Public Health Service

NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS

Subcommittee on Privacy and Confidentiality

September 10-11, 2002

Boston Park Plaza Hotel


The Subcommittee on Privacy and Confidentiality of the National Committee on Vital and Health Statistics held hearings September 10-11, 2002, at the Boston Park Plaza Hotel in Boston, Massachusetts.

Subcommittee members

Staff and Liaisons

Others


EXECUTIVE SUMMARY

September 10-11, 2002

The Subcommittee on Privacy and Confidentiality held hearings September 10-11, 2002 on implementation issues under the HIPAA Privacy Rule. During the two days, the Subcommittee heard 26 testimonies and talked with seven panels and the public.

Panel 1: Physician Practices

Dr. Marcus said doctors only knew HIPAA as something government imposed on them. HIPAA spawned an industry of products and services. Professional associations, hospitals, IPAs, Medicare, Medicaid and other insurers offered HIPAA help. Still, diverse interpretations of HIPAA rules and regulations and misinterpretation of what HIPAA was and required caused angst in the community. Dr. Marcus commented on specific problem areas and what she and her group partners did to comply. She emphasized the need for an accurate interpretation; simple checklists for compliance; and necessary, available and affordable forms.

Dr. Fine said 70 percent of Rhode Island primary care physicians practice in solo or small groups and were acrobats of the particular, focusing on one patient at a time in a world that required constant juggling. He depicted HIPAA as a long list of problems with acronyms that had nothing to do with patient care. The rules constantly changed and physicians assumed there really weren't rules, only today's version. It was difficult to prepare to comply with a “final” rule that was always coming out “in a few months.” Dr. Fine said many physicians were becoming cynical about government's role in healthcare. He and Dr. Marcus agreed that confidentiality was a two-edged sword. Dr. Fine urged the Committee to understand the role small practices played and what they did everyday--and then design templates with clear directions these practices could follow while tending to patient care.

Ms. Keener discussed a large, multi-specialty group practice's experience implementing HIPAA regulations, including best practices, available resources, coalition building, their approach to training, and difficulties they faced (e.g., confusion about the intent of the regulations and concern about enforcement, sanctions and public scrutiny). Despite extensive experience managing large, complex projects, she said, implementing the privacy rule made her “head spin.” She encouraged the federal government to define “reasonable”, summarize HIPAA in brochure format for staff and patients, and provide ongoing guidance and FAQ's on the privacy rule.

Ms. Khaja noted issues of concern to small and mid-size practices: uncertainty about the anticipated security standards, government generated forms, scalability, and a definition of business associates and HIPAA-related ways to treat them. She observed that people with greater exposure to HIPAA (e.g., office managers, support staff) had a better understanding than physicians who were frustrated by the vastness and bulk of the regulations. Massachusetts Medical Society (MMS) offered two comprehensive educational programs and partnered with law firms on a series of grand rounds educational sessions. District-level continuing medical education programs and an interdepartmental HIPAA workgroup also addressed HIPAA. Other MMS educational efforts included HIPAA toolkits, guidance booklet, newsletter (paper and electronic), and hotline.

As president-elect of MMS and a practicing cardiologist, Dr. Sullivan offered the perspective of both a small and larger operation. While agreeing with other participants that protecting privacy was the right thing to do, he emphasized that the complexity of the rule, implementation costs, and inexcusable delay in the release of the final rule were great concerns that had to be addressed expeditiously. Dr. Sullivan identified the need for clarifying information concerning billing communications via the phone, fax or e-mail with respect to the small practice; noted the need for a clearer definition of the opt-out for the "less than 10 FTEs" statement; advised that model forms would help alleviate the financial burden; and reiterated the need for the final security rule.

Mr. MacLean said practitioners in Maine were comfortable with the state's comprehensive privacy statute. He offered suggestions that could be implemented without extensive personnel resources or finances including: appointing a privacy officer/staff trainer, developing a simple privacy policy and a consent form; addressing internal security and staff access, and adding the provision to the personnel policy that a breach of privacy was grounds for discipline. He recommended: directing technical assistance at practice managers, educational offerings that were simple and available to physicians in the evenings, practical tools including forms, remembering summaries that didn't capture all important aspects of a law were difficult for lawyers, using a consent form from the beginning of a patient/physician relationship, that training include education forums, encouraging coalition building, that the AMA Web site and MMA HIPAA hotline were reliable resources while the accuracy of vendors and consultants varied. Mr. MacLean said he wasn't doing preemption analysis, but advising people from Maine to comply with both rules until the governor stated otherwise.

Panel 2: Hospitals

Mr. Halamka agreed there was much to do and significant burden in implementing HIPAA. He also pointed out that HIPAA saved hospitals millions of dollars and benefited patients and doctors. A group of 45 providers and payor groups representing about 90 percent of Massachusetts' health care transactions, Massachusetts Health Data Consortium (MHDC) worked to implement administrative simplification. Eligibility, specialty referral, claims status inquiry, referral authorization and inquiry, and electronic remittance were completed and claim status and submission (both institutional and professional) were in pilot. Mr. Halamka said complete, live implementation of all the NCX 124010 HIPAA mandated transactions will be in place by winter. He explained that MHDC used the consortium approach, leveraging it to educate payors and providers. Mr. Halamka outlined CareGroup's Web-based complaint and amendment procedures for patients. He encouraged HHS to develop templated policies and procedures for non-affiliated and small practices. Mr. Halamka stated that CareGroup viewed HIPAA as a consortium involving legal, human resources, information technology, medical records, and appropriate individuals throughout the clinical community with an interest in balancing privacy and patient care. Mr. Halamka concurred with earlier panelists; hospitals too were challenged by the fact that the Security Rule still wasn't formalized. He expressed disappointment at the Security Rule's extreme lack of specificity. Because the rule was neither finalized nor specific, Mr. Halamka said CareGroup developed their own best practices: a matrix of 60 criteria.

Ms. Polley described Sturdy Memorial as a small hospital with 145 beds (including 21 bassinets) and 12 physician practices with about 50 salaried physicians. Ms. Polley agreed with the other panelists that the uncertainty over the final rule was a complication and that the definition of a business associate was unclear. The minimum necessary requirement was a monumental task for Sturdy. Ms. Polley agreed that considering the most restrictive rule the best practice and following the most conservative approach was the best way to keep themselves and their patients' information safe. She said training would be department specific and done in department meetings. Ms. Polley wasn't worried about official enforcement. She suggested that the real threat was the court of public opinion. She reiterated that they needed to do the right thing because it was the right thing. Ms. Polley suggested minimizing rule changes and not bringing back consent. She strongly expressed that the consent conversation had no added value as part of the admission process.

Ms. Cramer said the level of nuance, administrative detail, and complication of the HIPAA privacy rules combined with the failure to preempt state law resulted in a challenging workload for already overextended staffs in their small hospitals. She saw a need for more technical and financial resources and advocated an enforcement rollback extending the deadline another six months. Ms. Cramer identified several hurdles: initial start-up, inadequate outside guidance, a lack of preemption analysis, the notice requirements, business associate contracting, and workforce training. She pointed out that the State of Vermont and the federal government hadn't provided small providers with guidance assistance and she expressed strongly that this needed to be rectified. She reiterated that the Notice of Privacy Practices (NOPP) shouldn't be their first encounter. Ms. Cramer commended the New Hampshire and Vermont Strategic HIPAA Implementation Plan coalition for sharing materials for best practices. And she again emphasized the need for more guidance and a final unchanging rule.

Although the Yale New Haven Health System (YNHHS) saw long-term financial benefits from EDI, Ms. Ahn expressed concern about the cost due to technical outlays for security related to the privacy requirements. The lack of federal financial assistance for hospital compliance efforts was a major problem. Ms. Ahn identified several issues with patient rights: the patient's right to request a written Notice of Privacy Practice, the right to request a copy of PHI, the right to request amendment of billing or medical records, non-standard requests, the reasonable request for confidential communications and restrictions, the accounting of disclosures and the right to file a complaint.

Panel 3: Ancillary Care Providers

Ms. Rafeld said the major HIPAA resource for dentists in Massachusetts was the American Dental Association (ADA), which provided a HIPAA privacy kit, privacy seminars, conference call seminars for state executives, articles in their journals and newsletters, a HIPAA section on their Web site, and staff available for technical and interpretative information. Ms. Rafeld reported that the Massachusetts Dental Society (MDS) created a HIPAA education coordinating committee and was active in HIPAA education for its members. Programs and resources included sponsorship of ADA seminars, HIPAA compliance seminars offered at the regional Yankee Dental Congress, journal and newsletter articles, links on their Web site to the ADA Web site, telephone technical assistance, and other seminars with Massachusetts-specific privacy information.

Ms. Janos cautioned that the April deadline wasn't sufficient time for home care providers to become HIPAA compliant. Home care providers were already stretched too thin and overwhelmed with paperwork and reimbursement issues. Two of the biggest challenges were the lack of resources to make required changes and the lengthy requirements for NOPP. Ms. Janos noted simplifying NOPP and making it understandable was especially important as it was the document a patient had to acknowledge receiving. HHS also required home care patients to receive an Outcome and Assessment Information Set (OASIS) Notice. Ms. Janos said the notices overlapped and confused patients. She encouraged the government to reconcile them. She noted, too, that due to the nature of home care, providers found it difficult to keep home medical records secure. Ms. Janos expressed confidence that home care providers could get policies and procedures in place, authorizations and NOPP written, but cautioned that all the necessary training might not be accomplished by the deadline. Ms. Janos also emphasized that Massachusetts' providers couldn't finalize policies until they had a clear understanding of the laws that were and weren't preempted.

Mr. Young said the Visiting Nurse Association (VNA) dealt with HIPAA by breaking it down into process and implementation. Process referred to what needed to be done, who did it and when it needed to be done. Mr. Young said completing what VNA had to do was a daunting task. He explained that implementation covered how they would do that. VNA knew what they needed to do and how to do it, but they weren't sure they could accomplish it within the given timeline. Mr. Young concurred that there were several challenges for home health care providers in meeting the April deadline. The primary difficulty was that home health care providers didn't care for their patients in a controlled environment. Cost was another challenge because implementation involved a cost that couldn't be recouped due to managed care contracts with set rates. Mr. Young agreed that training without jeopardizing patient care would be difficult. He also agreed that NOPP was too complicated for their older patients, already inundated with documents to sign.

Mr. Ortiz expected CVS Pharmacies to be compliant by the April deadline, but anticipated several challenges including preemption, NOPP, non-routine disclosures, training, and cost. Mr. Ortiz suggested posting the state laws that might be a preemption of HIPAA on each state's Web site. NOPP posed several problems for CVS, including length, distribution, good faith effort, and patient acknowledgements. Mr. Ortiz urged HHS to conduct a public education campaign informing consumers what to expect, including the NOPP, and encouraging them to sign the acknowledgment of receipt. Mr. Ortiz also encouraged clarification of what constituted a “good faith” effort. Mr. Ortiz disputed the statement that providers were going to save the cost of privacy implementation with the standardization of electronic billing. He contended that pharmacies were oriented toward electronic claim submission prior to HIPAA and that there wouldn't be any additional savings. Instead, Mr. Ortiz predicted they'd incur millions of dollars of cost initially and on a routine basis going forward.

Panel 4: Community Providers

Ms. Lane said Planned Parenthood of Connecticut (PPoC) was shocked with the amount of effort required to become 100 percent compliant and the cost assessment of over $100,000. PPoC realized a lot was scalable and that much of what had to be done was only formalizing what they'd already put in place, being deliberate about where they scaled it and aware of the rationale behind their decisions. Ms. Lane explained that all employees other than clinicians handled multiple tasks (e.g., front-desk work, answering phones, posting charges, doing blood tests, and counseling) and needed to see the whole medical record. She said this was a matter PPoC would address in their procedures. Ms. Lane noted that in some ways HIPAA seemed to immerse PPoC in more paperwork, counseling, documentation and formalizing of procedures, working against their ability to be flexible and meet their customers' needs. Implementing new systems along with the new medical software was key to PPoC's compliance strategy. As recipients of Title X and in their role as grantee of planning grants for two states, Ms. Lane said PPoC worked with counsel to learn more about their responsibilities for their delegates in terms of financial controls, medical protocols, and their quality assurance plans.

Dr. Perlman said the biggest challenge for the Mental Health and Substance Abuse Corporations of Massachusetts (MHSACM) was uncertainty. So many unknowns made it difficult to make changes to accommodate new regulations. The privacy rules were finalized just after MHSACM distributed their templates for policies and procedures, which now needed to be updated. Neither the security regulations nor code sets for mental health and substance abuse were final. The preemption issues were major and that analysis wasn't complete. And there was ongoing speculation about changes in deadlines and content. Some state agencies told providers little about what they were doing or expected providers to do about HIPAA. Some weren't even certain whether they themselves were covered entities. MHSACM was chronically underfunded and privacy and security costs were large and totally unpredictable. Gap analysis was expensive. And Dr. Perlman concurred that training was a dramatic cost issue. MHSACM's training program met monthly for seven months and covered major HIPAA topics. She said teaching staff the complex requirements was a challenge, especially with the different levels of education. Dr. Perlman cautioned that some providers believed that either the state agency they contracted with or their billing software company would take care of HIPAA for them. She noted billing companies dealt with only the standard transactions and code sets. Some 75 to 80 percent of HIPAA was in the privacy and security part and everyone had to take care of that themselves.

Although each rule brought unique challenges, Mr. Coffee said the Community Health Center HIPAA Collaborative (CHC HIPAA Collaborative) faced the privacy rule with the greatest trepidation. Health centers struggled with increased demand for services, funding cuts and decreasing, less stable reimbursement. Massachusetts Health Centers provided services to a patient population speaking nearly 40 languages; many were illiterate. Centers provided services to homeless populations, substance abusers, and the mentally ill. Mentally ill patients already had difficulties navigating the health care system and Mr. Coffee expressed concern that the language and concepts of HIPAA could further disrupt patient care. For many staff members, English was a second language and they had difficulty with legal concepts. One health center provided services to homeless individuals at 70 sites. Training at that many sites and developing and maintaining a viable monitoring system for authorization and access tracking seemed overwhelming, given the time frame. Mr. Coffee noted the accuracy and quality of vendors and consultants varied widely and expressed concern about working effectively enough in that time with all available resources and potential partners. With turnover rates as high as 22 percent, constant training would drain valuable resources from patient services. The federal government had mandated providers train employees and become compliant, but Mr. Coffee noted health centers also would be training patients. He urged the federal government to educate the public on the basic principles behind the legislation and regulations.

Public Testimony

Mr. Kozik said the July 2001 guidance was an excellent resource providing “plain English” answers to many of the final privacy regulations' gray areas. Noting that the burden to inform patients of the new federal standards apparently defaulted back to the provider community, he emphasized that the government needed to communicate to the general public. A major challenge for North Shore Medical Center (NSMC) was to train more than 5,000 employees and physicians on the final Privacy Rules. Pointing out the need to design systems to capture and enforce requests, Mr. Kozik said he saw the right of allowing patients to directly opt in and out of a facility as another major hurdle. He cautioned that the necessity of raising funds for biomedical research and community benefits like indigent care could be severely impacted due to their inability to reach out and assess people's interest and potential in giving. Mr. Kozik encouraged the Committee to adjust the regulations to provide fund-raising staffs' access to the names of physicians, departments, and divisions, noting these elements would be granted under normal hospital operations and thus wouldn't require an authorization form. He also emphasized that diagnosis and treatment of patients wouldn't continue to be accessible unless an authorization form was signed in advance. Mr. Kozik noted that North Shore utilized a cost-effective module approach to training substantial enough for the board level that could be broken down into modules for teaching at various levels. He said North Shore also was developing job-specific models.

Day Two

Ms. Curran said Blue Cross/Blue Shield of Rhode Island (BC/BSoRI) regularly communicated with providers about how changes in HIPAA EDI regulations would affect the claims process. BC/BSoRI developed a HIPAA hotline, utilized direct mailings, and was producing a CD-ROM based on continuing medical education (CME) seminars presented earlier in the year to help providers get ready for HIPAA. BC/BSoRI strove to work with other insurers and their hospital and medical associations and Ms. Curran noted that this, too, was a challenge because everyone had a different interpretation and coming to consensus could take months. Dr. Danaher noted many health plans around the country had talked about similar efforts, but feared exposure to litigation from interpreting HIPAA and hadn't been courageous enough to do it. Ms. Curran said negotiating a middle ground between their legal and business people involved qualifying a lot of what they said and did. She said the way BC/BSoRI focused on and addressed its concern, not just about liability but also that providers took ownership for their HIPAA readiness, ultimately enabled them to do presentations. Ms. Curran expressed concern that privacy still hadn't been extended and that providers wouldn't be ready in April. She noted that some thought nothing would happen if providers didn't conform.

Ms. Schwartz noted that, even though Fallon Community Health Plan (FCHP) had strict policies regarding disclosure of member information to outside entities, they realized that their internal communications process could be improved. Strengthened security will minimize the possibility of inadvertent disclosures. FCHP will also benefit from clearly documenting their policies and having consistency among all departments. She noted that outside consultation brought experience and knowledge to their projects and objectivity that was especially important in the area of security where some might have found fault with internal recommendations. However, Ms. Schwartz reported the consultant had experience in security but didn't have much more exposure to HIPAA privacy than FCHP did. She detailed FCHP's plans to train their workforce. And she said another challenge was finding a reasonably priced vendor that could incorporate the policies and procedures for the plan and clinic without large customization fees. Ms. Schwartz pointed out confusion over the Business Associate Agreements. She said FCHP could have used more guidance about what entities were considered business associates. And she noted that other covered entities were another area of confusion. Ms. Schwartz emphasized that the interpretive guidance and answers to questions were confusing and that prompt answers to questions and issues and additional interpretive guidance would assist implementation. She reiterated that security was essential and that it would have been helpful to have the Security Rule finalized.

Unlike group health plans, employer/plan sponsors are not directly regulated by the Rule. Ms. Hilger said employer/plan sponsors are struggling with the HIPAA Privacy Rule primarily because the compliance framework is not clear-cut for ERISA plans. Untangling where responsibility for the obligations falls is exacerbated by competing demands for resources in a particularly difficult economic climate in which most companies aggressively try to control costs. At Fidelity Investments, the Benefits Department has responsibility for management of the benefits programs, and Ms. Hilger said the most critical task was determining when the department acts as an employer/plan sponsor versus when it acts on behalf of the plan. This determination is important because it is impractical to conclude that the Benefits Department is always acting on behalf of the plan when dealing with the health plans and because it provides clues as to where and how firewalls to protect PHI have to be erected. Ms. Hilger noted that enrollment activities performed by the Benefits Department are not plan administration functions for purposes of the Privacy Rule, and she said that it would be helpful for HHS to verify that other enrollment-related activities commonly performed by benefits departments will be viewed in the same way. Ms. Hilger said Fidelity was doing a cost-benefit analysis of outsourcing the appeals function. She noted a number of large employers took this approach and more were considering it. Ms. Hilger said she appreciated the sample language for the business associate contracts provided in the NPRM and the modification to the Rule. She welcomed similar sample language for privacy notices and policies, authorizations and other written requirements.

Ms. Rubinstein discussed MHDC's work with consultants and lawyers to help employees and employers understand their responsibilities in implementing HIPAA. MHDC helped employers devise employee communications about HIPAA and Ms. Rubinstein noted areas where she hoped to get clarification. She discussed disadvantages of requiring a finite expiration date on the authorization, addressed the timing of execution of authorizations and proposed having an execution in advance, addressed the issue of changing between insured and self-insured status and the HIPAA issues the changes brought, discussed the guidance on e-mail and faxed authorizations, and questioned which entity needed to file for an EDI extension. She explained that the employer community was asking for something more basic than a change in the rules; it was requesting clarification of its responsibilities under HIPAA's privacy regulations. She advised that HHS would provide enormous value to the employer community by issuing clear guidance. Only with clear guidance could the employer community embrace the rules and make them a part of their organizational culture. Failure to provide that guidance would leave many employers believing they were exempt from HIPAA and many employees without the privacy protections that HIPAA meant to provide.

Panel 2: State Agencies/Public Health Authorities

Ms. Allan said concepts and many specifics of the HIPAA Privacy Rule were familiar to and embraced by state agency personnel, but that they found it extremely challenging. Because of the way state agencies and their programs were structured, it was difficult to fit them under the rubric of the rule. They served diverse populations and this was reflected in their programs. Many held diverse functions and weren't as clearly delineated between health care provider and health care plan as the private sector programs. Ms. Allan explained that most of the HIPAA information sources and resources were geared to the private sector. She said virtually all of their agencies initially struggled with how to designate themselves, and she emphasized that with the compliance deadline looming they had to know where they fit in. Ms. Allan identified three other challenges the state faced: the state was responsible for financing this overall effort and it had become a burden; operational hurdles because state government was structured differently than a private enterprise; and concern from the HHS Executive Office perspective that they avoided adverse program impacts from many provisions of the HIPAA Privacy Rule. Ms. Allan anticipated a paralysis setting in unless they thoroughly educated people out in the private sector who held protected health information (PHI) about what HIPAA did and didn't allow. She said it would be very helpful to get clarification on authorizations. But stressing that much earlier it would have been helpful to have clearer guidance on how to put state programs under the HIPAA definitions, Ms. Allan said, at this point, they'd made their decisions and were moving forward with compliance deadlines looming and too much still to be done. She said she wasn't sure she wanted that clarification now. Ms. Allan said that she was talking about broad education of the public as well as the private sector about what HIPAA did and didn't do.

Mr. Ballin advised that the definitions were ambiguous with regard to public health and noted that they'd attempted to get guidance from HHS, but hadn't received any feedback. He emphasized that the lack of guidance made it difficult for those trying to interpret these rules at the state level. Mr. Ballin noted that the ways they used PHI and the actual information collected were extremely diverse and that it was difficult to assess how each program related to the health care provider or plan definitions. A couple of programs looked like health plans, and many others acted like health care providers or contracted out with agencies to provide services. The remaining 75 percent of the programs didn't fit the definitions and, for the reasons Ms. Allan mentioned, they'd decided a hybrid entity would have made it too difficult for their programs to share PHI necessary for conducting public health practice. Mr. Ballin noted the decision to have other programs voluntarily comply with HIPAA caused concern about many programs that people believed HIPAA didn't apply to. Mr. Ballin shared questions that conveyed some of the perceived impacts of HIPAA on public health practice and how things needed to change. Mr. Ballin said it would have been very helpful to have appropriate guidance for public health authorities on covered entity questions. Mr. Ballin stated that he did believe the HIPAA Privacy Regulations demonstrated a clear intent to ensure that core public health activities of public health departments weren't impeded. Despite much confusion, he said that he believed by carefully reading the rules they were able to change some of the business procedures they conducted. He said that they were still able to do their business and HIPAA did not present any significant barrier to their public health practices.

Ms. Bergman explained that the New Hampshire HHS's services and administration were provided seamlessly across the department and followed a matrix model. One of the department's largest stumbling blocks was determining each state agency's proper covered entity designation. A decision was made to move forward with a total department HIPAA privacy assessment. It was agreed that designation as a single covered entity for the purposes of complying with the HIPAA privacy rule supported the department's organizational make-up and philosophy and met the intent and requirements of the Privacy Rule. The Department believed it could comply with the privacy rule and still maintain its organizational processes. They planned to do this without creating inequitable rules of practice, duplicate auditing or compliance efforts, or firewalls or boundaries between program areas that needed to share resources and information in order to effectively serve their client populations. Ms. Bergman said the department was pleased with the amendments to the hybrid definition permitting covered entities that could qualify as hybrid entities to choose their designation. With few exceptions, the department believed that most of what it did was related to health care. The amendments to the privacy rule created a better environment for the way the New Hampshire HHS did business, met the privacy rights and requirements mandated therein, and didn't force a compliance designation contrary to their business model. Ms. Bergman said the accuracy and quality of the consulting was less than they'd hoped for with privacy. Consulting organizations found it difficult to understand that one size didn't fit all when assessing privacy within state government. Ms. Bergman noted privacy remediation at a state agency required individuals with extensive knowledge in privacy practices, individual rights, government operations, and some level of legal proceedings.

Panel 3: Consultants/Other Resources

Mr. Szabo said the Boston Bar Association (BBA) Task Force's report analyzing 200 state laws and regulations alongside a synopsis of the relevant provision of the privacy rule and conclusions regarding preemption will be released on CD-ROM this fall. The Health Privacy Project at Georgetown, American Bar Association (ABA), the state of Maryland, and other professional and trade associations also studied the HIPAA preemption. Mr. Szabo discussed several factors contributing to the complexity of the HIPAA preemption. He portrayed HIPAA compliance as divided into three tiers: large organizations that made substantial investments in compliance (some were ready now; most would be ready in April); organizations that had begun but were far from ready and might be hampered by under capitalization and thin or non-existent operating margins; and individuals and organizations unaware of or resistant to hearing about HIPAA. Mr. Szabo suggested that: small providers be given access to approved forms of notices, authorizations, and policies and procedures simple enough for a small organization to use yet compliant with the intent of the rule; a form of administrative simplification be tailored for small organizations and sole practitioners; the cost of HIPAA implementation be taken into account in setting provider rates of payment; and outreach and educational efforts target smaller organizations, health plan sponsors, and others not fully aware of their obligations. Mr. Szabo noted that some providers literally had no money to divert to HIPAA compliance. Others were forced to make painful choices between investing in compliance or in quality improvement, clinical staffing and health technology.

Ms. Ruffino reported that provider office staffs consistently thought HIPAA offered better business practices than what they'd been doing. She identified three major problems with provider offices. First, the standards still weren't fully understood and, even if provider office staffs had time, HIPAA wouldn't be their first priority. Secondly, only critical issues were likely to get physicians' attention or resources beyond patient care. Third, the squeeze on reimbursement rates: no money was included in the HIPAA legislation for additional reimbursements. In regard to myths, Ms. Ruffino cautioned that industry wanted administrative simplification for good reasons and payers and providers would benefit, but HIPAA wouldn't help consumers much. Ms. Ruffino suggested privacy rules were more accurately described as consumer mandated than as an unfunded federal mandate. And she said the collaborative efforts throughout HIPAA were impressive. Ms. Ruffino urged the Committee to make the guidance and FAQ's more accessible. She recommended a simple HIPAA practice management handbook for small provider offices with sample policies and procedures and the information on obtaining forms and references to current resources. And she emphasized that consumers needed to know the purpose of HIPAA was to improve information for health care purposes.

Dr. Weintrub, a practicing physician and software developer who was completing an educational CD-ROM to help Blue Cross Blue Shield of Rhode Island educate providers, discussed the process of building a multimedia application to help physicians understand and comply with HIPAA.

Agenda Item: Subcommittee Discussion

Mr. Rothstein noted the Subcommittee had final hearings on this matter on October 29-30 in Baltimore, and November 5-6 in Salt Lake City. The meetings were close together and both had to be planned. Noting people were very positive about the July 2001 guidance, Ms. Kaminsky said updated guidance reflecting modifications to the rule was underway. Hopefully, feedback from the last guidance will make it even better. She reported that the Office for Civil Rights (OCR) was funding a large-sum technical assistance contract for written technical assistance and educational videos oriented to different types of entities. Ms. Kaminsky acknowledged the urgency of getting something out quickly. She requested input.

Ms. Kaminsky said if she got permission, they'd have a breakout session from the full Committee meeting and she'd try to have the list of covered entities. Noting they'd just heard about community health centers and other public health groups being largely on their own, Ms. Greenberg commented that technical assistance was well funded so it might not be necessary, but if serving certain constituencies wasn't currently funded other parts of the Department with those groups in their constituencies might enhance the funding. Ms. Kaminsky said she'd raise that point at OCR or with the privacy implementation forum. Noting that OCR felt under the gun to get guidance to a wide audience, many of whom testified at these hearings, Ms. Kaminsky suggested that additional funds might be tagged onto this contract. She circulated a partial inventory of the kinds of technical assistance various operating divisions were doing. She also noted a pamphlet that reflected the technical assistance from the Title X part of HHS. Ms. Kaminsky affirmed that consumers' needs would probably be addressed with the technical assistance contract; she said she'd have details for the next meeting. Ms. Kaminsky reiterated her concern that consumers received outreach and education and covered entities got technical assistance. She said she thought it was in the works.

Ms. Kaminsky said she'd informally and formally reported at OCR some of what was discussed at the last Subcommittee meeting. No one particularly favored OCR putting a clearing-house on its Website. Dr. Cohn reflected that a good use of resources might be to develop everything internally, with time spent making sure what they did was appropriate and other people had access.

Dr. Cohn reiterated that people testified about needing an employee and consultants to research and come up with their own interpretations that might or might not be consistent with an overall compliant approach to implementation. He asked if OCR planned to advise or give answers to vexing or ambiguous problems of interpretation in a timely fashion. Ms. Kaminsky reminded him that people could submit questions to the privacy mailbox on the OCR privacy Website. Members said they'd heard a number of people say they submitted questions and never received answers. Ms. Kaminsky believed there was an auto response. She'll check. Noting a guidance with FAQ's hadn't been published in over a year, Mr. Rothstein said if the department had no intention of answering questions in a timely manner, that function should be deleted from the website. Ms. Greenberg agreed. Ms. Kaminsky urged the Subcommittee to strongly advise that OCR handle FAQs more responsively.

Dr. Zubeldia noted Ms. Trudell reported that CMS was answering e-mailed questions. Ms. Kaminsky pointed out that OCR did answer a fair number of questions, but received an enormous amount and the cultures had gone in different directions and so responses differed. Ms. Greenberg asserted that it was hugely resource consuming. She wondered how most questions might be answered locally, so the questions that got through were ones that really required more expertise.

Mr. Rothstein asked about the response to the Subcommittee's recommendation that a complete new version be available in print when the final rule was published. Ms. Kaminsky said it would be on the Web.

Dr. Cohn reviewed what he recalled of the sessions and asked if the Subcommittee could sketch out a brief one-page letter to OCR and the full Committee, explaining what they'd heard and was already apparent. Mr. Rothstein suggested items heard repeatedly be included (e.g., the need for notification and authorization forms). He said he'd work with Ms. Kaminsky and circulate what they thought could be agreed on before the September meeting. A follow-up letter with more detail could be sent in November.

