[This Transcript is Unedited]

DEPARTMENT OF HEALTH AND HUMAN SERVICES

National Committee on Vital and Health Statistics

Subcommittee on Privacy and Confidentiality

(Breakout Session)

June 27, 2002

The Wyndham City Center Hotel
Georgetown Room
1143 New Hampshire Avenue, N.W.
Washington, DC 20037

Proceedings By:
CASET Associates, Ltd.
10201 Lee Highway, 160
Fairfax, VA 22030
(703) 352-0091

P R O C E E D I N G S:

DR. ROTHSTEIN: Good morning everyone. For the record, I am Mark Rothstein, the chair of the Privacy and Confidentiality Subcommittee. It's my pleasure to call this subcommittee meeting to order.

Before we get started on our business at hand, I would like to have introductions for purposes of the record. We are being recorded and eventually the minutes will be posted on our web site but we are not being broadcast so - yes, you will have an opportunity to revise and extend your remarks. So we'll take a minute for the introductions, first of the subcommittee members and lead staff. Stephanie?

DR. KAMINSKI: Stephanie Kaminski from the Office of Civil Rights.

DR. BLAIR: Jeff Blair, a member of the committee.

DR. ZUBELDIA: Kepa Zubeldia, member of the committee.

DR. HARDING: Richard Harding, member of the committee and subcommittee.

DR. COHN: And for the records, Simon Cohn, a member of the committee and subcommittee and it is 5:00 a.m. in California.

DR. HORLICK: Gail Horlick, Centers for Disease Control and Prevention.

DR. ROTHSTEIN: Our guests and other staff members.

(Additional introductions made off-mike.)

DR. ROTHSTEIN: Welcome. I think you have all had a chance to take a look at our detailed agenda for this morning and let me tell you where we are in our work and give you some ideas of how I would like to think about our future activities.

During the last year, we have, of course, concentrated on the HIPAA privacy rule and we held hearings, as you know, and submitted three letters to the Secretary containing with recommendations dealing with consent, minimum necessary research, marketing, and fund raising. That, of course, does not exhaust the universe of HIPAA privacy issues and arguably is a fair start but it's more than scratching the surface but there are many, many other issues left in HIPAA for us to talk about.

The other thing I would like to raise for your consideration is the extent to which HIPAA dominates our agenda and that is sometimes we may lose sight of the fact, but there really is another world out there in privacy and confidentiality above and beyond HIPAA, and so my view, without being directive and just sort of setting the stage, is I think it might be something for us to consider moving along two tracks, that is, to continue our HIPAA oversight work and try to explore some of the difficult issues still remaining in HIPAA that we haven't taken a look at, but also to try perhaps to pick up some of the other issues that we have left by the wayside as we have concentrated on meeting all of the various HIPAA deadlines.

So without going into too much detail at the moment because this is the committee's agenda, not mine, I want to see what the views are of the subcommittee members with regard to that idea, that sort of general idea of continuing HIPAA but perhaps if we identify other project areas that we want to take up also doing that.

It seems to me that we will not be under the deadline pressure that we felt certainly in the spring when we had 30 days in which to respond to the NPRM. Things will be perhaps a little bit more measured for us once the final rule is published whenever that glorious day is.

So, the floor is open for kind of general comments or discussions about where we ought to be going in the next year. Kepa?

DR. SUBELIA: I think it just hits within our chapter. That's exactly what we are supposed to do, not just HIPAA, but general advice to the Secretary on privacy among other things so I think it fits right there.

DR. ROTHSTEIN: There was, of course, when Kathleen was the chair of the subcommittee, a whole list, a sort of a laundry list, or wish list of topics to be considered at some point in the future, most of which were never taken out. So there are other things floating around that I have some ideas in addition. Richard?

DR. HARDING: What percentage of our time would you kind of visualize us doing in evaluation or looking at the implementation of HIPAA and so forth? Is that a role for us? We talked about it before as HIPAA rolls out, is that something that we should spend 20, 50 percent of our time on in addition to the kind of things that you are beginning to talk about or is that a different-

DR. ROTHSTEIN: I think it-- I have no sort of pre-conceived allocation of time. It depends on what topics we want to take up. I suppose theoretically, let's suppose we are after April of next year and we identify that there's some sort of problem in terms of privacy, it's not working out, there are unintended consequences, and maybe we need to spring into action and have public hearings and make recommendations and so on. I think clearly that's one of the things that we want to keep in mind.

My view is that just to pick a number, for the short run we might want to say 50 percent of our time is going to be spent on a HIPAA project and 50 percent on something else, but depending on what we come up with, we may want to adjust that in any direction. Simon?

DR. COHN: I hadn't gotten my hand up yet.

DR. ROTHSTEIN: I could feel the electromagnetic waves.

DR. COHN: Without giving percentages, I do agree with your idea that we have a large area to deal with. Obviously from my view, you have got this global issue of what is it we are going to do and then there's the issue of what's in HIPAA, what's in non-HIPAA, what's the priority, and I can think of a number of HIPAA issues that appear to me things that are going to be coming up on the horizon.

I think the other question is that we have to reflect on is how much energy does this subcommittee have, reflecting on, referencing the fact I think it was last year we had two sets of hearings and this year we've had one. So we were talking about 50 percent. Are we talking about one day in a two day hearing every year or whatever or are we going to be more active.

So it causes one to reflect on those issues also. I mean, how much energy we are willing to spend, relate to what we can do.

DR. ROTHSTEIN: Well, I'm also hoping that we can get some additional membership on the committee and not from within the larger committee but I mean new members appointed to the full committee from whom we can tap some individuals. One of the problems that we have on the subcommittee, of course, is that most members of the subcommittee are also members of other subcommittees or chairs of other subcommittees and there are, you know, there's a limit to how much we can reasonably expect those people to do.

DR. COHN: Well, I do want to suggest this in terms of the HIPAA area and I'm just going to posit this as an issue that's going to be coming up over the next six months or so, that, I mean, sometime in our lifetime we will see a security rule. I don't know when that's going to be. I may be off the committee by that time but one would hope that maybe before the new year, we do see a security rule and I'm being a little facetious because it is, like, the theme now, but basically we will see one and then there's going to be the issue, I think, for us, it's going to be somehow the security, the centers and security subcommittee, somehow is dealing the security and we're dealing with privacy, but they sure relate pretty closely I think.

And I am sure, I guess unless HHS does an absolutely perfect job of somehow figuring out how all this is going to work, I suspect for going to be issues and how does all of this fit together. I guess my view is I would really like this subcommittee to take leadership in terms of seeing how we can put that together.

DR. ROTHSTEIN: I think certainly when that day comes around, it may be appropriate to have joint hearings with the standards and security subcommittee to take up sort of the intersection and overlap and so forth.

Let me propose that the HIPAA topic that I think we need to focus on and that is the coverage of public health information under the rule. Recently in Atlanta, CDC sponsored the first, perhaps annual, National Public Health Law Conference. I chaired or moderated the session on HIPAA and public health and there were more people at that concurrent session that any other one at the entire two-day meeting. There were people sitting on the floor and hanging from the rafters, literally.

And a number of concerns were expressed at that session, including one that we have heard in other context and that is because of a misunderstanding of what HIPAA is all about, there are health care providers who are now suddenly reluctant to report to public health agencies the sorts of information that they had routinely done for years under the theory that they are not allowed to anymore under HIPAA and I think that is, that raises very serious concerns to the ability of public health agencies to do their job properly.

