IT S ALL ABOUT THE DATA!!

Transcription

1 American Health Lawyers Association In House Counsel Program New York City, June 29,2014 IT S ALL ABOUT THE DATA!! Bernadette M. Broccolo McDermott Will & Emery LLP bbroccolo@mwe.com Thomas J. Kiser University HealthSystem Consortium kiser@uhc.edu McDermott Will & Emery. The following legal entities are collectively referred to as "McDermott Will & Emery," "McDermott" or "the Firm": McDermott Will & Emery LLP, McDermott Will & Emery AARPI, McDermott Will & Emery Belgium LLP, McDermott Will & Emery Rechtsanwälte Steuerberater LLP, McDermott Will & Emery Studio Legale Associato and McDermott Will & Emery UK LLP. These entities coordinate their activities through service agreements. This communication may be considered attorney advertising. Previous results are not a guarantee of future outcome. Current Reality: Data is the new Natural Resource Accelerating the development and implementation of a Big Data strategy is essential, not optional, for the full spectrum of industry stakeholders Health Reform Demands on Providers, Payors (Both Public and Private Sector) New Care Delivery Models Coordination, Accountability, Outcomes, Patient Experience, Population Health New Payment Models - Value not Volume (quality and cost benchmarking, comparative effectiveness) Real Time Clinical Care Delivery Decision Support, Evidence-Based and Personalized Medicine Biomedical Research Innovation (Treatment/Diagnosis/Product Development) Streamlining to Accelerate and Reduce Cost through Secondary Research as an Alternative to Clinical Trials Diversification and Maximization of Revenue Streams Operating Cost Efficiencies Mandated Manufacturer Post-Market Product Surveillance and Risk Mitigation (REMS) 2 1

2 Current Reality There will be: Some old, tried and true approaches and players Some new, untested ones Mixed Messages and Sentiments: Excitement v. Skepticism Changes in technology, business needs, resources, players and relationships Need for a strategy that evolves along the spectrum from the sublime to the ridiculous and is nimble enough to adapt to changes and developments in technology, business needs, resources, players and relationships, and law False starts, failures and delayed optimization are inevitable Compliance considerations are complex Public policy messages are conflicting Don t wait to start Proceed swiftly but cautiously not hastily! 3 Focus of Today s Discussion Current quest for Big Data: Who, What, Where, Why, When and How Big Data = Big Topic Overview of Spectrum of Big Data Initiatives Key Building Blocks for Moving Along the Spectrum Enterprise Risks and Associated Risk Management Strategies 4 2

3 The Mantra It s ALL about the DATA!!! what we know is that transfer of information is critical [t]hat's the human rocket science of how you make health care systems work well. Source: Bill Moyers Journal, Transcript of Interview of Dr. Jim Yong Kim, President of Dartmouth College and co-founder of Partners in Health, September 11, 2009, The reality is that hospitals are going to need data from outside the organization. No one will be able to operate in a bubble anymore it s not going to be adequate in an accountable care environment Jennifer Covich Bordenick, CEO, ehealth Initiative But, as with most buzz-attracting topics, gaining value through big data isn t as easy as it seems. Big Data doesn t necessarily mean good data Optum, Moneyball Analytics Big Data: The Newest Enterprise Risk Frontier Data is now seen as a highly valuable corporate asset. Data is a key ingredient for delivering and improving high quality and effective care and getting paid for it. BUT, Big Data strategies implicate key areas of enterprise risk: strategic, operational, financial, legal liability, regulatory compliance, reputation, etc. Identifying and managing the enterprise risks during the full life cycle of a Big Data initiative should be a priority focus of Board oversight. Effective Board Oversight and Risk Management require: Education, and Integrated, Enterprise-Wide Data Governance Infrastructure

4 Key Elements of Big Data Strategy Both Retrospective and Predictive Dimensions of: Electronic Data Collection Data Access and Exchange Data Aggregation, Extraction, Normalization and Validation Data Analytics and Reporting 7 Approaches to Data Access and Aggregation One, Some or All Of the Following: Drawing data solely/primarily from one s own internal EHR systems Accessing internal and external EHRs through interoperable EHR systems HIE participation (public v. private sector) Exchanging/combining clinical data with payer claims data Patient portals Access to public and private data Clouds Building a robust internal data warehouse by collecting and aggregating data from various internal and external sources Access to other third party data repositories for disease and population management (e.g., disease registries offered by professional societies, health industry consortia and trade associations, CDC, CMS and other government agencies) 8 4

