[This Transcript is Unedited]

NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Meeting of:

SUBCOMMITTEE ON PRIVACY AND CONFIDENTIALITY

October 29, 2002

Marriott Hotel, Waterfront
Baltimore, Maryland

Reported By:
CASET Associates
10201 Lee Highway, Suite 160
Fairfax, Virginia 22030
(703) 352-0091

P R O C E E D I N G S (9:00 a.m.)

Agenda Item: Welcome and Introductions.

MR. ROTHSTEIN: Good morning, everyone. My name is Mark Rothstein. I am the director of the Institute for Bioethics, Health Policy and Law, University of Louisville School of Medicine, and I am chair of the Subcommittee on Privacy and Confidentiality of the National Committee on Vital and Health Statistics.

On behalf of the subcommittee and staff, I want to welcome all of you to the first of two days of hearings on implementation of the HIPAA privacy rules.

I also want to welcome the listeners on the internet, who are listening to our hearings live.

Further, as is customary, I would like to have introductions of the committee members and other individuals, and I would invite subcommittee members to disclose any conflicts of interest that they might have at this time.

I will begin by noting that I have no conflicts of interest, other than those which will be apparent throughout these two days.

DR. HARDING: I am Richard Harding. I am the current interim chairman of the Department of Neuropsychiatry at the University of South Carolina, a member of the subcommittee since 1997 or 1998, and a member of the National Committee on Vital and Health Statistics.

I was previously the president of the American Psychiatric Association last year. My conflicts would be limited to that.

DR. COHN: I am Simon Cohn. I am the national director for health information policy for the Kaiser Permanente Medical Care program.

I am also a practicing physician. I am obviously a member of the subcommittee and a member of the committee.

MS. KAMINSKY: I am Stephanie Kaminsky. I am lead staff to the subcommittee, and I am in the Office of Civil Rights at the Department of Health and Human Services.

DR. ZUBELDIA: Kepa Zubeldia with Claredi Corporation. I am chair of AFFECT and co-chair of the policy advisory group on security of WEDI. I think there might be some people from WEDI or WEDI-SNIP testifying today.

I just found out this afternoon we have someone from Davis, White, Tremaine testifying, and that is one of the law firms that Claredi employs as counsel.

MR. DANAHER: My name is John Danaher, and I am a member of NCVHS, and also a member of the subcommittee on privacy.

I am the president and CEO of a compliance e-learning company called Quick Compliance. I do not believe that my presence here today represents a conflict of interest. Thank you.

MS. GREENBERG: I am Marjorie Greenberg from the National Center for Health Statistics, CDC, and executive secretary to the committee.

DR. KIBBE: I am David Kibbe from the American Academy of Family Physicians.

DR. JENNINGS: I am Carol Jennings. I am director of health policy at the University of Maryland School of Nursing. I am here today representing Jan Towers, the American Academy of Nurse Practitioners.

MR. ROTHSTEIN: For the witnesses and others, you don't need to indicate any conflicts of interest. That is just for the subcommittee members.

DR. SMITH: Good morning. My name is Lloyd Smith. I am a podiatrist practicing in Newton Center, Massachusetts. I am here today representing the American Podiatric Medical Association.

I serve as vice president of the association and chair of its health policy committee, which has responsibility for all federal health related issues.

DR. VAN DE CASTLE: Good morning. I am Keith Van DeCastle. I am a family physician. I am the WEDI SNIP co-chair for Virginia, Washington, D.C. and Maryland, and I am the president of a company solely devoted to HIPAA called HIPAA Compliance Services, which is a training company for physicians.

MR. LOBB: Richard Lobb, Conemaugh Health Systems.

MS. BOWEN: Rita Bowen, Erlanger Health System.

MR. RODIE: Dan Rodie, I am with the American Health Information Management Association.

MS. PARSLEY: Nancy Parsley with the American Podiatric Medical Association.

MS. WHITTAKER: Fran Whittaker with the American Podiatric Medical Association.

MR. PEELE: Rodney Peele with the American Podiatric Medical Association.

MR. STONE: Walter Stone, Center for Medicare and Medicaid Services.

MR. ROTHSTEIN: Welcome to all of you. The subcommittee has scheduled seven panels of invited witnesses over the next two days to provide a variety of perspectives.

In addition, we have scheduled public testimony from 3:00 p.m. until 5:00 p.m. tomorrow, Wednesday, October 30.

Any individual who is not an invited witness may sign up to testify for five minutes. The public testimony slots are on a first come, first served basis.

Let me emphasize the limited scope of this hearing. The final amendments to the privacy rule were published on August 14 of this year.

Covered entities and other interested parties are, or should be, getting ready to comply by the April 14, 2003 deadline.

The purpose of this hearing is not to revisit the substantive elements of the rule, although the subcommittee is well aware that it is hard to talk about implementation issues without reference to at least some of the substantive areas of the rule.

As detailed in the Federal Register notice announcing the hearings, we are especially interested in learning from witnesses answers to the following questions.

What are the available resources for HIPAA compliance, including those from professional organizations and trade associations?

Are compilations of best practices available and how are successful implementation strategies disseminated?

Are there any models for public/private partnership development?

How should covered entities go about coalition building and developing consensus procedures?

What outreach, education and technical support programs are needed from the Office for Civil Rights, including suggestions for OCR priority setting?

What areas are especially in need of guidance from OCR? How should we address the integration of HIPAA and other federal and state laws?

Finally, can you assess the accuracy and quality of the information and services of vendors and consultants, especially as they pertain to small providers and health plans?

This is the second of three sets of hearings by the subcommittee dealing with these issues. We met September 10-11 in Boston, and will meet again in Salt Lake City on November 6-7.

After our final hearing in Salt Lake City, the subcommittee will submit its recommendations to the full committee for discussion and possible action at our meeting in Washington on November 19-20.

If recommendations are approved by the full NCVHS, they will be translated in a letter to Secretary Thompson by Dr. John Lumpkin, chair of the NCVHS.

Because of the large number of witnesses for each panel and the narrow focus of the hearings, I strongly urge that the witnesses strictly adhere to the following rules.

First, invited witnesses will have 10 to 15 minutes to give their prepared testimony, and I will supply you with a one-minute notice. As you can see, artistic ability is not a requirement to chair this subcommittee.

Second, after each witness, subcommittee members will have an opportunity to ask questions of a clarifying nature only.

Third, after all the witnesses in each panel have completed their testimony, the members of the subcommittee and the witnesses will use the remaining time of each session for further questions and discussion.

Fourth, witnesses may submit additional written testimony within 10 days to Marietta Squire. The reason for the short period is because of our schedule in preparing our final recommendations for the Secretary.

Fifth, if any witnesses stray too far afield, I will encourage them to refocus their remarks or conclude their testimony.

Finally, I would ask anybody sitting in the room with a cell phone to please turn off the ringer, as well as lower the volume on the standard telephones that are here, and please speak clearly into the microphone, so that those on the internet can hear your testimony. I am sure they are very anxious to hear everything that the witnesses have to say.

With that, let me call the first panel to testify. Panel number one deals with physician and other health professional practices. Our first witness is Dr. David Kibbe.

Agenda Item: Panel 1. Physician and Other Health Professionals Practices. David C. Kibbe.

DR. KIBBE: Good morning. My name is David Kibbe. I am a physician and director of health information technology for the American Academy of Family Physicians.

I am also the president of the North Carolina Healthcare Information and Communications Alliance, better known as NCHICA, a WEDI SNIP affiliate, an organization that is well known for its work on HIPAA, and which has been involved in model health privacy policy and legislative activity since its inception in 1994.

I am very pleased to be here today and, on behalf of the American Academy of Family Physicians' 93,000-plus members, let me thank the members of the Privacy and Confidentiality Subcommittee for this opportunity to address the important issue of HIPAA privacy rule implementation.

The timing is excellent, having just held our annual scientific assembly two weeks ago in San Diego. This is the academy's major annual conference, attended by over 5,000 member physicians, and an occasion that affords us the opportunity to converse with members about the important issues to the specialty as a whole, and to take the pulse of the membership over a very active week.

During the assembly, I presented lectures on HIPAA that were attended by over a quarter of the participants. We held a town meeting on HIPAA implementation that was moderated by academy physician leadership. There were several other sessions covering one or more aspects of HIPAA standards and their implementation. I can assure you that HIPAA is an active and much debated item among the AAFP leaders and its members.

What is the availability of HIPAA resources for our members, most of whom practice in solo practice or small groups of five or fewer physicians? Let me address our own education and implementation program for action.

Over a year ago, the board of directors of the AAFP approved a detailed HIPAA action plan including: A strategy to raise member awareness and educate them about the impending rules, deadlines, guidances and extensions;

A commitment to develop and provide tools to assist family physicians to implement the necessary changes at the practice level; and

A commitment to seek the statutory and regulatory changes necessary to fix the more onerous and unworkable requirements of HIPAA -- for example, mandatory signed patient consent before conducting any health care treatment, and legally binding business associate agreements that appear to require family doctors to monitor much of the health care service industry.

During the course of the year, the academy has done the following to make progress in meeting these commitments.

The AAFP has developed a HIPAA website, which is www.aafp.org/hipaa.xml. It contains what we consider to be essential, relevant and useful information and tools, both for those members just beginning the process of implementation as well as for those with larger and more complex implementation issues.

The site includes a series of four HIPAA articles that I authored for the AAFP's journal, Family Practice Management.

The Academy's communication and publications divisions have devoted extensive coverage to HIPAA implementation, in print, on the AAFP website, via e-mail communications, to increase member awareness and education.

Most recently, a communications campaign instructed members on the issue of filing a transactions and code set extension plan with the Center for Medicare and Medicaid Services.

The academy has participated in a 12-member specialty society coalition formed to address HIPAA privacy rule implementation.

Additionally, we have been instrumental in forming and leading an even larger coalition on HIPAA EDI implementation. Both coalitions are developing implementation strategies and solutions for practicing physicians and their office staffs.

The academy has produced a How To Guide for implementing HIPAA privacy, available to members for a minimal cost, in print, CD-ROM and downloadable from the website.

For those that prefer a more interactive computer program, we are offering members the HIPAA EarlyView Privacy Tool, developed by NCHICA. Both resources contain checklists, key document templates, and advice.

The academy has developed an online HIPAA EDI practice management system directory in collaboration with the medical specialty coalition, which is available at 222.hipaa/pmsdirectory.

The directory allows a practice to look up its PMS vendor to determine its HIPAA readiness for each covered transaction. Practices can also use the directory to investigate the extent of HIPAA readiness of other vendors.

We have presented two HIPAA workshops on compliance at the 2002 annual leadership forum and recently conducted a HIPAA audio conference targeted to chapter leaders across the nation.

We are also making these same presentations available to a number of state and regional academy chapters at their upcoming meetings.

How well are we doing in reaching our members with these messages? In some respects, quite well, and in others not so well.

For example, by a show of hands during my recent lectures on HIPAA at the AAFP annual assembly, roughly three-quarters of the audience indicated that they had filed a transactions and code set extension plan with CMS.

I think this augurs well for our members' awareness about the HIPAA transactions and code set standards, and about HIPAA in general.

However, my best estimate about member privacy rule implementation is less hopeful. I would estimate that fewer than half of our members' practices have begun to implement a program of privacy standards implementation as of two weeks ago.

We need to discuss some of the reasons for this low level of privacy implementation among AAFP members, who are generally aware of their obligation, but have not acted.

The single most important reason for the delay is our members' confusion about what it is they must actually do at the practice level. What must I do that is different from my current practice, is the question that I hear most often.

To students of the privacy rule and its standards, a group I call the HIPAA literati, and to which, sadly, I must include myself as a member, this may seem a strange question.

Aren't the rules clear? After all, we have gone through a very long process of writing, amending and finalizing the privacy rule. Isn't this all pro forma and routine by now?

No. Out in the real world HIPAA is a complicated mess. Dr. John Lumpkin's statement in the letter which he wrote to DHHS Secretary Tommy G. Thompson of September 27, 2002, summarizes quite well what I believe is the problem here.

I quote: "The failure of the OCR to make available sample forms, model language, and practical guidance has left covered entities at the mercy of an army of vendors and consultants, some of whose expertise appears limited to misinformation, baseless guarantees, and scare tactics."

Doctors often don't know who to believe, what to buy, or from whom to get individual practice assistance. They are hearing conflicting claims, and are being bombarded by vendors and consultants giving conflicting stories.

Sometimes this misinformation comes from vendors or lawyers who have a product to sell that offers a "solution" to the problem.

Multiple urban legends are circulating across the country, spread by e-mail and at meetings, such as the rumor that HIPAA requires all sign-in sheets to be eliminated or copies of all electronic data to be stored off site at a distance of 50 miles or greater.

Often the misinformation appears to be the byproduct of the complexity and scope of the privacy rule itself. Confusion and apprehension are simply a matter of well-intentioned health care workers, who suddenly find themselves appointed privacy officials, spreading erroneous beliefs about permissive or prohibitive behaviors within the privacy rule.

I want to show you an example of this that I got from a well known medical center. It is an article in a magazine.

This is a well-intentioned effort by laudable people who put this together. However, a cursory examination of this document and the articles in here revealed exactly what I am talking about. There are over 40 substantial errors. There are conflicting guidances about what to do. [Portion of testimony off microphone.]

To add to the confusion in our members' communities, some larger organizations have begun to implement HIPAA in ways that cause interruptions in the routine and necessary flows of health care information between the practices and hospitals and pharmacies.

Sometimes this is due to the over-zealous interpretation of HIPAA, as in the case of a hospital that has stopped all fax transmissions to doctors' offices in the name of HIPAA, a step that now requires the doctors' offices to call the hospital for verbal radiology reports. There are many other examples.

Delays in HIPAA privacy rule implementation, I think, will continue until there is a clearer picture of what must be done, in what priority, and with what latitude of enforcement.

Then there is the cost factor. CMS has reported that approximately half a million health care covered entities filed an ASCA-mandated extension plan by the deadline of midnight October 15.

Assuming that each of those covered entities spent an hour's time in researching the requirements for the transactions and code set standards, and in filling out the forms, I calculate that this activity alone cost providers over $50 million.

Physicians and their office staffs look at the time and effort that appears necessary to devote to privacy rule implementation.

The first step, of course, is simply to assign the most basic meaning to a host of new constructs and documents, such as business associates, notice of privacy practices, and requests to amend the medical record.

They see this as many, many times the effort. For the busy practitioner taking care of patients day in and day out, there is precious little time or money to waste.

One very specific concern of mine is that the privacy rule is a one-size-fits-all solution. To be workable, however, I believe HHS and OCR need to create zones of compliance, rather than specific targets for some aspects of compliance.

Such flexibility would accommodate the needs of health care organizations of differing sizes and complexity. Such zones would allow for simplification of implementation, especially in medical practices and in small provider organizations.

For example, I believe that the complex and lengthy notice of privacy practices requirements should be simplified and shortened for small providers. A more detailed notice could be voluntary.

We believe that business associate contracts should not be required of all those it would appear to be required of now, or that a zone of compliance with regards to BA contracts for small providers be acceptable, at least until the contracts have become standardized and the costs of creating them -- potentially many thousands of dollars for medical practices -- are reduced.

Clearly, we are merely at the beginning of a long and difficult period of HIPAA privacy rule implementation. A year hence we will know much more than we do now about the practical, down-to-earth realities of HIPAA in the offices of family physicians across the country.

Will our patients understand why we are handing them multi-page notices of privacy practices on their first visit, and appreciate the effort that has gone into making their medical information more secure?

Will the inconsistent and clumsy implementation of a poorly understood set of federal regulations merely make it more difficult for patients to obtain access to their records, and disrupt the flow of vital health information between doctors' offices, hospitals and health plans, ultimately, thereby, degrading the quality of our primary care health systems?

I would agree with Dr. Lumpkin's opinion that we are on the verge of major and widespread disruptions of the health care system unless action is taken quickly, with adequate resources to inform both the public and the provider community about the various documents and notices with which they are about to be confronted.

We need a massive public education program or we will have a massive public meltdown for HIPAA.

The academy appreciates this opportunity to submit a statement to the subcommittee, and looks forward to working with you to develop effective public-private-professional organization solutions to HIPAA privacy rule implementation.

MR. ROTHSTEIN: Thank you very much. Are there questions for clarification? I appreciate your testimony, Dr. Kibbe.

Let's move on to our second witness, and we will be back for questions for you in the panel discussion. Dr. Smith?

Agenda Item: Panel 1. Lloyd S. Smith.

DR. SMITH: Good morning. My name is Dr. Lloyd Smith. I am a podiatrist in private practice in Newton Centre, Massachusetts. I am here today representing the American Podiatric Medical Association.

APMA is the national organization representing nearly 11,000 doctors of podiatric medicine. I serve as vice president of the association and as chair of the health policy committee, which has responsibility for all federal health-related issues.

The APMA is keenly aware of the significant challenges created by the passage of the HIPAA act of 1996. When the privacy regulations were first released in December 2000, the APMA recognized that its members would need assistance in understanding and applying the regulations in private practice.

Most podiatrists practice as solo practitioners, partnerships, or in small group practices, and rely heavily on APMA for information.

As the April 14, 2003 date for compliance with the privacy regulations approaches, APMA has seen a noticeable increase in member inquiries related to HIPAA.

What is APMA doing to assist our members in preparing for the April 14 deadline? We are actively and aggressively educating our members. We have discussed the specifics of HIPAA in our many publications.

We have provided key leadership with HIPAA information, including through interactive presentations. We are constantly updating our members-only website with new information.

We have made available a list of HIPAA resources, including the OCR's website and phone number. Other identified resources include the CMS website, the free list serve to receive notification of Federal Register releases related to HIPAA, and information about the HIPAA roundtable conference calls.

Most significantly, over a year ago, APMA committed to the development of the APMA HIPAA privacy manual, which will be made available to our members on the web site and in hard copy.

