Electronic Medical Records: Minimizing HIPAA, Stark and Anti-Kickback Legal Risks and Liabilities
October 27, 2009
Copyright © 2009 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.

This presentation may be considered attorney advertising under the rules of some states. The information and materials contained herein have been provided as a service by the law firm of Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.; however, the information and materials do not, and are not intended to, constitute legal advice. Neither transmission nor receipt of such information and materials will create an attorney-client relationship between the sender and receiver. The hiring of an attorney is an important decision that should not be based solely upon advertisements or solicitations. Users are advised not to take, or refrain from taking, any action based upon the information and materials contained herein without consulting legal counsel engaged for a particular matter. Furthermore, prior results do not guarantee a similar outcome.

Mintz Levin Cohn Ferris Glovsky and Popeo LLP

Hope S. Foster, Member
701 Pennsylvania Avenue, NW, 9th Floor, Washington, DC 20004
Phone Number: (202) 661-8758
Email: hfoster@mintz.com

Dianne J. Bourque, Associate
One Financial Center, Boston, MA 02111
Phone Number: (617) 348-1614
Email: dbourque@mintz.com

Katina W. Lee, Associate
701 Pennsylvania Avenue, NW, 9th Floor, Washington, DC 20004
Phone Number: (202) 661-8729
Email: klee@mintz.com
Slide 2: What to Expect Today
General overview of the Health Information Technology for Economic and Clinical Health Act ("HITECH Act")
Federal and state laws on data breach notification
Red Flag Rules
Privacy and security risks, and best practices to minimize liability under HIPAA, prevent the loss of electronic protected health information and reduce the risk of medical identity theft
Potential regulatory barriers to electronic health record technology, and best practices to minimize liability under the Stark law and the Anti-Kickback Statute

Slide 3: Health IT - A Brave New World
While the President, Congress, federal agencies and states grapple with the best way to reform and regulate healthcare, the world is moving forward into a technologically advanced age and dragging the healthcare industry with it.
New technological advances are creating more cost-effective mechanisms for prescribing, monitoring and tracking prescription drugs and their utilization.
Providers must keep up with and meet new regulatory requirements, as well as the challenges created by the new technology.
The billions of dollars in grants and payments for health information technology that are available under ARRA should encourage the industry to step up to the plate and adopt and implement health information technology.

Slide 4: Health IT - A Brave New World
The Healthcare Industry's Reluctant Adoption of Information Technology
Healthcare providers have been quick to adopt breakthrough technology in medical procedures, but slow to accept innovations in networking and communications.
• Concern about breaches in security and patient privacy.
• Healthcare services have traditionally been performed locally and in person.

Slide 5: Health IT - A Brave New World
These technological advances will not happen overnight.
There are many obstacles which need to be addressed.
• Likely differences in laws and regulations across borders may necessitate international laws governing medical services.
• Possible differences in technical standards between countries could create conflicts and call for global standards.

Slide 6: Health IT - A Brave New World
On February 17, 2009, President Obama signed into law the $787 billion American Recovery and Reinvestment Act of 2009 (ARRA), which contains new provisions applicable to the healthcare and information technology world:
• $19 billion to promote adoption of health information technology
• Additional privacy and security requirements

Slide 7: Health IT - A Brave New World
Health Information Technology for Economic and Clinical Health Act (HITECH Act)
$2 billion in "start-up" funding to promote adoption of health information technology.
$17 billion for Medicaid and Medicare incentives and payments to providers for adopting certified electronic health records.
Establishes a timeframe for the use of electronic health records by each person in the U.S. by 2014.

Slide 8: Health IT - A Brave New World
HITECH Act (cont.)
Establishes Regional Extension Centers, which would provide technical assistance and disseminate best practices to support and accelerate efforts to adopt, implement and effectively utilize health information technology.
Strengthened privacy and security standards under HIPAA to encourage the adoption of EHRs
Strengthened penalties for non-compliance
Created new avenues of enforcement (state Attorneys General)
Created new targets of enforcement (third parties who wrongfully acquire PHI)

Slide 9: Electronic Health Records
HITECH Act (cont.)
Funding is available for the "meaningful use" of "certified" electronic health record (EHR) technology by Medicare and Medicaid physicians and hospitals
Funding will start flowing in October 2010
The HIT Policy and Standards Committees are still hammering out the details
CMS intends to issue regulations by the end of 2009
• This is important so that EHR users and developers can fund their health information technology implementation

Slide 10: Federal Breach Notification
Under the original HIPAA regulatory scheme, "covered entities" were not required to notify individuals if their PHI was breached or lost.
Under ARRA (2009), covered entities must notify affected individuals, the federal government and, in some cases, the media in the event of "breaches" of "unsecured PHI."
"Business Associates" are required to notify covered entities of breaches so that covered entities may in turn fulfill their breach notification obligations.

