Leveraging Big Data in Healthcare: Navigating HIPAA, Antitrust, - - PowerPoint PPT Presentation


Presenting a live 90-minute webinar with interactive Q&A Leveraging Big Data in Healthcare: Navigating HIPAA, Antitrust, Stark and AKS Compliance and Security Issues THURSDAY, MAY 21, 2015 1pm Eastern | 12pm Central | 11am Mountain


SLIDE 1

Leveraging Big Data in Healthcare: Navigating HIPAA, Antitrust, Stark and AKS Compliance and Security Issues

Presenting a live 90-minute webinar with interactive Q&A

THURSDAY, MAY 21, 2015
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

Today’s faculty features:

− Adria Warren, Partner, Foley & Lardner, Boston
− Chanley T. Howell, Partner, Foley & Lardner, Jacksonville, Fla.
− Sara J.B. English, CIPP/US, Partner, Kutak Rock LLP, Omaha, Neb.

The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.

SLIDE 2

Tips for Optimal Quality

Sound Quality: If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection. If the sound quality is not satisfactory, you may listen via the phone: dial 1-866-927-5568 and enter your PIN when prompted. Otherwise, please send us a chat or e-mail sound@straffordpub.com immediately so we can address the problem. If you dialed in and have any difficulties during the call, press *0 for assistance.

Viewing Quality: To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again.

FOR LIVE EVENT ONLY

SLIDE 3

Continuing Education Credits

For CLE purposes, please let us know how many people are listening at your location by completing each of the following steps:

− In the chat box, type (1) your company name and (2) the number of attendees at your location
− Click the SEND button beside the box

In order for us to process your CLE, you must confirm your participation by completing and submitting an Official Record of Attendance (CLE Form) to Strafford within 10 days following the program. The CLE form is included in your dial-in instructions email and in a thank-you email that you will receive at the end of this program. Strafford will send your CLE credit confirmation within approximately 30 days of receiving the completed CLE form. For additional information about CLE credit processing call us at 1-800-926-7926 ext. 35.

FOR LIVE EVENT ONLY

SLIDE 4

Program Materials

If you have not printed the conference materials for this program, please complete the following steps:

− Click on the ^ symbol next to “Conference Materials” in the middle of the left-hand column on your screen.
− Click on the tab labeled “Handouts” that appears, and there you will see a PDF of the slides for today's program.
− Double click on the PDF and a separate page will open.
− Print the slides by clicking on the printer icon.

FOR LIVE EVENT ONLY

SLIDE 5

Leveraging Big Data in Health care:

Navigating HIPAA, Antitrust, Stark and AKS Compliance

May 21, 2015

Sara English

Partner Kutak Rock LLP

sara.english@kutakrock.com

Chanley T. Howell

Partner Foley & Lardner

chowell@foley.com

Adria Warren

Partner Foley & Lardner

awarren@foley.com

SLIDE 6

Introduction to Big Data in Health Care

− Improved Technologies (data storage, data mining, data sharing)
− U.S. Government Initiatives and Public/Private Opportunities (NIH’s “BD2K”)
− Enhanced Infrastructure and Capacity (EMRs)
− Expanding Health Care Operation Functions (data analytics)
− Proliferation of Web-based Technologies and Mobile Devices

“Big Data”

$$$$$$$$

???????

Legal Considerations – Privacy and Security Laws and Regulations

Technical, Institutional, Operational Challenges

SLIDE 7

Introduction to Big Data in Health Care

Older people were less inclined to share anonymized health data, an NPR-Truven Health Analytics poll found.

Source: Poll: Most Americans Would Share Health Data for Research – Scott Hensley (Shots – Health News: NPR), January 9, 2015. Available at: http://www.npr.org/blogs/health/2015/01/09/375621393/poll-most-americans-would-share-health-data-for-research

SLIDE 8

Risk/Reward

►Quality and nature of the risks and rewards are different than in other industries:

− Patient outcomes are at stake.
− PHI is always in scope at some stage.
− There are ethical and policy considerations.

►It is important to get it right.

− Collection and use of Big Data is ubiquitous—and everyone is paying attention.
− Failures are costly—violation of multiple legal regimes.

