[This Transcript is Unedited]

NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS

SUBCOMMITTEE ON PRIVACY AND CONFIDENTIALITY

September 10, 2002

Boston Park Plaza Hotel
64 Arlington Street
Boston, Massachusetts 02116

Proceedings by:
CASET Associates, Ltd.
10201 Lee Highway
Fairfax, Virginia 22020

P R O C E E D I N G S (9:12 a.m.)

MR. ROTHSTEIN: Good morning. My name is Mark Rothstein. I’m the director of the Institute for Bioethics, Health Policy and Law at the University of Louisville School of Medicine and chair of the Subcommittee on Privacy and Confidentiality of the National Committee on Vital and Health Statistics.

On behalf of the subcommittee and staff I want to welcome you to the first of two days of hearings on implementation issues under the HIPAA Privacy Rule. I also want to welcome our listeners who are listening to us live via the Internet.

Before proceeding further it’s customary for us at our hearings and meetings to have introductions, beginning with members of the subcommittee and staff. I would invite subcommittee members to disclose any conflicts of interest they have at this time. I’ll begin by saying that I do not have any conflicts of interest. Richard?

MR. HARDING: I’m Richard Harding, M.D. I’m a clinical professor of psychiatry and pediatrics at the University of South Carolina and immediate past president of the American Psychiatric Association and member of the committee and subcommittee.

MR. COHN: I’m Simon Cohn, M.D. I’m the national director for Health Information Policy for Kaiser Permanente and practicing physician. I don’t believe I have any conflicts of interest. Obviously I’m a member of the subcommittee and of the National Committee for Vital and Health Statistics.

MS. GREENBERG: I’m Marjorie Greenberg from the National Center for Health Statistics, CDC. I’m the executive secretary to the committee.

MS. KAMINSKY: I’m Stephanie Kaminsky from the Office for Civil Rights. I am lead staff to the Subcommittee on Privacy.

MR. FINE: I’m Michael Fine, M.D. I’m senior managing partner of Hillside Avenue Family and Community Medicine in Pawtucket, Rhode Island and physician-in-chief in the Department of Family and Community Medicine at Rhode Island Hospital.

MS. KEENER: I’m Betsy Keener. I’m the privacy officer at Harvard Vanguard Medical Associates in Boston.

MS. KHAJA: I’m Saliha Khaja. I’m an attorney for the Massachusetts Medical Society.

MR. SULLIVAN: I’m Tom Sullivan, M.D. I’m a solo cardiologist in Danvers, Massachusetts, president elect of the Massachusetts Medical Society and chair of the Privacy and Confidentiality Steering Committee at Partners Health Care in Boston.

MR. MACLEAN: My name is Andrew MacLean. I’m the general counsel at the Maine Medical Association.

MS. SQUIRE: I’m Marietta Squire. I’m with NCHS and staff to the subcommittee.

MS. CRAMER: I’m Anne Cramer, an attorney with Eggleston and Cramer in Burlington, Vermont and outside counsel to the Vermont Association of Hospitals and Health Systems.

MS. EKITA(?): My name is Leslie Ekita. I’m a consultant with Hayes Management Consulting.

MS. CALCAGNO(?): I’m Alex Calcagno. I’m on staff at the medical society.

MS. BUTKAVITZ(?): Anne Butkavitz, office manager for Dr. Marcus.

MS. SCHWARTZ: Nancy Schwartz, privacy officer, Fallon Community Health Plan.

MS. AHN: Jean Ahn, HIPAA project director, Yale New Haven Health System.

MS. KESSLER: I’m Martha Kessler. I’m a reporter with the Bureau of National Affairs.

MR. KOZIK: My name is Brian Kozik. I’m the compliance officer for the North Shore Medical Center in Salem, Massachusetts.

MS. DANCONIE(?): I’m Jane Danconie with the Office for Civil Rights.

MS. CENTURN(?): Hi. My name is Lisa Marie Centurn. I’m with the Centers for Medicare and Medicaid Services.

MR. EVENSTON: Scott Evenston, Office for Civil Rights.

MR. ROTHSTEIN: Thank you very much, and welcome to everyone.

The subcommittee has scheduled seven panels of invited witnesses over the next two days to provide us with a variety of perspectives. In addition, there are two time slots available for public testimony, 4:30 to 5:30 p.m. on Tuesday, September 10th, that’s today, and 2:45 to 3:15 tomorrow, Wednesday, September 11th. Any individual who is not an invited witness may sign up and testify for five minutes.

The public testimony slots are on a first come, first served basis, although if the past is any judge we will not have a problem accommodating the public witnesses.

Let me emphasize the limited scope of this hearing. The final amendments to the privacy rule were published last month. We all are, or should be, shifting to a compliance mode preparing for the April compliance date.

The purpose of the hearing is not to revisit the substantive elements of the rule, although the subcommittee is well aware that it’s hard to talk about implementation issues without reference to at least some of the substantive areas of the law.

We are especially interested in learning from you answers to at least the following questions:

First, what are the available resources for HIPAA compliance, including those from professional organizations and trade associations? Second, are compilations of best practices available and how are successful implementation strategies disseminated? Are there any models for public/private partnership developments? How should covered entities go about coalition building and developing consensus procedures?

What outreach, education, and technical support programs are needed from the Office of Civil Rights, including suggestions for OCR priority setting? What areas are especially in need of guidance from OCR? How should we address the integration of HIPAA and other federal and state laws? And finally, can you assess the accuracy and quality of the information and services of vendors and consultants, especially as they pertain to small providers and health plans?

These are just a few of the implementation issues that the subcommittee and eventually the full committee plan to take up.

This is the first of three sets of hearings by the subcommittee dealing with these issues. We will also be meeting in Baltimore on October 29th and 30th and Salt Lake City on November 5th and 6th. After our final hearing the subcommittee will submit its recommendations to the full committee for discussion and possible action at our meeting in Washington on November 19th and 20th. If recommendations are approved by the full NCVHS, they will be transmitted in a letter to Secretary Thompson by Dr. John Lumpkin, chair of the committee.

Because of the large number of witnesses – and I think you’ve all seen our agenda that we have – and the narrow focus of the hearings, I strongly urge that witnesses strictly adhere to the following rules:

One, invited witnesses will have 10 to 15 minutes to give their prepared testimony. The closer to 10, the happier I am. We will supply you with a one-minute warning. After each witness subcommittee members will have an opportunity to ask questions of a clarifying nature only. After all the witnesses of each panel have completed their testimony, the members of the subcommittee and the witnesses will use the remaining time of each session for further questions and discussions. That’s why it would be especially valuable if your initial comments were shorter, so we can have greater time for colloquy.

Witnesses may submit additional written testimony within 30 days to Marietta Rollison.

And number five, if any witnesses stray too far afield, such as going into what is the minimum necessary standard, I will enthusiastically encourage them to refocus their remarks or to conclude their testimony.

I would ask anyone in the room with a cell phone to please turn off the ringer. I want to please ask all of our witnesses, as well as subcommittee members, to speak clearly into the microphones for the benefit of those who are listening to us via the Internet.

And so with that we are ready now for our first panel, which is devoted to physician practice issues. I’d like to invite the witnesses to testify in the order that they’re listed on the program, unless there is some reason we should change the order.

Seeing no objections, I’d like to begin with Dr. Eugenia Marcus.

Agenda Item: Physician Practices - Panel 1

Eugenia Marcus, M.D., Pediatric Health Care of Newton Wellesley

MS. MARCUS: Thank you, very much. I’m sorry I scooted in here at the last minute. It’s mornings like this that remind me why I’m glad I don’t work in Boston.

I purposely titled this “What is this Hippo Thing?” because that’s what doctors think about at this point when you talk about HIPAA. They’re not quite sure what it stands for. They know it’s something that they have to do that the government is imposing on them. They’re not quite sure what it is.

It’s going to be like Y2K. They’re afraid it’s going to cost them money. They don’t realize that a lot of what they need to do is very simple. It’s education. It’s education of themselves, their staff, and their patients about things they need to do.

At this point I think the people who are responding from the physician offices are the office managers. There are a lot of meetings that are happening, which I’ll talk about later. It’s happening at that level of administration and leadership.

HIPAA has actually spawned an industry, which I’m sure everyone in this room is aware of. Everybody wants to sell you something to help you comply with HIPAA. The private sector is out there with books and newsletters and videos and CDs and websites and email news and teleconferences and all kinds of stuff about HIPAA.

Because there’s so many different components to HIPAA - there’s the transaction stuff, the security stuff, the privacy stuff - in the doc’s minds it’s sort of all a jumble. Some of it, especially the stuff around the transaction sets, is technical in an area that they have no expertise in, so it seems the feeling that they get is that it’s pretty impossible.

The professional associations have really stepped up to the plate in HIPAA education with HIPAA newsletters, HIPAA tips on the website, teleconferences, printed material, some of which they sell for a modest fee, some of which is free. I’m on several listservs because of my information.

I didn’t get a chance to introduce myself actually. I’m Eugenia Marcus. I’m a pediatrician in private practice. I’m in a small group. We have three pediatricians. My office is in the medical building at the Newton Wellesley Hospital locally. I am very interested in information technology, and I chair the Information Technology Committee at the Massachusetts Medical Society.

I’ve been more than tuned into the issues around HIPAA. I’m on a variety of different listservs that deal with HIPAA. People are ranting and raving about this horrible thing, and we should get George Bush to cancel this thing. He’s going to make a lot of money out of it. There’s all kinds of stuff that’s going on.

People like the AMA, the Academy of Pediatrics, the Massachusetts Medical Society, which are the organizations that I have something to do with, all have some kind of programs that are out there to try to help the docs. The hospitals, the IPAs, the insurers, Medicare and Medicaid are offering HIPAA help. This morning there’s a big HIPAA conference being sponsored by Medicaid and Medicare at this same time. My big critique of that is the notice for it came out like ten days ago. If you want doctors to respond, ten days is totally inadequate notice. They need two or three months’ lead time sometimes, depending on their schedules, to be able to rearrange patient care or other things that they’re doing in order to be able to get to an all-day conference on something like this.

There’s a wide variety of interpretation of what these rules and regs are. On one of the listservs a doctor reported that the hospital had offered a HIPAA audit and advised him to encase his computer server in a locked metal box to protect the server and thus the data within. Anybody who knows anything about computers knows that if he actually did this the heat from the computer would fry the data and then it would be totally secure, because nobody could get at it and it would be totally useless. Because of a lot of misinterpretation of what HIPAA is and what is required, there’s a lot of angst in the community.

I’m going to talk now about some of the things that we’ve done in our office. You have to understand that this is ahead of the curve because most of my colleagues are not anywhere close to this point yet, but they could get there.

One of the things that we’ve done is that we’ve eliminated the sign-in clipboard. We put a shredder in every doctor’s room and in the business office. Anything that has a patient’s name on it goes into the shredder. We put signs up around the office indicating this is staff. Patients are not supposed to walk into certain areas.

We have a small office. I built this office six years ago. I built it around making some compromises between privacy and efficiency of workflow and patients’ comfort in the office. You’ll see that in a minute, because I have some pictures. We are moving towards eliminating paper in the office with a scanning program and an electronic medical record. We are not paperless yet, although that is an ever elusive goal.

This is our under-the-desk shredder in each one of the doctor’s offices. I forgot to ask Anne how much they actually cost.

MS. BUTKAVITZ: They’re anywhere from $50 to $200, however fancy you want to get.

MS. MARCUS: Do you remember what these particular ones were?

MS. BUTKAVITZ: Those were probably about $60. You just kind of pull them right over the trash basket that you already have.

MS. MARCUS: As you see it fits right over the trash basket. It really works quite efficiently. You can’t put a whole big wad of paper in there, but four or five sheets at a time it just gobbles up. The cleaning service at the end of the day empties it. You can see the recycle bin right next to that. There’s no patient identifiable information in the recycle bin, but we get plenty of other stuff to recycle.

This is the lab. You can see that the lab is open to the rest of the office. We put up a sign that said, “Patients keep out.” One of the things you might want to notice is the printer. There is a printer in the lab. What comes up on that printer is lab results from the hospital and the radiology departments, so they don’t have a courier system that runs around the buildings and delivers it anymore. They just print it out directly to each doctor’s office. This is in an area that patients don’t have access to. Also our fax machine is in an area that patients don’t have access to.

We talk to our staff about what HIPAA is and emphasize respecting patient privacy. We discourage hallway conversations. Keep voices low in unavoidably open areas. When we put paper charts in the racks in front of the rooms we turn them the other way so that you can’t see the patient’s name on the chart if you’re walking by in the hallway.

We have a white board that lets the doctor know which room they’re going into next. We use the child’s first name, so it’s “Joey” or “Mary” or something like that, rather than a last name or first and last name with it.

We’ve reminded people to shut the door when they’re talking to a patient or examining a patient or talking to a patient on the phone. When you’re dealing with children people seem to feel that they don’t need as much privacy as an adult. I don’t take that attitude. Parents are even like that. They’ll tell you anything about their kids, but they wouldn’t tell you that same thing about themselves or their spouse.

Sometimes this is an education thing. If a parent starts to tell me something in a hallway I say, “Let’s go into this room and shut the door, and then you tell me about this.” It takes a bit of education to the patients themselves to respect their own privacy.

Because I have been somewhat more aware of some of these things I have been a HIPAA police myself in that people who interface with us have had breaches of things, like the emergency room faxes us information on any of our patients that happen to be there overnight. Sometimes we’ll get two or three patients on the same sheet. In order to file that information we need to cut and paste the paper literally with scissors and recopy it on to a full sheet in order to do this.

The telephone triage service does the same thing, and we’re trying to educate them about one patient on one sheet of paper. Children’s Hospital does the same thing, and I haven’t yet found the person there. That’s such a huge behemoth, I don’t know who the person is there to actually tell them, “Hey, you’ve got to fix this.”

We never leave medical information on an answering machine when we’re calling a patient. We publish rules on our website for email. We do a lot of email with patients. We’re migrating to a secure website for all electronic communications with the office. Now we’re still using Outlook for some of these things, but we will be using a secure website.

We’re considering additional privacy education. I mention this particular company because it’s one that I know about. A friend of mine runs it, but I would think they have a good – so that’s by way of disclaimer – but they do have a really good patient education program. I mean physician education program.

Our problem areas: We have an open front desk. We have no plans to enclose it. I thought long and hard about this, and we had a lot of debates between the various docs. I walked around in other doctors’ offices. In those that did have partitions all the way to the ceiling with sliding glass doors, the doors are always open. The staff behind it doesn’t like to be separated in that way from the people that they’re taking care of.

We have very people-friendly staff. That’s the kind of people that I want to be working for me. Sometimes the kids run around the back area, and I’ll come out and I’ll find a receptionist with a kid on her lap while she’s answering the phone. That kind of a warm and friendly atmosphere is what I want to promote. I’m not about to close this thing in. We talk about this in terms of how to keep things as private as we can.

Paper charts and open shelving, I know there’s something in the rules that this stuff has to be locked up. The office is locked up at the end of the day. That is as good as we’re going to get until we transition to the EMR with the scanning program. That’s happening now. It probably won’t get done by April. We also have to work on paper charts ending up on the doctor’s desk.

Here’s our front office. You can see the open charts there. This is not a sign-in clipboard at the front. It’s forms for registration. A patient actually takes that clipboard, fills it out, and then the form is handed back to the secretary.

The needs that I see are for accurate interpretation, simple checklists of how to come into compliance, whatever forms are needed. They need to have these forms, and it has to be affordable.

That’s it.

MR. ROTHSTEIN: Thank you, very much. Any clarifying questions from subcommittee members?

Thank you, very much Dr. Marcus. Dr. Michael Fine, please.

Michael Fine, M.D., Hillside Avenue Family and Community Medicine

MR. FINE: Would it be okay for me to speak from the table?

MR. ROTHSTEIN: Certainly.

MR. FINE: Great.

Good morning. My name is Michael Fine. Thank you for allowing me to testify. I’m a family physician and a managing partner of the largest family practice in Rhode Island, past president of the Rhode Island Academy of Family Physicians, and member and past chair of the Primary Care Advisory Committee of the Rhode Island Department of Health.

I practice in Pawtucket and Scituate, Rhode Island. The former is a busy urban practice that serves a very diverse, economically stressed population; the latter is a rural practice that serves an exurban, still farming, country town, so that my days are sometimes split between caring for recent Colombian immigrants, Brown professors, and dairy farmers. I’m going to echo, I think, many of Dr. Marcus’s remarks.

I’m speaking today both for myself and for the Rhode Island Academy of Family Physicians, whose executive board I conferred with in preparing these remarks.

Before I focus on HIPAA, I want to talk for a moment about family practice and primary care in Rhode Island, so that there’s a context in which I can set my remarks about HIPAA itself.

First, it’s important you understand that primary care in Rhode Island is still largely a retail, Mom and Pop operation. Seventy percent of Rhode Island primary care physicians practice in solo or very small groups. That is, we practice in groups of one or two, and we kind of make it up as we go along.

When I said I work in the largest family practice in Rhode Island, that’s six full-time equivalent physicians. There are a few large primary care groups of 30 to 60 physicians, but even those are struggling to justify their size in terms of the economies of scale they realize, which may or may not exist in the primary care world.

Most primary care physicians don’t have an office manager, a controller, or a compliance officer. Some don’t even have a practice attorney or accountant. Most of us think our main function is patient care, and some of us think that patient care alone will get us through the day.

In this way, primary care physicians are essentially acrobats of the particular. That is, we focus on one person at a time and try to sort out their health challenges for them one health challenge at a time in a world that requires constant juggling. We juggle patient needs, hospital needs, health plan needs, nursing home needs, visiting nurse needs, government needs, vendor of medical equipment needs, information from the Internet, drug company advertisement, and detail people.

You haven’t seen anything until you’ve seen and tried to make sense of a form called the “Home Health Certification and Plan of Care,” a form I get to complete four or five times a week.

For us the HIPAA problem is one of a long list of problems that have acronyms - OSHA, CLIA, Stark I, Stark II, the BBA of ’97, E and M coding, PHOs, PSOs, IPAs, and HMOs - that don’t really seem to have anything to do with patient care, but which we perceive as one more bean bag to juggle or one more plate to spin. One of these acronym problems seems to appear about every second year. Each of these acronym problems is accompanied by its own set of mysterious rules, threats, and profiteers.

The rules are always not quite certain yet, but the final rule is going to come out in a few months. Someone is always saying how important it is to prepare to comply with the final rule, though we’ve never seen a final rule that isn’t constantly changing. We’ve learned to assume there really are not rules, just today’s version.

The threats are always vague but very ominous. We will go to jail. We will lose our licenses. Someone will fine us more money than we make in a decade. Someone else is going to take away our market share – a very curious notion to people who often work 14 hours a day and want nothing more than to go home and get some sleep.

The profiteers are always people who appear from nowhere to help solve a problem we didn’t know we had. They make recommendations. They charge $99 for a book, $199 for a seminar, $1,000 to $10,000 for a private evaluation of our policies and procedures. They provide many disclaimers that protect them in case they’re wrong.

After all these initials and all these years our acronym problems get attention only after all the other fires are put out. Remember, we’re the folks who look at sore throats and listen to the hearts of the 25,000 people we each care for. There is no acronym that is as compelling as someone you know and care about who’s sick.

Those of us who worry about confidentiality do it in the context of running into the people who are our patients in the grocery store and do that at the level of trying to decide whether it’s okay to greet a patient before they greet us. We’ve all developed listening skills, so when a concerned or nosy neighbor who’s a patient wants to know something about someone else who may or may not be a patient, we listen attentively and then try to give away nothing, not even acknowledge that the inquired-about patient is a patient of ours.

But in fact, as Dr. Marcus said, confidentiality is a two-edged sword. In order to be best at patient care we rely on breaches of confidentiality provided for us by family members or neighbors. Who’s drinking? Who isn’t coming out of the house? Who’s losing weight but won’t come to the doctor? Good primary care is a high wire act that causes us to be open to all the sources we can gather about the people we care for while not falling into the abyss of violations of trust.

That said, here is what small primary care practices in Rhode Island know about HIPAA. First, we know there is a rule out there, and one of these days they will figure out what the actual regulations are and tell us what the rule is and what we are supposed to do to comply with it.

Some of us think that everyone is supposed to file an extension, but no one really understands what it is we are extending. No one knows what compliance is, or how to comply as things stand. We all hope that during the next year someone will tell us clearly what it is we’re supposed to do.

We do get letters from our professional organizations that tell us what to do, but those letters are usually more confusing than what we read in the throw-away medical press. I’m going to read a paragraph of a letter that I received at the end of August. It’s a letter to all Rhode Island health professionals from the Rhode Island Medical Society, the Rhode Island MGMA, and all the Rhode Island health plans.

“Please note the original date for compliance with the transaction and code sets is October 2002. In December 2001 the Administrative Simplification Compliance Act (ASCA, Public Law 107-105) gave covered entities not compliant by October 16, 2002 the opportunity to extend their compliance deadline by one year to October 16, 2003.

This extension opportunity is applicable to all HIPAA-covered entities other than small health plans. Those with less than five million in annual receipts do not have to file an extension and have until October 16, 2003 to become compliant. In order to qualify for this extension, covered entities must submit a compliance plan before October 16, 2002.”

I actually think there’s a typo not in what I wrote but in what was in the letter, but I’m not smart enough to figure out where the typo is. Maybe smarter people than I can understand this. I can’t. We get these letters all the time, and communications like this make the eyes of primary care physicians glaze over.

We also get letters from health plans telling us what they are doing, but those letters don’t mean much to us. The letters look all the same, and they say the same thing. Many of us get invited to meetings at which it appears the same information is to be repeated. It’s mostly about what standards the health carriers are using for billing information, standards that don’t seem to apply to us directly since we have to submit claims on systems the plans control and we don’t.

It looks like the plans feel they need to invite us to meetings so they can be in compliance, but it doesn’t look like we need to come to the meetings for us to be in compliance, so we don’t go. But then it’s really not clear what small practices need to do to be in compliance, so most of us, as I said, aren’t doing anything much at the moment.

I’d like to tell you what we’re doing to support the privacy rule training mandate, but I’m afraid I don’t know what the privacy rule training mandate is. There are consultants and courses from a host of professional organizations, but it looks like even those all cost time and money, and at the moment they’re not going to say much beyond, “File for an extension and see what happens.”

Some of us have spent the time and money and have noted with sadness that it’s time and money that could have been spent learning about Lyme disease in kids, diabetes management, or congestive heart failure. Those of us who have not yet become cynical have become now cynical about the role of government in health care.

As I said before, my practice is the largest family practice in Rhode Island, and it’s probably a little more adept at dealing with the regulatory environment than most. We have a practice administrator, and we even have a compliance officer. That person has spent about 50 hours trying to sort out what it is we’re supposed to do, wading through websites and instruction manuals, so yesterday we applied for an extension.

In truth, we are probably reasonably compliant, though we’re not really sure what compliant means. We use all HIPAA compliant billing software, and a HIPAA compliant EMR, and maintain appropriate firewalls, so our electronic database is not accessible from the Internet.

Over a year ago we developed a confidentiality policy that all our employees and all our vendors are required to sign. But few smaller practices have the resources, time, or energy to do this work.

How can we make all of this easier? Please don’t ask us to do anything until you are sure that what you’re asking we really need to do. Please understand that our only job is patient care, and understand that the resources we commit to anything other than patient care diminish that.

Please understand that confidentiality is what we want to achieve, but sometimes that’s a two-edged sword. We have a role in the communities where we practice and that role does not always allow confidentiality to be airtight.

Please don’t ask us to do things for health plans so health plans can be in compliance. Society has given health plans inappropriate power over us by refusing to regulate the market power of those plans. If you make us devote time and attention to satisfy them, patient care will suffer again.

Instead, understand who small practices are, the role they play in the health system, and what they do every day. Let’s design some templates so practices can just follow the directions. Templates that are written in English, so we can continue doing what we’re here to do, which is patient care first.

Thank you.

MR. ROTHSTEIN: Thank you, very much. Dr. Cohn?

MR. COHN: This is just a clarification. I really want to thank you. I think you also know I chair the Subcommittee on Standards and Security, which has been involved with HIPAA electronic transactions. Your testimony, which we will share with that subcommittee, is probably worth my flying in from San Francisco alone.

Having said that, I do want to make sure that you understand, and others on the Internet, that there is no extension for the privacy rules. The extension you’re referring to is for the electronic transactions.

I just want to make sure – I think you understand that. I just want to make sure, because some of your comments seemed to indicate that you thought that somehow you could get an extension for a year.

MR. FINE: And I would just respond by saying I am certain that none of my colleagues have this straight.

MR. COHN: I absolutely agree. I think that’s the lesson and the message here, so thank you.

MR. ROTHSTEIN: Rich, any clarifications?

Thank you for that reality check testimony. Now, Ms. Keener.

Betsy Keener, Privacy Officer, Harvard Vanguard Medical Associates

MS. KEENER: Good morning. My name is Betsy Keener, and I am the privacy officer for Harvard Vanguard Medical Associates.

Harvard Vanguard Medical Associates is a large, multi-specialty group practice located in 15 sites throughout the greater Boston area. As the privacy officer I am in charge of developing and implementing our privacy policies, and so I function as the project manager for the privacy aspect of HIPAA.

In my comments today I will discuss our experience to date implementing the HIPAA regulations, including best practices, available resources, coalition building, our approach to training, and, of course, some of the difficulties we have faced.

In spite of my experience managing other large, complex projects, implementing the privacy rule often makes my head spin. Although implementing the Privacy Regulations has been both interesting and thought provoking, it has also been a frustrating experience as my small group of staff and I try to understand the regulations, interpret them, determine what is reasonable and scalable, all while wondering what aspect of the rules will change and what will remain.

I started by reading the federal regulations and attending a couple of seminars on the HIPAA regulations. I worked with other staff to form a project team, provided an overview of the regulations to senior management, and developed a preliminary budget.

As with most other health care providers, our budget was limited and using outside consultants was not a viable option. We did purchase a HIPAA compliance program that provided us with some helpful work plans and assessment guides to help us get started. It also gave us a level of confidence that we weren’t missing some aspect of the privacy regulations.

Understanding these privacy regulations has been a slow process. Every time I review a specific part of the privacy rule (for example, the accounting of disclosures requirement) I learn more.

For me, however, just reading the privacy rule was not enough. I had too many questions about what “reasonable” meant and wondered how other institutions were interpreting the rule. It became critical for me to talk with others who were also working on privacy implementation.

I joined the New England HIPAA workgroup over a year ago. This is a regional group of payors, providers, and vendors who meet monthly to discuss different aspects of HIPAA and collaborate on compliance. In addition to speakers and a general session, each meeting usually includes subgroup meetings. I attend the privacy and security subgroup and have learned a lot about how other organizations are approaching both the privacy and anticipated security regs.

I also joined the Mass Health Data Consortium and have found its Privacy Officer’s Forum to be particularly helpful. The bi-monthly meetings often involve content experts who share information about, or approaches to, certain aspects of the privacy rule.

Several months ago while chatting with representatives from Partners HealthCare and Boston Medical Center, it occurred to us that we really needed to have a meeting with privacy staff who worked only for provider organizations. This way we wouldn’t be distracted by solutions developed by the payors, and we could more comfortably share with each other the policies we developed without fear that our work would be packaged and sold by a consultant. The New England HIPAA Provider meeting met for the first time in May, and we have met monthly since then.

Through the Privacy Officers’ Forum we are affiliated with the Mass Health Data Consortium, which generously donates space for our meetings. Any provider from the New England area is welcome to join our meetings. These provider meetings have been important in helping me shape Harvard Vanguard’s response to the privacy rules.

Prior to the first meeting we drew up a list of topics to discuss. Our aim in the meetings has been to address how we are each planning to operationalize certain topics in hopes of arriving at “community standards.” Of course, before we start discussing how we plan to implement each aspect of the privacy rule, we have robust discussions on what the section of the rule means.

The majority of time our thinking is similar. However, there have been times when we have disagreed on what the regulations mean. For example, at the last meeting we did not reach consensus on the Accounting of Disclosure requirement. Specifically, we disagreed on whether we needed to account for public health disclosures that are required under state law (infectious disease reporting, births, deaths, gunshot wounds, etc.).

Some in the group argued that since these are required by state law and required under our licensure, the disclosures would be considered “health care operations” and consequently would fall outside the Accounting requirement. Others felt that the comment section specified that public health disclosures were required.

When we reach an impasse we continue topics until the next month in order to consult with our own legal counsel as to how to interpret the regulations.

We have also had conversations about topics that on the surface appear nearly laughable, but I think serve to point out our commitment to privacy, our confusion about the intent of the regulations, our concern about enforcement and sanctions, and of course, public scrutiny.

For example, we discussed whether baby pictures sent in by parents to their obstetrician or pediatrician can be displayed in those departments. Are those photos protected health information? On the one hand, this is information that is not created or maintained by our health care organizations. On the other hand, these photos are facially recognizable and are thus PHI.

What should we do? Post them and note this in our Notice of Privacy Practice, or should we develop an entire policy about this? Are we driving ourselves crazy? That answer would be “yes.”

Generally, we do try to stop and remind ourselves that the goal is to protect patient privacy in the context of delivering quality health care and that we need to find reasonable ways to accomplish this.

Here’s a list of the initial topics the New England HIPAA Provider group was interested in addressing from an operations point of view, in the hopes of arriving at either a community standard or a shared understanding of the regulations: registration areas and patient confidentiality; patient communication; patient requests to restrict data – no one, by the way, is planning to agree to this type of request; training; designated record sets; minimum necessary requirement; transportation of medical records; Notice of Privacy Practices; business associates; fundraising; disposal of PHI (both paper and non-paper waste); authentication of patients.

