11.09.12
Sunshine compliance is a “mess,” according to Michelle Axelrod. During the recent AdvaMed 2012 conference panel titled “Sunshine Act Compliance: Best Practices for Medical Device Companies,” Axelrod’s PowerPoint slide of different states across the United States and their respective histories of sunshine legislation made it clear that transparency and accountability are not easy to regulate and generate much disagreement. No two states have the same laws on the subject, and many have none.
“Sunshine” laws detail legislation that mandates the provision of data to interested and affected parties. In the medical device community, sunshine laws require companies to disclose money spent on sales events, dinners with potential customers such as doctors or hospital administrators, and other such expenditures that potentially could be likened to bribes. The intention of Sunshine laws is to “shine” a metaphorical light on business practices to maintain accountability and transparency.
The panel was moderated by Axelrod, an attorney and vice president at Porzio, Bromberg, and Newman P.C., a Morristown, N.J.-based law firm with offices in New York City, Princeton, N.J., and Westborough, Mass. On the panel were Edward Evantash, M.D., medical director and vice president of medical affairs at Hologic Inc.; Tracy Berns, chief regulatory counsel for Covidien plc; and Laure Le Calvé, a French attorney with expertise in medical device and life-science compliance law.
Le Calvé took the lead on the panel with a discussion of France’s sunshine laws for medical devices. As in the United States, French lawmakers are having difficulty finalizing the draft law. French lawmakers passed the French Sunshine Act (FSA) in December 2011 as a provision of the Bertrand Act, but it will not be implemented until a final draft of the law is published, which has not yet happened. Le Calvé said she is not sure when the law will be published (it already has been delayed several times).
Despite the similarities between sunshine laws paths both in the United States and France, Le Calvé noted that the laws actually are very different. “Companies operating in the United States with French affiliates might think they know what the French Sunshine Act is,” she warned, “but it’s different in France.”
According to the FSA, medtech companies must disclose “agreements and advantages” procured to health professionals and students; professional, student and patient associations; healthcare institutes, foundations and societies; press and media companies; and service providers working in healthcare. One of the most challenging aspects of the new law, Le Calvé said, is the lack of definition of “advantages.” In addition, the term “service providers working in the healthcare industry” is very broad. It could mean any number of workers or vendors, including contract research organizations. Since she works closely with the industry, Le Calvé joked that people often ask her whether she, too, could be included in that group.
In the United States, sunshine act compliance is in a similar state of disarray.
“Sunshine act is leading us to state of confusion,” said Evantash, the token physician on the panel of lawyers. “We don’t know what to anticipate. We understand there’s a need for transparency, but how it’s going to impact relationships is unclear—will doctors be anxious and pull back? We don’t want to fracture relationships.”
Berns agreed. “We’re concerned that sunshine act and disclosure of payments will be seen as a negative, that doctors are [seen as] tainted somehow. We just want to make sure there’s a proper relationship between industry and doctors. We want to provide that information to the public so they know it’s an appropriate relationship.”
Berns’ advice to companies dealing with sunshine compliance for the first time was to identify community leaders, and to work with them so they understand the value of what your company is doing. Direct communication with doctors also is key.
The panel stressed the importance of having a well-defined corporate team in charge of aggregate spending, or “ag-spend” (the total amount of money spent by healthcare manufacturers on gifts, payments, travel, etc.). A quick poll of the session’s attendees confirmed Axelrod’s suspicion that few companies have a team of people—let alone a single person—responsible for ag-spend.
“A lot of companies are not taking ownership of this issue,” said Axelrod. “No one in the company feels prepared. So many resources are needed. Ag-spend is not a one-person or even a one-department job. Companies need teams that span departments to take it on.”
The Patient Protection and Affordable Health Care Act, commonly called the healthcare reform law or “Obamacare” signed into law in March 2010, includes the Physician Payment Sunshine Act, which requires pharmaceutical, medical device, biological, and medical supply manufacturers to report any “payment or other transfer of value” to physicians and teaching hospitals. The first reports will be due March 31 for the calendar year 2012 reporting period. The report must include information about the amount of the payment, the date on which the payment was made, the form of payment, and the nature of the payment (e.g., gift, consulting fees, entertainment, etc.).
The law, to a certain extent, preempts state disclosure laws. Several states, including California, the District of Columbia, Massachusetts, Vermont and West Virginia, have laws that require manufacturers to report various types of spending.
