Page 1: E-Health: Is a Claim Just a Click Away?

2010 Medical Professional Liability Symposium

Chicago, IL ~ March 18 & 19, 2010

E-Health: Is a Claim Just a Click Away?

Page 2

E-Health: Is a Claim Just a Click Away?

Moderator:

Fran O'Connell, RN, MBA, Managing Director, Medical Professional Liability, Markel Corporation

Panelists:

M. Peter Adler, Esq., CISSP, CIPP, Chief Privacy Officer, UnitedHealth Group

Paul Bantick, Underwriter, Beazley

Sharon R. Klein, Esq., Partner, Pepper Hamilton, LLP

Page 3

2010 Medical Professional Liability Symposium

e-Health Defined

Global Reach; Global Risk

Page 4

E-Health Defined

“Healthcare supported by electronic processes and communication”

• Electronic Health Records
• Telemedicine
• Automatic Clinical Protocols/Alerts
• Virtual Healthcare Teams
• M-Health
• Patient Monitoring
• Distance Learning - Telehealth

Page 5

Page 6

Healthcare Provider/Payer Technologies

• Remote Healthcare Information Systems
• Virtual Rounding
• Remote Operations
• Clinical Alerts
• Medical Robots
• Wireless implants/chips

Page 7

Consumer Health Technologies

• Smart Phones
• PHRs (Health Vault)
• Social Networks (Facebook)
• Smart home sensors/monitoring
• Use of email to link patients and clinicians
• Web Portals

Page 8

Ponemon Institute Findings

Page 9

Global Risks

• Medical Identity Theft
• Internet use without encryption
• Lack of uniform security standards (mobile devices)
• Expansion to players unfamiliar with healthcare
• Outsourcing/Offshoring
• No global rules for data exchange/transfer

Page 10

Risk of Lawsuits/Reputational Injury

• Regulation: Sanctions, fines, penalties
• Public Enforcement: FTC, HHS/OCR, FDA, State attorney general(s)
• Private Rights of Action: Individual suits (common law, statutory), Class Actions

Page 11

E-Health: Is a Claim Just a Click Away?

E-Health Privacy, Security, Data Breaches and Potential Liability

Page 12

HIPAA

• Pertains to individually identifiable health information that:
  – Is created or received by a “Covered Entity”; and
  – Relates to an individual’s past, present, or future physical or mental health or condition, or payment for the provision of health care to them, or the provision of health care to an individual; and
  – Identifies the individual, or can be used to identify the individual
• Applies to “Covered Entities” (CE): Health providers, Health plans, Health care clearinghouses

Page 13

HIPAA Security Requirements

HIPAA Compliance:
• Technical Security
• Administrative Security
• Physical Security
• Business Associate Management
• Procedures, Legal Compliance

Page 14

Standards, Safeguards and Implementation Features

• Standards: CEs/BAs required to comply with standards
  – Administrative Safeguards
  – Physical Safeguards
  – Technical Safeguards
  – Organizational Requirements
  – Policies & Procedures & Documentation Requirements
• Implementation Specifications:
  – Required - must be implemented after a risk analysis
  – Addressable - second-level risk analysis is required

Page 15

Privacy: Rules-Based vs. Risk-Based

• General Principles of Privacy Regulations
  – Establish a Rules-Based Permissive Model: use & disclosure of PHI is not permitted unless the Rule specifically permits it
  – To define & limit the circumstances in which an individual’s protected health information (PHI) may be used or disclosed by covered entities
• Emphasis on “gap analysis” rather than a risk analysis

Page 16

Uses and Disclosures Permitted without Authorization

• To the Individual (unless required for access or accounting of disclosures);
• Treatment, Payment, and Health Care Operations;
• Opportunity to Agree or Object;
• Public Interest and Benefit Activities; and
• Limited Data Set for the purposes of research, public health or health care operations

Page 17

Individual Authorization for Disclosures

• Authorization: A covered entity must obtain the individual’s written authorization for any use or disclosure of PHI that is not for treatment, payment or health care operations, or otherwise permitted or required by the Privacy Rule
• Psychotherapy Notes
• Marketing

Page 18

Minimum Necessary

• A CE must make reasonable efforts to use, disclose, & request only the minimum amount of PHI needed to accomplish the intended purpose

• A CE must develop/implement policies & procedures to limit uses & disclosures to the minimum necessary.

• When the “minimum necessary” standard applies to a use or disclosure, a CE may not use, disclose, or request the entire medical record, unless it can specifically justify the whole record as the amount reasonably needed for the purpose.

