[This Transcript is Unedited]
Hubert H. Humphrey Building
200 Independence Avenue, SW
Room 705A
Washington, DC
Proceedings by:
CASET Associates, Ltd.
10201 Lee Highway, Suite 160
Fairfax, Virginia 22030
(703)352-0091
Agenda Item: Call to Order, Introductions
MR. ROTHSTEIN: Good morning, everyone. Welcome to the second day of our two days of hearings.
My name is Mark Rothstein. I'm the Director of the Institute for Bioethics, Health Policy and Law at the University of Louisville, School of Medicine, and I am Chair of the Subcommittee on Privacy and Confidentiality of the National Committee on Vital and Health Statistics, which, as most of you know, is a federal advisory committee consisting of private citizens making recommendations to Congress and the Secretary of HHS on Health Information Policy, including issues related to HIPAA.
On behalf of the subcommittee and its staff, I want to welcome you to today's hearings.
I also want to welcome those who are listening on the internet. To those of you on the internet, I apologize for the technical glitch yesterday that prevented you from listening to our afternoon hearings, and the transcript of those hearings will be posted shortly on our website so you can catch up on the information that you missed related to law enforcement and HIPAA.
Before proceeding further, I would like to have introductions, beginning with members of the subcommittee and staff, and, as usual, I would invite subcommittee members to disclose any conflicts of interest that they have.
I'll begin by noting that I have no conflicts of interest, and I'll ask Dr. Harding to be next.
DR. HARDING: I'm Richard Harding. I'm a child psychiatrist and Chairman of the Department of Neuropsychiatry at the University of South Carolina and a member of the committee and subcommittee and I have no conflicts in this situation.
MR. HOUSTON: I'm John Houston with the University of Pittsburgh Medical Center. I am a member of the committee as well as the subcommittee, and I do not have any conflicts either.
MR. FANNING: I'm John Fanning from the Department of Health and Human Services. I'm staff for the committee.
MS. FYFFE: I'm Kathleen Fyffe. I work for the Department of Health and Human Services and I'm lead staff to the Subcommittee on Privacy and Confidentiality.
DR. GREENBERG: I'm Marjorie Greenberg of the National Center for Health Statistics, CDC, and Executive Secretary to the committee.
DR. COHN: I'm Simon Cohn. I'm the National Director for Health Information Policy for Kaiser Permanente and a member of the subcommittee and full committee, and I have no conflicts.
MS. KNOBLAUCH: I'm Laura Manley Knoblauch. I'm the university privacy officer at Illinois State University, but I am here today representing the American College Health Association.
MS. DOZIER: Good morning. I'm Beverly Dozier. I'm the privacy role coordinator for the CDC, Office of Health Information Privacy Office.
MS. SQUIRE: I'm Marietta Squire. I'm with CDC, NCHS, and I am staff to the subcommittee.
MS. HOOPMAN: Good morning. I'm Jan Hoopman. I'm President of the NASN. I'm here as a visitor today.
MS. PERKIDOLICA: Sama Perkidolica(?) from the Association of State and Territorial Health Officials. I'm here as a visitor.
MR. HUNTER: Ed Hunter from CDC.
MR. RODEY: Dan Rodey(?) from American Health Information Management Association.
MR. ROTHSTEIN: And Gail Horlick, are you on line?
Is Gail on line, Donald?
MS. HORLICK: Good morning, Mark. This is Gail Horlick from CDC, staff to the Subcommittee on Privacy and Confidentiality.
MR. ROTHSTEIN: Okay. Good to hear from you, Gail.
And welcome to everyone.
Yesterday's hearings focused on the issues of banking and law enforcement. In earlier rounds of hearings we heard about public-health issues and research and other issues. So this is part of an ongoing series of hearings that we are having on HIPAA implementation issues.
This morning, we will hear from two panels of invited experts on the topic of HIPAA and Schools, and if any of the witnesses want to submit written testimony that have not done so, I would invite them to submit it within two weeks to Marietta Squire.
I want to alert our listeners as well as members of the staff and audience about a schedule change today. We will take our two panel discussions pretty much as listed on your agendas, but we will have a subcommittee discussion that was supposed to begin at 11:30 and end at noon begin at 11:30 and end when it ends, possibly as late as 12:30, but then adjourn the meeting for the day. So we will not be meeting after lunch today.
I want to remind our witnesses and listeners about the purposes of the hearings, and they are to consider whether the Privacy Rule strikes the appropriate balance between health privacy and other important concerns to determine whether there are practical problems or unintended consequences that have arisen as a result of the Privacy Rule, and to ascertain whether there are areas in which additional clarification, education where outreach efforts are needed to facilitate compliance.
Witnesses are asked to limit their initial remarks to 15 minutes, and after all the witnesses of each of the panels have concluded their discussion, we'll have ample time, I hope, for questions and a broader discussion with the subcommittee members.
I would request that all witnesses and guests turn off their cell phones now, and remind the witnesses that we are, in fact, being broadcast on the internet and to please speak clearly into the microphone, so that everyone can hear.
Agenda Item: Schools - Panel 1
MR. ROTHSTEIN: If there no other preliminary or introductory matters, I would like to proceed to our first panel on schools, and we will proceed in the order listed on your agendas, and that is we'll lead off with Beverly Dozier.
MS. DOZIER: Good morning, ladies and gentlemen and members of the subcommittee.
My name is Beverly Dozier, and I am the HIPAA Privacy Rule Coordinator for the Centers for Disease Control and Prevention. My position is within the newly-created Health-Information Privacy Office, an office within CDC's Epidemiology Program Office.
I was asked to speak this morning about the implications and impact on public health of the nexus between the Privacy Rule and the Family Educational Rights and Privacy Act of 1974, also known as FERPA.
As you know, all records protected by FERPA are excluded from the definition of protected health information in the Health Insurance Portability and Accountability Act of 1996, also known as HIPAA. Therefore, regardless of the nature of the information contained in an educational record protected by FERPA, even if it is health related, the law governing the privacy of those records is FERPA and not the HIPAA Privacy Rule.
The CDC has several national health-surveillance programs that track various childhood health conditions and behaviors. A few examples are the National Immunization Program; the National Center on Birth Defects and Developmental Disabilities, which tracks conditions such as birth defects, attention-deficit-hyperactivity disorder, fetal alcohol syndrome and autism; the National Center for Injury Prevention and Control, which has systems to track data related to unintentional injury and violence and collects data related to behavior risk for injuries and violence; the National Center for Environmental Health tracks child lead poisoning, asthma and conducts the National Environmental Tracking Program; and the National Center for Chronic Disease and Health Promotion, Division of Adolescent and School Health and Division of Nutrition and Physical Activity; and the Office on Smoking and Health, just to name a few.
In addition, CDC funds a host of external partners, including state and local health departments, hospitals and academic institutions to identify and track these and other childhood health conditions.
Several provisions of the Privacy Rule permit covered entities to provide protected health information to public-health authorities, such as the CDC, without the consent or authorization of the individual.
These provisions were included in the Privacy Rule because the Department of Health and Human Services, or HHS, understands the need to balance individual privacy interest with the public's need to acquire health data for public health and other purposes.
For some nationwide health-surveillance projects, public-health authorities strongly believe that accurate data on the incidence of health conditions could not be obtained if consent or authorization were required. This is especially true of the types of conditions that CDC tracks in children. Often, a parent is reluctant to have a child labeled with a condition or with a developmental disability. For this reason, and some other socioeconomic factors, obtaining accurate data for these types of conditions would be unattainable if parental consent were required.
There has been some confusion in state and local education institutions about whether FERPA or HIPAA protects health information in the case where a school runs a health clinic. For example, when a school has a health clinic that is a covered entity under the administrative simplification regulations under HIPAA, because it provides health care and conducts electronic transactions, as defined in the Transactions Rule, and these health records are determined by the school to be protected by FERPA, then the records would not also be protected by the Privacy Rule.
While covered entities under the Privacy Rule may disclose protected health information to public-health authorities for public-health activities, FERPA does not generally allow a school or a school system to share health information contained in education records protected by FERPA with a public-health authority without parental consent. Conversely, a public-health authority is permitted under the Privacy Rule, subject to state and federal laws, to share the data it collects with healthcare providers, public-health authorities and the school system, if needed.
Some of the childhood conditions that CDC and its partners track are uniquely identified in school-age children. In many cases, children with these conditions are often only identified in the school. For example, autism and attention-deficit-hyperactivity disorder either do not appear or are not recognized until the child is of school age. These conditions manifest in the child as behaviors, and the school psychologist or other specialist usually tests the child, not to make a diagnosis, but rather to determine what kinds of interventions would assist the child in being more effective in accomplishing schoolwork.
The results and conclusions of these tests become part of the child's school records and are thus protected by FERPA, and, furthermore, these results are seldom found ascertained in the clinical setting.
Under an exception in the FERPA regulations that permits disclosure of education records to authorized representatives of the Department of Education, or Ed, CDC has a memorandum of understanding, or MOU, with the Department of Ed. This MOU allows the CDC to access educational records in five metropolitan Atlanta counties for our study known as the Metropolitan Atlanta Developmental Disabilities Surveillance Project. The MOU expires next year.
The data from CDC surveillance of autism in Metropolitan Atlanta in 1996 show that for 40 percent of the children identified with autism, information was found on these children only at the school sources. Only three percent of the children were found uniquely at clinical sources. So while 57 percent of the children with autism were known to school and clinical sources, school sources certainly provided a great deal of unique information on the features of the children's disabilities.
There is no national policy that allows for the sharing of health data and information between public-health authorities and educational institutions. It is vitally important to the health of the nation's children that public-health authorities and educational institutions work together to identify the incidence of childhood conditions and find effective interventions and preventions.
Congress recently passed the Birth Defects and Developmental Disabilities Prevention Act of 2003, Public Law 108-154, which provides an opportunity for HHS and the Department of Education to work together to resolve this data-sharing dilemma as it relates to autism and other developmental disability surveillance.
The law requires HHS and Ed to study these issues and submit a report to Congress within 18 months. The report must describe, one, the challenges to obtaining education records in the absence of parental or patient consent for public-health purposes, such as surveillance data for autism and other developmental disabilities; two, how these challenges can be overcome, including efforts to educate parents, improve school confidence in the privacy of public-health surveillance programs and raise the rates of parental or patient consent.
The report will also include specific qualitative and quantitative justifications for any recommendations for changes in the existing statutory authority, including the Family Educational Rights and Privacy Act of 1974.
The CDC looks forward to working together with Education to protect the health-information privacy of individuals while maintaining a strong public-health system and clarifying the provisions of the Privacy Rule as they relate to public health and education.
MR. ROTHSTEIN: Thank you very much for that testimony.
We'll now proceed with our second witness, Jane McGrath.
DR. MC GRATH: Good morning, Chairman Rothstein and members of the subcommittee. I am very pleased to be here today.
My name is Dr. Jane McGrath. I am pleased to be here today to represent the 57,000 pediatricians of the American Academy of Pediatrics on an issue of importance to children, parents, health professionals, educators and administrators.
I have been a pediatrician for over 15 years and am currently the School Health Officer for the New Mexico Department of Health and also an Associate Professor of Pediatrics at the University of New Mexico Health Sciences Center.
Real-world problems are created by the lack of clarity regarding whether privacy requirements of HIPAA apply to health information in schools, and I would like to just talk about a couple of examples.
First, immunization information. States mandate that schools require certain immunizations in order for children to attend. These immunization requirements are, in effect, the way we, as a society, ensure that children receive their immunizations. School nurses enforce immunization requirements and spend a considerable amount of time and energy making sure that students at all grade levels are appropriately immunized.
Under HIPAA, the school nurse is no longer able to call the local health department or pediatric provider in order to update immunization information on a student without explicit written permission from the parent. Getting written authorization from parents may seem like a trivial step, but, in many communities, it can represent a significant barrier to a school nurse who is already overwhelmed with work and may be responsible for the immunization records of over 1,500 students.
Because immunizations are considered a public-health exemption under HIPAA, the regulations allow the sharing of information between HIPAA-covered entities without explicit authorization. It does seem unreasonable to require school nurses to get written parental authorization that is not required of other health professionals when we rely so heavily on school nurses to enforce the immunization requirements.
The exchange of information related to the treatment of a student with special-care needs is another area of concern. As schools are not generally considered to be covered entities under HIPAA, the exchange of information with the child's provider for purposes of treatment is thought to require parental authorization. Since the implementation of IDEA, students with special healthcare needs have started going to school in unprecedented numbers. As a result, many school nurses provide daily care for children with complex medical conditions. Children attend school who need ventilatory support, ostomy care, tube feedings, perineal dialysis and a host of other medical procedures and equipment.
It is vital that the school nurse be able to quickly contact a student's physician if something should go wrong during the day. The current regulatory confusion has resulted in children not getting the health care they need while at school in an acceptable time frame. It is difficult enough for a school nurse to get a busy medical provider on the phone to answer questions concerning a patient's care. When the conversation about healthcare is delayed because of concerns about whether the parent has granted permission to share necessary health information, the child is the person who suffers because of the delay.
Another area of particular concern is in the arena of mental health, students discharged from psychiatric hospitalization and residential treatment. Getting records after a student has been discharged from a mental-health facility has been a long-standing problem for schools. Under the current regulatory environment, the school must depend entirely on the parent to provide a discharge summary. Parents frequently don't remember to give the school a copy of the discharge summary, and this can cause disruption in the continuity of care, especially with respect to medication. When the school nurse is included in discharge planning and receives a discharge summary, the student is much more likely to have consistent followup and medication.
Schools bill Medicaid for services provided to students written into their individual educational plan or IEP. Schools provide services that are billed to Medicaid. The government needs to make it clear what a school's responsibilities are under HIPAA. It may be reasonable to explore allowing schools to qualify as HIPAA-covered entities. Schools are part of the healthcare safety net and should be encouraged to collaborate with managed-care organizations, community providers and others.
The current regulatory environment results in barriers between schools and other HIPAA-covered entities. As a consequence, there is less collaboration and, consequently, worse healthcare for students. Because schools are the place where children are during the day, schools need to be included to a greater degree in the community network of healthcare.
Another point is that schools do not adequately protect private health information of students. Under FERPA, schools are not required to protect private health information separately from the student's academic record. As a result, it is not uncommon for a school to include health information in a student's cumulative academic file. Although FERPA regulates access to the cumulative file, it is done with an eye towards who should appropriately have access to the academic record, and a student's health information may be released to an individual who only really desires their academic information. This compromises a student's health privacy, but does not violate the FERPA regulation.
There is a lack of clarify about the intersection of HIPAA and FERPA. It is clear, from my experience and the messages I have received from many providers and school nurses, that confusion is widespread about what is and what is not allowable under the current HIPAA and FERPA regulations. Many states have developed ad-hoc solutions to the current situation that results in further lack of clarity and consistency. It is fair to say that a solution that might be acceptable in Massachusetts is not feasible in New Mexico, and I have brought and would like to submit to the record a number of emails from colleagues and school nurses in my part of the world talking about the problems and issues that they have encountered.
The American Academy of Pediatrics proposes the following recommendations for your consideration.
First, that personally-identifiable health information of students in schools should be protected in the same manner as such information elsewhere. Many schools are involved in providing healthcare on a day-to-day basis. However, their management of health records is a significant problem. Confidential student-health information can be found in various locations throughout the school. For example, academic files, the coaches' files, the school nurse's files. This information may be kept or assessed by a range of individuals with little or no training related to confidentiality requirements. A consistent, fair and reasonable system must be designed to protect a student's health information in the healthcare and educational settings.
Second, school-health providers and community health providers should be able to communicate directly concerning treatment issues, including immunization records. There is a lack of clarify concerning the intersection of FERPA and HIPAA that results in barriers to effective communication for the treatment of students in the school setting. The current environment is one of confusion that results in school health providers who are often the people immediately responsible for a child's welfare during the day being able to communicate with the community health providers.
And, lastly, more stringent health privacy standards need to be put into place within the school setting in order to provide adequate privacy to the student's health information.
Schools are not uniformly careful with students' personally-identifiable health information. Simply liberalizing the HIPAA Privacy Rule to allow school nurses to be included for purposes of receiving and sharing health-treatment information is not an adequate resolution to ensuring that health information remains private.
