Washington, D.C.
The Subcommittee on Privacy and Confidentiality of the National Committee on Vital and Health Statistics held hearings January 24-25, 2002, at the Hubert H. Humphrey Building in Washington, D.C.
The Subcommittee on Privacy and Confidentiality held hearings January 24-25, 2002 on the issue of marketing and fund-raising under the HIPAA privacy regulations. During the two days, the Subcommittee heard ten testimonies and talked with four panels and the public.
Mr. Cividanes said dropping marketing from PTO would deny individuals the benefits of communications from their own healthcare providers and insurance companies. Direct Marketing Association (DMA) believed the principal issue was the appropriate manner to protect privacy interests when a covered entity wished to use protected health information (PHI) for internal purposes only and limited the purposes for which the data would be used in certain marketing communications. Mr. Cividanes said privacy interests were protected, in such circumstances, if the covered entity furnished an opportunity to object to such uses and honored any request in a timely fashion. He urged the Subcommittee to resist significant changes to the marketing provisions of the HIPAA privacy rule.
Mr. Bell said the National Association of Chain Drug Stores (NACDS) recommended that the definition of marketing be modified to apply only when the communication's principal purpose was to sell a product or service unrelated to the health of the patient. NACDS recommended: (1) exempting all activities that fit the definitions of treatment and healthcare operations and (2) that the rules exempt from the definition of marketing all communications regarding treatment and healthcare operations, regardless of whether a third party paid for written communications. NACDS proposed: (1) opt-out procedures (rather than prior authorization) should apply to all marketing communications made by or on behalf of a covered entity; (2) the rules should clarify the distinction between treatment communications (exempt from marketing restrictions) and targeted health-related marketing; and (3) the rules shouldn't require apprising consumers why they received a targeted health-related marketing communication, because this disclosed PHI, compromising patient privacy.
Mr. Gellman proposed repealing the marketing rule in its entirety. He suggested prohibiting disclosures for healthcare operations and disease/case management that involved any payment or compensation. Mr. Gellman also proposed to: (1) prohibit non-consensual marketing by indirect providers, clearinghouses and employers without prior authorization; (2) prohibit marketing involving any disclosure to a third party, information about children, and information about any sensitive medical condition; (3) require affirmative patient consent, limited to three months, and prohibit any covered entity from soliciting consent on behalf of a third party; and (4) require clear, conspicuous and complete disclosure of all marketing arrangements between data providers and others, identifying all parties and interests; and (5) better opt-outs.
Ms. Pellow said there were serious flaws in the consumer "protections" incorporated within the marketing exception. Not only didn't the final regulation give consumers the right to opt-in, it only allowed them to opt-out after their information was already disclosed--and re-protecting it was practically, if nor wholly, impossible. NAIC argued that the future opt-out provision in the marketing exception offered no protection to consumers, but instead prevented them from taking a proactive stance about their PHI. Ms. Pellow said the marketing exception practically gutted the regulation's stated purpose, was a giant step backwards for consumers, and contradictory to the direction the states were moving. NAIC encouraged the Committee to remove the marketing exception completely.
Dr. Janofsky expressed the APA's concern about marketing and fund-raising loopholes in the regulation. A covered entity wasn't required to obtain authorization when it used or disclosed PHI to make a marketing communication to a patient face to face. The APA was disturbed by the marketing problem that developed with customer proprietary network information (CPNI) and consequences of the release of that information. Dr. Janofsky said APA strongly believed that PHI should never be shared for the purposes of marketing or fund-raising without the patient's informed consent. APA was disappointed that the regulation permitted only an ex post facto withdrawal of consent after damage had already occurred; Dr. Janofsky suggested patient consent could be required through opt-in.
Ms. Pollak noted Hopkins depended on private donations to fund about a fifth of its research budget primarily targeted at innovative new research that otherwise might not be funded. Without a signed authorization to use PHI, Hopkins and other non-profit, academic medical centers couldn't use the department and physician's name in contacting former patients and/or families. Ms. Pollak urged the Subcommittee to consider use of physician, department and division-specific information or, alternatively, a simplified, more patient-friendly authorization form.
Dr. McGinly said AHP was attempting to comply with HHS' final rule, but also cautioned that it would eliminate demographic information that was invaluable in targeting fund-raising to specific grateful patients. With preauthorization, about half of fund-raisers' philanthropy dollars would be threatened. AHP asked to be able to continue gathering patient service information from grateful patients as part of "health care operations."
Dr. Hall said ACP-ASIM's greatest concern was that the final rule permits marketing communication of health-related products and services on behalf of third parties or covered entities if the communication: (1) identifies the third party or covered entity, (2) states whether it received remuneration, and (3) allows opt-out. Dr. Hall said protection was limited and full of loopholes, and that the physician was caught in the middle. Noting the opt-out was weak and ambiguous, ACP-ASIM said it would be burdensome and maybe impossible to opt-out. ACP-ASIM believed patients should be given the opportunity to agree, prohibit or restrict disclosures prior to disclosure. Dr. Hall called on HHS to achieve greater patient privacy protections by 1) providing comprehensive final rules with a single deadline for implementation and clear directives to safeguard privacy and that the regulations be issued in final forms as soon as reasonably possible.
Lambda urged the Subcommittee to mandate that: (1) personal health information not be disclosed to business associates, absent a specific, time-limited, informed written patient consent to each type of disclosure for marketing purposes, (2) personal health information not be used by the covered entity for marketing purposes, other than in face-to-face encounters between the patient and the medical provider, absent a specific time-limited informed written consent for marketing purposes, (3) the patient be notified as part of the consent process about the full range of third parties who might have access to the patient's personal health information and of the fact that the covered entity doesn't accept responsibility for privacy breaches by those third parties, and (4) the patient received notification of his or her rights under the rule.
Ms. Serkes addressed marketing's chilling effect on patients and said she'd submit a copy of the AAPS vs. HHS court documents and affidavits stating how concern that HIPAA insufficiently protected their rights made patients reluctant to communicate openly with their physicians. Ms. Serkes echoed the concern the two panels and particularly Dr. Hall expressed about the damage the implied endorsements brought to the physician's credibility. Ms. Serkes discussed opt-in/opt-out provisions and AAPS's recommendation to redefine healthcare operations to exclude marketing and fund-raising under PTO.
Mr. Rothstein welcomed everyone to the first of two days of hearings revisiting the issue of marketing, first took up in the August hearings, along with the issue of fund-raising under the privacy regulations promulgated by HHS pursuant to HIPAA. He noted the Subcommittee had invited four panels of witnesses and opportunities were scheduled for public testimony. Mr. Rothstein said the purpose of the hearings was to gather information to guide the Subcommittee and full Committee in deliberations and recommendations to the Secretary. The Committee previously submitted recommendations on the issues of consent, minimum necessary and research. Members were especially interested in identifying practical problems, concerns, and specific recommendations. Mr. Rothstein noted the quorum rule didn't apply to subcommittees of federal advisory committees; although they didn't have a quorum, members would take testimony to share with the other Subcommittee and full Committee members. Interested individuals and organizations had until COB February 1 to submit written comments to be considered by the Subcommittee and full Committee.
Mr. Cividanes said DMA, the largest trade association for businesses interested in interactive and database marketing with nearly 5,000 member in 53 nations, believed that in revising the treatment of marketing communications in the initial rule, HHS struck a balance between protecting consumers' health-related data and preserving their right to receive benefits of marketing. He said revising the final rule would be a major mistake. Dropping marketing from PTO would deny individuals the benefits of communications from their own healthcare providers and insurance companies. Instead of examining unintended consequences of marketing provisions of the final rule, the Department would again face all the unintended but now identified consequences of reverting back to the proposed rule's authorization requirements for virtually all communications with patients and plan members. As DMA pointed out in its comments on the proposed rule: privacy protection wasn't balanced when detailed, lengthy authorization was required before a physician could send a reminder notice for a six-month checkup or a dentist could inform patients of expanded services.
DMA believed the principal issue was the appropriate manner to protect privacy interests when a covered entity wished to use PHI for internal purposes only and limited the purposes for which the data would be used in certain marketing communications. Mr. Cividanes said privacy interests were protected, in such circumstances, if the covered entity furnished an opportunity to object to such uses and honored any request in a timely fashion. He said some criticism from the August hearing about use of this data by third parties for marketing communications (e.g., a 1998 controversy surrounding disclosure of a marketing arrangement between a chain of drug stores and a marketing company) was unfounded: the witness acknowledged that "the fact that the business associate marketing firm will essentially step into the shoes of the pharmacy and have to comply with the regulation may make this type of situation different." Noting the United States Supreme Court held (Whalen v. Roe) that the protections afforded to personal information were a critical factor in determining whether a particular practice posed a threat to privacy interests, Mr. Cividanes said HIPAA obligations imposed upon business associates were among the most protective safeguards of any privacy laws. HIPAA's restricted conditions requiring third parties to receive PHI for marketing purposes only as business associates made this situation far different from the controversies brought to the Subcommittee's attention.
Mr. Cividanes said members shouldn't accept at face value allegations that the marketing provisions were inadequate. Just as Congress rejected efforts to change the financial privacy rules of the Gramm-Leach-Bliley Act (GLBA) before they went into effect or could be implemented fully, he urged the Subcommittee to resist significant changes to the marketing provisions of the HIPAA privacy rule.
Mr. Bell reaffirmed that NACDS members, who operate over 34,000 community pharmacies and employ some 100,000 pharmacists, recognized the value of protecting patient privacy. Members knew they might lose customers if they didn't protect patient privacy, and they had no interest in adopting marketing policies that endangered that trust.
Noting limitations on marketing were among the most complex provisions of the privacy rules, Mr. Bell focused on their context. America's market-based healthcare system depended on marketing as a method of informing consumers about the availability, quality and price of healthcare products and services. Mr. Bell cautioned about assuming there was something wrong with informing consumers about products and services: limitations on marketing had kept consumers in the dark and resulted in reduced price competition.
Mr. Bell noted examples of how pharmacies could use customer information in ways that might be considered marketing: e.g., refill reminders (proven to save lives and money), paid by manufacturers and recommendations of alternative medication paid by generic drug manufacturers. Dr, Bell said neither need disclose patient information and that earning money by informing patients wasn't wrong--most "marketing practices" by pharmacies led to better informed, healthier consumers.
Mr. Bell said the "overly-broad" definition of marketing in the privacy rules (a communication about a product or service, a purpose of which is to encourage recipients of the communication to purchase or use the product or service) was a purpose of virtually all healthcare communications. A pharmacist who encouraged a patient with diabetes to use a glucometer performed a valuable service, even if the pharmacy profited from the purchase. NACDS recommended that the definition of marketing be modified to apply only when the communication's principal purpose was to sell a product or service unrelated to the health of the patient.
Mr. Bell mentioned two principal problems with the way the rules exempt from the definition of marketing certain treatment and healthcare operations: exemptions were limited to only some treatment/health care operations activities and exemptions didn't apply if a covered entity was paid by a third party to make a written communication. A telephone refill reminder from a pharmacy would be exempt, whether or not a third party paid for the call; yet a similar written reminder might not be exempt. NACDS recommended that: (1) exemptions be extended to all activities that fit the definitions of treatment and healthcare operations, alleviating confusion and simplifying the rules without threatening patient confidentiality; and (2) the rules exempt from the definition of marketing all communications regarding treatment and healthcare operations, regardless of whether a third party paid for written communications.
