[This Transcript is Unedited]
Hubert Humphrey Building
Room 305-A
200 Independence Avenue, S.W.
Washington, D.C. 20201
Welcome and Introduction - Mr. Rothstein
Discussion: Joint Hearing on Enforcement With the Subcommittee on Standards & Security Subcommittee
Possible Work - HIPAA/Gramm-Leach-Bliley - Dr. Zubeldia
Miscellaneous Issues - Mr. Rothstein
Agenda Item: Welcome and Introduction - Mr. Rothstein, Chairman
MR. ROTHSTEIN: I guess I ought to call the meeting to order now, I dont know whether other people are coming. Simon and Kepa may well be here and probably thats, those are, Marjorie is in Florida, so shes not coming today. So the meeting of the Subcommittee on Privacy and Confidentiality is --
PARTICIPANT: Are we going across the internet?
MR. ROTHSTEIN: No, this is just being taped for our purposes, correct? Just taped. So I want to welcome Kathleen to her first meeting in her new capacity, only her 100th meeting in some capacity or another. I hope you all have a copy of the agenda because were not going to be following it. Let me suggest what the replacement agenda will be.
The first thing I want to discuss is this draft letter that John Lumpkin suggested that I prepare yesterday, so well go over that. And then well discuss two other items, one is a possible hearing on the enforcement rule and the other is, if Kepas here, another project that he suggested yesterday.
So with no objection Id like to ask you to take a look at this letter and John. were you there when I raised this issue?
MR. HOUSTON: Yes.
MR. ROTHSTEIN: Ok, so John suggested that I prepare this, which I drafted yesterday, Ive got three things to say before we get to the substance of this. Number one, I need to announce at the Subcommittee and I will announce again this afternoon when we take this up in the Full Committee, my conflict of interest that I have with this letter, and that is that by July 9th, sometime in the next two weeks, I will be submitting a grant application to CDC for a grant to study the effect of the HIPAA Privacy Rule on public health reporting, and that is an element of this. Its a related topic, it doesnt foreclose this, its just something that needs to be on the record, I think. And obviously I havent been funded or anything like that yet.
Second, in writing this I wanted to keep it short because its not based on any hearings or anything like that -- Simon, we were starting on this letter, and I deliberately left it vague as to who would actually be doing the study because I think thats a department decision whether they, if they go for it whether they want to assign it to AHRQ or whether they want to assign it to some other thing.
And the third, I guess this goes to the language that Kathleen raised, in the second paragraph when I set up this burdens and benefits, I didnt want to use costs because I didnt want to give the impression that we were going to try to requantify how much it costs because thats already in, the estimates are already in the rulemaking. And it is a concern about burdens, weve all heard Im sure stories that either before or after the implementation date that the Privacy Rule was going to somehow interfere with research or would cause a decrease in public health reporting or make clinical care more burdensome, costly or add hassles or something, so thats why I chose that word.
But sort of the floor is open for any comments, maybe we could start with big comments first and then well get to the actual words. In other words, now that you see this in writing, is it a good idea that we send this, etc., etc. John?
MR. HOUSTON: I really think that probably the two most important things to measure, and maybe its really one and I think it needs to be, this really isnt, we will talk about the verbiage later but I think we want to be very clear, that I think that its very important to make sure that we say we believe that theres unintended consequences impacting both patient access and care and I think that, we talk about effects, I guess my thought is if you want to get somebodys attention you make the words stronger, you say what you really mean, which I believe is that HIPAA has created both patient access as well as patient care issues.
MR. ROTHSTEIN: We can put that in there but I would say that there may be because we dont have hard data and thats what were asking them to come up with. I mean weve all heard the same --
MR. HOUSTON: Absolutely, and even anecdotally I can tell you that we have had patients who have decided not to avail themselves of services because after being given the notice, even almost without reading the notice, they have walked out, or theyve been asked to sign an additional document which has offended them. Again, even without looking at the substance of the notice weve had patients do that.
MR. ROTHSTEIN: My view is youre absolutely right, I agree with that, but thats a conclusion that I dont think we can draw yet.
MR. HOUSTON: But I think were trying to measure something and I think what were trying to do is the unintended consequences that relates to two big issues, which is access and care, I think those are the real important concepts to say we need to make sure, because those are the two important things that were most contributing to.
MR. ROTHSTEIN: But also research and public health, too.
DR. COHN: Actually I dont think Ive observed what John Paul has observed now, that may be because Im from California and we had strong privacy enforcement prior to the rules, so it may just be an issue thats from organization to organization. And certainly Ive not seen any testimony before the Committee that tells me that theres been disruption. I guess I looked at this and I sort of looked at words like burden and all this stuff and felt that they were already, that was latent, and Id be talking more about impacts, because we really dont know whether they are positive or negative at this point.
MS. HORLICK: I know were not wordsmithing but you talk about measuring and analyzing the effects and I thought assess the impact or something because it is a little different than --
MS. FYFFE: You dont know what the effects are going to be.
MR. HOUSTON: Well, maybe what we need to do is say the effects, or whatever words we want to use, and then say by example, both positive and negative, maybe sort of just list, maybe list concerns.
DR. COHN: I mean once again without wordsmithing, I just think this is a conceptual issue, its not just wordsmithing, and so you talk about effects of the Privacy Rule or maybe impacts of the Privacy Rule on, and I think the issues that were talking about clinical care, public health and research are clearly the areas that we want to understand what impacts might exist.
DR. ZUBELDIA: Im, of course, feeling why the letter at all, I mean are you telling the Secretary youre going to do something or just do it and give him some recommendations.
MR. ROTHSTEIN: No, what were requesting is that the Department undertake a systematic process for trying to assess or measure the effect, impact of HIPAA, because were not proposing to do it --
DR. ZUBELDIA: It doesnt come across clear as to what --
MR. ROTHSTEIN: We recommend that the Department initiate a research program to measure the effects of the Privacy Rule.
DR. ZUBELDIA: Its buried in the text. I would just make that sentence, I mean when I read a letter like this, Im going to read the first line of each paragraph to see if I need to read the rest of the paragraph. I dont see that.
MR. ROTHSTEIN: Ok, well come back to that point about whether its clear enough in a minute, but I want to, as explained are you comfortable with the concept now that were asking them to study the effects of the Privacy Rule?
DR. ZUBELDIA: Yes.
DR. COHN: Can I ask one other question? The question is whether or not, I mean I see you doing a research agenda, and I guess the question is is this a research agenda, which to me is Vicky and groups off getting research grants and doing a couple-year studies and publishing scientific documents, or are we talking about some sort of a more focused assessing impact of? I just sort of wonder because when I see research I think its Department of Research or NIH or something like that.
MR. ROTHSTEIN: My thinking was to leave this, the implementation of this up to the discretion of the Secretary, and so whether they want to have something thats more practical and done in-house in a sense, by AHRQ or CMS or ship it to, ask NIH to do it or a funded IOM study. I think that we ought to leave that to the Secretary. John do you agree?
MR. FANNING: Yes, I would agree, there are various mechanisms, I mean we give out money for evaluation. Some of it may take the evaluation form, which would be more focused, some of it might take the broader research form.
DR. COHN: But do we want to use the word evaluation? I just think research to me has a particular --
MR. HOUSTON: Take out the word research program, and just say program, let them decide whether the program is appropriate.
MR. FANNING: Yes, yes, research may --
MS. HORLICK: How about evaluation --
MR. FANNING: Thats another sort of technical usage.
MR. HOUSTON: Program or evaluation, we could use the word evaluation --
MR. ROTHSTEIN: How about if we use both, evaluation or research program, something like that?
MR. FANNING: Well, but I think just the programs to measure the effects would work perfectly well.
DR. ZUBELDIA: And then the next sentence would be an ongoing program or attempt to refine rulemaking --
MR. ROTHSTEIN: Ok, before we get to, now weve got some suggestions that we need to incorporate a second paragraph, I want to take up Kepas point from the first paragraph, and that is to raise the issue of whether the first paragraph makes it clear enough exactly what we are proposing that the Secretary do.
DR. ZUBELDIA: I mean theres nothing at the beginning of a sentence.
DR. HOUSTON: Can I ask a stylistic question?
MR. ROTHSTEIN: Sure.
MR. HOUSTON: Do memorandums like this or letters ever contain a subject heading? Letters often say Re: or Subject:.
MR. ROTHSTEIN: It has not been the practice of the Committee to do that, I dont know that theres any prohibition on it.
MR. HOUSTON: I wasnt sure whether this is something, I mean sometimes thats a great way to just put the marker out there saying program to evaluate effects of HIPAA and then just, everybody you know would walk into this letter then and youve got, you know the subject. But again, I dont know if thats the form that the government uses or HHS or anything else.
MR. FANNING: Well, the Committee can decide to present it in any way it sees fit, I mean the letter rather than a memo is the correct form, but thats a choice of the Committee about how it does it. I might say that a brief letter would we hope, convey to the bureaucrats who actually have to deal with it what the subject is. On the other hand, theres certainly no objection to putting it up front, its a stylistic matter, although you will get into then some discussion of how you phrase the subject.
MR. ROTHSTEIN: See as a practical matter, Secretary Thompson will not be with his letter opener ripping open at the envelope and reading this with 20 other things as you know, and so when it goes through channels to get there this will be well known to be the letter suggesting or recommending that there be some sort of evaluation measure put in place. Is that fair?
