May 20, 2025
Presented by
Porzio, Bromberg & Newman, P.C.
DISCLAIMER
The views expressed by the speakers in this program represent their personal thoughts and opinions and do not necessarily reflect the views of our current or past employers or clients.
Nothing presented as part of this program should be considered legal advice or as creating an attorney-client relationship.
RECENT ENFORCEMENT EXAMPLES
QOL Medical (Nov. 2024)
• Company and its CEO agreed to pay $47 million; state suits followed
• Allegations of Anti-kickback and False Claims Act violations regarding provision of free Carbon-13 breath testing services, to induce claims for QOL’s drug Sucraid.
• QOL shared lab results with field force that contained the names of the health care provider who ordered the test, and the patient’s age, gender, symptoms and test result
• Allegedly made claims that test could definitely diagnose Congenital Sucrase-Isomaltase Deficiency
• Allegations brought in part by qui tam filed by Medical employees.
Pfizer/BioHaven (Jan, 2025)
• Almost $60 million settlement for alleged Anti-kickback and False Claims Act violations related to HCP activities regarding Nurtec
• Allegations involved inappropriate speaker honoraria, meals at high end restaurants, and HCP repeat attendees at programs
• Qui tam brought by former sales representative.
RECENT ENFORCEMENT EXAMPLES
The Prometheus Group (March 2025)
• Company and president/owner agreed to pay $550,000
• Allegedly violated False Claims Act by causing health care providers to bill Medicare for re-use of single-user rectal sensors and single-use catheters on multiple patients.
Assertio Therapeutics (formerly DepoMed) (May 2025)
• Company agreed to pay $3.6 million for alleged violations of False Claims Act related to its product Lazanda, a fentanyl nasal spray, approved for break-through cancer pain
• Company allegedly targeted prescribers who prescribed immediate-relief fentanyl, including those flagged for diversion
• Used those same prescribers for its Speaker’s Bureau and Advisory Boards
• Qui tam brought by two sales representatives
OTHER DEVELOPMENTS
OTHER DEVELOPMENTS
• Discusses the agency’s evolving enforcement policy regarding how scientific information on unapproved uses (“SIUU”) of approved/cleared medical products can be communicated to HCPs engaged in prescribing or administering medical products to individual patients.
Interesting Development: Vanda Pharmaceuticals, Inc. v. FDA
ONGOING DOJ FOCUS
EXAMPLE: DOJ CRIMINAL MEMORANDUM, May 12, 2025
Focus, Fairness and Efficiency in the Fight Against White-Collar Crime
STATE OF THE STATES: STATE TRANSPARENCY AND COMPLIANCE CONSIDERATIONS
Sara R. Simon, Esq. Counsel, Porzio, Bromberg & Newman, P.C Grant Ostlund
Sr. Director, Strategy & Operations, US Operations, Ethics & Compliance
Novo Nordisk .
Grant Ostlund Sr. Director – Strategy & Operations
Novo Nordisk
Sara
Esq. Counsel
TODAY’S AGENDA
➢ Drug Price Transparency Laws ➢ Including PDABs
➢ HCP Spend Transparency laws
➢ Sales Rep Registration and Reporting ➢ Marketing Laws
DRUG PRICE TRANSPARENCY
➢ Annual or Quarterly WAC Reporting
➢ Quarterly- Louisiana*
➢ Annual- Texas and West Virginia
➢ New High Cost Drug Reporting/Notification
➢ California, Maine, Minnesota, New Hampshire**, New Jersey, New Mexico, Oregon, Vermont, Washington
➢ Price Increase Reporting/Notification
➢ California, Florida, Connecticut, Louisiana, Maine, Minnesota, Nevada, New Hampshire**, New Jersey, New Mexico, New York, Oregon***, Texas, Utah, Virginia, Washington, West Virginia
➢ Varying price increase thresholds, from 10%-50% starting at $40 (CA) WAC to $400 (NM)
➢ Varying deadlines for notices/reports
➢ Some states only require reporting if identified on state list(s) (Connecticut, Maine, Nevada, Vermont)
* ND just repealed its law at end of April so now LA only state that requires quarterly reports
** NH-New Drug and Price Increase reporting to NH PDAB paused until 6/30/25; DOI new drug report still required
*** OR- annual price increase report declared unconstitutional 2/24; 60 day notice and new drug notice still required
DRUG PRICE TRANSPARENCY (CONT.)