FDA Calls for “Spying” Case to be Thrown Out
In July, The Wall Street Journal reported that documents had leaked revealing to the public an apparent case of the U.S. Food and Drug Administration (FDA) sanctioning spying on employees it found to be dissident. Now, the agency has asked a federal judge to dismiss the case brought against it by six current and former employees who claim they were targeted for pointing out problems with FDA practices. These employees told lawmakers the FDA was improperly approving cancer screening medical devices.
Termed “whistle-blowers,” the employees must first make claims of “alleged whistle-blower retaliation,” FDA’s counsel said in a filing with the United States District Court of the District of Columbia. Those claims then must be reviewed through an administrative process before the plaintiffs seek judicial action. The agency said five of the plaintiffs have complaints pending before the U.S. Office of Special Counsel, which handles government whistle-blower allegations.
The FDA’s complaint, according to the filing, is that there are simply too many people making a complaint at once, and it is not being handled correctly.
“Unlike most such cases . . . this action involves not a single federal employee (or former employee) complaining of personnel actions taken against him or her because of alleged whistleblowing, but rather six individuals complaining of various personnel actions. This unwieldy, hydra-headed action illustrates why a claim of whistleblower retaliation is supposed to be brought by ‘an employee.’”
The agency also claims that the plaintiffs are incorrectly bypassing the congressionally mandated procedure for bringing claims to court of the Civil Service Reform Act of 1978. “Plaintiffs are seeking both administrative and judicial relief simultaneously. Plaintiffs’ attempt at a procedural shotgun blast must fail,” W. Scott Simpson, a lawyer for the U.S. Department of Justice, said in the filing.
According to the filing, the monitoring began more than three years ago after nine FDA employees signed a letter to President Barack Obama’s transition team alleging government misconduct in the approval of medical devices including an imaging device used to diagnose breast cancer. The “spying” allegedly was expanded in 2010 after The New York Times published an article in which FDA scientists criticized the device approval process.
Malware Increasingly Found in Hospital Equipment
Health information technology (IT) is a sector that has the medtech industry buzzing lately. On Oct. 11, a medical device panel convened at the National Institute of Standards and Technology in Washington, D.C., to discuss the issue of device and equipment security in hospitals.
Kevin Fu, an expert on medical device security and a computer scientist at the University of Michigan and the University of Massachusetts, Amherst, took part in the panel discussion. The malware problem at hospitals, Fu noted, is rising nationwide. Malware, short for malicious software, includes computer viruses, worms, trojan horses, spyware, adware, and such programs.
Mark Olson, chief information security officer at Beth Israel Deaconess Medical Center in Boston, also participated. He said 664 pieces of hospital medical equipment are running an older Microsoft Windows operating system that manufacturers will not modify or allow the hospital to change—even to add antivirus software. Beth Israel and the manufacturer disagree about how any updates or changes would affect the software’s regulatory approval from the U.S. Food and Drug Administration (FDA). The computers at Beth Israel are frequently infected with malware, and one or two have to be taken offline each week for cleaning, said Olson.
“I find this mind-boggling,” Fu said. “Conventional malware is rampant in hospitals because of medical devices using unpatched operating systems. There’s little recourse for hospitals when a manufacturer refuses to allow operating system updates or security patches.”
Windows is the most commonly used system in hospitals and also the one usually targeted by hackers. Hospital equipment increasingly is interconnected internally, leaving it wide open to debilitating attacks. No patient injuries have been reported yet.
At the meeting, Olson described an incident of malware slowing down fetal monitors used on women with high-risk pregnancies being treated in the intensive-care ward.
“It’s not unusual for those devices, for reasons we don’t fully understand, to become compromised to the point where they can’t record and track the data,” Olson said during the meeting, referring to high-risk pregnancy monitors. “Fortunately, we have a fallback model because they are high-risk [patients]. They are in an intensive care unit—there’s someone physically there to watch. But if they are stepping away to another patient, there is a window of time for things to go in the wrong direction.”
Olson later told the Massachusetts Institute of Technology publication Technology Review that the manufacturer Philips replaced the computer systems at fault in the monitors several months ago. The new systems, based on Windows XP, have better protections and the problem has been solved.
At the meeting, Olson also said similar problems threatened a wide variety of devices, ranging from compounders, which prepare intravenous drugs and intravenous nutrition, to picture-archiving systems associated with diagnostic equipment, including massive $500,000 magnetic resonance imaging devices. Olson said the problem is a patient-safety issue.
