health care it legal issues

[email protected]

HEALTH CARE IT LEGAL ISSUES

Lisa Abe-OldenburgBennett Jones LLP

IT.Can Roundtable

October 29, 2012

Index

1. Enabling IT from Mobile Devices: mHealth, mDevices and Telemedicine.

2. Current Hot Topics in Health Care IT Contracting.

3. Medical management System Architecture.

1. Enabling IT from Mobile Devices: mHealth, mDevices and Telemedicine.

“If the Internet is humanity's planetary nervous system, we are now building our planetary immune system,” Dr Nathan Wolfe.

mHealth

In the early manifestations of health care, African villagers used smoke signals to warn people to stay away from the village in case of serious disease. In the early 1900s, people living in remote areas in Australia used two-way radios, powered by a dynamo driven by a set of bicycle pedals, to communicate with the Royal Flying Doctor Service of Australia. Care at a distance (also called ''in absentia'' care), was also often conducted via post.

Today, the provision of health care or health-related information can be provided through the use of mobile devices (typically mobile phones but also other specialized medical mobile devices such as wireless monitors). There are 6 billion mobile phones in use worldwide.1 Mobile devices are ubiquitous and personal and the nature of mobility provides users with 24x7 anywhere access to networks and information. The health care sector can benefit from the pre-existing investment and development that has already been made into network infrastructure, connectivity, user interfaces, hardware, IT, billing models and user training. So much computing power and communication already exists in the hands of so many people. It is only natural that mobile devices become a vital part of health care.

Dr. Wolfe sees great potential in the mobile phone. When he visits remote parts of the Congo not connected by road or electricity grid, he often finds that locals are able to use a mobile-phone service, recharging their phones at night using portable generators. He recently left his post at

1 According to the International Telecommunication Union, there were 5.98 billion mobile phones in use at the end of 2011.

C:\My Docs\Paper by Lisa Abe-Oldenburg on Healthcare IT Legal Issues for IT.Can Conference Oct 29-30 2012.docx

- 2 [email protected]

the University of California, Los Angeles, to head the Global Viral Forecasting Initiative (GVFI). Since most deadly viruses, like HIV and SARS, originate in wild animals, his team is developing a software system to offer hunters of bushmeat who are in constant contact with such animals, a tiny financial reward to send an SMS message letting him know when they are ill, which would provide a useful early warning. Health workers would then be sent to test the ailing person to see if there is cause for alarm.2

Wireless communication systems, hand held devices, mass data storage and cloud computing will revolutionize health care to become more patient-centric, allowing for care anywhere and precision-based medicine, by providing personalized, participatory, predictive and preventive toolkits that will help patients manage genetic vulnerabilities, chronic illness, and episodic acute conditions.

As a result of demographic changes, such as ageing and chronic illness, the public sector is recognizing a need to optimize access and quality of care, and is driving regulatory reform to partner with the private sector for innovation, efficiency, improved outcomes and cost reduction. Much of this innovation is being achieved through the adoption of mobile technologies, which are being developed and deployed more rapidly in emerging markets than developing countries.

In developed countries, health care systems are hospital-centric, focusing largely on acute care even while chronic conditions dominate the disease load In emerging markets however, inadequate health infrastructure limits are driving growth in mobile health care as a means of providing access to much-needed health services, where patients were previously poorly served, or not served at all.

Mobile applications and services can include, among other things, remote patient monitors, video conferencing, online or text decision support/consultations, personal health care devices, wireless access to patient records and prescriptions, text reminders, coaching and demonstrations/explanations, drug adherence and verification, general health and wellness data gathering and monitoring.

As an example, in Africa, mPedigree operates a program in partnership with the principal telecom operators, leading pharmaceutical industry associations and Fortune 500 technology companies, to empower African patients and consumers to protect themselves from the fatal effects of pharmaceutical counterfeiting. The mPedigree mobile health platform allows consumers purchasing drugs to text (via SMS) at no cost (via their own or a shared mobile phone) a coded number on the packaging and receive instant verification, which will either confirm that the product is legitimate or warn that it is counterfeit. The UN estimates that roughly half of the anti-malarial drugs sold in Africa—worth some $438 million a year—are counterfeits. The WHO has been working with government agencies and manufacturers around the world to create a database of products, giving each packet of medicine a new number. A new initiative from mobile phone company Orange (part of France Telecom), allows for tracking of drugs at any point in the distribution pipeline using widely available and relatively inexpensive technology. According to mPedigree, counterfeit drugs cause at least 700,000 deaths annually.3