SLIDE 9

Risk/Reward

►Strategic and technical challenges —

− Inherent to the “V’s” of Big Data: Volume, Variety, Velocity, Veracity

►Specifically, collecting quality data that comes from reliable methods.
►Complying with all requirements that attach to the data.
►Maintaining a consistent institutional program.

SLIDE 10

Capstone: HIPAA

►Health Insurance Portability and Accountability Act (“HIPAA”):

− Touches all aspects of most health care data.
− Covered Entities and their Business Associates.

►Governs the use of PHI and establishes frameworks for nearly each step in the process.

SLIDE 11

Capstone: HIPAA

Protected Health Information is broad.

− The definition is based on IIHI:

“Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and: (1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) That identifies the individual; or (ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.”

SLIDE 12

Capstone: HIPAA

►Generally, PHI may be used by the covered entity for:

− Payment
− Treatment
− Health Care Operations

►Consent is not required for these three areas, but is frequently sought.
►Uses of PHI outside of these categories require a written authorization (permission) from the patient.
►Consent ≠ Authorization.

SLIDE 13

State v. Federal Laws

HIPAA provides a federal “floor” of privacy protections—and states are free to impose more stringent protections should they deem it appropriate. (See 45 C.F.R. § 160.203).

SLIDE 14

State Privacy & Security Laws: A Patchwork Quilt

50-State Survey – Disclaimer

The survey was designed to provide an overview of applicable state law, limited to select state statutes. State administrative regulations, attorney general opinions, licensure board opinions, and court decisions may impact a state’s privacy regime. In that regard, the survey should be used for reference purposes only and not relied on as legal advice.

SLIDE 15

State Privacy & Security Laws: A Patchwork Quilt

States that have worked to harmonize their regimes with HIPAA—where compliance with HIPAA may constitute “deemed compliance” under equivalent state law—include:

− Hawaii
− Iowa
− Kansas
− Missouri
− Ohio
− West Virginia

SLIDE 16

State Privacy & Security Laws: A Patchwork Quilt

States with relatively comprehensive, broad or stringent privacy regimes:

− California (Cal. Civ. Code § 56.10)
− Florida (Fla. Stat. § 381.026)
− Illinois (410 Ill. Comp. Stat. § 50/3)
− Maine (Me. Rev. Stat. Ann. tit. 22, § 1711-C)
− Massachusetts (111 Mass. Gen. Laws ch. 70E)
− New Hampshire (N.H. Rev. Stat. Ann. § 151:21)
− Tennessee (Tenn. Code Ann. § 63-2-101)
− Vermont (Vt. Stat. Ann. tit. 18, §§ 1852-1854)

SLIDE 17

State Privacy & Security Laws: A Patchwork Quilt

“Patient Bill of Rights”

− Florida: “Every patient who is provided health care services retains certain rights to privacy, which must be respected without regard to the patient’s economic status or source of payment for his or her care.” (Fla. Stat. § 381.026)
− Massachusetts: “Every patient or resident of a facility shall have the right . . . to confidentiality of all records and communications to the extent provided by law.” (111 Mass. Gen. Laws ch. 70E)

SLIDE 18

State Privacy & Security Laws: A Patchwork Quilt

Expansive Privacy Protections

HIPAA (45 C.F.R. 160.103)

− “Protected Health Information” includes individually identifiable health information that (1) is created or received by covered entities, (2) relates to past, present or future physical or mental health or condition . . . provision of healthcare . . . or payment for care and (3) identifies the individual, or with which there is reasonable basis to believe the information can be used to identify the individual.

California Medical Information Act (Cal. Civ. Code §§ 56.10, 56.06 (2013))

− “Medical information” means any individually identifiable information . . . in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient’s medical history, mental or physical condition, or treatment.
− Any business organized for the purpose of maintaining medical information in order to make the information available . . . shall be deemed a provider of health care.

SLIDE 19

State Privacy & Security Laws: A Patchwork Quilt

Restrictions may apply to specific persons/entities, e.g., providers/other licensed professionals, hospitals, insurers, managed care organizations or health maintenance organizations.

− Example: Oregon (Or. Rev. Stat. § 746.665) restricts an insurer’s ability to disclose medical information about an individual collected or received in connection with an insurance transaction without that person’s written authorization.

SLIDE 20

State Privacy & Security Laws: A Patchwork Quilt

Most states also protect designated categories of “sensitive” data—e.g., mental health, genetic information, substance abuse, communicable diseases (HIV/AIDS).

