Public Health Service

NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS

Subcommittee on Privacy and Confidentiality

October 29-30, 2002

Marriott Hotel, Waterfront


The Subcommittee on Privacy and Confidentiality of the National Committee on Vital and Health Statistics held hearings October 29-30, 2002, at the Marriott Hotel, Waterfront in Baltimore, Maryland.

Subcommittee members

Staff and Liaisons

Others


EXECUTIVE SUMMARY

October 29-30, 2002

The Subcommittee on Privacy and Confidentiality held hearings October 29-30, 2002 on implementation issues under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. During the two days, the Subcommittee heard testimony from 35 individuals on seven panels and in public comments.

Panel 1: Physician and Other Health Professional Practices

Dr. Kibbe discussed the American Academy of Family Physicians' (AAFP) HIPAA action plan and strategy aimed at: educating members about impending rules, deadlines, guidances, and extensions; developing and providing tools to assist family physicians in implementing necessary changes at the practice level; and seeking statutory and regulatory changes to fix unworkable HIPAA requirements. Dr. Kibbe noted members' confusion over the privacy rule and said less than half of them had begun implementing the privacy standards. He encouraged accepting a zone of compliance regarding business associate contracts for small providers. Dr. Kibbe cautioned that a massive public education program was needed to prevent a public meltdown over HIPAA.

Dr. Smith advised that providers were having tremendous difficulty comprehending the regulations and until OCR provided information they couldn't be expected to be compliant. He said providers would benefit from an in-depth manual designed for the small or medium-sized group practice. Noting many didn't have financial resources to obtain additional guidance, Dr. Smith encouraged OCR to be the definitive source for privacy-related information available to all providers. He urged OCR to create specialty-specific programs and participate in regional and state meetings. And he noted the provider community needed more information about OCR's enforcement of the regulations, including a clear explanation of penalties for non-compliance and situations in which they applied. Dr. Smith emphasized that OCR needed to take responsibility for ensuring that patients, as well as providers, understood the new regulations and he recommended clearly identifying, articulating, and maintaining state and federal laws related to privacy in a compendium. Dr. Smith said APMA believed the covered entities, especially practitioners, needed more help in achieving compliance with the privacy regulations by the deadline. Most practitioners, already overwhelmed with existing regulations, struggled to comprehend the privacy regulations. APMA requested OCR's active assistance.

Dr. Jennings noted the concern of small practices and clinics, which often served the most vulnerable populations, about their inability to implement the rule because of the cost of compliance. Nurse practitioners were also concerned about disruption of continuity of care and dissolution of its quality through over-regulation. Outreach, education and technical support from the federal government were needed to implement the regulation in an uncomplicated, clear manner. Dr. Jennings said the nurse practitioners' knowledge of the concerns of clinicians and realities of implementing the rules in the various settings in which they practiced were under-utilized. Noting misinformation circulated, she suggested that their expertise and the deep patient trust nurse practitioners promoted could be utilized to convey the message about this process to patients.

Dr. Van de Castle said most of his patients came from other towns where they weren't comfortable with the care because some practitioners had inappropriately disclosed personal information about their patients. He acknowledged that, in rare instances the rule was workable, but only if practitioners were able to accept restrictions their patients requested that many small providers couldn't afford. Dr. Van de Castle emphasized that the small provider's greatest concern was the legalization of the doctor-patient relationship. He said the key issue was how to enforce the privacy rulings. Dr. Van de Castle advised that all requests for restrictions be in writing and reviewed by a committee. Except in extreme dire circumstances, he recommended that the committee refuse all but certain situations he discussed. Dr. Van de Castle said providers had to come up with their own privacy practices and make it clear to their patients that they'd do their best to keep things confidential, but couldn't guarantee it.

Panel 2: Communicating with Consumers

Dr. Lefebvre recommended developing a public education initiative. Noting that communication messages were most effective when crafted in ways that reflected the realities of discrete audiences, he advised the Committee to identify priority audiences. He suggested that qualitative studies with each audience would help them understand each perspective on the issues and to develop long and short format media messages about the privacy rule and actions. Dr. Lefebvre also recommended media briefings in major markets by national spokespersons, sponsorship of local forums, presentations and workshops at key professional meetings, and targeted print advertisements in national publications read by the target audiences, as well as paid or public service advertising on television, radio and the Web.

Dr. Baur focused on the complexity of the regulations, concepts and vocabulary. Noting this issue involved language and culture as well as translation, she emphasized the need to consider audiences' prior knowledge and personal experience with the concepts being communicated. Remarking that notices distributed under the Gramm-Leach-Bliley Act were considered so dense, confusing and misleading that consumers threw them away, Dr. Baur recommended clear and easy to read notices of information practices as a tool for communicating with the public. Dr. Baur said the NHII vision was based on people understanding and accepting protections for the appropriate use and sharing of their personal health information and the sharing of health information is necessary for the vision to be realized.

Ms. McMullan said that in 1997 the Balanced Budget Act charged the Centers for Medicare and Medicaid Service (CMS) with developing information explaining people's rights and protections within Medicare and their options for receiving benefits. The goal was awareness and an understanding of opportunities as well as ensuring that accurate, reliable and relevant information was available through multiple information channels that people trusted and used. The key component was the Medicare and You handbook mailed out to 35 million households each year. Medicare also utilized a Web site and a toll-free help line and engaged advocacy groups, employers, healthcare providers, and states in getting the message out. Grants for state health insurance assistance programs helped recipients understand their Medicare issues and concerns and a national publicity campaign included prime-time bilingual advertising. Ms. McMullan reported that CMS planned on being fully compliant by April.

Ms. Schwartz shared insights gained from her experience directing large-scale national campaigns. She said the first issue was to be selective. Target audiences needed to be definitively and creatively segmented in order for the message to be understood and have significance. Noting important issues needed to be raised, she recommended asking important questions and researching the answers. Ms. Schwartz emphasized that having clear behavioral objectives from the outset was essential. She suggested thinking in terms of where identified and prioritized audiences lived, learned, worked, played or prayed in order to determine effective channels and sources of communications, coupled with interpersonal outreach efforts to promote understanding, deliberation and action. Ms. Schwartz cited the America Responds to AIDS campaign as an example of prioritizing audiences and working in phases to address every aspect of an issue in the right time and place.

Panel 3: Health Systems and Institutional Providers

Mr. Lobb said Conemaugh Health Systems (CHS) utilized an operational team representing each entity and subgroup of services and a work group approach focused on helping define policy and develop interpretations of the privacy rule. CHS didn't have an in-house legal counsel; most of its interpretations of the law's provisions were derived from discussions within the operational team, articles on how others interpreted the provisions, information from associations and frequently asked questions (FAQs) on the HHS's Web site, as well as from the regulation itself. Mr. Lobb broke down CHS's education and training models into four phases. The first phase met requirements of the HIPAA regulation provisions covering general awareness education. Mr. Lobb reported that CHS was entering the second operational phase. As each work group progressed through each operational task form and process, they also drafted a staff training approach using the American Health Information Management Association's (AHIMA) matrix. He said the external phase was next. CHS still needed to develop the monitoring phase and was looking for guidance from HHS. Mr. Lobb said CHS had done its best to interpret the privacy provisions, based on how peers and associations interpreted the law. He commended HHS on their recent fact sheets and urged them to do more.

Ms. Bowen said the Tennessee Health Information Management Association (THIMA) and other professional, compliance and technology groups as well as attorneys and others worked collaboratively with the Tennessee Hospital Association (THA) to share understandings of the privacy regulations and implementation process and develop best practices. THIMA representatives appointed to coordinate activities within each geographic region attended HIPAA-focused meetings at THA, brought information to their designated regions for discussion, and conveyed feedback at meetings on the state level. Each area hosted meetings and coordinated separate education sessions for privacy officers, physicians and practice managers focused on the implementation process. Representatives worked with an attorney, hired by THA, for review and response regarding state preemption analysis. AHIMA also offered certification in healthcare privacy. Ms. Bowen noted implementation of the privacy rule was more difficult than other HIPAA regulations. She said mailings from consultants offering to assist in providing "the HIPAA solution" created confusion and havoc, especially among small providers. Ms. Bowen stressed that small providers and other covered entities needed targeted, reliable educational programs in various formats and media. She recommended that OCR produce and disseminate sample forms, in various languages. Ms. Bowen suggested OCR expand its partnership with professional associations and other industry non-profit organizations, leveraging and reinforcing activities implementing privacy best practices and assuring that a consistent understanding of the rule applied.

Ms. Weaver said most members of the American Association of Homes and Services for the Aging (AAHSA) attempted compliance, but many smaller facilities weren't able to implement HIPAA standards smoothly. Often, the only logical privacy official was the administrator or director of nursing services who was too busy. She noted that long-term care providers weren't only concerned with state preemption issues; federal laws also impacted the privacy rules. Many of these facilities couldn't afford lawyers to provide HIPAA services. So organizations pooled resources and groups worked together to articulate model policies and tease out the more troubling issues. Ms. Weaver added that fundraising was also a big issue for non-profit providers. First and foremost, Ms. Weaver said members needed a practical meaning for "scalable." She urged OCR to ramp up the Q&A process and provide feedback on its Web site. Noting that long-term care was so heavily regulated, she encouraged OCR to talk with the part of CMS that oversaw long-term care survey and certification. AAHSA supported recommendations that they develop model forms and recommended that OCR work with the states to reconcile inconsistencies at the federal level. Ms. Weaver also addressed the high cost of HIPAA implementation. She asked if at least state Medicaid programs could recognize providers' costs attributable to Medicaid for HIPAA implementation efforts.

Ms. Meinhardt emphasized that the long-term care industry was varied, with different providers providing a spectrum of services. Large organizations, especially the chains, had more resources and were farther along in implementation than independent owner/operators of independent facilities. Ms. Meinhardt said the industry needed clear, specific guidelines from HHS on how the privacy rules applied to them. Ms. Meinhardt focused on the guidance HHS needed to give to the long-term care industry. She expressed concern about the lack of guidance on the preemption of state law in respect to enforcement issues. And she emphasized that HHS needed to issue more guidance on the heath plan definition. Ms. Meinhardt said she'd requested that CMS consolidate, or at least coordinate, its privacy survey process with OCR, but she hadn't received a response. Noting the long-term care industry's enforcement concerns were based on past experiences with enforcement of other regulatory schemes, Ms. Meinhardt expressed concern that these enforcement actions wouldn't be kinder and gentler, as OCR promised.

Panel 4: Universities

Ms. Richardson discussed accounting for disclosures, focusing on how it related to research under a waiver of authorization, reviews preparatory to research, and research on decedents. For those three areas, the August changes provided an extra provision: the accounting could be performed in summary form if the disclosure included 50 or more individuals' records. From an organizational perspective of having to track that information, it would be difficult to automate and then train researchers responsible for performing these accountings. She asked for short-term clarification of how this could be done. Ms. Richardson also asked that the privacy regulations be amended to eliminate the requirement to account for waived research, listed under 164.512(i). And she noted that another issue was identifying minimum necessary.

Ms. Shanley said academic medical center (AMC) structures were extremely broad and varied and that the diverse missions found in an AMC environment produced multi-faceted uses and disclosures: e.g., educational, research, and healthcare provider issues. She said the practical difficulty that HIPAA issues created was due to common industry approaches within each segment and was difficult to identify. Ms. Shanley noted areas for regulatory clarification proliferated. She said, in her experience, consensus and best practice had been costly and time consuming. Ms. Shanley reviewed the financial burden and noted other research issues.

Mr. Harrington said the academic medical center camp, which owned hospitals and/or practice groups, had been working on HIPAA for one or two years. The extension deadline caused a lot of the smaller colleges to become more serious and active regarding compliance. Mr. Harrington said a threshold issue confusing many people was whether HIPAA or the Family Educational Rights and Privacy Act (FERPA) applied to student records. He suggested that HHS add a Q&A providing guidance on this issue. Mr. Harrington discussed in detail the issue of schools serving dual populations, advising that he believed it was a reasonable interpretation of the statutes for HHS to say that HIPAA was the more specific statute and largely stricter with respect to privacy and confidentiality and thus would allow schools to opt into HIPAA. Mr. Harrington covered research issues, suggesting the agency consider either saying that they deemed recruitment to be a healthcare operation or a marketing operation, and have those use rules apply to research recruitment, or else to have a regulatory change. Mr. Harrington noted another issue was dual employment. The university paid part of the College of Medicine faculty's salary. The faculty members were also employees of the practice group, a separate legal entity associated with the hospital. From an administrative standpoint, he said it would be advantageous if they were deemed internal to the covered entity. The university asked for guidance from the agency. Mr. Harrington noted the agency had said that the final security rules would conform to the privacy rule and work together well. He urged the agency to carry the hybrid entity concept and the FERPA exemption into the final security rule.

Mr. Marks said the first issue that concerned his university clients was the Secretary's failure to publish the final security rules required by the statute. The second was the enormous complexity, ambiguity, and confusion of the HIPAA rules and the agency's delay in clarifying them. Third was the agency's failure to deal with the U.S. Supreme Court precedent, which made their informal guidance not authoritative. Fourth was the additional cost and delay HIPAA rules imposed on medical research. Fifth and important for privacy and confidentiality, was the Secretary's failure to assure early enough that the transaction standards were complete, thus ensuring confidence that the healthcare payment system wouldn't face substantial disruption. And he said HIPAA's preemption rule proved to be extremely confusing, costly, and intractable.

Day Two

Panel 1: Health Plans and Group Health Plans

Ron E. Hoffman, RHU, Legislative/Regulatory Analyst, Corporate Privacy Team, Mutual of Omaha Insurance Company

Colleen Grimes, Assistant Vice President, HIPAA Compliance, Amerigroup Corporation

Mr. Hoffman encouraged NCVHS to urge the Congress to provide full federal preemption for the HIPAA Privacy standards, OCR to provide more interpretive and interactive guidance, and HHS to delegate more resources to this area. Mr. Hoffman also encouraged OCR to provide more interpretive and interactive guidance to group health plans and the insurance industry, including specific HIPAA Privacy responsibilities of group health plan sponsors, obligations of plan sponsors regarding the use and disclosure of summary (de-identified) information, plan document change requirements of fully insured plan sponsors who do not receive protected health information, application of HIPAA privacy standards to governmental plans, HIPAA compliance obligations of an insurance issuer in its relationship with a small health plan during the additional transition year available to small health plans for compliance, and assistance with standardized notice and authorization forms for health plans and insurers that address the preemption questions. In order to facilitate the agency's responsiveness, Mr. Hoffman urged OCR to establish internal covered entity compliance issue teams, preferably by industry segments.

Speaking on behalf of the American Association of Health Plans (AAHP), Ms. Grimes said the challenge for health plans was applying these requirements to what they did daily at an operational level. She pointed out that many providers and some health plans were waiting for the final rule before moving towards compliance. She recommended that OCR work with covered entities, helping them implement the privacy rule by April 14 by providing more guidance and technical assistance regarding the rule's application to the business operations of health plans and healthcare providers and expanding work already done with interested parties on educational and outreach efforts. Ms. Grimes urged OCR to provide assistance to healthcare providers and health plans in working through regulatory gray areas. Ms. Grimes said minimum necessary use and disclosure of PHI also had to be clarified. Ms. Grimes advised OCR to provide a Notice of Proposed Rulemaking (NPRM). She also suggested that OCR engage in the types of outreach and education efforts undertaken by health plans and business, professional and state industry groups. Ms. Grimes recommended that OCR work with regional WEDI/SNIP affiliates to develop best practices and educate covered entities on how to successfully implement the rule. She suggested that an advisory board or consortium incorporating business, industry and professional groups was a proven, effective means of outreach and education. She recommended that OCR review the forms and model documents developed and indicate when materials met the minimum standards. Ms. Grimes emphasized that outreach, education and technical assistance were needed for health plans and all covered entities. Ms. Grimes strongly urged the government to provide necessary resources to support OCR in developing the implementation tools the entities needed. Ms. Grimes asked the Subcommittee to consider its role in the outreach and education of covered entities and urged them to develop best practices that could be uniformly used by covered entities.

Mr. Daley noted a recent Gartner report indicated that the average payer would spend over $14 million and the average provider over $5.6 million to comply with HIPAA. He stressed the importance of identifying measures that could ease the burden of compliance and allow covered entities to allocate resources to serve in other ways. Based on the preemption criteria, covered entities must decide on a provision-by-provision basis the portions of state law that would be retained and those that would be preempted by federal law. For entities doing business in multiple states, the process became further complicated. Preemption analysis had to be completed by each covered entity, including every payer, provider and clearinghouse. Mr. Daley said these redundant efforts drained valuable resources. Mr. Daley urged HHS to prepare and maintain an up-to-date, detailed privacy guide that showed covered entities and consumers the privacy provisions that applied to each state. He said this would alleviate the need for tens of thousands of covered entities to perform the preemption analysis and eliminate potentially conflicting determinations of which provisions applied within a given state. Mr. Daley noted other existing legislation on privacy, additional legislation being discussed at the federal level, and that the analysis would have to be conducted each time a new privacy law was passed. And he recommended that covered entities in compliance with HIPAA should be deemed to be in compliance with other federal privacy requirements. Mr. Daley suggested that a national plain-language HIPAA guidance be created. Mr. Daley recommended that HHS prepare guidance that described how vendor services might assist covered entities and what covered entities needed to do on their own. Mr. Daley concluded that the industry could benefit significantly from having access to a centralized preemption analysis and standard awareness and outreach materials. He suggested that HHS develop standard, uniform guidance on preemption; allocate additional resources for outreach and prepare awareness and outreach materials for providers and employers; and make available on the HHS Web site a list of publicly available HIPAA information, including links to other sites with HIPAA information.

Mr. Fitzgerald advised that much of the confusion in the employer community came from the fact that HHS had no authority to regulate employers directly. The privacy rule operated with the distinction that the group health plan and the plan sponsor of an ERISA plan were different people or entities, when in fact they weren't. Mr. Fitzgerald expressed concern that covered entities were at the mercy of an army of vendors and consultants, whose expertise was often limited to misinformation, baseless guarantees and scare tactics. Preemption issues complicated the already intricate details of the privacy rule. Mr. Fitzgerald stressed that the need for affirmation of ERISA preemption of state privacy laws was of particular importance. He said the preemption analysis would keep people aware of new updates that affected existing laws on privacy. Mr. Fitzgerald noted proposed provisions of the community pharmacy guide would be inconsistent with all the other transaction standards alluded to in the August 14 final rules, and he suggested that NCPDP 5.1 be modified to include name, complete date of birth, relationship to patient and gender, member identifying number and other key identifiers as required fields to be consistent with the treatment of information of standards adopted for medical and other clients. Mr. Fitzgerald noted confusion amongst employers regarding the reach of the privacy rule beyond group health plans. Mr. Fitzgerald suggested that the current defined transactions list, which focused essentially on group health insurance information, remain static with no others added and with the deletion of the term "first report of injury" from the regulation. Mr. Fitzgerald said that one single line item, FROI, had been the most confusing to explain and its deletion would remove unnecessary ambiguity from the regulations. Mr. Fitzgerald suggested that a covered entity performing non-covered functions for a non-covered entity should be exempted from the regulations if the position was consistent actually and by policy with other operations of the non-covered entity. Mr. Fitzgerald suggested that a preferable alternative to the business associate agreement requirement would be a one-page statement similar to the notice of privacy practices (NOPP) for providers. He said that a simple standardized model form would be helpful and that the simplification and standardization of forms would reduce much of the ongoing confusion.

Ms. Williams expressed concern about the significant number of group health plans that had never heard of HIPAA administrative simplification and didn't recognize they were covered entities. Others believed an insurer, third-party administrator (TPA), broker, or another service provider would take care of everything. She noted that the close relationship most group health plans had with the employers that sponsored them contributed to the confusion. Ms. Williams noted universal concern about both the cost of complying with HIPAA administrative simplification requirements and whether the April 14, 2003 deadline for privacy compliance was realistic. She noted the standards and implementation specifications were modified in August, leaving only eight months to comply. Noting that policies and procedures that weren't designed with the plan's specific operations in mind or an understanding of what needed to be changed and why were worthless, Ms. Williams said complying with the privacy regulations' requirements for disclosure of PHI by a group health plan to the plan's sponsor required understanding the operations and structure of the plan within the existing structures and hierarchies of the business. Suggesting that a database detailing materials for the various types of covered entities, sources, prices, and criteria for obtaining access could be available on the Internet, Ms. Williams remarked that HHS probably would object, because establishing such a database would be expensive, time consuming, and place them in the role of passing on the quality of materials created by others. She said those objections were valid. However, virtually every group health plan had to do exactly that.

Panel 2: Health Authorities

Ms. Barnes said problems of looking at hybrid entities and making program determinations about what were covered entities was most difficult within the state government. She conveyed testimony from representatives of 20 states who discussed at the National Governors' Association that the federal preemption analysis was a very costly undertaking for those in state government who'd just experienced 15 percent budget cuts. They urged the Subcommittee to recommend that one federal preemption analysis be done for all 50 states. Ms. Barnes discussed tangential relationships. Given the complexities, Ms. Barnes said the Commonwealth of Virginia worked to implement HIPAA to the best of its ability. Key efficiencies to organizational structure included a joint NOPP and consent they believed would be easier for lower-educational-level recipients. Standardized business associate agreements were reviewed on the federal and state level for each silo. They worked with vendors the same way. Ms. Barnes said their preliminary analysis showed savings to the Commonwealth of about two-and-a-half-million dollars by sharing resources. She reiterated concern about the state mandatory reporting of protected health information (PHI) that was key for their Department of Health. Ms. Barnes requested the Committee's opinion on the validity of an organized healthcare arrangement to solve related public problems with HIPAA implementation.

Ms. Correll presented feedback from an informal telephone survey of 25 associations about how HIPAA information was being disseminated through provider health associations in the Commonwealth of Virginia and problems with implementation. Fifteen respondents vocalized concerns regarding primarily confusion about the privacy regulations. Some needed specific checklists to assist in HIPAA implementation, clarification of points, and assistance in locating answers. Everyone wanted templates. She noted a lack of understanding about testing requirements and said more training was needed for providers so that everyone understood the requirements the same way. Ms. Correll said difficulties in HIPAA compliance were compounded for DMS, because the Medicaid Management Information System (MMIS) was under development simultaneously with HIPAA.

Ms. Rose emphasized that people looked to and were waiting for OCR to provide them with an idea of what was feasible and could be expected. While recognizing that it was already November and they had to be ready by April, Ms. Rose called for a national standard that would help people move onto the next step and realize that they were doing this on their own. Ms. Rose said templates of privacy, policies and procedures, standardized documents, and a HIPAA maze to move through would be helpful. She also asked for assistance in developing clear, multilingual notices for Medicaid and the public health systems, and sharing the financing and resources needed for development. Noting it would help to know the national floor plan on which the states could build specifics of their additional requirements and clarify their differentiation, she emphasized the importance of getting a group to standardize this process, adding that inexpensive and easy training materials for technical support were also needed. Ms. Rose noted DHMD was looking for a compassionate, disciplinarian approach for the enforcement of HIPAA to be balanced with the weight of the task at hand.

Ms. Prescod explained how the District, faced with HIPAA challenges, formed the executive steering committee and a program management office. She said the District's challenges were unique. It wasn't a state, but was local and federal combined. In some cases, the provider community was largely indigent. Providers voiced their willingness to participate, but were unclear about how exposed they were with both providers and patients dropping out of the system. Ms. Prescod noted the cost was high for the District. They'd requested Federal funding twice and were concerned that they hadn't heard back. Ms. Prescod explained that 16 District agencies and administrations were initially considered as entities implementing the compliance. Six groups that had no concern with HIPAA received basic privacy training. It was decided that it was in the best interest of the District to take on the designation of a hybrid entity. The groups within the agencies that needed to comply were chosen, creating smaller, more manageable, entities. Standardized policies and procedures clarified the direction of deployment efforts and funding. Ms. Prescod said the health plan's challenges included the District's Medicaid MMIS system that was implemented in July through acquisition and was in the process of becoming HIPAA compliant. Ms. Prescod expressed concern about the vulnerability of the District's fragile provider community. She said the intent was to have all operations compliant by the deadline. Ms. Prescod asked the Committee to advise the Secretary that there was much work to be done. In many instances, a total revamping of business process and operations was needed. Ms. Prescod remarked that, while the cause, spirit and sentiment of HIPAA were good, it would take a lot of money and, like many jurisdictions, the District grappled with significant budget shortfalls. Ms. Prescod said any support in information sharing, basic tools for implementation, and funding on a federal level would be helpful.

Panel 3: Coalitions and Partnership Building

Mr. Schott emphasized the importance of bringing a rural perspective to these issues. The healthcare engine generally employed 15 to 20 percent of all employed individuals in rural counties and represented a similar percentage of the salary base, so it was important both from an economic and a health and human services perspective. The Medicare percentage in most rural community hospitals was 70 to 80 percent. Electronic transmission requirements were problematic for rural hospitals. A minor privacy issue was that it would change the structure and culture of rural communities. Mr. Schott questioned whether the Office for Civil Rights was the appropriate place to locate that enforcement agency. He thought there had to be some reasonable standard instead of a drop-dead date for enforcement. Mr. Schott emphasized that this was an unfunded mandate in many rural communities. He noted that via the Small Hospital Improvement Project (SHIP) grants, most rural hospitals received only about $9,700. SHIP was supported at the $50 million a year level for four years versus the $15 million the rural hospitals got. Mr. Schott said this "cowardly attempt" by Congress to solve the problem simply wouldn't pay for the cost of implementing HIPAA in rural hospitals. He recommended that the deadline for compliance for rural providers be extended and reiterated the need for a reasonable effort standard in making progress for compliance. The Rural Policy Research Institute (RPRI) was conducting a study of how rural hospitals were doing. Results were expected in December. Mr. Schott said the study was significant because policymakers and members of the Congress would carefully read it. Mr. Schott emphasized again that one size didn't fit all and rural providers were structured differently than urban providers. He stressed that financial assistance, as well as realistic implementation and enforcement, was critical.

Ms. Pritts noted that the states have regulated the privacy of health information for 40 years and implementation of the federal health privacy rule, which sets a federal uniform floor throughout the nation, would drastically change the landscape of privacy in many states. She said this process was complicated by the preemption schematic, which preempted state laws contrary to the federal privacy rule. Other exceptions, created for public health and health plan reporting to their regulatory bodies, further complicated the procedure. Ms. Pritts said the preemption analysis was an arduous, time consuming and expensive process. Many consumer and provider groups weren't familiar with the laws and statutes in their state or the federal health privacy regulations. Even those who were familiar found it complicated, because many HIPAA provisions were ambiguous. Ms. Pritts recommended making this process as simple as possible. She said the lack of guidance, particularly from provider associations, was disturbing. Equally crucial was the need for a compliance handbook with clear outlines for what had to be done. Ms. Pritts encouraged HHS to continue to respond to questions interpreting the HIPAA privacy rule, help consumers compare federal to state laws, work with CMS and other state agencies to determine how HIPAA interacted with other federal laws, and publish guidance on these issues. Ms. Pritts suggested that HHS engage in coalition building with each state and the sharing of that knowledge. She suggested that the privacy working group of the National Association of Attorneys General assist or disseminate information. Some state-based provider organizations had in place guides written with existing state laws in mind; Ms. Pritts said starting with these materials and overlaying the HIPAA privacy requirements would simplify the preemption analysis process. She concluded that preemption analysis was complicated and time consuming; sole practitioners and providers in small organizations needed a lot of assistance.

Mr. Mertz agreed about the need for a state preemption analysis accessible to all covered entities. He said raising money for the study was a difficult challenge; HHS's help was urgently needed and would directly impact how well entities could comply with the regulation and state laws. Mr. Mertz stated the Congress intended that most state laws be preempted, except for those exceeding the stringency of HIPAA requirements. But because of the way HHS interpreted HIPAA and a lack of clarity in the law about the definition of "contrary," the HHS regulation probably would preempt few laws. When HHS issued the proposed rule in 1999, it flipped the burden of proof and Mr. Mertz's group believed that it would be very difficult for the Congress to pass this statute. Mr. Mertz advised that HHS could re-define "contrary" so it really was a floor and that state laws that were difficult or burdensome to comply with could be preempted. Mr. Mertz noted states didn't have 50 neat-and-tidy health privacy laws; they were buried in thousands of bewildering and conflicting rules. While HHS acknowledged the complexity of state privacy requirements, they said it would be more efficient for professional associations or individual businesses to complete a preemption analysis. Mr. Mertz respectfully disagreed. Literally thousands, maybe millions, of covered entities were under this rule and suggesting that every one of them do its own preemption analysis seemed most inefficient. HHS recognized that a global analysis was necessary. And many small providers and specialty societies needing this most couldn't afford it on their own. Mr. Mertz proposed a comprehensive collectively funded study that included every HIPAA-affected entity in all 54 states and jurisdictions. Consistent standards could be used and the end product, available on the Web, could be updated on an annual basis.

Mr. Stone emphasized that the Massachusetts Health Data Consortium (MHDC) took a community collaborative approach for acquiring resources to implement the HIPAA privacy regulations, as opposed to full reliance on the federal government. MHDC assumed three premises for delivering these resources: (1) most solutions would be local, because much expertise was at the level where services were rendered, (2) the working understanding that rarely was there only one solution to any problem, and (3) collaboration didn't violate anti-trust laws and issues about reaching consensus weren't competitive but afforded opportunities for further collaboration. MHDC's local expertise led them to recommend four areas for OCR. First, they thought OCR should continue to be a resource for FAQs. MHDC encouraged OCR central staff to meet with regional folks who were doing coalition building and to speak at other privacy forums, training regional staff. MHDC urged OCR to link to and encourage HIPAA-specific Web pages to the covered entities' usual and trusted sources. MHDC sought more links to provider as well as health plan associations. Mr. Stone urged OCR to encourage resource sharing and he suggested that OCR becoming a repository for at least the criteria would stimulate sharing. He also wanted OCR to highlight portions of the regulations in a checklist, enumerating what the notice had to include. Almost universally, the 70-plus privacy officers in MHDC's regional group rejected generic forms. Mr. Stone said MHDC believed that sharing actual resources could be accomplished at the national level by national trade associations.

Panel 4: Testimony

Ms. Kube said physicians and practices from 'one-doc' shops to umbrella groups were totally overwhelmed. She stressed the need for education and clear instructions on what was expected, clarifying the regulations, and achieving cost containment. Ms. Kube presented examples of misinformation and noted how physicians panicked when they heard that privacy issues would be handled under OCR. She noted a problem related to vendors on the EDI side. Some small software companies, unable to get everything in compliance, were going out of business or selling out. With Medicare not even in compliance, she said nobody was compliant under EDI. Noting she wished there'd been clarifications some time ago, Ms. Kube advocated for a common sense way of handling this, so people could take care of patients as well as protect their privacy.

Mr. Hughen discussed the need for learning solutions related to HIPAA implementation. Without acquisition of knowledge and skills on the job, he said the return on the substantial investments in HIPAA security and privacy would be greatly diminished. He expressed concern that the spirit and intent of HIPAA privacy could be compromised if systems and resources weren't available to enact real behavior change in the millions of healthcare workers affected. Mr. Hughen cautioned that the aggressive deadline and current lack of support and resources could propagate a check-the-box approach and that the covered entity's need to show compliance on paper might do little to effect behavior change and on-the-job performance. Mr. Hughen advocated that equal concern should be placed on compliance in daily practice and behaviors on every job, every day. Considering the vast quantity of people and the great diversity of job functions affected, he stressed the need for learning, not training. And he noted the additional complexity of profession and institution specific policies and procedures. Mr. Hughen recommended that OCR work with private industry to establish a minimum standard of acceptability for products targeted toward HIPAA learning and testing. He suggested developing a standard of competency testing that a covered entity could use to measure understanding and mastery of the material.

Speaking about preemption, Ms. Ryan said every profession, except for law, had some form of internship. She proposed that law schools, particularly those using state monies, institute a program where interns, in order to pass the state bar, would be responsible for the tedium of comparing state and federal regulations. Ms. Ryan said physicians and hospital administrators who stood up at the last HIPAA conference and said they had DOS-based systems and three kids in college and couldn't spend $60,000 to re-do computer systems were told it would cost $8,000 per physician. She contended that wouldn't begin to touch what vendors charged to become theoretically HIPAA compliant. She pleaded for cost containment and consideration of the perception that they were being ripped off.

Ms. Delair presented a sense of the difficulties of implementing specific provisions, especially for a larger academic center, and offered two recommendations for dealing with the preemption issue: either require that each state's Department of Justice conduct a preemption analysis, making it available to all constituents, or have a state's collaborative create a preemption analysis and ask the Department of Justice to give an opinion and/or endorse interpretations of the regulations. Ms. Delair agreed that the written privacy notice provided some privacy for patients, delineating how the information would be used and their rights. However, she advised it was too long and confusing. And it added paperwork and extended the admission and registration time. She noted one burden related to the privacy notice had to do with identifying access points in a system. Ms. Delair said the most troubling aspect was determining which activities or points of service necessitated the notice and acknowledgment. She also noted that each of over 80 clinics received over 100 phone calls per day concerning matters such as appointment times, inquiries about lab results, or whether to take a medication. Ms. Delair noted that, according to the preamble, privacy notification wasn't required for appointment reminder type questions. But she said it appeared to her that any phone conversation involving some provision of advice would require mailing a notice. Ms. Delair asked for clarification about what constituted a point of service and when mailings were required. Ms. Delair stressed the difficulty of implementing the accounting of disclosures requirement.

Mr. Anderson described North Carolina Healthcare Information and Communications Alliance (NCHICA) as a case study of an effective HIPAA collaboration. A portion of NCHICA's activities was as a regional key WEDI-SNIP affiliate. NCHICA's mission was to determine ways to implement information technology and secure communications in healthcare. In 1999, NCHICA established a HIPAA task force charged with developing a strategy for addressing HIPAA compliance in an orderly, efficient manner. The work groups were a professional development opportunity. Over 350 individuals in six work groups developed training materials and white papers and presented workshops. The work groups did a preemption analysis for North Carolina and were creating sample model agreements. They did a gap analysis, developed planning tools and a compliance plan, and identified gaps to be supplemented. Sample documents available free on their Web site included an 83-page analysis of the HIPAA privacy rule in relation to 143 North Carolina statutes. The medical society, hospital association and major academic medical centers were adopting a business associate agreement that included no more or less than what HIPAA required. A security and privacy officers' work group developed a questionnaire to track what everyone was doing. Mr. Anderson explained that they sought to develop a consensus approach to the notice. He reported the Attorneys General offices in many states were developing the preemption analysis. In North Carolina, a broad-based group listed the state statute, cited and compared the HIPAA regulation, and wrote a summary or conclusion. Three-quarters of a million dollars had already gone into this; preemption still had to be included, and everything had to be re-done based on the last general assembly's modifications and changes. Another issue was defining the entities and relationships within and outside an enterprise. Managing implementation was a major issue, along with lowering the grade level of the privacy notice and acknowledgment. Mr. Anderson advised that a standard business agreement and standardization of other documents would save money and agony. He explained that at recent CMS implementation round tables, people from CMS deferred questions about privacy. Mr. Anderson urged OCR to join them.

