Davis Wright Tremaine LLP

HIT Legal Issues: Interoperable EHRs and Privacy and Security
Alice J. Becker, JD
Senior Associate General Counsel
PeaceHealth
Bellevue, WA
[email protected]
Rebecca L. Williams, RN, JD
Partner
Co-Chair, HIT/HIPAA Practice
Davis Wright Tremaine LLP
Seattle, WA
[email protected]
Introduction
- Federal focus on “RHIOs”
- Privacy and Security Issues for Interoperable EHRs
- PeaceHealth Model
Types of RHIOs
- Pointer System
  - RHIO master patient index acts as a map to where information is stored
- Data Warehouse–Silo System
  - RHIO holds the information but keeps each provider’s records in separate silos
- Community Health Record System
  - All records combined into one community-wide health record
Types of RHIOs: PeaceHealth
- The Community Health Record (CHR) is a key part of PeaceHealth’s strategy to realize a future vision of high quality, safe, efficient and cost effective care delivered seamlessly across the continuum in each of the communities we serve
- Began as PeaceHealth EHR only
- Now includes non-PeaceHealth patient information
- Provides access to system, technologies and databases
  - Rx Pad
  - Radiology
  - Medical libraries
Organizational Issues: OHCA
- Medical Staff OHCA
- Community OHCA: organized system of health care
  - More than one covered entity
  - Hold themselves out to the public as a joint arrangement
  - Participate in joint activities that include UR, QA or sharing of financial risk
- Benefits
  - Disclosures permitted within OHCA for OHCA health care operations
  - May use joint notice of privacy practices
  - May avoid need for business associate contract
Organizational Issues: Business Associate
- Business Associate provides services on behalf of a covered entity involving PHI
  - Examples: management, administration, data aggregation
  - Need BAC
- RHIO/ASP/ISP
  - May or may not be covered entity
  - May be a business associate
Organizational Issues: PeaceHealth Business Associate Model
- “EHI Works” – a division of PeaceHealth
- Contracts with “Users”
  - Connectivity only
  - Use of “system” as ASP
- User responsible for “Authorized Workforce”
  - Employees
  - Agents
  - Other health care providers under User’s direction and control
Uses and Disclosures: General
- Decide what uses and disclosures will be allowed
- Determine which frequently exercised uses and disclosures pose least/greatest risk in a RHIO
  - TPO
  - Mandatory disclosures (e.g., child abuse reporting)
  - Public health (e.g., cancer registry)
  - Research
  - Authorization
Uses and Disclosures: TPO
- May disclose PHI for own
  - Treatment
  - Payment
  - Operations
- May disclose PHI for treatment activities of a health care provider (not necessarily a covered provider)
- May disclose PHI to provider or covered entity for payment
- May disclose PHI to covered entity
  - For limited operations (e.g., QA, peer review, compliance)
  - If both have/had relationship with patient
  - If disclosure relates to relationship
- Poses least risk because generally no authorization requirement
Uses and Disclosures: PeaceHealth
- Treatment and Payment
- Limited Health Care Operations
  - QA – credentialing, licensing, accreditation
  - Compliance – training programs
- No other use or disclosure is allowed
- “Sensitive” information
  - Special security features
  - Audits
  - Compliance with laws
Individual Rights
- General Issues
  - Need to determine responsibilities
  - Centralized v. de-centralized
- Access
  - If de-centralized, different providers may follow different rules
  - Want to put RHIO participants on notice
- Amendment
  - User who entered PHI must be involved in determination
  - Process for making amendments system-wide
  - Need to preserve pre-amendment PHI
  - Need to track timing of amendments
  - Need to link to statement of disagreement/rebuttal
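The amendment requirements above (preserve pre-amendment PHI, track timing, link the statement of disagreement and rebuttal) are what an append-only history gives you for free. The following is an added example written for this page, not code from the presenters or from PeaceHealth; the patient, user and entity identifiers, field names and timestamps are constructed for illustration.

```python
"""Added example (not from the slides): an append-only amendment history for
one patient's shared record. Every change keeps the pre-amendment value, who
made it (individual user plus entity) and when, and a denied request keeps the
patient's statement of disagreement and the provider's rebuttal attached to
the entry it disputes. All identifiers here are constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class Amendment:
    seq: int                  # position in the record's append-only history
    field_name: str
    old_value: Optional[str]  # pre-amendment PHI is preserved, never overwritten
    new_value: Optional[str]  # None when the request was denied (no change)
    requested_by: str         # individual user id, not just the entity
    entity: str               # the User organisation acting on the record
    at: datetime              # timing of the amendment
    accepted: bool
    disagreement: Optional[str] = None  # patient's statement, if any
    rebuttal: Optional[str] = None      # provider's rebuttal, linked to it


class AmendableRecord:
    def __init__(self, patient_id: str, initial: dict[str, str],
                 entity: str, user: str, at: datetime):
        self.patient_id = patient_id
        self._history: list[Amendment] = []
        for k, v in initial.items():
            self._append(k, None, v, user, entity, at, accepted=True)

    def _append(self, fld, old, new, user, entity, at, accepted,
                disagreement=None, rebuttal=None) -> Amendment:
        # History only grows, and only forward in time.
        if self._history and at < self._history[-1].at:
            raise ValueError("amendment timestamps must be monotonic")
        a = Amendment(len(self._history), fld, old, new, user, entity, at,
                      accepted, disagreement, rebuttal)
        self._history.append(a)
        return a

    def current(self) -> dict[str, str]:
        # The live view is derived from accepted entries; nothing is deleted.
        view: dict[str, str] = {}
        for a in self._history:
            if a.accepted:
                view[a.field_name] = a.new_value
        return view

    def amend(self, fld, new_value, user, entity, at) -> Amendment:
        return self._append(fld, self.current().get(fld), new_value,
                            user, entity, at, accepted=True)

    def deny(self, fld, user, entity, at, disagreement, rebuttal=None) -> Amendment:
        # Denied request: value unchanged, but the disagreement (and any
        # rebuttal) travels with the record for every later reader.
        old = self.current().get(fld)
        return self._append(fld, old, None, user, entity, at, accepted=False,
                            disagreement=disagreement, rebuttal=rebuttal)

    def history(self, fld: Optional[str] = None) -> list[Amendment]:
        return [a for a in self._history if fld is None or a.field_name == fld]

    def value_as_of(self, fld, at: datetime) -> Optional[str]:
        # Reconstruct what the record said at a point in time.
        v = None
        for a in self._history:
            if a.at <= at and a.accepted and a.field_name == fld:
                v = a.new_value
        return v


def demo():
    # Constructed timeline: initial entry, one accepted amendment, one denied request.
    t = [datetime(2024, 1, 1, h, tzinfo=timezone.utc) for h in range(3)]
    rec = AmendableRecord("pt-0001", {"allergies": "penicillin"},
                          "clinic-a", "dr.jones", t[0])
    rec.amend("allergies", "penicillin, sulfa", "dr.jones", "clinic-a", t[1])
    rec.deny("allergies", "dr.jones", "clinic-a", t[2],
             disagreement="I am not allergic to sulfa",
             rebuttal="reaction documented at visit on 2024-01-01")
    return rec, t


if __name__ == "__main__":
    rec, t = demo()
    print(rec.current())
    for a in rec.history():
        print(a.seq, a.field_name, a.old_value, "->", a.new_value, a.accepted, a.disagreement)
```

Because the User who entered the PHI decides the amendment but every other User reads the same CHR, the record carries the decision and its timing rather than relying on each participant's own files; a later reader can ask what the record said before the change.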
Individual Rights
- Accounting of disclosure
  - Most RHIO disclosures not subject to accounting
  - Who tracks?
- Request additional privacy protection
  - Covered entity has right to refuse
  - Accepted request → Bound
  - Practical implication: Is RHIO bound?
  - Be aware of system limitations
- Notice of privacy practices
  - Description of RHIO
  - Responsibility for contents/distribution of NPP
  - Joint NPPs need to be tracked
Individual Rights: PeaceHealth
- Access/Copies—User is responsible
  - Must acknowledge that other Users will be giving access
- Amendments—User is responsible for decisions
  - Must notify PeaceHealth of amendments, disagreements, rebuttals
- Privacy Protections—User can decide but PeaceHealth must approve if restriction affects CHR
- Accounting—User is responsible for User’s disclosure
- Alternative Communications—User is responsible but cannot bind other Users
- Notice of Privacy Practices—User is responsible
  - Required language
Administrative Responsibilities
- General Consideration
  - Centralized v. decentralized
  - Combination
- Training
- Response to Complaints
- Sanctions
  - Each User must have and use sanctions
  - RHIO-wide sanctions
- Policies
  - Individual policies and procedures
  - Rules of the road
  - Coordination
Administrative Responsibilities: PeaceHealth
- Right to monitor and retrieve information
- Notification of security incidents
- Compliance with PeaceHealth policies, protocols and procedures
- Training
  - User required to provide
  - PeaceHealth may provide
- Right to terminate workforce/Users
Security Standards
- Critical to success of a RHIO
- Standards are scalable based on sophistication and resources of covered entity
- Security is only as good as the weakest link
- Minimum standards may be required (e.g., through user/license agreement)
- Need to identify responsibility
Security Standards
- Risk analysis/Risk management
  - Heart and soul of Security Rules
  - Who? How far?
- Information Management/Access Controls
  - Authorize and allow access only to appropriate persons/entities
  - Who may access what
  - Identify relationship with patient/Role of User
  - Unique User name assigned for tracking
  - Does the system identify individual Users or just entities?
Security Standards
Integrity
- Integrity
  - Protect ePHI from improper alteration or destruction
- Person and Entity Authentication
  - Verify that a person seeking access to ePHI is the one claimed
  - Privacy also requires verification
- Audit Controls
  - Hardware, software and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI
- Sanctions
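The access-control questions on the preceding slides (who may access what, relationship with the patient, role of the User, unique user names so the system identifies individuals rather than entities) and the audit-control requirement both come down to one decision point that records every attempt. The following is an added example written for this page, not code from the presenters or from PeaceHealth; the TPO purposes follow the slides, while the users, entities, roles, field names and the "sensitive" categories are constructed for illustration.

```python
"""Added example (not from the slides): a minimal access decision plus audit
trail for an ASP-hosted shared record. Every read, allowed or denied, is logged
against an individual user id so a complaint can be traced to a person and not
merely to a participating entity. Identifiers are constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

PURPOSES = {"treatment", "payment", "operations"}   # TPO only; no other use is allowed
SENSITIVE = {"behavioral_health", "hiv_status"}     # constructed "sensitive" categories


@dataclass(frozen=True)
class Principal:
    user_id: str   # individual user name assigned for tracking
    entity: str    # the User organisation whose workforce the person belongs to
    role: str      # e.g. "clinician" or "billing" (constructed roles)


@dataclass(frozen=True)
class AuditEntry:
    at: datetime
    user_id: str
    entity: str
    patient_id: str
    purpose: str
    fields: tuple[str, ...]
    allowed: bool
    reason: str


class SharedRecordSystem:
    def __init__(self):
        # patient_id -> entities with a treatment relationship to that patient
        self.relationships: dict[str, set[str]] = {}
        self.records: dict[str, dict[str, str]] = {}
        self.audit: list[AuditEntry] = []

    def register_relationship(self, patient_id: str, entity: str) -> None:
        self.relationships.setdefault(patient_id, set()).add(entity)

    def store(self, patient_id: str, data: dict[str, str]) -> None:
        self.records[patient_id] = dict(data)

    def _decide(self, p: Principal, patient_id: str, purpose: str,
                fields: list[str]) -> tuple[bool, str]:
        # Entity-level or shared logons defeat attribution: refuse them outright.
        if not p.user_id or p.user_id.startswith("shared-"):
            return False, "shared or entity-level account; individual user required"
        if purpose not in PURPOSES:
            return False, "purpose outside treatment, payment or operations"
        if p.entity not in self.relationships.get(patient_id, set()):
            return False, "entity has no relationship with patient"
        if purpose == "treatment" and p.role != "clinician":
            return False, "role may not access for treatment"
        if purpose != "treatment" and SENSITIVE & set(fields):
            return False, "sensitive fields only released for treatment"
        return True, "ok"

    def read(self, p: Principal, patient_id: str, purpose: str,
             fields: list[str], at: datetime) -> Optional[dict[str, str]]:
        allowed, reason = self._decide(p, patient_id, purpose, fields)
        # Audit both outcomes; denied attempts are the interesting ones.
        self.audit.append(AuditEntry(at, p.user_id, p.entity, patient_id,
                                     purpose, tuple(fields), allowed, reason))
        if not allowed:
            return None
        rec = self.records.get(patient_id, {})
        return {f: rec[f] for f in fields if f in rec}

    def accesses_to(self, patient_id: str) -> list[AuditEntry]:
        # What an investigator pulls when a patient complains.
        return [e for e in self.audit if e.patient_id == patient_id]


def demo():
    # Constructed scenario: one patient, one treating clinic, several principals.
    system = SharedRecordSystem()
    system.store("pt-0001", {"allergies": "penicillin",
                             "behavioral_health": "constructed sensitive note"})
    system.register_relationship("pt-0001", "clinic-a")
    t = datetime(2024, 1, 1, tzinfo=timezone.utc)
    dr = Principal("dr.jones", "clinic-a", "clinician")
    biller = Principal("m.smith", "clinic-a", "billing")
    shared = Principal("shared-frontdesk", "clinic-a", "clinician")
    outsider = Principal("dr.lee", "clinic-b", "clinician")
    results = {
        "treating_clinician": system.read(dr, "pt-0001", "treatment",
                                          ["allergies", "behavioral_health"], t),
        "billing_sensitive": system.read(biller, "pt-0001", "payment",
                                         ["behavioral_health"], t),
        "billing_plain": system.read(biller, "pt-0001", "payment", ["allergies"], t),
        "shared_account": system.read(shared, "pt-0001", "treatment", ["allergies"], t),
        "no_relationship": system.read(outsider, "pt-0001", "treatment", ["allergies"], t),
    }
    return system, results


if __name__ == "__main__":
    system, results = demo()
    for name, r in results.items():
        print(name, "->", r)
    for e in system.accesses_to("pt-0001"):
        print(e.user_id, e.entity, e.purpose, e.allowed, e.reason)
```

The shared-account branch is the point of the slide's question about identifying individual Users or just entities: if a participating clinic logs on under one entity credential, the audit trail records an access but cannot name the person, and the User's own sanctions then have nothing to act on.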
Security: PeaceHealth
- Users must comply with PeaceHealth security requirements
  - Password/Logon Requirements
  - Confidentiality Agreements
- PeaceHealth has right to:
  - Audit
  - Terminate if security requirement breached
- Users required to comply with applicable laws (e.g., HIPAA security regulations apply to User and User’s systems)
Liability for Privacy and Security
- There will be privacy and security breaches
- Direct liability for own action
- Uncertain how far liability will travel for acts of other RHIO participants
- Ultimately may depend on reasonableness of RHIO’s safeguards
- Recognize potential risk
- Allocate risks in contracts/organizational documents
Liability for Privacy and Security: PeaceHealth
- Users required to maintain insurance
- Users must indemnify PeaceHealth and other Users for privacy and security breaches
- Compulsory disclosure
Questions
Rebecca L. Williams, RN, JD
Partner
Co-Chair, HIT/HIPAA Practice
Davis Wright Tremaine LLP
Seattle, WA
[email protected]
Alice J. Becker, JD
Senior Associate General Counsel
PeaceHealth
Bellevue, WA
[email protected]