Blogs

Eli Lilly Targets Compounding Kits

Eli Lilly has filed a lawsuit against Pivotal Peptides, a drug vendor in Washington state, accusing them of selling do-it-yourself kits for making knockoff versions of their weight-loss and diabetes drugs, Zepbound and Mounjaro.

Pivotal Peptides allegedly sold these kits without requiring a prescription or medical consultation, labeling the ingredients as “research chemicals” not intended for human use. The company ignored a cease-and-desist letter from Lilly and continued operations under a guise, using coded language to sell their products.

The lawsuit alleges serious safety issues, as these untested and non-pharmaceutical-grade drugs could be ordered by anyone.

Lilly’s legal actions are part of a broader effort to address the sale of illicit tirzepatide versions amid ongoing legal debates over compounded drug formulations.

The FDA had previously declared a shortage of tirzepatide, allowing licensed pharmacies to legally compound the drug, but is now reconsidering this decision following lawsuits from compounding pharmacies. Eli Lilly emphasizes the significant risks posed to patient safety by the sale of these unapproved and potentially harmful drugs.

Anti-Discrimination

• The Department of Health and Human Services’ final rule implementing Section 1557 of the Affordable Care Act prohibits discrimination in healthcare and requires covered entities to appoint coordinators, post nondiscrimination notices, and implement policies and procedures by specific deadlines. Covered entities must also ensure patient care decision support tools are used non-discriminatorily and provide language assistance and auxiliary aids by May 1, 2025.

Blockchain

• The global “Blockchain Technology in Healthcare” market is projected to grow significantly, driven by its potential to enhance security, efficiency, and transparency in healthcare services. Blockchain technology offers secure storage of electronic health records, streamlines data management, and improves drug traceability. Recent developments highlight the ongoing integration of blockchain in healthcare, with companies like IBM and Patientory Inc. making strides in the field.

Data Breaches

• Data breaches are costly, with healthcare and finance industries facing the highest penalties due to stringent regulations. Data masking is a solution that allows businesses to comply with regulations while maintaining data usability. Organizations must implement data masking alongside encryption and PAM to protect sensitive data and avoid regulatory penalties.
• Over 940,000 Medicare beneficiaries’ protected health information was exposed due to a vulnerability in MOVEit software used by WPS. CMS and WPS are investigating the breach, offering credit monitoring and new Medicare cards to affected individuals. Healthcare organizations should review vendor contracts, conduct regular cybersecurity audits, and enhance incident response plans to safeguard against similar incidents.

Health Data

• Health and fitness apps and digital health platforms collect personal health data, but HIPAA does not apply to most of them. State-specific data privacy laws, such as California’s CMIA and Washington’s MHMDA, regulate the collection and use of consumer health data, including the right to consent, delete, and know how data is shared. Businesses must comply with these laws by requiring consent, implementing privacy policies, and ensuring data security.

HIPAA

• HHS is working on updating the HIPAA Security Rule to address the increasing cyber threats in the healthcare sector, including ransomware attacks and data breaches. The proposed modifications may include a thorough enterprise-wide HIPAA security risk analysis. The outcome of the upcoming presidential election could impact the implementation of these regulations, with a potential shift in priorities and enforcement approaches.
• The Office of Civil Rights (OCR) has resumed HIPAA audits after a seven-year hiatus due to a surge in data breaches and cyberattacks. Entities must strengthen their compliance programs, including conducting risk assessments, implementing safeguards, and providing detailed documentation of compliance. Non-compliance can result in financial penalties and corrective actions.
• Texas is challenging to the Biden administration’s new rule strengthening the Health Insurance Portability Act (HIPAA). The rule prohibits healthcare providers, insurers, and states from giving reproductive care information to criminal or civil investigations. Texas is fighting to access out-of-state abortion medical records, which could lead to the criminalization of abortion-seeking residents.
• BAAs are often treated as boilerplate documents, but they require careful review and negotiation to ensure compliance with HIPAA regulations. It is important to update the agreements regularly to reflect current laws. In terms of substance, counsel should ensureg clear reporting obligations, and avoid overly restrictive terms that could hinder a business associate’s operations. Failing to properly execute or update a BAA can result in severe penalties. BAAs are not “one-size-fits-all” and should be tailored to support a robust privacy compliance program.