PDABs
➢ PDAB laws in 11 states
➢ CO, MD, & OR most active
➢ Ability to set Upper Payment Limits (“UPLs”) in 4 states- Colorado, Maryland, Minnesota, and Washington
STATE
COMPLIANCE REQUIREMENTS CONSIDERATIONS/MONITORING COMPLIANCE
Company/Operational Considerations:
➢ Tracking all of the state price reporting laws to take into account all of the different triggers and filing requirements/who/when/how?
➢ Dealing with PDABs
➢ Challenges
STATE COMPLIANCE REQUIREMENTS/LIMITATIONS
➢ States/jurisdictions with compliance program requirements and/or limits include:
➢ California- “declaration” of compliance program/annual per HCP meal/gift limit
➢ Connecticut- adoption and implementation of a code that aligns at a minimum with AdvaMed/PhRMA Code and OIG CPG
➢ Maine- gift “prohibition” and limits on honoraria
➢ Massachusetts- adoption and implementation of a Marketing Code of Conduct (MA’s regs), which follows PhRMA and AdvaMed Codes/ annual compliance certification
➢ Minnesota- gift prohibition, including meals, in excess of $50 in aggregate per HCP, limited exceptions
➢ Nevada- adoption and implementation of a Marketing Code of Conduct, annual compliance certification
➢ New Jersey- meal limitation(s)/ fee (“bona fide” service fee) limitations
➢ Vermont- gift/meal ban, unless the HCP has a bona fide services arrangement with the company
STATE COMPLIANCE REQUIREMENTS CONSIDERATIONS/MONITORING
Company/Operational Considerations:
➢ Keeping track of various requirements, including deadlines among states/jurisdictions
➢ Annual audit required for compliance certification in a few states
➢ Challenges
HCP SPEND REPORTING…BEYOND SUNSHINE
➢ States/jurisdictions with spend/payments/transfers of value disclosure requirements*:
➢ Chicago, IL- annual disclosure of rep’s TOVs, samples and interactions with HCPs (upon request)
➢ Connecticut- independent APRN disclosure/annual disclosure of reps’ TOVs, samples, and interactions- due by 7/1
➢ Massachusetts- annual disclosure of “sales and marketing activities” TOVs of $50+/ quarterly meal disclosure (not currently enforced) – due by 7/1
➢ Minnesota- annual disclosure of $100+ payments to speaker/faculty and consultants- due by 5/1
➢ Nevada- annual disclosure of (registered) reps’ TOVs of $10+ and samples- due by 3/1
➢ Oregon- annual disclosure of (registered) reps’ TOVs, samples, and interactions with HCPs- due by 4/1
➢ Vermont- annual disclosure of (allowable)TOVs, samples- due by 4/1
➢ Washington, DC- annual disclosure of TOVs of $25+ employee compensation, and marketing/advertising costs –due by 7/1
* Preempted by the Sunshine law
REP REGISTRATION
➢ States/Jurisdictions with registration requirements that apply to sales reps and other field-facing personnel include:
➢ Chicago, IL- registration required if “within city limits” for at least 15 days/CY
➢ Connecticut- no minimum time
➢ Nevada- registration required if in the state for at least 5 days/CY
➢ Oregon- must register if conducting business in the state for at least 15 days/CY
➢ Washington, DC- registration required if detailing in the District for at least 30 days/CY
➢ Should consider if “virtual” interactions count toward minimum # of days
➢ Nevada
➢ Oregon
STATE COMPLIANCE REQUIREMENTS CONSIDERATIONS/MONITORING
Company/Operational Considerations:
➢ Keeping track of state limitations/prohibitions
➢ Violations
➢ How to cure
➢ Tracking(spend)beyond Sunshine
➢ Reporting
➢ Challenges
STATE MARKETING DISCLOSURE REQUIREMENTS
➢ States with marketing disclosure requirements (for HCPs):
➢ Colorado- drug reps must provide HCPs, in writing, the WAC and the names of at least three generic prescription drugs from the same therapeutic class (includes in-person meetings, mail, telephone calls, video conferencing, emails, texting, etc.)
➢ Connecticut- “pharmaceutical reps” must provide HCPs, in writing, the “list price” and any variation efficacy data in different racial and ethnic groups, if available (includes in-person meetings, telephone calls emails, texting, etc.)
➢ Vermont-drug reps must provide HCPs, in writing, the AWP per pill and the price relationship between the marketed drug and other drugs within the same therapeutic class and information must be posted on a public website (includes in-person meetings, mail, telephone calls, emails, texting, sampling, etc.)