A signed patient authorization, ordinarily required when a communication constituted marketing before using or disclosing PHI, wasn't required if a communication was health-related; instead, it had to include a method for opting-out of further similar communications. NACDS proposed three ways to make this more workable: (1) opt-out procedures (rather than prior authorization) should apply to all marketing communications made by or on behalf of a covered entity (Congress' approach to financial information privacy); (2) the rules should clarify the distinction between treatment communications (exempt from marketing restrictions) and targeted health-related marketing; and (3) the rules shouldn't require apprising consumers why they received a targeted health-related marketing communication, because this disclosed PHI, compromising patient privacy.
A past member of the Committee, Mr. Gellman remarked that he'd worked on health privacy legislation for more than 20 years and seen many proposals on health privacy, but this marketing rule was "an exercise in terrible public policy and…the single worst thing (he'd) ever seen proposed, let alone adopted." He pointed out that patients hate--and don't--expect their health records to be used for marketing; in two decades of hearings, the medical profession always considered that unethical. Patients were most likely to blame physicians; the whole basis of doctor/patient trust and confidentiality would be affected by this marketing rule. Mr. Gellman described the public outcry to the February 15, 1998 article in The Washington Post that revealed Washington area pharmacies, Giant Food and CVS, used records for patient reminders about refills for activities he said were similar to those Mr. Bell proposed. Within days after the story was published, both pharmacies stopped the program. Mr. Gellman said that had been a relatively mild-mannered use of patient records for marketing compared to what this rule allowed. He noted current litigation in several states and that CVS argued before the court that drug stores had no duty of confidentiality to their patients.
Mr. Gellman noted the rule's marketing provision permitted disclosure of information about children, psychiatric treatment, abortions, drug abuse and other sensitive conditions, treatment or diagnosis could be shared without exception or time limit. Recalling that one answer they'd heard from both previous witnesses was that PHI could only be shared with business associates who were covered by the rule, Mr. Gellman contended that exchange was a violation of confidentiality. He said the question was whether it was justified by some important public purpose, and chain drug stores making money selling PHI didn't meet the criteria. He noted the rule also permitted the release of information for marketing by indirect providers: a consulting physician, laboratory, x-ray facility, pharmacy, health plan, or clearinghouse could sell PHI for marketing.
He emphasized it would be easy to create a structure in which PHI lost any protection. Marketers weren't covered entities and responses to third parties didn't fall under HIPAA. A solicitation to diabetics by a third party could be coded so PHI on everyone who responded could be identified, resold and reused in any way without controls. A series of separately incorporated companies could use PHI gleaned from patients' response to marketing campaigns without restriction, despite HIPAA restrictions on covered entities and their business associates.
Mr. Gellman said another problem was the rule didn't require patient consent. Noting Mr. Bell had compared this rule to the GLBA rule for financial privacy, Mr. Gellman said there were better protections for financial privacy records than medical records. GLBA required everyone be given the opportunity to opt-out before his or her records were used for marketing. This rule didn't require that rights be easy to exercise: there was no toll free number, post-paid envelope, or Internet site for opting-out. Covered entities could charge for opt-out. Dozens of opt-outs might be required; the rule didn't even state opt-outs were permanent.
Mr. Gellman proposed repealing the marketing rule in its entirety. He suggested retaining the current provision that stated individual advice from a provider or a health plan wasn't marketing. And he suggested prohibiting disclosures for healthcare operations and disease/case management that involved any payment or compensation. Mr. Gellman also proposed to: (1) prohibit non-consensual marketing by indirect providers, clearinghouses and employers without prior authorization; (2) prohibit marketing involving any disclosure to a third party, information about children, and information about any sensitive medical condition; (3) require affirmative patient consent, limited to three months, and prohibit any covered entity from soliciting consent on behalf of a third party; and (4) require clear, conspicuous and complete disclosure of all marketing arrangements between data providers and others, identifying all parties and interests; and (5) better opt-outs. Mr. Gellman emphasized that anyone should be able to opt-out, not only in advance, but at any time. Opt outs should be offered regularly in marketing communications and other ways. Opt-outs should be free, easy, permanent, and broadly effective: blocking not only that campaign, source, or underlying institution and affiliates--anyone who directly or constructively knew about an opt-out would be permanently banned.
Mr. Bell responded that the sole example of a supposedly real-life situation Mr. Gellman cited was false. A partial retraction clarified that the chains had sold no information; an outside company had processed the refill reminders. CVS and Giant discontinued that procedure after the article triggered a huge groundswell of opposition, but Mr. Bell said he hoped they hadn't stopped sending reminders that studies showed saved lives and money. He said the companies had been sued, and patients who felt their rights were violated could file an administrative complaint with HHS. Mr. Cividanes quoted from Mr. Gellman's 1999 article, The Myth of Patient Confidentiality, in which he indicated that neither the privacy rules announced by the President nor any legislative proposals floating around Capitol Hill would make material change--expectations had to be lowered; it could no longer be promised that medical records would be confidential. Mr. Cividanes pointed out that the final rules did have a notice with provisions for disclosures about this type of marketing communications and fund-raising, as well as an individual's right to opt-out and request restrictions.
Mr. Gellman replied that, although the industry clung to the notion that something was wrong with The Washington Post article, it was substantially accurate. He reiterated that the rule offered no remedy. One could file a complaint, but if one had been damaged, there was no mechanism whereby a complaint would make you whole. One had a right under the rule to ask the covered entity in advance for any restriction one wanted--but the covered entity had no obligation to consider or respond to it. He predicted that, because of liability, lawyers would advise covered entities reject every request.
Mr. Fanning said he didn't know if GLBA had been considered in drafting these regulations. Mr. Gellman said the joint set of rules issued by Federal Trade Commission (FTC) and other agencies, while controversial, was clearly a precedent that tried to give data subjects some choice about what happened to their PHI. Mr. Cividanes said, before GLBA went into effect, there had been calls for changes, but the agencies and legislators held steadfast--That, too, was a precedent. Those affected by and implementing this needed stability and certainty. Later, everyone could revisit and learn from the experience. Mr. Gellman pointed out that HHS had announced it was making changes; there was no reason the marketing rule shouldn't be fixed along with other provisions.
Mr. Bell expressed confusion over the distinction between marketing and treatment; Dr. Harding said he'd never considered marketing as PTO. The rules defined marketing broadly as any communication where the intent was to sell or get someone to use a product or service. The treatment exception put forth a "tortured" definition of marketing, declaring one wasn't marketing if there was treatment or some other activities (e.g., therapy alternatives) that elsewhere came under the definition of "healthcare operations." Mr. Bell recommended clarifying in the rule that treatment and healthcare operations weren't marketing. He noted a separate issue was that marketing ordinarily required prior patient authorization, but health-related marketing only called for an opportunity to opt-out. Targeted health-related marketing also required an explanation of why the particular patient was targeted. Mr. Bell said he'd appreciate clarification of the difference between a targeted health-related communication, which was marketing, and treatment communication, which usually wasn't marketing.
Noting he'd heard Mr. Cividanes describe a balance that protected PHI while providing consumer information, Dr. Fitzmaurice asked about additional changes in the privacy rule. Mr. Cividanes said DMA's members called for more flexibility in obtaining additional information (e.g., cardiac-related information in support of a campaign to fund a new cardiac center) for targeting fund-raising. But he said the privacy rule, as it now stood, struck the right balance. Members were learning to work with it.
Dr. Fitzmaurice asked Mr. Gellman if listing potential uses of PHI in the notice of privacy practices, clearly defining marketing, and permitting patients to opt-out of all marketing uses of PHI at first contact corrected most his objections. Mr. Gellman said the rule already required that the notice reference marketing uses, but he questioned how effectively that notice would inform patients. Giving people an opt-out in advance would be better, but wasn't enough when confidential patient information was used for purposes that had nothing to do with healthcare--especially when the person passing on the record received a fee. Mr. Gellman also noted there was no mechanism for people to opt-out in advance with indirect providers and health plans. Dr. Danaher asked if an explanation of how information could be used along with the opportunity to opt-out during open enrollment and renewal of health insurance could resolve that concern. Mr. Gellman pointed out that some health plans didn't require signatures at renewal and so had no mechanism. He reiterated that patient records shouldn't be used for marketing without affirmative consent. Mr. Gellman said opt-outs didn't work; industry clung to them because people were "lazy" and didn't follow through--especially when, as with this rule, that was hard to do. He said what Dr. Danaher proposed didn't meet essential standards for protecting what little confidentiality was left in the healthcare system and whatever trust there was between doctor and patient--But it would be an improvement.
Asked their position on marketing things like cosmetic surgery to minors, Mr. Cividanes made a distinction between information about and solicitations to children. DMA was supportive of efforts to protect children, but he noted that information needed to be gathered in order to inform parents about beneficial services, products or benefits. Dr. Harding cited the example of a teenage girl who took Acutane for bad acne and received a mailing about other corrective medicines or procedures that would make her "even prettier." Testifiers noted they might want certain communications sent to them as parents, but expressed concern about minors receiving direct marketing without parental knowledge.
Noting Mr. Gellman proposed prohibiting any covered entity from soliciting an authorization for marketing on behalf of a third party, Ms. Greenberg asked how a third party could then get authorization for marketing. Mr. Gellman replied they didn't have to worry about a product or service that a physician, dentist or pharmacy wouldn't recommend in treatment; marketers could find targets on their own. Physicians' participation undermined confidentiality between doctor and patient; anyone with access to PHI shouldn't make money sharing it with third parties. Mr. Bell said he agreed with the first part of what Mr. Gellman said and recommended that the agency clarify that the rule stated products and services pharmacies recommended were treatment.
Noting that both the rule and testimony were silent on how marketing took place and what, if any, limitations there should be on those efforts (e.g., whether marketing information could be left on voice mail or with another resident of a joint dwelling), Mr. Rothstein asked if the industry would be comfortable with reasonable regulations setting forth the process for marketing contacts based on health information. Mr. Bell said the issue was what was reasonable; no one gave contact information unless they wanted the pharmacists to use it. Mr. Rothstein replied that one could automatically be connected to voice mail and suggested these marketing messages could be prohibited without the individual having to opt-out. He said no one disputed the benefit to be gained from further informing individuals; the query was how one struck a balance between that benefit and harm from inappropriate actions. The rule already regulated the possibility of some inappropriate disclosures within healthcare settings (e.g., restrictions on faxing medical records), but not in non-healthcare settings. Mr. Bell concurred. The question was would the government strike that balance or would people have the option to strike it themselves. He was against the government making prohibitions in all situations, but supported patients being able to strike their own balance.
Mr. Gellman suggested a request not to leave a voice mail had to be in writing in order to know and enforce it. Mr. Rothstein said, for many individuals, it might be insufficiently informative to have these conversations without announcing up front the precise relationship between the marketing entity and physician. The rules required the covered entity to disclose it was the source of the communication, any direct or indirect remuneration received, and how to opt-out of further contact--but it didn't require that information up front. Mr. Bell said NACDS members welcomed clarification. Mr. Gellman pointed out that the rule said the communication must identify the covered entity as the party making the communication: the third party business associate must say, "I'm calling for Dr. Smith"--That misrepresented what was happening.
Noting his research involved telephone interview surveys requiring IRB approval, Mr. Rothstein acknowledged that one didn't want to give too much information just to ask a few questions about someone's health, but he suggested the bare minimum consumers should expect receiving solicitations was upfront, honest and understandable information. Mr. Cividanes said that description conformed to requirements for wiretap laws, but cautioned about frontloading more than anyone could absorb.
