E-Health: Is a Claim Just a Click Away? Chicago, IL ~ March 18 & 19, 2010
E-Health: Is a Claim Just a Click Away?
Moderator: Fran O'Connell, RN, MBA, Managing Director, Medical Professional Liability, Markel Corporation
Panelists:
• M. Peter Adler, Esq., CISSP, CIPP, Chief Privacy Officer, UnitedHealth Group
• Paul Bantick, Underwriter, Beazley
• Sharon R. Klein, Esq., Partner, Pepper Hamilton, LLP

E-Health Defined
• “Healthcare supported by electronic processes and communication”
• Electronic Health Records
• Telemedicine
• Automatic Clinical Protocols/Alerts
• Virtual Healthcare Teams
• M Health
• Patient Monitoring
• Distance Learning - Telehealth

Healthcare Provider/Payer Technologies
• Remote Healthcare Information Systems
• Virtual Rounding
• Remote Operations
• Clinical Alerts
• Medical Robots
• Wireless implants/chips

Consumer Health Technologies
• Smart Phones
• PHRs (Health Vault)
• Social Networks (Facebook)
• Smart home sensors/monitoring
• Use of email to link patients and clinicians
• Web Portals

Global Risks
• Medical Identity Theft
• Internet use without encryption
• Lack of uniform security standards (mobile devices)
• Expansion to players unfamiliar with healthcare
• Outsourcing/Offshoring
• No global rules for data exchange/transfer

Risk of Lawsuits/Reputational Injury
• Regulation
  • Sanctions, fines, penalties
• Public Enforcement
  • FTC, HHS/OCR, FDA
  • State attorney general(s)
• Private Rights of Action
  • Individual suits (common law, statutory)
  • Class Actions
E-Health: Is a Claim Just a Click Away?
E-Health Privacy, Security, Data Breaches and Potential Liability

HIPAA
• Pertains to individually identifiable health information that:
  • Is created or received by a “Covered Entity”; and
  • Relates to an individual’s past, present, or future physical or mental health or condition, or payment for the provision of health care to them; or provision of health care to an individual; and
  • Identifies the individual, or can be used to identify the individual
• Applies to “Covered Entities” (CE):
  • Health providers
  • Health plans
  • Health care clearinghouses

HIPAA Security Requirements (diagram)
HIPAA Compliance comprises: Administrative Security Procedures, Legal Compliance, Technical Security, Business Associate Management, and Physical Security.

Safeguards: Standards, Safeguards and Implementation Features
• Standards: CEs/BAs are required to comply with standards in the following areas:
  • Administrative
  • Physical
  • Technical
  • Organizational Requirements
  • Policies & Procedures & Documentation Requirements
• Implementation Specifications:
  • Required - must be implemented after a risk analysis
  • Addressable - a second-level risk analysis is required

Privacy: Rules-Based vs. Risk-Based
• General principles of privacy regulations establish a rules-based permissive model:
  • Use & disclosure of PHI is not permitted unless the Rule specifically permits it
  • Purpose: to define & limit the circumstances in which an individual’s protected health information (PHI) may be used or disclosed by covered entities
• Emphasis on “gap analysis” rather than a risk analysis

Uses and Disclosures Permitted without Authorization
• To the Individual (unless required for access or accounting of disclosures);
• Treatment, Payment, and Health Care Operations;
• Opportunity to Agree or Object;
• Public Interest and Benefit Activities; and
• Limited Data Set for the purposes of research, public health or health care operations

Individual Authorization for Disclosures
• Authorization
  • A covered entity must obtain the individual’s written authorization for any use or disclosure of PHI that is not for treatment, payment or health care operations, or otherwise permitted or required by the Privacy Rule
• Psychotherapy Notes
• Marketing

Minimum Necessary
• A CE must make reasonable efforts to use, disclose, & request only the minimum amount of PHI needed to accomplish the intended purpose
• A CE must develop/implement policies & procedures to limit uses & disclosures to the minimum necessary
• When the “minimum necessary” standard applies to a use or disclosure, a CE may not use, disclose, or request the entire medical record, unless it can specifically justify the whole record as the amount reasonably needed for the purpose
• Not applicable in certain situations: 45 C.F.R. §§ 164.502(b) and 164.514(d)
ARRA: Overview of Other Key Provisions - 1
• Clarification and expansion of the definition of a “Business Associate” (BA)
• Increased Business Associate legal obligations
• Notification for breaches involving protected health information (PHI)
• Special provisions for vendors of personal health records and other non-HIPAA covered entities
• Restrictions on certain disclosures. Individuals may prohibit the disclosure of PHI to a health plan for services that the individual paid for out-of-pocket
• Restrictions on sales of EHRs, PHI. CEs and BAs may not sell PHI and EHRs, except in limited circumstances, unless the individual authorizes the sale