PARTICIPANT: Yeah, it will end up down in --
MR. FANNING: Listen, the relevant people already now know what its all about.
MR. HOUSTON: I would simply take what Kepa is saying to move the second two sentences up to the very beginning of the paragraph.
MS. HORLICK: Im not sure we even need to say now that the compliance date has passed.
MR. ROTHSTEIN: You think theyre aware of that?
MS. HORLICK: Well, I mean if we want to get the, yeah, I do, I mean if we want to get the substance of it in there sooner --
DR. HARDING: What would be the resistance to having outcome data on HIPAA implementation? Is it that theres the fear that it may not do what all these, all the money and energy has gone into, that we couldnt show that it did anything? I mean that would be embarrassing. Or why would we, why would not the Department feel that its a pretty good idea to do outcomes studies? Or is it an expense issue?
MR. ROTHSTEIN: Well, Im not sure that the Department wouldnt think this is a great idea.
DR. HARDING: I would hope so but Im not in, in a different position you have different, I mean could it be embarrassing, this kind of a thing? If the outcome says that privacy hasnt been effective and weve done all this, would that hinder some future legislative, Im just thinking out loud but it would seem to me that if it was a simple statement and with a good idea that it would go, it would be welcomed I would think.
MR. FANNING: Yes, Im not sure what your point is, Richard, I think the Committee sort of has agreed that this is a good thing, at least generally.
DR. HARDING: If properly presented.
MR. FANNING: Well, but I think what youve been moving to in the discussion is that the presentation should be quite general, not get into the method of funding or the way the question would be formulated or whether money is a consideration or not, your Committee could debate all of those and might be able to make useful suggestions, but that has not occurred and in the time available perhaps the sensible thing to do is just to say to the Secretary look, we think this ought to be looked at, dont just throw it, just dont throw the regulation out there, follow up to see what actually happens. Thats my sense of what the Subcommittee is thinking of.
MS. HORLICK: But I think, picking up on what you were saying, maybe there is, there might be some concern about what will this show and so maybe if we take out the language about say the burdens, just saying it would be valuable to study the impact on these things, then that leaves it much more open to finding positive impact.
PARTICIPANT: Short and long-term effects.
MR. ROTHSTEIN: So, alright let me pick up on that and see if I can make a change to the second sentence in the second paragraph. So striking everything from researchers through the end of that sentence, and in the next sentence striking everything through the word burdens. So in other words it would read, among other things it would be valuable to study the effects of the Privacy Rule in such matters as clinical care, public health reporting, and that was a suggestion that Richard made, public health reporting, and research, and then we could also say, it could also assess the degree to which the Privacy Rule has increased the level of privacy and confidentiality, blah, blah, blah, something like that. Would that be agreeable?
MR. HOUSTON: Do we want to, maybe this is just the same, clinical care is, maybe you find it the same, but I just sort of always like to separate out access from care.
DR. COHN: Why?
MR. HOUSTON: Why? Because I think that theres --
DR. COHN: In this sort of a document? I mean there is a difference but in this sort of a document?
MR. HOUSTON: Maye not.
MR. ROTHSTEIN: But just saying care here means access, quality, cost, availability, so I think that subsumes the thought. But there is something else that you mentioned, another concept that I think we need to work in here, and that is the idea of unintended consequences. Im not sure, do you think we need to know that this is been redrafted --
MR. HOUSTON: But having said that, listening to the dialogue here, does that show an inappropriate bias because if were going to measure the effect we could find that theres unintended consequences, theres positive impact on people willing to --
MR. ROTHSTEIN: Right, so youre comfortable in letting go --
MR. HOUSTON: Having thought about that, maybe what we simple need to do is make a statement as to we want to insure that we measure both the positive and the negative impacts of the Privacy Rule.
MR. ROTHSTEIN: Were just studying the effects, were studying the effects on these three areas.
MS. HORLICK: I was thinking maybe if we start with the first paragraph we could try to get what we want to say right there and then maybe put some of the language, like even the last sentence of the first paragraph could maybe go into what you want to collect and why it would be good.
MR. ROTHSTEIN: Tell me what youre thinking.
MS. HORLICK: Well, I think that, I think Kepas right, I think we should get to exactly what we want to say, I mean they know weve written letters, we always start out saying well --
MR. ROTHSTEIN: I mean this is sort of the form that weve written a hundred letters.
MS. HORLICK: Right, the standard way, but maybe even in the second sentence we could, so weve written you letters and now, if we take out now that the compliance date has passed we could put maybe a beginning of a sentence about why we think its important to assess the impact and so therefore we recommend this, and that would be the second sentence.
DR. ZUBELDIA: And make that a second paragraph?
MS. HORLICK: Well, you mean make a one sentence paragraph?
MR. ROTHSTEIN: So after the first sort of --
MS. HORLICK: Right, we always have to say, either were charged with this or --
MR. ROTHSTEIN: Who we are and why were supposed to do it.
MS. HORLICK: Then instead of that first part now the compliance date has passed --
MR. ROTHSTEIN: Ok, just drop that and next sentence we recommend?
MR. HORLICK: Right, but we could put something instead of now that the compliance date has passed, we could put something right in there in the beginning of the second sentence about what NCVHS believes is important to assess the impact of this rule, they know its, and then basically therefore we recommend.
MR. ROTHSTEIN: Alright, how about this, I have a suggestion. What about the first sentence in the second paragraph becoming the second sentence in the first paragraph?
DR. ZUBELDIA: What I would do is I would take the first sentence of the second paragraph, the NCVHS believes blah, blah, blah, and make that the introductory sentence for a new paragraph in between those two. And the second sentence of that new paragraph would be the we recommend part.
MR. ROTHSTEIN: Ok, alright, lets make sure everybody follows this.
MR. HOUSTON: I think you could just simply make it the first paragraph, I think --
MS. HORLICK: We always say --
PARTICIPANT: -- who we are.
MR. HOUSTON: After that --
MR. ROTHSTEIN: The first element in the letter, see if everybodys with me and I have this right, the first element in the letter is the first sentence, which would now just be a paragraph onto itself. Then the next element would be another paragraph that begins with what is currently the first sentence of the second paragraph through the words Privacy Rule, and after that as part of the same second paragraph, would be a sentence that begins we recommend that the Department. What about the sentence after that, which now reads, would that be included in that second paragraph?
MS. HORLICK: Thats fine because it will be at the end of the second paragraph.
MR. ROTHSTEIN: Ok, Kepa, ok?
DR. HARDING: After we recommend, whats after that?
MR. ROTHSTEIN: Ok, we recommend that the Department initiate a program to measure the effects of the Privacy Rule. An ongoing program will help to refine, etc., etc., etc. Then what about the sentence, among other things, is that part of the second paragraph?
DR. ZUBELDIA: I would make that a separate paragraph.
DR. HARDING: Which one is this?
MR. ROTHSTEIN: Whats now the second sentence in the second paragraph that begins among other things.
MS. HORLICK: Do we want to say that now about the burdens and the benefits?
MR. ROTHSTEIN: Well, weve already changed that, that sentence now reads, among other things it would be valuable to study the effects of the Privacy Rule on such crucial matters as clinical care, public health reporting, and research. It could also assess the degree to which the Privacy Rule, etc. So do we want to, we could make that the end of the new second paragraph or we could make it a new third paragraph. Any thoughts?
DR. ZUBELDIA: My preference would be to make it a separate paragraph so you give more impact to the recommendation.
MR. ROTHSTEIN: So the sentence that begins Among is now paragraph three. Ok, so, John did you?
MR. HOUSTON: Just back to the NCVHS believes that an early phase implementation, weve already past implementation.
MR. ROTHSTEIN: The early phase of implementation, I mean were in the early phase right, the first few months.
MR. HOUSTON: Well, implementation was to occur before April 2003, were now in the early phases of --
MR. ROTHSTEIN: Compliance?
MR. HOUSTON: Early period following --
MR. ROTHSTEIN: The early period following the compliance date?
DR. ZUBELDIA: Or the period immediately following the compliance date.
MR. HOUSTON: Im just afraid, we are all, all covered entities are to be compliant at this point in time, theyre not --
MR. ROTHSTEIN: How about the NCVHS believes that now --
MS. HORLICK: This or now because by the time they get the letter and decide to do it --
MR. ROTHSTEIN: How about if we just take it out and say now?
MR. HOUSTON: This is an especially opportune time.
MR. ROTHSTEIN: Now is an especially opportune time?
MR. HOUSTON: Yes.
MR. ROTHSTEIN: And however you want to define now were going to agree with.
MR. FANNING: Thats left in the second paragraph.
MR. ROTHSTEIN: Ok, anybody have anything to change in what is currently the third paragraph, which will become the fourth paragraph?
DR. ZUBELDIA: Are you going to leave the words, research and developing strategies?
MR. ROTHSTEIN: Would be pleased to assist the Department developing strategies --
MR. FANNING: Strategies for this inquiry or whatever term you use --
MR. ROTHSTEIN: Strategies for this program? Because thats the word weve used, the program. Strategies for this program --
MR. HOUSTON: Or we could say, developing strategies to measure programs --
MR. ROTHSTEIN: We could say Very Truly Yours instead of Sincerely.
PARTICIPANT: I like Sincerely.
MR. ROTHSTEIN: You like sincerely, ok --
PARTICIPANT: Is sincerely what the Committee usually uses?
