Health Information Technology

On July 7, 2016, the Centers for Medicare and Medicaid Services (“CMS”) imposed several administrative penalties on Theranos, a clinical laboratory company that proposed to revolutionize the clinical laboratory business by performing multiple blood tests using a few drops of blood drawn from a finger rather than a traditional blood draw that relies on needles and tubes. However, after inspecting the laboratory, CMS concluded that the company had failed to comply with the federal law and regulations governing clinical laboratories and that it posed immediate jeopardy to patient health and safety. CMS has revoked the CLIA certification of the company’s California lab, imposed a civil monetary penalty of $10,000 per day until all deficiencies are corrected, barred Medicare or Medicaid reimbursement for its services, and excluded its founder and CEO from owning or operating a clinical laboratory for two years.

Although Theranos’s history has received an outsize amount of media attention, its experience with regulatory agencies highlights several important issues for start-up and emerging health care entities:

What Do Regulators Want?

It is no surprise that health care is one of the most highly regulated sectors of the U.S. economy, and that noncompliance with health care laws and regulations can result in penalties that can cripple an organization or force it to shut down. As a result, even in an environment that encourages innovation, health care organizations must understand the scope of regulatory oversight at the federal and state levels, and the range of remedies available to regulators for noncompliance. Every organization should also have a protocol in place for responding to regulatory inquiries or inspections.

What Do Health Care Providers and Payors Want?

Adopting a new health care technology is an intensely data-driven process. This is especially the case with clinical laboratories, which are subject to rigorous requirements for proficiency, quality assurance, and training. This burden is greater for laboratory-developed tests, commonly known as “home brew” tests, because they are currently exempt from FDA oversight.

In most cases, the innovator sponsors clinical studies subject to peer review and publication to demonstrate the efficacy of the new technology. These trials can also generate the clinical and cost data needed to convince practitioners that the test has reliable diagnostic or clinical value, and to persuade payors that the test is medically necessary.

However, Theranos declined requests to sponsor studies or disclose data. This was a red flag for many clinicians. In the interim, a group of independent investigators published a study based on a small sample of patients and found that Theranos’s results were more variable than the results obtained from the same blood samples sent to laboratories using standard equipment. These variations were significant enough that they had the potential to affect clinical decision-making and jeopardize patients.

Who Is Investing in the Venture?

For start-up companies, committed investors are indispensable. Although early-stage investors are accustomed to risk, they also depend on reliable data to gauge whether health care professionals will adopt a new technology, and whether health plans will cover and pay for that technology. In Theranos’s case, several investors with experience in health care start-ups did not invest in the company because it did not release data on its proprietary technology and did not conduct or sponsor well-controlled clinical trials.

Who’s on Board?

The critical role of health care regulations demands that a company’s management and board be familiar with the key challenges and potential barriers to entry under the applicable regulatory framework. Nevertheless, at the time of the CMS survey, Theranos’s board reportedly lacked individuals with specific experience in health care operations or clinical laboratories; instead, it included two former Secretaries of State (one of whom had also been the dean of a business school), two former U.S. senators, the CEO of a bank, and retired military officers. While it is unclear how much the board knew of potential regulatory risks, the fact that CMS determined that the company had not made a “credible allegation of compliance” in response to any of the deficiencies in the initial survey report indicates that CMS did not believe that the company’s management and directors appreciated the regulatory requirements or knew how to avoid or minimize these significant risks.

On May 17, 2016, FDA issued Draft Guidance for Industry on Use of Electronic Health Record Data in Clinical Investigations (“Draft Guidance”). This Draft Guidance builds on prior FDA guidance on Computerized Systems Used in Clinical Investigations and Electronic Source Data in Clinical Investigations, and informs clinical investigators, research institutions and sponsors of clinical research on drugs, biologics, medical devices and combination products conducted under an Investigational New Drug Application or Investigational Device Exemption of FDA’s expectations for the use of Electronic Health Record (“EHR”) data.

While the recommendations set forth in the Draft Guidance do not represent a significant departure from existing guidance, research sponsors, institutions and investigators should consider the extent to which their existing policies and procedures, template agreements, protocols and informed consent documents should be updated to incorporate FDA’s recommendations.

