[This Transcript is Unedited]

NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS

SUBCOMMITTEE ON PRIVACY AND CONFIDENTIALITY

September 11, 2002

Boston Park Plaza Hotel
64 Arlington Street
Boston, Massachusetts 02116

Proceedings by:
CASET Associates, Ltd.
10201 Lee Highway
Fairfax, Virginia 22030


P R O C E E D I N G S 8:47 A.M.

Agenda Item: Welcome and Introductions.

MR. ROTHSTEIN: Good morning. My name is Mark Rothstein. I am Director of the Institute for Bioethics, Health Policy and Law, at the University of Louisville School of Medicine. I am Chair of the Subcommittee on Privacy and Confidentiality of the National Committee on Vital and Health Statistics.

On behalf of the subcommittee and staff I want to welcome you to the second of our two days of hearings here in Boston on implementation issues under the HIPAA Privacy Rule. I also want to extend a welcome to those listeners who are tuning in live on the internet.

This is a very difficult day for all Americans. I want to thank all the subcommittee members, staff and witnesses for being here today. In my view, our efforts to protect the privacy of health information in the most effective and efficient way certainly justify meeting at this time. I would ask that we now observe a moment of silence. Thank you.

Before proceeding further, I would like to have introductions beginning with members of the subcommittee and staff. I would invite subcommittee members to disclose any conflicts of interest at this time. I will begin, to repeat, I am still Mark Rothstein and I have no conflicts of interest.

DR. DANAHER: My name is John Danaher. I’m a member of NCVHS and a member of the Subcommittee on Privacy and Confidentiality. I’m also the present CEO of a web-based health care compliance company, Quick Compliance, that is focused on training of HIPAA. I believe that my presence and participation in these hearings does not reflect a conflict of interest.

DR. COHN: I’m Dr. Simon Cohn. I am the National Director for Health Information Policy for Kaiser Permanente and a practicing physician, and a member of the NCVHS.

DR. ZUBELDIA: Kepa Zubeldia, member of NCVHS and subcommittee, and I’m President and CEO of Claredi Corporation.

MS. GREENBERG: I’m Marjorie Greenberg from the National Center for Health Statistics, CDC, and Executive Secretary to the Committee.

MS. KAMINSKY: I’m Stephanie Kaminsky, lead staff to the Subcommittee on Privacy and OCR of the Department of Health and Human Services.

MS. REISMAN: Susan Reisman, Fidelity Investments.

MS. BERGMAN: Jean Bergman, New Hampshire Department of Health and Human Services.

MR. ROTHSTEIN: Our first panelist please?

MS. CURRAN: My name is Donna Curran, I’m from Blue Cross Blue Shield of Rhode Island.

MS. SCHWARTZ: I’m Nancy Schwartz the Privacy Officer at Fallon Community Health Plan of Worcester, Massachusetts.

MS. RUBENSTEIN: Eleanor Rubenstein. I’m Health Benefits Consultant at Hobbs Group Employee Benefits. We’re a health benefits consulting firm.

MR. ROTHSTEIN: Thank you and welcome to all of you. Over the past two days the subcommittee has scheduled seven panels of invited witnesses. We had four excellent panels yesterday and we will have the remaining three this morning and this afternoon. We have addressed a variety of perspectives on the HIPAA Privacy Rule. In addition to the invited witnesses, we have had two time slots set aside for public testimony, 4:30 p.m. to 5:30 p.m., yesterday, and 2:45 p.m. to 3:15 p.m. today. Any individual who is not an invited witness may sign up to testify for five minutes. The public testimony slots are on a first come, first served basis.

Let me emphasize for those of you who weren’t with us yesterday the limited scope of this hearing. The final amendments to the Privacy Rule were published on August 14. We are all now emphasizing our efforts at compliance, preparing for the April 14, 2003, compliance date.

The purpose of this hearing is not to revisit the substantive elements of the Rule. We spent lots of time. Nevertheless, the subcommittee is well aware that it’s hard to talk about specific implementation issues without referring at least to some of the substantive areas of the Rule.

We are especially interested in learning from you answers to the following questions: What are the available resources for HIPAA compliance, including those from professional organizations and trade associations? Are compilations of best practices available and how are successful implementation strategies disseminated? Are there any models for public/private partnership development that you would recommend? How should covered entities go about coalition building and developing consensus procedures? What outreach education and technical support programs are needed from the Office for Civil Rights, including suggestions for OCR priority setting? What areas are especially in need of guidance from OCR? How should we address the integration of HIPAA and other federal and state laws? Can you assess the accuracy and quality of the information and services of vendors and consultants, especially as they pertain to small employers, small providers and health plans?

This is the first of three sets of hearings that the subcommittee will be conducting. We will be meeting in Baltimore on October 29 and 30, and Salt Lake City on November 5 and 6. After our final hearing the subcommittee will submit its recommendations to the full committee for discussion and possible action at our meeting in Washington on November 19 and 20. If recommendations are approved by the full NCVHS, they will be transmitted in a letter to Secretary Thompson by Dr. John Lumpkin, chair of the full committee.

Because of the large number of witnesses for each panel and the narrow focus that I outlined earlier, I strongly urge that witnesses strictly adhere to the following rules. You will have 10 - 15 minutes to give your prepared testimony and I will supply you with a one minute notice.

After each witness I will invite subcommittee members to ask questions of a clarifying nature only to each witness in turn. And then after all of the witnesses of each panel have completed their testimony we will use the remaining time in the 90 minute slot for the subcommittee members and the witnesses to engage in some discussion about the issues that were more generally raised.

Witnesses may submit additional written testimony within 30 days to Marietta Squire, and I thank all of you for submitting written testimony today. I should remind you, we didn’t have this come up yesterday, but if any witnesses stray too far afield I will encourage them to refocus their remarks or to conclude their testimony. We do want to focus on implementation issues and not some of the fine points of marketing, fundraising, research, and other issues that we’ve had the pleasure of dealing with for these last several years.

I would ask anyone in the room with a cell phone to please turn off the ringer and for our witnesses to speak clearly into the microphones so that you can be heard by those on the internet.

Do any of the subcommittee members have anything before we begin?

DR. DANAHER: Let me just add to Mark’s, Mr. Rothstein’s comments. Very much a focus I am interested in hearing from you is how, in what you are doing, the resources that you’ve identified, the resources that you as an organization has money, what best practices, etc., could be helpful to be exported to the physician community. Very much my concern is that small and medium physicians, who don’t have access to these resources and that don’t have the benefits that some of your organizations have, are lagging far behind your organizations. So what I specifically want to hear is what have you identified that could potentially be exported to them that would help small and mid-size physicians, I don’t mean just physicians, dentists, etc., get up to speed with the HIPAA mandates.

MR. ROTHSTEIN: Thank you. So without further ado we’ll welcome our first panel which deals with the issue of health plans and group health plans and we’ll proceed in the order of the agenda listing, which I assume you all have. So we will begin with Ms. Curran.

Agenda Item: Health Plans & Group Health Plans - Panel 1 -

Donna Curran, Director of Provider Network System, BCBS RI

MS. CURRAN: Thank you. My name is Donna Curran and I represent Blue Cross Blue Shield of Rhode Island here this morning. What I would like to do is talk to you a little bit about what we’ve done at Blue Cross to work with our provider community in getting them ready for HIPAA compliance.

Back in early 1990 we actually began working with our provider community to begin talking about HIPAA and we consider what we’ve done in the past year and a half to be one of the best practices in provider outreach. What we’ve attempted to do is go out and communicate with them on an ongoing regular basis.

Basically what we had done was we had, as I said, in early 1990, started communicating very general information about HIPAA to our provider community. Certainly, this isn’t anything that I need to read, but it is a statement that we provided to them very early on to begin making them recognize what the components were of HIPAA, and then we knew that we would need to drill down into more of the details as we moved along.

We actually set up a communications plan, a formalized communications plan in mid 2001 last year so that we would be able to go out and talk to them on an on-going basis. Our objective was to communicate to all appropriate audiences how the change in HIPAA EDI regulations would affect the claims process. Our target audience at that point in time was physicians and providers, internal staff who communicate with physicians and providers, vendors and our external business partners.

I think that it is important to note here that although our communications strategy began with communicating about the transactions and codesets, we always recognized that privacy was the key piece of the HIPAA legislation and wanted to ensure that we provided information on that also. We had a communication strategy that would position Blue Cross Blue Shield of Rhode Island as a leader in providing physicians with information which would enable them to be compliant with the new regulations, both for EDI and privacy.

We determined that we would need to develop an ongoing communication in which we would provide information. We wanted to ensure that we had a consistent message that was relayed to all of our constituencies. Lastly we wanted to be able to be in the position to provide technical information as it becomes available on testing schedules, requirements and desired outcomes.

We at Blue Cross Blue Shield of Rhode Island have taken a leadership role in providing information to our community. We’re an active member of our hospital association work group on HIPAA, transactions and codesets, we also have been working with our local Rhode Island Medical Society and the Rhode Island Medical Group Managers Association. Our goal here was really to be able to go in and co-author communication so that our providers would be getting one message from all of the major insurers in the state of Rhode Island. In Rhode Island we don’t have that many major insurers so it made it a little easier for us.

To date we’ve sponsored CME seminars for the Rhode Island provider community to raise awareness on HIPAA. We’ve had a series of seminars in the May timeframe where we touched on all of the components of HIPAA and we did sponsor those seminars for our physicians.

We’ve crafted communications pieces with, again, our Medical Society, Group Managers Association and all of the Rhode Island insurers so that they were getting one consistent message, and we’ll continue to do that through the implementation.

We’ve developed articles for our newsletters on a monthly basis, so every month our providers hear something about HIPAA, whether it’s on transactions and codesets, or whether it is on actually the privacy regulations.

We are both a Medicare carrier and intermediary in the state of Rhode Island so we have participated in any of the educational seminars or any of the educational opportunities that the Center for Medicare and Medicaid services have put on. Actually we were at a seminar with them on Monday evening.

We also have done a direct mail piece encouraging our providers and physicians to fill out the extension and telling them how to use the model compliance form.

That’s what we’ve done so far. We will continue with our communications plan and we have another series of educational seminars that will begin in late September and go through early October and November. We’re going to talk about privacy and one of the things that we have recognized in the past several weeks is that there is a lot of confusion in our community regarding the date for privacy versus the date for transactions and codesets. And also the confusion has probably been somewhat exacerbated by the fact that all of us are now talking to providers about filing an extension.

What we now know is that what we need to do is get another message out there that basically says you can file an extension for transactions and codesets but that extension does not relate to any of the privacy mandates that have to be implemented in the doctor’s office. So again, we’ve gotten that message very recently that there is some confusion out there in the community so we do plan on addressing that in the seminars that begin on September 26.

We have a HIPAA privacy officer who will be doing a planned talk on provider privacy issues. Again we will continue to send out communications on HIPAA through our provider newsletter and we’re also planning to do direct mail pieces to vendors and other business partners focusing on our timeframes for the X-12.

We’ve attempted to get out a message that we are there to help and we do want to assist them, so we’ve developed a HIPAA Hotline and an e-mail address where they can send any of their questions and issues into us. Most questions and issues are discussed internally and what we’re trying to do is develop kind of a Q & A piece for the providers that will also get mailed out later this year.

One of the other things that I omitted on this slide was that we’ve also gone out and contracted with an entity who’s working on a CD-ROM which we will provide to the practices in the state information on all the components of HIPAA from transactions and codesets through privacy and through security. The CD-ROM has been developed based on the CME seminars that we did earlier this year but we recognize that a lot of providers did not take the opportunity to gather that information.

So we are having this CD-ROM that will be sent out to all of our providers, compliments of us, that will give them some, what we hope they will find to be useful tools in order to make themselves ready for HIPAA. Again, this will focus not only on transactions and codesets but there is a section on privacy and where they can go and review forms and what they might be able to do to help themselves.

I believe that you heard testimony that talked about the Rhode Island provider community being a very small, smaller practiced based. Most of our provider groups are only one to three providers and it is, we have found that it has been very challenging for them to follow what the regulations are. They are looking to us for support and help. One of the challenges that we as a health plan fall into is how much assistance and guidance can we give them without actually taking responsibility for them being aware of the privacy mandates. So we are kind of walking a tightrope in what we do tell them and the information we give them, trying to provide them with a lot of detail but making sure that they are aware that it is their responsibility.

We’ve been feeding them since 2002 when the regulations were not yet finalized information on privacy. What we’re trying to do is make them aware of it. We’ve told them based on standards for privacy of individually identified health information that the proposal is to make use and exchange of protected health information relatively easy for health care purposes, and more difficult for other than health care.

We have told them that the privacy standards apply to electronic paper and oral health information. Again, another issue of confusion that we’ve seen recently as late as Monday night is whether or not the privacy standards are also applicable to everyone whether or not you’re an EDI provider. So that’s also been an issue that has caused some confusion.

Again, I’m just sharing with you some of the information that we’ve provided to them on privacy. What the boundaries are, security, consumer control, who is accountable and responsible.

I think that the message that I would most directly like to get across here today is that we do want to, as one of the major health plans in the state of Rhode Island, be there to provide our physicians, our providers, our nursing homes, and our hospitals with information. Sometimes providing them with that information is a little challenging. Even for us, sometimes the regulations can be difficult to interpret and it's challenging for us to try to put those into plain language.

I think our biggest challenge right now is, although we have been communicating with them on HIPAA since 2001, we still walk into provider offices, our professional relations reps and say to them, we’re having a series of seminars at the end of the month, are you coming, and they look at us and say what is HIPAA anyway? I don’t know what it is.

We know that they are absolutely getting tons of information. They are getting it from us, from other insurance companies, they are getting it from consulting groups. We have one provider who showed us his HIPAA folder - it’s about this big.

They are getting a lot of information but they don’t know who to listen to, they don’t know who to go to. We are striving to work with the other insurers in the state of Rhode Island and our hospital association and our medical association to really become the entity they go to for all of the information that they need.

That’s a big challenge for us. Everyone who looks at any of the regulations has a different interpretation and sometimes coming to a meeting of the minds can take months.

That’s basically what I wanted to talk to you about today. I’d be happy to answer any questions. Again, we do consider we have a very aggressive outreach plan and we will continue to do this through implementation of both privacy and the transactions and codeset rules on October 16, 2003. Thank you.

MR. ROTHSTEIN: Thank you very much. Any initial clarification, questions, from the subcommittee members?

DR. DANAHER: I’d just like to make a quick point and I need to issue a disclaimer to begin with to say that I participated in the outreach program that Ms. Curran offered. What fascinates me, in my private sector hat, what fascinates me is that many health plans around the country have talked about doing similar efforts but haven’t been, and I’m going to use the word courageous enough to do that for fear of the litigation exposure that they might have if they are seen as telling their providers that this is the way to interpret HIPAA or this is the thing to do, etc. Many many plans that I have spoken to, if anybody want off mind specifics which ones, but they’ve said oh, we’d love to do something like this but we’re frightened, we’re concerned about it and don’t want that risk. Having participated in those series I can definitely say that they were met by the doctors and the office managers as being extremely invaluable in terms of increasing their awareness, their education, finding resources, etc., and just kind of would throw it to Ms. Kaminsky, I wonder if, I don’t know how to work around the issue of organizations such as Blues plans that would like to play a more active role but are concerned about their potential exposure.

MS. KAMINSKY: Well, I’m not really sure how to respond except to ask back to Ms. Curran what the thinking was within Blue Cross Blue Shield of Rhode Island vis-à-vis liability and vis-à-vis expertise to talk about the privacy rule.

MS. CURRAN: Certainly, that’s been a challenge for us. If you look at talking to our legal people versus our business people there is definitely some challenge there in negotiating a middle ground that allows us to go out and do these presentations. Again, we are very concerned about the fact even through legal liability or just providers thinking that we’ve taken ownership for their HIPAA readiness, we’re very concerned about making sure that we qualify a lot of what we say and what we do.

But we feel very responsible in ensuring that our providers are made aware of HIPAA. So from a business point of view we sold that to our legal staff, to the other people in our company and in a lot of cases, what we’ve done is we’ve outsourced, so that lends us some amount of distance, I believe, but we’ve outsourced some of these presentations, the creation of these presentations. The creation of our CD-ROM have been outsourced to other entities to co-branded but we’re not the ones developing the information.

We’re very cautious, and this is where another one of our challenges comes up. We’re very cautious about going only to reputable web-sites or list-serves for information. But there are so many reputable web-sites or list-serves out there that it really does become a matter of getting a lot of documentation then trying to verify what you’re saying two or three times and then doing a really good job selling it and using the providers as we want to be their partners, we want to work with them, saying to them we need to help these people through this really quite challenging task of making themselves ready.

In the past several weeks we’re very very concerned about the fact that privacy has no extension. Privacy is in April and we’re just very concerned that they are not going to be where they need to be.

One of the questions that comes to us quite frequently, and quite frankly I’m not sure how to answer is, who are the privacy, what is privacy oversight? Is someone going to walk into my office someday and recognize that I haven’t followed the letter of the law on privacy? So there is a lot of, there’s some thought out there that nothing is going to happen if I don’t conform and then there’s also the thought out there that what will happen. Certainly we recognize what the penalties are for privacy infractions, but I think that at this point they still think it’s going to go away. I don’t know whether anyone else has that sense at all.

MR. ROTHSTEIN: Well, I think that your comments certainly fit in with what we heard yesterday from our panels of physicians. I think there is a perception among some small practices that they don’t need to worry about HIPAA, that their third party payers are going to ride in at the last minute and take care of all the problems that they might have.

I think the dilemma that you outlined is a real one for many organizations such as yourself. While you want to provide assistance you don’t want to have the providers over rely on you and view your efforts of relieving them of their independent obligations, quite aside from the liability issues. I think that’s a difficult message that we need to think about how to get out. So thank you for those comments. Ms. Schwartz?

MS. SCHWARTZ: Thank you.

DR. COHN: I guess, Mark, I would ask -- I will apologize, it’s 6:15 a.m. California time and the second day of hearings. I usually notice a little more than the first. Stephanie was actually congratulating me on how well I do in the mornings at these hearings.

I was just curious about are we into open discussion now? Because I do have a line of questions I would really like to ask but I just wasn’t sure where we were.

MR. ROTHSTEIN: You will certainly have an opportunity, I’ve got questions myself. The first round is what did you mean when you said sort of questions.

DR. COHN: I will hold my comments for the open discussion.

MR. ROTHSTEIN: You will be the first question when we move to open session. Ms. Schwartz.

Nancy Schwartz, Fallon Community Health Plan

MS. SCHWARTZ: Good morning. My name is Nancy Schwartz and I am pleased to be here today on behalf of Fallon Community Health Plan (FCHP). I am the project manager for FCHP’s HIPAA privacy implementation and the acting privacy officer.

FCHP is an HMO located in Worcester, Massachusetts, primarily serving Central Massachusetts. We have a membership of around 190,000 members in our commercial, Medicare+Choice, and Medicaid programs. In addition, we operate a PACE center for the elderly and we provide services for a small number of self-funded accounts. FCHP is closely affiliated with, but is a separate organization from, the Fallon Clinic, a multi-specialty group practice with medical centers throughout Central Massachusetts. FCHP and Fallon Clinic share resources in several areas and are collaborating on HIPAA initiatives in those areas, although we have separate initiatives for our entire HIPAA implementation; primarily we are sharing implementation around our technical and physical security issues and on privacy and security training.

FCHP supports Administration Simplification, and feels that both FCHP and our members will realize benefits from a successful implementation across the health care industry. We are currently handling only about 30 percent of our transactions electronically and have a commitment to increasing that percent. We see the transactions/codes sets initiatives providing a way to help realize that goal. We understand the necessity of maintaining privacy and security in an environment of electronic transmissions.

Recently, we have been seeing a great deal of discussion about changing corporate culture to make the privacy rules really work. However, we feel that this is already an important part of our culture at FCHP. We are also already in compliance with state laws that address member rights requirements that are similar to HIPAA, including the right to access and amend records and the right to an accounting of disclosures. As a result much of our effort is to revise our current policies to bring them in line with HIPAA requirements.

Of course, we have areas where we can improve our processes. For example, while we have strict policies regarding disclosure of member information to outside entities, we have found that our internal communications processes can be improved. And we have found that we can strengthen security in order to minimize the possibility of inadvertent disclosures. We are also benefiting from the need to clearly document all of our policies and to have consistency among all of our departments.

In order to begin formal implementation of our initiatives to come into compliance with HIPAA, we developed a Project Management Office. The Project Management Office brings together the Project Managers and staff of two areas, one responsible for privacy and one responsible for security and transactions/code sets. The PMO coordinates the efforts of the two areas and ensures that project plans are developed and on track.

The project staff initially made efforts to read and understand the rules. This was followed by orientations for leadership and management staff. The next step was to complete a readiness assessment. While we initially felt that we would complete our own readiness assessment, we quickly came to the decision that we would benefit from an outside review. We felt that an outside review would provide more objectivity, which was especially important in the area of security where internal stakeholders might find fault with internal recommendations. We also felt that an outside consultant would bring more experience and knowledge to the project. As a result, we engaged a consulting firm to complete a readiness assessment on privacy and security. While we feel that the results were valuable for security, they were less so for privacy. The consultant had experience in security and the assessment was based on HIPAA as well as on best practices. On the other hand, we felt that the consultant we engaged did not have much more exposure to HIPAA privacy than we did, and the results were less useful.

Going forward from that assessment we developed detailed implementation plans. We decided that we would handle the privacy implementation with internal resources along with the support of an attorney with HIPAA expertise. We are developing our own policies and procedures, and feel that we are the ones that know our own processes the best and are therefore best able to adapt them to the HIPAA privacy provisions.

Our Security Team made the decision to continue to use consultants to assist with security implementation. Despite the lack of the final Security rules, they are proceeding to implement security enhancements based on the proposed rule and the “best practices” recommended. We feel that security and privacy are tied together and that we must continue with the one to ensure compliance with the other. The first priority is being placed on security enhancements needed to support the privacy rule.

To help increase our knowledge and interpretation of HIPAA requirements, FCHP is currently participating in several local forums. These include the New England HIPAA Workgroup, a group of payers and providers who meet monthly to share issues and ideas. We also participate in the Privacy Officers Forum led by the Mass Health Data Consortium and in MHDC’s Security Officers Forum. These groups also include payers and providers and provide informational sessions as well as a chance to share ideas and progress. In addition, we participate in a subgroup of the Privacy Officers Forum for payer groups in the area.

We also refer to a variety of resources to help us work our way through the regulations. These include web sites such as MHDC, WEDI-SNIP, AHIMA, and AAHP. We also participate in a bi-monthly call hosted by AAHP that provides another forum for health plans nationwide to raise issues and share information and progress.

We have found the various forums to be a useful way of sharing and collaborating. We have also found, however, that we often come away from the sessions with more questions than that with which we started. We find that there are several ways of interpreting a provision, and sometimes these ways are widely divergent. Since these forums are not a source for answers, as a group we are often left wondering how we can resolve the issues. In some instances a question has been documented to submit to HHS. I believe that in many other instances the parties simply go back to their own organizations and interpret in their own way. While we all are working to implement the provisions accurately, I am sure that in at least some instances, we are following very different paths to compliance.

Even as we continue to try to understand the provisions and as we develop our policies and procedures, we are developing our plans to train our workforce. We began last year to run articles on privacy and security in our staff newsletter, introducing privacy and security terms and concepts. We are now developing a general awareness campaign for the fall of this year, which will provide more information on privacy and security. This is meant to give staff a basis for better understanding the content of the formal training, which is planned for the beginning of next year. Our awareness campaign will have a multi media approach, including newsletter articles, e-mail, direct mail pieces, and hallway posters. Formal training is scheduled for the 1st quarter 2003. At this time we are considering e-training, and we plan to make a final recommendation for a vendor in the next month.

FCHP has been working jointly with Fallon Clinic on the selection of an e-training vendor and we have found that the two organizations have somewhat different issues in regard to the training. FCHP has mostly administrative staff while the Clinic must train frontline staff who interact directly with the patient, administrative staff and physicians and clinicians. We also have different considerations in regard to resources. Virtually all FCHP staff have individual PC’s while Clinic staff often share PC’s and have limited ability to complete training at their workstations. In spite of the differences, we are hopeful that we can come to agreement on one vendor to meet all, or most, needs.

Another challenge in selecting an e-training vendor has been to find a reasonably priced vendor that can incorporate the policies and procedures for the Plan and Clinic without large customization fees. We consider it important to include our own policies and procedures along with general training. Also, in order to train on our own policies and procedures and to supplement the e-training, we plan to provide in-services for targeted areas at FCHP such as Customer Service and Claims and at the Clinic for their cashiers and accountants.

As we work through our implementation process, we have found several areas of confusion for us, and we believe are areas of concern for other entities as well. Some of these are:

Business Associate Agreements: We could use even more guidance over what entities are considered business associates. For example, a software vendor will not use or disclose our PHI during a normal course of business but may have exposure to PHI when installing or troubleshooting software. Will this type of contracted entity be a business associate?

Relationships with Other Covered Entities: We contract with Medicaid to provide coverage for recipients that choose the plan. We are unclear about whether Medicaid and FCHP act separately as covered entities, or whether FCHP is a Business Associate of Medicaid. If we act as separate covered entities, is the recipient/member then faced with receiving two Notices of Privacy Practice and must contact each entity separately for their access, amendment and accounting?

PACE: We are not sure if our PACE program is considered a provider or a payer, or some combination of the two. We’re waiting to hear from HHS on an answer for that. Also, as most PACE members are also dually eligible for Medicare and Medicaid, will they be receiving three separate Notices of Privacy Practice as a result of their membership and will they need to contact three separate entities to exercise their member rights?

ASO’s and Health and Welfare Plans: We see a great deal of confusion around the responsibilities of the health and welfare plan, both full-funded and self-funded plans. Will there be some outreach to these organizations to help them understand their responsibilities?

Finalize Security Rule: As security is important to support privacy, it will be helpful to see the Security Rule finalized.

Interpretive guidance and answers to questions: It would be helpful to have prompt answers to questions and issues and additional interpretive guidance to assist in implementation.

In conclusion, we agree with the effort to protect the privacy of our members and we are working to implement the rules as we understand them. We have questions and confusion over some of the requirements, and are working with others in the industry and checking resources to try to have a better understanding. Unfortunately, we often find that different entities, each with the best of intentions, are interpreting provisions differently, adding to the confusion instead of clearing it up. Additional guidance and answers to questions, shared with all entities, could help to move us all in the same direction.

MR. ROTHSTEIN: Thank you very much. Clarification questions? We’ll move back to you for some substantive questions in a couple of minutes. Next on the list is Denise Hilger.

Denise Hilger, J.D., Senior Legal Counsel, Fidelity Investments

MS. HILGER: Thank you. Thanks for this opportunity to testify. As you know, I’m Denise Hilger, and I am an attorney within the ERISA practice of the Legal Department at Fidelity Investments. Fidelity Investments is one of the world’s largest providers of financial services, and it is the nation’s largest mutual fund company. Fidelity is not a health care provider, a clearinghouse, or a plan, and therefore, Fidelity is not a covered entity regulated by the HIPAA Privacy Rule. However, Fidelity is an employer that sponsors a variety of employee benefit plans and programs for its 31,000 employees, including group health plans. This sponsorship of group health plans requires Fidelity to grapple with compliance of the HIPAA Privacy Rule.

As you know, employer/plan sponsors are not directly regulated by the Rule, but group health plans are regulated. Under ERISA, a group health plan is a separate legal entity from the employer that sponsors it, but in most cases the plan has no address, no employees, and no assets that are separate from the employer. The plan does not enter into contracts -- the plan sponsor does. The plan itself is a bundle of promises, evidenced by a written document, which the plan sponsor brings into effect. The intangible nature of the plan and the interconnected relationship of the plan to the plan sponsor make compliance more challenging than one might initially expect.

In today’s testimony, I would like to talk about some of the difficulties that employer/plan sponsors are facing, and to discuss a number of questions that have been raised and conclusions that have been reached in Fidelity’s implementation effort thus far.

