[This Transcript is Unedited]
Room 705-A
Hubert H. Humphrey Building
200 Independence Avenue, S.W.
Washington, D.C. 20201
MR. ROTHSTEIN: Good morning. My name is Mark Rothstein. I am the chair of the Subcommittee on Privacy and Confidentiality of the National Committee on Vital and Health Statistics.
I want to welcome all of you to our hearing this morning on the issue of marketing and fundraising under the HIPAA privacy reg. I also extend a welcome to those of you who are listening to us via the Internet.
As is customary, we will begin by having introductions of the committee members or the subcommittee members, as well as those in the audience. Let me also note before we get the introductions that I have been advised that the quorum rule that used to apply does not apply to subcommittees of federal advisory committees and, therefore, it is perfectly lawful for us, even though we do not have a quorum of the subcommittee to take testimony this morning, which obviously will be shared with the other subcommittee and full committee members as part of our process and recommendation to the Secretary.
Also, as we go through the introductions, it is customary for us to disclose any possible conflicts of interest. So, I will begin.
I am a professor of medicine and a professor of law at the University of Louisville School of Medicine and director of the Institute for Bioethics Health Policy and Law. I have no conflicts of interest on this issue.
DR. HARDING: I am Richard Harding, M.D. I am professor of psychiatry and pediatrics at the University of South Carolina School of Medicine. My conflict of interest is that I am president of the American Psychiatric Association until May the 20th.
DR. FITZMAURICE: I am Michael Fitzmaurice, senior science advisor for information technology to the Federal Agency for Healthcare Research and Quality. And I can keep a secret.
MR. ROTHSTEIN: We can go through the witnesses as well.
MR. CIVIDANES: My name is Emilio Cividanes. I am an attorney with the law firm of Piper Marbury Rudnick & Wolfe. We serve as privacy counsel to the Direct Marketing Association. I am a witness this morning.
MR. BELL: I am Don Bell, associate general counsel for the National Association of Chain Drug Stores.
MR. GELLMAN: I am Bob Gellman. I am a privacy and information policy consultant in Washington.
MS. KAMINSKY: Stephanie Kaminsky with OCR.
MS. GREENBERG: I am Marjorie Greenberg, the executive secretary of the National Committee and also want to welcome Stephanie as the new lead staff to the subcommittee, I believe.
DR. DANAHER: My name is John Danaher. I am a member of the committee. I am also the CEO of a start-up healthcare e-learning company that does provide training on HIPAA, but I have revealed all my things to the general counsel and others and don't believe my presence here today will be a conflict.
MR. FANNING: I am John Fanning. I work in the Office of the Assistant Secretary for Planning and Evaluation of the Department of Health and Human Services and I am temporary lead staff to the subcommittee.
MS. SQUIRE: Marietta Squire, NCHS.
MS. HAMBY: Pat Hamby, McKesson Corporation.
MR. METTERS: Tom Metters(?), Lab Corp Corporation.
MS. PELLOW: Wendy Pellow, National Association of Insurance Commissioners.
MS. JONES: Katherine Jones, NCHS.
MS. JACKSON: Debbie Jackson, NCHS staff.
MS. FYFFE: Kathleen Fyffe, Office for Civil Rights.
MS. LESTER: Kathy Lester, Patton Boggs.
MR. BADO: Matt Bado(?), Capital Associates.
MR. ROTHSTEIN: Thank you very much and welcome to all of you.
Let me remind you that the purpose of the hearing is to gather information to guide the subcommittee and the full committee in our deliberations and in our recommendations that eventually will go to the Secretary. We have previously submitted recommendations on the issues of consent, minimum necessary and research.
In fact, in our August hearings last year, we did take up the issue of marketing, but the subcommittee felt that we did not have sufficient information at that time to provide an informed recommendation to the Secretary on that issue. So, we deferred that and are, therefore, revisiting that issue today, along with the issue of fundraising.
There will be an opportunity for public testimony, as you see on the agenda, that is available. So, those of you from the public, who are interested in testifying on either of these issues, you will see two times that are available today.
In addition, we will allow interested individuals and organizations one extra week, which would be close of business, February 1st, Friday, to submit written comments if you have not done so already and all of those comments will be considered by the subcommittee and the full committee.
We are especially interested today in identifying practical problems and concerns and where appropriate, specific recommendations for the Secretary. I want to thank our acting lead staff, John Fanning, for his work in organizing this hearing this morning and I welcome OCR to our hearings.
Let me remind the witnesses that you will have 10 to 15 minutes for your initial comments and then we will have questioning from the members of the subcommittee.
Are there any other matters that we need to address?
[There was no response.]
Okay. First, I would like to welcome the members of the first panel. The first two panels this morning will be on marketing and in Panel 1 we have already heard from by introduction the three speakers. So, let me just first call on Mr. Cividanes.
MR. CIVIDANES: That is right. Thank you.
Chairman Rothstein, members of the subcommittee, staff, I welcome this opportunity to come and testify today on behalf of the Direct Marketing Association. We all appreciate that you are spending an entire on the subject of marketing and fundraising under the HIPAA rules.
The DMA has been active in the development of the HIPAA privacy rule, having filed comments on the proposed rule and having submitted comments to the subcommittee last August as well. By way of background, the DMA is the leading and largest trade association for businesses interested in interactive and database marketing with almost 5,000 member companies from the United States and 53 other nations.
While direct marketing practices date back to Benjamin Franklin, the DMA was founded 85 years ago and includes among its members direct marketers from every business segment, as well as the non-profit and electronic marketing sectors.
Because direct marketing entails selecting audiences that are most likely to respond to solicitations about specific products and services, the DMA has been active in privacy matters for several decades. Indeed, in the context of health data, the DMA has issued its own guidelines in using health-related data.
The DMA guidelines apply to individually identifiable health-related data gathered either within or outside of the patient/provider relationship. The DMA has also undertaken efforts at educating members about HIPAA. These efforts have included a seminar, which I participated in last year, for companies and non-profit organizations that use health-related data for marketing research and fundraising purposes.
Although my testimony here today will address only marketing, since it is the lead-off panel and start off at 10,000 feet, 5,000 feet, I want to point out that our written testimony also addresses the fundraising provision of the HIPAA privacy rule. In the DMA's view, in revising the treatment of marketing communications in the initial rule, the Department of Health and Human Services has struck the right balance between protecting consumers health-related data and preserving their right to receive the benefits of marketing.
The final HIPAA privacy rules reflect the Department's judgment that disclosures of protected health information to third parties for these other parties' own marketing purposes, the traditional list rental type of situation, usually should be permissible only when a covered entity has secured the individual's authorization. The rule also reflects the Department's judgment that covered entities should be permitted to use protected health information to engage in certain marketing communications with patients and plan participants, but only when the individuals have consented to the collection, use and disclosure of such information for treatment and health care operations, PTO, and are provided with the opportunity to opt out.
Nevertheless, there has been criticism of these provisions of the HIPAA during the subcommittee's hearings last August and no doubt there will be today as well, raising both real, past controversies and hypothetical situations. The thrust of the criticism is the Department should revert back to the initial rules approach for requiring a detailed and burdensome authorization prior to the use or disclosure of any protected health information for marketing purposes, including marketing type communications by covered entities themselves.
The DMA believes that revising the final rule as has been proposed would be a major mistake. First, dropping marketing from PTO in order to address concerns about the third parties engaging in certain restricted communications with patients or plan members, the Department would be denying individuals the benefits of helpful communications from their own health care providers and insurance companies.
Instead of examining the unintended consequences of the marketing provisions of the final rule, the Department would again face all of the unintended but now identified consequences of reverting back to the proposed rule's authorization requirements for virtually all communications with patients and plan members.
The DMA pointed out in its comments on the proposed rule, privacy protection is not balanced when detailed and lengthy authorization would be required before even the following types of situations, where a physician could even inform patients of new office hours or of a change of address or could send a reminder notice that it is time for a six month checkup or a dentist could inform patients of expanded services or the arrival of new state of the art equipment or a pediatrician could inform patients of the opening of a children's clinic at a new convenient location.
Those were the kinds of results that were posed by the proposed rule. In this context, DMA believes that the principal issue is what is the appropriate manner to protect privacy interests when a covered entity wishes to use protected health information for internal purposes only and limits the purposes for which the data will be used in certain marketing communications. We submit that in such circumstances, privacy interests are protected and the covered entity furnishes individuals the opportunity to object to the use and honors the request of the individuals who object in a timely fashion to such uses.
This approach permits covered entities to communicate with patients and plan members, enables individuals to obtain the benefits of marketing communications from the health care providers and insurance plans while protecting the privacy interest of those individuals who would prefer not to have their information used for such purposes.
Second, even some of the criticism from the August hearing about the use via this data by third parties for marketing communications is unfounded. For example, as grounds for changing the HIPAA privacy rule, one witness raised the specter of a 1998 controversy surrounding the disclosure of a marketing arrangement between a chain of drug stores and a marketing company.
Later in her testimony, the witness acknowledged that "the fact that the business associate marketing firm will essentially step into the shoes of the pharmacy and have to comply with the regulation may make this type of situation different from the 1998 situation that I have talked about." Well, as we know, the HIPAA obligations imposed upon business associates are among the most protective safeguards of any of our nation's privacy laws.
The fact that the issue of safeguards is very important in the analysis, in fact, the United States Supreme Court has held that the protections afforded to personal information is a critical factor in determining whether a particular practice poses a threat to privacy interests. I am referring to the Supreme Court case in Whalen v. Roe, where the court considered a privacy challenge to the State of New York's collection and storage of prescription data about patients, finding that the government's privacy and security safeguards prevented unwarranted or unprotected disclosures for third parties, the unanimous Supreme Court held that the challenged practice did not constitute an invasion of any constitutionally protected privacy right.
Here, in this situation, HIPAA's very restricted conditions requiring third parties to receive protected health information for marketing purposes only if business associates makes this type of situation far different from the controversies that have been brought to the attention of the subcommittee.
For reasons such as these, the subcommittee should not accept at face value allegations that the marketing provisions are inadequate. Like the Congress, which last year rejected efforts by some to change the financial privacy rules of the Gramm-Leach-Bliley Act before they had even gone into effect or been given the opportunity to be implemented fully, this subcommittee should resist making any significant changes to the marketing provisions of the HIPAA privacy rule at this time.
We urge the subcommittee to preserve the balance that the Department has struck between protecting consumers' health-related information and preserving their right to receive the benefits of marketing. We also appreciate your taking into consideration the DMA's views as you issue additional guidance in the marketing and fundraising areas.
I look forward to answering any of your questions later in the hearing.
MR. ROTHSTEIN: Thank you very much.
Without objection from the committee, subcommittee members, we will hear from all the panel members and then have an open discussion, if that is okay.
Mr. Bell.
MR. BELL: Thank you. Good morning.
Mr. Chairman and members of the committee, thank you for the opportunity to discuss the Marketing provisions of the HIPAA privacy rules. I am Don Bell, associate general counsel for the National Association of Chain Drug Stores. NACDS members operate over 34,000 community pharmacies and employ over 100,000 pharmacists across the country.
Initially, let me reaffirm that pharmacies recognize the tremendous value of protecting patient privacy. Confidentiality is an important aspect of the professionalism that our pharmacists practice every day. Protecting privacy is the foundation for the bond of trust that links pharmacists and patients. Protecting privacy is also a good business practice.
NACDS members know that they may lose customers if they do not protect patient privacy. For decades, pharmacists have been rated at or near the top of the list of America's most trusted professionals. NACDS members have no interest in adopting marketing policies that endanger that trust.
Now, the limitations on marketing are some of the most complex provisions of the privacy rules. My testimony will address some of the confusion that pharmacies have expressed regarding the marketing restrictions and I will propose specific solutions.
I also hope to put this often emotional issue into its proper health care context. The context of the marketing limitations is key. America has a market-based health care system that depends on marketing as a method of informing consumers about the availability, quality and price of health care products and services.
In the past, limitations on marketing have inadvertently resulted in reduced price competition, as consumers were kept in the dark about the availability and the cost of products and services. So, we should be careful not to assume that there is something wrong with informing consumers about products and services.
To view the marketing rules in context, let me describe the two main examples of how some pharmacies could use consumer information in ways that might be considered marketing. The first example is commonly referred to as a refill reminder. When patients fail to refill their prescriptions as ordered by their physicians, a pharmacy may call or write the patients to remind them of their doctors' orders. Rather than charge patients for these reminders, the pharmacy may be paid by a third party, such as the manufacturer of the drug.
There is no need to disclose patient information to the manufacturer. Instead, a pharmacy can simply tell the manufacturer how many refill reminders it made and the manufacturer pays a fee for each refill reminder. Now, studies prove that refill reminders save lives. Refill reminders also save money because patients who take their medications as prescribed are less likely to end up in the hospital.
The second example is a recommendation of an alternative medication. When patients are taking expensive brand name drugs, a pharmacy may inform them about generic drugs that have the exact same ingredients, but cost much less. A generic drug manufacturer might pay a pharmacy to make these communications. Again, there is no need to disclose patient information to the manufacturer. Instead, the pharmacy can simply tell the manufacturer how many of these communications were made to patients and the manufacturer pays a set fee for each communication.
These communications help patients save a tremendous amount of money. So, despite all the alarmist rhetoric about how health care providers might misuse patient information, these are the only real life examples I know of where pharmacies use prescription information in ways that some may consider to be marketing.
These communications help patients. The vast majority of the so-called marketing practices by pharmacies lead to better informed, healthier consumers. So, we must avoid the temptation to overreact against marketing under the false assumption that earning money by informing patients is wrong.
One example of overreacting against marketing is the overly broad definition of marketing in the privacy rules. Marketing is defined as a communication about a product or service, a purpose of which is to encourage recipients of the communication to purchase or use the product or service.
Now, in our market economy, encouraging the use of a product or service is a purpose of virtually every health care communication. For example, a pharmacist who encourages a patient with diabetes to use a glucometer is performing a valuable service even if the pharmacy may eventually profit if the customer purchases the glucometer from that pharmacy.
Therefore, NACDS recommends that the definition of marketing should be modified to apply only when the principal, rather than a purpose, of a communication is to sell rather than encourage the use of a product or services that is not related to the health of the patient. This revised definition fits most people's understanding of what constitutes real marketing.
Now, pharmacies appreciate the fact that the rules exempt from the definition of marketing certain treatment and health care operations. For the reasons discussed above, these exceptions are essential to allow providers to discuss health issues with their patients. However, there are two principal problems with the way these exemptions are promulgated in the rules.
First, the exemptions are limited to only some treatment and some health care operations activities. NACDS recommends that the exemptions from the definition of marketing contained in the rule should be extended to all activities that fit within the definitions of treatment and health care operations. We cannot discern from the rules or the preamble or the HHS guidance any reason why all treatment and health care operations activities are not fully exempt.
Making this revision would alleviate confusion and simplify the rules without threatening patient confidentiality. Second, the exemptions do not apply if a covered entity is paid by a third party to make a written communication. So, a phone call from a pharmacy reminding a patient to refill a prescription will be exempt from the marketing rules, whether or not a third party paid the pharmacy to make the call.
But the same refill reminder from the same pharmacy, paid for by the same third party may not be exempt if the communication is written. Again, the rules, the preamble and the guidance provide no reasonable basis for favoring telephone calls over letters.
So, NACDS recommends that the rules should exempt from the definition of marketing all communications regarding treatment and health care operations regardless of whether a third party pays for written communications. We should avoid the prejudice that there is something wrong with earning money by providing health information to patients.
Well, assuming a communication constitutes marketing, a signed patient authorization will ordinarily be required before using or disclosing protected health information in conjunction with that communication. However, if the marketing communication is health-related, then a signed authorization will not be required and instead, the communication must include a method of allowing the patient to opt out of receiving similar communications in the future.
NACDS has three suggestions to make this approach more workable. First, rather than require prior signed authorizations for some marketing communications while requiring procedures for others, the procedures should suffice for all marketing communications made by or on behalf of a covered entity. That is Congress' approach to financial information privacy. There is no need to require separate signed authorizations because the rules already require a written privacy notice and a signed consent form from every patient.
As long as the privacy notice explains how protected health information may be used and the patient signs a consent form based on that notice, there is no need to require a patient to sign a separate redundant authorization form.
Moreover, allowing procedures would be a less burdensome alternative to requiring prior authorization, which is a limitation on free speech that is currently being challenged in federal court.
Second, at the very least, the rules should clarify the distinction between treatment communications and targeted health-related marketing communications. The distinction is important, because treatment communications are exempt from the marketing restrictions; whereas, health-related marketing communications must include procedures.
The rules, the guidance and the preamble do not explain or give examples of the difference between treatment communications and targeted health-related communications.
Third, the rules require an explanation regarding why a consumer received a targeted health-related marketing communication. Mandating this explanation in the communication could compromise patient privacy because it requires the covered entity to disclose health information that would otherwise remain private. NACDS recommends that the rules should not require covered entities to disclose protected health information in targeted marketing communications.
Thank you again for considering NACDS's recommendations. We pledge to work with the committee to help pharmacies understand and comply with the privacy rules.
MR. ROTHSTEIN: Thank you, Mr. Bell. Appreciate it.
Mr. Gellman.
MR. GELLMAN: Thank you. I have some power point slides. I don't know if they are loaded on the computer here, but I will proceed anyway. I think there are copies of the slides available to committee members.
I am Bob Gellman. I am a privacy and information policy consultant in Washington. I am here representing no one other than myself. Just by way of background, I was a member of this committee for four years and I have been working on health privacy legislation for more than 20 years.
I have three general areas that I want to cover. One is I want to just talk broadly about the marketing role. I want to identify some of the problems raised by the rule and I want to talk about some of the solutions.
The rule itself -- I have been working on health privacy legislation for more than 20 years and I have seen an enormous number of proposals on health privacy. The marketing rule is the single worst thing I have ever seen proposed, let alone adopted. It is absolutely appalling. It is an exercise in terrible public policy and there is absolutely no justification for the rule whatsoever.
Just to make a point, when health privacy legislation has been discussed off and on over the past 15 years, people often made the point that we have better protections for video rental records in law than we do for health records. Well, the truth is with this marketing rule, we still have better protections in law. Your video rental records have greater legal protections against marketing uses than your health records. And that is absolutely appalling.
I could go on at greater length, but let me try and get into some details. What are some of the problems here? First, patients hate this idea. They hate the use of their health records for marketing. Patients do not expect their records to be used for marketing. Frankly, the use of health records for marketing has always been considered to be unethical by the medical profession.
I can cite you hearings going back 20 years where this question has been raised and everybody in the medical profession says it is unethical. It is improper. Marketing uses of medical records are wrong.
Frankly, what is going to happen as a result of this -- and we will go into some of the details -- is that patients are going to scream bloody murder when they start finding out how widely shared their records are and the people who are going to be blamed for this are physicians because patients are not aware of all the institutions in the health care system that see their records.
They are all going to assume that their physicians did it and the whole basis of doctor/patient trust and confidentiality will be affected by this marketing rule. If you want evidence of the patient's view of marketing, you only have to go back to the 1998 Washington Post story that revealed that Washington area pharmacies, Giant Food and CVS, were using records for patient reminders about refills for the kinds of things that Mr. Bell talked about.
Well, as soon as patients found out what was going on, they screamed bloody murder. They hated this. And within a couple of days after the story hit, both pharmacies stopped the program dead. This was a relatively mild mannered use of patient records for marketing. It really wasn't anywhere near as far afield as the rule allows.
I think it is interesting to note, by the way, that there is litigation over this right now in several states, that CVS has been sued and for whatever it is worth, CVS went into court in another lawsuit in New York and argued before the court that drug stores have no duty of confidentiality to their patients, which is not what we hear from the chain drug stores. But I think that the fact a drug store can go into court and make that argument is not only wrong but it is appalling.
So, what are the problems with the rule? Now, this rule is riddled with loopholes and if we went over it in great detail, it would take two hours. It is just filled with problems, but I am going to point out some of them.
First, the rule permits disclosure of information by children. When I talk about disclosure, I am talking about disclosure for marketing. This means information can be given to third parties. Frankly, one of the answers that you have heard from, I think, both of the previous witnesses is, well, information can only be shared with business associates who are covered by the rule. That is a violation of confidentiality.
Whenever you share information with anybody, it is a breach of confidentiality. The question is whether it is justified. I think most people had their first exposure to confidentiality in elementary school. You had a secret and you told your friend Billy and you swore him to secrecy and you discovered the next day that Billy told Johnny. You confronted Billy and he said, well, I did tell him, but I made him promise not to tell anybody else. It is still a breach of confidentiality.
You know, Benjamin Franklin said -- and I think it applies here -- that three people can keep a secret if two of them are dead. The sharing of information with other people, whether they are subject to the rule or not, doesn't make any difference. It is still a breach of confidentiality and it still has to be justified by some important public purpose and chain drug stores making money by selling patient information isn't one of them.
So, information about children can be shared. There is no restriction on this. Information about children can be shared and used for marketing. I don't know what the justification is. Children can be marketed, too, under this rule.
Information about psychiatric treatment can be shared; abortions, drug abuse, every other medical condition, treatment, diagnosis without exception or time limit. Now, under the rule if my wife is being treated by a doctor for a broken leg, it is a violation of confidentiality, it is a violation of the rule if the doctor says to me did you know your wife had an abortion or had psychiatric treatment 20 years ago. The rule expressly says that you can't disclose that because it doesn't relate to current treatment.
However, the marketing provision has no such restriction and you can compile a list of women who have had abortions 20 years ago. You can compile a list of people undergoing psychiatric treatment and you can give them to third parties and use it for marketing.
These people can get phone calls saying, hi, we understand that you had an abortion 20 years ago. Would you like to buy something? That is permitted under the rule. The rule also permits the release of information for marketing by indirect providers. Now, there are a slew of people involved in the health care system.
You go to see a doctor. The doctor knows what your condition is. If he sends a sample to a laboratory, the laboratory also knows something about you. The laboratory is an indirect provider. There is no notice from the laboratory. There is no consent -- this is exempt from the consent rules. There is no notice. There is no contact between the patient and indirect providers.
An x-ray facility could be an indirect provider, a consulting physician. Indirect providers can take information and use it for marketing. You don't even know who that laboratory is or what it is doing. Yet, if they got your sample for a pregnancy test and find out it was positive, they can sell your name to somebody else for marketing purposes. I think that that is appalling.
Clearinghouses, which are processing health claims can take information and use it for marketing and I understand -- I have heard rumors that clearinghouses are gearing up to take all of the health claim information that they routinely get and use it for marketing.
When you look at routine medical transactions, you know, a visit to the doctor may involve information being shared with the doctor, with the laboratory, possibly with an x-ray facility, with a pharmacy, with a pharmacy benefit manager, with a health plan, possibly with an insurer. Every single one of these institutions can take the information and sell it. There is going to be a race to the bottom.
There is going to be a fight among all of these institutions to be the one to get the money that is available by making these records available for marketing. One of the things that is going to happen is patient information is going to become very cheap because of the competition that this rule encourages in the sale of patient information.
Third problem, the rule does not require patient consent. The rule only requires opt out after the fact. Mr. Bell compared this to the Gramm-Leach-Bliley rule for financial privacy. Well, we have better protections for financial privacy records than we do. Gramm-Leach-Bliley requires that everyone be given the opportunity to opt out before their records are used for marketing purposes and other purposes. This rule does not.
Your records can be used for marketing without your consent and you have no chance to object until after you have been marketed to. That is absolutely appalling.
There is no requirement in this rule that your rights be easy to exercise. There is no requirement that anyone marketing to you provide a toll free number for opt out. There is no requirement that they provide a post-paid envelope. There is no requirement that there be an Internet site where you can readily opt out.
If you compare this to the Gramm-Leach-Bliley rules, you will see that under Gramm-Leach Bliley there are some of these requirements. There is not even a provision in here that says opt outs have to be free. Someone could say if you want to opt out, you have to pay five dollars. If you want to opt out, you have to write a letter, give us your name, give us your address, give us your social security number, give us the name of all the doctors you have been seeing, all your diagnoses, everything else. When you have completed this letter, then we will let you opt out.
There is nothing that make s simple to do. Indeed, patients could be required to opt out dozens of times. Imagine, if you all look at your own experience, you have a family practice doctor. You may do business with a pharmacy. Laboratories, x-ray facilities may be part of routine treatment. You have dentists perhaps, pediatrician, gynecologist, ophthalmologist, sports medicine doctor. And this is just for healthy people. People who are sick may have multiple institutions that they do business with.
All of these people can sell your information for marketing and if you want to opt out, you may have to opt out separately to each one. A family of four could easily have to write 50 letters to try and opt out. You can't opt out before the fact. You don't have that right. You can write a letter that says no one in my family wants the information to be withheld for marketing purposes. You only acquire the right to opt out after you have been marketed to.
If a husband gets a marketing solicitation, he can't opt out on behalf of his wife, nor can she opt out. Only after she has received a marketing solicitation and then each opt out is case by case. You have to opt out from your doctor separately from your pharmacy, separately from the PBM, separately from the health plan, separately from the laboratory.
This is sort of an impossible situation. The rule for financial privacy says that making someone write a letter to opt out is an unreasonable activity. The people who wrote this rule didn't know what they were doing. They didn't even read the Gramm-Leach-Bliley rules and do anything to make opt out simple. There is not even a provision in here that says opt out -- it talks about when opt outs expire. Opt outs should be permanent.
More problems. Marketing data can very readily escape from the HIPAA process. Now, if you are giving information to a third party to engage in marketing, it is
-- that third party has to be a business associate and subject to the rule.
Well, it is very simple and it is very easy to create a structure whereby the information loses whatever protection it has. Marketers are not covered entities. So, I can give information to a marketer and the marketer can communicate with a patient. The responses from that patient are not covered. They are not protected information and the recipients of that information may not be covered by the rule.
Let me give you an example. I send out a solicitation to diabetics. It only goes to diabetics. It has got a code on it, so I know that it went to diabetics. The responses -- I hire a third party company to do this and I make an offer to diabetics. The people who get this then respond perhaps to a third party, to another company.
The responses all go to that company. Whatever the request is for because of the code, that company knows that all the respondents because of the nature of the campaign are diabetics. Now, we will list everyone who has responded, whatever the product is for, whether it has anything to do with diabetes or not. You know, everyone on that list is now a diabetic. The information is not covered by HIPAA and can be resold, reused in any way, shape or form without any controls. It is very simple to set up a marketing campaign to do this.
You simply have a whole series of companies that can be separately incorporated, separate subsidiaries or, indeed, wholly independent. It is real easy to do. So, information that comes back from patients in response to marketing campaigns can be used without restriction even though there are some HIPAA restrictions on the covered entities and their business associates.
How to deal with this. It is really hard to come up with a solution. This rule is so toxic that it is really hard to find a way to fix it. I have a whole series of ideas, which I offer in the alternative. They are not cumulative. Some of them may work with others.
My first proposal is to simply repeal the marketing rule in its entirety. I would retain the current provision that says individual advice from a provider or a health plan is not marketing. Whatever your doctor wants to tell you, whatever kind of advice that doctor has for you, that is not marketing. That is treatment. That is the only thing that this rule got right.
The rest of the rule isn't necessary. Marketing uses should be covered by authorizations that are signed by patients in advance. I would prohibit all disclosures that involve for health care operations, disease management -- one of the problems with this rule -- and this is inherent to the subject -- is that it is really hard to distinguish between some of the categories of disclosures that are permitted.
The rule permits disclosures for marketing. It permits disclosures for health care operations, for disease management, for case management, for other things. I can take almost any transaction and call the same activity, marketing or treatment or disease management or case management. These terms are not defined and it is a real problem. It is a difficult one to solve and I don't have a solution.
One of my solutions is to prohibit disclosures, which involve the payment of money where someone is getting paid to do something. If there is no financial incentive to share information, then a lot of the interest in doing so would disappear. That is one way to try and control this.
Another set of solutions is to prohibit non-consensual marketing disclosures by certain institutions. The ones that I would do this for are indirect providers. Laboratories that process samples and provide reports for doctors should have no business being able to take the results of those tests and disclose them to third parties for marketing in exchange for money.
Clearinghouses should not be allowed to engage in any marketing disclosures whatsoever. And employers should not be allowed -- employers play a lot of roles under the health care system and under this rule and employers, just like any other institution, may be covered entities and may acquire to disclose information about their employees for marketing purposes. That should be expressly prohibited.