STATE COMPLIANCE REQUIREMENTS CONSIDERATIONS/MONITORING
Company/Operational Considerations
➢ Format of disclosure, hard copy vs. electronic
➢ Who is responsible for drafting
➢ Training
➢ (Basically) the same for all 3 states?
➢ MLR/PRC approval required?
THANK YOU!
BALANCING INNOVATION AND COMPLIANCE IN THE DATA PRIVACY MATRIX
Alfred R. Brunetti. Esq., CIPP/US, CIPM Principal Porzio, Bromberg & Newman, P.C.
WHAT IS HEALTH DATA?
Diagnoses, Treatments, Medical History
Health data is typically any info related to a person’s physical or mental health, healthcare services, status or condition
Exercise routines, calories logging, etc (think fitness apps or trackers)
Medical Records
Biological, physiological or behavioral characteristic, patterns, rhythms, scans
Wellness
Information
Info revealing health status or history (think geolocation)
Biometrics
Sensitive Health Indicators
HEALTH DATA
Health Data
FEDERAL
HIPAA
GINA
ENFORCERS / REGULATORS
Health Data
NOTABLE FTC ENFORCEMENT ACTIVITY
deceptively sharing consumer health data and Health Breach Notification Rule violation by failing to report unauthorized disclosure to advertising companies
deceptively sharing consumer sensitive data with 3Ps (email, IP, health questionnaire info with Facebook & others)
disclosure of website data to 3P advertising platforms, e.g. Meta and Google
WHAT ARE WE TO DO???
COMMON CONSUMER HEALTH DATA THEMES…
❖ CONSENT requirements to collect (other than strictly necessary to deliver requested product / service)
Consumer Health Data
Health Data
❖ TRANPARENCY obligations, e.g. listing of 3P recipients or affiliates
❖ Affirmative and distinct NOTICE requirements
❖ Strong privacy RIGHTS and exercise instructions
CONSUMER HEALTH DATA LAWS…
Consumer Health Data
Health Data
WASHINGTON MY HEALTH MY DATA ACT
Consumer Health Data
Health Data
➢ Specifically created to gap fill between reality and consumer expectations about health data
➢ Fully effective since June 2024
➢ Broad Scope & Range
➢ Heighten, specific additional obligations & rights beyond traditional consent and notice
➢ Inferences are key
➢ PRIVATE RIGHT OF ACTION
WHO’S IN SCOPE?
“Regulated Entity”
Conducts business in WA state
OR Produces or provides products or services targeted to WA consumer
AND Alone or jointly “determines the purpose and means of collecting, processing, sharing or selling of consumer health data”
CONSUMER HEALTH DATA IS…
personal information that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status.
(i) Individual health conditions, treatment, diseases, or diagnosis;
(ii) Social, psychological, behavioral, and medical interventions;
(iii) Health-related surgeries or procedures;
(iv) Use or purchase of prescribed medication;
(v) Bodily functions, vital signs, symptoms, or measurements of the info described in this subsection
(vi) Diagnoses or diagnostic testing, treatment, or medication;
(vii) Gender-affirming care info;
(viii) Reproductive or sexual health info;
(ix) Biometric data;
(x) Genetic data;
(xi) Precise location info that could reasonably indicate a consumer's attempt to acquire or receive health services or supplies;
(xii) Data that identifies a consumer seeking health care services; or
(xiii) Any info processed to associate or identify a consumer with the data described in this subsection that is derived or extrapolated from nonhealth information (by any means, including algorithms or machine learning)
CONSUMER HEALTH DATA IS NOT:
Deidentified
or personal information that is used to engage in public or peer-reviewed scientific, historical, or statistical research in the public interest
But, the research must
✓ adhere to all other applicable ethics and privacy laws and ✓ be approved, monitored, and governed by an institutional review board (or similar) that determines business has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with reidentification
ACTIONS IN SCOPE
Before collecting, you must:
➢ get consent with specified purpose
OR
➢ Do so only to extent “necessary” to provide product or service consumer “has requested from [you]”
Before sharing, you must:
➢ Get consent that is “separate and distinct” from the collection consent
OR
➢ Do so only to extent “necessary” to provide product or service “has requested from [you]”
Consent must include categories, purpose and specifics on uses, recipients & how to withdraw consent
WHAT COUNTS AS CONSUMER HEALTH DATA?
Tracking of bodily functions (like, e.g. digestion, perspiration or sleep) by an app, device or otherwise
info that is derived or extrapolated from nonhealth data to associate or identify a consumer with consumer health data (so, even potential inferences drawn from purchases of toiletries or other activities)
WORDS AND ACTIONS WILL BE SCRUTINIZED
Role Reversal?
