Businesses must consider the way they handle electronic health records ("EHRs"), not only to comply with the Health Information Technology for Economic and Clinical Health Care Act's ("HITECH Act") mandates, but also because EHRs are now the predominant form of evidence in regulatory proceedings and litigation related to health care.
Health care stakeholders have digitized information for years, with caregivers increasingly communicating with each other and with patients by email; lab results and radiology images stored and disseminated electronically; and claims and reimbursements handled electronically. This transition gained considerable speed as a result of the HITECH Act, which provides monetary grants (and imposes severe penalties) in order to expedite the transition to EHRs under the American Reinvestment and Recovery Act of 2009 (i.e. the Obama stimulus package).
The Expansion of the Health Insurance Portability and Accountability Act ("HIPAA")
In order to adapt to the changing landscape of electronically stored health information generated and maintained by health care stakeholders, the privacy and security rules of HIPAA have been revised and expanded. The need for these revisions is evident: breaches of privacy and security have become headline news. Health care organizations thus face increased exposure to enforcement proceedings by regulatory agencies at the federal and state level, as well as surveys and external and internal audits. Moreover, HIPAA now grants jurisdiction to state attorneys general to pursue violations of that statute, significantly increasing the potential for enforcement.
HIPAA mandates that covered entities -- health care providers, health plans, and clearinghouses -- preserve data used for treatment, payment, or hospital operations in a secure environment, and also governs access to and disclosure of protected health information, defined as "individually identifiable health information." HIPAA's privacy and security rules were significantly expanded by the Obama stimulus package. For example, covered entities are now exposed to increased regulatory scrutiny in the form of audits by the Office of Civil Rights of the U.S. Department of Health and Human Services. Moreover, state attorneys general now have concurrent jurisdiction to prosecute HIPAA violations.
HIPAA remains only a floor for medical confidentiality. State laws are often more demanding in their restrictions on disclosures of patient information. One of those requirements is documenting a protocol for records retention, including responsibilities such as disclosure and deletion. For example, a New York appeals court upheld a $300,000 punitive damages award for violation of a patient's privacy instructions under New York's Public Health Law on the ground, among others, that the violating facility had no written policy or procedure and no training protocol for implementing the putative privacy practices. And even before the stimulus package's expansion of HIPAA's scope, Seattle-based Providence Health & Services, which had failed to protect patient information stored on a variety of portable and backup media, was fined $100,000 and forced to institute a costly, detailed corrective plan to protect against future loss of electronic information. Federal district courts have also held that failing to assess readiness to produce electronic health records when they are demanded by an audit, investigation, or litigation constitutes gross negligence.
Mitigating risks and costs associated with electronic health records
The primary form of information sought in regulatory proceedings, audits, surveys, and litigation will be electronically stored records. For the non-governmental entity in this equation, EHRs require careful management on multiple levels. At the very minimum, a business entity must know:
- How its electronic health information is created;
- Where such records are stored within the enterprise;
- How best to access this data for collection and reporting;
- How its data is backed up; and
- All relevant retention policies and schedules applicable to the data in order to respond to requests for the production thereof.
This is no easy feat. For those inevitable instances when relevant data cannot be produced, well-designed protocols for preservation and management of data must be documented so that the system of data preservation can be defended and the risk of penalties and sanctions mitigated.
In order to mitigate risk and reduce costs associated with EHRs, an enterprise must be able to meet the demands of producing such records in any audit, governmental investigation, or litigation. This often begins with electronic discovery. Because deadlines to respond to demands for health care records from state and federal authorities are often very short, enterprises should be prepared for significant e-Discovery campaigns. In assessing their own readiness to meet legal and/or regulatory disclosure requirements, enterprises must:
- Assess their current policies and technologies associated with the organization's existing electronic discovery response process;
- Identify gaps between current practices and best practices; and
- Bridge any such gaps and improve their ability to respond to e-Discovery obligations.
Using legal holds to preserve information for litigation
Legal holds are used to preserve all forms of relevant information where litigation is reasonably anticipated. They are thus one of the primary means by which a health care organization can protect itself when faced with regulatory proceedings, audits, investigations, or litigation. Mitigation of risk and cost lies not only in the ability to move quickly to identify and preserve relevant EHRs, but also in the ability to suspend routine deletion and/or destruction of pertinent data and issue legal notices to all custodians of relevant data once an obligation to preserve that data arises.
Managing legal holds often intersects several departments or divisions, especially corporate counsel, information technology, risk management, and compliance. Such management must be carefully coordinated as soon as third-party scrutiny begins. Failure to preserve relevant data can result in sanctions up to and including an adverse judgment in a lawsuit. Enterprises should thus:
- Implement mechanisms for determining when the need for a legal hold has been triggered;
- Identify which electronic records must be preserved, including identifying custodians of data, employees with specialized knowledge, as well as data repositories;
- Establish a plan to preserve the EHRs; and
- Implement and manage the preservation of records as well as the hold process itself.
Health care stakeholders face increasing cost and time pressures as the volume of EHRs grows, and as regulatory and legal demands for that information grow with it. Effectively controlling the impact of these demands is no longer a luxury, but rather a business imperative that is nothing less than mission critical.
Ben Kerschberg is a Founder and the Chief Operating Officer of Consero Group LLC. Mr. Kerschberg has a Bachelor of Arts in Foreign Affairs and German, summa cum laude and Phi Beta Kappa, from the University of Virginia and a Juris Doctor from Yale Law School, where he was a Coker Fellow. He clerked for the Honorable Gilbert S. Merritt, Chief Judge of the U.S. Court of Appeals for the Sixth Circuit.
Consero's Government IT Forum will take place March 6-8, 2011 in Clearwater, Florida.