Other ideas. I would prohibit -- and by the way, I filed comments for those who want to see some of these ideas in a little more detail -- I filed comments with the Department on the second round on March 22nd last year and included a whole series of these ideas with a little more detail. Those comments are available.
I would prohibit marketing. One of the real problems here is the use of third parties. Now, it is one thing to say, well, we are giving it to a third party and they are protected by the rule. Well, if the third party is your sister-in-law or your uncle, you are not going to be very happy that that third party got medical information about you. It is a very easy way for information to leak out to people that you don't want to have it.
I would prohibit any disclosure for marketing purposes to a third party. Now, this will definitely create some discontinuities and admittedly so. If you are capable of sending a communication on your own, if a pharmacy or hospital has a letter shop in its basement and can send out a marketing solicitation without using a third party, that would be permitted.
If it had to hire a third party, it couldn't do it. It is the disclosure to the third party that is the breach of confidentiality. Marketing is not enough of a public purpose that we should permit that. This is one way to draw a line. It is a little bit artificial, but it is a proposal.
I would prohibit all marketing involving information about children. Any information about a child should not be available for any marketing purpose without the consent of the parent, and consent here means the advanced written consent, subject to the full authorization procedures of the bill -- of the rule. Sorry. I have worked so long on health privacy bills that never pass that I automatically refer to everything as a bill.
I would prohibit a disclosure of any information for marketing purposes that relates to any sensitive treatment or condition. There shouldn't be any marketing of information about sexually transmitted diseases, about psychiatric treatment. What is a sensitive treatment or condition? It is really hard to define. This is one of the problems with fixing the marketing rule. Why would we possibly allow anyone to sell lists of psychiatric patients?
Remember, I don't think the psychiatrists have any interest in doing this, but the clearinghouses might or a PBM that is filling prescriptions for psychiatric treatment might be very happy to do this. We need to find a way to provide protection for this. I don't know how to define "sensitive information," but even if we came up with a partial list, that would be an improvement over what we have.
Other ideas. I would require affirmative patient authorization for any marketing activity under the full set of rules here. I mean, if you want to allow someone to see your records, if you want to allow your lawyer to see your records, you have to sign a full authorization. The notion that marketers can get your information without that same degree of protection and without that same degree of patient consent is terrible.
I would require that any authorizations for marketing expire promptly. I would propose three months and I would be willing to be pushed back to four. There should be very strict limits on marketing because I think that -- I am not sure that people understand or will understand the breadth of some of these kinds of authorizations that they might be asked to sign.
I would prohibit any covered entity from soliciting a consent for marketing, authorization for marketing on behalf of a third party because I don't want physicians or health plans that are routinely getting signatures from patients as they enter the health care system to be signing forms and not know what they are doing.
They should not be allowed to solicit authorizations for marketing on behalf of third parties. A final set of suggestions. I think that there should be a clear, conspicuous and complete disclosure of all marketing arrangements between data providers, between covered entities and others and I mean very specific. All the parties and interests that are paying for the marketing activities and the sharing of information should be identified and the amount of money that is being paid should be identified.
I want a pharmacy or a hospital that is getting money from a drug manufacturer to have to tell its patients we have been paid $10,000 to make available to this drug manufacturer information about all of our diabetic patients. That kind of disclosure would make institutions stop and realize what they are doing and if they had to disclose that, they wouldn't do it.
The rules require -- and this is one of the few restraints on marketing -- the rules require an accounting for disclosures. Now, that means that when information is given by a covered entity to a third party, to a business associate, that there has to be an accounting for that. There has to be a record of the disclosure and that has to be available to the patient.
I don't think the rule is adequate when it comes to marketing. A lot of times a marketing campaign will be done by sharing information with a third party that is a letter shop. All they are doing is taking the names and taking a letter, matching them and sending something out. The whole operation is being financed by a drug manufacturer.
I think that the name of the real parties and interests of that drug manufacturer should be included on the accounting so that patients can understand. Because if you see that your information was disclosed to the XYZ Letter Shop, that will mean nothing to you. If you see that it has been disclosed to the Mammoth MegaBucks Pharmaceutical Manufacturer, you will understand what was going on.
Finally, I think that there should be better opt outs. I don't support opt outs after the fact. I don't support opt outs before the fact, but if you are going to have opt outs, I think there have to be better opt outs and that includes you should be able to opt out at any time. Indeed, you should be able to opt out in advance. Opt outs must be offered regularly, not just in marketing communications, but in other ways. Opt outs should be free. Opt outs should be easy. Opt outs should be permanent and opt outs should be broadly effective.
Broadly effective, let me explain that, because this is my sneaky way to make marketing almost impossible. What happens when you opt out? I get a solicitation that was mailed to me by the XYZ Letter Shop on behalf of a pharmacy or hospital or health plan or a PBM or any other dozens of institutions that are capable of selling my information for marketing use.
I say I don't want to get this anymore. Who is that opt out effective against? Is it effective against the XYZ Letter Shop? Is it effective against the XYZ Letter Shop only in this campaign when, in fact, if that letter shop is hired by another institution, it is not effective against them?
Is it effective against the underlying institution? Who is it effective against? I want it to be effective against everybody. If you know that someone, a patient, has opted-out, if you are a letter shop or a hospital, any opt out is permanent. It is total. If you are a letter shop doing business for Hospital A and a patient has opted-out, that letter shop is prohibited or should be prohibited from sending any marketing to that patient on behalf of Hospital A or any other institution. Everyone who knows about an opt out directly or constructively should be permanently banned.
Now, the record keeping that would be required to manage that would be difficult. I would also say that it is also effective not only against the institution but against every single one of its affiliates to prevent everyone from simply operating, reincorporating under a new name for every campaign. If you are owned, same -- common ownership, a joint operating, a joint marketing activity, it is effective against everybody.
It maintains the structure and the record keeping would simply make it very difficult. One of the things that this rule does not provide is any remedies for patients. That is a limitation of the law. It is not a criticism of the rule, but no matter how widely spread your information is and no matter how you may be inconvenienced, embarrassed by what has been done in the name of marketing, you have no remedy under this rule.
I think this is another reason why the rule has to bend over backwards to try and control information. I will stop there and see if you have any questions.
MR. ROTHSTEIN: Thank you, Mr. Gellman.
The chair permitted you to go beyond the 10 or 15 minutes that we listed for the witnesses. So, before we get to questions from the members of the committee, I am going to ask Mr. Bell and Mr. Cividanes if they would like to take a few minutes to respond in the event that you perhaps disagree with some of what Mr. Gellman said.
If not, you would, obviously, have the opportunity to present your additional comments in response to questions.
MR. BELL: Yes, I would. Don Bell.
I would like to point out that the sole example of a real life situation, supposedly real life situation, that Mr. Gellman pointed to was an article, February 15th, 1998, in The Washington Post about some chain drug stores supposedly selling information to be used for marketing purposes. That is false.
In fact, I wish he had cited the retraction, partial retraction of that story that occurred two days later in the same paper because he would have known that no information was sold by these companies. In fact, what happened was these were those refill reminders that studies have shown save lives and money. What happened was rather than CVS and Giant hiring their own employees to take names and put them on envelopes, they hired an outside company to do that.
You are right, as a result of that false story, there was a huge groundswell of opposition to what CVS and Giant were doing. So, they stopped doing that. I hope that they have not stopped sending those reminder letters altogether because they do save lives. But I also hope that in the future when this article is cited, the partial retraction will be cited as well.
He also mentioned that as a result of that occasion, those companies have been sued. I think that is true. It is also an example of the reason why even without these rules, people do have the right to enforce whatever rights they have.
Another thing that was said was that there was no remedy under the rule. As I understand it, patients who feel their rights have been violated can file a complaint, an administrative complaint, with HHS. So, I am not sure that that is true either.
That is all of my reaction.
MR. ROTHSTEIN: Okay. Thank you.
Do you have --
MR. CIVIDANES: Sure. I just wanted to -- your task in taking such conflicting views over the course of time and certainly in the proposed rule and the final rule, post-final rule, it is quite a challenge.
Mr. Gellman obviously has been in this area for a long time and has done a lot of thinking about it, but it is also -- part of the context is I don't know whether other than Mr. -- any laws that Mr. Gellman was involved when he was on the Hill, whether he has seen a law or a rule that he has ever liked.
It is interesting, obviously, during the proposed rule, Mr. Gellman also was writing and I pulled one of those articles before coming over today, "The Myth of Patient Confidentiality," and he indicated that neither the privacy rules announced by the President -- this was in November 1999 -- neither the privacy rules announced by the President nor any of the legislative proposals floating around Capitol Hill will make any material change. We can no longer promise medical records will be confidential. We need to be more honest with the public. We need to lower expectations.
So, you are working in this milieu and the final rules on the marketing front do come out with a notice and provisions. It is interesting, we are talking about no chance to object, no chance to object until after you have been marketed to.
I look at the regs and this is something we do in terms of the seminars we are giving -- as you know, the countdown, although the final rule, the effective date is more than a year away, you have to work backwards in terms of training people, getting the training materials ready. So, there is very little time really in terms of making any changes that can get into the process and filter down to employees and training processes.
So, we have been looking at this and the provisions of the rule at 520(b)(1), where it talks about the content of the notice, the requirements of the content of the content of the notice. It is very clear that there needs to be separate statements for -- and certain descriptions for any discussion where it is going to be -- the covered entity is going to use or disclose protected health information for health-related benefits and services that may be of interest to the individual for fundraising, exactly the kinds of things that are covered by the marketing and the fundraising provisions of the rule
So, that needs to be in the notice. Also in the notice needs to be a disclosure of the individual's right to request restrictions on certain use -- on those types of disclosures and uses. So, the notice -- true, not the consent form, but the notice will have disclosures about this type of marketing communications and fundraising and there will be a disclosure about the individual's right to opt out from these kinds of things, to ask for that kind of a request.
Your colleagues in the health fields are going to be working in this area. They are working in this area. Some of the hypotheticals are based on somewhat irrational behavior as well. So, you have a good sense of how much one needs to make changes to account for some of those hypotheticals as well.
But I just wanted to kind of point out that I think that some of the issues, when we are talking about there is no notice or opt out prior to any marketing when there is in the rule when we are talking about putting in the accounting disclosures to parties and interests when the parties and interests never see the data, when the disclosure is not a disclosure to a pharmaceutical.
These are areas that are very tricky. We start going down that path and start calling disclosures something that is not a disclosure.
MR. ROTHSTEIN: Thank you for those comments.
MR. GELLMAN: Can I respond quickly?
MR. ROTHSTEIN: Very briefly, please.
First, with respect to The Washington Post article, the industry clings to this notion that there was something substantially inaccurate about the article. I have looked at this very closely. The article was substantially accurate. It didn't mislead anyone about what happened in the transactions. People hated it.
Secondly, with respect to the remedy under the rule, there is no remedy under the rule. You can file a complaint and the Secretary can do something. You get no relief under the rule. If you have been damaged if you have been injured, there is no mechanism under this rule whereby a complaint with the Secretary will make you whole.
In response to Milo, first, I am delighted to know someone is reading my articles and, secondly, with respect to the -- you do have a right under the rule to ask your provider, current entity, to restrict -- to agree in advance to restrict uses and disclosures of information. This is one of these fake rights under the rule. The rule says you have a right to ask the covered entity -- you can ask for any restriction you want -- the covered entity under the rule has no obligation to consider your request, to respond to your request or to grant your request.
I would suspect that every lawyer who is looking at HIPAA will advise every covered entity to reject every single request that is made because the minute you agree to one of these kinds of restrictions, you will be asking for a lot of liability that you don't want. It is perfectly lawful under the rule for an institution to say we don't care what you ask for as a patient. We reject your request or, indeed, not even respond.
MR. ROTHSTEIN: Okay. Thank you.
Now, the floor is open to subcommittee members for questions.
DR. DANAHER: Both sides of the discussion invoked the Gramm-Leach-Bliley Act. Perhaps this is a question for John Fanning.
But the two things -- one is that -- I will kind of jump to where I want to get to and that is some kind of harmonization of regulations. No. 1, was the Gramm-Leach-Bliley Act looked at in drafting these regs and, secondly, has the effect on the public felt to have been positive or negative?
MR. FANNING: I don't know.
DR. DANAHER: Is that felt to be a precedent that would be something that we could learn from in figuring out the effect of what we are working on?
MR. GELLMAN: Can I respond? I think it is clearly a precedent. Whether you like it or not, the Gramm-Leach-Bliley rules are based expressly on a statute, which has a little more direction in it than the HIPAA law does.
DR. DANAHER: Right, right.
MR. GELLMAN: The rules were issued by the Federal Trade Commission and about eight other agencies, a joint set of rules. They are very controversial about whether the rules are good or bad and what the effects have been, but, nevertheless, there are -- I mean, is it precedent and the answer is "yes." It is there and it is trying to accomplish something generally similar in terms of giving patients -- giving data subjects some choice about what happens to their information.
Whether you like it or not, it is still precedent.
MR. CIVIDANES: The other type of precedent I think that it sets that you might think of is that, again, that after it was passed and before it went into effect, there were calls for changes. The agencies held steadfast and the legislators held steadfast and they let it go into effect, let the first round of implementation and then they have now begun -- they had a workshop last month in terms of the notices that went out on the Gramm-Leach-Bliley.
Now, they are not looking at it in real life, how it is going on, how it is implemented and that is a thoughtful approach. It is just -- you need to get on with it and you need to give some stability and some certainty to those who are affected by this and who are going to be implementing it. And then one can revisit it and learn from the experience.
That is one precedent to keep in mind.
MR. GELLMAN: That is a fair point, but I ought to point out as well that this rule is being changed. The Department has announced that it is going to make changes to this rule in one way or another. There is no reason why the marketing rule shouldn't be fixed along with other provisions.
DR. HARDING: This is Richard Harding.
I always get confused when the discussion comes around to the issue of marketing -- the definition of marketing as opposed to treatment because we talk about consent for PTO and I never -- it never entered my mind that marketing was part of the PTO. But that is something that comes up and I think one of you mentioned that, that it is part of the treatment or the operations process or something for business associates.
But could you explain that better to me?
MR. BELL: I wish I could. It is confusing to me, too. The way the rules are set out is marketing is defined extremely broadly. It is any communication where a purpose is to get someone to use a product or service or to sell a product or service.
Then there are exceptions. There are what I call the treatment exception is -- it does not simply say, as I recommend it should say that treatment and health care operations activities are not marketing. It does not say that in the rule. Instead, it goes through a very tortured definition of marketing where it says you are not marketing if you have some treatment activities and some other activities, such as recommending therapy alternatives that come under elsewhere the definition of "health care operations."
My recommendation was to simplify, clarify it by saying that in the rule that treatment and health care operations are not marketing. There is a separate issue, too, and that is assuming something is marketing, then there is -- ordinarily you have to get a patient authorization, prior patient authorization. But if it is health-related marketing, then you can go ahead and make the communications, as long as you give an opportunity to opt out. If it is targeted health-related marketing, then you give those the opportunity to opt out and you also have to give an explanation as to why that particular patient was targeted.
Something, I assume, like we sent you this letter recommending a glucometer because you have diabetes. My concern is I have never been able to find anyone that can tell me the difference between a targeted health-related communication, which is marketing, and a treatment communication, which usually is not marketing.
I would very much appreciate and I know our members would very much appreciate some clarification of that.
DR. HARDING: You also mentioned the issue of someone taking a brand name medicine and perhaps a decision being made to send them out information that if they took the generic, they could save a lot of money and it is the same chemical and so forth. Would you be as comfortable with the opposite, with someone who is taking generic and they get a solicitation that you ought to be taking the brand name because it has been shown in more studies to be more effective and so forth, where the cost goes up. Is that the same --
MR. BELL: For the example that you just gave, I would not be comfortable because that would be illegal. You cannot say that a brand name drug is more effective than a generic drug because they are not. They do the same thing.
DR. HARDING: That is illegal.
MR. BELL: That would be illegal to make the communication that you just said.
DR. HARDING: Okay. I didn't know that.
DR. FITZMAURICE: Two questions, one for Mr. Cividanes.
You talked about what you want is an overall opt out for all marketing communications and I guess in the absence of that, clarify as Mr. Bell said, the difference between treatment communication and target health-related communication. Would you advocate any additional change in the privacy rule to either further protect personal health information or to enable appropriate -- additional appropriate marketing activity?
In other words there is a balance here that I hear you describe between protecting the information of the consumer, but also giving the consumer information about what is out there and what might make him or her feel better? Are there additional boundaries that you would like to see expanded either for protection or for enabling additional information to get to the consumer?
MR. CIVIDANES: At this point, I mean, I think that our members are learning these sets of rules -- you know, are getting comfortable with these sets of rules and understanding these sets of rules. I think there are some head scratching, for example, in the fundraising more as to why there can't be use of additional information so that if a facility is going to open a cardiac center, they cannot get cardiac related information so they can target that type of audience so that it is only patients who have been in for pregnancy would also get the same information about, you know, a new cardiac center at the hospital because that is not information that is available for fundraising.
There are issues there we put in our comments last year that if there are going to be changes, we certainly would like to see more flexibility there, but as a general matter, I think there is the sense that certainly compared to the proposed rule, this does strike the right balance and does -- we are learning how to work with that area.
If you are a third party -- if you are a covered entity and you have a third party who is interested in marketing their own products and services, then you have to go the authorization route or you have to comply with the conditions for that type of communication. So, we are learning that.
If it is your own communication, you are the covered entity and you want to engage in communication with your own patients or your own plan participants, in many ways you can do that, provided you put it in your notice, provided you alert them to the opportunity to opt out and then in the solicitation, in the communication, you put that opt out as well.
I mean, those are rules that are workable and they can learn and they are working with.
DR. FITZMAURICE: So, essentially you are saying you are learning but you think you can work with the privacy rule as it is now?
MR. CIVIDANES: Yes.
DR. FITZMAURICE: A question for Bob Gellman.
Would it be sufficient to put a potential use of protected health information in the notice of privacy practices when the patient first comes to see the covered entity and permit the patient to opt out of all marketing uses of his or her protected health information at that time of first contact? Now, that might be an individual authorization or a negotiation between the physician and the covered entity, but suppose the patient had the right to prohibit a marketing use -- and assume there is a definition of marketing -- would that be sufficient to take care of most of your objections?
MR. GELLMAN: Well, the rule already requires that the notice include something about -- if you are going to make marketing uses, it has to be in there. It will probably be in Volume 2 of the patient notice on page 227. So, I am not sure how effective those notices will be in terms of actually informing patients.
You know, would giving people an opt out in advance be better? Sure. It is better than the rule now where you don't have that right. I don't think that is enough. I think that if you are going to use confidential patient information for some other purpose that doesn't have anything to do with health care, that -- especially when this is being done in exchange for a fee, when the person who has the record is being paid to do this, I think that is anywhere near enough.
Furthermore, some of the institutions that have the right to do marketing, like indirect providers and health plans, don't have the opportunity to do this. You never see indirect providers. So, unless you prohibit the indirect providers in health plans from doing it, there is no mechanism for then people to opt out in advance.
DR. DANAHER: Would you be comforted or would your position -- would you find it -- you know, reconcile with your position if during open enrollment or renewal for your health insurance that as part of that enrollment process that you could opt out there and there was an explanation of how the information could be used and you could do it at that time?
I think what we are trying to do is go upstream and get to the source.
MR. GELLMAN: I understand.
The answer is -- if you are asking me is that better than the rule today, the answer is "yes." If you are asking me if that is enough, the answer is "no." No patient record should be used for marketing without affirmative consent. Opt outs don't work. The reason that industry clings to opt outs is because people are lazy. If the rule is opt out, people don't opportunity out, especially if as under this rule it is really hard to do.
You know, an open enrollment, if you -- I know, for example, as a federal employee from in the past, if you kept your health plan, you didn't have to do anything. There were no forms to sign. There was nothing. So that, you know, there are no forms. There is no box to check. The easier it is -- the easier you make it for patients to express their views and to say "no," but marketing should be done only with affirmative consent. That is a better position.
What you propose would be better than the rule but not as good and it doesn't meet what I think are the essential standards for protecting whatever little confidentiality is left in the health care system and whatever trust there is between doctor and patient. But it would be an improvement.
DR. HARDING: Mr. Gellman had many recommendations, but I was wondering if you would comment, both of you, on one. That is the rule permitting disclosure of information about children, minors. Do you or your groups have any thoughts about the issue of using marketing to minors for things like cosmetic surgery and so forth that certainly have a different effect or a different vulnerability, perhaps, to marketing than an adult.
MR. BELL: I don't think NACDS does for the simple reason that I don't know of any way that our members do that. Minors do not come in and buy prescription medications on their parents -- and their parents under the rules will sign as a guardian and will, if they want, sign authorizations for whatever marketing to go to that child that they can, but I don't know -- again, I don't have a list of all of our members' marketing plans, but I don't know of any that actually do that.
MR. CIVIDANES: Dr. Harding, I think, if I may make a distinction that might be helpful of your thinking along these lines, it is I think that there is a difference between information about children and solicitations to children. I would think that there are some areas -- let me just first say that the Direct Marketing Association does not have a position on the issue you are raising, but we have in other area, non-health-related areas worked in terms of solicitations to parents on children's related matters, on-line privacy in terms of children -- there is a Children's On-Line Privacy Protection Act.
So, we are very supportive of those efforts to protect children, but in those analyses and in those discussion, one thing we keep in mind is that in order to inform parents about services or products or benefits that would be beneficial to their children, there needs to be some information gathering, some information sharing about children.
It is different to go to the child about some of those things, however you define child, whether it is under 18, it is under 13, and, so, I think that is something to keep in mind. Is it possible to keep parents in the dark about something that would be beneficial to their child by preventing any type of sharing use, disclosure of information about children under the rule.
DR. HARDING: The example that I know of is a teenage girl, who takes Acutane for bad acne and who has concerns about her physical presence and so forth, receives information in the mail about other types of corrective medicines or procedures that would make her even prettier than the Acutane, in addition to that. You know, you have somebody who is taking Acutane. They are concerned about how they look and so forth. So, they are a ripe market, but they are a minor and to get that direct marketing to them concerns me without parents being aware that that is even going on because they are just doing what the dermatologist said to do; give her Acutane for awhile.
That is an area that I think we should look at.
MR. CIVIDANES: Again, in the direct marketing area, I know that there is a lot -- in that area, there are a lot of communications that go to the parents of Milo Cividanes or something like that or they are able to identify the parents and send information to the parents. I would think that in certain areas, you would want that to continue to happen. There are questions then about directing the communications directly to the child.
MS. GREENBERG: I just want a clarification from Mr. Gellman.
Bob, the last -- actually under Response IV here, your last bullet, you propose prohibiting any covered entity from soliciting an authorization for marketing on behalf of a third party. I know there is something in the rule about -- I think it is in relationship to research -- that the covered entity can't make provision of services contingent upon them to be signing an authorization. But if they couldn't even make this authorization available and, of course, you don't want to provide any privileged information to these third parties so they can find these people.
How would a third party then get an authorization for marketing?
MR. GELLMAN: Well, if someone is -- if there is a product or service that would be beneficial to a patient, a physician, dentist, pharmacy is perfectly capable of saying to that patient this is a product or service that we think you need. That is treatment. It wouldn't interfere with that at all.
So, the question is if this is something that a physician would not recommend on his own or her own, we don't have to worry about this. The people that want to market -- and under this rule, you can market just about anything using patient information and it has nothing to do directly with treatment and, indeed, it would be something that is not necessarily a recommended service. I don't think this is a problem. The people that want to do that marketing can find their targets on their own.
They don't need to get assistance from physicians to do this. This just undermines the whole point of confidentiality between doctor and patient, that you are giving all of these entities -- remember, we are not just talking about doctors -- we are talking about everybody -- an incentive to try and get patients to sign authorizations so that the person seeking the signature gets paid to do it. I mean, that is what we need to take out of this is that the people who have the information are making money by sharing that information with third parties.
That is the evil here that we have to stop.
MS. GREENBERG: So, although you feel there should be authorization, those authorizations should not be obtained through the health care environment.
MR. GELLMAN: You know, I am putting forward a whole variety of ways of responding to this. This is one of them. This isn't my best thing, but this is -- if you don't like anything else, maybe you will like this one. That is what I am trying to do.
MR. BELL: The first part of what Mr. Gellman said I absolutely agree on and I would highly recommend that the agency clarify that the rule does, in fact, say that what pharmacies recommend, products and services and pharmacies recommend, are treatment and not marketing. I completely support that position.
I hope that will be stated as such in any new rule.
MR. ROTHSTEIN: I have a series of questions and I want to see if I can summarize the testimony thus far.
We have heard the recommendations along a very broad spectrum ranging from essentially keeping the rule the way it is to going back to -- I mean, to essentially revoking the rule and a wide range of things in between, including various limitations on when you can market and to whom you can market and so on.
One area that I think that we haven't heard any testimony on and that the rule is silent on is the issue of how the actual marketing might take place and what limitations, if any, should be placed on those efforts. For example, I am concerned about the issue of whether marketing information could be left on voice mail, on a joint e-mail account, left with another resident of a joint dwelling where the information is this is Joe's Pharmacy and your AZT prescription has just come in.
You can pick it up or you leave a message with someone and that, you know, it is time to refill your Prozac or whatever the item might be. So, that is one concern. So, without going -- without complicating it, would the industry -- and I hope you don't mind me characterizing you as that -- would you be comfortable with reasonable regulations setting forth the method in which marketing contacts in this area, based on health information may be done?
MR. BELL: Sure. Speaking for pharmacies, we are always supportive of reasonable regulations. Of course, the issue is what is reasonable.
The way I look at is the way it happens in a pharmacy is you mentioned voice mail or e-mail, a person will not give a pharmacist their voice mail or their e-mail unless they want to be communicated with by the pharmacists.
MR. ROTHSTEIN: You might ask for your phone number and if you are not home, it will automatically be your voice mail and --
MR. BELL: You are right and there are ways through the rules as they presently are for someone to say but please don't leave a voice mail message. My personal opinion is that should be respected, sure. I don't know of any pharmacy that will say "no," we are going to --
MR. ROTHSTEIN: No. What I am suggesting is the opposite. That is that without the individual having to affirmatively, in effect, opt out of voice mail, voice mail messages would be -- voice mail marketing messages would be prohibited. That is just a possibility.
MR. BELL: I personally don't have a problem with that. Again, it all gets back to the issue of what is marketing. If calling up and saying to someone, hey, I noticed you haven't refilled your prescription, you may want to do that, if that is considered marketing, yes, I think it would be a mistake to prohibit that kind of a communication.
MR. ROTHSTEIN: Well, I think we all understand that in every aspect of the privacy rule there are tradeoffs and we are trading off the interest of individuals in their health privacy against a variety of very valid interests that we are continuing to explore. In our prior hearings, it was research and we will be dealing eventually probably with the public health and law enforcement, all these other interests.
I don't think anyone is disputing that there is a benefit in some sense to be gained from further informing individuals. The question is how do you strike the balance between that benefit and the harms that might come about by inappropriately using that --
MR. BELL: You are absolutely right. It is a balance and the question is will the government strike that balance for people or will people have the option to strike that balance themselves. What I would be against is having the government simply say "no," these are prohibited in all situations. I would be perfectly supportive of a position that gives customers or patients the opportunity to strike their own balance.
If someone wants -- to give your example, if someone doesn't mind having a voice mail left for them, that should be an option. If they don't want that, then there should be a mechanism for them to make sure that doesn't happen.
MR. ROTHSTEIN: The rule already places certain restrictions on sending faxes of medical records and other information and it seems like this is a lapse on the consumer end. I mean, we are regulating the possibility of inappropriate disclosures within health care settings, but perhaps not in non-health care settings.
Let me ask you something else --
MR. GELLMAN: Mark, before you go on, can I ask a question?
MR. ROTHSTEIN: Sure.
MR. GELLMAN: I can't find the provision in the rule right now, but you would have a right under the rule to say don't leave a voice mail and if the covered entity agreed, that would be binding on them.
Someone who knows the rule better than I do, does that request have to be made in writing? That is what I recall the rule saying. I am not sure, which, of course, would make it completely unreasonable. You could say to somebody -- if that is what the rule says, you say don't leave a voice mail and they could say sure, it is not binding on them. You have no way of -- there would be no way of knowing that that was agreed to and there would be no enforcement under the rule, whatever remedies you have under the rule. So, it is not very effective.
