Categories
Around the Web

FDA to Refuse Medical Device Submissions For Cybersecurity Reasons Beginning in October

Jill McKeon, for Health IT Security:

Effective immediately, the US Food and Drug Administration (FDA) will require medical device manufacturers to provide cybersecurity information in their premarket device submissions. Additionally, beginning October 1, the FDA will exercise its authority to refuse submissions for cybersecurity reasons.

Key Medical Device Security Requirements Included in Omnibus Bill
HSCC Publishes Guidance On Managing Legacy Medical Tech Security
Outdated Operating Systems Remain Key Medical Device Security Challenge
For any submission after March 29, manufacturers must include a “plan to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures,” the FDA stated.

In addition, manufacturers must develop and maintain procedures that provide a reasonable assurance that the device and systems are cybersecure and incorporate plans to patch and update the device and related systems at the postmarket stage.

Lastly, manufacturers are required to provide a software bill of materials (SBOM) for their devices, including commercial, open-source, and off-the-shelf software components. The FDA issued an accompanying FAQ document to help manufacturers determine their obligations.

FDA: Cybersecurity in Medical Devices Frequently Asked Questions (FAQs)

Categories
Around the Web

FDA Cybersecurity Requirements for Medical Devices Now in Effect

From the HIPAA Journal:

On Wednesday, March 29, 2023, the medical device cybersecurity requirements of the $1.7 trillion omnibus spending bill – The Consolidated Appropriations Act, 2023 – took effect and the FDA now requires all regulatory submissions for medical devices to include information about the cybersecurity measures that have been implemented for the devices. Section 3305 of the Omnibus bill — Ensuring Cybersecurity of Medical Devices — amended the Federal Food, Drug, and Cosmetic Act (FD&C Act) by adding section 524B, Ensuring Cybersecurity of Devices. This requirement took effect 90 days after the enactment of the Act on December 29, 2022, which means premarket submissions submitted to the FDA after March 29, 2023, require information to be included about the cybersecurity of medical devices.

Categories
Around the Web

A Federal Judge Suspends FDA’s Longtime Approval of an Abortion Pill, but Gives the Government 7 Days to Appeal

Medication abortions typically use two drugs taken together: Mifepristone and Misoprostol. This ruling only affects Mifepristone. The other drug, Misopostol, is still available, but its use has always required the physician to prescribe it “off-label,” meaning it is not FDA-approved for abortions. It is FDA-approved only for use to prevent stomach ulcers while taking NSAIDs.

Chloe Atkins writing for NBC News:

In an unprecedented move, U.S. District Judge Matthew Kacsmaryk on Friday suspended the Food and Drug Administration’s longtime approval of key abortion pill mifepristone, though he gave the government a week to appeal his decision. If the ruling does eventually go into effect, it would curtail access to the standard regimen for medication abortion nationwide.

The FDA approved mifepristone more than 20 years ago to be used in combination with a second drug, misoprostol, to terminate pregnancies at up to 10 weeks. Over half of U.S. abortions are done by medication abortion, according to the Guttmacher Institute, a research group that supports abortion rights.

If the stay on the FDA’s mifepristone approval goes into effect, the drug would no longer be available anywhere in the U.S. That would leave a surgical procedure or off-label use of misoprostol on its own as the only options in states where abortion is legal.

Categories
Alert

Telemedicine Prescribing of Controlled Substances When the Practitioner and the Patient Have Not Had a Prior In-Person Medical Evaluation

When the public health emergency ends, so do many of the waivers that were created to facilitate healthcare during the pandemic. One such concession involves the The Ryan Haight Online Pharmacy Consumer Protection Act of 2008 (the “Act”).

Generally, the Act provides that no controlled substance may be delivered, distributed, or dispensed by means of the Internet without a valid prescription. A valid prescription requires a medical practitioner to conduct at least one in-person medical evaluation of a patient before issuing a prescription for a controlled substance. There are seven exceptions, one of which is during a public health emergency.

For the past three years, many telehealth providers have become accustomed to prescribing controlled substances following a telehealth visit, without first conducting an in-person exam.

With the PHE coming to an end in May, an in-person exam will be required. However, the Drug Enforcement Agency (DEA) has proposed rules to that will create additional flexibilities on the timing and manner for obtaining an in-person exam.