Ms. Kaminsky reported that OCR's leadership had changed. The new Director was Mr. Rick Campanelli, a civil rights attorney with a broad background. OCR was asked to present an update at the full Committee meeting in September and Mr. Campanelli might do that. She asked whether he should be invited to participate in discussion at the Baltimore hearing. She also wondered if the Subcommittee on Privacy might want to schedule a focused, semi-private conversation.

Regarding the agenda, Ms. Kaminsky spoke to Holt Anderson of the North Carolina Healthcare Information and Communications Alliance (that state's equivalent to MHDC) about testifying. Elliot Stone was a possibility, though he hadn't been invited because of the original focus on providers. Dr. David Kibbe, a physician with the American Academy of Family Physicians who presented at the Harvard HIPAA Colloquium had accepted the invitation to represent the family physician perspective on HIPAA. Bruce Freed who had been a senior person in Medicare at HCFA and partner at Shaw Pittman (the group BC/BSA commissioned to do a 50-state preemption analysis) was another testifier. A privacy working group on National Medicaid EDI (NMEH) was putting together their Subcommittee's collective testimony.

Dr. Danaher requested that they step back a moment and agree on the problem. He said the two days reconfirmed an across-the-board lack of awareness, understanding and resources and a particular lack of knowledge among small and medium-size providers. Health plans were well on their way. He suggested the Committee's greatest usefulness would be to prompt OCR to help that constituency between then and April 2003. Dr. Cohn agreed that the goal was to ensure successful implementation. He'd also heard about the need for technical support and implementation issues. Dr. Cohn said he was also aware of the likelihood of more than just small providers overshooting or doing the wrong implementation. If the Subcommittee wanted to focus more on small providers, he suggested they talk more with groups who represented them.

Given the vagueness of the regulation, Dr. Danaher said he was more concerned about the have-nots. He stressed that the Subcommittee's efforts shouldn't stop once the April 14, 2003 implementation date came. The big issue was that the basic tenets, regulation, and intention were unheard by potentially the most important constituency--the providers. Mr. Rothstein contended that, with all due respect to OCR, this problem and its solutions were so big that a serious commitment from HHS's highest levels was needed; clearly, massive public education programs were needed. Each entity had its own difficult issue to resolve. And Mr. Rothstein said he hadn't seen an appropriate response to this law that would affect everyone who ever picked up a prescription. He cautioned that there was an underestimation of the scope and complexity of getting HIPAA off the ground. Mr. Rothstein said he didn't know whether the Committee had authority to make that case, and he wanted someone from the highest level of the Department to attend the full September meeting where this case could be made.

Ms. Greenberg agreed that putting this at the top of HHS was valid: the public health departments were on their own and local ones had no resources. National associations couldn't do it. OCR had to focus initially on covered entities. And the issues included employer ERISA plans, extending almost into the Labor Department. The government had gone awry, but Ms. Greenberg said she was heartened that people declared the policies vague, because that would force a review and improve policies and procedures. It was a tremendous opportunity, as well as a tremendous job.

Ms. Greenberg affirmed that it was the Committee's role to recognize this as a time of constrained resources. The budget surplus had slipped away, and the letter had to emphasize that impact. Effort over time was required and reasonable, restrained enforcement would be necessary early, but this also had to have teeth in it. Dr. Zubeldia noted the Subcommittee had set a precedent getting the individual identifier in the news. Ms. Greenberg emphasized that publicity had to be done well. And she reiterated that the law virtually would impact everyone.

Mr. Rothstein reported that a session on HIPAA in public health was held at CDC's first Annual National Public Health Law Conference. Considerable anxiety was expressed about the continued ability to do traditional public health surveillance, epidemiology, investigations and reporting because hospitals and providers were misinformed about HIPAA. Everyone wanted to know what was being done to fix it. Dr. Cohn supported that view. He proposed that a properly crafted letter might do more than having Secretary Thompson spend five or ten minutes talking with them. Mr. Rothstein said that to make major strides it was essential to have a first-rung political appointee spend a half-hour with the full Committee to get a flavor of the testimonies from the previous day and a half. He questioned whether the group could make a detailed presentation of recommendations by the September meeting, but said he was prepared to speak for half an hour on the magnitude of the problem and the consequences to public health, law enforcement, and social services with a focus on the need for serious attention and resources. Ms. Greenberg said Ms. Kaminsky and she could talk with Mr. Scanlon and Mr. Rothstein could talk with someone else about the meeting and a Subcommittee briefing. Time was of the essence. Dr. Cohn reiterated the need for leadership support from the highest level of HHS. Members considered who in HHS might be a champion for HIPAA and the extent the Administration embraced this. Ms. Greenberg said OCR put enormous effort and resources into getting this rule right and making it workable. It had high standing and there was a tremendous onus on the Department to promote, facilitate and work on implementation.

Ms. Kaminsky supported the strategy of getting others to listen and suggested that people in the Department who were extraordinarily involved with the privacy rule had the greatest impact on privacy policy. She remarked that privacy council people would also be appropriate. Mr. Rothstein suggested a conference call to hear Dr. Lumpkin's views.

Dr. Danaher noted Tom Sculley was on record as saying organizations wishing to contract with CMS had to be HIPAA compliant. Dr. Danaher encouraged such executive support.

Mr. Rothstein observed that everyone at the table had a good idea of the HIPAA privacy rule and he thought they were surprised by some of the testimony. He said he'd heard issues he hadn't considered and felt that those who could influence implementation of the rule needed to listen. Members clarified that it would be appropriate to have the testifiers at the meeting when the Subcommittee presented what they'd heard.

Dr. Cohn supported writing the letter, but focused on whether the Subcommittee was considering whether to devote tremendous amounts of resources and make an absolute commitment that everybody be in full compliance by April 14, or were they grappling with recommending a major effort to comply now, with everyone realizing compliance enforcement began in a year.

The next full Committee meeting was November 19-20. Even with a commitment, Mr. Rothstein noted nothing was likely to happen until January. Ms. Greenberg suggested drafting a letter to discuss with the full Committee in open session. Ms. Greenberg noted the timing might not be good for getting anyone at the full Committee meeting other than the head of OCR in his capacity of reporting. Issues could be shared then, but dialoging in two weeks with the full Committee meeting was premature. Ms. Greenberg proposed working in two phases: first an alert to initial concerns and invitation to present at the Data Council in October; second, a discussion at the November meeting. Dr. Cohn noted that a conversation with Subcommittee representatives might also get the information; Dr. Lumpkin and Mr. Rothstein could meet with whomever the Committee decided. Mr. Rothstein suggested mentioning their availability in the letter.

Ms. Greenberg supported moving the October hearing to Baltimore, but emphasized the need to hear from a broad range of constituencies and gain wider perspectives. Noting that each part of the country was different and MHDC and Massachusetts were active, she wondered if it wasn't worse in other parts of the country. Mr. Rothstein proposed that they get people from West Virginia, Delaware and the Philadelphia area. Ms. Kaminsky will draft a letter to circulate to the Subcommittee before the September meeting, including the themes of breadth, scope and timeliness as well as the need for broad educational programs, specific forms and guides, and OCR's timely responses to the issues. Mr. Rothstein will schedule time on the full Committee agenda. The general advice (e.g., a regional focus) will be taken into account in planning the next two hearings. The Subcommittee will seek people from Wyoming and surrounding states and rural areas for the Salt Lake City hearing. Dr. Zubeldia will line up facilities that serve the Indian community in Nevada and other outlying areas. Mr. Rothstein intends to have a mixture of speakers and topics to finalize at the September meeting.

The suggestion that OCR conduct an open door privacy call-in initiative on a monthly basis mentioned in the previous day's discussion will be among the 20 points to discuss in more detail for the November statement. The consumer outreach concept will be mentioned in the September letter.


DETAILED HEARING SUMMARY

Day One

Mr. Rothstein welcomed everyone to the first of two days of hearings on implementation issues under the HIPAA Privacy Rule. He noted that the final amendments to the privacy rule had been published last month and that they were shifting to a compliance mode in preparation for the April compliance date. Mr. Rothstein clarified that the purpose of the hearings wasn't to revisit the substantive elements of the rule (although the Subcommittee was well aware that discussing implementation issues involved referencing substantive areas of the law), but to learn from the testifiers' answers to at least the following questions: What resources were available for HIPAA compliance, including those from professional organizations and trade associations? Were compilations of best practices available and how were successful implementation strategies disseminated? Were there models for public/private partnership developments? How should covered entities build coalitions and develop consensus procedures? What outreach, education, and technical support programs were needed from OCR, including suggestions for OCR priority setting? What areas were especially in need of guidance from OCR? How should the integration of HIPAA and other federal and state laws be addressed? And how did the testifiers assess the accuracy and quality of the information and services of vendors and consultants, especially as they pertained to small providers and health plans?

Mr. Rothstein noted that these were just a few of the implementation issues that the Subcommittee and eventually the full Committee planned to take up. He added that time was available for public testimony. Witnesses could submit additional written testimony within 30 days.

The Subcommittee will hold two additional sets of hearings on these issues, meeting in Baltimore October 29-30 and Salt Lake City November 5-6. After the final hearing, the Subcommittee will submit its recommendations to the full Committee for discussion and possible action at the November 19-20 meeting in Washington. Recommendations approved by the full Committee will be transmitted in a letter to Secretary Thompson by the Committee's Chair, Dr. Lumpkin.

Panel 1: Physician Practices

As a member of a small group of three pediatricians in private practice, Dr. Marcus said she was tuned into HIPAA issues, though she felt many doctors weren't certain what HIPAA was or stood for, but only knew it as something government imposed on them. She likened it to Y2K, noting doctors were afraid it would cost them money. Doctors didn't realize that much of what they needed to do was simple, though it required education of themselves, their staff and patients. Dr. Marcus remarked that HIPAA interpretation wasn't clear because there were so many components (e.g., transaction, security and privacy). She said transaction was a technical and especially difficult area for many doctors without that expertise and created a feeling of impossibility surrounding HIPAA interpretation. Noting HIPAA spawned an industry and the private sector marketed books, newsletters, videos, CD's, Web sites, e-mail news, teleconferences and other products and services, Dr. Marcus said professional associations had stepped up to the plate in HIPAA education, offering newsletters and tips on their Web site, teleconferences, and printed material. Hospitals, IPAs, Medicare, Medicaid and other insurers offered HIPAA help. Still, Dr. Marcus pointed out the diverse interpretations of HIPAA rules and regulations, noting a doctor reported on a list serve that a hospital HIPAA audit advised him to encase his computer server in a locked metal box to protect the server and data, a process that would fry both the computer and the data. Dr. Marcus emphasized that misinterpretation of what HIPAA was and required caused angst in the community. Dr. Marcus commented on specific problem areas and what she and her group partners did to comply, noting they made compromises between privacy and efficiency of workflow and patients' comfort in the office. 
Office compliance included: eliminating the sign-in clipboard, using a shredder in each doctor's room and the business office, removing patient identifiable information from the recycle bin, signs indicating areas off limits to patients (e.g., where lab results and faxes were printed), eliminating paper with scanning and an electronic medical record (EMR), emphasizing respecting patient privacy with staff (e.g., discouraging hallway conversations, placing paper charts face down in racks, first names only on the white board listing which room doctors went to next, shutting the door when talking to a patient (face-to-face or on the phone), not leaving medical information on answering machines, publishing rules for e-mail on their Web site), moving towards a secure Web site for all electronic communications, and considering a privacy education program for physicians. Although an open front desk might be problematic for privacy, Dr. Marcus said her group didn't intend to enclose theirs: a warm, friendly atmosphere outweighed privacy issues and they chose to work around that. The group also moved towards the EMR and scanning; although the charts and shelving weren't yet locked up, the office was locked at the end of the day. Dr. Marcus pointed out that it was also a matter of educating the parents/patients and other supporting health providers. Sometimes, parents didn't feel children needed as much privacy and Dr. Marcus prompted parents to move into a private area when they brought up issues. She noted the hospital emergency room, telephone triage service, and hospitals also needed to be reminded to fax information concerning patients on individual sheets of paper to maintain patient privacy. Dr. Marcus emphasized the need for an accurate interpretation, simple checklists for compliance, and the necessary, available, affordable forms.

Panel 1: Physician Practices

Dr. Fine introduced himself as a family physician and a managing partner of the largest family practice in Rhode Island, a past president of the Rhode Island Academy of Family Physicians, and a member and past chair of the Primary Care Advisory Committee of the Rhode Island Department of Health. His work was split between caring for a diverse, economically stressed population in a busy urban Pawtucket practice and an exurban, farming town-practice in Scituate. He said his testimony represented himself and the Rhode Island Academy of Family Physicians, whose executive board he'd conferred with.

He explained that primary care in Rhode Island was still largely a retail, “Mom and Pop” operation. Seventy percent of Rhode Island primary care physicians practice in solo or very small groups and dealt with issues as they came up. Dr. Fine worked with five other full-time equivalent physicians in the largest family practice in Rhode Island. A few primary care groups of 30-60 physicians struggled to justify their size. Most didn't have an office manager, controller, or compliance officer. Some didn't even have a practice attorney or accountant. Most believed their main function was patient care, and some thought patient care alone would get them through the day. Dr. Fine described Rhode Island primary care physicians as acrobats of the particular, focusing on one person and their health challenges at a time in a world that required constant juggling. They juggled patient, hospital, health plan, nursing home, visiting nurse, government, and vendor needs. As an example, he noted the Home Health Certification and Plan of Care form he was required to complete four or five times a week.

Dr. Fine depicted HIPAA as a long list of problems with acronyms that didn't seem to have anything to do with patient care. An acronym problem appeared about every other year, accompanied by its own mysterious rules, threats, and profiteers. The rules constantly changed and physicians learned to assume there really weren't rules, only today's version. It was difficult to prepare to comply with a “final” rule that was always coming out “in a few months.” Threats for noncompliance were vague but ominous: jail, loss of license, huge fines or loss of market share. Profiteers showed up to solve problems no one knew they had, made recommendations, charged exorbitantly and left a multitude of disclaimers. Dr. Fine said no acronym was as compelling as someone you knew and cared about who was sick.

He agreed with Dr. Marcus that confidentiality was a two-edged sword. Good primary care was a high wire act and primary care physicians had to be open to all the sources about people they cared for (e.g., who was drinking, wouldn't come out of the house, or lost weight but wouldn't see the doctor?) while not falling into the abyss of violations of trust.

Dr. Fine said small primary care practices knew about a HIPAA rule, but still waited for the final version and some sense of what they had to do to comply. Letters from professional organizations were confusing. It wasn't clear who was supposed to file an extension and what it was they were extending. He read from a letter Rhode Island health professionals received from the Rhode Island Medical Society, Rhode Island MGMA, and all the Rhode Island health plans, remarking that communications like that made the primary care physician's eyes glaze over.

Health plans sent out letters about standards carriers used for billing information that Dr. Fine said didn't seem to apply to physicians who needed to submit claims on systems the plans controlled. Dr. Fine reiterated that it wasn't clear what small practices had to do to be HIPAA compliant, so they didn't do much. A host of professional organizations offered consultants and courses, but he noted those cost time and money that could have been spent learning about Lyme disease in kids, diabetes management, or congestive heart failure and offered little more than, “File for an extension and see what happens.” Dr. Fine said many physicians were becoming cynical about government's role in healthcare.

Dr. Fine detailed how his practice dealt with HIPAA, noting that with a practice administrator and compliance officer he had more resources and was probably more adept at handling the regulatory environment. Their compliance officer spent 50 hours unsuccessfully wading through Web sites and instruction manuals for comprehensible information on what HIPAA required and ended up filing for an extension. Dr. Fine said he believed they were most likely reasonably compliant, although he wasn't sure what compliant meant. His office used compliant billing software and EMR, maintained appropriate firewalls, and developed a confidentiality policy that employers and vendors were required to sign. Smaller practices had the resources, time, and energy to do this much. Dr. Fine suggested ways to make regulating patient privacy and confidentiality easier: ensure they really needed to do what they were asked, understand that their only job was patient care and resources committed to anything else diminished that care, understand that the confidentiality they wanted to achieve could be a two-edged sword and their role didn't always allow confidentiality to be airtight, and don't ask them to do things for health plans, so health plans could be in compliance. Dr. Fine said society had given health plans inappropriate power by refusing to regulate the market power of those plans. If physicians were made to devote time and attention to satisfying plans, patient care would suffer. Dr. Fine urged the Committee to understand the role small practices played in the health system and what they did everyday, and then design templates with clear directions these practices could follow while first tending to patient care.

Dr. Cohn said Dr. Fine's testimony made flying in from San Francisco worthwhile. He clarified that the extension Dr. Fine mentioned referred to electronic transactions; other areas of compliance didn't have an extension. Dr. Fine said none of his colleagues had that straight. Dr. Cohn noted that lack of clarity and Dr. Fine's testimony would be shared with the Subcommittee for Standards and Security.

Panel 1: Physician Practices

Ms. Keener described Harvard Vanguard Medical Associates (HVMA) as a large, multi-specialty group practice located in 15 sites throughout the greater Boston area. Ms. Keener had extensive experience managing large, complex projects. Nonetheless, implementing the privacy rule made her “head spin.” Although she found implementing the Privacy Regulations both interesting and thought provoking, it was frustrating for Ms. Keener and her small staff to decipher and interpret the regulations, anticipating what would be reasonable and scaleable while wondering what aspect of the rules would change and what might remain.

Ms. Keener began educating herself by reading the federal regulations and attending seminars on HIPAA regulations. She formed a project team, provided an overview of the regulations to senior management, and developed a preliminary budget. Like many other health care providers, their budget was limited and outside consultants weren't a viable option. They purchased a HIPAA compliance program that provided them with helpful work plans and assessment guides and confidence that they weren't missing some aspect of the privacy regulations. Understanding these privacy regulations was a slow process. Every time Ms. Keener reviewed part of the privacy rule (e.g., the accounting of disclosures requirement) she learned more. But she had many questions about what “reasonable” meant and wondered how others working on implementation interpreted the rule and so she joined the New England HIPAA Workgroup, a regional group of payors, providers, and vendors meeting monthly to discuss different aspects of HIPAA and collaborate on compliance. Ms. Keener said coalition building was beneficial and that she learned a lot in the privacy and security subgroup about how other organizations approached the regulations. She also joined the Mass Health Data Consortium and found the bi-monthly Privacy Officer's Forum where content experts shared information about and approaches to aspects of the privacy rule particularly helpful. Ms. Keener, along with representatives from Partners HealthCare and Boston Medical Center, formed the New England HIPAA Provider group so privacy staff could share policies they developed without fear that their work would be packaged and sold by a consultant. She said these provider meetings have been important in helping her shape HVMA's response to the privacy rules.

Participants drew up a list of topics that included: registration areas and patient confidentiality; patient communication; patient requests to restrict data (no one agreed to this request); training; designated record sets; minimum necessary requirement; transportation of medical records; NOPP; business associates; fundraising; disposal of PHI (both paper and non-paper waste); and authentication of patients. Meetings addressed how each planned to operationalize certain topics in hopes of arriving at a community standard or shared understanding of the regulations. Before deliberating how to implement each aspect of the privacy rule, they had robust discussions on the meaning of that section of the rule. Often their thinking was similar. When they reached an impasse (e.g., in considering the Accounting of Disclosures requirement, some contended that because accounting for public health disclosures was required by state law and under licensure, such disclosures were “health care operations” and outside the requirement; others felt that the comment section specified that public health disclosures were required), they consulted with their legal counsel and continued the topic the next month.

Ms. Keener reflected that some topics appeared nearly laughable on the surface (e.g., whether baby pictures sent in by parents to their obstetrician or pediatrician were PHI or could be displayed in the department), but pointed out their commitment to privacy, confusion about the intent of the regulations, and concern about enforcement, sanctions and public scrutiny. Members of the provider group continually reminded themselves that their goal was to find reasonable ways to protect patient privacy in the context of delivering quality health care. The group shared ideas and approaches to the rule as well as completed policies and drafts. Policies were not for public distribution. They also embraced best practices, which they suggested would more appropriately be called good ideas since the policies and procedures were new and couldn't have been tested enough. The group's philosophy was that they were all in this together and would help each other out; Ms. Keener said the meetings made her feel that implementing the privacy rule was actually do-able.

She noted other resources provided advice and time saving, informative, economical ways to interpret HIPAA regulations. HIPAA list serves familiarized her with nuances of the privacy rule. Websites (WEDI/SNIP, Health Privacy Project, Association of American Medical Colleges and portions of some law firm Web sites) provided useful information. A set of policies and procedures purchased from a law firm provided a basis of comparison for HVMA's existing policies.

HVMA considered three training options for their staff: training by themselves in large groups or department staff meetings, a “train the trainer” model, and an online training program. Ms. Keener said training on their own allowed tailoring a basic program to specific departments, provided immediate responses to questions, and could address the cultural change inherent in HIPAA compliance. While a few role-based online training programs were informative and interesting, HVMA expressed concern that the “train the trainer” model might dilute the message and concluded that it didn't provide enough flexibility to customize training to include their specific policies and procedures. Online training with an electronic link to their human resources information system for attendance tracking was still a consideration for staff unable to attend regular training programs. Ms. Keener said HVMA leaned towards creating their own training program.

Ms. Keener described strategies HVMA used to promote compliance with HIPAA regulations. Privacy tips built around weekly themes (e.g., computer security, telephone privacy, access to medical records) were displayed on posters, distributed in e-mails, and presented on HVMA's Web site. HVMA also implemented an information booth, a privacy telephone hotline, a staff quiz and recognition program acknowledging extra efforts in protecting patient privacy. Ms. Keener noted HVMA already had an EMR system with role-based access and a highly respected patient confidentiality policy.

Ms. Keener said trying to understand the complex HIPAA regulations was daunting. Given the vast quantity of information, summarizing even one aspect of the regulations required significant effort, and it was frustrating to repeatedly come across widely varied interpretations made by intelligent, informed individuals. She encouraged the federal government to clarify what was “reasonable”, summarize HIPAA in a brochure format for both staff and patients, and provide ongoing guidance and FAQs on the privacy rule.

Dr. Danaher asked how HVMA would handle training of contracted providers. Noting contracted providers would need to understand policies and procedures for each organization they were associated with, Ms. Keener said they'd probably require an online training program or proof of training. Dr. Harding agreed that the motivation for promoting privacy protection was that it was the right thing to do. He asked for suggestions on clarifying “reasonable,” “scalable,” and other subjective words. Ms. Keener said a standard set of expectations would make everyone more comfortable.

Panel 1: Physician Practices

Ms. Khaja said she understood the financial and emotional cost to physicians of compliance with HIPAA regulations. But she pointed out that physicians had asked for it and now had to do something with it. Electronic transfer of health information was a reality, and protections and standards were needed to guide its privacy. She noted MMS was aware that small and midsize physician practices had less support and offered help.

Ms. Khaja reported that MMS was actively involved in introducing and raising HIPAA awareness. Several educational programs were in place and an interdepartmental HIPAA workgroup had been formed to provide the best and most accurate information. She noted MMS was aware of the irritation over the expanding HIPAA consulting industry and offered district-level continuing medical education programs that addressed HIPAA. She observed that people who had greater exposure to HIPAA (e.g., office managers, support staff) had a better understanding than physicians, who were frustrated by the vastness and bulk of the regulations. Ms. Khaja said MMS offered two comprehensive educational programs, "Positioning Yourself for HIPAA," and partnered with a number of law firms to hold a series of grand rounds educational sessions throughout the state. Ms. Khaja advised that the hypothetical scenario teaching method worked well. Other MMS educational efforts included HIPAA toolkits, a HIPAA guidance booklet, a newsletter (paper and electronic), and a HIPAA hotline. Ms. Khaja also noted issues of concern to small and mid-size practices: uncertainty about the anticipated security standards, government-generated forms, the issue of scalability, and a definition of business associates and HIPAA-related ways to treat them.

Panel 1: Physician Practices

As president-elect of MMS and a practicing cardiologist, Dr. Sullivan offered the perspective of both a small and a larger operation. He explained he'd played a part in the development of MMS's comprehensive policy on privacy and confidentiality passed in 1996 and Partners Healthcare System's privacy and confidentiality program created in 1998. Despite this involvement with privacy and confidentiality programs, Dr. Sullivan said he still had much to learn about HIPAA. While he agreed with Dr. Harding that protecting privacy was the right thing to do, Dr. Sullivan emphasized that the complexity, cost of implementation, and lack of adequate time (due to uncertainty about the final HIPAA rule) were great concerns.

Discussing his personal experience with the privacy rule, Dr. Sullivan pointed out areas that could be addressed to help solo practitioners and small group physicians come into compliance. In his own practice, he designated himself the Chief Privacy and Security Officer, his office had a secured messaging Web site, and face-to-face he informed patients of the new privacy rule on a. Dr. Sullivan recommended several actions HHS could take to help small practices: releasing the final security rule, including sample forms, clarification of activities (e.g., phone, fax, e-mail), and "opt-out" comments for fewer than 10 FTEs. Stressing that small practices shouldn't be asked to pay hundreds of dollars for HIPAA toolkits, Dr. Sullivan advised that a package of model forms would help alleviate some of the financial burden. Noting security was entwined with privacy, Dr. Sullivan reiterated the need for the final security rule. Until then, small practices would have a difficult time judging how it would affect them on a day-to-day basis and what would be practical for them in dealing with it. Dr. Sullivan also identified the need for clarifying information concerning billing communications via phone, fax or e-mail with respect to the small practice. And Dr. Sullivan noted the need for a clearer definition of the opt-out for fewer than 10 FTEs statement. Dr. Sullivan concluded by stating that he was very much in favor of privacy and confidentiality with the force of law behind it and that he was a strong advocate of the electronic exchange of billing information, but he emphasized that the complexity of the rule, implementation costs, and inexcusable delay in the release of the final rule needed to be addressed expeditiously.

Participants attempted to clarify the opt-out ruling. Dr. Cohn explained that it had to do with the Administrative Simplification Compliance Act and issues related to billing Medicare. Medicare wouldn't accept paper forms from practices with more than 10 FTEs. Ms. Kaminsky concurred that ASCA was the genesis. She clarified that practices with more than 10 FTEs would have to bill Medicare electronically, and that would make them a covered entity required to comply with the privacy rule. Dr. Sullivan pointed out that the majority of practices had fewer than 10 FTEs. Ms. Kaminsky reflected that Congress didn't want to force all providers to become electronic but that the industry appeared to be moving that way. Dr. Cohn said that he hadn't realized that the definition of abuses around security and privacy was related to electronic transactions and that he would need to review the hundreds of pages of federal rules.

Panel 1: Physician Practices

Mr. MacLean pointed out that Maine already had a comprehensive privacy statute in place and prior to the passing of that statute in 2000 the state went through a deliberation similar to the national debate around HIPAA. MMA had worked hard to provide low cost or free educational seminars and practical tools for their members. Mr. MacLean said he believed practitioners in Maine were comfortable with their law.

Mr. MacLean offered suggestions that could be implemented without requiring a large amount of personnel resources or finances. These included: appointing a privacy officer/staff trainer; developing and using a consent form; developing a simple privacy policy; addressing internal security and staff access; and adding a provision to the personnel policy stating that a breach of privacy was grounds for discipline. Mr. MacLean emphasized his belief that good faith efforts at complying with HIPAA privacy regulations were the same as best practices under the current law.

He advised that: technical assistance was best directed at the practice managers, who were the most likely privacy officers; educational offerings needed to be simple and available to physicians in the evenings; practical tools included forms; summaries were difficult for lawyers because they didn't capture all the important aspects of a law; using a consent form from the beginning of a patient/physician relationship was a best practice; the AMA Web site and the MMA HIPAA hotline were reliable resources, while the accuracy of vendors and consultants varied; training included education forums; and coalition building was going on but sometimes turned into “group hand-wringing sessions.” Mr. MacLean said he wasn't doing preemption analysis, but advising people from Maine to comply with both rules until the governor stated otherwise.

Discussion

Mr. Rothstein said he'd heard agreement on a need for guideline clarity and model forms. He asked if the panelists saw a need for the Department to coordinate on-site training programs, including Web-based instruction and video conferencing. Noting the government made a huge effort to inform people about terrorism issues, Dr. Marcus advocated a similar effort with HIPAA. She asserted that providing information and instruction in multiple ways was always helpful. Dr. Sullivan agreed that education offered in a variety of forms would be useful. He expressed interest in model training programs geared for hospitals, physicians and related health care workers. Dr. Fine recommended simple, clear models and information that didn't reflect the complexity of the regulations. Ms. Keener emphasized that she looked for timely answers. Mr. MacLean felt the government needed to focus more on producing interpretive guidance and supplement that with opportunities for clarifying questions.

Noting Maine and Massachusetts both had a privacy policy in place, Dr. Danaher asked why Massachusetts' physicians were so far behind the curve while Maine physicians said many of the mandates wouldn't be a problem. Dr. Sullivan explained that Massachusetts's physicians were uncertain about the status of a bill still deliberated in the legislature after nearly four years, while Maine had passed its law. Ms. Khaja added that certain interactions with the patient might remain the same, but administrative (statutory) requirements weren't parallel and would involve a big change for Massachusetts. Mr. MacLean remarked that consent forms might be used in most practices in Maine, but the state still needed good notice of privacy practices. He pointed out that experience with the Maine statute taught them that forms and notices had to be short and simple, with no check boxes or blanks to fill in, or patients stacked up in admissions.

Dr. Harding asked whether it was the responsibility of the professional associations, the Department, HHS or OCR to be the credentialer of HIPAA compliance. Ms. Khaja said, ultimately, it was the responsibility of the enforcement arm and that OCR was responsible for privacy issues. She suggested that this was why physicians felt more comfortable receiving a model form from the enforcement arm. Dr. Sullivan agreed that the government had final authority; vendors didn't have the power to certify a practice as HIPAA compliant. Mr. Rothstein recalled a similar occurrence 30 years ago when vendors touted their products as OSHA certified, even though OSHA never certified anything. Mr. Rothstein recommended consulting with the Subcommittee when these questions arose. Dr. Marcus cautioned that would further confuse things. Instead, she called for a government standard for HIPAA that physicians could use as a measure. Dr. Marcus emphasized that people could trust that, in following those suggestions, they'd be in compliance. She affirmed that doctors wanted to be in compliance, but didn't know what to do. Mr. Rothstein agreed that the government needed to set out the standards. Dr. Sullivan added that, although the term compliance wasn't new, it had taken on the connotation of confusion. Noting most people weren't aware that information going through an office network wasn't private and that she reminded patients not to e-mail her that way, Dr. Marcus emphasized the need for educational materials on privacy issues aimed at the public as well as doctors.

