Leveraging Big Data in Healthcare: Navigating HIPAA, Antitrust, Stark and AKS Compliance and Security Issues

Transcription

1 Presenting a live 90-minute webinar with interactive Q&A Leveraging Big Data in Healthcare: Navigating HIPAA, Antitrust, Stark and AKS Compliance and Security Issues THURSDAY, MAY 21, pm Eastern 12pm Central 11am Mountain 10am Pacific Today s faculty features: Adria Warren, Partner, Foley & Lardner, Boston Chanley T. Howell, Partner, Foley & Lardner, Jacksonville, Fla. Sara J.B. English, CIPP/US, Partner, Kutak Rock LLP, Omaha, Ne The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions ed to registrants for additional information. If you have any questions, please contact Customer Service at ext. 10.

2 Tips for Optimal Quality FOR LIVE EVENT ONLY Sound Quality If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection. If the sound quality is not satisfactory, you may listen via the phone: dial and enter your PIN when prompted. Otherwise, please send us a chat or sound@straffordpub.com immediately so we can address the problem. If you dialed in and have any difficulties during the call, press *0 for assistance. Viewing Quality To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again.

3 Continuing Education Credits FOR LIVE EVENT ONLY For CLE purposes, please let us know how many people are listening at your location by completing each of the following steps: In the chat box, type (1) your company name and (2) the number of attendees at your location Click the SEND button beside the box In order for us to process your CLE, you must confirm your participation by completing and submitting an Official Record of Attendance (CLE Form) to Strafford within 10 days following the program. The CLE form is included in your dial in instructions and in a thank you that you will receive at the end of this program. Strafford will send your CLE credit confirmation within approximately 30 days of receiving the completed CLE form. For additional information about CLE credit processing call us at ext. 35.

4 Program Materials FOR LIVE EVENT ONLY If you have not printed the conference materials for this program, please complete the following steps: Click on the ^ symbol next to Conference Materials in the middle of the lefthand column on your screen. Click on the tab labeled Handouts that appears, and there you will see a PDF of the slides for today's program. Double click on the PDF and a separate page will open. Print the slides by clicking on the printer icon.

5 Leveraging Big Data in Health care: Navigating HIPAA, Antitrust, Stark and AKS Compliance May 21, 2015 Chanley T. Howell Partner Foley & Lardner Adria Warren Partner Foley & Lardner Sara English Partner Kutak Rock LLP 5

6 Introduction to Big Data in Health care Improved Technologies (data storage, data mining, data sharing) U.S. Government Initiatives and Public/Private Opportunities (NIH s BD2K ) Enhanced Infrastructure and Capacity (EMRs) Expanding Health Care Operation Functions (data analytics) Proliferation of Web-based Technologies and Mobile Devices Big Data Technical, Institutional, Operational Challenges??????? Legal Considerations Privacy and Security Laws and Regulations $$$$$$$$ 6

7 Introduction to Big Data in Health Care Older people were less inclined to share anonymized health data, an NPR-Truven Health Analytics poll found. Poll: Most Americans Would Share Health Data for Research - Scott Hensley (Shots-Health News:NPR) January 9, 2015 Available at: 7

8 Risk/Reward Quality and nature of the risks and rewards are different than other industries: Patient outcomes are at stake. PHI is always in-scope at some stage. There are ethical and policy considerations. It is important to get it right. Collection and use of Big Data is ubiquitous and everyone is paying attention. Failures are costly violation of multiple legal regimes. 8

9 Risk/Reward Strategic and technical challenges Inherent to the V s of Big Data: Volume Velocity Variety Veracity Specifically, collecting quality data that is from reliable methods. Complying with all requirements that attach to the data. Maintaining a consistent institutional program. 9

10 Capstone: HIPAA Health Insurance Portability and Accountability Act ( HIPAA ): Touches all aspects of most health care data. Covered Entities and their Business Associates. Governs the use of PHI and establishes frameworks for nearly each step in the process. 10

11 Capstone: HIPAA Protected Health Information is broad. The definition is based on IIHI: Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and: (1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) That identifies the individual; or (ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual. 11

12 Capstone: HIPAA Generally, PHI may be used by the covered entity for Payment Treatment Health Care Operations Consent is not required for these three areas, but frequently sought. Uses of PHI outside of these categories require a written authorization (permission) from the patient. Consent Authorization. 12

13 State v. Federal Laws HIPAA provides a federal floor of privacy protections and states are free to impose more stringent protections should they deem appropriate. (See 45 C.F.R ). 13