− Example (mental health): “Unless waived by express and informed consent . . . the confidential status of the clinical record shall not be lost by either authorized or unauthorized disclosure.” Fla. Stat. § 394.4615.

SLIDE 21

Examples of Non-HIPAA

− Google Flu
− Target Pregnancy Predictor

SLIDE 22

Examples of Non-HIPAA

PHI Exceptions

− Education Records
− Employment Records
− Deceased > 50 Years
− Personal Health Records
− Mobile Devices / Web

SLIDE 23

Legal Considerations (other than HIPAA)

►Family Educational Rights and Privacy Act (“FERPA”)
►FTC
►Privacy Policies
►Contractual

SLIDE 24

Legal Considerations (other than HIPAA)

− Privacy Act of 1974 (Federal Agencies)
− Clinical Laboratory Improvements Act (Labs)
− Children’s Online Privacy Protection Act of 1998 (COPPA)
− Gramm-Leach-Bliley Act and ERISA (Health Plans)
− Federal Substance Abuse Records Statutes

SLIDE 25

Legal Considerations (other than HIPAA)

FTC v. PaymentsMD

− Patient portal deceived consumers – consent
− Health information = sensitive

SLIDE 26

Additional Considerations – AKS & Stark

Anti-Kickback Statute

− Generally, prohibits offering, paying, soliciting or receiving anything of value to induce or reward referrals or generate federal health care program business.

Stark Law

− Prohibits a physician from referring Medicare patients for designated health services to an entity with which the physician (or an immediate family member) has a financial relationship, unless an exception applies.
− Prohibits the designated health services entity from submitting claims to Medicare for those services resulting from a prohibited referral.

SLIDE 27

Additional Considerations – Antitrust

►“Coopetition”
►Manage Risk:

− Competitively sensitive data?
  • Economic information
  • Cost
  • Volume

− Competitive effect?
  • Criteria for accessing data
  • Inclusive/exclusive

►Test = Rule of Reason

SLIDE 28

Security

Increases in Health Care Data Breaches

− Criminal attacks increased by 125%
− Past 2 years – 91% of health care organizations had at least 1 breach
− 39% reported 2 to 5 breaches
− 40% reported more than 5 breaches

Source: Ponemon Institute, Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data

SLIDE 29

Security

Sources of Health Care Data Breaches

− Criminal attacks – 45%
− Lost or stolen laptops / devices – 43%
− Employee mistakes – 40%
− Malicious insiders – 12%

Source: Ponemon Institute, Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data

SLIDE 30

Security

SLIDE 31

Security

SLIDE 32

Security

SLIDE 33

Security

SLIDE 34

Contractual Limitations – Business Associates

►Business Associates: third parties that have access to, create or receive “Protected Health Information”

− To perform or assist in the performance of a function on behalf of the Covered Entity: utilization review, quality assurance, billing, practice management
− To provide legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation or financial services

►A Covered Entity can be a Business Associate of another Covered Entity.
►A Subcontractor would be defined as a Business Associate.

SLIDE 35

Contractual Limitations – Business Associates

►Business Associates are directly subject to applicable HIPAA regulations and to civil penalties for violations (regardless of whether a BAA was executed).
►Business Associates are subject to the Security Rule.
►Business Associates are directly subject to certain Privacy Rule provisions:

− Use and disclose PHI in accordance with the Business Associate Agreement or the Privacy Rule.
− Disclose PHI for compliance purposes.
− Provide individual access to PHI.
− Comply with the minimum necessary standard.
− Enter into Business Associate Agreements with Subcontractors.

SLIDE 36

Contractual Limitations – Business Associates

The Omnibus Final Rule effectively made a Covered Entity or Business Associate strictly/vicariously liable for violations by its agent.

− The most important criterion is the right to exercise control over the Business Associate.
− In drafting a BAA, consider the trade-off between the need to control the Business Associate and the liability associated with such control.

SLIDE 37

Case Study - 1

ABC Health System and its owned hospitals and clinics are an OHCA. ABC wants to hire Aggregate4U, an analytics company, to mine its databases and electronic health records for various purposes.

SLIDE 38

Case Study - 1

− Treatment, Payment, Health Care Operations
− Ethics: Predictive Analytics
− Other uses?

