Electronic Medical Records

Electronic Medical Records: Minimizing HIPAA, Stark and Anti-Kickback Legal Risks and Liabilities
October 27, 2009
Copyright © 2009 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C .
This presentation may be considered attorney advertising under the rules of some states. The information and materials contained herein have been provided as a service
by the law firm of Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. ; however, the information and materials do not, and are not intended to, constitute legal advice.
Neither transmission nor receipt of such information and materials will create an attorney-client relationship between the sender and receiver. The hiring of an attorney is an
important decision that should not be based solely upon advertisements or solicitations. Users are advised not to take, or refrain from taking, any action based upon the
information and materials contained herein without consulting legal counsel engaged for a particular matter. Furthermore, prior results do not guarantee a similar outcome.
Mintz Levin Cohn Ferris Glovsky and Popeo LLP
Hope S. Foster, Member
701 Pennsylvania Avenue, NW, 9th Floor
Washington, DC 20004
Phone Number: (202) 661-8758
Email: hfoster@mintz.com
Dianne J. Bourque, Associate
One Financial Center
Boston, MA 02111
Phone Number: (617) 348-1614
Email: dbourque@mintz.com
Katina W. Lee, Associate
701 Pennsylvania Avenue, NW, 9th Floor
Washington, DC 20004
Phone Number: (202) 661-8729
Email: klee@mintz.com
What to Expect Today

• General overview of the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”)
• Federal and state laws on data breach notification
• Red Flag Rules
• Privacy and security risks, and best practices to minimize liability under HIPAA, prevent the loss of electronic protected health information and reduce the risk of medical identity theft
• Potential regulatory barriers to electronic health record technology, and best practices to minimize liability under the Stark Law and the Anti-Kickback Statute
Health IT - A Brave New World

• While the President, Congress, federal agencies and states grapple with the best way to reform and regulate healthcare, the world is moving forward into a technologically advanced age and dragging the healthcare industry with it.
  • New technological advances are creating more cost-effective mechanisms for prescribing, monitoring, and tracking prescription drugs and utilization.
  • Providers must keep up with and meet new regulatory requirements, as well as the challenges created by the new technology.
  • The billions of dollars in grants and payments for health information technology available under ARRA should encourage the industry to step up to the plate and adopt and implement health information technology.
Health IT - A Brave New World

• The Healthcare Industry’s Reluctant Adoption of Information Technology
  • Healthcare providers have been quick to adopt breakthrough technology in medical procedures, but slow to accept innovations in networking and communications.
    • Concern about breaches in security and patient privacy.
    • Healthcare services traditionally performed locally and in person.
Health IT - A Brave New World

• These technological advances will not happen overnight. There are many obstacles which need to be addressed.
  • Differences in laws and regulations across borders may create a need for international laws governing medical services.
  • Differences in technical standards between countries could create conflicts and call for global standards.
Health IT - A Brave New World

• On February 17, 2009, President Obama signed into law the $787 billion American Recovery and Reinvestment Act of 2009 (ARRA), which contains new provisions applicable to the healthcare and information technology world:
  • $19 billion to promote adoption of health information technology
  • Additional privacy and security requirements
Health IT - A Brave New World

• Health Information Technology for Economic and Clinical Health Act (HITECH Act)
  • $2 billion in “start-up” funding to promote adoption of health information technology.
  • $17 billion for Medicare and Medicaid incentive payments to providers for adopting certified electronic health records.
  • Establishes a timeframe for the use of an electronic health record for each person in the U.S. by 2014.
Health IT - A Brave New World

• HITECH Act cont.
  • Establishes Regional Extension Centers, which provide technical assistance and disseminate best practices to support and accelerate efforts to adopt, implement, and effectively utilize health information technology.
  • Strengthened privacy and security standards under HIPAA to encourage the adoption of EHRs
  • Strengthened penalties for non-compliance
  • Created new avenues of enforcement (state Attorneys General)
  • Created new targets of enforcement (third parties who wrongfully acquire PHI)
Electronic Health Records

