The Vice President, Office of Business Integrity, Chief Compliance and Privacy Officer will execute and lead the compliance program as approved and directed by the Phoenix Children’s Hospital Board of…

Part Two of a Two-Part Series: Unprecedented FTC Enforcement of the Health Breach Notification Rule

By: Jeanne E. Varner Powell, The Risk Team, Mutual Insurance Company of AZ (MICA)

Part One of this series provided an overview of online tracking technologies, and summarized guidance provided in December, 2022, by the Department of Health & Human Services (“HHS”) Office for Civil Rights (“OCR”) for HIPAA covered entities addressing privacy concerns stemming from the use of online tracking technologies.

This segment will discuss enforcement by the Federal Trade Commission (“FTC”) of the Health Breach Notification Rule related to tracking technologies.

FTC Developments: The Health Breach Notification Rule – Uncertainty Ahead?

HIPAA covered entities are not the only ones that need to be aware of increasing regulatory scrutiny related to online tracking technology. The FTC is ramping up enforcement activity in this area against entities not subject to HIPAA. Since 2021, the FTC has settled four significant cases involving alleged improper sharing of consumer health information with advertising platforms like Facebook and Google.[i]

In 2021, the FTC settled unfair and deceptive trade practices claims against FloHealth, the developer of the Flo Period & Ovulation Tracker app. The settlement resolved allegations that FloHealth utilized tracking technologies to share consumers’ sensitive health information with third parties for marketing and advertising purposes.[ii] On March 2, 2023, the FTC announced a proposed settlement of similar claims against BetterHelp[iii], an online mental health treatment company. Similar cases could be on the horizon.

Of particular significance, on February 1, 2023, the FTC announced resolution of its first-ever Health Breach Notification Rule (“HBNR”) action.[iv] The Respondent in that case was GoodRx, a digital health platform offering consumers prescription drug discounts and telehealth services. Just a few months later, on May 17, 2023, the FTC settled a second case involving HBNR claims, this time against Easy Healthcare, developer of the Premom Ovulation Tracking App.[v] Allegations from both cases are discussed in more detail below.

The HBNR was enacted in 2009, but until now it essentially sat idle. The Rule applies to certain non-HIPAA covered entities and imposes reporting requirements when there is a breach of individually identifiable health information.[vi] In 2021, the FTC significantly expanded its interpretation of what entities the HBNR covers and what constitutes a breach that triggers reporting requirements.[vii] Organizations not covered by HIPAA that collect consumer health data (or entities that do business with such organizations) should heed recent FTC activity as a sign to stay abreast of FTC communications about the HBNR and work closely with legal counsel to develop a compliance strategy.

Important HBNR Statutory Terms

To understand the significance of recent FTC actions involving the HBNR, knowledge of some of the statutory terms and definitions is essential.

  • The Rule applies to “vendors of personal health records” (PHRs), a “PHR related entity” or a “third-party service provider for a vendor of PHRs or a PHR related entity.” It requires notification of individuals and the FTC following discovery of a “breach of security” of unsecured identifiable health information contained in a PHR maintained or offered by a vendor or related entity. Third-party service providers that discover such a breach are required to notify the vendor or related entity.[viii]
  • A “personal health record” is “an electronic record of PHR identifiable information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.”[ix]
  • A “vendor of personal health records” is “an entity, other than a HIPAA-covered entity or an entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity, that offers or maintains a PHR.” [x]
  • “PHR identifiable health information” is “individually identifiable health information, as defined in section 1171(6) of the Social Security Act (42 U.S.C. sec 1320d(6)), and, with respect to an individual, information that:
    • Is provided by or on behalf of the individual; and
    • That identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.”[xi]
  • Under the Social Security Act definition, “individually identifiable health information” means any information, including demographic information collected from an individual that:
    • is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
    • relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and
    • identifies the individual; or
    • with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.
  • “Breach of security” means “with respect to unsecured PHR identifiable health information of an individual in a PHR, acquisition of such information without the authorization of the individual.”[xii]

History Behind GoodRx and Premom – Statement of the Commission on Breaches by Health Apps and Other Connected Devices

