.76 million to $0.99 million. The costs included forensic and investigative activities, assessment and audit services, crisis team management and communications to executive management and board of directors.

The cost of the data breach ranges by industry, and while the average is $154, the average cost for a healthcare organization is $363.

The cost can vary based on the initial safeguards put in place.

While notification costs are relatively low, the cost associated with lost business is increasing.

The general attitude of NIMBY (Not in my backyard) seems to be a common mindset with small to medium Covered Entities (CEs) and/or Business Associates (BAs) – this only happens to the other guy. The threat of a data breach is real.

In communication I had with the FBI Cyber Crime and US Attorney prosecutors, the question they pose is not IF you will have a breach, but rather WHEN you will have a breach. The key is preparation and implementing safeguards.

When virtually every company surveyed had a breach of some size, it is fair to assume that this mindset (even absent the significant regulatory issues) is misguided.


The Most Detailed and Costly Compliance Agreement You Are Ever Likely to See


Corporate integrity agreements or the consent agreements which are reached between the government (HHS) and Covered Entities and Business Associates can be extremely detailed, comprehensive and costly.

In my last post (http://bit.ly/1RsCwLP) I went so far as to say that these agreements and their implementation are often more expensive than the actual fines, and that I would discuss one of the most far reaching consent agreements I had ever seen, namely, the corporate integrity agreement between OIG-HHS and Nason Medical Center.

While I cannot incorporate the totality of an agreement that is over 50 pages long into a few paragraphs, I think that I can convey the spirit of this agreement.

  1. The length of the agreement is five years.
  2. The people covered by the agreement include all owners, officers, directors, managers (which include members of the mandated “Management Committee”) and all employees, contractors, subcontractors, agents and other persons who provide patient care items or services or who perform billing or coding functions on behalf of Nason, as well as all physicians or other non-physician practitioners who work within one or more of Nason’s facilities.
  3. Establishment of a Compliance Officer and Compliance Committee – and with respect to the Compliance Officer, that individual must be a member of senior management, report directly to the CEO, cannot be subordinate to the General Counsel or CFO, and must visit each location where Nason provides patient services at least every two weeks.

Responsibilities include developing and implementing policies, procedures and practices designed to ensure compliance, making periodic (at least quarterly) reports regarding compliance matters directly to the “Management Committee” with written reports to the “Management Committee” made available to OIG on request, as well as monitoring the day-to-day compliance activities engaged in by Nason.

Not surprisingly, Nason must report to OIG in writing any changes in the identity or description of the compliance officer.

  4. Compliance Committee, which at a minimum must include the Compliance Officer and other members of senior management, including senior executives of relevant departments such as billing, clinical, human resources, audit, and operations, as well as at least one employee who works at least 20 hours per week at each building where Nason sees patients. The Compliance Officer chairs the Compliance Committee. The Compliance Committee must support the Compliance Officer in fulfilling his/her responsibilities.
  5. Management Committee’s compliance obligations include meeting at least quarterly to review and oversee Nason’s compliance program, the performance of the Compliance Officer and the Compliance Committee, and submitting to OIG a description of the documents and other materials reviewed as well as any additional steps taken in its oversight of the compliance program. In addition, each reporting period, the committee must adopt a resolution signed by each “manager” of the “Management Committee” summarizing its review and oversight of Nason’s compliance with Federal Health Care program requirements and the obligations of the agreement.

This resolution at a minimum must certify that the “Management Committee” has made reasonable inquiry into the operations of Nason’s compliance program including the performance of the Compliance Officer and the Compliance Committee. Based on its inquiry and review, the Management Committee must be able to conclude that, to the best of its knowledge, Nason has implemented an effective compliance program to meet Federal Health Care program requirements and the obligations of this agreement. Conversely, if they are unable to provide the required conclusion, they must provide an explanation to OIG explaining why.

  6. In addition, managers (people with management responsibilities) are specifically expected to monitor and oversee activities within their areas of authority and annually certify that the applicable Nason department is in compliance with applicable Federal Health Care requirements and with the obligations of this agreement. These employees include but are not limited to the billing manager; director of Human Resources; medical director; Nason medical center manager and CEO; laboratory director; radiology director; business administration manager; accounting director; director of business analysis; and parent company CEO.

