Data mining by hospitals may be profitable, but not risk-free

USA Today published a story yesterday about hospitals using aggregated consumer data to market their most lucrative services. The article describes several instances in which such direct marketing efforts yielded significant profits for the hospitals.

We see healthcare providers using aggregated and de-identified data on a regular basis, both for marketing and for research. We also see third-party vendors (including EHR vendors) adding data mining provisions to their license agreements, which allow the vendor to use the healthcare provider's de-identified patient data for the vendor's own internal and commercial purposes.

While these practices are widespread and are becoming standard, they are certainly not risk-free. Healthcare providers should keep in mind that the HITECH Act, and the HIPAA Privacy Rule changes implementing it, impose significant new restrictions on covered entities' marketing activities. Providers should make sure that their own marketing efforts, as well as the marketing activities of their subcontractors and business associates, fully comply with these requirements. This may require revisions to existing contracts, including Business Associate Agreements, between providers and IT vendors.

Healthcare providers should also insist on full indemnification by the IT vendor against all claims and damages arising out of the vendor's use of the provider's de-identified patient data. Studies have shown that data is often de-identified incompletely (so that it remains protected health information), and that even properly de-identified data can be re-identified by linking it with other available data sets. Providers should protect themselves contractually before allowing the vendor to access and use the hospital's data (including patient data).

The above is certainly not an exhaustive list of the potential issues associated with data mining by healthcare providers and their business partners. But the USA Today article should serve as a good reminder that healthcare providers engaging in such data mining and marketing activities must protect their organizations from liability for damages relating to such data use.

"Hospitals mine patient records in search of customers," USA Today (February 5, 2012).

Major breach at a New York hospital affects over 130,000 patients

Lincoln Medical and Mental Health Center (LMMHC) in New York suffered a major breach affecting 130,495 of its patients, according to a notice provided to HHS. The breach occurred when the hospital's contractor, Siemens Medical Solutions USA, shipped seven CDs containing patient information via FedEx; the CDs were password-protected but not encrypted, and they were lost in transit. Via Bloomberg Business Week:

The CDs were sent by the hospital's billing processor, Siemens Medical Solutions USA, around March 16, but never arrived at their intended destination. They included sensitive health and personal information including Social Security numbers, addresses, dates of birth, health plan numbers, driver's license numbers and even descriptions of medical procedures, the hospital said on a note posted to its Web site.

<...> Siemens is no longer FedExing CDs to Lincoln, the hospital said. It is not aware of any of the data being improperly accessed.

LMMHC's breach should serve as a reminder to all healthcare providers currently negotiating health IT contracts to include proper protections in the event the vendor causes a breach or loss of protected data. This is particularly crucial in the post-HITECH Act era. Under the HHS guidance issued under HITECH, protected health information is considered "secured" only if it has been encrypted in a manner consistent with NIST standards (or destroyed); merely password-protecting a file or disc does not qualify, so the loss of such media is a reportable breach.

We always include specific warranties of compliance with privacy laws, indemnification clauses, and carve-outs from the limitation of liability for the vendor's own negligent acts or omissions that result in a data breach or loss. LMMHC's example clearly illustrates that providers must insist on such protections, often over strenuous objections from vendors. Otherwise, providers may be exposed to a wide range of expenses and damages from third-party claims, fines, investigations and breach notification costs associated with a data breach or loss resulting from the vendor's actions.

For more information, please listen to or view the slides from our Webinar on negotiating "must-have" provisions in HIT contracts.

"New York hospital loses data on 130,000 via FedEx," Bloomberg Business Week (June 29, 2010).