A respected, well-known law firm that understands the podiatric profession is drafting our manual. Not only will the manual discuss the specifics of the privacy regulations, but it will also include sample forms for use in the office.

We delayed production of our manual until finalization of the privacy regulations in mid-August, but expect it will be available to our members in the near future. We are proud of our efforts, but more needs to be done.

In our opinion, the OCR has not yet begun to reach the provider community with information about the privacy regulations. Until it does so, providers cannot be expected to be compliant with the regulations.

Providers are having tremendous difficulty comprehending the regulations as they currently exist. As a result, small office practices may be aware of the regulations, but have not yet begun to take action toward being compliant.

The information needs to be repackaged and presented in a way that is understandable to providers. The APMA has limitations in terms of financial and human resources, yet we have committed to the development of a privacy manual.

We are not, however, the definitive source of information on the privacy regulations. We believe that providers would benefit from the creation of a detailed, in-depth manual designed for the small or medium-sized group practice.

Many individual offices do not have the financial resources to obtain additional guidance on the privacy regulations. OCR should be the definitive source for privacy-related information, and it should be available to all providers at no cost.

The OCR should add more information to its list of frequently asked questions about the privacy regulations. The recent addition of these questions to OCR's website is positive, and they provide a starting point for individuals seeking more information on the regulations.

A monthly newsletter should be developed and sent to all providers free of charge. The newsletter should provide key information, important facts, and detailed instructions about the privacy regulations to all readers. As a starting point for distribution, the newsletter could be sent to all Medicare providers.

The OCR needs to create regional or state programs to educate providers. Representatives from OCR should be available to participate in specialty-specific regional and state meetings.

For example, my region just completed a meeting involving podiatrists from Massachusetts, Rhode Island, Maine, New Hampshire, Connecticut and Vermont. The OCR's experts on the privacy regulations would have been most welcome at that meeting.

The provider community needs to have access to the experts on a grand scale, particularly as the date for compliance draws closer.

Recognizing that OCR's resources are not unlimited, and assuming that OCR has a team of experts addressing the privacy regulations, the OCR could commit to, for example, three presentations for APMA, as well as three presentations for each of the other provider groups, including, among others, the AMA, the American Osteopathic Association, and others.

This would ensure that all provider groups would have equal opportunity to hear from the experts. The APMA would be pleased to assist the OCR in scheduling presentations to podiatrists.

The privacy rule training mandate does present a challenge to APMA. Many of our local component societies are planning half day or whole day presentations on HIPAA.

The APMA applauds the efforts of those state societies organizing HIPAA presentations or seminars but, from a national perspective, the APMA will not offer privacy rule training beyond the written information contained in the APMA HIPAA privacy manual. Members and their staffs must rely on the state component societies or other outside sources for this training.

As you can appreciate, our members are being inundated with information about HIPAA. We have been unable to gauge with any great degree of accuracy the quality of the information being offered.

Many vendors and consultants will not release their information unless an individual commits to utilizing the services or expertise offered by the vendor or consultant.

Rather than investigate the numerous array of vendors and consultants in existence, the APMA is advising members to first review the information contained within the APMA HIPAA privacy manual, and then assess what additional information might be necessary, if at all.

In our opinion, it would be helpful if the OCR would assume oversight of the products sold by vendors or, at the very least, establish a quality control process. If privacy-related products are developed for sale, there needs to be an oversight to better ensure that those products contain accurate information.

The provider community needs more information concerning OCR's enforcement of the regulations, including clear identification of the penalties for lack of compliance.

We realize that the penalties are known, yet are concerned that those penalties have not been effectively communicated to providers.

More education is needed on the amount of the penalties and the situations for which penalties will be applied.

Will OCR representatives arrive unannounced in private offices? Will OCR randomly contact individuals to inquire about their privacy-related experiences?

Will patient complaints be encouraged, and will the OCR be obligated to investigate every complaint? Will providers be required to submit proof that the privacy rule training mandate has been satisfied?

Our members need to know how the new regulations will be enforced, and the lack of definitive information is frustrating for those expected to abide by the regulations. APMA requests additional guidance from OCR, so that we may educate our members.

We also have concerns about patient education. Compliance with the privacy regulations will result in noticeable changes in daily practice activities. Many patients will be confused by the changes and may not understand why they are being asked to sign, for instance, a form indicating that they have been notified of their privacy rights.

What if the patient refuses to sign that form? If patients are not educated and are resistant to changes being implemented in private practice and elsewhere, what protections exist for covered entities?

The privacy regulations impact everyone, providers and patients alike. Does the OCR have plans to educate patients about the new regulations? That should not be the sole responsibility of the covered entity involved. The OCR needs to take responsibility for ensuring that patients, as well as providers, understand the new regulations.

The APMA is not familiar with best practices being done in the industry. We are unaware of compilations of best practices available.

In terms of the state/federal preemption analysis fundamental to HIPAA integration and compliance, we believe that entities are unaware of the need to perform this type of analysis.

Additionally, most individuals are not familiar with the state laws regarding privacy. The integration of HIPAA and other federal and state laws requires action by the OCR.

A compendium of existing state and other federal laws should be created and made available to the public. These laws should be clearly articulated, so that the average practitioner reviewing the information can understand them.

If the information is made publicly available in a standardized format, the likelihood of adherence to the standards increases.

If practitioners do not realize that differences in the standards exist, or that a state standard is more stringent than a standard contained within the privacy regulations, then the correct standard will not be followed.

If the state and other federal laws related to privacy are clearly identified and maintained in a common location, then practitioners will be better able to adhere to the correct standards. The APMA encourages the OCR to take responsibility for creating and maintaining such a compendium.

In general, we believe that the covered entities, particularly practitioners, need more help in achieving compliance with the privacy regulations by the established deadline.

Most practitioners are already overwhelmed with existing regulations and are struggling to comprehend the privacy regulations. More needs to be done.

As the national organization for podiatrists, we will continue to educate our members about HIPAA and the privacy regulations. We need your active assistance with that endeavor.

On behalf of the APMA, thank you for including us in today's hearing, and for providing us with the opportunity to offer comments.

MR. ROTHSTEIN: Thank you very much. Any questions of clarification for Dr. Smith? We will get back to you during the panel discussion. Dr. Jennings?

Agenda Item: Panel 1. Carol Jennings.

DR. JENNINGS: Good morning. I am Carol Jennings. I am a professor at the University of Maryland. I am very happy to be here.

I have been interested in the whole privacy process for a long time, and teach HIPAA and the latest iteration, as it comes out, to my students.

In fact, we just got a notice that we are to include HIPAA and the implications of the last rule in all of our curricula for nursing students.

I am going to do something that I tell my students never to do. I am going to read to you. I apologize, but I do want to be true to the testimony of Dr. Jan Towers, who is the policy director, and legislative director, for the American Academy of Nurse Practitioners.

I will briefly tell you who we are, where we practice, how we practice, and how it is unique. The American Academy of Nurse Practitioners is the largest full-service nurse practitioner organization.

We represent nurse practitioners in all specialties, and we represent over 75,000 of the nation's 82,000 nurse practitioners.

As many of you may know, nurse practitioners are advanced practice nurses who provide primary care and specialty services to individuals and their families.

Much like a family physician, they diagnose and treat acute episodic illnesses, such as infections and injuries, and also chronic diseases, such as hypertension and diabetes.

They take medical histories. They conduct medical exams. They order, perform and interpret diagnostic and laboratory tests, and make diagnoses and prescribe treatments, including medications.

Nurse practitioners have a minimum of six years preparation with additional professional nursing experience. Entry level preparation for advanced practice nurse practitioners is a master's degree.

Didactic and clinical courses prepare nurse practitioners and, by the time they leave our programs, they have many, many hundreds of hours of supervised clinical practice.

Nurse practitioners are licensed and regulated by the state board of nursing in the states in which they practice.

They provide practice in a variety of settings, including free-standing primary care clinics, physician practices, HMOs, nurse managed centers, hospital outpatient and inpatient settings, long-term care, schools, occupational health settings, public health departments, the VA, and other federal facilities.

Over 30 percent of nurse practitioners today work with vulnerable populations, which include the elderly, the homeless and indigent groups and chronically ill.

The autonomous nature of the nurse practitioner's advanced clinical practice requires accountability for health care outcomes.

Ensuring the highest quality of care requires certification. So, in addition to their licensure, they also receive certification as an advanced practice nurse, periodic peer review, clinical outcome evaluations, a code for ethical practice, evidence of continuing education and development and, of course, they have to fulfill a certain number of hours to be re-certified. So, there is a great emphasis on maintaining and upgrading their clinical skills.

Nurse practitioners are committed to seeking and sharing knowledge that promotes quality health care and improves outcomes and, within the practice, the maintenance of confidentiality of patient records, and the responsibility of each nurse practitioner to be a patient advocate is clearly stated.

Patient advocacy, including protection of patient privacy, has always been a very high priority. Steps have always been taken within our practices to protect patient confidentiality, and to prevent any exploitation through the inappropriate use of this confidential information.

We find ourselves in a unique position as we begin to implement the final rule that was released in August, protecting patient rights, the advocacy of patient privacy protection.

On one hand, nurse practitioners may be working in their own clinic, where they are responsible for the implementation of the patient privacy regulation in that setting, or they may be functioning in settings that require them to be knowledgeable about the issues surrounding the regulations, but do not necessarily control the business and practice interactions of the entities that they work for.

Let me just highlight some of our concerns regarding the implementation. I guess the first on everybody's minds is cost.

Small practices, or practices in clinics with limited income are concerned about their inability to implement the perceived requirements of these rules, because of the cost associated with compliance.

One example given was the cost of building new firewalls to protect computer-based records and processes used in electronic billing.

These practices and clinics often serve our most vulnerable and isolated populations, and our concern is, what will happen to patients if the cost for implementing privacy rules is so excessive that these practices and clinics can no longer operate.

Presently, there is a sparse supply of free or low cost consultation or guidance available to small practices, for those with limited income.

The costs charged by consultants who sell their how-to information is prohibitive to many small practices, and clinics serving low income populations.

Guidance systems need to be made available to them as well. She adds, questions arise regarding the exploitative nature of consultants, who charge heavy fees to help people learn how to implement new rules.

The second concern is compromising quality of care. In addition to the cost concern, that it may close practices and clinics, there is also a concern that it will be very difficult for health care providers to exchange information in order to help patients.

There are concerns that referrals to specialists will not be responded to. Hence, information about the patient being seen by the specialist will not get back to the original primary care provider, interfering with continuity of care.

Fears have also been raised regarding what happens to a provider who releases patient information to a specialist.

If the specialist subsequently releases this information to another entity, without obtaining the proper consents, will they be held liable -- the nurse practitioner -- if proper procedures were not followed by the specialist.

The next concern, establishing fee schedules. In settings where sliding fee schedules are used, there is concern regarding the kinds of consent forms that will have to be used to determine eligibility of a patient to be billed in a certain way.

In settings providing care to vulnerable populations, there is concern regarding the kinds of restrictions that will be placed on clinics as they determine this eligibility.

Another concern, patient care studies. There continues to be concern that simply trying to track patients epidemiologically or to simply conduct an evaluation on how well a practice or a community is meeting the Healthy People 2010 standards for health promotion, will be compromised by the requirements to de-identify patient information in order to study patient care results.

Under the marketing concern, clinics and practices often receive third party assistance with printing newsletters, health promotion tips, or guides for care, that could not be shared with patients without such subsidization. Concerns about loss of assistance in this area continue to be expressed by our nurse practitioners.

In summary, while the language of the law may, on the surface, be reasonable enough, the potential for implementation and enforcement overkill could, in fact, while protecting patient privacy, severely compromise patient care.

In response to the questions that you directed to us, the first question regarding outreach, education and technical support, outreach, education and technical support services from the federal government are seriously needed to help implement this law and its regulation in an uncomplicated and clear manner.

These services should not be economically prohibitive, so that small practices and clinics will be hindered in implementing the rules.

Currently, what appears to be available is high priced and, at times, appears to be feeding the overkill frenzy that appears to be emanating from these rules.

Currently, the rumor mill is having a very negative impact on practices. Everyone has heard something, but little can be documented. Harnessing this will facilitate the logical implementation of the patient privacy rules.

I think nurse practitioners have no doubt that the patient privacy process, down the road, will become very routine and commonplace, although right now it is surrounded by a lot of anxiety.

We had the same anxiety when we implemented universal precautions, probably, 10 years ago, and we could not imagine practicing with gloves on and eye shields to protect ourselves.

Question two was the areas in need of guidance. Currently, there seems to be a great deal of misinformation being circulated, through hearsay, that can be very damaging to the implementation of the regulations.

The concerns regarding cost, payment, and the disruption of continuity of care and the dissolution of quality of care through over-regulation need to be addressed.

Particular attention needs to be placed on the impact of these regulations on the individual practitioner who is working directly with patients on a daily basis.

Rules to prevent improper corporate activity should not be implemented in a way that clinicians, such as nurse practitioners and physicians, are no longer able to provide high quality care to their patients in both private and public settings.

Question number three regarding best practices, while best practices have been found to be an excellent way to guide implementation, caution should be taken not to set limits in implementation through rigid use of best practices that may be applicable only in a unique and narrow situation.

Question four regarding available resources for HIPAA compliance, the availability of resources for the individual practitioner right now appears limited and costly.

Our organization is very willing to work with the advisory group in CMS on the implementation and dissemination of usable resources.

Question number five regarding privacy rule mandates, where approaches are being made, groups are getting together to discuss and share ideas and plan for the implementation of these rules in an efficient, logical and cost effective manner.

Unfortunately, not everyone has access to this kind of resource. Hence, the need for other kinds of guidance and resources.

As an organization, we are attempting to discover where the problems exist, so that we can facilitate and increase knowledge and guidance regarding the issues surrounding implementation.

As many of you know, sometimes our practices are extremely remote, and the feat would be to get the guidance to those practitioners as well, who perhaps could not readily come to a central area for conferences.

Questions six, seven and eight were regarding private-public partnerships, integrating federal and state mandates, and accuracy and quality of information and service.

Some concerns expressed earlier reflect concern regarding the integration of these regulations with other federal and state requirements.

There is a great deal of concern that the accuracy of information being disseminated is lacking, and that improved resources for the small provider and the provider working with vulnerable populations need to be protected and assisted, so that their valuable work does not get undone.

We would emphasize that nurse practitioners, because of their position as primary care providers and as patient advocates and guardians of patient rights, need to be included in the policy making activities surrounding the implementation of these rules.

In closing, you can see that we have a variety of concerns regarding the implementation of the patient privacy rules, both in our own clinics and practices, and in the institutions, practices, clinics and agencies that we serve.

Because we are in so many settings, issues that focus on implementation are varied. Also, because we are in these settings and play a pivotal role in the care provided there, they can be a valuable resource in the implementation process.

To date, this resource has been under-utilized. We are here to offer our help in any way we can. While nurse practitioners have multiple concerns regarding the implementation of these rules, they also have a great deal of knowledge regarding the concerns of clinicians and the realities of implementing the rules in the settings where they practice.

They also are very good at promoting patient trust. They are a very trusted entity, and I think their expertise could be utilized to also convey the message about this process to patients.

The American Academy of Nurse Practitioners is willing to provide more information and to be of assistance to you in your activities, and we thank you for this opportunity.

MR. ROTHSTEIN: Thank you very much. Are there initial questions for Dr. Jennings? All right, let's proceed to Dr. Van DeCastle.

Agenda Item: Panel 1. Keith D. Van DeCastle.

DR. VAN DE CASTLE: Thank you. I am truly honored to be here today. Due to the fact that I get the wonderful opportunity to get to be last on this panel, I am going to ask the committee's permission to give a little bit more verbal testimony and to try to elaborate, because some of the panelists have already hit on some of my key points.

I am just a rural hick country doc. I graduated from the University of Tennessee Medical School. My classmates honored me with a Golden Scalpel award as the one student with the brightest future in medicine.

I went and practiced in a clinic in Myrtle Beach. I found out that who came to me in my clinic in Myrtle Beach was patients that didn't feel comfortable getting care in their own home town.

So, the greatest majority of my practice wasn't anybody who lived in Myrtle Beach, but was people who actually didn't feel comfortable in small, rural North Carolina or wherever, and would drive down to see me as their family doc in Myrtle Beach, because of concerns about people in their own small town knowing this. I became amazed by this.

This continued when I went and practiced at a federally designated rural health clinic in Mississippi. It turns out that the people who came to my clinic were largely people from other small towns, who came to this small town, whereas the majority of the people in my small town went other places for their medical care.

They had real reasons for doing this. There were real stories behind clinicians who had actually not lived up to the Hippocratic oath and had been willing to discuss stuff and had not been forthright with their patients about their honesty and disclosing information.

So, I became very interested in HIPAA and decided, in 1995, to go back to school full time to study HIPAA. This was kind of bizarre and all the other practitioners thought I was a little bit nuts to do this at the time.

I had a couple of instances that really kind of seriously attracted me. I had this practitioner down the road who had actually had an incident happen where his nurse had actually divulged something about a cheerleading physical in order to try to get her daughter a position on the cheerleading squad.

There had been an incident where a patient, who was a high school football player, had died from an arrhythmia on the football field.

So, she went to this other cheerleading sponsor and said, you know, I don't know if you should take this girl who has a sinus arrhythmia -- which almost every teenaged girl will have at one point in time -- on the cheerleading squad, and she did.

As a result of that, the word leaked out and the physician was sued for $50,000. Now, he had not done anything, but his nurse had done something wrong. Because he was the deeper pockets, they chose to go after him.

He ended up settling for a lesser amount, but it became very clear to me that America is not waiting for HIPAA. Privacy is a greater concern to Americans every single day.

I went back to school, studied HIPAA, and I have traveled around the country. I did 25,000 miles this month speaking to small rural groups across the country.

I was honored to get to do the national webcast for the American College of Physician Executives. As a result of this, I continually get calls for people asking me to come speak.

I have been in places like Abingdon, Virginia and Missoula, Montana and wonderful little small places like this.