Panel 2: Hospitals

Mr. Halamka said CareGroup Healthcare Systems was made up of 6 hospitals, about a $1.4 billion integrated delivery network serving Eastern Massachusetts, 12,000 employees, 3,000 doctors, and about a million active patients. Mr. Halamka is responsible for all clinical, financial and administrative educational and research IT; HIPAA Administrative Simplification and implementation of the security rule also fall under his responsibilities. And as chairman of the New England Health EDI network, Mr. Halamka is responsible for Administration Simplification implementation throughout New England. He agreed with the first panel that there was much work to do and significant burden in implementing HIPAA. He also pointed out that HIPAA saved hospitals millions of dollars and benefited their patients and doctors.

He explained that in 1998 a number of organizations (e.g., CareGroup, Harvard Pilgrim, Tufts, Lifespan, U Mass, Lahey, Boston Medical Center, Children's) came together to talk about privacy, security, and public infrastructure and formed MHDC to deal with HIPAA as a region. MHDC became a group of 45 providers and payor groups representing about 90 percent of Massachusetts' health care transactions working together to implement administrative simplification without transaction fees or friction. Mr. Halamka said MHDC had a privacy and security rule and developed one trading partner agreement for Massachusetts where business partner trading arrangements were done collectively. Partners chose to have one set of forms, documentation and agreements for their own information interchange.

Mr. Halamka said each group was individually responsible for security and the implementation of the security rule in their own organizations, but together they learned how to do it right. Even though the rule wasn't finalized, they chose to implement basics for protecting themselves.

Mr. Halamka considered Massachusetts ahead of other states in terms of administrative simplification. Eligibility, specialty referral, claims status inquiry, referral authorization and inquiry, and electronic remittance were completed and claim status and submission (both institutional and professional) were in pilot. He said complete, live implementation of all of the NCX 124010 HIPAA mandated transactions would be in place throughout the region by winter.

He explained that MHDC used the consortium approach, leveraging it to educate payors and providers. Together, they produced and shared education materials with their organizations' individual practitioners, staff and employees. Mr. Halamka noted MHDC also did much privacy and security for policy making and education and promulgated that information throughout their groups.

Mr. Halamka said MHDC recognized that the Privacy Rule in its current form required notice, consent and transfers to third parties with appropriate trading partner agreements; standards and policies for accessing, copying, amending and dealing with complaints and enforcement; and an audit trail. Mr. Halamka explained that the individual organizations deferred policy-making regarding this set of Privacy Rule limitations to CareGroup's central committees. The committees are charged to develop a consistent master policy manual to be shared with their hospitals and doctors' offices, appoint privacy officers at each individual entity, and create a consistent disciplinary action program (basically stating that anyone compromising patient confidentiality will be fired). Every employee is required to sign an agreement acknowledging the disciplinary action that will take place if he or she compromises patient confidentiality. The committees also centrally produce standard forms, a single NOPP, and a Web-based staff-training program.

He reported that MHDC also did access control work. Discussions on who had the right to see patient information and under what circumstances were made as a group. Certain information (e.g., mental health and substance abuse) received special protection beyond what the privacy and security rules stated. A signed consent was required to access protected information electronically and an audit warning cautioned the user whenever that information was selected.

Mr. Halamka outlined CareGroup's Web-based complaint and amendment procedures. Active since 1999, “Patient Site” (PatientSite.CareGroup.org) offered CareGroup's active patients a standardized method for filing complaints and reviewing and amending their medical records. Patients could view the list of individuals who had access to their medical records and the reasons why. Mr. Halamka encouraged people to take an online tour and experience the medical record amendment and security audit process. Mr. Halamka noted that MHDC had a large research community, including $150 million in NIH sponsored research, that dealt with standard IRB and approvals for accessing patient identified or aggregated information throughout the network.

Mr. Halamka described CareGroup as a central organization that acted as an internal consultant and resource. CareGroup handled all their business associates' agreements and provided standardized templates and work plans, consents and authorizations, policies and procedures (including standard opt-out procedures and common policies on marketing, fundraising and development). Mr. Halamka noted their work team had a central oversight committee. CareGroup elected not to seek consulting assistance in its privacy and security activities, but occasionally hired a contractor with special technical expertise to assist with security issues. He said MHDC avoided “naysayers” and “panic inducers” that claimed, “Unless you hire us you will have no chance of being HIPAA compliant.” Mr. Halamka said CareGroup's centralized organization, which was possible because they were a large $1.4 billion organization, probably wouldn't be feasible for non-affiliated practitioners and small practices. He encouraged HHS to develop templated policies and procedures for non-affiliated and small practices.

He stated that CareGroup viewed HIPAA, not as an IT project, but as a consortium involving legal, human resources, information technology, medical records, and appropriate individuals throughout the clinical community with an interest in balancing privacy and patient care. He said CareGroup was aware that if the balance was set too strictly, protecting patient privacy could compromise patient care. CareGroup also took into consideration that healthcare was ultimately a local phenomenon. Some local IT systems, organizations and infrastructures required customization of centrally mandated plans. Local committees were in place that worked through individual differences and reported the status of the implementation of the standard policies and procedures.

Mr. Halamka concurred with earlier panelists that CareGroup was challenged by the fact that the Security Rule still wasn't formalized. He expressed disappointment at the Security Rule's extreme lack of specificity. Because the rule was neither finalized nor specific, Mr. Halamka said CareGroup developed its own best practices: a matrix of 60 criteria. Mr. Halamka was confident that CareGroup had done a credible job attempting to protect confidentiality with appropriate security.

In terms of training, Dr. Danaher asked what CareGroup's obligation was to community physicians who admitted patients to their hospitals and what standards they were held to. Mr. Halamka explained that CareGroup credentialed a number of physicians and felt responsible for their education. He explained that all of CareGroup's Web-based training materials were available to their credentialed and risk-associated physicians. Credentialed physicians were required to sign a standard acknowledgment in order to receive access to clinical data. Mr. Halamka noted CareGroup also held their credentialed physicians responsible for their actions and required them to sign appropriate documentation acknowledging the need to protect privacy and confidentiality and giving them limited need-to-know access to data that was necessary as part of their admitting process. Mr. Halamka added that non-credentialed physicians couldn't access clinical information.

Noting one of HIPAA's selling points was it would save money but that he hadn't heard anyone testify about that until now, Dr. Harding asked where the savings would come from. Mr. Halamka pointed out several financial indicators. Because benefits eligibility, referral authorization and claim status were electronic, the number of denials, administrative delays and AR days had gone down and CareGroup had the lowest accounts receivable in the City of Boston. They got the data right from the HIPAA transaction and didn't have to fish for it after the patient left. He noted they'd been able to downsize their fiscal operations significantly because they no longer spent long hours on the phone trying to determine why a claim was pending. Mr. Halamka said the revision of the entire revenue process in the hospital that took place as a side effect of administrative simplification created a radical redesign of all the work processes and the cost of doing the whole revenue cluster. He emphasized the savings by giving numbers: $10 million a year on administrative simplification and $1 million in costs for the implementation of the Privacy Rule, showing a $9 million ROI. Dr. Harding said he was pleased that it wasn't all a horrendous obligation with no payback, both in the sense of privacy and of fiscal accountability and simplification.

Panel 2: Hospitals

Ms. Polley noted the dramatic contrast between her simpler institution and CareGroup. She described Sturdy Memorial as a small hospital located in Providence, Rhode Island with 145 beds (including 21 bassinets) and 12 physician practices with about 50 salaried physicians. As integrity officer for the hospital and Sturdy Memorial Associates, the umbrella organization for their physician practices, Ms. Polley was responsible for HIPAA privacy and security and transaction codes compliance. When the final Privacy Rule was promulgated in December, 2000, Ms. Polley appointed a Privacy and a Security Officer and constituted a task force to determine how to put the rules in place. They developed e-mail guidelines for communications between caregivers and patients, the only PHI transmitted over the Internet at Sturdy. All other information went through their intranet. Emphasizing that simplified security needs meant diminished risk, Ms. Polley said Sturdy hoped to keep their security needs simple by avoiding other Internet transactions as long as possible. E-mail guidelines included a contract between a practitioner and a patient, with an explanation of what e-mail was and wasn't good for that stressed that it couldn't be considered confidential. E-mail wasn't recommended for certain transactions and information. Practitioners were asked to print out all e-mail transactions and communications. Printouts and the contract became part of the medical record.

Sturdy decided early on not to write a single policy but to sign separate notices tailored to each site. The hospital and associates weren't affiliated entities and many physician practices were quite different from each other and the hospital. Ms. Polley said separate notices were simpler.

Sturdy rarely used consultants on any project. Noting that as soon as a rule was enacted a host of experts tried to sell their services, Ms. Polley said Sturdy felt they were just as capable as anyone else of reading and interpreting the rules and law.

Ms. Polley agreed with the other panelists that the uncertainty over the final rule was a complication. Sturdy felt forced into a waiting mode and handled the situation by formulating plans of action for optional versions of the final rule. Once the final rule was determined, Ms. Polley said Sturdy believed it could move ahead at a comfortable pace.

Noting the definition of a business associate was unclear, Ms. Polley said it was difficult to determine them. Once the hospital and SMR finally could assemble a list of business associates they were reasonably confident about, they were faced with the problem of locating their contracts with those entities. Ms. Polley explained they needed to find the contracts, centralize them, determine their expiration dates and decide how to update them. Their contract language was also under legal review. All this required extra people and time.

The minimum necessary requirement was a monumental task for Sturdy, yet Ms. Polley said Sturdy felt it needed to be done, with or without the privacy rule. Sturdy did a comprehensive computer menu review by job category and was working on better controls for restricting people to the minimum necessary personal information required. Sturdy also had plans to upgrade to the new version of Meditech software in order to do better audits of computer access. Ms. Polley noted that when two employees were found looking up people's information out of curiosity, Sturdy hadn't been systematic or careful enough to terminate them on the spot. Since then, Sturdy reintroduced their confidentiality statement, adding it to their annual performance reviews, and made it clear that violation of the signed statement would result in immediate termination.

Ms. Polley said compliance with the privacy rule was time consuming and labor intensive, but she emphasized that it also had to be done. She concurred with Mr. Halamka that there was potential for savings as well; compliance didn't have to be expensive.

She identified available resources including the state hospital association, the New England HIPAA Workgroup, MHDC, newsletters, and Web sites. Sturdy purchased a binder of model forms and guidance from a knowledgeable law firm in Boston. Ms. Polley also noted that the Boston Bar Association was marketing its findings about preemption on disk and selling it for $395.

Ms. Polley agreed with Mr. Halamka that considering the most restrictive rule the best practice and following the most conservative approach was the best way to keep themselves and their patients' information safe.

She said Sturdy planned on handing out a commercial training product to all employees. Training would be department specific and done in department meetings. HIPAA privacy was included in Sturdy's employee orientation agenda. Ms. Polley said that she would make herself available as a resource to answer questions.

Ms. Polley wasn't worried about official enforcement. She suggested that the real threat was the court of public opinion: a mistake highlighted on the front page of the local paper would be much worse than any official enforcement action. She reiterated that they needed to do the right thing because it was the right thing, not because OCR would audit them. She pointed out that the official legal boundaries of the rule weren't yet clear and that it would most likely take years of case law to determine them.

Ms. Polley concluded that she was glad Sturdy was a small organization that she could wrap her arms around. She didn't see the Privacy Rule as any more onerous than APCs or APGs. She described it as another unfunded mandate that would be replaced with something else as soon as people got it under their belt. Ms. Polley suggested minimizing rule changes and not bringing back consent. She strongly expressed that the consent conversation had no added value as part of the admission process. At admission, patients were more concerned with the test or procedure than with consenting to the use of their information. Ms. Polley contended that because the notice would cover consent, the conversation wasn't needed at admission.

Panel 2: Hospitals

Ms. Cramer described herself as one of a group of attorneys who work on health care and serve as legal counsel to the Vermont Association of Hospitals and Health Systems (VAHHS), which included 16 hospital members, a nursing home association, a mental health services council, and various individual providers, nursing homes and physician practices.

Although in spirit and principle the HIPAA privacy rules didn't drastically change long-held tenets of confidentiality to which hospitals in Vermont were accustomed, Ms. Cramer felt that the level of nuance, administrative detail, and complication combined with the failure to preempt state law resulted in a challenging work load for already over-extended staffs in their small hospitals. She saw a need for more technical and financial resources and advocated an enforcement rollback extending the deadline another six months to a year beyond the current April 14, 2003 deadline. Ms. Cramer said VAHHS shared some of the other small providers' concerns. As an aside, she noted that Vermont attempted to enact a comprehensive law similar to Maine's, but every legislative session became a quagmire and it never passed. She said HIPAA compounded her job of trying to translate statutes that didn't match in terminology. Noting that from VAHHS' standpoint full implementation and compliance by April 14, 2003 was a daunting task, Ms. Cramer identified several hurdles: initial start-up, inadequate outside guidance, a lack of preemption analysis, the notice requirements, business associate contracting, and work force training.

She said start-up for Vermont hospitals was problematic because hospitals that began the process in 2000 were amending policies as changes occurred, while others had just begun tackling HIPAA. The lack of central structure created difficulties in getting started and maintaining momentum and coordination. Implementation teams of varying talents resulted in different interpretations of the rules. Significant effort was required of each organization to do the massive audit necessary to determine what they did and what they disclosed. And the rule contained concepts that weren't easily assimilated. Ms. Cramer felt there was a definite need for outside counsel on federal rule interpretation and how it related to Vermont law. She pointed out that the State of Vermont and the federal government hadn't provided small providers with guidance assistance and she expressed strongly that this needed to be rectified.

Ms. Cramer also noted there wasn't a resource for preemption in Vermont. Some of the notices of health information practices didn't include Vermont law and there were conflicts in many areas (e.g., the Vermont patient privilege statute was stricter than the HIPAA rule). Also, many permissive disclosures under Section 512 of the HIPAA rule weren't allowed under Vermont law. Ms. Cramer asserted that a comprehensive preemption analysis was needed for these organizations to understand and comply with HIPAA and the Vermont laws.

She said the notice itself was another hurdle. The requirements resulted in a lengthy, user-unfriendly document; people had difficulty deciding how to incorporate Vermont law and patients often felt harassed receiving the notice upon registering. These problems meant providers had to have knowledgeable people available to respond to patients' questions regarding the notice. Ms. Cramer pointed out that this cost time and staff resources and was a burden.

Ms. Cramer added that work force and public training were also issues. She said patients needed to know what to expect with their health information and how it was used in hospitals. She reiterated that the NOPP shouldn't be their first encounter. Ms. Cramer commended the New Hampshire and Vermont Strategic HIPAA Implementation Plan coalition for sharing materials for best practices. And she again emphasized the need for more guidance and a final unchanging rule.

Panel 2: Hospitals

According to Ms. Ahn, YNHHS is composed of three main Delivery Networks including three (small, mid-sized, and large) hospitals. YNHHS is part of an academic medical center with the Yale University School of Medicine, which is a separate entity under separate ownership, a situation that poses unique challenges to HIPAA implementation. The entities have proposed to form an organized health care arrangement for HIPAA purposes. Ms. Ahn reported that a HIPAA implementation structure was instituted in January 2002 following an assessment phase. The System Executive Group leads the HIPAA effort at the System level. Each Delivery Network has a coordinating council that facilitates HIPAA compliance efforts at the local level. System task forces focused on four major topics: EDI, education, privacy and security. YNHHS also has local Delivery Network privacy and security task forces.

Although YNHHS acknowledges potential long-term financial benefits from EDI, Ms. Ahn expressed concern about the cost due to technical outlays for security related to the privacy requirements. The lack of federal financial assistance for hospitals' compliance efforts is a major problem.

Ms. Ahn identified several compliance and operational issues with respect to the following patient rights requirements: the patient's right to request a written Notice of Privacy Practices, the right to request a copy of PHI, the right to request amendment of billing or medical records, non-standard requests, the reasonable request for confidential communications and restrictions, the accounting of disclosures and the right to file a complaint. YNHHS considered the balance of outlining uses and disclosures of PHI with the likelihood of patient comprehension and the administrative burden of a large document. Ms. Ahn proposed a two-page, easy-to-comprehend version of a Notice of Privacy Practices that covered required elements and was reviewed by outside counsel.

Noting that inspections required a clinician to review the patients' records with them and answer any questions they had, Ms. Ahn cautioned that frequent requesters could impede care provided to other patients. Ms. Ahn said there needed to be more guidance on limiting the frequency of access with respect to a patient's right to request an inspection of their health records.

Another patient rights concern YNHHS faced dealt with the right to request amendment of billing records. Ms. Ahn said the billing representatives on their subcommittee for amendments stated emphatically that, for patient satisfaction and efficiency reasons, it was crucial to continue making simple corrections to billing records requested by patients over the phone. YNHHS believed a notation of the update in the billing (electronic) record would suffice. Ms. Ahn asked HHS for guidance regarding whether this would be acceptable as long as a formal right to request an amendment form is issued for non-standard requests.

Regarding accommodating reasonable requests for confidential communications and restrictions, Ms. Ahn asked HHS for guidance on technical expectations. She explained that the decentralized nature of many hospitals' information systems limited their ability to guarantee restrictions and confidential communications. Ms. Ahn said the practice will be to ask if the patient is in harm's way and if the organization's ability to provide quality health care, obtain payment, or manage health care operations will be compromised.

Ms. Ahn noted that accounting of disclosures was extremely burdensome. Disclosures to public health authorities, government agencies and the FDA primarily fall to the Health Information Management (HIM) and medical records departments, which will also be the key departments for many of the other patient requests. Ms. Ahn asked HHS to reconsider accounting of disclosures, pointing out that these disclosures, many of which originated with physicians, clinicians, social work or other departments and not within HIM or medical records, would be outlined in the Notice of Privacy Practices. In addition, accounting for all records reviewed preparatory to research would be burdensome, given that only a portion of the records reviewed will be utilized, and an authorization or waiver would be required if selected for the study.

Ms. Ahn reported that the relevant subcommittee had no major issues with the right to file a complaint at that time. She noted questions and concerns YNHHS had about implementation, including e-mail and fax, PHI and research, other research related issues, “reasonable safeguards,” and training. Ms. Ahn requested specific guidance on e-mail and fax from HHS. And she also asked whether OHCAs were strictly limited to treatment, payment and health care operations issues or could be expanded within the context of an academic medical center to include reviews preparatory to research. Alternatively, if that wasn't allowed she questioned whether there was an expectation that the two would designate each other business associates. Ms. Ahn also voiced concern about unknown or unidentified databases containing PHI that may become a source of unknown disclosures. She also expressed concern about disclosures that originally fell under quality improvement, care coordination and quality management, which are permitted without an accounting but which may later become the subject of a research study. Ms. Ahn concurred with the need for additional clarification and examples of what “reasonable safeguards” were and when they couldn't be operationalized (e.g., at considerable cost, one of their hospitals implemented polarizing screens on computer monitors on several units only to find they caused headaches and made the information difficult to read). Ms. Ahn appealed to HHS for direction in dealing with situations where good faith efforts hadn't worked. She also asked HHS for guidance on training requirements for clinicians who rotate within and outside their institutions (students, traveling nurses, social workers, temporary workers and contracted employees). Ms. Ahn also questioned the expectations for background investigations for temporary employees and student volunteers.

Ms. Ahn concluded with a list of low cost resources and educational methods YNHHS utilized, including: AMA's “How to HIPAA” Web site; YNHHS's internal Intranet site, which included a master calendar of events, privacy case studies highlighting internal incidents with post-HIPAA implications, and “HIPAA Hunts” to increase staff awareness; HC Pro's video tape; and the state preemption analysis for all Connecticut state hospitals sponsored by the Connecticut Hospital Association.

Discussion-Panel II

Dr. Cohn asked Ms. Ahn and Mr. Halamka about the difference in their presentations in terms of value and opportunity and different levels of specificity. Ms. Ahn said she sat on the subcommittees producing these policies and procedures and therefore, was very familiar with the issues, which likely accounted for the difference in level of specificity. Mr. Halamka responded that, like Y2K compliance or implementation of any rule, there were gradations of what was reasonable to do. CareGroup tried to decentralize by using the Web, reuse resources, and share costs across the whole state so that the cost of this work was divided among some nine million patients and 5,000 hospital beds.

Dr. Harding asked what the safeguards were for appending records and subtle amendments a patient might want to make to avoid discrimination at a later time. Ms. Ahn said they addressed that situation with a statement in their policies and procedures that an issue where problematic results might occur had to be reviewed by their internal, legal and risk management people. Verification questions would be asked (e.g., information wouldn't be sent to an address that wasn't currently on file without a written request). Mr. Halamka explained that patient appendments were done self-serve on the Web and a workflow routing immediately notified the appropriate area so the change could be dealt with in terms of risk management and minimized medical liability. Dr. Harding agreed with Ms. Ahn that those few hospital patients who requested to see their records every day could be a problem.

Ms. Kaminsky asked Mr. Halamka to expand on ideas he'd brought from his work with CareGroup's affiliated physician practices about identifying low-hanging fruit physicians could easily do to upgrade security and privacy practices. Mr. Halamka explained that CareGroup had several hundred different IT systems. Affiliate doctors' offices had EMR, e-mail systems, and a variety of other electronic systems. And he said some of them violated a rational assumption that privacy was being adequately protected. CareGroup had identified vendors of certain systems that had egregiously bad security practices. He emphasized that the transmission of patient-identified information over the public Internet had to be done with at least encryption, and preferably with auditing and access controls as well. Their own Web site offered secure, encrypted, audited communication between patients and physicians. He added that if one chose to e-mail without using a secure, encrypted Web application, at the very least he or she should understand the risks. He echoed Dr. Marcus's comments. Sending a piece of information over the public Internet through a regular e-mail transaction was like sending a postcard.

Mr. Rothstein said he'd heard that the main concern of the small physician groups in the first panel was procedural (e.g., forms, notices, off-the-shelf guidance from the Department that could be adopted and used with relatively little effort and expense), but that small hospitals had more substantive concerns. Ms. Cramer said public education and training were needed and the federal government's efforts were welcome. Standardizing forms helped. And she pointed out that it would be helpful if someone from HHS met with a representative from the state of Vermont and provided guidance. Ms. Polley said she used a pragmatic approach, unlike Mr. Halamka's technical approach. She pointed out that she was dealing with things on a different level and scope, and with much less computerized information than Mr. Halamka. She thought of a physician's practice more in terms of paper and whether there was glass between the receptionist and the waiting room. She needed to know where the reasonable line was and what had to be included in a notice. Then she could look at their information practices and make sure they made sense and were minimum necessary. Ms. Polley said guidance on what was considered reasonable and had to be included in a notice would be helpful. A model form could also help, but she said, ultimately, they had to do the work themselves. She said she'd particularly appreciated the clarification about incidental transmission of information and reasonable efforts.

Dr. Danaher reminded everyone that the goal of these hearings was to identify successful techniques, resources and strategies that could potentially be transplantable or exportable to the small and mid-sized physicians and provider groups that Dr. Sullivan had told them were totally lost. He asked about techniques, resources and strategies the panelists had experienced success with that might help these providers. Ms. Polley agreed that most physicians would get a glazed look if asked about technicalities of the HIPAA privacy rule. The rule needed to be translated into understandable terms. She pointed out that the recent guidance was helpful because it listed specific things that were and weren't okay. It also conveyed that if reasonable efforts to comply were being made, incidental exposure of information wasn't a fatal flaw. Ms. Polley suggested that they get away from administrative language and give examples. That way they could talk to physicians about paper-thin exam room walls and how to pass paper.

Ms. Cramer concurred. She noted that they'd heard repeatedly that delay with the final rule was a hardship. Physicians and small hospitals didn't have money, time or certainty. People wanted to be practical. She said the hospitals she worked with in Vermont still had certificate of need requirements. Two of them included redoing their waiting rooms to improve privacy in a recent capital renovation proposal. Both were denied. Ms. Cramer emphasized that the necessary level of appreciation and funding for privacy wasn't there.

Dr. Danaher noted that one thing they'd been talking about was the possibility of forming partnerships with state medical societies to enhance the dissemination of information and provide more clarity. He asked if that would be welcome. Ms. Cramer said yes. Ms. Polley said it was refreshing to have a group of people interested in what was working, what wasn't, and the barriers. She thanked them for caring.

Dr. Cohn said he wondered why Ms. Cramer was the only one who mentioned the need for an enforcement rollback and said he wasn't sure what “to eight, no less than six, months to a year following April 14, 2002” meant. Clearly it wouldn't help with the Boston Globe discussion, which he'd heard she was most concerned about. Ms. Cramer pointed out that back-and-forth interpretations and gaining an understanding of how information dissemination was impacted at the business associate, minimum necessary, or accounting-for-disclosure level took time. She was concerned that by the time the bell rang on April 14 people would have made good faith attempts at compliance and some things would be in place, but that these back-and-forth interpretations would take longer. Ms. Cramer worried that the public would believe everyone knew what he or she was doing and that everything was in place, and that wouldn't be the case.

Panel 3: Ancillary Care Providers

Ms. Rafeld said 85 percent of the dentists in the state were members of MDS. Their major HIPAA resource was ADA, which provided a HIPAA privacy kit, privacy seminars, conference call seminars for state executives, articles in their journals and newsletters, a HIPAA section on their Web site, and staff available for technical and interpretative information.

ADA's HIPAA privacy kit was available to all dentists for $125-$150. Ms. Rafeld said the kit clearly defined what was expected of dentists in terms of compliance with the HIPAA privacy standard and contained samples of the forms and documents dentists needed to share with their patients. ADA also conducted a half-day privacy seminar. ADA had already scheduled 40 seminars across the country. State executives, state society executives and component society executives can participate in an ADA series of conference call seminars that provide current HIPAA privacy and compliance information. ADA journal and newsletter articles on HIPAA compliance were further sources of ongoing information. ADA regularly e-mails updates to society executives. Ms. Rafeld noted that the HIPAA section of the ADA Web site was also helpful and includes a calculator dentists can use to determine how much money they will save by submitting claims electronically. Ms. Rafeld said ADA staff were available to answer calls concerning technical information or HIPAA interpretation.

Ms. Rafeld reported that MDS created a HIPAA education coordinating committee and was active in HIPAA education for its members. Programs and resources included sponsorship of ADA seminars, HIPAA compliance seminars offered at the regional Yankee Dental Congress, journal and newsletter articles, links on their Web site to the ADA Web site, telephone technical assistance, and other seminars with Massachusetts-specific privacy information.

Dr. Harding wondered if dentists in Massachusetts were experiencing the same high-level anxiety as the state's physicians or if they felt ADA was taking care of HIPAA. Ms. Rafeld explained that while there certainly was some anxiety among dentists, MDS and ADA had been ahead of the curve in providing their members with information. She said hopefully they were less anxious and HIPAA compliance wouldn't create as much angst as OCEA compliance did.

Dr. Danaher said he was attentive to HIPAA awareness in Connecticut because his wife was a dentist there. He suggested there was less anxiety among dentists because the majority wasn't aware of what was happening. Ms. Rafeld agreed that might be true if the members didn't go to their Web site and ignored their newsletters and ADA HIPAA materials. Ms. Rafeld expressed confidence that if Massachusetts' dentists followed the guidelines in the ADA kit manual, there shouldn't be a problem meeting the April 14, 2003 compliance deadline.

Panel 3: Ancillary Care Providers

Ms. Janos has represented health care providers on regulatory issues for the past 15 years. She's advised clients on HIPAA since HIPAA was enacted in 1996. Most recently she's helped the Massachusetts Home Care Association (MHCA) with their HIPAA implementation efforts. Ms. Janos cautioned that the April deadline wasn't sufficient time for home care providers to become HIPAA compliant. Although she provided people with information and gave seminars, Ms. Janos said she was only able to present a broad overview, which wasn't enough. Ms. Janos supplied MHCA and the Chain Drug Store Association with a book of samples and forms, but she emphasized that it was up to the association to incorporate them into their daily practice and make it work. Ms. Janos indicated that it clearly wasn't as easy as putting their letterhead on the forms because so much variation existed; an authorization for a home care provider was going to be different from an authorization for a pharmacy or dentist's office, and an authorization for a small home care provider with a staff of five would be different from an authorization for a large home care provider with a staff of 2,000. It would take time for each provider to assimilate the regulations, get their policies and procedures in place, and train staff. Ms. Janos advised that the April deadline was a problem for home care providers.

Ms. Janos described MHCA as a trade association comprised of 97 freestanding agencies unaffiliated with hospitals, nursing homes, long-term care or assisted living facilities. Ms. Janos commented that the HIPAA regulations were readable, understandable, tried to be scalable and recognized good faith compliance. Still, she emphasized that providers faced many challenges, some of them shared with all providers and others unique to them. One of the biggest challenges shared with most other providers was the lack of resources to make required changes. Home care providers were already stretched too thin and overwhelmed with paperwork and reimbursement issues. Typically, no one was dedicated solely to medical records, IS, or QA functions. Ms. Janos reiterated that handing out the added responsibilities of privacy and security officers was a burden for home care providers.

Another challenge most providers faced was the lengthy requirements for the NOPP. Ms. Janos acknowledged that a document that let every individual patient know exactly how their record would be used, exactly what disclosures might be made, and about their rights to their records was a worthy goal. She said the problem was that the regulations required a large array of information in plain English. Ms. Janos contended that, when all the requirements were addressed, it was no longer simple or understandable. She noted one of numerous required disclosures to an elderly home care patient: “We may disclose PHI about you to authorized federal officials so they may provide protection to the President, other authorized person or foreign heads of state or conduct special investigations.” Ms. Janos pointed out that simplifying the notice and making it understandable was especially important since it was taking the place of the consent form and would be the document a patient had to acknowledge receiving.

Ms. Janos said another layer to the NOPP issue for home care providers was that HHS also required home care patients to receive an OASIS notice similar to the HIPAA Privacy Notice. OASIS told the patient how their information was intended to be used, circumstances under which CMS might release it, and the patient's right to see, inspect and copy his or her records. Ms. Janos said the notices overlapped and confused patients. She encouraged the government to reconcile them.

