Legal Issues in Health Information Exchange

Transcription

1 Legal Issues in Health Information Exchange Sponsored by Health Information and Technology Practice Group June 8, 2012 Presenter: Gerry Hinkley, Esquire, Partner, Pillsbury Winthrop Shaw Pittman LLP, San Francisco, CA, 1

2 Objectives Understand the rationale for health information exchange (HIE) Examine approaches to HIE governance Focus on technology procurement Look at data sharing agreements and the Nationwide Health Information Network HIEs as business associates Look at privacy and patient consent Discuss the relationship of HIE to Accountable Care Organizations and Meaningful Use Explore some hot legal issues Identify challenges to HIE expansion 2

3 Vocabulary Health information exchange it s a verb and a noun Health information exchange organization (HIEO or HIO) the entity that enables exchange (also sub-network organization) 3

4 Why? Improve quality of care Reduce medical errors Decrease duplication, unnecessary services Reduce costs Manage population health Engage patients in their own care Support meaningful use Support accountable care organization (ACO) operations 4

5 What? Single source data labs, hospital admits/discharges Combination source data continuity of care record, problem list Sensitive data excluded mental health, HIV/AIDS, substance abuse 5

6 Who? Content providers (labs, pharmacy, radiology, hospitals, medical professionals) Content users (medical professionals, consumers, payors, public health) 6

7 Governance Achieving trust and interoperability with consumer participation Three building blocks Clear goals and objectives what is the problem we are trying to solve? Mechanisms and processes for development, oversight and coordination of policies, standards and services The policies and standards themselves The governance cycle: Problem identification/agenda setting Design, formulation, adoption Implementation and enforcement Evaluation and review 7

8 Governance, Cont d A well-functioning governance structure will demonstrate: Well-defined and bounded mission; Appropriate participation, representation and expertise; Transparency; Accountability; Effectiveness metrics; Adaptability; and Consumer involvement 8

9 Structure Centralized repository Federated model Edge servers Record locator Master patient index Query Issues Interoperability Openness Technology 9

10 Technology, Cont d Policy aware procurement strategy Openness and transparency Purpose specification and minimization Collection minimization Specification and minimization of use Individual participation and control Data integrity and quality Security safeguards and controls Accountability and oversight 10

11 Technology, Cont d Issues of concern in procurement Functionality Hosting (where is my data?) Implementation and training Go live and testing Data migration Maintenance and support, backup and recovery New releases Up-time Vendor-purchaser incentives aligned Indemnification, remedies, limitation of liability 11

12 Data Sharing Agreement Mechanisms for oversight, accountability, and enforcement Establishing fundamental basis for trust among health information sharing participants Addressing fundamental principles contractual obligations, transparency, accountability, accreditation, data sharing organizational framework Registration agreements Policies and procedures Privacy and security Economic relationships, obligations Insurance and indemnification Liability for inaccuracies, misuse 12

13 NwHIN and the DURSA Nationwide Health Information Network (NwHIN)/Data Use and Reciprocal Support Agreement (DURSA) Network of networks Department of Defense, VA, Kaiser, HealthBridge Federal standard Required response for treatment, other purposes optional No indemnification Content provider: what I am sending is what I have Mandatory dispute resolution Will DURSA be the last agreement standing? Governance RFI issued by ONC: Conditions for Trusted Exchange Standards for ability to participate in the NwHIN 13

14 HIEs, BAAs, and Subcontractors HIEs must have BAAs in place with every covered entity participant Avoid BAAs on steroids standardize, stick to HIPAA HIEs must downstream their BA obligations to the HIE s subcontractors and vendors (hosting, data transmission, patient locator) Reconcile all the BAAs provisions that need to be downstreamed Subcontract in writing, sufficiently detailed; proof to covered entities of HIE s compliance Address potential for new terms to be incorporated 14

15 Patient Consent Driven by the principles that the patient should control access and use of his/her health information and the system should be open and transparent (Fair Information Privacy Principles) Legal bases HIPAA, state law Not simply opt in or opt out toward granular consent: what accessible to whom when Concept of consent based on information standard for HHS grantees: meaningful choice Breaking the glass Where is consent collected How is consent managed 15

16 HIE to HIE Exchange Requires a governance structure Common policies and procedures Lowest common denominator of use restrictions Reconciling technological differences Building in flexibility for growth, technology 16

17 HIEs and ACOs HIE participants in ACOs will use the HIE to: Identify episodes of care Communicate with other providers Assemble a continuity of care record Patient grouping by diagnosis Connect to patients and their PHRs reminders, scheduling, alerts, wellness Gather information for reportable metrics, reducing preventable conditions Patient profiling Medicare ACOs are given limited patient data as a starting point to patient profiling and adjustments to care Given Medicare utilization of multiple, unconnected providers, HIEs can assist ACOs to bridge the data gap CMS preference for patient consent via opt out with respect sharing claims data with providers 17

18 HIEs and Meaningful Use Stage 2 NPRM HIE focus in Stage 2 Public health: transmission to immunization registries, reportable lab results Summary of care documents provided via HIE Consumer access view and download Exchange of key clinical information at each transition of care CPOE: medications, lab/radiology orders 18

19 Offshore Activities When the HIE or its participants store data outside the US When an HIE participant (e.g., a health plan) prohibits offshoring Generalized concerns: The offshore s employees will not be adequately trained Monitoring offshore compliance with a BAA will be difficult Will U.S. law have an effective reach to the offshore? 19

20 HIE approach to offshoring Establish P & Ps Offshoring, Cont d Identify participants that offshore data Require participants to report their BAs and subcontractors who offshore Require participants to conduct and report audit results at least annually desk vs. on-site? Require participants to terminate arrangements if there is a serious security breach

21 Other Hot Issues Standard of care Conflicts of interest HIE obligations with respect to data breach Cyberinsurance system failures, user failures OCR enforcement of HIPAA State attorney general enforcement of HIPAA

22 Challenges HIE proliferation continues to be challenged by: Funding and sustainability Variation in implementation of interoperability standards Provider adoption Proliferation of disparate technologies Privacy and security concerns Consumer engagement and integration of personal health records with HIE

23 Legal Issues in Health Information Exchange 2012 is published by the American Health Lawyers Association. All rights reserved. No part of this publication may be reproduced in any form except by prior written permission from the publisher. Printed in the United States of America. Any views or advice offered in this publication are those of its authors and should not be construed as the position of the American Health Lawyers Association. This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering legal or other professional services. If legal advice or other expert assistance is required, the services of a competent professional person should be sought from a declaration of the American Bar Association 23