Reproductive Health

• A Texas doctor is suing the HHS to prevent enforcement of a new HIPAA rule that strengthens reproductive health care privacy. The rule prevents HIPAA-regulated entities from disclosing reproductive health care information to law enforcement, but the doctor argues it restricts her ability to report suspected abuse. The lawsuit follows a similar suit filed by the Texas Attorney General.
• A Texas doctor sued the Biden administration over a new rule strengthening privacy protections for abortion and gender transition treatments. The doctor argues the rule prevents reporting possible abuse and violates state law. The lawsuit was filed in Amarillo, ensuring it will be heard by a conservative judge who previously suspended the approval of the abortion pill mifepristone.
• A Texas doctor is suing the Biden-Harris administration over recent changes to federal health privacy laws that restrict doctors’ ability to report suspected abuse and protect patients from the harms of abortion and gender transition. The new rule redefines “person” and “public health” to exclude unborn children and limits how doctors and law enforcement can protect patients from abuse. Alliance Defending Freedom attorneys argue that the rule exceeds government authority and undermines state laws that protect mothers and children from the harms of abortion and gender transition.

Weight Loss

• Novo Nordisk has requested the FDA to prohibit compounding pharmacies from producing unapproved versions of Ozempic and Wegovy, citing safety concerns. The FDA is reviewing the petition and will respond directly to Novo Nordisk.
• Diabetes patients face insulin shortages due to increased demand for weight loss drugs like Ozempic. The three major insulin manufacturers, Novo Nordisk, Eli Lilly, and Sanofi, are under pressure to prioritize insulin production amidst supply chain disruptions and the lucrative market for weight loss drugs. Despite price cuts, diabetes patients worry about the reliability of insulin supply, which is essential for their survival.

Legislation

• In 2024, states continued to enact sectoral privacy laws, particularly focusing on children’s data and AI regulation. The New York Child Data Protection Act and SAFE for Kids Act aim to protect children’s privacy and safety online, while the Maryland Age-Appropriate Design Code Act seeks to regulate online content for children. Other states, such as Connecticut and Colorado, have also passed amendments to their consumer data privacy laws to enhance protections for children’s data.
• In 2024, seven states passed comprehensive data privacy laws, bringing the total to 19. Maryland, Vermont, and Maine introduced more restrictive data minimization provisions, while Minnesota, New Jersey, and Rhode Island iterated on existing models. Existing laws in California, Colorado, Virginia, and New Hampshire received amendments, primarily focusing on expanding protections for children’s data.
• The Health Infrastructure Security and Accountability Act (HISAA) aims to enhance cybersecurity standards for healthcare organizations by imposing mandatory minimum security measures and providing financial support for compliance. The bill requires annual audits, stress tests, and increased accountability for non-compliance, with penalties reaching up to $250,000 for willful neglect. HISAA also includes financial assistance for hospitals to enhance their cybersecurity infrastructure, particularly for rural and safety net facilities.
• California’s CCPA amendment protects neural data as sensitive personal information, impacting Illinois businesses that collect or utilize this data. Illinois businesses should review their data privacy practices to ensure compliance with both state and federal laws.

Security Practices

• Healthcare workers resort to insecure password practices due to care delivery demands, leading to data breaches and compromised credentials. These breaches impact patient care, cause significant costs, and highlight the ineffectiveness of complex passwords.
• HIPAA EDI transactions are electronic data exchanges between healthcare providers and health plans that adhere to HHS standards. Non-compliance can result in delayed treatments and payments, and may lead to sanctions or exclusion from Medicare and Medicaid.
• New York has implemented new cybersecurity regulations for general hospitals, requiring annual risk assessments, incident response plans, and multifactor authentication. The regulations aim to enhance cybersecurity standards beyond HIPAA requirements and address the increasing frequency of cyberattacks on hospitals. Hospitals have one year to comply with the new requirements, with funding available to assist with implementation costs.

LLMs

• A recent study by Apple engineers shows the fragility of mathematical reasoning in advanced large language models (LLMs) like those developed by OpenAI and Google. The research shows that LLMs struggle with minor changes to benchmark problems, resulting in performance drops of up to 9.2%. These findings suggest that LLMs rely on probabilistic pattern matching rather than genuine logical reasoning. The researchers concluded that these models’ reasoning processes have critical flaws that cannot be resolved with simple refinements.
• Google DeepMind has developed an AI model to predict key properties of potential drugs. The new Tx-LLM (Therapeutic Large Language Model) model represents a shift toward specialized artificial intelligence tools for specific industries. This targeted approach could prove more valuable than general-purpose AI in addressing complex commercial challenges.

