© Copyright Tucker Arensberg, P.C. All Rights Reserved.
The Continued Evolution of Mobile,
Wireless and Cloud Technologies in
the Healthcare Industry
Health Care Compliance Association Regional Conference
October 11, 2013 Pittsburgh, PA
Michael A. Cassidy
Tucker Arensberg, P.C. 1500 One PPG Place Pittsburgh, PA 15222
www.tuckerlaw.com 2
What is Cloud Computing?
“The dynamic provisioning of IT capabilities
(hardware, software and services) from third parties over a network”
Accenture
[Diagram: Provider interface -> Transmission (ISP) -> Storage (supersize data centers) -> End user]
Benefits of Cloud Computing
Enhanced access
Necessity of sharing to improve quality
Faster access
Lower scalable costs
Significantly reduced capital investments
Mobility
Security and privacy
Industry Facts
55% using cloud computing (2011)
73% intend to be using by 2013
$5.4 billion industry by 2017
No ISP with greater than 5% market share
Cloud Legal & Compliance Issues
1. Privacy
2. Security
3. Jurisdiction/Offshore Risks
Recovery
Enforcement
Access
4. Data Ownership
5. Compliance
Training
Testing
Auditing
7 Essential Compliance Plan Elements
1. Standards and Procedures
2. Oversight
3. Education and Training
4. Monitoring and Auditing
5. Reporting
6. Enforcement and Discipline
7. Response and Prevention
Cloud Use: Offshore Contracting
CMS’s requirements help identify some of the regulatory and other legal concerns that Offshore Activities can raise. CMS requires that its regulated plans identify and report the following:
All contractors and subcontractors that engage in Offshore Activities involving PHI;
The type(s) of PHI provided to the offshore contractor;
The functions that the contractor performs offshore that involve PHI;
Whether Offshore Activities involving PHI are necessary, and whether alternatives to those Offshore Activities were considered; and
The contracting arrangement’s safeguards to protect PHI, and provisions for audits of the offshore contractors’ compliance with those safeguards.
Privacy Sources
1. 4th Amendment
2. Hospital licensing regulation
3. Physician licensing regulations
4. HIPAA
HIPAA Refresher
1. Covered entities
a) Providers
b) Health Plans
c) Clearinghouses
d) Business Associates/Contractors
2. Basic Rule: Covered entities may not disclose Protected Health Information (PHI) – individually identifiable data, except:
a) Required disclosures
b) Permitted uses and disclosures
3. Required:
a) Individuals
Permitted HIPAA Disclosures
1. Individual
2. Treatment, Payment and Operations (TPO)
3. Opportunity to Object
4. Incident to other permitted disclosures
5. Public Interest Activities
6. Limited Data Set
HIPAA
Public Interest and Benefit Activities
1. Required by law
2. Public Health Activities
3. Abuse Victims
4. Health Oversight
5. Judicial and Administrative Proceedings
6. Law Enforcement
7. Decedents
8. Organ Donation
9. Research
10. Health and Safety Threats
11. Essential Government Functions
12. Workers Compensation Compliance
Pennsylvania Hospital Privacy Regulation
All records shall be treated as confidential. Only authorized personnel shall have access to the records. The written authorization of the patient shall be presented and then maintained in the original record as authority for release of medical information outside the hospital.
28 Pa Code §115.27
(Copy Attached)
Pennsylvania Physician Privacy Regulation
Pennsylvania Medical Board regulations define
misconduct to include:
“(1) Revealing personally identifiable facts, obtained as a result of a practitioner-patient relationship, without the prior consent of the patient, except as authorized or required by statute”.
49 Pa Code §16.61
(Copy Attached)
Fourth Amendment
The right of the people to be secure in their
persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
Fourth Amendment Development
Principles:
Free from unreasonable searches and seizures
Persons, houses, papers and effects
Probable cause for warrants
Exclusionary rule
Smith v. Maryland (U.S. Supreme Ct. 1979) 2 prong test:
Person has actual expectation of privacy
Society has recognized that the expectation was reasonable
Fourth Amendment Exceptions
Consent
Motor vehicle
Plain view
Weapons (reasonably hidden)
Foreign Surveillance
Border Searches
Exigent circumstances/great need
Sobriety checkpoints
Self Disclosure/3rd Party Rule
Third Party Doctrine
Self Disclosure to 3rd Party
Waiver/No Reasonable Expectation of Privacy
Self Disclosure
Trash
Informants and undercover officers
Any voluntary witness
Spouse
Disclosure to machines (Smith v. Maryland)
Telephone numbers
Telephone operators
Third Party: Cloud: Social Network
The basic problem stems from the fact that almost all communications over the Internet – including messages over such sites as Facebook, Gmail, and Hotmail – are stored for various lengths of time on third party servers or Internet service providers (“ISPs”). These are proprietary systems owned by the respective provider (e.g., Facebook, Gmail) that house the information so that it can be delivered to its destination. The question for scholars has been whether these communications continue to merit privacy protection, despite this disclosure to a third party.
Facebook Privacy Policy
The most pertinent part of Facebook’s privacy policies relates to sharing information with government authorities. Facebook’s policies state that it may:
Access, preserve and share your information in response to a legal request (like a search warrant, court order or subpoena) if we have a good faith belief that the law requires us to do so. This may include responding to legal requests from jurisdictions outside of the United States where we have a good faith belief that the response is required by law in that jurisdiction, affects users in that jurisdiction, and is consistent with internationally recognized standards.
Apple License Agreement
Apple’s iCloud requires its users to “acknowledge and agree that Apple may [disclose] Account information and Content to law enforcement authorities, government officials, and/or a third party, as Apple believes is reasonably necessary or appropriate, if legally required to do so if [it has] a good faith belief that such access, use, disclosure, or preservation is reasonably necessary to … comply with legal process or request…”(www.apple.com/legal/internet-services/icloud/en/terms.html)
Consent Without Boilerplate Issues
ISP Transmission v. Storage
First Class Mail
Encrypted
Mail to 3rd Party to post
Custodial Consent
Apple
Landlord
Privacy v. HIPAA
Patients do not have “4th Amendment” style privacy rights in PHI.
Third Party Doctrine
HIPAA prohibits you from releasing voluntarily disclosed PHI
Release to law enforcement without a search warrant.
Use of Mobile Devices
Data access vs. diagnostic tool
Enhanced privacy and security risks
Loss or Theft
HIPAA preamble to recent regulation updates (HIPAA Omnibus Rule) suggests patient explanation of risks
Government Initiatives
Managing Mobile Devices in your Healthcare Organization – 5 Steps:
www.HealthIT.gov
1. Decide
2. Assess
3. Identify
4. Develop, Document and Implement
5. Train
(See Attached)
Additional Resources
FDA Safety Communication: Cyber Security for Medical Devices and Hospital Networks (June 13, 2013)
http://www.fda.gov/medicaldevices/safety/alertsandnotices/ucm356423.htm
Mobile Medical Applications: Guidance for Industry and Food and Drug Administration Staff
(September 25, 2013)
http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM263366.pdf