Make sure your business contracts and DPAs are detailed and specific because infractions could turn your processor into a directly regulated entity
Distinct Policy & Items
• Categories of collected & shared
• Purpose of collection and how used
• Categories of sources
• Categoreis of 3P and affiliate share recipients
• How to exercise rights
CAN WE ENABLE INNOVATION
EXTERNAL (AND EASIER)
FIRST
✓SEPARATE LINKS
✓PROPER POLICY LANGUAGE
✓FUNCTIONAL AND TESTED
GET THE RIGHTS RIGHT
✓ACCESS - DELETE* – WITHDRAW
✓45 DAY RESPONSE (+45 DAYS**)
✓DOWNSTREAM OBLIGATIONS IMPOSED ON VENDORS
AND AFFILIATES
NOT YOUR STANDARD CONSENT(S)
✓ CLEAR, AFFIRMATIVE, VOLUNTARY PURPOSE-SPECIFIC OPT IN CONSENT TO COLLECT / SELL
✓ STAND ALONE CONSENT TO SELL
✓ REVOCABLE & TRACKABLE
✓ KEEP THE AUTHORIZATION TO SELL FOR 6 YEARS
General terms in unrelated info / closing a piece of content / dark patterns (i.e. deceptive designs)
PLAN THE WORK, WORK THE PLAN
THOUGHTFUL HEALTH DATA GOVERNANCE CAN
PROTECT PRIVACY, INCREASE SECURITY AND REDUCE RISK AND LIABILITY
✓ PRIVACY BY DESIGN, EARLY & OFTEN IN PRODUCT DEVELOPMENT & IMPLEMENTATION
✓ KNOW WHEN/HOW TO CONDUCT DATA PROTECTION IMPACT ASSESSMENTS
✓ TRAIN CROSS-FUNCTIONALLY
✓ MONITOR AND AUDIT VENDORS AND AFFILIATES
BIG PICTURE: HOW WE HANDLE HEALTH DATA
Proactive Prevention versus Reactive Remediation
❑ Leverage existing compliance infrastructure to adopt a proactive approach to health data governance
❑ Is Health Data being processed for legitimate and lawful business purposes in accordance with policies, SOPs and applicable law?
❑ Policy creation / revisions to address collection, use and sharing/sale
❑ Accuracy and propriety of Notices and Consents / documented and preserve via Consent Management platform?
❑ Timely and functional opportunities to opt-out of certain processing activities
❑ Vendor Assessment & Contracts – Audit & Monitor
❑ TRAINING!! (at a regular cadence)
WEBSITE TRACKER REPORT BY PORZIO
QUESTIONS?
Martin J. Healy, Esq. Principal Porzio, Bromberg & Newman, P.C.
ELEMENTS OF AN EFFECTIVE COMPLIANCE PROGRAM
WHAT REALLY MATTERS
➢ Clear Rules of the Road
➢ Ownership/Leadership
▪ Tone from the Top
➢ Knowledge / Training
➢ Transparency /Candidness
➢ Consistency & Accountability
➢ Challenge & Test
➢ Continual Improvement
DOJ GUIDANCE FOR EVALUATING COMPLIANCE PROGRAMS
(MARCH 2023)
Key Considerations:
➢ Is the compliance program well designed?
➢ Is the program being applied earnestly and in good faith?
➢ Is it adequately resourced and empowered to function effectively ?
➢ Does the company’s compliance program work in practice?
“Even a well-designed compliance program may be unsuccessful in practice if implementation is lax, under-resourced, or otherwise ineffective.”
“Prosecutors are instructed to probe specifically whether a compliance program is a ‘paper program’ or one implemented, resourced, reviewed, and revised, as appropriate, in an effective manner.”
DOJ GUIDANCE FOR EVALUATING COMPLIANCE PROGRAMS
(SEPTEMBER 2024)
Key Considerations:
➢ Are Emerging Technologies (Including AI) Properly Deployed, Integrated, Monitored and Used?
➢ Are Whistleblowers Properly Protected and Incentivized?
➢ Does The Compliance Program Have Appropriate Access To Data - and the Technological Tools Needed To Assess Such Data?
“Now is the time to make the necessary compliance investments [inAI and other technology] to help prevent, detect, and remediate misconduct.”
INVESTIGATIONS: HIGHLIGHT AREAS OF CONCERN
Participation: Speak-Up Culture? Process: Well –Designed?
Protection: Triage & Privilege? Prevention: Causation & Remediation?
