Presentation is loading. Please wait.

Presentation is loading. Please wait.

COMMUNITY-BASED COLLABORATIONS: Legal Issues In Structuring Health Information Exchanges The Health Information Technology Summit October 23, 2004 Reece.

Published byChester Watts Modified over 8 years ago

Similar presentations

Presentation on theme: "COMMUNITY-BASED COLLABORATIONS: Legal Issues In Structuring Health Information Exchanges The Health Information Technology Summit October 23, 2004 Reece."— Presentation transcript:

1

2 COMMUNITY-BASED COLLABORATIONS: Legal Issues In Structuring Health Information Exchanges The Health Information Technology Summit October 23, 2004 Reece Hirsch Sonnenschein Nath & Rosenthal LLP San Francisco, CA (415)882-5040 rhirsch@sonnenschein.com

3 Health Information Exchanges Are Local l Like health care generally, a health information exchange is a local enterprise. l Unique state law considerations l Exchanges can take many forms n Peer-to-peer systems n Facilitating financial transactions n Clinical data repositories

4 Health Information Exchanges Are Local l Review of legal issues that generally apply to exchanges, regardless of structure or locality l Devil is in the details – and the details involve state law

5 Governance and Organization l Early discussions l Statement of Purpose and Objective l Memorandum of Understanding n Entity’s purpose and objective n Which organizations may participate in network n How network’s efforts will be funded n Potential liabilities n How the network will be governed and operated

6 Governance and Organization l Initial structure n Tax status n Board composition l Sources of funding n eHealth Initiative sub-grants to communities as part of “Connecting Communities for Better Health” initiative n Health plans

7 Governance and Organization l Testing the waters n Health information exchange may be organized more simply during beta test stage n Adding a broader range of participating organizations and functions after beta stage

8 Governance and Organization l Someone has to be in Charge l Corporate Formation and Tax Status l Governance l Creating a Business Plan and Budget l Sources of Revenue l Criteria for Involvement

9 Tax Status l Is a health information exchange “organized and operated exclusively for charitable and educational purposes” under IRC Section 501(c)(3)? l Must distinguish IRS private letter rulings regarding 501(c)(6) organizations or “business leagues,” such as medical societies

10 Tax Status l Factors that will favor tax-exempt status: n Control by community board n Improvement in delivery and access to health care services n Broad sources of support n Open participation n Exchange is not solely intended to further the common business interests of participants

11 Tax Status l Revenue Ruling 76-455 n “A nonprofit organization formed to encourage and assist in the establishment of nonprofit regional health data systems … is operated exclusively for scientific and educational purposes,” and thus qualifies for 501(c)(3) status n Activities were “not carried on to set standards for or to police the industry but to provide … benefits to the general public.”

12 Vendor Agreements l Agreements between the Exchange Entity and IT and other vendors l Detail operational and performance specifications for both vendor and entity l Performance measurements and rewards and penalties l Specify key staff l Audit rights and protocols l Compliance with HIPAA and other regulations l Compensation l Intellectual property issues

13 HIPAA Relationships in a “Hub and Spokes” Health Information Consortium l Members of the Consortium are covered entities under HIPAA l The hub organization is not a covered entity unless it converts standard transactions and functions as a health care clearinghouse l The hub organization is a business associate of each member of the Consortium – business associate provisions should be included in each user agreement between members and the hub organization l The members are not business associates of one another -- the members are not providing services to or on behalf of one another

14 Oversight of Hub Organization and its Vendor by Consortium Members l HIPAA does not technically require affirmative oversight by covered entities of their business associates – representations in business associate agreements are legally sufficient l Covered entities are liable for privacy breaches of business associates only if they know of an improper pattern of activity or practice and fail to take appropriate action l But higher level of oversight may be imposed in practice given the amount of data concentrated in a single location and the highly structured nature of the enterprise l There may be opportunities for Consortium members to jointly perform privacy and security oversight of the hub organization or its vendor through a mutually selected agent

15 Key Privacy Screens for Data Access Requests l Is patient authorization required for access? l If so, did the patient provide sufficient authorization? l If not, is the party requesting the “minimum necessary” information for the intended purpose? l Has the data holder agreed to a restriction on uses? l Does the party requesting the data have a treatment or coverage relationship with the patient? l Is the party requesting the data who they say they are?