SLIDE 39

Case Study - 2

ABC uses XYZ Medical Management, a world-class EHR system. ABC’s deployment of XYZ’s solution (Giant EHR) is managed as a shared electronic health system environment. All OHCA participants use it, and ABC resells/sublicenses Giant EHR to community clinics and small hospitals who are not members of the OHCA. ABC wants to assure that the shared Giant EHR participants are also participating in the regional HIE, AnyStateHealth. ABC wants all the shared Giant EHR participants to send records to, and participate in, an oncology database.

SLIDE 40

Case Study - 2

►Stark and AKS (Shared EHR)
►What limitations?

− Legal
− Authorizations
− Can this be segmented?

►Database participation
►Antitrust considerations

SLIDE 41

Case Study - 3

RST Oncology Specialists is a physician-owned clinic that participates in ABC’s shared Giant EMR. The owners of RST, including Dr. Bill, are all non-employed staff physicians at several ABC hospitals. In order to achieve meaningful use, and to report on a number of other quality initiatives, Dr. Bill needs ABC to help him extract a significant amount of information from his patient files.

SLIDE 42

Case Study - 3

►Meaningful Use

− Requires greater interoperability and data sharing.
− More opportunities and incentives to move beyond “using” the EHR for day-to-day work.

►Extraction Assistance, Consulting, Reporting Tools, Etc.?

− Fair market value.
− If applicable, are these permissible donations?

SLIDE 43

Case Study - 3

Stark

− Electronic health records items and services exclusion (the 85% rule).
  • “Nonmonetary remuneration (consisting of items and services in the form of software or information technology and training services) necessary and used predominantly to create, maintain, transmit or receive electronic health records . . . .”
− Stark identifies certain types of remuneration which, if provided, would not create a compensation arrangement subject to the physician self-referral prohibition. Such remuneration includes the provision of items, devices or supplies that are used solely to order or communicate the results of tests or procedures for such entity.

SLIDE 44

Case Study - 4

ABC and its OHCA participants are exploring more effective ways to support research, both through organizing ongoing internal research programs and potentially supporting external research conducted by third parties.

SLIDE 45

Case Study - 4

Authorization/Consent

De-Identified Data

− No subject authorization or consent required
− Unlimited uses and disclosures permitted

Limited Data Set (with Data Use Agreement)

− No subject authorization or consent required
− Only includes a few more elements than de-identified data. Limited?

Institutional Review Board (IRB) or Privacy Board Waiver of Authorization

− No subject authorization or consent required
− Approval may not be available in cases where it is feasible to request authorization

SLIDE 46

Case Study - 4

Sample State Provisions Governing Disclosure/Use of PHI in Research

Statutory Construct: Research – De-identified data
− Provision: Permissive disclosure in connection with use in actuarial or research studies, provided: (A) no individual is identified; (B) materials in which the individual may be identified are returned or destroyed; and (C) the organization agrees not to further disclose the information.
− State/Citation: Conn. Gen. Stat. § 38a-988 (2012) (applicable to insurance institutions, agents and insurance-support organizations)
− Similar States: Connecticut, Florida, Illinois, Massachusetts, Minnesota, New Jersey, North Carolina, Tennessee, Wisconsin

Statutory Construct: Research – Waiver of authorization (privacy board)
− Provision: PHI may be disclosed for research, with approval or waiver of the applicable privacy board in accordance with HIPAA, subject to a finding of (1) no more than a minimal risk to privacy of individuals, based on, at least, an adequate plan to protect the identifiers from improper use and disclosure, to destroy the identifiers at the earliest opportunity, and adequate written assurances that the protected health information will not be reused or further disclosed except as permitted; (2) the research could not practicably be conducted without the waiver or alteration; and (3) the research could not practicably be conducted without access to and use of the protected health information.
− State/Citation: Del. Code tit. 16, § 1212
− Similar States: California, Delaware, Maine, Maryland, Washington, Wyoming

SLIDE 47

Case Study - 5

ABC Hospital would like to use its patient information for marketing purposes. It would like to know what information it can use, how it can use it, and when specific patient authorization is required and not required.