Mr. Rothstein asked if there was a compelling argument why the specific authorization for the release of certain psychiatric information (not covered by the one-time signed consent) in the regulations shouldn't apply to the marketing provision. Dr. Harding expressed ambivalence about setting sensitivities for certain categories of medical illness: exemptions were important in his practice, but he believed all medical information should be treated similarly. Mr. Rothstein said he'd expressed that position many times, but wanted fallback positions for the full Committee to consider. He suggested there were a variety of situations where one wouldn't want sensitive information marketed, but might not think about opting-out. He suggested they consider disclosing the right to opt-out in the upfront message. Mr. Gellman said a single, simple solution to many of these problems could be either: nothing happens without consent, or no telephone marketing.
Members noted written materials also presented dangers. Mr. Gellman gave an example of sensitivity and confidentiality he'd heard from his dentist about one patient's biggest secret: even his wife didn't know he wore dentures. Giving information to third parties was a significant imposition on confidentiality sometimes done for a variety of purposes: public health, law enforcement and research. Mr. Gellman emphasized that marketing wasn't a sufficient purpose. He quoted the rule: "However, the final rule permits an alternative arrangement. The covered entity can engage in health-related marketing on behalf of a third party, presumably for a fee. Moreover, the covered entity could retain another party through a business associate relationship to conduct the actual health-related marketing, such as mailings or telemarketing under the covered entity's name." Mr. Gellman noted the covered entity could give information to a chain of business associates, all authorized to disclose on the covered entity's behalf. Without a higher barrier and better procedural protections, control over information could be lost. Mr. Fanning noted there were all kinds of outsourcing and multiple successive subcontracting arrangements throughout the healthcare system, but he said he'd heard people were troubled because marketing wasn't of sufficient interest to permit the associated risk.
Mr. Gellman acknowledged that fixing this rule by prohibiting disclosures to third parties, as business associates for marketing purposes, wasn't the best answer. He said he was "fishing" for ways to allow reasonable uses of records that didn't interfere with doctor/patient communications, but he emphasized that, when somebody was hired or paid for those communications, there was cause for caution and protections. Eliminating business associates for marketing was one way.
Mr. Rothstein noted that the Committee had rejected considering medical research as part of treatment, payment and healthcare operations (TPO) and supported separate authorization for research. He questioned that marketing approached the social utility of the medical research establishment or how, given the Committee's position on research, they could endorse the current rule considering marketing part of TPO. Mr. Bell said he wasn't suggesting that marketing should be TPO, but that the rules made a hazy distinction that he hoped the agency would clarify. He said the Subcommittee proceeded from a false assumption. There was no TPOM exception in marketing; the rule was prior authorization, with exceptions. Prior authorization wasn't required for health-related marketing: one marketing communication could be made, giving an opportunity to opt-out. But the general rule was prior written authorization, separate from the consent, before marketing could be conducted. Mr. Bell reiterated that there wasn't much distinction between how research and marketing were treated. The questions arose in the gray areas around targeted health-related marketing and something treated differently called treatment.
Mr. Gellman rebutted that characterization, saying authorization wasn't needed for most kinds of marketing. The loophole swallowed the rule and almost any kind of marketing (e.g., food products, vacations) could be called "health related." The term wasn't defined and there was virtually no product. Mr. Bell said marketing wasn't in the definition of healthcare operations. The definition of "marketing" included virtually any communication and exempted a few specific types of healthcare operations (e.g., recommending treatment alternatives). Mr. Bell said the general rule was that individual authorization was required, except for "health-related" marketing. He agreed the term wasn't defined and noted they probably had very different definitions. Mr. Fanning questioned why some communications with patients were allowed without explicit authorization, but not for research. Mr. Bell said there were only two real-life examples that some others (not he) might consider health-related marketing: refill reminders and suggestions of alternative treatments. He said he'd heard Mr. Gellman say a recommendation from a pharmacy to a patient about a product or service was treatment; if they could agree on that, than he could accept treating the rest of marketing the same way as research.
Dr. Danaher questioned the advisability of using the authorization for healthcare research as a precedent. Mr. Rothstein acknowledged that the issue of research was complicated, but he noted John Fanning described the basic framework as leaving the rule as it was, requiring explicit authorization or some degree of a privacy board or IRB approval. Dr. Danaher said that approval was what made it possible for him to accept this position. He asked if an analogous body would facilitate that role for marketing. Predicting public disclosure would stop marketing cold, Mr. Gellman suggested requiring covered entities disclosing records for marketing to post all details on their Web sites. Mr. Cividanes remarked that Mr. Gellman's comments again emphasized the distinction between disclosures to third parties for their own use and use by the covered entities or the hiring of third parties supporting them. Mr. Rothstein affirmed that was something everyone gleaned from this discussion.
Ms. Pellow said that for more than 20 years and through the development of three privacy models, NAIC's position had been that insurers should be required to obtain authorization from the consumer prior to use or disclosure of PHI (opt-in standard). She said the states continue implementing NAIC's privacy models, choosing the opt-in standard to ensure individuals are asked first whether or not they want PHI used or disclosed for marketing purposes.
She reiterated concern, first expressed last March in NAIC's comment letter about the marketing exclusion in the final regulations. Although the proposed regulation was similar to NAIC models in establishing standards to protect consumers and their individually identifiable health information, she noted the final regulation "seriously diverted" from HHS's previous position, allowing covered entities to disclose PHI for certain marketing purposes without prior authorization. She reconfirmed NAIC's believe that consumers should have the right to decide about disclosure before any PHI was shared. And she said NAIC respectfully disagreed with the Department assertions that the marketing exception was necessary and would benefit consumers or that consumer protections had been incorporated into those exceptions.
Ms. Pellow noted HHS claimed the marketing exception was necessary for healthcare entities "to discuss their own health-related products and services, or those of third parties, as part of their everyday business" and inform patients and enrollees about "new or valuable health products." She said NAIC understood inclusion of exceptions for certain legitimate business activities, but she contended a broad marketing exception wasn't necessary. In fact, the definition of marketing specifically excluded these communications; providers and plans were free to discuss treatment options, services and products with their patients and enrollees. Rather than benefit consumers, Ms. Pellow cautioned that the marketing exception would create a whole new set of problems. She said consumers would benefit if covered entities explained what they want to do with consumers' information up front and let consumers decide whether the benefit outweighed the consequences of disclosure. NAIC didn't want to prohibit appointment reminders or prevent consumers from obtaining information; but everyone should be assured his or her PHI wouldn't be shared, sold or released for marketing purposes without their specific consent.
Ms. Pellow noted HHS said it incorporated consumer protections within the marketing exception by requiring covered entities to identify themselves in marketing communications, tell consumers why they were targeted, and inform them that they could opt-out of future communications. She said there were serious flaws in the first two "protections," but focused particularly on the last. NAIC members long debated over opt-in and opt-out standards before deciding to use GLBA's opt-out standard for financial information and the strengthened protections of opt-in for health information. The states currently implemented the opt-in standard for PHI, however Ms. Pellow pointed out that even the opt-out standard for financial information offered more protection than the HHS regulation did for PHI, particularly in terms of marketing. Not only didn't the final regulation give consumers the right to opt-in, it wouldn't allow anyone to opt-out prior to disclosure. Only after their information was already disclosed, could consumers opt-out. Once sensitive information was disclosed, she said re-protecting it was practically, if not completely, impossible.
Ms. Pellow pointed out other flaws with future opt-out: (1) there were no details about how consumers opted-out: (e.g., 1-800 numbers, Web sites, fliers), (2) scope of opting-out was unclear (was it linked only to the disease, product, or service related to the initial communication or to all future marketings from all entities), (3) the covered entity only had to make a "reasonable" effort to ensure marketing didn't continue post opt-out, and (4) the final regulation set out a system that encouraged telemarketing. Ms. Pellow questioned why HHS included in the preamble an example of how to implement a process that created a conflict of interest between covered entities and their patients and enrollees.
NAIC argued that the future opt-out provision in the marketing exception offered no protection to consumers, but instead prevented them from taking a proactive stance about their PHI. Ms. Pellow said NAIC respectfully questioned why the federal government knowingly issued a regulation that required "horrible inconvenience" to occur before consumers could act.
The assumption behind the creation of the HHS privacy regulation was that health information was sensitive and deserved a higher-level protection; NAIC and the states developed and implemented legislation and regulations based on those assumptions. Ms. Pellow said the marketing exception practically gutted the regulation's stated purpose, was a giant step backwards for consumers, and contradictory to the direction the states were moving. NAIC encouraged the Committee to remove the marketing exception completely.
Dr. Janofsky said he couldn't emphasize enough that medical records privacy deeply concerned Americans; regrettably, the fact that confidentiality was an essential element of quality healthcare was often overlooked. Some patients refrained from seeking medical care or dropped out to avoid any risk of disclosure; others wouldn't provide the full information necessary for successful treatment. Patient privacy was particularly critical in ensuring high-quality psychiatric care. Both the Surgeon General's report on mental health and the U.S. Supreme Court's Jaffee v. Redmond decision concluded privacy was an essential requisite for effective mental healthcare. The Surgeon General's report concluded people's willingness to seek help was contingent on their confidence that personal revelations wouldn't be disclosed without their consent and the Supreme Court held that "Effective psychotherapy depends upon an atmosphere of confidence and trust ... For this reason, the mere possibility of disclosure may impede the development of the confidential relationship necessary for successful treatment."
Dr. Janofsky expressed the APA's concern about marketing and fund-raising loopholes in the regulation. A covered entity wasn't required to obtain authorization when it used or disclosed PHI to make a marketing communication to a patient face to face. A marketer who'd obtained PHI from a covered entity without the patient's consent, could talk directly to the patient in the hospital and try to sell a product or service related to the treatment at an especially vulnerable time.
The regulation also allowed the release of PHI without consent when it concerned products or services of nominal value. A pen or other inexpensive promotional item could be given to encourage the patient to buy a product or service. And the patient's health information could be released without consent when it concerned health-related products and services of the covered entity or of a third party and met marketing communication requirements.
The APA was disturbed by the marketing problem that developed with CPNI and consequences of the release of that information. The Federal Communications Commission defined CPNI as: where, when and to whom a customer places a telephone call; the types of services subscribed and the extent they are used. The APA was concerned about the impact of the Tenth Circuit Federal Court of Appeals decision in U.S. West, Inc. v. FCC that changed the right to disclosure for CPNI to opt-out. By marketing agreement, CPNI could be sold to insurance companies or employers who discriminate against providing insurance to patients who frequently call a psychiatrist or other physicians.
Dr. Janofsky said APA strongly believed that PHI should never be shared for the purposes of marketing or fund-raising without the patient's informed consent. APA was disappointed that the regulation permitted only an ex post facto withdrawal of consent after damage had already occurred, but he noted an easy solution: patient consent could be required through opt-in.
Dr. Harding recused himself from this panel's questions and discussion. Mr. Fanning noted that an organization from the health insurance industry had been scheduled to testify and couldn't, but would submit a written statement. He said HIAA testified at hearings on other issues and was aware of the Committee's ongoing work; but he said he couldn't evaluate if the wording of the regulation was an important consideration to them.
Dr. Janofsky said he couldn't say how the Maryland Psychiatric Society Ethics Committee might rule in a particular case, but as chair and a teacher of ethics he would have serious problems if a physician disclosed information for marketing purposes without patient consent. The existing ethical principles for medicine required physicians to act as fiduciaries for their patients, acting in their patients' best interests and only releasing information with a patient's consent or in limited circumstances. He personally knew of no ethics case where this has been an issue.
Mr. Rothstein noted Dr. Janofsky mentioned three exceptions for marketing. He asked if the face-to-face contact and de minimis value exceptions were less problematic. Dr. Janofsky said APA considered any disclosure in any setting problematic, if it occurred without the patient's prior informed consent. He emphasized that it would be improper, not only for a third party, but for the physician himself or herself to "give out the pen": marketing had nothing to do with patients' best interests.