Specifically, the Draft Guidance provides additional detail on FDA’s expectations for the due diligence to be performed by sponsors before determining the adequacy of any EHR system used by a clinical investigator to capture source data for use in a clinical investigation. FDA expects sponsors to assess whether systems have adequate controls in place to ensure the confidentiality, integrity, and reliability of the data. FDA encourages the use of EHR systems certified through the ONC Health IT Certification Program, and will presume that source data collected in Health IT certified EHR systems is reliable and that the technical and software components of the privacy and security protection requirements have been met. Sponsors should consider requesting additional detail in site pre-qualification questionnaires or pre-study visits regarding any EHR system used by clinical investigators to record source data, including whether such systems are Health IT certified. Sponsors may also consider the extent to which their existing site qualification policies and clinical trial agreement templates adequately reflect the technical requirements for sites using EHR systems to record source data, the need to ensure that any updates to those systems do not impact the reliability or the security of the data, and the extent to which the data, including all required audit trails, are backed up and retained by the site to ensure necessary access by FDA.

The Draft Guidance also includes recommendations regarding the information FDA expects to be included in study protocols and informed consent documents. When the use of EHR systems is contemplated, FDA recommends that study protocols include a description or diagram of the electronic data flow between the EHR and the sponsor’s electronic data capture (“EDC”) system, along with information regarding the manner in which the data are extracted and imported from the EHR and monitored for consistency and completeness. FDA also recommends that informed consent forms describe the extent of access to EHRs granted to sponsors, contract research organizations, and study monitors, as well as any reasonably foreseeable risks of the use of EHRs, such as an increased risk of data breaches. While information related to third-party access to health information is typically addressed in informed consent documents, specific details related to access to EHRs and their associated risks are less common. Sponsors and research institutions should consider the extent to which their template informed consent documents should be updated to incorporate the best practice recommendations in the Draft Guidance.

In addition, in the Draft Guidance, FDA encourages the development and use of interoperable EDC and EHR systems to permit electronic transfer of EHR data into the electronic case report forms (eCRFs) used for a clinical trial, including the adoption of the data standards and standardization requirements of the ONC Health Information Technology (Health IT) Certification Program. While interoperability of EHR and EDC systems offers the promise of increasing the efficiency of clinical trial data collection and reducing the transcription errors that commonly result from maintaining this information in separate repositories, FDA acknowledges challenges related to the diverse ownership of the data and of the EHR systems used to capture them, and to the confidentiality of clinical trial information, which will need to be overcome in order to realize the benefits offered by interoperability.

At the International Association of Privacy Professionals (“IAPP”) Global Privacy Summit in Washington, D.C. on March 5th and March 6th, the Federal Trade Commission (“FTC”) was clear in its message that privacy is a top priority for the agency. The FTC had a strong presence at the conference. Three of the five Commissioners and the Director of the Bureau of Consumer Protection (Jessica Rich) spoke at the conference and relayed a message of the importance of consumer privacy and security. In that regard, the FTC speakers stressed the importance of:

  • informing consumers of the collection of consumer information;
  • informing consumers how such collected information will be used; and
  • providing strong safeguards for information collected.

The FTC speakers also announced that the FTC will begin a new security campaign to engage businesses of all sizes in understanding the importance of securing consumer information. The FTC speakers also emphasized the FTC’s concern with, and focus on, the collection of health information by organizations that are not covered under HIPAA (for example, organizations developing wearable devices or other consumer-driven apps). Given the tenor of the discussions, there is no question that the FTC will continue to make privacy enforcement a top priority. As a result, device manufacturers, pharmaceutical manufacturers, and mobile health developers should remember to think beyond HIPAA when they think of U.S. privacy compliance. For a listing of prior privacy enforcement actions by the FTC, see https://www.ftc.gov/news-events/media-resources/protecting-consumer-privacy/enforcing-privacy-promises.

Tuesday, March 24, 2015 at 12:00 p.m. – 1:00 p.m. EDT

The past year has demonstrated that no organization is immune to security incidents that could affect its employees, customers, and reputation.  Understanding the complex legal framework governing data privacy and developing a plan to mitigate risk can be the difference between an incident and a disaster.