MR. ROTHSTEIN: Let me give you another sort of procedural issue, if you will.
As I read the rule, marketers do not have to identify themselves as marketers when they engage in marketing. What might well take place is a situation where a patient gets a call or an individual gets a call and it says, hi, I am John Smith. I am an associate of your doctor, Dr. Jones, and we want to tell you about a new medical device that is available for people with your condition.
I think for many individuals it may be insufficiently informative to have a conversation of that sort without announcing up front exactly the relationship between the marketing entity and the physician and I was wondering whether that was something that you could find an objection to.
MR. BELL: I don't have an objection with preventing people from not revealing who they are.
MR. ROTHSTEIN: I am not saying they are misrepresenting. I am just saying that -- whether they ought to have an affirmative duty to make this sort of disclosure.
MR. BELL: I think people should have an affirmative duty to say who they are and actually the rules do say that they have to say what their relationship is to the provider. For example, if, to use your example, if they are getting paid to make that phone call on behalf of that doctor, then they have to say not only who they are, but who is paying them and --
MR. ROTHSTEIN: Well, but the rules requires is that the covered entity discloses that it is the source of the communication and any direct or indirect remuneration it receives and how to opt out of further contact, but it does not require that that information be given up front and, therefore, one of the concerns that I have is at the time you get the credit card number, you make all these disclosures that you are required to do.
I think as a consumer, I think it is quite reasonable to expect that when someone makes a call of this sort and is legally required to make these disclosures, that they have to make it first before they give their pitch and before people say, okay, send me one of those new wheelchairs and, oh, by the way, let me read you this stuff.
MR. BELL: Yes, the rules do say, I believe, that you have to prominently state those things, whatever that means. I would welcome some clarification and I know our members would welcome clarification on what "prominently" means.
MR. GELLMAN: Mark, the rule is worse than that. The rule says the communication must identify the covered entity as the party making the communication. You are required by the rule -- whatever third party business associate you are, you have to say I am calling for Dr. Smith. Now, it doesn't say that you can't say I am also somebody else, but you have to say expressly that. You are required to do that. In effect, you are required, in effect, to misrepresent what is going on here, not on a third party, you know, whatever.
The rules kind of conflict because there are disclosures that are inconsistent with that. I mean, it doesn't jibe that you have to say I am Dr. Smith and then make all of these disclosures about the arrangements between third parties. If you do all of that, you will confuse the heck out of everybody, although I suspect that by the time Madison Avenue copyrighters get through writing scripts for phone calls and writing letters, that they will find a way to meet all the legal requirements and fool everybody about what is going on.
MR. CIVIDANES: In the other kinds of areas where there are disclosures on telephone type of communications, they tend not to -- you know, they tend not to be a paragraph of script right at the beginning. I mean, there are areas where you try to get something out at the very beginning with disclosure, for example, and the wire tap laws that require if a call is being recorded, that you inform them at the very beginning.
You do that in a short sentence. So, your opening example was the word "only associate," I am an associate of Dr. Jones, if there are -- to give a priority to one of the disclosures, one of the legal disclosures by having greater detail that can be said in the opening sentence or so, that is -- but if there is a legal form that needs to be read and, you know, takes a minute or two, I think that really presents a problem in terms of the ability to communicate via using telephone.
MR. ROTHSTEIN: Well, let me say that in my research we do a lot of telephone interview surveys that require IRB approval and you wouldn't want to have to give all the information that we have to give to individuals just to ask them a few questions about their health. I am certainly not suggesting that. But what I am suggesting is that some upfront, honest understandable information is, I think, the bare minimum that consumers should expect when they receive these solicitations.
MR. CIVIDANES: That sounds like a good description of it and that seems to conform, for example, with what is required by the wire tap laws. So, if that is the direction you are going in, it would seem, you know, to be consistent with other approaches to privacy by giving certain disclosures a priority at the very beginning of the telephone communication. All I am saying is maybe your comparison to the IRB type of disclosures, but one should be careful about frontloading too much into that, even the ability of a human being to absorb all that information.
So, if you really want to get one message across, I am a separate company from Dr. So and So, you should really kind of highlight that, make sure that is the first disclosure. The other disclosures are made during the course of the conversation.
As an example, I am just saying the more you pack into the opening statement, the less probably is absorbed. So, if there is something that is particularly important, that is probably what should be given higher prominence.
MR. ROTHSTEIN: Let me raise another issue. In the regs there is special treatment for psychiatric information and is there any reason why we should not also treat psychiatric information separately for marketing purposes? In other words, you need to get a specific authorization for the release of certain psychiatric information and it is not covered by the one time consent that is signed.
So, the question that I have is can you make any compelling arguments why we shouldn't at least bring that philosophy if you will into the marketing provision?
Richard.
DR. HARDING: I have a conflict here, a little bit. I think the issue, I think, Mr. Gellman brought forward, the sensitive areas of medicine, quote, how we define that, usually defined as psychiatry, OB/GYN, infectious disease and genetics and maybe there are a few others that we could put in there.
You know, I mean I am ambivalent about that because I feel that is important in my practice, but on the other hand, I think that any medical information should be treated just as well. So, I am ambivalent about having sensitivities for certain categories of medical illness.
MR. ROTHSTEIN: Well, I appreciate that and it is a position that I have expressed on many occasions. I am looking for some fallback positions between this -- one of the things that I hope will come of this hearing is that we will have a variety of options for the full committee to consider and perhaps even a variety of options for OCR and the Secretary to consider. So, I was just getting things on the table.
I can think of a variety of situations where sensitive information, you just would not want to be marketed and it might not occur to you to opt out. I think, for example, one of the things that I would do at the -- include in the upfront message is say you have the opportunity -- I mean, you can opt out now and not only will I hang up and say thank you very much, but we won't ever call you again.
I think that ought to be a disclosure that probably should be considered.
MR. GELLMAN: Can I offer a couple thoughts? I mean, having suggested this psychiatric distinction, it is a tar baby because you can't really define -- that is to say, some things are clear. Some things aren't.
Richard, you will have to give me an example of some drug that is of little purpose that has some psychiatric use and some other use, depending on what your condition is. All the sudden you don't know what it is. You could write a rule that says for those things none of it can -- but it gets very complicated with all the different players involved, who have all the same information and can use it. One way to deal with the problem -- you see, the higher up you go, the easier it is to deal with the problem. One answer is no telephone marketing. Then all those problems disappear.
Milo is right in the sense that there is a limit to how much information you can convey to people on the phone. The notion of someone going to see a physician and coming home and getting phone calls saying, hi, we understand you have hemorrhoids, that you are pregnant and you broke your leg, whatever it is, from different marketing companies, who have gotten the information from the doctor and the health plan and the PBM and they are all calling you trying to make money out of this is pretty offensive.
Everyone would be better off if there was a flat rule and the higher up you go in writing flat rules, nothing happens without consent or no phone calls. Whatever you can do will make things better and will clarify and avoid some of these problems.
Phone calls are a lot worse than written materials.
MR. ROTHSTEIN: Well, I understand that but there are dangers with written materials as well. I mean, I may not want to share with my wife a diagnosis that I have and we open each other's mail and there it is.
MR. GELLMAN: Well, I will give you a real example I got years ago in discussing confidentiality with my dentist. He had a patient who wore dentures. Nobody knew that the patient wore dentures, not even his wife. Everyone in this office knew about this secret and both the husband and wife were treated in the same office and they were very careful not to say anything, not to put it on a bill, you know, and that is the kind of thing that you would not think in that circumstance is sensitive. But to that guy, it was probably the biggest secret in his life.
MR. ROTHSTEIN: Right.
Let me ask if there are any further questions.
John.
MR. FANNING: Yes, I have a couple of things.
I want to focus on the business associate provision. Bob, you don't seem to have much faith in the requirements in the regulation or promises by the businesses those get about further use of the information and the like. I wonder if you could go on a little bit more about why you consider that a disclosure and in the last example, for example, if you have gone to the doctor, these later phone calls that you have just posited, would they not have to -- would not that depend on the physician having made the choice to give information to these people on his own behalf?
MR. GELLMAN: Well, the physician could always make a phone call on his behalf or with his own staff. That is treatment. As long as it is treatment, it is perfectly fine. So, that is not restricted in any way whether you have a marketing rule or not.
The business associate, disclosing information to a third party -- and this is the schoolyard example. Let me give another example. Dr. Harding is treating my brother-in-law and I go and say how is he doing and he says, as he would, I can't tell you anything about his treatment. It is confidential.
But if Dr. Harding said tell you what I will do, I will treat you as a business associate. I will put you on my staff for a week. Then you can read his record and you will be covered by the rule not to redisclose. Would that make anybody feel better? I mean, the notion of information being given to third parties is a significant disclosure. It is a significant imposition on confidentiality.
We do that in a lot of circumstances. We do it for public health purposes. We do it for law enforcement purposes. We do it for research purposes. There are a million things in the rule to allow this to happen. Marketing is not a sufficient purpose for this. I mean, remember we are already allowing treatment to go on. So, treatment disclosures are just fine. Doctors giving advice is just fine. It is not affected by this. That all goes on anyway.
All we are talking about is marketing and the marketing -- and let me read a section right out of the rule. "However, the final rule permits an alternative arrangement. The covered entity can engage in health-related marketing on behalf of a third party, presumably for a fee. Moreover, the covered entity could retain another party through a business associate relationship to conduct the actual health-related marketing, such as mailings or telemarketing under the covered entity's name. That is exactly what the rule permits.
You can give information to anybody as long as they are a business associate. There is no restriction whatsoever. That is what is offensive. There should be some kind of restriction. You can do it yourself. As soon as you are giving information to a third part, there needs to be a higher barrier, better procedural protections. It is not enough to say they get coverage but they can't tell anybody else.
In fact, they can tell somebody else, depending on how you write the contract.
MR. FANNING: Well, wait a minute. Does not the regulation require that that contract forbid further disclosure?
MR. GELLMAN: I am not sure about that. It does forbid that, but it depends, if I as the covered entity can give information to a business associate and I can give it to somebody else, who might be a business associate or somebody else, I can authorize that business associate to make the disclosure on my behalf. So, there could be a chain of business associates one to the other, all authorized by the covered entity and could lose all kinds of control here over what happens to information. It depends on how you write the rule, how you write your contract with your business associate. It can be narrow or it can be broad.
MR. FANNING: It seems to me that you are troubled by the risk there because marketing is not a sufficiently great interest to permit that. It seems to me, though, that in the whole health care system, there were all kinds of outsourcing and multiple successive subcontracting arrangements for the ordinary business of the health care, which I take it you have to accept because there is no other way to do it, but for marketing, the risk is not worth it?
MR. GELLMAN: Well, you know, I -- yes, the short answer to your question is "yes." I recognize and it is not -- if I were coming here saying my only way of fixing this rule is to prohibit disclosures to third parties as business associate for marketing purposes, that would be hard by itself. It is not my best answer.
You know, I want to do something else. I am fishing for ways to allow reasonable uses of records to not interfere in any way, shape or form with communications from doctors to patients, that they want to make on their own behalf. When they are hiring somebody else to do it or they are getting paid to make these communications, that is when we need to be careful. That is when we need to be suspicious and that is when we need to have protections.
So, saying no business associates for marketing is simply one way of trying to do that. It may not be the best way. It is a way.
MR. ROTHSTEIN: I have one final question and it relates to the prior work of the committee. In our August hearings, the research community testified before us and urged us to consider medical research as something that should be considered within treatment, payment and health care operations for which the one time consent would include research.
The committee in its wisdom rejected that and endorsed the current thinking that you need separate authorization for research, notwithstanding the, you know, obvious benefits of medical research. I don't see how we can take that position on research and continue to endorse the current rule where marketing is considered as part of treatment, payment and health care operations.
So, what I want to do is as much as we can stipulate that there are values to marketing, I don't think that as an enterprise, it approaches the social utility of the medical research establishment for which we are saying you need specific authorization. So, what I would like to do is just give you an opportunity to sort of have a last word and kind of what is your best argument for saying that there is some reason that marketing should be considered as part of, you know, health care operations where medical research shouldn't?
MR. BELL: Marketing should be considered health care operations. I have never suggested that.
MR. ROTHSTEIN: Or treatment or payment or something for which there is no authorization requirement.
MR. BELL: I haven't suggested that marketing should be treatment or payment or health care operations. What I suggested is that the rules make a distinction but not very clearly between the two and I hope that the agency will clarify that distinction.
MR. ROTHSTEIN: Let me make it easier for you.
We were presented with an option that it should be instead of TPR, it should TPOR. The current rule effectively is TPOM and can -- I am searching for the rationale, the justification that would support your position on this issue so we can fairly consider all the views. As I said initially, I find it hard to reconcile the committee's prior view on the issue of research with marketing.
MR. BELL: I think you are proceeding from a false assumption. There is no TPOM exception in marketing. The rule is you have to get prior authorization. There are some exceptions to that. For example, health-related marketing, whatever that is, you don't have to get prior authorization and, instead, you can make one marketing communication in which you have to give an opportunity to opt out, but there is no general exemption that says you don't have to get an authorization for marketing.
On the contrary, the general rule is you do have to get a prior written authorization separate from the consent before you can conduct marketing.
MR. ROTHSTEIN: Okay. I should have qualified that as TPOHM.
MR. BELL: So, I am not sure that there really is a huge distinction between the way research is treated and the way marketing is treated. The questions arise in these gray areas, where you have got something called health-related marketing or targeted health-related marketing on the one hand and on the other hand, you have got something very different supposedly called treatment.
So, one thing I would ask for is a clarification between those two animals, whatever they are, because they are treated very differently. Marketing, the general rule is you must have prior authorization before conducting marketing.
MR. GELLMAN: Can I just make a comment? I completely disagree with that characterization of the rule. The rule -- I mean, at some level, yes, there is a requirement for some kinds of marketing that you need an authorization. For most kinds of marketing, you do not. The loophole swallows the rule and almost every kind of marketing, for example, that pharmaceutical manufacturers want to pay for and any food product, vacations, any of these things can be called health related.
The term is not defined and there is virtually no product. You know, you have to really think hard to find a product that you couldn't draw some health -- make an argument that there is some health-related benefit to. So, new cars, safer cars, you know, more efficient appliances give you more money to pay for health care.
I mean, you can just make any claim you want. There is no restriction here. So, virtually every kind of marketing fits under the loophole.
MR. FANNING: Okay. But even granting your point about health-related marketing, health care operations include marketing of health products. The question is still there. Since marketing is included under health care operations and, therefore, allowable without an explicit authorization by the patient, I think the question is still there. Why should that be allowed without specific authorization as distinguished from the use of information for research for which you need either a separate authorization or some other very explicit process with outside review?
MR. BELL: Again, I think there is some confusion. I don't see anywhere in the definition of health care operations that it says it includes marketing. On the contrary, what it -- the definition of "marketing" includes virtually any communication and it exempts a couple of very specific types of health care operations, such as recommending treatment alternatives. But I don't believe that marketing is included as -- in the definition, but maybe I am wrong. It is a very long definition.
What is it?
MR. FANNING: 5, 6(b).
MR. BELL: Ah, marketing 4, which an individual authorization is not required. Well, you are right. That begs the question when is an individual authorization not required. Again, the general rule is that individual authorization is required unless you are talking about a health-related marketing, whatever that is. I agree with you completely that it is not defined and I hope it will be defined. We probably have very different definitions of how it should be defined.
MR. FANNING: There is some class of communications with patients that is allowed without explicit authorization.
MR. BELL: Definitely.
MR. FANNING: Now, we are back to the chairman's question. Why is that allowable without explicit authorization when the use for research is not?
MR. BELL: I don't know about the use for research because that is not something that we have worked on. I can tell you the only two real life examples that I know of that some might consider to be health-related marketing -- I don't think they are, but some might -- are those refill reminders that I mentioned and the suggestions of alternative treatments. That maybe we can agree on. It sounds like Mr. Gellman was saying that if it is a recommendation from a pharmacy to a patient about a product or service, then it is treatment.
If we can agree on that, then I have no problems reading all of the other things of marketing the same way that research is treated.
MR. ROTHSTEIN: Well, on that note of agreement -- DR. DANAHER: Just remembering the tail end of the -- I think I joined at the tail end of the discussion about health care research. I am not sure I was swayed that the greater social good was going to be served by requiring an authorization for health care research.
I think my impression -- tell me if I am wrong -- I don't know whether the effect yet has been felt by the health care research community of our position. So, I guess, I understand the question. I just worry that kind of using that as a precedent or --
MR. ROTHSTEIN: Well, the research issue, as you know, is a very complicated one and we have a whole set of recommendations to the Secretary dealing with research, but the basic framework as described by John Fanning is to leave the rule as it is, which would require either explicit authorization or some degree of a privacy board or IRB approval for the research.
That is not to suggest that there are not other ways in which we have recommended other possible changes in the rule regarding research, which we perhaps considered to be overly restrictive on researchers.
DR. DANAHER: Just to follow up on that, yes, I mean, how I was able to get comfortable with that position was that, you know, it had to have approval from a privacy board or an IRB, you know, committee, et cetera. Is there an analogous kind of body that would facilitate, you know, for marketing in that case.
MR. ROTHSTEIN: And we haven't heard of that model yet or anything.
MR. GELLMAN: I will give you an idea that is sort of half of that and that is to require any covered entity that is disclosing records for marketing to post a public description of what they are doing and all of the details on their web site. If they don't have a web site, make them get one so that this is available and the goal is so that the next newspaper reporter can come along and write an article that says did you know that Hospital X is selling lists of patients with diabetes to the XYZ firm. That would stop marketing cold. Public disclosure would do it.
MR. CIVIDANES: And, again, Mr. Gellman's comments again emphasize the distinction between third party disclosures to third parties for their own use and the use by the covered entities or the hiring of third parties to help the covered entities to do things.
That continues to be a distinction --
MR. ROTHSTEIN: I appreciate that. That is certainly one of the things that I think we will take out of this panel discussion.
We are over time and I apologize to the next panel that we will be starting late.
We will take a break until 10:45 and then resume with the second marketing panel. So, thank you all for your testimony.
[Brief recess.]
MR. ROTHSTEIN: Good morning. Again, we are back on the record and on the Internet getting ready to begin with our second panel on the issue of marketing.
I want to reiterate that at the close of this panel discussion there is an opportunity for public testimony on the issue of marketing and if you are interested in presenting testimony as a member of the public, there is a sign-in sheet and witnesses will be called in the order in which they sign in.
We are now ready to proceed to the witnesses; marketing in the insurance context and we will begin with Ms. Pellow and please introduce yourself.
MS. PELLOW: Good morning. My name is Wendy Pellow and I am legislative and regulatory counsel for the National Association of Insurance Commissioners.
I want to thank the Subcommittee on Privacy and Confidentiality for inviting the NAIC back to talk about the HHS privacy regulation and, in particular, the marketing exception.
We understand that you are still considering this issue and it is still being debated on what is the best solution on this issue. So, we hope that we can answer any questions that you still have about this and can offer some solutions while reiterating our concerns and taking those solutions and offer them as recommendations to HHS.
Also, I would like to request that my written testimony that you have before you be submitted for the record, in addition to my oral testimony. In the testimony last August, I told you about the NAIC and how much they value protecting consumers protected information, including their health information.
For more than 20 years and through the development of three privacy models, the NAIC's position has been that insurers should be required to obtain authorization from the consumer prior to use or disclosure of their protected health information. In all three of our privacy models that we have developed, the states have made a policy decision up front that consumers deserve to have the right to decide if their doctors or health plans may or may not disclose their information, their health information in particular especially, for marketing purposes.
The states were not going to wait for the creation of a long list of complaints from consumers before they took action. The states also didn't want to get into a debate about which disclosures would be beneficial to consumers or would not be beneficial to consumers and then which consumers would or would not want their protected health information disclosed.
Instead, the states were respectful and very responsive to their citizens' concerns and instead decided to implement the opt in standard for health information and the states are currently doing that and we have seen that through the development of our three models and particularly our most recent model, which implements privacy protections under the Gramm-Leach-Bliley Act.
Basically, the states are wanting to make sure that the individuals are asked first or not they want the protected health information used or disclosed, especially for marketing purposes. We hope that our experiences in developing these models and the states example in implementing these privacy protections can be helpful to you in making your recommendations to HHS.
As we stated before, the NAIC is very concerned about the marketing exclusion in the final privacy regulations and I do want to stress up front, that the NAIC does not seek to prohibit marketing or prevent consumers from getting information that I think that would be helpful to them. We do believe, however, that consumers should have the right up front before their information is shared to make an affirmative decision about that disclosure.
As you know, the proposed HHS regulation was similar to the NAIC models in that it required prior authorization for marketing activities. However, the final HHS privacy regulation seriously diverts from that standard. It provides that covered entities may or may not use or disclose protected health information prior to getting the consumers authorization.
However, it creates a whole list of exceptions, which basically allows covered entities to disclose consumers' protected health information for marketing purposes prior to their authorization and we believe it is a significant reversal from HHS's previous position in terms of protecting consumers. We found it interesting that in the regulation HHS claims that the marketing exception is necessary and will benefit consumers.
The Department also asserts that consumer protections have been incorporated into the marketing exceptions. We respectful disagree with both of those statements and these are the two points that I am going to focus my comments on today.
First, we agree that the marketing exception is not necessary nor will it benefit consumers. HHS claims that the marketing exception is necessary for health care entities to be able to discuss health care products and services as part of their everyday business and to inform patients and enrollees about new or valuable health products. While we understand the inclusion of exceptions for certain legitimate business activities, a broad marketing exception is not necessary in this situation.
In fact, the definition of marketing specifically excludes these types of communications; thus, providers and plans are free to discuss treatment options, services, products with their patients and enrollees. Inclusion of the marketing exception will not benefit consumers. In fact, it just creates a whole new set of problems for them. What will benefit consumers is for covered entities to explain what they want to do with consumers' information up front and then let the consumers decide whether the benefit of having their information disclosed outweigh the consequences of disclosing that information.
Consumers should have the affirmative opportunity up front to decide whether or not they want their information shared for marketing purposes.
Second, we believe that the consumer protections that are built into the marketing exception are flawed. The Department claims that it has incorporated protections by requiring covered entities to identify themselves in marketing communications to tell consumers why they have been targeted and to inform consumers that they can opt out of future communications.
While there are problems with all these provisions, our comments focus on the third one, the future opt out protection. In developing the privacy requirements for insurers in the Gramm-Leach-Bliley, NAIC members and interested parties had long debates about the opt in standard versus the opt out standard to both financial information and health information.
The NAIC members ultimately decided to use Gramm-Leach-Bliley's opt out standard for financial information that strengthened the protections for health information and used the opt in standard. We believed a higher standard should be applied to sensitive health information than is applied to financial information. However, I think it is important to point out that even the opt out standard for financial information offers more protection than the HHS regulation does for health information, in particular as it applies to marketing.
Not only does the HHS regulation not give consumers the right to opt in, to having their information disclosed, but it does not allow the consumers to opt out prior to that disclosure. Only after the information has been disclosed and the consumer has received marketing communications can the consumer opt out. Even Gramm-Leach-Bliley gives consumers the opportunity to opt out prior to the disclosure of their financial information.
We believe that offering a way for consumers to opt out of future marketing efforts is not the same as giving them the rights to make an initial decision about whether or not they want to receive any marketing materials either using an opt in standard or a prior opt out method. Once sensitive health information has been disclosed, re-protecting it is practically if not completely impossible.
There are also some other flaws with this future opt out protection. They are detailed in my written testimony, but briefly I just want to hit a few of them. For starters, no details about how consumers will opt out of the future efforts. Gramm-Leach-Bliley and our privacy model relating to financial information gives consumers a reasonable opportunity to opt out. It gives them 1-800 numbers to call, web sites, fliers, any way to opt out.
It gives them certain deadlines to do so. It gives them opportunities to opt out at different points in time as well, but none of those details are set out in the HHS regulations. So, consumers have no way of knowing how they are supposed to opt out.
The second thing is it is unclear how broad the scope of the opt out is. Is the consumer only able to opt out from getting marketing information from the entity that marketed to them or about the disease or service or product that they were marketed about or can they opt out of all future marketings from all entities relating to all services, products, diseases? That is not clear and if the opt out is not applied to that individual, the opt out is just going to -- the individual is going to continue to have to opt out as opposed to just -- if it doesn't apply just to that individual, only applies to that marketer or that product.
A third point is that the covered entity only has to make a reasonable effort to ensure that individuals who opt out don't receive any future marketing materials. All reasonable efforts is good. That is no guarantee for consumers who have had their information disclosed in protecting them from getting any future marketing materials.
Finally, HHS has basically set out a system that encourages telemarketing and creates a conflict of interest between covered entities and their patients and enrollees. We find that problematic why they would want to encourage that and actually include an example in the preamble of how that can be done.
As you can tell, we believe that this future opt out provision in the marketing exception offers no protection to consumers to try to convince consumers from taking a proactive stance about their health information. Consumers can only be reactive after a disclosure has occurred and once they can react, there is no process to do so.
We respectfully question why the Federal Government knowingly would issue a regulation that requires horrible inconvenience to occur first and before any action can be taken rather than issuing a regulation that would prevent the harm from occurring in the first place. The assumption behind the creation of the HHS privacy regulation is that health information is sensitive and deserves a higher level protection than other types of information.
The NAIC and the states have developed and implemented legislation and regulations based on those same assumptions. Again, the NAIC does not want to prevent consumers from receiving information they might find useful. We just believe that consumers should have the right before the information is disclosed or shared to make an affirmative decision whether they want that information disclosed for marketing purposes should be the consumer's choice.
The NAIC believes that the marketing exception is a giant step backwards for consumers and is contradictory to the direction in which the states are moving. We respectfully request that HHS remove the marketing exception from their regulation. We look forward to continuing to work with you on this issue and ask that you thoroughly consider our concerns.
Thank you.
MR. ROTHSTEIN: Thank you very much.
We will again defer questions until your other panel member speaks.
Dr. Janofsky.
DR. JANOFSKY: Thank you.
Mr. Chairman and members of the committee, I am Jeffrey Janofsky, a physician who specializes in psychiatry. I am a member of the American Psychiatric Association, the APA, a medical specialty society representing more than 38,000 psychiatric physicians nationwide and I am a member of the APA's Commission on Judicial Action. I am an associate professor of psychiatry at the Johns Hopkins University School of Medicine, where I direct the Psychiatry and Law Program and treat psychiatric inpatients.
I am also a clinical associate professor at the University of Maryland School of Medicine. I am testifying today on behalf of our profession and the hundreds of thousands of patients we serve.
In my testimony to you today, I cannot emphasize enough that privacy and particularly medical records privacy is an issue all Americans are deeply concerned about. I thank you for your continued commitment to protecting medical records privacy and for holding this meeting on the marketing and fundraising provisions of the privacy regulation.
Regrettably, it is often overlooked that confidentiality is an essential element of high quality health care. Some patients refrain from seeking medical care or drop out of treatment in order to avoid any risk of disclosure of their record. Some patients simply will not provide the full information necessary for a successful treatment.
Patient privacy is particularly critical in ensuring high quality psychiatric care. Both the Surgeon General's Report on Mental Health and the U.S. Supreme Court's Jaffee v. Redmond decision conclude that privacy is an essential requisite for effective mental health care. The Surgeon General's report concluded that people's willingness to seek help is contingent on their confidence that personal revelations of mental distress will not be disclosed without their consent and in Jaffee, the Supreme Court held that "Effective psychotherapy depends upon an atmosphere of confidence and trust. For this reason, the mere possibility of disclosure may impede the development of the confidential relationship necessary for successful treatment."
Accordingly, the APA commends the Administration and Secretary Thompson for moving forward with the implementation of the regulations and evidencing their commitment to protecting the privacy of the medical record by advancing patient privacy, which we as physicians believe our patients and our families need.
However, the APA is very concerned about the marketing and fundraising loopholes that exist in the regulation. Under the marketing loophole, a covered entity is not required to obtain an authorization when it uses or discloses protected health information to make a marketing communication to a patient if it occurs face to face.
A marketer, who had obtained health information from a covered entity without the patient's consent, could talk directly to the patient in the hospital and try to sell them a product or service related to the treatment they had received at an especially vulnerable time. The regulation allows the release of a patient's health information without their consent when it concerns products or services of nominal value.