Not only have we shared ideas and approaches to the privacy rule, we have also shared some of our draft or completed policies with one another, but not for public distribution. We would certainly embrace any best practices, but generally any new policies and procedures have not been tested long enough to call anything a best practice, but rather a really good idea.

The philosophy of the group seems to be that we are all in this together, and if we can help each other out we will. I find that when I leave these meetings I have the feeling that implementing the privacy rule is actually do-able. This is often a different experience from how I feel about HIPAA on other days.

The other sources of information that I’ve used regularly are the list serves on HIPAA. It’s important to sift through the varying advice, but I’ve learned a lot about the nuances of the privacy rule that would have taken me longer to discover on my own. On the other hand, this research can be time consuming and the level of detail discussed can be quite overwhelming.

In addition, there are websites - WEDI/SNIP, Health Privacy Project, the Association of American Medical Colleges, to name a couple – that have useful information and provide helpful links to other websites. Also, some law firms have put together HIPAA information that is either displayed on their websites, or have policies and procedures available for a fee.

Harvard Vanguard opted to purchase a set of policies and procedures from a law firm we work with to provide us with a basis to compare with our existing privacy policies. This seemed more economical than to interpret the regulations completely on our own.

However, there continue to be information gaps. For example, I would love to see a good summary of HIPAA in a brochure format for both staff and patients. I haven’t seen one anywhere. Also, more frequent guidance from HHS is critical. This can either be a formal guidance document or more frequent updates to FAQs. There are so many nuances to this regulation that need to be clarified, and it would save us all a lot of time that is currently being spent either reading arguments on the list serves or contributing to those discussions.

In spite of our questions we are continuing to move forward. We are planning to begin a HIPAA awareness campaign in September – actually next week – at Harvard Vanguard. From the beginning our philosophy on the privacy rule has been that we want to protect patient privacy because it is the right thing to do, not just because of the new federal law. We want our patients to trust that we are handling their personal information confidentially. We have incorporated this philosophy into the awareness campaign, and will continue it into the formal training program as well.

We have developed a poster campaign with a theme of the week (for example, computer security, telephone privacy, access to medical records, etc.). The privacy tips associated with the theme will be displayed on posters, distributed by email, and found on the Harvard Vanguard Intranet. We will also have an information booth at each site for a limited period of time, and a privacy hotline number to field staff questions, a staff quiz (complete with prizes) and a campaign to acknowledge staff that go the extra mile to protect patient privacy. The goal is to get staff thinking more actively about privacy.

We have not yet finalized our formal HIPAA training for the nearly 4000 staff at Harvard Vanguard. We are still considering three options: doing the training ourselves in either large groups or in department staff meetings; a “train the trainer” model; and using an on-line training program.

We are leaning towards doing the training ourselves primarily so that we fully address the notion that compliance with the privacy rules will involve some culture change on the part of the staff. We can also respond immediately to any questions that may come up, and we can tailor the presentation to the audience here at Harvard Vanguard. We are concerned that using the “train the trainer” model may dilute the message.

Our strategy is to develop a core training program that can be easily tailored to the various departments. Certainly some issues are the same for everyone: how to authenticate the callers, the minimum necessary requirement, computer-related security, etc. However, we recognize, for instance, that the privacy issues that the clinical medical assistants are grappling with may be quite different than those in medical billing.

We evaluated several on-line training programs that offer role-based training and have found a few programs that are informative and reasonably interesting to watch and listen to. However, we are concerned that while most of the on-line programs do a good job of describing the HIPAA regulations, they generally do not provide the flexibility to also train staff on Harvard Vanguard’s specific policies and procedures.

Some of the on-line programs do allow for customization, and we may offer that solution for staff who are unable to attend a regular training program. We have not yet determined how we will be able to track attendance at these training programs, although we are hoping to craft an electronic link to our human resources information system.

We are fortunate at Harvard Vanguard that we have had an electronic medical record for over 30 years. As a result, I believe our staff has always had a heightened awareness of privacy issues. Our medical record system already has role-based access based on the job title of the employee. Medical assistants have a different level of access to patient information than registered nurses, who have a different access than physicians.

While we will need to review these levels of access under the privacy rule, we do not have to start from the beginning, which will save us a significant amount of time. We will still need to develop standards for the minimum necessary requirement for management staff, however.

Harvard Vanguard’s patient confidentiality policies and policies on breaches of confidentiality were at one time considered to be best practice and can be found on several industry websites. We have existing written policies that allow patients to access their medical record, or to request an amendment to their record.

However, these and other policies must all be modified to be HIPAA compliant. In addition, our medical record system records staff access to the patient records on a fairly granular level, which allows us to perform audits when a breach of confidentiality is suspected.

Implementing a privacy rule is a large effort. Yes, there are many policies and procedures to either develop or modify to reflect the new regulations. We will need to train nearly 4000 staff, which we hope will result in a culture change that furthers our existing climate of protecting patient privacy.

However, it is not the actual work that is daunting. It is trying to understand these complex regulations. It’s scary and frustrating when two intelligent, informed individuals can arrive at different conclusions from the same document. This happens over and over again. There’s so much information that trying to summarize even one aspect of the regulations requires a significant effort.

Each thoughtful question from a staff person can involve large amounts of time to research. With only eight months left before we are expected to be in full compliance with the regulations, I don’t have that kind of time to spend researching.

Fortunately, enough organizations or private individuals have been willing to share their knowledge of privacy with the rest of us. I have greatly appreciated their willingness to fill the knowledge gap. I believe the federal government needs to do more to clarify what is “reasonable” before it is decided in the media or through the court system.

I hope the National Committee on Vital and Health Statistics can encourage the Department of Health and Human Services to publish regular guidance and FAQs on the privacy regulations so that we can spend more time implementing the rule, and less time trying to decipher it.

Thank you.

MR. ROTHSTEIN: Thank you very much for that. I want to welcome Dr. John Danaher, committee member and subcommittee member as well. I’ll open the floor briefly for clarifying questions from subcommittee members. John.

MR. DANAHER: Betsy, good morning, and thank you for your testimony.

Is Harvard Vanguard both a group and staff model HMO?

MS. KEENER: We’re not an HMO at all. We’re a large multi-specialty group practice. We were an HMO when we were affiliated with Harvard Pilgrim, which we are no longer part of. We haven’t been for several years.

MR. DANAHER: So all the clinicians associated with you are on salary?

MS. KEENER: Yes.

MR. DANAHER: Okay. So there are no clinicians that you contract with who are in private practice and group practices themselves?

MS. KEENER: We do have some specialists that see our patients on a contract basis, but the vast majority of our physicians are employees of Harvard Vanguard.

MR. DANAHER: How are you approaching – I understand how you’re thinking about, very thoughtfully, the 4,000 employees. How about those groups that are not directly under your employ? How are you thinking about training? Are you thinking about doing it, or are you asking them to show you proof that they’ve undergone training?

MS. KEENER: We haven’t gotten that far. We will either ask them to show us proof that they’ve been trained at their parent organization, or we will ask them to do an on-line training program that we offer them.

Because they have to be trained in our policies and procedures we can’t just rely on training in another organization, is my understanding. They can understand HIPAA if they work at some organization, but they have to understand what Harvard Vanguard’s policies and procedures are. We’ll need to do some type of training with them.

MR. DANAHER: I think for me that’s at least kind of an interesting point, that you might have an organization, a group, that’s got to learn both their own policies and procedures of Goddard Medical Associates or something and then also, because they’re contracted to Harvard Vanguard, Harvard Vanguard’s.

MS. KEENER: Right, we may have different ways of doing things.

MR. HARDING: I’d like to thank you, too. I’m Richard Harding.

I’m glad that you raised this topic that the others also have raised about the motivation with us and the idea of that it’s the right thing to do to protect privacy, as opposed to “you must do this.” I think that’s been one of the things that has been troubling to all of us, of wanting to do it for the right reasons but have it come out sounding like it’s a must, instead of right.

I’m also just thinking here out loud about the issue that you raised about reasonableness or scalability. The subjective words that are in there I think were put in for good reason, because it’s pretty hard to know exactly what’s reasonable. I can see how it’s caused a great deal of going like that when you see that and trying to figure out how to define that without having the courts define it.

MS. KEENER: Exactly, or the media.

MR. HARDING: – or the media. I think those kinds of things would be helpful. If you have ideas I would certainly be interested in hearing them and appreciate what all three of you so far have said about some of those areas.

MS. KEENER: That was the main motivation in forming this provider group. Our feeling was if we were all doing it relatively the same way then it would work and patients would have a similar set of expectations when they went to Partners or Goddard or a CareGroup or any of the – even the small physician offices. If you could arrive at some kind of community standard then it felt more comfortable for all of us.

We could discuss what “reasonable” means. Does it mean partitions? Does it mean glass? Does it mean a sign that says, “Please wait here”? Does it mean acoustic tiles? I could go on for hours.

MR. ROTHSTEIN: Anything else? Thank you. Now our next two speakers, Ms. Khaja and Dr. Sullivan.

Saliha Khaja, J.D., Counsel, Massachusetts Medical Society and Thomas E. Sullivan, M.D., Women’s Health Center Cardiology

MS. KHAJA: Thank you.

Good morning. My name is Saliha Khaja. I serve as associate counsel to the Massachusetts Medical Society and generally provide in-house advice and representation to the society on a number of corporate matters and health care related type programs and projects. Specifically, my legal practice area includes regulatory compliance relating to HIPAA, Fraud and Abuse, and Board of Registration in Medicine requirements.

I’m certainly pleased to be here today on behalf of the medical society and to share with you our efforts and our experiences to date in educating Massachusetts physicians about HIPAA and regulatory compliance requirements. The medical society applauds the committee in holding these hearings and is grateful for this opportunity to testify before you.

It’s interesting that you bring up the issue of privacy being a good thing. We have long supported privacy, both at the state and federal level. We continue to remind our members that this is something that they wanted. This is something that was brought to our leadership over membership concerns over the erosion of the patient/physician relationship. We asked for it; we got it. Now we have to do something with it, right?

Our Government Relations Department has worked very hard in bringing some relief to the small physician practice and the mid-size practice. That tends to be our target group because they have a little bit less support out there, so we try to help them in compliance efforts.

As for our message to our members, we strive to impress upon them that regardless of HIPAA, electronic transference of health information is a reality. In light of this, we need protections and standards to guide the privacy of this information.

We understand that compliance with the HIPAA regulations certainly comes at a cost to physicians both financially, emotionally, and also in terms of practice change. There are changes that need to be made to their day-to-day practices and their office policies. We’re constantly trying to help them with tackling each of these various areas.

In order for the medical society to accomplish its goals of providing the best and most accurate information and certainly something that will be useful and pragmatic to our members, we formulated an interdepartmental HIPAA workgroup. That consists of staff from the various departments, myself from the Office of the General Counsel, our Department of Health Policy/Health Systems, our Government Relations Department – Alex is here today – and our Membership Services Department. We’re trying to formulate ideas from each of these various groups to put out products and to vet products that will be helpful and useful.

As far as what we’ve done, you’ve heard from some of the panel members already. We’ve offered a number of district-level, continuing medical education programs that address HIPAA. In presenting to some of these groups I can tell you we found a varying level of understanding by the attendees. Interestingly, or maybe not interestingly, the attendees who were staff members, people who are office managers, support staff, they tended to have more exposure to HIPAA and a better level of understanding than perhaps the physician attendees.

As you can imagine that also created a great deal of frustration among the group. I can tell you there was a great deal of frustration expressed by physicians at one meeting that targeted the outright complexity of the regulations and the associated difficulty in trying to understand what needs to be done by smaller to mid-size group practices. We have very intelligent audience members, so it certainly is no reflection on their ability to understand difficult concepts, but it’s just the vastness and the bulk of these regulations, I think, that is very intimidating and difficult for them to tackle.

Of course, there was also a great deal of frustration and irritation over the birth of a HIPAA consulting industry. They have millions of consultants sending them pamphlets in the mail, emailing them, targeting them, and trying to sell them what may be good information and what may not be good information and also what is very costly. All of this plays into the mindset of trying to comply with HIPAA.

This fall we’re sponsoring two comprehensive educational programs entitled, “Positioning Yourself for HIPAA.” They have objectives including understanding the legal and administrative impact of the regulations, trying to help them in developing appropriate operational and procedural activities to comply with the HIPAA mandates.

We’re trying to scale it down and streamline and essentially demystify what is HIPAA. I think you get a sense that there’s a concern over what exactly it is and what exactly needs to be done. That’s our goal.

We held a very successful series of grand rounds education sessions. These were held throughout the state at 25 locations and truly proved to be successful. We partnered with a number of law firms in the state who were familiar not only with the legal requirements specific to Massachusetts, but also certainly the more local practices of medicine that may be unique to Massachusetts. This gave our members and anybody who attended the opportunity to have a one-on-one dialogue with an attorney and to present different scenarios and get answers to questions that were burning inside.

One of the teaching methods that seemed to be working well was introducing a hypothetical scenario, so having the patient come to the office. What happens when the patient walks in the door? What happens when the nurse takes the patient to the examining room? Tracing the whole treatment process up through hospitalization, and then also focusing on issues that are associated with the death of the patient and the protection of the information at that point.

We also are looking at offering HIPAA tool kits, both at a charge and also offering information that’s at no charge. We currently have some information that we’ve compiled that - Betsy had mentioned different work groups. The WEDI/SNIP group has been very good at putting out what we believe to be good information. We’ve made a compilation of good information that we’re offering.

We’ve also written our own HIPAA guidance booklet that we’ve tried to gather good pointers on drafting your own legal documents and drafting your own forms, but also certainly with the caveat that you have this looked at by a lawyer, which doesn’t make the reader happy. It’s something that needs to be done, because a lot of the forms have to be tailored to the individual practices.

That’s a message that we’ve been trying to hammer home, that it is scalable; it is reasonable. Enforcement, hopefully, will take into consideration your individual practice, needs, the size of your practice, the nature of your practice, and things of that nature. So we have those HIPAA tool kits coming out.

We also use our own media to get the word out. We have a newsletter called “Vital Signs” that’s distributed to our membership of approximately 18,000 physicians in the Commonwealth. We featured a number of articles including important deadlines to be aware of with HIPAA, proposed changes to the regulations, the extension that we’ve talked about.

We have an upcoming issue of Vital Signs, I believe it’s this October, that will also focus on projected costs, how to have discussions with your vendors and those types of issues. We have an electronic version of Vital Signs that comes out every week that contains a HIPAA tip, trying to alert the reader to what might be a current development they need to be aware of.

We have a HIPAA hotline. Our Department of Health Policy/Health Systems supports this HIPAA hotline to answer general questions. That hotline has been very hot. I can tell you it’s been ringing off the hook. I am the person who answers the more legal related questions. They come to the Office of the General Counsel.

In August of this year our president, Dr. Charles Welch, wrote a letter to our Massachusetts physicians, which may have sounded much like what Dr. Fine had said. Again, it’s targeting sort of a deadline and trying to remind people that it’s still out there. It’s just keeping the awareness up.

Earlier this spring I was invited to speak at the Hampden District Medical Society’s annual meeting on the topic of HIPAA. At that point in time, as you can imagine, the biggest hurdle was trying to teach physicians both about the final privacy rules as well as what might then be final because the NPRM was still pending.

That made people outraged. They said, “Just tell us what we need to know.” It was a little difficult to do that. We’re happy that the final rules are out and that they are much like what the NPRM was. What they heard as what might be coming is truly here, and we have to live with it.

A lot of these meetings that we’ve had with members have generated discussion over certain issues. That’s what I wanted to bring to the committee’s attention. People are looking for forms from the government. People are receiving forms, finding forms on the Internet, getting forms from us, getting forms from their friends, making their own forms; but everybody wants to see something come from the government. They’re more comfortable with it. They feel more secure that it’s correct. They also want to use it as a starting point and feel like at least they have a baseline to work off of.

Everybody wants to know what to do about their business associates. Is my cleaning staff in the evening considered business associates? Should they be treated differently than a utility person? There’s a difficulty in them understanding who qualifies as a business associate and who doesn’t. It would be helpful to have some guidance on defining business associates.

I also just wanted to briefly mention we have a number of our staff members who participate in a variety of statewide work groups focusing on HIPAA issues. As we’ve already heard, the New England HIPAA workgroup is excellent. The Mass Health Data Consortium is excellent. There is the HIPAA Education Coordinating Committee, which is facilitated by the Mass Health Data Consortium. I sit on the Boston Bar Association’s HIPAA Preemption Task Force, which is an excellent group of local individuals that are trying to pore over all of the hundreds and thousands of privacy rules that we already have in Massachusetts and see how they stack up to the new federal privacy rules.

I just got an email yesterday from the chair of that committee telling all of the members that three different subcommittees addressed the same preemption issue and came up with three different answers. That’s something we have to address tomorrow at our next meeting. The point is, everybody sees it differently. Everybody thinks it will be enforced or interpreted differently; and so guidance, as best we can get, would be helpful.

The Massachusetts Medical Society, as I mentioned, has been very actively involved in introducing and raising HIPAA awareness in Massachusetts. The areas that we can spend more energy with simplifying and demystifying the compliance process for the smaller to mid-size groups include:

Once again, thank you for taking the time to listen to our experiences and concerns. The medical society is very grateful to have had this opportunity to share them with your committee.

MR. ROTHSTEIN: Thank you. Dr. Sullivan?

MR. SULLIVAN: Thank you.

Good morning. My name is Tom Sullivan. I’m the president-elect of the Massachusetts Medical Society. It’s a responsibility I take seriously. At 221 years old we’re the oldest state medical society in the United States. We represent approximately 18,000 physicians, as you heard. I also hesitate to say we represent any physicians, just that we have 18,000 members. Trying to represent physicians is a real job.

I’m a practicing cardiologist in the North Shore of Boston. I have an appointment at the North Shore Medical Center, which is one of the affiliated community hospitals in the Partners HealthCare System. I maintain a solo practice in Danvers, Massachusetts.

By the way, I do have some experience similar to what you heard. For the first nine years I was in solo practice, then for approximately 12 years I became an associate medical director. I was one of 7,000 employees of a not-for-profit staff model HMO. Then in 1995 I returned to solo practice. I feel I have that perspective of a small operation as well as a pretty large one.

I’m pleased to be able to testify here today before the National Committee on Vital and Health Statistics’ Subcommittee on Privacy and Confidentiality. Thank you for providing me with the opportunity.

On my behalf, and also on behalf of the medical society, I’d like to also thank you for holding these hearings on privacy rule implementation efforts. I believe there are a number of areas that can be addressed to assist solo practitioners, such as myself and small group physicians, in coming into compliance with HIPAA privacy regulations.

I consider myself to have probably more than the average exposure to the HIPAA regulations because of my long-term interest in this topic. Over the course of the years I’ve been involved with a number of professional associations and activities and devoted a lot of time to this. Currently I serve as the chair of the Confidentiality and Security Steering Committee at Partners, arguably one of the largest health care systems in the country.

We were real pioneers. I see Brian Kozik sitting here, too, who I met through Partners, and you’ll hear from him later. In 1998 we developed a very comprehensive privacy and confidentiality program after several years of discussing with many physicians on the staff at Partners, especially psychiatrists who dominated our committee. We made that available publicly on the Internet in 1998. I think Harvard Vanguard and Kaiser and the Mayo also put their policies and procedures on. It was hosted by CPRI Host.

In addition, I chair the American Medical Association’s e-Medicine Advisory Committee. We get involved with a lot of these issues at the AMA. Also in 1995, a year before HIPAA, at my behest our state medical society created a very comprehensive policy on privacy and confidentiality. It was passed by our House of Delegates in 1996. We also brought it to the American Medical Association, and they used it as the basis of their privacy and confidentiality policy. So in coming to Massachusetts, you’re sort of in one of the hotbeds of concern in New England.

Some of you may know, you heard that Mass Health Data Consortium was mentioned. I was a part of that, too. We, and the National Library of Medicine, funded the book, the study that was – the book, if you don’t know it, For the Record, which was published by the National Academy of Sciences. That was partly our funding that created that.

I certainly agree that we’ve been in the forefront of saying that protecting privacy is the right thing to do. As Bill Braithewaite(?) used to like to say, “The industry and the citizens came to us and said, ‘Make us do what we know we have to do.’” Saliha said we’re getting what we asked for. We’re very much in favor of it, but we’re worried about the complexity and the cost of implementation.

I can also tell you that I’ve chaired my own hospital’s privacy committee. There’s nothing like terminating an employee for privacy violations that gets the word around that we’re serious about this. I’ve been involved with a few of the efforts steering the right way how to do that. It’s not pleasant, but that is one of the most powerful implementation tools we have.

I said I can probably do a pretty decent job of telling physicians what the privacy rules are and how they came to be and how they’ve evolved over time; at the same time I’m having some difficulty preparing my own private office for the April 2003 compliance deadline. I principally wanted to speak today just about my own personal compliance efforts and what I’m grappling with as a solo practitioner.

Generally, the complexity of the regulations and the lack of adequate time due to the uncertainty and the changes that have occurred in implementing the final privacy rules have caused me a great deal of concern. I’m not concerned just for myself, but also for similarly situated colleagues who will be working on implementation with a small budget.

Despite all my HIPAA knowledge I’ve got a lot to learn, and yet I think I know more than 98 percent of the physicians in this country. I have a lot to learn. I have yet to prepare any forms in my own office, because I’ve helped write them for these huge institutions. I have not drafted a final privacy notice yet, and I have not specifically trained my single employee, who’s a certified medical assistant and who’s also my office manager.

I have designated myself as the Chief Privacy Officer and the Chief Security Officer. I have obtained a secure password for my office manager to log on to the network hospital system and to access patient medical records on a need-to-know basis. That was brought up by one of the questions a little earlier.

I direct my health system and my hospital’s security and privacy program, but I’m not an employee. When I said my employee needs to access the medical record to prepare lab tests and so forth they said, “Well, she’s not an employee.” Here I am the director, the head of the program. What kind of hold do we have on your employee?

I can tell you that, again, in my recent experience the people who’ve taken this privacy rule most seriously have been the practicing physicians who are not the employees of big organizations, who have either terminated or severely disciplined some employees who don’t live up to what they consider their own personal standards of privacy.

I’ve obtained personally a secured messaging website with the assistance of the American Medical Association and the Massachusetts Medical Society. We promoted the organization called “MEDEM,(?)” which some of you may have heard about. It’s a joint venture of a number of specialty societies. One of the biggest features of that is secure messaging.

I’ve also made it my practice to verbally inform my patients of the new privacy rule on a face-to-face, one-to-one basis, even though I’ve not consistently documented that in my chart. I’m still looking for an authoritative sample privacy notice from HHS or OCR, similar to what has been done with the business associates, that’s geared toward small practices.

I want to focus again on some specific things that I think HHS can do. One I just mentioned, the sample form for small practices. Two is the final Security Rule. Three is clarification of some activities, and you’ve heard a litany of them recently. To me the issue of phone, fax, and email is a little bit confusing. And then fourth, the clarification of the “Opt-Out” comments for less than 10 FTEs.

I’m departing a little bit from my prepared remarks, because I didn’t want to make this boring. I mentioned here that a package of model forms is what I think small group practices would really be very much helped by, if you could facilitate that.

I don’t think that we should be asked to pay hundreds of dollars for so-called HIPAA tool kits that are being circulated in the marketplace. I hope it’s clear to most, if not all of you, that similar to rising malpractice premiums and other health care costs, we’re unable to pass these costs on to our patients or even to negotiate with health plans to include them as a legitimate, necessary, and mandated cost of our operations. We need assistance so that we don’t have to shoulder this burden financially. At least if we had model forms or a sample form to begin the process, we could personalize them to suit our individual needs.

Again, you’ve heard there seems to be a consistent message from the Office of Civil Rights that rules are meant to be “scalable.” I sort of echo – it’s nice going fifth or sixth in line. You can say I agree with most of my colleagues here. We really need to understand scalability a little bit better.

Let me move on to the security rule. I think it goes without saying that it’s difficult to get a good handle on how the HIPAA privacy rules will impact my day-to-day operations without having the benefit of a final security regulation. There’s a great deal of talk that the final security rule will be similar to the proposed rule; but it’s almost four years since we’ve had the proposed rule, and we have no final, authoritative information.

It would be tremendously helpful to see what the entire package looks like, because I believe that security is very much intertwined with privacy. We need to see that final security rule as soon as possible to feel comfortable and see what’s practical for a small group practice. And yet the compliance is only eight months away.

I’ll address the third item, the phone, fax, and email activities. It seems to me there’s a lot of conflicting information – this is one where I may have missed some very clear statement – regarding phone, fax, and emails of protected health information. They’re involved with the standard transactions – and I do understand the difference between the codes and transactions in the privacy rule – but for many small offices billing transactions might utilize the fax machine as well as paper and the post office.

I’ve heard from some sources that fax transmissions are not really included under HIPAA, unless there’s a billing clearing house. Thus, one should not worry about them. Others have said, “Well, it’s unclear whether faxing is covered, so you should go ahead anyway and consider faxing as covered and just be compliant.”

What about all the physicians who still do all their billing on paper but need to fax PHI to hospitals or other physicians when one of their patients is being seen? This area needs to be clarified. Again, maybe it’s clear and I missed it in all these regulations, but that’s a question I have.

And then finally, the opt-out issue for less than 10 FTEs. I’m not sure where this came from. I’ve recently been reading the same listservs that others have referred to and I’ve seen these “how to escape from HIPAA” discussions. We’ve been wondering whether we’ll be exempt from HIPAA if we have less than 10 FTEs on our own staff. If that’s true, 10 FTEs, most physicians in the country don’t have 10 FTEs. There’s probably only 20 or 30 or 40 percent of physicians in the United States that have more than 10 FTEs.

MS. MARCUS: Is that a per doc number?

MR. SULLIVAN: Right, per doc. Right.

I think of all these things and these regulations, and I’m referring to my peripheral brain nowadays more and more. I have my little Palm Pilot with Hippocrates, and I’m wondering whether or not I need the HIPAA rules on these, whip them out in my office and say, “Let’s see. I’m exempt here,” whatever. It really is complex. We really could use some clarification from HHS.

In summary, let me make it very clear, as I said, I’m very much in favor of the new emphasis on privacy and confidentiality. It’s a good thing for all of us that it has the force of law behind it.

I’m a strong advocate of promoting the electronic exchange of billing information, and also, in the near future, of clinical information. I believe it will help us reduce costs in the long run, and improve the care of our patients.

Nevertheless, the short-term implementation costs and the complexity of the privacy rule and, in my opinion, the inexcusable delay in the release of the final security rule, need to be addressed expeditiously.

Thank you once again for the opportunity to present my opinion with the perspective of a solo practitioner who’s also been around.

MR. ROTHSTEIN: Thank you, Dr. Sullivan. Any clarifying questions?

MR. COHN: I think we need to sort of deal with opt-out. My understanding is the opt-out really has to do with the Administrative Simplification Claims Act, having to do with issues related to billing Medicare and the issue that Medicare is not going to accept paper forms as part of the ASCA Compliance Act, except that there was an exception made for people with less than 10 FTEs.

Stephanie, can you clarify that? I don’t think this has anything to do with the Privacy Rule.

MR. SULLIVAN: You may be right. I may have – I’m just telling you what I’ve seen on a list serve.

MR. COHN: I just want to make sure we get this clarified in the moment here, rather than waiting.

MS. KAMINSKY: That’s correct. That’s where the genesis came from, but my understanding is that in general when ASCA was passed it gave physicians the one-year delay for the Standards and Security, but it threw in that if you are billing Medicare you have to become electronic. You have to do your billing electronically.

On the one hand, it gave a little leeway; but it also forced more docs to become covered entities who otherwise wouldn’t, with the exception of the 10 physician office. There’s another exemption also, I believe.

Therefore, it is linked to privacy, because once you become a covered entity you must comply with the privacy rule.

Folks who bill Medicare will have to do it electronically, that will then make them a covered entity, and they will then have to comply with privacy. There is this 10-office employee exception for the billing of Medicare.

MR. SULLIVAN: Just remember that 10, that comprises a huge number of docs. Most docs who practice in this country don’t have 10 FTEs.

MS. KAMINSKY: Well, not all health care providers are covered entities. This has always been a piece of the way this HIPAA regulation has been moving through. There was always a little bit of leeway put out there for folks who are going to continue to do things on paper instead of electronically.

There was a sense, if I understand correctly, that Congress didn’t want to force all providers to become electronic and play by the games of HIPAA. On the other hand, there was a notion that the industry was moving in that direction and there have been other things, such as this ASCA legislation, that have tried to advance that direction.

MR. SULLIVAN: Thank you.

MR. COHN: Stephanie, thank you for the clarification. I guess my understanding – I’ll have to go back and read the hundreds of pages of federal rules. I had thought that the definition of abuses around security and privacy were not related to electronic transactions. I guess that’s my misunderstanding.

MR. ROTHSTEIN: Thank you. Now, Mr. MacLean.

Andrew MacLean, J.D., Maine Medical Society

MR. MACLEAN: Good morning. Again, Andy MacLean with the Maine Medical Association.

You’ll probably hear many of the same themes from me this morning. I do think that there are a few twists that we can offer from the Maine perspective.

Here are a few facts about the Maine Medical Association. I would also comment that we have some demographic factors that impact our health care system in Maine that are substantially different from the other witnesses you’ve heard from this morning.

Obviously, we’re the largest state in New England. We’re the most rural. We have a population that in general is older, sicker, or unhealthier than most of the population. That does have a significant impact on our health care practitioners in Maine.

In Maine’s Washington County, the far eastern county in Maine, it wouldn’t be unusual for a pediatric sole practitioner in that county to have 75 percent of the families on Medicaid in their patient payor mix.

I think one of the over-arching themes I try to sound when I’m speaking to physicians – and this is certainly different and perhaps one of our frustrations with the whole HIPAA privacy process – is physicians have also had a privacy obligation, unlike perhaps the other covered entities.

