Due Diligence for Health IT Investments · 2018. 2. 14. · 1 Due Diligence for Health IT...
Due Diligence for Health IT Investments
Session #31, March 6, 2018
Sharon Klein, Partner, Pepper Hamilton
Mark Elson, Principal, Intrepid Ascent
Conflict of Interest
Sharon Klein, JD: Has no real or apparent conflicts of interest to report.
Mark Elson, PhD: Has no real or apparent conflicts of interest to report.
Agenda
• Introduction
• Due Diligence for Privacy
• Regulatory Concerns
• Due Diligence for Technology
• Due Diligence for Security
• Practical Takeaways
• Q&A
Learning Objectives
• Identify the unique data rights, intellectual property, privacy and security, and regulatory concerns associated with mergers and acquisitions involving health information
• Demonstrate data mapping analysis to show how data is collected, used, stored, transferred and destroyed, and how data rights may impact a transaction
• Demonstrate an approach to evaluating an application’s architecture in the data review process and the degree to which it is standards-based, a critical factor for scalability, interoperability and privacy and security
• Explain solutions for startups throughout the data lifecycle to facilitate increased valuations, and discuss red flags for investors that could impact a deal
The Context for Innovation: Productive Constraints
• Value-based payment
• Protect privacy while integrating care
Standard Due Diligence
• Legal/Litigation
• Financial
• Intellectual Property
• Assets/Indebtedness
• Buildings/Environmental
• Material Contracts
• Employees/Operations
Health IT is Different
Regulatory Focus
• HIPAA
• CMS / Stark / Anti-kickback
• Consents
• Meaningful Use
• State Law
Operational Focus
• Data Rights – Life Cycle of Data
• Security
• Architecture
• Third Party Software Development / Support
• Interoperability
• Scalability
• Distinct Data Classifications (e.g. 42 CFR Part 2)
Due Diligence Process
Why are you buying/selling the company?
Three lenses: Product, People, Data
[Diagram: ecosystem of actors around the mobile device / application: Acute Care, Primary Care Provider, Pharmacy, Physical Therapist, Employee Wellness Program, Payer, Nutritionist]
Due Diligence for Privacy / Data
Acquisition of Data Rights
What kind of data?
• Consumer data
• PHI
• Performance metadata
What do you want to do with the data?
• Internal use
• Commercialize
Data Ownership
Considerations
• Rights flow from terms of the contract with the individual
• Transferability and user consents
• Rights limited by legal rules (privacy/digital advertising)
• Rights limited by company’s compliance standards
• Financials and ROI
Data Ownership Versus Stewardship
• Ownership
– Intellectual property inventor; holder of contractual rights to data
• Stewardship
– Responsibility to manage and protect data at some stage of the data life cycle (e.g. as a Business Associate)
• Balance of data rights
– Vendor / developer
– Patient / individual
– Healthcare institution
Monetization of Data
Types of Monetization
• Digital touchpoints along lifecycle
• Aggregation with third party data
• Sale of data for lead generation / advertising
Evaluating Compliance Through the Data Lifecycle – Mobile Diabetes App
Columns: Example Data Lifecycle | Data Steward(s) | Applicable Regulations | Issues / Gaps in Compliance
Step 1: Visit summary submitted to app from PCP’s EHR | Med Group | HIPAA
Step 2: Person accesses clinical data in app and requests prescription | Employer and Patient | HIPAA, FTC
Step 3: Payer accesses app and approves physical therapist | Payer | HIPAA
Step 4: Script sent by PCP to pharmacy via app; fill data sent to app | Employer, Med Group, and Pharmacy | HIPAA, FTC
Step 4: Person schedules appt. with physical therapist; visit summary returned to app | Employer and Physical Therapist | HIPAA, FTC
Step 5: Person works with Nutritionist and shows them app content | Patient | FTC
Step 6: PCP accesses recent history in app via tab in EHR | Med Group and Employer | HIPAA
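The data-mapping analysis this table performs (which steward handles the data at each hand-off, which regime attaches, and where a consent or authorization is missing) can be written down as a small rule set and run over a lifecycle model. The Python below is an added example, not material from the presenters: the stewards and their HIPAA status (covered entity, business associate, neither, or the individual patient), the data classes, the two gap rules and the lifecycle steps are all constructed assumptions, loosely modelled on the mobile diabetes app scenario above. It flags a step when PHI leaves HIPAA-regulated stewardship for a non-covered party without patient authorization, or when 42 CFR Part 2 data is redisclosed without Part 2-specific consent.

```python
"""Data-lifecycle mapping for a health app (added example; stewards, statuses
and rules are constructed assumptions, not the presenters' own table)."""
from dataclasses import dataclass

# Assumed framing: HIPAA reaches covered entities and their business associates;
# other commercial actors fall under FTC jurisdiction. The patient is an
# "individual": unregulated, and free to share their own record.
HIPAA_REGULATED = {"covered_entity", "business_associate"}


@dataclass(frozen=True)
class Steward:
    name: str
    hipaa_status: str  # "covered_entity" | "business_associate" | "none" | "individual"


@dataclass(frozen=True)
class Step:
    number: int
    description: str
    source: Steward
    target: Steward
    data_classes: frozenset              # subset of {"PHI", "CONSUMER", "SUD_PART2"}
    patient_authorization: bool = False  # HIPAA authorization for disclosure outside HIPAA
    part2_consent: bool = False          # 42 CFR Part 2 consent for SUD treatment data


def applicable_regulations(step):
    """Regimes that attach to one hand-off, derived from the parties and data classes."""
    regs = set()
    if "SUD_PART2" in step.data_classes:
        regs.add("42 CFR Part 2")
    for party in (step.source, step.target):
        if party.hipaa_status in HIPAA_REGULATED:
            regs.add("HIPAA")
        elif party.hipaa_status == "none":
            regs.add("FTC")
    return sorted(regs)


def compliance_gaps(step):
    """Hand-offs that need a consent or authorization the lifecycle does not record."""
    gaps = []
    if step.source.hipaa_status == "individual":
        return gaps  # patient-directed sharing of one's own record is not a disclosure gap
    if ("PHI" in step.data_classes
            and step.source.hipaa_status in HIPAA_REGULATED
            and step.target.hipaa_status == "none"
            and not step.patient_authorization):
        gaps.append("PHI leaves HIPAA-regulated stewardship without patient authorization")
    if "SUD_PART2" in step.data_classes and not step.part2_consent:
        gaps.append("42 CFR Part 2 data redisclosed without Part 2-specific consent")
    return gaps


def analyze(steps):
    """One row per lifecycle step: steward pair, applicable regimes, and gaps."""
    return [
        {
            "step": s.number,
            "stewards": (s.source.name, s.target.name),
            "regulations": applicable_regulations(s),
            "gaps": compliance_gaps(s),
        }
        for s in steps
    ]


def gap_count(steps):
    return sum(len(compliance_gaps(s)) for s in steps)


# Constructed stewards (statuses are assumptions for the example).
MED_GROUP = Steward("Med Group (PCP)", "covered_entity")
PHARMACY = Steward("Pharmacy", "covered_entity")
APP_VENDOR = Steward("App vendor", "business_associate")  # assumed BA of the med group
PT = Steward("Physical therapist", "none")                 # non-HIPAA-covered provider
NUTRITIONIST = Steward("Nutritionist", "none")
PATIENT = Steward("Patient", "individual")

# Constructed lifecycle, loosely following the deck's mobile diabetes app scenario.
LIFECYCLE = [
    Step(1, "Visit summary sent from PCP EHR to app", MED_GROUP, APP_VENDOR, frozenset({"PHI"})),
    Step(2, "App pushes visit summary to PT", APP_VENDOR, PT, frozenset({"PHI"})),
    Step(3, "Patient shows app content to nutritionist", PATIENT, NUTRITIONIST,
         frozenset({"PHI", "CONSUMER"})),
    Step(4, "PCP shares SUD treatment note with PT", MED_GROUP, PT, frozenset({"PHI", "SUD_PART2"})),
    Step(5, "Script sent by PCP to pharmacy", MED_GROUP, PHARMACY, frozenset({"PHI"})),
]


if __name__ == "__main__":
    for row in analyze(LIFECYCLE):
        flag = "GAP" if row["gaps"] else "ok "
        print(f"[{flag}] step {row['step']}: {row['stewards'][0]} -> {row['stewards'][1]}"
              f" | {', '.join(row['regulations'])}")
        for g in row["gaps"]:
            print("       -", g)
```

Running the script prints one line per step with the regimes that attach and any gaps underneath; in the constructed lifecycle, steps 2 and 4 are flagged and step 3 is not, because the patient is sharing their own record. Adding a `patient_authorization=True` or `part2_consent=True` to a step clears the corresponding gap, which is the diligence question to ask the target company for each hand-off.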
Regulatory Concerns
Understanding Overlapping Jurisdictions & Regulations
• Federal Trade Commission – Prohibits unfair and deceptive trade practices
• Office of Civil Rights / HHS – Oversees HIPAA compliance
• Food and Drug Administration – Protects patient safety
• Federal Communications Commission – Oversees the airwaves (texting)
• State Law
[Diagram: the same ecosystem of actors (Acute Care, Primary Care Provider, Pharmacy, Physical Therapist, Employee Wellness Program, Payer, Nutritionist) around the mobile device / application]
Example: Behavioral Health Data in CA
• Multiple laws apply to behavioral health data depending on circumstances
• Need to triangulate data provenance, purpose of use, and user
• KISS by meeting the highest level of requirements (or not touching certain data), but customers increasingly expect both policy-based and role-based controls
• Due diligence requires drilling down to fully understand the laws and regulations governing relevant data use (it’s not just HIPAA!)
Scenarios illustrated: sharing mental health data with a physical health provider; sharing substance use disorder data with a physical health provider
Due Diligence for Technology
Networks of Networks
Standards-Based Design for Health IT
• Technology standards for performance and interoperability
• Data standards to talk the same language
• Standards-based design for scalability
• Participation in regional, state, and national networks for data sharing
Evaluating Current Footprint
Columns: Product | Current Clients | Use Cases | Current Connections: Data In | Current Connections: Data Out | Data Management (Normalization, etc.)
Mobile Diabetes App | Employer Wellness Program | Care Coordination and Wellness | Source: PCP EHR; Method: FHIR API call | Target: PCP EHR; Method: FHIR API call | Extract: Simple; Import: Simple
Mobile Diabetes App | Employer Wellness Program | Medication management / reconciliation | Source: Pharmacy; Method: HL7 2.3.1 feed | Target: Pharmacy; Method: HL7 2.3.1 feed | Extract: Moderate; Import: Complex
Mobile Diabetes App | Employer Wellness Program | Physical therapy (Non-HIPAA covered provider) | Source: PT EHR; Method: Flat files via S-FTP | Target: PT EHR; Method: Flat files via S-FTP | Extract: Complex; Import: Very Complex
Evaluating Standards-Based Design
Columns: Product | Data Model | Data Exchange Model | Applicable Communication Standards | Applicable Data Standards | Applicable National Data Networks
Pharmacy Data Management System | HL7 2.3.1-based | VPN-based HL7 message “streams” | Met | Meets legacy HL7 2.3.1 standards, but not the more current 2.5.1 standard | Not supported
Electronic Health Record | FHIR | Proprietary API | Met, although proprietary API may pose problems | Uses new standard, which some systems do not natively support | Supported
Physical Therapy EHR | SQL | S-FTP flat-file “interface” | Met, although transmission method is less than ideal | Does not meet standards | Not supported
Health IT Product Coherence
• Does the product suite address an important problem set in a coherent manner?
– Does it make sense to customers? If yes, you’ve got a market segment!
– Sometimes comprehensive is right: try telling your EHR vendor not to boil the ocean
– Excel in a niche + interoperability = plug and play, with potential to increase scale and scope
• The Goldilocks Zone: integrated services with modular options is often… just right
Data Life Cycle and Chain of Stewardship
Source: Kahn, Michael G., et al., “Transparent Reporting of Data Quality in Distributed Data Networks,” eGEMS, March 2015.
Chain of stewardship: Outpatient Clinic EHR → Health System Clinical Data Repository → Shared Database (e.g. HIE) → Analytics / Reporting Tool → State Registry
Where does the product fit?
Due Diligence for Security
Why is Security so Critical to Healthcare?
• Trust is a critical asset in healthcare
• Data exchange is unavoidable
• Medical records have high personal and black market value
FTC Start with Security Guidance
• Start with security
• Control access to data sensibly
• Require secure passwords and authentication
• Store sensitive personal information securely and protect it during transmissions
• Segment your network and monitor who is trying to get in and out
• Secure remote access to your network
• Apply sound security practices when developing new products
• Make sure your service providers implement reasonable security standards
• Put procedures in place to keep your security current and address vulnerabilities that may arise
• Secure paper, physical media, and devices
Lessons learned from 50+ data security related enforcement actions
National Institute of Standards & Technology
NIST guidance referenced: De-identification, Encryption, Wireless Security
Security Standards / Certifications
Governmental and private certifications (e.g. SSAE 16)
Must Haves for Security Due Diligence
• Security Risk Assessment
• Enforceable and documented policies and procedures
• Comprehensive system security plan
• Awareness training
• Control of third-party risk
• Privacy and security by design
Practical Takeaways
General Due Diligence Key Takeaways
• Start Due Diligence Early
• Meet with Senior Leadership
• Develop and Execute Against a Gameplan
• Enlist Support of Advisors/Counsel
• Foster Cooperation and Streamline Process
• Prepare, Prepare, Prepare
Evaluating Compliance Through the Data Lifecycle
Columns: Product | Privacy Issues | Regulatory Issues | Technology Issues | Security Issues
Pharmacy Data Management System | MINOR – Few data fields contain patient data | MINOR – Little sensitive regulated data | MODERATE – Not regulated by Meaningful Use | MINOR – Contains some sensitive data
Electronic Health Record | MODERATE – Falls within HIPAA TPO; few consents necessary | MAJOR – HIPAA regulated, contains PHI | MINOR | MAJOR – Often contains sensitive data, common point of attack
Physical Therapy EHR | MODERATE – Patient consents for PHI and PII necessary | MINOR – Some sensitive data is HIPAA regulated | MODERATE – Not regulated by Meaningful Use | MINOR – Rarely contains sensitive data
Mobile Diabetes App | MODERATE – Consents for PHI and PII necessary | MAJOR – Complex multiple regulations (FTC, FDA, HIPAA) | MAJOR – Not regulated by Meaningful Use, needs to integrate with a large number of external systems | MODERATE – Used by consumers / mobile security a new area
Questions
Please be sure to complete the online session evaluation!
Sharon R. Klein, JD, Partner, Pepper Hamilton LLP
Mark Elson, PhD, Principal, Intrepid Ascent