• Not applicable in certain situations

45 C.F.R. §§ 164.502(b) and 164.514 (d).

Page 19

ARRA: Overview of Other Key Provisions - 1

• Clarification and expansion of the definition of a “Business Associate” (BA)
• Increased Business Associate legal obligations
• Notification for breaches involving protected health information (PHI)
• Special provisions for vendors of personal health records and other non-HIPAA covered entities
• Restrictions on certain disclosures. Individuals may prohibit the disclosure of PHI to a health plan for services that the individual paid for out-of-pocket
• Restrictions on sales of EHRs, PHI. CEs and BAs may not sell PHI and EHRs, except in limited circumstances, unless the individual authorizes the sale.

Page 20

ARRA: Overview of Other Key Provisions - 1

• Accounting of certain PHI disclosures required if a CE uses an EHR. CEs must provide an accounting of disclosures of PHI made to carry out treatment, payment, & healthcare operations when the PHI is in an EHR
• Access to Certain Information in Electronic Format. An individual has a right to obtain a copy of his/her information in an electronic format from the CE
• Conditions on certain communications as part of healthcare operations. Limits the healthcare operations exception for communications for which the CE receives remuneration, except in limited circumstances
• Fundraising Opt-Out
• Enhancement of enforcement, funding for enforcement, and increased penalties

Page 21

Increased Business Associate Legal Obligations

• Each security & privacy requirement in the HITECH Act that is applicable to a CE is also applicable to a BA and should be included in the BA’s contract.

• BAs must comply with the same administrative, technical, and physical safeguards that a CE is required to comply with under the security rule.

• Must also comply with the document requirements (policies, procedures and other documents).

• BAs that violate the security & privacy provisions of HIPAA are subject to the same civil /criminal penalties as a CE.

Page 22

Clarification and Expansion of “Business Associate” Definition

• Definition of “Business Associate” includes entities that provide data transmission services to a CE (or its BA), if the service involves access to PHI on a routine basis, including:
  – a health information exchange organization;
  – a regional health information organization;
  – an E-prescribing Gateway; or
  – any vendor that contracts with the CE to allow the CE to offer a personal health record (PHR) to patients

Page 23

Overview of Breach Notification Rule

• Applies some state breach notification concepts to federal health care law
• Applies to Business Associates (BAs) and Covered Entities (CEs) that experience a breach
• Covers EHRs and PHRs
  – Final FTC regulations released August 18, 2009 (PHRs)
  – Final HHS interim regulations and guidance released August 19, 2009 (EHRs)

Page 24

Responding to an Incident: Process Under the New Rule

• Determine whether a “Breach” occurred
  – What is a Breach?
  – What is Not a Breach?
• Determine whether breach notification is required
• Follow Breach Notification Procedures

Page 25

What is a Breach?

• A breach is the unauthorized acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule and which compromises the security and privacy of the PHI

Page 26

What is NOT a Breach?

• It is important to know what is and is not a breach under the new Rules: if not a breach, notification will not be required
• There are two methods provided by the Rule for determining if a breach occurred:
  1. By Definition
  2. By Risk of Harm Analysis

Page 27

Not a Breach by Definition

• A Breach does not include:
  – Acquisition, access, or use or disclosure of PHI by a workforce member or person acting under the authority of a CE or a BA which does not result in further use or disclosure in a manner inconsistent with the Privacy Rule and the disclosure is:
    • made in good faith and within the scope of authority
    • inadvertently made, from one authorized person to another within a CE, BA or an Organized Health Care Arrangement (OHCA)
  – A disclosure of PHI where a CE or BA has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information

§164.402(2)

Page 28

Not a Breach – Other Factors

Breach Definition: A breach is the unauthorized acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule and which compromises the security and privacy of the PHI

• Not a Breach:
  – if Privacy Rule not Violated
  – if Privacy and Security of PHI Not Compromised
• PHI Not Involved
• PHI is “Secured”
• There is No Risk of Harm

Page 29

No Risk of Harm

Definition: A breach is the unauthorized acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule and which compromises the security and privacy of the PHI

• A compromise of the security and privacy of the PHI must pose a significant risk of financial, reputational, or other harm to the individual
  – A risk assessment is to be conducted to determine if harm exists

Page 30

HHS Breach Notification Procedures: Timing, Notice and Content

• Breach Notice Rule - Timing, Content & Notice Requirements
• 47 Organizations have reported breaches of 500 or more in the first reporting to HHS under this Rule
  – Range from a low of 501 (AK Dept of HSS) to a high of 500,000 (BCBS of TN)
  – Involving >1 M individuals in the first months of reporting
• Since 3/12/09 the Privacy Rights Clearinghouse has reported 228 Breaches. Of these, 58 involved PHI
  – Includes electronic and paper-based PHI
  – http://www.privacyrights.org/ar/ChronDataBreaches.htm

Page 31

State Notice of Breach Laws

The following states do not have a notice of breach law:
• Kentucky
• Mississippi
• New Mexico
• South Dakota

46 States PLUS:
• District of Columbia (B16-810, D.C. Code § 28-3851)
• Puerto Rico (Law 111 and Regulation 7207)

Most require businesses and/or government to notify state residents if their computerized “personal information” is involved in a data breach.