In 2020, with more consumers utilizing apps and other technology to stay on top of their health, the FTC recognized that “more companies may be covered by the FTC’s Rule.”[xiii] Accordingly, it initiated rulemaking proceedings and sought public input about potential modifications to the Rule’s definitions and scope. For example, it asked whether it should change the definitions of “PHR related entity,” “third-party service provider,” and “vendor of PHRs”. It also asked, “What are the implications (if any) for enforcement of the Rule raised by direct-to-consumer technologies and services such as mobile health apps, virtual assistants, and platforms’ health tools?”[xiv]

In September 2021, with the rulemaking process still ongoing, the FTC reversed course and published the Statement of the Commission on Breaches by Health Apps and Other Connected Devices[xv] (the “Statement”). The Statement announced, for the first time, that the FTC would enforce the HBNR against health app and connected device developers as “health care providers”[xvi] and that it would interpret “breach” to include not just cyberattacks but also sharing of identifying health information without consumer authorization.[xvii] Two commissioners wrote dissents. Both criticized the Commission for publishing the statement without first concluding the ongoing rulemaking process that sought input on these very issues. In addition, they faulted the other commissioners for significantly expanding the Rule in conflict with statutory language, congressional intent, and the Commission’s previously published business guidance.[xviii]

The GoodRx Case

In the GoodRx case, the FTC charged that GoodRx engaged in unfair and deceptive practices in violation of the Health Breach Notification Rule and Section 5 of the FTC Act.[xix] The allegations in the Complaint tracked the FTC’s expanded interpretation of the HBNR as set forth in the Statement. For example, the FTC alleged that the unauthorized disclosures of consumers’ unsecured PHR identifiable health information to Facebook and Google via web trackers constituted a “security breach.” In support of its claim that GoodRx was a “vendor of PHRs,” the FTC alleged as follows:

  • The website and mobile apps are electronic records of PHR identifiable information that are capable of drawing information from multiple sources, including:
    • inputs from users;
    • Medication Purchase Data, pricing, and refill information from Pharmacy Benefit Managers;
    • pharmacy information from pharmacies;
    • information about prescribed medications from healthcare professionals (such as the name of a medication prescribed during a telehealth session); and
    • users’ geographic location information from a third-party vendor that approximates geolocation based on IP address.
  • The information is also managed, shared, or controlled by or primarily for the users. GoodRx lets users keep track of their personal health information, including to save, track, and receive alerts about their prescriptions, refills, pricing, and medication purchase history.

In addition, the FTC alleged that GoodRx broke numerous data privacy promises it made to customers including: 

  • Promised users it would never share health information with advertisers or other third parties, yet used various tracking technologies to send sensitive information like users’ medications and health conditions to companies like Facebook and Google for the purpose of targeted advertising campaigns;
  • Promised users that it would only disclose their personal health information for limited purposes, then shared users’ names, addresses, email addresses, phone numbers, and other personal identifiers with advertising platforms; and
  • Promised consumers it would limit how third parties that received the information could use the information yet failed to do so.

Per the settlement, GoodRx will pay a $1.5 million penalty and be banned from sharing user health information with third parties for advertising purposes. In addition, GoodRx will need to obtain affirmative express consent from users before disclosing health information to third parties for purposes other than advertising, require third parties to delete the data that was shared with them, restrict its data retention periods, and implement a comprehensive privacy program.[xx]

The Premom Case

According to the FTC’s Complaint, hundreds of thousands of women have input sensitive health information into the Premom app, including period dates and pictures of ovulation test strips the app uses for predicting the next ovulation cycle. As in GoodRx, the FTC claimed in Premom that the app’s developer made promises it didn’t keep concerning collection and sharing of this “identifiable health information.” The Complaint alleged violations of both the FTC Act and the HBNR.

To support its claim that the app developer is a “vendor of personal health records,” the FTC alleged:

  • Premom encourages users to upload ovulation tests and large amounts of information to the app;
  • Premom encourages users to connect other apps and products to Premom and permit Premom to import health information from them; and
  • Premom allows users to manage and control the PHR identifiable health information in the app and track their ovulation, menstruation, and other health information.

The FTC further asserted that Premom transferred unsecured PHR identifiable health information to third parties like Google and AppsFlyer without users’ authorization. According to the Complaint, these “breaches of security” occurred for years and Premom failed to make breach notifications required by the HBNR.