MR. ROTHSTEIN: Yes, I was just --
PARTICIPANT: It was a dig at me.
MR. ROTHSTEIN: No, no, it wasnt, it was a dig at the lawyer on the Committee, thats right.
MR. FANNING: As long as youre in the formalistic mode, the title of the official to whom you are addressing it is Secretary of Health and Human Services, hes not Secretary of the Department of Health and Human Services.
DR. HARDING: Explain that.
MR. FANNING: That is his title, Secretary of Health and Human Services, and theres a meaning in that, he does not just administer a department, he has a responsibility for more broadly to the nation for those matters.
DR. HARDING: And thats the same for each Cabinet official?
MR. FANNING: Yes.
MR. ROTHSTEIN: Ok, any other thing related to this letter? I will after this Subcommittee meeting is over I will revise this and have it ready for presentation to the Full Committee this afternoon on our regularly scheduled time.
DR. COHN: 10:30 probably.
MR. ROTHSTEIN: Ok, well, its not going to take long, I will make the changes on this and have it ready to go.
Ok, the second item on the mental agenda that I have is to talk about the listed agenda item, and that is what we agreed to at our last subcommittee meeting in this joint hearing and Simon maybe you want to discuss or raise the issue from our brief chat with John yesterday.
DR. COHN: John and Karen and Stephanie and Kathleen and everyone else. Well, I think well start with what we know and then well start with what we dont know. I have become convinced, and I think John Paul has sort of seconded this one, that at some point in the Fall we need to have a hearing on the Security Rule and how thats going and issues that are coming up. Now I also think been convinced that probably this needs to occur after October 15th, just because I think weve heard some pleas from those who are involved in the implementation of the administrative and financial transactions that we should probably not be trying to divert attention and focus from that implementation. Now of course October 15th isnt that far from now so this I dont think prevents us from moving forward with a hearing on that. Now given that Security, even though its part of the title of that other Subcommittee, to my view is really sort of a cross cutting issue and so I thought it had always been that we would do a hearing on that in terms of how implementation is going and what are the issues, what do entities need at this point, that it should probably be a joint hearing between both Subcommittees.
Now, that part I know. The part that I dont know has to do about enforcement, and I am, there is obviously right now, I dont know what you call it, I guess interim enforcement rule that has the peculiar properties of going into force before comments have even been completed, which is sort of interesting but not being a lawyer I cant comment on that. But clearly theres the expectation the way the other pieces, or maybe other big pieces will be coming out as the year progresses. This obviously I think, on one hand its probably a very legalistic issue, there are probably also however fundamental policy issues that sort of get connected with the legal pieces related to enforcement.
Now the part that I dont know is really weve heard differences of opinion, and Id have to have Stephanie or Kathleen or anyone else chime in on this one, about whether this is something that really is appropriate for public testimony in a public hearing as well as seemingly some, once again this is something that I sort of get help from you and get help from the staff in terms of figuring out what the major focus is of the issues that need to be addressed. It seems to me that there may be something there that would benefit from public testimony but at this point I dont know what it is and I think we, I dont know, Kathleen do you have a comment, Stephanie do you have a comment? I see Stephanie back there.
MR. ROTHSTEIN: Shes sitting back there to give us a graphic illustration that shes almost out the door.
MS. FYFFE: My bias is to put as much sunshine as possible on things like this.
MR. HOUSTON: Whats that mean? I mean sunshine, what does --
MS. FYFFE: Open hearings --
MR. FYFFE: Theres no other way of having a hearing basically for this kind of thing. Was the question you were raising as to whether security vulnerabilities would be exposed or --
DR. COHN: No, no, Security we know were going forward with, were talking about enforcement and the issue was that Im hearing from some of our staff that geez it would be a good idea probably for us to do something and hearing equally strongly from some of the other staff and from like a two minute snippet from John Lumpkin that hes unsure whether we ought to really get into that area.
PARTICIPANT: Is that at all or the timing?
MR. ROTHSTEIN: Not to categorize Johns remarks but Ill try so theyre not obviously binding on him, I believe he thinks that this is an inappropriate topic because it deals with the enforcement discretion of the agency or something of that sort and its not the kind of factually driven stuff that we usually try to express at our hearings. Is that fair?
DR. COHN: I think its not information policy. But having said that, of course, in the legislation we are responsible for advising the Secretary, I didnt see parts of the HIPAA reg that were excluded from the discussion, so thats obviously the other issue to think about. I mean Im really open, I mean it seems to me that we could put together a hearing sometime this Fall, one day on Security the other day on enforcement, I just want to make sure everybodys sort of --
MS. HORLICK: Shift it to compliance issues and then it will talk about how its an administrative burden or whether theyre losing patients or something like that.
MR. HOUSTON: When we started to talk that really was my original intent, was Privacy would be talking, allow public testimony regarding what were the unintended consequences, or what is the impact of the rule post, six months post deadline.
DR. COHN: Thats another conversation, but this may not be wrong.
MS. HORLICK: -- Part of the impact is related to compliance but its probably broader but I mean you could focus it without mentioning enforcement just on whats been your experience with complying with this.
MR. ROTHSTEIN: The only thing I would say is we would have to be very careful in structuring that hearing because I can imagine some of the witnesses who are just, they want to re-litigate if you will minimum necessary and all the issues that weve been around and around on for the last several years and Im not, just to raise the substantive issues that theyre unhappy with doing is really not what we have in mind.
MS. HORLICK: People might be reluctant to say theyre having difficulty complying now that the compliance date has passed, its a little different.
PARTICIPANT: It might not be a real popular thing to come before HHS.
MS. HORLICK: I would try to do some of these hearings --
DR. COHN: I think theres a couple of issues and probably should actually, I can see John Paul where you were going with your comment, part of the issue gets to be the enforcement rule is intended to be one rule so on the one hand it is related to Privacy but on the other hand sort of stands separate because its supposed to apply to everything. And we can narrow this one down and talk about it in the context of Privacy. Of course Gail as you commented you get into trouble that, I certainly would not want to as a covered entity come in and talk about the non-compliance six months after the rule, and for the record --
MS. HORLICK: I wouldnt want to be planning that hearing.
DR. COHN: Exactly, it might be a little tough, you might have to get anonymous people.
MR. ROTHSTEIN: If we got trade association types they wouldnt be admitting anything, they would just say some of our members believe that theyve had difficulty in certain areas.
MR. HOUSTON: I do believe post April 2003 that there are some issues that frankly need to be addressed, I think there are some areas where the rule is, has not operated effectively, I think theres some areas where I think there could be some improvements. I think its worthwhile to engage people in dialogue, I really do.
MR. FANNING: Simons suggestion is for a hearing on the enforcement rule or process but Im still not sure what people would come forth and say, possibly someone against whom a proceeding was brought would come and complain and attempt to re-litigate it in almost a literal sense, but it is a sort of a technical legal thing involving discretion, when you decide to bring a proceeding and that sort of thing, Im not sure what you would get out of it and what the type of recommendation you would make to the Secretary based on the hearing would be.
DR. COHN: Well, John, I think youre reflecting, Im sorry you and Karen arent sitting together because youd probably be looking at each other and nodding your head because that is I think somebody, the concern dont want to hold a hearing if its, I mean first of all youd like to have a client so that somebody would listen to the results as opposed to wishing they hadnt heard it, and so you want to focus it appropriately. And then the question is is it anything other than sort of a nebulous spin, and I dont know. This has been something, Mark and I have gone back and forth about this for a couple months and if Im misdescribing this Mark, please chime in. Im still uncertain whether theres anything there.
DR. ZUBELDIA: The comment period has closed, right? So do you have a sense of what comments there were? Do you have an idea of what the issues were? Because it may be worth to have a hearing on whatever issues came, the top issues in the comments.
PARTICIPANT: Comments went to CMS.
MS. KAMINSKY: There were very few comments, very few. The piece that was just issued was issued as an interim final because it was merely procedural, and because its really just the Departments procedures under the APA or whatever, there were a couple other laws that were construed together, it was HIPAA, it was the APA, and it was the 1128-A, which is the OIGs enforcement --
MR. HOUSTON: Its nothing knew.
MS. KAMINSKY: Im sorry?
MR. HOUSTON: It really is nothing knew.
MS. KAMINSKY: Right, but they were construing all of those and there was legal authority to move forward into an interim final rule because it was merely procedural, the hearings, the subpoenas, this, that and the other thing. The piece that is being worked on now as I explained yesterday is the substantive piece of the rule and it has substance tied to it, whats a violation, what are mitigating and aggravating circumstances, those kinds of questions. There will be another NPRM coming out on that stuff in the Fall sometime, there will be a comment period following that NPRM where the public will be welcome to submit comments, and I supposed NCVHS would be part of that public who could be open to submitting comments. And those comments will be taken into consideration and that NPRM will be retweaked or reworked or whatever accordingly and some of the comments that weve received now even on the procedural piece, which are very few, will also be taken into consideration and the entire package will be reconstituted as one regulation sometime next year, final regulation.
DR. ZUBELDIA: So its probably not worth having a hearing on enforcement until we have that substantive piece published.
MR. ROTHSTEIN: Can we table this until our September meeting and take it up then?