2 "A Doctor in your Pocket", The Economist, April 16, 2009.3 http://mpedigree.net/



Counterfeit drugs used to be a problem for poor countries. Now they threaten the rich world too.4 Through the use of mobile technology, hundreds of thousands of lives will be saved and counterfeiters can be caught and brought to justice.

mDevices

The use of mobile devices on wireless sensor networks (WSN) in health care is flourishing. Applications of wireless sensor technologies, devices, services and tools, can help monitor the health status of patients, providing prevention and early intervention, feedback and coaching, in order to reduce costs associated with chronic conditions that are the leading cause of disability globally and which put an enormous strain on most health care systems.

Mobile devices that can be used to monitor human activities using sensor technology and networks, may be deemed medical devices and subject to regulation as well as licenses5 from regulators in order to be sold in Canada.6 The term "Medical Devices", as defined in the Food and Drugs Act, covers a wide range of health or medical instruments used in the treatment, mitigation, diagnosis or prevention of a disease or abnormal physical condition. Health Canada reviews medical devices to assess their safety, effectiveness and quality before being authorized for sale in Canada. Medical devices may also require certification by the Canadian Nuclear Safety Commission (CNSC), and compliance with radiation emitting regulations, prior to licensing for operational or servicing activities. With the advent of new unproven technologies, regulators will face challenges in seeking a balance between patient safety and potential benefits.

The applications of mobile devices in medical use can be of two types: (i) wearable, and (ii) implanted.

Wearable devices are those that can be used on the body surface of a human or just at close proximity of the user. Some of the wearable medical devices and applications are: temperature measurement, respiration monitor, heart rate monitor, pulse meter, blood pressure monitor, glucose sensor, etc.

The implantable medical devices are those that are inserted inside the human body. These devices and their applications include for example: cardiac arrhythmia monitor/recorder, brain liquid pressure sensor, endoscopic capsules, etc.

The non-medical devices and their applications in the area of health care can include real-time video streaming and real-time audio streaming. Besides the typical scope of monitoring applications in health care facilities, there are other uses such as remote controlled applications, data file transfer, measuring body positions and location of the patient, and at home monitoring.

4 "Poison Pills", The Economist, 2 September 2010.5 In Canada, certain devices must have a Medical Device Licence before they can be sold. To determine which devices need a Licence, all medical devices have been categorized based on the risk associated with their use. This approach means that all medical devices are grouped into four classes with Class I devices presenting the lowest potential risk (e.g. a thermometer) and Class IV devices presenting the greatest potential risk (e.g. pacemakers). Prior to selling a device in Canada, manufacturers of Class II, III and IV devices must obtain a Medical Device Licence. Although Class I devices do not require a Licence, they are monitored through Establishment Licences.6 The Therapeutic Products Directorate (TPD) applies the Food and Drug Regulations and the Medical Devices Regulations under the authority

of the Food and Drugs Act to ensure that the pharmaceutical drugs and medical devices offered for sale in Canada are safe, effective and of high quality. The TPD also administers fee regulations for drugs and medical devices under the authority of the Financial Administration Act.



To address the growing use of sensor technology in this area, a new field known as wireless body area networks (WBAN or simply BAN) has emerged. Also, a new concept of "people centric" and "urban" wireless sensor networking has been proposed and is gaining momentum.

Radio Frequency Identification (RFID) and Wireless Sensor Network (WSN) are two important wireless technologies that have wide variety of applications and provide unlimited future potentials most especially in health care systems. RFID is used to detect presence and location of objects while WSN is used to sense and monitor the environment. Integrating RFID with WSN not only provides identity and location of an object but also provides information regarding the condition of the object carrying the sensor enabled RFID tag.