Under the terms of the settlement, Easy Healthcare (Premom’s owner and developer) will pay a $100,000 civil penalty and:

  • Retain users’ personal information only as long as necessary to fulfill the purpose for which it was collected;
  • Not make misrepresentations about its privacy practices;
  • Comply with HBNR notification requirements for any future breach of security;
  • Seek deletion of data it shared with third parties;
  • Notify consumers of the FTC’s allegations and the settlement; and
  • Implement comprehensive security and privacy programs with strong safeguards to protect consumer data.

In addition, in a related case, Easy Healthcare will pay $100,000 combined to Connecticut, D.C., and Oregon for violations of their laws.[xxi]

Proposed Amendments to HBNR

The day after the Premom settlement announcement, the FTC voted unanimously to issue a Notice of Proposed Rulemaking to amend the HBNR.[xxii] The proposed amendments were filed in the Federal Register on June 9 and comments will be accepted until August 8, 2023. Briefly, some of the proposed changes include:

  • Clarify the scope of the rule – Current definitions would be revised, and new definitions added, to clarify the FTC’s position that mobile health apps and similar technologies not subject to HIPAA are covered by the HBNR. With these changes, the FTC hopes to make clear that the HBNR applies generally to online platforms (“…including websites, apps, and Internet-connected devices…” providing health care services or supplies) and that it covers both medical and wellness services.
  • “PHR related entity” definition changes – Revise the definition to clarify that only entities that access or send unsecured PHR identifiable health information to a personal health record (not those that send ANY information) qualify as PHR related entities.
  • Require consumer authorization for sharing – Health apps would need to obtain consumers’ authorization to share their information with third parties and would be mandated to notify consumers in the event information is accessed without such authorization.
  • “Breach of security” definition changes – This definition would be modified to align with the position the FTC took in GoodRx and Premom. It would include unauthorized disclosures to third parties as well as data security breaches, hacking, and other cyber incidents.
  • Expand breach notice and content requirements – Email and other electronic methods could be used to send breach notifications to consumers. Breach notices would need to contain additional information, such as names of third parties who may have accessed information.
  • Penalties – add a new section to the rule that states the penalties (up to $50,120 per violation per day) for non-compliance.

 For more detail, read the Proposed Amendments in full.

FTC publications

For more information on the FTC’s current interpretation of the HBNR, HBNR compliance, and other FTC enforcement activity, consult the following publications:


[i] FTC Press Release (2021, January 13), Developer of popular women’s fertility-tracking app settles FTC allegations that it misled consumers about the disclosure of their health data. https://www.ftc.gov/news-events/news/press-releases/2021/01/developer-popular-womens-fertility-tracking-app-settles-ftc-allegations-it-misled-consumers-about; FTC Business Blog (2023, February 1), First FTC Health Breach Notification Rule case addresses GoodRx’s not-so-good privacy practices. https://www.ftc.gov/business-guidance/blog; FTC Business Blog (2023, March 3), FTC says online counseling service BetterHelp pushed people into handing over health information – and broke its privacy promises. https://www.ftc.gov/business-guidance/blog/2023/03/ftc-says-online-counseling-service-betterhelp-pushed-people-handing-over-health-information-broke; FTC Press Release (2023, May 17), Ovulation tracking app Premom will be barred from sharing health data for advertising under proposed FTC order. https://www.ftc.gov/news-events/news/press-releases/2023/05/ovulation-tracking-app-premom-will-be-barred-sharing-health-data-advertising-under-proposed-ftc

[ii] FTC Press Release (2021, January 13), Developer of popular women’s fertility-tracking app settles FTC allegations that it misled consumers about the disclosure of their health data. https://www.ftc.gov/news-events/news/press-releases/2021/01/developer-popular-womens-fertility-tracking-app-settles-ftc-allegations-it-misled-consumers-about; https://www.ftc.gov/system/files/documents/cases/flo_health_order.pdf.