DR. COHN: I mean certainly I think what were talking about is moving forward planning for the Fall a two day hearing, one day on security and one day either on privacy six months after and issues or on enforcement. Now be aware it does get a little bit, in other words Im just sort of reflecting on previous NPRMs and the process, but generally I dont think that we hold hearings in the middle of an open comment period on an NPRM and I have to think about this one a little bit. Now normally our role is to sort of think about things and try to provide input --
MR. ROTHSTEIN: No, I think weve done that.
MR. FANNING: You certainly could do that, you after all --
MR. ROTHSTEIN: Thats so we can submit our comments.
MR. FANNING: Thats right, you have a more formal commenting role than the public who writes in and it seems to me you could use any mechanism you wanted to form your view.
MS. KAMINSKY: However it would be very tricky to do the timing, because to arrange a hearing, that takes some time, youd have to have the hearing soon into the comment period, the comment period is usually only 30 days, I dont know if this one is going to be longer but thats been my experience, then you have to congregate and youd have to get your results together, so the timing piece could be very difficult for you --
MR. FANNING: Although, may I point out, I dont think the Committee is as a legal matter bound by the 30 days. On the other hand, as a practical matter, if the final reg is already being written theres no help to it to get your comments when its all over.
PARTICIPANT: I thought it was 60 days.
MS. KAMINSKY: Is it 60 on this one? The Committees not bound by that, its true, and if they came in soon after the comment period closed Im sure theyd be certainly considered as well.
MR. FANNING: Yes, yes, soon after.
DR. ZUBELDIA: Theres another issue that I think we need to discuss and I dont know if youre looking for a hearing in the Fall, to talk about possibly enforcement or possibly some other issues. The other issue would be the banking industry --
MR. ROTHSTEIN: Were going to come to that in just a second.
DR. COHN: Lets sort of finish off the --
MR. ROTHSTEIN: Were going to come to that issue shortly.
DR. ZUBELDIA: But if youre looking at a topic for the hearing I think this would take a good chunk of that hearing.
MR. ROTHSTEIN: Were going to be coming to that in just a second I promise you. I want to finish up on this issue. Simon, when you originally raised this, was it your sense that you just in general thought it would be a good idea for us to hold a hearing and hear from the public or was there some sort of substantive aspect of the enforcement rule that you thought --
DR. COHN: That I had insight into that hadnt been written yet?
MR. ROTHSTEIN: No, that you thought needed to be explored?
DR. COHN: My perspective on this was that our, according to the HIPAA regs and the -- law in 1996 we have full responsibility to advise the Secretary on HIPAA rules. And so when I think of a new rule coming out or a new rule being in the works my mind immediately jumps to getting public comment on that, trying to provide guidance to the Department on yet another HIPAA rule. And so it had nothing to do with my gosh Im concerned about enforcement, Im not a lawyer thank God, but anyway. But I did not immediately go oh, there are legal issues that we need to investigate, it was really more I think as Kathleen commented about providing sunshine into the process as well as helping us develop our own views. But as much as that trying to help the Department recognizing that some of these things are benefited by these opportunities for public discussion.
MR. ROTHSTEIN: Well, ok, thats helpful, its not as if there was a burning issue, substantive. So, Kathleen?
MS. FYFFE: Can we discuss this in the full Committee meeting and sort of put a stake in the ground that says the recommendation is that after the NPRM for the enforcement rule is issued the Committee or the Subcommittee having a hearing? Is that what we want to do in order to --
MR. ROTHSTEIN: Thats a possibility, do you think that would be valuable for the full Committee to advise on --
MR. HOUSTON: That should be done in a context, I think maybe done in a context of what we plan on doing in terms of public testimony and other aspects such as security and --
MS. FYFFE: And to me that by announcing that publicly it could put, could inform the public that this is coming --
MR. ROTHSTEIN: What do you mean --
MS. FYFFE: That hearings --
DR. ZUBELDIA: I wouldnt ask for advise, I would just --
MR. ROTHSTEIN: You dont want advise, you just want to announce --
DR. COHN: Subcommittee hearings are not a consensus issue with the full Committee generally.
MR. ROTHSTEIN: Well, maybe we ought to talk to John about that given that hes expressed some reservations about whether we ought to be doing that.
DR. COHN: Well, you can decide to say that we are thinking about doing this.
MR. HOUSTON: Maybe the other route to pursue this is to engage briefly HHSs council, to say would this be an appropriate matter for NCVHS to consider, because if they come back and say you know something, this is our gig, or there is some other type of objection from them maybe we at least get their opinion as to something, they could come back and say thats a good idea because we think we have some problems how we approach, maybe Im being --
MR. ROTHSTEIN: So youre talking about CMS --
MR. HOUSTON: Maybe its OIG --
DR. COHN: You know John, actually its sort, I just sort of agree with your comment, which is I think that we, were very interested in doing this if we can be helpful, and I think theres sort of two opportunities. One is that we somehow communicate effectively with the Office of the General Council, and once again its this issue of client and somebody to hear. So if there are things that would be valuable for us to get a hearing going before a NPRM is published to provide some discussion of issues that might be helpful then it would make a lot of sense to do that, otherwise we probably ought to consider doing it during an NPRM to help inform us about what we might respond.
MR. HOUSTON: I think that it also deals with John Lumpkins, some of his concern or issue, which is this even an area of a space for which we should be engaged in.
MR. ROTHSTEIN: Ok, so how about if I at the Executive Committee meeting this afternoon raise the issue of whether John Lumpkin should approach through whatever channels are appropriate someone at OGC and find out whether they think it would be constructive for us to hold hearings on this? Is that --
MS. HORLICK: Are you going to give your report to the full Committee? Are you going to mention --
DR. COHN: I dont see reports on the agenda this morning.
MR. HOUSTON: Yes, reports from the Subcommittee.
DR. COHN: Oh, is it there?
MR. ROTHSTEIN: Yes, thats when we have to go over --
DR. COHN: Ok, well I know theres other ones going to be coming up.
MR. ROTHSTEIN: So you think I need to raise it then?
DR. COHN: I dont think theres any value to bringing this up for general discussion, I think its something --
MS. HORLICK: I didnt mean, well I mean I guess any time you announce what youre doing --
DR. COHN: Well, were not announcing what were doing, were basically going to explore --
MR. HOUSTON: -- the issue of possible future hearings.
DR. COHN: And were thinking about doing X as a concern of the --
MR. ROTHSTEIN: I would like to have it vetted first before we start reporting it at the meeting. Because I dont want to have to report that OGC squelched it.
MR. FANNING: May I suggest that you not be that specific about who in the Department youre consulting? I mean ultimately choices about what goes in the regulation are policy choices, so let the Department sort out who wants to comment to you on the desirability of having a hearing.
MR. ROTHSTEIN: Ok, so I will put that on the agenda for my report at the Executive Committee this afternoon dealing with privacy.
DR. HARDING: Before I could vote for that Id have to know more about what information are we looking for and from whom specifically, and then who we would recommend things to specifically.
MR. ROTHSTEIN: Ok, Ill start with the last which is the easiest, I mean we would recommend to the Secretary in our normal way, the question I think that we want resolved is whether the folks in the Department who are responsible for enforcement think it would be valuable for the Subcommittee to hold hearings and solicit public testimony and then for us to develop a letter in which recommendations --
DR. HARDING: Solicit, I mean what information are we trying to get, whether people like enforcement or not?
MR. ROTHSTEIN: No, I would think the procedures dealing with the enforcement.
DR. HARDING: The procedures of enforcement? Most people arent going to like them I would think.
MR. HOUSTON: No, but I think there are some issues related to everything from how do you count a violation to mitigating circumstances --
DR. HARDING: And thats our role to determine, or to make recommendations --
MR. ROTHSTEIN: We might recommend something like we think that the Department needs to be more specific in setting out what it considers to be mitigating or aggravating circumstances and should issue guidance on that or clarification or FAQs or something. I think personally thats the sort of outcome that I might see from this.
MR. FANNING: It seems to me that most of what youd focus on would be that rather than the procedural portion of how a hearing is conducted and so on, obviously you can advise the Secretary on anything you choose but it strikes me that that would not be a particularly valuable inquiry and those rules follow ones that already exist for violations of other statutes we administer in this Department and it could provoke people whod want to question the whole thing and so on. However, what youve just laid out are full of elements of the substance of the command of the regulation, these other matters.
MR. ROTHSTEIN: And I think should we, I mean this is sort of very speculative now, should we go ahead with hearings I think we would have to be incredibly detailed in our instructions to witnesses as to the scope of the hearings, because I dont want, I mean you can imagine what sort of witnesses we might have.
MS. KAMINSKY: Im hesitant to bring it up, I dont know whats listed, there is one procedural issue that really is on the table as I understand it which has to do with appeals. The way it was written folks can get a hearing, the hearing procedure thats been set forth as I understand it, and obviously I havent read the procedural rule, is before an ALJ, Administrative Law Judge, the Department has a choice about whether or not there would be an appeal, appeal right or an appeal process to the DAB, Departmental Appeals Board, versus going to a court, federal district court, that in the procedural rule they chose not to have a DAB, Departmental Appeals Board level of appeal available and apparently that has been a source of some debate. So for whatever thats worth there are some I think some procedural issues that the public may have some thoughts about as well.
MR. FANNING: Thats addressed in the covered rule and thats the choice thats made there.
MS. KAMINSKY: Yes but its, I mean everything is going to be reconstituted so that is a procedural issue in particular that there could be some thoughts on but again you have to consider is that something that you want to hold a hearing about.