Employer/plan sponsors are struggling with the HIPAA Privacy Rule primarily because the compliance framework is not clear-cut for employer/plan sponsors. The challenge of untangling where responsibility for the obligations falls is exacerbated by competing demands for resources in a particularly difficult economic climate in which most companies are aggressively trying to control costs. Presently, many employers are preparing for annual enrollment. At the same time, many are facing double-digit increases in premium costs from their health plan carriers and HMO’s, and so they are evaluating their plan designs as well as the products and services these vendors provide. Internal staff is stretched thin, and hiring outside consultants to assist with compliance is not within the budget.

Even for those companies that can hire a consultant, the hard part of compliance cannot be done from the outside. The compliance approach must be constructed in light of how the employer and the group health plan operate, and so most consultants are likely to require significant time from internal resources merely to understand an employer’s unique fact pattern. Furthermore, it has been our experience that the consultants are struggling with the same questions that we are. One area where we do expect consultants to be able to add value, however, is with respect to the training mandate. Often the experience required to design and develop training programs is not resident in-house and/or the subject matter falls outside of an organization’s basic competencies. Although Fidelity does have an in-house training function, it may be a more efficient use of our time and resources to tap into their strengths and use consultants for training.

We have not found a lot of useful resources on the web. There are plenty of high-level primers, but very little that gets down to the specifics, and not much in the way of tools, such as inventory or assessment tools, or models.

We have found the Mass Health Data Consortium web-site good for information, links, and networking with respect to the Privacy Rule. We do pay a membership fee for full access, however.

Like most large employers, Fidelity has a Benefits Department that has responsibility for the management of the benefit programs offered by the company. The individuals who work on the health plans have other plans and programs within their area of responsibility as well, such as life insurance, dependent care reimbursement accounts, and long term care benefits. No one individual is solely dedicated to the health plans, and the operations of the health plans are not wholly performed within the Benefits Department.

Some of the options within the medical plan are fully insured and others are self-insured, but the claims adjudication function is handled by the HMO’s, insurance carriers, and other third party administrators that maintain the systems and data necessary for making determinations about claims. Fidelity, however, is the plan fiduciary to which claims are appealed for the self-insured medical option as well as for the dental plan, the spending accounts, and several other plans.

Given this structure, perhaps the most critical and vexing task is the determination of when the Benefits Department is acting as an employer/plan sponsor versus when it is acting on behalf of the plan. The determination is important because when the line is drawn, it forms the basis for the privacy policy, and it provides clues as to where and how the firewalls must be erected. Although it might seem reasonable to conclude that whenever the Benefits Department is dealing with the health plan that it is acting on behalf of the plan, it quickly becomes apparent that to do so would disrupt many of the functions that the Benefits Department performs. The analysis requires greater precision. Thus, we have examined -- and continue to examine -- the functions one by one. The claims appeal function and the enrollment are two examples that we have evaluated.

Clearly, the claims appeals function is a plan administration function, and so when the Benefits Department convenes an Appeals Committee meeting, it does so on behalf of the plan. Today, in preparation for an Appeals Committee meeting, the health plan benefits manager takes in the appeal and drafts a fact summary. She sanitizes it by removing identifying information such as the name, company, division, and location, and she assigns it a random case number. At the meeting, she distributes the summary and presents the case to the Committee. The Committee then discusses the appeal, and a decision is made.

In response to the recently enacted ERISA claims and appeals regulations from the Department of Labor, and also, in part, due to the burdens imposed by the Privacy Rule, Fidelity is doing a cost-benefit analysis of outsourcing the appeals function. Although it is quite costly and purportedly difficult to convince reputable vendors to assume this fiduciary responsibility, we understand that a number of large employers have taken this approach and more are considering it.

Notwithstanding, in the event that Fidelity retains the fiduciary role for appeals, we will need to erect firewalls around the Appeals Committee function in order to comply with the Privacy Rule. The procedures will be tightened up and documented. All copies of the summaries must be returned and destroyed at the close of the meeting. Of course, at least one summary must be kept to document the decisions as well as to satisfy the claims and appeals regulations that require administration processes to ensure and verify that claims determinations are made consistently for similarly situated claimants. The hard copies must be retained in locked cabinets, and electronic copies must be stored in secure files to which access is appropriately limited.

In contrast to the claims appeal function, enrollment activities performed by the Benefits Department are not performed on behalf of the plan. As explained in the preamble to the December 2000 Privacy Rule and confirmed in the modifications issued in August, enrollment functions are not plan administration functions, but rather, they are performed by the employer/plan sponsor on behalf of its employees. Thus, when the Benefits Department conducts an annual enrollment, it does so wearing its employer hat, not its plan hat.

The conclusion that enrollment activities are performed, not on behalf of the plan, but on behalf of the employees, is important to effective employee benefits program management. If, in the alternative, employers were deemed to be performing enrollment functions on behalf of the plan, then the significant efforts that employers have made to integrate and coordinate benefits for employees, and the attendant efficiencies that have been gained, would be compromised or lost. For example, employers could not send multi-benefit annual enrollment forms without first obtaining authorizations. This is because demographic data, which is protected health information in the hands of a covered entity, is used on enrollment forms to encourage employees to use and purchase employee benefits, and the promotion of other lines of coverage, such as life insurance, would meet the definition of “marketing.” Similarly, if a COBRA participant contacted the Benefits Department with his new address to assure that all future health plan correspondence would be received, that new address could not be disclosed to the pension administration system unless an authorization was obtained. This result would not be in the best interest of the participant. At best, it would be an annoyance to have to provide separate notice of an address change to the employer. At worst, it would result in a participant not receiving all of the benefits to which he is entitled.

Consistent with the general conclusion that enrollment activities are not plan administration functions, we have concluded that COBRA enrollment and payment collection activities and the issuance of HIPAA certificates of creditable coverage - which are records of enrollment - are all enrollment activities performed by the employer/plan sponsor on behalf of employees and other beneficiaries.

On our benefits web-site through which employees may enroll, there is a link to an on-line provider directory. The directory site enables employees to select a physician based upon the medical plan option that the employee has chosen and the employee’s home and/or work location. With this tool, as well, we have concluded that the function is enrollment-related and that Fidelity is providing this service as an employer/plan sponsor on behalf of the employee. Therefore, an authorization is not required in order to forward the demographic data to the directory site to facilitate the selection.

Verification of these conclusions would be helpful.

I’d like to touch on a few other implementation efforts. Fidelity has a corporate Privacy Office in place now. The Privacy Office was established as a result of the Gramm-Leach-Bliley legislation and regulations that are aimed at protecting the financial privacy of consumers and customers of financial institutions. We have been able to leverage processes and tools developed for Gramm-Leach-Bliley compliance, such as data collection templates. The corporate functions that were instrumental to Gramm-Leach-Bliley compliance - Purchasing, Legal, Audit - have been organized by the Privacy Office to play similar roles for HIPAA Privacy Rule compliance.

We have concluded that the corporate Privacy Office is not close enough to the operation of the group health plans to have a person in that office serve as the HIPAA Privacy Officer for the group health plans. Instead, an individual in the Benefits Department will assume this role with dotted line responsibility to the corporate Privacy Office. In a recent industry trade group conference call on HIPAA privacy in which I participated, many employers indicated that this was the approach they would take.

We are still in the assessment phase of information flows. We have completed an inventory of our vendors and begun the assessment of whether they are business associates (acting on behalf of the plan) or simply vendors acting on behalf of Fidelity as the employer/plan sponsor. We have prepared a first draft of a plan amendment, and we continue to review the policies and procedures in place.

The sample language for the business associate contracts provided in the NPRM and in the modification to the Rule was very much appreciated. We have reviewed it and have armed our Purchasing Department with a version to use in amending all business associate agreements. More sample language, such as for privacy notices, privacy policies, authorizations, and other written requirements would greatly aid employer/plan sponsors with compliance.

In closing, I’d like to thank you again for the opportunity to testify before this Subcommittee and to encourage further guidance for employers who sponsor group health plans.

MR. ROTHSTEIN: Thank you very much. Any clarification questions? Thank you. Ms. Rubinstein?

Helena Rubinstein, Consultant, Hobbs Group

MS. RUBINSTEIN: Mr. Chairman, members of the committee, I want to thank you for inviting me here today.

For a moment I’d like to talk about a few best practices that have been done in the employer community. The Mass Health Data Consortium has been working with consultants and lawyers in the community to help the employee community and employer community understand what its responsibilities are in terms of implementing HIPAA. On a monthly basis it is sponsoring various meetings. Last Wednesday, in fact, it sponsored me as I offered a three hour HIPAA workshop entitled "Who Me? Yes You. HIPAA and Employers." It focused on assisting employers in understanding their obligations under HIPAA.

On October 2, the New England Employee Benefits Council is going to have a HIPAA and Employer panel discussion. I think I can say that the various consultants here in Boston are working together with the various lawyers of the law firms to help the employers in town to understand what their obligations are.

What I could, however, say, in mirroring what Donna Curran said, is one of the themes that has been mirrored to me by some of the employers is, what will they do to me? How are they going to know if I don’t comply? And what I’ve tried to respond is, that one of the tricks in this legislation is that your employees don’t have to come knocking on your benefits door and say you’re not complying with HIPAA. They can go directly to the Office of Civil Rights here in Boston and say my employer is not complying and then you’re going to get a knock on your door. That’s how I have responded to that. I don’t know if it has been effective but at least that’s how I’ve responded and I hope that’s been helpful.

Despite the many best practices that we’ve done, and another best practice that we’ve done is we’ve worked with our employers in helping them devise communication to their employees. By helping them get ready for HIPAA by telling them what HIPAA is and how HIPAA is going to be helpful to them and why it’s a good thing so that when they get the notice they’ll know what it is and not to be frightened and not to think, oh my good I’m getting this notice because my health data has been in some way used in a terrible way before this notice has happened.

Communication has been a very important part of the implementation for my employers. We have found some areas where we’re hoping to get clarification and that’s what I’d like to discuss in my remaining minutes.

I’m not going to speak about preemption because I know that you have a group this afternoon that’s going to be talking about the preemption issue.

So first I’d like to talk about the disadvantages of requiring a finite expiration date on the authorization. As the rules currently are written, an authorization must have a finite date. This may prove to be very challenging for mid-size and large employers, particularly those who provide benefits to their retiree population. It is not uncommon for employees, and even less uncommon for retirees, to request assistance with a benefits issue. Rendering this assistance often requires the use of protected health information, so an authorization might be required, particularly in the case of fully-insured plans. In order to be valid, an authorization is required to have an expiration date. However, it is difficult to know the length of time that will be necessary to resolve any particular problem. As the benefits specialist attempts to address the enrollee’s problems, she or he will also have to monitor the expiration of the enrollee’s authorization, and possibly obtain a new authorization, leading to further complications, as will be described in the next bullet. While this may not seem particularly vexing in the case of one needy enrollee and one benefits specialist, multiply the number of enrollees requiring assistance, and one can envision an employer requiring a back-up system just to monitor the expiration of authorizations. Sure, this can be done, but it is not optimal, particularly when additional authorizations may have to be executed in order to complete the original project. Certainly when employers are facing these double-digit increases having to set up additional systems at additional costs, they just can’t do it right now.

In other areas of the law, we permit people to specify an indefinite period of time. For example, the I.R.S. allows the power of attorney to expire using an indefinite time period. Should another clarification be released, the employer community would very much appreciate rules that would permit an enrollee to grant an authorization for the length of the assignment. This would clearly be at the enrollee’s desired behest. It wouldn’t force the enrollee to do so but if the enrollee chose to do so it would be an option.

Next we go to the timing of execution of authorizations. Could we have an execution in advance? Unless authorizations can be executed in advance, the process may prove to be administratively inefficient, particularly when it comes to multi-state employers, or employers who cover retirees. This problem may result in delayed access to care for some, which may be most acutely felt by those in the retiree community.

Assuming, for the moment, that authorizations delivered by e-mail or fax are considered valid, enrollees with access to neither may see their care delayed while the benefits specialist is forced to wait for the mail to come that delivers the necessary authorization. It could not be possible that the authorization was designed to be a barrier to prompt and efficient care, but unless authorizations may be executed in advance, that is exactly what they may become, and the next thing they may become is obsolete.

Should another clarification be released, the employer community would very much appreciate rules that would permit an authorization to be executed in advance. Again, this would be something that would be at the choice of the enrollee, not forced upon any enrollee.

Now we talk about the issue of changing between insured and self-insured status, and the HIPAA issues that the changes bring. While it is true that employers that self-insure their health benefits tend to be exposed to far more protected health information than are employers who purchase health benefits on a fully insured basis, the reality is that, for many employers, these categories are not hard and fast rules, but, rather, a choice for the moment.

It is a choice for as long as the financial analysis demonstrates that the choice is beneficial to the employer, and it is likely to change when that analysis changes. Further, errors occur, and despite the best efforts on all parties’ parts, protected health information may indeed land in the hands of a fully insured employer. At the very least, that employer should have a policy in place to deal with such eventualities.

At this point, it might be prudent for that employer to have a Privacy Office to make certain that the correct action is taken. In fact, that is what I am instructing my fully insured clients to have. Pretty soon, there is little to distinguish the self-insured from the fully insured.

By differentiating between insured and self-insured plans, the regulations left a lot of confusion, and almost a checkerboard of those who must comply this year, versus those who must comply next year when they decide to self-insure. Further, for employers who have been purchasing their employee benefits on a fully insured basis, the decision to change their funding strategy is made after careful thought about the relative costs and risks, but often, without sufficient time to prepare for HIPAA compliance as a self-insured entity. It is far from inconceivable that there will be more than one employer who will reach a January 1 new plan year with a new funding strategy but an old HIPAA compliance strategy, one suiting it as a fully insured plan, but not one befitting its new status.

Should another clarification be released, it might end the confusion in the employer community if every employer were obligated to comply with clearly articulated regulations. If the regulations are clearly articulated and fit the needs of both small and large employers, with both an active and retiree population, then in the future, these rules will be observed and will become part of the regulatory fabric of the health care system. Should employers find these rules impossible from an administrative perspective, it is likely that, sooner, rather than later, they will be observed in their breach.

Next let’s talk about guidance on e-mail and faxed authorizations. Although the rules regulating dissemination of the privacy notice give clear instruction regarding a plan sponsor’s ability to send the privacy notice via e-mail, there is little other instruction in the rules regarding e-signatures. This is of particular importance to employers who cover retirees, or employers with business locations and employees in multiple states.

When an employee in one state calls a benefits specialist in the home office, which is in another state, it is not likely that this employee will be able to stop in and sign an authorization that afternoon. Unless electronic signatures and faxed authorizations are acceptable under the rules, the result may be a delay in care.

Should another clarification be released, the employer community would benefit from clear rules permitting the use of electronic signatures in e-mail, and facsimile machines, for transmitting authorizations. Both the Department of Labor and the Internal Revenue Service have issued guidance on electronic media.

Should another clarification be released along the lines required herein, it would be of great benefit if DHHS guidance could be consistent with that provided by DOL and IRS.

And finally, if I have another moment, I want to talk about which entity must file for an EDI extension. I recognize that as a caveat, although this final point does not strictly deal with the privacy rules, I bring it to the attention of this committee because it is an issue that has bedeviled the employer community, as well as the legal and consulting communities. I raise this issue here because it does, tangentially, deal with the privacy rules.

Although both the transmission rules and the privacy rules state that an employer is exempt from having to comply with the EDI rules if only transmitting eligibility/enrollment information to health plans, employers are often plan sponsors, and this leaves open the question of the obligation of the plan itself. As I stated above, the rules seem to take as a given that all covered entities process claims electronically.

In the typical self-funded context, however, the employer/plan sponsor does not process claims; this is a task left to the TPA. This has raised the question of who is obligated to file an Electronic Health Care Transactions and Code Sets Standards Model Compliance Plan. Section Two of the Administrative Compliance Act requires each covered entity to file for such an extension.

This question alone has resulted in great confusion, and additional cost for employers as they engaged lawyers and consultants to ponder whether: 1) the TPA must file the extension on its own behalf, and the employer, acting on behalf of the health plan it sponsors, is exempt from this obligation; 2) the TPA must file the extension, not only on its own behalf but on behalf of the clients for which it acts as a TPA, thereby covering the employer as well; 3) the TPA must file on its own behalf, and the employer, acting on behalf of the health plan it sponsors, must file on its own behalf; and 4) the TPA must file, not only on its own behalf, but on behalf of the clients for which it acts as a TPA, and the employer, acting on behalf of the health plan it sponsors, must additionally file on its own behalf.

As you can imagine, everybody is confused and I went around this very mulberry bush yesterday with a very very prestigious Washington law firm on behalf of a very very prestigious client. We spent over an hour wrangling over this issue.

In attempting to ascertain whether TPA’s had in fact filed on behalf of the clients for which they act as a TPA, you would not believe the responses I got from “I didn’t know employers were covered under HIPAA.” I had one TPA who said, “I didn’t know TPA’s were covered under HIPAA.” You would not believe what I have heard. At this point I’m covering all my clients. I’m filing for them all.

I have a few various TPA’s who did send out letters to their clients indicating their intentions to file unless their clients had a different preference. I take it as a given that our large health plans want to comply with HIPAA and I know from my frequent communications with them on this very point that they have invested a great deal of money and vast resources toward achieving compliance. One particular health plan has told me that they put 70 people on their HIPAA plan. This is no small number of people and they spent millions of dollars trying to comply. I know how hard they are working on it.

It is only due to the lack of clarity when it comes to rules concerning employers and plan sponsors that the system seems to come apart. With October 16 quickly approaching it seems likely that if the correct answer is that the TPA should file the extension, not only on its own behalf, but on behalf of the clients for which it acts as a TPA, that is not occurring in many cases. And if that requires employers to pick up the slack, that is likely occurring even less frequently, as the confusion as to their obligations under HIPAA continues.

This confusion is even more evident in the case of employers who purchase health benefits on a fully insured basis. When their insurance companies file for an extension, the same questions are raised, and the rules offer no clarification, where clarification is greatly needed.

Should another clarification be released, the employer community, and the health benefits community in general, might appreciate clarification on these points. Although the specific issue raised by the need to file for an extension is itself self-limiting, it is the larger issue, that of the responsibilities of employers/plan sponsors, that requires further delineation.

While I recognize that the employer community is far from the only one clamoring for changes in the rules, the employer community is asking for something more basic - it is requesting clarification of its responsibilities under HIPAA’s privacy regulations. The Department of Health and Human Services would provide an enormous value to the employer community by providing clear guidance. Only with clear guidance will the employer community be able to embrace the rules and make them a regular part of their organizational culture. Failure to provide that guidance will sadly leave many employers with the notion that they are exempt from HIPAA and will leave many employees without the privacy protections that HIPAA seeks to provide.

I thank you for having me here today.

MR. ROTHSTEIN: Thank you very much. Any clarification questions? Before we get to general discussion, we need to amend our disclosure statements, so Marjorie? This was from Kepa, I’m sorry.

DR. ZUBELDIA: I have some additional disclosure. I just realized that I had a 401(k) managed by Fidelity Investments.

MR. ROTHSTEIN: As long as you made that, I would also disclose that Fidelity manages what’s left of my 401(k) as well as various other former assets. Dr. Cohn.

DR. COHN: I guess, two things. First of all, I want to thank everyone. It’s been a very useful sort of hearing. I actually think that the issues around ERISA and employer sponsored health plans have been very enlightening. Certainly I’m actually glad that HIPAA has begun to raise the issues around privacy.

Now, Helena, I would just sort of comment on the relationship to EDI extensions as this was the very last thing you brought up. That’s not a privacy issue. The deadline is October 16 and the reality is, of course, one would recognize that given that it takes about 10 minutes to fill out the form on the web-site, that probably organizations that are spending tens of hours with lawyers trying to figure out whether they ought to apply for the extension might be better off actually just going in and applying on the web-site, but that’s besides the matter.

However, I think that you bring up some very important issues which we will forward on to those in NCMS(?) that have been dealing with the whole ASSCA(?) extension issues. But recognizing that the ASSCA compliance extension is related specifically to the electronic transactions and as I said does not have a whole lot to do with the privacy rule except getting further guidance from CMS in terms of privacy.

As I said you brought up a number of very interesting issues. Now can I ask questions as follow-up since I didn’t get to ask all the good ones that were being brought up earlier? And this is perhaps my confusion a little bit so maybe you can help me.

I’m like Dr. Danaher, my colleague here, I did not participate in any of the educational programs that occurred in Rhode Island and I couldn’t quite tell whether your organization, which is Blue Cross Blue Shield, had been taking the lead independently to go out and train and advise and assist providers in Rhode Island around HIPAA or whether it was sort of a collaboration between all the other entities you described in the letters that had been sent out and all that. And I have a reason why I’m asking. Can you clarify that for me?

MS. CURRAN: Sure, I think that we’ve taken a couple of different tacks here. First of all, when we tried to put together the collaboration with the other insurance companies in the state of Rhode Island and the medical societies, one of the things that we found was that when you brought that many people into a room and tried to come to consensus on a piece of paper it took too much time.

We had done independently of that, Blue Cross had a communication plan that had activities that it was going to take on its own and we went out and looked for entities to help us with that but also dovetailed being involved with these other organizations to craft a message.

Our goal initially was to have everything go all through some kind of collaboration with the medical societies and the hospital associations. We just found that we couldn’t get consensus and we didn’t want to be in the position where we weren’t communicating with our providers. We have gone out for a lot of years saying to our providers that we want to be there to assist you. So we ended up wrapping those two initiatives into one and we placed things where they fit most appropriate.

Just as an example, the CME seminars that we did do, Blue Cross Blue Shield of Rhode Island outsourced the entire program through a CME consultant company and another company who did them for us and we were the sponsors. We did not sponsor that with other insurance companies. We did that on our own. We’ve kind of picked and dropped pieces of our communication plan into other peoples’ communications plans as we’ve gone along.

DR. COHN: Are you the predominant insurer in Rhode Island?

MS. CURRAN: There are two major insurers in the state of Rhode Island. Blue Cross Blue Shield of Rhode Island and United Health Care. There are, of course, other insurance companies. We have a Neighborhood Health Plan of Rhode Island which does a lot of our membership for our right care population. We also worked with Federal Medicare on this. Our State Medicaid Society was involved in crafting this communication. So what we did was we tried to look at, we actually went to our providers and said who are the people you want to hear most from? And they told us and we tried to put that group together.

DR. COHN: Just to follow-up. The reason that I was just sort of pressing a little bit, we obviously heard yesterday a lot in Massachusetts about the Health Data Consortium, the various NEEHEN(?) efforts and all of this sort of mega collaborations between all the entities and we could imagine, I’m sure this didn’t happen in Rhode Island, but one could imagine at least in some states where you have one insurance company in the best of interests trying to educate providers giving one set of messages, others giving other messages, resulting in at least what one of the physicians yesterday described as massive confusion.

I was just wondering whether this sort of state wide collaboration is a state wide best practice we ought to be at least thinking about when we think about CMS and HHS are going to be assisting further with implementations. I was just trying to get a sense of that.

MS. CURRAN: No, that is a very valid point. We hoped to be able to solidify the communications with these other entities, even now in the coming months, because I agree with you. We from Blue Cross Blue Shield of Rhode Island’s point of view want to be seen as a leader in providing information of value to our providers. That’s our tag line.

We want to work with other entities to do so but if the other entities will hold us back in delivering a message, we will get out there and deliver the message and at the same time share the message we’ve delivered with those other insurers and hope that we don’t give out completely different messages to the same constituency. That is a problem that we are grappling with.

MR. ROTHSTEIN: Let me ask one follow-up and then I will get to Dr. Danaher. On the Blue Cross Blue Shield issue, is there any national coordination through the associations?

MS. CURRAN: They provide us with information and documentation that we can use in our communication plan. Certainly in the association memorandum that go out there are references to HIPAA. Each of us is an independent plan so I can’t say that there has been a lot of strong coordination there. Certainly our ITS plans and things that are more in line with our relationship as a sister plan for out of the area claims and all that business, there’s been more cooperation than just the message we’re trying to deliver to our individual providers.

MR. ROTHSTEIN: Thank you. Dr. Danaher.

DR. DANAHER: I’d like to just make a comment and then I’d like to ask a question. I think what I’m realizing from today’s testimonies and yesterday’s testimonies, is very much the adage, the old Tip O’Neill adage, which is all politics is local. What I think is that, Massachusetts for example, MMS, the Massachusetts Medical Society, has always had a historical reputation of being very proactive and in being very much out there. So I think that in Massachusetts they are the ones who are getting out to a number of organizations.

In Rhode Island, and I’m not as familiar with the Rhode Island medical site, I guess my point is that rather than having a blanket solution - yesterday I was a big adherent of we need to look to the medical societies and we need to look to the hospital association to getting that grass-root word out there. What I think I am realizing from Ms. Curran’s testimony, is that others, that in some states in some areas that it may actually be the health plan or others that is the one that makes the charge. That’s what I’m walking away with.

I’ve got a question for Ms. Hilger and also for Ms. Rubinstein. In my mind I have this hierarchy of organizations in terms of their preparedness in meeting the HIPAA privacy and soon to be security requirements. At the top of it in terms of awareness and proactivity, etc., are probably health plans, maybe hospitals, then physicians, etc. I really do think self-insured employers, group health plans sponsored through employers to me, there is a possibility of good recourses. I think there is a lack of awareness of what the responsibilities are.

Here’s the question. Ms. Hilger, in your testimony this really came out for me and that is, on page three, you said some of the activities in Fidelity are executed by our, we’ve got fully insured products so the insurance companies are doing things, TPA’s for self-insured products, the TPA’s are handling these things, etc. If Fidelity, has how many employees totals, 42,000 you said? 31,000. How many employees are in the benefits department, or how many employees touch or come into contact with PHI and are involved.

What I’m trying to get a sense of is how big is this problem. Is it the case that there are ten employees and everything pretty much at Fidelity is outsourced and there are 10 people who really touch PHI. I’m fully willing to believe that employers just don’t know what’s going on but I don’t know whether we’ve got an enormous challenge on our hands or whether we’ve got, that there’s a small group of people in each company, etc. Do you get the gist of my question?

MS. HILGER: Yes. I guess it comes down to the definition of PHI and how broad it is and how it covers demographic information. It really depends on whether it’s the plan or not that is holding the information.

In terms of the number of people in the benefits department, it’s about ten or so and then the appeals committee I believe has another 12 people, and those are the people who really get, probably two or three people actually touch the medical plans within the benefits department and the appeals committee is that group that gets the real detail about stuff, although those are cleaned, sanitized cases, but still I don’t know that they meet the definitions under HIPAA for that requirement. So it’s not that many people in terms of the benefits department.

If enrollment information, and enrollment information is PHI, but who has it, who’s holding it? That’s the question. If the definition of the plan is broadened in any way, well sometimes HR staff might have the enrollment information, so that’s the challenge.

MS. RUBINSTEIN: What I would add to that is there’s a greater challenge. My comments go as follows. As a general matter the HIPAA Privacy Rules by applying to health plans, health providers that conduct standard transactions electronically and clearing houses are one paradigm. Employers don’t fit that paradigm and the rules in some ways don’t fit employers perfectly. They are not clear enough for employers. So you’re right. Employers don’t know which way to turn. The rules have been very clear for Harvard Pilgrim, Blue Cross, they know what to do and they are doing it. But when you turn to our large employers it’s not that they don’t want to comply, they don’t know how to comply. Some of them have said, it doesn’t apply, or they won’t know if I don’t do it because it’s not clear enough for them to do it.

DR. DANAHER: Not speaking as a member of the subcommittee, let me just speak as a private citizen, my reading of the group health plan sections of the reg and of the real employer responsibilities, I agree with you. I think that maybe what’s needed is for industry and consultants to work in collaboration to have more guidance to help you. Someone’s right, these are privacy hearings, etc., but I don’t foresee many employers filing for an extension and realizing that they, in terms of the transactions and codesets that they’re a covered entity in that sense.

MS. RUBINSTEIN: If I might make another comment, I think what I am hoping for is perhaps a companion piece that speaks specifically to the employer community that makes very clear what their requirements are, what their obligations are. Because my clients will comply as best they can comply, those who agree that they will do it. Is every single employer going to do it? No, I’d be lying if I said every employer in Massachusetts will be compliant. And will they comply perfectly? No, because I don’t think we understand perfectly what the obligations of HIPAA are for employers.