Ms. Seitz represented a small organization in rural Alaska. She noted that in this large state where many providers were in extremely rural areas, telemedicine and teleradiology were used to provide care. Respondents wanted one approved site with approved and certified links to accurate interpretations of the guidelines and resources on best practice. Ms. Seitz also said they wanted certified vendors that met a standard for training materials and services. Ms. Seitz said changes in the regulations outdated computer software, training materials and draft policies her hospital purchased only a year or two ago. Making modifications was a big burden and Ms. Seitz felt standards would benefit everyone. Pointing out that the extreme cost of travel in remote areas was compounded by delayed and canceled flights, Ms. Seitz recommended Web seminars. She noted it took her 19 hours and three connecting flights to get to the hearings. Another issue was standards for training. She stressed that models or tools for training would benefit the whole healthcare community. Ms. Seitz noted that Alaska had no laws about juvenile records; adult or federal standards were followed. Ms. Seitz noted in some remote areas the feeling was, "Come and get us and force us." Ms. Seitz acknowledged that having standard, certified links on the Web site would be costly, and might not be realistic, but she posited that it could pay off to put that effort in now, rather than on the back end with enforcement and policing people.

Subcommittee Meeting Discussion

Ms. Kaminsky said the next week's hearings would be more abbreviated and would start with more testimony from physicians and other professionals with small practices, MGMA, and practice managers. There might also be related testimony from the American College of Occupational and Environmental Medicine (ACOEM). Another panel tentatively titled integrated health systems and complex organizations of other types of providers was also scheduled. Implementation issues would also be discussed. Ms. Kaminsky was trying to get representation from the Indian Health Service and Gambro, a dialysis company. They'd hear from the general counsel for Valley Mental Health, which did a lot of contracting with the state, and another panelist discussing telemedicine and telepharmacy issues. Another panel represented rural hospitals. The American Hospital Association (AHA) recommended a panelist from Banner Health, in Arizona. UHEN, the WEDI-SNIP affiliate in Utah, recommended a panelist from Cane County Hospital, in rural southern Utah. Mediconnect, a vendor to many systems and an active member on the Governor's Task Force on HIPAA, would also testify. Ms. Kaminsky noted that they'd talked a lot about their clients' problems coming up with mechanisms to account for the disclosure requirement and other operational issues that might apply to those types of facilities. Another panel would consist of state agencies, public health and research. Barry Lengel from the Office of Vital Records and Statistics in the Utah Department of Health would talk about registry issues. Jean Wiley from the University of Utah Resource for Genetic and Epidemiological Research, who had an enormous database formulated originally from Mormon genetic information, would also speak. Mr. Rothstein commented that the genealogical database in Utah was valuable for genetic research. Ms. Kaminsky said Denise Love, from National Association of Health Data Organizations, would probably be talking with them about research and public health issues as well. Ms. Kaminsky reviewed the potential testifiers for the second day. The panel on health plans included Provident Health Plan from Oregon and Deseret Mutual Benefit Association, which had links that would be explained. There was an inquiry into Utah Medicaid as well. Ms. Kaminsky reported there was more to be done to finish up the panels and said that if anyone had specific requests or interests, she'd follow up. Most of the second day was reserved for Subcommittee discussions pulling together thoughts about the past couple months' testimonies and a game plan. Members set aside 30 minutes for public testimony. Ms. Kaminsky noted a request to hear from malpractice insurance companies and said there was written testimony from an osteopathic doctor concerning increased costs for malpractice insurance because of potential HIPAA liability. Ms. Kaminsky said she'd do her best to get representation from these insurers and asked for suggestions.


DETAILED HEARING SUMMARY

Day One

Mr. Rothstein welcomed everyone to the first of two days of hearings on implementation issues with the HIPAA Privacy Rule. He noted that the final amendments to the privacy rule were published on August 14, 2002. Covered entities and other interested parties are, or should be, preparing to comply by the April 14, 2003 deadline. Mr. Rothstein clarified that the purpose of the hearings wasn't to revisit the substantive elements of the rule (although the Subcommittee was well aware that discussing implementation issues involved referencing substantive areas of the law), but to learn from the testifiers' answers to at least the following questions: What resources were available for HIPAA compliance, including those from professional organizations and trade associations? Were compilations of best practices available and how were successful implementation strategies disseminated? Were there models for public/private partnership development? How should covered entities build coalitions and develop consensus procedures? What outreach, education, and technical support programs were needed from OCR, including suggestions for OCR priority setting? What areas were especially in need of guidance from OCR? How should the integration of HIPAA and other federal and state laws be addressed? And how did the testifiers assess the accuracy and quality of the information and services of vendors and consultants, especially as they pertained to small providers and health plans?

Mr. Rothstein noted this was the second of three sets of hearings dealing with these issues. The Subcommittee met September 10-11 in Boston, and will meet again in Salt Lake City on November 6-7. After the final hearing, the Subcommittee will submit its recommendations to the full Committee for discussion and possible action at the meeting in Washington on November 19-20. Recommendations approved by the full Committee will be transmitted in the letter to Secretary Thompson by the Committee's Chair, Dr. Lumpkin.

Mr. Rothstein noted time was available for public testimony. Witnesses could submit additional written testimony, but within 10 days rather than the usual 30 days, because of the tightened schedule in preparing the Subcommittee's final recommendations for the Secretary.

Panel 1: Physician and Other Health Professional Practices

David C. Kibbe M.D.; Director, Health Information Technology; American Academy of Family Physicians

Dr. Kibbe explained that AAFP's board of directors approved over a year ago a detailed HIPAA action plan and strategy. The initial step was to educate members about impending rules, deadlines, guidances, and extensions. AAFP committed to developing and providing tools to assist family physicians in implementing necessary changes at the practice level. They also committed to seek statutory and regulatory changes necessary to fix the more onerous, unworkable HIPAA requirements (e.g., the mandatory signed patient consent before conducting any healthcare treatment and legally binding business associate agreements that seemed to require family doctors to monitor much of the healthcare service industry).

Dr. Kibbe reported AAFP made progress in meeting these commitments. AAFP developed a HIPAA Web site (www.aafp.org/hipaa.xml) offering tools and information. AAFP's communications and publications divisions devoted extensive coverage to HIPAA implementation in print, on the AAFP Web site, and via e-mail. A recent communications campaign instructed members on filing a transactions and code set extension plan with the Center for Medicare and Medicaid Services. Dr. Kibbe noted AAFP also participated in a specialty society coalition that addressed HIPAA privacy rule implementation and was instrumental in forming and leading another coalition on HIPAA EDI implementation. Both coalitions were developing implementation strategies and solutions for practicing physicians and their office staffs. AAFP also offered members the HIPAA EarlyView Privacy Tool developed by NCHICA. Dr. Kibbe said all three resources provided checklists, key document templates, and advice.

AAFP developed, in collaboration with the medical specialty coalition, an online (www.hipaa/pmsdirectory) HIPAA EDI practice management system directory that lets a practice determine vendors' HIPAA readiness for each covered transaction. AAFP presented two HIPAA workshops on compliance at the 2002 Annual Leadership Forum and recently conducted a HIPAA audio conference targeted to chapter leaders. Dr. Kibbe said the presentations would be available at a number of state and regional academy chapters' upcoming meetings. He reported that about three-quarters of the audience in recent lectures on HIPAA at the AAFP annual assembly indicated they'd filed a transactions and code set extension plan with CMS. Dr. Kibbe said this argued well for members' awareness of the HIPAA transactions and code set standards and HIPAA.

Estimating that less than half of the members' practices had begun implementing the privacy standards, Dr. Kibbe said the most important reason for the delay was members' confusion over the privacy rule and exactly what they had to do differently. Dr. Kibbe said Dr Lumpkin summed up the problem in his September letter to the Secretary: OCR had failed to provide sample forms, model language or practical guidance, leaving covered entities at the mercy of vendors and consultants, many of whose expertise seemed limited by misinformation, baseless guarantees and scare tactics. Dr. Kibbe said vendors, lawyers and consultants with conflicting claims continued to bombard doctors. Urban legends circulated across the country (e.g., the rumor that HIPAA required all sign-in sheets to be eliminated or that copies of all electronic data had to be stored at least 50 miles off site). Dr. Kibbe said misinformation often appeared to be the byproduct of the complexity and scope of the privacy rule itself. And that confusion and apprehension were also a matter of well-intentioned healthcare workers who found themselves suddenly appointed privacy officials and spread erroneous beliefs about permissive or prohibitive behaviors ordained by the privacy rule. Dr. Kibbe showed an article in a well-known medical center's publication that he said contained over 40 substantial errors and conflicting guidances.

Larger organizations had begun to implement HIPAA and Dr. Kibbe noted this caused interruptions in the routine and necessary flow of healthcare information between practices, hospitals and pharmacies. He said sometimes this was due to over-zealous interpretations of HIPAA (e.g., a hospital stopped all fax transmissions to doctors' offices in the name of HIPAA, requiring doctors' offices to call the hospital for verbal radiology reports). Dr. Kibbe cautioned that delays in HIPAA privacy rule implementation would continue until there was a clearer picture of what was to be done, the priorities, and the latitude of enforcement. He noted there was also a cost factor. CMS reported about half-a-million covered entities filed an ASCA-mandated extension plan. Assuming each covered entity spent an hour researching the requirements for the transactions and code set standards and filling out the forms, Dr. Kibbe calculated that this activity alone cost providers over $50 million.

Dr. Kibbe said physicians and their office staff viewed the first step toward implementation, assigning basic meaning to a host of new constructs and documents (e.g., business associates, NOPP, requests to amend the medical record) as a lot of effort when there was precious little time or money to waste. He expressed concern about the one-size-fits-all solution to the privacy rule. In order to be workable, he said HHS and OCR had to create zones of compliance, rather than specific targets: e.g., the complex, lengthy NOPP should be simplified and shortened for small providers; more detailed notices should be voluntary. Dr. Kibbe said such flexibility would accommodate the needs of healthcare organizations of differing sizes and complexity and allow for the simplification of implementation, especially in medical practices and small provider organizations.

He recommended not requiring business associate contracts of everyone. He encouraged accepting a zone of compliance regarding business associate contracts for small providers, at least until the contracts were standardized and the costs of creating them were reduced.

Dr. Kibbe doubted patients would understand why they were handed multi-page notices of privacy practices on a first visit or appreciate the effort that went into making their medical information more secure. He suggested that inconsistent, clumsy implementation of poorly understood federal regulations only made it more difficult for patients to access their records and disrupted the flow of health information between doctors' offices, hospitals and health plans, degrading the quality of their primary healthcare system.

Dr. Kibbe agreed with Dr. Lumpkin that the healthcare system was on the verge of major, widespread disruptions unless quick action was taken with resources sufficient to inform the public and provider communities about the documents that would confront them. Dr. Kibbe emphasized that a massive public education program was needed to prevent a public meltdown over HIPAA.

Panel 1: Physician and Other Health Professional Practices

Lloyd S. Smith, D.P.M.; Vice President, American Podiatric Medical Association; Health Policy Committee, Chair

Dr. Smith explained that the American Podiatric Medical Association (APMA) was the national organization that represented nearly 11,000 doctors of podiatric medicine. He said most podiatrists were solo practitioners, in partnership or small group practices, and relied heavily on APMA information. He reported a noticeable increase in member inquiries about HIPAA as the compliance date approached. In addition to educational programs and communications in their publications, APMA made available a list of HIPAA resources including OCR's Web site and phone number, the CMS Web site, the free list serve for notification of Federal Register releases related to HIPAA, and information about HIPAA roundtable conference calls.

Dr. Smith said APMA had committed to developing an APMA HIPAA privacy manual including sample forms, which will be available to members on their Web site and in hard copy. Delayed until the privacy regulations were finalized in mid-August, he said the manual would be available soon.

He observed providers were having tremendous difficulty comprehending the regulations and until OCR provided them with information they couldn't be expected to be compliant. Many small office practices aware of the regulations hadn't begun to take action. Dr. Smith advised that providers would benefit from a detailed, in-depth manual designed for the small or medium-sized group practice. Noting many individual offices didn't have financial resources to obtain additional guidance, Dr. Smith encouraged OCR to be the definitive source for privacy-related information available to all providers at no cost. He commended the addition of FAQs to OCR's Web site and encouraged OCR to expand that list. He also recommended a monthly newsletter for providers.

Dr. Smith urged OCR to create specialty-specific programs to educate providers and to participate in their regional and state meetings. Recognizing that OCR resources were limited, Dr. Smith suggested that OCR commit to three presentations for APMA and each of the other provider groups.

Dr. Smith said state component societies and outside sources provided privacy rule training in addition to what was contained in the APMA HIPAA privacy manual. Many local component societies planned half- or full-day HIPAA presentations or seminars. APMA advised members inundated with information about HIPAA and unable to gauge the quality of that advice to review the guidance in the APMA HIPAA privacy manual and assess if further information was needed. Dr. Smith requested that OCR oversee vendors and their products and provide some quality control process.

Noting the provider community needed more information about OCR's enforcement of the regulations, including a clear explanation of penalties for non-compliance including situations to which they applied and their nature, Dr. Smith requested additional guidance from OCR. Would: (1) OCR representatives arrive unannounced in private offices, (2) OCR randomly inquire about individuals' privacy-related experiences, (3) patients complaints be encouraged and OCR obligated to investigate them, (4) providers have to submit proof that the privacy rule training mandate was satisfied? Dr. Smith reiterated that members needed to know how the new regulations would be enforced and that lack of definitive information frustrated those expected to abide by the regulations.

Dr. Smith added that they had concerns about patient education. Compliance with the privacy regulations would result in noticeable changes in daily practice activities and many patients would be confused by the changes, not understanding why they were being asked to sign, for example, a form indicating that they had been notified of their privacy rights. What if the patient refused to sign the form? If patients weren't educated and were resistant to changes implemented in private practice and elsewhere, what protections existed for covered entities? Did OCR have plans to educate patients about the new regulations? Dr. Smith didn't believe education should be the sole responsibility of the covered entity. He emphasized that OCR needed to take responsibility for ensuring that patients, as well as providers, understood the new regulations.

Dr. Smith said APMA wasn't familiar with best practices in the industry. He doubted that entities were unaware of the need to perform the state and federal preemption analysis fundamental to HIPAA integration and compliance. Noting most individuals weren't familiar with state laws regarding privacy, he emphasized that integration of HIPAA and other federal and state laws required action by OCR.

He recommended clearly identifying, articulating, and maintaining state and federal laws related to privacy in a compendium readily available to the public. He pointed out that if practitioners didn't realize that differences in the standards existed or that a state standard was more stringent than one within the privacy regulations, the correct standard couldn't be followed. Dr. Smith encouraged the OCR to take responsibility for creating and maintaining that compendium.

Dr. Smith said APMA believed the covered entities, especially practitioners, needed more help in achieving compliance with the privacy regulations by the deadline. Most practitioners, already overwhelmed with existing regulations, struggled to comprehend the privacy regulations. APMA requested OCR's active assistance.

Panel 1: Physician and Other Health Professional Practices

Carol Jennings, Ph.D.; Professor, University of Maryland

Dr. Jennings read from the testimony of Dr. Jan Towers, Director of Health Policy, American Academy of Nurse Practitioners (AANP). She noted small practices' concern about their inability to implement the rule's perceived requirements, because of the cost associated with compliance. Dr. Jennings pointed out the cost of building new firewalls to protect computer-based records and electronic billing processes. Noting these practices and clinics often served the most vulnerable, isolated populations and the sparse supply of free or affordable consultation or guidance available to those with limited income, Dr. Jennings described these providers' concern about what would happen to patients if they couldn't operate. She also observed that some questioned the exploitative nature of consultants who charged heavy fees to help people learn how to implement new rules.

Nurse practitioners were also concerned about compromising the quality of care: that information about a patient being seen by a specialist wouldn't get back to the primary care provider, interfering with continuity of care. There were also fears that a nurse practitioner who released patient information might be held liable if the specialist didn't follow proper procedures.

In settings with sliding fee schedules, Dr. Jennings noted concerns regarding the kinds of consent forms that had to be used to determine eligibility of a patient for billing a particular way. Settings providing care to vulnerable populations questioned the kinds of restrictions that would be placed on clinics in determining eligibility.

Dr. Jennings reported continuing concern that tracking patients epidemiologically, or simply conducting an evaluation of how well a practice or community met the Healthy People 2010 standards, would be compromised by requirements to de-identify patient information in order to study patient care results. Clinics and practices often received third-party assistance printing newsletters, health promotion tips, or guides for care that couldn't be shared with patients without such subsidization. While the language of the law might, on the surface, be reasonable, Dr. Jennings expressed concern that potential for implementation and enforcement overkill could severely compromise patient care.

Dr. Jennings emphasized that outreach, education and technical support from the federal government were needed to implement the regulation in an uncomplicated, clear manner. She agreed that the rumor mill had a negative impact on practices. Noting what was currently available was high priced and, at times, seemed to feed the overkill frenzy emanating from these rules, she advised that these services shouldn't be economically prohibitive, hindering small practices and clinics in implementing the rules. She said harnessing these services would facilitate the logical implementation of the patient privacy rules.

Although nurse practitioners were confident that, down the road, the patient privacy process would become routine and commonplace, Dr. Jennings pointed out that, right now, there was considerable anxiety. She recalled that there had also been anxiety 10 years ago when they implemented universal precautions and couldn't imagine practicing with gloves and eye shields.

Dr. Jennings agreed that a great deal of misinformation circulated through hearsay that could damage implementation of the regulations. Concerns regarding cost, payment, disruption of continuity of care and dissolution of its quality through over-regulation needed to be addressed. She said particular attention had to be placed on the impact of these regulations on the individual practitioner working directly with patients on a daily basis and cautioned that rules to prevent improper corporate activity shouldn't be implemented in a way that prevented clinicians from providing high-quality care. Dr. Jennings also advised that, although best practices could be an excellent way to guide implementation, rigid use of best practices that might be applicable only in unique and narrow situations could limit implementation.

Dr. Jennings noted resources for HIPAA compliance for individual practitioners were limited and costly. Groups were planning implementation, but she pointed out that some practices were extremely remote, didn't have access to resources, and couldn't get to conferences and it was a challenge to get them guidance. She expressed AANP's desire to work with CMS's advisory group on implementing and disseminating usable resources.

She noted earlier concerns reflecting the integration of HIPAA regulations with other federal and state requirements. She expressed further concern that information wasn't being disseminated and that resources for small providers and those working with vulnerable populations had to be protected. Dr. Jennings emphasized that nurse practitioners had positions as primary care providers, patient guardians, advocates and guardians of patient rights and needed to be included in policy-making activities related to implementation of these rules.

Dr. Jennings reiterated AANP's concerns about implementation of the patient privacy rules. The focus on implementation varied due to the variety of settings in which nurse practitioners practiced. She said nurse practitioners' knowledge of the concerns of clinicians and realities of implementing the rules in the settings where they practice had been under-utilized. And she suggested that their expertise and the deep patient trust nurse practitioners promote could be utilized to convey the message about this process to patients.

Panel 1: Physician and Other Health Professional Practices

Keith D. Van de Castle M.D., M.B.A., M.P.H., President, HIPAA Compliance Services

Dr. Van de Castle said most of his patients weren't from his town but lived in rural North Carolina and weren't comfortable with the care in their own small towns, where some practitioners had inappropriately disclosed personal information about their patients. Dr. Van de Castle formed a training company, HIPAA Compliance Services, to teach physicians how HIPAA impacts their small practices. He shared what he'd heard traveling around the country listening to physicians' and office managers' concerns. Dr. Van de Castle said he didn't believe OCR had to be concerned with enforcement: the legal community would do that. He noted a patient settled for $10,000 with an office that divulged all their records, including HIV status; the clinic paid more than that in legal fees. Another case cost $85,000. Dr. Van de Castle said it wasn't OCR that physicians needed to be afraid of when it came to HIPAA, but the general public.

He described a case study where a blood pressure medicine only tested on men turned out to cause severe asthma attacks in asthmatic women. One woman was brought into the ICU, intubated immediately, and lived. Another was brought to the CCU. Well-known attorneys advised that the definition of treatment, payment and healthcare operations concerned what one did for that patient, not what one did for the care of future patients. The respiratory therapist was threatened with loss of her job if she discussed patient information outside what was necessary for that patient. The patient was intubated late and, unfortunately, had a negative outcome. Dr. Van de Castle noted a lack of proper HIPAA information. He said people were afraid and refusing to allow drug reps back into their offices or to fax information to their practices.

Dr. Van de Castle told about a nurse who delivered at her hospital. She presented to her physician, saying she'd never had an abortion. After eight-and-a-half months of pregnancy, she revealed that she'd had an abortion in college. Co-workers read her chart and spread that information, which reached her husband. The husband transferred to Idaho and the nurse moved away from her family, which had lived there for three generations. The attorneys said there were no safeguards or policies. The case settled with the patient receiving $500,000. The hospital ended gossip and put in electronic safeguards. Dr. Van de Castle predicted that such suits would enforce the privacy regulation.

He told how a patient once confided that she didn't want her second husband to know she'd had a hysterectomy, her children to know of her drinking problem, her boss to know about her bout with depression, or her cousin who worked in his office to know anything. He emphasized that the small providers' greatest concern was the legalization of the doctor-patient relationship. He remarked that a small provider who practiced with mostly paper charts couldn't afford this component, which could double the cost of the privacy regulations. Dr. Van de Castle noted that in some instances this was an acceptable cost. He gave an example of a husband who was an alcoholic, abusive to his wife, and frequently away on business trips. His wife had an affair and she asked her physician to keep it confidential. Many years later, she had Alzheimer's disease and her husband, who was moving away to care for her in a special retirement center, requested her records. The physician passed down the restriction. Dr. Van de Castle acknowledged that, in rare instances like this, the rule was workable. But for it to work, he pointed out that practitioners had to be able to accept the restrictions their patients requested, which required the cost of a separate library that the small provider couldn't afford. He noted physicians were taking out privacy malpractice insurance. Seven physicians in one week told him they'd paid out for privacy violations. He said nuisance lawsuits were driving providers nuts.

Dr. Van de Castle said the key issue was how to enforce the privacy rulings. He advised that the physician's policy be that all requests for restrictions be in writing and reviewed by a committee. Except in extreme dire circumstances, he recommended that the committee refuse all requests, except for ones similar to those he'd discussed. Dr. Van de Castle said providers had to come up with their own privacy practices and inform their patients, making it clear that they'd do their best to keep things confidential, but couldn't guarantee it.

Discussion

Dr. Harding noted they were focusing on the need for a base data system and conduit to deliver accurate information to the public, professionals and others affected by the HIPAA rules. He'd heard Dr. Lloyd say APMA was a conduit from OCR to their members; then the information had to be absorbed. Dr. Van de Castle had suggested that people absorbed information best with case studies. Dr. Harding asked what organizations could do to help transmit facts and data and get them utilized. With the recent requirement to re-up for the transaction part of HIPAA, not as many people as they'd hoped requested an extension. Dr. Harding asked what had to happen to get information across to people and have it absorbed.

Dr. Kibbe said they had to consider that the medical specialty societies were still learning, modifying information they had, and transmitting it to members. Simultaneously, they were gathering feedback about the limitations. He suggested that the medical specialty and state societies were an important reserve of information for practicing physicians and organizations they worked with (e.g., nursing homes, extended care facilities, hospitals). Dr. Kibbe observed that resource was largely untapped and needed to be developed. He said the real problem was getting the attention of the practices and their office staff, which he noted was a separate question from the issue of qualifying information so that they only got the best.

Dr. Kibbe pointed out that the issue of state preemption complicated vetting information and getting it to members, practices, and organizations. He suggested using untapped resources they could count on and implementing an accrediting or certifying process. He added that he wasn't sure it was workable, but he thought it would be better than having tens of thousands of unknowledgeable experts causing mass confusion.

Noting the societies felt vulnerable because they didn't know about vendor credentials, Dr. Jennings emphasized that quality federal guidance was needed. She asked if small grants were available to help providers develop a compliance manual developed by knowledgeable nurse practitioners in a way members could relate to it and recognize its relevance in particular care settings or patient care situations.

Dr. Smith remarked that whatever they did couldn't be in Federal Register legalese, but needed to be in basic language the average small physician practice and health practitioner understood. He suggested that the Committee or OCR encourage HHS or Medicare to develop a guidebook. Dr. Smith considered accrediting vendors compliant reasonable, but cautioned that requiring practices, hospitals, and healthcare professionals to be accredited would create a morass of problems. He noted APMA's membership represented 70-80 percent of the nation's podiatrists; had effective communications through a newsletter, e-news, and biweekly alert; and conducted seminars with regional and state organizations and affiliates. Dr. Smith suggested that OCR or a federal organization train a small cadre of health professionals certified or accredited to teach official two-to-three hour seminars.

Dr. Smith questioned the accuracy of the privacy manual the APMA was producing, given what he'd heard that day. Noting they were an average organization interpreting federal guidelines that weren't easy to understand, and an honest mistake might cause members to be victims of a substantial lawsuit, Dr. Smith observed that the organization could be compromised and need defending. Dr. Smith suggested working with special societies: about half of APMA's members belonged to one. He said state societies would also be good, but he noted many didn't want the responsibility of putting out official word.

Dr. Smith believed healthcare responded well to market forces. He advised that the best way to spend money on education would be on patients, who in turn would speak to providers about HIPAA. And he also suggested putting out accurate information in general interest magazines (e.g., the Ladies Home Journal).

Noting he'd repeatedly been asked what physicians needed to do for their physical practice, Dr. Smith said each practice was different and needed a physical assessment. He suggested that it might still be helpful to videotape a few models and post them on their Web site. He pointed out that hospitals and healthnets already had policy manuals. And he noted that many rural physicians belonged to IPAs and suggested going through them rather than e-mailing physicians.

Dr. Jennings remarked that individuals providing care directly to patients only needed to know their specifics, not everything about the privacy rule or HIPAA. She recommended developing something telling the provider working in a rural setting or in a migrant health clinic what they needed to be aware of and how they could protect their patients' privacy.

Dr. Smith said APMA was developing a top-ten list for implementation. Instead of a 60-page instruction manual, they planned on focusing on 10 items that included their privacy notice. After tackling that short list, they could go through the entire manual and become totally compliant.

Noting Dr. Kibbe estimated that less than half of AAFP's members were HIPAA compliant, Mr. Rothstein asked if APMA was in a position to take such steps to increase the percentage of compliance. Dr. Smith contended that compliance was considerably lower than 50 percent. He said people now recognized the word HIPAA, but were scared about implementation issues. Many people hadn't filed. Asked about AANP's understanding of HIPAA requirements, Dr. Jennings said many members had followed HIPAA since 1996, but they were just getting into the patient privacy process. Only a few would be able to implement it. Dr. Kibbe said the Coalition of Medical Specialty Societies was an informal group that had its own list serve and represented over 450,000 physicians. He said most family physicians belonged to their specialty organization and loyalty and trust in communications was reestablished through these organizations. He said representatives from these societies reported that less than 50 percent of their members had initiated a privacy rule implementation program.

Dr. Kibbe remarked that, in a larger context, HIPAA was about administrative implementation (e.g., standardizing business transactions between providers and health plans). He noted that this offered small practices and other providers benefits including efficiencies in running their practices, improved revenue collections, better business practices, and better communications with patients. Dr. Kibbe pointed out that many physician practices hadn't heard this. He emphasized that it was important they did, because privacy then could be seen within the context of that larger overall goal benefiting both them and the public.

Dr. Harding asked whom the members who weren't doing anything thought would take care of this for them. Dr. Jennings replied that "the rubber hadn't hit the road" yet for nurse practitioners. She predicted that people would realize the seriousness as they began to see lawsuits. Now there was anxiety and behavior indicating they didn't know what to do or where to go. Dr. Smith said traditionally the average podiatrist looked to APMA, the state society, and the malpractice company to present something like the privacy information. He expressed concern that the authenticity of information was not official. He emphasized organizations that weren't equipped to handle this would appreciate it if HHS provided official, formal training and documentation.

Dr. Kibbe added that they were doing a good job as a coalition and would launch a major media campaign within the major medical organizations about the transactions and code set standards and the fact that vendors and clearinghouses couldn't do it all. Practitioners had to ask transactions questions now, and in order to get paid might have to find a vendor who could at least get major transactions in place and tested with the health plans they did business with. Dr. Kibbe thought they were helping their members understand it was their responsibility. Dr. Kibbe said he believed a majority of practices would start HIPAA implementation and the privacy rule by April. The question was how far they'd get, and what trouble they'd encounter.

Dr. Zubeldia asked what role covered entities and HHS played in educating patients about the best way to do that. Dr. Van de Castle said it would be helpful if small providers could give patients a one-page handout written at the sixth-grade-level in large print presenting HHS's official word on HIPAA. Dr. Jennings suggested developing a video that a patient could look at in the office or on the Internet.

Panel 2: Communicating with Consumers

R. Craig Lefebvre, Ph.D., Managing Director, Health Communications and Social Marketing, American Institutes for Research

Dr. Lefebvre advised that communication messages were most effective when their content, form and style were tailored to the predispositions, attitudes, current behaviors, and aspirations of distinct and homogeneous subgroups of the total population. American Institutes for Research (AIR) found that messages, whether informed by changes in science, technology, or privacy regulations, had to be crafted in ways that reflected the realities of discrete audiences. Dr. Lefebvre said a consumer-driven approach should guide information and education activities to: include segmentation of the U.S. population into smaller subgroups; research to understand and gain insight into their current life situations as they related to health information privacy concerns; and develop messages and strategies that fit into people's lives, not preconceptions about them.

He said any public information campaign about privacy notices should concentrate on specific segments of the population (e.g., married women with children, who are often perceived as the health information gatekeepers for their families). Other segments included people with low education and literacy levels, those for whom English was a second language, high users of healthcare services, people with chronic diseases and disabilities, people with no usual source of medical care, and Medicare and Medicaid beneficiaries.

Dr. Lefebvre also recommended considering the intended reach and frequency of message delivery, credibility and usage of these various channels among the audiences, and the complexity of information delivered. He emphasized the difficulty of getting these messages in front of the audience at times when they were most likely to be open and attentive. He cited a recent report by the Henry J. Kaiser Family Foundation indicating that only 0.4 percent of all broadcast and cable air time was dedicated to public service announcements. When only 27 percent of this time addressed health issues, the competitiveness for such a small amount of airtime, let alone airing them when the target audience might actually see or hear them, led AIR to reconsider how and when to use PSAs and to adopt paid advertising strategies to achieve the reach and frequency these messages needed to be effective.

Even if television and radio advertising were within marketing budgets, Dr. Lefebvre doubted they were always the right choice. For example, public service announcements saying to "ask your healthcare provider" about privacy notices would overwhelm providers and facilities with general questions and requests for information. Instead, Dr. Lefebvre recommended more extensive interpersonal and print-based tactics (e.g., editorial briefings, informational sessions with health reporters) that would increase their understanding of the issues that could then be passed on to their readers, viewers and listeners. He also recommended extended interviews on news programs, features in weekly and monthly news publications, news and special interest magazines, town meetings hosted by healthcare professionals, and other types of longer format, interactive media.

Dr. Lefebvre said long-term communications endeavors were important. Effectiveness was limited by the allocation of few resources to achieve objectives, inadequate conceptualization of both the problem and possible solutions from the audience's perspective, and narrow strategic and tactical choices. If the objective of the public education program was to increase awareness of changes in health information privacy regulations, he said it would be handled differently than if the focus were on the percentage of people that returned their acknowledgment of receiving a privacy notice. Different standards for success required different resources. Dr. Lefebvre said there was no rule of thumb for an expected ROI for a social marketing program. The more the goal was based on behavioral change, the more extensive and expensive the task became. Research evidence suggested that the most effective programs took a broad, multi-level perspective of behavior change and used multiple communication channels to target a variety of audiences and create a surround-sound environment.

Dr. Lefebvre said AIR learned in social marketing to clearly define and position desired behavioral changes in ways that were relevant to each target audience. He noted the need to understand and address costs, benefits and incentives as their target audience perceived them in order to change what they thought and did. Messages and opportunities to learn more about privacy issues had to be offered at times, places and states of mind when people were most likely to attend and respond to them. And innovative and unexpected ways of promoting their messages had to be developed that resonated with the public.

He recommended developing a public education initiative. He advised the Committee to identify priority audiences including media representatives, public relations staff of health care organizations, patient advocates employed by healthcare organizations, patients of various ages with low education and literacy levels, and people who frequently contacted healthcare providers. He suggested that qualitative studies with each audience would help HHS understand each perspective on the issues and develop long and short format media messages about the privacy rule and actions. Messages should be tested for comprehension and their ability to stimulate appropriate actions with each audience. Dr. Lefebvre recommended creating materials in print and electronic formats for key intermediaries: media kits, fact sheets and backgrounders, turn-key guides for public relations staff and patient advocates to use in organizing and conducting public information forums, as well as easy-to-read sample privacy notices, brochures and posters for providers' use. Dr. Lefebvre also recommended media briefings in major markets by national spokespersons, sponsorship of local forums, presentations and workshops at key professional meetings, and targeted print advertisements in national publications read by the target audiences, as well as paid or public service advertising on television, radio and the Web.

Dr. Lefebvre reiterated that the challenge, as they set their objectives and course in communicating to improve public understanding of the privacy rule, was to strive for simplicity, clarity, audience understanding, empathy and insight.

Panel 2: Communicating with Consumers

Cynthia Baur, Ph.D.; Health Education and e-Health Advisor, Office of Disease Prevention and Health Promotion, HHS

Dr. Baur said the Office of Disease Prevention and Health Promotion (ODPHP) became interested two years ago in communicating with the public about privacy. One motivation was the privacy policies appearing on health Web sites. ODPHP met informally with others within HHS and discussed issues related to communicating with the public about privacy. Dr. Baur said various parts of HHS participated in an informal working group, including the Indian Health Service, the Health Resources and Services Administration, CMS, OCR, and SAMHSA. They'd talked about using privacy notices as a communication vehicle that brings the public in contact with HIPAA regulations, as well as communicates about their rights and protections. ODPHP also worked with the Federal Trade Commission. Ongoing discussions looked at the public understanding of privacy, their concerns, and notices of information practices as a tool for communicating with the public. ODPHP tried to understand what the public already knew about privacy and the general environmental conditions for increasing their consciousness of privacy.

