A Q&A with Lynn Sessions of Baker Hostetler LLP
Now that the Affordable Care Act (aka Obamacare) is law, states potentially have cyber public entity liability exposure due to their role in managing PHI in connection with the healthcare exchanges, the data hubs that will centralize and route private information through government agencies and related businesses. This new model has already led to privacy data breach incidents, well before the act went into effect this past October (see example). To sort through the complications the ACA poses to public entities, I spoke with Lynn Sessions, counsel at Baker Hostetler LLP.
Can you explain the emerging healthcare exchange system and what type of private data will be in the care, custody and control of state officials?
The most immediate answer is that it’s unclear at this point exactly how personal information will be protected. Will state officials have to comply with HIPAA in protecting this data? The answer is probably yes, but how they will essentially take care of this information and who is responsible for it legally are the kinds of questions we’re now asking. Healthcare organizations have been asked to streamline their functions into what are called Accountable Care Organizations, which allow for opportunities for organizations to receive payments from the government, if they meet certain quality and efficiency milestones, but it’s unclear how partnering entities that are regularly exchanging information will handle it. We know that most of these entities are already covered and subject to HIPAA—hospitals, physician groups, and health plans—but in the case of a data breach it’s unclear as to who would be held responsible. As we see healthcare evolving over the next several years, I think we’ll see new privacy concerns arising and patients who become more concerned over their information. We know the Office of Civil Rights will be scrutinizing these organizations to make sure they are in compliance with HIPAA. It will continue to be a challenge for organizations to ensure that the information stays safe as they move into the new model of care.
What civil and regulatory liabilities can you foresee?
As I mentioned, HIPAA/HITECH likely applies. One thing to consider is that the health information exchanges were created when the data world was already dealing with the component of the American Recovery Act of 2008 that helps healthcare providers implement electronic health records. You also have these organizations holding on to the data for meaningful use in communications with providers. Seamless communication is all well and good, but if it butts up against HIPAA it exposes the organization to regulatory and legal liability. We have found early on if there are a lot of controls in place, the information may not flow freely and easily among providers. From a liability standpoint, the hardest thing is again figuring out whose data is whose and who is responsible for a breach.
Are there any areas of known concern that might lead to future breach events?
Encryption continues to be an issue in stolen and lost laptops and other mobile devices. Healthcare organizations are not encrypting at all or not encrypting sufficiently and we’ve seen how large data breaches can occur from this oversight. The Office for Civil Rights (OCR) is really focused on making organizations explain why they’re choosing not to encrypt. If you can’t or won’t encrypt for some operational reason, such as a medical device that can’t function with encrypted data, then it’s up to the covered entity to prove how you’re otherwise safeguarding the PHI. Another concern is that we have seen incidents caused by business associates in the past few months. Sometimes the healthcare provider doesn’t have control over the business partner’s employees accessing the medical records. Sometimes a vendor has PHI on an unencrypted laptop. We continue to see this tension with business associates, whether it’s negotiations for a contract—how to delineate the responsibilities for a covered entity—or issues after a breach occurred. What remains to be seen is how the OCR will handle jurisdiction over business associates involved in breaches.
Are there any immunities for public entities?
Yes, but it depends on the state or particular municipality. For instance, the Texas and Federal Tort Claims Acts say that you “can’t sue the king”—the state has sovereign immunity—but in some local districts a local suit can be brought against a public hospital or hospital district, but it depends on the Tort Claims Act in the specific state. The amount of damages you can recover from a state entity might also vary. Ultimately, there is usually some limitation to liability protection afforded public entities.
What might a public entity do to mitigate their liability exposure?
I think it’s all about the basics: You need to have a good security program with appropriate controls in place to begin with, and a good privacy program that allows you to address any complaints you might get or respond to customers if an incident arises. If you do these things well, you lower your chances of exposure and litigation. I’ve had several public entity clients in the healthcare space purchase insurance because they know they need to be prepared with a good product as well as advice from experts. We continue to see the OCR being very active and interested in healthcare data breaches and it always comes back to the basics: doing a risk assessment of the entire enterprise, and if you have a breach, getting to the root cause of it, responding appropriately and preventing it from occurring again.
In addition to what Ms. Sessions has outlined, we feel another vital initial task for organizations is to inventory and map sensitive data and network relays to ensure reasonable safeguard practices are in place (easier said than done). For example, it’s important to understand the type of data an organization is collecting, storing, sharing and transmitting, and how it flows to external connections. (See examples of employer-state-fed sharing here or an exchange chart here.)