Healthcare Payment Processing: Managing Data Security and Privacy Risks




Thursday, September 13, 2012

Moderator: Linda A. Malek, Chair, Healthcare, Moses & Singer LLP

Panelists:
- Beth L. Rubin, Senior Counsel - Healthcare, PNC Bank, National Association Legal Department
- Dov H. Scherzer, Co-Chair, Global Outsourcing and Procurement, Moses & Singer LLP
- Samuel J. Servello, Partner, Healthcare, Moses & Singer LLP

Hypothetical
Healthcare Client, located in Los Angeles, contracts with a Bank in New York to conduct HIPAA transactions on Healthcare Client's behalf. Bank has an outsourcing services contract with Bank's cloud vendor, which is incorporated in New York and uses its own server in India.

[Diagram: under the Services Agreement, data flows among Healthcare Provider, Bank (which processes the HIPAA transactions), Payor and Cloud Vendor.]

Bank Wears Two Hats
- HIPAA Transaction Services to Health Care Providers
- Customer of Third-Party Cloud Vendor

Intro to Outsourcing in a Highly Regulated Environment
- What is Outsourcing?
- Categories of Outsourcing
- Regulatory Overlay: Applicable Laws
- Outsourcing Process and Key Contract Terms
- Overarching Challenge: a long-term relationship; importance of a proper pre-nuptial agreement
- A truly cross-disciplinary practice area

Categories of Outsourcing
- Outsourcing of discrete IT functions (e.g., software development or legacy system maintenance)
- Information technology (IT) outsourcing (e.g., processing services provided from a remote data center)
- Traditional service bureau services (e.g., payroll)
- Business process outsourcing (BPO) (e.g., outsourced administrative services)
- ASP/Time Sharing/Clouds/Shmouds
- Legal Services
- Any other function, including an entire business operation
- Offshore Outsourcing
Healthcare Payment Processing may involve any number of the above types of outsourcing.

Why Outsource?
- Cost savings/cost management
- Concentrate on core capabilities
- Redeployment of resources to key initiatives
- Improving performance
- Legacy systems
- Standardizing systems
- Technology currency
- Reducing/sharing risk
- Improve flexibility
- Sale of assets

Why Re-engineer a Business Process (BPO)?
- Focus management on core business issues
- Focus capital expenditures on core business
- Streamline administrative functions
- Reduce organizational redundancy
- Identify and reduce hidden costs
- Shift accountability for non-core functions
- Access specialized skill sets, processes and information without having to acquire, invest in or develop such skills, processes or information independently

Offshore Outsourcing

Offshore Outsourcing: What are the Incentives?
- Technological expertise and facilities around the world are equivalent to those in the U.S.
- Advances in technology allow companies to overcome geographical distances (e.g., the Internet)
- Availability of lower-wage resources
- Ability to conduct business around the clock in numerous time zones
- Tax incentives

Applicable Laws
A Fundamental Business Point: Who is Responsible for What?

[Diagram: Outsourcing & Applicable Laws at the center, surrounded by Auditing, Privacy & Security, IP, Tax, Securities Laws and HR.]

Examples and Key Concerns
- Privacy & Security
- Securities
- Regulatory Compliance
- Oversight and management of service providers
- Auditing Requirements
Twin Goals: (A) meet legal obligations; (B) make clear who is responsible for what.
KEY: Delegation does not insulate from liability.

Privacy and Security Issues
Outsourcers often have access to company and employee confidential information.
Particular privacy and security concerns:
- Financial services and healthcare industries
- Human resources functions
Areas of Concern:
- Security measures in place for the vendor's system
- Risks of unauthorized access to information: unauthorized personnel, unauthorized uses
- Designate whether the customer or the vendor will be responsible for the costs of implementing additional security mechanisms

Sarbanes-Oxley Auditing and SAS-70 Reporting: New SSAE 16 Guidance
- Sarbanes-Oxley (2002): improve accuracy and reliability of public company financial disclosure in the wake of Enron
- AICPA (American Institute of CPAs) Service Auditing Standards Reports
- SSAE 16 replaces SAS 70 concerning service auditor reports for periods ending on and after June 15, 2011