I appreciate the opportunity to share these observations with the subcommittee, and I would be happy to respond to any questions.
MR. ROTHSTEIN: Thank you very much.
I'm sure the subcommittee has a number of questions raised already by the first two witnesses, and we'll take them up at the end of the discussion.
We would like now to proceed to Ellen Campbell.
MS. CAMPBELL: Thank you.
My name is Ellen Campbell. I am the Deputy Director of the Family Policy Compliance Office at the Department of Education.
The mission of the Family Policy Compliance Office - FPCO - is to meet the needs of the department's primary customers, students and their families, by effectively implementing two important federal privacy laws that seek to ensure student and parent rights in education, FERPA, the Family Education Rights and Privacy Act, and the Protection of People Rights Amendment, PPRA.
The FPCO responds to complaints from parents and students as well as to inquires and requests from school officials for technical assistance.
In addition, the FPCO responds to a large number of telephone calls, emails from parents, students, school officials and other government officials requesting information on FERPA and PPRA.
The purpose of my testimony today is to discuss FERPA and its intersection with HIPAA.
FERPA has a long-term continuing impact on educational agencies and institutions that are the recipients of U.S. Department of Education funds. Therefore, FERPA impacts all public school districts, virtually all public institutions or public post-secondary institutions, public and private - excuse me - and all state educational agencies.
FERPA is a federal law that protects privacy interests of parents and their children's education records. FERPA generally prevents an educational agency or institution from having a policy or practice of disclosing the education records of students or personally-identifiable information contained in education records without the written consent of the parent.
The term, education record, is broadly defined as all records, files, documents and other materials which contain information directly related to a student and are maintained by the school or the person acting for the school.
Additionally, the records of a student that pertain to services provided to that student under the Individuals With Disabilities Education Act idea are education records under FERPA and are subject to the confidentiality provisions under IDEA and all of the provisions of FERPA.
When a student reaches the age of 18 or attends college at any age, the student is considered an eligible student under FERPA and all the rights afforded by FERPA transferred from the parent to the student.
K through 12 students' health records, including immunization records, maintained by an educational agency or institution subject to FERPA, including records maintained by a school nurse, would generally be education records subject to FERPA because they are, one, directly related to a student, and, two, maintained by an educational agency or institutional party acting for the agency or institution, and, three, are not excluded from the definition of education records as treatment of sole-possession records or on some other basis.
In August 1996, Congress enacted HIPAA to ensure continued health-insurance coverage for persons who change jobs and to establish transaction security, privacy and other standards to address concern about the electronic exchange of health information.
Final regulations for the privacy requirement detailed in how covered entities must handle individually-identifiable patient information were published in the Federal Register on December 28, 2000, with final modifications to the Privacy Rule August 2002.
Organizations subject to the HIPAA Privacy Rule, known as covered entities, include health plans, healthcare clearinghouses and healthcare providers that transmit health information in electronic format. Healthcare providers include institutional providers or health and medical services such as hospitals and other non-institutional providers. As such, schools and school districts that provide health and medical services to students may qualify as covered entities under the HIPAA Privacy Rule.
However, the preamble to the December 2000 final rule explained that health information maintained as an education record, defined by FERPA, is excluded from HIPAA privacy requirement; that is, it is not the HIPAA Privacy Rule, but FERPA, and the confidentiality provisions and idea, where applicable, that protect the privacy of information in education records, including, specifically, health-related information, and I won't read what the preamble to the 2000 final rule stated, but it is in the testimony, but I will read this sentence, it says, while we strongly believe that every individual should have the same level of privacy protection for his or her individually-identifiable health information, Congress did provide us with the authority to disturb the scheme - for records maintained by educational institutions under FERPA. We do not believe Congress intended to remand or preempt FERPA when it enacted HIPAA.
The FERPA carve-out from the HIPAA Privacy Rule includes treatment records of eligible students, those that are 18 or in college at any age, which are excluded from the statutory definition of education records in FERPA; that is, treatment records of eligible students are not protected under FERPA as education records and are not subject to the HIPAA Privacy Rule. However, if the records are used for any other purpose than for treatment of the student as laid out in the law and the regulation, they become education records under FERPA.
It should also be noted that even if records maintained by schools that provide health services to students are subject to FERPA and thus excluded from the HIPAA Privacy Rule, the school may, nonetheless, be covered under other HIPAA standards, such as the Transaction Rule.
As noted, the reason for the exemption in the HIPAA Privacy Rule for records covered by FERPA is that Congress, through FERPA, previously addressed how education records should be protected, and I would like to give you a little more background on FERPA before we end.
Under FERPA, there are a number of specific statutory exceptions to the general rule against non-consensual disclosure. There are no general exceptions to FERPA's Prior-Consent Rule that permit a school subject to FERPA to disclose records to a state health agency or to researchers. FERPA does contain a very limited exception to the Prior-Consent Rule that allows educational agencies and institutions to disclose information to appropriate officials in connection with a health or safety emergency.
Specifically, FERPA says that these records may be disclosed without consent in connection with an emergency to appropriate officials if the knowledge of this information is necessary to protect the health or safety of the students or other persons.
However, the regulations and the congressional language indicate that these conditions will be strictly construed. I won't quote the joint statement, but it is in the testimony that you can see in 1974 Congress intended that that exception be strictly construed.
The FPCO has consistently interpreted this provision narrowly by limiting its application to a specific situation that presents imminent danger to students or other members of the community or that requires an immediate need for information in order to avert or diffuse serious threats to the safety or health of a student or other individual.
While the exception is not limited to emergencies caused by terrorist attack, our recent guidance on this issue provides useful and relevant summary of our interpretation, which I will not quote.
In summary, educational agencies and institutions subject to FERPA may disclose personally-identifiable non-directory information from education records under the HELPA(?) safety emergency exception only if the agency institution determines on a case-by-case basis that a specific situation presents imminent danger or threat to students or other members of the school community or requires an immediate need for information in order to avert or diffuse serious threat. Any release must be narrowly tailored considering the immediacy and magnitude of the emergency and must be made only to parties who can address the specific emergency in question.
Certainly an outbreak of diseases, such as measles, rubella, mumps and polio not only pose threat of permanent disability or death but have historically presented themselves as epidemic in nature. Thus, disclosure of personal identifiable information from records to state health officials for such reasons would generally be permitted under FERPA's health or safety emergency provision, and then there are recordation requirements that the law requires that schools record who they dispose it to and under what exception.
Please note, however, that FERPA does not permit an educational agency institution from disclosing non-personal identifiable information to state health officials or to any other outside entity. Rather, FERPA prohibits the disclosure of personally-identifiable information from education records without the consent of parents or students, and personally-identifiable information is described in the regulations, and I list the items there that make a record personally identifiable.
In order to make sure that information is not personally identifiable, the disclosing school would need to remove the name, ID number, any other identifier that would permit the identity of an individual student to be easily determined.
And, finally, nothing in FERPA prohibits school officials from attaining parental consent in order to disclose information to anyone, to outside entities. The written consent has to specify the records that may be disclosed, state the purpose of the disclosure and identify the party or class of parties to whom the disclosure may be made. Certainly, this could include a broad consent at the beginning of the year for any disclosures to physicians that might need to be made.
I hope that this testimony adequately explains the requirements of FERPA as they relate to the disclosure of personally-identifiable information contained in student-education records as well as to the intersection between FERPA and HIPAA, and we are always available for any questions on followup.
MR. ROTHSTEIN: Thank you very much. I'm sure we will have some questions for you shortly.
And the final witness on this first panel is Laura Manley Knoblauch.
MS. KNOBLAUCH: Good morning.
My name is Laura Manley Knoblauch, and I am here as a designated spokesperson for the American College Health Association with regard to the Privacy Rule under HIPAA. I am a member of the American College Health Association's HIPAA Task Force.
The American College Health Association represents 2,624 individuals and 955 institutions and is the principal leadership organization in the field of college health. College and universities' health services provide health services to 15.3 million students.
I work for Illinois State University where I am the Assistant Director of the Student Health Service and the University Privacy Officer.
My goal today is to relay to you concerns college and university health services are experiencing in their efforts to comply with the privacy rules of HIPAA, as well as complying with the Family Education Rights and Privacy Act, otherwise known as FERPA, and, in some cases, state law for student medical records.
Before I begin stating our dilemma, I must state that not all student health services are faced with HIPAA compliance, because not all institutions perform any of the electronic transactions triggering the application of HIPAA.
Many of our student health services are smaller and do not bill for services or file insurance manually or electronically. However, for those student health centers who do perform electronic transactions, we have been seeking legal interpretation on how to comply with HIPAA. Because most of our institutions receive federal funding, they are also covered by FERPA. The intersection of these two pieces of legislation has been the subject of much discussion and interpretation. Great disparities have resulted in how college and university health centers across the country have dealt with the issues created by the HIPAA regulations.
Implementation efforts fall along the spectrum of implementing only HIPAA, following only FERPA or some convoluted combination of these two regulations. Many student health services have received legal opinions regarding compliance with FERPA and HIPAA and they have informed us that student health services must ensure compliance for student records under FERPA or state law, and non-student records are governed by HIPAA. In addition, the January 2003 FERPA Teleconference sponsored by the Department of Education reenforced these legal opinions.
Many student health services are now in the unenviable position of having three different standards with which to comply. Student records maintained and accessed solely by the provider are governed by state law. Students records released for any reason, including pursuant to a patient authorization, are governed by FERPA. Non-student records, such as those of university employees are governed by HIPAA.
Since we often release medical records upon patient authorization, we have to determine, prior to the release, the patient's status, be it student or non-student, and if the record has ever been released. This has created a cumbersome, complicated system for medical-record privacy and one that I don't believe Health and Human Services intended.
Student health services frequently refer patients to physician specialists within our communities. These medical providers naturally assume that we are covered entities under HIPAA. When a specialist requests medical records for treatment purposes, we must have the student patient sign an authorization for this release. This is often confusing for the patient and our clinical staff, as well as a possible barrier to efficient communication to the clinical staff to whom we refer.
Under FERPA regulations, student health services could, theoretically, release a student medical record to a professor without obtaining the patient's consent. However, FERPA will not allow release of a student medical record to another healthcare provider for treatment purposes without a patient authorization.
In my opinion, to consider clinic records maintained by the student health service education records under FERPA, instead of medical records, is absurd and illogical.
As a result of the widespread confusion in college health, there is disparity in the way university health centers have chosen to grapple with the several sets of medical privacy laws that we are charged to comply with. For example, some university health services have implemented a HIPAA-only approach for the non-student records, meaning that for their non-students, they comply with HIPAA and for their students, they comply with FERPA. This has certainly simplified the process of complying, but it appears that a student medical record is being held at a lesser privacy standard than non-student medical records. If HIPAA is the national privacy standard in healthcare, which we believe it should be, why are student medical records exempt under HIPAA?
Some university health services have considered complying exclusively with HIPAA regulations and ignoring FERPA. However, in some cases, FERPA regulations are more stringent. An example is that HIPAA allows for release of information for treatment, payment and health-care operations. However, this would be a violation under FERPA. This is one of the benefits available under HIPAA that would violate FERPA. Legal experts have told university health services that since FERPA is, in some cases, more stringent, we cannot simply choose to comply with HIPAA as it is not the higher standard in all cases.
We looked at the possible non-compliance penalties of HIPAA versus FERPA. We were told that compliance with HIPAA, instead of FERPA, even though FERPA doesn't levy fines, could result in federal funds being withheld from the university if it was found to be in non-compliance, a frightening thought to say the least for most institutions.
Still, other university health services have addressed this complicated problem by opting to discontinue providing care to non-students, such as spouses, summer camps, visiting scholars, athletic interns, J-1 Visa Scholars and the like. This option allows them to follow only FERPA or state law. This is certainly not an optimal solution as it decreases healthcare access and services to the campus community, not to mention the lost revenue.
Representatives of several university health services have attempted to contact the Department of Education and/or HHS with questions regarding the HIPAA-FERPA intersection. We have received no official response.
In order to discuss our challenges with compliance and to formulate a solution, we put forth the following recommendation:
It is a request of the American College Health Association for this committee to identify a workgroup made up of representatives from the Department of Education, the Department of Health and Human Services and the American College Health Association to specifically address the implementation issues of HIPAA in our college and university health centers.
We believe the resolution of our issues will only be achieved through changes in both FERPA and HIPAA regulations and that it will require involvement from all constituents to effectively make these changes. The changes to the regulations might include:
One, to change the FERPA's regulation's definition of exemption to education records. The exemption to education records, Section 20, US Code 1232-G, Section A-4-B IV, for medical records held at institutions of higher education, needs to be broadened in scope beyond the provider-patient relationship. The exception needs to include the records, even if they are released outside the provider-patient relationship.
This change in definition would exempt any medical record created by a university health service from FERPA leaving an institution to comply with state law if they do not perform any of the listed electronic transactions or to solely comply with HIPAA if they do submit listed electronic transactions.
Secondly, to change the HIPAA regulation's definition of protected health information or PHI to include medical records held by institutions of higher education. The definition of PHI and HIPAA at Section 164 501, needs to be changed to eliminate the FERPA exception of medical records held by institutions of higher education. These two changes would allow medical records held at institutions of higher education to be included in PHI under HIPAA and would remove their coverage under FERPA. This would eliminate the dysfunctional intersection of these two regulations and, we believe, would meet the intent of both of these regulations, which is to protect the privacy of medical records held by institutions of higher education. The end result being that any university health services falling under HIPAA regulations by virtue of them performing any of the listed electronic transactions would automatically treat all of their medical records under one privacy standard, that being HIPAA.
We thank you for your time and consideration of our request, and I would be happy to answer any questions you may have.
MR. ROTHSTEIN: Thank you very much.
I have an infinite number of questions B (laughter) - but I'm sure my panelists and subcommittee colleagues do as well. So we will open the floor for discussion and questions by subcommittee members, begin with John Houston.
MR. HOUSTON: I feel bad, because I always start. Well, but what the heck.
MR. ROTHSTEIN: You don't feel that bad. (Laughter).
MR. HOUSTON: Well, that's true.
I guess I have two separate questions for Dr. McGrath, the first being is in the event that you had a special-needs child, somebody who had some type of care that was required on a daily basis within a school setting or had to have medications administered, things of that sort, what would preclude the school from requiring an authorization in appropriate paperwork prior to accepting that child into the school, so that the nurse would have available to the nurse, you know, access to the medical information?
DR. MC GRATH: It is my understanding - and I think we have other experts here in the room who will, hopefully, be able to help us clarify these things probably more effectively than I can - but I think, under most circumstances, if you have a child with known medical needs that are being taken care of by the school, certainly, in that circumstance, early in the school year, it might be not too onerous for the school to get written authorization to share information with the physician, but, for example, as is frequently the case now, unfortunately, many of us don't have a single physician that we deal with, but perhaps an entire group or a large group. So, in that case, the nurse might call to try to get some help, and because there is such a large amount of uncertainty about HIPAA and FERPA and what can be shared and what can't be shared, if there wasn't immediate documentation for what might be another physician or another part of a physician group, they may or may not feel comfortable sharing the information. So even though a written authorization had been obtained by the school, that information might not be available to a covering physician on the line. So, again, there are different levels, I think, in the community of concern.
The other issue is for a new child that is being brought into the school, authorization may not have been acquired from the parents at the time of registration. You know, it's a new procedure for schools to get that authorization, so that you may have a child who is new in the school, doesn't have authorization and the nurse is unable to follow up, and then, again, you may have a child who has had a known problem that hasn't really manifested itself or has a new problem, and the school doesn't have authorization. It's not always easy for the school to get authorization from parents if it hasn't been obtained at the time of registration, and I think one of the big problems for school nurses is that the focus of the school is not on healthcare, but it's on the academic issues of the child. So, generally, a child who is getting enrolled, either at the beginning of the year or in the middle of the year doesn't necessarily come into contact with the school nurse at the time of enrollment. So enrollment is done by the school counselor or somebody else -
MR. HOUSTON: But to the extent that there is some medications that need to be administered or some type of treatment that needs to be administered on a daily basis or on a periodic basis, I would suspect, in that particular case, arrangements would have to be made with the nurse anyways, and in those types of scenarios, I would suspect that there are things that can be put in place procedurally to allow that nurse the flexibility to communicate with the physicians and ensure that the care is delivered appropriately. I mean, that would - just thinking out loud.