A pen or other item that is inexpensive could be given to a patient promoting a product or service for which the patient had received treatment to encourage the patient to buy that item. Also, the patient's health information can be released without their consent when it concerns health-related products and services of the covered entity or of a third party and meets marketing communication requirements.
The APA is disturbed by the marketing problem that has developed with customer proprietary network information or CPNI and the consequences of the release of the information will have. CPNI, as quoted from the Federal Communications Commission, includes where, when and to whom a customer places a telephone call, as well as the types of services offering to which the customer subscribed and the extent to which the service is used.
In August of 1999, the Tenth Circuit Federal Court of Appeals decided the U.S. West, Inc. v. FCC case that changed the right to disclosure for CPNI from opt in, where a customer affirmatively chooses that the phone company may share CPNI information, to opt out, where now a customer has to affirmatively choose that they do not wish CPNI to be shared.
The APA is concerned about the impact of this case on the marketing loophole because CPNI by a marketing agreement can be sold to insurance companies or employers who will discriminate against providing insurance to patients who are frequent callers to a psychiatrist or to other physicians.
Another area of concern is the fundraising loophole, which permits a covered entity to use or disclose patients demographic information, that is, name and addresses and dates of health care, to a business associate or to an institutionally-related foundation without a patient's authorization. We are aware that the covered entity must include in any fundraising materials it sends to a patient a description of how the patient may opt out of receiving any further fundraising communication.
However, the APA maintains that the patient should be asked for consent before the fundraising communication is sent. For example, a commercial fundraising organization for a health facility could use confidential information that a prominent person, such as a member of Congress or any other public official, was a patient at the facility without that person's consent for use in their fundraising.
The APA is particularly concerned about the need for sensitivity with psychiatric patients' names. Commercial fundraisers should not be allowed to take advantage of patients, especially those with mental illnesses.
The APA strongly believes that personal health information should never be shared for the purposes of marketing or fundraising without the patient's informed consent. We are disappointed that the privacy regulation permits only an ex post facto withdrawal of consent after the marketing and fundraising damage already has occurred.
This is a simple problem with an easy solution. Require the marketing and fundraising endeavors to have patient consent before the activity occurs. In other words, we support an opt in procedure. This is in contrast to regulations, which allow damage to be done to a person's privacy first and then only authorizes the patient to opt out any other fundraising endeavors.
We are troubled that the critical issue of informed consent with respect to the use of information regarding a patient's treatment at a facility for the purposes of the marketing or fundraising has inappropriately placed patients at a disadvantage. We are hopeful that the committee will agree with the APA that marketing or fundraising endeavors should have a patient's advance consent. In other words that patients may opt in.
I thank you for this opportunity to testify and look forward to working with the committee on medical records privacy issues. Thank you.
MR. ROTHSTEIN: Thank you very much, Dr. Janofsky and Ms. Pellow.
Before we begin the panel questions, I just want to note for the record that Dr. Harding has recused himself from the questions and discussion with this panel. So, the floor is now open for subcommittee members and others for questioning.
John.
DR. DANAHER: I guess I am just -- did no one from the industry respond?
MR. ROTHSTEIN: Which industry are you talking about?
DR. DANAHER: The health insurance industry.
MR. FANNING: We did have one scheduled, but as it turns out, they could not come.
DR. DANAHER: Do you perceive that this an important consideration to them or not that important a consideration, how the regulation is currently worded?
MR. FANNING: I have no way of evaluating that. The organization that planned to come to come but at the last minute couldn't said they would submit a written statement to the committee.
MR. ROTHSTEIN: We did have testimony from HIAA at our prior hearing on other issues and they are certainly aware of our ongoing work in this field. We will consider their views, obviously.
DR. DANAHER: Just out of -- I apologize for this -- could someone -- I mean, we assume HIAA and AAHP are pretty much, you know, on the same place. What in a nutshell are their responses?
MR. FANNING: I don't know what their responses are. We can find their statement from last time and we do expect the HIAA to --
DR. DANAHER: Thank you.
MR. ROTHSTEIN: I have my usual array of questions.
First, I want to start with Dr. Janofsky. I appreciate your statement, which strongly suggests that marketing of psychiatric information is inappropriate. What would your organization do if -- let's assume that the regulation did not change in its final form and one of your members legally disclosed information to an associate that resulted in a marketing activity of that member's patients, would that be in your view grounds for some sort of disciplinary action?
I mean, to what extent are you willing to go on the record as saying that is improper?
DR. JANOFSKY: Well, I think it is dangerous to speak about what our organization would do without more facts, but I also happen to be chair of the Maryland Psychiatric Society Ethics Committee and teach ethics. As I said, I think it is dangerous to make statements in general about particular cases without particular facts. But I am also chair of the Maryland Psychiatric Society Ethics Committee and teach ethics.
Physicians have a fiduciary duty to act in their patient's best interest and to maintain confidentiality under most circumstances and to only breach confidentiality under particular circumstances and those particular circumstances are almost always with the patient's best interest in mind.
I can't tell you how our committee might rule in a particular case, but I can tell you just thinking about it generally that I would have serious problems if a psychiatrist, a physician, disclosed information for marketing purposes without their patient's consent.
MR. ROTHSTEIN: Are you familiar with any cases like that that have been brought either in Maryland or elsewhere?
DR. JANOFSKY: I am not familiar -- I personally know of no ethics case where this has been an issue. It is hard for me to conceive that a psychiatrist treating a patient would release information at the current time for marketing purposes or any other purpose without a patient's consent, except with the exceptions enumerated in particular state or federal law.
MR. ROTHSTEIN: Are you aware of any other medical society or organization that is contemplating issuing ethical guidelines or statements based on its unhappiness with the current state of the rule; in other words, trying to say, look, we don't care what the law provides. We think that it is improper to disclose patient information for marketing purposes?
DR. JANOFSKY: Well, I think -- let me be clear about this. The existing ethical principles for medicine in general, not just psychiatry, require physicians to act as fiduciaries for their patients. We are required to act in our patients' best interests. We are required to only release information with our patients' consent or in other limited circumstances.
Our major job is to act in our patients' interest. That is not just psychiatric ethics. In fact, psychiatric ethics are built on the AMA's code of medical ethics. Any physician has that fiduciary responsibility. I can't speak for any other organization, medical organization, but I would be surprised if other medical organizations would not be concerned if a physician released information about a patient's medical care without their consent.
MR. FANNING: Can I ask a related question?
Yes, I can understand that there are probably not many instances of psychiatrists in individual practice engaging someone to do marketing. But I wonder if the issue arises in the case, let's say, of mental hospitals or other institutions that do employ psychiatrists, but that simply operate differently, are you aware of any issue in this regard?
DR. JANOFSKY: I am not. My particular area of expertise is in the physician/patient relationship. I am aware that other entities that may employ physicians have other ethical precepts that they have to follow. I am certainly not an expert in that area.
MR. ROTHSTEIN: In your testimony, you noted the three sort of exceptions to the -- or situations in which marketing can go on. We have been focusing, I think, for good reason on the third one. I just want to go back and see if I understand your testimony correctly.
Is it your testimony that the face-to-face contact exception and the de minimis value, nominal value, whatever you want to call it, exception, are not problematic or less so than the third one? Would you clarify that?
DR. JANOFSKY: No. I think it is our position that any disclosure in any setting is problematic if it does not occur without the patient's prior informed consent.
MR. ROTHSTEIN: But that would be to a third party, but I mean it would be okay for the physician himself or herself to give the pen out.
DR. JANOFSKY: No. No, not at all.
MR. ROTHSTEIN: It would not?
DR. JANOFSKY: No, of course not. Again, our goal -- physicians don't do marketing. We are not businessmen in the general sense. Our duty is as a professional. Out duty is to our patient. Our duty is to do what we think is in our patient's best interest. Marketing has nothing whatsoever to do with patients' best interests. We don't market to our patients. We give our patients our best judgment regarding data. We discuss with patients the information they receive. We may discuss with patients other available information that is out there, but our role in society, I believe -- this is not just psychiatrists, but all physicians, our duty, our goal is to act always in our patients' best interests period.
MR. ROTHSTEIN: I am trying to get a sense of the range of your comments because, of course, the jurisdiction of HIPAA in this committee is only on the disclosure of protected health information and not what might be considered inappropriate or tacky practices where your doctor gives you, you know, a key chain with -- to remember to come back or something. So, if there is disclosure to some third party, that is sort of beyond our jurisdiction.
Let me ask Ms. Pellow a question, if I may. As I understand the position of NAIC, you want the exception removed completely. I don't know if you were here for the prior panel discussion, but we discussed a whole range of other sort of intermediate steps that might be taken between the current version of the rule and the version that you would like to see.
My question is of those other measures, are there any that your organization has specifically discussed or that you think would be at the top of your list for, you know, okay, this is our No. 1 fallback position or something like that?
MS. PELLOW: We haven't discussed what would our fallback position would be. Obviously, when we did our models, created our models, we just made the policy decision right up front that -- and after lots of discussion that we wanted it to be opt in because it becomes a slippery slope where you are trying to cut off what is the next best option. Okay. Is this okay? But are these marketing disclosures okay? This would be beneficial. We didn't want to get into trying to draw fine lines because it is very difficult as we have seen in the discussion, which ones are okay, which is not okay, which is just a tacky business practice and which is unauthorized.
So, we took the position and we still hold the position that you need a prior authorization before you market or you disclose the individual's protected health information for marketing purposes. In fact, in our 1998 model, we required it to be a separate authorization. You couldn't just lump it in with other things you were wanting authorization for. It needed to be set out on its own that this is what you are going to do with it.
So, it wasn't lost in, you know, multiple pages of disclosures and notices and, you know, you are signing away and giving authorization for multiple things. We are troubled that the -- and as I said in my original statement -- that the Gramm-Leach-Bliley gives more protections for the financial information and the fact that the opt out right is prior to a disclosure.
I mean, I guess that would be the next -- I mean, one way to fix it. It would be better than what you have right now, where it is an opt out after the fact and there is, you know, multiple little sayings if -- you know, closing the barn door once the cows are out or, you know, putting the genie back in the bottle. That is too late. I mean, that is not an opt out right at all.
So, that would be an improvement to at least have it be a prior opt out. There are discussions about whether it was just listed in the notice as opposed to having it be an authorization. I think, as Mr. Gellman said, there is going to be a notice of lots of different things and you can request that not be disclosed, but, obviously, the covered entity can say, no, we don't agree to that.
I think you need -- the consumer needs more than just notice that their information could be disclosed for marketing purposes. It needs to have the consumer authorize that. I think there is a perspective that consumers mostly know, like, no way, don't share my information. I think if industry is -- because we get these arguments all the time. If the disclosure is going to be so beneficial to the consumers, we will sell it to the consumers. Tell them what the benefits of having that information marketed -- you know, you will receive information about new treatments. You know, there are new products that you will be aware maybe earlier.
I mean, sell them on the fact of why it would be in their interest to -- let you disclose their information for marketing purposes and giving the consumer the right up front to say "yes" or "no." I think that is not too much, you know, for the -- you know, to ask and let the consumers just decide whether they want that information or not.
So, it is -- obviously, our position is to keep -- have it be an authorization and an opt in for marketing, but one way you could fix it -- we still wouldn't like it, but one way to fix it is at least have the opt out be prior to the disclosure.
DR. DANAHER: Ms. Pellow, we discussed earlier, would NAIC's concerns be abated if during, again, open enrollment at the time when the source of information or during renewal that the form or on the electronic as you were enrolling electronically, that there were -- I think the wording would be able to be done very simply, kind of three opt out choices.
The first one is do you not wish for your PHI to be used for care management, disease management, case management, et cetera, by this health plan, et cetera. You know, this is a time when you are being assigned your PCP, et cetera. So, you have that choice.
The second one is, you know, do you not wish that this information could be used for, you know, marketing purposes by TPOs -- would that allay their concerns?
MS. PELLOW: No, because I think that is lumped in with enrollment, your enrollment information and as -- I think it was Mr. Gellman or one of the other panelists said, you may not get enrollment every year if you are still having your coverage continue, I don't what types of forms you would get, which -- I mean, and I guess this would be something that if they wanted to, you know, have a new form every year or are you still opting out or are you opting in, but I don't think that allays the fears because it is lumped in with enrollment and it only addresses health plans, which, obviously, is our jurisdiction, but that still doesn't get to the questions about whether providers are disclosing that information and using it for marketing health care operations or any of the other entities.
That only gets to a very small target --
DR. DANAHER: Let me just argue with you about that because I think that that is kind of the source for the remuneration. That information can be transmitted from the health plan to the providers and the provider is being paid by the health plan, the labs. It would subsequently go to labs, radiology, et cetera, because they are being -- I didn't mean to interrupt but --
MS. PELLOW: No. Go ahead.
DR. DANAHER: I am just kind of -- I just don't -- see, I guess, to me, your insurance company that pays your bills and your claims and pays the radiologists or the pharmacy or whatever, blah, blah, blah, blah, blah, would be a good putting the onus on them to convey your preferences to the radiologists, et cetera, that they pay.
MS. PELLOW: Right, but the insurance company may be paying these other entities, but the other entities still have a financial stake in it themselves, not directly related to the insurance company paying them. if doctors or pharmacies or whoever, other entities, have a financial stake in selling your information or using your information, it may not be directly related to payments they are getting from the insurance company, reimbursing, you know, for payment for services.
DR. DANAHER: It just seems to me when that information from a health plan is readily transmitted to pharmacies that they contract with with the provider networks that they contract with, with the lab, you know, groups that they contract with, et cetera, as part of that payment they maybe transmitted the information that these members have agreed to -- you to be able to use -- you know, you use their information for marketing purposes.
MS. PELLOW: I understand what you are trying to get at and trying to think of if they are the biggest source of the information, maybe if we get the authorization right there, but I think there are still too many other ways of getting information and information being shared that goes on around the insurance companies that you may stop one hole, but you have still got all these other holes and loopholes that the information is still flowing.
I don't think that solves it and our members wouldn't agree to that being the solution.
MR. SCANLON: Can I follow up, Mark.
Wendy, have any states adopted -- actually adopted the provisions related to marketed that you described this morning, including the opt in or the opt out? I mean, you have had a lot of legislation going back --
MS. PELLOW: Right.
MR. SCANLON: If so, what has been the experience one versus the other?
MS. PELLOW: Right. And we have adopted three models. It is in the appendix in the back of you written testimony. It kind of gives a brief summary of each of the models. The first one was developed to apply to insurance information broadly and has an opt in standard for all types of information. A 1998 model, which we developed primarily as guidance to Congress and to HHS because they are considering adopting privacy regulations based on HIPAA. We put that together. We haven't had any states adopt that because that was primarily developed as a guidance for Congress and HHS, as I said.
The third model, which we developed in 2000 was implementing privacy protections based under Gramm-Leach-Bliley in the insurance industry considered part of the financial institutions and the insurance departments are the regulators for those institutions. So, we were responsible for implementing privacy protections for the insurers.
We developed in the debate -- and I briefly mentioned this in my oral testimony that we had the debate about financial versus health because our previous model had always used an opt in standard. For Gramm-Leach-Bliley they used an opt out standard for financial information.
But an important part in Gramm-Leach-Bliley was that it allowed the states to go further to create higher level protections for the consumers. Since Gramm-Leach-Bliley is really getting financial information, we wanted to do something for health information and we included health information in our models implementing those standards was because in the preamble, some of the regulations that came out from the Federal Government on Gramm-Leach-Bliley, there were hints that financial information could possibly include health information.
Well, that sent a big red flag up for our members, you know, like, no way, we don't want health information being treated the same as financial information. They didn't want it to be the same as financial information because health information is so much more sensitive. I think people have a greater or a heightened sense of wanting to protect that information, not that their financial information isn't important to them to having control over, but health information is a bigger -- drawbacks are ways of being hurt, either discrimination in employment or trying to get a loan. So, they wanted to protect that.
Since the states had the right to go further and create higher protections under Gramm-Leach-Bliley, we did so for health. If you will look on page 5 of your written testimony, in the footnote, we write out how many states have adopted the Gramm-Leach-Bliley.
We have 48 states, plus D.C. in the past year who have adopted the Gramm-Leach-Bliley privacy protection. It is broken down. Twenty of them have adopted both the financial and the health standards, which means the financial use, the opt out standard, health use, the opt in. We have 15 who did the financial and are in the process or looking at the health part of it.
We have our 1982 model, which is our much more broader, general model, but it provides an opt in standard. So, we have at least 33 states already. We have opt in for health information and another 15 who have the private -- for the financial and who either have information or are looking at it for the health.
So, you can see in just this past year, that states are really moving forward in the direction of moving in it to make sure an opt in standard is used for health information.
So, that is already there. I guess we kind of wonder why our government would put something in even lower than what the states are doing, knowing that the states are going to be enforcing something stronger.
MR. SCANLON: I guess there might even be a question of which of those regulations or statutes prevail if the state has a stronger --
MS. PELLOW: Well, yes, and I think that is why the states are wanting to make sure -- they are looking at the HHS privacy regulation, understanding that there may be changes in this area. This is definitely an area they are looking at and like, well, we can't just let the federal regulations stay in place if we want to not only be the enforcers and make sure that health plans are complying and protecting the information based on our state laws.
But they see this as a big loophole and they see this as really losing protections on this issue. They want to make sure that they have their own statutes in that are comparable if not stronger.
MR. FANNING: I know your jurisdiction, if you will, is insurers and health plans. Have you had occasion to distinguish the rules that might be applicable to insurers and health plans from those that are applicable to actual providers of care, like physicians? Are you in effect recommending the same standard for everyone?
MS. PELLOW: For everyone, yes. I mean, obviously, we only have jurisdiction and can only really address how the insurers are using the information, as opposed to really knowing how the providers are -- how they are using the information -- definitely across the board and opt in or in getting authorization, prior authorization for using the information for marketing purposes.
MR. FANNING: All right. Your 1998 model act was meant to apply to insurers.
MS. PELLOW: Right. All insurers, not just health insurers.
MR. FANNING: All insurers. So, health information held by other insurers is --
MS. PELLOW: Is covered as well, which is another reason why the states wanted to have those laws in place so they can apply those types of protections for consumers no matter who holds -- no what type of insurer holds that information.
MR. FANNING: Has there been any discussion of possible anti-competitive effects of limiting marketing that somehow it deprives people of information about alternative providers of whatever beyond the one that one's already enrolled in?
MS. PELLOW: I don't recall having those conversations just because we have taken the policy stance for so long to marketing, but I think it is important to stress we are not anti-marketing and we are not trying to prevent marketing from happening. We are not trying to prevent consumers from getting information. We just want consumers to have the chance up front to have it explained to them like we want to use your information for marketing and here are all the benefits for having it and let the consumers say "yes," you can disclose my information for marketing purposes. I think those, some of the things you will recommend sound great.
So, I don't mind. But I think it is up to the consumer to decide up front.
MR. FANNING: We have been using the term "disclosure" here and Bob Gellman used that term this morning. However, what the regulation speaks of is using the information of a particular covered entity, insurer, provider, using it itself and the only disclosure that would take place would be under the regulation to someone who acts under contract of the covered entity with presumably controls on further use.
Are you troubled at well by direct use of the information by the entity that the person is dealing with or does the problem arise only when someone else has to be hired to send out a notice or do some other communication?
MS. PELLOW: I don't think we have made that distinction. I think it is marketing as a whole. I think we haven't broken down by -- is it a third party marketing is your covered entity, but I think in those types of situations, you might need to take a step back and like, well, look at the definition of marketing, look at the definition of treatment, payment, health care operations. Is this something legitimately with the -- you know, as a covered entity, as with the health plans, is this something that is covered within their health care operations or payment operations that it is legitimate to share information or, you know, suggest information to your enrollees or your patients.
I think in the HHS privacy regulations, how you have defined marketing and what is considered marketing and what is not considered marketing is broad enough to allow, you know, legitimate discussions with health plans and enrollees. I think how you have defined marketing is making sure that you are keeping up that financial interest, that outside interest and why the enrollee would be telling you or not telling you because there is alternate treatment or we are trying to give you the best care or there is something else out there, there is at least that hint in the back of their mind that there is some other motive, where it should be financial.
I think how you just defined marketing in the regulation makes that distinction, that while loss of disclosure, but it doesn't want to allow there to be any hint of a conflict of interest.
DR. DANAHER: Ms. Pellow, just so -- it seems as if your position or the NAIC's position is you boil it down is that you believe consumers have the right to or should be allowed to opt in up front. Is that basically what it is?
MS. PELLOW: Right.
DR. DANAHER: So, tell me what that means. What does it mean to opt in up front where -- logistically, what does that mean? When during the process of receiving care, et cetera, would they opt in? How do you see it? How would you see this being --
MS. PELLOW: I would think either, you know, as you said, at the time of enrollment, if you are a provider, you know, and you are first visiting with them, I think the first time you are really disclosing that protected health information you need to have that discussion and have them give the right up front -- just giving them all the information and giving the right up front --
DR. DANAHER: How does that keep a lab organization from using the information to the market, et cetera? The consumer is not interacting face to face necessarily with the lab or the radiology or whatever. You very aptly when I pointed out the opt out, you said there was all this extraneous stuff. I am just trying to figure out --
MS. PELLOW: Well, I think that is why we take the position of opting in, as opposed to trying to opt out.
DR. DANAHER: Right. But that is what I am asking you. How do you opt in? How does that -- your position, the fact that you choose to, how does that communicate -- I guess --
MS. PELLOW: I guess in our case, the burden is on the health plan that we have received and opt in or consumer -- in the case if you don't have an opt in, then, obviously, the covered entity can't disclose it for marketing purposes because then the person has not authorized you to do so. They have not opted into that.
DR. DANAHER: So, I guess my point is will you opt in or you opt out -- I mean, say I am a consumer and I sign up with XYZ Health Plan and for various reasons it is really important to me that I want to be involved -- you know, I do want to get marketing information. I do want to get stuff. So, either way, whether I opt in or opt out, it is incumbent upon the health plan to convey that position to everyone or -- I guess --
MS. PELLOW: I don't know. I think it -- yes, there is a responsibility on them to -- whenever they are disclosing information, whether it would be health care operations or they are passing the information on to the lab or the doctor that conveyed that --
DR. DANAHER: It almost seems like -- and I don't mean to beat this point to the ground -- if one is taking a position that marketing information is bad --
MS. PELLOW: We are not taking a position --
DR. DANAHER: Right. No, no. I am just saying if one did, then you -- if you take the position that marketing information or some of it could be good and beneficial and helpful and productive, then you would want to facilitate in the public interest that position, the fact that someone opted in, you would want -- the health insurance company, you would want them to make sure that they convey that to the radiologist, you know, to the radiology company or to the PBM or to whomever, so that this patient, you know, the consumer got to know what the latest advances were in diabetic treatment or whatever.
I mean that is the thing -- that is what I am just wrestling with. Do you get my point or not?
MS. PELLOW: No, I am not quite sure I can answer your question.
MR. ROTHSTEIN: Maybe I can jump in on this. I think the point that you raise is an excellent one and it doesn't matter whether we keep the current system or go to the opposite system that you were recommending. In other words, if there is an opt in system, we need to have some way of regulating what that means and how indirect providers learn of that or if we kept the current system, we still would need a way of regulating the way indirect providers learn that a patient has opted out and that those records may not be disclosed for marketing.
DR. JANOFSKY: I would like to address that if I could. The major difference between opt in and opt out is who has the burden of obtaining the consent. In an opt in system, the burden is on the entity, the lab or whatever, to send information to the patient and they can make a choice whether or not to receive the information. You can't receive marketing information until the marketer decides to send it. So, in the opt in system before that information can be sent, the entity would need to send the patient a form or information and asking them whether they want to be sent the information.
If the consumer does not send the form back, no information is sent. There is no privacy --
MR. ROTHSTEIN: But it might be possible -- if I am a consumer and I just love to get mail and calls and learn about everything, wouldn't it be possible for me to sign one authorization from my primary care doc that says anybody who has my records, they can do whatever they want with them in terms of marketing, as opposed to all of these indirect providers then having to contact me and my providing separate authorizations?
DR. JANOFSKY: I think a single authorization would be -- in my opinion, a very bad and dangerous idea. You can't have informed consent about disclosure unless you have the information about what is going to be disclosed, how you are going to be marketed. You can't assess the risks and benefits of the breach of privacy unless you have information about the product you might be marketed about.
Furthermore, marketing information just doesn't appear. Someone has to pay for it. Someone has to start a campaign. So, you have to put the information together. It is just not out there.
MR. ROTHSTEIN: Let me put it in a way that you are maybe more comfortable with the question and that is how would you notify people -- suppose the current rule into effect. How would you notify indirect providers, people that we have already identified, PBMs, et cetera, that this particular patient has opted out? I take it you wouldn't require that the patient opt out with each successive one.
Wouldn't we have to figure out some way of coding that and getting that downstream?
DR. JANOFSKY: I think it is precisely the point you are raising that makes the current rule not workable. It is that very point you are making that makes this rule not workable. I don't think it can work because, again, when you are -- if you are opting out, how do you know what you are opting out to? You can't opt out to something you don't know about. Just like you can't opt into something you don't know about.
Health information is not an all-encompassing thing. People have different health problems. Maybe they want to be marketed on their Disease A, but not on their Disease B, C or E. How can they possibly make the choice, a reasoned choice, either to opt in or opt out unless they know the type of marketing information they would receive?
DR. DANAHER: The flip side -- and this is why I am grappling with this, Ms. Pellow -- and this is what I was getting about marketing being characterized good or bad or whatever -- take this scenario. I am a consumer. I have a terminal illness or I have got a, you know, psychiatric illness and the medication I am on has very real side effects. I want to know -- you know, I have combed the medical literature all the time. I want to know about new innovations that are occurring.
Okay. So, I have opted in. Whose responsibility or obligation is that to get that information to the indirect providers?
DR. JANOFSKY: Again, I will say it again. Marketing information doesn't come out of the air. It has to be designed as opposed -- this was hard for me to think about it -- as opposed to scientific literature, which is out there for anyone to see. Marketing information just doesn't occur. It has to be produced. The person who produces the marketing information is going to have a very big incentive to get that information out there and I think they should have the burden of obtaining consent before private health care information is released to the entity for marketing purposes.
MR. ROTHSTEIN: At the prior panel, one of the witnesses testified against changing the rule on the grounds that an opt in provision would be burdensome. It seems to me that an opt out provision would also be burdensome unless nobody did it. Maybe that is the assumption underlying that suggestion, that if we had to affirmatively recruit these people, it would be a burden, but if they had the burden, that is, the consumer had the burden, maybe they wouldn't do it and it wouldn't be burdensome.
DR. JANOFSKY: Well, that is -- well, I hate to be a cynic, but I think that is -- I think that may be an underlying precept. If you put the burden on the patient, perhaps the thinking is how is the patient going to know? I mean, this should be a patient-centered issue. This is a patient privacy bill. This isn't a marketing financial aid bill. The patient should be first. Why are you thinking of putting the burden on the patient to maintain privacy?
Why shouldn't the burden be on the marketer, by the way, if his marketing is successful and he has a good product, is going to make a profit, why shouldn't the burden be on the marketer, even though it is a burden. We all have burdens. I have burdens when I take care of my patients. I am willing to accept that burden because I think it is in my patient's interest.
Why shouldn't the marketer have the financial burden? I don't think it is that much of a burden to be required to obtain informed consent before the information is released.
MS. PELLOW: There is going to need to be a system in place either way, whether you have opt out or opt in in terms of tracking it, in our models, we have put the burden on the health plan or the insurer to -- you know, in the process of the authorization, you know, described all the people that they are going to give it to, what the purposes of, you know, the authorization -- what types of information you are trying to get, all of that.
The burden is on the covered entity or in our case the insurer. I think it is important that either way there is going to have to be a system to track it, that you need to take a step back and it is like -- or look at the consumer, though. If the covered entity is going to need a system either way, that is the thing, but it is going to make a big difference to the consumer, whether they get the right to opt out or they get the right to opt in prior to having that disclosure made.
So, you are going to need to track that either way and to get to your question in terms of you wanting new medical information, well, part of that is talking to your doctor or talking to your health plan in terms of getting additional information, getting the newest information out there. If you are talking to your doctor and saying, look, these treatments aren't working, I think you have that treatment relationship there and also you can give authorization to your doctor. Please share my information. We are looking for, you know, a better solution or better treatment.
