[This Transcript is Unedited]
Hubert H. Humphrey Building
Room 705-A
200 Independence Avenue, SW
Washington, DC 20201
MR. ROTHSTEIN: Good morning. My name is Mark Rothstein. I am Chair of the Subcommittee on Privacy and Confidentiality of the National Committee on Vital and Health Statistics, and welcome to all of you to day three of our hearings on the implementation strategies under the new privacy rule under HIPAA.
Welcome, also, to those of you who are listening to us live via the Internet, Before we proceed to this morning's panel, I would like to begin with introductions of the members of the Subcommittee and the staff and invite those in the audience to introduce themselves as well, and I would request that Subcommittee members disclose at this time any conflicts of interest.
I will begin. I am the Director of the Institute for Bioethics Health Policy and Law at the University of Louisville School of Medicine, and I have no conflicts.
MS. HORLICK: Good morning. I am Gail Horlick and I work for the Centers for Disease Control and Prevention, and I am lead staff for the Subcommittee.
MS. FYFFE: Kathleen Fyffe. I am a member of the Subcommittee. I work for the Health Insurance Association of America. In that capacity I, also, represent HIAA on the National Uniform Billing Committee, National Uniform Claim Committee and the National Council for Prescription Drug Programs.
DR. ZUBELDIA: I am Kepa Zubeldia. I am a member of the Committee and Subcommittee. I work for Clona(?) Corporation. I am a member of X12 and NCPEPA and, also, Chair of the Association for Product Transactions.
MS. GREENBERG: I am Marjorie Greenberg from the National Center for Health Statistics, EDC, and I am Executive Secretary to the Committee.
MR. FANNING: I am John Fanning, from the Office of the Assistant Secretary for Planning and Evaluation of HHS.
DR. HARDING: I am Richard Harding. I am a member of the Committee and a child psychiatrist, University of South Carolina, and I am the President of the American Psychiatric Association.
DR. COHN: I am Simon Cohn. I am a practicing emergency physician and the National Director for Health Information Policy for Kaiser Permanente. I represent the American Association of Health Plans on the National Claims Committee. I am associated with a CPT panel for the AMA. That is all I can think of in terms of disclosures.
MR. BLAIR: I am Jeff Blair, member of the Committee, Vice President of Medical Records Institute and a member of HL7, MSIS, ASTM.
MR. SCANLON: Good morning. I am Jim Scanlon with the HHS Office of Planning and Evaluation. I am the Executive Staff Director for the Committee.
MS. MC ANDREW: I am Sue McAndrew. I am a consultant for the Office of Civil Rights.
MR. FITZMAURICE: Michael Fitzmaurice, senior science adviser for the information technology at the Agency for Health Care Research and Quality. I am liaison to the National Committee and staff to the Subcommittee on Standards and Security
MS. HUSTEAD: My name is Joanne Hustead. I am senior counsel with the Health Privacy Project at Georgetown University.
DR. VILLAGRA: Good morning. My name is Victor Villagra. I am an internist. I am the mathematical executive for CIGNA HealthCare dealing with health policy and medical affairs and the President of the Disease Management Association of America.
MS. PELLOW: Good morning. I am Wendy Pellow, and I with the Council at the National Association of Insurance Commissioners.
MS. COMPAC: Angela Compac, intern at Pharma.
MR. WILDER: Good morning, Tom Wilder, AAHP.
MS. BEEBE: B. C. Beebe, NCHS.
MR. AZWANDA: Don Azwanda, American Health Information Management Association.
MR. DESET: Chris Deset with Marr(?) Labs.
MS. WHITE: Gracie White, NCHS, staff.
MS. ROLLINSON: Maryetta Rollinson, NCHS.
MS. COLTIN: Nickie Coltin, with Welfare and Bureau of Trag(?).
MR. ROTHSTEIN: Welcome to all of you. A reminder that there is a purpose of these hearings and today's hearing as well which is to provide guidance to the Office of Civil Rights and the Secretary of HHS on practical issues in implementation of the privacy rule.
We would especially be interested in unintended consequences that you have discovered, overlaps and inconsistencies and areas where you think there is need for additional clarification.
The ground rules will be the same this morning as in the prior hearings, that is invited witnesses will have 10 minutes to give their prepared testimony. A 1-minute notice will be provided and a sign will be held up from the Registration Table. A beep will go off at the end of your 10-minute period.
After each witness has completed testimony the members of the Subcommittee will have a brief opportunity to ask questions of a clarifying nature.
After all the witnesses have completed their testimony, then we will approximately one-half hour for general questions and discussion.
Witnesses and members of the public will have until Monday, close of business to submit additional written testimony, and I know you for the most part already have done so, and written testimony should be submitted to Maryetta Rollinson and her address is available as well as in the Federal Register notice.
Before we proceed to the first panel, let me take this opportunity to discuss the final panel of our 3 days to give some special thank you's to the people who made this hearing run so smoothly, beginning with our lead staff, Gail Horlick who arranged for all the witnesses with Maryetta Rollinson who put together all the details and arrangements of this meeting, to Marjorie Greenberg and Jim Scanlon for their above and beyond the call of duty helping us with the consent issue as well as Michael Fitzmaurice on the other three issues, AV people and Sue McAndrew and her colleagues from OCR, and if I left someone out you can accept my apologies.
So, with that we will call on the first panel this morning. Let me make a note for the Subcommittee members that Mr. James Jones will not be with us this morning. So, the panel this morning on marketing will consist of the three witnesses you see before us.
Ms. Hustead?
MS. HUSTEAD: Thank you, Chairman Rothstein, members of the Subcommittee, Ms. Horlick. I appreciate the opportunity to come today to testify on behalf of the Health Privacy Project at Georgetown University.
The project is part of the Institute for Health Care Research and Policy at Georgetown, and our mission is to press for strong, workable privacy protections in the health care arena. The project was founded with the goal of taking the privacy discussion out of the civil rights context and moving it into the health care context to talk about and to think about privacy as an essential component of an effort to provide access to quality health care.
The project conducts research and analysis on a range of health privacy issues. We were thrilled that the department allowed this regulation to go into effect in April despite rather intense pressure from some in the health care industry.
We were, also, both relieved and pleased with the guidance document that was issued in July, relieved because in our view it is a welcome reaffirmation of the major concepts in this privacy regulation and pleased because the department joined us in rebutting quite directly many of the myths and misstatements about this regulation that had been put forth by many in the industry over a period of several months.
We hope the guidance will calm industry fears, lead to greater acceptance of the regulation and foster compliance with it although based on some of the testimony in the last couple of days I am not sure that the guidance has entirely accomplished those objectives.
Before addressing marketing and fund raising I just want to make a few quick points about the other topics that you have covered at this hearing. We submitted detailed testimony on each of them.
As for the consent requirement we agree that some modifications need to be made to it to address particular operational glitches, but it should not be eliminated in its entirety as some in the industry have suggested. Getting patient consent is a critical component of protecting privacy and respecting their rights.
I was pleased to hear during the Subcommittee discussion yesterday that you have deferred the recommendation that that consent requirement be eliminated.
We fully support the minimum necessary standard and view it as a cornerstone of this regulation and indeed of any effort to protect privacy. I would like to echo the testimony yesterday both from the American Nurses Association and from Ron Wyche who testified on behalf of the American Civil Liberties Union about the importance and the workability of the concept of minimum necessary.
We believe that the research provisions are a major improvement over the status quo and will make people more comfortable about participating in medical research. We believe that protecting privacy and promoting research go hand in hand.
Despite our general enthusiasm for the regulation we believe that it has a number of weaknesses and that these weaknesses can and should be addressed by the department, most especially the regulation's approach to law enforcement access, marketing and fund raising.
We are quite frankly alarmed by the regulation's approach to marketing and fund raising. A poll released in 1999 by the California Health Care Foundation confirms that the public opposes the use of medical information for marketing purposes without consent.
In that survey 70 percent of people said that they would not give permission for a drug company to use their medical information for the purpose of providing them with information about new drugs and other health care products.
In a 1993 Harris survey 66 percent of people said that it would be unacceptable for hospitals to use their medical information, their patient records to solicit donations. There was an overwhelming public outcry in 1998, over the disclosure in the Washington Post newspaper of a marketing arrangement between chain drug stores and a marketing company that was, also, under contract with pharmaceutical companies. Due to public opposition to that sharing of information the companies ran ads in the Washington Post announcing that they were ceasing the program. Unfortunately this new regulation authorizes exactly the type of marketing activities that the public resisted so vehemently. While we recognize that the privacy regulation does not allow covered entities to disclose protected health information without authorization to a drug company solely for the drug company's own commercial uses, it does allow a pharmacy to contract with a business associate which might be a drug company or a pharmacy benefit manager or a direct mail operation for the purpose of sending a marketing communication on behalf of the pharmacy.
This communication can pitch the business associate's product or a product of another party as long as the claim can reasonably be made that the communication is being sent for the pharmacy's benefit. Encouraging people to use drugs, even particular drugs could certainly fall within these parameters since the person may purchase them from the pharmacy on whose behalf the communication was sent.
Given the strength of the public's opposition, the regulation's approach to marketing and fund raising is especially troubling. Marketing and fund raising are literally buried in the definition of health care operations. These activities are not part of the core health care purposes that should comprise this treatment, payment and health care operations category, but because they are treated as part of health are operations health are providers will be able to engage in certain marketing and fund raising activities once patients sign a general one-time only consent form.
Health plans will not even need to go through the process of obtaining any consent whatsoever. The after-the-fact opt-out that is in the regulation is totally insufficient. It is indeed ironic that the privacy regulation provides greater protection against unwanted disclosures of facility directory information where individuals are given the opportunity to opt out before the disclosure. Then it provides for certain commercial uses and disclosures of protected health information.
We appreciate the department's effort in the regulation to limit the type of marketing and fund-raising communications that are permissible without a separate authorization. While the safeguards make these provisions less objectionable, the approach remains nonetheless unacceptable.
Covered entities should not be allowed to use or disclose protected health information for these purposes without an explicit and separate authorization highlighting the marketing or fund raising use or disclosure.
In our written testimony we make some particular suggestions about what ought to be in that authorization.
Defining precisely what constitutes marketing and thus in our view would require a separate authorization presents a difficult challenge. The regulation attempts to define marketing primarily by saying what is not marketing. Not surprisingly this definition raises as many questions as it answers and the July guidance did not shed much light.
For example, would the same type of marketing arrangement that came under fire in 1998, be permissible under the regulation, indeed not treated as marketing as long as the pharmacy itself did not receive direct or indirect remuneration? Under that highly publicized and controversial arrangement many of the letters sent by the marketing company suggested alternative drugs or therapies, smoking cessation products, for example.
The July guidance explicitly states that informing smokers about effective smoking cessation programs is not marketing. When a business associate acting for a provider or a plan bears the cost of sending such a communication does that constitute indirect remuneration to the covered entity? How tailored to an individual patient's circumstances do treatment recommendations need to be for the communication to constitute treatment and not marketing?
Is the recommendation sufficiently individualized if all of the drugstore's clients that use a particular medication get the same letter suggesting an alternative treatment?
We would find further guidance from the department helpful in this area, especially if the guidance used concrete examples to illustrate the lines that the department has attempted to draw between what is marketing and what is not marketing. Once we better understand those lines this may be an area where we recommend that specific modifications be made to the regulation.
Assuming that the regulation does allow pharmacists and thus the chain drugstores that employ them to hire marketing firms to send prescription refill reminders as well as suggestions that patients use new drugs, we hope that chain drugstores will be especially mindful that many patients will perceive this as a privacy violation.
The fact that the business associate marketing firm will essentially step into the shoes of the pharmacy and have to comply with the regulation may make this type of situation different from the 1998 situation that I have talked about but the public may not appreciate this distinction. So, even if it is technically permissible pharmacists and drugstores should be aware of the need to conduct these kinds of arrangements in a way that builds public trust and confidence.
In sum, patients should be in charge of deciding whether their information is used or disclosed for marketing and fund raising purposes.
Again, I want to thank you for the opportunity to share the Health Privacy Project's views. We look forward to working with you, with the full Committee and with the Department to ensure the swift and smooth implementation of this important privacy regulation.
Thank you.
MR. ROTHSTEIN: Thank you.
Subcommittee clarification questions?
Dr.Villagra?
DR. VILLAGRA: Thank you. Members of the Committee, Mr. Rothstein, Ms. Horlick, the Disease Management Association of America greatly appreciates the opportunity to submit the following comments concerning the final rules setting forth standards for privacy of individually identifiable health information.
The DMAA is a non-profit, voluntary membership organization that represents the disease management community. DMAA's goals include promotion of high-quality standards for disease management programs, support services and educational materials and educating consumers, payers, providers, patient bodies, legislators and regulators of the importance of disease management, in the enhancement of individual and population-based health.
The Disease Management Association appreciates the efforts of the NCVHS and the Department of Health and Human Services to address many of the industry's concerns with the privacy rules.
It is apparent that HHS has seriously considered the comments to the proposed privacy rules, comments to the final privacy rules and suggested guidance previously filed by DMAA and other organizations and companies with an interest in disease management.
We would ask that NCVHS, also, consider these prior filed public documents in addition to our comments here. Once again, we deeply appreciate the chance to testify before this Subcommittee and provide you with written information as we have.
On the issue of marketing, marketing involves, quote, the communication about a product or service, the purpose of which is to encourage recipients of the communication to purchase or use the product or service.
