2010 Medical Professional Liability Symposium
Chicago, IL ~ March 18 & 19, 2010
E-Health: Is a Claim Just a Click Away?
Moderator:
Fran O'Connell, RN, MBA, Managing Director, Medical Professional Liability, Markel Corporation
Panelists:
M. Peter Adler, Esq., CISSP, CIPP, Chief Privacy Officer, UnitedHealth Group
Paul Bantick, Underwriter, Beazley
Sharon R. Klein, Esq., Partner, Pepper Hamilton, LLP
E-Health Defined; Global Reach, Global Risk

E-Health Defined
“Healthcare supported by electronic processes and communication”
• Electronic Health Records
• Telemedicine
• Automatic Clinical Protocols/Alerts
• Virtual Healthcare Teams
• mHealth
• Patient Monitoring
• Distance Learning (Telehealth)
Healthcare Provider/Payer Technologies
• Remote Healthcare Information Systems
• Virtual Rounding
• Remote Operations
• Clinical Alerts
• Medical Robots
• Wireless implants/chips
Consumer Health Technologies
• Smart Phones
• PHRs (Health Vault)
• Social Networks (Facebook)
• Smart home sensors/monitoring
• Use of email to link patients and clinicians
• Web Portals
Ponemon Institute Findings
Global Risks
• Medical identity theft
• Internet use without encryption
• Lack of uniform security standards (mobile devices)
• Expansion to players unfamiliar with healthcare
• Outsourcing/Offshoring
• No global rules for data exchange/transfer
Risk of Lawsuits/Reputational Injury
• Regulation: sanctions, fines, penalties
• Public enforcement: FTC, HHS/OCR, FDA, state attorney general(s)
• Private rights of action: individual suits (common law, statutory), class actions
E-Health: Is a Claim Just a Click Away?
E-Health Privacy, Security, Data Breaches and Potential Liability
HIPAA
• Protected health information (PHI) is individually identifiable health information that:
- is created or received by a "Covered Entity"; and
- relates to an individual's past, present, or future physical or mental health or condition, the provision of health care to the individual, or payment for the provision of health care to the individual; and
- identifies the individual, or can reasonably be used to identify the individual
• Applies to "Covered Entities" (CEs): health care providers, health plans, and health care clearinghouses
HIPAA Compliance (diagram): Administrative Security; Physical Security; Technical Security; Business Associate Management; Procedures, Legal Compliance
HIPAA Security Requirements: Standards, Safeguards and Implementation Specifications
• Standards: CEs/BAs are required to comply with the standards in each area:
- Administrative safeguards
- Physical safeguards
- Technical safeguards
- Organizational requirements
- Policies & procedures and documentation requirements
• Implementation specifications:
- Required: must be implemented as stated
- Addressable: after the risk analysis, the CE/BA assesses whether the specification is reasonable and appropriate in its environment; if so it implements it, and if not it documents why and implements an equivalent alternative measure where reasonable and appropriate (45 C.F.R. § 164.306(d))
Privacy: Rules-Based vs. Risk-Based
• General principles of the Privacy Rule establish a rules-based, permissive model:
- Use & disclosure of PHI is not permitted unless the Rule specifically permits it
- Purpose: to define & limit the circumstances in which an individual's protected health information (PHI) may be used or disclosed by covered entities
• Emphasis on "gap analysis" rather than a risk analysis
Uses and Disclosures Permitted without Authorization
• To the individual (unless required for access or accounting of disclosures);
• Treatment, payment, and health care operations;
• Opportunity to agree or object;
• Public interest and benefit activities; and
• Limited data set for the purposes of research, public health or health care operations
Individual Authorization for Disclosures
• Authorization: a covered entity must obtain the individual's written authorization for any use or disclosure of PHI that is not for treatment, payment or health care operations, or otherwise permitted or required by the Privacy Rule
• Psychotherapy notes
• Marketing
Minimum Necessary
• A CE must make reasonable efforts to use, disclose, & request only the minimum amount of PHI needed to accomplish the intended purpose
• A CE must develop/implement policies & procedures to limit uses & disclosures to the minimum necessary.
• When the “minimum necessary” standard applies to a use or disclosure, a CE may not use, disclose, or request the entire medical record, unless it can specifically justify the whole record as the amount reasonably needed for the purpose.
