
Healthcare Payment Processing: Managing Data Security and Privacy Risks

Thursday, September 13, 2012

Moderator:

Linda A. Malek, Chair, Healthcare, Moses & Singer LLP

Panelists:

Beth L. Rubin, Senior Counsel - Healthcare, PNC Bank, National Association Legal Department

Dov H. Scherzer, Co-Chair, Global Outsourcing and Procurement, Moses & Singer LLP

Samuel J. Servello, Partner, Healthcare, Moses & Singer LLP

Hypothetical

• Healthcare Client located in Los Angeles contracts with a Bank in New York to conduct HIPAA transactions on Healthcare Client’s behalf. Bank has an outsourcing services contract with Bank’s cloud vendor, which is incorporated in New York and uses its own server in India.


Diagram: Payor and Healthcare Provider exchange Data with Bank, which processes HIPAA Transactions; Bank passes Data to Cloud Vendor under a Services Agreement.

Bank Wears Two Hats

• Customer of Third-Party Cloud Vendor

• HIPAA Transaction Services


Intro to Outsourcing in a Highly-Regulated Environment

• What is Outsourcing?

• Categories of Outsourcing

• Regulatory Overlay

– Applicable Laws

• Outsourcing Process and Key Contract Terms

• Overarching Challenge:

– A long-term relationship; importance of a proper “Pre-Nuptial” Agreement

Categories of Outsourcing

• Outsourcing of discrete IT functions (e.g., software development or legacy system maintenance)

• Information technology (IT) outsourcing (e.g., processing services provided from a remote data center)

• Traditional “service bureau” services (e.g., payroll)

• Business process outsourcing (BPO) (e.g., outsourced administrative services)

• ASP/Time Sharing/Clouds/Shmouds

• Legal Services

• Any other function, including an entire business operation

• Offshore Outsourcing

Healthcare Payment Processing may involve any number of the above types of outsourcing.


Why Outsource?

• Cost savings/Cost management

• Concentrate on “core” capabilities

• Redeployment of resources to key initiatives

• Improving performance

• Legacy systems

• Standardizing systems

• Technology currency

• Reducing/Sharing risk

• Improve flexibility

Why Re-engineer a Business Process (BPO)?

• Focus management on core business issues

• Focus capital expenditures on core business

• Streamline administrative functions

• Reduce organizational redundancy

• Identify and reduce hidden costs

• Shift accountability for non-core functions

• Access specialized skill sets, processes and information without having to acquire, invest in or develop such skills, processes or information


Offshore Outsourcing: What are the Incentives?

• Technological expertise and facilities around the world are equivalent to those in the U.S.

• Advances in technology allow companies to overcome geographical distances (e.g., Internet)

• Availability of lower-wage resources

• Ability to conduct business around the clock in numerous time zones


“Applicable Laws”

A Fundamental Business Point: Who is Responsible for What?

Diagram: Outsourcing & Applicable Laws, with spokes for IP, Tax, Privacy & Security, Auditing, HR and Securities Laws.


Examples and Key Concerns

• Privacy & Security

• Securities Regulatory Compliance

– Oversight and management of service providers

• Auditing Requirements

• Twin Goals:

A) Meet legal obligations

B) Make clear who is responsible for what

Privacy and Security Issues

• Outsourcers often have access to company and employee confidential information

• Particular privacy and security concerns:

– Financial services and healthcare industries

– Human resources functions

– Areas of Concern

• Security measures in place for the vendor’s system

• Risks of unauthorized access to information: unauthorized personnel; unauthorized uses

• Designate whether the customer or vendor will be responsible for the costs of implementing additional security mechanisms


Sarbanes-Oxley, Auditing and SAS-70 Reporting: New SSAE 16 Guidance

• Sarbanes-Oxley (2002). Improve accuracy and reliability of public company financial disclosure in the wake of Enron

• AICPA – American Institute of CPAs

• Service Auditing Standards Reports

– SSAE 16 replaces SAS 70 concerning service auditor reports for periods ending on and after June 15, 2011

New SSAE 16

Statement on Standards for Attestation Engagements: Reporting on Controls at a Service Organization

• Follow-on guidance to SAS-70 from the perspective of reporting on systems and controls

• Complies with the new international reporting standard (International Standard on Assurance Engagements (“ISAE”) 3402)

• Effective for reporting periods after June 15, 2011

• Some practical impacts:

– Service provider management must now make a direct assertion on effectiveness/operations of controls (as opposed to reliance on auditor assertion)

– Need to attest to subcontractor controls

– Harder to allocate costs among similar user groups/functions

• Result: Significant impact on pricing


CASE STUDY: Certain Privacy Issues are Specific to Healthcare Payment

What should financial institutions be concerned with from a healthcare compliance perspective with respect to cloud computing?

• They access patient information while providing certain services to healthcare providers or payors, such as health plans.

• Patient information is protected under federal and/or state law.

• Medicare: all claims must be made electronically beginning 2014.

• They utilize cloud computing by outsourcing some or all of these functions to third-party vendors.


