Despite the lack of final business associate rules, and confusion or not, Minnesota has dived head first into action against a business associate for HIPAA violations.  In the first HIPAA enforcement action directly against a business associate, Minnesota Attorney General Lori Swanson has brought an action against Accretive Health, Inc., pursuant to her authority under HITECH.  In addition, multiple violations of Minnesota law are alleged, including the Minnesota Health Records Act, debt collection statutes, and consumer protection laws.

Accretive functions in multiple capacities for covered entities in Minnesota, including as treatment coordinator, debt collector and quality cost control and management partner.  A breach last summer of data compiled by Accretive resulting from a stolen unencrypted laptop left in a rental car by an employee affected at least 23,531 patients.  Information that was on the laptop included personal identifying information (name, address, phone number, Social Security Number), "medical scores" predicting the frailty, complexity and likelihood a patient would be admitted to the hospital, and dollar amounts allocated to the patient's health care provider, as well as whether patients had certain conditions such as bipolar disorder, depression, high blood pressure, asthma and back pain.

The HIPAA violations are quite extensive, with the complaint alleging:

• failure to implement policies and procedures to prevent, detect, contain and correct security violations;
• failure to implement policies and procedures to ensure appropriate access to electronic PHI by members of its workforce and prevent those without authorized access from accessing such PHI in violation of HIPAA;
• failure to effectively train all members of its workforce, agents and independent contractors, on the policies and procedures regarding PHI as necessary and appropriate to carry out their functions and maintain security of the PHI;
• failure to identify and respond to suspected or known security incidents and mitigate to the extent practiable harmful effects known to them;
• failure to implement policies and procedures to limit physical access;
• faiilure to implement policies and procedures governing receipt and removal of hardware and electronic media containing electronic PHI within and without the facility;
• failure to implement technical policies and procedures for electronic information systems to allow access only to those granted access rights; and
• failure to implement policies and procedures as otherwise required by HIPAA.

Almost more interesting than the alleged HIPAA violations (and what could potentially have been one of the driving forces behind the Attorney General taking action rather than the HIPAA violations), the complaint also alleges deceptive and fraudulent practices in that Accretive failed to disclose how much health information it was collecting on patients and its involvement in their health care, detailing in great length the importance of transparency for patients and the doctor-patient relationship.  In the press release, Attorney General Swanson stated,

“Accretive showcases its activities to Wall Street investors but hides them from Minnesota patients.  Hospital patients should have at least the same amount of information about Accretive’s extensive role in their health care that Wall Street investors do.”

This action has the potential to set precedent in Minnesota as to just how much transparency and information should be viewed as "necessary" for patients to make informed choices regarding their health care and medical records and the extent to which health care entities must take affirmative action to notify patients of their role in their health care.   

Although the extensive HIPAA violations are merely one drop in the bucket of allegations against Accretive (e.g., fraud and deceptive practices, failure to notify of status as debt collector, release of health records in violation of the Minnesota Health Records Act), the enforcement action against Accretive makes it quite clear that covered entities aren't the only ones who need to be scrambling to get their ducks in a row.  While other state Attorney Generals have previously brought actions against covered entities (e.g., Vermont, Indiana, Connecticut), now that a state has gone after a business associate directly, it would not come as a surprise to see other states joining in, even despite the lack of business associate rules.

For more information regarding what covered entities and business associates can do to prepare for a HIPAA audit or ward off the potential for enforcement action against them, see our November 17 blog post with links to additional HIPAA resources.  A copy of the complaint against Accretive may also be found here.

Filed in mid-December, the UCLA class-action seeks as much as $16 million, asking $1,000 for each member as well as attorneys fees and other costs. The underlying data breach is hardly the first headache UCLA has had to dealt with, as UCLA paid a handsome $865,500 fine to OCR and developed a plan of corrective action this summer to settle privacy allegations that three UCLA hospitals improperly disclosed the medical records of celebrity patients as a result of employee snooping.

Several other health care entities in California have also recently had class-action lawsuits filed against them recently.  Stanford Hospital and Clinics (SHC) experienced a data breach in August of 2011 when patient information was mistakenly made available online by one of its third-party vendors and its subcontractor.  Patient names, admittance and discharge dates, and other information remained available on a commercial website for over one year, affecting approximately 20,000 patients.  The class-action lawsuit was filed in October of 2011 and alleges negligence in safeguarding patient information and delays in notifying affected patients.

Sutter Health experienced a data breach in October of 2011 when a rock was thrown into the window of the Sutter Medical Foundation business office. An unencrypted computer was stolen containing names, addresses, birthdates, phone numbers, medical diagnoses and procedures of over 4 million patients.  The class-action lawsuit against Sutter Health was filed in late November on behalf of over 900,000 patients, according to KCRA, and seeks certification of class-action status for the 4+ million patients affected. 

Notably, HIPAA does not authorize private causes of action for violations of the HIPAA Privacy and Security Rules.  The class-action lawsuits were brought under California's confidentiality laws, which, like HIPAA, set forth permissible and prohibited disclosures of patient medical information. 

The California Confidentiality of Medical Information Act gives individuals the right to bring a cause of action for negligent releases of their confidential information or records.  it also grants compensatory and punitive damages, as well as certain attorney fees, to individuals who have suffered economic loss or personal injury from a violation of their confidentiality. In addition, persons and entities face stiff administrative penalties for violations of patient information up to $2,500 per violation for negligent disclosures and $10,000-$25,000 for subsequent violations.

A private aircraft pilot since 1964, the plaintiff, Stanmore Cooper, was diagnosed with HIV in 1985. Although required to disclose the illness and any medications being taken on his "airman medical certificate," a continuing certification requirement required by the FAA for any pilot to legally operate an aircraft, Cooper chose to let his certificate lapse because he would not be permitted to fly if he disclosed his illness.  In 1994, he again submitted the application, choosing not disclose his HIV status.  For ten years, he continued to renew the application, intentionally omitting his HIV status. 

