
E-Health: Is a Claim Just a Click Away?


Page 1

2010 Medical Professional Liability Symposium
Chicago, IL ~ March 18 & 19, 2010

E-Health: Is a Claim Just a Click Away?

Page 2

E-Health: Is a Claim Just a Click Away?

Moderator:

Fran O'Connell, RN, MBA, Managing Director, Medical Professional Liability, Markel Corporation

Panelists:

M. Peter Adler, Esq., CISSP, CIPP, Chief Privacy Officer, UnitedHealth Group

Paul Bantick, Underwriter, Beazley

Sharon R. Klein, Esq., Partner, Pepper Hamilton, LLP

Page 3

2010 Medical Professional Liability Symposium

e-Health Defined
Global Reach; Global Risk

Page 4

E-Health Defined

“Healthcare supported by electronic processes and communication”

• Electronic Health Records
• Telemedicine
• Automatic Clinical Protocols/Alerts
• Virtual Healthcare Teams
• mHealth
• Patient Monitoring
• Distance Learning - Telehealth

Page 5

Page 6

Healthcare Provider/Payer Technologies

• Remote Healthcare Information Systems
• Virtual Rounding
• Remote Operations
• Clinical Alerts
• Medical Robots
• Wireless implants/chips

Page 7

Consumer Health Technologies

• Smart Phones
• PHRs (HealthVault)
• Social Networks (Facebook)
• Smart home sensors/monitoring
• Use of email to link patients and clinicians
• Web Portals

Page 8

Ponemon Institute Findings

Page 9

Global Risks

• Medical Identity Theft
• Internet use without encryption
• Lack of uniform security standards (mobile devices)
• Expansion to players unfamiliar with healthcare
• Outsourcing/Offshoring
• No global rules for data exchange/transfer

Page 10

Risk of Lawsuits/Reputational Injury

• Regulation: sanctions, fines, penalties
• Public Enforcement: FTC, HHS/OCR, FDA, State attorney general(s)
• Private Rights of Action: individual suits (common law, statutory), class actions

Page 11

E-Health: Is a Claim Just a Click Away?

E-Health Privacy, Security, Data Breaches and Potential Liability

Peter Adler, Esq., CISSP, CIPP
United Healthcare Group

Page 12

HIPAA

• Pertains to individually identifiable health information that:
  - Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
  - Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
  - Identifies the individual, or there is a reasonable basis to believe the information can be used to identify the individual
• Applies to “Covered Entities”:
  - Health providers
  - Health plans
  - Health care clearinghouses

Page 13

HIPAA Security Requirements

HIPAA COMPLIANCE (diagram): Technical Security; Administrative Security; Physical Security; Business Associate Management; Procedures, Legal Compliance

Page 14

Safeguards

Standards, Safeguards and Implementation Features

• Standards: CEs/BAs required to comply with standards
  - Administrative, 45 C.F.R. §164.308
  - Physical, 45 C.F.R. §164.310
  - Technical, 45 C.F.R. §164.312
  - Organizational Requirements, 45 C.F.R. §164.314
  - Policies and Procedures and Documentation Requirements, 45 C.F.R. §164.316
• Implementation Specifications:
  - Required - must be implemented after a risk analysis
  - Addressable - second-level risk analysis is required

Page 15

Privacy: Rules-Based vs. Risk-Based

• General Principles of Privacy Regulations establish a Rules-Based Permissive Model: a use and disclosure of PHI is not permitted unless the Rule specifically permits it
• A covered entity may not use or disclose PHI, except as the Privacy Rule permits or requires, or as incident to an otherwise permitted use and disclosure.
• To define and limit the circumstances in which an individual’s protected health information (PHI) may be used or disclosed by covered entities.
• Emphasis on “gap analysis” rather than a risk analysis

Page 16

Uses and Disclosures Permitted without Authorization

• To the Individual (unless required for access or accounting of disclosures);
• Treatment, Payment, and Health Care Operations;
• Opportunity to Agree or Object;
• Public Interest and Benefit Activities; and
• Limited Data Set for the purposes of research, public health or health care operations

Page 17

Individual Authorization for Disclosures

• Authorization: A covered entity must obtain the individual’s written authorization for any use or disclosure of protected health information that is not for treatment, payment or health care operations or otherwise permitted or required by the Privacy Rule
• Psychotherapy Notes
• Marketing

Page 18

Minimum Necessary

• A covered entity must make reasonable efforts to use, disclose, and request only the minimum amount of PHI needed to accomplish the intended purpose of the use, disclosure, or request.