[iii] FTC Press Release (2023, March 3), FTC to Ban BetterHelp from Revealing Consumers’ Data, Including Sensitive Mental Health Information, to Facebook and Others for Targeted Advertising. https://www.ftc.gov/news-events/news/press-releases/2023/03/ftc-ban-betterhelp-revealing-consumers-data-including-sensitive-mental-health-information-facebook

[iv] 16 CFR. § 318; FTC Business Blog (2023, February 1), First FTC Health Breach Notification Rule case addresses GoodRx’s not-so-good privacy practices. https://www.ftc.gov/business-guidance/blog

[v] FTC Business Blog (2023, May 17), FTC says Premom shared users’ highly sensitive reproductive health data: Can it get more sensitive than that? https://www.ftc.gov/business-guidance/blog/2023/05/ftc-says-premom-shared-users-highly-sensitive-reproductive-health-data-can-it-get-more-personal

[vi] The Rule implements the requirements of the American Recovery & Reinvestment Act of 2009, Pub. L. No. 111-5, 123 Stat. 115, codified at 42 U.S.C. § 17937; see FTC Health Breach Notification Rule summary, https://www.ftc.gov/legal-library/browse/rules/health-breach-notification-rule & Complying with FTC’s Health Breach Notification Rule, https://www.ftc.gov/business-guidance/resources/complying-ftcs-health-breach-notification-rule-0.

[vii] FTC (2021, September 15). Statement of the Commission on breaches by health apps and other connected devices. https://www.ftc.gov/system/files/documents/public_statements/1596364/statement_of_the_commission_on_breaches_by_health_apps_and_other_connected_devices.pdf

[viii] 16 CFR. § 318.3. Vendors of PHRs must notify the media if the breach affects (or is reasonably believed to affect) more than 500 individuals. Id. at § 318.5(b).

[ix] Id. at § 318.2(d).

[x] Id. at § 318.2(j).

[xi] Id. at § 318.2(e).

[xii] Id. at § 318.2(a).

[xiii] Health Breach Notification, Request for Public Comment, 85 Fed. Reg. 31085 (May 22, 2020).

[xiv] Id.; see also Wilson, C. (2021, Sept. 15) Dissenting statement of Commissioner Christine S. Wilson Policy statement on breaches by health apps and other connected devices. https://www.ftc.gov/system/files/documents/public_statements/1596356/wilson_health_apps_policy_statement_dissent_combined_final.pdf

[xv] FTC (2021, September 15). Statement of the Commission on breaches by health apps and other connected devices. https://www.ftc.gov/system/files/documents/public_statements/1596364/statement_of_the_commission_on_breaches_by_health_apps_and_other_connected_devices.pdf

[xvi] The combined statutory definitions of “vendor of personal health records,” “personal health record” and “individually identifiable health information” provide that a PHR vendor subject to the statute is a “health care provider, health plan, employer, or health care clearinghouse.”

[xvii] Id.

[xviii] Wilson, C. (2021, Sept. 15) Dissenting statement of Commissioner Christine S. Wilson Policy statement on breaches by health apps and other connected devices. https://www.ftc.gov/system/files/documents/public_statements/1596356/wilson_health_apps_policy_statement_dissent_combined_final.pdf; Phillips, N.J. (2021, Sept. 15) Dissenting statement of Commissioner Noah Joshua Phillips regarding the policy statement on breaches by health apps and other connected devices. https://www.ftc.gov/system/files/documents/public_statements/1596328/hbnr_dissent_final_formatted.pdf

[xix] FTC Business Blog (2023, February 1), First FTC Health Breach Notification Rule case addresses GoodRx’s not-so-good privacy practices. https://www.ftc.gov/business-guidance/blog

[xx] Id.

[xxi] FTC Press Release (2023, May 17), Ovulation tracking app Premom will be barred from sharing health data for advertising under proposed FTC order. https://www.ftc.gov/news-events/news/press-releases/2023/05/ovulation-tracking-app-premom-will-be-barred-sharing-health-data-advertising-under-proposed-ftc

[xxii] FTC Press Release (2023, May 18), FTC Proposes Amendments to Strengthen and Modernize the Health Breach Notification Rule. https://www.ftc.gov/news-events/news/press-releases/2023/05/ftc-proposes-amendments-strengthen-modernize-health-breach-notification-rule

By: Rubi Bujanda – Gammage & Burnham, PLC

The Pregnant Workers Fairness Act (PWFA) went into effect this past Tuesday, June 27, 2023. 