Here are several of the bases, I think, for the physician’s obligation. We’ve had an ethical obligation for many years. There are common law bases for the obligation. Most particularly in Maine we have a comprehensive privacy statute ourselves. I think we were one of the first states that attempted to pass such a law. I think it provides a worthwhile learning experience for other states and all of us as we look to HIPAA implementation.

It is a law that was submitted by the Maine Medical Association in 1996 when issues were being debated in Congress. It was based on a draft bill that was either developed by the Massachusetts Medical Society or a privacy working group that I know has been on-going in Massachusetts for some time.

Also interestingly, there were two specific issues out there in the marketplace that I think were of great concern to legislators in Maine that prompted this legislation: One was the marketing tactics of pharmaceutical companies, and the second was that one of the large health plans in Maine was requiring an extremely invasive six-page form of information to be filled out basically before any outpatient mental health services could be provided.

I’m going to repeat one of Saliha’s phrases. We have certainly tried to demystify the privacy laws when we’ve been speaking to physicians in Maine. We have worked very hard to provide low cost or free educational seminars and practical tools for our members. Our CDO and I have been out speaking over the last two years about the Maine privacy law and about HIPAA to basically anyone who would listen to us: practices, hospital medical staffs, county medical societies, and so forth. We’ve been working on tools, some of which you’ll see attached in my packet.

It’s my feeling, and part of my message, that good faith efforts at complying with the HIPAA privacy regulation are the same as best practices under current privacy law.

This is a slide that I took from a presentation, about an hour-long presentation that I’ve given on our state privacy law and HIPAA. It’s one of those things where doctors will say, “Gee, the rule’s in flux. We can’t do anything. We’re paralyzed until it’s finalized.” I think that’s nonsense.

This is the kind of thing I say, “Look, if you take nothing else from this talk this morning, here are four things that I think you can and should do when you go back to your office right now that will not break the bank and will not absorb an inordinate amount of personnel resources in your practice.”

Obviously, appoint a privacy officer. Don’t make more out of that than I think is intended. It simply means that someone on your staff should know something about the privacy obligations that the physician has and collect the materials that come in across the desk and coordinate the training for other members of the practice.

Develop and use a consent form. You’ll see in the packet I have drafted a one-page consent form that in my view is useful as a general – I think it is what would have been intended as truly a consent form under the original privacy rules. Something that would be used as part of new patient in-processing, something that could be combined with the other documents that you put in front of a patient at the beginning of the relationship, the informed consent, the financial responsibility pieces, that kind of thing.

I also say that that general form is necessary, but it may not be sufficient. You may need to look at a belt and suspenders approach. The second part of this is the authorization form concept under HIPAA. There may be some types of treatment for which informed consent about the disclosure needs to be closer in time to the proposed release.

In Maine, for instance, that would be HIV testing. It may also be the case with some of the other sensitive areas of treatment, such as mental health and substance abuse. You might want to take this general form and adapt it to something that is more specific, more narrowly tailored.

Third, develop a simple privacy policy. Issues of internal security, staff, and I probably should have put, listening to Dr. Marcus’s talk, patient access within the office.

Finally, take a look at your personnel policy. You ought to have a provision in there that emphasizes the importance of staff, protecting the confidentiality of patient information.

Now, I’m not going to put you through this. I’m going to quickly run through these slides. I think you’ll find some of the quotes from the Wall Street Journal kind of amusing. It’s been very interesting to watch this national debate about the HIPAA privacy rule, because we lived it in Maine between 1996 and 2000. We have lived with our law now for two years. After the first hubbub about it I think practitioners in Maine are quite comfortable with it.

These show you the types of authority for disclosure under the Maine law. The problem with the initial attempt was that it set a standard of written authorization by the patient and provided no exceptions. That’s what had people backed up in hospital waiting rooms and emergency rooms and so on.

You’ll see the one or more of 20 statutory exceptions. Under the Maine law, this is the way we really address the issues of treatment payment and health care operations. Those are the types of things that are the subject of the exceptions to the requirement for written authorization.

I would like to try to address the specific questions that were put to us in the initial email briefly. In terms of technical assistance that I think practices could use, aim at the practice managers who are the likely privacy officers. In terms of educational offerings, remember if you want to attract physicians generally they’re going to have to be in the evenings. Simplify, simplify, simplify, I think is the message.

Offer practical tools. You’ve heard it several times this morning. Forms, form consents, form authorizations, form Notice of Privacy Practices are very helpful. I heard Betsy’s request for summaries. I guess I would offer one thought about why that doesn’t happen more often, and this may just be the lawyer in me. I think lawyers are very uncomfortable with summaries, because it’s very difficult to capture all of the important aspects of the law in a summary. Rather than go through that exercise, frankly whether it’s the government or any of us that are trying to help out the medical community, I would focus on those more practical tools.

Best practices: I guess the main thing I would offer here is regardless of the March 27th changes to the privacy regulation that say that consent isn’t necessary for treatment, payment, and health care operations, I think using the type of consent form that I described and that I’ve included in the packet at the beginning of the relationship is a best practice. It’s something that I would certainly recommend that all of you use.

Compliance resources: Certainly we’ve turned to the medical societies by and large. We’ve been doing the work on our own. I also use the AMA website a lot. I included that, because you can get to all of the other national specialty society websites from there. They all have this type of information on the website.

We continue to do education forums. We have planned, now that the regulation’s final, we have a half a dozen around the state taking place between now and the end of the year. We have a – it’s more than a HIPAA hotline. We have a legal hotline. Gordon and I take anywhere from a dozen to two dozen calls a week about a variety of compliance and other legal issues.

How are practices handling the training mandate? I think it varies. I mentioned that we’ve done some of this, other outside resources certainly. Privacy officers in the practices are doing some of that on their own. By and large, in my observation in Maine, I think they’re doing a pretty decent job.

Coalition building: Some of this is going on. I think it’s more common with the more technical aspects of HIPAA compliance, the transaction standards rule, the technical people. I think, frankly, it’s more valuable in that area. You’ve heard it from – I think Betsy mentioned perhaps more than any of us the conflicting interpretation. I do think there’s a danger that these sessions can turn into group hand wringing about, “Oh, what do we do? What do we do?” I think the energy is better directed at the practical tools and forms and so forth.

Preemption analysis: This is something – one of those things that only lawyers could love. I feel a little guilty whenever I take calls from people who say, “How are you doing in your preemption analysis?”

My response is, “I’m not doing a preemption analysis.” I don’t have time to do a preemption analysis. I don’t really care to do a preemption analysis. One day the governor of Maine, if he should choose to pursue the exception, is going to sort this out. Until then, our advice is going to be assume that you’re going to have to comply with both.

I don’t think that the Maine statute conflicts with the privacy rule. I think certainly there’s an argument that Maine’s law is more protective, because we still retain – I think, though, with the exceptions you may say the exceptions swallow the rule. But I still think that from the best practice standpoint and the premise of the law is written authorization to disclose. Again, it’s a completely unrealistic expectation that a physician practice would do this.

HIPAA vendors and consultants, certainly the accuracy and quality varies. You’ve heard this theme loud and clear, that I think we’re very concerned about the scare tactics that we hear. The message seems to be, “You couldn’t possibly comply with this law without our help.” I think that’s disturbing.

Thank you.

MR. ROTHSTEIN: Thank you, very much.

We have a few minutes for general questions. I’d like to just ask one question of the panel. I thank all of you for your testimony.

A common theme has been your, if I may collectively refer to your remarks, as the need for the department to come out with more clarity in terms of giving you model forms and guidelines and so on and so forth.

My question is besides producing the model for various practices and a model notification and model this and that, do you see a need for actual training to be done by the department? In other words, for the department to actually coordinate on-site training programs, to do web-based instruction, to do video conferencing, etc., besides just producing these documents. From your various perspectives, would you rather tailor it to your own institutions, and you’ll take the ball and run with it?

MS. MARCUS: I think you need to do everything. We definitely would benefit from having sample forms and instructions on how to use them and adapt them and what kinds of things are going to be the most important.

Just looking back at the efforts that the government made around the terrorism and the bio-terrorism stuff, where they had webcasts and then they had videos. If you couldn’t make the time to the webcasts you could order the videos. I think some public health organization actually made them available, and they were free.

I think that there are so many different ways in which you need to reach the people who need to know that whatever you can do is going to help. In the same way that the private sector is responding with newsletters and tips and CDs and stuff like that, if the docs had that available from the government and didn’t have to pay $100 or $300 for whatever the private sector is offering that would be really helpful.

Just like I mentioned, Medicare and Medicaid is having, as we speak, a HIPAA seminar with ten days notification. If I wasn’t obligated here this morning and had this already blocked out in my schedule, I would have looked at that and said, “Can’t get to it,” and it would have gone into the recycle pile.

That response is being duplicated in multiple offices. If they can’t get to that, maybe if they had a video that they could throw into their VCR at night they might be able to get to that; or if there’s a webcast that they could log on to at 10 o’clock at night, although who wants to look at HIPAA at 10 o’clock at night.

The thing is that multiple ways is always very helpful. Before I just close, if you have another couple minutes, this summer I was a patient. I have some comments about HIPAA from the point of view of a patient. If you have time for that we’ll go to that.

MR. ROTHSTEIN: Thank you Dr. Sullivan. Dr. Fine.

MR. SULLIVAN: I just sort of echo what Dr. Marcus said. Just as we want you to produce a model, a sample Notice of Privacy, you could produce a model or sample training program, a videotape available, a web cast, a Power Point thing that you could download.

I think a model training program that maybe it wouldn’t be one size fits all, but something for hospitals. I’m obviously more concerned with the provider side than the payor and the clearinghouse. Model compliance, model training programs for hospitals, physicians, related health care workers, I think would be very helpful.

MR. ROTHSTEIN: Dr. Fine.

MR. FINE: I was going to add only that it depends on whether – the answer to the question is it depends. It depends on whether models and information can be made simple and clear. If it’s models that reflect the complexity that people are struggling with and try to cover the bases of all possible options, it’s not going to help much.

MS. KEENER: I have one thing I’d like to add to that.

I think having a model, anything would be very helpful if you can get it to us soon. April is coming up very quickly. For those of us in a large organization, we have a lot to do. We have a lot of people to train. If you give us a model training program in February, I’m going to be happy. It’s just not enough time to do it. Anything you can get to us in the fall would be great, but after that it just won’t help us at all.

I would just also add that from my position what I really need is timely answers to questions. If a bunch of us in the room are struggling with something, is there someone we can send a quick email to? Is there someone we can call? Just so that within a month or so we have an answer to a question instead of writing and finding out much later.

MR. MACLEAN: I think that the professional organizations are comfortable with the role of developing these tools and tailoring them to our individual membership.

I would have the government focus more time on interpretive guidance. I meant to mention that I thought that the guidance document that OCR published in the summer of 2001 was extremely helpful. While no one likes to read the Federal Register, I thought the clarifying comments in the March 27th publication were excellent, too.

I would have you focus more on that kind of thing, and maybe supplement that with an opportunity to ask specific clarifying questions.

MR. DANAHER: I’d like to ask a question of two of the presenters. I thought that they were both excellent presentations.

There’s a little bit of a dissonance I have. When Mr. MacLean, when you presented – and again I just thought it was terrific – the impression I’m walking away with is that many of the mandates, especially in the areas of privacy and security, especially in privacy, are not going to be a big problem for the Maine physicians, because in point of fact there’s already a Maine privacy regulation that may or may not be more stringent. It’s almost as if HIPAA for the Maine physicians is an almost non-event. My perception is that if we were to go to many of these offices that they would have policies and procedures, etc.

Then Ms. Khaja’s presentation made it sound – and I think probably Dr. Sullivan is probably the number one most knowledgeable physician in Massachusetts on HIPAA, quite frankly. Massachusetts has had a privacy act in place also. So I guess I’ve got this dissonance in trying to understand why have the Maine docs gotten it and it’s not going to be a problem for them; and the Massachusetts docs, who have also had a privacy reg, they’re so far behind the curve, or whatever.

MR. SULLIVAN: Can I comment a little bit on that?

We’ve had some privacy laws in Massachusetts, but there has been a bill in the Massachusetts legislature for almost four years now that has not passed yet. It’s been discussed not to the level similar to where it was done in Maine. I think Maine had the advantage of actually passing the law, whereas Massachusetts, as usual, was still deliberating on passage of the comprehensive law that allows, for instance, private right of action, which I don’t know if the Maine law does. The proposed Massachusetts law does, and it hasn’t passed.

There’s been a debate, but it’s in a small circle of legislators and privacy advocates. Therefore, most physicians, I think, don’t know about the Massachusetts statutes, even though Saliha has referred to the fact that we do have some other ones, but they’re nowhere near as comprehensive as what has been debated over the last few years.

MS. KHAJA: Just a few comments on that. I think it always seems to be more ominous when it’s coming from the feds. People think back to Fraud and Abuse and how it’s criminal in terms of prosecution. I think while certain practices, in terms of interaction with the patient, may remain the same in Massachusetts, what you don’t have are parallel administrative requirements.

I don’t think anybody has a Notice of Privacy Practice document in Massachusetts, even though some of those practices may certainly be in place. It’s these other types of statutory requirements, legal documents, I think, that are what the big change is focused on, but not so much in terms of, “Do we work to protect privacy?” Absolutely. Massachusetts has been very good at that.

MR. MACLEAN: I think that most Maine physicians, if you walked into most practices in Maine you would find them using some sort of consent and authorizations form. Now that the rule is final and with the new emphasis on the Notice of Privacy Practices, we need to spend some time there. I would not say that you would walk into most Maine practices and find a good Notice of Privacy Practices in place.

I did include from the AMA website one of their model notices. I’ll tell you my initial reaction to it. It’s a good document, but it’s lengthy. Our experience with the Maine statute, whether it’s forms or notices, they have got to be short and simple. No boxes to check. No blanks to fill in, because you will have people stacked up at admission if you do.

MR. HARDING: Richard Harding.

One of the issues that has been swimming around in my head is the phrase, “HIPAA compliant.” We’ve heard about HIPAA compliant forms, HIPAA compliant vendors. Who’s the credentialer of that?

What I heard was maybe the medical association gets leaned on to say, “Okay, who’s HIPAA compliant? What’s a HIPAA compliant form?” Do the professional associations feel that’s their responsibility, to be the credentialer of HIPAA compliance, or is that something the department, HHS, OCR, should be doing very clearly for people?

MS. KHAJA: I think ultimately it’s the enforcement arm. For privacy it will be OCR. That’s what I tried to allude to in my testimony, which is our physicians are going to feel more comfortable if they’re provided with a form from the enforcement arm than if they’re provided with a form from somebody else.

MR. SULLIVAN: That’s a good question, because it comes up. I chair the Information Systems Committee in my hospital. We’re hearing the discussion among the vendors all the time. When they’re talking about HIPAA compliance they’re talking about the final security. Just as there was in the last year or so prior to Y2K, there were these, quote, Y2K certification programs, but none of them were – as far as I know – directed by the government.

It’s similar to there are groups setting themselves up now saying we’re going to certify that you’re HIPAA compliant, but nobody has the kind of authority, or the ring of authority, that may mean something, other than they may be a big organization or they’ve got some real stars and some vendor’s background.

MR. ROTHSTEIN: To follow up on that, I think there is a substantial likelihood of confusion among small practitioners who get a solicitation that says, “Purchase this because it’s HIPAA compliant.” They have the erroneous impression that it’s met some federal standard, when really it’s just a marketing slogan.

We had the same thing 30 years ago when OSHA came into existence. We had vendors saying that this is OSHA certified, and OSHA doesn’t certify anything. I think to the extent that the medical associations perhaps could publicize that. You’re likely to be bombarded with mailings saying, “Buy our HIPAA compliant,” and there is no such thing, and consult with us, or whatever.

Dr. Marcus?

MS. MARCUS: I think that that’s going to further confuse things. There has to be some standard by which the physicians can measure things. If you come out and say that the word “HIPAA compliant” really has no teeth, it’s like saying the emperor has no clothes. The docs are just going to throw up their hands further and say, “I give up. I’m just not going to do any of this.”

I think it behooves the government to put some standard behind saying, “If this has or includes this, this, this, and this, then it meets the minimum standards for HIPAA. You can trust that if you do these things you will be in compliance.” I think docs want to be compliant, but they just don’t know what they need to be compliant to.

MR. ROTHSTEIN: Well, clearly the government needs to set out the standards. I think the concern is that it’s got this self-proclaimed Good Housekeeping seal that some commercial entity bestowed upon itself. That would be my concern.

MR. SULLIVAN: Physicians were familiar with the term “compliance” long before Administrative Simplification. We have the issues of CLIA, the labs in our offices; were you compliant with Fraud and Abuse, one of the first big parts of HIPAA before Administrative Simplification. I think we’re all familiar with the word “compliance,” but I agree that unfortunately it’s taken on this connotation that is confusing.

MR. ROTHSTEIN: Simon, did you have any further questions? With that – yes?

MS. MARCUS: Can I just make one other suggestion?

In addition to producing materials to educate the doctors about HIPAA and what they need to do, I think it’s really important to produce materials to educate the public about privacy issues. They don’t really understand that, and they’re breaching their own privacy all the time. They do it in the sense that they’re just totally unaware of it.

Public service announcements, videos, the insurance industry is really good at that. Who are those two characters on TV that were blamed for killing the prescription? You could do a scenario like that around the privacy stuff, and that’s going to sail right home to the public.

Putting the entire onus on the physician is not going to meet everything that you need. For instance, I tell patients when they send me email that they shouldn’t use their work email, because they don’t own that email and their boss has the right to look at that email if they so choose. I say get yourself a Hotmail account, because then, if you need to, you can use your office computer to access the Internet, send the email from the Hotmail account, and the message stays on the Hotmail account. It doesn’t go through your office network.

People were just, “Oh, really!” They had no idea about stuff like that. One dad was asking me for a mental health referral for his kid. I wanted to check out a couple of people before I gave him the names.

He said, “Well, why don’t you send me an email?” I went through this scenario. He gave me his office card, his office email. I said, “I’m not so sure you want this to go through your office network, because you may not want your boss to know about your kid’s mental health problems.”

He looked me straight in the eye and he says, “I’m the boss.”

I said, “Okay.” In general, the public doesn’t understand things like that. In this new electronic age, they really need to start to understand that. You could do a lot of good with public education.

MR. ROTHSTEIN: Thank you for that point. Once again, thank you to all the witnesses. We know you’re very busy, and we appreciate you sharing time with us.

Unfortunately, we are behind schedule; but we will take our break now. The second panel will begin promptly at 11:30.

(A short recess was taken)

MR. ROTHSTEIN: We’re on the record again. This is Mark Rothstein, chair of the National Committee on Vital and Health Statistics Subcommittee on Privacy and Confidentiality. I want to apologize to the members of the second panel for running over.

My plan is to have this panel between now, 11:30, thereabouts, and 12:45. I understand that some of you may need to leave early, so we have readjusted the order in which you will be giving your presentations. With only four on this panel, as opposed to six on the last panel, I don’t think that should be too great a problem. That’s why I was a little bit free with your time. I apologize for doing that.

As we did at the beginning of the morning the subcommittee members introduced themselves and indicated any possible conflicts of interest. Dr. Danaher came in late and did not have an opportunity to do that, so I’ll recognize him now.

MR. DANAHER: Thank you, Mark.

First of all, I’d like to apologize for being late. My name is John Danaher. I’m a member of NCVHS and a member of the Subcommittee on Privacy. I am also the president and CEO of a web-based training company focused on health care compliance, with a special focus on HIPAA. I do not believe that my presence today will be a conflict of interest. I thank you for allowing me to be here.

MR. ROTHSTEIN: Thank you.

Let me just remind the panel members to please speak into the microphones. You will have 10 to 15 minutes for your initial remarks. I’ll give you a one-minute cue. After your initial presentation I’ll ask members of the subcommittee if they have any questions of a clarifying nature for each speaker. Then at the end of all four presentations we’ll have a panel Q and A and a chance for some interaction.

Because of his schedule I have put Dr. Halamka first. If there are no objections from the co-witnesses on this panel, please proceed.

Agenda: Hospitals - Panel 2

John Halamka, Chief Information Officer, CareGroup Health Care System

MR. HALAMKA: Good morning, and thank you. My name is John Halamka. I’m the chief information officer of the CareGroup Health Care System.

CareGroup is six hospitals, about a $1.4 billion integrated delivery network serving eastern Massachusetts, 12,000 employees, 3,000 doctors, about a million active patients. As CIO of that organization I’m responsible for all clinical, financial, administrative, educational and research IT. Therefore, the responsibility for HIPAA Administrative Simplification and the security rule implementation for this collection of hospitals and doctors falls to my organization.

In addition, I’m chairman of the New England Health EDI Network (NEHEN), which I will describe in a moment; it is a consortium of 45 major payor and provider organizations, largely in Massachusetts, but we’ve also expanded to Connecticut and Rhode Island. That organization is responsible for Administrative Simplification implementation throughout the New England region. In that respect, being chair of that, I’m responsible for administrative simplification across the New England region, moving today about 150,000 HIPAA transactions a day across largely hospital-oriented groups.

I’m also the CIO of the Harvard Clinical Research Institute, responsible for maintaining patient privacy on all of the clinical trial data gathered across 1,700 hospitals, and I’m associate dean of Harvard Medical School, responsible for all educational technologies. At Harvard I’m protecting student and faculty privacy.

I wanted to focus our remarks today on really the hospital side, of course talking about privacy and security, but mentioning a bit about Administrative Simplification, because it does dovetail into privacy and security, given the consortium approach we’ve taken in New England.

I will completely agree with the previous panel in saying that there’s much work to do and there’s significant burden in implementing HIPAA, but from a hospital’s perspective it’s both what we want. As a piece of legislation, HIPAA saves us millions of dollars. It does things that we really need to do for the benefit of our patients and our doctors anyway. The three areas I’ll describe are the administrative simplification, privacy, and security rules.

In 1998 John Glaser, the CIO of Partners, and Rick Shoot, the CIO of Tufts, and others gathered together in New Orleans with the Massachusetts Health Data Consortium and a number of other organizations to talk about privacy, security, and public infrastructure. At that meeting we decided to do HIPAA together as a region.

You can see some of the partners that came together: CareGroup, Harvard Pilgrim, Tufts, Lifespan, UMass, Lahey, Boston Medical Center, Children’s. Today, as I mentioned, it’s 45 provider and payor groups representing about 90 percent of the health care transactions done in Massachusetts, working together to implement administrative simplification without having transaction fees or friction. It’s really a convening organization agreeing how to use the standards embodied in HIPAA to reduce the cost of medical care.

In addition to doing the administrative simplification, we have an important privacy and security role, in that together we adjudicate how we’re going to exchange transactions. Business partner trading arrangements are done collectively. Today, this organization has one trading partner agreement for Massachusetts.

Of course, we’ve all signed our individual agreements with each other. That is, we produced the one document and I sign it with Tufts and Blue Cross and Harvard Pilgrim, etc. In effect, from an efficiency standpoint we agree as a state to have effectively one set of forms, one set of documentation, one set of agreements for the information that we are interchanging amongst ourselves.

We’ve also been able to do security together. Although we’ve said, “Yes, Partners, Blue Cross, Harvard Pilgrim, we’re individually responsible for security and implementation of the security rule in our organizations,” we’ve learned a lot together about how to do it right. We know the rule isn’t yet finalized or implemented, but as I’ll describe there are some basics of protecting ourselves that we’ll all want to do anyway.

Just as an amusing anecdote, Ziff Davis, a large publisher, decided to challenge the security of the NEHEN network and all of these various payors and providers, and asked my permission to bring white hat hackers into the data center of CareGroup and give them 48 hours over a network connection inside the data center to try to compromise the security of patient information traded by this consortium. They were not successful.

They did, however, write a wonderful 30-page article in Baseline magazine in June describing their efforts to break the security and compromise the privacy of this group. Some of the theoretical attacks that they performed gave this group enough warning, if you will, to be able to bolster its security measures as a group. Now, in fact, we have a document that says, “Folks, we are going to protect ourselves, and here are some of the basics, although the security rule is not final, that we have learned from these white hat hackers; we better have these security measures in place.”

To give you a sense of where we are as a state, I think that you will find we are much ahead of the United States with regard to the administrative simplification portion. We have completed in the State of Massachusetts eligibility, specialty referral, claim status inquiry, referral authorization and inquiry, and electronic remittance. We’re just in pilot on claim status across these various organizations I’ve described, and claims submission, both institutional and professional. In the winter we will have a complete, live implementation of all of the ANSI X12 4010 HIPAA mandated transactions throughout our region.

We have really taken this consortium approach and leveraged it to educate all of our payors and providers. Because we do this together, as was described by the last group, there’s enough mass that we can produce education materials and share them with the individual practitioners, the individual staff members and employees of our various organizations. Although we came together for the purpose of administrative simplification, we do much privacy and security for policy making and education and promulgate that information throughout all of our groups.

How are we doing with the Privacy Rule? We recognize the Privacy Rule in its current form requires notice, consent, and transfers to third parties with appropriate trading partner agreements, appropriate standards and policies for accessing, copying, and amending, dealing with complaints and enforcement, and an audit trail to find out who got the information.

Each of our individual organizations in CareGroup has deferred to the central committees of the CareGroup organization the policy making regarding this particular set of Privacy Rule limitations. The way we’ve organized ourselves, as we said, at CareGroup, the integrated delivery network, we will come up with a consistent master policy manual that will be shared with all of our hospitals and all of our doctors’ offices. We will have privacy officers appointed at each individual entity. We will, together, produce standard forms centrally. We will produce a single Notice of Privacy Practices to be disseminated throughout all of our organizations.

We will develop a central staff training program, web-based, as was described would be ideal for NCVHS and HHS to do, and a consistent disciplinary action program, which basically states if you compromise patient confidentiality you’re fired. Pretty simple. Every employee, both doctor and staff, must sign an agreement upon becoming an employee of or affiliated with CareGroup that acknowledges the disciplinary action that will take place if you compromise patient confidentiality.

Together we decide on access controls. Who has the right to see patient information and in what circumstance? We have certain information, such as mental health and substance abuse information, that gets special protection. This is even beyond what the privacy and security rules state today. You cannot access mental health or substance abuse information electronically without signing a consent, if you will. As you click on that element that you are going to access, it states, “This is especially protected information. This access will be audited, guaranteed.” We will email the author of the note, if it’s a mental health and substance abuse note; at the very act of opening this you must tell us why you are looking at it. We’ve done quite a bit of access control work.

Standardized complaint and amendment procedures: of interest, we have made available to the 1 million active patients of CareGroup a web-based amendment procedure, so that, with appropriate access control, a patient is given a user name and password for access to their entire medical record and then is capable of both amending that medical record and reviewing the audit trail on-line, showing all individuals who have accessed that medical record and why.

We’ve been up on that since 1999. We’ve done about 2.5 million transactions through that system since 1999. It’s called “PatientSite,” and it’s available for you to look at on the web at PatientSite.CareGroup.org. You can take a tour and actually exercise the medical record amendment and security audit process.

As I mentioned, standard policies for addressing compliance and dealing with non-compliance throughout our organization. We have a large research community, about $150 million in NIH sponsored research, and deal with standard IRB and standard approvals for accessing patient-identified or aggregated information throughout the network.

All of our business associate agreements are handled centrally. And of course, standard opt-out procedures and dealing with common policies on the marketing, fundraising and development side across all of our hospitals.

That’s a huge amount of work but, again, the way that we’ve decided to do it is that we have this central organization we call CareGroup that is going to be responsible for those work plans that I’ve mentioned, the communication of all HIPAA requirements to the affiliates.

In effect, acting as an internal consultant and resource.

We have elected not to seek any outside consulting assistance in our HIPAA privacy or security activities. Occasionally we will hire, for example, in the security realm, a contractor who may have special expertise on some technical issue, but we’ve not brought in any of what I call those – I think the last panel referred to it – the naysayers and panic inducers who say, “Unless you hire us you will have no chance of being HIPAA compliant.”

Just to tell you, I probably get a dozen emails a day saying, “We are HIPAA experts,” spelled H-I-P-P-A. I write them back that a HIPPA is an African female animal.

We have provided templates and work plans, policies and procedures, consents and authorizations. We can do that because, again, we’re a $1.4 billion organization. As the last group stated, the non-affiliated practitioner or the small practice just can’t do the kinds of things that we can do because of our size. I encourage HHS to develop templated policies and procedures for dissemination to those non-affiliated practices.

We participate on committees both national and regional. The training program has been developed on the web.

Our work team is divided quite simply. We have a central oversight committee. I’m responsible for security rule and all administrative simplification. Leon Goldman, who is our Compliance Officer, is responsible for privacy and the templates, consultation and training around that.

HIPAA, for us, is not an IT project. HIPAA is a consortium project involving legal, human resources, information technology, medical records, appropriate individuals throughout the clinical community with a great interest in balancing privacy and patient care. We know that you can protect patient privacy but compromise their care if the balance is set too strictly.

We also recognize that health care is ultimately a local phenomenon. This means that there may very well be local IT systems, local organizations or infrastructures that do require some customization of those centrally mandated plans. Although everything I’ve mentioned to you we handle at a central CareGroup level, we also have some local committees that are able to give that local flavor, the local spin, work through some of the work processes and procedures at local community hospitals, and then report back to the central location how implementation of our standard policies, procedures, guidelines and materials have progressed.

As was also stated by the last group, we are challenged by the fact that the security rule has not been formalized. And yes, I have during that long winter night six months ago sat down in front of a fire and read the entire Security Rule in its nine-point type from end to end and was disappointed with such recommendations as: Firewalls are good. Encryption is good. In general you should audit.