But if a companion piece were developed that very clearly delineates what the responsibility for employers are I think that would go very far toward helping all employers know what their obligations are and I think that would improve markedly compliance by the employer community.

DR. DANAHER: Let me just add one last sentence on that. I think that there really is a fundamental, at least providers know that HIPAA, start again. I think that there is a step back even to that compendium of guidance which is, I think there is a lot of, I didn’t know employers were covered under HIPAA. I think there are some very very fundamental basic awareness and education about that, so thank you very much.

MS. HILGER: May I add just briefly in response to what Ms. Rubinstein had to say, that employers are not covered and so it is appropriate for employers to say “you can’t regulate us, you can’t tell us what to do,” but we do have these plans, but who has responsibility or how do we make that happen. Where do those responsibilities fall? That’s why the transactions requirements, while not within the responsibility of this subcommittee, the problem is illustrative. It’s the same issue. I’m the employer, I have a plan, if the TPA is not going to file and I’m not going to file because neither of us are regulated, who is going to do it, who has responsibility to do it on behalf of the plan.

MR. ROTHSTEIN: Let me just follow-up and then I will get to you. Your message is being heard loud and clear and we will certainly put that as part of our agenda when we bring it to the full committee for discussion. I think there is perhaps some assumption that large employers/plans have the expertise, the resources, the personnel to comply and therefore we don’t need to worry about spelling things out for them. That’s obviously not the case from what we’ve heard this morning and that there needs to be additional clarification. So I thank both of you for making that point that we’ve got that. Dr. Cohn.

DR. COHN: I guess I was probably going to follow-up on your comments. I actually, moving away from a technical issue, and I want to say that I’m not a lawyer, and I’m not sure, I’m not giving legal advice or whatever, certainly in all that I’ve heard from both you, I guess I’m sort of moving away from the EDI extension issues and sort of that stuff.

It’s really more that the committee has over the years held hearings where they did to employer sponsored plans and we know that there are some very good practices out there, in terms of very good firewalls related to the employer sponsored plans and the other functions of the employer. On the other hand, probably not such good practices everywhere in the industry. What I hear from you today, is I think a lot of thought related to making sure that firewall is a really good firewall and having to go back and look at it and if there are issues where it isn’t quite as tight as it should be maybe tightening it.

I think it’s actually a very good outcome and I really congratulate you on going back and looking at it. It sort of tells me that HIPAA is actually doing what it’s supposed to be doing, which is causing everybody to take reasonable steps to tighten these issues up and practices. I’m not giving you advice. I think we’re going to have to talk with CMS and HHS about making sure that there is good guidance capabilities to give organizations timely advice. Once again I just want to congratulate you because I really think, what I’m hearing that’s sort of the good part of all of this stuff as opposed to scratching one’s head.

DR. ZUBELDIA: I have a question, maybe clarification for both Ms. Rubinstein and Ms. Hilger. Regardless of the HIPAA definition of a health plan, the employers before HIPAA had health plans. Some of them are administered by a TPA and the TPA is the one that is going to take care of the transaction compliance, no question about that. In the employer’s perception, who is the health plan? Is it the employer? Is it shared? Where is the boundary line?

MS. HILGER: Legally, it’s a separate legal entity. It’s promises. They do different pieces.

MS. RUBINSTEIN: An employer, to some degree, would think of a health plan in common parlance thought of it as the TPA, never thought of it as that set of promises. If you talk to the person in the street, who’s the health plan, it’s Harvard Pilgrim, it’s an insurance company, it’s a TPA and that’s how they internally thought of it.

And this is a step back for them in trying to understand that the health plan is, that thing in the corner, that set of promises, that intangible thing, you can’t put your hands on it, it is an intellectual concept that they administer. It’s something that they don’t understand, that they can’t get their hands around. That’s part of the dilemma that they have right now. Would you agree with that?

MS. HILGER: I do agree. The health plan, from our perspective, with Fidelity, it’s one health plan that has a number of options. One is the self-insured PPO that is administered by United Health Care and then we have fully insured options from Harvard Pilgrim Health Care, and --, but it’s all one health plan. But our participants, the employees, probably think of it as oh, Harvard is my health plan, but legally, really, it’s all one plan.

DR. ZUBELDIA: Besides that the employer or besides that the TPA?

DR. COHN: Kepa, I think in her testimony she indicated that there were some functions that occurred within Fidelity.

DR. ZUBELDIA: Yes, what I’m trying to figure out, for the employers to understand what the responsibility is, the employer has to understand what the health plan is in the employer’s eyes. If they don’t understand that, they are not going to understand anything else about HIPAA and if the health plan is a piece of paper in a filing cabinet, that is the health plan. Pieces of paper don’t talk.

MS. HILGER: That’s the evidence of it. Yes, that is. But it’s this bigger thing. And I would respectfully submit that for the folks that are struggling with this, those of us who are looking at it, that perhaps it’s not that they don’t understand what a health plan is but that the way that the regulations talk about it, it doesn’t neatly fit into what we understand that a health plan is.

MS. RUBINSTEIN: It’s an intellectual exercise. It’s a little bit difficult for them to get their hands around. When I go to clients and I try to explain what the health plan is and that employers are not covered entities but they have responsibilities because they administer the health plan, that HIPAA found an interesting way to get them involved, so it’s a roundabout way of getting them involved with the health plan. It’s not a neat, clean way of explaining, that you have this thing that sits in the corner and it’s not something that you can touch and feel. I wish I had a clean way of explaining it.

MR. ROTHSTEIN: There is a semantic problem. I think the word plan is what confuses people. If we could agree to substitute a different term for plan because the word plan means so many other things in common parlance. When we use plan in the benefits plan it’s not nearly as concrete as our other meanings.

MS. RUBINSTEIN: Perhaps if we called it all the time ERISA Plan as opposed to plan we would have a clearer understanding. Maybe that would be a better way to talk about it. Would you agree to that?

MS. HILGER: That might help. I know that ERISA Plans are one of the plans that are contemplated under the rules.

MR. ROTHSTEIN: I want to ask Ms. Schwartz a question. There was something in your testimony that certainly relates to our third panel. As I recall you said that you had a less than great experience with a consultant that you hired to do the privacy part of your HIPAA compliance. And I’m concerned that there are many more people in the exact same position that you are in, that are having less than satisfactory experiences. I am wondering if you could shed some light on that in terms of how you selected your consultant and perhaps, I don’t know who would be responsible for producing this, if there were a document available, widely distributed, that would say something like “Tips in selecting your HIPAA privacy consultant,” or “what you should consider,” something, I doubt the government would want to get involved in doing that, but maybe some trade association or something.

MS. SCHWARTZ: I think just to address how we approached the consultant, we interviewed five different consulting firms and we looked at the large consulting firms as well as some local consulting firms here. I’m trying to remember back that far now. We were looking for experience in this type of assessment and we felt in our interviews with them that they had this, but as we went through the process, I think we found that HIPAA was so new, that they certainly didn’t have experience, no one has experience at this point. They were kind of feeling their way through the whole process.

I think we had concerns with their understanding of the regulations. We were working closely with an attorney at the same time and as we had questions the consultant came up with we’d go back to our attorney and speak to him and were finding differences of opinion. Again, we’ve been finding that as we go through this all along. You talk to three different people and they have three different interpretations.

MR. ROTHSTEIN: Is there anything on the front end that would have helped you perhaps choose someone better or make the decision that you ultimately made that you wanted to do this in-house?

MS. SCHWARTZ: I wish I had an answer for that. We thought we had done the due diligence, we thought that we had a consultant that would give us what we needed. It’s hard to say what we missed. What they brought in looked good. They had reports, they showed us that they had worked with previous clients, and we found that they seemed to be starting from scratch with this. That they were making it up as they were going along.

Again, we did this over a year ago. So we certainly weren’t the first to go through a gap analysis but I think that we were relatively early on in their situation. At this point I think you might find consultants that have been through this enough times that they know what they are doing. We’re actually finding this now as we’re going through looking at vendors for our e-training. No one’s done the training before. This is new. So what we’re looking at in our training is experience in training, because we’re not finding that anyone has experience in HIPAA training. It doesn’t exist. That’s been an issue.

We’re finding it again with the trainers. A lot of times they are just developing their product, so they are coming out and showing us a demonstration and they are saying this is our beta product, it hasn’t been tested yet, we’re still making some changes, and we say why, this doesn’t look accurate, well, everything isn’t finished yet.

MR. ROTHSTEIN: But it’s for sale.

MS. SCHWARTZ: Oh, yes.

MS. GREENBERG: I was somewhat struck, you had mentioned that you had decided to develop your own policies and procedures and forms, etc., to tailor them obviously to your specific needs. Yesterday we heard from quite a few people that they would benefit from more model forms and model procedures that could be then adapted if there were something coming out of the National level.

I wasn’t quite sure if that was really in contrast to your approach, what I’m wondering particularly in light of Mark’s question, whether if there were more of those models available, you would have felt less of a need to go to a consultant in the first place. Whether those models plus your own knowledge of your own organization would allow you to make those adaptations and you wouldn’t need really to go to an outside source.

MS. SCHWARTZ: I think I would say that if there were good models out there that we could use we would be happy to try to adapt those rather than starting from scratch. It’s been a painful process, I’ll tell you that, to go through the policies and procedures.

I think when we started our choices for us as a health plan seemed to be that we would hire a consultant and again, having just been through a not so great experience with the readiness assessment, we weren’t sure that a consultant would be able to come in and do any better a job than we could in starting from scratch. But I think we would be happy to see models. As well as models, I think we have the model of the business associate addendum now, which is probably going to be useful, but models also for some of the forms that we need to do, Holly spoke about an authorization form, that would be useful I think.

We have a Medicare+Choice plan and we haven’t heard anything yet from CMS about them providing model forms for us. They have model letters, model forms for lots of things and we like to use those because we know we’re going to have a product they can approve. But we’re now faced with developing authorization forms, denial letters, different types of letters that we will use to send to our Medicare+Choice members and we don’t have any models from CMS so we’ll be submitting from scratch and again, it’s a painful process with CMS to have forms and letters approved.

DR. DANAHER: My next question is for Ms. Schwartz and Ms. Curran. Ms. Schwartz, I appreciated in your testimony the point that you made, that I think is a very real reality, is that a number of health plans are connected closely or under the same governance with a clinic, with a delivery system. So you’ve got one size doesn’t fit all in terms of what you’ve got to do in terms of training, in terms of a number of things, so I thought that was, I appreciated your bringing that up, that there are certain things that are applicable for health plans that are not, in terms of what you have to do for the privacy and security regulations.

The question that I have for the two of you is, as you think about executing on your responsibilities in terms of the privacy and security regulations, you are both in somewhat regional organizations. Do you interpret what you have to do, Ms. Curran, do you interpret as ok, well we’re going to train and provide guidance and everything in terms of the federal HIPAA in Rhode Island or the fact that you have a thousand members who also live in Massachusetts or Ms. Schwartz do you, being in Massachusetts, in other words, do you take the mind set of, if we don’t have operations outside of Massachusetts or if we don’t have operations outside of Rhode Island, then we’ll just concentrate, this is a state preemption kind of question, we’ll just concentrate on Rhode Island or Massachusetts, or do you take the mind set of well, we’ve got a thousand of our members, in Fallon’s case who also live in Rhode Island, or also live in New Hampshire, or something like that.

What I am trying to get at is your mind set for executing on the requirements of the privacy regulations, do you put the hat on that, hey we don’t have any operations in those states, or do you put the hat on that you’ve got members in it and thus we’ve got to do whatever that state requires.

MS. SCHWARTZ: We have focused on Massachusetts even though we do have members in Rhode Island, a handful in Connecticut perhaps. We have focused on the HIPAA and the Massachusetts regulations.

DR. DANAHER: Is that an issue, the concern about having in what your members who are under Rhode Island’s statutes or is that . . .

MS. SCHWARTZ: It’s our understanding at this point that because we are a Massachusetts based corporation we follow Massachusetts mandates.

MS. CURRAN: I’m going to agree on that. I’m not the Privacy Office for Blue Cross Blue Shield of Rhode Island but from what I have heard we have followed, in some cases our state laws were more restrictive than the HIPAA privacy ruling, so of course we are staying with what our state regulations say. It is my understanding that we have been looking at it as strictly being a Rhode Island based company, but I can obtain clarification and e-mail that to the committee or through Ms. Kaminsky.

DR. DANAHER: Thank you.

MR. ROTHSTEIN: Dr. Zubeldia.

DR. ZUBELDIA: We’ve heard extensively about the importance of collaboration and how one health plan cannot take care of all of this by themselves. You’re both involved with Medicare. One as carrier intermediary, the other as a Medicare+Choice. What would you recommend, we recommend to a secretary to do, to better assist the health plans in this collaboration efforts so you can get more assistance from CMS or from HHS or other government entities in achieving better collaboration in doing what needs to be done. What are some of the things that could be done that are not being today to the full extent?

MS. CURRAN: Well, I think that certainly as a Medicare carrier and intermediary we get a whole lot of information from CMS about what we should be communicating to the providers. What we do is try to, again, dovetail that into our ongoing communication plan because what we’re finding is, because of being a Medicaid carrier and intermediary, we might send a notice out that is under that letterhead. That goes out today and three days later something goes from Blue Cross.

We try to marry those two pieces together but one of the problems that we do run into is sometimes CMS has very specific deadlines and the piece needs to get out on such and such a day and maybe we can’t dovetail it the way we want to.

So I think that there needs to be recognition or perhaps they want to bless a communication plan where CMS is a part of it but it’s the overall communication plan for the entity who is the carrier or the intermediary, so that sometimes we’re actually sending out the same information to the same people just under two separate letterheads.

Again, I don’t that there has been a lot of discussions about the professional relations piece of communicating HIPAA requirements from the CMA point of view.

MS. SCHWARTZ: Are you speaking mainly about provider education? I have to say that Fallon has not done a lot with direct provider education at this point. A large percentage of our providers are with the Fallon Clinic and we know that they have their HIPAA initiative and they will be training and doing their policies and procedures. We have done some minor outreach through our newsletters to our providers and we are participating with, I think it’s with the Mass Health Data Consortium, we are participating in some training oriented for providers. I’m not sure what, we would be willing to participate if someone was leading an effort.

DR. ZUBELDIA: What can the government do to help you?

MS. SCHWARTZ: Help the providers?

DR. ZUBELDIA: To help you help the providers.

MS. SCHWARTZ: I’m not sure I have an answer for that.

MR. ROTHSTEIN: If you think of it, you can submit any comments to us within 30 days and we will consider any suggestions that you might have in answer to this particular question that was raised or more broadly. So please feel free to do that. I want to thank all four members of the panels for excellent testimony. We will take a 15-minute break and panel number two will convene at 10:50. Thank you.

(Break)

Agenda Item: State Agencies/Public Health Authorities - Panel 2

MR. ROTHSTEIN: Welcome back. We are now ready to begin our second panel of today’s hearings on HIPAA Privacy Rule Implementation. I want to welcome all the members of our panel on the issue of state agencies and public health authorities. Just to remind you, you will have 15 minutes to speak. I will give you a one minute warning, should that be necessary, although I didn’t even need to warn our prior panel.

After your testimony we will have a brief, each of your testimonies, we will have a brief opportunity for members of the subcommittee to ask questions of a clarifying nature and then we will move to the next speaker. At the end we will have a more general discussion. So, without further ado, we’ll move in the order in which you are listed on the agenda if there is no objection. And so we will begin with Ms. Allan.

Lorllyn Allan, Esq., Massachusetts Executive Office of Health & Human Services

MS. ALLAN: Thank you. My name is Lorllyn Allan. I am Director of the HIPAA Program Management Office within the Massachusetts Executive Office of Health and Human Services.

The HIPAA Program Management Office was formed in 2002 to coordinate and give technical assistance to the various state agency HIPAA compliance efforts. It is not itself directly responsible for compliance. That remains with the agencies, but we do give technical assistance and we try to coordinate.

As a framework, Massachusetts itself is known for being very much in the vanguard for both privacy protections and patients’ rights. Since 1975 all of our state agencies have been operating under a statutory privacy standard for all personal information that they hold on anyone in the commonwealth, not just health information. And it very much parallels HIPAA. It prohibits any unauthorized disclosures, agencies can only collect and maintain the minimum necessary information. They must provide audit trails on disclosures and uses. And they must allow the data subject access to the data and the right to amend the data.

So the concepts and a lot of the specifics of the HIPAA Privacy Rule are very familiar to our state agency personnel and very much embraced by our state agency personnel. They are now facing HIPAA, the HIPAA Privacy Rule, and I think they are finding it extremely challenging, very candidly, and I don’t think that Massachusetts is alone.

Because of the way state agencies are structured and because of their programs it has been very very difficult to fit them under the rubric of the HIPAA Privacy Rule. We serve diverse populations and our programs reflect that. They often have diverse functions within them, they are not as clearly delineated as your private sector programs may be between health care provider, health care plan, and someone could fall completely outside of that realm.

Most of the HIPAA information sources and resources out there are geared to the private sector, to hospitals, to physician practices, or to large health plans. There is very little that addresses state agency issues and concerns. One web site, HIPAA GIVES, is a voluntary collaborative that is devoted exclusively to state HIPAA privacy and security issues. That has been very helpful, we do use that. But beyond that from the state perspective it feels like we are out there alone climbing this hill with no top in sight and no signs along the way and no warning signals saying you are going in the wrong direction.

Jim will discuss this a little bit more, he’s had much more direct experience, but all of our agencies, with the exception of the Medical Assistance Program which is clearly named as a covered entity, initially really struggled with how to designate themselves, if they had to designate themselves at all. Were they a covered entity, were some of their programs covered, and if yes, were they as a provider or as a plan, because there are different obligations under the rules for providers and for plans. They needed to know where they fit in with that.

That has been very time consuming, very frustrating. I hope we’re at the end of it. With the compliance deadline looming we’re basically saying we have to make determinations and move forward.

Beyond that exercise of trying to determine where state programs fit under HIPAA, I think there are probably three challenges that we see as a state. One has been financing this overall effort. The state is responsible for financing state-wide and it’s become a state financing burden.

There are operational hurdles, again, because of the way state government is structured, we’re not like a private enterprise. And from the Health and Human Services Executive Office perspective we are very very concerned that we can avoid adverse program impacts from many of the provisions of the HIPAA Privacy Rule.

Let me give you a few examples. Massachusetts, like most states, is facing some severe revenue problems right now. We’ve had the single largest tax increase in our history and we are still cutting back on programs, and more program cuts are currently under consideration. Nonetheless, we are going to have to try to find the funds to develop, print, and somehow distribute all the privacy notices that are required under the rule.

For health plans, and Medical Assistance is clearly our largest health plan, those notices have to go out to anyone who is currently, at the time, an enrollee. At a minimum, it’s going to be 500,000 individual households that are going to have to receive some kind of notice. For people who are receiving services from our programs that would be considered provider programs, in most cases, the first date of access to service after the compliance deadline is going to be the compliance deadline. Many of these are patients who have long-term chronic needs that are in our state institutions or who are people who are receiving services on an almost daily basis from our various outpatient clinics.

At a minimum, this is going to be a $600,000 dollar tab. The way we are set up, each agency is going to have to somehow find their share of that within their existing administrative funds, but it’s going to be difficult because their administrative budgets have been squeezed. They are knocking on our door saying find some more money for us.

Likewise, many of the providers that our agencies deal with are knocking on our doors saying we have HIPAA compliance questions, you have to help us cover. We’re saying, we’re not sure how we’re going to cover our own right now. It sort of goes around and around in circles.

Then you have to do a lot of upgrades, we expect, to computer systems, to our data and our IT systems generally, in order to be sure we can support the HIPAA Privacy Regulations in terms of our data and that we can meet the security requirements when those are finalized.

We don’t have cost estimates on that yet because many of our agencies have just begun their assessment. I think some of the systems will probably be pretty much ok, others will probably need a significant upgrade. And that’s going to be above and beyond any of the costs that are associated with the transactions rule which has a whole other set of system changes that are required of any agency that is doing business with the Medical Assistance Program. Just most of our human services agencies.

The training requirement is another very noticeable and substantial cost. We are estimating that we are at a minimum going to have to train 30,000 individuals. This includes those individuals that are in the workforce of covered entity agencies.

But as a practical matter, we have to train beyond that because so many of our state programs interact so closely with both public and private sector covered entities. They need to understand HIPAA thoroughly because they need to understand what information they can still access, how they can access it, and if there are any conditions or new terms of conditions parameters around how they can access and use that information. So in order for them to continue working we know they have to be trained fairly thoroughly in the HIPAA Privacy.

The HIPAA PMO itself expects to spend probably $260,000 dollars on training, but we know that in addition to that many agencies are hiring their own training trainers to give a more specialized focused training to their workforce.

We also think that there is a need for major educational programs, which is going to include educational materials, for a lot of state functions that you don’t normally associate with HIPAA. I’m thinking the judiciary because there are changes in the nature of some judicial orders under the HIPAA Privacy Reg. Most certainly law enforcement. They need to understand how they can continue to access protected health information, how they can use it in their law enforcement activities. I’m curious how we’re going to do that, very honestly. Law enforcement is not something that generally the human services agencies interact with on an on-going basis. We feel that they are absolutely going to have some training.

Your public health inspectors, child care licensing staff, any state staff whose job function now entails in some way shape or form having to access particular health information is going to have to be educated in how to use it.

We do face some implementation hurdles that don’t necessarily exist in the private sector because we do an enterprise approach to many things. I think many state governments do. We have centralized contracting, for example, we have centralized union negotiations, and we have centralized information support services. We are having to tap into all of these different -- and every day I find a new entity we have to tap into. The comptrollers office in terms of paying our vendors and providers, we have to have all of our state contracts in uniform, somehow we have to get the HIPAA required terms and conditions integrated into that and into the whole contract bidding process.

We have all of our union agreements negotiated centrally and are administered centrally. Because of the requirement for training in your covered entity agencies, we have to amend our union agreements. We can’t just go in and say now everybody has to be trained. We have to go to our centralized unit and say we have to amend these contracts. Many of the union employees work in agencies that are not covered entity agencies. We’re working on that and I don’t know how smoothly that’s going to go.

I think that we are really significantly impacted, too, on the technology services. ITD, Information Technology Division, pretty much maintains all of our intra and internet systems. They pretty much sign off on any kind of technology systems the individual agencies want to do. They have been very very helpful in working with us. They’ve really taken the lead in helping us understand what we are going to need for technology infrastructure to support both the privacy and security regulations. But they’ve also made it very clear that they look at the state-wide need, they look at state-wide priorities, and they are very reluctant to go forward with something that only a few agencies, it may only be applicable to a few agencies.

We’re working with them but they are not a dedicated resource. I think that is something that’s true across the board. None of our agencies can be dedicated resources for HIPAA. As much as we would like to I just don’t think any governor or state leader is going to say stop everything, make HIPAA a priority, not given all of the other issues and concerns that are facing states, it just couldn’t be done.

The area for potential adverse program impacts is something that really has me concerned. We have been working very hard over the last number of years to somehow more efficiently and effectively address the needs of clients who have multiple needs and need services from multiple agencies. And we’ve expended a lot of energy in that regard. We are now concerned that the HIPAA privacy regulations are going to make us go back to the drawing board and rethink how we’re going to do that.

A lot of that is because our agencies are not all covered entity agencies. Even though their functions very much mesh. I think in some states where they are able to keep all of their medical assistance and social services programs within one agency this may not be as much of a problem. But Massachusetts, it really looks like it’s going to be a problem.

For example, just because of the way protected health information is defined, we’ve got medical assistance, mental health, you can’t even say that someone is a member or client, because that’s saying something about their mental status or how their health care is being paid for. We’ve got various teams that work together in trying to get client services, and look across the board and see how they can benefit from different agency services. Again, we’re wondering how we can keep doing that.

The provisions for authorizations in HIPAA I don’t think are going to be a great, I’m not sure if they are going to be a great deal of help to us since we’ve really looked very hard at this issue. I think this is an area that we could use some help.

We will use an authorization where we can but I’m not sure we can do a compliant authorization that is going to be sufficiently broad to encompass a case management kind of approach to a client. You don’t know always at in-take or initially what services and what other agencies you’re going to want to be tapping into. So you can’t do an authorization that says I authorize this specific department to release this specific information for this specific purpose.

Going back to a client periodically as you’re doing your case management to ask for more authorizations just doesn’t work. It will be viewed as bureaucratic harassment in addition to very much slowing down the provision of services. Also, very often the need for multi-state intervention is not apparent until there is some triggering event and often this is something very tragic triggering the event.

While a covered entity agency could give services on an emergency basis, it’s really questionable, they’d have to pause before saying I’m going to call in another agency for additional support for this family. Because that’s it, do I need an authorization? Does this fit into some exception? Is there an imminent danger which justifies my revealing this information without an authorization?

I don’t think we can ask case workers who are responding to immediate crisis situations to go through that analysis all of the time and take the risk that they may judge wrong and at some point later be subject to a lawsuit for not adequately adhering to the HIPAA Privacy Regulations. Just generally in that, working through the exceptions, and I’ve read them through many many times and I have to keep going back and rereading them and rereading them and rereading them. I think, bottom line, is that most of state functions that require access to PHI can continue but you have to go through such a long strenuous analysis before you can get to the point, yes I can get this information. I can get it with these conditions.

I really see paralysis setting in unless somehow we can very thoroughly educate not just our state agencies, but also the people out in the private sector who hold PHI that HIPAA doesn’t say you can’t ever give out any information ever anymore because I think that is sort of what I think a lot of the impression is.

I’ve picked this up in conversations with people, we’ve had reports, we’ve already had challenges to our juvenile court justice system which uses juvenile defender records for sentencing considerations, trying to get the person into the right program and say you can’t get this information anymore. Well that’s bogus. They can get the information but there, again, there’s so much misinformation about what HIPAA does and does not allow that I see us running into some real problems with the continuing smooth operation, just very essential basic state services without some better education about HIPAA. Again, what it does allow as well as what it does not allow.

We’ve had reports of state facilities not letting inspectors in to do records review saying HIPAA doesn’t let me let you do this anymore.

You wanted to know what would help. I think much earlier on it would have been helpful if we would have had a little bit of clearer guidance on how to put state programs under the HIPAA definitions, because state programs just don’t look like the HIPAA definitions. I don’t know how else to say it. At this point we’ve made our decisions and we’re moving forward.

We have to with the compliance deadlines looming, there’s just too much that has to be done. Now I’m not sure I want any more clarification. I don’t want to have to go back to the drawing board. We’ve just spent so much time on am I or am I not a covered entity.

I think as I mentioned before it would be very helpful to get some clarification on this authorization. I’m hoping that the way I read the authorization requirements are too stringent because I don’t see how they are going to work for us very honestly. I just don’t think they let us do the kind of comprehensive case management that we’ve strived to do, which is the best way for us to service our clients. Maybe I’m reading it wrong. Guidance on that, some kind of model forms for how state agencies can work with each other, even if they are not all covered entities would be very helpful.

Mind you, Massachusetts has its own privacy statute. Our agencies have to live by that law even without HIPAA, so HIPAA is not the only game out there. We want to abide but we need to be able to serve our clients.

I also noted a need for some education and I think we could use some real help here. We have to go beyond what’s normally thought of in the HIPAA world. We do have to educate law enforcement. We are going to have to educate the judiciary because there are things in HIPAA that affect them. If it were possible for the federal government to help give us some training tools, resources, maybe set up a web site that we could refer members of the judiciary and law enforcement to, that would be very helpful.

In law enforcement you go down to the very basic level of your local, your little town police officers, where there’s maybe two police officers in town, all the way up to the district attorneys offices and your state police, so to me it’s a little bit of an overwhelming task.

It also would be very helpful if we could get some kind of what I call a map about when and how PHI can be used and disclosed. There are so many exceptions and exceptions to the exceptions, then conditions to the exceptions. Every time I’ve tried to put together a sort of ready reference tool for our state workers I end up with multi-pages and multi-caveats, yes you can do it but then you’ve got to do this and only after you’ve done that. It would be helpful if we had something that was little bit easier to follow and also again we could use help in educating.