New SSAE 16: Statement on Standards for Attestation Engagements, Reporting on Controls at a Service Organization
- Follow-on guidance to SAS-70 from the perspective of reporting on systems and controls
- Complies with the new international reporting standard, International Standard on Assurance Engagements (ISAE) 3402
- Effective for reporting periods after June 15, 2011
Some practical impacts:
- Service provider management must now make a direct assertion on the effectiveness/operation of controls (as opposed to reliance on the auditor's assertion)
- Need to attest to subcontractor controls
- Harder to allocate costs among similar user groups/functions
Result: significant impact on pricing.

CASE STUDY: Certain Privacy Issues are Specific to Healthcare Payment Outsourcing

What should financial institutions be concerned with from a healthcare compliance perspective with respect to cloud computing?
- Financial institutions access patient information while providing certain services to healthcare providers or payors, such as health plans.
- Patient information is protected under federal and/or state law.
- Medicare: all claims must be made electronically beginning 2014.
- Financial institutions utilize cloud computing by outsourcing some or all of these functions to third-party vendors.

Relevant Federal Privacy Laws
HIPAA is the basis for federal protection of the privacy and security of certain health information. The protections of HIPAA were expanded by ARRA, HITECH and PPACA:
- The Health Insurance Portability and Accountability Act ("HIPAA"), which was established in 1996;
- The American Recovery and Reinvestment Act ("ARRA"), which contains the Health Information Technology for Economic and Clinical Health Act ("HITECH"); and
- The Patient Protection and Affordable Care Act ("PPACA"), which was signed into law in 2010.

Quick HIPAA refresher
Is the transaction you are working on impacted by HIPAA? If a Bank's client is a Covered Entity and that Covered Entity transmits Protected Health Information to the Bank, HIPAA must be considered, and the Bank is deemed a Business Associate.
What is a "covered entity"?
(i) It is one of the following:
- A health plan,
- A healthcare clearinghouse, or
- A healthcare provider;
(ii) that transmits health information in electronic form in connection with a transaction covered by HIPAA.

Protected Health Information ("PHI")
The health information that is protected under the Federal Privacy Laws is "protected health information" (also referred to as PHI), which is individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.
Health Information: any information, whether oral or recorded in any form or medium, that:
(1) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
(2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

Business Associate
Generally, a business associate is an entity or person who carries out certain functions of the covered entity on behalf of that covered entity. In other words, if a financial institution is acting on its own behalf, it would not be considered a business associate. It is a business associate only if acting on behalf of a covered entity.

How are the Federal Privacy Laws applied to financial institutions?
The Federal Privacy Laws apply to any financial institution that:
- performs a healthcare clearinghouse function (i.e., processing or facilitating the processing of nonstandard data elements of health information into standard data elements); or
- acts as a business associate on behalf of a covered entity.

Direct statutory liability as a business associate
Liability exposure has significantly increased under the rules of HITECH.
- Prior to HITECH: contractual obligations with the covered entity.
- After HITECH: direct statutory liability.

Enhanced civil and criminal penalties apply to both covered entities and business associates
HITECH applies the civil and criminal penalties of HIPAA directly to business associates.
- Civil monetary penalties: low end, $100 per violation with a cap of up to $25,000 per year; high end, $50,000 per violation with a cap of up to $1,500,000 per calendar year.
- Criminal penalties: HITECH specifically extended criminal penalties for the wrongful disclosure of protected health information to business associates.
- Attorneys General: state attorneys general may also bring civil actions on behalf of residents of their state.

Increased Enforcement Environment
- March 2012: Blue Cross Blue Shield of Tennessee (BCBST) agreed to pay the U.S. Department of Health and Human Services (HHS) $1,500,000 to settle potential violations of HIPAA.
- April 2012: a physician practice group in Arizona agreed to pay $100,000 for posting clinical and surgical appointments for patients on an Internet-based calendar that was publicly accessible, and for having implemented few policies and procedures to comply with HIPAA (i.e., even the little guy is being watched and is expected to comply).