• Not applicable in certain situations
45 C.F.R. §§ 164.502(b) and 164.514 (d).
ARRA: Overview of Other Key Provisions - 1
• Clarification and expansion of the definition of a "Business Associate" (BA)
• Increased Business Associate legal obligations
• Notification for breaches involving protected health information (PHI)
• Special provisions for vendors of personal health records and other non-HIPAA covered entities
• Restrictions on certain disclosures: individuals may prohibit the disclosure of PHI to a health plan for services that the individual paid for out-of-pocket
• Restrictions on sales of EHRs, PHI: CEs and BAs may not sell PHI and EHRs, except in limited circumstances, unless the individual authorizes the sale
ARRA: Overview of Other Key Provisions - 2
• Accounting of certain PHI disclosures required if a CE uses an EHR. CEs must provide an accounting of disclosures of PHI made to carry out treatment, payment, & health care operations when the PHI is in an EHR
• Access to certain information in electronic format. An individual has a right to obtain a copy of his/her information in an electronic format from the CE
• Conditions on certain communications as part of health care operations. Limits the health care operations exception for communications for which the CE receives remuneration, except in limited circumstances
• Fundraising opt-out
• Enhancement of enforcement, funding for enforcement, and increased penalties
Increased Business Associate Legal Obligations
• Each security & privacy requirement in the HITECH Act that is applicable to a CE is also applicable to a BA and should be included in the BA's contract.
• BAs must comply with the same administrative, technical, and physical safeguards that a CE is required to comply with under the Security Rule.
• BAs must also comply with the documentation requirements (policies, procedures and other documents).
• BAs that violate the security & privacy provisions of HIPAA are subject to the same civil/criminal penalties as a CE.
Clarification and Expansion of "Business Associate" Definition
• The definition of "Business Associate" includes entities that provide data transmission services to a CE (or its BA), if the service involves access to PHI on a routine basis, including:
- a health information exchange organization;
- a regional health information organization;
- an e-prescribing gateway; or
- any vendor that contracts with the CE to allow the CE to offer a personal health record (PHR) to patients
Overview of Breach Notification Rule
• Applies some state breach notification concepts to federal health care law
• Applies to Business Associates (BAs) and Covered Entities (CEs) that experience a breach
• Covers EHRs and PHRs:
- Final FTC regulations released August 18, 2009, covering vendors of PHRs and related entities not covered by HIPAA
- HHS interim final regulations and guidance released August 19, 2009, covering CEs and BAs (EHRs)
Responding to an Incident: Process Under the New Rule
• Determine whether a "Breach" occurred: what is a breach? What is not a breach?
• Determine whether breach notification is required
• Follow breach notification procedures
What is a Breach?
• A breach is the unauthorized acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule and which compromises the security and privacy of the PHI

What is NOT a Breach?
• It is important to know what is and is not a breach under the new Rules; if it is not a breach, notification will not be required
• There are two methods provided by the Rule for determining if a breach occurred:
1. By definition
2. By risk of harm analysis
Not a Breach by Definition
• A breach does not include:
- Unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a CE or BA, if made in good faith and within the scope of authority, and it does not result in further use or disclosure in a manner not permitted by the Privacy Rule
- Inadvertent disclosure by a person authorized to access PHI at a CE or BA to another person authorized to access PHI at the same CE, BA, or Organized Health Care Arrangement (OHCA), where the PHI is not further used or disclosed in a manner not permitted by the Privacy Rule
- A disclosure of PHI where the CE or BA has a good faith belief that the unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information
§164.402(2)
Not a Breach – Other Factors
• Not a breach:
- if the Privacy Rule was not violated
- if the privacy and security of the PHI were not compromised
- if PHI was not involved
- if the PHI is "secured" (rendered unusable, unreadable, or indecipherable to unauthorized persons under the HHS guidance)
- if there is no risk of harm

Breach Definition: No Risk of Harm
• A breach is the unauthorized acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule and which compromises the security and privacy of the PHI
• "Compromises the security and privacy of the PHI" means the incident must pose a significant risk of financial, reputational, or other harm to the individual; a risk assessment is to be conducted to determine whether such harm exists
HHS Breach Notification Procedures: Timing, Notice and Content
• Breach Notification Rule: timing, content & notice requirements
• 47 organizations have reported breaches of 500 or more individuals in the first reporting to HHS under this Rule:
- ranging from a low of 501 (AK Dept of HSS) to a high of 500,000 (BCBS of TN)
- involving >1 M individuals in the first months of reporting
• Since 3/12/09 the Privacy Rights Clearinghouse has reported 228 breaches; of these, 58 involved PHI (electronic and paper-based): http://www.privacyrights.org/ar/ChronDataBreaches.htm
State Notice of Breach Laws
The following states do not have a notice of breach law:
• Kentucky
• Mississippi
• New Mexico
• South Dakota
46 states PLUS:
• District of Columbia (B16-810, D.C. Code § 28-3851)
• Puerto Rico (Law 111 and Regulation 7207)
Most require businesses and/or government to notify state residents if their computerized "personal information" is involved in a data breach.