14 State Privacy & Security Laws: A Patchwork Quilt 50-State Survey Disclaimer Survey was designed to provide an overview of applicable state law, limited to select state statutes. State administrative regulations, attorney general opinions, licensure board opinions, and court decisions may impact a state s privacy regime. In that regard, the survey should be used for reference purposes only and not relied on as legal advice. 14

15 State Privacy & Security Laws: A Patchwork Quilt States that have worked to harmonize their regimes with HIPAA compliance with HIPAA may constitute deemed compliance under equivalent state law include: Hawaii Iowa Kansas Missouri Ohio West Virginia 15

16 State Privacy & Security Laws: A Patchwork Quilt States with relatively comprehensive, broad or stringent privacy regimes: California (Cal. Civ. Code 56.10) Florida (Fla. Stat ) Illinois (410 Ill. Comp. Stat. 50/3) Maine (Me. Rev. Stat. Ann. Tit. 22, 1711-C) Massachusetts (111 Mass. Gen. Laws ch. 70E) New Hampshire (N.H. Rev. Stat. Ann. 151:21) Tennessee (Tenn. Code Ann ) Vermont (Vt. Stat. Ann. tit. 18, ) 16

17 State Privacy & Security Laws: A Patchwork Quilt Patient Bill of Rights Florida: Every patient who is provided health care services retains certain rights to privacy, which must be respected without regard to the patient s economic status or source of payment for his or her care. ) (Fla. Stat ) Massachusetts: Every patient or resident of a facility shall have the right... to confidentiality of all records and communications to the extent provided by law. (111 Mass. Gen. Laws ch. 70E) 17

18 State Privacy & Security Laws: A Patchwork Quilt Expansive Privacy Protections HIPAA (45 C.F.R ) Protected Health Information includes individually identifiable health information that (1) is created or received by covered entities, (2) relates to past, present or future physical or mental health or condition... provision of healthcare... or payment for care and (3) identifies the individual, or with which there is reasonable basis to believe the information can be used to identify the individual. California Medical Information Act (Cal. Civ. Code 56.10, (2013)) Medical information means any individually identifiable information... in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient s medical history, mental or physical condition, or treatment. Any business organized for the purpose of maintaining medical information in order to make the information available... shall be deemed a provider of health care. 18

19 State Privacy & Security Laws: A Patchwork Quilt Restrictions may apply to specific persons/entities, e.g., providers/other licensed professionals, hospitals, insurers, managed care organizations or health maintenance organizations. Example: Oregon (Or. Rev. Stat ) restricts an insurer s ability to disclose medical information about an individual collected or received in connection with an insurance transaction without that person s written authorization. 19

20 State Privacy & Security Laws: A Patchwork Quilt Most states also protect designated categories of sensitive data e.g., mental health, genetic information, substance abuse, communicable diseases (HIV/AIDs). Example (mental health): Unless waived by express and informed consent... the confidential status of the clinical record shall not be lost by either authorized or unauthorized disclosure. Fla. Stat

21 Examples of Non-HIPAA Google Flu Target Pregnancy Predictor 21

22 Examples of Non-HIPAA PHI Exceptions Education Records Employment Records Deceased > 50 Years Personal Health Records Mobile Devices / Web 22

23 Legal Considerations (other than HIPAA) Family Educational Rights and Privacy Act ( FERPA ) FTCdone Privacy Policies Contractual 23

24 Legal Considerations (other than HIPAA) Privacy Act of 1974 (Federal Agencies) Clinical Laboratory Improvements Act (Labs) Children s Online Privacy Protection Act of 1998 (COPPA) Gramm-Leach-Bliley Act and ERISA (Health Plans) Federal Substance Abuse Records Statutes 24

25 Legal Considerations (other than HIPAA) FTC v. PaymentsMD Patient Portal Deceived Consumers Consent Health Information = Sensitive 25

26 Additional Considerations AKS & Stark Anti-Kickback Statute Generally, prohibits offering, paying, soliciting or receiving anything of value to induce or reward referrals or generate federal health care program business. Stark Law Prohibits a physician from referring Medicare patients for designated health services to an entity with which the physician (or immediate family member) has a financial relationship, unless an exception applies. Prohibits the designated health services entity from submitting claims to Medicare for those services resulting from a prohibited referral. 26

27 Additional Considerations - Antitrust Coopertition Manage Risk: Competitively sensitive data? Economic information Cost Volume Competitive Effect? Criteria for accessing data Inclusive/exclusive Test = Rule of Reason 27

28 Security Increases in Health Care Data Breaches Criminal attacks increased by 125% Past 2 years 91% of health care organizations at least 1 breach 39% reported 2 to 5 breaches 40% more than 5 breaches Source: Ponemon Institute Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data 28

