<?xml version="1.0" encoding="utf-8"?>
	<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
	<channel>
	<title>An RSS Feed from melniklegal.com</title>
<description>melniklegal.com Blog</description>
<link>http://melniklegal.com/programs/weblog.cgi</link>
<category>e-commerce</category>
<copyright>Copyright melniklegal.com </copyright>
<language>en-us</language>
<lastBuildDate>Wed, 20 May 2026 00:50:17 EST</lastBuildDate>
<managingEditor>tatiana@melniklegal.com (Web Master)</managingEditor>
<pubDate>Wed, 20 May 2026 00:50:17 EST</pubDate>
<webMaster>tatiana@melniklegal.com (Tatiana)</webMaster>
<generator>e-commerce-inc.com sitebuilder blog press</generator>
<atom:link href="http://melniklegal.com/programs/blogrss.cgi" rel="self" type="application/rss+xml" />

			
<item>
<title><![CDATA[Ponemon Study Finds Increase in Healthcare Data Breaches]]></title>
<description><![CDATA[
 
 
 
 <font face="Arial, Helvetica, sans-serif" size="3">The costs of data 
 breaches continue to rise. According to a December 2012 study by the 
 Ponemon Institute, the average economic impact of a healthcare data 
 breach over the past two years was $2.4 million, which was an increase 
 of more than $400,000 over 2010. More organizations continue to have 
 multiple data breaches, with 45% of organizations reporting that they 
 have had more than 5 data breaches over the past two years.<br><br>Resources:<br></font><div align="left"><ul><li><a href="https://www.ponemon.org/library/third-annual-patient-privacy-data-security-study"><font face="Arial">Ponemon Institute Third Annual Benchmark Study on Patient Privacy and Data Security (Dec. 2012)</font></a><font face="Arial"> (downloadable from ID Experts with free registration)</font><br></li></ul></div>
   
 
 
 
 
 
 ]]></description>
<link>http://melniklegal.com/weblog/1381603080_Data-Breach.html</link>
<guid>http://melniklegal.com/weblog/1381603080_Data-Breach.html</guid>
<pubDate>Sat, 12 Oct 2013 14:38:00 EST</pubDate>
</item>
			
			
			
<item>
<title><![CDATA[Indiana Court of Appeals Upholds $1.44 Million Jury Verdict Against Walgreen Co. in a Privacy Breach Case; Denies Rehearing]]></title>
<description><![CDATA[
 
 
 