LItigaton

• The Texas Attorney General settled allegations of false and misleading claims about the accuracy of a healthcare AI product. The company agreed to comply with specific requirements for five years, including disclosing metrics and potential harmful uses of its products. As AI use in healthcare grows, legislators and regulators are increasingly interested in AI laws and regulations, and healthcare entities should adopt AI governance programs to ensure compliance.
• Social credit scores, used by the DOJ to prosecute healthcare providers, are data-driven profiles that assess risky behavior and predict future violations. These scores, influenced by biased enforcement patterns, disproportionately target minority physicians and patients, leading to unjust prosecutions and surveillance. The widespread adoption of predictive tools like social credit scores amplifies systemic biases and entrenching the surveillance and punishment of already marginalized populations.

Online Tracking

• In St. Aubin v. Carbon Health Technologies, Inc., the United States District Court for the Northern District of California examined a claim under the California Invasion of Privacy Act (CIPA) regarding alleged interceptions of medical data by third-party tracking technologies. The court focused on the application of CIPA’s second clause, which prohibits unauthorized interception of the “contents or meaning” of communications, finding that URLs containing detailed health information could qualify as protected content. Facebook’s tracking was deemed to meet this requirement due to its real-time data interception capabilities, while Google’s tracking lacked sufficient specificity, leading the court to allow an amendment to the complaint. This case highlights the increasing judicial scrutiny of digital privacy, particularly concerning online tracking and the sharing of sensitive medical information.
• Online tracking technologies, such as cookies, can impact HIPAA compliance by potentially disclosing protected health information. Non-HIPAA-regulated businesses must comply with state laws regarding consumer health data collected through these technologies. To ensure compliance, businesses should review tracking technologies, analyze license terms, and determine applicable state and FTC rules.

Regulation

• The FDA has authorized almost 1000 AI-enabled medical devices and has received hundreds of regulatory submissions for drugs that used AI in their discovery and development. The FDA assets that effective regulation requires coordination across industries, government, and international bodies, with flexible mechanisms to keep pace with AI developments. Transparency from sponsors and proficiency in AI evaluation by regulators are crucial, alongside a life cycle management approach with ongoing postmarket performance monitoring.

Threat Vector

• There is an alarming rise in healthcare data breaches, which have increased by 187% in 2023. The surge in cyberattacks, particularly driven by ransomware and phishing, poses significant challenges to the healthcare industry. To address these challenges, healthcare organizations must prioritize regular training and thorough audits to enhance their security measures.
• Data compromises decreased by 8% in Q3 2024, with 672 incidents reported. However, the number of individuals affected fell by 77% due to a significant decrease in healthcare data breaches. Despite the decrease in data compromises, the total number of victims for the year is still above the 2023 record.
• Privacy-enhancing technologies (PETs) like fully homomorphic encryption (FHE), trusted execution environments (TEEs), and privacy-preserving federated learning (PPFL) can protect sensitive healthcare data while enabling analysis. Regulators should endorse these technologies to simplify compliance and incentivize their adoption. Post-quantum cryptography (PQC) will provide protection against emerging attacks, including those from quantum computing devices.
• Ransomware claims have increased by 68% in severity, with an average loss of $353,000. Business Email Compromise remains a leading threat, while funds transfer fraud has seen a slight decline.

Opinion

• AI and precision health aim to improve patient outcomes by tailoring treatments to individual characteristics. However, challenges such as data diversity, privacy concerns, and the need for longitudinal data need to be addressed. To ensure the success of precision health, strategies like assembling large cohorts, improving diversity, and protecting data privacy are essential.

Litigation

• Texas Attorney General Ken Paxton sued a Dallas doctor for providing gender-affirming treatments to minors, violating a state ban. The lawsuit alleges the doctor used false diagnoses and billing codes to mask the care. The doctor practices at UT Southwestern and Children’s Health, both affiliated with the state.
• The FTC appealed a Texas ruling that invalidated its nationwide ban on employment noncompete agreements. The FTC’s noncompete ban, which aimed to prohibit noncompete agreements between employers and employees, faces legal challenges and may eventually reach the Supreme Court. Employers are advised to comply with state laws regarding restrictive covenants.

Security Standards

• The Health Infrastructure Security and Accountability Act (HISAA) aims to enhance cybersecurity standards for healthcare organizations by imposing mandatory minimum security measures and providing financial support for compliance. The bill requires annual audits, stress tests, and increased accountability for non-compliance, with penalties reaching up to $250,000 for willful neglect. HISAA also includes financial assistance for hospitals to enhance their cybersecurity infrastructure, particularly for rural and safety net facilities.
• HIPAA EDI transactions are electronic data exchanges between healthcare providers and health plans that adhere to HHS standards. Non-compliance can result in delayed treatments and payments, and may lead to sanctions or exclusion from Medicare and Medicaid.