The PWFA requires employers with 15 or more employees to provide reasonable accommodations to employees and applicants with known limitations related to pregnancy, childbirth, or a related medical condition. Modeled after the Americans with Disabilities Act (ADA), the PWFA uses the same definition of reasonable accommodation and does not require that employers provide accommodations that cause an undue hardship. As with the ADA, covered employers must participate in the interactive process if they receive an accommodation request from a pregnant worker. The PWFA also contains prohibitions. Employers may not do the following:

  • Require an employee to accept an accommodation without a discussion about the accommodation between the worker and the employer;
  • Deny a job or other employment opportunity to a qualified employee or applicant based on the person’s need for a reasonable accommodation;
  • Require an employee to take leave if another reasonable accommodation can be provided that would allow the employee to continue working;
  • Retaliate against an individual for reporting or opposing unlawful discrimination under the PWFA or participating in a PWFA proceeding; or
  • Interfere with any individual’s rights under the PWFA.

To recover for a violation of the PWFA, an employee must first exhaust administrative remedies by filing a charge with the EEOC. The EEOC started accepting charges under the PWFA on Tuesday, June 27, 2023. For the PWFA to apply, the situation complained about in the charge must have happened on June 27, 2023, or later (although employees can still pursue charges based on Title VII and/or ADA for conduct prior to June 27, 2023).

Next Steps for Employers

  • Remove your old EEOC “Know Your Rights” posters and replace them with the updated version available here: https://www.eeoc.gov/poster.
  • Review your employee handbook and revise accommodations policies to include reasonable accommodations for workers who have known limitations related to pregnancy, childbirth, or related medical conditions.
  • Train managers to recognize situations in which the PWFA applies and consider what reasonable accommodations may be available in the workplace.

By: Nicholas H. Meza, J.D., M.P.H., Richard Davis, J.D., Theresa DeAngelis, J.D.

On Friday, April 21, 2023, the United States Supreme Court granted the application filed by the Food and Drug Administration (“FDA”) and Danco Laboratories, LLC[1] to stay the lower court’s decision in the high-profile mifepristone litigation. The lower court’s decision reversed the FDA’s original approval of mifepristone (issued in 2000) and has created serious obstacles for all entities and individuals involved in the mifepristone distribution supply chain. The Supreme Court’s decision temporarily ensures nationwide access to mifepristone while the merits of the lawsuit are litigated in the Fifth Circuit Court of Appeals. The Fifth Circuit heard oral arguments related to this litigation on May 17th, 2023, and generally expressed sympathy for the parties seeking to limit the sale of mifepristone.

This article provides a summary of mifepristone regulation, the mifepristone litigation, and concludes with implications for entities involved in the manufacture, sale, and dispensation of mifepristone.

I. Background on Mifepristone Regulation

Over 20 years ago, in 2000, the FDA approved mifepristone. The drug blocks the progesterone hormone needed for a pregnancy to continue and is used with misoprostol to end pregnancies through ten weeks gestation. Mifepristone was initially approved under “Subpart H” regulations implemented under the Federal Food Drug and Cosmetic Act (“FFDCA”) to expedite the approval of “new drug products that have been studied for their safety and effectiveness in treating serious or life-threatening illnesses.”[2]

FDA imposed “restrictions to assure safe use” including an in-person dispensing requirement and permitted the drug to be distributed only to prescribers who agreed to dispense it in certain healthcare settings, by or under the supervision of a qualified physician who attested to the ability to accurately date pregnancies and diagnose ectopic pregnancies. Specifically, the restrictions required that mifepristone be used for pregnancies under 50 days gestation, in connection with three in-person office visits,[3] with supervision of a qualified physician, and where all adverse events would be reported. Today, these types of restrictions in connection with FDA drug approval are referred to as Risk Evaluation and Mitigation Strategy (“REMS”).[4]

In 2016, the FDA updated the drug label for mifepristone, expanding use through ten weeks of pregnancy. The FDA also made major changes to mifepristone’s REMS, including: (1) increasing the maximum gestational age at which a woman can use the drug from 49 to 70 days; (2) reducing the number of required in-person office visits from three to one; (3) allowing non-doctors to prescribe and administer the chemical abortion drugs; and (4) eliminating the requirement for prescribers to report non-fatal adverse events from chemical abortion.[5] In 2021, FDA announced “enforcement discretion” to allow mifepristone to be dispensed through the mail during COVID-19. Finally, on January 3, 2023, FDA approved a modified REMS, permanently lifting the in-person dispensing requirement.[6]

II. Mifepristone Litigation

In November of last year, several months after the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization,[7] a coalition of doctors and medical associations filed a lawsuit in the United States District Court for the Northern District of Texas to, inter alia, vacate the FDA’s approval of mifepristone, FDA’s 2016 REMS changes, and the 2021 mail order decision.[8]

