WWW.ALSTON.COM
More Data, More Risks: Compliance Challenges Concerning Health Information Privacy and Security
34th Annual Lab Institute, Washington, D.C.
October 27, 2016
Paula M. Stannard, Esq., Alston & Bird LLP – Washington, D.C.
Dina Hannah, MBA/HCM, MT (ASCP)H, SBB, CIPP, TriCore Reference Laboratories – Albuquerque
Big Data
• Interoperability of Electronic Health Records and other Provider-to-Provider Exchange of Information
• On-line Provider, Payor, Patient Portals incorporating longitudinal data
• Health Information Exchanges/Health Information Organization
• Internal data aggregation/un-siloing of data
Overview
• TriCore: A Case Study on Big Data
• Applicable Information Privacy and Security Requirements
– HIPAA/Health Information Privacy
– Federal Trade Commission
– Portal Safeguards
• Other Potential Legal Issues
– Fraud and Abuse
– Antitrust
Objectives
• Recognize that change is inevitable
• Review current clinical laboratory landscape
• Envision future strategic focus
– Discuss TriCore's experience as a driving force for change: a case study highlighting compliance risks while pursuing the mission to reshape the way healthcare is delivered to improve lives in our communities.
Background – Market Forces
Current Market (volume based):
• Fee for Service
• Unfulfilled need for Primary Care Providers
• Limited care coordination
• Complicated health care environment in silos
• Sample centric
Future Market (value based):
• Bundled payment structure
• Increased access to care/primary care to those who need it most
• Increased coordinated care
• Patient-centered care
• Actionable interpretation information
• Aggregation of data
Cost / Unit:
• Optimizing Clinical Processes
• Right Test, Right Time
• Value Based Purchasing
• Targeted Intervention
Pre-Analytical / Analytical / Post-Analytical
Why Change?
• Reimbursement and regulatory oversight activity continues to increase as both federal and state governments face healthcare budgetary shortfalls and transition to value-based care
– ACA
– MACRA: money to invest in value-based care, data exchange, clinical decision support and patient engagement
– MIPPA
– PAMA (clinical laboratories will have significant financial consequences)
• CMS initiatives target improving the quality of care and decreasing the episodic costs for their covered populations
– bundled payment initiatives
– value-based programs
– shared savings ACOs
– revised physician fee schedules (more emphasis on care coordination, primary care, and mental health)
– innovation grants
• Payers continue to narrow their provider networks
• Merger, acquisition
• Competition and partnership in the healthcare IT and analytics space
Commodity or Partnership?
• Commodity:
– Emphasis on volume and efficiencies to reduce cost and maintain viability.
– Results in limited care coordination abilities while increasing demands placed on primary care providers.
– Sample-centric environment results in siloed data environments.
• Partnership:
– Emphasis on Value Based Care
– Effort to understand why testing was ordered and what is being done about the result
– Results in a patient-centered environment focused on coordinated care and follow up
– Big Data environment requires the aggregation and proactive analysis of data to optimize clinical processes for targeted interventions
Opportunities to establish partnership
Labs are well positioned to facilitate the improvement of both the health outcomes of the patients we serve and the economic viability of their healthcare providers through:
• State of the art diagnostics, clinical expertise, and technology that enable labs to partner in personalized medicine.
• Use of data to apply descriptive and predictive analytics in medical systems, such as fraud prevention, disease prevalence forecasts, and risk assessment.
• Ability to link patient information across disparate databases or organizations.
• Ability to identify at-risk patients earlier to promote more timely interventions and improved outcomes.
• Ability to create insights around clinical risk to help enable opportunities to reach and aid patients for the purpose of improving their health.
• Use of data sequencing to help physicians identify the best specific course of action; drive new treatments for disease variations and emphasize clinical research and precision medicine.
Transitioning to Partnership
• Labs must develop key strategies to better serve the growing needs of health systems, provider groups and healthcare professionals while maintaining relevancy in a rapidly changing marketplace:
– optimize core lab operations
– diversify business model to include new products, services, and markets that align with strategic initiatives:
• innovative testing technologies
• expanded patient care access (longitudinal data)
• actionable analytics based upon laboratory data
• strategic partnerships to provide lab-based informatics to facilitate revenue retention in a value-based reimbursement environment
Expanded Access to Provider and Payor Groups
• Provide access to authorized users:
– Provider groups: Implement a physician portal that will allow access to the longitudinal laboratory results of patients and is agnostic of the system or provider that ordered the test.
– Health plan groups: Analyze and report data for care management, HEDIS reporting, population health and possibly other health care operations purposes of the plans, for patients with whom the plans have had a payment relationship.
• Provide information to include:
– Past and future laboratory results, including data generated from direct care (face-to-face interaction with patient) and reference lab functionality (interaction between labs only)
– Patient’s first name, last name, date of birth, and gender, and the last four digits of the patient’s Social Security number
– Demographic information, including such items as diagnosis code, zip code, declared primary care provider, or other items dependent upon project
– Expand reporting to health plans about recommended interventions needed by patients
• Future may include incorporating other providers’ data into current database
Expanded Access to Patients
• Patient portal
– Allow patients to access their laboratory results directly
– Develop an EMPI (Enterprise Master Patient Index) to ensure continuity of records for the same patient seen in different provider groups
Data Analytics: Setting a Stake in Value Based Healthcare
• Develop additional uses for data in the Portal:
– Include data analytics, quality improvement benchmarking, and research.
– Provide proactive review of longitudinal records to identify high-risk patients and develop a targeted intervention strategy in which the lab would work closely with the patient’s health care provider and possibly with the patient’s health plan.
• Expand the services to health plans to include de-identified population management.
Health Plan – Facilitated Intervention
• Health Plans are measured and partially reimbursed using HEDIS Effectiveness of Care and PQRS Medicare measures. About a dozen of the measures involve regular laboratory testing items including diabetes, prevention and screening for colorectal and cervical cancer, and others.
• Lab can both identify patients who have gaps in care and can assist payers (health plans) to close these gaps.
• Reduce provider burden. Easy ordering for provider for a subpopulation of patients.
• Increases completed tests. Improve number of tests completed for HEDIS measure.
• Decrease duplicate orders for the same test. Improve test utilization.
• Improve patient experience. Avoid multiple visits for same patient.
Review of State and Federal Laws
Review State and Federal Laws related to Privacy and Security, including but not limited to:
• 45 C.F.R. § 164 HIPAA
• 42 C.F.R. Part 2 (federal “Part 2 regulations” governing drug and alcohol treatment information)
• Genetic Information Nondiscrimination Act (“GINA”)
• Medicaid regulations
• Anti-Kickback Statute – specifically looking at financial relationships between TriCore and health plans affiliated with a federal health care program (such as a Medicare Advantage plan or Medicaid managed care plan)
• FTC: FTC requirements to “clearly and prominently” disclose to consumers, in a way that is “separate and apart” from any license agreement, privacy policy, terms of use page, or similar document, its practices regarding the collection, use, storage, disclosure, or sharing of health information before seeking authorization to collect consumers’ health information from a third party.
• N.M. Stat. § 24-14B-6, -8 (Health information exchange provisions of Electronic Medical Records Act)
• N.M. Stat. § 24-1-9.4, -9.5 (Sexually transmitted disease test information)
• N.M. Stat. § 24-1-9.1, -9.2 (Sexually transmitted disease information of persons convicted of or formally charged with certain criminal offenses)
• N.M. Stat. § 24-2B-6, -7 (HIV test information)
• N.M. Stat. § 24-2B-5.1, -5.2 (HIV information of persons convicted of or formally charged with certain criminal offenses)
• N.M. Stat. § 24-2B-5.3 (HIV information of source individuals)
• N.M. Stat. § 24-21-3 (Genetic information privacy)
• N.M. Admin. Code § 8.300.11.9-.11 (Medicaid recipient information)
• N.M. Stat. § 43-1-19 (Mental health and developmental disabilities services)
• N.M. Stat. § 43-2-11 (Detoxification Reform Act)
• N.M. Stat. § 32A-6A-24 (Behavioral health and developmental disability services for children)
We decided to exclude from our data:
• Results of testing that was performed for legal purposes rather than medical purposes, such as testing requested by law enforcement, the courts, or employers (such as by excluding all test results that include any chain-of-custody requests)
• Clinical trial laboratory testing results
HIPAA/Health Information Privacy
HIPAA Privacy Rule
• Establishes the permitted and required uses and disclosures of protected health information (PHI) by covered entities and their business associates:
– Covered entities and business associates can use or disclose PHI (without authorization by the individual) only if the use or disclosure is permitted (or required) under the Privacy Rule.
• Establishes certain rights of individuals with respect to their PHI, and the corresponding obligations of covered entities (and their business associates).
• Covered health care providers and health plans are required to
– Establish policies and procedures about the requirements of the Privacy Rule.
– Provide individuals with notices of their privacy practices.
– Train the members of their workforces on the Privacy Rule and their privacy policies and procedures.
– Impose sanctions on workforce members who violate the Privacy Rule or the privacy policies and procedures.
Other HIPAA Rules
• HIPAA Security Rule requires covered entities and business associates to implement certain administrative, physical, and technical safeguards to protect electronic PHI’s:
– Confidentiality, so that electronic PHI is not made available to or disclosed to unauthorized persons or processes.
– Integrity, so that electronic PHI is not altered or destroyed in an unauthorized manner.
– Availability, so that electronic PHI is accessible and useable upon demand by an authorized person.
• HIPAA Breach Notification Rule requires covered entities to provide notice to the affected individuals, to HHS/OCR, and in some instances to the media (and business associates to provide notice to covered entities), if there is an impermissible use, disclosure, access or acquisition of unsecured PHI that compromises the security or privacy of the PHI.
Privacy Rule and Use/Disclosure of PHI
• In order to determine whether a use or disclosure is permissible (without authorization), one has to consider:
– Is the information PHI?
– Who is using or disclosing the PHI?
– To whom is the PHI being disclosed?
– What is the purpose of the use/disclosure? Is there an applicable permission under the Privacy Rule for the use or disclosure? Are there special requirements that have to be met?
Privacy Rule: PHI
• What is “Protected Health Information” (PHI)?
– Information relating to:
• The physical or mental health of an individual;
• The provision of health care services to an individual; or
• Payment for health care services to an individual,
– Coupled with:
• Information that identifies the individual; or
• As to which there is a “reasonable basis to believe” that information could be used to identify the individual.
• PHI excludes individually identifiable health information in
– Educational records addressed by FERPA.
– Employment records.
– Records concerning persons deceased for more than 50 years.
Privacy Rule: Entities
• Covered Entities:
– Health Plans
– Health Care Clearinghouses
– Health Care Providers who transmit PHI electronically in connection with a transaction for which HHS has adopted a standard.
• Business Associates: Persons (Individuals or Entities) that perform certain functions or activities that involve the use or disclosure of PHI on behalf of, or provide certain services involving PHI to, covered entities.
– Business associate agreement with covered entity required.
– Business Associates include:
• Providers of Data Aggregation Services
• Health Information Organization, E-prescribing Gateway, Other Person that provides data transmission services with respect to PHI to a Covered Entity and that requires access to such PHI on a routine basis.
Privacy Rule: Entities
• Affiliated Covered Entities: Legally separate covered entities that are affiliated may designate themselves as a single covered entity for purposes of Privacy, Security and Breach Notification Rules:
– Designated covered entities have to be under common ownership or control.
• Common control exists if an entity has the power, directly or indirectly, to influence or direct the actions or policies of another entity.
• Common ownership exists if an entity or entities possess an ownership or equity interest of 5 percent or more in another entity.
– Designation has to be documented and maintained.
Privacy Rule: Entities
• Organized Health Care Arrangement (OHCA):
– A clinically integrated care setting in which individuals typically receive health care from more than one health care provider.
– An organized system of health care in which more than one covered entity participates and in which the participating covered entities:
• Hold themselves out to the public as participating in a joint arrangement; and
• Participate in joint activities that include at least one of the following:
– Utilization review, in which health care decisions by participating covered entities are reviewed by other participating covered entities or by a third party on their behalf;
– Quality assessment and improvement activities, in which treatment provided by participating covered entities is assessed by other participating covered entities or by a third party on their behalf; or
– Payment activities, if the financial risk for delivering health care is shared, in part or in whole, by participating covered entities through the joint arrangement and if protected health information created or received by a covered entity is reviewed by other participating covered entities or by a third party on their behalf for the purpose of administering the sharing of financial risk.
– Certain relationships between group health plans maintained by the same sponsor and/or between such group health plan(s) and a health insurance issuer or HMO with respect to such group health plan, but only with respect to PHI created or received by the issuer or HMO that relates to individuals who are or who have been participants or beneficiaries in such group health plan.
Privacy Rule: Uses and Disclosures
• Covered entities may only use and/or disclose PHI for covered functions and as permitted under the Privacy Rule.
• A covered entity that performs multiple covered functions must comply with the requirements applicable to the covered functions performed, and may use or disclose PHI of individuals who receive the entity’s health plan or provider services, but not both, only for purposes related to the function being performed.
• Under the Privacy Rule, covered entities can use or disclose PHI without individual authorization for treatment, payment, and health care operations.
– Treatment: “The provision, coordination, or management of health care … by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.”
– Payment: Activities undertaken by
• A health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan.
• A health care provider or plan to obtain or provide reimbursement for the provision of health care.
• And the activities relate to the individual to whom health care is provided.
Privacy Rule: Uses and Disclosures
• Health Care Operations: Any of the following activities of the covered entity to the extent that the activities are related to covered functions:
– Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; patient safety activities; population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives; and related functions that do not include treatment.
– Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider or health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities.
– Certain underwriting, enrollment, premium rating, and other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to claims for health care (including stop-loss insurance and excess of loss insurance).
– Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs.
– Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies.
– Business management and general administrative activities of the entity.
Privacy Rule: Uses and Disclosures
HEDIS Data:
MAY A HEALTH CARE PROVIDER DISCLOSE PROTECTED HEALTH INFORMATION TO A HEALTH PLAN FOR THE PLAN'S HEALTH PLAN EMPLOYER DATA AND INFORMATION SET (HEDIS)?
Answer:
Yes, the HIPAA Privacy Rule permits a provider to disclose protected health information to a health plan for the quality-related health care operations of the health plan, provided that the health plan has or had a relationship with the individual who is the subject of the information, and the protected health information requested pertains to the relationship. See 45 CFR 164.506(c)(4). Thus, a provider may disclose protected health information to a health plan for the plan's Health Plan Employer Data and Information Set (HEDIS) purposes, so long as the period for which information is needed overlaps with the period for which the individual is or was enrolled in the health plan.
HHS/OCR FAQ 265; see also 67 Fed. Reg. at 53217.
Privacy Rule: Uses and Disclosures
Specifically, a covered entity may:
• Use or disclose PHI for its own treatment, payment, or health care operations.
• Disclose PHI for treatment activities of a health care provider.
• Disclose PHI to another covered entity or a health care provider for the payment activities of the receiving entity.
• Disclose PHI to another covered entity for health care operations activities of the receiving entity, if each entity has/had a relationship with the individual, the PHI relates to such relationship, and the disclosure is
– For a purpose listed in the first two paragraphs of the definition of health care operations; or
– For the purpose of health care fraud and abuse detection or compliance.
• If it participates in an organized health care arrangement (OHCA), disclose PHI about an individual to other participants in the OHCA for any health care operations activities of the OHCA.
• Use and disclose PHI for research, subject to the conditions in 45 CFR 164.512(i) (IRB waiver of authorization).
HIPAA/Health Information Privacy
• Specific HIPAA limitations/requirements:
– Limitation on the use or disclosure of psychotherapy notes.
– GINA: Limitation on the ability of a health plan to use/disclose genetic information for underwriting purposes.
– HITECH Act: Prohibition on disclosure of PHI to health plan if individual so requests and pays for the health care service in full, out-of-pocket.
– Prohibition on Sale of PHI. Regulatory exceptions include:
• Authorization from individual.
• Public Health Purposes.
• Research Purposes, but remuneration is limited to reasonable cost-based fee to cover cost to prepare and transmit the PHI.
• Any other HIPAA-permitted purpose, but remuneration is limited to reasonable cost-based fees to cover cost to prepare and transmit the PHI, or a fee otherwise expressly permitted by other law.
– Uses and disclosures have to be consistent with Notice of Privacy Practices.
– Unemancipated minors who have the right to consent to treatment or confidential communications.
– Individual right to request restrictions/confidential communications.
• Federal Mental Health Regulations:
– Require federally assisted alcohol or drug abuse treatment programs to obtain patient’s written authorization for disclosure of information that would identify a patient as receiving such diagnosis, referral, or treatment.
– Prohibit a health care provider or other person that has/receives such information from disclosing/redisclosing without express patient authorization/consent.
– Limited exceptions for disclosure without consent: Medical Emergencies. Scientific Research. Audits and Evaluations. Child Abuse Reporting. Crimes on Premises or Against Personnel. Court Order. Communications with Qualified Service Organization.
– February 2016 NPRM proposed changes to facilitate information exchange within new health care models and to support delivery system reform efforts.
– Unified Agenda projects a November 2016 final rule, but final rule has not been submitted for OMB review.
HIPAA/Health Information Privacy
• Privacy Rule does not preempt State laws more protective of individual privacy, so consider State law requirements.
– Information derived from genetic testing tends to be privileged and confidential; releasable only to the individual and to persons specifically authorized.
– Diagnosis-specific laws protecting the confidentiality of
• HIV/AIDS.
• STDs.
• Mental health.
• Developmental disabilities.
• Substance abuse.
• Behavioral health and developmental disabilities of children.
– Medicaid Rules.
– EHR/Electronic exchange of health records.
• Generally permit disclosure only with a patient’s specific authorization, a specific court order, or in a medical emergency or when deemed necessary for treatment.
HIPAA Implications
• Covered entities need business associate agreements with vendors and health information exchanges.
• Care management: Treatment or health care operation?
• When asked to share data, entities need to be aware of limitations on/requirements for disclosing certain PHI.
– Need for consent/authorization for certain types of sensitive PHI.
– Agreed upon/required restrictions on use or disclosure of PHI.
• Health care provider disclosure of PHI to health plan:
– Can only disclose PHI of health plan members.
• Security Rule access management and access control implications if health plan has access to health care provider’s information systems.
– Can only disclose sensitive PHI with consent.
– Permissible purposes for disclosure:
• Payment.
• Limited health care operations of health plan: case management, care coordination, quality improvement, population health, etc.
– Minimum necessary rule applies.
• Covered entity may play different roles. The implications of those different roles must be recognized in the HIPAA analysis.
HIPAA Implications: Care Management
• Potential Information Flows and Issues:
– Provider to Provider: Disclosure for treatment purpose.
• Not subject to minimum necessary rule.
• May be able to disclose some sensitive PHI without consent if “necessary for treatment.”
• May be an issue with respect to some agreed upon restrictions on use or disclosure of PHI.
– Provider to Plan (including managed care organization): Disclosure for health plan’s health care operations.
• Limited to certain health care operations purposes.
• Limited to PHI concerning health plan’s members.
• Cannot disclose sensitive PHI without consent.
• Subject to minimum necessary rule.
– Plan to Provider: Disclosure for provider’s treatment purpose.
• May be able to disclose some sensitive PHI without consent if “necessary for treatment.”
• Not subject to minimum necessary rule.
– Disclosures within ACO/other entity functioning as OHCA: Disclosure for participating health care providers’ treatment or OHCA’s health care operations.
• Permitted disclosures for health care operations (even to participating health plan) are broader than permitted health care operations disclosures to health plans.
• Participating covered entities can perform services that benefit OHCA (and, thus, the OHCA participants) without business associate agreement.
• OHCA can hire/contract with care manager or third party vendor to provide services to multiple OHCA participants with one (rather than many) business associate agreements.
Federal Trade Commission
• FTC Act § 5 (“unfair or deceptive . . . acts and practices”):
– Causes or is likely to cause substantial injury to consumers which is
– Not reasonably avoidable by consumers themselves and
– Not outweighed by countervailing benefits to consumers or competition.
• Enforcement Against Inadequate Data Security Practices
– Practices that, when taken together, fail to provide reasonable and appropriate security for personal information on the business’s computer networks.
– Alleges that such lack of security harms consumers, including exposure to risk of identity theft, disclosure of sensitive information.
– Some 50 FTC enforcement actions alleging such claims, including LabMD.
• Consumer Notice of Uses and Disclosures of Health Information
– Requires entities to “clearly and unambiguously” disclose to consumers – in a way that is “separate and apart” from any license agreement, privacy policy, terms of use, or similar document – its practices regarding the collection, use, storage, disclosure, or sharing of health information before seeking authorization to collect health information from a third party.
– Recent HHS/FTC Guidance, “Sharing Consumer Health Information? Look to HIPAA and the FTC Act.”
Information Exchange (IE) Privacy Practices
• Provide notice of uses and disclosures in Portal Consumer Privacy Policy.
• A Portal Privacy Policy should include, for example:
– The types or categories of personally identifiable information (PII) collected by the site.
– The uses and retention period for each type or category of PII.
– Whether the site, or a third party, collects payment information for online purchases.
– The categories of third parties with whom the site may share PII, including analytics providers for the website, with links to third parties’ privacy policy statements, where available.
– The choices a user has regarding the collection, use, and sharing of user information, with instructions on how to exercise those choices.
– The process for a user to review and request corrections to his or her PII maintained by the site, if available.
– A means for users to contact the site developer with questions or concerns.
– The effective date of the privacy policy and the process for notifying users of material changes to the privacy policy.
• Best practices for a website privacy policy include enhancing the “readability” of the policy by using icons, table of contents and summaries of data collection practices.
IE Safeguards/Best Practices
• Authentication, Access Control, and Authorization:
– Verify against a unique identifier(s) (e.g., username or number) that a user seeking access to electronic health information is the one claimed.
– Establish the type of access to electronic health information a user is permitted based on the above unique identifier(s) and the actions the user is permitted to perform with the technology.
– Assign/require unique user IDs and strong passwords.
– Control of user IDs and other identifiers.
– Verify authenticity of recipients.
– Consider two-factor authentication.
– Restrict access to active users and active user accounts only.
– Restrict internal access to those who need the information to perform their job duties.
IE Safeguards/Best Practices
• Auditable Events and Tamper Resistance:
– Record, in accordance with certain sections of ASTM E2147-01:
• Actions related to electronic health information, with date and time recorded in a specified manner.
• The audit log status (enabled or disabled), unless it cannot be disabled by any user.
• The encryption status (enabled or disabled) of electronic health information locally stored on end-user devices by the technology, when such status is changed, with the date and time recorded in a specified manner, unless the technology prevents electronic health information from being locally stored on end-user devices.
– Settings must be set by default to perform such capacities, where applicable.
– When disabling any of the audit logs is permitted, the ability to do so must be restricted to a limited set of users.
– Audit actions and statuses recorded in accordance with the standard must not be capable of being changed, overwritten, or deleted by the technology.
– Detection of whether the audit log has been altered.
– Audit logs and reasonable monitoring for unauthorized access to/use of personal information.
IE Safeguards/Best Practices
• Audit Reports: Enable a user to create an audit report for a specific time period and to sort entries in the audit log according to each of the data specified in the above standards.
– Monitoring and review of audit log files.
• Automatic access time-out:
– Automatically stop user access to health information after a predetermined period of inactivity.
– Require user authentication in order to resume or regain the access that was stopped.
– Block access to user ID after multiple unsuccessful attempts to gain access.
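A worked model of the auditable-events and audit-report requirements above, added here as an example and not code from the presentation or from TriCore: an append-only log in which each entry carries the action, user, UTC timestamp, audit-log status and encryption status, chained with SHA-256 (a FIPS 140-2 Annex A approved function) so that any change, overwrite or deletion of a stored entry is detected, plus a report for a chosen time period sortable by field. The timestamp layout, field names and sample events are assumptions made for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

# Assumed recording format: ASTM E2147 asks for date and time "recorded in a
# specified manner"; a fixed ISO 8601 UTC layout also sorts lexicographically.
TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
GENESIS_HASH = "0" * 64  # value the first entry chains to


def chain_hash(prev_hash: str, entry: dict) -> str:
    """SHA-256 over the previous entry's hash plus a canonical JSON form of this entry."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


class AuditLog:
    """Append-only audit log with a SHA-256 hash chain over every entry.

    The class exposes no method to edit or delete an entry. The only way to
    change history is to tamper with the stored records directly, and verify()
    detects that because every later hash depends on the altered one.
    """

    def __init__(self):
        self._entries = []        # list of (entry dict, chained hash)
        self.log_enabled = True   # the status itself is recorded in each entry
        self.encryption_enabled = True

    def _append(self, entry: dict) -> str:
        prev = self._entries[-1][1] if self._entries else GENESIS_HASH
        digest = chain_hash(prev, entry)
        self._entries.append((entry, digest))
        return digest

    def record(self, user_id: str, action: str, patient_id: str, when: datetime) -> str:
        """Record an action on electronic health information; returns the entry hash."""
        entry = {
            "time": when.astimezone(timezone.utc).strftime(TIME_FORMAT),
            "user": user_id,
            "action": action,
            "patient": patient_id,
            "audit_log_enabled": self.log_enabled,
            "encryption_enabled": self.encryption_enabled,
        }
        return self._append(entry)

    def set_encryption_status(self, user_id: str, enabled: bool, when: datetime) -> str:
        """A change to local-storage encryption status is itself an auditable event."""
        self.encryption_enabled = enabled
        return self.record(user_id, "encryption_status_changed", "-", when)

    def verify(self):
        """Index of the first entry whose chain hash no longer matches, or None if intact."""
        prev = GENESIS_HASH
        for i, (entry, digest) in enumerate(self._entries):
            if chain_hash(prev, entry) != digest:
                return i
            prev = digest
        return None

    def head(self) -> str:
        """Latest chain hash. Copying it to a separate system lets you detect
        truncation of the whole tail, which a hash chain on its own cannot."""
        return self._entries[-1][1] if self._entries else GENESIS_HASH

    def report(self, start: datetime, end: datetime, sort_by: str = "time"):
        """Audit report: entries with start <= time < end, sorted by the chosen field."""
        lo = start.astimezone(timezone.utc).strftime(TIME_FORMAT)
        hi = end.astimezone(timezone.utc).strftime(TIME_FORMAT)
        rows = [e for e, _ in self._entries if lo <= e["time"] < hi]
        return sorted(rows, key=lambda e: e[sort_by])


def build_sample_log() -> AuditLog:
    """Constructed sample events; the users and patient IDs are made up."""
    log = AuditLog()
    t = datetime(2016, 10, 27, 9, 0, tzinfo=timezone.utc)
    log.record("dr_smith", "view_result", "P-1001", t)
    log.record("dr_smith", "view_result", "P-1002", t.replace(minute=5))
    log.set_encryption_status("admin", False, t.replace(minute=30))
    log.record("nurse_lee", "print_result", "P-1001", t.replace(hour=10))
    return log


def tamper_and_detect() -> int:
    """Alter a stored entry behind the API (simulating storage-level tampering)."""
    log = build_sample_log()
    log._entries[1][0]["patient"] = "P-9999"
    return log.verify()  # 1: the altered entry is the first to fail verification


if __name__ == "__main__":
    print("intact:", build_sample_log().verify())   # None
    print("first bad entry:", tamper_and_detect())   # 1
```

Deleting an entry is caught the same way, because the entry after the gap was hashed against a predecessor that is no longer there.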
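The automatic time-out and lockout bullets above, modelled as an added example (not code from the presentation or from TriCore): a SessionGuard that stops access after a fixed period of inactivity, requires a fresh authentication to resume, and blocks a user ID after repeated failed attempts. The policy values, the PBKDF2 credential store and the injectable clock are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Policy values are assumptions for the example; take them from your own policy.
INACTIVITY_LIMIT_SECONDS = 15 * 60
MAX_FAILED_ATTEMPTS = 5


def derive_key(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; the stored credential never holds the plain password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_credential(password: str):
    """Constructed credential record (salt, derived key) for the sample user store."""
    salt = secrets.token_bytes(16)
    return salt, derive_key(password, salt)


class FakeClock:
    """Injectable clock so inactivity can be simulated without waiting."""

    def __init__(self, start: float = 0.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class SessionGuard:
    """Every portal request passes through check_access(); idle sessions are stopped."""

    def __init__(self, credentials: dict, clock):
        self._credentials = credentials   # user_id -> (salt, derived key)
        self._clock = clock               # zero-argument callable returning seconds
        self._sessions = {}               # token -> [user_id, last activity time]
        self._failures = {}               # user_id -> consecutive failed attempts
        self._blocked = set()             # user IDs locked out pending review

    def is_blocked(self, user_id: str) -> bool:
        return user_id in self._blocked

    def authenticate(self, user_id: str, password: str):
        """Return a session token on success, None on failure or if the ID is blocked."""
        if user_id in self._blocked:
            return None
        record = self._credentials.get(user_id)
        # Constant-time compare; unknown users fail through the same path.
        ok = record is not None and hmac.compare_digest(
            derive_key(password, record[0]), record[1]
        )
        if not ok:
            count = self._failures.get(user_id, 0) + 1
            self._failures[user_id] = count
            if count >= MAX_FAILED_ATTEMPTS:
                self._blocked.add(user_id)   # block the user ID, not just one session
            return None
        self._failures.pop(user_id, None)
        token = secrets.token_urlsafe(32)
        self._sessions[token] = [user_id, self._clock()]
        return token

    def check_access(self, token: str):
        """Return the user ID if the session is live; otherwise stop access and return None."""
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self._clock()
        if now - session[1] > INACTIVITY_LIMIT_SECONDS:
            del self._sessions[token]   # access stopped; resuming needs authenticate()
            return None
        session[1] = now                # activity seen; the inactivity window restarts
        return session[0]
```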
IE Safeguards/Best Practices
• End-user device encryption: Technology used to locally store electronic health information on end-user devices must encrypt the information stored on such devices after use of the technology on those devices stops.
– Electronic health information that is stored must be encrypted in accordance with any encryption algorithm identified by NIST as an approved security function in Annex A of the Federal Information Processing Standards (FIPS) Publication 140-2, October 8, 2014.
– Must be set by default to this capability. Unless configuration cannot be disabled by any user, the ability to change the configuration must be restricted to a limited set of identified users.
– Must be designed to prevent electronic health information from being locally stored on end-user devices after use of the technology on those devices stops.
– Encryption of financial (and other sensitive) data.
IE Safeguards/Best Practices
• Trusted connection: Establish a trusted connection using one of the
following methods:
– Message-level: Encrypt and integrity protect message contents in accordance
with the standards identified above or by use of a hashing algorithm with a
security strength greater than or equal to SHA-1, as specified by NIST in FIPS
PUB 180-4 (March 2012).
– Transport-level: Use a trusted connection in accordance with the [encryption
or hashing] standards set forth above.
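The message-level option above requires that each message be integrity protected with a FIPS 180-4 hash at least as strong as SHA-1. The Python below is an added example, not code from the presenters or TriCore: it wraps a message in an envelope authenticated with HMAC-SHA-256 (above the SHA-1 floor), refuses hashes outside FIPS 180-4, and rejects replays by sequence number. The shared key, the message fields and the sample payload are assumed; confidentiality (the encryption half of the requirement) is not shown.

```python
"""Message-level integrity protection with HMAC over a FIPS 180-4 hash
(added example; key, envelope fields and sample message are assumed)."""
import hashlib
import hmac
import json

# FIPS 180-4 hash functions; anything outside this set (e.g. MD5) is refused.
FIPS_180_4_HASHES = {"sha1", "sha224", "sha256", "sha384", "sha512"}


def _canonical(obj: dict) -> bytes:
    # Deterministic serialisation so sender and receiver MAC identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def protect(payload: dict, key: bytes, seq: int, algo: str = "sha256") -> dict:
    """Wrap payload in an envelope whose MAC covers payload, sequence number and algorithm."""
    if algo not in FIPS_180_4_HASHES:
        raise ValueError(f"{algo} is not a FIPS 180-4 hash; refusing to use it")
    body = {"alg": algo, "seq": seq, "payload": payload}
    mac = hmac.new(key, _canonical(body), algo).hexdigest()
    return dict(body, mac=mac)


class Receiver:
    """Verifies envelopes and rejects any sequence number already accepted."""

    def __init__(self, key: bytes):
        self._key = key
        self._last_seq = -1

    def verify(self, envelope: dict) -> bool:
        algo = envelope.get("alg")
        seq = envelope.get("seq")
        if algo not in FIPS_180_4_HASHES or not isinstance(seq, int):
            return False                          # unknown/weak hash or malformed envelope
        body = {"alg": algo, "seq": seq, "payload": envelope.get("payload")}
        expected = hmac.new(self._key, _canonical(body), algo).hexdigest()
        if not hmac.compare_digest(expected, str(envelope.get("mac", ""))):
            return False                          # contents or MAC altered in transit
        if seq <= self._last_seq:
            return False                          # replayed or out-of-order message
        self._last_seq = seq
        return True
```

The algorithm name is inside the authenticated body, so a peer cannot downgrade the hash by editing the envelope; the sequence number is likewise covered, so a replayed message fails even if it was genuine the first time.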
IE Safeguards/Best Practices
• Encryption is a best practice for the protection of electronic/computerized data that
may contain sensitive information.
– HIPAA Security Rule addressable implementation specification.
• Encryption and Breach Notification
– Breach Notification Statutes and Regulations generally require notification of breaches
of computerized data.
– A number of States include health or medical information in their Breach Notification
Statutes.
– Such statutes and regulations generally apply to computerized data that is not
encrypted, or is encrypted and the encryption key has been accessed or acquired in the
breach.
• Safe harbor/exception for encrypted data.
– Acceptable Encryption standards: HIPAA/HITECH Act Guidance:
• Data at Rest: Encryption processes consistent with NIST Special Publication 800-111, Guide to
Storage Encryption Technologies for End User Devices.
• Data in Motion: Encryption processes that comply, as appropriate, with NIST Special
Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS)
Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs, or others which
are Federal Information Processing Standards (FIPS) 140-2 validated.
FRAUD AND ABUSE
Fraud and Abuse Laws
• Anti-Kickback Statute, Social Security Act § 1128B(b), 42 USC
§ 1370a-7b(b)
• Physician Self-Referral Statute (Stark), SSA § 1877, 42 USC §
1395nn
• Civil Money Penalty (CMP) Statutes, SSA § 1128A, 42 USC §
1370a-7a
• Exclusion Authority, SSA §§ 1128, 1128A
• False Claims Act, 31 USC § 3729 et seq.
• State law equivalents
Anti-Kickback Statute
• Makes it a felony for individuals or entities to knowingly and willfully offer,
pay, solicit, or receive remuneration in order to induce or reward referral
of business reimbursable under any federal health care program.
• Remuneration Covered:
– Direct or indirect, overt or covert, in cash or kind.
– Kickbacks, bribes, rebates, etc.
• Prohibited Conduct
– An intent-based statute (“knowingly and willfully”)
– Payment intended to induce or reward referrals of patients for services under federal or
state health care programs.
– Payment intended to induce or reward purchasing, leasing, or ordering of any goods,
services or items reimbursable by any federal health care program.
Anti-Kickback Statute
• Penalties:
– Imprisonment for up to 5 years.
– Fines of up to $25,000 per violation.
– Imposition of CMPs under CMP Statute.
– Exclusion from federal health care programs under Exclusion Authority.
– Liability under False Claims Act.
• Safe harbors include
– Beneficiary incentives offered by Medicare or Medicaid managed care plans.
– Risk sharing arrangements:
• Price reductions offered to eligible managed care organizations (MCOs), MA entities that receive capitation
payments, certain Medicaid MCOs, PACE, federally qualified HMOs.
• Arrangements between first-tier contractors and downstream contractors, or between successive tiers of
downstream contractors.
– Employment.
– Personal services and management contracts.
– Electronic Health Records (EHR) arrangements.
Stark Law
• Prohibits a physician from referring a Medicare patient to an entity (including a
hospital) with which the physician (or an immediate family member) has a financial
relationship for the furnishing of “designated health services” (DHS).
• Prohibits the entity receiving the referral from filing a claim or billing for services
arising out of the prohibited referral.
• A strict liability statute.
• Financial Relationship:
– Direct or indirect relationships.
– Ownership/investment interests.
– Compensation interests.
• Referral:
– For Medicare Part B, request for the item or service.
– For all other services, request or establishment of a plan of care by a physician that
includes the DHS.
Stark Law
• Penalties
– Denial of payment for services provided in violation of Stark Law and refund of payment for such services.
– CMP of up to $15,000 for each service that a person knows or should know was provided in violation and 3
times the amount of improper Medicare payment.
– CMP of up to $100,000 for each scheme to circumvent the Stark Law.
– Exclusion from federal health care programs under Exclusion Authority.
– Liability under False Claims Act.
– Denial of Medicaid FMAP for Medicaid services that would have been prohibited under Stark Law if Medicare
covered service to same extent as under Medicaid.
• Exceptions include
– Fair market value.
– Managed Care Risk Sharing Arrangements (withholds, bonuses, risk pools, etc.) between an MCO and a
physician for items or services for an MCO beneficiary.
– Written indirect compensation arrangements where physician’s compensation is at FMV for services and
items provided (not considering volume or value), does not violate the AKS, and the physician stands in the
shoes of the physician organization.
– Employment or personal services arrangements.
– In-office ancillary services.
– EHR arrangements.
CMPs
• Statute authorizes Secretary to impose penalties and assessments on persons who
defraud Medicare or Medicaid or engage in certain other wrongful conduct.
• To impose CMPs on any person who knowingly presents or causes to be
presented a claim that is improperly filed:
– For medical item or service that the person knows/should know was not provided as claimed.
– For a Medicare item or service that the person knows/should know is false or fraudulent.
– For a physician service that the person knows/should know was performed by an unlicensed
physician.
– For a medical or other item/service furnished during a period in which the person was excluded.
– For a pattern of claims for medical or other item/service that a person knows/should know are not
medically necessary.
• Beneficiary Inducement CMP prohibits person from offering or providing
remuneration to Medicare/Medicaid beneficiary that person knows/should know is
likely to influence beneficiary to order/receive covered item/service from a
particular provider, practitioner, or supplier.
CMPs
• Gainsharing CMP Provision prohibits hospitals (and CAHs) from knowingly making
a payment, directly or indirectly, to a physician as an inducement to reduce or limit
services provided to Medicare or Medicaid beneficiaries under the direct care of
the physician.
– Hospital or CAH making payment, and physician who knowingly accepts it, are subject to CMPs of up
to $2000 per beneficiary for whom payment is made.
– Application of provision with respect to HMOs and other risk-sharing entities (included as in OBRA
1986) has been repealed.
– Self-implementing law.
– OIG has recognized that gainsharing can be beneficial and has issued 16 advisory opinions approving
gainsharing arrangements.
– Congress has authorized Secretary to waive the provision (and Secretary has so waived it) for ACA §
3022 Medicare Shared Savings Program.
– In October 2014 NPRM, OIG again proposed regulatory text to implement provision, and has
solicited comment on defining “reduces or limits services.” No regulatory text proposed, but OIG
seeks to interpret phrase broadly enough to protect beneficiaries and federal health programs, but
narrowly enough to allow low risk programs that further the goal of delivering high quality health
care at a lower cost.
Exclusion Authorities
• Secretary has the authority to exclude persons from federal
health care programs and direct State agency to exclude
persons from any State health care programs.
• Mandatory and permissive exclusion authority.
• Death sentence for excluded provider.
False Claims Act
• A person who commits certain act(s) in connection with a claim for payment by
the federal government can be held liable to the US government.
• Prohibited acts include:
– Knowingly presenting or causing to be presented a false or fraudulent claim for payment or approval.
– Knowingly making, using, or causing to be made or used, a false record or statement material to a
false or fraudulent claim.
– Knowingly making, using, or causing to be made or used, a false record or statement material to an
obligation to pay or transmit money or property to the government, or knowingly concealing or
knowingly and improperly avoiding or decreasing an obligation to pay or transmit money or property
to the government.
• Penalty: $5,000 to $10,000 (adjusted for inflation) per claim, plus three times the
amount of damages sustained by the government.
• Private litigants can bring an FCA action on behalf of US (qui tam relators) and, if
successful, receive between 15% and 30% of the proceeds of the action.
Implications
• Shared savings/performance-based payments from
private/commercial plan do not necessarily implicate fraud and
abuse issues.
– However, consider potential fraud and abuse implications, e.g.,
• Whether funds are calculated or used in downstream payments in ways that influence
referrals of or ordering for Medicare/federal health care program patients.
• Whether private payer arrangements are sensitive to volume of business generated for
downstream providers/suppliers, which may have Stark implications.
– Can the commercial shared savings arrangements be structured to fit within
• Stark exception for risk-sharing arrangements, or other Stark exceptions?
• Anti-kickback Statute safe harbor, e.g., managed care safe harbor?
– Is a provider-sponsored/created commercial plan truly operating independently
of its provider sponsor/owner?
Implications
• Innovative Health Care Delivery/Payment Models for Care to Medicare or
Medicaid Patients – Bundled Payments, Shared Savings/Shared Discounts
– Stark: Arrangements can create financial relationship between hospital and physicians. Is there
an applicable Stark exception? Depending on structure and flow of funds, there may arguably
be no applicable exception.
– Anti-kickback Statute: Given the methodology for splitting bundled payments or sharing
savings or discounts, could regulators view payments to physicians as kickbacks?
– Gainsharing CMP: Does the design/methodology for provider incentives fit into the OIG’s
approach in advisory opinions? Does it meet the OIG considerations outlined in the NPRM
concerning a narrower interpretation of “reduce or limit services”?
– Beneficiary Inducement CMP: In seeking patient engagement, are incentives which qualify as
“remuneration” offered or provided to beneficiaries? Is there an applicable exception?
– Depending on design, it may be difficult to implement some innovative models outside a
demonstration project. Is there one that could be joined?
• Specific new safe harbors and exceptions may be needed to take full advantage of innovative models.
Antitrust Issues
Sherman Act § 1
• Prohibits “contracts, combinations and conspiracies” that unreasonably
restrain competition/trade.
Every contract, combination in the form of trust or otherwise, or conspiracy, in restraint
of trade or commerce among the several States or with foreign nations is declared to be
illegal.
• Agreements do not need to be in writing.
• Per se violations: Agreements on
– Price fixing.
– Market division (customers, territories, etc.).
– Limiting output or capacity.
– Bid rigging.
– “Concerted refusals to deal”: Group boycotts or refusals to deal with a customer or
supplier.
– Other competitively sensitive topics.
Sherman Act § 1
• Other agreements judged under the civil liability “rule of reason”:
– Is the practice likely to increase prices or otherwise reduce competition in the market?
– Does the practice promote or suppress market competition?
– Requires identification of the market and market share.
– A “totality of the circumstances” test, based on analysis of actual effects in defined
market.
– Intent and motive are relevant.
Sherman Act § 2
• Prohibits exclusionary or predatory conduct by an organization to
maintain monopoly power or conduct that creates a serious probability
that monopoly power will be achieved.
Every person who shall monopolize, or attempt to monopolize, or combine or conspire
with any other person or persons, to monopolize any part of the trade or commerce
among the several States or with foreign nations, shall be deemed guilty of a felony.
• Requires the possession of monopoly power in the relevant market and
the willful acquisition or maintenance of that power (as compared to
growth or development as a consequence of superior product(s), business
acumen, or historic accident).
• Courts tend to define “monopoly power” as the power to control prices
or exclude competition.
Sherman Act § 2
• As with the rule of reason, the definition of the affected market is
important.
• Requires line drawing between prohibited exclusionary or predatory
conduct and aggressive competition.
• Examples:
– Tying of one’s products/services.
– Acquisition of competitors.
– Use of monopoly power in one market to obtain power in another market.
– Exclusive contracts with suppliers or customers.
Sherman Act Penalties
• Criminal penalties:
– Fines of up to $100 million for corporations or $1 million for other persons.
– Imprisonment for up to 10 years.
• Civil penalties:
– Treble damages.
– Costs of suit, including attorneys’ fees.
– Interest.
– Injunctions.
Accountable Care Organizations
• DOJ and FTC guidelines concerning antitrust implications of ACOs:
– ACOs following CMS ACO eligibility criteria presumptively viewed as bona fide quality-enhancing
clinical integrations – judged under “rule of reason,” so not per se illegal.
– Presumptive “safety zone” (safe harbor):
• Overlapping primary service area shares, calculated based on a specific methodology, of 30% or less when
overlapping physician, inpatient, or outpatient services are combined.
• Participating hospitals or ambulatory surgery centers do not use the ACO as their exclusive contracting vehicle
(regardless of share).
• Dominant providers (with 50% share) are non-exclusive to the ACO.
• Outside the safe harbor: Reduce/minimize antitrust risk by taking steps not to
– Share excessive competitively sensitive information.
– Prevent payers from using selection devices that ensure inclusion of a variety of providers.
– Tie non-ACO services to ACO services.
– Engage in exclusive contracting and other exclusive arrangements/refusals to deal.
– Restrict payers’ ability to communicate quality/cost information to members.
Mitigation of Compliance Considerations
• Physician portal:
– Limit providers’ and health plans’ access to PHI in the Portal:
• For the purposes of treatment, payment and for “limited health care operations” (such as
case management by health plans and quality improvement)
• For patients with whom the provider or plan has or had a relationship, and only to
information that pertains to the entity’s relationship with the patient
– Organized health care arrangement (“OHCA”):
• Participant would be permitted to access data for treatment, payment and all of the
participant’s health care operations (not just the “limited health care operations”).
However, this may be difficult to operationalize on a participant-by-participant basis.
– Patient consent:
» Not required to disclose health information from the Portal, as long as that disclosure is permitted by
HIPAA (unless an individual has opted out of the Portal).
» The Portal must include functionality to allow requesting providers to attest that they are requesting
information for a permissible purpose.
– Participation agreement:
» Set forth basic data sharing rules in the agreement, with the ability to expand data use as defined with more
specificity in policy.
Mitigation of Compliance Considerations
• Patient Portal:
– Will not provide access to the patient portal to minors, except possibly to
emancipated minors.
– Should use extra caution when obtaining consent and take steps to make
consents for related services prominent and distinct from those associated
with the primary service.
– Patient consent not required before including individuals’ records in its
Portal.
– Must provide a mechanism to allow individuals to opt-out of including
their information in the Portal’s “record locator service” (the “RLS”), the
functionality to search for patient information.
• Health Plan:
– The Anti-Kickback Statute prohibits the knowing and willful solicitation or
receipt of any remuneration in return for federal health care program
business. The recipient of remuneration (data analytics) will be the plans.
Should evaluate risk of AKS in this arrangement.
Mitigation of Compliance Considerations
• Special considerations:
– To the extent access is permitted to the Portal for payment and health
care operations functions, lab should implement policies related to
compliance with the minimum necessary standard.
– Must have the ability to track access to information within the
exchange and to provide audit logs to individuals upon request.
– Must determine how lab will implement individual requests not to
disclose PHI to a health plan, where that PHI is solely related to a
health care item or service for which the individual has paid in full out-of-pocket.
– Segregate and withhold from the Portal any records received from
substance abuse programs.
Mitigation of Compliance Considerations
• Special considerations (cont'd):
– Exclude certain sensitive test results flagged in TriCore’s system based on the test
code ordered (such as HIV and hepatitis test results), as well as data relating to
clinical research (which must be blocked because TriCore is contractually
prohibited from disclosing it).
– Depending upon consent laws, lab may be able to implement a consent process
that requires the accessing provider to obtain consent from the patient before
accessing information in the Portal.
• NM law too restrictive; drafted change, introduced in 2014 legislative session, signed into law by
governor.
– Must implement restrictions in Portal policy, stating that health plans may not use
or disclose any genetic information they obtain through the Portal for underwriting
purposes.
– Not disclose for emergency treatment purposes information of patients who have
opted out of the RLS. However, if TriCore wants to disclose information in these
circumstances, we think it would be permissible to have a procedure outside of the
normal RLS procedure that would allow TriCore itself to search for patients’
records for emergency-treatment purposes.
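The portal controls spread across the four mitigation slides above (attestation of a permissible purpose, access only for patients with a relationship, the RLS opt-out, exclusion of sensitive test codes and of substance-abuse and clinical-research records, the self-pay restriction toward health plans, and the no-underwriting restriction on genetic information) fit naturally into one access-decision function. The Python below is an added illustration of those rules, not TriCore's portal code; the data model, the placeholder test codes and the sample patient are assumed.

```python
"""Portal access-policy evaluator for PHI in a physician/health-plan portal
(added example; data model, test codes and sample patient are assumed)."""
from dataclasses import dataclass, field

PERMITTED_PURPOSES = {"treatment", "payment", "limited_health_care_operations"}
SENSITIVE_TEST_CODES = {"HIV1AB", "HBSAG", "HCVAB"}          # assumed placeholder codes
WITHHELD_SOURCES = {"substance_abuse_program", "clinical_research"}
NO_UNDERWRITING = "no underwriting use of genetic information"


@dataclass
class Record:
    patient_id: str
    test_code: str
    source: str = "lab"
    genetic: bool = False


@dataclass
class Patient:
    id: str
    relationships: set = field(default_factory=set)        # requester ids with a relationship
    rls_opt_out: bool = False                              # opted out of the record locator service
    self_pay_restricted: set = field(default_factory=set)  # test codes paid in full out of pocket


@dataclass
class Request:
    requester: str
    requester_type: str       # "provider" or "health_plan"
    purpose: str
    attested: bool            # requester attested to a permissible purpose in the portal
    underwriting: bool = False


def evaluate(req: Request, patient: Patient, records: list) -> tuple:
    """Return (allowed_records, reason, use_restrictions); denials carry an empty list."""
    if not req.attested or req.purpose not in PERMITTED_PURPOSES:
        return [], "denied: no attestation of a permissible purpose", set()
    if req.requester_type == "health_plan" and req.underwriting:
        return [], "denied: portal data may not be used for underwriting", set()
    if patient.rls_opt_out:
        return [], "denied: patient opted out of the record locator service", set()
    if req.requester not in patient.relationships:
        return [], "denied: requester has no relationship with this patient", set()

    allowed, restrictions = [], set()
    for rec in records:
        if rec.patient_id != patient.id:
            continue                                  # minimum necessary: this patient only
        if rec.test_code in SENSITIVE_TEST_CODES or rec.source in WITHHELD_SOURCES:
            continue                                  # flagged results and withheld sources
        if req.requester_type == "health_plan":
            if rec.test_code in patient.self_pay_restricted:
                continue                              # individual's paid-in-full restriction
            if rec.genetic:
                restrictions.add(NO_UNDERWRITING)     # released, but with a policy restriction
        allowed.append(rec)
    return allowed, "permitted", restrictions
```

The checks run from cheapest to most data-dependent, and every denial names the rule that fired, which is what an audit reviewer or a patient exercising the "audit logs upon request" right will want to see alongside the access record.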
Questions?