• A covered entity must develop and implement policies and procedures to reasonably limit uses and disclosures to the minimum necessary.

• When the minimum necessary standard applies to a use or disclosure, a covered entity may not use, disclose, or request the entire medical record for a particular purpose, unless it can specifically justify the whole record as the amount reasonably needed for the purpose.

• Not applicable in certain situations

45 C.F.R. §§ 164.502(b) and 164.514(d).

Page 19

ARRA: Overview of Other Key Provisions - 1

• Clarification and expansion of the definition of a “business associate”
• Increased business associate legal obligations
• Notification for breaches involving protected health information (PHI)
• Special provisions for vendors of personal health records and other non-HIPAA covered entities
• Restrictions on certain disclosures. Individuals will have the right to prohibit the disclosure of PHI to a health plan for items or services that the individual paid for in full out-of-pocket
• Restrictions on sales of EHRs or PHI. Covered entities and business associates may not sell PHI and EHRs, except in limited circumstances, unless the individual authorizes the sale.

Page 20

ARRA: Overview of Other Key Provisions - 1

• Accounting of certain PHI disclosures required if covered entity uses an EHR. Covered entities must provide an accounting of disclosures of PHI made to carry out treatment, payment, and healthcare operations when the PHI is in an EHR
• Access to Certain Information in Electronic Format. An individual has a right to obtain from the covered entity a copy of his or her information in an electronic format
• Conditions on certain communications as part of healthcare operations. Limits the healthcare operations exception for communications when the covered entity receives remuneration for the communication, except in limited circumstances.
• Fundraising Opt-Out
• Enhancement of enforcement, funding for enforcement and increased penalties

Page 21

Increased Business Associate Legal Obligations

• Each security and privacy requirement in the HITECH Act that is applicable to a covered entity is also applicable to a business associate and should be included in a business associate contract.

• A business associate must comply with the same administrative, technical, and physical safeguards that a covered entity is required to comply with under the Security Rule.

• Must also comply with the document requirements of the security rule (policies, procedures and other documents).

• Business associates that violate the security and privacy provisions of HIPAA are subject to the same civil and criminal penalties as a covered entity.

Page 22

Clarification and Expansion of “Business Associate” Definition

• Definition of “business associate” includes entities that provide data transmission services to a covered entity (or its business associate) if the service involves access to PHI on a routine basis, including:
  - a health information exchange organization;
  - a regional health information organization;
  - an E-prescribing Gateway; or
  - any vendor that contracts with the covered entity to allow the covered entity to offer a personal health record (PHR) to patients.

Page 23

Overview of Breach Notification Rule

• Applies some state breach notification concepts to federal health care law
• Applies to Business Associates (BAs) and Covered Entities (CEs) that experience a breach
• Covers EHRs and PHRs
  - Final FTC regulations released August 18, 2009 (EHRs)
  - Final HHS interim regulations and guidance released August 19, 2009 (PHRs)

Page 24

Responding to an Incident: Process Under the New Rule

• Determine whether a “Breach” occurred
  - What is a Breach?
  - What is Not a Breach?
• Determine whether breach notification is required
• Follow Breach Notification Procedures

Page 25

What is a Breach?

• A breach is the unauthorized acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule and which compromises the security and privacy of the PHI

Page 26

What is NOT a Breach?