DMMA believes that pursuant to the privacy rules disease managers who encourage patients to utilize disease management services are engaging in health promotion on behalf of patients, not marketing and urges NCVHS to seek confirmation of this interpretation by HHS.
However, DMAA, also, believes that promoting the sale of particular drugs, devices or durable medical equipment outside the context of disease management would be marketing.
The privacy rules carve out certain practices under the definition of marketing, and I will not review those items. I will go directly to the Disease Management Association's position on these exceptions.
The guidance indicates that a covered entity is not marketing when it uses an individual's PHI to tailor the health-related communication to that individual when the communication is, quote, made in the course of managing the individual's treatment or recommending alternative treatment, end quote.
The privacy rules were to clarify that disease management companies as business associates of other entities are not engaged in marketing when they are making a communication about a product or service that is directly related to the patient or population's plan of treatment.
Disease management services by definition manage or support treatments and health care operations. HHS has recognized in extensive preambular(?) discussions all these management activities within the DMAA definition of disease management and that fall within treatment or health care operations exception.
Indeed, the health care operations exception explicitly includes notification of providers and patients of alternative treatment methods as part of health care operations.
In summary the privacy rules should confirm that all legitimate disease management services and related communications with providers and patients fall outside of marketing unless their primary purpose is to sell a particular product, service, drug or device.
Activities that are geared primarily towards advancing sales of a particular product, service, device or drug should be classified as marketing. DMAA which has a broad industry membership including health plans, disease management organizations, provider groups and individual physicians has developed a carefully considered definition of disease management that is referenced on Page 82627 of the commentary to the privacy rules.
DMAA is continuing to refine this definition and plans to have an accompanying definitional process in place by October.
I thank you very much for the opportunity to testify here.
MR. ROTHSTEIN: Thank you.
Clarifying questions from the Subcommittee?
Michael?
MR. FITZMAURICE: Does the way the privacy rule defines marketing, is that satisfactory to you or unsatisfactory, and how would you change it?
DR. VILLAGRA: I think the current definition is satisfactory provided that there is confirmation of some of the possible ambiguity in interpretation of this definition. I would say that for the Disease Management Association the definition is very workable, and that the real trick going forward is to correctly identify disease management programs and services that are provided within that context or outside of it.
MR. FITZMAURICE: Thank you.
MR. ROTHSTEIN: Others?
Ms. Pellow?
MS. PELLOW: Thank you. Good morning, everyone. On behalf of the NAIC, I would like to thank the Subcommittee for giving us the opportunity today to testify before you and to share some of our concerns we have with the marketing exception that is found in the HIPAA privacy rule.
I would, also, like to ask that our written testimony be submitted for the record as well. As you may know, the NAIC has a long history of working to protect consumers' health information.
We have drafted our own privacy model laws and most recently we have been very active in the state implementation of the consumer privacy provisions that are found under the Gramleach-Blyly(?) Act.
The NAIC submitted comments back in February 2000 on the HHS proposed privacy rule, and in our comment letter we recognized efforts of HHS to establish standards that protect the privacy of consumers' health information, and we even noted the similarities between the proposed regulation and our NAIC model laws that would protect health information as well, including the use of an opt-in standard to getting consumers choice to opt in to having their information used or disclosed, and while we had some concerns and we raised some issues about the preemption of state laws and any interference with the ability of the state insurance department to do their jobs and to follow through with their responsibilities, overall we supported HHS' approach to ensure that consumers receive the strongest possible privacy protection.
However, we were very concerned when the final regulation came out in December 2000. We believe that there is a significant and unfortunate change from the proposed regulation in that the final regulation allows covered entities to disclose people's protected health information for certain marketing purposes without the individual's authorization.
We expressed these concerns in our comment letter that was dated March 2000 on the re-opened final regulation. Now, we recognize that the general rule states that the covered entity may not disclose or use a person's protected health information for marketing without their authorization. However, it creates several exceptions, and our concern is that these exceptions basically swallow the general rule, and while we support the establishment of exceptions to the authorization requirement for certain legitimate business exceptions and business transactions we do not support the inclusion of uses for marketing in those exceptions.
Like the HHS regulation, the NAIC model laws allow insurers to use and disclose individual's protected health information for a broad range of insurance activities such as underwriting, paying claims, fighting fraud and investigating fraud. However, our privacy models do not allow insurers to disclose or sell consumers' protected health information for marketing purposes without first obtaining the consumer's authorization.
We think that the marketing exception in the HHS final regulation guts the stated purpose of the regulation for protecting consumer's health information.
In the preamble HHS claims that the marketing exception will benefit consumers by providing them access to information, and it also says that it has incorporated consumer protections within that exception.
It states that the marketing exception will allow health care entities to discuss their own health-related products and services or those of third parties as part of their everyday business. It, also, says that providers in plans will be able to inform their patients and enrolles about new and valuable health products.
The consumer protections that are claimed to be within this exception are based on the fact that covered entities would be required to tell consumers why they have been targeted in the marketing and then give them an option in the future to opt out of future marketing communications.
We are a bit confused because we don't know of any other provision in the regulation that requires a marketing exception in order for a provider to talk to the patient about treatment options or a health plan to tell the enrolle what benefits are covered under their plan.
We, also, don't think that offering consumers a way to opt out of future marketing is the same as giving those consumers the right to make the initial decision up front about whether they want to receive any type of marketing materials at all.
We believe that once an individual's information has been disclosed for marketing purposes the ability to keep that information from being further disclosed is speculative at best.
The assumption behind not only our models but behind the HHS regulation is that health information deserves a higher level of protection than other types of information and the NAIC believes that the marketing exception that is currently in this final regulation is a giant step backwards for consumers, and we would strongly suggest that this exception be removed from the regulation and go back to the approach that was used in the proposed regulation.
I will look forward to working with you, and we hope you can carefully consider our concerns.
Thank you.
MR. ROTHSTEIN: Thank you.
Clarifying questions?
Michael?
MR. FITZMAURICE: If I understand what you said, you believe that prior individual authorization should be required for all marketing. You believe that what we have is better than the status quo, but you like the notice of proposed rule making better than the final rule with regard to marketing.
MS. PELLOW: With regard to marketing, yes, because the proposed rule required authorization, opt in authorization for all marketing.
MR. FITZMAURICE: Thank you.
MR. ROTHSTEIN: Other clarifying questions?
Before we open the general discussion I would like to take the Chair's prerogative before we get sort of onto today's specific testimony to go back to a question that we tabled yesterday at our hearing because of the expertise that we now have before us today.
So, Dr. Villagra, I want to read to you a recommendation that was proposed to us at our hearings over the last couple of days that we have not acted on, but we wanted your opinion on this, and it reads as follows. Patients should have the right to consent to or refuse participation in disease management programs. In addition, an individual's enrollment or cost should not be affected if he or she declines to participate in a plan's disease management program.
We oppose any disclosures of health information for disease management activities without the coordination and cooperation of the individual's position. Yet there is no such requirement in the final rule. We believe disease management needs to be defined narrowly in order to prevent inappropriate use and disclosure, for example, for marketing purposes of health information without the patient's consent.
So, would you please comment on any or all of that?
DR. VILLAGRA: I will be --
MR. ROTHSTEIN: And perhaps we could get a copy of that. It is from the, oh, okay. So, he can actually follow that. It is the fourth bullet.
DR. VILLAGRA: Yes, I have it in front of me. A couple of points, I would absolutely concur that the use and the participation in any activity under the guise of disease management that has as its primary purpose the marketing of products or the selling of products is marketing, and I have absolutely no problems with that portion of this commentary.
The notion that patients or large groups of patients participating in disease management ought to have let us say authorization, explicit authorization from physicians has been tested, has been tested in legislation in the State of California. That was approved, I believe either in 1999 when Governor Davis signed legislation requiring that prior to participation in disease management programs disease management organizations obtain permission from their treating physicians.
These prompted, for example, my company CIGNA HealthCare to send over 10,000 letters to physicians taking care of a large population of patients with diabetes in the State of California asking for their permission prior to enrolling those individuals in our patient educational and health promotional activities.
If I recall correctly we received something of the order of 125 replies from physicians, many of which required additional information, some of them stating that they did not want their patients to participate but by far the vast majority of the physicians did not explicitly oppose the enrollment of patients in the diabetes program.
Because of the administrative problems that this created, the burden of cost and frankly the potential delay of this activity that ultimately is intended to empower patients to self-care better and to be more intelligent participants in the process of care we introduced an amendment or a proposal for an amendment to this legislation which eventually received unanimous approval by the Legislature of the State of California and was immediately adopted by the governor as an amendment to the original legislation.
I think this particular experience taught us a great deal.
PARTICIPANT: What was the amendment?
DR. VILLAGRA: I am sorry. Of course, the amendment was to allow disease management companies to inform the physicians of such an activity as it involved large populations of patients.
MS. FYFFE: Inform instead of?
DR. VILLAGRA: To inform instead of seek permission to --
DR. ZUBELDIA: Wasn't there an opt out after the informing of the physician? Could they opt out of the program?
DR. VILLAGRA: The physician could request that the patient not participate in the disease management program, and generally speaking disease management programs themselves offer the opportunity for patients to opt out. This is over and beyond the input from individual physicians.
MR. BLAIR: Once the amendment was in place was there still retained any requirement to ask permission either of the patient or the physician to be in the disease management program prior to the commencement of the disease management program?
DR. VILLAGRA: Yes, the second component of the original legislation included a consent from the patient or that the patient be informed of their option to participate or opt out of the program. The Disease Management Association never had any concerns about this, but given prior experience with a number of especially useful and practical tools, decision support and information to patients that required the explicit permission of physicians, that was the part that was more difficult, and so, today that amendment has been approved, and we think it is a good one.
So, based on that I don't agree that that should be a requirement for patients to participate in the disease management program. WONO(?) considers that disease management programs represent one of the most innovative, one of the most exciting modalities of taking evidence-based knowledge in science to the hands of thousands and thousands of consumers. I think this would be an unacceptable barrier to this particular theory from the Disease Management Association perspective.
MR. ROTHSTEIN: Let me see if I have your position correct? You would apparently agree with the statement or the part of the statement, the third sentence that says, "We oppose any disclosures of health information for disease management activities without," it says, "the coordination, cooperation of the individual's physician."
Now, leaving aside the issue of exactly how that would work, whether it would be the California approach or some other approach, but in general I take it that is something that you would support, that the individual physician should have a role before the disclosure of individual health information?
DR. ZUBELDIA: When you say, "A role," --
MR. ROTHSTEIN: Let us put it either through notification and an opt-out option or something of that sort. I mean I am not tying you down to this. I am just trying to get a general sense. I would view this through the filter of the California legislation and amendment. You would support that?
DR. VILLAGRA: I would support the notion that physicians are an integral part obviously of disease management programs. In fact, the entire philosophy of disease management programs centers around supporting the patient-physician relationship. That patient-physician relationship typically is episodic. In order for the process of care to continue, this infrastructure that has been developed to serve patients obviously needs to be preserved but the centrality of the patient and the physician transaction is absolutely key to us, and we support it.
MR. ROTHSTEIN: And just following up the fourth sentence I understand your testimony to be that if a primary purpose is to sell a product or service that would constitute in your view marketing and not disease management and therefore reading that, your statement in the context of that fourth sentence, you would then I gather agree in general that disease management should be defined narrowly and distinguished from marketing of products and services?
DR. VILLAGRA: As I stated earlier I think there should be a provision. There should be a provision that allows information and services as support tools to patients, channeled in the context of legitimate disease management programs to be accepted and covered under the current rules as stated in the current rules.
MR. ROTHSTEIN: Yes, certainly, Jeff?
MR. BLAIR: Within a narrow definition of disease management does the disease management entity have the right to communicate directly to the patient and inform the patient of an alternative drug, an alternative therapy without getting the consent of the physician first?
DR. VILLAGRA: If it is in the context of a disease management program information that empowers the consumer to have a broad choice or alternative choices is part of the construct of any form of an informed consumer.
So, the answer is yes. I want to point out that we have previous comments to HHS on disease management and privacy issues that have included the definition of disease management of the Disease Management Association of America and I have it in front of me, if it would be helpful for this Committee to hear this definition and formulate some of your thoughts or your questions in light of this definition, I would be happy to read it.
MR. ROTHSTEIN: Do we have that?
DR. VILLAGRA: You don't have it in the current testimony. I can provide a separate copy of it, but we have submitted this before.
MR. ROTHSTEIN: If you would do that we would appreciate it. I would like to ask a follow-up question to our other two witnesses related to this area. So, you can comment.
Ms. Hustead, you recommended deleting from the definition of TPO marketing. What would your position be if we recommended that but carved out from the definition of marketing some narrow provisions for disease management, in other words included disease management narrowly defined within TPO and took the other forms of marketing out? Would that be something that you would support?
MS. HUSTEAD: I think that I share the concern and indeed maybe the skepticism of HHS about what disease management is. I think that it is a term that is used frequently but really defies definition and that it is important to get a lot of information about any kind of program that says that it is a disease management program before I would clearly put it in the health promotion box as opposed to the, the treatment and health promotion box as opposed to the marketing box.
For example, if a plan wants to send routine reminders to women around their birthday if they are over 40 or 45 that it is time to have a mammogram I don't have any problem with that happening. I don't think they need to get the patient's consent to do that. I don't think that they need to involve the doctor even in that. I think that is a pretty routine and basic sort of service that many plans often do provide.