However, Cooper's information was exchanged between the Social Security Administration (SSA) and the FAA as a result of a collaboration between agencies that sought to uncover illicit efforts by pilots to obtain FAA licenses although medically "unfit." This exchange occurred without his authorization.  Cooper had provided information regarding his HIV status to the SSA in his application for long-term disability benefits.   Cooper was eventually indited on three counts of submitting false statements to the government and lost his pilot's license.

Cooper sued in 2007 alleging that the federal government had "willfully and intentionally" violated the Privacy Act and caused him “to suffer humiliation, embarrassment, mental anguish, fear of social ostracism, and other severe emotional distress.”  The Southern District of California, where the plaintiff's case was originally brought, admitted that the federal government had violated the Privacy Act, but found that regardless, Cooper had not demonstrated the "actual damages" required by the Act.  The Ninth Circuit on appeal reversed, finding mental or emotional distress was sufficient, "given the nature of the injuries that most frequently flow from privacy violations...."

The Supreme Court accepted the government's petition for certiorari in June of 2011. A key issue expected to be tackled by the Supreme Court, according to the prestigious ScotusBlog, is whether the Privacy Act was intended to broadly protect privacy rights against the government's more limited interpretation, an important step for understanding the nature of privacy injuries and privacy law generally.

If the Supreme Court sides with the government, this would not only limit damages to pecuniary ones, but potentially also deter whistleblowers as well as potentially have a negative impact on privacy law in general.  A decision will not be made until spring of next year. For a more in-depth explanation of the issues involved and an overview of tomorrow's Oral Arguments, visit ScotusBlog, or generally, CNN.com.      

Justice Kennedy, writing for the 6-3 majority, held that the Vermont law was an unconstitutional content-based restriction on First-Amendment protected expression. The majority asserted that speech restraint of this kind must be subject to strict judicial scrutiny. Kennedy concludes that the Vermont law fails this test because, in seeking to advance its goal of lowering health care costs and promoting public health, it restrict “certain expression by certain speakers.”

Justice Breyer, in his dissent, argued that the Vermont law only modestly affects expression, by depriving “pharmaceutical and data-mining companies of data… that could help pharmaceutical companies create better sales messages.”

The dissenting justices contend that these messages are commercial speech, and that government regulation of commercial speech has not been subjected to the heightened judicial scrutiny employed by the majority. In this light, Justice Breyer concludes that the statute permissibly regulates commercial activity. The Court’s dissent also raised concerns over long-term precedential trouble created by the majority’s decision. Justice Breyer states that, “at best the court opens a Pandora’s Box of First Amendment challenges to many ordinary regulatory practices that may only incidentally affect a commercial message… [and] at worst, it reawakens Lochner’s pre-New Deal threat of substituting judicial for democratic decision-making where ordinary economic regulation is at issue.”

For some, the Court's decision is a huge disappointment, but others will undoubtedly welcome the Court's decision as the correct outcome.  In my previous post about this case, I included the in depth analysis of Sorrell vs. IMS prepared by the Centers for Democracy and Technology (CDT).  There, CDT pointed out, among other things, that:

The first thing to recognize about the data at issue is that it contains doctorsʼ names but it does not contain patient names. The data is [']patient de-identified['] pursuant to standards established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA already prohibits the use of patient-identified data for marketing to patients or to doctors. Vermont went one step further and said that even patient de-identified data cannot be used to market drugs to doctors.

CDT also pointed out it its analysis:

[i]f the Supreme Court were to accept some of the privacy claims, it could do damage to privacy by discouraging use of de-identified data. And claims that doctors have a privacy right in their drug prescribing practices could upset a host of policy goals associated with improving the efficiency and safety of the health care system.

Finally, the CDT memo points out:

The behavior of physicians and other health care professionals is routinely scrutinized by federal and state regulators, accrediting organizations, licensing boards, and health care plans, among others. A broadly recognized privacy interest in prescriber-identifiable data could have implications for multiple important issues, including quality measurement and public reporting, as well as comparative effectiveness research, which are critical to reform of our health care system. If the Court were to agree that prescriberrecords need to be protected like corporate “tradesecrets” or that there is no role for outside review of physician decision making, important reform activities that depend on access to and use of prescriber identified data could be impaired or prohibited.

Clearly, the U.S. Supreme Court agreed.

• breach of confidentiality
• negligence
• invasion of privacy by intrusion on seclusion
• invasion of privacy by unreasonable publicity of private life

The lawsuit, Tabata v. Charleston Area Medical Center, stems from the availability of a database containing patient names, social security numbers, medical information and demographic information on the Internet.  A family member of a patient had found the information while searching the web.

Although the database was created in September of 2010 by a third party for patient case management in a research subsidiary of the hospital, the fact that it had inadvertently been made publically available went unnoticed until February 2011.  However, the hospital acted quickly upon being made aware of the breach and promptly notified all potentially affected patients within 8 days.

The hospital had originally offered to pay for one year of credit monitoring as well as an immediate credit freeze at the three credit bureaus for all affected patients.  Free credit reports were also made available to affected patients through the West Virginia Attorney General's Office.  In addition, after discussion with the Attorney General's Office, the hospital hired a risk management group to conduct a security assessment and undertook a number of other measures to protect against further breaches.

The patients seek as part of the damages for the hospital to extend additional credit and identify protection and monitoring services.  They also ask the court to require that the hospital establish a specific security program as well as award monetary damages for annoyance, embarrassment and emotional distress, and for the lack of security and violation of their privacy.

Although it is unclear yet what repercussions the hospital may face from the Department of Health and Human Services for the breach, the breach and accompanying lawsuit highlight the importance of monitoring business associates who have access to PHI and the resulting work product.  In addition, frequent and periodic security assessments are crucial to identifying issues before an incident or breach occurs.  A robust and proactive security assessment coupled with a strong information security program will go a long way towards effectively safeguarding patient electronic PHI as well as cutting costs associated with incident-response. 

