An electronic health record (EHR) captures health data for treatment at the point of care but can also serve an important role for quality reporting, surveillance, and research. EHRs contain rich clinical and administrative health data from both primary and tertiary care health providers. They include data on efficacy, effectiveness, safety, and patient-level data, such as dosing patterns and treatment combinations, making EHRs a valuable resource for a myriad of observational research studies.

The term “secondary use” is used in the industry to refer to using data for a purpose (i.e., research) other than the purpose for which the data were initially collected (e.g., treatment). Recent developments in health information technology and health information exchange have made it easier for researchers to harness the value of electronically collected and transmitted health data, presenting a unique opportunity. More specifically, with the expected widespread adoption of EHRs, secondary use research has the potential to generate research findings that are more generalizable to a diverse population, as well as improve understanding of disease processes and the impact that social and behavioral factors have on illness. Increased secondary use research will save time and resources, as data sharing will enable researchers to maximize use of an existing data set for multiple studies. This in turn will limit the time and cost of finding and recruiting potential research subjects.

As noted, the benefits of secondary use research are significant, and advances—such as better detection of areas of the country where certain diseases are increasingly prevalent—are within the public interest. However, the individual’s privacy must be taken into consideration as well. Secondary use of identifiable health data collected for clinical or administrative purposes raises concerns of patient coercion or data misuse if proper safeguards are not in place. This article explores the current regulations governing the secondary use of data for research; the increasing need for an effective, comprehensive governing framework; and recent regulatory activity. While many issues still persist, there appears to be an emerging consensus on the general principles that should govern the secondary use of EHR data for research.

cforms contact form by delicious:days

By Michael L. Silhol, Haynes and Boone LLP, Dallas and Houston

The Texas law arose due to concerns by state legislators that HIPAA did not provide enough protection over PHI and that the federal government was not enforcing existing HIPAA provisions. Both the Texas Senate and House of Representatives also were concerned that the increased use of electronic health records and the expansion of the electronic exchange of PHI would require stronger laws to better ensure the protection of PHI. Reports of major data breaches during the 2011 Texas legislative session only added momentum to passage of the bill. The law is expected to result in increased revenue to the state as a result of penalties assessed against Texas covered entities that violate the law, though it was also pointed out that the state could realize a potential revenue loss due to enforcement costs. The bill passed with unanimous votes in both houses of the Texas legislature and was signed by Governor Perry on June 17.

The law is likely to generate confusion over the broad terms in its provisions. While it is not clear how these questions will be answered, anyone who comes into possession of PHI—mail carriers, document shredders, law firms, or inadvertent recipients—should take note of the robust privacy requirements and strict penalties—up to $1.5 million—contained in the law. While many proponents denied the law would be applied broadly, the language in the law belies those assertions.

Texas Has a Broader Definition of Covered Entity Than HIPAA

H.B. 300 requires “covered entities,” as that term is defined under existing Texas law, to abide by a number of new requirements concerning the privacy and security of PHI. Many individuals and organizations that are otherwise not considered “covered entities” under HIPAA are “covered entities” under existing Texas law regarding the privacy of medical records.

Under HIPAA a “covered entity” is defined as:

Texas law defines a “covered entity” much more broadly, to include many more individuals and organizations who:

Proponents of H.B. 300 denied it would be applied to mail carriers, document shredders, or other non-health care entities that routinely serve as conduits for PHI. This would be consistent with federal regulations that have ruled these entities are not “covered entities” of HIPAA merely because they transmit or handle PHI. ⁷ However, existing Texas law states very clearly that a covered entity is any person who comes into possession of PHI. ⁸There is no exception for the types of conduits that have been exempted from HIPAA. Moreover, given that H.B. 300 was enacted in large part due to concerns that HIPAA did not grant enough protection of patient privacy, it is unlikely that Texas regulators, courts or legislators will adopt definitions contained in the HIPAA Privacy Rule to govern H.B. 300. Consequently, there is likely to be confusion about the exact extent of the broad language in the Texas medical privacy law.