ARRA: Overview of Other Key Provisions - 2
• Accounting of certain PHI disclosures required if a CE uses an EHR. CEs must provide an accounting of disclosures of PHI made to carry out treatment, payment, & healthcare operations when the PHI is in an EHR
• Access to certain information in electronic format. An individual has a right to obtain a copy of his/her information in an electronic format from the CE
• Conditions on certain communications as part of healthcare operations. Limits the healthcare operations exception for communications when the CE receives remuneration for the communication, except in limited circumstances
• Fundraising opt-out
• Enhancement of enforcement, funding for enforcement, and increased penalties

Increased Business Associate Legal Obligations
• Each security & privacy requirement in the HITECH Act that is applicable to a CE is also applicable to a BA and should be included in the BA’s contract
• BAs must comply with the same administrative, technical, and physical safeguards that a CE is required to comply with under the Security Rule
• BAs must also comply with the documentation requirements (policies, procedures and other documents)
• BAs that violate the security & privacy provisions of HIPAA are subject to the same civil/criminal penalties as a CE

Clarification and Expansion of “Business Associate” Definition
• Definition of “Business Associate” includes:
  • entities that provide data transmission services to a CE (or its BA), if the service involves access to PHI on a routine basis, including:
    • a health information exchange organization;
    • a regional health information organization;
    • an E-prescribing Gateway; or
  • any vendor that contracts with the CE to allow the CE to offer a personal health record (PHR) to patients

Overview of Breach Notification Rule
• Applies some state breach notification concepts to federal health care law
• Applies to Business Associates (BAs) and Covered Entities (CEs) that experience a breach
• Covers EHRs and PHRs
• Final FTC regulations released August 18, 2009 (EHRs)
• Final HHS interim regulations and guidance released August 19, 2009 (PHRs)

Responding to an Incident: Process Under the New Rule
• Determine whether a “Breach” occurred
  • What is a Breach?
  • What is Not a Breach?
• Determine whether breach notification is required
• Follow Breach Notification Procedures
What is a Breach?
• A breach is the unauthorized acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule and which compromises the security and privacy of the PHI

What is NOT a Breach?
• It is important to know what is and is not a breach under the new Rules
• If not a breach, notification will not be required
• There are two methods provided by the Rule for determining if a breach occurred:
  • By Definition
  • By Risk of Harm Analysis

Not a Breach by Definition
• A Breach does not include:
  • Acquisition, access, use or disclosure of PHI by a workforce member or person acting under the authority of a CE or a BA which does not result in further use or disclosure in a manner inconsistent with the Privacy Rule, and the disclosure is:
    • made in good faith and within the scope of authority
    • inadvertently made, from one authorized person to another within a CE, BA or an Organized Health Care Arrangement (OHCA)
  • A disclosure of PHI where a CE or BA has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information
• §164.402(2)

Not a Breach – Other Factors
• Not a Breach:
  • if Privacy Rule not violated
  • if Privacy and Security of PHI not compromised
    • PHI not involved
    • PHI is “Secured”
    • There is no Risk of Harm
Breach Definition: A breach is the unauthorized acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule and which compromises the security and privacy of the PHI

No Risk of Harm
• A compromise of the security and privacy of the PHI must pose a significant risk of financial, reputational, or other harm to the individual
• A risk assessment is to be conducted to determine if harm exists
Definition: A breach is the unauthorized acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule and which compromises the security and privacy of the PHI
HHS Breach Notification Procedures: Timing, Notice and Content
• Breach Notice Rule - Timing, Content & Notice Requirements
• 47 organizations have reported breaches of 500 or more in the first reporting to HHS under this Rule
  • Range from a low of 501 (AK Dept of HSS) to a high of 500,000 (BCBS of TN)
  • Involving >1 M individuals in the first months of reporting
• Since 3/12/09 the Privacy Rights Clearinghouse has reported 228 breaches. Of these, 58 involved PHI
  • Includes electronic and paper-based PHI
  • http://www.privacyrights.org/ar/ChronDataBreaches.htm