29 Security Sources of Health Care Data Breaches Criminal attacks 45% Lost or stolen laptops / devices 43% Employee mistakes 40% Malicious insiders 12% Source: Ponemon Institute Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data 29

30 Security 30

31 Security 31

32 Security 32

33 Security 33

34 Contractual Limitations Business Associates Business Associates: Third parties that have access to, create or receive Protected Health Information To perform or assist in the performance of a function on behalf of the Covered Entity: Utilization review, quality assurance, billing, practice management To provide legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation or financial services Covered Entity can be Business Associate of another Covered Entity. Subcontractor would be defined as Business Associate. 34

35 Contractual Limitations Business Associates Business Associates are directly subject to applicable HIPAA regulations and to civil penalties for violations (regardless of whether BAA executed). Business Associates are subject to Security Rule. Business Associates are directly subject to certain Privacy Rule provisions: Use and disclose PHI in accordance with Business Associate Agreement or Privacy Rule. Disclose PHI for compliance purposes. Provide individual access to PHI. Comply with minimum necessary standard. Enter into Business Associate Agreements with Subcontractors. 35

36 Contractual Limitations Business Associates The Omnibus Final Rule effectively made a Covered Entity or Business Associate strictly/vicariously liable for violations by its agent. The most important criterion is the right to exercise control over the Business Associate. In drafting a BAA, consider the trade-off between the need to control the Business Associate and the liability associated with such control. 36

37 Case Study - 1 ABC Health System and its owned hospitals and clinics are an OHCA. ABC wants to hire Aggregate4U, an analytics company, to mine its databases and electronic health records for various purposes. 37

38 Case Study - 1 Treatment, Payment, Health Care Operations Ethics: Predictive Analytics Other uses? 38

39 Case Study - 2 ABC uses XYZ Medical Management, a world-class EHR system. ABC s deployment of XYZ s solution (Giant EHR) is managed as a shared electronic health system environment. All OHCA participants use it, and ABC resells/sublicenses Giant EHR to community clinics and small hospitals who are not members of the OHCA. ABC wants to assure that the shared Giant EHR participants are also participating in the regional HIE, AnyStateHealth. ABC wants all the shared Giant EHR participants to send records to, and participate in, an oncology database. 39

40 Case Study - 2 Stark and AKS (Shared EHR) What limitations? Legal Authorizations Can this be segmented? Database participation Antitrust considerations 40

41 Case Study - 3 RST Oncology Specialists is a physician-owned clinic that participates in ABC s shared Giant EMR. The owners of RST, including Dr. Bill, are all non-employed staff physicians at several ABC hospitals. In order to achieve meaningful use, and to report on a number of other quality initiatives, Dr. Bill needs ABC to help him extract a significant amount of information from his patient files. 41

42 Case Study - 3 Meaningful Use Requires greater interoperability and data sharing. More opportunities and incentives to move beyond using the EHR for day-to-day. Extraction Assistance, Consulting, Reporting Tools, Etc.? Fair market value. If applicable, are these permissible donations? 42

43 Case Study - 3 Stark Electronic health records items and services exclusion (the 85 rule). Nonmonetary remuneration (consisting of items and services in the form of software or information technology and training services) necessary and used predominantly to create, maintain, transmit or receive electronic health records.... Stark identifies certain types of remuneration which, if provided, would not create a compensation arrangement subject to the physician selfreferral prohibition. Such remuneration includes the provision of items, devices or supplies that are used solely to order or communicate the results of tests or procedures for such entity. 43

44 Case Study - 4 ABC and its OHCA participants are exploring more effective ways to support research, both through organizing ongoing internal research programs and potentially supporting external research conducted by third parties. 44

45 Case Study - 4 Authorization/Consent De-Identified Data -- No subject authorization or consent required -- Unlimited uses and disclosures permitted Limited Data Set (with Data Use Agreement) -- No subject authorization or consent required -- Only includes a few more elements than de-identified data. Limited? Institutional Review Board (IRB) or Privacy Board Waiver of Authorization -- No subject authorization or consent required -- Approval may not be available in cases where it is feasible to request authorization 45

46 Case Study - 4 Sample State Provisions Governing Disclosure/Use of PHI in Research Statutory Construct State/Citation Similar States Research De-identified data Permissive disclosure in connection with use in actuarial or research studies, provided: (A) no individual is identified; (B) materials in which the individual may be identified are returned or destroyed; and (C) the organization agrees not to further disclose the information. Conn. Gen. Stat. 38a-988 (2012) (applicable to insurance institutions, agents and insurancesupport organizations) Connecticut, Florida, Illinois, Massachusetts, Minnesota, New Jersey, North Carolina, Tennessee, Wisconsin Research Waiver of authorization (privacy board) PHI may be disclosed for research, with approval or waiver of the applicable privacy board in accordance with HIPAA, subject to a finding of (1) no more than a minimal risk to privacy of individuals, based on, at least, an adequate plan to protect the identifiers from improper use and disclosure, to destroy the identifiers at the earliest opportunity, and adequate written assurances that the protected health information will not be reused or further disclosed except as permitted; (2) the research could not practicably be conducted without the waiver or alteration; and (3) the research could not practicably be conducted without access to and use of the protected health information. Del. Code tit. 16, 1212 California, Delaware, Maine, Maryland, Washington, Wyoming 46

