Reproduced with permission from Bloomberg Law: Health IT Law & Industry Report, (March 9, 2018). Copyright 2018 by The Bureau of National Affairs, Inc. (800-372-1033) http://www.bna.com
By James Swann
Privacy and security concerns are mounting as Uber and Lyft break into the medical transportation space.
The two companies recently rolled out separate initiatives to drive patients to and from medical appointments, acting on behalf of health-care providers.
The arrangements expose Uber and Lyft to possible violations of health-care privacy rules and regulations and may raise overall compliance costs.
Just over 3.5 million U.S. patients have trouble getting to doctor’s appointments, according to Lyft, and 25 percent of lower-income patients have missed appointments or been forced to re-schedule because of transportation issues.
Federal and state privacy laws are major concerns with the Uber and Lyft arrangements, Stephanie Trunk, a health-care attorney with Arent Fox LLP in Washington, told Bloomberg Law.
Uber and Lyft will have to implement adequate administrative and technical safeguards to comply with the federal Health Insurance Portability and Accountability Act’s Privacy and Security rules, Trunk said.
Uber, a privately traded San Francisco-based company, completes 10 million trips a day and operates in 77 countries. Lyft, also based in San Francisco, completes around 1 million trips a day and operates in the U.S. and Canada. Lyft has a market value of $11.5 billion as of December 2017, compared with Uber’s $54 billion market value.
“What is interesting in the proposals is that the individual drivers aren’t employees of Uber and Lyft but are independent contractors,” Trunk said. Uber and Lyft will have to train their drivers on HIPAA compliance and maintain effective oversight over their respective programs, Trunk, a Bloomberg Law advisory board member, said.
A major concern would be drivers or Uber Health leaking the names of patients who are being driven to medical appointments, as well as where they’re going.
Uber Health was rolled out March 1 and is already being used by more than 100 health-care organizations, including Washington-based Georgetown Home Care and Yale New Haven Health.
Lyft announced an agreement with health technology company Allscripts March 5 to allow health-care providers to use Allscripts’ electronic health records network to provide transportation for patients. Patients who aren’t able to drive to an appointment will be flagged in the EHR, which will then automatically schedule a Lyft car to pick them up.
Allscripts is a publicly traded EHR vendor in Chicago.
Uber Health is contracting with a dedicated compliance company—Nashville, Tenn.-based Clearwater Compliance—that will perform periodic audits of the new program, Jay Holley, Uber Health’s head of partnerships, told Bloomberg Law.
Providers will be able to log in to Uber Health’s third-party, HIPAA-compliant platform and order or schedule a ride for a patient, Holley said. Uber drivers will approach an Uber Health ride no differently than a regular Uber ride, Holley said, and will receive no indication that they’re taking a patient to a medical appointment.
Uber Health enrolled over 100 health-care organizations prior to the official debut of the program, Holley said, including both urban and rural organizations. The idea was to ensure that the program was relevant in all geographic locations, Holley said.
Lyft has already signed HIPAA-compliant business associate agreements with health-care partners, Kate Margolis, a Lyft spokeswoman, told Bloomberg Law. Lyft is committed to protecting personally identifiable information and has a dedicated in-house team focused on health-care compliance, Margolis said.
“Employees who are directing and carrying out the day-to-day functions of our health-care partnerships take annual HIPAA-compliance training,” Margolis said.
Lyft launched its Concierge service in 2016, enabling third parties to request rides to and from medical appointments, Margolis said. Lyft was already working with nine of the top 10 largest health systems in the U.S. prior to the new venture with Allscripts, Margolis said.
Uber Health is being engaged by health-care providers as a business associate, and will have to sign business associate agreements as a result, but it’s unclear how the drivers will be categorized, Colin Zick, a health-care attorney with Foley Hoag LLP in Boston, told Bloomberg Law.
The drivers will likely need to sign sub-business associate agreements with Uber, Zick said.
Business associates are individuals or organizations that perform certain services involving the use of protected health information on behalf of a HIPAA-covered entity.
Uber Health will have to address potential patient inducement issues, which have been the focus of several Department of Health and Human Services advisory opinions about patient transport, Zick said. HHS enforces federal health-care privacy laws.
Civil monetary penalties can be assessed against anyone who offers remuneration to a Medicare beneficiary that could influence the beneficiary’s choice of provider.
Uber and Lyft will have the full names of the patients being driven for billing purposes, and will need effective safeguards to prevent any illegal disclosures, Eric Fader, a health-care attorney with Day Pitney LLP in New York, told Bloomberg Law.
To comply with HIPAA’s minimum necessary standard, the individual drivers shouldn’t be given more than the patient’s first name and pickup location, Fader said.