New York City hospitals suffer enormous data breach

New York City's Health and Hospital Corporation notified its patients last week of a loss of electronic files containing personal data, including PHI of some 1.7 million people. Electronic files were stolen while the information management company's van was left unlocked and unattended.

This case should serve as a great reminder to:

  • check your existing contracts - including Business Associate Agreements - with HIT and health information management vendors, to see if such agreements contain appropriate clauses indemnifying the provider against costs, losses, fines and other expenses incurred as a result of the vendor's loss or improper disclosure of protected personal data, including PHI;
  • make sure that those same contracts do not impose a cap on the vendor's liability in the event of such a breach;
  • confirm that you have a proper breach response plan in place (which should include, e.g., where applicable, procedures for notifying patients in foreign languages); if not, bring together management, legal, IT and privacy and security officers to develop such a plan as soon as possible; and
  • review your policies and procedures with respect to compliance with the HIPAA Privacy and Security Rules, especially as modified by the HITECH Act.


Via the New York Times:

On Wednesday, the agency started mailing notification letters to the victims, in 17 languages, announcing an information hot line and customer care centers at both hospitals, and offering free credit monitoring and fraud resolution services for one year. Those interested in the offer have 120 days to register. The notification text is also available online.

The hospitals corporation said it had taken “decisive steps to protect the individuals who are potentially affected,” even though there is no evidence the information, contained on computer backup tapes that were being delivered to “a secure storage location,” has been accessed or misused. It also said that the data is stored in a program “that would make it difficult for someone without technical knowledge to access the private information.”

The hospitals corporation has filed suit to hold the vendor, GRM Information Management Services, responsible for covering all damages related to the loss of the data.

For more information, please listen to or view the slides from our Webinar on negotiating "must-have" provisions in HIT contracts.

WSJ: Major consolidation among HIT vendors likely

The HITECH Act added over $27 billion to an industry whose publicly traded companies' market cap is below that, around $25 billion. Such dramatic expansion of the industry will likely lead to significant consolidation among HIT vendors. We have already seen a merger between Eclypsis and Allscripts this summer (which became final last month); and now Cerner, another leading HIT vendor, has entered into a partnership with MedAssets, Inc., a company that specializes in Internet-based financial improvement systems. Via the Journal:

As that funding makes its way to health-care IT companies, it's likely to necessitate a lot more consolidation in an industry that's currently very fragmented. For instance, hospitals are not only looking to reduce the number of different IT systems they use in-house, they also want more seamless ways of connecting to doctors' offices and insurers.

"We're at the beginning of the single fastest transformation of any industry in U.S. history," said Glen Tullman, chief executive of the health-care IT company Allscripts Healthcare Solutions Inc. (MDRX). <...> Tullman said he expects a lot more deals to come in the industry. He said that some of that consolidation will likely take place among the companies that provide IT systems to hospitals, a list that includes Allscripts, privately held Epic Systems Corp., General Electric Co. (GE), Cerner, Germany-based Siemens AG (SI), McKesson Corp. (MCK) and privately held Medical Information Technology Inc., commonly known as Meditech. Tullman declined to comment on what companies he expects to make deals.

You can read more at the Wall Street Journal web site here.

"Health-Care IT Sector Shaking Up As Medical World Goes Digital," Wall Street Journal (October 15, 2010).


Connecticut radiologist breaches privacy of hundreds

HealthImaging.com reported yesterday that a Connecticut radiologist, previously affiliated with the Griffin Hospital in Derby, Conn., "accessed patient radiology reports on the hospital's PACS using the passwords of other radiologists and an employee within the radiology department. The passwords were obtained and/or used without their knowledge." From HealthImaging.com:

From the investigation conducted by Griffin, it appears the radiologist who gained unauthorized access scanned the PACS directory listings of 957 patients who had radiology studies performed at Griffin during the period and selected and downloaded the image files of 339 of these patients.

On and after Feb. 26, Griffin received inquiries on behalf of patients regarding unsolicited contact by the physician who offered to perform professional services at another area hospital despite the patients' interest in having those services provided at Griffin. The inquiries prompted the investigation that revealed unauthorized intrusions into Griffin's PACS and, thereby, the breach of protected patient health information.