The certification must include language that “I have been trained on and understand the compliance requirements and responsibilities as they relate to my department, and/or facility, an area under my supervision,” that the manager has ensured that the department complies with all applicable Federal Health Care program requirements, the obligations of the agreement, and Nason policies, and that they have taken steps to promote such compliance. To the best of their knowledge, except as specifically stated in the certification, they must attest that Nason is in compliance with all applicable Federal Health Care program requirements and the obligations of this agreement.

The list goes on and on, and in fact I have just turned to page six of the agreement. At this point, you could probably imagine that the cost of compliance, and the responsibility placed on the majority of the organizational chart (including new positions that were created based on this agreement) will have a heavy impact on the operations of the organization.

  7. An independent monitor selected by OIG must be retained. The monitor may retain additional personnel including independent consultants to help meet the monitor’s obligations under the agreement. The monitor may confer and correspond with Nason, OIG, or both. The monitor is not an agent of OIG; the monitor, however, may be removed by OIG at its sole discretion. If the monitor resigns or is removed, Nason must retain another monitor selected by OIG within 60 days. The monitor is granted virtually unlimited access to all of Nason’s records and documents. The length and breadth of the reports that the monitor must prepare is extensive. Nason is responsible for all reasonable costs incurred by the monitor in connection with the engagement, including labor costs, indirect labor costs, consultant and subcontractor costs, material costs and other direct costs such as travel, etc.

Nason must pay the monitor’s bills within 30 days of receipt. Failure to timely pay the bills constitutes a default under the agreement with OIG, unless said bills are contested and taken up with OIG.

In case you thought that this was not oppressive enough, the agreement also requires engaging an independent review organization.

  8. The independent review organization, such as an accounting, auditing or consulting firm, must perform various reviews on Nason. This organization is charged with the responsibility of reviewing Nason’s coding, billing and claims submission to Medicare and state Medicaid programs and the reimbursement received. Of course, OIG reserves the right to do its own independent reviews. The independent review organization must certify its independence and objectivity.

I could go on and “get into the weeds” regarding the highly detailed requirements (both in terms of staff compliance, report generation, and resulting certifications) but I am concerned that I will lose the readers’ attention and distract them from the point I am trying to make.

Noncompliance with HHS-OIG may result in a corporate integrity agreement or consent agreement which is set forth in news releases. The cost of the actual fine, however, does not necessarily begin to give the reader the picture of the burdens, costs, and potential liability that these agreements create.

HIPAA, HITECH and the Omnibus Rule place specific requirements on covered entities and their business associates. Audits can be triggered randomly (as HHS is ramping up audits) or can be triggered by a reported breach by the entity or by an individual whose privacy was violated. In addition, audits have been triggered by media reports and/or reports brought by members of the public at large.

The bottom line is that an ounce of prevention is worth a pound of cure. What do you think?


Seven Noteworthy HIPAA Breaches & the Recent Enforcement Actions


The following unlucky seven were subject to substantial fines. The costs associated with defending the audit, negotiating the settlement and implementing the invariable forward-going consent agreements/corrective action plans (CAP), however, are separate from and in addition to (and often higher than) the reported fine.

These cases range from relatively small to admittedly large breaches, from the unlikely event to situations that could happen to any entity without implementation of well thought out and vigorously monitored policies and procedures.

In my next post, I will detail one of the most burdensome consent agreements I have ever seen, namely, the Corporate Integrity Agreement between the Office of Inspector General of the Department of Health and Human Services and Nason Medical Center.

It is evident that the ever increasing enforcement of HIPAA and the Omnibus Rule, as well as both the increased use of electronic data and the commonplace reports of mass data breaches are forcing Covered Entities (CE) and their business associates (BA) to increase the resources dedicated to compliance with the Omnibus Rule.

1. Cornell Prescription Pharmacy ($125,000)

The Denver compounding pharmacy will pay this fine after HHS learned of the potential HIPAA violations from a television news report that PHI was improperly disposed of after a garbage dumpster with un-shredded PHI was discovered. Cornell also agreed to develop and implement a comprehensive set of policies and procedures to comply with HIPAA rules, and to provide staff training. OCR Director Jocelyn Samuels stated that “Regardless of size, organizations cannot abandon protected health information or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons.”

2. Anchorage Community Mental Health Services, Inc. ($150,000)

Malware compromised the security of ePHI due to a failure to update software patches as well as unsupported software.