On the other hand, if you are talking about a program that either is much more intense, much more involved, is doing some serious monitoring of people who for example, have diabetes or where there is clearly some pitching of particular products going on, I think that you have to look at what is going on a whole lot more carefully. Who is bearing the cost of doing this? Who is getting paid for doing it? Whose idea was it? Who is it really out there benefitting?
I think if you take out of the end of the regulation the section on marketing and fund raising and take out the reference to those in the definition of health care operations that you have done all that you need to do for the moment, because the definition in the reg of what is marketing and what is not marketing essentially treats what some might consider disease management as a treatment payment or health care operations function. If it is treatment it is going to fall within the treatment category. If it is care management or coordination done by a health plan it might fall into treatment category or it might be health care operations category. So, I don't think that you need to add anything to the definition of health care operations to make it possible for plans to engage and for providers to engage in certain kinds of care monitoring and management, and I think I would recommend against using the words "disease management" in the absence of, and I know HHS has looked at this very closely, of any real consensus about what that means because of the concern that too many things will get lumped in that box without an adequate look at what is really going on; what are the objectives; who is getting paid to do this, etc., the kinds of things that are in the definition of marketing and not marketing.
MR. ROTHSTEIN: The example that used the reminder of it is time for a mammogram or colonoscopy or whatever, that would not be patient specific other than age related, and it is not based on diagnostic information. Is that the kind of cut that you would like to make? In other words, you don't need to review anyone's medical chart to send that out. All you need know is their sex and birth date.
MS. HUSTEAD: Right. No, from health promotion programs and care management programs that are conducted by health plans. So, I don't want to say that merely something that is sort of administrative like sending out that kind of postcard is the only thing that would be okay. I think there is a lot of very innovative and very interesting things that are being done by health plans to monitor the care of patients. I do think though that where it is helpful and in some cases I think necessary to get the health care professional sign off on it, but again I don't think that you move to change the way the regulation defines either treatment payment or health care operations in order for those kinds of activities to continue.
My concern, aside from the rule says is marketing and permits it without authorization is the definition of marketing versus not marketing which is a very difficult line to draw. It is sort of like Justice Stewart, I believe, who said, "It is hard to define insanity, but you know it when you see it." So, I think HHS did a good job of trying to put in a definition of what is not marketing, and it reads a lot like treatment and health promotion.
On the other hand, there are some ambiguities in that definition, and it is important in any situation to really look at what is going on, who is getting paid, you know, who is bearing the cost, what is at stake here and what is going on before you can decide whether it is marketing or not marketing.
MR. ROTHSTEIN: Ms. Pellow, would you care to comment?
MS. PELLOW: I agree with what she said in terms of the marketing provision does, having that exception in there opens the door to a lot of, I mean there are a lot of gray areas, and I think the definition of health care operations is broad enough to address and the definitions of treatment and payment are broad enough to address legitimate uses of sending notices and information to consumers and of doctors being able to discuss treatment options with their patients' plans being able to say, "This is covered by your plan adequately," having the marketing exception in there and trying to, and the complications of trying to define what it is, what it isn't is kind of opening the door to a lot more gray areas and while the guidance document that was issued was very helpful in trying to clarify that I think there are so many more gray areas that it may be opening up more questions than answering questions and so, our concern or at least our position is let us just get the authorization, and I don't think consumers are going to always be, you know, say, "No, don't share our information. No, we don't want to get postcards." I think that some of the industry have taken that position where everybody is going to say, "No, I don't want my information shared," and I think consumers will many times say, "Yes. I think there is a lot of great benefits, and I am fine with that." I think the key should be on just getting authorization from the consumer, just saying that this is what we are going to do. Is that okay with you? You know, we are not going to sell your information.
MR. ROTHSTEIN: Thank you.
You wanted to respond to that?
DR. VILLAGRA: Yes, I feel that to represent sending a postcard reminding an individual of some health promotion preventive services and equating that to disease management is a huge mistake. It is precisely because a variety of existing health promotion and disease prevention activities that frankly have been in place for many, many years does not constitute an organized system of care that promotes better outcomes in patients with chronic diseases, for example, that disease management came into being, but for example, components of disease management such as risk identification and tailored interventions for individual patients within a disease category, all diabetics are not in the same status. Some are brittle and unstable. Others are doing better.
The inclusion, for example, of measurements of process of care, of outcomes of care, the reporting of these activities, routinely reporting feedback to providers, to patients, to ancillary providers, to all the stakeholders in the process of coordination of care, to patients with chronic, sometimes multiple conditions, that is disease management, not sending cards, and I think the omission of disease management as being inclusive on the part of treatment and health plan operations exception would create much greater confusion because now there is absolutely no parameter and to lump disease management program with a variety of other administrative activities is taking an enormous step backwards.
What I believe we ought to do is we ought to root this definition on the Disease Management Association definition of disease management that has been submitted. We continue to refine this definition and create an operational platform for it. For example, a registry of disease management programs with strict rules would be a step forward in explicitly separating disease management or complete disease management, all disease management programs or disease management components that need to be integrated into a system of care, but I think it is absolutely imperative that disease management be explicitly mentioned under the treatment and health plan operation as it is today.
MR. ROTHSTEIN: Okay, the floor is now open.
Kepa?
DR. ZUBELDIA: Ms. Hustead, do you think that if marketing was taken out and disease management put in with a narrow definition of disease management that would meet Dr. Villagra's needs, and every communication done under the rubric of disease management had a requirement to explicitly state the procedures for opting out would that satisfy you?
MS. HUSTEAD: I don't think that you need to add disease management to the definition of treatment or health care operations in order for programs like that to continue.
I just want to read a couple of sentences from the preamble to the regulation. Disease management appeared to represent different activities to different commenters. Our review of the literature, industry materials, state and federal statutes and discussions with physician groups, health plan groups and disease management associations confirm that a consensus definition from the field has not yet evolved although efforts are on the way. Therefore rather than rely on this label we delete disease management from the treatment definition and instead include the functions often discussed as disease management activities in this definition or in the definition of health care operations.
Unless things have changed pretty significantly, you know, since this preamble was written to the final regulation then I would encourage this Subcommittee to sort of leave things where they are with respect to disease management although I think my desire to clarify the definition of marketing and not marketing is a similar or is prompted by a similar issue, you know, what really is treatment and health promotion and then what crosses the line over into marketing.
MR. ROTHSTEIN: Other questions?
Kathleen?
MS. FYFFE: Ms. Hustead, your testimony was cut off before you got to your third point which was access by law enforcement officials. Do you want to elaborate on that for purposes of the folks on the Internet, please?
MS. HUSTEAD: Sure, I actually hadn't planned to talk about it since I know it wasn't on your agenda, but we have commented very strenuously both on the proposed reg and on comments in the final reg and in fact, this is one area where the consumer community and many in the industry if not all in the industry seem to agree, and that is that access to personal medical records by law enforcement officials should be circumscribed and that it should be limited by a Fourth Amendment standard, a constitutionally based standard that recognizes the expectation of privacy in that information and puts requirements on law enforcement before they can have access to records.
That would mean going to a judge or a neutral magistrate and having that individual weigh the appropriateness of access to those medical records in that circumstance, and since this is an area where everyone seems to agree, you know, I would hope that the department would heed that call and make some appropriate adjustments in the regulation.
MS. FYFFE: Thank you.
MR. ROTHSTEIN: John?
MR. FANNING: Dr. Villagra, in your rather strict standard which says that disease management doesn't encompass things that involve primarily the promotion of a product, would you ever envision a situation where something could be considered legitimately disease management when in fact what was expected of the patient in the situation was to purchase something or get another service, and I have in mind the application of disease management, for example, in a fee-for-service context?
DR. VILLAGRA: So far experience in the industry has demonstrated that the sale of goods of any sort is decidedly not the central activity by any means. By far the largest component of disease management involves patient education and physician feedback and that sort of activity.
I think it is possible that if we don't adhere to the strict definition of disease management and continue to work towards creating very high standards for what is disease management that there could be the promotion of goods, drugs, devices, etc., under the guise of disease management in the fee-for-service environment or any other environment, and so, I think with the progress made today with the definition of the Disease Management Association, with the creation of a registry, with the, for example, NCQA is in the process of putting together accreditation and certification requirements for disease management programs. The construct for accreditation and certification of disease management programs is extremely strict, and it goes beyond the mere definition. It sets standards for performance and standards for structural elements of disease management. So, with all of these processes in place and evolving very rapidly I think we should make every effort to include this as part of the definition of treatment health plan operations so that things that are not can be procedurally, and there is a practical way of excluding and not have it protected under these exceptions.
MR. ROTHSTEIN: Other questions?
Richard?
DR. HARDING: Let me walk through just for my clarification something? Let us say that you are a disease management program, and I am the executive officer of an insurance system, and so you come to me, and you say that you want to provide these services to my diabetics that are in my system. What do you ask of me?
You ask me to give you a list of those people, and I do so on the basis of what, that they have signed a TPO consent? So, you are a health care operation now, and so I give you that information because that is covered.
Then I start getting fuzzy. The doctor isn't involved at this point. Who is?
DR. VILLAGRA: The version of disease management that is most common and in our company we have substantial experience with this, before we engage patients we inform the physicians. The physicians are informed that patients under their care with a particular disease are going to be invited to participate in a disease management program. Materials that will be shared with the patients are submitted to the physicians for their review and in sequence the patient is then contacted in our case by the insurance company informing that individual that because they are a member of your company this is your company sending the letter they are entitled to participate in this program unless explicitly excluded, that they want to exclude themselves and opt themselves out. If they don't opt out then the information can be transmitted to the disease management program so that educational and all the proper activities of the comprehensive disease management program can begin.
So, this process is carefully crafted so that the physician is informed. The physician has the opportunity to communicate back with the company that contracts him or her and that the patient is given the opportunity to opt out and that information is sequentially presented in such a way that no more information that is absolutely necessary is --
DR. HARDING: Do you feel that the option to opt in by the patient is a killer for your program?
DR. VILLAGRA: The option to opt in in population-based programs is not possible, will not work. We have extensive experience with the opt in and the opt out.
One of the key success elements of disease management programs based, for example, on claim-based identification of eligible patients is that large populations of patients,for example, with chronic diseases can be identified at a given time. For example, we can identify 3000 patients with diabetes in the Houston area and the ability to begin patient education activities simultaneously on a large number of patients makes a tremendous difference in terms of the time to see results and time to see the impact.
An opt-in option creates a staggered approach, a staggered enrollment process and all the time that passes between the possible participation in the actual enrollment is time lost and in turns what is population based to mostly an individual-based program.
DR. HARDING: And then just one final one. What about in areas of quotes, special sensitivities, depression, venereal warts, you know, whatever the topic is that has special sensitivities, how is that handled?
DR. VILLAGRA: In the areas, I am not aware of any programs for things such as venereal warts and so forth, but in the area of depression which I think is a very valid question our approach is we know that patients, let us say with chronic conditions such as diabetes, and I could use other examples of cardiac disease, by itself brings with it the pre-test probability, the a priori probability of depression that is significantly higher than the rest of the population. The disease management program can screen patients that are likely to have depression with instruments that have been validated for their predictive ability and then pass that information on to the primary care physician who is taking care of the chronic condition. It is a responsibility of the primary physician taking care of the patient with diabetes to either treat the depression which is a significant comordibity or refer that patient to a behavioral health scientist or provider.
This ability of disease management programs to identify these populations and refer them to behavioral health specialists or to primary care physicians and to alert them is part of the program, and I think disease management companies and health plans and so forth will be perfectly willing to work on areas of special sensitivity such as HIV, behavioral health issues and anything that requires special tact, special attention. So, we are perfectly open to work the logistics of those issues.
MR. ROTHSTEIN: Other questions?
Marjorie?
MS. GREENBERG: Taking the example that you used of diabetes are there guidelines in the disease management definition or in your association or whatever about relationships with companies that are selling particular products? For example, I could see that the educational materials for people with diabetes might talk in terms of the benefits and the risks and benefits of insulin pumps, but that would be sort of a more generic educational activity, but I can, also, imagine that that could be part of a promotion of a particular sale of a particular insulin pump. Do you have guidelines on that or what the relationship is between education in a disease management association that would fit your definition as to what the relationship would be with the promotion or education and information about particular products as opposed to more generic?
DR. VILLAGRA: We don't have explicit guidelines but the disease management companies and for example, disease management members of the association have taken extreme care not to engage in the promotion of specific products. In general we feel that there has been abundant promotion of very specific products since the FDA Modernization Act and I believe that we have every reason, every intention to stay absolutely out of that business. It is covered abundantly today.
The disease management community views itself as providing an exciting, acceptable by patients, acceptable to all stakeholders of an approach to creating a system of care that is good, that has a strong ethical and moral backbone and that is rooted in better informed patients. To contaminate this particular movement with things such as the promotion of individual commercial products and so forth would be unthinkable and as I said I think it is amply covered by what we see today in terms of promotion of products. That is not the space where we operate.
MR. ROTHSTEIN: Kepa?
DR. ZUBELDIA: I am still fuzzy on the line between disease management and marketing. I have some gray areas. Let me give you an example, and I would like you to tell me whether it is disease management or marketing. Let us say we find that there is a population of patients that is having a compliance problem with the drug that has relatively high cost and because of the high cost it is determined that there is a compliance problem. All of a sudden there is a generic equivalent that comes to the market and now we want to send an indication to all those patients saying that now we can buy a generic product and it is going to be much cheaper and therefore it will be more affordable. You will have less of a compliance problem, would you actively push away from a brand name onto a generic brand? Of course, that is, also, going to lower the cost of the health plan. Is that disease management or marketing?