47 Case Study - 5 ABC Hospital would like to use its patient information for marketing purposes. It would like to know what information it can use, how it can use it, and when specific patient authorization is required and not required. 47

48 Case Study - 5 Use of PHI for marketing requires authorization Communications about health-related products or services that encourage purchase (third party) Financial remuneration Payments in exchange for making marketing communications Authorization not required products and services of the Covered Entity 48

49 Case Study - 5 HIPAA Omnibus Rule 2013 Previous exception for treatment-related marketing communications Previously opt-out rather than opt-in Now opt-in express written authorization Authorization must disclose remuneration 49

50 Case Study - 5 Exceptions Refill reminders Other communications about prescriptions Remuneration must be reasonably related to the cost of the communication 50

51 Case Study - 5 Exceptions Face-to-face communications (Even if remuneration or promotional gift of nominal value) Telephone is NOT face-to-face Communications promoting health that do not promote a particular provider Communications about government-sponsored programs 51

52 Case Study - 5 Sale of PHI CE or BA receives remuneration Not limited to financial remuneration Not just sale access, licenses and leases 52

53 Case Study - 5 Exceptions Remuneration reasonable cost Research reasonable cost Treatment and payment M&A activity 53

54 Case Study - 5 Exceptions Business Associates Disclosures to patients Payments from grants research Exchange of PHI through HIEs 54

55 Case Study - 6 XYZ Medical Management has access to a significant amount of health information as a world-class EHR. Although it has been in business for several years, it is just starting to explore opportunities to leverage all this data for other business uses. 55

56 Case Study - 6 Industry Solutions Business Associate Agreements Business Associate Agreements should provide: Express authorization to aggregate PHI for health care operations purposes Permit the Business Associate to de-identify PHI Exclude de-identified data from any provisions related to the Covered Entity s ownership of the data 56

57 Case Study - 6 De- Identification Safe Harbor Expert Determination 57

58 Case Study - 6 Sample Business Associate Agreement Provision De-Identified Information ( BA friendly ) Business Associate may de-identify any and all Protected Health Information created or received by Business Associate under this Agreement; provided, however, that the de-identification conforms to the requirements of the [HIPAA Rules]. Such resulting de-identified information would not be subject to the terms of this Agreement. 58

59 Case Study - 7 Dr. Jones, a primary care physician, is in negotiations to sell her practice to the local community hospital. Dr. Jones believes that the practice s patient records have significant value and she would like to negotiate a higher price on that basis. The parties are also starting due diligence, and Dr. Jones would like to have a compliant process from a privacy perspective. 59

60 Case Study - 7 Industry Solutions Mergers and Acquisitions Anti-Kickback Considerations: Payments for intangibles are particularly suspect and may be subject to scrutiny This includes patient records Valuation methodologies to take into consideration 60

61 Case Study - 7 Due Diligence Healthcare Operations is defined to include any of the following activities of the covered entity to the extent that the activities are related to covered functions: Business management and general administrative activities of the entity, including, but not limited to... (iv) The sale, transfer, merger, or consolidation of all or part of the covered entity with another covered entity, or an entity that following such activity will become a covered entity and due diligence related to such activity. 45 C.F.R

62 Additional Case Studies ABC terminates its relationship with Aggregate4U in favor of launching a homegrown internal data warehouse system for ABC and its OHCA. Its CISO, Privacy Officer, and HIM director are arguing over logging requirements. AnyState Health, the HIE, would like to facilitate the sharing of PHI among health care providers but is concerned about verifying the identity of users (providers and patients) on the front end and, after the users have been initially verified, authenticating the users when they log in to the HIE. 62

63 Summary Step through the process. From where does data originate? Who owns it? Who processes it? Who are the data subjects? What legal regime(s) apply? Develop a program. 63

64 Summary Be aware of applicable federal and state requirements; tailor privacy policies as applicable. Designate people responsible for security in the organization. Conduct security training for employees. Take reasonable steps to ensure vendors/service providers protect data. Consider minimizing data collection. De-identify where possible. Conduct a privacy or security risk assessment initially, and periodically thereafter. Consider encryption.