In February 2009, Congress enacted the Health Information Technology for Economic and Clinical Health (HITECH) Act to improve the electronic exchange of health information through health information technology (HIT). The Health Insurance Portability and Accountability Act of 1996 (HIPAA) already provided specific rules regarding the use and disclosure of protected health information (PHI). Health care providers and their attorneys must be aware of the risk management issues created by the overlapping requirements of HIPAA and HITECH, including how the electronic medical record (EMR) will be viewed and interpreted in the event of litigation.
Since the enactment of HIPAA in 1996, its provisions have been applied widely in the litigation setting. In most states, the discovery process in medical malpractice and other personal injury cases has been substantially altered to ensure compliance with HIPAA, which changed the handling of medical records requests, the release of records and information to expert witnesses, and ex parte interviews with a plaintiff's treating medical providers. These protections exist for all patients and should be closely adhered to by all concerned. HIPAA and HITECH provide for significant civil fines and penalties for breaches of their provisions.
The HITECH Act
The overall goal of the HITECH Act is to “invest in the infrastructure necessary to allow for and promote the electronic exchange and use of health information for each individual concerned.” See 42 U.S.C. § 300jj-31. HITECH is, in essence, a means of promoting the use of electronic medical records, and was enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA). Any health care provider contracting with a federal agency will be required, by contract, to “implement, acquire, or upgrade health information technology systems … and products that meet standards and implementation specifications” of the HITECH law. 42 U.S.C. § 17902.
This is a broad-reaching requirement given the high number of health care providers that rely on Medicare patients and other federal contracts. Further, Title IV of Division B of ARRA amends Titles XVIII and XIX of the Social Security Act (Medicare and Medicaid) by creating incentive payments to eligible providers to promote the adoption of electronic medical records via health information technology. See 42 U.S.C. § 300jj-31. In addition, the states and other authorized entities, such as non-profit health care organizations, are eligible for federal grants for forming a HITECH-compliant plan. See 42 U.S.C. § 300jj-33. Thus, the use of EMRs is a key requirement for health care providers to become “meaningful users” eligible for payment under the Medicare and Medicaid electronic medical record incentive programs. While participation in HITECH is voluntary for private entities, many private health care providers are subject to HITECH by contract or through an applicable grant program.
Effects on Litigation
From a litigation perspective, just as HIPAA changed the way records are obtained in the context of a lawsuit, HITECH and the EMR will change the way records are reviewed, interpreted and litigated in a lawsuit. With the advent of the EMR, we can anticipate some litigation practice positives: records will be easier to read than handwritten doctors' notes, for example. But we can also anticipate mistakes made while clicking through a template to create the record, difficulty in determining the actual time a note was entered (which depends on the program used by a particular practice or hospital), and questions of when a report was seen or signed if the program has no way of recording an electronic signature, with date and time, on the report.
As we wade through these new developments in litigation, we are likely to see an increase in the use of forensic computer analysis of data and metadata to track exactly when something was documented and by whom, and who has subsequently accessed or viewed the document. For risk management purposes, this adds a layer to the choice of EMR program and to how access is managed and changes are tracked: an audit trail is only useful in litigation if it records the user, the time stamp and the action for every creation, edit, signature and view of a record, and if the log itself is protected from later alteration.
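The kind of analysis described above, as an added example that is not part of the original article and does not reflect any particular EMR vendor's export format: the script below parses a constructed JSON-lines audit log (all names, record identifiers and timestamps are made up), reconstructs the timeline for one record, flags edits made after the note was signed and views by users outside a hypothetical care-team list, and hash-chains the entries so that later alteration of the log itself is detectable.

```python
import hashlib
import json
from datetime import datetime

# Constructed sample audit log (JSON lines). The field names are an assumption
# for this example; a real EMR's export will differ and must be mapped first.
SAMPLE_LOG = """\
{"ts": "2012-03-01T09:12:00", "user": "dr.lee", "action": "create", "record": "note-4471"}
{"ts": "2012-03-01T09:40:00", "user": "dr.lee", "action": "sign", "record": "note-4471"}
{"ts": "2012-03-01T10:05:00", "user": "nurse.kim", "action": "view", "record": "note-4471"}
{"ts": "2012-03-04T22:17:00", "user": "dr.lee", "action": "edit", "record": "note-4471", "field": "assessment"}
{"ts": "2012-03-05T08:00:00", "user": "billing.ross", "action": "view", "record": "note-4471"}
{"ts": "2012-03-06T11:30:00", "user": "dr.patel", "action": "create", "record": "note-4490"}
"""

# Hypothetical treatment relationships. In a real review this comes from the
# EMR's scheduling or care-team data, never from the audit log under review.
CARE_TEAM = {"note-4471": {"dr.lee", "nurse.kim"}, "note-4490": {"dr.patel"}}


def parse_audit_log(text):
    """Parse JSON-lines entries; keep the raw line (for hashing) and a parsed datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        entry["_ts"] = datetime.fromisoformat(entry["ts"])
        entry["_raw"] = line
        events.append(entry)
    return sorted(events, key=lambda e: e["_ts"])


def timeline(events, record):
    """Who did what to one record, in time order: the core of a forensic report."""
    return [(e["ts"], e["user"], e["action"]) for e in events if e["record"] == record]


def edits_after_signature(events):
    """Edits made after a record was signed; each one needs an explanation in litigation."""
    signed_at = {}
    for e in events:
        if e["action"] == "sign":
            signed_at.setdefault(e["record"], e["_ts"])
    return [
        (e["record"], e["ts"], e["user"], e.get("field"))
        for e in events
        if e["action"] == "edit"
        and e["record"] in signed_at
        and e["_ts"] > signed_at[e["record"]]
    ]


def accesses_outside_care_team(events, care_team):
    """Views or edits by users with no recorded treatment relationship to the record."""
    return [
        (e["record"], e["ts"], e["user"], e["action"])
        for e in events
        if e["action"] in ("view", "edit")
        and e["user"] not in care_team.get(e["record"], set())
    ]


def build_chain(events):
    """Hash-chain the raw entries: digest[i] = sha256(digest[i-1] || raw line i).

    Store the final digest somewhere the EMR administrators cannot rewrite
    (e.g. with outside counsel); any later change to a line breaks the chain.
    """
    digests, prev = [], b""
    for e in events:
        digest = hashlib.sha256(prev + e["_raw"].encode()).hexdigest()
        digests.append(digest)
        prev = digest.encode()
    return digests


def first_tampered_index(events, expected):
    """Recompute the chain and return the index of the first mismatch, or -1 if intact."""
    actual = build_chain(events)
    for i, (a, x) in enumerate(zip(actual, expected)):
        if a != x:
            return i
    return -1 if len(actual) == len(expected) else min(len(actual), len(expected))


if __name__ == "__main__":
    evs = parse_audit_log(SAMPLE_LOG)
    for row in timeline(evs, "note-4471"):
        print(row)
    print("edits after signature:", edits_after_signature(evs))
    print("access outside care team:", accesses_outside_care_team(evs, CARE_TEAM))
    chain = build_chain(evs)
    # Simulate someone rewriting the log to hide the billing clerk's view.
    altered = parse_audit_log(SAMPLE_LOG.replace("billing.ross", "nurse.kim"))
    print("first altered entry:", first_tampered_index(altered, chain))
```

Two caveats for anyone running this against a real export: the timestamps must be normalised to one time zone before sorting (the sample uses naive local times for simplicity), and the chain only proves integrity from the moment the digests were recorded, so it should be computed as soon as the log is preserved, not at trial.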
Avoiding Privacy Breaches
As more and more health care providers use electronic medical records, regulations regarding the release of electronic PHI become especially relevant. HITECH requires attorneys and others to whom PHI is disseminated electronically to adequately protect confidential health information. The purpose of the HITECH law is to efficiently distribute health care information while complying with patient privacy laws. See 42 U.S.C. § 300jj-19. Indeed, the HITECH law states explicitly that it cannot be “construed as having any effect on the authorities of the Secretary under HIPAA privacy and security law.” Id. HITECH also specifically adopts HIPAA's definitions, standards and state preemption language. 42 U.S.C. § 17951. One thing is certain: nothing in HITECH absolves health care providers or their counsel of any duties set forth in HIPAA.
For health care providers, it is imperative that appropriate security measures are in place to protect information and ensure compliance with HIPAA. Since 2005, health care providers have been required to have a documented assessment of all technical, administrative and physical safeguards for PHI, per the HIPAA Security Rule. 42 U.S.C. § 1320d-2; see also 45 C.F.R. Part 164, Subpart C. HITECH extends this rule to business associates of health care providers. 42 U.S.C. § 17931. Any weakness detected in the safeguards for PHI should be noted, and a plan developed and implemented to address it. A covered entity should be able to demonstrate a good-faith effort at compliance with HIPAA requirements.
HITECH also adjusts how patient information can be used by health care providers. Patient PHI cannot be sold in violation of HIPAA. 42 U.S.C. § 17935. Also, under most circumstances, a health care provider may not use a patient's information to solicit contributions for fundraising purposes. 42 U.S.C. § 17936. HITECH also narrowed the definition of marketing, so that providers may use patient information only for limited purposes such as educating a patient about a product that is specifically related to that patient's treatment (rather than general marketing to encourage a patient to purchase a product). Id.
When a Breach Occurs
Medical malpractice attorneys may often be called upon to advise physician or health care provider clients concerned about breaches of the HITECH law. HITECH contains specific privacy provisions, which define a breach and explain the process for responding to a potential breach. See 42 U.S.C. § 17921 et seq. A breach is defined as an unauthorized acquisition, access, use or disclosure of protected health information that compromises the security or privacy of that information. 42 U.S.C. § 17921(1)(A). There are also specific provisions related to a health care provider's wrongful dissemination of PHI. 42 U.S.C. § 17932(e)(2).
Fortunately, minor or technical violations may be fairly easy to remedy. In short, health care providers confronted with a breach of unsecured PHI must notify each individual whose PHI has been compromised. 42 U.S.C. § 17932(a). The notification must be made “without unreasonable delay,” and never more than 60 days after the discovery of the breach. 42 U.S.C. § 17932(d)(1). Where the breach involves more than 500 individuals, notice to the media is also required. 42 U.S.C. § 17932(e). The notification must be fairly detailed. 42 U.S.C. § 17932(f). Each individual must be informed of the nature of the breach, the PHI involved, guidance on how to protect against harm from the disclosed PHI, a description of what the health care provider is doing to investigate the breach, mitigate its effects and prevent future breaches, and contact information for the health care provider. Id.
In addition to notifying the patients, the health care provider must provide notice to the Secretary of the Department of Health and Human Services (DHHS). This is done through an online form on the website of the DHHS Office for Civil Rights (http://ocrnotifications.hhs.gov). The timing depends on the size of the breach: a breach involving 500 or more individuals must be reported to the Secretary at the same time the individual notices go out, while smaller breaches must be logged and reported annually, within 60 days after the end of the calendar year in which they were discovered. 42 U.S.C. § 17932(e)(3); 45 C.F.R. § 164.408. In practice, the notification to the Secretary is easiest to prepare at or around the time the individual notices are drafted, since the contents are essentially the same, and the Office for Civil Rights website provides the necessary guidance. A covered entity must also retain any documentation regarding its privacy policies, and any communications with respect to those policies, for six years from the date of creation or the date when the document was last in effect, whichever is later. 45 C.F.R. § 164.530(j).
Penalties for non-compliance with HITECH are the same as those for non-compliance with HIPAA. 42 U.S.C. § 17934 (incorporating 42 U.S.C. §§ 1320d-5 and 1320d-6). HITECH replaced HIPAA's original flat civil penalty with a tiered structure keyed to the violator's culpability. 42 U.S.C. § 17939; 42 U.S.C. § 1320d-5(a). Importantly, a violation that is not due to willful neglect will typically not result in any penalty, as long as it is corrected within 30 days of the date the provider knew, or should have known, of it. 42 U.S.C. § 1320d-5(b)(2)(A). At the other end of the scale, a violation caused by “willful neglect” that is not corrected may be fined as much as $50,000 per violation, with an annual cap of $1.5 million for violations of an identical provision; the lowest tier, for violations the provider did not know of and could not reasonably have known of, starts at $100 per violation. 42 U.S.C. § 1320d-5(a)(3). Further, the state attorneys general have an explicit civil remedy against health care providers for HITECH breaches. 42 U.S.C. § 1320d-5(d).
Similarly, the entities to whom health care providers appropriately (in compliance with HIPAA) disseminate PHI need to take steps to ensure they are adequately protecting confidential health information. 45 C.F.R. § 164.302. For example, individuals who can access medical records on an iPhone or iPad should at a minimum lock the device with a passcode. That is the floor, not the target: PHI on a lost or stolen device counts as “unsecured” PHI, and its loss is a reportable breach, unless the data was encrypted in a manner consistent with the guidance DHHS issues under 42 U.S.C. § 17932(h). Full-device encryption, and the ability to wipe a lost device remotely, are therefore what actually keep a misplaced phone from becoming a notifiable breach. Obviously there are far more sophisticated tools and means of protecting electronic PHI on company and law firm computer networks, and all necessary measures should be employed.
Conclusion
The Department of Health and Human Services (DHHS), under HITECH requirements, must now periodically audit health care providers and business associates to ensure compliance with HIPAA. 42 U.S.C. § 17940. This may lead to the imposition of more penalties, even for unintentional violations. Thus, all attorneys in the HIPAA-HITECH arena need to be aware of the requirements and actively involved in assuring that they, and their clients, are in compliance.
Overall, it is important for any entity involved in the exchange of PHI to have a specific plan in place for safeguarding the data. In the event of a breach, the entity should move quickly to notify individuals affected by the breach (and the DHHS Secretary) and take affirmative steps to mitigate any possible harmful effects of the breach. In addition, all documentation on HIPAA/HITECH compliance, breaches and notification should be stored and retained for at least six years from the date of creation.