DR. MC GRATH: I think it is not an issue that procedures can't be put in place. It is that they are often overlooked by schools because they don't see healthcare as their primary responsibility. They see their primary responsibility as enrolling the kid in the school, getting them signed up for their classes, and, then, it's frequently the case in my experience that a child is enrolled in school without the school nurse ever even knowing.
So, now, obviously, a child with multiple health problems, that child is more likely to be referred to the school nurse, but, again, I would just submit to you that you need to recognize that schools don't consider - their first consideration is not the health status of the child. Their first consideration is all of the issues that have to do with that child's academic records, success and placement within the school.
MR. HOUSTON: Just a followup question. What happened pre-HIPAA? I mean, what was - I guess - it would be interesting to understand what was the climate before HIPAA. Obviously, FERPA existed.
DR. MC GRATH: Under FERPA, I think - prior to HIPAA, there was - well, I think it is unfair to say that unfettered access between the physician and the school nurse - I think it is always difficult for a school nurse to get a physician on the phone to talk about issues because they tend to be very busy, but I think school nurses have much more ready access to physicians. Physicians, generally, are much more wary and careful and unsure about what they can communicate without explicit authorization given HIPAA. Now, part of this may, in fact, be less an issue of what the law actually allows, so much as people's own concern about that or perceptions.
MR. ROTHSTEIN: Okay. Thank you.
Dr. Harding.
DR. HARDING: I have a number of questions, but just one clarifying, and then I'll let someone else start.
Does FERPA not apply to private schools?
MS. CAMPBELL: FERPA only applies to schools that receive funds from the U.S. Department of Education as a spending-clause provision under the Constitution. Private schools, for the most part, do not receive federal funds.
Now, children are placed in private schools by the local school district. The local school district, in that case, is responsible under FERPA and IDEA for that child's privacy of their records.
So a private school, if they qualified as a covered entity under HIPAA, they would be subject to HIPAA, because they are not generally subject to FERPA.
DR. HARDING: I wasn't aware of that. Thank you.
MR. ROTHSTEIN: I have several questions about FERPA. This is new ground for many of us, and I just want to get some clarification on some of the statements that some of your co-panelists made.
Is it, in fact, the case that FERPA does not require separate records for medical and academic records in schools?
MS. HARDING: Yes, FERPA does not require that a school create any records or maintain them in any specific fashion, other than to protect the privacy of the records under FERPA.
We are very aware of a tension between local control and federal control, and the law only requires if you have records, then you have to comply with FERPA. It doesn't say you have to have - there's no such thing as cumulative record under FERPA. It is any record that is directly related to the child is maintained by the school.
Now, that doesn't mean - and we have said this - that a school could not create a higher standard and allow only health officials to see the information in the school nurse's office. That has always been the case, but that is up to the school.
MR. ROTHSTEIN: So it could, in fact, be the case - and may be - for medical information, health records to be commingled with academic records, and the protection, I hear you saying, is the limited or supposed limited access to all the records.
MS. CAMPBELL: That's correct. I mean, a school only has to provide access to the parent.
MR. ROTHSTEIN: Right.
MS. CAMPBELL: No one has the right to see the records. However, the law permits disclosures to other school officials who have a legitimate educational interest. So just any teacher down the hall doesn't have a right to see the record. They have to have a legitimate educational interest in that child's education -
MR. ROTHSTEIN: Under HIPAA, one of the requirements is that covered entities have to engage in a training program to train employees and students who might have access to that information; that is, trainees and so forth. Is there any comparable training requirement under FERPA B in other words, a requirement that teachers be trained and school nurses be trained and other people be trained about the FERPA requirements?
MS. CAMPBELL: There is nothing in the law or the regulations that require training. I believe there's something in IDEA that requires that those IDEA officials be trained, but my office has a very aggressive training program itself where we train school officials in FERPA all over the country, and if we have a situation where we have found that a school violated FERPA in a complaint, one of the stipulations is they have to provide guidance to school officials on compliance with FERPA.
MR. ROTHSTEIN: And the last question - and then I'll let some of my other colleagues ask - is does FERPA draw any distinctions in the treatment or the care or the standards between K-12 and higher education? In other words, we heard testimony that sometimes student medical records are released to professors or could be released to professors without the consent of the students who are now presumably 18 and old enough to give their own consent. Are there different standards or is there just a single standard?
MS. CAMPBELL: Well, I wouldn't call it different standards. There is a carve-out. One of the exceptions to an education record is if it is a medical treatment record on a student who is 18 or in post-secondary school, and then there are parameters for that. I mean, a college, for instance, could decide we are going to treat these records as medical records, not as education records, but that means they can only be disclosed within the institution for those people providing treatment to the student's position.
Once a disclosure is made that is not within those parameters, it becomes an education record under FERPA. So, oftentimes, you see a treatment record being disclosed to the disability office on campus. Well, that's fine, but once it is it is no longer in that carve-out section. It's now an education record under FERPA.
MR. ROTHSTEIN: So am I correct in saying that the primary reason for the Department of Education being reluctant to, let's say, have that regulation under FERPA, setting requirements that there be a distinction between educational records and health records is a sort of federalism issue that you don't want to -
MS. CAMPBELL: Well, no. It's a statutory issue. I mean, we don't write regulations just based on something that we want to change. Congress has to change the law -
MR. ROTHSTEIN: So you don't think that you have the statutory authority to do it.
MS. CAMPBELL: No, we do not.
MR. ROTHSTEIN: So - I see. I was under the impression that it was your earlier testimony that concern about differences in state policies was driving that, and now you think it's a lack of statutory authority.
MS. CAMPBELL: The lack of statutory authority to just decide we are going to change and say, okay, these are subject to HIPAA and these are not.
MR. ROTHSTEIN: No, I don't mean subject to HIPAA. I'm talking exclusively in the FERPA realm. If you wanted to say, we want to treat medical records separately from educational records and we think that all schools subject to FERPA should do that for whatever reason, do you think FERPA gives you that -
MS. CAMPBELL: Not at the K through 12 level. I think we have that at the post-secondary level. I don't believe we have the authority to say that at the lower level.
MR. ROTHSTEIN: Okay. Richard.
DR. HARDING: One of the issues that the committee has been asked to look at is the issue of unintended consequences of HIPAA, and HIPAA was brought forward with a good heart and with good intentions and I think that it has served many good purposes.
You were saying, though, in the college health services that it has complicated your life a little bit, and you have made some recommendations. Could you expand a little bit on the complications? Is it just that you aren't sure what HIPAA really states and there is a debate going on among your association and colleagues about the extent of HIPAA's sincerity or severity or is it - you know, I guess I'm trying to think about the intent, the way it is written. What would help? And you mentioned getting together and talking, but what would help.
MS. KNOBLAUCH: Right. I think what would be helpful, for those of us that see both students and non-students, it's a real challenge, because we have to treat our student records under FERPA. If they have only been maintained in that provider-patient relationship, they have an exemption under FERPA and they are covered under state law.
Our non-students, such as university faculty and staff, those records are held under HIPAA. We have all tried different ways of complying with that, and at my institution, we have tried to keep the higher standard of both laws just for consistency.
My healthcare providers, when they go to release information for treatment purposes, for a student, they have to get an authorization for a non-student they don't. Specialists within the community are questioning, why do you need a release for this? I'm providing treatment. Aren't you a healthcare provider? Aren't you a covered entity?
So it has been a real challenge for us. Which types of disclosures do we document when we keep our accounting and disclosures, we have to document all disclosures for our HIPAA records. For our FERPA records, we are documenting all disclosures, including those of treatment. It is just a real challenge trying to know whether this record is a HIPAA record or a FERPA record, and sometimes I have a faculty member who is also a student. How do I treat that record? Where does it fall? Does it fall under HIPAA or under FERPA? Those are the challenges that we are struggling with. Quite honestly, if all the records were HIPAA, it would make my life simpler.
DR. HARDING: Have those things been superceded by more stringent state laws in any cases?
MS. KNOBLAUCH: In a few cases there are some state laws that are more stringent, such as my state's HIV records are more stringent, but the lion's share of the challenges tend to come between the HIPAA and FERPA and student and non-student records.
MR. ROTHSTEIN: Can I just ask a clarification?
You said a few minutes ago you want to be covered under HIPAA.
MS. KNOBLAUCH: I think it would make -
MR. ROTHSTEIN: Okay. I just - hadn't heard that in a while. (Laughter).
MS. KNOBLAUCH: When you have been trying to deal with three regulations, I think having one would simplify the process. Again, not all university health centers submit electronic transactions, and so they would not be covered under HIPAA, but those of us who do, it would simplify the process to have one standard as opposed to three.
MR. HOUSTON: Just to follow up on that, reading your recommendations, obviously asking for HIPAA to eliminate - the second recommendation was to eliminate the FERPA exception, but, obviously, if we eliminate the FERPA exception, then you still have this area where I'm sure people are going to have some discomfort, where if you are not doing electronic transactions and there is no FERPA exception within HIPAA, what applies?
MS. KNOBLAUCH: State law would apply, would it not?
MR. HOUSTON: Arguably, then, I guess, the drafters of FERPA would say, well, the intent of FERPA was to provide some type of federal framework with regards to the protection of student information, and that would be an unintended - I think - consequence of doing that, and I guess what would be nice to see, and sort of like a homework assignment, I guess, in one sense is to say, based upon the different scenarios of whether there is electronic transactions being performed or not, how would you deal with providing a framework for protecting patient health - protected health information or health information in each case? You know, obviously, you've got students. You have faculty and family members, and, in each case, you almost have to do an analysis of where electronic transactions are performed, where they are not being performed and, in each case, how do you guarantee that there is going to be appropriate protections put in place. I think your second recommendation sort of says, well, we don't do electronic transactions. You have a varying standard, which was really not intended.
MS. KNOBLAUCH: Well, I would agree with that, but the way HIPAA is written, if you don't submit electronic transactions, you are not a covered entity. So I wanted to point out that there are some university health services that don't submit electronic transactions, but, yes, HIPAA would be much easier for all of us.
MR. HOUSTON: Would it be helpful to sort of have an analysis of - you know, based upon the different scenarios, how would we ensure that appropriate protections are put in place, whether it be FERPA, whether it be HIPAA, whether it be something else, but, clearly, I guess my point is is that the federal government has felt compelled in each case to put regulations in place to ensure that either health information or student information is, in all cases, protected, so - or as much as possible. So I guess that is an issue that I see.
DR. HARDING: Ms. Dozier, are you aware of any specific - any occasions or any trends in the reporting of public-health information that shows that HIPAA has caused or effected that at this point or is it theoretical at this point?
MS. DOZIER: No, it is not theoretical. There has been a great deal of confusion about public-health reporting. I think that it has definitely gotten better of late, but we are still encountering situations where states who were previously reporting certain conditions to the CDC, and did not have state reporting laws felt like they were no longer able to report to the CDC once the HIPAA compliance was required.
We are still battling that hurdle on an actual program-by-program basis within the CDC, and our letters and communications in education programs with different states within our tracking systems have been helpful, but we have several situations that we are still having ongoing discussions with states or local health departments.
DR. HARDING: The interpretation is that they are not allowed.
MS. DOZIER: That they cannot - that they - yes. In an absence of a specific reporting law that they cannot provide us with that information.
DR. HARDING: And then have you asked for clarification on that?
MS. DOZIER: From the state health department?
DR. HARDING: Well, to HHS or the Office Civil Rights or any other -
MS. DOZIER: Yes, I think that we are very clear on what the situation is. The problem is educating the state and local health departments.
DR. HARDING: So the law is clear. It's the educational component that -
MS. DOZIER: We feel like it's very clear. There's confusion on the other end, as we can see.
MR. ROTHSTEIN: At our hearing in November on the issue of public health, we did hear quite a bit of testimony about the problem, not only of permissive disclosures, which you are alluding to, but also even required disclosures and a reluctance on the part of some reporters to make the disclosures because they thought, erroneously, that it violated HIPAA, and that is one of the things that this subcommittee is considering.
The other thing that we are considering and heard specific testimony about was the immunization issue, and the problem that it places on schools and school nurses having to get authorization, et cetera, and so this subcommittee is aware of that.
Dr. McGrath, I wonder if you could take us through the mental-health issue that you raised earlier. I'm clear on the first two issues that you called to our attention, the immunization one, certainly, and the treatment one. Just as an aside, as to the treatment issue, I think I would like to explore with my colleagues the issue of whether it would qualify as - if a nurse, for example, routinely or even periodically gives injections of some sort to a child or oral medications or anything, whether that would qualify under the treatment provisions of HIPAA, and where there is treatment, even if it is performed by a non-covered entity, disclosure of protected health information for treatment purposes does not require an authorization, but, in that context, it is something that I am not clear on, and it's maybe something we need to take a look at, but could you go through the mental-health issue that you raised? I want to be certain that we understand your concern.
DR. MC GRATH: Okay. Well, let me start by saying I am not a lawyer.
MR. ROTHSTEIN: A lot of people preface their remarks for us with that statement.
(Laughter).
DR. MC GRATH: But one of the areas of concern for schools - and I'm sure you are aware - is that the growing number of students who have mental-health treatment outside of school, either in residential treatment or psychiatric hospitalization, their return to school generally really requires some integration in terms of behavioral supports that might have been recommended, especially medication, and, in my experience, frankly, one of the biggest ways in which students' treatment tends to sort of fall through the cracks is that children who have been in psychiatric hospitalization, many of them also come - in many cases, they are in foster care or the care from their parent - their parents may have varying degrees of organization in terms of helping their child transition back into school.
So one of the ways in which things get dropped through the cracks is it - prior to HIPAA, prior to the implementation of HIPAA, it was possible for a school nurse to receive a discharge summary of a child who had been in a psychiatric hospital or residential treatment that would outline what the treatment recommendations are for that child, and the nurse would know what medications they are supposed to be on, what behavioral supports are supposed to be put into place and could help manage that transition.
Now, it is my understanding, that the discharge summary can only really be given to the parent. I understand the - you know - that point of view. However, it is not always possible for then the school nurse to get the discharge summary from the parent and to ensure that the child has a smooth reentry into school. That make sense?
MR. ROTHSTEIN: Richard, do you want to comment on that?
DR. HARDING: Well, I would think that it would be much more - even more complicated, because you have parents who want to wish it away and say that he was suicidal a week ago, he had four days in the hospital, and let's just kind of get him back into school and let nobody know, and, therefore, it'll be like it never happened, or some parents who want to gather around all the troops and get as much help as possible, and then that is a parental decision that can leave a nurse dangling with someone who had attempted suicide four days ago, who now is back in the school without knowledge from anybody in the school.
MR. ROTHSTEIN: On the other hand, might it not also be the case that you have a child who does have some sort of behavioral or mental-health problem, maybe not of the dimension that you are talking about, and the parents are legitimately concerned about stigmatization, about the fact that mental health and health information in general may not be separated from other information, and that may become a self-fulfilling prophecy in terms of the teachers who would have access to this information, and for very legitimate reasons might decide, you know, I think we are doing an effective job of caring for that child at home, and - you know, in the private healthcare setting - and there's no point in notifying the schools. No good could come of it.
Dr. Cohn, did you want to comment?
DR. COHN: Yes. I just had a question about that, because I think you are bringing up an issue that I am sort of - back of my mind as I'm listening to this, and maybe this is really a question for Ellen, just because I'm - you asked an earlier question about sort of the commingling of records under FERPA, and just to make sure I understand how this might play out, the educational and the medical records are potentially commingled under FERPA. A student may have some sort of a medical problem or otherwise comes back to school, that information is communicated or put in that record, and then the student, later on, applies to go to another school, applies to college, applies to wherever. Now, does that - that becomes part of the permanent medical record - permanent record for the student, correct? Since he is available for sort of that - evaluation at that next stage. Am I missing something here?
MS. CAMPBELL: It could be that way. Under FERPA, there is no such thing as a permanent record. School can not have records, have records, throw them away once they have them, and there's no requirement that they be commingled or that they be separated, and, again, they could have their own local policy that we are going to separate these records.
Now, one of the exceptions to the general-consent rule under FERPA is school may transfer information to a new school that the student is seeking or intending to enroll, whether it be college or another high school. That is a permissive disclosure. The original school may or may not disclose everything. Sometimes they don't disclose anything because the parents owe them money. It is up to the local school.