DR. DANAHER: I think it is a nice idea. The Internet and external sources of information have eclipsed, you know, physicians and providers as the primary source of information for patients.
MS. PELLOW: But you can give your authorization to your provider to disclose your information to find out that type of information. You know, please share my information with other providers or other plans or marketers or other entities, who may have that information. But that is the consumer getting to say right up front I want this. I see the benefit of you sharing my information.
DR. JANOFSKY: But that is not marketing. That is treatment and that is the difference. I have a duty now. When my patient comes in and they come in with information off the Internet all the time and we review it together. We sit down at the computer and go to the web and go to the pages, but that is not marketing. That is treatment planning and that is different.
I don't need a particular -- I don't think anyway under this rule or any other rule to do that. That is regular care. The difference is is when you are outside of the treatment relationship. That is what we are talking about. That is what makes it dangerous because, again, the outside entity, unlike the doctor/patient relationship, the outside marketing entity has no fiduciary duty to the patient. They have the duty to their stockholders. That is just as ethical.
Their duty is to maximize profit and that is a good thing in our society. My duty is to act in my patient's best interest. Those are conflicting ethical duties and I think that is where the problem is.
MR. ROTHSTEIN: I don't want to get distracted, but I mean I appreciate your depiction of the doctor/patient relationship and it is hard to pick up a newspaper or a magazine, et cetera, without seeing physicians, hospitals marketing themselves. The U.S. News & World Reports ranking of hospitals, the face that we are -- Johns Hopkins is the No. 1 is that -- you know, so, I guess it is --
DR. JANOFSKY: With all respect, that is not marketing in my opinion.
MR. ROTHSTEIN: But I guess what I am worried about -- and, again, I don't mean for that to be a diversion, but a little repartee, but I guess what I am worried about is your position and the APA's position seems to me to potentially hurt the social good of patients who are learning about alternative treatments, alternative therapies, et cetera, by now changing the status quo and by putting a significant burden on outside entities and outside providers to go and obtain that authorization.
DR. JANOFSKY: Again, I respectfully, strongly disagree. In fact, I believe that if this regulation is allowed to go forward, it would affect the social good in exactly the opposite way. Patients only tell their physicians about their most intimate secrets, about their difficulties because they assume that the doctor is always operating in their interest.
It struck me when I was an intern 20 years ago, medical intern, walk into a patient's room at 3:00 in the morning, never saw them before and they would immediately tell me everything about themselves, things they haven't told their spouse, their minister or anything else. They do that only because they know about our social contract, the social good that we have established in the doctor/patient relationship that I will only use the information they give me for their benefit.
This regulation might have the effect of breaking that social good or social contract because then patients could not assume that I was always working for their interest. I always have a duty to educate my -- right now, I, as a physician, have a duty to educate my patients about alternative treatments, et cetera, to answer their questions, but, again, my goal is always to put their interest first. Once you allow marketing to intrude and marketing's goal is not necessarily to follow the patient's good. It is to sell a product. That is what it is for.
Once that intrudes on the doctor/patient relationship, you have destroyed the social good that we have in the doctor/patient relationship.
MR. FANNING: We don't like to make our policy based on horror stories, but I am wondering if the witnesses have any examples of marketing or marketing-like activities that they are aware of that they would describe as harmful or know to have caused specific harm?
DR. JANOFSKY: Well, I will tell a personal story and this is one of my relatives, who went into her doctor and was wrongly diagnosed with asthma on a single visit. She doesn't have asthma. It was coded as asthma. Since that time, she has received mounds of information about asthma treatment, has gotten phone calls from her health insurance plans, patient management system regarding how to manage asthma. She can't turn it off. She keeps getting pharmaceutical product literature. Her own insurance plan keeps asking her for case management better -- she doesn't have asthma. It was a misdiagnosis. She can't turn it off. That is crazy. You know, you don't go to your doctor -- the social contract today is you go to your doctor. You expect the information to stay in the room unless you sign a release. She signed no release.
That information -- how did it get out there? It got out there because existing state regulations apparently aren't working, at least in my state, regarding this issue. I think for me that is a disturbing issue.
MR. FANNING: Okay. Some people would regard that as legitimate disease management and the information is there because reimbursement was sought at the health plan or the insurer knows what was prescribed.
DR. JANOFSKY: Except she doesn't have the disease that they think she has. And she has no ability to turn it off.
MR. ROTHSTEIN: Again, just using that example, there are enumerable people that have been helped by disease management programs that have been sponsored by outside pharmaceutical companies that have had access to information from health plans in collaboration, have been put on, you know, programs --
DR. JANOFSKY: Don't miss my point. I think information is good. I think disease management is good, but I think it should be up to the patient to decide whether they want the information disclosed and they should have the ability to turn it on and they should have the ability to turn it off.
MS. PELLOW: May I answer your question?
I listed a few examples that we had gotten just anecdotally when we were developing our privacy model, one of them being a man made a claim to his insurance company for medication that he had been prescribed and, you know, within a few days his doctors being bombarded by pharmaceutical companies trying to get the doctor to change the patient's medication to something that they sold.
There was a man who was diagnosed with diabetes a week later, who started getting information on syringes and different, you know, diabetic medical equipment and he hadn't told anybody. Well, as you say, some people may think, well, that is great. You know, they got the information, but to these two people, they were very upset and I think at least the insurance commissioners wanted to take a stand like we don't want to see who is going to be upset by this type of disclosure, you know, would John be upset, but Mary wouldn't or which type of disclosure is okay. It is okay if you are getting information about diabetic information, about diabetic equipment, but if it was about AIDS, then we would be upset.
We didn't want to wait until we got a whole long list of consumer complaints and, well, is this one legitimate or is this one not legitimate because those consumers, it was upsetting to them. They didn't want that information shared and they didn't want to be marketed. So, we took the policy stance right up front to get authorization, get prior authorization, using an opt in standard and just inform the consumer what you want to do with it and then get their consent up front.
MR. FANNING: The first example you gave is an instance where the patient was not approached, but the prescribing physician was approached. Is that forbidden or otherwise controlled by your model?
MS. PELLOW: I don't believe that was addressed, but those were just examples of stories that came up because then the doctor is feeling -- I mean, we don't have any concern to what -- or not concern with what the doctors think, but I mean our focus was obviously the consumer, but if then the doctor is feeling to change it or is this in the best interest, we didn't want to have that hint of is there a conflict of interest here. Is the doctor switching my medication because it is really better for me or is it because he is going to get paid whatever amount of money to change it?
Our model doesn't address that and I think that it was stories like that we didn't want to get into trying to draw fine lines, is this okay, is this not okay. So, you just got the authorization right up front, using opt in.
MR. ROTHSTEIN: Michael.
DR. FITZMAURICE: Wendy, I want to go to the bottom of page 5 that -- to the table that you directed us to that show 33 states have an opt in standard. I notice that it starts off with new consumer privacy provisions and I am concerned about the overlap between the covered entities of the HIPAA privacy rule and the entities to whom this might apply.
The reason for that is that if 33 states have such laws and if such laws apply to the HIPAA covered entities and are deemed to be more stringent, then that would effectively override the provision in the privacy rule. Are these, the states that have enacted the regulations or the laws, do they cover the covered entities in HIPAA? This is a question of what is the scope of these laws relative to the scope of HIPAA.
I realize that it may be out of the bounds of what you know.
MS. PELLOW: No. The scope of the GLB privacy standards apply to all insurers. So, it is property, casualty, worker's comp, the whole life; whereas, under HIPAA, it is just health insurers. So, our standards -- these are important to keep in place because they will at least maintain a minimum protection and minimum requirements that are put on all insurers to protect consumers' information.
Obviously, when we drafted this, we got a lot of heat from the insurers saying wait, HHS is going to come out with a regulation. They are going to finalize it any day, but at that time we didn't want to wait until HHS came out with the regulation and finalized it because even when it was effective, there would still be that two year delay in terms of compliance date and we didn't want to have that gap in there for -- you know, lack of protections for consumers' health information. So, we put the piece into the Gramm-Leach-Bliley Act to protect consumers' health information, but we made sure we made it very general.
We didn't get into a lot of the details that are found in the regulation, that we didn't get into a lot of the details that are found in our previous regulation because we didn't want there to be that conflict of, you know, we said you get x number of days for authorization or you need this in your notice and, you know, the HHS privacy regulation would say something else.
We did that kind of as a stop gap to keep that protection in place and then, obviously, once HHS comes in
-- the regulation comes into place, the health insurers are going to have to comply with that standard as well, but that is where the states are right now looking at that because, great, it would apply to the HHS regulation and all the details, but if there is this marketing exception, we are still going to have to go back and, you know, make sure that is a state requirement that they are also going to comply with.
But we also wanted -- once 2003 rolls around, there will still be protections -- consumers' information is still protected if it is held by property and casualty insurers and other types of insurers, who aren't covered under HIPAA.
DR. FITZMAURICE: So, essentially, this would not apply to providers unless such providers are deemed to be financial institutions?
MS. PELLOW: Right. I mean, obviously, our model -- I mean, just because we are a jurisdiction can only apply to insurers and providers aren't lumped into financial institutions that I am aware of under the Gramm-Leach-Bliley.
DR. FITZMAURICE: And probably not clearinghouses either.
Thank you.
MR. ROTHSTEIN: Well, thank you very much for your testimony this morning. We do not have any public comments scheduled at this time. So, therefore, we will adjourn for lunch until 1 o'clock.
We will move the afternoon session, that is, Panel 3 on fundraising, up to 1 o'clock, assuming that those panel members are here in time and then assuming that we are doing that, we would be also moving up the afternoon panel session from 3:15 to 2:45 for Panel No. 4. So, to some extent we are going to have to play that a little bit by ear, but we are adjourned until 1 o'clock.
[Whereupon, at 12:00 noon, the meeting was recessed, to reconvene at 1:00 p.m., the same day, Thursday, January 24, 2002.]
MR. ROTHSTEIN: Good afternoon and welcome to the resumption of the hearing of the Subcommittee on Privacy and Confidentiality of the National Committee on Vital and Health Statistics.
This morning we heard from two panels discussing the issue of marketing and this afternoon we will hear two panels discussing the in some ways related issue of fundraising.
I want to remind people that at the conclusion of Panel No. 4, there is an opportunity for public testimony and if you are interested in testifying on either of these issues, please sign up at the registration desk and we will put you on our list.
I also want to welcome back our friends who are listening to us live on the Internet.
So, let's begin now with the fundraising Panel No. 3 and we will begin with Ms. Pollak.
MS. POLLAK: Thank you, Mr. Chairman and thank you members of the committee. I am very pleased to have the opportunity to return to speak to this committee. I previously spoke on general research issues and the impact of HIPAA on research and I did mention at that time that there was an issue with fundraising, but this is an opportunity to flesh that out and answer any questions that you might have.
I understand that part of your charge is to look at the protections that HIPAA intends to put in place and weigh those against the burden or difficulty for those who are to be regulated through HIPAA and, indeed, this is one that I thought possibly may have been inadvertent, but I believe that that may not be the case, that there really are two sides to this debate.
I want to put forth what the current situation is for particularly my interest, non-profit, academic medical centers and how the new HIPAA regulations on fundraising impact us. Then we offer some solutions and from our view you would weigh that impact on a person's privacy rights.
What is going on today and really for the last 25 years at Hopkins is that -- and probably longer -- is that there are 18 departments at Hopkins and they are almost like mini hospitals. There is ophthalmology, the Wilmer Ophthalmology Center, the oncology center, the cardiology center. If you go down the list of departments, even the department of medicine that is somewhat more diffuse is really seen as a department that a patient would come to. So, if they come to Hopkins and they may say I am coming to Hopkins, but it is really I am going to see Dr. X in Department Y. That is sort of how they present at the desk and that is how we are seeing them.
Over the years, there has been fundraising, which is ever-increasing, for the needs of research. As you know, we get a lot of funding from NIH. We get funding from private sponsors, but we also depend in large part, about a fifth of our research budget is funded through private donations. That budget is primarily targeted at very innovative new research that if you were competing with all the other grants for an NIH grant, might not be funded.
If you went even to a private sponsor, they might have a hundred in line for that million dollars or five million dollars; whereas, if we have funding through private donors, which we often do for several millions of dollars, they say my daughter died of X. I want to make sure that we target research in this area and here is my $5 million and I want you to tell me who you are going to give it to and what the purpose of that research is for.
Now, those fundraising efforts are carried out through our development office. These are employees of Johns Hopkins. They are given information not about the diagnosis of the patient, not about any of the more personal items about the care. They are given the department and the physician that the patient visited.
Then they make a contact with that former patient and/or family if the patient is deceased, and they follow through in saying can we tell you more about the research opportunities, can we tell you more about what the department is doing.
For fiscal year 2000, which is the most recent I have, we raised 98.98 percent of our money through departmental fundraising. A general campaign is not successful generally. Because it is the people who come to those departments and to those particular physicians, who want to know that their money is going -- not that Johns Hopkins isn't a wonderful place, but they want to know that their dollars are going to targeted research.
This is not a small matter. We have looked at research that this funds and just two come to mind. Burt Vogelstein got his start in research through privately funded services and Patrick Walsh in the department of urology, who, of course, spearheaded the new prostate surgery mechanisms in large part through his early research that was funded privately.
Now, what is the problem with HIPAA? This is the way it has been going on for, you know, decades. HIPAA has been passed and there obviously was a concern that either private information was being used to make the fundraising contact or that inappropriate contacts were being made. So, what does HIPAA say? HIPAA says that an institution may use demographic information; name, address, phone number and even curiously payer class and the date of service.
But they may not use the department that the person visited or the name of the physician that the patient used when they were at the institution. So that in effect what one is left with, if one follows this rule, without a specific authorization to use protected health information , such as this is viewed as the department and the physician's name, you would have to get a signed authorization to be able to contact the person to say would you like to give or even to contact and say is it okay if we contact you about fundraising.
Now, you might say to me, well, Ms. Pollak, what is so difficult about that. Why can't you just use an authorization? Well, if you look through all the things that you need to do under HIPAA, you are going to have consent form. You are going to have an authorization for anything that is non-routine and that may be a slew of other things.
In addition, about 50 percent of the people that come to Hopkins participate in some form of research. Therefore, there is going to be a research authorization, which must be separate and apart from the consent and any other authorization. So, all of these things are coming at the patient at that time.
They have just walked in the door and you say, by the way, I would like you to sign this other form to authorize us to contact you for fundraising. Possibly at that point, that is the last thing that the person is thinking about, plus if you look at all the required components of an authorization, it is very long. I have offered to you a sample form. If you fully comply with the regulations it is about a page and a half single spaced.
One of the terms in there that is particularly difficult for us is that you have to warn a patient that we can't guarantee that your information will remain private. So, therefore, if you authorize this, it may be redisclosed to other people and, therefore, we can't really protect the privacy that you visited this department or that you went to see Dr. X.
Now, how does this work in reality? If there were an exception -- and I am going to offer two solutions at least to the problem as we see it. If that information is only given to your own development department or if you hire someone to do your fundraising, if it is your employee, they are bound by HIPAA anyway and all of the protections that we are going to have to have in place are going to be there.
If you use a business associate to do your fundraising, you are going to have to have a business associate agreement, where that business associate says that they are going to keep that information as confidential as you would have to.
Therefore, it would only be through a misuse of this information that it would be redisclosed to anyone. That is true in almost anything that we do. We cannot protect against an individual who goes off the reservation and discloses private information. That could happen even in health care operations, finance, payment, any of the other things that are thoroughly allowed under HIPAA.
So, coming back to the solution, if we were to amend the regulation to merely add to the list of things that could be used without a patient's consent or authorization, the department that they visited and/or the name of the physician. The department actually is the most critical thing because then the dialogue can begin. That would allow that information to be used for a first contact.
If the person does not want to be contacted about fundraising anymore. They certainly would have the opportunity to say I don't want to be contacted anymore about fundraising.
Now, obviously, there are some risks with that. There is the risk that you get a letter that says "Oncology Department" on the return address. If for any reason you were sensitive about people knowing that you came to the oncology department, that letter coming to you would certainly have that.
There are many other instances under HIPAA where we have made exceptions and that that risk has been balanced against the good that would come and we have tried to build in protections for the patient.
Just looking at it selfishly from the academic medical center's point of view, that is the best solution for us because having an additional authorization of any kind is going to be an additional record keeping and possibly a bar to some people consenting to fundraising. The other alternative would be a simplified and more direct authorization. I have also offered a form to that effect in the materials that you have.
Instead of going through the 12 or 13 requirements for an authorization, it really just says we would like to contact you about fundraising. We will keep your information confidential and we will not knowingly release it to anyone. If you don't want to hear from us, just let us know.
That type of a form is less threatening, we believe, and more likely that people really understand the spirit and intent of what is going on.
Let me compare that to an authorization for research. Those types of authorizations really need all of the kinds of things that are in the authorization language in HIPAA. It is a very serious undertaking. There are researchers at many, many different levels in many different levels in many different institutions that are going to have that information and see that information.
That is a serious decision. Whether or not one is going to get a call or a letter regarding fundraising, at least for decades at Hopkins we have had almost no complaint. The one or two complaints that we have had, we immediately took them off the list and they were not contacted again.
So, we see 40,000 inpatients and about 200,000 outpatients every year. We have had only a handful of people who have said we don't want you to use -- you know, to contact us through the department of ophthalmology or the department of oncology.
So, we would hope that you would seriously consider hopefully the first alternative of merely allowing the department to be used and if not, to have a simplified authorization form. Again, coming back to where I started, the weighing, when we look at all the research dollars that are coming through the Federal Government and every year increasing the budget by 5 to 10 percent for NIH funding. If you took away all of -- and it wouldn't be all but a good portion of the private philanthropy fund research.
One of two things is going to happen. Research is going to have to shrink because those dollars are no longer there or you will find institutions making increased demands for valid and important research to the Federal Government for additional funding sources.
So, when we look at the possible harm and we weigh it against the possible intrusion on the individual, we hope that you will take this into consideration that it is a serious matter, that there are hundreds of millions of dollars in research support that depend on this decision. When you take the hundred to 135 academic medical centers across the country, I think Hopkins may be one of the top in private philanthropy dollars, but there are some others that are close. When you add all of that together, we are talking about a huge amount of money that would no longer be available.
There are institutions who do blanket solicitations, in other words, to all patients. The Mayo Clinic is one of those. The Mayo is not organized as many academic medical centers so intensely on a departmental basis. It really is an institution-wide effort and there was testimony before the committee that was considering HIPAA in the Office of Civil Rights that the departmental unit was not that important for fundraising. It is in the comments in the published HIPAA regulations.
I guess I am here to say that is just wrong. It is important. We hope that you will consider our plea and it is a plea to weigh these things and to come up with a solution that will not undo something that we think has worked very well for decades and is not a great intrusion into the privacy of individuals.
Thank you.
MR. ROTHSTEIN: Thank you very much for that testimony. It has been our practice certainly today, we will get testimony from the other member of your panel and then will have questions at the end.
So, Dr. McGinley.
DR. MC GINLEY: Thank you very much, Mr. Chairman and committee members.
I am delighted to be here with you today and very proud to represent the people who are professional health care development individuals throughout the country. Accompanying me is Kathy Renzetti(?), who is our marketing and communications manager and who deals and fields some of the questions that we get from our own members about this issue along with some other people on our staff.
My purpose today really is to -- there are so many things I would like to get out here, based on visits we made with HHS when we started this endeavor. I will try and do that succinctly. But to give you a little history and background about operations and in particular this organization and how we work and a request that is very similar to what Joanne is talking with you about.
As such, our profession is with development executives is responsible for management of foundations and departments within the hospital. Very nicely, when we went through all this before, the regulations do also speak to institutionally-related foundations and how they work within this whole process and the regulations cover that.
That was a big plus for us, the fact that that was carefully crafted, but indeed part of what was really something that we are after, where Joanne is saying an exception, I am not here to ask for an exception today. One of the things that you will see is that our organization has existed for 35 plus years and what we are asking is that we be allowed to operate in the fashion that we have operated for 35 plus years in all of this.
Just to give you a sense, so you know where we are coming from, all of the individuals that are doing fundraising in our association are employed -- first of all, they are employed by the organization. We were incorporated in 1967. Prior to that, we were a little company called Develop Partners, all not-for-profit, and we only represent not-for-profit; 3,100 members across the United States and North America right now, with some in Australia and Europe as well.
Philanthropic programs in more than 1,900 institutions and it is actually more than that because we represent multi-hospital facilities as well and not all of those are included in the number. Right now, it is actually closing in on 85 percent of the U.S. population. It is growing even more served by our members. In 1988, the data that we were using when we first approached this, AHP members represented raising $5.7 billion in the practices they went through. At that time, that was 1.92 billion more than all of what United Way has done.
In the two years or the most recent data, we have now reached $7 billion for those people that are doing the fundraising. That is 3.1 billion more than all of what United Way is doing in the United States, just to give you a perspective on that.
When we approached this and we asked -- when we look at CEOs across the country that are managing these enterprises. There are three basic sources of revenue for them. It is operations. It is investments and it is philanthropy. As recently as eight years ago, I still had some of the CEOs of hospitals saying to me that philanthropy was insignificant.
Now, when they would look at that and I would take some even small hospitals and we would look at what they generated to their bottom line off of their operations compared to the fundraising. Then it became very significant. In the past eight, nine years, the philanthropic dollar is carrying many organizations. Now, it is not going to save the day, but it is carrying them very clearly. So, it has become more important to the CEOs. The fact that these people are all employed in not-for-profit organizations, which is misunderstood by an awful lot of the public out there, what not-for-profit and for-profit is all about and the fact that these funds stay in the community. They are reinvested in the community.
They do the research kinds of things that Joanne is talking about. That confusion is something that we constantly work on. We know that these funds are doing all sorts of things. It is not just research, but it is wellness programs, mobile health vans, mammography screenings, eye exams, facility improvements, upgrades and all sorts of things that are essential to the various communities.
This speaks very well of the community support for these activities. I want to ask you when you hear the word "fundraising," what do you think of? Am I allowed to ask a question?
MR. ROTHSTEIN: Sure.
DR. MC GINLEY: Sure. I have just done it so it is too late. I will have to ask it. What do you think of when you hear that?
DR. FITZMAURICE: Letters in the mail. Phone calls.
DR. MC GINLEY: Phone calls when?
DR. FITZMAURICE: Usually around dinner time.
DR. MC GINLEY: So, you are working all sorts of things with the blocks that you can put on.
DR. FITZMAURICE: There are other ways. They won't get me at home. They don't leave a voice mail message.
DR. MC GINLEY: Well, that is so true of most of the people that the entities outside of these health providers are going about in a very professional way at that level, but certainly not through what we see in health providers. The fact is that people will generally react to that.
So, one of the things we explored when we asked donors and we asked our members early on, what would happen if we had to get an authorization prior to making a solicitation, which is not our practice now and at that time with 98 data raising $5.7 billion dollars, we had a range of 3 to 3 1/2 billion dollars that would be at risk and potentially lost on the donation side and we went through -- we had people that responded, our own members, that told us the kinds of things that would be lost.
These are the kinds of things that would be lost in the community that we are very invested in providing. As a not-for-profit organization as well as a 501(c)(3), we have an obligation to conduct fundraising activities, an obligation. It is expected of us. It is demanded of us.
The types of things that the original regulations that came out would have precluded us from even having the demographic information and it was very gracious of you. We went through the orientation and such down here in the kinds of things we were trying to convey, indeed, we were allowed to have access to that.
We put together an analysis and, again, these are the things that we are allowed to have on the top, name, address, other contact information, phone numbers, e-mails, age, gender, insurance status, dates of service. As we approached that, a couple of things that we alerted HHS to, our members are professionals working in this field, know why you are in their facility. Whether it is outpatient or inpatient, they know. Why is that?
They are a part of health care operations. It is their expectation to visit potential patients. They serve as ombudsmen in many instances for the activities of these particular providers and on and on.
So, we know why you are there. By the virtue of the fact that you visit me or you call me when I am in the hospital, I know. I am not allowed to use that information right now as what is precluded the place within the hospital where the patient receives the diagnosis, nature of services and the treatment.
As we went through all of this, our members have no need, in my view, for information about the treatment, the diagnosis, the specifics. Knowing the department, which they already do in most instances, because they are part of health care operations, is very helpful to an awful lot of organizations that do their fundraising targeted to specific grateful patients.
We know that the philanthropic support that is coming out of communities is, by and large, coming through grateful patients. A grateful patient, the life of a grateful patient giving to health care and health care providers is about eight to ten years. In your college and university, it is over 20 years. So, we have a lot that we need to do with all this, but grateful patients are certainly the major source.
On average, 62, 63 percent of all gifts coming to health care providers are coming from individuals. I say there are also -- there is another category of bequest. I also say that is individuals that would up it another 10 percent. It is just they don't have -- in order to affect the gift, they have to die. But, again, it is coming from individuals, which are crucial to what we are after and what we are trying to do.
When I say I am not after an exception here, in our practice for 35 plus years, our members have adhered to the code of standards of conduct for our association, which clearly has elements that is in the packet that we distributed, that relate to respect for the rights of privacy and what that means, complying with the law and the professional ethics of the institution and there are two others that relate to that as well.
We also comply with the donor bill of rights, which was put together by a number of fundraising organizations, ourselves included, and long before this opt out idea was part of the regulations, that was included in the donor bill of rights. Now, I am just -- well, I used to be a young man, but I am an Irish kid from Philadelphia and I like common sense and simple and it seems to me that whenever you are trying to -- endearing yourself and build relationships with donors, if a donor doesn't want to be a part of that educational effort or learn about programs, you are foolhardy not to exclude them and to take them away from that.
It makes good sense. If you don't people will go out and tell 17, 18, 19 people of a bad experience and they only talk to two or three about a good experience. So, that is part of what we are after. When the regulations came out the way they were and what we worked with and proposed, we felt very confident that we could work within them. I can tell you right now there is an awful lot of confusion out there about them and how they will be applied.
Some organizations feel that they are in effect right now. You know, there is that kind of confusion. The key for us is simply in one element is that here we are looking at a preauthorization, if that were to happen, and we would have at least the 1997, 1998 data, we would have about half of those donated dollars threatened.
Since we got the arrangement to come here, we have been canvassing some of our members because we never even looked at the cost side of this and the paperwork burden for them. What we have determined is even on that side there is 150 to 180 million dollars that is an added burden that means that amount is not available for philanthropic purposes in the community. That doesn't include what our members would be doing with the computer systems and training and so on and so forth.
So, we know that paperwork burden is there and we believe it is something that would create some issues for us. There are so many other things I would like to get out, I hope we do have some questions on all of it and part of this is in my statement and I can take you to that direction.
But I think there are some other things, too, that you need to know about our practices. When you think of the word "fundraising" and we have seen instances where you have organizations that will take their list and they will sell that list to a related activity. You have probably dealt with that more in the marketing area and what you have heard. Our members do not do that. Their reputation, their integrity is built on the confidentiality of that donor list that they develop and how they are using the information.
What Joanne mentioned is absolutely true. We have rare exception where someone is concerned because how did you get my name, why did I get this letter. And I can tell you almost exclusively that that individual, once they learn what is going on becomes supportive of the activity that they have been asked to support. If not, they are removed from the list and they are not -- and it is not just fundraising. It is also the educational things that we are doing with community benefit, changing behaviors and our effort to do that throughout the country based on the needs of the individual community.
So, my last power point thing is just as a reminder again, I am not giving -- suggesting an option here, if you will, but, again, foundations as you know in the regs, departments that are a vital part of health care operations. We are considered to be a part of health care operations as employees.
The information that is listed here that we have should also be supplemental. It would be very beneficial if we were able to use the knowledge that we have about the department where you receive care or service. What that means is that in many instances, not just the appeal for the grateful patient, which is key, but also instead of a broadcast, broader, more costly fundraising effort to an entire community or segment of the community, we are able to keep those costs down because we are able to enact this in a way that appeals best to grateful patients.
Thank you very much for your time.
MR. ROTHSTEIN: Thank you very much.
Let me say at the outset that many of us around this table are supported in our own institutions by the generosity of grateful former patients and their families and so we are very appreciative of the need to do this. Also, to answer your question, Dr. McGinley, when I think of fundraising, I think of my normal dinner conversation with my wife, who is a dean. So, it is -- I guess that is -- that cuts both ways.
But our task is really to balance the interests of the institutions and all the good that they do against the confidentiality of the patients. That is not always -- where that balance is struck is not always clear or a point of immediate agreement.
