By Edward F. Shay, Esq.
The informatics revolution has hit the health care industry full bore, and one estimate projects that annual expenditure on health care informatics will grow from $11 billion in 1995 to $21 billion in 2000. Examples of the informatics revolution dominate the headlines in health care. In both the public and private sector, connectivity and database transactions abound.
Since June, 1998, HCFA has required Medicare and Medicaid participating nursing facilities to electronically submit individually identified health information from a uniform resident assessment form to a national resident assessment database which will be used to develop survey tools, perform quality studies and facilitate comparisons with HCFA’s database on facility deficiencies.
Healtheon, Inc., a Silicon Valley pioneer of health care EDI, has bet its future on its ability to electronically connect the 1250 physicians in California’s giant Brown and Toland IPA via the Internet.
United Health care Corp., long recognized as an innovative manager of health plans, has established an entire knowledge and information initiative built around its subsidiary Applied Health care Informatics, Inc. Applied has grown to $170 million in revenue in two years.
Kaiser Permanente, one of the nation’s largest managed care organizations, has contracted out to Sequent and Hitachi to establish and manage a database for 45 million prescriptions annually generated by Kaiser members.
Along the way, these companies will gather, mine and recompile data into customized reports for thousands of customers on a virtually limitless range of data-driven inquiries, including health status risk adjustment, drug utilization, reactions and prescription recalls, hospital utilization by diagnosis, physician practice patterns and patient compliance.
The informatics revolution is driven by four related factors, as follows:
• From plan enrollment to claims submission, most health care information exchanges are, or soon will be, an electronic data interchange (EDI).
• Providers have assumed significant financial risk from managed care organizations. Managing risk on thin margins requires radically enhanced data analysis and real-time management tools.
• HIPAA has mandated EDI transaction standards, security standards and privacy legislation. Standardization of data will greatly facilitate systematic data analysis, comparison and quality initiatives.
• The out-year cuts in the Balanced Budget Act are already driving a search by providers and their vendors for new and better management tools to assess value and rationalize care.
The legal system is scrambling to adjust to the fast-paced world of health care informatics. Existing state medical record and confidentiality laws were written for the paper record era. Weekly, these laws are being examined in informatics transactions to determine how they apply to interstate EDI networks which transmit sensitive, individually identifiable health care information. Below is a brief synopsis of recent legal developments which apply to health care informatics and EDI transactions. Collectively, they represent the beginnings of an emerging body of law particularly applicable to health care informatics.
Regulatory Developments: HIPAA and Standardization
Over the next three years, electronic information exchanges in health care will change dramatically. Each major sector of the health care industry will be directly and significantly impacted by these developments.
This change will be driven by the administrative simplification (AS) amendments included in the passage of HIPAA. With respect to electronic exchanges of health information, HIPAA requires the following:
• The Secretary to adopt standards for health care financial and administrative transactions which involve the electronic exchange of health information.
• Development of unique identifiers for individuals, employers, health plans and health care providers.
• Selection and adoption of code sets.
• Adoption of standards for electronic signatures.
• Adoption of security standards.
• Imposition of penalties for noncompliance.
HCFA published three proposed rules which are the leading edge of the rollout of AS. One proposed rule involves unique identifiers for providers and the second proposes standards for eight types of electronic transactions and code sets for use in those eight transactions. The third proposed rule addresses data security and electronic signature standards.
HCFA has proposed a rule on a uniform standard health care provider identifier and requirements concerning its implementation. All providers must obtain and use the national provider identifier supported by HCFA, which consists of an eight-position alphanumeric identifier. The identifier must be used by all health plans, all health care providers and all health care clearinghouses in regulated electronic transactions.
HCFA has also proposed a rule on standards for eight specific types of electronic health information transactions as follows:
• Health claims/encounter information.
• Health claims attachments.
• Enrollment/disenrollment in plans.
• Payment and remittance advice.
• Premium payment.
• First report of injury.
• Health claim status.
• Referral certification/authorization.
For each of the foregoing, HCFA has selected a specific industry-recognized standard. Extensive implementation guides will support each standard. The standards will apply to all electronic transactions involving health plans of all types (not just federal), health care providers (a term which has been broadly construed), and health care clearinghouses (defined to mean any entity which converts nonstandard data into standard data).
HCFA’s proposed security and electronic signature rules are part of HIPAA’s larger effort to maximize the privacy environment in the exchange of individually identifiable health care information. As proposed, the rules will establish a set of guidelines to enable all parties to fashion appropriate security policies and technological procedures.