Well, this is a bit Mom and apple pie, since there’s absolutely no specificity to the rule. I can create a firewall that’s useless. I can create encryption that any MIT graduate student in two hours can break. In fact, for us, since the rule is not finalized and not specific, we have developed what I consider our own best practices. It’s a matrix, in effect, of 60 criteria that I took from both my experience and from For the Record. Some best practices are implemented across the nation in other IDNs (integrated delivery networks) for authentication, role-based access control, auditing, etc.

In effect, what I’m going to call this, because we’re in Boston today, is something that will pass not the security rule necessarily but the Boston Globe test, which I think is actually even more severe. Would a well-informed member of the public look at this matrix of 60 criteria and say that we had done a very credible job in attempting to protect confidentiality with appropriate security?

That’s really what these 60 criteria do. It means I can sleep at night knowing that we have created a moat, if you will, around all of our IT systems that guarantees the privacy rule could be enforced by having appropriate security measures.

Ultimately what I do is I remediate the worst offending systems. We know the rule is not final; the rule is not specific. I do the very best to pass this Boston Globe reasonableness criteria.

I’ll summarize my comments by saying we’ve done administrative simplification as a region. It has saved millions of dollars. Partners has experienced a $20 million savings; CareGroup a $10 million dollar savings. Overall administrative simplification has really improved work process. Together as a consortium we’ve done this rapidly, at low cost, with great savings.

The privacy rule is just good business. Our patients depend upon us to protect their privacy and confidentiality. It’s hard, but we have to do it. The security rule, we desperately want to be formalized. But in the time that we have while it is not formalized, we’ll mitigate risk so we can appropriately protect privacy and confidentiality with the security rule.

Thank you.

MR. ROTHSTEIN: Thank you. Any clarifications?

MR. DANAHER: Dr. Halamka, thank you, very much.

Would you – the BI for years has positioned itself as a community hospital. There are lots of community physicians who admit. What outreach, in terms of training, if any, what is CareGroup’s obligation to those community physicians who are admitting patients to your hospitals? What are you doing for them and what standards are you holding them to?

MR. HALAMKA: A very good question. CareGroup credentials a number of physicians. Those credentialed physicians we feel we’re responsible for education. In fact, to get access to any clinical data our credentialed physicians must sign a standard acknowledgment, sort of an equivalent to what we’re giving to the patients about privacy protection, which also includes the various penalties for inappropriate access.

We hold these credentialed physicians responsible for their actions, have them sign appropriate documentation acknowledging the need to protect privacy and confidentiality, and give them limited need-to-know access to the data that’s necessary as part of their admitting process. All of the web-based materials we make available for training will also be available to our credentialed and risk associated physicians.

I will also say that our non-credentialed physicians, that doc who refers to us from Texas, or from the Middle East, cannot get access to our clinical information. We’ve just made the rule: if you’re not credentialed we can’t sanction you; therefore, no access.

MR. DANAHER: I just want to make sure. This is very helpful for me. If you are a community physician that’s credentialed and has admitting privileges to one of CareGroup’s hospitals, you will have access to CareGroup’s policies and procedures in regard to privacy and security. Then also perhaps be required to sign a form saying you’ve read them and understood them and blah, blah, blah, blah, blah.

MR. HALAMKA: That’s correct.

MR. DANAHER: Thank you.

MR. HARDING: This was a very good presentation.

This is just a brief question. One of the selling points of HIPAA was that it was going to save a lot of money. I don’t think that I have heard anybody in testimony say that this is going to save us money until your testimony. Where is that savings coming from?

MR. HALAMKA: Well, I’ll give you several financial indicators. Because we’re now doing all benefits eligibility, referral authorization, and claim status electronically, this means that the number of denials, administrative delays, and AR days have gone dramatically down, to the point where we now have the lowest accounts receivable in the City of Boston. We get the data right from HIPAA transactions as the patient is in front of us. We don’t have to go fishing for data after the patient has already left.

We’ve been able to downsize our fiscal operations significantly, because no longer do you have to sit on the phone for hours a day trying to figure out why a claim has been pended. It’s all electronic. You just ask. Simply, the revision of the entire revenue process in the hospital that takes place as a side effect of administrative simplification creates a radical redesign of all the work processes and the cost of doing the whole revenue cluster.

I’ll tell you, here’s the numbers: $10 million a year in administrative simplification savings, $1 million in the cost of privacy rule implementation. A $9 million ROI sounds pretty good to me.

MR. HARDING: It does to me, too.

MR. ROTHSTEIN: I don’t think they’re looking for any investors.

MR. HARDING: It’s very pleasing to me as a person who’s been involved with this to see that it isn’t all a horrendous obligation with no payback, both in the sense of privacy as well as in sense of fiscal accountability and simplification, which was the original idea.

Thank you.

Alice Polley, Sturdy Memorial Hospital

MS. POLLEY: Thank you, very much.

I’m Alice Polley. I’m vice president for clinical services at Sturdy Memorial Hospital down in Attleboro, Massachusetts.

I’ve been asked to represent a small institution. The contrast between my organization and John’s is dramatic. We’re hardly in the same universe. This is going to be an interesting contrast.

Sturdy is located almost in Providence, Rhode Island. We’re in southeastern Massachusetts, down near the Rhode Island border. We have 145 beds, and that includes 21 bassinets. We own 12 physician practices with about 50 physicians on salary. We’re not even a drop in the bucket compared to John’s organization. Our efforts are correspondingly simpler.

Back in December of 2000 when the final privacy rule was passed, we got going on it. It fell to me, because I’m in charge of compliance at my organization. As is typical in most small organizations, everyone wears lots of hats. I have departmental responsibility. I have fiscal responsibilities. I’m the integrity officer for both the hospital and the Associates – Sturdy Memorial Associates, which is the umbrella organization for our physician practices - and I got stuck with HIPAA privacy and security and transaction codes compliance.

I immediately chose someone to be the Privacy Officer and someone else to be the Security Officer, and constituted a task force by pulling together the proper functions and the proper people in our culture to figure out how to put all the rules in place.

They started meeting in March of 2001 and are continuing to meet. Some of our early decisions – I thought this might be a helpful place to start. We developed email guidelines for communications between caregivers and patients. These are the only transmissions of personal health information that actually take place over the Internet in our organization. Everything else passes on the intranet. Our security concerns aren’t as complicated.

Frankly, I hope we keep them off the Internet as long as we possibly can. It simplifies the task, and it simplifies the risk, or diminishes the risk. By diminishing risk that way we don’t have to spend a lot of money to try to do it.

The email guidelines involve a contract between a practitioner, whether it’s a nurse practitioner or physician, and the patient. In a couple of cases it’s a social worker. It involves a contract between the caregiver and the patient. That contract requires a conversation over what email is good for and what it isn’t good for. It cannot be considered confidential. Certain transactions or information shouldn’t be passed over email.

That contract becomes part of the medical record. We also ask the practitioners to print out every email transaction or communication and put that in the record as well. That’s what we’ve done to try to put some controls on that.

We also decided early on that the hospital and the Associates, or physician practices, would not become affiliated entities. We are not going to write a single notice. Many of the practices are quite different from each other. They’re certainly different from the hospital. I think the best way to keep the notice as simple as possible in each place is to tailor it to each place, rather than try to come up with a consolidated document. Not that anyone’s ever going to read these things, but it’s just going to be simpler, I think, to try to keep them tailored to the specific site.

We also decided that we wouldn’t use consultants. The phrase “flavor of the month” comes to mind. As soon as some rule gets passed there’s suddenly a whole host of experts out there trying to sell their services. What needs to happen here is we need to read the rule. We need to read the law, and then we need to talk to a lot of people. We’re as capable of doing that as any of you or anyone who sells their services as consultants, so we haven’t used any. Most of the time we don’t on any project.

Some of the difficulties that we’ve faced: Everyone has mentioned this already so I don’t have to dwell on it, but the uncertainty over the final rule has been a complication. We got started right away, and then the administration changed and the NPRM came out. While I was aware of issues with the final rule, and I was delighted to see that the NPRM addressed those issues, it also lent – it forced us into a waiting mode. We had to say, “Okay, if the final rule goes into effect, we’ll do this. If the NPRM passes as it’s written, we’ll do that.” Then we had to wait and see what happens.

Now that we have a final final rule we’re actually finally moving ahead at a pace that feels more comfortable. So that’s been annoying.

Defining a business associate: I can’t tell you the number of times that I have been in roomfuls of lawyers trying to decide the definition of a business associate. Just when they think they’ve got it, someone will say, “Well, what about the dialysis provider in this hospital?” Or, “What about this particular person in that situation?” Then all of a sudden they’re at each other’s throats again and they haven’t got a clue. This has been difficult. It’s been hard for us to try to figure out who our business associates really are.

Once we finally had a list that we were reasonably confident of, we then started looking for our contracts with those entities. It may be true in some very well organized, centralized organizations that contracts all live in one place, but let me tell you, at my organization they don’t. They live everywhere. The Department of Case Management has some contracts that don’t live anyplace else. Cardiac rehab has a contract. They’re everywhere.

We had to find them and centralize them and then look at them and figure out, “Okay, what’s their expiration date? What kind of language do we have to put in? Are we going to do it on a normal rollover, or are we going to do it by way of amendment before the normal rollover? Or is it an evergreen contract and then we need an amendment?” This has taken extra people and extra time.

It hasn’t cost us any money, except for the time. I don’t think that the privacy rule has to be terribly expensive. I would agree with John that there is some potential for savings. I also don’t think this has to be very expensive. It’s time consuming, labor intensive, but it doesn’t have to be expensive.

Right now our contract language is under legal review. With the year’s extension that we’ve been given to actually exercise the amendments or the contracts I think we’re going to be fine. This has tied us up in knots for months.

Then there’s the minimum necessary requirement. We’re doing a comprehensive computer menu review right now by job category in the hospital. It’s a monumental task, but thank you, very much. It needs to be done anyway. We really haven’t done this as carefully as we should have all along the way. If privacy were dropped tomorrow we would continue this task, because it’s good business. We should be restricting people to the minimum necessary personal information that they need to do their jobs.

We’ve done a decent job but not a very good job at that. We are now going to do a much better job whether privacy comes or goes or whatever. We need to do that. We also need to do more audits of computer access. Our system doesn’t allow us to do audits as well as we want it to, so we’re upgrading to the next version of our Meditex software in November, and then we will have more audit capability.

Just when we were trying to figure out what our audit capabilities were we found two employees who had simply been surfing out of curiosity and looking up lots of people’s information, including mine. The consequences were not pretty. In fact, what we’d found was that we hadn’t been systematic enough and careful enough to justify terminating them on the spot.

We publicized this event so broadly now, and we’ve reintroduced the confidentiality statement that everyone had already signed but forgotten about. It now has become part of our annual performance review process for every employee, every volunteer, and every physician as part of the recredentialing process. Now the bar has been raised and the knowledge is out there that we expect people to use only the information that they need to use. If anybody violates this rule again it will be termination on the spot.

We would not have taken that on if the privacy rule hadn’t come along right now. This is a good thing. You’ve helped us in that regard. It’s a lot of work, but it needs to be done.

In terms of resources, most of them have already been mentioned. The state hospital association has done a good job, the New England HIPAA Workshop - the group that John has led, has been very effective - Mass Health Data Consortium, there are newsletters and websites and so on.

The one product that we purchased was a binder of model forms and some guidance from a law firm here in Boston that gets it. We spent a little bit of money on their product, just to give us something around which to wrap our situation.

In terms of preemption, the Boston Bar Association is taking care of that for us. I wouldn’t begin to take that on myself. They’re going to be putting their findings on a disk, which they’re going to sell for $395, and we are going to buy it. I hope that it makes sense. I think the gentleman from Maine has the right idea though, just take the most restrictive rule and consider it best practice and follow it. I’m not a lawyer. I don’t want to be a lawyer. I don’t want to pay a lot of lawyers. We’ll do the best we can on that one and just take the most conservative approach. I think that will keep us safe and that will keep our patients’ information safe.

In terms of training, there is one commercial product that we are planning to hand out to all of our employees. Training will be done in department meetings. It will be department specific. The housekeepers don’t need the same presentation as medical record clerks or billers or nurses or physicians. What we will do is stress patient confidentiality through this. They don’t need to know the technicalities of the rule; they need to know the intent.

HIPAA privacy has already been added to our new employee orientation agenda. I’m on the agenda to speak to the physicians on our medical staff at their annual September risk management meeting. That will draw in not only the physicians that are salaried by us, but the other 125 or so that have privileges that are not salaried. If they have questions I’ll make myself available as a resource to answer them. You’ve heard the Mass Medical Society is doing a very good job on this as well. They have resources available there.

In terms of enforcement, frankly, I’m not worried about official enforcement. I’m just not worried about it. The Office of Civil Rights is no more scary than the OIG or the Attorney General. It’s just not the issue. The real threat is the court of public opinion. Patients have a right to expect us to keep their information confidential and to use their information appropriately. If we mess up and end up on the front page of the local paper that will be much worse than any official enforcement action.

This is a situation where we need to do the right thing because it’s the right thing, not because the Office of Civil Rights is going to hire additional people to do audits on us. We’ve got to keep this in perspective. Beside that, I think it’s going to take years of case law to determine where the official legal boundaries really are on this rule. It just isn’t clear yet.

In conclusion, yes, we are a small organization. Thank goodness. I would rather be small than be large and complex. At least I’ve got an organization that I can wrap my arms around. I can go and I can ask people to do something, and they’ll do it. They all know who I am. Frankly, I don’t mean any disrespect, but this is no more onerous than APCs or APGs. It’s just another unfunded mandate. When we get this one under our belt something else will come along. It’s not that big a deal.

If you really want to help us out, then don’t let the rule change very often and don’t bring back consent. I don’t think the consent conversation as part of an admission process has any value added. I don’t think patients care about their information at that moment in their lives. I think they care about the test they’re going to have, the procedure that they’re going to have, the illness that their mother has, whatever. Their mindset isn’t on administrative trivia, which is what they would think of this. I don’t think consent for use of information adds value. It doesn’t mean that we have less responsibility, but Notice will cover it. Don’t let consent come back.

Thank you, very much.

MR. ROTHSTEIN: Thank you. Clarifying questions from the subcommittee members? Okay, thank you. Ms. Cramer.

Anne Cramer, J.D., Counsel to the Vermont Association of Hospitals and Health Systems, Eggleston & Cramer

MS. CRAMER: Good afternoon. I’m Anne Cramer from the law firm of Eggleston and Cramer, which has 14 attorneys, only three of whom do health care with me.

We serve as legal counsel to the Vermont Association of Hospitals and Health Systems. That is an organization that has 16 hospital members. It includes 14 acute care facilities, a psychiatric hospital, and the Veteran’s Administration Center.

Just to orient you all, there are only 600,000 people in Vermont. They are cared for by 16 hospitals in Vermont, as well as the Dartmouth Medical Center.

Eleven of the hospitals in our membership have 75 or fewer licensed beds. One is 19 licensed beds. Our firm provides counsel to the association, which has about 11 staff people. We also provide counsel to the Vermont Health Care Association, which is the nursing home association, the Vermont Council of Developmental and Mental Health Services, individual providers, nursing homes, physician practices, you name it. I don’t do HIPAA full-time, although it’s starting to feel a little bit like it.

We are happy to testify today primarily on behalf of our Vermont hospital members. That will be the focus of my comments.

To start, although in spirit and in principle the HIPAA privacy rules do not drastically change long-held tenets of confidentiality to which hospitals are accustomed in Vermont, the level of nuance, administrative detail, and complication combined with the failure to preempt state law results in a challenging workload for overextended staff in our small hospitals.

Just as an aside, certainly in Vermont, I know in other hospitals, we have staff shortages. We have staff turnovers, so administrative personnel who might be available to do some of this work are frankly struggling to make sure we have nurses on the floor and techs in the x-ray rooms.

We definitely need more technical and financial resources, at least from our perspective. We are very concerned about the time now left between now and April 14, 2003. We’ve encouraged the concept of an enforcement roll back on the idea of allowing another six months to a year after April 14, 2003.

Just to backtrack – and some of this will be repetitive of what you’ve heard from others, but I guess there’s some consistency, particularly for small providers. The HIPAA privacy rules have not brought clarity or certainty to the law regarding health information.

Just as an aside, in Vermont we have attempted since virtually 1995 to enact a comprehensive law somewhat similar to Maine’s. That was just a complete quagmire in every legislative session, so that’s never occurred. We have very dispersed law that we try and piece together and translate together to figure out what the law is in Vermont without HIPAA.

As background, I’ve been lecturing on this topic really from the late 1980’s. The job of trying to translate statutes which don’t match in terminology is something that is not new to me, but adding HIPAA on top of it has just simply become a larger and more complicated project.

A provider simply has to know Vermont law, HIPAA law, and then needs to try to figure out the circumstance which controls. As you may have realized, the statutes use terms like waiver, authorization, consent. Sometimes they mean the same thing; sometimes they mean different things. People are really trying to wrestle at times with what a word really means in a specific legal context.

With the potential for penalties and the likelihood of private litigation, which will be based on the federal privacy standards, compliance with health information confidentiality rules has become significantly more burdensome. That’s really not to say - as Alice has said, confidentiality has always been taken seriously, but now we have a different level that we’re really trying to decipher, both with the federal and the state law.

Simply from our standpoint, full implementation and compliance by April 14, 2003 in the organizations that I see and work with is a daunting task. People take it seriously and are working for it, but there are significant hurdles.

To review those, first, simply start up. Many hospitals started a process soon after the final rule became, quote, final in 2000. Others put it on hold with the idea that it would be delayed or the final rule would change significantly. There are those who are starting today, and there are those who have been working on this for a year and a half and they are now amending policies that they had written earlier this year or last year.

In small hospitals there’s a difficulty in figuring out how to get going and keeping that momentum going. Simply determining who’s going to be responsible is not a simple thing. Health information obviously is dispersed throughout any organization. The use, the practices, the policies are different depending on the department and the tools. You don’t necessarily have a natural, central structure for someone to take over and dictate to others how changes are going to be made or implemented.

Few privacy officers who have been named at any of the hospitals that I’ve worked with have that as a sole job. They may be the HR person. They may be the chief financial officer. They may be the information person. They may be the medical records director. There are a lot of different people wearing different hats who now have privacy under their work assignments.

To fully implement the HIPAA privacy rule, each organization has to do a really thorough, massive review or audit to figure out what they do and the disclosures that they make now. This level of examination exceeds what we’ve done in the past for compliance plans or for Y2K failures. I think this is probably the most all-pervasive work plan that has been rolled out to hospitals yet.

Theoretically, each hospital can simply dictate that every department should take whatever effort it needs to both identify uses and disclosures and change policies. The reality is they have significant resources used in trying to understand the rule, apply them in Vermont, and spend the time reviewing current operations in the context to revise and implement new policies. The rule, as you’ve heard, is not user-friendly.

The types of coordination teams who are being put together can be anything from the information systems director, the chief financial officer, patient accounts director, director of medical records. Sometimes clinical folks will be involved; sometimes they won’t, simply because of time constraints.

Many of the hospitals also own physician practices. They may be directly affiliated with nursing homes, home health, behavioral medicine providers. They’re trying to put this all together and integrate to the extent possible their policies and procedures.

The reality is these team members and their talents vary. If they’re determining an interpretation of “minimum necessary” as it’s used throughout the organization, they may have some significant hurdles, as well as trying to figure out which disclosures will be tracked for accounting purposes, particularly when they’re oral disclosures, as opposed to something that might be electronically audited.

We have a definite need for outside counsel and consultants to at least advise on what the rules mean. Despite an aversion to using outside counsel and consultants, people simply need to figure out what the rules mean and how they relate to Vermont law.

At the same time these implementation teams, frankly, right now are wrestling with the other aspects of administrative simplification. They like – as you’ve heard from the physicians – don’t understand the transaction and code set rules or their delays. They are also trying to determine what should be reasonable safeguards to secure health information with a fear of what they do then needing to be changed as soon as we have a security rule finalized.

A major start-up challenge is that the rule contains concepts that aren’t readily assimilated. Without more guidance on both the federal rules and state laws there are often complex decisions that hospitals find daunting to navigate. For instance, the decision on whether to be an organized health care arrangement or an affiliated covered entity stops people in their tracks. They really need to make those decisions quickly. They may require medical staff bylaw changes. They may require corporate bylaw changes, and they should be made now while they’re starting to draft policies.

The second hurdle, as I’ve already alluded to, the outside guidance is inadequate and the preemption analysis is lacking. To date, the State of Vermont and the federal government really have not provided help to small providers. Speculation as to what the final rule would be up through August 13, 2002 did not help.

Now with the rule modification there is a lot of resource material that has to be revised. Many of the resources you’re looking at you don’t know whether you can rely on them, because you’re not quite sure whether they’ve anticipated the final rule sufficiently. If they don’t have a copyright date of September 1 or later for this year, it’s a question mark.

The Center for Medicare and Medicaid Services has started to sponsor events. We certainly encourage that, but it also has admitted that it’s been at the beginning of its work on the privacy rule compliance.

The State of Vermont, I would say, has been without resources to provide any guidance. The state agencies continue to struggle with their own gap analysis and policy changes. They ask others like me for assistance.

Generally, the small providers and hospitals I work with do consider the WEDI/SNIP resources helpful. They don’t take it down to the level of detail needed to actually implement in the organization, but it’s a good starting place.

Myriad vendors and consulting organizations exist. They tend to be expensive. The reality is they don’t eliminate the internal input needed for individuals on site to actually understand their current, existing health care practices and to implement policy change. The opportunity to save any time or money through the use of outside vendors is simply not realistic.

Lawyers asked to advise on the privacy rules can easily get caught up in wrangling with the nuances in the rules, such as what is the workforce that has to be trained; or what is the scope of services and communications included in direct treatment; again, whether a hospital should designate itself as an OHCA or an affiliated covered entity.

We have also found that given the prospect of enforcement and penalties, legal counsel will give you over-conservative advice. That results in hospitals being paralyzed. They don’t know what to do. They want to be practical and all of a sudden the risks seem over-daunting.

Again about preemption, there simply isn’t a resource in our state. There are probably ten attorneys in Vermont who practice law, to be liberal. In saying that, three of us are getting together Friday to start the process of going line-by-line through what is an inch or two thick of state law that may or may not impact on the HIPAA privacy regs. There’s just simply no simple prospect on this.

What I find with some of the Notices of Health Information Practices that I’ve looked at is the hospitals simply want to rely on the HIPAA rule. When you look at a series of the disclosures that they list for patients that might occur, they actually have failed to consider that the Vermont patient privilege statute is stricter. Many of the permissive disclosures under what is Section 512 actually would not be allowed under Vermont law. Those analyses are not yet out there for these organizations to really understand and grasp.

A third major hurdle is the notice itself. Anyone can write it, but it’s not user friendly. When you look at 520 and the requirements, it results in a lengthy detailed and technical document. Again, most folks are having trouble trying to wrestle with what Vermont law survives when they start writing these notices.

Third, the notice is given to patients when they’re registering. They don’t want it then. They can’t deal with it. They often find it harassing to have yet one more piece of paper that they need to sign to acknowledge receiving it. Yet, we all know and fear that this notice is going to be the essential document which determines whether or not the hospital has appropriately complied with privacy rules, including whether it might be exposed to private causes of action for privacy breach.

Providers really should have a person available who can respond to questions regarding the notice and actual health information practice. Again, because of the complexity of the rule and the limitation of time and staff resources, this is a burden. It will take some time to sufficiently train a pool of people to field those questions well.

I realize my time is waning, so the other hurdles to be considered are business associate contracting. As other folks have said, it’s tough to figure out who’s a business associate. I will emphasize that there are many, many agreements that are not in writing today. People need to really do some serious screening to figure out those relationships that now will need to have a written agreement. Those that are in writing expect to have to actually negotiate the terms. They’re going to learn that that’s not the case.

Work force training is an issue. I will emphasize on the side that public education – someone mentioned it earlier – really is needed across the board. Patients need to know what to expect with their health information and how it’s used in the hospital. When they get the Notice of Privacy Practices it should not be their first encounter.

Vermont and New Hampshire providers have put together a coalition, the New Hampshire and Vermont Strategic HIPAA Implementation Plan. It’s been a good coalition. It has a website. It’s been trying to share materials for best practices. Most all of those materials need to be amended now. At least operationally providers have tried to work together to avoid the consultants and do what they can to share good practices. More guidance would be welcome and no changes from here.

Thank you.

MR. ROTHSTEIN: Clarifying questions? Ms. Ahn, please.

Jean Ahn, HIPAA Project Director, Yale New Haven Health Systems

MS. AHN: Good afternoon members of the subcommittee. Thank you for this opportunity to present on the HIPAA privacy rule implementation. My name is Jean Ahn, and I am the HIPAA project director for the Yale New Haven Health System in Connecticut.

I’d thought I’d start off by providing some brief background information on the health system before using the bulk of my time to address issues that are of major concern to the system in the HIPAA privacy rule implementation.

As you can see here the Yale New Haven Health System is composed of three main delivery networks that include the Yale New Haven Hospital in New Haven, Connecticut; Bridgeport Hospital in Bridgeport, Connecticut; and Greenwich Hospital in Greenwich, Connecticut. For the purposes of HIPAA this system will consider itself one, single-affiliated covered entity.

Along with the Yale New Haven Health System it forms an academic medical center with the Yale School of Medicine, which is under separate ownership and is a separate entity; and, therefore, also poses unique challenges to the HIPAA implementation. However, for HIPAA purposes the entities have proposed to form an organized health care arrangement.

Just for some comparative purposes in terms of some general statistics, Greenwich Hospital is a small community hospital composed of 160 beds, and had roughly about 10,400 admissions in fiscal year 2001. Bridgeport Hospital is a mid-sized hospital with about 425 beds and roughly 20,500 admissions in fiscal year 2001. Yale New Haven Hospital is a larger hospital with 944 beds and roughly 41,600 admissions in fiscal year 2001.

System-wide we have roughly 9,500 employees and 3,200 members of the medical staff, all of whom will need to be trained on the HIPAA privacy rule, as well as internal system policies and procedures.

We have a HIPAA implementation structure that was instituted last January, 2002 that followed on the heels of our assessment phase that kicked off last July, 2001. I will state that for full project management facilitation it has helped enormously that we have senior management who chair most of our subcommittees and task forces.

For example, our HIPAA efforts at the system level are chaired by the system executive group led by our system CEO and President, Joseph Zackaneno(?), and our system HIPAA council, led by our Executive Vice President, Gail Capazalo(?).

Each of the delivery networks also has a coordinating council that facilitates at the local level the HIPAA compliance efforts. They are led by Bridgeport Hospital Chief Operating Officer, Hope Regan(?), Greenwich Hospital Chief Operating Officer Quinton Freeson, and Yale New Haven Hospital Senior Vice President Brian Condon.

You’ll note that we have system task forces for the four major topics: EDI, education, privacy, and security. Under privacy and security we also have at the local level – that is, there are local delivery network privacy and security task forces. It’s important to point out that each of the privacy and security system task forces is now focused on working on 20 different documents each related to privacy.

Quickly in terms of a budget perspective, with all due respect to Dr. Halamka, his presentation focused primarily on the transaction code set requirements. Although we do see benefits from EDI in the long run, I think at least from the outset for privacy and security reasons there are some significant concerns about the cost that we’ll need to pay out in terms of technical outlays for security related to the privacy requirements.

Therefore, the major concern is that there are not federal monies available to assist hospitals in their compliance efforts, particularly at a financially difficult time.

Having said that, I will now focus the remainder of my presentation on the issues that all of our HIPAA foot soldiers are facing. If time permits we’ll also focus on some of the resources that are available and have been utilized by the systems, as well as our approach to training.

Listed above are obviously the individual rights provided under the privacy rule. I thought I would focus in on what our subcommittees are facing in terms of some of the detailed issues with each of these patient rights.

First of all in regard to the patient right to request a written Notice of Privacy Practice, the health system committee did receive a condensed two-page version of a Notice of Privacy Practice from another health care institution. When they first received it they were somewhat skeptical, because we had been working on a seven to eight page document.

However, upon further review and trying to balance what our responsibilities to our patients are in terms of outlining what the uses and disclosures of PHI would be, balancing that with the likelihood that they will understand and be able to read a seven to eight page document and balancing that again with administrative burden, they have now reconsidered and have proposed that the two-page document may be what we will be utilizing, as long as it covers all the required elements in the privacy rule and it is reviewed by outside counsel and our HIPAA consultants.

Secondly, in regard to the right to request a copy of protected health information, one of the outstanding issues that this subcommittee faces is the issue of frequent requesters who request the right to inspect their records. Here you’ll find that in terms of in-patients there are some in-patients who request the right to inspect their records on a daily basis or sometimes several times a week. This constitutes having a clinician sit with them, review the record with them, and then answer any questions that they might have. You can see that it could impede care provided to other patients. Therefore, although the privacy rule does address time and manner of access, we would appreciate some guidance on limiting maybe the frequency of access.

Regarding the right to request amendment of billing or medical record, the billing representatives on our subcommittee for amendments have stated emphatically that for patient satisfaction and efficiency reasons it is crucial that we be able to continue our process where if a patient calls over the phone with a standard request for a simple correction we be allowed to make those corrections over the phone and just make the notation in our electronic record.

For all other non-standard requests that we receive that can’t be resolved, we would issue them a formal right to request an amendment form that would be filled out and returned to us. Therefore, the system would like to ask HHS if there are any objections to doing so.

In regard to having a reasonable request for confidential communications and restrictions accommodated, the subcommittee that is working on this is faced with the issue of a decentralized nature of information systems. Therefore, the question comes up that our ability to absolutely guarantee restrictions and confidential communications across the board is limited.