Federal Breach Notification Obligation
The HITECH Act and the regulations promulgated under that act require:
- Covered entities to notify affected individuals following the discovery of a "breach" of "unsecured protected health information" of those individuals.
- Business Associates to notify the covered entity following the discovery of a "breach" of "unsecured protected health information" in their possession.

Definition of "breach" and the risk assessment under the Federal rule
Under the Federal rule, the definition of "breach" includes a risk assessment. In other words, a breach is only deemed to occur if there has been an acquisition, access, use, or disclosure of protected health information that poses a significant risk of financial, reputational, or other harm to the individual. Therefore, if such a significant risk does not exist, there is no "breach" to be reported.

Breach notification "safe harbor"
The breach notification obligation is triggered only by "unsecured protected health information".
Encryption: HHS has stated that encryption processes that are consistent with certain National Institute of Standards and Technology (NIST) publications and/or that are validated under certain Federal Information Processing Standards (FIPS) will meet this requirement.

State law breach notification obligations
- 46 states currently have security breach notification laws.
- In some states, a risk assessment is done before the obligation to notify is triggered (like the federal rule).
- In other states, there is no risk assessment before the obligation to notify is triggered: it is triggered merely upon the discovery of an unauthorized acquisition, access, use or disclosure of the personal information of the individual.
- You must be familiar with the laws of each state.

How does Section 1179 of the Social Security Act interact with these new obligations?
Key: on whose behalf is the bank acting, the consumer (individual) of healthcare or the provider of healthcare? There is no exemption from the application of HIPAA if the activity is done on behalf of the provider.

Interaction with the Gramm-Leach-Bliley Act and Other Specific Privacy/Security Regulations
The technical, physical and administrative safeguards required by HIPAA are different from those required by the Gramm-Leach-Bliley Act and other laws and regulations that may be generally applicable to the types of data being processed.

What a financial institution processing HIPAA Transactions should consider if it outsources any part of its business that handles protected health information
Financial institution as covered entity: a clearinghouse is a covered entity under HIPAA.
Business associate agreement:
- administrative, physical and technical safeguards;
- ensure that any of its agents, including any of its subcontractors, implement reasonable and appropriate safeguards;
- security breach.

Financial institution processing HIPAA transactions as business associate:
- Business associate agreement with the covered entity.
- Agreements with outside vendors in order to utilize cloud computing.
- A confidentiality agreement with such third-party vendor.
- Require that such vendor implement administrative, physical and technical safeguards.
- Obligation to report security breaches to the covered entity.
- Who has the obligation to notify the individual?

Anatomy of Bank's Outsourcing Contract with Cloud Vendor (9/11/2012)

[Diagram, repeated: under the Services Agreement, data flows among Healthcare Provider, Bank (which processes the HIPAA transactions), Payor and Cloud Vendor.]

Overarching Principle
Bank needs to confirm that it is committed to outsourcing to Cloud Vendor, and that the outsourcing will permit it to meet its obligations to its Healthcare Providers. In this regard, Bank needs to determine at the outset which activities are to be outsourced and what financial or other goals it hopes to achieve.

First steps
Every outsourcing contract must be clear regarding allocation of responsibilities, remedies, applicable law, compliance, costs, change control, rights in IP, dispute resolution, governance, SLAs, termination, etc. That means these topics must be discussed fully and understood by the business on each side of the deal.

Key Contract Elements
The contract between Bank and Cloud Vendor will generally consist of the following:
- Terms and Conditions: general framework/rules; allocation of each party's responsibilities; applicable law.
- Exhibits: details of scope/pricing; numerous subjects can be treated in an exhibit; possibly the most important part of the contract; negotiated on a parallel track.