Ms. Janos noted two unique challenges for home care providers that centered on the home medical record. Due to the nature of home care, home care providers found it difficult to keep home medical records secure. A multi-disciplinary team had access to the home and the medical record was open for view by nurses, clinicians, meal deliverers, medical equipment deliverers, as well as family and visiting friends. And mobile care workers often carried portions of the home medical record back to their residence between visits, compounding the security issue. Ms. Janos suggested that patients sign a release acknowledging that they are aware that they have a home medical record and that it won't be completely secure. Ms. Janos emphasized that properly dealing with unique security issues associated with the home medical record required consideration.

She said training was another key concern for home care providers in meeting the ambitious timeline for HIPAA compliance. Home care providers didn't come into a central office on a regular basis and were drawn from a wide geographic area, making training difficult. Ms. Janos expressed confidence that home care providers could get policies and procedures in place, authorizations and NOPP written, but cautioned that all the necessary training might not be accomplished by the deadline.

Ms. Janos also addressed the burden of dealing with preemption issues in Massachusetts. BBA was studying the hundreds of statutes and regulations of the Massachusetts privacy and medical records laws to clearly identify the preemption issues. As an example of a conflict, she cited the HIPAA provision allowing records to be released pursuant to a subpoena versus the Massachusetts medical records statute relating to hospitals, which stated that, if a subpoena was issued to a hospital, provider records could be released if the patient's name was in the caption of the subpoena. Ms. Janos emphasized that Massachusetts providers couldn't finalize policies until they had a clear understanding of what laws were and weren't preempted. She said Massachusetts providers, like providers everywhere, were struggling.

Panel 3: Ancillary Care Providers

Mr. Young said he'd seen a lot of changes in his 20 years of home health experience. He described VNA as a Medicare certified and JCAHO accredited agency serving the Merrimack Valley and Greater Lowell areas since 1909. VNA employed over 200 people each week, including salaried, hourly and per-visit employees. Per-visit employees supplemented the peaks and valleys of the business.

Mr. Young said VNA dealt with HIPAA by breaking it down into process and implementation. Process referred to what needed to be done, who did it and when it needed to be done. Mr. Young agreed with Ms. Janos that the regulations were concise and understandable. Nonetheless, he said completing what VNA had to do was a daunting task. VNA designated key individuals responsible for compliance within their areas of the organization, was developing a plan to put compliance changes in place, will have trial runs to ensure everything worked and will monitor procedures for on-going compliance.

Mr. Young explained that implementation covered how they would do that. VNA knew what they needed to do and how to do it, but they weren't sure they could accomplish it within the given timeline. Mr. Young pointed out that the whole HIPAA regulation was supposed to start in October 2002, but although that was delayed a year, the privacy piece timeframe didn't change. He concurred with Ms. Janos that there were several challenges for home health care providers in meeting the April deadline. The primary difficulty was that home health care providers didn't care for their patients in a controlled environment. Since care was given in the patients' homes, employees were guests and needed to abide by house expectations, be considerate, and respect the patients' right to privacy as well as give them the care they needed. In an effort to identify privacy issues and implement appropriate changes, the VNA began to meet as a group that networked with their state and national associations. They considered issues such as, “Was it a breach of privacy because employees of FedEx, UPS or the post office were aware that medical supplies were delivered to a person's home?” or “Was it a breach of privacy if a neighbor saw a person that could be identified as a medical provider by a car placard, ID badge or VNA smock, even though the ID was important for patient and care provider protection?” Mr. Young said that VNA was trying to comply, but was having trouble identifying what was right or wrong. Cost was another challenge because implementation involved a cost that couldn't be recouped due to managed care contracts with set rates. Like Ms. Janos, Mr. Young agreed that training without jeopardizing patient care would be difficult. He suggested that teams of ten be formed with one member from each team being trained at a time. Mr. Young also agreed with Ms. Janos that the privacy notice was too complicated for their older patients, already inundated with documents to sign. Mr. Young concluded that the VNA intended to comply, but it would be difficult.

Panel 3: Ancillary Care Providers

Mr. Ortiz expected CVS Pharmacies to be compliant by the April deadline, but anticipated several challenges including preemption, the Notice of Privacy, non-routine disclosures, training, and cost. Noting that CVS operated in 32 states, he said preemption issues impacted what went into their NOPP. Mr. Ortiz pointed out that a national assessment of which states would have an impact on the NOPP was costly and he suggested that the Secretary work with the Attorneys General to have the state laws that might preempt HIPAA posted on each state's Web site. Mr. Ortiz observed that privacy laws were located in many places (e.g., state statutes and regulations, the Pharmacy Practice Act, the Department of Health Practice Act) and a thorough search by individual providers would be problematic.

The NOPP posed several problems for CVS, including length, distribution, good faith effort, and patient acknowledgements. Mr. Ortiz concurred with Ms. Janos that the Notice of Privacy Practices required so much information that it was confusing. He suggested that the notice be reader- and user-friendly and boil down to the minimum absolutely essential. Additional information was available via interactive voice response (IVR), the Web site and printed materials. Mr. Ortiz said issuing a NOPP to CVS's 42 million individual patient-customers, encouraging them to acknowledge receipt, and then capturing their acknowledgement were problematic. CVS was considering printing the NOPP on the back of the pharmacies' monograph and receipt with a tear-off acknowledgement strip that could be scanned and transmitted to a central office. Another possibility for patient acknowledgement involved an IVR that patients could access with a unique patient identification number. Mr. Ortiz urged HHS to conduct a public education campaign informing consumers what to expect, including the NOPP, and encouraging them to sign the acknowledgment of receipt. Otherwise, Mr. Ortiz predicted chaos at the pharmacy counters on April 14.

Mr. Ortiz also encouraged clarification of what constituted a “good faith” effort. He said it wasn't clear that just sending home the NOPP was enough or if it needed to be followed up with a call or more. Noting someone other than the patient picked up forty percent of all prescriptions, Mr. Ortiz questioned what was considered a good faith effort, and reiterated that a clear definition of “good faith” effort was needed.

Mr. Ortiz foresaw dealing with non-routine disclosures as a huge challenge. State laws required CVS to routinely create electronic files of all Schedule II controlled drug prescriptions dispensed to patients, and transmit them monthly to the Department of Health. While clearly allowed under the law enforcement exemption of HIPAA, Mr. Ortiz noted this wasn't for health care treatment or payment, and that adding these millions of records to the individual patient files was a huge undertaking. Fourteen of the thirty-two states CVS was located in required controlled prescription monitoring. It was also commonplace for CVS to receive regulatory requests concerning the prescribing practices of certain practitioners in conjunction with DEA or state police Control Drug Division investigations. Mr. Ortiz noted that this could lead to other non-routine disclosures that had to be recorded in the patient's file--and if CVS was asked to not make the investigation public, CVS would have to suspend putting that disclosure in the patient's file. Mr. Ortiz stressed that these non-routine disclosure issues were problematic for pharmacies.

Training all 45,000 CVS employees by April 14 was a difficult goal. Mr. Ortiz hoped to be able to train with the use of a CD-ROM and a facility for self-testing, but stressed that developing the training modules, creating the CD-ROM, and getting all 45,000 employees trained by the deadline was a very aggressive timeline.

Mr. Ortiz disputed the statement that providers were going to save the cost of privacy implementation with the standardization of electronic billing. He contended that pharmacies were oriented toward electronic claim submission prior to HIPAA and that there wouldn't be any additional savings. Instead, Mr. Ortiz predicted they'd incur millions of dollars of cost initially and on a routine basis going forward.

Panel 3: Discussion

Dr. Harding noted that several speakers wanted to see a shorter NOPP. He said that when he tried imagining the NOPP printed on the back of one of the forms and explaining about protecting the President to 85-year-old patients he began to think it would be tough going. He asked if it would be possible to pull the NOPP down into an abbreviated Reader's Digest form and have a detailed tract available. Mr. Rothstein read the specific provision and response from the latest version of the regulations: “Many commenters generally urge that the department modify the rule to allow for a simpler, shorter, and therefore more readable notice. Some of the commenters explained that a shorter notice would assure that more individuals would take the time to read and be able to understand the information. Others suggested that a shorter notice would help to alleviate burden on the covered entity. A number of these commenters suggested that the department allow for a shorter summary or a one-page notice to replace the prescriptive notice required by the privacy rule, …”

The response read: “The department does not modify the notice content provisions of Section 164.520b. The department believes that the elements required by this are important to fully inform the individuals of the covered entity's privacy practices, as well as his or her rights. However, the department agrees that such information must be provided in a clear, concise, and easy-to-understand manner. Therefore, the department clarifies that covered entities may utilize a ‘layered notice’ to implement the rule's provisions, so long as the elements required by Section 164.520b are included in the document that is provided to the individual.

For example, a covered entity may satisfy the notice provisions by providing the individual with both a short notice that briefly summarizes the individual's rights, as well as other information, and a longer notice layered beneath the short notice that contains all the elements required by the privacy rule.

Covered entities, however, while encouraged to use a layered notice, are not required to do so. Nothing in the final modifications relieves the covered entity of its duty to provide the entire notice in plain language so the average reader can understand it.”

Responding to a question on another topic, Mr. Ortiz explained that for investigative purposes law enforcement could request Schedule II prescription information from the Massachusetts Department of Public Health. He said it was considered a non-routine disclosure issue rather than a health care issue. Under HIPAA, a patient had a right to documentation of all non-routine disclosures of their PHI, which he said would include this disclosure.

Mr. Rothstein asked how the small, independent pharmacists would learn about the HIPAA Privacy Rule and if the pharmacy association was helping. Dr. Harding said the National Community Pharmacists Association (NCPA) and the National Association of Chain Drug Stores were developing a training program for independent pharmacists. Dr. Danaher reflected that the situation for the retail pharmacy was a compressed microcosm of the essence of HIPAA, because the pharmacy's frequent interaction with the patient constantly tested the minimum necessary disclosure, verification of requests and other privacy issues. Mr. Ortiz said that was partly accurate. Because CVS pharmacies were under one central company operation, they had the ability to control the process more than loosely affiliated associations. However, he acknowledged that CVS had 4,000 pharmacies from Las Vegas to Bath, Maine, and had found that, to heighten control, matters such as prescription record requests previously allowed at individual pharmacies would need to be handled through their central location. Dr. Danaher pointed out that CVS had two levels of personnel, the pharmacists and the pharmacy checkout clerks. Mr. Ortiz said CVS realized there would be frequent training of the high-turnover checkout clerks.

Ms. Janos pointed out that, whether or not everyone was fully compliant by the due date, everyone was trying to comply and the Committee had achieved its important goal of getting everyone to rethink how he or she delivered care and handled information. Dr. Cohn asked Mr. Ortiz why they hadn't considered sending information (e.g., NOPP) home by mail instead of trying to convey it at the point of care. Mr. Ortiz said they were considering all options, including the mail, but historically they'd experienced poor response with mailings.

Ms. Kaminsky found the concept of implementing the home record challenging. She asked if someone could explain the state law context for rules already in place concerning a patient requesting access to their home health or another medical record. She asked if the proposed release would ask patients not to file a complaint with OCR for a breach because it was too hard to contain the privacy and confidentiality in the home arena. She also requested recommendations on what OCR or the Department might do to assist in this tricky area of implementation. Ms. Janos replied that, surprisingly, Massachusetts didn't have a particularly well-developed medical records statute. They had one law that merely stated that medical records should be protected to the extent allowed by law. Massachusetts had limited statutes dealing with physician/patient communications, but the state didn't have a well-developed medical records statute specific enough to deal with the home record situation. Ms. Janos explained that the release wasn't intended to take away someone's rights to go to OCR, but was a way to get the patient to acknowledge the limited privacy aspect of a home record. She said the option of making the home record electronic was being considered, but was seen as an overwhelming task. Ms. Kaminsky reminded listeners of the concept of good faith running throughout the regulations and said that although they couldn't control the patient or his or her family with respect to the home medical record, they could take reasonable steps to put policies and procedures in place. Ms. Kaminsky welcomed examples of ways to protect a home record.

Ms. Janos said that the news of the layered notice was fabulous and asked if it was acceptable to give patients the abbreviated form that stated the complete notice was available, rather than giving them both forms. Ms. Kaminsky directed her to the preamble pages.

Noting that CVS ran flu clinics in most of their pharmacies, Mr. Ortiz said one of their latest issues was determining the responsibility of the covered health provider for providing a service or treatment beyond their primary health care. Mr. Young said VNA encountered the same problem with clinics in their elder housing facilities. They did the best they could to comply with privacy, patients' rights and responsibilities they had with respect to medical information. But this was often complicated in home care's uncontrolled setting.

Panel 4: Community Providers

PPoC was one of the larger Planned Parenthood affiliates and consisted of 18 centers. PPoC offered “primary GYN” that included annual OBGYN exams, birth control, STD testing, HIV testing and treatment, colposcopy, and abortion procedures in four centers. Ms. Lane noted that confidentiality and privacy had always been an important, serious issue to them and PPoC was in favor of the HIPAA principles. They'd established an in-house committee to determine how to tackle the regulations and they worked with Beacon Partners on an initial assessment. That gap analysis indicated that, even though PPoC was an agency committed to privacy, confidentiality, and security (they already had a confidentiality policy, safety and security committees, a security manual, and a system for dealing with breaches of confidentiality), they weren't 100 percent compliant with any of the standards and had a long way to go.

Ms. Lane said they were shocked with the amount of effort required to become 100 percent compliant, as well as the cost assessment of over $100,000. PPoC realized a lot was scalable and that much of what had to be done was only formalizing what they'd already put in place, being deliberate about where they scaled it and aware of the rationale behind their decisions. Ms. Lane gave the example of their decision not to lock up their medical records every time they were unattended, because that would impede workflow in their small centers, adding that they intended to develop systems and patient flow to ensure that records weren't unattended. PPoC also handled the issue of hanging charts on the outside of doors by turning them around instead of buying chart racks.

Ms. Lane explained that all employees other than clinicians handled multiple tasks (e.g., front-desk work, answering phones, posting charges, doing blood tests, and counseling) and needed to see the whole medical record. She said this was a matter PPoC would address in its procedures. Ms. Lane noted that in some ways PPoC felt that HIPAA worked against their ability to be flexible and meet the needs of their customers. PPoC was a non-traditional practice in the sense that they were an adjunct to many of their patients' OBGYN or primary care physicians. For instance, a patient might choose to come to them if a scheduled appointment at their OBGYN took too long. Forty percent of their patients were walk-ins and PPoC worked hard to make their services customer friendly and flexible. Ms. Lane pointed out that in some ways HIPAA seemed to drag them back to do more paperwork, counseling, documentation and formalizing of procedures rather than maintaining flexibility.

PPoC was implementing a new medical software package and would be collecting and entering data differently. Ms. Lane said this gave them more capability in terms of security, because they could segregate parts of the patient information that could be viewed by function. Ms. Lane said implementing new systems along with the new medical software was key to their compliance strategy. She said PPoC realized that a lot of time was needed for formalizing and documenting procedures of what they were already doing in terms of security and privacy and setting up forms and new systems. Similar to when PPoC added a compliance officer a few years ago, they assigned someone as privacy officer rather than hiring another employee.

Ms. Lane noted that PPoC was working on technical issues. They questioned whether they should have the same expectations in terms of updating personal computer passwords for those who only worked on computers a few times a week. And they weren't sure how to deal with people who shared computers and passwords. They also had to decide whether to keep computers at the front desk where it was most convenient for checkout or move them where information wasn't compromised.

As a Title X recipient and, in their role as grantee of planning grants for two states, Ms. Lane said they were working with their counsel to learn more about their responsibilities for their delegates in terms of financial controls, medical protocols, and their quality assurance plans.

Mr. Rothstein asked if other Planned Parenthoods aided PPoC in their compliance efforts. Ms. Lane said they weren't on their own; they had the federation. As one of the larger affiliates, PPoC tackled HIPAA earlier than others. She said the federation was helpful; they were coming out with a HIPAA manual and provided good HIPAA training in Atlanta. She said PPSA was also helpful. Ms. Lane expected them to assist with the wording of their documents when the standards were finalized. Ms. Lane said PPSA understood Planned Parenthoods' medical protocols and was helpful in fitting HIPAA into the way Planned Parenthoods worked. She noted that Title X in New England also had begun to provide training, resources and extra funding for HIPAA.

Dr. Danaher mentioned a current case involving attempts to gain access to Planned Parenthood's pregnancy records. Ms. Lane asked whether that would be a violation of HIPAA, in addition to other violations. She understood that prosecutors argued that they needed and should have access to the pregnancy records because the tests weren't conducted by a licensed professional, but by clinic assistants. Ms. Lane contended that HIPAA didn't distinguish between testing information obtained by medical assistants and licensed professionals; this information itself was part of the protected medical record.

Dr. Harding said he understood Ms. Lane to say that Planned Parenthood looked at the issues of Massachusetts and preemption of HIPAA with the help of a local attorney group who provided an assessment of compliance according to the Massachusetts law, indicating where that differed from HIPAA and which laws preempted others. Ms. Lane clarified they were in Connecticut and their laws were different, especially around minors and their rights. She explained that Connecticut was in fairly good shape, having wonderful law around minors in terms of their rights to their reproductive health information, to obtain abortions, HIV testing, STD testing, and mental health referrals. She said they did have some difficulty around mandated reporting, especially in terms of statutory rape. Planned Parenthood has always been a mandated reporter of sexual abuse, but she noted there were changes in the statutory rape laws and that it wasn't always clear in instances where statutory rape and sexual abuse intersected if they should be a mandated reporter of statutory rape, when it didn't fall under the strict sexual abuse guidelines. This often had to do with age. Ms. Lane questioned where HIPAA stood, regarding what they reported and to whom.

Panel 4: Community Providers

Dr. Perlman said the Mental Health and Substance Abuse Corporations of Massachusetts (MHSACoM) represented over a hundred community-based providers and operated a range of programs including individual therapy, medication management, residential programs, in-office and home visiting services. A large portion of their client pool was poor and was served under federal and state financing programs; a few years ago many would have been institutionalized.

As mental health and substance abuse providers, Dr. Perlman said MHSACoM had always been committed to confidentiality and privacy of clients and their records. MHSACoM knew the importance of keeping records out of harm's way, yet Dr. Perlman emphasized that HIPAA implementation represented a major challenge. Their corporate Compliance Officers Committee and a subset, the HIPAA Steering Committee, developed a training and implementation project. The training program met monthly for seven months and covered major HIPAA topics. In August, participants received a CD-ROM with policies and procedures adaptable to their individual needs. Dr. Perlman said the next step was to do a training module keyed to the type of staff residential providers had and the kinds of programs they ran.

Dr. Perlman considered what MHSACoM had done a best practice and suggested that they were developing an industry standard. She noted that individual providers wanted to have the trade associations behind them as they made decisions and moved forward, believing it would help in a legal situation. HIPAA had caused coalition building. MHSACoM had become involved with MHDC, HHS's executive office, and brought consumers into the discussion.

Dr. Perlman emphasized that their providers faced challenges. The biggest challenge was uncertainty. Organizations were making dramatic changes to accommodate the new regulations and so many unknowns made it difficult. Dr. Perlman observed that the privacy rules were finalized just after MHSACoM distributed their templates for policies and procedures. Now the consultants had to do--and be paid for--an update. The security regulations still weren't final. Neither were the code sets for mental health and substance abuse. The preemption issues were major and that analysis wasn't finished so this would have to be updated. And there was ongoing speculation about changes in deadlines and content.

She noted another issue in Massachusetts was that some state agencies weren't telling their providers much regarding what they were doing or expected providers to do about HIPAA. Some weren't even certain whether they were covered entities themselves. She noted that they were chronically underfunded and never had enough money to go around to all of their organizations. They knew the costs were large and totally unpredictable. They'd originally been told that the cost of privacy and security would be offset by savings from using transactions. She said that wasn't going to happen, particularly with the compliance date. Gap analysis was also expensive. They'd been told filling the gaps would cost $100,000 and then there was the cost of the analysis. Dr. Perlman reiterated that there were so many up-front costs and so little savings. Residential programs wouldn't save money on standard transactions because the implementation costs for HIPAA were so high and they didn't bill for individual services. Training was as dramatic a cost issue as the CVS dilemma Mr. Ortiz had discussed. MHSACoM's residential programs had large numbers of entry-level staff who were barely literate. Training them would be a challenge. Like the home health providers, they had to put replacement staff on for coverage while training the residential staff and paying them for non-productive time. They also had to make infrastructure changes (e.g., hardware, software, and physical structure like furniture placement and waiting room organization). Everything cost money and there was no place to get it.

Dr. Perlman said the requirements were extremely complex. Training about these complicated requirements was a challenge, especially with the different levels of education. For many employees, English wasn't their first language. They were going to have to translate a lot of materials into other languages. The issue of tracking disclosures, as previously discussed, was a challenge. And so was figuring out the trade-off between technology and security, particularly for those who provided services in their clients' homes and used laptops and PDAs to great benefit. Now they had to work out the security of the technology, which created another cost and challenge.

Dr. Perlman cautioned that some providers believed that either the state agency they contracted with or their billing software company would take care of HIPAA for them and that they didn't have to do anything. She noted that at the CMS meeting, billing companies (which only earned money if their customers got paid) talked about filing extension requests for their customers. Dr. Perlman cautioned that this led people to think they didn't need to be concerned with HIPAA. But she noted their billing companies were dealing with only the standard transactions and code sets. Some 75-to-80 percent of HIPAA was in the privacy and security part and people needed to take care of this themselves. Dr. Perlman said MHSACoM believed that they'd set a standard for their industry. They provided training and technical assistance and developed templates that their providers were using.

Dr. Harding revisited the topic of educating employees at different educational levels. He asked if there was any requirement that the notice be given in a manner appropriate to the developmental and/or language level of the employee. Mr. Rothstein noted that it said “plain English” and that that varied widely. Ms. Kaminsky thought the original preamble said to put it in the language appropriate for those with limited English. She didn't know what to do in the case of limited mental capacity. Dr. Harding said CVS had something written at about a sixth-grade level that wouldn't be appropriate for a lot of people. Recalling the testimony from Planned Parenthood, Mr. Rothstein said if one saw emancipated minors in Connecticut that might suggest that the notice was quite different from the kind one would give to an adult.

Dr. Perlman noted there were thousands of issues. In terms of this issue, they'd been thinking of a layered product or statement. She said their members had a long-standing tradition of getting consents from their clients. They already had ways of dealing with those issues. She believed all the questions raised were important and relevant to what they must consider.

Panel 4: Community Providers

Mr. Coffee said the CHC HIPAA Collaborative was made up of members of the Massachusetts League of Community Health Centers who'd worked together for a year to identify a common approach to the elements of HIPAA. He said they'd found the task daunting. Although each rule brought unique challenges, they faced the privacy rule with the greatest trepidation.

He explained that community health centers were community-based and community-governed non-profit organizations. In Massachusetts, community health centers provided services to about 10 percent of the population (some 600,000 patients) at 104 service sites. Their collective mission was to remove barriers to accessing health care; provide high quality, culturally sensitive, comprehensive primary care and related services; and in doing this improve individual and community health. Barriers were financial, geographical, ethnic, linguistic, and cultural.

Mr. Coffee said the Greater Lawrence Family Health Center (GLFHC) had provided care in the Merrimack Valley for 22 years. The active patient base of 35,000 people represented nearly half the population of the city, making GLFHC one of the state's largest health centers. There were four primary care sites and 11 other service sites that included a prevention and education library, an area health education center, and a CDC 2010 project focusing on diabetes and coronary health in the Latino population.

He said Information Systems or Information Technology (IT) departments tended to be responsible for HIPAA compliance for health centers because the transaction rule was published first and many elements of HIPAA depended on information technology decisions and changes. He noted many believed that all aspects of compliance would be addressed by IT, though that wasn't the case.

Mr. Coffee noted that over the subsequent eight months, many private insurance payors, as well as CMS, had to meet testing and compliance deadlines for the transaction rule. Health care centers faced the challenge of increasingly diverse and multi-cultural patient populations, including refugees and undocumented persons. Massachusetts Health Centers provided services to a patient population speaking nearly 40 languages; many were illiterate. Some centers needed to translate documentation into as many as 20 languages. Centers provided services to homeless populations, substance abusers, and the mentally ill. Mentally ill patients already had difficulties navigating the health care system and Mr. Coffee expressed concern that the language and concepts of HIPAA could further disrupt patient care.

Mr. Coffee noted staffing and staff training were difficult. Community health centers hired from the local community (thus providing culturally sensitive environments of care and making the center, as a local employer, a fuller community resource). Many staff members spoke English as a second language and had difficulty with legal concepts pertaining to health care. One health center provided services to a homeless population at 70 sites. He said training staff at that many sites and developing and maintaining a viable monitoring system for authorization and access tracking seemed overwhelming, given the time frame. Also, many centers experienced staff turnover rates as high as 22 percent; the need for constant ongoing training would drain valuable resources from patient services.

Health centers struggled with increased demand for services and decreasing, less stable reimbursement. With funding cuts and lower reimbursement from insurers (including Medicare and Medicaid), health centers had to be even more vigilant.

Mr. Coffee noted compliance costs came at a time when maintaining services was increasingly problematic. Community health centers had limited staff resources for writing policies and other documents and for updating, building and monitoring systems. In most centers, staff wore multiple hats and many individuals responsible for HIPAA compliance didn't have authority over affected staff.

Many community health centers were at the mercy of practice management software vendors who were focused on impending deadlines for the transaction rule in terms of when features would be designed, tested, and available. Prices were an unknown.

While the PHI concept of the privacy rule was fairly straightforward and easy to understand, Mr. Coffee noted the implementation details were difficult. Tracking the granting and revocation of consent to care required extensive and multiple system changes. Mr. Coffee's system vendor hadn't yet looked at how to change their product for tracking consents and had only begun to look at audit trails of record access. Mr. Coffee said many health center organizations were moving toward EMR, which entailed enormous system and organizational challenges, as well as priority status.

Noting the rules lent themselves to many interpretations, Mr. Coffee emphasized that the provider community needed guidance from HHS. He added that a standardized gap assessment tool and resources for training staff would help. He stressed that many segments of staff needed training including front desk, line clinicians, and senior managers. And he noted that it would be invaluable if the federal government provided resources for engaging value-added vendors, products, and services. Mr. Coffee also sought clarity about what a “good faith effort” entailed.

Mr. Coffee said the CHC HIPAA collaborative (created in response to the provider group's health center specific issues, including being short on staff and cash needed to implement the HIPAA privacy rule) was a “best practice.” Collaborating, the groups didn't have to tackle HIPAA alone and individual staff could focus on familiar areas and use collective resources to help in less familiar areas.

Working groups included the HIPAA Education Coordinating Committee (HECC), supported by MHDC, and the New England HIPAA Workgroup (NEHW). Collaborative members were also active in these groups and facilitated the exchange of information to the collaborative. Given the short period left prior to implementation, Mr. Coffee expressed concern about working effectively enough with all available resources and potential partners.

Resources used by the collaborative included its own Web site for posting messages, discussion threads, and document templates designed by the group; the MHDC, HIPAA DOCS, HHS, CMS, and OCR Web sites, materials from HECC, NEHW, WEDI-SNIP and a health care compliance association from Boston. Mr. Coffee said these resources were well organized and contained timely information.

The collaborative formed four workgroups focused on: transaction and code sets, privacy, security, and HIPAA training elements. The training work group developed materials based on the published rules, tailoring PowerPoint presentations for different health center audiences (e.g., senior management, boards of directors, front desk, line employees, physicians, and other clinicians). Presentations were provided to the collaborative membership through their Web site.

Mr. Coffee noted the accuracy and quality of vendors and consultants varied widely. HIPAA had generated a cottage industry and the collaborative tried to evaluate vendors and products for the centers. Over time, more vendors offered more products and services, and evaluating them took increasing amounts of time. HIPAA and the final rules were new and no one could claim a track record for providing successful HIPAA solutions.

He reiterated that many people still thought of HIPAA as an information technology issue, when in fact it was a health care issue. The federal government mandated providers to train employees and become compliant, but he noted health centers would be training patients and the public as well. Mr. Coffee urged the federal government to educate the public on the basic principles behind the legislation and regulations. Patients already felt health care was buried under a mountain of paper and with health center staffs working at and beyond their limits, he said it was difficult to look to the future positively or see purpose behind another federal regulation.

Mr. Coffee emphasized that health centers needed more resources for staff and systems. He said there wasn't enough time to gain an understanding of the regulations, write policies and procedures, train staff and patients, and test HIPAA compliant transactions with all vendors.

Discussion

Dr. Danaher asked Mr. Coffee whether the relationship between the academic teaching hospitals and the community health centers still existed and, if so, whether the academic medical centers could be a resource for the community health centers. Mr. Coffee said the relationship still existed and they were trying to determine whether the parent or umbrella organization would actually have an impact on the health center. Dr. Danaher mentioned that the rural hospital service administration, RHSA, had a grant for creating a resource center to assist rural hospitals in their efforts to become HIPAA compliant. Dr. Danaher wondered if there were any grants available to assist the community health centers. Mr. Coffee said that after six months' research, GLFHC hadn't found anything they qualified for that was of substance. The funding agency for GLFHC, the Bureau of Primary Health Care, had begun considering funding, although there wasn't any direct funding targeted at HIPAA yet.

Mr. Coffee confirmed that community health centers were 501(c)(3) organizations. Noting they'd heard requests for the federal government or HHS to provide public education several times that day, Dr. Harding asked the current status. Ms. Kaminsky responded that OCR was shifting towards outreach and education. Technical assistance print materials were being developed; videos for educational seminars created; training across the country was scheduled, including massive two-day training sessions at five sites; and various forms of media were being engaged to spread HIPAA awareness. Ms. Kaminsky said she hadn't heard of any plans for public service announcements, but noted the Committee could suggest them. Outreach efforts were directed to providers in the pharma-technical systems and to help patients understand what the privacy rules meant to them.

Brian Kozik explained that NSMC comprised two acute care hospitals, a rehabilitation hospital, and a physician organization. NSMC was part of Boston's Partners Health Care System, which employed about 35,000 individuals plus 100,000 members of the primary physician network. NSMC employed 5,000 employees and 796 physicians. NSMC designated itself as an affiliated covered entity and so was faced with ensuring that all of Partners' entities developed their approach to patient privacy in conjunction with each other.