• It is important to know what is and is not a breach under the new Rules; if not a breach, notification will not be required
• There are two methods provided by the Rule for determining if a breach occurred:
  1. By Definition
  2. By Risk of Harm Analysis

Page 27

Not a Breach by Definition

• A Breach does not include:
  - Acquisition, access, use or disclosure of PHI by a workforce member or person acting under the authority of a CE or a BA which does not result in further use or disclosure in a manner inconsistent with the Privacy Rule, and the disclosure is:
    • made in good faith and within the scope of authority
    • inadvertently made, from one authorized person to another within a CE, BA or an Organized Health Care Arrangement (OHCA)
  - A disclosure of PHI where a CE or BA has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information

§164.402(2)

Page 28

Not a Breach – Other Factors

Breach Definition: A breach is the unauthorized acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule and which compromises the security and privacy of the PHI

• Not a Breach:
  - if Privacy Rule not violated
  - if Privacy and Security of PHI not compromised
• PHI Not Involved
• PHI is “Secured”
• There is No Risk of Harm

Page 29

No Risk of Harm

Definition: A breach is the unauthorized acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule and which compromises the security and privacy of the PHI

• A compromise of the security and privacy of the PHI must pose a significant risk of financial, reputational, or other harm to the individual
  - A risk assessment is to be conducted to determine if harm exists

Page 30

HHS Breach Notification Procedures: Timing, Notice and Content

• The Breach Notification Rule provides specific timing, content and notice requirements
• 47 organizations have reported breaches of 500 or more in the first reporting to HHS under this Rule
  - Range from a low of 501 (Alaska Department of Health and Social Services) to a high of 500,000 (Blue Cross Blue Shield of Tennessee)
  - Involving more than 1 million individuals in the first months of the reporting program
• Since March 12, 2009 the Privacy Rights Clearinghouse has reported 228 breaches. Of these, 58 involved protected health information
  - Includes electronic and paper-based PHI
  - http://www.privacyrights.org/ar/ChronDataBreaches.htm

Page 31

State Notice of Breach Laws

The following states do not have a notice of breach law:
• Kentucky
• Mississippi
• New Mexico
• South Dakota

46 States PLUS:
• District of Columbia (B16-810, D.C. Code § 28-3851)
• Puerto Rico (Law 111 and Regulation 7207)

Most require businesses and/or government to notify state residents if their computerized “personal information” is involved in a data breach.

Compliance obligations can differ significantly and require research of key provisions in every state for which you have a resident’s PI.

Page 32

Emerging State Data Security Laws

• Ten states have laws requiring businesses to protect the “security and confidentiality” of personal information about residents
  - Arkansas, California, Connecticut, Maryland, Massachusetts, Nevada, Rhode Island, Oregon, Texas, and Utah
  - Massachusetts is the only state that specifies what a business must do to comply:
    • Implement a risk-based “comprehensive, written information security program” in accordance with a detailed list of requirements; and
    • Encrypt all personal information stored on laptops or other portable devices, all records and files transmitted over public networks “to the extent technically feasible,” and all data transmitted wirelessly.

201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth; promulgated pursuant to Mass. Gen. Law 93H

Page 33

Criminal Penalties Applicable to an Individual or an Entity

• Wrongful disclosure of individually identifiable information only if:

  “…a person (including an employee or other individual) shall be considered to have obtained or disclosed individually identifiable health information in violation of this part if the information is maintained by a covered entity... and the individual obtained or disclosed such information without authorization”

• “Willful neglect” may be either criminal or civil
  - A formal investigation will commence whenever a preliminary investigation of the facts identifies that a possible violation is due to willful neglect
  - Burden of proof is on the CE and/or BA

Page 34

HIPAA Criminal Penalties

A “knowing” violation shall:
(1) be fined not more than $50,000, imprisoned not more than 1 year, or both;
(2) if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and
(3) if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.

Page 35

HITECH Act Civil Penalties

• Graduated Penalties:
  - unknowing: (A) through (D)
  - due to reasonable cause and not to willful neglect: (B) through (D)
  - due to willful neglect: if corrected, (C) through (D); if not corrected, (D)

(A) $100 for each such violation, except that the total amount imposed on the person for all such violations of an identical requirement or prohibition during a calendar year may not exceed $25,000

(B) $1,000 for each such violation, except that the total amount imposed on the person for all such violations of an identical requirement or prohibition during a calendar year may not exceed $100,000;

(C) $10,000 for each such violation, except that the total amount imposed on the person for all such violations of an identical requirement or prohibition during a calendar year may not exceed $250,000; and

(D) $50,000 for each such violation, except that the total amount imposed on the person for all such violations of an identical requirement or prohibition during a calendar year may not exceed $1,500,000.

