E-Health: Is a Claim Just a Click Away? Chicago, IL ~ March 18 & 19, 2010
E-Health: Is a Claim Just a Click Away? Moderator: Fran O'Connell, RN, MBA, Managing Director, Medical Professional Liability, Markel Corporation Panelists: M. Peter Adler, Esq., CISSP, CIPP, Chief Privacy Officer, UnitedHealth Group Paul Bantick, Underwriter, Beazley Sharon R. Klein, Esq., Partner, Pepper Hamilton, LLP
E-Health Defined • "Healthcare supported by electronic processes and communication" • Electronic Health Records • Telemedicine • Automatic Clinical Protocols/Alerts • Virtual Healthcare Teams • mHealth • Patient Monitoring • Distance Learning - Telehealth
Healthcare Provider/Payer Technologies • Remote Healthcare Information Systems • Virtual Rounding • Remote Operations • Clinical Alerts • Medical Robots • Wireless implants/chips
Consumer Health Technologies • Smart Phones • PHRs (Health Vault) • Social Networks (Facebook) • Smart home sensors/monitoring • Use of email to link patients and clinicians • Web Portals
Global Risks • Medical Identity Theft • Internet use without encryption • Lack of uniform security standards (mobile devices) • Expansion to players unfamiliar with healthcare • Outsourcing/Offshoring • No global rules for data exchange/transfer
Risk of Lawsuits/Reputational Injury • Regulation • Sanctions, fines, penalties • Public Enforcement • FTC, HHS/OCR, FDA • State attorney general(s) • Private Rights of Action • Individual suits (common law, statutory) • Class Actions
E-Health: Is a Claim Just A Click Away? E-Health Privacy, Security, Data Breaches and Potential Liability Peter Adler, Esq., CISSP, CIPP UnitedHealth Group
HIPAA • Pertains to individually identifiable health information that: • Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and • Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and • Identifies the individual, or for which there is a reasonable basis to believe the information can be used to identify the individual • Applies to "Covered Entities" • Health providers • Health plans • Health care clearinghouses
HIPAA Security Requirements • HIPAA compliance rests on five areas: • Administrative Security Procedures • Legal Compliance • Technical Security • Business Associate Management • Physical Security
Safeguards Standards, Safeguards and Implementation Features • Standards: CEs/BAs required to comply with standards • Administrative, 45 C.F.R. §164.308 • Physical, 45 C.F.R. §164.310 • Technical, 45 C.F.R. §164.312 • Organizational Requirements, 45 C.F.R. §164.314 • Policies and Procedures and Documentation Requirements, 45 C.F.R. §164.316 • Implementation Specifications: • Required - must be implemented as specified; the risk analysis informs how, not whether • Addressable - a second-level risk assessment is required: the CE/BA assesses whether the specification is reasonable and appropriate, implements it if so, and otherwise documents why not and implements an equivalent alternative measure where reasonable and appropriate (45 C.F.R. §164.306(d))
Privacy: Rules-Based vs. Risk-Based • General Principles of Privacy Regulations Establish a Rules-Based Permissive Model: • A use and disclosure of PHI is not permitted unless the Rule specifically permits it • A covered entity may not use or disclose PHI, except as the Privacy Rule permits or requires or as incident to an otherwise permitted use and disclosure. • To define and limit the circumstances in which an individual's protected health information (PHI) may be used or disclosed by covered entities. • Emphasis on "gap analysis" rather than a risk analysis
Uses and Disclosures Permitted without Authorization • To the Individual (unless required for access or accounting of disclosures); • Treatment, Payment, and Health Care Operations; • Opportunity to Agree or Object; • Public Interest and Benefit Activities; and • Limited Data Set for the purposes of research, public health or health care operations
Individual Authorization for Disclosures • Authorization • A covered entity must obtain the individual’s written authorization for any use or disclosure of protected health information that is not for treatment, payment or health care operations or otherwise permitted or required by the Privacy Rule • Psychotherapy Notes • Marketing
Minimum Necessary • A covered entity must make reasonable efforts to use, disclose, and request only the minimum amount of PHI needed to accomplish the intended purpose of the use, disclosure, or request. • A covered entity must develop and implement policies and procedures to reasonably limit uses and disclosures to the minimum necessary. • When the minimum necessary standard applies to a use or disclosure, a covered entity may not use, disclose, or request the entire medical record for a particular purpose, unless it can specifically justify the whole record as the amount reasonably needed for the purpose. • Not applicable in certain situations 45 C.F.R. §§ 164.502(b) and 164.514 (d).