The Center for Democracy and Technology (CDT) has recently taken a closer look at the privacy issues presented in the Sorrell case, and has prepared an excellent memo that "unpacks" and carefully analyzes the legal issues and potential impact the Court's decision could have on current health care policy, and patient privacy in general.  CDT has asked Legal HIE to help get the "word out" regarding the issues presented by Sorrell and covered in the CDT memo, and Legal HIE in turn asks our readers to visit CDT's websiteand review the critical points raised in CDT's Sorrell Memo.  

CDT's blog post on the case and link to the legal memo are also reprinted below: 

A Nuanced Understanding of Privacy

by Brock N. Meeks

March 24, 2011

A case pending before the U.S. Supreme Courthas serious implications for how privacy protections are interpreted.  But understanding the various risks posed in this case requires some careful unpacking of the ways in which "privacy" is—and is not—at issue here.  CDT's Health Privacy Project team has taken a look those risks and published an in-depth memo about its findings.

In this memo CDT focuses on two aspects of the case: First, an explanation of why it is important to recognize the valid distinctions between personally identifiable data and "de-identified" data.  The paper explains that privacy could actually be harmed if the Court were to accept the claims, made in some briefs in the case, that there is no difference between identified and de-identified data.  

The second aspect of the case the paper examines is the claim that doctors have a "privacy" right in their drug prescribing practices.  CDT disagrees and explains here that, while the patient-doctor relationship is based on confidentiality and the trust it generates, it is not useful – and would undermine other health care goals – to speak of doctors as having a "privacy" right in their drug prescribing practices.

The paper concludes by saying:  
 

So in many ways, Sorrell v. IMS Health is not about privacy in the way that defenders of the Vermont law claim.  Yet a broad ruling by the court on de-identified data could have a negative impact on patient privacy.  And a broad statement by the Court on doctor 'privacy' could derail other very timely initiatives. This is not the case, nor is the Supreme Court the institution, to make policy on either set of issues; the parties have offered other viable rationale for the Court to use to decide this case. There needs to be a policy conversation about the viability of the current de-identification standard, but this case needs to preserve the concept that there is a meaningful distinction between identified and de-identified data. It is up to other processes to ensure a continually robust de-identification standard and strict accountability for re-identification.

A full copy of the CDT Sorrell Memo can also be reviewed under "Continue Reading" below. 

For AT&T, its headache began last weekend when it announced its plans to buy T-Mobile for $39 billion, giving it effectively a 40% share of the current wireless market share and raising questions from network coverage to increased quality of service, pricing and competition.  AT&T and T-Mobile predict that the quality of calls would improve, coverage would be expanded, and more individuals would have access to faster wireless data connections as a result of the merger.

In a completely unrelated market and action, Blue Cross Blue Shield health insurance plans in the District of Columbia, Kansas, Missouri, North Carolina, Ohio, South Carolina and West Virginia recently found themselves on the receiving end of a U.S. Department of Justice (DOJ) subpoena.  The subpoenas come as part of a lawsuit filed last year by the DOJ against Blue Cross Blue Shield of Michigan alleging the insurer entered into agreements to raise hospital prices. 

Far from immune, health care providers and other stakeholders looking to form and operate Accountable Care Organizations (ACOs), the AT&T and Blue Cross cases serve as a reminder of the significant risk of antitrust scrutiny that such collaboratives can be subject to.  The development of such ACOs through hospital and physician joint ventures and similar relationships has the potential to create substantial market power and may encourage monopoly and price-fixing activity, thus coming under the watchful eye of the DOJ.  The DOJ and FTC are expected to address this matter soon in joint collaboration with the forthcoming proposed ACO regulations from CMS (see Statement of Sharis A. Pozen, Chief of Staff, Antitrust Division. before the Subcommittee on the Courts and Competition Policy, Concerning Antitrust Enforcement in the Health Care Industry (December 1, 2010)).

To read more, click "Continue Reading" below.

Federal antitrust laws prohibit price-fixing, monopolies and other unlawful restraints on competition.  The Sherman Antitrust Act, the Clayton Antitrust Act and the subsequent substantial case law that has developed, protect competition through strict regulation of price discrimination, monopolies, mergers and acquisitions, products bundling and "tying", exclusive dealings and other anti-competitive practices.  

For mergers and acquisitions, the DOJ and Federal Trade Commission (FTC) generally have the authority to regulate as well as approve (or disapprove) the terms of agreements.  The Federal Communications Commission (FCC) also has limited authority to review certain mergers and acquisitions for telecommunications companies. Both the DOJ and the FTC regulate, monitor and investigate anticompetive practices in the health care and other markets. 

Over time, certain "safe harbors" have been identified by the FTC and DOJ which, if strictly complied with, would give a market participant assurances that its practices would not be subject to antitrust scrutiny.  Of particular importance are the safe harbors for health care which identify certain mergers, acquisitions, joint ventures and other arrangements which will not subject hospitals and providers to antitrust scrutiny.  Although arrangements and agreements which do not fit into a safe harbor are not per se antitrust violations, they have a greater risk of being subject to antitrust scrutiny and as such, health care providers have fewer assurances that they will not be on the hook later on for antitrust violations. 

The Impact on Market Participants

Antitrust law significantly affects how market participants may enter into and conduct certain arrangements and agreements.  Although such arrangements are typically entered into after careful consideration of any antitrust implications, unless the arrangement qualifies under a safe harbor, potential for antitrust scrutiny remains. 

For AT&T, despite the epic proportions of its upcoming battle with the DOJ and the FCC, it must only face antitrust challenges before action is taken, as the proposed merger is subject to approval by the DOJ and FCC before taking place.  However, for Blue Cross and other health care insurers and providers, the antitrust challenges come after the arrangements and agreements have been negotiated and the alleged anticompetitive activities have taken place, putting them potentially on the hook for antitrust violations. 

Although market participants in the health care sector can seek review of proposed arrangements for potential government challenges, review is not guaranteed and the process can be burdensome and time-consuming.  In addition, the review only extends to present intentions and the DOJ or FTC is free to pursue investigation and action in the future. 