SLIDE 48

Case Study - 5

Use of PHI for marketing requires authorization

− Communications about health-related products or services that encourage purchase (third party)
− Financial remuneration: payments in exchange for making marketing communications
− Authorization not required – products and services of the Covered Entity

SLIDE 49

Case Study - 5

HIPAA Omnibus Rule 2013

− Previous exception for treatment-related marketing communications
− Previously opt-out rather than opt-in
− Now opt-in – express written authorization
− Authorization must disclose remuneration

SLIDE 50

Case Study - 5

Exceptions

− Refill reminders
− Other communications about prescriptions
− Remuneration must be reasonably related to the cost of the communication

SLIDE 51

Case Study - 5

Exceptions

− Face-to-face communications (even if remuneration or a promotional gift of nominal value is involved)
− Telephone is NOT face-to-face
− Communications promoting health that do not promote a particular provider
− Communications about government-sponsored programs

SLIDE 52

Case Study - 5

Sale of PHI

− CE or BA receives remuneration
− Not limited to financial remuneration
− Not just “sale”: access, licenses and leases

SLIDE 53

Case Study - 5

Exceptions

− Remuneration – reasonable cost
− Research – reasonable cost
− Treatment and payment
− M&A activity

SLIDE 54

Case Study - 5

Exceptions

− Business Associates
− Disclosures to patients
− Payments from grants: research
− Exchange of PHI through HIEs

SLIDE 55

Case Study - 6

XYZ Medical Management has access to a significant amount of health information as a world-class EHR. Although it has been in business for several years, it is just starting to explore opportunities to leverage all this data for other business uses.

SLIDE 56

Case Study - 6

Industry Solutions – Business Associate Agreements

Business Associate Agreements should provide:

− Express authorization to aggregate PHI for health care operations purposes
− Permission for the Business Associate to de-identify PHI
− Exclusion of de-identified data from any provisions related to the Covered Entity’s ownership of the data

SLIDE 57

Case Study - 6

De-Identification

− Safe Harbor
− Expert Determination

SLIDE 58

Case Study - 6

Sample Business Associate Agreement Provision – De-Identified Information (“BA friendly”)

“Business Associate may de-identify any and all Protected Health Information created or received by Business Associate under this Agreement; provided, however, that the de-identification conforms to the requirements of the [HIPAA Rules]. Such resulting de-identified information would not be subject to the terms of this Agreement.”

SLIDE 59

Case Study - 7

− Dr. Jones, a primary care physician, is in negotiations to sell her practice to the local community hospital.
− Dr. Jones believes that the practice’s patient records have significant value and she would like to negotiate a higher price on that basis. The parties are also starting due diligence, and Dr. Jones would like to have a compliant process from a privacy perspective.

SLIDE 60

Case Study - 7

Industry Solutions – Mergers and Acquisitions

Anti-Kickback Considerations:

− Payments for intangibles are particularly suspect and may be subject to scrutiny
− This includes patient records
− Valuation methodologies to take into consideration

SLIDE 61

Case Study - 7

Due Diligence

“Healthcare Operations” is defined to include any of the following activities of the covered entity to the extent that the activities are related to covered functions:

− Business management and general administrative activities of the entity, including, but not limited to . . . (iv) The sale, transfer, merger, or consolidation of all or part of the covered entity with another covered entity, or an entity that following such activity will become a covered entity and due diligence related to such activity. 45 C.F.R. 164.501

SLIDE 62

Additional Case Studies

− ABC terminates its relationship with Aggregate4U in favor of launching a homegrown internal data warehouse system for ABC and its OHCA. Its CISO, Privacy Officer, and HIM director are arguing over logging requirements.
− AnyState Health, the HIE, would like to facilitate the sharing of PHI among health care providers but is concerned about verifying the identity of users (providers and patients) on the front end and, after the users have been initially verified, authenticating the users when they log in to the HIE.

SLIDE 63

Summary

►Step through the process.

− From where does the data originate?
− Who owns it?
− Who processes it?
− Who are the data subjects?

►What legal regime(s) apply?
►Develop a program.

SLIDE 64

Summary

− Be aware of applicable federal and state requirements; tailor privacy policies as applicable.
− Designate people responsible for security in the organization.
− Conduct security training for employees.
− Take reasonable steps to ensure vendors/service providers protect data.
− Consider minimizing data collection.
− De-identify where possible.
− Conduct a privacy or security risk assessment initially, and periodically thereafter.
− Consider encryption.