There are other concerns about some of the asserted vagueness of the public health provisions of HIPAA. In other words, does it have to be pursuant to a state law that you can turn over health information without any authorization or consent and so on and so I think these are very important issues for us to explore.

I spoke with Kathleen Fife earlier this week about this issue, and she was originally supposed to be on the panel in Atlanta and OCR sort of said you can't travel because we are under the gun in terms of getting out the final rule and she said that officially, and I could quote her on this, that that was an area that it would be very helpful for us to take a look at because they have, frankly, not had the time or the personnel to do the kind of outreach and education and publicizing this and trying to get a handle on the parameters of the public health coverage under HIPAA and from her perspective it would be very helpful.

This was also the view of Denise Koo who was a panel member from CDC and so I think that that's one suggestion, this would be at the top of my list but certainly there are other things that we could put on that list. Jeff?

DR. BLAIR: Since we are exploring possible avenues, the number one area I guess where I feel like more needs to be done is clarification and education of the privacy regs because I frequently am asked by folks in doctors' offices, HIPAA is making me spend $10,000 for a new records system, HIPAA is making me do this, HIPAA is making me do that. They are all thinking of privacy, that's the only thing they are conscious of, and they say that a records manufacturer came by and said you have to do this to meet the HIPAA law. There's a lot of exploitation. They've gone to a conference where there's been speakers who've wound up saying, you know, scaring people to death about the privacy regs.

I really feel like that's an area somehow that needs to be addressed. Now, let me go to a different topic. So that's number one is public education needs to be improved about the privacy regs, the intent of them especially.

The other is that in my capacity as board member of the Commission for the Blind in New Mexico, the issue came up because we are part of the vocational rehabilitation system, and the federal vocational rehabilitation system did a legal review and came to the collusion that vocational rehabilitation is not a covered entity. They did a careful review and they are not, from everything that I could tell, and however, there's a number of things that vocational rehabilitation services perform which either obtain medical records or review medical records or deal with health care information.

I spoke to the individuals involve in the federal government and basically what they did is they told all the states that you are not covered entities so don't worry about HIPAA and left it at that and I said to them, you know, you realize that, for example, as with the Commission for the Blind, we literally pay for medical services. It's one of the services we offer. If there's somebody who cannot afford it and needs an iridectomy to reduce the pressure in their eyes or some other kind of surgery to relieve eye conditions, we will do that, and we will pay for those services.

In other situations where we wind up getting clients, many of the clients have multiple disorders in addition to blindness, and some of them are health related, and we work with health care institutions to assist those individuals and we get the medical records.

So clearly we are a business associate but that does not seem to be mentioned by the vocational rehabilitation services. I think it's within the Department of Labor in the federal government. So my comment to them was for you to just give a directive to the state agencies, that they are not covered entities will miss the point that the privacy regs are a de facto national standard and if the state agencies are being - I don't want to say directed, I'm carefully choosing the words - but if the state agencies are led to believe that they don't need to comply with HIPAA because they are not covered entity, I think that there's a problem there and we need to have a balance so that's another issue that I wanted to raise.

DR. ROTHSTEIN: I would like to take up the second one first and I think you, this is the first time I've ever heard that issue raised, and, of course, state government can be a covered entity, depending on what they do. I mean, as a Medicaid provider, for example, a state government is subject to HIPAA. Now, as I understand what you are saying, the state voc-rehab people act as sort of intermediaries or payers for the services that are provided by some other entity but in doing so, they may obtain the medical records of the individuals. Is that --

DR. BLAIR: Yes, if I were to get explicit, I believe that the law reads, and I'm not an attorney and I haven't read through it in detail, but I believe that the law reads that you are not the covered entity if either paying or providing medical services is not your principal role so in many of these cases of vocational rehabilitation agencies, it's in additional service but it's not the principal role so they are hiding behind that.

The other one is that - and this gets to be more central - is that there's two ways to obtain a medical record. If you wind up having a client who is blind and has also health problems, you can ask the individual to obtain the record and give it to you and if that's the case, then you are not a business associate. However, if the agency, if the state agency goes directly to a health care provider and asks for the record, then yes, they would be a business associate so this is, again, the vehicle for, to determine whether or not you have to comply with HIPAA privacy regs.

Interestingly, the letter that went out to -- maybe I should have brought it, maybe I should wind up sending to you the directive that went out to ought the states, the legal ruling and I'll pass that onto you. It was from the federal vocational rehabilitation services.

DR. ROTHSTEIN: Okay, so it was from the Labor Department.

DR. BLAIR: I think it's within the Labor Department. I'll have to verify that. I think it's within the Labor Department. I'll forward it to you, I'll let you read it and see if you feel comfortable. It was strictly a legal ruling. It did nothing to indicate that there might be business benefits to complying with HIPAA in terms of information systems. It did nothing to wind up indicating that from a public relations standpoint if the state vocational rehabilitation services are caught in the situation with the privacy conflict and they had chosen to not be a covered entity that it just, technically and legally, I guess that's true, but it seems to violated intent of HIPAA regulations.

So anyway, I'll pass it onto you and you can determine whether you think this is a subject worth pursuing.

DR. ROTHSTEIN: Well, I appreciate that. I think there are a few things that we can do. We can, when I get that information and share it with the members of the subcommittee, we could hold hearings, we could, based on paper information, make a recommendation to the Secretary, we could simply request clarification from OCR. I mean, there are a variety of things we can do, and with the subcommittee's indulgence, I will just wait until I get the information from Jeff over to you and then we can either put it on our agenda for the next meeting or by e-mail take a sense of what the subcommittee members want to do. I appreciate you calling that to our attention.

On the first issue that you raised, the clarification and education, I couldn't agree with you more, Jeff, and I'm very frustrated about sort of the state of public education on HIPAA.

At this meeting that I described earlier at CDC, one of the questionnaires who was a health commissioner somewhere, but he also had a private practice got up and he was railing about how terrible HIPAA was and he was not going to be allowed to have a sign-in sheet at his office any more and, of course, the guidance last summer specifically addressed that issue.

These kinds of things don't seem to be filtering their way to the practicing, you know, physicians and hospital administrators and the like, and I think that, I don't expect that they are going to read everything that comes out of the department but I think we have a major problem on our hands, and I think some of that may be attributable to the cottage industry that is cropping up of the, quote, experts, and consultants who are out there trying to make a buck on HIPAA compliance.

DR. BLAIR: Let me expand it if I may because I think from what I could tell, there are vendors that either sell systems that organize your hard copy medical records, there are consultants and there are attorneys and I'm going to use this word because I think it's the right word, that are exploiting the complexity of the HIPAA privacy regs for commercial purposes, and they are taking advantage of the fact that it is complex and giving interpretations which are favorable to their businesses.

DR. ZUBELDIA: And the same thing is happening with security, even though we don't have regs yet.

DR. ROTHSTEIN: Jeff, I think you are right in all of those categories. Like you, I'm sure, are on a zillion mailing lists related to HIPAA, and I get all sorts of things that cross my desk and I would say half of what I read is really accurate and the other half is either an exaggeration of the potential problems and if you read a reg a certain way, I guess it's possible that this might theoretically happen, but nobody and going to enforce that interpretation because it's so bizarre or it's just plain wrong. And that frustrates me.

PARTICIPANT: There's one thing I do want to say because it isn't all vendors, it isn't all consultants, and it certainly isn't all attorneys. There are some really helpful, useful programs that are reaching out to educate people so I'm pointing out the areas of abuse, not indicating that the industries as a whole are behaving inappropriately.

