[This Transcript is Unedited]
Hubert H. Humphrey Building
Room 705-A
200 Independence Avenue, SW
Washington, DC 20201
KEPA ZUBELDIA, MD, President, Claredi, Kaysville, Utah
MR. ROTHSTEIN: My name is Mark Rothstein, director of the Institute for Bioethics, Health Policy and Law at the University of Louisville School of Medicine.
I am chair of the subcommittee on privacy and confidentiality of the National Committee on Vital and Health Statistics.
Welcome to the first of three days of hearings on implementation of the privacy regulations promulgated by the Department of Health and Human Services pursuant to HIPAA.
Welcome also to those who are listening live via the internet.
Before proceeding further, I would like to have introductions, beginning with the members of the subcommittee and staff.
In particular, I would invite the members of the subcommittee who have conflicts of interest, or who want to announce their recusals, to do so at that time. I will begin on my right.
MS. HORLICK: I am Gail Horlick from the Centers for Disease Control and Prevention. I am lead staff for the subcommittee on privacy and confidentiality.
DR. ZUBELDIA: Kepa Zubeldia with Claredi Corporation, a member of the subcommittee.
MS. GREENBERG: I am Marjorie Greenberg from the National Center for Health Statistics, CDC, and executive secretary to the committee.
MR. FANNING: I am John Fanning from the Office of the Assistant Secretary for Planning and Evaluation at HHS, staff to the committee.
DR. HARDING: I am Richard Harding. I am a member of the committee. I am a child psychiatrist from the University of South Carolina, and I am president of the American Psychiatric Association.
DR. COHN: I am Simon Cohn, director of data warehousing for Kaiser Permanente in Oakland, California.
MR. BLAIR: I am Jeff Blair, vice president of the Medical Records Institute and a member of the committee. I can't think of anything to disclose that might be a conflict of interest.
MR. ALTARESQUE: I am Louis Altarescue. I am with the Office of General Counsel at Health and Human Services, civil rights division, and working with the privacy rule.
MR. SCANLON: I am Jim Scanlon in the HHS Office of the Assistant Secretary for Planning and Evaluation, and I am the executive staff director for the full committee.
DR. FITZMAURICE: I am Michael Fitzmaurice, senior science advisor for information technology, Agency for Health Care Research and Quality. I am liaison to the national committee, and staff to the subcommittee on standards and security.
MR. ROTHSTEIN: After we have the first witnesses briefly introduce themselves, then we will invite the members of the audience to introduce themselves if they want.
MS. HENDERSON: I am Mary Henderson. I am the National HIPAA program director for Kaiser Permanente.
MR. KELLY: I am Bruce Kelly. I am director of government relations for the Mayo Foundation and the Mayo Clinic, and I am also representing today the Health Care Leadership Council.
MS. BLEVINS: I am Sue Blevins. I am president of the Institute for Health Freedom.
MS. ADLER: Jackie Adler, I am staff to the committee. I am from NCHS.
MR. BURNETT: Larry Burnett with Kaiser Permanente.
MS. STANDLER: Robin Standler with the American Society of Clinical Pathologists.
MS. PISANO: Edna Pisano(?), Indian Health Service, Office of Public Health.
MR. HAIG: E.A. Haig(?) with Verizon.
MS. FISCHER: Barbara Fischer, National Vaccine Information Center.
MS. GARY: Linda A. Gary(?) with Mintz Levins.
MS. CAGE: Robin Cage, just a private ordinary citizen.
MS. HAWK: Susan Hawk of ASPE.
DR. BRAITHWAITE: Bill Braithwaite, HHS, staff to the committee.
MS. SANCHEZ: Linda Sanchez, HHS.
MS. HYATT: Christina Hyatt, HHS.
MS. ANDREW: Cindy Andrew(?). I am a privacy consultant to OCR.
MS. DUSSETTE: Chris Dusette with Marlos(?).
MS. WILLIAMS: Michelle Williams, CDC, NCHS.
MR. GREEN: John Green, National Association of Health Underwriters.
MS. WINCKLER: Susan Winckler, the American Pharmaceutical Association.
MS. ALLEY: Suzanna Alley(?), HHS.
MS. BICKLE: Laurie Bickle with the Health Care Distribution Management Association.
MS. BEBEE: Susie Bebee, NCHS.
MS. GAINES: Anna Gaines from Congressman Cliff Stern's office.
MS. COLTIN: -- Coltin, law firm of Winwood --
MS. JONES: Catherine Jones, NCHS.
MR. HITCHCOCK: Dale Hitchcock, HHS.
MR. BASOWITZ: Roy Basowitz, National Association of Chain Drug Stores.
MR. BLIGH: Paul Bligh, DOD, Tricare Management activity.
MR. ENGARTEN: Peter Engarten(?), Certa(?) Corporation.
MS. SOREL: Nine Sorel(?), National General.
MS. NORR: Debbie Norr(?) with the National Library of Medicine.
MS. GRIFFITH: Jane Borden Griffith, National Library of Medicine.
MS. DARRAH: Jackie Darrah, AMA.
MS. HATTON: Melinda Hatton, American Hospital Association.
MS. CARLSON: Valerie Carlson of McDermott, Gill and Emery, representing Intermountain Health Care.
MS. BRADLEY: Ruth Bradley(?) with the advocacy office of Premier and Alliance of Hospitals.
MR. PYLES: Jim Pyles, Powers, Pyles, Sutter, representing the American Psychoanalytic Association.
MR. MONGER: Don S. Monger(?), American Health Information Management Association.
MR. RODIE: Dan Rodie(?), American Health Information Management Association.
MS. CUNNINGHAM: Amy Cunningham, Health Privacy Project.
MS. BLISS: Mary Ann Bliss, AARP.
MS. SCHUMLIN: Anna Schumlin(?), AARP.
MR. CLOPINSKI: Bob Clopinski from Medtronic.
MS. TRENTE: Nancy Trente(?), with the American Psychiatric Association.
DR. GOIN: Marcia Goin, a psychiatrist in Los Angeles at the County General Hospital, and vice president of the American Psychiatric Association.
MR. ROTHSTEIN: Thank you, and welcome, everyone. The subcommittee has invited seven panels of invited witnesses, approximately 25 to 30 witnesses in all.
There are two panels on consent, whenever necessary and research, and one panel on marketing on Thursday morning.
These topics, as well as the specific questions for the witnesses to address were developed in cooperation with the Office for Civil Rights, the HHS office delegated the responsibility for enforcement of the HIPAA privacy rule.
The sole purpose of these hearings is to provide guidance to the OCR and the Secretary on practical issues or concerns in implementation of the regulation.
We are interested in possible unintended consequences, overlaps and inconsistencies, and areas in need of clarification.
Concrete suggestions and information about successful implementation strategies are particularly welcome.
A purpose of the hearings is not to voice general approval or disapproval for the statute or the rule. It is an effort to obtain expert input in identifying problems, solving problems, and identifying successful strategies.
The four subject areas chosen for the hearings were specifically identified by OCR and the NCVHS as appropriate areas for public input.
Following the hearings, the subcommittee will submit proposed recommendations to the full committee for discussion and possible action at its next scheduled meeting, which is September 24-25.
If the recommendations are approved by the full NCVHS, they will be transmitted to the Secretary by the chair of the full committee, Dr. John Lumpkin.
Because of the large number of witnesses and the narrow focus of the hearings, I would insist that witness strictly adhere to the following rules.
First, invited witnesses will have 10 minutes to give their prepared testimony and, at the one minute mark, we will provide notice that you have one minute left. The notice will be flashed from the table over there. If I see that you haven't made eye contact, I will help you out.
Second, after each witness, the subcommittee members will have an opportunity to ask questions of a clarifying nature only.
After all the witnesses of each panel have completed their testimony, the members of the subcommittee and the witnesses should have approximately 30 minutes for a discussion of the issues raised by the testimony.
Fourth, witnesses may submit additional written testimony in accordance with the instructions that they were mailed, if they do so by August 27, which is next Monday. They should be sent to Mariette Rollinson, and her address is in the Federal Register notice, and is available on the handout.
Fifth, if, in the opinion of the chair, any witness strays off the assigned topic or exceeds the time limit, the nasty chair will strongly encourage the witness to refocus his or her remarks or, if necessary, to conclude his or her testimony.
In addition to the testimony of invited panelists, time has been scheduled for public testimony. These are at 4:00 o'clock today and 4:00 o'clock tomorrow.
Three minutes will be given to any individual who desires to speak on any of the four issues under discussion. Sign-up sheets for the public testimony are available at the registration tables.
One final request. If you have a cell phone, please turn off the ringer. Does anyone else have any additional remarks, comments? Are we ready to proceed with our first panel?
We have the panel before us and, Ms. Henderson, you may begin.
MS. HENDERSON: Good afternoon. My name is Mary Henderson. I am the national HIPAA program director for Kaiser Permanente.
Thank you for inviting me to speak today about the HIPAA consent requirement. As you just heard, I have only 10 minutes, strictly enforced, and this is a complex issue. So, I have included additional testimony in writing, that is attached to what I am speaking.
Kaiser Permanente is comprised of three organizations, the Kaiser Foundation Health Plan, Kaiser Foundation Hospitals, and Permanente Medical Groups.
These three organizations cooperate to provide coverage and medical care to members within each of our eight regions.
In each region, the health plan contracts with the Permanente Medical Group to provide medical care to members.
As a highly integrated health care system, we believe that we fit the description of an organized health care arrangement, and that we would need to seek a joint consent for our health plans and providers.
Kaiser Permanente strongly supports the overall goals of HIPAA administrative simplification. However, some provisions in the privacy rule, most notably the HIPAA consent requirement, will create unintended but significant barriers to the delivery of health care services to our 8.2 million members.
My objective today is to share with you some situations in which the HIPAA consent requirement impedes effective and efficient health care delivery, and has effects contrary to the intent of HIPAA.
Given these impacts, we strongly urge that DHHS delete the consent requirement, requiring that we ask DHHS at a minimum to mitigate the unintended negative consequences to patient care and health care delivery.
In the proposed rule, DHHS noted the questionable validity of a blanket authorization, which is what HIPAA consent is.
They determined that it would be neither voluntary nor truly informed. We believe that conclusion was correct then and that it is correct now.
Consent that is informed and voluntary is a positive and powerful principle in health care, and a core value at Kaiser Permanente.
However, HIPAA consent does not provide patients a truly informed and voluntary choice. In medical care, informed consent means giving a patient sufficient information prior to receiving treatment, and giving them a choice about what is done.
The patient has choices. Should the surgeon do my prostate surgery using a scalpel or a laser. Should I agree to a radical mastectomy or consider another option. These are meaningful choices.
Consent, as that term is used in the final rule, provides no such opportunity.
Let me remind you that the rule already has meaningful tools that protect an individual's medical privacy, including precise limits on the allowable uses and disclosures of PHI. Notice, specific written authorizations for other uses and sanctions for misuse.
The HIPAA consent requirement adds nothing to these protections, provides no real value to patients, because the consent is neither knowing nor voluntary and can actually cause harm.
A stated goal of HIPAA administrative simplification is to improve the efficiency and effectiveness of the health care system, by encouraging the development of electronic health information systems.
Ironically, HIPAA consent is likely to be easiest to implement by a single site health care provider who uses only paper charts.
Such providers would have only one or, at most, a few places to check whether a patient has an unrevoked consent on file.
For larger organizations, particularly those with multiple sites of care, numerous electronic systems, along with paper records in many locations, the process of obtaining HIPAA consent and then tracking, storing and updating it to reflect replications, is mind boggling.
I am actively involved with the implementation of the privacy rule, as Kaiser Permanente's national HIPAA program director.
Let me share with you some of the challenges I see HIPAA consent posing, not just for our health care operations, but also for our members when they try to secure care.
We are faced with not only getting consent from our 8.2 million current members, but getting consent from up to 35 million former members.
Many have moved away. Some have died. We have no way to reach them. Yet, their medical information is woven throughout our systems.
Currently, for the majority of our members, we have not obtained blanket authorizations, because state law has provided statutory authorization.
Most of our members enroll through their employers, with no direct contact with us. In states where blanket authorization is currently required, we obtain it solely from the subscriber and not from anyone else in the family.
To obtain HIPAA consent, our members, their employers and Kaiser Permanente would all have to be involved in complex new layers of paperwork and process. This is a step backward from HIPAA's efforts to encourage effective use of technology.
Our members heavily rely upon our phone and internet appointment and advice services. Under HIPAA consent, they would be blocked from being able to use these health care technologies until they sign a consent.
HIPAA consent poses a formidable barrier to continuing health care operations. No health information in our systems can be lawfully used until consent is obtained. Yet, we have no practical way to segregate the data for members who have consented from those who have not.
The consequences for us and, we assume, for other health care systems, are substantial. All existing data would have to be either blocked or archived.
Please consider the effect that this would have on quality review, provider credentialling, planning, evaluation of drugs and medical devices, and even emergency treatment.
The right to revoke consent causes additional problems. Patient data is integrated into our systems with no reasonable way to extricate it. We rely upon it for essential health care operations.
Furthermore, if a member withdraws consent from a Permanente medical group, Health Plan will have to disenroll that member. This creates a real catch 22 for us.
HIPAA portability provisions generally preclude disenrollment of any member, except for non-payment or fraud. Which part of HIPAA do we follow?
The HIPAA consent requirement will place us in many moral and ethical dilemmas. Let me give you examples.
A couple of years ago, we were notified by a drug company that a batch of their epinephrin solution was contaminated.
Epinephrin is carried by severely allergic patients at high risk for anaphylactic shock, which is life threatening.
We were able to go into our systems, identify all 2,350 patients at risk, and provide them new medication very quickly.
Under HIPAA consent, what would have happened to those patients who had not yet signed a consent, or who had revoked consent?
What if a patient revokes consent and later is brought into our ER in a coma? We would, of course, do our very best to treat them, but if their critical medical information is blocked or archived, how can we be sure that we aren't administering a medication that the patient is allergic to? This, too, has life threatening implications.
Given these serious issues, we make the following recommendations. First and foremost, we strongly urge that DHHS rescind the HIPAA consent requirement and return to the soundness of the proposed rule.
Barring that, we recommend these seven measures to help lessen the negative impact of the HIPAA consent requirement. I am going to probably abbreviate this list.
Allow continued use of the data collected before the April 14, 2003 compliance deadline, and require consent only for data collected after that date.
Allow use and disclosure of data collected before revocation for continuing TPO.
Make the HIPAA consent requirement inapplicable to states that have statutory authorization for the use and disclosure of PHI.
Defer the consent requirement for five years.
Reconcile conflicting laws.
Rely on parental consent for a child who reaches the age of majority until the new adult comes in for care.
We urge the committee to carefully review the problems posed by the HIPAA consent requirement, and to recommend to DHHS that it return to the position it took in the proposed rule. Rescind HIPAA consent.
It adds enormous barriers to the delivery of health care without providing meaningful choice or protection for our patients. Thank you.
MR. ROTHSTEIN: Thank you very much for your testimony and for getting us off on a good foot in terms of succinct, direct suggestions.
Are there any clarifying questions?
MR. ALTARESQUE: You had said that you would like to return to the proposed rules regarding consent? The proposed rule says that not only do you not have to get consent, but it said you cannot get consent. Is that the position of Kaiser?
MS. HENDERSON: We currently function under state rules with statutory authorization that seems to work for us and our members. Consent or the general use of data for TPO, yes, we agree with the proposed rule.
MR. ALTARESQUE: The proposed rule said that providers cannot get consent, cannot use a consent form.
MS. HENDERSON: For consent as defined by the HIPAA -- yes.
MS. DONOHUE: On behalf of NCQA, I want to express my sincere appreciation for the opportunity to testify as to the consent requirements under the final HIPAA rule.
NCQA is a leader in the effort to assess, measure and report on the quality of care provided by the nation's health plan.
In our 10 years of operation as a non-profit, we have accredited approximately 50 percent of the HMOs covering 75 percent of the lives.
Our efforts are primarily organized around two things, private accreditation and performance measurement.
Performance measurement is largely driven off an information set which we call HEDIS. HEDIS tests things like whether patients get prescribed beta blockers following a heart attack.
They also measure things like, are women getting mammograms, are children getting vaccines. These are critical measurement components to determine whether we are, in fact, improving quality in this nation. We are currently working on performance measures at the physician level.
NCQA commends the HHS for building a framework for privacy. We, ourselves, have standards in our accreditation which protect the confidentiality of patient privacy information.
The public policy challenge becomes how to strike the appropriate balance between protecting the privacy of a patient's health care information and ensuring that we do not adversely affect the complex flow of information throughout the health care system necessary to advance the nation's quality agenda.
Health plans today are not merely bill payers. They play very critical roles in our health care system. They are intimately involved in prevention and disease management, quality assurance, quality improvement and patient safety, utilization management, performance measurement and private accreditation.
We fear that the current privacy reg as drafted seriously impedes the flow of information to health plans necessary to perform these critical functions.
The philosophy of the role of the health plan, as rooted in the federal HMO act, is supported by Medicaid and Medicare.
The policy individuals we have talked to at CMS are as deeply concerned about the unintended consequences which impede the flow of information as NCQA is.
Private accreditation organizations and employers also depend on this information.
Over the past number of years, health plans have invested significant dollars in improving quality. I just am going to put up one graph that shows you the real important role the health plans have played and what they have achieved over the last four years alone.
You can see that, in measuring cervical cancer screening, health plans, through their participation with physicians, have been able to improve cervical cancer screening rates from 70 to 78 percent.
They have improved the use of beta blockers from 63 to 89 percent and, in only three years, they have improved the rate of chicken pox vaccine from 64 to 71 percent.
If the regulation is not changed, this critical work will be impeded. We have already heard, in the most recent round of HEDIS data collection, that providers are refusing, based on the preamble language, to pass this information on to health plans.
If you look at the Institute of Medicine's most recent several reports on crossing the quality chasm, we should note that information is the means by which integration of providers and plans can effectively be deployed to deliver high quality care.
As well, it is estimated that medical errors contribute to the premature deaths of between 44,000 and 98,000 people a year in U.S. hospitals.
The flow of information from the provider level to the health plan level is critical to address these issues.
Our first and foremost concern is over the preamble language and clarification that was issued in the most recent policy guidance, which impedes the flow of information vital to health plans for health care operations.
Specifically, the preamble states that one covered entity may not disclose protected health information for the operations of a second covered entity.
Therefore, even if the provider obtains consent, in order for treatment, payment and health care operations, that consent is not sufficient to permit the provider to transfer that information to the health plan for its operation.
We believe this preamble and the policy guidance need to be clarified, at a minimum to indicate that consent obtained at the provider level is sufficient to allow this kind of transfer of information for health care operations, which support quality improvement, accreditation and the various functions I ran through before. Without this, the quality agenda will be seriously jeopardized.
As I indicated before, we are already hearing, from the health plans that we accredit and from the AAHP and others, that providers are right now refusing to hand this information over.
We cannot continue this quality work if we have to rely purely on administrative and billing data. You need access to the medical records to actually perform the kinds of coordination of care that NCQA requires for accreditation.
We need access to the medical records to actually audit whether health plans, in fact, are getting valid information.
Much of this information is not available through the billing system and you need to actually go back and check the medical record to assure that children have had their vaccines, that there was a prescription written for beta blockers, even if it wasn't filled, and these sorts of activities.
In addition to the preamble language, we also support the position that DHHS should go back to the original recommendation under the proposed rule, that we delete the consent requirement for treatment, payment and health care operations.
We believe that in order for physicians, who are the only ones who have direct access to the patient, to have to spend the time and effort required to explain what is involved in all kinds of health care operations, what does it mean for HEDIS data collection, is not a meaningful consent on the part of the patient.
It is going to be time consuming. Patients are going to have a difficult time understanding it. If they revoke the consent, as Ms. Henderson indicated, this data is so integrally involved in health plan networks and data systems, that it is going to be an administrative nightmare to try to enforce that.