DR. VILLAGRA: Health plans or disease management companies don't communicate with patients in the way you just described. Disease management programs are not designed, empowered or chartered with telling patients specifically about the switch of a particular product with its generic counterpart. There is ongoing communication between health plans and treating physicians in the context of the management of our pharmacy benefits, about these sorts of things.
So, I understand your question but to pose the question in the context of a disease management program is simply not the way disease management programs work. That particular activity is already managed under let us say pharmacy benefit programs and it would not target individual physicians, I beg your pardon,individual members and certainly would not be based on the use of personal identifiable information as a promotional activity of a particular product.
MR. ROTHSTEIN: Simon?
DR. COHN: I think I need maybe one bit of clarification here only because I am getting very confused by this discussion, and I am not sure quite where it is going. As I understand disease management, and I have worked for a managed care organization though they have internal physicians; so, it isn't quite the same situation but effectively as described you are a business associate of the health plan, acting as a business associate of the health plan and effectively it is a health plan operation that you are performing.
We talked about this yesterday, I think, what authorizations can the health plan get to operate, and we talked about HEDIS(?) as an example, and obviously this is another one, but right now I don't actually understand how you could actually get that list of names from the health plan under the new privacy law to actually do disease management. Maybe, Susan, you can help me with this one. I don't have the law right in front of me to get clarification on that, but it would seem to me that that act unless we clarify something, it would be prohibited because it would be for health plan operations.
MS. MC ANDREW: By and large the list of names actually is already at the plan. I mean they know which of their membership have particular condition. What they may be asking the physician for is some additional information about the patient or they may be initiating the communication with the doctor. The doctor can to the extent that the disease management program would be looked at as a role of coordinating or assisting in the treatment of the patient, the provider can provide that information, under a treatment definition could provide information to the disease management program, and that is how we would perceive the information flowing from the provider to the plan for disease management purposes. It would be a treatment communication from the provider to the plan. When it gets to the plan because plans don't treat it becomes a health care operation.
DR. COHN: So, it isn't health plan operations then?
MS. MC ANDREW: What the business associate is doing for the plan is from the plan's perspective health care operations, but it may relate to, from the provider's perspective we would look at that as treatment.
MS. HUSTEAD: May I just add something that might help? The conversation yesterday about accreditation and HEDiS and the concern about information going from the provider to the plan is a slightly different issue because in that case, and I think that Sue explained that well, in the case of a disease management program whatever that mean it is either a treatment or a health care function of the provider itself so that that information can go to the plan or directly to the disease management people, but in the case of accreditation or HEDIS data the concern is that is not a treatment or health care operation function of the provider and so the provider cannot disclose it to the plan or to anyone else for that purpose. It really is an issue of what function it falls under for the physician in the first place, and they are different in these contexts.
DR. COHN: I just have a completely separate question and you have really helped clarify this. I will reread the regulation as we move forward.
Joanne this is a completely separate question as to the issue of fund raising. You had mentioned in your testimony that you had significant concern not just about marketing but also about fund raising. Yesterday during our research panel you may have been here, we heard Johns Hopkins talking about some leniency in relationship to fund raising recognizing that they are a non-profit charitable institution really very dependent on access to information so they can go out and do fund raising.
How big is your concern about fund raising and is that a major concern on the level of marketing or is it just that they words sort of go together?
MS. HUSTEAD: We are concerned about both. I think it is fair to say that our concern about marketing is much more serious for two reasons. One is that on the fund raising side the regulation limits exactly what the purpose of this endeavor is for, and it is to raise money for the covered entity.
So, there aren't commercial interests outside of the covered entity that may have a stake in what is going on. So, the activity is limited by the regulation to fund raising for the covered entity, and the other safeguard is that you cannot use information about the patient's medical situation. All you can use or disclose for fund raising purposes is demographic information, their name and address essentially and when they were in the hospital if it is a hospital for example.
So, because the regulation has those safeguards limiting what the purpose of this commercial endeavor can be and limiting the kind of information that can be used to accomplish that purpose we are less concerned about it but our position nonetheless is that fund raising should only be engaged in after the patient has given his or her consent to that or excuse me, authorization would be the correct term using the reg lingo, that patients should be asked to give authorization for that use of disclosure just like marketing.
DR. ZUBELDIA: May I follow up on that? I assume that when you are saying that fund raising is a fully covered entity you are, also, extending that to maybe foundations that are part of this or associating with the covered entity because there are some cases, I don't know if the Kaiser Permanente does fund raising, but let us make an imaginary Kaiser Foundation that would get the fund raising funds from the Kaiser Permanente members, just for the name, okay?
MS. HUSTEAD: The reg would allow the fund raising, a covered entity to disclose information to a business associate or to an institutionally related foundation in order for that outside entity to send a fund-raising communication, but I believe that the regulation specifically says that the purpose has to be to raise money for the covered entity as opposed to for the non-profit foundation. I can look that up.
DR. ZUBELDIA: Other members of the family of the foundation?
MS. HUSTEAD: It says, "For the benefit of the covered entity," I believe.
MR. ROTHSTEIN: Marjorie?
DR. GREENBERG: Does anyone have anything more on this topic? I want to back to Simon's question. I think I am a little confused now. I understand the physician referring the person or even providing information to the plan about patients for disease management as part of a treatment consent, but the plan in the case that was mentioned, an insurance company or the plan under the current rule in order to use information for health care operations would have to get a separate consent.
MS. MC ANDREW: No, actually plans are not required to obtain consent to do TPRO. They have regulatory authority to use information for treatment payment or their own health care operations and disease management would be a health care operation.
MS. GREENBERG: Okay, well, what was the issue yesterday about accreditation? Oh, that was the case of the provider providing information. Okay. So, in this case information that the plan has because of their payment records that these individuals are actually being treated for diabetes they can use for health care operations without any consent or authorization of the patient?
MS. MC ANDREW: That is right.
MR. ROTHSTEIN: Jeff?
MR. BLAIR: Please correct me if I have come to an erroneous conclusion here, but from what I have heard two conclusions seem to be at hand. No. 1, I believe that virtually every testifier, every commenter that we received testimony from -- should I wait?
MR. ROTHSTEIN: No, go ahead.
MR. BLAIR: It sounds like all the recommendations that we have received are all recommending that we do not include marketing as one of the areas that is included within TPO for consent. That seems, I am not aware of anyone who is saying that marketing should continue to be included within TPO for consent purposes.
The second thing that I seem to be hearing a possible consensus on is that we use a narrow definition of disease management, and it sounds like both Dr. Vellagra, am I pronouncing your name correctly?
DR. VILLAGRA: Yes.
MR. BLAIR: And I am sorry, I cannot see your card, but --
MR. ROTHSTEIN: Ms. Hustead.
MR. BLAIR: That both of you seem to be indicating that you could list, you could define disease management narrowly by defining the list of the functions where you could come to an agreement as to what that narrow definition could be and by defining it in terms of the uses we could get specific, eliminate the ambiguities, eliminate the possibility for abuse or the perception of a possibility of abuse. Those appear to be the two areas of possible consensus that I have heard.
Did I misunderstand anything in here?
MS. HUSTEAD: Could I just add to that a little bit? I agree with your first point clearly and the second point mostly. I think yes, you can look at the functions that a disease management program performs but I think those functions are already listed in the definition of health care operations so that you don't need to change that in order for that to be permissible, but you still have this additional overlay of looking at that activity through a marketing lens. Is it marketing? And you need to look at the reg's definition of marketing and the definition of not marketing to see whether it falls within that category because even if the function is to promote health there may be other functions as well.
There may be very significant commercial motives in terms of promoting particular products. Now, I would accept Dr. Villagra's testimony that the people who are part of his association do not engage in that behavior, but I assure you that historically there are efforts by people who are engaged in what I think most of us would say is marketing to put that cloak on and say, "This is for the benefit of the patient. This is to protect and promote their health," and so it is not enough to say, "Is there a function here, a core function that we can all agree on is positive?" but what are the financial incentives? Who is making the money? What is this really all about and what other things are going on at the same time before I would certainly decide that an activity is acceptable and one that can be conducted without a patient's explicit authorization.
MR. BLAIR: Granted we haven't had everyone sit down at a table and go through a list definitively to see where there might be areas where there is not agreement, but I am getting the sense in listening especially to Dr. Villagra that they are very concerned that disease management organizations not be, I think the word he used was corrupted by these abuses and it sounds to me as if there is a group here that he represents that might be someone that might be able to offer a list of the functions and work with other advocates who are trying to protect the abuses and there is a real possibility for conversions.
MR. ROTHSTEIN: Okay, we need to take a recess. So, I will just have two final brief, one question and then I will let you respond to whatever you need.
Marjorie?
MS. GREENBERG: Just following up on what Jeff was saying, the issue seems to be whether particularly if you take marketing out of the definition of health care operations but you put in disease management and I gather disease management is not specifically named as a --
MS. MC ANDREW: No, what we have done is broken out functionally the components that make up most disease management and have included those functional activities in either the definition of treatment and/or in the definition of health care operations.
MS. GREENBERG: So, it seems that the current rule allows all of the types of legitimate activities that have been described here and sort of endorsed as disease management and without putting in, but you know, still I respect the presenter's request that disease management actually be included, but I haven't heard that anything in the current rule even if you removed marketing would hinder these disease management activities. Is that correct?
MS. MC ANDREW: I think as Ms. Hustead had said, the difficulty is not in the disease management. If you take marketing out of health care operations leaving the disease management function that still doesn't answer the question of if this, if an activity is a legitimate health care operation by our definition is that enough to make it okay, do it; we don't care what else is encompassed in that activity or the way the rule is currently constructed, we overlay a marketing definition on those permissible health care operations activities and ask two questions.
One, is it a health care operation? Yes/no. If it is, is it also marketing, and if it is also marketing then we subject that activity to an additional test and so the question would be if we take marketing out do we not put a marketing filter on anything that we would call a health care operations or do we still want some sort of marketing filter to distil those activities in a finer manner?
MR. ROTHSTEIN: Dr. Villagra, did you want to comment briefly?
DR. VILLAGRA: I wanted to express my agreement with the summary that Mr. Blair offered to this group and I would say that a narrow tight and operational definition of disease management would clarify things enormously. Leaving it unmentioned I think will cause additional confusion and it will leave interpretation of disease management to the vagaries of the user.
I strongly encourage you to continue to work with the association. There are eight bullet points that are part of the definition of disease management, what it should contain, only eight, and if we can create a procedural operational accompanying tool then the inclusion of disease management will effectively separate activities that Ms. Hustead would like to see removed from that interpretation, and I think that is a very practical contribution that this Committee can put forth.
MR. ROTHSTEIN: Thank you very much to all the panel members. We appreciate your being here. The Subcommittee will be recessed until ten-fifteen, and then we will --
MS. GREENBERG: That is 5 minutes.
MR. ROTHSTEIN: Sorry, I planned that 10 minutes ago. We will make it ten-twenty, and then we will begin our discussion of the remaining consent items and then move on.
(Brief recess.)
MR. ROTHSTEIN: Let us pick up where we left off yesterday, and I would propose that the discussion that we tabled yesterday relating to disease management that we got clarified today, I propose that we retable until our overall discussion of marketing.
So, without any objections we will move now to the remaining comments. I am on the next to the last page, and I want to begin with the comments of Robin Paine who was one of our public witnesses and I want to raise the first of her concerns and that is the free flow of records allows information from a bad doctor-patient relationship to follow the patient indefinitely, in other words that if you had a bad relationship with Doctor X then there is no way that you can start over with Doctor Y or Doctor Z without Y or Z knowing that somewhere in your chart X said that you were non-compliant, mean and nasty, difficult, etc.
Jeff?
MR. BLAIR: I believe the law provides that a patient does have the right now to view their records so that they could see if their record has statements in it that they feel uncomfortable about and that they, also, now have the right to not amend but append, add to the record their own comment indicating that they disagree with something that may be in the record and if this is the case, if my understanding is correct that patients do have both of those rights, then I think that we should consider whatever else we might do within the context that the patient now has some rights to mitigate the impact of a negative comment in the record considerably which did not exist before.
MR. ROTHSTEIN: Regarding that issue I don't have any evidence to cite, but it seems a fair inference that when the states variously enacted legislation allowing patients a right of access to their own medical records that the frequency with which physicians routinely put those kinds of comments did not decline, but you wouldn't put, "Patient is a miserable, argumentative person."
DR. ZUBELDIA: And if you put that and the patient corrects it then the patient would say, "No, I am not."
May I relate an experience I had. I read a doctor's example and it was one of those tractor-fed printouts and he wrote carefully all of his notes on the tear-off margins. So, they could be torn off and I asked him about that, and he said, "We do that on a routine basis with everybody on the first visit. We write all the notes on the tear-off margins. So, it can disappear."
MR. ROTHSTEIN: Moving along is there anyone who wants to propose that we take any specific action based on that recommendation?
Hearing none, we will go to the next of her bullets, access under the rule is too broad and that is a very sort of broad recommendation, and so we will so note that that was an opinion reflected to us.
Next page bullet, give patients the opportunity to restrict disclosure not just request it and that is a substantive proposal. The current rule allows patients to request restrictions, and this would give patients presumably a unilateral right to demand them. Is there anyone who wants to put forward a recommendation based on this?
Hearing none, we will move to the next set of proposals. These proposals are first to create a special exemption for disease management and second to include disease management in the definition of treatment and with the consent of the Subcommittee I would, also, like to table this to our discussion of marketing.