I get to actually hear a lot of concerns from physicians and their office managers about this. It has been really interesting to actually get to listen to all these comments.

That is why I feel particularly honored to come and speak with you today. First of all, I want to reassure the committee that I don't think you guys need to worry about enforcement at all. I think the legal community is going to do this just fine for you guys.

At over 200 talks, I have actually given out my home phone number. I received a call yesterday from a clinic that actually had to pay out two privacy violations already this year.

The first one, somebody asked for all their records. They divulged all their records. They also actually divulged their HIV status, which they shouldn't have given, just on the basis of a simple authorization.

They duked it out and eventually the patient settled for $10,000, but the clinic had more than that in legal fees before they got to that point.

They had another case where someone divulged some information about a patient while in the hospital, who turned out to be the wife of the person's boss. They are being sued for $85,000.

I think what you are going to see is that the legal profession will do a wonderful job of enforcing the privacy regulations. I forever tell people, do not fear the government. Fear the general public.

It is really the general public that you really need to be afraid of when it comes to HIPAA. You guys really don't have enough teeth to really put a lot of fear into a lot of clinicians' hearts, where a lot of attorneys do.

What I decided to do, after studying all this and learning about this is, I decided to form a company. I met with a bunch of people. I went to over 100 HIPAA conventions. I was like David Kibbe says, one of the HIPAA illiterati or literati, depending on how you choose to look at it.

What I did was, I formed a company that I thought made sense about HIPAA and we formed a training company called HIPAA Compliance Services.

In response to the fact that there are a lot of consultants and other people who want a lot of money, we decided to put together a training program based on the case study method, and we market this to physicians and their entire staff, including a policy and procedure manual at the low cost of $50 for a physician.

What we decided to do is, after learning and working with the American College of Physician Executives for several years, I learned that physicians and clinicians are terrible at remembering things.

Actually, the study showed that, you know, when the American College of Physician Executives train clinical staff, that their remembrance of what they have been trained on after three months is less than 10 percent.

What little they did remember was case studies. What we have decided to do is actually go out and try to teach HIPAA using the case study method, because we find that that is the part that physicians remember about this.

So, as I go around the country, I try to teach physicians using the case study method, how HIPAA will actually impact their small practice.

With that, I would like to actually go through a case study with you. First of all, you need to know what HIPAA is, if you don't already.

Second of all, this is a case study that happened actually near here, that was presented to me. A blood pressure medicine was going to the second round of clinical trials.

The first round of clinical trials, it had only been tested on men, like a lot of blood pressure medicine. It turns out this drug interacted with a hormone therapy.

It turns out that women who are on hormone therapy, taking this new blood pressure medicine, if they are asthmatic, can have the worst asthma attack of their lives.

This one woman was brought to the ICU, was intubated immediately, and it saved their life. Another woman was brought into the CCU. What happened is that they had had a well-known attorney firm come and advise them on HIPAA and tell them that the definition for treatment and payment and health care operations was simply that health care operations was what you do to take care of that patient, not what you do also to take care of future patients.

The respiratory therapist was threatened with loss of her job if she discussed patient information outside what was necessary for that patient. The patient was intubated late and, unfortunately, had a negative outcome.

What this is, is a lack of proper HIPAA information. They should know that they in health care are allowed to share information with this kind of thing.

What I am seeing is that there is so much scare going on about HIPAA that people are deciding to do all the wrong things.

I see people not willing to let drug reps back into their office. I see people not willing to fax information, like David Kibbe said, to their practice.

There is a story of a nurse who delivers at her hospital. She actually presents to her physician and tells her physician that she has never had an abortion. That is what a gynP0A0 means.

After eight-and-a-half months of pregnancy, she actually confides in her doctor, that she did have something happen in college. She was whisked away, her sorority sisters took her away, and she had an abortion.

She decided that it was important to share this with her physician. Her physician agreed. Her physician felt like he had been given this information -- now, many obs that I have told this story to said, it is their practice to hide information that is medically necessary out of the patient's chart because of concerns over patient privacy.

Many physicians, even though they think this is medically necessary, and they may not be the ob who delivers this case, they will hide this information from the patient's care givers.

Anyway, she went ahead and told her physician. Her co-workers noticed that this had been changed to a G2P0. They said to themselves, gee, I wonder why this woman decided, at eight-and-a-half months, to change her chart. I guess she kind of got nervous about this and decided to share this information.

What happened is that her co-workers confronted her, it got to be fairly gossipy in this small southern town.

It turns out that her husband was vice president at the bank, heard about this little story that had happened at the local rumor mill, which was called the hospital.

The nurse delivered at the hospital. Zero people came by to visit the nurse at the hospital, which was very unusual for a nurse that delivers at her hospital.

So, the husband was transferred to Idaho. The nurse was asked to move away from her family that had lived there for three generations. The attorneys said there were no safeguards or policies.

Explain to me why the attorney said the ICU should be allowed to look at ob's records. Explain to me why the ER should be looking at the ob records of a woman delivering.

Anyway, they settled this case out and the patient received $500,000, which is not an inordinate sum, considering the fact that this woman's life was ruined.

This is how the privacy regulation will be enforced, is by people actually getting sued similar to this. This woke up this entire hospital. They have decided that gossip can no longer be permitted.

They have decided some other things that they are going to change. They are putting safeguards in place electronically.

This is a patient that comes to me when I was a physician. She came to me and said, I don't want my second husband to know I had a hysterectomy, because I think he will think of me as less than a woman.

Now, she doesn't want her children to know about her drinking problem. She doesn't want her boss to know about her bout with depression. She doesn't want her cousin who works with you to know everything.

This is the most unworkable part of the entire privacy regulation. This is the greatest concern of the small providers that I talked to.

This is, by far, in every single talk, the subject that garners the most attention. This is the legalization of the doctor-patient relationship.

This is something that a small provider, who practices with largely paper charts, cannot afford to deal with. This single part, I would venture, will actually double the cost of the privacy regulations.

This is an acceptable case for certain instances. Let me give you an example of a certain instance. Mr. and Mrs. Black had been married.

Mr. Black is an alcoholic, was abusive to his wife, and frequently is away on business trips. Mrs. Black actually has an affair with Mr. Black's brother.

She tells her physician about this. Her physician says, I will keep this confidential. Fast forward 30 years. Now, Mrs. Black is older, has Alzheimer's. Mr. Black is moving away to take care of his wife in a special retirement center. He wants all of his records.

The physician passed down the restriction and agreed to not give that information to Mr. Black because that information wouldn't be in the patient's best interests.

In a few rare instances like this, this is a very workable law. To pass this off to every rank and file practitioner, that they need to be able to accept restrictions, just because a patient asked them to, is to ask them to create a whole separate liability issue for your small providers that they cannot financially handle.

It is getting to the point where they are going to have to take on privacy malpractice insurance. As I give talks, I received seven different physicians last week who told me about privacy violations that they paid out cash for.

The average one is about $50,000. They are not usually large things. They are usually kind of nuisance lawsuits that drive providers nuts.

This is, I think, the most important issue, when I go around and speak to providers, that I would merely ask you guys to consider, is how to actually enforce this.

I see providers saying what does this mean. If someone comes to me and wants to restrict information, do I have to do this?

I know I have a new staff member. The first two days of my new staff member at work, I have to learn what are Mrs. Jones' restrictions, what are Mr. Black's restrictions, everyone in my clinic, who would actually like to keep something a little private. Now I have entered into a legal relationship with them, where I have accepted them.

I tell practitioners all the time, your policy simply has to be that if somebody wants a restriction, they will put it in writing, it will be reviewed by a committee, but except in extreme dire circumstances, the committee should refuse all requests.

Except in cases like Mr. and Mrs. Black, where there is an overriding medical need, this is an unworkable situation for many providers, and it is something that I think is actually the most important issue that you guys can actually consider going forward.

I speak with a provider in Montana who tells me, okay, I get it. I need to send a notice of privacy practices. That is fine. I need to take a look at my office and try to figure out how to be more private. That is fine. I need to enter into a legally binding contract?

I tell providers all the time, simply tell the patient that I will do my best to make sure that your husband doesn't find out about your hysterectomy, but unfortunately, I have to work with humans.

This is the best I can do, is to try to give you my word, to try to keep this as private as possible. Thank you for your time.

MR. ROTHSTEIN: Thank you. First, any clarifying questions for Dr. Van DeCastle? Let me then open the floor for general discussion with the entire panel members, and the floor is open for questions or comments from the subcommittee members.

DR. HARDING: Can I start?

MR. ROTHSTEIN: Please.

DR. HARDING: Thank you all very much. We appreciate the testimony and look forward to the discussion here and, please, if you have questions or comments, please help us.

One of the things we are focusing on is how we can best present this to the public, to the professionals, to all kinds of different individuals who are affected by these rules.

I think I kind of was writing down here, as you all were speaking, that there is a base data system, or knowledge system, that has to be dealt with.

It has to be delivered through some conduit. I think Dr. Lloyd was talking about the APMA being a conduit from OCR to your members.

Then it has to be absorbed or dealt with, and I think Dr. Van DeCastle said that he found the issue of case studies to be the way that people absorbed things the best.

What is your thinking of what your organizations can do that will help with this transmission of facts and data and get them out there and get them being utilized.

Evidently, with the recent requirement to re-up for the transaction part of HIPAA, there were not as many people signing up for the extension as we would have liked to have seen.

What has to happen, in your opinions, to get things across to the public, that will allow good data to be conduited to people, and have it absorbed, in your opinion? Maybe Dr. Kibbe can go first.

DR. KIBBE: Dr. Harding, you are asking the $64,000 question, and I don't have a single answer to that question that will guarantee success.

I think that we have to take into consideration the fact that the medical specialty societies, including the American Academy of Family Physicians, are still getting up to speed.

We are still learning ourselves. We are still modifying the information that we have, and transmitting to our members.

We are, at the same time, gathering more and more feedback from our members about the limitation, as it occurs.

I think that the medical specialty societies -- and I am talking about not only the major medical specialty societies, but the state societies as well, are still a very important reserve of information for practicing physicians, including the organizations that they work with in communities such as nursing homes, extended care facilities and hospitals.

I think that that resource is largely, at this point, untapped, and needs to be developed further.

One of the questions you are asking, or implicit in the question you are asking is, given that we have an extremely diverse group of practices, medical specialties, and communities in which they practice, practice types, et cetera, one of the real problems here is just simply getting the attention of the practices and their office staffs, and there is no one absolute way to do that.

That is a separate question, I would suggest, from the issue of then qualifying that information, so that they only get the best information.

One of the problems that was mentioned here, but which I did not take up, is the whole issue of state preemption.

It complicates the matter of vetting, if you will, or filtering information, so that it gets to the members and to the practices and to the organizations.

So, I think we have an untapped set of resources here that we can count on. That would be one thing I would suggest.

I also think -- and I will finish with this -- at some point or other, we are going to get to some sort of accrediting or credentialing or certifying process.

I hesitate to recommend that. I am not sure it is workable. I think it would be better than having tens of thousands of experts, who are not really very knowledgeable, but who are selling products, and are out and about, causing mass confusion in this environment.

DR. JENNINGS: I think that is a very good point. There are a lot of vendors out there who are selling their HIPAA product.

We feel vulnerable. We don't know anything about their credentials or how much they know. So, I think we need some federal guidance, or we need some people out there, that we know that they know what they are talking about and we can trust them.

Certainly, our organization will do a lot to communicate the privacy process to our nurse practitioners. We do that with our annual meeting. We certainly can have a workshop that just deals with this issue.

I was going to ask if any small grants might be available to help providers develop a compliance manual. I think if nurse practitioners had something that was developed by knowledgeable nurse practitioners, they could relate to it very readily and they could see exactly how relevant it is in a particular patient care setting, or a particular patient care situation.

So, that is another thought, but we certainly will be doing a lot of work within the organization. That is where our practitioners come.

David said the same thing. They come to the organization to be updated and to get the policy information that they need.

DR. SMITH: I will take a stab at a couple of comments. First of all, whatever gets done can't be in Federal Register legalese.

It needs to be simple, big type, basic language, that the average, small physician practice, health practitioner, can understand in a sit down, easy-to-read format. Otherwise, it will be on a shelf or in the trash as it is received.

I do think there needs to be a guidebook developed, of some sort, by somebody. I imagine OCR or this committee can encourage that, maybe out of HHS or through Medicare or somebody.

Again, there should be some sort of official information for us, and this would seem to be it.

As far as accrediting, I think accrediting vendors might be a reasonable approach. I do not think that practices or hospitals or health professionals should need to, in any way, be accredited as compliant. I think that would create a huge morass of problems for everyone.

I think, from an APMA point of view, one thing we have as an organization is a very loyal membership base representing 70 to 80 percent of the podiatrists in this country.

It is somewhat unique compared to other medical organizations, who have a much smaller percentage, but we do have a high percentage of loyal members who read our information regularly.

We have a very effective communication set of vehicles, from a monthly newsletter to a force e news, to an every-other-week short alert.

We also are very well tied into our regional and state organization and affiliates with seminars, such as the one I addressed. We could certainly reach, in a seminar format, most of our members within a one-year cycle, if, in fact, someone decided to put together a HIPAA training seminar, of sorts.

One thing we tried several years ago, when it came to training podiatrists about the new ENM documentation guidelines, is that we set up a seminar to train local trainers on the new ENM documentation guides.

Perhaps OCR or some federal organization could do that, train a relatively small cadre of physicians, podiatrists, other health professionals, who could be certified or accredited to go out and do a seminar and, in a two or three hour seminar, perhaps pass on the information.

Many of our state components are doing that. I know in Massachusetts we are doing that in December. I think if there was something more formal or more official, that would be helpful.

As I wonder about the accuracy of our own privacy manual that APMA is producing, and also the accuracy of the information we are going to present, it makes me a little uneasy, from hearing the comments today, that maybe we are not presenting the best information because we aren't the official source.

We are just an average organization trying to interpret federal guidelines, which are not easy to understand.

If we make a mistake, it is an honest mistake, but if we pass it on, maybe our members are going to be the victim of a substantial lawsuit from misinformation.

Maybe our integrity as an organization is going to be compromised and will need to be defended for the same reasons.

One of the things I would like to say, there are a lot of physicians, maybe even half the physicians, that aren't part of any specialty societies.

You are going to have to figure out how, one, to work with the special societies. I think David Kibbe is absolutely right. Working with the state societies is a very good place to do that.

Having worked with a couple different state societies, a lot of them are reluctant to go out for the same reasons you just said, because they don't want to take the responsibility of putting out the official word.

I think if we look back on health care, I think health care responds to market forces very well. I think that, although we should try to do our best to educate a lot of physicians and clinicians, I think your biggest bang for the buck is going to be educating patients, because they will go in, in turn, and speak to providers about what the deal is on HIPAA.

I think if you have a very limited budget, I would think that putting out accurate information in such things as Ladies Home Journal and stuff like that, as long as you could be aware of that information, it might be some of the best ways you could actually get the information across to the general public, as to what exactly it is.

I think it would be better for you guys to do this proactively than to find out, like David did, when he was reading this magazine how much actually misinformation is being put out there, and I would suggest that.

I think that one of the questions I hear over and over again from practices is, what do I need to do for my physical practice.

Having visited dozens of different practices, every one is completely different. It needs to have a different physical assessment.

You can't go out to hundreds of thousands of practices and make an individual thing. It might be something where HHS goes through and does a few models and says, in this office, these are some reasonable steps to make, and produces a video, puts it on their web site.

Although you won't be able to garner this for a lot of offices, I get requests from offices every day, if we could produce something that would show them how they need to make this.

This is, I think, one of the most helpful pieces of information. I think as far as hospitals and health nets, I think a lot of them actually have a lot of these policy manuals and stuff now.

I don't think there is really that much difference between them. I would encourage you to try to do something as far as the use of e-mail or trying to get out to the physicians.

A lot of the actual rural physicians are members of IPAs, and there are associations of IPAs that get the word out. So, a lot of time you can get the word to each of these IPAs, who will reach 300 to 400 doctors each, and that might be an effective way to get the word out.

DR. JENNINGS: I just wanted to make a comment. That was my point, that probably individual providers who provide care directly to patients do not have to know everything about the privacy rule or about HIPAA.

They need to know what they need to know. So, if you could develop something for the provider who works in a rural setting or with a migrant health clinic, what are the points that you will have to be aware of, and how can you protect that particular patient's privacy.

I think many of us have kind of said the same thing, but that would be helpful.

DR. SMITH: I have one other point. I think that one of the things we have looked at, as we have developed our manual, is a top ten list to implement.

We realized that presenting people with a 50 or 60-page instruction manual was a challenge, but if we could get them to focus on 10 items -- and we don't know what the 10 items are yet, but posting your privacy notice is going to be one of them.

Even something as basic as that, and getting a privacy notice to them that they can post, is also very basic, but that is at least a start.

If we can get them to focus on 10 items up front, maybe they will get through the whole manual and become totally compliant. The simple things are the things that are going to work.

MR. ROTHSTEIN: I have just a short question. Dr. Kibbe mentioned the figure, an estimate. He said that fewer than half of the members of his group -- the American Academy of Family Physicians -- were HIPAA compliant.

I was wondering whether you would be in a position or taking such steps. Dr. Smith, do you have any sense of the percentage of your group's members?

DR. SMITH: I am sure it is considerably lower than 50 percent. I think that people understand the word HIPAA. That is where our membership is at right now.

I shouldn't say they understand the word, HIPAA. They recognize the acronym, is probably where they are at.

They are scared about what the implementation issues are. We raised a question -- I did -- a couple of weeks ago, about transaction standards and how many people had not filed for their extension.

No one raised their hand. Afterwards, five people came up to me and said, what do we do, it is October 19 now. I think there were a lot of people that didn't file who were embarrassed to raise their hands that day, yet we were out there day after day telling people to file. I think that is kind of where we are at.

