02-11-14 | Blog Post
BY TATIANA MELNIK
Health IT Attorney
As the clock struck midnight on New Year’s Eve, it was already clear that 2014 was shaping up to be an exciting year for all things healthcare IT. With enforcement actions squarely on the heels of the new year, the on-going healthcare-related data breach litigation (and a renewed focus on data breaches from federal legislators because of the Target incident), the upcoming ICD-10 conversion deadline, the continued move to BYOD, and the growth of Big Data, there is a lot happening in healthcare IT.
Data Breaches, Identity Theft, and Enforcement
On Christmas Eve, the Office of Civil Rights (OCR), the HHS department in charge of enforcing HIPAA, announced a settlement with Adult & Pediatric Dermatology, P.C., for $150,000. According to OCR, this case marked “the first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions” required by the HITECH Act. Then on December 31, the Federal Trade Commission (FTC) announced a settlement with Accretive Health, a company providing medical billing and revenue management services to hospitals, where the parties entered into a consent agreement calling for a 20 year compliance period. Both cases involved the loss of an unencrypted portable device—a USB drive in the case of the dermatology practice, and a laptop in the case of Accretive—which is a wholly preventable breach through the use of encryption. Both cases serve as a reminder to covered entities and business associates that federal regulators are watching.
Private plaintiffs (and their attorneys) are watching too. While succeeding in a data breach class action continues to be difficult, as the AvMed Inc. $3 million settlement showed, it is not impossible. AvMed, a Florida health insurance company, suffered a data breach in December 2009, when two unencrypted laptop computers were stolen from its office. Plaintiffs argued, among other things, that part of the funds used to pay for the premiums were supposed to be used to pay for data security. As part of the settlement, AvMed agreed to create a $3 million settlement fund from which customers could claim $10 for every year they were an AvMed customer (up to $30), to recoup the funds that were supposed to be spent on data security. What made this settlement stand apart was that the company settled with class members that could demonstrate damages (i.e., they were identity theft victims), as well as those that did not demonstrate that they were ‘damaged.’ Plaintiffs’ firms have been studying the AvMed settlement. Healthcare providers who suffer a data breach should be particularly concerned if impacted individuals can demonstrate identity theft.
BYOD Policies and Procedures
The Bring Your Own Device (BYOD) phenomenon continues to grow in healthcare and is now expanding to notions of Bring Your Own Cloud (BYOC) and so forth.
Hospitals, physicians’ practices, nursing homes, and other healthcare stakeholders continue to permit employees to use employee owned devices for work purposes. Yet, many organizations have yet to institute BYOD policies and procedures that fit their specific work environment. Not having proper policies and procedures in place will be problematic for healthcare organizations, particularly as terminated employees challenge a company’s authority to remotely wipe their devices as well as seek the devices for use in litigation.
Moreover, many organizations have not implemented specific policies and procedures to address physicians’ texting with patients, including, for example, saving the communications or otherwise ensuring that information is added to a patient’s medical record. While few courts have looked at this issue specifically, it is clear that text messages are discoverable in the event of litigation and must be preserved. Parties that fail to preserve text messages risk sanctions. In Christou v. Beatport, LLC, for example, the defendant failed to preserve text message in response to litigation hold letter. (Civil Action No. 10-cv-02912-RBJ-KMT, 2013 U.S. Dist. LEXIS 9034 (D. Colo. Jan. 23, 2013).) The mobile device containing the text messages was later lost. While the Court declined to order an adverse jury instruction, the Court did permit the plaintiffs to “introduce evidence at trial, if they wish, of the litigation hold letter and defendants failure to preserve Mr. Roulier’s text messages. Plaintiffs may argue whatever inference they hope the jury will draw. Defendants may present evidence in explanation, assuming of course that the evidence is otherwise admissible, and argue that no adverse inference should be drawn.”
The Move to ICD-10
The move to ICD-10 by the October 1, 2014 deadline will also pose challenges to healthcare providers. The transition to ICD-10 is required for everyone covered by HIPAA, but the level of training among staff members will depend on their specific role.
In August 2012, HHS delayed the transition from ICD-9 to ICD-10 by one year. As of now, it is unclear whether HHS is amenable to another delay, particularly because HHS wants providers to collect and report more data. The transition to ICD-10 is in line with this push because it includes codes for new procedures and diagnoses, which is expected to improve the quality of information available for quality improvement and payment purposes.
The transition to ICD-10 is expected to be costly for providers (e.g., lost productivity, the cost of training and implementation, etc.). The transition is also made particularly difficult because there are reports noting that many electronic healthcare records vendors have yet to make the ICD-10 codes available for physicians’ practices. Without updated systems, staff members are finding little opportunity to practice the skills they are learning in training sessions. Physicians’ practices must also work with payers to plan for any reimbursement changes for ICD-10. That is, as payers convert to ICD-10, they may make changes to benefit coverage based on new diagnosis codes.
The Continued Push for Telemedicine
Telemedicine continues to be a hot topic among providers, legislators, and insurance companies. Many states have yet to adopt laws and regulations to permit providers to offer services through telemedicine, despite the continued pressure on the healthcare system by an aging population as well as the Affordable Care Act. But, states do continue to evaluate the issue. It is expected, for example, that Florida will pass a law in 2014 expanding the scope of telemedicine services.
Providers using telemedicine enabling technologies must also carefully consider existing state and federal compliance requirements. The Oklahoma Board of Medical Licensure and Supervision, for example, suspended a psychiatrist for, in part, providing telepsychiatry services through Skype, which is not an approved method of providing telemedicine services in that state.
De-Identifying Big Data for Analytics
With the growth of electronic healthcare records, personal healthcare records, and patients using mobile technologies to track everything from how many steps they walk to what foods they eat, ‘Big Data’ is expected to be big business in healthcare. ‘Big data’ is also expected to greatly improve the lives of patients as payers, providers, and manufacturers of medical devices and drugs can evaluate data for patterns. But, healthcare stakeholders will need knowledgeable staff to manipulate the data, new technologies to store and process the data, and, importantly, ways to de-identify the data to minimize privacy and security concerns.
Tatiana Melnik will present “Identity Fraud and Data Breaches: Criminal and Civil Enforcement Efforts” at HIMMS14. A session description is available here. She will also appear at Online Tech’s exhibition booth (#3904) during HIMSS14. Set up a time to meet with her directly via her website, or stop by the booth to schedule a time.
Melnik is an attorney concentrating her practice on IT, data privacy and security, and regulatory compliance. She regularly writes and speaks on IT legal issues, including HIPAA/HITECH, cloud computing, mobile device policies, telemedicine, and data breach reporting requirements. She is managing editor of the Nanotechnology Law and Business Journal, and a former council member of the Michigan Bar Information Technology Law Council. Melnik holds a JD from the University of Michigan Law School, a BS in Information Systems and a BBA in International Business, both from the University of North Florida. For more information, visit www.melniklegal.com.