Twitter and Patient Privacy Rights

[Installment 2 - Governance Considerations from HIT for the Board and Other Hospital Stakeholders]

This is the second in a series of blog posts that relate to the governance concerns surrounding HIPAA, HITECH and HIT. It is, however, not the second posting that I had originally planned. A front-page article on May 25, 2009 in the New York Times by Pam Belluck, entitled “Hospitals Using Internet to Interact with Public,” prompted me to write on this topic as part of the series.

In her article Ms. Belluck stated, “Faced with economic pressures and patients with abundant choices, hospitals are using unconventional, even audacious, ways of connecting directly with the public.” She then reports that hospitals are using Twitter and transmissions from the operating room to communicate with the public on surgical results and YouTube to actually show surgery.  

This is seen by Ms. Belluck as a controversial approach to publicizing new procedures, to compete and attract patients and to stimulate contributions. In this day and age of increasing regulatory activity and heavy penalties for violations of HIPAA and state healthcare privacy and security rules, the Twitter practices should be subjected to careful scrutiny at the highest level by the governing bodies of hospitals.   The image of the hospital and its own sense of what are proper and acceptable marketing practices, the risks of legal or ethical violations from unwarranted communications, and the impact on publicity policies can be undermined by the uncontrolled actions of individuals.  The concept that the results of a complex surgical procedure can be meaningfully compressed into a rapid-fire, 140-character disclosure to the world can be somewhat perplexing.

The practice of using Twitter from the operating room to report on results is very risky and has serious implications for patient privacy. It may be a violation of existing laws or the general right of an individual to privacy.  It is always possible or even likely that the identity of a patient may become public, directly or indirectly, especially if the Twitter communication relates to a novel procedure. It is one thing to have a patient knowingly participate in publicity on YouTube and quite another to have someone send a Twitter message from the operating room while the patient is still recovering from anesthesia.

It is of equal concern that there is no control over the Twitter communications from the operating room. Anyone could make the transmission, which can be premature, totally erroneous and/or misleading.  It is a circumstance in some ways similar to the situation that judges are confronting from jurors who are sending Twitter or e-mail messages on the proceedings from the courtrooms of widely-publicized cases while the trial or jury deliberations are going on. Some judges are even prohibiting all electronic devices from being brought into the courtroom or jury deliberation room. In the case of the operating room there is the additional factor of the possibility that electronic transmissions from Twitter or e-mails may adversely affect or interfere with the normal operation of surrounding medical equipment.

The matter goes further. Will there be additional communications from the Tweeter or the hospital if the patient later develops complications or even dies? If the next patient who undergoes the same procedure does not fare well, will that be communicated through Twitter or other means to avoid misleading the public? How will the hospital control Twitter activity if it chooses to endeavor to do so? 

These questions and others should be properly considered at a high level in the hospital, with board oversight, in order to avoid or mitigate liability, maintain the hospital’s reputation for candor and transparency and avoid the adverse publicity of regulatory violations and penalties.  It is likely that the board should require that the hospital’s code of ethics address in greater detail how and when, if at all, electronic communications relating to patient procedures are communicated to the public and the nature of the patient consent that will be required.

Putting ARRA Money in the HIPAA/HITECH Enforcement Mouth

In accordance with the 90-day deadline established for an operating plan to be submitted to Congress on expenditures related to the $2 billion appropriated under the American Recovery and Reinvestment Act ("ARRA") relating to health information technology ("HIT"), the Office of the National Coordinator ("ONC") has submitted its proposed ARRA Implementation Plan to Congress. The Plan's proposed Funding Table is as follows:

| | Total Appropriated (Dollars in Millions) |
|---|---|
| Privacy and Security* | $ 24.285 |
| National Institute of Standards and Technology (NIST) | 20.000 |
| Regional HIT Exchange | 300.000 |
| Unspecified | 1,655.715 |
| Total towards HIT | $ 2,000.000 |

* Includes 9.5 Million for audits by OCR and CMS.

Of particular interest to many should be the Privacy and Security Spend Plan section. It specifies that over $24 Million of the federal dollars made available through ARRA would be spent on activities such as enhancing enforcement. More specifically, the Plan indicates that the ARRA funding "will enable the Centers for Medicare and Medicaid Services (CMS) and the Office for Civil Rights (OCR) to carry out mandated audits, make modifications in their case and document management systems, and train State Attorneys General on their new enforcement role." The Plan even aims to have State Attorneys General trained and ready to enforce HIPAA and HITECH by the end of the Third Quarter of 2009, or around September 2009! If completed according to schedule, then the federal government could have a bastion of new HIPAA/HITECH enforcement soldiers on the ground and ready when the interim final regulations for implementing breach notification for covered entities and business associates are released on August 18, 2009.