Hearing no objections we will move on to the final set of recommendations and with your indulgence I will read all three together because I have a proposal on this. The first bullet, allow a provider pursuant to a consent to disclose PHI to a health plan that will use it for TPO.
Second bullet, covered entities should be allowed to use or disclose, well, let me just say, break them up, I believe we discussed this earlier and voted on this earlier.
The second bullet, covered entities should be allowed to use or disclose PHI collected before the compliance date of the rule even if not written permission to use or disclose information has been obtained, and I believe we voted on this as well earlier, and the third bullet, revocations of consent should apply only to PHI collected or generated by a covered entity. After it has received a notice of the revocation PHI that was generated or collected prior to revocation it still may be used for health care operations without the entity first demonstrating that it has relied on the information available. I believe we have already addressed that issue as well.
Is there anyone who would like to -- Marjorie?
MS. GREENBERG: My understanding and maybe I am wrong on this but in regard to the second bullet there that the Subcommittee did address the issue of being able to use information until the person presents to provide consent, but this seems to ask for something broader and that is that information that was, and there was an earlier one, too, that information that was obtained before the requirement for consent should be able to be used in perpetuity regardless of ever getting consent. Only the information obtained after the requirement for consent would require consent.
MR. ROTHSTEIN: Thank you. That is an excellent point. This really is somewhat different from what we approved. It is related, but as you say it is broader. So, what we voted on yesterday you will recall was the proposal, and let me cite you back to it. It is the third bullet on the first page, allow continued use of the data collected before the April 14, 2003 compliance deadline and require consent only for data collected after that date.
That was merged with the fifth bullet that said, "Allow the continued use of data until a patient makes a physical appearance and is able to sign a consent form."
The way that was agreed to, we were going to clarify that or ask for clarification that that would apply in limited circumstances such as the need to notify patients when it was in furtherance of some medical condition, such as the need to notify them of some drug interaction or the like.
This proposal as Marjorie correctly points out would extend the rule indefinitely and without the sort of restrictions that we put on it yesterday.
So, is there anyone who wants to move this broader proposal forward?
Hearing none, we will go to the third bullet n the page, but thank you for raising that, Marjorie. I didn't mean to slide over that.
Revocations of consent should apply only to PHI collected or generated by a covered entity. After it has received a notice of the revocation PHI that was generated or collected prior to revocation still may be used for health care operations without the entity first demonstrating that it has relied on the information being available, and I would suggest that the issue of revocation was, also addressed yesterday.
Hearing no disagreement with that, that concludes the recommendations on consent. Were there other recommendations that are not captured in this document dealing with consent that we heard that may have been submitted in written testimony or written comments from non-witnesses or are there other consent recommendations that members of the Subcommittee want to present themselves?
Keep in mind, of course, that we have left open until close of business on Monday, August 27, the date for receipt of additional public recommendations dealing with consent and of course, it is, also, open obviously until anytime through the approval process of the full Committee for Subcommittee members to bring forward their own recommendations dealing with the issue of consent.
Without objection, we will consider the issue of consent to be closed.
DR. LUMPKIN: Are we going to go through some of these delayed items, not the big ones that we have deferred, but I believe there were some that were just like delayed until tomorrow?
MR. ROTHSTEIN: I think we tabled the issue of the disease management programs. We tabled some as beyond the scope of consent and some we put in a category called deferral because they were just so broad as to basically reopen the basic philosophy. If there are any that you feel that we need to get back to, certainly I would be happy to put these back on the table. We tabled that until the conference call on marketing.
DR. ZUBELDIA: Okay, you don't want to discuss those now that we have the additional information?
MR. ROTHSTEIN: No, because we are going to do all the marketing stuff together as soon as we get the printout of the total recommendations package. So, those have not been lost.
My hope is that we can get through minimum necessary today and do research and marketing, both of those issues on our conference call scheduled for September 10.
DR. COHN: The question I have is I am presuming that as you begin to see drafts of whatever it is that comes out of this that will be reopened for further discussion, clarification and further work.
MR. ROTHSTEIN: Absolutely.
DR. COHN: Is it okay for now to allow --
MR. ROTHSTEIN: That is right. This is not closing the process other than for our discussion today. The process remains open to receive public comments. The process remains open in the sense that the Committee is going to see drafts and drafts and drafts, and that is the Subcommittee will be working with drafts, and then the full Committee will still have an opportunity to not only revise what we recommend but add additional things as well.
Marjorie?
MS. GREENBERG: I think I mentioned this yesterday, but also, there will be a Federal Register notice for the September 10, call, and there will be an opportunity for people to call in.
MS. HORLICK: I just want to add one other thing. Since we are expecting the additional comments by Monday our intention is to circulate that to the Subcommittee members, and everybody could read that particularly for the consent issue and hopefully for the minimum necessary that we have already discussed and see if there are any additional points you would want to include for consent or minimum necessary that we haven't already discussed and then e-mail that to me. That would be very helpful.
DR. COHN: Is there a list of the items from the minimum necessary?
MR. ROTHSTEIN: Yes, we are ready to proceed. I have the minimum necessary. Let me direct your attention to a document that says on the top, "Draft notes for personal use only, don't believe that, J. M. Fitzmaurice." Do you see that, 8212201? If you need an extra copy we can get that for you. That is what we are going to start with. If we need copies we can certainly get them.
Maryetta, do we have extra copies of this document, the one that says, "Draft notice for personal use only, J. M. Fitzmaurice."
MS. ROLLINSON: I didn't get it.
DR. COHN: The discussion was that virtually everyone was in favor of the minimum necessary concept with a tremendous amount of clarification about what exactly it meant to make it implementable, and I can think of maybe only one case where that was really not the case, but it seemed like everybody came with like well, what about this, what about that, what about whatever, and I don't know if that is reflected in here or not, but that was sort of the conclusion I reached listening to things.
DR. HARDING: I would agree with that with the exception that there was a debate about who granted what that was. Was the requestor the person who decided what minimum necessary was the person who was responding to the request? There was a debate about that.
DR. COHN: Do you think that is a clarification or does that need to be in the regulation? Maybe that is really the clarification.
DR. HARDING: It is part of the definition, I guess.
MR. ROTHSTEIN: If everyone has a copy in front of you let me direct you to the third page.
MS. FYFFE: The draft notes by Fitzmaurice?
MR. ROTHSTEIN: Correct. The first two pages deal with the issue of consent which we have just completed and at the to of Page 3, the first circle or open bullet says, "Favors national legislation."
MS. GREENBERG: Mine is on Page 4, actually.
MR. ROTHSTEIN: Is that Page 4? Okay, I am sorry. Counting each side and not pages then.
MS. GREENBERG: We don't have two sided.
MR. ROTHSTEIN: Oh, I have got two sided, some of one sided.
MS. GREENBERG: Go to where it says, "August 22."
MR. ROTHSTEIN: Yes, please go to August 22? Then the first of the substantive things are at the top of the next page, at least the top of my next page and the first being favors national legislation. Does everyone have that?
MS. GREENBERG: It is the third physical page from the back.
MR. ROTHSTEIN: Okay, now, let me read the whole set, that is the first eight or so of these for Jeff's benefit and then we will open the floor to anyone who wants to propose that we bring forward any of these recommendations.
First, favors national legislation, and these are Michael's sort of impressions.
DR. COHN: These are not recommendations?
MR. ROTHSTEIN: These are not recommendations.
MS. FYFFE: Let me say that it looks like this was suggested by Henry Demaris of HIAA.
MR. ROTHSTEIN: Correct.
MS. FYFFE: So, I am going to recuse myself from any discussion on this.
MR. ROTHSTEIN: First, favors national legislation.
Second, much legal uncertainty leads to defensive restrictions on the flow of information.
Third, only the requesting entity can determine if the requested information is the minimum necessary.
Fourth, minimum necessary could lead to shielding information for detecting broadened views.
Next, health plans need PHI to assess risk and to underwrite.
Next, need a final security rule.
Next, minimum necessary will be costly.
Next, speed is essential to keep the implementation costs down, and I am not sure what that last one is.
DR. COHN: I think the only issue here that needs to be extracted is the issue which I think Richard brought up which is who decides what is minimum necessary. That is the main bullet.
MR. ROTHSTEIN: Yes, the big bullet. I don't know whether there is anything to read into the big bullet versus the smaller bullet, but for identification purposes at least the third bullet says, "Only the requesting entity can determine that the requested information is the minimum necessary. Now, that would represent a major change from the current rule.
MR. BLAIR: Does the current rule indicate today who has responsibility for determining minimum necessary? Does it state or is it just silent on that point?
MS. MC ANDREW: What the current rule does is it imposes the responsibility for making a minimum necessary determination and this only involves covered entities. If a covered entity is requesting the information they have an obligation to request only the minimum necessary and there is, also, an obligation on the entity that has the information that is being requested to, also, make a minimum necessary determination about the disclosure of that information.
If the request is coming from a covered entity the rule permits the disclosing covered entity to rely on the minimum necessary determination of the requesting entity provided that reliance is reasonable.
MR. BLAIR: So, in a sense it puts the requestor and the requestee in the position of having to negotiate with each other if they are within a covered entity. Is that correct?
MS. MC ANDREW: If they are both covered entities, yes, that is true.
MR. BLAIR: That sounds like that was the intent.
MS. MC ANDREW: That was the intent.
DR. HARDING: And if they do not agree then what?
MS. MC ANDREW: If there is no agreement it is ultimately the entity that has the information that controls what information is disclosed.
MR. ROTHSTEIN: Whereas I take it with this recommendation that would shift the balance of power if you will to the requestor.
DR. ZUBELDIA: We, also, heard discussion from the National Association of Chain Drugstores that they say that as the discloser of information they will want to make that determination when the payer will determine what it is they need to do so they have no liability in making the determination of minimum necessary and we, also, heard that in the decisions as to what should be in the implementation guide for the pharmacy claims. They try to make a determination between payers and pharmacies as to what is to be disclosed. The payers want to know more information than the pharmacies want to give them.
MR. ROTHSTEIN: Right. It was, also, their position I think that they didn't even want to disclose the names.
DR. ZUBELDIA: That is correct.
DR. COHN: To restate that I think what they were trying to do was to avoid any aspect of liability and they will do whatever it takes to avoid any liability, and I think it is an unreasonable and paranoid concern.
DR. ZUBELDIA: One of the possibilities that they may have is in the guide. So, whatever is in the guide is necessary, rather than the option they have now.
DR. COHN: I think once again it is a clarification issue.
MR. ROTHSTEIN: The third bullet has been raised for discussion and now the question is whether anyone wants to move that we include that as a recommendation.
DR. HARDING: I would think that Susan got it about right the first time and would not want to change that.
MR. ROTHSTEIN: Is there anyone who --
DR. COHN: I think my only concern, and I haven't read through all of these, and it may come to it, but I think that there is a legitimate concern by people requesting information about what happens if people cannot come to agreement, and I don't know would the court settle this thing? I think that there are probably cases where whatever we set this up where people who are requesting information really need the information, and they have legitimate reasons and there are probably, also, legitimate reasons why people are not wanting to give the information, and is the answer here that the redress gets to the court or what?
MS. MC ANDREW; I think that is an unlikely scenario as between covered entities. One, treatment communications are not on the table. So, treatment communications are not subject to minimum necessary standards, and that is not a consideration. So, the situations that were brought to our attention in these struggles for information are basically plans versus providers on how much information is needed for various plan operations and/or payment needs, fraud detection, whatever, and basically the plans really had other means of leverage against providers and ultimately against the individual. I mean you don't pay the claim, you don't get the information, and it was those kinds of balances of power that will just get worked out, but it was an attempt to give both sides a responsibility for making a minimum determination.
Providers that have the information are under our rule permitted to rely on the requestor's determination of minimum necessary. In most cases that will be a reasonable reliance.
On the other hand, a more proactive provider does have the ability under the rule to make their own minimum necessary determination and to open negotiations about what information should be released, and it is between the parties. We would leave the ultimate resolution of that to their own negotiations.
DR. COHN: Could I make a comment? Actually thank you very much for the comments, and I agree with what you are saying. It seems to me that I do believe that it sounded quite like what you were describing in the current guidance.
MS. MC ANDREW: There is --
DR. COHN: Some of this.
MS. MC ANDREW: There is some of that in one of the Q's and A's about can, I think we were discussing reasonable reliance and when can someone question --
DR. COHN: Yes, I am still commenting on I think a more full feature. What you heard is I think a lot of anxiety by a number of the presenters about how all this would play out, and I think that what your description has provided is guidance and clarification that will be very valuable to the industry.
MR. ROTHSTEIN: Is there someone who actually wants to move this specific recommendation forward?
Hearing none, it seems -- oh, I am sorry, Jeff?
MR. BLAIR: It sounds like from what Simon is saying is that maybe there should be a clarification wordage to explicitly express what Sue just told us, that that is the intent of the law, that somebody doesn't have to a Q&A in order to understand that. Is that correct, Simon?
DR. COHN: No, I said that was where we need the Q&A. That is what I meant by guidance.
MR. ROTHSTEIN: Does anyone want to request additional clarification on this issue?
DR. COHN: We could put it as a recommendation that the Secretary provide additional clarification in the form of a Q&A or guidance on this issue.