Mr. Kozik said the July 2001 guidance was an excellent resource providing “plain English” questions and answers to many of the final privacy regulations' gray areas. He said he'd printed it off the Internet, disseminated it to 50-60 people at the medical center, and received a lot of positive feedback. He noted he'd gotten weekly calls from people asking what offices should do about sign-in sheets and white boards, and he recommended the Subcommittee issue guidance. Mr. Kozik said that it appeared that the burden to inform patients of the new federal standards defaulted back to the provider community. However, he emphasized that the government needed to prepare some communications to the general public.

Mr. Kozik reported that a major challenge for North Shore was to train more than 5,000 employees and physicians on the final Privacy Rules. North Shore had three shifts of people and a number of them were non-English speaking individuals. He noted the need for computer interactive handbooks, videos, and PowerPoint presentations. Mr. Kozik said he was looking at computer interactive materials for physicians and nurses and the handbooks for people who couldn't get to a training session.

Mr. Kozik said that, as with Y2K, consultants were coming out of the woodwork offering various training tools. Noting a cost was involved, he asked how much to budget for training. He noted the need to train all new employees at orientation and again whenever privacy practices changed significantly.

Mr. Kozik said North Shore did their best to obtain acknowledgment that the patient entering the hospital received the Privacy Notice, but he asked what should be done when the patient wouldn't sign, where acknowledgments should be filed, and how to disseminate the notice if their practice changed significantly. Mr. Kozik noted they would need a field in their computer system to track that they'd given the notice so it wasn't repeatedly given to the same patient.

Pointing out the need to design systems to capture and enforce requests, Mr. Kozik said he saw the right of allowing patients to directly opt in and out of a facility as another major hurdle. He gave the example of the florist presenting flowers for the hospital to deliver to a patient who'd opted out of the directory.

Mr. Kozik cautioned that fund-raising had become a logistical and financial drawback of the HIPAA regulations. After April of 2003, specialist physicians could no longer solicit or reveal names of patients with in-house staff to conduct fund-raising activity. While on the surface this might seem understandable from a privacy perspective, he noted a number of negative consequences. Mr. Kozik pointed out that in order to allow patients to consider fund-raising, authorization forms had to be submitted up-front at the time of admittance. He said they were asking patients to be grateful before they'd received any medical service to be grateful about. He said North Shore expected a low response in terms of signed authorization forms. And he cautioned that the necessity of raising funds for biomedical research and community benefits like indigent care could be severely impacted by their inability to reach out and assess people's interest and potential in giving.

For years, fundraisers had abided by ethical standards promulgated by the Association of Healthcare Philanthropy and worked confidentially with physicians in handling information. He said the new regulations significantly reduced their ability to raise funds and added approximately two million forms (two million people entered the Partners' system annually) to the paper and electronic management of their hospitals.

Mr. Kozik encouraged the Committee to consider adjusting the regulations to provide fund-raising staffs' access to the names of physicians, departments, and divisions. He noted that these three elements would be granted under normal hospital operations and thus wouldn't require an authorization form.

Mr. Kozik emphasized that diagnosis and treatment information about patients wouldn't continue to be accessible unless an authorization form was signed in advance. He said it was important to recognize that the physician, department, and division specific information described only the area of the hospital where the patient received treatment and the name or specialty of the treating physician. It didn't include specific information related to diagnosis or treatment.

In terms of best practices, Mr. Kozik said he'd heard a lot that day from people wondering how to train. He noted that Partners and North Shore had developed a cost-effective modular approach to training (HIPAA Core Training) substantial enough for the board level that could be broken down into modules for teaching at various levels. Mr. Kozik described North Shore's core training as an overview that covered many topics: What is HIPAA? Why is privacy important? How will HIPAA impact patients' rights? How will HIPAA impact you as an employee? What are your responsibilities? How does one report a breach? And what should one tell a patient or family member who wants to complain about a privacy issue?

Mr. Kozik said they also had in development job-specific modules that included admitting, registration, ED and financial counselors, marketing/QA/fund-raising, research, mental health clinics (in addition to information listed under MD and Nursing), nursing, patient care services (which included rehab therapists and technologists), medical staff, residents, medical students, information systems, HIS staff, finance (which included patient accounts, credit and collections, and customer service), HR/occupational health, and contracting and materials management.

Discussion

Ms. Kaminsky noted that the Department was in the process of updating the July 2001 guidance to reflect the recently finalized modifications. It will be posted on the Web.

Dr. Danaher asked Mr. Kozik who would have responsibility for training medical students that rotated through North Shore or Salem Hospitals and if there would still be Harvard Medical School training policies and procedures. Mr. Kozik said they hadn't decided how to tackle that. He noted that they'd trained about 15% of the staff already. Real life examples for therapists in the rehabilitation area were very helpful. Getting down to the core basics and showing what the identified information was, giving real life examples, common breaches, people in the news, people trying to access records—all that really hit home. Mr. Kozik said he'd received a lot of feedback from those types of questions.

Mr. Kozik explained that the training was mandatory. Noting the difficulty of getting to the physicians and nurses, he said that was the reason for handbooks with a rip-out test that could be sent back to them. Hopefully they could track that in their HR system.

Dr. Danaher noted there was still the question of how to get doctors to sit long enough. Mr. Kozik said he'd offer a lot of food and some CME credits. He noted that NSMC offered physician's training sessions at 7 am and also at 6 pm when physicians weren't doing their day-to-day schedule.

Day Two

Mr. Rothstein thanked the Subcommittee members, staff and witnesses for being there on a very difficult day for all Americans. Reflecting that their efforts to protect the privacy of health information in the most effective and efficient way justified meeting at that time, he asked everyone to observe a moment of silence.

Panel 1: Health Plans & Group Health Plans

Ms. Curran said BC/BSoRI had worked with HIPAA since 1996. For the past year-and-a-half they'd regularly communicated with providers through an outreach program. Most of their providers had smaller practices (one-to-three providers). The objective was to communicate how changes in HIPAA EDI regulations would affect the claims process. BC/BSoRI's audience included physicians and providers, internal staff communicating with them, vendors and external business partners. BC/BSoRI formalized a communications plan for on-going contact with the creators of HIPAA. They'd begun by focusing on the transactions and code sets, but Ms. Curran emphasized that they'd always recognized privacy was the key legislative piece and intended to provide that information.

Ms. Curran reiterated the need to develop ongoing communication with HIPAA in order to consistently provide information (including technical information on testing schedules, requirements and desired outcomes). BC/BSoRI provided information on HIPAA transactions and code sets to their hospital association work group. Working with the Rhode Island Medical Society and the Rhode Island Medical Group Managers Association, BC/BSoRI co-authored communications so providers received a uniform message from all insurers in the state. BC/BSoRI also sponsored CME seminars to raise their community's awareness. The provider newsletter featured monthly articles about HIPAA transactions and code sets as well as the privacy regulations. And as a Medicare carrier and intermediary, Ms. Curran noted, they participated in CMS's educational opportunities. Their direct mailings encouraged providers and physicians to fill out the extension and explained how to use the model compliance form. This fall, BC/BSoRI will talk at a series of educational seminars about the confusion over both filing for extensions and the date for privacy versus the date for transactions and code sets. Ms. Curran emphasized the importance of communicating that extensions didn't relate to any of the privacy mandates to be implemented in the doctor's office. BC/BSoRI is also preparing direct mail pieces for vendors and business partners focusing on their time frames for the X-12.

BC/BSoRI developed a HIPAA hotline for providers and will mail them a question-and-answer piece at the end of the year. A contractor is working on a CD-ROM intended to help providers get ready for HIPAA. Based on CME seminars presented earlier in the year, Ms. Curran said it would contain all the components of HIPAA related to transactions and code sets through privacy (including forms) and security. Ms. Curran said BC/BSoRI tried to give providers as much assistance and guidance as possible without the regulations being finalized, while emphasizing that ultimately this effort was their responsibility.

Ms. Curran reported that providing providers, physicians, nursing homes and hospitals with information was challenging. The regulations were difficult to interpret and cast in plain language. The biggest challenge was that providers got so much information from BC/BSoRI and other insurance companies and consulting groups that they didn't know who to turn to. BC/BSoRI strove to work with other insurers and their hospital and medical associations and Ms. Curran noted that this, too, was a challenge because everyone had a different interpretation and coming to consensus could take months.

Dr. Danaher said that he'd participated in the outreach program and doctors and office managers had found it extremely valuable in increasing their awareness and finding resources. He noted that many health plans around the country had talked about doing similar efforts, but feared exposure to litigation from interpreting HIPAA and hadn't been courageous enough to do it. He asked how organizations might play a more active role, given their concerns about potential exposure.

Ms. Curran said negotiating a middle ground between their legal and business people involved qualifying a lot of what they said and did. She said the way BC/BSoRI focused on and addressed its concern, not just about liability but also that providers took ownership for their HIPAA readiness, ultimately enabled them to do presentations. She said BC/BSoRI felt responsible for ensuring that their providers were more aware of HIPAA. From a business point of view, they sold that to their legal staff, and others in their company. They often outsourced development of the information and presentations. Ms. Curran said they'd been cautious about only accessing reputable Web sites and list-serves. She said it was a matter of gathering a lot of documentation, verifying it, and working with the providers as partners, clarifying that BC/BSoRI wanted and needed to help them through this challenging task of making themselves ready.

Ms. Curran emphasized that over the past weeks BC/BSoRI had become concerned that privacy still hadn't been extended and that providers wouldn't be ready in April. One question that came to them frequently that Ms. Curran couldn't answer was who and what would provide privacy oversight. She noted that some thought nothing would happen if providers didn't conform. Ms. Curran said providers recognized there would be penalties for privacy infractions, but at this point some still thought it would go away. Mr. Rothstein said Ms. Curran's comments fit in with what they'd heard yesterday from physicians. Some small practices perceived that they didn't need to worry about HIPAA because their third-party payers would ride in at the last minute and take care of all the problems. He reiterated Ms. Curran's concerns about providing assistance without providers over-relying on them.

Panel 1: Health Plans & Group Health Plans

Fallon Community Health Plan (FCHP), an HMO primarily serving Central Massachusetts, has about 190,000 members in their commercial, Medicare+Choice, and Medicaid programs. FCHP also operates a PACE center for the elderly and provides services for self-funded accounts. FCHP is closely affiliated with Fallon Clinic, a multi-specialty group practice with medical centers throughout central Massachusetts. Ms. Schwartz noted they share resources in several areas and, while having separate initiatives for HIPAA implementation, collaborate on technical and physical security issues and privacy and security training.

Ms. Schwartz said FCHP felt it and its members would benefit from successful implementation across the healthcare industry and supported Administrative Simplification. FCHP was working on increasing the percent of transactions (currently about 30 percent) handled electronically and believed that the transactions/code set initiatives provided a way to reach that goal. She noted the importance of maintaining privacy and security regarding electronic transmissions.

Ms. Schwartz said a commitment to making the privacy rule work was already an important part of FCHP's corporate culture. FCHP was already in compliance with state laws addressing member rights requirements similar to HIPAA, including the right to access and amend records and to accounting of disclosures.

Ms. Schwartz noted that, even though FCHP had strict policies regarding disclosure of member information to outside entities, they realized that their internal communications process could be improved. Strengthened security will minimize the possibility of inadvertent disclosures. FCHP will also benefit from clearly documenting their policies and having consistency among all departments.

FCHP developed a Project Management Office (PMO) to begin formal implementation of their compliance initiative. The PMO brought together and coordinated efforts of the areas responsible for privacy, security, and the transactions/code sets and ensured that project plans were developed and on track. Ms. Schwartz explained that the project staff conducted orientations for leadership and management and an independent readiness assessment on privacy and security. She noted that outside consultation brought experience and knowledge to the project and objectivity that was especially important in the area of security, where some might have found fault with internal recommendations. Ms. Schwartz reported the results were more valuable for security than privacy. The consultant had experience in security and that assessment was based on HIPAA as well as best practices. However, the consultant didn't have much more exposure to HIPAA privacy than FCHP did.

After the outside assessment, FCHP developed detailed implementation plans and decided to use internal resources along with the support of an attorney with HIPAA expertise to handle the privacy implementation. Believing they knew their own processes best, FCHP felt it could best adapt them to the HIPAA privacy provisions. However, Ms. Schwartz said the security implementation team continued to use consultants. Despite the lack of the final Security rules, FCHP proceeded to implement security enhancements based on the proposed rule and recommended best practices. Ms. Schwartz said FCHP felt security and privacy were tied together and that they had to continue with both to ensure compliance. Action steps needed to support the privacy rule were FCHP's first priorities for security enhancement.

Ms. Schwartz said FCHP participated in the New England HIPAA monthly workgroup, the Privacy Officers Forum led by the Mass Health Data Consortium, and MHDC's Security Officers Forum to help increase their knowledge and interpretation of HIPAA requirements. She noted a variety of resources (e.g., Web sites such as MHDC, WEDI-SNIP, AHIMA, and AAHP) guided FCHP through the regulations. FCHP also participated in a bi-monthly call hosted by AAHP that provided a national forum for health plans to share issues, information, and progress. Ms. Schwartz said the forums were useful for sharing and collaborating. But she noted there were often multiple and widely divergent interpretations of provisions. Forums weren't a source for answers and Ms. Schwartz said she often left with more questions and wondering how issues might be resolved. Sometimes she submitted a question to HHS. Other times, parties went back to their own organizations and interpreted in their own ways. Ms. Schwartz cautioned that many might be following very different paths to compliance.

Ms. Schwartz detailed FCHP's plans to train their workforce. Last year FCHP began to run articles introducing privacy and security terms and concepts in their staff newsletter. A multimedia awareness campaign (newsletter articles, e-mail, direct mail pieces, and hallway posters) scheduled for this fall will give staff a basis for better understanding privacy and security when they begin formal e-training planned for the first quarter of 2003. FCHP worked jointly with FC to select an e-training vendor. However, FCHP has mostly administrative staff while the clinic's staff is front line. They had different considerations in regard to resources. And virtually all FCHP staff had individual PCs, while clinic staff often shared and had limited ability to complete training at their workstations. Ms. Schwartz is hopeful they'll come to an agreement. Finding a reasonably priced vendor that could incorporate the policies and procedures for the plan and clinic without large customization fees was another challenge. FCHP wanted someone who'd incorporate each organization's own policies and procedures along with general training. Targeted areas include FCHP's service and claims and the clinic's cashiers and accountants.

Ms. Schwartz pointed out confusion over the Business Associate Agreements. She said FCHP could have used more guidance about what entities were considered business associates (e.g., would a software vendor who wouldn't use or disclose their PHI during a normal course of business, but might have exposure to PHI when installing or troubleshooting, be considered a business associate?). Other Covered Entities was another area of confusion. FCHP contracted with Medicaid to provide coverage for recipients choosing that plan and was unclear whether Medicaid and FCHP acted separately as covered entities, or whether FCHP was a business associate of Medicaid. If they acted as separate covered entities, would the recipient/member be faced with receiving two Notices of Privacy Practice and need to contact each entity separately for their access, amendment and accounting? Ms. Schwartz noted that FCHP was waiting to hear from HHS whether their PACE program was considered a provider, payer, or combination. Noting that most PACE members were dually eligible for Medicare and Medicaid, she also questioned if they'd receive three separate Notices of Privacy Practice and need to contact three separate entities to exercise their member rights. Ms. Schwartz said FCHP was also uncertain about ASOs and responsibilities of the health and welfare plan, both fully and self-funded. She asked if there would be outreach to help organizations understand their responsibilities. Ms. Schwartz noted that the interpretive guidance and answers to questions were confusing and that prompt answers to questions and issues and additional interpretive guidance would assist implementation. She reiterated that security was essential and that it would have been helpful to have the Security Rule finalized.

Panel 1: Health Plans & Group Health Plans

Fidelity Investments is a mutual fund company and provider of financial services, not a covered entity regulated by the HIPAA Privacy Rule. However, Ms. Hilger noted that as an employer that sponsors group health plans, Fidelity is required to grapple with compliance of the HIPAA Privacy Rule. Unlike group health plans, employer/plan sponsors are not directly regulated by the Rule. Ms. Hilger explained that under ERISA, a group health plan is a separate legal entity from the employer that sponsors it, but in most cases the plan has no address, employees or assets separate from the employer. The sponsor--not the plan--enters into contracts. The plan itself is a bundle of promises, evidenced by written documents, which the plan sponsor brings into effect. Ms. Hilger emphasized that the plan's intangible nature and its interconnected relationship to its sponsor made compliance challenging.

Ms. Hilger said employer/plan sponsors struggle with the HIPAA Privacy Rule primarily because the compliance framework wasn't clear-cut for ERISA plans. Untangling where responsibility for the obligations falls is exacerbated by competing demands for resources in a particularly difficult economic climate in which most companies aggressively try to control costs. Ms. Hilger pointed out that many employers preparing for annual enrollment faced double-digit increases in premium costs from their health plan carriers and HMOs and were evaluating their plan designs as well as the products and services these vendors provided. Internal staff was stretched thin and hiring consultants to assist with compliance wasn't within budgets for many employers. Even when a consultant could be hired, compliance had to be constructed in light of how an employer and group health plan operated, and consultants were likely to require significant time from internal resources merely to understand an employer's unique fact pattern. Ms. Hilger noted consultants struggled with the same questions Fidelity did.

Ms. Hilger said consultants could be expected to add value in meeting the training mandate. Sometimes the experience required to design and develop training programs is not resident in-house and/or the subject matter falls outside an organization's basic competencies; in those cases, using consultants could be a more efficient use of time and resources.

She noted Fidelity hadn't found many useful resources on the Web. She noted there were a lot of high-level primers, but few got to specifics and there was little in the way of inventory, assessment tools or models. She said the Mass Health Data Consortium Web site was good for information, links, and networking with respect to the Privacy Rule.

Ms. Hilger explained that at Fidelity Investments, the Benefits Department had responsibility for management of the benefits programs offered. Options within the medical plan are both fully and self-insured. The HMOs, insurance carriers, and other third-party administrators that maintain the systems and data necessary for making determinations about claims handle the claims adjudication function. Fidelity is the plan fiduciary to which claims are appealed for the self-insured medical option and the dental plan, the spending accounts, and several other plans. Ms. Hilger said the most critical and vexing task, given that structure, was determining when the Benefits Department acted as an employer/plan sponsor versus when it acted on behalf of the plan. She emphasized that this determination was important because it provides clues as to where and how firewalls had to be erected. Although it might seem reasonable to conclude that whenever the Benefits Department dealt with the health plan it was acting on behalf of the plan, Ms. Hilger said it quickly became apparent that doing so would disrupt many functions the Benefits Department performed. Therefore, Fidelity examined the functions one by one. Fidelity determined that the claims and appeal function was a plan administration function. When the Benefits Department convened an Appeals Committee meeting, it did so on behalf of the plan. The health plan benefits manager took in the appeal, drafted a sanitized fact summary, and gave it a random case number. The summary and case were presented to the Committee.

Because of the recently enacted ERISA claims and appeals regulations from the Department of Labor and the burdens imposed by the Privacy Rule, Ms. Hilger reported Fidelity was doing a cost-benefit analysis of outsourcing the appeals function. She noted it was costly and purportedly difficult to convince reputable vendors to assume this responsibility; yet a number of large employers took this approach, and more were considering it.

Ms. Hilger noted that, if Fidelity retained the fiduciary role for appeals, firewalls had to be erected around the Appeals Committee function in order to comply with the Privacy Rule. Procedures were to be tightened up and documented. All copies of the summaries were to be returned and destroyed at the close of the meeting. However, one summary must be kept to document the decisions and to satisfy the claims and appeals regulations which require an administrative process to ensure and verify that claims determinations are made consistently for similarly situated claimants. Hard copies were to be retained in locked cabinets, and electronic copies stored in secure limited-access files.

Ms. Hilger said that enrollment activities performed by the Benefits Department are not performed on behalf of the plan. The preamble to the December 2000 Privacy Rule and the modifications issued in August confirmed that enrollment functions are not plan administration functions, but were performed by the employer/plan sponsor on behalf of employees. When the Benefits Department conducted an annual enrollment, Ms. Hilger said it did so wearing its employer hat. Ms. Hilger said the conclusion that enrollment activities are performed, not on behalf of the plan, but on behalf of employees, is important to effective employee benefits program management. She noted that if employers were deemed to be performing enrollment functions on behalf of the plan, then the significant efforts employers had made to integrate and coordinate employee benefits, and the attendant efficiencies gained, would be compromised or lost. She noted an example where employers would be unable to send multi-benefit annual enrollment forms without first obtaining authorizations. This is because demographic data, which was PHI in the hands of a covered entity, is used on enrollment forms to encourage employees to use and purchase employee benefits and to promote other lines of coverage, and therefore would meet the definition of “marketing.” In another example, Ms. Hilger said that if a COBRA participant contacted the Benefits Departments with his new address to assure that his COBRA coupons would be received, that change could not be disclosed to the pension administration system unless authorization was obtained. At best, she said it would be an annoyance to the participant to have to provide a separate notice. At worst, it would result in a participant not receiving all of her or his benefits.

Consistent with the general conclusion that enrollment activities are not plan administration functions, Fidelity concluded that COBRA enrollment, payment collection activities, and issuance of HIPAA certificates of creditable coverage (records of enrollment) are also enrollment-related activities performed by the employer/plan sponsor on behalf of employees and other beneficiaries. Ms. Hilger also described a link to an on-line provider directory on Fidelity's benefits Web site. The directory site enables employees to select a physician based upon the medical plan option the employee had chosen and the employee's home and/or work location. Fidelity concluded that the function performed by this tool is enrollment-related and that Fidelity was providing this service as an employer/plan sponsor on behalf of the employee. Therefore, Fidelity concluded that authorization is not required in order to forward demographic data to the directory site to facilitate selection. Ms. Hilger said verification of these conclusions would be helpful.

Ms. Hilger reported that Fidelity had a corporate privacy office in place, and it had been able to leverage processes and tools developed for Gramm-Leach-Bliley compliance (e.g., data collection templates). Corporate functions instrumental to that compliance (e.g., purchasing, legal and audit) had been organized by the privacy office to play similar roles for HIPAA privacy rule compliance. Ms. Hilger said Fidelity had concluded that the corporate Privacy Office was not close enough to the operation of the group health plans to have anyone in that office serve as the HIPAA Privacy Officer for the group health plans. A member of the Benefits Department would assume that role with dotted-line responsibility to the corporate privacy office. She said a number of participants in a recent industry trade group conference call on HIPAA privacy indicated they were taking that same approach.

She said Fidelity was still in the assessment phase of information flows. They'd completed an inventory of their vendors and begun assessing whether they were business associates acting on behalf of the plan or vendors acting on behalf of Fidelity as the employer/plan sponsor. And they had prepared a first draft of a plan amendment and would continue to review the policies and procedures in place.

Ms. Hilger said she appreciated the sample language for the business associate contracts provided in the NPRM and the modification to the Rule. She welcomed similar sample language for privacy notices and policies, authorizations and other written requirements, predicting that they would aid employer/plan sponsors with compliance.

Panel 1: Health Plans & Group Health Plans

Ms. Rubinstein began talking about best practices in the employer community. She noted that MHDC was working with consultants and lawyers through various meetings sponsored to help the employees and employers understand their responsibilities in implementing HIPAA.

Mirroring Ms. Curran, Ms. Rubinstein said a question some employers had was, “What will they do to me--How are they going to know if I don't comply?” Ms. Rubinstein said she'd responded that employees could go directly to the OCR and say that their employer wasn't complying. She hoped but didn't know that her response had been effective.

Another best practice Ms. Rubinstein mentioned was that MHDC helped employers devise communications telling their employees what HIPAA was, how it would be helpful to them and why it was good. Ms. Rubinstein said these communications were an important part of the implementation for employers and that they'd found areas where they hoped to get clarification.

Ms. Rubinstein discussed disadvantages of requiring a finite expiration date on the authorization, noting it might be challenging for mid-size and large employers, particularly those providing benefits to their retiree population. She noted it was common for both employees and retirees to request assistance with a benefits issue. Often this required the use of PHI, so an authorization might be required. In order to be valid, authorizations required an expiration date. But Ms. Rubinstein pointed out that it was difficult to know how long it would take to resolve any problem. As benefits specialists attempted to address enrollees' problems, they had to monitor the expiration of the enrollees' authorization, and possibly needed to obtain new ones, adding complications. While this might not seem vexing in the case of one needy enrollee and one benefits specialist, an employer would need a back-up system just to monitor the expiration of multiple enrollees' authorizations. That could be done, but it wasn't optimal, particularly when additional authorizations were needed to complete many projects. Costs kept some employers from being able to do this. Ms. Rubinstein noted the IRS allowed the power of attorney to expire using an indefinite time period. Should another clarification be released, she requested rules that permitted an enrollee to grant an authorization for the length of the assignment.

Ms. Rubinstein also addressed the timing of execution of authorizations and proposed having an execution in advance. Without them, she cautioned that the process might prove to be administratively inefficient, particularly when it came to multi-state employers or employers who covered retirees. She added that this problem might result in delayed access to care for some and would be most acutely felt in the retiree community. Ms. Rubinstein remarked that surely authorization wasn't designed to be a barrier to prompt and efficient care, but unless they could be executed in advance that was exactly what they might become.

She next addressed the issue of changing between insured and self-insured status, and the HIPAA issues the changes brought. She noted that employers who self-insured their health benefits tended to be exposed to far more PHI than employers who purchased health benefits on a fully insured basis. For many employers, these categories weren't hard-and-fast rules, but a choice for the moment. She said it would remain a choice for as long as the financial analysis demonstrated it was beneficial to the employer, and it was likely to change when that analysis changed. Errors occurred, and despite the best efforts of all parties, PHI might land in the hands of a fully insured employer. At the very least, Ms. Rubinstein said employers should have a policy in place to deal with such eventualities.

Ms. Rubinstein said, at this point, she instructed her fully insured clients to have a privacy office to ensure correct action was taken. She said soon there'd be little distinction between the self-insured and fully insured. By differentiating between them, the regulations created confusion and a checkerboard comprised of those who needed to comply this year versus those who had until next year when they self-insured. Employers who'd purchased their employee benefits on a fully insured basis made the decision to change funding strategy after careful consideration of relative costs and risks. Often this was done without sufficient time to prepare for HIPAA compliance as a self-insured entity. Ms. Rubinstein predicted that many employers would reach a January 1 new plan year with a new funding strategy but an old HIPAA compliance strategy--one that worked while they used a fully insured plan but wouldn't match compliance for self-insured.

She suggested that a new clarification obligating every employer to comply with clearly articulated regulations might end the confusion. She believed that with clearly articulated regulations fitting the needs of both small and large employers with active and retiree populations, the rules would be observed and become part of the regulatory fabric of the health care system. Conversely, Ms. Rubinstein predicted the rules would be breached by employers if they found them impossible from an administrative perspective.

Ms. Rubinstein discussed the guidance on e-mail and faxed authorizations. Although the rules on dissemination of the privacy notice gave clear instruction regarding a plan sponsor's ability to send the privacy notice via e-mail, the rules said little about e-signatures, which were important to employers who covered retirees or employers who had employees in different states. When an employee in one state called interstate to a benefits specialist in the home office, he or she couldn't stop in and sign an authorization that afternoon. Unless electronic signature and faxed authorizations were acceptable, delays in care might result.

Ms. Rubinstein emphasized that the employer community would benefit from clear rules permitting the use of electronic signatures in e-mail and facsimile machines for transmitting authorizations. She added that both the Department of Labor and the Internal Revenue Service had issued guidance on electronic media, and she recommended that HHS guidance be consistent with them in this matter.

Noting this issue bedeviled the employer community as well as the legal and consulting communities, Ms. Rubinstein questioned which entity needed to file for an EDI extension. Although both the transmission rules and the privacy rules stated that an employer was exempt from having to comply with the EDI rules if only transmitting eligibility/enrollment information to health plans, Ms. Rubinstein pointed out that employers were often plan sponsors, leaving open the question of the obligation of the plan itself. She reiterated that the rules seemed to assume that all covered entities processed claims electronically. But she pointed out that in the typical self-funded context the employer/plan sponsor didn't process claims; processing was left to the TPA.

Ms. Rubinstein said the question resulted in great confusion and additional cost for employers as they engaged lawyers and consultants to ponder four scenarios with the TPA: (1) filing the extension on its own behalf, and the employer, acting on behalf of the health plan it sponsored, being exempt; (2) filing the extension on its own behalf and on behalf of the clients for which it was acting as a TPA, thereby covering the employer as well; (3) filing on its own behalf, and the employer, acting on behalf of the health plan it sponsored, filing on its own behalf; and (4) filing on its own behalf and on behalf of the clients for which it was acting as a TPA, and the employer, acting on behalf of the health plan it sponsored, additionally filing on its own behalf. Ms. Rubinstein said she'd spoken over an hour on this issue with a prestigious Washington law firm on behalf of an equally prestigious client. Everybody was confused.

Ms. Rubinstein said that when she asked TPAs whether they'd filed on behalf of their clients, responses included that they didn't know employers or TPAs were covered under HIPAA. At this point, Ms. Rubinstein said she was covering by filing for all of her clients. She said a few TPAs sent out letters to clients indicating they intended to file unless their clients had a different preference. She said she believed that large health plans wanted to comply with HIPAA and knew from frequent communications that they'd invested considerable funds and resources in achieving compliance. One health care plan told her they'd put 70 people on their HIPAA plan and spent millions of dollars trying to comply.

She contended that the system seemed to come apart only when the rules concerning employers and plan sponsors were unclear. The correct thing to do, with the October 16 deadline coming so quickly, could be for the TPA to file the extension on its behalf and on behalf of the clients for which it acted. But Ms. Rubinstein noted in many cases this wasn't occurring. This might mean that employers had to pick up the slack, but she pointed out that this occurred even less frequently, due to continued confusion over what their obligations were under HIPAA. Ms. Rubinstein said this confusion was even more evident in the case of employers who purchased health benefits on a fully insured basis. She said that when their insurance companies filed for an extension, the same questions were raised, and the rules offered no clarification.

