Electronic Medical Records: Minimizing HIPAA, Stark and Anti-Kickback Legal
This presentation may be considered attorney advertising under the rules of some states. The information and materials contained herein have been provided as a service by the law firm of Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.; however, the information and materials do not, and are not intended to, constitute legal advice. Neither transmission nor receipt of such information and materials will create an attorney-client relationship between the sender and receiver. The hiring of an attorney is an important decision that should not be based solely upon advertisements or solicitations. Users are advised not to take, or refrain from taking, any action based upon the information and materials contained herein without consulting legal counsel engaged for a particular matter. Furthermore, prior results do not guarantee a similar outcome.
What to Expect Today
• General overview of the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”)
• Federal and state laws on data breach notification
• Red Flag Rules
• Privacy and security risks and best practices to minimize liability under HIPAA, prevent the loss of electronic protected health information and reduce the risk of medical identity theft
• Potential regulatory barriers to electronic health record technology and best practices to minimize liability under Stark and Anti-Kickback concerns
Health IT - A Brave New World
While the President, Congress, federal agencies and states grapple with the best way to reform and regulate healthcare, the world is moving forward into a technologically advanced age and dragging the healthcare industry with it.
• New technological advances are creating more cost-effective mechanisms for prescribing, monitoring, and tracking prescription drugs and utilization.
• Keeping up with and meeting new regulatory requirements, as well as the challenges created by the new technology.
• The billions of dollars in grants and payments for health information technology that are available in ARRA should encourage the industry to step up to the plate and adopt and implement health information technology.
Health IT - A Brave New World
The Healthcare Industry’s Reluctant Adoption of Information Technology
• Healthcare providers have been quick to adopt breakthrough technology in medical procedures, but slow to accept innovations in networking and communications.
• Concern about breaches in security and patient privacy.
• Healthcare services traditionally performed locally and in
On February 17, 2009, President Obama signed into law the $787 billion American Recovery and Reinvestment Act of 2009 (ARRA) that contains new provisions applicable to the healthcare and information technology world:
• $19 billion to promote adoption of health information technology
• Establishes Regional Extension Centers, which would provide technical assistance and disseminate best practices to support and accelerate efforts to adopt, implement, and effectively utilize health information technology.
• Strengthened privacy and security standards under HIPAA to encourage the adoption of EHRs
• Strengthened penalties for non-compliance
• Created new avenues of enforcement (state Attorneys General)
• Created new targets of enforcement (third parties who
• Funding is available for the “meaningful use” of “certified” electronic health records (EHRs) technology by Medicare and Medicaid physicians and hospitals
• Funding will start flowing in October 2010
• HIT Policy and Standards Committees still hammering out the details
• CMS intends to issue regulations by the end of 2009
• Important so that EHR users and developers can fund their
Federal Breach Notification
Under the original HIPAA regulatory scheme, “covered entities” were not required to notify individuals if their PHI was breached or lost.
Under ARRA, 2009, covered entities must notify affected individuals, the federal government and in some cases, the media, in the event of “breaches” of “unsecured PHI.”
“Business Associates” are required to notify covered entities of breaches so that covered entities may in turn fulfill their breach notification obligations.
Federal Breach Notification
“Breach” means “the unauthorized access, acquisition, use, or disclosure of protected health information which compromises the security or privacy of such information.”
“Unsecured PHI” means “PHI that is not secured through use of a technology or methodology identified by the U.S. Department of Health and Human Services (“HHS”) as rendering the information unusable, unreadable or indecipherable to unauthorized persons.”
HHS has specified two methods for securing PHI.
Encryption:
• For data at rest: NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices.
• For data in motion: Federal Information Processing Standards (FIPS) 140-2. These include, as appropriate, standards described in NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs, and may include others which are FIPS 140-2 validated.
Destruction:
• Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed.
• Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, such that PHI cannot be retrieved.
Federal Breach Notification
If PHI has been secured using one of the above-listed methods, its loss or wrongful disclosure does not trigger breach notification requirements.
If “Unsecured PHI” is lost or impermissibly disclosed and one of the notification exceptions does not apply, affected individuals must be notified of the breach. Notice must include: (i) a brief description of what happened, including dates, (ii) a description of types of unsecured PHI involved, (iii) the steps the individual should take to protect against potential harm, (iv) a brief description of steps the covered entity or business associate has taken to investigate the incident, mitigate harm and protect against further breaches, and (v) contact information for questions.
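The following Go program is an added illustration of the two preceding slides; it is not part of the presentation or of any HHS material. It models the "secured vs. unsecured PHI" decision for a lost device, encrypts a constructed sample record with AES-256-GCM from Go's standard library (a stand-in for a FIPS 140-2 validated module, which the standard library is not by itself), and checks a draft notice against the five required elements. The `Incident` and `BreachNotice` types and their field names are my own modelling, and the `KeyCompromised` flag reflects the HHS guidance's condition that encryption only renders PHI unreadable while the decryption key is kept separate from the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Protection records how the PHI on the affected media was protected (HHS methods above).
type Protection int

const (
	Unsecured Protection = iota // no HHS-recognised protection
	Encrypted                   // NIST SP 800-111 at rest / FIPS 140-2 in motion
	Destroyed                   // shredded, or sanitized per NIST SP 800-88
)

// Incident is a hypothetical model of one loss or impermissible disclosure.
type Incident struct {
	Protection       Protection
	KeyCompromised   bool // decryption key was lost or exposed together with the data
	ExceptionApplies bool // one of the statutory notification exceptions fits
}

// NotificationRequired: secured PHI does not trigger notification; unsecured PHI does
// unless an exception applies. Encryption counts only while the key stayed separate.
func NotificationRequired(in Incident) bool {
	switch in.Protection {
	case Destroyed:
		return false
	case Encrypted:
		if !in.KeyCompromised {
			return false
		}
	}
	return !in.ExceptionApplies
}

// EncryptPHI seals a record with AES-256-GCM and prefixes the random nonce.
func EncryptPHI(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptPHI reverses EncryptPHI; a wrong key or a modified blob fails the tag check.
func DecryptPHI(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// BreachNotice holds the five elements a notice to individuals must contain.
type BreachNotice struct {
	WhatHappened, PHITypes, IndividualSteps, EntitySteps, Contact string
}

// MissingElements lists the required elements that are still blank.
func (n BreachNotice) MissingElements() []string {
	var missing []string
	for _, e := range []struct{ name, val string }{
		{"(i) what happened, including dates", n.WhatHappened},
		{"(ii) types of unsecured PHI involved", n.PHITypes},
		{"(iii) steps the individual should take", n.IndividualSteps},
		{"(iv) steps taken to investigate, mitigate and prevent", n.EntitySteps},
		{"(v) contact information for questions", n.Contact},
	} {
		if strings.TrimSpace(e.val) == "" {
			missing = append(missing, e.name)
		}
	}
	return missing
}

func main() {
	key := make([]byte, 32) // AES-256 key; kept off the device in practice
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	blob, err := EncryptPHI(key, []byte("MRN 000000; Jane Sample; dx: hypertension")) // constructed, not real PHI
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d ciphertext bytes on device; key separate -> notify: %v\n", len(blob), NotificationRequired(Incident{Protection: Encrypted}))
	fmt.Println("key lost with device -> notify:", NotificationRequired(Incident{Protection: Encrypted, KeyCompromised: true}))
	fmt.Println("draft notice missing:", (BreachNotice{WhatHappened: "laptop lost 2009-10-01"}).MissingElements())
}
```

The point the program makes is that the notification question turns on key handling as much as on the cipher: the same ciphertext on the same lost laptop is "secured" when the key lives elsewhere and "unsecured" when a password file or key sits beside it.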
“Red Flag Rules” of the Federal Trade Commission (“FTC”) are an additional consideration for health care organizations planning their security programs.
The Red Flag Rules apply to financial institutions and creditors. The FTC has made clear that non-profit and government entities that defer payment for goods and services - including hospitals and other health care providers - are creditors and
The Red Flag Rules require financial institutions and creditors to establish a written program for identifying and detecting warning signs or “red flags” of identity theft, such as unusual account activity, suspicious enrollment documents or other suspicious patterns or activities that indicate the possibility of identity theft.
The Stakes Are Higher
• Increased federal enforcement
• State enforcement
• Reputational risks - due to public disclosures of breach
• Costs associated with enforcement and required notifications
• Risks associated with business associate breaches
Federal dream vs. state law reality
One goal of EHR adoption is to facilitate the sharing of PHI among covered entities. There is a big push at the federal level to achieve this goal.
BUT even though HIPAA may provide mechanisms for the merging and sharing of EHRs, state law may not, especially with respect to sensitive and specially protected categories of health information (infectious disease, drug and alcohol treatment, mental health counseling, etc.).
Personal Health Records
Currently, we live in a world of decentralized record keeping where records are maintained by multiple entities and in multiple locations – this makes the system duplicative and sometimes creates conflicting information.
As people move from state to state, they leave a trail of fragmented or partial medical records behind.
ARRA of 2009 defines a personal health record as “an electronic record of PHR identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual”
• "PHR identifiable health information" is “individually identifiable health information that is provided by or on behalf of the individual and that identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.”
A “Vendor of Personal Health Records” is “an entity, other than a covered entity, that offers or maintains a personal health record.”
In the event of a breach of security, ARRA imposes notification obligations on:
• Vendors of PHRs;
• Entities that offer products or services through websites of PHR vendors;
• Entities that offer products or services through the websites of covered entities that offer PHRs;
• Entities that are not covered entities and that access information in a PHR or send information to a PHR.
Exceptions to the physician self-referral prohibition and a safe harbor under the anti-kickback statute for arrangements involving donation of interoperable EHR technology to physicians and other healthcare practitioners or entities from businesses with whom they work.
Entities furnishing designated health services (and certain other entities under the safe harbor) may donate to physicians (and certain other recipients under the safe harbor) interoperable electronic health records software, information technology and training services.
Hospitals and certain other entities may provide physicians (and certain other recipients under the safe harbor) with hardware, software, or information technology and training services necessary and used solely for electronic prescribing.