Expanded Training Requirements

Under H.B. 300, Texas covered entities must provide ongoing training to their employees regarding state and federal law concerning PHI. ⁹ The training must be customized as to the entity’s particular course of business and each employee’s scope of employment. An employee must complete the training no later than 60 days after the employee is hired, and such training must be repeated at least once every two years. Additionally, all Texas covered entities must maintain records documenting an employee’s attendance at training programs. Such records may be maintained either electronically or in writing…

cforms contact form by delicious:days

1) Introduction

The popularity of smartphones like the Droid and iPhone as well as tablet devices such as the iPad means that people are able to accomplish many things without physically sitting in front of a computer or even being in the office. Apple currently claims over 90,000 apps for the iPad, many of which are in the health and health care category. After weeding out those directed toward consumers, several hundred are intended for physicians, nurses and clinicians. These health apps range from disease reference guides to remote EKG monitoring, which may also be connected to an EHR (electronic health record).

The promise of such devices and applications is that enhanced mobility and access to information will improve the way in which physicians and their teams interact with patient health information. Physician groups and hospitals should consider the implications, however, of how they use these devices. While a small number are regulated to date by the FDA as medical devices, the storage and wireless transmission of PHI (protected health information) to and from these tools means that the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and Security Rule will impact covered entities and business associates using them.

The benefits of health apps on mobile devices, then, must be balanced against the extra care required to ensure that doctors and others are properly protecting the data on these devices. In addition to the Security Rule, the new Health and Human Services Breach Notification Rule and associated Technology Guidance apply. In an era when people seem to lose portable devices with remarkable frequency, it is important to consider how to incorporate mobile devices into a practice and validate that the device or application(s) can support your compliance with HIPAA and other rules.

2) Proliferation of Devices and Apps

In releasing a study on physicians’ use of technology, Manhattan Research reported in May 2011 that thirty percent of doctors are using iPads to access EHRs, to view results such as radiology images, and to communicate with patients. While a search for “health” on the iPad App Store yields a wide variety of consumer-oriented tools, an increasing number of these apps facilitate a physician’s practice.

A quick review of iPad apps for doctors, nurses and clinicians displays a wide range of these tools. These include apps for drug-interaction checkers, medical dictionaries, diagnostic lab tests tools and disease treatment guides. While most of these apps are used as reference sources and thus would not contain any PHI, an increasing number provide access to EHRs, capture patient data, transmit prescription renewals, and clinical decision support. Many of these apps also provide for the remote monitoring of patient vital signs, such as an EKG-reading app, accessing patient charts and x-ray images. There is also a new blood pressure monitor that has received FDA approval. A recent study by PricewaterhouseCoopers estimated that the annual market for mobile monitoring devices ranges from $7.7 billion to $43 billion.

3) Keep HIPAA in Mind

a) HIPAA Security Rule

Arguably, one of the drivers of mobile devices in health care is the federal government’s push to move patient records into digital systems or EHRs for which the Health Information Technology for Economic and Clinical Health Act (HITECH Act) provides significant funding over the coming years. With the financial incentives, however, the HITECH Act expanded portions of HIPAA directly to business associates and initiated breach reporting obligations for covered entities. As physicians increasingly leverage iPads and similar devices for managing patient data, it remains critical that these devices and apps enable health care users to comply with the requirements of the HIPAA Security Rule.

The HIPAA Security Rule applies to electronic PHI held by covered entities and, since the amendments of the HITECH Act, business associates. Section 164.308(a)(1)(ii)(A) of the Security Rule requires that a covered entity conduct a risk analysis to assess the nature and volume of ePHI and the risks of unauthorized use or disclosure of this patient information. A covered entity must then implement administrative, technical and physical safeguards appropriate to the risks and vulnerabilities identified in the risk analysis. The purpose of these safeguards is to assure the confidentiality, integrity and availability of patient information.

cforms contact form by delicious:days

By Kendra Casey Plank

A recently published health data privacy proposed rule goes beyond legal requirements and would be burdensome for the health care industry by creating two separate new rights for individuals—one allowing requests for a full accounting of access to their electronic or paper protected health information, and a second allowing requests for information about who has accessed their PHI in electronic form—attorneys contacted by BNA said.