For a copy of the entire Plan, visit HHS' Recovery Website.

Governance Considerations from HIT for the Board and Other Hospital Stakeholders

[Installment 1]

The pressure on healthcare providers to convert to electronic medical records (EMR) as part of the overall HIT movement has increased dramatically in recent months. Promulgations from HHS and FTC, the federal stimulus package and HITECH, which recently heavily amended HIPAA, create new challenges for healthcare providers.

Over the next several months, my blog entries will discuss some of the threshold issues that face the manifold stakeholders in the hospital industry as they struggle to cope with the new and somewhat uneven landscape of HIT. The earlier entries will deal with the Boards and their responsibilities to their hospitals and other stakeholders with respect to HIT.

Boards of Directors and Trustees of profit and non-profit hospitals have been dealing for years with the ever-increasing costs of HIT for hospitals. Annually they are presented with a menu of costly budget items for investment in HIT. They have dutifully authorized and seen the inexorable growth of IT departments within their hospitals and have become almost inured and resigned to the inevitability of continued spiraling costs, often without any tangible results in the eyes of the Boards. Now they will be confronted by new and different costly demands respecting HIT in the face of an active controversy as to what will and should be the shape of future HIT initiatives.

The May 11, 2009 edition of The Boston Globe carried an article by Carolyn Y. Johnson, entitled “Digital Medical Records Push Exposes Potential Side Effects.” Its thrust was that, even with $19 billion to be spent by the stimulus package to support EMR investment and a real urgency for comprehensive HIT to cut costs and save lives, “a growing body of research illustrates the potential challenges – from getting doctors to use the safety enhancing features the systems offer, to the patchwork of privacy regulations in different states.” 

I would like to add to the challenges identified in Ms. Johnson’s article the need of each hospital to educate and to get the Board “on board” with the importance of HIT and undertaking pro-active initiatives in the institution. This Board effort is likely to be threatened by multiple complexities, including declining patient population, reduced reimbursement, heavy regulation, intense competition, dwindling donor contributions and heavy endowment losses for non-profit hospitals, a history of unclear returns from past substantial investments in HIT, competitive demands for capital dollars that promise quick tangible returns and many other factors. 

[To be continued in Installment 2]

Fox Rothschild to Participate at NIST and CMS Security Rule Conference

As HITECH refocuses the health care industry’s attention on security, the role of National Institute of Standards and Technology (“NIST”) in developing standards for health information security will become more center stage.  

On May 18, 2009, Fox Rothschild LLP will present at the NIST and CMS Security Rule Conference in Gaithersburg, Maryland called “Safeguarding Health Information: Building Assurance Through HIPAA Security”. Elizabeth Litten, Esq., a partner of Fox Rothschild’s Health Law Group, and Co-chair of its Government Relations practice group, will be presenting at the NIST/CMS Security Conference as part of a Panel Discussion on Assessments from the Organizational Perspective. The panel will share its experiences with, and expectations for, audits, assessments, and compliance reviews, and provide strategies for greater assessment efficiencies. For further information on the NIST/CMS Security Rule Conference, please visit the NIST website.

 

For a copy of the PowerPoint presentation prepared by Elizabeth and Helen Oscislawski, Esq. for the NIST/CMS Security Rule Conference, please visit our Blog again next week, or if you subscribe to our Blog a copy will be e-mailed to you directly.

A Little Intellectual Property 101 for HIT

Introduction to Intellectual Property

As my initial entry to this blog, I would like to provide a high-level overview of U.S. Intellectual Property (“IP”) law. This overview will provide background information on the various areas of IP. Future entries will consider how the various aspects of IP affect and are affected by HIPAA/HITECH and the electronic patient record initiatives. The basic components of IP include: patents, copyrights, trademarks and trade secrets.

Patents

A patent is essentially a grant from the federal government conveying to the owner the exclusive right to prevent others from making, using, offering for sale, selling or importing the patented invention. It grants these monopolistic powers for a limited period in exchange for full and complete disclosure of the invention to the public.

Note that a patent does not convey an absolute right to practice the invention. For example, a patent on an improvement to a product does not invalidate any existing patent on the underlying product, which may be owned by a different inventor. Thus, hypothetically, an inventor holding a patent on a five-legged chair could still infringe a patent to a four-legged chair held by another inventor.

In order to be patentable, the subject matter must be new, useful and non-obvious. U.S. patent law provides certain “statutory classes” of patentable subject matter. These include: processes/methods, machines, articles of manufacture, compositions, and certain business models (a.k.a., “business methods”).