Ms. Rubinstein said that if another clarification was released the health benefits community would appreciate clarification on these points. While she acknowledged that the specific issue raised by the need to file for an extension was itself self-limiting, Ms. Rubinstein emphasized that the larger issue of employers/plan sponsors' responsibilities required delineation. She summarized that the employer community was asking for something more basic than a change in the rules; it was requesting clarification of its responsibilities under HIPAA's privacy regulations. And she advised that HHS would provide enormous value to the employer community by issuing clear guidance. Only with clear guidance could the employer community embrace the rules and make them a part of their organizational culture. Failure to provide that guidance would leave many employers believing they were exempt from HIPAA and many employees without the privacy protections that HIPAA meant to provide.

Discussion

Dr. Cohn noted Ms. Rubinstein brought up important issues that the Subcommittee had forwarded to CMS, which was dealing with the ASCA extension issues. He said the ASCA compliance extension was related specifically to the electronic transactions and didn't have much to do with the privacy rule, except getting further guidance from CMS in terms of privacy.

Asked if BC/BSoRI took the lead independently to train, advise and assist providers around HIPAA or whether it was a collaboration between all the entities, Ms. Curran said BC/BSoRI took a couple of tacks. In trying to pull together collaboration with other insurance companies and the medical societies, they'd found that trying to reach consensus with too many people took too much time. Independently, BC/BSoRI developed a communication plan of activities to do on its own, then looked for entities to help and dovetailed involvement with these organizations in crafting a message. The initial goal was to do everything through collaboration. But Ms. Curran said they couldn't always get consensus and didn't want to stop communicating with their providers. So BC/BSoRI wrapped the two initiatives into one and placed things where they fit most appropriately.

Dr. Cohn asked Ms. Curran if BC/BSoRI was the predominant insurer in the state. Ms. Curran said there were two major insurers: BC/BSoRI and United Health Care. Neighborhood Health Plan of Rhode Island handled a lot of the membership for the RIte Care population. They also worked with Federal Medicare. And the state Medicaid society was involved in crafting the communication. Ms. Curran said BC/BSoRI asked their providers whom they wanted to hear from, and then tried to put that group together. Dr. Cohn explained that the reason he pressed was that they'd heard yesterday about Massachusetts and the Health Data Consortium, the various NEEHEN efforts, and mega collaborations between all the entities. And he noted that Rhode Island and some other states had statewide collaboration where one insurance company, in the best of interests, tried to educate providers with a single set of messages, avoiding mixed messages and massive confusion. He said this was a statewide best practice to consider with CMS and HHS in further implementations.

Ms. Curran said that was a valid point and that she hoped in the coming months they'd be able to solidify communications with these other entities. She reiterated that BC/BSoRI wanted to be a leader in providing information of value to customers. She said BC/BSoRI wanted to work with other entities to do this, adding that if others held them back they'd deliver the message themselves and then share it with other insurers, hoping they weren't giving completely different messages to the same constituency, which was a problem they'd grappled with. Asked if there was any national coordination through the associations, Ms. Curran said the association memoranda contained references to HIPAA. ITS plans and others in line as sister plans for out-of-area claims experienced cooperation. But Ms. Curran emphasized that each was an independent plan and she couldn't say that there was strong coordination.

Dr. Danaher said he was reminded of Tip O'Neill's adage that “all politics is local.” He noted MMS had a historical reputation of being proactive, but said he wasn't as familiar with Rhode Island. Yesterday he'd been a big adherent of having the medical societies and hospital associations get out that grass-roots word, but today Dr. Danaher said he realized the health plans might be the ones to lead the charge. Dr. Danaher pictured a hierarchy of organizations in terms of their preparedness in meeting the HIPAA requirements. At the top of the list in terms of awareness and pro-activity were health plans, hospitals, and physicians. He said self-insured employers and group health plans sponsored through employers might have good resources but probably lacked awareness of the responsibilities. Noting that Ms. Hilger stated in her written testimony that TPAs handled PHI, Dr. Danaher asked how many Fidelity employees came into contact with PHI. Dr. Danaher said he was willing to believe employers didn't know what was going on, but he wasn't sure whether they had an enormous challenge on their hands or only faced a small group in each company.

Ms. Hilger said it came down to how broad the definition of PHI was and whether it was the plan that held covered demographic information. Ms. Hilger said the benefits department had about 10 people and the appeals committee had another dozen. Two or three people really touched the medical plans within the benefits department. The appeals committee got the details as cleaned, sanitized cases. Ms. Hilger didn't know whether that met the definitions under HIPAA. If the definition of the plan was broadened, the challenge was that sometimes HR staff might have the enrollment information.

Ms. Rubinstein said there was a greater challenge. The HIPAA Privacy Rules as applied to health plans, providers that conducted standard electronic transactions, and clearinghouses were a paradigm. But employers didn't fit that paradigm, and in some ways the rules weren't clear enough and didn't fit employers. She said Dr. Danaher was right; employers didn't know which way to turn. Ms. Rubinstein said the rules had been clear for Harvard Pilgrim and BC/BSoRI. They knew what to do and were doing it. Large employers also wanted to comply, but didn't know how. Personally, Dr. Danaher said his reading of the group health plan sections of the “reg” and of real employer responsibilities led him to agree with Ms. Rubinstein. He said industry and the consultants that collaborated with it needed more guidance. He didn't think employers realized that they were a covered entity and had to file for an extension.

Ms. Rubinstein said she'd be lying if she said every single employer in Massachusetts complied. She added that she didn't anticipate them complying perfectly, because they didn't understand perfectly what employers' obligations were under HIPAA. She said she was hoping for a companion piece that spoke specifically to the employer community and clarified their requirements and obligations. She contended that this would markedly improve compliance by the employer community. Dr. Danaher pointed out that another fundamental educational point had been missed: employers didn't know they were covered under HIPAA in the first place.

Ms. Hilger responded that employers weren't covered and it was appropriate for them to be resistant to regulation. Asking who had the responsibility to educate and issue these plans, she noted the transactions requirements dealt with the same issue and was illustrative. If she were an employer and had a plan and the TPA hadn't filed and she wasn't going to either because neither of them were regulated, then who had responsibility to do it on behalf of the plan? Mr. Rothstein stated the message was heard and they'd put that as part of their agenda when they brought it to the full Committee for discussion. Noting an assumption that large employers/plans had the expertise, resources and personnel to comply and therefore the Subcommittee wouldn't have to spell things out for them, Mr. Rothstein said obviously that wasn't what they'd heard that morning. Additional clarification was needed.

Dr. Cohn observed that over the years the Committee had held hearings regarding employer-sponsored plans and knew there were good practices in terms of firewalls and other functions of the employers. He said he'd heard a lot of concern about making sure that firewall was as tight as it could be. Dr. Cohn reflected that this was a good outcome, signaling that HIPAA was causing everybody to take reasonable steps to tighten the issues and practices. He said the Subcommittee would talk with CMS and HHS about making sure there were good guidance capabilities to give organizations timely advice.

Dr. Zubeldia noted that employers had health plans before HIPAA, regardless of the HIPAA definition. A TPA administered some and it would take care of the transaction compliance. He asked about the employer's perception of the health plan. Was it the employer, was it shared--where was the boundary line? Ms. Hilger said legally it was a separate entity. It was promises, and they did different pieces. Ms. Rubinstein responded that an employer thought of a health plan in common parlance as the TPA and not as a set of promises. Internally, employers thought of the health plan as an insurance company--a TPA. The intellectual concept they administered was something they didn't understand. That was part of the dilemma. Ms. Hilger agreed. Fidelity's perspective was that a health plan had a number of options: the self-insured PPO and fully insured alternatives. But legally it was all one plan. Dr. Zubeldia reflected that, in order for employers to understand their responsibility, they had to understand what the health plan was in their eyes. If the health plan was only paper in a filing cabinet, the employers couldn't understand anything about HIPAA. Ms. Hilger contended that it wasn't that folks struggling with this didn't understand what a health plan was, but that the way the regulations talked about it didn't fit into what people understood about a health plan. Ms. Rubinstein said it was difficult for employers to get their hands around that intellectual exercise. She tried explaining to them what the health plan was and that they weren't covered entities but had responsibilities because they administered the plan. But she said this wasn't something they could touch and feel. She wished she had a cleaner way of explaining it. Mr. Rothstein said this was a semantic problem. He suggested that the word “plan” confused people and substituting another term would clear up a lot. Participants considered that calling it “ERISA Plan” (a plan contemplated under the rules) might convey a clearer understanding.

Mr. Rothstein recalled that Ms. Schwartz had said FCHP had an unsatisfactory experience with a consultant hired to do the privacy part of their HIPAA compliance. He expressed concern that many people were in that position and asked how FCHP selected their consultant and if there was any widely distributed document providing tips on selecting a HIPAA privacy consultant. Ms. Schwartz said FCHP interviewed five different consulting firms. They'd talked with large as well as local consulting firms, looking for experience in this type of assessment, and they believed they'd found it. But they found that HIPAA was so new that the consultants didn't have experience. Ms. Schwartz said FCHP had concerns with the consultants' understanding of the regulations. They were working closely with an attorney, and they had questions the consultant came up with. They consulted with three different people and received three different answers. Mr. Rothstein asked if there was anything on the front end that would have helped them choose someone better or make their ultimate decision of doing this in-house. Ms. Schwartz replied that FCHP thought they'd done due diligence. She explained that FCHP had done this over a year ago, so they weren't the first to go through a gap analysis but they'd been relatively early. She said at this point one might find consultants that had been through this enough that they knew what they were doing. She said FCHP had a similar experience with vendors and e-training. Trainers were showing them demonstrations and saying it was their beta product. It hadn't been tested yet and they were still making changes. FCHP hadn't found anyone with experience in HIPAA training.

Ms. Greenberg noted that Ms. Schwartz had mentioned that FCHP had decided to develop their own policies, procedures and forms tailored to their specific needs. She recalled that yesterday quite a few people said they'd benefit from more model forms and procedures. Ms. Greenberg asked if the panelists would feel less of a need to go to a consultant if more models were available. She asked whether those models plus their knowledge of their own organization would allow them to make those adaptations so they wouldn't have to go to an outside source. Ms. Schwartz said if there were good models that they could use, they'd be happy to adapt them rather than start from scratch. Going through policies and procedures was a painful process.

Ms. Schwartz said that after their experience with the readiness assessment, FCHP wasn't sure that a consultant would be able to do any better job than they could starting from scratch. She said they'd be happy to see the models. They already had the model of the business associate addendum and models for forms they needed to do.

Ms. Schwartz said FCHP had a Medicare+Choice plan and hadn't heard anything from CMS about providing model forms. She said FCHP had model letters and forms for many things and liked to use them, because they knew they'd have a product they could approve. FCHP was faced with developing authorization forms and letters they'd send to their Medicare+Choice members and didn't have any models from CMS. Noting they were submitting from scratch, she reiterated how painful a process it was to have forms and letters approved by CMS.

Dr. Danaher asked if having members in different states with different state regulations was an issue. Ms. Schwartz said FCHP understood that because they were a Massachusetts-based corporation they followed Massachusetts' mandates. Ms. Curran agreed. In some cases Rhode Island laws were more restrictive than HIPAA, so BC/BSoRI was staying with state regulations. Ms. Curran said her understanding was that they looked at it strictly as a Rhode Island-based company, but she'd obtain clarification and e-mail it to the Committee.

Noting they'd heard extensively about the importance of collaboration and how one health plan couldn't take care of everything by itself, Dr. Zubeldia noted that both Ms. Schwartz and Ms. Curran were involved with Medicare (one a carrier intermediary, the other a Medicare+Choice) and asked what they'd recommend. Ms. Curran replied that as a Medicare carrier and intermediary BC/BSoRI got a whole lot of information from CMS about what they should communicate to providers. They tried to dovetail that into their ongoing communication plan because they'd realized that, as a Medicaid carrier and intermediary, they already might have sent a notice out under their letterhead. She said BC/BSoRI tried bringing the two pieces together, but sometimes CMS had specific deadlines and they couldn't always dovetail. Dr. Cohn said he thought there needed to be recognition, or perhaps an agreed-upon communication plan of which CMS was a part but not the whole, so that information wasn't sent to the same people under separate letterheads. He noted there hadn't been much discussion about communicating HIPAA requirements from the CMS point of view.

Ms. Schwartz said that Fallon hadn't done much yet with direct provider education. She said a large percentage of their providers were with Fallon Clinic, which had its own HIPAA initiative and training, policies, and procedures. Fallon did some outreach through their provider newsletter and participated in training oriented toward providers. Ms. Schwartz said she wasn't sure what the government could do to help FCHP help providers. Mr. Rothstein encouraged her to submit any suggestions or comments within 30 days so the Subcommittee could consider them.

Panel 2: State Agencies/Public Health Authorities

Ms. Allan said the HIPAA PMO was formed in 2002 to coordinate and provide technical assistance to the various state agency HIPAA compliance efforts. The PMO wasn't directly responsible for compliance; that responsibility remained with the agencies. Ms. Allan noted that Massachusetts had long been in the vanguard for privacy protections and patients' rights. Since 1975 all of their state agencies had operated under a statutory privacy standard for all personal information held in the Commonwealth. Ms. Allan noted this paralleled HIPAA and prohibited any unauthorized disclosures: agencies could only collect and maintain the minimum necessary information. Audit trails were required on disclosures and uses. And the data subject was entitled to access the data and had the right to amend it. Concepts and many specifics of the HIPAA Privacy Rule were familiar to and embraced by state agency personnel, but Ms. Allan emphasized that they found it extremely challenging. Because of the way state agencies and their programs were structured, it was difficult to fit them under the rubric of the rule. They served diverse populations and this was reflected in their programs. Many held diverse functions and weren't as clearly delineated between health care provider and health care plan as the private sector programs. Someone could fall completely outside their realm.

She explained that most of the HIPAA information sources and resources were geared to the private sector: hospitals, physician practices, or large health plans. Little addressed state agency issues and concerns. She noted one Web site was a voluntary collaborative devoted to state HIPAA privacy and security issues. Ms. Allan said it was helpful, but beyond that the state perspective was that they were climbing alone without an apex in sight or signs or warning signals to indicate they were going the wrong way. She added that virtually all of their agencies initially struggled with how to designate themselves (were programs covered; if so, were they a provider or a plan). Ms. Allan stressed that this was time consuming and frustrating. With the compliance deadline looming, they had to know where they fit in.

Ms. Allan identified three other challenges the state faced: the state was responsible for financing this overall effort and it had become a burden; there were operational hurdles because state government was structured differently than a private enterprise; and there was concern, from the HHS Executive Office perspective, about avoiding adverse program impacts from many provisions of the HIPAA Privacy Rule.

Massachusetts, like most states, faced severe revenue problems, had the largest tax increase in its history, and was still cutting back on programs. Nonetheless, Ms. Allan said they had to find funds to develop, print, and distribute all the privacy notices required under the rule. Their largest health plan, Medical Assistance, had to send notices to at least 500,000 enrollee households. In most cases, the first date of access for people receiving services from provider programs would be the date of the compliance deadline. Many of these patients had long-term chronic needs and were in state institutions, others received services on almost a daily basis from various outpatient clinics. At a minimum, Ms. Allan said this one tab would be $600,000. Each agency had to find their share of that within their existing administrative budgets that already were squeezed.

Ms. Allan reported that many providers were asking for answers to HIPAA compliance questions that the state agencies also lacked. Ms. Allan anticipated considerable upgrading of computer and IT systems and data in order to support the HIPAA Privacy Regulations in terms of their data and meet the security requirements when finalized. Noting many agencies had just begun their assessments, Ms. Allan said she thought some systems would probably be okay, while others would need significant upgrades. She noted this was above and beyond costs associated with the transactions rule that required another whole set of system changes from all agencies doing business with the Medical Assistance Program (most HHS agencies).

Ms. Allan noted the training requirement was another substantial cost. She estimated that, at a minimum, their state agencies had to train 30,000 individuals, including those in the workforce of covered entity agencies. But she added that training had to go beyond that because many of their state programs interacted closely with public and private sector covered entities. To continue working together, they also needed to understand what information they could still access, how to access it, and any conditions or parameters around accessing PHI. Ms. Allan said HIPAA PMO itself expected to spend around $260,000 on training. In addition, many agencies were hiring trainers to give a more specialized, focused training to their workforce.

She also pointed out a need for major educational programs, including materials for a lot of state functions that weren't normally associated with HIPAA. For example changes in judicial orders meant that law enforcement needed to understand how to access and use PHI. Noting that human services agencies didn't interact with law enforcement on an on-going basis, Ms. Allan said she didn't know how that training would be provided. She emphasized that public health inspectors, child care licensing staff and any state staff whose job function related to access of PHI would have to be educated in how to use it.

Ms. Allan explained that their state agencies had an enterprise approach to many activities (as many state governments did) and faced implementation hurdles that didn't necessarily exist in the private sector. In order to pay their vendors and providers, the comptroller's office had to have all their state contracts and the whole contract bidding process in uniform, HIPAA-required terms and conditions. Centralized contracting, union negotiations, and information support services all had to be tapped into. Ms. Allan said every day she found another entity they had to tap into.

She noted that all of their union agreements were negotiated and administered centrally. Because of training requirements in their covered entity agencies where many union employees worked, their agreements had to be amended. Ms. Allan said they were working on that, but she didn't know how smoothly it was going.

Ms. Allan reported their state agencies were significantly impacted on technology services as well. The Information Technology Division (ITD) maintained most of their intranet and Internet systems and signed off on any technology systems individual agencies chose. Ms. Allan said ITD had taken the lead in helping them understand what they needed for technology infrastructure to support the privacy and security regulations. However, she said ITD made it clear that they focused on state-wide needs and priorities and were reluctant to go forward with actions applicable to only a few agencies. Ms. Allan emphasized that this was true across the board. Given all the other issues and concerns facing the states, none of their agencies could be considered a dedicated resource for HIPAA.

Noting that they'd worked hard over recent years to more efficiently and effectively address the needs of clients who needed services from multiple agencies, Ms. Allan expressed concern that the HIPAA Privacy Regulations would send everyone back to the drawing boards to rethink how they could do that. She explained that much of that was because not all their agencies were covered entities, even though their functions meshed. In states where all medical assistance and social services programs could be kept within one agency, she said this might not be much of a problem. But she pointed out that PHI determined whether someone received medical assistance. And, with mental health, they couldn't even say someone was a member or client because that conveyed details about his or her mental status or how the health care was paid.

Ms. Allan said when they could they planned to use an authorization, but she doubted a compliant authorization would be sufficiently broad to encompass a case management approach to a client. She pointed out that they didn't always know at intake or initially what services and other agencies they would want to tap into and so couldn't state a specific department, information, or purpose. Ms. Allan said going back to a client periodically as they did their case management and asking for more authorizations would be viewed as bureaucratic harassment by the client and slow down the provision of services. Ms. Allan said she'd read through the exceptions many times and still reread them. She thought that most state functions that required access to PHI could continue, but had to go through a long strenuous analysis. Often the need for multi-agency intervention wasn't apparent until there was a triggering (commonly tragic) event. While a covered entity agency could give services on an emergency basis, Ms. Allan said caseworkers who responded to immediate crisis situations couldn't be expected to analyze all of the time whether an imminent danger justified revealing PHI without an authorization and risk being subject to a lawsuit for not adequately adhering to the HIPAA Privacy Regulations.

She anticipated a paralysis setting in unless they thoroughly educated people out in the private sector who held PHI about what HIPAA did and didn't allow. Some state facilities were no longer letting inspectors in to do records review. And they'd had challenges to their juvenile court justice system that used juvenile defender records to try to get individuals being sentenced into the right program. Noting there was so much misinformation about HIPAA, Ms. Allan cautioned that they'd run into real problems with the continuing smooth operation of essential basic state services without better education about HIPAA.

Ms. Allan said it would be very helpful to get clarification on authorizations. She hoped that the way she read the authorization requirements was too stringent, because she didn't think that they'd let them do the kind of comprehensive case management that they strived to do and that was best for their clients. She emphasized that model forms for how state agencies would work with each other, even if they weren't all covered entities, would be very helpful.

But stressing that much earlier it would have been helpful to have clearer guidance on how to put state programs under the HIPAA definitions, Ms. Allan said, at this point, they'd made their decisions and were moving forward with compliance deadlines looming and too much still to be done. She said she wasn't sure she wanted that clarification now. They'd spent too much time on “Am I or am I not a covered entity.” She didn't want to go back to the drawing board.

Ms. Allan said that she was talking about broad education of the public as well as the private sector about what HIPAA did and didn't do. She noted that HIPAA didn't shut all doors; inspections continued. They still followed up on reports of negligence in nursing homes or that a daycare program wasn't providing proper services. They still did quality assurance reviews in hospitals. They had access to the basic information they needed to do basic public functions. Ms. Allan also requested the federal government to provide training tools and resources including a Web site to educate members of the judiciary and law enforcement.

Ms. Allan reminded everyone that Massachusetts had its own privacy statute. Their agencies had to live by that law, even without HIPAA. Ms. Allan said they wanted to abide and needed to be able to serve their clients.

Asked about the range of agencies determined to be covered entities and whether they'd decided to call some hybrids or treat them all as covered entities, Ms. Allan said the concept of hybrids was rejected; it wouldn't work. Under the regulations, conditions for being a hybrid entity called for too much splicing and separation and were impossible. With shared duty, employees working for the covered entity couldn't communicate with the rest working for the non-covered entity. Agencies shared resources and infrastructure and needed to be covered. Ms. Allan noted the list of covered agencies included: Department of Public Health, Department of Mental Health, Department of Mental Retardation, Medical Assistance Program, Group Insurance Commission, the soldiers' homes, and the pharmacy program through their office of Elder Affairs. Department of Corrections was a hybrid.

Ms. Kaminsky asked Ms. Allan to clarify how law enforcement needed education. Ms. Allan said page A could be accessed for law enforcement purposes. But she added that they needed to help law enforcement understand that they could no longer walk into a hospital and see the admittance records. Ms. Kaminsky noted they'd heard similar testimony yesterday.

Asked to expand upon a problem she'd referred to in juvenile court, Ms. Allan explained that frequently appearances in court were necessary to get treatment orders for someone in a facility that wasn't competent to give consent and had no guardian. The feedback was that in order to cover themselves in terms of how they used the patient information, they would have to ask for more expanded orders. Ms. Allan reported there was also concern about commitment orders that might be requested. She said the courts needed to understand that they had to be precise in orders issued so people were armed sufficiently to use PHI to the fullest extent in a treatment situation.

To demonstrate the confusion about HIPAA Privacy, Ms. Allan told how one of the justices of the juvenile court asked her if it was true that when HIPAA went into effect they'd no longer have access to juvenile offenders' records. The judge had to be assured that wasn't true. Ms. Allan said people, particularly smaller providers, were afraid that they couldn't live properly by the rules and they were shutting their books completely. Ms. Allan emphasized that they still needed to help providers understand where it was still ok and they weren't in violation.

Panel 2: State Agencies/Public Health Authorities

Mr. Ballin said that the Massachusetts Department of Public Health (MDPH) conducted basic core public health activities and operated four state hospitals. He said MDPH never questioned that the state hospitals were covered entities, but had grappled with the rest of the Department for some time. He estimated that over 200 programs collected or used PHI. Usage was often, but not always, pursuant to state laws and regulations. Mr. Ballin noted MDPH also had a complicated system for coordinating with other state agencies, local boards of health, community health centers and providers. Basic and typical public health activities included: collecting PHI for disease surveillance and investigation, delivery of health services, epidemiology, statistical analysis and research, program evaluation and quality improvement, licensing, and help in oversight functions and various activities involving emergency response.

Mr. Ballin agreed with Ms. Allan that the regulations were written for the health care industry and that public health authorities didn't fit well within the definitions for health care provider and health plan. He acknowledged that HHS made efforts to clarify that in the final rule, but he added that didn't suffice and in some cases might have made things worse. He advised that the definitions were ambiguous with regard to public health and noted that they'd attempted to get guidance from HHS useful for them and other state, local and county health departments, but hadn't received any feedback. He said he understood the resources and restrictions HHS had and stressed that his testimony didn't intend to criticize the agency's efforts. However, he emphasized that the lack of guidance made it difficult for those trying to interpret these rules at the state level. Mr. Ballin noted that an informal survey of numerous state health departments by the Massachusetts Health Data Consortium found a wide variety of interpretations for how departments and various programs had been covered and a general feeling that further guidance would have been helpful. He mentioned two examples.

A federally funded program administered by DPH, the breast and cervical cancer early detection and screening program existed in many, if not most, other states. Mr. Ballin said they contracted with providers to furnish screening services to under- and uninsured women. Providers billed DPH as a payer of last resort. MDPH had addressed again whether a specific program was a plan or provider.

Another example involved a state laboratory that conducted analytical testing of human blood samples submitted by medical providers or other laboratories to detect the presence of communicable or other diseases. DPH acted as a diagnostic laboratory but didn't furnish testing directly to patients and, except for a few limited cases, didn't bill for services. Again, the question was whether the state lab acted as a health care provider.

Mr. Ballin reiterated that further examples provided an extensive list of questions representative of issues they had with interpreting the covered entity definitions with regard to provider and plan. He noted they'd begun this process shortly after the privacy rules were originally finalized and had offered CDC assistance in trying to obtain guidance from HHS. They'd also sent a list of questions to HHS and requested guidance. Mr. Ballin said they'd never received a response to either effort.

Mr. Ballin summarized a year and a half's worth of extensive discussions within the Department and the HIPAA program management office determining which of close to 200 programs were covered entities. He noted that the ways they used PHI and the actual information collected were extremely diverse and that it was difficult to assess how each program related to the health care provider or plan definitions. Their general conclusions at this point were that a couple of programs looked like health plans, and many others acted like health care providers or contracted out with agencies to provide services. Mr. Ballin reported that the remaining 75 percent of the programs didn't fit the definitions and, for the reasons Ms. Allan mentioned, they'd decided a hybrid entity would have made it too difficult for their programs to share PHI necessary for conducting public health practice. Mr. Ballin noted the decision to have other programs voluntarily comply with HIPAA caused concern about many programs that people believed didn't apply to HIPAA (e.g., the cancer registry).

He shared questions that conveyed some of the perceived impacts of HIPAA on public health practice and how things needed to change. One question was whether HIPAA limited sharing of PHI between DPH programs as well as other state agencies. He explained that a decision had been made to go against the hybrid entity status and noted that HIPAA also allowed for coordination of benefits in some cases with other government agencies that were covered entities.

Many asked whether HIPAA impeded disease surveillance and other public health investigations. Mr. Ballin said this was an immediate concern, particularly when they'd dealt with the wide variety of urgent situations involving anthrax and other disease surveillance activities. He emphasized that he'd stated all along that HIPAA was well crafted for providing broad exemptions for core public health activities, including surveillance, investigations, and intervention and that HIPAA didn't impose a barrier to the routine public health work they did.

Another question was if HIPAA would prohibit disclosure of PHI when required for enforcement of DPH regulations. Mr. Ballin said this went back to issues Ms. Allan had mentioned about going to court for enforcement. He explained that DPH was a covered entity and health oversight agency and that a provision in HIPAA allowed a covered entity that was also a health oversight agency to use PHI for authorized activities including civil administrative or criminal proceedings.

Mr. Ballin said an issue that concerned the whole research community was whether HIPAA limited the ability of DPH to conduct research using PHI without authorization of the data subject. He reiterated that, even though there'd been some hysteria, he thought HIPAA was fairly clear in allowing for the ability of an IRB waiver of authorization, if certain criteria were met.

Mr. Ballin said that he believed the Privacy Rule exempted health care operations of the covered entity from the accounting of disclosures, including surveillance activities they conducted. He noted the revised rule also addressed accounting of disclosures for research that involved 50 or more individuals. Mr. Ballin said it would have been very helpful to have appropriate guidance for public health authorities on covered entity questions. He noted there had been an attempt in the final rule to provide some guidance with regard to government agencies. Mr. Ballin said there were examples with regard to WIC and Ryan White programs but the nature of their programs were so complicated and diverse it was hard to come to a conclusion in many of those cases.

He said that there was a great deal of confusion about what HIPAA did and did not permit public health authorities to do in regard to PHI. He said that in Massachusetts there was a system of local health departments, which was not the norm nationwide, and he had talked with a number of local health departments that had asked when the state health department was going to be providing guidance to them on HIPAA. He said this was a big issue as they didn't have the resources to be dealing with every local health department out there, but there were nonetheless the same concerns among local health departments he had previously discussed.

Finally, Mr. Ballin stated that he did believe the HIPAA Privacy Regulations demonstrated a clear intent to ensure that core public health activities of public health departments weren't impeded. Despite much confusion, he said that he believed by carefully reading the rules, they were able to change some of the business procedures they conducted. He said that they were still able to do their business and HIPAA did not present any significant barrier to their public health practices.

Dr. Danaher asked how MDPH interfaced and if it was part of HHS. Ms. Allan explained that in the 70s and early 80s Massachusetts set up a number of executive offices. Within them were support service agencies: HHS, social services, public health, mental health, the Commission for the Blind, the Rehabilitation Commission. MDPH also had an Executive Office of Public Safety, which contained the public safety functions. Public Health was one of the departments within the Executive Office of HHS.

The HIPAA PMO office was put in human services because most of the agencies affected directly by HIPAA were human services agencies. Ms. Allan said MDPH took a state-wide approach, sending surveys to every state government and executive office and conducting follow-up calls to anyone they thought might be a covered entity. She said Elder Affairs wasn't part of their secretariat, though they added flavor to some of their meetings that most of their staff didn't usually get to hear. And MDPH recently found a health insurance program for the uninsured stuck in their Division of Employment and Training fit the plan definition and they were trying to bring them in. She said MDPH was reaching out to all state entities and had taken on coordination for the entire state.

Noting Mr. Ballin mentioned that DPH oversaw some 200 programs and gave the example of the Cancer Registry as one that was neither a provider nor plan, Ms. Kaminsky asked about other programs similar in this way. Even though they'd creatively and accurately looked at surveillance activities as a health care operation, Ms. Kaminsky suggested they didn't necessarily need an accounting for disclosure. But she didn't know if that would hold true for the entities disclosing PHI for surveillance activities.