 <div align="left"><font face="Arial">On November 14, 2014, the Court of Appeals of Indiana issued a decision in the Hinchy v. Walgreen Co. case, upholding the jury verdict in favor of Ms. Hinchy. After a four-day jury trial that began on July 23, 2013, the jury found that Ms. Hinchy suffered damages in the amount of $1.8 million, with $1.4 million of that (80%) to be borne jointly by Walgreens and Ms. Withers, a Walgreens pharmacist. The rest (20%) was to be borne by Mr. Peterson, Ms. Hinchy's ex-boyfriend, the father of her child, and Ms. Withers's husband. </font><br><br><font face="Arial">In upholding the jury verdict, which courts are "loathe to disturb," the Appellate Court began its decision as follows: "In this case, a pharmacist breached one of her most sacred duties by viewing the prescription records of a customer and divulging the information she learned from those records to the client's ex-boyfriend."<font size="2">[1]</font> Walgreens vowed to appeal the decision to the Indiana Supreme Court, but first petitioned the Appellate Court for a rehearing. On January 15, 2015, the Court of Appeals of Indiana ruled on Walgreen Co.'s petition for a rehearing and declined to disturb its original decision.<font size="2">[2]</font> As such, the Court of Appeals of Indiana's decision to uphold the jury verdict stands. 
Walgreen may yet appeal to the Indiana Supreme Court.</font><br></div><div align="left"><font face="Arial" size="2"><br></font><style> .linkcolorchange A:link {color: #edad27; text-decoration: underline}.linkcolorchange A:visited {color: #edad27; text-decoration: underline}  .linkcolorchange A:active {text-decoration: underline}  .linkcolorchange A:hover {text-decoration: underline; color: #edad27;} </style><table style="text-align: left; margin-left: auto; margin-right: auto;" class="linkcolorchange" border="0"><tbody><tr><td style="border: 1px solid #edad27; padding:3px;" color="#FFFFFF" size="3" bgcolor="#001c31" valign="top"><font color="#FFCC00" face="Arial"><b><i>A few preliminary comments....</i></b></font><font color="#FFFFFF" face="Arial">The <i>Hinchy </i>case has garnered a good amount of attention in the media, among attorneys, and more importantly, businesses that handle protected health information. While this case does arise under Indiana law, as Mr. Eggeson, the attorney that tried this case on behalf of Ms. Hinchy noted to me in an interview I conducted with him in December 2014, "[this case] has now created a precedent which will make life MUCH easier for privacy victims across the country--showing those victims how to bring their claims, how to structure and argue their claims so as to make corporate employers liable for the acts of their employees, and how to earn large damages awards from the jury." (<i>The full interview is to be published in an upcoming article for the Journal of Health Care Compliance.</i>)<br><br>Covered entities, business associates, and subcontractors should pay careful attention to the circumstances in this case because this can very easily be them. Here is a company that, arguably, has a strong HIPAA training program, where employees are educated on how they can and cannot access and use protected health information. Yet, a jury still found Walgreen liable under <i>respondeat superior</i>. 
That is, the jury determined that the pharmacist's actions were within the scope of employment because they were of the same general nature as those authorized, or incidental to the actions that were authorized, by Walgreen. Importantly, the jury found Walgreen's failure to terminate the pharmacist after it learned of the actions as problematic and, as counsel for Walgreen stated during the oral arguments, one juror specifically noted that Walgreen should have fired the pharmacist. </font><font color="#FFFFFF" face="Arial"><font color="#FFFFFF" face="Arial">As Mr. Eggeson succinctly explained it to me, "<font color="#FFFF33"><b><i>From a plaintiff's perspective, the 'good' privacy case is the one where a compliance officer or defense attorney mistakenly believes that corporate policies will be more persuasive to a jury than a tearful privacy victim</i></b></font>."<br><br></font>All companies that handle protected health information (or any sensitive information, including credit card numbers, social security numbers, and driver's licenses) should take the time to review their data breach insurance coverage. Healthcare providers in particular should work with counsel to review the extent of their coverage. Many malpractice carriers now include at least some basic coverage for data breach liability in malpractice policies. But, generally, this coverage is insufficient. 
You may learn more about cyberliability coverage in a three part series that I wrote for the Mature Market Experts blog: <a href="https://maturemarketexperts.com/2014/12/things-consider-purchasing-cyberliability-insurance/">Part One</a> (A <i>Few Things to Consider When Purchasing Cyberliability Insurance</i>), <a href="https://maturemarketexperts.com/2014/12/cyberliability-insurance-much-coverage-organizations-need/">Part Two</a> (<i>How Much Coverage Do Organizations Need?</i>) and <a href="https://maturemarketexperts.com/2014/12/cyberliability-insurance-kind-coverage-available/">Part Three</a> (<i>How Much Do Policies Cost?</i>).<br><br>The oral argument before the </font><font color="#FFFFFF" face="Arial"><font face="Arial">Court of Appeals of Indiana</font> is available online - <a href="https://mycourts.in.gov/arguments/default.aspx?&amp;id=1724&amp;view=detail">https://mycourts.in.gov/arguments/default.aspx?&amp;id=1724&amp;view=detail</a>. The argument is about an hour and is worth watching to see the issues that the judges picked out and found important as well as the facts the attorneys cited in defense of their specific position(s). There was a rather lengthy discussion regarding the <i>respondeat superior</i> issue as well as the need to track employee access.<br></font></td></tr></tbody></table><font face="Arial"><br><i><u><b>How this Case Arose</b></u></i><br></font><div><font face="Arial"><br>This privacy breach case arose as these cases typically arise - there was a love triangle of sorts and someone disclosed information they should not have. Sometime between fall 2006 and spring 2010, Ms. Hinchy was involved in a relationship with Mr. David Peterson.<font size="2">[3]</font> As the Appellate Court recited:<br></font><blockquote><font face="Arial">During this [2006 - 2010] period, Hinchy filled all of her prescriptions, including oral birth control pills, at a Walgreen pharmacy. 