So, with that, I will open the floor to questions from my colleagues.
DR. DANAHER: Ms. Pollak, I thought your recommendations were pretty reasonable and it seems to me that by closing -- you wouldn't even really have to do the division. I mean, you don't have to say Pat Walsh -- and the doctor's name, I guess -- what division does urology fall into? Or that is the department?
MS. POLLAK: No. Urology now is a separate department. It used to be part of medicine.
DR. DANAHER: Okay. So, if you just did it by the department and Pat Walsh and especially in academic centers, the name of the physician pretty much is all the fundraiser needs to -- would need to know. So, personally, I happen to think that for me, at least, number one, I agree with your point that I don't think there are egregious violations that are occurring everyday. I think when people do go too far
-- when fundraisers do go too far, and it tends to be more
-- at least in my experience more one-on-one marketing than mass marketing and so I found that position pretty -- fairly reasonable and if we want to even err on the side -- more on the side of consumers, we could just have a department and not a division it would seem to me.
Then the second thing is it seemed to me that in your kind of either Exhibit A or Exhibit B, specifically about Exhibit B, you could even in kind of just change of the authorization, you could even insert a line that basically says I hearby authorize medical centers to contact me for their fundraising, my position and the name of the department where I was treated, specifically my actual diagnosis will never be, you know, released to -- so, that is kind of -- I thought that was a fairly -- I think your positions were reasonable.
MS. POLLAK: I would agree with that addition. Of course, we wouldn't go to the authorization if we amend the regulation to allow the department -- you wouldn't have it, but if we did go to an authorization, I think your addition, we would have no problem with that.
DR. HARDING: Since I had part of my training at Johns Hopkins, I don't know if I should recuse myself or not on this one, too. But I won't.
Let me see if this gets -- let me just clarify something. Cardiology, which is a department in a university or any university, hires a business associate to fund raise?
MS. POLLAK: They could.
DR. HARDING: They could? Some do, some don't in different places. Okay.
The business associate then takes information they get from the department and sends that out to cardiac patients.
MS. POLLAK: Right.
DR. HARDING: And then this new -- as the new law or the new rule states, they would not be able -- the only way to fund raise would be that the general Hopkins would get a list of patients and send out something to the general category.
MS. POLLAK: That is correct.
DR. HARDING: And no breakdown?
MS. POLLAK: No breakdown.
DR. HARDING: So, no targeted funding.
MS. POLLAK: Right.
DR. HARDING: Okay. I didn't quite understand that before.
MS. POLLAK: So, of our 42,000 inpatients, we could either pick half of them at random where we would have to send out 42,000 solicitations that just generally say we know you were recently at Hopkins, but it couldn't say we know you were recently at Hopkins and that you have a particular interest in cardiology or something.
DR. HARDING: Well, you would know their zip code and a few other things that would help you pick the people probably.
MS. POLLAK: Well, but people come to Hopkins for all reasons from all zip codes.
DR. HARDING: One-fifth of your research comes through private donations at this time?
MS. POLLAK: That is right. We get about -- I have to be correct in my calculations but we get about $400 million through NIH and we get another -- what I am unsure of is how much we get from private sponsored research, but we get between 150 and 200 million from private.
DR. HARDING: That is very impressive.
One of the issues that we had talked about earlier this morning was the issue of some areas of medicine being more sensitive than others for general mailings and phone calls or whatever comes out. I mentioned the four that I always think of, of infectious disease, OB/GYN, psychiatry and genetics as being a little more sensitive to patients than my brother, who is an orthopod, you know, talk about shoulders and everybody brags about that, but nobody brags too much about some other conditions.
Do you have any thoughts as to dealing with that type of a group of patients, say, OB/GYN or something along those lines that may have special sensitivities?
MS. POLLAK: I am glad you raised it. I forgot to mention it. We had actually been talking about that and whether in the regs you might require that the envelope not have the name of the department on it, would be fine, as long as the letter inside could have the name of the department so that you would not have that -- now, you can't -- if there is an inadvertent opening of mail by someone else in the family, I think that is always a risk, but it is a going to be a risk in any communication that is permitted under the regs generally.
But that would be one way of limiting sort of that chance exposure to an embarrassment that someone might have.
DR. MC GINLEY: If I may, we had also asked some of our members about this, whereas we have access to this. But a lot of our members will say -- would say I don't want anybody under 18 years old that we want to solicit, what would happen if I said to our business office I don't want anyone who is a psychiatric patient so that those names would never reach us. We ask for an opinion about that and they said that would be acceptable, as long as you are assured that there was no way that that list of psychiatric patients could ever then appear in the development office or in the institutionally-related foundations.
So, you know, there is a risk there, but we would be excluding if some of our members wanted to do that, the psychiatric patients.
MS. POLLAK: If I could just add, we already limit that type of information. So, I think that reasonable limitations if they needed to be built into the regulations would not be viewed as an impediment. In other words, I think psychiatric records in general have protection certainly in Maryland much greater than any other records. So, we tend not to distribute those even in health care operations. So, I think there are reasonable limitations.
MR. ROTHSTEIN: I have several questions. I want to explore for a minute this need for department specific contact.
Many of us are approached by our former alma maters to make contributions and I understand quite well that people don't want to generally just give to the university. They want to give to their college or department or whatever. But it is also quite common to get in the solicitation letter an opportunity to designate. I want to give my money to such and such a department at et cetera. Why would something like that, in other words, a general institutional letter giving the opportunity to designate, why is that viewed as less valuable?
DR. MC GINLEY: That is already being done and it is valuable, but the difference is that mailing, according to the regs right now, cannot go out to me as a cardiac patient. It would have to go to everyone and I would be able to designate.
MS. POLLAK: If I could just add, part of fundraising is not just that letter. In fact, the majority of fundraising is the follow-up. So, if all that one were going to do was to have a letter and designate and send back, you probably get a 3 to 5 percent return on that general mailing if you are lucky.
That is really not what development officers do because then they say in the letter I would like to call you. I would like to have lunch with you. I would like to see you. Now, obviously, if they are not interested, then that is the end of the matter.
But it is an opportunity to then form additional things that happen after that. So, if we were just doing a mass mailing and hoping that people would give and designate, that would be -- your solution would work.
MR. ROTHSTEIN: Well, there are donors and then there are donors, right? And you don't invite everybody out to lunch. Okay? So, what I am talking about -- I suppose maybe we ought to talk separately about, you know, really a target on somebody who you think can give you a major gift versus the general -- the kind of letters I get. Okay.
So --
MS. POLLAK: But I am prohibited from doing that. In other words, I could maybe isolate a hundred donors, who might give a major gift. But the development office cannot have the department or know the department where that person visited. So, that doctor can't call them. The personal contact really -- you are just saying I understand you were recently at Hopkins. I mean, that is an okay start, but it is not the same as having someone from that department call. I mean, Pat Walsh raises his money because Pat Walsh calls and that --
MR. ROTHSTEIN: Let me see if I get this straight now. One of the things that you are trying to protect -- this is a point that hasn't -- I don't think came up yet -- you want to protect the ability of the actual doctors, researchers, et cetera, to contact their former patients directly. Is that correct?
MS. POLLAK: Well, if you take my suggestion to have department and physician, yes. That would be ideal because that is really how it is done today. If the conclusion was we can't do that and it will just be the department, it would be the head of the department then, where some designees who would be making the call. They would not necessarily be that person's patient.
MR. ROTHSTEIN: So, here is where the concern comes in. If the treating doc makes the call, there may be some sort of ethical, you know, concerns about that, but there is certainly not a concern about confidentiality. When you start getting somebody else involved, whether it is the department chair or the development office or -- then you raise the issue of, well, how much information about that person is it reasonable to disclose for the fundraising purpose?
MS. POLLAK: The only thing I am adding is to the department. This is already permitted by the regulation.
MR. ROTHSTEIN: No, I understand.
DR. MC GINLEY: Not the diagnosis -- the reason you get all those general letters is because we cannot focus in on you and report this -- give you something that might be more appealing. Also, you bring up a good point, if I might, about the college and university. If you think if you have ever put children through college, they protect the academic information. You may not have that even as a parent, but they are still using information to do fundraising targeted to you and targeted at the graduate or even the undergraduate students.
Now, you can get the grades because you are paying the tuition perhaps, but your son or daughter has to release that. So, the college or university is protecting that information and using it appropriately in a very limited way. It is very similar to what we are talking about here.
DR. DANAHER: What is missing up there is -- and this is just more of a pedantic on my part, but what is missing up there is who the physician is in terms of the -- and, frankly, especially at academic centers, it would seem to me we don't even have to know the department or the division if we knew it was Dr. Walsh. I suspect I could give you the whole roster of just names of Hopkins faculty and you could with 99 percent accuracy, you know, put them to the right department or division.
MS. POLLAK: Probably.
DR. MC GINLEY: You shouldn't have that job if you can't do that.
DR. DANAHER: Right. So, it would seem to me if I had -- if I were -- it would just seem that the minimal -- the best thing would even be just to -- for the docs --
DR. MC GINLEY: That would be helpful. Remember, too, 35 plus years, our members have had access to all of this information. I mean, if they wanted to find out what the diagnosis was of the medical information because a part of health care operations, they could do that, but again because of the kinds of things that are part of our, you know, code of ethics and all that and donor bill of rights, this -- we are using information that is applicable for our purposes and the obligation we have to do a fundraising.
MS. POLLAK: Excuse me. If I might, in the legal profession, we often say that bad facts make bad law and I think this may be a case where there are one or two stories where people have been hounded or, you know, asked for money as they were on their death bed or something like that and that these somehow have been taken to say we have to protect people from this wrong or this evil.
After all, HIPAA was to protect patient information. Assuming that there is something that needs to be changed and I guess my concern with it is that it seems to fixing a problem that isn't a major problem right now and that if we look at the abuses of that and concentrate on assuring that we take care of any abuses, then we haven't sort of turned academia on its head and said you can't do what you have been doing for the last, you know, 30 or 40 years because there is some problem, but none of us knows or has had at least people come to us and say we think you are abusing this.
Now, if there are people out there abusing it, selling lists of people or doing anything like that, clearly, the regs address that. You can't do that. There is no exception under HIPAA for giving this information to anyone who doesn't have a legitimate reason to have that information.
MR. ROTHSTEIN: Well, I understand that but the fact that it is -- some practices have gone on for a long period of time and even if there have been no complaints, that, at least to me, does not mean that they are right in view of the values of today as incorporated into HIPAA. If development officers for the last 30 years have been able to get diagnostic information about individuals and read charts and stuff like that as part of their fundraising, I am sorry, I don't think that is right.
DR. MC GINLEY: I would agree with you.
MS. POLLAK: We agree with you.
DR. MC GINLEY: While they have had access to that, you know, it is part of what has been there. They have never done that. They don't do that. They don't use it. My point was simply that the way it operates, they would. We agree with what you are saying absolutely. That would be an inappropriate use.
MS. POLLAK: Our suggestion is not to do that. I mean, it is to allow the general use of department and, hopefully, physicians. That is the information that has been used.
MR. ROTHSTEIN: Let me ask you one final question and I will get back to another round to the -- to my colleagues.
That is, this morning, one of the things that we talked about in the context of marketing was possibly drawing some distinctions between telephone marketing and other kinds of marketing and perhaps putting different procedural restrictions on that. What would your view be on, for example, amending the reg to deal with the issue of telephone calls where something like at the beginning of the call you have to inform the individual that they can opt -- I mean, you know, that they can opt out and not be contacted in or something along those lines?
DR. MC GINLEY: If I can only give you one example -- and, again, we didn't explore that as seriously because the telemarketing that you think of when you hear fundraising is by and large not what our folks into. However, there is a program out there called PhoneMail, a company in Nevada, but it only relates to the donors and it involves a letter going out from a significant person that you would recognize as a donor. You ware already a donor. And a second letter follows that gives a lot of detail about the program and such.
Then the development office or the institutionally-related foundation personnel are calling to follow up on that, with the exception that these are trained callers. They are a part of that system that are hired that have that business relationship, business associate relationship. When they are on that call, if they can't get a decision -- there are times if they do not want to be bothered, they are notified of that. If they don't want this particularly and they are taken away from -- they are taken off the list.
Now, that is just part of what is in the contractual relationship with this particular firm, but it is targeted only at donors, people that are already donors for the most part. Now, when I take that and I deal with grateful patients, the same thing can occur, with those safeguards being put in place in a contractual arrangement.
I don't have any problem with that because what is very carefully put in is, you know, if you no longer want to be contacted by us in this way, whether it is mail or phone in this instance, we are going to do that.
DR. FITZMAURICE: I have a question about good apples and bad apples. I have heard an awful lot of good apple stories this afternoon and it seems to me that there are a lot of people who have had access to this information for many years, have done good things with it and I hear a lot of money going to research, to health services, people who might not otherwise get it. When you look at the economics of fundraising, though, there are some fundraisers out there that have high administrative expenses and very little money goes to the charitable use that they talk about.
These non-profits might also -- and maybe the for-profits as well -- might take a large overhead and might also be inclined to use and misuse, reuse protected health information. Not wanting to paint everybody with the same brush, is this a problem in the industry that some people -- I am thinking maybe a business associate sends it to another business associate and pretty soon the names are out and you can't get off of an asthma list, for example, although that is not necessarily fundraising. That was giving information. So, that is not the same example.
Is this a problem in the industry? Are there other authorities than just the HIPAA privacy rule to overlook the industry to guard against misuse and misapplication of funds, but also as a companion for the misuse of protected health information; that is, personal health information?
MS. POLLAK: I can take a stab at that one. I think this is certainly something that both I am sure this committee and Office of Civil Rights, HHS, everybody has been debating and legislators and that is how do we regulate the business associates. Do we have jurisdiction under the act itself? How can we get at them? The way that has been chosen is to get at that business associate through the covered entity.
Now --
DR. FITZMAURICE: That is actually the only way available to us under the HIPAA law.
MS. POLLAK: Right. Exactly. So, you know, this has been debated back and forth. So, when you say to me there is the chance that that business associate could redisclose that information illegally and in contravention of the contractual arrangement and, frankly, HIPAA, because under our agreement, at least, we say you are going to comply to HIPAA to the same extent that we have to.
I don't think anything I can say would protect 100 percent against that. I think that what one might do is to say that with this information, in particular, it either has to be the institution's own employees or a foundation that is sponsored by or in large part supported by that institution. Now, that will hurt some small institutions because they don't have their own foundation. They use a fundraiser that is out there and so that is a problem.
But other than saying it -- getting them directly through the covered entity, anytime you have the business associate, there is the potential risk that that might be misused.
DR. MC GINLEY: But that is the way to go. I mean, it is the reputation of the health provider in that relationship, whether you are talking about an annual campaign company, business associate or capital campaign or whatever it may be. I can tell you that, you know, 3,100 people in this community, in the health care provider end of it, is very small. Our members know almost immediately when there is a problem with a vendor or a business associate that is doing business. It is a network like that.
I can tell you that when they enter into a relationship and say they are looking for a capital campaign fundraiser, they are going to deal with two or three. They may talk with our office to find out who they -- and they want to know who else have they done work with and their best thing is they are checking, they are going and they are doing that. That is a nice balance.
But, in fact, they do everything possible to protect the integrity of that donor list and the names that the business associate is using. If they violate that, that is to their detriment because not only are they going to lose the business relationship they have, they are going to put others in jeopardy because of it.
We see that all the time with companies that just book entertainment, for instance -- I know that doesn't have to do with fundraising but it is that kind of a network.
DR. FITZMAURICE: So, basically what I think I am hearing is that the ethical considerations, the economic value of such mailing lists make fundraisers hold onto it very tightly and guard it as well as not wanting to have the adverse publicity would be associated from misuse of that. The market in this does tend to work in that regard.
DR. FITZMAURICE: You said you have heard the good news part of that, the strengthening part of that. There is a side to that that is detrimental that is out in the marketplace from time to time, where you will find an unscrupulous company that is taking a list and they have other clients where they are doing something similar and they sell that list. There have even been contracts that I have looked at that that is part of the arrangement, not through health care, but through other smaller community groups, the firemen, the -- I had better not name anybody, but smaller community groups often fall into that because they are fronting -- the company is fronting the money to do the fundraising. That appeal is awful strong, but it can put you out of business, too.
DR. FITZMAURICE: I think we have seen the same newspaper articles on those.
Let me just summarize. The thing that you would like most, both of you, is just to be able to use the department where the patient was seen, see if you more closely target the fundraising with your particular institution services.
MS. POLLAK: That is correct.
DR. MC GINLEY: Yes.
MR. ROTHSTEIN: But am I correct, it is more than just the department. You want to allow a contact by someone from that department.
MS. POLLAK: I think the term "use" as used in the regulations means that an employee of the institution may use that to either contact or write or do something. So, yes, I mean, if we just use -- if we just had access to the department but weren't allowed to do anything with it, then that really doesn't gain anything.
MR. ROTHSTEIN: How would we defend such a position where we are allowing -- I am positive there are departments at Hopkins that are bigger than entire institutions.
MS. POLLAK: That is correct.
MR. ROTHSTEIN: How can we justify a rule that is going to allow an entity that is -- seemingly treat people differently based on the size of their institution? Can you help me with that?
MS. POLLAK: Why would it treat people differently? If you were to change this rule --
MR. ROTHSTEIN: Because if I am a small community hospital somewhere, I am not going to raise money through my one person department.
MS. POLLAK: Right. So, this rule doesn't affect you and that is why you haven't heard a great deal from the vast majority of hospitals across the country because they do general fundraising. This rule will make no difference to them.
I shouldn't say -- it may make a difference to some, but I know I have been on the phone. I have been trying to call colleagues to even have them acknowledge and understand the limitation of the rule and when it finally gets through to them what this rule really means to their academic medical center, they say, oh, I have been reading the general press about HIPAA and fundraising and that it is good. So, therefore, they are just -- there has not been an understanding of how it is going to hit.
I don't know how many institutions across the United States this impacts. I know it impacts the hundred or so academic medical centers. I don't know if there are others that it impacts, but I don't think it is a disparate, like an unfair thing that you would be doing that would somehow disadvantage a small provider.
MR. ROTHSTEIN: I am just trying to -- I don't want to -- should we, you know, adopt your recommendation, I just don't want it to be seen as, you know, we are giving something to the giant medical centers that we are not giving to the smaller ones.
DR. MC GINLEY: I can assure you that it would be viewed as something that is allowed for everyone, whether they use it or not. Johns Hopkins may have specialty events. Other organizations don't. When you look at the two top groups or categories as children's hospitals and academic medical centers and the academic medical center and even the children's hospitals to a degree may -- has used this. But it is not going to be viewed by the community hospital as something that they have to do.
They are going to implement the kinds of fundraising program that they are building with a variety of different things that is most beneficial to them, that reflects the interest of the community that is going to draw them into the programs and activities.
DR. HARDING: You said that you had done a survey and that you felt like to comply with the current opt in that it would cost 180 million to comply with the reg as it is currently --
DR. MC GINLEY: Right. We ran this starting about four weeks ago and we had never even looked at what or tried to come up with what the expense part of it would be or the paper regulation. We did that very quickly because we had this opportunity. We focused on the lost philanthropic dollars or what was threatened when we started. When we looked at that, it is the paperwork tracking to make sure that there are releases there, that they are tracked properly and that is all part of it.
So that if you take 150 to 180 million dollars out of donated dollars, that means it is no longer there for the communities across the country for these kinds of things that we support. That does not include -- we didn't have time to really get into in a serious way as to what it would mean for other things with computers and training and that sort of thing.
MR. ROTHSTEIN: One final question. I think we have covered to a fairly good extent one side of the equation and that is how an overly restrictive rule might have negative consequences for health care. What we haven't talked about yet and I certainly want to pursue this with the next panel, but I want to give you an opportunity to address this as well. It could also be argued that there is a loss to some degree in trust of physicians or the physician/patient relationship or the health care provider and patient relationship, whatever, if individuals thought that their confidential protected health information was being inappropriately used for marketing.
That is the other side. We haven't quantified -- you can't and so I would like you to, if you want, address that concern and how would you respond to that argument.
DR. MC GINLEY: Inappropriately used for marketing as opposed to fundraising?
MR. ROTHSTEIN: I am sorry. Fundraising, yes.
DR. MC GINLEY: I think we have addressed that to a degree in the sense that if the five of you, six of you, seven, eight of you receive something, there may be one of you that has a question, that is upset about it and, again, when we address that with the individual and we give them some information about what these programs are all about, what it means and why they are deserving of support, generally, that -- they understand how that information is being used and they understand that it is not -- you know, they don't know how many stitches I had in my forehead or why I was in the emergency room or anything else, but they know I may have an interest in supporting the emergency room or the helicopter service or whatever it is.
Genuinely, that disappears. Now, there are exceptions certainly and you can't guarantee a hundred percent that there aren't going to be people upset. We remove them. We take them out of that mix.
MR. ROTHSTEIN: One of the other things I do is I serve on the board of a major disease organization and I have discussed many times with the physician members of our board the awkwardness of their position when they have very wealthy patients, who could make a seven or eight figure contribution to curing the disease and, yet, they are troubled by setting them up, making the approach or whatever because it -- they are concerned that it might intrude on the physician/patient relationship.
So, to some degree we are dealing with some variation of that issue here and I am just curious as to your views, given where you come down on this.
MS. POLLAK: I think I began by saying it is a balancing and I think that one must look at what is the intrusion or the potential intrusion against the privacy right, against the value or the possible public good that comes about from allowing things, frankly, from our view to continue the way that they have generally.
I think that you are right to be concerned that there are people who feel, whether it is marketing -- and when one looks at the exceptions for marketing, there is certainly much, much broader and there is much, much more contact that can be had in the marketing area even for third parties that stand to gain, as long as you just disclose the fact that you are getting money.
But you can still send it and all the embarrassment that we are talking about today happens every single time one of those marketing pieces goes out. So, somebody who was looking at these regs balanced and said, well, the possible good of that advertising is I am going to weigh that against the embarrassment of that letter or that contact and I am going to come on the side of marketing.
So, that discussion and balancing went about -- I guess what we are asking for is that there be some consideration of that same balancing with whatever protections there needs to be to assure that for certain diagnoses we don't send the letters or, you know, that the letters have just the institution's name on it, but when one considers that this is a way that we fund our health care system and not a major part, but certainly a large part for many, many institutions and that lots of good comes out of that and very few people object, when you put all those things together, is there a way that we could make this a little more friendly, a little more helpful to the current system than the reg that is there now, which really will stop a good deal of what we think is good things? And we are going to have to work around it.
So, all I think we are asking you to do is to do that balancing. For me to sit here and tell you that there is never going to be any embarrassment or there is never going to be a bad business associate that is going to do things, I wouldn't be credible.
DR. MC GINLEY: I think, too, if I can speak to the physician relationship, certainly there needs -- in all of this, there needs to be a sensitivity and knowledge, a professionalism in how you are doing this and we will have physicians that will say to some of our members occasionally, oh, that would be unethical for me to do that. Well, we have worked that through with AMA and we have seen other articles and many physicians get excited about embracing their patients, getting them involved. Others don't.
I have a colleague that graduated from college with me, who practices over on the Eastern Shore and he will never give a penny to the philanthropic side of things. He is a wonderful physician, but that is his view that he works and we are not going to change him. You have to recognize that. Well, fine, but I never give up.
MR. FANNING: I have a question. You both have described highly professional and sophisticated operations with an organization with a code of ethics and people who have put forth their money and attention to join, but we are, of course, faced with advising -- the committee is faced with advising the Secretary of making rules that will apply to the entire health care sector. I am wondering whether there are hazards of misuse and embarrassment or any other kind of danger to patients that could result from an expansion of the type you are talking about if, shall we say, administered by people who haven't signed on to your code and that sort of thing.
Do you have any views on that and how it might be dealt with?
DR. MC GINLEY: Well, from my perspective, even if you are not a member of our organization -- being a member of our organization does not necessarily assure that every single thing is going to be followed. The onus goes back to the institution and institutionalizing these practices and how they conduct fundraising. But what we are speaking to in these regulations are health providers. So, we are not talking about, you know, groups that go beyond that. You are talking about organizations that are very well respected in communities. They have significant resources or they have a reputation whereupon they can build their fundraising program as opposed to a fleeting one that is just starting.
We have interconnects with an awful lot of providers in the same system, where their overall back office support is providing support for the very best as far as their fundraising program and their history to the very least that is just building.
So, you know, with that, I see that as a safeguard, the fact that we have a level of sophistication vis-a-vis the organizations that these people are employed by.
MS. POLLAK: If I could just answer, it seems to me that all of the covered entities are otherwise covered by HIPAA and, therefore, you are to use the minimum necessary regardless of whether it is for this function or anything else. Even in the things that are already allowed under the regulations, there could be misuse of this information.
I mean, just think about your insurance and somebody who wanted to sell insurance lists around for people to try to get other insurance companies to go after their members. There are abuses that could come from any of these. If people aren't going to follow the regs, there is going to be an abuse of those regulations.
But just as counterpoint, one of the things that we were kicking around was, well, what will change in addition to just not being able to use the department to raise money. Some other things won't be able to happen and people were amazed when I sort of gave the example. Let's say you wanted to have a get together of all of the former cardiology patients who had survived open heart surgery and at that affair you wanted to pass out a fundraising -- you know, you are here, I hope you had a good time, if you would like to make a contribution to the cardiology department at Hopkins, you know, please come.
Well, under HIPAA, getting that list together to have that meeting would not be permissible. So, unless you can use the department to contact people, you are not going to have get-togethers of surviving babies, of twins and families and oncology patients. You are not allowed to send anything out where you have used the department that people visited to come to your organization.
There are a lot of people at Hopkins who say that can't be the law and I say that is the law or it will be in 2003. So, it is inadvertent. I don't think that is what was intended and I don't those people would be embarrassed to be asked to come back. They love those kinds of things.
So, somewhere in between -- and, again, I guess I come back to my theme -- what is the balance that we need to look at here? If there are protections that you think we need to put in place, obviously, you will recommend them, but, hopefully, we can find a way to allow some of these practices to continue.
MR. ROTHSTEIN: That last example raised a question for me. Do you think -- let's support we went to a system of a more simplified authorization but an authorization that would be required, nevertheless. Do we need any special transitional rules so that you could still have your get-together without sending -- without violating the law because they haven't signed previously an authorization? I mean, we do have the transitional rules with continuing -- for continuing care, but correct me if I am wrong, they would not apply to other uses.
MS. POLLAK: You raise a very important point. I have had meetings with different people from the Office of Civil Rights and HHS on this issue and I get mixed messages. A couple of people have said that we would accept the consent that people signed previously because they expected to be contacted for a fundraising and other things, that you would be grandfathered.
I have heard others who say without an express opt in subsequent to the effective date of the regulations, we couldn't use any of that information.
MR. ROTHSTEIN: So, that certainly needs to be clarified.
MS. POLLAK: It needs to be clarified. It is an issue. We raised that in connection with our last filing in research, but it is absolutely an issue.
DR. MC GINLEY: But I think the other part of that, too, is the risk and the balance that you need to create and, you know, what Joanne is describing there relates to the fact that we want these groups to come together for educational purposes as well, informational purposes.
You know, I think that puts a burden that is unjustified as far as the risks that you are discussing. Again, I am back on the side of let's operate it ethically and professionally and deal with those that wish to opportunity out, rather than having everybody required to opt in.
MS. GREENBERG: I just want to clarify, there is nothing in the rule that would keep you from holding this reunion if it had -- if there was no fundraising associated with it.
MS. POLLAK: It would have to come within some exception. If it isn't expressly permitted by the regs, you can't use the protected health information. So, it would have to fit into some category. If it was an educational get-together, you might be able to get it under the, quote, marketing because they put education in marketing under that. If you believe it would be in the best interest of patients, then you could send out a notice and invite people back, but it would have to fit into a category like that and if you did fundraising at the affair, I think, then you definitely flunk.
DR. MC GINLEY: And the confusion it creates.
MR. ROTHSTEIN: If there are no other comments, thank you very much. It was very enlightening testimony.
We will take a break until 3 o'clock and have the next panel on marketing and fundraising begin at 3:00.
[Brief recess.]
MR. ROTHSTEIN: Good afternoon. We are back on the record for our fourth and final panel of today on our hearing of the Subcommittee on Privacy and Confidentiality of the National Committee on Vital and Health Statistics.