In essence, plaintiffs argued that the FDA’s approval and subsequent administrative actions with respect to the drug violated the federal Administrative Procedure Act. Plaintiffs argued that: (1) to approve the drug, FDA improperly relied on Subpart H’s accelerated approval because pregnancy is not a life-threatening illness; (2) FDA improperly ignored scientific evidence in approving and setting distribution controls for the drug; and (3) the Comstock Act, an 1873 obscenity law, prohibits the mailing of any medication used for abortion.[9]

In response, the FDA argued, inter alia, that it properly exercised its authority under the FFDCA and applied its scientific expertise when approving and making determinations about mifepristone and that the Comstock Act is inapplicable when the sender of the product intends the product to be used lawfully.

Deciding on plaintiffs’ and FDA’s arguments, on April 7, 2023, Judge Matthew Kacsmaryk issued a preliminary injunction, staying the FDA’s 23-year-old approval of mifepristone. In his ruling, Judge Kacsmaryk found that a preliminary injunction was appropriate due to the “substantial threat of irreparable harm” arising both from claims that the use of mifepristone is dangerous and that the FDA did not appropriately follow its approval processes in approving mifepristone—notwithstanding that FDA has repeatedly said that the use of mifepristone is safe, effective, and that any adverse effects are a “rarity.”

Within the hour of this ruling, Washington federal court judge Thomas O. Rice issued an order in a similar case,[10] which directly contradicted the Texas ruling. Essentially, the Washington ruling ordered the FDA to make no changes regarding the availability of mifepristone in 17 states and the District of Columbia which expressly permit the drug’s use for medication abortions.

Mifepristone’s legality was immediately thrown into question in light of the conflicting rulings. The FDA immediately appealed the Texas District Court’s decision to the Fifth Circuit. The Fifth Circuit stayed the district court’s suspension of FDA’s original approval of mifepristone. But it would not stay the suspension of subsequent updates to the conditions on the drug’s use, which have governed the drug’s distribution for seven years. In effect, the Fifth Circuit’s order permitted mifepristone to remain on the market, but simultaneously made it illegal to send the drug across state lines by eliminating the effective date of the 2016 Major REMS Changes.

The FDA and Danco Laboratories petitioned the Supreme Court for an emergency stay of the district court’s order pending the appeal of the case. The Supreme Court granted the stay of the lower court’s ruling in a short opinion order[11] and sent the case back to the Fifth Circuit for the Fifth Circuit to consider the case on its merits. Thus, the Supreme Court granted the stay of the April 7, 2023 order of the United States District Court of the Northern District of Texas pending the disposition of the appeal in the United States Court of Appeals for the Fifth Circuit and a disposition for a writ of certiorari to the Supreme Court, if such a writ is timely sought. Should the Supreme Court deny certiorari, the stay will terminate automatically. If the Supreme Court grants certiorari, the stay shall terminate upon the Supreme Court’s judgment.

In contrast to the brevity of the majority’s opinion order, Justice Alito wrote a lengthier dissent, finding Danco had not shown that they were “likely to suffer irreparable harm,” in the “presumably short period at issue” where Danco argued primarily that it could not continue to market mifepristone because the drug would be mislabeled, and that distribution could not resume until Danco satisfied certain regulatory requirements. However, according to Justice Alito, this “would not take place, … unless the FDA elected to use its enforcement discretion to stop Danco, and the applicants’ papers do not provide any reason to believe the FDA would make that choice.” Justice Alito cited that the FDA had previously invoked its enforcement discretion to permit the distribution of mifepristone in a way that the regulations then in force prohibited.

As a result of the stay, mifepristone will be available in interstate commerce at least until the Fifth Circuit ruling, which will likely end up before the Supreme Court again.

Most recently, the three-judge panel of the Fifth Circuit heard approximately two hours of oral arguments on May 17th, 2023, including whether plaintiffs could be found to have legal standing by showing they would suffer a real injury if approval of and access to mifepristone remains the same. FDA argued that the plaintiffs waited over two decades after mifepristone’s approval to bring their case. The panel expressed criticism of FDA and sympathy for the plaintiffs generally.