MR. ROTHSTEIN: Of these listed I would like to take up the second issue which is the second bullet. Much legal uncertainty leads to defensive restrictions on the flow of information, and I don't know how this translates into recommendation. It may translate into more educational programs, etc., but it is certainly a concern that providers and others who are fearful of liability, and we heard 3 days of this really will err on the side of keeping things not disclosed, that the rule does not require it be kept private with the result being that there is a diminution of quality of care and an interference with payment and operations as well, and so, I think the only thing that would flow from this that I can see, and I am certainly inviting the Subcommittee to chime in with other suggestions is that we put in a letter our strong recommendation that educational efforts that I know are in the works focus on this aspect as well so that people not engage in the kinds of defensive maneuvering that we heard described by several witnesses.
Anyone else want to comment on that suggestion?
DR. COHN: No, that is basically another clarification and guidance provided by the Secretary.
MS. FYFFE: May I make a comment, and again, this is not particular to HIA's testimony, but to a certain extent any guidance that you provide helps reduce uncertainty. So, I mean that is what HHS is doing in general.
MR. ROTHSTEIN: The point of my --
MS. FYFFE: Maybe I missed the point.
MR. ROTHSTEIN: -- calling attention to it is guidance and clarification in general is necessary but what we particularly recognize as a concern that we share is that there will be this defensive restriction of information on the part of individuals, entities, providers, etc., who are concerned about liability, and the result will be to lessen the quality of care and to impede health care payment and operations where the sharing of the information is perfectly authorized under the rule.
MS. MC ANDREW: Mark, I am not clear on what we would be requesting the clarification on. I understand the purpose of the clarification.
MR. ROTHSTEIN: It is not a clarification per se. OCR is planning an educational program and what we would be urging is that part of the educational program specifically address the concern of defensive maneuvering.
DR. HARDING: As long as there is 10 years in prison and one-quarter million dollar penalty people are going to be paranoid and dump liability as quickly as possible, and it is going to be a real educational job to make people feel comfortable with what they are doing. That 10-year criminal penalties and so forth are basic and as we heard yesterday the front page of the Washington Post where the CVS issue, that had all of those things, and it is just going to make people, it is going to be a tough sell.
MR. ROTHSTEIN: It may well be that when the enforcement rules come out and there are examples of the kinds of conduct that would lead to prosecution are listed then there will be a greater comfort level in good faith errors in implementing a new set of regulations.
In that first list are there other bullets that people want to bring forward?
Hearing none, I will go to the second group of only two bullets.
MS. GREENBERG: Was it agreed that a letter would generally indicate support for the minimum necessary --
MR. ROTHSTEIN: Good question.
MS. GREENBERG: I think the bottom line although I couldn't find specifically stated, but the bottom line of the first set of testimony indicated that the minimum necessary provision wasn't necessary. That is really the way I had heard and read that testimony.
MR. ROTHSTEIN: Of course, notwithstanding the testimony of any particular witness that certainly could be a recommendation from the Subcommittee and ultimately the full Committee. So, I will take that as a suggestion that we incorporate into our discussion of minimum necessary a sort of a reaffirmation from the Subcommittee and Committee of the minimum necessary principle.
Any comments to the contrary?
Okay, the next two bullets, No. 1, NCPDP needs to get consensus on the optional 837 variables to make them mandatory, situational or dropped.
The second bullet wants a person code to be assigned to individuals by HHS or by drug claims processors to avoid putting the patient's name on the claim, and we already heard about the individual identifier at least from the HHS standpoint. It is not in the cards in the moment. So, I will take that to be a drug claims processor's own --
MS. MC ANDREW: Please don't make us face Congress and the public on giving individuals personal identifiers? We have got enough.
DR. COHN: I will comment moving from that back up to the first bullet actually at least as I understand it, I think that there is a problem in relationship to the NCPDP standards since patient name as I discovered afterwards is actually not mandatory and it is not situational but optional, therefore not covered and I understood from the discussion afterwards yesterday that is another covered field because of the way HIPAA and the privacy rules are stated. Probably HHS needs to provide some guidance to NCPDP and the people who use the NCPDP transaction on whether for the purposes of that transaction it would be okay for them to consider it to be mandatory. It was covered.
MR. ROTHSTEIN: Simon, could you explain the essence?
DR. COHN: Okay. Probably Kepa can join in on this one since he is actually a member of NCPDP unlike myself. My understanding with these standards is that you can rely on anything that is required in the standard or a situational element and any of the standards can get sent and be covered by privacy under the minimum necessary. There is no problem, but anything that is optional you have to examine to see if it is really needed on a case-by-case or a process basis and apparently, unfortunately, this data element which is patient name from many places is considered to be optional in the NCPDP transaction and so they are apparently having major discussions internally which they appear to be unable to resolve, I guess or are having difficulty resolving about what to do about it, plus with the deadline for implementation unless there is an emergency fix to the standard it is going to remain optional.
MS. FYFFE: If I may add to that, the 837 standard was developed with the assumption that there would be a unit patient identifier, was it not?
DR. COHN: Is it optional there, too?
MS. FYFFE: No.
DR. ZUBELDIA: The 837 is required. The program that really differs is the next 12 standards have no optional fields at all. They have either required or situational, with the situational very well defined. The NCPDP standard has lots of optional fields which opens them up to this minimum necessary elaboration in every case. What I would do as the VHS is recommend to NCPDP that they revise their standards to reduce or eliminate the optional fields and come out with implementation guides not just the standard but with implementation guides that specify the situations in which those fields need to be used and they need to do so very, very quickly because if they want the standard adopted by the Secretary to be modified in time for the October 16, deadline of next year it needs to go through the NPRN process and it needs to go through additional process to do a fast track again. So, I wouldn't see how they are going to do this on time. So, I would urge the NCPDP to get together as industry and define situational elements for pharmacy as soon as possible because I don't think they are going to make the time.
DR. COHN: I don't think this needs to change the final reg, but I think there may need to be some accommodation made for this as an interim step. I just can't see any other way. I mean there needs to be guidance about what we considered to be --
MR. ROTHSTEIN: So, is that a recommendation that OCR provide guidance on what it considers to be situational?
DR. COHN: No.
MR. ROTHSTEIN: How would you characterize what you --
MS. GREENBERG: It needs to be to NCPDP not the department.
DR. COHN: It is two things. One is that there needs to be, that this is a recommendation back to NCPDP to get this fixed, but there needs to be something to HHS saying, "Indeed, this is going to be implemented on schedule and if things haven't been changed by that time there needs to be something that sort of covers those that using the NCPDP transactions until they get the changes in. I don't quite know how to say this.
Kepa, do you have a thought on the privacy side?
DR. ZUBELDIA: The privacy rule has very clearly stated that the optional fields are subject to name and necessary determination.
MS. GREENBERG: The final rule.
DR. ZUBELDIA: The final rule, I am sorry, not the privacy rule. So, they are going to have to maybe as an industry come together on a separate consensus maybe not as part of implementation guide maybe an industry consensus as to what constitutes really unnecessary for pharmacy claims until they can fix the implementation guidance.
MR. ROTHSTEIN: How does that relate to what we have the authority to recommend?
DR. ZUBELDIA: I think that the only thing we can do here is recommend that NCPDP fixes the problem in the next version of the implementation guide and it should happen as soon as possible, and that would be our recommendation to NCPDP.
MR. ROTHSTEIN: So, it is not to the Secretary.
DR. ZUBELDIA: It is not to the Secretary, and as an interim until they can fix the implementation guide, maybe they could come out with a pharmacy industry consensus or best practice or whatever you want as to what constitutes minimum necessary as an industry.
MR. ROTHSTEIN: So, suppose that we put as a separate item on our agenda for the September 25, meeting a proposal that the full Committee send a letter to NCPDP with this recommendation because it would have to be a separate document?
DR. ZUBELDIA: We could do that.
DR. COHN: Or sometimes what you say in these documents is we advise the Secretary to communicate to NCPDP that they need to do A, B and C. It could be a separate document.
MR. ROTHSTEIN: How about if I raise the issue for the full Committee and then let the Committee decide whether it should be within the letter to the Secretary or a separate letter to NCPDP from NCVHS, because John's view on what he would be comfortable with I think is very important.
MR. BLAIR: I wonder whether that level of formality for either type of letter is necessary. There was an issue that was brought to the NCVHS, and we heard it. You know, we have chosen to not wind up asking the Secretary of Health and Human Services to put in corrective actions on that and since time is of the essence I just almost question whether the formality of a letter from NCVHS to NCPDP is even necessary. There are either representatives here from NCPDP or we could communicate to them directly on this.
MR. ROTHSTEIN: Roy, could you --
MR. BUSSEWITZ: Yes, for the last 6 months we have actually tried to reach consensus on this issue, and so far to no success because there is a disagreement, again, basically what you folks were talking about earlier. Providers want to provide less information. Plans want more information, and that is kind of where we are stuck. Probably within the next month we are going to have a meeting of attorneys from both sides meet.
MR. ROTHSTEIN: And that is going to unstick the problem?
MR. BUSSEWITZ: You being an attorney and me being an attorney I think we know the answer to that. It will probably just basically say that these folks are stuck in their respective positions, but whatever assistance we could get from HHS on this is fine because I don't believe we are going to meet the deadline as you said. I think it is going to be impossible to meet it.
MR. ROTHSTEIN: I suppose the question is what are you asking us to do other than wave our magic wands and clear this up.
PARTICIPANT: First of all, could you identify yourself, please?
MR. BUSSEWITZ: Yes, Roy Bussewitz. I am with the National Association of Chain Drugstores, also, a Board member of NCPDP.
DR. COHN: Do we need to inform or advise the Secretary that they may be expecting some sort of an emergency fix coming from NCPDP to resolve this?
MR. BUSSEWITZ: That way denies if something could be fast track to allow that to occur because again I think it is not going to make it through that process.
MR. ROTHSTEIN: For those who need clarification NCPDP is National Council for Prescription Drug Programs.
MR. BLAIR: It creates the message format standards between retail pharmacies and payers and between providers that might be giving a prescription to a retail pharmacy.
DR. ZUBELDIA: Any changes to the standard NCPDP standard would have to go through additional process at this point and that is not going to make it in time.
MR. BUSSEWITZ: I think the biggest problem was really that five one wasn't ready to be implemented. HHS did adopt it as a standard which wasn't being used at all by the industry, and it made an assumption that it would be by the 2-year period, but with all those optional fields that were pointed out in the Federal Register on December 28, and the privacy regulation as being exposed to the minimum necessary requirement that just put a whole new light on it. We were all and still are using basically three two and the industry is using that. We kind of assumed that that is what HHS would in fact adopt but they did not, and again, I think five one was just not ready for implementation at that point because of the optional fields and the privacy statement.
MR. ROTHSTEIN: I have another possible suggestion. I don't know what this Committee really can do with this issue. Perhaps we ought to include in our letter to the Secretary that we heard testimony about this problem and it is a problem that NCPDP has to work out, but we should alert the department to the possible need to react to this stalemate in some way.
MS. FYFFE: Mark, I agree, but I think we need to identify what the problem is in the letter.
MS. GREENBERG: In a way it is like referring on your right hand to your left hand because I know many of the people here who are members of this Subcommittee are also members of the Standards and Security Subcommittee, but this really seems like an issue for that Subcommittee because it is going to impact on implementation of the transaction standard. That is what I am hearing.
MS. FYFFE: But it gets into the issue of privacy because of the patient name.
MS. GREENBERG: I realize that. Roy, is that the main sticking point or are there lots of issues?
MR. BUSSEWITZ: That is the most contentious issue was the name, but there are lots of other variances of opinion in what is necessary and from the point of the provider versus that of the plan, and we have each developed our own protocol document of five one, and we said that we think this data is necessary and the plans have kind of come back, the PBMs and the claims processors have come back and said, "No, no, this is what we need," and they don't look alike, believe me.
MS. GREENBERG: The version that you are currently using, the three point two or whatever, does it have a lot of optional items, also?
MR. BUSSEWITZ: Yes, it does.
DR. COHN: I actually have a suggestion because i don't have an answer offhand. I am actually not certain that the whole answer here is to throw it back at the standards organization since part of what the Secretary has empowered is do things within the first year to help ensure implementability of the transaction.
Now, as I see this, it gets at the privacy rule. So, the question is I think I would sort of defer this perhaps to Kepa and myself to mull over and see if we can present a proposal. There may be some things that we can recommend to the Secretary that might be of help in the interim, and once again to not do something means that there is going to be a major problem assuming the time lines are all met.
DR. ZUBELDIA: I think this is definitely something that needs to be discussed in standards and security because the underlying comment that I am hearing in the back of various comments is that five one is not ready for adoption and maybe should be retracted back to three two, and that is a very, very important thing if that is going to happen. We are already one year into the implementation practically and I understand that three two is implemented as operational today. So, it would not affect the pharmacies all that much, but still it needs to be known.
MR. ROTHSTEIN: With the agreement of the Subcommittee I propose to refer the issue to the Standards and Security Subcommittee and when they get something worked out to consult with the Privacy and Confidentiality Subcommittee so that we are informed of the privacy implications of whatever they develop.
MS. FYFFE: I would like to modify that. I still think that we need to note in our letter that this is an identified problem and that we are going to throw it over also to the Security and Standards Subcommittee, but I still think it needs to be identified in the letter.
MR. ROTHSTEIN: The letter of course is going to come from the full Committee which may note that part of a Subcommittee of the full Committee is continuing to work on this, but we want to raise this anyhow, something like that.
Anyone want to bring forth anything else from those two bullets?