Federal Register

Categories
Alert

OIG Expands Topics for Frequently Asked Questions

OIG has used various avenues to communicate its views on various healthcare compliance issues, such as advisory opinions, contractor self-disclosures, corporate integrity agreements, and exclusions. In March, the OIG has expanded the number of topics it will consider for FAQs submitted by the healthcase stakeholders:

  1. general questions regarding the Federal anti-kickback statute and the civil monetary penalty (CMP) provision prohibiting certain remuneration to Medicare and State health care program beneficiaries and OIG’s administrative enforcement authorities in connection with these statutes
  2. inquiries regarding the general application of the Federal anti-kickback statute and Beneficiary Inducements CMP to a type of arrangement that may implicate these statutes,
  3. questions regarding compliance considerations, and
  4. OIG’s Health Care Fraud Self-Disclosure Protocol.

More information at Frequently Asked Questions | Office of Inspector General | U.S. Department of Health and Human Services.

Categories
Around the Web

Judge Strikes Down ACA’s Preventive Care Requirement

A Fort Worth federal judge yesterday ruled that insurers cannot be compelled under the Affordable Care Act to provide preventative care free of charge to insureds. The basis of the ruling involves the U.S. Preventive Services Task Force, which is the body tasked with enforcing the ACA. The judge determined that the Task Force is unlawful because the members are not appointed by the President or confirmed by the Senate.

Julia Forrest, writing for the The Texas Tribune:

O’Connor found that preventive care recommendations issued by the panel do not have to be followed because he found their volunteer members, who are 16 medical professionals and scientists charged with issuing the recommendations, do not have to be appointed by the president nor confirmed to their posts by the Senate.

Categories
Article

The Med Spa on the Corner Is Probably Breaking the Law

Look better. Feel better. Fountain of youth promises are making med spas one of the fastest-growing segments in healthcare. Botox injections, laser hair removal, IV hydration and therapy, medical weight loss, and hormone therapy seem to be available on every corner.

But most med spas are not compliant with Texas law. Either they are formed as the wrong entity type, they lack proper oversight and ownership, or all the above.

The consequences can be significant for everyone involved.

Med spa owners face potential civil and criminal liability for the unauthorized practice of medicine. Physicians associated with those med spas could find themselves subject to disciplinary action from the Texas Medical Board. And patients are caught in the middle.

The “med” in med spa stands for medical because many of the services they provide are medical in nature. Botox, Disport, Juvederm, and Kybella injections, microneedling, chemical peels, laser hair removal, dermaplaning, and CoolSculpting are considered “nonsurgical medical cosmetic procedures” by the Texas Medical Board.

IV hydration and therapy, platelet-rich plasma injections, medical weight loss injections, and hormone therapy are also medical services. If a procedure involves injecting a patient intravenously or subcutaneously, it is probably a medical procedure.

Before any medical procedure, a physician or midlevel provider (like a physician assistant or nurse practitioner) must perform a good faith exam, establish a medically appropriate treatment plan, and document everything in a medical record.

Midlevel providers must be supervised by a physician under a Prescriptive Authority Agreement. The physician must review a sample of the charts regularly and generally be available to the midlevel if they have questions.

This does not happen in many med spas.

Then there’s the business side. The practice of medicine in Texas is regulated by the Texas Medical Practice Act, the Texas Medical Board, and administrative rules. Because med spas provide medical services to the public, they must comply with all these rules just like any other medical practice.

Med spas must be formed as an acceptable legal entity type. In Texas, medical practices are limited to professional associations (PAs), professional limited liability companies (PLLCs), and general partnerships with other licensed physicians. Many med spas are incorrectly formed as corporations or regular LLCs.

This is not just a technical problem. It leads to improper ownership. Medical entities, like med spas, cannot be owned by non-physicians. They must be owned by persons licensed to practice medicine in Texas.

There is a lot of information on the Internet, much of which is incomplete or wrong.

Texas is a “Corporate Practice of Medicine” state, which means that physicians cannot be employed to provide medical services by companies not owned by licensed physicians. In practical terms, a non-physician cannot start a company and then hire a physician to provide medical services to patients of that company. With very few exceptions, medical services can only be provided through professional entities owned by physicians.

These same prohibitions apply to midlevel providers like Physician Assistants and Nurse Practitioners. Physician Assistants can co-own a medical practice with a physician only if the physician controls a majority interest in the practice. Nurse Practitioners cannot own any percentage of a medical practice.