Slide 11: Federal Breach Notification
"Breach" means "the unauthorized access, acquisition, use, or disclosure of protected health information which compromises the security or privacy of such information."
"Unsecured PHI" means "PHI that is not secured through use of a technology or methodology identified by the U.S. Department of Health and Human Services ("HHS") as rendering the information unusable, unreadable or indecipherable to unauthorized persons."
Slide 12: Federal Breach Notification
No breach notification is required when:
• the recipient of the information would not reasonably have been able to retain the information
• the breach involved the unintentional acquisition, access or use of information by employees or persons acting under the authority of a covered entity or business associate
• the breach involved certain inadvertent disclosures among persons similarly authorized to access protected health information at a business associate or covered entity

Slide 13: Federal Breach Notification
HHS has specified two methods for securing PHI.
Encryption:
• For data at rest: NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices.
• For data in motion: Federal Information Processing Standards (FIPS) 140-2. These include, as appropriate, standards described in NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs, and may include others which are FIPS 140-2 validated.

Slide 14: Federal Breach Notification
HHS has specified two methods for securing PHI.
Destruction:
• Paper, film or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise reconstructed.
• Electronic media have been cleared, purged or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, such that PHI cannot be retrieved.

Slide 15: Federal Breach Notification
If PHI has been secured using one of the above-listed methods, its loss or wrongful disclosure does not trigger breach notification requirements.
If "Unsecured PHI" is lost or impermissibly disclosed and none of the notification exceptions applies, affected individuals must be notified of the breach. Notice must include:
(i) a brief description of what happened, including dates;
(ii) a description of the types of unsecured PHI involved;
(iii) the steps the individual should take to protect against potential harm;
(iv) a brief description of the steps the covered entity or business associate has taken to investigate the incident, mitigate harm and protect against further breaches; and
(v) contact information for questions.

Slide 16: Federal Breach Notification
Notice of the breach must also be provided to HHS
• Notice must be provided immediately for breaches involving 500 or more individuals
• Breaches involving fewer than 500 individuals may be logged and reported annually
Breach notification form available at: http://transparency.cit.nih.gov/breach/index.cfm

Slide 17: State Breach Notification Requirements
At least 44 states have implemented data security and breach notification laws
State laws typically apply to a broader class of personal data (social security numbers, financial account numbers and information)
Notice to affected individuals and state authorities is typically required

Slide 18: Federal and State Breach Notification
Covered entities must consider both state and federal law when implementing their security programs and providing breach notification
State breach notification requirements may not be preempted by HIPAA, so care must be taken to comply with all state and federal requirements
The analysis will be complicated when breaches affect individuals from more than one state
Slide 19: Red Flag Rules
The "Red Flag Rules" of the Federal Trade Commission ("FTC") are an additional consideration for health care organizations planning their security programs
The Red Flag Rules apply to financial institutions and creditors. The FTC has made clear that nonprofit and government entities that defer payment for goods and services, including hospitals and other health care providers, are creditors and therefore must comply with the rules.

Slide 20: Red Flag Rules
The Red Flag Rules require financial institutions and creditors to establish a written program for identifying and detecting warning signs, or "red flags," of identity theft, such as unusual account activity, suspicious enrollment documents or other suspicious patterns or activities that indicate the possibility of identity theft.
Compliance Date: November 1, 2009

Slide 21: The Stakes Are Higher
Increased federal enforcement
State enforcement
Reputational risks due to public disclosures of breaches
Costs associated with enforcement and required notifications
Risks associated with business associate breaches