We have a new requirement under No Child Left Behind that says the states now have to have in place a procedure for transferring disciplinary records. That is the only requirement, because a lot of times you have a problem, children going from one school to another. The new school doesn't know about the problem. So that requirement is there, but that doesn't - there is no requirement that they disclose medical records or other education records.
DR. COHN: Okay. Can I just ask Jane - I mean, should we be concerned? I mean, obviously - I'm a physician like you. I mean, is this a - we obviously want people to have the information they need, but is there an issue here?
DR. MC GRATH: And I think that is why we have both recommendations from the American Academy, that we include the school nurse, so that we can have appropriate sharing of information and so, for example, things like medication are properly continued across time, but, at the same time, we need to have more stringent requirements for schools in regards to health information, and I think we need to address, as well, the issue of what happens when a child does transfer and what happens to that medical record and how is it transmitted.
You know, there's a concern about, for example, your child's sports physical form, which, you know, all of us who are parents have had filled out. Where does that go? And, you know, what dusty locker in the gym does your child's medical record end up in?
So I think there are a lot of concerns, but I think if the goal is to improve communication - I mean, school is where children are during the day. They spend more active awake time in school than they do anywhere else, and it's critical that the school be able to respond appropriately to your child's health needs. At the same time, the school needs to be responsible in the same way that a health-care provider agency is responsible about how that information is kept and shared.
MR. HOUSTON: I guess I'm still struggling. Where do the changes need to be made? It almost appears like there's a bigger issue with regards to FERPA and the way that FERPA deals with medical information and making sure that it's appropriately managed through FERPA, and that there is some type of linkage between FERPA and HIPAA that sort of makes sure that some of these unintended consequences with regards to communication of information don't occur, but it really sounds to me like we're still B sounds like we are still dealing with predominantly a FERPA issue, from my simple understanding of this, and I apologize if I'm missing things, and I guess then, at the same time, I'm sort of questioning - because our purview is really the Privacy Rule under HIPAA is what really needs to be changed under the Privacy Rule. Assuming that FERPA were to deal with these issues more appropriately, how does the Privacy Rule need to change? And I guess - I'm stuck with exactly what do we do to the Privacy Rule to make it work, knowing that FERPA maybe needs to be improved.
MR. ROTHSTEIN: Well, I have a sort of a related question. While we are struggling for the - I mean, there is clearly an overlap in practice in many areas, certainly, in the college area, and we need to get a handle on the constraints that we have, the jurisdictional constraints of the statutes so we know what is fair game for changing by regulation and by whom and what needs a statutory amendment and the like.
Ms. Campbell, is there a federal advisory committee on FERPA?
MS. CAMPBELL: No, sir.
MR. ROTHSTEIN: There is not.
MS. CAMPBELL: No.
MR. ROTHSTEIN: Have there been any reports issued that might help us dealing with medical records under FERPA? I mean, has this issue been studied by the agency, by Congress by IOM , by GAO, OTA, somebody?
MS. CAMPBELL: To the best of knowledge, no.
MR. ROTHSTEIN: Really? Okay.
So, basically, you're telling us we are on our own. (Laughter).
MS. CAMPBELL: Well -
MR. ROTHSTEIN: Yes, okay. We've been there before. (Laughter).
DR. COHN: I was going to say, obviously, we'll be hearing from others after our break, but I guess in all of this stuff I'm wondering whether the issue of asking OCR to get more involved in working with the Department of Education to sort of figure out how all this plays together -
SPEAKER: Or even the CDC also, I mean -
DR. COHN: Well, I don't know. I'm not sure the - I mean, yes, the CDC has issues, but I hear they are more educational issues almost than anything else, but you're right. Maybe the CDC is a player in this, though, certainly, OCR is part of the U.S. Department of Health and Human Services. So, hopefully, they represent CDC interests, but it sounds to me like there is a need to sort of figure out how all of this comes together. Obviously, the questions I was asking were about -
MS. CAMPBELL: Well, I would like to point out that we worked with the Department of HHS over a year ago in developing - respective websites on the intersection, and it's still in clearance in HHS. So we are pursuing our own guidance, and we'll be putting that up on our website shortly.
MR. ROTHSTEIN: Okay. Thank you. Well, that is helpful.
Gail Horlick.
MS. HORLICK: Yes.
MR. ROTHSTEIN: Are you with us? Do you have any questions?
MS. HORLICK: No, I don't. Thank you.
MR. ROTHSTEIN: Okay. Any questions here? John.
MR. FANNING: I don't have a question, but I would like to provide the committee with some information about privacy-policy thinking in light of Ms. Dozier's explanation of the study of autism.
All privacy-policy inquiries over the years have supported the use of personal information for research and statistical purposes with identifiers without individual consent.
Now, they have typically required, as a condition of that, that there be careful analysis of the need for the information in advance and that there be an absolute prohibition on the receiver of the record against use of the record for anything but a research or a statistical purpose. Okay?
The Privacy Protection Study Commission in 1977 explicitly recommended that FERPA be amended to permit disclosure for research and statistical purposes. Okay?
That said, the public is not as understanding of this use of information as are the policy people who inhabit these committees, studies and commissions, and surveys do show that a very high proportion of people do want to be consulted before their records are used for research.
MR. ROTHSTEIN: Thank you for clarifying that.
Kathleen, do you have any questions?
Well, thank you very much to our panelists, and we will stand in recess for 15 minutes, and take a break and we'll have Panel No. 2 begin at 10:15.
(Brief recess).
Agenda Item: Schools - Panel 2
MR. ROTHSTEIN: I want to welcome you back to our second panel on the issue of schools and HIPAA, and we have three witnesses today, and I would like to take them in the order in which they are listed on the agenda, if that is okay with you, and we'll begin with Mr. Thomas Hutton.
MR. HUTTON: Good morning Chairman Rothstein and subcommittee members. My name is Tom Hutton. I'm a staff attorney with the National School Boards Association. I'm here on behalf NSBA and also its Council of School Attorneys.
NSBA is a non-profit federation of 49 state associations of school boards, along with the boards of education of the District of Columbia and Hawaii and some other U.S. entities, and COSA is an NSBA membership program that serves over 3,000 attorneys who represent public-school districts, state boards of education, associations and community colleges.
Dr. McGrath mentioned that she was not a lawyer, and I am here to sort of express the opposite - I am not a health authority. I am just a plain, old lawyer, and so my testimony will be a little different, perhaps, from the others that you'll hear this morning.
The fact that NSBA and the Council of School Attorneys are not specifically healthcare focus groups is perhaps a useful context for the subcommittee to bear in mind as it weighs how it can sort of further the intent of HIPAA with respect to K-12 education from the perspective of people who aren't focused mostly or solely on healthcare issues.
I want to start out by saying that DHHS is to be commended for recognizing that HIPAA's privacy regulations should not disturb or overlap the existing complex privacy regime governing public school education records under FERPA and, significantly, the many state privacy laws that are out there as well.
Schools do take their privacy obligations seriously, at least if the volume of inquiries we received about school obligations under HIPAA are any indication. We continue to receive a great many inquiries about HIPAA, and, as you know, there is a good deal of confusion. I'll pick up on comments from earlier this morning that there is a great deal of confusion persisting as to school privacies under HIPAA and where that intersection with FERPA occurs. One state department of education reportedly has counseled school districts in the state to await further federal guidance before expending precious time and resources on HIPAA compliance strategies because there is a significant degree of uncertainty out there.
I also think it is important to just get back to my point about sort of the non-focus entirely on health things. It bears keeping in mind, I think, when we are talking about the challenges facing K-12 education and school attorneys that the context in which they are operating right now is just fully dominated by the challenges of complying with the No Child Left Behind Act and the conditions which the act was enacted to address, and that is important when we are considering ways in which we can foster further privacy protections and that kind of thing to bear in mind that the full system from top to bottom - and you'll hear this from the state departments of education, and the U.S. Department of Education is so focused on this myriad of challenges that they are contending with that one more sort of federal regulatory approach is going to be difficult for the system - I don't mean to say that to sort of whine and say, oh, don't do anything and that kind of thing, but I think it's important to bear in mind as you consider recommendations.
In June of 2003, NSBA initiated a dialogue with the Office for Civil Rights, which we understood was in the process of developing some frequently-asked questions - I think it was alluded to earlier this morning - for schools, and we have been engaged in that process now for several months. The FAQs have not been forthcoming yet. They are eagerly anticipated by school attorneys and other school officials.
Not surprisingly, NSBA's object so far B and school attorneys have been - it is kind of ironic that the advent of HIPAA has sort of caused a lot of K-12 people to look at FERPA like an old friend. Confronted with this new whole regulatory regime, all of a sudden FERPA seems kind of familiar, and so there has been sort of a sense, I think, that, well, we would like as broad a FERPA exception to HIPAA as possible, because it is sort of what we know, and rather than sort of impose this new system on us let's go with what we know, and also to the extent that there is a lack of clarity between how the laws intersect, that is an understandable reaction also to sort of cling to let's just go with the familiar and not have to deal with multiple conflicting requirements.
I don't have time, probably, to go through all the minutia in my written testimony, but I did want to highlight a few areas that school attorneys think could use some real clarification.
I have also appended an attachment like Dr. McGrath did to her testimony which sort of lays out a whole lot of commentary and questions that we received from the field during the process of sort of trying to collect feedback for HHS.
Let me acknowledge that some of the questions we are flagging may have been addressed by HHS or perhaps can be discerned with some diligent research and analysis, but I think it is instructive to the level of confusion - to relay faithfully the kinds of things that are being asked and put out there, and if you are looking for somebody to sort of relay uncertainty, I'm your guy, because the time that I spent going into HIPAA and FERPA, I feel like I can represent very faithfully the degree of confusion that is out there in the field.
One thing that we were impressed with very early on when we started collecting feedback was the wide discrepancy of people's understandings about what HIPAA meant for K-12, and there are states that have basically told school districts, well, you have FERPA. HIPAA doesn't apply to you, and all the way to the opposite extreme where we hear school districts retaining very costly sort of consultants to help them revamp their entire system of everything based on HIPAA, and then you have sort of the range in the middle where people are recognizing that. In fact, HIPAA has implications for K-12. There is a FERPA exception that is pretty significant for schools and trying to weigh that a little bit more carefully.
One of the issues that is important, from our perspective, to get more clarity on is covered-entity status. Just as an aside, we note that there has not been a lot of attention to the role of schools as healthcare clearinghouses, which is one of the three covered entities. It is usually K-12 schools are looked at as maybe falling into one of the other two, but, in some instances, larger districts function as a healthcare clearinghouse for smaller districts that don't have the same capability of, for example, of seeking Medicaid reimbursement. So that area, we recommend that if there is additional guidance forthcoming from HHS it be addressed.
There is also - in our discussion with HHS, we have been told that they are viewing a distinction sort of between the employees of the school district and the school district itself as to covered-entity status. I can tell you that based on the analyses that we have seen out in the world and school lawyers, that concept is not readily sort of appreciated by the whole field. It is sort of seen as the school district is the entity, whether it is a covered entity or not, and not sort of a distinction between whether the healthcare clinic at the school or the nurse is a covered entity as distinct from the district. So if that is, indeed - that informs the analysis of a lot of other issues that we have raised here, and if that is the case, then that clarity on that issue is important.
The largest issue, of course, is the extent to which the education-records exception for FERPA - what the implications of that fully are for a school's obligations under HIPAA.
We have had a lot of discussion on that among school law communities, and, again, even if we have gotten away from the notion that HIPAA doesn't apply to schools at all, the extent that the FERPA exception addresses the world of records that are relevant and sort of eliminates any PHI on behalf of the school, you sort of end up at the same place, and there is a great deal of confusion out there about whether, in fact, all of our records fit into the FERPA education records, and, therefore, we don't have any PHI and we don't have any implications under the HIPAA Privacy Rule.
There is also a long list of the exceptions to FERPA education records and how HIPAA plays into those things, oral communication or information gleaned from first-hand observation; the issue of sole-possession notes, which was addressed earlier; law-enforcement records; records pertaining to student employees. There's an awful lot of sort of confusion about - I'll throw out one example. The sole-possession notes, there's a lot of analysts that have said, well, the same rationale HHS used to exclude the records of certain adult students from HIPAA's privacy rules sort of applies to these sole-possession notes that schools have. So wouldn't it be the same thing there? And you see commentary back and forth on that.
Another issue that is out there that I haven't seen much commentary on from either HHS or the Department of Education is a Supreme Court ruling in 2002 in Awaso v. Falvo(?), which, basically suggested that the definition of education records under FERPA is much narrower. There hasn't been any followup to that to sort of give us clarification, but the Supreme Court basically said that they envisioned education records under FERPA being maintained by sort of a central custodian of the schools, which is not necessarily the way that it plays out in a lot of school districts, and, in the absence of further clarity about what the Supreme Court meant by that. That sort of potentially throws a great deal of uncertainty into a school's understanding of the extent to which the education-records exception under FERPA gets them out of different HIPAA implications.
Medicaid billing is probably the longest list of questions in our appendix, whether billing from Medicaid - I think Ms. Dozier mentioned this morning, that it may have implications for the Transactions Rule, but does that also have implications for the Privacy Rule? And there's a great deal of uncertainty about that issue out there and whether - Okay. We have to do the Transaction Code Sets - that we understand - but do we also have to deal with all the HIPAA privacy complaints, by virtue of the fact that we are billing for Medicaid reimbursement?
There has been a good deal of discussion about whether all the ancillary sort of administrative obligations about assigning a privacy officer and all those kinds of things apply to a school that either does not have PHI - protected health information - or that does not use or disclose PHI in a way that would trigger HIPAA privacy obligations, and so there is a great deal of confusion on that issue as well.
School nurses and school health clinics, I alluded earlier to the distinction between whether those are the covered entities or the schools are the covered entities, but there is also a constellation of issues around whether the school nurse is an employee of the school district or perhaps a county department of health who is in the school and does that have implications for whether it is actually the school board or the county department of health that is a covered entity with HIPAA obligations, and you see a lot of discussion about that issue as well.
The immunization issues were already flagged this morning.
Drug and alcohol testing is another issue that is out there, and because there is a lot of sort of attention to that politically right now, that could be a looming one.
Other speakers here are more capable of addressing some of the complications that have arisen with respect to dealing with third parties and whether school nurses and school officials can get information from outside physicians and that kind of thing, but that is - we get a great deal of feedback from people saying that is an issue.
So our sort of message, by and large here, I am not prepared to weigh in to discussions that you had in the first panel about, well, we'd be better off just having HIPAA or we'd be just better off having FERPA. I can just invade - the plea from the field, from local communities that we hear is just clarity about where one ends, where one begins, not having three systems of privacy regulations, but having one and sort of sorting that out for us.
As I said, the field has been waiting eagerly for the FAQs that were to be coming out of HHS. We have a few recommendations aside from sort of the substance of the issues that I flagged, and one of them - it was very positive to hear Ms. Campbell say this morning that, in fact, the Department of Education is sort of taking a look at the HIPAA things, because that was one of our recommendations that we are not privy to the degree of collaboration that has occurred between the departments, but, from the local perspective, you sort of have a silence from the normal sources of your information, which is the Department of Education at the national level, and then your state department of education, and it doesn't seem like there's a coordination of information about where HIPAA ends and where FERPA begins for schools from the normal sources of information they have for the department. So to the extent that there is collaboration and the information is being put down through the Department of Education and the state departments of education, that can help clear a lot of the uncertainty up more quickly, from our perspective.
I will be happy to answer any questions. I rather suspect I may have more than the subcommittee, but the bottom line for NSBA and for the Council of School Attorneys on this kind of issue is as you go forward with making recommendations to the department that there is - really where we are in terms of the local level of understanding of what is entailed here is perhaps several steps back from what you heard from the panel earlier this morning, and that is important to bear in mind as you deliberate on how best to help K-12 schools fulfill their obligations under the act.
Thank you.
MR. ROTHSTEIN: Thank you very much, Mr. Hutton.
Our next witness will be Ms. Schwab.
MS. SCHWAB: Thank you.
Good morning, Mr. Chairman and members of the subcommittee. My name is Nadine Schwab. I am representing the American School Health Association - which is an interdisciplinary school-health organization - as an expert in school-health issues related to privacy, confidentiality and student-health records. As an aside, that means I am an expert in practice, complexity and confusion, not on HIPAA or FERPA, per se.