DR. ROTHSTEIN: I appreciate that, and just to finish, I think one of the problems is the lack of funding and staffing in the education and outreach component that we have in OCR and this is just my editorializing. You guys can come up with the greatest revisions and the most wonderful reg that's ever been drafted in the history of the federal government and it's still going to be a disaster if the public does not get complete and accurate information about what is required by the law and so I don't know what to do about that.

PARTICIPANT: I think it's a great problem and I absolutely agree with you though I would add the wrinkle that we don't have a rule to educate on. I mean, I don't think anyone in their right mind should go out and educate people about the requirements that occur in the current privacy rule and we obviously don't have a modified new privacy rule and we clearly continue have a security rule so in this environment, obviously innuendo, I mean, you can cay whatever you want because there's no there there.

I mean, if I were somebody and I was interested in making some money, I would certainly publish things and how can you refute them because we have no, nothing to say. You are either right or wrong at this point. I mean, isn't that the fundamental issue right now in this vacuum of ignorance this information spreads?

DR. ROTHSTEIN: I think that's one of the problems, but people, some things I've seen and others I'm sure, that even though we don't have a final rule, there's no way in the world you are going to -- I mean it's not even on the table. They couldn't possibly be under any scenario this kinds of horribles that are being concocted.

PARTICIPANT: Well, I would agree. I guess to me the real question is how do we, maybe this is a reason for a getting together with OCR, heads of associations, other groups like this to sort of figure out, recognizing that it sounds to me like the government is going to give us a new rule in the last minute. I mean they will go to six months but that will be about it. How in the heck are you going to get the word out in six months and assure successful implementation and not cause problems?

DR. ROTHSTEIN: John?

DR. DANAHER: Mark, I have do first apologize to you and to the other members for being late so I want to start there and secondly, I have to divulge that I have an extreme conflict of interest here so I want to preface my remarks by that. I have an e-learning business that is in the business of doing compliance training. I spend my days out working with hospitals and with health plans.

I would just make a couple of observations. Do we have a problem in terms of privacy in our hospitals and health plans? Absolutely. And frankly, nobody will deny that. I mean there's a CIO of an august Boston hospital will tell you about Maria Carey checking in under an assumed name and, you know, within a half hour there are 81 hits, unauthorized hits, to access her medical record.

The anecdotes are out. Everybody knows there's a problem. So number one, --

Two is, in all frankness, and with due respect to us and everyone else, there's tremendous mobilization going on in hospitals to train people and to understand how they are trying to get into compliance with the regulations. There's a horrendous amount of spinning the wheels going on. There are committees after committees after committees. Departments of medicine are making policies and procedures and department of surgeries, etc.

So that's the second reality. And then to just point, I mean, there are clearly charlatans and shysters and people who whatever, and then there are clearly, I would like to believe people who are adding a valuable service that are trying to correct the problem we all know that exists out there in providing some guidance.

Well, having said that, let me just throw out three recommendations and Stephanie obviously plays a big role in this.

I think that just as health plans have, one of the things we haven't done is set up a credentialing body, anybody who said we were very vague in what was required and I think that some type of NCQA, some kind of JACO, some kind of thing that doesn't actually say, you know, Price Waterhouse Cooper and Bill Brathwaite are doing the right thing, whatever, but basically says this is what we had in mind when we put forth this regulation.

It's not an endorsement but it's more a rendering or whatever, and this is orex(?) We did this with. This was done with orex, that they, anyway, so that's point number one.

Point number two is I think that there really is a chasm in guidance coming from HHS, and CMS has got those public service, the video, the on-line things and nobody really knows about them and when they watch them, they are not that helpful, etc. And really what everybody is saying is that there's going to be this kind of Y2K scramble at the end for people trying to hit this April 14, 2003.

So I guess what I would say is that if a viral low-cost, effective marketing outreach strategy to give people some guidance, how do you develop policies and procedures, what is it, you know, what kind of training, give some guidelines about the length, you know, it's buried in the regs about the length of training, etc., But I mean, I think some articulation of guidance to help people. You are kind of setting sail. We've issued the regs, we've promulgated the regs, now let's help them triangulate a little bit. Let's give them a few plots of land that say, you know, do this and to that and here are some options for this without endorsing anyone.

I think by and large the department has been really silent on guidance about it.

And then I think, too, the last kind of suggestion is I think really where the spin on it to put is really a positive one and that is it's not so much the fines and it's not so much the CMSes that you have to be, you know, HIPAA compliant to be a contractor to be reimbursed, blah, blah, blah, but really how can we help your organizations, how can OCR make privacy confidentiality at the forefront, you know, just strength and codify your commitment that you have already done.

So I think that really, it's a messaging thing that this is not, come April 14, 2003, you have got to do this or the wrath of God will come down on you but rather, what guidance, what positive spin, what kind of instructions can you -- I think the summation of my comments is really, there are people are trying to do things out there in the absence of any clear articulation or guidance.

There's a tremendous amount of spinning of wheels. There's a tremendous amount of misspent money. Organizations are in stasis. They are in paralysis.

DR. ROTHSTEIN: I thank you for those comments. I just want to point out, as you know, in each of the letters that we sent to the Secretary over the last year and a half, we specifically said we urge you to publish best practices and guidance, etc., Etc., Etc., And it has been our position all along. It would seem to me that to roll out something that is so far reaching in terms of the health care industry that there ought to be a staff of 50 people who are in charge of education and outreach and a huge budget to make public service announcements and educational materials and all sorts of media and continuing ed programs, etc. I just, that's not happening.

DR. DANAHER: And you know what, that part of our message, it's really organizational performance enhancement. It's not about hey, you have checked off a box. I think too many organizations out there, be it hospitals or health plans have this mentality of okay, if I check off the box and can demonstrate the OCR, I've trained everybody with something, then whatever. So, any way --

DR. BLAIR: I haven't done a widespread survey. I've only had my personal anecdotal experiences, and they have been at small practices in the area where I live so I'm separating that out from managed care organizations or from hospitals which, it may be a struggle for them to go through and figure out what the privacy regs are and they may have difficulty, as you say, in spinning wheels, but I think that the area where the biggest concern is, is the small practices and these folks are terrified. They have been told that if they don't to this, they will go to jail because of the penalties or big fines. They have been told that they have to buy this or have a consultant very expensive come in to protect them from this.

These folks are starting to go to their Congressman, feeling like this is the most onerous government mandate that they have known in the last 10 years, and they don't really know what it is because they don't have the time to get the reg and read it through. They are hearing it from the vendors or the consultants that are exploiting this stuff and I personally feel like that's where the need for education is the greatest.

DR. ROTHSTEIN: I think it's a good point. Kepa?

DR. ZUBELDIA: I'm also on a lot of those mailing lists that we all get about HIPAA and there's a lot of questions and answers in the mailing lists. A lot of times the answers are incorrect. Sometimes they are correct.

I think that one of the reasons why people are asking question and answers in mailing lists is because they have nowhere else to go and this is probably a staffing problem.

There is, within CMS something called Ask HIPAA. And that's a place to ask questions. There's another place to get answers. You can send in your questions and the report is that people have asked questions there for a year that are still unanswered and it may be staffing, it may be the process, whatever, but when people learn that you can ask questions but you won't get answers, people start asking questions in other forums and that's what happening.