MR. ROTHSTEIN: Dr. Jennings, any sense of ANP and their understanding of HIPAA requirements?

DR. JENNINGS: I think many of them certainly have followed HIPAA since 1996, but they are just getting into the world of the patient privacy process.

As Dr. Tower said, that has always been a hallmark of nurse practitioner practice, has been the confidentiality and patient protection.

In terms of these new regulations, I would say a very small number could go out and implement them, at this point.

DR. KIBBE: In terms of estimates, I think I can do a little better than just speaking for AAFP. The Coalition of Medical Specialty Societies, that is an informal group that has been meeting now for about six months, has its own list serve, represents over 450,000 physicians, practicing physicians.

One of the speakers pointed out here today that one of the realities of medical care in American medicine now is that most family physicians belong to their specialty organization. Most internists belong to the ACP-ASIM, most pediatricians belong to the AAP.

Loyalty and trust in communications has been re-established, I think, in this country over the past 25 years on a medical specialty basis.

The representatives of those 15 or 16 medical specialty societies who, by the way, we think will grow in number as we go forward, feel that, as of a couple of weeks ago when we were talking about this field, that considerably fewer than 50 percent of their members overall are implementing a privacy rule implementation program right now.

The other thing I would like to point out about that is that, we have to see this in terms of the larger context of HIPAA implementation.

HIPAA is about administrative implementation. HIPAA is about standardizing business transactions between the providers and health plans. That is a very good thing. That offers providers, including small practices, enormous potential benefits in terms of efficiencies in running their practices, improved revenue collections and better business practices, better communications with their patients about those things.

That is a message that most physician practices have never heard. It is important that they hear that message because privacy, then, is seen within the context of that larger overall goal, which benefits not only them, but benefits the public.

I am finding it much easier to talk about the role of privacy rule implementation, once my members understand that the implementation of transactions and code set has benefit to them.

If it invigorates electronic communications, we must be very careful to protect the privacy and to put in place the security measures.

I think that is another issue. To the extent that we isolate privacy from the larger picture, I think we run up against more and more problems with our members.

DR. HARDING: Just one thing. In your opinion -- and I know you can't speak for all your members and so forth -- but in your opinion, if people aren't doing anything, who is it that they figure will do something for them?

I mean, do they feel, what the heck, the clearinghouse will take care of all this for us, or something like that? What is it that they feel -- who will fill the gap, if they don't, so to speak? Do you have any thoughts about that?

DR. JENNINGS: I don't think the rubber has hit the road yet for nurse practitioners, and maybe other providers.

I think, as we start seeing some lawsuits, as my colleague commented on, and they become more publicized, people will realize, I have got to take this very seriously.

There is a lot of anxiety now, a lot of behavior that indicates they don't know what to do or where to go.

DR. SMITH: Me, personally, in my own practice, and most of my colleagues, are hoping and praying that that is going to happen over the next year or so, but it is totally, completely, out of our control, as individuals running a practice.

As far as presenting the privacy information, for the average podiatrist, they are going to look at APMA and the state society and the malpractice company, to do that kind of information presentation, which is traditionally how this stuff has been transmitted.

My concern is that the authenticity of that information is interpretive. It would be much nicer if there was official, formal training or documentation forthcoming from HHS on this, that didn't put that responsibility on organizations that really are not that well equipped to handle this.

DR. KIBBE: Let me just add that we are, I think, as a coalition, doing a fairly good job now, and will be launching a major media campaign within the major medical organizations, which has somewhat already started, about the transactions and code set standards and the fact that you can't rely on the vendors or the clearinghouses to do it all for you. You really have to start asking the transactions questions now.

It may be necessary for you to find a new vendor who can, at least, get the major transactions in place and tested with health plans that you do business with, so you can be paid.

I think we are making progress in helping our practices and our members understand that they have got to act. It isn't somebody else's responsibility.

I think that, up until very recently, I think the assumption has been the vendors will take care of it, and that isn't happening. What is happening, at least universally, is what Dr. Smith mentions.

I think the other issue -- and I want to make clear about this -- is I believe a majority of our practices, between now and April, will start HIPAA implementation and the privacy rule.

It is just, how far will they get and how much trouble will they encounter between now and then, that is the question.

I would also like to say one last thing, is that I think it is correct, the public is really going to make the difference here.

DR. ZUBELDIA: We have heard wonderful testimony this morning. I am wondering how important it is to educate the patients and what is, in your eyes, the best method to achieve that.

Obviously, we need to make sure that all the covered entities comply with HIPAA and understand what it is that they need to do.

What role do the covered entities play in educating the patients? What role does HHS play in educating the patients? What, in your eyes, is the best way to approach that part?

DR. VAN DE CASTLE: I would like to take a stab at that. I think what it is, it would be tremendously helpful for a lot of small providers if HHS would put out a one-page handout that they could give to their members, to give to their patients saying, this is from HHS. It is an official word on HIPAA.

It would be something that each small provider could hand out, that is written at the sixth grade level, like you say, in large print.

Each of these providers is trying to figure out how they are going to communicate to their patients about this.

It would save a lot of trouble if HHS could try to come to grips with this and actually could do that. I think that would be something that could be tremendously valuable, especially to the smallest of all providers.

DR. JENNINGS: I also think, when there has been new information that has had to be communicated, I think the visual route is very helpful.

If a video could be developed, that a patient could either look at in the office, or perhaps find on the internet, I mean, all of our patients surf the web now.

There is certainly a class of patients that cannot readily access computers, but that is really narrowing considerably.

I think that, whatever we do, you need to have a good infrastructure in terms of using the internet.

MR. ROTHSTEIN: I think that question and the answers is a very good segue to our second panel, which will deal with communicating with consumers.

I want to thank all four of you for very fine testimony. That is going to be very helpful to us. The subcommittee will take a break for 15 minutes, and resume at 11:05 with panel 2, on educating consumers.

[Brief recess.]

MR. ROTHSTEIN: If you could take your places, everyone, please, let me welcome you to the hearing of the subcommittee on privacy and confidentiality, of the National Committee on Vital and Health Statistics. This is panel number 2, communicating with consumers.

Before we get started with the panel, just a word to notify our witnesses, you will have 10 to 15 minutes to testify. I will give you a one-minute notice.

After your individual testimony, we will open the floor for brief questions by the subcommittee members, if they didn't understand something, et cetera, ask you to clarify, and then we will have our panel discussion at the end of the completed testimony.

So, without any further ado, I will welcome all of you and ask Dr. Lefebvre if he can proceed.

Agenda Item: Panel 2. Communicating with Consumers. R. Craig Lefebvre.

DR. LEFEBVRE: Thank you. Good morning. My name is Craig Lefebvre. I am managing director for health communications and social marketing programs at the American Institutes for Research.

I appreciate this opportunity to testify before the National Committee on Vital and Health Statistics Subcommittee on Privacy about the uses of social marketing concepts and techniques to help educate the public about the HIPAA privacy standards that will go into full effect April 14, 2003.

Based on my experience with developing, implementing and evaluating social marketing programs, and the empirical and practical lessons learned from over 25 years of work in this field, I will focus my comments on several key issues.

The first issue is that communication messages are most effective when their content, form and style are tailored to the predispositions, attitudes, current behaviors and aspirations of distinct and homogenous subgroups of the total population.

My colleagues and I have found that messages, whether they are informed by changes in science, technology or, in the case of HIPAA, privacy standards regulations, need to be crafted in ways that reflect the realities of discrete audiences.

This means that a consumer-driven approach should guide public information and education activities, to include segmentation of the U.S. population into smaller subgroups, research to understand and gain insight into their current life situations especially as it relates to the health information privacy concerns, and then the development of messages and strategies that fit into these people's lives, not our preconceptions about them.

For any public information campaign about privacy notices, for example, I would be thinking about specific segments of the population, such as married women with children, who are often the health information gate keepers for their families, people with low education and literacy levels, people for whom English is a second language, high versus low users of health care services, people with chronic diseases and disabilities, people with no usual source of medical care, and Medicare and Medicaid beneficiaries.

We need to account for this variety of perspectives, as well as others, as messages about privacy rules are developed and delivered.

The second issue concerns the selection of channels of communication. We need to select these channels, that are used to reach each of these audiences, when considering such factors as the intended reach and frequency of message delivery, the credibility and usage of these various channels among the audience, and the complexity of information being delivered.

One thing we have learned to do very well in social marketing is how to use research with our audiences to develop messages that prove to be very effective when we test them with representatives of the target audience.

What we often fall short on, and in many public information campaigns this is true, is getting these messages in front of the audience's eyes and ears, at times when they are most likely to be open and attentive to them.

Public service announcements are the most obvious example of our attempting to achieve the broad reach and frequency of our commercial counterparts, who pay for such time.

A recent report by the NUJ Kaiser Family Foundation noted that only .4 percent of all broadcasting cable air time is dedicated to public service announcements.

When one considers that 27 percent of this time addresses health issues, the competitiveness for such a small amount of air time, let alone airing these public service announcements when the target audience might actually see them, has led some of us to reconsider how and when to use PSAs, and has led others to adopt paid advertising strategies to achieve the reach and frequency these messages need to have to be effective.

Even if television and radio advertising were within the reach of most marketing budgets, I still do not believe they are always the right choice.

Nowhere is this better demonstrated than with HIPAA privacy notices. A quick 15 or 30-second public service announcement with a call to "ask your health care provider" about privacy notices can certainly push people to overwhelm health care providers and facilities with general questions and requests for information.

However, these types of formats cannot be expected to provide people with the quality of information from perceived creditable and authoritative sources that explains the various complexities of health information privacy.

Rather, I would suggest that more extensive interpersonal and print-based tactics be considered, such as editorial briefings and informational sessions with health reporters, to increase their ability to understand and articulate these issues for the viewers, listeners and readers.

Extended interviews on radio and television news programs, feature programs in weekly and monthly news and special interest magazines, town meetings hosted by health care professionals, and other types of longer format, interactive media, would be important to consider and use to cultivate a more informed public.

The third issue is that social marketing campaigns to influence behavior are long-term endeavors, whose effectiveness has been found to be limited by the allocation of relatively few resources to achieve objectives, or conceptualization of the problem and possible solutions from the audience's perspective, and narrow strategic and tactical choices.

Objectives for a public education program that are stated as increases in awareness of changes in health information privacy regulations, for example, versus what percent of people return their acknowledgement of receiving a privacy notice, set different standards for success and the resources necessary to achieve them.

Unfortunately, there is no rule of thumb for an expected ROI for a social marketing program. We do know that, the more behavior change becomes a goal as opposed to simply building awareness, the more extensive and expensive the task becomes.

We also have research evidence to suggest that the most effective programs take a broad, multi-level perspective of behavior change and use multiple communication channels to target a variety of audiences, to create a surround-sound environment.

Finally, what we have also learned in social marketing is that we have to clearly define and position desired behavioral changes in ways that are relevant to each target audience, understand and address the costs, benefits and incentives, as our target audience perceives them, for changing what he or she thinks and does now.

Offer the messages and opportunities to learn more about privacy issues at times, places and states of mind when they are most likely to attend and respond to them.

Finally, develop innovative and unexpected ways of promoting our messages that resonate with them.

Given this background, I have several recommendations for how to begin to develop a public education initiative around this issue.

The first step, I believe, is to identify several priority audiences. I believe key ones in this case would include media representatives, public relation staff and patient advocates employed by health care organizations, patients of various ages with low education and literacy levels, and people who have frequent contact with health care providers.

The next step, I believe, is to conduct some qualitative studies with each of these audiences, to understand each of their perspectives on the issues I have raised.

The next step would then be to develop long and short format media messages about the privacy rule and actions they should take.

We should then test these messages for comprehension and their ability to stimulate appropriate actions with each audience.

Only then would I begin to create materials in print and electronic formats that can be distributed to, and used, by key intermediaries.

For example, media kits, fact sheets and background just for reporters to use when writing about privacy issues, turn-key guides for public relations staff and patient advocates to use to organize and conduct public information forums in their areas.

Sample privacy notices and promotional materials, such as brochures and posters, can be used by providers, that meet regulatory requirements and are also comprehensible to people with less than a sixth grade reading level.

I would then supplement these materials with a variety of outreach materials, including media briefings in major markets by national spokespeople, sponsorship of local forums in these same markets, presentations and workshops at key professional meetings, and targeted print advertisements in national publications read by the target audiences.

Then, after we have some of these key activities and local mechanisms in place, and only then, would I consider the use of paid or public service advertising in television and radio, as well as on the web.

As we look forward to potentially using communications to improve public understanding of the privacy rule, our challenge is to strive for simplicity and clarity, audience understanding, empathy and insight, and focus, not volume, as we set our objectives and course.

I want to thank the committee for the time to present some of the essential points I believe should be considered in any public information or education program around the HIPAA privacy rule. I appreciate your attention, and look forward to continuing to discuss the most effective ways to introduce and explain the privacy rule to the public. Thank you.

MR. ROTHSTEIN: Thank you very much. That was quite a list you rattled off, and I tried to keep up with you.

DR. LEFEBVRE: Yes, I apologize that the copies apparently did not make it, but they will be available.

MR. ROTHSTEIN: That is fine. Let me remind all the members of the panel, if you haven't submitted written comments and would like to, or if you would like to supplement your remarks, we allow 10 days for you to do so, and you can submit them to Marietta Squire. Any clarifying questions?

MS. KAMINSKY: This isn't to clarify, but it is a request for repeating something you said. You listed in the middle, toward the beginning, suggestions about ways to get to consumers in ways that are sort of helpful to them.

You had a long list, including town meetings and other things. Can you just repeat that list of items that you stated?

DR. LEFEBVRE: Yes, what I was talking about there, well, the town meetings in particular.

MS. KAMINSKY: And the other things, though.

DR. LEFEBVRE: I talked about editorial briefings and informational sessions with health reporters, extended interviews on radio and television news programs, feature articles in monthly and weekly news and special interest magazines, the town meetings, and then basically the list was, and other types of long format interactive media.

I think my point here is to really focus on, how do you develop interactive ways for people to learn about the privacy rule, rather than assuming that simply reading something or listening to something one time is actually going to get through to most people.

MR. ROTHSTEIN: Thank you very much. I am sure we will have many more questions for you and your co-panelists. Let's move now to Dr. Baur.

Agenda Item: Panel 2. Cynthia Baur.

DR. BAUR: Thank you very much for inviting me to testify today. I am also very pleased to be here to talk to you about this topic. It is one that we feel is very important, and we are very happy that the committee and the subcommittee are taking this up.

Dr. Lefebvre had talked to you about a particular approach to communications, social marketing. I am going to talk a little bit more broadly about communication, why communication around the privacy rule, and around a specific aspect of the privacy rule, notices of information practices that is an important issue, and some of the thinking that we have been doing the past couple of years on this topic.

I want to begin by making a few remarks about how I got interested in this topic. I am from the Office of Disease Prevention and Health Promotion at HHS. One of the things that my office does is actually provide information to the general public about various health information topics.

About two years ago, we became interested in this general topic of communicating with the public about privacy.

At that time, one of the concerns was about privacy policies that were appearing on web sites, in particular.

We started informally meeting with other people within HHS to discuss some of these issues around privacy policies, around communicating about privacy. We also worked with staffers from the Federal Trade Commission, who were working on this issue.

Over the course of the last two years, we have been having these ongoing discussions about how it is that the public understands privacy, what their concerns are and, again, this role of notices of information practices in this whole process as a tool for communicating with the public.

So, again, we became interested in this because we are health information providers ourselves. We actually have a couple of Healthy People 2010 objectives that relate to this topic, one on improving the health literacy of the public, and another one on improving the quality of health information web sites.

Again, communicating with the public about privacy is relevant to both of those. We also, as an office, have a lead in the department on assessing the reliability and utility of health web sites for consumers and, of course, as I mentioned, privacy is a key concern of theirs.

One of the things that we have spent a lot of time talking about over the last two years is trying to get a handle on what the public already knows about privacy, and what are the general environmental conditions, if you will, about educating the public on privacy.

So, what do we know from public opinion polls and consumer research? First of all, the public has very strong opinions about this. At the same time, it is a relatively unfamiliar topic, and they have little direct personal experience.

In many ways, this creates a very volatile environment, when you have strong opinions and little knowledge, because it makes the situation more amenable, then, for polarization and dichotomization of opinions about these things.

At the same time, as Dr. Lefebvre indicated, there certainly is a role for the mass media in all this. Even before HIPAA goes fully into effect and the privacy regulations go into effect, there is a lot of conversation, if you will, in the media about privacy, about privacy notices, about medical records.

You can pretty well pick up any major publication and find at least one or two stories per week about violations, references to the impending regulation.

All of that contributes to the environment in which people are formulating their opinions and developing these expectations, if you will. Then, the notices and the regulations are going to be feeding into that environment.

Finally, we have spent a lot of time talking about just the complexity of the regulations themselves, and the concepts and vocabulary that is contained in the regulation, and what that means in talking to the public about privacy.

There are many unfamiliar words. There are many big words that people don't use on a regular basis. There are many terms that people would not have encountered.

We have to deal with the basic fact that many people may not even have a very good sense of what a medical record is.

So, when you start talking to people about what personal health information is in their medical record, you have to deal with all of these issues around what is their prior knowledge and personal experiences with these basic concepts that you are trying to communicate to them.

I want to talk briefly about plain language, small p, small l, not in terms of the mandate within the regulation to communicate in plain language, and the Federal Government's efforts around plain language, but this idea of plain language as an approach to communication.

I want to talk about why plain language communication matters. First of all, it is a regulation requirement. Even though the guidance and the regulation is vague, there are some guidelines about how to institute plain language communication.

At the same time, we have to recognize that most health information, not just the privacy regulations, but most health information that we all produce or are partners in producing, is very difficult for the majority of the public to understand.

According to the authoritative national assessment of adult literacy that was done in the early 1990s, there is about 25 percent of the U.S. English speaking population that has very low literacy skills.

This is even before we start talking about populations that may not have English as their primary language.