5 Harnessing EHR Capabilities to Collect Data in Robust Electronic Data Warehouses Big Data Cornerstone Integration of Systems Provider Transition From Paper to Electronic Records Clinical Trial Management Systems Implementation Institutional Review Board Transition to Electronic Records Institutions Providing EHR Access To Medical Staff And Others HIEs (Private/Public) Institutions Physicians Labs Pharmacies Private/Public HIEs Electronic Data Warehouse (EDW) Electronic Data Warehouse (EDW) - Consortia - Pharma - CROs - Universities - Payors and Affiliates - Gov t - Other EDWs 9 Source of Tools and Expertise to Analyze Data Some Combination of the Following: Industry Consortia and Industry Trade Associations Payers and their Affiliates Home-grown medical informatics department, algorithms and other tools In-license third party analytical tools Outsourcing analytical support function to a third party

6 Emerging Stakeholder Collaborations Illustrative Purposes Revenue Cycle Management Automated Data Extraction Data Analytics to Produce Actionable Data (e.g., performance measurement) Clinical Decision Support and Artificial Intelligence Evidence/Information Based Medicine Personalized Medicine Acceleration of Clinical Research through Secondary Research Common Collaboration Structures Service and Support contracts/license Arrangements Contractual Joint Ventures Joint Venture Entities 11 Myriad Collaboration Participants Limitless permutations and combinations of: Stand-alone community hospital and regional and national healthcare systems Single and multi-specialty medical groups, large and small Other Providers Government and Private payers Industry Consortia, Trade Associations and Professional Societies Myriad Research Stakeholders AMCs/Universities Regional and National Health Systems Research Institutes Manufacturers CROs Other research Vendors and Service Providers Other Emerging Vendor and Support Organizations (analytics firms, cloud vendors)

7 University HealthSystem Consortium A unique strategic co-operative of leading academic medical centers, their affiliated hospitals and physician practices UHC helps its members to meet the unique challenges of, and to succeed in today s changing health care environment by creating knowledge, fostering collaboration and promoting innovation. Databases containing records of 100 million individuals (one-third of entire US population) Key Data Strategy Elements with both Retrospective and Predictive Dimensions

8 Creation and Use of EDWs for HCO Purposes General Rules Covered Entity s (CE s) Creation and use of an EDW solely for its own HCO purposes is an HCO purpose CE may retain a BA to assist in creation of the EDW Creation and use of a shared EDW with other CEs for certain HCO purposes CEs may retain a BA to assist in creation of the shared EDW as a Data Aggregator BA must conduct analysis and produce reports in de-identified form as a Data Aggregator that relate to the HCO Purposes of CEs providing the data CEs may directly share EDW data on all patients in fully identifiable form for any of one another s HCO purpose if the CEs are members of an OHCA CEs that are not members of an OHCA may directly share fully identifiable data on common patients for more limited HCO purposes CEs may share EDW data in the form of a limited data set for one another s HCO purposes pursuant to a Data Use Agreement 15 UHC Clinical Performance Intelligence Program Secondary Use of Aggregated Member Data UHC Performance Intelligence Program begins with submission of a copy of administrative data (e.g., ICD data) and certain EHR data (including PHI such as lab values) by Member-Participants through a Secure Server (See Handout Data Flow Diagram) UHC normalizes, standardizes, and error corrects the data to create a Data Mart Data Mart is used first in a Test Environment before becoming Active. A separate Data Mart and separate license agreement exists for each UHC Program UHC neither creates nor hosts a data warehouse comprised of Participant data in its original or adapted form; nor does it retain a copy of Participant s data submission in any other form. UHC places a filter on top of Data Mart (i.e., code that draws data out of the Data Mart) to protect against prohibited access to PHI. No one ever gets direct access to the Data Mart