I’m talking broad education of the public sector as well as the private sector of what HIPAA does but also what it does not do. It does not shut all doors, that inspections can continue, we can still go into nursing homes and follow-up on reports of negligence, that we still can follow-up if we’re getting a report that a child daycare program is not providing the services that it should. That we still can go into hospitals and look at records if we need to do a quality assurance review. That we will have access to the basic information we need to do some basic public functions.

Thank you. I appreciate it. Any questions?

MR. ROTHSTEIN: Thank you very much. Any clarification questions?

MS. KAMINSKY: I think your testimony in the beginning, in the written testimony mentioned something about the government agencies that you have determined to be covered entities at this point. I would just appreciate it if you could for the subcommittee talk about the range of agencies at this point that you’ve determined are covered entities and whether or not even within that world you’re deciding to call those guys hybrids or just treat them as covered entities. That’s my first follow-up. I have a couple.

MS. ALLAN: Let me respond to that. First of all, I think we have rejected hybrid, it just doesn’t work. The conditions to be a hybrid entity under the regulations are impossible. No one is going hybrid, either we’re going to be covered or not covered. Because you have to do such a splicing and separation of, if a person does a shared duty half of them that works for the covered entity can’t communicate with the half of them that works for the non covered entity. Our agencies share resources and infrastructure so we just need to be covered.

The easy ones that were covered are the two soldiers homes, we have two soldiers homes that we operate. They are basically hospitals, long-term care combined facilities specifically for veterans, so those are covered as hospitals as providers. Medical Assistance Program obviously is a health plan, covered as a health plan. Department of Public Health is covered and Jim’s going to tell you about that one. Our Department of Mental Health, which we see as a provider because they do provide direct in-patient and out-patient services. Our Department of Mental Retardation, again they operate some in-patient service units so we do consider them a provider entity. Department of Corrections through their Health Services Division, they will hybrid. The way they are set up their Health Services operation is a very distinct operation from the rest of the corrections operation, so they can hybrid.

Our group insurance commission, which is basically the insurance plan for the Commonwealth of Massachusetts, active and retired employees of the Commonwealth of Massachusetts. I seemed to have missed one because there are supposed to be nine. I can’t remember the ninth one, I’m sorry.

MS. KAMINSKY: That’s okay, that gives us an idea of the --.

MS. ALLAN: It’s the pharmacy program through our office of Elder Affairs. They operate what looks like an insurance program, which basically helps seniors that cannot afford pharmacy coverage through an insurance-like program.

MS. KAMINSKY: I have two specific follow-up clarification questions. The first was all that discussion around law enforcement and the need for some education around that. Can you just flesh that out a little bit? I’m a little lost from my reading of the 512 pieces of the regs., et cetera, what you’re talking about.

MS. ALLAN: It says you can access PHI for law enforcement purposes then as I recall again it may be it’s worse than it seems because it takes so many pages to go through it. You can only ask for this information, and you have to make a showing of either a court order or, there is different, and I don’t know how our law enforcement agencies function right now very honestly. I suspect that there are different standards out there for different departments. I don’t know.

I’m saying is that we need somehow to work with them to be sure they understand that they can no longer just walk into say a hospital if they are looking for a suspect or something, and say I want to see who you admitted over the last five hours, or who’s walked into your emergency room over the last six hours, let me take a look at your log.

MS. KAMINSKY: I think we heard similar testimony yesterday from Steve Vias(?) about maybe drug related . . .

MS. ALLAN: I’m concerned that they need to understand so that they do things right when they are out there. But they also need to understand what they can get so that if someone is saying “no” to them, they know whether that is a valid no or not a valid no. And given that I still don’t have it all clear, I see this as a really major challenge.

MS. KAMINSKY: The other question was around I guess, the judiciary. You talked about juvenile court and some kind of problem with this. This is all kind of new issues to me so if you could - -

MS. ALLAN: The feedback I’m getting is in terms of the judiciary. Most of it is they are now probably going to be asked to issue different kinds of orders than they have been asked to in the past. This issue was particularly raised by counsel at our Department of Mental Health. They are frequently in court either to get treatment orders if they have someone who is in one of their facilities that is not competent to give consent but has no guardian, no responsible person with them, they will have to go into court to get permission to treat.

And the feedback I’m getting is that now in order to cover themselves in terms of how they use the information they have on this patient, they are going to have to ask for more expanded orders than what they’ve been going into court and getting at this point.

There is also some concern around some of the commitment orders that may be requested. This has been presented to me and I’m saying the courts do need to understand that they are going to be called on now and probably be a little bit precise in some of the orders they issue perhaps so that people are armed sufficiently to get as much information as they need to be able to use PHI to the fullest extent that they need to use it if it’s a treatment kind of situation.

The juvenile court thing was brought to my attention. One of the justices of the juvenile court called to ask is this true that when HIPAA goes into effect we will no longer have access to these records for juvenile offenders. I said no, that is not true. It demonstrates the confusion that is out there and because there is this sort of chatter about HIPAA Privacy and the chatter is that you can’t, people are scared, there’s a scare factor, they are afraid that they are not going to live properly by the rules and so they are shutting their books completely. I’m finding this particularly with some of your smaller providers, some of your smaller, people who are not your big sophisticated hospital system or your more sophisticated and well staffed physician systems, or health plans. All they hear is HIPAA, HIPAA Privacy, HIPAA Privacy, do you have your HIPAA Privacy stuff in place. They are closing their books, no, we are not going to give out this information. So we really need to help them understand where it is still ok, where they are not violating.

MS. KAMINSKY: Actually just one more clarification from your testimony which was you talked about multi-state cases. Were you talking about for example a Medicaid emergency in this state, or I wasn’t sure.

MS. ALLAN: I’m sorry, if I said multi-state I probably meant multi-agency cases. I think I misspoke.

MS. KAMINSKY: Okay, never mind.

MR. ROTHSTEIN: Any other clarifications? Thank you very much. Mr. Ballin.

James Ballin, J.D., General Counsel, Massachusetts Department of Public Health

MR. BALLIN: Good morning. My name is Jim Ballin. I am General Counsel for the Massachusetts Department of Public Health. I am pleased to have the opportunity to address you this morning with regard to HIPAA and implementation with regard to public health authorities.

I’m going to go through these relatively quickly and leave time for further questions. Two basic areas I was planning on addressing were how we have addressed the issue of whether the Department is a covered entity and dealing with the definitions for health plan and health provider. Secondly I will discuss a little bit about some of the perceived impacts on public health practice. I think Lorllyn did a wonderful job in discussing some of the broader issues that the state agencies have addressed, so I’m going to try to focus specifically on public health authorities. I may not be able to talk as fast, but I will see what I can come up with.

Just as a very brief overview, the Massachusetts Department of Public Health conducts basic core public health activities and operates four state hospitals. There has never been any question in our mind that the four state hospitals are covered entities. It’s really the rest of the Department that we have been grappling with the issue for some time.

The Department collects a vast quantity of protected health information. We estimate over 200 hundred programs that collect or use PHI for various purposes. Those are often pursuant to state laws and regulations, but not always. And we also have a very complicated system of providing services to clients in Massachusetts, we coordinate with other state agencies, with local boards of health, community health centers, providers, the list is quite extensive.

Again, these are essentially your basic public health activities that one would typically see at a state health department. We collect PHI for disease surveillance and investigation, for delivery of health services, epidemiology, statistical analysis and research, for program evaluation and quality improvement, licensing, and health oversight functions and various activities involving emergency response among many other items I haven’t listed.

So now let me get into the first topic, which is the HIPAA covered entity status. I agree essentially with Lorllyn that the regulations were really written for the health care industry and that the public health authorities don’t fit really well within the definitions for health care provider and health plan. I know HHS made some efforts to clarify that in the final rule but in my opinion that didn’t suffice and in some cases may have made things a little bit more confusing.

I do believe that these definitions are ambiguous with regard to public health and we have attempted to get some guidance from HHS that we felt would be useful for us as well as all the other state health departments as well as local and county health departments. We have not had any feedback to date. I do understand the resources and restrictions that HHS has and my testimony does not intend to criticize the efforts that that agency has made.

Nonetheless, for those of us working at the state level trying to interpret these rules, the lack of guidance on how to interpret the regulations in our specific situation has been difficult for us.

I do believe I should mention we had an informal survey done for us by the Mass Health Data Consortium with regard to numerous state health departments. It certainly wasn’t comprehensive but we found a wide variety of interpretations for how state health departments and various programs were covered. Sort of a general feeling that some further guidance would have been helpful.

Let me give you just two quick examples. The end of the handout that I have has a list of some questions that we submitted to HHS, but I’m going to give you just two examples here.

The breast and cervical cancer early detection and screening program, this exists at many, if not most other states, it’s a federally funded program administered by DPH. We contract with providers to furnish these screening services to uninsured and underinsured women. Providers bill DPH as a payer of last resort and we -- to address the issue of again, whether this specific program is a plan or provider.

Another example. The state laboratory conducts, among other things, analytical testing of human blood samples. Those samples are submitted by medical providers or other laboratories to detect the presence of communicable or other diseases. DPH acts as a diagnostic laboratory but does not furnish testing directly with patients and in most cases did not bill for their services. In a few limited cases we do bill, but for the most part we do not. Again, the question is, is the state lab acting as a health care provider.

I won’t at this point go through the further examples but as I said we did provide an extensive list of questions that we felt were representative of the issues that we had with interpreting the covered entity definitions with regard to provider and plan.

So we started this process very shortly after the privacy rules were originally finalized, I guess that was in December of 2002. We initially had some contact with CDC and they offered some assistance in trying to obtain some guidance from HHS. That never materialized into any response and we also, as I mentioned, specifically sent the list of questions to HHS requesting guidance and we haven’t gotten that yet.

I will skip over what was really a year and a half worth of extensive discussions within the Department as well as with our HIPAA program management office, headed up by Lorllyn, to decide whether we were a covered entity or not. We reviewed, again, probably close to 200 programs that collect or use protected health information and the way in which they use that information and what actual information is collected is extremely diverse.

So it was a difficult assessment for us to go through and try to figure out how every one of these programs may relate to the health care provider or plan definitions.

Our general conclusions at this point, and we basically made this decision this summer, which again, probably a year and a half after the rule was initially finalized. Our conclusions were that we had a couple of programs that looked very much like health plans. We have many other programs that act very much like health care providers, or that we contract out with agencies to provide services.

And then we have the rest of the programs, which I am not sure I can quantify but it’s probably well in excess of 75 percent of what we do that really don’t fit the definitions at all. Again, we get into the problem of how do we deal with that, do we want to be a hybrid entity, and our decision was basically that a hybrid entity, for reasons that I think Lorllyn mentioned, was too difficult for us to do. In part it would make it very difficult for our programs to share protected health information when that was necessary for conducting public health practice.

Nonetheless, the decision to have these other programs voluntarily comply with HIPAA has presented a great deal of concern for many programs that believe that HIPAA doesn’t apply and why are we making them do this.

For example, the Cancer Registry is probably a good example of a program that really clearly doesn’t fall under these definitions, yet we are essentially saying you are now going to be covered under HIPAA.

My second part is just to give you a few anecdotes I guess about some of the perceived impacts of HIPAA on public health practice. These are questions I’ve been getting since day one on HIPAA and this is mostly just to give you a flavor of what the perceptions are out there, at least within our office and within the state about what HIPAA means to the public health work that we do and how will things have to be changed.

So again, here are just a couple examples.

Will HIPAA limit sharing of PHI between DPH programs as well as other state agencies? Again, that was sort of a decision we made to go against the hybrid entity status and we also note that HIPAA allows for coordination of benefits in some cases with other government agencies that are covered entities. So we felt in our case that being a covered entity as a whole was probably the best way to go.

Will HIPAA impede disease surveillance and other public health investigations? This of course was a very immediate concern particularly about a year ago when we were dealing with a wide variety of urgent situations involving anthrax and other disease surveillance activities. I believe and have stated this all along that HIPAA is very well crafted in terms of providing broad exemptions for core public health activities including surveillance, investigations, and intervention and that HIPAA does not impose a barrier to the routine public health work that we do.

Will HIPAA prohibit the disclosure of PHI when required for enforcement of DPH regulations? Again, this goes back to some of the issues that Lorllyn mentioned with regard to going to court for enforcement. DPH is a covered entity and a health oversight agency and there is a provision in HIPAA that basically allows a covered entity that is also a health oversight agency to use PHI for authorized activities including civil administrative or criminal proceedings.

Will HIPAA limit the ability of DPH to conduct research using PHI without authorization of the data subject? I know this is an issue that the whole research community has been concerned with. Again, I think HIPAA, though there is some hysteria out there, I think HIPAA is fairly clear in allowing for the ability of an IRB waiver of authorization if certain criteria are met.

Another question about will the DPH be required to provide an accounting of disclosures made for surveillance or research purposes. There was a great deal of concern amongst our department that having the entire department as a covered entity will be an enormous burden in terms of how we account for every disclosure or use of protected health information for our surveillance or research purposes.

Again, I think the privacy rule exempts from the accounting of disclosures for health care operations of the covered entity and that would include the surveillance activities that we conduct. The revised rule also addresses accounting of disclosures for research involving 50 or more individuals.

So those are just some examples. I would like to just conclude with a few statements.

HHS should, or maybe I should put in parentheses, should have provided appropriate guidance for public health authorities on covered entity questions. I do agree that at this point it is probably a little late to be changing our decisions with regard to this but it would have been very helpful to have some further guidance and I know that there was some attempt in the final rule to provide some guidance with regard to government agencies.

There were some examples I believe with regard to WIC and Ryan White programs, but again the nature of our programs are so complicated and diverse it was hard to come to some conclusions in many of these cases. Further guidance would have been very helpful.

There is a great deal of confusion about what HIPAA does and does not permit public health authorities to do with regard to protected health information. In Massachusetts there is a system of local health departments which is not the norm nationwide and I have talked to a number of local health departments that have been asking when we, the state health department, are going to be providing guidance to them on HIPAA. And that’s a fairly big issue because we don’t have the resources to be dealing with every local health department out there, but there is nonetheless the same concerns among local health departments that I have just discussed.

Finally, I just want to state that I do believe that the HIPAA Privacy Regulations demonstrate a clear intent to ensure that core public health activities of public health departments are not impeded. Despite the confusion out there I think when one does carefully read the rules, we will undoubtedly change some of the practices and procedures that we do to conduct our business, that we will be able to do what we do and that HIPAA will not present any significant barrier to the public health practice that we do.

So that’s all I had to say and I’ll be happy to answer any questions.

MR. ROTHSTEIN: Thank you very much. Dr. Danaher.

DR. DANAHER: Mr. Ballin and Ms. Allan. I just need a clarification. This is a total reflection on my ignorance. How does the Department of Public Health interface, or is it part of HHS. Ms. Allan, you are the PMO for them.

MS. ALLAN: Right, we’re the executive office. Massachusetts, back in the 70’s, maybe early 80’s, set up a number of executive offices. Within those executive offices are related agencies that do related functions. So we are Health and Human Services, we have social services, the public health, mental health, we’ve got 17 agencies, commission for the blind, rehab commission, basically your social support service agencies.

We also have an Executive Office of Public Safety, which has all the public safety functions within it. Public Health is one of the Departments within the Executive Office of Health and Human Services.

DR. DANAHER: Ok, ok, great. And then just one other quick question and that is, you’re the PMO for Health and Human Services. Are there other, has someone looked at those six executive offices and their departments and just made sure that social service . . .

MS. ALLAN: Yes, we have done that. They put the HIPAA PMO office in human services because most of the agencies affected directly by HIPAA are human services agencies. We have taken a state-wide approach. We actually sent out surveys to every state government, every executive office, plus we just went through and we’ve done follow-up calls to anyone we thought might possibly be a covered entity. Elder Affairs is not part of our secretary of corrections, it most certainly is not part of our secretary, though they do add an interesting flavor to some of our meetings that most of our staff don’t usually get to hear.

We’ve actually just found another small program that’s stuck over in our Division of Employment and Training which is basically our unemployment insurance program. They are actually running a small health insurance program for uninsured, it’s sort of fallen off the radar screen. We’re trying to bring them in because they clearly would fit the plan definition. But we’re reaching out to all state entities.

DR. DANAHER: Is it fair to say that you, as the PMO, because you’ve got the biggest agency, have also been tasked to look at and coordinate efforts for the other six.

MS. ALLAN: Yes, for the entire state. We really have taken on entire state coordination.

MR. ROTHSTEIN: Any other questions?

MS. KAMINSKY: I have a follow-up for Mr. Ballin. You had mentioned the DPH oversees about 200 programs and the example that you gave of one program, for example, it’s neither fish nor fowl, neither provider nor plan, was the Cancer Registry. I’m just wondering just for those of us who are not as well versed in the public health world, if you could just mention a few other programs that you’re talking about.

I guess I’m asking in particular because though you creatively, and I think probably accurately, looked at surveillance activities as a health care operation and not necessarily needing an accounting for disclosure, I don’t necessarily know if that would hold true for the entities for disclosing PHI to you for those surveillance activities.

So, I guess it’s two different questions, but really the first question is for clarification sake if you could just touch upon a few others that you oversee.

MR. BALLIN: That we consider to be falling under plan or provider?

MS. KAMINSKY: Yes, plan, provider, or neither. Just to flesh out a feeling for where this information is coming from, where the PHI is coming from that you are talking about.

MR. BALLIN: Well we basically started our survey of all the programs at least a year and a half ago. We did it by bureau, which the Department is organized into probably six or seven different bureaus. Some of them we knew would be more likely to be fitting under the definitions than others.

There’s a Family and Community Health Bureau that administers many programs, such as early intervention, healthy start, many screening programs, these are all, many of them operate as a payer of last resort type of program.

There are numerous programs within the Communicable Disease Program Bureau that we looked at and a number of screening programs.

There’s of course our AIDS Bureau, which for the most part does not collect identifiable information, but nonetheless we did look at a variety of programs in that bureau as well.

There is substance abuse services, which again we got some guidance from the federal SAMSA(?) Agency that basically substance abuse services would be considered covered entities.

And then, as I said, there are a number of other programs, we use the program rather loosely, it depends on how you really define it. We certainly operate a number of registries, Cancer Registry, Vital Records Registry, and the list goes on. A number of those registries I don’t believe would really fall under the definition of a plan or provider.

I don’t remember exactly what the second question was.

MS. KAMINSKY: Just about the surveillance activities, you said that you thought DPH wouldn’t have to account for those disclosures but I assume that that information is coming from hospitals or entities that are treating individuals and I assume, I’m thinking that you were just talking about DPH itself not necessarily the providers who would have that health information who would be disclosing it to DPH.

MR. BALLIN: Right, I was talking about, I guess there’s two issues. There’s providers disclosing information to DPH as they are authorized to do by law and what we do with that information, in certain cases, we use protected health information right down to an individual’s name to go out and do investigations with regard to sexually transmitted diseases and other activities. We will disclose very sensitive identifiable information in certain cases when we are authorized to do so.

MS. KAMINSKY: I’m just talking about where the accounting for disclosure responsibilities begin and end. You were saying that you thought the DPH didn’t have accounting for disclosure responsibilities in certain circumstances and I guess I was trying to clarify that that may be the case with what you do with that surveillance information. I think that the disclosures that go to DPH, even if they are allowed by the rule, the rule provides for that kind of a disclosure, I don’t think that that would necessarily be a health care operation of the entity that’s disclosing it to you.

MR. BALLIN: Right, I agree with that. I was only referring to information, PHI, that we have that we may subsequently disclose. Yes, providers, I’m sure, would still have to account for disclosures as required by law.

MR. ROTHSTEIN: Thank you very much. Ms. Bergman.

Jean Bergman, HIPAA Director, New Hampshire Department of Health and Human Services

MS. BERGMAN: Good morning Mr. Chairman, members of the committee, panel members and staff. I am Jean Bergman, Director of Technical Planning and HIPAA Coordinator of the New Hampshire Department of Health and Human Services.

I appreciate the opportunity to speak before you today relative to our Department’s initiative to comply with the HIPAA Privacy Rule. Specifically, I will address our covered entity status designation, and our general knowledge of the quality and expertise of consultant organizations in their role as HIPAA privacy experts and advisors to state agencies.

I would briefly like to familiarize you with the New Hampshire Department of Health and Human Services. Organizationally, the Department is an agency of the Executive Branch of New Hampshire State Government and is a legal entity. The Department is comprised of eight, maybe nine now, program divisions: Alcohol & Drug Abuse, Behavioral Health, Developmental Services, Community and Public Health, Children, Youth & Families, Child Support Services, Elderly and Adult Services and Family Assistance, and our newest division which is the Division of Juvenile Justice.

Also included are nine support offices and three health care facilities, an acute psychiatric care 172 bed facility, 110-bed home for the elderly, and a 14-bed halfway house for recovering men.

The Commissioner of the Department is responsible for the overall management of the Department, sets policy and oversees implementation of all services and programs. The Commissioner provides the leadership and direction necessary to ensure the design and delivery of a comprehensive and coordinated system of services that is community based and family centered.

Common control exists at the Department level in that the Commissioner has the direct power to significantly influence and direct the actions and policies of the entire Department. The Department’s divisions, offices and facilities do not have their own legal identities.

For over a year the Department has struggled with its designation status. It has had an overwhelming amount of advice and argument from attorneys, consultants and other states as to what the designation of the Department should be, hybrid, single covered entity with multiple covered functions, single covered entity. In short, the arguments followed the theory, if it walks like a duck and talks like a duck, it must be a duck.

In determining what the compliance responsibilities of the Department are under the HIPAA regulations, careful and long consideration has been given to not only the requirements of the privacy regulations, but also how the Department functions. It is the Department’s belief that it was not the intent of the U.S. Department of Health and Human Services, in the promulgation of the privacy regulations, to significantly impede the way in which business is conducted or services are provided by covered entities. Rather, the intent was, as stated in the preamble, to provide scaleable and workable standards for the protection of an individual’s privacy relative to their health care information.

Attempting to determine the proper covered entity designation as a state agency, was one of our largest stumbling blocks. We wondered how we would assess our HIPAA readiness if we were undecided regarding our covered entity status. As a result we made the decision to move forward with a total Department HIPAA privacy assessment rather than limit the review to obvious and known entities (just the ducks). We are thankful we did. Our assessment discovered many areas that might have been overlooked had we strictly followed the duck walk.

The Department acknowledged that to designate as a single covered entity will require the most central agency coordination and will require more effort on behalf of the department in developing compliant policies and procedures, a training program, and that enforcement of the standard on the entire department will be required. Conversely the Department perceives the risk of bifurcation of privacy compliance at the Department level far greater than the perceived burden of overall department compliance with the privacy rule.

Department services and administration of these services are provided seamlessly across the Department and, as an organization, follows a matrix model. It has been agreed that designation as a single covered entity for the purposes of complying with the HIPAA privacy rule will support the Department’s organizational make-up and philosophy and will meet the intent and requirements of the Privacy rule.

It is the belief of the Department that compliance with the privacy rule can be accomplished and still maintain the Department’s organizational processes without establishing rules of practice for some and not for others, creating firewalls or boundaries between program areas that need to share resources and information in order to effectively serve our client populations, and duplicating auditing and compliance efforts across the Department.

As a Department we were pleased with the amendments to the hybrid definition which permitted covered entities that could qualify as hybrid entities to choose whether or not they wanted to be hybrid entities as well as the deletion of the term primary from the rules. Because with a few exceptions the Department believes that most of what it does not related to health care and the designation of health care components would be contrary to the Department’s management philosophy.

Organizationally, state governments and agencies are not always the same. As you are aware, there is no template for state executive department organization. Although historically similar, there are more often than not very different administrative configurations. For the New Hampshire Department of Health and Human Services the amendments to the privacy rule create a better environment for the way we do business to meet the privacy rights and requirements mandated therein and do not force us into a compliance designation that is contrary to our business model.

It has been presumed that state agencies will have a less rigorous compliance process than the other entities that fall under the requirements of the privacy rule. We have found this to not be the case. To implement the provisions of the privacy Rule and comply by April 2003 we must review every privacy practice, policy and administrative rule throughout the agency and either amend those that exist or create those that do not exist. For in-house practices, the process is not particularly painful.

However, where the practices and policies of the Department affect individuals outside of our agency, any new policy or practice must be promulgated through the Administrative Rules process, which includes notice of rulemaking, public hearings, comments, and finally legislative approval. Because of our diverse activities, the geography of the PHI within the Department, and our decision to designate the department as a single covered entity, this will require extensive efforts.

Further, because as a state agency, we are required to follow other privacy mandates, both federal and state, we will have to be vigilant in our review and cognizant of preemption issues.

To mitigate our risks in being able to complete the necessary tasks of a very complicated work plan, we are expanding our HIPAA infrastructure to include a Compliance Office which will work closely with our attorneys, consultants, and the program areas to decrease the burdens on any one particular group of resources and organize an extended group of individuals around compliance issues.

This is an appropriate segue into our experience to date with the accuracy and quality of consulting organizations related to privacy. In most cases expertise of members of these organizations have been most strong in the areas of transactions and security. Most of the organizations seem to have a good to excellent understanding of the requirements of HIPAA in these two areas, and can effectively assess and recommend remediation techniques.

The accuracy and quality of the consulting has been less than we had hoped for privacy. It has been difficult for the consulting organizations to understand that one size does not fit all when it comes to assessing privacy within state government. A template used for a hospital or health plan cannot be placed on a government agency. We have not experienced the level of expertise we assumed was available in interpreting the complex standards and implementation requirements and determining the subtle and not so subtle impacts of the privacy rule on our business processes.

Privacy remediation at a state agency, like transactions and security, requires individuals who have extensive knowledge in privacy practices, individual rights, government operations, and some level of legal proceedings.

I hasten to say that my comments are not a reflection on the consulting organization’s general abilities in project planning and process. Their only lack of expertise is in the project area.

A few words on training. With regard to the privacy rule training, the Department is anticipating an interactive web-based training that will provide basic training on the privacy requirements and on the privacy policies and procedures of the Department. Although the privacy rule is far more intricate, we have been required in the past to do sexual harassment in the workplace and drugs in the workplace training. These trainings took well over six months to train the entire workforce of the Department. The training was done by selected in-house trainers, who also were required to attend train the trainers seminars. We were never sure that we were reaching everyone in the Department, or that our employees were getting consistent and correct information. To train our current workforce in this manner, again, will be extremely burdensome to the Department because of the increased demands on funding and human resources.

Our training program will be geared to the workforce, both employees and non-employees who are under the direct control of the department, to ensure that they have the requisite information and guidance to know what the rules are for the Department and how they can and must comply.

Thank you.

MR. ROTHSTEIN: Thank you very much. Any clarification questions for Ms. Bergman?

MS. KAMINSKY: I just wanted to go back to your comment about the hybrid division changing and why you were happy about that. I didn’t quite follow what you were to say vis-à-vis your own designation.

MS. BERGMAN: In the original rules it didn’t seem that we had any kind of wiggle room. When we looked at our organization we were in fact by definition a hybrid. We felt that we were going to, regardless of that definition, we were going to designate then as a single covered entity.

MS. KAMINSKY: You thought you were a hybrid before because it was not your primary function to deliver health care?

MS. BERGMAN: Well, we thought we were a single covered entity. Our attorneys and consultants thought we were a hybrid.

MS. KAMINSKY: Because it was not your primary function?

MS. BERGMAN: Because it was not our primary function to deliver health care. We argued that fact vehemently. When the amendment came forward we were pleased to see that we could do whatever we wanted to do within the realm of the standards.

MR. ROTHSTEIN: The floor is open for discussion. Ms. Greenberg then Dr. Cohn.

MS. GREENBERG: I want to thank all three of you for your excellent testimony. It was very informative. I had a question basically for Mr. Ballin and Ms. Bergman. We heard a lot yesterday from providers and how they were being helped by their national professional associations as well as collaborating across their profession, either in a state or regionally.

I wondered whether either of you or your departments of health have been assisted by or have been in regular communication with or gotten technical assistance from organizations like ASTO(?). You mentioned the locals needing help, whether NACHO is able to assist them. It seemed like it would be a parallel to the American Medical Association, etc., providing help to their provider groups.