Public opinion polls and consumer research show that the public has strong opinions about privacy. At the same time, how information is shared among organizations and how to protect personal information are relatively unfamiliar topics that the public has little direct personal experience with. Dr. Baur observed that strong opinions and little knowledge could contribute to a situation more vulnerable to polarization or dichotomization of opinions, creating a volatile environment. At the same time, the mass media play a role. Even before HIPAA and the privacy rules go into effect, the media are already talking about privacy, privacy notices and disclosure of information in medical records and there have been stories about violations and references to impending regulation. Dr. Baur said all this contributes to the general public's opinions and expectations.

Dr. Baur noted the HHS working group had spent a lot of time talking about the complexity of the regulations, concepts and vocabulary they contained, and what it meant to talk to the public about privacy. There were many unfamiliar words and others most people seldom used. Many people didn't know what a medical record was. Dr. Baur emphasized that the Committee needed to consider audiences' prior knowledge and personal experience with the concepts being communicated.

Plain language communication is a regulation requirement. Though vague, the regulations give a few guidelines on how to communicate simply. Dr. Baur also noted that health information is difficult for much of the public to understand. The authoritative national assessment of adult literacy identified a quarter of the U.S. English-speaking population as having the lowest literacy skills. For other segments, English was a second language. She emphasized that literacy is more than an issue of translation from English to other languages: literacy in native languages, culture and experience with health and the medical care system are considerations. She commented on the need to touch upon concepts in other cultures about privacy and what a provider-patient relationship and medical record were. Noting people typically don't use information they don't understand, Dr. Baur said it will be hard for people to determine how to use a complex regulation with a lot of unfamiliar vocabulary. Dr. Baur concluded that plain language contributes to understanding privacy protections and rights.

Dr. Baur spoke about notices distributed under the Gramm-Leach-Bliley Act. The financial services companies had been required to notify their customers about information practices and remedies related to protecting their personal information. The notices companies chose to send were described as dense, misleading, confusing and cumbersome. Unflattering media coverage and anecdotal information reported consumers throwing these notices away. A year after the notices were distributed, references to problems with them still showed up in congressional testimony. Dr. Baur said these notices are part of the larger context of the public building its knowledge and experience about privacy and privacy protections, even before the HIPAA regulations go into effect. Dr. Baur emphasized that public education about privacy and protections for personal information is essential for the success of the regulations. Effective notices could be a vehicle in that public education. Dr. Baur pointed out that this didn't necessarily imply model notices. It is difficult to come up with model notices that adequately convey the range of information practices organizations encompassed. But she noted an opportunity for guidance to help explain different approaches that could improve notices as a way for communicating with the public. For further information on writing effective privacy notices, she noted references from the Federal Trade Commission.

She emphasized that it matters that consumers understand how their information will be protected. Understanding is an important part of informed decision making by patients and caregivers. Helping consumers and patients understand privacy protections is also an opportunity to promote trust in their providers and the healthcare system. Furthermore, the vision of the National Health Information Infrastructure (NHII) is based on people being comfortable with the appropriate sharing of health information. Without public understanding and acceptance of the protections afforded by HIPAA and state laws, it will be difficult to realize many elements of the NHII.

Panel 2: Communicating with Consumers

Michael McMullan, Deputy Director for Beneficiary Education, Center for Beneficiary Choices, Centers for Medicare and Medicaid Services

Ms. McMullan said that in 1997 the Balanced Budget Act charged CMS with developing information for people with Medicare, explaining their rights and protections within the program and their options on how to receive benefits. Congress directed CMS to do this through direct mail, a toll-free telephone line, the Internet and a national publicity campaign. The goal was to create awareness and understanding about Medicare. Ms. McMullan observed that it took a while for people to reach understanding, which was a very different level of learning than awareness. Irrelevant information wasn't retained and Medicare members needed to be able to readily access information as they need it. Thus, the goal was to create awareness and an understanding of opportunities available to individuals, as well as to ensure that accurate, reliable and relevant information was available through multiple information channels that people trusted and were willing to use.

She said the key component was the Medicare and You handbook mailed out to 35 million households each year. Medicare has an Internet site (www.medicare.gov) and a toll-free help line (1-800-Medicare). CMS also engages advocacy groups, employers, healthcare providers, and states to get the message out. Grants for state health insurance assistance programs help people with Medicare understand their Medicare issues and concerns at an individual level of need. A national publicity campaign includes prime time bilingual advertising focused on increasing awareness of Medicare's 800 number and Web site. CMS also does considerable consumer research assessing how useful people with Medicare and caregivers find this information.

Ms. McMullan reported that Medicare served 40 million people. Each month 200,000 people are added to the Medicare rolls. The Medicare and You handbook (which contained the privacy notice) is mailed each fall to 35 million households at a cost of about $30 million. A direct mailing would cost about $11 million. Ms. McMullan added that, without a context, there was no reason to believe people read it. She said the Internet was versatile, flexible, easy to navigate, and the best value for an investment of $5 million. Presently, it wasn't the main source of information, but she predicted that would change as boomers become a major part of the Medicare population. Costs for the toll-free number ranged between $50-$60 million. The yearly publicity campaign was $25,000,000. The majority of the cost went for airtime. CMS spent under $10,000,000 a year on research and assessment activities.

In terms of funding publicity for the privacy notice, Ms. McMullan noted that seniors watched an average of 27 hours of television a week and it was an excellent channel for creating awareness. She noted it was important to present information to an audience in the way they used it. Ads presenting information to Spanish speakers followed a different approach than for English-speakers.

Uniquely, as a federal program, Medicare was subject to other privacy requirements in addition to HIPAA. The Freedom of Information Act protected the privacy of records requested and the Privacy Act gave them responsibility for any records they stored. Ms. McMullan noted CMS would have these requirements for privacy for a long time. With the HIPAA privacy rule, CMS had to evaluate its different responsibilities. As a health plan, it was covered for Medicare, Medicaid and state health insurance assistance programs as well as fee-for-service programs managed directly. Only the Medicare fee-for-service required the notice, which already had been developed. With the Medicare+Choice and other Medicare plans, the states had their own direct responsibility.

Ms. McMullan reported that CMS planned on being fully compliant by April. She said they were taking their designated record set (DRS) to HHS for validation and then they would be prepared to respond.

Ms. McMullan said CMS didn't know how many requests there would be for the privacy information. One similar requirement only pulled 35,000 requests per year; but some people estimated as high as one out of ten people would respond. If so, CMS would get four million responses.

Panel 2: Communicating with Consumers

Beverly Schwartz, Senior Vice President, Director, Social Impact Marketing Group, Fleishman Hillard

Ms. Schwartz shared insights gained from her experience directing large scale national campaigns: e.g., the non-advertising aspects of the National Youth Anti-Drug Media Campaign, for the Office of National Drug Control Policy and the national partnerships, advertising, and projects for the America Responds to AIDS campaign, the first health campaign in the United States to do a national mail out to everyone in America.

Ms. Schwartz said the first issue was to be selective. In her experience, talking to everyone was like talking to no one. Target audiences needed to be definitively and creatively segmented in order for the message to be understood and have significance. Noting important issues needed to be raised, she recommended asking important questions and researching the answers. Did consumers read any of the publications about privacy rules the law required banks, mortgage companies, credit card companies and insurance companies to send? What would make HIPAA rulings and information more important to them? What actions were realistic and doable? In what form did the public need to see, hear or talk about the information in order to take notice and understand their rights? Personally, Ms. Schwartz said she was amazed at how many privacy pamphlets she received from her mortgage and credit card companies and how little she read them because she didn't know what she could do about them.

She emphasized that having clear behavioral objectives from the outset was essential. She recalled Ms. McMullan's comments about the difference between an awareness campaign, and one aimed at changing behavior. She advised the Committee that if they intended to do behavioral actions in relationship to the privacy standards, they needed to know where they were going or "they were likely to end up somewhere else." She cautioned that, if they didn't remember that marketing changed the structure of a system, and communication informed about the existing system, then from the outset, they had to recognize that they were changing an established system and therefore, needed to clarify what they wanted the audience to do as a result of the change. She noted that professionals had different information needs and behavioral goals than the public, and that included legal ramifications. Consumers needed to see the issues in "people terms." They needed clear alternatives presented to them, and time to work through those choices and their role in them.

Ms. Schwartz also stressed that integrated marketing and communications programs worked. She said it was important to remember that some kinds of marketing tools had some kinds of effects for some kinds of people, some of the time. She noted that, not knowing what to do, programs often used mass media to overcome a lack of grass roots work. She agreed that mass media could play a significant role in creating levels of awareness in mainstream populations, but she pointed out that it didn't necessarily have the same role with disenfranchised populations. Media needed to be used to support a program, not as the program itself. She suggested thinking in terms of where identified and prioritized audiences lived, learned, worked, played or prayed, to determine effective channels and sources of communications, coupled with interpersonal outreach efforts to promote understanding, deliberation and action.

She gave an example of the youth anti-drug media campaign that used partnership development including faith-based, community coalitions and state and national organizations. The campaign used outreach through the entertainment community, interactive Web-based programs, and a large segment of earned media coupled with public information dissemination and corporate sponsorships, as well as an aggressive paid media component. Ms. Schwartz noted that the youth anti-drug media campaign was a prevention program and different from information and awareness programs.

Ms. Schwartz noted the America Responds to AIDS campaign was an example of prioritizing audiences and working in phases to address every aspect of an issue in the right time and place. She said they might not need to do a mail out to every American about privacy standards, but reiterated that there were right times, places, people, phases and media to create an awareness of the rules and change behavior around the system.

Discussion

Dr. Zubeldia commented that he'd thumbed through Medicare and You 2003. The cover highlighted the Medicare privacy rights that were on pages 50-52. He said that, if he were a Medicare beneficiary, he probably wouldn't get past page three. He looked in the glossary, but couldn't find what Medicare meant by privacy. He said there was still some work to do.

Dr. Zubeldia said he'd also gotten a lot of notices of privacy that the Gramm-Leach-Bliley Act proliferated, and he hadn't read them either. He asked what the purpose of the HIPAA privacy rule was overall; were they telling consumers because they wanted to get to providers indirectly through them or because they wanted patients to be the HIPAA police? Was it because they wanted the patients to know how a computerized society should behave, and what they should expect to happen with their electronic medical information? If so, what was the purpose?

Ms. McMullan said the handbook was a reference tool for individuals. She contended that there was so much to know that the best they could do was to teach where to go to get the information when people needed it, including their rights. Most people didn't need to engage their rights in interacting with their direct service provider, but when they did they had to know what they were. Ms. McMullan compared this to homeowner's insurance. People hoped a tree never fell on their garage, but, when it did, they wanted to be sure that they could go to their homeowner's policy and figure out what needed to be done to engage with the insurance company. She said the purpose of HIPAA privacy was to instill awareness that everyone had rights and what to do if they needed to engage them.

Dr. Baur pointed out an important connection between the HIPAA privacy regulations and the NHII. A central premise of the NHII is that people need to feel comfortable with the electronic movement of their health information around many parts of the health system. The larger goal is to go beyond awareness and help the public understand privacy and electronic health information flows. This is similar to the way the health literacy concept is used. Health literacy is more than being able to read and write; it is navigating the healthcare system, that is, getting what you need to handle your health concerns. Health literacy includes the information-seeking component Ms. McMullan talked about, but is more than just finding information. Health literacy means finding the information you need and using it to make health decisions.

Dr. Lefebvre said that for different segments of the population there were probably different objectives for what was to be accomplished with this type of an educational program. At the basic level, for those who weren't engaged in the healthcare system, having some awareness of where to go for information when they need it was probably appropriate. People who were heavy users of the healthcare system were going to be much more invested in this issue. There would be much more relevance on a daily or weekly basis and for those people there should be a different, more detailed set of objectives. More engagement in a variety of behavior would be needed versus a typical 25 to 30 year old single white male who very rarely has contact with the healthcare system. Looking at the African American population, especially those who receive government benefits, when issues of privacy come up, issues of suspicion might also come up. Dr. Lefebvre said that this understanding of how different populations approached this issue was what he meant in doing research on specific groups. From numerous health communications campaigns conducted over the years, we know enough about communicating about health information to almost be able to predict, for different segments of the population, how this kind of issue was going to be received.

Ms. Schwartz said she wasn't sure the public had an adequate alternative behavior. The intent was for them to understand the rules and be able to navigate healthcare. But Ms. Schwartz questioned whether patients could say no if they weren't comfortable with computerized movement of their health records. And she asked, if they did, would they ever receive healthcare again? Ms. Schwartz said she was perplexed. She wanted people to understand this, but wasn't sure what they wanted them to do. Mr. Rothstein said the purpose of informing people was that the rule established rights for individuals that they couldn't exercise without knowing them. Ms. Schwartz interjected that among the rights was the right to complain to OCR if any of those rights were violated. Mr. Rothstein noted that informing also helped facilitate patient-provider interaction. He pointed out that the burden for informing patients about how HIPAA affected the physician-patient relationship was placed on the physician. Mr. Rothstein added that it would be extremely time and resource consuming, as well as awkward, if people hadn't heard and were confronted with all this and asked to sign a notice in the doctor's office.

Mr. Rothstein expressed interest in segmenting the message based on the audience. He noted that trust levels for the federal government varied widely by race and ethnicity. And he asked where they would start HIPAA education. And if it turned out that people 60 and over were least concerned about health privacy, and 30-to-40 year olds were most concerned, but also less likely to need medical care--who did they begin with? Dr. Lefebvre reflected that the difficult choices they faced might be why people in many programs tried to take the safe ground and be all things to all people. From a communications and marketing perspective, he recommended focusing on the media, media representatives and reporters. Obviously, if they did an awareness campaign and the general population rushed to their doctors with questions, many physicians wouldn't have the answers either. They wouldn't have advanced the patient-physician relationship. Dr. Lefebvre advised that a focused outreach effort aimed at bringing health reporters and media representatives up to speed on these issues would set the agenda for what and how people should think about HIPAA and the privacy rule.

Ms. Schwartz said her first action would be to learn which population was most in need of knowing the information. As a patient, she said she still slightly questioned this whole issue. She wasn't sure how this rule would affect her, except now she would have a real defined place that she knew she could complain to. As an educated health consumer, she knew she had the right to ask for her records and could take her x-ray film to the next doctor. She said she didn't know that she felt or sensed anything different, due to the HIPAA rules. She suggested the best segment of the population to start with would be those with the least understanding of the medical issues. On the other hand, starting with the hardest population to reach flew against communication theory. It seemed to her that it would be like preaching to the choir, unless they looked at the hard-to-reach populations.

Dr. Cohn said he thought a successful campaign could prevent the healthcare process from grinding to a complete halt in mid-April when everybody was confronted with a nine-page notice of fair information practices and, hopefully, a summary and requested someone explain it all to them. He asked if there was some way to get plain communications out to providers, so they could understand what to do between now and April. Dr. Baur said she thought Ms. Schwartz's response reflected the interplay between opinions and prior experience. People might have strong opinions with little or a lot of experience. There were many combinations. She said Ms. Schwartz might have both strong opinions and a lot of experience and so when she got this notice she looked for what was different. Someone else with strong opinions and little experience might have a different question. Dr. Baur thought it again went back to understanding where people started from and the kinds of questions they formulated. She suggested that providers could also be segmented. The same kinds of strategies could be used to determine how to speak plainly to them, the information they needed, and how they wanted to talk about it to their patients or their office staff. Dr. Baur noted there were all kinds of research to aid in helping providers learn how to speak plainly and she thought it would make them more comfortable with the whole project.

Ms. Schwartz asked if the notice had to be a nine-page document. Dr. Cohn said he understood that a summary document could be placed on top. He thought most organizations determined that it took between six and eight pages to respond to the requirements. He suggested having a two- or three-paragraph summary so people didn't do what they did with the Gramm-Leach-Bliley Act notices. Ms. Schwartz wondered if the best way to start the campaign was to pare down the document and make it as people- and user-friendly and understandable in plain language as possible. Dr. Cohn said his understanding was that they had to have a later notice because there was so much in the other notice that they worried people wouldn't read it. Ms. Kaminsky explained it was a response to comments on the NPRM. Based on trial runs entities made, there were concerns about how lengthy notices would have to be to comply. So, the Department okayed a summary overlay, but they still had to provide comprehensive notice. She believed those requirements came from an intent to be very comprehensive in notifying individuals about their rights and the full impact of the privacy rule. Dr. Cohn asked if they had to be sent out together. Ms. Kaminsky said it could be given when a direct provider saw a patient, but they did have to be given together. Dr. Baur noted that the informal work group had been working on the layered notice. She said IHS was developing a summary or top notice.

Dr. Danaher said he wondered whether CMS was better suited than OCR to enforce and roll out the privacy regulations. He noted there were internal checks and balances and he wondered if CMS could leverage the infrastructure, experiences and some of the budgets. He recalled hearing from the first hearings and today's panel about working with state medical societies, professional associations and others to enhance the communication and dissemination of information to community-based physicians. He wondered if invoking Internet concepts of direct-to-consumer marketing might be the greatest impetus to help providers adopt privacy policies and procedures, and make sure that their offices were HIPAA compliant. He asked whether they could better utilize CMS's resources and should think of more direct-to-consumer play.

Ms. McMullan believed that the way the Department looked at the privacy issues was through a network and a privacy council that had participation from the involved components. She suggested there were opportunities to leverage from what CMS was doing for Medicaid, CHIP and their contractors that didn't necessarily draw the conclusion that they should be enforcing the rule. They might help communicate and foster understanding of what the research showed people wanted to know, when they wanted to know it, and how receptive they were to the information. She believed this was a better asset than enforcement.

Ms. McMullan agreed with Ms. Schwartz that they needed to understand what motivated consumers and why they cared. She used the clinical trial as an example in giving privacy information. Most people who went into a clinical trial did so out of intellectual curiosity or were experiencing a health crisis and sought alternative care. They had a motivation and were looking for information. She reiterated the importance of understanding what motivated the consumer, including the motivation for the consumer to get a certain response from their physician or provider.

Dr. Lefebvre said he used to run community heart disease prevention programs that did studies to learn how to get physicians to adopt what were then new national cholesterol education program guidelines. They found the most motivating factor was educating patients to state that their cholesterol levels were too high, a variable that showed dramatic differences between the two communities. Dr. Lefebvre noted it had nothing to do with CME, grand rounds, or who they talked to in their peer network. He'd also worked with CMS in public relations and advertising about Y2K compliance issues on provider outreach. Dr. Lefebvre said the two most effective ways CMS found to reach out to physicians for education were advertising in peer journals and promotion of the toll-free number and Web site. He said the largest increase in hits to the Web site for information about how to become Y2K compliant and ensure they'd be paid on time came from advertisements in the Wall Street Journal.

Dr. Baur said direct-to-consumer advertising in healthcare is an appeal to consumers to ask their healthcare providers for something. Dr. Baur suggested the Subcommittee consider whether that was the right way to reach people about privacy.

Addressing the earlier conversation about the nine pages on privacy practice, Dr. Zubeldia complimented Medicare on the handbook, noting that all of the information on privacy was contained in two-and-a-half pages in 12-point text or larger. With small print, it could be condensed into one page. He asked if others could use this. Ms. McMullan explained that it was written for Medicare as a health plan; rights that didn't relate to Medicare were excluded. She said CMS had spent a lot of energy trying to simplify complex concepts, but the copy wasn't as simple as it might get over time. They were still close to the legal language and a balance that strove to give everyone the fullest understanding of their legal rights in plain language. She saw no reason others couldn't use it as an example.

Mr. Rothstein noted that CMS' role as provider was defined on page 50 of the Medicare handbook. Noting the handbook went to 35 million people, he asked if it was possible to include some information about HIPAA and the privacy rule. Ms. McMullan said CMS provided information on the HIPAA privacy practice and rights, fulfilling its obligation under the privacy rule to inform members of the health plan. The health plan they were informing was the fee-for-service Medicare, which was at least 85 percent of the Medicare population. She said any other information about HIPAA would have to be of more relevance to the population they served than other benefits and rights that CMS had to explain, because they had to hold the handbook to a certain weight to afford postage. Mr. Rothstein agreed it was an issue of practicality. But he added that it would help if 35 million patients had a tear-off sheet.

Ms. Greenberg observed that the reason it mattered that consumers understood privacy protections was that it promoted consumer acceptance of information exchange as part of NHII. She noted that the Committee had worked for years on how to communicate the importance of healthcare information and responding to requests for healthcare information with the appropriate privacy protections. Ms. Greenberg acknowledged the difficulty in sending different messages to various segments, but expressed concern about a risk the earlier panel brought up that the message of why, under appropriate conditions, information should continue to be provided might be lost in an over-zealousness to communicate privacy protections and rights.

Ms. McMullan remarked that her experience at CMS had been that their letters requesting records be used for research hadn't always been clear. And she reflected that incentives for consumers to participate or have their records used in studies also weren't clear. Ms. McMullan emphasized the importance of explaining with clarity that this participation was vital for the public versus individual good and that individuals weren't at risk. Over the years, Ms. McMullan said CMS had gotten much better at this and was successful in getting people to participate in Medicare surveys. She suggested that this was partly due to how people loved Medicare. But she emphasized that the key was to put themselves in the consumers' place. Dr. Lefebvre said he believed they were discussing a step-by-step approach to how much information people might access when they needed it. He recommended looking at the model used for national health information clearinghouses in terms of how much information people needed when they were diagnosed with specific diseases (e.g., whether to go to the NIDDK or the National Heart, Lung, and Blood Institute clearinghouse to get the information they need). He said he believed the question was about accessibility of information. And he suggested that the clearinghouses could provide information on how visitors tracked through their Web sites or combed through publications to get what they needed.

Considering their discussion about segmented messages and audiences, Dr. Harding suggested first getting the privacy information out to those most vulnerable to discrimination in health insurance and jobs, the chronically ill and high utilizers. In terms of behavioral objectives, Dr. Harding cautioned that, in taking away people's ability to consent for treatment, payment and healthcare operations, they were sending a double message about their medical records. Noting people would now be more passive, he questioned whether the specific behavioral change was about authorization or access to their medical records.

Responding to Dr. Danaher's query about whether CMS was better suited to enforce and roll out the privacy regulations, Dr. Harding remarked that CMS was also an entity and said he thought there'd be inherent conflict with CMS providing enforcement. Dr. Lefebvre agreed with the two populations Dr. Harding proposed.

Dr. Baur compared the idea of providing summaries or highlights about privacy to nutritional facts labels that have become an important communications tool for getting information about food products to consumers. She noted that, unlike HIPAA, the current nutrition facts labels are the outcome of a decade-long process of education, consensus building and scientific study.

Dr. Baur said the issue of mixed messages about privacy and privacy protections was critical in clarifying what the message actually was. The public receives multiple messages about privacy, and there had to be a core message about privacy related to health information to which other messages can be added. She said it linked with the point she'd tried to make about the current environment for communicating with the public about privacy. Whatever was done around HIPAA needed to be cognizant of the fact that there was not much consensus about some aspects of privacy. The mixed message issue was real and part of the communication and information environment. Noting many people didn't even realize they had the right to ask the doctor questions, Ms. Schwartz suggested this might be an opportunity to educate people about their rights. Rather than change or create behavior, she suggested they might just have to clarify people's roles and what they had the right to do.

Dr. Zubeldia noted that once a year Medicare beneficiaries got the packet in the mail at a cost of $30 million. Twelve times a year many also received the Medicare summary notice that replaced the explanation of benefits. Section 18 of that booklet explained that the notice provided important Medicare news and information. Noting it would cost little to print a message concerning privacy rights on the summary notice, Dr. Zubeldia suggested this would be a good mechanism for conveying that information. Dr. Zubeldia acknowledged that he didn't read many communications from his payers, but he said he did read the explanation of benefits to know how much he had to pay out. Ms. McMullan noted there were many requests for conveying information via the notice. Noting people checked it to confirm their liability and if they needed to act on any denied charges, she questioned how meaningful it would be to offer privacy information there. She emphasized that access to information had to be provided when it was relevant to people and they sought it, not when the others wanted them to know it. She said this was why she emphasized an access rather than a constant-information approach.

Dr. Lefebvre encouraged them to explore as many different channels and opportunities as possible for getting the message across. He reiterated that advertising research suggested that it took at least seven exposures to a 30-second commercial before a person paid attention and remembered it. Dr. Baur suggested another research question was whether the information belonged on summary notices.

Dr. Danaher reflected that he was always struck by the purchasing power and influence CMS had on the marketplace. Noting a typical Medicare beneficiary who used the healthcare system received up to four different notices of privacy practice (Medicare's, the contracted carrier's, the provider seen, and another if they were hospitalized), Dr. Danaher pushed for harmonization. He believed more entities would comply if Medicare declared the notice of privacy practice everyone was to use, so that they could all match. He suggested people threw out notices stuffed in with their financial statements because they said different things and diluted the message. Dr. Danaher contended a single official notice of privacy practice blessed by Medicare for carriers and providers would be less confusing for the beneficiary.

Panel 3: Health Systems and Institutional Providers

Richard L. Lobb, M.B.A., Manager of Information Systems, Corporate Privacy Office for Conemaugh Health Systems

Mr. Lobb said he'd been in healthcare for 20 years and CHS's HIPAA compliance officer for about a year. He also served as co-chair of the EPA alliance organization that represented Pennsylvania's providers in the allied health services affected by HIPAA. CHS had four acute care facilities, and provided a physician organization of some 70 physicians servicing half-a-million patients each year. Mr. Lobb said CHS had home health, rehabilitation services, nursing care centers, a teaching facility for Trauma IER services, and a large allied health education program. CHS was also a self-funded group health plan, which brought even more challenges for HIPAA implementation. Mr. Lobb noted the Quecreek Mine disaster happened 27 miles from their facility and receiving most of the miners who needed medical care and providing medical care to people in the news was CHS's wake-up call regarding privacy.

Mr. Lobb said he reported to a board eight-to-ten times per year. A working committee that represented each entity and subgroup of services focused on helping define policy development and interpreting the rule. The committee broke into work groups. The patient intake work group addressed the notice of privacy practice, the restriction processes and logistics for actualization. The HR work group focused on self-funded group health plan issues and compliance. The transaction code set work group focused on compliance with the transaction code set initiative. The security work group focused on both the ISO international standards and the proposed security rule information, assessing risks and developing a strategy to mitigate them as they moved forward. The public relations work group's goal was educating external contract constituents that share PHI. The record retention and destruction work group focused on both electronic- and paper-based systems and destruction of documents and records. All work groups reported to the working committee. Mr. Lobb noted that work groups held more meetings than the operational team, which met once a month. Implementation and/or interpretational questions that needed further assistance were brought to this main committee.

Even though the operational team and work group approach appeared to contribute toward a common understanding of the privacy law and input on how one needed to implement it, Mr. Lobb reported that most managers and directors involved in the initiative were busy on a day-to-day operational basis and could provide limited assistance beyond scheduled meetings. He also noted most consultants dealt at a high level of assignment of the rules provisions, not on an operational support level. CHS used specialized consulting services to help with the security assessment and risk ranking of assessment results. Most recently, an EDI consultant/specialist helped them through their transaction data element review.

Mr. Lobb said CHS didn't have an in-house legal counsel; most interpretations of the law's provisions were derived from discussions within the operational team, articles on how others interpreted the provisions, information from associations (e.g., AHA), and FAQs on the HHS Web site, as well as from the regulation itself. Mr. Lobb said CHS only sought the assistance of outside legal counsel when there was no other means to assist in the interpretation of the provisions.

Mr. Lobb broke down CHS's education and training models into four phases. The first phase met requirements of the HIPAA regulation provisions covering general awareness education by getting the word out on uses, disclosures, and general information everyone needed to know during this phase. CHS was more than ninety percent complete with this phase. They'd decided not to wait on the modified rule, but noted instead areas that they knew were concerns and had potential for change when they did their awareness training up front. Mr. Lobb explained that he'd begun by training some 100 groups in person and used the Internet and videotapes to assist in further training.

He reported that CHS was entering the operational phase. As each work group progressed through each operational task form and process, they were also drafting an approach to training affected staff using AHIMA's matrix. He said the external phase was next.

Mr. Lobb reported that the work groups were concerned about how external constituents would view them after they implemented their privacy policies. He explained that this was a small regional community and information was shared through the media relatively quickly. To ward off unnecessary confusion and limit potential miscommunication, Mr. Lobb said he'd decided to hold a series of public meetings for external constituents (e.g., law enforcement, district attorneys' offices, social service centers, women and youth, coroners, regional clergy, regional media, nursing homes, boarding homes, and rehabilitation facilities) and address privacy policy that might directly affect them. He said CHS tried to work in synergy to ease the patient intake process and help constituents understand their requirements under the law. CHS planned on holding these public meetings at the end of February and into March, addressing both the patient requirements and their administrative duties under the law by sharing with each group a copy of their notice of privacy practice and reviewing how the privacy provisions affected each area. Noting this entailed a close look at disclosures, Mr. Lobb emphasized that it was critical that anyone looking at these laws did a state preemption analysis. He said a group of volunteer attorneys would review the Pennsylvania preemption next week at the EPA Alliance HIPAA summit in Hershey. Mr. Lobb said doing their own assessment on preemption would ease the intake of patients from nursing, boarding or rehabilitation facilities.

CHS still needed to develop the monitoring phase and was looking for guidance from HHS. Their focus was to mitigate. If they ran into an issue with an employee that infringed on their policy developed under guidance of the HIPAA privacy regulations, they'd mitigate and follow up as part of their overall service excellence and continuous quality improvement processes. Mr. Lobb said hopefully this would put the issue to rest. Noting sanctioning was a component, Mr. Lobb said HHS hadn't told him anything about it, other than, "Do it." He asked HHS to tell CHS what they wanted them to do, so he could implement it.

CHS delivered the information through a combination of Internet, in person and written communications, focus groups, and self-made video training programs using skit-based training. Mr. Lobb said they'd done their best to interpret the privacy provisions, based on how associations and peers interpreted the law. He noted HHS did a good job on recent fact sheets and he recommended they do more. He suggested that HHS develop the notice of patient privacy and forms such as PHI restrictions and patients' rights to confidential communications. He said even draft policy would help it. And he added that it also would help if covered entities better understood which components of the privacy provisions applied at different levels of enforcement.

Mr. Lobb pointed out that the position of privacy officer wasn't a protected position under law. He asked HHS to give them legal authority and protection from unfair termination practices. Noting the Commonwealth of Pennsylvania was an at-will employment state, Mr. Lobb contended provisions should be built into the law that protected the privacy officer from actions of their employer that made objective reasoning in favor of the privacy provisions an endangered event.

Panel 3: Health Systems and Institutional Providers

Rita Bowen, MA-HIMT, RHIA, CHP, Privacy Officer and Director of Health Information Management, Erlanger Health Systems

Ms. Bowen said Erlanger Health Systems was a Hamilton County Hospital Authority that served a region of four states: Tennessee, Georgia, Alabama, and North Carolina. Erlanger was a level one trauma center with a residency program associated with the University of Tennessee and provided services to multiple campuses. An active member of THIMA and AHIMA, Ms. Bowen said both organizations were already trained in the protections, legal requirements, and release of information functions associated with PHI exercised in HIM departments. Ms. Bowen said THIMA and other professional, compliance and technology groups; attorneys; and others worked collaboratively with THA to share understandings of the privacy regulations and implementation process and, in turn, develop best practices. Noting that morning's discussion about the implications of faxing, she said they'd developed a fax protocol and many of their hospitals already had implemented this best practice.

THIMA appointed HIPAA champions to coordinate activities within each geographic region. Champions attended HIPAA-focused meetings at THA and took information back to their designated regions for discussion, and conveyed feedback at meetings on the state level. Each area hosted meetings and coordinated education sessions focused on the implementation process: one for physicians, another for practice managers. THIMA conducted an open session on HIPAA implementation and best practices. A panel provided samples of their policies at THIMA's state fall meeting. Champions worked with an attorney, hired by THA, for review and response regarding state preemption analysis. Ms. Bowen said results of this analysis would be disseminated throughout the state.

Ms. Bowen said AHIMA provided members with discussion threads regarding best practices through its electronic communities of practice. Two-day seminars, Getting Practical With Privacy, provided attendees with a HIPAA resource book and guidance. All-day privacy institutes for privacy officers dissected topics such as business associates, minimum necessary rule, DRS, and tracking restrictions for practical understanding and implementation.

She said AHIMA also finalized a certification in healthcare privacy. Several members already held it. She emphasized that providing HIM and other professionals with this training and certification would be helpful to the healthcare industry, as well as individuals thrust into positions that addressed introducing HIPAA regulations into organizations, environment, and culture. She added that certification of programs and developers would also be helpful.

Ms. Bowen noted implementation of the privacy rule was more difficult than other HIPAA regulations. She emphasized that it would require concerted efforts by many organizations to assure that people weren't misled and taken advantage of. She said she'd received many mailings from consultants offering to assist in providing "the HIPAA solution." She said this created confusion and havoc, especially among small providers who hadn't the luxury of working with an appointed HIPAA champion. Ms. Bowen said she'd heard a consultant tell a physician that HIPAA mandated he computerize his office. When she asked her own technology vendor if they could support a special flag at the enterprise-access level to signify that the patient had requested a restriction to their PHI, they indicated that wasn't necessary. The vendor then advised her to decline any request to restrict information. Ms. Bowen said this level of advice raised concern, as many small providers depended on consultants and vendors to provide them with a condensed version of what the regulations said and implied. She stressed that small providers and other covered entities needed targeted, reliable educational programs in various formats and media. Ms. Bowen suggested that if the Office for Civil Rights couldn't provide these educational sessions or certify programs, they might establish a partnership with AHIMA or a similar organization to provide this service.

Ms. Bowen also recommended that OCR produce and disseminate sample forms, in various languages, (e.g., the core for the patient privacy notice, based on typical provider settings, authorization forms, and acknowledgments). She said this would assure that the public received consistent information, no matter which covered entity they dealt with. She suggested OCR expand its partnership with professional associations and other industry non-profit organizations, leveraging and reinforcing activities implementing privacy best practices and assuring that consistent understanding of the rule applied.

She noted Dr. Harris's earlier comment on the need for a common conduit for the delivery of good data. She agreed that positive partnerships would assure consistent communication to the public and assist in providing practical guidance, so covered entities weren't at the mercy of misinformed vendors and consultants. She said it was important that healthcare entities understood reality versus perception. She reported that AHIMA had posted best practices on its Web site (ahima.org) and was ready to work with OCR to share these practices with the healthcare community.

Ms. Bowen explained that HIPAA privacy training was being conducted in stages. She reported that most large organizations had provided that first level of organizational awareness to their staff about HIPAA and its implications when the patient's rights were violated. A core understanding of the privacy rule for their work force focused on the need to know, what to know, and knowing the difference concept. They'd already developed computerized training. Their workforce was mandated by policy to complete this module annually. And HIPAA education had been added to the orientation of each new associate.

She reported that Erlanger was currently involved in stage two of four educational efforts to assure that job specific functions were targeted and focused on areas where behavior, practice and routines might need to change. She encouraged other organizations to organize their training with this methodology.