• HITECH Act cont.
  • Funding is available for the “meaningful use” of “certified” electronic health record (EHR) technology by Medicare and Medicaid physicians and hospitals
  • Funding will start flowing in October 2010
  • The HIT Policy and Standards Committees are still hammering out the details
  • CMS intends to issue regulations by the end of 2009
  • Timely rules are important so that EHR users and developers can plan and fund their health information technology implementation
Federal Breach Notification

• Under the original HIPAA regulatory scheme, “covered entities” were not required to notify individuals if their PHI was breached or lost.
• Under ARRA (2009), covered entities must notify affected individuals, the federal government and, in some cases, the media in the event of “breaches” of “unsecured PHI.”
• “Business Associates” are required to notify covered entities of breaches so that covered entities may in turn fulfill their breach notification obligations.
Federal Breach Notification

• “Breach” means “the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information.”
• “Unsecured PHI” means “PHI that is not secured through use of a technology or methodology identified by the U.S. Department of Health and Human Services (“HHS”) as rendering the information unusable, unreadable or indecipherable to unauthorized persons.”
Federal Breach Notification

• No breach notification is required when:
  • the recipient of the information would not reasonably have been able to retain the information
  • the breach involved the unintentional acquisition, access, or use of information by employees or persons acting under the authority of a covered entity or business associate
  • certain inadvertent disclosures occur among persons similarly authorized to access protected health information at a business associate or covered entity
Federal Breach Notification

• HHS has specified two methods for securing PHI.
• Encryption:
  • For data at rest: NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices.
  • For data in motion: Federal Information Processing Standards (FIPS) 140-2. These include, as appropriate, standards described in NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs, and may include others which are FIPS 140-2 validated.
Federal Breach Notification

• HHS has specified two methods for securing PHI.
• Destruction:
  • Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed.
  • Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, such that PHI cannot be retrieved.
Federal Breach Notification

• If PHI has been secured using one of the above-listed methods, its loss or wrongful disclosure does not trigger breach notification requirements.
• If “Unsecured PHI” is lost or impermissibly disclosed and none of the notification exceptions applies, affected individuals must be notified of the breach. Notice must include:
  • (i) a brief description of what happened, including dates, (ii) a description of the types of unsecured PHI involved, (iii) the steps the individual should take to protect against potential harm, (iv) a brief description of the steps the covered entity or business associate has taken to investigate the incident, mitigate harm and protect against further breaches, and (v) contact information for questions.
Federal Breach Notification

• Notice of the breach must also be provided to HHS
  • Notice must be provided immediately for breaches involving 500 or more individuals
  • Breaches involving fewer than 500 individuals may be logged and reported annually
  • Breach notification form available at: http://transparency.cit.nih.gov/breach/index.cfm
State Breach Notification Requirements

• At least 44 states have implemented data security and breach notification laws
• State laws typically apply to a broader class of personal data (social security numbers, financial account numbers and information)
• Notice to affected individuals and state authorities is typically required
Federal and State Breach Notification

• Covered entities must consider both state and federal law when implementing their security programs and providing breach notification
• HIPAA does not preempt state breach notification requirements that are more stringent than the federal rule, so care must be taken to comply with all state and federal requirements
• The analysis becomes complicated when a breach affects individuals from more than one state
Red Flag Rules

• The “Red Flag Rules” of the Federal Trade Commission (“FTC”) are an additional consideration for health care organizations planning their security programs
• The Red Flag Rules apply to financial institutions and creditors.
  • The FTC has made clear that non-profit and government entities that defer payment for goods and services, including hospitals and other health care providers, are creditors and therefore must comply with the rules.
Red Flag Rules

• The Red Flag Rules require financial institutions and creditors to establish a written program for identifying and detecting warning signs, or “red flags,” of identity theft, such as unusual account activity, suspicious enrollment documents or other suspicious patterns or activities that indicate the possibility of identity theft.
• Compliance Date: November 1, 2009
The Stakes Are Higher

• Increased federal enforcement
• State enforcement
• Reputational risks due to public disclosures of breaches
• Costs associated with enforcement and required notifications
• Risks associated with business associate breaches
Best Practices to Minimize Risk