In addition, we think that if you look at the current policy issues as well, there is a great deal of distrust between many physicians and health plans, and their willingness to advocate or to obtain consent to transfer this information to the health plan for health care operations, is unrealistic.
One other issue that I want to just very briefly address, and it is written in more detail in my testimony, is the fact that we also believe that the minimum necessary rule creates the same kind of barriers to the flow of information to the health plan.
This is another area in which we are hearing already that physicians who need to give access to the medical records to the plans are citing as a reason why they cannot make that information available.
I thank you for the opportunity to raise these critical issues, which we believe need to be addressed in order not to seriously damage the quality agenda.
MR. ROTHSTEIN: Thank you. Clarifying questions from subcommittee members?
DR. ZUBELDIA: I am a little bit confused with that slide that you just had on the screen. This is talking about the provider disclosing PHI to a health plan.
MS. DONOHUE: Yes.
DR. ZUBELDIA: I thought you were talking about the provider obtaining consent for the health plan's further disclosure.
MS. DONOHUE: I am talking about the flow of information between the provider to the health plan, for the health plan's operations.
The current preamble and the policy guidance state that even if the provider obtains consent for health care operations, that is not sufficient to allow that provider to transfer that information to the health plan for its health care operations, which include functions like accreditation, quality improvement.
MR. ROTHSTEIN: Thank you. Mr. Kelly?
MR. KELLY: Thank you. I am Bruce Kelly, director of government relations for the Mayo Clinic. As I mentioned, I am also testifying on behalf of the Health Care Leadership Council.
While the examples and recommendations I am going to make are basically from the perspective of Mayo, these recommendations are consistent with the Health Care Leadership Council as well.
Both these groups, Mayo Clinic and the Health Care Leadership Council, have a long history of involvement in this issue.
I have spent many, many hours around many, many tables dealing with this. Both these organizations want to protect the confidentiality of patient information, but both organizations also understand that the flow of information is vital to the provision of high quality health care.
We have -- both these information -- consistently supported national uniform standards to protect confidentiality.
I am glad consent is actually the issue I was asked to address, because I think this is the major problem with the final rule that HHS has put out.
I would hope that what HHS would do is to cure the problem, rather than trying to manage the symptoms.
I would first say that our proposal to cure the problem, as others have supported as well, is to go back to the NPRM's approach of a statutory consent.
I will describe some of the ways that we can try to manage these problems if you don't do that, but I want to make it very clear that our recommendation is to go back to statutory consent.
I think this consent issues, one of the things that troubles me is that it seems to be a solution in search of a problem.
We have heard, over the congressional hearings and hearings that this committee has held and others, about people's concerns with the confidentiality of their information.
I have never heard patients indicate that they believe there is a problem with the health care provider that they go to for care using information about them to provide treatment, to bill them or their insurance company if they choose, or to run their institution and its operations that are designed to take care of issues of patient safety, employee safety, other vital health care operations.
I think the whole consent approach is trying to deal with something that really isn't a problem from the patient's perspective.
What is the reality of this situation that we have to go forward with this world the way it is? I think what is going to happen first is, providers will require consent for treatment, as they certainly are allowed to under this law.
So, what have you gained? The patient comes. He is told, here are all our information practices. Here is a consent form. If you don't sign it, we won't treat you. I don't think it really has accomplished a great deal.
What it will cause, though, is tremendous patient inconvenience, all kinds of new paperwork, and I will mention a few focus group things we have done on this that shows some fairly negative reactions on the part of patients.
As far as patient inconvenience, one of the unintended consequences that was noted by the DHHS guidance document is this issue of the first encounter.
You call up for a first appoint and we cannot schedule tests, we can't even schedule your appointment because, to do that, you have got to tell us what the problem is.
Once we know your name and the nature of your problem, we have protected health care information and, until we have prior written consent, we can't use that for health care operations such as scheduling an appointment.
HHS recognized that as a problem. They also recognized the pharmacy issue of the called in prescription and the first time you go to refill a prescription.
Those are some examples of these tremendous patient inconveniences that are going to be out there.
The other thing, though is, -- and this comes through in these focus groups that I mentioned. We have been testing some of these notices and consent forms with selected groups of patients.
The reaction of patients is not that this is something to protect them. Their reaction tends to be anger, confusion is probably the biggest one, and at the end of the process, that it was a waste of time.
The anger is usually focused by these patients back at us, not the government. Why is Mayo doing to us. What are you trying to hide. Are you just trying to protect yourselves. These were some of the reactions we have gotten.
We had tried, in these examples we were using, not to take the kind of hard coercive approach of sign or else. We tried to gently show people that that this was a requirement that was intended to protect their privacy.
At the end of the day, as soon as they found out that they needed to sign in order to be treated they said, well, why didn't you just tell us that in the first place. That is the bottom line.
I think there is a lot of confusion. Patients are having negative reactions. That creates right off the bat, in effect, an adversarial type of relationship, while what you want to establish is a therapeutic relationship.
We as providers are patient advocates as well. We want to be advocates for our patients. We want to protect their confidentiality. We want to reassure them of that.
I want to mention briefly here one of the questions that was submitted to this group that I want to comment on, because it really gave me kind of cold chills when I saw it.
That was whether or not this consent requirement should be expanded to the so-called indirect providers.
Obviously, since we are in favor of going back to statutory authorization, we certainly don't want to see the consent expanded.
I have got to tell you, that is an issue for an organization like Mayo that is a nightmare. Mayo is a very highly integrated, multi-specialty group practice, physicians, hospitals, home health, nursing care all under one umbrella organization with referrals internally to many different specialists. We also get a lot of referrals obviously from external forces.
If this were expanded to require consent at every one of these encounters, it would absolutely destroy the integrated model. So, I wanted to make sure I addressed that one question. I was very surprised to see it, and I want to make sure I make that clear.
So, the bottom line, we would hope that you would cure the problem rather than just trying to manage it. If we have to just manage this problem, I think there are four critical issues that at least we have identified.
Two of them, HHS acknowledged in their guidance. That is the pharmacy issue and the first encounter issue, which I mentioned.
The other two, which have also been mentioned by other witnesses, are the transition issue, what happens to all these records that we now have in our possession with no authority to use, and then the revocation issue. What happens when a patient revokes their consent, and we have all this information and some of it has migrated into other systems and there is really no way to pull it back out.
Also, a lot of that information is vital to have a complete set of data when you are dealing with issues like patient safety, employee safety and many other types of health care operations.
In my written testimony, I delineated a long list, based on the HHS rule, of the types of health care operations we feel that a revocation should not apply to.
Again, as I say, those are ways of managing the problems we would hope for a cure. Thank you.
MR. ROTHSTEIN: Thank you. Questions from the subcommittee for clarification?
Ms. Blevins.
MS. BLEVINS: Thank you, Mr. Chair, and the committee members for devoting this timely public health to examine how the new federal medical privacy rule affects patient consent, and the principles of health care ethics.
I appreciate the opportunity to testify. I am going to focus on concerns raised by thousands of citizens who took the time to submit comments to HHS, opposing access to their personal health information without their consent.
The National Committee on Vital and Health Statistics subcommittee staff asked witnesses to address one of four questions submitted to panelists.
Today, I am going to focus on the following question. How, if at all, does the privacy rule affect the principles of health care ethics applicable to patient consent.
The medical privacy rule that was published in the Federal Register on December 28, 2000, and approved by President Bush in April 2001, imposes a major shift in health care ethics applicable to patient consent.
For the first time ever, in our nation's history, the Federal Government is going to decide, for each and every citizen, who can access his or her health information, including genetic information.
This is a major shift away from the precious health care ethics we have known for many years in this country, the ethics of consent, personal autonomy, and confidentiality.
With regard to disclosures of personal health information, the concept of informed consent has been defined as a person's agreement to allow personal data to be provided for research and statistical purposes.
The individual's agreement to share information is based on full exposure to the facts the person needs to make the decision intelligently.
As explained in the book titled, Private Lives and Public Policies: Confidentiality and Accessibility of Federal Statistics, informed consent describes the condition appropriate only when data providers -- i.e., patients -- have a clear choice.
They must not be, nor perceive themselves to be, subject to penalties for failure to provide the data sought.
The federal medical privacy rule does not meet this definition of consent. Rather, it coerces individuals into sharing their personal health information.
The rule codifies a new ethical code for medical care in the United States. Individuals now may be denied medical treatment for failing to share personally identifiable information for purposes of health care operations, a broad term encompassing many uses.
Patient autonomy is another important health care ethic that is going to be severely affected by the medical privacy rule.
Respect for personal autonomy is the most frequently cited moral principle in the literature of informed consent.
It includes the ability to remain free from authoritative interference and to control one's personal affairs.
Self governance is the hall mark of personal autonomy. Since the federal medical privacy rule limits individuals' ability to control access to intimate details about their personal lives, the rule represents a major shift away from personal autonomy toward authoritative control over individuals' personal lives.
Confidentiality is yet another vital health care ethic that is impacted by the new rule. For many years, the patient doctor relationship has been viewed as a sacred relationship. In fact, the Hippocratic oath stresses confidentiality.
The Florence Nightingale pledge that nurses have taken for years includes a pledge to confidentiality.
There is no question about it that today the sacred doctor patient relationship is in jeopardy. The same technological advances that brought us high tech life-saving medical treatments have also increased the risk of medical privacy invasion.
Additionally, the Health Insurance Portability and Accountability Act of 1996 lays the groundwork for a national health information system.
I don't think most Americans are aware of this. I don't think that most know that personally identifiable health information about millions of citizens soon will be coded according to national uniform standards, and that the information will be compiled, stored and transferred electronically over the internet.
I want to stress here that simply because we have wonderful technology that facilitates the exchange of medical information electronically does not mean that we should eliminate the fundamental ethical constructs that have guided our physicians and nurses for years in this country.
Considering the forthcoming health information system, we should be working toward strengthening, not weakening, the important ethical concepts of consent, personal autonomy and confidentiality.
In fact, a majority of Americans strongly support informed consent, when it comes to sharing personal medical information.
Because of the time limit, I am going to skip. I wanted to share information from a national Gallup survey that we commissioned.
The bottom line is, people care a lot. They don't want many third parties having access to their medical records, especially banks which, by the way, are not covered by this rule.
I would highly recommend that people take a look at that Gallup survey.
Instead, I am going to skip on to the very important issue of how this medical privacy rule affects an individual's ability to have consent with their doctor.
As you probably know, the federal medical privacy rule went into effect on April 14, 2001, and health care organizations have up to three years to comply with the rule, depending on their size.
Once the rule is in full effect, Americans are going to be asked consent forms to release the medical information for treatment, payment and health care operations.
It is not clear whether citizens are going to be fully informed about how many third parties will have access to their information for these purposes.
Also, under the rule, individuals are not guaranteed the right to restrict access to their records for these purposes and, as has been previously said, physicians now can refuse to treat patients for not sharing their information.
I think probably one of the most astonishing things about this rule that the public hasn't been informed about, that the media hasn't covered, is that right now, under this rule, you are going to be basically coerced into sharing information for health care treatment, care and operations.
Yet, when you go to get an accounting of disclosures regarding when your records are released, you will not get an accounting of releases related to health care treatment, payment and operations.
To put it succinctly, your personal information, including genetic information, could be shared a thousand times over the internet, shared to payers, banks, you name it, and you will not be given an accounting of that.
If you get an accounting of your disclosures, all you are going to see is that it was shared with two marketing companies. I think this can be extremely costly to privacy.
Another very important issue is that patients are being told by the media that they are going to be able to demand stronger privacy protections than offered by this federal rule.
However, they aren't being told that physicians and other providers don't have to agree with that. However, even if the provider agreed to abide by stricter confidentiality, the rules say that such an agreement is preempted by a section of the rule, Section 164.512.
This means, bottom line, that doctors can't guarantee patients confidentiality under this rule, because they are prohibited from entering into valid agreements to protect patients' medical records for a whole list of uses, which I have included in the written testimony.
Why should individuals be concerned about the rules' impact on their ability to control access to their information?
There are many reasons, but I am just going to summarize two here, and there are several more included in my written testimony.
Probably one of the most important is, once the individual's medical records, under this rule, are disclosed to a third party other than a business associate, the final rule no longer protects that information. Gone, no more protection.
Another important issue is that the final rule does not cover the procurement of the banking of blood or body tissue. I am going to read a quote from the rule.
As per the procurement or banking of organs, blood, including autologous blood, sperm, eyes or any other tissue or human product is not considered to be health care under this rule.
Organizations that perform such activities would not be considered health care providers when conducting these functions.
We all know, because blood, sperm or body tissue contains genetic information, lack of privacy protections in those areas will have far reaching effects for millions of Americans.
Individuals and their doctors and other providers should be free to enter into private agreements regarding disclosure of individual medical information, including genetic information.
Now, we have state contract laws we can turn to for this. We don't have to make a new rule to do this, but we have to make sure that this federal privacy rule does not preempt any state contract laws.
Clearly -- and I am going to stress here that I am strongly supporting individual rights -- that an individual's rights end when he or she become a threat to society, absolutely.
Until that burden of proof has been made clear, we must continue to uphold an individual's rights, and important health care ethics of care, personal autonomy and confidentiality. Thank you.
MR. ROTHSTEIN: Thank you. Any clarifying questions for the final witness? The floor is more open for more general questions on the topics raised.
DR. FITZMAURICE: A question of Sue Blevins. In hearing and listening to your testimony, are you for the privacy rule but it doesn't go far enough, or are you against the privacy rule?
MS. BLEVINS: I am not taking a position on the privacy rule. I just know that it should not interfere with an individual's ability to enter into private agreements.
If the majority of citizens want such a rule, I think they should be free to have it. I know, for example, that my mother wouldn't have to do the work of signing a contract or figuring out her level of privacy. She would be comfortable with this rule.
I have another family member -- you know, I try out these policies on real people and ask them what they think about it -- they wouldn't feel comfortable with this at all.
I am not taking a position on the rule and I am not saying to get rid of it or keep it. If you are going to keep it -- and it looks like it is staying -- it should be very clear that this federal rule will not preempt state contract laws.
MR. ROTHSTEIN: Just a reminder, I want to remind our panelists as well as the committee members of something I mentioned earlier, that we are being broadcast live on the internet, in case that influences anything you care to say.
DR. HARDING: You kind of brought into focus the issue of individual's rights versus the public's health, the efficiency of systems, the kinds of things that are used to help large numbers of people as opposed to individual rights.
That has always been tough for many of us to kind of wrestle with. I assume from what you are saying is that the individual right is preemptive, that in your case you feel that is very much above the efficiency of the system, to carry out good public health kinds of research and utilization and others are talking about in their systems, or am I misunderstanding?
MS. BLEVINS: No, and that is an excellent question. I have in my written testimony, I bring up the fact that people always bring that up. What about the public's health.
I went to a school of public health. I have a master of public health degree, and I love statistics, by the way, so I appreciate the work that is being done and I understand the need for public health.
The bottom line is, I think we have to find where that line is. I would say that the individual's right preempts the public good unless that person is a threat to society.
We have proof that consent works. We have had it for a time in this country. Yet, we have had wonderful advances in health care. We have been able to collect statistical information over the past 60 years.
Look at the advances that we have had with consent in place, with patients being able to decide who can see their records.
I would also support a hospital and institutions -- I have worked at major teaching hospitals -- their right also, the provider's right to say, this is the way we function efficiently. If you want to be treated here, you have to share this information.
I support that, believe it or not, but I still think the individual should be free to say, I will try to find another hospital.
Maybe they won't, but I still think that once we do away with individual rights, the bottom line is that you are free or you are not to maintain a confidential relationship.
This slippery slope, I think, is really taking the individual out of the driver's seat and putting in someone else there. In this case, it is the Federal Government with the federal rule.
MR. KELLY: Could I comment just briefly on that? This rule does allow a patient and a physician or whomever to place more restrictions on the use of information.
You could, I believe, in theory negotiate whatever kind of restrictions you wanted with your physician or health care provider. I am not sure how many of them would agree to those kinds of restrictions. I do think that element exists within the context of that rule.
MS. BLEVINS: Could I just respond that actually there is a section -- and it is cited in my written testimony -- that states clearly that, even if a physician agrees to a stricter level of confidentiality, section 164.512 lists a whole list of other purposes that would preempt that agreement. So, you don't have that right.
MS. DONOHUE: I would like to comment as well. Starting with the IOM report and others, there is no question that we have work to do in this country on the quality of health care.
It is only through measurement and collection of data that you can even begin to try to improve quality. I think there are, as a matter of public policy, instances in which that collection and measurement of data does override the individual rights in this case.
The individual can, as previously indicated, ask for restrictions. So, they have built in safeguards. But we need to address the quality problem.
MR. ROTHSTEIN: I have a question that I thought of when you were testifying before, and you reminded me of it now.
That is, when you said that providers were refusing to provide information about chicken pox or whatever, so that data could be accumulated, if this were in a form that is not individually identifiable, there would be nothing, as I understand the rule, to preclude that from taking place.
Is it your statement that you need that information in individually identifiable form, or is it that the providers are reluctant to share the information because they are misreading the requirements of the rule?
MS. DONOHUE: I think that providers are not necessarily misreading the requirements as currently written. So, we need to address the issue of whether, when they obtain consent, they can give any information to the health plan.
The de-identified information is not sufficient to enable the health plans to carry out many of these functions.
For example, NCQA has standards that require health plans to make sure that care is coordinated. We assess that through actually looking at the individual medical records, to make sure that the care across various providers has, in fact, been coordinated.
What we have discovered also is that, through modeling and such, the de-identified information is not sufficient to allow you to actually determine whether, for example, the HEDIS measures have been adequately complied with.
There is an audit program whereby auditors actually audit the medical record to make sure that, in fact, the information that is being passed on by the providers is accurate, for example.
If you are looking at whether a patient is involved in a disease management program or utilization review, you often need access to the medical record to be able to determine all of the background information necessary to perform those functions.
So, our position is that the de-identified information is not sufficient to enable the health plans to carry out these critical functions. There are instances in which they need access to the actual medical record.
MR. ROTHSTEIN: Is it your position that if there were a revised broader definition of health care operations, for example, to include some of the kinds of quality assurance measures that you are referring to, that would satisfy your concerns?
MS. DONOHUE: The definition of health care operations that is in the current reg is fairly broad, to encompass those things.
Our issue is that, based on the preamble language and the guidance which says that once the doctor gets the consent and it is the doctor who has contact with the individual patient, that consent is not sufficient to allow the doctor to give the information to the health plan.
So, there is no way for the information to flow from the individual provider level up to the health plan level.
DR. ZUBELDIA: That statement is still confusing to me. Are you advocating that health plans should not get consent and just rely on the doctor's consent?
MS. DONOHUE: No, what I am advocating is, the way the rule is currently constructed, it says the consent only covers the entity that collects the information. The consent to disclose it only applies to that entity.
So, the health plan never has this information. They can't get consent for disclosure because they don't have it. The doctor has it. Yet, the consent provision as currently written says that even if the doctor gets consent for health care operations, that is not sufficient to give the information to the health plan. So, there is a disconnect.
We think it is completely unintended, but we need guidance that says once the physician obtains consent, if you retain the consent requirement, that that consent is sufficient to allow information to be transferred to the health plan for these kinds of fundamental health care operations.
Right now, that is not permissible under the current preamble language and the guidance, or at least many providers are taking the position that they cannot transfer that information.
DR. COHN: I want to take this opportunity to clarify, I think, for Kepa a little bit of what you are talking about.
I think Kepa is thinking that all this information is already going to the health plan for payment, because of a previous payment arrangement.
There are many capitated arrangements that exist where that information is not routinely sent. I think you are making the case of, when that occurs, you then have no access to that information. Is that correct?
MS. DONOHUE: Correct.