At some point in 2009, Peterson began dating Walgreen pharmacist Audra Withers. In August 2009, Hinchy became pregnant with Peterson's child. On an unknown date, Peterson learned that he had contracted genital herpes. Hinchy gave birth to a son on May 22, 2010.<br><br>At some point during the week of May 26, 2010, Peterson mailed a letter to Withers informing her about the baby and about the possibility that he may have exposed her to genital herpes. Withers became terrified about the possibility of contracting a sexually transmitted disease. Consequently, during her shift and while at work, Withers looked up Hinchy's prescription profile in the Walgreen computer system to see if she could find any information about Hinchy's sexually transmitted disease. The next day, Withers again looked up Hinchy's profile to confirm that she had spelled it correctly the day before.<font size="2">[4]</font><br></font></blockquote><font face="Arial">Subsequently on May 29, 2010, Mr. Peterson sent Ms. Hinchy a number of accusatory text messages and disclosed to her that he had a copy of her prescription records. Ms. Hinchy tried to determine how Mr. Peterson obtained a copy of her records and was told by an employee at Walgreens "that there was no way to track whether her records had been accessed."<font size="2">[5]</font> Ms. Hinchy let the matter go at that time because she did not know how to proceed. But, in March 2011, Ms. Hinchy learned that Mr. Peterson was married to Ms. Withers and that Ms. Withers was a pharmacist at the local Walgreens where Ms. Withers fills her prescriptions. Ms. Hinchy reported the matter to the local Walgreens, which investigated the matter:<br></font><blockquote><font face="Arial">When Withers was confronted about the situation, she admitted that she had accessed Hinchy's prescription profile for personal reasons. 
On April 15, 2011, Loss Prevention Detective Michael Bryant confirmed to Hinchy that (1) a HIPAA/privacy violation had occurred, (2) Withers had viewed Hinchy's prescription information without consent and for personal purposes, and (3) Walgreen could not confirm that Withers had revealed that information to a third party. As a result of Walgreen's investigation, Withers received a written warning and was required to retake a computer training program regarding HIPAA.<font size="2">[6]</font><br></font></blockquote><div><font face="Arial">Ms. Hinchy filed suit against both Walgreens and Ms. Withers on August 1, 2011. Against Ms. Withers, Ms. Hinchy filed claims of:<br></font><blockquote><font face="Arial">(1) negligence/professional malpractice, </font><br><font face="Arial">(2) invasion of privacy/public disclosure of private facts, and </font><br><font face="Arial">(3) invasion of privacy/intrusion.</font><br></blockquote><font face="Arial">Against Walgreens, Ms. Hinchy filed claims: </font><br><blockquote><font face="Arial">(1) seeking liability for the counts she filed against Withers by way of respondeat superior, </font><br><font face="Arial">(2) direct claims for:</font><br><font face="Arial">(a) negligent training, </font><br><font face="Arial">(b) negligent supervision, </font><br><font face="Arial">(c) negligent retention, and </font><br><font face="Arial">(d) negligence/professional malpractice.</font><br></blockquote><font face="Arial">Walgreens appealed the jury verdict on a number of grounds, but this discussion will only focus on the Appellate Court's discussion of the underlying liability, the respondeat superior claim, and the amount of damages.<br><br><b><i>Underlying Liability</i></b><br><br>The Appellate Court first looked at "the tort of negligence by virtue of professional malpractice of a pharmacist. 
Negligence is comprised of three elements: (1) a duty on the part of the defendant to the plaintiff; (2) a breach of that duty; and (3) an injury to the plaintiff resulting from the breach."<font size="2">[7]</font> The Court found that Ms. Withers had a duty under Indiana law to keep the medical information she learned confidential. Ms. Withers breached that duty when she disclosed the information to Mr. Peterson. Ms. Hinchy further testified that, among other things, she suffered a number of emotional damages which impacted her ability to care for her child, she was humiliated, that she had a general distrust of healthcare providers, and that she was now taking a stronger anti-depressant.<font size="2">[8]</font> As such, the Appellate Court found that Ms. Withers was negligent by virtue of professional malpractice.<br><br><i><b>Respondeat Superior and Having the Ability to Track Access</b></i><br><br>The doctrine of respondeat superior allows for vicarious liability to be imposed on an employer "where the employee has inflicted harm while acting within the scope of employment."<font size="2">[9]</font> As the Appellate Court explained:<br></font><blockquote><font face="Arial">To fall within the scope of employment, the injurious act must be incidental to the conduct authorized or it must, to an appreciable extent, further the employer's business. An act is incidental to authorized conduct when it is subordinate to or pertinent to an act which the servant is employed to perform, or when it is done to an appreciable extent, to further his employer's business. . . . An employer is not held liable under the doctrine of respondeat superior because it did anything wrong, but rather because of the employer's relationship to the wrongdoer. . . . 
Furthermore, conduct is within the scope of employment when it is of the same general nature as that authorized, or incidental to the conduct authorized.<font size="2">[10]</font></font><br></blockquote><font face="Arial">In this case, the jury determined that Ms. Withers's actions were within the scope of employment because they "were of the same general nature as those authorized, or incidental to the actions that were authorized, by Walgreen. Specifically, Withers was authorized to use the Walgreen computer system and printer, handle prescriptions for Walgreen customers, look up customer information on the Walgreen computer system, review patient prescription histories, and make prescription-related printouts. Withers was at work, on the job, and using Walgreen equipment when the actions at issue occurred."<font size="2">[11]</font> The issue of whether the actions were within the scope of employment is for the jury to determine, and the Appellate Court declined to disturb the jury's decision.<br><br>Another important issue in this case is Walgreen's ability to track who accessed a patient's record and the actions that Walgreen took after it learned from Ms. Hinchy that someone had improperly accessed her record. The issue was raised during oral arguments before the Indiana Court of Appeals when the Court and counsel were discussing the issue of respondeat superior, how it relates to other claims (<i>e.g.</i>, negligent training) as well as the disciplinary actions Walgreen took after it found out what happened.<font size="2">[12]</font></font><font face="Arial"><br></font><br><font face="Arial"><font face="Arial">Ms. Maggie Smith, counsel for Walgreen, noted that 
 prior to this issue, Ms. Withers had not violated Walgreen's policies. 
 But, the Court challenged this assertion because Walgreen had 
 acknowledged that the Company did not have any way of knowing since the 
 Company had no means to track access. Ms. Smith specifically asserted 
 that other pharmacies did not have the means to track access and 
 therefore Walgreen could not be negligent for failing to do something 
