12/17/2015

PRIVACY ISSUES & THE INCREASING USE OF INFORMATION TECHNOLOGY: HIPAA AND HITECH
Pam Hepp – Buchanan Ingersoll & Rooney
Diane Pringle – DLP Conemaugh Memorial Medical Center, LLC

Overview and Goals:
– Background
– Electronic Health Records (EHR)
– Health Information Exchanges (HIE)
– Breach Notification Cases
– Audits
– Use of Protected Health Information (PHI) in Litigation
– Telemedicine

FBI Private Industry Notice 4/14
The increase in cyber attacks is likely due to:
– mandatory transition from paper to electronic health records
– lax cybersecurity standards
– higher financial payout for medical records on the black market

Electronic Health Records

Electronic Health Records
– ARRA of 2009 established incentive payments for eligible providers for promoting adoption and the meaningful use of EHRs
– Goals: improve clinical outcomes, promote safety, engage patients/families, maintain privacy and security of PHI, increase transparency and efficiency

Electronic Health Records
– Stage 1: Set the foundation and requirements
– Stage 2: Advance clinical processes, use HIT for quality improvement
– Stage 3: Demonstrate improved outcomes
– Data reporting to show the EHR is being used in a meaningful manner

EHR: The Good, Bad and Ugly
– Incentive payments can be significant
– Noncompliance with EHR/Meaningful Use = reduced payments of up to 5%
– Generally, EHRs are very good, but…
– The number of breaches and snooping incidents has increased
– Auditing is easier

Health Information Exchanges

Health Information Exchanges
What is a HIE?
– “Health Information Exchange allows health care professionals and patients to appropriately access and securely share a patient’s vital medical information electronically. There are many health care delivery scenarios driving the technology behind the different forms of health information exchange available today.” (HealthIT.gov)

Health Information Exchanges
What is a HIE, cont’d
– A HIE can range from the simple form of EHRs that are capable of conveying information between treating providers (e.g., between a lab and a physician’s office, or a physician’s office and a pharmacy) to an intricate health information infrastructure that connects providers and payors within a region, a state, or even on a national scale.

HIE Benefits
Enhances medical decision making:
– Enables providers to access medical history, test results, etc. in real time to
  – reduce medication errors
  – eliminate duplication of tests
  – avoid readmissions, and
  – provide safer, more efficient, more effective and more timely care

HIE Benefits
Enables aggregation of data for
– quality and/or value-based payments
– disease surveillance and disaster response
– research and timely feedback of results to truly affect care delivery, and
– evidence-based medicine and population health

HIE Benefits
Facilitates patient education and involvement in their care:
– appointment reminders
– transmission of follow-up instructions
– reduces time spent by patients completing paperwork, and
– provides caregivers with information and tools

Why the Proliferation of HIEs
– Demand for electronic health information exchange between providers is growing along with nationwide efforts to improve the quality, safety, cost and efficiency of health care delivery
– Payment incentives for meaningful use, quality or value-based payments, and new payment approaches that stress care coordination are driving demand

Breach Notification Cases

Breach Notification Cases
UCLA Health System
– May have started in late 2014
– Confirmed the hacking breach in May 2015
– 4.5 M patients affected
– Names, DOB, SS#s, health plan ID #s, medical data
– Data was unencrypted
– Patients notified
– Identity theft protection: 1 year
– Credit monitoring: 1 year

Breach Notifications
Univ. of Colorado / Dec. 2015
– Employee accessed >800 patient records
– “Personal curiosity”
– PHI: names, addresses, DOB, phone #s, insurance info, diagnosis, and treatment
– Employee fired
– Patients notified

OCR Resolutions 2015
Triple-S Mgmt. Corp / Nov. 2015
– Employee’s access rights were not terminated after employment ended
– PHI: names, contract #s, addresses, diagnosis codes, treatment codes
– Over 4 breaches in past 2 years
– OCR Resolution does not indicate any harm to individuals
– $3.5 M fine for noncompliance with HIPAA regs

OCR Resolutions 2015
11/15: Lahey Hospital and Medical Center (MA)
– Stolen laptop incident
– PHI of 599 patients
– OCR investigation showed widespread noncompliance with HIPAA rules
– Lack of encryption, unique user names, physical safeguards, and in general, lack of policies and procedures in place to prevent such incidents
– $850,000 settlement and resolution agreement

OCR Resolutions 2015
Cornell Prescription Pharmacy (CO)
– Improper disposal of unsecured paper medical records
– OCR notified by Denver news outlet
– 1,610 patients affected
– PHI left in unlocked, open container on Cornell’s property
– Lack of policies and procedures regarding disposal
– $125,000 and resolution agreement

OCR Resolutions 2015
9/15: Cancer Care Group / radiation oncology
– Employee’s laptop and unencrypted backup media stolen from his car
– 55,000 current and former patients affected
– PHI: names, addresses, DOB, SS#s, insurance and clinical information
– OCR found widespread noncompliance with HIPAA Security Rule
– $750,000 settlement and resolution agreement

Closer to Home – Analysis
– BA Breach: March 2015 – rogue employee wrote down the names, DOB, SS#s of patients
– Majority of breaches are related to ex-spouses, in-laws, nosy co-workers
– Malicious intent and personal gain often are drivers
– Termination of employees with ripple effect
– Criminal attacks are the #1 cause of data breaches in healthcare (2015 Ponemon Benchmark Study)
– Medical identity theft has doubled in 5 yrs to over 2.3 M in 2014