Join Epstein Becker Green’s Privacy & Security Practice for a comprehensive overview of data breach priorities impacting organizations that deal in electronic data.  Presenters will identify strategies to prepare for and prevent security incidents as well as summarize key takeaways from the biggest breaches of 2014.

Attendees will also learn about:

  • Complying with the evolving legal landscape
  • Minimizing data breach exposure
  • Developing an incident response plan and effectively responding to an incident
  • Setting organizational priorities, and getting buy-in

Speakers:

Adam C. Solander, Member of the Firm

Patricia M. Wagner, Member of the Firm

Who Should Attend:

Compliance Professionals, In-House Counsel, Board Members, and Information Security Professionals

To register for this webinar, please click here.

Epstein Becker Green’s recent issue of its Take 5 newsletter focuses on the 25th Anniversary of the ADA and recent developments and future trends under Title III of the ADA.

  1. Website Accessibility
  2. Accessible Point-of-Sale Devices and Other Touchscreen Technology
  3. Movie Theater Captioning & Audio (Narrative) Description
  4. The Availability of Sign Language Interpreters at Health Care Facilities
  5. “Drive By” Design/Construction Lawsuits

Read the full newsletter here.

Our colleague Mollie K. O’Brien at Epstein Becker Green wrote an advisory on a new law that will increase the protection of personal information beyond what HIPAA requires by mandating encryption of all computerized data collected by health insurance carriers: “Beyond HIPAA: New Jersey Law Requires Encryption of Personal Data by Health Insurance Carriers.” Following is an excerpt:

In response to data breaches that have occurred across the United States, several of which involved the theft of laptop computers, beginning August 1, 2015, health insurance carriers in New Jersey will be obligated to do more to protect patient information than simply comply with the federal Health Insurance Portability and Accountability Act (“HIPAA”). A new law, signed by Governor Chris Christie on January 9, 2015, specifically requires health insurance carriers to encrypt electronically gathered and stored personal information.

The key terms in the law are defined as follows:

  • “Health insurance carriers” means “an insurance company, health service corporation, hospital service corporation, medical service corporation, or health maintenance organization authorized to issue health benefits plans in this State.”
  • “Personal information” means “an individual’s first name or first initial and last name linked with any one or more of the following data elements: (1) Social Security number; (2) driver’s license number or State identification card number; (3) address; or (4) identifiable health information.”

Read the full advisory here.

By Evan J. Nagler

The State of the Union Address, scheduled for January 20, 2015, will contain new initiatives related to privacy, White House officials say. The known initiatives are the introduction of a data breach reporting bill, a bill restricting the sale of student information, and a Consumer Privacy Bill of Rights.

SETTING A NATIONAL DATA BREACH REPORTING STANDARD

President Obama is planning on introducing a data breach bill that would standardize the reporting period nationwide at 30 days. The proposed Personal Data Notification and Protection Act would require direct customer notification. The law would also criminalize selling consumer identities overseas.

Presently, most states have their own consumer data protection laws requiring customer notification in the event of a breach. The new bill may preempt stricter state laws such as California’s 5-day window for reporting.

RESTRICTING THE USE OF STUDENT DATA

The White House will also propose the Student Digital Privacy Act, based on a California law passed last September. The main purpose of the bill is to restrict the sale of student data for use unrelated to education as well as restricting targeted advertising based on school-collected data. The bill seeks to restrict commercial uses while at the same time ensuring that outcome-based studies are allowed to continue.

ENACTING THE CONSUMER PRIVACY BILL OF RIGHTS

In 2012, the White House revealed plans for a Consumer Privacy Bill of Rights. This white paper laid out a set of seven guiding principles for consumer privacy (see Appendix A of the linked PDF). After receiving and incorporating suggestions during the last three years, the President will reportedly ask Congress to enact a revised Consumer Privacy Bill of Rights into law. The bill would ensure more control over personal data for individuals, more closely in line with the rules in place in the European Union.

STAY TUNED FOR UPDATES

As more information is released regarding the President’s privacy and security plans, we will cover it here, so check back in the coming days.


Our colleagues Adam Solander and Ali Lakhani provide an update on the HIPAA Conference held last week in Washington, DC.

