Working in the grey: FDA, CMS and data privacy

For companies in the biotech space, it’s never been easy to navigate the legal and business risks inherent in a highly regulated, dynamic industry – and it’s only becoming more complicated in light of recent enforcement trends, a new presidential administration, and an uncertain economic environment.
Those complicating factors, however, only make it more important to manage legal, compliance, and business risks in order to ensure successful outcomes for patients and other stakeholders. According to the US Department of Justice, since 2017 the United States has recovered over $1 billion in connection with alleged Anti-Kickback Statute violations, False Claims Act violations, and other schemes. In the same statement, the Department of Health and Human Services Office of Inspector General (HHS-OIG) stated that it “remains committed to thoroughly pursuing allegations of price fixing and kickbacks that put the Medicare program at risk.”
So, how do companies manage these competing pressures? The key is to understand the areas of greatest risk and uncertainty and develop policies and protocols to address them as much as possible. A consistent, well-documented approach will go a long way in addressing concerns when regulators come knocking on the door.
An environment in flux
No company has unlimited budget or resources to plan for every eventuality, so prioritisation is key, and so is being realistic: fast, cheap, and high-quality work are all worthwhile goals, but they are hard to achieve simultaneously. Among the major regulatory areas to understand and prepare for are FDA enforcement actions, Centers for Medicare & Medicaid Services (CMS) audit trends, and data privacy requirements across state, federal, and international jurisdictions. A cross-functional approach within companies, as well as with outside counsel, will help to identify risk, institute best practices, and navigate uncertainties.
Here are several key areas to focus on.
FDA enforcement trends and compliance strategies
Traditionally, the FDA has relied on a few common enforcement actions, such as warning letters, recalls, injunctions, and criminal penalties. However, the new presidential administration may choose different actions and priorities, including deregulation as a guiding principle, which would particularly affect the life sciences community, among many others.
Until more guidance is given, biotech companies should make sure they have strong compliance protocols around areas such as Good Manufacturing Practices (GMP) and the Quality System Regulation (QSR) (which the FDA is replacing with the Quality Management System Regulation, QMSR, aligned with ISO 13485), as well as clinical trial compliance and reporting obligations, and post-market surveillance and adverse event reporting. With the uncertainty over Congressional funding in 2025, many in our biotech community fear that the FDA may be unable to review and approve human drugs and medical devices within its usual timelines.
Robust internal compliance programmes, proactive self-audits and third-party reviews, and clear documentation and regulatory submissions will help companies to respond in the event of an enforcement action.
CMS audits and penalties: Key considerations
In the past, CMS has relied on several common types of audits to ensure compliance, including Recovery Audit Contractor (RAC) audits, Comprehensive Error Rate Testing (CERT) audits, and Zone Program Integrity Contractor (ZPIC) investigations (now carried out by Unified Program Integrity Contractors, or UPICs). For instance, in the Medicare Advantage and Part D programs, CMS performs annual program audits and imposes sanctions or penalties based on its findings. Recent trends in CMS audit penalties indicate a focus on enforcing compliance across healthcare sectors, including biotech, with an emphasis on accurate reporting and timely submissions. In 2024, CMS also signalled its intention to increase audit activity, which raises the stakes for companies that have not prioritised implementation, training, monitoring, and record-keeping: the internal systems that demonstrate transparency and compliance with CMS requirements.
Biotech companies should deploy several strategies for CMS audit readiness, including strong billing and coding compliance frameworks, regular internal audits and staff training, and timely and accurate responses to audit requests.
Data privacy compliance, considerations, and pitfalls
Companies in the biotech space and in other industries face a complex web of data privacy regulations at the state, federal, and international level, with new regulations and updates happening regularly. Beyond enforcement, though, companies can also fail to comply with their own internal policies, which can lead to data breaches and reputational harm.
HIPAA in the United States and GDPR in the EU present significant compliance challenges. Several states, including California, Colorado, Virginia, Utah, and Connecticut, also have comprehensive consumer privacy laws, enforced to varying degrees.
While these regulations (and their penalties) vary significantly, several failures put companies at risk of violating any and all of them. For example, failing to conduct regular risk analyses, an explicit HIPAA Security Rule requirement and one of the most common findings in HHS Office for Civil Rights enforcement, leaves unidentified gaps in data protection.
Another driver of risk is inadequate employee training, since employees who mishandle sensitive data can cause breaches and trigger regulatory penalties. Improper data retention and disposal is a further concern, particularly where PHI or PII is retained longer than necessary. GDPR requires a documented lawful basis for every processing activity and, for special categories such as health and genetic data, generally explicit consent; several US state laws likewise require consent before sensitive data is collected or processed. Missing breach notification deadlines (72 hours to the supervisory authority under GDPR, and no later than 60 days after discovery under the HIPAA Breach Notification Rule) can lead to hefty fines.
To avoid these risks, companies need to review their data privacy policies and protocols continually, since new technologies (used by companies as well as by potential bad actors) are constantly being introduced. Employee turnover can also increase vulnerability if training is not regular and thorough. Data encryption and secure storage are also crucial: HIPAA treats encryption as an “addressable” safeguard rather than a strict mandate, and GDPR names it only as an example of an appropriate technical measure, but encrypting data at rest and in transit is a best practice, and lost or stolen PHI that was properly encrypted generally falls within the safe harbour of HIPAA’s Breach Notification Rule. Robust role-based access controls, reviewed whenever roles change, and regular employee training further minimise risk. And it is not enough to have strong internal controls: companies must ensure that third-party contracts (HIPAA business associate agreements and GDPR Article 28 processor terms, for example) align with data protection laws and with their own policies.
During times of uncertainty, it’s more important than ever to be proactive, consistent, and keep open lines of communication. Having a proactive compliance strategy, following it rigorously, and being able to produce documentation can go a long way toward minimising risk and responding thoroughly if regulators come calling. And in this complex, highly regulated landscape, it’s critical to maintain cross-functional collaboration between legal, compliance, and operational teams. Each group plays an important role, and problems can be avoided if these groups are constantly in contact and sharing information on internal practices, as well as on regulatory updates and industry trends.
Biotech companies must also update – or implement – risk assessment frameworks, strengthen internal audit and monitoring mechanisms, and maintain regulatory engagement and transparency with agencies. When there isn’t much black and white guidance, being able to operate in the grey becomes more important than ever.
About the author

A partner at OGC, Berry Flynn Cappucci brings over 19 years of experience as an attorney in both the US and Europe. A former in-house counsel with several life sciences companies, she now serves as an expert resource that is an extension of an in-house legal team, which allows her to become very familiar with the particular issues and risks facing her clients.