MR. ROTHSTEIN: Right, and we would have to be very specific on those things. So Richard are you now, is your comfort level --
DR. HARDING: A little higher but I understand Johns concern.
MR. ROTHSTEIN: I agree.
MR. HOUSTON: Why dont we take the next step to engage those individuals in the Department who might say you know, yeah, we do believe as Stephanie said that there are some areas maybe that further input would be welcome, or vice versa, they may say --
MR. ROTHSTEIN: So a vote now, basically an affirmative vote, is to direct me to report at the Executive Committee meeting this afternoon our intention of looking into this and asking John through appropriate channels to find out whether the Department thinks its appropriate for us to do it. Is that ok? Any objections? Ok, so that carries.
Now the next issue, how long do you have here?
DR. ZUBELDIA: I told them I would be there by now, but --
MR. ROTHSTEIN: Ok, well were going to put you up right now. There are other issues and one of the ones that for possible work of the Subcommittee and Kepa described sort of a gap in HIPAA/Gramm-Leach-Bliley that I think the Subcommittee might want to look at.
Agenda Item: Possible Work - HIPAA/Gramm-Leach-Bliley - Dr. Zubeldia
DR. ZUBELDIA: Yes, this has been described to me and I have not done any further research other than just taking the description from a source that is from within the banking environment, so I presume that he knows what hes doing, now he testified before the Committee before.
Apparently Gramm-Leach-Bliley is an act that protects the banking customers from the bank disclosing their personal information, and it protects two types of entities, the banks customer and the banks prospective customers. So if you go to a bank and send your loan application and then decide to not get a loan with that bank they still cant disclose your information even though youre not a bank customer. Section 1179 in HIPAA excludes the banks payment activities from coverage under HIPAA and what the banks are saying that theyre also not a clearinghouse, not a covered entity, because the fact that theyre processing payments, even if its in the 835 and converting the 835 to CTX transaction doesnt make them a clearinghouse.
According to the report from this individual the banks are actually considering the 835 information outside of the scope of Gramm-Leach-Bliley because the patients contained in the 835 are most likely not bank customers or bank prospective customers. The provider would be the bank customer or the payer would be the bank customer, but not the patients inside the 835. And therefore they believe that they can use the information in the 835, including procedures, dates for service, place of service, to their financial gain in direct marketing activities, not just general research but even marketing directly to an individual products that are not even banking products, and are apparently getting ready to sell this information to marketing companies for their marketing activities.
I think this is something that needs to be investigated further and I dont know if its a loophole that needs to be changed in the law or in Gramm-Leach-Bliley or in some sort of business associate agreement or some restriction to the HIPAA covered entities that they cannot send this through the banking system because there is a hole, I dont know exactly what needs to be done but I think that it needs to be investigated further.
MR. HOUSTON: A couple questions. What is the purpose of the bank getting the 835? Why do they need that information if theyre not acting as a clearinghouse?
DR. ZUBELDIA: Well, the 835 has two parts, two tables, one is the payment instructions to the banks, which is the payer instructing their bank to send instructions to the providers bank to make a money transfer into the providers bank account. And then the second part to the 835 contains the remittance advice that says what was paid, what wasnt paid, and whos responsible for it.
MR. HOUSTON: Ok, now I would argue that if theyre not a clearinghouse, theyre not a covered entity, then what youre troubled with, I would suspect part of the question is based on a minimum necessary rule, whether any information other than transactional information is something that a covered entity should be disclosing then to the bank as part of this and therefore if you only are giving banking information then this information that theyre talking about using would never make their way to them. I guess thats part of my thought processes, is whats the propriety of the bank even getting this information based upon what role apparently theyre playing here.
DR. ZUBELDIA: And that may be the way to close the loophole, but currently there are several ways of using the 835 and one of the most common ways is to send the payment instructions and remittance advice to the bank for the bank to forward to a provider.
MR. HOUSTON: Because if you think about the process, my understanding is that transactions are intended to be passed between covered entities.
MR. ROTHSTEIN: Well, another way of looking at it is, or closing the loophole, is to consider the bank a business associate of the covered entities and therefore they would have to enact an agreement and so on. But lets move back from the --
DR. ZUBELDIA: But the banking system has more pieces than just the two financial institutions at the end. There is all kinds of settlement --
MR. ROTHSTEIN: No, I understand that, but then if you had a business associate agreement with all the users then they couldnt sell, thats sort of irrelevant at this point. The question is, that Kepa raises by bringing this up, is this an appropriate area for us to look into and schedule hearings on. And if so this is a little different then some of the other hearings that weve done in the past, who do you see us coordinating with in terms of these hearings?
DR. ZUBELDIA: Well, I know that the American Bankers Association has some legal opinions as to whether banks are clearinghouses or not, and as to whether they have access to this data or not, and I think the American Bankers Association should be one of the entities to come. Theres some banking marketing companies that Im sure they have some opinion as to whether, and they could come to testify, why theyre doing and why they believe that what theyre doing is correct.
DR. COHN: Well, I guess Im struggling based on previous testimony, I mean I imagine that the American Banking Association might come to talk about their legal opinions, but I would be sort of scratching my head trying to imagine a banking, what is it, a marketing organization coming to voluntarily share with us their plans in this area.
DR. ZUBELDIA: To share with us why they believe what theyre doing is correct.
DR. COHN: But I dont think theyre doing anything yet.
MR. HOUSTON: Whos responsible for Gramm-Leach-Bliley for enforcement and the like?
MR. FANNING: The Financial Regulatory Institute --
PARTICIPANT: Its one of them.
MR. FANNING: Well, there are several of them actually, anybody who regulates financial institutions, the Office of Thrift Supervision, the Fed I think, the Office of the Controller of the Currency in FTC.
DR. ZUBELDIA: And there are some states where the Department of Banking and Department of Insurance are together. I know, for instance, New Jersey has banking and insurance together, and it may be appropriate to bring some of those state regulators to ask them how they see this fitting.
MR. HOUSTON: Let me ask a question. Is this a testimony type situation or is this a situation where we call to the attention of the Department as being a potential unintended consequence that needs to be investigated for possible violation?
MR. ROTHSTEIN: Well, I think this is something where testimony would be appropriate to find out exactly whats going on to get on the record the kinds of things that Kepa was suggesting.
MS. KAMINSKY: It wouldnt hurt for the Department to issue some guidance about whether some of these scenarios are clearinghouses or are not clearinghouses, that wouldnt hurt --
PARTICIPANT: Or a business associate, or --
PARTICIPANT: If I may be so bold, that decision is being made probably in the next few days by Karen Trudel and Jared Adair, the banking community sent a letter to them asking for clarification on just these issues.
DR. HARDING: My one concern is that its now six months if we do a hearing before we would have anything to say, probably or more, and is it there something that we could say about, as Stephanie was saying, something that should be looked into, is this something that shouldnt. This is a flag here, lets do something now as opposed to waiting six months. And maybe we can do both.
MR. HOUSTON: Right now if this stuff hits the street, lets just say we play Kepas scenario out and in a month or two we end up with these communities using these materials for marketing, that is absolutely, I mean thats something that could have very dire consequences because then if OCR comes back and says you know something, they should have a business associate agreement, theyre covered under HIPAA, then all of a sudden not only do you have a guidance document with regards to just the business associates but you also have a whole pile of information, potentially millions of disclosures that have occurred by these organizations are starting to use this for marketing.
DR. COHN: But lets get it straight for just a second here. First of all before HIPAA there was no regs on all of this stuff, people were doing electronic transactions, just because its probably a major issue if not resolved by October 15th when we expect to have things in, but its not an issue that has been caused because of the privacy regs.
MR. ROTHSTEIN: Well, the other thing is I dont know that we need an emergency letter to the Secretary if the Department is already on notice that theres a problem.
PARTICIPANT: They dont know the situation that Kepa just brought up, so whether or not Gramm-Leach-Bliley covers the patient information is being shared through the banks and that is definitely something that --
MR. FANNING: But what was this reference to a letter about to go to Karen Trudel and Jared Adair?
PARTICIPANT: Its on Karens desk, excuse me its on Jareds desk now.
MR. FANNING: Ok, but it does not identify this issue explicitly?
PARTICIPANT: It identifies the banks --
MS. FYFFE: Did this letter go to the Secretary?
PARTICIPANT: No, it went to Jared Adair, but there have been other approaches by the same parties to other people in the Department and the issue is are we a clearinghouse or not, are we a clearinghouse only if we change formats or reenter the data from standard to non-standard. If we do that youre a clearinghouse, but if youre not a clearinghouse and youre using the data then a business associate applies. And even if the business associate particulars they may not offer the protections to the patient data thats transferred back and forth between the banks.
DR. COHN: Without trying to solve this problem at the moment it seems to me that what really sort of needs to happen is since Jared and CMS have a letter on their desk probably somebody needs to say to, I mean that way wed all have this information, but they need to be informed or reminded to share the information with OCR so that a not just a standards perspective can be brought to bear but also the privacy perspective, and there may be an issue that they need to consider around the interface with the Gramm-Leach-Bliley, which we know is a very complex area anyway. I mean any organization thats dealt with this knows that, theyre sort of trying to deal with both and trying to figure out whats what, and inevitably there are going to be holes. I would think only if they cant get this resolved or it seems to be unsatisfactorily resolved with guidance then we need to get into hearings on this.