The lawsuit against Blue Cross deals with what are termed "most favored nation clauses", contractual provisions which require a hospital to give the insurer the "best rate" or "deepest discount."  These clauses in general will be viewed as permissible unless abused or used in other industries.  However, the investigation in Michigan revealed that Blue Cross did not always demand just the lowest price but rather, it offered to pay hospitals more as long as competing insurers were charged more for health care services.  According to the Michigan attorney general, these exclusionary practices resulted in placing other insurers at a competitive disadvantage and rising prices for consumers.

Expansion of the investigation into other states indicates that these practices may not have been confined to just Michigan, but rather, systematically occuring in other Blue Cross markets across the nation.  A spokesman for the trade group Blue Cross Blue Shield Association stated that the agreements actually saved money for consumers.  

"It's our goal to secure the best health care at the best rates for our members while also ensuring fair compensation to providers."

The DOJ's Watchful Eye

Blue Cross is not the only entity that the DOJ has recently investigated in the health care sector, as is seen by the DOJ's recent settlement with Texas-based United Regional Health Care System for an alleged monopoly over health care services which resulted in higher costs to consumers.  According to the DOJ, United Regional required health insurers with which it contracted to pay significantly higher prices if it contracted with any competing facilities.  In addition to its forthcoming review of the AT&T deal, the DOJ is also negotiating with Google over its acquisition of ITA Software, a travel information software company, to avoid instigation of a lawsuit to block the deal.    

Additionally, there is much cause for concern that the formation and operation of Accountable Care Organizations (ACOs) will have significant antitrust implications.  The development of such ACOs through hospital and physician joint ventures and similar relationships has the potential to create substantial market power and may encourage monopoly and price-fixing activity, thus coming under the watchful eye of the DOJ.  The DOJ and FTC are expected to address this matter soon in joint collaboration with the forthcoming proposed ACO regulations from CMS. 

Now, Strike 3.  Bloomberg News reported recently that CVS has been sued by a Pennsylvania resident, Arthur Steinberg, and the Philadelphia Federation of Teachers Health and Welfare Fund, for selling patient prescription information to pharmaceutical manufacturers such as Merck & Co, AstraZeneca and Bayer.  Allegedly, CVS was paid by pharmaceutical manufacturers to encourage physicians to prescribe their drugs to patients. "CVS encouraged physicians to do so through letters which included patient names, dates of birth and what medications patients were currently prescribed, allegedly obtained from CVS pharmacy services." The lawsuit accuses CVS of unfair trade practices, unjust enrichment and violating consumer protection laws. 

As Cignet Health and Mass General know all too well from the combined $5.3 million in civil penalties imposed recently by OCR, OCR is pursuing HIPAA violations with a vengeance as a result of HITECH's increased enforcement and CVS could potentially face a HIPAA investigation in addition to the pending lawsuits.  HIPAA as amended by HITECH generally prohibits Covered Entities and their Business Associates from marketing and selling PHI without first obtaining patient authorization.  Only under very limited circumstances may patient information be "sold" or released without authorization for such purposes.  Investigation by OCR is even more likely given that CVS has been under OCR's watchful eye since 2009.  In addition, CVS's actions could also potentially violate its 2009 settlement agreement with OCR, placing it in even more hot water. 

As the use of electronic health records (EHRs) and participation in health information exchanges (HIEs) expands, so does their appearance in court.  EHRs are more and more frequently relied upon to produce all or part of a patient’s medical record in response to a discovery request.  Not only do EHRs include files, tests results and clinical notes, but they can also include images such as X-rays, charts, consent forms and other documentation, and handwritten notes.  One might be tempted to think that producing an EHR in response to a subpoena would be a fairly easy feat – the records are all available electronically so simply search the EHR for those particular records and print or save them.  But as those well versed with EHR technology are quite aware, responding to discovery requests where an EHR is involved can be a Herculean task for hospitals with anything but the newest EHR technology. 

When paper was the norm, hospital administrators could sort through and pull out only the requested (and relevant) information from the patient’s paper medical record.  With the adoption of EHR technology, however, this became more problematic because not only was there significantly more data available to sort through in a given EHR, but older EHR technology commonly lacked the capacity to efficiently track, filter and selectively “print” or save the required data.  In addition, many hospitals may still retain legacy systems in addition to their current EHR system and as such, data must be pulled from multiple sources to create a complete record.  The result? Extremely time and resource-consuming efforts to produce information in addition to a multitude of discovery problems and reliability concerns.

For hospitals with EHR systems incapable of filtering or selectively printing data, each screen may have to be printed individually using the "print screen" function.  Once printed, there is also no guarantee that the record will look like it would when viewed live in the EHR.  For example, printing may have to be by all treatment notes, then all progress notes, then medications, then audit trails (which may not even be printable at all).  This can result in boxes and boxes of disorganized information being produced, much of which may make virtually no sense at all.  And to top it off, all of the information may not have even been available to the physician at the point of care.  Because of these problems "printing" out EHRs, all too often are plaintiffs requesting access to the live EHR itself, and courts may also order hospitals to figure out how to produce the data in a computer read-only format.  This could potentially require painstaking collaboration with the vendor itself and IT professionals.   

And then come the problems with interpreting the record in court.  When looking at the traditional paper medical chart versus an EHR, it is clear that the EHR is far more complex and generally tells a different and more clinical story than the one needed for litigation.  For example, it may be commonplace for a physician to turn “off” a flag, promoting the need for an explanation as to why the “flag” was turned off or overridden under the circumstances.  Additionally, certain definitions may mean one thing for purposes of one hospital's EHR but something else for another EHR.  For example, an order "accepted" into the EHR system could mean either it was pending or that it was officially entered and signed off on by the physician.  This discrepancy would have to be explained in court by a knowledgeable member of the hospital's HIM or IT department.  Another problem is that come a plaintiff's day in court, the EHR technology, functions and capabilities may look nothing like when the physician actually had access to the information, making it impossible to reproduce exactly what the physician saw that day(s).  One can only imagine the number of people who would be required to testify as to the system’s capabilities, lags in time between when procedures were actually performed and when they were actually entered into the EHR, current and prior functionalities, and how audit trails did and currently function. 