 that is not done in the community. Ms. Smith noted that, "the jury found
  that the discipline imposed by Walgreen was inadequate. But, there is 
 nothing in negligent retention or supervision jurisprudence that says 
 that the action that you take after learning an employee has acted 
 incorrectly is to fire that employee. Instead what happened here is 
 [that Walgreen took certain disciplinary actions against Ms. Withers.] 
 They took steps to make sure this didn't happen again. They didn't fire 
 her and one of the jurors felt that that's what they should have done."<font size="2">[13]<br><br></font></font></font><table border="0"><tbody><tr><td align="left" valign="top"><font face="Arial">Mr. Neal Eggeson, counsel for Ms. Hinchy, noted that 
 whether access tracking systems were in place at pharmacies was a 
 dispute between the experts. Mr. Eggeson specifically noted that Curtis 
 Baldwin, the expert that he presented, "said not only is tracking 
 systems something that he's been using at Kroger for 30 years, this is 
 something that he does every day. The expert that [Walgreen] hired from 
 Purdue, on the other hand, suggests that, to his knowledge, even though 
 he has not worked in any pharmacies, he does not know of any tracking 
 system by any pharmacy. That was a disputed fact and the jury came down 
 on [Ms. Hinchy's] side on that issue."<font size="2">[14]</font></font><br></td><td align="left" valign="top"><font face="Arial"> </font><font face="Arial"><img src="https://melniklegal.com/images/court.jpg" border="1"></font><br></td></tr></tbody></table><font face="Arial"><font size="2"></font><br><i><b>Amount of Damages<br><br></b></i>The amount of damages has garnered a significant amount of attention. In its appeal, Walgreen argued "that the damages award was excessive and based on improper factors."<font size="2">[15]</font> Appellate Courts do have the power to set aside jury verdicts if they are excessive. "Where a damage award is so outrageous as to indicate the jury was motivated by passion, prejudice, partiality, or the consideration of improper evidence, [Courts will] find the award excessive."<font size="2">[16]</font> To support that the award was excessive, Walgreen argued that, "(1) Hinchy does not have a physical injury or condition resulting from the breach, (2) Hinchy has had no lost wages as a result of the breach, and (3) Hinchy did not offer any testimony from a medical professional or counselor supporting her claim of emotional distress."<font size="2">[17]</font> Interestingly, some of these damages types have been cited by courts in other jurisdictions as grounds for <i>dismissing </i>data breach class actions, arguing that, because plaintiffs failed to demonstrate 'damages,' they lacked standing to bring their claim(s).<br><br>But, as the Court here explained, Walgreen's argument amounted to "a request that [the Court] reweigh the evidence, a practice in which we do not engage when evaluating a damages award. 
We find that the evidence in the record supporting the award is sufficient to affirm it."<font size="2">[18]</font> The Appellate Court identified the following evidence in support of the damages award:<br></font><blockquote><ul><li><font face="Arial">Withers gained information about Hinchy's private health information, including her social security number, and then shared that information with Peterson, who then shared the information with at least three other people</font></li></ul><ul><li><font face="Arial">Hinchy's father learned about Hinchy's use of birth control, that Hinchy had herpes, and that Hinchy had stopped taking birth control shortly before becoming pregnant.</font></li></ul><ul><li><font face="Arial">Hinchy testified that she experienced mental distress, humiliation, and anguish as a result of the breach. She stated that she was upset, crying, and feeling "completely freaked out . . . ." She felt "violated," "shocked," and "confused."</font></li></ul><ul><li><font face="Arial">The disclosure led to Peterson berating Hinchy for "getting pregnant on purpose" and eventually extorting Hinchy by threatening to release the details of her prescription usage to her family unless she abandoned her paternity lawsuit.</font></li></ul><ul><li><font face="Arial">Hinchy testified that she experienced uncontrollable crying that affected her ability to care for her child, going to a counselor to address the emotional toll of the privacy breach, experiencing a general distrust of all healthcare providers, and feeling a persistent and continuous loss of "peace of mind."</font></li></ul><ul><li><font face="Arial">Hinchy also testified that she now takes Celexa, an anti-depressant, which costs $75 per month. 
Before the breach, she had taken a weaker anti-depressant intermittently, and had not taken it for more than one year before the breach.<font size="2">[19]</font></font></li></ul></blockquote><font face="Arial">The Appellate Court declined to disturb the awarded damages.<br><br><i><u><b>Walgreen's Petition for Rehearing</b></u></i><br><br>Subsequent to the first decision from the Appellate Court, Walgreen petitioned for a rehearing from the Court of Appeals of Indiana. On January 15, 2015, the Court denied the petition. As a result, the jury's decision and that of the Appellate Court upholding the decision stands.<br><br></font><br></div></div><font face="Arial" size="2">-------------------------------------<br></font><font face="Arial" size="2">[1] Hinchy v. Walgreen Co., Case. No. 49A02-1311-CT-950, *2 (App. Ct. Ind., Nov. 14, 2014), <i>available at</i> <a href="https://www.in.gov/judiciary/opinions/pdf/11141404jgb.pdf">https://www.in.gov/judiciary/opinions/pdf/11141404jgb.pdf</a> [hereinafter the "First Appellate Decision"].<br><br>[2] Hinchy v. Walgreen Co., Case. No. 49A02-1311-CT-950, (App. Ct. Ind., Jan. 15, 2015), <i>available at </i><a href="https://www.in.gov/judiciary/opinions/pdf/01151503jgb.pdf">https://www.in.gov/judiciary/opinions/pdf/01151503jgb.pdf</a>.<br><br>[3] First Appellate Decision at *2-3.<br><br>[4] Id. at *3.<br><br>[5] Id. at *4.<br><br>[6] Id. at *5.<br><br>[7] Id. at *14.<br><br>[8] Id. at *22.<br><br>[9] Id. at *8 (internal quotations and citations omitted).<br><br>[10] Id. at *8-10 (internal quotations and citations omitted).<br><br>[11] Id. at *11.<br><br>[12] Hinchy v. Walgreen Co., Case. No. 49A02-1311-CT-950, Oral Arguments, Oct. 14, 2014,<i> available at </i><a href="https://mycourts.in.gov/arguments/default.aspx?&amp;id=1724&amp;view=detail">https://mycourts.in.gov/arguments/default.aspx?&amp;id=1724&amp;view=detail</a>. <br><br>[13] Id. at 14:57 - 15:49 (argument of Maggie Smith).<br><br>[14] Id. 
at 28:26 - 28:51 (argument of Neal Eggeson).<br><br>[15] First Appellate Decision at *21.<br><br>[16] Id. (internal quotations omitted).<br><br>[17] Id. at *22.<br><br>[18] Id. at *22-23.<br><br>[19] Id.<br></font><font face="Arial" size="2"><font size="2"><br></font></font><font face="Arial" size="2">-------------------------------------<br><br>Posted by Tatiana Melnik on January 25, 2015<br></font></div><font face="Arial"> </font>   
 