Ms. Bowen noted a deficit in physician and dentist practices' understanding of the HIPAA privacy regulations. Some hadn't even heard of HIPAA. Others didn't understand the impact on their practice or the need to assure a person's privacy. Ms. Bowen suggested this was partly because they hadn't had a formal HIM function. Many had confused comments and communications regarding delays in implementation (i.e., the option to file a delay for the transactions and code set standards requirements) with obligations under the privacy rule. Others thought everything was still unsettled and required continued changes due to unintended consequences or clarification issues.

She reported that large employers with self-funded employee benefit plans received little to no guidance regarding their information practices subject to the HIPAA privacy rule. She recommended that OCR target these professionals and covered entities with a marketing or public relations campaign and increase awareness of the privacy rule, required time lines, and resources.

Ms. Bowen said they'd gone through the privacy regulations locally and nationally and found many were still confused regarding fundraising. She recommended that OCR provide additional assistance to promote understanding and facilitate implementation of this requirement. Ms. Bowen also noted she'd presented a list of Web sites in her written testimony that providers and health plans might find helpful and suggested that OCR could list and link them from its Web site.

Panel 3: Health Systems and Institutional Providers

Maureen Weaver, Partner, Wiggin and Dana LLP

Ms. Weaver, representing AAHSA, said some members were larger organizations (e.g., hospitals and health systems) and had internal resources or benefited from earlier implementation efforts by the health systems they belonged to. Many smaller facilities (e.g., 60-bed rural nursing homes, a 30-bed facility affiliated with a low income senior housing project) weren't able to implement HIPAA standards smoothly. Often, the only logical privacy official in these organizations was the administrator or director of nursing services who was often too busy to even review HIPAA standards. Ms. Weaver emphasized that these providers needed help becoming HIPAA standardized. AAHSA offered numerous educational sessions on HIPAA to raise awareness at annual meetings. Participation in these sessions had risen greatly since the first one in 1998, and Ms. Weaver believed most members were in the process of implementation. AAHSA also published a handbook last year geared to long-term care providers in HIPAA.

Ms. Weaver said that long-term care providers weren't just concerned with state preemption issues; federal laws impacted the privacy rules as well. For example, OBRA, the Medicare conditions of participation for long-term care providers for nursing homes, had several provisions more restrictive, stringent, and protective of patients' rights than HIPAA laws. Thus, long-term providers weren't able to purchase form notices for privacy practices or right to request access because of specific issues they needed to address for OBRA (e.g., under OBRA a nursing home resident has the right to request access orally or in writing, and the facility must provide access within 24 hours, instead of the 30-day turnaround required under the HIPAA privacy rule). Under OBRA, a resident has the right to request restrictions on disclosure of information, with few exceptions; under the privacy rule, this was an option the facility could consider and make a reasonable determination about. Ms. Weaver said AAHSA's handbook focused on specialized concerns for long-term care providers. AAHSA also intends to provide model policies and procedures and roll out audio conference sessions over the next several months.

In addition to AAHSA's national level efforts, Ms. Weaver said many state affiliates provided assistance to members and some had developed innovative approaches. Many of these facilities couldn't afford lawyers to provide HIPAA services. So organizations pooled resources. In Connecticut, a group of long-term care providers pooled resources and engaged her firm and other consultants to develop best practices and model policies, procedures and forms compliant with OBRA and state law requirements. They put it together using a collaborative mode. The partnership divided into functional work groups (e.g., clinical, administrative, business office, medical records, and information systems). Groups worked together to articulate model policies and tease out the more troubling issues. Ms. Weaver said fundraising was a big issue. They were not-for-profit providers and there were sticky questions in the fundraising and marketing areas.

One notable benefit of the collaborative approach has been the networking and support function provided for participants as a result of their HIPAA partnership. Ms. Weaver said their Connecticut Affiliate, CANPFA, was forming a medical record health information council. They had also started to do best practices. For example, HIPAA partnership members developed a process members used in identifying business associates in a long-term care setting and obtaining business associate agreements.

Even with all these efforts, Ms. Weaver said they still needed HHS's help. First and foremost, members needed a practical meaning for "scalable." For example, what did "scalable" mean to a nursing home administrator who answered phones and implemented HIPAA simultaneously without a lot of resources in people, time, or money? Ms. Weaver noted there were minimum steps a smaller facility could take to be in compliance, so long as it recognized that some organizations couldn't realistically implement and master every aspect of the privacy rule in the five months left.

Ms. Weaver urged OCR to ramp up the Q&A process and provide feedback on its Web site. And she encouraged OCR to talk with the part of CMS that oversees long-term care surveys and certification. Long-term care was so heavily regulated that state inspectors came to the average nursing home two to three times per month. Every time, a disclosure of PHI had to be tracked and disclosed, if accounting was ever requested. Ms. Weaver asked how facilities could keep track of those disclosures, particularly when surveyors weren't in the habit of telling them what they looked at in a patient's record.

Ms. Weaver said AAHSA supported recommendations that they develop model forms for their members. Noting that many of their elderly people didn't speak English as their primary language, she said translating forms into foreign languages would be helpful.

AAHSA recommended that OCR work with states to reconcile inconsistencies at the federal level she'd mentioned. She noted they'd done a preemption analysis for Connecticut and that there was a need to alter model forms and educate providers that many state laws were more restrictive and protective and, for the most part, HIPAA didn't preempt them.

Ms. Weaver also addressed the high cost of HIPAA implementation. She asked whether it was possible for at least state Medicaid programs to recognize providers' costs attributable to Medicaid for HIPAA implementation efforts. This was a particular issue for nursing homes supported by government payers. They derived 75-to-80 percent of their revenues from Medicaid programs. Some states, like Connecticut, had provisions that allowed for recognizing the costs of implementing federal initiatives. They had caps and issues with them. Ms. Weaver realized that budgets were tight; still, she believed this was a critical issue for many facilities.

Panel 3: Health Systems and Institutional Providers

Robyn A. Meinhardt, R.N., J.D., Foley and Lardner

Ms. Meinhardt shared four points. First, the long-term care industry was varied, with different providers throughout. A spectrum of services were provided. And there were wide differences between the types of resources available to people in the industry. Large organizations, especially the chains, had more resources and were farther along in implementation than independent owner/operators.

Ms. Meinhardt's second point was that the industry needed clear, specific guidelines from HHS on how the privacy rules applied to them. Clearly the rules weren't written with a long-term care perspective. Resources at skilled nursing facilities and other long-term care providers were extremely limited, in part because of the numerous regulatory structures they struggled under on a day-to-day basis. Staff tended to be less well educated than in an acute care setting, and facilities struggled to get and retain them. When training staff on HIPAA issues, they needed clear guidance from HHS about requirements in language that everyone could understand and apply to their daily work.

She said that there was a lack of clarity in the health plan definition in the rules, including the statute. Because of the current catchall provision in the health plan definition, there was confusion that continuing care contracts were possibly considered health plans. They'd asked CMS for guidance, but hadn't received any. Ms. Meinhardt conveyed the industry's concern about enforcing HIPAA. Unfortunately, they'd experienced state surveyors coming in with non-standardized interpretations of various regulatory schemes and weren't convinced HIPAA would be different.

Ms. Meinhardt said that the long-term care industry provided a number of different types of layers of care: home care providers and home visitors provided companionship, basic house cleaning, and errand-running services; home healthcare (which was a covered entity type provider if engaged in transactions); assisted living facilities; sub-acute care facilities; and skilled nursing facilities. Each might be a stand-alone facility or part of a multi-level retirement community (MLRC) where residents moved through various levels of acuity of care, depending on their health needs. All these players in the long-term care industry tried to structure their HIPAA compliance, and each trade association tried to deal with them as it came up with models.

Ms. Meinhardt reported efforts were made to provide assistance. The National Center for Assisted Living published three different versions of a HIPAA policy manual, including one for skilled nursing facilities. More than 2,000 copies had been sold (members, $199; non-members, $249). The Florida Long-Term Care Association bought 500 copies for resale to members.

Ms. Meinhardt mentioned that CMS held monthly hour-long conference calls for long-term care providers. While a laudable effort, she noted that reports about the effectiveness of the calls were mixed. The most common complaint was that callers were told to submit privacy-related questions in writing through the Web site and answers hadn't been forthcoming. Ms. Meinhardt pointed out that CMS dealt with transaction standards and were being asked privacy questions. She concurred that people received few answers on privacy through HHS.

In spite of these implementation efforts and help given long-term care providers, Ms. Meinhardt conveyed a concern that many, perhaps most, independent owner/operators of skilled nursing and other long-term care facilities still weren't aware of HIPAA and needed special attention, assistance, and specific guidance.

Ms. Meinhardt focused on the guidance HHS needed to give to the long-term care industry, reiterating that the privacy rule didn't have long-term care facilities in mind. The rules on marketing, incidental disclosures, minimum necessary, and physical safeguards, impacted common uses of PHI in the residential care setting. Community celebrations were held on residents' birthdays. Newsletters included specifics about residents and their pictures. Communication with the residents' families helped keep everyone in touch. Names and room numbers were posted in the lobby to facilitate visitation. Names, room numbers and types of diet were noted on meal trays. And the minimum necessary rule interfered with the common practice of telling ancillary staff information about residents' problems or special needs so the housekeeping staff could help maintain a therapeutic environment.

Ms. Meinhardt asked the Subcommittee to imagine how they would deal with the privacy rule if HIPAA's jurisdiction included activities in the home where they lived and expected to be known by name and treated like family. She noted that one didn't have a business associate contract with the baby sitter, separate mailboxes for each family member, individual bathrooms and a lock on the cabinet doors. She said obviously HIPAA didn't apply to their own homes and residential care settings were at a completely different point on the spectrum than acute care settings, where these rules were aimed. Ms. Meinhardt emphasized that more guidance from HHS was needed about how these rules fit into a residential setting. Noting HHS announced it was working on technical materials for various health industry segments, Ms. Meinhardt said she presumed this included the long-term care industry.

She explained that the Long-Term Care Consortium was a group of about 20 of the largest long-term care companies. They'd worked for two years to develop model documents and implementation guidance for members and others in the industry. The consortium recently contacted OCR to discuss their concerns and offer materials they could use in developing technical components for the long-term care industry. OCR declined. Ms. Meinhardt cautioned that long-term care was getting lost in the shuffle when it came to getting guidance from HHS. She said HHS needed to include industry representatives in the development process in order to provide meaningful, usable guidance to the long-term care industry. And she emphasized that the guidance had to be written at the same reading level that HHS expected NOPP to be written and focus on what could be done. She reiterated that the average lower-educated worker needed to understand these guidances and comments.

Ms. Meinhardt's third point was that HHS needed to issue more guidance on the health plan definition. For long-term care, this guidance needed to state whether, or under what circumstances, continuing care contracts were deemed to be health plans. She noted that continuing care contracts--in which a MLRC agreed to provide residential care in the setting that best met a resident's healthcare needs at the time--were common in the long-term care industry.

She said the problem was that, under the catchall definition "health plan," there wasn't a concept of risk anywhere in the regulations or preamble and no discussion of what a plan was. There was the implication that a health plan was an entity that accepted some risk or provided some insurance, but there was no explicit recognition. The catchall definition merely read "any other individual or group plan or combination of individual or group plan that provides or pays the cost of medical care." Ms. Meinhardt cautioned that continuing care contracts could fall under that definition. Noting this quandary of whether other types of entities were health plans was surfacing across the healthcare industry, Ms. Meinhardt said she hoped HHS would provide guidance to resolve this before April 14.

Ms. Meinhardt said, lastly, the long-term care industry's enforcement concerns were based on past experiences with enforcement of other regulatory schemes. State agency representatives applying federal laws frequently surveyed their facilities and often didn't interpret the laws consistently, either in the state agency or from visit to visit, even when the same surveyor did the interpretations. Noting that state agency surveyors would almost certainly conduct HIPAA surveys, Ms. Meinhardt expressed concern that these enforcement actions wouldn't be kinder and gentler, as OCR promised.

Ms. Meinhardt also said the privacy rule, itself, was ambiguous, allowing for a wide range of interpretations. When the state surveyors were making those interpretations, that ambiguity made compliance difficult and increased the risk of liability and enforcement actions. Ms. Meinhardt said the industry needed clear guidance from HHS regarding the specifics of privacy rule implementation. She added that guidance also needed to flow down to the state surveyors as well as everyone trying to implement the rule.

Ms. Meinhardt expressed concern about the lack of guidance on the preemption of state law in respect to enforcement issues. There was no nationwide preemption analysis that definitively laid out the laws with which nationwide long-term care providers needed to comply. Some states had done segments or all of their own preemption analysis, but there was nothing yet on a nationwide basis. As a result, the costs of implementation efforts rose, various interpretations of state laws filtered down, and policies and procedures had to be redone. Noting that staffs then needed to be re-trained on revised policies and procedures, Ms. Meinhardt pointed out that all this added to the cost.

Ms. Meinhardt said HHS declined to be involved in the various preemption analyses efforts. She believed the courts would eventually determine whether a state law was preempted or not, and HHS' blessing on any preemption analysis probably wouldn't carry much weight. But she noted that wasn't a comfort to everyone trying to come into compliance.

Echoing Ms. Weaver's comments about long-term care facilities having been surveyed for privacy issues by both CMS and OCR, Ms. Meinhardt said she'd requested that CMS consolidate, or at least coordinate, its privacy survey process with OCR. Again, she hadn't received a response.

Ms. Kaminsky asked if the continuing care contracts Ms. Meinhardt mentioned were issued by nursing homes as opposed to health insurers. Ms. Meinhardt said, usually, MLRCs with independent and assisted living sections offered them. They might also have a sub-acute section and/or a skilled nursing facility. Usually a hospital would be outside the contract, which was between the resident coming in and the company that ran the various components.

Ms. Kaminsky noted there was no risk associated and wanted to know if they used it as a debit. Ms. Meinhardt said it amounted to the provider of care (the company at all levels) billing the resident for whatever level of care the resident received, either on a monthly or quarterly basis. It was no different than billing a patient for a hospital stay. Ms. Weaver noted there were continuing care retirement communities with contractual arrangements containing an element of risk where the resident entering the facility paid an up-front entrance fee. In some cases, there was a draw down on the entrance fee. In others, the facility applied about 15 percent of that fee toward funding operations and the balance was returned to the resident or estate, in the event they were discharged or passed away.

Discussion

Mr. Lobb recommended a more detailed and focused approach (e.g., reasonableness, minimum necessity, and incidental disclosures) to the subjective information in the regulations. He said they'd guessed what preemptive meant and had changed the general awareness educational component several times as they'd learned what others were doing. He stressed that if HHS or OCR had been clearer up front about what mandates or requirements made up training and education, he could have presented that information more comprehensively at the beginning, instead of going back and making iterative changes.

He said HHS' guidance was good. His perspective was that interpretation of the regulation was what was difficult and the more guidance the better. They couldn't afford to constantly turn to an attorney and relied a lot on their medical records directors to assist in definitions of disclosures and how they impacted their hospital environment.

Mr. Lobb read a comment from the previous week's Modern Health Care. The topic was that the time for filing extensions had passed and 25 percent of the organizations requested extensions. The comment was that, even though the deadline had passed, CMS officials didn't yet plan aggressive enforcement of electronic standards. Mr. Lobb said this took a lot out of enforcement. He again recommended better delineation down to specific level requirements for institutions. He said he realized everyone had different requirements, market groups, and providers, and that this had been an issue throughout the hearings.

Noting they'd talked in the previous panel about double messages, Dr. Harding recalled the request for specifics and definitions of things, but using the reasonable standard. He said the two seemed opposite or mutually exclusive. He asked if there was a type of regulation that was more specific, and another that used the reasonableness standard, and how to separate them. Ms. Bowen said through discussions with other HIM professionals she'd discovered everyone had trouble tracking restrictions. Everyone's first reaction was to say they couldn't until they had a reasonable factor, so that was what they were looking for. She wondered what was reasonable under the tracking restrictions that they might have been asked to do. She reported they were working with communities from their practice centers to see what others were doing. Ms. Bowen said if they were at least doing the same thing, they would be in the same situation together. She stressed that it would be helpful to receive guidance.

Ms. Meinhardt said she believed the point to be that if HHS had something in mind they wanted them to do or not do, they needed to let them know. She had heard from the Region Eight OCR representatives that they were sending out guidance to the OCR regions about what to look for in enforcement. Why not give them that information as well so they knew what it was they wanted them to do and not do. For specifics, let them know, otherwise, let them use the reasonableness standard.

Ms. Kaminsky interjected that no guidance had yet been sent to the regions on what the enforcement process would look like in the future; this was planned to be done at a future date.

Regarding the question Dr. Harding raised, Mr. Rothstein said that this was the traditional dilemma that regulatory agencies were put in. If they used language like reasonable, people didn't know what they meant, it was too vague. On the other hand, if they went into excruciating detail, then they said they were micro-managing their business and not giving them any flexibility. He asked which would be better between the two.

Ms. Weaver said he'd made a good point. There was tension. She suggested the need to distinguish between regulation and guidance. While she believed HHS was on the right track, the regulation was probably as specific as it could be, considering the hundreds of different types of providers, plans, clearinghouses, and other entities subject to this law. It was in the guidance that they asked for answers. Common operational themes developed as facilities tried to implement the rule. OCR had just issued a Q&A addressing the issue of names on patient doors. The guidance stated that putting names on doors wasn't necessarily violating patients' privacy, and thus wasn't necessarily a situation where they needed to get an authorization or give patients the right to object. She acknowledged that it might seem a small point, but it was guidance, and it was giving prompt answers to questions different providers raised.

Mr. Lobb said the interpretation of one particular rule, accounting for disclosures, was an example. He said he was looking at a broader accounting for disclosures than Ms. Bowen, who'd indicated that the state nursing association was potentially included. Mr. Lobb considered that an operational requirement and normal operational practice. Ms. Meinhardt said whether a state licensure agency conducting a survey was healthcare operations or required by law in healthcare oversight was a big issue, with lawyers arguing both sides. She said she'd advised her clients, based on what had come from HHS, that it was a health oversight activity and a disclosure that needed to be tracked. She knew others gave different advice. Ms. Bowen said their hospital association advised that it was something that had to be tracked as well. All the required things they thought might have fallen under operations (e.g., reporting to the cancer registry, vital records) were to be tracked. She noted that was laborious.

Ms. Meinhardt said it would be helpful for HHS to provide guidance on this. She knew these had been submitted as formal questions to HHS.

Mr. Rothstein asked the panelists' best guess as to the percentage of covered entities in their field that were either in compliance, close or making good steps. He noted that morning panelists estimated less than 50 percent--in some cases considerably less. Mr. Lobb agreed on the professional provider side: the doctors and some allied health practices (e.g., PAS). He reported that the institutional side in the Pittsburgh area was at some stage of implementation. Ms. Weaver considered that an accurate estimate for long-term care providers she dealt with. She suggested it was a matter of juggling competing priorities weighing on them in order to make time for it effectively.

Mr. Rothstein asked how they could reach people who were at less than 50 percent. Ms. Weaver believed they'd heard the message and that it was a matter of providing the resources needed to do it. Trade associations were providing resources, but they could only do so much. Smaller providers didn't have 100 percent compliance with every aspect of the rule and needed more guidance. She suggested that some specific issues might be coming up because they also needed guidance on how the reasonable standard applied.

Dr. Zubeldia said a common theme was the gap in getting responses to the questions. He noted there was a place to ask questions about HIPAA, but wondered if it was a good place to get answers. He asked about the panelists' expectations: whether they expected to hear within a week, one month, or six months. Ms. Meinhardt pointed out that when OCR was first appointed guardian of the privacy rule in 2000, they created the OCR Web site for the privacy rule, which included FAQs. Just a few weeks ago Ms. Meinhardt got their first responses to any of those questions. She said it would be reasonable to get answers within a month and said she hoped they'd receive a slew of responses soon. Mr. Lobb said he'd submitted his last question about two months previous. He reviewed the FAQ site frequently and hadn't yet seen any response to their questions. Mr. Lobb said that his expectation would be within a month. He counted on information being given in a way that let him finalize their policy development and move implementation plans forward. A response that took three to six months might mean form redesign and retraining. Noting the next five months were critical, Ms. Weaver said a shorter response time would be in order over time. She emphasized that they needed more intense help now. Her expectation for response was a month, depending on the question. Some questions could and should be answered sooner.

Ms. Kaminsky asked if Conomaugh qualified as an affiliated legal entity, if there was common ownership and control of all those Conomaugh pieces. Mr. Lobb said they didn't qualify; they had some covenant sharing but totally separate operational boards. He said they felt OHCA was better suited for them.

Ms. Kaminsky said a concern she repeatedly heard with the accounting for disclosures requirements was that it was very challenging for businesses to develop a mechanism to track disclosures. Recalling they'd heard at the Boston hearing about software that captured every disclosure in a specific situation, she asked how they tackled the accounting for disclosures. Mr. Lobb said they'd originally broadly interpreted it to include a lot of different requests. Consultants helped with revenue reimbursement initiatives. They were setting up their decision support system to collect information shared electronically with consultant firms. Using legal counsel, they talked more in depth about accounting for disclosures and only came up with a few types of court-ordered subpoenas that fell outside business operations. Mr. Lobb said they planned on tracking it manually with the consultant services that were part of their normal operational practice.

Mr. Lobb said that court-ordered subpoenas were the only items they were viewing as disclosures under this law, unless the Department of Health and Human Services gave them better guidance. Ms. Bowen said that her large facility looked at it a different way. Their interpretation of what they'd seen on the postings called for a broader tracking scope that included vital records, birth and death certificates. She said they planned to computerize tracking and have it logged through the privacy office in an Access database. This was because of their state reporting.

Panel 4: Universities

Carol Richardson, HIPAA administrative coordinator and privacy officer, Johns Hopkins Health System and Johns Hopkins University &

Ms. Richardson discussed accounting for disclosures, focusing on how it related to research with waived authorization, reviews preparatory to research, and research on decedents. For those three areas, the August changes provided an extra provision: the accounting could be performed in summary form if the disclosure included 50 or more individuals' records. Ms. Richardson said she didn't believe this offered individuals any extra protection. An individual requesting an accounting whose information had been used for two different research purposes in those areas might find that one disclosure involved fewer than 50 people, for which they would receive a detailed list of disclosures, while the other involved a research protocol of over 50 people, for which they would receive only a summary of disclosures. Thus, Ms. Richardson said, from an individual perspective, they were getting information that appeared to be confusing. From an organizational perspective of having to track that information, it would be difficult to automate and then train researchers responsible for performing these accountings. She asked for short-term clarification of how this could actually be done.

She pointed out that in starting a research project, researchers might have an idea of the number of individuals they were using and the information they were going to receive. However, over time, the number of individuals they had PHI for might increase. And so, they might end up doing detailed accountings for a portion of that research project and, as more subjects joined the project, be doing summary accountings at the end. This would be confusing for everyone. She requested short-term clarification and asked that the privacy regulations be amended to eliminate the requirement for accounting for waived research, listed under 164.512(i). Or, she suggested, the privacy notice requirements could be amended to state they only had to identify themselves as a research organization.

Ms. Richardson said another issue was identifying minimum necessary and looking at how that might be implemented within an organization. She suggested looking first at the use of the paper medical record and issues that revolved around its use. She noted it was hard to limit access to an individual document that was involved in the paper medical record. The only way to limit access was to create multiple versions of that paper record, and she felt this was an unworkable solution. So individuals who needed access would have to use only what they needed access to. Electronically, this was a problem as they were relying on the vendor's applications. What was retained in systems, and how a user gained access to it, meant that categories or types of information were possibly co-mingled on a screen for viewing or editing. So, individuals who needed access to that information were seeing more than what was considered the minimum necessary, but in order for them to do their jobs they would need access to this information. Ms. Richardson emphasized that some of these items had to be considered while they implemented the minimum necessary requirements, but the greater risk and impact of the requirements related to the disclosure of PHI.

Jean M. Shanley, Attorney, Office of the Vice President for Legal Affairs, University of Texas Southwestern Medical Center at Dallas &

Ms. Shanley said she'd been working on the HIPAA project since its inception. In the course of focusing on practical problems, she'd noticed areas where regulatory clarification came up. It was difficult to separate the two. She said Academic Medical Centers (AMC) structures were extremely broad and varied. No two AMC environments were alike and every time they reviewed the facts in different scenarios, they found out how everyone operated differently. There were usually multiple entities involved in the PHI flow. The relationships were often unique, and the analysis was significantly impacted by how PHI was flowing. Often there was no common ownership or control, especially in the case of their campus, where they didn't own a hospital. They had the medical school and some affiliated non-profit entities associated with it, but all of their training activities occurred in connection with affiliated hospitals.

Ms. Shanley explained that often private and public entities worked together, which added to the complexity, due to the different problems and concerns that arose in those different arenas. For example, UT Southwestern was a state institution. They were affiliated with a county hospital and also some private hospitals, and they each had different concerns.

She said that the diverse missions found in an academic medical center environment produced multi-faceted uses and disclosures: e.g., educational, research, and healthcare provider issues. The practical difficulty HIPAA created was that common industry approaches within each segment were hard to identify. There was limited industry guidance on the application. Often individuals left seminars regarding the rules uncertain what it meant for them when they got back to their campus, because each campus was unique.

Ms. Shanley noted areas for regulatory clarification proliferated. In her experience, consensus and best practice had been costly and at times time-consuming to achieve. A significant amount of effort was expended just on basic structural issues before getting to the need for different policies and procedures. A structural topic discussed on her campus was organized healthcare arrangements, mainly because there was no common ownership or control. They weren't looking at an affiliated covered entity. That was an option they only had with their hospitals. So far, she'd found that many seemed to disagree on whether an OHCA was something elected or something that arose by operation of law. The regulation didn't talk about election, yet it was a popular topic in discussion arenas, whether or not they were going to elect an OHCA. She believed this compounded the problem of what liability might arise from an OHCA. Ms. Shanley conveyed concern that this was a fictional legal arrangement that invited other joint liability arguments.

Ms. Shanley cautioned that if people felt it was something they elected then it would be treated like a joint venture they were entering into, and people were very hesitant to do that, especially when public and private institutions were working together. Law firms had advised that they should get indemnification when working in an organized healthcare organization environment. UT Southwestern couldn't do that. So, working with private hospitals resulted in a concern over the liability and caused issues with their relationships. They had to consider what the relationship required, which increased time and cost. Ms. Shanley said the regulations weren't clear about where they all stood, and that compounded the practical problems in coming to the table.

Dr. Harding asked Ms. Shanley if she would explain about OHCA and designation versus operation of law in layman's terms. Ms. Shanley explained that, for example, with regard to the hybrid entity rule and the affiliated covered entity rule, the regulation specifically said that it was a conscious decision made by the covered entity and what it wanted to be. It then appeared to possibly be the training site's work force that should have assumed responsibility for the training of that student.

Ms. Shanley said training sites were seeking business associate agreements. The school didn't feel it was performing a service on behalf of the hospital, which was what the business associate relationship dictated. This created confusion about where the responsibility would lie and how those institutions were to work together in that setting. Ms. Shanley said they needed to look at whose training obligation it was. It might have to do with what the training obligations should be. A school could certainly incorporate certain privacy training into its curriculum, but that wasn't what the privacy regulations required. They required training on specific policies and procedures. She questioned how the school was going to train on all these different training sites' policies and procedures when they weren't familiar with them. She said she couldn't speak for all sites and hospitals; they needed to ask them directly what their concerns were. It could be they were concerned that liability was involved with assuming responsibility, and that designating the students as their work force increased their liability to an extent that they weren't willing to take on. She suggested that they look at what the nature of that relationship was when they took on that student. Many times there wasn't much to gain from the students. They had a couple of extra helping hands, but sometimes they were also overseeing the students, and it often took just as much time to train and oversee them as doing the job without them. Perhaps they were looking at these situations as recruitment opportunities. That wouldn't be taking on a lot of liability, and they preferred it to be a lower-risk scenario. The more liability attached to each student, the more the educational institution might be discouraged from participating in these types of programs or reduce the diversity of options they offered. Ultimately, this would hinder the quality of the education, because the reason the educational institution looked for a variety of circumstances in the clinical settings was to give a diverse type of practice exposure for that student.

Ms. Shanley said another issue was how to avoid administrative duplication when trainees rotated through multiple training sites. Noting medical residents often went to a secondary hospital for three days and rotated through various sites, she asked how they'd train them. It would be a huge burden for the resident if each institution was required to train them on its policies and procedures. Ms. Shanley noted there already was a great deal of discussion about residents and their work hours and how much time they spent on training activities. There was also a limited amount of time in a day, and they needed to give as much training and practical experience as possible to each resident. If training was the educational institution's responsibility, it was not possible for them to train on all the specific policies and procedures of hospitals and training sites they were not familiar with, so this created implementation hurdles.

She reviewed the financial burden, noting that charitable institutions had limited resources and HIPAA costs were significant. Southwestern alone had more than a dozen internal committees and subcommittees and at least six external committees at affiliated entities. She pointed out that this was a significant amount of time, and people participating in these committees (including many clinical people brought in to ensure what they did worked in practice) had other full-time responsibilities. In addition, there were consultant fees, outside counsel fees and system upgrades. Ms. Shanley noted many thought system upgrades were all connected with EDI, but it was also functions like accounting. Noting they'd had a meeting about handling patient complaints and realized these complaints came from various areas on different topics, she pointed out that they'd need a computerized way to coordinate them. And they'd need computer assistance for training. She noted, too, that there was an increase in time spent negotiating with third parties.

Ms. Shanley said the University of Texas realized HIPAA was here to stay and that everyone, including the entities they worked with, was resolved to implement it. She suggested that compliance costs would be easier to absorb over a longer period of time. And she noted there were only six monthly meetings between then and April 14; they could only meet so often and keep up with the pace of running an institution.

Ms. Shanley noted other research issues: secondary uses of registries, the relationship between parent and subsidiary institutions, and hybrid entity quandaries. As a university, she said they were able to qualify for a hybrid entity designation, but when she looked at it in terms of the research environment she became concerned about accounting for disclosures, which applied in the disclosure setting but not in the use setting. As soon as they declared hybrid entity status, they would have to shift to disclosures as opposed to a single entity where everything was a use. A physician who was both a healthcare provider and a researcher would be constantly going back and forth, but a single entity environment wouldn't present these accountings. As a hybrid, they'd also incur an accounting obligation for internal operations that she said no one was prepared to document. Ms. Shanley noted the need for a forum for academic medical centers to bring questions forward as they arose.

Noting clinical training sites were seeking business associate relationships with academic medical professional training centers, Ms. Kaminsky asked what they were for. Ms. Shanley answered that it would be for whatever type of healthcare facility was providing a training clinical practicum site for the medical student and for the educational institution student. She said the training facility sought to have the school sign a business associate agreement. The agreement applied where the covered entity (the hospital) disclosed their PHI to another entity to do an activity or function on behalf of that hospital. But Ms. Shanley contended it was actually the other way around. The school was hiring a training institution to do a service on behalf of the school, but the school wasn't disclosing PHI so she said it didn't look like the school needed a business associate agreement. The PHI flow was in the opposite direction of the business associate agreement. She said the point was they'd asked for agreements that weren't really needed. She suggested bringing them to the table and asking why they requested them: was it a liability concern, clarification of the regulations, or another reason.

Mr. Rothstein asked if it was because they were trying to escape the requirement of providing HIPAA training. Ms. Shanley acknowledged that could be a concern. If the school was the business associate, then the school was responsible for training each student. That was hard to do when they couldn't train on the hospital's policies and procedures. She asked how they'd know what their procedures were.

Dr. Danaher believed the logic was that the training impetus of a covered entity was more strenuous than the business associate's. He said he dealt daily with the question of whose primary responsibility it was to train the medical students and residents and where they had exposure to PHI. The logic behind classifying business associates was if it was the hospital and medical center's responsibility and they were employees of the covered entity.

Peter Harrington, Senior Associate Counsel, University of Vermont

Mr. Harrington described the way the University of Vermont was set up, in contradistinction to UT Southwestern. The University of Vermont represented the smaller schools that didn't own or operate a physician's practice or hospital. However, they did have a medical school. He pointed out substantive areas and concerns he'd learned about through participation in the association's list serve and a conference of the National Association of College and University Attorneys, which actively provided education and research to help its members understand HIPAA.

Mr. Harrington said he believed personally that there were two camps regarding compliance by higher education institutions. The academic medical center camp, which owned hospitals and/or practice groups, had been working on HIPAA for one or two years. The extension deadline had caused a lot of the smaller colleges to become more serious and active regarding compliance. Mr. Harrington said the issue he'd heard most in his list serve discussions with other higher education lawyers was the FERPA exception, which governed how universities, colleges and K-12 schools needed to treat education records of their students. FERPA covered every record held by a school that directly related to any of its students enrolled there. HHS carved out of the definition of PHI both education records as defined by FERPA and treatment records, which were themselves carved out of FERPA. HHS said it understood that school nurses or clinics were going to have records about a student. It also understood that there was a subcategory of records (treatment records kept by just the medical provider) that weren't used for billing and that the student might never see. HHS had looked at both types of records and decided that it would exclude both from the definition of PHI. The implication for university clinics that cared for both students and non-students was that it created a practical problem of having to follow two sets of similar but significantly different regulatory regimes for treating the records and individually identifiable health information. For example, a physical therapy group served not only students, but also faculty and staff, and an audiology clinic could also serve the community. They had dual populations and needed to figure out a combined set of policies that covered both FERPA and HIPAA. This was an issue, as the two laws differed in significant ways.

He said a threshold issue confusing many people was whether HIPAA or FERPA applied to student records. He noted a statement in the preamble to the December 2000 final rule including a school clinic within the definition of healthcare provider engaged in HIPAA transactions, making it a covered entity that had to comply with the privacy rules. His colleagues referred to this and believed they needed to comply with HIPAA. Mr. Harrington contended that education and treatment records weren't covered by HIPAA. The privacy rule said so. He believed that, if one read the whole comment, they'd see HHS intended to say that if a school clinic wasn't covered by FERPA via receiving federal financial assistance, then FERPA wouldn't apply. He suggested that HHS add a Q&A providing guidance on this issue.

Mr. Harrington discussed in detail the issue of schools serving dual populations. He said a school could comply with FERPA and (because HIPAA was stricter) voluntarily impose HIPAA on itself. He doubted there was a way to avoid the problem of still having to treat two kinds of records differently. He suggested that, in passing HIPAA, Congress had no intent to preempt FERPA. And he believed it was a reasonable interpretation of the statutes for HHS to say that HIPAA was the more specific statute and stricter with respect to privacy and confidentiality, and thus would allow schools to opt into HIPAA. He said the more specific law (HIPAA) should take precedence, and that a judge or an agency construing the two statutes should want to give full effect to both as much as possible.