Asked which intermediate steps discussed by the prior panel NAIC considered a fallback position, Ms. Pellow said NAIC's 1998 model required separate authorization and they held to a policy decision for authorization and opt-in for marketing because next-best options quickly became a slippery slope. She said NAIC wouldn't like it, but having opt-out prior to disclosure would be an improvement. Consumers needed more than just notice, they had to authorize that PHI could be disclosed for marketing purposes. If the disclosure would be beneficial to the consumers, marketers could sell them on it. Dr. Danaher asked if NAIC's concerns would be abated if, during open enrollment and renewal, consumers were given the option to have their PHI used for care, disease and case management and for marketing purposes by TPOs. Ms. Pellow pointed out that: it would be "lumped in" with enrollment information; if coverage continued, there wouldn't be a form every year; and this only addressed health plans--not providers or other entities. Noting there were too many other ways for information to be shared, she said NAIC members wouldn't agree to that solution.
Mr. Scanlon asked if any states had actually adopted the marketing provisions Ms. Pellow described earlier and about experiences with opt-in and opt-out. Ms. Pellow explained NAIC adopted three models. The first applied broadly to insurance information and had an opt-in standard. A 1998 model, developed primarily as guidance to Congress and HHS as they considered adopting privacy regulations based on HIPAA, hadn't been adopted by any states. The third model, developed in 2000, implemented privacy protections based on GLBA, giving states the right to create higher-level protections for consumers, included health information. Regulations coming from the federal government on GLBA had suggested health information might be included in financial information, with its opt-out standard, and NAIC elected to preserve opt-in. Ms. Pellow said, within the last year, 33 states adopted the opt-in standard for health information. A total of forty-eight states (plus D.C.) adopted the GLBA privacy protection; fifteen adopted the financial and were considering the health standards. Ms. Pellow questioned why the HHS privacy regulations proposed less, knowing the states already endorsed something stronger.
Noting NAIC's jurisdiction was insurers and health plans, Mr. Fanning asked if Ms. Pellow recommended the same standard for everyone. She said NAIC recommended opt-in and prior authorization across the board. One reason the states wanted these laws was they protected consumers no matter what type of insurer held PHI. Ms. Pellow emphasized NAIC wasn't anti-marketing, but wanted it explained so consumers could decide up front whether to disclose PHI for marketing purposes. She said NAIC didn't distinguish between uses of PHI by the covered entity or a third party and that the privacy regulations defined marketing broadly enough to allow for legitimate discussions with health plans and enrollees.
Dr. Danaher asked how opt-in at the time of enrollment would keep a lab organization, which didn't necessarily interact face to face with the consumer, from using PHI for marketing. Ms. Pellow said the burden was on the health plan: if the plan hadn't received an opt-in then the covered entity couldn't disclose PHI for marketing purposes. Mr. Rothstein said the point was an excellent one. With either the current or an opt-in system, there had to be a way to regulate how indirect providers learned that a patient declined consent and that those records couldn't be disclosed for marketing. Dr. Janofsky pointed out that the major difference between opt-in and opt-out was who had the burden of obtaining consent. With opt-in, the burden was on the entity to send information to the patient who then decided whether or not to receive it. If the consumer didn't send the form back, no information could be used. Dr. Janofsky added that a single authorization was a dangerous idea. One couldn't assess the risks and benefits of the breach of privacy and have informed consent about disclosure without knowing what would be disclosed and how it would be marketed.
Mr. Rothstein asked how Dr. Janofsky would notify indirect providers that a patient opted-out. Would patients be required to opt-out of each successive pitch, or would the opt-out be coded and moved downstream? Dr. Janofsky pointed out that query illustrated why the current rule was unworkable. Health information wasn't all encompassing; people had different health problems. One couldn't possibly make a reasoned choice to opt-in or out, unless one knew what marketing information would be received. Dr. Janofsky emphasized that whoever produced the marketing information had a big incentive and should have the burden of obtaining prior consent.
Noting a witness in the last panel testified against changing the rule because an opt-in provision would be burdensome, Mr. Rothstein observed an opt-out would also be burdensome-- unless nobody did it. Mr. Rothstein and Dr. Janofsky agreed. There seemed to be an underlying precept: affirmatively recruiting people would be a burden, but give consumers the burden and they wouldn't follow through--It would no longer be burdensome.
Noting this was a patient privacy, not a marketing/financial aid bill, Dr. Janofsky questioned why the burden to maintain privacy would be put on the patient rather than the marketer who stood to profit. Ms. Pellow agreed: noting, either way, they needed a tracking system. But she pointed out that whether the consumer had the right to opt-out or to opt-in prior to disclosure made a big difference. Observing that part of getting new medical information was talking to your doctor or health plan, Ms. Pellow suggested patients could authorization their doctor to share PHI in looking for a better solution or treatment. Dr. Danaher agreed: the Internet and external sources of information had eclipsed physicians and providers as the primary source of information for patients. Dr. Janofsky said his patients came in all the time with information off the Internet and they sat down at the computer and reviewed it. That wasn't marketing; it was treatment planning, and he didn't need a rule to do that. But the outside marketing entity had no fiduciary duty to the patient. The problem was that the physician and marketer had conflicting ethical duties.
Mr. Rothstein said he worried that APA's position potentially hurt the social good of patients learning about alternative treatments and therapies by putting a significant burden on outside entities and providers to obtain authorization. Dr. Janofsky disagreed. He cautioned that if the regulation went forward, it would affect the social good in exactly the opposite way. Patients only told their physicians their most intimate secrets because they assumed the doctor operated in their interest. Once marketing intruded on the doctor/patient relationship, the social good in the relationship was destroyed.
Dr. Janofsky told of a relative who was wrongly diagnosed and coded for asthma on a single visit. She never had asthma, but received mounds of information about asthma treatment and phone calls from her health insurance plan's patient management system about managing asthma. She couldn't turn it off. Mr. Fanning remarked that some people regarded that as legitimate disease management; the information was there because reimbursement was sought at the health plan or the insurer knew what was prescribed. Dr. Janofsky reiterated: the woman didn't have the disease. But they thought she did--And she couldn't turn the marketing off. He said disease management was good. But it should be up to patients to decide whether they want the information disclosed. And they should have the ability to turn it on and off. Ms. Pellow gave other examples of patients and physicians bombarded by pharmaceutical and medical equipment companies within days of a diagnosis. She said the insurance commissioners, not wanting to wait until there was a long list of consumer complaints, took the policy stance of informing the consumer and obtaining prior authorization using opt-in.
Mr. Fanning asked if NAIC's model forbid or controlled approaching the prescribing physician. Ms. Pellow said NAIC didn't address that. Dr. Fitzmaurice expressed concern about overlap between the covered entities of the HIPAA privacy rule and the entities to which this applied. If 33 states had new consumer privacy provisions, and if such laws applied to the HIPAA-covered entities and were deemed more stringent, then that would effectively override the provision in the privacy rule. Ms. Pellow said the scope of the GLBA privacy standards applied to all insurers. Under HIPAA, it was just health insurers. It was important to keep GLBA standards in place because they would at least maintain minimum protection and requirements on all insurers to protect consumers' information. She said they'd gotten lots of heat from the insurers saying wait until HHS came out with a regulation, but they'd gone ahead because, even when HIPAA was effective, there would still be that two-year delay in terms of compliance date and they didn't want a lag in protections for consumers' health information. So they'd put a general piece into GLBA to protect consumers' health information. GLBA would apply to the HHS regulation and all the details, but if there was this marketing exception, they would make sure it was a state requirement that must be complied with. Ms. Pellow clarified that, once 2003 rolled around, consumers' information would still be protected if property and casualty and other types of insurers now covered under HIPAA held it, but GLBA wouldn't apply to providers and clearinghouses, unless they were deemed to be financial institutions.
The 18 departments at Hopkins serve almost as mini hospitals; patients come to an academic medical center to be cared for in a particular department or divisional which has visibility in its own right. Hopkins is largely funded from NIH and private sponsors, but also depends on private donations to fund about a fifth of its research budget primarily targeted at innovative new research, that otherwise might not be funded. Those fund-raising efforts are carried out through Hopkins' Development Office. Employees are told the department and the physician visited, then contact that former patient and/or family asking if they can tell them more about research opportunities and what the department is doing. For FY 2000, Hopkins' Development Office raised 98.98 percent of its monies from departmental and divisional appeals.
The final regulations allow an institution to use PHI for fund-raising without an authorization only if the PHI used is limited to demographic information (e.g., name, address, phone number, age, gender, and insurance status). Without a signed authorization to use PHI, the department and physician's name couldn't be used. Ms. Pollak pointed out that the patient walked in the door and had to read and sign admittance forms, authorizations for anything non-routine, about half of them had to sign research authorizations--and then all were asked to read and sign a one-and-a-half page, single-spaced form authorizing contacting them for fund-raising and warning there was no guarantee their information would remain private. In reality, she said information given by the development department or an employee was bound by HIPAA and all the protections in place. And a business associate doing fund-raising had an agreement to keep that information confidential. Ms. Pollak said only a misuse would redisclose and that could happen in anything allowed under HIPAA. She noted many exceptions had been made under HIPAA where the risk was balanced against the good and patient protections were built in.
Ms. Pollak said the other alternative was a simplified, straightforward, less threatening authorization specially addressing fund-raising. Instead of the ten substantive requirements for an authorization, with their "misleading" statements, the form simply asked to contact the individual about fund-raising, assuring that information would be kept confidential and not knowingly released. And it asked the individual to let Hopkins know if he or she didn't want to be contacted.
She said an authorization for research needed everything in HIPAA's authorization language. Researchers at many levels in many different institutions would have that information. For decades, Hopkins received almost no complaints. The few they did receive were immediately taken off the list and never contacted again.
Ms. Pollak urged the Subcommittee to consider use of physician, department and division-specific information or, alternatively, a simplified, more patient-friendly authorization form. She emphasized that hundreds of millions of dollars in research support at academic medical centers depended on this decision. Without those contributions, either research would shrink or institutions would place increased demands for valid, important research on the federal government.
Dr. McGinly said AHP, an association of professional development executives responsible for management of foundations and development departments of nonprofit healthcare providers, was attempting to comply with HHS' final rule, but also cautioned it would eliminate demographic information necessary for successful fund-raising. Noting the paperwork burden and compliance confusion, coupled with the recessionary economy and events of September 11, AHP asked to be able to continue gathering patient service information from grateful patients as part of "health care operations."
Dr. McGinly said AHP represented 3,100 members managing philanthropic programs in more than 1,900 not-for-profit, charitable healthcare provider institutions. He noted these institutions had three basic sources of revenue: operations, investments, and philanthropy. Eight years ago, some hospital CEOs considered philanthropy insignificant; today fund-raising carried many organizations. In 2000, AHP's members raised $7 billion ($3.1 billion more than was raised by United Way). Dr. McGinly emphasized that everyone fund-raising in AHP was employed in not-for-profit organizations and the funds were reinvested in the community--not only for research, but for wellness programs, mobile health vans, mammography screenings, eye exams, facility improvements, upgrades and other essentials. If authorization was required prior to making a solicitation, Dr. McGinly said that 3-to-3.5 billion dollars (of $5.7 billion dollars raised in 1998) would be at risk and potentially lost.
