HIPAA and Data Issues
The Health Insurance Portability and Accountability Act (HIPAA) and its regulations have existed for over twenty years. Although most health care providers are familiar with its requirements, they are far less familiar with the ways in which HIPAA is enforced. They are likewise often unaware of how HIPAA investigations are initiated, the processes those investigations follow, or the types of information the Department of Health and Human Services’ Office for Civil Rights (OCR) requires in the course of an investigation. Many also fear the imposition of stiff penalties, likely as a result of seeing headlines about multi-million dollar settlements by other providers. In “HIPAA Enforcement On the Books and In Practice: When It all Goes Wrong,” Dan addresses HIPAA enforcement, explaining both the regulatory provisions that govern it and how that enforcement plays out in practice. In addition to explaining the enforcement rule and how the OCR actually employs it, Dan offers practical guidance based on personal experience in helping clients navigate HIPAA breaches without having to pay penalties or enter into settlement agreements.
On December 20, 2022, the Department of Justice announced an almost $45 million settlement with BioTelemetry, Inc. and its subsidiary CardioNet, LLC to resolve allegations of False Claims Act violations arising from submitting claims to federal health care programs for cardiac monitoring tests. The claims were alleged to be false because a portion of the monitoring services were performed overseas. More specifically, CardioNet had sent certain tests for federal health care beneficiaries to be reviewed by technicians based in India. Medicare will not pay for services performed outside of the United States and its territories (e.g., Guam, Puerto Rico). Because the services in question were performed in India, the claims for them were rendered false. The settlement arose from a whistleblower lawsuit brought by two former CardioNet employees. Dan has examined these issues, and the complications associated with using offshore personnel to perform services, in “The Lure of Foreign Shores: Outsourcing of Overseas Health Care Functions.”
Artificial intelligence is burgeoning throughout society, with special significance in health care. In “Does ChatGPT Dream of Electric Sheep? Legal Implications of Artificial Intelligence in Health Care,” Dan Shay explains the terminology of AI, which has a lingo of its own, and then discusses how it actually works, including its very real limitations. Misconceptions abound here: AI is NOT a fancier Google. He addresses current applications of AI in health care and speculates on future uses. He then examines state and federal regulatory controls, presents some of the very small body of case law on point, and considers the HIPAA and fraud and abuse implications of using AI. This is a must read for anyone who has wondered what is realistic about AI in health care and how it can create legal liabilities.
In recent months, generative AI has become all the rage, with OpenAI’s ChatGPT launching for public use in November 2022, and several competitor systems launching as well, such as Google Bard and Microsoft Bing Chat. Generative AI programs such as these take massive amounts of information, compile it, and then learn to generate outputs that are statistically likely when a user submits a prompt. With programs like ChatGPT, one can ask it to create a story in the style of the Brontë sisters, write a traditional 12-bar blues song, or provide the user with the most recent copy of a Medicare manual. Moreover, the prompts can be “natural language” prompts. Thus, instead of learning specific search terms or ways to filter out specific results, one can simply write naturally and ask “What is the definition of PHI under the HIPAA Privacy Rule?” and the software should produce the proper result. We say “should,” however, because there are instances in which the software “hallucinates” results; in other words, the software uses its knowledge base to create a result that is based on elements commonly found in the material the user is asking about, but which the program has itself created out of whole cloth. For example, consider the recent case in New York in which lawyers used ChatGPT to conduct case law research, only to have ChatGPT produce cases that did not actually exist. Our own clients have fallen prey to such AI “hallucinations” when attempting to research Medicare compliance issues. In one instance, a client used two different AI chat programs to look up a Medicare rule, only to have each program provide a different answer, where each answer was completely created by the AI program and was wrong. (We know. We checked. Neither the specific chapter and section numbers nor the content presented by the chat bot existed.) Despite these hurdles, it is likely that generative AI will improve over time and become more reliable.
Nevertheless, we strongly encourage our clients not to rely solely on such resources and to consult with us when provided with information from such software. In the future, AI may prove to be a powerful tool for use within health care, but given the risks posed by relying upon a “hallucinated” result, we advise consulting with legal counsel first. We will not be relying on these resources, either.
In “Ongoing Best Practices for HIPAA,” Dan discusses the importance of ongoing HIPAA compliance efforts, such as staff training to be aware of PHI in context, and having policies and procedures in place to address how to mitigate HIPAA violations when they happen. This advice is all premised on the assumption that, at some point, something will go awry with HIPAA compliance. Nobody bats 1.000, but when things inevitably go wrong, effective preparations can help minimize the negative impact of the violation, and potentially avoid fines.
When things go wrong with software and IT providers, it is often almost impossible to find relief because of the way their contracts are written. Remarkably, then, a New Jersey health care provider was allowed to proceed with its lawsuit against two health care information technology firms that represented they could convert patient files from NextGen to Allscripts, computer software programs physicians use to track all aspects of patient care. Nearly 200,000 patient charts were corrupted when the conversion attempt failed. The plaintiff sued under the New Jersey Consumer Fraud Act, and the defendants argued the Act did not apply. The court had none of it. It found that the defendants had apparently offered a guarantee of results and professed expertise in such conversions when they had never performed one before. The court further found that the risk of harm was obvious, that the nature of the data was of public significance, and that the case could proceed. The decision offers tantalizing possibilities for contracting with IT and software vendors.