Mr. Harrington covered research issues. He said he heard most about patient recruitment issues that were important to doctors trying to recruit patients to their clinical trials without going to the IRB. He believed the August 2002 final rule stated they could do recruitment within the covered entity. This meant a researcher could obtain PHI on people possibly eligible for a trial and contact them; his logic was that the only disclosure would be to the patient. But he was concerned that someone could say it was in the preamble, though that preamble statement wasn't consistent with the rule. (164.502 states that unless a use or disclosure is authorized in the HIPAA privacy rule, it isn't permitted.) Mr. Harrington suggested the agency consider either saying that they deemed recruitment to be a healthcare operation or a marketing operation, and have those use rules apply to research recruitment, or making a regulatory change. As he read it, Mr. Harrington said the December 2000 preamble implied that research recruitment was probably a healthcare operation. The new rule stated it wasn't a healthcare operation or marketing and, therefore, it was okay because it was disclosure to a patient. He suggested the agency look closer and shore up the grounds.

He suggested another option for recruitment was to review records preparatory to research, but he noted that probably didn't encompass recruitment. The agency had said they wanted to help recruitment, which was partly why they had the review preparatory to research rule. On the other hand, in December of 2000, they'd said that when they did these, they couldn't record; only de-identified PHI was to be recorded by the researcher. It was in the preamble, not the rule, and seemed to add a restriction. Because of this, he contended that the suggestions in his written testimony would really assist researchers without doing any significant harm to privacy interests of the patient.

Mr. Harrington said the other issue was dual employment, and that this was where the model of his institution was unique and came into play. The university paid part of the salary of the college of medicine's faculty. Faculty members were also employees of the practice group, a separate legal entity associated with the hospital. They had dual responsibilities, and it wasn't clear under the rules whether in doing research they were deemed within the covered entity practice group or outside researchers. From an administrative standpoint, he said it would be of great benefit if they were deemed internal to the covered entity. The university asked for guidance from the agency.

Mr. Harrington noted the agency had said that the final security rules would conform to the privacy rule and work together well. He encouraged them to consider that the hybrid entity concept and the FERPA exemption weren't in the proposed security rule. Mr. Harrington said this could lead to anomalous results, if their student records weren't covered by the privacy rule but might be covered by the security rule. Mr. Harrington urged the agency to carry those two concepts into the final security rule.

His last two issues were questions from colleagues. They had contractual arrangements for their student clinic and hired outside clinicians. Mr. Harrington suggested this was a case of whether a reasonable or specific rule would better serve and he said guidance would be useful. He encouraged the agency to posit a hypothetical of a university with a clinic that hired a local practice group to provide care. Who was the covered entity? Who had the duties under HIPAA? Were business associate agreements needed, and did the FERPA exception apply, if the records were student records?

Mr. Harrington's last issue had to do with student interns. He contended that when they sent students to a hospital, it was the hospital's duty to train and educate them on HIPAA. Places were trying to make them business associates, even though they weren't performing a function on their behalf and weren't getting any of their PHI. He believed the rule was fairly clear, but suggested that a guidance document could put the issue to rest.

Panel 4: Universities

Richard Marks, Esq.; Davis, Wright, Tremaine &

Mr. Marks summarized five major issues outlined in detail in his written testimony. He said the first issue that concerned his university clients was the Secretary's failure to publish the final security rules required by the statute. The second was the enormous complexity, ambiguity, and confusion of the HIPAA rules and the agency's delay in clarifying them. Third was the agency's failure to deal with the U.S. Supreme Court precedent, which made their informal guidance not authoritative. Fourth was the additional cost and delay HIPAA rules imposed on medical research. Fifth and important for privacy and confidentiality, was the Secretary's failure to assure early enough that the transaction standards were complete, thus ensuring confidence that the healthcare payment system wouldn't face substantial disruption.

Mr. Marks said that, under the statute, initial security standards had to be adopted by February 1998. This was an explicit statutory command and the deadline was long past. Security remained the framework in which privacy in transactions was implemented. Without security, all the privacy rules were no help. He noted the rules still hadn't been issued, that this blocked planning by systems vendors, and that the industry was paralyzed and vulnerable on security. A public dispute had broken out between vendors and providers. Vendors said they were being asked to assure their clients, hospitals, physicians, and health plans that systems were secure. Yet, the vendors themselves didn't know what the federal government's security standards were. Vendors, universities and other covered entities couldn't design systems or plan.

He said it was important that there was a mini-security rule in the privacy rule. The mini-security rule (Section 164.530) stated there had to be appropriate security on April 14. The failure of HHS and the Secretary to get these rules out, so people could learn them and incorporate needed security into their systems, put all covered entities and their business associates in legal jeopardy. It forced them to be vulnerable to lawsuits in the state courts for failures due to penetrations, hacking attacks, and other incidents attributable to failure of security. Mr. Marks emphasized that this was an enormous practical problem. But he said the solution was simple: get the standards out. Reporting that the latest rumor was that these rules would be published on December 27 in the Federal Register, he noted they'd heard similar rumors for three years.

Mr. Marks said the enormous complexity, ambiguity and confusion in the rule was compounded because HHS hadn't been assiduous in clarifying it. He reiterated that this confusion needed to be remedied. Originally unnecessary, he said it had become an integral feature of the privacy rules and the enormous, long, complex preambles that attempted to explain them. The document was over 2,000 8-1/2-by-11 pages. Mr. Marks said that construction was so complicated that people couldn't understand and apply it without enormous problems. As an example, he cited HIPAA versus FERPA requiring university health centers to apply two sets of complex rules, which wasn't feasible on a day-to-day basis without a direct line to a lawyer.

He said HIPAA's preemption rule had proven to be extremely confusing, costly, and intractable. The preemption studies being conducted were costly, time consuming, and would produce only a checklist that they hoped would guide clients, covered entities, physicians, and hospitals through this maze. He said the privacy issues turned out to be unfriendly to consumers. He wondered how people would react when they received a 12 page or perhaps 5-page "streamlined" NOPP that they weren't likely to care about, but would consider another obstacle to receiving fast and compassionate care.

Mr. Marks noted that in 2001, the United States Supreme Court decided United States v. Mead Corporation. The case held that informal administrative guidance wasn't authoritative. Yet HHS proposed to guide the industry with informal guidance. Mr. Marks said HHS needed to take a leadership role and make full disclosure to the industry, stating that they relied on informal guidance to their peril. Dr. Harding asked for a clarification about a recent suit brought by the Louisiana and South Carolina medical associations and others where this issue was thrown out. Mr. Marks replied that although these issues were mentioned, the authoritativeness of the particular ruling wasn't at issue. He predicted that this would come to a head when Hopkins, Texas, or Vermont relied on some informal guidance and a hacking attack or leak caused medical records to be published on the Internet. The institution, trustees, or physicians would be sued. And at that point, a court might look at the guidance and say that they had relied upon it to their peril and it was wrong. Mr. Marks reiterated that an enormous problem had surfaced, even though it had been brought to HHS' attention that full disclosure and a deliberate, scholarly treatment was needed. The administrative law was extremely complex and in any particular case a court might or might not agree with HHS or give it the force of law.

Mr. Marks said that the last point was that the kind of guidance the courts would give deference to was either a rule making or an administrative adjudication. He predicted many adjudications in the future.

He said HHS' record of making progress in rule makings was neither good nor fast. The statute said that they could only have one a year for any particular standard. HHS would have to go up to the next level and probably well beyond that, in order to give universities and others in healthcare who were trying to work their way through this complex rule the guidance they needed.

Mr. Marks said that they were entering an era where computational techniques were at the point where they could revolutionize biomedical research. Yet, the whole notion of creating repositories used this year for cancer, in 10 years for heart disease and in 20 years for Alzheimer's were in jeopardy due to restrictive interpretation and rules around HIPAA authorization. He predicted that enormous additional costs would be levied for patient recruitment and there would be so much paperwork and obstacles that these rules would hamper research and discourage people from participating.

He said that the consequence of all this was that as patients, they'd all pay. They all had an interest in medical research and the progress that would be made in diseases that they might have. He hoped the committee would look at this consequence seriously. On behalf of his clients, he suggested that eventually the policy behind these rules be changed.

Mr. Marks said that HIPAA mandated one of the largest computer system conversions in history. He said they knew from experience in large systems projects that there needed to be a great deal of time for testing and adjustment. To do that, they needed stable transaction standards so industry could code and wrap business processes around them, put them into practice and test them. Normally in big systems projects (e.g., the telephone industry) where standards and systems were well known and established, people tested for years. They weren't going to have time for even the bare bones testing that a systems engineer would want in dealing with the transaction standard. Mr. Marks said this meant that the difficulties of electronic data interchange, which involved standards for complex data processing and business process redesign, probably weren't going to work in substantial ways. He cautioned that a crisis was in the making that would affect privacy and security of people's records as well as their healthcare. If two-to-five percent of transactions didn't go through by October 17, 2003, it would be an enormous problem. With 20-30 percent or greater, he predicted a disruption in healthcare.

Discussion

Noting he assumed that most academic medical centers were well on their way, Mr. Rothstein asked how far along smaller colleges and universities were in terms of compliance, and if the panelists had any recommendations about the kind of technical assistance and support HHS could provide to get them up to speed.

Mr. Harrington said the only evidence he had was anecdotal. There'd been a lot of activity on the listserv when they'd asked for the deadline extension. He believed the attorneys representing these institutions were well aware, but he didn't know in terms of where people presently were with implementation. He'd informally asked on the listserv and received few responses. His overall impression was that starting September and October a lot of places began catching up.

Mr. Harrington noted that the FERPA exception was a big issue and people could use guidance. He thought CMS's decisional tool was excellent. He reported that people involved in HIPAA research loved the covered entity and wrestled with definitions. For anyone who wasn't a lawyer or was exposed to HIPAA for the first time, decision trees were great. He believed examples were excellent, particularly when questions came up around contractual arrangements, especially for colleges.

Mr. Harrington asked about separate research records (not medical records) held by a researcher governed by the HIPAA rules: did they follow minimum necessary and business associate requirements, or weren't they covered because they weren't in a DRS? He noted this was another place where guidance would be useful. Ms. Shanley said she didn't have a clear sense of where the industry was as a whole. She suggested that the Association of American Medical Colleges might provide guidance, particularly after its mid-November symposium where the medical colleges would share implementation concerns and gain a sense of where everyone was. Ms. Shanley said a forum that provided prompt answers and clarifications on an ongoing basis would be the best way to receive guidance without stalling. Issues that couldn't receive clear resolution could stop things completely. At the least, they were hard to work around. Ms. Shanley emphasized that the important thing was having a place to get an answer.

Mr. Marks reiterated the complexity of the issue and confusion. In the short run, the rules were unchangeable. But he noted HHS could create an office that had authority to make rulings and get answers out fast. With a privacy implementation date of April 14 and less than a year for transactions, even a month was too long to wait for answers. Mr. Marks recommended that HHS establish an office, staff it with good people who had authority to make rulings, so there was hope they'd be considered authoritative under the Mead doctrine. He emphasized that if there was going to be any hope that this system would go into effect without confusion on April 14, HHS had to step in and furnish guidance and resources.

Dr. Danaher said academic medical centers had made and continued to make fairly good progress. He depicted a bell-shaped curve for the institutions, but noted they were working through their issues and their committees were moving on policies and procedures. Dr. Danaher said universities were just beginning to address their lives as hybrid entities. Actualizing the research implications was both their biggest headache and the biggest thing they struggled to resolve. He noted many universities had shared IT services.

Dr. Danaher noted the university employed people who also worked in AMC and resided on or off campus. Figuring out where some hybrid entities began and ended was difficult. For example, what was their responsibility for people on campus who provided services to the university 80 percent of the time and to the hospital the rest of the time? He said he saw two responses. Academic medical centers executed their strategies to be compliant, devoid of what the rest of the university did. And, sometimes, someone tried to help the entire university comply, because it was going to be so costly. Even though the hospital was ahead, they wanted global pricing, strategy, and theme. Dr. Danaher said the designation wasn't between small, medium or large. And he thought the hospitals and academic medical centers they were associated with were ahead of them in a number of ways.

Ms. Richardson said her responsibility to Hopkins spanned both the university and health system. They looked at this as one large entity that had areas considered fully covered and others that weren't. On the university side, some schools were considered a fully covered function. In other schools, anyone obtaining PHI from the health system or another fully covered school had extra requirements to follow. Ms. Richardson emphasized that it was difficult to look at an individual who functioned both in a covered school and another mode not under the HIPAA requirements. It was difficult, from a training perspective, to relay that, based upon the role one performed, that one had to function differently. Having consistency in an organization as large as Hopkins was an issue. They had entities and schools that functioned separately, even though they performed the same function. It was difficult to bring consistency to that and ensure that they trained everybody and did everything the same way. Ms. Richardson stressed the difficulty from a research perspective. There had been no guidance in some areas and they had to interpret as they moved ahead. They felt that if they didn't take time to determine what they wanted to train people on, they'd run out of time.

Dr. Danaher asked if they had driven the entire organization at the same rate or whether pockets, such as hospitals, were further along with HIPAA and privacy preparation. Ms. Richardson said Hopkins was developing one policy, one form, and one procedure to perform this activity anywhere. And they also moved at the same rate from a policy perspective. The problem on the university side was deciding who was affected, because this changed frequently, depending on who was getting PHI from where.

Mr. Marks contended that all universities struggled with this, adding that he didn't want to give a sense of optimism about academic medical centers. Some academic medical centers, like Hopkins, were much farther along than others. But they all faced this unfunded mandate, a whole new set of responsibilities and training, and ran into flaws built into the privacy rule. They'd asked questions and gotten no firm answers. Many academic medical centers were just beginning to realize how difficult it would be dealing with HIPAA. They were looking at litigation risk management issues in order to be minimally compliant by April 14 and simultaneously trying to find money and answers. They hoped their vendors would come up with systems designed to help them comply, and that hadn't yet happened. The vendor community had been unresponsive because the rules were so difficult to figure out--and in the security area there weren't any.

Like universities, Mr. Marks said they were worried about the student health center and research done in a non-medical setting (e.g., psychology, sociology, anthropology departments) and had just begun to deal with these issues systematically. Different organizations were running into the same ambiguities infused into the structure of the privacy rule. They couldn't get answers, so they were trying to figure out how they could comply, control costs, and make a good faith effort. They were perplexed and worried.

Ms. Shanley agreed that Hopkins might be further along than some other academic medical center environments. She suggested that was because they were structured with a centralized, unified oversight that provided authority to roll out consistent policies and procedures. She noted everything moved slower at the University of Texas because so many hospitals with their own boards and administrations were brought together. She reported consensus and negotiation building and that they'd completed their gap analysis in September. In that process, the need to pull the institutions together became clear. But until they did pull together and communicate, it wasn't clear how they'd impacted others and there was initial hesitance and confusion about why they needed to come together. For example, the university had put together a security role-based matrix and there'd been much discussion with physicians concerned that nursing and other support staff would be put where they couldn't rely on them. The hospitals were possibly putting together their own role-based matrices and physicians at the medical school also might put together their own, but unless they coordinated, physicians were going to be reliant on whatever hospitals put together. Ms. Shanley emphasized the need to negotiate, which made pulling things together harder.

Ms. Shanley said differences of matrix were also an issue in the hybrid entity designation. Because the rules weren't finalized until August, they couldn't look at that issue extensively until recently and Ms. Shanley said she'd become hesitant and concerned. She said it was a threshold issue and unclear and had to be decided at the onset, so compliance activities could flow from that designation. For example, if they incurred accounting obligations to appease the accounting issue, they'd have artificial disclosures inside the campus that weren't disclosures with a single entity. Ms. Shanley said she didn't want to recommend going forward unless she was sure of the practical impact. She was frustrated because she didn't know how to complete that analysis, move forward with policies and procedures, and mesh the two together. Dr. Danaher remarked that it was like the OHCA matter she'd mentioned: the question was where was the threshold for a hybrid entity and did they treat them more like covered entities.

Mr. Marks said they'd discovered that when they brought people together new liability and risks had to be negotiated. Once this was appreciated and negotiated at higher levels, it eventually became a board of trustees' issue. He noted these negotiations took time and money and, with the transaction costs that came from dealing with the risks from all these business associate agreements, the costs were overwhelming. Mr. Marks predicted that as universities appreciated the full measure of what HIPAA required, entered these negotiations and ran into the blocks Ms. Shanley described, everything would slow down.

Ms. Richardson said they'd learned a lot from Y2K about putting things together. The only reason they had a centralized group presiding over this was because her responsibility for this project was deemed to be across both organizations. She said this was a vehicle to gain more consistency inside the Hopkins organization, even though now most entities functioned independently. If they hadn't done this, she said there'd probably be more issues today. Ms. Kaminsky asked if there was common ownership and control and those entities met the affiliated covered entity designation. Ms. Richardson said they did on the health system side, but the university was separate. She said they were working on how they would share data between the health system and university as two separate types of identities.

Mr. Marks said he hoped the Committee understood people were worried that fundamental issues were still being discussed six months before the privacy compliance was to be enacted. He said this indicated how difficult the HIPAA implementation process had become and that he didn't believe they'd soon see resolution of these difficulties. Mr. Marks observed that it was an enormous and expensive set of tasks to learn how to apply organized healthcare arrangements, single covered and hybrid entities, and business associate contracts, and then layer the security rights on top in January.

Day Two

Panel 1: Health Plans and Group Health Plans

Ron E. Hoffman, RHU, Legislative/Regulatory Analyst, Corporate Privacy Team, Mutual of Omaha Insurance Company

Mr. Hoffman represented Mutual of Omaha Insurance Company and the Health Insurance Association of America (HIAA). Mr. Hoffman said HIAA's nearly 300 members provided a full array of health insurance products, including medical expense, long term care, dental, disability and supplemental coverage to more than 100 million Americans. Mutual of Omaha was one of the largest providers of health insurance and also one of the nation's largest administrators of Medicare Part A claims. Both supported strong, nationally uniform privacy standards.

Mr. Hoffman explained that Mutual of Omaha's perspective of HIPAA and compliance with privacy initiatives came from being a multi-line insurer (offering covered and non-covered lines of business); an affiliated Covered Entity, a Hybrid Entity and a Group Health Plan; an administrator to Group Health Plans where they are business associates; an organization that offers FEHB plans and administers group health plans to non-federal government entities; a financial institution/licensee under Gramm-Leach-Bliley (GLB) and related state initiatives; a national company subjected to regulation by State Insurance Departments; and most likely, a "commercial" business subjected to new privacy ordinances to be passed at the local level in a number of California cities or counties. Due to the complexity of coordinating compliance activities associated with a patchwork of federal and state privacy laws, Mutual of Omaha authorized creation of a Corporate Privacy Team in 2000.

The Privacy Team's first project was a privacy impact assessment with a focus on GLB. The Corporate Privacy Team led and managed the project, in conjunction with a major consulting firm familiar with their operations. The assessment was completed in twelve weeks. Mr. Hoffman said the consultant brought value to the project for Security and Transaction/Code Set requirements and made it clear that the complexities of privacy were more than initially expected. Once compliance implementation work was completed on GLB in July 2001, the Corporate Privacy Team focused on HIPAA Privacy. The company estimated it will take 8,000 workdays (one FTE x 7.75 hours/day) to implement all the HIPAA privacy requirements. Through September 2002, their HIPAA compliance project cost was more than $1 million; one-time initial compliance costs by April 2003 were estimated to be more than $2.75 million. Including one-time costs associated with bringing HIPAA EDI standards online and complying with GLB privacy mandates, Mutual of Omaha calculated it will cost them $11 million to be GLB and HIPAA compliant by April 2003.

Mr. Hoffman said Mutual of Omaha considered the multitude of federal and state privacy laws affecting their collection, use, storage and disclosure of personal financial and medical information and decided it would be more effective and less costly to develop their own computer-based training program. Their associates were given training on the privacy policies and procedures established to comply with GLB, but Mutual of Omaha concluded that it wouldn't be sufficient to simply develop HIPAA Privacy training as an overlay to GLB training. Mr. Hoffman said the relationships between HIPAA, GLB and other applicable privacy-related policies and standards had to be explained so associates could distinguish between requirements. Mutual of Omaha's privacy outreach was limited to their workforce and captive agents. They'd also released general HIPAA awareness newsletters to their Group Offices for distribution to group health plan clients.

Responding to a request for information on the availability of compliance resources from trade associations, Mr. Hoffman noted educational resources and publications HIAA offered. HIAA published a four-part series on HIPAA Privacy Rules. The first publication, HIPAA Primer, An Introduction to HIPAA Rules, Requirements, and Compliance, was followed with publications offering implementation guidance: HIPAA Action Items for Physicians' Offices and others for Home Care Providers and Insurers. HIAA also offered opportunities to earn designation as a HIPAA Associate or HIPAA Professional, based on successful completion of course work derived from its published materials. Mr. Hoffman remarked that although HIAA's publications and educational opportunities were helpful, their attempt to provide reasonable and accessible HIPAA privacy rule education was frustrating. The lack of clarification available from OCR on fundamental interpretations of the standards and requirements created uncertainty in the design of educational materials beyond a basic content level. Mr. Hoffman contended that no trade association should be asked to serve in the role of interpreting the Privacy Rule for its covered entity industry segment as a substitute for OCR's failure to provide guidance. Mr. Hoffman suggested that OCR form covered entity industry teams to assist OCR with their understanding of implementation issues unique to each industry. Covered entity industry teams would be made up of industry volunteers, trade association volunteers and OCR staff.

Mr. Hoffman echoed comments and concerns voiced by panelists during the HIPAA hearing in Boston regarding employers and plan sponsors of group health plans. Mutual of Omaha planned to offer sample documents, including plan document language, certification and notices, but Mr. Hoffman emphasized they'd encourage the plan sponsor to review these documents with their own legal counsel and personalize them to fit their specific circumstances. Mr. Hoffman anticipated that employers would request more guidance than they were comfortable providing or felt was their responsibility.

Mr. Hoffman noted reliable resources to assist employers as sponsors and health plans were scarce. He said the "Covered Entity Decision Tool" posted on the OCR Web site was helpful, but OCR didn't provide clear direction and a plan sponsor needed clarification once they determined they were a group health plan. He stressed that direction from OCR was needed to ensure that plan sponsors acknowledged their responsibilities under the rule. Numerous law firms, consultants and employee benefit organizations were sending client alerts and other public documents summarizing the impact of HIPAA on employers and group health plans they sponsored. Mr. Hoffman pointed out that information on the requirements for group health plan sponsors willing to accept only summary or de-identified information wasn't consistent. For example, some sources concluded self-funded group health plan's sponsors always received PHI and therefore must fully comply with HIPAA; others reached different conclusions. Private sector advice on the requirements for insured group health plans and sponsors was far less consistent, ranging from advising sponsors that they could avoid having to comply with HIPAA if they didn't receive PHI to advising that the sponsor still must perform nearly all the group health plan requirements, other than plan document revision and certification.

Mutual of Omaha's efforts to educate employers, as issuers or administrators of group health plans, were further complicated because many plan sponsors offered more than one type of health plan option (self-funded and insured) and often these came from more than one issuer/administrator. Mr. Hoffman remarked that he hadn't seen any publication that addressed the nonfederal government groups (e.g. school districts and municipalities) who offered self-funded health plans and elected to "opt-out" of certain requirements of HIPAA's Title I health insurance reform provisions. Some of these groups believed that because they opted out of complying with certain HIPAA Title I provisions, they were exempt from HIPAA's Title II Administrative Simplification provisions. Also problematic was the fact that CMS administered the annual HIPAA exemption elections of nonfederal government plans, while OCR enforced the HIPAA Privacy Rules.

Another issue Mr. Hoffman said needed to be addressed was the dichotomy of practical compliance for insurers as covered entities in their relationships with small health plans. He said CMS's Q&A clarification aimed at assisting health plans to determine what receipts to use to decide whether they qualified as a "small health plan" was helpful and appreciated. Small health plans received an extra year to come into compliance with the rule and this additional year would benefit qualifying small health plan sponsors. But he noted confusion about potential inconsistent implementation of HIPAA privacy compliance because these small health plans' insurance issuers and third-party administrators (TPAs) would need to be in compliance as covered entities in their own right by April 2003. Mr. Hoffman cautioned that difficulties would undoubtedly arise during the transitional year as insurers attempted to follow and implement their own compliance policies and procedures when their small health plan partners' compliance programs were still under development. For example, small health plans might expect to continue to receive PHI from their insurers and TPAs after April 2003. Conversely, the insurers and TPAs might feel compelled to require proof that the Privacy Rule requirements could be met before releasing PHI to a small plan business partner. Mr. Hoffman encouraged OCR to provide guidance and engagement in these areas to encourage small health plan compliance and assure consumers their privacy rights were appropriately protected under the HIPAA Privacy standards.

Mr. Hoffman noted preemption was a major issue to insurers. Congress chose not to give HIPAA privacy full federal preemption status and states were free to establish privacy standards more stringent than those in the federal Privacy Rule. Most states already had a multitude of laws and regulations detailing when, how and what personal information might be used or disclosed, including health information and identifying information. Much of it wasn't traditional insurance regulation but now affected insurers' operations. More legislation and regulation was being considered and passed in state legislatures and agencies. HIAA and other industry associations jointly commissioned a national HIPAA Rule Preemption Analysis by a national law firm, Shaw, Pittman, LLP to assist insurers with the preemption question. The analysis, which is available on the Internet on a subscription basis, provided a comprehensive overview of each state's laws and regulations that directly affect the application of the federal Privacy Rule standards to the operations of health insurers and the PHI insurers created, obtained, held, used or disclosed. Mr. Hoffman said the analysis was only a starting point for insurers, who subsequently had to apply its findings to their products and operations. Noting the analysis took five months, cost more than $1,000,000, and had to be continually updated and revised, Mr. Hoffman said the industry was spending exorbitant amounts of time and money addressing inconsistent state and federal privacy requirements.

He stressed that he couldn't overemphasize the administrative burden stemming from the lack of federal preemption. It was burdensome for a local physician; for a health insurer with insurance products sold and subscribed to on a nationwide basis, this diversity and constant change was overwhelming. For covered entities with multi-state operations (e.g., health insurance issuers) this state-based diversity required enormous effort. Mr. Hoffman reiterated that many of the state individual health information privacy protections weren't specifically insurance regulation, unsettling decades of industry work with organizations, like the National Association of Insurance Commissioners (NAIC). Mr. Hoffman strongly expressed the health insurance industry's need for full federal preemption for the HIPAA Privacy standards.

Mr. Hoffman concluded with a list of several specific recommendations. He encouraged NCVHS to urge the Congress to provide full federal preemption for the HIPAA Privacy standards and to urge HHS to commit more resources to this area. Mr. Hoffman also encouraged OCR to provide more interpretive and interactive guidance to health plans and the insurance industry, including specific HIPAA Privacy responsibilities of health plan sponsors, obligations of plan sponsors regarding the use and disclosure of summary (de-identified) information, requirements of fully insured plan sponsors to respond to an individual's requests for access to PHI in the sponsor's possession, application of HIPAA privacy standards to self-funded nonfederal governmental plans, HIPAA compliance obligations of an insurance issuer in its relationship with a small health plan during the additional transition year available to small health plans for compliance, and assistance with standardized notice and authorization forms for health plans and insurers that address the preemption questions. In order to facilitate the agency's responsiveness, Mr. Hoffman urged OCR to establish internal covered entity compliance issue teams, preferably by industry segments.

Panel 1: Health Plans and Group Health Plans

Colleen Grimes, Assistant Vice President, HIPAA Compliance, Amerigroup Corporation

Speaking on behalf of AAHP, Ms. Grimes discussed how health plans were working towards implementation of the HIPAA Privacy Rule and how OCR could assist health plans and providers in preparing for compliance. AAHP is a national organization representing health maintenance organizations, preferred provider organizations, and other network plans. Amerigroup is a multi-state managed healthcare company serving people who receive healthcare benefits through state-sponsored programs including Medicaid, State Children's Health Insurance Programs (SCHIP) and FamilyCare. Although it serves government-sponsored programs, Ms. Grimes said Amerigroup experienced the same challenges as commercial plans. She focused on three areas: challenges faced by health plans in implementing the privacy rule; efforts by AAHP and other industry groups to assist with compliance activities; and ways OCR could help covered entities implement the rule.

Amerigroup and AAHP's member health plans strongly supported protecting the confidentiality of health information. Ms. Grimes said the health plans strove to balance consumer protection with the need to arrange delivery of high-quality, cost-effective healthcare. The HIPAA privacy rule impacted almost every aspect of health plan operations; much of what health plans did on a daily basis involved use and disclosure of PHI governed by the privacy rule. Ms. Grimes reported that health plans were making great progress towards implementation of the privacy rule by April 14, 2003, but she noted these efforts involved substantial financial and administrative costs. For example, Amerigroup had a multi-functional team of 24 full-time IT and business process employees implementing the HIPAA privacy rule, data security for privacy and the transactions and code sets standards. By the end of 2002, Amerigroup estimated it would have invested more than five million dollars in associate resources, business process reengineering, and technology to support HIPAA compliance.

After finalizing its privacy rule policies and procedures, Amerigroup undertook training non-HIPAA associates and developing administrative systems (e.g., privacy notices, business associates agreements) to support compliance with the privacy rule. Ms. Grimes said the challenge for health plans was applying these extensive, comprehensive requirements to what they did daily at an operational level. The privacy rule provisions regarding access and amendment to PHI were an example. Under the privacy rule, health plan members had the right to access, amend or obtain an accounting of disclosures concerning health information contained in the covered entities' designated record set (DRS). A covered entity was required to identify the records that comprised the DRS. The DRS was defined as a group of records maintained by the covered entity that included but wasn't limited to: enrollment, payment, claims, case or medical management record systems used in whole or in part to make decisions about members. Noting this could mean any item, collection or grouping of information that included PHI and was maintained, collected, used or disseminated by or for the entity, Ms. Grimes said some health plans and providers believed medical records were the only things impacted by the privacy rule. She added that there was a downstream impact when business associates handled member PHI on behalf of the covered entity. At their request, members were granted confidential communication or restriction and the covered entity would be required to contact all business associates handling PHI on their behalf. For many health plans, DRS included PHI located in a variety of departments, applications, databases, systems, and geographic locations. Ms. Grimes pointed out that health plans had to develop extensive tracking systems that enabled them to link or centralize all of a member's PHI in the DRS and amend as appropriate. She emphasized that this was a challenge for health plans, because there wasn't any application available that could centralize all the information systems.

Ms. Grimes reported that Amerigroup and other health plans undertook comprehensive outreach efforts with employers and healthcare providers, educating them on the requirements of the privacy rule. She noted this outreach included providing and participating in educational seminars, provider and employer newsletters, development of business associate agreements, and information on use and disclosure regarding contract provisions. Health plans were also drafting documentation to carry out provisions in the privacy rule, including member notices, authorization forms, business associate agreements, policies and procedures, training manuals, and data use agreements. Ms. Grimes pointed out that when health plans changed policies and procedures, this impacted provider and facility manuals and contracts and, in turn, resulted in changes to front and back office operations for providers. Noting health plans and providers were developing and implementing policies and procedures based upon their own interpretation of the privacy rule and modeled on their own specific business processes, Ms. Grimes said the risk was that the result could be a lack of the standardization they strove to achieve. Ms. Grimes stressed that guidance conducted through a joint effort of outreach and education was needed to uphold standardization of changes required to carry out the privacy rule.

Ms. Grimes noted a number of efforts industry associations and business groups conducted to assist covered entities in complying with the HIPAA privacy rule. AAHP sponsored a series of educational seminars and audio conferences highlighting aspects of the privacy rule; held a twice-monthly conference call for member health plans to discuss the impact of the privacy rule on business operations; published a series of regulatory briefs on privacy rule compliance issues; and was developing a model notice form health plans could use to inform members of privacy practices and member's rights. Amerigroup was involved in a local partnership of providers and payers educating health plans, healthcare provider hospitals, physicians and office staff on compliance issues through a series of regional seminars (in-person, audio conferences and online). The partnership included the Mid-Atlantic Health Initiative (MAHI), the Southern HIPAA Administrative Regional Process (SHARP) and the NJ SHORE WEDI/SNIP Regional Initiatives. All three were among the groups formed as part of the Strategic National Implementation Process (SNIP) through the efforts of the Work Group for Electronic Data Interchange (WEDI). WEDI/SNIP involved healthcare providers, health plans, clearinghouses and vendors who collaborated to provide educational materials, white papers on best practices, discussion forums and other programs bringing together interested parties on implementation issues. There were 25 regional SNIP affiliates.

She pointed out that many providers and some health plans were waiting for the final rule to be published before moving towards compliance. Noting that at a recent seminar in Washington, 90 percent of the physicians and their office staff said that was their first HIPAA conference, Ms. Grimes expressed concern about the limited time left for implementation.

Ms. Grimes reported that the Oregon Payers' Cooperative developed an authorization form for the release of PHI that would be used by providers and health plans, and drafted a matrix template to help healthcare providers and health plan staffs determine if and when PHI could be shared without prior written authorization. The Oregon Medical Association and Oregon Hospital and Health System Association were reviewing the form and template for their members. Ms. Grimes stressed the need for the standardization of more forms and the need for OCR to review them and respond with minimum standard requirement feedback.

She recommended that OCR work with covered entities, helping them prepare to implement the privacy rule on April 14 by: (1) providing more guidance and technical assistance regarding the rule's application to the business operations of health plans and healthcare providers and (2) expanding work already done with interested parties on educational and outreach efforts.

Ms. Grimes urged OCR to provide needed assistance to healthcare providers and health plans in working through regulatory gray areas of the privacy rule. She noted OCR released helpful guidelines through a series of FAQs, but she pointed out that this guidance didn't address significant questions about compliance, including: the definition of a covered entity and of a business associate; guidelines on minimum necessary use and disclosure of PHI; and best practices for informing individuals of their privacy rights, preemption, and enforcement of the rule. She noted those involved with healthcare services (e.g., ambulance companies, fire and rescue units, rural providers) were uncertain whether they were covered entities under the rule. And she added that state and local government agencies also might not realize the privacy rule applied to them. She pointed out that the definition of a business associate was still unclear. Many healthcare providers and employers believed they were business associates of the health plan to which they submitted claims. Business associates were also difficult to define when health plans dealt with delegated contracts.

Ms. Grimes said minimum necessary use and disclosure of PHI also had to be clarified. Many providers and hospitals, believing it was prohibited under HIPAA, refused to release medical information for member authorizations and referrals for treatment. Hospitals also refused to release PHI or allow on-site activities that were a normal part of health plan operations and should be allowed for treatment.

She cautioned that notifying individuals of their privacy rights might be problematic for health plans and confusing for members. The average privacy notice was five-to-six-pages and would be doubled for those required to offer it in a second language. She predicted the length and content of the notice would generate thousands of calls into health plans from confused members and result in increased administrative cost and decreased member satisfaction.