 
 
 
 
 ]]></description>
<link>http://melniklegal.com/weblog/1422230063_Data-Breach.html</link>
<guid>http://melniklegal.com/weblog/1422230063_Data-Breach.html</guid>
<pubDate>Sun, 25 Jan 2015 18:54:23 EST</pubDate>
</item>
			
			
			
<item>
<title><![CDATA[Former Employee of a Florida Medical Center Pleads Guilty to Identity Theft]]></title>
<description><![CDATA[
 
 
 
 
    <div align="left"><font face="Arial">Medical centers continue to be in the news in connection with&nbsp;their employees using their positions of trust to steal the identities of patients. On March 27, 2014, Wifredo A. Ferrer, United States Attorney for the Southern District of Florida, Jose A. Gonzalez, Special Agent in Charge, Internal Revenue Service Criminal Investigation (IRS-CI), and Ric L. Bradshaw, Sheriff, Palm Beach County Sheriff’s Office, announced that Eltonya Wiley of Lady Lake, Florida pled guilty for her participation in a wide-ranging identity theft scheme. <br><br>According to the Press Release:<br></font><blockquote><font face="Arial">As part of her guilty plea, Wiley admitted that she made unauthorized use of medical patients’ Social Security numbers in connection with ongoing identity theft. The government alleged, and Wiley agreed, that at least 92 patients of Villages Endoscopy near The Villages in Central Florida had their identities stolen by virtue of Wiley’s conduct while she was an employee at that medical facility.<br>. . . <br>The scheme involved, in part, stealing the identities of patients at a medical facility in central Florida. Those identities were then used to file fraudulent federal income tax returns in the patients’ names seeking fraudulent refunds, and obtaining fraudulent credit cards which were then used to make fraudulent purchases.<br></font></blockquote><font face="Arial">Ms. Wiley pled guilty to:<br></font><ul><li><font face="Arial">one count of conspiracy to commit wire fraud, in violation of 18 U.S.C. § 1349 (Count 1) - maximum of 20 years in prison,<br></font></li><li><font face="Arial">three counts of wire fraud, in violation of 18 U.S.C. § 1343 (Counts 4, 6, and 12) - maximum of 60 years in prison (20 years for <i>each</i> count),<br></font></li><li><font face="Arial">one count of aggravated identity theft, in violation of 18 U.S.C. 
§ 1028A (Count 35) - mandatory term of 2 years in prison<br></font></li></ul><font face="Arial">Ms. Wiley was the last of six defendants to plead guilty in the case. <br><br><b>To minimize the risk of identity theft, providers should collect only the information they need. </b></font><font face="Arial">Generally, to successfully engage in identity theft, the thieves need the patient's social security number.</font><font face="Arial"> So, providers should evaluate whether they actually need to collect the patient's social security number. In many circumstances, upon closer examination, many providers will find that they <i>do not</i> need the number. If they do need the number, however, then they should take other appropriate steps to make the number visible only on an as-needed basis. Providers using electronic medical records, for example, could make only the last four digits visible to all staff. Similarly, providers using paper records could keep the social security number separate from the regular patient file.<br><b><br>Aside from implementing administrative and technical safeguards, providers should also consider purchasing appropriate insurance.</b> Victims of identity theft are increasingly going to the courts to seek remedies against providers whose employees misused information. In Florida, plaintiffs sued </font><font face="Arial"><font face="Arial">AvMed Health Plans </font>in a class action after the company suffered a data breach. In that case, several of the plaintiffs were able to demonstrate that they were victims of identity theft. <font color="#990000"><b>That case resulted in a $3 million settlement.<br></b></font><br>------------------</font><br><div align="left"><font face="Arial" size="2">Press Release, U.S. Attorney's Office, Southern District of Florida, Source of Medical Patient Stolen Identities Pleads Guilty, Mar. 
27, 2014, https://www.justice.gov/usao/fls/PressReleases/140327-01.html</font><br></div></div><font face="Arial"> </font>  
 
 
 
 
 
 ]]></description>
<link>http://melniklegal.com/weblog/1396887751_Identity-Theft.html</link>
<guid>http://melniklegal.com/weblog/1396887751_Identity-Theft.html</guid>
<pubDate>Mon, 07 Apr 2014 12:22:31 EST</pubDate>
</item>
			
			
			
<item>
<title><![CDATA[Just in Time for the New Year - Dermatology Clinic Settles with OCR for $150K]]></title>
<description><![CDATA[
 
 
 