In addition, hospitals and providers may also have trouble when patients request copies of their medical record in electronic format, as HITECH expanded patient access rights to include such copies where the information is maintained in an EHR.  HITECH requires copies to be produced in an electronic form and format if the individual so chooses.  Even if not readily producible, a hospital would still be required to produce the record in a readable electronic form agreed to by the individual and the hospital.  And if all these concerns aren’t enough to make one’s head spin, when HIEs are thrown into the blender, things get even more complicated.  Putting aside the issues surrounding whether and when an HIE may be properly served with a subpoena for medical records, where an HIE functions with a “centralized” or even a hybrid architecture (meaning it has some key components centralized and others federated), it could also be pulled into litigation along with the individual provider(s) to produce EHRs or related records that it may maintain and control.  With a centralized architecture, the HIE itself stores and controls the data or maintains registries as opposed to the individual providers storing the data and merely pushing or pulling it into and through the HIE.  Even where an HIE functions primarily with a federated architecture (de-centralized), it will have audit trails and other records which could be required during the course of litigation or even for investigation by the Office of Civil Rights (OCR).  

Even though EHR records in general are as accurate as the paper medical record would be, separating that information from its source and producing it in a readable and comprehensive format creates more challenges than many hospital and providers are capable of dealing with currently.  Although certainly EHR technology and HIE capabilities have evolved and continue to evolve rapidly (Meaningful Use, anyone?) to respond to many of these challenges, hospitals and health care providers who have not yet updated their systems, or have only updated parts of their systems, still must deal with these concerns, particularly when involved in litigation.  Developing policies and procedures to deal with discovery requests concerning EHRs is an absolute necessity as well as ensuring key management personnel, such as privacy, health information management (HIM) and information technology (IT) officers, understand exactly how the EHR functions (from audit trails to authentication of users) and what it is capable of producing for litigation and other non-clinical purposes. 

We don't believe this kind of judicial activism will be upheld and we are confident that the Affordable Care Act will ultimately be declared constitutional by the courts.

She characterized the ruling as "well out of the mainstream of judicial opinion," noting that 12 federal judges have dismissed challenges to the law's constitutionality and two--in Michigan and Virginia--have upheld the law.

These companies and others are saying that the main law governing communication privacy — the Electronic Communications Privacy Act of 1986 (ECPA) -- is outdated, and affords more protection to letters in a file cabinet than personal information maintained on a server. The current ECPA does not explicitly afford protections for the vast majority of private content stored on the Internet, allowing law enforcement agencies to obtain a person’s online data with a simple subpoena from a prosecutor. This weak level of protection has created tension between privacy advocates and law enforcement agencies that consider internet data to be a valuable source of crucial information.  In fact, Google, along with other Internet companies such as Verizon, Facebook, and Twitter, have increasingly been targeted by law enfo­rcement for personal data information.

Unlike Twitter, whose policy is to notify users before releasing personal information, most Internet companies are not required to provide users with any notice, and law enforcement officials can even demand that requests be sealed from targets of investigation. Since there are no straightforward standards in the ECPA governing Internet information, courts in different jurisdictions have interpreted them differently and created a piecemeal collection of rules. Under the ECPA, emails can be accessed by the government without a warrant under certain storage conditions or after a certain amount of time has passed.

According to the Center for Democracy and Technology’s (CDT) Digital Due Process coalition, the current rules are inadequate and do not meet the Fourth Amendment’s due process clause. In December 2010, two federal appeals court decisions supported CDT’s stance, ruling that the ECPA standards for government surveillance have not kept up with technological progress and do not meet Constitutional standards. Over the past year, the CDT, along with privacy advocates, legal scholars, and major telecommunications service providers, have developed a set of standards under which they believe the ECPA should be updated. The ACLU has also created proposals designed to simplify, clarify, and strengthen the ECPA:

1. Robustly Protect All Personal Electronic Information. Current loopholes in our privacy laws need to be closed to protect electronic information without regard to its age, whether it is "content" or "transactional" in nature, or whether an online service provider has access to it to deliver services.
2. Safeguard Location Information. The law should require government officials to obtain a warrant based on probable cause before allowing access to location information transmitted through cell phones, which 82% of Americans own.
3. Institute Appropriate Oversight and Reporting Requirements. To ensure adequate oversight by Congress and adequate transparency to the public, existing reporting requirements for wiretap orders must be extended to all types of law enforcement surveillance requests.
4. Require a Suppression Remedy. If a law enforcement official obtains non-electronic information illegally, that information usually can’t be used in a court of law. The same rule, however, doesn’t apply to illegally-obtained electronic information. Such a rule only encourages government overreaching and must be changed to require a judge to bar the use of such unlawfully obtained information in court proceedings.
5. Craft Reasonable Exceptions. Currently ECPA sometimes allows access to the content of communications without a true emergency, without informed consent and without prompt notice to the subject. ECPA must be amended on each of these fronts if electronic records are to receive the protections Americans need.

For now, it is up to Congress to decide whether to not to adopt these proposed updates and negotiate the critical balance between the protection of personal expectation of privacy and the government’s need to protect the public.  However, for RHIOs, HIOs, and software vendors offering PHR and HIE solutions via the internet, the impact of the ECPA should be evaluated as well, particularly with respect to whether data maintained in internet-based HIE repositories may be subject to disclosure pursuant to this federal law.

Prepared with assistance from Melody Hsiou, MPH Columbia University, J.D. expected from Seton Hall Unversity 2013.

As the Court of Appeals noted, data mining companies typically collect aggregate data to determine prescribing patterns and sell the information to pharmaceutical companies which, allegedly without this information, would be prevented from more effective marketing efforts, directing important information to prescribers, tracking disease prevention, and conducting clinical trial programs and post-marketing surveillance programs.  Researchers and insurance companies also use the data generated by data-mining companies, as do state law enforcement and other state agencies, and federal agencies such as the FDA, CDC and DEA.