And I think that a lot of this misinformation could be stopped if there was a place to get answers to your questions that would be effectively working by the way. The committee also has a charge to report to the Secretary on the progress of HIPAA implementation so I know how else we would monitor the implementation of HIPAA privacy other than through this sort of feedback mechanism or perhaps maybe going to print shops and seeing if physician offices are printing privacy notices and things like that.

I mean, it's very difficult to monitor the progress of the implementation of HIPAA privacy, but it's one of the things the committee has to do. I don't have the answers. I have the questions.

DR. GREENBERG: I was just wondering. I guess this is a question for Stephanie and I think, I mean, this is, I don't think anyone is underestimating the hours and efforts that are going on in OCR and actually in CMS either. It's just that from the very beginning this whole effort has been, as you said, under resourced.

I'm wondering to what extent OCR has on formal ongoing relationships with all the myriads of responsible associations out there like I'm looking at people who represent some of them around the room who really probably are trying to, but need to partner with the department in providing this education.

I mean, like the issue of small practices, well, it's very hard for the department to get out there and educate every small practice but there are organizations, I assume, that represent some of these small practitioners.

DR. BLAIR: That's where I think we really need to start to -- I don't know whether you want to have some hearings from these folks and find out what are their members saying and what are they doing to educate their people, whether it's the American Association of Family Practice or associations, pediatric practice, the AMA, whatever.

DR. GREENBERG: I there has to be some kind of common message that then a whole cadre of associations and organizations are helping OCR and the department carry out there and also, as Kepa said, when misunderstandings or questions arise, there's a real way to kind of get those clarified and then get that message back out.

I mean, the same thing is going on in public health. You just can't get up and talk about standards in public health really because what they want to hear about is privacy and they have all these anxieties and rightfully so because they are being told in their various states, well we can't share data with you anymore. You know, we can't participate in any of these longstanding public health data sets, data activities.

I mean, might be they can, maybe they cant but nobody knows so the safest thing is to say we can't do anything because nobody can criticize us if we don't ever do anything.

So it seems to me that they are really, I mean, the department cannot do it alone, can't even begin to do it alone but there needs to be some kind of real coalition network, whatever.

DR. KAMINSKI: I think that's an interesting idea. I am not aware of a formal ongoing relationship with various associations. There certainly are lots of, there are several, there are informal and ongoing -- I don't want to say they are informal and not ongoing -- informal, ongoing, relationships with a host of associations, etc. I don't know if it's one message that we would be wanting to get out to these associations. I think that the interesting part of your suggestion and the complicated part of the rule is that obviously each of these associations come representing their particular constituents and there are various interests that play out that are very different depending on who those constituents are.

The department does have, and John Sanding is very involved with a working group within HHS. We have a formal, ongoing, privacy implementation forum where we vet some of these issues on a sort of agency by agency or covered entity by covered entity type of way and some of the issues that come up, obviously, can all interests and some are pretty unique.

I don't know, it's a creative suggestion to think about perhaps starting an implementation forum sort of in the private sector and have an associations participate in that in a kind of formal and ongoing monthly, I don't know, meeting type fashion. I think that's interesting.

DR. DANAHER: Thank you. I want to just echo one comment Jeff made. I don't know whether they are going to their Congressmen and women, Congresspeople, but clearly where there is absolutely, practically across the board, little to no understanding and ramping up is in the provider community. Most every hospital, most every health plan designate a privacy officer who is in the process of drafting policies and procedures, etc.

Overwhelmingly across the board, meaning, for example, I don't want to pick on one specialty or another, dentists. I've done a number of sampling of dentists, gotten on the ADA sites, WADL, ADA is just now kicking off something. If we were to call randomly 5,000 dentists right now, you would find zero.

The physicians, some of the blues plans are actually doing provider network training sessions but it's around awareness and education, what you have to do so I would say that number one, if you were to focus the department's efforts any where, it would be just as Jeff suggested in that small provider arena to those health care providers that really are small offices except that they don't have the resources.

Secondly, I think Marjorie's point is absolutely correct, that it should be kind of these public-private partnerships or association partnerships, etc. I think, to a certain extent, many of the large associations did drag their heels or a number of parts of HIPAA resisted, etc., So I think the strategy I would recommend was to find one of the more aggressive associations that was serving small provider groups and as quickly as possible, whether it's John Henning's group or whoever, try to launch some kind of PSA type of activity to hit their member audience and use that to build upon.

What I don't want you to do is to spend endless hours with some of the big national associations that have historically resisted HIPAA in trying to waste time getting them to now throw their weight behind it and helping you, etc. So if some how you could identify on ally that would see the need of stressing privacy or confidentiality and really helping them be progressive and if the department could kind of put some weight of their resources behind that mission of effort, then I think you could conscript some of the other associations there.

But I totally agree with Jeff and I think, as Marjorie said, it has got to come from, you don't have the resources to do it. It has got to come from getting people on board to do these things.

DR. ROTHSTEIN: Well, let me just add to that my support for that general view. I don't think we can assume that Washington-based programs will work with county medical societies and county dental societies and one way to do that is to get people in all of the HHS regions throughout the country trained and have somebody detailed to work for a year on HIPAA compliance and let them work with the county medical societies in their areas and have various training programs through the association groups.

It's hard to go from the top down and we need people, I mean, just thinking of a state like Kentucky that has a lot of these rural areas. I don't know how you are going to --

DR. DANAHER: To that point, and I apologize for one other thing, but I guess HRSA actually has a grant where they are providing up to $11,000 to rural hospitals to help them get into compliance with the HIPAA regulations so I think that they are some probably and I think maybe the Indian Health Service may actually -- so I agree with you. I just wanted to throw that in.

DR. ZUBELDIA: There's two aspects. One is the dissemination of information and education and the other aspect that I want to go back to is the misinformation or the lack of answers and how to get answers and since we're kind of brainstorming here, I'll just brainstorm out loud.

It's very difficult to get stuff at HHS to answer all these questions, even if there was stuff, some of the questions, just require extensive research, lawyers researching the answers and then you are getting into transaction type of questions. You have to have very deep, technical knowledge that is not always available at the government.

HIPAA in essence is a collaboration effort between government and industry where the Secretary is to adopt industry-led standards except that in privacy there was no such thing. Some other industries use a panel of experts. I've seen some of the computer situations where you can ask a question in a forum that will be answered by a variety of experts from multiple vendors, associations, independents and essentially it becomes a public statement that says this is the answer and, by the way, that is my name. It's a marketing vehicle for them.

I'm sure there would be a myriad of experts that can help. It's a chance in pulling together well researched and well thought out answers to these questions that would like to see their name associated with a response. A lot of the consultants, associations, vendors, would like to see their name associated with the response and still do the bulk of the work in doing the research, full integrated response and deliver it to HHS for approval or review before publication as an HHS response that has been put together by such and such if you want to do that. And if you don't want to acknowledge who put together the response, it could become an HHS response but the bulk of the work could be done by non-HHS staff and then have the HHS staff doing the filtering and the vetting of the response and I think that the industry would be very well served because there are a lot of experts out there that are giving good responses in those mailing lists.

You kind of, after you read the list for a while, you know what messages to read and what messages to skip, based on the sender. So there are some good -- I'm sorry, it's profiling, but I don't look at the domain name, I just look at the name -- but there are some experts out there that can be tapped for this and they would cost nothing. They would be free to HHS.

DR. KAMINSKI: Can you be a little more specific how you conceive this would work? I mean, at first when you were talking, I was thinking a little bit about what John was saying earlier about having some private sector credentialing body, but it doesn't sound like the private sector interpretation body. I mean, is it just that we send the questions, the myriads, the hundreds of thousands, all the questions that we get to a private lister person?

