HIE Liability and Insurance
Liability continues to be a central concern for HIEs and their stakeholders. In general, liability may arise from the acts or omissions of a party that fails to meet a responsibility or legal duty. Last year, I discovered an excellent resource that summarizes liability coverage issues for Regional Health Information Organizations (RHIOs) that I would like to pass along to readers. Specifically, the Agency for Healthcare Research and Quality (AHRQ) published a Report in June 2009 that looked at key liability issues identified by RHIOs, as well as insurance options.
Here are some of the key points the Report makes regarding liability concerns, as well as a few thoughts of my own:
- Liability for Data Storage and Management. How data is stored and managed (e.g., by the RHIO versus by its participants) will affect the distribution of liability. In general, the more authority and responsibility that the RHIO possesses in connection with the data, the more liability coverage it will need to take on. I agree.
- Liability for Accuracy and Completeness. Both data suppliers and data users are concerned about their respective liability in relation to data being accurate and complete. RHIOs often will contractually limit their liability for accuracy of data supplied, or received and used. However, if the RHIO manipulates the data in transit in anyway, it could be held responsible for such intervening acts. I note that data senders and receivers are also typically required to carry insurance and assume contractual responsibility for supplying accurate and complete data to the RHIO.
- Duty to Review. In a previous blog post, I discussed providers’ concerns that joining a RHIO/HIE will create a duty to review all information about a patient contained in the RHIO/HIE, and this will potentially expose them to an increased risk of “missing” relevant information. In my post, I noted why I thought that the role of HIEs in connection with the “standard of care” is still evolving. The Report additionally notes that:
there are no widely recognized standards for reasonable physician behavior in seeking or reviewing electronically available data, or for the extent to which that data should inform his/her clinical decisions.
- Liability for Audit Logs. The Report points out that some RHIOs have recently been compelled via subpoena to provide audit information for malpractice lawsuits involving the RHIOs participants. Although a RHIO may be legally obligated to respond to a subpoena, I note that it is still important that HIPAA’s standards for releasing PHI in response to a subpoena are complied with.
- Extending Liability to IT Vendors. If the IT vendor provides any software, integration services, and operational services for the RHIO, the vendor should assume responsibility for their actions. The Report noted that one factor that strongly influenced the amount of liability assigned to IT vendors was the negotiating power of the RHIO. The type of coverage in their liability insurance that the IT vendors were asked to carry varied, but typically total liability coverage ranged between $1 million and $3 million.
With regard to insurance coverage, the Report made the following additional points:
- Researching, negotiating and obtaining liability coverage takes time. Get started early.
- There remains a high degree of uncertainty with regard to what constitute adequate coverage.
- Insurance policy options for RHIOs are growing, but remain limited.
- There is wide variability in liability insurance practices across RHIOs.
- Sovereign immunity has its advantages and disadvantages. On this last point, the paper notes that while some are strong proponents of State immunity for RHIOs, citing such benefits as increased stakeholder participation, decreased start-up costs, and long-term sustainability, others are skeptical and noted that if State immunity is available, RHIOs may not be as rigorous in establishing privacy and security controls, and that stakeholders may then be targeted for lawsuits instead.
In sum, the Report illustrates some of the complex liability questions that are being addressed in the RHIO context, and this is without even getting into other areas such as directors’ and officers’ liability, as well as security breaches across RHIO participants. Navigating this complex and uncertain landscape continues to be challenging, but those getting started now have some benefit from lessons learned by others over the last year, and well as a slightly more mature insurance market primed to RHIO and HIE risks.