Quality of Care

• The Outpatient and Ambulatory Surgery Consumer Assessment of Healthcare Providers and Systems (OAS CAHPS) survey, which evaluates patient satisfaction in outpatient healthcare facilities, will become mandatory for ASCs and HOPDs in January 2025. ASCs should prepare by aligning operations with OAS CAHPS guidelines and engaging a CMS-approved vendor to administer the survey. Participation in the survey is essential for compliance and can impact public perception and reimbursement rates.

Fraud & Abuse

• The former owner of 4M Pharmaceutics was convicted of defrauding Medicare out of $160 million by submitting claims for medically unnecessary drugs using illegally obtained patient information. Mokbel faces decades in prison and millions in restitution and fines. Prosecutors argued that Mokbel’s scheme involved using diabetes testing equipment as a ruse to send patients topical creams and Omega-3 pills they didn’t need, while Mokbel’s defense claimed he acted within the bounds of the law.

Out-of-Network

• A Louisiana court awarded $421 million to an out-of-network provider in a dispute with Blue Cross Blue Shield of Louisiana over underpayment for services rendered. This verdict, along with similar cases, highlights the need for fair reimbursement for healthcare providers. Insurance companies may face increased scrutiny and potential financial consequences for underpaying or denying payment to out-of-network providers.

Ransomware

• UMC Health System in Lubbock, Texas, has restored its electronic medical record (EHR) system after a ransomware attack in September. The divert for emergency patients has been lifted, but some patient-facing systems are still being restored. The investigation into the attack is ongoing.
• Ransomware claims have increased by 68% in severity, with an average loss of $353,000. Business Email Compromise remains a leading threat, while funds transfer fraud has seen a slight decline.

Telemedicine

• The Texas Medical Board has proposed new telemedicine regulations. The new rules would require a full license to provide telemedicine services, reaffirms that telemedicine services be performed in compliance with the Texas Occupations Code and the Medical Practice Act, and establishes requirements for prescribing for chronic pain via telemedicine.
• The DEA is expected to extend telemedicine prescribing flexibilities for controlled substances through 2025, following pressure from Congress and the White House. Without an extension, the flexibilities that have increased access to healthcare for rural and underserved communities will expire, potentially leaving thousands of patients without access to critical medications. Stakeholders are urging the DEA to extend the flexibilities and create a taskforce to provide feedback on a new proposed rule for telemedicine prescribing of controlled substances.

CMS

• CMS proposed a rule to amend the Medicare Overpayment Rule, extending the deadline for providers to investigate overpayments from 60 to 180 days. The rule also seeks to replace the “reasonable diligence” standard with the FCA’s knowledge standard.

M&A

• The FTC’s final rule for premerger notifications expands disclosure requirements, particularly for healthcare transactions. It aims to address gaps in enforcement by requiring more extensive data and information on corporate structure, transaction details, competition, and prior acquisitions. The rule is expected to increase compliance time and may lead to more scrutiny of healthcare mergers and acquisitions.

Summary of article from IAPP, by John Haskell:

Misconceptions persist about the use of online tracking technologies (OTTs) for marketing under HIPAA compliance. HIPAA mandates that covered entities must obtain explicit authorization from individuals before using or disclosing their personal health information (PHI) for marketing purposes. Simply signing a Business Associate Agreement (BAA) does not ensure compliance, particularly when PHI is involved. The U.S. Department of Health and Human Services (HHS) has clarified that disclosures of PHI to tracking technology vendors without proper authorizations are impermissible. Additionally, business associates are prohibited from using PHI for their own purposes, such as marketing campaigns. Compliance with HIPAA requires obtaining valid authorizations and adhering to specific guidelines, rather than relying solely on BAAs. Understanding these requirements is crucial to avoid regulatory issues.

Summary of article from Ars Technica, by Beth Mole:

The FDA has issued a warning about overdoses related to off-brand versions of the weight-loss drug semaglutide, commonly known as Wegovy and Ozempic. Due to high costs and supply shortages, patients are turning to compounded versions, which lack standardized dosing and safety assurances. These compounded drugs often come with unclear instructions and improper syringe sizes, leading to significant dosing errors—sometimes up to 20 times the intended amount. Such overdoses have resulted in severe health issues, including nausea, vomiting, and pancreatitis. The FDA emphasizes that compounded drugs carry higher risks and should only be used when absolutely necessary. The agency also noted that healthcare providers have made dosage calculation errors, further exacerbating the problem.