That was my first question and then sort of a related one is that it’s my understanding that a lot of departments of public health have privacy officers, I don’t know if they are separately a privacy officer or tend to be along with the CIO’s. But do you know of any association of privacy officers across states? I’m just interested in knowing because although every state in some ways is unique a lot of your activities obviously are in common across state departments of public health. I know Medicaid, which also used to think that every Medicaid agency was unique, found out that HIPAA made them see that they had more in common than they had previously thought.

I’m just wondering what kind of activities, either at a regional or national office, are going on among health departments or with your national associations such as ASTO.

MR. BALLIN: Well, we did early on have some discussions with ASTO about trying to get some clarification on the covered entity definitions. We worked with an attorney, working with them, and again we had sort of the same problems. We submitted some questions hoping that there could be a state submission to HHS that would cover the issues and concerns of all 50 states rather than every health department in the country having to separately write in. Again, we never heard back. I don’t know what happened to it. After that I think that they have been involved in HIPAA issues, I’ve occasionally been involved in some conference calls that ASTO has had but again, I’ve not seen a lot, at least I haven’t, in terms of state health department coordination on HIPAA issues.

MS. GREENBERG: Is it more informal than communication across health departments? Although each of you has to do your own assessment, there does seem like there’s a lot of benefit to not everybody having to reinvent the wheel.

MR. BALLIN: There definitely is. We’ve had somehow, through the Massachusetts Health Data Consortium which is an organization that’s done a great deal of work on HIPAA and really helped us as well as really the whole health care industry in the state. Through them we’ve had some assistance because they have a wide variety of contacts throughout the country. They’ve been able to provide some assistance to us in terms of how other states are dealing with the issue.

I think early on I was hoping that there would be some organization of state health departments that would take the lead in providing guidance because so many of our programs are federally funded and exist throughout the country in health departments so our issues are not unique. I do regret that it is felt to us that we are sort of on our own here to make our own decisions.

MS. GREENBERG: About the other question, do you have a privacy officer in your organization?

MR. BALLIN: We don’t yet. We are in the process of trying to hire one. We’ve been a little behind in our whole compliance process. We got pretty held up in terms of the covered entity issue and where we were going. So we’re late in a number of areas and the privacy officer is one that is in the process. There was some effort to drag me in but I resisted. We think that will help us significantly to have someone who can actually dedicate full time to this because we have not yet had a full time person working on HIPAA in our office.

MS. GREENBERG: I was just wondering if Ms. Bergman could ---

MS. BERGMAN: Would you like me to address the same --

MS. GREENBERG: If your experience has been similar or if you had anything else to add there.

MS. BERGMAN: Since I work at the department level and public health is a division within our department, I’m probably not as familiar with their immediate issues. However, I do know that we have read a number of issue briefs coming out of ASTO and a number of our employees and staff have been involved with regional conference calls.

On the other hand, we regularly monitor the NEME(?), but they have a number of work groups, their latest being a public health work group which is members from 50 states at this point. We have also tried to keep up to date with WETE(?) and also GIVES(?), which was mentioned before and there are a number of white papers from those organizations.

As state agencies I think we’ve tried to coordinate and understand our problems and try not to reinvent the wheel.

MR. ROTHSTEIN: I’m sorry for interrupting. Thank you very much. Dr. Cohn.

DR. COHN: First of all, I want to thank you all. It’s been very interesting testimony. In my own mind putting it together I think I’m sort of hearing that within the Department of Health and Human Services, in most states the model of HIPAA seems to work. Ms. Allan, I wanted to follow-up on an area that I was trying to figure out how this was going to work which you had identified as an issue related to the interaction between health and human services and outside non-covered commissions, departments, agencies, in the state in terms of collaboration on work activities, things that are really not disease management that are probably, maybe in the broader term may be case management, just to use the word right. I couldn’t quite figure out how you were going to address it and I was actually going to ask the same question for Jean knowing that she’s working primarily within the department. Is this an issue that New Hampshire has also?

MS. ALLAN: I think in Massachusetts it’s probably different than New Hampshire because of the way we’re structured again. Our executive office is there to provide coordination among independent agencies, but they are independent agencies. The agencies are often related, like our direct financial assistance is within our secretariat as is the medical assistance program. Social services, which is the primary agency for support for families and children in need of services, children at risk. The division of youth services, which really serves the criminal justice system in terms of disturbed youth. They are all within our secretariat but they are independent agencies.

Public health would be a covered entity, medical assistance is a covered entity, mental health is a covered entity. But for example, social services is not nor is the department of transitional assistance, which is just a cash assistance program. But clients are getting services very often from a number of these agencies.

For example, we have spinal cord injury patients. We sort of pulled together in the executive office level a special task force that has agency representatives from all of our agencies that provide any kind of mental health, our Commission for the Blind, our mental retardation services, the Mass Rehab Commission, that will sit and look at cases and try to determine if there is some better way of servicing them or can they bring in services from a number of different agencies to give a comprehensive support to someone who needs services. That’s on an individual basis.

Families really present a challenge because there may be an in-take at one of our mental health centers that clearly indicates that there is potential for a disruptive or disturbed home environment. Normally the in-take worker would notify social services. Now this isn’t a mandatory report because it’s not necessarily suspected child abuse of any kind, we do have mandatory reporting laws in the state for abuse situations. Flags are going up, red lights are going off. Here’s a situation where maybe there are children at risk or at least a home environment that could use intervention. So the normal thing would be to bring this in and make a referral and have a case worker make contact with the family to assess whether there is difficulty or not.

HIPAA doesn’t let us do that anymore because coming into a mental health center says I’ve got a mental health problem. We can’t even, under HIPAA, tell somebody else that this person is a client, unless there is a state law mandating that we report it. We can’t just do a case referral on it as we used to do. Could we get an authorization? In some cases we might be able to but candidly, again, mental health is one that I’m particularly familiar with, it’s unlikely you are going to get an authorization particularly an informed authorization at in-take in many of these cases. And you have to do the assessment, is this such an emergency that I’m ok in reporting this under the HIPAA rules?

I think people are going to be very conservative. People are worried about violating HIPAA. What we see it as this huge potential for lawsuits all over the place is one of the primary things that HIPAA has done for state agencies very candidly.

So we are going to have to be very very careful and our case workers are going to be very very careful and all our concern is that this is really going to impede services to our clients where they most need them and we’re really grappling with how are we not going to let this happen?

DR. COHN: I heard the problem before pretty well but you’ve identified it a little more clearly. I guess the question is, this is not a Congressional hearing. This is a hearing by the National Committee on Vital and Health Statistics which is trying to advise HHS about implementation and how we can ease burdens, make these work better. I’m still waiting for some sort of solution and I was just sort of wondering if you had any thoughts or . . .

MS. ALLAN: Well we are looking. One of the things that we are going to look at doing and this is something I guess that New Hampshire is involved in, we are looking at all of our regulations, we are looking at our state statutes. If we have to go in and do substantial regulatory revisions, we’re looking at how we can do that so that some of these things become required by law.

Now you’re walking a very delicate balance as a state agency because you don’t want to overreach. You don’t want to put into effect either laws in statutory form or in regulatory form that could go too far or that could be abused in terms of the state’s reach in sharing information. We’ve tried to balance in the state statute we do have on privacy, really balance program needs against individual rights. If we’re going to err we’re going to err on the right of the individual’s privacy rights.

When you get particular social services where what you are trying to do is to prevent harm to families or to children or to get people into a situation where they are going to be better able to handle their lives either physically, mentally, economically, any impediment to that becomes a real concern. So we are looking at our regulations, we may do regulatory changes, we’re looking at how we can use authorization and where we can use them. Some guidance on that would be very helpful.

I’m reading what is required to be a compliant authorization and I’m saying it’s going to be almost impossible to do one on in-take or to do one at the beginning which really is what is considered compliant because of the specificity that is required within the authorization. As I said before, it’s not realistic to keep going back to a client repeatedly for additional authorizations.

We will look at statutory changes if we need to. We will not be able to get regulatory changes in place for, it’s usually an 18 month process, very candidly, to get regulations through the system. Again, we have to go through a centralized notice system. We’re only a handful of agencies that are putting forth regulatory changes. We go through the process. Statutory changes is anyone’s guess. The last few years our legislature has exclusively focused on budgets almost to doing nothing else. They have done other things but almost every piece of legislation gets back shelved just to deal with budget problems. So you can’t guarantee that you are going to get the attention you need. I see the HIPAA rules as being a step backwards for services for people in that respect.

DR. COHN: Jean, do you have any comments from New Hampshire?

MS. BERGMAN: I’ve lost sight of the question. Could you restate it for me please?

DR. COHN: It had to do with communications beyond the Department of Health and Human Services that have to do with things that are in the welfare and interests of the person receiving services, or whatever. I just had heard testimony by Lorllyn that was indicating to me that there was issues relating to communication of data that she felt necessary around case management and other things like this because they were outside of the agency.

MS. BERGMAN: I think in some regards New Hampshire is unique in that we have, we’re small, we’re rural, we have a very tight-knit service community which includes hospitals, doctors, other health care providers. From a department perspective we all have all of those divisions that either contract with or regulate those entities under one roof.

Also, you’ll be hearing this afternoon from a group called the NHVSHIP(?) which is a consortium . . .

MS. KAMINSKY: No, they are not coming.

MS. BERGMAN: They aren’t coming? Too bad. They are a consortium of Vermont and New Hampshire because we are border states and share clients and services of hospitals, physicians and other health care providers who have come together to deal with the issues of HIPAA. They have a steering committee, they have broken out into various work groups, privacy, security, transaction and codes, and I think they just go further down the line from there. So the communication with regard to what needs to be done and how it might be done works very well there.

We have tried to stay away as a department from being the trainer for the state of New Hampshire, whether it be other state agencies or providers within. We just don’t have the resources or the money.

But what we have done is we’ve had many many training sessions with community mental health centers, developmental disability folks, nursing homes, residential care facilities and have sort of educated them to the point where they are able then to go out and find this assistance that they need in order to be compliant with HIPAA. But we have not taken on the chore of helping them become compliant.

MR. ROTHSTEIN: We are running over so I would ask the remaining three subcommittee questioners, including myself to limit the questions, if possible, and I would ask the panelists to make your responses as brief as possible so that we don’t back up this afternoon’s panel. Dr. Danaher.

DR. DANAHER: Just a brief point and then a quick question. Ms. Allan, I thought it was fascinating the issue you brought up about the litigation and the litigiousness around the privacy mandates. It just kind of begs the question, and I don’t want to feed into the stereotype, but just the kind of perennial question of whether the types of services that you provide, and the populations that you provide them to, whether they are more litigious than the general society.

MS. ALLAN: No, I don’t think so, but I think that the state provides a very nice target for people, which is why we are particularly concerned about it.

DR. COHN: The question that I have is more for Mr. Ballin and that is, Massachusetts is one of the more progressive states, arguably one of the more wealthier states, I just worry hearing about the resources and everything at the state level. I’m coming away with the impression that local public health officials in Massachusetts are pretty much undermanned, understaffed, underfunded, etc., and probably have not done much to get into compliance with HIPAA. Is that a fair statement?

MR. BALLIN: I think that is a very fair statement. I would go so far as to say they are fed up for the most part with state and federal mandates. Many of the health departments, again because we don’t have a county system, many of them are in very small towns, extremely understaffed, barely have any computer systems at all. Any additional mandates on them are very significant and we have to deal with that every day with regard to our public health regulations that in many cases get enforced at the local level. So I do think there is certainly an issue.

I’ve had some contact with some of the larger health departments such as the Boston Public Health Commission. They are obviously in a better situation to deal with HIPAA compliance issues. But nonetheless, I think every local health department is concerned to one extent or another about HIPAA requirements.

DR. COHN: The irony is that the issues that the regulations cover can often be felt the greatest in a small community or a small area just because of the, the fact that everybody knows everybody else. Anyway, perhaps it’s most salient there.

MR. ROTHSTEIN: Kepa did you have a question? I have one question that I’d like to ask all of you perhaps and in particular Mr. Ballin. I have heard frequently from public health officials throughout the country that even in advance of the compliance date they are running into difficulty obtaining the kind of surveillance data and reporting that they’ve used forever and that HIPAA does not expressly prohibit disclosing and yet providers and hospitals and so forth are making it very difficult to get the data they need on infectious diseases, sexually transmitted diseases, suspected child abuse, you know what the list is.

One of the concerns that I have is that we heard in prior panels about the lack of training that physicians were receiving especially in small group practices and the small provider organizations. I’m concerned that the training itself might be limited to what they need to do to comply not with what they can still do notwithstanding HIPAA. It may not be included in the standard training exercise and so maybe this is a question for the wrong panel but they left yesterday.

Can you shed any light on this concern and in particular make any recommendations about how we can suggest that this issue be resolved so that you can still get the data that we need for public health purposes.

MS. GREENBERG: Can I just add, I really want to reemphasize that and also what I heard yesterday, a lot of it was - when in doubt don’t provide the information. I think the mindset is, as you said, the concern about litigation, etc., but that where there are a lot of questions, the safest thing is just don’t provide it.

MR. BALLIN: I think that is a real challenge for us and I have hit upon that exact sentiment many many times - we’re not really sure for now, we’re not going to provide it. It’s going to take a great deal of education, particularly to the smaller providers out there that may not be familiar with the exemptions in HIPAA that are, as I mentioned before, I think they are appropriate to allow public health to proceed as it must. It’s going to take some educational effort on our departments’ behalf to provide some education particularly to the providers out there and hopefully from others as well through some of the trade associations and other groups.

I don’t know, we’re not even there yet, in terms of being able to do that, we’re caught up in our own issues of how to meet the deadlines and come into compliance.

There is no doubt, I do get quite a number of calls related to the question of - we’re concerned we cannot provide this under HIPAA, we won’t be able to after the compliance date - and in most cases I found that there is an exemption that would specifically allow for that reporting and that there is not a significant issue but again, the perceptions out there are that HIPAA doesn’t allow you to do anything and let’s just hold onto it until we’re sure we can.

MR. ROTHSTEIN: Not to place any greater burdens on you and your agencies, but it strikes me that if public health reporting were item number 35 on the HIPAA training for providers, it would be lost, whereas if OCR produced a small pamphlet that said HIPAA and Public Health Reporting, and made those available to you and you could then distribute them to the normal reporters, the county health departments and so forth, that might be a more efficient way of making sure that the regular reporters continue to do so. Would you be comfortable with that?

MR. BALLIN: I think that’s a very good idea and I think actually coming from HHS, even though distributed by the state, I think would be very helpful. To a certain extent we are in a position where we have to interpret someone else’s regulations, which we are not always comfortable doing. I think that would be very helpful in order for us to be able to conduct education as to what HIPAA really requires.

MR. ROTHSTEIN: Would either of you like to comment on that. Ms. Bergman?

MS. BERGMAN: We’ve given this some thought and what it appears to us is that we’re lacking in our public health division relative to actual policies and procedures around surveillance and oversight activities. Although we may very well have enabling legislation that provides for surveillance and gives us the authority to do surveillance, the actual process by which we go about doing surveillance and why is somewhat vague and limited.

We see HIPAA as giving us an opportunity perhaps to beef up those areas and actually provide a policy or a procedure at the department level for the type of businesses that we actually perform on a day-to-day basis which are lacking now.

MS. ALLAN: I would like to encourage that kind of thing actually. One of the overwhelming things we are facing is, as I mentioned earlier, getting people to understand what HIPAA does not do as well as what it does do. Any help in that regard would be very useful.

I want to add something for law enforcement would be very helpful. I don’t know how to go out and educate the law enforcement community about the steps HIPAA requires them to take now in order to access PHI, under what circumstances they can access it, how they can use it.

MR. ROTHSTEIN: Well, thank you very much. We appreciate your testimony. It’s been extremely helpful to us and the subcommittee will stand in recess for lunch until 1:15. We will resume with our final panel at 1:15. Thank you.

(Whereupon, a luncheon recess was taken)


A F T E R N O O N S E S S I O N 1:38 p.m.

Agenda Item: Consultants/Other Resources-Panel 3

MR. ROTHSTEIN: Welcome back and we are ready to begin our seventh and final panel on the two day hearings. This last panel will be on consultants and other resources. Before we get started this afternoon I want to take a minute to thank all the people who have made this hearing of the Subcommittee on Privacy and Confidentiality possible. In particular our lead staff Stephanie Kaminsky who spent many hours putting together these expert panels and we thank her. I also want to thank Marietta Squire from HHS, although she’s not here at the moment, she’s obviously working on some project, and Cheryl Wilhide, our contractor who worked on getting the arrangements for this meeting. We thank all of them for making this very productive meeting possible.

On our schedule, though we are beginning this last panel somewhat panel, I want to alert those in person as well as those listening via the internet that we have no public testimony scheduled so after this session will begin obviously at 1:30 p.m., instead of 1:00 p.m. and go to 3:00 p.m. Then we will take a 15 minute break and proceed directly to the subcommittee discussion which will focus on our next two hearings in Baltimore and Salt Lake City. So without any further ado, let me just introduce the panel members and note that Dorothy Wagg, who was listed on our schedule as the fourth speaker has submitted expert written testimony which has been distributed to the subcommittee members but she will not be able to be with us this afternoon.

We will proceed directly with the other three listed speakers in the order in which they are on our agenda. So first, Mr. David Szabo.

David Szabo, J.D., Boston Bar Association HIPAA Preemption Task Force, Nutter, McClennen and Fish LLP

MR. SZABO: Thank you very much and thank you to the National Committee and Subcommittee for inviting me to come and speak with you today. I would also add my thanks to Stephanie Kaminsky who expedited my appearance and has been very helpful in that process.

My name is David Szabo, I’m a partner at the Boston law firm of Nutter, McClennen and Fish. I’m here before you today in my capacity as co-chair of the Boston Bar Association’s HIPAA State Law Preemption Task Force. The BBA Task Force was organized by attorney Robin Johnson at the law firm of Freeman Johnson, well over a year ago to begin our efforts.

To a degree I’m here under a little bit of false pretenses because the title of co-chair overstates my contribution to the task force work and minimizes hers. Without Robin’s leadership and effort there would be no task force. She has organized a group of 33 volunteer attorneys into eight subcommittees with the purpose of reviewing a wide range of state laws, regulations, executive orders, court rules, and cases in order to analyze each and every one of them to determine their interactions with the final privacy rule.

The committee has developed a list of more than 200 laws and regulations in sources of authority that it’s comparing to HIPAA for preemption and analysis purpose. The Preemption and Analysis Subcommittee of that group was chaired by Steve Bernstein at McDermott Will and Emery, who has developed a conceptual outline for performing a preemption analysis which has been of invaluable guidance to the other subcommittees in their work.

I could go on for some time acknowledging the work of all the individual lawyers in both private practice and government service who have donated uncounted hours to this project. I cannot acknowledge them today but they will be acknowledged in our written final report.

Our report will be in the form of a grid, sometimes called a side-by-side analysis, in which a state law or regulation will be summarized alongside a summary of a relevant provision of the privacy rule. Next we will have our conclusion regarding preemption and in some cases along with additional commentary or a qualification on that conclusion. The Bar Association plans to release the side-by-side analysis along with the conceptual template some time in the fall of this year in CD-ROM form. And that is something that the Bar Association will be publicizing to make available for sale. The law firms and lawyers who will participate in this don’t realize anything from that, that’s something we’ve done basically for the benefit of our members and the Bar Association.

Our subcommittee chairs, in addition to supervising the work of their committees, have appeared at quarterly meetings of the Mass Health Data Consortium Privacy Officer Forum to describe the various state laws that apply to health information. Our experience is that privacy officers are well aware of their obligations to abide by state and federal law and have shown great interest in the work of the task force.

In my capacity as the co-chair of the New England HIPAA Work Group Privacy and Security Committee, I have received many expressions of interest in the status of our analysis and its availability to health care organizations.

As this committee is probably aware, many other groups are studying the question of HIPAA preemption. I think the Health Privacy Project at Georgetown, the American Bar Association, the state of Maryland, and many professional and trade associations. I’m sure there are many others going on right now that I’m not even aware of.

The complexity of HIPAA preemption is the result of several factors. State privacy law easily meets the test of being a crazy quilt, so-called, or patch work, of inconsistent, overlapping, and unclear mandates. Massachusetts does not have a single comprehensive law governing the privacy or use of health information. It has many such laws governing the obligations of health care providers, insurers, government agencies, and others. These include imbedded in licensing laws, regulations governing professional discipline, evidentiary privilege statutes, fair information practice statutes, public health reporting laws, crime prevention statutes, and many others.

A second cause of this complexity is the administrative simplification statute itself and its partial preemption clause that saves state laws that are more protective of privacy and access and preempts many but not all others. We can blame Congress for this if it makes anyone feel better, but we should remember that Congress failed repeatedly to adopt a national medical privacy law after the enactment of HIPAA in 1996. Political questions, including preemption, regulation of research, the rights of parents, and other questions prevented Congress from reaching a consensus. The complex partial preemption language creating a private floor but not a ceiling is an example of a political compromise that was required to enact a law authorizing the secretary to create the privacy regulations that here today.

I’m proud to be associated with the efforts of the BBA Task Force. I believe our work product will be useful to attorneys, privacy officers, and others with sufficient legal or technical background to make use of it. But it’s a technical tool, it’s not written in layman’s terms, it’s not meant to be something widely pushed out necessarily to a provider on the front lines.

Without Robin Johnson, our volunteer attorneys, the support of the BBA Steering Committee, and the association’s leadership our work could not have been possible. I hope everyone finds it useful when it’s released.

But there are important limits to the utility of a preemption analysis and the degree of certainty it can offer. As an example, I would like to cite the Massachusetts Privacy Act, a law of general application, that applies to all persons and businesses, not just those in the health care industry. The HIPAA privacy rule is long, detailed and complex. It sets forth substantive rules, mandates procedures to enforce them and document them, and regulates both external disclosures and internal uses of health information by covered entities. What is not permitted by the rule is forbidden. The Massachusetts right of privacy law, on the other hand, is one paragraph long. It consists of two sentences and 33 words. It reads in full as follows -- a person shall have a right against unreasonable, substantial or serious interference with his privacy. The Superior Court shall have jurisdiction in equity to enforce such right and in connection therewith to award damages -- this law is simple, short, general and vague. It mandates no policies and procedures and requires no forms. It does not require the appointment of a privacy officer, designation of affiliated covered entities, or organized health care arrangement.

But, unlike HIPAA, it allows state courts to award damages or provide equitable relief, injunctions and court orders from invasions of privacy. Now I ask you, is this law less protective of privacy than HIPAA or more so? The answer is a good lawyer’s answer. It depends. The final rule may end up becoming the best practice for the protection for individually identifiable health information. However, anyone at any time could argue that a use or disclosure of health information permitted by HIPAA is a violation of the statute that I just read to you. And it would be up to the Massachusetts courts to decide the point. Not even our task force of 33 lawyers and our list of 200 points of authority can change that.

My strong impression is that HIPAA compliance can be divided into three tiers, and you’ve probably heard this already. The first tier is composed of large organizations, such as the licensed health plans and the integrated delivery systems. They have made substantial investments in HIPAA compliance in terms of staff, legal resources, consultants, and technology. Some of them are ready now. Most of the rest will be ready in April.

The second tier is composed of organizations that are aware of HIPAA and have started their efforts, but are a long way from being ready. Their efforts may be hampered by undercapitalization and thin or non-existing operating margins. HIPAA is one of many mandates they must comply with. They will do what they can with what they have.

The third tier are individuals and organizations that aren’t aware or don’t want to hear about HIPAA. This includes small organizations and sole proprietors and may include large organizations that have little or no realization that HIPAA may apply to them. This may include some self-insuring employer sponsored health plans. Some providers are well prepared to meet their HIPAA obligations and providers, or as clearing houses, are only now discovering that they have a distinct set of obligations with respect to their own employee health benefit plans. It also includes a lot of business associates who may be surprised by a new contract they have to sign in April in order to keep their customer base intact.

I think government can take some steps to make this process easier. Small providers need access to approved forms of notices, authorizations, and most of all, policies and procedures that are simple enough for a small organization to use but are compliant with the intent of the rule.

A ten page notice is of no use to anyone and I’ve seen these documents drafted by very competent able attorneys and I try to imagine the response of a patient getting one of these documents and trying to read it and understand it while they are also getting their health care.

A 30 page procedure manual is of no use to a sole practitioner social worker or a small medical group. Some form of administrative simplification for small organizations and sole practitioners is needed.

The cost of HIPAA implementation should be taken into account in setting provider rates of payment, especially for health care providers that are highly reliant on government payments. An example would be community mental health services, whose entire patient population may consist of state funds and Medicaid payments.

Some providers have literally no money to divert to HIPAA compliance. Others will be forced to make painful choices between investing in compliance and other investments in quality improvement, clinical staffing or health technology.

Finally, I think outreach efforts such as those sponsored by this Subcommittee are of great importance. Special educational programs targeted at smaller organizations, health plan sponsors, and others who may not be fully aware of their obligations can only be helpful.

I thank you for your interest and I’m happy to take any questions that the subcommittee may have.

MR. ROTHSTEIN: Thank you very much Mr. Szabo. Any clarification questions? We’ll be back to you for the general discussion. Our next witness is Barbara Ruffino.

Barbara Ruffino, Privacy Consultant, Integrated Collaborative Solutions, Inc. (ICSI)

MS. RUFFINO: Thank you, again, I also want to thank the Committee and the Office for Civil Rights for making this possible.

There are three areas I want to address in the brief time I have. The first is the impact of the privacy rules on provider offices and that’s based on my experience. Second are some of the HIPAA myths I have encountered over the past several years of HIPAA consulting. And the third is the HIPAA resources, those that are available primarily for providers, small offices, and those that are not available.

In terms of the impact, as I said, my experience, I’ve been consulting on HIPAA for about three years. It includes experience with major medical centers, health systems, health plans, provider offices, provider associations, both state and local and regional, and one on one with provider offices, including my own physician, as well as pharmacies. I’ve done consulting in a wide range both on the technology, very limited, that’s not my area of expertise, some of it on security, and some of the major part of it on privacy. So that’s the experience.

In the three years that I have been doing this, and I have presented to a number of provider offices as well as providers, I continually am amazed that when we present what HIPAA is really about in terms of privacy, the response is this really is a better business practice than what we’ve been doing, particularly from provider office staff saying we were never happy about doing it that way.

Including this morning with my own doctor, when I said what should I tell the committee, he said tell them it’s really a good idea. You can take that from my provider, a very small office.

MR. ROTHSTEIN: Well, we have vote.

MS. RUFFINO: One vote. As I see in my experience with these provider offices there are three major problems. The first is that the standards are still not fully understood. I think you’ve heard that both yesterday and today by the physicians and the other providers. They are trained to treat patients. If the 80-20 rule applies for physicians and other providers, they probably would like the 90-10, which is 90 percent of their time is on treatment and ten percent on business. Unfortunately they also now have to manage a major business enterprise with regulatory issues and business issues, reimbursement issues, all of those things consuming far more time than they want. And if they have any time and energy to get around to it, HIPAA is not going to be their first priority.

The second is that physicians are not what we in the change management business call early adopters. In fact, they are frequently not that in terms of even clinical guidelines. And again, since they are probably spending less than ten percent by choice and maybe more not by choice, they are not going to spend their time on business management issues unless they are absolutely critical.

For example, we’ve long known that the electronic transmissions are more cost effective, more efficient, require fewer staff, and yet not all doctor offices are electronically sophisticated, and why is that? My guess is that first of all it’s time consuming to implement that, it’s not where they want to spend time, and if they have additional cash it’s going to go for clinical issues rather than the electronic, although Dr. Weintrub can address that since he’s on the technology side as well.

But I think that physicians and other providers are much more interested in clinical improvements in their office, not business improvements.

And the third problem I think is clearly the squeeze on reimbursement rates which David just mentioned. There was no money included in the HIPAA legislation for any additional reimbursements. In the most recent survey by the Health Information Management Systems Society and Phoenix Health Systems and previous surveys, all of the payers are way ahead in terms of implementation as opposed to the providers and especially small offices. I think they get ranked higher in terms of implementation success or progress and I think the reasons are simple.

