Overcoming Legal Barriers HIT Adoption

Overcoming Legal Barriers to Health IT Adoptions Robert L. Coffield Flaherty, Sensabaugh & Bonasso, PLLC Charleston, West Virginia

The WORLD has changed . . .

. . . and so has the HIT landscape.

American Recovery and Reinvestment Act of 2009 • Title XIII – “Health Information Technology” (HITECH Act) • Health Information Technology for Economic and Clinical Health Act • The Health Reinvestment: $19 billion for HIT • Significant expansion of HIPAA privacy and security • Impacts every provider, insurer and 3rd party vendor that stores or accesses medical/health information • HITECH – Subtitle A – Promotion of HIT – Subtitle B – Testing of HIT – Subtitle C – Grants and Loans Funding – Subtitle D - Privacy

What Does the HITECH Act Mean? • New Federal Breach Notification Requirement: – Follows standard state notification – but more stringent than many (no federal preemption) – Notify Individuals of breach within 60 days – 500+ requires immediate notification to HHS (under 500 report annually to HHS) – “Unsecured PHI” triggers breach (PHI that is not protected by technologies that render the PHI “unusable, unreadable or indecipherable”) Does this mean encrypted? – Effective 30 days after HHS publishes regulation

What Does the HITECH Act Mean? • Personal Health Records (PHRs): – PHR is “electronic record of health information on an individual drawn from multiple sources and is managed, shared and controlled by or primarily for the individual” – PHR vendors now subject to breach notification requirements. Must notify FTC and FTC then notifies HHS. – FTC will apply “unfair/deceptive trade practice” – PHR vendors must comply as a BA of CE

What Does the HITECH Act Mean? • HIPAA Business Associates: – Major impact on non-CE world who handle health information. Feds have increased control over BAs. – Now 3rd party BAs (vendors) subject to direct regulation – Now subject to privacy and security provisions – BAs must detect/report security breaches to CEs within 60- day period – Direct civil/criminal penalties apply to BAs

What Does the HITECH Act Mean? • Restricting Remuneration and Sale of PHI: – No direct/indirect remuneration in exchange for any PHI unless valid HIPAA authorization signed by patient/consumer. – Exceptions: public health, research, treatment, sale/merger of CE, $$$ paid by CE to BA for services – This could significantly impede business transactions to share/aggregate health data.

What Does the HITECH Act Mean? • Patient/Consumer Rights: – Greater liquidity of health data. Right to “electronic copy” of your health information and to have electronic copy transferred to others. – Expands “accounting for disclosure requirements” for CE using EHRs (accounting for TPO for 3-year period). – Individual now has right to require CE to protect PHI and not disclose for payment/health care operations if consumer paid cash for service. – Requirement for consent to use/disclose PHI will be studied.

What Does the HITECH Act Mean? • Enforcement Changes: – Increased civil money penalties (tiered: $100 to $1.5M) – Criminal penalties extended to employees of CE and others – Expands enforcement to state AGs to bring actions – HHS to develop process to distribute percentage of penalty to harmed individuals (3rd party right of action?)

Federal and/or State Oversight • Complex and conflicting health care laws. Barriers to compliance and business practices. • Examples for health care: – HIPAA (no federal preemption; state by state legal and regulatory barriers) – Unique state licensure laws – Breach notification laws (differ by state and now federal) • How does ARRA change the policy/legal landscape?

Ownership of Health Information • Old adage: Possession is nine-tenths of the law. • Physical possession = ownership/legal control. Bundle of Rights: right to use, dispose and exclude others. • Traditional state law: providers own medical records which they maintain – subject to patient’s rights to access/copy records. • HIPAA added rights: corrections, accounting, confidentiality • Today: Who owns? Patient/consumer? Provider? Insurer? Technology company? Government?

Ownership of Health Information • Battle for ownership/legal control. EHR vs. PHR • The impact of social media and web/health 2.0 on legal/policy question? • Facebook Terms of Service: – Who owns the data? Members vs. Facebook – You share and grant FB a license to share with others. Is this license permanent? What happens to data you share with others? How does FB value ($$$) data? – 175M users (6th largest country) and many voiced concern about TOS change – Will this be precedent for health information, PHR vendors and Health 2.0 companies? • Does the HITECH Act shift the balance on ownership?

WEB/HEALTH 2.0 • • THEN NOW • • Author-Generated Dynamic and User-Generated • • Controlled message Mental chatter & wisdom of crowd • • Read Read, write and collaborate • • Silo Intelligence Collective Intelligence • • Static Web Participatory Web • • Organization Driven Community Driven • • Search/Retrieval Creation/Discussion • • Software Release Software as Service • • Desktop Computing Cloud Computing • • Central data Decentralized data • • World Wide Web World Live Web

HOW IS HEALTH 2.0 IMPACTING CONSUMER DRIVEN CARE? • • Health 1.0 Health 2.0 • • Opaque System Transparency • • Passive Patient Engaged Consumer • • Physician Authority Physician Advisor • • Insurance Adversary Health Plan Advocate • • System-Generated User-Generated • • Health Care Health and Wellness

Consumer Driven Care and Social Media • Traditionally law/policy is slow and reactive. • Social media and web/health 2.0 is changing the way we create, interpret and enforce laws. • Example: ARRA Wiki. New way to dissect and understand laws. • Social media is changing the privacy benchmark. • Health technology will be in constant beta (disruption) for the next 10 years. How can policy/law become more proactive?

Robert L. Coffield Flaherty, Sensabaugh & Bonasso, PLLC Charleston, West Virginia Health Care Law Blog http://healthcarebloglaw.blogspot.com Email: RCoffield@fsblaw.com Twitter: @bobcoffield

http://healthcarebloglaw.blogspot.com	38
http://www.slideshare.net	5
http://www.in3.org	1

Overcoming Legal Barriers HIT Adoption

by Bob Coffield on Feb 24, 2009

Accessibility

Categories

Tags

Upload Details

Usage Rights

3 Embeds 44

Statistics

Overcoming Legal Barriers HIT Adoption — Presentation Transcript