Thank you for the opportunity to testify on the impact of the HIPAA Privacy Rule on schools, in particular, its impact on school attendance, student safety and learning and parent-school-physician communication.
In preparation for this hearing, I solicited and received within the past two weeks current information from American School Health Association leaders, as well as state-level nurse consultants from state departments of public health and education and school nursing leaders across the country.
The issues I will address are those with significant negative impact on student learning and health and on the resources of families in public schools.
We believe these negative outcomes are due primarily to misinterpretation of the regulations and inadequate guidance, not to the regulations themselves.
Before addressing those concerns, it should be noted that HIPAA has had a positive impact on school-based practices related to records and confidentiality, albeit small and mostly indirect; that is, through the questions, diverse opinions and conversations that it has generated.
Many school health leaders welcomed the HIPAA privacy standards, and, indeed, had hoped that they would apply to health records of children and youth in schools, in order to ensure consistent minimum standards and practices across settings and to clarify conflicts among laws as alluded to by Attorney Hutton.
FERPA was enacted before children with significant physical, developmental, behavioral and mental-health conditions attended school and before schools became providers of a wide variety of health and mental-health services in order to support student learning.
Even today, records, including third-party medical or psychiatric records, as a subset of - I'm sorry. FERPA does not address student health records, including third-party medical or psychiatric records, as a subset of education records, nor does it provide sufficient direction for appropriate protection, disclosure and use of these health records within the primary and secondary schools.
Now, I return to the impact of the HIPAA Privacy Rule on schools, students and families. First, and foremost, students are still being denied attendance in school and parents are losing time from the workplace because physician offices and clinics refuse to share immunization and mandated physical-assessment information with school nurses or other school officials.
Despite the fact that these health requirements - that is, immunizations and periodic physical assessments and screenings, such as tuberculosis screenings - are driven by public-health policy and constitute the only real barriers to school attendance for most children. State public-health officials have generally not interpreted such information to fall under the public-health exceptions to the authorization requirements of the Privacy Rule. Furthermore, they have not included school nurses or school physicians as extensions of the state and local public-health system, despite the fact that these school-health officials have traditionally been considered public-health professionals, are generally the school officials responsible for school district compliance with public-health mandates, and are expected to report to public-health authorities communicable disease data and related problems - de-identified data - that occur in the school communities as required by state law.
Where school nurses and physicians are not considered an extension of the public-health system and where states have not enacted a law to circumvent these problems or issued specific guidance to the contrary, which is still the majority of states, HIPAA authorization is required for physicians and clinics to share mandated immunization and physical-exam data with schools. This negatively effects schools, students and families as follows:
Public schools are in a difficult position when they are both prohibited from denying children access to school and, at the same time, are required to deny them access if they have not complied with the public-health mandate.
Further, there is a significant drain on school-district resources when students loose time and miss instruction in the classroom and when school-health personnel spend significant portions of their time in tracking public-health mandates, rather than providing student support services, especially when paperwork, not the students or the public's health, is at issue.
In many instances, it is the paperwork - the right form and getting it to the school in a timely fashion - that are the problems. Many physician offices and clinics now refuse to fax the state-mandated immunization or physical-exam forms to schools, a past practice which allowed students same-day entry into school, and many will not accept parent-signed school authorization forms for the release of that information, even if our forms meet the authorization requirements of HIPAA. School personnel must then spend considerably more time in communicating with parents and convincing them to retrieve the form from their physician and hand-deliver it to school.
Students, above all, are negatively impacted by these HIPAA-related communication problems when they are delayed in starting or prohibited from continuing in school. It can be disastrous for our most vulnerable students who can least afford time away from the classroom and learning. These are often the same students whose families have the least resources available to learn about and comply with the requirements of these various laws and the paperwork that goes with them. Students suffer the consequences.
Families, too, are negatively impacted by the lack of clarity and misunderstandings related to permissible communications between schools and healthcare providers about these mandated health requirements for school attendance.
Many parents have been told that their oral, over-the-telephone or faxed authorization to allow the child's healthcare provider to release their child's immunizations data to school nurses is insufficient and that they have to drive to the provider's office, sign the provider's form and hand deliver the immunization record back to the school themselves.
Some providers have refused to accept a faxed authorized form for release of immunization data to school even when the authorization was executed by the parent on the provider's own form.
These reported incidents have happened all over the country and are still happening. For example, one state consultant reports in remote parts of the state where physicians are scarce or non-existent, parents have been required to drive hundreds of miles to the doctor's office to pick up, in person, their child's immunization records. Others report different, but equal impediments to school-provider communications within suburban and inner-city communities. Some families do not have phones, drive cars or understand English, and many single and working parents can ill afford absence from their jobs, especially to taxi HIPAA-compliant forms and immunization records around town or country because providers refuse to comply with their request to fax to their child's school immunization or other health information mandated by law. Better they save absent days for times when their children are truly ill and need to be cared for at home.
It is critical that we remove these artificial barriers to school attendance and necessary communications between schools and healthcare providers. These barriers can be eliminated through guidance to state health departments and providers clarifying that:
One, school nurses and physicians should be recognized as public-health professionals and extensions of their state's public-health system, regardless of whether they are employed by school districts, health departments or other healthcare agencies.
Two, that school nurses should be included among the healthcare providers who can access and contribute to state immunization registries.
Three, that release to school nurses and physicians of records demonstrating compliance with state-mandated health requirements for school attendance is permitted under the public-health policy exception to the Privacy Rule's authorization requirements.
And, four, that immunization data may be faxed from a HIPAA-covered entity to a school.
The second major area in which HIPAA-privacy regulations continue to have a serious negative impact on schools, students and families across the country relates to communications between healthcare providers - that is, physicians and clinics - and school health professionals, but not only school nurses and physicians, also other school health professionals - physical therapists, occupational therapists, speech-language pathologists, clinical psychologists and school psychologists - regarding the health-care treatment of children in school who have acute and chronic-health and mental-health conditions.
There are large numbers of students today who need special healthcare services during the school day for medication administration for asthma, anxiety, depression or anaphylaxis to feedings by gastric tube, oxygen administration, IV therapy, respirator care, physical therapy, mental-health counseling and specialized behavioral-modification programs.
School health professionals - for example, school nurses - cannot administer many of these treatments without a medical order from the healthcare prescriber. In order to meet safety standards and licensure requirements in nursing practice and to protect clients, nurses must be able to communicate about an order directly with a prescriber to question the order, explain school-setting issues that may effect the prescriber's judgment about the order, report adverse and therapeutic effects and so on. It is under the state licensure laws that these communications for treatment purposes were previously assumed permissible and desirable that have now been shut off by interpretations of HIPAA.
Based on their interpretation of HIPAA, many physician offices and clinics now refuse to discuss with the school professional the medical order they are asking that same professional to administer. Many school health leaders report that healthcare providers cannot disclose treatment information to school health professionals because schools are not covered by HIPAA. This situation is extremely hazardous to schools, students and families for the following reasons:
Schools are negatively effected because their personnel are being asked to deliver services to students without adequate communication with the healthcare providers who are prescribing the treatment or care. This interferes with the ability of those professionals to meet minimum standards for the care and safety of their client.
While schools can and do pursue authorization for such communications, sometimes there is a significant delay between the expected implementation date of an order and the date when an authorization form is executed and accepted by both the school and prescriber B executed by the parent and accepted by both the school and prescriber.
Sometimes, usually in contentious situations, parents refuse to sign such communication requests, yet expect school health professionals to follow the medical orders of their child's physician.
Students are placed in significant jeopardy when prescribers and health professionals in schools are not communicating and collaborating about the healthcare treatments that are expected to be provided in school.
Delays in or lack of communication regarding healthcare treatment can result in delayed treatment, treatment errors and poor care, all of which are likely to negatively impact the student's health status and learning in school.
Sometimes, students may be kept out of school until authorization is completed for communications regarding treatment orders.
Families are also impacted when their children are denied appropriate care because of these inadequate communications.
And, once again, parents should not need to taxi HIPAA authorization forms from physician office to school before a treatment order can be implemented for their child.
To remedy this problem, guidance is desperately needed to clarify whether healthcare providers who are covered entities can disclose protected health information for treatment purposes using the minimum-necessary standard to school health professionals or other school officials in schools covered by FERPA.
To clarify whether HIPAA-covered entities can accept the written and signed request of a parent to disclose certain health records to their child's school for educational planning purposes, if that request is on a school-disclosure form, rather than the covered entity's own form, even if it has - but if it has all the HIPAA-required elements of a valid authorization form and to clarify whether HIPAA-compliant entities can fax authorization forms and health information to schools and under what circumstances.
There are many other areas at the HIPAA-FERPA interface where healthcare providers, schools and school-health professionals need additional guidance.
For example, is it true that schools engaging in the electronic transmission of student health data for Medicaid-filling purposes are required to meet the requirements of the Security and Transaction Rules, but not the Privacy Rule? While that is the response many of us heard at the OCR National Conferences on the Privacy Rule last year - at least in regard to the Transaction Rule - differing opinions on this issue remain rampant and states are grappling with the answer one by one.
If that statement is true, is the school district required to keep a duplicate set of records for Medicaid, HIPAA privacy or other reasons.
Finally, I wish to offer one additional suggestion which would require long-term collaboration between the U.S. Departments of Health and Human Services and Education.
In reality, school health records, including any third-party medical or psychiatric records, should be afforded the protections due both education and medical records. Therefore, many of the implementation problems related to schools might best be resolved if FERPA could be updated to be more consistent with HIPAA and more directive in identifying minimum privacy standards for the use and protection of student health information, including oral communications, the minimum-use standard, staff training and enforcement requirement and related security.
Consistent standards across settings would enhance the privacy, confidentiality and security of student-health records, improve district practices and promote trust, communication and collaboration among families, schools and healthcare providers.
Thank you.
MR. ROTHSTEIN: Thank you very much for that testimony, and I know we'll have questions for you as well.
And our final witness on this panel is Martha Dewey Bergren.
MS. BERGREN: Thank you.
Good morning, Chairman and members of the subcommittee.
I am Martha Dewey Bergren, Clinical Assistant Professor at the University of Illinois, Chicago, College of Nursing. I'm nationally certified in both informatics and school nursing and have followed the development of HIPAA regulations and its impact on school nursing since its inception.
I am the Co-Chair of the HIPAA Advisory Committee to NASN, and I represent the National Association of School Nurses today and over 10,000 grassroots school-nurse members who have sent me many comments and emails which I will share with you today.
As you know, education records are exempt from the HIPAA Privacy Rule and school health records are educational records and protected by the Family Education Rights and Privacy Act.
School nurses have several responsibilities to school children in their families that have been effected by FERPA, by HIPAA. To protect citizens from preventable communicable disease that causes morbidity and mortality, schools have, over the century, successfully enforced public-health mandates by requiring proof of immunizations for school entry.
School nurses act as case managers and provide treatment and health monitoring that allows medically fragile and chronically and acutely ill children to be educated in the least restrictive environment as mandated by IDEA.
Children in schools have the same diagnoses, treatments, healthcare needs that you all see in acute-care facilities. Treatments for children in schools include suctioning tracheotomies, urinary catherization, monitoring ventilator settings, administering gastrostomy feedings and administering very complex medications to a wide variety of children with chronic illnesses.
And one thing that I did want to point out also is that school nurses are frequently responsible for the zero to six-year age group prior to kindergarten, and that the records of those children also contain a lot of family-health information - for instance, maternal labor and delivery, use of alcohol, drugs, et cetera, during childbirth - as assessment information that leads to why a child is not developing correctly and might need some additional special education in the early childhood age range.
School nurses also collaborate with educators and primary-care providers to identify the source of healthcare problems that interfere with learning and to design individual effective education plans, healthcare plans and emergency plans.
Nurses also function to enhance the ability of students to attend school and achieve in the educational setting, and we collaborate with primary providers to provide a safe and supportive school environment following injury, hospitalization and illness. We communicate with educators and providers regarding the child's health status and whether or not they can fully participate or participate with restrictions in music, athletics, physical education and academics.
Prior to HIPAA, primary providers and health departments communicated and collaborated on all of these matters regularly. It was nothing to pick up the phone and call a physician and confirm an order, have them fax a clarification of a dosage that we were not familiar with. Nurses could verify immunization dates with physician offices and local health departments, get health-maintenance parameters over the phone and consult with providers regarding assessments for learning problems.
Since HIPAA regulations, school children have suffered as a result of misconceptions regarding communication of personally-identifiable health information with schools. Nurses from all over the country have reported the refusal of HIPAA-covered entities to communicate with them directly, and this stack of emails reports the following situations:
Physician offices, hospitals and health departments refusing to honor HIPAA-complying authorizations initiated by schools, releasing PHI only to parents and only in person.
Some HIPAA-covered entities will only release information with their facilities release forms, requiring school nurses to maintain a file of 25 to 30 release forms specific to healthcare providers or agencies.
And, earlier, Mr. Houston asked why would it not be possible to get an authorization at the beginning of the school year for the children who have chronic illnesses, and many of these children have seven-eight different specialists covering their care because of the different systems that their diseases cover, and frequently parents seek other specialists during the school year that wouldn't have been covered in that initial release which is signed at the beginning of the school year.
HIPAA-covered agencies are refusing to accept faxes or send fax information to schools, citing HIPAA, and providers are refusing to confirm or discuss treatment orders, immunization dates, physical-exam dates, activity restrictions or health accommodations with school health providers.
And how has this then effected students and their families? It is estimated that thousands of students have been excluded from school due to missing immunization dates required for school entry or attendance. Students have been re-immunized when the barriers to obtaining the information are too burdensome for working parents, rural residents or families who have relocated significant distances from providers who administered the immunizations. Students have had to return to school following an illness or injury - have had to return delayed due to the inability of the nurse to provide treatment without knowledge of the student's health-problem restrictions or physician's orders, and students have returned to school without needed medication or treatments for their chronic or acute health conditions.
Parents have missed work to drive or take public transportation to physically travel to providers, obtain the records and physician orders for treatment and then re-transport them to school, and parents have also missed work to travel to school to administer medications or administer treatments because of the nurse's inability to obtain physician orders to administer or have been unable to clarify treatments or doses over the phone or by fax.
One nurse in Illinois estimated that 75 to 100 of 275 students were excluded and missed school days this year due to missing immunization verification.
Health departments in some jurisdictions have conducted vision and hearing screenings for schools for years, and, now, since HIPAA, they are refusing to share the results of those screenings with school officials, so that school health authorities can provide followup and even accommodate, say, a child with a vision problem by moving them to the front of the room.
School nurses repeatedly report providers refusing to verify indistinguishable dates on the documents that provider generated.
Many nurses report that many parents provide reports of physical exams that are required for school attendance or for participation in athletics or physical education, but that the date of the physical exam is missing. Providers who conducted the exam refused to verify the date of the physical exam, and this is all new since HIPAA.
Restrictions on physical activity, such as no physical education for two weeks, are sent to schools without the reason for the restriction. One nurse had a physician order for a child returning to school to participate in physical education as tolerated. When the nurse called for clarification, she was told due to HIPAA, the provider could not reveal the child's health problem nor what body system it effected - respiratory, cardiac, orthopedic.
There was a situation - and this is just as an example - of a child that returned to school with a central line, unbeknownst to the school nurse, and the child was found sitting in an abandoned auditorium because they didn't feel well. The school nurse found out about this after the fact, didn't know that the child had been admitted to school with a central line.
Some physicians not only require to have the parents come to the office to pick up the orders, but require the parents to schedule an appointment to counsel them and thus delay student treatment, attendance and assessments for education.
One health department in Southern Illinois refused to share immunization data with schools because immunization data is not for treatment purposes and not exempt, but stated that the school must share any health information in the ed record because it was for treatment purposes and did not need a parent authorization.
And then one situation that I found particularly ridiculous was a school nurse from Delaware reported that a highly-regarded tertiary medical center, which cares for many Medicaid recipients and uninsured students, called a school health office to request that a nurse read a PPD that had been administered in the facility, but refused to tell the nurse the date and the time the PPD had been administered, thereby making it impossible to read it at the 72-hour mark whether the child had a positive or negative reaction.