In September, the Government Accountability Office issued a report on computerized medical device security and urged the FDA to address the issue.
“Sunshine” laws detail legislation that mandates the provision of data to interested and affected parties. In the medical device community, sunshine laws require companies to disclose money spent on sales events, dinners with potential customers such as doctors or hospital administrators, and other such expenditures that potentially could be likened to bribes. The intention of Sunshine laws is to “shine” a metaphorical light on business practices to maintain accountability and transparency.
The panel was moderated by Axelrod, an attorney and vice president at Porzio, Bromberg, and Newman P.C., a Morristown, N.J.-based law firm with offices in New York City, Princeton, N.J., and Westborough, Mass. On the panel were Edward Evantash, M.D., medical director and vice president of medical affairs at Hologic Inc.; Tracy Berns, chief regulatory counsel for Covidien plc; and Laure Le Calvé, a French attorney with expertise in medical device and life-science compliance law.
Le Calvé took the lead on the panel with a discussion of France’s sunshine laws for medical devices. As in the United States, French lawmakers are having difficulty finalizing the draft law. French lawmakers passed the French Sunshine Act (FSA) in December 2011 as a provision of the Bertrand Act, but it will not be implemented until a final draft of the law is published, which has not yet happened. Le Calvé said she is not sure when the law will be published (it already has been delayed several times).
Despite the similarities between sunshine laws paths both in the United States and France, Le Calvé noted that the laws actually are very different. “Companies operating in the United States with French affiliates might think they know what the French Sunshine Act is,” she warned, “but it’s different in France.”
According to the FSA, medtech companies must disclose “agreements and advantages” procured to health professionals and students; professional, student and patient associations; healthcare institutes, foundations and societies; press and media companies; and service providers working in healthcare. One of the most challenging aspects of the new law, Le Calvé said, is the lack of definition of “advantages.” In addition, the term “service providers working in the healthcare industry” is very broad. It could mean any number of workers or vendors, including contract research organizations. Since she works closely with the industry, Le Calvé joked that people often ask her whether she, too, could be included in that group.
In the United States, sunshine act compliance is in a similar state of disarray.
“Sunshine act is leading us to state of confusion,” said Evantash, the token physician on the panel of lawyers. “We don’t know what to anticipate. We understand there’s a need for transparency, but how it’s going to impact relationships is unclear—will doctors be anxious and pull back? We don’t want to fracture relationships.”
Berns agreed. “We’re concerned that sunshine act and disclosure of payments will be seen as a negative, that doctors are [seen as] tainted somehow. We just want to make sure there’s a proper relationship between industry and doctors. We want to provide that information to the public so they know it’s an appropriate relationship.”
Berns’ advice to companies dealing with sunshine compliance for the first time was to identify community leaders, and to work with them so they understand the value of what your company is doing. Direct communication with doctors also is key.
The panel stressed the importance of having a well-defined corporate team in charge of aggregate spending, or “ag-spend” (the total amount of money spent by healthcare manufacturers on gifts, payments, travel, etc.). A quick poll of the session’s attendees confirmed Axelrod’s suspicion that few companies have a team of people—let alone a single person—responsible for ag-spend.
“A lot of companies are not taking ownership of this issue,” said Axelrod. “No one in the company feels prepared. So many resources are needed. Ag-spend is not a one-person or even a one-department job. Companies need teams that span departments to take it on.”
The Patient Protection and Affordable Health Care Act, commonly called the healthcare reform law or “Obamacare” signed into law in March 2010, includes the Physician Payment Sunshine Act, which requires pharmaceutical, medical device, biological, and medical supply manufacturers to report any “payment or other transfer of value” to physicians and teaching hospitals. The first reports will be due March 31 for the calendar year 2012 reporting period. The report must include information about the amount of the payment, the date on which the payment was made, the form of payment, and the nature of the payment (e.g., gift, consulting fees, entertainment, etc.).
The law, to a certain extent, preempts state disclosure laws. Several states, including California, the District of Columbia, Massachusetts, Vermont and West Virginia, have laws that require manufacturers to report various types of spending.