The criteria that are being held up are, for example, is the patient in harm’s way; does the requested restriction restrict our ability to provide quality health care, obtain payment, or manage health care operations. Therefore, these are the major criteria that they are proposing to hold up to these requested restrictions and confidential communications. Again, the question posed to HHS is are there further technical expectations regarding the request for restrictions and confidential communications.

In regard to the accounting of disclosures, our subcommittee has stated that this will be extremely burdensome. Please note that for our HIM departments and our medical record departments, they are being seen as the key bodies for all of these patient requests: the right to request access, the right to request amendment. Then on top of this HHS is now asking them to please account for all disclosures to public health authorities, government agencies, and the FDA.

We would like to ask that you reconsider whether these actually need to be accounted for, particularly since these disclosures will be noted in our Notice of Privacy Practice, and given the fact that many of these disclosures do not originate within HIM or medical records but with physicians directly, clinicians directly, social work directly, or other departments.

Lastly, in regard to the accounting of disclosures, again, burdensome will be the accounting of disclosures for reviews preparatory to research. Here again, only a portion of the records that are reviewed will be used in the study. Those records that are used do require a patient authorization or an IRB waiver. On that note, one of our delivery networks that has an electronic medical records system, the issue is that when physicians access an electronic medical record you can’t tell whether they’re looking at it for a treatment purpose or for a review preparatory to research. Therefore, for all of these reasons there are some issues and concerns regarding these accountings for disclosures.

Regarding the right to file a complaint, the subcommittee has no major issues at this time.

Quickly, in terms of time I’m going to focus on some of the other areas where our health system is facing some issues and concerns regarding implementation.

First of all, in regard to the email and fax issues that others have raised, although the July 2001 guidance that was posted by HHS does state that all forms of PHI transmitted need to be subject to the privacy rule, no specific guidance was provided on email and fax. Therefore, if possible, guidance would be appreciated here. On the slide I've listed some of the questions that have come up for this group.

In regard to PHI and research, earlier I noted that the Yale New Haven Health Systems and its affiliated medical school have proposed to form an organized health care arrangement. The question is whether OHCAs are strictly limited to treatment, payment, and health care operations issues, or whether within the context of an academic medical center that can be expanded to include reviews preparatory to research, as well as research activities. Alternatively, if that is not allowed is it the expectation that the two designate each other as business associates?

In terms of some other related issues, in regard to research there is the issue of, one, Access databases that are unknown and unidentified by the covered entities. Even with all the training we'll have, sanctions in place, business associate agreements in place, these types of databases may continue to exist and be used for reviews preparatory to research. How do we address this issue?

And secondly, disclosures are permitted without an accounting for health care operations issues, again, for things such as quality improvement, care coordination, quality management, etc. Sometimes eventually these topics are used for reviews preparatory to research, but because they are never accounted for we would not know that. We ask HHS to consider these situations.

Regarding "reasonable safeguards," which have been raised several times by panelists, again, we would request additional clarification and examples of what reasonable safeguards are and specifically guidance about when reasonable safeguards cannot be operationalized.

An example at one of our health care system's hospitals is in regard to polarizing screens. At considerable cost one of our system hospitals did implement polarizing screens on the majority of computer monitors on several units in order to safeguard against incidental uses and disclosures.

It turned out on visits to the floors that often these screens were taken down and discarded to the side. When we asked staff why, they stated that it was very difficult to read. It gave them headaches.

We brought that to our occupational health department because of concerns about occupational safety hazards. The physicians there did support staff concerns. We're faced with a situation where we have tried to implement reasonable safeguards and there is a potential for a safety issue here. How do we address this situation when good faith efforts have been attempted and apparently do not seem to be working?

Quickly, two issues related to training. The first is in regard to clinicians who rotate within and outside of our institutions. Individuals such as physicians, students, traveling nurses, social workers. Is it feasible to require that they take HIPAA training at each of these respective institutions?

We've heard from medical staff that it's going to be very difficult to have them actually complete one training, and then to actually ask them to complete three or four different sets of training does not seem to be feasible to us. Therefore, guidance would be appreciated on whether one set of training can be approved where we receive sign-off on that training, as long as hospital or system specific policies and procedures are provided.

A best practice here appears to be, if a hospital association has not yet talked about training, that maybe the state hospitals would convene and join together to collaborate on a set of training to eliminate this issue of redundant training.

Also in regard to the HIPAA concept of workforce, again, this issue relates mostly to a lot of the security policies and procedures that are coming up that relate directly to privacy. But again, we have the issue of standard versus non-standard members of the workforce. So in particular, in regard to non-standard members, individuals such as temporary employees, students, volunteers, are different criteria going to be used to evaluate them, for example, in regard to background investigations?

Background investigations are a costly activity to conduct. They cost approximately, we hear, $75 per head. For our policy purposes we will institute that for all system standard employees, but what are the expectations for non-standard employees? Similarly again for training, how do we address the issue of temporary workers and contracted employees who are only on-site for a limited period of time, sometimes maybe a few days, but will have access to PHI?

Very quickly, because I have one minute left, in terms of resources that the system has utilized on a low-cost basis, I've listed here some of the websites that we've utilized. The first one, the AMA "How to HIPAA," has been very helpful for our physician practice organizations.

Moving down to the internal Internet site and other resources that we have internally, we do have a HIPAA Internet site for the system that employees can use to access information on HIPAA. There’s a master calendar with all the HIPAA events there and a restricted workspace where members of our task forces can go to download the current versions of documents, as well as obtain access to minutes and status updates, that sort of thing.

There are also privacy case studies that we’ve started to highlight internal incidents that have post-HIPAA implications. Most recently we did a privacy case study involving a high profile police case that involved disclosure to the media.

Then lastly, regarding our HIPAA Hunts. We have done some HIPAA Hunts – on the next slide, which I'll show you – to reinforce to staff who maybe don't have a good understanding of what HIPAA is, just to increase their awareness and then also to gather their thoughts on what some of the potential violations are and also what some of the low cost solutions are.

And lastly, in terms of the last few resources, HC Pro has a videotape out that has been extremely helpful to staff in terms of depicting a lot of the patient violations that are out there. Roughly, that cost has been discounted; for about four copies of the videotape it was about $1,000.

In regard to our Connecticut Hospital Association, they’ve been a fabulous resource in terms of being able to share and express concerns and ideas. On our behalf they have actually sponsored and commissioned the state preemption analysis for all the Connecticut state hospitals.

Having said that, if there are any questions please let me know. Thank you.

MR. ROTHSTEIN: Thank you very much. We especially appreciate the great specificity of your recommendations for us to take. First, some clarifying questions from the subcommittee on the last presentation? And then I'll open the floor for questions and comments on all the panel. Dr. Cohn?

MR. COHN: First I want to thank the panelists. It’s been a very interesting set of presentations.

I think I have a question for both Jean and John, only because I'm sort of struck with – there was a very strong difference in the type of presentation you gave in terms of both the value and the opportunity and how this was going.

Obviously, John you’re from Massachusetts; Jean you’re from Connecticut. Is it you’re giving it a different level of specificity? Or would you blame the Massachusetts effort? What’s going on here?

MS. AHN: I think our presentations do deal with the levels of specificity. I actually do sit on all of the subcommittees that are producing all of these policies and procedures, so I do have the details about what the issues and challenges we are facing are.

MR. HALAMKA: I guess our answer would be that we recognize that they’re like Y2K compliance or implementation of any rule, as you suggest there are gradations of what is reasonable to do.

Together, by trying to share the costs across the whole state, we've been able to reuse a lot of resources so that Partners and CareGroup, etc., take the cost as you presented and just divide them over a million – or in our case let's say probably about nine million patients – and 5,000 hospital beds, etc., so that the per entity cost of actually doing some of this work is probably less.

As well we’ve tried to decentralize by using the web a lot of the time to train and such. So it could again be that the way we’re accounting for some of our cost for delivering this is less because of technological approaches.

MR. HARDING: I’m going to appear ignorant here, but one of the issues that has come up is the amending of records and patients having the ability to amend. We had always discussed in the committee the issue being more that they could append the record, as opposed to amend the record.

What are the safeguards in the amending that you’re talking about? Certainly if a patient said, “My date of birth is wrong,” that’s not a big issue unless there’s an issue of being eligible for something because of age.

What about the more subtle amendments that a patient may want to put in there to look out for their discrimination at a later time or something like that? It might be true, but they feel it’s not what they want in their records.

MS. AHN: Actually, our policies and procedures for that actually state that if there's any issue where problematic results might likely occur, we need to bring it to our internal legal and risk management folks to take a look at beforehand.

When I was addressing the billing record amendments and I stated that over the phone some standard requests would be accommodated, there are some verification questions that are asked before that information is provided and verified.

For example, we would not send out information to an address that’s not currently on file with the system. But otherwise a written request would be required.

MR. HALAMKA: Just as an example we’ve done is that since all this is done self-service on the web there’s work flow routing that takes place. For example, if an individual patient goes to the web and changes a demographic then that’s routed to the appropriate individuals in both either the fiscal area or the HAIMA, the Health and Information Management Area.

If they change a clinical or amend - it’s really, you’re right, it’s really append not amend – a problem list, a medication list, a note, that’s routed to the clinicians involved. Their offices are effectively immediately notified that the patient has added an over-the-counter medication or they added a problem, changed a note. Therefore, it’s dealt with in appropriate ways with risk management, if necessary, but mostly from a medical liability standpoint to inform clinicians.

MR. HARDING: I’m sure that there’s just those few people that somebody was talking about who want to see their record everyday in the hospital. It could be a real problem.

MS. KAMINSKY: I want to thank all the panelists. I really enjoyed the varied perspectives that were brought to the table this morning. I think it will be very helpful to the committee and the department.

In particular though, Dr. Halamka, when we spoke in advance of the hearing we had spoken a little bit about your work with the affiliated physician practices of CareGroup. The kinds of things I think you had talked about were your ideas about identifying low hanging fruit that physician practices could easily do to upgrade security and maybe privacy practices within their offices. I'm wondering if you could just identify a couple of those ideas that you mentioned previously?

MR. HALAMKA: Sure, absolutely. When I was describing the security rule implementation and the notion of the Boston Globe test, the stay-out-of-the-newspaper-with-bad-stuff, what I was saying was when you look at the fact that we have, let’s just say in CareGroup, several hundred different IT systems. In the affiliate doctors offices they have electronic medical records, email systems, a variety of electronic systems. Some of these systems are so bad that they violate what would be a rational person’s assumption that we are protecting privacy adequately.

For example, sending patient identified information on the public Internet with no encryption, auditing, or access control is very, very bad. We've identified within CareGroup there are certain vendors of certain systems that have got egregiously bad security practices. What we're basically saying to folks is, "Well, as you read the security rule and it says 'encryption is good,' it doesn't really say should we use triple DES or 128-bit secure sockets. It doesn't get to a level of granularity."

If you have a system that is unencrypted and transmitting public health information over the Internet, let's fix that one first. At least get it encrypted. If you choose to do email without using our secure, encrypted web application, at the very least you need to understand the risks.

This is what Dr. Marcus was suggesting. If a patient sends information from a place of work, their employer owns that stuff. They can read it. Sending a piece of information over the public Internet through regular email transaction is a bit like sending a post card. There are probably dozens of server administrators along that route who can just read it.

Understand your risks. If you agree that you understand the risks and consent to the risks, maybe you can use regular old email with your doctor’s office, but as also was stated, most patients just don’t understand that. We tell the docs, “Hey, use Patient Site. That will give you secure, encrypted, audited communications between patients and yourself.”

The basics of understanding how your EMR is protected and audited, make sure there's not a trail. Basically, what we've tried to inform them about is not the subtleties of 128-bit secure sockets or triple DES, but just encrypt, just audit, just give passwords to every person in your office that are strong and different, some of those stay-out-of-the-Globe kinds of things.

MR. ROTHSTEIN: I have a question that I'd like to ask Ms. Polley and Ms. Cramer.

In the first panel the witnesses representing small physician groups made, I think, a statement to the effect that their number one concern was what I'll characterize as sort of procedural. They wanted forms, notices, off-the-shelf guidance from the department that they could use with relatively little effort and adopt with relatively little expense and so on.

In your testimony for relatively small hospitals what I seemed to hear was something a little different, in the sense that what I heard you say was your concerns were more of a substantive nature. In other words, don't go back to consent. Don't do this, that, or the other thing, as opposed to giving us some sort of suggestions or marching orders as to what we might recommend on the procedural side, if you will, that the department can help you with in compliance.

Am I reading your – or interpreting what you said wrong?

MS. CRAMER: Sounds like a loaded question.

MR. ROTHSTEIN: If it sounds that way it certainly wasn’t intended that way.

MS. CRAMER: In part I think, and this may be a little bit of a time constraint and not trying to repeat things said before, I would say public education and training is so needed. We would really welcome whatever efforts we can get from the federal government.

Standardizing forms helps to a degree. I’ve told you my problem in Vermont. There’s a lot of interpretations, and I would love it if someone from HHS would like to sit down with someone from the State of Vermont and help try and provide some guidance on that. I’m not sure whether that addresses your question.

MS. POLLEY: I tend to take a very pragmatic approach to almost everything. When John’s talking about physician practices your whole mindset is very technical. All your information is computerized. When I’m thinking of a physician practice I’m thinking more in terms of paper. I’m thinking in terms of whether or not there’s glass between the receptionist and the waiting room. Is it possible to easily overhear conversations or not? I don’t need guidance from Washington about how to deal with that.

I needed the clarification about incidental transmission of information and reasonable efforts. Those were two very important pieces of helpful guidance that came out recently. Then I’m looking at physical layout and number of people in what square footage and what paper is available to be seen and is the print big enough that it can be read upside down. Where are our computer screens placed?

We’ve also had people complain about the polarizing screens. We depressed computer screens, put them under desks. We’ve turned desks around. Very physical, physical, pragmatic kinds of things that I don’t need help from Washington on that. I just need to know sort of where the reasonable line is and what has to be included in a notice.

Then the burden is on us to look at all our information practices, make sure they make sense to us. Are they necessary? Are they at a minimum necessary, and then have we captured it on a piece of paper? A model form could be helpful, but ultimately we're going to have to do the work ourselves.

I'm just dealing at a very different level and a different scope and much less computerized information, much less technical than John, who is a computer wizard.

MR. DANAHER: I think very much part of the goal of these hearings is we early on identified - we were much less concerned about whether large, academic, organized delivery systems were going to be compliant with the regs. We kind of felt that they had the resources, etc., to get there.

What I think the goal and the hope of these hearings is – our perception was, and I think in the first panel we heard it was borne out – our perception is that small and mid-sized physicians and other provider groups are totally lost. That's what we heard from Tom Sullivan, Dr. Sullivan this morning, who arguably is the most informed of the presenters from the various physician groups.

I guess kind of what we’re interested in hearing from you is what techniques, what resources, what strategies, etc., that you’ve had success with in your organizations that potentially could be transplantable or exportable that could help these providers?

MS. POLLEY: I would agree with that earlier speaker that if you asked any physician on the street or in a hospital corridor to talk about the HIPAA privacy rule and the technicalities in it and so on that you’d get a blank look, glazed eyes. It would not be a useful encounter.

If it’s translated into terms that they understand, because keeping information confidential is sort of part of our business, then I don’t think it’s that big a deal.

MR. DANAHER: That’s what we’re looking to you to help us identify. What are those translation strategies that can take this kind of ambiguous regulation and help clarify it and help educate and help them out?

MS. POLLEY: The incidental guidance that we got recently was helpful. It talked about a list of things that are okay and a list of things that are not okay, a sense that if an organization is making reasonable efforts to comply that the incidental exposure of information isn't a fatal flaw.

We can then look at – or we talk to physicians about – how are their exam rooms set up. Are the walls paper thin or not? Is that an issue? Should we be doing something about that? How do they pass paper? Do they just hand it to someone to carry across the street?

MR. DANAHER: How do we clone you? How do we clone you and get you out there doing this to the Vermont –

PARTICIPANT: That’s a different panel.

MR. DANAHER: In other words, the lawyer sitting next to you is saying, “Vermont is woefully underserved, woefully understaffed,” the hospitals, the doctors, whatever. You’re saying, “It’s easy. It’s easy. You just go out there and communicate.” What we’re trying to identify is techniques, strategies for doing this communication, for doing this outreach. That’s what we’re trying to figure out.

I understand exactly what you’re saying about sitting there, about partitions, whether it should be a glass partition. How do we communicate those things?

MS. POLLEY: Just give examples. Get away from administrative bureaucratese, and give examples.

MS. CRAMER: You’ve heard this repeatedly: The delay in the final rule has been very – it’s been a hardship. For physicians, small hospitals, they don’t have much money. They don’t have much time, so they’re not going to do this twice. You have a lot of people who are starting that effort today. The phone calls are ringing. Certainty is helpful.

People like to be practical. I think Alice’s approach is really smart. Just to give you one issue, and this is with the State of Vermont that I work with, the hospitals that I work with still have certificate of need requirements. I have two hospitals who had included in a recent capital renovation proposal redoing their waiting rooms to improve privacy. That was denied in both instances. The level of appreciation for privacy and spending money is not out there as much as it needs to be.

I think from my standpoint, now that we have a certain rule the level of nitty-gritty guidance – I’ve done some grand rounds, and you just need to really be able to try to speak people’s language and use examples of what you can and can’t do.

For a lot of communications it hasn’t really changed from the old law. It’s more the administrative detail piece of it.

MR. DANAHER: One of the things that we’ve talked about are forming kind of partnerships with state medical societies to enhance that dissemination of information so that there’s greater clarity, etc. Would that be something that would welcome?

MS. CRAMER: We would welcome that, yes.

MS. POLLEY: I find it very refreshing that you people exist, that there’s a group of people with an interest in how we’re doing this and what’s working and what isn’t and where are the barriers. Thank you, very much for even caring.

MR. ROTHSTEIN: Thank you. We aim to please. Dr. Cohn?

MR. COHN: Speaking of that, Anne, I was actually curious. You made a comment obviously asking for, let me quote here, “any enforcement of rule compliance should be rolled back,” I’m not sure exactly what that means, “to eight no less than six months to a year following April 14, 2002.”

What's interesting is that in all of our testimony this morning you were actually the first person who made a comment like that. I'm actually curious of the other presenters, is that helpful? Clearly it won't help you with the Boston Globe discussion, which I think, Anne, you're most concerned about. Is that something that we should be considering? I'm just sort of surprised in all of this stuff this is the first time it's come up, and it only seems to be from you.

MS. CRAMER: Well, one of the things that I’m concerned about, and it is the court of public opinion, is I’d like the public to have some appreciation that this is not simple to just achieve. Everyone has this sense that the bell is going to ring on April 14th, all the forms are going to be in place, or I’m going to have this pool of people who can answer questions.

I don’t see that at that level. I see people doing a lot of good faith attempts and that there will be things in place, but I think it’s going to take some time for back and forth interpretations and really getting a good understanding of how information dissemination is impacted, whether it be at the business associate level, whether it be minimum necessary, whether it be an accounting for disclosure.

I’m concerned about that bell ringing and all of a sudden having a public perception that we all know exactly what we’re supposed to be doing.

MR. ROTHSTEIN: Thank you for that answer. I thank all of our panelists. Again, I apologize for holding you over. The subcommittee will stand adjourned until 1:45 when we will begin panel three on ancillary care providers.

(Whereupon, a luncheon recess was taken.)

A F T E R N O O N S E S S I O N (1:45 P.M.)

MR. ROTHSTEIN: Good afternoon, and welcome to our third panel of our hearings on HIPAA implementation strategies, with particular respect to the privacy rule. I want to thank all four of our testifiers for coming this afternoon. Sorry to get a little bit of a late start. This morning was so fascinating we just couldn’t break away. I’m sure we’ll have that problem this afternoon as well, but we’ll try hard to keep on our revised schedule.

We’ll go in the order that’s listed on the agenda, if there are no objections. The first witness will be Ms. Rafeld. Before she begins testifying, let me just clarify that we’ll ask you to speak for 10 or 15 minutes. I’ll give you a warning when you have one minute left. At the end of each of your testimonies I will ask if there are any clarifying questions from the members of the panel about each witness. At the end then we’ll have a panel discussion and more wide ranging questions, so please begin.

MS. JANOS: Could I just ask is anyone using the Power Point; because this is on, and it’s pretty loud. I’m not using one, and you’re not using one. I’m wondering if we could just turn that off. That would be great.

MR. ROTHSTEIN: Excellent. Whenever you’re ready.

Agenda Item: Ancillary Care Providers - Panel 3

Karen Rafeld, Massachusetts Dental Society

MS. RAFELD: Thank you for the opportunity to come and make comments before this subcommittee. My name is Karen Rafeld. I'm assistant executive director of the Massachusetts Dental Society. I'll give just a brief history – not history, a little bit about the Mass Dental Society so you know our perspective and where we're coming from.

We have approximately 4,700 members in Massachusetts. Approximately 3,700 of those members are actually practicing dentists. Approximately 1,000 of our members are retired. Approximately 85 percent of the dentists in Massachusetts are members of the Massachusetts Dental Society. We have a way of communicating with most of the dentists in Massachusetts.

I presume that most of you have, or all of you have, the outline that I submitted as my testimony. I’m basically just going to speak from that outline. I’m going to change the order, however, a little bit. I’m going to start by talking about resources that are available from the American Dental Association.

My comments will speak to the one question, or one issue, that you invited comments on and that is what resources, especially no or low cost, are available to people trying to come into compliance; for example, sources such as professional trade associations, health consortiums, task forces, and so forth. That’s the issue that I plan to speak on.

Resources for our members, that is members of the Massachusetts Dental Society, come from primarily three areas. Our national organization, the American Dental Association, is probably the major resource where I, as a staff person at the Massachusetts Dental Society, and our members ultimately will look for information about HIPAA compliance.

I brought with me today to show you a copy of what the ADA, the American Dental Association, has produced as a HIPAA privacy kit for our members. This is available to actually all dentists in the United States. It’s actually at a lesser cost to members than non-members. This sells from the ADA for I think in the order of $125-150 per manual.

I have reviewed the manual, and from my perspective, at least, it is a good kit and a good resource for our members. If our members purchase this kit, or if any dentist in my view purchases this privacy kit, the information is very clear in what is expected of our dentists as far as compliance with the HIPAA privacy standard. It contains samples of every document and every piece of paper that our members should put forth to their patients as far as compliance with the HIPAA privacy standard. This is available to our members and actually to all dentists.

The ADA has also put together a privacy seminar, which is a half day seminar that they will, upon an invitation from any of the state societies, send their staff people out to the states to present as HIPAA seminars. I was on the ADA website just a couple days ago and between now and April the ADA has scheduled 40 such seminars across the United States. These are by invitation from the state societies. Massachusetts, in fact, has two of these seminars scheduled, which I'll talk about in just a few minutes.

The ADA also has provided a series of conference call seminars for state execs, state society execs and component society executives, to help us make sure that we have correct information about HIPAA privacy and compliance so that we then can appropriately inform our members.

They also have created and have published in their journal and newsletters a series of articles on HIPAA compliance. They, on a regular basis, communicate by email to society executives with any new information that’s available from HIPAA or any changes that we need to be aware of.

They also, as many organizations obviously do, have a website, and the ADA website has a section that is devoted to HIPAA information with links to any number of other websites including the Center for Medicare and Medicaid Services website for HIPAA information.

One of the unique and interesting aspects of the ADA website is a calculator that our members or dentists can use to plug in some basic information and let the calculator figure out actually how much money they will save by submitting claims electronically. I think it's sort of the ADA's subtle way of telling our members that it's a good idea to submit electronically, because your lives will be easier. Maybe not that they'll have to comply with HIPAA, but their lives will ultimately be easier if they submit electronically.

Finally, ADA staff are also available to any member dentist who calls to provide them with any kind of technical information or any interpretation of the HIPAA requirements that they might have questions about.

From a Massachusetts Dental Society perspective, our major information on compliance for our members comes from the American Dental Association. We also, at the Mass Dental Society level, will be sponsoring a series of seminars, as I mentioned earlier. We will be sponsoring two of the ADA seminars. We’ve invited the ADA staff to come to Massachusetts on the mornings of November 13th and 14th. When our members or any dentist actually signs up for this seminar from the ADA they get the HIPAA compliance manual or this privacy kit that I mentioned earlier as part of their signing up for the seminar.

We have had such a response to these seminars – huge response from our members or their staff – that we’ve actually had to change the location of the November 13th seminar to accommodate a larger audience. I think that tells something at least that our members are aware of HIPAA privacy compliance and are willing to come to a seminar to learn about it.

We will also be sponsoring – the Massachusetts Dental Society will also be sponsoring additional HIPAA seminars with Massachusetts specific privacy information as well. That will be included in the November seminars as well.

We have a regional Yankee Dental Congress, which is a regional educational and exhibitor meeting, in January every year. This January we'll be including in our educational portion some seminars on HIPAA compliance that will be conducted by a local attorney here in Massachusetts. He will also be talking about the national HIPAA regulations.

The Massachusetts Dental Society has also included a series of articles on HIPAA in our newsletters and journals, not only just the privacy part of the HIPAA standard but also the transaction and code set standards. We also have links on our website to the American Dental Association website. As I said earlier, the ADA site also links to the Center for Medicare and Medicaid Services.

We offer technical assistance to our members who call, providing them with clarification about who has to comply and when their deadlines are for compliance. Right now we’re focusing on the deadline for filing for an extension of the transaction code sets and obviously the April 2003 deadline for coming into compliance with the privacy standard.

As a Massachusetts Dental Society staff I also obtain additional information that I pass on to our members from the Massachusetts Health Data Consortium. That organization has a HIPAA education coordinating committee, of which the Massachusetts Dental Society is a member. This group is providing information to Massachusetts on HIPAA compliance.

It is in the process of sponsoring seminars across the state for providers, vendors, claims processors, payors, clearing houses. As a matter of fact, there was a presenter from this group at one of the regional meetings held by the Center for Medicare and Medicaid Services this morning at the Massachusetts Medical Society.

Those are the resources that are available to our Massachusetts Dental Society Members. Thank you.

MR. ROTHSTEIN: Thank you. Clarifying questions?

Dr. Harding.

MR. HARDING: Thank you.

We heard this morning that the physicians in Massachusetts are pretty upset about this whole thing, those who know about it maybe is a better way to describe that. Is there a lot of angst among dentists about the requirements, the issues of HIPAA, or has that not come on their radar screen? Or do they feel it’s something that will be taken care of by the NDS?

MS. RAFELD: I would say that there’s probably some angst. I think a couple things are happening. I think there’s some anxiety. I think there’s also a feeling since we have been publishing information since the middle of the summer, since the American Dental Association has been providing them with information, they may be less anxious than the physicians. I didn’t hear the testimony this morning.

Certainly there’s some anxiety. Certainly from where I sit whenever we put any information we certainly get a lot of phone calls into the Mass Dental Society about do I have to comply and am I covered and what do I need to do? I think as we probably get closer to the deadlines there will be more anxiety.

I’m hopeful that because we have just provided them with so much information and tried to hold their hands that this is not going to be – create as much turmoil as other federal regulations that have occurred. I’ll give you a perfect example that was the OCEA compliance a number of years ago that was really anxiety provoking for our members. I think this less so, because I think we’ve been ahead of the curve in providing them with information.

MR. DANAHER: Ms. Rafeld, I should divulge my vested interest in that and that my wife is a dentist in Connecticut. I’ll preface my points by saying that I do believe that the way to reach and educate and assist dentists is through the state societies, even more so I think than the medical societies. I think the dentists really look to the state societies for guidance.

MS. RAFELD: I would agree.

MR. DANAHER: The one comment I would make is this, and I’d like to push back. Most of these efforts, frankly even on the national level, are just now beginning. So I guess what I just wanted to elicit from you is your level – and you can push back to me about this – my perception is that the reason why anxiety, at least in Connecticut, may not be there is that the vast majority of dentists really are not aware of what’s happening.

MS. RAFELD: That could be true. We’ve certainly tried to communicate with our members, Massachusetts’ members. They may not read their newsletters. They may not go to our website. They may not read the material from the ADA, so that could be true.

MR. DANAHER: Do you think given these timelines that it’s reasonable – for example, the first series will be the November 13th and 14th. Given the April 14, 2003, I just kind of want to get your sense of how realistic it is, or the likelihood or whatever, that the dentists will be in compliance with – and again, I am not one to view it as a drop dead date or whatever. It’s a continual process.

MS. RAFELD: I think that if our dentists – and they don’t even actually have to attend this seminar. I’ve actually told some members who I’ve talked to that if they buy this kit from the ADA – I’m certain that the ADA attorneys have been speaking with you folks all along in the development of this kit. Some of the information or the information that I’ve told our members from my perspective if they buy this kit and they do everything in this kit they will be in compliance; and they will be in compliance by the April 2003 deadline. That’s how good I think this manual is for them.

All they need to do – there are documents in here that all they need to do is take out, put on their stationery, understand the reason why they’re doing it, and just do it. It’s all here. They just need to follow everything that’s been told to them in this document.

MR. ROTHSTEIN: Okay. Well, thank you, very much. We’ll move to our next witness, Ms. Janos.

Ellen Janos, J.D., Counsel to Home & Health Care Association of Massachusetts, Inc., Mintz Levin, and Robert T. Young, Chief Financial Officer, Visiting Nurse Association of Greater Lowell

MS. JANOS: Thank you.

My name is Ellen Janos. I’m manager of the health section at Mintz Levin in Boston. The primary focus of my practice for the last 22 years has been health care. For the past 15 years or so I’ve been representing health care providers on regulatory issues. I’ve been advising clients on HIPAA since 1996 when HIPAA was first enacted. Certainly for the last eight to ten months I’ve been spending almost all of my time on HIPAA compliance.