Dr. McGinly pointed out that AHP members were professionals and part of healthcare operations: they served as ombudsmen, called on patients and already knew why they were there. But they weren't allowed to use this information that was invaluable in targeting fund-raising to specific grateful patients. McGinly noted that the life of a grateful patient giving to healthcare and healthcare providers was eight-to-ten years; for colleges and universities it was over 20 years. About 73 percent of all gifts to healthcare providers came from individuals. For more than 35 years, AHP members had complied with a code of standards of conduct, which related to the rights of privacy, and with the donor bill of rights put together by AHP and other fund-raising organizations, which included the opt-out concept. AHP cautioned that the rules, as promulgated, would cost the philanthropic healthcare industry between $150-$180 million annually to comply, not including the added burden of millions of dollars for computer upgrades, staff training, attorney's fees, and other compliance obligations. With preauthorization, about half of fund-raisers' philanthropy dollars would be threatened.
Mr. Rothstein observed that many around the table were supported in their own institutions by the generosity of grateful former patients and their families and so were appreciative of the need. But he noted the Subcommittee's task was to balance the interests of the institutions and all the good they did against the confidentiality of the patients. Where balance was struck wasn't always clear or a point of immediate agreement.
Dr. Danaher agreed with Ms. Pollak that egregious violations didn't occur everyday and recommended giving fund-raisers the name of the department and, especially in academic centers, the physician's name. He suggested granting permission in the authorization for the medical center to contact regarding fund-raising, stating the physician, department and diagnosis would never be released. Ms. Pollak concurred. Dr. Harding clarified: a department in a university (e.g. Cardiology) could hire a business associate to fund-raise; using the name of the department, the associate communicated with cardiac patients. The new rule stated the only way to fund-raise would be for the general Hopkins to solicit to the general category; there couldn't be targeted funding. Ms. Pollak confirmed that a-fifth of Hopkins' research funding (150-200 million dollars) came through private donations.
Responding to that morning's discussion about areas of medicine especially sensitive to mailings and phone calls, Ms. Pollak suggested the regulations require that the department not appear on the envelope, but only on the letter. She noted inadvertent opening of mail was a risk in any communication permitted under the regs. Dr. McGinly said members agreed it would be acceptable if the business office kept names of anyone under 18 years old and psychiatric patients separate from those available for solicitation, so long as there was no way that list could end up in the development office or institutionally-related foundations. Ms. Pollak said that information was already restricted and reasonable limitations wouldn't be viewed as impediments. She emphasized that the majority of fund-raising was follow-up, which Ms. Pollak said she was prohibited from doing. She could identify donors, who might give a major gift, but the development office couldn't know the department that person visited and the doctor couldn't call them. Mr. Rothstein clarified that Hopkins wanted to protect the ability of the doctors and researchers to contact their former patients directly. Ms. Pollak said that was how it was done today. If they couldn't do that, it would be the head of the department, with designees, who weren't necessarily that person's patient, making the call. Mr. Rothstein noted there could be ethical concerns about the treating doctor making the call, but not a concern about confidentiality. Involving anyone else raised the issue of how much information about that person was reasonable to disclose for fund-raising. Mr. Rothstein and both testifiers agreed that it would be inappropriate for development officers to access charts and diagnostic information about individuals as part of their fund-raising.
Asked his view on a procedural restriction that at the beginning of any telephone solicitation the individual had to be informed that he or she could opt-out and not be contacted again, Dr. McGinly described a program called PhoneMail targeted primarily at people who were already donors. A letter from a significant person recognizable as a donor and a second letter providing details about the program were followed up by a trained caller with a business associate relationship. The safeguard that individuals who didn't want to be bothered were taken off the list was built into the contractual arrangement.
Dr. Fitzmaurice asked about other authorities besides the HIPAA privacy rule to oversee the industry, guarding against misuse and misapplication of funds and acting as a companion for the misuse of PHI. Ms. Pollak remarked that everybody debated how to regulate business associates. The only way available under the HIPAA law was to get at the associate through the covered entity. Anytime there was an associate, there was potential risk of misuse. Ms. Pollak suggested one might say this information had to be handled either by the institution's employees or a foundation supported by the institution. She cautioned that would hurt small institutions that didn't have their own foundation. Dr. McGinly pointed out that the healthcare provider end of the community was small; members know almost immediately about any problem with a vendor or associate. Dr. Fitzmaurice said he heard that occasionally an unscrupulous company sold a list, but that ethical considerations and the economic value of these lists (and the adverse publicity associated with misuse) made fund-raisers hold onto them tightly. He summarized: what both testifiers wanted most was for an employee of the institution to be able to use the name of the department where the patient was seen in writing and direct contacts that closely targeted fund-raising with institution services.
Noting that a small community hospital couldn't raise money through a one-person department, Mr. Rothstein asked how the Committee could justify a rule that allowed an entity to seemingly treat people differently based on the size of their institution. Ms. Pollak said this rule wouldn't make a difference to the vast majority of hospitals that did general fund-raising. The rule impacted the hundred or so academic medical centers. Smaller providers wouldn't be disadvantaged. Dr. McGinly assured the Subcommittee that the rule would be viewed as something allowable for everyone, whether he or she used it or not. Community hospitals would continue to implement fund-raising programs beneficial to them.
Dr. McGinly explained that AHP determined that it would cost 180 million to comply with the proposed reg by focusing on the philanthropic dollars threatened when they started and the paperwork tracking necessary to ensure there were releases and that they were properly tracked. He said they hadn't had time to calculate the cost of computers and training.
Mr. Rothstein noted that they'd covered one side of the equation: how an overly restrictive rule might have negative consequences for healthcare. The next panel would address the loss in trust in physicians and the healthcare provider/patient relationship, if individuals thought their confidential PHI was being inappropriately used for marketing. Mr. Rothstein said he served on the board of a major disease organization and often discussed with the physician members the awkwardness of their position when they had wealthy patients, who could make a seven or eight figure contribution to curing the disease and, yet, these physicians were troubled that, in approaching them, they might intrude on the physician/patient relationship. He asked how this panel would address that concern about fund-raising. Ms. Pollak replied that this balancing called for weighing potential intrusion of the privacy right against the possible public good. She said Hopkins asked for consideration of that balancing with whatever protections were needed, realizing that this was the way many institutions and much that was good was funded. The proposed reg would stop a good deal of what might otherwise be accomplished. Speaking to the physician relationship, Dr. McGinly commented that there needed to be sensitivity, knowledge and professionalism in fund-raising and occasionally a physician felt it would be unethical to do this. But he said AHP worked this through with AMA, there were many articles supporting it, and physicians spoke excitedly about embracing patients and getting them involved.
Mr. Fanning observed that both testifiers described highly professional and sophisticated operations with organizations that held to a code of ethics and people who put forth their money and attention to join. But he noted the Committee was charged with advising the Secretary on making rules that applied to the entire healthcare sector. He asked about hazards of misuse and embarrassment or other dangers to patients that could result from expansion of these practices administered by people who hadn't signed on to their codes. Dr. McGinly replied that, even for members of his organization, the onus always came back to the institution and institutionalizing these practices and how they conduct fund-raising. He noted that these regulations spoke to health providers well respected in communities. Ms. Pollak remarked that all the covered entities were otherwise covered by HIPAA and, therefore, were to use minimum necessary regardless. Even in things already allowed under the regulations, there could be misuse of information. She noted, as counterpoint, that, under the proposed rule, it wouldn't be permissible to pull together a list of former cardiology patients who'd survived open-heart surgery for an affair where you had a fund-raising. She suggested the rule's wording was inadvertent. People wouldn't be embarrassed; they loved being remembered and invited back. Ms. Pollak said, hopefully, they'd find a way to allow these practices to continue.
Mr. Rothstein asked whether, given a more simplified authorization, any special transitional rules were needed so get-togethers could be held without violating the law because they hadn't previously signed an authorization. Transitional rules for continuing care wouldn't apply to other uses. Ms. Pollak said it was an issue that needed to be clarified. She'd gotten mixed messages from the Office of Civil Rights and HHS. Some said they'd accept the consent people signed previously, because they expected to be contacted for a fund-raising; others said, without an express opt-in subsequent to the effective date of the regulations, they couldn't use any of this information. Noting that events like Ms. Pollak described were also held for educational and informational purposes, Dr. McGinly said the burden was unjustified. He said they should operate ethically and professionally, dealing with those who opted-out, rather than requiring everybody to opt-in. Ms. Greenberg clarified that there was nothing in the rule that would prevent holding a reunion, if there was no fund-raising associated with it. Ms. Pollak pointed out that, even without a fund-raising, an exception would be needed. Protected health information could only be used if it was expressly permitted by the regs. It would have to fit into some category (e.g., an educational get-together might qualify under marketing).
Dr. Hall said one of the College's most troublesome concerns about the privacy regulations was exceptions that condoned and perhaps even encouraged a wide array of marketing activities using what was supposed to be PHI. ACP-ASIM recommended that the use of PHI for marketing purposes be prohibited. Under the final rule, the marketing communications exceptions for healthcare providers fall under healthcare operations that at least require a patient consent before individually identifiable information can be used or disclosed. But these exceptions represent a major loophole for health plans, which can use or disclose PHI for various marketing purposes without patient consent.
A covered entity or third party was exempt from having to obtain patient authorization if it uses or discloses PHI for marketing if the communications: (1) occur face to face with the patient, (2) concern products or services of nominal value, or (3) concern health-related products or services of the entity or third party and certain disclosures are part of the same communication. Dr. Hall noted these exemptions apply to any conceivable face-to-face encounter, including door-to-door salespersons and telemarketers. Nor does the final rule limit the types of items or services that can be promoted: PHI could be used to sell vacations, magazines and cars. Noting the portion of the rule that dealt with nominal value was particularly vague and ambiguous, Dr. Hall pointed out that what was in danger of being damaged--the relationship with physicians and with the healthcare system--was anything but nominal.
Dr. Hall said ACP-ASIM's greatest concern was that the final rule permits marketing communication of health-related products and services on behalf of these third parties or covered entities if the communication: (1) identifies the third party or covered entity as the party making the communication, (2) states whether it received any remuneration, and (3) allows the patient to opt-out from further communications from the covered entity or third party. Dr. Hall noted protection to patients was limited and full of loopholes for the third party or covered entity, and that the physician was thrown inadvertently into the middle of a sale between a third party and a patient: a patient who had a high cholesterol value for the first time on a routine physical examination might receive a letter from a third-party marketer saying, now that you have high cholesterol, your physician asked us to tell you about purchasing a condo or a health spa or reevaluating your life insurance.
Dr. Hall said ACP-ASIM also found the opt-out requirement extremely weak and ambiguous. Noting it couldn't go into effect until after the patient received at least one solicitation, he called this approach too little, too late. The covered entity or third party was only required to make "reasonable" efforts to ensure individuals didn't receive another communication. He said it seemed to ACP-ASIM that it would be extremely difficult, burdensome, and maybe impossible for individuals to actually opt-out. There were no parameters on how far the patient must go to get information removed from a third party's list.
If a covered entity or third party uses or discloses PHI to target communications based on health status, other requirements apply to the communication: (1) determination must be made that the communication might be "beneficial" to the patient targeted (regardless of how slight or trivial benefit might be) and (2) the communication must explain why the patient was targeted and how the product or service would benefit the patient. Dr. Hall said this requirement, too, went against the basic integrity of what patient privacy was about. A promotional post card or e-mail from a third party would have to explicitly say, for example, that a teenager was selected because the patient was treated for a sexually treated disease that the product had been shown to effectively treat. Allowing use of PHI for marketing purposes flew in the face of respect for privacy. Dr. Hall said the College wasn't anti-market, but was against using PHI for competitive advantage in marketing. At the very least, for any marketing contract to occur, patients should be given the opportunity to agree, prohibit or restrict disclosures well in advance of the communication. Dr. Hall called on HHS to achieve greater patient privacy protections by 1) providing comprehensive final rules with a single deadline for implementation and clear directives to safeguard privacy and that the regulations be issued in final forms as soon as was reasonably possible.