Mr. Ballin said MDPH started its survey at least a year and a half ago. They did it by bureau, knowing some were more likely to fit under the definitions than others. The Family and Community Health Bureau administered many programs (e.g., early intervention, healthy start, and many screening programs). Many operated as a payer-of-last-resort type of program. They'd also looked at programs in the Communicable Disease Program Bureau, AIDS Bureau, Substance Abuse Services, and a number of registries that Mr. Ballin didn't believe would fall under the definition of a plan or provider. He noted there were a number of programs and much depended on how they defined them. Mr. Ballin noted two issues: providers disclosing information to DPH as they were authorized to do by law, and what they did with that information. In certain cases, PHI was used to investigate sexually transmitted diseases and other activities. When authorized, sensitive identifiable information was disclosed in certain cases.

Ms. Kaminsky said she was trying to clarify if disclosure of surveillance information wasn't one of the circumstances Mr. Ballin had in mind when he said he didn't think DPH had accounting for disclosure responsibilities in some circumstances. Mr. Ballin concurred. He said he'd been referring to PHI that they could subsequently disclose. Providers still had to account for disclosures as required by law.

Panel 2: State Agencies/Public Health Authorities

Ms. Bergman explained that the New Hampshire HHS was an agency of the Executive Branch of New Hampshire State Government and a legal entity. Its programs included Alcohol and Drug Abuse, Behavioral Health, Developmental Services, Community and Public Health, Children, Youth and Families, Child Support Services, Elderly and Adult Services and Family Assistance, and the Division of Juvenile Justice. In addition, there were nine support offices, three health care facilities, an acute psychiatric care 172-bed facility, a 110-bed home for the elderly, and a 14-bed halfway house for recovering men.

Ms. Bergman explained that the Commissioner of the Department was responsible for the overall management of the Department, set policy, and oversaw implementation of all services and programs. The Commissioner provided the leadership and direction necessary to ensure the design and delivery of a comprehensive, coordinated community-based and family-centered system of services. Ms. Bergman explained that common control existed at the Department level. The Commissioner had direct power to significantly influence and direct the actions and policies of the entire Department. The Department's divisions, offices, and facilities didn't have their own legal identities. Ms. Bergman said the Department had struggled with its designation status. She said it received an overwhelming amount of advice and argument from attorneys, consultants and other states as to what the designation of the Department would be (e.g., hybrid, single covered entity with multiple covered functions, single covered entity).

In determining the Department's compliance responsibilities under the HIPAA regulations, Ms. Bergman said careful, long consideration was given not only to the privacy regulation's requirements, but also to how the Department functioned. The Department believed that it wasn't HHS's intent, in the promulgation of the privacy regulations, to significantly impede the way in which covered entities conducted business or provided services. Rather, as stated in the preamble, the intent was to provide scalable, workable standards for the protection of an individual's privacy relative to their health care information. One of the department's largest stumbling blocks was in determining the proper covered entity designation as a state agency. They had wondered how they would have assessed their HIPAA readiness if they were undecided regarding their covered entity status. As a result, she continued, they had made the decision to move forward with a total department HIPAA privacy assessment rather than limit the review to obvious and known entities. She noted they were thankful that in their assessment they discovered many areas that might have been overlooked had they strictly followed the “duck walk.”

The department acknowledged that designation as a single covered entity would have required the most central agency coordination and more effort on behalf of the department in developing compliant policies and procedures and a training program, and enforcement of the standard on the entire department. The department perceived the risk of bifurcation of privacy compliance at the department level as far greater than the perceived burden of overall department compliance with the privacy rule.

Ms. Bergman said department services and administration were provided seamlessly across the department and followed a matrix model. It was agreed that designation as a single covered entity for the purposes of complying with the HIPAA privacy rule supported the department's organizational make-up and philosophy and met the intent and requirements of the Privacy Rule. The Department believed it could comply with the privacy rule and still maintain its organizational processes. It planned to do this without creating inequitable rules of practice, duplicate auditing or compliance efforts, firewalls or boundaries between program areas that needed to share resources and information in order to effectively serve their client populations.

She said the department was pleased with the amendments to the hybrid definition permitting covered entities that could qualify as hybrid entities to choose whether they wanted to be hybrids as well as the deletion of the term primary. With few exceptions, the department believed that most of what it did wasn't related to health care and the designation of health care components was contrary to the department's management philosophy.

Ms. Bergman explained that organizationally state governments and agencies weren't always the same. There was no template for state executive department organization. Though historically similar, administrative configurations often differed. The amendments to the privacy rule created a better environment for the way the New Hampshire HHS did business to meet the privacy rights and requirements mandated therein and didn't force a compliance designation contrary to their business model.

Ms. Bergman said it had been presumed that state agencies had a less rigorous compliance process than other entities falling under the requirements of the Privacy Rule. This wasn't the case. In order to implement the provisions of the Privacy Rule and comply by April 2003, they had to review every rule throughout the agency, amending those that existed and creating those that didn't. For in-house practices, the process wasn't particularly painful. However, the department's practices and policies affected individuals outside their agency and any new policy or practice had to be promulgated through the Administrative Rules process, which included notice of rule making, public hearings, comments, and finally legislative approval. Because of their diverse activities, the geography of the PHI within the department, and their decision to designate the department as a single covered entity, this would require extensive efforts. As a state agency, they were required to follow other privacy mandates, both federal and state. They had to be vigilant in their review and cognizant of preemption issues.

She said that in order to mitigate the risks inherent in a very complicated work plan, they were expanding their HIPAA infrastructure to include a Compliance Office which would work closely with their attorneys, consultants, and program areas to decrease the burden on any single resource and organize an extended group around compliance issues.

Ms. Bergman addressed her department's experience to date with the accuracy and quality of consulting organizations related to privacy. In most cases, their expertise was strongest in the areas of transactions and security. Most organizations seemed to have a good-to-excellent understanding of the requirements of HIPAA in these areas and were effectively able to assess and recommend remediation techniques. She said the accuracy and quality of the consulting was less than they'd hoped for with privacy. It had been difficult for consulting organizations to understand that one size didn't fit all when it came to assessing privacy within state government (e.g., a template used for a hospital or health plan couldn't be placed on a government agency). They hadn't experienced the level of expertise they'd assumed was available in interpreting the complex standards and implementation requirements and in determining the impacts of the privacy rule on their business processes. Ms. Bergman noted that, like transactions and security, privacy remediation at a state agency required individuals with extensive knowledge in privacy practices, individual rights, government operations, and some level of legal proceedings. She emphasized that her comments weren't a reflection on the consulting organizations' general abilities, only their lack of expertise in the project area.

Ms. Bergman said the department anticipated that interactive Web-based training would provide basic training on the privacy requirements, policies and procedures. Their training program was geared to both employees and non-employees under the direct control of the department, to ensure that they had the requisite information and guidance to know the rules and how to comply. In-house trainers were required to attend Train-the-Trainers seminars. Ms. Bergman said training the entire workforce again was extremely burdensome because of increased demands on funding and human resources. They were never sure they'd reached everyone or that employees received consistent, correct information. In the past, it took over six months to train the entire workforce about sexual harassment or drugs in the workplace.

Discussion

Asked what the hybrid definition changing had to do with her own designation, Ms. Bergman explained that there didn't seem to be any wiggle room in the original rules. She said New Hampshire's HHS considered itself a single covered entity, but its attorneys and consultants thought they were a hybrid because delivering health care wasn't their primary function. When the amendment came forward, they were pleased to see they could do whatever they wanted within the realm of the standards.

Ms. Greenberg said they'd heard a lot the previous day about how providers were being helped by their national professional associations as well as collaborating across their profession, either in a state or regionally. She asked whether organizations like ASTHO had provided regular communication or technical assistance and noted that NACHO would potentially seem to offer a parallel to AMA in providing help to provider groups.

She recalled that Medicaid also used to think that each of its agencies was unique, but found through HIPAA that they had more in common than they'd thought. She noted many departments of public health had privacy officers and, even though in many ways each state was unique, a lot of their activities were in common. Ms. Greenberg asked if there was an association of privacy offices and about activities among health departments and their national associations such as ASTHO. Mr. Ballin said MDPH had early discussions with ASTHO about clarifying the covered entity definitions. They'd worked with attorneys and had similar problems. They'd submitted questions hoping there would be a state submission to HHS that covered the issues and concerns of all 50 states, rather than every health department in the country acting separately. They'd never heard back. After that, MDPH was involved in HIPAA issues and he occasionally joined in ASTHO conference calls. Mr. Ballin said he hadn't seen a lot in terms of state health department coordination on HIPAA issues. But even though each did its own assessment, he said there was a lot of benefit to everyone not reinventing the wheel. Through MHDC, which helped the whole state health care industry, MDPH had a wide variety of contacts throughout the country. MHDC provided assistance in terms of how other states dealt with the issue.

Mr. Ballin said early on he'd hoped some organization of state health departments would take the lead as so many of their programs were federally funded and their issues weren't unique. Ms. Greenberg asked if they had a privacy officer in their organization. Mr. Ballin explained they had been held up by the covered entity issue and were behind in their compliance process and in the midst of hiring one. They thought having someone working full time on HIPAA would help them significantly. Ms. Greenberg asked if Ms. Bergman's experience had been similar. Ms. Bergman explained that because she worked at the department level and public health was a division within their department she probably wasn't as familiar with their immediate issues. She said a number of their employees and staff had been involved with regional conference calls. They monitored the NEME regularly, and had a number of work groups. The latest, a public health work group, had members from 50 states. They also tried to keep up to date with WEDI and GIVES. Ms. Bergman said as state agencies they tried to coordinate and understand their problems and not to reinvent the wheel.

Dr. Cohn said that he had been hearing within HHS that in most states the HIPAA model seemed to work. He said he couldn't figure out how Ms. Bergman would address the issue Ms. Allan identified related to how HHS and outside non-covered commissions, departments and agencies in the state would collaborate on work activities that were more case than disease management. Ms. Allan said Massachusetts was probably different than New Hampshire because of the way they were structured. Their executive office provided coordination among independent agencies. Agencies were often related. Direct financial assistance; the Medical Assistance Program; Social Services (the primary agency supporting families and children at risk), the Division of Youth Services (which served the criminal justice system in terms of disturbed youth) were all independent agencies within the secretariat. Ms. Allan explained that public health was a covered entity, as were medical assistance and mental health. Social Services and the Department of Transitional Assistance weren't. She noted that clients often received services from a number of agencies. A special task force with agency representatives from all the agencies that provided any kind of mental health looked at cases on an individual basis to determine if there was a better way of servicing them or if services from a number of different agencies could be brought together to give comprehensive support.

Ms. Allan added that families presented a challenge because an intake at a mental health center could clearly indicate potential for a disruptive or disturbed home environment. Normally, the intake worker notified Social Services. This wasn't a mandatory report, but flags went up. Possibly children were at risk or at least in a home environment that might need intervention. Normally, there'd be a referral and a case worker would contact the family and assess whether there was a difficulty. Ms. Allan said HIPAA didn't let them do that anymore, because coming into a mental health center stated they'd had a mental health problem. Under HIPAA, they couldn't even say someone was a client, unless a state law mandated that they report it. They could no longer do a case referral as they used to do. In some cases, they might be able to get authorization, but it was unlikely anyone would get an informed authorization at intake. And one had to assess whether this was enough of an emergency that one could report it under the HIPAA rules.

Ms. Allan said people worried about violating HIPAA and would be conservative. What was seen as a huge potential for lawsuits caused state agencies and their caseworkers to be careful. Ms. Allan's concern was that this would impede the services their clients most needed. She said they grappled with how to not let this happen. Dr. Cohn said he'd heard the problem before, but Ms. Allan identified it more clearly. He noted that this wasn't a Congressional hearing, but a hearing by NCVHS that was trying to advise HHS about implementation and ways to ease burdens and make things work better. He said he was still waiting for some solution and wondered if she had any thoughts.

Ms. Allan said Massachusetts and New Hampshire were looking at all of their regulations and state statutes to see how they could do substantial regulatory revisions that might be required by law. As a state agency, they walked a delicate balance, not wanting to put into effect laws in statutory or regulatory form that could be abused in terms of the state's reach in sharing information. She said they tried to balance program needs against individual rights in the state statute on privacy. If they erred, it would be toward the individual's privacy rights.

Ms. Allan expressed concern about any impediment to social services trying to prevent harm to families or children or get people into a situation where they were better able to handle their lives. She said guidance on how they might do regulatory changes and use authorizations would be helpful.

She said it was going to be almost impossible to do an authorization on in-take or at the beginning, which was considered compliant, because of the specificity required. It wasn't realistic to keep going back to a client for additional authorizations.

Ms. Allan said it usually took 18 months to get regulatory changes through the system; they couldn't get regulatory changes in place soon. Only a handful of agencies were putting forth regulatory changes. Statutory changes were anyone's guess. Over the last few years the Massachusetts legislature almost exclusively focused on budgets and almost every other piece of legislation got shelved. Ms. Allan said they couldn't guarantee that they'd get the attention needed. In that respect, she saw the HIPAA rules as being a step backwards for services for people.

Ms. Bergman noted that New Hampshire was small, rural and had a tight-knit service community. From a department perspective, all the divisions that contracted with or regulated those entities were under one roof. A New Hampshire and Vermont consortium of hospitals, physicians and other health care providers dealt with the issues of HIPAA. The steering committee broke out into work groups that included privacy, security, and transaction and codes. She said communications about what needed to be done and how it might be done worked well.

Ms. Bergman said the department didn't have the resources or money and tried to stay away from being a trainer for other state agencies or providers. Instead, they held training sessions with community mental health centers, developmental disability sites, nursing homes and residential care facilities and educated them to go out and find the assistance they needed to become HIPAA compliant.

Dr. Cohn told Ms. Allan that the issue she brought up about the litigiousness around the privacy mandates was fascinating. Asked whether the types of services and population were more litigious than the general society, Ms. Allan said she didn't think so, but that the state provided a nice target which was why they were particularly concerned.

Dr. Cohn said he had the impression that local public health officials in Massachusetts were understaffed and underfunded and probably hadn't done much to get into compliance. Mr. Ballin said that was a very fair statement; local public health officials were fed up with state and federal mandates. Massachusetts didn't have a county system and so many health departments were in very small towns, extremely understaffed, and barely had any computer systems. Additional mandates on them were significant and they dealt with them in public health regulations that in many cases were enforced at the local level. Larger health departments (e.g., the Boston Public Health Commission) were in a better situation to deal with HIPAA compliance issues; however, every local health department was concerned about HIPAA requirements. Dr. Cohn said the irony was that the issues the regulations covered often felt greatest in a small community, because everyone knew everyone else. Perhaps it was most salient there.

Mr. Rothstein said he heard frequently that, even before the compliance date, public health officials throughout the country were running into difficulty obtaining the kind of surveillance data and reporting they'd always used. HIPAA didn't expressly prohibit disclosing it, and yet providers and hospitals were making it very difficult to get the data they needed (e.g., on infectious and sexually transmitted diseases, suspected child abuse). Mr. Rothstein expressed concern that they had heard in prior panels about the lack of training for physicians, especially in small group practices and smaller provider organizations. He expressed concern that training would concentrate on how to comply, not what was still okay to do. He asked if the panelists could shed any light on this concern or make any recommendations about how they could still get the data needed for public health services.

Ms. Greenberg said what she'd heard yesterday was, “When in doubt, don't provide information.” She said the mind set was concern about litigation and that the safest thing was not to provide it. Mr. Ballin agreed. He said it would take a great deal of education, particularly to the smaller providers who might not be as familiar with exemptions in HIPAA that allowed public health to proceed as it must. He said it would take educational effort from the department and, hopefully, other groups including trade associations.

Mr. Ballin said MDPH was still caught up in how it could meet the deadlines and come into compliance. He reiterated that MDPH received a number of calls. People thought they wouldn't be able to get information after the compliance date and in most cases he found exemptions that specifically allowed for reporting. The perception, however, was that HIPAA didn't allow them to do anything and they had to hold onto everything until they were sure they could.

Mr. Rothstein said public health reporting would be lost if it was item 35 on the HIPAA training for providers, but if OCR made available a pamphlet entitled HIPAA and Public Health Reporting they could efficiently distribute it to reporters and county health departments. Mr. Ballin agreed and said having it come from HHS would be helpful. He noted that, to a certain extent, they had to interpret someone else's regulations, which they weren't always comfortable doing.

Ms. Bergman said it appeared that their public health division lacked in actual policies and procedures around surveillance and oversight activities. Although they'd enabled legislation that provided for surveillance and gave them the authority to do it, the actual process for doing it and why was vague and limited. She said they saw HIPAA as giving them an opportunity to beef up those areas and provide a policy or procedure at the department level for the type of businesses they performed daily.

Ms. Allan said she liked to encourage that. One overwhelming issue they faced was getting people to understand what HIPAA didn't do as well as what it did. Ms. Allan said she didn't know how to educate the law enforcement community about the steps HIPAA required them to take now in order to access PHI, under what circumstances they could access it, and how they could use it.

Panel 3: Consultants/Other Resources

Mr. Szabo explained that the BBA Task Force reviewed and analyzed state laws, regulations, executive orders, court rules, and cases to determine interactions with the final privacy rule. Members developed a list of more than 200 laws and regulations and compared them to HIPAA for preemption and analysis. The task force's final report will summarize state laws or regulations alongside a synopsis of the relevant provision of the privacy rule and provide conclusions regarding preemption and additional commentary or qualifications. BBA plans to release the analysis on a CD-ROM along with the conceptual template in the fall of 2002. Mr. Szabo noted that the law firms and lawyers who worked on the project wouldn't be monetarily compensated.

BBATF subcommittee chairs also describe the state laws that apply to health information at quarterly meetings of the Mass Health Data Consortium Privacy Officer Forum. Mr. Szabo said privacy officers were aware of their obligations to abide by state and federal law and were interested in the task force's work. Health care organizations also expressed interest in the task force analysis. Mr. Szabo noted that the Health Privacy Project at Georgetown, ABA, the state of Maryland, and other professional and trade associations also studied HIPAA preemption.

Mr. Szabo said several factors contributed to the complexity of HIPAA preemption. State privacy law was inconsistent, overlapping, and had unclear mandates. In Massachusetts, many related laws governing the obligations of health care providers, insurers, government agencies, and others are imbedded in licensing laws, regulations governing professional discipline, evidentiary privilege statutes, fair information practice statutes, public health reporting laws, and crime prevention statutes.

Another cause is the administrative simplification statute itself and its partial preemption clause that saves state laws more protective of privacy and access and preempts many, but not all, others. Mr. Szabo noted that Congress repeatedly failed to adopt a national medical privacy law after the enactment of HIPAA in 1996. Political questions including preemption, regulation of research, and parental rights prevented Congress from reaching a consensus. Mr. Szabo said the complex partial preemption language that created a privacy floor but not a ceiling was a political compromise required to enact a law authorizing the Secretary to create the present privacy regulations.

Mr. Szabo emphasized that the report was a technical tool and wasn't meant for providers on the front lines. He cautioned that there were limits to the utility of a preemption analysis and the degree of certainty it could offer. He cited the Massachusetts Privacy Act, a law of general application that applied to all persons and businesses. The long, detailed, complex HIPAA privacy rule set forth substantive rules, mandated procedures to enforce and document them, and regulated both external disclosures and internal uses of health information by covered entities. What wasn't permitted by the rule was forbidden. The Massachusetts right of privacy law consists of two sentences. “A person shall have a right against unreasonable, substantial or serious interference with his privacy. The Superior Court shall have jurisdiction in equity to enforce such right and in connection therewith to award damages.” This law is simple, short, general and vague. It requires no forms and mandates no policies or procedures. It doesn't require the appointment of a privacy officer, designation of affiliated covered entities, or an organized health care arrangement.

Unlike HIPAA, the Massachusetts right of privacy law allows state courts to award damages or provide equitable relief, injunctions and court orders from invasions of privacy. Mr. Szabo said the final rule might become the best practice for the protection of individually identifiable health information. However, he noted anyone at any time could argue that a use or disclosure of health information permitted by HIPAA was a violation of the state statute and the Massachusetts courts would decide the point.

Mr. Szabo portrayed HIPAA compliance as divided into three tiers. Large organizations (e.g., licensed health plans and integrated delivery systems) that had made substantial investments in HIPAA compliance in terms of staff, legal resources, consultants, and technology comprised the first tier. Some were ready now. Most would be ready in April.

The second tier was composed of organizations that had begun their efforts but were far from ready and might be hampered by under capitalization and thin or non-existent operating margins. HIPAA was one of many mandates they had to comply with and they'd do what they could with what they had.

The third tier was made up of individuals and organizations unaware of or resistant to hearing about HIPAA. This included sole proprietors, self-insuring employer-sponsored health plans, and business associates surprised by a new contract required in April to keep their customer base intact. Some providers were well prepared to meet their HIPAA obligations. Others (e.g., many clearinghouses) were only now discovering that they had HIPAA-related obligations with respect to employee health benefit plans.

Mr. Szabo suggested that: small providers be given access to approved forms of notices, authorizations, and policies and procedures simple enough for a small organization to use yet compliant with the intent of the rule; a form of administrative simplification be tailored for small organizations and sole practitioners; the cost of HIPAA implementation be taken into account in setting provider rates of payment, especially for providers highly reliant on government payments (e.g., community mental health services) whose entire patient population might rely on state funds and Medicaid payments; and outreach and educational efforts targeting smaller organizations, health plan sponsors, and others not fully aware of their obligations.

Mr. Szabo noted that some providers literally had no money to divert to HIPAA compliance. Others were forced to make painful choices between investing in compliance or in quality improvement, clinical staffing and health technology.

Panel 3: Consultants/Other Resources

Ms. Ruffino reported that provider office staffs consistently thought HIPAA offered better business practices than what they'd been doing. Ms. Ruffino identified three major problems with provider offices. First, the standards still weren't fully understood and even if provider office staffs had time, HIPAA wouldn't be their first priority. Dealing with regulatory, business, and reimbursement issues consumed far more time than providers wanted. Physicians and other providers trained to treat patients would probably prefer spending 90 percent of their time on treatment and ten percent on business, instead of the 80-20 rule.

Secondly, only critical issues were likely to get physicians' attention or resources beyond patient care. Ms. Ruffino noted, although it had long been known that electronic transmissions were more cost effective, efficient, and required less staff, not all doctors' offices were electronically sophisticated. She postulated that this was because implementation was time consuming and not where physicians wanted to spend time or money.

The third problem was the squeeze on reimbursement rates: no money was included in the HIPAA legislation for additional reimbursements. The most recent survey by the Health Information Management Systems Society (HIMSS) and Phoenix Health Systems (PHS) indicated payers were ahead of providers, especially small offices, in implementation. Ms. Ruffino noted payers could more easily find money, had more access to financial markets, and also had the first dollars. As premiums came in, payers could take theirs first and make cost accommodations down the line, sometimes at the expense of the provider.

In regard to myths, Ms. Ruffino said HIPAA (or administrative simplification) was as much an industry initiative as anything else. Industry wanted administrative simplification for good reasons (e.g., reducing health care costs) and the payers and providers would benefit with fewer forms, quicker access to information, and payment. But Ms. Ruffino cautioned that HIPAA wouldn't help consumers much.

Noting that it was consumer advocates that pointed out a diskette with everybody's file on it or information accessible from 100 miles away necessitated more security, Ms. Ruffino suggested privacy rules were more accurately described as consumer mandated than as an unfunded federal mandate. She applauded that HHS and OCR had been asked to manage privacy for consumers. Contending that consumer premiums and savings on electronic transactions funded privacy and security, Ms. Ruffino said consumers had been paying for privacy and security; they just hadn't been getting it.

Remarking that there hadn't been many resources available, Ms. Ruffino said the collaborative efforts throughout HIPAA were impressive. She told how at one of the first HIPAA summit groups, everyone took on an assignment to make papers and resources available at no cost to anyone in the industry. She noted that the National Council for Prescription Drug Programs (NCPDP), WEDI, AMA and many others provided resources. She said the downside was that many resources were too meager or less than accurate and it was hard for providers to know which resources to choose. In Ms. Ruffino's view, providers that based their whole HIPAA program on a book that turned out to be wrong would still be ahead, though they might have to make some changes. Recalling the compliance kit they'd heard about yesterday, she expressed concern about simplistic advertising.

Ms. Ruffino said, like Mr. Rothstein, she never saw clients without the guidance, which she described as easily readable and understandable even by those who'd rather not understand. Noting the federal government had clearinghouses (e.g., the Department of Education's Web site on early childhood education) where people knew to go for valid information, Ms. Ruffino urged the Committee to make the guidance and FAQ's more accessible. Ms. Ruffino recommended a simple HIPAA practice management handbook for small provider offices with sample policies and procedures and the information on obtaining forms that Mr. Szabo requested. And she urged that current resources such as WEDI and the California Health Foundation be pointed out.

Noting that, early on, the elderly in Florida were told not to give providers any information, Ms. Ruffino emphasized that consumers needed to know the purpose of HIPAA was to improve information for health care purposes. As a consumer, every time she filled out a form in a doctor's office she thought about it differently than she did three years ago, considering whether her answer might have value in relation to her treatment. She noted many questions didn't have anything to do with health care and expressed concern that important questions wouldn't be answered the way they should.

Dr. Danaher interjected that he thought the clearinghouse idea facilitating that things got done for small and medium-size providers was excellent, but his concern was that these providers were far behind the eight-ball. These providers had limited resources and picking the wrong consultant or paying three thousand dollars for a Massachusetts state preemption analysis could be financially ruinous for many providers.

Panel 3: Consultants/Other Resources

Dr. Weintrub, a practicing physician and software developer who was completing an educational CD-ROM to help Blue Cross Blue Shield of Rhode Island educate providers, discussed the process of building a multimedia application to help physicians understand and comply with HIPAA. Dr. Weintrub observed that, even after years of publicity about HIPAA, many physicians were only casually aware of it, many thought it was optional, and most didn't know about penalties for non-compliance. He emphasized the need for physician buy-in, and noted that compliance was a tough sell and physicians hadn't been given the tools. Government and industry resources were comprehensive but scattered, weren't physician-oriented, and the material was difficult to locate and use. Dr. Weintrub said the educational CD-ROM was intended to give physicians and their office staff a simple, bare-bones explanation of HIPAA, the necessity of complying with it, and easy access to the tools and materials they could use to meet its requirements and deadlines.

A preliminary component of the project was a series of four free CME seminars for physicians with a faculty of national and regional specialists in various aspects of HIPAA. Information developed for the seminars also formed the basis for the content of the multimedia CD. In addition to a narrative of the information presented in the seminars, the software application contained screen displays emphasizing main points of each section and appropriate resources.

Dr. Weintrub said developers found a system as complex as HIPAA that needed simplification and lent itself to multimedia presentation on widely-available personal computers exciting to work on. The impact on the physician's daily work was undeniable; the penalties for non-compliance were severe; virtually all physician offices had personal computer systems and there was a need for simple tools, customizable materials, and one-stop shopping for HIPAA compliance for physicians' practices.

Design goals included making: complex concepts understandable; an overwhelming amount of material digestible by breaking it into manageable pieces; boring material interesting by presenting it in a multi-media environment; collateral material and actionable information available and in context; the application itself easy to use; and physicians confident they could access everything needed and manage the project successfully.

Dr. Weintrub noted that HIPAA legislation, with its thousands of pages of legal and technical information, was outside the physicians' usual frame of reference. HIPAA could be broken down into general components, privacy, security, and transaction standards, but each was so complex that explaining it required even more specific levels and types of expertise (adequately describing how to comply with the privacy rule meant involving specialists in health care law, health care policy development and implementation, practice management, training and education, and technology).

Because HIPAA legislation was so long, the focus was on only the most relevant information necessary to complete a compliance project successfully. The project's essential challenge was to distill HIPAA, extract and repackage its key parts, locate and present in context collateral materials (e.g., the NOPP and Authorizations), and suggest operational steps in the compliance project plan while putting everything in proper perspective and sequence.

The seminar presentation includes a speaker on each main component, backup slides, and handouts of sample wording, forms, and checklists. The software presents the same material in multi-media formats: voice narration, screen displays, and a resource section references collateral documents and information. Five experts were assembled: a health care attorney, a policy expert who participated with HIPAA workgroups on a national level, a member of NCVHS with expertise in employee training, a consultant/trainer from a nationally-recognized practice management firm, and a physician/solutions developer to cover transaction standards.

Dr. Weintrub said gathering the material (e.g., the NOPP) was difficult, demonstrating the need for the product. Dr. Weintrub recommended that the public sector put all actionable HIPAA information and documents on a single Web site (similar to the federal site for copyright information).

He said together, they told the highlights of the HIPAA story in simple language and a logical sequence, tailoring it to physicians; created Cliff Notes for doctors (Getting Your Practice Ready for HIPAA); gathered relevant source documents and referenced appropriate and helpful resources (e.g., the explanation that the Model Compliance Plan was really an extension for transactions, provided the Web link and PDF file and told how to complete and submit it).

Discussion

Dr. Zubeldia asked Ms. Ruffino, as a practicing consultant, her recommendations on how to choose a consultant. He wondered if the clearinghouse of consultants mentioned would be a solution and if some level of expertise or qualification had to be met. Ms. Ruffino said that state hospital or medical associations could do that. She noted that offices with sufficient staff that attended sessions probably wouldn't need consultants. Ms. Ruffino said she thought consultants should play a minimal role in HIPAA. While recognizing that there were legal aspects, Ms. Ruffino opined that the focus should be on the business perspective. Ms. Ruffino emphasized relying on a basic set of resources and, when somebody had to be brought in, having the local medical society or trade association identify people who'd worked well with them.

Mr. Rothstein noted everyone was concerned that providers, health plans, and even clearinghouses had probably thrown money away on consultants and vendors who weren't up to speed. Noting that clearly there was a role for consultants and vendors in training employees, working out procedures and other things, he recalled an earlier panel explored whether it would be valuable for some group to publish a guide to selecting a HIPAA expert or consultant. Ms. Ruffino said she thought the process was backwards; practices should first see what was required. She stressed that a basic HIPAA handbook would enable practices to see what an office needed to have and do, and explain required policies. Then they could decide whether they needed a consultant. Ms. Ruffino gave the example of offering her services to her own physician who thought he was all set because he'd hired someone who'd been doing this. The staff member had a big binder with materials from the CMS Web site on physician office compliance. None of it was HIPAA, which was what the compliance information had to meet. Ms. Ruffino saw a problem with consultants coming with a whole laundry list of things to do without knowing what the practice was about. Ms. Ruffino emphasized that right now the concern was HIPAA. Three years from now it could be regular office compliance. Basically, the issue was protecting the privacy of patient information and one's own liability. That didn't require 150 pages.