ARRA: Overview of Other Key Provisions - 1 • Clarification and expansion of the definition of a “business associate” • Increased business associate legal obligations • Notification for breaches involving protected health information (PHI); • Special provisions for vendors of personal health records and other non-HIPAA covered entities • Restrictions on certain disclosures. Individuals will have the right to prohibit the disclosure of PHI to a health plan for items or services that the individual paid for in full out-of-pocket • Restrictions on sales of EHRs or PHI. Covered entities and business associates may not sell PHI and EHRs, except in limited circumstances, unless the individual authorizes the sale.
ARRA: Overview of Other Key Provisions - 2 • Accounting of certain PHI disclosures required if covered entity uses an EHR. Covered entities must provide an accounting of disclosures of PHI made to carry out treatment, payment, and healthcare operations when the PHI is in an EHR • Access to Certain Information In Electronic Format. An individual has a right to obtain from the covered entity a copy of his or her information in an electronic format • Conditions on certain communications as part of healthcare operations. Limits the healthcare operations exception for communications when the covered entity receives remuneration for the communication, except in limited circumstances. • Fundraising Opt-Out • Enhancement of enforcement, funding for enforcement and increased penalties
Increased Business Associate Legal Obligations • Each security and privacy requirement in the HITECH Act that is applicable to a covered entity is also applicable to a business associate and should be included in a business associate contract. • A business associate must comply with the same administrative, technical, and physical safeguards that a covered entity is required to comply with under the security rule. • Must also comply with the documentation requirements of the security rule (policies, procedures and other documents). • Business associates that violate the security and privacy provisions of HIPAA are subject to the same civil and criminal penalties as a covered entity.
Clarification and Expansion of "Business Associate" Definition • Definition of "business associate" includes: • entities that provide data transmission services to a covered entity (or its business associate) if the service involves access to PHI on a routine basis, including: • a health information exchange organization; • a regional health information organization; • an E-prescribing Gateway; or • any vendor that contracts with the covered entity to allow the covered entity to offer a personal health record (PHR) to patients.
Overview of Breach Notification Rule • Applies some state breach notification concepts to federal health care law • Applies to Business Associates (BAs) and Covered Entities (CEs) that experience a breach • Covers EHRs and PHRs • Final FTC regulations released August 18, 2009 (PHR vendors and related entities not covered by HIPAA) • HHS interim final regulations and guidance released August 19, 2009 (HIPAA covered entities and business associates, including EHRs)
Responding to an Incident Process Under the New Rule • Determine whether a “Breach” occurred • What is a Breach? • What is Not a Breach? • Determine whether breach notification is required • Follow Breach Notification Procedures
What is a Breach? • A breach is the unauthorized acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule and which compromises the security and privacy of the PHI
What is NOT a Breach? • It is important to know what is and is not a breach under the new Rules • If not a breach, notification will not be required • There are two methods provided by the Rule for determining if a breach occurred • By Definition • By Risk of Harm Analysis
Not a Breach by Definition • A Breach does not include: • Acquisition, access, or use or disclosure of PHI by a workforce member or person acting under the authority of a CE or a BA which does not result in further use or disclosure in a manner inconsistent with the Privacy Rule and the disclosure is - • made in good faith and within the scope of authority • inadvertently made, from one authorized person to another within a CE, BA or an Organized Health Care Arrangement (OHCA) • A disclosure of PHI where a CE or BA has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information • §164.402(2)
Not a Breach – Other Factors • Not a Breach: • if Privacy Rule not violated • if privacy and security of PHI not compromised • PHI not involved • PHI is "secured" • There is no risk of harm
No Risk of Harm • A compromise of the security and privacy of the PHI must pose a significant risk of financial, reputational, or other harm to the individual • A risk assessment is to be conducted to determine whether such harm exists
HHS Breach Notification Procedures: Timing, Notice and Content • The Breach Notification Rule provides specific timing, content and notice requirements • 47 organizations have reported breaches of 500 or more individuals in the first reporting to HHS under this Rule • Range from a low of 501 (Alaska Department of Health and Social Services) to a high of 500,000 (Blue Cross Blue Shield of Tennessee) • Involving more than 1 million individuals in the first months of the reporting program • Since March 12, 2009 the Privacy Rights Clearinghouse has reported 228 breaches. Of these, 58 involved protected health information • Includes electronic and paper-based PHI • http://www.privacyrights.org/ar/ChronDataBreaches.htm
State Notice of Breach Laws • 46 States PLUS: • District of Columbia (B16-810, D.C. Code § 28-3851) • Puerto Rico (Law 111 and Regulation 7207) • The following states do not have a notice of breach law: • Kentucky • Mississippi • New Mexico • South Dakota • Most require businesses and/or government to notify state residents if their computerized "personal information" is involved in a data breach • Compliance obligations can differ significantly and require research of the key provisions in every state for which you hold a resident's PI
Emerging State Data Security Laws • Ten States have laws requiring businesses to protect the "security and confidentiality" of personal information about residents • Arkansas, California, Connecticut, Maryland, Massachusetts, Nevada, Rhode Island, Oregon, Texas, and Utah • Massachusetts is the only state that specifies what a business must do to comply: • Implement a risk-based "comprehensive, written information security program" in accordance with a detailed list of requirements; and • Encrypt all personal information stored on laptops or other portable devices, all records and files transmitted over public networks "to the extent technically feasible," and all data transmitted wirelessly. • 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth; promulgated pursuant to Mass. Gen. Laws ch. 93H
Criminal Penalties Applicable to An Individual or An Entity • Wrongful disclosure of individually identifiable health information: "...a person (including an employee or other individual) shall be considered to have obtained or disclosed individually identifiable health information in violation of this part if the information is maintained by a covered entity... and the individual obtained or disclosed such information without authorization" • "Willful neglect" may give rise to either criminal or civil liability • A formal investigation will commence whenever a preliminary investigation of the facts indicates that a possible violation is due to willful neglect • Burden of proof is on the CE and/or BA
HIPAA Criminal Penalties • A “knowing” violation shall: • (1) be fined not more than $50,000, imprisoned not more than 1 year, or both; • (2) if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and • (3) if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.