FDA Calls for “Spying” Case to be Thrown Out
In July, The Wall Street Journal reported that documents had leaked revealing to the public an apparent case of the U.S. Food and Drug Administration (FDA) sanctioning spying on employees it found to be dissident. Now, the agency has asked a federal judge to dismiss the case brought against it by six current and former employees who claim they were targeted for pointing out problems with FDA practices. These employees told lawmakers the FDA was improperly approving cancer screening medical devices.
Termed “whistle-blowers,” the employees must first make claims of “alleged whistle-blower retaliation,” FDA’s counsel said in a filing with the United States District Court of the District of Columbia. Those claims then must be reviewed through an administrative process before the plaintiffs seek judicial action. The agency said five of the plaintiffs have complaints pending before the U.S. Office of Special Counsel, which handles government whistle-blower allegations.
The FDA’s complaint, according to the filing, is that there are simply too many people making a complaint at once, and it is not being handled correctly.
“Unlike most such cases . . . this action involves not a single federal employee (or former employee) complaining of personnel actions taken against him or her because of alleged whistleblowing, but rather six individuals complaining of various personnel actions. This unwieldy, hydra-headed action illustrates why a claim of whistleblower retaliation is supposed to be brought by ‘an employee.’”
The agency also claims that the plaintiffs are incorrectly bypassing the congressionally mandated procedure for bringing claims to court of the Civil Service Reform Act of 1978. “Plaintiffs are seeking both administrative and judicial relief simultaneously. Plaintiffs’ attempt at a procedural shotgun blast must fail,” W. Scott Simpson, a lawyer for the U.S. Department of Justice, said in the filing.
According to the filing, the monitoring began more than three years ago after nine FDA employees signed a letter to President Barack Obama’s transition team alleging government misconduct in the approval of medical devices including an imaging device used to diagnose breast cancer. The “spying” allegedly was expanded in 2010 after The New York Times published an article in which FDA scientists criticized the device approval process.
Malware Increasingly Found in Hospital Equipment
Health information technology (IT) is a sector that has the medtech industry buzzing lately. On Oct. 11, a medical device panel convened at the National Institute of Standards and Technology in Washington, D.C., to discuss the issue of device and equipment security in hospitals.
Kevin Fu, an expert on medical device security and a computer scientist at the University of Michigan and the University of Massachusetts, Amherst, took part in the panel discussion. The malware problem at hospitals, Fu noted, is rising nationwide. Malware, short for malicious software, includes computer viruses, worms, trojan horses, spyware, adware, and such programs.
Mark Olson, chief information security officer at Beth Israel Deaconess Medical Center in Boston, also participated. He said 664 pieces of hospital medical equipment are running an older Microsoft Windows operating system that manufacturers will not modify or allow the hospital to change—even to add antivirus software. Beth Israel and the manufacturer disagree about how any updates or changes would affect the software’s regulatory approval from the U.S. Food and Drug Administration (FDA). The computers at Beth Israel are frequently infected with malware, and one or two have to be taken offline each week for cleaning, said Olson.
“I find this mind-boggling,” Fu said. “Conventional malware is rampant in hospitals because of medical devices using unpatched operating systems. There’s little recourse for hospitals when a manufacturer refuses to allow operating system updates or security patches.”
Windows is the most commonly used system in hospitals and also the one usually targeted by hackers. Hospital equipment increasingly is interconnected internally, leaving it wide open to debilitating attacks. No patient injuries have been reported yet.
At the meeting, Olson described an incident of malware slowing down fetal monitors used on women with high-risk pregnancies being treated in the intensive-care ward.
“It’s not unusual for those devices, for reasons we don’t fully understand, to become compromised to the point where they can’t record and track the data,” Olson said during the meeting, referring to high-risk pregnancy monitors. “Fortunately, we have a fallback model because they are high-risk [patients]. They are in an intensive care unit—there’s someone physically there to watch. But if they are stepping away to another patient, there is a window of time for things to go in the wrong direction.”
Olson later told the Massachusetts Institute of Technology publication Technology Review that the manufacturer Philips replaced the computer systems at fault in the monitors several months ago. The new systems, based on Windows XP, have better protections and the problem has been solved.
At the meeting, Olson also said similar problems threatened a wide variety of devices, ranging from compounders, which prepare intravenous drugs and intravenous nutrition, to picture-archiving systems associated with diagnostic equipment, including massive $500,000 magnetic resonance imaging devices. Olson said the problem is a patient-safety issue.
In September, the Government Accountability Office issued a report on computerized medical device security and urged the FDA to address the issue.