DR. ZUBELDIA: We are brainstorming, okay? You could have all the questions that come right now, that are coming to HHS on an e-mail route where nobody can see the question much less the answer. Nobody can even see the question. If instead of that, you would put the questions that come in a public forum, not necessarily the answer yet, just the questions in the public forum and let experts address those questions and send the answer to HHS where you can filter those answers and if you find one that you like, post it as the answer, but let the experts out there contribute their efforts to answering those questions and it will be very simple and free.

DR. BLAIR: And along with the answers would be this is an answer from --

DR. ZUBELDIA: Yes, it's an answer from Jeff Blair or whatever. If you want to do that so they get credit for it but if you don't want to give them credit, that's fine, too, because I'm sure they would rather give you the answers, the question gets answered instead of they themselves having to answer that question on a mailing list on a weekly basis which is happening today. I mean, the questions are repeated and repeated and the answers are always the same. I think that's pretty tedious sometimes.

DR. COHN: I liked what Kepa was saying though I guess I have to step a couple of steps back because I'm a little less clear what the problem is. It's very hard for me to figure out what the solution is, and it seems like there's some sort of a cloud of misinformation, lack of information, I don't know whether there are too many questions or people don't even know where to send the questions to, that's my ignorance, probably. I mean, there's just sort of like this cloud of sort of vagueness and I keep coming back to, well, gee, I know there's a tremendous amount -- he's on the subcommittee but it's also like blind people touching the elephant -- and, Jeff, don't take offense at that comment, but I think there's something there.

Maybe we need to talk to people that are being affected. I really, for example, don't know what the view of small providers is. I mean, one could posit that maybe there's a problem but I have no independent knowledge of that or know that they are being more or less affected than other providers.

I do know, just out of my own experience, everybody is sort of nuts because nobody knows what the final rule looks like. I mean, even though there are people out selling wares, doing trainings, writing privacy policies and all that, I, for myself, wonder how they can do that very well when you don't really know what sort of consent you have to have a policy about or if you have a consent or how that all plays, but that's just one person and one aspect of the piece.

I do think it might be useful to hear from a variety of these people just to sort of hear what their issues are, as opposed and us positing all their issues. Just a thought.

DR. ROTHSTEIN: So, just to follow up on your thought, maybe have an implementation hearing at some point and hear from, let's say, the AMA, the ADA, the AHA and maybe if they have like committees or represent sort of solo practitioners, etc., To sort of get a feel for what their concerns are, the implementation issues.

DR. COHN: Well, I don't know how you best get to the groups. I think that was what John was --

DR. DANAHER: I think Simon is onto a very good point and I would just make one or two little tweaks about it. I think rather than going to the AMA or the AHA or whatever, I would pick a hospital system or I'd pick a health plan and have them come in a hear a couple, hear what they are doing, so that would be one suggestion.

The other thing I would probably suggest against, it's just like, you know how in marketing, when you do a focus group sometimes and if you were to go out and ask people, what would be your ideal car or something, what you get back is not very useful because people, it's not really, they don't have a good frame of reference.

I guess I would caution us against just bringing in small physician practices because they don't, what they have got to do has not dawned on them. I don't think we would find it as fruitful to bring them all in and they would come in and say -- you know -- and let me just assure you what happens in being or half of us in our positions, it's absolutely correct in saying that their initial response, if we get a hundred physicians in here, their initial response is anything that the government is doing that's going to affect my income is bad and they are going to get their hackles up. That's kind of like death and taxes. You can count on that.

So I guess, just making the tweak, I think it would be very useful to hear some good strategies that are being adopted and then getting back to kind of the best practices. You know, could we either use some of those centers and reference sites or whatever. And potentially, you know, potentially maybe there are some small mid-size physician groups or dentist groups or whatever, that we know of or hear about that are doing some innovative things that could be kind of the thought leaders for their societies.

DR. ROTHSTEIN: And if we were going to do this, I think we ought to get out of Washington to do it.

DR. DANAHER: Yes, yes, yes. But I think Simon has got a good point, very good point.

DR. ROTHSTEIN: The other thing I would like to explore with you, I'm still troubled by the, sort of the fringe group, the ones that are the most egregious misstaters of the HIPAA requirements. I'm wondering if a joint statement by OCR and the FTC, for example, saying that we will investigate deliberately false claims that are made in solicitation of customers, something like this.

DR. COHN: You mean like mail fraud?

DR. HARDING: They always put a little disclaimer on it in small print at the bottom that rules hasn't been published yet, but this is the way it probably will roll out. I mean, they get out of it.

DR. ROTHSTEIN: But what I'm saying is I think a statement such as that could have very good value in sort of dissuading people from kind of going over the line. I remember -- my grandparents told me about this -- when OSHA went into effect in 1971, we had a problem with folks going out there and vendors saying that buy this equipment from me, it's OSHA approved, etc., Etc., Etc., And OSHA does not approve any equipment or anything for that matter and a statement from the, and I don't remember which branch of the Labor Department or it may have been Justice or something, to the effect that we are going to come after you if you make these deliberately false claims and attempt to sell your ladders or goggles or something. That was the end of it.

DR. DANAHER: The only thing I would push back on, and I know where you are going with this, I think in the absence of OCR, kind of giving some best practice examples, not endorsing a product, I just think that it's only going to kind of create some sturm und drang that's, you know, and create more confusion.

DR. ROTHSTEIN: Oh, we are worried about the government coming and putting us in jail and now they are saying that they are going to come.

DR. DANAHER: Right, and we've have to back it up and you would have to investigate and then somebody is going to say --

PARTICIPANT: You will get the FTC involved.

DR. DANAHER: Yes, and I really, I spent as much time looking at this field as any. I don't think there's anybody who's saying that they are NCVH approved or HIPAA approved or anything like that. I think what they are taking is their, they are preying on the lack of information; they are preying on the confusion that's out there, and I think that rather than us fueling that, I think the higher ground for us to take would be let's pick some systems or plans or whatever. They are doing some innovative, great things, and that would be willing to serve as kind of reference sites, whatever, and, you know, lets give some examples and best practices for people to know what to do.

DR. GREENBERG: Well, I'm exactly sure what the resource requirements would be of doing that, but the committee does have some resources to do special projects and would explore with OCR, maybe partnering with them, but putting some resources into maybe developing some documentation on best practices.

You know, it could be starting with a hearing, maybe, and bringing some people in and then developing some sort of user friendly, accessible materials. I mean, I don't know if that's the committee's role or not, but, getting back to what Kepa said, this committee is responsible for backing implementation of HIPAA which includes privacy, the ASCA legislation requires the committee to come up with some issue reports on how to overcome barriers to implementing the transaction code set standards.

It isn't that big a leap for the committee to also maybe put out some kind of report, but not reports, because there's one more thing people aren't going to read but some things, that would, even though I have to say that when that was put into the ASCA legislation I objected to it because I felt that it was-- Simon knows that. I'm an honest person, I mean, I'll admit that. I mean, Jim Scanlon and I both felt that's an executive function. It's not really a function for on advisory committee. But on the other hand it's obvious the department needs some help here and you all have responsibilities in this area.

DR. DANAHER: Can I throw out two quick grassroots efforts that are going on that would be an example? The Boston Bar Association, kind of the Massachusetts Health Data Consortium. They have done the state preemption analysis where the Massachusetts privacy regulations are more stringent than HIPAA and they are disseminating that free to all the hospitals and health plans in their state. The National Blue Cross Shield Association did, I guess, had a contractor with a firm to do a state by state preemption analysis and they made that available to all their members.