As most devices and their applications are wireless in nature, security and privacy are among major areas of concern. The direct involvement of humans also increases the sensitivity. Whether the data gathered from patients or individuals is obtained with the consent of the person or without it due to the need by the system, misuse or privacy concerns may restrict people from taking advantage of the full benefits from the system. Also of concern is the risk of serious personal injury. People may not see these devices safe for daily use. Public fear that such devices may be used for monitoring and tracking individuals by government agencies or other private organizations and that those devices could be tampered with or contain defects, raises policy issues, will require strict regulation and contracts that fairly allocate liability risk for vendors and suppliers.7

Telemedicine

In the health care sector, many organizations and/or health care professionals use telemedicine to facilitate access to health care for patients. However, many more are using it to increase access to distance education opportunities or to reduce the amount of travel and cost involved in attending meetings.

"Telemedicine" has been defined as the use of telecommunications technologies to create audio/visual linkages between physicians and patients in different locations, in actual or stored time.

The benefits of telemedicine include improving access and quality of care, by having the right provider in the right place at the right time. The Ontario Telemedicine Network (OTN) is one of the largest telemedicine networks in the world. More than 3,000 health care professionals in more than 1175 sites across the province use OTN to deliver care to their patients. This year, OTN will deliver more than 135,000 patient visits.

Using two-way videoconferencing, OTN provides access to care for patients in every hospital and hundreds of other health care locations across the province. OTN offers a full range of telemedicine services, including videoconferencing, webcasting, store forward and telehomecare to meet various clinical, educational and administrative needs.

7 Security and Privacy Issues in Wireless Sensor Networks for Health Care Applications, Moshaddique Al Ameen, Jingwei Liu and Kyungsup Kwak, Journal of Medical Systems, Volume 36, Number 1 (2012), 93-101, DOI: 10.1007/s10916-010-9449-4.



Areas where Telemedicine is being used include Teleneurology,8 Teleradiology, Telepathology, Teledermatology,9 Telecardiaology, Telepsychiatry, Teleopththalmology and Fetal Monitoring.

The connectivity of telemedicine involves telecommunications systems, and in particular phone lines, Internet, satellite and wireless communications.

One of the major concerns with any mobile or tele-medicine application is the issue of privacy and data security. In Ontario, personal health information is subject to the requirements of the federal Privacy legislation as well as the Personal Health Information Protection Act, 2004. Other provinces have similar legislation.

Another issue is the regulation of medical professionals across jurisdictional borders. The College of Physicians and Surgeons of Ontario ("CPSO"), which regulates doctors in the province, recognizes that telemedicine enables physicians to deliver health services across provincial/territorial and international borders. In many cases, physicians in Ontario refer patients or provide patients’ information to a specialist located outside of the province. Where this occurs and the physician outside of the province is not registered with the CPSO, the CPSO expects the physician in Ontario to inform the patient of that fact and that any potential complaint would need to be considered outside of the province (for example, in the jurisdiction of the specialist). Providing this information is part of the process for obtaining the patient’s informed consent to the medical consultation.

For Ontario physicians providing care to patients outside of the province via telemedicine, the CPSO suggests that they:

comply with the licensing requirements of any province/territory/country in which they are providing medical services; and

in addition, understand that the CPSO maintains jurisdiction over its members wherever they may practice and therefore is required to review any complaint made to it about a member, even if made by a patient located in another jurisdiction.

This is based on the principle that patients must be protected from harm and physicians held accountable for the quality of services they perform. Ontario physicians with a certificate of registration in another jurisdiction should also be aware that the CPSO may review concerns arising in the other jurisdiction and may take action with respect to the physician’s certificate of registration in Ontario.

Telemedicine is in a constant state of evolution. The innovative technologies in telemedicine provide endless opportunities for developing new approaches to the delivery of health services. In recognizing the tremendous potential for growth in this area, the CPSO acknowledges that telemedicine will likely be one of the greatest influences on the way medicine is practiced in the

8 The Telestroke Program of the OTN provides stroke patients in remote areas of the province with 24/7 access to life-saving emergency care that they might not receive without this real-time expert neurological assessment. Emergency Physicians use OTN to connect with neurologists to obtain urgent diagnosis and treatment advice, including the administration of time-sensitive medication. 9 Otn.teledermSF allows a health care professional to take a digital image of a skin condition and upload it along with pertinent patient data to a secure server. An Ontario-based dermatologist accesses the server to review the information, returning a diagnosis and suggested treatment to the referrer– all without a long wait, added costs or travel time for patients.



future. For this reason, the CPSO will continue to monitor future developments and provide updates, in particular, on jurisdictional issues and certificates of registration. It also views telemedicine as an impetus for the future development of a national medical registry.

