12/17/2015
PRIVACY ISSUES & THE INCREASING USE OF INFORMATION TECHNOLOGY: HIPAA AND HITECH
Pam Hepp – Buchanan Ingersoll & Rooney
Diane Pringle – DLP Conemaugh Memorial Medical Center, LLC
Overview and Goals:
Background
Electronic Health Records (EHR)
Health Information Exchanges (HIE)
Breach Notification Cases
Audits
Use of Protected Health Information (PHI) in Litigation
Telemedicine
FBI Private Industry Notice 4/14
The increase in cyber attacks is likely due to:
– mandatory transition from paper to electronic health records
– lax cybersecurity standards
– higher financial payout for medical records on the black market
Electronic Health Records
Electronic Health Records
ARRA of 2009
Established incentive payments for eligible providers for promoting adoption and the meaningful use of EHRs
Goals: Improve clinical outcomes, promote safety, engage patients/families, maintain privacy and security of PHI, increase transparency and efficiency
Electronic Health Records
Stage 1: Set the foundation and requirements
Stage 2: Advance clinical processes, use HIT for quality improvement
Stage 3: Demonstrate improved outcomes
Data reporting to show the EHR is being used in a meaningful manner
EHR: The Good, Bad and Ugly
Incentive payments can be significant
Noncompliance with EHR/Meaningful Use = reduced payments of up to 5%
Generally, EHRs are very good, but…
The number of breaches and incidents of snooping has increased
Auditing is easier
Health Information Exchanges
Health Information Exchanges
What is a HIE?
– “Health Information Exchange allows health care professionals and patients to appropriately access and securely share a patient’s vital medical information electronically. There are many health care delivery scenarios driving the technology behind the different forms of health information exchange available today.” (HealthIT.gov)
Health Information Exchanges
What is a HIE, cont’d
– A HIE can range from the simple form of EHRs that are capable of conveying information between treating providers (e.g., between a lab and a physician’s office, or a physician’s office and a pharmacy) to an intricate health information infrastructure that connects providers and payors within a region, a state or even on a national scale.
HIE Benefits
Enhances medical decision making:
– Enables providers to access medical history, test results etc. in real time to
reduce medication errors
eliminate duplication of tests
avoid readmissions, and
provide safer, more efficient, more effective and more timely care
HIE Benefits
Enables aggregation of data for
– quality and/or value based payments
– disease surveillance and disaster response
– research and timely feedback of results to truly affect care delivery, and
– evidence based medicine and population health
HIE Benefits
Facilitates patient education and involvement in their care:
– appointment reminders
– transmission of follow-up instructions
– reduces time spent by patients completing paperwork, and
– provides caregivers with information and tools
Why the Proliferation of HIEs
Demand for electronic health information exchange between providers is growing along with nationwide efforts to improve the quality, safety, cost and efficiency of health care delivery
Payment incentives for meaningful use, quality or value-based payments, and new payment approaches that stress care coordination are driving demand
Breach Notification Cases
Breach Notification Cases
UCLA Health System
– May have started in late 2014
– Confirmed the hacking breach in May 2015
– 4.5 M patients affected
– Names, DOB, SS#s, Health plan ID #s, Medical data
– Data was unencrypted
– Patients notified
– Identity theft protection: 1 year
– Credit monitoring: 1 year
Breach Notifications
Univ. of Colorado / Dec. 2015
– Employee accessed >800 patient records
– “Personal curiosity”
– PHI: Names, addresses, DOB, phone #s, insurance info, diagnosis, and treatment
– Employee fired
– Patients notified
OCR Resolutions 2015
Triple-S Mgmt. Corp / Nov. 2015
– Employee’s access rights were not terminated after employment ended
– PHI: Names, contract #s, addresses, dx codes, treatment codes
– Over 4 breaches in past 2 years
– OCR Resolution does not indicate any harm to individuals
– $3.5 M fine for noncompliance with HIPAA regs
OCR Resolutions 2015
11/15: Lahey Hospital and Medical Center (MA)
– Stolen laptop incident
– PHI of 599 patients
– OCR investigation showed widespread noncompliance with HIPAA rules
– Lack of encryption, unique user names, physical safeguards, and in general, lack of policies and procedures in place to prevent incidents
– $850,000 settlement and resolution agreement
OCR Resolutions 2015
Cornell Prescription Pharmacy (CO)
– Improper disposal of unsecured paper medical records
– OCR notified by Denver news outlet
– 1,610 patients affected
– PHI left in unlocked, open container on Cornell’s property
– Lack of P & P regarding disposal
– $125,000 and resolution agreement
OCR Resolutions 2015
9/15: Cancer Care Group/radiation oncology
– Employee’s laptop and unencrypted backup media stolen from his car
– 55,000 current and former patients affected
– PHI: names, addresses, DOB, SS#s, insurance and clinical information
– OCR found widespread noncompliance with HIPAA Security Rule
– $750,000 settlement and resolution agreement
Closer to Home – Analysis
BA Breach: March 2015 – rogue employee wrote down the names, DOB, SS#s of patients
Majority of breaches are related to ex-spouses, in-laws, nosy co-workers
Malicious intent and personal gain often are drivers
Termination of employees with ripple effect
Criminal attacks are the #1 cause of data breaches in healthcare (2015 Ponemon Benchmark Study)
Medical identity theft has doubled in 5 yrs to over 2.3 M in 2014
Trends in the Law
Plaintiffs’ claims generally fail: an increased risk of future injury from identity theft exposure is insufficient to support an actionable injury or to establish damages.