So people are doing collaborative, proactive, which is kind of the nature of our society and that they, you know, when their back is up against the wall, they kind of work together to come up with some innovative solutions. I think if we could highlight some of them and make people aware of it, I think we would really be aiding the process.

DR. ROTHSTEIN: Let's see if we can get to some degree of closure on this, at least for the subcommittee purposes. We've heard a lot of very good, a couple of not-so-hot ideas. I was thinking of mine, the one everybody rightly jumped on.

So what do you see the role of the subcommittee doing in this regard? Obviously we've got our pipeline to OCR who can relay our concerns, but what should we do going forward? Simon and Kepa.

DR. COHN: I guess I come back to the issue regarding HIPAA is that we have a responsibility to, A, track implementation and identify issues and come up with mitigating strategies. I don't think our role is to operationalize everything but it is certainly, to identify what the problem is and maybe come up with some solutions that people can go and do. I'm thinking of HHS in this case, and I think John has described some very good ideas. I mean, it's beginning to sound like a day or two with a number of different panels where we begin to hear about problems, we hear from associations, we hear from other targeted groups. We hear about best practices.

DR. ROTHSTEIN: Excuse me, Simon, what would you think for the timing of that?

DR. COHN: That's a good question. It would be nice to have the final rule out so people knew what they were doing. I hate to put it that way, but I'm very impressed that John can go out and train everybody, but I still struggle, and maybe I'm just the 80 percent, I'm seeing the 20 percent that's empty in the glass or whatever which is probably what John would tell me. I don't think it needs to be long afterwards. I'm looking at Stephanie to know whether that means we have an October hearing or an October hearing.

DR. ROTHSTEIN: Just for the sake of putting some dates out, suppose that Labor Day they publish the final rule, then you think a month, two weeks, a month, two months, how far after that?

DR. COHN: Well, considering that April is the deadline for implementation regardless of what they do and October is six months for the deadline for implementation--

DR. ROTHSTEIN: So you think around October?

DR. COHN: Well, I don't know. I look at others. That's sort of what feels right.

DR. ROTHSTEIN: John?

DR. DANAHER: I think that the attitude-- to Simon's point-- the attitude that hospitals and health plans are taking about the finalization of consent and the issuing of the security guideline, etc., is that the regulation is going to be a moving target and is going to be evolving over time and nobody, at least in terms of any sizable organization, are kind of sitting on their hands and saying, well, let's wait before we address this.

They are just realizing, it's clearly articulated in the reg that if the policies and procedures change or if you materially change your policy, you have got to go back and think. The mindset of organizations are, and it gets back to this organization performance thing, again, it's not on April 14, 2003, check off that you are going to be constantly updating and revising and retraining and getting people thinking about privacy and security.

So that's at least, again, I watch my bias, may creep in, but I think the sooner we can shed light on this, we will be providing a tremendous assistance to hospitals and health plans in the country. I think that the one thing that's seared in people's mind is this April 14, 2003, and the only thing I can tell you about deadlines is the closer you get and there's no light, the more anxious that they get.

I think my recommendation would be to regardless that things haven't been finally issued, to just begin the wheels, begin the process, beginning, having people come in.

DR. ROTHSTEIN: Just thinking out loud, would it be valuable at a hearing to hear from non-HIPAA type people? People, for example, who were responsible for Y2K compliance, people maybe from the public relations or marketing experts who could shed light on how you actually reach people and to try to develop some ideas. I don't know whether OCR is doing this or not, whether they are making use of some sort of experienced professionals whose job it is to reach the public.

DR. KAMINSKI: As I said yesterday, there are plans in motion right now to contract out to outside contractors to do technical assistance. I have seen some of the sort of concepts underlying the technical assistance plans and I have not seen any formal concepts for compliance and technical assistance. Most of the technical assistance seems to be oriented toward answering questions, you know, that specific entities would have. A lot of it is interpretation questions, etc., Etc., But not what you are talking about, Mark, which is how to do a compliance plan. I think that's what you are talking about.

DR. BLAIR: Stephanie, do you have any sense, I know that clearly for hospitals and integrated delivery networks and managed care organizations, there are a lot of important issues but I sort of feel like while there's challenges there, that's not the part that I am worried about. The part I'm really worried about are small practices because they are scared. At least that's the impression I got, that they are scared and they don't know and they have been misinformed so will the contractors be reaching out to the small practices?

DR. KAMINSKI: You know, it was a while ago when I saw the list. I know that, for example, small, rural hospitals have been a concern of our office for a while and we are trying to get information out to them. It would surprise me in we weren't also working towards assisting small doctor practices but I cannot remember, you know small physician or small provider practices. I can't recall that off the top of my head. It really was a while ago and I'm not involved with the outreach and education efforts of the office, as much as I would really like to be.

DR. BLAIR: Is there some way where we could get the message to them?

DR. KAMINSKI: Yes, certainly, yes, yes.

DR. ZUBELDIA: Thank you. I think the role of the subcommittee is to provide advice to the Secretary and to the department in what to do. Even if the department hires the best marketing company, I think our advice somehow still continue as to how to promote this.

In that line, my advice is that if some, if there's somebody that the small providers listen to is their Medicare carrier. They come with a check every so often so they listen to that. That's a unique mechanism that we have because those checks are in that envelope being sent to all the providers in the country and they are going to open it and if there is a notice there that tells them about something, they are going to read it. Very low cost.

I think that in the past, we have seen Medicare carriers have very effective education programs. I remember when CPT first came up with the immigration and management codes. There was a very extensive outreach effort going to all the providers in the country and it was tried by the state medical societies, this was tried by the AMA, it was tried by everybody. When the Medicare carriers set up meetings to educate the providers on how to use the codes, the rooms were packed, packed.

And I think that's something that gets noticed, and I think that mechanism needs to be taken advantage of and I don't think there's enough being done in that area yet. Just another suggestion.

DR. GREENBERG: It's interesting. In some ways I think we're, I mean, I'm kind of on the same wavelength because I was thinking of two things you had said, Mark, when were not off the wall. One was about, you know, just blasting the information from Washington doesn't really do it, particularly if you are thinking of smaller providers in rural areas and all of that.

And the other was about, you mentioned about the regional offices and it's interesting, I don't know whether there are people at all in the regional offices who are knowledgeable about these areas but then you mentioned Y2K, and I know that EMS and HCFA had a major outreach on Y2K. And they went out, and I'm sure they worked through the carriers and the intermediaries, etc., And there were people on the HCFA staff because I knew some of them, who were on the road constantly because, I mean, here you have the situation where they didn't want the docs being able to pay bills and, I mean, this was really major.

And so there's some precedent from this and just really sending, and they went out everywhere. They went to North Dakota, they went, you know, they were in every state and they were working with every group and I'm sure very much with the carriers and the intermediaries but with the providers and carriers.

So I think some kind of cadre like that is really kind of needed, and I'm wondering if there would be any value, and I'll ask Stephanie this, you have a sense of this, if the subcommittee and the full committee were to put together some kind of letter, have the hearings and, in fact, the letter would say, we are concerned about this. We want to be supportive to the department. We feel that there is a lot of misinformation out there. There's a lot of confusion, there's a lot of anxiety, what have you. And we are planning to do this but we really strongly urge you, Mr. Secretary, to increase the department's outreach because there's a real need for and I don't know if there might be some specific recommendations from that regard you would want to make but I mean, would that be helpful to OCR, maybe to get more attention, more resources or more recognition or would it just make things worse?