• Money collected for civil damages funds OCR enforcement
• State Attorneys General also provided enforcement authority

Page 36

Enforcement Funding

• Any civil monetary penalty or monetary settlement collected with respect to a criminal or civil action brought under the HIPAA security and privacy provisions shall be transferred to the Office for Civil Rights of HHS
  - This money will be used for enforcing the privacy and security provisions of HIPAA
• The HITECH Act calls for a study by the GAO to determine the feasibility of distributing to victims of a violation a percentage of any collected civil monetary penalty or monetary settlement, and the methodology to accomplish this.

Page 37

Enforcement by State Attorneys General

• When there is reason to believe that an interest of one or more of the residents of that state has been or is threatened or adversely affected by any person who violates the provisions of HIPAA, the Attorney General of the State may bring a civil action on behalf of such residents of the state in a U.S. District Court.
• Damages will be statutorily imposed
  - The amount is calculated by multiplying the number of violations by up to $100
  - The total amount of damages imposed on the person for violations of all identical requirements or prohibitions during a calendar year shall not exceed $25,000
• The court may also award the Attorney General reasonable costs for bringing the action and attorney’s fees

Page 38

Not much traction for “Negligent Protection of Data”

• The plaintiffs allege that a business collected their personal information for the business’ purposes, and then negligently allowed a third party to improperly access that personal information.
• Plaintiffs have had difficulty establishing that the defendant has a duty to protect their information, and that they have suffered some compensable damage from that release.

Page 39

U.S. Breach Litigation

• “[N]o court has considered the risk [of ID theft] itself to be damage”
• Key v. DSW Inc., 454 F. Supp. 2d 684 (D. Ohio 2006); Bell v. Acxiom Corp., No. 4:06CV00458-WRW (E.D. Ark. Oct. 3, 2006) (Plaintiffs were unable to prove that the information was used improperly and that increased risk of ID theft was enough)
• Stollenwerk v. Tri-West Healthcare Alliance, No. Civ. 03-0185 (D. Ariz. September 6, 2005) (Plaintiff tried “fear of identity theft” as their damages – the Court rejected that; another Plaintiff proved that a miscreant tried to open up a credit card account with Plaintiff’s information – Court rejected that – “you cannot prove THIS breach was how they got your information”)
• See also Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629 (7th Cir. 2007); Kahle v. Litton Loan Servicing LP (case no. 1:05cv756 (Ohio)); and Guin v. Brazos Higher Education Service Corporation, Inc., 2006 WL 288483 (D. Minn. 2006) (the value of having good policies and procedures).

Page 40

Why Litigate, Then?

• Thus far they have not been successful proving negligence

• No harm (provable damages), no foul, say the Courts.

• But litigation is about poking and prodding.

• Plaintiffs are seeking the soft underbelly.

• The goal: Huge settlements even without the merits

Page 41

TJX Companies Breach

• On Jan. 17, 2007, TJX Companies Inc., including TJ Maxx, Marshalls and Home Goods, announced that the portion of its computer network that handles customer transactions was broken into by unauthorized individuals and at least 46.2 million credit and debit cards may have been compromised
  - This resulted in litigation and investigations, and consideration of new laws to protect banks in California, Connecticut, Illinois, Massachusetts, Minnesota, New Jersey and Texas. Only the Minnesota law was actually enacted
  - Settlements have reduced what once was as many as 18 separate putative bank and consumer class action lawsuits against the company
• September 2007 - Settlement included $7 million to reimburse customers for credit monitoring and other identity theft mitigation measures they undertook, and to hold a company-wide one-day sale
• November 2007 - Settlement with Visa (and issuing banks): $40.9 million
• December 2007 - TJX settled for $40 million with banking associations and all but one individual bank that filed class actions seeking reimbursement of their costs associated with the breach, such as reissuing compromised credit cards and covering fraudulent purchases
• April 2008 - Settlement with MasterCard (and issuing banks): $34 million
• June 2009 - $9.8 million to a group of 41 state attorneys general
• September 2009 - additional $525,000 to the financial institutions