Examples of patentable subject matter in the healthcare, pharmaceutical and biotechnology arenas include: compounds, intermediates, compositions and methods of making these, diagnostic kits, methods for isolation/purification of compounds, methods for analysis, methods for treatment/use, screening methods, improvements to known compositions, improvements to known methods, combinations of active ingredients, microorganisms, cell lines, cellular compositions, viral isolates, vectors or cloning/expression vectors and DNA/RNA promoters, synthetic oligonucleotides, signal sequences, expressed sequence tags (ESTs), proteins, monoclonal antibodies/hybridomas, isolated antigens/vaccine compositions, methods for isolation/purification of biological materials, methods for cloning/protein production, methods for diagnosis, methods for treatment/use, screening methods, and transgenic animals/plants.

Patentability of “business methods” may also be of significant issue in this blog as the era of HIPAA/HITECH and electronic patient records unfolds, and as computer user interfaces, processing software, database structures and other aspects of electronic patient record generation, processing, storage and retrieval are developed.

Trademarks

A trademark is any word, symbol or device used to identify one’s product and distinguish it from the products of others. Trademark rights are available “appurtenant to use”; that is, to be valid, a Federally-registered trademark must be in use in interstate commerce. Also, an active trademark should be policed by its owner, as allowing a trademark to be infringed or diluted by another’s unauthorized use may lead to effective loss of the trademark.

In the U.S., a person may apply for a Federal trademark registration by filing either an intent-to-use or an actual use trademark application. If an intent-to-use application is filed, a Statement of Use identifying actual use in interstate commerce will need to be filed before the trademark will be registered as active.

U.S. trademark law, particularly with respect to the court cases (i.e., “case law”), is particularly voluminous (i.e., “lots of it”). It would be easy to devote entire blogs to discussions of trademark case law. We’ll defer further discussion here for a future entry.

Copyrights

A copyright is the right that the government gives an author of any original work of expression to exclude others from copying or commercially using the work of expression without proper authorization. Examples include books, poetry, plays, songs, catalogs, photographs, computer programs, advertisements, labels, movies, maps, drawings, sculpture, prints and art reproductions, game boards and rules, and recordings.

Copyright protection is easy to obtain by filing a form with a sample of the work and a small fee. Authors of copyrighted works should include an appropriate copyright notice on the work. 

Applying for Federal registration of a copyright is required prior to filing a lawsuit for copyright infringement in a U.S. Federal District court.

U.S. copyright may very well operate as a speed bump on the road to HITECH, electronic patient records, and government-run universal healthcare. We will particularly address copyright issues in one or more future blog entries.

Trade Secrets

A trade secret is any information, design, device, process, composition, technique or formula that is not known generally and that affords its owner a competitive business advantage. Reasonable measures to maintain the secret must be made so as to obtain relief against those who wrongfully obtain the information.

These are traditionally the basic components of IP law. Additionally, Internet-related issues are increasingly tied to other IP – such as domain name dispute resolution where the complainant owns a trademark to the domain name. 

My next entry will discuss potential patent issues with respect to HIPAA/HITECH and electronic patient records.

Red Flag Enforcement Delayed to August 1, 2009

This morning, the Federal Trade Commission (FTC) announced it will delay (again) enforcement of the new “Red Flags Rule,” now until August 1, 2009 to give affected entities more time to comply. In the press release, FTC Chairman Jon Leibowitz said:

“Given the ongoing debate about whether Congress wrote this provision too broadly, delaying enforcement of the Red Flags Rule will allow industries and associations to share guidance with their members, provide low-risk entities an opportunity to use the template in developing their programs, and give Congress time to consider the issue further.”

The Fair and Accurate Credit Transactions Act of 2003 (FACTA) directed financial regulatory agencies, including the FTC, to promulgate rules requiring “creditors” and “financial institutions” with covered accounts to implement programs to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft. FACTA’s definition of “creditor” applies to any entity that regularly extends or renews credit – or arranges for others to do so – and includes all entities that regularly permit deferred payments for goods or services. The FTC release points out that accepting credit cards as a form of payment does not, by itself, make an entity a creditor.

The news release states that for entities that have a low risk of identity theft, such as businesses that know their customers personally, the FTC will be releasing templates to help them comply with the law. The FTC also already has a number of materials posted to help explain what types of entities are covered by the FTC Red Flag Rules and to provide guidance. See: www.ftc.gov/bcp/edu/pubs/business/alerts/alt050.shtm and www.ftc.gov/redflagsrule.