For the past year I’ve been working with the Massachusetts Home Care Association to help them in their HIPAA implementation efforts. I would like to provide a little bit of a different – before I get into my prepared remarks I’d like to respond a little bit to some of the questions that you’ve been asking.

I frankly don’t think it is enough time until April. I am out there speaking and providing people with information and doing the seminars and giving the seminars. I’m only able to provide, and the associations are only able to provide, very – except for I’ll get it in a minute the use of samples and forms – broad overview.

What is HIPAA? What does an authorization have to look like? What does the Notice of Privacy Practice have to look like? What are the requirements for business associates? That training has to go on and it is going on and it has been going on. But that’s obviously not enough. I think you’re going to hear from Carlos Ortiz and from Bob Young on what do specific providers have to really do. How do they roll up their sleeves?

We helped the Chain Drug Store Association with their model program. We gave them a beautiful book that’s now outdated, because it was done before this past August when the revised regulations came out. We’re in the process of providing the Home Care Association with a beautiful book with samples and forms, but at the end of the day they have to take that stuff and I don’t think it’s as easy as putting their letterhead on it.

To really make it work you have to incorporate that into their daily practice. An authorization for a home care provider is really going to be a little bit different than an authorization for a pharmacy or a doctor’s office or a dentist’s office. An authorization for a home care provider with 2,000 members might look a bit different than an authorization for a home care provider with five staff, as opposed to 2,000 staff.

The variation here is tremendous. To make it really work for each provider they really do have to assimilate this and try to take their existing policies, their existing procedures and get them HIPAA compliant. I’m not saying that it can’t be done. Everyone out there is doing their very best to try to get it done. I think since we’ve just had final regs come out in August that it’s going to take providers some time to get policies and procedures in place. That’s going to take a few months. Then they have to train their staff. It’s going to be tight. This is what I’d say about that.

Let me just tell you a little bit about the Massachusetts Home Care Association that I represent. It’s a trade association with 97 member agencies. As I said, there are some very small agencies that have five people, five staff people, and large agencies with 2,000 staff people. The agencies are free-standing agencies. Then there are those that are affiliated with hospitals or nursing homes or long term care or assisted living facilities.

I know you’ve probably heard all morning, particularly if you were talking to the doctors, all about the problems with HIPAA and the difficulties with HIPAA. I want to tell you as someone who has waded through regulations for 20 years – STARK, the Safe Harbors, Medicare/Medicaid reimbursement regulations – these are really pretty good regulations. They’re readable. They’re understandable. They really are trying to be scalable in that there is at least a recognition in the regulations themselves that you’re going to have a small doctor’s office trying to comply, as well as Partners Health Care systems. There’s a recognition of that.

There appears to be a recognition of good faith compliance, which you don’t see in STARK or you don’t see in some of the other health care regulations. Overall, they’re very positive in many respects. That’s not to say that providers are not going to have a huge task ahead of them, but I think as regulations go they are quite well done. That’s the good news. And providing opportunities like this, of course, is always welcome.

I want to just spend a couple of minutes talking about some of the challenges that are faced by home care providers. The home care community is very different than the rest of the provider community.

One of the biggest challenges for home care providers – and you’re going to hear this over and over again, I guess, from everybody – is that typically most home care companies just do not have the resources that are necessary to make the kind of changes that are required by these regulations. They don’t have typically - and it’s hard to talk about a typical homecare provider - but typically – and this is I think true for a dentist’s office or a doctor’s office – there’s not one dedicated, one person who may be dedicated solely to the IS function or someone who is dedicated solely to the medical records function. Even some small home care providers don’t have one person dedicated to a QA function.

Figuring out who’s going to wear that privacy officer’s hat or the security officer’s hat, who’s going to take on those responsibilities is not that simple. It’s not as simple, at least for home care companies as it might be for other kinds of providers.

You’re dealing with an industry where you’ve got providers already stretched too thin, already overwhelmed with paperwork, overwhelmed with the levels of reimbursement and cuts in reimbursement. You’ve got people who are stretched too thin and now you’re adding this overlay over that. I think it’s going to be a real challenge for home care providers.

One particular piece of the regulations that I just want to point out to you, and maybe folks have done it already, is what I consider to be the centerpiece of the regulations, which is the Notice of Privacy Practices. The notice is a very worthy goal: To be able to let every individual patient know exactly how their record is going to be used, exactly what disclosures may be made, and most importantly what their rights are, rights to accounting, rights to access, rights to copy their records, etc., etc.

The regulations require that that notice be in plain English. For our elderly and infirm 85-year-old home care patients that’s very nice. The problem with it is that the regulations require a whole array of required information to go in that notice. When you put it all in there it’s not in plain English anymore. It’s not easily understandable. It’s not one page; it’s five pages.

I fought with actually the folks that were doing the chain drug store sample forms. I said to them, “You can’t make it like that. You’ve got to make one page. You’ve got to make it simple for a pharmacy customer coming in.” My folks in my office kept saying to me, “It’s got to be in there. The regulations say every single thing is required to be in this notice.”

Just let me give you an example of what has to be in that notice, if you haven’t really looked at that. Among the numerous required disclosures that a properly worded notice to an elderly home care patient will have to include is the following:

“We may disclose PHI about you to authorized federal officials so they may provide protection to the President, other authorized person or foreign heads of state or conduct special investigations.”

That’s one of 25 different permitted or required disclosures. I guess I just say that to let you know that this notice, which really is a wonderful part of the regulations and now, of course, has achieved great importance now that we don’t have a required consent. It’s that notice that a patient has to acknowledge receiving, and is taking the place of the consent. That notice really is not going to be that meaningful. It’s going to be one more piece of paper.

To add another layer to that, in the home care area home care patients are required to get what we call an “OASIS Notice.” It’s a required HHS notice. OASIS is Outcome and Assessment Information Set. It’s part of the home care documents. Every patient that enters into home care is required to get a packet that includes an OASIS Privacy Notice. This notice is in many ways very similar to the HIPAA Privacy Notice.

It’s a standard notice that has to be in a certain form. It requires that you let the patient know how their information is intended to be used. It specifies the circumstances under which CMS may release the information. It again gives the patient the right to see, inspect, copy, etc.

I would have hoped that the government would have attempted to reconcile these two things. You’re giving to the same patient privacy notices that are covering many of the same things, and it’s overlapping and confusing. It would be nice if the two arms of the government could talk to one another and try to sort that one out.

Let me just touch upon two unique challenges for home care that you’re not going to see elsewhere. One is the home medical record. Home care patients, obviously the care is being given in their home. It’s not a centralized place. On any given day you might have one home care provider visiting; you might have several visits. There’s a multi-disciplinary team of people coming out. There might be a nurse coming out. The next day it might be someone else. The next day it might be someone else.

Home care providers have been grappling with this concept of a home record, as well as a record that has to be kept at the central office. That home record is obviously open for view by a whole host of people, not only the health care clinicians coming in to take care of the patient but family members. There are Meals on Wheels people coming in and out of the house. Even neighbors are coming in and out of the house. We have great challenges to be sure that that record is secure, to be sure that there aren’t unintended disclosures. It’s not easy.

I’ve actually been helping the association draft up some sort of release for the patients. If the patient kind of says to the company, “I recognize that this is a home record and that it’s not going to be as secure,” and will give us a release for that. It just presents some unique challenges for the home care provider that you necessarily don’t find elsewhere.

I think what it really means is that we’re going to have to work a little harder to get our forms in place, to get our policies in place. It just takes a little more thinking about how to deal with this home record.

In addition to the record being in the home, you also have the situation with mobile care workers that oftentimes workers are bringing portions of the record with them back to their own home, back to the office. You’ve just got issues having to do with the security of medical information that don’t exist elsewhere.

I spoke in the beginning a little bit about what I think is an ambitious timeline. The concern I have really is getting the training done. I think people are going to be able to get policies and procedures in place. I think people are going to be able to get authorizations written, Notice of Privacy Practices written. I’m not so sure that all of the training can be accomplished by that date.

For home care providers who have workers who don’t come in on a regular basis to a central office, it’s not so easy to say, “Okay, on Monday everyone’s getting trained and that’s it.” These are people generally over a wide geographic area who it’s very difficult to get in for training purposes. I think the training component is going to pose a special challenge for them.

One last comment, I think you’re going to hear from someone on this tomorrow. In Massachusetts I think we have – I guess in every state – we have a huge burden ahead of us to try to deal with the preemption issues. The Boston Bar Association in Massachusetts has been for months now taking on the burden of trying to sort through hundreds of statutes, regulations, cases that are the patchwork of the Massachusetts privacy laws and medical records laws. I don’t think we’re going to ever have a fully implemented HIPAA program in any of our providers in Massachusetts until we’ve clearly established what preemption issues we’re dealing with.

Let me give you just a very tiny example just so you have a sense of what some of the preemption issues are. HIPAA allows under certain circumstances when a subpoena is received by a provider it allows those records to be released pursuant to the subpoena. It’s pretty straightforward.

In Massachusetts we have this bizarre little medical records statute as it relates to hospitals. If a subpoena is issued to a hospital provider, for example, you can only release those records if the patient’s name is in the caption of the subpoena. It’s a little twist on a statute, but what it really does is it now makes folks figure out what is our rule on subpoenas. Do we say that all subpoenas are fine, and they can also be released? Or do we have to say that Massachusetts’ law preempts the federal law?

I don’t think anyone wants to sort of set their policies in stone until we have a clear understanding of what laws are preempted and what laws are not. I know the Boston Bar Association has been working very diligently to try to do that. I don’t know what their timetable is. You may hear from them about that. I think that’s going to be one more little bump in the road in terms of getting this compliance under way.

I think that’s all I have to say. I’m happy to answer any questions. I really want to thank you again for the opportunity to come here. I think the providers of Massachusetts, like everywhere, are struggling. I think they’re appreciative of this opportunity to let you know what some of the issues are.

MR. ROTHSTEIN: Thank you. Any clarifying questions? Okay, we’ll be back to you later. Mr. Young, please.

MR. YOUNG: Thanks for providing this venue for us today.

Ellen asked if I would maybe just kind of walk through the steps of what an agency is feeling at this point in time and maybe give you an idea of where we’re at.

Before I do that I’ll give you a little bit of background.

Again, my name is Bob Young. I’m the chief financial officer at the Visiting Nurse Association of Greater Lowell. I’ve been there for 17 years, and I’ve been in the home health business for a little over 20 years. I’ve sort of seen the evolution of a lot of things that have gone on in health care over the years.

The agency itself, in terms of the background of the agency, the VNA of Greater Lowell has been in existence since 1909. We’ve been providing services for a little more than 90 years in the Merrimack Valley and Greater Lowell areas. With the advent of Medicare in 1965 we became certified with Medicare, and we also got JCAHO accredited in 1999. We still have that accreditation today.

The budget for the agency is roughly around $10 million. With that we make about 125,000 visits a year to a little more than 6,000 people in that area. In terms of an employer, we actually employ a little more than 200 people in any given week. That’s made up of folks from the salaried employees, hourly employees, as well as per visit folks.

We use the per visit people to kind of supplement the ebbs and flows, the peaks and valleys of our business so that we don’t have people sitting around with no visits to do. Consequently, if we get over-burdened with visits we have the opportunity to call people in to provide more services to them.

We kind of broke out the whole HIPAA process into two areas. One was process and the other one was implementation. We looked at the process piece and said, “Okay, what do we need to do?” You have regulations in there God knows how many hundreds of pages long. Someone sits there and says, “Now we have to go through and read through this thing word for word and figure out where we’re going to go with that, and then we have to figure out how we’re going to implement that.”

We looked at the process and said basically who does it and when does it need to be done. What we did was the first piece of business that we thought needed to be done obviously was read and understand the regulation. I think Ellen posed it pretty well. I, too, have read a lot of regulations over the years. I thought that it was pretty concise and understandable. Of course, there was still the daunting task of how do we get it all done. We understood what we needed to do, but it is an awfully long process.

We said, “Alright, we’ll sit down and then document implementation deadlines and timelines for compliance and kind of do a flow chart of this to figure out where we need to be and on what date.” Obviously we can’t get together at 2 o’clock on the 13th of April and say, “We’ve got to start doing this privacy tomorrow, so where do we go from here?”

We have, in fact, started the work. We’ve identified key individuals who will be responsible for certain areas of compliance within their areas of the organization. Obviously, then we’re going to have to run trial runs, or mock trials, to make sure that in fact we are compliant and things work appropriately before we actually go live, so we can ensure the quality, that we don’t lose any data, and that all the things kind of flow in the process at the same time.

The last piece of that then is to monitor the procedures that we’re going to put in place for this compliance and make sure that on an on-going basis those get complied with.

Now we’re at the implementation phases. We sit down and say, “Okay, how do we do this?” We know what we need to do. We know how to do it. We don’t have a whole lot of time to do it, so how are we going to get it done?

One of the things, too, that Ellen mentioned was the timeframe. I find it interesting that this whole HIPAA regulation was supposed to start in October of 2002. That’s been delayed a year, but the privacy piece has still stayed there. In my mind I said, “Okay, they put the HIPAA regs in place so that we could get this done first and then deal with privacy second.” In fact, now we’ve bumped privacy up to the front of the list. To some providers that’s not going to be as big of an issue as it is in home health.

Primarily, the reason for that is that many of the areas that folks provide care in are in a controlled environment. We don’t have a controlled environment. We have patients’ homes. That might be a nursing home. It might be a multi-family dwelling. It might be a single family dwelling, but the point is that we’re going into their home.

Frankly, we’re a guest in their home. We have to make sure that we abide by the kinds of things that they want to have happen in their home and be respectful, and at the same time respect their rights to privacy but give them the care that they need.

When we looked at that we said, “Okay, the first thing that we’ve got to do is we’ve got to start meeting as a group.” We started at the management level with critical staff and kind of walked through the process. We identified a privacy officer, but that person was the head of the QA department. So basically half of their time now is dedicated to HIPAA and the other half is dedicated back to the QA issue. Which are part and parcel of the same thing, but they got out and there are others that we’ve got to cover.

That person, someone then had to pick up the slack for them and so forth and so on. There is obviously a cost involved in doing this as well. I’ll get to cost in a moment.

We have groups - we have our state association and the national associations just networking amongst ourselves as to how are we going to implement this, what kinds of things are we going to do. We’ve already started those meetings to try to get a sense of let’s not reinvent the wheel. If one person has a good idea then why can’t we incorporate that all the way across the board.

We can, but then we said, “Now we’ve got to start looking at the specific identifying the issues that we need to address and how to do that.” We’ve got things like medical record, referral, communication – and communication is really between the family or the patient themselves, the physician, and our office. Again, how do we respect the privacy of these people but still discuss the kinds of things that we need to do?

People need medical supplies. Those have to be delivered to the home. We have a process where we get them delivered overnight. As long as we put the order in by 5 p.m. they’ll have their supplies the next day; but they get delivered by FedEx, UPS, the post office, things like that. Obviously then somebody else knows that these people are getting medical supplies.

We sit back and say, “Is that a breach of privacy or isn’t it?” I think that’s where we’re stuck. I think you’re right. I think we can get regulations in place, but it’s a question of in trying to comply or trying to do the right thing are we, in fact, impeding on these people. You’ve got a multi-family dwelling, and we’ve got a placard on the car that identifies it as the VNA. We’ve got an ID badge with the person’s name and a smock that says VNA of Greater Lowell. That’s really for the protection not only of our employees but of our patients.

We say to our patients, “This nurse, or the therapist, is coming out to your home. They’ll have a smock. They’ll have an ID. You can feel free to let them in the home.” That’s great, but if they’re knocking on the door and the next door neighbor comes out of their apartment or something, we’ve now identified that this person is getting services.

Is that a breach of their privacy? We’re trying to do the right thing; but is it right or is it wrong? That’s really where we’re stuck. Again, I think it’s compliance and it’s the attempt to comply that is the thing that’s kind of fuzzy for us.

Identification and recognition we’ve talked about. We have to go back through all of our contracts for business associates. We have to change paperwork for confidentiality. Then no matter what we do there’s a cost involved. For our agency we looked at the cost first year out of the block to do the whole HIPAA piece at about $125,000, then with about a $35,000 annual cost without any change in the regulation. From our perspective, with 125,000 visits a year, that’s added a dollar to the cost of our visit. We have no way to recoup that.

We’ve got managed care contracts, which are in place. We know how the managed care entities are right now. They’re not giving away the store, so those rates are tough. Medicare is under PPS, so there’s no way to increase rates there. We’ve got a Medicaid caseload, and we know what the situation is with the state budget, so we have no chance of increased reimbursement there. As a not-for-profit organization, which the VNAs are – and I know there are other for-profit entities in the home care arena – but from the not-for-profit status we have no place to recoup that at all.

Things are going to fall through the cracks, but we’ve got to get it done, no matter what the cost. We have to do that without jeopardizing patient care, which gets into the whole training aspect of things. We’ve got 200 employees that we have to train. As Ellen said, we can’t just pull them all out of the field, put them in a room, and train them.

What we’ve got to do is we’ve got to break up teams. If we’ve got ten people on the team, we’ve got to pull out one person from that team at a time and train them. The other nine people still have to visit all the patients in that team, and they have to get all the visits done. We’re going to have a lot of down time with that.

It’s another piece of paper. It’s explaining something to individuals. You can get around this with a disclosure statement. I don’t know if anyone’s ever tried to explain to an 80-, 90-, or 100-year-old person about a disclosure statement with 15 other documents that they have to sign before they get into care. They just don’t know.

We’re held under scrutiny with state surveyors, JCAHO accreditation, and those kinds of things. Did you tell your patients that this is what you were doing, and so forth and so on? It’s very complicated for the patient.

Hopefully we can get through to those things and hopefully we can comply. We intend to comply, but it is a very daunting task that the industry is faced with at the moment.

MR. ROTHSTEIN: Thank you. Any clarification questions? Let’s move to our final witness. Welcome back Mr. Ortiz.

Carlos Ortiz, R.Ph., VP of Government Affairs, CVS/Pharmacy

MR. ORTIZ: Good morning or afternoon. I’m Carlos Ortiz, and I’m vice president of government affairs for CVS Pharmacy right up here in Amherst, Massachusetts not too far from here. It’s a place that was once described as the place where the people from Cambridge stopped for gas on their way to Woodstock and never left. Now I’m one of those people.

I’d like to talk to you about some of the challenges that I think we’re going to be facing as we try to get into compliance by April 14th. We expect to be fully compliant, but we are going to have some challenges.

First of all, CVS operates in 32 states. As Ellen said, one of the issues that we’re struggling with is the preemption or which laws might be more stringent than HIPAA, which state laws might in fact preempt or be more stringent than HIPAA that would impact what we put on our Notice of Privacy Practices.

We could have – I’m sure a firm like Mintz Levin and Ellen would be more than happy to do that national assessment for us. Our national trade association has priced out what it would cost to do a national assessment. They got a quote from one law firm of $1.4 million just to do a national assessment of which states would have an impact on the Notice of Privacy Practices.

Our suggestion, which I would hope that maybe you would carry back, is to have the Secretary of Health and Human Services work with the various state Attorney Generals to have a posting on their state website as to what the state AG thinks might, in fact, be a preemption of HIPAA for that particular state. That would, I think, go a long way, especially toward helping a lot of the small providers who obviously cannot afford what we’re talking about.

For pharmacy I can tell you there are privacy laws that are all over the state statutes and regulations, sometimes it’s in the Pharmacy Practice Act, sometimes it’s in the Department of Health Practice Act, sometimes it’s in case law as Ellen stated, sometimes it’s an insurance law. It’s all over the ballpark. To expect that the individual providers will be able to do that kind of thorough search of the statutes and regulations is going to be very problematic.

The other challenge that we have is CVS has over 42 million individual patient customers right now. The thought that we are going to have to issue a Notice of Privacy Practice to all 42 million of them and get an acknowledgement that in fact they received the Notice of Privacy Practice is very daunting. The confusion that I think is going to be created at the pharmacy counter I think is a prescription for chaos.

I brought a draft of our Notice of Practice. I have it back in my briefcase over there. Trying to explain that what it is that I’m passing out to this patient you don’t have to read it all here, but you have to sign and acknowledge that you did receive this from me. Even if only 10 percent of the people say, “I’m not signing anything until I find out exactly what I’m signing for and why,” that’s still 4.2 million people at CVS if only 10 percent of them start questioning. I would just like to suggest that if any of you need prescriptions filled next spring that you do it well before April 14th. There’s going to be chaos at our pharmacy counters on April 14th.

What we would like to suggest is that there’s a definite role for Health and Human Services to do a public education campaign. Clearly with PSAs to – and we realize that PSAs and a public education campaign is a two-edged sword that might create more questions than it answers for providers. But we think that you really have a role to do a PSA or a public relations campaign to say, “This is coming. This is what it’s going to mean for the American consumers. And this is what your health care provider is going to need to get from you.” In fact, when they’re presented with the Notice of Privacy Practice hopefully they’ll know something about what it is that you’re doing.

We agree with Ellen that this Notice of Privacy Practice at its basic requires so much information that it’s going to be very confusing. We’d like to make another suggestion - and I know this would require regulatory change, but just throwing this out – the notice should be very reader and user friendly and boiled down to the minimum that is absolutely essential. If the person then wants additional information about privacy practices that should be made available to them. It would be made available via the IVR (Interactive Voice Response), going to a website, printed materials, however; but that the basic NOPP be as minimal as possible. That’s just for future. That’s not obviously for April 14th, because it would require some regulatory change.

The third challenge is what constitutes a “good faith” effort on behalf of the provider? Is that trying one time? Is it trying two times? Is it trying three times, four times? Forty percent of all prescriptions are picked up by someone other than the patient. Pharmacy is unique in that it’s the only health care service that is routinely delivered to someone other than the patient. It’s delivered sometimes to friends, neighbors, family. Sometimes it’s the taxi cab driver that’s just coming down to deliver and pick up the prescription. Some definition with regard to what constitutes a good faith effort.

Is it just sending home this NOPP, or Notice of Privacy Practice, with whoever the caregiver is presenting the prescription? Or does it mean that after you send it back to them you have to call them up? I don’t know what constitutes a good faith effort, but we really need some clarification.

We anticipate that in order to get these 42 million acknowledgements that we’re going to need to get that, in fact, we’re going to probably try and keep it as simple as possible. We’re going to – first of all our NOPP will probably be printed on the back of the monograph and receipt that we have in our pharmacies. We’re installing duplex printers in all of our pharmacies that print on both sides of the paper, so that the receipt will be printed on one side and then the NOPP will be printed on the back side of that.

Part of that NOPP will have a tear-off acknowledgment strip, which will then be scanned into our system and transmitted to some sort of central office. That will be one way of capturing the acknowledgment. We’re talking about an interactive voice response system that would require us to deliver to each patient a unique patient identification number or PIN, because the regulations allow for something other than an actual signature to identify the patient. Then they would have to give the interactive voice response their PIN number, similar to what you do when you activate a credit card that’s sent to you in the mail.

We’re talking about taking our credit card readers and transmitting, again using a unique patient identification number, some sort of acknowledgement back to a central database to capture the acknowledgment. We’re working with a lot of different things to try and find out exactly how we’re going to capture that acknowledgement, just because of the sheer number of acknowledgements that we’re going to have to capture and store for six years - six years from the last date of service. You know you’re going to have to have that. Theoretically that could be sometimes forever.

One of the things is really how do you encourage people to actually sign this acknowledgment. There are going to be a lot of skeptical people out there with regard to signing any sort of acknowledgment. Again, I think that’s where some sort of good public relations campaign on the part of Health and Human Services with regard to patient and consumer education might go a long way.

One of the largest challenges we have is what are non-routine disclosures, something other than for health care, treatment, or payment. We have state laws that require us – one in Massachusetts right here – require us to routinely create an electronic file that we send to the Department of Health on a monthly basis of all Schedule II controlled drug prescriptions that are dispensed to patients. While that’s clearly allowed in the law enforcement exemption of HIPAA, it is not for health care treatment or payment.

We’re going to have to now capture these millions of records somehow in individual patient files now, because should a patient want to know what non-routine disclosures we made of their health care information we’re going to have to be able to produce that. We have probably out of the 32 states that we’re in we have 14 states that require some sort of controlled drug prescription monitoring of patients and sending it to some sort of state agency.

In many states it’s commonplace for us to receive a regulatory request concerning the prescribing practices of a certain prescriber that may not have anything to do with the patient, but the DEA or the Control Drug Division here of the Massachusetts state police may be investigating a practitioner. Now they’re asking us for information about that practitioner’s prescribing practices. If we disclose that, which is again allowed, we’re going to have to capture that this was another non-routine disclosure in some sort of separate patient file.

Sometimes they ask us that we do not make this public, because it might impede their investigation. Now we’re going to have to suspend putting it into this patient file until such time that they allow us to put that into patient file, because they’ve asked us to suspend that disclosure. We see that portion of it just being an absolute huge challenge that we’re going to somehow get around.

For training we estimate that we have about 45,000 employees that we’re going to have to train. That includes 12,000 to 15,000 pharmacists, about 25,000 pharmacy support personnel, and about 4,000 front office and management people that might have access to PHI. Those 45,000, training those employees just that one aspect is going to be well over $1 million to CVS.

We are envisioning that it will probably be at minimum a two-hour training session. We’re hoping to be able to do this via CD-ROM, which we have used in other types of training, with some sort of self-test type of facility. It is a very aggressive timeline for us to get 45,000 people trained as soon as we finish the training modules and the CD-ROM in the timeframe that is going to be available to us.

Originally they said that with the standardization of electronic billing that providers were going to be able to save the cost of the privacy implementation. That was just complete pie-in-the-sky fallacy. There’s no way that we’re going to be able to recoup the cost. First of all, pharmacy was very electronically claim-submission oriented prior to HIPAA. There’s not going to be any savings from electronic standardization of transmission of claims for us. We’re going to be incurring millions and millions of dollars of cost initially and on a routine basis going forward.

Those are the major challenges that I see. I, again, like the rest of the panel want to express my appreciation to the National Committee of Vital Health Statistics Subcommittee on Privacy for coming to the provider community and trying to get our feedback with regard to all of these issues. I will answer any questions. Thank you.

MR. ROTHSTEIN: Thank you. Questions from subcommittee members? Dr. Harding.

MR. HARDING: Several of you mentioned the issue of brevity of the notice. We’ve heard from different people today that some would suggest that we do a Reader’s Digest version, and then others say it’s absolutely impossible. You have to put every single thing in there as stated in the law.

When you’re talking about printing it on the back of one of the forms and so forth and when I see talking to an 85-year-old about protecting the President I start thinking of my father-in-law and thinking it’s going to be pretty tough going on that.

The idea of pulling it down into an abbreviated Reader’s Digest form and then having another track that’s available after that, is that not a reasonable way to proceed?

MS. JANOS: That’s a very reasonable way to proceed. I would like to advise my clients to proceed that way. I’m not exactly sure that the regulations permit you to proceed that way. If they do that would be terrific.

MR. ROTHSTEIN: Let me clarify. That issue has been raised, and Stephanie found it. I never travel without my regs. Let me read the specific provision that deals with that from the latest version of the regs.

It says, “Many commenters generally urge that the department modify the rule to allow for a simpler, shorter, and therefore more readable notice. Some of the commenters explained that a shorter notice would assure that more individuals would take the time to read and be able to understand the information. Others suggested that a shorter notice would help to alleviate burden on the covered entity.

A number of these commenters suggested that the department allow for a shorter summary or a one-page notice to replace the prescriptive notice required by the privacy rule, etc., etc., etc.”

Here’s the response:

“The department does not modify the notice content provisions of Section 164.520B. The department believes that the elements required by this are important to fully inform the individuals of the covered entity’s privacy practices, as well as his or her rights.

However, the department agrees that such information must be provided in a clear, concise, and easy-to-understand manner. Therefore, the department clarifies that covered entities may utilize a quote, layered notice, end quote, to implement the rule’s provisions, so long as the elements required by Section 164.520B are included in the document that is provided to the individual.

For example, a covered entity may satisfy the notice provisions by providing the individual with both a short notice that briefly summarizes the individual’s rights, as well as other information, and a longer notice layered beneath the short notice that contains all the elements required by the privacy rule.

Covered entities, however, while encouraged to use a layered notice, are not required to do so. Nothing in the final modifications relieves the covered entity of its duty to provide the entire notice in plain language so the average reader can understand it.”

This is your lucky day. Ask and you shall receive.

MR. HARDING: The only other thing, switching topics, the reporting of Schedule II prescriptions to a central – I imagine that’s law enforcement?

MR. ORTIZ: Well, in Massachusetts the Department of Public Health requires us to report it. The statute requires us to report to the Massachusetts Public Health, but the law enforcement then can go to the Massachusetts Department of Public Health and obtain that information for investigative purposes.

MR. HARDING: I’ll drop it right there and maybe talk to you privately about it. It seems like that’s a different issue than health care.

MR. ORTIZ: It is a different issue than health care. That’s why we consider it non-routine disclosure, and hence that if, in fact, Ellen Janos were to come to CVS and say, “I want to know if she has a right to under HIPAA all of the non-routine disclosures that you made of my personal health information.” We would have to have a file created for Ellen Janos of these non-routine disclosures, which include, in our opinion, that disclosure to the Department of Public Health.

MR. ROTHSTEIN: I have a question for you, Mr. Ortiz. You described the CVS plan, and I’m wondering this may be a question that you’re not familiar with. What I’m curious about is how the small, corner, independent pharmacists, not the Walgreen, CVS pharmacists, are likely to learn about the HIPAA Privacy Rule. Is the pharmacy association doing much?

MR. HARDING: There’s a national trade association for independent pharmacy owners called the “National Community Pharmacists Association,” NCPA, which is working in conjunction with our national trade association, National Association of Chain Drug Stores. They have both been working very closely with one of Ellen Janos’s partners, Michael Bell, to develop a training program similar to this for the independent pharmacists.