MR. ALTARESQUE: On that same point, let me make sure I get your point. The consent form that somebody signs in their doctor's office is a consent for treatment and payment and health care operations of that doctor.
MS. DONOHUE: Exactly.
MR. ALTARESQUE: What you want is to allow that doctor to not only share information with the doctor's own TPO, but for the health care operations of the plan itself, not the health care operations of the treatment provider.
MS. DONOHUE: Correct. The health plans are completely dependent on the flow of that information for these fundamental functions from the physicians. They have no other way to access that information.
MR. ALTARESQUE: You understand that, under the rule, you could get an authorization?
MS. DONOHUE: Yes, but we believe that is an absolute administrative burden that is a nightmare. The health plan doesn't even have access to the patients in the same way that the physician does. So, we do not support requiring an authorization.
MS. HENDERSON: Even as an organized health care arrangement, if we got a joint consent to cover the health plan, the hospitals and the med groups, we still believe we would have trouble doing accurate HEDIS reporting, as we outlined in our appendix. We wouldn't be able to get consent for some people, and some people would have revoked their consent.
Unless we de-identified before they revoked, and somehow that was useful, that data would not be available. So, our numerator and denominator on these statistics would be off.
MR. ROTHSTEIN: I have a question for you. In your earlier testimony, you said that one of the problems that you were having was getting consent from former patients. You mentioned 35 million or however many.
My question was, why would you need consent from your former patients? Is it for this quality review or is it for some other purpose?
MS. HENDERSON: My understanding of the rule is, unless we have a signed consent on file, which we don't for most of our members, we are not allowed to use their data.
Let's take a former member as a good example. Their data is in many of our systems at this point. Let's take the epinephrin example.
We find out a year later that there is a problem with a drug or there is a drug interaction problem.
One of the beauties of the Kaiser Permanente System right now is that we have data for anyone we prescribed that drug to over the past umpteen years, potentially going back as old as our systems are.
So, with the consent requirement, we would not be able to touch the record. In fact, we would probably have had to remove it somehow, and we wouldn't be able to access those members.
So, we have a logistics problem with how to get it out of all of our systems. We have a real problem. It is not just population-based medicine. It is potentially individual medicine.
We also, at least in our hospital-based regions, operate a lot of the emergency rooms that are left in the community. So, a former member could very likely end up in our emergency room. Unless we had gotten a signed consent from them, we wouldn't be able to use that information.
MR. ROTHSTEIN: Wouldn't that individual be the same, for consent purposes, as a stranger who came to the ER and then the emergency provisions would apply.
MS. HENDERSON: If we were able to get a consent from them in the emergency room and know that they hadn't signed one yet and know to ask them, that we could potentially get one.
The example I gave was someone in a coma, which is probably not the usual case of someone, but it is an example of where emergency care would be less than ideal, if we weren't able to use the data.
DR. COHN: Could I just clarify? My specialty is emergency medicine, and my practice. My understanding of this revocation and the consent issues around emergencies is that obviously you need to treat the patient in an emergency, and that is inviolate with the privacy rule, whether you are given consent or not.
I didn't see anything in the rule that tells me you can actually access previous information about the patient without their consent.
You are in a situation where you have to treat them, but you can't get access to the information, especially if they have revoked it or not consented about it.
So, it puts practicing physicians in a real catch 22, if you are working in an emergency department.
MR. ROTHSTEIN: I have a question for Mr. Kelly and Ms. Blevins, and maybe you can address it, either of you or in order.
In Mr. Kelly's testimony, you raised the issue of your concern about the effect of the new rule on your patients.
It seems to me that the argument has been raised, in analogous ways, with every new piece of consumer protection legislation and regulation over the last 25 years.
If we put labels on this or warnings on this or have disclosures or get consent, the individuals affected, whether they be patients or whatever, won't understand it. They will be confused and angry and so forth.
It seems to me that, just as we need provider education and health professional education, we need patient education.
With education -- and I know that is planned by the department -- it may well be that individual patients will not only become more comfortable with the concept but will, in fact, embrace it and say, why hasn't this been around before.
MR. KELLY: I think giving some kind of notice that there is a new law that affects your privacy is good. Obviously, letting the public know what is out there to protect them is a good idea.
I think the problem is with having to sign this consent when you come in to be treated. There is a sort of coercive nature to the whole relationship.
Perhaps over time what you say may prove to be true. I am going back to my original point. I don't think we really gain anything by having this requirement to sign this written consent.
I think the important thing is that patients know that there are protections in place, that will make sure that, when they come into a hospital or a physician's office to be treated, that there are a panoply of requirements that are now in place to protect the confidentiality of that information, that it can only be used for a very specified set of legitimate purposes, and that anything beyond that, which is where the real problems lie, is now a violation of federal law.
MS. BLEVINS: May I comment on an earlier statement as well?
MR. ROTHSTEIN: Sure.
MS. BLEVINS: I just want to mention is that, in the rule -- and maybe someone from HHS can clarify this -- the rule does not apply to information that was collected prior to the effective date.
So, any information that was collected prior, whatever was done with that in those laws, that is what stands.
MR. KELLY : It does protect it, the information that is held by a covered entity.
MS. BLEVINS: That was collected prior to the compliance date?
MR. KELLY: Right.
MS. BLEVINS: I will share information at another time with you, and a reading of a part of the rule that I would like to share with you.
Regarding the issue that you raised about consumer education, I have to share with you from my nursing experience and working at major teacher hospitals.
I worked on a urology unit, famous people, newspaper reporters, members of Congress, ambassadors, people with impotency. I worked in urology and it was very sensitive information.
I saw things, I heard things. People shared things with me that they wouldn't share with family members.
I can tell you that, what would people do if they don't have the ability to control access to their data. I can tell you, typically honest people will lie.
I have had cases where a very famous person came in and you ask about alcohol and they don't even want to tell the nurse that they are an alcoholic. So, they say one or two drinks. They go have their surgery and they come back and they thrash in the bed and we don't know if it is a reaction or if it is DTs, what is going on. We find out later that this person was an alcoholic. We don't have anything in their record.
I totally support quality care, quality research, but mis-information is worse than no information and if you get a data base full of lies, that could truly harm the quality of care in the United States.
I am not talking for me here today. I am talking to everyone in this room. I mean, is there no one in here that would like to keep something secret from their employer?
I don't know. I have a few secrets that I would like to keep. So, this isn't about me and it isn't about the institute. It is about every citizen and will they be able to do that.
At the same time, the quality of care and the efficiency, I totally understand that. I think the bottom line is that it is going to take consumer education.
I think if you prohibit consent, which is what the proposed rule would have done, you are going to destroy the quality of medical care in this country.
MR. KELLY: Could I add one thing? I agree with what you are saying. I guess where the disconnect is here, I believe that this whole HIPAA law, at in least in some of the states we operate, existing state laws, provide the protection that you are looking for.
I will go back to my original premise. I don't think that the problem that patients perceive as a violation of confidentiality is that their information is going to be shared for these very limited purposes that we are talking about here under the consent piece. I don't think that is their concern.
If you go to be treated, I believe that you feel, I need to give this information to the people who are going to treat me, and that you recognize there are some other legitimate operational needs for that information within that milieu, but it is a pretty tightly defined milieu, and that the real problems are addressed in other parts of the HIPAA rule and other state laws.
MR. ROTHSTEIN: Any other questions or comments from any members? Thanks very much to all four of you. We appreciate your coming and speaking with us. We will take a 10-minute break until 2:30, when the second panel will begin.
[Brief recess.]
MR. ROTHSTEIN: We welcome all of you back and those on the internet as well, and our second panel this afternoon on informed consent is ready to begin. So, I will begin with you, Ms. Winckler.
MS. WINCKLER: Thank you for the opportunity to testify. I am Susan Winckler with the American Pharmaceutical Association. We represent individual pharmacists in all practice settings.
What I will cover today briefly, I am not going to read for you my written testimony. I just want to hit the highlights with these slides here, and talk about the impact and I think a lot of unintended consequences of the final rule on pharmacy practice.
In pharmacy operations today, pharmacists and the pharmacies where they operate do abide by privacy standards laid out in state practice acts, board of pharmacy regulations, other laws, our code of ethics, and individual confidentiality policies or privacy policies.
Most pharmacies and pharmacists do not operate with a prior consent requirement. So, we just have to lay that groundwork. This would be a substantial deviation for pharmacy practice to move to the prior written consent requirement.
What that would mean is that, moving into the scenario of the prior written consent requirement, if a prescription is called in to the pharmacy and the pharmacy does not have a written consent on file, the prescription is set aside, and the pharmacist does not begin to enter that information into the computer.
They don't begin to evaluate the clinical appropriateness of the prescription. They don't look at the appropriateness of the duration to begin to fill the prescription at all, nor to build the third party payer, because they don't have consent.
So, all of those things stop until the patient comes into the pharmacy. Again, that is just an example of the substantial deviation in the prescription environment that we see.
I think it is important to note that payment is a factor here. In the pharmacy environment, prescriptions are billed in an on line real time environment.
In today's environment, by the time a patient comes in to the pharmacy to pick up a prescription for an antibiotic that has been called in, it has been checked for clinical appropriateness, has already been filed with the third party payer, and we have received approval to dispense that medication, and it has already been billed by the time the patient comes in to the pharmacy.
So, the payment happens almost simultaneously with the clinical appropriateness check. There is an eligibility check to make sure the product is on the formulary, et cetera. So, it is a treatment issue and also a payment issue. None of that can happen if the consent is not on file.
What does that mean in the scope of our work? Just to remind you, there were more than 3.1 billion prescriptions prepared in the year 2000, and we expect that to increase each year as we move forward. So, we are talking about a significant number of health care encounters and, although the consent is per person, we are talking about a lot of information here.
The consent we do see as erecting some barriers to patient care, at least slowing down what happens.
I think everyone who has been close to this is aware of what this means, what prior written consent, means in the prescription environment.
We wanted to touch on the activities that pharmacists perform that aren't involved directly with preparing a prescription, but are also affected by prior written consent.
This is similar to the information presented earlier this afternoon, the need to identify patients if there is a recall of an epinephrin product.
Could we go into the patient files and look for that? To touch on a current event that is tragic, in the situation in Kansas City, where you have a health care provider accused of intentionally diluting chemotherapy products, it was very important that the files from that physician's office and that pharmacy be evaluated immediately.
Even if we could justify, under the emergency circumstances, looking at that information without consent, if there is even one moment of hesitation to do that, where someone says, there may be a HIPAA problem here, that is a problem and we need to address that, so there would not be a hesitation, and that providers would do what is necessary to get to the information.
Besides simply obtaining consent, there are some challenges for pharmacists in the work that we do, in the opportunity for patients to request restrictions on the consent.
What you may have there is, obviously when the patient gives their consent, they may request restrictions on the use and disclosure of the information.
A common piece that happens in pharmacies today is that a patient may request that their prescription for a mental health medication, that it not be filed with their payer.
They simply don't want their third party payer to know about that medication. They request that they will pay cash and it will be kept out of that system.
That happens today, and pharmacy doesn't have a lot of challenge with that situation. With the consent, however, we are concerned that we may have patients who then request that the mental health medication also not be disclosed to other health care providers.
If the pharmacist were to accept that restriction -- although we may counsel them against that -- if they accept that restriction, they are put in an odd situation. They simply can't perform their functions any more.
They could identify an interaction between the mental health medication and a new medication, but when they call the prescriber to discuss it, do they tell the provider the name of the patient or the name of the drug? They wouldn't be able to disclose that information.
We have then counseled our members, as far as we know, that there are a lot of problems with accepting any of the consent restrictions, at least in the treatment area, that it will be difficult to offer those restrictions and to abide by them.
There are some questions there with the consent. If you give patients the opportunity to restrict how the information will be used, how far can you go? We would argue that you can't go very far and still meet your compliance with state practice acts, and I would assume that there would be similar problems with physicians and in other situations.
We are also concerned that the consent process, and going to each health care provider and signing a consent, may create some confusion between the consent for treatment, payment and health care operations, and the authorization for other activities, that we may see patients and providers just saying, well, here is another form that you have to sign so that we can provide these services.
That is obviously not the intent of the rule. What we want patients to be most aware of is that authorization for those other activities.
If we are creating an environment where you just sign what is put in front of you, we do see a risk that patients and providers may confuse the consent with the authorization and will lose the intent of the rule, to know what you are authorizing.
I will just say, we have to confirm that there will be a significant administrative and financial burden in security the consent, because this is new for pharmacy.
We will also say that we are still concerned about the vagueness of what is required in the rule. We have to take reasonable precautions against accidental disclosures. What does that mean for a pharmacy that announces over the public address system that a prescription is available.
Is that okay? We think it is, but there is a lot of kind of shifting sand here.
I have one comment on the HHS guidance document, which has been helpful in answering some questions, but it also raises a situation that I think is a great example of this rule and the impact that it has.
The guidance clarified that a pharmacist could counsel a patient on the selection of an OTC product without getting consent, if they did not record that information in the patient's record.
That doesn't really make sense. If I am a pharmacist and I am providing a consultation to a patient who I know has hypertension; therefore, I recommend against them buying a decongestant that would interact with their hypertensive medication, that is an interaction I would like to document in their patient record, because then we know we have guarded against that.
In this situation, it is okay to do the consultation without the consent, which obviously facilitates that. On the other side, it has created a problem, because if you don't have the consent, you can't document it. We just raise that as a question here.
Finally, the options that APHA would pose will agree with many of the folks on the first panel who said statutory authorization is really where we would like to go.
In the absence of a statutory authorization, there have been some individuals who have talked about the prescription serving as an initial consent, so that at least the prescription could begin to be prepared, and it takes care of some of the challenges that the profession sees.
Another alternative is changing the prior requirement, although that raises questions about the validity of the consent, if it is not provided prior to the use and disclosure of information.
A final one that has been recommended by many folks is one consent form for treatment, payment and health care operations, although that also creates some challenges among health care providers, in knowing who has what type of consent.
Finally, I think it is important for all the folks who are affected here that the compliance date for this regulation should be two years after the last change.
We have pharmacists who are trying to prepare for this, but have the rules changing underneath their feet. We have a promise to change the prior written consent requirement for prescriptions, but we don't know how that will change. Thank you.
MR. ROTHSTEIN: Thank you. Clarifications from subcommittee members? Dr. Goin?
DR. GOIN: Mr. Chairman and members of the committee, I am Marcia Goin, vice president of the American Psychiatric Society, a medical specialty society representing more than 40,000 psychiatric physicians nationwide.
I am also past chair of the APA committee on confidentiality. I am a clinical professor of psychiatry at the University of Southern California Medical School, department of psychiatry, providing care to the indigent and underfunded population at the Los Angeles County General Hospital.
I am testifying on behalf of our profession and hundreds of thousands of patients that we serve.
Regrettably, it is often overlooked that confidentiality is an essential element of high quality health care. As has been described, some patients refrain from seeking medical care, or they drop out of treatment, in order to avoid any risk of disclosure of their records, and some patients simply won't provide the full information necessary for successful treatment.
Patient privacy is particularly critical in ensuring high quality psychiatric care. Since my referenced congressional testimony of 21 years ago has been presented, the critical importance of patient privacy to high quality psychiatric treatment, the reality has been confirmed.
Both the Surgeon General's report on mental health and the U.S. Supreme Court's Jaffe Redmond decision conclude that privacy is an essential requirement for effective mental health care.
The Surgeon General's report concluded that people's willingness to seek help is contingent on the comments received, on their confidence, the personal revelations will not be disclosed without their consent.
In Jaffe, the court held that effective psychotherapy depends upon an atmosphere of confidence and trust. For this reason, the mere possibility of disclosure may impede the development of the confidential relationship necessary for successful treatment.
Accordingly, the APA commends the administration and Secretary Thompson for moving forward with the implementation of the regulations and evidencing their commitment to protecting the privacy of the medical record advancing patient privacy, which we as physicians believe our patients and families need.
Health care plans and clearinghouses should be required to obtain a patient's meaningful consent before their medical records can be disclosed for treatment, payment or other health care operations.
The regulation should not be limited only to health care providers obtaining an individual's consent. Patients should be able to choose who should see their medical records.
This is a huge hole in the privacy coverage. The existing medical and legal obligations require physicians to handle patient information confidentiality, and are enforced through state law and medical licensing boards.
As you recall, there are provisions in the regulation regarding comatose patients. We suggest these have a relationship to the APA's unique professional concern with respect to the matter of respecting the health information of involuntary patients being treated for mental illness or substance abuse pursuant to state law.
The privacy regulation does not make an exception for involuntary patients who refuse to sign a release permitting the use and disclosure of their medical information.
We respectfully suggest, and would welcome the opportunity, to work with NCVHS to achieve that goal in your recommendations to HHS.
The APA is concerned about the disclosure of medical records for judicial and administrative proceedings. Patients will lose some existing privacy protections, because the current practice of hospitals and doctors, generally requiring patient consent before disclosure, will change as a result of the regulation.
A patient's ability to decide when their medical record information will be disclosed outside the health system will be reduced.
For example, currently, when hospitals or doctors receive a request for a medical record from an attorney for civil and administrative purposes, they will generally not disclose medical record information without the patient's consent.
The new regulation would allow providers to disclose medical records information in response to a subpoena, discovery request or other lawful process that is not accompanied by the order of a court or administrative tribunal, as long as reasonable efforts are made by the party seeking the information to give notice of the request to the patient, or to secure a qualified protective order.
These procedures provide no check on attorneys' behavior in requesting records of marginal relevance to a case, or for the purpose of embarrassing or intimidating opposing parties.
Once the information is disclosed, the damage is done. Post hoc remedies cannot restore a party's privacy.
The APA is pleased the administration understood and appreciated the critical importance of requiring a higher level of authorization for the use and disclosure of psychotherapy notes.
However, we believe that it is essential that the definition of psychotherapy notes needs to be expanded.
While the APA is presently developing a formal policy position on psychotherapy notes, there has been an overwhelming consensus -- it would be more accurate to say unanimous support -- which has already developed among our psychiatric physicians, about the critical need to ensure the inclusion of medication prescriptions and monitoring, counseling session start and stop times, the modalities and frequencies of treatments furnished, results of clinical tests, and any summary of diagnosis, functional status, treatment plans, symptoms, prognosis and progress to date.
Additional protections consistent with the Supreme Court's Jaffe v. Redmond decision for mental health and other particularly sensitive medical information are essential.
Without such additions, the protections essential for effective mental health care will be lost. This is necessary until all medical records enjoy a level of protection so that no additional protections are needed for psychiatric and other sensitive information.
APA believes that the rule allows for the use and disclosure of far too much information without the patient's consent.
We also believe that language needs to be added to clarify that privacy protections cover treatment modalities broader than psychotherapy, and also cover information that is part of the patient's medical record.
The regulations change the current standard of practice relative to the psychotherapy documentation. There is a new requirement for keeping a second set of records, which most psychiatrists do not now do, which will result in increased time, difficulty and cost associated with record keeping.
The APA also wants all Americans to be free from unreasonable police access to their most personal medical information.
The regulation falls short in this area. Under these regulations, law enforcement agents would simply issue written demands to doctors, hospitals and insurance companies to obtain patients' records, without needing a judge to review the assertions.
We are also very concerned by the separate provision that would allow for the release of medical record information any time the police are trying to identify a suspect.
This broad exception would allow computerized medical records to be sifted through to seek matches for blood or other health traits.
In addition, the provision that allows disclosure on the basis of an administrative subpoena or summons, without independent judicial review is particularly troublesome.
We believe the same constitutional protections -- fourth amendment, probable cause standard, including independent judicial review for all requests -- should apply to a person's medical history as applies to their household possessions.
We are concerned that the critical issue of informed consent with respect to a patient's treatment at a facility for the purposes of marketing or fund raising has inappropriately placed patients in a second class citizenship.