Noting that the First Amendment protects “even dry information, devoid of advocacy, political relevance, or artistic expression,” the Court of Appeals found the Vermont statute was clearly aimed towards influencing “the supply of information,” central to First Amendment concerns, and that it restricted the data mining companies’ commercial speech.  The Court held that the statute failed to satisfy the intermediate scrutiny test because it did not assert a substantial state interest that was “directly advanced” by the statute nor was it “narrowly tailored” to achieve that interest. 

In doing so, the Court of Appeals rejected the substantial state interests alleged by Vermont - that the restrictions protected the public health and the privacy of prescribers and prescribing information (medical privacy) and the state’s interest in containing health care costs in the private and public sectors.  The Court noted that data-mining and the use of the data generated from such activities was still permitted in other contexts and found the state’s concerns for medical privacy too “speculative” under the circumstances to qualify as a substantial state interest.  Although the Court did agree that Vermont had a substantial interest in lowering health care costs and protecting public health, it found that the statute did not advance these interests in a ”direct and material way.”  The Court also found that the statute was not narrowly tailored and that Vermont had more direct and less restrictive methods available that it failed to utilize that would better serve its asserted interests.

The Vermont decision could have paramount implications for HIEs.  Secondary uses of de-identified information are often touted as a potential solution to the elusive long-term financial sustainability issue faced by all HIEs. The fact that the Second Circuit struck down as "unconstitutional" a state law enacting restrictions on data mining will most certainly give database firms and HIE stakeholders confidence that similar uses of information in other contexts could be similarly protected under the First Amendment.

The text of the court’s full decision may be found at http://courtlistener.com/ca2/VqT/ims-health-inc-v-sorrell/   

Like other breaches under HITECH involving PHI of 500 or more individuals, the AvMed breach is posted on HHS's Web site. However, although the federal government has enforcement jurisdiction over HITECH, there is still no private right that would allow one to sue under HITECH for breaches (although in the future individual may be eligible to collect a percentage of any Civil Monetary Penalties collected and resulting from violation of HIPAA and/or HITECh that result in "harm" to such individual). 

Attorneys attempting to sue for damages resulting from a breach are often hard-pressed to keep their complaint from being tossed, unless they can demonstrate the plaintiff suffered actual harm caused by the breach. However, the attorneys representing the class of plaintiffs in the AvMedcase are commercial litigators, and so it will be interesting to see if they come up with more unique causes of action under consumer protection or other laws, and how this will be tested in court.  Stay tuned...

The ACLU seeks to have the policies declared unenforceable and for the court to order RI-DOH to adopt formal rules addressing the statutory provisions that the ACLU alleges the RI-DOH responded to inadequately. Although the ACLU and its attorney, Frederic Marzilli, recognize the importance of HIEs and why the state approached implementation of the HIE with written policies instead of regulations, such as to better deal with the development and operation of such a new and groundbreaking mechanism, the ACLU’s position remains that the regulatory process must be followed. It argues that the critical privacy issues raised by HIEs require detailed rules as to how the state HIE system will work and protect patient confidentiality, security and informed consent. The State has continued to deny the allegations and is expected to file a motion to dismiss the case.  It remains uncertain whether ACLU will remain in court to fight another day.

For more information regarding the ACLU's specific comments on the Rhode Island's proposed rules, click on "Continue Reading" below

This post was prepared with assistance from Krystyna H. Nowik, Esq.

May 12, 2009

[...]

We have several concerns with these proposed regulations – many of which stem from statutory requirements for regulatory action that are simply not present in the proposed rules. Instead, the proposed regulations, in large part, merely reiterate the language of the statute, without fleshing out the details that the APA regulatory process was expected to address. We urge that more significant work be done on these rules before they are formally adopted.

There are no fewer than seven places within the HIE law that specifically refer to implementation activities to be defined by the Department through the rule-making process. Leaving aside one of them – the creation of an HIE Advisory Commission, about which we express no opinion – the other statutory references are only minimally addressed by the proposed regulations.

We refer specifically to the following (emphasis added):

1. R.I.G.L. § 5-37.7-4(c) “Patients and health care providers shall have the choice to participate in the HIE, as defined by regulations…” Nothing provided within the draft regulations describes a process for making patients or providers aware of the choice, nor how and when the choice is presented to patients. The proposal does not even appear to explicitly address whether this will be an opt-in or opt-out system. Also missing is any procedure to document the informed consent of those agreeing to participate.
2. R.I.G.L. § 5-37.7-5(a) “The director of the department of health shall develop regulations regarding the confidentiality of patient participation…” However, Section 4.0 of the regulations titled “Confidentiality Protections” consists almost exclusively of language mirroring the statute. In light of the significance of the confidentiality issue to the implementation of an HIE, the absence of any clarifying regulations is striking and disconcerting.
3. R.I.G.L. § 5-37.7-6 “The RHIO shall, subject to and consistent with department regulations and contractual obligations it has with the state of Rhode Island, be responsible for…” This is another area that prompted a great deal of discussion during the legislative process. Regulations were expected to cover minimum confidentiality and privacy practices and standards that the RHIO must be held to in accordance with any contractual agreement between the Department and the RHIO.

Also discussed for inclusion through the regulatory process, but not addressed in this proposal, was the inclusion of mechanisms to address contractual violations of these standards by the RHIO. The goal of these mechanisms was to ensure meaningful accountability without leaving the Department with the sole choice of seeking revocation of the contract as the remedy for any violations. We continue to believe that such mechanisms should be included in these regulations.

R.I.G.L. § 5-37.7-7(c) “The content of the authorization form […] shall be prescribed by the RHIO in accordance with applicable department of health regulations...” The proposed regulations (§4.5), for the most part, simply regurgitate the statutory language. It would be both appropriate and useful to include a copy of a proposed authorization form to ensure it adequately addresses the statutory requirements and demonstrates true informed consent. At a minimum, though, some standards regarding the form’s contents should be included.