2. Current Hot Topics in Health Care IT Contracting.

Most national health systems are both vast and fragmented. Technology still presents challenges for mHealth adopters. Both doctors and payors list privacy and security concerns as leading barriers to greater use of mHealth, and only around half of doctors believe that the mobile Internet facilities at their workplace are reasonably secure. Poor integration also impedes uptake. Just 53% of doctors say that the mHealth applications and services they use work with their organization's IT, and even fewer say they are integrated with technology in other parts of the health system, such as other hospitals and clinics.10 Integration of new systems, software and technologies give rise to a host of integration issues, which must be managed through adequate design, implementation, testing, correction, change and governance processes. Contracts must set realistic and measurable boundaries on each party's obligations and liability, in particular for personal injury.

The move to a more patient-centric health care model requires leadership and co-ordination among all stakeholders – physicians, hospitals, health insurers, pharmaceuticals, medical device companies and government. In order to achieve desired results, conventional business models and contracts typically will not work. Contract negotiations need to involve all stakeholders and will likely shift their focus to clinical outcomes, value and patient satisfaction. The following key principles will need to be addressed in health care IT contracts:

Interoperability – representations, warranties and covenants as to interoperability of IT with sensors and other mobile and non-mobile devices, networks and systems, to share vast amounts of data with other applications, such as electronic health records and existing health care plans.

Integration – services and deliverables to include integration activities and work products of providers and users.

Qualitative Solutions – deliverables to be problem solving, real-time, qualitative solutions that realize measurable productivity gains. Outcomes to provide a return on investment not just in terms of cost but also access and quality of care based on health care objectives.

Socialization – terms dealing with sharing of information, privacy, security and data access and retention across a broad community.

Service Levels - that enable patient involvement and the provision of ubiquitous and instant feedback.

10 "Emerging mHealth: Paths for Growth", a PwC survey and study of the mobile health market.



Scalability and portability require open modular architecture and vendors are increasing the use of cloud computing and open source technologies to deliver IT services and systems. Peter Neupert of Microsoft argues that the rise of cloud computing (providing data storage and processing over the Internet), will be “transformative” for wireless health.11

However, cloud computing and open source technologies pose several risks, such as:

security and privacy breaches, unauthorized access

data mining

uncertainty as to location of data at any point in time

inability to properly audit

cross-border data transfer

difficulty with access to and return of data

vendors' standard cloud computing contract terms and open source licenses don't contain adequate protection for intellectual property, have unreasonably high limits on liability, no warranties or indemnities.

Health care providers will need to assess and manage these risks, as well as seek legal advice in contract negotiations involving innovative technologies.

3. Medical Management System Architecture.

Access to the right information and the automation of complex tasks & workflow is the key focus of medical management systems, enabling freeing the staff to spend more time on caring for patients and extending the reach of services. Such systems (and procurement/outsourcing contracts) need to have the technical and functional specifications, as well as service level requirements (SLAs) of flexibility & scalability, comprehensive report types, ease of customization, intuitive visuals and interactive graphics that simplify complex data analysis and presentation. As well, seasoned professionals with relevant experience in the health care industry, can help consult on, design, develop, configure, integrate and implement the system that incorporates the best health care practices and is designed to deliver key tangible benefits to patients and health care industry stakeholders.

There is a huge spectrum of medical management systems and architecture that has been developed over the past 10-15 years, and continues to be developed to provide solutions in medical office administration, pathology, radiology, pharmaceutical delivery systems, medical records management and other areas. There are increasingly extensive applications of new systems techniques and methods in hospitals, clinics, physician's offices, including communication links between various health care providers, insurers, product suppliers, medical 11 "M-Powered – The Convergence of Mobile Telephony and Health Care is Under Way", The Economist, Nov 11, 2010.



records storage and retrieval and ancillary patient-support systems. With the amalgamation of sciences, existing medical systems are constantly being modified to fit particular circumstances and to solve specific problems.

In a hospital setting, for example, computer hosts are dispersed to different locations in the network. There are generally workstations, personal computers, lap tops, mobile devices, PDAs, modems, switches, hubs, printers, medical equipment, storage archives, servers and host systems all configured to be connected through a LAN, WAN Intranet and the Internet.