We are hopeful the commission will agree with the APA that marketing or fund raising endeavors have a patient consent or opt in before the activity occurs, rather than the regulation authorizing the patient to opt out of any further fund raising or marketing endeavors.
In conclusion, we believe the privacy regulations are very much needed. At the same time, we believe such provisions are inadequate to protect our patients.
Our greatest concern is that certain parties who were disappointed in how protective these regulations are of patient privacy will, in support of their own interests, be arguing for surrendering many of the protections that patients have just gained.
In order to ensure that interested stakeholders and regulatory pundits do not diminish medical record privacy protections, we recommend that the Secretary not only receive all interested stakeholders, such as insurers, providers, health care clearinghouses and consumer groups comments, but use his regulatory authority to work with the stakeholders' representatives to find solutions.
I thank you for this opportunity to testify, and we look forward to working with the committee on medical records privacy issues. I would be pleased to answer your questions.
MR. ROTHSTEIN: Thank you. Are there clarifying questions from the subcommittee?
DR. ZUBELDIA: At one point you recommended that clearinghouses and payers obtain consent from the patients. Will this be directly from the patients or through the providers? Clearinghouses never see the patients. Payers probably never see the patient. They see the insured.
DR. GOIN: There should be a requirement, a consent, so that we do know where the information is going, that the clearinghouses have the same sense of responsibility to maintain the privacy and the liability for that, that the providers have.
DR. ROTHSTEIN: Thank you. Ms. Hatton?
MS. HATTON: Thank you. My name is Melinda Hatton and I am appearing here today on behalf of the American Hospital Association and its nearly 5000 member hospitals, health systems networks and other providers, all of whom are committed to meaningful patient privacy, and many, many aspects of this HIPAA regulation.
Before I start, I want to take a minute to both endorse and commend the comments of my colleagues at Kaiser Permanente and the Mayo Foundation, on their remarks on consent. We are in total agreement with both their position and the rationale that they articulated so well for you.
Let me start off by giving you sort of the framework for my comments, which I am sure you are grateful that I am not going to read.
First, is a practical comment, and it is one that HHS raised in their most recent guidance. Let me put this in terms for you that I think are as real as they can possibly be.
Imagine that you have had a particularly robust season of rugby and your knee is in rather bad shape. So, you go to your doctor's office, and your doctor determines that your really do need to have surgery and you need to have it soon.
Under the system the way it currently works, the doctor could pick up the phone, call the hospital and schedule surgery for you, and that process would be relatively easy and painless at least until you underwent the surgery, for the patient and for the doctor.
That is not the way it will work when HIPAA becomes effective. No longer will hospitals be able to schedule surgery, x-rays, any other procedure for patients, until the patients have received a privacy notice that, in the example that we have had -- the model that we have compiled is at least 10 pages -- have actually received that physically, read that, and then signed a written consent form and returned it to the hospital.
As you can imagine, perhaps for you and me in the age of fax machines and electronic communications, that might be a slight inconvenience, but we might be able to do it.
Imagine rural or elderly citizens. What a major inconvenience that is going to be for them and, in many cases, will be a real impediment to getting timely care.
It is something that HHS has recognized and promised to address in future modifications to the rule.
I want to make it clear, on behalf of the AHA, we are not questioning the need for patients to receive a notice of privacy practices.
In fact, I think nobody on any of these panels has questioned the need for a robust privacy notice, so that patients understand how doctors and hospitals and other covered entities are using their information. That is really essential, and that is essential in any privacy regime that you look at, whether it is online privacy or the new financial privacy laws, or even the way the European privacy laws are configured.
The notice of information practice is really essential. What we are asking be made discretionary is this consent form, which patients must see and sign before they can get any care at all.
Again, it is a practical impediment to care, which really is totally unnecessary, because the consent form itself, where you put your signature, doesn't add to the privacy protections to which the patients are entitled.
Those privacy protections, the notice of privacy practices, are all embodied in the privacy notice.
The second concern that I want to talk about and another, I think, compelling reason to make the consent obligation discretionary rather than mandatory, is a practical one for patients.
Bruce Kelly of the Mayo Foundation, I think, raised this when he talked about some of his focus groups.
The fact is, we have been talking to a number of hospitals and asking them how are they going to implement this written consent requirement.
Intermountain Healthcare, in fact, in the comments they made in April on the newly opened rule, really posed a dilemma that I think, again, makes a compelling case for making this discretionary.
They said, we believe we have two choices. We can either ask patients to sign this consent form and presumably get the notice every time we see them, whether that is once a year or once a week or five times a week, or we can design and build a hugely complex and expensive computer system to track these consents.
Again, this is recognizing that there is no additional patient privacy benefit from signing this consent form.
We are also hearing from other hospitals and other associations, like the SNIP organization in Nebraska, who tells us that they are going to be advising all their hospitals in Nebraska that each time the patient walks in the door they must sign a consent form, because of the difficulties in variations in tracking these forms.
I will tell you that I think -- again, like the focus group from Mayo -- that patients will not like the obligation of having to fill out this unnecessary paperwork every time they come to a hospital or a provider.
I think, in addition to Mayo's focus group, there is also a very good contemporary example. All of you, I am sure, have bank accounts, credit cards and other relationships with insurance companies.
This spring, nearly a million privacy notices were sent out by those institutions under the Grandlich(?) Wiley financial privacy law.
Newspaper reports indicate that we as consumers got between 15 and 25 of those notices, and that we didn't like them.
Consumers do not like being barraged with unnecessary paperwork, which is what this written consent form is, again, without providing any meaningful privacy protection. The written form is simply a paperwork requirement.
For hospitals, I think this is particularly compelling. The AHA recently did a study entitled, Patients are Paperwork.
What we found is that, for each patient visit, each time the patient comes into the hospital, there are between 30 and 60 minutes of paperwork per hour of patient care required, in order to meet various federal mandates. We didn't even really look at the state mandates. These are federal mandates.
This consent form, this paperwork required by the consent form, is simply going to add to that, again, without providing any meaningful privacy protection.
I think it is really important, again, because this privacy law and, as one of your previous speakers indicated, medical privacy is important to Americans. It is important to all consumers. It is important that they feel secure about medical privacy.
It is also, I think, important that they support this rule and its implementation in the way providers implement it.
I think that there is a very real possibility that consumers, barraged with unnecessary paperwork, will question the value of the whole medical privacy rule, if we don't make it more workable for them, while retaining the meaningful privacy protections, I think, that are really at the core of HIPAA.
I would urge you -- again, I have a longer statement where I articulate some of these arguments a little further -- but I would really urge this panel to look at the privacy protections that are really important to patients, and then look at the paperwork requirements that really aren't important to patients.
I think it is important to preserve the privacy requirements that are really at the heart of HIPAA, and I think that is the privacy notice.
I think the written consent form is really a piece of paperwork that raises serious problems, impediments to patient care, and really threatens to frustrate, I think, public and provider support for what should be a very meaningful privacy rule.
MR. ROTHSTEIN: Thank you. Clarifications?
DR. ALTARESQUE: I was a little bit confused when you were saying that a number of providers will ask patients to sign a consent form each time they come in for care.
As you know, we have clarified that you only need to provide consent once and that will cover all subsequent treatment, payment and health care operations. Could you explain that?
MS. HATTON: I would be glad to. You are exactly right. Technically, under the rule, you only need to get consent once, technically under the rule.
The question is, how do you meet the requirements of the rule to track consents, to know, every time the patient comes in the door, that in fact there is a valid written consent on file, that they haven't revoked, that there aren't limitations that you are not aware of.
There is no practical way to do that for many institutions, other than to get you to sign that consent form every time you walk in the door.
You are right about the technical requirements, but I think this is one area where you need to look beyond the technical requirements and ask how it is really going to be implemented for patients and how institutions are going to do it.
That is why I think the comments of Intermountain are so important, and their very careful review of how they are going to make this rule work for patients.
Then also the reports we are getting from, for example, the SNIP group in Nebraska where they are saying, look, we are looking at how the rubber really meets the road here on this rule, and this is what we are going to tell hospitals.
So, you are exactly right. In order to meet the obligations of a statute -- let me remind you that there are both civil and criminal penalties for failing to meet the obligations under the statute -- that is the way many hospitals are going to, and many other providers, I think, are going to elect that they really have little choice but to implement it in that manner.
MR. ROTHSTEIN: Thank you. Ms. Darrah.
MS. DARRAH: Thank you, Mr. Chairman. I am here representing the American Medical Association, its physician and medical student members.
We appreciate the invitation to testify before the subcommittee on the consent requirement provided in the privacy rule.
Today I will briefly summarize the AMA policy on consent, provide suggestions for improving the workability of the consent requirement, and identify remaining ethical considerations pertaining to the current consent requirement.
Let me begin by saying that the AMA is both pleased and disappointed with the consent requirement in the privacy rule.
The privacy rule is consistent with AMA policy, in that it will require most providers to obtain patient consent prior to using or disclosing a patient's health information to carry out treatment, payment or health care operations.
However, we are disappointed that the consent requirement has many unintended consequences for patient care and the patient physician relationship.
The current consent requirement is consistent with AMA policy. The AMA policy states that, where possible, informed consent should be obtained before personally identifiable health information is used for any purpose.
However, in those situations where specific informed consent is not practical or possible, either the information should have identifying information stripped from it, or an objective, publicly accountable entity must determine that patient consent is not required, after weighing the risks and benefits of the proposed use.
The AMA vigorously promotes this policy, because the AMA considers patient autonomy to be a fundamental element of medical ethics.
When confidential health information is used or disclosed without the approval of the patient, control of sensitive health information and patient autonomy has been taken away. Trust in the health care system is lost.
Since the privacy rule was published, there has been a debate over whether written consent should even be required of health care providers or whether it should be optional.
The AMA believes that the requirement to obtain consent honors the rights of individuals. To truly obtain consent means to inform the patient of the privacy practices of the provider or plan, and to provide the patient with a choice.
Mere notification of an entity's privacy practices does not rise to the level of respecting the autonomy of the patient.
Requiring providers to obtain consent also creates an appropriate incentive to de-identify information. Unfortunately, the privacy rule does not require health plans to obtain consent for payment or health care operations, with the exception of psychotherapy notes.
We believe failure to regulate the health plans in this case is completely misguided.
Some providers are now trying to remove the consent requirement, claiming it is unworkable. The AMA does not believe this broad brush complaint is a valid reason to remove the requirement altogether, or to make it optional.
At the same time, the AMA does not intend for its consent policy to compromise patient care or health care systems.
We believe that a consent requirement that accommodates the needs of patient care and is workable for providers is preferable to abdicating the principle of patient autonomy solely in the name of convenience.
Just as the privacy rule provides flexibility for health care providers who have an indirect treatment relationship with patients, the consent requirement can, and should be, modified to accommodate other circumstances.
Therefore, the AMA offers the following suggestions to ease the burden of implementation of the consent requirement.
First, the privacy rule should allow reasonable and limited uses and disclosures before a patient consent is obtained.
Physicians, hospitals and pharmacies that have contact with patients may not always have the opportunity to obtain patient consent before some uses or disclosures for treatment, payment or health care operations are necessary. You have heard several of those examples this afternoon.
We are pleased that the recently released HHS guidance states that HHS intends to modify the privacy rule to assure this flexibility.
However, the guidance only recognizes first-time referrals. Patients may need to describe symptoms over the phone, schedule an appointment or surgery, or ask for advice from a new or current treating physician before they have signed a consent form. These necessary uses and disclosures, typically initiated by a patient, should be accommodated.
Secondly, uses and disclosures of protected health information acquired or received prior to the compliance date of the privacy rule, should be allowed to continue as was legally permitted prior to the compliance date of the privacy rule, with regard to the content or existence of a written consent.
We are very encouraged that the guidance clarifies that if a provider obtained any consent to use or disclose health information for either treatment, payment or health care operations prior to the compliance date, the provider may continue to use the information for all purposes after the compliance date.
It is so important that the AMA suggests that this interpretation should be formally clarified in the modification to the privacy rule, when HHS undertakes that exercise.
Written consent currently is not required in many occasions before physicians use health information, typically for treatment.
Yet, the guidance permits only health plans and health care clearinghouses to continue to use information obtained before the compliance date for their purposes when no written consent is on file.
The AMA would urge HHS to treat all covered entities in the same manner for this purpose. If the provider is now able to legally use protected health information without written consent, the provider should not be prevented from using this information or penalized for doing so after the compliance date.
A third suggestion is that the privacy rule should apply a good faith standard to the right to request restrictions and the right to revoke.
You heard some of the circumstances that can occur in the health system when the patient exercises their right to revoke. I am going to address mainly the issue of the right to restrict information.
Some patients understand that their physicians can only promise to do their best to restrict information, such as an attempt to limit access to patient information by certain office personnel.
As written, the privacy rule would completely discourage such agreements, because a physician would always be violating the privacy rule if he or she was not able to always honor an agreed-upon restrictions.
Physicians may no longer agree to do so. With the application of a good faith compliance standards, physicians will be more likely to agree to such requests, and patient expectations will be more realistic.
In addition to the workability of implementation of the consent requirement, the AMA continues to have ethical concerns regarding the consent requirement and the breadth of the definition of health care operations.
Some providers believe that the consent requirement should be removed or should be optional. They state that health care providers should not be required to obtain patient consent for such routine purposes as treatment, payment and health care operations.
However, many uses and disclosures allowed under the definition of health care operations are anything but routine.
When patients seek health care, they are generally aware that their information will be used and disclosed for treatment and for some general and administrative purposes.
However, most patients don't imagine that their information will be used or disclosed for many of the activities currently allowed under the definition of health care operations.
Many of these activities are not critical to the care of the patient or operation of health care facilities. Moreover, many of the functions included in the definition of health care operations may be routinely conducted with de-identified information, making consent not necessary.
There is another reason that the definition of health care operations should be narrow. The AMA believes it is appropriate for health care providers to condition treatment or for health plans to condition enrollment on a patient's consent to use or disclose their protected health information, but only when the use or disclosure will be made for purposes that are routine and necessary for the provision of health care.
It is not acceptable to condition treatment or enrollment on patient's consent to use or disclose such information otherwise.
Because these are non-routine non-critical activities that have made their way into the definition of health care operations, patients may be unwittingly agreeing or even forced to consent to the use of their health care information for these broad purposes, if they want to be treated.
For example, disease management is feasibly included in the definition of health care operations. Therefore, a provider could condition the treatment upon the patient's agreement to participate in a disease management program.
Sweeping these non-routine, non-critical uses and disclosures into consent, under the definition of health care operations, is especially troubling, if the consent requirement is removed from the privacy rule.
If this occurred, patients would lose control over many uses and disclosures of their protected health information.
To remove the consent requirement for treatment, payment and health care operations, without narrowing the definition of health care operations, would fly in the face of patient privacy and autonomy, merely for the convenience of the provider.
You will see in our written testimony, there are also remarks about the fact that health plans are omitted from the consent requirement, and I think some of the questions that came up in the previous panel go directly to why health plans should obtain consent, because they obviously do get and we do believe that they should have patient information and be able to use it for various purposes. So, I refer you to my written testimony for that.
In conclusion, the AMA appreciates the opportunity to share its policy on consent with the subcommittee. We urge DHHS to incorporate all possible improvements to the consent requirement so that it will not impede patient care or health care delivery, and I am prepared to take any questions the committee may have. Thank you.
MR. ROTHSTEIN: Clarifying questions for the last witness?
Okay, the floor is now open for more general questioning.
MR. ROTHSTEIN: I have a question for Dr. Goin about the psychotherapy notes that you raised. I understand your position that the separate treatment of psychotherapy notes should be broader, to include more kinds of information such as prescription drugs and monitoring and so forth.
At some point, though, the people who are paying the bills are going to want to know what your charges are for.
My question is, where do you strike that balance? Obviously where the line is drawn now is not the appropriate one in your view. It needs to be moved somewhere. I am not sure from your testimony where exactly that would be, and what sort of information you would think ought to be disclosed.
DR. GOIN: The general rule at the present time for insurance forms and so on is -- to answer your question, of course if someone is going to be paying for a treatment, they need to know that it has happened and what happened.
The customary information that they require at this point is the date the person was treated, a code for the treatment and a code for the diagnosis to be sent separately to the payer.
Our objection is to having the information in the chart automatically made available and not protected. Unfortunately, in this day, our patients are stigmatized, they are discriminated against. There is a sense that there needs to be considerable protection.
I think you are also hearing that they didn't want even their internist to know that they were getting an anti-depressant, which requires a good deal of information to the patient. The physician needs to know.
So, we are not talking about withholding information in terms of that treatment occurred. If you are going to have in the chart a chart that is helpful to those who might be, in an emergency, needing to see this patient, there is information in there that doesn't have to go to a payer to know that the treatment took place.
MR. ROTHSTEIN: So, in other words you would say chart-based information beyond psychotherapy notes should not be sent, and that the only thing that should be sent is a diagnostic code.
DR. GOIN: If more is required, then the psychiatrist gets consent from their patient. Usually what I do is, I will write a letter or whatever, and I will show it to the patient, so the patient knows this is what the payer has requested, and they know the information that has gone.
It is then up to them to feel comfortable to move forward because they want to have it paid for.
MS. FYFFE: Everyone gave very good testimony, good preparation. I have a question for the American Hospital Association.
I am not convinced that it would be terribly difficult to know which patients had been to your institution before, and that they had signed a consent form.
At a very minimum, in community hospitals, by golly, the admissions clerks will say, hi, Ms. Fyffe, you were here six months ago. I remember that you were here. They begin to know you if you are a chronically ill patient.
I would think that there would be an automated way to do this. In your medical records departments you have things called master patient indexes, MPIs, so that you know whether a patient has been there before or not, so that you can consolidate their medical records.
I am not trying to minimize the difficulties that might occur in a very large university teaching hospital, where people might only come in once and then fly back to another part of the country.
I am not convinced that it would be terribly difficult, under some circumstances, at the very least, to be able to track consent forms for patients.
MS. HATTON: Let me say that I think that if you actually talked to an institution that is in the planning stages for HIPAA, I think you would come away with a very different view of that, whether it is a small rural hospital that may actually be still paper based, or whether it is a very large complex institution like Intermountain.
The problem is not knowing that you have been there before. It is knowing that there is a valid consent on file, and that in the interim between the time that they have seen you, you haven't revoked your consent.
Remember, for hospitals, there are criminal penalties for misusing information. If they don't have a valid consent on file, that is a violation of HIPAA, the federal law, and also could have serious consequences under state laws and certainly for private actions.
There is an enormous amount of concern to make sure that there hasn't been a revocation between the times they have seen you, nor has there been any limitation.
Remember that patients still have the ability, the right, to request limitations on the way that information is used, and they can do that at any time and in any form, and it can be agreed to in any number of ways.
Hospitals have to know that there is a valid consent on file and whether or not there are any limitations that they have bound themselves to.
Whether you are talking about paper where somebody actually has to go physically look it up and hope that they haven't misplaced the piece of paper that they needed, or whether you are talking about a very complex computer system, where noting not only that there has been a revocation on a computer file, but noting that there has been any kind of limitation agreed to, is enormously difficult.
Again, I think you only need to go and spend some time in a technologically sophisticated environment with the people who are actually trying to make this work, to understand that it is not as we wish it would be, which is that there is some easy computer way to say to the computer, it has been revoked. It is a very difficult and complex process.
I think Intermountain, because they are very far ahead of many other institutions, I think, in really determining how to implement this, it is one thing to have the rules on paper and it is another to make them work.
For those of you on the panel and in the audience for making them work, I think we understand what a gargantuan task you have.
In making them work, there are many complications to these rules that were unintended, unimagined, but need to be dealt with, I think, in a serious and straightforward fashion, for hospitals who very much hope they are going to work and for other providers, and most of all, for patients.