I don’t know what level of angst they might have, the independent pharmacists. I really just don’t know, but I know there are tools that are being developed.

MR. ROTHSTEIN: It’s in the pipeline, but it may well be not nearly as far advanced as say the dentist manual or the steps that you’ve taken in your company.

MR. ORTIZ: I don’t know. That could very well be the case. I just don’t know.

MR. DANAHER: Mr. Ortiz, these are just some comments based upon your testimony, because I found your testimony extremely enlightening. I don’t think I realized these things. I just kind of want to throw them out and get your reaction.

To me the enactment and the training of the privacy and security regs, mostly privacy, in the retail pharmacy world it’s almost the most concrete microcosm of these regs. I guess by that I mean the fundamental transaction in nature is of a provider, i.e. the pharmacists or whatever, interacting regularly and frequently with the patient.

What I’m getting at is that fundamental nature is constantly testing minimum necessary disclosure, verifying the request, etc. That strikes me as that inherent relationship is really the essence of the privacy reg. Kind of as you were saying that that was dawning on me. Probably even more so than say medical records in a hospital or a customer service rep or a member service rep in a health plan.

Also it was dawning on me as you broke down the demographics of your work force that need to be trained that there are different levels of interaction. There are different socio-economic levels. I guess what I’m getting at is whereas in a hospital or in a health plan it seems to me things are much more spread out. There’s time – people completing a request. It just seems to me that the very nature of the retail pharmacy situation is almost a very compressed microcosm of the essence of HIPAA.

Am I overstating the case?

MR. ORTIZ: No, I think part of what you’re saying is absolutely accurate, part of it isn’t.

I think the one thing is that we have, because it’s under one central company operation, we have the ability to control the process perhaps a lot more than more loosely affiliated associations. But we do have 4,000 pharmacies that go all the way from Las Vegas, Nevada to Bath, Maine.

One of the things that we have found is that a lot of the things that we were allowing to happen at the store are no longer going to be able to happen at the pharmacy. For example, a state police person coming in and requesting prescription records about some individual, because they’ve just picked them up and they’re in jail and they want to know what drugs they may be on, etc. That’s all going to stop. Everything will have to come through our central location now in order for us to have some control.

People coming into our pharmacies and requesting prescription records for income tax purposes – and like I say, it’s often someone other than the patients – that all has to stop. It’s all going to be centralized. The only way you’re going to be able to get a prescription record is by interacting with a person or an interactive voice response system in our front office and giving your patient ID number or, in fact, having it mailed to your home. A lot of the things that we were allowing to happen in individual pharmacies just are not going to be able to happen in a company like CVS anymore.

MR. DANAHER: You also have, to me, two gradations of personnel. You’ve got those people who are truly health care professionals, i.e. the pharmacists, to whom this may be very familiar; but then also it seems to me, and I don’t mean to be derogatory, the $10 an hour, the $8 an hour, the $7 an hour checkout clerk.

MR. ORTIZ: We clearly recognize that. We have pharmacists – now the entry-level degree for a pharmacist is six years of college – and you have, like you say, the $10 an hour clerk, where we have a huge turnover. We may be training those pharmacy counter clerks – we may have a turnover of 100 percent in hourly people in any given store.

We’re going to be training those hourly clerks on a routine basis. It’s going to have to happen probably every month we’re going to be training somebody in most stores.

You’re absolutely right. We have all sorts of different levels. We have a very low turnover in our pharmacists, but we have a very high turnover in the hourly cashiers that may be the person actually distributing the prescription to the customer.

MS. JANOS: I think one thing that’s worth noting, and I think they’ve both mentioned it, is that as everyone’s trying to actually comply with the regulations what these really have done has made everybody rethink how they’re delivering care and how they’re handling information.

The homecare providers are rethinking what does it mean to have the smock on and what does it mean to send the car out there or what does it mean to have a conversation at the counter about the drug interactions. It really has raised everyone’s sensitivities. I think everyone will be, and is going to be, more sensitive and really rethink how they’re doing things.

Whether that gets them fully compliant by the due date, no; but it definitely has achieved some really important goals of getting people to think about things.

MR. DANAHER: I couldn’t agree with you more. Mr. Young, your testimony, to be quite frank of my naivety and ignorance, I really hadn’t thought about the home medical record and the security that’s required with the home medical record. I appreciated that, thank you.

MR. COHN: These have been great panels all day. We can thank Stephanie for that.

Carlos, I have a question for you specifically about pharmacy. I was sitting here getting some consternation of the work processes you were describing. And certainly the way you described it I certainly wouldn’t want to be at pharmacy, at least as you’ve indicated, the week after the 14th.

Having said that, I was actually just rethinking about how people are doing these processes. I guess I was just sort of curious why you didn’t think as a general rule pharmacies might not be sending information home by mail, other conveyance, as sort of Notice of Information Practices, as opposed to trying to do it at the point of care in the same way that I think many others are not anticipating having people coming in to the doctor’s office and grabbing them at that point.

MR. ORTIZ: We’re exploring every option, including even mailing to the home as certainly one option. Our response with regard to mail in getting the acknowledgement is very, very poor, with regard to even anything. For example, let’s just take something that’s more important in the patient’s mind is when you have a recall of a particular drug product for whatever reason. We call and we can’t get hold of the individual, so we mail something and say, “Hey, your –

A very serious one was one where they had a product recall on the product that’s used where someone gets a bee sting or has some anaphylactic allergic reaction to a product. What was happening with this product was that it was accidentally discharging, so that when the person then had this anaphylactic reaction and went to use the kit there was no drug left. There was a huge product recall.

We had thousands and thousands of people. We tried calling them. Then we sent mail and we said, “Look, this is a very important issue. We’d like to have some acknowledgement from you that you received this letter and you’ve taken the necessary steps to avoid a possible medical emergency.” We get very little response from the people.

The mail option, while it’s an option we’re considering, we just don’t think we’re going to get a very big response with regard to getting the necessary acknowledgment that they received it that’s required by law. That option has been explored, but we have some certain concerns with it for that very reason.

MS. KAMINSKY: I want to thank all the panelists for very interesting testimony.

I, too, was sort of fascinated by the concept of a home record in the home health industry. It’s not something I’ve ever really thought about, although maybe I should have as somebody working on this privacy rule. I find it to be really troubling from an implementation perspective. I mean extremely challenging, not troubling but challenging.

I guess I have sort of a multi-part question. I wonder if you, Ellen, know of, if you could explain at all what the state law kind of context is for this in terms of – Bob or Ellen, there must be kind of rules out there already if a patient wants to have access to their medical record, even it’s a home health record.

I don’t know, maybe there aren’t such rules, because it’s obvious that they can have the access. There must be some context that this is playing off against. That’s sort of part one.

Part two is I’m curious about this release that you talked about drafting. I don’t know how much you can tell about that, but would it go as far as to ask patients not to issue a complaint with OCR for some kind of a breach, because it’s too hard to contain the privacy and confidentiality in the home arena. I could see it going that far.

Then third of all, if you have any sort of creative ideas about things that OCR or the department could do to assist with this very tricky area of implementation.

MS. JANOS: I just want to say that surprisingly Massachusetts does not have a particularly well-developed medical records statute. We have one particular statute that says medical records shall be protected to the extent allowed by law. It says nothing.

Then you of course have physician/patient statutes dealing with physician/patient communications, but that’s very limited. We have in Massachusetts a General Right to Privacy Statute that overlays all of the medical or private information. We don’t have, surprisingly, a well-developed medical records statute that would be specific and deal with a situation like a home record. That just doesn’t exist.

The release really wasn’t in any way intended to take away someone’s rights to go to OCR. It was really more of a way to get the patient to acknowledge that with respect to – there is a record at the office as well. The central office does keep a record, but there has to be a record kept at home because there are people in and out, care givers.

Bob was just talking to me ahead of time about his agency’s efforts to try to computerize everything and maybe do away with the home record. Have some computer record that would allow immediate access by any caregiver walking in there. That’s a pretty daunting task, and they’re working on it.

It wasn’t intended to take away anyone’s rights. It was really intended to just let them know that there’s only so much we’re going to be able to do with that home record. We can only protect it so much. At some point we have no more control over it, and they need to understand that. Not that we would in any way say, “You can’t go to OCR.”

I do think that that concept of good faith does run throughout these regulations. I can’t imagine if there was an inadvertent release by someone at the home that the home care company would ultimately be liable for that, unless they were careless with it. We do have to put policies and procedures in place that – we can’t control the patient. We can’t control the person’s family with respect to that record, but we have to take some reasonable steps to try to put some things in place.

Do we have any recommendations and any ideas? We’re thinking through it, and it’s not particularly well developed at this point. We will definitely see if we can come up with something that might be useful from your end.

MS. KAMINSKY: I would say that the department would welcome examples that you have come up with about how to protect a home record.

MR. ROTHSTEIN: And please note that we’ve mentioned to prior panelists that if you have additional written comments – I know you’ve all submitted some on something that may occur to you – please feel free to do so. Send them to Marietta Squire. We have asked that they be done so within 30 days.

MS. JANOS: Can I just ask one follow-up question on the layered notice, which is fabulous, really welcome news?

I’m assuming that the notice that goes to them could simply say the full, complete notice is available. They don’t have to get two pieces of paper. They could get one abbreviated form. Or has that yet to be thought through?

MS. KAMINSKY: I would just point you to the preamble pages.

MR. ORTIZ: If I could make just one statement. One of the things is that, and CVS has been working on this for well over a year now, and yet everyday we’re coming up with something new. What we find is as you deal with this issue over here something else pops up over here.

One of the things that just came up because we’ve been concentrating all of our efforts with regard to pharmacy. We run flu clinics in almost all of our pharmacies. We hadn’t even thought about what is the responsibility of a covered health care provider who is providing a service or treatment or something in their location that’s other than what their primary health care is.

Maybe it’s the VNA responsibility to deal with if you’re contracting with VNA; maybe it’s not. We don’t know. We’re sort of working through things like that. They’re just questions that come up everyday with regard to –

MR. YOUNG: That’s actually an excellent point, Carlos. We do have clinics not only for flu clinics but we also have elder clinics at elder housing facilities. Sometimes people have nothing else to do. It’s like, “Oh, this a great thing. I’ll go stand in line and get my blood pressure taken or do this, that, and the other thing.”

But then there are complex medical questions that come up in the context within a forum of people. They say, “We can’t discuss that right now. We can talk about that later and get your name and so forth.” We do try as best we can to comply with privacy, even today, and patients’ rights and the responsibilities that we have with respect to medical information.

It is very, very, difficult once you get out of that controlled setting to be able to do that. We did. We talked about the home. We talked about patients who will tell you, “I don’t want my family members to know what it is that’s going on.” But yet one of the family members is, in fact, the primary care giver, so they’re right in the home. They want to sit there while you’re observing or caring for the patient, and you have to ask them to leave. In some cases if you’re in a studio apartment they have no place to go. “Can you go outside for 20 minutes while I do this?”

You have all those people who say, “Why?” Then you’re leaving the caregiver with the patient, and then there’s a whole other host of situations that come up that don’t have anything to do with privacy. It’s that one-on-one situation in a patient’s home. Again, you’re the guest and you run into all those issues as well.

MR. ORTIZ: Here’s our first draft of NOPP. That’s the first draft. It’s very small print, even for my eyes they’re a little difficult to read.

MR. ROTHSTEIN: Thank you all very much. We will stand in recess for 15 minutes. That means that panel number four will begin promptly at 3:35.

(A short recess was taken.)

MR. ROTHSTEIN: Good afternoon everyone, and welcome to the fourth and final panel of today’s, first of two days, dealing with our hearings on HIPAA Privacy Rule implementation issues.

The final panel for today before our public testimony session is from community providers. Let me just re-state the rules we’ve been working under all day. Basically, you’ll have 10 to 15 minutes for your initial presentation. I’ll give you a one-minute warning. After each of you makes your presentation, we’ll entertain brief questions of a clarifying nature from the subcommittee members. Then once all of you have completed the testimony we’ll sort of have a panel question and answer session.

We’ll go in order in which your names are listed on the agenda. We’ll begin with Susan Lane.

Agenda Item: Community Providers - Panel 4

Susan Lane, Director, Planning & Grants, Planned Parenthood of Connecticut

MS. LANE: Hi, I’m Susan Lane. I’m the director of planning and grants at Planned Parenthood of Connecticut. We are one of the larger Planned Parenthood affiliates. We have 18 centers throughout the State of Connecticut. We do what we call “primary GYN,” essentially annual OBGYN exams, birth control, counseling, as well as dispensing of methods. We do STD testing, HIV testing, and treatment. We also do colposcopy. We do abortion procedures in four of our centers.

When HIPAA sort of finally hit our radar about a year and a half ago I think we really kind of welcomed it, to tell you the truth. Being Planned Parenthood, confidentiality and privacy has always been an important issue to us, and something we’ve taken very seriously. I think we sort of really kind of welcomed, at least, the principle. We’re very much in favor of HIPAA in principle.

About a year ago we established kind of an in-house committee to look at how we were going to tackle this and then sort of – I wouldn’t say having second thoughts but sort of seeing what this really means in terms of operationalizing it. We sort of met monthly and did a lot of education of ourselves, also because at that time the standards were still in draft form and sort of figuring out what was coming out.

Also at that time we were really searching for consultants, someone who could do a GAP analysis to sort of get us started. We found a firm here in the Boston area, Beacon Partners, and worked with them to do an initial assessment in GAP analysis.

They essentially came in and did interviews over about a three-day period, both at our administrative office and at one of our health centers. The feeling being that our health centers are very similar from center to center, very sort of minor differences. The procedures and the systems are all very much the same. They could look at one and really get a sense of what we need at all health centers.

We did that, and they came in for the interviews and then went back. Also, they did things like they came in with a computer to see if they could break into our system. We have a medical management software that we use.

They came back with their inch-thick GAP analysis. Even though, as they said in their sort of executive summary, we are an agency that has really thought a lot about privacy, confidentiality - we have a confidentiality policy. We have a system when there are breaches of confidentiality, what do we do and those sorts of things. We are an agency that unfortunately has had to think a lot about security in the last decade or so, and certainly has a safety committee, security committee, a security manual, a lot of security procedures.

But even that and given all that when they looked at 100 percent compliance with any of the standards we were at zero percent. We are in partial compliance of about 43 percent. We really still had a long way to go, even though we were an agency and a provider that was already partly there.

But also we have a fairly narrow scope, so really our exposure is probably a lot less than a community health center or an organization that’s doing primary care. We don’t do a lot of referrals out. We don’t deal with a lot of different labs, so we don’t have a lot of business associates and that chain of trust problem.

Also, I think what really got us is when we looked at the bottom line in terms of where they felt they would be at 100 percent compliance was over $100,000 in terms of when they sort of did the cost assessment.

Since then we have kind of been working with them and sort of discussing what this means. This was sort of an initial shock to us in terms of how much this was going to cost and how much effort it would be. I think what we have found is – I’m not sure where we’ve come on the cost and so forth – but a lot of this can be scaleable. I think they were sort of worried at first in terms of what we would have to do and what level of systems and controls we would have to have in place.

I think we’ve now gotten comfortable with this idea of scalability and understanding that a lot of what also has to be done is formalized what we already in place and also being very deliberate about where we do scale it and what is our rationale behind it.

To give you some examples, especially when HIPAA first came out I know our clinical services vice president was inundated with advertisements for, “Must get new racks for medical records. Old ones are going to be not HIPAA compliant. Cannot have charts outside the door.” As our consultant said, just turn it around in your case. You may not have to go this whole route.

The consultants said to be fully compliant you’d have to lock the – every time your medical records were unattended you would have to lock them. In a small center with three staff, where they’re running to the back, to the front, to the lab, and so forth, is that reasonable? No. That’s something we have come to say, “No. We cannot lock them every time we leave the room,” but we’re going to develop systems and patient flow to make sure that they are not unattended and to develop other systems also about when we look at the way our centers’ staffing is.

Everyone in our center does everything. We have a clinician, but in terms of the medical assistants who are on the front desk, they’re answering the phone, they’re posting charges, but they’re also doing the blood tests. They’re doing counseling. Everyone has to see the whole record. That’s something that’s going to be written in our procedures, as opposed to having only certain people see a certain part of the medical record. That just isn’t feasible for us.

I think once we got used to this idea that we need to take this and kind of scale it to our business practices and documenting that and then at the same time putting procedures in place to guard as much as we can against the security breaches and breaches of privacy.

Other things that were still overall a challenge for us, in the last few years we’ve worked very hard to make our services more customer friendly. We’re dealing with mainly young women who want to be in and out quickly, who want to get the results or to talk to the clinician on the phone, not necessarily have to come in for a formal visit. Walk-ins, in some of our centers 40 percent of our patients are walk-ins.

We’re a non-traditional practice in the sense that for many of our patients we are an adjunct to their OBGYN or their primary care. If they can’t get into their OBGYN because it takes two weeks, but they can walk into Planned Parenthood tomorrow afternoon, they will.

In some ways what we’re finding is some of these HIPAA things are kind of working against what we’ve worked very hard to become very flexible, to sort of open up the way we do business to meet the needs of our customer. In some ways we feel that HIPAA is kind of dragging us back to more paperwork, more counseling, more documentation, more formalizing of how we do things, as opposed to being a little more flexible.

Currently, we are in the throes of implementing a brand new medical service software package. Much of our strategy for complying with HIPAA also has to do with – it’s all coming at the same time as implementing this new software, which is going to actually mean that we do things differently in terms of how we enter data, how we collect data.

It’s actually, in terms of security, giving us more capability. We can segregate what parts of the patient information can be seen by function, which we couldn’t with our current systems. A lot of our strategy for complying with HIPAA has to do with implementing new systems and this new medical services software.

But still I think we also realize it’s going to be a lot of time in formalizing and documenting procedures of what we’re already doing in terms of security, in terms of privacy, setting up the forms and systems for people to be able to request changes to their record and how do we document that.

We’ve more or less decided we’re going to be assigning someone as the privacy officer, as opposed to hiring – certainly not hiring somebody, but that will be someone else’s duty in addition to whatever else they’re doing. It’s very much for us like compliance was a few years ago. Someone became the compliance officer and now we’re going to have a privacy officer.

Then setting up the systems as to how do things get kicked to the privacy officer to make the calls in certain cases and so forth. How does that get documented and so forth?

Some other challenges that we have are around security and passwords and computers. With this new software system that we’re implementing we’ll be having more computers in the centers, but you often have more people than you have computers. You have people who are only on computers a couple times a week; are they supposed to change the password every month? Are they going to remember their password, and where do they keep that and how do we keep that secure in terms of people sharing computers and so forth? Not sharing passwords and not putting the sticky on the machines and so forth. Those are issues that we need to resolve.

Where do we put the computers? It’s more convenient to have them at the front desk certainly for check-out, but we’re making sure that the information is not compromised and can’t be seen by other people.

These are things that we’re still struggling with. Also, we are recipients of Title 10 and two states on the planning grants, as such we are the grantee. We have delegate agencies. We’ve been working with our consultant a little bit about this and certainly hearing more from Title 10 about this in terms of what are our responsibilities in terms of our delegates.

For the most part, just as we are responsible for our delegates in terms of their financial controls we’re responsible in terms of their medical protocols and their quality assurance plan. We are going to be responsible. They need to answer to us to make sure that they’re compliant with HIPAA, and it’s implementing and on schedule. That’s another area for us that’s probably a little different than other providers.

MR. ROTHSTEIN: Thank you. Questions of a clarifying – I have one question. There are many Planned Parenthood chapters. To what extent have you been aided in your compliance efforts by the other Planned Parenthoods? It sounds like you’re pretty much on your own.

MS. LANE: No, actually we’re not. We sort of started that way. We have the federation. Actually, they’re affiliates. There are 150 affiliates nationwide. A) Because we’re one of the larger ones we probably sort of tackled it early. The federation now has – actually they’re coming out with a HIPAA manual.

They’re actually being tremendously helpful. They actually had a wonderful HIPAA training in Atlanta where we sent, as part of our way of attacking this, we sent many of our regional managers and some of our other clinic staff to that training. Many of these people will be sitting on the various committees that will be drawing up all these forms, procedures, and systems that we’re going to be doing.

So PPSA has actually been very helpful. Once everything is finalized in terms of the standards, we’re really expecting that they will be actually giving us language. It’s been very helpful, because they understand our medical protocols. Really sort of fitting in HIPAA to the way the Planned Parenthoods work, it’s going to be tremendously helpful.

Now Title 10 actually in this region is also taking on HIPAA and doing trainings and going to be providing resources, and actually be providing extra funding to help us to fund this.

MR. DANAHER: This is a little bit of a slightly off-the-wall comment, and I’m not making light of this by any means. It’s truly not a test case for HIPAA, but there is this very interesting case that’s going on right now in terms of trying to gain access to Planned Parenthood’s pregnancy records. It will be interesting to see how that plays itself out.

MS. LANE: And would that be a violation of HIPAA, in addition to all sorts of other violations. Certainly HIPAA is just another layer of which that this is another violation. When you look at HIPAA they don’t – only because there’s no case in which they –

I guess the prosecutors are trying to argue that they need access to the pregnancy records and are claiming they have access because they were conducted by a licensed professional and instead conducted by clinic assistants. Certainly HIPAA doesn’t distinguish between information that was obtained, testing that was done by medical assistants versus testing that was done by – it’s all part of the medical record and protected health information.

MR. DANAHER: Still it’s pretty fascinating.

MS. LANE: Very much so.

MR. ROTHSTEIN: Thank you. Dr. Harding.

MR. HARDING: Just a clarification, you were kind of saying that you – to look at the issues of Massachusetts and preemption of HIPAA you kind of went to a local attorney group and had them kind of assess you and tell you if you were in compliance in Massachusetts law and where that differs from HIPAA and which one preempts and so forth.

MS. LANE: First of all, we’re in Connecticut. As much alike as they are, the one big difference is around the law. I assume you’re talking about minors. Connecticut has wonderful law around minors in terms of they have their right to access and their rights over their reproductive health information, rights to obtain an abortion, HIV testing, STD testing, mental health referrals, and so forth. This is for un-emancipated as well as emancipated minors. We are in fairly good shape in Connecticut.

We actually have some difficulty, and this we’ll also find more as the time goes on, is around mandated reporting. Right now we have a little – especially around in terms of issues of statutory rape. We have always been a mandated reporter of sexual abuse. Certainly that has been very clear cut, and that has not been a problem.

As there have been some changes to the statutory rape laws, it’s not clear sometimes where statutory rape and sexual abuse intersect in certain interpretations as to are you a mandated reporter of statutory rape when it doesn’t come under the strict sexual abuse guidelines. This often has to do with age and so forth. Then where does HIPAA come in, in terms of what we report, to whom, and so forth. It’s just another layer.

MR. ROTHSTEIN: Dr. Perlman, please.

Sylvia B. Perlman, Ph.D., Mental Health & Substance Abuse Corporations of Massachusetts, Inc.

MS. PERLMAN: I do feel a little silly having to stand back here with the computer.

PARTICIPANT: Many people did this morning. It’s fine.

MS. PERLMAN: Okay. I also figure frankly at this hour of the afternoon anything I can do to keep you awake is also good.

My name is Sylvia Perlman. I’m the director of quality management for Mental Health and Substance Abuse Corporations of Massachusetts, which is a statewide association. We have about 100 members statewide.

I just want to give you a quick little outline of where I’m going to go in this discussion. I’m going to deviate probably a little bit. You have my written testimony. You also have – I did make copies of the PowerPoint presentation, but I am feeling as though I want to say a few things that might be a little different, particularly since some of my points would be very similar to what the people on the last panel said. I’d rather say some slightly different things.

I’m going to tell you a little bit about our organization, a little about what we have been doing in terms of our work on HIPAA, and then focus – as people did in that last panel – on the challenges that our providers are facing.

As I said, we represent over a hundred community-based providers. They operate a very substantial range of programs, everything from individual therapy, medication management, in-office kinds of services through - what’s particularly significant for HIPAA purposes - through both home visiting services, very analogous to what the home health people were talking about, and residential programs where our clients actually live in facilities that we operate.

Almost all – a large proportion of our clients are poor and served under federal and state finance programs. Many of them, in fact, would have been institutionalized not very many years ago.

I want to emphasize the point, just as my colleague from Planned Parenthood did, that as mental health and substance abuse providers we have always had a major commitment to confidentiality and privacy of our clients and their records. We have always known that were the records to get into the wrong hands that harm could be done, so we’ve always been careful. And yet, even though that’s the case, again as with Planned Parenthood, still HIPAA implementation does represent a major challenge for us.

The way in which we have organized our efforts in our association is, I think, relevant to this discussion. We have had for several years a corporate Compliance Officers Committee that meets regularly. They have taken on HIPAA implementation in the last year or so as part of their agenda. We have a smaller subset of that group, which we call a HIPAA steering committee, that has helped make decisions around the work that we’ve been doing.

In fact, the ideas that I’m presenting this afternoon really come in large measure from that steering committee, with which we had a conversation, and they talked among themselves about what they saw as the big issues.

What we have done is that we developed a training and implementation project. We offered the training program beginning last December and ending this past June. It was once a month for seven months. We covered most of the major HIPAA topics.

In August we sent out to all of those who participated in the project a CD-ROM with policies and procedures that can now be adapted by each member to their own needs. In fact, we sent that CD-ROM out just about a week before the privacy rules were finalized, so that increases our challenge.

The next step is that we will be doing a special training module for residential providers, which needs to include some different kinds of elements because of the kind of staff that they have and the kinds of programs they run.

You asked in your series of questions about best practices. We basically consider that what we’ve done is pretty much a best practice. That’s what we’ve certainly tried to do. What has been unstated by any of the speakers I’ve heard, but it’s something that we have really talked about in our group as part of the best practice concept, we believe that we are developing what amounts to an industry standard.

It’s our sense that in terms of – as issues arise for individual providers that they want to have the trade associations work kind of behind them as they make decisions and go forward. It’s their feeling that this will help them in a legal situation, if need be. Hopefully, it won’t come to that, but the industry standard is being set by this project.

I want to just quickly mention one – I was at the CMS meeting this morning that somebody else referred to earlier in Waltham. They’re doing a series of outreach trainings to providers. The speaker referred to – and I didn’t much like this but – he kept talking about there’s good HIPAA and there’s bad HIPAA. I, frankly, am not sure I agree that there’s exactly bad HIPAA, but certainly I would say one of the good HIPAA things is that there has been some coalition building around this issue that we haven’t seen around other things.

We’ve become involved, our organization, with the Massachusetts Health Data Consortium. We’ve also worked with our executive office of Health and Human Services, and we’ve worked some with consumers to try to bring them in on the discussion.

I want to talk next about, and really focus on, the kinds of challenges that our providers are facing. Again, some of them are very similar to what we’ve talked about earlier, and so I’m going to go over those pretty quickly. I’ve grouped them into categories of uncertainty, cost, complexity, and technology versus security issues.

I’m going to talk first about uncertainty. I’m not going to harp on this, because I think other people have said it and will say it. I think it’s certainly one of the biggest challenges. There are so many unknowns. Organizations are having to make dramatic changes to accommodate the new regulations. They don’t mind doing it. They know they need to. It’s a good thing to do. I think most of HIPAA is good, but there’s so much uncertainty still out there that it just makes it extremely difficult.

As I said, for example, the privacy rules were finalized just after we sent out our templates for policies and procedures. Now we have to go through a process where the consultants do an update, and we pay for that and all that.

The security regulations aren’t final yet. The code sets, at least for mental health and substance abuse, aren’t final yet. There’s ongoing speculation about possible changes in either deadlines or content or whatever.

The preemption issues, again, I’m not going to talk a lot about that. It’s certainly a major issue. We are fortunate that one of our consultants working with us on our project is one of the attorneys with the Boston Bar Association working on the preemption analysis. Hopefully, our templates actually incorporate most of the appropriate state laws when they preempt HIPAA. But that analysis isn’t finished yet, so that, too, is going to have to be updated.

Another issue that we have is that in Massachusetts some of our state agencies are not really telling their providers very much about HIPAA, either what they’re doing or what they expect the providers to do. In some cases I think they’re not even certain about whether they’re covered entities themselves.

Next is the cost issue, which obviously everyone is talking about today. It’s certainly extremely important to us. We are chronically underfunded organizations of various sizes, but never have enough money to go around. The costs we know are large, but totally unpredictable at this point, really.

Originally we had been told that, as somebody mentioned earlier, that there would be offsetting. That the cost of doing the privacy and security parts would be offset by the savings from using transactions. Well, we can forget that. I think we all know that isn’t really going to happen, and particularly with the compliance date. The extension, if it ever could have happened, it isn’t because of the extension.

It’s also very expensive for providers to do the GAP analysis. I don’t know how much Planned Parenthood paid to have that GAP analysis done, but they were told it would cost $100,000 to fill the gaps, but there was also a cost just to get the GAP analysis done. There are so many upfront costs and so little savings.

Residential programs aren’t really going to save money on standard transactions at all, because their costs for implementing HIPAA are going to be very high. They don’t bill for individual services, so they don’t really have any offsetting savings.

Another cost issue, as was mentioned in the last panel, is training. Our organizations, it’s probably as dramatic as the CVS issue that was talked about. We have very different kinds of employees. Our residential programs have large numbers of kind of entry-level staff, many of whom are barely literate, if I may say it that way.

Training them is going to be a challenge, as the home health providers were saying. We have a lot in common with the home health providers. That became clear to me as I listened to them. When we train residential staff we have to put replacement staff on to make sure there’s coverage. When we’re training clinical staff we have to pay them for non-productive time. We’re losing significant revenue there.

