Overcoming Legal Barriers HIT Adoption



Overcoming Legal and Policy Barriers to Health IT Adoption, World Health Care Congress Leadership Summit on Consumer Connectivity. Examination of changes to HIPAA privacy provisions under ARRA.


Usage Rights

© All Rights Reserved


Overcoming Legal Barriers HIT Adoption Presentation Transcript

  • Overcoming Legal Barriers to Health IT Adoptions
    Robert L. Coffield
    Flaherty, Sensabaugh & Bonasso, PLLC
    Charleston, West Virginia
  • The WORLD has changed . . .
  • . . . and so has the HIT landscape.
  • American Recovery and Reinvestment Act of 2009
    • Title XIII – “Health Information Technology” (HITECH Act)
    • Health Information Technology for Economic and Clinical Health Act
    • The Health Reinvestment: $19 billion for HIT
    • Significant expansion of HIPAA privacy and security
    • Impacts every provider, insurer and 3rd party vendor that stores or accesses medical/health information
    • HITECH
      – Subtitle A – Promotion of HIT
      – Subtitle B – Testing of HIT
      – Subtitle C – Grants and Loans Funding
      – Subtitle D – Privacy
  • What Does the HITECH Act Mean?
    • New Federal Breach Notification Requirement:
      – Follows standard state notification – but more stringent than many (no federal preemption)
      – Notify Individuals of breach within 60 days
      – 500+ requires immediate notification to HHS (under 500 report annually to HHS)
      – “Unsecured PHI” triggers breach (PHI that is not protected by technologies that render the PHI “unusable, unreadable or indecipherable”) Does this mean encrypted?
      – Effective 30 days after HHS publishes regulation
  • What Does the HITECH Act Mean?
    • Personal Health Records (PHRs):
      – PHR is “electronic record of health information on an individual drawn from multiple sources and is managed, shared and controlled by or primarily for the individual”
      – PHR vendors now subject to breach notification requirements. Must notify FTC and FTC then notifies HHS.
      – FTC will apply “unfair/deceptive trade practice”
      – PHR vendors must comply as a BA of CE
  • What Does the HITECH Act Mean?
    • HIPAA Business Associates:
      – Major impact on non-CE world who handle health information. Feds have increased control over BAs.
      – Now 3rd party BAs (vendors) subject to direct regulation
      – Now subject to privacy and security provisions
      – BAs must detect/report security breaches to CEs within 60-day period
      – Direct civil/criminal penalties apply to BAs
  • What Does the HITECH Act Mean?
    • Restricting Remuneration and Sale of PHI:
      – No direct/indirect remuneration in exchange for any PHI unless valid HIPAA authorization signed by patient/consumer.
      – Exceptions: public health, research, treatment, sale/merger of CE, $$$ paid by CE to BA for services
      – This could significantly impede business transactions to share/aggregate health data.
  • What Does the HITECH Act Mean?
    • Patient/Consumer Rights:
      – Greater liquidity of health data. Right to “electronic copy” of your health information and to have electronic copy transferred to others.
      – Expands “accounting for disclosure requirements” for CE using EHRs (accounting for TPO for 3-year period).
      – Individual now has right to require CE to protect PHI and not disclose for payment/health care operations if consumer paid cash for service.
      – Requirement for consent to use/disclose PHI will be studied.
  • What Does the HITECH Act Mean?
    • Enforcement Changes:
      – Increased civil money penalties (tiered: $100 to $1.5M)
      – Criminal penalties extended to employees of CE and others
      – Expands enforcement to state AGs to bring actions
      – HHS to develop process to distribute percentage of penalty to harmed individuals (3rd party right of action?)
  • Federal and/or State Oversight
    • Complex and conflicting health care laws. Barriers to compliance and business practices.
    • Examples for health care:
      – HIPAA (no federal preemption; state by state legal and regulatory barriers)
      – Unique state licensure laws
      – Breach notification laws (differ by state and now federal)
    • How does ARRA change the policy/legal landscape?
  • Ownership of Health Information
    • Old adage: Possession is nine-tenths of the law.
    • Physical possession = ownership/legal control. Bundle of Rights: right to use, dispose and exclude others.
    • Traditional state law: providers own medical records which they maintain – subject to patient’s rights to access/copy records.
    • HIPAA added rights: corrections, accounting, confidentiality
    • Today: Who owns? Patient/consumer? Provider? Insurer? Technology company? Government?
  • Ownership of Health Information
    • Battle for ownership/legal control. EHR vs. PHR
    • The impact of social media and web/health 2.0 on legal/policy question?
    • Facebook Terms of Service:
      – Who owns the data? Members vs. Facebook
      – You share and grant FB a license to share with others. Is this license permanent? What happens to data you share with others? How does FB value ($$$) data?
      – 175M users (6th largest country) and many voiced concern about TOS change
      – Will this be precedent for health information, PHR vendors and Health 2.0 companies?
    • Does the HITECH Act shift the balance on ownership?
  • WEB/HEALTH 2.0
    • THEN | NOW
    • Author-Generated | Dynamic and User-Generated
    • Controlled message | Mental chatter & wisdom of crowd
    • Read | Read, write and collaborate
    • Silo Intelligence | Collective Intelligence
    • Static Web | Participatory Web
    • Organization Driven | Community Driven
    • Search/Retrieval | Creation/Discussion
    • Software Release | Software as Service
    • Desktop Computing | Cloud Computing
    • Central data | Decentralized data
    • World Wide Web | World Live Web
  • HOW IS HEALTH 2.0 IMPACTING CONSUMER DRIVEN CARE?
    • Health 1.0 | Health 2.0
    • Opaque System | Transparency
    • Passive Patient | Engaged Consumer
    • Physician Authority | Physician Advisor
    • Insurance Adversary | Health Plan Advocate
    • System-Generated | User-Generated
    • Health Care | Health and Wellness
  • Consumer Driven Care and Social Media
    • Traditionally law/policy is slow and reactive.
    • Social media and web/health 2.0 is changing the way we create, interpret and enforce laws.
    • Example: ARRA Wiki. New way to dissect and understand laws.
    • Social media is changing the privacy benchmark.
    • Health technology will be in constant beta (disruption) for the next 10 years. How can policy/law become more proactive?
  • Robert L. Coffield
    Flaherty, Sensabaugh & Bonasso, PLLC
    Charleston, West Virginia
    Health Care Law Blog: http://healthcarebloglaw.blogspot.com
    Email: RCoffield@fsblaw.com
    Twitter: @bobcoffield