As I indicate here on the slide, there are additional considerations of language, or culture. This is more than an issue of translation. This is really getting at the concepts that may exist in other cultures and for other people about what privacy is, about what a provider-patient relationship is, about what a medical record is.

This idea about how do you communicate with people and what are the appropriate ways for communication are really embedded in understanding these issues about culture and language.

There is another reality that we are dealing with here, and that is that people typically don't use information they don't understand.

So, if we are starting from a place where we have got a complex regulation with a lot of vocabulary that people are not familiar with, then we are going to have to deal with the fact that this is going to be hard for them to figure out how to use, and that we are going to have to take that as our starting point, rather than assuming some familiarity with all this up front.

Finally, our point is that plain language really contributes to people's understanding of privacy protections and rights, and we want to hold that there as the goal, that that is really what we are after, that people really understand what it is that this regulation is about, and the ways that their health information will be protected, and that plain language and these ideas embodied in communicating, in clear and simple language with people, in ways that they can understand, really toward the overall goal that we are all after.

I want to talk specifically for a moment about this issue of the notices of information practices. It is something that we have discussed in this informal working group that I referenced.

We have had participation from various parts of HHS in this informal working group, Indian Health Services, Health Services and Resources Administration, some substance abuse and mental health services, EMS, as well as OCR representation.

We have talked a lot about the notices as a tool for communicating with the public, that it is something that is more than just telling them about their rights and protections, but it is really a way for the public to kind of come in contact, this gateway or point of entry for the public with these regulations, and that it is happening in the context of existing health care relationships.

It is an explanation, of course, of their protections and rights, but it is also very concretely a physical embodiment of these very abstract rights and protections in something as vague to them as information practices.

So, we do think that notice is something the committee might want to look at in terms of the opportunities for using it as a communication vehicle.

I just want to make a few references to another situation related to notices of information practices. This relates to the notices that were distributed under the Gramm-Leach-Bliley act, which relates to the financial services industry.

They were also required for notifying consumers of these companies that these consumers had relationships with, about the information practices and remedies related to protecting their personal information.

The notices that companies chose to disseminate were variously described as dense, misleading, confusing and cumbersome.

There was a lot of unflattering media coverage and anecdotal information about consumers just basically throwing these notices away.

Still, over a year later, after the notices were originally distributed, references to problems with the notice are still showing up in congressional testimony.

I think it is important to think about notice in these other environments. Again, it is part of this larger context in which the public is building knowledge and experience about privacy, about privacy protection, even before the HIPAA regulations go into effect.

What do notices and good communication have to do with each other? First of all, public education about privacy and protections for personal information, as I indicated, is essential for the success of the regulation.

We really do need people to understand what these regulations are about, and what their protections and rights are.

Public education around notices is one place to start. It shouldn't be the only thing, but it is one place to start.

Effective notices can be a vehicle, not the only thing, but they can be a vehicle for contributing to public understanding.

I do want to point out that this doesn't imply necessarily model notices. I mean, that is not what the conclusion is meant. It is very difficult to come up with model notices that adequately convey the variety of information practices that a variety of organizations would have.

What this indicates is that there is the opportunity for guidance for many different approaches that can help improve notices as a way for communicating with the public.

I want to conclude with this slide. Why does it matter that consumers understand their privacy protections? First of all, we believe that understanding is an important part of informed decision making by patients and care givers, that you really can't talk about being informed consumers of health care services, if you don't understand the protections that are being afforded to you for your personal health information.

Again, because these are happening in the context of health care relationships, you have the opportunity here to either promote trust or undercut trust, and we think that is a very important opportunity that should be there.

Finally, because I also have had the opportunity and the privilege to work on the NHII work group as part of the NCVHS, we believe that promoting consumer acceptance of information exchange as part of the national health information infrastructure is a very important part of this consideration.

The NHII vision is really based on people being comfortable about the information flows that need to take place in order for the vision of the NHII to be realized.

If we don't have this understanding and acceptance of the kinds of protections that are coming into place, then we really could potentially be undercutting many of the elements of the NHII.

I just want to conclude, on the handout, there are a couple of references from the Federal Trade Commission on effective notice, for anyone's further information.

Again, I want to thank you for the opportunity to talk to you about this, and I would be happy to answer any questions.

MR. ROTHSTEIN: Thank you. Any clarifying questions from the members? Okay, we will be back to you with follow up questions. Ms. McMullan?

Agenda Item: Panel 2. Michael McMullan.

MS. MC MULLAN: I believe that I was invited here to discuss a case study about how to notify members in a health plan -- Medicare fee for service is a health plan -- about their privacy rights.

To do that, I want to give you a little bit of context that describes our opportunity to provide that notice.

In 1997, the Balanced Budget Act gave the Centers for Medicare and Medicaid Services the direction to develop information for people with Medicare, to explain to them all of their rights and protections within the Medicare program, and to discuss their options on how to get their Medicare benefits.

In addition, Congress gave us direction on how we were to do it. They discussed direct mail, a toll-free telephone line, the use of internet and a national publicity campaign.

This is very important, because these are the tools that we are using to inform people of their privacy rights.

The goal of this program was to create awareness among people with Medicare. Medicare is well loved among the people who have Medicare, but they don't understand it.

It is interesting to listen to some of the other comments. It does take a very long time until people understand, as opposed to become aware. Those are very different levels of education.

Our current opportunities, the way we are looking at it, is how people become aware of how they can get information when they need it.

Another reality, particularly among the Medicare population, is that they want information when they need it, and they need ready access at that point. Getting information to them when it is not relevant to their situation, they don't retain the information.

So, our goal is to create awareness, to generate an understanding of what opportunities are available to individuals, to make sure we have one voice, the same message through multiple information channels, that we create accurate, reliable and relevant information -- relevant meaning important to people and the way that they perceive it, and you have heard a little bit about that.

Access is important, and I will describe how we are providing that. We want to make sure that people perceive the channels that we are making available to them as trusted sources of information.

We have to also make sure that what you provide to them, people are willing to use.

So, the key components that we have is the Medicare and You handbook, which I gave to you, and I will reference that a little bit later.

That is mailed out to 35 million households in October of each year. Again, this was specified in the statute, that we were to do an annual mailing, because our open enrollment period in Medicare is in November and December. So, that is one tool.

We also have an internet site, www.medicare.gov. I invite you all to look at that. It is really a quite good consumer site for people with Medicare.

We have a toll-free help line, 1-800-Medicare. That help line began as a help line to help people understand the differences between the health plans that were available to them.

The mission of the help line has expanded considerably with a change in which our funding is received. So, that is available 24 hours a day, seven days a week. We experience our greatest call volume during the fall, although we have a continued demand on the help line. Services in each of these three areas are available in English and Spanish.

We also rely heavily on partners. We have a lot of mechanisms that we use to engage advocacy groups, employers, health care providers, states, in order to get our message out.

We give grants to states for state health insurance assistance programs, to help people with Medicare understand both their Medicare issues, their supplemental issues, Medicaid, and anything that is at an individual level of need.

We also have a national publicity campaign. This is the second year that we are running that campaign. You may have seen our ads. They are on prime time in the news hour.

We have three general market ads and one Spanish language ad. We began this last year, with ads that you may have seen. They featured Leslie Nielsen. They were sort of comedy-driven ads to gain awareness, to get people to pay attention to the fact that we did have 1-800-Medicare and the web site available to them. I will go over a little bit more about the details of each of these.

We also spend a lot of time doing consumer research, an assessment of how useful the people with Medicare, and care givers, find this information. So, that is an important feature of all of this.

We invest a great deal of resources into each of these areas to make them useful to people. We are trying to understand, both with plain language and the way in which information is conveyed, to ensure that, when people need it, they can understand it clearly.

I also want to give you some idea of the cost of doing this. Medicare serves 40 million people. Two hundred thousand each month come onto Medicare. So, it is a large program, national in scope, with a common benefit package.

As I mentioned, the Medicare and You Handbook, I am going to give you sort of general dollar amounts, not precise. The Medicare and You Handbook is mailed out each fall to 35 million households, and we also make it available to partners. We spend about $30 million doing that.

The privacy notice is in the Medicare and You handbook. It begins on page 50. That is the way we chose to notify our members, so to speak, of their privacy rights.

To do a direct mail, a direct mail to 40 million people costs about $11 million. Without a context for it, there is no reason to believe that people will read it. I think you heard a little bit about that on the financial notices.

We also use the internet. This is the best value for the investment. It is the most versatile, the most flexible. We can make it easy to navigate, so that people can get right to the answer that they want.

We spend about $5 million providing information over the internet to consumers, the Medicare.gov web site.

The issue with our population is that, while the seniors themselves, there is a growing number of seniors using the internet, it is really not the main source of information for our current population.

As the boomers become a greater portion of the Medicare population, we anticipate that that will change.

Having said that, we have, as I mentioned before, a very large number of partners who we facilitate pushing out our information, our accurate, reliable, relevant information, through one voice, through the internet.

We also, the 1-800-Medicare number, that costs, depending on the volume of calls, because call volume drives the budget there, but you are talking in the range of $50 to $60 million to do that.

I am just trying to give a context for this, as we try to educate the American public in how much you provide to them, in doing these sorts of things.

Our publicity campaign this year is a $25 million investment. The majority of the costs for the publicity campaign is buying the air time. That is really the largest part of all of that.

Then, we spend less than $10 million a year on our research and assessment activities, to make sure that we understand what people are doing.

To just give you some concept of, if you were to do some kind of publicity around the privacy notice, looking at only seniors, the use of media is very different by age group.

Seniors watch an average of 27 hours of television a week. So, that is why we find using that tool is a significant opportunity to create awareness. Remember, that is what we are trying to do, and not to educate.

I would just add emphasis to what you already heard, about the importance of understanding the consumer and how to direct the message.

You have to be able to understand the audience and give them the information in the way that they want to use it. It is very hard to give them information and get them to pay attention to it in a form that is not familiar to them, and not useful to them.

When we do our ads for the general market, meaning English speaking, people with Medicare, and we look at how to present the same information to Spanish speakers, we have a different approach.

There is just a different way of making the connection with the audience. So, we do a very different set of information.

Now, to get more to the point about our privacy notice, something else that is unique about Medicare, because we are a federal program, we are subject to other privacy notices.

We have the Freedom of Information Act, in which we have to protect the privacy of records that are requested. We also have the Privacy Act responsibility for any records that we store.

So, as a federal entity, we have had other responsibilities around privacy for a very long time.

With the HIPAA privacy rule, we have had to look at what our different responsibilities are. As a health plan, we are covered for our health plans for Medicare beneficiaries, our health plans in the Medicaid and state health insurance assistance programs, and for our fee for service program that we manage directly.

It is only for Medicare fee for service that we are required to send the notice out. The other health plans have their own direct responsibility. So, the states and the M-plus-C plans and other Medicare plans have a direct responsibility.

We have, as I said, developed a notice. The other responsibilities that we have under the privacy rules, we expect to be fully compliant by April, which is when the compliance date is required.

We are in the process of taking our designated record set, which is part of the requirement, in realizing the privacy rule, to the department, Health and Human Services, so that they can validate it and then we will be, as I said, prepared to respond.

When we look at volume of requests as a health plan, we don't have any empirical evidence to base volume. There are people who believe that the volume of requests for information under the privacy rule are quite high.

When we look at other similar requirements, we get 35,000 requests a year, and when we did a post card within our handbook one year, we got about 80,000 responses.

So, if there are any markers for this, that is one we are looking at. Some people have estimated as high as one out of 10 people would respond. If that is the case, we would get four million. Who knows. We don't know what the volume of requests will be for the privacy information. As the largest health plan around, we thought it would be useful for you to see how real life information is being shared.

MR. ROTHSTEIN: Thank you. There are several things I would like to follow up on when I have a chance. Any clarification questions from the group? Okay, we will get back to you shortly. Now, the last member of this panel, Ms. Schwartz?

Agenda Item: Panel 2. Beverly Schwartz.

MS. SCHWARTZ: Thank you. Good morning. My name is Beverly Schwartz. I am a behavioral scientist by discipline, and I currently direct the social issues portfolio at Fleishman Hillard, a large domestic communication firm.

I am associate editor of the Social Marketing Quarterly and, prior to my current position at Fleishman, I was vice president for social marketing at the Academy for Educational Development and, prior to that, social marketing specialist at the Centers for Disease Control.

I am saying that because the two major national campaigns that I developed and implemented were recently the non-advertising aspects of the National Youth Anti-Drug Media Campaign, for the Office of National Drug Control Policy. The drug czar at that time was Barry McCaffrey.

At CDC, I managed all the national partnerships, the advertising, and all the projects for the America Responds to AIDS campaign. That was from 1987 to 1992.

Ironically, that was the first health campaign in the United States that actually did a national mail out to every person in America. I know it didn't cost $11 million in 1988. That was under Surgeon General Koop.

I did have the opportunity of reading Dr. Lefebvre's remarks before this. So, I didn't want to duplicate them. We do share a particular way of thinking about social marketing and behavior change.

So, what I did today was just come up with three issues from my experience directing large scale national campaigns, that I would like to impart, and then talk a little bit about the aspects of the national youth anti-drug media campaign, because that splits completely into both an advertising and a non-advertising aspect.

The first issue is to basically be selective. In my experience, talking to everyone is like talking to no one.

Target audiences need to be definitively and creatively segmented in order for the message to be understood, and to have importance.

Ask important questions and research the answers. In doing any campaign, important issues need to be raised. In this campaign in particular, do consumers read any of the publications they are required to receive by law about privacy rules, from banks, mortgage companies, credit card companies and insurance companies?

What would make HIPAA rulings and information more or less important to them? What actions are realistic and doable to the public? In what form do they need to see, to hear, or to talk about the information in order to take notice and understand their rights?

I am amazed. I guess I may know less about HIPAA than anyone on this panel. So, maybe I am a major target consumer.

In that way, I am amazed by how many privacy pamphlets I get in from my mortgage companies and my credit card companies, and how little I read them, because I don't know exactly what to do about them.

I don't know if I have alternatives to what they are telling me. They are telling me they are not selling my name or they are not giving away information.

That is fine, but I am not sure exactly in the end what it means to me, because I don't know what I can do about it.

Having clear behavioral objectives from the outset is very important. Ms. McMullan just spoke about the difference between an awareness campaign, which is the Medicare campaign, and what they are using basically television ads for, and what is the difference between when you want somebody to do a different behavior, and that is a behavior change campaign.

Indeed, if you are wanting the public to do any behavioral actions in relationship to the privacy standards, then Yogi Berra said it best. If you don't know where you are going, you are likely to end up somewhere else.

So, if you don't remember that marketing changes the structure of a system, and communication informs about the existing system, then from the outset, you will need to recognize that you are changing an established system and, therefore, need to clarify what you want the audience to do as a result of the change.

Professionals will have different information needs and behavioral goals than the public, and that includes legal ramifications.

Consumers need to see the issues in people terms, not in expert terms. They need to have clear alternatives presented to them, and then time to work through the alternative choices and their role in them.

Again, I stress, that is if you are asking for the public to have any behavioral changes from the way things exist now.

Number three, integrated marketing communication programs do work. It is important to remember that some kinds of marketing tools have some kinds of effects for some kinds of people some of the time.

Not knowing what to do, programs often use mass media to overcome a lack of grass roots work. Although mass media can certainly play a significant role in creating levels of awareness in mainstream populations, it doesn't necessarily have the same role for disenfranchised populations.

Media should be used to support a program, not as the program itself. Therefore, you should think in terms of where the identified and prioritized audiences live, learn, work, play or pray, to determine effective channels and sources of communications, coupled with interpersonal outreach efforts that will promote understanding, deliberation and action.

Those are my major key points, and I just want to go back into the last two campaigns, large scale, that I did work on.

The youth anti-drug media campaign uses partnership development, including faith-based, community coalitions, national and state organizational based.

It uses outreach through the entertainment community. It uses interactive web-based outreach, and it uses a large segment of earned media, which is non-paid media, replacements, coupled with public information dissemination and corporate sponsorships, along with an aggressive paid media component.

So, there you have -- and on my handouts you will see basically the six pillars of the campaign, all of which are rather important, if you are doing a surrounding of the public with an information and with support for a behavior change you want them to do.

Now, I know this program is a prevention program, which is very different than an information and awareness and an after-the-fact.

I know that the HIPAA privacy standards will have very different motivations and very different pieces and efforts in play, but this is kind of an idea of the panoply of things you use.

When we did the America Responds to AIDS campaign, it is a good example of prioritizing audiences, and doing things in phases.

Obviously, there was a crisis, and it was a life and death crisis in this country in 1987. People had absolutely no idea that there was a virus out there that could be fatal.

They had no idea how it was transmitted, or how it wasn't transmitted. So, in a very tough decision, we realized that we just couldn't, as I said, talk to everybody at the same time, because it would be a waste of money, a waste of effort, a waste of time, and many people would not understand it.

So, we needed to start prioritizing our audiences. That is a tough decision to make, but when you prioritize and you develop a campaign in phases -- which I find many people don't really think they have the option of doing -- then you can get to everybody and you get to every aspect of the issue, given the right time and the right place.

So, I do want to stress the fact that you may not have to do a mail out to every American, put in every mailbox, about privacy standards, but there are the right times, the right places, the right people, the right phases, and the right types of media to use, to either create an awareness of the rules, or to change behavior around the system. Thank you very much.

MR. ROTHSTEIN: Thank you. Any clarifying questions? All right, the floor is open for panel discussion.

DR. ZUBELDIA: First, I want to thank the panel for excellent testimony. I have a comment and then a question for the entire panel.

This Medicare and You 2003 pamphlet, I was thumbing through it and, on the very first page, it talks about your Medicare privacy rights -- on the cover, I am sorry, Medicare privacy rights.

That was exciting, how important this is. However, I couldn't find it in the table of contents. I couldn't find anything about privacy in the index either. It is buried in pages 50 to 52.