HITECH Act Civil Penalties • Graduated Penalties: • unknowing - (A) through (D) • due to reasonable cause and not to willful neglect- (B) through (D) • due to willful neglect - if corrected (C) through (D); if not corrected (D) • (A) $100 for each such violation, except that the total amount imposed on the person for all such violations of an identical requirement or prohibition during a calendar year may not exceed $25,000 • (B) $1,000 for each such violation, except that the total amount imposed on the person for all such violations of an identical requirement or prohibition during a calendar year may not exceed $100,000; • (C) $10,000 for each such violation, except that the total amount imposed on the person for all such violations of an identical requirement or prohibition during a calendar year may not exceed $250,000; and • (D) $50,000 for each such violation, except that the total amount imposed on the person for all such violations of an identical requirement or prohibition during a calendar year may not exceed $1,500,000. • Money Collected for civil damages funds OCR enforcement • States Attorneys General Also provided enforcement authority
Enforcement Funding • Any civil monetary penalty or monetary settlement collected with respect to a criminal or civil action brought under the HIPAA security and privacy provisions shall be transferred to the Office for Civil Rights of HHS • This money will be used for enforcing the privacy and security provisions of HIPAA • The HITECH Act calls for a study by the GAO to determine the feasibility of distributing to victims of a violation a percentage of any collected civil monetary penalty or monetary settlement, and the methodology to accomplish it.
Enforcement by State Attorneys General • Where there is reason to believe that an interest of one or more residents of a state has been or is threatened or adversely affected by any person who violates a provision of HIPAA, the Attorney General of that State may bring a civil action on behalf of such residents in a U.S. District Court. • Damages will be statutorily imposed • The amount is calculated by multiplying the number of violations by up to $100 • The total amount of damages imposed on the person for violations of all identical requirements or prohibitions during a calendar year shall not exceed $25,000 • The court may also award the Attorney General reasonable costs for bringing the action and attorney's fees
Not much traction for "Negligent Protection of Data" • The plaintiffs allege that a business collected their personal information for the business' purposes, and then negligently allowed a third party to improperly access that personal information. • Plaintiffs have had difficulty establishing that the defendant has a duty to protect their information, and that they have suffered some compensable damage from that release.
U.S. Breach Litigation • "[N]o court has considered the risk [of ID theft] itself to be damage" • Key v. DSW Inc., 454 F. Supp. 2d 684 (S.D. Ohio 2006); Bell v. Acxiom Corp., No. 4:06CV00458-WRW (E.D. Ark. Oct. 3, 2006) • (Plaintiffs were unable to prove that the information was used improperly, and an increased risk of ID theft was not enough) • Stollenwerk v. Tri-West Healthcare Alliance, No. Civ. 03-0185 (D. Ariz. Sept. 6, 2005) (One plaintiff offered "fear of identity theft" as damages; the Court rejected that. Another plaintiff proved that a miscreant tried to open a credit card account with the plaintiff's information; the Court rejected that too: "you cannot prove THIS breach was how they got your information") • See also Pisciotta v. Old Nat'l Bancorp, 499 F.3d 629 (7th Cir. 2007); Kahle v. Litton Loan Servicing LP, No. 1:05cv756 (S.D. Ohio); and Guin v. Brazos Higher Education Service Corp., 2006 WL 288483 (D. Minn. 2006) (the value of having good policies and procedures).