9 UHC Data License Agreements UHC Rights to Create and Use Derivative Works UHC may create statistically de-identified version of the Data Mart for any purpose, free of any restrictions (e.g., use to populate other data bases to support other products, integrate products, etc.), UHC may create Limited Data Sets (LDS), but uses of LDS are subject to Participants approval. Participant Rights to Access to the Data Mart Participants may access the data mart and use it to submit queries and produce reports. Access by Participants is: Solely via a VPN, Only to their own PHI (for use to compare their own performance against aggregated benchmarks), and Only to data of other Participants that is statistically certified as de-identified. No third party access to any UHC data bases is permitted UHC Data License Agreements Participant s Data Ownership Rights Participant is sole owner of data it sends to UHC Participants retain physical possession and sole ownership of the original data. Participant owns reports generated from its own queries, subject to restrictions on their ability to share them. UHC Ownership Rights UHC owns the data in the aggregated form in the Data Mart UHC owns the supporting technology, architecture, tools UHC owns other Derivative Works (subject to license terms applicable to original work) 18 9

10 UHC Data License Agreements Battle of the Policies: Which ones control? Data storage and Use Security Infrastructure Encryption Data Transparency Representations and Warranties of the Participant and UHC Data Accuracy and Completeness Compliance Proper data sharing between and among Participant and its affiliates Data Liaison Due Diligence: UHC conducts an analysis of each participant s corporate structure to assure appropriate data access 19 UHC Data License Agreement UHC Disclaimers of Warranties Data AS IS UHC Performance Intelligence Program is not a substitute for exercise of professional diligence and judgment Limitations of Liability FTC Safe Harbor Requirements

11 UHC Business Associate Agreement One BAA is used for each Participant and governs all individual license agreements involving submission of PHI. Minimum Necessary Requirement Internal Controls Only Need to Know UHC personnel may not attempt to re-identify the de-identified data Data Drives Removing Access External Controls (e.g., Participant will not attempt to re-identify the de-identified data Includes UHC s right to create Limited Data Sets Breach Notification UHC does not report pings or unsuccessful log-ins to Participants UHC requests 10-day notice period to report a breach Return of Data Invokes the Infeasibility standard (unless termination occurs before Participant data submitted to Data Mart) 21 Data Governance Generally Data Governance as a means of Identifying and Managing Enterprise Risk Still an evolving concept with many variations Scope: All operational domains (not only IT) But Phased implementation will likely be more effective Common governance framework as foundation for domain-specific policies and procedures Principles, Organization, Standards and Process, Technology Tools Key Focus Areas Data definitions, architecture, strategy, quality/integrity, availability, integration, ownership, sensitivity, compliance, strategy, financial, storage and retention, leveraging, third party relationships

12 UHC Data Governance Governing Board Level Committee Performance Improvement and Comparative Data Committee Committee Charter Oversees: Policy and Procedure development and implementation Data Storage and Use Responds to Audit Requests UHC Does not allow Participants to Audit its system or logs 23 UHC Internal Controls Privacy and Security Policies (UHC has AT601 Attestation Credential) Proper Data Storage Designated Drives Limited Access to persons with Need to Know Internal Storage Cloud Storage UHC requires data privacy and security representations and warranties from the cloud provider. UHC requires specific cyber liability insurance from the cloud provider. UHC flows certain requirements down to the data base participants. UHC does not allow any off-shore data storage. Security Safeguards Data transmission Policies Using the Secure Data Exchange 24 12

13 UHC Internal Controls Third Party Firewall Testing Due Diligence Data Privacy and Security Attestations of Third Parties/Subcontractors No offshore storage, access and/or downloading Disaster Recovery Plan Insurance Coverage Policy Coverage Broker risk analysis addresses: Data De-Identification Storage Method Access controls (internal and external personnel) Segregation of databases # or Individuals whose records are included in database # of Individuals with access Data encryption (in motion and at rest) Disaster Recovery Business Continuity 25 Think Ahead: Use of EDW to Conduct Secondary Research Attorney Client Communication & Attorney Work Product: Privileged & Confidential -- DRAFT Research Health Care Operations for compliance purposes Anticipate possible future use of HCO Warehouse for Secondary Research so as to maximize flexibility of the warehouse Secondary Research use raises different compliance considerations than HCO use Common Rule Consent Requirement - generally permits researchers to seek informed consent to future research activities provided such future research is described in sufficient detail Recent Harmonization of HIPAA and Common Rule regarding Secondary Research Uses Under recent rules implementing HITECH Act, OCR will no longer require an authorization to identify the specific study for which PHI will be used and will allow an authorization to include a general description of the purposes of potential future research uses 26 13