MR. HOUSTON: Im going to go back to Kepas original statement which is, to paraphrase hopefully closely, is theyre about ready to use this data, maybe I misunderstood what you said.
DR. ZUBELDIA: My understanding is theyre using it now, its not about ready to.
MR. HOUSTON: So therefore I believe there is some immediacy if in fact whats happening is theyre using data which covered entities are compelled under the Privacy Rule to keep confidential, because whether its a standard or a non-standard transaction, what theyre doing is taking data that they have available for one purpose and using it for another purpose, which in theory we shouldnt be permitting them to do. So I think there is some immediacy to what Kepa said.
DR. COHN: Well, Im not arguing with that, it just sounds to me that theres a process to deal with that, I mean were not the enforcers of the Privacy Rule.
MR. HOUSTON: Well, no, no, no, but we are enforcers of business associates.
DR. COHN: We are advisors to enforcers of --
MR. ROTHSTEIN: We also could do hearings on what the obligations of covered entities are, it seems to me that the covered entity who knows this is going to happen has at a minimum a requirement to notify the patients.
DR. ZUBELDIA: Well, I think there has been some conflicting either guidance or interpretations of all of this because the position from the bank is that theyre not converting formats, theyre wrapping the 835 in a banking envelope so it would flow through the banking system, and therefore there is no possible way for them to be a clearinghouse, all theyre doing is wrapping it. But of course they can peek inside it. Also, the idea that the bank is a business associate, the banks have fought that and apparently successfully where they said theyre not business associates of the providers in that the providers bank is not acting on behalf of the payer and the payers bank is not acting on behalf of the provider so the business associate relationship extends only to the immediate contact and there is this chain that including the clearinghouse association and all of this financial institutions that information flows through --
PARTICIPANT: Its a very porous pipe --
DR. ZUBELDIA: A very porous pipe, a very long porous pipe.
MR. ROTHSTEIN: Well, it seems to me that there are three entities involved in each of these transactions and arguably all of them are in violation of HIPAA. Weve talked about the banks, we havent talked about expressly the obligations of the payers not to disclose that information, the payers are covered entities and on what basis are they disclosing without any authorization --
DR. ZUBELDIA: On the basis of 1179.
DR. COHN: Theres actually something in the law that talks about banks being--
MR. ROTHSTEIN: But it doesnt say they have the right to send PHI --
MR. HOUSTON: They need to go back to this law and the minimum necessary, say do they need this to, does somebody, does a current entity need to disclose this information for this associate.
PARTICIPANT: The answer to your question, anything thats in a standard transaction is considered minimum necessary.
MR. HOUSTON: But, but, only for the intended purposes of that transaction with the other parties to the transaction, the other covered entities. But the point is the payer now is --
PARTICIPANT: The payer is sending a transaction out the door as a standard transaction. Whats in that transaction --
MR. HOUSTON: But that doesnt mean that covered entity can go send private citizen or Wal-Mart an 837 then and say I dont have any liability because it was an 837 with minimum necessary but --
DR. ZUBELDIA: The 835 transaction is intended for payment and remittance advice, and it includes all of this remittance advice information as part of the transaction.
MR. HOUSTON: I understand that --
MR. ROTHSTEIN: Ok, were not going to solve the substance now, the question is what should the Subcommittee do. What is your recommendation, Kepa, that we hold hearings?
DR. ZUBELDIA: That we investigate this further, I think that the first thing to do is have some of the staff look at it more and maybe let us know what they find, because I think it needs to be investigated further before we have hearings or a conference call or something.
MR. ROTHSTEIN: Ok, so the recommendation is that we direct Kathleen to look into the issue and see the degree to which it is being considered at both OCR and CMS and then report back to us about what steps if any are being taken and well decide whether we need to hold hearings. Is that a fair --
DR. ZUBELDIA: Ill give you the information that I have.
MR. ROTHSTEIN: Is that agreeable to the rest of the Subcommittee?
DR. HARDING: Kathleen will ask who?
MR. ROTHSTEIN: Kathleen will ask I would assume Rick and Jared.
DR. HARDING: And see if they are doing anything?
MR. ROTHSTEIN: Correct.
MS. HORLICK: See what, like what this gentlemen said, what exactly, they have a letter but what are they going to do with that letter, what are they going to recommend.
MR. ROTHSTEIN: Whats their understanding of this problem.
MR. HOUSTON: The letter may be so limited in what it says they may not even understand the totality of the issue.
MS. HORLICK: If its on a transaction basis then theres a gap.
MR. ROTHSTEIN: Kathleen will explain the problem as Kepa described it and see whether that is something that they are currently looking into based on this letter.
Agenda Item: Miscellaneous Issues - Mr. Rothstein
MR. ROTHSTEIN: Ok, we have a few minutes left and I would like to raise a couple other issues, I know some of you have another meeting. Now that we have sort of turfed one issue, table another issue, Id like to raise the question of we could go in our inquiries in our hearings in a couple different directions now on other issues. One is we could take a look at the privacy rule and to see which provisions are not working and why theyre not working, and with all due respect to our esteemed colleagues from OCR, perhaps some mistakes that were made in either the Privacy Rule itself or the guidance that has been issued, and I would argue theres some ill-advised things in the guidance. I mean thats one thing. On the other hand we might decide that for political practical reasons we dont want to do that because we dont think that the problems are that bad or theres a high degree of likelihood that theyre going to do anything about it, or whatever may be a focus on other things.
The other thing I want to put on the table is a concern that I have and that is a professional misunderstanding of the Privacy Rule and that the Privacy Rule was intended to be a floor of rights that individuals have with respect to their health care and not to be coextensive with the ethical obligations of health care professionals. So let me just give you one example, and I could give you many, in which if you follow what the Privacy Rule says it would result in a lower level of privacy for individuals then theyre currently used to.
So for example, I go to doctor A and doctor A treats me and says that I need to, Ill just call doctor A an internist, an internist says well I think you need to see a specialist, we need to send you to a gastroenterologist, so they schedule an appointment, I go to the gastroenterologist who now wants my medical records. Under the Privacy Rule, because its treatment, theres no need for any sort of authorization or anything it just goes automatically to the second doctor or third doctor or fourth doctor, anyone whos involved in my treatment, when now I think in many instances its customary for the second or third or fourth doctor to ask me to sign a release authorizing my internist to send my medical records. Now the question is whether that is the kind of thing that ought to be followed.
Another thing in the treatment area is you can use treatment information for one relative in treating another relative without any authorization or consent. And if you think of many of the same kinds of treatments that individuals would go to a physician for, think of a medical geneticist or an ob-gyn or whatever, theres all sorts of things that you might not want, that one family member, think of psychiatry, perfect example, theres no restriction on using one patients information for treatment decisions of another. And you can probably think of at least two or three dozen illustrations of areas in which the Privacy Rule, I mean it was not designed to supplant, so this is not a criticism of the rule, it was not designed to replace medical ethics and professional judgment across the board. And to the extent that in practice it is doing that, I think that is troublesome to me and that would be another issue that we can look into, we can get people from the AMA for some of the specialty colleges or ethics people and so on.
So those are a couple ideas that I have for things to look into and I would solicit you to try --
DR. COHN: Well, first of all we have I think, I dont think a security hearing is being shelved.
MR. ROTHSTEIN: No, its been tabled.
DR. COHN: No, it has not been tabled, the question is the timing.
MR. ROTHSTEIN: Ok, right.
DR. COHN: Security I think is going forward, hopefully were cosponsoring it obviously with Standards and Security, so I want to make sure that thats, thats one day of a two day hearing and we were arguing about what the second day would be and whether it would be enforcement or I think some of the stuff that John Paul was describing earlier which sounded like I think your first issue though I would reframe it about, used an e word that sort of gives me a headache, especially if its being taped, but I think we were talking about --
MR. ROTHSTEIN: Ill repeat it, errors.
DR. COHN: Well, actually I dont think there were errors, I think there are ways to improve the rule potentially, I mean you may want to look at that, and I think if were going to do a hearing we might want to focus in six months after how well things are going, issues that people are having, how we can improve with the advice and subsequent rules, I think that would make a lot of sense.
The second issue Im fascinated by, though, I think that theres this issue of I think some local variation in how things happen and I think that probably your view of the distinctions between medical ethics and laws and all of that, they sort of blend together the way, how things work because a lot of this stuff is state based and, for example, California will think differently than New Jersey and probably somewhat different from --
MR. ROTHSTEIN: Plus some of it is based in state laws where there are strong state laws like California, so its institutional based, some of its custom based, some of its related to whatever specialty group were talking about. But I think the overarching question is whether there are some instances where physicians are in fact using HIPAA as a replacement for ethical restrictions that formerly were applied to disclosure of patient information.
MR. HOUSTON: First of all I think Simon just said HIPAA was never intended to displace more stringent state law, and often we get into this debate well, doesnt HIPAA want me to do that, and I do field these questions all day long, yes, but we need to still go back and look at state law because state law precluded it prior to HIPAA, therefore you dont get to trump in reverse. So I probably said, if I said it five times Ive said it 100 times to people, so I think there, that this is maybe a misconception that needs to be remedied somewhat but I believe thats been very solid, thats been advice that Ive given time and time again in my organization with regard to this specific issue.
