SHE HIT Grab Bag 03.26.2015 - Melniklegal

Transcription

Suncoast Healthcare Executives
March 26, 2015
Tatiana Melnik, Melnik Legal PLLC
tatiana@melniklegal.com, 734-358-4201

Outline
o Why Are We Talking About Healthcare Information Technology?
o A Few Questions
  - Communication
  - Mobile Devices
  - EHR Vendors
  - Encryption
  - Data Breaches
  - Enforcement
  - Policies and Procedures
  - Social Media & Marketing
  - Insurance
o Open Floor

For information purposes only. Please consult with your legal counsel with any questions.
Tatiana Melnik, Melnik Legal PLLC, Tampa, FL, melniklegal.com, (734) 358-4201

Why Healthcare IT?
Healthcare Technology: EHR, PHR, BYOD, BYOC, LIS, Email, Internet of Things, eFax, Free Wi-Fi, Telehealth, Skype and FaceTime, Social Networks

Communication Issues
o Email
  - Is e-mail a secure form of communication?
  - What about forms that are e-mailed from websites? Are these secure?
  - Should medical practices use personal e-mail addresses for practice communications?
o eFax
  - Is eFax a secure form of communication?
o Skype and FaceTime
  - Can providers use Skype and FaceTime with patients and comply with HIPAA?
o Remote file sharing/storage systems
  - How safe/secure are programs like DropBox, Box.com, etc.?

This slide presentation is informational only and was prepared to provide a brief overview of some healthcare information technology issues. It does not constitute legal or professional advice. The healthcare regulatory environment is ever evolving. You are encouraged to consult with an attorney if you have specific questions relating to any of the topics covered in this presentation. Tatiana Melnik, Melnik Legal, PLLC, Tampa, FL

Communication Issues
o Email
  - Is e-mail a secure form of communication? Maybe.
    - If you're using "regular" e-mail: No.
    - If you're using "secure" e-mail: Maybe.
    - Is there a BAA in place with the e-mail provider? Maybe.
      - Microsoft will sign a BAA for its Office 365 solution
      - Google will sign a BAA for its Apps for Business solution
  - What about the forms that are e-mailed from websites? Are these secure?
    - Have you asked your webmaster?
    - What does the Privacy Policy on your website say about the forms?
    - Is there a check-the-box disclaimer prior to submission for each of the forms? A link to the privacy policy?

Communication Issues
o Email
  - Should medical practices use personal email addresses for practice communications? No.
    - How does the practice meet record keeping requirements?
    - Is there a BAA in place with the e-mail provider?
    - What happens when an employee leaves? Is there a contract in place addressing ownership? Cooperation in the event of litigation?
o eFax
  - Is eFax a secure form of communication? Maybe.
    - How is the fax delivered? If via "regular" e-mail: No. If via "secure" e-mail: Maybe.
    - Is there a BAA in place with the eFax provider?

Communication Issues
o Remote file sharing/storage systems
  - How safe/secure are programs like DropBox, Box.com, etc.?
    - What do their terms and conditions say?
    - Does the marketing match the contracts?
    - Who is operating the companies?
    - How do the companies make money (advertising vs. services)?
    - Have they been independently audited? Can you get a copy of those reports? Who were the auditors?

Communication Issues
o Skype and FaceTime
  - Can providers use Skype and FaceTime with patients and comply with HIPAA? No.
    - Are Microsoft and Apple Business Associates with respect to these applications?
    - HIPAA requires that providers enter into a Business Associate Agreement with each of their BAs.
    - Microsoft will not sign a BAA for Skype
    - Apple will not sign a BAA for FaceTime
    - Option: Cisco Webex – Cisco will sign a BAA for Webex

Mobile Device Issues
o Can doctors text with their patients? Yes, but:
  - Is texting secure?
  - Patient authorization? Disclaimers? Disclosures?
  - What are the protocols to ensure that information is getting into the medical record?
o Should all staff members sign a BYOD Agreement? Yes.
  - Erasing data upon termination, appropriate use, reporting in case of loss, etc.
  - Spoliation

EHR Vendor Issues
o Can my EHR vendor really sell my patients' information?
o Can my EHR vendor advertise to my patients?
o What's with all of these interface costs?
o My EHR vendor charged me for PQRS submission, but their tools didn't work and I submitted via Registry. Can I get my money back?

EHR Vendor Issues
o Can my EHR vendor really sell my patients' information? Yes, if you gave the vendor permission.
  - What does your agreement say?
  - What rights did you grant to the EHR vendor?
  - How long is the indemnification period vs. data breach risks?
  - Consider whether the arrangement now qualifies as a "sale" under HIPAA

EHR Vendor Issues
o Can my EHR vendor advertise to my patients? Yes, if you gave the vendor permission.
  - What does your agreement say?
  - Are you monitoring the ads?
  - Do you need to give your patients notice regarding the ads and provide disclaimers?
o What's with all of these interface costs? Everyone is angry, including Congress.
  - MU Stage 3 Proposed Rule (March 20)
  - CMS has proposed, for example, to include API functionality to permit data exchange – "From the provider perspective, using this option would mean the provider would not be required to separately purchase or implement a 'patient portal,' nor would they need to implement or purchase a separate mechanism to provide the secure download and transmit functions for their patients because the API would provide the patient the ability to download or transmit their health information to a third party." (CMS-3310-P, p. 92)

EHR Vendor Issues
o My EHR vendor charged me for PQRS submission, but their tools didn't work and I submitted via Registry. Can I get my money back? Maybe.
  - What does your agreement say?

Encryption Issues
o Do I need to encrypt ALL of my laptops?
o Can I just password protect the files?
o Can I just password protect a directory or a drive?
o Is there a specific form of encryption that should be used?

Encryption Issues
o Do I need to encrypt ALL of my laptops? No, but yes.
  - Encryption is an addressable standard under HIPAA. But "addressable" ≠ optional.
  - FIPA requires the use of "reasonable measures to protect and secure data in electronic form".
  - If encrypted, then out of the breach notification requirements.
o Can I just password protect the files? Yes, but.
  - Whether this is the best option depends on why you are using this option . . .
    - Is this the primary means to secure information stored on a laptop, desktop, server, etc.?
    - Or is the file being password protected because it needs to be shared?
  - Is there a password policy? How is it being enforced?

Encryption Issues
o Can I just password protect a directory or a drive? Yes, but.
  - Whether this is the best option depends on why you are using this option . . .
  - AvMed Health Plan - In 2009, unencrypted laptops stolen from office during a "break-in"
    - Class action filed in Florida; after several years of litigation, AvMed settled in October 2013 for $3M
    - In fact, AvMed implemented encryption – but encrypted a drive where employees were supposed to store PHI
o Is there a specific form of encryption that should be used? No. Yes.
  - Under HITECH, Congress required the HHS Secretary to issue guidance to render unsecured PHI unusable, unreadable, or indecipherable to unauthorized individuals
  - The Guidance looks to NIST
    - Data at rest - NIST Special Publication 800-111
    - Data in motion - NIST Special Publications 800-52 and 800-77
  - Bottom line: best to use technology that is FIPS 140-2 validated (not "compliant")
    - Includes: Microsoft BitLocker (included on Windows 8 machines for free), Symantec PGP (the Symantec Endpoint Encryption suite is used by the IRS)
    - TrueCrypt is not FIPS 140-2 validated and is no longer supported

Data Breach Issues
o Do I have to report every HIPAA Breach?
o Can an individual be held liable under the HIPAA Privacy and Security Rule?
o I keep hearing about the Office of Civil Rights, but are there others enforcing HIPAA?

Data Breach Issues
o Do I have to report every HIPAA Breach? Yes.
  - If the security incident is a "breach" as defined in HIPAA (or FIPA), then the question is merely when the report is due.
  - If breach impacts 500 or more individuals – report due to:
    - the HHS Secretary "without unreasonable delay and in no case later than 60 calendar days from discovery"
    - Florida AG "as expeditiously as practicable, but no later than 30 days after the determination of the breach or reason to believe a breach occurred"
  - If breach impacts less than 500 individuals – report due to the Secretary "within 60 days of the end of the calendar year in which the breach was discovered"
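The encryption slides above recommend full-disk encryption with a FIPS 140-2 validated tool such as BitLocker rather than password-protected files or directories. As an added example that is not part of the deck, this PowerShell check (run as administrator on a Windows 8 or later machine with the BitLocker module) reports whether each BitLocker volume is fully encrypted with protection turned on and whether Windows' FIPS algorithm policy is enabled; the "Compliant" column and its rule are this example's own assumption of what an "encrypt ALL laptops" policy means.

```powershell
# Added example (not from the presentation): inventory BitLocker status on this
# machine and flag volumes that would not satisfy an "encrypt ALL laptops" policy.
# Requires the BitLocker PowerShell module (Windows 8 / Server 2012 or later)
# and administrator rights.

# Windows FIPS algorithm policy: 1 = enabled. Absent key or 0 = disabled.
$fipsPolicy = Get-ItemProperty `
    -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' `
    -Name Enabled -ErrorAction SilentlyContinue
$fipsEnabled = ($null -ne $fipsPolicy) -and ($fipsPolicy.Enabled -eq 1)

$findings = foreach ($vol in Get-BitLockerVolume) {
    # Assumed policy rule: a volume counts as compliant only when encryption has
    # finished AND protection is on (a suspended volume exposes its key in clear).
    $compliant = ($vol.VolumeStatus -eq 'FullyEncrypted') -and
                 ($vol.ProtectionStatus -eq 'On')
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeType       = $vol.VolumeType        # OperatingSystem or Data
        VolumeStatus     = $vol.VolumeStatus      # FullyEncrypted, FullyDecrypted, EncryptionInProgress, ...
        ProtectionStatus = $vol.ProtectionStatus  # On / Off
        EncryptionMethod = $vol.EncryptionMethod  # e.g. XtsAes256; None on unencrypted volumes
        KeyProtectors    = ($vol.KeyProtector.KeyProtectorType -join ',')  # e.g. Tpm,RecoveryPassword
        Compliant        = $compliant
    }
}

$findings | Format-Table -AutoSize
"FIPS algorithm policy enabled: $fipsEnabled"

$nonCompliant = @($findings | Where-Object { -not $_.Compliant })
if ($nonCompliant.Count -gt 0) {
    Write-Warning ("{0} volume(s) are not fully encrypted with protection on: {1}" -f
        $nonCompliant.Count, ($nonCompliant.MountPoint -join ', '))
}
```

The KeyProtectors column is worth reading alongside the status: a volume whose only protector is a recovery password, or an OS volume without a TPM protector, is encrypted but may not match the practice's written policy.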

Data Breach Issues
o Can an individual be held liable under the HIPAA Privacy and Security Rule? Yes.
  - There are criminal and civil penalties
    - Criminal penalties – fine of $250,000 and 10 years in federal prison
    - Civil – fine of $1.5M
  - Doesn't happen often; most likely to be indicted for other federal offenses (e.g., some form of fraud – mail fraud, Medicare fraud, etc.)
  - But, a Texas grand jury indicted a former employee of a covered entity for HIPAA violations in July 2014
o I keep hearing about the Office of Civil Rights, but are there others enforcing HIPAA? Yes.

Data Breach Issues
o Who are the enforcers?
  - Class Actions
  - HHS Office of Civil Rights
  - Federal Trade Commission
  - State Boards
  - Insurance Regulators

Data Breach Issues
o Who are the enforcers? (continued)
  - Federal Trade Commission: false advertising; unreasonable delay in notification / remedying breach
  - Individual Claims: negligence, breach of warranty, intentional infliction of emotional distress, invasion of privacy
    - HIPAA becoming the standard of care in some states
  - State Boards
  - Insurance Regulators

Policies and Procedures
o Aren't all of these HIPAA policies and procedures just "forms"? Can I just pick a set off of the Internet? No and no.
  - Policies and procedures are not aspirational; they should reflect what your practice actually does
  - The HIPAA regulations have specific requirements
  - OCR audits:

Social Media & Marketing
o A patient complained about my practice on Yelp. Should I respond?
o A patient complained about my practice on Yelp. Can I have it removed?
o I got a cease and desist trademark infringement letter from "XYZ Practice," but the name of my practice is "XYZ Practice and More." Do I have to change the name of my practice?

Social Media & Marketing
o A patient complained about my practice on Yelp. Should I respond? Probably not.
  - Disclosing the fact that someone is a patient is problematic under HIPAA
o A patient complained about my practice on Yelp. Can I have it removed? Maybe.
  - Is it defamatory? (slander: spoken; libel: written)
    - False statements that damage someone's reputation
    - Florida recognizes defamation per se – something so bad that the mere fact that it was spoken/written is sufficient to show damages (e.g., damaged someone's business reputation, claim/disclose STD status, claim someone committed a crime, etc.)
  - Is it true? Truth is a defense.
  - Requires an individualized assessment because it turns on what was actually said

Social Media & Marketing
o A patient complained about my practice on Yelp. Should I respond? Probably not.
  - Disclosing the fact that someone is a patient is problematic under HIPAA
  - Abigail E. Hinchy v. Walgreen Co. et al. (Indiana Superior Ct., 2013; affirmed by Appellate Ct., 2014)
    - Pharmacist improperly accessed medical records of one patient
    - Patient reported the incident to Walgreens and Walgreens did not disable the pharmacist's access
    - Jury awarded $1.8 million, with $1.4M of that to be paid by Walgreens
o A patient complained about my practice on Yelp. Can I have it removed? Maybe.
  - Is it defamatory? (slander: spoken; libel: written)
    - False statements that damage someone's reputation
    - Florida recognizes defamation per se – something so bad that the mere fact that it was spoken/written is sufficient to show damages (e.g., damaged someone's business reputation, claim/disclose STD status, claim someone committed a crime, etc.)
  - Is it true? Truth is a defense.
  - Requires an individualized assessment because it turns on what was actually said

Social Media & Marketing
o I got a cease and desist trademark infringement letter from "XYZ Practice," but the name of my practice is "XYZ Practice and More." Do I have to change the name of my practice? Maybe.
  - It depends on a number of factors including how common XYZ is for the specific services, whether you were the first to use the name, etc.
  - Should obtain trademark clearance prior to adopting a mark
    - If you have media coverage, your insurance policy will likely require this for coverage

Insurance
o What should I look for in a data breach insurance policy?
  - Many options – work with an experienced broker and obtain legal review
  - Are government fines covered? Are there limitations (e.g., actual fine vs. cost to investigate)?
  - Are business associates covered? Only covered if you have "written agreements" in place?
  - Rogue employee coverage?
  - Are there encryption requirements for laptops?
  - Identity theft coverage? Include call centers and credit monitoring?
  - Coverage for forensics? Sub-limits?
  - Coverage for crisis management? Sub-limits?

Disclaimer
This slide presentation is informational only and was prepared to provide a brief overview of hot topics in healthcare. It does not constitute legal or professional advice. You are encouraged to consult with an attorney if you have specific questions relating to any of the topics covered in this presentation, and Melnik Legal PLLC would be pleased to assist you on these matters.

And a Few More Questions

Any Questions?
Tatiana Melnik, Melnik Legal, Tampa, FL
734.358.4201
tatiana@melniklegal.com
Haben Sie Fragen? (German)
Yu' vay'? (Klingon)
質問? (Japanese)