This should remind healthcare providers to maintain the safeguards necessary to prevent wrongful access to patient data. For example, and there is no indication that this is what occurred in this case, clinicians and other hospital staff should not keep their system passwords on sticky notes next to or on their monitors. Even if you believe that everyone in your office is fully trustworthy, you never know who can get hold of such restricted information as usernames and passwords. The reputational and financial damage to your organization could be very substantial, and your contract with the PACS system vendor is unlikely to indemnify or protect you from such losses.

"Radiologist breaches data, images of nearly 1,000 patients via PACS," HealthImaging.com (March 31, 2010).

Steve Fox Interviewed on Negotiating EHR Agreements

As if foreshadowing our upcoming webinar on negotiating EHR license agreements in the post-HITECH world, For the Record interviewed our own Steve Fox on this very subject in its February 15, 2010 cover story:

Steve Fox, senior partner and chair of the IT group at the law firm Post & Schell, says such strategies will be critical to an implementation’s ultimate success. For instance, he says vendors’ guarantees that their platform will meet meaningful use thresholds should be discounted.

“I’d be surprised if [satisfying] the final regulations will be achieved by a vendor doing anything,” he says. “Ultimately, it will be up to individual physicians’ offices or provider organization to achieve meaningful use, and in order to do it, they will need that vendor’s help. I have to laugh when I see those guarantees, ‘If you buy our product, you’ll achieve meaningful use,’ because nobody can make that claim. On the other hand, the failure of the vendor’s product can cause you to fail to achieve meaningful use. That’s why it is so important that you have tight provisions in the contract saying that whatever you want that vendor’s product to achieve, it will meet those particular objectives.

“Many vendors use the phrase ‘We don’t know what we don’t know’ as a way to say they can’t try to comply with future regulations, but our position is if you are in the HIT arena, you have to agree up front to comply with whatever they are,” he adds.


You can read the full article here.

"IT Vendor Negotiations in the ARRA Era," For the Record (February 15, 2010).

Timely advice: Begin preparations for "meaningful use" now

Our collaborator and friend James Oakes, a Principal at Health Care Information Consultants, LLC in Baltimore, Md., authored a wise and timely call for action for healthcare providers hoping to capitalize on the incentive payments for meaningful use of certified EHR technology included in the HITECH Act.

The article, appearing in BNA's Health IT Law & Industry Report, argues that even though the HHS has yet to produce final regulations defining such key HITECH Act terms as "meaningful use" and "certified EHR technology," healthcare providers should not wait any longer to begin planning for the transition from paper to digital records, or the likely required updates to existing EHR systems:

Given the uncertainty surrounding these issues, a number of providers have elected to delay any action towards selecting and implementing an electronic health record (EHR) for their institution until answers are made available, reasoning that they want to know as much as possible before committing to a direction. However, providers who take this path may put themselves at risk for forfeiting eligibility for ARRA funds at all, given the time to execute and implement systems.


Oakes suggests several initial steps to EHR implementation:

  1. Gain a high-level understanding of the basic provisions of ARRA and the HITECH Act.
  2. Develop a realistic plan for your institution based on your assessment of the level of automation that is right for your circumstances, environment, and budget.
  3. Discuss the implementation, transition and any relevant software changes with your current health IT vendor. Considering the huge increase in demand for HIT services, it is important to secure your vendor's support and involvement early on, so that your organization does not end up at the end of the line.
  4. Know the health IT market, because your organization will benefit from having the most customized solution (as opposed to, e.g., the most expensive or feature-rich one), at the right price.

"Get started!" urges Oakes:

Going through all of these steps will not be accomplished overnight. Indeed, past experience suggests that if a hospital has not started these steps already, it will take from 24 months to 48 months for a mid-sized hospital to transition from planning to live operation, including full use of clinical capabilities. Given that ARRA incentives start phasing down in FY 2013 for physicians (2014 for hospitals), it is not beyond the realm of possibility that an institution that waits too long to start could find itself shut out of maximum incentive payments.

You can find the full article, courtesy of BNA's Health IT Law and Industry Report, here.