We want to welcome again our friends on the Internet, who are listening to us live.
Our final panel today is brief in number, but important in stature and also in his message. I want to call on Dr. Hall to present your testimony.
DR. HALL: Thank you, Mark. You mean I am a solo today?
MR. ROTHSTEIN: That would be it.
DR. HALL: Well, for the record, my name is William Hall. I am a practicing internist, geriatrician from Rochester, New York, where I am on the faculty of the university there. I am here because I am currently president of the American College of Physicians and the American Society of Internal Medicine. We are perhaps more commonly referred to as ACP-ASIM or just the "College."
We are the largest of the medical specialty groups in the country and the second largest medical membership organization in the country, in the world. We represent 115,000 physicians and medical students in this country, Canada and Latin America and a fair number of other countries.
About half of our members are primary care providers. The other half are medical subspecialists. We certainly want to congratulate the Privacy and Confidentiality Subcommittee for holding this meeting and for allowing us to have the opportunity to testify.
For the record, we have had many concerns about HIPAA health information privacy regulations, but of these concerns, the use and disclosure of health information for marketing probably is one of the most troublesome to us. So, Mark, we are very thankful to you as chair of this committee and the subcommittee members for holding this hearing to discuss ways and strategies of looking at the use and perhaps the misuse of health information for marketing.
I would like to make a few comments about how we have looked at the HIPAA definition of "marketing" in the privacy final rules and kind of lead from there. Just to read verbatim, which I am sure is maybe the nth time you have heard that, that marketing is defined as a communication about a product or a service, the purpose of which is to encourage recipients of that communication to purchase or use the product for service.
Now, communications, which is a big part of what internists do for a living and why they come into the profession to begin with, are generally not considered marketing in a couple of specified conditions. If they are made by the health care provider and tailored to a particular individual as part of treatment. I make a diagnosis of diabetes. I explain the implications of this to my patient. I tell them that there are certain ways that they can monitor their blood sugar at home. There are certain ways that they can provide insulin for themselves, one thing or another. This is not considered marketing.
I would almost certainly mention specific proprietary products in the course of that communication. By the same token, communication is not marketing if either the provider or a plan uses dialogue to manage treatment of individual or to direct or recommend alternative therapies or even different settings of care, as long as I am not receiving remuneration or my health care system is not receiving direct remuneration from a third party.
Perhaps an example of this would be I see someone in a family and there is clearly a problem in an older relative, maybe a mother or father in terms of functional abilities and we say it is time for a nursing home, it would be all right, as I interpret these, for me to talk about nursing homes in our community, as long as I don't violate any other federal guidelines in doing that and to provide assistance to them as to how they -- what kind of a health system might provide the best kind of care for their loved one.
Now, beyond that, I think most of us really don't expect that private medical information that we share with a physician willingly is going to be used for bargaining purposes. In fact, I think most people who have looked into the federal privacy rule would say that it provides additional safeguards for this to happen.
Unfortunately, as we read the final rule, we think that some of the specific exceptions that have been delineated condone and perhaps even encourage a wide potential array of marketing techniques and activities using what we like to think of as protected health information. I hope for reasons that will become evident over the next few minutes in my testimony, my organization, the ACP-ASIM, strongly believes that these marketing loopholes, which we feel have been created by these exceptions, probably need to be closed.
Now, for health care providers where I come from, the marketing communications exemptions generally fall under health care operations that require a patient consent before individually identified information can be used or disclosed. But for health plans, these exceptions represent a fairly major loophole because these plans really don't need to get patient consent in order to conduct health care operations under the final rule, as we interpret it.
This means to me that health plans can use or disclose your individually-identified health information or that of your spouse or your children for various marketing purposes without your consent. These so-called covered entities or third parties are exempt even -- third parties are exempt from having to obtain patient authorization if the party uses or discloses protected health information for marketing under certain well-delineated conditions.
These include the communications that occur face to face with the patient, the communications represent product for services or what is called nominal value -- and I will come back to that -- or the communications concern health-related products or services of either the entity or the third party if certain disclosures are on the same communication.
I will talk a little more about that with some examples. In general now what I would like to do is share what I think are some clinical examples or scenarios with how these exceptions might potentially violate the principle of patient privacy and really the intent of HIPAA in that regard.
Let's look at face-to-face encounters. That is one of the exemptions. The final rule exempts communications from requiring patient authorizations that occur in a face-to-face encounter with the individual. They apply to any conceivable face-to-face encounter, including door-to-door salespersons, telemarketers. For example, an individual who has just been discharged from a major hospital visit could be visited, could be called at home. It is bad enough to be sought for such solicitations during a time of convalescence, but the final rule, we think, goes further.
It really doesn't limit the types or items of services that can be promoted. In fact, face-to-face marketing using a patient's health information can be used to sell vacations, magazines, cars, other items that may or may not have anything to do directly with your health. Now, in terms of nominal value as a gold standard, the final rule exempts communications that relate to services of what are called nominal value. This portion of the rule seems to us very vague and ambiguous.
What exactly does nominal value mean? Does it simply apply to a discount from the retail price of a product or, in fact, the cost of the item itself? Not only is health information misused, it is misused by statute to provide something that is trivial that has no particular value to an individual. But it seems to us that the potential damage, the relationship with physicians and with the health care system can really -- is anything but nominal in this situation.
The final rule exempts not only health care plans themselves, but also third parties from having to obtain patient authorization. It is perhaps in this arena where we have some of our greatest concern. Specifically, this exemption permits marketing communication of health-related products and services on behalf of these third parties or covered entities if the communication meets three requirements I promised I would go back over.
The communication identifies the third party or covered entity as the party that is making the communication. Secondly, the communication states whether it received any remuneration or not and, finally -- and I will have more to say about this -- the communication has to allow the patient to opt out from further communications from the covered entity or the third party.
Well, certainly this form of communication seems to offer some form of protection to patients. It seems to us that it is very, very limited and full of loopholes for the third party or covered entity to take advantage of seeking new customers for a wide variety of entities and products.
The first requirement of third party identification throws the physician inadvertently right into the middle of a sale between a third party and a patient. As solicitations and promotional communications continue, the more likely the patient is to become agitated, the more likely they are to mistrust their physician.
I suppose an example that kind of hits home to me is a patient who comes to a physician's office for a routine physical examination. Discovered during that examination, let's say, to have a high cholesterol value for the first time. In theory, a third party marketer could send a letter to that patient saying now that you have high cholesterol, your physician asked us to tell you about purchasing a condo and a health spa or reevaluating your life insurance, perhaps silly examples, but examples of where really there are no limits on how that information, which presumably comes from the physician making a diagnosis of a potentially serious condition where the physician seems to be right in the middle of that.
Now, this is rather intrusive but the fact that it gives the patient the impression that the physician is endorsing this product is, we think, not in the best interest of patients or of the medical care system. The physician, of course, will have no knowledge of this so-called authorization until he or she receives probably a very angry and outraged call from a patient or a parent who hears about this.
The third requirement for the third party or covered entity communications does give the patient this opportunity to opt out, which seems like a good thing, to receive any future communications. But the opt out requirement seems to us to be extremely weak and ambiguous. To add insult to patient rights to opt out, the opt out provision doesn't really go into effect, of course -- and this is the key thing -- until after the patient receives at least one solicitation. We believe that this opt out approach is too little too late.
In giving patients the opportunity to opt out from future communications, the final rule only requires that the covered entity or third party make what are, in quotes, reasonable efforts to ensure that individuals don't receive another communication. But I need formal guidance as to how procedurally a patient would go about notifying the covered entity.
It seems to us that it is going to be extremely difficult and burdensome and maybe impossible for individuals to actually opt out of some of these procedures. Methods could be prescribed, such as writing formal letters, paying a fee to the provider or health care company, pharmaceutical manufacturer, just to get off the list. We don't really know at what lengths the patient would be required to go through to get information removed from the third party's list.
Any of you who have had any experience with the Internet of inadvertently clicking would you like to receive health care information or any information about other products, you know what happens very quickly. It is a multiplier effect.
We could see families needing to send many letters to many different marketeers. Other requirements attached to the communication if a covered entity or third party uses or discloses health information to target communications based on health status, I would like to just say a word about.
One such prerequisite is that the determination must be made that the communication, in quotes again, might be beneficial to the patient targeted, regardless of how slight or trivial that benefit might be. Then a second prerequisite is the communication must explain why the patient has been targeted and how the product or service would benefit the patient.
This requirement goes against the basic integrity of what patient privacy is all about. Let's take another example. Suppose a teen patient was recently treated for a sexually transmitted disease that may or may not have been known by the parent. The promotional communication to be used by the third part, you have to explicitly say this teen patient was selected because the teen was created for a sexually treated disease and that X Brand ointment or whatever product has been shown to effectively treat this disease that the teen has
Would the teen welcome or even expect to see this in print. What if someone other than the teen patients themselves were to open the letter. What if it came by post card? What if it came by e-mail? Situations such as these could easily occur and are the types of instances that a federal privacy standard was supposed to guard from happening.
Other examples could, I suppose, include unwanted pregnancies, confidential mental health services, clinical conditions that might affect employment or insurability. The opportunity to further invade the privacy of individuals seems to us to be a great risk of this provision. Allowing the uses of what is supposed to be protected health information for marketing purposes flies in the face of respect for privacy. We feel these exemptions should not be exemptions at all.
Marketing that utilizes protected health information should be prohibited. As an organization ACP-ASIM recommends that the use of protected health information for marketing purposes simply be prohibited. We are not anti-market but we are against the idea of health information, private health information should not be used for competitive advantage in that marketing.
At the very least, for any marketing contract to occur, patients should be given the opportunity to agree, prohibit or restrict disclosures well in advance of the communication. We are very pleased that the subcommittee is addressing the serious problems in the implementation of the privacy regulation provision on the use and disclosure of health information.
We call on HHS to achieve greater patient privacy protections by providing comprehensive final rules with a single deadline for implementation and clear directives to safeguard privacy and that the regulations be issued in final forms as soon as is reasonably possible. We ask this subcommittee to consider the use of protected health information for marketing purposes be prohibited at the very least. For any marketing contract to occur, patients should be given the opportunity to agree to, prohibit, restrict the disclosures in advance of communication.
As I was walking in here this afternoon, there is that wonderful picture of Hubert Humphrey on the wall and his famous quote from 1977, which I can only paraphrase, where he says that the true mark and test of a democracy is how we treat people in the very beginning of their lives, how we treat them in what he calls the shadows of their lives, how we handle the sick, the needy and those who need care.
My own sense is and I think I reflect the organization is that patient privacy is something that we need to hold onto as one of our greatest treasures that allows the kinds of communication that enhance any form of health care, enhance any pharmacologic intervention. Let's not use patients' private information to create marketing advantages. We don't need that and we think it is going to be deleterious to the health care system and certainly to the kind of relationships that we would like to have with our personal health care providers.
Those are my formal questions and I am, of course, am happy to entertain any questions or comments from the committee. And many thanks again.
MR. ROTHSTEIN: Thank you, Dr. Hall.
As is our practice, we wait until the end of the panel and now that we have a full panel, we will wait until Mr. Adams finishes his remarks and then have our questions.
So, welcome and please begin when you are ready.
MR. ADAMS: Thank you very much. My name is Michael Adams and I am the deputy legal director of Lambda Legal Defense and Education Fund. I will be presenting some concerns somewhat similar to those of my fellow panelists, but from a somewhat different perspective in some circumstances.
Lambda is the oldest and largest national legal organization committed to achieving full recognition of the civil rights of lesbian and gay men and people with HIV and AIDS through impact litigation, public policy work and education. I am here today because the privacy of medical information is critically important to the communities that Lambda represents and we do not believe that the marketing provisions of the final rule for standards for privacy of individually identifiable health information are sufficiently protective of those medical privacy interests.
The discussion accompanying the final rules publication in the Federal Register in late December of 2000, eloquently explained that Americans as a whole are extremely concerned with the privacy if their medical information is threatened. But especially vulnerable populations, which include people with HIV and AIDS and people who are gay, lesbian, bisexual and transgendered, sometimes collectively referred to as sexual minorities, are even more fearful and concerned about potential breaches of their medical privacy because they recognize that disclosures of their personal health information to third parties can and does lead to discrimination against them.
An extensive body of research and other evidence documents that stigma and bias against people with HIV and AIDS and sexual minorities remains rampant in our society. Because sexual minorities and people with HIV and AIDS face frequent discrimination in the workplace, family life and society at large, the populations represented by Lambda have long placed a high premium on controlling disclosure to others of their sexual orientation and health status. Since disclosure means increased vulnerability, it is often avoided.
For example, a recent study reports that in New York State, 43 percent of gays and lesbians conceal their sexual orientation on the job and from neighbors and 28 percent hide their sexual orientation from parents or siblings. Nationally, 35 percent of lesbian and gay voters hide their sexual orientation in most aspects of their lives. The willingness of people with HIV and AIDS and of sexual minorities to access medical care and to be fully forthcoming with health care providers has been strongly influenced by the degree of patient confidence in the privacy of their medical records.
Research demonstrates that both gays and lesbians and people with HIV and AIDS are especially fearful that their medical privacy will be violated and that this fear already causes many to avoid or delay accessing medical care and to fail to disclose important information to their medical providers. A recent study of gays and lesbians in the New York City metropolitan area where sexual orientation discrimination is generally thought to be less pronounced, indicates that 30 percent of gay and lesbian patients do not reveal their sexual orientation to their medical providers.
In other parts of the country where anti-gay discrimination is more virulent, patient refusal to disclose sexual orientation to medical providers is even more common. When those who did not reveal their sexual orientation to the medical provider were asked why, concern about the privacy of their medical records and risk of disclosure to insurers, employers and family members were among the most common reasons.
Those most likely to withhold their sexual orientation from their medical provider were also among those most in need of medical care. Fears about lack of confidentiality also heavily influenced the willingness of people with HIV and AIDS to access medical services and care. Data in the area of HIV testing is instructive here. One study has found that 60 percent of individuals, who tested for HIV anonymously would not have tested if their names were reported to public health officials.
In another study, 23 percent of individuals who tested positive for HIV in Los Angeles County said they would delay accessing medical care until they were actually sick if their doctor were required to report their name to public health authorities. It is worth pointing out that studies show that those who were infected and diagnosed and treated are significantly less likely to transmit the virus to others.
People with HIV and AIDS and sexual minorities understand full well that disclosure of highly personal information, including health information, can have unforeseen and severe consequences. Lambda's own files are full of real life examples. In Washington, D.C., a hospital receptionist, who worked a second job at the same place where a hospital patient was employed, got access to the patient's medical records, learned he had HIV and told everyone at their shared workplace.
In Oregon, a ski patroller lost his job after his employer learned that his wife has HIV and in a particularly tragic illustration of the potential consequences of involuntary disclosure of sexual orientation, 18 year old Marcus Weiman(?) of Pennsylvania committed suicide after police officers in his home town threatened to tell Weiman's family that he was gay if Weiman did not disclose this information to them.
I provide these examples not to suggest that they are all about medical circumstances, but, instead, to illustrate the severe consequences that can result from involuntary and undesired disclosures of HIV status, sexual orientation and other such highly personal information. Unfortunately, the marketing provisions, that is, the rule, do not provide reassurance to people with HIV and AIDS and sexual minorities, who fear that giving highly personal information to medical providers may lead to disclosure to non-medical third parties.
Instead, the final rule effectively authorizes health care providers and other covered entities to share individual specific personal health information with third parties for marketing purposes in a manner that conflicts with patient's desire and expectations that their personal health information remain private. While the final rule purports to require patient consent for use and disclosure to third parties of personal health information for marketing, the exceptions provided and the lack of effective accountability of third parties or so-called business associates effectively gut the rule's protections in this area.
The fact is that the final rule allows health care providers and other covered entities to transfer any and all protected health information to business associates for marketing, as long as the covered entity determines that the product or service to be marketed may be beneficial. The communication explains why the individual has been targeted and the patient is advised of his or her right to opt out of similar marketing communications in the future.
There were numerous problems with this approach. There is no requirement that the determination about the product or services' potential benefit be tailored to the individual patient's specific needs and, likewise, the determination need not be made by the patients treating physician or any qualified medical personnel, for that matter.
Moreover, while the covered entity must sign a contract with the business associate that purportedly prevents the business associate from misusing personal health information, the Department of Health and Human Services guidance in July 6, 2001, makes clear, one, that the contract provisions mandated by the final rule are, quote, far narrower, end quote, than the requirements the rule imposes on covered entities; two, that the final rule's requirements do not apply to business associates; three, the covered entities are not required to monitor their business associates to determine whether they abide by the terms of the contracts and, four, that the covered entities are not liable for privacy violations by their business associates.
The final rule also discarded a provision contained in the proposed rule that would have made patients third party beneficiaries of contracts between covered entities and business associates. So, patients are thus robbed of the ability to hold business associates liable for breaches of contracts mandated by the final rule.
The final rule's provisions for patient opt out and consent to marketing are clearly deficient from our perspective. The rule's requirement that marketing communications advise patients of their right to opt out of future communications shifts the burden to the patient to safeguard his or her medical privacy and allows for such safeguarding only after privacy has already been infringed by marketing the patient did not authorize.
The consent requirement for marketing that does not fit within the final rule's broad exceptions is also insufficient. As the Department of Health and Human Services July 6, 2001 guidance states, quote, one consent may cover all uses and disclosures for treatment, payment and health care operations by that provider indefinitely.
A consent need not specify the particular information to be used or disclosed nor the recipients of disclosed information, end quote. We note that the rule treats marketing as though it were a health care operation. We are also concerned that the final rule provides for the unauthorized disclosure of personal health information to third party business associates for such a broad array of marketing techniques.
For example, the Department of Health and Human Services July 6, 2001 guidance makes clear that a covered entity can transfer identifiable personal health information to a telemarketing company to do telemarketing to targeted patients on the covered entity's behalf, even without patient authorization.
The potential for harm to people with HIV and AIDS, as well as to sexual minorities as a result of the final rules marketing provisions is manifest. Personal health information may be used by a third party to send a letter to John Smith advising him that he has been targeted for marketing of a new protease inhibitor because of his HIV status. James Doe may receive a telemarketing call advising him that he has been targeted for marketing of a workshop on unsafe sex because of information he disclosed to his doctor about HIV risk behavior.
Jane Roe may receive a letter or a phone call advising her that she has been targeted for marketing of mammography services because research indicates that lesbians are at higher risk for breast cancer. Marketing communications of this nature and others can lead to unintended disclosure to other parties of the patient's HIV status, AIDS diagnosis, sexual orientation or other highly sensitive information.
As my fellow panelist has already noted, mail can be opened and read by family members, roommates and neighbors. Telemarketing calls can be accepted by any number of persons, other than the individual targeted. As previously discussed, these kinds of disclosures can have severe consequences and fear of such disclosures alone can result in an individual's decision to refuse to disclose information to medical providers that is relevant to their medical care or worse yet, to avoid medical care altogether.
The fact that the rule requires that the covered entity be identified as the source of the marketing communication, even when a third party is actually the sender, in fact, is not helpful because it reinforces a dangerous message to the patient, i.e., personal health information disclosed to a medical provider is not confidential and will be used and disclosed for non-medical purposes. Neither the final rule nor other existing law provide adequate remedies for unintended disclosures of personal health information that result from marketing or for the discrimination and other harms that may result from those disclosures.
The rule does not provide a cause of action or money damages for patients injured by unauthorized marketing. As I stated before, it does not make patients third party beneficiaries of contracts between covered entities and business associates. Most states still lack protections for discrimination based on sexual orientation, on gender identity and approximately 96 percent of those who pursue discrimination cases under the Americans With Disabilities Act after employment or public accommodations discrimination lose their cases.
The harms that will result from the marketing provisions of the rule are both unremediable and unacceptable to us. Because the rule does not adequately distinguish between financially-driven marketing on the one hand and disease management and like on the other, it cannot be said that these harms are justified by the benefit that unauthorized marketing will bring either to the individual or to public health in general.
We urge this committee to explore means of distinguishing between the use of personal health information by current health care providers for disease management and the like versus the use of this information by non-medical third parties for primarily non-medical purposes, such as marketing and fundraising.
We fully recognize that disease management has potential benefits to patients and providers by, among other things, focusing on preventive care, but we cannot accept the assertion in the Department of Health and Human Services guidance of last summer that because some overlap among treatment and health care operations and marketing is unavoidable, covered entities need make no effort to draw distinctions.
We strongly believe that the only means to ensure adequate protection of medical privacy and to better ensure an appropriate distinction between medical treatment and financially-driven marketing is to alter the final rule to mandate the following: First, that personal health information not be disclosed to third party business associates, absent a specific time-limited informed written patient consent to each type of disclosure contemplated for marketing purposes.
Second, that personal health information not be used by the covered entity for marketing purposes, other than in face-to-face encounters between the patient and the medical provider, absent a specific time-limited informed written consent, the patient can -- of contemplated use for marketing purposes.
Third, that the patient be notified as part of the consent process about the full range of third parties, who may have access to the patient's personal health information and of the fact that the covered entity does not accept responsibility for breaches, privacy breaches by those third parties.
Finally, that the patient received notification of his or her rights under the rule. For example, the rule provides that the patient has a right to request that communications regarding personal health information by sent to an alternative location or by an alternative means, but has no provision that the patient be made aware of that right.
We believe that these recommendations have equal force Internet he area of fundraising, even when fundraising is done on behalf of the health care provider itself. When conducted by non-medical third parties, it presents the same risk of privacy breaches and future disclosures as marketing and even when done by the health care provider itself, it delivers a potentially dangerous message to the patient about the lack of confidentiality of medical records.
With fundraising as with marketing, the problem is solved at least partially by giving the patient the opportunity to consent to be contacted for fundraising purposes at the outset before any fundraising occurs and to limit the extent and duration of the use or disclosure of identifiable health information for that purpose.
So, that concludes my remarks and I am also happy to entertain any questions or discussion. Thank you.
MR. ROTHSTEIN: Thank you very much, Mr. Adams.
Now the floor is open for questions from members of the subcommittee.
DR. DANAHER: Dr. Hall, may I -- it will help me to clarify ACP-ASIM's position if I could walk through an example to see -- does the College believe that there is a role for third parties using -- having access or using PHI to work with a covered entity in the areas of care management, disease management, case management?
DR. HALL: I think the answer is "yes," that there is a role for third parties. I mean, they are used now. There really would be no way to implement a national health system without that in a variety of areas. The distinction is to what extent should personal health information be provided without the knowledge of the physician or really the full knowledge of the patient themselves in providing a marketing opportunity for these various third parties. I think that is where we have a problem.
DR. DANAHER: Let me kind of run through an example and we can see.
So, a health plan notices that their -- you know, their medical cost ratio is getting high and they want to make -- break it down and see that their asthmatics and diabetic patients are high cost. So, they take their claims and they run their claims and they see, you know, how many times, you know, people are buying glucometers or, you know, sperometers(?) or whatever and kind of look at the experience of their asthmatics and their diabetics.
So, they then go to a large pharmaceutical company and say or the large pharmaceutical company approaches them and says, look, we will help you institute a program. We will give $150,000 grant to your health plan and we will institute -- let's do an asthma program or a diabetes program and, you know, we will give your members that you can see don't have glucometers, a glucometer and your literature shows that if, blah, blah, blah, blah, blah, and we will give them some advice and some suggestions or recommendations.
So, the health plan through their medical director contacts the patient's provider and says, look, we have got this asthma program. We know you care for ten of our members that have asthma and, you know, we have seen by running their claims that they have got -- you know, they are in the ER all the time, et cetera.
The physician says fine, you know, you can contact them or whatever. So, is that a scenario that you would have a problem with?
DR. HALL: Well, up to a point. Presumably, this health plan has attracted subscribers because they have convinced individuals or a corporate structure that is paying the benefit, that they are providing a certain level of health care. Now we are suggesting that they find that in order to provide that level of health care and have it more of a financial advantage, it would be better to have a financial or fiduciary relationship with a -- let's see, in this case a medical supply house.
I don't think two wrongs make a right in this situation and I think one would wonder whether in that situation a public education campaign, some other way than having to subsidize by a third party who then probably in the worst of worlds has the ability first of all not only to market other products to that same patient group, but in much a parallel with what we are finding out in terms of subsidies of physicians and physicians' practices by pharmaceutical houses, it tends to influence behaviors of people, people who have power to prescribe health plans, that have power to divert business to one entity or another.
So, it seems to me that in that situation what is wrong with getting full disclosure from an individual patient that this sort of thing is going on. Why would you not want to do that?
DR. DANAHER: I guess I am not -- let me kind of take your example -- let me just respond to your example first. I think that a health plan that contracts with a company or something and says we will provide high quality care is saying that based upon their belief that they are contracting with good doctors and those good doctors will practice the standard of care.
When they go and look at the claims, they see all these patients with heart failure and they are not being prescribed ace inhibitors or anything like that. So, then a large pharmaceutical company says let's run a public awareness campaign that while the literature shows that post no MIA that patient is doing much better with ace inhibitors.
It just so happens that that pharmaceutical company that wants to run that campaign happens to produce ace inhibitors. What is wrong with that?
DR. HALL: Well, I mean, in terms of public education probably really nothing is wrong with that, but why does that require an exclusive contractual arrangement with one third party versus another? Is there that much evidence that this third party has a drug that is therapeutically equivalent or better than any other product on the market?
DR. DANAHER: I think in those cases the answer is "yes." I mean, I think in those cases the medical literature just totally conclusively shows, you know, the use of beta blockers or ace inhibitors, et cetera, in the post MI period, you know, prolongs survival and et cetera, blah, blah, blah, and for one reason or another these physicians are not doing it and I am marketing head of XYZ Pharmaceutical Company says, boy, I could be serving the public good and -- I don't know -- I mean, this is what I -- the reason why I am probing so much is what I grapple with because for me in these cases these are examples to me where I am -- I have a very hard time drawing the line between ace management and disease management and care management and marketing.
I think that for me there are gray areas where the public good does get served by third parties being able to intercede. That is --
DR. HALL: I understand your point and perhaps it is a gray area, but it seems to me that we should look very hard at alternative approaches to solving a very real problem of improving patient care.
Other than developing contractual relationships with people who have a very strong proprietary interest in selling a whole family of products, I think that is the only difference here. In terms of pharmaceutical support, for example, which I know perhaps a lot more about, why do these have to be exclusive arrangements if we are talking about physician education? I don't see the necessity for that.
It strikes me it is a very slippery slope and that for us to say, well, I can make a case that the public good is being served by this contractual relationship begs the issue of whether that public good could be achieved some way that would be a little more protective of patient rights and a little less confusing in terms of a relationship between a health care entity and a specific competitive business operation.
MR. ROTHSTEIN: I have one question that I will pose to both of you. From your testimony, it seems to me at least at first glance that there is only one area of disagreement and that is on a propriety of face-to-face contact and whether it should be permissible. So, let me first ask you, Dr. Hall, can you think of instances -- and it has never been quite satisfactorily explained to me what this is all about -- where there would be a face-to-face discussion between a physician and a patient that would not constitute treatment, but would be a health-related marketing that we should in some way put an exception into protect.
I don't know if that is very articulately explained.
DR. HALL: Let me try. There is a wonderful little television ad that has been running, but I guess -- I am not even sure -- it didn't impact me the way it was supposed to. It is probably a financial advising company or a stock broker company and it has a picture of a trustworthy gray haired physician at the bedside of a woman, who has a thermometer in her mouth. And he said, now, take six of these and move about 20 percent of your portfolio into tax free municipals. And I said wouldn't it be nice if you could have the same degree of trust in your financial adviser as you would in your physician.
If we get to the point where physicians are being -- so, there is an example, if a physician is marketing a product because either he or she or the covered entity that they may work for says we wish to support and promote this entity, I think we have really struck an almost irreversible and fatal blow to the patient/physician relationship.
So, I will just pull that example out of where a face-to-face encounter where, in fact, one might argue that the good of this patient is going to be very much improved by moving a portion of their portfolio into something that is safer because the stress levels are so high that it is probably causing catecholamine, a release, and making that congestive heart failure worse and we would have to then go to the other pharmaceutical house to get the best ace inhibitor.
So, I can conceive of situations. I would like to think that they are going to be rare, but this gets very confused and intertwined in a managed care environment between representing myself and representing an entity. So, just get rid of it. Don't let it happen without patient permission.