Mr. Adams said Lambda was the oldest and largest national legal organization committed to achieving full recognition of the civil rights of lesbian and gay men and people with HIV and AIDS through impact litigation, public policy work and education. Noting the privacy of medical information was critically important to the communities Lambda represented, Mr. Adams said Lambda didn't believe the marketing provisions of the final rule sufficiently protected medical privacy interests.
Mr. Adams observed that the discussion accompanying the final rules eloquently explained that Americans were extremely concerned that the privacy of their medical information was threatened, and he noted especially vulnerable populations, which include people with HIV and AIDS and those who are gay, lesbian, bisexual and transgendered (collectively known as sexual minorities), were even more fearful and concerned about potential breaches of their medical privacy.
An extensive body of evidence documented that stigma and bias against sexual minorities and people with HIV and AIDS remained rampant. Populations represented by Lambda faced frequent discrimination in the workplace, family life, and society and placed a high premium on controlling disclosure of their sexual orientation and health status. Because disclosure meant increased vulnerability, it was often avoided. A recent study in New York State reported that 43 percent of gays and lesbians concealed their sexual orientation from neighbors and on the job and 28 percent hid it from parents or siblings. Nationally, 35 percent of lesbian and gay voters hid their sexual orientation in most aspects of their lives. Willingness to access medical care and be fully forthcoming with healthcare providers was strongly influenced by the degree of patient confidence in the privacy of their medical records.
Research demonstrated that gays and lesbians and people with HIV and AIDS were especially fearful that their medical privacy would be violated; this fear already kept many from accessing medical care and disclosing important information to their medical providers. A study in the New York metropolitan area where sexual-orientation discrimination was considered less pronounced, indicated 30 percent of gay and lesbian patients didn't reveal their sexual orientation. Mr. Adams said patient refusal to disclose sexual orientation to medical providers was even more common elsewhere. Concern about the privacy of their medical records and risk of disclosure to insurers, employers and family members were among the most common reasons given. Fears about lack of confidentiality also heavily influenced the willingness of people with HIV and AIDS to access medical services and care. One study indicated 60 percent of those tested for HIV anonymously wouldn't have tested if their names were reported to public health officials. Some 23 percent of individuals who tested positive for HIV in another study in Los Angeles County said they'd delay accessing medical care until they were actually sick, if their doctor was required to report their name to public health authorities. Mr. Adams pointed out that studies show those infected, diagnosed, and treated were significantly less likely to transmit the virus.
Mr. Adams described real-life examples of disclosure of highly personal and health information that result in severe consequences. In Washington, D.C., a hospital receptionist, who worked a second job at the same place as a patient, saw in the medical records that the colleague had HIV and told everyone at his or her workplace. In Oregon, a ski patroller lost his job when his employer learned his wife had HIV. And an 18-year-old in Pennsylvania committed suicide after police said, if he didn't tell his family that he was gay, they'd tell them. Rather than provide reassurance to those fearing disclosure to non-medical third parties, Mr. Adams said the exceptions provided in the final rule (which purports to require patient consent for use and disclosure to third parties of PHI for marketing) and lack of effective accountability of third parties or "business associates" effectively gutted protections. The final rule allowed healthcare providers and other covered entities to transfer any and all PHI to business associates for marketing, so long as the covered entity determined that the product or service might be beneficial, the communication explained why the individual was targeted, and the patient was advised of his or her right to opt-out of similar marketing communications in the future.
Mr. Adams noted numerous problems with this approach: (1) determination of potential benefit wasn't required to be tailored to the individual patient's specific needs or even evaluated by any qualified medical personnel; (2) HHS's guidance made clear that: (a) the mandated contract provisions were "far narrower" than requirements the rule imposed on covered entities, (b) the requirements didn't apply to business associates, (c) covered entities weren't required to monitor business associates to determine whether they abide by the contract's terms, and (d) covered entities weren't liable for business associates' privacy violations; (3) the final rule discarded a provision that made patients third-party beneficiaries of contracts between covered entities and business associates--patients couldn't hold business associates liable for breaches of contracts mandated by the final rule; (4) the requirement that marketing communications advise patients of their right to opt-out of future communications shifted the burden to the patient to safeguard his or her medical privacy and only allowed for safeguarding after privacy had already been infringed.
Mr. Adams expressed concern that the final rule provided for the unauthorized disclosure of personal health information to third party business associates for such a broad array of marketing techniques (e.g., HHS's July 6, 2001 guidance said a covered entity could transfer identifiable personal health information to a telemarketing company to do telemarketing to targeted patients on the covered entity's behalf, even without patient authorization. Giving more real-life examples of disclosure, Mr. Adams emphasized the marketing provisions' potential for harm to people with HIV and AIDS, as well as to sexual minorities,
Mr. Adams said requiring the covered entity to identify itself as the source of the marketing communication, when a third party was actually the sender, only reinforced the message that personal health information disclosed to a medical provider wasn't confidential and would be disclosed for non-medical purposes. He emphasized that neither the final rule nor existing law provided adequate remedies for unintended disclosures of personal health information that result from marketing or for the discrimination and other harms that result from those disclosures.
The rule doesn't provide a course of action or money damages for patients injured by unauthorized marketing. Mr. Adams noted most states still lacked protections for discrimination based on sexual orientation or gender identity and that about 96 percent of employment and public accommodations discrimination cases lost under the Americans With Disabilities Act.
Mr. Adams said the harms that would result from the marketing provisions of the rule were both irremediable and unacceptable. Because the rule didn't adequately distinguish between financially driven marketing and disease management, these harms weren't justified by the benefit unauthorized marketing would bring either to the individual or to public health.
Lambda urged the Subcommittee to explore means of distinguishing between use of personal health information by current healthcare providers for disease management and use of this information by non-medical third parties for primarily non-medical purposes. Lambda recognized that disease management had potential benefits to patients and providers, but disputed the Department's assertion in the guidance that, because some overlap between treatment, healthcare operations and marketing was unavoidable, covered entities didn't need to draw distinctions. Mr. Adams said Lambda strongly believed that the only way to ensure adequate protection of medical privacy and an appropriate distinction between medical treatment and financially-driven marketing was to mandate that: (1) personal health information not be disclosed to third party business associates, absent a specific time-limited informed written patient consent to each type of disclosure for marketing purposes, (2) personal health information not be used by the covered entity for marketing purposes, other than in face-to-face encounters between the patient and the medical provider, absent a specific time-limited informed written consent for marketing purposes, (3) the patient be notified as part of the consent process about the full range of third parties who might have access to the patient's personal health information and of the fact that the covered entity doesn't accept responsibility for privacy breaches by those third parties, and (4) the patient received notification of his or her rights under the rule (e.g., the rule currently provided that the patient had a right to request that communications regarding personal health information by sent to an alternative location or by alternative means, but there was no provision that the patient would be made aware of that right).
Dr. Hall said the College believed in a role for third parties using PHI to work with a covered entity in the areas of care, disease, and case management. PHI was already used and there was no way to implement a national health system without it. He said the problem was the extent PHI should be provided without the physician's or patient's knowledge. Dr. Danaher walked through an example. A health plan broke down its medical cost ratio and saw that asthmatics and diabetic patients were high cost. They ran their claims, noted how often people bought glucometers, and evaluated the experience of their asthmatics and diabetics. A large pharmaceutical company and the plan discussed a $150,000 grant to institute an asthma or diabetes program, with glucometers and literature provided by the company. The plan's medical director contacted the provider and introduced the program in terms of the ten members with asthma that provider cared for.
Dr. Hall noted that, presumably, the plan attracted subscribers because individuals or a corporate structure paying the benefit were convinced it provided a certain level of healthcare. The assumption was that a financial or fiduciary relationship with a medical supply house would support that level of healthcare and gain financial advantage. He suggested it might be better to conduct a public education campaign than be subsidized by a third party who had not only the ability to market other products to that patient group, but (paralleling subsidies of physicians and physicians' practices by pharmaceutical houses) influenced behaviors of those empowered to divert business between entities. Dr. Danaher countered that a plan that contracted to provide high quality care did so based upon its belief that it was contracting with good doctors who practiced the standard of care. The claims indicated patients with heart failure weren't being prescribed case inhibitors and a large pharmaceutical company offered to run a public awareness campaign, citing literature indicating that, post MIA, patients did better with case inhibitors. Dr. Danaher contended that the fact that the pharmaceutical company produced case inhibitors didn't make this wrong.
Dr. Hall said that, in terms of public education, probably nothing was wrong. But he questioned the reason for an exclusive contractual arrangement. Dr. Danaher said he'd grappled with the difficulty of drawing a line between case, disease, and care management and marketing, and he'd found there were gray areas where the public good was served by third parties. Dr. Hall urged the Committee to look hard at alternative approaches to solving the real problem of improving patient care, rather than developing contractual relationships with entities that had strong proprietary interest in selling a family of products. He questioned making pharmaceutical support for physician education an exclusive arrangement. Making a case that the public good was served by a contractual relationship begged the issue of whether public good could be achieved in ways more protective of patient rights and less confusing in terms of relationships between healthcare entities and a specific competitive business operation.
Mr. Rothstein remarked that, from the testimony, there seemed to be only one area of disagreement: the propriety of face-to-face contact and whether it should be permissible. He asked for instances where face-to-face dialogue between physician and patient wouldn't constitute treatment, but would be health-related marketing that required an exception. Dr. Hall recalled a line from a television commercial: "Wouldn't it be nice if you could have the same degree of trust in your financial adviser as you would in your physician." He cautioned that a physician marketing a product because somebody wanted to promote an entity struck an almost irreversible, fatal blow to the patient/physician relationship. Dr. Hall said he could conceive of situations, which he'd like to think would be rare, but he emphasized that, in a managed care environment, trying to represent both one's self and an outside entity became convoluted and shouldn't happen without patient permission.
Mr. Adams said Lambda presumed face-to-face communication between a treating physician and patient involving discussion or recommendation of a product or service was part of the treatment relationship and wouldn't require advanced authorization. He noted the assertion in HHS guidance that it wasn't possible to separate out marketing from treatment; inevitably, there was overlap and some aspect of marketing might occur in certain kinds of conversations between a patient and a physician. According to the broad definition of marketing in the rule, a physician's recommendation that a patient use a particular medication was marketing. Mr. Adams suggested that if the definition of marketing was more narrowly drawn (stating the primary purpose was to convince of the need for a product or service), the conduct Lambda wanted to protect would be considered treatment and an exception wouldn't be needed. He pointed out that Lambda identified this as an exception to their general proposal that there should be prior patient consent when marketing occurred. Ms. Greenberg clarified that neither Dr. Hall nor Mr. Adams had any problem with face-to-face communication between physician and patient; both were only concerned because it allowed face-to-face communications by third parties.
Mr. Adams said Lambda was concerned that the nominal value exception didn't define the term. He noted it would be an inept exception if appropriateness were measured by a price tag. The dollar value of the product was irrelevant; there were problematic marketing situations with free services or products. Lambda was concerned that patients received any marketing communication in any form derived from their PHI: it constituted an invasion of their medical privacy and signaled that patient medical records weren't private. Dr. Hall agreed--The inability to define nominal value was "the sword upon which this would be impaled." Providers were confronted daily with gifts of nominal value from marketers. What troubled Dr. Hall was that the value of nominal gifts wasn't commensurate with the loss of the lack of privacy or trust in the healthcare system. He noted many who'd studied this decided there was no such thing as a nominal gift. Ample evidence indicated that "a Viagra pencil" was enough to change prescribing habits.