First of all the payers can more easily find the money, they have more access to financial markets than a small provider does. And the second is they have the first dollars. When the premium comes in they take theirs first and then they can make the cost accommodations down the line and that’s sometimes at the expense of the providers level. That may be an oversimplification but sometimes perception is reality.

Let me move now to the myths. The one, and here I have to admit a bias. As a former cabinet director of the Department of Elderly Affairs in Rhode Island and as the executive director of a public policy research and demonstration program for consumers, primarily elderly, I come with a very severe consumer bias to HIPAA and to privacy as well as the transactions. In point of fact, and I tell all of my clients which is HIPAA is essentially consumer legislation. It was called health care portability for a reason because it had to do with insurance portability and the consumers need to have insurance.

Administrative simplification which we now all refer to as HIPAA was actually as much an industry initiative as anything else. And the industry wanted to have administrative simplification for good reasons. That it would reduce health care costs, but that’s really, from a consumer point of view, it’s not going to help the consumer that much. It’s really for those in the food chain from the payers down to the providers. Very little of administration simplification from the transaction side and electronics side has any direct consumer benefits. All of the benefits are going to accrue to the industry itself in the form of fewer forms, quicker access to information, and payment. So I think it’s inaccurate and inappropriate to describe administrative simplification as simply another federally unfunded federal mandate. It wasn’t just a federal mandate. It was a federal mandate and that’s the privacy rules and those I think are more accurately described as consumer mandated because as you look at the history of HIPAA, and you obviously know more about it than I do, but it looks like once they got electronic promotion, then the consumer advocates came in and said wait a minute, it’s one thing to walk into a file room and take out five or ten paper files, but when you walk out with a diskette with everybody’s file, or even worse, from 100 miles away you access that, then we want to be sure that there is security.

So that’s where the privacy is not a federal mandate in the typical sense but a consumer mandate and they’ve asked the Department of Health and Human Services and the Office of Civil Rights to manage that for consumers and I applaud that.

But again, I think that the unfunded federal mandate is what people heard and all of a sudden took a negative attitude about it and we spoke earlier and I said I think that sort of shift that people now understand that privacy is far more serious than just to give it the short hand of another unfunded federal mandate.

As I said before, the health care industry is going to get the lion’s share of those benefits, any financial benefits that accrue. So also in terms of unfunded, frankly, as a consumer, I’ve been paying for the privacy and security, I just haven’t been getting it as a consumer. So I think that it is funded, it’s funded by consumer premiums and savings on the electronic transactions.

Now I want to address just quickly the issue of the resources. That has been very difficult for those of us in consulting because there hasn’t been a lot out there. One of the things that I will say that has impressed me with HIPAA, and David just spoke about it as well, and that is the collaborative efforts that have been going on throughout HIPAA. I was down in Baltimore of September of 1999 with one of the first HIPAA summit groups and it was an incredible experience because it was people from all across the industry, the consultants, the vendors, the federal government, all of the representatives were there, everybody took on an assignment, or many of the people there, to produce papers and resources that anyone in the industry could use without paying, so they would be made available.

I think that some of the other groups, WETE(?) certainly has taken a very strong position in terms of providing resources, some of the trade associations, the NCPDP, National Council on Drug Programs has done that for the pharmacy industry, AMA has done it for the medical industry, there’s just a lot of things that have been done that are available to people.

Now that having been said, there’s a down side to that, which is that many of the resources that are out there are less than what is helpful or accurate. Certainly in my business I run into that all the time. I hope mine is not, but it’s very hard for providers to know what to choose and if you pick one, you heard yesterday that there was a kit and if you bought that kit you would be compliant. That kind of advertising worries me because it’s not that simple. It’s not rocket science, but to buy a book and put it on a shelf and say I’m HIPAA compliant is not the way it works.

For providers, what they are concerned about is what if I buy the wrong book and I’ve based my whole HIPAA program on that and it turns out to be wrong? Frankly, I think that if they’ve made that effort, they are not wrong, but they may have to make some changes, and that’s what I advise them. It’s not a matter of being right or wrong it’s a matter of paying attention to what you are doing and how you do it.

But they are concerned about which resources are the best resources, which ones, what policy works, what doesn’t. A number of associations and organizations have taken that on and as I said, some are good, some are not. I do think there are some things the Office of Civil Rights or the committee or whoever is in charge of this can do.

First of all, and I think Brian Cozick(?) yesterday in his public testimony talked about the guidance and Mr. Rothstein said that he never goes without his privacy rule. Well, when I go to clients I never go without the guidance as well as the rule because the guidance that you sent out last July was a wonderful document. It was easily readable, and it was understandable by even those who would rather not understand.

I think that additional guidance, based certainly on what you have heard over the last two days here and what you will hear in the other hearings would be very, very helpful. It doesn’t address all of the questions so the FAQ’s are helpful. But one of the issues I had with the FAQ’s was I was with a client and we had a state program, it actually was an ADAP(?) program that helps HIV patients with pharmaceuticals, and we didn’t know whether it was covered or not and so we sent a question to whatever the web-site address is and we never heard anything back. It’s a little frustrating and it makes a big difference as to how you do something.

My feeling is if you’ve got somebody’s health information you’re a covered entity, think of it that way, similar to what both of the health departments said.

I think that the guidance and FAQ’s, much more available and accessible would be very helpful. Having spent my early years in consulting in the federal government, there were clearinghouses of information that were made available. Most of my work was on the Department of Education side but there were clearinghouses for information on early childhood education when we were first trying to get kindergartens nationwide, so people knew where to go, which programs had for all intents and purposes valid research, if not certified. You don’t need to necessarily certify it but say, here are the things that we’ve looked at and appear to be realistic and they properly represent what HIPAA is. That’s the problem that we have, that it’s not being properly represented. I don’t know how else to do it than for the appropriate authorities in Washington to work with whoever they can to identify appropriate resources.

The second is to develop a very simple HIPAA practice management handbook for small provider offices. Even in the original rule it had here’s what’s expected of provider offices. But to flesh that out and, as David said, with some sample policies and procedures, the forms are readily available but where do they go get them? I know where they are because I spend every day doing HIPAA consulting but you walk into a doctor’s office and they don’t have the time to do that research.

Some of that, I think WETE(?) has done a wonderful job with their recent publication for small practice implementation, I think California Health Foundation has done some, but at least point people to that. I don’t know if it’s possible to do it but certainly a basic handbook to get people started would be extremely helpful. All the information is out there it’s just somebody collecting it and putting it together.

I think also that one of the things that came up before and, as my bias as I said was consumer advocacy, I am very concerned also about what happens with consumers on this. I hear providers being concerned that the minute it happens next April that there’s going to be a rush of patients asking for their information. I doubt that very much.

But I do think that patients and consumers need to understand what this law does do and doesn’t do. Early on I heard from colleagues in Florida that the elderly were being told don’t give providers any information. That’s not the purpose of HIPAA, it’s to improve information for health care purposes. Those kind of scare tactics are kind of dying away very quickly. But that does worry me when those things come out.

I will say that as a consumer, every time I go to a doctor’s office and have to fill out a form I think about it very differently now than I would have, and I do not fill it out the same as I would have three years ago. There are questions on there that I know that if they are going to keep it private fine, if not there’s a lot of questions out there that shouldn’t be asked. They have no value for my health care treatment. Those are the kinds of things that people should be looking at and consumers need to know that they don’t have to answer every question. That’s part of what that should be in terms of keeping things private. If it has to do with their health care, they should. That’s my fear, they will balance off and not answer the health care questions the way they should.

I think that additional guidance, FAQ’s, I think if the FAQ’s were based partly on the categories of providers, for example FAQ’s for hospitals and health plans, FAQ’s for small offices, and make sure that the small offices know that it’s not just physicians, because I work with chiropractors, acupuncture and all of those, and it means all of them. In fact I got a question the other day, does this really mean pediatricians? Yes it does. Some of the most fun of HIPAA is getting some of the questions.

I think that those things will help providers and I think they are all serious about doing this and this is sort of the opportunity to step back. They’d rather not do it but I have not heard any criticism of what it is they have to do except those that have misinformation, such as I can no longer have a sign-in sheet, but other than that I think it’s going to be helpful to them in terms of their relationships with patients and I think they understand that.

Thank you again for the opportunity to provide this information and I’m happy to answer any questions.

MR. ROTHSTEIN: Thank you. Dr. Danaher.

DR. DANAHER: May I just put a place holder, it’s not exactly a clarification, so I apologize, but I just want to revisit this. I think what Ms. Ruffino brought up which I think is very very salient, is this concept of a clearinghouse and frankly, let me reveal my own bias, I’m less concerned that Fallon Health Plan, for example, based on earlier testimony, utilized or happened to get a bad consultant or a consultant that whatever, and I’m much more concerned that unequivocally we are hearing that providers, small and medium size providers, are behind the eight-ball.

Number one, they are way way way behind the eight-ball, and number two have very very limited resources. It’s picking a bad provider or paying three thousand dollars for a Massachusetts state preemption analysis or something like that, could people be financially ruinous or it will have a much greater impact on the small and medium size providers. I think these constituents, our constituents, don’t have the 14 million dollars that xx has or whatever, over the next three years to spend on this.

I’d like to come back and revisit but I just wanted to put those comments in. I think that the need for a clearinghouse for small and medium size providers that really can facilitate the things that they need to get done is really an excellent idea. Thank you.

MR. ROTHSTEIN: Any other clarifications/place holder comments? Dr. Weintrub, please.

James Weintrub, M.D., Founder, Digital Physicians Network, LLC

DR. WEINTRUB: Thank you. Good afternoon. I want to thank the subcommittee for inviting me and giving me the opportunity to present our work.

My name is James Weintrub, and I am a practicing physician and software developer. Our company, Digital Physicians Network, develops healthcare solutions for consumers, patients, and physicians. We were invited because we are completing our latest project, which is an educational CD-ROM created to help Blue Cross Blue Shield of Rhode Island educate their providers - specifically physician practices - about HIPAA.

You’ve heard already from legal, technical, policy, and organizational specialists on HIPAA. Our perspective is different: it centers on the practical problems of giving physicians and their office staff a simple, bare-bones explanation of HIPAA and the necessity of complying with it, and giving them easy access to the tools and materials they can use to meet its requirements and deadlines. For this presentation, I’m focusing on compliance with the privacy rule.

I’m a plastic surgeon serving as chief of the division of plastic surgery at the Providence Veteran’s Administrations Hospital. One day a week I attend patients, and as Clinical Assistant Professor of Surgery, supervise the Brown University trainees. The rest of my time is devoted to running Digital Physicians Network.

As a practicing physician, I have daily contact with doctors and the culture in which we work. I understand the pressures, time constraints, and conflicts involved in trying to balance the needs of patients, colleagues, staff, and legal, regulatory, and reimbursement requirements. The last thing doctors want to hear is that they have to comply with more cumbersome, complex, and confusing legislation.

Based on my interaction with physicians, here are some observations:

They don’t get it. Even after some years of publicity about HIPAA, many physicians are only casually aware of it, many think it’s optional - like the physicians practice compliance - and most don’t know there are penalties for non-compliance. There’s a huge need to get physician buy in; compliance is a tough sell and obviously has not been successful to date.

They haven’t been given the tools. Government and industry resources are comprehensive, but they’re scattered, not physician-oriented, and the material is difficult to locate and use.

What I’d like to talk to you about today is the effort we’ve just gone through to help physicians understand and comply with HIPAA and the process of building a multimedia application to accomplish that goal.

For background purposes, I will briefly explain some of our other Digital Physicians Network projects that are relevant and similar in nature to the HIPAA project, all of which illustrate our company’s focus on giving users an easy-to-use way to access and understand information.

Early on we developed a personal productivity - Benefit Buddy - that lets consumers get information about their health insurance coverage, its benefit structure, and how to navigate their delivery system.

We also developed MSA Central, a web-based application that explains Medical Savings Accounts, a confusing hybrid of health insurance and an investment vehicle with complex eligibility requirements.

Another physician practice compliance application helps ensure the proper assignment of Evaluation and Management codes, a complex system with specific definitions, rules, and algorithms.

Blue Cross Blue Shield of Rhode Island knew of our healthcare applications for physicians and consumers and, after we proposed a package of educational seminars and a multi-media CD-ROM, engaged us to work with them on the project.

One component of the project was to hold a series of four free continuing medical education (CME) seminars for physicians, at central locations, convenient times, and with a faculty of national and regional specialists in various aspects of HIPAA. Audience response - measured on formal evaluation forms - was extremely positive in every category.

The information developed for and presented in the seminars was the basis for the content of the second component of the project, the multimedia CD.

This component of the project was the development of a software application, presented on compact disk for both Windows and Macintosh personal computers and containing a narrative of the information presented in the seminars, screen displays emphasizing the main points of each section, and appropriate resources.

Before we could do anything, we took a long and hard look at what would be involved in doing this project and doing it well. The early stages of the development process are the same, regardless of the presentation medium you’re using.

Identifying the need is the first step in any development project, the equivalent of a novelist getting the germ of a plot. And nothing could be more exciting to developers than finding a complex system that needs simplification and lends itself to multimedia presentation on widely-available personal computers.

What needs simplification more than HIPAA? The legislation is tremendously convoluted, long, and frequently-changing; the impact on the physician’s daily work is undeniable; the penalties for non-compliance are severe; virtually all physician offices have personal computer systems in place; and, to date, no vendor or government has adequately met the needs of physicians’ practices by providing simple tools, customizable materials, and one-stop shopping for HIPAA compliance.

We next had to decide our design goals. Because our company is dedicated to making life simpler for health care providers and consumers, some goals were obvious and consistent with our historical approach: make a complex set of concepts easy to understand; make an overwhelming amount of material digestible by breaking it into manageable pieces; make boring material interesting by presenting it in a multi-media environment; make all the collateral material and actionable information easily available and in context; make the application itself easy to use (or in the case of the seminars, organize the content so it’s easy to follow); and make the physicians confident that they can manage the project and can access everything they need to accomplish it successfully.

At a very early stage, we examined HIPAA itself to see what we would need to know in order to do our work. A few things immediately became crystal clear to us: HIPAA legislation, with its thousands of pages of legal and technical information, is outside the physicians’ usual frame of reference. We could break HIPAA down into general components, privacy, security, and transaction standards, but each component is so complex in and of itself that explaining it properly requires even more specific levels and types of expertise. To adequately describe how to comply with the privacy rule, for instance, meant we had to involve specialists in health care law, health care policy development and implementation, practice management, training and education, and technology. We couldn’t do it by ourselves. We realized that we needed more than one perspective to be able to translate HIPAA into terms, concepts, and practical tasks that physicians could manage.

That’s why our presentations - and therefore the content of our CD application - necessitated the participation of consultant specialists in a number of fields.

We also realized that because the HIPAA legislation is so long, we couldn’t tell it all. We have to present the audience with only the information that was most relevant and necessary for them to complete a compliance project successfully. Doctors and their office staffs do not have free time.

Consequently, the essential challenges of the project were to distill HIPAA, extract and repackage its key parts, locate and present in context the collateral materials such as the Notice of Privacy Practices and Authorizations, and suggest operational steps in the compliance project plan.

And put everything in proper perspective, sequence, and easy-to-grasp handfuls.

We decided the seminar presentation would include a speaker on each of the main components, slides serving to backup their speeches, and handouts of sample wording, forms, and checklists. The software would present the same material in multi-media formats: voice narration, screen displays, and a resource section for collateral documents and information.

We assembled five experts from across the country: a health care attorney, a policy expert who had participated on a national level with HIPAA workgroups, a member of the National Committee on Health and Vital Statistics with expertise in employee training, a consultant/trainer from a nationally-recognized practice management firm, and a physician/solutions developer to cover transaction standards.

Gathering material was more difficult - and emphasized the need for the product we were creating. Even when you know what you’re looking for - and most physicians would not - it’s extremely difficult, for example, to find the Notice of Privacy Practices on government web-sites. It’s buried deep in a source document. As an aside, it would be ideal if the public sector would put all actionable HIPAA information and documents on a single web site. The federal site for copyright information is a great example -- it’s a really powerful resource that makes accessible and available all the information a user requires.

Besides the concerns with content were certain practical issues. The software to tell the story of HIPAA required some other expertise: a project manager to run the job, a writer to develop the script, a professional voice talent to narrate it, a programmer and graphic artist to put it all together so it worked properly and looked good, and, of course, an intellectual property attorney to bless it. We also needed a sound studio, a printing company, and a CD production house. In all, we needed over a dozen different talents to produce our HIPAA CD.

The middle part -- putting it all together and making it happen -- is hard work, and I don’t need to relate all the details.

The best part of every party, of course, is talking about it afterwards. We discussed the positive reception our seminars received, and we’re almost to that point with our CD. We haven’t quite delivered it yet, but this is what we knew we have accomplished:

We’ve told the highlights of the HIPAA story in simple language and a logical sequence.

We’ve tailored it to our target audience: physicians. We’ve created a Cliff Notes for doctors: Getting Your Practice Ready for HIPAA.

We’ve gathered relevant source documents and pointed them to appropriate and helpful resources. For example, we explained that the Model Compliance Plan is really an extension for transactions, provided both the web link and the PDF file, and told them how to complete and submit it.

In short we gave them actionable information in context and, of great importance when you’re short of time, made it available in one place and in an attractive form.

That’s the story of our HIPAA project, an interesting and challenging experience for all of us who worked on it.

I thank you for the opportunity to be here today and would be happy to address your questions.

MR. ROTHSTEIN: Any clarification questions for Dr. Weintrub? If not, let’s proceed then to our general discussion with all of the panelists. The floor is open for subcommittee members to ask questions.

DR. ZUBELDIA: Ms. Ruffino, since you are a practicing consultant, as you heard this morning, how the choice of a consultant is a critical and difficult problem and sometimes people make the wrong choice. Physicians are probably not going to engage a sequence of consultants until they get the right one. What would be your recommendations to us on how to make that choice? Is that clearinghouse of consultants that we’ve heard about, is that a solution? Is there some level of expertise that has to be met, or some qualifications that have to be met by the consultants? What would be your recommendation?

MS. RUFFINO: I don’t think you can do that. I think that the solution there is not for the committee or OCR to do that. I think it’s really, for example, the state associations can do that, the hospital associations, medical societies, if they want to do that. I think that if you provide materials and resources for them they will know it when they see it but it is very difficult for them but I would not get into it.

First of all I wouldn’t be recommending consultants necessarily. If they have a sufficient size staff they probably don’t need them. If they attend sessions they can probably get enough. I don’t want to say there’s not that much to do but it’s not as complex as some would make it seem. I’m a consultant with a little bit of a different focus. I think that consultants should be minimal in HIPAA. It is a business issue and that’s what they should be focusing on. There are obviously some legal sides to it but I think we have over complicated the whole thing for everybody.

I think a basic set of resources and then if they need somebody to come in, let the local medical society or the trade association, if it’s a chiropractor, let them identify some people who have worked well with them. I would not put myself forward as a certified HIPAA consultant even if that were available. I just think that is a little bit like selecting lawyers, they all have the degree, and unfortunately in HIPAA there’s no degree, and there’s no time to do that.

MR. ROTHSTEIN: I’d like to follow-up on that question if I may. That is one of the concerns that we all have is that a range of providers and health plans, and I suppose even clearinghouses, have probably just been throwing money away on consultants and vendors who charitably are not up to speed. What we are searching for, at least I’m searching for, is a way that we can prevent that. Clearly there is a role for consultants and vendors in all sorts of things such as training employees and working out procedures and the like. I don’t know how to recommend that we deal with this issue.

One of the things we explored, you may have heard at an earlier panel, I asked someone would it be valuable if some group published a guide to selecting a HIPAA expert or consultant and what to look for. If I’m a sole practitioner in internal medicine in some small community, I may not know where to go and then I get this glossy brochure saying hire me, I’m HIPAA compliant, I’ll keep you out of jail, etc., and there goes two thousand dollars and you are no better off. Can you help us?

MS. RUFFINO: I think the process is backwards. I think first they have to see what it is that’s required. That’s why I say if you have a basic HIPAA handbook for them and say look, here’s what an office needs to have and to do, here’s the kinds of policies, and then decide whether they need a consultant.

I offered my services to my own physician a couple of months ago and he said well, I think we’re all set because Silvia has this under control, she’s been doing this, we just hired her. So Silvia got in touch with me and I went in to meet with her and she had a big binder and said here’s what I’ve collected, take a look at it. I looked at it and it was wonderful, it was all from the CMS web-site, and it was all on physician office compliance. It wasn’t HIPAA. She hadn’t gotten anything on HIPAA. She took compliance information and thought that HIPAA was included in that and so she was meeting the HIPAA compliance.

That’s the kinds of things, so there’s got to be something, a HIPAA compliance issue today, three years from now let’s just assume it’s regular office compliance, so if we get too focused on HIPAA consultants.

I think what offices need to know is what do you need to do to protect the privacy of your patients’ information and your own liability and it doesn’t need to be 150 pages. Then, if they need a consultant to do that they can bring someone in and then I think there are other resources out there to do that. I think if you have a basics for them let them see what it is they are supposed to do first, not have the consultant come in and tell them what they should do.

That’s the problem. The consultants are coming with a whole laundry list of things you should do without ever knowing what the practice is about, how many patients, what kinds of patients, there is a difference between a physician’s office that does electronic transactions and one that is all paper. It may or may not be a substantial difference, but there is a difference.

Let the practice decide first based on what the basics are and then find the consultant to fit that. We’re getting too many consultants in telling people what they have to do for HIPAA and as we discussed before a large percentage of that is just plain wrong or different thinking.

MR. ROTHSTEIN: Mr. Szabo did you want to . . .

MR. SZABO: I guess I would first of all thank you and endorse what I just heard in terms of the comment that I think that to get into the business of adding consultants or certifying them or trying to correct probably what are almost inevitable errors in the market is a task that probably a government agency is not well suited to and can only get you down a kind of side road of other kinds of disputes and entanglements.

I think a guidance document from the appropriate office in terms of what’s the scope of the requirements of HIPAA, especially one tailored toward what, shorthand, the lawyers and consultants are calling TPO. The people doing treatment and payment and the health care operations that support those that don’t get into the exotic questions of push through marketing plans for pharmaceuticals or disease management programs or raising money for non-profit foundation, which are all important questions, but don’t affect the practitioner probably as much in his or her office.

Saying here’s what the parameters of the problem are, or your obligation, here are some of the major elements of your obligation, and we’ll give them, working through their various professional societies who are getting up to speed and often in many states do interview lawyers and consultants and others as a service to their members, saying here are the people we’ve talked and here’s what they can do.

I think there are ways for the market and professional societies to correct some of these excesses and mistakes but I do think a guidance document would be very helpful.

There is a question of the right emphasis and approach and I’m glad to hear mention a comparison to the compliance issue in terms of Medicare/Medicaid fraud and abuse compliance and compliance plans. For many good reasons for many years the Office of the Inspector General and the US Attorney’s Office and others resisted very strongly the idea of giving different kinds of guidance and advisory opinions to industry, in part because a prosecutor never likes to write a letter saying oh, that’s justifiable conduct and that finding that letter used against him in a trial in a different factual context.

I think you have to decide in part in issuing guidance documents whether the priority is changing behavior versus protecting a later legal position in the event of, say, a prosecution or an enforcement action. I think there was a logic behind having OCR do enforcement of this rule as opposed to OIG and I think there is a logic to having perhaps a slightly different approach to the availability of guidance, notwithstanding the burden of producing guidance, which would be materials. The idea of how much are we going to say and how much are we going to tell people. This is the scope of what you need to do and this is what’s ok.

I think the negative effect of providing too much guidance, if there is such a thing, is less in this field than in the fraud and abuse arena where you’re talking about the possibility of people taking advantage of the government for financial reasons as opposed to wanting to simply educate providers in what things they can do to improve their business practices.

I would endorse what I just heard.

MS. RUFFINO: One of the things that providers don’t want is gotcha management, which is here’s the rule, you try to figure it out, you try to pick the right consultant and if you’re wrong, gotcha. That’s what has happened with all of the other compliance issues. They are doing the best that they can, they get the wrong, I mean how many have gone to jail now for the wrong consultants. That’s the problem. So tell them up front what it is you expect of them, they don’t have time to figure it out themselves, and let them move from there. They can handle it but they need to have the basics in front of them.

DR. DANAHER: I think this is a very productive discussion. Barbara, let me just kind of, I’d like to go back and forth with all three of you. I have a little bit different view in terms of what I foresee as happening with medium to small practices in the use of consultants. I think fundamentally practitioners, be they dentists, a doctor, physicians, acupuncturists, etc., have a mindset of, we’re extremely busy, is it a cost benefit analysis, I can bring in an OSHA consultant who will do a gap analysis on my practice, get there in 48 hours and give me some kind of stamp of approval, that’s what I’m going to do.

I really think it boils down to a very crude back of the envelope cost benefit, it’s easier for me to bring somebody in than to have Silvia, so I actually foresee this being an incredibly burgeoning area of consultants.

The second thing is, to Mr. Szabo’s point, I totally agree that OCR does not want to get into the business of saying who is a good consultant, who is a bad consultant, etc. But I do think that in this concept of a clearinghouse, and I’ve been struck by the role that state agencies, medical societies, hospital associations play in disseminating information and providing awareness and education.

I do think, it seems to me and Stephanie can tell me whether I’m wrong, that OCR could play a role in saying to Mass Medical Society, Mass Hospital Association, give me a list of resources that you’ve vetted, Rhode Island, give me a list that you’ve vetted, etc., and put them all up under a thing with a big disclaimer that basically says we are not endorsing these but these have put forth as potential resources that have been demonstrated to be useful, or whatever. Maybe it doesn’t work that way, maybe OCR says Mass Medical Society put up a site on your web site or MHA you put up a site on your web site so that we can send people there.

Whether it’s a central clearinghouse or whether it’s really a diverse decentralized clearinghouse I think the reality is that people are going to be clamoring for resources.

The last question I have and then I’ll stop my comments, in other areas there are not-for-profit bodies that have grown up, xx for web-sites, xx for disease management, xx and xx etc., that kind of have set some standards for which people, organizations, measure themselves for lack of a better word. I guess what I’m getting at is, is there a role for there being some kind of, since HIPAA is going to be with us and the tenets and principles of HIPAA in terms of handling medical privacy are going to be with us for our lifetimes, is there a role for, and I don’t know who would do it, OCR, or HHS, encouraging the formation of a not-for-profit entity that kind of said you oversee certain things. My comments are not as well focused as I’d like them to be but I would be interested in your responses.

MR. SZABO: Thank you. I guess to your last point, certainly I would anticipate that aspects of say HIPAA and privacy are going to be reflected in revised JCHL accreditation standards. They already have HIM, a chapter on HIM, a chapter on patient dignity, privacy is already worked in there a little bit. I would fully expect that there is going to be a big new chapter coming out for standards for review and of course that gets imbedded in Medicare participation and often picked up by state regulatory authorities by delegation.

Similarly, while I haven’t talked to them, I would be amazed if NCQA had let this go past their radar screen and wasn’t looking at the question of privacy and health plan standards and dealing with subscriber information.

I think some other interesting questions are who’s going to speak to the self-insured health plan and I’m not quite sure, just out of ignorance, what would be the right accrediting body or right standards private sector standards setting body that would speak to other organizations that are less subject to the regular kind of bureaucratic paper driven, if I can call it that, review process that is say the standard of accreditation.

There are private sector organizations that are trying to work at developing standards, some are general privacy oriented organizations that are multi-industry, others like Mass Health Data have more of a regional focus, but focused on health care. I think unquestionably there is going to be a role for those organizations and you’re going to see them emerge and there will undoubtedly eventually be a leader. I’m not sure I’m in a position to predict who it’s going to be.

MS. RUFFINO: On the two issues, one is that NCQA and xx actually did a joint communiqué or white paper on HIPAA privacy about two years ago, they were certainly there and will continue to be there.