Trends in the Law
– Plaintiffs’ claims generally fail: an increased risk of future injury from identity theft exposure is insufficient to support an actionable injury or to establish damages.
– Courts reject efforts to analogize risk of future credit card fraud to the harm recognized by courts for the costs of medical monitoring of injuries or latent medical harm.
– Recent effort of plaintiffs’ lawyers to focus on “malicious intent”

Polanco v. Omnicell, Inc. (D. N.J.)
FACTS
– Laptop stolen from business associate with patient data from 3 healthcare entities
– No allegation of misuse of information
CLAIMS
– Breach of state data security law, violations of consumer fraud statute, fraud, negligence and conspiracy; alleged that patient sought treatment at more distant hospitals and incurred increased expenses

Polanco v. Omnicell, Inc. (D. N.J.)
RESULT – DISMISSED
– Court found no standing, holding that broad and conclusory allegations fail to establish actual or imminent danger
– Independent decision to go to other hospitals was based on speculative belief that PHI would be lost again; the claimed injury is expenses incurred in anticipation of future harm

Avmed
– Stolen laptops with unencrypted information of 1.2 million customers, including name, contact information, SSNs and sensitive medical data
– Court approved a settlement class of customers who did not experience ID theft but paid higher premiums that were intended to contribute to the costs of adequate data security
– Recognition of injury without direct financial loss and recognition of a class without standing

Avery Center
– Patient sued Connecticut OB/GYN clinic because it released medical records to a third party in response to a subpoena in a paternity suit by the father
– Patient had issued specific instructions not to release records to the father
– Clinic did not give notice to the patient or seek to quash the subpoena
– Connecticut Supreme Court held that HIPAA establishes the standard of care and did not preempt a private right of action for unauthorized release of medical records

Walgreens
– Indiana court upholds $1.44 million verdict involving a love triangle of a pharmacist, her husband and her husband’s ex-girlfriend
– Pharmacist accessed the ex-girlfriend’s prescription records and shared the info with her husband, who used it in a child support fight
– Weak discipline of pharmacist
– Actions of pharmacist, e.g., looking up and printing out customer info, were within scope of employment
– Walgreens liable for HIPAA violation by employee

OCR Audits

OCR Audits
– HITECH Act mandated OCR audits
– Rolled out in 2010; audited 115 organizations in 2011-2012
– All were on-site, and included covered entities of all types and sizes
– Evaluated compliance with Privacy Rule, Security Rule and Breach Notification Rule
– Described as a compliance improvement activity but may refer for enforcement

OCR Audits
– 89% had findings/recommendations
– Smallest entities had the most findings
– Over 60% of the findings pertained to the Security Rule
– Results will be used for focus of future audits as well as creation of best practices and guidance
– Also created and released a risk assessment tool: http://www.healthit.gov/providersprofessionals/security-risk-assessment

Next Phase of Audits
Spring 2014 Plan:
– Anticipated auditing 350 Covered Entities to be selected from a pool of covered entities receiving pre-audit surveys
– Would have 2 weeks to respond to data requests
– OCR would conduct audits from October 2014 to June 2015
– Would begin auditing BAs in 2015

Next Phase of Audits
September 2014 Plan:
– < 200 desk audits, large number on-site
– Comprehensive audit of BAs; will ask Covered Entities for list
– Updating technology to assist with process
– Comprehensive, but will look specifically at risk analysis, documentation of policies and procedures, and whether they have been updated and implemented

Preparing for an Audit
– Know where your data resides
– Have risk analyses been conducted, documented, updated?
– Are policies in place and up to date?
– Are practices consistent with policies?

Preparing for an Audit
– Conduct mock audit
– Identify appropriate contacts
– Be prepared to respond quickly if chosen
– If audited, ensure responses are responsive and comprehensive, contain only what is relevant and on point, and demonstrate compliance

Use of PHI in Litigation

Use of PHI in Litigation
– Issues depend upon the nature of and parties to the litigation
– If the patient and the Covered Entity (CE) are parties (medical malpractice case), the CE can use/disclose PHI to defend the case
– Otherwise, if the CE is a nonparty, more is required to disclose PHI

Judicial and Administrative Proceedings
A CE may disclose PHI:
– In response to a court order
– In response to a subpoena, discovery request or other lawful process not accompanied by a court order if:
  – the CE receives satisfactory assurances that the subject of the PHI has been notified (or reasonable efforts have been made to do so), or
  – reasonable efforts were made to secure a qualified protective order

Satisfactory Assurances
– Good faith attempt to provide notice
– Notice must contain sufficient information
– Individual files no objection with the court

Qualified Protective Order
– Prohibits parties from using/disclosing PHI for purposes other than the specific litigation
– Requires return of PHI at the end of the litigation or proceeding

Other Litigation Issues
– Health care provider employment termination cases
– Whistleblower exception

Telemedicine

Telemedicine
What is telemedicine?
– The provision of clinical services to patients by practitioners from a distance via electronic communications.
– Telemedicine services can be provided simultaneously (in real time) or nonsimultaneously (after-the-fact assessment of the patient’s condition).

Variations on the Use of Telemedicine
– Rural facility may contract with an academic medical center or tertiary care center for specialty services via telemedicine
– Second opinions
– Patient monitoring devices
– Internet medicine

Issues Regarding Telemedicine
– Reimbursement is limited
– May present licensure issues when “practicing across state lines”
  – e.g., WV regulations consider practicing telemedicine to constitute the practice of medicine within the state, subject to WV licensure requirements

Questions?
Pamela E. Hepp, Shareholder, Buchanan Ingersoll & Rooney PC, T: 412 562 1418, pamela.hepp@bipc.com
Diane Pringle, Compliance/Privacy Officer, Corporate Compliance, Conemaugh Health System, (814) 410-8421, dipringl@conemaugh.org