• Comprehensive privacy and security policies
  • Implemented and enforced
• Good training
  • Reminders and updates
• If possible: implement the security measures necessary to avoid breach notification
• If NOT possible: be prepared to provide timely notice in the event of a breach
Best Practices to Minimize Risk

• Implement a breach response plan
• Be sure that employees/agents promptly report all actual and suspected breaches
• Take steps to mitigate harm
• Assign responsibility for risk assessment and analysis of reporting obligations under state and federal law
• Be careful when selecting business associates
• Use good contractual provisions to minimize damages from a business associate’s breach
One More Risk to Think About

• Federal dream vs. state law reality
• One goal of EHR adoption is to facilitate the sharing of PHI among covered entities. There is a big push at the federal level to achieve this goal.
• BUT
• Even though HIPAA may provide mechanisms for the merging and sharing of EHRs, state law may not, especially with respect to sensitive and specially protected categories of health information (infectious disease, drug and alcohol treatment, mental health counseling, etc.)
Personal Health Records

• Currently, we live in a world of decentralized record keeping where records are maintained by multiple entities and in multiple locations, which makes the system duplicative and sometimes creates conflicting information.
• As people move from state to state, they leave a trail of fragmented or partial medical records behind.
Personal Health Records

• Impact of ARRA of 2009
  • ARRA of 2009 defines a personal health record as “an electronic record of PHR identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual”
    • “PHR identifiable health information” is “individually identifiable health information that is provided by or on behalf of the individual and that identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.”
  • A “Vendor of Personal Health Records” is “an entity, other than a covered entity, that offers or maintains a personal health record.”
Personal Health Records

• Impact of ARRA of 2009
  • In the event of a breach of security, ARRA imposes notification obligations on:
    • Vendors of PHRs;
    • Entities that offer products or services through websites of PHR vendors;
    • Entities that offer products or services through the websites of covered entities that offer PHRs;
    • Entities that are not covered entities and that access information in a PHR or send information to a PHR.
Personal Health Records

• Risks of PHRs
  • May not be complete
  • PHR owner/patient may remove objectionable, but clinically relevant, information
  • Another provider may rely on a partial record mistakenly believing that it is complete
  • PHR owner/patient may rely on a provider to review a PHR to which he or she has been given access, and withhold certain information in discussions with the provider
Fraud and Abuse Safe Harbors

• Exceptions to the physician self-referral prohibition and a safe harbor under the anti-kickback statute exist for arrangements involving the donation of interoperable EHR technology to physicians and other healthcare practitioners or entities by businesses with whom they work.
• The physician recipient must pay 15% of the donor’s cost of the technology.
Fraud and Abuse Safe Harbors

• Entities furnishing designated health services (and certain other entities under the safe harbor) may donate to physicians (and certain other recipients under the safe harbor) interoperable electronic health records software, information technology and training services.
• Hospitals and certain other entities may provide physicians (and certain other recipients under the safe harbor) with hardware, software, or information technology and training services necessary and used solely for electronic prescribing.
Fraud and Abuse Safe Harbors

• Impact of ARRA funding for EHR implementation
  • Windfall for hospitals and physicians?
  • Are donations inconsistent with the promotion of transparency in the relationship between healthcare entities and physicians?
  • Is funding available to those entities that donate to physicians under the safe harbors?
  • Are past donations reimbursable?
  • Incentive to implement EHRs faster?
PENALTIES

• Eligible professionals and hospitals that are not meaningful users of certified EHRs are subject to Medicare reimbursement reductions beginning in 2015
• Penalties for HIPAA violations increased under ARRA
  • Civil violations: penalties range from $100 to $50,000 per violation, capped at $25,000 to $1.5 million per calendar year for multiple violations of the same provision
  • Criminal penalties range from up to one year in prison and a $50,000 fine to up to ten years in prison and a $250,000 fine
  • New state enforcement authority (state Attorneys General)
Key Takeaways

• New enforcement mandates from Congress mean that enforcement will be on the rise
• Understand the new requirements, or face the consequences
• Avoid risk
• The marketplace is shifting from paper to electronic
• Implement appropriate infrastructures
QUESTIONS AND FOLLOW-UP