Robert L. CoffieldFlaherty, Sensabaugh & Bonasso, PLLC

Gerald “Jud” E. DeLossMinneapolis, Minnesota

PHRs, Health 2.0 and the Impact of Social Media on Health CareAmerican Health Lawyers Association

Annual Meeting – July 1, 2009

PHR Defined

“A tool for collecting, tracking and sharing important,

up-to-date information about an individual’s health or

the health of someone in their care”

American Health Information Management

Association ("AHIMA") and American Medical

Informatics Association ("AMIA")

HITECH Definition

“An electronic record of PHR identifiable health

information . . . on an individual that can be drawn

from multiple sources and that is managed, shared,

and controlled by or primarily for the individual”

PHR 1.0

“First generation” PHRs

Stand-alone PHRs

Require patients to gather and enter their own information

Tethered PHRs

Provided by a health plan, provider, or employer sponsor who

populates the PHR with information

PHR 2.0

Not merely a data collection application

Platform for the electronic aggregation and storage

of health information

Foundation for various applications

Personal Health Information Networks – part of

NHIN

Impact of PHRs

Comprehensive shift in the way health information is used, maintained, and stored Impact on means and methods for patients, health care providers

and payers to maintain, use, control, and disclose health information

The current, decentralized system of records maintained by multiple providers and entities at multiple locations

Transformed into a centralized record maintenance system that may rely on personal health information networks ("PHINs"), where the PHR serves as the central repository

Data Ownership

Who owns health information?

The physician?

The plan/insurer?

The patient?

Under traditional theory, providers own the medical

records they maintain, subject to the patient’s rights

of access in the information contained in the record

Data Ownership

Physicians and other healthcare providers

Maintain ownership of health information results in a greater

likelihood of maintaining a relationship with the patient

Patient who desires to change providers faces difficult task in

locating all sources of the health information and requesting that

it be transferred to a new provider

Rehash in the form of health intake questionnaires, health and

physical history examinations, and tests which may not have

been adequately communicated

Data Ownership

Plan ownership

Underwriting and utilization review activities

Whether coverage may be extended or whether a pre-

existing condition is present

Aggregate the data in records or de-identify the

information to be used, disclosed, sold, or manipulated

for a variety of medical and economical reasons

Data Ownership

The PHR Vendor Patient privacy advocates have expressed concern over what use

PHR vendors will put to the health information

An individual executes an authorization then the vendor may use or disclose the health information in any manner it wishes, since HIPAA would no longer apply

New HITECH Act provisions (discussed below) will place limits on these uses but some PHR vendors have taken an initial position that HITECH will not apply because an authorization, among other things, wll relieve them of compliance

Patient Ownership

Patient ownership

Results in framework where medical, expense, well-being, and

utilization are aligned within one party

Patient has an incentive to keep costs to a minimum by avoiding

multiple or repetitive procedures

Patient has an incentive to or at least the means to monitor their

health or well-being by becoming actively involved in the process

Patients have an incentive minimize the unauthorized disclosure

or use of their health information

Discrimination

Under HIPAA, a group health plan is prohibited from disclosing protected health information to a plan sponsor (typically an employer) for other than plan administration functions

In addition, the plan sponsor must certify that it will not use or disclose the protected health information for employment-related actions

Health plans, including group health plans offering PHRs to their enrollees Must ensure that the PHR is either not accessible by the group plan

Any health information contained within the PHR which is accessible by the group plan is not shared with the plan sponsor for other than administration functions

Discrimination

In addition to HIPAA, employers – and possibly

insurers -- must consider the implications

Americans with Disabilities Act (“ADA”)

Family and Medical Leave Act (“FMLA”)

Similar State laws

HITECH Act

Under the HITECH Act, a “personal health record” means

“An electronic record of PHR identifiable health information . . . on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.”

“PHR identifiable health information” is broadly defined as individually identifiable health information, relying on the HIPAA definition and “includes, with respect to an individual, information . . . that is provided by or on behalf of the individual” and “that identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.”

HITECH Act

Breach Notification Requirements The HITECH Act imposes breach notification requirements on PHR vendors and

entities that offer products and services through, or that access information from, a PHR

Requires each vendor of PHRs, and each designated PHR entity, following the discovery of a breach of security involving unsecured PHR identifiable health information that is in a PHR maintained or offered by such vendor, to provide notice to the Federal Trade Commission (“FTC”) and to any United States citizen or resident whose unsecured health information is acquired by an unauthorized person as a result of the breach

Third party service provider that provides services to a vendor of PHRs or a designated PHR entity in connection with offering or maintaining PHRs (or related products or services) and that “accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured PHR identifiable health information must notify the PHR vendor (or the designated PHR entity) of a breach of such information, which notice shall include identification of each affected individual

HITECH Act

The HITECH Act generally requires that breach notices be sent without unreasonable delay and in no case later than 60 calendar days after discovery

Notices to affected individuals generally must be sent by first class mail or may be sent by electronic mail if the individual has expressed a preference for it or, in an urgent situation, by telephone

Further, if 10 or more individuals require notification for which there is insufficient or out-of-date contact information, then the notifying entity is required to place a conspicuous posting on its website homepage or place a notice in major print or broadcast media, including major media in geographic areas where the individuals affected by the breach likely reside

If the breach involves more than 500 residents of a state (or jurisdiction), a PHR vendor or designated PHR entity also must provide notice to prominent media outlets serving the area

A PHR vendor or designated PHR entity must notify the FTC immediately if the breach involves more than 500 individuals. The FTC must notify HHS of such breaches

Violations of the notification requirements related to PHR identifiable health information will be treated as unfair and deceptive acts or practices under the Federal Trade Commission Act

WHAT IS SOCIAL

MEDIA?

technology + mobile tools + information + community +

user-generated content + collaboration + social interaction

Do YOU use social media and networks? Are you LinkedIn?