In medical management systems, the key functions a system must address include:

Patient administration, such as front office appointments, reservations, registrations, admissions, discharge, payment, back office services, staff scheduling, doctor and nursing station orders, transfers, etc.

Clinical management, such as diagnostic/laboratory, operation theaters, patient indecies, medical records, blood banks, telemedicine, physical management systems, care plans and personnel management, etc.

Resource management, such as pharmacy, general stores, ambulatory, cafeteria, medical equipment and supply chain management, etc.

Financial Management, accounting, payroll, health benefits admin, claims processing, etc.

Information Management, such as clinical decision support, patient data monitoring and safety, medication-use process, research systems, enterprise application management, etc.

With the progress and the development of information technology, the internal data in medical organizations has become extremely valuable and sensitive in electronic format. Moreover, the use of the Internet has enhanced information communication as well as affected the development of the medical information management systems. Such systems are often networks within other networks, and when all are connected together, comprise a vast resource of useful information that can be analyzed for medical research, advancement in health care and improvement of individual health. However, the Internet is considered as a high-risk and public environment which is easily invaded. The data in medical network systems is very sensitive and confidential and it is necessary under the law to protect the personal privacy of electronic patient records, including ensuring data in health care facilities is properly authorization-controlled. As a consequence, medical network systems are considered high security networks that require excellent protections and managerial strategies to prevent the risk of disclosure, misuse of confidential information and external attacks from happening. Health care organizations need to implement secure medical managerial strategies to be applied to the network environment of the medical information system architecture, while allowing the medical system to work smoothly and safely that not only benefits the patients, but also allows the doctors to use it more conveniently, and further promote the overall medical quality. These objectives can be achieved through proper design of the technology, as well as implementation of business processes that minimize managerial mistakes, resulting in highly-reliable medical information systems.



In today's hospitals, the medical workstation is a basic component of any image management and communication system. The design of such component can be very complex, because of the challenging engineering requirements. Architectural models must ensure flexible and portable software platforms upon which medical workstations can be realized. Some current models are based on an overall framework of object oriented programming.12

Biomedical Information Management Systems ("BIMS") is an example of software architecture designed to provide a flexible computational framework to manage the information needs of a wide range of biomedical research projects. The main goal is to facilitate the clinicians’ job in data entry, and researcher’s tasks in data management, in high data quality biomedical research projects.

The architecture methodology required in a health care setting, must be able to manage large amounts of complex and dynamic information. In addition, to be fully functional, flexible and allow modeling and managing of large amounts of heterogeneous biomedical data sets, both textual as well as visual (medical images) information, the architecture would need to be developed as a web-based application.

In Medical Genetic Testing (MGT) Laboratories, there are existing knowledge management (KM) technology weaknesses. Information system (IS) architecture is being developed to establish process automation and content management of the distributed workflow of knowledge generation and knowledge management (KG&KM) during MGT result interpretation. The IS will validate the interpretation decision by using information systems/information technologies (IS/IT), especially KM tools, such as workflow management system (WFMS), search engine and groupware. Once developed and implemented, such integrated systems will significantly improve MGT lab researchers' KG&KM performance through increasing knowledge capture, improving documentation quality and maintaining (if not improving) users' information satisfaction.13

IT contracts for the development and procurement of such systems, require careful consideration of the terms and allocation of risks that are best managed between the parties. In the health care sector, the procurement Directive and guidelines must be followed. Contractual issues need to be analyzed from a legal and business perspective. Contracts need to focus on issues arising in IT development and outsourcing, legal compliance (e.g. privacy), intellectual property ownership and licensing, liability risk allocation, patient outcomes, impacts and results, as well as the functional and technical requirements (including testing) of the IS architecture.

12 A software architecture for medical image processing stations, Boccignone, G. , Chianese, A., De Santo, M., Picariello, A., Image Processing, IEEE International Conference, Nov 1994.13 A System Architecture Design for Knowledge Management (KM) in Medical Genetic Testing (MGT) Laboratories, Gu, Y., Warren, J., Stanek, J., Suthers, G., Computer Supported Cooperative Work in Design, 10th International Conference, May 2006.


health care it legal issues

Documents