Asked their positions on the issue of the individual's right versus the community's greater good, Mr. Adams said Lambda hoped for reasonable balance. But he emphasized that more than possible embarrassment was in jeopardy. The personal information that could be disclosed through the marketing envisioned in the rule could lead to job discrimination, unemployment, loss of insurance and other compelling matters. Mr. Adams said Lambda didn't discount fund-raising and the general good marketing could serve. But he emphasized that a better balance had to be struck and that obtaining patient consent was a way of pursuing that general good without jeopardizing important individual rights. Dr. Hall said history was strewn with atrocities that resulted from what had been called "the greater good." Like nominal value, greater good was hard to define. But he said Americans took a strong stand for individual rights, and he cautioned against trying to achieve greater good by using PHI as value added to get donors.
Noting panelists had talked about the issue of marketing to minors, Dr. Harding asked about marketing to those with diminished capacity (e.g., in geriatrics, HIV, psychiatry). Mr. Adams said Lambda's concern didn't focus on the individual's capacity to make proper choices about marketing or fund-raising, but on the use of anyone's private information. Dr. Hall recounted his first experience with telemarketing when his then eight-year-old son proudly told how he had bought a fishing boat and motor over the telephone. Dr. Hall said he shuddered to think what might happen if that telemarketer could say, "Dr. Hall thinks it is a good idea for you to get another 50 magazine subscriptions because you might win something."
Mr. Rothstein noted they'd also discussed that morning that, even if the marketing regulation required prior authorization, it still might be necessary or advisable to develop procedural guidelines: when in the conversation certain disclosures had to be made and whether messages could be left on voice mail. He asked if they also supported additional limitations surrounding marketing. Noting that he, too, was a victim of telemarketing, Dr. Hall said limitations would not only be desirable, but probably necessary. Mr. Adams said discrimination often began with disclosure of HIV status through voice mail messages and inadvertent messages. This was a real danger and an important area to explore.
Mr. Fanning followed-up on Dr. Harding's query about balancing greater good: What they'd heard wasn't abstract balancing, but the practical way healthcare facilities sought donations from people they'd served, and those communicating were permitted by the regulation. Testifiers hoped they could continue to use the name of the department. They'd also noted it wasn't helpful or reasonable to ask for a signature allowing contact when the patient entered the facility. Mr. Fanning asked if, in view of those difficulties and the fact that the information would only be used by the facility to communicate to the patient, if they still considered this inappropriate intrusion. Dr. Hall replied that he came from a lifestyle that depended on that type of philanthropy and that the donors they were talking about usually were better informed about fund-raising strategies than the people approaching them. The area he was concerned about was specific patient information.
Mr. Fanning observed there were two models. The way the regulation was written, they had to be informed, but no signature was required and the only information that morning's witnesses wanted was the department. Dr. Hall said he didn't think that was illegal and he couldn't say it was inappropriate, but he pointed out a "hidden danger." The entree might not be that you were a patient in this department, but: "You have a condition the department is very interested in and we are breathtakingly close to a cure.' If these conversations were limited to a select segment of people who wished to be involved in philanthropy, Dr. Hall could concur. But he cautioned that this would be applied to millions of people and other entities. He noted that the call brought to your attention, under these privacy and marketing regulations, that your doctor initiated the communication. Dr. Hall asked how members would feel about not responding and then continuing with that healthcare provider? He worried about an unfair competitive advantage. Noting that Dr. Hall clearly identified a downside, Mr. Rothstein said he'd talked to physicians who lamented being pressured to approach a prominent patient for a contribution and afterwards the patient decided to get treatment elsewhere. Dr. Hall said that was common. The flip side was that the most impressive philanthropy he'd been associated with generally had been from patients appreciative of their private physician. He suggested another approach would be improving the communication skills of individual physicians.
Ms. Serkes said the Association of American Physicians and Surgeons (AAPS), founded in 1943 to protect the sanctity of the patient/physician relationship, had some cross membership with the College. Noting they'd heard a lot about what might happen in the marketing area, Ms. Serkes presented troubling anecdotes capturing what already was happening and that AAPS assumed would only get worse. A provider told her about a patient discharged from the hospital who received marketing and fund-raising materials; the patient died, but the family had the additional emotional burden of receiving solicitations. After having a sonogram, a woman received a gift basket tied up with pink ribbons congratulating her on the impending birth of her daughter. At first delighted, she then wondered what would have happened if there was a congenital problem or illness--Did they know everything in her record? Ms. Serkes described the chilling effect on this woman the next time she saw her physician.
Ms. Serkes noted one could buy or rent marketing lists by disease or health condition. Nothing in this act limited that. She said she'd testified on list management before the National Association of Attorneys General that was looking at state laws or regulations to control it. Ms. Serkes said she would submit a copy of the AAPS vs. HHS court documents and affidavits from patients stating how their concern that HIPAA insufficiently protected their rights made them reluctant to have open communication with their physicians. Ms. Serkes echoed the concern the two panels and particularly Dr. Hall expressed about the damage the implied endorsements brought to the physician's credibility.
She noted, too, how the regulatory burden on physicians Dr. Hall mentioned, as well as possible new burdens had increased. Ms. Serkes submitted affidavits from physicians who stated the regulatory burden and problems with the damage to their credibility.
Ms. Serkes said there had been a number of congressional hearings on the GLBA and the consensus was that opting-out wasn't working. She remarked that she had filled out 15-20 opt-out forms and still was besieged because she hadn't tracked through everything from everybody. She said opt-out wasn't working and put a burden on patients.
Ms. Serkes said the disclosures weren't in plain English, but that people opted-in because of the points Mr. Adams mentioned. There were problems even with opting-in. Without full disclosure, plain language and easy-to-understand opting-in that delineated everyone who might get everything, and the four items he'd mentioned, opt-in was very difficult. Even if they could opt-in, Ms. Serkes expressed AAPS's concern that the burden would be placed on the providers at the point of contact. Even though Mr. Adams ideas were good, AAPS was concerned that if a physician had to ensure paperwork was filled out satisfying all the conditions he mentioned, time would be taken away from patient care. Responding to Mr. Fanning query about delineating circumstances and having guidelines, Ms. Serkes cautioned that adding to the regulations and making them complex, created more chances for doctors to be left "holding the bag."
Following up on the question of a third party actually being in the room during a face-to-face encounter, Ms. Serkes noted it wasn't uncommon for medical device representatives to be in on consults with patients or in an OR. She asked how confidentiality extended if you had a third person.
Ms. Serkes remarked on the difference in how the Department of Justice and HHS responded to the fear factor and how strong it was in the past four months. There had been a limited number of anthrax cases and yet fear was extensive. The public also was fearful of the privacy issue. Panelists talked that day about a fear of their records being disclosed and HHS dealing with the regulations now, rather than waiting until full enforcement was in place. AAPS's recommendation was to amend the definition of healthcare operations to exclude marketing and fund-raising under the PTO.
She clarified that AAPS's basic recommendation was to redefine healthcare operations to exclude marketing and fund-raising. She noted that Mr. Adams suggestions for disclosure and an informed opt-in were good, but expressed concern about increasing the regulatory burden on providers. AAPS's position was that marketing and fund-raising weren't actually healthcare operations--The most direct route might simply be to eliminate them. If Mr. Adams' suggestions of full opt-out were implemented, the provider, being the point of contact, would have to see that the patient filled out the paperwork and did the opt-in. But if marketing and fund-raising were eliminated from the definition of healthcare operations, access to the patient would be prohibited, pursuant to an authorization--lessening the burden on providers. How many people were "dying to give an authorization?" Eliminating them from the definition would reduce the numbers greatly. AAPS would just as soon see all that gone, but realistically, reducing the numbers would be a step forward.
Ms. Greenberg queried if, under the current regulations, it wasn't possible for Hopkins' Wilmer Clinic to directly raise funds (without providing any information to the development office) to their patients. The departments already knew the demographic variables needed for targeted fund-raising; if Hopkins decentralized and departments built internal fund-raising capacities, they might directly fund-raise to their patients, without a business associate contract.
Dr. Fitzmaurice reflected on what the members had learned and how, with some prodding, most the testimony got down to the definitions. Testifiers knew the privacy rule and what they wanted; the harder job would be the Subcommittee's deliberations on what to recommend to the Secretary.
Working from notes of yesterday's hearing and their discussion about the witnesses' recommendations and other issues that arose in question-and-answer sessions, Subcommittee members framed an outline of the issues and options for addressing them to discuss as soon as possible with the full Subcommittee in a conference call, open to the public. Mr. Rothstein said the Subcommittee expected to present a recommendation to the full Committee at the February meeting; otherwise they'd miss the necessary cycle, given publication of the anticipated NPRM. He noted three sets of proposals. One group testified current HIPAA regulations dealing with marketing and fund-raising had the right balance and should be retained. Another group considered the amended balance irremediable and called for the original proposed rule, requiring authorization for all marketing and fund-raising activities. A series of mid-range proposals saved elements of the current rule, while making minor (and sometimes fundamental) changes. Members took up the marketing issues reflected in three of the panels and considered fund-raising.
Members said Mr. Cividanes mentioned that the final HIPPA rule struck the right balance and shouldn't be changed; marketing should be included in the PTO. Ms. Greenberg recalled he'd also noted the required privacy notice would tell everyone what was disclosed and he or she could opt-out or ask for restrictions--although it was also noted that the provider didn't have to agree. Members remarked that the privacy notice would advise individuals if their PHI would be used for any marketing purposes and of their right to request opt-out. Mr. Fanning observed there were two elements to allowed or specifically provided for patient requests: one was to request restrictions of uses and disclosures; the other was a request for communications to occur in a certain way. Neither case stated the organization had to indicate its willingness or its rejection. Mr. Rothstein added that the rule should clarify the rights of consumers following notice.
Ms. Greenberg remarked that Mr. Bell explicitly said, if it was clear pharmacists could remind people to refill prescriptions and tell them about alternative therapies, they didn't need a marketing exemption. His concern was that the rule shouldn't require prior authorization or consider refill reminders and information about alternatives as marketing. Members noted the rule needed to be clear on this and that the Committee might want to consider it as a recommendation. Dr. Fitzmaurice raised the issue of the pharmacist paid to provide information. Mr. Rothstein said they'd have to debate that point and might attach conditions about phone messages announcing prescriptions were ready to be picked up. Ms. Kaminsky remarked she was struck by Mr. Bell's comments on the market-based healthcare system and that reducing marketing freedom might have an adverse impact on prices, costs, and competition. Mr. Rothstein added that information promoted competition and benefited consumers.
Members noted that NACDS generally supported the rule as it is, but would make the following changes: (1) definition of marketing should be changed to "a principal purpose of a communication is to sell a produce or service that is not related to the health of the patient," making all communications by pharmacists treatment; (2) rules should exempt from definition of marketing all communications about treatment and health care operations regardless of whether a third party pays for the communications; (3) opt-out procedures should apply to all marketing (rather than prior authorization); (4) rules should clarify the distinction between treatment communications and health-related marketing; (5) rules should be amended to delete requirement that consumers be apprised of why they received a targeted health-related communication, because this would compromise patient privacy; and (6) refill reminders and information from pharmacists should be permitted without prior authorizations.