We also have to make infrastructure changes, hardware, software, physical structure in terms of furniture placement, waiting room organization, all of that kind of thing. Again, it all costs money, and there’s no place to get the money from.

The next thing I want to talk about is the complexity of the requirements. Just the fact that we need to train people in these very complex requirements represents a challenge. We have to train people who serve in many different kinds of capacities. Many of them do not have very high levels of education. That’s a challenge.

We also have many – and I haven’t heard anybody mention this today, but I’m sure it’s not just our issue – we have many employees and many clients for whom English is not their first language. We’re going to have to deal with translating a lot of materials into other languages. That certainly is a challenge.

And the issue of tracking disclosures was discussed earlier.

Another challenge as we see it is figuring out the trade-off between technology and security. It’s particularly true for the people who provide services in their clients’ homes who have learned to use laptops and PDAs over the years, to great benefit. It really has made a difference in what they’re able to do and how efficiently they can work. Now though we have to worry about the security of the technology, which is undoubtedly good. Again, I wouldn’t call it bad, but it does represent an additional cost and a challenge in terms of just figuring it all out.

My last point is one that it’s a little risky to even talk about this; but I’m going to mention it anyway, because I do feel very strongly about it. From what I hear I am quite convinced that there are some providers that think that either the state agency they contract with or their billing software company is going to take care of HIPAA for them, that they really don’t have to do anything about it.

Actually, at the CMS meeting this morning I heard billing companies talking in ways that made me even more nervous about this. As it turns out, and I was not aware of this, the billing companies absolutely want to submit the extension requests for their customers, because if that extension doesn’t get submitted correctly their clients, customers aren’t going to get paid. They only – obviously, the billing companies – only earn their money if their customers are getting paid. They want to do that, and they apparently are doing that.

However, that leaves the customers, I believe, feeling more strongly that, “See, I don’t really have to worry about HIPAA.” We know it’s only the standard transactions and code sets part of HIPAA that their billing company can possibly really be dealing with. There’s much more to it. We’ve been told actually that it’s probably 75 to 80 percent that is in the privacy and security part, so nobody else can take care of it for you. You have to do it yourself. I think people will be very eager to believe that they don’t have to do it, that their software company is going to do it for them.

In conclusion, we believe that we have set a standard for our industry. We have been providing training and technical assistance. We, as I said, have developed templates that our providers now have in hand and are working on. HIPAA compliance issues have been high on our agenda for at least the last year or so and are going to continue for at least the next year or so.

I’d be happy to answer any questions. I did not say it in the beginning, but I will say it now that we are very grateful to have this opportunity to actually speak to you and appreciate the fact that you were listening to us.

MR. ROTHSTEIN: Thank you. Some questions for Dr. Perlman? Dr. Harding.

MR. HARDING: I shudder to bring this up, but you raised the topic of educating some of your employees that have different educational levels. Then I was thinking about the notice that we have been talking about, and certainly people who we are going to be giving notice to have different education, language, developmental, etc., etc.

Do we have some kind of a requirement that the notice must be given in a manner appropriate to the developmental level or the language level or whatever?

MR. ROTHSTEIN: It just says plain English, but the plain English is going to vary widely depending on all sorts of things.

MS. KAMINSKY: I think in the preamble to the original rule – this is off the top of my head so this is just Stephanie Kaminsky speaking now from memory. I think in the preamble to the original regulation I’m pretty sure that given that OCR is the agency involved there is language about limited English proficiency and the need to do – put it in the language that’s appropriate. However, I don’t know if your comment was going to the comment of mental capacity, which may be an issue with this particular population.

MR. HARDING: All of the above. I was thinking that one product that CVS has that’s probably written at a sixth-grade level or something -- I don’t know what they would choose -- there are going to be a lot of people that isn’t appropriate for.

MR. ROTHSTEIN: Well, and also from the testimony from Planned Parenthood. If you’re in Connecticut and can see un-emancipated minors, that might suggest that the notice is quite different from the kind that we’d give to an adult.

MS. PERLMAN: We had, just to respond a little bit, and I just want to say that what I presented just now is certainly just the tip of the iceberg. I didn’t go into any of these thousands of issues that are out there, some of which I could talk about more intelligently than others.

In terms of this one in particular, we have been thinking in terms of the layered kind of product, statement, whatever it’s going to be called. In fact, our members are accustomed to getting consents from their clients. That’s been a long-standing tradition. They do have ways of dealing with those issues.

Yes, I would say that every question that you raised is certainly an important and relevant one that we do have to think about.

MR. ROTHSTEIN: Other questions at this point? Okay, we’ll move to Mr. Coffee.

Jim Coffee, Director of Information Services and Technology, Greater Lawrence Family Health Center (GLFC), testifying on behalf of GLFC, Massachusetts League of Community Health Centers, and Community Health Center HIPAA Collaborative

MR. COFFEE: Good afternoon. My name is James Coffee. I’m the director of information systems and technology for the Greater Lawrence Family Health Center. We’re located in Lawrence, Massachusetts, which is just south of New Hampshire.

I’m also co-chair of the Community Health Center HIPAA collaborative, which is a group of health center members of the Massachusetts League of Community Health Centers. We’re working together to identify a common approach to all the elements of HIPAA. The collaborative was formed last year in response to the impending compliance dates of the published rules. We found early on that this would prove to be a daunting project.

Although each rule brings unique challenges, the one that we face with the greatest trepidation at present is the privacy rule.

While my testimony reflects many conversations with health center colleagues and input from many centers across the state, I do not claim that it represents the full range of issues and concerns of all health centers. Thank you for hearing and accepting my testimony.

Community health centers are community-based and community-governed non-profit organizations. In Massachusetts community health centers provide services to approximately 10 percent of the population, roughly 600,000 patients at 104 service sites.

Community health centers have a collective mission to remove barriers to accessing health care, provide high quality, culturally sensitive, comprehensive primary care and related services. By doing both of these things, they improve individual and community health. Barriers to care that health centers work to remove may be financial, geographical, or ethnic, linguistic, or cultural.

I’d like to give you a little bit of background on my organization. Greater Lawrence Family Health Center has been providing care in the Merrimack Valley for 22 years. Our current, active patient base is 35,000 people. This represents nearly half the population of our city and makes Greater Lawrence Family Health Center one of the largest health centers in the state.

We have four primary care sites and 11 other service sites that include a prevention and education library, an area health education center, a CDC 2010 project that is focusing on diabetes and coronary health in the Latino population. HIPAA is very much on our minds throughout our organization.

As the director of information systems and technology it has fallen to my department to spearhead the response to HIPAA and HIPAA compliance. Displacement of HIPAA responsibility in IS or IT departments appears to be the norm for health centers. I expect that this is also true for other provider organizations.

The reason may be as simple as the fact that the transaction rule was the first to be published, but it is also obvious since many elements of HIPAA depend directly or indirectly on information technology decisions and changes.

My co-chairs on the HIPAA collaborative are IT professionals like myself. It is still the perception in many quarters that all aspects of compliance will be addressed by IT. We know, as I’m sure you know, that there is nothing further from the truth.

Now I’d like to directly address the issue of the privacy rule. The privacy rule was published in final form on August 14, 2002. That leaves 8 months to bring our organizations into compliance, which is not a long period of time. Although the proposed rule has been public for some time, according to the legislation there should be 24 months between publishing the final rule and the compliance date.

We currently have eight months. During those eight months we must also ramp up testing and meet compliance deadlines for the transaction rule with our many private insurance payors, as well as Medicare and Medicaid.

Community health centers have several HIPAA related challenges that may not be faced to the same degree by other types of provider organizations.

One is our increasingly diverse and multi-cultural patient population, which includes refugees and undocumented persons. Through multi-lingual staff and translation services, Massachusetts Health Centers provide services to a patient population speaking nearly 40 languages and many patients are illiterate. Some health centers must translate documentation in as many as 20 languages, which is very costly.

In addition, many health centers provide services to homeless populations or to people who are substance abusing or mentally ill. Mentally ill patients already find navigating the health care system especially difficult. Requiring them to read and understand language concepts that many of us find hard to comprehend may cause some patients to become lost to care.

How do we accurately express complicated concepts unique to the U.S. care system in language that may not contain relevant terms? Communicating the intent and rights of the privacy rule to patients who are anxious about their care is a delicate process. Patients may end up not understanding what they are signing. As I mentioned, the health center’s explicit mission includes removing barriers to access in care, whether these barriers are income, geography, insured status, or ethnic, linguistic or cultural background.

Centers are concerned that compliance with the rule does not itself create barriers to care by creating confusion and anxiety in patients who for a variety of reasons have trouble understanding what is being communicated.

Staffing and staff training is a very difficult issue. Like other safety net providers, community health centers hire staff from the local community, both because it is appropriate to providing culturally sensitive environments of care for patients and because it makes the center a fuller resource to its community as a local employer.

Many staff members who come from the communities that they serve speak English as a second language and have difficulty with legal concepts that pertain to health care. In addition, one health center provides services to a homeless population at 70 sites. Training staff at 70 service sites and developing and maintaining a viable monitoring system for authorization and access tracking seems frankly overwhelming, given the time frame.

Many community health centers experience high levels of staff turnover. My own health center has experienced staff turnover rates as high as 22 percent.

The need for constant ongoing training will take valuable resources from other areas and from patient services.

Like other safety net providers in Massachusetts and other states, health centers are struggling with increasing demand for services and decreasing and less stable reimbursement. With cuts in funding from the fiscal year 2003 state budget, lower reimbursement from insurers, including Medicare and Medicaid, health centers must be even more vigilant in watching our bottom lines and making the best use of our limited dollars.

Compliance costs are coming at health centers at a time when maintaining services is increasingly problematic. Community health centers have limited staff resources for providing policies and other documents, updating, building and monitoring systems that will need to be put into place to reach compliance.

In most health centers many staff wear multiple hats and often manage projects that are not obviously connected to a person’s title. Many staff responsible for HIPAA compliance do not have line authority over other staff affected by privacy rules. In many centers the IT department and/or the human resources department is one person. The security officer may also be the privacy officer and/or the corporate compliance officer.

Many community health centers remain at the mercy of their practice management software vendors, who at this time are focused on the transaction rule and its impending deadlines. It is important to remember that compliance or not, the transaction rule will affect our bottom lines.

The protected health information concept of the privacy rule is fairly straightforward and easy to understand: just don’t give out patient identifiable information. It is the implementation details that will prove difficult.

Tracking the granting of and revocation of consent to care will require extensive and multiple system changes. I know that my system vendor is not currently looking at how to change their product for the tracking of consents and is just starting to look at the audit trails of record access. As I said, I am at their mercy when it comes to this feature: when it will be designed, tested, and available, and I don’t know the price.

Many health center organizations are appropriately moving towards an electronic medical record, which entails enormous system and organizational challenges, and requires priority status as an IS project.

I would like to offer a few comments on some of the specific questions I understand the subcommittee has an interest in.

Technical assistance: I believe the provider community needs more guidance with the regulations from HHS. A big part of compliance is the interpretation of the rules, as many parts are ambiguous and could lend themselves to many interpretations, and every consultant is entitled to their opinion. Having a standardized gap assessment tool would help move implementation along.

Resources for technical assistance to train staff are definitely needed, and there are many distinct groups of staff that need training, including front desk staff, line clinicians, and senior managers. Since all provider organizations are looking toward the same goals, having the federal government provide us resources for engaging value-added vendors, products, and services would be invaluable.

Regulations talk about “good faith effort.” What is a good faith effort? The term is open to many interpretations. One organization has drafted a privacy notice in excess of ten pages that the staff felt was needed to cover all the bases and demonstrate a good faith effort. By the way, that was the homeless organization that came up with a ten-page privacy notice. Obviously, this is far too complicated a notice to give to the average patient.

Best practices: For community health centers I believe developing the CHC HIPAA Collaborative has been a best practice. It was created because there were specific health center issues as a provider group, including the fact that we are very short on staff and cash, both of which are needed to implement the HIPAA Privacy Rule.

The idea was that by collaborating we would not all have to tackle the whole of HIPAA alone. Individual staff could give more attention to an area in which they were more familiar and use the resources of other health centers to help in areas in which we were not as familiar.

There are several working groups within the collaborative that have formed to support the HIPAA implementation, as well as several other working groups, including the ones we heard about previously: the HIPAA Education Coordinating Committee, which is supported by the Massachusetts Health Data Consortium, and the New England HIPAA Workgroup. The CHC HIPAA Collaborative members are also members of these groups and facilitate the exchange of information to the collaborative.

I do not say this to criticize any of these efforts, but with HIPAA compliance dates looming there is now so much activity it can be difficult, if not impossible, to work effectively with all available resources and/or potential partners.

Resources: The resources that the CHC HIPAA Collaborative uses include our own website for posting messages, discussion threads, and document templates designed by the group; the Massachusetts Health Data Consortium website and materials from the HECC, the NEHW, and WEDI-SNIP; materials from a recent Health Care Compliance Association compliance event in Boston; the HIPAA DOCS website; and the HHS, CMS, and OCR websites, which are all good resources. They’re well organized and contain timely information.

How are we approaching the training mandate? The CHC HIPAA Collaborative formed four workgroups to correspond to the transaction and code sets, privacy, security, and training elements of HIPAA. The training work group has been working to develop training materials based on the rules as they are published. We’re using PowerPoint software and tailoring the presentations to different health center audiences, such as senior management (including boards of directors), the front desk, line employees, physicians, and other clinicians. These presentations are provided to the collaborative membership through our website.

Accuracy and quality of vendors: The accuracy and quality of vendors and consultants varies widely. As is obvious, HIPAA has generated something of a cottage industry of consultants and new products. We’ve joked about the materials claiming to solve our HIPAA requirements. Through the CHC HIPAA Collaborative workgroups and meetings of the co-chairs we have tried to wade through the mountains of vendor information in an attempt to keep each center from having to evaluate each vendor and to weed out those that do not present a clear solution or direction.

Unfortunately, health centers have had the experience with promises that were not kept and products that did not exist. With the passage of time more vendors are offering more products and services, and evaluating the quality of vendors or products is taking increasing amounts of time as the compliance timeline is shortening. No one can really claim a long track record of providing successful HIPAA solutions to customers precisely because HIPAA and the final rules of its components are a new mandate.

In closing I would like to leave you with several thoughts. First, HIPAA is still thought by many in the industry to be an information technology issue, when in fact it is a health care issue. The federal government mandates providers to train employees and become compliant with the regulations. But in the end, health centers will be training our patients and the general public as well. The federal government should take more steps to educate the public directly on the basic principles behind the legislation and the regulations.

Patients already think that health care is buried under a mountain of paper, and we are now going to be adding to it. With staff in our health centers working at and sometimes beyond their limits, it is often difficult to look to the future positively or see a positive purpose behind another federal regulation.

Speaking for health centers, we need more resources for staff and systems to really do it right. Eight months does not provide enough time to gain an understanding of the regulations, write policies and procedures, and train staff and patients, and also prepare to test HIPAA compliant transactions with all our vendors.

This concludes my testimony. Thank you for the opportunity to provide it. I’m happy to take questions.

MR. ROTHSTEIN: Thank you. Dr. Danaher.

MR. DANAHER: Mr. Coffee, my knowledge of Boston and the community health centers is a bit dated, so bear with me if you would. There is a very historical trend of the academic teaching hospitals being close partners with the community health centers. For example, Deaconess was very involved with Rocs Comp.

The first question I have is do those relationships still exist, and can those academic medical centers be a source of resources for community health centers?

MR. COFFEE: That’s a really good question. Yes, they do still exist. We’re actually grappling with that at the collaborative right at the moment, trying to figure out whether or not. The acronym I believe is OCHA, O-C-H-A, which is – OHDA, yes. Whether or not the parent organization or the umbrella organization actually will have impact on the health center itself, we’re still trying to figure that out. We’re not really sure.

MR. DANAHER: Some of them are so close, the Community Health Centers with the academic centers that, yes, I could see that.

MR. COFFEE: We’re still trying to figure that out. It just sort of depends.

MR. DANAHER: The quick question I have is that I am aware of HRSA, the rural hospital service administration, having a grant for creating a resource center to assist rural hospitals in their efforts to become HIPAA compliant. Are there any RWJ, Kaiser Family Foundation, or federal grants out there that are potentially able to assist in this effort?

MR. COFFEE: Working with my grant writer, who does a great deal of research, we’ve been looking for about the last six months and really have not found anything of substance that would be funding that we would qualify for. Although the Bureau of Primary Health Care, which is the funding agency for my agency, is starting to talk about it there is no direct funding from them yet specifically targeted at HIPAA response.

MR. ROTHSTEIN: Dr. Harding.

MR. HARDING: Are community health centers a 501(c)(3)?

MR. COFFEE: Yes, they are.

MR. HARDING: That’s what I thought. I just wanted to be sure.

I have a question more for Stephanie and Marjorie. Something that has come through all of the – most of testimony today has been this request that the federal government or HHS or somebody do a great deal of public education in the area of letting people know what’s coming and what we can do about it and so forth.

What’s the current status of that from your knowledge? What are we doing with that area?

MS. KAMINSKY: There are a number of activities going on. Actually, I have a list and I was going to discuss it with the subcommittee tomorrow, so I may not be recalling all of them.

OCR is shifting its focus towards outreach and education right now. They are issuing – I don’t know if issuing is the right verb – but they’re letting a very large contract right now to a contractor to develop written, technical assistance materials.

They’re also putting together videos for educational seminars. They’re going to be doing trainings throughout the country. They have five sites that they’ve picked to do massive two-day training per site seminars for everyone who’s affected by HIPAA.

There are various media that we are now trying to engage to get the word out, be it in the form of technical assistance to providers or also be it to the public, to consumers.

MR. HARDING: Public service announcements?

MS. KAMINSKY: I don’t know if that’s in the works. It could be something that the committee could maybe suggest. It’s certainly something that I’ve seen done for outreach and education for other initiatives, so it would certainly be something that could be done. I’ve not heard plans for public service announcements.

I know that the outreach efforts are directed on the one part to providers in the pharma-technical systems and then on the other to consumers to try to educate the public, as one of the testifiers said earlier today, to try to help patients learn what these privacy rules will mean for them.

MR. ROTHSTEIN: Other questions? I want to thank you for sharing your thoughts with us. They are very helpful, especially coming on the heels of three prior panels. We’re starting to get a picture of what it’s like out there in the real world to try to comply with the upcoming privacy rule from all different perspectives. It’s been extraordinarily helpful to us, so thank you for coming.

It’s time to shift gears now for us to move to our public testimony phase. I would like to ask Mr. Kozik to come forward. As you’re coming forward, Mr. Kozik, let me share with you the great burden that you are going to have to bear.

You are the public. As our sole public testimony you have 285 million people counting on you.

Agenda Item: Brian Kozik, North Shore Medical Center

MR. KOZIK: Thank you for that tough burden.

First, I’d like to thank the subcommittee and chairman for allowing me the opportunity to participate in the public testimony, and especially Stephanie.

My name is Brian W. Kozik, and I’m the director of compliance and audit services for the North Shore Medical Center in Salem, Massachusetts. The North Shore Medical Center is comprised of two acute care hospitals, a rehabilitation hospital, and a physician organization.

We are part of the Partners Health Care System, Boston, Massachusetts. Partners employs approximately 35,000 individuals plus 100,000 members of the primary physician network. The North Shore Medical Center employs 5,000 employees and 796 physicians.

We will be designating ourselves as an affiliated covered entity. By designating it as an affiliated covered entity we are faced with the challenge of ensuring all Partners’ entities are developing their approach to patient privacy in conjunction with each other. I’d also like to note that consistent with our number one mission of patient care, I think the federal privacy rule is a good thing, as it furthers our goal of protecting the privacy of the patients we care for each and every day.

I’d like to discuss assistance I feel is necessary, along with some challenges. I actually added a best practice that I wanted to share later on, too.

I found the guidance issued in July 2001 an excellent resource in providing, as I say, quote/unquote, plain English questions and answers to many of the gray areas of the final privacy regulation. In fact, when I printed it off the Internet I probably disseminated it to over 50 or 60 people at the medical center and got a lot of positive comment back, because people really understood the questions and answers.

For example, weekly I get calls asking me if offices need to eliminate sign-in sheets. Also, when a physician practice or hospital registration area is being renovated I’m asked to look at the plans and render an opinion regarding the need to soundproof booths. I’ve actually had blueprints come across my desk. I’ve been asked about the need to eliminate white boards. I would recommend to the subcommittee that it issue further such guidance.

This one is for you Dr. Harding. Thank you for leading in. It appears that the burden to inform patients of the new federal standards defaults back to the provider community. However, the government should prepare some form of communication to the general public.

Some of the challenges that I’ve faced: A major challenge that I faced at North Shore is to train the 5,000 plus employees and physicians on the final privacy rule. I have three shifts of people and a number of non-English speaking individuals. I was working on – this is an aside – patient rights for JCAHO and I remember trying to get the patient rights translated to Spanish. It was a long, drawn-out process. We were successful, but it took a lot of time.

To train this many individuals I will need a toolbox of methods: computer interactive handbooks, videos, and PowerPoint presentations. I’m looking at the computer interactive more for physicians and nurses and the handbooks for people whom I can’t get to a training session.

Like Y2K, consultants are coming out of the woodwork to offer you the latest and greatest training tool. I check my voice mail at lunch, and I had two calls today. That’s not bad. With consultants and other tools comes a cost. How much should be budgeted for training? Again, training is not just one time. We need to train all our new employees at orientation and when we change our privacy practice significantly.

I will say that at North Shore Medical Center I actually started working on this in August of 2000 and in over a year worked it into new employee orientation. What I do is a presentation on compliance; a presentation on core HIPAA training, which I’ll talk a little bit about; and then I conclude with the video, “Keeping It to Yourself,” which is an excellent video. We’ve already started to do that and logging people in for attendance.

Privacy Notice: Patients are asked to sign a whole host of documents upon entering the hospital. Now we must include a six to seven page privacy notice for each patient and make an attempt to obtain his or her acknowledgment of receiving the notice. What will I do or how will I document if they decide not to sign the acknowledgement? Where should this acknowledgement be filed? I will need a field in our computer system to track that I gave the notice, so I don’t repeatedly give it to the same patient. How will I disseminate the notice should our practices change significantly?

I also see the right of allowing patients to opt in and out of facility directory as a major hurdle. We will need to design systems to capture the requests and enforce the requests. For example, what will happen if the florist presents to the hospital to deliver flowers to a patient, however, the patient has opted out of the directory?

There’s one area of the HIPAA regulations that I’d like to also mention, with some logistical and financial drawbacks – fundraising. Briefly, moving forward after April ’03 specialist physicians can no longer solicit or reveal names of patients with in-house staff to conduct fundraising activity. While on the surface this is understandable from a privacy perspective, a number of negative consequences loom.

In order to allow patients to consider fundraising, authorization forms are being submitted up-front at the time of admittance. We are asking patients, in essence, to be grateful before they have had any medical service to be grateful about.

We expect a low turnout in the number of authorization forms to be signed. As a result, the potential for raising necessary funds for biomedical research and community benefits like indigent care will be severely impacted because of our inability to reach out and assess people’s interest and potential in giving.

For years fundraisers have abided by ethical standards promulgated by the Association of Healthcare Philanthropy and have worked confidentially with physicians in handling information. These regulations will significantly reduce our ability to raise funds and will add approximately 2 million forms (2 million being the number of people who enter the Partners’ system in a given year) to the paper and electronic management of our hospitals.

We’re asking the committee to consider in any future adjustments to the regulations that the regulations provide fundraising staffs access to the names of physicians, department, and division. These three elements would be granted under normal hospital operations, and thus not require an authorization form.

Please let me be clear that diagnosis and treatment of a patient will continue not to be accessible unless an authorization form was signed in advance. It is important to recognize that the physician, department, and division specific information describes only the area of the hospital where the patient receives treatment and the name or specialty of the treating physician. It does not include specific information related to diagnosis or treatment.

I’ve attached a lengthier testimony to this document.

As far as a best practice, I’ve heard a lot today about people wondering how to train. I think at Partners and North Shore we came up with a pretty good, really cost effective way. We developed a module approach to training. We call it “HIPAA Core Training.” HIPAA core training may be just enough for the board level or for certain level people, but then we are going to get into modules.

We have the core training, which is overview: What is HIPAA? Why privacy is important? How will HIPAA impact patients’ rights? How HIPAA will impact you as an employee, your responsibilities. What should you do to report a breach and what you should tell a patient or family member that wants to complain about a privacy issue?

After core we have, or are developing, the following job function specific modules: admitting, registration, ED and financial counselors, marketing/QA/fundraising, research, mental health clinics (in addition to information listed under MD and Nursing), nursing, patient care services (rehab therapists, technologists), medical staff, residents, medical students, information systems, HIS staff, finance (patient accounts, credit and collections, customer service), HR/occupational health, and contracting and materials management.

I’ve attached how that module looks to the document. What I wanted to do is basically, when I train on compliance, too, I tell everybody that compliance isn’t Brian Kozik. It’s everybody’s job. So the same thing with patient privacy. It isn’t my job; it’s everybody’s job. What I’m tapping into is all existing staff meetings. I’m not creating a special meeting just to train on HIPAA. I want people to know it’s something we should be doing every day.

Again, thank you Mr. Chairman for the opportunity to participate in the public testimony. Thank you.

MR. ROTHSTEIN: Thank you. Any questions for Mr. Kozik?

MS. KAMINSKY: I just neglected to mention earlier in my response to Dr. Harding’s questions that the department is in the process right now of updating the July 2001 guidance. When we’re not involved with planning testimony for the NCVHS we’re revising guidance that will be posted on the web hopefully in the near future that will reflect the modifications that recently were finalized.

MR. ROTHSTEIN: Any other questions or comments?

Dr. Danaher.

MR. DANAHER: Mr. Kozik, on your training modules on the back who is going to have the responsibility for training the medical students that rotate through North Shore Hospital or Salem Hospital?

What I’m getting at is kind of one of the issues that I am intrigued by, how people are approaching it, that is, is it the case that there will be Harvard Medical School training policies and procedures? One month when they’re in North Shore they’re in North Shore; and the next month when they’re at the Brigham they have to learn – you know what I’m saying. Is there enough confluence because you’re an OCH?

MR. KOZIK: I can’t really answer how we’re going to do that. I think we haven’t decided how to tackle that yet. That’s again one of the challenges because of exactly what you said, the rotating throughout the system.

MR. DANAHER: It’s an interesting challenge.

In the training that you have done have you noticed – for example, you were talking about – let me just go back to your testimony here.

Have you launched some of the beginning training?

MR. KOZIK: Yes. I’ve probably trained over 15 percent of the staff already. I find what’s really successful is real-life examples in their area. In other words, when you’re in the rehab area you can give them real-life examples for therapists. That was very, very helpful.

I had done HIPAA training, like I said, early on in my career at North Shore in August of 2000. I did a presentation that was very technical. It was what HIPAA was about. I could see it going over their heads, the crowd. At the end of the meeting I said, “Does anybody have questions?”

They said, “Yeah, what did you just tell me?”

So with the core, getting down to some basics and showing them what identified information is, giving them real-life examples, common breaches, people in the news, people trying to access records, really hit home. I got a lot of feedback from there on those types of questions.

MR. DANAHER: Did you make the training mandatory or optional?

MR. KOZIK: We made it mandatory, yes.

What I did is up front I went to the president’s direct reports. I report to the president of the hospital. What I wanted to do is not give him HIPAA core training, because I knew he understood that. What I did is I went to them and said, “This is what I need you to do.” What I needed is to have it be supported as a mandatory training effort.

That’s why on the physician and nursing side it’s going to be difficult to get to some of those people. That’s why I need those other tools of handbooks that maybe give a rip-out test that you can send back to me. We can hopefully track that in our HR system.

But yes, we made it mandatory.

MR. DANAHER: So there is the sense that – just because I know a lot of organizations almost have a two-tiered thinking – the age old question of how do you get the docs to dictate and sign their charts, or how do you get them to sit through something.

MR. KOZIK: Offer them a lot of food and some CME credits. We’re going to be doing a training of physicians at 7 o’clock in the morning. I have some sessions that will be 7 o’clock in the morning and some that will be 6 o’clock at night so we can tap into when they’re not doing their day-to-day schedule. It’s been trying to think it out, think ahead of them.

MR. DANAHER: Thank you.

MR. ROTHSTEIN: This concludes today’s public testimony session. I want to advise members of the public who may be listening or interested in testifying that we have another public testimony session tomorrow from 2:45 to 3:15 p.m. You’ll have an opportunity, if you want, to participate then.

I also want to advise our listeners via the web that tomorrow we will be starting promptly at 8:45 a.m. We will have three panels of witnesses tomorrow: One on health plans and group health plans; the second one on state agencies and public health authorities; and the third on consultants and other resources.

So until 8:45 tomorrow morning – not necessarily so fast, I have Dr. Cohn.

MR. COHN: I just had a question. Stephanie, you had indicated that you were going to be explaining, going to talk to us tomorrow. I don’t see it on the agenda.

MR. ROTHSTEIN: There is time after the public testimony from 2:45 to 3:15; there’s an hour for subcommittee discussion from 3:15 to 4:15.

MR. COHN: The reason I’m asking obviously I think there’s been – Richard began to ask Stephanie some questions. I think the hearings today obviously bring up lots of questions, some of which are just questions of information having to do with what OCR is now planning to do as we move towards implementation. I just wanted to make sure we had a chance to –

MR. ROTHSTEIN: Yes, we’ve got an hour scheduled for that tomorrow. As I envision that time we would talk about upcoming hearings in Baltimore and Salt Lake City, issues that we wanted to further explore, types of witnesses that we might want to invite to that, as well as kind of an update on where OCR is. Okay?

And now we are officially adjourned until 8:45 tomorrow morning.

(Whereupon the meeting was adjourned at 4:52 p.m.)