14 EDW Creation and Secondary Research Use Under LDS Option Use of a limited data set (LDS) structure involving a BA as an Honest Broker provides additional flexibility to use EDW for research Avoids the need to obtain up-front HIPAA authorization and, possible Common Rule consent to: Create the EDW Mine the data to identify clinical cohorts Re-identify patients to present clinical trials Be sure to distinguish between: Creation of Research EDW Subsequent use of Research EDW Both are compliance moments for both HIPAA and the Common Rule 27 LDS Option: Honest Broker Strategy Can the same entity act as both the researcher using the LDS and the Honest Broker that both creates the LDS and performs the Re-Identification/Patient Contacting Role? Preamble to HITECH Final Rule raises question regarding longstanding practice of using an internal firewall to prohibit persons in the same organization from both creating the LDS and using the LDS for research. However, the Preamble language is largely consistent with prior statements from the Office for Civil Rights on the issue Supports the argument that the Preamble did not intend to diminish or eliminate the effectiveness of the firewall approach. A Covered Entity should consider consulting with an IRB for endorsement of this approach

15 Universal Privacy and Security Compliance Planning Considerations What stakeholders are involved in providing, accessing and exchanging information? What due diligence was performed to validate the privacy and security infrastructure of participants? What data will be contributed and exchanged? Will it contain identifiers/sensitive information when contributed? Competitively sensitive information? For what purpose was data originally gathered (clinical care? primary research study?) Was consent/authorization obtained and what scope of use did it cover? Was more data gathered than necessary for the original purpose? For what will the date be subsequently used? Was a consent/authorization obtained? Does the Notice of Privacy Practices address some or all of the Big Data Strategy? Directly or indirectly? 29 Universal Privacy and Security Compliance Planning Considerations Will data be made available to other than those who contributed it? For what purpose? Will any remuneration (financial or non-financial) be exchanged for contribution of or access to the data by participants in the arrangement? By others? What is the amount and, for data contributors, how does it compare to cost of contributing the data? Will the collection, aggregation, storage, analysis or reporting of data involve the use of external infrastructure/services provided by third party support organizations? Prime? Subcontractors? Due Diligence? Will data provided by one participant be returned or destroyed by other participants in the event of termination or withdrawal of that participant? What transition support will be provided upon such termination or withdrawal?

16 Risk Management Guideposts A thoughtful and thorough approach to risk allocation and risk management at the front-end will enhance the likelihood of short-term and long-term success and overall sustainability Need to anticipate scope of the risk in both the short-term and the long-term ALL parties play a role in creating and managing potential risks. Key Questions/Guideposts Who is in the best to manage/prevent against the risk? Who is able to insure against the risk? Need a multi-faceted risk management strategy: Technology infrastructure features, functions and performance capabilities Business processes synchronization with IT and proper training Policies, procedures and training and enforcement related to them Contracting due diligence and allocation of risk in third party relationships There is no one size fits all solution 31 Contractual Risk Allocation Developing new agreements and restructuring existing agreements Traditional IT application vendors (prime and subcontractors) Niche/emerging IT infrastructure and analytics vendors (prime and subcontractors) Collaborations (EHR, HIE, Peer to Peer, ACO, Registries) Note: It s a new ballgame even with some of the veteran players: Risk posture of vendors and other third parties has changed on some key issues due to environmental and regulatory uncertainties and ongoing changes Demands new approaches to allocation of risk on key issues

17 Supplemental Material 2013 McDermott Will & Emery. The following legal entities are collectively referred to as "McDermott Will & Emery," "McDermott" or "the Firm": McDermott Will & Emery LLP, McDermott Will & Emery AARPI, McDermott Will & Emery Belgium LLP, McDermott Will & Emery Rechtsanwälte Steuerberater LLP, McDermott Will & Emery Studio Legale Associato and McDermott Will & Emery UK LLP. These entities coordinate their activities through service agreements. This communication may be considered attorney advertising. Previous results are not a guarantee of future outcome. Final Rule s Enhanced HIPAA Privacy and Security Protections Extends HIPAA s Privacy and Security compliance requirements/standards and sanctions directly to Business Associates and their Subcontractors Policies, Procedures and Safeguards BA must notify Covered Entity of Breach of Unsecured PHI BA must enter into downstream BAs with Subcontractors Clarifies definition of BA to include data center operators, cloud service vendors, and other vendors that maintain or transmit PHI (even though they do not actively access PHI) Any individual that creates, maintains, or transmits PHI for a function or activity on behalf of a Covered Entity Lower threshold for triggering data breach notification and reporting Covered entity must rebut presumption that a breach occurred by demonstrating Low Probability that privacy of PHI has been compromised