 
  <div align="left"><div><table border="0"><tbody><tr><td align="left" valign="top"><font face="Arial"><img src="https://melniklegal.com/images/1388165257.jpg"><br></font></td><td align="left" valign="top"><font face="Arial">As we close out 2013, the Office of Civil Rights (OCR) announced on December 26 that it settled potential HIPAA violations with Adult &amp; Pediatric Dermatology, P.C., of Concord, Mass., (APDerm) for $150,000.<br><br></font><font face="Arial">APDerm is a private practice delivering dermatology services in four locations in Massachusetts and two in New Hampshire.</font><font face="Arial"><br><br>According to OCR, "this case marks the <b>first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions</b> of the Health Information Technology for Economic and Clinical Health (HITECH) Act." [1]<br></font><br></td></tr></tbody></table><font face="Arial"><font face="Arial"><font face="Arial">In a statement, Leon Rodriguez, the Director of OCR, advised that "Covered entities of all sizes need to give priority to securing electronic protected health information." [2]<br><br></font><a href="#few">[Jump to A Few Things to Note]</a><br><br></font></font><div><div><font face="Arial">On October 7, 2011, APDerm notified OCR that a USB drive containing&nbsp;</font><font face="Arial"><font face="Arial">unencrypted electronic protected health information (ePHI)</font> of approximately 2,200 individuals was stolen out of the vehicle of one of its workforce members. According to the Resolution Agreement, APDerm "impermissibly disclosed the ePHI . . . </font><font face="Arial"><font face="Arial">by providing an unauthorized individual access to said ePHI for a purpose not permitted by the Privacy Rule</font>." [3] </font><br><br><font face="Arial">On November 9, 2011, OCR notified APDerm that it would be launching an investigation into the incident. 
</font><br><br><font face="Arial"><u>During its investigation, OCR found the following problems</u>:</font><br><ul><li><font face="Arial">APDerm did not conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI as part of its security management process until October 1, 2012.</font></li></ul><ul><li><div><font face="Arial">APDerm failed to comply with the administrative requirements of the Breach Notification Rule until February 7, 2012:</font></div></li><ul><li><div><font face="Arial">APDerm did not have written policies and procedures to address the Breach Notification Rule</font></div></li></ul></ul><ul><ul><li><div><font face="Arial"><font face="Arial">APDerm did not </font>train members of its workforce regarding the Breach Notification requirements</font></div></li></ul></ul></div><div><div><ul><li><font face="Arial">APDerm "impermissibly disclosed the ePHI of up to 2,200 individuals by providing an unauthorized individual access to said ePHI for a purpose not permitted by the Privacy Rule when it did not reasonably safeguard an unencrypted thumb drive that was stolen from the unattended vehicle of one of its workforce members." [4]<br></font></li></ul><font face="Arial"><u>Under the Corrective Action Plan, APDerm must take the following steps</u>:</font><br></div><div><div><ul><li><b><font face="Arial">Security Management Process</font></b></li></ul><ul><ul><li><font face="Arial">Conduct a comprehensive, organization-wide risk analysis of the ePHI security risks and vulnerabilities, including review of electronic media and systems.</font></li></ul></ul><ul><ul><li><font face="Arial">Develop a risk management plan to address and mitigate any security risks and vulnerabilities following the risk analysis and, if necessary, revise its present policies and procedures. 
<br></font></li></ul></ul><ul><ul><li><font face="Arial">Provide to OCR for review and approval the risk analysis, risk management plan and any revised policies and procedures and implement any revisions suggested by OCR.</font></li></ul></ul><ul><ul><li><font face="Arial">Implement, distribute, and train all appropriate staff members on the revised policies and procedures within 30 days.</font></li></ul></ul><ul><li><b><font face="Arial">Track and Report to OCR Any Further Breaches</font></b></li></ul></div><div><ul><ul><li><font face="Arial">APDerm must, "upon receiving information that a workforce member may have failed to comply with any provision of its Privacy, Security, and Breach Notification policies and procedures, promptly investigate the matter."</font></li></ul></ul><ul><ul><li><font face="Arial">If, after the investigation, APDerm "determines that a member of its workforce has failed to comply with a provision of its Privacy, Security, and Breach Notification policies and procedures, the Covered Entity shall notify OCR in writing within thirty (30) days." <br></font></li></ul></ul><ul><ul><li><font face="Arial">The report to OCR must include:</font></li></ul></ul><ul><ul><ul><li><font face="Arial">"A complete description of the event, including relevant facts, the persons involved, and the implicated provision(s) of the Covered Entity’s Privacy, Security, and Breach Notification policies and procedures; and" [5]<br></font></li></ul></ul></ul><ul><ul><ul><li><font face="Arial">"A description of actions taken and any further steps the Covered Entity plans to take to address the matter, to mitigate the harm, and to prevent it from recurring, including the application of appropriate sanctions against workforce members who failed to comply with its Privacy, Security, and Breach Notification policies and procedures." 
