
Electronic Medical Records: Minimizing HIPAA, Stark and Anti-Kickback Legal Risks and Liabilities

October 27, 2009

Copyright © 2009 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C .

This presentation may be considered attorney advertising under the rules of some states. The information and materials contained herein have been provided as a service by the law firm of Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.; however, the information and materials do not, and are not intended to, constitute legal advice. Neither transmission nor receipt of such information and materials will create an attorney-client relationship between the sender and receiver. The hiring of an attorney is an important decision that should not be based solely upon advertisements or solicitations. Users are advised not to take, or refrain from taking, any action based upon the information and materials contained herein without consulting legal counsel engaged for a particular matter. Furthermore, prior results do not guarantee a similar outcome.


Mintz Levin Cohn Ferris Glovsky and Popeo LLP

Dianne J. Bourque, Associate

One Financial Center

Boston, MA 02111

Phone Number: (617) 348-1614

Email: [email protected]

Katina W. Lee, Associate

701 Pennsylvania Avenue, NW, 9th Floor

Washington, DC 20004

Phone Number: (202) 661-8729

Email: [email protected]

Hope S. Foster, Member

701 Pennsylvania Avenue, NW, 9th Floor

Washington, DC 20004

Phone Number: (202) 661-8758

Email: [email protected]


What to Expect Today

• General overview of the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”)
• Federal and state laws on data breach notification
• Red flag rules
• Privacy and security risks and best practices to minimize liability under HIPAA, prevent the loss of electronic protected health information and reduce the risk of medical identity theft
• Potential regulatory barriers to electronic health record technology and best practices to minimize liability under Stark and Anti-Kickback concerns


Health IT - A Brave New World

• While the President, Congress, federal agencies and states grapple with the best way to reform and regulate healthcare, the world is moving forward into a technologically advanced age and dragging the healthcare industry with it.
• New technological advances are creating more cost-effective mechanisms for prescribing, monitoring, and tracking prescription drugs and utilization.
• The industry must keep up with and meet new regulatory requirements, as well as the challenges created by the new technology.
• The billions of dollars in grants and payments for health information technology available under ARRA should encourage the industry to step up to the plate and adopt and implement health information technology.


Health IT - A Brave New World

The Healthcare Industry’s Reluctant Adoption of Information Technology

Healthcare providers have been quick to adopt breakthrough technology in medical procedures, but slow to accept innovations in networking and communications.

• Concern about breaches in security and patient privacy.
• Healthcare services traditionally performed locally and in person.


Health IT - A Brave New World

These technological advances will not happen overnight. There are many obstacles which need to be addressed.

• Likely differences in laws and regulations across borders may necessitate international laws governing medical services.

• Possible differences in technical standards between different countries could create conflicts and call for global standards.


Health IT - A Brave New World

On February 17, 2009, President Obama signed into law the $787 billion American Recovery and Reinvestment Act of 2009 (ARRA) that contains new provisions applicable to the healthcare and information technology world:

• $19 billion to promote adoption of health information technology

• Additional privacy and security requirements


Health IT - A Brave New World

Health Information Technology for Economic and Clinical Health Act (HITECH Act)

• $2 billion “start-up” funding to promote adoption of health information technology.
• $17 billion for Medicaid and Medicare incentives and payments to providers for adopting certified electronic health records.
• Establishes a timeframe for the use of an electronic health record for each person in the U.S. by 2014.


Health IT - A Brave New World

HITECH Act cont.

• Establishes Regional Extension Centers, which would provide technical assistance and disseminate best practices to support and accelerate efforts to adopt, implement, and effectively utilize health information technology.
• Strengthened privacy and security standards under HIPAA to encourage the adoption of EHRs.
• Strengthened penalties for non-compliance.
• Created new avenues of enforcement (state Attorneys General).
• Created new targets of enforcement (third parties who wrongfully acquire PHI).


Electronic Health Records

HITECH Act cont.

• Funding is available for the “meaningful use” of “certified” electronic health records (EHRs) technology by Medicare and Medicaid physicians and hospitals.
• Funding will start flowing in October 2010.
• HIT Policy and Standards Committees are still hammering out the details.
• CMS intends to issue regulations by the end of 2009. This is important so that EHR users and developers can fund their health information technology implementation.


Federal Breach Notification

• Under the original HIPAA regulatory scheme, “covered entities” were not required to notify individuals if their PHI was breached or lost.
• Under ARRA (2009), covered entities must notify affected individuals, the federal government and, in some cases, the media in the event of “breaches” of “unsecured PHI.”
• “Business Associates” are required to notify covered entities of breaches so that covered entities may in turn fulfill their breach notification obligations.


Federal Breach Notification

• “Breach” means “the unauthorized access, acquisition, use, or disclosure of protected health information which compromises the security or privacy of such information.”
• “Unsecured PHI” means “PHI that is not secured through use of a technology or methodology identified by the U.S. Department of Health and Human Services (“HHS”) as rendering the information unusable, unreadable or indecipherable to unauthorized persons.”


Federal Breach Notification

No breach notification is required when:

• the recipient of the information would not reasonably have been able to retain the information;
• the breach involved the unintentional acquisition, access, or use of information by employees or persons acting under the authority of a covered entity or business associate;
• certain inadvertent disclosures occur among persons similarly authorized to access protected health information at a business associate or covered entity.


Federal Breach Notification

HHS has specified two methods for securing PHI. The first is encryption:

• For data at rest: NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices.
• For data in motion: Federal Information Processing Standards (FIPS) 140-2. These include, as appropriate, standards described in NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs, and may include others which are FIPS 140-2 validated.
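The practical point of the encryption method is that PHI on a lost laptop or USB stick is only “unusable, unreadable or indecipherable” if the finder cannot also recover the key. The Go program below is an added example, not code from the presentation, from HHS or from NIST: it encrypts a constructed patient record with AES-256-GCM under a per-record data key and wraps that key under a key-encryption key (KEK) that is assumed to live off the device, for instance on a key server or HSM. The cipher choice, the record layout, the use of the record identifier as associated data and the sample record are all this example's own assumptions; NIST SP 800-111 and FIPS 140-2 do not prescribe them.

```go
// Added example, not from the presentation: envelope encryption of a PHI
// record for storage on an end-user device. The KEK is assumed to be held
// off the device; everything in SealedRecord may be lost without exposing PHI.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// SealedRecord is the on-device artifact: the PHI ciphertext plus the data
// encryption key (DEK), itself encrypted under the off-device KEK.
type SealedRecord struct {
	WrappedDEK []byte // nonce || AES-GCM(KEK, DEK)
	Ciphertext []byte // nonce || AES-GCM(DEK, PHI)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key => AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with a fresh random nonce and returns nonce || ciphertext || tag.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; any modified nonce, ciphertext, tag or AAD is rejected.
func open(key, blob, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(blob) < n+aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:n], blob[n:], aad)
}

// EncryptRecord generates a random DEK, encrypts the PHI under it and wraps
// the DEK under the KEK. recordID is bound as associated data on both layers
// so a ciphertext cannot be silently moved to another patient's record.
func EncryptRecord(kek []byte, recordID string, phi []byte) (*SealedRecord, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := seal(dek, phi, []byte(recordID))
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, dek, []byte(recordID))
	if err != nil {
		return nil, err
	}
	return &SealedRecord{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptRecord needs the KEK, which is exactly what a lost device must not carry.
func DecryptRecord(kek []byte, recordID string, r *SealedRecord) ([]byte, error) {
	dek, err := open(kek, r.WrappedDEK, []byte(recordID))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dek, r.Ciphertext, []byte(recordID))
}

func main() {
	kek := make([]byte, 32) // assumption: fetched from a key server/HSM, never stored beside the data
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	phi := []byte("MRN 00012345|DOE, JANE|1961-04-02|dx: E11.9") // constructed sample, not real data
	rec, err := EncryptRecord(kek, "MRN-00012345", phi)
	if err != nil {
		panic(err)
	}
	out, err := DecryptRecord(kek, "MRN-00012345", rec)
	fmt.Printf("round trip: %q err=%v\n", out, err)
	rec.Ciphertext[len(rec.Ciphertext)-1] ^= 0x01 // flip one bit of the tag
	_, err = DecryptRecord(kek, "MRN-00012345", rec)
	fmt.Println("tampered ciphertext rejected:", err != nil)
}
```

The HHS guidance that accompanies this list also requires that the decryption key or tool not be stored on the same device as the data it protects; a self-decrypting archive, or a disk-encryption key cached in a file on the same disk, therefore does not take the data out of the “unsecured PHI” category even though the bytes on disk are encrypted.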


Federal Breach Notification

The second method HHS has specified for securing PHI is destruction:

• Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed.
• Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, such that PHI cannot be retrieved.


Federal Breach Notification

If PHI has been secured using one of the above-listed methods, its loss or wrongful disclosure does not trigger breach notification requirements.

If “Unsecured PHI” is lost or impermissibly disclosed and none of the notification exceptions applies, affected individuals must be notified of the breach. Notice must include:

(i) a brief description of what happened, including dates;
(ii) a description of the types of unsecured PHI involved;
(iii) the steps the individual should take to protect against potential harm;
(iv) a brief description of the steps the covered entity or business associate has taken to investigate the incident, mitigate harm and protect against further breaches; and
(v) contact information for questions.


Federal Breach Notification

• Notice of the breach must also be provided to HHS.
• Notice must be provided immediately for breaches involving 500 or more individuals.
• Breaches involving fewer than 500 individuals may be logged and reported annually.
• Breach notification form available at: http://transparency.cit.nih.gov/breach/index.cfm


State Breach Notification Requirements

At least 44 states have implemented data security and breach notification laws

State laws typically apply to a broader class of personal data (social security numbers, financial account numbers and information)

Notice to affected individuals and state authorities is typically required


Federal and State Breach Notification

Covered entities must consider both state and federal law when implementing their security programs and providing breach notification

State breach notification requirements may not be preempted by HIPAA, so care must be taken to comply with all state and federal requirements

The analysis will be complicated when breaches impact individuals from more than one state


Red Flag Rules

• The “Red Flag Rules” of the Federal Trade Commission (“FTC”) are an additional consideration for health care organizations planning their security programs.
• The Red Flag Rules apply to financial institutions and creditors. The FTC has made clear that non-profit and government entities that defer payment for goods and services - including hospitals and other health care providers - are creditors and therefore must comply with the rules.


Red Flag Rules

The Red Flag Rules require financial institutions and creditors to establish a written program for identifying and detecting warning signs or “red flags” of identity theft, such as unusual account activity, suspicious enrollment documents or other suspicious patterns or activities that indicate the possibility of identity theft.

Compliance Date: November 1, 2009
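What the written program must actually do is operational: look at registration and account data and flag the patterns. As an added example, not part of the presentation or of the FTC's rule text, the Go program below runs two illustrative red-flag rules over a constructed batch of patient enrollment records: one SSN presented with conflicting names or dates of birth, and one mailing address shared by several different SSNs. The rules, the thresholds, the Enrollment record layout and the sample data are all this example's own assumptions; a real program would draw its red flags from the FTC's guidelines and the organization's own incident history.

```go
// Added example, not from the presentation: two illustrative identity-theft
// "red flags" evaluated over a batch of enrollment records. Record layout,
// rules and sample data are assumptions made for this example.
package main

import (
	"fmt"
	"sort"
)

// Enrollment is one patient registration event as a billing system might log it.
type Enrollment struct {
	Account string
	SSN     string
	Name    string
	DOB     string
	Address string
}

// RedFlag names the rule that fired and the accounts involved.
type RedFlag struct {
	Rule     string
	Accounts []string
}

// DetectRedFlags applies two rules over a batch of enrollments:
//  1. "ssn-identity-conflict": one SSN presented with more than one name/DOB pair;
//  2. "shared-address": one mailing address used by at least addressThreshold distinct SSNs.
// Results are sorted by rule name so output is deterministic.
func DetectRedFlags(batch []Enrollment, addressThreshold int) []RedFlag {
	bySSN := map[string][]Enrollment{}
	byAddr := map[string]map[string][]string{} // address -> ssn -> accounts
	for _, e := range batch {
		bySSN[e.SSN] = append(bySSN[e.SSN], e)
		if byAddr[e.Address] == nil {
			byAddr[e.Address] = map[string][]string{}
		}
		byAddr[e.Address][e.SSN] = append(byAddr[e.Address][e.SSN], e.Account)
	}

	var flags []RedFlag
	for ssn, es := range bySSN {
		identities := map[string]bool{}
		var accounts []string
		for _, e := range es {
			identities[e.Name+"|"+e.DOB] = true
			accounts = append(accounts, e.Account)
		}
		if len(identities) > 1 {
			sort.Strings(accounts)
			flags = append(flags, RedFlag{Rule: "ssn-identity-conflict:" + ssn, Accounts: accounts})
		}
	}
	for addr, ssns := range byAddr {
		if len(ssns) >= addressThreshold {
			var accounts []string
			for _, accs := range ssns {
				accounts = append(accounts, accs...)
			}
			sort.Strings(accounts)
			flags = append(flags, RedFlag{Rule: "shared-address:" + addr, Accounts: accounts})
		}
	}
	sort.Slice(flags, func(i, j int) bool { return flags[i].Rule < flags[j].Rule })
	return flags
}

// SampleBatch is constructed test data; none of it refers to a real person.
func SampleBatch() []Enrollment {
	return []Enrollment{
		{"A100", "123-45-6789", "JANE DOE", "1961-04-02", "1 MAIN ST"},
		{"A101", "123-45-6789", "JANE DOE", "1961-04-02", "1 MAIN ST"},  // same person, repeat visit: no flag
		{"A102", "123-45-6789", "JOHN ROE", "1975-09-18", "9 ELM AVE"},  // same SSN, different identity
		{"A103", "987-65-4321", "ANN LEE", "1980-01-01", "PO BOX 7"},
		{"A104", "555-11-2222", "BOB KIM", "1990-02-02", "PO BOX 7"},
		{"A105", "444-33-1111", "CY VU", "1985-03-03", "PO BOX 7"},      // third distinct SSN at one address
	}
}

func main() {
	for _, f := range DetectRedFlags(SampleBatch(), 3) {
		fmt.Printf("%-36s %v\n", f.Rule, f.Accounts)
	}
}
```

The detector reports the accounts, not a verdict: under the rule the program still has to say who reviews a flag, how a suspected theft is escalated and how the record is corrected, and those steps belong in the written program alongside the detection logic.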


The Stakes Are Higher

• Increased federal enforcement
• State enforcement
• Reputational risks due to public disclosures of breach
• Costs associated with enforcement and required notifications
• Risks associated with business associate breaches


Best Practices to Minimize Risk

• Comprehensive privacy and security policies, implemented and enforced
• Good training, with reminders and updates
• If possible: implement the security measures necessary to avoid breach notification
• If NOT possible: be prepared to provide timely notice in the event of breach


Best Practices to Minimize Risk

• Implement a breach response plan
• Be sure that employees/agents promptly report all actual and suspected breaches
• Take steps to mitigate harm
• Assign responsibility for risk assessment and analysis of reporting obligations under state and federal law
• Be careful when selecting business associates
• Use good contractual provisions to minimize damages from a business associate’s breach


One More Risk to Think About

Federal dream vs. state law reality

• One goal of EHR adoption is to facilitate the sharing of PHI among covered entities. There is a big push at the federal level to achieve this goal.
• BUT even though HIPAA may provide mechanisms for the merging and sharing of EHRs, state law may not, especially with respect to sensitive and specially protected categories of health information (infectious disease, drug and alcohol treatment, mental health counseling, etc.).


Personal Health Records

• Currently, we live in a world of decentralized record keeping where records are maintained by multiple entities and in multiple locations, which makes the system duplicative and sometimes creates conflicting information.
• As people move from state to state, they leave a trail of fragmented or partial medical records behind.


Personal Health Records Impact of ARRA of 2009

ARRA of 2009 defines a personal health record as “an electronic record of PHR identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual”

• "PHR identifiable health information" is “individually identifiable health information that is provided by or on behalf of the individual and that identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.”

A “Vendor of Personal Health Records” is “an entity, other than a covered entity, that offers or maintains a personal health record.”


Personal Health Records

Impact of ARRA of 2009

In the event of a breach of security, ARRA imposes notification obligations on:

• Vendors of PHRs;
• Entities that offer products or services through websites of PHR vendors;
• Entities that offer products or services through the websites of covered entities that offer PHRs;
• Entities that are not covered entities and that access information in a PHR or send information to a PHR.


Personal Health Records

Risks of PHRs

• May not be complete
• PHR owner/patient may remove objectionable, but clinically relevant, information
• Another provider may rely on a partial record, mistakenly believing that it is complete
• PHR owner/patient may rely on a provider to review a PHR to which he or she has been given access, and withhold certain information in discussions with the provider


Fraud and Abuse Safe Harbors

Exceptions to the physician self-referral prohibition and a safe harbor under the anti-kickback statute for arrangements involving donation of interoperable EHR technology to physicians and other healthcare practitioners or entities from businesses with whom they work.

Physicians must contribute 15% of the costs.


Fraud and Abuse Safe Harbors

Entities furnishing designated health services (and certain other entities under the safe harbor) may donate to physicians (and certain other recipients under the safe harbor) interoperable electronic health records software, information technology and training services.

Hospitals and certain other entities may provide physicians (and certain other recipients under the safe harbor) with hardware, software, or information technology and training services necessary and used solely for electronic prescribing.


Fraud and Abuse Safe Harbors

Impact of ARRA funding for EHR implementation

• Windfall for hospitals and physicians?
• Donations inconsistent with promotion of transparency in the relationship between healthcare entities and physicians?
• Funding available to those entities that donate to physicians under safe harbors?
• Past donations reimbursable?
• Incentive to implement EHRs faster?


PENALTIES

• Non-meaningful EHR users subject to reimbursement reductions beginning in 2015
• Penalties for HIPAA violations increased under ARRA
  • Civil violations: penalties range from $100 - $50,000 per violation, capped at $25,000 - $1.5 million per year for multiple violations of the same standard
  • Criminal penalties range from one year in jail and a $50,000 fine, to ten years in jail and a $250,000 fine
• New State enforcement authority


Key Takeaways

• New enforcement mandates from Congress mean that enforcement will be on the rise
• Understand the new requirements, or face the consequences
• Avoid risk
• Marketplace is shifting from paper to electronic
• Implement appropriate infrastructures


QUESTIONS AND FOLLOW-UP

Mintz Levin Cohn Ferris Glovsky and Popeo LLP