DR. HARDING: I have one for prescription issues. It seems a long time ago, we had hearings about 1996, 1997, you know, when I was young. I remember clearly, as a matter of fact my memory is pretty good, that we had the vice president of Revco here, which became CVS. That is how long ago it was.
He was talking about have electronic data bases from each Revco in the country that would go to Cleveland, Ohio, I believe he said, and then have a data base there that would look for interactions of drug problems, drug interaction difficulties, and then would come back with a clearance to each Revco, that the pharmacist could feel pretty certain that there weren't interaction problems.
When you were talking about no prior consent prior to filling a prescription, when do you feel you have permission of that person to enter them into that data base?
Do they need to give consent for that, written consent? I go to CVS for my pharmacy and I appreciate all of that, but I am fully aware that my data goes to Cleveland, Ohio and that it is held there and it can be utilized.
At what point do you feel like the patient is informed of that, or should they be informed. You were talking about no prior consent and the problem if somebody calls in a prescription. When does that all start? Does it happen right away before they come and sign in, under these new rules?
MS. WINCKLER: In the current practice, part of the clinical aspect of preparing the prescription is entering that information into the data base. So, if it is in a chain where they have the opportunity to run that data against the prescriptions from other pharmacies, then it is done at that time.
There is also a second time that happens, and that one is when the claim is filed for payment. Then it would be run not only against the Revco pharmacies, but against any other prescriptions that have been filed for that patient. So, that is a separate process.
I think, under the current system, pre-HIPAA, there is not necessarily a consent given for that activity. As you point out, patients may not even understand that that happens.
That points out a good part of HIPAA, and that is the notice of privacy practices that we do support. I think it would help if patients understood that.
Under HIPAA, at least our interpretation of it is that I, as a pharmacist, could go and check to see if I have a consent on file for you. If I do not, I stop. So, the information does not even go into the data base at the CVS on Spout Run Parkway, let alone go to the data base that is central.
DR. HARDING: A reality of that is that as a psychiatric, I have patients who go to CVS for their allergy and hypertensive medicines, but then go to a local mom and pop pharmacy to fill their psychotropic medications, to avoid being in that data base.
To me, one of the things that we have to come up with is a way so that isn't an issue, so that all the medicines are handled in such a way that people won't play games like that, because those games get patients in trouble as well as doctors in trouble.
MS. WINCKLER: Right, because that sets up a potential for real problems, if you don't know what other medications they are taking.
MS. HATTON: Again, I am ont sure hat is a consent issue. I think you are talking about a different issue.
MS. WINCKLER: It is the notice of privacy practices, so that I know at the CVS they have this capability, which actually provides me more protection. The best course for me is to choose one pharmacy in the first place. If you choose not to, I am not sure consent gets you the answer that you are looking for.
MS. HATTON: Right, and that is why I think it is so important to distinguish between a notice of privacy practices and that patients enjoy all the rights they currently have.
The way they know they have them and the way they know they can exercise them is really the notice of privacy practices.
The written consent requirement, again, we have got a model notice of consent attached to our testimony. You can take a look and sort of compare the two documents. The written consent really adds -- we contend that the written consent really adds nothing to the privacy protections that the patients enjoy.
DR. ZUBELDIA: The discussion has been a lot about replacing consent by this notice of privacy practice, notice of information policies.
Could you help me understand how that would work? How would you know that the patients have it? Would you have to give it every time? Do you keep a receipt? Do you have a signed receipt? Is that different from the consent.
MS. HATTON: I would be glad to take this and then have other people give their interpretations.
There are a number of different ways that patients have access to the privacy notices. First of all, under the rules, you are required, if you have a web site, to display it on your web site.
Patients would always get it the first time the patient presented themselves after the rule was finalized. Hospitals, at least, are required to display their privacy policy conspicuously for patients.
I think there is no difficulty at all in patients having access to the notice of privacy practices, again which reiterates, which is -- they are not interchangeable forms.
Notice of privacy practices is the document that tells patients what the privacy practices of the institutions are and what rights they have under the HIPAA rules.
DR. ZUBELDIA: Does the patient have the capability to disagree with some of those privacy practices?
MS HATTON: The patients would have all the same rights that they do now. They just wouldn't have the paperwork every time they come into the institution.
MS. DARRAH: I think that is probably why AMA is focused on maintaining the consent requirement. The consent really does become the vehicle for yes, I agree, to the use of this information.
As was pointed out, we get all kinds of notices in the mail and you may toss them, you may read them, and Mindy is right, there is a right in there but the average patient is used to consents.
Yes, I agree to be treated. That is the essence of informed consent to treatment. Yes, I agree to the use of my information.
I think the example of the pharmacy, yes, I agree to the use of this information in that data base, I think that is where the AMA policy is making the line.
Where that line is drawn as far as consenting to treatment and then the authorization, what goes beyond that, is another story.
DR. GOIN: I think there is also a difference of opinion in terms of how individuals feel about having the opportunity to give a consent, and how they feel if things go on without their having given consent.
I know in a study I did with patients who had had breast cancer, following them years later when they were having reconstruction, they told me, in the privacy of my office, that they had received questionnaires from the hospital where they had the surgery, asking about their health status, and they had to sign for these.
Here are people who sort of feel that their life is out of their control. The one thing they could have in their control, as they told me, and I said it is not very helpful, they didn't fill these out truthfully. Oh, I am doing fine, thank you very much, or they threw them away.
Any study I have been involved in, when I asked for consent, or any time I asked the patient for consent about something, 99 percent of the time they were glad to have been asked, and were willing to go forward with it.
MS. DARRAH: Again, I think it is really, really important to focus on the privacy notice, that the patient has the right to exercise, to ask for limitations. They have the right to revoke at any point in time, not just when they come to the hospital, not just when they come to the doctor.
At any point that they decide they want to request a limitation or revoke, their right isn't contingent on a written consent form under the rules.
Again, if you look at a model privacy policy, I think that becomes apparent. I think what we are talking about, again, is paperwork versus patients' rights.
Patients rights are all embodied in a notice that explains very clearly to patients how their information will be used and what their rights are, how they can exercise their rights and even how they can get more information if they have questions about the privacy policy. That is a requirement of the privacy policy.
Again, it is accessible to patients. Patients will always get notice of privacy policies, and in institutions like hospitals, it will be publicly posted, and any provider that has a web site, it is on their web site.
I really don't think that -- again, I think it is very important to separate out the importance of the privacy notice from the paperwork involved in this whole consent form, and the difficulties posed to our hospitals and other providers because of this obligation.
MR. BLAIR: This is kind of a two-part piece because one piece of my question, the thrust of it is to try to have a better understanding of the cost and complexity of an information system to deal with tracking consent forms.
Before I ask the question, I would like to ask a pre-question, so to speak, and I think Kepa has greater knowledge on this than the rest of us on this.
HIPAA financial and administrative transactions has, among those transactions eligibility transaction. In the eligibility transaction, is there a field which, at the same time that we ask for eligibility, can we also ask for status of consent, existence of a consent form?
DR. ZUBELDIA: In the transaction now you can't ask for it, but the payer can report in the free text area some indication that yes, the consent has been obtained by the payer.
MR. BLAIR: Okay, so there is a partial enablement of automating that along with the eligibility but, at this point, it isn't completely automated where the computer, in the provider area, could acknowledge that without a human being able to read that. That really answers my question, thank you.
MS. HATTON: I was going to say, even if that were the case -- this may be a rhetorical question -- but how would you configure that computer interaction to know what limitations had been agreed to, if any limitations had been agreed to, or to deal with the issue of revocation.
Again, you don't have a valid consent or you don't have a full robust consent if there are limitations that have been agreed to, or there is revocation. There are a lot of practical issues.
DR. ZUBELDIA: I am not sure how this would work at all because it would have to be just plain text that flows back and forth.
DR. COHN: I guess I am sort of scratching my head also a little bit about whether this can be practically implemented, since an eligibility transaction usually goes between a provider and the payer or health plan, and yet it is the provider who is the one who is supposed to maintain it.
Are we asking the health plans to tell us when they have a consent on file when, indeed, the provider is supposed to have that information?
The direction is maybe not bad, but it doesn't quite play out functionally in a way that at least I could see how it could be implemented.
DR. HARDING: I am trying to -- during the first panel, we talked about the issue of individual rights versus the good of the public and so forth.
This panel, I have been thinking here that we have been talking about the burden of compliance versus something. There is kind of an increased -- by signing the consent forms, are we increasing the trust of the system? Is the patient feeling more comforted by that in some way, and therefore, better services, more trusting relationships?
Several of you have implied that it does the opposite, and that is kind of a boggling thing to me, that by filling out a lot of those forms, we are going to get an opposite reaction. That came from the last one and I think somebody said that earlier.
This burden of compliance is a real entity. Doctors are feeling the burden. They also want to have the patient feel like they can trust the situation to do the right thing for them, and that that information that may be in a data base or something will be used in some other way.
MS. HATTON: That is the function of the privacy notice. That is exactly the function that you have described. I think there is unanimous agreement on this panel is how important the privacy notice is.
I think something that policy makers absolutely need to balance is whether or not the burden of compliance -- I think HHS has even acknowledged that the burden of compliance also falls on patients. It is not just providers right now, the way it is set up, because again, hospitals and providers can't use your personal information in any way -- not to schedule surgery, not to schedule x-ray under the current rules -- until you have seen and read the privacy notice, signed the consent form, and sent it back to the hospital and they have it on file. I think that is a real burden for patients.
The other, I think, balancing you need to do is, if institutions have to develop complex systems to track this, or if the alternative is to ask the patient to, every time they present for care, get a privacy notice and theoretically read a privacy notice and sign a consent form, have we really advanced the cause of protecting patient privacy by asking them to go through those steps.
Patients, under the privacy notice, which is a very significant document -- I mean, when is the last time you walked into a provider's office and had access to understanding what their information practices are --
DR. GOIN: I have to say, working in the public sector half time and the private sector half time, the patients in the public sector do not have access to the web sites, or the ability to look at web sites.
I could also say, as you walk into the hospital, you see a sign posted. I know that most people don't read them. They will read where lunch is and where the men's room is and the women's rule is, but they are not going to stop and read the privacy notice.
With the consent form, you have a person who will talk to the patient and deal with this directly. That is very different than a piece of paper on the wall or expecting someone to be able to go to a web site and access it.
MS. HATTON: It is all a piece of paper. Really, it is all a piece of paper.
MS. DARRAH: Actually, I think we don't disagree that the notice of privacy practice is important. Again, our policy is, where possible, informed consent should be obtained, and where practical and possible. We are not advocating more burdens on already over-regulated physicians.
There is a key way to get the patient consent to use that information. Whether that is by a consent form, an authorization for those things that are beyond health care payment, operations and treatment or, in the alternative -- and this was the end of our testimony -- if consent was taken away, and we are not saying that is what we want, but if that is what is happening, that definition of what is health care operations needs to be narrow.
Again, we then have this broad definition of what is health care operations and patients have no idea that, aside from the notice of privacy practices, that they have agreed and they have consented to the use of their health care information for that column and a half of the Federal Register, of what the definition of health care operations is.
They may understand that, if there is no signed consent, that they are sitting there, the doctor is drawing blood, and they have consented to the use of the diagnosis coming out of the blood work, and that information to be used by the hospital for a very, very narrow scope of treatment.
They don't understand that that is also being used for NCQA and their quality assurance.
MS. HATTON: Jackie, isn't that required to be put in the privacy notice?
MS. DARRAH: It has to include how you are using information for health care operations. It has to tell patients how you are using it for health care operations.
MS. HATTON: It is the element of agreement.
DR. ZUBELDIA: I keep having questions about the notice of privacy practice. This is a document that can change.
It is, by its nature, dynamic. Every two years, every three years, or every six months, there will be some technology advances that the provider wants to take advantage of, and data mining capabilities or whatever, and the notice of privacy practices could change.
How could the patient revoke the notice of privacy practices? They can't do that? I can't revoke my consent, but if I don't like your privacy practices, I can't revoke your privacy practices. What can I do, notify you somehow that I don't want my data to be subject to your new privacy practices? I have trouble understanding that.
I also have trouble understanding how it is any different to track the fact that the patient has received the notice of privacy practices, or to track the fact that the patient has signed the consent.
If you are going to track one or the other, it is in the computer, just one flag, one way or the other.
MS. HATTON: You have a couple of questions. Currently, you are exactly right, privacy practices certainly will change.
I think that providers will probably improve upon -- if the online experience is any guide, providers will probably improve upon their privacy policies to make them even more accessible to their patients, as we move through this wonderful experiment on privacy.
Currently, in the rules, as long as you reserve the right to change your privacy notice, in the privacy notice, you don't have to get consent again. So, providers aren't required to get consent when it changes, currently.
Again, it is very important to understand that your right to revoke doesn't rise or fall on signing a consent form.
You have the right to revoke. You have the right to revoke at any time, if you decide that is the course that you want to take. It doesn't rise or fall.
You don't have to be in the process of signing a consent form to do that. You can always do that.
DR. ZUBELDIA: What are you revoking?
MS. HATTON: You would be revoking your permission for them to use your data.
DR. ZUBELDIA: I never gave it.
MS. HATTON: You have given your permission, by being a patient. The concept in the notice of proposed rule making is that there was a regulatory or statutory authorization for the uses of your data in ways that patients expect.
Patients expect that, when they go to a doctor, when they go to a hospital, that your information will be used for payment and treatment.
Health care operations was a definition that was -- those around the table from HHS can probably add more to this than I will be able to add, but the definition of health care operations was another area, I think, that was carefully crafted by the regulators at HHS to encompass the expected uses of information.
For example, you as a patient expect -- I think expect -- that an accreditation agency like the Joint Commission will have access to the data they need, to determine whether or not your hospital should be accredited, your provider should be accredited. Those are the expected uses of information.
What HHS did was set up -- they set up a two-part process. One was initially in the notice of proposed rule making.
One was a privacy notice that described the expected uses of information and where the patient, by being a patient, accepted those, but retained the right to ask for limitations or revoke.
The second part of this was for authorization. Those were for uses of information that weren't totally expected, for marketing, for research, for other kinds of uses of information, where the obligation is to explain exactly what that use is, and to let you opt in. You must opt in. You must, as a patient, say yes, you can use it. That is the structure they set up.
Your ability to revoke, under a privacy notice, or to ask for limitations, has nothing to do with the written consent form. It is a right that you retain as a patient, and that you can exercise at any point.
MS. DARRAH: It is also worth noting that under NPRM, the definition of health care operations was narrower, and it was in recognition of the dichotomy that Mindy just pointed out.
MS. HATTON: I am not sure that HHS explained that fulsomely in the final rule, and the reason for the written consent.
Again, I would urge you to take a look at some privacy notices, and the way that the patient's rights are explained, and the fact that there must be a mechanism set up for the patients to exercise those rights, to realize that, again, a written consent form not only currently creates an impediment to care, but also creates what you may see as a real consumer back lash, as well as a burden for institutions, when patients find that they must sign it again and again and again, whether they come to a hospital once a year, once a month or once a week.
MR. ROTHSTEIN: Thank you very much. We will take a break until 4:05. Then we will have the public testimony.
For those of you who have already signed to testify, I would recommend that you just make a second look at the sheet and make sure you are on it.
For those of you who have not done so yet and are interested in doing so, I recommend that you do so.
Thank you to all four panel members, and we are on break until 4:05.
[Brief recess.]
MR. ROTHSTEIN: We have come to the public testimony part of the hearing today. Just a reminder that there will be another session tomorrow afternoon for additional public testimony.
The people who are testifying this afternoon I will call in the order on which they signed onto the sheet. Each person will have three minutes to testify.
They should not feel constrained to speak on the topic that we spoke on today, that is, consent. If you have something you want to say about any of the other three topics that we will be discussing in the next day and a half, I think you should feel free to do so as well.
Just a reminder, we are going out live on the internet. Please identify yourself before you begin your testimony.
The first witness I would like to call is from the Association of Credit and Collection Professionals.
All right, they are not with us at the moment. James Pyles?
MR. PYLES: Thank you, Mr. Chairman. I am James Pyles, representing the American Psychoanalytic Association. I want to thank you for holding a hearing today.
I was somewhat shocked when I heard some of the testimony that I heard today. I was surprised to hear representatives of the hospital and the pharmaceutical industry coming in and recommending that we eliminate a right which currently exists for patients, and that is to not have their information disclosed without their consent. I suspect the rest of the public will be surprised as well.
You mentioned a ground rule at the beginning, that we are not here to discuss rescinding any of the regulations. I would assume elimination of the consent requirement is not on the table.
Since that is all we have talked about, that is what I will be talking about as well.
I would just ask you to remember, if you would, please, section 264(b) of HIPAA, which is the authorizing section for the regulations.
It says that the regulation should set forth the rights that individuals should have with respect to privacy, not confidentiality, as the witness from Mayo was talking about, but privacy.
In my experience and in my view with the Association, there is nothing more essential in protecting the right to privacy than the right to give or withhold consent. Consent is absolutely crucial.
As we said in the comment process, most of the public around the country won't know what is in the regulations. They are just too lengthy and too complex. They will understand if you eliminate their right to give or withhold consent.
If you eliminate the right to give or withhold consent, then you must also agree that you think it is a good policy to compel citizens to disclose information against their will.
You heard Ms. Winckler, I believe it was, from the pharmaceutical industry or association saying, one problem we have is that people sometimes don't want to disclose information. They want to pay out of pocket.
If you just eliminate consent, then they can get access to that information against the patient's will. That is astonishing. That is why people pay out of pocket. That is exactly why. That is why consent is important. That is why it is very, very important.
One other thing, let me just point to the findings in the regulations. We have gone through an extensive fact finding and public comment period to get where we are in these regulations.
I would just cite to you page 82473 of the preamble to the regulations. It says there that half of the states require consent. That is the law in half of the states as a statutory matter.
It also indicates that many of the professional licensure laws in this country require consent in order to treat patients. Many of the ethical guidelines and ethical codes require that.
Common law in almost every state says it is a violation, it is a breach of a patient's right to privacy to disclose information without the patient's consent.
I was struck by the disparity between the patients and the practitioners representatives on your panel and the representatives of the institutions and the pharmacies. That was quite interesting.
The patients and the practitioners understand that consent is absolutely essential for quality health care, just absolutely essential.
Let me turn to a point that is near and dear to the hearts of members of our association, and that is protection for psychotherapy notes, which are accorded special protections in the regulations.
We certainly agree with that and appreciate it and think it is absolutely the right way to go. There is still work to be done, and this does fall into the area of implementation.
We need a better definition of what is protected psychotherapy notes. As the Supreme Court noted, in the 1996 decision in Jaffe v. Redmond, if patients don't know up front, when they make the disclosure to the therapist, that their information won't go beyond the therapist without their consent, they will not make those disclosures, and you cannot have effective psychotherapy in this country. It cannot possibly happen.
So, we need to know what falls within psychotherapy notes. We need, for example, since the protection for psychotherapy notes is based on the privilege, the therapist/patient privilege, we need to ground the definition in the definition of the patient therapist privilege.
Therefore, if a therapist puts information in a general medical record, that should not cost the patient their protection for psychotherapy notes. That protection should be available only by the patient, as is the patient/therapist privilege.
Second, there is a list of I think eight exceptions to the psychotherapy notes protections. Those eight exceptions really need to be very carefully and specifically defined. Otherwise, those eight exceptions will devour the rule.
Now, we have models that you can look to, to do that. The states of New Jersey and the District of Columbia both have definitions of many of those terms that you can use, and those statutory models have been in place for 15 to 20 years, and the insurance industry in those jurisdictions has not crumbled.
I would just ask you, please, don't make a decision or a recommendation solely on what you hear in these hearings. Certainly, take into account the findings in the preamble, and they are a matter of public record. They were the product of a very detailed fact finding process.
I would just urge you to remember there is nothing that people care about in this country more than their right to privacy.