R.I.G.L. § 5-37.7-8(a) “Authenticate the recipient of any confidential health care information disclosed by the HIE pursuant to rules and regulations promulgated by the agency.” Other than the inclusion of a reference in §5.1 to using “prevailing industry standards and safeguards,” there is absolutely no authentication process spelled out within the proposed regulations.

R.I.G.L. § 5-37.7-10(d) “To terminate his or her participation in the HIE in accordance with rules and regulations promulgated by the agency” This is also something largely absent from the proposed rules, even though it is very important to patient autonomy. Instead, §4.1(e) merely provides that a patient may be able to terminate his or her participation “at any time” in accordance with a RHIO policy to be approved by the Director. This language fails to provide any guidance as to how one goes about terminating participation, and essentially leaves it up to the RHIO, rather than the APA process, to establish that guidance.

In addition to standards and procedures missing as outlined above, we have further suggestions based on what is already included in the draft rules.

Proposed Rule §4.1 [Patient’s rights] – This section should be further expanded to include the processes a patient would go through in subsections (a), (c) and (f) to obtain or amend his or her records, or to obtain his or her disclosure report. For example, whom do patients contact and are any forms required?

Proposed Rule §4.1(f) – The language herein is taken directly from statute. However, R.I.G.L. § 5-37.7-4(e) also makes clear that the RHIO must respond to patient requests to amend their health care record directly. The regulations should propose some standards to the RHIO for complying with this obligation.

Proposed Rule §4.5 – The language related to “proposed uses” (§4.5(a)(1)) should be clearly outlined. It is our understanding that the HIE was established primarily, and perhaps exclusively, for the benefit of treatment and care coordination. It is ambiguous to a worrisome degree not to give further definition of what other uses would be allowed and to ensure that patients will know if they are agreeing to sharing of information for non-treatment purposes. In this regard, the regulations should provide for the use of two separate forms: one for treatment situations and a separate form to authorize patient information for other purposes, such as marketing or research. This would help to ensure a patient’s informed consent to participate in the latter to the extent that the Department is agreeing that these uses are permissible.

 If, as has been suggested in other venues, that no uses of the HIE will be allowed other than for treatment purposes – a restriction that the RI ACLU strongly supports – then the regulations should make this clear so as to avoid any confusion.

Proposed Rule §4.5(a) – In order to protect patient privacy, we would urge that the regulations, similar to HIPAA, contain a minimization requirement when it comes to the transfer of information for non-treatment purposes. That is, only the minimum necessary medical records information should be provided to third parties for whom consent authorization has been provided by the patient. Of course, if the regulations are clarified (as suggested immediately above) to specify that the HIE will be used only for health care purposes, this concern would largely be rendered moot.

We believe that health care providers should be prohibited from denying treatment to patients who refuse to participate in the HIE. In this regard, the proposed regulations only contain an ambiguous provision indicating that a health care provider may be subject to “administrative review” for abandoning a client or denying treatment solely on the basis of a patient’s refusal to participate in the HIE. It is unclear to us exactly what this “administrative review” would consist of, how it differs from the statutory disciplinary process currently in place, or even exactly what a provider’s obligation is vis a vis denying treatment to non-participating clients. Is it improper or not? Both patients and providers need more guidance than what these regulations offer.

In addition, to the extent that the regulations do not prohibit the practice of abandoning non-participating patients, we believe that, at a minimum, they should require providers to notify the Department if they mandate patient participation in the HIE and for the Department to maintain a list of those providers for public access. In this way, patients concerned about their privacy will be able to make the most informed decisions about the health care providers whose services they wish to use.

Finally, we believe it is important to note additional changes to the regulations that may be necessary in light of Congress’s recent passage of the HITECH Act. While we have been unable to examine this new law in depth, at least a few aspects of the Act suggest potential conflicts with our state HIE that may require additional consideration. For example:

The HITECH Act has a broader concept of “breach” than the RI Identity Theft Law (RIGL §11-49.2) referenced in the statute and regulations (at §2.3(c)(11)). Both state law and the HITECH act breach provisions apply only to “unsecured information.” The new federal breach provisions apply to unauthorized “access, use or disclosure” not just “access” as in state law, do not require the unauthorized access “pose a significant risk of ID theft” as state law does, and set out more specific notice requirements (and timelines) for breach notifications. Federal regulations implementing this provision of the Act appear imminent.

The national HIT Policy Committee is supposed to make recommendations in several policy areas, and the National Coordinator for HIT is supposed to consider these in developing and implementing a national HIT infrastructure. One policy area concerns the use of limited data sets, i.e., “[t]echnologies that protect the privacy of health information and promote security in a qualified health record, including for the segmentation and disclosure of specific and sensitive individually identifiable health information, with the goal of minimizing reluctance of patients to seek care (or disclose information about a condition) because of privacy concerns” and for the “disclosure of limited data sets of such information.” As the Department is aware, the RI ACLU has expressed concern for some time about the all-or-nothing approach envisioned by the HIE, where sensitive data (e.g., records relating to mental health, drug treatment, or STDs) is not segregated in any way or limited in its release to those with access to the HIE. It is worth noting that, depending on the HIT Policy Committee’s recommendations, Rhode Island’s all or nothing approach may be premature.

In sum, we believe these proposed rules fall short by failing to comply with the statutory mandates contained in the new HIE statute for rule-making, and by failing to adequately provide for the confidentiality, security, due process and informed consent protections to patients that the regulatory process is designed to protect. We urge that these issues be addressed.

We appreciate your attention to our views, and trust that you will give them your careful consideration. If the suggestions we have made are not adopted, we request that, pursuant to R.I.G.L. §42-35-3(a)(2), you provide us with a statement of the principal reasons for and against adoption of these rules, incorporating therein your reasons for overruling the suggestion urged by us. Thank you.