Mr. Szabo agreed that government agencies weren't well suited to certifying or adding consultants. He supported a basic guidance document about HIPAA, even though he believed the market and professional societies could correct some of their own excesses and mistakes. Mr. Szabo stressed that the basic guidance document shouldn't include exotic questions that didn't affect the average practitioner's practice. But he said it could list resources (e.g., lawyers, consultants) the professional societies interviewed as a service to their members.

Focusing on the importance of right emphasis and approach, Mr. Szabo said he was glad to hear a comparison to the Medicare/Medicaid fraud and abuse compliance and plans. For many good reasons and years, the Office of the Inspector General and the US Attorney's Office strongly resisted giving guidance and advisory opinions to industry. Mr. Szabo said that was partly because of fear that some behavior could be called justifiable conduct and that information disseminated could be used against them in a trial with another factual context.

Mr. Szabo said a key decision in issuing guidance documents was whether the priority was to change behavior or protect a later legal position in the event of a prosecution or enforcement action. There was logic behind having OCR enforce this rule rather than OIG, and there was logic to a different approach to the availability of guidance, notwithstanding the burden of producing it. He noted the scope of what would be said was also important. Given that the goal was simply to educate providers to improve their business practices, Mr. Szabo said he believed the negative effect of providing too much guidance (if there was such a thing), was less than in areas such as fraud and abuse. He endorsed what they'd just heard.

Ms. Ruffino again emphasized that dependence on consultants was the wrong message; providers could handle this, but they needed the basics. Dr. Danaher expressed a different view in terms of medium to small practices' use of consultants. Noting that practitioners had a mindset of being extremely busy, he predicted that on the basis of a back-of-the-envelope cost benefit analysis they'd bring in an OSHA consultant to do a gap analysis of the practice and give their stamp of approval. Because it would be easier to bring somebody in than hire knowledgeable staff, Dr. Danaher foresaw a burgeoning field of consultants. He agreed that OCR wouldn't want to get into the business of saying who was a good or bad consultant, but he liked the concept of a clearinghouse. He noted he'd been struck by the role state agencies, medical societies and hospital associations played in disseminating information and providing awareness and education.

Dr. Danaher postulated that OCR could request that professional organizations in various locations provide lists of resources they'd vetted and post them with a disclaimer stating they weren't endorsing anyone but putting forth potential resources that had been demonstrated to be useful. If that wouldn't work, he suggested OCR might ask the Massachusetts Hospital Association, for example, to put the information on their Web site.

Dr. Danaher noted that HIPAA tenets and principles regarding medical privacy would be around for everyone's lifetime and that, in other areas such as disease management, not-for-profit bodies had set standards by which organizations could measure themselves. He wondered whether OCR, HHS or another appropriate body could encourage formation of a not-for-profit entity that set standards and oversaw HIPAA-related issues.

Mr. Szabo anticipated that aspects of HIPAA and privacy would be reflected in revised JCAHO accreditation standards. There already were chapters on HIM and patient dignity that included the issue of privacy. Mr. Szabo anticipated a new chapter on standards for review, which would get embedded in Medicare participation and might easily be delegated to state regulatory authorities. Similarly, he expected NCQA was looking at questions of privacy and health plan standards and how to deal with subscriber information. He said other interesting questions related to what accrediting or private sector standards setting body would speak to self-insured health plans or organizations less subject to the review process related to standards of accreditation. And he noted that private sector organizations were working at developing standards. Some were multi-industry general privacy-oriented organizations; others, like MHDC, were region specific and had a more focused application, such as in health care. He predicted that an unknown leader would emerge. Ms. Ruffino remarked that NCQA and JCAHO already did a joint communiqué on privacy about two years ago. Both organizations would continue to be in place.

Ms. Ruffino supported such clearinghouses not making recommendations, due to liability issues. She said OCR could suggest categories of resources state organizations and trade associations might make available to their providers and then Connecticut Dental Association, Massachusetts Medical, and the Hospital Association of Massachusetts could collaborate. Noting that collaborative efforts regarding HIPAA had been outstanding, Ms. Ruffino envisioned that OCR could both leverage continued collaboration and help direct it by pointing out that a set of standards would evolve. Such standardization would ensure that one didn't get more in Massachusetts than in Idaho or Utah. Dr. Weintrub remarked that the idea of standards was better than a standards organization. Collating the proper resources and categorizing them by various entities would make resources classifiable and understandable to the various groups looking for those resources. A physician practice and other entities would each have a section tailored for them. He noted the concept in surgery called the surgical atlas where before surgery one reviewed the procedure. People wanted to be able to go to one place and look up how to do something.

Dr. Danaher commended Mr. Szabo on the BBA task force's work. Noting that physicians and provider offices hadn't gotten their arms around HIPAA, let alone the issue of state preemption analysis, he asked about that committee's output to provider offices. It seemed as if the main beneficiaries would be hospitals and health plans. Mr. Szabo explained that the task force's charge through the Health Law Steering Committee was to produce a technical tool useful to attorneys. He hoped it would be equally useful to privacy officers and others who understood the rule. It provided a cross-reference, guidance about the laws, and a short form analysis of how to decide whether state or federal law applied in a particular situation. But he clarified that the document wouldn't be produced in an easy-to-use form for providers. The report wasn't geared to hospitals, clinical managers, or cancer care units, but was a technical tool that helped specialists generate advice that in turn might be passed on in a more appropriate issue-focused form to those asking the questions.

Regarding state law and the general issue of preemption, pre-HIPAA, Mr. Szabo said he'd ask a hospital manager, practicing physician, practicing clinician or someone at a health plan if they were abiding by state law. Sometimes, providers weren't aware of what the law was, though he generally found that physicians understood that dealing with patient secrets improperly was, at the very least, probably malpractice and would get them in trouble with the Board of Registration in Medicine. Mr. Szabo pointed out that state law would still have to be complied with post-HIPAA and the higher standard would apply. If HIPAA was stricter, it would apply. And if a state statute was stricter (e.g., genetic testing or HIV) it prevailed. Mr. Szabo emphasized that the HIPAA privacy rule didn't reduce privacy protection. Patient access, which had a different focus, might be an exception.

Dr. Danaher noted that when asked if they were in compliance with state privacy laws, local providers, health plans and delivery systems always said they didn't know. He added that most providers didn't offer training during employee orientation. Noting that usually an organization that knew the state privacy standards and regulations had faced a problem and was forced to learn about it, Dr. Danaher said he was encouraged that HIPAA involved consequences for non-compliance. With the increasing awareness of HIPAA, organizations and individual providers were making an effort to learn their state privacy regulations. Mr. Szabo agreed that HIPAA raised the bar in terms of awareness. Providers, plans, and clearinghouses were making efforts to become compliant with not only state, but also federal laws and standards. Awareness among the general public and consumers was skyrocketing. Mr. Szabo remarked that “dusty relics of state laws” were suddenly being used and lawyers were adding privacy claims to employment and other law issues bringing them to another level. He reflected that this was partly due to the changes in information technology they'd mentioned. Not only was so much information readily available on the Internet, but also people were aware of its value as a commodity, which changed their behavior and concerns about information.

Mr. Rothstein asked if HHS and the attorneys general in the 50 states should do a preemption analysis similar to what was done in Massachusetts, as suggested yesterday. Mr. Szabo said he'd seen similar questions on listservs about HIPAA. He advised that a document put together with sponsorship could be useful as guidance. An initiative could ensure that it occurred in every state. However, Mr. Szabo questioned whether a preemption analysis should be done through the offices of attorneys general. BBA's task force effort carefully involved state lawyers, some of whom testified at earlier hearings. They participated in personal capacities and the group hadn't asked any government agency for endorsement. Mr. Szabo explained that a state agency might have an interest regarding preemption. (In Massachusetts there had been litigation about whether an in-state law requiring HMOs that provided prescription drug benefits to offer them a certain way was preempted by amendments to federal law governing Medicare+Choice plans. The state held the extremely clear view that there was no preemption. The federal court eventually disagreed.)

Mr. Szabo expressed concern that an attorney general's office might decide they had to promulgate the analysis, and that it would become an expression of binding law. This might not deal appropriately with very fact specific questions that arise and whether federal or state law applied and won out in the end. Many attorneys general might shy away because they didn't want to lock themselves into a position or didn't feel the need to advocate for the state legislature while working on the project. On the other hand, Mr. Szabo supported the idea of more thoughtful guidance and uniformity of interpretation so people could come to at least better, if not absolutely right, answers over time. Ms. Kaminsky said she was overwhelmed by the thought of a preemption analysis and, despite her legal training, didn't even know where entities would start. She asked about the methodology BBA's group used to tackle where these 200 laws came from, particularly case law. She inquired about any surprises that came up; pieces of law Mr. Szabo didn't initially think had to be looked at, but later did. She noted the Massachusetts law was more stringent regarding HIV and genetics, and asked if there were other laws Mr. Szabo used in his legal capacity to advise clients while doing implementation plans. Ms. Kaminsky wondered if she might possibly be giving a proper implementation guidance package to clients without knowing it.

Mr. Szabo said one of the group's lawyers, who was also a HIM person, developed an impressive list of state laws that had bearing upon health information. The committee of 33 lawyers added more. Some were obvious (e.g., the HIV statute and the Massachusetts patients' bill of rights). He said a dog bite reporting statute might not seem to fit, until one considered the patient as well as the dog. Laws about reporting the identity of someone who suffered a particular injury were included. Mr. Szabo said the primary focus was on statutes, then regulations and executive orders. Lists of related cases were circulated and expanded by people who shared information for the benefit of getting a work product.

The preemption analysis followed the template in the regulation. Once state laws related to public health reporting were set aside, Mr. Szabo and his group looked for others and questioned which were more stringent. Some state laws had to be looked at section by section to determine which was more stringent in terms of protection or privacy, allowing greater patient access, permitting less coerciveness toward patients, or placing stronger conditions on written permissions and consents to use information. A multi-part test was used to evaluate which laws were more stringent.

Mr. Szabo gave an example of the complications encountered. In Massachusetts, a psychotherapist had an obligation to produce a patient's record for the patient. However, if a therapist decided that producing the record would adversely affect the welfare of the patient, the therapist didn't have to produce it. Instead it could be sent to another therapist or, with the patient's written consent, to the patient's attorney. The patient wouldn't get the whole record, but either another clinician or the attorney would get the entire record. HIPAA had the same concept but a different standard. Instead of the general welfare of the patient, Mr. Szabo believed imminent harm (perhaps even physical harm to the patient) was the standard for withholding the record. HIPAA provided the patient with more access, therefore HIPAA would win on that question. However, a HIPAA provision stated the clinician didn't have to produce the portion of a record that contained information about a third party that was obtained under a promise of confidentiality. The codified section of the state statute didn't recognize that, therefore, arguably, the state would give a greater right of access than HIPAA and state law would win on that clause. Other exceptions in HIPAA covered the giving of information to a personal representative, if that person might use the information against the interest of the patient. And other principles of state law that might have bearing on similar questions also needed to be considered. Mr. Szabo observed that state laws evolved over many decades. Some were well thought out and written, others just cursory provisions. Comparing them to this complex regulation thought out in one piece, it was sometimes difficult to interpret results.

Agenda Item: Subcommittee Discussion

Mr. Rothstein noted the Subcommittee had final hearings on this matter on October 29-30 in Baltimore, and November 5-6 in Salt Lake City. The meetings were close together and they had to plan both. Ms. Kaminsky said she wanted to cover what OCR planned to do vis-à-vis technical assistance and revisit the purpose of these hearings before talking about whom to get for the next meeting. She reiterated that OCR was focusing more attention on technical assistance. But with the rule out the door and more resources available, she asked if they should put forth additional guidance. Noting that they'd heard that people were very positive about the July 2001 guidance, Ms. Kaminsky said updated guidance to reflect modifications to the rule was being worked on. It would be similar in style and format, with an explanation of different parts of the rule and FAQs. Hopefully, feedback from the last guidance would help make this even better.

Ms. Kaminsky reported that OCR was funding a large-sum technical assistance contract. The contractor would put together written technical assistance as well as educational videos oriented to different types of entities (e.g., small providers, hospitals, health plans). They'd heard repeatedly of a real desire for practical guidance and, hopefully, these pieces would meet that need. Dr. Danaher asked the timeline for completion. Ms. Kaminsky said she understood they would result from a modification of an already existing HHS contract and she hoped they would be done quickly, as it was already underway. She said she'd report on the timeframes at the next meeting. Ms. Kaminsky acknowledged the urgency of getting something out as quickly as possible. Testifiers that day even said they didn't want a guidance sheet because they felt it was overdue. She commented on the dilemma of having a very small window and how tricky it was to get something useful out in such a short time frame. Ms. Kaminsky said she knew others at OCR were aware of that, but she wanted more details about the contract (i.e., what pieces were requested for what covered entities) so the Subcommittee could take them into account in making recommendations.

She suggested putting together specific recommendations for the contractor working on this technical assistance. Ms. Kaminsky requested input. Ms. Greenberg asked if the documents were likely to be specific enough to include the development of model forms. Ms. Kaminsky said that was the kind of recommendation the group could submit. A big contract was underway; she thought a forceful recommendation OCR could clear and give to the contractor would be timely. Ms. Kaminsky said she knew of plans to provide pamphlets for rural health providers. Ms. Greenberg wondered if public health would be covered.

Ms. Kaminsky said if she got permission, they'd probably have a break-out session from the full Committee meeting and she'd try to have the list of covered entities. Noting they'd just heard about community health centers and other public health groups being largely on their own, Ms. Greenberg commented that technical assistance was well funded so it might not be necessary, but if they didn't plan to focus on certain groups, agencies in the department might contribute. Mr. Rothstein concurred. If, for example, they weren't planning on doing something for the Indian Health Service (IHS), IHS might be able to make sure they got their own pamphlets. Ms. Greenberg supported the idea, adding that HHS had the economies of scale for that involvement. Dr. Cohn wanted to clarify whether Ms. Greenberg was referring to a Web site with HHS-approved documents and training that were approved or at least reviewed by OCR and the federal government and could be used in confidence. Ms. Greenberg said her point was that, if it wasn't currently funded to serve certain constituencies, other parts of the department with those groups as their constituencies might enhance the funding. Ms. Kaminsky considered that an excellent point and said she would raise it internally at OCR or with the privacy implementation forum.

Ms. Kaminsky said OCR felt under the gun to get guidance to a wide audience, many of whom testified at these hearings. Operating divisions focused on getting technical assistance to their constituencies. OCR had been constantly asked to review or sanction those organizations' materials and there was already tension in the department. Ms. Kaminsky suggested that perhaps additional funds could be tagged onto this contract.

She circulated a partial inventory of what various operating divisions were doing so members could get a feel for the kinds of technical assistance in progress. She said she wasn't aware of any plans to post it publicly. She also noted a pamphlet that reflected the technical assistance from the Title X part of HHS. Ms. Kaminsky agreed with Ms. Greenberg that technical assistance activities had to be coordinated with the Department's other efforts. Dr. Zubeldia asked if technical assistance for the general public was being considered. Ms. Kaminsky affirmed that consumers' needs would probably be addressed with the technical assistance contract; she said she'd have details for the next meeting. Ms. Kaminsky reiterated her concern that consumers received outreach and education and covered entities got technical assistance. She said she thought it was in the works.

Ms. Kaminsky said she'd informally and formally reported at OCR some of what was discussed at the last Subcommittee meeting. No one particularly favored OCR putting a clearinghouse on its Web site and it was suggested that NCVHS could serve that public interest and put some of the resources it felt worthy on its Web site. Noting that, as they knew, an advisory committee of HHS didn't have the authority to sanction information, Dr. Cohn said the idea of a clearinghouse function and leveraging information might best be saved for HHS and OCR. He reflected that a good use of resources might be to develop everything internally, if time was spent reviewing things, making sure they were appropriate and other people had access.

Dr. Cohn reiterated that people testified about needing an employee and consultants to research and come up with their own interpretations, which might or might not be consistent with an overall compliant approach to implementation. He wondered if there was a way for the federal government to advise or give answers to vexing or ambiguous problems of interpretation. He asked if OCR planned to provide this capability in a timely fashion. Ms. Kaminsky reminded him that people could submit questions to the privacy mailbox on the OCR privacy Web site. The idea was that responses would be made en masse to aggregates of questions, similar to the FAQs on the administrative simplification Web site. She remarked that it could be difficult to access the desired FAQ and answer and hoped the OCR privacy mailbox was more organized and accessible. Ms. Greenberg said she'd heard a number of people say they submitted questions and never received answers. Ms. Kaminsky said she believed there was an auto response. She said that she'd check.

Dr. Zubeldia said he kept hearing that it was frustrating to send questions to the FAQ on the Admin Simp or Ask about HIPAA and never get an answer. Mr. Rothstein concurred. Noting a guidance with FAQs hadn't been published in over a year, he said if the department had no intention of answering questions in a timely manner, that function should be deleted from the Web site. Ms. Greenberg agreed. Ms. Kaminsky urged the Subcommittee to strongly advise that OCR handle FAQs more responsively. She said it was an unfortunate problem and reiterated that she'd touched on some reasons she thought it was happening at the last meeting. She said the Subcommittee would do the public a great service if it made that recommendation.

Dr. Zubeldia remarked that Ms. Trudell had reported that a lot of people at CMS were answering e-mailed questions. Ms. Kaminsky pointed out that OCR did answer a fair amount of questions, but had gotten an enormous amount and that the cultures had gone in different directions and so the responses had been different. Ms. Greenberg asserted that it was hugely resource consuming. Not just one person, but many on the administrative simplification FAQ team answered a question, and often the answers were complex. Ms. Kaminsky agreed. Ms. Greenberg said it really wasn't viable to invite people to ask questions, as some might be frivolous. She wondered how questions might be answered locally by something like MHDC, so the questions that got through were ones that really required more expertise. A timely response would still be needed, otherwise the opportunity to ask questions shouldn't be offered. Ms. Kaminsky noted there was quite a backlog; this was more than just making a timely response from this point forward. Ms. Greenberg was sympathetic.

Mr. Rothstein wondered about the response to the Subcommittee's recommendation that a complete new version be available in print when the final rule was published. The August revisions only listed the changes and there was no place to see the new version from start to finish. Ms. Kaminsky said it would be on the Web.

Dr. Cohn reviewed what he recalled of the sessions and wondered if the Subcommittee could sketch out a brief one-page letter to OCR and the full Committee, explaining what they'd heard during the hearings and what was already apparent. Mr. Rothstein suggested that items heard repeatedly be included (e.g., the need for notification and authorization forms). If agreeable, he said he'd work with Ms. Kaminsky before the September meeting and circulate a list of things they thought could be agreed on, so a preliminary letter could go to the Secretary. A follow-up letter with more detail could be sent in November. Dr. Cohn agreed, especially if it included some actionable things.

Ms. Kaminsky reported that OCR's leadership had changed since the group last met. The new Director was Mr. Rick Campanelli, a civil rights attorney with a broad background. Ms. Robinsue Frohboese, who had been Acting Director for 18 months, went back to her official role as Deputy Director. She noted some regional people believed Mr. Campanelli should have been invited to this hearing. OCR was asked to present an update at the full Committee meeting in September and Mr. Campanelli might do that. She asked whether Mr. Campanelli should be invited to speak, listen or participate in discussion at the Baltimore hearing. She also wondered if the Subcommittee on Privacy might want to schedule a focused, semi-private conversation with Mr. Campanelli, though she wasn't sure he could, especially if he came to the full Committee meeting.

Regarding the agenda, Ms. Kaminsky spoke to Holt Anderson of the North Carolina Healthcare Information and Communications Alliance (that state's equivalent to MHDC) about testifying. Elliot Stone was a possibility though he hadn't been invited because of the original decision to hear more from providers than organizations networking with them. Dr. David Kibbe, a physician with the American Academy of Family Physicians who presented at the Harvard HIPAA Colloquium had accepted the invitation to represent the family physician perspective on HIPAA. Another testifier would be Bruce Freed who used to be a senior person in Medicare at HCFA and a partner at Shaw Pittman, the group the Blue Cross Blue Shield Association commissioned to do a 50 state preemption analysis. A privacy working group on NMEH expressed interest in putting together a collective testimony from their Subcommittee.

Dr. Danaher requested that they step back a moment and agree on the problem. Ms. Kaminsky said she also wanted to review what happened in the previous two days, whether they'd accomplished what they expected and what they wanted to do in the future so they had a context to put together the agenda. Dr. Danaher said the two days reconfirmed an across the board lack of awareness, understanding and resources and a particular lack of knowledge among small and medium-size providers. Health plans, even small ones were well on their way. He said the Committee's greatest usefulness would be to prompt OCR to help the constituency between then and April 2003. Dr. Cohn agreed that the goal was to ensure successful implementation. He didn't think the needs of small and medium sized providers encompassed all the important needs. He'd heard about the lack of awareness, need for technical support, and implementation issues. Dr. Cohn said he was also aware of the likelihood of a lot of money going down the wrong drain, with more than just small providers either overshooting or doing the wrong implementation. He suggested that if they wanted to focus more on small providers they'd better talk to groups who represented small providers and find out what they were already doing.

Given the vagueness of the regulation, Dr. Danaher said he was less concerned with the haves than the have-nots. He stressed that their efforts shouldn't stop once the April 14, 2003 implementation date came. The big issue was that the basic tenets, regulation, and intention were unheard by potentially the most important constituency--the providers. Dr. Danaher said he was much less concerned whether a hospital spent too much or too little or got a bad consultant.

Mr. Rothstein contended that, with all due respect to OCR, this problem and its solutions were so big that a serious commitment from HHS's highest levels was needed to make this work; the current staff could put in 24-hour days until April 14 and there still would be trouble because it was clear that massive public education programs were needed. Even large corporations and their health benefit plans, large and small hospitals, and visiting nurses needed specialized responses to specific problems. Each one had its own difficult issue to resolve and Mr. Rothstein said he hadn't seen an appropriate response to this law that would affect everyone. This wasn't just a provider law, but a massive law affecting everyone who picked up a prescription. Mr. Rothstein cautioned that there was an underestimation of the scope and complexity of getting HIPAA off the ground. He didn't know whether the Committee had authority to make that case, and he wanted someone from the highest level of the Department to attend the full September meeting where this case could be made.

Ms. Greenberg commented that putting this at the top of HHS was valid: the public health departments were on their own and local ones had no resources. National associations had good intentions, but couldn't do it. OCR needed to focus initially on covered entities and CMS issues included employer ERISA plans. The scope extended almost into the Labor Department. Ms. Greenberg acknowledged that the massiveness of the impact was striking. The government had gone awry, but Ms. Greenberg said she was heartened that people said the policies were vague because that would force them to review and improve policies and procedures. It was a tremendous opportunity, as well as a tremendous job.

Ms. Greenberg affirmed that it certainly was the Committee's role to recognize this was a time of constrained resources. The old budget surplus had slipped away, and the letter had to emphasize the huge impact that had. More effort over time was needed and reasonable, restrained enforcement would be needed early on for many reasons, including that it was a huge job. She added that it also had to have teeth in it. Dr. Zubeldia agreed this needed to get on the nightly news and Oprah. He noted the Subcommittee had set a precedent getting the individual identifier in the news. Ms. Greenberg pointed out that the news precedent was negative. She emphasized that publicity had to be done well. And she reiterated that the law virtually would impact everybody.

Dr. Danaher agreed with Mr. Rothstein that, like any initiative in an organization, unless it got the highest executive buy-in, it wouldn't go, even if it touched everyone in the organization and the CEOs championed it. He said it was a disservice that there wasn't a C. Everett Koop articulating the importance of HIPAA and making it understandable and palatable to the public and providers. Ms. Greenberg noted that would counteract the idea of OCR not providing information, which could shut down a lot of research and invaluable activities.

Mr. Rothstein reported that a session on HIPAA in public health was held at CDC's first Annual National Public Health Law Conference and people were “hanging from the chandeliers.” To a person, there was incredible anxiety about their continued ability to do traditional public health surveillance, epidemiology, investigations and reporting because hospitals and providers were misinformed about HIPAA. They wanted to know what was being done to fix this. Dr. Cohn supported that view. He proposed that at that point a properly crafted letter might do more than having Secretary Thompson spend five or ten minutes talking with them. Mr. Rothstein said that to make major strides it was essential to have a first-rung political appointee spend a half-hour with the full Committee to get a flavor of the testimonies from the previous day and a half.

Mr. Rothstein said he wasn't sure the group could make a detailed presentation of recommendations by the September meeting, but that he was already prepared to speak for half an hour about the magnitude of the problem and the consequences to public health, law enforcement, and social services. His focus was on the need for serious attention and resources. Ms. Greenberg said Ms. Kaminsky and she could talk with Mr. Scanlon and Mr. Rothstein could talk with someone else about getting that person to the meeting for the Subcommittee to brief. Time was of the essence. Dr. Cohn focused on the Committee not wanting to undermine the new person heading OCR and reiterated the need for leadership support from the highest level of HHS to make things happen.

Ms. Greenberg observed that an advantage of having someone new in the position was that they weren't being at all critical of him or his predecessor, but only wanted to support the need for resources and a commitment to putting this right below bio-terrorism. Dr. Zubeldia pointed out that somebody new would be flooded with requests and cautioned that theirs would be lost in the shuffle. Remarking that it was hard for career people to get out in front of such things, Dr. Danaher asked if there was a champion, political appointee in HHS for HIPAA and if what they were doing was embraced by the Administration. Ms. Greenberg said OCR put enormous effort into getting this rule. OCR not only kept it, but resources went into getting the rule right and making it workable. It had high standing and there was a tremendous onus on the Department to promote, facilitate and work on implementation.

Ms. Kaminsky supported the strategy of getting others to listen, but as somebody new to OCR she expressed reservations about identifying an individual. She noted that people in the Department who were extraordinarily involved with the privacy rule had the greatest impact on privacy policy and suggested they'd be good people to get. She also thought privacy council people would be appropriate. Ms. Kaminsky said she was curious how NCVHS got political appointees to attend meetings. Ms. Greenberg acknowledged it was difficult to get higher ups in the agency. Mr. Rothstein suggested a conference call to hear Dr. Lumpkin's views. Ms. Greenberg said he'd been trying for a year to meet with somebody around NHII, which she considered closely related to the privacy law.

Dr. Danaher noted Tom Sculley was on record as saying organizations wishing to contract with CMS had to be HIPAA compliant. Dr. Danaher encouraged such executive support.

Mr. Rothstein observed that everyone sitting around the table had a good idea of the HIPAA privacy rule and he thought they were surprised at some of the testimony. He said he'd heard issues he hadn't considered and that those who could influence implementation of the rule needed to listen. Ms. Kaminsky clarified that Mr. Rothstein thought it would be appropriate to have the testifiers at the meeting when the Subcommittee presented what they'd heard so far. Ms. Greenberg again asked if others thought they would be ready or should meet in November after the last of the three hearings.

Dr. Cohn supported writing the letter, but focused on the question of what they were recommending. He said the Subcommittee had to grapple with whether the solution was to devote tremendous amounts of resources and make an absolute commitment that everybody be in full compliance by April 14, or recommend that people make a major effort to comply now, realizing compliance enforcement began in a year.

Mr. Rothstein pointed out that the next meeting of the full committee was November 19-20. Even with a commitment, he noted nothing was likely to happen until January. Ms. Greenberg suggested getting together a letter to be discussed with the full Committee in open session. Someone from OCR was expected at the next meeting, but she said they could explain that this was the first of three hearings and given the timeframe and attendant decision making required, they wanted to have a fuller assessment after the hearings at the November meeting. Ms. Greenberg noted the timing might not be good for getting anyone at the full Committee meeting other than the head of OCR in his capacity of reporting. Issues could be shared then, but dialoging with the full committee meeting in two weeks was premature. Ms. Greenberg proposed working in two phases: first alerting them to initial concerns and inviting them to present at the Data Council in October and, second, a discussion at the November meeting. Dr. Cohn noted that a conversation with Subcommittee representatives might also get them the information and that the Committee could have Mr. Rothstein and Dr. Lumpkin meet with whomever they decided. Mr. Rothstein suggested mentioning their availability in the letter.

Ms. Greenberg said she supported moving the October hearing to Baltimore, but emphasized the need to hear from a broad range of constituencies and gain other perspectives. Noting that every part of the country was different and MHDC and Massachusetts were both active, she wondered whether it was worse than they'd heard in other parts of the country. Mr. Rothstein proposed that they get people from West Virginia, Delaware or the Philadelphia area. Dr. Danaher agreed that testimony from people in the trenches was more beneficial than from people on the HIPAA speaker circuit; often people with unfamiliar names had the best insight.

Mr. Rothstein said Ms. Kaminsky would prepare a draft letter to circulate to the Subcommittee before the September meeting, including the themes of breadth, scope and timeliness as well as the need for broad educational programs and specific forms and guides. Dr. Cohn added the idea of timely responses to the issues from OCR. Mr. Rothstein would also see about scheduling time on the full Committee agenda. He noted the general advice (e.g., a regional focus) would be taken into account in planning the next two hearings. The Subcommittee would seek people from Wyoming and surrounding states and rural areas for the Salt Lake City hearing. Dr. Zubeldia said he was lining up facilities that served the Indian community in Nevada and other outlying areas that normally wouldn't come to the meetings. Mr. Rothstein hoped to have a mixture of speakers and topics to finalize at the September meeting.

Ms. Kaminsky noted the previous day's discussion about OCR doing an open door privacy call-in initiative on a monthly basis, similar to the CMS forum initiatives where experts take questions and have open discussion on the telephone. Mr. Rothstein agreed that was a fine idea that he would raise as one of the 20 points to discuss in more detail for the November statement. Members confirmed that the consumer outreach concept would be mentioned in the September letter. After thanking Ms. Kaminsky for her work in setting up the hearing, Mr. Rothstein adjourned the meeting at 4:23 p.m.


I hereby certify that, to the best of my knowledge, the foregoing summary of minutes is accurate and complete.

         /s/      2/14/2003

      Chair       Date