Due Diligence for Health IT Investments · 2018. 2. 14. · 1 Due Diligence for Health IT...


Due Diligence for Health IT Investments

Session #31, March 6, 2018

Sharon Klein, Partner, Pepper Hamilton

Mark Elson, Principal, Intrepid Ascent


Conflict of Interest

Sharon Klein, JD has no real or apparent conflicts of interest to report.


Conflict of Interest

Mark Elson, PhD has no real or apparent conflicts of interest to report.


Agenda

• Introduction

• Due Diligence for Privacy

• Regulatory Concerns

• Due Diligence for Technology

• Due Diligence for Security

• Practical Takeaways

• Q&A


Learning Objectives

• Identify the unique data rights, intellectual property, privacy and security, and regulatory concerns associated with mergers and acquisitions involving health information

• Demonstrate data mapping analysis to show how data is collected, used, stored, transferred and destroyed, and how data rights may impact a transaction

• Demonstrate an approach to evaluating an application’s architecture in the data review process and the degree to which it is standards-based, a critical factor for scalability, interoperability and privacy and security

• Explain solutions for startups throughout the data lifecycle to facilitate increased valuations, as well as discussing red flags for investors that could impact a deal


The Context for Innovation: Productive Constraints

• Value-based payment

• Protect privacy while integrating care


Standard Due Diligence

• Legal/Litigation

• Financial

• Intellectual Property

• Assets/Indebtedness

• Buildings/Environmental

• Material Contracts

• Employees/Operations


Health IT is Different

Regulatory Focus

• HIPAA

• CMS / Stark / Anti-kickback

• Consents

• Meaningful Use

• State Law

Operational Focus

• Data Rights – Life Cycle of Data

• Security

• Architecture

• Third Party Software Development / Support

• Interoperability

• Scalability

• Distinct Data Classifications (e.g. 42 CFR Part 2)


Due Diligence Process

Why are you buying/selling the company?

• Product

• People

• Data

[Figure (untitled): diagram of the parties in the mobile diabetes app example used throughout the deck: Acute Care, Primary Care Provider, Pharmacy, Mobile Device / Application, Physical Therapist, Employee Wellness Program, Payer, Nutritionist]


Due Diligence for Privacy / Data


Acquisition of Data Rights

What kind of data?

• Consumer data

• PHI

• Performance metadata

What do you want to do with the data?

• Internal use

• Commercialize


Data Ownership

Considerations

• Rights flow from terms of the contract with the individual

• Transferability and user consents

• Rights limited by legal rules (privacy/digital advertising)

• Rights limited by company’s compliance standards

• Financials and ROI


Data Ownership Versus Stewardship

• Ownership

– Intellectual property inventor; holder of contractual rights to data

• Stewardship

– Responsibility to manage and protect data at some stage of the data life cycle (e.g. as a Business Associate)

• Balance of data rights

– Vendor / developer

– Patient / individual

– Healthcare institution


Monetization of Data

Types of Monetization

• Digital touchpoints along lifecycle

• Aggregation with third party data

• Sale of data for lead generation / advertising


Evaluating Compliance Through the Data Lifecycle – Mobile Diabetes App

(Columns on the slide: Example Data Lifecycle, Data Steward(s), Applicable Regulations, Issues / Gaps in Compliance. The Issues / Gaps column is blank on the slide.)

Step 1: Visit summary submitted to app from PCP’s EHR
  Data steward(s): Med Group
  Applicable regulations: HIPAA

Step 2: Person accesses clinical data in app and requests prescription
  Data steward(s): Employer and Patient
  Applicable regulations: HIPAA, FTC

Step 3: Payer accesses app and approves physical therapist
  Data steward(s): Payer
  Applicable regulations: HIPAA

Step 4: Script sent by PCP to pharmacy via app; fill data sent to app
  Data steward(s): Employer, Med Group, and Pharmacy
  Applicable regulations: HIPAA, FTC

Step 4: Person schedules appt. with physical therapist; visit summary returned to app
  Data steward(s): Employer and Physical Therapist
  Applicable regulations: HIPAA, FTC

Step 5: Person works with Nutritionist and shows them app content
  Data steward(s): Patient
  Applicable regulations: FTC

Step 6: PCP accesses recent history in app via tab in EHR
  Data steward(s): Med Group and Employer
  Applicable regulations: HIPAA


Regulatory Concerns


Understanding Overlapping Jurisdictions & Regulations

• Federal Trade Commission – Prohibits unfair and deceptive trade practices

• Office of Civil Rights / HHS – Oversees HIPAA compliance

• Food and Drug Administration – Protects patient safety

• Federal Communications Commission – Oversees the airwaves (texting)

• State Law

[Figure: the same mobile diabetes app diagram (Acute Care, Primary Care Provider, Pharmacy, Mobile Device / Application, Physical Therapist, Employee Wellness Program, Payer, Nutritionist), shown again under Regulatory Concerns]


Example: Behavioral Health Data in CA

• Multiple laws apply to behavioral health data depending on circumstances

• Need to triangulate data provenance, purpose of use, and user

• KISS by meeting the highest level of requirements (or not touching certain data), but customers increasingly expect both policy-based and role-based controls

• Due diligence requires drilling down to fully understand the laws and regulations governing relevant data use (it’s not just HIPAA!)


CA State Health Information Guidance (SHIG)

http://bit.ly/CALSHIG

[Figure: Sharing Mental Health Data with a Physical Health Provider]

[Figure: Sharing Substance Use Disorder Data with a Physical Health Provider]


Due Diligence for Technology


Networks of Networks


Standards-Based Design for Health IT

• Technology standards for performance and interoperability

• Data standards to talk the same language

• Standards-based design for scalability

• Participation in regional, state, and national networks for data sharing


Evaluating Current Footprint

(Columns on the slide: Product, Current Clients, Use Cases, Current Connections: Data In, Current Connections: Data Out, Data Management (Normalization, etc.))

Product: Mobile Diabetes App; Current clients: Employer Wellness Program
  Use case: Care Coordination and Wellness
  Data in: Source: PCP EHR; Method: FHIR API call
  Data out: Target: PCP EHR; Method: FHIR API call
  Data management: Extract: Simple; Import: Simple

Product: Mobile Diabetes App; Current clients: Employer Wellness Program
  Use case: Medication management / reconciliation
  Data in: Source: Pharmacy; Method: HL7 2.3.1 feed
  Data out: Target: Pharmacy; Method: HL7 2.3.1 feed
  Data management: Extract: Moderate; Import: Complex

Product: Mobile Diabetes App; Current clients: Employer Wellness Program
  Use case: Physical therapy (Non-HIPAA covered provider)
  Data in: Source: PT EHR; Method: Flat files via S-FTP
  Data out: Target: PT EHR; Method: Flat files via S-FTP
  Data management: Extract: Complex; Import: Very Complex


Evaluating Standards-Based Design

(Columns on the slide: Product, Data Model, Data Exchange Model, Applicable Communication Standards, Applicable Data Standards, Applicable National Data Networks)

Pharmacy Data Management System
  Data model: HL7 2.3.1-based
  Data exchange model: VPN-based HL7 message “streams”
  Communication standards: Met
  Data standards: Meets legacy HL7 2.3.1 standards, but not more current 2.5.1 standard
  National data networks: Not supported

Electronic Health Record
  Data model: FHIR
  Data exchange model: Proprietary API
  Communication standards: Met, although proprietary API may pose problems
  Data standards: Uses new standard, some systems do not natively support
  National data networks: Supported

Physical Therapy EHR
  Data model: SQL
  Data exchange model: S-FTP flat-file “Interface”
  Communication standards: Met, although transmission method is less than ideal
  Data standards: Does not meet standards
  National data networks: Not Supported
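For the data-standards column above, a reviewer can confirm which HL7 version each feed actually declares instead of relying on the vendor questionnaire. The following is an added Python example, not code from the presentation or from either presenter's firm: it parses only the MSH header segment of HL7 v2 messages, reads the version ID from MSH-12, and flags feeds below a 2.5.1 baseline. The feed names, system names and messages are constructed for the example, and the set of versions treated as current is an assumption a given review would set for itself.

```python
"""Inventory the HL7 v2 versions that sample interface feeds actually declare.

Added illustration for the standards-based design review; not code from the
presentation or either presenter's firm. It reads only the MSH (message
header) segment, which carries the sending system and the HL7 version in
MSH-12, and flags versions older than the review's baseline. The messages and
system names below are constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass

# Baseline: the slide treats HL7 2.3.1 as legacy and 2.5.1 as current.
# Accepting 2.5.1 and later is an assumption of this example, not a standard.
CURRENT_VERSIONS = {"2.5.1", "2.6", "2.7", "2.7.1", "2.8", "2.8.1", "2.8.2", "2.9"}

# Constructed sample feeds, one message each (segments end in \r per HL7 v2).
SAMPLE_FEEDS = {
    "pharmacy_rx": (
        "MSH|^~\\&|PHARMSYS|RETAILRX|DIABAPP|WELLNESS|20180306120000||RDE^O11"
        "|MSG0001|P|2.3.1\r"
        "PID|1||123456^^^RETAILRX^MR||DOE^JANE\r"
    ),
    "acute_care_adt": (
        "MSH|^~\\&|HIS|ACUTECARE|DIABAPP|WELLNESS|20180306120500||ADT^A04^ADT_A01"
        "|MSG0002|P|2.5.1^USA\r"
        "PID|1||987654^^^ACUTECARE^MR||DOE^JANE\r"
    ),
}


@dataclass(frozen=True)
class MshSummary:
    sending_app: str
    sending_facility: str
    message_type: str
    version: str
    legacy: bool


def parse_msh(message: str) -> MshSummary:
    """Parse the MSH segment and report the feed's declared HL7 version.

    MSH is unusual: the field separator is the fourth character of the
    segment and counts as MSH-1, so after splitting on it the list index is
    the field number minus one (fields[11] is MSH-12).
    """
    segments = message.replace("\r\n", "\r").replace("\n", "\r").split("\r")
    first = segments[0]
    if not first.startswith("MSH") or len(first) < 4:
        raise ValueError("message does not begin with an MSH segment")
    field_sep = first[3]
    fields = first.split(field_sep)
    if len(fields) < 12 or not fields[11]:
        raise ValueError("MSH segment has no version ID in MSH-12")
    # MSH-2 lists the encoding characters; the first is the component separator.
    comp_sep = fields[1][0] if fields[1] else "^"
    # MSH-12 may carry extra components (e.g. 2.5.1^USA); keep only the version ID.
    version = fields[11].split(comp_sep)[0].strip()
    return MshSummary(
        sending_app=fields[2],
        sending_facility=fields[3],
        message_type=fields[8],
        version=version,
        legacy=version not in CURRENT_VERSIONS,
    )


def legacy_feeds(feeds: dict[str, str]) -> list[str]:
    """Return the names of feeds whose declared version is below the baseline."""
    return sorted(name for name, msg in feeds.items() if parse_msh(msg).legacy)


if __name__ == "__main__":
    for name, msg in SAMPLE_FEEDS.items():
        s = parse_msh(msg)
        flag = "LEGACY" if s.legacy else "ok"
        print(f"{name}: {s.sending_app}@{s.sending_facility} {s.message_type} "
              f"v{s.version} [{flag}]")
    print("feeds needing remediation:", legacy_feeds(SAMPLE_FEEDS))
```

Run it over a handful of messages captured from each feed in the footprint table rather than over vendor documentation: a declared 2.3.1 on the pharmacy feed is exactly the gap the table records, and a message whose MSH-12 is empty or malformed is itself a finding worth recording, which is why the parser raises instead of guessing.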


Health IT Product Coherence

• Does the product suite address an important problem set in a coherent manner?

– Does it make sense to customers? If yes, you’ve got a market segment!

– Sometimes comprehensive is right: try telling your EHR vendor not to boil the ocean

– Excel in a niche + interoperability = plug and play, with potential to increase scale and scope

• The Goldilocks Zone: Integrated services with modular options is often… just right

Data Life Cycle and Chain of Stewardship

Source: Kahn, Michael G., et al., “Transparent Reporting of Data Quality in Distributed Data Networks,” eGEMS, March 2015.

[Figure: chain of stewardship diagram; stages shown: Outpatient Clinic EHR, Health System Clinical Data Repository, Shared Database (e.g. HIE), Analytics / Reporting Tool, State Registry]

Where does the product fit?


Due Diligence for Security


Why is Security so Critical to Healthcare?

• Trust is a critical asset in healthcare

• Data exchange is unavoidable

• Medical records have high personal and black market value


FTC Start with Security Guidance

• Start with security

• Control access to data sensibly

• Require secure passwords and authentication

• Store sensitive personal information securely and protect it during transmissions

• Segment your network and monitor who is trying to get in and out

• Secure remote access to your network

• Apply sound security practices when developing new products

• Make sure your service providers implement reasonable security standards

• Put procedures in place to keep your security current and address vulnerabilities that may arise

• Secure paper, physical media, and devices

Lessons learned from 50+ data security related enforcement actions


National Institute of Standards & Technology

• De-identification

• Encryption

• Wireless Security


Security Standards / Certifications

[Figure: governmental and private security certifications; SSAE 16 is the one named in the slide text]


Must Haves for Security Due Diligence

• Security Risk Assessment

• Enforceable and documented policies and procedures

• Comprehensive system security plan

• Awareness training

• Control of third-party risk

• Privacy and security by design


Practical Takeaways


General Due Diligence Key Takeaways

• Start Due Diligence Early

• Meet with Senior Leadership

• Develop and Execute Against a Gameplan

• Enlist Support of Advisors/Counsel

• Foster Cooperation and Streamline Process

• Prepare, Prepare, Prepare


Evaluating Compliance Through the Data Lifecycle

(Columns on the slide: Product, Privacy Issues, Regulatory Issues, Technology Issues, Security Issues)

Pharmacy Data Management System
  Privacy: MINOR – Few data fields contain patient data
  Regulatory: MINOR – Little sensitive regulated data
  Technology: MODERATE – Not regulated by Meaningful Use
  Security: MINOR – Contains some sensitive data

Electronic Health Record
  Privacy: MODERATE – Falls within HIPAA TPO; few consents necessary
  Regulatory: MAJOR – HIPAA regulated, contains PHI
  Technology: MINOR
  Security: MAJOR – Often contains sensitive data, common point of attack

Physical Therapy EHR
  Privacy: MODERATE – Patient consents for PHI and PII necessary
  Regulatory: MINOR – Some sensitive data is HIPAA regulated
  Technology: MODERATE – Not regulated by Meaningful Use
  Security: MINOR – Rarely contains sensitive data

Mobile Diabetes App
  Privacy: MODERATE – Consents for PHI and PII necessary
  Regulatory: MAJOR – Complex multiple regulations (FTC, FDA, HIPAA)
  Technology: MAJOR – Not regulated by Meaningful Use, needs to integrate with a large number of external systems
  Security: MODERATE – Used by consumers / mobile security a new area


Questions

Please be sure to complete the online session evaluation!

Sharon R. Klein, JD, Partner, Pepper Hamilton LLP ([email protected])

Mark Elson, PhD, Principal, Intrepid Ascent ([email protected])