The Department of Health and Human Services Office for Civil Rights proposed Accounting of Disclosures Rule would revise the Health Insurance Portability and Accountability Act Privacy Rule to modify existing standards for the accounting of disclosures of individuals’ protected health information by HIPAA covered entities and businesses associates, as well as add new requirements that covered entities be able to report to patients about who has accessed their electronic health records (76 Fed. Reg. 31426, 5/31/11).

The changes were proposed, in part, to comply with a mandate in the Health Information Technology for Economic and Clinical Health (HITECH) Act that covered entities be able to account, for broader reasons than provided under existing requirements, for how patients’ health data were shared.

“The intent of the access report is to allow individuals to learn if specific persons have accessed their electronic designated record set information,” OCR said in the proposed rule. OCR noted, however, that the proposed access reports would not provide details about why a person accessed such data.

“In contrast, the intent of the accounting of disclosures is to provide more detailed information (a ‘full accounting’) for certain disclosures that are most likely to impact the individual,” OCR said.

OCR said meeting a detailed accounting of disclosures request “is generally a manual, expensive, and time consuming process for covered entities and business associates.”

By comparison, the agency said it believed creating an access report would be less burdensome because it would be an automated process and would involve electronic information covered entities already are required to collect under the HIPAA Security Rule.

‘Problematic’ Proposal

Health care attorneys told BNA that the revised accounting of disclosures standard and the new access report requirements could pose significant burdens on covered entities and business associates.

Kirk J. Nahra of Wiley Rein LLP, in Washington, called the proposal “problematic.”

Nahra said the “ proposed rule goes far beyond the HITECH statutory provisions to fundamentally restructure the accounting right, and in that context will create substantial problems and challenges for every participant in the health care industry and their business associates.”

Furthermore, Nahra said the access report requirement went far beyond existing requirements under the Security Rule, which he said requires “drastically less” than OCR is proposing. …

cforms contact form by delicious:days

By Debra Alligood White, Manatt, Phelps & Phillips LLP, Washington.

The Health Information Technology for Economic and Clinical Health (HITECH) Act’s promise of billions of dollars in government incentives has not only increased the pace of provider adoption of integrated health information technology (HIT) solutions but has also sparked enormous growth in the HIT vendor community. As yet, none of the hundreds of HIT vendors has emerged as the predominant market leader. It is therefore difficult to predict which vendors will survive the inevitable consolidation of the market. Selecting the right vendor to handle a major HIT project in this environment can be challenging because of the vast unknowns: Will data in legacy systems migrate over to the new system smoothly? Will the chosen technology keep pace with evolving trends and standards? And, perhaps foremost in the minds of the providers who will have to rely on the systems, will the patient records they need be available when they need them?

At negotiating sessions, as at weddings, it is often seen as bad form to discuss divorce or end-of-life at the joyous occasion. But, until the long-term prospects of HIT vendors become more predictable, it is likely that a customer that enters into a contract today with one HIT vendor will not be working with that same vendor in a decade or less. This article will highlight a few steps a customer can take to ensure that, however the relationship with the vendor ends, the customer’s interests, and data, will be protected.

Vendor Selection

There are any number of reasons why an HIT vendor might suddenly disappear without a forwarding address, from financial distress to being purchased by a competitor to being sued for intellectual property infringement. Unfortunately, the likelihood of any of these developments occurring is difficult to assess from information typically gathered in a competitive vendor selection process or during the course of negotiations. Understanding the history of the company, learning the identity of the management, financial backers and board of directors, and hearing what the existing customers, media reports, and third-party rankings have to say about the vendor may, however, provide some indication of the seriousness of the venture.