Why Litigate, Then? • Thus far plaintiffs have not been successful in proving negligence • No harm (provable damages), no foul, say the Courts. • But litigation is about poking and prodding. • Plaintiffs are seeking the soft underbelly. • The goal: huge settlements even without the merits
TJX Companies Breach • On Jan. 17, 2007, TJX Companies Inc., including TJ Maxx, Marshalls and Home Goods, announced that the portion of its computer network that handles customer transactions was broken into by unauthorized individuals and that at least 46.2 million credit and debit cards may have been compromised • This resulted in litigation and investigations, and in consideration of new laws to protect banks in California, Connecticut, Illinois, Massachusetts, Minnesota, New Jersey and Texas. Only the Minnesota law was actually enacted • Settlements have reduced what once was as many as 18 separate putative bank and consumer class action lawsuits against the company • September 2007 - Settlement including $7 million to reimburse customers for credit monitoring and other identity theft mitigation measures they undertook, and to hold a company-wide one-day sale • November 2007 - Settlement with Visa (and issuing banks): $40.9 million • December 2007 - TJX settled for $40 million with banking associations and all but one individual bank that filed class actions seeking reimbursement of their costs associated with the breach, such as reissuing compromised credit cards and covering fraudulent purchases • April 2008 - Settlement with MasterCard (and issuing banks): $34 million • June 2009 - $9.8 million to a group of 41 state attorneys general • September 2009 - additional $525,000 to the financial institutions • Total – $132,225,000
Hannaford and Heartland • Hannaford Bros. Co. supermarket chain and its parent corporation Delhaize America Inc. • Over 12 separate class actions in Florida, Maine, New Hampshire and New York – still fighting it out • Heartland Payment Systems, Inc. Litigation • Claims: Negligence, Breach of Contract, Breach of Implied Contract, Violation of New Jersey Consumer Fraud Act, and Negligence Per Se • Heartland faced a total of 17 consumer class actions and 10 bank and credit union class actions related to the breach. To settle, Heartland agreed to pay: • nearly $4.7 million to consumers (up to $2.4 million in actual damages, $760,000 in attorney's fees and expenses, and up to $1.5 million in administration costs) • just over $3.5 million to American Express Travel Related Services Company Inc. to settle any claims • a maximum of $60 million to Visa Inc. and Visa card-issuing banks • Total - $68,960,000 (8-K filing stated up to $73m)
Breaches Cost Money, Even Without Litigation • U.S. organizations continue to experience an increased cost of data breaches • Average organizational cost increased nearly 2 percent, from $6.65 million in the 2008 study to $6.75 million in 2009 • The average cost per compromised record per breach rose only $2, from $202 to $204. • The most expensive data breach event included in the 2009 study cost one organization nearly $31 million to resolve • Companies that notify victims too quickly may in fact incur higher costs: $219 versus $196 per record, a 12% difference • The leadership of a CISO or equivalent position substantially reduces the overall cost of data breaches Source: 2009 Annual Study: Cost of a Data Breach: Understanding Financial Impact, Customer Turnover, and Preventive Solutions, The Ponemon Institute
E-Health: Is a Claim Just A Click Away? Future Trends/Outlook for 2010 and Beyond Paul Bantick Technology, Media and Business Services Beazley Group
Current situation • More people living longer • Number of people with chronic illnesses is going to increase • Therefore, increased pressure on the healthcare system and technology requirements • One of the key drivers of healthcare reform is recognition of this problem and attempt to deal with this issue • Better quality of care • Cost containment • Better deployment of technology
Coordination of Care • Draws the 3 elements together. • Fragmented delivery of care • Many different siloed systems, e.g. billing, care, control, record keeping, data • Physicians and hospitals will become the pivot for delivering under this new approach and for coordinating amongst other providers, as well as handling records and billing. • For this approach to work it will require efficient and usable technology with greater access points and capability than before. • HITECH is an attempt to facilitate and encourage/require the adoption of such an approach.
Is this all going to Work? • Great in theory, but what about in practice? • Short time frame – achieving HITECH compliance by 2011 is ambitious. • Technology providers will be key. Are they up to it? • More systems with broader coverage and more people accessing them is a bigger exposure • Implementation will be key. • This will ultimately drive insurance requirements as the number of breaches and the average costs involved grow. • Claims scenarios become more complex, with greater scope for uncertainty as to where the responsibility lies. • Insurance policies will have to adapt to provide the coverage required as underwriting becomes more complex and exposures shift and change.
Other considerations • Electronic Personal Health Records – as we move away from paper, exposure increases; an electronic record attracts more interest and is a more personal record. This could have an impact on the number and size of breaches. • Solutions – clients are looking for solutions and service and not just an insurance product. • As exposure and complexity grow, this will continue to be one of the main drivers for purchasing insurance. • Sub-limits – this is an area that must be addressed in the insurance market to provide the coverage required in the event of a claim • Underwriting – time will tell. • More complex and in-depth underwriting. • Risks carrying greater exposures • Broader policies • Claims solutions must keep pace with a changing market.