Compliance obligations can differ significantly and require research of key provisions in every state for which you have a resident’s PI.

Page 32

Emerging State Data Security Laws

• Ten States have laws requiring businesses to protect the “security & confidentiality” of personal information: AR, CA, CT, MD, MA, NV, RI, OR, TX, and UT
• Massachusetts is the only state that specifies what a business must do to comply:
  – Implement a risk-based “comprehensive, written information security program”, and
  – Encrypt all personal information stored on laptops and portable devices, all records & files transmitted over public networks, and all data transmitted wirelessly.

Page 33

Criminal Penalties Applicable to An Individual or An Entity

• Wrongful disclosure of individually identifiable information only if:
  “…a person (employees or other individuals) shall be considered to have obtained or disclosed individually identifiable health information in violation of this part if the information is maintained by a CE... and it was obtained/disclosed without authorization”
• “Willful neglect” may be either criminal or civil
  – A formal investigation will commence if a preliminary investigation of the facts identifies that a possible violation is due to willful neglect
  – Burden of proof is on the CE and/or BA

Page 34

HIPAA Criminal Penalties

A “knowing” violation shall:
(1) be fined not more than $50,000, imprisoned not more than 1 year, or both;
(2) if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and
(3) if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.

Page 35

HITECH Act Civil Penalties

• Graduated Penalties:
  – unknowing: (A) through (D)
  – due to reasonable cause & not to willful neglect: (B) through (D)
  – due to willful neglect: if corrected, (C) - (D); if not corrected, (D)

(A) $100 for each such violation (total amount imposed for all such violations during a calendar year may not exceed $25,000);
(B) $1,000 for each such violation (total amount imposed on the person for all such violations during a calendar year may not exceed $100,000);
(C) $10,000 for each such violation (total amount imposed on the person for all such violations during a calendar year may not exceed $250,000); and
(D) $50,000 for each such violation (the total amount imposed on the person for all such violations during a calendar year may not exceed $1,500,000).

• Money collected for civil damages funds OCR enforcement
• State Attorneys General also provided enforcement authority

Page 36

Enforcement Funding

• Any civil monetary penalty or monetary settlement collected with respect to a criminal or civil action brought under the HIPAA security and privacy provisions shall be transferred to the Office for Civil Rights of HHS. This money will be used for enforcing the privacy and security provisions of HIPAA
• The HITECH Act calls for a study by the GAO to determine the feasibility of distributing to victims of a violation a percentage of any collected civil monetary penalty or monetary settlement, and the methodology to accomplish this.

Page 37

Enforcement by State Attorneys General

• Where there is reason to believe that an interest of one or more residents of a state has been or is threatened or adversely affected by any person who violates a provision of HIPAA, the Attorney General of the State may bring a civil action on behalf of such residents in a U.S. District Court.
• Damages will be statutorily imposed
  – The amount = the number of violations times up to $100
  – The total amount of damages imposed on the person for violations of all identical requirements or prohibitions during a calendar year shall not exceed $25,000
• The court may also award the Attorney General reasonable costs for bringing the action and attorney’s fees.

Page 38

Not much traction for “Negligent Protection of Data”

• The plaintiffs allege that a business collected their personal information for the business’ purposes, and then negligently allowed a third party to improperly access that personal information.
• Plaintiffs have had difficulty establishing that the defendant has a duty to protect their information, and that they have suffered some compensable damage from that release.

Page 39

U.S. Breach Litigation

• “[N]o court has considered the risk [of ID theft] itself to be damage”
• Key v. DSW Inc.; Bell v. Acxiom Corp. - Plaintiffs unable to prove that the information was used improperly & that increased risk of ID theft was enough
• Stollenwerk v. Tri-West Healthcare Alliance - Plaintiff tried “fear of ID theft” as their damages; the Court rejected that
• See also Pisciotta v. Old Nat’l Bancorp, Kahle v. Litton Loan Servicing and Guin v. Brazos Higher Education Service Corporation, Inc. - The value of having good policies and procedures.

Page 40

Why Litigate, Then?

• Thus far they have not been successful proving negligence.

• No harm (provable damages), no foul, say the Courts.