Data Ownership, Escrow, Migration, and Retrieval Rights

While many sectors of society, like banking and streaming music services, have become accustomed to arrangements where a user’s applications and data are stored remotely and accessed through a secure internet connection, the medical community is among those sectors that is moving to the “cloud” with a bit more caution. There are several reasons to select a web-based solution, including speedier deployment, lower implementation costs, upgrades and regular system maintenance being baked-into a subscription-like fee and the ability to access data from internet-connected devices even if a customer’s computer system goes down. A major concern, however, with web-based HIT systems is that a physician’s data will not be sitting down the hall from her when she needs them. This concern can be minimized by close scrutiny of the vendor’s data storage, back-up, failover, redundancy, and recovery arrangements. In addition, the contract should include a requirement that the vendor notify the customer before changing any of those arrangements so that, if the vendor suddenly “goes dark,” the customer at least has some clues about where its data are.

Another approach is for the customer to request that the vendor establish a “software-as-a-service escrow,” where the vendor deposits the source code along with certain development and maintenance tools and customer data with a third-party escrow agent. The terms of the escrow agreement will specify the circumstances, typically after a vendor has either gone out of business or refused to perform certain essential functions, under which the customer will have the right to use the escrowed materials in order to operate and maintain the software or retrieve data from the system. From the customer’s perspective, the biggest advantage of an escrow arrangement is that, provided the escrow is established at about the same time as the contract is initially entered into, the subsequent filing of bankruptcy by or against the vendor should not interdict the escrow release. Vendors generally abhor these arrangements, although carefully tailoring the release conditions and narrowly defining the customers’ ability to use the escrowed source code after its release may address some vendor objections.

In order to cover situations that do not trigger a release of the escrow, customers also should seek to secure data retrieval and migration services that the vendor would be obligated to provide even if, for instance, the contract were terminated for customer breach. The cost (or at least the basis for pricing) for these services should be established up front and any circumstances under which the services would be provided at no cost to the customer should be enumerated.

Especially where the HIT solution is “software-as-a-service” or “cloud-based,” one very basic and important step that a customer can take to protect its data from the eddy of a failing vendor is to make it clear—to the vendor and the vendor’s landlords, equipment lessors and creditors—that the data being stored, processed, transmitted, and generated by the vendor’s HIT application does not belong to the vendor. The fact that the vendor has no lienable interest in the data may seem so obvious that it falls into the category of things that “go without saying.” However, the law places a high premium on the concept of notice, particularly where there are competing rights in property, so it is advisable to include in the contract a statement regarding data ownership rather than leaving it open to question as to why it was not included. Further, the vendor should acknowledge that under no circumstance will the vendor have the right to deny the customer access to its data residing on the vendor’s system. The vendor has many remedies under the law and in equity for any wrong done to it by the customer—holding the data hostage for a late payment or an extra user or two need not be one of them…

cforms contact form by delicious:days

On July 14, the Department of Health and Human Services (“HHS”) published a notice of proposed rulemaking (the “Proposed Rule”) that would modify the HIPAA privacy, security and enforcement regulations (the “Privacy Rule, “Security Rule” and “Enforcement Rule”). The Proposed Rule primarily implements the provisions of the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), but it does contain a few features that have come as a surprise to many…

cforms contact form by delicious:days

Department of Health and Human Services Secretary Kathleen Sebelius July 13 announced two upcoming final rules to help eligible physicians and hospitals qualify for as much as $27 billion in federal funding to assist in…

cforms contact form by delicious:days

The Department of Health and Human Services July 8 announced proposed changes to the Health Insurance Portability and Accountability Act Privacy Rule, Security Rule, and Enforcement Rule to implement their congressionally…

cforms contact form by delicious:days

Some have proposed that one way to rein in health care costs and improve the quality of patient care is to increase the rate at which patient records are being converted from paper to electronic form. Progress on that goal to date has been…

cforms contact form by delicious:days