While some facilities are overreacting to the HIPAA Privacy Rule, many facilities are aware that they may share health information for treatment, but are aware also that they are not required to share it without authorization.
Primary providers cite that they are permitted to have more restrictive information privacy policies than the minimum required by HIPAA, and they admit to school officials that their office's stringent restrictions on sharing, since HIPAA, have greatly decreased the time and greatly decreased the workload previously spent collaborating with schools on schoolchild healthcare and immunization compliance.
HIPAA-covered entities frequently cite their inability to share PHI with schools specifically because schools are not HIPAA-covered entities, and one facility specifically cited FERPA as not providing HIPAA-level privacy protection. While HIPAA provides direction to school health providers on how to protect patient privacy, FERPA does not provide guidance to schools on how to protect family and student privacy. Schools are left to interpret who has a legitimate educational interest to access a student's educational records without authorization, and including the health records. Some schools interpret this narrowly and others interpret it quite broadly.
FERPA was written in 1974, prior to the inclusion of medically-fragile or disabled children in schools and does not differentiate between the voluminous and sensitive health information and family health histories that are collected and stored to provide educational and health services.
FERPA also does not address the storage and security of this information in the school electronic data bases or servers, nor does it mandate confidentiality training for educators or school health employees.
School districts engage in HIPAA transactions when they electronically bill for nursing care and other health services in schools. In fact, some states mandate that schools seek reimbursement for health services.
Health and Human Services sources have stated that education records, even when submitted as a HIPAA-covered transaction, are exempt from the HIPAA Privacy Rules, but are subject to the Transaction Rules and Code Sets. However, this information has not appeared in the form of technical guidance and many schools have been advised by legal counsel that engaging in a HIPAA transaction automatically qualifies a district as a HIPAA-covered entity, and, therefore, subject to the Privacy, Security and Transaction Rules.
And HHS, on direct questioning, has been silent on whether or not the security rules apply to HIPAA transactions conducted by schools.
There are several areas where guidance and direction is welcome: Written technical guidance on the submission of electronic transmissions for reimbursement; an exemption of the immunization records from HIPAA Privacy Rules in the interest of national public health goals; an exemption of public screening data collected for the detection of easily-preventable disabilities that interfere with learning - for instance, vision and hearing; a stronger, clearer directive to help providers that HIPAA not interfere with the provision of care regardless of the setting; a stronger, clearer directive that what constitutes reasonable safeguards when the provision of non-sensitive information, such as physical exam dates, are requested for school entry or participation in athletics and academics; a clear, definitive statement that HIPAA-covered entities shall communicate with health providers, including those who provide healthcare in schools to provide treatment to clients; a definitive statement that HIPAA does not bar transmission of PHI via analog fax machines, and a statement that analog fax transmissions do not qualify as HIPAA transactions; and one thing that I think is antithetical to HIPAA, in terms of administrative simplification, including some directive prohibiting the refusal to honor HIPAA-compliant authorizations. Requiring a school to use an agency-specific authorization form is not in the spirit of administrative simplification.
The National Association of School Nurses thanks the subcommittee for inviting us to testify on the impact of the HIPAA Privacy Rule on the ability of school nurses to provide quality healthcare to children and to increase the attendance and educational achievement of this nation's children. Thank you.
MR. ROTHSTEIN: Thank you very much for that testimony, including all these examples that you provided.
Strikes me that this panel was a little different from the first panel in that the first panel raised very complicated issues of construction of the regulations and the overlap or non-overlap of HIPAA and FERPA or the limitations of HIPAA or whatever to - just from my very quick reading of your testimony, I think the statute and the regs are clear and have clear answers to 90 percent of your questions. The issue is how are we going to get the word out to people, so that they don't hold up process by saying they can't accept the facts or what have you, and so, at least for me, those are the kinds of issues I would like to explore with this panel.
But I will open the floor for questions. John, would you like to assume your usual role?
MR. HOUSTON: Yes, thanks. Maybe I am going to make as much of a comment, too.
I'm disappointed that it seems like there's epic cues in the system in guidance that is necessary, and that there is a lot of - a lot of what is happening, clearly, when I listen to the testimony and read through the testimony, it doesn't make sense that it should be this way. It was never intended to be this way, and it's troubling to me, and I am also troubled by the fact that it's clear from Martha's testimony that providers are using this as a reason or an excuse to maybe avoid having to do work that, frankly, they should be doing, because they are the patients.
I guess one question I do have is - and I think I know the answer, but I'll still ask it - is it appears to me, from earlier testimony and your testimony, that the big hole is still the alignment of FERPA to HIPAA and ensuring that there are no gaps and that FERPA works well and aligns then to it.
Just, again, any specific recommendations as to what you think needs to be done within our purviews as well as your thoughts on additional modifications to FERPA? I know some of it, you touched on in your testimony already, though.
MS. BERGREN: Well, both Nadine and I are actually on a national confidentiality committee for student health records that has issued some suggestions on, for instance, separating health records from educational records, has made some other suggestions to - in terms of policy for protecting health records in the school setting, creating a higher standard that meets HIPAA-level protections for health records in schools, a lot of what Dr. McGrath mentioned this morning.
Nadine, do you want to add to that?
MS. SCHWAB: You just made me think of something that I really need to say. We can't really separate health records in schools from educational records because educators need this information in order to serve students well in school. So we need to be clear that although a lot of the issues that we have talked about are with the school health professionals - my boss, for example, who is the special ed administrator in the school district, she needs that information to know that we are providing appropriate individualized education programs for students with special needs. So I just want that as a piece.
MR. ROTHSTEIN: Excuse me, but there might be a difference between separating the two types of records and limiting access to them. So, in other words, it might well be that a special ed coordinator would have a legitimate need to have access to both kinds of records and you could still have them separated, right?
MS. SCHWAB: And we absolutely agree, and this task force that we are on, the document that we are working on is actually going to come out with some guidelines to policy and administrative procedures that school districts could follow using a lot of the HIPAA standards, you know, as policy.
The problem is that doesn't necessarily drive those school districts that perhaps need it the most. It will help those of us who know that we need to be doing a better job in this area.
I do think that clarification to the field is extremely important, and I also just want to reiterate that FERPA does not sufficiently address protections in appropriate use of health records in schools, and that needs to be taken care of.
MS. BERGREN: One inquiry that I had earlier this year was from a school district in Southern Illinois that wanted proof that they actually had to have a locked file cabinet for health records, and I had to research. I mean, there's just basic not understanding of - because FERPA doesn't give any direction, it just says protect families' education rights. School districts interpret that very loosely or tightly depending on what their orientation is, and I do think that there is more direction needed on protecting health information in schools.
MS. SCHWAB: Can I just add one thing? On the side of the educators, they - unless they are special educators, they really have no preparation around confidentiality, privacy. They don't understand health records, laws whatsoever. So they are really functioning from a place where they don't have any education about this.
MR. ROTHSTEIN: Do you think that it would be an appropriate subject for in-service training for teachers? I mean, it used to be, in the old days, you had your special ed teachers and you had your regular teachers, and, now, with so many kids with special needs being mainstreamed that it suggests to me that every teacher needs this kind of training.
MS. SCHWAB: Every teacher, and I think your school administrators need a great deal more depth in this area than they are getting in their current preparation.
MR. HOUSTON: But it sounds like a huge void relates to guidance to providers, covered entities as to what they are permitted to do and the like, and I think we need to find out what is the status of the FAQs and what is the depth of the FAQs.
And the other thing I might - let me ask you a question in terms of the authorizations, because I still think an authorization is still a hugely-important thing here that - and if there is a way to make it work, I guess I would think that is one thing we need to try to do, and I guess a question is is there any interest in or do you think there is any capability to develop a model authorization that could be supported by whatever association that could be used to maybe prevent some of this dueling authorization-form issue?
MS. SCHWAB: We actually have - some of us in some of the states have developed model authorization forms that would be HIPAA compliant that schools could use, and in some places and with some providers, that works, but others are just saying, no, no, we can't take that. It's not our form. So, again, it comes down to needing guidance that, yes, you can.
If there was a model form that everyone would use and just could put their heading on, I mean, I think that that would help, although I don't know if everyone would adopt it.
MR. HOUSTON: I think that some of the stuff that HHS has done with respect to sort of trying to get resources, FAQs and sample forms and that kind of stuff to physicians, if there were school-specific things like that, as opposed to talking about the physicians interacting with the schools, but the schools don't have that same level of sort of detailed, here's an example of - and when there is still this level of uncertainty about some of the macro-issues out there, it's hard to get down to the level of getting those things, because they are still trying to figure out, well, do we even have to deal with this law? Are we just FERPA and we don't have to deal with them?
MR. ROTHSTEIN: Let me ask all of you this question. I know you all are representative of national organizations and we appreciate your sharing with us some of the horror stories, if you will, but I want to ask you if maybe you could share some success stories if you are aware of any. So, in other words, are you aware of localities or school districts or groups of your members who, for example, work together with the local medical society or the local association of pediatricians or whomever to talk about these issues, to get some programs jointly developed and maybe that we could use as sort of models or to point to the kinds of things that should be encouraged throughout the country?
MS. SCHWAB: One of the things that has been done that I think was extremely helpful was in Massachusetts. The State Department of Public Health actually issued guidance about the immunization, that public-health-mandated information, and some frequently-answered questions, which has been very helpful in Massachusetts, so that Massachusetts providers in schools have that information to go on. So I would look at that.
I think the Oregon Attorney General just came out with an opinion about the question of whether or not the schools that were Medicaid billing were not subject to the Privacy Rule, but were subject to the Transaction Rule, and I can't remember what it said about Security Rule, but that was, I thought, very well done and would be a nice thing for HHS to kind of mirror in a technical-assistance guidance.
MS. BERGREN: I was told that there are places where things are working well, but the focus of the search for stories was what is not working, and I could go back to those people who said that there are some situations that are working well and just ask what the model was.
MR. ROTHSTEIN: We would very much appreciate that, because we would like to support those kinds of efforts. I'm not sure what went on there, but we would certainly like to see the successes replicated elsewhere.
DR. HARDING: Being very cognizant of Mr. Hutton's comment about not one more darn thing, please, and then thinking about the 1974 FERPA law that - you know, it's 30 years ago, and I remember 30 years ago, and there weren't the same kids in school 30 years ago. I mean, it wasn't - the kids, like the central line, that would have been an intensive care. It wouldn't even have been allowed on the regular unit of pediatrics 30 years ago. So it is a different world, and to kind of lay things at the foot of a 30-year-old law makes me a little anxious, I guess, and makes me feel not - I mean, several people said, please don't mess with FERPA, you know. That is something that is solid, and we know, we know the game well with FERPA and HIPAA is complicating things, but it just seems like it is going to be necessary to relook at FERPA, if FERPA is going to continue to have its preeminence and so forth.
MR. HOUSTON: I think there may be very compelling reasons why more privacy protection is needed and more clear sort of communication rules for student-health information in a sort of post-IDEA world are there. I just throw the cautionary note out, not to say we shouldn't even consider that, but just the context in which it has to be pursued is give it to us in clear form that we understand, don't impose another huge level of regulatory stuff, and in the world of No Child Left Behind, another big federal regulatory thing without sort of clarity and resources attached is just going to be explosive, and so if it is thought through well and it actually makes schools' lives easier, because it clears up this level of confusion, and there is a lot of administrative sweat being poured out trying to figure this stuff out.
So, you know, it can be done in a way, I think, that - and the very compelling connection that is made between the sort of what in some people's minds who aren't in healthcare and in privacy kinds of things are sort of these esoteric kinds of privacy things, but when you make it to a connection to sort of a local school-board member about it's about student health and safety and academic achievement and all those - then you are speaking their language and the case is compelling, but it just needs to be made in a clear way, I think.
MR. ROTHSTEIN: Other questions from - Richard.
DR. HARDING: The other part, and it's something that John Fanning was talking about during the break and was brought up in your testimony, is that we have to come to a way to not allow the law to interfere with good patient care. We can't allow that, and, you know, you die with your rights on or whatever the term is.
You know, when push comes to shove, the best thing for the patient has to be done, and to heck with the law, and that is - I don't know how to codify that exactly, because that is a very difficult - and many people would have different interpretations of what is best for the patient, but somehow or other that has to come forward. I don't know how to do that.
MR. ROTHSTEIN: Any further questions?
Gail, are you still with us?
MS. HORLICK: Yes, I am.
MR. ROTHSTEIN: Any questions?
MS. HORLICK: No. No, I don't have any questions. Thanks.
MR. ROTHSTEIN: Just soaking it all in.
MS. HORLICK: Well, yes, I did want to comment that the Massachusetts memo that was referred to, the subcommittee actually has. I think I provided that to you in November.
MR. ROTHSTEIN: Okay. We will dig that out of our files and take a look at Massachusetts.
MS. HORLICK: I guess one other thing that was going through my mind, you know, Mark, you mentioned earlier that the rule is quite clear in some places, maybe about facts or whatever. What we at CDC found helpful was to put together some Q&As that were either directly from the rule or directly from the FAQs that were on the OCR website, and just the one or two page memo with something that could be handed to the providers, and even though the information is out there, that was helpful with our - the F CNA six(?) visits and maybe something similar could be tried.
MR. ROTHSTEIN: Well, the kind of thing that I was thinking of was maybe if the county medical society and the school board would put together a joint publication that said - you know, dealing with school health issues, and it may well be that the physicians would give greater credence to a document that was sort of co-produced, endorsed by an organization of which they were a member, than to come in and just hand them another piece of paper, either from the schools or from the government or something like that.
MS. HORLICK: Right.
MR. ROTHSTEIN: I don't know, and that's why -
MS. HORLICK: Oh, yes, but either - you know, even just - yes, I can certainly see that, but something saying that the specific authorization - the HIPAA-compliant authorization doesn't have to be on the provider's own form. I mean, that would go a long way, if it had the proper credence.
MS. SCHWAB: And I'm not sure that the local or even state provider groups getting together with schools will do it, because there is not enough guidance coming - there is still confusion coming down from state departments of education, state departments of health, et cetera. So -
MS. HORLICK: Well, perhaps they could prepare a document that would be reviewed by OCRs -
MS. SCHWAB: If we had something - right.
MS. HORLICK: - have the official blessing.
MS. SCHWAB: Then they could adapt something.
MS. HORLICK: Right.
MS. SCHWAB: That would work better.
MR. ROTHSTEIN: Yes, I mean, let's assume that tomorrow the OCR FAQs regarding HIPAA and FERPA and schools come out, then some locally-endorsed statement incorporating that information, and maybe some sort of meeting - joint meeting to deal with these issues. I mean, just hearing the list of this just made me sad. There are enough sort of difficult, insoluble kinds of problems that we have to deal with without problems that shouldn't be problems, and they are getting in the way of the education of kids or their health care.
MS. BERGREN: I think that some of the direction - I'm going to echo Nadine - does need to come from OCR, and the reason that I say that is that fear is driving a lot of the physicians' and providers' refusal to share, fear of the penalties. It's per incident of releasing information inappropriately, and in these small physician practices, they have a very small staff and are in rural America. They can't handle that level of a fine and that penalty, and, believe me, that was hammered in the little session they sent their office manager to on HIPAA a year-and-a-half ago. You know, believe me, the fines carry a great weight, and that's why I think that having some technical guidance specific to communication with schools from OCR would be very helpful to diminish that fear of financial penalty and jail time.
MR. ROTHSTEIN: And, of course, one of the things that this subcommittee and full committee recommended a while ago was that there be a special section on the OCR website for schools as well as a special section on all other kinds of issues where you just click on and get the official word on school issues or you click on and get the official word on law enforcement or whatever the issue might be, and we are still hoping that may come about in the future.
Any other questions?
Well, I want to thank all three of you for joining us and sharing that information, and, again, if you have further information that would be helpful to us B and, personally, what I would like to see is the great success that you can point to that we can sort of endorse and support. So thank you very much.
Agenda Item: Subcommittee Discussion
MR. ROTHSTEIN: At this point in our agenda, we are going to turn to a consideration of the three topics that we talked about over the last day and to try to develop some plans for dealing with them -
MR. HOUSTON: - take a break?
MR. ROTHSTEIN: Sorry? No, we are not going to take a break. We are going to go straight through, and then adjourn at lunchtime.
MR. HOUSTON: Gotcha.