Be sure to understand and address key regulatory concerns
- Regulatory liability cannot be outsourced.
- Bank is relying on Cloud Vendor to perform services in a manner that will permit Bank to meet its independent regulatory obligations, as well as the obligations and restrictions contained in its Healthcare Provider agreements.
- Among other things, Healthcare Provider's confidential information (including PHI of Healthcare Provider's patients) will be accessible to Bank and Cloud Vendor.

Particular privacy and security concerns
As we discussed:
- healthcare industries are heavily regulated;
- payment processing activities involve the processing of sensitive healthcare information;
- HIPAA Transaction Processors must be particularly sensitive regarding sharing data with their business associates.

Additional Considerations and Risks
- Healthcare Provider agreements may restrict, or require advance consent to, outsourcing.
- Bank needs to understand that additional risks, including of data security breach, are created when Bank outsources activity to a cloud vendor.
- Consider the distributed nature of the cloud service, including where data is stored and who has or can have access to data.
- Risks increase when Cloud Vendor provides services off-shore.
- Some privacy and security laws may apply directly to Cloud Provider's provision of services; other laws must be specified and specifically addressed in the contract.
- Rule of thumb: you need to tell a Cloud Provider what to do, or it won't get done.

Due diligence regarding Cloud Vendor
- Bank should always conduct operational, financial and regulatory due diligence with respect to any potential Cloud Vendor. Consider Cloud Vendor's financial viability, data security policies, privacy policies, location of servers, etc.
- Diligence is even more important when contracting with an off-shore Cloud Vendor. Among other things, there may be additional tax and regulatory implications and, as a practical matter, there may be limitations on Bank's ability to enforce its contract.
- Practical Tip: if doing a deal with an Indian service provider, insist on an arbitration clause.

Particular concerns regarding access to data
- Bank will likely want to ensure its ability to have immediate access to data throughout the term of the contract, and to ensure its ability to retrieve data upon termination of the agreement.
- Consider data retention (or destruction) policies, and provisions for backup and disaster recovery (possibly including redundancy obligations with servers located in different geographical locations).
- Bank may require the ability to track and audit data usage, storage and protection, as well as Cloud Provider's internal process controls (e.g., under GLB).
- Cloud Vendors will usually try to limit their liability for privacy and security breaches to service level credits. NOTE: even the CIA has been hacked, so Bank should not expect a Cloud Vendor to accept open-ended liability in the event of malicious activity. But liability for certain privacy and security breaches is often the subject of significant negotiation.

Hypothetical (revisited)
Healthcare Client, located in Los Angeles, contracts with a Bank in New York to conduct HIPAA transactions on Healthcare Client's behalf. Bank has an outsourcing services contract with Bank's cloud vendor, which is incorporated in New York and uses its own server in India.

Conclusion
A successful outsourcing results in well-thought-out service contracts (i) between Healthcare Provider and Bank, and (ii) between Bank and Bank's Cloud Vendor. The process requires input from all concerned parties, including legal, compliance, privacy and data security, operations, vendor management, HR, tax, etc. The Ultimate Team Effort.

Contacts
- Linda A. Malek, Chair, Healthcare, Moses & Singer LLP, lmalek@mosessinger.com, 212.554.7814
- Dov H. Scherzer, Co-Chair, Global Outsourcing and Procurement, Moses & Singer LLP, dscherzer@mosessinger.com, 212.554.7833
- Beth L. Rubin, Senior Counsel - Healthcare, PNC Bank, National Association Legal Department, beth.rubin@pnc.com, 215.585.6381
- Samuel J. Servello, Partner, Healthcare, Moses & Singer LLP, sservello@mosessinger.com, 212.554.7872

Disclaimer: This presentation does not constitute legal advice or an opinion of Moses & Singer LLP or any member of the firm. It does not create or invite an attorney-client relationship and may be rendered incorrect by future developments. It is recommended that it not be relied upon in connection with any dispute or other matter but that professional advice be sought.

Attorney Advertising: Under the laws, rules or regulations of certain jurisdictions, this presentation may be construed as an advertisement or solicitation.

Copyright 2012 Moses & Singer LLP. All rights reserved.