On September 23 and 24, 2014, the National Institute of Standards and Technology (“NIST”) and the Department of Health and Human Services Office for Civil Rights (“HHS OCR”) hosted their annual HIPAA conference, “Safeguarding Health Information: Building Assurance through HIPAA Security.”

OCR officials and key industry leaders engaged in dialogue regarding developments and trends in data breach incidents with respect to health information as well as stakeholder responses and best practices to mitigate risk and respond to potential incidents.

For the full post, please visit the TechHealth Perspectives blog.

By Adam Solander, Ali Lakhani and Wenxi Li

The increasing prevalence of mobile technology in the healthcare sector continues to create compliance concerns for physician practices and other health care entities. While the Office for Civil Rights (OCR) of the Department of Health and Human Services has traditionally focused on technology breaches within larger health systems, smaller physician practices and health care entities must also ensure that their policies and practices related to mobile technology do not foster non-compliance and create institutional risk.

Physicians Integrate Mobile Technology Into Daily Practice

The Physicians Practice’s 2014 Technology Survey found that only 31 percent of more than 1,400 survey respondents reported implementing policies and rules to address bring your own device (“BYOD”) practices.  With more than 80 percent of doctors using mobile devices at work and integrating their personal devices into their professional practice, these devices could potentially represent a significant privacy and security risk.

Traditional Safeguards Undermined By “Anywhere” Access

The HIPAA Security Rule applies whenever protected health information (PHI) is accessed or communicated through a mobile device, such as texting a patient’s name and phone number for follow-up calls. In the annual OCR report to Congress on breaches of unsecured PHI for calendar years 2011 and 2012, OCR reported that loss or theft of information from mobile devices was among the top three sources of breached PHI, accounting for 117 of the 222 breaches reported in 2012. Additionally, the Physicians Practice’s 2014 Technology Survey indicated that only 61 percent of the respondents reported securely backing up data on a second server or by another method, thereby failing to comply with the HIPAA Security Rule, which requires covered entities to create and maintain retrievable copies of electronic protected health information (ePHI).

OCR Enforcement Areas, Especially Among Small Breaches, Continue to Grow

OCR officials routinely remind covered entities and business associates to understand their obligations with respect to mobile device security – obligations that become more complex to satisfy as the use of mobile technology in the workplace proliferates. Simultaneously, OCR continues to increase enforcement against data breaches by entities subject to the HIPAA Security Rule. Significantly, this enforcement expansion has included smaller entities and breaches affecting fewer than 500 individuals. OCR expects HIPAA Security Rule enforcement to continue this trend and increase going forward in 2014.

Be Prepared

Physician practices and health care entities should conduct a thorough risk assessment that addresses the use of mobile devices and the storage of mobile device data in their environment. Additionally, policies and procedures should be developed to manage the risk associated with mobile devices down to a level the business can tolerate. Risk management plans and security evaluations should be updated and conducted periodically. Physician practices and health care entities must also remember that their business associates must comply with the HIPAA Security Rule as well; thus, some diligence on the use of mobile devices in their business associates’ environments is advisable. In practice, over 20 percent of HIPAA data breaches have been traced to noncompliant business associates. While the risk may be significant, with proper staff training to identify and address questionable HIPAA behaviors, physician practices and health care entities can minimize the risk of OCR enforcement and the large settlement costs associated with mobile devices.

By Patricia Wagner, Ali Lakhani and Jonathan Hoerner

On May 20, 2014, the Secretary of the Department of Health and Human Services (HHS) submitted the agency’s Annual Report to Congress on Breaches of Unsecured Protected Health Information for Calendar Years 2011 and 2012 (“Breach Report”). This report provides valuable insight for healthcare entities regarding their data security and enforcement priorities.

Section 13402(i) of the Health Information Technology for Economic and Clinical Health Act (HITECH) requires the Secretary of Health and Human Services to prepare an annual report on the number and nature of breaches reported to HHS, as well as the actions taken in response to those breaches.