Do you Facebook?

Do you Tweet?

Do you have a blog? Do you read/comment on blogs?

Do you use RSS?

Do you regularly look at your online reputation via Google.

Are you lifestreaming via Posterous?

Do you know what Google Wave is?

11% of American adults use a service like Facebook/Twitter to share updates about themselves or to see the update of others. Pew Internet & American Life Project, Dec. 2008

Where are YOU?

Where Is EVERYONE?

210 Years of Information. Thomas Baekdal

http://www.baekdal.com

A Glimpse Into the State of Social Media

200M active users; 100M log on every day; 30M mobile users

If country 5th largest behind China, India, US & Indonesia

Average user has 120 friends

Fastest growing demographic – over 35

850M photos uploaded each month

1B pieces of content shared each week

A Glimpse Into the State of Social Media

Amazing growth! Unique monthly visitors:

Jan. 2008: 500,000

Dec. 2008: 4.43 M

March 2009: 8 M

Largest user demographic: 35-49

Users more mobile less tethered by technology

Twitter replacing RSS and Google search – “real time” results

WEB 2.0

THEN

Author-Generated

Controlled message

Read

Static Web

Software Release

Desktop Computing

Central data

World Wide Web

NOW

Dynamic and User-Generated

Mental chatter & wisdom of crowd

Read, write and collaborate

Participatory Web

Software as Service

Cloud Computing

Decentralized data

World Live Web

social media = 297 hospitals + youtube + facebook + twitter + blogs

social media = doctor + disruptor + technology + e-visits + health stream

hairball + health data + technology + consumer rights + viral campaign = e-social media health movement

The WORLD has changed . . .

. . . and so has the HIT landscape.

Without CHANGE . . .

Is it a time for HEALTH CONSUMERISM? Demographics → “Pig In Python” (79M Baby Boomers)

Rise in chronic illness and complexity of treatment

Rising cost of health care and cost shift (employer → you and me)

Governments’ inability to afford uninsured/universal coverage

Personalized medicine and genomics

The role of PHRs and HEALTH 2.0: Shift to consumer-centric (PHR) model of health data

Health consumer is at the center of integrated medical info network

New technology tools to treat and reduce/manage chronic condition

Mobile health to monitor/feed health data (the desktop to the pocket)

Cost transparency/reform to the current reimbursement model

Consumerism drives the need to get information and exercise control over yours/my health and care decisions

WHAT IS

HEALTH 2.0?

Health 2.0 by Scott Shreeve MD. Creative Commons Attribution, Non-Commercial, Share Alike 2.5 License.Updated on 5/30/07.

Health 2.0 = social software + web/cloud based + light

weight tools + consumer/provider collaboration

HOW IS HEALTH 2.0 IMPACTING

CONSUMER DRIVEN CARE

Health 1.0

Opaque System

Passive Patient

Physician Authority

Insurance Adversary

System Generated

Health Care

Health 2.0

Transparency

Engaged Consumer

Physician Advisor

Health Plan Advocate

User Generated

Health and Wellness

Personal Health Records

Personal Health Records

PHR and Health Platform

Personalized Health Search

Personalized Physician Search

Collaborative Medical

Information Wikis

Physician Social Community

Web Based

Practice Management

Virtual Concierge

e-Health Practice

Practice Management Tools

Health Support Community

Disease Communities Capturing

& Sharing Outcome Data

Consumer Facing Health Tools

Consumer Facing Health Tools

Personal Health Tools

Health Consumer Tools

Reinvented Health Care

Marketplace

Consumer Health Financial

Tools

Health Financial Tools

Insurance Coverage/Discovery

Blogging/Med Mal/Privacy

Medical Identity Theft/Privacy

Negative Review/Libel

Contract Law/Libel/Litigation

EHRs/PHRs/HIEs/Malpractice

User Agreement/Contract Law

Health Data Ownership

Privacy/Regulatory

Patient Rights/Privacy

Discovery/Employment

Employment

(from 30 ways to lose your job on Twitter)

Legal Ethics

ONE SLIDE PROJECT: Engage With Grace Project

Questions

Robert L. CoffieldFlaherty, Sensabaugh & Bonasso, PLLC

Health Care Law Blog

RCoffield@fsblaw.com

Twitter: @bobcoffield

Gerald “Jud” E. DeLossMinneapolis, Minnesota

Minnesota Health IT Blog

gdeloss@gmail.com

Twitter: @gdeloss

Slides Available via SlideShare