
SHARING CLINICAL DATA: Legal and Privacy Issues

SHARING CLINICAL DATA: Legal and Privacy Issues. Health Information Technology Summit September 8, 2005. Marcy Wilder Hogan & Hartson LLP 555 13th Street, NW Washington, DC 20004 (202) 637-5729 mwilder@hhlaw.com. Legal Issues Overview. Data Privacy (and Security) Fraud and Abuse


Presentation Transcript


  1. SHARING CLINICAL DATA: Legal and Privacy Issues. Health Information Technology Summit, September 8, 2005. Marcy Wilder, Hogan & Hartson LLP, 555 13th Street, NW, Washington, DC 20004, (202) 637-5729, mwilder@hhlaw.com

  2. Legal Issues Overview
     • Data Privacy (and Security)
     • Fraud and Abuse
     • Anti-Trust
     • Medical Malpractice

  3. Data Privacy in a Hub and Spoke Model

  4. For Each Participant Determine HIPAA Status
     • Covered Entity
     • Business Associate

  5. Most Participating Institutions and Organizations are Covered Entities
     • Most Hub Organizations are not Covered Entities
     • Clearinghouse exception

  6. Is Hub a Business Associate?
     • Factors to Consider:
       • Managing data on behalf of participants
       • Data access rights for any purpose
       • Merely a conduit (like the phone company)

  7. Usually, participants that exchange data through the Hub are not business associates of each other.

  8. Legal Obligations

  9. Business Associate Agreement (can be included in master contract)

  10. Covered Entity …
     • Is liable for actions of business associate only if the Covered Entity has knowledge of a breach and fails to act.
     • Is required by contract to notify business associate of breach.
     • Should have procedure for escalation and remediation.

  11. Privacy and Security Oversight of the Hub
     • Business judgment
     • Sensitivity of data and reputational harm that can result from breaches suggests some diligence is appropriate, even if not required by law.
     • Third party can monitor or certify compliance with standards.
     • Audit requirement is two-edged sword.

  12. Privacy Policies

  13. Policies Should Increase in Specificity as Sub-Unit Grows Smaller
     • NHIN
     • SNO
     • Participant

  14. Policies Needed For:
     • Notice to Consumer
     • Uses and Disclosures of Health Information
     • Information Subject to Special Protection (HIV, substance abuse, mental health)
     • Minimum Necessary
     • Role-Based Access
     • Amendment of Data
     • Requests for Restrictions
     • Mitigation
     • Limited Data Sets/De-identification

  15. Patient Control of Records

  16. What HIPAA Requires
     • Treatment
     • Payment
     • Health Care Operations
     • Public Health
     • Research

  17. Should Institutions Go Beyond HIPAA?
     • Notice and Opt-Out
     • Prior Consent

  18. Other Legal Issues

  19. Stark and Anti-Kickback
     • Structure and Financing of RHIO ~ SNO
     • Outfitting physicians with HIT (community-wide health technology exception inadequate)
     • Current exceptions inadequate

  20. Anti-trust
     • Does RHIO ~ SNO advantage some providers over others?
     • To the extent the benefits can be shown to outweigh anti-competitive impact, they are not likely to violate federal anti-trust laws.

  21. Medical Malpractice
     Concern among physicians that availability of information will increase potential liability.
     In the end, the net effect of EMR will likely be to improve care and lower liability risks.
     At this point, the liability question is unanswered and the cause of significant anxiety among some physicians.