SPEAK–UP CULTURE
(Move Program from Paper to Practice)
➢ Sets The “Proper Tone” / Foundation
➢ Encourages Business “Buy-In”
➢ Bolsters Participation Across Enterprise
➢ Fosters Open Communication and Trust
➢ Values Transparency, Consistency and Accountability
➢ Energizes Itself, Leads To Continuous Process Improvements
A WELL-DESIGNED PROCESS: YOU CAN’T JUST WING IT!
CRITICAL ELEMENTS:
➢ Establish Clear Policies and Procedures
➢ Have a Formal Investigation Plan
➢ Use and Rely On Technology/Data Analytics
➢ Preserve Confidentiality & Prevent Retaliation
➢ Conduct Root-Cause Assessments
➢ Implement/Confirm Remedial Measures
➢ Continuously Improve Process
THE INCREASED ROLE OF TECHNOLOGY, DATAANALYTICS,ANDARTIFICIALINTELLIGENCE
➢ Understand Your Resources / Know Your Data
➢ Utilize Analytics and AI To Enhance Anomaly Detection
➢ Leverage AI To Keep Up With Industry Trends and Developments
➢ Establish Real Time Compliance Monitoring
➢ Automate Data Collection and Integration
➢ Evaluate Predictive Compliance Analytics
➢ Monitor Industry to Seek Out New Tools
THE
USE OF TECHNOLOGY – INCLUDING AI:
➢ Should Be Integrated Into Broader Corporate Enterprise Risk Management (ERM) Processes
➢ Should Be Used to Enhance Accuracy and Efficiency of Compliance Program (Including Investigations)
➢ Should Be Available To, and Utilized By, Compliance Team in Similar Manner to Its Use Elsewhere In Company
PROTECT COMPANY PRIVILEGE:
CREATE A TRIAGE PROCESS
➢ ESTABLISH WRITTEN POLICIES AND PROCEDURES
➢ EDUCATE EMPLOYEES (INVESTIGATORS)
➢ CONDUCT EARLY ASSESSMENT
➢ INVOLVE COUNSEL
➢ IDENTIFY PRIVILEGED MATTERS
➢ CONTINUALLY MONITOR OPEN MATTERS
PROTECT COMPANY PRIVILEGE: UNDERSTAND WHAT IT MEANS
➢ ATTORNEY CLIENT PRIVILEGE
▪ Protects confidential communications between a lawyer and a client for the purpose of seeking or obtaining legal advice
➢ WORK PRODUCT PRIVILEGE
▪ Protects certain materials prepared in anticipation of litigation and/or at the direction of counsel.
PROTECT COMPANY PRIVILEGE: PRESERVE YOUR RIGHTS
➢ ENSURE COUNSEL DIRECTS INVESTIGATION
➢ LIMIT DISTRIBUTION OF PRIVILEGED COMMUNICATIONS
➢ SEPARATE LEGAL ADVICE FROM STANDARD BUSINESS
➢ MARK DOCUMENTS AS “PRIVILEGED AND CONFIDENTIAL”
➢ EDUCATE EMPLOYEES ON PRIVILEGE PROTECTIONS
➢ ENGAGE OUTSIDE COUNSEL – AS APPROPRIATE
ITS NOT OVER TILLITS OVER: ROOT
CAUSEAND REMEDIATION
Conduct Post-Mortem & Identify Lessons Learned
Analyze Root-Cause & Identify Corrective Measures
Ensure Enforcement of Remedial Action & Document/Close Case
Implement Necessary Systemic Changes To Mitigate Future Risk
Validate Effectiveness of Corrective Measures (Using Tech/Data)
QUESTIONS, COMMENTS, IDEAS?
PHARMA AND MED DEVICE COMPLIANCE PANEL
Jeff Kawalek, MBA Chief ComplianceZambonOfficer US Gil Rodriguera Sr. Director, Compliance Business Partner Mallinckrodt
Jennifer A. Romanski, Esq. Principal Porzio, Bromberg & Newman, P.C.
Daniel Spicehandler VP, Compliance, Commercial Divisions Stryker
Jeffrey Kawalek, MBA Chief Compliance Officer Zambon USA
Gil Rodriguera
Sr. Director, Compliance Business Partner Mallinckrodt
Jennifer A. Romanski, Esq. Principal Porzio, Bromberg & Newman, P.C. JARomanski@pbnlaw.com
Daniel Spicehandler VP, Compliance, Commercial Divisions Stryker
THANK YOU FOR JOINING US.
For additional resources and to complete the CLE survey, please scan the QR code below.