HHS Office for Civil Rights (OCR) received notification from ACMHS, a non-profit, regarding a breach of unsecured electronic protected health information (ePHI) affecting 2,743 individuals due to malware compromising the security of its information technology resources. It was later determined that ACMHS had not timely installed patches to its software as mandated by its very own policies and procedures. The takeaway is that entities are not only required to follow the regulations, but they are also being held accountable for compliance with their own policies and procedures.

3. Parkview Health System ($800,000)

OCR opened an investigation after receiving a complaint from a retiring physician alleging that Parkview had violated the HIPAA Privacy Rule. In September 2008, Parkview took custody of medical records pertaining to approximately 5,000 to 8,000 patients while assisting the retiring physician to transition her patients to new providers, and while considering the possibility of purchasing some of the physician’s practice. On June 4, 2009, Parkview employees, with notice that the physician was not at home, left 71 cardboard boxes of these medical records unattended and accessible to unauthorized persons on the driveway of the physician’s home, within 20 feet of the public road and a short distance away from a heavily trafficked public shopping venue. Parkview entered into a one year corrective action plan without admission of any wrongdoing.

4. NY Presbyterian Hospital and Columbia University Medical Center ($4.8 million)

An investigation revealed that a breach was caused when a physician employed by Columbia University Medical Center who developed applications for both New York Presbyterian Hospital and CU attempted to deactivate a personally-owned computer server on the network containing NYP patient ePHI. The noteworthy point is that it seems that the person who caused the breach had all the right intentions but the result was catastrophic.

Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on Internet search engines. The entities learned of the breach after receiving a complaint by an individual who found the ePHI of the individual’s deceased partner, a former patient of NYP, on the Internet. Another noteworthy point is that knowledge of a breach is often only discovered by the breaching entity after receiving reports from third parties. This general situation was confirmed to me by an FBI cybercrime agent.

In addition to the impermissible disclosure of ePHI on the Internet, OCR’s investigation found that neither NYP nor CU made efforts prior to the breach to assure that the server was secure and that it contained appropriate software protections. Moreover, OCR determined that neither entity had conducted an accurate and thorough risk analysis that identified all systems that access NYP ePHI. As a result, neither entity had developed an adequate risk management plan that addressed the potential threats and hazards to the security of ePHI. Lastly, NYP failed to implement appropriate policies and procedures for authorizing access to its databases and failed to comply with its own policies on information access management.

NYP has paid OCR a monetary settlement of $3,300,000 and CU paid $1,500,000, with both entities agreeing to a substantive corrective action plan which includes undertaking a risk analysis, developing a risk management plan, revising policies and procedures, training staff and providing progress reports.

5. Concentra Health Services ($1,725,220)

OCR opened an investigation following a reported breach that an unencrypted laptop containing the ePHI of 870 individuals was stolen from one of its facilities, the Springfield Missouri Physical Therapy Center.

The investigation found that Concentra had previously recognized, in multiple risk analyses, that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information was a critical risk. While steps were taken to begin encryption, Concentra’s efforts were “incomplete and inconsistent over time,” according to an HHS press release, leaving patient PHI vulnerable throughout the organization.

Essentially, Concentra did not sufficiently implement policies and procedures to prevent, detect, contain, and correct security violations under the security management process standard when it failed to adequately execute risk management measures to reduce its identified lack of encryption to a reasonable and appropriate level from October 27, 2008, (date of Concentra’s last project report indicating that 434 out of 597 laptops were encrypted) until June 22, 2012 (date on which a complete inventory assessment was completed and Concentra immediately took action to begin encrypting all unencrypted devices).

Concentra did not make any admissions of liability but entered into a CAP – corrective action plan.

6. Adult & Pediatric Dermatology, P.C. ($150,000)

An investigation of Adult & Pediatric Dermatology was initiated upon receiving a report that an unencrypted thumb drive containing the electronic protected health information (ePHI) of approximately 2,200 individuals was stolen from the vehicle of one of its staff members. The thumb drive was never recovered. The investigation revealed that A&P Derm had not conducted an accurate and thorough risk analysis as part of its security management process. Further, it did not fully comply with requirements of the Breach Notification Rule to have in place written policies and procedures and to train workforce members. It did not admit liability and entered into a CAP. The takeaway is that the use of thumb drives to store ePHI is inherently problematic and the use of unencrypted storage devices is courting disaster.

