Thursday, February 19, 2009

Stimulus Bill and Electronic Health Records: Privacy, Regulation and the Coming Liability Feast

As a $787 billion “economic stimulus law,” the American Recovery and Reinvestment Act of 2009 ("ARRA"), signed by President Obama on February 17, 2009, launched new federal mandates on health information technology ("HIT") and privacy of personally identifiable information (“PII”), both on “ordinary” identity theft and on specially protected health information under HIPAA. It inaugurates a $200 million Health IT czar (our official “HIT Man”) to define and manage standards for electronic health records (“EHR”). Is HIT going to be a real “hit”?

Optimism. The federalization of security and encryption norms for PII and EHR promises a new wave of governmentally sponsored IT contracts with private contractors, advisors and medical records managers. It will re-shape the outsourcing and software provider relationships with healthcare customers. Optimistically, the resulting e-health records will enable a new national system for better healthcare outcomes, more global coverage, less disparity in treatment, fewer medical errors, better accounting, better security, more valid data on “ordinary and customary” treatments, and other benefits of a centralized database for monitoring and improving the efficacy of medical treatments. The law sets ambitious goals. We will post a one-page flow chart showing the roles and mission statement for the new health care “National Coordinator” for Health Information Technology and related government officials here and at http://www.biercekenerson.com.

Risks of New Regulation. Pessimistically, the promise of e-medical records is elusive. It opens new risks for all stakeholders.

Cost Management. Spending money to set and enforce federal standards in a short time could be wasteful. Such massive programs have failed in the past, in the cases of the IT systems for the U.S. IRS, the U.S. Navy and the U.K. socialized medicine system.

Regulation vs. Innovation. As a general principle, regulation of standards stifles innovation. Such regulation deprives the marketplace of the competition that involves winners and losers in innovation and service quality. The political jockeying for having one’s proprietary software system adopted as a “certified” standard could be a race to the bottom. A standardized e-health record could simply result in a workable, “lowest common denominator” format. Imagine using Microsoft Excel for HIPAA-based accounting! So expectations about quality need to be low.

Limited Scope. Happily, the ARRA economic stimulus law does not go so far as to allow the government to dictate guidelines for clinical treatment or decisions on national insurance coverage. This could be a first step towards that long-term goal.

What You Need to Know. The stimulus law will impact every employer, consumer, medical service provider, patient, insurance carrier, and, indeed, buyer or seller of IT-enabled business process services.

New Privacy Rules.
Under the EHR provisions, the privacy and security rules of HIPAA will no longer be enough for medical records management. Under the PII rules, anyone processing PII will have to report to authorities on any breach if that breach impacts more than 500 individuals in a single “jurisdiction.” Sadly, legislated privacy mandates are not easy to comply with, as witnessed by a report on February 18, 2009, in USA Today that cyber-attacks on U.S. government computer networks have doubled in 2008 compared to 2006, based on a report by the U.S. Computer Emergency Readiness Team (“US-CERT”).

Liability Exposure. It’s time for everyone to go back to civics class and learn what a “jurisdiction” is and how it will define breach notification rules. Further, the liability rules will be strict, though the ARRA economic stimulus law does not give individuals a right to sue. This may be scant encouragement to victims of hacking, since the private rights of action under common law and local statutes are not preempted.

Privacy At Risk. Quis custodiet ipsos custodes? Who can save us from data privacy and security breaches when the Government can’t? Maybe we all agree to less anonymity of Internet communications as a small price to pay, compared with allowing unknowns to conduct cyber-attacks and gain unauthorized access to PII and medical records.

Litigation Opportunities.
Underemployed litigators, take heart. There is stimulus enough for you too. The stimulus law offers an extraordinary litigation opportunity, a liability feast, if you can prove negligence in recordkeeping of personal data or e-medical records. (Of course, you might have to overcome the defense that a company complied with the HIT standards but that the standards were not strong enough).

Custodians of E-Medical Records.
For healthcare providers, health plans, third-party administrators, employers and service providers alike, it’s time to redefine your security procedures, review your insurance coverage and review your contract risk allocations. For more, see our February 2009 newsletter.