On the clearinghouse issue, I think that what OCR could do, and again, I would get away from recommending because there is more liability there. The clearinghouses, when I was in the field of education, were much more in terms of what’s being done in terms of research. You could find out who is doing research on early childhood education. I do think that OCR could work with the state associations and whatever trade associations are interested to say, if you are going to have HIPAA resources for your providers, here’s the categories of resources that we would like you to have available for them. What you find, you go out to Connecticut Dental Association and there’s a couple of things, you go to Mass Dental or Mass Medical, Mass Medical has been in the forefront of what ought to be out there for people. Certainly I have recommended it to all of my clients including those that are not just physician practices because of the quality of their resources.

But I think OCR could say, here’s the categories of things that you should have on the web-site available for people and then they can work with each other. They do that all the time. So if Mass Medical has something that Connecticut doesn’t have or the Hospital Association of Massachusetts can share what they’ve got with the Hospital Association of Rhode Island. I think the collaborative efforts during this whole HIPAA thing have been outstanding and I think this is an opportunity to both leverage that but to help direct that by saying if you go out to your state association you’re going to get a standard set of kinds of things, they may be different in each state, but at least there will be some standardization of what’s available so you don’t get more if you’re in Massachusetts or you get minimal lists if you’re in Idaho or Utah. There’s a way for OCR to help leverage that.

MR. ROTHSTEIN: Dr. Weintrub would you like to respond?

DR. WEINTRUB: Sure. I think the idea of standards is better than a standards organization personally. I think collating the proper resources, categorizing by various entities makes classifiable and understandable for the various folks who are looking for those resources. So if it’s about a physician practice you go to the section about physician practices, if it’s a different sort of entity you go to a specific tailored section for that entity. Those kinds of standards by entity I think would be very useful.

In terms of physicians looking for standards organizations I don’t think that’s really what they want. There’s a concept in surgery called the surgical atlas where basically the night before surgery you look up how to do an operation. That’s what people want. They want to go to one place and look up how to do something. Hopefully they know something before they go to the text.

DR. DANAHER: I’ve got a follow-up question. Mr. Szabo, I’ve had the chance to see some of the output of your task force, or the task force you co-chaired and it’s truly very impressive work. My question for you is that, where I saw it was at the Mass Health Data Consortium. In my activities I have yet to come across physicians or provider offices who, as everyone is giving testimony, they haven’t gotten their arms around HIPAA let alone the issue of state preemption analysis. It seems as if the main recipients of the good work that your organization is going to be doing are the hospitals and the health plans. Have you given any thought to the role of the output of your committee to provider offices?

MR. SZABO: That’s a great question. Let me start with kind of what I took as, we took as a task force as our charge through the Health Law Steering Committee, which was to produce a technical tool that would be useful first of all to attorneys and then I think equally useful, hopefully, to privacy officers and others who had taken the time to steep themselves a little bit in the rule and understand what it is about and give them a cross-reference and some guidance as to what laws are there and a short form analysis of how they can begin looking whether it applies, whether state or federal law applies in a particular situation.

It is not going to be produced in a form I would, say, just hand it to a provider and say here you can use this and it will tell you what the answer is. I think it is probably more of a technical tool for specialists to help generate advice that in turn may be passed in a more appetizing or a more appropriate issue focused form for the people who may actually be asking questions.

As to what I would say to either a hospital manager or a practicing physician or practicing clinician or someone else, someone at a health plan about state law and the general issue of preemption, I think my first question would be today, pre-HIPAA, are you abiding by state law? Hopefully their answer will be yes, although the answer might be gee, I don’t know, what is it? And physicians generally understand that dealing in patient secrets improperly is at the very least probably malpractice and is going to get them in trouble with the Board of Registration in Medicine. They generally have a good culture of privacy to start with.

The second point is that if you really do think you know state law and you are complying with it today, well the answer is you’re still going to have to comply with it. If it’s not as strict as HIPAA it’s not as though you get a free pass. And if it’s stricter than HIPAA for example, a genetic testing statute or HIV statute, you still have to comply with it. So in the general level I think you can simplify it to say, HIPAA in no circumstances other than perhaps patient access questions, which is a different focus, but generally speaking there’s no sense that the HIPAA privacy rule has suddenly reduced privacy protection.

It works generally as a floor, not a ceiling. If you are aware of some special obligation you have, such as mental health and substance abuse records or HIV records or genetic testing data, you still have to meet that higher standard. I think for the front line person I would leave them with that message and let’s distill your particular question where the answer can get a little complex but then it’s fact based.

The short answer is no, we’re not trying to push it out either to hospitals, clinical managers, or cancer care units either. It’s really a technical tool.

DR. DANAHER: I’d just like to follow-up. I’d just like to engage you on this a minute more. I think what’s interesting about HIPAA for me is that it is the greatest across the board focus on a discrete period of time. Even though we are all sitting around, we know that it’s organizational performance enhancement, etc., it doesn’t go away, there’s a deadline, all these sort of things, but I guess in my experience to your very point, not only when I have asked the providers in this region but also actually the health plans and the delivery systems whether they are in compliance with their state privacy laws, the answer that I have gotten is they don’t know, across the board.

And I say well how do you train now and there may be something during orientation, point of fact, there usually isn’t something during employee orientation and they will point to a binder on their shelf and say there’s the state laws, the state regs there.

What I am encouraged by about HIPAA and the fact that it is kind of crescendoing up to a date with all kinds of things and as much as we hate the scare tactics that are associated with it, let’s be frank. It’s human nature, sometimes people don’t move unless there are things associated with it. My point is, in my experience I have not seen an across the board systematic understanding and practice in operationalization of state privacy standards and state privacy regulations. If organizations know of them it’s usually a reflection that they’ve had a problem or they’ve had an encounter and they’ve been forced to go and learn it or learn something about it.

Just to conclude my comments I’m actually encouraged by this increasing awareness because I think it’s also resulting in organizations and individual providers going back and making some effort to learn what their state privacy regulations are.

MR. SZABO: HIPAA has certainly raised the bar, if nothing else, in terms of awareness. And that works from both sides of the coin, in a sense, in that providers, and plans, and clearinghouses are more aware and they are making efforts to say, gee, what are all those state laws and are we in compliance with them as well as what are all the federal standards.

But the awareness level among the general public, the consumer, the patient, the subscriber, is skyrocketing. The fact is that maybe a state law that may have been kind of a dusty relic on the shelf may suddenly become widely used, or lawyers may think, hmm, maybe there’s an invasion of privacy claim, and you’re seeing it in employment law, you’re seeing it in other kinds of law, can I throw a privacy claim at the end of the complaint and make it another level.

I think part of that also is the changes in information technology that were also mentioned. It used to be you had to manually get that information. Now you can get it over the internet. And people are also aware now of the value of information as a commodity which means that our behavior has changed and therefore people’s concerns about information have changed.

I would agree with your statement and say it’s part of several factors that are coming together, the laws that people didn’t think about are now, I believe, they are going to think about much more frequently.

MR. ROTHSTEIN: I’d like to ask Mr. Szabo the following. Yesterday one of our witnesses suggested to us that HHS should get together with the attorneys general in each of the 50 states and do a preemption analysis along the lines of what was done in Massachusetts. Now obviously in some states there may be far less law to deal with. Based on your experience with this preemption analysis that you’ve done, do you think that’s a good idea?

MR. SZABO: That’s an interesting question and I’ve seen similar questions on some of the list serves about HIPAA. Can’t the states, for example, get together and do something about this. It certainly could be very useful as guidance and to have some document put together with some sponsorship.

Let me divide it into two questions. One is perhaps would it make sense for there to be some initiative to make sure that it occurs in each and every state if some private body hasn’t done it or hospital association hasn’t done it or somebody hasn’t done it to see that this effort is replicated in some manner across the country. I think it’s a good idea otherwise I wouldn’t be doing it here so I think it makes sense to be done in other jurisdictions.

The second question is whether it should be, for example, through the Offices of Attorney General, with many capable attorneys that are certainly capable of looking at the law and coming to conclusions. We have been very careful in our effort and we have state lawyers involved. I think some of them have testified before this subcommittee as part of these hearings through the Department of Public Health. We have an attorney from the state’s attorney general office involved in our effort. They are there in their personal capacities and we have not asked any government agency to endorse our work product nor would we do so.

For one thing, it is possible in a particular case in a preemption question that a state agency will have an interest in the manner, or to put it less politely, they’ll have an ax to grind. An example of that, for example, was in this state a number of years ago, litigation about whether state law regarding HMO’s providing prescription drug benefits, requiring those benefits to be offered in a certain way was preempted by amendments to federal law governing Medicare+Choice plans.

The state had an extremely clear view that there was no preemption. The federal court eventually disagreed. Our work product is guidance. It’s a technical tool. We don’t purport to say it’s law. I would be concerned if an attorney general’s office felt that if they had to promulgate it that it would suddenly become an expression of law that they felt would be binding on people. My professor once told that sometimes the lawyer’s only answer is it depends. Some of these specific questions are going to be very fact specific as to how they arise as to whether federal or state law applies and wins out in the end.

I guess my short answer to that is that I think it would be seen as a great challenge. Many attorneys general might shy away from it because they’d say we don’t want to lock ourselves into a position or they might feel they need to advocate for the state interest or the state legislature while performing that and maybe they don’t want to be in that position.

On the other hand, I certainly see the logic in it and the idea that there should be some more guidance and hopefully uniformity of interpretation is a good thing. I think we need to try to find as much certainty for constituents as we can. I just foresee some, both technical and for lack of a better word political problems in trying to enlist the 50 attorneys general to undertake that.

Again, there could be questions where OCR might be in variance with the attorney generals and let’s reserve that question, maybe we want to hear what a federal judge has to say about that some day. I guess I’d like to see more thoughtful guidance put forward and people will begin to illuminate the problems and come to at least better answers if not absolutely the right answers as we progress.

MS. KAMINSKY: I want to thank all the panelists for thoughtful testimony once again. But I have another question for you, Mr. Szabo, about the preemption analysis. This one is a little more technical than some of these more overview questions that we’ve been talking about.

As much as everyone may be overwhelmed by the HIPAA privacy rule and I have my days myself I must admit, I’m even more overwhelmed at the idea of anybody having to do a preemption analysis. As somebody who has legal training, I don’t even know where entities would start. It just seems like an incredibly overwhelming project. I was hoping that you might be able to speak a little more in detail about the methodology that the group used to tackle where these 200 laws came from, particularly case law.

I can imagine turning to a certain codified section of the statute or a certain codified section of the regulations, but just sort of where did you guys decide, how did the task force decide to do this? I guess another sort of piece of that would be were there any surprises that came up along the way? Pieces of law that you wouldn’t have thought in the beginning you needed to look at but that came about. I guess last but not least, you’ve already mentioned some areas that state law is more stringent in your view, the HIV piece, the genetics piece, but I’m curious if there are others that you are now using maybe in your legal capacity to advise clients as you’re doing implementation plans, information that’s come from this thing, you couldn’t possibly be giving a proper implementation guidance package to your clients without knowing. Sort of broad, but . . .

MR. SZABO: I will see if I can touch on answers to all those very good questions. First, it seemed like a good idea at the time. Secondly, I wish Dot was here as it was already mentioned, she was unavoidably caused to have to leave us today. Because we really started with, she’s not only a lawyer but she’s a HIM, Health Information Management person, and she used to take around for her speeches, she said I have here this list of all state laws that bear upon health information, and we all would be impressed at how long the list was.

So that was one of our starting points, was actually something that Dot had produced for her own work and was generous in sharing with us.

Once we turned loose our committee of 33 lawyers on that question, we found that there were a lot of other laws that we could append to that list that at least touched upon it in some way. Now some of them were very obvious, the patients’ bill of rights here in Massachusetts that mentions confidentiality of information, the HIV statute, clearly whether a dog bite reporting statute is a health information law until you think about well, it’s not the dog we’re worried about it’s the patient. We may be reporting the identity of someone who has suffered a particular injury. That’s maybe kind of a trivial example but we covered a lot of ground.

Our primary focus has been on statutes and then on regulations and a couple of executive orders. We have circulated lists of cases that people have been helpful enough in one of the law firms in particular that had done some work for one of its own clients and collected a lot of cases that they shared with us. So we had a lot of people throw information into the pot and that’s how all of these collaborative efforts work. People have to be willing to share the information for the benefit of getting a work product.

The preemption analysis, basically we simply followed the template in the regulation, obviously, that you have. Certain kinds of state laws that are by definition saved, such as things related to public health reporting as, an example. Then we had to look for those others, the question of if they are contrary, if there’s a conflict, the tough one is more stringent. What we discovered is that for some state laws we had to look at things section by section to determine whether a state law was more stringent either in terms of protection or privacy allowing greater patient access or placing, making less coercive for the patients, or placing stronger conditions on written permissions and consents to use information.

There’s a multi-part test for determining what’s more stringent and that’s kind of where the rubber meets the road in terms of our looking at it and trying to balance and evaluate a particular state law. If I can, without running on too long, I will give you a quick example of where it got a little complicated.

In Massachusetts a psychotherapist has an obligation to produce a patient’s record for the patient. However, if the therapist comes to the conclusion that producing the record would be detrimental, would adversely affect the welfare of the patient, they don’t have to produce it. Instead they can either offer to send it to another therapist, or produce a copy with the patient’s written consent to the patient’s attorney. So the patient doesn’t get the whole record but either another clinician or the attorney will get the entire record.

HIPAA has the same concept but it’s a different standard. Instead of the general welfare of the patient, I believe it’s imminent harm, I think it may even be physical harm to the patient, has to be the standard for withholding the record. Therefore, which law controls? State law, let me think here, HIPAA gives the patient more access, therefore, on that question, HIPAA wins. There is, however, also a provision in HIPAA that says that the clinician doesn’t have to produce the record if there is information in and about a third party that was obtained under a promise of confidentiality. That’s another ground for the clinician withholding the record or withholding a portion of the record.

Our state does not recognize that, at least the codified section, the state statute doesn’t recognize that. Therefore, arguably, the state gives a greater right of access than HIPAA and state law should win on that clause and not HIPAA. There are also other exceptions in HIPAA for if giving the information to a proxy would, there would be a concern that the proxy or the personal representative, excuse me, might use the information against the interest of the patient. So that’s an exception in HIPAA.

I’m not sure I can find the exact same exception in state law although I might find other basis in state law for coming to the same conclusion. So again, it’s not necessarily clear to me which whether sitting here right now and not recalling having the template in front of me, who wins. You also have to remember to take into account other principles of state law that could bear on those kinds of questions. So you have to do a provision by provision and to look at it.

The problem is our state laws evolved over a period of many many decades. Some very well thought out and well written, others just cursory provisions. Compare that to this complex regulation that was thought out in one piece, sometimes leads to difficulty interpreting results. Have I touched on all your points?

MS. KAMINSKY: Eventually.

MR. ROTHSTEIN: Any further questions? I want to thank the members of the panel and remind you that if you have additional written comments or suggestions or recommendations we invite them within 30 days and you can send them to Marietta Squire and she will forward them on to the members of the subcommittee. So thank you all very much. There is no public testimony as I mentioned earlier. So the committee will take a break until 3:05 and then we will proceed directly to the subcommittee discussion section of the agenda.

(Break)

Agenda Item: Subcommittee Discussion.

MR. ROTHSTEIN: Welcome back. The subcommittee is in session for our final discussion of our agenda for two upcoming hearings and they will be October 29 and 30 in Baltimore and November 5 and 6 in Salt Lake City. I think what I would like to do is to ask Stephanie to run through some of the initial plans that we have for our next hearing in Baltimore and then we can discuss the kinds of witnesses that we still think we need to hear from and then, as well, the witnesses we might want to talk to in Salt Lake City. The Salt Lake City meeting comes so closely after Baltimore we won’t have time to plan in Baltimore in Salt Lake City. So we really need to plan for both today.

MS. KAMINSKY: Before I touch on this I’m not sure if you were going to also get to the other topic that I wanted to talk about which is what OCR is currently planning to do vis-à-vis technical assistance. I also wanted to take this opportunity to take stock while I have the subcommittee partially gathered here to talk, to revisit what we talked about in June, which spurred these hearings, which is what we’re trying to do here, before we talk about who we want to get for the next one.

So I want to talk a little bit about what OCR is doing, what we hope to achieve from these hearings, whether it is to direct OCR more specifically in its current endeavors with technical assistance or whether it is to go further than that in some regard which we kind of touched on in the June meeting, that there could be other outcomes from these hearings besides just making recommendations about technical assistance. Then I’d be happy to talk about some of the thoughts I have for the next hearings.

OCR, as I mentioned yesterday, is turning, I don’t like to say turning its attention, because I think we’ve been trying to do technical assistance all along while we’ve been working on the rule. But with the rule out the door some more resources are being liberated right now to at least put forth some additional guidance.

It was very nice to hear over and over again during the testimony that people were positive about the July 2001, very positive about the July 2001 guidance. We’re working on updated guidance right now to reflect the, because that guidance is no longer accurate given the modifications to the rule, so we are going to try to do a piece that is very similar in style and format trying to sort of keep that discussion and then some FAQ’s. Sort of an explanation of different parts of the rule and then some FAQ’s and hopefully we’ll be using feedback from the last guidance that we’ve been aware of to help make this one even better. That’s the goal. So we are working on that.

We also, it’s been in the works for some time and my understanding is that it is closer to being out the door than it has been before, I don’t know what stage it is in, as I mentioned we are funding a technical assistance contract for a very large sum of money where we are asking the contractor to put together written technical assistance as well as educational videos. These written technical assistance pieces are supposed to be oriented to different types of covered entities. There will be a set of documents for small providers, for hospitals, for health plans, there is a list like that. I think that we heard over and over again that there is a real wish for or desire for or need for that kind of practical guidance, oriented towards each entity and hopefully this piece of technical assistance that we are working on or this contract will produce that.

DR. DANAHER: . . . just in terms of timeline and deliverance because really one of the things we heard so much about was we have to get this stuff in our hands right away so can you shed some light on this process?

MS. KAMINSKY: I don’t think it’s a question of an RFP. My understanding is that this is going to be a modification on an already existing contract that HHS has underway right now. I’m hoping, I don’t know a lot about government contracts, I’m sorry to say, but I’m hopeful that the reason that that was the way we decided to go was that that would be quicker because it’s already sort of underway. I have no idea what the timeframes are and I can try to get some feedback from the office for our next meeting.

Obviously we all want something as quickly as possible. We understand the urgency. There were testifiers today who said don’t even give us your guidance sheet, you’re overdue, we don’t want it now. I hear that this, we have a very small window and it’s tricky to try to get something useful out in such a short time frame.

I’m sure that others at OCR are well aware of that but I will try to get some better information about the nature of the contract, i.e., what pieces we’re requesting, what covered entities we’re talking about. I’d like to get some more details about this contract to share with the subcommittee so that we can take that into account when we, when you, make your recommendations back to the department.

In my eyes, and this is just a little bit of a digression and I’d like to hear from you what you think about this, one of the potential positive outcomes from these hearings, as I see it, would be to put together some specific recommendations that could be passed on to the contractor who is working on this technical assistance. So the more we know and the more I can provide to you about what this technical assistance stuff is going to look like, the more I think specific and hopefully useful we can make our recommendations. That would be my thinking anyway.

MS. GREENBERG: Are they likely to include the development of model forms? Are they likely to be that specific?

MS. KAMINSKY: I don’t know, but that would be exactly the kind of recommendation that we could certainly submit and given the fact that we have this big contract underway it would be timely to make that forceful recommendation if that is where we came out and have that maybe cleared by OCR and given to the contractor. I haven’t heard about model forms as part of it, I’ve heard more about a pamphlet for the rural health providers, a pamphlet for, that kind of information pieces for particular entities.

MS. GREENBERG: Do you know about public health?

MS. KAMINSKY: I don’t have that list. I will get it for the next, we have a meeting in two weeks I think, we’re probably going to have a break out session when we have the full committee meeting, so maybe at that point I can share with the subcommittee what, if I get permission to do it, which I don’t . . .

MS. GREENBERG: One interesting question is, you said it’s well funded so it might not even be necessary, but if there are certain groups they did not plan to focus on, it might even be the agencies in the department or something they could contribute into, we heard about community health centers, the public health groups pretty much seem to be on their own here, their associations don’t seem to be in much of a position, or haven’t been providing much hands on, I think the small association . . .

MR. ROTHSTEIN: I think it’s a good point about the other HHS agencies. If they weren’t planning on doing something for the Indian Health Service, maybe they can make sure they get their own pamphlets.

MS. GREENBERG: Yes, HRSA, Indian Health Services, it could be sort of the economies of scales of getting involved with that.

DR. COHN: Is what you are talking about a web-site that has sort of HHS approved documents, training, all these other things that have basically been approved or at least reviewed by OCR and the federal government and therefore would be able to be able to use in confidence that this stuff was ok?

MS. GREENBERG: You are asking me about . . .

DR. COHN: Is that what you were sort of talking about when you said all those contributions? Or maybe I should ask Stephanie if that is what she is talking about.

MS. GREENBERG: Well, I was actually thinking that, if it’s not currently funded to serve certain constituencies, that other parts of the department might be able to enhance the funding, other parts of the department that has those groups as their constituencies might buy into it.

MS. KAMINSKY: I think that’s a really interesting and excellent point. I will certainly raise it internally at OCR or maybe a more apt place would be to raise it with the privacy implementation forum that John Planning(?) is involved with which is I think the Department of Health and Human Services. He runs a monthly meeting for all the operating divisions to talk about how they are dealing with the privacy rule. If it’s appropriate or whatever that may be something that could be raised there.

I think that OCR feels very under the gun itself to get its own guidance out the door to reach a very wide audience, many of whom we’ve heard from in the last two days. I think their focus is just to get this contract out the door to handle the OCR issues foremost. There is an ongoing concern from the operating divisions about getting technical assistance out to their constituencies and OCR is constantly being put in the position of being asked to clear or review or sanction the materials that are going out from those organizations. So we do have a tension in the department and maybe if they had some additional funds they could spend on this, they could tag onto this contract.

On that point, one of the things that came up at our last meeting in June was a question about what the heck, is there some place people can find out about the, John had mentioned knowledge about a HRSA grant, or something for training that is out there but that nobody knows what is out there, I do have with me. . . I can just circulate for people to look at, part of an inventory that the department has put together looking at what the various operating divisions are doing. It’s many pages but I have it turned open to the technical assistance piece. This is really just for your own information to get a feel for some of the technical assistance that is going on out there but I don’t know of any plans to post this publicly. I have a pamphlet that reflects some of the technical assistance that at least the Title 10 part of the HHS is now putting out there. You are right, Marjorie, that coordinating the technical assistance activities with the other pieces of the department certainly should be taken into account.

DR. ZUBELDIA: Stephanie, have you looked at doing technical assistance for the general public?

MS. KAMINSKY: You mean consumers? Yes, I think that will probably be part of what goes on with this big technical assistance contract, but I will get the details for the next meeting. I mentioned this yesterday, I know there is concern that outreach and education has to go to consumers and technical assistance has to go to covered entities. There is a need for all of that. I do think that that is in the works.

MS. GREENBERG: When you say the next meeting you mean later this month.

MS. KAMINSKY: Yes, I wanted to talk a little bit about that meeting because we have to come up with our agenda for that meeting and so I want to make sure we are all on the same page for that. We can wait for that piece after we get through this piece, which is to just revisit where we’re going with these hearings, to hear some feedback from you about what you heard so far and to think a little bit about where we want to go from here in terms of advising the department or doing other things.

I guess the only other point I want to make as a general matter is that I did come back from the last subcommittee meeting we had and reported both informally and formally some of what we discussed at that meeting to my colleagues and to my superiors at OCR. I know that we had discussed the idea, and it’s come up a number of times in this meeting, of OCR putting on its web-site some sort of a, well the clearing-house notion, that we would take into account the good resources that are out there and somehow gather them together and point people in those directions.

The informal conversations that I’ve had with some folks there were not particularly favoring that approach. The suggestion that did come back was that if NCVHS wants to put on its web-site some of the resources that it feels are worthy, that it has reviewed or it wants to sanction and it wants to serve that public interest, that would be fine. So I just wanted to pass that back down, or back along the line.

DR. COHN: Stephanie I appreciate that. I had no idea the advisory committee of HHS had the authority to sanction, I had no idea that we had the authority to sanction information or . . .

MS. KAMINSKY: You really don’t . . .

DR. COHN: I say that tongue in cheek . . . I think you need to checkmark that one as an issue that may be better eventually to HHS and for OCR in terms of seeking some sort of clearing house function or leveraging other information. It might be a good use of resources on the other hand to develop everything internally if you spend some of your time reviewing things and making sure they were appropriate, making sure other people had access to them, might be a good way to do things.

DR. COHN: Stephanie I know you were trying to jump over into what we’re going to do for our next meetings and all that. Let me just ask since one of the things we had heard about was sort of a general hope that there would be timely response to, there are obviously various types of technical support.

One of the issues we have heard over the last two days was geez, wouldn’t it be nice if there was a way to contact OCR and get an answer to a vexing or ambiguous problem having to do with this ambiguity of the fact that this thing is x number of pages long and has all 9 point type anyway and in certain points things are open to interpretation.

I think we’re hearing from people that geez, they need an employee and consultants to do lots of research and come up with their own interpretations which may or may not be consistent with an overall compliant approach to implementation. But wouldn’t it be nice if there was a way for the federal government to advise and have sort of a common understanding. What sort of plans does OCR have to provide this sort of capability in any timely fashion?

MS. KAMINSKY: Well, you know that we have the privacy mailbox on the OCR privacy web-site where people can submit the questions that they have and the idea was that we would not be responding individually to those questions but rather aggregate them and respond en masse or in bulk to and create frequently asked questions documents similar to the FAQ’s that are on the admin.simp web-site. Although hopefully organized a little bit more easily accessible. I think those FAQ’s sometimes can be difficult to access the actual the FAQ you are looking for and the answer to.

MS. GREENBERG: People may not realize that. I heard a number of people say we submitted a question and we never got an answer. I assumed it was the same way as with the administrative simplification that the policy is not to answer each question but to develop FAQ’s that are responsive to the questions.

MS. KAMINSKY: I think we do an auto response that says that. I’m not sure but I could check. We have at one point. I think what they were really saying was that they haven’t even seen aggregated answers, unlike the Admin.Simp web-site. . .

DR. ZUBELDIA: I think that is a very frustrating user experience if you want. I keep hearing it everywhere. You send a question to the FAQ on the Admin.Simp or to ask HIPAA and never get an answer. That is very frustrating.

MR. ROTHSTEIN: I’ve heard that dozens of times and I think that there hasn’t been a guidance published with FAQ’s in over a year and if the department has no intention of answering questions submitted at all or in a timely manner that function should be deleted from the web-site.

MS. GREENBERG: I agree.

MS. KAMINSKY: I would really suggest strongly that the subcommittee voice that loudly in its recommendations. Not necessarily that, you can say whatever you want to say, but I would really personally be pleased if the subcommittee could throw its weight behind strongly advising that the FAQ piece of our work at OCR be handled with more responsiveness to the public.

I think that it has really been an unfortunate problem and I touched last time on some of the reasons I thought it was happening. I don’t necessarily think it would be useful for me to go there again now. I just think the subcommittee would be doing a great service to the public if it would make these kinds of recommendations.

DR. ZUBELDIA: On the other hand, I’ve heard Karen Trendell(?) say that they have a bunch of people at CMS answering e-mails, so I’m not sure it’s because they are getting an overflow situation and they in fact have a bunch of people answering e-mails but they can only answer a small percentage of the incoming questions. That may be another possibility.

MS. KAMINSKY: I’m not sure I understand what, you know that CMS obviously is handling their responses to the public differently than OCR is. What exactly are you . . .

DR. ZUBELDIA: Karen says that they have a lot of people answering e-mail, that they are in fact answering questions.

MS. KAMINSKY: You mean another approach that OCR could take would be to answer direct questions. Actually OCR does answer a fair amount but we get an enormous amount and our staff, I won’t say our staff is smaller than CMS, because CMS has a very small staff dedicated to HIPAA it seems to me given the size of the task that they have at hand, but these cultures have gone in different directions and the responses have been different.

MS. GREENBERG: It’s hugely resource consuming, I know, because one of my staff is part of the administrative simplification FAQ team and it’s not just that one person answers a question, it has to be vetted through a lot of different people and often they aren’t easy answers. That’s why the questions were posed.