7. Affinity Health Plan, Inc. ($1,215,780)

OCR’s investigation indicated that Affinity impermissibly disclosed the protected health information of up to 344,579 individuals when it returned multiple photocopiers to a leasing agent without erasing the data contained on the copier hard drives. In addition, the investigation revealed that Affinity failed to incorporate the electronic protected health information stored on the copiers’ hard drives in its risk analysis as required by the Security Rule, and accordingly failed to implement policies and procedures when returning the hard drives to the companies from whom it leased its copiers. Affinity did not admit liability and entered into a short term CAP. The takeaway is the required scope, detail and individual nature of the required risk analysis.

About Mendel Zilberberg:

An attorney, visionary and entrepreneur admitted to practice in New York, New Jersey and Florida who has represented and counseled clients with nationwide interests in many areas of the healthcare arena.

The use of ePHI is growing exponentially, the likelihood of a breach is ever increasing, and the regulating authorities are ramping up their audit/enforcement programs. Covered Entities (CE) and Business Associates (BA) must understand the importance of maintaining the integrity of ePHI and compliance with the relevant regulations, as well as thoroughly understand the potential consequences for non-compliance.


The Seven Most Likely Causes of Major HIPAA Breaches


While it is important to comply with all of the mandates of the Omnibus Rule, I think it is instructive to know from where the most vulnerable areas of breach of PHI arise.

In a recent presentation to a limited number of attorneys in which I participated, an investigator for the Office for Civil Rights (OCR) advised that with respect to breach notification of major HIPAA breaches (those in which the PHI of 500+ individuals had been disclosed), as of February 27, 2015, OCR’s records indicate that the following were the percentages attributable to the causes/circumstances for those breaches:

  1. Paper records 22%
  2. Laptop 21%
  3. Desktop computer 12%
  4. Network server 12%
  5. Portable Electronic device 11%
  6. Email 7%
  7. EMR 4%
  8. Other 11%

The Five Most Likely Types of Major HIPAA Breaches


While it is important to comply with all of the mandates of the Omnibus Rule, I think it is instructive to know from where the most vulnerable areas of breach of PHI arise.

In a recent presentation to a limited number of attorneys in which I participated, an investigator for the Office for Civil Rights (OCR) advised that with respect to breach notification of major HIPAA breaches (those in which the PHI of 500+ individuals had been disclosed), as of February 27, 2015, OCR’s records indicate that the following were the percentages attributable to the types of breaches:

  1. Theft 51%
  2. Unauthorized Access/Disclosure 19%
  3. Loss 9%
  4. Hacking /IT Incident 7%
  5. Improper Disposal 4%
  6. Other 9%
  7. Unknown 1%

Does the FDA Need a Comprehensive Reassessment?

Has technology outpaced the laws and regulations that guide/drive the FDA?

In recent years, advances in technology have precipitated quantum leaps in both medical/diagnostic and treatment alternatives. The controlling laws and regulations which guide and govern the FDA may either not have kept pace, or as a result of technology advances, be subject to unintended consequences which may negatively impact the very people the FDA seeks to protect.

Prevailing wisdom, law and popular opinion strongly allow for and suggest:

  1. That if medical data is properly and responsibly aggregated and analyzed, the process has the capacity to lead to significant improvement and efficiencies in the delivery of medical care. (The issue of the protections needed with the aggregation and de-identification of data is beyond the scope of this post, but in any case does not appear to be an FDA concern.)
  2. That patients have unrestricted access to their personal medical data.

On the other hand, the FDA is guided by a statutory framework that goes back to the late 1950s/early 1960s.

As many of you may be aware, in the late 1950s thalidomide was first marketed in West Germany and was primarily prescribed as a sedative or hypnotic. There were also claims that it might cure anxiety, insomnia and tension among other assorted conditions. Thereafter, it was apparently used in the treatment of nausea and to alleviate morning sickness in pregnant women. On October 1, 1957, thalidomide became an over-the-counter drug in West Germany. The popularity of thalidomide, particularly among pregnant women, precipitated an unmitigated catastrophe. Thousands of infants were born with malformation of the limbs, with an approximate 60% mortality rate.

Not surprisingly, these events sent shock waves through the global medical/pharmaceutical world. It is readily apparent that not enough had been done to ensure the safety of this drug before it was approved.

The United States responded with the passage of the Kefauver Harris Amendment or “Drug Efficacy Amendment” as a 1962 amendment to the Federal Food, Drug and Cosmetic Act. This amendment required proof of efficacy in addition to safety for the approval of new drugs — despite the fact that the thalidomide crisis was entirely a safety issue. Proving efficacy is apparently much more expensive and time-consuming than proving safety.