16 Is Patient Authorization Required for Access? l HIPAA has liberal rule that permits disclosure without authorization for treatment, payment and health care operations – this will cover almost all disclosures among Consortium members l Consider whether patient consent may be appropriate from risk management standpoint before sharing the patient’s data electronically through the Consortium n However, patient consent can be a major operational stumbling block

17 Health Care Operations l If health information exchange is generating various outcomes and utilization reports for participants, may qualify as “health care operations” under HIPAA, which include: n Quality assessment and improvement, outcomes evaluation, case management and care coordination, evaluating provider or health plan performance and population-based activities relating to improving health or reducing health care costs

18 Is Patient Authorization Required for Access? l State confidentiality laws may also require authorization and are likely to pose the greatest challenge: n often more stringent consent requirements than HIPAA n requirements vary with the type of information (e.g., HIV/AIDS, mental health, Medicaid) n separate laws may have differing consent requirements (oral vs. written, required elements, etc.) n laws may be applicable only to a subset of Consortium members (e.g., insurers, hospitals, mental health facilities, public agencies) l Federal regulations governing substance abuse treatment records are also more stringent than HIPAA

19 State Law Challenges l In working with a California data exchanges, particular challenges were posed by participants that were: n “Agencies” subject to Cal. Information Practices Act of 1977 n “State and local agencies” subject to California Public Records Act n An agency engaged in administration of the Medi-Cal program (Section 14100.2 of Cal. Welfare & Institutions Code)

20 Veteran’s Administration l If a VA hospital or clinic participates in the exchange, issues under the federal Privacy Act of 1974 may apply l When a VA agency provides by contract for the operation of a system of records to accomplish an agency function, Privacy Act applies to the system l Health information exchange may not be a VA “system of records” because if it is not “under the control” of the VA

21 Is the Party Requesting the Minimum Necessary Information? l HIPAA requires covered entities to request the minimum necessary information for the intended purpose l If Consortium consists exclusively of covered entities, each party disclosing data may rely on the requesting party’s minimum necessary determination if reliance “is reasonable under the circumstances” l Other minimum necessary exceptions may also apply: n Disclosures to providers for treatment n Disclosures to the patient or pursuant to the patient’s authorization l Minimum necessary rules can also be embedded in system

22 Has the Data Holder Agreed to Restrict Uses? l HIPAA allows patients to request restrictions on uses of data for treatment, payment or health care operations l Covered entities do not have to agree to all restriction requests l Data holders must have the capacity to override otherwise permissible access requests based on agreed upon restrictions n Or data holders must all agree that it is not their practice to agree to restrictions

23 Does the Requesting Party Have a Relationship with the Patient? l Health care providers and health plans are not entitled to data on any person without regard to whether there is a treatment or coverage relationship l Centralized system enabling each provider and plan to verify and register their relationships with patients can avoid case-by-case verification l May elect “break the glass” capability for emergency situations, subject to back-end audit

24 Is the Requesting Party Who They Say They Are? l HIPAA requires covered entities to verify identity of parties receiving protected health information l Assignment of unique user ID and password by hub organization will be required l Use of digital certificates may be warranted

25 Consortium Must Perform Security Risk Analysis l Great importance placed on risk analysis in HIPAA Security Rule n Underlies decisions regarding all “addressable” specifications n Basis for selecting competing security options n Integral to making scalability decisions related to compliance l Sophisticated risk analysis would be expected for this type of venture l Each Consortium member may rely on the risk analysis performed centrally by the Consortium or its vendor – but internal review of the analysis by a member may be appropriate, depending on its size and resources

26 Hub Organization Responsible for Network Security Issues l Encryption – this is an “addressable” standard but a risk analysis is likely to identify this as a necessary measure for any internet-based transmission (encryption of stored data may be deemed appropriate as well) l Audit trail – required for privacy and security monitoring and could assist in meeting accounting of disclosures mandate l Authentication – issuance of unique user IDs and passwords, and digital certificates if utilized l Physical safeguards in data center (access control, environmental control, emergency power, disaster recovery plan, etc.)