</font><font face="Arial">[6]</font></li></ul></ul></ul><ul><li><font face="Arial"><b>Provide to OCR an Implementation Report, which is to include, among other things,</b><br></font></li></ul><ul><ul><li><font face="Arial">"An explanation of how the Covered Entity implemented its security management process ... focusing specifically on how The Covered Entity determined whether its policies and procedures should be revised based on the risks and vulnerabilities identified in the risk analysis.</font><font face="Arial">" [7]<br></font></li></ul></ul><ul><ul><li><div><font face="Arial">An attestation from an APDerm officer that any revisions to policies and procedures were fully implemented and distributed to all workforce members.</font></div></li></ul></ul><ul><ul><li><font face="Arial">"An attestation signed by an officer of the Covered Entity stating that he or she has reviewed the Implementation Report, has made a reasonable inquiry regarding its content and believes that, upon such inquiry, the information is accurate and truthful." </font><br><font face="Arial">[8]</font></li></ul></ul><p><font face="Arial"><b>Entities subject to HIPAA compliance should take note of the requirements in the Corrective Action Plan, particularly the list of details that a report to OCR should include</b>. 
The details noted by OCR should be included in the entity's breach investigation and report checklist.&nbsp;Specifically, any HIPAA breach investigation checklist should include, at least, the following elements:</font></p></div><div><blockquote><div><ol><li><font face="Arial">Description of the event</font></li><li><font face="Arial">Person(s) involved in the event</font></li><li><font face="Arial">Policies and procedures that were impacted by the event</font></li><ul><li><font face="Arial">Privacy policies</font></li><li><font face="Arial">Security policies</font></li><li><font face="Arial">Breach notification policies</font></li></ul><li><font face="Arial">Steps covered entity took to mitigate any perceived harm</font></li><li><font face="Arial">Steps covered entity will take to address the specific incident</font></li><ul><li><font face="Arial">Workforce member sanctions</font></li><li><font face="Arial">Additional training requirements for all workforce members</font></li></ul><li><font face="Arial">Steps covered entity will take to prevent the harm in the future</font><br></li></ol></div></blockquote></div></div><font face="Arial"><a name="few"><u><b>A few things to note...</b></u></a></font><br></div><ul><li><font face="Arial">OCR notified APDerm in November 2011 that it would launch its investigation. But, this settlement was not announced until December 2013, a full 2 years after the launch date. One has to wonder how many other investigations and settlements are currently pending.</font></li></ul><ul><li><font face="Arial">Neither the Press Release nor the Resolution Agreement provided details on the specifics of APDerm disclosing ePHI "by providing an </font><font face="Arial"><font face="Arial">unauthorized individual access to said ePHI for a purpose not permitted by the Privacy Rule." 
But, covered entities and their business associates should take this opportunity to carefully review the roles and responsibilities of their workforce members to ensure that only authorized individuals have access to ePHI.</font></font></li></ul><ul><li><font face="Arial">The OCR appears to be adopting the approach taken by the SEC, where it is requiring that any submissions being made to OCR are signed and attested to by an officer of the company. This has the potential to expand the scope of liability for the attesting officer for any false statements made in the reports to OCR. </font><br></li></ul><ul><li><font face="Arial"><font face="Arial">This is yet another case where a breach could have been prevented if the portable media device was encrypted. Covered entities, their business associates and the subcontractors of such business associates need to carefully evaluate their existing policies and, to the extent possible, implement encryption for all portable media devices, including thumb drives and laptops.</font></font><br></li></ul></div></div><font face="Arial"><br>------------------<br><font size="2">[1] HHS, Office of Civil Rights, Press Release, Dermatology practice settles potential HIPAA violations, Dec. 26, 2013, <i>available at</i> https://www.hhs.gov/news/press/2013pres/12/20131226a.html.<br><br>[2] Id.<br><br>[3] HHS, Resolution Agreement with </font></font><font face="Arial"><font size="2"><font face="Arial">Adult &amp; Pediatric Dermatology, P.C., p. 2, Dec. 24, 2013, https://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/apderm-resolution-agreement.pdf.<br><br>[4] Id.<br><br>[5] </font></font></font><font face="Arial"><font size="2"><font face="Arial"><font face="Arial"><font size="2">HHS, Resolution Agreement with </font></font><font face="Arial"><font size="2"><font face="Arial">Adult &amp; Pediatric Dermatology, P.C., Appendix A: Corrective Action Plan, p. 3 (of Appendix A), Dec. 
24, 2013, https://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/apderm-resolution-agreement.pdf.<br><br>[6] Id.<br><br>[7] Id.<br><br>[8] Id. at 4.<br></font></font></font></font></font><br></font></div>    
 