She also noted confusion about preemption, because the privacy rule didn't create a federal standard for uses and disclosures of health information. Ms. Grimes pointed out that this might result in inconsistent and unpredictable application of state privacy laws by different covered entities.

Ms. Grimes advised OCR to provide an NPRM that described how OCR intended to enforce provisions of the privacy rule. She noted this would provide covered entities with an understanding of the issues OCR believed most important. Ms. Grimes strongly urged OCR to respond quickly to the issues with guidance and technical assistance.

She also suggested that OCR engage in the same types of outreach and education efforts undertaken by health plans and business, professional and state industry groups. Ms. Grimes recommended that OCR work with regional WEDI/SNIP affiliates to develop best practices and educate covered entities on how to successfully implement the rule. She suggested that an advisory board or consortium incorporating business, industry and professional groups was a proven, effective means of outreach and education. She recommended that OCR review the forms and model documents (e.g., business associate agreements) developed and indicate when materials met the minimum standards of the privacy rule. Ms. Grimes also said OCR needed to develop a series of brochures and other educational materials to help covered entities understand how the privacy rule worked in the "real world".

Ms. Grimes said Amerigroup and AAHP's member health plans were deeply committed to protecting the privacy of their members and that health plans led the way in implementing the privacy rule. Nevertheless, she emphasized that outreach, education and technical assistance were greatly needed for health plans and all covered entities. Ms. Grimes believed OCR was in the best position to undertake this critical task and she strongly urged the government to provide necessary resources to support OCR in developing the implementation tools the entities needed. Ms. Grimes asked the Subcommittee to consider its role in the outreach and education of covered entities and urged them to develop best practices that could be uniformly used by covered entities.

Panel 1: Health Plans and Group Health Plans

Jim Daley, HIPAA Program Director, Blue Cross Blue Shield of South Carolina

While BCBSSC fully supported the goal of safeguarding individual healthcare information, Mr. Daley said it was important to be aware of the significant challenge to the healthcare industry that implementation of all current HIPAA rules represented. He noted a recent Gartner report indicated that the average payer would spend over $14 million and the average provider over $5.6 million to comply with HIPAA. Noting current and anticipated HIPAA initiatives (including transactions and code sets, privacy, security, and the employer, provider and health plan identifiers) called for a substantial dedication of resources for the healthcare industry, Mr. Daley stressed the importance of identifying measures that could ease the burden of compliance and allow covered entities to allocate resources to serve the consumer in other ways.

BCBSSC began addressing HIPAA in 1999. They created a HIPAA privacy task force consisting of representatives from law, compliance and operational areas representing all lines of business to review existing corporate-wide privacy policies and practices and adjust them to accommodate HIPAA-specific requirements. Members were also responsible for assuring that the privacy requirements were addressed within their respective areas. During these efforts, Mr. Daley said BCBSSC found two areas particularly troublesome: concerns about federal and state law preemption, and awareness and outreach.

Mr. Daley said preemption continued to be a concern from two perspectives. Numerous state (e.g., over sixty statutes in South Carolina address confidentiality of health information) and federal laws were associated with privacy, and additional legislation was under discussion. Based on the preemption criteria, covered entities must decide on a provision-by-provision basis the portions of state law that would be retained and those that would be preempted by federal law. For entities doing business in multiple states, the process became further complicated. Preemption analysis had to be completed by each covered entity, including every payer (including employer health plans), provider and clearinghouse. Mr. Daley said these redundant efforts drained valuable resources that covered entities could otherwise spend to safeguard PHI and benefit the consumer.

BCBSSC joined a coalition with other BCBS plans and hired outside counsel to assist in the preemption analysis. Mr. Daley pointed out that many small or rural providers didn't have access to legal staff with expertise to conduct a preemption analysis. And every time a privacy law changed or a new one was passed, the analysis had to be revised. Mr. Daley said he'd be much happier to find providers reading medical journals than state laws or the Federal Register.

Mr. Daley pointed out that the preemption process was compounded by Section 160.204 of the rule that introduced a process whereby a state could apply to except a provision of state law from preemption. While this might help accommodate certain specific needs, he counseled that covered entities and consumers would have difficulty discerning which exceptions had been requested and approved. And he questioned whether state insurance companies would be expected to provide preemption guidance.

The preemption process would also be frustrating and confusing for consumers, Mr. Daley cautioned. It would be difficult for them to determine which provisions applied to them. Instead of promoting an individual's ability to know his or her privacy rights, the process would only confuse them. Mr. Daley urged HHS to prepare and maintain an up-to-date, detailed privacy guide that showed covered entities and consumers the privacy provisions that applied to each state. He said this would alleviate the need for tens of thousands of covered entities to perform the preemption analysis and eliminate potentially conflicting determinations of which provisions applied within a given state.

Mr. Daley noted other existing legislation on privacy, including GLB, the Privacy Act of 1974, and the Federal Substance Abuse Regulations. Additional legislation was being discussed at the federal level. With the passage of each new bill, he observed there was potential for requirements to change and for previous efforts by covered entities to be legislated out of compliance. He said the preemption analysis would have to be conducted each time a new privacy law was passed. And he recommended that covered entities in compliance with HIPAA should be deemed to be in compliance with other federal privacy requirements to avoid conflicting or fluctuating requirements and provide a clearer statement of federal privacy laws for consumers.

Due to the lack of understanding about HIPAA within provider and employer communities, Mr. Daley said payers found it necessary to develop awareness materials to fill the gap and he noted this presented potential problems. First, information provided might vary depending on which payer offered it, creating uncertainty among providers over specifics of the HIPAA requirements. Second, creating awareness programs diverted payer resources that could benefit the consumer in other ways. Also, some providers were beginning to question what information was allowable to share under HIPAA. While this indicated a step forward in protecting consumers' privacy, consumers could be negatively impacted (e.g., delays in authorization for services or determination of the amount of coverage) if required and allowable information was withheld due to misunderstanding HIPAA provisions. Mr. Daley suggested that a national plain-language HIPAA guidance be created and made available to providers on the Internet, explaining their basic requirements and referencing additional sources. Mr. Daley said the FAQ section of the HHS/CMS Web site was a prime source of information for specific questions, but he advised that it didn't provide the higher-level explanation of requirements many covered entities might need. He noted a WEDI/SNIP work group had drafted a white paper addressing provider awareness.

Pointing out that many employer health plans used a third-party payer to handle transactions and code set requirements, but not privacy, Mr. Daley said these plans had to be made aware of their obligations under the privacy rule. He remarked that this awareness was often dependent on information provided by payers, business associates, vendors and consultants and that the amount and quality of information varied. And he observed that the level of awareness influenced the amount of protection PHI received within the employer health plan and that, in turn, affected the privacy of consumers. He noted, too, that not understanding the HIPAA privacy requirements could impede the flow of PHI, impacting the employee. That disruption could potentially inhibit the consumer's ability to obtain coverage or have their claims processed. Mr. Daley said payers creating awareness materials for employers encountered the same issues: consistency of information varied and awareness initiatives diverted resources from other essential activities.

Mr. Daley stressed that HIPAA compliance was the responsibility of the covered entity. BCBSSC recognized that vendors offered services that could help covered entities address HIPAA requirements, but Mr. Daley cautioned that vendor statements could also mislead covered entities into thinking compliance could be achieved merely through the purchase of a product or service. Mr. Daley recommended that HHS prepare guidance that described how vendor services might assist covered entities in their HIPAA efforts and what covered entities needed to do on their own.

Mr. Daley concluded that the industry could benefit significantly from having access to a centralized preemption analysis and standard awareness and outreach materials. He suggested that HHS develop standard, uniform guidance on preemption; allocate additional resources for outreach and prepare awareness and outreach materials for providers and employers; and make available on the HHS Web site a list of publicly available HIPAA information, including links to other sites with HIPAA information.

Panel 1: Health Plans and Group Health Plans

Kevin J. F. Fitzgerald, Esq., Health Care Counsel, General Electric Company

Mr. Fitzgerald spoke on behalf of the ERISA Industry Committee (ERIC), a non-profit association committed to the advancement of employee retirement, health, and welfare benefit plans of America's largest employers. He said that he shared much of the sentiment already expressed as well as what Dr. Lumpkin conveyed in his September 27 letter to the Secretary. Until the final regulations on August 14, there hadn't been a sense of urgency amongst much of the health industry regarding the privacy rule deadline. Mr. Fitzgerald believed this feeling was due to the industry's unwillingness to be the first to dip their toes into compliance.

He advised that a good deal of confusion in the employer community was driven by the fact that HHS had no authority to regulate employers directly. As a result, Mr. Fitzgerald said they were regulated as group health plans, the employee welfare benefit plans created and operated under ERISA. He explained that there was no actual entity known as the group health plan within GE or any other employer, only a contract between the company and its employees to deliver benefits. The privacy rule operated with the distinction that the group health plan and the plan sponsor of an ERISA plan were different people or entities, when in fact they weren't. The term plan sponsor was almost used as a proxy for the employer rather than for the creator of the ERISA benefit plan. The creator function was really the essence of what plan sponsor meant, so there was a lot of uncertainty within the industry.

Mr. Fitzgerald added that employers, particularly large employers, came in a large variety of flavors. For example, the structure and operation of the group health plans at General Electric (GE) were relatively well suited to the HIPAA compliance regime, because about 90 percent of their 170,000 domestic employees were in benefit plans operated centrally from corporate on a self-insured basis, but some other employers based their benefits strategy on a more localized basis, permitting regional operations to select and manage the offerings. Because GE was basically centralized, they had a great deal of organizational and related physical segregation from non-covered aspects of their operation. And their plan provider and group health plan knew where the other resided, making it easier for them to make the distinction. Employers with a more localized benefits strategy made compliance decisions at a local level, where necessary compliance sophistication might not exist. Mr. Fitzgerald said he spent a lot of time coaching affiliates on privacy issues such as the transaction application extension. But from a HIPAA standpoint, he stated that whether or not an employer was centralized, like GE, the group health plan concept in the regulations encompassed all the fragmented operations and functions. This meant that the employer needed to try to link all the locally managed programs within one firewall, and this required time and effort.

According to Mr. Fitzgerald, most of the training he reviewed focused on what the provider or health plan needed to do to comply with the privacy rule, not what the employer needed to do. Most of the support for employers came in an extensive, customized format from a retained law firm, so the consulting houses didn't have a monopoly on the information available or its interpretation. Mr. Fitzgerald concurred with the comments expressed in Dr. Lumpkin's September 27 letter.

Mr. Fitzgerald expressed concern that covered entities were at the mercy of an army of vendors and consultants, whose expertise was often limited to misinformation, baseless guarantees and scare tactics. He emphasized that there was a lot of desperation for knowledge out there.

Preemption issues also complicated the already intricate details of the privacy rule. While his written comments would help settle employer and ERISA plan questions and concerns, Mr. Fitzgerald stressed that the need for affirmation of ERISA preemption of state privacy laws was of particular importance. He also agreed with Mr. Daley's point on preemption and real time research, pointing out that the real time aspect of the preemption analysis was important so people could be made aware of new updates that affected existing law and privacy.

Mr. Fitzgerald noted the controversy between the retail drug and pharmaceutical benefits management industries over proposed provisions of the community pharmacy guide that would be inconsistent with all the other transaction standards alluded to in the August 14 final rules. He echoed arguments presented in the pharmaceutical care management industry's October 17 letter. It would be the only standard that didn't allow basic data fields such as patient name, Social Security number, and address. In most standards these fields were required for the reasons health plans required and wanted them in the pharmacy transactions. Mr. Fitzgerald pointed out that the HIPAA goals of administration simplification and uniformity would be achieved by making its optional fields mandatory or situational in the same way they were addressed in other standards.

The retail pharmacy industry expressed their concern that PBMs and other carriers would be able to use the data for their own or unrelated purposes, including selling it to manufacturers. But since PBMs would be acting as business associates of group health plans, they would be legally bound to use and disclose the information they obtained from pharmacies solely for the purposes of performing their contracted-for services in a manner consistent with the privacy rule. Mr. Fitzgerald added that even without the privacy rule, GE contracting specifications wouldn't permit marketing or other contractual use of employee data. Nothing in the privacy rule, including the minimum necessary standard, prevented pharmacies from including these basic fields in pharmacy transactions. And these fields were required for clinical and payment verification purposes, so they met the minimum necessary standard. Pharmacies weren't required to apply the minimum necessary standard when responding to a reasonable request for data from health plans or their business associates. And Mr. Fitzgerald pointed out that, if the minimum necessary standard was truly the concern, changing the optional fields to situational fields where the minimum necessary standard wouldn't apply could eliminate it.

For GE and other self-insured plans, Mr. Fitzgerald said making sure the pharmacy standard transaction paralleled the identification data fields of other health claims transactions was important, because of their fiduciary obligation to make sure that all claims dollars were paid appropriately. Putting all the identification eggs in one data field basket would lead to late, incomplete or rejected claims, which could clog phone lines, interrupt people getting their prescriptions, and cause a wholesale shutdown of the retail pharmacy sector after April 14. Also, proper identification enhanced the effectiveness of patient safety features such as drug utilization review and interaction analysis done now at the pharmacy counter. Mr. Fitzgerald said it was critical for effective management of the benefits that information such as relationship code, complete date of birth, and gender be provided by retail pharmacies as part of any claims submission. Mr. Fitzgerald emphasized that transaction standards for pharmacies must take into account the self-insured plans' fiduciary responsibility and the importance of maximized patient safety. He suggested that NCPDP 5.1 be modified to include name, complete date of birth, relationship to patient and gender, member identifying number and other key identifiers as required fields to be consistent with the treatment of information in standards adopted for medical and other claims.

Mr. Fitzgerald pointed out that there was a great deal of confusion amongst employers regarding the reach of the privacy rule beyond group health plans. In-house medical clinics staffed only by nurses or with full time physicians were one area. These clinics tended not to engage in electronic standard transactions, even though they used many different types of electronic communications in dealing with colleagues, providers, and patients. Mr. Fitzgerald suggested that the current defined transactions list, which focused essentially on group health insurance information, remain static with no others added and with the deletion of the term "first reported injury" from the regulation.

Mr. Fitzgerald said that one single line item, FROI, had been the most confusing to explain and its deletion would remove unnecessary ambiguity from the regulations. Noting FROI was known as a workers' compensation term and that workers' compensation was explicitly excluded from the regulations, he recommended excluding it from the transaction list.

Other complications came with outsourced clinics that deemed themselves covered entities. Mr. Fitzgerald suggested that a covered entity performing non-covered functions for a non-covered entity should be exempted from the regulations if the position was consistent, in fact and by policy, with other operations of the non-covered entity.

Another difficult issue was the business associate agreement requirement. Most large employers created over 100 agreements; GE expected to do about 200 and would need to add another five pages to an already lengthy administrative service agreement and reformat the document. Mr. Fitzgerald suggested that a preferable alternative would be a one-page statement similar to the NOPP for providers stating they'd comply with HIPAA as expressed in the regulations. He agreed with Ms. Grimes that a simple standardized model form, such as the one produced by the Oregon authorization project, would be helpful. For example, GE administered their disability benefits centrally and used a standard authorization form on a national basis, but was unsure how many versions they had to create by April 14 to meet the HIPAA requirements. Mr. Fitzgerald emphasized that the simplification and standardization of forms would reduce much of the ongoing confusion.

Mr. Fitzgerald emphasized that ERIC and its members took confidentiality of employee data seriously and worked to achieve compliance by April 14, 2003.

Panel 1: Health Plans and Group Health Plans

Christine Williams, J.D., Employee Benefits Group, Gordon, Feinblatt, Rothman, Hoffberger and Hollander, LLC

Over the past two years, Ms. Williams advised group health plans and TPAs on HIPAA administrative simplification and assisted them in preparing for compliance with the administrative simplification requirements, including transactions, privacy and security. All of the group health plans and TPAs she worked with viewed the protection of sensitive information as a high priority and already had procedures in place to help ensure that sensitive information wasn't disclosed improperly. Most were also committed to achieving compliance with the HIPAA administrative simplification requirements. However, she noted that actually doing this was proving to be difficult.

Ms. Williams said a larger concern was the significant number of group health plans that had never heard of HIPAA administrative simplification and didn't yet recognize that they were covered entities. Others believed that an insurer, TPA, broker, or another service provider would take care of everything to comply with the requirements. She said about a week before the October 15 extension deadline, a paralegal identified about 15 group health plans the firm had worked with in the past, but not recently. The paralegal called a representative of each plan to remind them about the deadline. Over two-thirds of the representatives hadn't heard about HIPAA administrative simplification and had no idea that the plans were covered. A few asked for assistance in filing the model compliance plan, but were unaware of the nature of the administrative simplification requirements and unprepared for compliance. The representative of one plan that wasn't excepted said the plan wasn't covered and later called back to say she'd called HHS's HIPAA hot line and been advised that the model compliance plan was only for doctors and hospitals that billed Medicare. Ms. Williams assumed that representative talked with someone who was thinking of the provider compliance plans many physicians and hospitals had in place in order to assist them in accurately billing Medicare.

Ms. Williams said the first step in achieving group health plan compliance with administrative simplification was to make group health plans aware that they were covered entities. She noted that the close relationship most group health plans had with the employers that sponsored them contributed to the confusion. Ms. Williams explained that a single employer group health plan was usually just a document. The plan had a separate legal identity under ERISA, but no practical separate existence. Decision makers were employees of the employer. The employer handled many plan administrative functions and paid for some, most, or all costs associated with the plan. Ms. Williams said it was understandable that most employers that sponsored group health plans didn't think of the plans as separate entities, but as another of the many administrative and management functions the employer performed. According to the Department of Labor, there were approximately 2.8 million group health plans in the country in November 2000. In the preamble to the final privacy regulations, HHS used a figure of 2.125 million fully insured and a few thousand self-insured group health plans. HHS also stated that there were about 7,000 hospital and 630,000 non-hospital providers. Either way, Ms. Williams said the numbers considerably exceeded the total of other covered entities.

She said, even if most of the group health plans were small and therefore had an extra year to comply with HIPAA administrative simplification requirements, they still weren't aware that eventually nearly all covered entities had to comply. The preamble indicated that HHS believed that someone other than the group health plan sponsor, meaning the employer, was to take care of privacy compliance for group health plans. For example, at page 82,765, the preamble accounted for about 12,200 health plans under the privacy regs. However, in footnote 45 HHS clarified that the 12,200 plans included TPAs and thus they also were required to comply.

Ms. Williams reported that to date, many insurance carriers and TPAs hadn't taken a leading role in group health plan compliance. The earlier speakers had been the exception in that they appeared to be taking a leading role with customers. In many instances, insurers filed model compliance plans for themselves, but not for the group health plans they covered. Similarly, many TPAs didn't file for themselves as they weren't covered entities, nor did they file for their group health plan clients. She said, perhaps, insurers and TPAs could be faulted for not taking care of their customers but they were probably on solid legal ground: the covered entities were obligated to file the model compliance plan.

She said the October 15 deadline would have been a golden opportunity for HHS to make a concerted effort to alert group health plans and begin educating them about the administrative simplification requirements. Instead, the HIPAA administrative simplification grapevine reported that approximately 500,000 model compliance plans were filed by the deadline. She said either all the other covered entities were prepared to comply with the transaction standards or, more likely, they didn't know they were covered entities.

Ms. Williams believed multi-employer plans mostly knew they were covered because typically they had a structure and existence entirely separate from any contributing employers. Ms. Williams believed multi-employer group health plans were, in general, far ahead of single employer group health plans in awareness of HIPAA administrative simplification and farther down the road to compliance because they were treated as entities separate from employers and had legal advisors to focus on plan issues.

Ms. Williams noted everyone had great concern about the cost of complying with the HIPAA administrative simplification requirements as well as concern about whether the April 14, 2003 deadline for privacy compliance was realistic. The privacy regulations included 58 standards and 60 implementation specifications. In many cases, compliance had to be tailored specifically to the plan's individual operations. And the standards and implementation specifications had been modified in August, leaving plans with only eight months to comply.

She said that the bulk of the privacy requirement was the creation of policies and procedures appropriate for the covered entity. These not only needed to reflect requirements of the regulations but the covered entity also had to be able, from an operational standpoint, to live with and, from a compliance standpoint, live up to its structure, business operations, policies, and procedures.

Ms. Williams said HHS indicated in the preamble that the privacy policies and procedures would come in individualized packages. For example, page 82,769 stated the final rule encouraged development of policies by professional associations and others that reduced costs and facilitated greater consistency across providers and other covered entities. Development of policies was to occur on two levels. The association or other large-scale level and the entity level came first. Due to the generic nature of many of the final rules' provisions, the Department anticipated that trade/professional associations and other groups that served large numbers of members or clients would develop materials to be used broadly. Assuming that the complexity of larger healthcare entities (e.g., hospitals, health plans) would require them to seek more customized assistance from outside counsel or consultants, the Department presumed that each hospital and health plan (including self-administered, self-insured health plans) would, on average, require 40 hours of outside advice.

Ms. Williams said her experience was different. A generic set of policies and procedures wouldn't be designed for the average group health plan and so wouldn't be utilized. She noted that policies and procedures that weren't designed with the plan's specific operations in mind, or an understanding of what needed to be changed and why, were worthless. For example, the privacy regulations imposed very strict limits on what information could be disclosed to the sponsor of a group health plan. In order for the plan to disclose anything more than enrollment, dis-enrollment and summary health information for limited purposes, the regulations required that the plan document be amended to include specific provisions. The sponsor needed to provide certification to the plan that the amendments had been made, that they'd abide by them, and that they ensured adequate separation between the health plan administration functions performed and other functions. Ms. Williams said the problem was that plan administration functions were usually performed by the sponsor, housed in the HR department, which also received non-PHI medical information from employees. In addition, decision-making power relating to both employment-related and administration functions was often vested in the same individual (e.g., a vice president for HR). This structure made it difficult to achieve adequate separation and, realistically, few businesses would undertake major structural changes to the decision-making hierarchy. Ms. Williams emphasized that this meant that complying with the privacy regulations' requirements for disclosure of PHI by a group health plan to the plan's sponsor required understanding the operations and structure of the plan within the existing structures and hierarchies of the business, in order to find a way to comply with the privacy regulations. This wasn't a task that could be achieved in a one- or two-hour meeting, nor was it something that an insurer or TPA could effectively manage for its plan customers.

Noting many group health plans required to comply with HIPAA administrative simplification requirements were also required, under ERISA, to file an annual form 5500 with the US Department of Labor, Ms. Williams suggested HHS could obtain the names and addresses of plans that filed within the last year and send them notices that they might be a covered entity. Alternatively, the notice could direct recipients to the CMS Web site and the covered entity decision tools; or HHS could establish a hot line, staffed by trained counselors to assist group health plans in determining whether they were covered entities and their compliance deadlines. A database detailing materials for the various types of covered entities, sources, prices, and criteria for obtaining access could be available on the Internet. Ms. Williams reflected that HHS probably would object because establishing such a database would be expensive, time consuming, and place them in the role of passing on the quality of materials created by others. She said those objections were valid. However, virtually every group health plan in the country had to do exactly that.

Discussion

Dr. Danaher noted that, in his experience, what brought health plans to a halt as they worked to implement the HIPAA privacy standards was the state preemption analysis issue, especially with larger plans that had multi-state operations. He said it was enough for doctors and provider networks to be learning about developing policies and procedures, and he questioned whether they had any understanding of state preemption analysis. If federal HIPAA regulations superseded the state preemptions, Dr. Danaher asked Mr. Hoffman and Ms. Grimes if HIAA and AAHP would be supportive and if there was a way to layer that in.

Mr. Hoffman said Nebraska had an active state initiative tied with the WEDI-SNIP process, including a Nebraska SNIP privacy work group and entities working with EDI and security. On the privacy side, a legal counsel that supported the Nebraska Hospital Association, which was in charge of the local SNIP work group, had done a comprehensive preemption analysis, and the work group was finalizing its update with the August rule changes. In addressing the rule, Mr. Hoffman said the 2000 NAIC model that many states were offered for complying with GLB included a health privacy component with a provision that, if they complied with HIPAA, the requirements of the rules for health privacy related to that model were no longer applicable. He said the problem was that there were so many different interests at the state level: the state attorneys general, the political process and the state insurance departments were all looking at HIPAA.

Mr. Hoffman said South Dakota was concerned about being able to enforce standards for its constituents and met on Monday to entertain different avenues of health privacy rules. He reported they were also concerned about losing the enforcement ability and were looking at adopting one of five options they would comment on at the state level. He said they supported the HIPAA privacy standards and were concerned about potential state activity in regard to adopting their own HIPAA-like privacy rules. Ms. Grimes agreed. She acknowledged there was good intent in making HIPAA the floor, but cautioned that if one did business in more than one state, trying to operationalize and keep current on all the regulations was an impossibility. For example, a call center that took calls from multiple states would have to train people to know these rules, and if they couldn't keep current they'd be at risk of breaching member confidentiality, so they had to come to consensus. Political and other issues had to be dealt with regarding the state preemption issue.

Ms. Grimes said Amerigroup did business in Texas and the new state law that Mr. Fitzgerald mentioned wasn't aligned with HIPAA. Amerigroup was going to deal with different and more stringent rules that the states were passing with good intent. It would increase their costs, confuse their members, and have an insurmountable impact on the industry if it wasn't addressed now. Mr. Hoffman added that the 50-page Nebraska preemption analysis of laws and regulations applicable to the provider and payer was available on the Nebraska SNIP privacy work group Web site. Dr. Danaher remarked that the national state preemption analysis done by small firms and even state-by-state efforts done by bar associations weren't the panacea. He said Ms. Grimes' example of a call center nurse working for a national managed care company and handling calls from members in multiple states clearly illustrated the difficulty of this issue.

Ms. Grimes said she'd been trying to explain the complications to senior executives and superimpose HIPAA on how they did business. Many good parts of HIPAA would streamline how they did business on a daily basis, but the state preemption piece was troublesome. Ms. Grimes said the preemption analysis she'd reviewed would have to be put into a form that let folks on the line understand what an emancipated minor was. For example, in Texas, a 16-year-old had a right to an abortion without her family knowing about it. That had to be translated into the EOB and sent by the carrier to the subscriber (the parents). Ms. Grimes stressed that the Committee had to take the state preemption issue forward due to the impact on the industry, provider, and health plan, as well as the costs that would be incurred if something wasn't done.

Mr. Rothstein clarified the relationship between NCVHS and the preemption issue. He noted the preemption language was set into statute and HHS was basically stuck with it. The committee had the opportunity to make recommendations to Congress and they'd submit an annual report on HIPAA, as directed by the Congress. They had heard what was being said, but it was unlikely to be reflected in their recommendations, because there was nothing the Department could do at this point except provide guidance.

Dr. Harding asked Mr. Daley whether the definition of HIPAA compliance needed to be a patented term and if there was anything the Committee could do to help people define exactly what the term "HIPAA compliant" meant. Mr. Daley said that was best addressed by awareness and outreach. He reiterated the question of what HIPAA compliant was when they had preemption issues with the state. No one knew for sure, but they'd find out after court cases or enforcement issues came up. He emphasized that this was why it was important to tell people where they could find out what they needed to know to address their areas.

Mr. Daley expressed concern about misleading literature related to privacy from vendors who claimed their products would help solve HIPAA compliance problems, when in reality it was an encryption that might help some aspect of security or privacy, but wouldn't make them HIPAA compliant. He believed the Committee needed to help people realize that HIPAA was more than buying a product or one-time compliance with part A, B, C of HIPAA. Compliance was an ongoing effort that included privacy, security, identifiers, transactions, and a multitude of things. Dr. Harding asked whether that was a federal statement that had to come from an enforcement body like OCR. Mr. Daley noted it was a federal law, adding that education from the federal government about what the law meant would be appropriate.

Ms. Grimes suggested expanding the outreach and tapping into MAHI and other groups. CMS and some states had been active, tapping into AAHP and AHA and others as the best way to get to the physician. Ms. Grimes advised that a multi-functional advisory board with OCR and HHS involved was critical for outreach.

Mr. Fitzgerald said good faith compliance meant they would do their firewalls, circulate notices, and touch everything they could (e.g., preemption), realizing there might be technical violations where an interpretation was off. Mr. Fitzgerald suggested this soft implementation would be the standard until there was some degree of mastery within the industry. Mr. Hoffman added that it would be helpful if some government publications also targeted the media. When he'd worked on HIPAA portability, Mr. Hoffman said he found that the majority of the consumer questions and compliance issues were misrepresentations emanating from media articles. Major national publications contained errors in the interpretation of the law and even the agencies were misled by local newspaper articles. Mr. Hoffman anticipated more of this as the deadline approached.

Noting they'd had an entire panel the day before on how to reach consumers regarding HIPAA, Mr. Rothstein asked if Mr. Daley believed it would be valuable if OCR issued some statement that HHS didn't certify any products, services, or plans and that therefore the term "HIPAA compliant" didn't convey any guarantee. Mr. Daley said he believed that statement would be helpful: HIPAA was an ongoing process and the requirements would continue to be sorted out over the next few years.

Mr. Rothstein asked for more details about Mr. Hoffman's earlier recommendation that OCR have covered-entity industry teams in place to assist each industry with its unique implementation issues. Mr. Hoffman explained that the recommendation resulted from the frustration of reviewing Q&A guidance that tended to be directed toward providers. Because of the complexity of the insurance industry, the plans had been overwhelmed and needed help with a number of rules and regulations that appeared to be geared toward a provider type of arena and had unintended consequences on the health insurance arena. Mr. Hoffman said he didn't know if their message got across to HHS. HIAA met frequently with HHS and were teaching them about their business and identifying how these unintended consequences occurred.

Mr. Rothstein remarked that OCR would have to increase its staff by 100 to carry out this recommendation. He asked how one might get the ability to provide industry-specific information without resources at the federal government level. He noted one thing done over the last decade to get drugs approved through FDA was to increase the industry's responsibility for funding new drug analysis and evaluation by FDA. He asked how the industry would view pooling money from their individual projects and contributing, through legislation, to set up the ability to staff positions that would provide industry-specific HIPAA guidance. Mr. Hoffman said that was an interesting suggestion. Insurance-related trade associations such as the Health Insurance Association of America were in operation because companies paid annually for support. So it was possible for the industry to do special research projects funded as a group.

Noting that he knew the health plans came together to agree on common disease management programs instead of, for example, having their own asthma programs, Dr. Danaher asked if HIAA and AAHP could come up with sample authorization and NOPP consent forms. Ms. Grimes said she believed those forms already existed. She recommended that OCR and HHS look at the standard forms from AAHP, AMA, and AHA and see if they met the minimum criteria.

Noting that Medicare, the country's largest payer, with operations in 50 states and Puerto Rico, which spoke Spanish, had published a two-and-a-half page, 12-point notice of information privacy practices in its manual for beneficiaries, Dr. Zubeldia asked if private industry could also do this. Ms. Grimes said that the health plan notices she'd seen had been a minimum of five pages. She said they'd look at it as a model, but she emphasized that the notice had to be crafted based on each business's and health plan's operations, which differed from provider operations. Dr. Daley said BCBSSC considered what Medicare did the baseline standard, determined how it folded into their plan, and applied it across the company. BCBSSC was condensing the privacy notice into about four pages that would be easy to mail, read and compare.

Dr. Hoffman said he'd presented the health plan perception on HIPAA compliance to a group of Medicare contractors in Baltimore. CMS also presented their HIPAA privacy compliance activities and Dr. Hoffman cautioned that they were going to have a bare bones type of notice that wouldn't have passed Mutual of Omaha's legal counsel's test.

Ms. Grimes said they needed to take into account that states had different criteria. She noted state preemption requirements were also on the notice. The states also had different grade-level requirements, but HIPAA didn't have criteria on those. This and other things could lengthen the notices.

Mr. Hoffman noted that on a preemption basis, California and other states were dictating certain Flesch readability scores. Dr. Zubeldia said that was supposedly good for all 50 states and Puerto Rico. Ms. Grimes concurred, but added that they were required under state law to submit any member information, including their notice of privacy, for approval, and specific criteria more stringent than HIPAA had to be applied to the notices.

Panel 2: Health Authorities

Kim Barnes, HIPAA Compliance Director, Office of Family Health Services, Virginia Department of Health

In the Commonwealth of Virginia, the Secretary of Health and Human Resources didn't have the advantages of states where their Medicaid department was combined with health or mental health into a single organization. Eight different functions were segregated into their own departments under the Secretary of Health and Human Resources. Each had to staff up to accomplish HIPAA compliance within their own silo. Compounding this, the Bureau of Insurance resided within the State Corporation Commission, which wasn't even part of the executive branch.

Ms. Barnes pointed out that the determination of covered entity status was more difficult within state government. It was easy to assume that the Medicaid Department of Medical Assistance Services was a covered entity and that the Department of Health was a hybrid entity, but within that were problems of looking at hybrid entities and then making program determinations about what was covered. Ms. Barnes gave examples. Would a breast and cervical cancer program that paid a capitation rate to area providers to determine the eligibility of participants be considered a health plan? The Department of Health owned its local health district delivery units; they weren't part of local government. However, in mental health, the local governments owned the delivery units and the central office had no control. So if they did centralized claim processing for an affiliated entity they didn't own, were they then considered a clearinghouse? And if a program used honorarium contracts with outside physicians who saw recipients in their physician offices, under a business associate agreement, was the central office administration of those honorarium contracts a covered or non-covered entity? Ms. Barnes reported that a group of 20 states that met the previous week at the National Governors' Association to discuss problems with implementation wanted to testify that the federal preemption analysis was a very costly undertaking for those in state government who had just experienced 15 percent budget cuts. They hoped the Subcommittee would recommend that the federal preemption analysis be done for all 50 states, rather than relying on 50 different interpretations paid for separately.

Ms. Barnes discussed tangential relationships. For example, the new Housing and Urban Development (HUD) regulations regarding section eight voucher housing required administrators to identify houses that posed a lead-poisoning risk. Under a state reporting mandate, addresses of all children who tested positive for lead poisoning were held by the state health department and therefore carved out of the privacy rule. Ms. Barnes asked how they could facilitate sharing to meet HUD regulations. She noted also that the Women, Infants & Children (WIC) program under the Department of Agriculture was determined to be an exempt entity. However, a number of nutritionists who performed services within WIC also provided medical nutrition therapy, an allied health professional activity devoted to a patient. In that case, what was covered and what wasn't when funded by a separate, discrete organization?

Given these complexities, Ms. Barnes said the Commonwealth worked to implement HIPAA to the best of its ability. The Secretary of Health and Human Resources was forming an organized healthcare arrangement within the eight organizations. Common patients, particularly those of lower income status, were reviewed for quality assessment and improvement. Recipients received services in a number of silos. They looked at how the services were being delivered, made sure recipients got proper services between mental health rehabilitation and the department of health, and improved patient flow.