MR. ROTHSTEIN: Well, I will let you respond, Mr. Adams. Did I hear you correctly that face-to-face was one of the exceptions that you think should be retained?
MR. ADAMS: Yes. It has been our presumption and I hope it is a correct one that face-to-face communication between a treating physician and a patient that involved discussion or recommendation of a product or service would, in fact, be part of the treatment relationship and, therefore, that it would be appropriate to permit that kind of communication without some kind of advanced authorization by the patient. So, we have drawn that --
MR. ROTHSTEIN: But it would be considered treatment and you wouldn't need this exception under marketing. If I go to my doctor and she says, you know, I think you ought to take x kind of pill, which is best for your condition, that is treatment, even if X is a specific brand, right?
MR. ADAMS: Yes, but I think part of what we are responding to is the assertion in the HHS guidance that it is not possible to separate out marketing from treatment and that inevitably there is overlap and there may well be some aspect of marketing occurring in certain kinds of conversations between a patient and a physician about particular products in the sense that the definition of marketing in the rule, I can't state it for you exactly, but as I recall and would paraphrase it is something along the lines of communication, which is designed to encourage the targeted individual to use a particular product or service. Well, if you are using that kind of a definition of marketing, then a communication between a physician and patient in which the physician says I would recommend that you use x medication for this condition, by that broad definition is marketing and if you use that broad definition and, therefore, it arguably is marketing, we would say in that context, it nonetheless is a form of treatment or part of a treatment relationship that we would find acceptable without advanced patient authorization.
MR. ROTHSTEIN: So, would I be correct in assuming that if the definition of marketing were more narrowly drawn to say that the primary purpose of the communication is to convince someone of the need for a product or service? Then you would feel that you don't need that exception because the conduct that you want to protect would be considered treatment and couldn't possibly be considered marketing?
MR. ADAMS: We would feel that we don't need that exception. It is important to point out that we identify that as an exception to our general proposal that where marketing is occurring, that there should be patient consent ahead of time.
MS. GREENBERG: I guess I am a little confused now. Dr. Hall, would you have any problem with this communication between the face-to-face communication between the physician and the patient --
DR. HALL: Not at all.
MS. GREENBERG: -- particular product.
DR. HALL: No, not at all.
MS. GREENBERG: Your concern is that it also allows face-to-face communications by third parties.
DR. HALL: Exactly so.
MS. GREENBERG: So, the two of you really agree.
MR. ADAMS: I think we do.
DR. HALL: I think we do.
MR. ROTHSTEIN: Let me get to the second one. Maybe I will have that one right. That is the issue of nominal value. Can you give me a situation where that exception is going to play out and we should seriously consider keeping that one?
MR. ADAMS: We have a concern with the nominal value exception in part because nominal value isn't defined. So, we don't know what it means. If nominal value were to be -- or the value of a product were to be measured by the extent to which a price tag is put on it or the extent to which the service is charged for, that to us would be a problematic exception because we can imagine circumstances in which services or products are being provided at no charge for one reason or another, but, in fact, it is a problematic marketing situation and the reality is that our concern is that a patient receive any kind of marketing communication by letter, telemarketing or any other form, that comes from their personal health information as disclosed by their health care provider, No. 1, because of the fact that it constitutes an invasion of their medical privacy, but at least as importantly because of the message it gives to the patient that their medical records are not private. So, if the marketing communication is about something of nominal value, that does not change the message to the patient, which is your medical records are not private.
In that sense, the value of the product really is irrelevant when it comes to the message of the patient.
DR. HALL: I certainly agree with that. I mean, the total lack of even ability to define nominal value is I think going to be the sword upon which this will be eventually impaled. We are all confronted daily with gifts of nominal value from marketeers, for example, primarily the medical profession. If you have ever been to a medical meeting or see what happens, at least up until now -- I think that may change quite a bit -- and I guess the question is is the value of this nominal gift commensurate with the loss of the lack of privacy or trust in the health care system that your physician will keep certain things in strict confidence. So, that bothers me.
The second thing is that many people who have studied this, who are much more expert -- and I am not an expert at all on this -- have suggested that when it comes to gifting from manufacturers, there is no such thing as a nominal gift. There is ample evidence to suggest that a Viagra pencil to a doctor is all it takes to change prescribing habits tremendously.
So, let's get real here. This is not philanthropy. This is not working in the inner city delivering health care to underprivileged people. This is pure profit. Why do we -- and I am not particularly opposed to that except I don't want to get it confused with the doctor/patient relationship and the sacredness of private health -- personal health information.
DR. HARDING: Those are both excellent testimonies. Appreciate it, both of you. We have had a full day of testimonies and we have heard lots of things. I just wanted -- a couple of things I would like you all to comment on, maybe a little bit off, but close to what you are talking about.
One is that we had an individual from a large hospital near here, who was in charge of raising funds for research and so forth, say in effect that the greater good is that money is raised to conduct research. It is critically important for the future health of society and so forth, but that is a greater good than the possible embarrassment that could come from an individual being contacted without consent, without prior consent and that we should lean on the side and I am not quoting the individual by any means, but perhaps we should lean on the side of the greater good as opposed to the individual right.
Do you all come down one way or the other on that issue of the individual's right versus the greater good of the community as a philosophical point? Or is that something that you leave to the ethics community?
MR. ADAMS: Well, I think that we would hope for some reasonable balancing of the two. But in attempting to make that balance, I think it is important to cast what we are balancing. The issue that we bring to the table here from the perspective of the communities we represent goes far beyond possible embarrassment. As I mentioned earlier, there is much evidence to indicate that the kinds of health conditions and other personal information that can be disclosed through the type of marketing envisioned in this rule, in our experience can lead to job discrimination, can lead to loss of employment, can lead to loss of insurance and many other things.
So, when we are balancing the individual right on one side, it goes far beyond embarrassment into many other very compelling matters. We don't discount the general good and the fundraising that can be done to pursue that general good or that marketing can serve that. But we believe that a better balance needs to be struck than is struck in this rule and that obtaining patient consent is a means of pursuing the general good without jeopardizing the very important individual rights at stake here.
DR. HALL: Let me just be brief. The road of history is strewn with the results of the greater good as a justification for political systems, treatment of minorities, a whole variety of what we now call atrocities in the world, including some that we are witnessing right now, which all use the greater good philosophy.
So, really if it is hard to define nominal value, I think it is pretty darn hard to define the greater good of society. I am the last person to do that.
On the other hand, in this country, it seems to me that we have taken a pretty strong stand over the last 250, 300 years about individual rights. I mean, in fact, we weren't even satisfied with our Constitution. Before the ink was dry, we wrote a Bill of Rights about it.
So, I think that we tread on very sacred and perilous and mucky group if we start to say, well, the greater good will be achieved if we kind of ignore the fact that we are using personal health information as a, if you will, a value added in getting at donors. I would be very uncomfortable with that and caution us as a society.
I mean, I am sounding much more lofty than I feel about this, but I think this is very dangerous.
DR. HARDING: Another issue that came up and since you come from dealing with populations who have some problems with this, we talked this morning about the issue of marketing to minors, but in your situations, it may be marketing to those with diminished capacity in geriatrics or HIV, psychiatry and so forth. Do you have thoughts about that issue, the marketing to or the sending out various messages and so forth to those who may not have full capacity?
MR. ADAMS: It is not the angle at which we come at it. I think our concern has not focused on the capacity of the individual to make proper choices or make their own choices about marketing or fundraising pitches, but instead about the use of anybody's information, anybody's private information and that would be the same concern regardless of their capacity. So, that is not really something I feel like I could comment on.
DR. HALL: Two comments. My first experience with telemarketing was when my now 32 year old son was eight and I came home and he proudly told me he had bought a fishing boat and motor over the telephone and I would be proud of him.
When the telemarketer called to verify the credit card or to find out if there was a credit card, I listened to his whole said did you know that you were talking to an eight year old. He said you sound much older than that.
Since then, I approach this with a certain bias about this, that this is a scandalous sort of thing. Fast forward to my day-to-day life in dealing with older people, a great deal of time if, in fact, I have time to spend with patients these days under the burden of Medicare regulations, it gets into very social kinds of phenomenon because older people are preyed upon by telemarketers.
Magazine subscriptions, free coupons, it is almost a way of life. I just shudder to think what would happen if that caller, that telemarketer could say and Dr. Hall thinks it is a good idea for you to get another 50 magazine subscriptions because you might win something. I don't want that to happen. I don't want to live in that kind of world.
MR. ROTHSTEIN: One other thing that we explored this morning was that even if the regulation for marketing required a prior authorization, it still might be necessary or advisable to develop some procedural guidelines on what is permissible when that takes place in terms of when in the conversation certain disclosures are made and whether you can leave messages on voice mail or et cetera. Given your positions with regard to the desirability of having prior authorization, would you also support additional limitations that would spell out the circumstances surrounding the actual marketing itself?
DR. HALL: Well, I think this is -- that is a huge question. It goes way beyond my arena of expertise, but I am a victim of telemarketing virtually every night usually around dinner time. I think that, for example, New York State has enacted a reasonably good piece of legislation that allows people to, in essence, opt out. It doesn't work at all. I can tell you in my circumstance. So, I think generically I think that it would not only be desirable but it would probably be necessary because I think the abuse of this -- the temptation to abuse this privilege would be so rampant that something would have to come forward.
I don't know whether that is the scope still of your committee but it sounds to me like it is an awesome task.
MR. ADAMS: I would say that from our perspective, patient consent is an necessary starting point, but it is not necessarily the ending point and I think you are raising a very important issue. We from our own experience working with individuals who have HIV and AIDS have repeatedly attempted to assist individuals who have been discriminated against and the beginning of that discrimination was disclosure of their HIV status through things like voice mail messages that other people hear or inadvertent messages left with secretaries and things like that.
So, I think that that is a real danger. I don't know that we have the expertise to determine what the appropriate rules would be. In fact, I think we probably don't, but I think it would be a very important area for you to explore.
MR. FANNING: Could I just follow-up up on Dr. Harding's question about balancing the greater good. What we heard earlier was not an abstract balancing of the general good, but the practical way in which health care facilities seek donations from people who have been served there is to communicate with them after they have had the encounter with the health care facility and that is permitted by the regulation.
What we heard was that there was one other bit of information that they hoped could be used, which is the particular department or service in the overall facility. This is an issue in large academic medical centers with which the patient had had the contact. They also noted that it wasn't really very helpful to get a signature allowing that contact when the person enters the facility of the system.
In view of the difficulty of getting that and it really isn't a very -- it sure isn't informed consent because the person is otherwise occupied. The view of the difficulty of getting that and the fact that the only use of the information is by the facility back to the person who, of course, knows that he was there, do you still consider that an inappropriate intrusion in view of the fact that they get a great deal of money this way?
DR. HALL: I come from a lifestyle that depends on that type of philanthropy for a living. I am the last one to bite the hand that feeds me, I suppose. On the other hand, my experience has been that the kind of donors we are talking about are much better informed about strategies of fundraising than usually the people approaching them. They didn't get rich by accident and they seem to understand these issues.
I don't think we need a great deal of this. I guess the area that I am concerned about is if specific patient information -- I guess you sort of qualified that by saying that they have already given authorization or a vague consent when they come into the hospital.
MR. FANNING: Well, there would be two models. The way the regulation is written now, I think they have to have been informed that they may be --
DR. HALL: That certain things are going to happen. I haven't read all the details --
MR. FANNING: They have to be informed, but there is no signature required and the only information that the witnesses this morning wanted about their treatment was what department they were treated in because the contact may well be made by someone in that department.
Now, is that an inappropriate tradeoff?
DR. HALL: I don't think it is illegal and I can't say it is inappropriate but let me at least point out what I think is one of the hidden dangers in that approach. If, in fact, the entre to the patient is not that you happen to be a patient at this hospital or in this department, but that you happen to have a condition that we are very interested in and that we are right at the -- breathtakingly close to a cure for cancer or heart disease, Alzheimer's disease, whatever it is, and just a few million would get us over the top, where does that fit into the overall equation? You probably do raise more money that way and I guess there is, therefore, a good that comes from that.
If it were just limited to a very tiny segment of people who wish them to be involved in philanthropy, I would say fine. But this is going to be applied to millions of people and it is going to be -- maybe other charities will get into this and maybe that is okay, too, but here is the difference and put yourself in the situation.
Somewhere along the line it has been brought to your attention, let's say, under these privacy and marketing regulations, that your doctor suggested that a fundraiser talk to you. Now, how do you feel about not responding to that and then continuing with that health care provider? Does that bother anybody that maybe my doctor wanted me to give money and what is it going to be like when I come into the emergency room? Will he or she be there for me? Will they make decisions?
I think it is an unfair competitive advantage and I guess I am worried about that aspect of it. Really, I can't say anything more than that about it. That is way beyond my ken.
MR. ROTHSTEIN: Well, I think you identify clearly one of the downsides of doing that. I have talked to physicians, who lamented that they were under one or more pressure to approach a very prominent patient for a contribution and after doing so, the patient decided to get treatment elsewhere.
DR. HALL: Right. That is very common.
MR. ROTHSTEIN: That destroys faith in the profession, not just that individual doctor. There is no question that there is a risk in not doing that. On the other hand, if we go too far and we may be weakening the institutions that we all think so highly of.
DR. HALL: Perhaps another approach -- I mean, there are many roads to the greater good -- perhaps that institution might want to think seriously about improving the communication skills of their individual physicians
MR. FANNING: All right. But that does assume the allowability under the regulation of the approach based on the service that the patient sought.
DR. HALL: Right. I am uncomfortable with that. The flip side of that is that the most impressive philanthropy that I have been associated with has generally been from patients who are very appreciative of their private physician often not somebody on the university faculty and will specifically ask them or will make it clear in their estate that they wish it be asked, how would that physician like to see some substantial philanthropy be deployed.
MR. FANNING: Do you have any observations about this tradeoff in view of the fact that I am sure some of the people who serve your population are non-profit organizations.
MR. ADAMS: A couple of quick thoughts. One is that I think, again, with -- if the fundraising approach or communication is done by any person other than the treating physician, then I think we have the same concern about the message to the recipient of that approach about what their medical information or the fact that they have been receiving medical treatment is used for, other than their medical treatment. On the other hand, if the approach is made by the treating physician, that obviously presents its own host of problems in terms of potential interference with the physician/patient relationship.
I have to confess to knowing nothing about hospital financing and how they obtain their finances. Although having said that I know nothing, I will next say that it would surprise me if some significant portion of their finances are derived from contributions by individuals they treat, other than the payment of medical bills by insurers, et cetera. But perhaps I am wrong in that.
So, I guess at this point, maybe that is all that I can say.
MR. ROTHSTEIN: Other comments?
[There was no response.]
Well, I want to thank you both very much for your testimony. It was very helpful.
At this point in the hearing, we will proceed to our public testimony and while we are getting ready for that, I want to remind all the witnesses and those on the Internet that we have -- we will keep our comment period open for written comments, both from those people who have testified and those who have not, until a week from tomorrow. That would be close of business on February 1st.
So, we are ready now for the public testimony and we only have one witness. So, we will certainly give her our undivided attention because she is familiar to us.
Ms. Serkes, please.
DR. SERKES: I am Kathryn Serkes on behalf of the Association of American Physicians and Surgeons and just to remind you the Association of American Physicians and Surgeons is a national association of physicians in all practices founded in 1943 to protect the sanctity of the patient/physician relationship.
So, we certainly have some cross membership here with Dr. Hall today.
I would like to address about three issues here. First of all, the chilling effect on patients; second, the burden and the damage to the credibility of the physicians. I want to talk a little bit about the opt in, opt out provisions and then talk about our suggestions.
What we heard today is everyone speaking in what might happen, what could happen, what may happen and possible scenarios, particularly in the marketing area. This could happen. They could do this. They could do that.
I would like to tell you about a few anecdotes that might help you understand some of what is happening already and we assume that it will continue to go on and could get worse. Some of the -- I wouldn't go so far as to say abuses, but some of the troubling anecdotes that we have heard about.
First of all, I have told to me the story by the person involved and I am not going to name hospitals or patients, but of the patient who was discharged from the hospital and the received both marketing and fundraising materials afterwards. Unfortunately, the patient died. So, the family was burdened with the emotional burden of receiving solicitations for a family member, who was already deceased. That is a very difficult situation that should not have happened.
No. 2, let me tell you about told to me -- this was actually a radio talk show host to whom this happened. She went into -- was pregnant and after one of her visits for a sonogram, received her little gift basket of diapers and baby supplies and all kinds of products. Congratulations on the impending birth of your daughter and tied up with pink ribbons. At first, she thought how nice they sent me all this good, free stuff.
Then it occurred to her, how did they find out about this? How did they know that I was having a girl? Then she said now take that to the next step. What if there was some sort of congenital problem? What if there was an illness? What if there was something else in her record? Would they know that as well?
So, again, it is the troubling nature of the fact that the -- I am talking about the chilling -- the chills the next time they go in.
Third, we are talking about lists, marketing lists. I can go right now today and buy or rent marketing lists by disease. If I want to market to people with diabetes, I can buy or rent those lists. I can buy or rent lists based on whatever disease or health condition that I want to do that. That is disturbing that that is going on. We have seen nothing in this act that will help to prevent that, that will keep that from going on.
In fact, that list management is one of the things that I testified before the National Association of Attorneys General and I know that they are looking at some sort of state laws or regulations to try to control that.
What happens then is because of those types of anecdotes than what we have and we have heard this discussed is we have a chilling effect on patients. Now, the Department of Justice has responded to the association saying that, well, how can we measure this because the regulations aren't in effect being -- while the regulations are in effect, they aren't being enforced yet.
Yet we know that the chilling effect based on previous experiences from some of the people you have heard talk about, plus what we are being told has already begun. The chilling effect has begun and what I will do is I have affidavits from patients that I will submit for the record that will help you understand how this is affecting patients already because of what they heard about HIPAA and what they have already experienced in the past.
MR. ROTHSTEIN: The patients are concerned that HIPAA is insufficiently protective of their rights. So, they are not seeking medical care. Is that what you are saying?
DR. SERKES: That has chilled the communication with their physicians and while, obviously, I don't have affidavits to prove the negative of not seeking medical care, what I should tell you is the ones that have said that they are less likely or more reluctant to communicate, that have the open communication.
Of course, I don't need to begin to delineate how important face-to-face communication and the -- is between the, quote, provider. We still call them doctors and physicians, but for the purposes of the regulations, the providers, how important that is. I don't need to emphasize that to you.
Now, let's look at the other side. The other side is to the providers, to the physicians and the two panels who just spoke alluded to that, particularly Dr. Hall mentioned that. There are two elements here. One is the damage to the credibility to the physician. I have already talked about the damage to the patient and the effect that has when the patient isn't discussing or having -- willing to have full communication with the physician.
On the other side, there is a damage that goes on to the physician and I am echoing what you have already heard. There is a damage to the credibility of the physician and that is the implied endorsements, all the same things. I echo those same concerns.
Second, what I will talk about in a moment which is a little bit more is the burden on physicians that has been increased, the regulatory burden that Dr. Hall mentions, as well as possible new burdens. No, in terms of credibility, again, I have now affidavits from physicians who state the problems with their damage to their credibility and the regulatory burden, which I will submit to the committee with -- as part of the written record as well.
So, we know again that that is going on now. It is happening. It is not something that may happen. It is already happening.
Now, third, I would like to talk a moment about the opt in, opt out. I think that many of you may have some overlap in your expertise in the Gramm-Leach-Bliley Act. Certainly, the consensus is that quite frankly the opting out is isn't working on Gramm-Leach-Bliley.
A number of congressional hearings on that. I don't know about you all, but I have filled out about 15 or 20 opt out forms and I am still getting stuff because I haven't tracked through everything from everybody. The opt out simply isn't working and we know that that is putting a burden on patients to try to keep up with more information than they can.
The disclosures are not in plain English. Then, quite frankly they opt in because of the things that Mr. Adams mentioned. There are problems even with the opting in. Unless we have a full disclosure, plain language, easy to understand opting in that delineates everybody who may get everything and out of the four items that he mentioned, the opt in was very difficult. The other part of the opt -- even if we were to go to an opt in, our concern is, again the burden that would be placed on the providers because we probably, when it all comes down to it, that point of contact with the patient is with the provider, with the physician.
So much of the burden already is on the physician to do this paperwork and, again, paperwork spent on -- even though I think that Mr. Adams ideas are very good, the concern would be that if a physician has to make sure that paperwork is filled out that satisfy all four of those conditions that he mentioned, that is time away from patient care.
So, as we add more regulations and more -- you asked about -- Mr. Fanning asked about delineating what circumstances are okay in the marketing and having some guidelines. When we start adding to the regulations and starting making more complex, then, again, we have more opportunities for somebody to get nailed for doing it incorrectly, not intentionally, especially at that point of the provider communication with the patients.
So, that is our concern is that doctors are the ones who are going to be holding the bag for this burden.
I thought of - I wanted to respond to the face-to-face that you brought up and one that occurred to me just as you were speaking is that it is not unheard of, not that uncommon, for example, for medical device representatives to actually be in on some consults with patients or to be, for example, into an OR. So, that is an example I could think of where a third party would actually be in the room in a face-to-face encounter.
MR. ROTHSTEIN: They wouldn't be selling in the OR to the patient presumably.
DR. SERKES: Well, in a sense that is possible. There were a number of problems with -- in the past with pacemakers. That is the --
MR. ROTHSTEIN: No, I know.
DR. SERKES: In the OR, you are correct.
MR. ROTHSTEIN: -- in the OR, but that is a marketing issue per se.
DR. SERKES: But take it a step back and it could be. So, but the communication that goes on with the third party, so where does the privilege, the confidentiality extend there if you do have a third person.
I think just in conclusion the Department of Justice has taken a position, as I said, that -- we are talking about things that might happen, could happen. Therefore, these aren't things that we should be concerned about and, yet, I think that what we have here is a difference of how the Department of Justice and the Department of Health and Human Services are going to respond to the fear factor. And I think we have seen how strong the fear factor can be in the past four months.
We have had a very limited number of cases of anthrax and yet the fear is quite extensive and not to equate HIPAA with terrorism, but the potential is that the fear -- the public has a fear of the privacy issue. They have a fear of their records being disclosed that we have heard from from a number of your panelists here today and that we need -- if the HHS can go ahead and deal with the regulations and the fear factor now, rather than waiting until the full enforcement is in place.
Our suggestion is that the definition of health care operations be amended to exclude -- under the PTO to exclude marketing and fundraising.
I thank you all for the time.
MR. ROTHSTEIN: Thank you.
MR. FANNING: Could you provide us with information about whatever inquiry the state attorneys general did where you say you testified and also whatever this transaction was with the Justice Department where they responded.
DR. SERKES: Well, that is a public record. That is the AAPS vs. HHS with court documents filed on August 31st. I don't have the case number with me.
MR. FANNING: Okay. But if we could --
DR. SERKES: Do you want a copy of the --
MR. FANNING: If you would care to leave that with us or if it is posted on your web site, give us the citation and so on.
DR. SERKES: What is it specifically that you are interested in? Is it the Department of Justice's response and position?
MR. FANNING: Well, yes, the whole thing. I think we are -- I, at least, am not familiar with that line of regulation and whatever the litigation is and so forth. We would like to know about it.
DR. SERKES: We can do that. We can submit that as part of the record, then, too. That will be fine.
DR. HARDING: So, your basic recommendation to us -- Richard Harding -- is to redefine health care operations to exclude marketing and fundraising. That is what you said was the --
DR. SERKES: That is the recommendation. I qualify that by saying that Mr. Adams -- I thought that Mr. Adams suggestions for the disclosure and for an informed opt in were very good. However, again, the concern is that that increases the regulatory burden on the providers. Therefore, perhaps the most direct route is simply to eliminate marketing and fundraising from health care operations. It has been the AAPS's position that marketing and fundraising certainly are not actually health care operations.
MR. ROTHSTEIN: But even if we did that -- whoever -- we don't have the authority -- even if that came about and that definition were changed, it still would be possible to do marketing and fundraising pursuant to an authorization. Explain to me how that would lessen the burden on providers. It is just a different burden, isn't it?
DR. SERKES: No. If you are talking -- what I am saying is that if you were to, for example, implement Mr. Adams' suggestions in terms of a full opt -- and opt in, who is it that is going to have to do the disclosure, have the patient fill out the paperwork and do the opt in? Isn't it going to come down to the provider?
MR. ROTHSTEIN: Right.
DR. SERKES: Because that is the point of contact. While I -- that is what I said, although those are good ideas, we are concerned that that, again, is putting the burden --
MR. ROTHSTEIN: I understand that, but I mean it is always going to be the provider under any situation that is going to have the administrative burden whether it is an opt in as you call it or an authorization that is explicitly signed at some point in the process.
DR. SERKES: If we eliminate the marketing and fundraising from the definition of health care operations, though, they are prohibited from access to the patient --
MR. ROTHSTEIN: -- pursuant to an authorization.
DR. SERKES: That is if somebody chooses to give an authorization.
MR. ROTHSTEIN: Right.
DR. SERKES: How many people are going to come in and say, gee, I am just dying to give you an authorization?
MR. ROTHSTEIN: If the authorization route is going to be offered, the burden of doing that is still going to fall on the health care entity. It may be that the hospital or the physician group or whatever wants to be able to fundraise and in order to do that, they are going to have to have an authorization. I don't know how you get away from the paperwork.
MS. SERKES: It will reduce the numbers greatly. While it won't eliminate it, it will reduce the numbers greatly.
MR. ROTHSTEIN: Okay.
MS. SERKES: I think all of you know that AAPS's position on this enough to know that we would just as soon see that all gone, but realistically in looking at the regulations as they are now, that if we can reduce that, that that is a step forward to us.
MR. ROTHSTEIN: Any other further comments?
[There was no response.]
Thank you for your testimony.
Let me remind the -- I am sorry. Marjorie.
MS. GREENBERG: I am just a little confused about an aspect of the fundraising and that is is it -- under the current regulations, is it possible for Wilmer Clinic, which is actually the eye clinic at Hopkins -- is it allowable for them to directly fundraise? Not provide any information to the development office of Hopkins, but just Wilmer Clinic fundraise to their patients, who are obviously all eye patients.
So, I mean, is that an alternative for Hopkins to -- I realize that it may not be so convenient, but to decentralize their -- I mean, can the cardiac department directly fundraise to their patients? Can Wilmer Clinic directly fundraise? Can the oncology department directly fundraise?
MR. ROTHSTEIN: If the records are centrally kept -- and I will defer -- the patients cannot be identified at the moment by department because that goes beyond the list of demographic variables that can be used for fundraising.
MS. GREENBERG: But the department already has that information.
MR. ROTHSTEIN: Well, I understand that. So, if what you are saying is couldn't they do the same thing by sort of separately incorporating all their departments, the answer is, I think, yes.
MS. GREENBERG: Well, do they even have to incorporate them. They would just have to build some fundraising capacity into each one of them. I don't underestimate --
MR. ROTHSTEIN: -- more clearly defined entity, yes.
MS. GREENBERG: But, I mean, there is nothing that prevents that in the current rule.
MR. ROTHSTEIN: That is my understanding.
DR. HARDING: Each would have to have a business associate contract.
MS. GREENBERG: Unless they did it themselves. I mean, if they get that much money, it is worth it to hire one person to go and send out these letters. I don't know.
MR. ROTHSTEIN: Other comments?
Michael?
DR. FITZMAURICE: No. I just am trying to think of what we have learned today and trying to go beyond how good most of the -- most all the testimony was really good because it got down to the definitions. They knew the privacy rule and they also knew what they wanted sometimes with some prodding from the chair and other members, but we got out of them what they really wanted.
I think the harder job is going to be what is it the council thinks out of what they wanted we should recommend to the Secretary.
MR. ROTHSTEIN: My proposal is, of course, the subcommittee is meeting tomorrow in this room at 8:30 for deliberations, which are open to the public and will be broadcast on the Internet as well. We will -- the agenda item is to plan on a conference call with the rest of the members of the subcommittee -- with the full subcommittee, as well as discussing sort of an outline of issues and possible ways of addressing them, which the chair will work on over a room service dinner tonight.
So, if there is nothing else, we stand adjourned until 8:30 tomorrow.
[Whereupon, at 4:45 p.m., the meeting was recessed, to reconvene at 8:30 a.m., the following morning, Friday, January 25, 2002.]