
Organization or Development of RHIO or HIN for Risk Managers

My colleagues, Steve Prom (Jacksonville) and Betsy Hodge (Tampa), healthcare attorneys at Akerman, have recently written an article for FHA on the “Organization or Development of RHIO or HIN for Risk Managers.” Their bios are at the end of this post. They have graciously allowed me to use their article here. The subject matter is very timely.


So, you’re a Risk Manager and your organization is getting involved in the organization or development of a Regional Health Information Organization (“RHIO”) or a Health Information Network (“HIN”). Many hospitals, health agencies, physicians and other health care providers are scurrying about in efforts to cobble together functioning, sustainable electronic health information networks that will permit health care providers and planners to use patient health information in a meaningful way. This article is not intended to be a primer on how to accomplish that. In fact, the authors are not aware of any groups that have claimed to have been wholly successful in their efforts. This article is an effort to inform the reader, in a meaningful way, regarding some risks that will be associated with organizing a RHIO or HIN and how to deal with them.  For simplicity, the authors elected to use the term “HIN” to refer to either a RHIO, HIN, or both.

Step 1: Identify the Risks

Other than possible inaccuracies contained in an electronic medical record that is accessible in a HIN, the biggest risk that HIN participants will face is that of unauthorized disclosure. Unauthorized disclosures can be accidental, intentional or the result of “fishing” by nosy “journalists,” fans, paparazzi or, even more likely, inquisitive persons who have access to the records and may be seeking to share or leak information for pleasure or bounty, but are not authorized by the patient to do so. “Fishing” can also be the result of well-meaning administrators associated with a participant or host entity who access patient information without the patient’s authorization or consent, and are not using the information for purposes of diagnosis, treatment, health planning, or billing/collection.

Step 2: Identify the Participants

Participants in a HIN may include all or a subset of a universe of interested health care providers, including hospitals, physicians, local health agencies, not-for-profit health clinics, behavioral health providers, and homeless shelters. From a practical standpoint, the initial participants will likely be either necessary or helpful. For example, they offer expertise in HIT experience, funding, leadership, community profile, legal, HIPAA, etc. The authors’ experience reflects that hospitals, a local health department and one or more clinics that would benefit from HIN use and data analysis will likely be initial organizers/participants, although larger physician groups, networks and hospital-based or affiliated groups are natural fits, as well. Since most HINs are developed in stages, good planning will probably identify not only the prospective participants, but also their strengths, readiness and at what stage they are likely to join the HIN.

Step 3: Identify the Laws/Sanctions

A Florida patient’s rights to privacy and confidentiality with respect to his or her medical records are protected under both Florida and Federal laws. Under Florida law, a patient has a right to privacy that is protected by the Florida constitution, as well as Florida statutes. Patient medical records are to be kept confidential absent patient consent.  Additionally, patient medical records relating to substance abuse, mental health and certain diseases, such as HIV/AIDS, are afforded “super confidentiality,” which means that specific consent to disclosure must be in writing and can be withdrawn at any time, subject to limited exceptions.  Florida also has a breach notification law which requires persons who cause or learn of an unauthorized disclosure of unencrypted confidential patient records to notify the patient, take steps to lessen the damage, etc.  This can be very expensive when, for example, the “breach” is the loss or theft of a computer server that may have tens, or hundreds of thousands, or millions of patients’ records. 

In addition to Florida law protections, patient health information in both paper and electronic format is protected under the federal HIPAA and HITECH laws. Also, Florida and federal laws prohibit the unauthorized disclosure of “super confidential” patient information related to substance abuse, mental health and certain diseases, such as HIV/AIDS. Of course, the key to risk management is to document and preserve patient authorization and consent to the disclosure or redisclosure of PHI and super confidential PHI.

Step 4: Identify Prevention Mechanisms

A HIN is only as good as its weakest link.  It is critical that the HIN carefully select who will participate in the network and that all participants understand from the beginning what is expected of them.

Establish credentialing criteria for participants focused on their adherence to “best practices” with respect to maintaining the privacy and security of patient information. All participants should sign an agreement that, among other things, obligates participants to adhere to privacy and security “best practices.” The Interim Final Rule on Breach Notification for Unsecured Protected Health Information, published August 24, 2009 at 74 Federal Register 42740, references many of the NIST guides related to protected health information. The “meaningful use” requirements also mandate certain IT capabilities to protect patient information. Best practices that HIN participants should agree to adhere to include individual user IDs and passwords, sufficiently strong passwords (use of upper and lower case, numbers and symbols), work stations timing out after a specified period, and use of security audits to detect unauthorized access to patient information. The participant agreement should also address what steps will be taken and by whom if a HIN participant or one of its employees is found to have engaged in unauthorized access or disclosure of patient information.
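One way to implement the “security audits to detect unauthorized access” practice listed above, as an added example rather than code from the article or from any HIN: a review routine over exported record-access events that flags accesses by users with no treatment or billing relationship to the patient (the “fishing” described in Step 1) and accesses to super-confidential records with no written consent on file. The event schema, purpose values, and the care-relationship and consent tables are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Purposes the article treats as legitimate uses of patient information.
PERMITTED_PURPOSES = {"diagnosis", "treatment", "health_planning", "billing"}

@dataclass(frozen=True)
class Access:  # one record-access event exported by a participant (assumed schema)
    user: str
    patient: str
    purpose: str
    super_confidential: bool  # substance abuse, mental health, HIV/AIDS records

def review_access(events, care_relationships, written_consent):
    """Return (event, reason) pairs for follow-up under the HIN's P & Ps.

    care_relationships: set of (user, patient) pairs with a treatment/billing link
    written_consent: patients with written consent on file for release of
                     super-confidential information across the HIN
    """
    findings = []
    for e in events:
        if e.purpose not in PERMITTED_PURPOSES:
            findings.append((e, "purpose is not diagnosis, treatment, planning or billing"))
        elif (e.user, e.patient) not in care_relationships:
            # Authorized user, permitted purpose claimed, but no relationship to
            # this patient: the "fishing" pattern described in Step 1.
            findings.append((e, "no care relationship to patient: possible fishing"))
        if e.super_confidential and e.patient not in written_consent:
            findings.append((e, "super-confidential record without written consent"))
    return findings

# Constructed sample data; not real users or patients.
CARE_RELATIONSHIPS = {("dr_lee", "P001"), ("billing_kim", "P001"), ("dr_lee", "P002")}
WRITTEN_CONSENT = {"P002"}
SAMPLE_EVENTS = [
    Access("dr_lee", "P001", "treatment", False),     # legitimate
    Access("billing_kim", "P001", "billing", False),  # legitimate
    Access("admin_ray", "P001", "treatment", False),  # no relationship to P001
    Access("dr_lee", "P002", "treatment", True),      # consent on file
    Access("dr_lee", "P001", "curiosity", True),      # bad purpose and no consent
]

def sample_findings():
    return review_access(SAMPLE_EVENTS, CARE_RELATIONSHIPS, WRITTEN_CONSENT)

if __name__ == "__main__":
    for event, reason in sample_findings():
        print(f"{event.user} -> {event.patient}: {reason}")
```

Each finding is a candidate for the participant agreement’s response steps, not a verdict; a relationship table that lags behind real staffing will produce false positives that the review process must be able to close out.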

Additionally, HIN participants should carefully select the vendor(s) who will be providing the infrastructure.  Asking for references and actually following up with those references can provide a wealth of information about the capabilities of prospective vendors, both from a technological and a customer service perspective.  Also, it is important to have any contract with IT vendors reviewed by lawyers knowledgeable in that area especially since vendors will try to provide as few warranties and as many disclaimers as possible concerning their IT systems.

There must be a HIPAA and HITECH compliant Business Associate Agreement (BAA) with all covered entities participating in the HIN.

The HIN should have legal counsel involved in creating these “prevention mechanisms.”  At the same time, each participant should have its own counsel review documents the HIN is requiring participants to sign.  Participants need to identify in the beginning if they will be able to comply with their obligations to the HIN and identify any gaps and determine how to correct them.

Step 5: Identify Post Event Mop Up

Regardless of efforts to prevent risk occurrence, there will be adverse “events.”  The time to plan your response to those events is before they occur. 

The HIN should develop policies and procedures (“P & Ps”) that describe what should happen when an “adverse event” occurs. These policies and procedures should include encouraging participants to report to the HIN in a timely manner if they discover an adverse event. As with your facilities’ internal policies and P & Ps, the HIN procedures should specify who will be the central contact person when an adverse event is discovered. There may be more than one such person depending on the type of adverse event. The P & Ps should also specify how the event and the response to the event will be documented.

The HIN should review with legal counsel the various federal and state laws governing data breaches in developing P & Ps for responding to an event.  For example, both the federal HITECH Act and Florida’s data breach law specify steps to take in the event of a data breach.

Identify the “team” that will help respond to a data breach before one occurs. Prepare a short list of, or better yet, retain, computer forensic firms, public relations firms, outside legal counsel, and firms that provide credit monitoring in advance of an event so there can be a prompt response.

Of course, all HIN participants must be educated on these policies and procedures.

Step 6: Identify Potential Damage Claims/Fines

It is important for the HIN and the participants to identify the cost of the worst-case scenario and the most-likely scenario. Both HIPAA and HITECH provide for fines for improper use and disclosure of protected health information. If there is a data breach, as defined under the HITECH Act, the entity that suffered the breach must provide notice to all who are potentially affected. HIPAA requires that the covered entity mitigate harm to those affected by a breach. Mitigation can include offering credit monitoring and setting up call centers to address questions, which can be expensive. The Florida data breach law requires that an entity that conducts business in Florida notify all of those who are affected by a data breach.

In addition to fines that may be imposed by Florida and the federal government, there is the cost of responding to the breach. This may take a lot of staff time and may also require the use of outside vendors such as computer forensic specialists and outside legal counsel. If the breach is of sufficient size, the entity may need to disclose through a media outlet and disclose to HHS (which will then publish the breach on its website). The cost of hiring a public relations firm to deal with the bad publicity should be considered. As mentioned above, it may be prudent to set up a call center and provide credit monitoring to those affected by the breach.

Also, consider the potential cost of having the federal government impose a Corrective Action Plan under HIPAA.  Often, the fine is dwarfed by the costs of complying with the plan, including hiring an outside monitor, cost of updating policies and procedures regarding privacy of protected health information, training employees on the policies, and preparing various reports required under the plan.

Step 7:  Identify How to Defend/Pay Damages

Both the HIN and its participants must decide how to insure against potential claims or losses related to participation in the HIN.  One option is to obtain commercial insurance, if it is available.  Another option is to self-insure.  The HIN may also want to consider contracting responsibility for loss to its vendor.  HIN participants should check with their current liability carrier to see whether the policy will cover losses related to participation in a HIN.

The HIN needs to review what damages or costs insurance will pay.  Often insurance will not cover fines.  Insurance will not cover punitive damages.  The HIN and participants need to determine how each will pay any amounts not covered by insurance.  Another issue to consider is whether there will be any indemnification between the HIN and participants, depending on who caused the adverse event.  This should be addressed in the participation agreement.


The organization and operation of HINs presents both opportunities and challenges to the organizers and subsequent participants. Success and sustainability will in large part depend on the organizers, the participants and their HIT and legal counsel understanding, appreciating and addressing the legal risks, and on setting up appropriate mechanisms to prevent or minimize the adverse consequences to the patients, providers and participating organizations’ future ability to achieve their missions.


About the Authors

Stephen G. Prom, Esq.
Stephen Prom has over 30 years of multidisciplinary legal experience in the areas of corporate, business and tax, with a high concentration in the healthcare industry. His experience includes the representation of institutional, group and individual providers in connection with electronic medical records and networks. He is a shareholder in Akerman’s Jacksonville, Florida office.

Elizabeth F. Hodge, Esq.
Elizabeth Hodge has more than ten years of experience representing hospitals, physicians, and other healthcare providers in contract matters, medical record issues and general healthcare litigation, principally civil and administrative trial matters. She is Of Counsel in Akerman’s Tampa, Florida office.