By way of background, HITECH requires that both covered entities and business associates (as defined under HIPAA) provide notifications after a breach of unsecured protected health information (PHI). These required notifications go to the affected individuals, to HHS, and, where the breach involves more than 500 residents of a state or jurisdiction, to media outlets. However, HHS has issued guidance explaining that encryption and destruction make PHI “unusable, unreadable, or indecipherable to unauthorized persons” and, thus, loss of such secured PHI does not trigger the breach notification requirements.

Report Findings

Healthcare providers accounted for the majority of breaches affecting 500 or more individuals in both 2011 and 2012, while business associates and health plans accounted for the remainder, as illustrated below.

Breaching Entity        2011    2012    Change
Providers                63%     68%      5%
Business Associates      27%     25%     (2%)
Health Plans             10%      7%     (3%)
Total                   100%    100%

Theft of PHI was the leading cause of breaches in both 2011 and 2012, followed by loss of PHI and unauthorized access/disclosures. In 2011, theft accounted for 24% of the total number of individuals affected by a breach, and loss accounted for 54% of individuals affected. This high rate of individuals affected by loss was the result of a single breach incident involving a business associate and the loss of back-up tapes containing information on 4.9 million individuals. In 2012, the causes of breach returned to expected rates, with 36% of individuals affected due to theft and 13% due to loss. The tables below outline the frequency of breach causes in 2011 and 2012 as well as the sources of the breached information in each year.

Causes of Data Breach   2011    2012
Theft                    50%     52%
Loss of PHI              17%     12%
Unauthorized Access      19%     18%
Hacking/IT incident       8%     27%

Sources of Breach             2011    2012    Change
Laptop                         20%     27%      7%
Paper                          27%     23%     (4%)
Server                          9%     13%      4%
Desktop Computer               14%     12%     (2%)
Other Portable Device          13%      9%     (4%)
Email                           1%      4%      3%
Electronic Medical Records      2%      2%      0
Other                          14%     10%     (4%)

Audit Information

HITECH authorizes and requires HHS to conduct periodic audits of covered entities and business associates to ensure compliance with HIPAA rules. Unlike compliance reviews (which occur after a major breach) or compliance investigations, these audits are not triggered by an adverse event or incident.  Instead, they are “based on application of a set selection criteria.”

The Office for Civil Rights (OCR), the office within HHS responsible for administering the Breach Notification Rules, implemented a pilot program of the audit process to assess privacy and security compliance, as described in the Breach Report. The audit revealed that 31 of the 101 audited entities had at least one negative audit finding related to the Breach Notification Rule. Specifically, the audit examined the following four areas: (1) notification to individuals, (2) timeliness of notification, (3) methods of individual notification, and (4) burden of proof. All four areas had a similar number of deficiencies noted.

Implications and Recommendations for Healthcare Entities

Breaches involving 500 or more individuals accounted for less than 1% of reports filed with HHS, yet represent almost 98% of the individuals affected by a PHI breach.  It is likely that OCR will continue investing significant resources into large scale PHI breaches due to the extensive impact of these breaches. Additionally, theft remains one of the top causes of PHI breaches and covered entities and business associates must take appropriate measures to ensure that any PHI stored or transported on portable electronic devices is properly safeguarded.  Chronic vulnerabilities include:

Encryption: Even if a device is stolen or misplaced, the Breach Notification Rule will not apply if the data is properly encrypted. Thus, it is imperative that covered entities and business associates encrypt portable electronic devices (such as laptops) and all CDs or USB thumb drives.

Access Control: Healthcare entities must pay close attention to the physical access to and proper disposal of devices that contain PHI.  Server rooms should be locked with limited access, and the physical access to buildings, floors, and offices should be secured to prevent theft of desktop computers containing PHI.

Disposal: Electronic devices need to be purged and the data securely erased (also known as “scrubbed”) prior to the device being discarded, recycled, sold, or transferred to a third party, such as a leasing company.  Such devices include computers, external storage media, and photocopiers.

Lastly, as explained in the Breach Report discussion of OCR’s audit pilot program, covered entities most often explain noncompliance with the various aspects of the Breach Notification Rule by pleading unawareness of the requirements of the Rules. Covered entities and business associates should ensure that comprehensive privacy and security policies and procedures are developed and implemented to mitigate the risks of a breach and to effectively respond to a breach should one occur.