State Notice of Breach Laws
• 46 states PLUS:
  • District of Columbia (B16-810, D.C. Code § 28-3851)
  • Puerto Rico (Law 111 and Regulation 7207)
• The following states do not have a notice of breach law:
  • Kentucky
  • Mississippi
  • New Mexico
  • South Dakota
• Most require businesses and/or government to notify state residents if their computerized “personal information” is involved in a data breach
• Compliance obligations can differ significantly and require research of key provisions in every state for which you have a resident’s PI

Emerging State Data Security Laws
• Ten states have laws requiring businesses to protect the “security & confidentiality” of personal information
  • AR, CA, CT, MD, MA, NV, RI, OR, TX, and UT
• Massachusetts is the only state that specifies what a business must do to comply:
  • Implement a risk-based “comprehensive, written information security program”, and
  • Encrypt all personal information stored on laptops and portable devices, all records & files transmitted over public networks, and all data transmitted wirelessly

Criminal Penalties Applicable to an Individual or an Entity
• Wrongful disclosure of individually identifiable information only if: …a person (employees or other individuals) shall be considered to have obtained or disclosed individually identifiable health information in violation of this part if the information is maintained by a CE... and it was obtained/disclosed without authorization
• “Willful neglect” may be either criminal or civil
• A formal investigation will commence if a preliminary investigation of the facts identifies that a possible violation is due to willful neglect
• Burden of proof is on the CE and/or BA

HIPAA Criminal Penalties
• A “knowing” violation shall:
  • (1) be fined not more than $50,000, imprisoned not more than 1 year, or both;
  • (2) if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and
  • (3) if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.

HITECH Act Civil Penalties
• Graduated penalties:
  • Unknowing - (A) through (D)
  • Due to reasonable cause & not to willful neglect - (B) through (D)
  • Due to willful neglect - if corrected, (C) - (D); if not corrected, (D)
• (A) $100 for each such violation (total amount imposed for all such violations during a calendar year may not exceed $25,000)
• (B) $1,000 for each such violation (total amount imposed on the person for all such violations during a calendar year may not exceed $100,000)
• (C) $10,000 for each such violation (total amount imposed on the person for all such violations during a calendar year may not exceed $250,000); and
• (D) $50,000 for each such violation (total amount imposed on the person for all such violations during a calendar year may not exceed $1,500,000)
• Money collected for civil damages funds OCR enforcement
• State Attorneys General are also provided enforcement authority

Enforcement Funding
• Any civil monetary penalty or monetary settlement collected with respect to a criminal or civil action brought under the HIPAA security and privacy provisions shall be transferred to the Office for Civil Rights of HHS
• This money will be used for enforcing the privacy and security provisions of HIPAA
• The HITECH Act calls for a study by the GAO to determine the feasibility of distributing to victims of a violation a percentage of any collected civil monetary penalty or monetary settlement, and the methodology to accomplish this

Enforcement by State Attorneys General
• Where the Attorney General of a State has reason to believe that an interest of one or more residents of that state has been or is threatened or adversely affected by any person who violates a provision of HIPAA, the Attorney General may bring a civil action on behalf of such residents in a U.S. District Court
• Damages will be statutorily imposed
  • The amount = the number of violations times up to $100
  • The total amount of damages imposed on the person for violations of all identical requirements or prohibitions during a calendar year shall not exceed $25,000
• The court may also award the Attorney General reasonable costs for bringing the action and attorney’s fees
Not Much Traction for “Negligent Protection of Data”
• The plaintiffs allege that a business collected their personal information for the business’ purposes, and then negligently allowed a third party to improperly access that personal information
• Plaintiffs have had difficulty establishing that the defendant has a duty to protect their information, and that they have suffered some compensable damage from that release

U.S. Breach Litigation
• “[N]o court has considered the risk [of ID theft] itself to be damage”
• Key v. DSW Inc.; Bell v. Acxiom Corp. - Plaintiffs unable to prove that the information was used improperly & that increased risk of ID theft was enough
• Stollenwerk v. Tri-West Healthcare Alliance - Plaintiff tried “fear of ID theft” as their damages; the Court rejected that
• See also Pisciotta v. Old Nat’l Bancorp, Kahle v. Litton Loan Servicing and Guin v. Brazos Higher Education Service Corporation, Inc. - the value of having good policies and procedures

Why Litigate, Then?
• Thus far they have not been successful proving negligence
• No harm (provable damages), no foul, say the Courts
• But litigation is about poking and prodding
• Plaintiffs are seeking the soft underbelly
• The goal: huge settlements even without the merits