The use of offshore services and personnel in the delivery of health care has a long-standing presence. Yet state law, federal reimbursement principles, and other federal laws create barriers to the use of overseas personnel, resources, information technology, and more. Questions of whether supervision can be rendered from afar, licensure requirements, HIPAA restrictions, and Medicare reimbursement prohibitions create a challenging context in which to make these arrangements work. Dan Shay explores all of this and offers practical contractual language to use in any such undertaking in his article "The Lure of Foreign Shores: Outsourcing of Overseas Health Care Functions" in the 2021 edition of the Health Law Handbook.
On December 13, 2016, the 21st Century Cures Act was signed into law. Among other things, it sought to promote electronic health record (“EHR”) interoperability by prohibiting the practice known as “information blocking,” in which an EHR prevents the sharing of electronic health information (“EHI”). In addition, the Act sought to promote patient access to their own EHI. In May 2020, the Office of the National Coordinator for Health Information Technology (the “ONC”) published a final implementing rule, with compliance required by April 5, 2021.
Health care providers (including physicians), health information exchanges (HIEs), health information networks (HINs), and software developers must share a specified range of information with patients, subject to certain exceptions. While a patient’s right to access their records already exists under HIPAA, this new rule requires that the information be made available to patients without delay, such as through a patient portal. The regulations are complex and use terminology similar to that in the HIPAA regulations, but with different definitions (e.g., a “health care provider” is defined differently under the two sets of rules). Notably, delaying the availability of data counts as blocking it.
As a practical matter, health care providers must examine their policies and procedures and revisit how and when they provide patients access to their EHI. This issue may be especially concerning to physicians who are not used to providing patients with such wide-ranging access to their records, or who otherwise place limits on how and when information is shared with patients (e.g., “We don’t send lab results to the patient portal until 2 days after the doctor has reviewed them.”). Existing practices and policies that restrict patient access to information will need to be carefully reconsidered. Dan has developed a DFS List as a practical checklist for beginning to confront this challenge.
Electronic health records (“EHRs”) are a fact of life in the current healthcare industry, with adoption of EHRs having increased steadily since the early 2000s, and especially in connection to Medicare’s Meaningful Use program. But most physician practices will not keep the same EHR software forever. Changes in certification requirements, software obsolescence and patches that change how the software functions, as well as practice mergers and sales can all lead physicians and physician practices to switch EHRs. In “Maintaining EHR Records Access – Legal and Technical Risks”, Dan discusses what happens to physicians’ records when switching EHRs. It is a physician’s duty to maintain access to their records, and this article provides insight into issues surrounding this subject.
In “What Are the Legal Risks Associated with Social Media and Online Review Sites?”, Dan examines potential problems for health care practitioners in the social media context, and with respect to online review sites. Managing one’s online reputation is a relatively new business aspect for those in health care, and sometimes one’s initial instincts may not be the smartest move. This article discusses both practical and legal considerations that health care practitioners should bear in mind before deciding how and when to respond online.
With the renewed emphasis on 'transparency' in health care quality policy, more and more quality information about providers will be made available. The commercial value of provider data is also increasing. Providers enter into many contractual relationships in which data about them may be in play, even when that is not the focus of the relationship. For example, a managed care contract, a practice management company relationship, obtaining an electronic medical record system from a software vendor, or hiring a billing company are all relationships in which significant provider data will be at issue. In "Commerce in Provider Data: What, Why and Provider Contractual Controls," Daniel Shay looks at what is proprietary to a provider, considers who is reporting data and why, and, drawing on actual contract language as well as case law, addresses the contractual protections providers should consider when entering into relationships with a range of other entities.
The last five years have seen a relentless call for the dissemination of information technology to improve quality and lower costs in health care. Electronic health records (EHR) have been touted as the first and most important step toward a real technology revolution. For physicians, though, the cost of EHR implementation has often proven prohibitive. The Stark and anti-kickback protections for donated EHR systems were expected to jumpstart this effort. Not so fast. In his consideration of downstreamed EHR licenses, Dan Shay takes his primer on EHR license agreements a step further by explicating the special complications of tri-partite license agreements. What happens on termination is at least as important as what is entailed in implementation.
For quality to advance in this country, it is becoming increasingly clear that universal electronic medical records will be necessary. Proposed regulations permitting hospitals to provide record systems to their physicians have been published under Stark, and many physician practices are looking to obtain these programs. Whatever the source of an electronic health record system, there will certainly have to be a license agreement by which the practice obtains access to the software, unless the practice builds its own. In "A Primer on Electronic Health Records License Agreements," Daniel Shay reviews the context for these contracts, elucidates their common features based on reviews of real-life documents, and points out pitfalls that physician practices should avoid in obtaining access to these vital practice tools. In a practical, easily applied companion to the deeper issues addressed in the primer, Daniel has also offered guidance on “Top Ten Questions To Ask When Looking At An EHR License Agreement.”