If I am a Medicare beneficiary, I probably won't get past page three. I may look in the glossary, what does Medicare mean by privacy. It is not in the glossary either. I think there is some work to do. That is just a comment.

A question that I have, I think this panel has, at least in me, raised an awareness. When you mentioned the notice of privacy that Gramm-Leach-Bliley has been distributing, I have been getting lots of those, too, and I don't read them, either. They all pretty much say the same thing.

We use the information the way we have been using it before and, if you don't like it, go to another institution. Well, they don't say that. That is my reading of them.

What is the purpose of the HIPAA privacy overall? We have been talking on the panel, is the purpose to change behavior? What do you think is the purpose of telling the consumers about health care privacy?

Are we telling the consumers because we want to get to the providers indirectly through the consumers? Are we telling the consumers because we want the patients to be the HIPAA police?

Are we telling the consumers because we want the patients to know how a computerized society should behave, and what they should expect to happen with their electronic medical information? What do you think is the purpose of this?

MS. MC MULLAN: First, thank you for your comments on the handbook. Just before I give you my answer to your direct question, this document is really used as a reference tool for individuals. This sort of leads into my answer to your question.

There is a lot that people need to know about how to interact with the health care system, regardless of who their insurer is. In the case of a health plan, and for providers, in how they interact with the provider.

My own view of all of these is that there is so much information to know, that the best we can do for people is to know where to go to get the information when they need it.

That includes about their rights. People, whether you are in Medicare or other insurance products, your rights in interacting with your direct service provider, you have rights, protections under the law.

You need to know what they are, when you need to know them. Most of us never need to engage them but, when we do, we need to know what they are.

I just invite people to think about homeowners insurance. You know, you hope a tree never falls on your garage but, when it does, you want to be sure that you can go to your homeowners' policy and figure out what you need to do to engage with your insurance company at that time.

So, the direct answer to your question, I believe awareness that they have the right, not understanding what the rights are, but that they have the rights, and then where do I go if I need to engage those rights.

DR. BAUR: I just want to make a brief comment on that. As I indicated, we obviously think there is a very important connection between the HIPAA privacy regulations and the NHII.

At least the working assumption has been that people do need to feel comfortable with an electronic means for moving their health information around, for many parts of the health system to work.

So, I would say the larger goal probably does go in the way we think of it, it does go beyond the awareness and does move closer to the understanding.

It does dovetail with the way we use this health literacy concept that I referred to. Health literacy, for us, is more than being able to read and write. It really is navigating the health care system.

It is both the information seeking component that Ms. McMullan talked about, but it is also much more than just finding the information. It is using it and it is the decision-making piece that I also referred to in my slides.

DR. LEFEBVRE: Just to wrap that up, I would say that I think, for different segments of the population, you will probably have different objectives for what you want to accomplish with this type of an education program.

At a very basic level, people who aren't very engaged in the health care system, having some awareness of where to go for information when they need it is probably appropriate.

However, if you are someone who is a heavy user of the health care system, you are probably much more invested in this issue. It probably has a lot more relevance to you on a daily or weekly basis, and I would suggest, for those people, they have a different set of objectives and they will want to know much more about the privacy rule.

They will probably want to engage in a variety of behaviors that will be much different from, let's say, the typical 25 to 30-year-old single white male who very rarely ever has contact with the health care system.

If you start looking at your African American population, especially those who receive government benefits, you can expect that, if you start raising issues of privacy, you will also raise issues of a lot of suspicion of, what is government doing with my information.

That type of understanding of how these populations are approaching this issue is part of what I am talking about when I talk about doing this type of research on these very specific groups of people.

We know enough about communicating about health information to almost be able to predict, for different segments of the population, how this kind of issue is going to be received.

MR. ROTHSTEIN: Ms. Schwartz, did you want to comment on this? You don't have to.

MS. SCHWARTZ: I just sort of wonder if I should or not. I was hoping I was clear in my remarks that I am not sure the public has an alternative behavior that you want them to do.

Yes, you want them to understand the rules, yes, you want them to be able to navigate the health care. If they are uncomfortable with computerized movement of their health records, what are their options?

Can they say no and then do they ever get health care again? Does an HMO touch them? I mean, I think there are -- I don't see clear alternative behaviors, as I was researching this issue for the testimony.

So, I am a little perplexed. I think it is great that they understand it, but I don't really understand what you want people to do with it.

MR. ROTHSTEIN: I think the purpose of informing people is many-fold, but clearly, the rule establishes rights for individuals. They have the right of access to their medical records. They have a right to request correction. They have a right to this, that and the other thing. Certainly, you can't exercise your rights unless you know what they are.

MS. SCHWARTZ: And a right to complain to OCR if there is a violation of those rights.

MR. ROTHSTEIN: Also, it helps facilitate the patient-provider interaction. All the burden for informing patients about how HIPAA affects the physician-patient relationship is placed on the physician.

It is probably going to be extremely time consuming and resource consuming and awkward if people have never heard of this and now suddenly, you are in the doctor's office, and you are going to be confronted with all this information and be asked to sign a notice and so forth.

I have so many questions, I don't know where to start. I will just ask one and then let people ask other questions.

I am very interested in the idea that I think virtually everybody talked about, in terms of segmenting the message based on the audience.

The question I have is, where do you start? In other words, when you did the AIDS education, you had to pick out a group that you thought you should start on.

I don't know where I would start in terms of HIPAA. For example, I do research on consumer attitudes as well. If, from our research, it turns out that people who are 60 and over are least concerned about health privacy, the group that is most concerned about privacy are in the 30 to 40 year old range, who are least likely to actually use health services.

So, now the people who are using the services aren't necessarily that concerned -- speaking in generalities -- about privacy, when people who actually don't use the services are concerned about it, for all sorts of reasons.

The trust levels for the federal government vary widely by race and ethnicity, with African Americans least trustful and most suspicious of the government, followed closely by whites, whereas Hispanics and, to a lesser extent, Asian Americans are more trusting of the federal government with regard to these kinds of issues.

It makes the call on where you start in terms of this segmented message very difficult. I was wondering if you had any words of advice. Dr. Lefebvre?

DR. LEFEBVRE: I was thinking, as Beverly was saying, that these are the difficult choices you are faced with. This is why people in a lot of programs try to take the safe ground and try to be all things to all people.

I think, from a communications perspective, and from a marketing perspective, that I would really focus on the media, and media representatives and media reporters.

I really think that, as this message goes out, that your conduits are really probably one of the most important people to have educated.

I sat in on the end of the last session. Obviously, if we do an awareness campaign very broadly speaking, to the general population, who then rushes to their doctor to start asking questions, then you have physicians who don't know the answers either, and you have not facilitated a patient-physician relationship.

I really think that most people will tell you that they get their health information from physicians when, in reality, they really get it from the media.

I really think that a focused outreach effort to health reporters, to the media representatives directly, to get them up to speed on these issues, will in the long run set the agenda.

The media, again, are very powerful agenda setters for not just what people should be thinking about with respect to HIPAA and the privacy rule, but also how they should be thinking about it as well.

I think that is probably where this type of education program can be very quickly won or lost, is how you get your coverage come April 13.

MR. ROTHSTEIN: Ms. Schwartz, did you want to comment on how to -- I have a hunch I know how you decided which group of people to start with for the AIDS education, but how would you go about even thinking about this issue in terms of HIPAA?

MS. SCHWARTZ: I guess, if I was going to plan this campaign, my first action would be to think about the population that was most in need, or in critical need of knowing the information first.

Given that, I am going to be really slightly questioning, again, about this whole issue. Every time I go to the doctor's office, I sign a form at the doctor's office that says, I release my records.

To me, that is a privacy thing. I am signing them away to my insurance company. So, I am not sure how this rule and these standards are going to affect me, except that now I am going to have a real defined place that I know I can complain to.

I am trying to figure out in my mind, when you ask the segmentation, what population would it be very different for, what these privacy standards would affect.

I am an educated health care consumer. I know that, when I go to my doctor, I have the right to ask for my records right now.

I take my x-ray film from where I get my x-rays and I take it to the next doctor, and I can do that and nobody can tell me I can't.

So, I am not sure, with HIPAA rules, that I am going to feel or sense anything much different. So, if you wanted to segment a population, I think you have to go for the people that might not even understand -- we are talking about disenfranchised people -- that what they are signing when they go to a doctor's office, that they are signing those privacy rights away.

I guess I would look at those people who have the least understanding of the medical issues, which would be the hardest population to reach.

I have to tell you, while I say that with one hand, I should also say that I usually hate starting with the hardest population to reach, because that flies against a lot of communication theory.

In this aspect, I think a lot of people are going to say, okay, that is great, but what is different. I may be really wrong.

Everybody in this room may be saying that I am very naive, but it is not -- it seems like you may be preaching to the choir, unless you look at the hard-to-reach populations.

DR. COHN: First of all, I want to thank the panel. This has been a fascinating set of testimony and conversations.

I think you really do bring up the issue of what the heck are we talking about, which I think is always a good issue to be brought up early in an advertising campaign.

MS. SCHWARTZ: I was trying to be very respectful.

DR. COHN: I agree with you. I guess my view, as I think about it, recognizing that, obviously, different campaigns will have different points, and recognizing that I am an MD and not a JD, I was sort of struck, in my own mind, that a successful campaign would hopefully help prevent the health care process from grinding to a complete halt in mid-April of next year when everybody goes into a pharmacy and they go, what is this form that I need to sign? What does it mean?

They go to see their doctor and they suddenly are confronted with a nine-page notice of fair information practices, and hopefully a summary at the beginning and they want somebody to explain it to them.

I am hoping that maybe, if the government does its work in terms of informing everybody, that maybe, when they see this the first time they won't go, my god, what is this.

Maybe that is the wrong approach to all of this, but when I was sort of listening to everything, I mean, the populations and everyone else, and I agree, that we need to focus, but if we could just achieve that by mid-April of next year, I think that would be a great success.

That is sort of a question for you, Beverly, does that make sense, what I am saying.

Cynthia, I guess I have a question for you. I was very much struck by your comment about plain talk. It seems to me that there has been a real lack of plain communication going on in this whole thing, and I think we heard that in the first panel.

Do you think there is some way to get some plain communication out to providers, so they could understand what to do with all of this between now and April? Beverly, maybe you first, and then Cynthia.

DR. BAUR: I just wanted to follow up on the previous comments by Beverly. I think her response, in some ways, reflects the interplay here of both opinions and prior experience, because you are really dealing with both.

People may have strong opinions and a lot of experience, may have strong opinions, little experience. There are lots of combinations you can think of, too.

Beverly may be somebody with both strong opinions and a lot of experience and then she is getting this notice in that context and saying, okay, so now what is different?

Somebody else, who may have strong opinions and little experience, that may not be the question they have, is what is different. It may be, what are you telling me about my medical records here. It may be a whole new set of questions.

I think it goes back, again, to understanding where those people are starting from in terms of the kinds of questions they might formulate.

To your point about the plain language, I think there is a lot of opportunity for speaking very plainly about these things.

Again, it goes back to, just as you think about the general public being segmented, and which audiences you want to reach, and what are the priorities, you would think about providers the same way.

You would use the same kinds of strategies of trying to figure out how to speak plainly to them, what is the information that they need, how is it that they want to talk to their patients about this. Is it going to be them, is it going to be someone on their office staff?

I mean, there is all kinds of research that could be done to help providers figure out how to speak very plainly to their patients.

I would hope it would make them much more comfortable about this whole project, and there are definitely recognized techniques for how to do that.

MS. SCHWARTZ: Can I just ask a clarifying question? Does it have to be a nine-page document?

DR. COHN: My understanding is that there is a summary document on top that can be provided. I think that most organizations, when they have tried to figure out how to respond to the requirements that are in the regulation, figure it is somewhere between, I think, six and eight pages.

I am struck that it is going to be like me and Kepa, with the Gramm-Leach-Bliley Act, and I know what I have done, which is similar to what Kepa has done with his notices. I think it is sort of that same sort of concern that we all have.

Yes, I agree, it would be nice if it was two or three paragraphs.

MS. SCHWARTZ: I am wondering if that is a great place to start the campaign, to see if you can get that down to as people friendly and as user friendly and as understandable in plain language as possible. That probably also has a lot to do with length also.

DR. COHN: I guess I should ask Stephanie this one, because I may be misrepresenting reality on this, but this is my understanding of why they need to have a layered notice, is because there is just so much in the other notice, that we worry about people actually reading it. Is that a correct representation? I don't want to misrepresent that.

MS. KAMINSKY: It was a response to comments on the NPRM. There were a lot of concerns, I guess, based on some of the trial runs that entities had made, with creating notices and realizing how lengthy they would have to be to comply.

So, the department, in its preamble to the final modification, said it is okay to do a summary overlay, but you still must provide the comprehensive notice as well.

I was not part of the development of the original reg that created the requirements for that comprehensive notice. My sense is that those requirements came from an intent to be very comprehensive in notifying individuals about their rights and about the full impact of the privacy rule.

DR. COHN: They have to be sent out together? You don't just send out the summary notice, you send out the full thing?

MS. KAMINSKY: It doesn't have to be sent. It can be given at the first -- when a direct provider sees a patient. Yes, they must be given together.

DR. BAUR: On this issue of the layered notice, too, that has been something we have been working on in this informal work group that I mentioned, that has IHS and HRSA and CMS and SAMHSA and OCR participation.

IHS is particularly interested in developing a summary or top notice, and has been making progress on that.

DR. DANAHER: I have a two-part comment that I think Ms. McMullan and Dr. Baur, you might be best suited to answer.

The first one is -- and I don't mean to be grabbing a hot potato, and I say this with all due respect -- but I wonder whether CMS is not better suited to enforce and roll out the privacy and security regulations. Again, I don't mean to be provocative in saying that.

When you were going through, Ms. McMullan, the budget, the infrastructure, the coalitions, whatever, which you have, I understand the historical sort of -- I am sorry, I understand the context of having the fox guard the henhouse kind of thing.

The first thing I kind of wonder is whether CMS could be -- it just strikes me that we could be leveraging the infrastructure, the experience, some of the budgets, et cetera, of CMS more in this effort.

Then, as part of that, you know, I am wondering whether we have the paradigm wrong, not so much wrong, but it is an ancillary part of the paradigm.

By that I mean, the first set of subcommittee hearings that we had in Boston, I think we came away, and from the first panel we heard this morning, we heard, work with state medical societies and others to enhance -- and professional associations to enhance -- the communication and dissemination of information to community-based physicians, which is something I think we should definitely do, et cetera.

I guess I just wonder whether going direct, kind of invoking some old internet concepts of direct-to-consumer marketing might actually be the greatest impetus that we could have, to get providers to adopt privacy policies and procedures, and to really make sure that their offices are HIPAA compliant.

So, just kind of the idea of, the biggest impetus to get it done, to get caught up on his education, is if a patient comes in with something they have gotten off the internet and says, what about this new clinical trial or this new clinical study, am I eligible for that.

I guess the question I have is two part. One is, could we be better leveraging or utilizing, in some way or another, the resources of CMS and, in doing so, kind of an ancillary thing is, should we be thinking of more direct to consumer play here?

MS. MC MULLAN: I think the way the department is looking at the whole issue of privacy is through a network, a privacy council, that has participation from all the different involved components.

I think that there are certainly opportunities to leverage what CMS is doing for Medicare, Medicaid, CHIPS, all of our contractors, that don't necessarily draw the conclusion that we should be enforcing the rule.

We can help communicate, we can foster the understanding of what the research shows about what people want to know, when they want to know it, how receptive they are going to be to the information, which might be a much greater asset than necessarily enforcement, because OCR has the enforcement infrastructure for other rights and protections. We are doing that, to a great extent.

I think Ms. Schwartz has an important message here. You have to understand what is going to motivate the consumer, and why do they care?

In giving them this information, you used the example of a clinical trial. Most people look for that information when they have a need, they are experiencing some health crisis, and looking for alternatives in treatment.

If I have no health crisis, unless I have some sort of intellectual curiosity about clinical trials, I am not going to be looking for that information.

So, you have to understand what is going to motivate the consumer, including motivate the consumer to go and try to get a certain response from their physician or provider.

DR. LEFEBVRE: If I could quickly tell two stories relevant to your two questions, one story is back when I used to run community heart disease prevention programs, we ran studies to see about how do we get physicians to adopt what were then the new national cholesterol education program guidelines.

When we looked at our community of physicians and we looked at a comparison community of physicians and looked at how they adopted new treatment standards and practices, the overwhelming determinant of what predicted physicians adopting the new standard was patient requests, educating patients to go into their offices and say, my cholesterol is too high at 240 milligrams per deciliter.

We saw dramatic differences in those two communities of physicians, solely on that variable. It had nothing to do with CME. It had nothing to do with grand rounds. It had nothing to do with who you talked to in your peer network.

The second example is, I also worked with CMS in doing public relations and advertising about Y2K compliance issues on provider outreach.

When we looked at what was the most effective way of reaching out to physicians for education, the two things that we saw were, a, advertising in peer journals. The second thing we found is that, when we were finally able to promote the 800 and web site to physicians, that the largest increase in hits to the web site for information about how to become Y2K compliant and ensure that you were going to be paid on time was articles in the Wall Street Journal.

DR. BAUR: I have no opinion about where enforcement ought to be located within the department. To this point about direct to consumers and its appeal to physicians, I mean, advertising is a strategy, a communication strategy, and you can use advertising in other situations.

So, if you think about direct to consumer advertising, it has got some particular goals associated with it. Those goals may not necessarily suit what it is that you want physicians to do.

I think that is the only thing that I would offer to think about. If you think about, for example, direct to consumer in the pharmaceutical context, the primary context of that is to get people who come in contact with that message to go ask someone else about it.

You have to think about, is that really what you want providers to do, if you are going to use that strategy. Again, advertising is a strategy, one of many that we have been talking about here. Is that the right one to get people to do, to give people the information that you want.

DR. KEPA: I want to go back to a previous strain for a minute, when we were talking about the nine pages on the privacy practice.