III. Implications

A Fifth Circuit ruling in favor of the plaintiffs would have sweeping effects beyond starkly curtailing or potentially eliminating the availability of mifepristone. Notwithstanding the potential prohibition of patients across the country to access mifepristone, as described by pharmaceutical industry stakeholders in an amicus brief filed with the Supreme Court, “If allowed to take effect, the district court’s decision will result in a seismic shift in the clinical development and drug approval processes, erecting unnecessary and unscientific barriers to the approval of lifesaving medicines, chilling drug development and investment, threatening patient access, and destabilizing the pharmaceutical industry.”[12] Such a ruling would constitute a radical departure from court deference that is given to the scientific and medical judgment of the FDA — the regulatory agency with scientific expertise designated by Congress as the sole regulator of drugs.

This dramatic departure from traditional deference to the FDA ostensibly means that a court can “undo” FDA approval for a drug it “doesn’t like.” For example, the precedent set by such a decision could result in a court undoing the approval of gender affirming drugs/puberty blockers, which are currently being targeted at the state level in the same manner in which abortion-inducing drugs are being targeted.

Pharmaceutical manufacturers could also invoke such a decision as a weapon to challenge FDA approval of competitor drugs. In these ways, the FDA approval process could be upended, and medications that patients rely on could be taken off the market, due to one judge’s opinion.

Also at issue is whether the Fifth Circuit will apply the Comstock Act to prohibit the mailing of any abortion-inducing drug in the United States. In some respects, such a ruling would provide clarity regarding the legality (or illegality) of interstate dispensing of mifepristone, something that mail-order pharmacies and wholesale distributors have struggled to monitor as a patchwork of states implements medication abortion bans. On the other hand, should the court rule in favor of the FDA, pharmacies, wholesale distributors and providers will need to continue to monitor state-specific bans and, perhaps, future challenges to such bans on the basis of federal preemption.

Ultimately, the Fifth Circuit has signaled its openness to such a ruling, but it remains to be seen whether the Supreme Court would grant certiorari and how the Supreme Court would treat such a ruling. Stakeholders and the public are left only to wait.


[1] Danco Laboratories, LLC is the manufacturer which holds the approved New Drug Application for Mifeprex (mifepristone) Tablets.

[2] 21 CFR § 314.500 et seq.

[3] The first two visits to administer mifepristone and the third to assess any complications and ensure there were no fetal remains in the womb. Specifically, requirements included in-person dispensing by or under the supervision of a qualified physician, dispensing of misoprostol at the provider’s office or clinic, and a follow up visit 14 days later. See generally, https://www.fda.gov/drugs/postmarket-drug-safety-information-patients-and-providers/information-about-mifepristone-medical-termination-pregnancy-through-ten-weeks-gestation

[4] In 2007, the FFDCA was amended to authorize the FDA to require a REMS for a drug if the FDA deems it is necessary to ensure that the drug’s benefits outweigh its risks.

[5] After the generic version of mifepristone was approved in 2019, one unified REMS was issued for both generic and brand name versions.

[6] Also, in January of 2023, the FDA modified the REMS to provide a process for pharmacies to become certified by the manufacturer of the drug to dispense mifepristone. 

[7] 142 S. Ct. 2228 (2022), available at, https://www.supremecourt.gov/opinions/21pdf/19-1392_6j37.pdf

[8] Alliance for Hippocratic Medicine et al. v. U.S. Food and Drug Administration et al., No. 2:22-cv-223 (N.D. Tex. filed Nov. 18, 2022).

[9] As a practical matter, the mifepristone litigation as described above applies solely to FDA approval related to brand and generic versions of mifepristone, which are FDA-approved for purposes of inducing a medication abortion. The litigation does not challenge the FDA approvals for other drugs containing mifepristone, such as Korlym, a drug used to treat Cushing’s syndrome.

[10] Washington et al. v. United States Food and Drug Administration et al., No. 1:23-cv-03026 (E.D. Wash. filed Feb. 23, 2023).

[11] Danco Lab’ys, LLC v. All. for Hippocratic Med., 143 S. Ct. 1075 (2023).

[12] See Pharmaceutical Companies et al., Amicus Brief, available at, https://www.supremecourt.gov/DocketPDF/22/22A902/263624/20230414164838799_2023-04-14%20SCOTUS%20Amicus%20Brief%20FINALa.pdf