• But litigation is about poking and prodding.

• Plaintiffs are seeking the soft underbelly.

• The goal: Huge settlements even without the merits.

Page 41

TJX Companies Breach

• On Jan. 17, 2007, TJX Companies Inc. announced that the portion of its computer network handling customer transactions was breached by unauthorized individuals; >46.2 M credit/debit cards compromised
• Litigation & investigations; new laws to protect banks considered in CA, CT, IL, MA, MN, NJ, and TX (only MN actually enacted)
• Settlements have reduced what once was as many as 18 separate putative bank & consumer class action lawsuits against the company
• September 2007 - Settlement includes $7 M to reimburse customers

Page 42

TJX Companies Breach (Continued)

• November 2007 - Settlement with Visa (and issuing banks) $40.9 M

• December 2007 - TJX settled for $40 M with banking associations & all but one individual bank for reimbursement of their costs

• April 2008 - Settlement with MasterCard (and issuing banks) $34 M

• June 2009 $9.8 M to a group of 41 state AGs

• September 2009 additional $525,000 to the FIs

• Total – $132,225,000

Page 43

Hannaford and Heartland

• Hannaford Bros. Co. supermarkets (parent Delhaize America): >12 separate class actions in FL, ME, NH and NY
• Heartland Payment Systems, Inc. Litigation: Negligence, Breach of Contract, Breach of Implied Contract, Violation of NJ Consumer Fraud Act, and Negligence Per Se
  – Heartland faced 17 class actions, 10 bank & credit union class actions related to the breach. Heartland agreed to pay:
    • nearly $4.7 M (up to $2.4 M in damages), $760,000 in attorney's fees & expenses, & up to $1.5 M in admin costs
    • Am Ex Travel Related Services Co. Inc.: just over $3.5 M
    • A max. of $60 M to Visa and Visa card-issuing banks
  – Total - $68,960,000 (8K filing stated up to $73 M)

Page 44

Breaches Cost Money, Even Without Litigation

• U.S. organizations continue to experience an increased cost of data breaches
  – Avg. cost up nearly 2%, $6.65 M (2008) to $6.75 M (2009)
  – Avg. cost per compromised record per breach up $2 ($202 to $204)
  – The most expensive data breach event included in this year's study cost nearly $31 M to resolve
• Companies that notify victims too quickly may in fact incur higher costs: $219 versus $196, a 12% difference
• The leadership of a CISO or equivalent position substantially reduces the overall cost of data breaches

Source: 2009 Annual Study: Cost of a Data Breach: Understanding Financial Impact, Customer Turnover, and Preventive Solutions, The Ponemon Institute

Page 45

E-Health: Is a Claim Just a Click Away?

Future Trends/Outlook for 2010 and Beyond

Page 46

Page 47

Current Situation

• More people living longer
• Number of people with chronic illnesses is going to increase
• Therefore, increased pressure on the healthcare system and technology requirements
• One of the key drivers of healthcare reform is recognition of this problem and the attempt to deal with this issue:
  – Better quality of care
  – Cost containment
  – Better deployment of technology

Page 48

Coordination of Care

• Draws the 3 elements together

• Fragmented delivery of care

• Many different siloed systems e.g. billing, care, control, record keeping, data

• Physicians & hospitals will become the pivot for delivering under this new approach and for co-ordinating amongst other providers as well as handling records and billing

• For this approach to work it will require efficient, usable technology with greater access points & capability than before

• HITECH is an attempt to facilitate and encourage/require the adoption of such an approach

Page 49

Is this all going to Work?

• Great in theory, but what about in practice?
• Short time frame: HITECH compliance by 2011 is ambitious
• Technology providers will be key. Are they up to it?
• More systems, broader coverage, more people accessing them is a bigger exposure
• Implementation will be key
• This will ultimately drive insurance requirements as the number of breaches grows and the average costs involved
• Claims scenarios become more complex & greater scope for uncertainty as to where the responsibility lies
• Insurance policies will have to adapt to provide the coverage required as underwriting becomes more complex & exposures shift and change

Page 50

Other Considerations

• Electronic Personal Health Records – As we move to EHRs, exposure increases, attracts more people’s interest & is a more personal record. This could have an impact on the number and size of breaches.
• Solutions – clients are looking for solutions & service and not just an insurance product. As exposure & complexity grow, it will continue to be one of the main drivers for purchasing insurance.
• Sub-limits – Must be addressed in the insurance market to provide the coverage required in the event of a claim.
• Underwriting – Time will tell.
  – More complex and in-depth underwriting
  – Risks carrying greater exposures
  – Broader policies
  – Claims solutions must keep pace with a changing market