But I think that that might be the purview of the larger discussion, some of the issues with regards to privacy that we need to put on the table for a hearing, its one of, preemption is actually on my list of five or six key areas of HIPAA that I think warrant some further discussions. You can go back to the original arguments pre-April 2003 where people said really there should be no state preemption, you should have a federal, some people were arguing there should be a federal privacy rule and then should completely preempt state law. Now I dont know if we want to open Pandoras box up on that regard, I would prefer not to at this point in time, but again I think that is one of the unsolved areas that Ive heard and I think theres four or five other ones.
MR. ROTHSTEIN: Well, I would agree that part of it is preemption but I think part of it is also a matter of medical ethics because the issue is not resolved in many states, its not subject to any particular state case law or statute and its just based on custom. And now suddenly oh, we can do that --
MR. HOUSTON: Sounds like more of a realization than anything if there was no state law --
MR. ROTHSTEIN: Right, and I think a joint publication by, I mean this is jumping ahead six jumps, by the Department and various medical groups would go a long way in clarifying what this does and what it doesnt do.
MR. FANNING: One thing you might explore in such a hearing is the nature of professional education with respect to this sort of thing, does it get to the underlying reality of what your ethical obligations are or is it focused on bare minimum compliance begrudgingly simply to avoid sanction.
MR. ROTHSTEIN: Right, I think thats an excellent point and one that weve been --
MS. HORLICK: I was going to say in the first scenario that you mentioned with your internist and the gastroenterologist I wasnt really clear who you were saying was disclosing to this third and fourth doctor.
MR. ROTHSTEIN: No, no, no, what Im saying is that if I go to a new gastroenterologist who wants to see what my internist found its customary as far I know to sign a release and theyll send that to my internist and send the record. Now under HIPAA thats not required.
PARTICIPANT: Unless theres a prior state law.
MS. HORLICK: Right, but you can still get that and presumably you would know that it was being sent to that doctor. But I wasnt talking about that, I was talking about you mentioned a third and a fourth disclosure and I wasnt sure --
MR. ROTHSTEIN: What I meant was other specialists.
MS. HORLICK: Right, and I guess what Im saying is I maybe dont see it, maybe see it from a different perspective, but if it were me going from the internist to the gastroenterologist presumably Id know that my records were being sent even if I didnt sign it or that he would send me to somebody else, so I didnt see that but I may be missing the issue.
MR. ROTHSTEIN: But Im saying you would either acknowledge, expect it, be told that were getting the records, and that goes beyond any HIPAA requirement.
MS. HORLICK: Right, and what I guess Im wondering is are you seeing this as problematic, that now doctors are using this as an opportunity to not --
MR. ROTHSTEIN: Yes, yes.
MR. HOUSTON: Im going to stay, that we just fall back to state law and I would suspect many are that way but I understand that not all states have medical privacy laws, so in theory it was an open, it was something they could have done before pre-HIPAA because there was nothing that precluded them from doing such and I agree theres a point where ethics have to fill in the void.
MR. ROTHSTEIN: If Richard is treating two members of a family I think he might have a problem in using information that was told to him by one member of the family in treating another member of the family whether that was disclosed or not as an ethical matter, and HIPAA does not --
MS. HORLICK: Those are two separate issues, I see that one as really to me, I dont know, maybe I --
DR. STEINDEL: I agree with Gail, the first case that youre talking about, even if they go and ask for a release we heard yesterday about perfunctory signing of releases and I think in most cases today when you go to one doctor to another and they hand you something its a perfunctory signing of a release. And the fact that it now could be transferred without signing of the release practically is not going to make that much difference. And I agree with Gail that in most cases people who go from one doctor to another expect the information to be transferred.
Now the other situation like with Richard or with genetic information, that is very concerning, and I think that thats a point that really should be --
MR. ROTHSTEIN: I think you make a good point but its a substantive one on the first one. Youre saying that people shouldnt mind that HIPAA is now replacing what was commonly done in the past because it didnt afford very much protection. That may be true but the question is whether as sort of an overarching principle we want people to rely on HIPAA as a basis for doing that. I think what they should rely on is the fact that maybe the --
DR. STEINDEL: If youre looking at information flow downhill, youre going from your internist to your specialist, and that information is flowing, or if youre going from your internist to your psychiatrist and the information about your medical history is going to your psychiatrist, I think that theres probably not that much of a medical concern or an ethical concern there. Now the information flow in the other direction may be of concern --
MR. ROTHSTEIN: From the specialist to the internist.
DR. STEINDEL: Yes, and that flows freely, and that is an area where I do have some concern.
MR. ROTHSTEIN: Sure, so I want to see a psychiatrist and I dont necessarily think my internist needs to know what I said.
MR. HOUSTON: I think what this really speaks to Id say is still going back to state laws, theres an inconsistent of application of HIPAA based upon what other laws are existent in the localities for medical, where this is occurring. Again, I always, often go back to state law, even post-HIPAA, in giving advice because many of these types of things youre speaking to are things that are still governed by state law and Im getting head shakes no but I think --
DR. STEINDEL: I think a lot of states dont have good specific laws.
MR. HOUSTON: Then my point is is that this is not a HIPAA issue because the state did not have laws pre-HIPAA and in theory there was the right to have done these things all along --
MR. ROTHSTEIN: Except the restrictions that were placed on the practice by ethical standards of the profession.
MS. HORLICK: Well, I mean it would be interesting to see, I dont know, Richard, from your perspective, I mean just using the psychiatrist as an example, do you think now that psychiatry is being inclined to disclose information back to referring specialists because HIPAA doesnt, I mean it doesnt seem to me that that would be an issue, but I might be wrong, I really think the other issue, and I just wanted to comment that to me it wasnt so much the signing or the not signing the consent or the authorization, its the knowledge base, do I know that thats going to my gastroenterologist and I think that shouldnt change but Im not sure that it has changed, and so that is whether the consent is meaningful. I think, Im not sure that HIPAA has changed that, if Im going to a specialist one way or another I think Im going to assume my records are going to go. But thats only based on just --
MR. HOUSTON: What HIPAA may have done, though, and again back to my point, was that often people say well HIPAA says I can do this and you say no, you have to stop people because they read HIPAA and they read the summary of HIPAA and they forget the fact that theres this preemption that sits there also and thats a separate issue but one that I confront all the time.
MR. FANNING: I just want to say that I think this would be a worthwhile inquiry because even if state law doesnt govern it these ethical questions and professional relationship questions are still very real ones and the danger of a law, state, HIPAA, whatever, is that it becomes the only standard instead of being a bare minimum. Anything of this sort has to be written very generally to accommodate a great range of situations that cant be dealt with in advance, so what fills in the rest is professional judgment and the like and it becomes more important to look into that and emphasize it once you have a law because everyone is looking at the law and may not look at the rest. So I think its a good idea, but I am a staff member and not a member of your Committee.
MR. ROTHSTEIN: We are running out of time, let me just give you a chance to comment in a second, I just want to sort of frame where we are. We have directed Kathleen to inquire on the Gramm-Leach-Bliley issue. We have a joint hearing with Standards and Security, one day of which will be security and the other day is not clear yet, and were going to be inquiring, or Im going to be inquiring at the Executive Committee this afternoon. So now the issue is do we want to put on the table and try to schedule Subcommittee work on either of these two issues or some combination or what. John?
MR. HOUSTON: I believe that there are some very practical issues with regards to privacy that are very unsolved at this point in time, and I think they warrant discussion above and beyond these ethical issues that I think we can talk about medical ethics for years, they are in my mind, there are still in my mind serious potential issues with regards to accounting disclosures. I dont think there is clarity right now, and its a latent issue that this doesnt seem to be too difficult now but as we move forward its going to become more difficult because the volume of accountings will just simply accelerate and it will go up. I think its a latent issue thats going to come back and hit people. I still think that there are issues with regards to fundraising that are still, were only now starting to understand some of the limitations and some of what an impact it is on organizations that depend on fundraising. Preemption we talked about, I think is important to discuss. Physician compliance, small provider compliance, I think is still minimal at best --
MR. ROTHSTEIN: So, not to cut you short, but you would prefer a more broader more substantive hearing in which we could delve into all of these issues. Is that what youre saying?
MR. HOUSTON: Yes, I think we need to, I think very clearly we need to.
MS. WILLIAMSON: During the NHII Workgroup meeting yesterday we talked just briefly, and weve talked in the past about some of the issues that are coming up related to privacy as we move towards an NHII, and so this is something that I wanted to at least put on the table, I know Steve got some feedback from a presentation that he did.
DR. STEINDEL: Im hoping that some of this may come out in the breakout sessions John has next week on privacy, I gave a couple of NHII talks to small groups and they happened to be right after the privacy reg went into effect so this was hot on peoples minds, and one of the basic impressions people get from the NHII is were now going to create this free flow of patient information all over the place, that is a presumption, and I heard, I actually heard this, it was in a side conversation, but two people were commenting you know we just spent N hours or days learning about how to protect patient information under HIPAA Privacy and now heres this guy standing up and telling us were going to create this environment where theres this free flow. And actually if you take a look at what as you said is a minimal standard in the Privacy reg what we want to do under the NHII is probably going to be allowed under the HIPAA Privacy reg, and I think the question needs to be asked, what should be allowed and what constraints should be put on this free flow of information, whether they be regulatory or ethical. I think right now theres probably going to be some ethical constraints, I hope theres some ethical constraints.