These are just a few of the compliance issues for Texas med spas. There are also in-office and website disclosure requirements, registration requirements, reporting requirements, and restrictions on the type of marketing or advertising the practice can engage in.

Patients are caught in the middle. Those injured at a non-compliant med spa may not know where to turn.

These types of complaints to the Texas Medical Board are growing at an alarming rate. If the non-compliant med spa has a Medical Director, the Board can discipline the physician for inappropriate supervision or unprofessional conduct. Physicians associated with non-compliant med spas are putting their medical licenses at risk.

For the unlicensed med spa owner, the Medical Board can shut down their business. In extreme cases, the unlicensed med spa owner could be charged with practicing medicine without a license. If the patient suffers a physical or psychological injury, the owner could be charged with a third-degree felony which carries jail time of two to ten years and a fine of $10,000.

If the patient hires an attorney to sue for malpractice, the med spa’s insurance company may deny coverage if the med spa was not formed or owned in compliance with Texas law.

Med spas are big business and growing rapidly. But with great reward comes great responsibility. Entrepreneurs owe it to themselves and patients to set up the med spa the right way, with the right supervision, and the right ownership.

Categories
Around the Web

Hospital to Pay False Claims Act Penalty for Allegedly Letting Unsupervised Residents Interpret X-Rays

When a healthcare provider submits claims to Medicare, they are making several implied representations: 1) the service was medicaly necessary; 2) the service was performed; and 3) the service was performed by someone with the proper credentials. If any of those implied representations are not accurate, and the provider has the requisite “knowledge” of the falsity, the claims violate the civil False Claims Act.

A hospital in Iowa learned this lesson the hard way. Marty Stempniak, writing for Radiology Business:

The U.S. Attorney’s Office first filed suit against University of Iowa Health Care in 2019, accusing the institution of perpetuating a “batch signing scheme.” Through it, the Iowa City hospital would allegedly bill for radiology services rendered by residents during 12- to 15-hour on-call shifts.

However, the physician supervision and approval required by Medicare never occurred, the office alleged in its complaint. …

Rather than complete the necessary review, the office alleged, physicians instead would engage in “rapid-fire signing of dozens of reports within a matter of a minute or so, solely in order to falsely bill the government for ‘interpretations’ that never took place,” the complaint alleged.

Categories
Around the Web

Two nurses sent to prison for illegal kickback scheme

Healthcare providers besides physicians can also violate the Anti-Kickback Statute. And, do not think that only physicians can make illegal refurrals. Paying anyone something of value for patient referrals—even a marketing company—can be illegal.

Southern District of Texas Press Release:

At the time of their pleas, they admitted that from 2014 through 2016, both obtained patient referrals by paying marketers and patients. Nwankwo further admitted to bribing a physician to authorize medically unnecessary home health services for Hefty patients.

Categories
Around the Web

DSOs vs. Texas’ Corporate Practice of Dentistry Doctrine: What You Need to Know

The Corporate Practice of Medicine (CPOM) is deeply rooted in Texas law. But the Corporate Practice of Dentistry similarly provides that “a person may not practice dentistry without a valid license issued by the Texas State Board of Dental Examiners. The Texas Dental Practices Act sets forth several categories of activities that constitute the practice of dentistry. For example, a person who owns, maintains, or operates a business which engages another person to practice dentistry – under any type of contract or arrangement – may be considered as engaging in the practice of dentistry.”

Like in the medical context, DSOs are often to allow unlicensed persons to share in the revenue of the dental practice.

As Keith Lefkowitz, Hendershot Cowart, P.C. points out:

In 2015, the Texas legislature passed a law requiring Dental Support Organizations to register with the state annually and provide “the name and business address of each dentist in this state with which the dental support organization has entered into an agreement.” 

The Secretary of State shares this information with the State Board of Dental Examiners, allowing them to monitor which practices are receiving services from a DSO. 

As a result, it is imperative for licensed dentists to ensure that contracts and arrangements for business support services comply with state law and TBSDE rules and regulations, especially the Corporate Practice of Dentistry doctrine.

This type of registration system is not required for MSOs, Management (or Medical) Services Organizations. MSOs are very common in the medical industry, but, in some contexts, have been abused.