Compliance obligations can differ significantly and require research of the key provisions in every state in which you hold a resident's PI.
Emerging State Data Security Laws
• Ten states have laws requiring businesses to protect the "security & confidentiality" of personal information: AR, CA, CT, MD, MA, NV, RI, OR, TX, and UT
• Massachusetts is the only state that specifies what a business must do to comply:
- Implement a risk-based "comprehensive, written information security program", and
- Encrypt all personal information stored on laptops and portable devices, all records & files transmitted over public networks, and all data transmitted wirelessly
Criminal Penalties Applicable to an Individual or an Entity
• Wrongful disclosure of individually identifiable health information:
"...a person (including an employee or other individual) shall be considered to have obtained or disclosed individually identifiable health information in violation of this part if the information is maintained by a CE... and the individual obtained or disclosed such information without authorization"
• "Willful neglect" may be either criminal or civil
- A formal investigation will commence if a preliminary investigation of the facts identifies that a possible violation is due to willful neglect
- Burden of proof is on the CE and/or BA
HIPAA Criminal Penalties
A "knowing" violation shall:
(1) be fined not more than $50,000, imprisoned not more than 1 year, or both;
(2) if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and
(3) if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.
HITECH Act Civil Penalties
• Graduated penalties by level of culpability:
- Unknowing: tiers (A) through (D)
- Due to reasonable cause and not to willful neglect: tiers (B) through (D)
- Due to willful neglect, if corrected: tiers (C) through (D); if not corrected: tier (D)
(A) $100 for each such violation (the total amount imposed for all such violations during a calendar year may not exceed $25,000)
(B) $1,000 for each such violation (the total amount imposed on the person for all such violations during a calendar year may not exceed $100,000)
(C) $10,000 for each such violation (the total amount imposed on the person for all such violations during a calendar year may not exceed $250,000); and
(D) $50,000 for each such violation (the total amount imposed on the person for all such violations during a calendar year may not exceed $1,500,000)
• Money collected as civil penalties funds OCR enforcement
• State Attorneys General are also provided enforcement authority
Enforcement Funding
• Any civil monetary penalty or monetary settlement collected with respect to a criminal or civil action brought under the HIPAA security and privacy provisions shall be transferred to the Office for Civil Rights of HHS. This money will be used for enforcing the privacy and security provisions of HIPAA.
• The HITECH Act calls for a study by the GAO to determine the feasibility of distributing to victims of a violation a percentage of any collected civil monetary penalty or monetary settlement, and a methodology to accomplish this.
Enforcement by State Attorneys General
• If the Attorney General of a State has reason to believe that an interest of one or more residents of that State has been or is threatened or adversely affected by any person who violates a provision of HIPAA, the Attorney General may bring a civil action on behalf of such residents in a U.S. District Court.
• Damages are statutorily imposed:
- The amount = the number of violations times up to $100
- The total amount of damages imposed on the person for violations of all identical requirements or prohibitions during a calendar year shall not exceed $25,000
• The court may also award the Attorney General reasonable costs for bringing the action and attorney's fees.
Not much traction for "Negligent Protection of Data"
• The plaintiffs allege that a business collected their personal information for the business's purposes, and then negligently allowed a third party to improperly access that personal information.
• Plaintiffs have had difficulty establishing that the defendant has a duty to protect their information, and that they have suffered some compensable damage from that release.
U.S. Breach Litigation
• "[N]o court has considered the risk [of ID theft] itself to be damage"
• Key v. DSW Inc.; Bell v. Acxiom Corp.: plaintiffs were unable to prove that the information was used improperly, and an increased risk of ID theft alone was not enough
• Stollenwerk v. Tri-West Healthcare Alliance: plaintiff tried "fear of ID theft" as the damages; the court rejected that
• See also Pisciotta v. Old Nat'l Bancorp, Kahle v. Litton Loan Servicing, and Guin v. Brazos Higher Education Service Corporation, Inc.: the value of having good policies and procedures
Why Litigate, Then?
• Thus far plaintiffs have not been successful in proving negligence.
