Stephen S. Wu is a partner in the Los Angeles-based law firm Cooke Kobrick & Wu, LLP, where he focuses on information privacy, security, and records management. During 2010-2011, Wu served as chair of the American Bar Association’s Section of Science and Technology Law. He has written a book, A Legal Guide to Enterprise Mobile Device Management: Managing Bring Your Own Device (BYOD) and Employer-Issued Device Programs, published by the American Bar Association this summer, and is currently revising A Guide to HIPAA Security and the Law, published by the ABA in 2007, with the revised volume set for publication this year. Wu spoke recently with HCI Editor-in-Chief Mark Hagland regarding his perspectives on the legal exposure issues facing healthcare providers around mobile devices and mobility in healthcare. Below are excerpts from that interview.
What happens when there’s a lawsuit of some kind involving a provider organization?
Over time, a hospital or medical care facility needs to think about records management as a business process; and that starts with managing useful records. And then it needs to establish a records retention policy and subordinate documentation to effectively manage the records management policy. Think about a life cycle of documentation: there’s the creation, the usage, the storage of it over time, and then its eventual destruction. Every business is going to have records that go through that life cycle. So they should have a policy for records management. If they needed a dispute resolution, they could put before a judge or arbitrator authentic documentation.
When litigation actually takes place, what kinds of internal processes are required?
So if an organization can reasonably anticipate litigation, then it has an obligation to preserve evidence relevant to the dispute. If a patient or patient’s attorney communicates with a hospital or medical practice in such a way that it could reasonably anticipate malpractice litigation, it is now on notice and has an obligation to preserve records. And the way that that may work out practically is that there may be some information-purging systems in place that make records inaccessible over time; and hospital or medical group managers need to suspend any time-based types of documentation destruction processes.
And in the mobile area, when a hospital or medical facility or doctor’s practice can anticipate litigation, it has an obligation to preserve, and then when a lawsuit occurs, the other side can be expected to ask the patient care organization for information. And then the hospital or medical practice has to do a reasonable search to respond to the request. Then the hospital may need to look into mobile devices to reasonably respond to the request. So if a doctor just dumps information into his computer and doesn’t pay reasonable attention to these kinds of recordkeeping processes, under litigation, the hospital may be asked to get information from the doctor—the hospital could be sanctioned for not producing that information, whether it be a text, an e-mail, or EKG readings, for example. In a malpractice case against a cardiologist, those EKG results could be relevant. I’m guessing that most hospitals and medical practices realize this and are finding ways to keep the information in recordkeeping systems, so that the EKG results are retained and managed. But the point is that they need to think intentionally and realize that we now have these mobile devices out there, and they need to incorporate processes for records retention in their recordkeeping systems.
And now, there are HIPAA [Health Insurance Portability and Accountability Act of 1996] privacy and security issues, and state laws that could be used in breach cases to assert claims in some legal cases.
How do mobile devices fit into the intensified HIPAA requirements?
Back in 2003 when the HIPAA security requirements came out, there were already implications around mobile devices. So when I wrote my book on HIPAA security and the law, I talked about mobile devices, even though the law didn’t specifically address the topic, since there was no exception for mobile devices just because they weren’t explicitly mentioned by the HIPAA security rule. And therefore, when the business associates requirement under HITECH [the Health Information Technology for Economic and Clinical Health Act] and some interim rules, and now the final rule, came in—what is new is that in the HIPAA final omnibus rule, they made some clarifications, including that subcontractors are business associates under the rule.
And if service providers are storing information for you, and the service provider is providing a service to a business associate or to a hospital, then, if there is protected health information involved, those service providers are vulnerable under the law. That really broadens the requirements. And as a result, we have a lot of general technology vendors who are now being swept up by the HIPAA privacy rules, and who are now coming to terms with this new compliance overlay.
And if the vendors are surprised, it also affects the covered entities—the providers, insurers, and healthcare clearinghouses. They all need to make sure that the downstream chain of vendors is complying with HIPAA as well. And that starts with contracts: you need to say, you must comply with the HIPAA requirements, and you need to make sure your subcontractors comply as well; and we have the right to terminate with you, and you need to put in there that you, the vendor, can terminate the subcontractor for breaches.
The mobile aspect comes in, too, when you have mobile devices that take inputs and store information in a cloud service, for example. The cloud service needs to be a part of that chain of compliance. Also, the final rule finalized breach notification rules, and if mobile devices are involved, then the general breach notification requirements would apply to a breach involving mobile devices.
In your work with hospitals and medical groups, how aware and prepared are they for all this?
I think it’s very uneven. I have clients who are trying to do the right thing and making special efforts to go through a rigorous process; but I am hearing that some other organizations aren’t going through the pains necessary to ensure compliance.
Do you have anything else to add?
The one interesting thing I’m following right now is a fight in the California state courts about the applicability of the Confidentiality of Medical Information Act in California (CMIA). We have two cases going through the court system in which there were security breaches—one involving a stolen external hard drive, and another involving stolen desktops at a hospital. The first was an encrypted hard drive stolen as part of a home robbery. What’s interesting is that under the CMIA, there is a $1,000 nominal damages clause that says if you can’t prove actual damages, you can recover $1,000 in nominal damages for a violation of the CMIA; and plaintiffs are using the CMIA in these cases.
That is not really a theft of information per se, but claims lawyers have been using that, multiplying that $1,000 times the number of records compromised to demand damages in the billions of dollars. And the hospitals and medical groups are saying this isn’t really a theft of information per se. A recent appellate court found for the hospital, saying that there was no proof of viewing, so therefore, there was no violation of those requirements. Contrast this with other instances in which information could be obtained by a thief and then used to create phony financial accounts using patients’ names. The court said that if there was evidence of actual identity theft, or if someone used a celebrity’s identity information, for example, to create a false identity and use it, that would be different. But if the thieves were just selling the hardware, then there would be no violation.
But the point is that it’s not that hard to encrypt information; that I think is a big story. And I’m guessing that after this court of appeals action, we’ll see action by the Supreme Court ultimately. There’s a court of appeals decision we’re expecting any day now in the stolen-desktops case.