Relevant Federal Privacy Laws:

• The Health Insurance Portability and Accountability Act ("HIPAA"), which was established in 1996;

• The American Recovery and Reinvestment Act ("ARRA"), which contains the Health Information Technology for Economic and Clinical Health Act ("HITECH"); and

• The Patient Protection and Affordable Care Act ("PPACA"), which was signed into law in 2010.

HIPAA is the basis for federal protection of the privacy and security of certain health information. The protections of HIPAA were expanded by ARRA, HITECH and PPACA.

Quick HIPAA refresher

Is the transaction you are working on impacted by HIPAA? If a Bank’s client is a “Covered Entity” and that “Covered Entity” transmits “Protected Health Information” to the Bank, HIPAA must be considered. Bank is deemed a “Business Associate”.

What is a "covered entity"? (i) It is one of the following: a health plan, a healthcare clearinghouse, or a healthcare provider; and (ii) it transmits health information in electronic form in connection with a transaction covered by HIPAA.


Protected Health Information ("PHI")

The health information that is protected under the Federal Privacy Laws is "protected health information" (also referred to as PHI), which is individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.

Health Information

Any information, whether oral or recorded in any form or medium, that: (1) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

Business Associate

Generally, a business associate is an entity or person who carries out certain functions of the covered entity on behalf of that covered entity.

In other words, if a financial institution is acting on its own behalf, it would not be considered a business associate. It is a business associate only if acting on behalf of a covered entity.


How are the Federal Privacy Laws applied to financial institutions?

The Federal Privacy Laws apply to any financial institution that:

• Performs a healthcare clearinghouse function (i.e., processing or facilitating the processing of nonstandard data elements of health information into standard data elements); or

• Acts as a business associate on behalf of a covered entity.

Direct statutory liability as a business associate

• Liability exposure has significantly increased under the rules of HITECH.

• Prior to HITECH: contractual obligations with the covered entity.


Enhanced civil and criminal penalties apply to both covered entities and business associates

• HITECH applies the civil and criminal penalties of HIPAA directly to business associates

• Civil monetary penalties:

Low end - $100 per violation with a cap of up to $25,000 per year

High end - $50,000 per violation with a cap of up to $1,500,000 per calendar year

• Criminal penalties - HITECH specifically extended criminal penalties for the wrongful disclosure of protected health information to business associates.

• Attorneys General - States’ attorneys general may also bring civil actions on behalf of residents of their states.

Increased Enforcement Environment

• March 2012 - Blue Cross Blue Shield of Tennessee (BCBST) agreed to pay the U.S. Department of Health and Human Services (HHS) $1,500,000 to settle potential violations of HIPAA.

• April 2012 – A physician practice group in Arizona agreed to pay $100,000 for posting clinical and surgical appointments for patients on an Internet-based calendar that was publicly accessible, and for having implemented few policies and procedures to comply with HIPAA (i.e., even the little guy is being watched and is expected to comply).


Federal Breach Notification Obligation

The HITECH Act and regulations promulgated under that act require:

• Covered entities to notify affected individuals following the discovery of a "breach" of "unsecured protected health information" of those individuals.

• Business associates to notify the covered entity following the discovery of a "breach" of "unsecured protected health information" in their possession.

Definition of "breach" and the risk assessment under the Federal rule

Under the Federal rule, a risk assessment is part of the definition of "breach". In other words, a breach is only deemed to occur if there has been an acquisition, access, use, or disclosure of protected health information that poses a significant risk of financial, reputational, or other harm to the individual. Therefore, if such a significant risk does not exist, then there is no "breach" to be reported.


Breach notification "safe harbor"

• Breach is triggered by “unsecured protected health information”.

• Encryption: HHS has stated that encryption processes that are consistent with certain National Institute of Standards and Technology (NIST) publications and/or that are validated by certain Federal Information Processing Standards (FIPS) will meet this requirement.

State law breach notification obligations

• 46 states currently have security breach notification laws.

• In some states, a risk assessment is done before the obligation to notify is triggered (like the federal rule).

• In some states, there is no risk assessment before the obligation to notify is triggered. It is triggered merely upon the discovery of an unauthorized acquisition, access, use or disclosure of the personal information of such individual.


How does Section 1179 of the Social Security Act interact with these new obligations?

Key: On whose behalf is the bank acting? The consumer (individual) of healthcare or the provider of healthcare?

No exemption from the application of HIPAA if done on behalf of the provider.

Interaction with the Gramm-Leach-Bliley Act and Other Specific Privacy/Security Regulations

The technical, physical and administrative safeguards required by HIPAA are different from those required by the Gramm-Leach-Bliley Act and other laws and regulations that may be generally applicable to the types of data being processed.


What a financial institution processing HIPAA transactions should consider if it outsources any part of its business that handles protected health information

Financial institution as covered entity:

• Clearinghouse is a covered entity under HIPAA.

• Business associate agreement:

- administrative, physical and technical safeguards;

- ensure that any of its agents, including any of its subcontractors, implement reasonable and appropriate safeguards

Financial institution processing HIPAA transactions as business associate:

• Business associate agreement with the covered entity.