They certainly believe that consent is the means by which they protect that right. Specifically with respect to psychotherapy communications, if you are not free to keep your own thoughts private without your consent, then you simply have no freedom.
MR. ROTHSTEIN: Thank you very much. Questions or comments from the subcommittee? Okay, thank you.
Our next witness, Robin Kay(?).
MS. KAY: I am just a private citizen who has been tracking the medical privacy issue as a matter of personal interest since the Health Insurance Portability and Accountability Act of 1996 was passed.
Before my planned speech, I want to comment on something that was said today. First, Kelly, from the Mayo Clinic and the Health Care Leadership Council, said that patients don't care if their medical records are freely exchanged, without consent, to heal them, pay insurers, and run health care operations.
Let me tell you that right now, since there is patient consent required before medical records are released, a patient can start over fresh with a new doctor in a malpractice, misdiagnosis or personality conflict situation with their doctor.
If the medical records flow freely from doctor to doctor, that prior bad relationship will follow the patient from doctor to doctor, since the prior doctor's negative experience with the doctor will be reflected in a medical record that will follow the patient forever, like a piece of toilet paper on his shoe.
I believe there was a Seinfeld episode that showed this. Elaine was labeled a non-compliant patient who was argumentative, for example.
Also, another problem is, if you are faced with a serious illness, when you need an objective second opinion, if the medical record is shared between doctors without patient consent, how can you get an objective second opinion when the second doctor can see the first doctor's poor prognosis and diagnosis.
Doctors don't like to disagree with doctors. Because of no sharing of medical records without patient consent, my father, who was a physician, was originally given approximately three months to live, but was able to go to other doctors and get other unbiased suggestions for treatment, and was able to go on and live for four years, and he did a lot in those four years.
With automatic sharing of the medical record without patient consent, this might not have been possible.
Another remark I have is that, with approximately 50,000 total comments given to HHS about the final privacy rule, why didn't HHS have more groups representing the private citizen testifying today?
The panelists are predominantly information or fact gathering groups who want broad access to medical records without patient consent.
Certainly, HHS could have read into the record a sampling of the thousands of comments of private citizens who vehemently do not want anyone to access their medical records without patient consent.
Indeed, a recent Gallup Poll, done by the Institute for Health Freedom, show that the vast majority of citizens want no access without patient consent.
My planned speech -- I am going to begin that now -- with the new medical privacy rule created by HHS and approved by the Bush administration, many people will now have access to medical records without the need for patient consent.
Perhaps prior to this rule, some of these entities improperly accessed medical records but, because of the rule, now these groups will legitimately and legally look at and use patients' medical records without patients' permission.
As an attorney, I read the final medical privacy rule, not for my work, but as a private person deeply concerned about privacy and freedom.
Who are these groups that will have access? The Office of Civil Rights, under the authority of HHS can, with no notice or subpoena, access the medical records of every citizens without patient consent. Researchers can access medical records without patient permission, if an institutional review board or privacy board decides the patient's consent is not necessary.
Law enforcement, public health officials and countless others can also have access without patient consent.
We are being told that the patient has the right to restrict access to his records. In reading the lengthy medical privacy rule, you learn that the patient only has the right to request such a restriction.
The doctor can refuse the patient's request and, further, can even refuse to treat the patient if the patient does not sign a consent form giving the doctor access to the patient's medical records and the right to share the patient's records with others.
Under the rule, the patient must give broad permission for the doctor to use and disclose his medical information in order for the patient to be given medical treatment.
When someone is ill or needs medical treatment, of course he will have to give such permission. Such permission is not freely given. It is coerced.
When I go to the doctor, I give personal information for the doctor's use only. It is a limited use to heal me. That is the sole use I give permission for.
The doctor or the government should not then own my information and be able to decide what other entities should get my information.
Before becoming an attorney, I worked in a doctor's office for 13 years. It was my father's office.
Only in emergency situations did doctors share patient information. Now the medical industry is clamoring for wide access to medical records. Just because such technology exists to easily access information does not make it right to do so, nor does the fact that wide use of medical records may help medical research and the overall efficiency of the medical industry.
The privacy of the patient must be considered strongly, as should each citizen's freedom to share sensitive information with his doctor without the fear that others will know about the patient's abortion, alcoholism, impotence, HIV and other private matters.
In a country such as ours, it is inconceivable to me that now each patient will be held hostage to give broad consent before the doctor will agree to treat the patient, let alone complete remove the consent requirement, as suggested by many of our panelists today.
Further, upon close reading of the medical privacy rule, the doctors can agree to limit access to medical records, but then go ahead and allow access anyway. See page 82553 of the December 28, 2000 Federal Register.
What a false sense of security, to tell patients they can request restrictions on access, and then have the doctor agree, knowing that he need not honor that agreement.
That is not honest or an honorable way to conduct business, let alone a doctor/patient relationship that is supposed to be based on trust.
It seems that HHS is endorsing misrepresentation in this one instance.
The American public has become complacent and lazy, believing what they read in the newspaper without looking further.
People hear, we are getting a new federal medical privacy rule. They believe we are getting privacy protection. The reporters will not take the time to read the approximately 1,500-page document. The reporters take the HHS press releases and accept the broad HHS statements.
If you read the rule, you will find that the government will now decide who can look at your medical records.
Somehow we, as private citizens, have lost that right that traditionally was ours.
Rather than provide broad access to medical records, as the medical privacy rule allows, we should be reinforcing consent forms and the ability of the patient to decide, on a case by case basis, what information his doctor, health insurer, or others, should know about him. Thank you very much for the opportunity to make this comment today.
MR. ROTHSTEIN: Thank you very much. Questions or comments from the subcommittee? Thank you.
Our next witness is Tom Wilder.
MR. WILDER: Thank you. Good afternoon. My name is Tom Wilder. I am with the American Association of Health Plans. I have provided some written comments to the subcommittee.
I want to touch on a couple of points that have been made, I think, by most of the witnesses here today.
First of all, our health care system is, in many respects, a health information system. Plans and providers do share health information for a variety of legitimate reasons in order to carry out their functions that they need to do.
Second of all, it is important to understand that most of the information the plans use comes from the provider and not from the member. So, we need to make sure that that flow of information is not restricted unduly.
It is also important to understand that plans cannot always easily get consents or authorizations or information from their members, directly from their members rather than going to the provider.
In many cases, it would be a difficult and time consuming task if the plan had to go directly to the member every time they needed to get access to information.
As an example, our plans, who are engaged in Medicaid operations, tell us that upwards to 15 to 20 percent of the addresses and phone numbers that they have for their members are incorrect.
So, the only time they really have contact with that Medicaid beneficiary is when they go to a provider for treatment.
What most of the witnesses have discussed today is really a need to balance the respect for the confidentiality of information with the needs of the health care system.
We may disagree about where that fulcrum is. We may disagree about the relative weights to give to those two very important needs, but that is really what we are looking at as you struggle with the privacy rule, and particularly with the consent requirements.
Our association has three recommendations that we would like you to consider, that are set out in our testimony.
First of all, with regards to health care operations, as was pointed out, there are some concerns with language in the preamble and in the guidance that providers may feel that they cannot share information with the health plan because the provider has consent for health care operations, and they may feel that those health care operations are not those of the plan.
We think that the agency should allow providers, pursuant to the consent that they have from their patient, to share protected health information with the plan, for the plan to carry out its health care operations.
Second of all, with respect to grandfathering existing information, providers and plans have a lot of information currently in their files and in many cases it is embedded in uses that are hard to pull that information back out of.
There are cases where you can't go back to the member or the patient and get their consent because they have passed away or they have moved or they are using another provider.
In fact, in some states such as California, providers are, by statute, allowed to use health care information without having an express written permission from their patient.
We think, in those cases, to avoid disrupting essential health care functions in states that currently do not require any form of written permission, covered entities should be allowed to use or disclose protected health information collected before the compliance date of the privacy rule, in those cases where they do not have written permission to use that information.
Finally, on somewhat of a related issue, which is the revocation of consent, as you are aware, the rule that allows individuals to revoke their consent and then goes on to say that covered entities can continue to use that information, so long as they don't know about the revocation or they had a reliance on that consent, for example, a plan that is processing a claim for payment can go ahead and process that claim, even though the patient may subsequently revoke their consent.
Again, there are a lot of situations where a plan is going to have information on file that they need to carry out their health care operations.
There are a lot of instances, retrospective review of the files, for example, quality studies typically utilize one to five years of prior data to gain a large enough sample size to assure valid study methodology.
Credentialling for providers and accreditation for health plans will entail a review of patient files, as will patient safety initiatives.
What we are suggesting to you is that that revocation should be honored, but it should be honored for information that is collected after revocation is given. With that, I will be glad to answer any questions that the subcommittee may have.
MR. ROTHSTEIN: Questions?
DR. ZUBELDIA: On this last issue of revocation being effective only for the data that was collected after the revocation, we understand that that would imply that the health plans would have to essentially time stamp all the data they collect and compare that with a possible revocation any time in the future. The administrative burden of doing that would be incredible.
MR. WILDER: I think that is true, but I think the way it is set up now, it is even more problematic. If I revoke my consent, then everybody who has my information in their files is going to have to dig through those files and say, okay, we can no longer use that information. It is a less burdensome way than you have got the rules set up now.
MR. ROTHSTEIN: Thank you. Warren Todd?
MR. TODD: Good afternoon. I think I may be the last presenter, so I will try to be brief. My name is Warren Todd. I am executive director of the Disease Management Association of American. I would like to thank the chairman of the committee.
We have a very difficult dilemma here. I think several months ago, the timing was such that the Institute of Medicine's Cross the Quality Chasm report, the second report, was issued, which clearly states that connectivity and free exchange of health care information is a barrier and a concern, if we are going to address chronic illness in the aging of America.
I think around the same time, if I remember correctly, maybe during the same week, the HHS regulations were issued. So, we have been struggling with that all this time.
We are not sure if we have the answer. What I would like to do today is read a brief statement from DMAA in terms of our position on consent, and ask that the committee consider this.
First, our current understanding of the privacy rules is that they require most health care providers to obtain a patient's written consent prior to using or disclosing personal health information to carry out treatment, payment or health care operations.
Health care providers that have indirect treatment relationships with patients, such as clinical laboratories that do not interact directly with patients, do not have to obtain consent.
Certainly, health plans and clearinghouses need not obtain consent prior to using or disclosing PHI.
The Disease Management Association believes that allowing legitimate disease management programs to have unhindered access to individual identifiable patient information, such as claims forms, eligibility files and medical records from all sources is crucial to preserving patient access to high quality disease management programs, as suggested by the IOM report.
We realize this is a complicated task. We think that one effective way to ensure patient access to personal health information is to effect disease management programs -- I am sorry, access to effective disease management programs while still preserving the privacy is to create a special exemption in the privacy rules that allows disease management organizations, as business associates of health plans, to access this information to carry out disease management activities.
Alternatively, another suggestion could be to include disease management by name within the definition of treatment, so that PHI may flow freely to disease managers, whose sole mission is to improve patient clinical and financial outcomes.
We would like you to consider this. We have filed various papers with HHS in the past, and again, we applaud what you are doing here.
The Disease Management Association is relatively new. We are three years old. Disease management has been evolving for the past 10 years, basically. We think there are a number of barriers to the free flow of information as the regs are currently viewed, and would request that the committee take a look at disease management, which is well recognized in the preamble, probably less so within the regs themselves, and help us work through that. Thank you very much.
MR. ROTHSTEIN: Thank you. Comments or questions from the subcommittee? Thank you very much, Mr. Todd.
That concludes the public testimony for this afternoon and there will be another public testimony session at 4:00 tomorrow.
With the consent of the subcommittee, I would like to move up the subcommittee discussion time from 4:45 to now, and move right into our discussion. For our guests, you are certainly welcome to stay. This is public discussion.
MR. ROTHSTEIN: As you will notice, on our agenda, at the end of each of the four topic areas, we have discussion times scheduled for the subcommittee.
It is our hope that we can discuss each of the subject areas in a way that will give us a running start on any possible recommendations that we want to bring to the full committee.
Before we get to the actual specifics, I would like to take a moment to talk about the process that we are going to use, and that the subcommittee members feel most comfortable with.
In terms of timing, of course, we need to have -- if we start at the 25th of September and go backwards -- what we need to do is have a set of recommendations in place some time the prior week that the subcommittee agrees on, so that it can be made available to all the members of the committee in advance of the meeting. We will need to discuss that.
For Gail's benefit and ours, I would like to have as concrete a set of sort of suggestions about areas that we want to go into as possible at the end of each of the sessions.
The floor is open for comments on the process. Simon?
DR. COHN: I am not sure that I am describing the process, or I hadn't planned to discuss the time line, which I think is what you are describing.
I was just reflecting, as I was listening to these sets of hearings, that I have been around for a long time -- actually as long as Dr. Harding -- on the committee.
I am actually reminded that both the subcommittee and the full committee have previously made recommendations in the area of consent to the Secretary.
It might be helpful at some point soon if we review those recommendations, to see whether we agree with them, agree with parts, agree with all of them, only because that might make some of our tasks considerably easier.
I don't think that applies necessarily to everything we hold hearings on, but certainly it is something that we should at least review and ponder on. It might help streamline some of the process that we have going forward.
I won't say that I agree with it, but there may be certainly parts of that, that we could pull out into a letter, if we did agree with the comments.
MR. ROTHSTEIN: I think that is an excellent suggestion. We will certainly consult with that.
MR. BLAIR: It is nice to be consistent with ourselves at least.
MR. ROTHSTEIN: Indeed, it is nice, where possible, to be consistent with oneself.
The other thing that I would remind the subcommittee members is the admonition directed to all the witnesses, and that is our purpose is not to rewrite either of the statutes, were we able to, or the rule, were we able to.
It is simply to make recommendations on the most effective way of implementing the rule as enacted, with recommendations for certain areas that may need some clarification or some revision that OCR or the Secretary might do.
Now, it is a trade off. On the one hand, we don't want to take onto ourselves too broad a responsibility that we don't properly have or couldn't possibly exercise.
On the other hand, we don't want to be derelict in our duty to point out some problem areas if, indeed, we recognize that they exist.
Finding the appropriate balance, as in anything, is going to be hard for us, and that is our main task.
I suppose we can come back over the next couple of days to the time table. I just wanted to raise for you what the general plan is. We hope to walk out of here promptly at noon on Thursday with a good idea of the direction that we want to go in.
Anybody have any further comments on that? I can see you are itching to get to the substance of the discussion.
I suppose what we ought to do is just put together a tentative list of areas, from the testimony that we have heard, that might be appropriate for further discussion at the subcommittee level. Jeff?
MR. BLAIR: I really felt that we received excellent testimony, even though different people took different stances. It makes it that much more difficult to try to reconcile them.
One of the areas that I personally am struggling with, and I would like to be able to get better information to know what side we should lean toward, is it would be nice if anybody has done a little bit of assessment on the burden, the expense, of tracking consent forms and the revocation of consent forms.
If we could get a little bit of education on that, then that might be helpful. I don't know if some of the folks who testified that this was very burdensome, if they have some data that we could look at, or if anybody else has some data we could look at, just to get a feeling for how much of a financial and administrative burden this really is.
MR. ROTHSTEIN: Let's put on our discussion agenda the issue of the burden of consent revocation, because that was an issue that was --
MR. BLAIR: Revocation and tracking.
MR. ROTHSTEIN: And tracking, okay. So, that will be issue number one for our discussion. Is there a second issue?
I would like to put on the issue of the psychotherapy exception and how broad it ought to be, whether it should be limited to notes or go beyond that, and the trade offs involved in doing that.
DR. ZUBELDIA: I think another issue was the ability for the providers to send important information to the payers when it is not for payment, such as encounters on capitated plans and additional information like that.
MR. ROTHSTEIN: So, we have three. Everybody clear on HIPAA?
DR. ZUBELDIA: The issue was brought up that providers can send the personal health information to a health plan when it is for payment, but when it is not for payment, they can't send it.
DR. COHN: It may be very close to what Jeff was describing, and he is obviously asking the issue about the burden of the consent.
I would maybe almost describe it in a slightly different way, maybe the value of the actual consent versus what I think we are hearing about the fair information practices, et cetera, and is there a demonstratable value to all of that.
MR. ROTHSTEIN: So, a slightly different twist on Jeff's. I think when we get to the substance of each of them, I don't know which it is. Kepa, do you have another?
DR. ZUBELDIA: I would like to tackle Simon's thinking, and that is the ability to revoke a notification of information practices or something like that.
MR. ROTHSTEIN: We could certainly discuss that either under your issue or his.
DR. HARDING: Something that would be helpful to me is to have staff -- there were times in the testimony where people gave opposite interpretations of the rule.
I didn't know, to be honest -- I have looked through not all 1,500 pages, I have looked through quite a few. I didn't know which one was accurate.
In some of those areas, could we get staff to xerox the rule, in that area?
MR. ROTHSTEIN: Certainly, where it forms the basis of our recommendation, yes.
DR. HARDING: I don't want the whole 1,500 pages by any means, but I think it would be helpful.
MR. ROTHSTEIN: There are people in this room, I am sure, who have it all memorized.
DR. COHN: Maybe this is just a process issue, but it is sort of hard in retrospect to point out what those were. Maybe we need to make a point, as we go through, almost at the end of each speech, to sort of identify where there were issues that we weren't clear about, so that we can get clarification.
I actually agree with you. I think I understand what the rule is. I want to make sure that my understanding is similar to yours or Lou's or Mark's, for that matter. So, we better make sure that we have a common understanding of what it is that we are changing.
MR. ROTHSTEIN: Gail, do you have anything that you noted? This is sort of a statement against interest, because the more issues you add, the more work you have to do.
MS. HORLICK: I don't have any specific issues. I think one thing that the subcommittee will have to address -- maybe not right now -- is just exactly how we are even going to write the letter.
We may come up with a recommendation but do we want to actually -- we heard really opposing points of view. I feel certainly we would have an obligation, if we write a recommendation, to at least include information about the other testimony that we heard, that might not be in support of that recommendation and so forth.
I feel some of what Richard was saying. Somebody refers to a section and says, well, under this section it allows this or it doesn't. I am not really sure.
MR. BLAIR: One of the individuals who testified said some things that I found very compelling. They talked about the fact that the legislation set certain provisions of protection of privacy as rights.
I guess that I would love to have maybe a little bit of review from the staff specifically of those things. I think I want to make sure that we are clearly fixed on what rights are in the law.
I also was impressed by the other individual that indicated that you have to have a balance. You may have rights, but you have the reality of the fact that providers and payers have to be able to provide care.
Even though we have to protect the rights, we have to find a way to do so in a way that is not excessively burdensome or impractical.
If there could be some clarification for at least me of specifically what are the aspects of the rights, I would like to see them clearly defined, so I understand what those are, as we begin to look at, how do we trade off other aspects to make this pragmatic and workable.
MR. ROTHSTEIN: Thank you. How many do we have at the moment; right?
MS. HORLICK: Five.
MR. ROTHSTEIN: Some of them might be merging.
MS. HORLICK: It may be less than that.
MR. SCANLON: I think two of the areas that came up today are related to this issue of the first encounter. How do you deal with informed consent, whatever it is, whether it is a pharmacy encounter or hospital emergency or whatever. There were some suggestions of how that might be approached.
The second one had to do with the issue of information, the policy with respect to information before the effective date of the final rule. I think that may require more of a clarification than a change in policy.
Then again, there is this basic potential conflict between, do you have informed consent. That is really what it came down to today. Are you trying to make it easier within the existing framework to address some of the issues, or you look at the very nature of the informed consent framework.
DR. FITZMAURICE: Mine has to do with, like Jim's, crossing the compliance state. In part of the testimony there was a current population of patients that you get treatment.
Sometimes I call my doctor and say, can I get a prescription? My son has got a sore throat, and he calls the pharmacy and you get a prescription.