The proposed rules address:
• A certification process.
• Contingency plans.
• Applications and data criticality analysis.
• Information access controls.
• Audit trails.
• Personnel security policies.
• Incident procedures.
• Risk management processes.
• Training and sanctions.
In their proposed form, the rules are silent on sanctions. HCFA anticipates that several accreditation organizations (e.g., NCQA and JCAHO) will use the standards in their reviews. If so, the proposed security rules could acquire significance in the accreditation context well before they become a government mandate.
Statutory Penalties: HIPAA’s Big Stick
HIPAA added significant penalties for improper disclosure of “individually identifiable health information,” which includes any information created or received by a provider, health plan, employer or clearinghouse that relates to an individual’s past, present or future physical or mental health condition, provision of care or payment of care, and which identifies or gives reason to believe that it could be used to identify the individual.
Any person who knowingly misuses a unique health identifier, or knowingly obtains or discloses individually identifiable health information, may be subject to penalties of $50,000 to $250,000 and imprisonment.
Contractual Developments: Ownership of Records and Health Care Information
Underlying the entire health care informatics industry is the basic issue of who owns data and how data may be used by others. There is limited public law on this question and parties almost invariably address the issue as a matter of private agreement. Generally, the law in most states gives ownership of the medical and business records to the provider who creates the records, subject to a general duty of confidentiality and in some states a right of access for patients to their own records.
Ownership of data is a current issue in managed care contracting. For two years, Aetna U.S. Healthcare (AUSHC) has been asserting a claim of joint ownership of health care information relating to its members in its managed care contracts with physicians, hospitals and other AUSHC providers. In the face of relentless criticism from the AMA and other medical societies, AUSHC has withdrawn its assertion. In Florida, the State Insurance Commission invalidated the AUSHC physician agreement specifically on the joint ownership of records issue.
AUSHC’s contractual position could have been intended to cure one of the weakest fundamentals in health care informatics, namely, that patients and plan members almost never consent to the disclosure or downstream use of individually identifiable health care information. Even the most casual review of typical plan enrollment waivers discloses that plan members would never anticipate from those waivers the use of their health care records in sophisticated health care informatics products. Thus, in the negotiation of any health care informatics transaction, intense negotiation of data ownership, permissible use and appropriate representations and warranties almost always precedes the grant of specific rights to use data.
Judicial Developments: Confidentiality as the New Mass Tort?
Health care informatics is causing a reexamination of general theories of liability. Health care informatics has the ability to gather, combine, analyze and create from diverse health care data an impressive array of reports, studies or data products.
Recently, the Washington Post described a prescription recall program utilized by CVS in conjunction with a marketing firm and Glaxo Wellcome, a pharmaceutical giant. Shortly following the Post article, a class action suit was filed in Superior Court in Massachusetts alleging violation of the Massachusetts Privacy Act. The complaint sought designation of a class on behalf of “millions of CVS customers” and seeks injunctive relief and damages on their behalf. The case is pending.
Two other recent decisions involve unauthorized diagnostic tests in search of unwarranted individual health information. Each case resulted in significant findings of liability which foreshadow other coming battles in health care informatics.
In essence, these cases hold that persons ordering and performing unauthorized tests are not permitted to know sensitive information about an individual. The logic of these cases suggests that, unless clearly authorized, data warehouses face similar liability for accumulating or recompiling individual data into revealing but intrusive patterns of individual behavior.
Enabled by accelerating technology and driven by relentless cost pressures, the health care industry is embracing health care informatics as never before. Parties to health care EDI transactions must focus on a range of transactional issues and state and federal requirements. At a minimum, these issues include: who are all of the parties (e.g., direct parties, their outsource vendors, software licensors, etc.) at the virtual table in a health care EDI transaction; who among these direct and indirect parties is authorized to use data, and to what extent; who indemnifies whom for contemplated but perhaps unclear uses of sensitive data; and who will bear the cost of compliance with HIPAA’s transaction standards and/or security standards.
Already, regulators are burying in their rules constraints on entities who are not direct parties to health care EDI transactions. For example, HCFA has cautioned nursing facilities that their data processing agreements with contracted agents submitting resident assessment information should restrict data use to avoid violating HIPAA’s nondisclosure penalties.
Clearly, in the accelerating world of health care EDI, hard legal questions abound and clear answers are few.
Edward F. Shay, Esq., is a partner at Saul, Ewing, Remick and Saul, LLP, in Philadelphia.