DR. KAMINSKI: I certainly don't think it would make things worse. That's an easy one. As Mark said earlier, though, every letter that has come from NCVHS to date on this privacy rule has concluded with a forceful paragraph about the need for outreach and education.

DR. GREENBERG: Right, but might be this letter would only, that would be the only forceful paragraph in it. That's been at the end of, and this is what we think you should do about marketing and this is what we think you should do, and by the way, maybe just focusing on this.

DR. KAMINSKI: It might help, I think to the extent that it was, there were some of these substantive suggestions put into it that would be sort of assistance getting the outreach in education job done. That might also be useful.

I do think that there are problems that people have identified that have been responsible for the dearth of information out there. A lot of it I believe, as Simon said earlier, that without having a rule, a final rule developed, the administration has been very, very uncomfortable doing extensive outreach and education because especially before the NPRM came out, it was quite unclear what it was that they were going to be doing outreach and education on including even training regional staff about, because you talked earlier about getting regional staff to be working with regional contacts in county and local provider groups, etc.

So that some of it has been that piece. That is accurate. Some of it as you kindly also stated has to do with the resource problem that I don't know how many people were behind the CMS Y2K effort. I have a feeling that it was a huge priority for CMS and it was an enormous -- I was at CMS, even at the time, but I wasn't involved with it. I think it really had more substantial staff behind that effort and, as I recall, they really, I believe they also contracted out quite a bit of that.

DR. GREENBERG: They probably did.

DR. KAMINSKI: I think they had some major contracts lined up on that piece.

DR. GREENBERG: It was like their number one priority. It was huge.

DR. KAMINSKI: So the staffing issue is real. It's very frustrating, very, very frustrating, and, you know, I'm not sure what else I can say about that and so based on those two pieces, whether or not a letter at this point sort of thing -- come on, come on, come on.

I think if it had some substantive sort of some of the things we brainstormed about today, that could be useful. I mean, I was thinking early in the discussion, I'm very sympathetic and I share some of the concerns that everyone in this committee has about the need for a real step up on outreach in education and I also question what is the role of the subcommittee. I can't really answer that. I'm not sure how to answer that, whether it's appropriate for the subcommittee to be involved with outreach and education. I don't have a problem with it. I'm not sure that, like you said, the difference between advisory and executive or operational.

It starts to get a little blurry to me whether the subcommittee could be involved if we had some 50 interpretation questions. I mean, to me it seems that that might be an area where it would be held up on giving assistance because we are needing to sort of process some very difficult interpretation issues that affect a large proportion of covered entities. That might be more an area where an advisory group could be pulled in.

So I guess I'm kind of dividing the world out between doing the education and outreach on the one hand and getting interpretations, getting correct information generated and getting those statements put out there.

DR. COHN: So much has been said and obviously we are having two sort of conversations at once here. We're having one conversation about fixing the problem that we are not exactly sure what the problem is but we want to fix it immediately with all sorts of things.

;mso-ansi-language:EN-US;mso-fareast-language:EN-US; mso-bidi-language:AR-SA'

Then the other issue is gee, do we need to do further investigation and do we need to be monitoring this as it moves forward. And, Stephanie, our role is not to answer your tough questions. I want you to know that, at least I don't think my role is. My role is to say gee, if you are having all these tough questions, you need to get X, Y, and Z to get these questions answered, which I think is really the role of the committee or gee, the whole industry can't move forward because you aren't addressing these tough questions and you don't have enough staff or gee, the industry isn't moving forward because we've heard from 12 groups and there's no outreach going on and I think that, just from my view of what our role is, I mean, our role is not the expert shot to answer tough questions.

Having said that, and trying to focus in a little bit about what this subcommittee is going to be doing, A, I guess I would posit that since we're in June, at the last day of the NCVHS meeting before we move to our next meeting in September, that probably this is not the time to start drafting a letter unless somebody can figure out how in the heck we are going to get it published between now and next September. There are ways, but consider that we are in such on early stage of drafting this letter, it would be a hard thing to do over the summer plus I'm not sure about the value added.

Now it may be that--

DR. ROTHSTEIN: I think that coming-- we need to wait until the final rule is out.

DR. COHN: Right, exactly. Now, I guess I would posit, and I'm getting really concrete because we are getting close to 10:00. I think we need to hold a hearing in October. I agree with you it probably should be out of Washington, D.C. I would actually further posit that probably if we are indeed serious that our role is to oversee, monitor, identify issues, identify recommendation to mitigate issues, we had better be prepared, probably on a bi-monthly basis, between October and April to hold various regional hearings around to identify what the issues are and get the issues identified and see if we can come up with some solutions in a relatively speedy process.

That isn't a whole lot of hearings. That's October, that's December, that's probably February. And by that time it's going to be too late to do anything anyway, in terms of guidance and advice and so I don't know if we are willing to do that, but that would be the way one would go around over seeing what's going to be a very difficult implementation, given that we don't have a whole lot of time to get it done in and we just need to be in a way that we are getting the information, we are getting it out to them.

We can certainly listen to Y2K people. I will tell you that actually our project manager at Kaiser Permanente was the Y2K project manager. I will tell you also that she thinks that this is much more difficult than Y2K because the government keeps changing its mind on what it's doing and that's the reason.

I mean, for Y2K, people said we have a deadline, things will stop functioning. With this implementation, sort of like you have one piece but you don't have another and they keep changing pieces and deadlines and everything else so it's making everybody absolutely nuts, but, if we do want to get some advice, Bob Moore from CMS did do the Y2K, might be able to provide us some advice at a hearing. He's a consultant now. He might be willing to come in and talk about his view of what might be useful as we move forward and that may be somebody we want to hear from.

DR. GREENBERG: I would just suggest if you wanted to have a series of hearings that we try to engage someone under contract who could work with us because I'm thinking here we've got Stephanie is the lead staff and she would certainly be involved and we would want to get input from OCR, etc., But she's also working a 24/7 trying to get this done and trying to get the final rule out and Gail is shaking her head because she knows what it's like.

Not just maybe to help identify appropriate people and maybe we can do that and we can set up the hearings and everything, but to be there to help with putting together information right afterwards that would be helpful. I mean, because that's, you don't want to wait two months to get your minutes. You really kind of distill things from the hearing and put out some four-page document or something that really is pithy and gets to what you learn and go onto help say okay, this is what we need so now find out and go on to the next one.

Because otherwise, the hearings will have modest benefit to the people who are able to participate or be there.

DR. ROTHSTEIN: Before we get to John I want to see if I can restate Simon's recommendation to hold three hearings and I'll actually embellish a little bit to see if it's okay with you. Three hearings in different sized places in different parts of the country, hearing from different groups of affected individuals and entities. One in October, one in, say, early December and one in, say, early February. Is that more or less what you had in mind?

DR. BLAIR: The weather is lovely in October in Albuquerque.

DR. GREENBERG: I was going to say I wouldn't recommend the early February one be in North Dakota.

DR. ZUBELDIA: But Salt Like City would be great. Great skiing.

DR. ROTHSTEIN: I understand they are having major compliance problems in Maui.

DR. DANAHER: A couple of thoughts, a couple of points.

One is, the first one, I would be careful about tying this effort too closely to Y2K. Y2K was a one-time fix. What we are talking about is affecting people's behavior about confidentiality over the long term. It's good to think about in terms of marshaling resources. We don't want to be in the vernacular of what is another Y2K. That's point number one. And there is that tendency, there is very much that tendency.

