Overcoming Legal Barriers to Health IT Adoptions
Robert L. Coffield
Flaherty, Sensabaugh & Bonasso, PLLC
Charleston, West Virginia

The WORLD has changed . . .

. . . and so has the HIT landscape.

American Recovery and Reinvestment
Act of 2009
• Title XIII – “Health Information Technology” (HITECH Act)
• Health Information Technology for Economic and Clinical Health Act
• The Health Reinvestment: $19 billion for HIT
• Significant expansion of HIPAA privacy and security
• Impacts every provider, insurer and 3rd party vendor that stores or accesses
medical/health information
• HITECH
– Subtitle A – Promotion of HIT
– Subtitle B – Testing of HIT
– Subtitle C – Grants and Loans Funding
– Subtitle D - Privacy

What Does the HITECH Act Mean?
• New Federal Breach Notification Requirement:
– Follows standard state notification – but more stringent
than many (no federal preemption)
– Notify Individuals of breach within 60 days
– 500+ requires immediate notification to HHS (under 500
report annually to HHS)
– “Unsecured PHI” triggers breach (PHI that is not protected
by technologies that render the PHI “unusable, unreadable
or indecipherable”) Does this mean encrypted?
– Effective 30 days after HHS publishes regulation

What Does the HITECH Act Mean?
• Personal Health Records (PHRs):
– PHR is “electronic record of health information on an
individual drawn from multiple sources and is managed,
shared and controlled by or primarily for the individual”
– PHR vendors now subject to breach notification
requirements. Must notify FTC and FTC then notifies HHS.
– FTC will apply “unfair/deceptive trade practice”
– PHR vendors must comply as a BA of CE

What Does the HITECH Act Mean?
• HIPAA Business Associates:
– Major impact on non-CE world who handle health
information. Feds have increased control over BAs.
– Now 3rd party BAs (vendors) subject to direct regulation
– Now subject to privacy and security provisions
– BAs must detect/report security breaches to CEs within 60-
day period
– Direct civil/criminal penalties apply to BAs

What Does the HITECH Act Mean?
• Restricting Remuneration and Sale of PHI:
– No direct/indirect remuneration in exchange for any PHI
unless valid HIPAA authorization signed by
patient/consumer.
– Exceptions: public health, research, treatment, sale/merger
of CE, $$$ paid by CE to BA for services
– This could significantly impede business transactions to
share/aggregate health data.

What Does the HITECH Act Mean?
• Patient/Consumer Rights:
– Greater liquidity of health data. Right to “electronic copy” of
your health information and to have electronic copy
transferred to others.
– Expands “accounting for disclosure requirements” for CE
using EHRs (accounting for TPO for 3-year period).
– Individual now has right to require CE to protect PHI and
not disclose for payment/health care operations if
consumer paid cash for service.
– Requirement for consent to use/disclose PHI will be
studied.

What Does the HITECH Act Mean?
• Enforcement Changes:
– Increased civil money penalties (tiered: $100 to $1.5M)
– Criminal penalties extended to employees of CE and others
– Expands enforcement to state AGs to bring actions
– HHS to develop process to distribute percentage of penalty
to harmed individuals (3rd party right of action?)

Federal and/or State Oversight
• Complex and conflicting health care laws. Barriers to
compliance and business practices.
• Examples for health care:
– HIPAA (no federal preemption; state by state legal and
regulatory barriers)
– Unique state licensure laws
– Breach notification laws (differ by state and now federal)
• How does ARRA change the policy/legal landscape?

Ownership of Health Information
• Old adage: Possession is nine-tenths of the law.
• Physical possession = ownership/legal control. Bundle of
Rights: right to use, dispose and exclude others.
• Traditional state law: providers own medical records which
they maintain – subject to patient’s rights to access/copy
records.
• HIPAA added rights: corrections, accounting, confidentiality
• Today: Who owns? Patient/consumer? Provider? Insurer?
Technology company? Government?

Ownership of Health Information
• Battle for ownership/legal control. EHR vs. PHR
• The impact of social media and web/health 2.0 on legal/policy
question?
• Facebook Terms of Service:
– Who owns the data? Members vs. Facebook
– You share and grant FB a license to share with others. Is this license
permanent? What happens to data you share with others? How does FB
value ($$$) data?
– 175M users (6th largest country) and many voiced concern about TOS
change
– Will this be precedent for health information, PHR vendors and Health
2.0 companies?
• Does the HITECH Act shift the balance on ownership?

WEB/HEALTH 2.0
• •
THEN NOW
• •
Author-Generated Dynamic and User-Generated
• •
Controlled message Mental chatter & wisdom of crowd
• •
Read Read, write and collaborate
• •
Silo Intelligence Collective Intelligence
• •
Static Web Participatory Web
• •
Organization Driven Community Driven
• •
Search/Retrieval Creation/Discussion
• •
Software Release Software as Service
• •
Desktop Computing Cloud Computing
• •
Central data Decentralized data
• •
World Wide Web World Live Web

HOW IS HEALTH 2.0 IMPACTING
CONSUMER DRIVEN CARE?
• •
Health 1.0 Health 2.0
• •
Opaque System Transparency
• •
Passive Patient Engaged Consumer
• •
Physician Authority Physician Advisor
• •
Insurance Adversary Health Plan Advocate
• •
System-Generated User-Generated
• •
Health Care Health and Wellness

Consumer Driven Care and Social Media
• Traditionally law/policy is slow and reactive.
• Social media and web/health 2.0 is changing the way
we create, interpret and enforce laws.
• Example: ARRA Wiki. New way to dissect and
understand laws.
• Social media is changing the privacy benchmark.
• Health technology will be in constant beta (disruption)
for the next 10 years. How can policy/law become
more proactive?

Robert L. Coffield
Flaherty, Sensabaugh & Bonasso, PLLC
Charleston, West Virginia
Health Care Law Blog
http://healthcarebloglaw.blogspot.com
Email: RCoffield@fsblaw.com
Twitter: @bobcoffield