DR. COHN: Getting back focused again, I think the first step for the NHII, and I sit now on the Workgroup, is for them to figure out what it is. And once we figure out what it is then we can look at the privacy pieces, I think that that certainly is an issue but I think its probably a longer term agenda that they really need to be looking at. I guess the question I would ask for you Mark is what sort of agenda were developing, I think it may make sense for us to look at creating the years agenda in which case things like NHII and your second issue around provider responsibilities in the electronic age or whatever, whatever it is that youre describing, may make sense. I think in terms of a more immediate task if were talking about something this fall, knowing the limited range of this Subcommittee, were probably talking about a security Monday, and I guess at this point Im sort of more excited about the Privacy Rule six months after and sort of seeing where we are and how to improve it only because it seems something that we could actually do something with as opposed to a longer expiration, the other things may be better later on.
MR. ROTHSTEIN: The only thing about this more general Privacy Rule six months after is it would be very long and very involved because people would want to come back and talk about all the issues that we spent time on.
MS. HORLICK: Well what about focused hearings where you could have four panels, you could have one --
MR. ROTHSTEIN: I mean there are research issues, there are public health issues, there are issues about accounting for disclosures that I think need to be looked at, so I mean --
MR. HOUSTON: Just because theres issues doesnt mean we should shy away from them.
MR. ROTHSTEIN: No, all Im saying is we need to commit the time and the resources to do that if thats what we want to do.
MS. HORLICK: But instead of saying heres your docs or heres your consumers, you could have heres your topic and look at it from different perspectives --
DR. COHN: I was going to say, I think that that actually might be fine, I dont think we need to do it in six weeks, a whole review like we did last time in trying to get recommendations, I think this is something we can give a little more look at this topic, look at that topic, and sort of try to space and plan some hearings into probably the middle of next year that would allow us to do this and maybe put other issues in as they come up. We are sort of a Subcommittee that doesnt have any hearings planned.
MR. ROTHSTEIN: Correct.
DR. HARDING: Could we ask OCR what the dilemmas are that they face and try to help in some way with hearings that would address those things?
PARTICIPANT: Youre assuming that OCR has dilemmas?
MR. HOUSTON: Or isnt trying to better understand themselves some of the issues.
DR. HARDING: No, John, Im saying can we be a help to them.
DR. COHN: Well, I think theres two issues, one is guidance, and then theres the other issue which is that, and maybe that, all these rules are supposed to evolve and obviously OCR cant, it sort of lives up in the rule of what exists generally as opposed to the rule of what could be, and I think maybe we, our role is to sort of look at the rule of how the rule needs to evolve and get shaped I would think.
MR. ROTHSTEIN: Right, and OCR may be more wed to the current version of the rule than we are, for example, talking about accounting for disclosures you could make a very good argument that the current rule is backwards in terms of what is accounted for, that you should have to account for disclosures pursuant to an authorization and not have to disclose for legally compelled disclosures that are required under state law.
DR. COHN: Disclosures are a confusing area.
MR. ROTHSTEIN: But what Im saying is that may not be something that OCR would put on the list but that we might put on the list.
MR. HOUSTON: I absolutely believe theres some problematic issues that really do need to be explored, theyre operational often, weve heard also research, public health, some of this is misconception probably as much as it is the fact the rule doesnt necessarily operate the way it was intended, but I think we need to work on these things.
MR. ROTHSTEIN: I am prepared to move ahead with hearings in the Fall on this, I would not like to see it move to 2004. The fact that we are having this joint hearing, frankly I think your Subcommittee is going to be taking the lead on that --
DR. COHN: See I thought John Paul was going to take the lead actually on Security.
MR. ROTHSTEIN: Well, whomever, the Security Rule is not the sort of major area of expertise or interest of this Subcommittee even though it is obviously an issue, and I dont see anything that would prevent us from moving ahead and scheduling something some time in the Fall that didnt --
MR. HOUSTON: Are we precluded from having more than a two day hearing?
MS. HORLICK: Weve had two and a half days because weve had like the next morning to discuss and synthesize.
MR. ROTHSTEIN: Weve had three day hearings, HIPAA version. I would not like to see a piggyback onto that, I think were talking about a separate two day hearing.
MS. HORLICK: Youre talking about a separate then the second day of the security hearing?
MR. ROTHSTEIN: Yes.
MS. HORLICK: So then what would the second day of the security hearing be?
DR. COHN: See I actually thought we could do the second day of the security hearing is getting into this, but are you thinking, unless we do a --
MR. ROTHSTEIN: The problem is in ten minutes we could probably come up with 15 topics and you cant have a witness on each one because you need a range of views, so suddenly you have a penal on each one and that takes a couple of hours, and then youve got public testimony and so on and there are practical limits on the number of issues that you can really get done in a day and I would say that maybe three or four at the most.
MR. HOUSTON: Are we allowed to elicit input as to what people would, topics for the testimony? Are we supposed to provide those ourselves?
MR. ROTHSTEIN: We normally derive those ourselves, we have in the past relied on OCR to suggest areas in which the public has expressed concerns --
MR. HOUSTON: We have thousands of hits to the FAQs and questions to OCR, I guess that might be a good source of --
MR. ROTHSTEIN: We could rely on that or we could just, as well as generate topics internally and to --
MS. HORLICK: Are you suggesting that we not use the day after, lets say the day after the security hearing for a privacy hearing?
MR. ROTHSTEIN: That would be my inclination because I think we need two days, if were going to take up the issue of, lets suppose we dont do anything on the enforcement rule and we have a second day, I think the second day could easily or more easily be devoted to the other topic, the topic of the relationship of the Privacy Rule and professional responsibilities and state privacy laws, I think that could be done in a day. I dont think the issue of possible amendments to the Privacy Rule can be done in a day.
DR. COHN: I dont think anybody thinks that the Privacy Rule can be done in a day, I think we all think we might be able to start it, we think its probably going to be two or three hearings all told, I dont even think you can do that in two and a half days, because I think theres a whole bunch of topics, many of which we went through last time which we have to go back and take a look at.
MR. HOUSTON: I almost think that, my personal opinion is this issue of medical ethics versus HIPAA privacy is something that maybe can be done some other time, I think theres --
MR. ROTHSTEIN: So you would prefer that we have, use the second day if we dont do it on the enforcement rule as sort of part one of a look into possible revisions and then if thats the will of the Subcommittee then what we can do is sort of solicit internally some topics and distribute them by email and then well refine it over the course of the next several weeks and we can plan that hearing. Our next full Committee meeting is September, is that enough time for us to plan a hearing in late October?
DR. COHN: Between now and then you mean?
MR. ROTHSTEIN: No, in September, lets suppose we, so we need more time then that.
DR. COHN: Well, we dont need Committee face to face time, were sort of saying go forward --
MS. HORLICK: Youre talking about doing a hearing in when, October, isnt that when its scheduled, the security, is it scheduled for September?
DR. COHN: I dont know whether its scheduled really or not.
MR. ROTHSTEIN: Alright, you can do it by conference call, I will arrange a conference call depending on what happens with the enforcement rule. In advance of that well ask for people to send in suggestions of topic areas that they want to do some work.
MS. HORLICK: I would just say that anything you can do to avoid trying to get in touch with people in August would be good because everybody is on vacation so if you can --
MR. ROTHSTEIN: I understand, so what I would like to do is have a conference call next month to line up the topics and then we can line up the speakers in September.
MS. HORLICK: Or we could start at the end of July but thats when I mean, that was my experience when we did those August hearings.
DR. COHN: I would actually just suggest almost in terms of jump starting and not that I dont love conference calls but anytime during the summer is a bad time for a conference call. Yet email is a practical value you have, I mean Kathleen obviously is our staff, I would think a, we need to, what it is we need to do is look at a date and begin to get some dates, dates tied down and I know Kathleen can help us with all that. I think that probably we ought to sort of start emailing around and I know John Paul has a list of items that I know hes been hungering to get on the agenda so we should ask him to sort of send us an email with his issues and then we can maybe via email start saying yeah this is an important one --
MR. ROTHSTEIN: Alright, then how about if we use the conference call as a back-up if we cant resolve --
MR. HOUSTON: I dont think its something well need to convene in that type of a setting.
PARTICIPANT: Is there anything in your statutory language that can or cannot be interpreted as Congressional intent that HIPAA replace or supercede or supplant medical ethics or better fine tune state laws?
MR. ROTHSTEIN: No, no. Well, they address the issue of state laws and then they specifically said that HIPAA does not preempt stronger state laws, but the issue of its relationship to medical ethics was not addressed either in the legislation or in the legislative history.
PARTICIPANT: Because often the attitude on the Hill was if they dont get it right now theyll go back and fix it later and see how current events with Kennedy and the drug brokers in Medicare youd say well lets pass something now and well fix it later. The value of your hearings could be, the hearing might be if you need something, need something fixed, looked at, and the dichotomy between what the law actually is supposed to be and the way its being applied, hearings could be very, could correct things in the future.
MR. ROTHSTEIN: Well, thats what we hope to align and hope that that would be the case as well.
MS. HORLICK: I would just say if you think that you want to have another hearing before the end of the calendar year, while youre polling people I would go ahead and reserve that date because --
MR. ROTHSTEIN: Yes, we probably ought to reserve two dates.
MS. HORLICK: And they could always cancel it.
MR. ROTHSTEIN: We havent had a hearing since --
[Whereupon the meeting was adjourned.]