– Agreements with outside vendors in order to utilize cloud computing.

– A confidentiality agreement with such third-party vendor.

– require that such vendor implement administrative, physical and technical

• Obligation to report security breaches to the covered entity. Who has the obligation to notify the individual?



Overarching Principle

• Bank needs to confirm that it is committed to outsourcing to Cloud Vendor, and that the outsourcing will permit it to meet its obligations to its Healthcare Providers.

• In this regard, need to determine at the outset which activities are to be outsourced and what financial or other goals are hoped to be

First steps

• Every outsourcing contract must be clear regarding allocation of responsibilities, remedies, applicable law, compliance, costs, change control, rights in IP, dispute resolution, governance, SLAs, termination, etc.

• That means that these topics must be discussed fully and understood by the business on each


Key Contract Elements

• The contract between Bank and Cloud Vendor will generally consist of the following:

– Terms and Conditions

• General framework/rules

• Allocation of each party’s responsibilities

• Applicable law

– Exhibits

• Details of scope/pricing

• Numerous subjects can be treated in an exhibit

• Possibly the most important part of the contract

Be sure to understand and address key regulatory concerns

• Regulatory liability cannot be outsourced. Bank is relying on Cloud Vendor to perform services in a manner that will permit Bank to meet its independent regulatory obligations, as well as the obligations and restrictions contained in its Healthcare Provider agreements.

• Among other things, Healthcare Provider’s confidential information (including PHI of Healthcare Provider’s patients) will be accessible to Bank and Cloud Vendor.


Particular privacy and security concerns:

• Healthcare industries are heavily regulated.

• Payment processing activities involve the processing of sensitive healthcare information.

• HIPAA Transaction Processors must be particularly sensitive regarding sharing data with their business associates.

Additional Considerations and Risks

• Healthcare Provider agreements may restrict or require advance consent to outsourcing

• Bank needs to understand that additional risks, including of data security breach, are created when Bank outsources activity to a cloud vendor

• Consider the distributed nature of the “cloud” service, including where data is stored and who has or can have access to data

• Risks increase when Cloud Vendor provides services off-shore

• Some privacy and security laws may apply directly to Cloud Provider’s provision of services; other laws must be specified and specifically addressed in the contract

• Rule of thumb: You need to tell a Cloud Provider what to do, or it won’t get done.


Due diligence regarding Cloud Vendor

• Bank should always conduct operational, financial and regulatory due diligence with respect to any potential Cloud Vendor.

• Consider Cloud Vendor’s financial viability, data security policies, privacy policies, location of servers, etc.

• Diligence is even more important when contracting with an off-shore Cloud Vendor. Among other things, there may be additional tax and regulatory implications and, as a practical matter, there may be limitations on Bank’s ability to enforce its contract.

• Practical Tip: if doing a deal with an Indian service provider, insist on an arbitration clause.

Particular concerns regarding access to data

• Bank will likely want to ensure its ability to have immediate access to data throughout the term of the contract, and to ensure its ability to retrieve data upon termination of the agreement.

• Consider data retention (or destruction) policies, and provisions for backup and disaster recovery (possibly including redundancy obligations with servers located in different geographical locations).

• Bank may require the ability to track and audit data usage, storage and protection, as well as Cloud Provider’s internal process controls (e.g., under GLB).

• Cloud Vendors will usually try to limit their liability for privacy and security breaches to service level credits.

• NOTE: Even the CIA has been hacked, so Bank should not expect a Cloud Vendor to accept open-ended liability in the event of malicious activity. But liability for certain privacy and security breaches is often the subject of significant negotiation.


Hypothetical

• Healthcare Client located in Los Angeles contracts with a Bank in New York to conduct HIPAA transactions on Healthcare Client’s behalf. Bank has an outsourcing services contract with Bank’s cloud vendor, which is incorporated in New York and uses its own server in India.

Conclusion

• A successful outsourcing results in well-thought-out service contracts (i) between Healthcare Provider and Bank, and (ii) between Bank and Bank’s Cloud Vendor.

• The process requires input from all concerned parties, including legal, compliance, privacy and data security, operations, vendor management, HR, tax, etc.


Linda A. Malek, Chair, Healthcare, Moses & Singer LLP
[email protected] 212.554.7814

Beth L. Rubin, Senior Counsel - Healthcare, PNC Bank, National Association Legal Department
[email protected] 215.585.6381

Dov H. Scherzer, Co-Chair, Global Outsourcing and Procurement, Moses & Singer LLP
[email protected] 212.554.7833

Samuel J. Servello, Partner, Healthcare, Moses & Singer LLP
[email protected] 212.554.7872

Disclaimer: This presentation does not constitute legal advice or an opinion of Moses & Singer LLP or any member of the firm. It does not create or invite an attorney-client relationship and may be rendered incorrect by future developments. It is recommended that it not be relied upon in connection with any dispute or other matter but that professional advice be sought.

Attorney Advertising: Under the laws, rules or regulations of certain jurisdictions, this presentation may be construed as an advertisement or solicitation.