18 Final Rule s Enhanced HIPAA Privacy and Security Protections Sale of Data Prohibition inhibits secondary market for sale and mining of data, with certain exceptions, including research, treatment and public health purposes Research exception restricts amount of remuneration to no more than cost incurred to contribute the data Restriction applies to both financial and non-financial (in kind) remuneration Increases flexibility for secondary research and other secondary uses of data Ability to combine authorizations for conditional and unconditional research into one document Description of Future Research Purposes no longer needs to identify a specific study Modified and expanded sanctions for violations Accounting for all treatment, payment and health care operations disclosures Not addressed by Final Rule 35 Other Privacy, Security and Confidentiality Laws State Sensitive Information Privacy/Confidentiality Laws Create additional restrictions that can preempt HIPAA The nature of the restriction can vary by state and by category of information May require a consent to: Disclose information for any purpose (even treatment or healthcare operations purposes) to other than members of the treatment team Retain a Business Associate to create a Limited Data Set or to De-Identify information Use sensitive information even in fully De-Identified form to conduct quality studies, comparative effectiveness and outcomes research, and clinical research May not recognize key aspects of HIPAA (e.g., De-Identified Data and Limited Data Sets, HCO v. Research )

19 Other Privacy, Security and Confidentiality Laws FTC s Health Breach Notification Rule State Data Breach Laws HIPAA federal breach notification laws preempt state breach notification laws only if the state laws are contrary to the federal law (i.e., impossible to comply with both state and federal requirements. All but a handful of states have security breach notification laws. Duty to notify generally arises when there is a reasonable belief that unencrypted electronic personal information has been acquired or accessed by an unauthorized person (e.g., SSN; DLN or other state ID number; account number, credit/debit card number that with other information allows access to financial information) Several have expanded personal information definition to include health-related information. GINA FDA and Common Rule Informed Consent Requirements More to come (Note: White House Big Data and Privacy Study) 37 UHC Data License Agreement Language Data Sharing and Access within Participant s System Data Liaison Language Participant further warrants that it has all necessary documentation and/or legal authority, including as appropriate data sharing agreements amongst its participating health care system members, to permit its on-site administrators access to Program Data and Participant Data. Participant agrees to indemnify UHC from any and all liability or breaches

20 UHC Data License Agreement Data sharing clauses for Participant and its Covered Affiliates HIPAA. All Parties will adhere to all statutory privacy rules and regulations, including HIPAA as amended. Attached hereto and incorporated herein as Exhibit 4 is Participant s Business Associate Agreement, as may be required by HIPAA. The Parties recognize that some safety and quality functions may be handled jointly by Participant and/or its Covered Affiliate(s), and that as a result employees of Participant and/or a Covered Affiliate may need sign-on privileges with respect to other entities participating under this agreement (either as Participant or as a Covered Affiliate). As a condition to UHC granting such signon privileges, Participant and Covered Affiliates represent and warrant that they are in compliance with all statutory privacy rules and regulations, and have all necessary documentation and/or legal authority, including if appropriate, data sharing agreements, to permit authorized users with sign on privileges to access the Materials and Participant Data. Participant agrees to indemnify UHC from any and all liability or breaches of this provision as provided in Section 12 below. 39 Universal Contracting Considerations How many agreements do you need? Need for a Master Agreement? Subcontractor Agreements? Data Availability and Integrity (accuracy and completeness) Changing Roles and Relationships of the Parties Change of control of one or more of the parties Exit and Transition Strategy Return of Data