Submitted by: Steven Brown, Executive Director

Here are some of the key points the Report makes regarding liability concerns, as well as a few thoughts of my own:

• Liability for Data Storage and Management.  How data is stored and managed (e.g., by the RHIO versus by its participants) will affect the distribution of liability. In general, the more authority and responsibility that the RHIO possesses in connection with the data, the more liability coverage it will need to take on. I agree.
• Liability for Accuracy and Completeness.  Both data suppliers and data users are concerned about their respective liability in relation to data being accurate and complete.  RHIOs often will contractually limit their liability for accuracy of data supplied, or received and used.  However, if the RHIO manipulates the data in transit in anyway, it could be held responsible for such intervening acts. I note that data senders and receivers are also typically required to carry insurance and assume contractual responsibility for supplying accurate and complete data to the RHIO.
• Duty to Review.  In a previous blog post, I discussed providers’ concerns that joining a RHIO/HIE will create a duty to review all information about a patient contained in the RHIO/HIE, and this will potentially expose them to an increased risk of “missing” relevant information. In my post, I noted why I thought that the role of HIEs in connection with the "standard of care" is still evolving. The Report additionally notes that:

there are no widely recognized standards for reasonable physician behavior in seeking or reviewing electronically available data, or for the extent to which that data should inform his/her clinical decisions.

• Liability for Audit Logs.  The Report points out that some RHIOs have recently been compelled via subpoena to provide audit information for malpractice lawsuits involving the RHIOs participants. Although a RHIO may be legally obligated to respond to a subpoena, I note that it is still important that HIPAA’s standards for releasing PHI in response to a subpoena are complied with. 
• Extending Liability to IT Vendors.  If the IT vendor provides any software, integration services, and operational services for the RHIO, the vendor should assume responsibility for their actions.  The Report noted that one factor that strongly influenced the amount of liability assigned to IT vendors was the negotiating power of the RHIO. The type of coverage in their liability insurance that the IT vendors were asked to carry varied, but typically total liability coverage ranged between $1 million and $3 million.

With regard to insurance coverage, the Report made the following additional points: 

• Researching, negotiating and obtaining liability coverage takes time. Get started early.
• There remains a high degree of uncertainty with regard to what constitute adequate coverage.
• Insurance policy options for RHIOs are growing, but remain limited.
• There is wide variability in liability insurance practices across RHIOs.
• Sovereign immunity has its advantages and disadvantages. On this last point, the paper notes that while some are strong proponents of State immunity for RHIOs, citing such benefits as increased stakeholder participation, decreased start-up costs, and long-term sustainability, others are skeptical and noted that if State immunity is available, RHIOs may not be as rigorous in establishing privacy and security controls, and that stakeholders may then be targeted for lawsuits instead.  

In sum, the Report illustrates some of the complex liability questions that are being addressed in the RHIO context, and this is without even getting into other areas such as directors' and officers' liability, as well as security breaches across RHIO participants. Navigating this complex and uncertain landscape continues to be challenging, but those getting started now have some benefit from lessons learned by others over the last year, and well as a slightly more mature insurance market primed to RHIO and HIE risks.

Whether or not a provider will be held liable for “misses” will always depend on the facts and circumstances surrounding a particular case. However, the “standard of care” in medicine evolves over time, especially when dealing with new technologies. Therefore, what may not yet be the standard of care today, may very well be just that in the very near future. Sooner or later, this will likely hold true with use of electronic medical record (EMR) and HIE technology as well.

To get a different perspective on the question, I decided to ask an old law school friend who now happens to be a successful medical malpractice attorney (I try not to hold that against him!) what he thought about HIEs and malpractice.  Initially, we both agreed that if the relevant information is hidden deep inside the HIE and is not reasonably accessible to the busy practicing provider, is not presented in a way that is of value or conducive to making clinical judgments, or it is just plain too expensive to join the HIE, then it will be unlikely that the physician's "failure" to “find” or “access” such information would be found by a jury to be negligent or falling below the “standard of care.” However, my friend then did a 180º on me when he said the following…

But, if joining the HIE is not cost prohibitive, and the information was available to the physician in a meaningful, easily-accessible and useful way that, had it been accessed through the HIE, could have prevented harm to the patient, but the physician did not join the HIE simply because he/she did not want the new obligation and burden of having to review such information, then I would definitely sue the physician for not joining the HIE and not accessing the information because it could have prevented harm to my client…

Now, I have to admit I did not see that one coming and immediately thought to myself "so, is this a case of 'damned if you do' and 'damned if you don’t'”?  I don’t think so. However, the reasons why providers decide not to join a HIE should be very carefully considered and weighed against the potential benefits joining a HIE may have for their patients, namely potentially improving safety and quality of care. That said, before HIE technology can become a standard of care, at a minimum it must be easy to use, offer useful information, be secure, and not cost prohibitive to the busy practicing provider. Once that happens, however, what will happen if providers don’t join and patients suffer as a result? .... well, I guess my old law school friend may be waiting!

The Rhode Island chapter of the American Civil Liberties Union (ACLU) filed the Complaint alleging that:

the proposed rules failed to comply with the HIE’s statutory mandates by not addressing provisions in the statute that require adoption of regulations on certain specific issues to further promote the confidentiality, security, due process and informed consent due the affected patients

The ACLU argues that the RI-DOH cannot supplement gaps in the proposed rules through the adoption of policies and that the RI-DOH must address these concerns through Rhode Island's public rulemaking process in order to fulfill its obligations under the HIE Act. However, the RI-DOH has countered that the policies provide sufficient safeguards to protect patients' information while offering more flexibility to make adjustments quickly as national standards for privacy and security in the HIE context continue to evolve rapidly.

The lawsuit serves as an example of how important these concerns are to the public as well as highlights the potential for challenges to others developing HIE regulations. This case is worth watching closely to see how it develops.

This post was prepared by Krystyna Nowik.  Krystyna is a graduate of Seton Hall Law School, with a concentration in Health Law.  She works with Oscislawski LLC on various Health Information Exchange matters and is a guest contributor to Legal HIE.