Hearing none I will move to the next four bullets, and they are first that pathologists must be able to communicate with surgeons, avoids confirmatory testing when the diagnosis is already known and the information shared with the pathologist.
Second bullet, too much ambiguity with the minimum necessary standard with so much discretion the guidance document is not necessarily needed at all within institutions.
Third, the cost of determining and carrying out minimum necessary determinations prior to access to the medical record. Let me just raise a general comment about this. Unless I am reading these wrong or not finding something in here that was intended it seems to me that all of these objections are already covered in the sense that minimum necessary does not apply to treatment. It doesn't apply to medical students, residents, etc., access to the complete medical file.
So, is there some concern here that I am missing?
MS. MC ANDREW: I think the comment reflects something that we had also heard from the March round of comments and that is the distinction that we made that while minimum necessary does not apply to disclosures, we do have a minimum necessary standard even for treatment for use within a covered entity. So, we ask the covered entity to develop policies and procedures on who within that covered entity should have access to the information for treatment purposes and there was much comment that treatment ought not to be subject to minimum necessary standards even for internal uses within the entity.
MS. HORLICK: I have a question. I am not sure how to phrase this, but it is related to the first bullet. It is what Dr. Baylor was referring to, I guess you know in the pathology lab. His concern was that some of that information would not be able to be shared with the pathologist. Is that correct? I wonder if it is a correct interpretation.
MS. MC ANDREW: I don't think that that would ultimately happen, and what we envision is that with the treatment uses, that the policies and procedures that a covered entity would likely define would permit the free flow of information within the institution among treating physicians and treatment teams and so unless the institution itself has some reason for narrowing the amount of information that went from the doctor to the lab our rule would permit them to define a treatment use procedure that all the information could flow.
DR. ZUBELDIA: I think his comment was in terms of information that there are two covered entities where he has the lab with 100 satellite offices or something and he says that the physicians are not part of his covered entity.
MS. MC ANDREW: To the extent this is a treatment communication between different covered entities then that is already exempt from the minimum necessary standard.
MS. HORLICK: One thing is providers must be able to share information among other health care providers in order for patients to obtain appropriate care, and the pathologist may be examining tissue from a woman's uterus and then the surgeon may even inform the pathologist that a hysterectomy was performed however, not given any other information and how that could be misleading.
MS.MC ANDREW: The doctor can tell the lab whatever the doctor needs to tell the lab about the requested procedure. If it is a communication within the covered entity what the rule requires is that the covered entity develop a policy for what the minimum necessary communication is between those treating team members and that the degree of, I mean it would be up to the covered entity and we would expect the covered entity to essentially say that the full medical record is available to all treating, to all members of the treatment team and would then define who are members of the treatment team and so essentially the information would flow.
The only difference is it flows under the covered entity's own definition of what is minimally necessary for a treatment purpose within that institution.
MS. GREENBERG: And medical students involved, residents involved with the care of the patient could be included in that policy.
MS. MC ANDREW: That is right.
MS. GREENBERG: Has the department or does the department plan to provide any guidance on best practices or policies?
MS. MC ANDREW: We did address this minimum necessary standard and routine protocols within the institution for treatment and we did address in the July guidance the medical student question under the minimum necessary standards.
DR. HARDING: It seems to me we should just encourage the continuation of free flow of medical information for treatment practices and good policies within institutions to clarify those.
MR. ROTHSTEIN: This may be one of the areas where we have these defensive restrictions.
DR. HARDING: Don't limit the pathologists, for God's sake. They are the critical person for people going in for surgery. They need to know everything they need to know. Don't limit them.
MR. ROTHSTEIN: Any other recommendations from the pathology set?
Hearing none, we will move to the next set of four.
This goes to the burdens of the minimum necessary standard. It just says, "Addressing policies and procedures under recommendation, impact on data flows, different interpretations by entities is a problem."
Could you craft a business associate, I take it, contract or something between the covered entity and the HEDIS requestor for health operations purposes? That was a question, and exclude minimum necessary standard from the covered entity's internal use of PHI obtained from another covered entity.
Do we have the original testimony, the written testimony?
MS. GREENBERG: There are several recommendations. Do you want me to read them?
MR. ROTHSTEIN: Please?
MS. GREENBERG: Okay, that are labeled recommendations. One is HHS should provide guidance making it clear that entities may develop policies and procedures that broadly describe the types of PHI necessary for categories of operations such as claim processing or grievance processing. The department has already done some of that.
Ideally the privacy rule should be modified so that the recipient of a request for information made by another covered entity automatically relies on that request unless it clearly is inappropriate. Absent that change HHS can help to prevent disagreements between the entities by issuing guidance, emphasizing that the privacy rule currently allows the covered entity to rely upon the request.
MR. ROTHSTEIN: Which is the current state of the rule and has in fact been clarified.
MS. MC ANDREW: Right, although you considered a recommendation that we provide additional clarification.
MS. GREENBERG: And the guide could go on specifically to enumerate some disclosures that should be considered appropriate, for example, request for HEDIS data that is made by health plans subject to NCQA accreditation. We kind of dealt with that yesterday.
The next one, HHS should issue guidance clarifying the covered entities likely will develop different criteria for minimum necessary information and that a covered entity's organization procedures and information infrastructure will be factors in determining what information is necessary. The guidance, also, should clarify that the standard is satisfied so long as the covered entity reasonably believes that the information is necessary to perform the task at hand.
MR. ROTHSTEIN: I think that is a statement of support for the current rule.
MS. GREENBERG: HHS should issue guidance that establishes that the minimum necessary requirement does not apply to a covered entity's internal use of PHI if the information used has been obtained from another covered entity.
MR. ROTHSTEIN: I am trying to remember. I mean these recommendations are not nearly as pointed as the actual testimony, and I remember his testimony to have raised for him, yes, this was Independence Blue Cross in Philadelphia.
MS. GREENBERG: On behalf of AAHP.
MR. ROTHSTEIN: And AAHP. Some rather specific problems don't seem to be translated into the recommendation.
MS. GREENBERG: I think it is similar to the previous one questioning whether minimum necessary standard is necessary and we kind of addressed that but I mean there is here in bold and particularly is it necessary internally. Does applying the minimum necessary standard internally in an institution make sense?
MR. ROTHSTEIN: Right. Okay, so there is a major shift, a recommendation that minimum necessary only apply to external communications and not apply to internal communications, the rule taking the opposite position from this recommendation.
MS. GREENBERG: The rationale was if the covered entity only requests information it needs why make that entity go to the trouble and expense of repeating its minimum necessary analysis each time it uses the information.
MS. HORLICK: I have in my notes his comment that case-by-case determinations would have to be made.
MS. GREENBERG: What?
MS. HORLICK: I have in my notes from when he was speaking that he made the point that it would be burdensome to make case-by-case determinations.
MS. GREENBERG: What I heard was that covered entities can come up with policies that would not require case by case.
MS. HORLICK: That non-routine functions require case-by-case determinations. That is what I wrote, and we do have two categories the routine functions and non-routine functions. I don't know whether his concern was for instance some claims processing may not know what information you may need to go back to and each claim will be a little different, but it seems to me generically you can come up with a general category of information. We are not expecting people to be data specific in their protocols.
MS. FYFFE: I don't know if this helps but I took a careful note when Mr. Foty said that the burden should be on the requestor to determine minimum necessary amount of information needed because the requestors know the business needs better than the organization they are requesting it from.
DR. ZUBELDIA: And the covered entity that holds the information that is going to be disclosed can rely on the requestor's determination of minimum necessary on a routine basis. Then you are okay.
MR. ROTHSTEIN: He, also, said that the department needs to clarify that the standard should be reasonable efforts and that those reasonable efforts will vary by the type of institution. I think he emphasized that AHP is, you know, so many different kinds of institutions and that there needs to be this reasonableness standard and he, also, said that clarification that they can use a common sense approach, his language. So, what is the Subcommittee's pleasure on this?
MR. BUSSEWITZ: The issue of the requestor?
MR. ROTHSTEIN: Any of the issues that we talked about. Does anyone want to bring forward a recommendation for the Subcommittee based on these recommendations?
DR. ZUBELDIA: Maybe the recommendation would be to have specific clarification from the department that there will need to be a determination for routine processes being necessary, that a policy would cover routine uses and that the submitter or the holder of the information about to be disclosed can rely on the minimum necessary determination by the requestor, and if you clarify those two points which, it is in the existing rule, if you clarify those two points I think it would take care of all this.
MR. ROTHSTEIN: Further clarification of the ability to rely on policies and procedures for routine use, common sense approach, flexibility among institutions, etc.
Marjorie?
MS. GREENBERG: I, also, think what the Subcommittee recommended yesterday is relevant here and you have addressed it, and that is to amend the rule to assure that the privacy regulation does not prevent plans from getting information from providers that they need for accreditation and health care quality purposes because you mentioned the HEDIS and that seems to be a recurring theme. So, I think you have kind of --
MR. ROTHSTEIN: So, you think it is already covered in the other --
MS. GREENBERG: I think it is already there and then this proposal.
MR. ROTHSTEIN: Okay.
MS. GREENBERG: We are actually proposing that they amend the rule to make that --
MS. HORLICK: We are not amending. We are asking for clarification.
MS. GREENBERG: Amend the rule to assure that the privacy regulation does not prevent plans from getting information from providers that they need for --
MS. HORLICK: That was yesterday. What we are talking about today is we are requesting clarification that the policies that are developed cover routine use and that I guess case-by-case determinations are only for non-routine use and that the holder can rely on the requestor's determination. That we are just asking for additional clarification. Amend the rule was specifically to what we addressed yesterday. Is that correct? I mean that is my understanding.
MS. GREENBERG: I guess so. I thought the clarification already clarified. The guidance already made those clarifications, but --
MS. MC ANDREW: There are many parts to the rule that the more times you say it that finally it may be heard.
MR. ROTHSTEIN: I think many of the places where we are requesting clarification what we are requesting is reiteration.
MS. HORLICK: If I can just say, my understanding of our minimum necessary discussion so far is that as a rule we do with all the issues is just give a brief summary of the diverging points of view, and that the Committee would reaffirm the need for the minimum necessary standard, but since we are going to address the NCPDP issue separately it may or may not refer to that in this letter; yet, this now is the first actual request for clarification that we are making, and we haven't made any other recommendation. Have I got that right?
MR. ROTHSTEIN: We approved more clarification.
MS. HORLICK: Oh, under reasonable reliance and the educational effort, okay. I forgot that, okay. I just want to make sure.
MR. ROTHSTEIN: So, is the consensus that, do you want to repeat what the proposal was on this last request for clarification?
MS. HORLICK: The policies and procedures cover routine use, that case-by-case determinations are only for non-routine use and that the holder of the information can reasonably rely on the requestor's determination of what is minimally necessary.
DR. HARDING: Isn't minimally necessary a professional judgment in the regs?
MS. HORLICK: No.
DR. HARDING: Isn't minimally necessary in the regs a professional judgment as opposed to a requestor plans request? I hate to throw that in, but --
MS. HORLICK: We have said in the guidance material that these are reasonable determinations and reasonableness will in some circumstances be based on the judgment of the prudent professional. It is not necessarily the kind of medical professional judgment in all cases. I mean you could have --
DR. HARDING: So, the final determiner is that? I mean you could have rules that you follow, but if the rules don't apply --
MR. ROTHSTEIN: The primacy in making the determination is not in the hands of the requestor currently. It is in the custodian of the information.
DR. HARDING: And we are suggesting that it should go to the requestor?
MR. ROTHSTEIN: No, I am not suggesting that.
MS. HORLICK: You have it backwards. That is not what we are saying.
DR. HARDING: I misunderstood.
MS. HORLICK: I think we are saying two separate things. I want to make sure I understand.
DR. COHN: I think we are just referring to the guidance that was previously published which says that you can rely on it unless it is clearly inappropriate.
MS. HORLICK: So, that the releaser, the holder and the person that is going to release the information --
MS. GREENBERG: They can rely on the request of a covered entity as being minimum necessary but doesn't have to rely on the request of the covered entity, can obviously there is room for --
MS. HORLICK: So, they can exercise their own judgment. So, ultimately it is their own decision, but they can rely on that in making their decision. We are just asking for clarification.
MR. ROTHSTEIN: Right, reiteration, reguidance.
Okay, I think we are ready to move to the next set of two recommendations. Minimum necessary bolsters the patient's control of the PHI. The benefits of minimum necessary justify the cost and we began our discussion by reaffirming general support for minimum necessary. So, I think that takes care of these two recommendations and that concludes the actual recommendations of the first of the two minimum necessary panels.
The next panel, the --
MS. GREENBERG: This was in the Q&A period. These things came up under Q&A. I think that might just capture it.
MR. ROTHSTEIN: I will let you have a couple of minutes to read through that.
MS. GREENBERG: At some point the health care industry needs to address this currently approved demand for extra health care information and the --
MS. FYFFE: What page are you on?
MS. GREENBERG: Excuse me, Page 3. I think this is more of a long-term issue as to demand for additional information. At some point the health care industry needs to address this currently approved demand for extra health care information in the process but this is the topic today. Okay, moving right along.
Secondly there is also a minor legal question as to whether this rule precedes change of information or PHI between professionals engaged in treatment when one of the professionals or organizations is a covered entity and the other party is one of the rare groups not covered by the HIPAA electronic transaction requirements and an authorization does not exist. HEMA(?) does not believe that any conscientious professional will let this question stand in the way of treatment, but it would behoove the Secretary and perhaps Congress to address this point and assure that these privacy standards apply to all health care providers.