I don't want to take my previous comments on improvements on the Medicare handbook as a criticism. I think that Medicare has done here, in two and a half pages, a wonderful job of a privacy notice.

In fact, this is not a summary notice. This is all of it, and it is only two and a half pages, and it is not four point. This is at least 12 point or bigger text. So, this could be condensed, if you want to condense it in small print, to one page, but it doesn't have to be nine pages.

Is this something that could be used by everybody else, not just Medicare?

MS. MC MULLAN: Getting back to the former comment about how to leverage the investment that we are making to reach out to people with Medicare, this is for Medicare as a health plan.

There are some rights that are not included because they don't relate to Medicare as a health plan. We spent a lot of energy trying to understand how to simplify complex concepts.

This is not, perhaps, as simple as it could get over time, because we are so close to the legal language and the carefulness that people want in the balance, to make sure that you have given people the fullest understanding of their legal rights and plain language.

I think we have done a very credible job in making it as plain language as possible, and there is no reason that other people can't use it as an example.

MR. ROTHSTEIN: If I may, I would like to follow up on that question and ask you a Medicare question. The notice that is on page 50 here, that is, of course as you said, in your role as a provider.

You do send this out to 35 million people. I was wondering -- and maybe, Walter, you have some help on this -- is there any legal or practical reason why the next mail out could not include some information about HIPAA and the privacy rule and other aspects of HIPAA more generally?

MS. MC MULLAN: This is the HIPAA privacy practices, the information here on HIPAA rights. That is our obligation under the HIPAA privacy rule to inform members of our health plan, and the health plan that we are informing is the fee-for-service Medicare, which is 85 percent, at least, of the Medicare population.

So, this is. If there is other information to provide people about HIPAA, it has to be of equal import to all of the other benefits and rights that we have to explain to people with Medicare.

So, the answer is, depending on the relevance to the population that we are serving, because again, just a practical point, we have to keep this under a certain weight, so that we can afford the postage.

MR. ROTHSTEIN: That was the practical issue, yes, and of course, it has to be connected because it is a self mailer and so on.

Even though this satisfies your duty as a covered entity, it is still clear that even the people who are covered by Medicare, when they go to their physician, they are going to be given another, separate notice.

To the extent that they could be clear on this and informed about that, I think, is extremely valuable. If we could have some sort of additional sheet here or something as a tear off, and you get 35 million people to see it, my eyes get big when I think about that.

Marjorie was next, and then Richard, and then we are going until 12:45 on this panel, if that is okay with you.

MS. GREENBERG: My question is somewhat in a different direction, but it follows up on one of the points in Cynthia's slides, about one of the purposes of communicating with consumers, and why it matters that they understand privacy protections, is to promote consumer acceptance of information exchange as part of the NHII.

Long before we talked about the NHII, this has been an issue, I know, that this committee -- not necessarily this committee, but the national committee -- has considered over a period of years, as well as people in the department.

That is, how do we communicate with people about the importance of health care information and the responding to requests for health care information with all the appropriate privacy protections, et cetera.

There is a lot of concern in the research and even in the public health community in the area of voluntary surveys, et cetera, that the reaction is going to be, when in doubt, just don't provide the information, and this is both coming from the providers and from the consumers as well.

I wondered if any of you had any experience in that area. I realize that it is difficult to send a lot of people different messages, but there is a risk that, in communicating the privacy protections and rights that, as I think the earlier panel said, there will be over-zealousness and a message of why, under appropriate conditions, information is provided and should continue to be provided, will be lost, if any of you can comment on that.

MS. MC MULLAN: I will just give you our own experience in Centers for Medicare and Medicaid Services. While we are making, I think, very considerable strides in making ourselves clear to the people that we serve, we haven't always taken that approach.

In research studies and explaining to people why records should be used for research -- Medicare does a lot of supportive research -- the letters haven't always been very clear. It is sort of, trust us, it is okay.

Again, why should they care? Thinking about it from the consumer's perspective, when you are asking for an individual to participate, or allow their records be used for a study, why should they care? What is in it for them?

What is in it for them may be the public good instead of an individual good, but explaining it with a level of clarity, simply, about why this is important and they are not at risk, there is no risk to them, it is really putting things plainly and directly to people.

I am the first to say that that is a rut. Over the past five, maybe longer years, we have become much better at that at CMS, but we weren't always very good at that.

What is in it for them. Why should they care? What are they at risk for? Be as clear as possible.

We have great success in getting people to participate in Medicare surveys. Again, people love Medicare. Also, it is the government, which is another aspect of concern. So, I think that you just have to put yourself in the consumer's place.

MS. GREENBERG: Anybody else have any experience in that area?

DR. LEFEBVRE: I would say plenty of experience. I think that you can use that kind of -- I think you were describing a step-type of approach to how much information can people actually access when they need it.

It certainly seems -- I mean, the model that is used for national health information clearinghouses would also be another model I would look at in terms of how much information do people need when they are diagnosed with specific diseases.

Do they go to, let's say, the NIDDK clearinghouse or do they go to a National Heart, Lung and Blood Institute clearinghouse to get as much information as they need at that point in time.

I am sure that many of those clearinghouses can point you in directions about how people track through their web sites or how they track through different kinds of publications to get as much as they need at that particular point in time. The question really is accessibility of information.

DR. HARDING: Thank you again for your testimony. I have three things that I would like to say, and then see if you have any response to any of the three of them, and I will do it in a minute. It won't be long.

You talked at first about the segment messages and based on audiences and starting with who. My suggestion would be that we start with those most vulnerable to discrimination in health insurance and jobs, chronically ill and high utilizers. That is where I would shoot it at, just thinking here off the top of my head.

Secondly, we talked about behavioral objectives. You were saying, okay, what is it we are trying to get people to do.

Well, we have sent a double message, because we have taken away people's right, so to speak, their former right, to consent for treatment, payment and health care operations.

We have taken that away and made them passive in that, where they can sign a written notice, but it is more passive than it was before.

Now, what do we tell them that they should do? We have taken something away. We have kind of said, okay, this is just going to happen.

What is it we want to change their behavior on? Authorization? Access to their medical records? There are a number of things. We are giving a mixed message there, as far as their activity in what they are doing, what all of us are doing in their medical record.

Third -- and then I will stop -- is I was intrigued by John's comment there about CMS and so forth, enforcing and so forth. It would seem that, you know, we all have concerns about enforcement and who will do that, OCR, CMS and so forth.

I think, though, that there is an inherent conflict with CMS providing some enforcement, because they are also an entity. The entity will have to enforce on itself.

I am sure that has all been thought through very carefully, but when you have to enforce a rule on yourself, it just seems like there is a conflict there somewhere that either needs to be thought through again, or explained clearly, as to why that decision was made.

That isn't the reason for these hearings, but John bringing it up, it is certainly something that is of concern, and I will stop there.

MR. ROTHSTEIN: Any comments?

DR. LEFEBVRE: I will start with the first one. I would basically agree with each of the populations you described as being a place where I would most likely start as well.

Especially when you said which groups of people were more likely to be discriminated against in terms of jobs and so forth is what my supposition was when I heard the data about 30 to 40 year olds probably being the most interested in the privacy issue. That was my immediate leap, was that it probably had to do with exactly those kinds of issues. I would agree with that point completely. I think that would be a fine place to start.

As to the third point, I am going to stay out of it, but I would also agree. Being a lay person on the outside of the government, I would not like to see a group like CMS or people who are actually providing the services, be the people put into that kind of position, where they would have to have that dual role with, frankly, their beneficiaries, let alone all the other perceptions that could be put on that. I don't know if anybody wants to pick up on that.

DR. BAUR: I actually wanted to comment on this mixed message idea. I think that is an important thing. I spent a lot of time thinking about the nutrition facts label and how that came into being, and the facts label as a communication tool.

I talked to the people at FDA who do the consumer research for the nutrition facts label as well as other things.

It is interesting that the nutrition facts label as we know it today, on virtually all the packaged products that we buy, is that it came at the end of the process of education and consensus building and scientific study, and that there was this decade-long process around that. Then the label, as a communication tool, was the outcome of that, rather than the starting place.

I do think this issue of the mixed messages is a critical one for this, in terms of clarification of what is the message here. There may be multiple messages and they may be messages going to different audiences, but there should be a core around which that is built.

It goes again to the point I was trying to make about the environment. While we may be talking specifically about HIPAA, HIPAA is making its debut, its appearance, in this larger context, this larger environment, in which discussions about privacy, discussions about personal health information, about notices, that is real. That is going on now and has been going on.

There isn't consensus out there about it. So, whatever you do around HIPAA has to be cognizant of the fact that there is a consensus right now in our society about some of these things.

So, the mixed message issue is real. It is part of the environment that you are working in.

MS. SCHWARTZ: Your comment just brought a thought. Maybe this is actually -- sometimes we are trying to explain things to people and we are sort of in a defensive role because we have to, and they have to understand something.

Maybe this is presenting a huge opportunity here to actually let people know that they have rights in general. Lots of people who don't even think they have the right to ask the doctor questions -- we certainly know this is a big issue -- maybe HIPAA does present, if you look at it in a different paradigm, an opportunity to educate people about their right, and also maybe it helps to, instead of asking what behavior we want them to have or what we want them to do, maybe we just need to clarify their role.

What is their role in all this now? Maybe that is an easy way to think about a campaign or what they need to know, if we can clarify their role.

It would be great if we could just have something that says, you can now do this, you now have the right to do that. You can ask your doctor this. You can take your record here. You can complain to this.

That might be a really great opportunity, if we think a little bit broader than just the privacy standards.

MR. ROTHSTEIN: Thank you. We have time for two brief questions and two brief answers.

DR. ZUBELDIA: Following up on your question, about once a year, the Medicare beneficiaries get this in the mail, and that is $30 million worth of expense.

At least most likely 12 times a year they get a Medicare summary notice, which replaces what used to be the explanation of benefits.

That Medicare summary notice, in this booklet it explains that Section 18 is a general information section, provides important Medicare news and information.

Would that be a good mechanism? The reason I am saying this is that it is not just Medicare. Every payer in the country sends remittance advice on paper today to the provider, and explanations of benefits to the patients on paper today. It would cost very little to add a little corner and print a message there, that concerns the privacy rights.

Since you are media experts and communication experts, is that a good mechanism? If I don't read very many communications from my payers, one that I certainly read is the explanation of benefits, to find out how much I need to pay after they pay their part.

It is a very good mechanism. Is that something that should be used?

MS. MC MULLAN: I can tell you, just from the Medicare summary notice perspective, that that is very highly sought out real estate, to get information on the Medicare summary notice.

Because people are looking at it to see what their liability is, what has been covered, what their liability is, if there has been any denied charge that they can take an action, that their frame of mind is really more in the payment mode.

We can look at what the opportunities would be to put privacy notice information on there. I just don't know how meaningful it would be.

People become accustomed to it, and don't pay attention to messages unless it is relevant to them. That is one of the most important parts of what we have learned over the time of doing what we have been doing.

You have to provide access to information because people seek it when it is relevant to them, not when we want them to know it, but when it is relevant to them.

That is why the approach we have taken is more of an access approach, rather than a constant information approach.

DR. LEFEBVRE: Briefly, I would also encourage you to explore as many different channels and opportunities to get the message across to people as possible, and not just solely on two or three.

Again, the advertising research suggests that it takes at least seven exposures to a message before a person even pays attention to it and remembers it. There, you are talking about 30-second commercials, not one page or nine page summaries of rules and regulations.

DR. BAUR: I was just going to say, I think it is a research question, whether that information belongs in that print out or not.

DR. DANAHER: I just would like to make one quick point, just to CMS, because I am always struck by the purchasing power and influence that CMS can have on the marketplace.

A typical Medicare beneficiary, who accesses the health care system, will now, in this, get probably four different notices of privacy practices, one from Medicare, one from the contracted Medicare carrier -- Blue Cross/Blue Shield of Alabama -- one from the provider that they are going to see, the doctor they are going to see, and one if they have to be hospitalized.

I guess I would just push for harmonization. Wouldn't it be great if Medicare could use -- I don't think you would get that much push back from these different entities if you were to say, you know, for our Medicare beneficiaries, this is the notice of privacy practice we would like to use, or whatever.

I just kind of throw that out to you because I think one of the reasons why people throw away the notices in their financial statements is that, you know, it all says different things depending on the bank it comes from, and it just dilutes and waters down the message.

So, if there was kind of one official notice of privacy practice blessed by Medicare, that the Medicare carriers use and the Medicare providers use, I think it would be less confusing for the Medicare beneficiary.

DR. DANAHER: With that, I want to thank you again for some very unique and stimulating views. We will stand adjourned for lunch until 1:45. I would ask that the panel members for panel 3 as well as the members of the subcommittee plan to begin promptly at 1:45, so we are not too late.

[Whereupon, at 12:52 p.m., the meeting was recessed, to reconvene at 1:45 p.m., that same day.]


A F T E R N O O N S E S S I O N (1:55 p.m.)

MR. ROTHSTEIN: Good afternoon. We will go to the third of our four panels today, dealing with HIPAA implementation issues, and this is the Subcommittee on Privacy and Confidentiality, of the National Committee on Vital and Health Statistics.

I would like to welcome our four afternoon panel members, and I want to just remind you that you will be asked to provide 10 to 15 minutes of testimony.

I will hold up a sign when you are down to one minute. Then, after each of your comments, we will ask the subcommittee members if they have any clarifying questions. Usually there are not, but occasionally there are. Then, at the end, we will have a panel discussion of the issues that were raised.

So, if there are no further questions, I would like to welcome all of you and ask Mr. Rich Lobb to begin.

Agenda Item: Panel 3. Health Systems and Institutional Providers. Rich Lobb.

MR. LOBB: Thank you, Mr. Chairman and committee members. My name is Rich Lobb. I am the corporate privacy officer for Conemaugh Health Systems.

What I would like to do, I shared with some of you folks right before I got here, I just got bifocals. They tell me at this stage I need them. So, I am trying to adjust in reading with bifocals for the very first time.

So, if I happen to ad lib a little bit, please bear with me. I will also try to embellish some of the comments that were made earlier by the morning group, where I see it might help to better interpret and understand for you folks.

My focus is going to be tactical from an implementation perspective. I will just give you a little bit of background on myself.

I have been in health care for 20 years. I worked both in physician practice management, home health, acute care, in finance, in patient accounting, in medical information systems, as well as, just recently, in compliance, moving over to compliance for the privacy implementation.

I also serve as the co-chair of the EPA Alliance Organization out of Pennsylvania. It is an alliance that represents the providers of Pennsylvania for outreach, for this year at least, associated with HIPAA.

That would be for institutional providers as well as professional providers in the allied health services that are affected by HIPAA.

To that event, what I will do here is briefly explain who we are, because I know we have a time limit. I don't want to waste all of our time on Conemaugh Health Systems.

Just to give you the breadth of the challenges related to HIPAA implementation that we have to deal with, we are an acute care facility. We are a system.

We have four acute care facilities, one of the largest ones between Harrisburg and Pittsburgh, and our primary care facility is called Memorial Medical Center. We service actually half a million patients a year through these acute care facilities, as well as we have a physician organization that has around 70 physicians.

We have home health, we have rehabilitation services. We have nursing care centers. We also are a teaching facility for Trauma I ER services, and we have a large allied health education program also.

As you can see, we have numerous challenges surrounding HIPAA implementation at our facility. We also are a self funded group health plan, which throws in the mix more challenges for HIPAA implementation.

You folks might be aware of Conemaugh, although you probably don't recognize the name. This summer, late summer, we were brought to the spotlight. The Quecreek Mine disaster happened 27 miles away from our facility.

We were the facility that was lucky enough to receive most of the miners that needed medical care and review in our facility.

So, we had a wake up call when it came to privacy, relative to that service that we provided the miners.

With that said, I would like to just give you an overview of how we approached our governance, and then move through our implementation process with you.

About a year ago, they approached me, and I am not sure why they approached me, but they did, to sit in as the privacy officer for our organization.

I think it had to do with three things. One, transaction code sets, which I was familiar with, two, information systems which I was familiar with and, three, privacy, which I had absolutely nothing to do with and had no idea what I was doing when I got into it.

When I did get into it, I was blessed with the ability to report to a board. We actually have a corporate compliance committee, which is a subset of Conemaugh Health Systems' board of trustees that I report to.

I report up to them between eight to 10 times a year. So, the board, at the board level, is very familiar with what we are doing, and our challenges as well as our successes in implementing HIPAA within our institution.

Along with that, we have formed a committee, a small working committee, that consists of approximately 20 folks that represented each of our entities, and our subgroup of services, such as our rehab facilities and nursing care facilities.

The focus around that working committee was really to help define policy development, to help with the interpretation of the rule.

Most of the folks that sit on that committee are folks directly impacted by HIPAA, such as our medical records directors, our patient intake or patient registration folks.

So, we made a concerted effort to try to spread the wealth out and have the folks serve on that committee that had the most impact on trying to implement this law.

Where we are at right now is, we broke out in a few subsets we call work groups. A couple of work groups that we have, I would like to just share with you, and I will give you the intent of each work group.

The patient intake work group, which addresses the notice of privacy practice and the restriction processes and the logistics involved with making it happen.

We have an HR work group which is geared toward the self funded group health plan issues and compliance around those issues with HIPAA.

We have a transaction code set work group, which is obviously focused around compliance with the transaction code set initiative.

We have a security work group, which is focused right now around both the ISO international standards as well as the proposed security rule information that is out there currently.

The focus of that is to assess a risk, and to develop a strategy to mitigate those risks as we move forward.

We also have a public relations work group. I think this is the one that, in hearing this morning's testimony, might be the most interesting for you to hear more about, so this is where I want to spend most of my time.

The group actually is not kicked off yet. So, when you ask for best practices, I can't tell you if this is a best practice. I have no idea.

I think it will be good and it will serve us appropriately in hitting our target market groups, and we will talk more about that in a minute.