• No harm (provable damages), no foul, say the courts.
• But litigation is about poking and prodding.
• Plaintiffs are seeking the soft underbelly.
• The goal: huge settlements even without the merits.
TJX Companies Breach
• On Jan. 17, 2007, TJX Companies Inc. announced that the portion of its computer network handling customer transactions had been breached by unauthorized individuals; >46.2 M credit/debit cards compromised
• Litigation & investigations followed; new laws to protect banks were considered in CA, CT, IL, MA, MN, NJ, and TX (only MN actually enacted one)
• What was once as many as 18 separate putative bank & consumer class action lawsuits against the company has since been reduced
• September 2007: settlement includes $7 M to reimburse customers

TJX Companies Breach (Continued)
• November 2007: settlement with Visa (and issuing banks), $40.9 M
• December 2007: TJX settled for $40 M with banking associations & all but one individual bank for reimbursement of their costs
• April 2008: settlement with MasterCard (and issuing banks), $34 M
• June 2009: $9.8 M to a group of 41 state AGs
• September 2009: an additional $525,000 to the FIs
• Total: $132,225,000
Hannaford and Heartland
• Hannaford Bros. Co. supermarkets (parent Delhaize America): >12 separate class actions in FL, ME, NH and NY
• Heartland Payment Systems, Inc. litigation: negligence, breach of contract, breach of implied contract, violation of the NJ Consumer Fraud Act, and negligence per se
- Heartland faced 17 class actions and 10 bank & credit union class actions related to the breach. Heartland agreed to pay:
- nearly $4.7 M (up to $2.4 M in damages, $760,000 in attorney's fees & expenses, & up to $1.5 M in admin costs)
- Am Ex Travel Related Services Co. Inc.: just over $3.5 M
- a maximum of $60 M to Visa and Visa card-issuing banks
• Total: $68,960,000 (8-K filing stated up to $73 M)
Breaches Cost Money, Even Without Litigation
• U.S. organizations continue to experience an increased cost of data breaches:
- Avg. cost up nearly 2%, from $6.65 M (2008) to $6.75 M (2009)
- Avg. cost per compromised record up $2 ($202 to $204)
- The most expensive data breach event included in this year's study cost nearly $31 M to resolve
• Companies that notify victims too quickly may in fact incur higher costs: $219 versus $196 per record, a 12% difference
• The leadership of a CISO or equivalent position substantially reduces the overall cost of data breaches
Source: 2009 Annual Study: Cost of a Data Breach: Understanding Financial Impact, Customer Turnover, and Preventive Solutions, The Ponemon Institute
E-Health: Is a Claim Just a Click Away?
Future Trends/Outlook for 2010 and Beyond
Current Situation
• More people living longer
• The number of people with chronic illnesses is going to increase
• Therefore, increased pressure on the healthcare system and on technology requirements
• One of the key drivers of healthcare reform is recognition of this problem and the attempt to deal with it:
- Better quality of care
- Cost containment
- Better deployment of technology

Coordination of Care
• Draws the 3 elements together
• Fragmented delivery of care
• Many different siloed systems, e.g. billing, care, control, record keeping, data
• Physicians & hospitals will become the pivot for delivering under this new approach and for coordinating amongst other providers, as well as handling records and billing
• For this approach to work it will require efficient, usable technology with greater access points & capability than before
• HITECH is an attempt to facilitate and encourage/require the adoption of such an approach
Is this all going to work?
• Great in theory, but what about in practice?
• Short time frame: HITECH compliance by 2011 is ambitious
• Technology providers will be key. Are they up to it?
• More systems, broader coverage, more people accessing them is a bigger exposure
• Implementation will be key
• This will ultimately drive insurance requirements as the number of breaches and the average costs involved grow
• Claims scenarios become more complex, with greater scope for uncertainty as to where the responsibility lies
• Insurance policies will have to adapt to provide the coverage required as underwriting becomes more complex & exposures shift and change
Other Considerations
• Electronic Personal Health Records: as we move to EHRs, exposure increases; the records attract more interest & are more personal. This could have an impact on the number and size of breaches.
• Solutions: clients are looking for solutions & service, not just an insurance product. As exposure & complexity grow, this will continue to be one of the main drivers for purchasing insurance.
• Sub-limits: must be addressed in the insurance market to provide the coverage required in the event of a claim.
• Underwriting: time will tell.
- More complex and in-depth underwriting
- Risks carrying greater exposures
- Broader policies
- Claims solutions must keep pace with a changing market