Slide 22: Best Practices to Minimize Risk
Comprehensive privacy and security policies, implemented and enforced
Good training, with reminders and updates
If possible: implement the security measures necessary to avoid breach notification
If NOT possible: be prepared to provide timely notice in the event of a breach
Slide 23: Best Practices to Minimize Risk
Implement a breach response plan
Be sure that employees/agents promptly report all actual and suspected breaches
Take steps to mitigate harm
Assign responsibility for risk assessment and analysis of reporting obligations under state and federal law
Be careful when selecting business associates
Use good contractual provisions to minimize damages from a business associate's breach

Slide 24: One More Risk to Think About
Federal dream vs. state law reality
One goal of EHR adoption is to facilitate the sharing of PHI among covered entities. There is a big push at the federal level to achieve this goal, BUT even though HIPAA may provide mechanisms for the merging and sharing of EHRs, state law may not, especially with respect to sensitive and specially protected categories of health information (infectious disease, drug and alcohol treatment, mental health counseling, etc.).

Slide 25: Personal Health Records
Currently, we live in a world of decentralized record keeping, where records are maintained by multiple entities and in multiple locations. This makes the system duplicative and sometimes creates conflicting information.
As people move from state to state, they leave a trail of fragmented or partial medical records behind.
Slide 26: Personal Health Records
Impact of ARRA of 2009
ARRA of 2009 defines a personal health record as "an electronic record of PHR identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual"
• "PHR identifiable health information" is "individually identifiable health information that is provided by or on behalf of the individual and that identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual."
A "Vendor of Personal Health Records" is "an entity, other than a covered entity, that offers or maintains a personal health record."

Slide 27: Personal Health Records
Impact of ARRA of 2009
In the event of a breach of security, ARRA imposes notification obligations on:
• Vendors of PHRs;
• Entities that offer products or services through websites of PHR vendors;
• Entities that offer products or services through the websites of covered entities that offer PHRs;
• Entities that are not covered entities and that access information in a PHR or send information to a PHR.

Slide 28: Personal Health Records
Risks of PHRs
A PHR may not be complete:
• The PHR owner/patient may remove objectionable, but clinically relevant, information
• Another provider may rely on a partial record, mistakenly believing that it is complete
• The PHR owner/patient may rely on a provider to review a PHR to which he or she has been given access, and withhold certain information in discussions with the provider
Slide 29: Fraud and Abuse Safe Harbors
Exceptions to the physician self-referral (Stark) prohibition and a safe harbor under the anti-kickback statute cover arrangements involving the donation of interoperable EHR technology to physicians and other healthcare practitioners or entities by businesses with whom they work.
Physicians must contribute 15% of the costs.

Slide 30: Fraud and Abuse Safe Harbors
Entities furnishing designated health services (and certain other entities under the safe harbor) may donate to physicians (and certain other recipients under the safe harbor) interoperable electronic health records software, information technology and training services.
Hospitals and certain other entities may provide physicians (and certain other recipients under the safe harbor) with hardware, software, or information technology and training services necessary and used solely for electronic prescribing.

Slide 31: Fraud and Abuse Safe Harbors
Impact of ARRA funding for EHR implementation:
• Windfall for hospitals and physicians?
• Are donations inconsistent with the promotion of transparency in the relationship between healthcare entities and physicians?
• Is funding available to those entities that donate to physicians under the safe harbors?
• Are past donations reimbursable?
• Incentive to implement EHRs faster?

Slide 32: Penalties
Non-meaningful EHR users are subject to reimbursement reductions beginning in 2015
Penalties for HIPAA violations increased under ARRA
• Civil violations: penalties range from $100 to $50,000 per violation, capped at $25,000 to $1.5 million per year for multiple violations of the same standard
• Criminal penalties range from one year in jail and a $50,000 fine to ten years in jail and a $250,000 fine
New state enforcement authority
Slide 33: Key Takeaways
New enforcement mandates from Congress mean that enforcement will be on the rise
Understand the new requirements, or face the consequences
Avoid risk
The marketplace is shifting from paper to electronic
Implement appropriate infrastructures

Slide 34: Questions and Follow-Up
Mintz Levin Cohn Ferris Glovsky and Popeo LLP: Hope S. Foster (hfoster@mintz.com), Dianne J. Bourque (dbourque@mintz.com), Katina W. Lee (klee@mintz.com); full contact details are on the title slide.