21 Business Associate Relationships Does the BA know it is a BA? (e.g., HIE, Cloud Vendor) HIPAA-Compliant Security and Privacy Infrastructure HIPAA-Compliant Security Assessment HIPAA-Compliant Policies and Procedures Interplay with Covered Entity HIPAA Policies and Procedures Global privacy and security compliance program may not square with HIPAA Use of Subcontractors and Downstream Agreements Downstream Due Diligence Downstream BAA 41 Business Associate Relationships Prohibitions/Limitations on BA right to use data for other than services to Covered Entity Need for a separate agreement? Avoid Agency Relationship CE is liable for violations resulting from acts or omissions of a BA that is an agent of CE and acting within the scope of agency Use of Subcontractors Offshore Data Storage and Access Workforce Security-Related Pre-Screening

22 Business Associate Relationships Data Breach BA is subject to HITECH Act Data Breach Requirements and corresponding enforcement by OCR But, BAA should expressly require BA to cooperate if a potential breach occurs BA to promptly notify Covered Entity of incidents/coordinate timing with CE s notice and reporting deadlines BA to cooperate with Covered Entity in investigating and determining whether breach occurred Allocate responsibility for notice to patients and OCR/CMS between BA and Covered Entity for data breach responsibility 43 Business Associate Relationships Data Breach Review BA assessment practices and tools mindful of heightened risk that an unauthorized disclosure is a breach General indemnification by BA for: CE costs of notice and reporting and OCR sanctions Damages and costs in third party claims arising from data breach and breach of other privacy and security obligations Carve BA indemnity obligations out of damage caps and liability disclaimers Large BAs v. Small/Niche BAs Is Insurance a realistic alternative to indemnity?

23 Contracting Considerations HIT Application Vendor Thorough front-end due diligence of application s features and functions and data and security architecture is essential to assess ability of technology to contribute to reduction/management of data sharing compliance risks System access controls and firewalls to supplement break the glass approaches Track consent and authorizations Distinguish/segregate sensitive information Restrict access to sensitive information Audit and monitor system access Track data origination (Source, Date, Pre- and Post- Consent) Distinguish/segregate research record from medical record Corresponding detailed contractual description (including documentation, specifications etc.) is also key Contracting Considerations HIT Application Vendor Changes, upgrades, enhancements necessary for providers to comply with changes to/new interpretations of their applicable laws Vendor obligation to make the changes Corresponding Fees Beware of vendor disclaimer of responsibility for problems arising from use of the system by provider. Vendor s Use of Coordinated Bundle of Third Party Products Relational Database and Database Server Products Codes and Vocabularies Interfaces to other existing systems and Third Party Products Avoiding gaps in vendor accountability in HIT infrastructure involving multiple vendors and changing technology

24 Cloud Vendor Contracting Considerations Segregation of Data in Multi-Tenant Environment Location of Data Centers/Subcontractors Domestic v. Foreign Disaster Recovery Plan 47 HIE Relationship Complexities Founding Members/Founding Participants EHRs P E R M I T T E D HIE Cloud Vendor U S E Non-Founding Participants R = Ownership/ S = Policies = Contract Control = IT

25 HIE Contracting Considerations Scope of participation/exchange initially and over time Should the HIE be viewed as the alter ego of Founding Participants? HIE responsibility for providing adequate security compliance infrastructure and compliance-related HIT features, functions and performance (either directly or through IT vendor agreements) Policies and Procedures for Managing Privacy/Security Compliance Interplay of HIE and Participant Policies and Procedures Participant s influence/approval rights with regard to adoption and amendment of HIE Policies and Procedures Each Participant s obligation to have a solid internal privacy/security compliance program to support participation in the HIE Insurance coverage of HIE and the Participants 49 American Health Lawyers Association In House Counsel Program New York City, June 29,2014 IT S ALL ABOUT THE DATA!! Bernadette M. Broccolo McDermott Will & Emery LLP bbroccolo@mwe.com Thomas J. Kiser University HealthSystem Consortium kiser@uhc.edu McDermott Will & Emery. The following legal entities are collectively referred to as "McDermott Will & Emery," "McDermott" or "the Firm": McDermott Will & Emery LLP, McDermott Will & Emery AARPI, McDermott Will & Emery Belgium LLP, McDermott Will & Emery Rechtsanwälte Steuerberater LLP, McDermott Will & Emery Studio Legale Associato and McDermott Will & Emery UK LLP. These entities coordinate their activities through service agreements. This communication may be considered attorney advertising. Previous results are not a guarantee of future outcome. 25