What if my son turns 18? Now the doc doesn't have a signed consent for that patient. I am giving some information to the doctor, but I am not a covered entity, so I am okay.
The doctor then phones the pharmacy. Can the doctor do anything without having my son come in and sign a consent? That seems to be something that needs to be clarified.
There are other populations of patients where we cross that borderline and they are just like the person turning 18.
You are treating them and then the date hits, and the first time you see the patient, you have got to get a consent. Can you treat them over the phone without the consent? That seems to be an issue that needs clarification.
A second set of issues would have to do with the burden of joint health operations. For example, providers might get together and find it in your benefit to share health information.
So, they want to pool protected health information so they can do things like quality improvement or research planning in the community.
They can do it if it is for their own health operations and they can share information with their business associate. Do they have to sign business associate agreements with every other provider in order to pool their data and then return the pool to each of the providers.
Is it permissible? Can you do it with one agreement that everybody signs one piece of paper, or do you have to sign N times N-1 pieces of paper. So, it is an operations issue. It is a clarification issue.
MR. ROTHSTEIN: Let me remind you that the comment period for submitting written testimony is open until next Monday.
So, it is possible that we will have other issues that we would want to add to our list. Therefore, the fact that, should we decide to leave the list at the current 10 that we have at the moment, doesn't foreclose us from taking up other issues, to the extent that time permits.
Are there any other things that we want to add to our slate at the moment? With your consent, I would like to start with the first one, which is the burden of tracking consent and revocation of consent. Jeff, do you want to -- you raised the issue. Do you want to make a statement in support of some action?
MR. BLAIR: Yes, I don't know whether the folks who testified about that burden have some data that they could share with us, that would help us understand that issue better, or if someone else who has gone through this process, to some degree, has information about what does it cost to track consent forms, and to be able to additionally track revocation of consent forms.
I am thinking of it in an information system, but it doesn't have to be limited to that.
MR. ROTHSTEIN: Any other people want to comment on the issue?
MR. SCANLON: I guess I would suggest that we actually have some medical record professionals who can testify tomorrow, who actually do this, the American Health Information Management Association.
These are the folks who actually run these record systems within the hospitals and the plans. Maybe we can ask them to try to get some information that they already have, about how this works. Maybe they have some better sense of how often such requests come up and how difficult it might be.
DR. COHN: I was going to say, I think we saw a lot of testimony today that we could easily ask a number of the testifiers, especially places like American Hospital Association.
Any of the larger organizations I think could come up with some figures that talk about the cost and difficulty. I am sure that they could probably come up with some figures.
I guess the question in my own mind, recognizing that the whole issue of consent and revocation is actually only a small piece of it. It is actually medical records maintenance, and that is only if you are dealing with a paper based environment.
It doesn't include any of the discussion around the actual initiation of the encounter and certainly doesn't cover, for most places, anything having to do with any computerized system.
We might get an answer, but it might look a little different than someone representing a hospital or some other large enterprise.
I think we need to get that information, but I am just thinking that it might be a little small --
DR. FITZMAURICE: Just a small point. In addition to tracking consent and revocations of consent, I would also track limitations that are agreed upon by the patient and the physician.
DR. ZUBELDIA: I think Mike is right on the money there. I think that is where the burden is going to be, to track the limitations.
Every time I go to the doctor today or for my children, I have to sign a piece of paper in two different places. One is the assignment of benefits. The other is the release of information.
We do that on a routine basis on every visit today. I think that the release of information signature would be replaced by the consent that we are talking about.
I think the systems are already in the systems. The incremental cost to track the consent itself is close to zero. That is my opinion.
What I would say is that, in order to track the revocation or the limitations, that is what is going to be a little bit more complicated.
MR. ROTHSTEIN: Let me give my opinion on the revocation issue. I feel very strongly that if you do away with the ability of individuals to revoke their consent, you have, in effect, done away with consent.
I think we should be very reluctant to say that you can't revoke your consent once it is given. There is a cost to it.
I mean, one of the things that I spend a lot of time on is human subjects and approving protocols for IRBs.
We allow research participants to revoke their consent at any time. In many instances, when they do so, they can threaten the entire experiment because, if enough of them do it, or if the N is small enough, years of work can go right down the drain.
We say that, even though there is a cost, it is an absolutely essential cost that we need to pay to promote and protect the autonomy of individuals who are participating.
MR. BLAIR: Mark, I think that is a valid issue. I think we ought to keep that as a separate issue from us understanding the cost of tracking consents and whether or not revocation is part of that cost.
MR. ROTHSTEIN: I have no problem in quantifying the cost. All I am saying is that I think there would be great social costs, not as easily quantifiable, if we did away with the opportunity of individuals to either revoke their consent or to say that you can only do it prospectively. I think that would be just a very unfortunate recommendation for us to make. That is my personal view. That has not been accepted by the subcommittee.
Are there other comments of a general nature related to this particular issue?
DR. COHN: Which issue are we talking about now?
MR. ROTHSTEIN: The first issue was the burden of tracking consent and the revocation and limitations of consent.
DR. COHN: Perhaps the value is the statement here. I come from a state where actually statutory authorization has been around for a long time.
I am sort of unused to the idea, even, of getting consent. I certainly am trying to think in my own mind of really how you would revoke consent and how that would necessarily work, and do you pull everything out of the data base, you pull the medical record.
Are you invoking consent from previous data that you have or are you just revoking it as of today. I am trying to think of exactly how you do it.
I guess I would wonder -- I know just within my own experience of doing all this, it could get to be tremendously expensive.
Maybe the value here is allowing consent to be revoked previously, is your issue. I am still trying to think of the value equation of what all this is going to provide, as opposed to providing a level set of privacy and security information practices work.
I guess the point I would make in terms of all of this stuff, and I am just sort of thinking about it, you have somebody come to the office. There is a set of fair information practices. You sign a consent and, okay, you agree to the consent.
Now, if you don't like the fair information practices, I guess you can negotiate with the provider to get them changed. I don't think anyone in their right mind is going to start negotiating their information practices on a person by person case or whatever.
Maybe a doctor might do it. I can't imagine that in a multi-physician clinic or anything else, that you would start negotiating it on a case by case basis.
So, effectively, you don't sign a consent and then the physician, because you are not in an emergency today, I say, well, sorry, I can't treat you.
So, out of all this money that we have spent developing this consent and revocation methodology, what exactly has it gotten us. In reality, the patient makes a choice based on the provider and the information practices of the provider. He is going to choose whether to see that doctor or not. Where are we getting all this additional value from all this paperwork and process that we are putting into place.
Fundamentally, the idea of revocation sounds good. I just can't think of how you implement it.
MR. ROTHSTEIN: I think the practical answer is that consent revocations, I would imagine, would be extraordinarily rare. I think it is the kind of thing where you can say, I am not sure I want to ride that roller coaster.
You can tell them, we can stop at any time you want. I think there is something important to individuals who are going to be giving up their private information, to know that if their circumstances change at some point in the future, they can say, look, it was fine for you to do anything you wanted with my medical records before I got cancer, before I got AIDS, before I had a mental illness or something else.
I want to be able to have the ability to revoke my consent, should my circumstances change, after I get a divorce or whatever. It might cause you to want to rethink use of your medical records.
MR. BLAIR: I very much agree with Simon that we really ought to carefully look, as well as the cost of doing consent as separately we should also examine the value of it.
In my mind, I think revocation is a third area which is value, but I have difficulty blurring them together. Is it possible that we could keep these each as separate issues for discussion?
MR. ROTHSTEIN: Certainly. Gail needs some more help, in the sense that all that she has are some widely divergent comments. That is not going to help her come up with a tentative anything.
DR. HARDING: I tend to agree that revocation, I think, is an important principle. I think that where I start getting weak kneed is when there are a million different revocations.
You know, I want this since December 25, or I want you to not say anything about this part or this part or this part. A computer would go crazy trying to handle that. I think it either has to be a yes or no revocation. It can't be a deal between patient and doctor.
There are lots of deals between patients and doctors, lots of them, where people say, I don't want you to mention this, I don't want you to put this in the record, and the deal is struck.
For instance, in a group of doctors, where one doctor is taking care of the spouse of another doctor, they are going to make deals about what goes in the record, and don't tell me they don't.
I think if you have revocation, you are going to have to have it be all or nothing, instead of a million possibilities that could come from revoking only this much of the record. How do you do that? It is impossible, it seems like to me.
MR. ROTHSTEIN: As a practical matter, the revocation would be tantamount to saying, I don't want you to treat me any more. The doctor might well put, as a condition on treatment, that you consent to release the records so the doc can get paid, among other things. It would almost, I would think, be a yes or no kind of thing.
MR. ALTARESQUE: The rule provides a single consent for TP and O. The revocation is parallel to that. It is a single yes for TPO or a single no for TPO. When you are revoking, you are revoking that provider's right to use the information for treatment, payment and health care operations. So, it is a black and white situation.
It shouldn't be confused with the right to ask for a restriction. You may ask for a restriction of, don't share this information with any other treatment provider. If the doctor agrees to that, that is something the doctor could do. That is the right to request a restriction.
So, those are two different matters, where one is black and white and the other has all sorts of parameters, based on whatever the patient and the provider agree to.
MS. HORLICK: I have a question about that right. We heard somebody say, if I have got this right, that the patient can request a restriction and then the provider -- I think they said -- my understanding is that the patient can request a restriction and the provider can agree or not agree.
I thought I heard someone say that the provider can agree to the restriction and -- I might have misinterpreted -- but I thought someone said that something else in the rule preempts that agreement or makes it not valid. I couldn't appreciate the clarification.
MR. ALTARESQUE: A provider can say that he no longer will abide by that, but that only applies to new information. I have Jody Goldstein with me to keep me honest, another attorney with general counsel's office.
MS. GOLDSTEIN: The right to request restrictions is with respect to certain types of purposes, so treatment, payment, health care operations or the 510s, which are disclosures to family members or persons assisting in care.
If a provider -- if the patient requests a restriction in the 512s, which are the public purpose disclosures, and we do not enforce and agree to a restriction between the provider and the patient for those, it is possible that under other law there is some commitment to honor that agreement, but we can only enforce against agreed-to restrictions for the TPO and the disclosures to family members or the persons assisting in care.
That might be what they are referring to. I am not sure. There is also -- and I am trying to remember exactly how this works -- there is an exception in emergency situations as well. I am not sure if that is what they were referring to but those are the limitations on that, enforcing that agreement.
MS. HORLICK: I could go back and read it, but if the physician does agree to the restriction --
MS. GOLDSTEIN: In those areas, yes.
MS. HORLICK: In the treatment, payment and operations and the disclosure to family members, as opposed to the 512s.
MS. GOLDSTEIN: Yes, except in the emergency situation.
MR. ROTHSTEIN: Let's see if we can get closure on this issue because we have a few more left.
DR. COHN: Which issue?
MR. ROTHSTEIN: The issue is the question of revocation costs, limitations, tracking costs, et cetera. Now, Jeff encouraged us to get more data, which we can solicit tomorrow at the hearing, from the folks in the medical records industry.
DR. COHN: And from others who testify.
MR. ROTHSTEIN: And other witnesses, of course, on the minimum necessary part.
DR. COHN: Are we going to vote? Is that what is going to happen?
MR. ROTHSTEIN: I don't have anything to vote on yet. Do you have a motion?
DR. COHN: Mike is laughing, because I can remember how many hours we spent trying to figure out overall framework for all this stuff.
I am struck that it isn't black or white, I don't think. What I am hearing is that the main consent would remain exactly the same. I am hearing a bunch of intermediate things that could be done to make things easier on everybody to reduce burden. Then I am hearing another piece, which is go all the way back to pretty much what was in the notice of proposed rule. That is sort of the spectrum of options that we are confronting.
We are probably also being confronted with things on the other side of the current consent rule. I apologize if I am a little blind on that one, but that is sort of what I am sort of seeing here.
I guess we would need to figure out sort of the cost and the value of each of those positions. I personally think that we are trying to help with unintended consequences.
Probably staying exactly where we are right now is probably not the place that we should be focusing on exclusively, but we should be looking at the burdens and the opportunities of those intermediate positions, and then at maybe what the old position might have gotten us, only because we heard so much testimony saying, things would be a whole lot cheaper and easier if you went back to some sort of statutory authorization.
I guess I would personally vote that we move off in that direction and do a little more analysis and see if we could come up with a list of suggestions.
MR. ROTHSTEIN: A list of suggestions?
DR. COHN: I heard a number of things coming from the testimony of intermediate things that could be done to help.
I heard about issues about data collected before the compliance date, of use -- I thought those were intermediate positions, basically.
MR. ROTHSTEIN: Yes, but we haven't gotten to those yet.
DR. COHN: I am sorry, I thought those were all part of the same discussion. I am sorry.
MR. ROTHSTEIN: Maybe we want to do them all and then we will come back and see if we want to take a vote. Let me go over the list again. Maybe it would help if we put it on the board or something, so we know what the issues are.
The issues are, again, first, burden of tracking consent revocation, tracking and limitations.
Second, psychotherapy, the exceptions should be limited to notes.
Third, provider's ability to send information to health plan when not for payment.
The ability to revoke the notice of information practice, which Kepa raised.
The first encounter problems.
The policy problem of information obtained before the compliance date.
What happens when a patient turns 18.
Treatment over the phone.
The business associate issue with the joint health care operations.
DR. COHN: I guess what I am hearing, just so we don't have to discuss 10 items and vote on each of them separately, there seem to be four or five of those that all fit into what I would describe as an intermediate position.
Am I mistaken about that one? I guess I tend to think of consent, statutory authorization, and then something sort of in the middle where consent exists, but there may be a whole lot of things that make consent easier to deal with.
MS. HORLICK: An intermediate position on consent? I don't know, maybe. We haven't looked at them that way.
MR. ROTHSTEIN: I think several of them go to the issue of, how can we make the implementation go more smoothly, and that is the charge of the subcommittee at these hearings.
We are not re-legislative, re-litigating, re-negotiating anything. What we want to come up with are sort of practical solutions, problem areas, how to make the trains run on time, and at the least cost to everyone.
Simon, you are right. I think many of these things go to that. The only one that might not, I think, would be the psychotherapy notes, which goes to the issue of expanding the rule, but I think it is the exception. I think I will rule that in order for us to consider.
MS. FYFFE: Simon thinks very differently than I do. It is very interesting. Is our purpose here to identify issues that will make implementation difficult, or are we going to be identifying issues also that need further clarification?
MR. ROTHSTEIN: I think both of those.
MS. FYFFE: Okay, and we will document this for the Secretary or for whom?
MR. ROTHSTEIN: Initially for the full committee and then, if the committee agrees, then for the Secretary.
MS. FYFFE: So, implementation issues and then suggestions. Okay.
MR. ROTHSTEIN: Right. That is my understanding of our goal.
MS. GREENBERG: I thought you had said also that particularly because the Secretary has said that he may modify the rule, presumably to facilitate implementation and, I guess, clarification potentially, although that might just be in guidance, there was also the issue of potential changes.
I think there is a line between opening up the whole thing and starting over again. Obviously, when you modify something, you can change it, like with the NDC codes.
Specifically, they were named as a standard and testimony was received that this was going to be a problem in implementation and there is now the potential of their being retracted as a standard.
I guess that is an option and you have to keep that constrained within, is it really going to make it impossible to implement.
On this whole issue of consent, I guess what I am kind of struggling with is -- and please correctly me wherever I am wrong -- but there are states obviously and environments where consent is routine, as you pointed out. This has been my experience as well. Every time you go, you sign this consent, at least it seems for treatment and payment. I am not quite sure about health care operations. I should look more carefully. Then there are other states and environments where it is statutory.
The proposed rule didn't leave the status quo. It actually said that it should be statutory and that, in fact, I think it said you couldn't ask for consent, treatment and operations. I mean, didn't it actually say, don't do that?
MS. HORLICK: Proposed.
MS. GREENBERG: That was the proposed rule. The final rule required consent for treatment and payment. So, it seems that there is this spectrum. It is statutory everywhere, consent everywhere, and then the status quo sort of, where it is decided, I guess, on a state by state basis. Is that the case?
On the one hand, there are places where it has been going on always, and they seem to be coping with it. It is bigger, but it is sort of like the issue of people being able to see their records. Where that isn't currently allowed, this would cause a tremendous problem, and in the states where it is being allowed they say, we deal with it, it is okay, it is not a problem.
I mean, I think that is one thing that I need to understand better. If half, is it, the states already require, or a large number require consent, then the health care system hasn't shut down there, and that says something.
On the other hand, is there any evidence that there are more abuses or there are real problems in the states where it is statutory? We haven't really heard that either.
So, it seems that part of the problem -- this I may be going somewhere where I shouldn't be going -- but part of the problem with the proposed rule is that it took away the right to ask for consent, by making it statutory everywhere.
Now, there is something, of course, to be said for doing everything the same way because of plans that are across state borders and everything, but is that the case, that there was a real problem that people who were comfortable with consent no longer were going to be able to require it.
I guess it seems that one option, in modifying the rule, would be to go back to the status quo on that. I heard either keep consent the way it is in the final rule, or make it even stronger, or go back to the proposed rule, which didn't allow for consent.
There does seem to be something in between there, which is what the current situation is, that in some states they require it and in others they don't. I didn't hear that, and maybe that is not an option. Maybe we have rejected that.
I think the problem with people who are raising the concerns with the consent was in saying, go back to the proposed rule is, that didn't allow people to request consent when they wanted to.
MR. ROTHSTEIN: Let me mention a very practical problem that we have as a subcommittee and as a full committee.
Our last discussions with OCR, we said that we would have recommendations completed by October 1 for your use in preparing additional guidance, which means that we needed to have it approved by the full committee on September 25 at our meeting.
To the extent that we make rather narrow targeted recommendations based on problems that are brought to our attention by folks who are trying to implement the rule, I think then we could succeed in coming up with something valuable for OCR and for the Secretary.
To the extent that we are being asked by anyone or by ourselves to revisit sort of the big pictures of the HIPAA privacy rule, I don't think we have the time, and we certainly don't have the staffing and, as wonderful as our witnesses are, hearing from 25 witnesses is not the same as getting 50,000 comments, if we want to sort of re-strike the deal. I think there are very practical limitations on what we are able to accomplish here.
DR. COHN: I am almost afraid to comment. First of all, Marjorie, there actually was a recommendation one of our speakers did about state laws. There was a recommendation that talked about statutory authorization a little bit more and being discretionary.
Being a chair of another subcommittee, I understand your angst of, we have only got four weeks to make recommendations and how are we going to organize.
I guess my view on all of this stuff is, you can certainly battle down to the last minute the last day and come up with the right suggestion.
One option is that we give it a little bit of flexibility. One example, which might be where I might go would be, gee, I am in favor of statutory authorization but, if you can't do that, you might consider X,Y and Z as things to mitigate what we thought were valid industry concerns. That might be a way to sort of handle fighting to the death on a single solution, and taking that approach to a letter where you provide a little flexibility, since we are not going to agree with just one thing, and the Secretary would probably like some flexibility in what they are going to be considering and accepting.
That is just a suggestion in terms of how we might actually be able to come to some conclusion and actually come up with a letter eventually, which I think is what you are worried about.
MR. ROTHSTEIN: If we want to have, as an ongoing project for the subcommittee and the committee, to reconsider the structure of the privacy rule and go into areas where we think that, with all due respect, the department got it wrong, I have got my own list.
I think the public health exemption is too broad, I think the law enforcement exemption is too broad. I think there are all sorts of problems in 15 different areas.
I don't think there is any way that we can give a fair accounting and a balanced discussion of any of those issues in the time frame that we have, and I don't think that was our charge, and we couldn't possibly have agreed to do that.
DR. COHN: But Mark, tell us about the issue of consent, the issues that were not brought up today that you would like to have brought up.
MR. ROTHSTEIN: We went into the issue of consent because OCR said, in our discussions, here are four issues that are very important. Three of the four were already discussed in a first crack in the guidance that was issued previously.