MS. KAMINSKY: Yes, that’s true.

MS. GREENBERG: But on the other hand, it is not really a viable situation to invite people to ask questions. I think we heard there is a lot of good faith effort to figure these things out on their own and a lot of people may be sending frivolous questions, but I think a lot of them don’t. I don’t know if there is any way to differentiate, even to encourage, in a state or an area for the questions to kind of be filtered by like the Mass Health Data Consortium, so that the questions that are submitted are really ones that can’t be answered at the local level and there needs to be some kind of timely response obviously. Otherwise you shouldn’t even offer the opportunity to ask questions.

MS. KAMINSKY: It’s a tricky situation now because we have quite a backlog. It’s not just a timely response on a going forward basis. We have an enormous stack.

MS. GREENBERG: I am sympathetic.

MR. ROTHSTEIN: I have a question before we get to the agenda, that is, in our letter to the secretary in response to the NPRM one of the things that we recommended was that when the final rule is published that there be a complete new version of the rule that is in print and available because in the federal register - so it is coming.

MS. KAMINSKY: It’s going to be on the web.

MR. ROTHSTEIN: For the interest of those who are listening on the internet, the August revisions only listed the changes and there is no place where you can see sort of the new version from start to finish and I’m advised that that is now going to happen sometime soon. I’m very pleased to hear that.

DR. COHN: I apologize. I didn’t realize I was destroying your agenda. It appears that there are a couple things that are very obvious from this session and likely from whatever the feelings that we may come forward with I think we talked about . . . would there be enough OCR technical systems, answering questions, either FAQ’s or responses in a timely manner. I think we’re also thinking that we probably ought to be recommending that the OCR develop some sort of clearing house consisting of not only OCR approved sample documents, forms, best practices, etc., etc.

I guess I’m sort of wondering, I haven’t been taking notes as we went through, but there are probably a couple other things from the hearing about things that ought to be happening. I wonder if maybe a short letter to OCR, maybe as early as our September meeting to go over the full committee, might not be inappropriate. I just sort of bring it up, is there something we could sketch out as a brief one page letter saying we’ve had these hearings, it’s already apparent that x, y and z are . . .

MR. ROTHSTEIN: I think that’s a very good suggestion. I think there are certain areas that we have heard repeatedly, the need for a notification form, the need for an authorization form, etc. How about if in advance of the September meeting Stephanie and I work together and we’ll circulate to the subcommittee, not everything that we heard, just two or three things that we could, I think, very easily agree on, so that we can get that out in a preliminary letter to the secretary and then follow-up with more detailed things in November. Would that be agreeable?

DR. COHN: Yes, I think that kind of an interim update with some actionable things that they can do would be terrific.

MS. KAMINSKY: So let me talk a little bit about the agenda. Just as a little intro this is not very developed in parts that I was focusing on today and yesterday’s hearing in part because I had lined up some South Carolina testifiers and I’m not sure they are going to be coming to Baltimore. I can mention those people as well.

Before I get to actual testifiers, I just want to put on the table one more thought, suggestion, idea, which is the following. Since we last met OCR’s leadership has changed. The new Director of OCR is Rick Campanelli. Robinsue Frohboese, who had been Acting Director for the last 18 months, is now going to be Deputy Director, which is really what her official role is. Rick Campanelli, who is a civil rights attorney with a very wide ranging background, has stepped up to the helm. So there was some thoughts by some regional folks actually that maybe we should have invited Rick to come to this hearing, which was an interesting idea.

There’s been a request to have OCR present some kind of update at the full committee meeting in September and I think there’s some thought that Rick may come and present at that. I think there may be an invitation to have him present at that. I didn’t know whether anybody here would think it made sense to invite Rick to either speak or listen or participate in discussion at the Baltimore hearing. I don’t know if he would be able to but I just thought the subcommittee on privacy might want to try to get a sort of private, not private obviously, but a focused conversation with Rick Campanelli(?).

So that was one kind of idea that came to, I don’t know if he would be willing, especially if he was going to take the time to come to the next full committee meeting, he might think that he presented what’s going on with OCR, that they are close together, but that’s one idea I had, that I wanted to throw out there.

In addition, I had spoken to Holt Anderson of NCHICA in North Carolina, I forget what that stands for, North Carolina Health Information something or other, which is kind of the Mass Health Data Consortium equivalent in North Carolina. I was looking for Holt to help with the South Carolina hearing and he was the one who pointed out that the hearing dates we had selected were exactly when the E Health Initiative meeting and the Fifth National HIPAA Summit were going to be going on and he was going to be going to that.

Now that we’ve moved it to Baltimore Holt can come and testify if we’d want to hear from him at the next hearing. Now I had not invited Elliot Stone to this hearing because we had said originally that we were trying to hear more from the providers than from the organizations that are kind of networking with providers. I don’t know whether that was the right choice or the wrong choice, this would be a diversion from that but certainly we can, this is just one idea that I had. I’m just going to tell you the ideas.

Holt did point me in the direction of David Kibbe(?), who is a physician with the American Academy of Family Physicians, he’s the Director of Health Information Technology, and he is the President-elect or something of NCHICA. He actually presented a few weeks ago at the Harvard HIPAA Colloquium and I think could represent again sort of the family physician perspective on HIPAA, maybe similar to what Michael Fine gave us yesterday, but another . . . so he already accepted an invitation. I had told him about South Carolina, I haven’t gotten back in touch but I think that he will probably be amenable to Baltimore and I think he would be a really strong testifier.

I sort of went to that Harvard HIPAA Colloquium and gleaned a few people, but Bruce Freed(?) from Shaw Pittman was there. Bruce used to be at HICVA(?), he was one of the senior people in Medicare and now he is a partner at Shaw Pittman. The Blue Cross Blue Shield Association, I believe, commissioned Shaw Pittman to do a 50 state preemption analysis. Bruce has been very involved in that and he agreed to come and speak with us at the Baltimore hearing about that sort of whole 50 state thing.

I was disappointed that I couldn’t procure anybody from a Medicaid agency to come and speak at yesterday or today’s hearing, but have been in touch with a group. I don’t know what the acronym stands for, NMEH, National Medicaid EDI, there is a privacy working group on NMEH and I have been in touch with them and so they may, I was looking to them to just supply me with individual Medicaid agencies to come and testify, but I think they are interested in putting together a collective piece of testimony from their subcommittee, so I’m hopeful that they will be able to get that together in time for the Baltimore meeting. I think they will be.

DR. DANAHER: I think that it might just be worth a minute of post mortem on this, maybe I came a few minutes late, but I just want, rather than putting together an agenda, just think a moment’s discussion about whether we all agree what the problem still is.

MS. KAMINSKY: That is what I started to say in the beginning and we didn’t really go there. Even more than that, what did we do in the last two days, did we do what we thought we were going to do, what do we want to do from here, so we can sort of have a context to put together the agenda for.

DR. DANAHER: Just from my very selfish point of view I think that these two days have only reconfirmed for me that there is across the board lack of awareness, lack of understanding, lack of resources, total ignorance by small and medium size providers. I really believe that health plans are well on their way, they’ve got money and people, hospitals, etc., even small ones as we heard, and I just think that where I would like, where our recommendations are going and in the time that is available, the greatest usefulness of these hearings goes back to what we can do between now and April 14, 2003, and prompt OCR to do to help that constituency of small and medium sized providers. I don’t know whether people agree with me or don’t agree with me.

DR. COHN: I think that the beginning statement that we want to do whatever we can between now and April, obviously, to ensure successful implementation, I absolutely agree with you. I’m not completely certain in my own mind given the testimony that the problem statement of the group that you are identifying is necessarily inclusive of all of the things that need to be focused. I think I heard that there were people that did not have HIPAA awareness. I heard significant issues by all groups that were testifying related to technical support, issues that they had with implementation, the likelihood that if things aren’t done right that there’s going to be a lot of money going down the wrong drain, people are going to do implementations in tremendous amounts either overshoot implementation or do the wrong implementation, and that isn’t a small provider issue.

I’d say offhand if we want to focus more about small providers we probably better talk to groups who represent small providers to find out what they are already doing as opposed to just jumping to the assumption that there’s an immediate problem there.

DR. DANAHER: Again, given the vagueness to me of much of this regulation in terms of things reasonable efforts, reasonable periods of time, no purposefully, no delineation about what compromises training, how much time, etc., I’m less concerned that, personally, it’s my personal bias, less concerned that EAL(?) spends two million dollars more than they should spend or that Fallon, I’m less concerned with the haves than I am with the have nots.

I think there are big, and I again, also the other thing I don’t want us to make the mistake of, is thinking that somehow once April 14, 2003, comes we don’t have to worry about this and we’re all shooting for that date. I guess what, and this just may be where you stand is where you sit, the big issue for me is that the basic tenets of what this regulation is all about and what this is intended to do in terms of serving consumer interests is being totally unheard about by whom I would argue is potentially the most important constituency, and that is the providers. I’m much less concerned about whether a big hospital or small hospital spends too much or too little or gets a bad consultant.

MR. ROTHSTEIN: Let me comment and with all due respect to OCR I believe that this is a problem that is too big for OCR. The solution to it is too big for OCR. I think that what we need is a serious commitment from the highest levels at HHS to make this work. I think the current staff of OCR and CMS and whoever else is working on this could put in 24 hour days between now and April and we still would be in big trouble because what we need, and of course I’m not privy to what this contractor is doing, but I think it’s clear we need massive public education programs, through public service announcements, through all sorts of media.

We need very specialized responses to specific problems by even large corporations and their health benefit plans, large hospitals, and of course small hospitals and visiting nurses, everybody comes in with a separate, difficult issue to resolve and we just, I haven’t seen the kind of appropriate response to a law that is going to affect every single person in the country. This is not just a provider law, this is a law that affects everyone who picks up a prescription, it is just massive. I could be wrong, but it seems to me that there may well be some underestimation of the scope and complexity of getting HIPAA off the ground. I don’t know whether we as a committee have that, or even a subcommittee, have the authority to make that case. I would like to see someone from the highest level of the department attend our full September meeting, where we can make this case.

MS. GREENBERG: I think you putting it at the top of HHS is a valid thing to do because I think that we heard that the public health departments are going on their own, the local health departments, forget it. No resources. I asked about their national associations sort of knowing the answers, but there are some good people there, but they can’t begin to do it. That’s all under . . . OCR has got to at least initially be focusing on the real covered entities and CMS certainly the ones we know are covered entities. The issue about employer ERISA plans and all of that. It almost goes beyond the department, you get into the Labor Department as well.

I think you’re right, what really struck me was how massive the impact is of this. I think you really didn’t hear anybody saying this is not good, the government has gone awry by suggesting that we need to improve our policies. In fact, maybe one person, but it was heartening to me to hear the people say we had kind of vague policies, this is really forcing us to look at our policies and procedures and to improve them. It’s a tremendous opportunity. But on the other hand, it’s a tremendous job.

I think it certainly is the role of the committee, to say, you’ve got to recognize this as a time of constrained resources. The old budget surplus slipped away before we knew it was there. I think that this is beyond OCR and that’s why I was trying to think about building on to what OCR is doing. Your recommendations go down to the secretary and the data consult, but some kind of emphasis on hey, this really has a huge impact and people are not ready for this. It needs a lot more effort than is going into it. This will be over time. We were talking at lunch about the whole issue of enforcement and you get the feeling you don’t really want to come on too heavy on enforcement early on because, for a lot of reasons, because it is such a huge job. On the other hand, you don’t want to make it sound like the emperor has no clothes and there’s no teeth in this.

I think that type of message should go into the letter that you’re talking about. It’s a lot bigger than I think a lot of people have realized.

DR. ZUBELDIA: What I’m hearing Marge say, this has to get to the general public. This needs to be on the nightly news, needs to be on Oprah, all those shows. This subcommittee has a precedent of getting something in the news, at least with the individual identifier.

MS. GREENBERG: Negatively. You don’t want to scare people off. It’s got to be done well. We certainly don’t want the horror stories but it does impact, your point, it actually affects everybody except that rare person who has never been to the doctor.

DR. DANAHER: I think Mark you are absolutely right. It’s like any initiative in an organization. Unless it gets executive, the very highest buy-in it doesn’t, any initiative that touches every person in an organization, let’s say the CEO themselves is championing it, it just kind of falls by the wayside. At the same time I think also there is a disservice in that for lack of a better analogy, there is no C. Everett Koop out there articulating and making it understandable and palatable to the public, to providers, saying, this is what you need to know.

MR. ROTHSTEIN: Well, John Fanning looks a little like C. Everett Koop, we can get him out there.

DR. DANAHER: You see what I’m saying, it almost is a sense of if you were to have an Office of the Surgeon General type person who is out there articulating the importance, I think the value proposition to consumers or why it is important to them, what this is all about, really has not been. Consumers know the importance of protecting their health information. I just think having someone they could identify with would be very useful.

MS. GREENBERG: To counteract also the idea of when in doubt we won’t provide any information. This could really shut down a lot of research and a lot of valuable activities.

MR. ROTHSTEIN: At the CDC’s First Annual National Public Health Law Conference, they had a series of break-out sessions. The session on HIPAA in public health, there were people hanging from the chandeliers. To a person, there was incredible anxiety about their continued ability to do traditional public health surveillance, epidemiology, investigations, reporting and so forth, because hospitals and providers are misinformed about HIPAA. They wanted to know what was going to be done to fix this situation.

DR. COHN: I certainly support I think your view. I don’t know that we necessarily have to get Tommy Thompson in the room to make the case to him. I think a properly crafted letter might do more than have him show up and having spend five or ten minutes talking to him. At least at this point. I also mentioned the Data Council as quite the right group, either they will go obviously to the Data Council. But generally these letters do find their way up to the deputy secretary or others.

MR. ROTHSTEIN: If it would be possible to have the assistant secretary for health, the deputy secretary, someone of the first rung of political appointees to spend a half hour with the full committee just to get a flavor of what we’ve heard in the last day and a half, I think that would be absolutely essential if we’re going to make major strides.

MS. GREENBERG: Would you be ready to do that by the September meeting?

MR. ROTHSTEIN: I don’t know that we could make a detailed presentation of our recommendations but I’m prepared now to speak for a half an hour about the magnitude of the problem that we have heard. The scope of the problem that we have heard, and the lack of preparation and the consequences to all sorts of things, public health, law enforcement, you just go right down the list, social services, things that I hadn’t even thought about that we heard today, if this is not handled properly. I think all of us could make that case. I’m not sure what I would recommend to fix it, other than saying listen, this is coming up and it needs very serious attention and resources.

DR. COHN: I’m thankful that we have an attorney for a chair. I’m not sure at this point I would be able to speak for half an hour on that.

MS. GREENBERG: Well, Stephanie and I could talk with Jim Scanlon and you can talk with Sue or whoever, about if we might get somebody to come to the meeting and get a sort of a reverse briefing, we’re always asking people to brief us, and we’d like to brief them on what we’ve heard here. Time is of the essence.

DR. COHN: The other piece, of course, is that we have this new person who is heading OCR, I’m glad that we have another acting person even though I thought Robin Sue was excellent, and obviously we don’t want to undermine that person, but maybe then there will be some higher level people can attend at the same time. Really what we are talking about is this person, I apologize if I’ve already forgotten his name, he needs leadership support from the highest level of HHS to make things happen. The leadership really needs to come from the highest level.

MS. GREENBERG: It’s an advantage of having someone new in the position because we are not being at all critical of him nor his predecessor. All we want to do is support the need for resources and a commitment to put this right below bio-terrorism on the HHS . . .

DR. ZUBELDIA: Somebody new is going to be flooded with requests from everywhere. This will be just one more. This will be just one more request to do something. I’m sure Mr. Campanelli is going to be completely flooded with requests from everybody just because he is new and everything is new to him. I think this will get lost in the shuffle.

DR. DANAHER: The other thing I think we have to ask ourselves, quite frankly, is really two questions, which is, is what we’re doing, first of all, is there a champion in HHS for what we’re doing who is a political appointment? Frankly, the reality is if you’re a career, it’s a little hard to get out in front of some of these things. The second thing is, is what we’re doing embraced, I’m not saying this as a criticism, I’m asking as an honest question, is it embraced by the Administration? Because to a point, Mark, I think you are absolutely right, but if nobody, if the secretary, or the deputy secretary, nobody wants to be seen as too closely associated with this issue then as much as I think it’s the right avenue to go I don’t think it is necessarily going to be a successful avenue.

MS. GREENBERG: Well the thing is they’ve put enormous efforts into getting this rule. They could have killed the rule and they made the decision not only not to but to make it more workable. Just compare it to what’s been rolling out on the rest of HIPAA. You can really see the resources that have gone into getting this rule right, as much as you could, and get it out in time for the April 14 compliance date. To me that says that this has pretty high standing in the department, right up to the top.

I think that the message is this is really good, that it got out when it did, but that puts a tremendous onus on, you’ve only done the first step, it puts a tremendous onus on the department now to get out there and really promote and facilitate and work on its implementation.

DR. DANAHER: Marjorie, I hear what you’re saying. But who would you say, which person in HHS or which person in the executive branch or in the legislative branch is most associated and most supportive of the work that the agency is doing? What individual?

MS. GREENBERG: Who chaired the privacy council?

MS. KAMINSKY: Anne Agnew, the exec sec was really I think the chair if there was one . . .

MS. KAMINSKY: This is my response to what everyone is saying. As somebody who is new to OCR, new to the Office of the Secretary, and new to the committee, I feel a little bit hesitant to identify which individual I would suggest. I think the strategy of getting somebody, in addition to the head of OCR, or whoever we can get from OCR to listen, is an appropriate and a good one. I think that these suggestions are on the right track. Whether that would be some of the folks who you are naturally thinking about, deputy secretaries of HHS and whatnot, versus whether it should be somebody or a group of people who were more closely associated with the privacy rule, i.e., the privacy council folks, to me is the question. I have some opinions about that but I’m not sure they are really. . .

MS. GREENBERG: That’s why I think it would be good to talk to Jim Scanlon about that and maybe it should be someone from ASPE(?) . . .

MS. KAMINSKY: There are people within the department who were extraordinarily involved, extraordinarily involved with the privacy rule. These are the people who are having the greatest impact on privacy policy right now and it seems to me that these probably would be good ears to get to on this. Again, that’s just my own very personal opinion and it’s not necessarily based on kind of an understanding of or clear knowledge of who would strategically be the best person in terms of getting that exec level buy-in that you are talking about being so essential.

There are sort of two different questions and it may be appropriate to try to get some privacy council folks as well as some others, I’m not sure. I’m curious when NCVHS gets other sort of political appointees to come and listen or attend NCVHS meetings what strategies are used to pull the particular people to come to those.

MS. GREENBERG: It’s very difficult to get the people, the higher ups in the agency, we finally did get Donna Shalala to actually come to the 50th Anniversary Symposium. That was pretty much at the end of her tenure. That was the first time we interacted with her. We never did have the deputy secretary. I remember we did finally get the administrator’s CMS. It’s hard to get these folks to come.

MR. ROTHSTEIN: We may want to have a conference call certainly with John Lumpkin and see what his views are.

MS. GREENBERG: Frankly, he’s been trying to get a meeting with somebody around the NHII, which this is very much related to the NHII, frankly I think. It’s the underpinning really of the NHII and he’s been trying for a year without success.

DR. DANAHER: What I have in mind is somewhere along the way Tom Sculley(?) is on record of having said organizations which wish to contract with NICMS are going to need to be HIPAA compliant. There is somewhere that he got out there and said something like that. That gets picked up everywhere, everybody knows it, etc., so I guess that kind of executive support, and then if you could actually endorse those people to speak more frequently about it. I just think really it has a pronounced effect.

MR. ROTHSTEIN: I think sitting around this table are people who have a pretty good idea of the HIPAA privacy rule and I think to a person we were surprised at some of the testimony we heard, speaking certainly for myself. I heard issues that I hadn’t even considered, let alone the resolution of those issues. I think those in positions to influence the course of the implementation of the rule need to hear what we’ve heard. It’s that simple.

MS. KAMINSKY: As a sort of strategic point, though, you're thinking that it would be appropriate to have these folks at the full committee meeting when we would be presenting to the full committee what we’ve heard so far so that everybody can hear all at once, both full committee members as well as some of these people?

MR. ROTHSTEIN: Correct.

MS. GREENBERG: That was my question, would we be ready or whether you need, the next meeting of the meeting is after the last of the three hearings, in November.

MS. KAMINSKY: I’m asking because it seems like the point of presenting to colleagues within the full committee might be slightly different than the point of presenting to departmental people. The orientation of the presentation might be slightly different. I think it would be fine because it’s essentially the same information. I was just checking that that is really what we think would be the plan.

DR. COHN: I’m struggling a little bit. I think certainly getting a high level person to listen would be fine. I am well aware that we are in the middle of a political season, in the midst of a political season, there are elections coming up and things like that that I think do play in some to this and we just need to be careful. This is not a political body and I don’t think we suddenly want to jump into that.

I think the other piece is that . . .

MS. GREENBERG: I don’t think the discussion has really been political.

DR. COHN: No, but it is a political season. I think the other issue is that one of the things that we are going to need to grapple with, based on the facts that are beginning to emerge is, is the solution to devote tremendous amounts of resources, make this absolute commitment that everybody is going to be in full compliance by April 14, or are we going to be recommending that geez, you need to make a major effort but you really need to be facing an end compliance enforcement over a year. Given that those are sort of slightly different messages and I don’t think I have the answer to which approach we should take. It’s a very different message to tell the leadership.

The question is do we want to deliver a message in two weeks or do we want to wait until we have a slightly better idea of what makes the most sense to actually begin to go to the high level leadership face to face. I’m not saying we don’t do a letter because I think a letter is very appropriate. But what are we recommending?

MR. ROTHSTEIN: Well, our next meeting of the full committee is the 19th and 20th of November. That’s another two months, it’s close to Thanksgiving and I don’t think, even if there were a commitment, probably nothing would happen until after the 1st of the year.

MS. GREENBERG: You know what, maybe a good approach would be to get together a letter which can be discussed with the full committee in open session. Certainly I would discourage Rick Campanelli(?) from coming and giving, someone from OCR would be expected to come and report, so I would discourage him from coming, it would be a nice opportunity for him to meet with the committee and that would make a letter have a little more personal touch to it. But, maybe say in the letter, this was the first of three hearings, but we feel given the timeframe and everything else and given what we heard that people are making decisions of all types and that we need to communicate this to you sooner rather than later, say whatever you want in it, but we will have a fuller assessment at the end of our three hearings and we would like to have a discussion with you at the November meeting on these issues. Trying to get someone, the timing may not be that good, I think it is a little premature to try to get somebody at the full committee other than the head of OCR in his capacity of reporting. You can certainly share things with him then. To get this kind of dialogue at the full committee meeting in two weeks when you haven’t even gone through discussing this with the full committee yet and you don’t have anything written yet, etc., but so that could be kind of a two phase thing. Alert them to initial concerns for, and even ask then to present that at the Data Council in October or something. Then also say you would like to be able to have a discussion at the November meeting.

MR. ROTHSTEIN: Well, I think that is probably a wise suggestion given the fact that even if we were unanimous, their schedules are probably all booked up of anybody we’d want to talk to for the next month or more.

DR. COHN: You know the other issue, this is just another option, we need to figure out who we need to be talking to, but there is the option of the committee deciding that what we want to do is have you and John, whenever these people are available, to go and meet with them, the two of you, and have a conversation. I don’t know that coming before the full committee as opposed to you both representing the thoughts of the committee or you even individually representing the thoughts of the committee. The answer to this question is how best to get it to them.

MR. ROTHSTEIN: We might include in the letter something like we would be available to meet with you at your convenience.

DR. COHN: Yes, exactly.

MS. GREENBERG: We haven’t been too successful at that yet.

MR. ROTHSTEIN: Maybe it hasn’t been convenient.

MS. GREENBERG: Can I say something about the November hearing? Not the November hearing, the October, the next hearing. I think that several people have said that this was really good to have the hearing but to have it here in Boston. I think that I supported the move to Baltimore for a variety of reasons but I am still hoping that we, and it sounds like from your preliminary investigation related to South Carolina, we have some people from outside the Washington metropolitan area we’re already thinking about inviting. I think that it is important to hear from some of the same constituencies but from a different region because New England is different in some respect, I mean every part of the country is different. Massachusetts has a lot of laws and have obviously a very very active, Mass Health Data Consortium is frankly one of the best in the country and we heard a lot of good things about what they are doing. It may be worse actually than what we’ve heard in other parts of the country.

I guess, although I think the groups you mentioned are certainly important and we’d want to hear from them, I wouldn’t narrow it down too much to just a few groups either. I think part of the reason we decided to do these regional hearings is to try to hear from some different parts of the country and get some different perspective. I myself thought the people you recommended or were talking to from North Carolina would be good to hear from and I would recommend staying somewhat broad again across the different constituencies although there may be some groups you want to hear from more than others.

MR. ROTHSTEIN: Maybe we can get some people from West Virginia, from Delaware, just in the area, the Philadelphia area is not too far away.

DR. DANAHER: The other suggestion, and it’s not a criticism, Stephanie and I talked about this a lot, I think personally I found the testimonies from, there is a very real HIPAA circuit of speakers who go around and we saw a few of them. I think I benefited more when I heard from people that were spending more time in the trenches actually trying to deal with these issues and problems rather than a professional speaker. I think Stephanie did a fabulous job, it’s just a suggestion going forth, that we continue to keep that focus. Often the names that we don’t recognize are the people who actually have the best insights to these issues.

MR. ROTHSTEIN: Well, we have actually run out of time for our agenda. Let me suggest some follow-up steps. In advance of the September meeting I will prepare, with Stephanie’s assistance, a draft letter that we will circulate to the members of the subcommittee for approval and then to the full committee. I will see if we can’t get some time on the agenda too, and I don’t recall how full it is at the moment, whether we can accommodate it. We will also take the general advice into account as we move forward with the next two series of hearings. That is to try to have a regional focus so that, for example, at the Salt Lake City hearing, we’re going to try to get somebody from Wyoming, and maybe some surrounding states, some rural areas.

DR. ZUBELDIA: I’m lining up some Indian health type of facilities, not Indian health, but facilities that serve the Indian community and some people from xx, Nevada and other outlying areas that normally would not come to any of these meetings.

MR. ROTHSTEIN: We hope to have a mixture of speakers and topics and we can also finalize that at the September meeting. We’ll still have a month before our first hearing so we don’t need to resolve that now. Maybe we’ll make some progress in the next couple weeks, but our first priority will be to get a letter along the lines that we discussed this afternoon ready for the full committee.

MS. KAMINSKY: Along those lines do you think it, we can start to work on the letter, but do you think it makes sense to take any input from subcommittee members of particular things that you might want to see in that?

MR. ROTHSTEIN: Well, I think, let me take a first cut at it. I don’t want to put too much in it. I can tell you what main themes we’ll have, the breadth, scope and timeliness of the issue as well as the need for broad educational programs and specific forms, guides, etc. I think that’s basically what we heard.

DR. COHN: And timely responses to the issues from OCR.

MS. KAMINSKY: I guess I bring it up, I know we are out of time, but John yesterday in a conversation after the first couple of panels was talking about the idea of having OCR doing some kind of an open door call-in initiative on a monthly basis, similar to the CMS open door forum initiatives that have been going on since Sculley(?) took over CMS where people can, it’s divided up by topics, like rural health, like nursing homes, etc., etc., whether there is a new initiative coming out or not, I’ve only attended a few of them. They get the experts from CMS to be on the telephone and basically take questions and have open discussion about these particular topics and John had thought that if we could once a month have that kind of access to OCR privacy experts.

MR. ROTHSTEIN: I think that’s a fine idea. I wouldn’t put it in the September letter. I would raise it as one of the 20 points that we are going to suggest at a much more small level of detail for the November statement.

DR. ZUBELDIA: In the September letter you are going to have this consumer outreach concept?

MR. ROTHSTEIN: Correct, yes. Well if there is no further business I want to thank you all for support at this meeting. I want to thank Stephanie again for the great job that she did. If there is anyone still listening, thank you for hanging in there with us. The meeting is adjourned.

(Whereupon, the meeting adjourns at 4:23 p.m.)