Point number two, I would suggest realistically, if we have these meetings on that timetable articulated and issue guidance in February or something like that, it's going to be next to worthless. What I would suggest is starting the process earlier and not issuing guidance and recommendations until after the finalized thing. Let's begin hearing what's going on there's plenty of activity, plenty of things to hear about but truly, if I'm John Hopkins Hospital and you guys come out and I've got April and you come out in something in February or March, the cat's way out of the bag so you really -- my recommendation would be start the process now, don't issue anything, don't issue a final guidance, recommendations, etc., Until after October but give organizations a chance to react, to respond, to incorporate what you are saying.

DR. ROTHSTEIN: And if we moved things forward and had the first hearing, let's say, in September, and then the second one in late October and the third one the first week of December and then have sort of rolling feedback on the hearings that would be more attractive?

DR. DANAHER: And I guess I would even, why can't they start in August? But anyway, you get my point and you guys know how to operationalize this better.

What we are trying to do is we are trying to heighten awareness and frankly, if we don't do anything between now and October, then shame on us. Know what I'm saying? We are as guilty as they are then.

The third point I would make, Stephanie, I think that the only way you are in the short term that you are going to be able to marshal additional resources and money and frankly, you know, do I think you need to send a letter to the Secretary saying it again? Sure. I mean, that's kind of pro forma stuff you do. Anybody, you know, realistically, is anything going to happen? No.

The only short term thing that I think you could dovetail on is the homeland security efforts. I mean, that's kind of, you know, I'm not trying to be not respect full, but that's the topic du jour. That's where efforts are being, and people are taking privacy and confidentiality and security of medical information. You know, people are saying that that is a very integral part of the homeland security effort. There's lots of funding that's going on for that, there's lots of efforts, there's all kinds of across coordination and I don't know exactly what the next step would be but that's kind of, I think, if you want to kind of Willy Sutton where you wanted to marshal additional resources and that the kind of excitement, it seemed to me that that's where you would look.

The next quick point is there is, what is, what happened, that's why I think we need to get going. There's a heightened awareness about this stuff. You know, I don't know how many of you saw the sports page, the front page of the New York Times sports page. What can you say now about groin injuries in athletes, training athletes. And other injuries as well but that seems to be a common one. It was on about a major pharmaceutical company having a practice of paying drug reps, you know, paying docs to let the drug reps come in and see them.

So I guess I keep on getting back to the point in in the absence of guidance, in the absence of information from us, etc., As we get closer to this deadline, there's going to be more information and some of it is going to be right, some of it is going to be wrong but it's going to start getting people lathered and frothy, etc. I think what our obligation is to provide, you know, some light on it.

And then the last thing is, I guess, to the question of whether it's within the purview of the subcommittee or not within the purview of the subcommittee, I guess what I would say is my sense is that this is where it's going to get driven out if it is going to get driven out at all, you know what I'm saying, in enough of us -- and I think that we kind of, if we feel strongly enough about it, go ahead and launch some activities and then ask for forgiveness later or something.

I don't know whether it's the purview of the executive branch or executive staff or whatever. You know what I'm saying. If we feel strong enough about it, let's go to it. Let's wait for somebody to say no, no, you're exceeding the realm of what the subcommittee is supposed to be doing.

DR. ROTHSTEIN: I mean, think about it, we have, over the last couple of years made very specific recommendations to the Secretary on all sorts of things relative to HIPAA and it seems to me that this is less meddlesome that our recommending that words be changed and definitions and coverage. It seems to be, to me at least exactly why this committee was created to be the liaison between the public and the department.

DR. DANAHER: I couldn't agree with you more.

DR. ROTHSTEIN: Okay, I started this meeting by saying that I wanted us to move beyond HIPAA implementation and then we spent the last hour and 40 minutes on HIPAA implementation. I hear a consensus and please tell me otherwise if I'm reading you incorrectly, that we ought to have a series of hearings concluding before Christmas of this year. Different locations and we will work out the specifics and you will certainly have input as to who should be invited, as to when, where and so forth.

We haven't breached the other issues. The first one that I raised was the substantive issue of whether we ought to be doing something with public health and that ties in, of course, very closely with bioterrorism. We really need to get a handle on this issue or there may be a problem in getting people to report suspected this, that or the other thing that they normally do and I would not like to see that dropped.

DR. COHN: Is there a way to include that in some of our regional hearings and it's another aspect of the issue.

DR. ROTHSTEIN: So, can we say that in one of the hearings, we will put the issue of public health, maybe do a whole afternoon on public health or a two-day hearing, one day on sort of traditional implementation, if I can say that and the other on public health, something like that? Would that be okay with the committee?

DR. COHN: I mean it might be a half day rather than a full day. Of course, I'm not sure if I know the scope of the problem.

DR. KAMINSKI: I did not come today prepared to talk about some of the other implementation or interpretation questions that are out there. There's a wide, a long list and a wide range.

I think what I would love to be able to do is have the opportunity to pull a list together and share it with the subcommittee and public health is a piece of it and an important piece but there's a lot of other groups out there that have a lot of concerns so if people would be up for that, I could put together a sort of suggested -- there are a lot of questions and a lot of misinformation and to I think that if we could, since we are going to only have what, six days, three hearings two days each. I done even know if they are each going to be two-day hearings. I just want to be very judicious. It's a very special and important opportunity so --

DR. ROTHSTEIN: And, Stephanie, to that point, and I think this is what you were getting at. If we -- we could have kind of a master list of the multiple activities that the various not only HHS agencies are doing in the area of HIPAA like this HRSA one that I just heard about and again, it's grants to rural hospitals to assist them in becoming compliant with HIPAA.

DR. GREENBERG: Is that HIPAA privacy or HIPAA transactions or both?

DR. ROTHSTEIN: I, the answer is, what it is, Marjorie, is it's to create a resource center. It's not clearly articulated that's transactions or privacy or whatever. It's to create resource centers to assist rural hospitals in their efforts. I know that DOD and Tri-care has got stuff that they are doing.

So again, it's always one of these cases that undoubtedly there's a ton of stuff going on, you know, the government is so big or whatever, if we could figure out how to lasso them so we could direct people to some of those efforts and resources. Is there any kind of master list or do people know?

DR. KAMINSKI: I'll see what I can do to get some information about that.

DR. ROTHSTEIN: Well, the other half of our subcommittee meeting was supposed to be devoted to the non-HIPAA issues and once again, let me suggest that I will defer that until our subcommittee meeting September 25th and 26th which is the next full committee meeting and by then we'll have a better sense of when our, what our hearing schedule is going to be like and maybe we can begin a project to work on, let's say, the beginning the first of next year. But our plate, you think, is now full.

DR. GREENBERG: Well, the first hearing is probably going to be before the next full committee meeting.

DR. ROTHSTEIN: Correct.

DR. COHN: I guess I would request, I don't know how everybody else's calendar looks, but I was noticing that I think I have four days already called for in September already at this point, and I'm sure that everybody else at the table probably is in the same situation. So the sooner, especially if we are doing something in September which, even though John thinks we could do something in August, I would laugh, but in September we really need to get a fix on all of the dates we are going to do this, even if we don't know the locations, as quickly as possible.

DR. ROTHSTEIN: Right. I'm going to start today. Stephanie and I are going to have a conference today on that.

Any other business or comments? Thank you very much. We stand adjourned.

(Whereupon, the meeting was adjourned at 9:54 a.m.)