Courts reject efforts to analogize risk of future credit card fraud to the harm recognized by courts for the costs of medical monitoring of injuries or latent medical harm.
Recent effort of plaintiffs’ lawyers to focus on “malicious intent”
Polanco v. Omnicell, Inc.
D. N.J.
FACTS – Laptop stolen from business associate with patient data from 3 healthcare entities; no allegation of misuse of information
CLAIMS – Breach of state data security law, violations of consumer fraud statute, fraud, negligence and conspiracy; alleged that patient sought treatment at more distant hospitals and incurred increased expenses
Polanco v. Omnicell, Inc.
D. N.J.
RESULT – DISMISSED; court found no standing, holding that broad and conclusory allegations fail to establish actual or imminent danger
Independent decision to go to other hospitals was based on speculative belief that PHI would be lost again – claims injury for expenses incurred in anticipation of future harm
Avmed
Stolen laptops with unencrypted information of 1.2 million customers, including name, contact information, SSNs and sensitive medical data
Court approved a settlement class who did not experience ID theft but paid higher premiums that were intended to contribute to the costs of adequate data security
Recognition of injury without direct financial loss and recognition of a class without standing
Avery Center
Patient sued Connecticut OB/GYN clinic because it released medical records to a third party in response to a subpoena in a paternity suit by the father
Patient had issued specific instructions not to release records to the father. Clinic did not give notice to the patient or seek to quash the subpoena
Connecticut Supreme Court held that HIPAA establishes the standard of care and does not preempt a private right of action for unauthorized release of medical records
Walgreens
Indiana Court upholds $1.44 million verdict involving love triangle of pharmacist, her husband and her husband’s ex-girlfriend
Pharmacist accessed ex-girlfriend’s prescription records and shared info with husband, who used it in child support fight
Weak discipline of pharmacist
Actions of pharmacist, e.g., looking up and printing out customer info, were within scope of employment
Walgreens liable for HIPAA violation by employee
OCR Audits
OCR Audits
HITECH Act mandated OCR audits
Rolled out in 2010, audited 115 organizations in 2011-2012
All were on-site, included covered entities of all types and sizes
Evaluated compliance with Privacy Rule, Security Rule and Breach Notification Rule
Described as a compliance improvement activity but may refer for enforcement
OCR Audits
89% had findings/recommendations
Smallest entities had the most findings
Over 60% of the findings pertained to the Security Rule
Results will be used for focus of future audits as well as creation of best practices and guidance
Also created and released a risk assessment tool: http://www.healthit.gov/providersprofessionals/security-risk-assessment
Next Phase of Audits
Spring 2014 Plan:
– Anticipated auditing 350 Covered Entities to be selected from a pool of covered entities receiving pre-audit surveys
– Would have 2 weeks to respond to data requests
– OCR would conduct audits from October 2014-June 2015
– Would begin auditing BAs in 2015
Next Phase of Audits
September 2014 Plan:
– < 200 desk audits, large number on-site
– Comprehensive audit of BAs; will ask Covered Entities for list
– Updating technology to assist with process
– Comprehensive but will look specifically at risk analysis, documentation of policies and procedures, and whether they have been updated and implemented.
Preparing for an Audit
Know where your data resides
Have risk analyses been conducted, documented, updated?
Are policies in place, up to date?
Are practices consistent with policies?
Preparing for an Audit
Conduct mock audit
Identify appropriate contacts
Be prepared to respond quickly if chosen
If audited, ensure responses are responsive and comprehensive but include only what is relevant and on point and demonstrates compliance
Use of PHI in Litigation
Use of PHI in Litigation
Issues depend upon the nature of and parties to the litigation
If patient and Covered Entities (CEs) are parties (medical malpractice case), the CE can use/disclose PHI to defend the case
Otherwise, if the CE is a nonparty, more is required to disclose PHI
Judicial and Administrative Proceedings
A CE may disclose PHI:
– In response to a court order
– In response to a subpoena, discovery request or other lawful process not accompanied by a court order if:
CE receives satisfactory assurances that the subject of the PHI has been notified (or reasonable efforts have been made to do so) or
That reasonable efforts were made to secure a qualified protective order
Satisfactory Assurances
Good faith attempt to provide notice
Notice must contain sufficient information
Individual files no objection with the court
Qualified Protective Order
Prohibits parties from using/disclosing PHI for purposes other than the specific litigation
Requires return of PHI at the end of the litigation or proceeding
Other Litigation Issues
Health care provider employment termination cases
Whistleblower exception
Telemedicine
Telemedicine
What is telemedicine:
– The provision of clinical services to patients by practitioners from a distance via electronic communications.
– The telemedicine services can be provided simultaneously (in real time) or nonsimultaneously (after-the-fact assessment of the patient’s condition).
Variations on the Use of Telemedicine
Rural facility may contract with an academic medical center or tertiary care center for specialty services via telemedicine
Second opinions
Patient monitoring devices
Internet medicine
Issues Regarding Telemedicine
Reimbursement is limited
May present licensure issues when “practicing across state lines”
– e.g., WV regulations consider practicing telemedicine to constitute the practice of medicine within the state, subject to WV licensure requirements
Questions?
Pamela E. Hepp
Shareholder
Buchanan Ingersoll & Rooney PC
T: 412 562 1418
pamela.hepp@bipc.com
Diane Pringle
Compliance/Privacy Officer
Corporate Compliance
Conemaugh Health System
(814) 410-8421
dipringl@conemaugh.org