MR. ROTHSTEIN: Okay. There's good reason for it. I know everyone is anxious to keep going.
So if I could ask you to think back to the two topics that we talked about yesterday - of course, banking and law enforcement - and today's topic, we need to kind of figure out where we want to go next. I mean, do we need more information? Do we need additional hearings? Who do we need to hear from and so forth?
So the first one was banking.
MR. HOUSTON: My suggestion is on banking is it seemed to be that there was one issue which related to 1179, I think it was -
MR. ROTHSTEIN: Right.
MR. HOUSTON: - and a clarification of its intent and its scope or at least guidance in that regard, because that seemed to be the gap, and then, clearly, then I think the only other questions were that relate to whether a bank would become a business associate or a covered entity as a clearinghouse by the fact that it was handling PHI vis-a-vis the 835 or parts of the 835 that it might come in contact with are handled through its -
MR. ROTHSTEIN: All right. Let's take those two things separately.
The first one is on 1179, and I don't know where you are going to get that clarification from. I think we heard from people who were there at the drafting of 1179, and I think it would take either a court decision or some sort of advisory opinion from the Attorney General or something. Who is going to say what 1179 means?
MR. HOUSTON: It seems to be the hole - I mean, I don't know. I mean, you got this B
MS. FYFFE: Would you go back to the conference report? I mean -
MR. ROTHSTEIN: See, the issue in Section 1179 is how broad an exemption does banking have? Does banking that's - was the intent to limit the banking exception to consumer transactions, so checks, credit-card transactions, et cetera, or was it intended to be broader and encompass any banking activity throughout the payment chain in terms of the reimbursement of providers and so forth.
And we heard yesterday two conflicting views. To no one's surprise, the banking industry believed that the exemption was very broad and it exempted everybody, and we had other witnesses who were intimately familiar with it, including Bill Braithwaite, who said, no, the intent was just to exempt the consumer aspect of this, and I think it is obviously very important, because if the broader view prevailed, then it certainly ties the hands of OCR or, indeed, the committee, in terms of what we might want to recommend.
MR. FANNING: Mr. Chairman, may I suggest that the substance of that issue is really the business of the agencies that have substantive responsibility for this, mainly this department and perhaps the financial regulatory agencies, but it seems to me that there is not a great deal that the committee could do in terms of the substance of that question. The committee may want to emphasize the need for privacy protections for information, however achieved.
MR. HOUSTON: Why can't the committee make the recommendation that there is an issue with 1179 or a clarification is required of whomever and ask the Secretary to take that forward? I don't see any reason why we can't do that.
MR. ROTHSTEIN: Oh, I have no problem with that. What I was saying is I don't think it is our responsibility to take a position that 1179 is narrow or 1179 is broad. I think that is beyond our responsibility.
I do think it is certainly appropriate for us to say that the scope of 1179 has a bearing on some other issues and that needs to be clarified in some way.
MS. FYFFE: We cannot interpret 1179.
MR. HOUSTON: But we - I think it is within our purview or right to at least indicate the testimony from individuals who were involved in the drafting of it indicated that the intent of it was to deal with check and credit-card transactions. We did hear that. It was very clear that that was the original scope or intent of that particular section. I guess I don't know why we shouldn't have the right to at least acknowledge -
MR. ROTHSTEIN: We can say - I think we can say that we did hear from at least two witnesses who had that position, but I think we can't draw the conclusion that that is necessarily the correct interpretation, because we didn't hear from a lot of other people.
MR. HOUSTON: I agree with your perspective. I guess I wanted to give it as much - I don't even want to say evidence - testimony, and frame it in a way that allows somebody within HHS to take this forward, at least to start to try to resolve it, because I think this has to be resolved.
MR. ROTHSTEIN: Well, I think the way we need to frame it - and it is not necessarily inconsistent with what I hear you saying - is there is a problem with banking that PHI is used in the banking process, in terms of payment of these claims.
We can describe the testimony that we heard, that at least for some transactions, PHI goes along with that, and that raises the question of whether - where that goes through the chain it is within the scope of the Privacy Rule Regulation, and that raises the broader issue of the exemption in 1179 that we believe is essential to have clarified.
MR. HOUSTON: That's fine.
MR. ROTHSTEIN: So I think we can put that in a letter, and I certainly would support that, because it is part of the crux of the problem.
I do think there is another - I mean, another issue to consider is that Mr. Stone, who represented the American Bankers Association, I think testified to the fact that some bankers and some banking transactions they actually do, in fact, play the role of a clearinghouse or a business associate, and it wasn't clear to him - and probably couldn't be clear to him, given his position - in how many of these situations the banks actually went through all their requirements that the Privacy Rule places on clearinghouses and business associates, and so that is an issue that I think is fair for us to raise, that even in the normal - in quotes - covered-entity functions that bankers provide not the - sort of the value-added that Kepa described. Where they most likely would be found to be covered, we have questions about whether they are, in fact, in compliance with the Privacy Rule requirements. So that is a second point that I would add on -
MR. HOUSTON: I mean, maybe to restate that a little bit, I guess what I heard was as much guidance regarding when is a bank a business associate, when would a bank potentially be a clearinghouse, because I think that was sort of the fundamental, underlying point that was being made, and then, obviously, if a bank is a business associate, clearly, its obligations are to comply with the business-associate terms that its covered entity imposes upon it. I don't think there was any testimony said they weren't complying as business associates, per se, as much as -
MR. HOUSTON: He didn't know.
MR. HOUSTON: Right. Because I think there was a fundamental uncertainty as to whether they were either, because of 1179, and if they - you know, I think if you close the loophole of 1179, what you end up with is they are - as long as their transactions contain PHI - such as through an - part of an 835 - at that point in time, they are either a business associate or a clearinghouse, and, in that particular case, have obligations that need to be met, based upon what they are characterized as.
MR. ROTHSTEIN: There are two other points that I would suggest that we might want to put in any letter that we come up with.
Number one is that we did not hear any testimony of any widespread or any misuse of PHI by the banking industry, in terms of selling the information or wrongfully disclosing information or using it in ways that are not deemed appropriate. The information, of course, is encrypted to begin with, and so that would make it more difficult.
The second thing that I would want to add is that we did hear testimony that it is possible to achieve the payment needs of the payer, the bank and the provider without including PHI, and I think that is an important point because that may influence the structure of 835s in the future or rules that would go through that. That was a question that I specifically asked Kepa and the other members of the panel.
The way it currently works now is in the claimed-payment document, the 835, there is an attachment that includes the PHI, and the PHI - for reasons that I don't understand, to be honest with you - need not actually be in that document to provide all the information that the payer and the banker needs.
MR. HOUSTON: Wasn't there some discussion about when you're done with lock-box functions that there's potential that the entire 835 could go to the lock box?
MS. FYFFE: There are circumstances under which that would happen.
MR. HOUSTON: Right. But I think what they sort of indicated was we don't necessarily need to provide that information, but a lot of banks were giving value-added services, which -
MR. FYFFE: Right.
MR. HOUSTON: B in essence, would provide that certain PHI was actually accompanying any type of financial transaction, but I guess - so there is a nuance between is it absolutely necessary? No. Were banks desirous of providing those additional services, and I think the answer sounds like to be, in a lot of circumstances, yes.
MR. ROTHSTEIN: Well, and if they were, then -
MR. HOUSTON: And they were covered - right.
MR. ROTHSTEIN: - maybe certain restrictions ought to apply to them.
Personally - and this may just reflect my lack of sophistication in this area - I would like to see our letter not go into all of the details of how the banking functions actually work, but simply say that we did hear testimony that PHI, for many banking functions, is not necessary and that further exploration of how this could be achieved would be desirable.
MR. HOUSTON: Minimize the use.
MR. ROTHSTEIN: Yes, to minimize the use and the possibility that this could be disclosed.
There is another point that we might want to consider - and not in the letter - and that is we do not disclose - as far as I know - in NPP, to anyone, that their PHI may be disclosed to bankers. I mean, we list all the things that - in the notice of privacy practices where your PHI will go, with consent, without consent, with authorization, et cetera. Maybe, in the interests of - it may be in the interests of consumers to disclose this information if, in fact, it were disclosed.
MR. HOUSTON: If it were disclosed to a bank - well, I'm making B assuming that the 1179 loophole or whatever is clarified - would be pursuant to a business-associate agreement or as a clearinghouse function, which would be all part of that payment chain which would then be within the realm of payment.
MR. ROTHSTEIN: Yes, I understand that, but here I am, I'm your average patient/consumer, and I read this notice and it says that my health information may be disclosed in the process of paying my claim. Well, I'm assuming that - yes, okay. Well, Blue Cross is not going to pay unless they find out what my doc did for me. The idea that National Bank is somehow in that process may never have occurred to me.
MS. FYFFE: The notice of privacy practices from either your health plan or your provider would not say that a bank -
MR. HOUSTON: No, but there might be other - and I understand the point, but there may be other cases where your PHI is disclosed to other third parties during the payment process, whether that be firms that facilitate collections or -
MS. FYFFE: That is supposed to be mentioned in the notice of privacy.
MR. HOUSTON: Is it? Is this part of payment?
MR. ROTHSTEIN: Well, it's payment or operations or something.
MR. HOUSTON: But any business - I mean, I don't think we would - I would be - thinking of my own notice, I would be concerned about listing up every case where we had a business associate touch a piece of PHI, because those business decisions happen on a very regular basis to go between an in-house service versus a -
MS. FYFFE: Sounds like the NPP needs to be updated.
MR. HOUSTON: Well, no, no, because -
MS. FYFFE: No?
MR. HOUSTON: An NPP, in my mind - we can't afford to have another privacy-practices update every month or every two weeks because we now, all of a sudden, have a business associate performing a function -
MR. ROTHSTEIN: No, what I'm suggesting is that you don't have to list the name of the bank, but it may be, as a matter of truthful disclosure, that financial institutions are involved in the payment chain besides just the health-insurance company or some health plan or clearinghouse. I just think it's a matter of being truthful.
MR. HOUSTON: I just think NPPs are - they can't be - I understand your point. I'm just concerned about where do we start and where do we stop, and there is clearly the concept of the business associate, which is - you know, that they were acting as your agent, and, again, those types of relationships change all the time, especially in a large organization that has - ours has many hospitals and it's quite large, and, in fact, they may vary between hospitals, but, in every case, if we are not doing it in house, we are using a business associate and we are expecting our business associate to do the appropriate thing, based upon a contractual - you know.
MR. FANNING: Mr. Chairman, I can suggest a possible principal distinction between the ordinary business associate and the bank. The business associates are clearinghouses and other organizations that have no relationship to individuals' lives, except as handlers of their information on behalf of a payer or a provider. Whereas, banks have a broader place in people's lives and one could make the argument - and I am not necessarily pressing this argument - one could make the argument that it is more important that they know that that institution has their information.
MR. ROTHSTEIN: That is much better than I could have said it and that - than as I have tried to say it several times. So I thank you.
MR. HOUSTON: I think it needs some additional research.
MR. ROTHSTEIN: Research?
MR. HOUSTON: On my behalf, at least. I -
MR. ROTHSTEIN: Well, feel free. (Laughter).
Well, okay. So the question B all right. Let me try to sum up this. On the issue of banking, do you think we need - Before we prepare a draft letter for the full committee, do we need any more information from consumers, the banking industry, healthcare providers or do you think we have the essence of what we need?
DR. HARDING: I think we have the essence. We don't have the answer.
MR. ROTHSTEIN: Well, that is beside the point. (Laughter).
DR. HARDING: So we are concerned with PHI. Embedded in banking payments and so forth is PHI.
MR. ROTHSTEIN: Right.
DR. HARDING: Therefore, we are concerned about that.
MR. ROTHSTEIN: Right.
DR. HARDING: And then who does that go to? Do we ask the Secretary to do the appropriate thing to attend to that?
MR. ROTHSTEIN: Correct. Correct.
MR. HOUSTON: I mean, we need to investigate to find out who has responsibility or who has the oversight of 1179 and has the ability to write guidance or clarification -
MR. ROTHSTEIN: Well, we'll obviously raise the 1179 issue and set out the two -
MR. HOUSTON: Need to find out who that is, though.
MR. ROTHSTEIN: - competing positions.
MR. HOUSTON: Give the Secretary the -
MR. ROTHSTEIN: Yes, I just wanted to sort of wrap that up, because our conclusion may be different when we get to the second topic that I want to talk about, and that is law enforcement.
And in law enforcement, we did not have as extensive a discussion as we would have liked. The staff made heroic efforts to get law enforcement to the table, but they were unavailable in many instances.
We did have three excellent witnesses who outlined a variety of problems, and I think there are a couple that we would want to focus on.
I'll just start with two, one that was mentioned by Bob Gellman, and that is the administrative requests under 512-F, the fact that there are very few restrictions placed or requirements for administrative requests. They can be oral. They can be by any law-enforcement official. There's no requirement of showing of any sort of relevance, et cetera. So that is one issue we may want to take up.
The other issue that I would just add to our list is the disclosures required by law pursuant to 512-A, and this gives very wide discretion to state and local officials to enact wide-ranging laws requiring the collection, disclosure, release of all sorts of records.
So those are two problems. I'm not suggesting how we relieve any of them or solve any of them, but there are others that we can add to the list.
MR. HOUSTON: The only other one that I think came up yesterday that - brought up was related to the concept of doctor shopping and whether there are guidelines that could be provided as to what a covered entity can and cannot do with regards to addressing a problem where a physician office realizes that doctor shopping is occurring and what type of information can be disclosed, what type of actions can they take. I think there is a lot of just difficulty in that area.
MR. ROTHSTEIN: Well, and the related issue that we spent a fair amount of time on, and that is the prescription-monitoring program -
MR. HOUSTON: Right.
MR. ROTHSTEIN: - that DEA has supported and about 20 states have, and because of 512-A, those state laws can - you know, there are disclosures required by law, and, therefore, they can be made without any sort of authorization, and, yet, as we discussed yesterday, there is concern that they - either in their present form or in some future form - could really be over broad.
Okay. Now, having said that, we don't need to resolve this.
The question is what we should do next, because, as many of us talked informally, we really did not have a sufficiently representative group before us. We had - the only law-enforcement official we had was from DEA, and that as a - sort of very narrow in scope.
Ideally, we would like to hear from the FBI. We would like to hear from state police, local - you know, all sorts of people, and it's not clear to me that they have an interest in testifying either orally or in written form. So I'm not sure what to do at this point, and I'm open to suggestions.
DR. GREENBERG: These are potential testifiers, organizations that were contacted already, but were not either available or declined?
MR. ROTHSTEIN: That's right.
So, I mean, we would like to hear from the FBI, from Justice, from the chiefs of police, from the - you know - county law-enforcement officials, whatever, just to see what problems they have, and I certainly don't want to speculate as to their reasons for not wanting to testify or being unavailable.
The fact of the matter is that I don't know what we can say in the absence of their testimony. I suppose we can just say that, that we have identified these problems. We recognize that we do not have an adequate record because we have not been able to obtain the testimony from key stakeholders, but we think that these are issues that need to be explored at the department level or inner-department level or something like that.
John, do you have wisdom to share?
MR. FANNING: No, except to make it more complicated by suggesting that these questions also go to the issue of the relationship between this regulation and state law, which is a broader issue and of great complexity.
MR. HOUSTON: State law and go local practice in each county.
MR. FANNING: One might make a national law that governs the availability of information to law-enforcement authorities and even courts, but the complexities involved in interfering with, certainly, local judicial process, but even with, shall we say, police practice, are very great.
MR. ROTHSTEIN: Well, and even the state legislative prerogatives, in terms of enacting laws that would come under 512-A. So I think in our letter we should certainly point out that that is another complicating factor.
MR. FANNING: I think that a regulation of this kind, as large as it looms in our minds, has to be seen as a kind of first step in hammering out national policy on the use of information. The attention called to the subject by the regulation, awareness of it by providers and so on, may have effects on future choices by legislatures, for example.
MR. ROTHSTEIN: Would the other members of the committee feel comfortable discussing the issues in the way that we have so far sketched them?
Okay. Well -
DR. HARDING: The only other thing that I would suggest is that we compliment the good and maybe go quiet on the things that aren't so good or say very little about them, and that way bring them up with faint praise or something like that. I don't know how to exactly - these must be very sensitive issues, and so we could say, we understand that there are times when emergencies exist and that things have to done, and in national interest and terror and so forth, but - and then remain silent on some of the other things.