Key efficiencies to organizational structure included a joint NOPP and a joint consent they believed would be easier for lower-educational-level recipients. In addition, standardized business associate agreements had been reviewed on the federal and state level for each individual silo. They worked with vendors in the same manner.

Mr. Rothstein asked if joint consent meant joint acknowledgment. Ms. Barnes said each organization would have their own acknowledgement, but the verbiage would be the same and would include the provision about notifying individuals that they were part of an organized healthcare arrangement. With a goal of achieving a literacy level that would be understandable to all participants, every department would use the same type of clearly understandable notice, so people wouldn't be confused in receiving services at both the mental health and health departments and feel they were being told different things.

Regarding shared human resources, the Secretary's Council on HIPAA Compliance was the impetus for building the organized healthcare arrangement. Its members were the key experts within each organization responsible for HIPAA compliance. Ms. Barnes noted that sharing resources in this way meant that the attorney general's office on physicians only had to perform its service once instead of advising eight different agencies separately. She said their preliminary analysis showed savings to the Commonwealth of about two-and-a-half million dollars by sharing the resources amongst the group.

Ms. Barnes reiterated concern about the state mandatory reporting of PHI that was key for their Department of Health because of immunizations, STDs, lead poisoning prevention and other activities. Now that they were carved out of the privacy rule, she asked whether they would also be carved out of the security rule. Ms. Barnes requested the Committee's opinion on the validity of an organized healthcare arrangement to solve related public problems with HIPAA implementation.

Panel 2: Health Authorities

Deborah Correll, R.N., M.S.A., Training Manager, Virginia Department of Medical Assistance Services

Ms. Correll presented feedback from an informal telephone survey of 25 associations about how HIPAA information was being disseminated through provider health associations in the Commonwealth of Virginia and problems with implementation. Some 23 associations were familiar with HIPAA; 18 said HIPAA was addressed at their statewide conference. Two associations that hadn't yet addressed HIPAA had it on their agenda. More than half the associations identified a total of 97 regional associations. Six regional associations said they provided members with information about HIPAA; ten didn't. Five were "unsure." Four said "some." Of those that didn't provide information, three expected that all regional associations would provide HIPAA information in the future. Eleven said "no." Three were "unsure." Eight said "some."

Fifteen respondents were confused about the privacy regulations, often questioning whether it applied to them or wanting to know how to ensure that they were making a good faith effort. Some needed specific checklists to assist in HIPAA implementation, clarification of points, and assistance in locating answers. Everyone wanted templates.

Ms. Correll concurred with other problems mentioned in previous hearings. She noted that limited computer literacy thwarted providers in transferring from paper to electronic. Filing an extension also was a challenge for those that didn't have computers and had been directed to local libraries to meet the deadline. She noted a lack of understanding about testing requirements and said more training was needed for providers so that everyone understood the requirements in the same way. She also noted concerns about FERPA.

Difficulties in HIPAA compliance were compounded for DMS, because MMIS was under development simultaneously with HIPAA. Ms. Correll said the new MMIS infrastructure would improve customer service and meet HIPAA compliance as well as allow enhanced flexibility and cost effectiveness in making future modifications.

Ms. Correll said DMS was trying to comply with HIPAA-required transactions and code sets, including ASC version 4010 and NCPDP version 5.1. New plastic ID cards had electronic capability for immediate access to eligibility and benefits information, including prior authorization and service limit status. Secure access via Internet was also available. Release was anticipated in June 2003. She noted these changes impacted the way DMS did business with providers and would influence office practice management. The new MMIS was scheduled to be implemented for the extended mandatory HIPAA compliance date. DMS would continue to accept electronic media claims until compliance became necessary. EDI recommended third-party certification for HIPAA compliant transactions and code sets, and DMS followed this lead. Electronic transactions were required to be submitted directly to the fiscal agent to provide proof of transaction testing and certification through level two as outlined by WEDI. This confirmed certification prior to open trading partner testing on April 16, 2003. Ms. Correll noted that if providers hadn't done preliminary testing, certification of transactions, as recommended by WEDI, would cause challenges to DMS. Simultaneous implementation of HIPAA and MMIS created the necessity for an extensive communication plan for HIPAA initiatives to succeed. She said the HIPAA Web site assisted providers, business associates and others as well as served as a reference for DMS-related provider information on HIPAA. Medicaid memos were also on the Web site, giving providers MMIS-related information on implementation of HIPAA.

Ms. Correll said all provider training from March 2002 forward included HIPAA-related information. DMS collaborated with MAHI, the regional WEDI-SNIP, in five HIPAA 101 sessions.

DMS's business associate agreement's chain of trust, data security plan attachments, scope of work attachments, data security plan exhibit A, and work force confidentiality agreement were on the Web site. DMS worked with contract monitors to implement business associate agreements. Templates for the agreements had been reviewed by the Commonwealth's Office of the Attorney General and met the privacy rule definitions set forth by the Code of Federal Regulations.

Ms. Correll said DMS worked with their call center and customer service unit during all these changes. DMS was developing an employee awareness online training program that met training requirements, using a blended approach of instructor-led and on-line e-learning. DMS also used the Internet to distribute provider manuals, so updates on HIPAA could occur as needed. Provider manuals were to be distributed to 45,000 providers.

Panel 2: Health Authorities

Brenda R. Rose, Health Policy Analyst, HIPAA Project Coordinator, Office of Operations and Eligibility, Medical Care Programs, Maryland Department of Health and Mental Hygiene

Ms. Rose explained that in 1991 Maryland promulgated the Maryland Confidentiality and Medical Records Act that serves as a guideline for how medical records are used, maintained, disclosed, authorized and released. The act defined what records were, however they were transmitted, and established rules regarding regulations and individuals' rights to inspect, amend and correct information. Ms. Rose noted Maryland's current law was similar to the HIPAA privacy rule. She said the difficulty was in HIPAA's prescriptive requirements that were different from the Maryland statutes. The Medical Records Act developed rights advisors, employees of the state who function similarly to privacy officers or risk managers in general hospitals. Rights advisors were established in major hospitals, providing education to staff and residents on their rights and responsibilities. They also collected patients' opinions, concerns and grievances and acted as mediators. Ms. Rose emphasized the importance of being clear and concise about changes in the privacy law enacted as a result of the confidentiality act and frontline application of the law, resolving issues before they escalated. HIPAA exceeds Maryland law in the administrative simplification requirement. She noted that, in the federal preemption analysis, it was complicated to determine what one was, how one interacted with another, and what type of designation one had under HIPAA. The designation one had determined the requirements and responsibilities undertaken. Ms. Rose noted the importance of training personnel and having administrative, technical and physical safeguards in place in order to protect the security of the health information. She explained that Maryland Medicaid was under the Department of Health and Mental Hygiene (DHMH) and included all public health issues and mental health issues.

In 2000 Maryland created the State Advisory Council on Medical Privacy and Confidentiality to assist public and private organizations, community hospitals, doctors' organizations and associations in setting the standards of applicability of the HIPAA requirements. Ms. Rose said DHMH worked with the Maryland Attorney General to complete the analysis of preemption. The Health Law section of the State Bar Association worked with the Subcommittee to develop materials to assist with determining the applicability of the laws in governing particular health disclosure situations. The problem was DHMH had to deal on a provider basis and Medicaid-only providers tended to be small and provide services to a special population. Ms. Rose expressed concern over what would happen to the provider base of these small providers who often provided services in response to social or medical needs unmet by large insurance companies. She stressed that the impact of HIPAA requirements was significant on small providers with limited resources and infrastructures. "Mom and pop" organizations traditionally nurtured as a provider base were concerned: currently they submitted electronically, but HIPAA would drive them to paper, unless other billing options were created.

Noting Medicaid gave consideration to special populations, Ms. Rose said provider education was tailored for and worked well in partnerships among small groups. Examples included partnerships with advocacy organizations and the public organizations that served them, which Ms. Rose said made HIPAA and the privacy rules more applicable. Tailoring the training allowed a meaningful service to clients, whether at home or at the hospital, informing them of HIPAA's effects on their lives. Advocacy groups often gave DHMH resources to get the word out. Funding was obtained through a foundation to design HIPAA training for providers and consumers with developmental disabilities, one of DHMH's vulnerable provider/patient populations. These positive approaches shared the educational needs and maximized resources. Under DHMH, the Maryland Health Care Commission also offered provider education and a guide to privacy readiness on their Web page and was active in large organizations and hospitals. And the State Advisory Council on Privacy and Confidentiality continued to disseminate information. DHMH utilized a train-the-trainer approach with a vendor to develop over a hundred agency trainers who go out to areas that include local health departments. People from other departments were invited to attend. Internet Web-based modules also got out the information.

Similar to what happened with the Medical Records and Privacy Act in the early 1990s, Ms. Rose noted there was a lot of misinformation about HIPAA. She emphasized that people looked to and were waiting for OCR and that what would be most helpful would be to provide them with an idea of what was feasible and could be expected. While recognizing that it might not be feasible, given that it was November and they had to be ready by April, Ms. Rose called for a national standard. She said a standard would help people move onto the next step and realize that they were doing this on their own. Clarification on that role would be especially helpful.

In terms of technical support, Ms. Rose said templates of privacy policies and procedures, standardized documents, and a HIPAA maze to move through would be helpful. She also asked for assistance in developing notices that were clear, in multiple languages for Medicaid and the public health systems, and sharing the financing and resources needed for development. Noting it would help to know the national floor plan on which the states could build specifics of their additional requirements and clarify their differentiation, Ms. Rose emphasized the importance of getting a group to standardize this process. She said inexpensive and easy training materials for technical support were also needed.

Ms. Rose remarked that in adopting the Medical Records Privacy and Confidentiality Act, DHMH realized the biggest change that had to occur was a cultural change, realizing how they must begin to think about protecting information differently and must integrate it into their everyday activities. It took time. Ms. Rose said Maryland was in good shape in understanding the philosophy and principles behind HIPAA. DHMH was looking for a compassionate, disciplinarian approach for the enforcement of HIPAA to be balanced with the weight of the task at hand.

Panel 2: Health Authorities

Marian P. Prescod, Director, HIPAA D.C. PMP, Office of the Deputy Mayor for Children, Youth, Families and Elders

Ms. Prescod explained how the District, faced with HIPAA challenges a year ago, formed the executive steering committee and a program management office. She noted the District had one plan, the District Medicaid office, and many other agencies performing as provider components. Cross-functional advisory teams included technology management, business process issues, and the Office of the Corporation Counsel for the District. Their first effort was a self-assessment instrument for the northeast agency and administration. People were asked what they needed and their feedback helped create the in-depth, independent assessment done by a vendor. The District was now implementing the compliance.

Ms. Prescod explained that 16 District agencies and administrations, including the plan as well as the Department of Health, Mental Health, Office of the Aging, and Metropolitan Police, were initially considered as entities implementing the compliance. Six groups that had no concern with HIPAA received basic privacy training. Others (e.g., the Office of Contracting and Procurement, Chief Financial Officer and Corporation Counsel) were in the funding debate. It was decided that it was in the best interest of the District to take on the designation of a hybrid entity. The groups within the agencies that needed to comply were chosen, creating smaller, more manageable, entities. Standardized policies and procedures clarified the direction of the deployment efforts and the funding needed to accomplish them. The information was disseminated through their Web site, centralizing the process. This changed the initial budget earmarked for HIPAA, so the designation of hybrid entity was helpful.

She noted the challenge faced in the District when only two entities were implementing compliance while observing the privacy rule. Determining how to cordon off one group from another, designating who could or couldn't share information and with whom became a challenge. Ms. Prescod said it was a manageable challenge and the benefit of compliance by those groups would benefit the District's overall program.

Ms. Prescod said the health plan's challenges included the District Medicaid's MMIS system that was implemented in July through acquisition and was in the process of becoming HIPAA compliant.

Ms. Prescod expressed concern about the vulnerability of the District's fragile provider community. She said last year's spring summit brought some understanding to providers of the challenges for HIPAA and sparked interest and that they continued to work aggressively with this community to ensure that no one was left behind.

Other groups, such as St. Elizabeth's Hospital, were implementing compliance. St. Elizabeth's was being renovated. Implementation would begin in November with testing starting in April. Ms. Prescod said the intent was to have all operations compliant by the deadline. The Program Management Office managed compliance implementation for the District and other subcommittees (e.g., Policies and Procedure, Technology Management, Agreements and Contracting, Training and Legal Resources) handled bottlenecks that arose in the process. The substrata of committees were designed to move the agendas and ensure the realization of the benefits from HIPAA. She noted the public safety group was a good example of combined efforts and how the District was run.

She said training combined efforts of the Internet and classrooms at UDC, ensuring an ongoing learning environment for the provider community and the administration of the District government.

Ms. Prescod said the District began the process late and so there were many challenges. They'd used the results of the assessment and, in partnering with other jurisdictions and learning from their mistakes, were ensuring that they'd be compliant. Ms. Prescod pointed out that the District's challenges were unique. The District wasn't a state, but was local and federal combined. In some cases, the provider community was largely indigent. Providers had voiced their willingness to participate, but she said they were unclear about how exposed they were as an entity that had both providers and patients dropping out of the system. Ms. Prescod worked with the city's legislative body to put their public health infrastructure first and maintain their focus.

She noted the cost was high for the District. They'd requested Federal funding twice and were concerned that they hadn't heard back. Ms. Prescod asked the Committee to advise the Secretary that there was much work to be done. In many instances, a total revamping of business process and operations was needed for both invulnerable and vulnerable entities. Ms. Prescod remarked that, while the cause, spirit and sentiment of HIPAA were good, it would take a lot of money. Many jurisdictions, like the District, grappled with significant budget shortfalls. Noting the challenge was how to put monies into a program like this, she said any support in information sharing, basic tools for implementation, and funding on a federal level would be helpful.

Noting he assumed that the Chief Medical Examiner's office would have contact with PHI, Dr. Danaher asked why they weren't viewed as having an impact on it. Ms. Prescod replied that, in terms of global definition for those required to comply and for billing purposes, the Chief Examiner's Office didn't meet the requirements. Although the agencies discussed didn't have a full-blown effort going on, because of their contact with health information, they'd be instituting a base level of privacy. They wouldn't be required to do the notification and other things required by law, but they'd be trained. In the future, if agencies changed their operations to meet the requirements, they'd come into the streamlined operations for more formal treatment on HIPAA. The Office of the Medical Examiner as of now would be doing some of the procedures for safeguarding the information and other things required for HIPAA.

Dr. Danaher asked if there was a different designation for information associated with the county's handling of the deceased. Ms. Prescod said she didn't know that she could answer accurately, but she noted they'd decided the Office of the Medical Examiner would need to institute better practices for safeguarding information. Ms. Rose said they had to start with the interpretation that if one performed a HIPAA transaction one was a covered entity and the privacy rule applied. As they'd said, the Office of the Medical Examiner wouldn't conduct billing or benefits or any other such transaction covered under HIPAA. She noted their organizational structure was different in that it was included under DHMH, but Ms. Rose said she could see how it wouldn't be carved out as a covered entity. Dr. Danaher observed that they were kind of bestowed with that covered entity designation. Ms. Rose said that was the problem. It was difficult to figure out whether one was covered, what needed to be done, and what kind of arrangements and notices had to be given as a result. Ms. Barnes explained that the Medical Examiner's Office was part of the Department of Health. Noting there was a difference between holding PHI and performing a covered function as part of the hybrid organization, Ms. Barnes said OFHS considered holding PHI provided an opportunity to enhance security. Notice of the decedent was shared and made public information, not notice of the rationale or the diagnostic code, so PHI wasn't transferred out. Ms. Barnes clarified that the majority of the states were organized so that their Medicaid was part of their Department of Health and so it would be easier to determine that whole organization as the covered entity. The Commonwealth was broken out in a way that the hybrid entity was more appropriate.

In listening to the testimony, Dr. Harding noted several thoughts stuck in his mind: Virginia was using HIPAA implementation as an opportunity to upgrade its information system, transaction set requirements would be a problem for some Medicaid-only people in Maryland, and a focus on revamping business operations in the District. Noting HIPAA had a ripple effect, Dr. Harding asked about the positive and negative effects on the panelists' operations.

Ms. Prescod said the District grappled with the issue of a base premise for privacy and confidentiality and data sharing across agencies. They'd seen it as an opportunity to standardize and bring solace to their patient population as well as solve intra-agency problems of information sharing. She noted it also forced them to look at the way they billed for services and how they standardized the health care delivery system. But Ms. Prescod added that the up-front cost was to the detriment of the District, even though it would be good in the long run. She estimated a cost of up to $40 million for the District.

Mr. Rothstein asked what recommendations Ms. Barnes and Ms. Correll would like the Committee to make to HHS regarding the privacy rule. Ms. Barnes said the HHS's legal office described the privacy act as scalable and employing the due diligence provision that provided latitude for how OFHS retrenched current functions done to meet it. But she said OFHS and others involved in administrative simplification in the District were concerned that fragile providers might drop out or go back to paper and be non-HIPAA compliant. Ms. Barnes emphasized that everyone appreciated flexibility in implementation. Intricacies in state government (with aspects owned by local providers, localities and others as well as the state) made it difficult to standardize an educational plan that met requirements for having all staff members trained. She suggested that acknowledgement that different treatment facilities had multiple owners would give protection from penalties.

Ms. Prescod emphasized that education and training at the provider level had to infuse an understanding that this wasn't just a federal mandate without a hope or prayer of becoming compliant. She noted that low-or-no-cost training and instruments as well as technical assistance would be helpful to the provider community.

In writing regulations and guidelines, Ms. Correll also noted information had to be at a readability scale suitable for a broader range of individuals than just providers. She reminded the Subcommittee that, with small providers, the person implementing the standards of compliance probably hadn't attended college.

Dr. Zubeldia asked if it was important to have training materials available that providers could distribute to patients. Ms. Correll said it was essential. She noted the Department of Medical Assistance Services had handbooks for Medicaid recipients along with their own notice of privacy. Ms. Barnes reported OFHS was fortunate to have a HRSA grantee in Northern Virginia who'd given money to create a privacy notice that was in multiple languages and appropriate for the current client population.

Ms. Rose noted that rights booklets, which had been in place for patients for more than ten years as a result of the confidentiality act, detailed what needed to be done, what to expect from healthcare providers, and how medical records would be used. She stressed the importance of everyone sharing the same information. She emphasized, too, that it was important to consistently implement the regulations. Emphasizing that there was one principal guiding rule throughout HIPAA, Ms. Rose said they had to encourage everyone to understand it.

Dr. Harding said he was struck by how HIPAA was received ambivalently as either an unfunded mandate or an incredible tool for improving the privacy and uniform transmission of standards. Reaffirming that the Committee felt it was a benefit, he asked how it could be seen that way at the rural level where people had difficulty seeing the benefits. Ms. Barnes questioned whether that could be achieved in this economic climate: the Commonwealth of Virginia faced up to 15% across-the-board budget cuts and she said these activities would be deemed an unfunded mandate. A positive aspect she noted was that this brought agencies of the Secretariat together and broke down silos that had existed in terms of sharing between Medicaid and the Department of Health. Ms. Barnes said they could demonstrate saving up to $2 million over the next biennium in things directly unrelated to HIPAA coordination. Noting OFHS was looking at their carved out databases under HIPAA, Ms. Barnes said OFHS was employing the security provisions regardless of whether they were under HIPAA coverage.

Observing that healthcare reform and patients' rights always seemed to ring true, Ms. Prescod recommended the message that, besides the initial pain of implementation and in the spirit of privacy, you're involved in your rights and in your healthcare delivery and patients' rights and healthcare reform. She said including this message in the federal contributions portion would also help.

Dr. Zubeldia suggested that if the medical examiner's office harvested organs for transplants, that might be reimbursed by the recipient's insurance. Ms. Prescod said PMO would look into that.

Panel 3: Coalitions and Partnership Building

Val Schott, M.P.H.; Director, Office of Rural Health, Oklahoma Rural Health Policy and Research Center, Oklahoma State University, Center for Health Sciences; President, National Rural Health Association

Mr. Schott emphasized the importance of bringing a rural perspective to these issues. He began with the premise that healthcare was important, as was the ability of Medicare beneficiaries to access those services, in addition to other care and services in rural communities. He didn't think everyone understood the distance that people had to go to receive those services, or the economic impact on facilities within rural communities. The healthcare engine generally employed 15 to 20 percent of all employed individuals in rural counties across America and represented about 15 to 20 percent of the salary base, so it was important both from an economic perspective and from a health and human services perspective. Mr. Schott said that as a recovering hospital administrator from a big city, when the Medicare population jumped up to 22 or 23 percent, they all got excited and rushed out to find more commercial insurance patients. The Medicare percentage in most rural community hospitals was 70 to 80 percent, so every time Medicare was tweaked, the unintended consequence was that rural providers (specifically rural hospitals) were hurt. Mr. Schott stressed that if there was no healthcare in a rural community, there could be no economic development. Nobody would move or expand a company into an area where there was no access to good schools and good primary healthcare. Rural healthcare people were very concerned about HIPAA privacy issues and even though people said the legislation was right for all the wrong reasons, rural people were still in support of HIPAA and its implementation. Electronic transmission requirements were problematic for rural hospitals. Vendors could handle it, but they simply weren't available at a reasonable cost to rural hospitals. Privacy was a great concern for rural hospitals and other providers. This was a classic example of the view that one size fits all.

Just as there was a struggle with the idea that healthcare for a child wasn't the same as healthcare for an adult, the rural delivery system couldn't be just a downsized version of the urban system, which was what it seemed to be. He noted that many rural providers threw up their hands with the privacy issue, saying they couldn't comply, so they'd stop trying and let others catch them if they could. While that was absolutely inappropriate, there simply were not enough resources to solve their problems. When Mr. Schott spoke with the administrator, CFO, compliance and privacy officers at a rural hospital there might be one other person at the meeting besides himself, and that person also swept out at night and drove the ambulance on Saturday. Resources weren't available to expand staff in rural communities and community hospitals, and when they did so it was for medical staff on both treatment and administrative sides. There were a variety of providers in the safety net. Many rural hospitals were tax supported, with a patient base consisting of 70-to-80-percent Medicare recipients; another 10 percent might be covered by state Medicaid, and the rest were "the dreaded self- or no-pay." Doctors and clinics were faced with the same issue. Privacy was another significant concern in rural health clinics and community health centers. There was talk on the national level about a tax credit specifically to help rural health clinics with implementation. A minor privacy issue was that it would change the structure and culture of rural communities. He gave the example of his wife having to buy a lock for the front door when her house in a town in north central Oklahoma sold, because no one could find a key. She had lived there nearly nine years and that simply was the way it was in the safe, trusting environment of many rural communities. Mr. Schott cautioned that the regulatory processes, although well-intended, would change that culture.

And he added that there simply weren't adequate guidelines from "the feds" on enforcement, and the rules kept changing. Mr. Schott questioned whether the Office for Civil Rights was the appropriate place to locate that enforcement agency. He thought there had to be some reasonable standard instead of a drop-dead date for enforcement. Providers making reasonable efforts to comply ought to be rewarded instead of punished for not quite meeting the bar. Mr. Schott emphasized that this was an unfunded mandate in many rural communities. Funding was grossly inadequate. Most rural providers struggled to keep their doors open and didn't have computer systems. And for those that did, it wasn't a matter of upgrading systems: many hospitals still used DOS-based systems, and weren't even up to the Pentium level. He characterized the pitches that many consultants sent out when the process started as "a computer disk for $18,000 would make one HIPAA compliant." He noted that via SHIP grants, most rural hospitals received only about $9,700. SHIP was supported at the $50 million a year level for four years versus the $15 million the rural hospitals got. Mr. Schott said $15 million was laughable and that this "cowardly attempt" by Congress to solve the problem was referred to in Oklahoma as the chicken SHIP program. It simply wouldn't pay for the cost of implementing HIPAA in rural hospitals. Mr. Schott recommended that the deadline for compliance for rural providers be extended and reiterated the need for a reasonable effort standard in making progress for compliance. RPRI was conducting a study of how rural hospitals were doing. Results were expected in December. Mr. Schott said the study was significant because policymakers and members of the Congress would carefully read it. Mr. Schott emphasized again that one size didn't fit all and rural providers were structured differently than urban providers.

He stressed that financial assistance, as well as realistic implementation and enforcement, was critical. For many rural hospitals this was an unfunded mandate; there wasn't enough money available to keep the doors open, much less for additional expenditures such as HIPAA and privacy. The critical access hospital designation helped some of the smallest hospitals. The year before they converted, the smallest hospitals in Oklahoma lost an average of $394,000, a big hit in communities of 2,500. A year after conversion, they lost an average of only $70,000. They still lost, but weren't bleeding as quickly. Noting she wanted to be sure the Subcommittee understood the groups for which he sought additional assistance, special rules or dispensation, Ms. Kaminsky asked how Mr. Schott defined rural providers and if he was talking about critical access hospitals or something broader. He replied that critical access hospitals were under 50 beds; this was broader. About 1,400 hospitals had 50 beds or less. Some 2,500 hospitals were rural. There also was a myriad of providers: doctors, nurse practitioners, physician assistants, and related processes (e.g., pharmacists were an important part of the rural delivery system). Patients at critical access hospitals that were eligible received a SHIP grant.

Mr. Schott agreed that the word "rural" wasn't defined well in this country, nor was the provider base. He believed there were about 19 active definitions of 'rural,' but from his perspective it included all hospitals that served rural communities as well as all the providers that went with that base. Mr. Schott suggested the Federal Office of Rural Health Policy might have appropriate data defining rural. Mr. Schott clarified that there were about 2,200 dues-paying members in NRHA representing much larger numbers in rural communities. Affiliated groups of state rural health associations had another 10,000 members.

Panel 3: Coalitions and Partnership Building

Joy Pritts, J.D., Senior Counsel, Health Privacy Project, Georgetown University

Ms. Pritts explained that her area of focus was analyzing privacy laws as they pertained to health matters and in recent years she'd studied state health privacy laws as they would interact with the Federal Health Privacy Rule. Ms. Pritts did the preemption analysis for the state of California. She focused that day on the preemption issue and how it might play in the implementation process. The states had regulated this area for 40 years and implementation of the federal health privacy rule would drastically change the landscape of privacy in many states. The federal privacy rule essentially set a federal uniform floor throughout the nation. Ms. Pritts said this process complicated the preemption schematic, by preempting state laws contrary to the federal privacy rule (e.g., a covered entity couldn't comply with both or the state provision stood as an impediment to accomplishing the goals of the federal privacy rule). A law more stringent (i.e., imposing more restrictions) wouldn't be preempted, even if it were a state law. Other exceptions created for public health and health plan reporting to their regulatory bodies further complicated the procedure. The preemption analysis was an arduous, time consuming and expensive process. While there was more than one way to undertake it, one couldn't get around the fact that it was a provision-by-provision comparison of federal and state law.

A number of challenges arose. Many consumer groups, including provider groups, weren't familiar with the laws and statutes in their state. This didn't mean they weren't in compliance; Ms. Pritts noted lack of knowledge of the law wouldn't be sufficient for determining HIPAA compliance. And she said a positive aspect of HIPAA was consumers were learning about the state laws.

Ms. Pritts noted that many weren't familiar with the federal health privacy regulations. Even those familiar with the law and HIPAA found it complicated, because many HIPAA provisions were ambiguous and open to interpretation. HIPAA provides that a provision of state law that is contrary to it will be preempted. Preemption analysis in courts is arrived at by reconciling differences between the statutes so neither is knocked out. The resulting detailed provision-by-provision analysis can be a lengthy undertaking. Ms. Pritts said comparing a state law to the HIPAA privacy regulation was like comparing apples to oranges, but comparing access provisions was easier because they were structured similarly. However, restrictions on use and disclosure became complicated. Even more complications arose depending on how broad a covered entity's practice was. Ms. Pritts pointed out that the general health privacy law wasn't the only law that applied: Entities that covered sensitive medical conditions (e.g., sexually transmitted diseases, minors, and mental health conditions) were subject to additional laws in every state. Condition-specific requirements were also compared, and these varied from state to state. Some provisions included few statutes; others outlined comprehensive provisions. Ironically, the states that protected their patients' health information most comprehensively had the highest implementation costs, because their preemption analyses were the most complicated.

Ms. Pritts said speculation that a lot of state law wouldn't be preempted by HIPAA had validity only if one went through the preemption analysis. State law didn't preempt HIPAA, which meant there were two requirements. A covered entity could be in compliance with both by complying with the most stringent. California required a provider to produce medical records within 15 days, once requested; doing so also complied with the federal regulations requiring it to be done within 30 days. Often requirements differed and one ended up with dual requirements. In New York, a person denied access to medical records had a right to review by an independent three-person board appointed by the health commissioner. The right of review by HIPAA privacy regulation was with a person designated by the covered entity. Compliance with the state wasn't necessarily HIPAA compliant, so it became a dual track.

She noted that many people felt the preemption schematic wasn't worth the effort, and believed instead that simplifying and a universal standard were a good course of action. Ms. Pritts emphasized that the states were active in this area and had fine-tuned their statutes to the needs of their citizens. Many state statutes were more stringent than HIPAA, either giving people more access to their own health information or putting more restrictions on how it might be used or disclosed. These wouldn't be preempted under the current framework. However Ms. Pritts cautioned that a uniform preemption would lose the higher strata of protections. While HIPAA created a floor, much above that would be lost with full preemption. Ms. Pritts recommended making this process as simple as possible.

Ms. Pritts noted an attachment to her written testimony listed available preemption materials, including free and low cost sites, but pointed out that there wasn't much out there for providers. She said the lack of guidance, particularly from provider associations, was disturbing. Severe lack of resources to engage in preemption analysis was observed. The disconnect between what members thought they needed and what they really needed made it a hard sell. Equally crucial was the need for a compliance handbook with clear outlines for what had to be done to become HIPAA compliant.

Ms. Pritts' recommendations focused on what HHS could do to simplify the preemption analysis process. She encouraged HHS to continue to respond to questions interpreting the HIPAA privacy rule, helping consumers compare federal to state laws, working with CMS and other state agencies to determine how HIPAA interacted with other federal laws, and publishing guidance on these issues. She emphasized that this was a repeated request by providers and other state agencies that had CMS oversight. She noted that there weren't many materials on the interaction of HIPAA and other federal statutes that governed them. Observing that HHS had the most familiarity with federal privacy regulations and that the greatest familiarity with the state laws was within the states themselves, Ms. Pritts suggested that HHS engage in coalition building with each state and the sharing of that knowledge. She remarked that she didn't think HHS had resources to do this type of analysis on its own. Given how these issues were often challenged in state court, she suggested that the National Association of Attorneys General's privacy working group might assist or disseminate information. She said she'd heard the National Governors' Association and state Medicaid agencies were active in HIPAA analysis and often led the charge in getting the preemption analysis done. State-based provider organizations were also great sources because some had in place guides written for their members with existing state laws in mind. Ms. Pritts said overlaying the HIPAA privacy requirements on top of their guide would simplify the process. She concluded that preemption analysis was complicated and time consuming. Sole practitioners and providers in small organizations needed a lot of assistance that didn't yet exist.

Discussion

Dr. Danaher noted there was a dearth of good preemption analysis and acknowledged the work that the Georgetown Privacy Project was doing, calling it the best and most publicly accessible work in the area. He asked how Ms. Pritts envisioned the 50-state commentary being used. She said it was the starting point in the discussion of how people were often not familiar with their own state laws. She noted how time consuming it was, even without the federal overlay, to identify state laws and put them into a format that everyone could read. Ms. Pritts expressed some concern that, despite their opening statement that what they produced wasn't a preemption analysis, some people used it and thought that work was already done, when in fact they'd merely taken the first step.

Panel 3: Coalitions and Partnership Building

Alan Mertz, Executive Vice President, Health Care Leadership Council; Chair, Confidentiality Committee

Mr. Mertz explained that the Health Care Leadership Council (HCLC) was an organization of 150 CEOs of the country's leading healthcare institutions and organizations. The Confidentiality Coalition that he chaired was formed in 1995, had 130 trade association members, and represented the entire spectrum of the healthcare community. Mr. Mertz's experience with HIPAA began in 1995, as chief of staff to one of the six House chairmen that drafted HIPAA. He also was involved in the administrative simplification provisions. He agreed with the Georgetown Privacy Project about the need for a state preemption analysis that was accessible to all covered entities. Mr. Mertz said raising money for the study was a difficult challenge, but would lead to recommendations; HHS's help was urgently needed and would directly impact how well entities could comply with the regulation and state laws.

He noted that the need for a global study (preemption analysis) was first stated by HHS in the proposed rule in 1999: "The private sector will need to complete a state-by-state analysis to comply with the rule." Mr. Mertz noted that four steps had to be taken in order to be in full compliance: (1) the Privacy Project tried to identify state statutes, common law, constitutional law, case law and state regulations relating to privacy, (2) statewide rules that actually related to the HHS rule had to be identified, (3) state rules that were preempted had to be determined, and (4) where state laws weren't preempted, how entities could comply with both had to be determined as referenced in earlier testimony. Mr. Mertz emphasized that while this might sound straightforward, it was unbelievably complex.

Mr. Mertz said the Congress intended to create some national uniformity and, as noted, a federal floor for privacy standards. It intended that most state laws be preempted, except for state laws that exceeded the stringency of HIPAA requirements. But he pointed out that because of the way HHS interpreted HIPAA and a lack of clarity in the law itself relating to what was meant by the word "contrary," the HHS regulation probably would preempt few laws. He noted there was no legislative history of debate on this provision. The Senate didn't have an administrative simplification provision. Mr. Mertz said he spoke to the counsels from the three House committees that put the law together and they remembered clearly that where state laws would be difficult to comply with, they were supposed to be preempted. That was why HIPAA was written the way it was. A provision or requirement under this part of this rule superseded any contrary provision of state law, with the exception of more stringent laws.

However, when HHS issued the proposed rule in 1999, it flipped the burden of proof by saying that the standards didn't supplant state law, except to the extent that state law was contrary, creating a very different burden of proof. HHS's definition of contrary (one had to prove it was "impossible to comply with both state and federal law") made an unbelievably high standard. HHS could just as easily have said "contrary" meant different, conflicting, or difficult to comply with both. Mr. Mertz's group believed that it would be very difficult for the Congress to pass this statute. They would like them to have total uniformity, but short of the Congress doing that, HHS could re-define "contrary" such that it really was a floor and that state laws that were difficult or burdensome to comply with could be preempted.

Mr. Mertz noted states didn't have 50 neat-and-tidy health privacy laws. They were buried in thousands of bewildering and conflicting rules. The process of uncovering privacy laws would be a challenge for those who mapped the human genome project, let alone lawyers on K Street. It was almost impossible. He said his first experience with a state preemption analysis was for the chairman of the Ways and Means Committee in 1998. They did Florida as a private test state and found that a Lexis search wouldn't uncover most laws. There were 13 different statutes in Florida and the summary took 35 pages. Georgetown Privacy did Florida and 60 different state laws. In a nationwide study of state law, they were amazed at the range of laws that affected privacy of health information. Examples included library code, food, drugs and cosmetics, family code, revenue and taxation, general school operation, state of the government, printing and documents, adoption code, alcohol, drug abuse, communicable diseases, business and professional codes, probates, trust, fiduciary.

