'It goes beyond contracting'

New requirements raise the bar and the stakes for all involved with health care data

Few people doubt that the health care industry’s greater focus on collecting, analyzing and sharing information on patient care will produce big dividends over time. But a lot of the finer points of how that will happen are still being prescribed to and/or developed by the sector’s players. Amy Leopard, a partner at Bradley Arant Boult Cummings, spoke recently with Post Editor Geert De Lombaerde about developments on the risk management side of health care data.

What’s the high-level regulatory view of data in health care?

We’re seeing a lot of interactions among providers, insurers and technology companies on this issue, and the Office of Civil Rights and the Office of the National Coordinator for Health Information Technology are paying a lot of attention, too. There’s a balancing act going on with this issue. You have both the seriousness of needing to maintain the security of the data and the imperative of using the data for innovation and quality improvement. So you have both incentive dollars being spent and a strong enforcement policy when it comes to entities that have to follow HIPAA.

Have you noticed a chilling effect as a result of regulators’ strong enforcement stance?

Maybe. But hospitals and physicians know their Medicare payments will be cut in 2015 if they are not using electronic health records. There is a chilling effect on unbridled enthusiasm and a focus on managing the risks.

Are corporate infrastructures ready to handle the legal side of the greater use of health data?

The market is bifurcated to some extent. On the high end, you have large organizations with deep infrastructure, history and knowledge to handle what should be living, breathing policies. On the other end, there are contractors working with the health information of covered entities that aren’t always as sophisticated as they should be. And there are others who are being caught off guard by the new requirements they face.

What are those new requirements?

Under the HITECH law, business associates that create, receive, transmit and maintain health information for providers and health plans are now regulated directly under HIPAA. This means that many service providers and IT companies (hardware and software) and their subcontractors are subject to the increased penalties as trusted custodians for covered entities, so it goes beyond contracting. All regulated entities are now subject to a more robust requirement to report breaches of protected health information to the government and the affected individuals. This breach reporting has prompted enforcement actions and class-action lawsuits.

Have the business associate rules raised the cost of entry or forced some companies to tweak their business models?

Absolutely. Adequate security safeguards are now the cost of entry and companies must have a compliant and risk-based approach to stay in health care.

And will the market take care of players that can’t keep up with the new rules? If I’m partnering with a company that is struggling to adapt, I’d start looking for a new partner.

And you should. As care is delivered and paid for through knowledgeable teams using actionable data, the ability to manage and protect data becomes a core competency for collaborations. On the vendor side, providers are engaging in much more due diligence to gauge the security readiness and compliance documentation of their service providers.

Either way, it sounds like this is elevating the importance of data use at health care organizations.

Yes, it’s become much more of a C-suite issue as a strategic imperative and no longer something handled strategically just by a company’s privacy officer or legal counsel. I’m being asked more and more to talk about this issue at the board level.

What are the most important things those boards should think about when it comes to sharing or using shared health data?

Big data is here. The possibilities are endless for data analytics, care coordination and patient engagement, but the exposure needs to be managed at the enterprise level. Data sharing requires a governance framework so that this asset can be protected for business, regulatory and competitive reasons. Boards need to confirm their organizations are evaluating and managing the risks, particularly in information security, and updating their compliance programs for industry and operational changes.