These were areas where OCR thought that getting people in the public and the industry representatives, the professional groups, et cetera, could help in clarifying some of the problems.
They get lots of questions and comments, and we needed to know what people were thinking.
Consent is sort of a touchstone of this rule. If the issue of consent, broadly stated, is on the table, we are going to be here until Christmas debating this issue.
MS. FYFFE: We would be here longer than that. Could we let Louis speak, please?
MR. ALTARESQUE: Thank you. You mentioned the guidance. Keep in mind, in the guidance that we issued, the Secretary explicitly stated that he is concerned and would propose making substantive changes in the rule to address the phoned in prescription issue and the referral issue.
You could take that into consideration in terms of what you want to address and what you don't want to address. The Secretary has made a decision that he will propose changes.
Of course, that goes through the notice and comment process and it doesn't meant that -- there will be a change at the end of the process. At this stage, in terms of what he is planning to propose, these are substantive changes that he has decided to pursue, just on one other matter.
MR. ROTHSTEIN: That was reflected in the questions that we sent out, other than the pharmacy.
MR. ALTARESQUE: Right, but those were two things that were mentioned. This doesn't preclude, of course, your recommending or the Secretary deciding to do something more global than that, but just in terms of those two issues.
The other thing, in terms of state law, is that if there was no consent provision, if we did not require consent for TPO and a state law did require consent, then that state law would provide greater privacy protection and that state law would prevail. That would preempt our provision.
MR. ROTHSTEIN: Jim, any help is greatly appreciated.
MR. SCANLON: Again, I think every subcommittee struggles with this. This is clearly an issue -- a lot of these privacy issues -- are balances between rights and the best way to do this and efficiency and effectiveness. There is no really one way or the other. You just have to see where the best balance lies at any one time.
I think what would be very helpful to OCR, and speaking for them -- and this doesn't preclude broader looks and more in-depth looks at possible framework changes later -- we did hear today, and it is actually written very well -- in fact, each of the testifiers today very eloquently defended conflicting points of view, and that is why this is difficult.
I think there are some points within the informed consent framework, there are some suggested changes in here that probably would work as a practical matter.
I think there are some suggestions in here, where people have proposed, within the informed consent framework, doing this, doing that, making some other changes that would help matters somewhat.
You are not going to change the basic informed consent framework. There were others who said, this simply doesn't seem to work as a practical matter for us, and their proposal was to go back to the statutory authorization. That could be, as you say, something to look at further.
I think in your letter to the Secretary you would want to say that you heard support for both. This is what I think Simon's subcommittee has done.
When they have had hearings and, after two long days, it just is not clear what exactly the right way to go is, you describe the situation, that is very helpful, people hear what the pros and cons are, and then there are some things that you probably do want to move forward on, assuming there is committee majority, and they have actually been described fairly well here, as there probably will be tomorrow related to minimum necessary and some of the research provisions later.
Some of the best sort of an analysis to the Secretary is to point out where these things stand. Then, again, if there are some suggestions of a practical nature, unintended consequences, ways to improve this, that is very helpful.
MS. HORLICK: I guess that is what I was getting at with my first question. It would be enough of a job to go back and say, well, some people said this and other people said this, but if you do it this way, here are some ideas.
Is that what would be helpful or do you want specific recommendations from this subcommittee, that would be a recommendation, if you don't rescind informed consent we would like you to at least do X,Y and Z, or 1, 2, 3.
Is just sort of pulling together the information be helpful or not, or do you want the subcommittee to take a position.
If that is the case, and coming up with recommendations, I am not sure the subcommittee would agree with even everything that was suggested, and I am not comfortable writing it.
MR. ALTARESQUE: And I am not comfortable speaking for OCR. I would suggest you do the best you can to provide whatever help you think you could provide in terms of ways the rule could be improved or guidance that is additionally needed, and we will appreciate anything we get in that regard.
DR. FITZMAURICE: Drawing on some of the past experience that both Simon and I have, and Jim probably has more experience than all of us, as does Marjorie, it seems to me that going through things the way we are going through right now is probably a good way of doing it, and we need to have a recording of what the different options are.
So, we do this perhaps after every set of hearings or every day and, at the end, we are going to have a lot of points to consider.
You can then prioritize the points that the subcommittee feels are most important and then task staff with some further development and, with conference calls and with e mails, you can probably home in pretty well on where there is agreement.
Where there is a lot of disagreement -- that is, no coalescing of agreement -- then point out to the Secretary that these are contentious issues, and we have identified them for your edification, but we don't have a recommendation at this time.
MS. FYFFE: I am going to echo part of what Mike has said. We really have to define our scope here, because we don't have the precious resources of time and lots of staff to come up with a very, very comprehensive book to give to the Secretary.
My sense is that we are going to identify implementation issues and, if there are suggestions, identify those as well, and also identify those areas that require further clarification.
I don't want to turn all this into a simple reporting and administrative function, but we really do have to limit the scope of what we are going to do.
The last thing we should do, after we get through those first pieces, which is going to take time, is come up with recommendations and we may not have time to do it this time around.
I feel obligated to really report what all the public testimony was and, again, to reiterate, to identify implementation issues, identify those that had suggestions for improving implementation, and then also identifying those areas that need clarification.
I was a little bit amazed, and I will continue to be amazed, I am sure, of the areas that are gray and cloudy and muddy for a lot of people.
Even though HHS has already come out with guidance and clarification, they need to do some more of it, on the same issues you already thought you clarified. That is my suggestion, but we have to be very careful of scope.
MR. ROTHSTEIN: Thank you for those comments.
DR. COHN: I was actually waiting for Kathleen to talk because I have the sense that I need to have a meeting of the minds with her before we can move forward.
MS. FYFFE: You never will.
DR. COHN: Really?
MS. FYFFE: We think differently.
DR. COHN: Except I think I fundamentally agree with what you are talking about based on all the letters we have written.
I mean, we are talking about a letter. We are not talking about a report. It had better be under six pages, or else we are all going to go nuts.
I do personally think we need to give some range of recommendations, but I think a lot of them are based on recommendations that are being offered to us.
MS. FYFFE: That is okay.
DR. COHN: I don't think we should make recommendations out of whole cloth or anything. It is more, here is what you need to review, and a lot of the recommendations that were given to us in the testimony and say, gee, is that worthy of being in the letter or not.
MS. FYFFE: Suggestions are different than recommendations, are they not? I don't want to get into that. I am beginning to sound like an attorney with semantics here.
DR. COHN: Let's see how far we go. To me, there a recommendation and I tend to think of recommendations as giving them a range of options. To me, if we are going to be of value, we need to be a little bit flexible to give HHS some flexibility, because they are in much more of a political milieu even than we are.
MR. SCANLON: Certainly explaining what the situation is and what some practical solutions are may serve the purpose.
Remember, this will go into an NPRM and there will be another 50,000 comments.
MS. GREENBERG: Really, perhaps this is not expanding on what the last few folks have said, but to the extent that -- I mean, you had testimony in some cases that just go back to square one. I don't think there is any way probably that, even if that were an appropriate role, the subcommittee, I don't think -- there are too many different views, just like there are in the presentations, that would make that possible.
Then there are a number of recommendations where people said, okay, but if you are not going to go back to square one, these are ways that you could kind of make this work better.
I think it would be helpful to -- in most cases, I think we had written testimony -- to pull those out and see if there is consensus around any of them. Perhaps not, but if there is at least general support for any of them.
If you look at them, some of them are fairly specific. As Jim said before, they kind of relate to this idea of first encounter, but they kind of relate to the whole issue of just being practical so you don't shut things down.
For example, rely on parental consent for a child who reaches the age of majority until that new adult comes in for care.
I don't know, people will probably be opposed to that and not be, but things like that, that are fairly specific, that either the rule currently allows that, and people just don't understand that or, if it doesn't, maybe it might make a reasonable change just to allow a temporary approach until the person comes in and can then resume the consent process.
I think it would be helpful to pull those out and see if there is any consensus around them. If there isn't, fine. Some may not seem that controversial, whereas the bigger issues are. You know, some of these specific recommendations might seem reasonable.
Again, as Jim said, even if you recommended them, first of all, the department would have to decide how they felt about it, and then they would go into an NPRM anyway.
Unless they are a clarification area, if they can be handled through clarification, then that is something they could consider.
I think it is worth looking at those specific recommendations and seeing if there is any kind of general agreement or not with them.
MR. ROTHSTEIN: I have got a comment and a proposal. First, the comment. In selecting the witnesses, we had a narrower vision of what we were going to do.
We did not invite people here who were going to give us the views on what is the role of privacy in America, or should we have consent at all.
MS. GREENBERG: You got that.
MR. ROTHSTEIN: We invited people who were asked to comment on very specific things. The fact that they commented on broader things, a broader topic, we may have had other people as well.
In some respects, it was not as representative a group of witnesses as possible. So, that is a little bit of an explanation.
Here is the proposal. What I would like to suggest is that we work on two tracks. One is a sort of longer-term track, keeping in mind that some of these issues are going to be around for a considerable period of time and may need additional study, more data analysis and so forth.
Also, on another level, a more specific level, as Marjorie suggested, try to find the narrower areas in which there may be agreement among the subcommittee. There may even, in fact, be agreement among the witnesses as to clarifications, minor revisions and so forth, that would make the rule work better, and to disrupt the system.
To the extent that we can sort of highlight these broad areas that we are interested in, and also give specific concrete recommendations, I think we ought to pursue that.
DR. COHN: I apologize for monopolizing the conversation. That is not my intent, but I am sort of struggling.
I keep hearing these process suggestions you have and I am not sure about what long-term view means, given that we know that the Secretary is going to be doing --
MR. ROTHSTEIN: Past October 1.
DR. COHN: Well, whatever. I know the Secretary is going to go and develop a revision to the final rule. Whatever long term is, is what we see coming out of that next final rule.
So, I guess to my own view, I think we are sort of at a point where we have talked about process so much that we might be able to get a couple of suggestions up on the board, that we just need to get on the board as options that we can then argue about, agree, disagree, make recommendations to go forward or whatever, rather than trying to slip into a near term or long term or whatever.
I would agree that there are things that need further analysis, and I think there is a bucket where we can do that. We just don't have the information but we know it is an issue.
I would just say, it seems to me it is pretty clear -- I don't think this is rocket science. I think we could offer a couple of options right now. I don't know whether they are the right ones or not.
I did number one here, I think that one option that we should at least put down on the board is statutory authorization and recognizing, as he commented, as Marjorie said, that if we had statutory authorization, it would give states the right, that wanted to have consent, to continue with consent. That is one option, not a recommendation, but an option.
If that doesn't happen, then there are a whole bunch of things that were given by a number of different speakers of real problems, real unintended effects with real solutions that could be done, that would move us in there, and there are probably A through G that would take about three minutes to sort of put up on the board.
Then maybe there is something else around consent. I am not talking about revocation right now. That is a whole different, very complex issue, but probably in terms of consent, we probably could do this in 15 minutes.
MR. ROTHSTEIN: Jeff had a comment.
MR. BLAIR: I guess, while I was listening to Simon, my thoughts -- Simon's approach might work better. So, let me just -- I am debating whether to offer it or not, because it might just muddy it up.
Why don't you just react to Simon's suggestion and see if that is a good approach.
MR. ROTHSTEIN: I have been informed that we have to end at 6:00. So, we have 15 minutes left, and Simon is confident that we can resolve this in 15 minutes. Was that why you chose 15 minutes?
DR. COHN: I don't have a watch on.
MR. ROTHSTEIN: It worked. You are on.
DR. COHN: I can come up with a number of bullets. I am actually going to start by saying that I will apologize because many of them are the morning testimony. I was just sort of starting with the Kaiser testimony. You all know that I am a Kaiser employee. We are talking about getting at the edge of the balance here of options.
There is one that says, allow continued use of the data collected before April 14, 2003 for use.
MR. ROTHSTEIN: Without consent?
DR. COHN: Yes, exactly, and require consent only for data collected after that date. I am just sort of going through this particular one just to start, since she was the first testifier.
Allow use and disclosure of data collected before revocation, for continuing TPO. I mean, that is probably a revocation issue. So, maybe we want to take it off the table, since we are just talking about consent right now.
MR. ROTHSTEIN: How would that change the current way --
DR. COHN: Let's not talk about revocation right this moment.
MR. ROTHSTEIN: That second one -- oh, you want to drop that? Okay.
DR. COHN: I just think it is a revocation discussion.
MS. HORLICK: Right, to allow continued use after revocation, is a revocation issue.
DR. COHN: Exactly, so I think we should probably not handle that in the consent discussion.
MS. FYFFE: One of the broad areas is revocation.
DR. COHN: Yes. I thought revocation was another issue in addition to consent, actually, as far as I am concerned. I am just trying to get a consent handle here.
Basically, allow the continued use of data until a patient makes a physical appearance and is able to sign a consent. That issue also of parental consent, when the patient reaches the age of majority.
The NCQA presentation had a recommendation having to do with clarification around the disclosure to health plans for use in health care operations.
MR. ROTHSTEIN: Are you moving the adoption of these recommendations?
DR. COHN: No, I am sort of putting them up there so we can discuss them.
MS. FYFFE: So, you are putting up categories of issues.
DR. COHN: I am actually putting up specific recommendations that we heard all around consent that actually might be a reasonable framework. I am not sure that we can agree on them in 15 minutes, but we can get them on the board.
MS. FYFFE: We need to identify implementation issues, categories of implementation issues. Can we start with that, please? We can maybe get through that in 10 or 15 minutes.
MS. GREENBERG: I think these are, the seven or whatever bullets, in the Kaiser are the implementation issues, but some of them could maybe be addressed in clarification, and others probably would require some modification to the rules.
MR. BLAIR: It is my thought that there are probably several different ways that this could work. I think at this point Simon at least is able to visualize a pattern where we might be able to be productive within the 15 minute piece. Let's go down this path and try to see if we can make as much of it work as we can.
MS. GREENBERG: Can I ask for just a clarification. This whole issue about providers providing data to health plans for health care operations, would the rule allow a provider to include that in its consent, or if information is going to be provided to the plan for its health care operations, does that have to be either an authorization from the provider or a separate consent from the plan?
MR. ALTARESQUE: Yes, it does, to answer simply.
MS. GREENBERG: It can't be included in the consent.
MR. ALTARESQUE: The health care operations referred to in TPO is the health care operations of the entity that is getting the consent, not for some other entity.
MS. GREENBERG: Even if the provider is part of this plan.
DR. ZUBELDIA: The health plans say that that kind of reporting is part of payment and say that, even though it is a capitated plan, if you don't give us the report, then you don't get paid, and it is part of payment.
MS. GOLDSTEIN: There is probably going to be a lot of information that is disclosed for payment purposes that will fall in the definition of payment, that the plan may also use for their health care operations.
We have minimum necessary requirements. So, the information that is disclosed under payment can only be what is minimally necessary in order to conduct those payment activities.
So, a plan couldn't just say, we want your entire -- you know, all this information.
DR. ZUBELDIA: If a plan wants an encounter and that gets transmitted just in the standard 837 encounter, that is exempt from the minimum necessary.
The plan can say, if you don't give me encounters, you don't get paid. Therefore, this is part of payment. Since it is an 837, it is exempt from the minimum necessary.
MS. GOLDSTEIN: Right, and then that information would be fine. It would be okay to disclose that information for payment purposes.
MR. ALTARESQUE: The principal concern was for operations, and for their own operations, not operations related to the provider, if it is the provider who is getting the consent.
MS. GOLDSTEIN: There is also -- and I don't want to spend too much time on this, but there are organized health care arrangements, and it is possible that a plan and a provider are in an organized health care arrangement, and that information could be shared, pursuant to that relationship.
So, there may be some cases where the information could flow to the plan if they are part of this organized health care arrangement, and that arrangement is -- there is notice of that arrangement. That is not going to solve all the problems that testifiers have raised.
MR. ROTHSTEIN: Simon, I don't follow what is going on here, what your proposal is. Is it to incorporate the recommendations of all of the witnesses who presented testimony today, including the public witnesses, the AMA, et cetera, or is it just limited to Kaiser and NCQA?
DR. COHN: I think as I was going through, I stopped after NCQA, only because I was interrupted, but those are as far as I had gotten. That was just meant as, once again, I think there is a range of options and recommendations.
You had asked me to sort of start with a frame. So, I had started out with saying, one being going back to statutory authorization and then, two, if you don't go to statutory authorization, a whole bunch of these other things that are basically operational issues with the implementation.
I am not necessarily saying that those are what we accept, but I am getting them on the board for discussion and the question is, do other people have other things that they want to get on the board for discussion.
Basically, I am just trying to provide a framework so that we can make decisions. I guess I know that I am biased. I have a view on this. At least I am putting it out there. Mark, what is your suggestion?
MR. ROTHSTEIN: We have got five minutes.
DR. COHN: I don't think we necessarily vote on this. At least we can get it up on the board.
MR. ROTHSTEIN: I think if you want to go through all the recommendations that were submitted to the subcommittee today, if that is your strategy, then we have got to put up all 50 or so recommendations that we got from all the witnesses.
DR. ZUBELDIA: We can't do that in five minutes, obviously.
MR. BLAIR: Is there any possibility, do we have a bit of an opening where we can go past 6:00 o'clock?
MR. ROTHSTEIN: We have to be out of here at 6:00; is that right, Marjorie?
MS. GREENBERG: Our transcript will end at 6:00 and discussion should end at 6:00. If anybody wants to stay and put these out -- the other problem is that we do have to lock -- it does take a little bit of time to break down and everything.
For that matter, I am willing to stay and lock the room if somebody wants to put these up here, but the transcript will stop at 6:00 and they will start breaking down everything.
MR. ROTHSTEIN: I don't think we should go beyond 6:00.
MS. FYFFE: I don't think we should. We need the sunshine on what we are doing and if we can't have a public record of it --
MS. GREENBERG: I am just thinking of the mechanical process of getting all these recommendations.
MR. ROTHSTEIN: We have to meet in public on the record.
MS. HORLICK: I can sit in my office and list everything from all the testimony and write it out. What we need is the discussion about it. We are certainly not going to make -- that is why I was asking, what would be helpful, a compilation or recommendations. We need the time to discuss them and that is what we don't have.
MS. GREENBERG: Obviously you don't have the time now. My thinking was that if you have got them together, if you had them all in one place and for each one, instead of having an hour discussion on each one say, is there anyone who just really feels this shouldn't be considered, and if somebody feels it should not be considered, just go on to the next one.
There might be some that seem kind of reasonable and worth considering and then, maybe down the road, some of the others might be worthy of discussing.
It is kind of like each person -- everyone would have a veto and say, we don't want to consider that one. Just go on to the next one and see if, out of that, you come up with some that seem to really make a good point.
MR. BLAIR: Could I suggest this? Gail, if you could compile the list and we have a chance to go over it at our next discussion period, we could maybe deal with each of those items in two or three ways.
Some of the items we might actually have consensus on, and those could be recommendations. Others, we could wind up indicating they are either a pro or a con and we would list them as options.
Other ones, we might put aside as something that is either too complex to deal with or something that there is not a consensus of support on.
That might be a way for us to capture as many of the good ideas as possible from our testifiers, and get them included. That is one way that we might proceed.
MR. ROTHSTEIN: The problem is, there is no time in our schedule. We have 10 witnesses in the morning and six in the afternoon. We have two 45-minute subcommittee discussion periods.
By the time we could get to this, we will already have had 10 more witnesses on minimum necessary, and we don't have the staff to compile these 50 recommendations.
DR. ZUBELDIA: Do you want to continue discussion at lunch time tomorrow? We could have lunch down here and get some time, or just get a conference call for next week.
[Whereupon, at 6:00 p.m., the meeting was recessed, to reconvene the following day, Wednesday, August 22, 2001.]