It is important to note that the authority of the FDA extends both to drugs and medical devices. In order to understand the possible issue here, it is important to understand the difference between the two. Even a cursory review of the FDA website highlights the distinct difference between drugs (which are generally ingested) and medical devices which are generally used outside of the body for diagnostic or treatment purposes.

More particularly, a medical device is an instrument, apparatus, implant or similar or related article that is used to diagnose, prevent or treat disease or other conditions, and does not achieve its purposes through chemical action within or on the body.

On the other hand, drugs achieve their principal action by pharmacological, metabolic or immunological means.

So far so good.

The problem arises when we have reached the point where in a totally safe way (a cheek swab), we are able to obtain enough genetic information to be able to assess the genetic makeup of an individual. The twofold advantage with this technology (in no particular order of significance as I am not sure which is more important) is that individuals are able to gain insight into their personal health, and the data can be aggregated and analyzed allowing for an unprecedented view into our collective health. Both these areas have the potential to yield significant personal comfort and preservation of health, as well as a better understanding of both the role of genetics and the relationship between possible predisposition and incidence of numerous medical issues, which ultimately may point us in the direction of prevention or cure.

In fact, one company, 23andMe, was able to offer a relatively low-cost genetic analysis directly to individual consumers, which also allowed for the aggregation and analysis of the resulting data.

There seems to be little doubt that this type of testing does not pose any safety issue. The FDA, however, has determined that by definition it is a MEDICAL DEVICE, and therefore not only must the safety of this service be proven (which is apparently not a problem) but also its efficacy, which 23andMe has not yet proven for its broad-range testing. As a result, in 2013 the FDA issued a demand that 23andMe stop marketing its personal genome service. The FDA allowed 23andMe to continue marketing the service to possibly help find customers’ relatives – if they were in the database.

As this service is available in Canada, a visit to the Canadian 23andMe website is extremely informative and sets forth that its genome service covers more than 40 inherited condition reports, more than 10 drug response reports, more than 10 genetic risk factor reports, and more than 40 reports relating to various traits.

On the other hand, the FDA might be concerned that the information should not be handed over to patients without an interpretation by a physician. The two answers that come to mind are either to require prominent labeling (it can’t be worse than cigarettes) or to recognize that there is virtually nothing (meaningful or of FDA concern) that a person can do with the information without enlisting the services of a physician.

It is beyond the scope of this article to explain how these reports can and should be used; however, the 23andMe website is straightforward. In addition, I think that when giving patients access to their medical records, it must be assumed that people have a certain minimum level of native intelligence.

Apple (yes, the iPhone, iPad, iWatch company) is also entering this arena with its recently announced ResearchKit, which will aggregate data from individual participants. Apparently, there is a real possibility that allowing this type of activity may actually inure to the benefit of the general public.

The FDA may finally have realized the possibility that its stand and reasoning was somewhat flawed as it announced in February 2015 that it would allow the direct marketing by 23andMe of a specific test for Bloom Syndrome to the general market. There are also indications that in the future, the FDA may allow other tests to be marketed directly. There is no protocol in place for this process, however, nor is there any indication of how long it will take. Clearly, it is a meaningful first step, but I think it really misses the point.

How many millions of dollars – how many years – and how much lost opportunity will we suffer, either directly or through opportunity cost (the lost time in which substantive progress could have been made) because the FDA worldview is not keeping pace with medical technology?

As a lawyer, I may not have the educational background that many of my readers who are more closely allied with the medical/Pharma world may have. In addition, I am sure that there are many differing perspectives on this issue.

My basic question is whether the FDA, which is functionally charged with determining the efficacy of drugs and medical devices, should be subjected to a similar examination with respect to the efficacy of the guidelines under which it currently operates.

What do you think?


Nurses make fun of their dying patients. Is that OK?


The linked article in the Washington Post raises an interesting question, namely, whether it is appropriate for dark humor in a medical setting to possibly offset the difficulties inherent in dealing with the sick and infirm. The question may in fact be a little deeper, namely, whether it is appropriate to enact myriad rules and regulations that may generally have a negative effect in the hope of protecting against a few instances where, through unintended consequences, third parties are offended. I thought the article was thought-provoking and would love to hear what you think.

http://www.washingtonpost.com/opinions/2015/04/13/18ecc874-d309-11e4-ab77-9646eea6a4c7_story.html?hpid=z2


© 2018
