e-Technology and Privacy: The New Frontier of Opportunity and Liability. Victoria L. Vance, Tucker Ellis & West LLP
According to President Obama: “To improve the quality of our health care while lowering its cost, we will make the immediate investments necessary to ensure that, within five years, all of America’s medical records are computerized . . . This will cut waste, eliminate red tape and reduce the need to repeat expensive medical tests.”
These people may have a different opinion about electronic medical records.
The Victims of Identity Theft May Not be Well Known, but the Costs are Real • 2007: average total cost per data-breach incident was $6.3M (per Ponemon Institute); • 2008: total fraud up 7% over 2007, to $48B (per Javelin Strategy & Research study); • Hard-dollar costs: direct loss, cost of investigation, mitigation, replacement and repair; • Soft costs: reputational damage, loss of business; • Human costs: time, fear, replacement efforts, credit problems; • In medical settings: the cost of mistaken identity is the risk that treatment is given to the wrong person, or delayed
OBJECTIVES: 1. Survey the array of electronic products and technologies that increase access (and risk) to PHI. 2. Prepare for the increased enforcement of privacy and security laws, and the surge in patient claims. 3. Enhance prevention efforts while readying a response protocol to activate in the event of breach.
I. Electronic World of Modern Healthcare: Traps for the Unwary The Electronic Medical Record (EMR) • Goal is to improve patient care, lower mortality, increase efficiency and reduce costs • Pay-for-performance (P4P) rewards quality care • Ideal for managing chronic diseases (obesity, heart disease, hypertension, diabetes). Baby boomers are aging: the 55+ population will peak in 2020 at 71.5 million • In a recent study, fewer than 2% of acute care hospitals had a comprehensive EMR system, and only 8-12% a basic system [1] [1] Jha, AK, et al., “Use of Electronic Health Records in U.S. Hospitals.” N Engl J Med 2009; 360.
Electronic Medical Records Privacy Risk: Who has access? What access? When? How?
EMR: Privacy Risks Who has Access? • Patients (and family members) • Log on as inpatient (“Open Medical Record”) • Log on remotely • Ability to “View Only” • Some systems allow patients to add data (e.g., BP checks, glucose levels, pacemaker settings, etc.)
EMR: Privacy Risks Who has Access? • Healthcare providers • At the “home” institution • But also, remote access for other treating physicians, referring physicians (and their staff) • Payers (and their designees) to conduct utilization, quality, billing and coding checks
EMR: Privacy Risks What is in the EMR? Content goes far beyond the “paper chart” • Photographs • X-ray images • Genetic information (now subject to new restrictions under GINA, the Genetic Information Nondiscrimination Act of 2008) • Clinical trial data • All correspondence: legal, disability, insurance, and more • E-mail • Outside medical records • Links to electronic billing systems • And more
EMR: Privacy Risks EMR tells more of a story than the paper chart • When were records/entries made? • Who made the entries? (Doctor, nurse, resident, PA, secretary, clerk?) • Have the entries been changed (edited, deleted, recreated)? What portion, when, and by whom? • Were the entries made at or after the time of care? Or before? • Are the entries genuine, or “cut and paste” copies of a prior entry? • Or are the entries rote, used repeatedly with every patient? (The EMR audit trail records all of this, which makes it both discoverable evidence and a tool for spotting misuse.)
EMR: Privacy Risks When and how can the EMR be accessed • Immediately • At the point of care • Remotely, from inside or outside the institution • Via thumb drives and other mobile media
EMR Privacy Breaches: How Can it Happen? • Lost laptop (containing clinical trial data on 5,000+ patients) • PHI uploaded to unsecured websites and mobile media (for a researcher’s ease of access while travelling) • Co-workers snooping • Hackers hacking (Akron Children’s Hospital; Sept. 2006) • Billing snafus (ex-wife’s OB records sent to new wife’s home) • “Misfiled” electronic records and data (entered into the wrong patient’s electronic chart; nearly impossible to remove) • EMR mined for fraudulent billing schemes
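The audit-trail questions on the "EMR tells more of a story" slide and the "co-workers snooping" item above are the same problem seen from two sides: the access log already records who opened which chart and when, so snooping is detectable if someone reviews it. The script below is an added example written for this page, not code from the presentation or from any EMR vendor. It assumes a hypothetical pipe-delimited access-log export (`timestamp|user|role|patient_id|action|documented_reason`), a care-team roster giving which users have a treatment relationship with which patients, and a privacy-office list of sensitive records; all three are constructed sample data, not real patient information.

```python
from collections import Counter
from datetime import datetime

# Constructed sample export (hypothetical format; not real patient data):
# timestamp|user|role|patient_id|action|documented_reason
SAMPLE_LOG = """\
2009-03-30T08:05:12|rn_jones|RN|P1001|VIEW|
2009-03-30T08:07:40|dr_patel|MD|P1001|EDIT|
2009-03-30T12:15:03|clerk_smith|CLERK|P2002|VIEW|
2009-03-30T12:16:10|clerk_smith|CLERK|P2002|PRINT|
2009-03-30T23:58:01|rn_jones|RN|P2002|VIEW|
2009-03-31T09:00:00|dr_lee|MD|P2002|VIEW|ED consult, attending unavailable
2009-03-31T09:30:00|dr_patel|MD|P1001|VIEW|
"""

# Treatment relationships, e.g. from the scheduling/ADT feed (constructed).
CARE_TEAM = {"P1001": {"rn_jones", "dr_patel"}, "P2002": {"dr_ng"}}
# Records the privacy office has flagged for heightened review (constructed).
SENSITIVE_PATIENTS = {"P2002"}
EXPORT_ACTIONS = {"PRINT", "EXPORT", "DOWNLOAD"}
BUSINESS_HOURS = range(6, 22)  # 06:00-21:59; everything else is "after hours"


def parse_log(text):
    """Parse the pipe-delimited export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action, reason = line.split("|", 5)
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "role": role,
                       "patient": patient, "action": action, "reason": reason.strip()})
    return events


def _finding(e, kind, detail):
    return {"kind": kind, "user": e["user"], "patient": e["patient"],
            "ts": e["ts"].isoformat(), "action": e["action"], "detail": detail}


def review_access(events, care_team=CARE_TEAM, sensitive=SENSITIVE_PATIENTS):
    """Flag three things a privacy officer wants to see:
    - access with no treatment relationship and no documented reason (snooping candidate),
    - break-the-glass access (no relationship, but a reason was entered) to verify,
    - print/export of a flagged record, which is a copy leaving the system."""
    findings = []
    for e in events:
        on_team = e["user"] in care_team.get(e["patient"], set())
        if not on_team:
            if e["reason"]:
                findings.append(_finding(e, "break_glass", "verify reason: " + e["reason"]))
            else:
                detail = "no treatment relationship"
                if e["ts"].hour not in BUSINESS_HOURS:
                    detail += "; after hours"
                findings.append(_finding(e, "no_relationship", detail))
        if e["patient"] in sensitive and e["action"] in EXPORT_ACTIONS:
            findings.append(_finding(e, "sensitive_export", "copy of a flagged record left the system"))
    return findings


def snooping_report(log_text=SAMPLE_LOG):
    """Findings plus a per-user count of undocumented accesses, which is the
    number to sort on first when many users touch one high-profile chart."""
    findings = review_access(parse_log(log_text))
    by_user = Counter(f["user"] for f in findings if f["kind"] == "no_relationship")
    return {"findings": findings, "by_user": by_user}


if __name__ == "__main__":
    report = snooping_report()
    for f in report["findings"]:
        print(f"{f['ts']} {f['kind']:16} {f['user']:12} {f['patient']} {f['action']:5} {f['detail']}")
    print("undocumented accesses by user:", dict(report["by_user"]))
```

On the sample data the clerk's two undocumented accesses to the flagged chart, the nurse's after-hours look at a patient she is not assigned to, and the print of a sensitive record are all reported, while the physician who entered a break-the-glass reason is listed for verification rather than as a violation. The roster is the weak point of this approach: if the treatment-relationship feed is stale, legitimate care shows up as snooping, so the output is a review queue, not a disciplinary finding.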
The Newest Technologies: Risk and Reward E-Mails • Written in shorthand, cryptic and casual; can lead to misunderstanding and misinterpretation • Often not effective for discussing complex clinical issues • Not a substitute for a physical exam and direct patient dialogue • Do you know your audience? • Take care with content: third-party liability for employees’ alleged libel, slander and defamation • Demands of eDiscovery: must be able to save and produce
The Newest Technologies: Risk and Reward But added privacy risks when e-mail used with or about patients: • A medical postcard • Who has access? • Risk of being misdirected or intercepted • Often not password protected or encrypted, especially when sent from home e-mail system • Internal e-mail about patients, adverse events, quality concerns and gripes • Can live on and on: forwarded, printed, but never really deleted • Often pasted into the EMR
The Newest Technologies: Risk and Reward A picture’s worth . . . a thousand words, and a lot of money!
The Newest Technologies: Risk and Reward Pictures can be funny or embarrassing
The Newest Technologies: Risk and Reward but if patients are involved, the pictures can be devastating: • ED footage of dying patients leaked to the internet • Inappropriate cell phone pictures of patients, especially children Triggers for adverse publicity, reputational damage, lawsuits, investigations, surveys and more
The Newest Technologies: Risk and Reward Social Networks, YouTube and blogs
The Newest Technologies: Risk and Reward www.facebook.com • Started as a social network for Harvard students in 2004 • Since September 2006, site is open to anyone • Allows members to join “networks” based on geography, profession, interests, etc. • Users can add friends and then post messages, photos, videos for these friends to see • Important to read Terms and Conditions, to know how networks will share member information. (Blockbuster sued over Facebook ad program, May 2008)
The Newest Technologies: Risk and Reward www.myspace.com • Smaller globally than Facebook • Focused targeting towards teens and young adults • Offers e-mail, forums, communities, videos and weblog space www.twitter.com • 6 million users since 2006 • 140-character “tweets” • Read by “followers” individually, or by the thousands, all simultaneously • Accepts photos, video, text • “Virtual water cooler” [2] [2] Julio Ojeda-Zapata, Twitter Means Business
The Newest Technologies: Risk and Reward Social Network sites: A Global Consumer Phenomenon • Adult usage of social networking sites has more than quadrupled in the past four years: 8% of adults in 2005; to 35% of adults in 2009[3] • 79% of employees use social media at work for business reasons • 51% access media sites at least once per day [4] [3]Pew Internet Project’s December 2008 survey; http://pewresearch.org [4] FaceTime Communications Survey, Oct. 27, 2008; http://www.facetime.com
The Newest Technologies: Risk and Reward Figure 3: Change in total minutes spent, Dec ’07 to Dec ’08 (Nielsen Company Report, March 2009): All Internet +18%; Member Communities +63%; Facebook +566%. The total amount of time spent on Facebook increased by 566%.
The Newest Technologies: Risk and Reward Figure 10: Facebook and LinkedIn have experienced large relative increases in global Online reach (Nielsen Company Report, March 2009)
The Newest Technologies: Risk and Reward In the healthcare setting, social network sites are used: By patients and families • As a bulletin board to update friends about status and care • Often contain sensitive identifying information • Latest invention: a movement sensor that posts to Twitter; one pregnant couple uploaded moment-to-moment baby kicks • What’s next? Patients can send “tweets” regarding blood sugar or heart rate readings, and more…
The Newest Technologies: Risk and Reward Social Network Sites are Used: By Hospital CEO • Runningahospital.blogspot.com, by Paul Levy, President and CEO of Beth Israel Deaconess Medical Center • To “share thoughts about hospitals, medicine and healthcare issues” • July 2008, Levy blogged openly about a wrong-site surgery event that occurred at BIDMC; notified the entire BID staff within a few days of the mistake, and initiated contact with the media • Paul Levy admits he is on a crusade to reduce medical mistakes, regularly blogging about the issue and publicly disclosing preventable events; confident the “short-term adverse publicity” will soon be outweighed by improved patient care and greater trust within the institution.
The Newest Technologies: Risk and Reward By healthcare providers: M.D.s, RNs, students • As a tool for public health outreach (e.g., notification to patients, groups or “networks” potentially exposed to HIV, STDs) • “Grand Rounds on the Internet” • Surgeons tweeting from the OR • Even the AMA launched a Twitter profile page: “to provide updates on what is needed to better serve patients and empower physicians to deliver the highest quality care (AMA Press Release, 04/06/09) • UCSF using a YouTube channel and Facebook page to communicate with patients about chronic diseases, connect with external audiences, reach donors, and recruit potential clinical trial participants • But some providers just want to rant (and rave) about their patients and their day
The Newest Technologies: Risk and Reward The problem? These sites are viewed by medical colleagues and patients In a recent study of 271 medical blogs: • 45% written by identified authors • 42% included descriptions of interactions with patients • 17% included sufficient detail for patients to identify their doctors or themselves • 3 blogs showed recognizable photograph images of patients [5] [5] Lagu, T. et al. J Gen Intern Med 23(10):1642-6 (July 23, 2008)
The Newest Technologies: Risk and Reward Privacy risks • One slip . . . • Patient name • Identifying information • Picture or video • Poor choice of words • One click . . . . . . and it’s on the network
The Newest Technologies: Risk and Reward Risks of social network sites include • If the social network is maintained by a healthcare provider, it may trigger HIPAA Privacy Rule Obligations • Possible liability for torts committed by employee(s) including disparagement, embarrassment, harassment, discrimination, defamation, libel, invasion of privacy • Possible intellectual property infringement, or dissemination of employer’s confidential or proprietary information • Retention demands of e-Discovery
The Newest Technologies: Risk and Reward The Newest Frontier: Personal Health Records (Diagram: Individual, PHR, Healthcare Provider) • A tool for patients to better manage their health and wellness • Collection of medical data, gathered from various providers and controlled by the patient
The Newest Technologies: Risk and Reward Personal Health Records • Hosted by a vendor site (Microsoft HealthVault™, Google Health), not by the healthcare provider • Some PHR sites are offered by employers and insurers (Aetna’s CareEngine™) • Patient-controlled access (for relatives, friends, caregivers and physicians) • Some PHR platforms have applications for (1) searching for relevant medical articles and (2) uploading data from patients: family history, Rx, appointments, test results and data from home devices that manage chronic diseases
The Newest Technologies: Risk and Reward Personal Health Records • Mobile for ease of access and interoperable; not tethered to one institution • Enhanced continuity of care and efficient communication • Some sites have lax password access controls • Not recognized as a legal medical record • Unless hosted by a HIPAA-covered entity, most PHRs are still beyond the reach of HIPAA • But HIPAA does control how PHI enters a PHR: by direct transfer from the covered entity to the PHR, or via the patient
The Newest Technologies: Risk and Reward Personal Health Records • Privacy protections derive from the vendor’s privacy notice; subject to change • Potential for production to third-parties without patient consent • Some PHR providers seek to sell or share PHI information with contractors and business partners, and link with advertisers and insurers • Exposing sensitive PHI to “strangers” – the employees of and associates of the PHR storage company
II. Enforcement Measures to Secure Privacy Calendar of Events: FTC “Red Flag Rules” (slated to take effect November 2008; postponed to May 1, 2009) Purpose: to detect, prevent and mitigate identity theft (misappropriation of a patient’s name, insurance information, SSN or identity in order to obtain medical goods or services) Risk: in a medical setting, identity theft can cause inaccurate information to be placed in the victim’s or the perpetrator’s medical record, leading to wrong treatment given or correct treatment withheld Scope: financial institutions and “creditors” that maintain “covered accounts”; by definition, this will include medical providers that regularly allow patients to defer payment or pay in installments Goal: to establish reasonable processes and procedures to detect, prevent and mitigate instances of identity theft
II. Enforcement Measures to Secure Privacy Key Features of Red Flag Rules: • Program must be in writing • Include policies and procedures to identify, detect and respond appropriately to red flag triggers • Organizations have flexibility to tailor their Red Flag program to the organization’s size, complexity, and past experience with identity theft • Red Flag program cannot trump EMTALA • Program must be formally approved and regularly reviewed by the Board (or designated senior management) • Include staff training and oversight • Conduct periodic risk assessments
II. Enforcement Measures to Secure Privacy Genetic Information Nondiscrimination Act of 2008 (GINA) • Signed into law 05/21/08; employment provisions effective 11/21/09 • Prohibits discrimination by employers and health insurers on the basis of genetic information • Directs employers to treat genetic information as a confidential medical record • Requires genetic information to be maintained on separate forms and in separate medical files • Restricts the disclosure of genetic information to third parties, researchers, labor organizations, and government officials
II. Enforcement Measures to Secure Privacy Providence Health Settlement (07/15/08) • HHS and Providence entered a Resolution Agreement, including a monetary settlement ($100K) and corrective action plan • Sanction for loss of backup tapes, optical discs and laptops containing unencrypted electronic PHI of ~386,000 patients • No evidence of actual disclosure of individually identifiable information • Corrective action plan required revision of Providence’s HIPAA policies focusing on physical and technical safeguards, offsite transport and storage of electronic media, workforce training, audits and site visits and submitting compliance reports to HHS • Announcement of Settlement came with explicit warning to other covered entities
II. Enforcement Measures to Secure Privacy OIG Work Plan for 2009 (10/08) Includes: • Plan to review hospitals’ and contractors’ security controls relating to electronic health information protections, access, storage and transport • OIG critical of CMS’s oversight of HIPAA security rule; recommend CMS become proactive in enforcement by focusing on compliance reviews • OIG plans to review OCR’s oversight of HIPAA privacy rule
II. Enforcement Measures to Secure Privacy FTC Report on Protecting Social Security Numbers (12/17/08) 5 measures to help prevent social security numbers from being used as a tool for ID theft • Improve consumer authentication – consider establishing national consumer authentication standards • Restrict public display and transmission of SSN • Establish standards for data protection and breach notification – require private sector entities to provide public notice in the event of a security breach • Further guidance to businesses and consumers to decrease use of SSN and increase protections • Develop government – private clearing house of “best practices” for SSN usage and fraud protection
II. Enforcement Measures to Secure Privacy CVS settlement with OCR and FTC (01/16/09) • First such joint investigation and resolution between OCR and FTC • Arose from failures to safeguard PHI when disposing of pill bottles: bottles found in industrial trash bins, unsecured and publicly accessible • Corrective plan focuses on policy practices and training regarding proper disposal processes • CVS must actively monitor its compliance, engage a 3rd party auditor, report on compliance to OCR (for 3 years) and FTC (for up to 20 years)
II. Enforcement Measures to Secure Privacy • 02/26/09: two Wisconsin nurses were fired and the case referred to the FBI when they took a cell phone picture of a patient’s x-ray and posted it on a Facebook page • Peeking into celebrity records continues: 03/31/09 Kaiser Permanente fired 15 employees who accessed the records of octuplet mom Nadya Suleman
II. Enforcement Measures to Secure Privacy INDIVIDUAL LAWSUITS No private right of action under HIPAA, but . . . class action filings are increasing, as wide scale breaches are publicly disclosed • Plaintiffs now using negligence theories to frame a cause of action (failure to comply with industry “standards of care”) • Establishing actual damages remains the plaintiffs’ biggest challenge • Plaintiffs ideal case: negligence approach, large class size, statutory damages: Melvin Gene Snow, et al. vs. Lenscrafters, Inc., et al. Superior Court of California, San Francisco County, Case No. CGC-02-405544 (July 2008): >$20m expected to be paid to 1.6m California consumers for misuse of patients’ medical and prescription information in violation of California’s Confidentiality of Medical Information Act and other consumer protection laws.
II. Enforcement Measures to Secure Privacy Private Litigation • Potential for D & O exposure: claims against management for failing to take steps to prevent cyber damage (hacking, loss of PHI, misuse or manipulation of data) or to mitigate it; Board accountability per FTC Red Flag Rules • Lesson: hospital leadership and Board must ensure strong IT security practices and policies are in place; understand security trends, evaluate exposures, document compliance testing and regular auditing [6] • Potential for punitive damages? • Hospitals having prior notice and knowledge of risk, past history of identity theft mishaps • Incumbent on hospitals to document ongoing compliance effort • Criminal and civil claims for unauthorized photography [6] Source: AON P Technical
II. Enforcement Measures to Secure Privacy State Specific Security Laws NEVADA – effective 10/01/08, “a business in this state shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secured system of the business unless the business uses encryption to ensure the security of electronic transmission.” MASSACHUSETTS – effective 05/01/09, new set of security practice obligations; applicable to businesses in all sectors; safeguards include encryption standards and physical access restrictions
II. Enforcement Measures to Secure Privacy CALIFORNIA – Effective 01/01/09, two California laws penalize snooping in Medical Records. Senate Bill 541 • Healthcare providers, clinics, hospices and home health agencies must prevent unauthorized access to or disclosure of PHI • Substantial monetary penalties by California Department of Public Health • Patients (and DPH) must be notified of breach within 5 days • Greater penalties for egregious noncompliance causing patient injury or death
California Assembly Bill 211 • Focus on the offending providers; civil penalties for licensed workers who “knowingly and willfully” obtain, disclose or use PHI unlawfully • Gives patients a private right of action to sue, for actual or nominal damages • Establishes “the Office of Health Information Integrity” within California’s HHS; enforcement oriented, including ability to make referrals to State Licensing Boards
II. Enforcement Measures to Secure Privacy The American Recovery and Reinvestment Act of 2009(“ARRA”): a.k.a HITECH Act of 2009 • Incentives for increased use of “meaningful” EMRs (for e-prescribing, interconnectivity, and reporting of quality measures), but with increased security measures as well: to encourage use and build trust in the EMR technology • $20B commitment; “the most important legislation to ever impact health IT.” (Steve Lieber, President of HIMSS)
HITECH Act of 2009 ARRA-HITECH utilizes HIPAA framework, but broader coverage and increased burdens • Expansion of security and privacy rules to Business Associates (eff. 02/17/10) • Administrative, physical and technical safeguards • Security awareness and training programs • Policy, procedure and documentation requirements • New disclosures/accounting obligations to patients upon request • Notification of breach to covered entities • Civil and criminal penalties apply