MR. ROTHSTEIN: I think that is a good point. I mean, just like in every other area, I mean, we are balancing privacy against an important interest. If nobody cared about research or public health or law enforcement, our hearings would be very short, but these are very difficult questions, and so I appreciate your raising that, and we will try to do that.
Okay. Let's move on to today's discussion, which involved - if you have forgotten already - (laughter) - our two panels on schools, and -
DR. HARDING: Excellent. Excellent presentation.
MR. ROTHSTEIN: So do you have some suggestions on the kinds of issues we want to talk about relative to today's hearings?
MR. HOUSTON: I think we need to at least identify the fact that there is a conflict or a tension between FERPA and HIPAA. Obviously, we are in the same boat as 1179. Insofar as we don't have responsibility or purview over FERPA, we clearly have to identify that that is a source of issue.
After that, though, I guess it is dependent upon what happens with FERPA, what changes we would want to try to make to HIPAA to make it more compatible. That would be one point, I think is -
MS. HORLICK: Mark, this is Gale.
I just wanted to mention that I just thought it was interesting the way the panel shaped up, because everybody was given the same instruction, and I was taken by your comment about the HIPAA/FERPA intersection, more in the first panel, and the educational aspects more in the second panel.
Also, for whatever reason, when Dr. Harding is speaking, it is a little - I am just not able to hear. I don't know if it's where the microphone is situated, but -
DR. HARDING: I apologize.
MR. ROTHSTEIN: He's so tall that that microphone is -
MS. HORLICK: My thought is -
DR. HARDING: I will do much better next time.
MS. HORLICK: - or at least one of my thoughts is that there were certain issues that were related to HIPAA that clarification, in terms of which law applies that we could raise - the Medicaid billing issue, whether school - does it matter if - who the school nurse is employed by? Certain sort of broad issues that wouldn't - that it seems to me - I was reading through Mr. Hutton's questions, his attachment, a little bit, and it seems like there are some just overall themes that are not - that it is not clear which law addresses, and then some of the items that were mentioned, I think, in terms of HIPAA needing further education, we might be able to list those or come up with a general suggestion, but I think that goes in a separate area in terms of further education is needed. I think the rule is clear, and maybe picking up on your suggestion about how that education could be done.
MR. ROTHSTEIN: Yes, I agree with you, Gail. I think that especially the second panel made it clear that much work needs to be done, in terms of just informing all the parties - the teachers, the school nurses, the administrators, the physicians in the community, et cetera - because some of the questions that were raised, I think OCR has been as clear as they can be. I mean -
MR. HORLICK: Right. But I do think - it was stated and I do agree wholeheartedly that whatever is developed needs to somehow get OCR's blessing. It either needs to be - you know, if it is not written by OCR, if somebody else writes it and they approve it or if that is not possible, then if someone writes a document where they specifically reference the OCR website or - when we did the MMWR, it was HHS document, so it was too big for most people to read, but if you cut and pasted pieces from it, you still had that - the regulatory authority, and I think that, in the end, that that is really important. The state medical board can say what they want, but if the OCR doesn't agree, then - you know.
So I think they have been clear, but one of the things that I am finding is that there's a lot of clear information out there, but people are just not going to the website or they are not - it's not that the information is not available, but each individual provider or person isn't seeking it out, and so if someone pulls something together that comes from the official source and it is in a one or two pager, it has been our experience that has been very helpful. We are looking to do that again in another area.
MR. HOUSTON: But I thought there was some guidance from OCR or FAQs that had not been released that had been in process for some time.
MR. ROTHSTEIN: There's some - reportedly - FAQs in the works on schools, FERPA's intersection, but I think - here's the - sort of the mental image that I would like us to address. Okay? You've got this pediatrician in solo practice. It's just the doc and a nurse somewhere, and somewhere along the line, over the last two years, the pediatrician has heard that if you release records, they are going to come and take you away in handcuffs, and what is it that we need to do or that somebody needs to do to reassure that pediatrician that sharing information about his or her patient with the school nurse for purposes of treatment or immunization records or what have you is not going to violate the law and get him or her into terrible trouble?
This person is busy from 8 to 6 or maybe later. They are not going to log into the OCR website to see what the latest FAQs are. I mean, how do we reach that person? And the suggestion that I was sort of thinking about is maybe through some medical association where they would normally get information or there's gotta be some way.
DR. GREENBERG: I was sort of feeling that the missing party, although - was the provider - the community provider in this discussion. Although, we did hear from the American Academy of Pediatrics, so - and I don't know whether - didn't specifically ask her what kind of guidance AAP is trying to provide to its members, but a lot of children are actually not treated by pediatricians, but a family physician or -
MR. ROTHSTEIN: Right.
DR. GREENBERG: - internal medicine or what have you, not to mention the children for whom this is most complicated, it seems, with the chronic conditions - whether it be endocrinologists, psychiatrists, whatever - are not part of the AAP, and I found myself often thinking, well, I'm being almost amazed that the healthcare providers were putting these barriers up, but I think you have put your finger on it, that the anxiety is such that when in doubt, don't share, and, in fact, the schools are not covered entities. This is true.
MS. HORLICK: Right. And - this is Gail - I think that is a large part of it, that they - although they may - you can separate out the immunizations that might be required for school entry, but a lot of the other information they might be sharing it for - you know, can they participate in athletics or for a treatment purpose, but if they are not a covered entity, my understanding is they are reluctant to share even the immunization data without authorization, unless there is a state law, and I think it raises an important issue because while we have looked at the public-health purpose besides - you know, behind sharing that immunization data, and I think most parents would want providers to be able to share that without their consent, so their children can get into school, I think, as you pointed out earlier, many parents may not want discharge summaries and some very sensitive information to be shared without their authorization.
DR. GREENBERG: Well, particularly because it can get into this FERPA situation where it gets mixed in with other records -
MS. HORLICK: Right.
DR. GREENBERG: - and, you know, becomes - you know, maybe - any teacher that that child touches would have access to this, which would not, maybe, you know, be appropriate or certainly desired.
So I am just wondering if we need - if the subcommittee needs to hear from - I mean, your question. Is there enough information or does there need to be some more dialogue with provider groups?
MR. HOUSTON: Can I make - also, one thing we did hear in testimony this morning was that - one piece of testimony we did hear this morning indicated that certain providers were using HIPAA as an excuse to - because it reduced their burden, their effort. So there's -
DR. GREENBERG: Well, I have noticed, personally, that providers who used to be willing to fax things - prescriptions, what have you - won't anymore, and I think - not because of HIPAA. This is regardless. This was prior to HIPAA. This is not HIPAA. This is - I think it's a time thing. I mean, I saw this before HIPAA came into - you know, things that previously had been faxed, et cetera, won't be anymore. You have to go and pick them up or whatever, and I think it is part of the whole thing of burden and -
MR. HOUSTON: So we do have to be somewhat cautious, in my mind, about ensuring that one isn't a pretense for the other. I mean, maybe some of this is overstated, and I'm sure there is definitely genuine concern out of the providers about releasing information, but I think at least we do have some indication that maybe some of this is done - it's more convenient or it's less burdensome not to have to comply, and we'll just use HIPAA as the excuse, because I think we do see that in other areas, too.
MR. ROTHSTEIN: Kathleen -
MS. FYFFE: Yes, I remember back to our November hearings, we had invited a number of provider organizations to the hearings. The only organization that accepted our invitation was the American Academy of Family Physicians, I think it was. The other provider groups had said that they needed more lead time in order to survey their members more formally about any challenges or issues or concerns about the HIPAA Privacy Rule. So I am wondering if we might want to spend a couple of minutes talking about perhaps having further information or another panel from the providers, but giving them sufficient lead time, as they have requested, to survey their members.
MR. ROTHSTEIN: Well, maybe we don't need hearings. Maybe we could write a letter to the AAFP and other groups that we can identify and ask them to respond in writing, and sort of narrowly tailor the question, based on the kinds of things that we have been talking about today, to get some input.
You can say that we heard testimony that physicians have been reluctant to release records under such-and-such circumstances, and, in many of these instances, the regulations are quite clear that doing so is permissible under the Privacy Rule, and we are wondering if there are any suggestions they have as to how to reduce these impediments, et cetera, whatever, and then if we send that to a selected handful of medical organizations, that will at least give - a chance to respond. I'm not sure I want to delay things.
We have our next subcommittee hearing in two weeks as part of - not hearing, subcommittee meeting as part of the overall full committee meeting.
MS. FYFFE: That's March -
DR. GREENBERG: March 4th and 5th.
MR. ROTHSTEIN: March 4th and 5th.
DR. GREENBERG: Privacy is the morning of the 5th? Is that - I don't have it with me.
MR. ROTHSTEIN: Yes. Yes.
At that meeting, of course, we are going to present the draft of our letter dealing with research and public health and other issues -
DR. GREENBERG: At the full committee meeting.
MR. ROTHSTEIN: At the full committee meeting.
DR. GREENBERG: And that was my question about - are you discussing that letter at all today or -
MR. ROTHSTEIN: We were not going to.
DR. GREENBERG: Okay. You're pretty much -
MR. ROTHSTEIN: Yes, we had a conference call -
DR. GREENBERG: Right.
MR. ROTHSTEIN: - signed off.
DR. GREENBERG: Okay. And has that letter - are you aware of that letter going to the Executive Subcommittee? I'm wondering if we - you know, I don't -
MS. FYFFE: I'm guilty. I have not sent it to the Executive Subcommittee.
DR. GREENBERG: Well, I think it is actually probably my office that should have sent it, but it would have had to have gotten it to send it. Maybe - I'll take responsibility, too, because I was actually on that conference call.
We have a - you know, this new process that we agreed to about a year ago that certainly reports - but I think letters, too, because often our letters are a substitution for a report - that are going to be brought for a decision to the full committee, go out to the Executive Subcommittee, first to get - you know, kind of give a heads up and see if any other subcommittee chairs want to weigh in with any suggestions.
So if that hasn't gone out, I think we should send it out probably today.
MR. ROTHSTEIN: Right. We can send that out today.
DR. GREENBERG: And it's a letter, so you can give them a -
MS. FYFFE: It's a draft letter.
DR. GREENBERG: It's a draft letter. I think our intent is to - I think we have to send out the agenda books by a week from today, so people wouldn't have a lot of time, but do we have - Kathleen -
MS. FYFFE: Yes. Yes, I can send it to you.
DR. GREENBERG: Could you send Debbie Jackson and me -
MS. FYFFE: Sure.
DR. GREENBERG: - an electronic version of the latest copy, then, and we'll get that out. I just realized that something had kind of -
MS. FYFFE: Actually, I think you all have a copy of it, because -
DR. GREENBERG: Okay. You have the latest version, electronic version of this?
MS. FYFFE: I'll send it to you this afternoon.
DR. GREENBERG: Would you send it to me? Okay. Thank you.
MR. HOUSTON: There was a copy in our packet today, and I guess I had read the letter that was sent out in preparation for this meeting, and I guess I had had some additional tweaking that I had - was interested in, but shall we just simply - should I wait on that until our next meeting - at the full committee meeting?
MR. ROTHSTEIN: If you wouldn't mind, if it's okay with you.
MR. HOUSTON: That's why I'm asking.
MR. ROTHSTEIN: Are they non-substantive tweaks?
MR. HOUSTON: I think so. They may be mildly substantive.
MR. ROTHSTEIN: (Laughter).
MR. HOUSTON: Mildly. That's sort of like -
DR. GREENBERG: Well, if any of them are sufficiently -
MR. HOUSTON: Give me more time, I'll -
DR. GREENBERG: - substantive that -
MR. ROTHSTEIN: That you're not comfortable having this sent out to the Executive Committee?
MR. HOUSTON: No, I just - there were just some minor tweaks on the research side that I saw that I think are more clarifying, though -
MR. ROTHSTEIN: Okay. Well, this is a draft. It is going - I'm sure it is going to be tweaked in a substantive and non-substantive sense when it gets to the full committee, and we also need to debate the one bullet that was not agreed to. So everyone is going to have ample opportunity.
So I just want to wrap up the school issue. We are going to send out letters to - and Kathleen and I will talk about the appropriate medical groups, asking if they would like to comment on that, and should we have a draft letter in two weeks? Is that -
MS. FYFFE: The draft letter that would go out to the medical groups?
MR. ROTHSTEIN: No, the draft letter to the Secretary on the - is that too soon?
MS. FYFFE: On the hearings yesterday and today?
MR. ROTHSTEIN: Yes. Um-hum.
MS. FYFFE: Too soon.
MR. ROTHSTEIN: Okay. So we will decide at our next subcommittee meeting in two weeks what the deadline will be for preparing the draft of the letter based on this hearing.
The other agenda item that we will consider - because we have two additional members who are not here, and so I don't want to discuss it without them - Simon - and Harry has now joined -
DR. GREENBERG: Harry has joined the committee, yes.
MR. ROTHSTEIN: And that is the issue of other topics to consider for our third round of hearings, and I have your recommendation that we consider the issue of fund raising, and that is on the list, and I would just say in passing that I would like to add to the list marketing, which is a very controversial issue, and I would like to hear how it is working, the marketing provisions. I have no sort of agenda, but we had such heated hearings before the marketing rule, we would be remiss if we didn't follow up on that.
And the other thing that I would add to the list is the issue of media access to medical records that was raised by the letter that we received. I think it is a very interesting issue.
MR. HOUSTON: The last two committee meetings I've been at, privacy and then the security subcommittee before regarding the security testimony, it seems like in a couple of cases we had two panels that collapsed into one panel, and, again, maybe - my thought is that some of these things we might be able to do with a four-person panel, one single panel, like fund raising. Again, what we are dealing with - like yesterday, we ended up getting done pretty early, and, boy, I'll tell you, again, I know I seem to be fixated on fund raising, but I really want to try to get some time, even if it's a single panel in order to get some testimony -
MR. ROTHSTEIN: Well, it's on the list. It'll be our next hearing.
MR. HOUSTON: I know. I'm just saying though - I'm just thinking whether we can streamline some of this, if there is some less controversial, by doing single panel.
MR. ROTHSTEIN: Well, that is certainly a possibility. If we can get a broad enough cross section. Sometimes, if you have - depending on the topic. If you only have four people, then five other important people are left out, and we need to hear their perspectives, but fund raising, there is an organization that has testified before us - the name escapes me - and so they are very well connected with the fund-raising community, and then we can hear from one or two organizations and maybe some consumer person and that, I think, would be appropriate -
MR. HOUSTON: I think it's AAMC.
MR. ROTHSTEIN: No, it's not AAMC.
MS. FYFFE: Healthcare Philanthropic Association -
MR. FANNING: There is an association of -
MR. HOUSTON: No, AA - American Association of something Philanthropy -
MS. FYFFE: Healthcare Philanthropic -
MR. HOUSTON: Yes.
MR. ROTHSTEIN: Something or other.
MS. FYFFE: - Organizations, yes.
MR. ROTHSTEIN: I mean, we have heard form them in the past, and I'm sure they would be happy to come back and tell us how things are going and whether they think we need to do anything.
Are there other matters for us to discuss today?
DR. HARDING: Just as an aside, the issue of private schools and parochial schools that aren't under FERPA -
DR. GREENBERG: We can't hear you, Dr. Harding.
DR. HARDING: Pardon me.
The issue brought up about private schools and parochial schools not being covered under FERPA in -
DR. GREENBERG: Well, then they can be covered under HIPAA.
DR. HARDING: Well, is that what is happening? Are they considering themselves covered entities? What is happening with that whole group? Because everybody else is kind of hiding behind FERPA, and when FERPA isn't present, what do they do?
MR. ROTHSTEIN: That is an interesting question. We may want to add that to our letter.
Well, in conclusion, I want to thank the people who are responsible for putting the hearing together. I want to especially thank Amy Chapper and the folks at CMS who were kind enough to allow her to do this work for us, John Fanning and Kathleen Fyffe and the ASPE people who were kind enough to loan us their services, and Gail Horlick from CDC as well, and I want to thank Marietta Squire and Shirl Willheit(?) as always, and our crack broadcast team, and thank you all, and the meeting is adjourned.
(12:15 p.m.)