27 Consortium Members Not Relieved of Own Security Responsibilities l Workforce clearance and termination procedures l Role-based access controls l Virus protection l Data back-up l Device and media controls l Physical safeguards

28 Consortium May Set Minimum Security Standards for Each Member l Standards may be scalable based on size and resources of members l Minimum standards may be included in user agreements l Consortium may audit compliance by each member

29 Security Training May be Shared Responsibility l Hub organization may develop curriculum l Hub organization may use “train the trainer” model or conduct training of all users l Division of training responsibility may depend on size and sophistication of individual members l Evidence of training should be maintained by each member

30

31 For further information contact: Reece Hirsch Sonnenschein Nath & Rosenthal 415.882.5040rhirsch@sonnenschein.com

Download ppt "COMMUNITY-BASED COLLABORATIONS: Legal Issues In Structuring Health Information Exchanges The Health Information Technology Summit October 23, 2004 Reece."

Similar presentations

Davis Wright Tremaine LLP HIT Legal Issues: HIPAA Implications to a Regional Health Information Organization Becky Williams, R.N., J.D. Partner, Co-Chair,

Davis Wright Tremaine LLP HIT Legal Issues: HIPAA Implications to a Regional Health Information Organization Becky Williams, R.N., J.D. Partner, Co-Chair,
HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
Presented by Elena Chan, UCSF Pharm.D. Candidate Tiffany Jew, USC Pharm.D. Candidate March 14, 2007 P HARMACEUTICAL C ONSULTANTS, I NC. P RO P HARMA HIPAA.

Presented by Elena Chan, UCSF Pharm.D. Candidate Tiffany Jew, USC Pharm.D. Candidate March 14, 2007 P HARMACEUTICAL C ONSULTANTS, I NC. P RO P HARMA HIPAA.
1 The HIPAA Privacy Rule and Research This presentation will probably involve audience discussion, which will create action items. Use PowerPoint to keep.

1 The HIPAA Privacy Rule and Research This presentation will probably involve audience discussion, which will create action items. Use PowerPoint to keep.
HIPAA Basics Brian Fleetham Dickinson Wright PLLC.

HIPAA Basics Brian Fleetham Dickinson Wright PLLC.
HIPAA: Privacy, Security, and HITECH, Oh My! Presented by Stephanie L. Ganucheau, Special Assistant Attorney General.

HIPAA: Privacy, Security, and HITECH, Oh My! Presented by Stephanie L. Ganucheau, Special Assistant Attorney General.
HIPAA Privacy Rule Training

HIPAA Privacy Rule Training
HIPAA – Privacy Rule and Research USCRF Research Educational Series March 19, 2003.

HIPAA – Privacy Rule and Research USCRF Research Educational Series March 19, 2003.
Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.

Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.
The Health Insurance Portability and Accountability Act of 1996– charged the Department of Health and Human Services (DHHS) with creating health information.

The Health Insurance Portability and Accountability Act of 1996– charged the Department of Health and Human Services (DHHS) with creating health information.
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
HIPAA Health Insurance Portability and Accountability Act.

HIPAA Health Insurance Portability and Accountability Act.
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
Managing Access to Student Health Information per Federal HIPAA Guidelines Joan M. Kiel, Ph.D., CHPS Duquesne University Pittsburgh, Penna 412-396-4419.

Managing Access to Student Health Information per Federal HIPAA Guidelines Joan M. Kiel, Ph.D., CHPS Duquesne University Pittsburgh, Penna
TM The HIPAA Privacy Rule: Safeguarding Health Information in Research and Public Health Practice Centers for Disease Control and Prevention Beverly A.

TM The HIPAA Privacy Rule: Safeguarding Health Information in Research and Public Health Practice Centers for Disease Control and Prevention Beverly A.
HIPAA Privacy Rule Compliance Training for YSU April 9, 2014.

HIPAA Privacy Rule Compliance Training for YSU April 9, 2014.
 The Health Insurance Portability and Accountability Act of 1996.  Federal Law designed to protect sensitive information.  HIPAA violations are enforced.

 The Health Insurance Portability and Accountability Act of  Federal Law designed to protect sensitive information.  HIPAA violations are enforced.
Are you ready for HIPPO??? Welcome to HIPAA

Are you ready for HIPPO??? Welcome to HIPAA
Privacy, Security and Compliance Concerns for Management and Boards November 15, 2013 Carolyn Heyman-Layne, Esq. 1.

Privacy, Security and Compliance Concerns for Management and Boards November 15, 2013 Carolyn Heyman-Layne, Esq. 1.
Health Insurance Portability Accountability Act of 1996 HIPAA for Researchers: IRB Related Issues HSC USC IRB.

Health Insurance Portability Accountability Act of 1996 HIPAA for Researchers: IRB Related Issues HSC USC IRB.

Similar presentations

Ads by Google