 
 
 
 
 ]]></description>
<link>http://melniklegal.com/weblog/1388165329_HIPAA.html</link>
<guid>http://melniklegal.com/weblog/1388165329_HIPAA.html</guid>
<pubDate>Fri, 27 Dec 2013 12:28:49 EST</pubDate>
</item>
			
			
			
<item>
<title><![CDATA[What is an FDA Guidance document and do Guidance documents bind the FDA?]]></title>
<description><![CDATA[
 
 
 
 
  <div align="left">  <font face="Arial" size="3">FDA Guidance sets forth the FDA's "</font><font face="Arial" size="3"><font face="Arial" size="3">current thinking on a topic and should be viewed only as recommendations, unless specific regulatory or statutory requirements are cited</font>." As the FDA explains,</font><br><blockquote><font face="Arial" size="3">[The guidance] does not create or confer any rights for or on any person and does not operate to bind FDA or the public. You can use an alternative approach if the approach satisfies the requirements of the applicable statutes and regulations...FDA's guidance documents, including this guidance, do not establish legally enforceable responsibilities.</font><br></blockquote></div><div align="left"><font face="Arial">But, guidance documents should not be ignored because the FDA does tend to follow its own guidance. <br></font></div><div align="left"><br></div><div align="left"><font face="Arial" size="3"><u><b>What is the difference between laws, regulations, and guidance documents?<br></b></u></font></div><div align="left"><br><font face="Arial" size="3">The FDA must follow a set of laws, which are passed by Congress, and the FDA routinely issues regulations and guidance documents.</font><br><br><font face="Arial" size="3"><i><u>Laws</u></i></font><br></div><div align="left"><font face="Arial" size="3">One of the primary laws establishing the framework within which the FDA operates is the Federal Food, Drug, and Cosmetic Act (FD&amp;C Act). 
The FD&amp;C Act is amended by Congress from time to time.</font><font face="Arial" size="3"> Some of the more significant amendments include the Orphan Drug Act of 1983, Food Quality Protection Act of 1996, and the FDA Food Safety Modernization Act of 2011.<br><br><i><u>Regulations</u></i><br></font></div><div align="left"><font face="Arial" size="3">The FDA develops regulations based on the laws that are set forth in the FD&amp;C Act as well as the other laws under which the FDA operates. <u>Regulations issued by the FDA are federal laws</u> and are codified in the Code of Federal Regulations.</font><br><br><font face="Arial" size="3">When issuing regulations, the FDA follows the procedures set forth in the Administrative Procedure Act (APA). Broadly speaking, the APA sets forth a Notice and Comment Rule Making process, which requires that regulatory agencies issue a proposed regulation, allow time for public input, and then issue a final regulation. More information about this process is available</font><font face="Arial" size="3"><a href="https://www.federalregister.gov/uploads/2011/01/the_rulemaking_process.pdf"> here</a> (PDF, Federal Register FAQ), <a href="https://www.foreffectivegov.org/node/2578">here</a> (Center for Effective Government), and <a href="https://biotech.law.lsu.edu/map/Notice-and-CommentRuleMaking.html">here</a> (LSU Public Health Map).</font><br><br><font face="Arial" size="3"><i><u>Guidance Documents</u></i></font><br><br><font face="Arial" size="3">After a regulation is issued, the FDA may determine that it needs to provide industry, academia, and other stakeholders with more information on how the FDA intends to exercise (or decline to exercise, as the case may be) its regulatory authority. The FDA does this by issuing what it has termed 'Guidance' documents. 
The FDA </font><font face="Arial" size="3">follows the procedures required by its "Good Guidance Practice" regulation to issue FDA guidance.</font><br><br><font face="Arial" size="3">Guidance documents must not set new legal standards or impose new requirements. Unlike regulations, guidance documents do not contain amendments to the Code of Federal Regulations and are not subject to the notice and comment process.</font><br><br><font face="Arial" size="3"><u><b>Are FDA Guidance Documents Law?</b></u></font><br><br><font face="Arial" size="3"><b>No.</b> FDA guidance documents are not legally binding on the public or the FDA. <b><u>BUT</u></b>, the FDA has come to rely on guidance documents as a means of informal policy making. By telling industries when it does and does not plan to act, the FDA is giving industry stakeholders notice of its position on certain issues (<i>e.g.</i>, how the FDA intends to treat mobile medical apps). As a result, impacted industries would be wise to pay close attention to the guidance documents. <b>So, for practical purposes, FDA guidance documents are laws</b>.</font><br><br></div><div align="left"><font face="Arial" size="3"><u><b>Do Guidance documents bind the FDA?</b></u></font><br><br><font face="Arial" size="3">In other words, can the FDA base its legal action against a company on an FDA Guidance document, or can a company use an FDA Guidance document in its own defense?</font><br><br><font face="Arial" size="3">This is a complicated question due to several cases that were decided by the U.S. Supreme Court: (1) <b><i>Christensen v. Harris County,</i></b> 529 U.S. 576 (2000); (2) <i><b>United States v. Mead Corporation</b></i>, 533 U.S. 218 (2001), and (3) <i><b>Barnhart v. Walton</b></i>, 535 U.S. 212 (2002). 
For a good summary of these cases and the current state of the law, see the article referenced below by Kevin Michael Lewis.</font><br></div><div align="left"><br><br><font face="Arial" size="3">For more on the FDA and why it issues guidance documents, please see:</font><br><ul><li><font face="Arial" size="3">Erica Seiguer &amp; John J. Smith, <i><a href="https://www.cimit.org/news/regulatory/percep_process_fda.pdf">Perception and Process at the Food and Drug Administration: Obligations and Tradeoffs in Rules and Guidances</a></i>, Food and Drug Law Journal (2005)</font></li></ul><ul><li><font face="Arial" size="3">Kevin Michael Lewis, <i><a href="https://nrs.harvard.edu/urn-3:HUL.InstRepos:8592151">Informal Guidance and the FDA</a></i>, Harvard Law School Student Papers (2011)<br></font></li></ul></div><font face="Arial" size="3"><br></font>    
 
 
 
 
 
 ]]></description>
<link>http://melniklegal.com/weblog/1382574837_FAQ.html</link>
<guid>http://melniklegal.com/weblog/1382574837_FAQ.html</guid>
<pubDate>Wed, 23 Oct 2013 20:33:57 EST</pubDate>
</item>
			
			
</channel>
</rss>