Dr. Danaher suggested all the positions and arguments traced back to a fundamental question Mr. Rothstein raised yesterday: whether or not it should be PTOM. On the "no" side were the College, Lambda, NAIC, APA and Mr. Gellman. Hopkins, NACDS, and DMA on the "yes" side requested minor concessions (e.g., using the department name for fund-raising). Dr. Danaher said they were at the seminal question and probably the right decision was not to go down the slippery slope of trying to define case and disease management, but to include it in PTOM. People against PTOM had a seminal fallback position: requiring prior authorization for marketing and fund-raising activities. Mr. Rothstein contended the nay-side's position was that it was inappropriate to treat marketing the same as treatment payment or healthcare operations. Instead, it should be dealt with separately. The way they dealt separately with research was to require prior authorization. There were other steps they'd like to see regarding how marketing was regulated, even with prior authorization. Mr. Rothstein said their fallback position, if the framework remained the same and prior authorization wasn't required, was a series of proposals, some similar, some different, to regulate circumstances under which marketing activities took place as part of TPO. Dr. Danaher said the characterization was helpful because there were branch points where they had to make decisions; he was trying to aggregate and create some order around how they might make logical decisions based upon what they heard.
With only half the Subcommittee's members present, Mr. Rothstein said they couldn't make a substantive call on recommendations to the full Committee, but they could supply everyone with copies of the written testimony and this summary they were revising to prepare for the conference call. They could also come up with a structured agenda depicting this branching tree.
Ms. Greenberg noted GLBA was cited several times for its consumer-friendly provisions and as a precedent for opt-out--though they also heard it wasn't working. Dr. Fitzmaurice said he didn't find much difference in GLBA and the privacy rule, except GLBA permitted opt-out before being contacted and gave notice to everyone. The scope overlapped with insurance companies and financial institutions, but not with providers or clearinghouses. He suggested looking at it for lessons to apply to the privacy rule rather than as a model to follow. Ms. Greenberg noted those opposed to the current rule found it especially galling that someone had to be contacted before they could opt-out.
Dr. Harding proposed other questions. Should PTOM be modified in some way? Should indirect providers (e.g., labs, radiologists) be further regulated? Should minors be marketed? Should voice mail and e-mail solicitation be restricted? Should opt-out and opt-in be specific or general? Could one get out of everything by opting-in or -out, or was it one thing at a time throughout? Should "sensitive" information be further restricted? Should the burden of all this be on the patient, provider or marketer?
Members decided that: the first key issue is whether the current structure of marketing coverage under the rule generally should be continued: (1) currently, health-related marketing is considered part of health care operations (and therefore subject to the one-time general consent) if it is (a) face-to-face, (b) involves other items of nominal value, or (3) complies with provisions for third-party marketing, (2) the other main option is to return to the position of the NPRM--no marketing activities would be permitted without prior authorization.
Regardless of this decision, members noted it is necessary to consider specific recommendations that would revise or clarify provisions. Should there be further regulation or clarification of the role of indirect providers (e.g., how should indirect providers be informed about whether a particular patient has opted-in or out)? Should there be special regulations for marketing to minors? Should there be special restrictions on marketing involving other forms of "sensitive" health information (e.g., psychiatric records)? Should there be regulation restrictions on voice mail, e-mail and other methods related to marketing? Should the opt-out or opt-in be specific or generalized to all "marketing"? Should sensitive information be defined and further restricted? Should the burden be on patients, providers or third parties?
Mr. Rothstein said the staff would prepare for the conference call a separate document listing all the other issues in the testimonies that they hadn't picked up. He noted the comment period was open another week; other things might come in to add to the list.
Members discussed the difference between marketing and treatment. Dr. Harding said Mr. Bell's definition of marketing ("a principal purpose of a communication is to sell a produce or service that is not related to the health of the patient.") should be changed; marketing also involved selling products related to the health of the patient. Mr. Rothstein suggested Mr. Bell's point was that adding principal purpose "tightened it up." He recalled that at the August hearings DMA presented a definition delineating the primary purpose. He said it was debatable whether those kinds of modifications helped. Ms. Greenberg pointed out that, even more important than principal or primary, DMA added that this was unrelated to the health of the patient, which was obviously out of scope. Mr. Fanning concurred: everything they were talking about would be allowable with no requirements or fuss.
Mr. Rothstein suggested they might consider recommending that, rather than trying to regulate what was going on, the Department regulate who was acting. They'd taken that position regarding physicians' communications with patients, but not with other health professionals or indirect providers. He said a different approach might get them away from the principal purpose dilemma.
Ms. Greenberg queried whether the rule spoke specifically to physicians or to any healthcare provider. Mr. Fanning said the regulation envisioned that the term "patient" was used for all these relationships; it didn't distinguish between providers. Ms. Greenberg recalled that the last thing Mr. Bell said was marketing exceptions weren't necessary if pharmacists could send refill notices and tell people about alternative treatments; NACDS's concern was that pharmacists didn't have the right other healthcare providers did without prior authorization. Members noted that, while the pharmacist had a therapeutic relationship with a patient, pharmacies were more like department stores and offered a wide range of healthcare products and services.
Ms. Kaminsky revisited the point about a nuance of possible remuneration to the pharmacist by a third party and how this could shift the treatment/marketing paradigm. Ms. Greenberg observed that the question of disclosure applied to a physician's fiduciary relationship with third parties. Mr. Rothstein recalled pursuing with witnesses whether active investigations and self-regulation were in place to deal with inappropriate marketing by health professionals; nobody said it was happening or probable. Ms. Greenberg pointed out dual components to this issue: whether there was a code of ethics the professional subscribed to and whether anyone monitored or policed it.
Mr. Rothstein recapped. On the first issue, marketing, they were up to their pre-conference call document. The first issue to consider was whether the exceptions should remain, allowing health-related marketing, or if they should recommend wiping them out and requiring authorizations for even those circumstances. Whatever was decided, they still needed to consider a range of specific issues: six that Dr. Harding compiled and others Mr. Rothstein would add based on the testimony and already incorporated in the working document.
Dr. Danaher questioned whether the Subcommittee should take a position on these issues that day or work through them on the conference call. He suggested defining their position might facilitate the decision-making process. Mr. Rothstein responded that the Subcommittee and, to a lesser extent, the full Committee tended to review issues de novo. With only three members present, others might feel steamrollered. Framing the issues clearly and having everyone study the documents in advance could enable each of them to make up his or her own mind and have informed discussion. Ms. Greenberg suggested it would be good to hear if the three members present felt they'd heard from enough people and received adequate testimony to make recommendations. Given the depth and breadth of the testimony and discussion heard yesterday and in August, Mr. Rothstein said he felt confident he had a fair appreciation for the views of the parties and interests on both topics. Dr. Harding suggested having these kinds of questions for the conference call along with extracts from the testimony supporting both sides. Mr. Rothstein expressed concern that only one person had addressed many issues. Some issues they'd developed themselves, after hearing testimony. They couldn't quote pro and con passages from the transcript. They'd talked about issues and gathered important information, concerns and viewpoints, but they hadn't had a full discussion that drew upon the expertise of witnesses. Dr. Fitzmaurice remarked that--just as he'd ask his doctor after getting all the facts, "What would you do?"--The other members would ask what they thought. Interpretations of people with first-hand evidence and the ability to ask questions to pursue the problems or get additional information were important.
While it was a committee's prerogative to change its mind, Ms. Greenberg noted the Committee had come out against treating certain issues as sensitive, stating instead, as Dr Harding did yesterday, that what was sensitive to one person might not be to another and that information should be held at equivalent levels. Mr. Fanning confirmed that was the administration's position in its recommendations to Congress. Setting aside the issue of genetic discrimination laws, he concurred that it was difficult to specify what was sensitive for a general data control enactment. Mr. Rothstein suggested the issue might go away, based on other things the Subcommittee decided. If a series of restrictions on method of contact (e.g., no voice or e-mail unless specifically authorized) were recommended, everyone might worry less about sensitive information because everything would be communicated in an appropriate manner. Mr. Fanning said giving people individual choices about particular uses would help.
Noting Ms. Serkes, Mr. Adams and others had said that the provisions he'd advocated for marketing should apply to fund-raising, Mr. Rothstein said the initial question for the conference call was whether or not fund-raising should be within treatment, payment, healthcare operations. The Subcommittee then needed to consider specific issues raised by witnesses and through discussion.
Mr. Rothstein summarized Ms. Pollak's three points, noting they were based on different assumptions. Her top pick was fund-raising remained within healthcare operations and the name of the doctor and/or department were included in the demographic information. If fund-raising was removed from healthcare operations (and authorization required), her backup position was that the regulations specify a special, simplified form. Her third point was transitional problems had yet to be addressed; the regs dealing with transitional issues mostly focused on consent, rather than non-medical-use issues. Mr. Rothstein noted another issue was whether the regulations put procedural restrictions (e.g., telephone disclosures or methods of contact) on fund-raising efforts.
Dr. Harding noted Ms. Pollak brought up the issue of sensitive information and if there should be different marketing rules for departments of psychiatry or other areas. He agreed with Mr. McGinly: there hadn't been many complaints about fund-raising. Mr. Fanning reflected that program and operational necessities might result in fund-raising usually be done in ways that didn't create resistance or hostility. Dr. Danaher pointed out that they'd heard testimonies from august organizations with polished fund-raising operations; it wasn't inconceivable that smaller, less august hospitals hired third-party marketers that lacked this sophistication. Mr. Rothstein noted abuses had occurred with contractors soliciting for specific disease organizations, but concurred that HHS wasn't besieged by calls and e-mails.
Recalling that Ms. Pollak also emphasized that using the department's name was important in fund-raising for research related to specific conditions; Ms. Greenberg queried whether her request related just to fund-raising for medical or biomedical research or was for all fund-raising. Participants sensed her request was broader.
Asked if the FTC regulated fund-raising activities under any circumstances, Dr. McGinly said FTC didn't regulate, but had an impact. Professional fund-raisers were consultants and weren't licensed, but certified and filed with the state as individuals employed by the healthcare provider. A number of organizations opposed percentage-based compensation for professional fund-raisers ethically, but legally the FTC ruled and decided the other way: one couldn't preclude how someone earned their living. Mr. Rothstein suggested an option might be specific guidelines for fund-raising as an exception or in the non-exempt category. He recapped the fund-raising discussion. The Subcommittee will consider whether or not fund-raising should remain within TPO, then discuss issues around Ms. Pollak's three points. They will also consider whether there should be special rules for sensitive information and specific regulations for fund-raising procedures. As soon as possible, a revised document outlining the "plan of attack" for these two issues will be to all Subcommittee members. Staff will contact members to line-up a two-hour conference call. There probably won't be time to publish a Federal Registry notice, but the phone number and call-in directions will be posted on NCVHS's Web site: www.ncvhs.hhs.gov.
Ms. Greenberg suggested incorporating other points Mr. Gellman made. She noted he'd often used "consent" in his document, but said "authorization," which she thought he'd meant. Consent was only the initial action; anything else was authorization. Mr. Gellman had also pointed out that any information provided to a third party was a breach of confidentiality. Ms. Greenberg said the real question was whether the decision was based on a societal good, public health, or some other issue. She remarked that the query was useful because it made a distinction between the provider utilizing the information and providing it to a third party, which was a breach of confidentiality. Mr. Rothstein observed there was both an intrinsic and consequential value to privacy and confidentiality. The Subcommittee tended to focus on consequential harms (how people lost their jobs or were embarrassed), but there was also intrinsic value to healthcare privacy and confidentiality, irrespective of any tangible harm. Certainly, the degree to which confidence in the physician/patient relationship and the healthcare system were undermined was extraordinarily important.
Dr. Danaher noted a remedy Mr. Gellman mentioned to make PTOM more palatable was full disclosure of all marketing arrangements by covered and third-party entities, including posting details on their Web sites. Thanking the witnesses for their thoughtful, helpful testimony and everyone for facilitating these two days, Mr. Rothstein adjourned the meeting at 10:23 a.m.
I hereby certify that, to the best of my knowledge, the foregoing summary of minutes is accurate and complete
/s/
Chair Date