Author: WadeEmmert

Web tracking technology has been in the news a lot lately. Most websites use such tools to track users as they navigate through a particular site and around the web. Nothing new here. But in doing so, user data gets transferred from one site to another, or actively collected, posing privacy risks for healthcare providers.

A new study, published in Health Affairs, indicates that 99% of hospital websites use third-party tracking code on their sites, creating privacy risks for patients and legal liability for hospitals:

We found that third-party tracking is present on 98.6 percent of hospital websites, including transfers to large technology companies, social media companies, advertising firms, and data brokers. Hospitals in health systems, hospitals with a medical school affiliation, and hospitals serving more urban patient populations all exposed visitors to higher levels of tracking in adjusted analyses. By including third-party tracking code on their websites, hospitals are facilitating the profiling of their patients by third parties. These practices can lead to dignitary harms, which occur when third parties gain access to sensitive health information that a person would not wish to share. These practices may also lead to increased health-related advertising that targets patients, as well as to legal liability for hospitals.

OIG has approved the use of gift cards to incentivize patients to return sample collection kits, provided there are certain safeguards in place:

• Mailing the gift cards only to those patients who return the kits by the deadline specified in the reminder letter.
• Advising patients that they may not use the gift cards on items or services provided by the requestors.
• Limiting patients to one gift card every 36 months, which is consistent with Medicare’s coverage period for the screening test.
• Implementing processes to ensure patients who received a gift card during the 36-month period do not receive another one during that period.
• Refraining from patient-focused promotional activities that advertise the availability of the gift card.
• Prohibiting advertising or marketing the proposed arrangement to healthcare providers who may order the test.
• Excluding tests ordered by healthcare providers through the requestors’ website from the proposed arrangement.

Dee Harleston, Stewart Kameen, Jinnifer Michael, and Danielle Sloane, for Bass Berry & Sims:

The U.S. Department of Health and Human Services Office of Inspector General (OIG) recently issued Advisory Opinion 23-03, approving a proposal by the manufacturer of a colorectal cancer screening test and its wholly owned laboratory to provide gift cards to certain patients to encourage them to return the sample collection kits. While limited in scope, this favorable opinion is noteworthy because OIG typically disfavors arrangements under which providers or suppliers distribute gift cards to incentivize patients to obtain federally reimbursable services. Although OIG approved the proposed arrangement at issue in Advisory Opinion 23-03, the agency also pointedly warned entities against structuring arrangements that differ from the facts of the proposed arrangement.

OIG Advisory Opinion 23-03

Jill McKeon, for Health IT Security:

Effective immediately, the US Food and Drug Administration (FDA) will require medical device manufacturers to provide cybersecurity information in their premarket device submissions. Additionally, beginning October 1, the FDA will exercise its authority to refuse submissions for cybersecurity reasons.

…

Key Medical Device Security Requirements Included in Omnibus Bill
HSCC Publishes Guidance On Managing Legacy Medical Tech Security
Outdated Operating Systems Remain Key Medical Device Security Challenge
For any submission after March 29, manufacturers must include a “plan to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures,” the FDA stated.

In addition, manufacturers must develop and maintain procedures that provide a reasonable assurance that the device and systems are cybersecure and incorporate plans to patch and update the device and related systems at the postmarket stage.

Lastly, manufacturers are required to provide a software bill of materials (SBOM) for their devices, including commercial, open-source, and off-the-shelf software components. The FDA issued an accompanying FAQ document to help manufacturers determine their obligations.

FDA: Cybersecurity in Medical Devices Frequently Asked Questions (FAQs)

From the HIPAA Journal:

On Wednesday, March 29, 2023, the medical device cybersecurity requirements of the $1.7 trillion omnibus spending bill – The Consolidated Appropriations Act, 2023 – took effect and the FDA now requires all regulatory submissions for medical devices to include information about the cybersecurity measures that have been implemented for the devices. Section 3305 of the Omnibus bill — Ensuring Cybersecurity of Medical Devices — amended the Federal Food, Drug, and Cosmetic Act (FD&C Act) by adding section 524B, Ensuring Cybersecurity of Devices. This requirement took effect 90 days after the enactment of the Act on December 29, 2022, which means premarket submissions submitted to the FDA after March 29, 2023, require information to be included about the cybersecurity of medical devices.

Medication abortions typically use two drugs taken together: Mifepristone and Misoprostol. This ruling only affects Mifepristone. The other drug, Misopostol, is still available, but its use has always required the physician to prescribe it “off-label,” meaning it is not FDA-approved for abortions. It is FDA-approved only for use to prevent stomach ulcers while taking NSAIDs.

Chloe Atkins writing for NBC News:

In an unprecedented move, U.S. District Judge Matthew Kacsmaryk on Friday suspended the Food and Drug Administration’s longtime approval of key abortion pill mifepristone, though he gave the government a week to appeal his decision. If the ruling does eventually go into effect, it would curtail access to the standard regimen for medication abortion nationwide.

The FDA approved mifepristone more than 20 years ago to be used in combination with a second drug, misoprostol, to terminate pregnancies at up to 10 weeks. Over half of U.S. abortions are done by medication abortion, according to the Guttmacher Institute, a research group that supports abortion rights.

…

If the stay on the FDA’s mifepristone approval goes into effect, the drug would no longer be available anywhere in the U.S. That would leave a surgical procedure or off-label use of misoprostol on its own as the only options in states where abortion is legal.

A Fort Worth federal judge yesterday ruled that insurers cannot be compelled under the Affordable Care Act to provide preventative care free of charge to insureds. The basis of the ruling involves the U.S. Preventive Services Task Force, which is the body tasked with enforcing the ACA. The judge determined that the Task Force is unlawful because the members are not appointed by the President or confirmed by the Senate.

Julia Forrest, writing for the The Texas Tribune:

O’Connor found that preventive care recommendations issued by the panel do not have to be followed because he found their volunteer members, who are 16 medical professionals and scientists charged with issuing the recommendations, do not have to be appointed by the president nor confirmed to their posts by the Senate.