He noted Ms. Pritts had mentioned why determinations in content areas were needed. Mr. Mertz gave the example of privacy notification. Over 30 states had different notification requirements. The federal form could be anywhere from two-and-a-half to eight pages long. Not having this federal form (because we wouldn't preempt a similar state law; it's not contrary), a four-page notification would be required. That would mean both a federal and a state notification.

Mr. Mertz imagined how incredibly difficult it would be to have a pharmacy with millions of people picking up prescriptions and getting twelve-page forms that were different in every state.

Mr. Mertz understood that HHS didn't have resources to unravel the complexity of the laws or help with the privacy analysis and steadfastly resisted doing so. While HHS acknowledged the complexity of state privacy requirements, they also said it would be more efficient for professional associations or individual businesses to complete. He respectfully disagreed. There were literally thousands, maybe even millions, of covered entities under this rule and suggesting that every one of them do their own preemption analysis seemed most inefficient. HHS recognized that a global analysis was necessary, but said they didn't think it would be unduly burdensome or unreasonable for covered entities to undertake that study.

As Ms. Pritts mentioned, there'd been a number of attempts to study a state preemption analysis, however, so far studies weren't global but were of either one entity or one state. Such studies weren't useful when organizations operated in several states. And due to the integrated nature of healthcare, an entity couldn't be considered separately, because business associates were also under the rule. Mr. Mertz said it was important to know the requirements for business associates and others one did business with, not just for oneself.

Many small providers and specialty societies needing this most couldn't afford this on their own. The cost to organizations doing these studies in many cases ran $50,000 for a single state. One of the largest studies done by health plans and almost completed cost between $1,500,000 and $2,000,000, just for information on how state law affected the plans. It wouldn't help providers or other covered entities. Beyond this, because there was no consistent methodology in these studies, there were lots of gray areas. HCLC concluded that if HHS wouldn't help, groups had better try to do it collectively. Mr. Mertz suggested a comprehensive collectively funded study. HCLC had already selected a law firm to do it. This single study would include every HIPAA-affected entity in all 54 states and jurisdictions. Consistent standards could be used and the end product would be available on the Web. Anyone could search their particular state or states and type of entity and find checklists. It would be updated on an annual basis, reflecting changes in state law and any further modifications to the HHS regulations.

Mr. Mertz said the cost of the study would be surprisingly low, given the complexity. He wasn't sure the firm could actually do it for this, but they'd quoted a price of $1.15 million, with updates costing about $100,000. The cost-per-user could be anywhere from $5,000 to $50,000, but he noted that would leave out a lot of specialty societies with providers who couldn't participate because of a lack of resources.

Mr. Mertz stressed that the study needed to start immediately. They had a total of $700,000 in commitments, but couldn't start until they received pledges for another $400,000, because of the compliance deadline.

HCLC would have preferred that HHS had done this analysis and provided covered entities with a road map indicating where state law was preempted and what the state laws were. That not being the case, HCLC requested their partnership in designing the study, setting the standards, certifying the findings, and helping with funding. They proposed that HHS pay for one-third of the study ($300,000-$400,000) to enable them to proceed. If provided with limited funding, HCLC might agree to make it available in the public domain. HHS's time was needed, as well as its help with the cost of updates. Mr. Mertz said the benefits wouldn't just be to covered entities, but would also help meet the Congress' intended goals for privacy regulation, including education toward compliance. Noting that, due to state law complexity, a lot of state laws were probably foreign to many, Mr. Mertz said it would greatly improve the covered entity's compliance with both federal and state privacy regulations.

Mr. Mertz added that funding the study would help smaller entities that couldn't afford it on their own. It also would save millions of healthcare dollars, because it wouldn't have to be redone a hundred times by state medical societies and other organizations.

Panel 3: Coalitions and Partnership Building

Elliot Stone, Executive Director and CEO, Massachusetts Health Data Consortium

Mr. Stone emphasized that MHDC took a community collaborative approach for acquiring resources to implement the HIPAA privacy regulations, as opposed to full reliance on the federal government. MHDC assumed three premises for delivering these resources: (1) most solutions would be local, because much expertise was at the level where services were rendered, (2) the working understanding that rarely was there only one solution to any problem, and (3) collaboration wasn't an anti-trust violation and issues about reaching consensus weren't competitive but afforded opportunities for further collaboration.

He explained that MHDC evolved as the appropriate local convenor and resource for HIPAA. As with NCVHS, no other entity covered that niche. MHDC developed a pattern of watching what NCVHS did and replicating that at the local level. The consortium collected large data sets from providers and government agencies, so as Congress was drafting Kennedy-Kassebaum and then HIPAA, they'd been an advocate for standards around data transmission and protection.

MHDC was a non-profit, health data organization nearly 25 years old, but other provider, hospital and health plan associations could be convenors. Many convenors were IT consultants, some were WEDI-SNIP regional affiliates of non-profits, others were "usual suspects" (e.g., fiscal intermediaries for Medicare). Mr. Stone said intermediaries played a key role when CMS went out to talk about the transactions.

As they'd heard earlier, the regional Medicaid privacy officer was active in coalition building. Mr. Stone noted their region was unique: most health plans had headquarters in Massachusetts and so many other data organizations around the country also took on this role.

MHDC's local expertise led them to recommend four areas for OCR. First, they thought OCR should continue to be a resource for FAQs, which he said led to more frequent clarification pronouncements from OCR. Mr. Stone noted the clarifications that came from the FAQs had been useful.

MHDC encouraged OCR staff to meet with regional folks who were doing coalition building and to speak at other privacy forums. In this way, OCR central staff could train regional staff.

Above all, MHDC urged OCR to link to and encourage HIPAA-specific Web pages to the covered entities' usual and trusted sources. MHDC sought more links to provider as well as health plan associations.

Mr. Stone said it wouldn't take an enormous effort for local provider, health plan, and other trade associations to become a resource for their members. He pointed out that some already were. He noted these groups were tremendously talented at advocacy. For example, the Massachusetts Medical Society Web site (MassMed.org) was a helpful resource for both large and small group physicians.

He cautioned that OCR would be on a no win path if it tried to develop model forms, policies, and notices for a wide variety of covered entities. One size wouldn't fit all. And trade organizations and expert groups (e.g., the Georgetown Privacy Project) could more easily get actual samples of notices, acknowledgment forms and policies from their own members.

Mr. Stone urged OCR to encourage resource sharing, and he suggested that OCR become a repository for at least the criteria, which would stimulate sharing. He also wanted OCR to highlight portions of the regulations in a checklist, enumerating what the notice had to include. He noted that before anything was put on the OCR or trade association Web site it needed to have the approval of the entity's chief privacy officer or counsel and demonstrate to OCR that those sign-offs had been done before the links were made.

Almost universally, the 70-plus privacy officers in MHDC's regional group rejected generic forms and preferred work done by an actual provider, labeled and donated as such. Mr. Stone conceded that a large number of providers were waiting for things to show up on the shelf at the local stationery.

Mr. Stone shared the highlights of what his coalition and partnership did in Massachusetts and recommended to other local convenors. Every group they worked with, whether with privacy, security or chief information officers had a mission statement and provider and health plan co-chairs, so there was coalition building from the beginning. Both perspectives were listened to. Privacy officers broke up into provider and health plan groups, but met all together to understand Massachusetts' needs.

Mr. Stone reported that a lot of voluntary work had been done on preemption analysis by the Boston Bar Association (BBA). MHDC endorsed BBA's template that put every regulation and state law into a useful format.

The coalition was made up of covered entities (payers, government agencies and providers). MHDC regularly surveyed privacy officers and other groups to understand their priorities. Recently, DRSs were the high priorities. They routinely published and discussed lessons gleaned from the group. They initially learned much from presentations on business associates and recently realized that health plans wouldn't be business associates of the providers. They were covered entities on their own and would need fewer business associate agreements. Another lesson learned, as part of the trust aspect of HIPAA, was that providers talked with one another when they got requests from health plans. Requests from covered entities that realized they were subject to the pains and penalties of the law were doubted less.

Partners Health Care System (PHCS) shared all of their training work plans. Members included the Massachusetts General Hospital, Brigham and Women's Hospital, a multi-hospital system and physician groups. They shared timelines and modules for training physicians and employees, noting common elements among their training documents. Hospitals like PHCS have shared policies, work plans, and forms. PowerPoint presentations by experts (e.g., BBA, hospitals, and health plans) were available on their Web site.

Another recommendation to coalitions was for more cross-reference between privacy and transactions. MHDC felt that recently there had been too much focus on privacy and not enough discussion about transactions. Mr. Stone said HIPAA was also about getting paid and MHDC believed that small providers would be more upset about HIPAA when the check wasn't in the mail than if, in someone's mind, they weren't complying with privacy regulations. Providers believed there wouldn't be any HIPAA privacy police, except for their patients, but the absence of the check was the ultimate reminder to comply with other aspects of HIPAA besides privacy.

Mr. Stone said MHDC believed that sharing actual resources could be accomplished at the national level by national trade associations. He also believed that there was consensus among privacy and security officers that HIPAA gave the healthcare industry an opportunity for collaboration among covered entities which would establish trust among consumers, providers, employers and health plans, and not just collect the data accurately and consistently, but treat employees and patients consistently and with dignity.

Discussion

Ms. Pritts said the complications would be even greater for consumers because they wouldn't know who to go to or what section of what law they might have a complaint or concern about. Mr. Rothstein concurred, pointing out that had been the topic of one of the previous day's panel discussions. He asked Mr. Stone to expand upon his comment that it wouldn't be productive for OCR to produce model forms, since it departed from what prior testifiers, especially those who represented small providers, said.

Mr. Stone emphasized that MHDC believed OCR should be a resource of actual forms and encourage sharing. Privacy officers who'd searched the Web sites for models said generic forms didn't reflect the culture of their facility and would require a total rework. Mr. Stone said it would be helpful if OCR had criteria and a list of components that should be included in a notice. He said the idea of a one-size-fits-all model form for all the varieties of covered entities was a non-starter that would place OCR in the position of doing work it wasn't necessarily suited to do. He suggested they could outsource it and put the burden on the trade association. One of each kind of covered entity around the country could make an actual document available for others to use. Mr. Rothstein brought up the earlier suggestion of OCR/covered entity industry teams with someone at OCR responsible for working with each industry. He noted it would be good if rural health plans or subsets of providers (e.g., dentists, advanced nurse practitioners) could go to a sub-level of the site and click on information specially tailored for their particular needs. There also could be links to model forms.

Mr. Stone agreed. He thought the OCR/covered entity-industry team was a good way to start. He also suggested that every national trade association could have a dedicated HIPAA Web page linked to the state level, with examples. People looking for something specific (e.g., a psychiatric facility notice) could start with the national association of psychiatry, which could guide them to a member with that information. He suggested it would be just as easy for OCR to find things, either from the top-down or bottom-up. He added that it wasn't OCR's sole responsibility to facilitate this. Associations also had to advocate for the regulations their members and organizations wanted in place.

Mr. Rothstein added that ideally, one could click on California and find out about specific problems associated with covered entities there. Mr. Stone agreed, giving the example of his group's Web site, which had columns for privacy regulations, resources, references, education and training that included who to contact, what to read, how to comply, and regional initiatives going on locally and in other areas. He said as much play was given to what was happening in North Carolina as their own activities, because they hadn't invented everything yet. MHDC encouraged every one of their local health plans and hospital associations to have a specific HIPAA Web site, and Mr. Stone said they did.

Noting there was another hearing the following week in Salt Lake City and the Subcommittee sought testimony about various forms of telemedicine, Ms. Kaminsky asked Mr. Schott if his association had any related privacy concerns or challenges. Mr. Schott said telemedicine and telecommunication brought hope of extending service to many rural communities, but didn't have the answers yet.

Noting another issue was the requirement that physicians be registered within the state where the service was offered, he advised there'd be special challenges with the privacy requirements and telemedicine.

Mr. Stone said the Massachusetts Board of Registration and Medicine was looking closely at physicians practicing across state lines. Ms. Kaminsky said she was familiar with the licensure issue, but she was looking for special concerns about the application of the privacy rule in that context. She assumed there would be security rule applications. Mr. Schott concurred. He noted the RPRI panel would address that in their December report.

Ms. Pritts revisited the notice issue, saying she agreed that notices had to fit state and federal law, so one uniform notice might not be useful. Mr. Mertz suggested that a simple federal notice could say that state laws and rules might also be applicable and vary. Then one wouldn't be responsible for reprinting state and federal notices. Ms. Pritts said providers reported that wasn't helpful. They wanted a notice they could use without the disclaimer. Mr. Mertz said providers knew their state laws, and he suggested a form from the industry team could indicate where to insert portions of that law that differed. Mr. Stone disagreed, noting his group's difficulties uncovering state laws. Mr. Mertz pointed out that at least one lawyer traveled around the state and spoke about the state law at all the meetings.

Panel 4: Testimony

Diane Kube, Associates in Oncology/Hematology P.C.

Ms. Kube said physicians and practices from 'one-doc' shops to umbrella groups were totally overwhelmed. She stressed the need for clear education on what was expected and clarification on what the law meant. She emphasized that overwhelmed administrators, managers and physicians couldn't be expected to read and understand 2,000 pages of regulations. Ms. Kube focused on a number of misleading things and how most physicians panicked when they heard that privacy issues would be handled under OCR. Ms. Kube also emphasized the need to clarify all the general information and said she believed the combination of education and cost containment could help.

Ms. Kube's own practice (an oncology and hematology practice with 5 MDs, 2 physician assistants (PAs), and 50 employees, with between 150 and 200 patients a day) began looking into this two years ago. They were growing, remodeling suites, and could make modifications bringing about 98% compliance with security and privacy issues. They had locked files, dropped computer screens, and the Maryland Health Care Commission cited the practice as a model. Ms. Kube noted the state put together packets and got information to the community ahead of the federal government. She said the one component that still was a problem related to vendors on the EDI side.

Calling herself "a bit of a heretic," Ms. Kube said she probably was in violation, because she'd refused to submit the extension for her physicians. She said instead, they chose to "drop" paper. One reason was bids between $3,000 and $30,000 to get software into compliance, without a guarantee. Ms. Kube felt they'd done everything humanly possible to bring about compliance and were at the mercy of software vendors that told them nine months ago everything would be compliant, and it wasn't. Ms. Kube stressed that this was a big decision; they had a four-week turnaround for cash flow and $15 million in drugs and services in 2001. She noted another factor in Maryland was the referral base system; referrals and treatment plans required an attached form, so the majority of insurance claims still could only be sent by paper. The only ones that could be sent electronically were CMS.

Ms. Kube gave examples of misinformation, including the story that sign-in sheets weren't allowed. And she told about a pediatric group that gave each child the name of an animal, rather than use the child's name. Ms. Kube emphasized that physicians, managers and allied healthcare professionals believed in the spirit of this law and held it in highest regard. She noted they'd argued for years that there was too much access to medical records by insurance companies and other entities. But she contended they didn't need 2,000 pages of regulations to tell them the importance of patient safety, privacy and security. She emphasized the need to take care of the patients, not just protect their records. Ms. Kube also pointed out that computerization could be a hindrance. She said she'd spent two weeks trying to clear a patient who probably wouldn't live if he didn't get specialized surgery within the week. She said the problem resulted from computerization. Because of cancer, the gentleman quit his job and was put into COBRA. Checks went in October 1st, but he wouldn't be in their computer system for 60 days.

Ms. Kube reemphasized the need for help in clarifying the regulations and getting cost containment. Noting that the bill Senator Kennedy introduced would put medical records online, she said her practice had been looking to put medical records on a computer-based program for five years. A program that entailed all the needed aspects didn't yet exist, and the minimum start-up cost for her practice alone was half a million dollars. She said it would cost billions of dollars to get the country's healthcare industry compliant. Noting the lack of understanding, Ms. Kube said she doubted most physicians could do it, though the Montgomery County Medical Society encouraged every member, even if they were exempt, to follow the spirit of this law and the regulations. Ms. Kube stressed they needed help enacting it.

Asked what she meant by cost containment, Ms. Kube described the carpetbaggers after the Civil War who tried to sell anything to make a buck. She noted the huge number of phone calls, mail, e-mail, and faxes from vendors claiming they could make them HIPAA compliant. Ms. Kube reported that some small software companies, unable to get everything in compliance, were going out of business or selling out. She cautioned they might end up with as few as four companies doing billing systems and related things that sold software. Practices would be at their mercy, paying whatever they said, to become compliant with federal regulations.

Acknowledging there were unknown factors once data was sent online, Ms. Kube confirmed that she wasn't asking HHS to say only so many dollars had to be spent. She only wanted to prevent anyone from taking advantage. She said another reason her practice dropped paper was because of horror stories about insurance companies changing their software programs and things getting lost. Noting one practice had five weeks' worth of claims lost in the cyber system because of conversions, Ms. Kube pointed out that that could put a lot of people out of business. Her group felt it was safer to have information both in their computer and on paper. Ms. Kube expected nightmares over the next 12 months until all the conversions happened. With Medicare not even being in compliance, nobody was compliant under the EDI, and now people were onto the next step with privacy and security. Ms. Kube said she wished there'd been clarifications a while ago and now advocated for a common-sense way of handling this, so people could take care of patients as well as protect their privacy.

Panel 4: Testimony

Richard Hughen, Principal, Accumentor Corporation

Mr. Hughen had 20 years of experience with enterprise-class learning systems with Johnson and Johnson, Abbott Laboratories and other large entities. Acumentor is a healthcare learning firm providing turnkey health, safety, quality assurance and regulatory compliance learning and performance support solutions. Noting that, depending upon the source, between 9 and 15 million people needed to be educated on HIPAA privacy regulations, Mr. Hughen discussed the need for learning solutions related to HIPAA implementation. He defined training as generally instructor focused, with the trainer prescribing what would be learned and how. By contrast, he said learning was typically learner centric, focused on promoting acquisition of a defined body of knowledge, typically defined by an expert or regulatory agency but in a manner determined by the learner that accommodated his or her needs. Mr. Hughen added that learning didn't, by definition, assure application of the knowledge and skills on the job. Without that workplace behavior change, he said the return on the substantial investments in HIPAA security and privacy would be greatly diminished.

He expressed concern that the spirit and intent of HIPAA privacy could be compromised if systems and resources weren't available to enact real behavior change in the millions of healthcare workers affected. Mr. Hughen cautioned that the aggressive deadline and current lack of support and resources could propagate a check-the-box approach and that the covered entity's need to show compliance on paper might do little to effect behavior change and on-the-job performance. Mr. Hughen advocated that equal concern should be placed on compliance in daily practice and behaviors on every job, every day. Considering the vast quantity of people and the great diversity of job functions affected, he stressed the need for learning, not training. And he noted the additional complexity of profession and institution specific policies and procedures. He emphasized this was a huge undertaking requiring a well thought out approach to the many facets of learning and an equally well thought out plan for delivery and implementation.

Though the learning problem had great breadth and depth, the plethora of job categories was actually a chore of some redundancy, considering the repetition needed from physician to physician, nurse to nurse, hospital to hospital and practice to practice. Given the redundancy, available technologies could be used efficiently.

Noting they'd heard from other panelists that the market was quickly filling with products of diverse quality built without accepted standards with some based on incorrect information, Mr. Hughen recommended that OCR work with private industry to establish a minimum standard of acceptability for products targeted toward HIPAA learning and testing. He said Acumentor approached DHS, HHS and OCR with this concept this past summer, but the weight of assimilating the feedback during the comment period precluded active engagement.

Mr. Hughen said precedent existed for this type of public-private collaboration and working relationship on standards, such as the FDA's work on good manufacturing processes in the pharmaceutical and medical device industry. Noting there were numerous examples, not of endorsement, but standardization and guidance, he suggested developing a standard of competency testing that a covered entity could use to measure understanding and mastery of the material. Currently, quantitative testing of HIPAA knowledge could actually increase legal risk, he cautioned, because there was no agreed upon or accepted standard, even in intent or spirit.

Asked to explain more about the FDA's work on good manufacturing processes, Mr. Hughen said the rules for manufacturing pharmaceutical or medical devices were more expansive than the 2,000 pages of the privacy rule and they worked with the industry. For example, one company established minimal acceptable criteria of training; they didn't endorse the product but the covered entity knew that product covered the bare minimum.

Mr. Hughen suggested that the minimum knowledge of the rules and regulations needed for a physician, nurse or occupational therapist specific module could be identified and would become bare minimums. He contended that a channel within OCR that acted as a filter and reviewed the material, not endorsing it but indicating it was correct and a viable product, would help the buying community greatly.

Ms. Kaminsky agreed that this was an interesting idea, but she questioned how it would work, given that so much training had to be based on each covered entity's own policies and procedures and tailored to their specific functions and business models. Testifiers had already expressed differing opinions about whether sample or model forms could be useful. Mr. Hughen responded that at the level of dealing with specific policies and procedures it wouldn't be realistic. He said the enforcement arm, whether through OCR or the legal system, would eventually deal with that. Mr. Hughen said his idea would be useful at a higher level, before institution-specific policies and procedures. His view of the testimony was that the community struggled "a few thousand feet above basic awareness." Mr. Hughen thought specific HIPAA awareness at the job function level would work.

Dr. Danaher agreed that the relationship between the FDA and engineering was exactly as Mr. Hughen presented. The group went to the FDA and said they would develop all the training for free if they could then take the courses, commercialize and sell them. It wasn't endorsement, but clearly if the government used it, others would be interested. Responding to Ms. Kaminsky's point, he noted that in terms of training for HIPAA, there was minimum necessary disclosure to verify a request. One could work hand in hand with HHS and OCR to define fundamental concepts. But Dr. Danaher thought Ms. Kaminsky was right about the PN's and what HIPAA meant for fundraisers. If some private company worked with the government and created and superimposed a version, Dr. Danaher said it would probably be at a $20,000-$40,000 level and could be done in conjunction with a private-public partnership. Health plans would come up with their own policies and procedures. At the ground level, organizations would decide how their nurses would deal with white boards and other details.

Panel 4: Testimony

Abigail Ryan

As a faculty member at Northern Virginia Community College, Ms. Ryan said she was acutely aware of the gross underfunding of healthcare and the problems physicians faced since they generally had no training in business or finance.

Speaking about preemption, Ms. Ryan said every profession, except for law, had some form of internship. She proposed that law schools, particularly those using state monies, institute a program where interns, in order to pass the state bar, would be responsible for the tedium of comparing state and federal regulations. Ms. Ryan pointed out that business associates and others wouldn't sign contracts without showing them to their lawyers at $250 an hour. Noting small hospitals given $9,000 to implement HIPAA ended up paying out the bulk in legal consulting fees, Ms. Ryan asked for help in holding the legal profession accountable.

Ms. Ryan suggested that HIPAA would never have come into place if it weren't for the issue of national security. She noted that physicians and hospital administrators stood up at the last HIPAA conference and said they had DOS-based systems and three kids in college and couldn't spend $60,000 to re-do computer systems. The physicians were lectured, told they had to comply, and that it would cost $8,000 per physician. Ms. Ryan contended that wouldn't begin to touch what vendors charged to become theoretically HIPAA compliant. She pleaded for cost containment and consideration of the perception that they were being ripped off.

Panel 4: Testimony

Katherine Delair, HIPAA Privacy Officer, University of Wisconsin Hospital and Clinics

Ms. Delair presented a sense of the difficulties of implementing specific provisions, especially for a larger academic center and offered two recommendations for dealing with the preemption issue: either require that each state's Department of Justice conduct a preemption analysis, making it available to all constituents, or have a state's collaborative create a preemption analysis and ask the Department of Justice to give an opinion and/or endorse interpretations of the regulations.

Ms. Delair agreed that the written privacy notice provided some privacy for patients, delineating how the information would be used and their rights. However, she advised it was too long and confusing. Even with the layered notice option, she believed it would confuse and frustrate patients. And it added paperwork and extended the admission and registration time.

She noted one burden related to the privacy notice had to do with identifying access points in a system (e.g., hospital registration administration areas or clinic sites) and developing processes to provide the notice and obtain acknowledgment. The preamble to the recent publications suggested other ways of providing service would be electronically or via a community occasion or a phone service. Ms. Delair said the most troubling aspect was determining which activities or points of service necessitated the notice and acknowledgment.

She also noted that each of over 80 clinics received over 100 phone calls per day concerning matters such as appointment times, inquiries about lab results, or whether to take a medication. Ms. Delair noted that, according to the preamble, privacy notification wasn't required for appointment reminder type questions. But she said it appeared to her that any phone conversation involving some provision of advice would require mailing a notice. That meant developing a process for identifying all phone calls, determining which constituted a point of service or treatment, noting which patients hadn't received privacy notices, sending them out and tracking returns. Ms. Delair asked for clarification about what constituted a point of service and when mailings were required. And she expressed interest in the clarification that the regulation only required acknowledgment at the first face-to-face service, which eliminated a lot of problems with telephone communication. Asked by Ms. Delair whether her interpretation of the phone call and privacy notice was correct, Ms. Kaminsky acknowledged that, if it were correct, it certainly would be an operational challenge.

Ms. Delair stressed the difficulty of implementing the accounting of disclosures requirement. One problem was that it required a preemption analysis of what HIPAA and state law required. Under Wisconsin state law, she believed they would have to account for things that HIPAA couldn't require (e.g., TPO type activities). Ms. Delair had difficulty deciding whether HIPAA or state requirements applied. Another problem was identifying the kinds of disclosures that had to be accounted for and developing a process for each. Disclosures could literally come from any one of their 5,000 employees (e.g., clinical staff reporting infectious disease to the state as required, or the Information Systems (IS) department, relating to research studies). Ms. Delair said there wasn't one easy process for implementing this regulation; it would require many different processes to implement correctly.

Panel 4: Public Testimony

W. Holt Anderson, North Carolina Healthcare Information and Communications Alliance, Inc.

Mr. Anderson described NCHICA as a case study of an effective HIPAA collaboration. A portion of NCHICA's activities were as a regional WEDI-SNIP affiliate. A 501(c)(3) established in 1994 with over 300 institutional members, NCHICA's mission is to determine ways to implement information technology and secure communications in healthcare. Mr. Anderson said NCHICA had done a variety of projects related to clinical uses of technology.

In 1999, NCHICA established a HIPAA task force charged with developing a strategy for addressing HIPAA compliance in an orderly, efficient manner. Over 350 individuals in six work groups produced awareness educational sessions. The work groups were a professional development opportunity. Participants presented workshops and developed training materials and white papers. The work groups did a preemption analysis for North Carolina and were creating sample model agreements eliminating the need for attorneys to negotiate and manage endless varieties of agreements. They did a gap analysis, developed planning tools and a compliance plan, and identified gaps that had to be supplemented. Sample documents were available free on their Web site, including an 83-page analysis of the HIPAA privacy rule in relation to 143 North Carolina statutes. The medical society, hospital association and major academic medical centers were adopting a business associate agreement that took the work group 13 months to negotiate. The agreement included no more or less than what HIPAA required, minimizing the effort necessary. Anyone who wanted to negotiate special provisions could put them in another agreement. The NOPP took 15 months and state law hadn't yet been incorporated. Entities that had to implement a notice and build it around internal policies and training first had to do the state preemption analysis. Mr. Anderson reflected that HIPAA's core centered on privacy. A security and privacy officers' work group developed a questionnaire to determine what everyone was doing. Questions included: whether they'd provide copies of the notice to local media, would it be available in Braille or on videotape, how would the handicapped be included, how many different languages would be included, and how would they get acknowledgment. Mr. Anderson explained that they sought to develop a consensus approach to the notice.

Mr. Anderson reported the Attorneys General offices in many states were developing the preemption analysis. In North Carolina, a broad-based group listed the state statute, cited and compared the HIPAA regulation, and wrote a summary or conclusion. Noting these regulations were complex and the preemption analysis difficult and not always clear, Mr. Anderson said the summary conclusions would take further analysis and case law to determine. They'd spent 13 months and hadn't gotten to the regulations and Attorneys General's opinions and case law. Three-quarters of a million dollars had already gone into this, and preemption still had to be included and everything had to be re-done based on the last general assembly's modifications and changes. Another issue was defining the entities and relationships within and outside an enterprise. Mr. Anderson said the state and local county governments struggled to determine what was subject to HIPAA and define an organized healthcare arrangement. Managing implementation was a major issue, along with lowering the grade level of the privacy notice and acknowledgment. Mr. Anderson said for 15 months they'd tried to simplify their draft, but found certain words required by HIPAA couldn't be used at an eighth-grade level. North Carolina law required consents in many cases. Even though it was optional according to HIPAA, consent would continue to be used. Mr. Anderson advised that a standard business agreement and standardization of other documents would save money and agony. From the task force's vantage point, larger enterprises and academic medical centers had the intellectual and other resources to invest in HIPAA compliance. Individual practices didn't and acted catch-as-catch-can. Mr. Anderson expressed concern about judging what was good or bad. He explained that at recent CMS implementation round tables, people from CMS answered conference call questions from the public. CMS deferred questions about privacy (about 25 percent of all the questions), giving OCR's toll-free phone number. Noting the conference calls were an effective way of gaining public input and answering questions, Mr. Anderson urged OCR to join them. He emphasized the importance of OCR and CMS coordinating, so the Department presented a similar format, look and feel. Mr. Anderson said regional SNIP affiliates served as gateways for collaborating and getting information to providers. He said affiliates were in various degrees of organization and were run differently, but all were a resource. About half the states already had affiliates; others were being formed.

Panel 4: Public Testimony

Barbara Seitz, South Peninsula Hospital

Ms. Seitz represented a small organization in rural Alaska. She noted that in this large state where many providers were in extremely rural areas, telemedicine and teleradiology were used to provide care. Everywhere from Anchorage (population 600,000) to villages of less than 100 people had to comply with the same guidelines and regulations. She said eight questions had been sent to privacy officers and CEOs across Alaska. Respondents wanted one approved site with approved and certified links to accurate interpretations of the guidelines and resources on best practice. Ms. Seitz also said they wanted certified vendors that met a standard for training materials and services. Ms. Seitz said she worked in a small community-based hospital with 15 beds for acute and 25 beds for long-term care. Their 260 employees also provided hospice and home health services. Funding was entirely rural. Ms. Seitz said changes in the regulations outdated computer software, training materials and draft policies her hospital purchased only a year or two ago. Making modifications was a big burden, and Ms. Seitz felt standards would benefit everyone. Pointing out that the extreme cost of travel in remote areas was compounded by delayed and canceled flights, Ms. Seitz recommended Web seminars. She noted it took her 19 hours and three connecting flights to get to the hearings. Another issue was standards for training. Ms. Seitz said the message she'd heard that morning implied that one could train staff with no other guideline than, "Do it yearly or when something new comes up." Noting some organizations would have a minimally adequate video and certificate while others provided interactive on-line training, she stressed that models or tools for training would benefit the whole healthcare community. Ms. Seitz contrasted Wisconsin's numerous standardized, easy-to-follow healthcare, privacy and confidentiality laws with the minimal laws in Alaska. She noted that Alaska had no laws about juvenile records; adult or federal standards were followed. Some things already were being done and only had to be documented, though many facilities didn't follow federal law. Ms. Seitz noted in some remote areas the feeling was, "Come and get us and force us." She emphasized that these hearings made a big difference in Alaska. Ms. Seitz acknowledged that having standard, certified links on the Web site would be costly, and might not be realistic, but she posited that it could pay off to put that effort in now, rather than on the back end with enforcement and policing people. HIPAA compliance was costly and done with networking and all available resources. Still, without standardization there was no assurance that they were doing what had to be done. Ms. Seitz clarified that by "certified links on the Web site" she meant having a standard, vendor training, and marketing materials reviewed by an organization that qualified its accuracy, similar to the Good Housekeeping seal of approval.

Subcommittee Meeting Discussion

Ms. Kaminsky said the next week's hearings would be more abbreviated and would start with more testimony from physicians and other professionals with small practices, MGMA, and practice managers. There might also be related testimony from ACOEM. Another panel, tentatively titled integrated health systems and complex organizations of other types of providers, was also scheduled. The first speaker was from Intermountain Health Care, a health provider and health plan in Utah that was complex and underwent extensive privacy analysis. Implementation issues would also be discussed: Ms. Kaminsky was trying to get representation from the Indian Health Service and Gambro, a dialysis company. They'd hear from the general counsel for Valley Mental Health, which did a lot of contracting with the state, and another panelist discussing telemedicine and telepharmacy issues. Another panel would be on rural hospitals. AHA recommended a panelist from Banner Health, in Arizona. UHEN, the WEDI-SNIP affiliate in Utah, recommended a panelist from Cane County Hospital, in rural southern Utah. Mediconnect, a vendor to many systems and an active member on the Governor's Task Force on HIPAA, would also testify. Ms. Kaminsky noted that they'd talked a lot about their clients' problems coming up with mechanisms to account for the disclosure requirement and other operational issues that might apply to those types of facilities. Another panel would consist of state agencies, public health and research. Barry Lengel from the Office of Vital Records and Statistics in the Utah Department of Health would talk about registry issues. Jean Wiley from the University of Utah Resource for Genetic and Epidemiological Research, who had an enormous database formulated originally from Mormon genetic information, would also speak. Mr. Rothstein commented that the genealogical database in Utah was valuable for genetic research. Ms. Kaminsky concurred, adding they wanted to do more powerful linking of this database to other sources to match up the data, but they weren't a research study themselves and, because of the privacy rule, probably wouldn't get a waiver for authorization. She said Denise Love, from the National Association of Health Data Organizations, would probably be talking with them about research and public health issues as well. Ms. Kaminsky reviewed the potential testifiers for the second day. The panel on health plans included Provident Health Plan from Oregon and Deseret Mutual Benefit Association, which had links that would be explained. There was an inquiry into Utah Medicaid as well. Ms. Kaminsky reported there was more to be done to finish up the panels and said that if anyone had specific requests or interests, she'd follow up.

Most of the second day was reserved for Subcommittee discussions pulling together thoughts about the past couple months' testimonies and a game plan. Members set aside 30 minutes for public testimony. Ms. Kaminsky noted a request to hear from malpractice insurance companies and said there was written testimony from an osteopathic doctor concerning increased costs for malpractice insurance because of potential HIPAA liability. Ms. Kaminsky said she'd do her best to get representation from these insurers and asked for suggestions.

Mr. Rothstein thanked everyone for attending. Noting they'd reconvene next week in Salt Lake City, he adjourned the meeting at 4:18 p.m.


I hereby certify that, to the best of my knowledge, the foregoing summary of minutes is accurate and complete.

/s/ 3/16/03

__________________________________________________
Chair Date