DR. COHN: Is this a comment that the privacy rules only apply to providers that are submitting electronic transactions?
MS. GREENBERG: Apparently.
DR. COHN: That certainly is an interesting issue. I think that was unfortunately because of the HIPAA legislation. Unfortunately, that is an issue that has to do with the actual legislation, isn't it?
MS. MC ANDREW: The statute makes coverage limited only to health care providers that do engage in the HIPAA electronic transactions.
MR. ROTHSTEIN: I would like to propose that we not consider that issue because it was beyond the scope of the requested testimony, and we did not have a full range of witnesses.
DR. HARDING: That is in litigation right now.
MR. ROTHSTEIN: So is everything.
MS. GREENBERG: This is a question of whether the privacy rule applies to people who only submit paper.
MS. MC ANDREW: No, it does not, but it does not prevent these communications from occurring. You can still disclose, if you are a covered entity you can disclose for treatment purposes even though you are disclosing to a non-covered physician.
MS. GREENBERG: Then is there anything else? Are we moving on?
MR. ROTHSTEIN: Yes.
MS. GREENBERG: Okay, this is the recommendation to centralize the location or person where an outsider must go to to get PHI information. For years HEMA has advocated that all release of information, communications and correspondence --
MS. FYFFE: What page are you on?
MS. GREENBERG: I am sorry, Page 4 regarding PHI, the middle of the page there, Page 4, and outside of the payment or normal claims in patient accounting process should come from the health information management or medical records department or function. Obviously this really relates to an institution of some type or from the health care professional in charge of the patient's care or his or her HIM function. By centralizing the location or person where an outsider must go to get PHI information and identify where information will be released within the organization a mechanism is provided through policy, procedure and practice to narrow the gate of information flow and to assure that the information release is according to the rules, consent and authorizations involved.
MR. ROTHSTEIN: So, it is an internal management issue.
MS. GREENBERG: Moving on, okay. In their comments in March, this is Page 6, the bottom of the page, HEMA did recommend that one of the privacy regulation rights be modified right before the italics on the bottom of Page 6, namely, the right to request privacy protection for PHI. HEMA did not suggest that this right could not be granted. In making our recommendation we pointed out that all health information should be accorded maximum privacy protection and security; segregating or requiring special procedures for certain subsets of the individual health record is both clinically and administratively ill advised.
MR. ROTHSTEIN: I think that is beyond the scope of the hearing.
MS. GREENBERG: People can ask and the provider can make a decision.
The next page, middle of Page 7, HEMA indicated to the Secretary that it does not support this right to restrictions and recommended that it either be deleted from the rule or that it be optional for the covered entity to extend this particular right.
MR. ROTHSTEIN: We addressed the restriction issue yesterday.
MS. GREENBERG: Now, further HEMA recommendations at the bottom of Page 7. HEMA recommended that the covered entity should be permitted to use its professional judgment and request additional justification for the amount of protected health information requested by another covered entity. We talked about that. It believes the professionals should have the right their judgment.
Next, Page 8, HEMA recommended that the responsibility for disclosure of health information be centralized under the direction, okay we talked about that.
Second, AHI may recommend that the requestor of PHI present or sign a statement stipulating that the requested information is limited to the minimum necessary for the stated purpose. Patently it must be understood we are not talking about situations related to emergent and urgent treatment or the customary exchange of information in the HIPAA transaction.
MR. ROTHSTEIN: So, the proposal is that you would need to sign something verifying that your request is the minimum necessary. I think that is the recommendation which currently they don't have to do. They just make the request and it is assumed that it is a request for the minimum necessary and the person on whom the request is made can reasonably rely on that.
Is there some member of the Subcommittee who wants to move that proposal forward?
Okay.
MS. GREENBERG: Then the third one, the last bullet there is HEMA recommended that a statement prohibiting use of the information for other than the stated purpose and requiring destruction of the information after the stated need has been fulfilled should accompany any disclosure of health information to external requestors.
MR. ROTHSTEIN: That is a proposal for a set period of time after which it would be destroyed; is that correct for external requests? Authorizations that are required for release of information beyond TPO there is currently no requirement that it be returned or destroyed by some date certain and this would be a proposal that that would be mandated for authorization.
MS. MC ANDREW: It would, also, likely apply to any disclosures under the five twelves. It would not only be disclosures pursuant to individual authorization but would likely also apply to disclosures under the five twelves like to law enforcement, public health, all those.
MR. ROTHSTEIN: So, there would be a date certain by which it would have to be destroyed or returned unless it were really incorporated into other data in the instance of public health where it would limit its identifiability.
Is there some member of the Subcommittee who wants to move that forward?
Marjorie, is that it?
MS. GREENBERG: I guess so, yes.
MR. ROTHSTEIN: The next set of recommendations from ACOM what information should be released to the employer of liver disease? That is just a -- HHS should develop a standard protocol for use by occupational physicians in implementing minimum necessary for work-related PHI. My comment to ACOM would be be careful what you wish for, but they didn't ask for my advice.
Does anyone want to bring this forward?
Okay, next grouping of eight bullets, minimum necessary is undefined and therefore unenforceable. Minimum necessary is unintelligible, not evidence that minimum necessary can prevent the widespread dissemination of sensitive information. Minimum necessary might lead to the omission of critical patient care information from a copy of the chart.
Let us just take a break here. The first two I think we recognized the opposite view by our support for the general support of minimum necessary. The second two, I think we have previously evidenced our concern certainly in the defense of area that we are concerned about this although I would recognize anyone on the Committee who wants to make a recommendation based on any of these first four. Let us just leave that at this point.
Richard?
DR. HARDING: We have asked that minimum necessary be further defined.
MR. ROTHSTEIN: Correct.
DR. HARDING: So, we are --
MS. FYFFE: No, clarified.
DR. HARDING: So, that those first two I think are addressed in our previous --
MR. ROTHSTEIN: So, is there anyone who wants to bring one of these four recommendations forward?
The fifth one seems to me to be a clear proposal to someone exclude small entities; it is not defined here from the minimum necessary requirement. Is there someone who wants to move that forward. A small entity is 50 employees or 100, some definition, I don't know what that would be.
Hearing none we will move to the next. Do not apply minimum necessary internally to an institution. Aim for optimum performance of its services, and I think we have already addressed this on internal uses.
Next is require a warrant for law enforcement access. That is a concern that we can relay although it was not certainly related to minimum necessary.
MR. BLAIR: It is raising the bar for law enforcement.
MS. HORLICK: The issue there was that additional protections were permissible, that we were going to request --
MR. ROTHSTEIN: No, it is not a request for clarification. I think we did not specifically ask for, I mean we had like no law enforcement people here for example but we can put in our letter to the Secretary that we heard testimony expressing concern about the law enforcement exemption and that it is too broad. I think that is all we can say. I don't think we can make a recommendation regarding law enforcement.
MS. HORLICK: That is not what I meant. I thought what we said yesterday was that we were going to request clarification that that was sort of a floor and that additional --
MS. MC ANDREW: That was in the area of judicial and administrative proceedings.
MS. HORLICK: Right.
MS. MC ANDREW: Law enforcement is a different --
MS. HORLICK: Okay, I want to make sure.
MR. ROTHSTEIN: With the agreement of the Subcommittee we will reflect the fact that we heard such testimony without making a recommendation because I don't think it would satisfy sort of due process having only heard --
DR. COHN: I hate bringing this question up, but are we going to reflect every single comment that everybody made in this six-page letter that is on topic. I think it may be fine what you are saying, but where is the bar there about, you know, I mean do we say that we heard other comments on a variety of other subjects? See the testimony.
MR. ROTHSTEIN: Let us put it this way. It will be reflected from the Subcommittee to the full Committee and then what the full Committee chooses to incorporate in its letter we will leave to them.
DR. COHN: Let me say that I think that this is something we may need full hearings on. I am not saying that we should avoid the issue, but it is just a question of whether we put it in now.
MR. ROTHSTEIN: It may well be that as a result of our meeting in September we just want to recommend that we have a full day of hearings in which we invite the FBI and the ACLU and the national chiefs of police and everyone to come to John Fanning's office and discuss the issue.
MR. BLAIR: Could I ask if it is even appropriate for us to put that on our agenda? The impression that I got when Bob Gellin was doing the Fair Health Information Practices Act is that there are some very, very strong special interest groups that are very concerned about this on all sides and that it is of the magnitude that other than it being dealt with in Congress that we are just simply not going to find that Health and Human Services will find it within its discretion to cut this one way or another.
MR. ROTHSTEIN: I appreciate the comments, Jeff, but let me suggest that those are appropriate for the full Committee and what we, what I am proposing is to give a complete report to the full Committee in September indicating what we heard and what of what we heard that is sort of on topic will be our recommendations, and then the full Committee can decide either to let it go, hold hearings on it, incorporate it somehow in the letter or whatever is the pleasure of the full Committee.
Is that okay?
MR. BLAIR: Okay.
MR. ROTHSTEIN: Now, we are going to include it in our report to the full Committee and then the full Committee will decide what we want to do.
We have reached the noon hour, and let me just, I think there is one.
MS. GREENBERG: I think you could get through just the rest of this document, don't you think?
MR. ROTHSTEIN: Can we go another 15 minutes?
Okay, the next set of recommendations --
DR. SERKES: Mr. Chairman, may I correct for the record, Dr. Fitzmaurice was not here for my, Katherine Serkes, Association of American Physicians and Surgeons, was not here for my oral testimony. So, he is working off of the draft written record that he had. May I add something to the list of the record that is in the written statement?
MR. ROTHSTEIN: In the oral statement?
DR. SERKES: The written statement that has been submitted to the office and there are two simple recommendations. One is that we had suggested that the Office of Civil Rights be willing to issue advisory opinions on the minimum necessary standard as for example, the Department of Justice has done in the past on the fraud and abuse issues and second that again that the Office of Civil Rights make available sample lists and forms for various applications, not what the occupational doctors ask for standards but samples that would give some guidelines. So both of those would be --
MR. ROTHSTEIN: Sample lists of what?
DR. SERKES: Of a minimum necessary disclosure form so that essentially that also could be shown to patients as well, so that we have some, again, in the Q&A or the guidance that we would have some guidance and an advisory opinion of what would be acceptable since again this is the group that fears the withholding of information because of the defensive withholding of information. So, if we would have some guidelines it would be helpful. So, those were two specific recommendations in the written statement.
MR. ROTHSTEIN: Thank you.
Simon has to leave. Can we take up these so we can complete this, and then we will adjourn? We will take up at the beginning of the conference call the last, anything else from minimum necessary. I don't think there really is very much.
So, does everyone understand those last two proposals? One is OCR should be willing to issue advisory opinions and we should recommend that OCR do so and the second is make available sample lists, that is OCR should make available sample lists of minimum necessary disclosure forms for use by consumers, etc.
Is there someone on the Subcommittee who wants to --
DR. COHN: Yes, I will put that forward. I actually think it is very consistent with the idea of the government providing additional guidance. I am obviously not a lawyer. So, I don't know all these ways that the government can provide guidance, but in a risk adverse environment getting advisory opinions from OCR that they can rely on would be a wonderful way to reduce some of the tension certainly that is out there.
DR. ZUBELDIA: I don't know if it is appropriate for OCR to do that or for HHS, not OCR to do that since OCR would be doing the enforcement.
MR. ROTHSTEIN: Right. So, perhaps we could amend that. I mean we can say whatever we want and recommend to the Secretary that HHS and leave it to the Secretary to decide who should have that responsibility. Would you accept that amendment?
DR. COHN: That is a great idea.
DR. HARDING: Is OCR or HHS doing things like that?
MS. MC ANDREW: Not at this time, and I mean we had in the proposed rule making had with regard to the preemption of state law proposed a process of advisory opinions on that area of the rule and in the final rule we deleted that because of staffing implications.
DR. ZUBELDIA: I vaguely remember that the rule had in the back of it an example of a consent form or something.
MS. MC ANDREW: I think we had both a model authorization and either a notice -- we didn't propose a consent form. So, it would have been a model notice, but again we did not issue model forms with the final rule.
DR. ZUBELDIA: But I think that is what they are asking in the second request to have samples of minimum disclosure.
MS. MC ANDREW; Yes, but I am not exactly sure. I mean we do not envision that there be any kind of minimum necessary form. We are looking for protocols, policies and procedures.
MR. ROTHSTEIN: Someone in the agency can collect sort of best practices.
MS. MC ANDREW: Best practices would be another matter.
MR. ROTHSTEIN: So, are we ready to vote on these two recommendations? We will take them separately.
The first one is that HHS should issue advisory opinions.
All in favor, raise your hands?
(There was a show of hands.)
MR. ROTHSTEIN: Four in favor.
Any opposed?
Any abstentions?
Okay, so, it is approved by a vote of four to zero.
MS. HORLICK: Just a clarification, is it just going to be an issue advisory opinions or it is not limited to any particular area?
MR. ROTHSTEIN: No.
The second proposal was HHS should make available sample lists of minimum necessary including best practices documents.
All in favor, raise your hands?
(There was a show of hands.)
MR. ROTHSTEIN: That is three.
MR. BLAIR: Let me add to the approvals.
MR. ROTHSTEIN: That is four.
Any opposed?
Any abstentions?
So, it passes four to zero.
We will conclude at this point, resuming on our conference call on September 10, to finish up minimum necessary and then do research and marketing.
(Thereupon, at 12:11 p.m., the meeting was adjourned.)