TJX Companies Breach
• On Jan. 17, 2007, TJX Companies Inc. announced that the portion of its computer network handling customer transactions was breached by unauthorized individuals; >46.2 M credit/debit cards compromised
• Litigation & investigations; new laws to protect banks considered in CA, CT, IL, MA, MN, NJ, and TX (only MN actually enacted)
• Settlements have reduced what once was as many as 18 separate putative bank & consumer class action lawsuits against the company
• September 2007 - Settlement includes $7 M to reimburse customers

TJX Companies Breach (Continued)
• November 2007 - Settlement with Visa (and issuing banks) $40.9 M
• December 2007 - TJX settled for $40 M with banking associations & all but one individual bank for reimbursement of their costs
• April 2008 - Settlement with MasterCard (and issuing banks) $34 M
• June 2009 - $9.8 M to a group of 41 state AGs
• September 2009 - additional $525,000 to the FIs
• Total – $132,225,000

Hannaford and Heartland
• Hannaford Bros. Co. supermarkets (parent Delhaize America)
  • > 12 separate class actions in FL, ME, NH and NY
• Heartland Payment Systems, Inc. Litigation
  • Negligence, Breach of Contract, Breach of Implied Contract, Violation of NJ Consumer Fraud Act, and Negligence Per Se
  • Heartland faced 17 class actions, 10 bank & credit union class actions related to the breach. Heartland agreed to pay:
    • nearly $4.7 M (up to $2.4 M in damages), $760,000 in attorney's fees & expenses, & up to $1.5 M in admin costs
    • Am Ex Travel Related Services Co. Inc. just over $3.5 M
    • A max. of $60 M to Visa and Visa card-issuing banks
  • Total - $68,960,000 (8-K filing stated up to $73 M)

Breaches Cost Money, Even Without Litigation
• U.S. organizations continue to experience an increased cost of data breaches
  • Avg. cost up nearly 2%, $6.65 M (2008) to $6.75 M (2009)
  • Avg. cost per compromised record per breach up $2 ($202 to $204)
  • The most expensive data breach event included in this year's study cost nearly $31 M to resolve
• Companies that notify victims too quickly may in fact incur higher costs
  • $219 versus $196, a 12% difference
• The leadership of a CISO or equivalent position substantially reduces the overall cost of data breaches
Source: 2009 Annual Study: Cost of a Data Breach - Understanding Financial Impact, Customer Turnover, and Preventive Solutions, The Ponemon Institute
E-Health: Is a Claim Just a Click Away?
Future Trends/Outlook for 2010 and Beyond

Current Situation
• More people living longer
• Number of people with chronic illnesses is going to increase
• Therefore, increased pressure on the healthcare system and technology requirements
• One of the key drivers of healthcare reform is recognition of this problem and the attempt to deal with it:
  • Better quality of care
  • Cost containment
  • Better deployment of technology

Coordination of Care
• Draws the 3 elements together
• Fragmented delivery of care
  • Many different siloed systems, e.g. billing, care, control, record keeping, data
• Physicians & hospitals will become the pivot for delivering under this new approach and for co-ordinating amongst other providers as well as handling records and billing
• For this approach to work it will require efficient, usable technology with greater access points & capability than before
• HITECH is an attempt to facilitate and encourage/require the adoption of such an approach

Is This All Going to Work?
• Great in theory, but what about in practice?
• Short time frame – HITECH compliance by 2011 is ambitious
• Technology providers will be key. Are they up to it?
• More systems, broader coverage, more people accessing them is a bigger exposure
• Implementation will be key
• This will ultimately drive insurance requirements as the number of breaches and the average costs involved grow
• Claims scenarios become more complex, with greater scope for uncertainty as to where the responsibility lies
• Insurance policies will have to adapt to provide the coverage required as underwriting becomes more complex & exposures shift and change

Other Considerations
• Electronic Personal Health Records – As we move to EHRs, exposure increases & attracts more people's interest, & it is a more personal record. This could have an impact on the number and size of breaches.
• Solutions – Clients are looking for solutions & service and not just an insurance product.
• As exposure & complexity grows, it will continue to be one of the main drivers for purchasing insurance.
• Sub-limits – Must be addressed in the insurance market to provide the coverage required in the event of a claim.
• Underwriting – Time will tell.
  • More complex and in-depth underwriting
  • Risks carrying greater exposures
  • Broader policies
• Claims solutions must keep pace with a changing market