Total – $132,225,000

Page 42

Hannaford and Heartland

• Hannaford Bros. Co. supermarket chain and its parent corporation Delhaize America Inc.
  - Over 12 separate class actions in Florida, Maine, New Hampshire and New York – still fighting it out
• Heartland Payment Systems, Inc. litigation
  - Negligence, Breach of Contract, Breach of Implied Contract, Violation of New Jersey Consumer Fraud Act, and Negligence Per Se
  - Heartland faced a total of 17 consumer class actions and 10 bank and credit union class actions related to the breach. To settle, Heartland agreed to pay:
    • nearly $4.7 million (up to $2.4 million in actual damages), $760,000 in attorney's fees and expenses, and up to $1.5 million in administration costs
    • American Express Travel Related Services Company Inc.: just over $3.5 million to settle any claims
    • A maximum of $60 million to Visa Inc. and Visa card-issuing banks

Total - $68,960,000 (8-K filing stated up to $73m)

Page 43

Breaches Cost Money, Even Without Litigation

• U.S. organizations continue to experience an increased cost of data breaches
  - Average organizational cost increased nearly 2 percent, from $6.65 million in our 2008 study to $6.75 million in 2009
  - The average cost per compromised record per breach rose only $2, from $202 to $204.
  - The most expensive data breach event included in this year's study cost one organization nearly $31 million to resolve
• Companies that notify victims too quickly may in fact incur higher costs: $219 versus $196, a 12% difference
• The leadership of a CISO or equivalent position substantially reduces the overall cost of data breaches

Source: 2009 Annual Study: Cost of a Data Breach: Understanding Financial Impact, Customer Turnover, and Preventive Solutions, The Ponemon Institute

Page 44

E-Health: Is a Claim Just a Click Away?

Future Trends/Outlook for 2010 and Beyond

Paul Bantick

Technology, Media and Business Services

Beazley Group

Page 45

Page 46

Current situation

• More people living longer
• Number of people with chronic illnesses is going to increase
• Therefore, increased pressure on the healthcare system and technology requirements
• One of the key drivers of healthcare reform is recognition of this problem and an attempt to deal with this issue:
  - Better quality of care
  - Cost containment
  - Better deployment of technology

Page 47

Coordination of Care

• Draws the 3 elements together.

• Fragmented delivery of care

• Many different siloed systems e.g. billing, care, control, record keeping, data

• Physicians and hospitals will become the pivot for delivering under this new approach and for coordinating amongst other providers as well as handling records and billing.

• For this approach to work it will require efficient and usable technology with greater access points and capability than before.

• HITECH is an attempt to facilitate and encourage/require the adoption of such an approach.

Page 48

Is this all going to Work?

• Great in theory, but what in practice?
• Short time frame – achieving HITECH compliance by 2011 is ambitious.
• Technology providers will be key. Are they up to it?
• More systems with broader coverage and more people accessing them is a bigger exposure
• Implementation will be key.
• This will ultimately drive insurance requirements as the number of breaches and the average costs involved grow.
• Claims scenarios become more complex, with greater scope for uncertainty as to where the responsibility lies.
• Insurance policies will have to adapt to provide the coverage required as underwriting becomes more complex and exposures shift and change.

Page 49

Other considerations

• Electronic Personal Health Records – As we move away from paper, exposure increases; electronic records attract more people's interest and are a more personal record. This could have an impact on the number and size of breaches.
• Solutions – Clients are looking for solutions and service and not just an insurance product. As exposure and complexity grow, this will continue to be one of the main drivers for purchasing insurance.
• Sub-limits – This is an area that must be addressed in the insurance market to provide the coverage required in the event of a claim
• Underwriting – Time will tell.
  - More complex and in-depth underwriting.
  - Risks carrying greater exposures
  - Broader policies
  - Claims solutions must keep pace with a changing market.