The group is focused toward educating all of our external contract constituents that we come in contact with and share PHI information with, and we will go from there.

The record retention and destruction work group, we are focused around obvious record retention issues, whether it be electronic or paper based, and also destruction of those documents or records after federal requirements or state requirements allow us to.

Each one of these work groups reports up to the working committee, which I obviously sit on all of them, so I get to report out to the working committee.

We hold more meetings, frequent meetings, relative to the work groups than we do for the operational team. The operational team normally meets once a month, and this information is bumped up and shared with the operational team.

If there are any implementation questions at all, or interpretational questions that any of the work groups want to bounce off the main committee, this is when it happens.

Here are my observations. Although the Ops team and work group approach I have taken seems to be a great source of common understanding of the privacy law, as well as a great source of input on how we need to implement, there is limited assistance beyond the scope of scheduled meetings.

Most managers and directors involved in the HIPAA initiative are functional and are very busy on a day-to-day operational basis, dealing with their department needs.

I have also found that most consultants that I have addressed, or have been advertising with HIPAA implementation services, at most, deal at a very high level of assessment of the rule's provisions and not on an operational support level.

I have used very specialized consulting services to help with the security assessment and the risk ranking of assessment results.

Most recently, I am engaged with an EDI consultant or specialist to help us through our transaction data element review.

Conemaugh Health Systems does not have in-house legal counsel that can assist in policy development and serve as a consult to assist with the interpretation of the privacy provisions.

Most of the interpretations of the law's provisions are derived from discussions within the Ops team, reading articles on how others have interpreted the provisions, different associations that we belong to have helped, including the AHA, and also going back to the frequently asked questions on the Department of Health and Human Services web site, and the actual privacy regulation itself.

When I run into conflicts between various sources on provisions interpretation, I do seek assistance of outside legal counsel, which is very expensive. I use outside legal counsel only when there is no other means to assist in the interpretation of the provisions, due to the high cost associated with such services.

To give you an example, we just did one question recently. I got the bill back from the legal counsel and it is close to $700 for the research to get that one answer. So, it is not a cheap process.

Now, to briefly focus on the education and training models that we are using at Conemaugh, I would like to break it down into basically four phases. I do have an attachment that is in your handout that is in the back of the book that shows the different phases and the relationships, in each one of those phases, with the types of education and focus awareness that we are trying to do.

The first one obviously is the awareness phase. What we have done during this phase is meet the requirements of the HIPAA regulation provisions covering general awareness education, by getting the word out on uses and disclosures, and just the general information that everybody needs to know during the course of the awareness phase.

We are actually close to 90 percent, maybe even a little bit beyond 90 percent, complete with that. I know a lot of people have been waiting to do their implementation training, awareness training, based on the modified rule coming out in August.

I chose not to wait for that rule. We have just noted some areas that we knew were concerns and had the potential for change when we were doing the awareness training up front.

The reason for that is that we have so many people to train. It is me who is doing the training. So, I started out actually doing training in person with probably well over 100 or so events of training, until I finally had to back out of that and went somewhat interactive on the internet, and we also made videotapes to assist in our training.

Now, the operational phase we are really getting into now. As each of the work groups progresses through each operational task form and process that needs to be in place to comply with the HIPAA privacy provisions, we are also drafting an approach for dealing with training affected staff.

Now, to assist this training, we turned to the American Health Information Management Association's matrix that they proposed for training staff in house, and I have that as an attachment also.

I think the AHIMA has done an excellent job in focusing specific training needs based on specialized training topics and general training topics, to the different types of positions that are affected by HIPAA.

As you can see, I think it does a very good job, and has worked out a nice outline to be used by myself and others, to help us foster good operational training on issues in our facility.

Now, the external phase is one that I think had kind of interested Stephanie when we had talked on the phone, and I will share with you our plan. Again, it is just a plan. I wouldn't consider it a best practice at this point. It might turn out to be a real lemon. Here is what we are planning on doing.

In the work groups, there was general concern about how our external constituents will view us after we implement our privacy policies.

Initial reaction to any new perceived constraint put on the external constituents usually ends up as discussion over the morning newspaper at Conemaugh Health Systems' expense. We are kind of a small, regional community, and information is shared through the media relatively quickly in our area.

To ward off unnecessary confusion, and to help limit potential miscommunication, I decided to hold a series of public meetings for external constituents, to address privacy policy that could affect them directly.

The following is a list of those external groups we have identified so far. We have identified law enforcement, including district attorneys' offices, social service centers, women and youth, coroners, regional clergy, which I have now had some meetings with already, regional media, nursing homes, boarding homes, rehab facilities. We have tried to work in synergy with these folks to ease the patient intake process, and to help them better understand our requirements under the law, as well as understand and know theirs. Then, funeral homes.

One that I would like to add to the list, we were just talking about this last week, after this was already published, and that was ambulance associations and EMS services.

These public meetings will be held closer to the privacy compliance date. We are not planning on doing this until probably the last two months of compliance, at the end of February into March.

We will try to address both the patient requirements and our administrative duties under the law by sharing with each group a copy of our notice of privacy practice, then review each specific area that the privacy provisions affect them by.

This would obviously entail a very close look at disclosures. One of the gentlemen that testified earlier had mentioned state preemption. It is critical that anybody who is looking at these laws do a state preemption analysis.

We are blessed in our state. We have a group of volunteer attorneys that are coming from different associations and different legal groups that are actually providing us a review of our state preemption, next week at our EPA Alliance HIPAA summit up in Hershey, Pennsylvania, and we are hoping to take that information back and do our own self assessment on a preemption, but it is extremely important that we do that.

We also are trying to work with the regional nursing homes, boarding homes, rehab facilities, to help us with patient intake, by sharing with the patients, who select Conemaugh Health Systems for their facility, as provider of choice, patient intake kits, which would include the notice of privacy practice with acknowledge, patients' right to restrict form, and the patient's right for alternative and confidential communication, which is required during the intake process based on the privacy provisions.

What this would do is facilitate the ease of intake of the patient from the nursing, boarding or rehab facility, into our facility.

The monitoring phase we have yet to develop. We are actually looking for guidance from DHHS on that. The focus is going to be to try to mitigate. So, if we run into an issue where we have an employee that infringes on our policy developed under guidance of the HIPAA privacy regulations, we will mitigate and also follow up as part of our overall service excellence, and continuous quality improvement processes, and we hope, through mitigation, that the issues will be put to rest.

Obviously, sanctioning falls in this somewhere, although I haven't quite figured that out because DHHS hasn't told me anything about it, other than do it.

So, one recommendation, from my perspective, would be, let us know what you want us to do and we will do it, from a very tactical perspective.

Delivery methods that we use for delivering this education is a combination of internet, in person, written communications, focus groups and self-made video training programs where we use skit-based training.

Some of my observations -- I will try to make this as brief as possible, or closing comments, I guess I will go to, since I only have one minute.

As mentioned throughout this testimony, we have done our best job with the interpretation of the privacy provisions based on how the various associations or peers and others and ourselves have interpreted the law.

As the committee is aware, the use of the word responsible -- at least the new modified rule that came out -- the old rule or the OCR rule showed it 34 times within the 42 pages of the unofficial combined privacy rule guide.

The Department of Health and Human Services has done a good job on recent fact sheet publications, and we recommend that they do more of that.

There should be no reason why certain forms could not be developed by DHHS, such as the notice of patient privacy, some of the other forms like PHI restrictions and patients' rights to confidential communications. Even draft policy would help.

It would be helpful also if covered entities better understand what components of the privacy provisions apply to what level of enforcement, whether it be fines, how much, criminal, how long a jail term.

As far as the privacy officer position itself, it is really not a protected position under law. I would ask that the Department of Health and Human Services give the people in these positions some sort of legal authority and protection from their employer, from unfair termination practices.

I don't necessarily mean that I am looking at that from a subjective perspective. I am looking at that from a higher level objective perspective.

The Commonwealth of Pennsylvania is an at-will employment state, and I am sure there are many at-will employment states in the nation.

There should be provisions that are built into the law that protect the privacy officer from actions of their employer that would make objective reasoning in favor of the privacy provisions an endangered event. That we don't want to see. At this point, the time is up.

MR. ROTHSTEIN: Thank you very much, Mr. Lobb. Any questions of a clarifying nature? We will get back to you for our panel discussion. Let's see who is second on our list. Ms. Bowen, please?

Agenda Item: Panel 3. Rita Bowen.

MS. BOWEN: Chairman Rothstein, members of the privacy subcommittee, ladies and gentlemen, good afternoon. My name is Rita Bowen and currently, I am the privacy officer and enterprise director for health information management at Erlanger Health Systems in Chattanooga, Tennessee.

Erlanger is a Hamilton County Hospital Authority, but we serve a region of four states, that being Tennessee, Georgia, Alabama and North Carolina. We are a Level One trauma center, and we do have a residency program associated with the University of Tennessee.

We have multiple campuses on which our services are provided. There are 819 beds, 28,569 annual inpatient visits and 281,674 annual outpatient visits.

As privacy officer and director of health information management, often called the medical record department, my job is to oversee the health information management functions at the enterprise, as well as to implement and assure HIPAA compliance with the privacy regulations.

These are not disparate tasks, inasmuch as the HIM functions contain many of the requirements called for in the privacy requirements.

I am also an active member of the Tennessee Health Information Management Association and the American Health Information Management Association.

These professionals, and these associations, have already been trained in the protections, legal requirements, and release of information functions associated with health information or protected health information exercised in HIM departments throughout the country.

These associations are continuing our tradition of seeking and sharing best practices that could be implemented, in this case, for the HIPAA privacy requirements.

Before commenting on the questions raised by the subcommittee staff, I would like to briefly note some activities that are going on in Tennessee, that I think will help lead to the success for HIPAA privacy.

I am happy to report that, in Tennessee, professional groups such as the Tennessee Health Information Management Association, compliance, technology, attorneys and others are working collaboratively with the Tennessee Hospital Association to share understandings of the privacy regulations and implementation processes and, in turn, developing best practices. This is our push for harmonization.

Our groups have discussed industry best practices, especially regarding fax processes. This was discussed this morning where many hospitals had put up the implications that fax would stop.

We developed a fax best protocol, and many of our hospitals have already implemented this best practice.

THIMA has also appointed HIPAA champions, and I am proud to say that I am one of those champions, to coordinate activities within each geographic region of our state.

The HIPAA champions attend the HIPAA focused meetings at the Tennessee Hospital Association, and have agreed to take information back to their designated regions and discuss and feedback, and bring back to those meetings at the state level.

Each area is hosting meetings and is coordinating educational sessions for physicians and their practice managers.

For example, in Chattanooga, we recently conducted a HIPAA readiness seminar for our patients. This was a joint effort between the Chattanooga area health information management association. We involved the medical group management association, our Hamilton County Medical Society, and the University of Tennessee.

We had 211 participants at that session. While we felt that was a success in having that meeting, we realized that we reached less than 40 percent of the medical practices within our community.

We are making plans to conduct two additional sessions, one specifically aimed at physicians, to educate them regarding HIPAA regulations, and another session focused on the implementation process that will be aimed at office managers. Other areas of our state are doing the same thing.

Also, at our state fall meeting just last week, the HIPAA champions conducted an open question and answer session for HIPAA implementation and best practices discussion.

The panel provided samples of policies that they had developed and indicated that those policies could be shared.

It was also announced that the HIPAA champions were working with an attorney, that has been hired by our Tennessee Hospital Association, in the review and the response regarding state preemption analysis. The results of this analysis process will be disseminated throughout our state.

Nationally, AHIMA, through its electronic communities of practice, provides AHIMA members ready access for discussion threads regarding best practices.

The AHIMA has also provided a number of two-day seminars entitled, Getting Practical with Privacy, which provided attendees with a HIPAA resource book and provided clear direction that could easily be followed. AHIMA is scheduling another series of these seminars for early 2003.

AHIMA also afforded those who are fulfilling the privacy officer role the opportunity to attend an all-day privacy institute during our September national convention.

This institute immediately sold out and three additional institutes had to be scheduled. The institutes dissected the following topics for practical understanding and implementation.

Those topics were business associates, minimum necessary rule, designated record sets, and tracking restrictions.

I was asked to provide the direction on two of the above topics, and found that many of our members are still confused on these topics.

AHIMA has also just finalized a certification in healthcare privacy, and several of our members now hold this certification.

Providing HIM and other professionals with the training and certification pertinent to health care privacy will be helpful to the health care industry, as well as those individuals who, like myself, are thrust into positions that must address the HIPAA regulations and its introduction into our organizations, environment and culture.

This point was also raised this morning, that recognition of some type of certification to programs or to the developers of those programs would be helpful.

The implementation of the HIPAA privacy rule is undoubtedly more difficult than other typical regulations. I believe it will require concerted efforts by many organizations to assure that people are not misled or taken advantage of.

Consulting firms are always ready to step in and assist, as a means of profitability to themselves, to offer advantage to small, uninformed providers.

Over the past year, I have received a flurry of mailings from consultants who want to assist and provide the HIPAA solution.

I believe this flurry comes from them trying to build business, but it has created confusion and havoc among providers, especially small providers that have not had the luxury of working with an appointed HIPAA champion.

I actually heard a consultant tell a physician that HIPAA mandated that he computerize his office.

My own hospital technology vendor, when I asked if they could support a special flag at the enterprise access level, to signify that the patient had requested a restriction to their PHI, indicated that this was not necessary.

The technology vendor advised me that I should just say no to any request to restrict information. This type of misinformation raises concern, because many small providers depend upon consultants and vendors to provide them with a Reader's Digest version of what the regulations say and imply.

I believe that the small providers and other covered entities need targeted, reliable educational programs in various formats and media.

If the Office of Civil Rights cannot provide these educational sessions, or perhaps certify accurate programs, then perhaps they could establish a partnership with an organization such as AHIMA to provide this service. Providing providers and health plans a direction to a reputable source would be very helpful.

Developing forms called for in the HIPAA privacy rule is another issue. It would also be very helpful if OCR could produce and disseminate sample forms, in various languages, such as the core for the patient privacy notice, based on typical provider settings, authorization forms, and acknowledgements.

Assistance in this area of OCR would be helpful to assure that the public is receiving consistent information in these regards, no matter which covered entity they may be dealing with.

OCR should expand its partnership with professional associations such as AHIMA, and other industry non-profit organizations, to leverage and reinforce activities already underway regarding the implementation of the privacy best practices, and to assure that consistent understanding of the rule is applied.

Dr. Harris commented this morning that we need a common conduit for the delivery of good data. Positive partnerships would assure consistent communication to the public and assist in providing practical guidance to covered entities, so they are not at the mercy of misinformed vendors and consultants.

It is important that health care entities understand what is real versus perception. I know that AHIMA has posted best practices on its web site -- ahima.org -- and I know that my association would be very happy to work with the OCR to ensure that these practices are shared with the entire health care community.

Training regarding HIPAA, specifically in regard to privacy, is being conducted in stages. I believe that most large organizations have provided that first level of organization awareness to their staff regarding HIPAA and its implications, should the patient's rights be violated.

This has worked well because it has provided a core understanding to the privacy rule for our work force.

We have focused, in our organization, on the need to know, what to know, and knowing the difference concept. In my institution, we have already developed computerized training.

Our work force is mandated by policy to complete this module annually. HIPAA education has also been added to the orientation of each new associate.

We are currently involved in stage two of our educational efforts to assure that job specific functions are targeted, so that we focus on areas where behavior and practice and routines may need to be changed. I recommend that other organizations organize their training in this methodology.

From my experience and meeting with others engaged in privacy, I find a deficit in physician and dentist practices understanding and education in the HIPAA privacy regulations.

I and other HIM professionals have found many physicians, dentists and other health care providers that still have not heard of HIPAA. While others may have heard the term, they really do not have a full understanding of the impact to their practice, and the need to assure a person's privacy. In part, this is probably due to the fact that such persons have not had a formal HIM function in the past.

Many of these health care professionals and their staff have confused comments and communications regarding delays in implementation, specifically with the option to file a delay for the transactions and code set standards requirements, with the obligations under the privacy rule.

Still others have the opinion that everything is still unsettled, and most likely from publications from Health and Human Services, regarding continued changes due to unintended consequences or clarification issues.

I have also found that large employers with self-funded employee benefit plans have received little to no guidance regarding their information practices subject to the HIPAA privacy rule.

I believe it would be advisable for OCR to target these groups of professionals and covered entities with a marketing or public relations campaign to increase awareness of the privacy rule, the required time lines, and the resources we are discussing here today.

We have also gone through the privacy regulations locally and nationally and found that many are still confused regarding fund raising.

If the OCR could provide additional assistance to promote understanding, and facilitate the implementation process of this requirement, it would be very helpful.

You asked for helpful resources and web sites. I have put together a list of web sites that are part of my formal testimony, broken down between government sites and others.

I found these sites helpful, and I believe they could be of assistance to other health care providers and health plans. Perhaps the OCR could approve the list and list such web resources and link to them from the OCR web site. This would greatly assist health care providers and health plans.

Obviously, my review of these web sites only constitutes my approval. As I have noted in earlier testimony noted this morning, some seal of approval from OCR would be very helpful to the health care community.

Mr. Chairman, that completes my formal testimony. Again, my thanks to you and the subcommittee, for the opportunity to present my reflections and thoughts on this important issue, and questions concerning the implementation of the HIPAA privacy regulations.

If you, the subcommittee, or staff have any questions on these issues, I would be pleased to respond to those this afternoon or in the future.

MR. ROTHSTEIN: Thank you very much. Do we have initial questions? Okay, we will move on to our third panelist, Ms. Weaver.

Agenda Item: Panel 3. Maureen Weaver.

MS. WEAVER: Thank you. Good afternoon. My name is Maureen Weaver and I am a partner in the Connecticut law firm of Wiggin and Dana.

I am here testifying today on behalf of the American Association of Homes and Services for the Aging, otherwise known as AAHSA.

AAHSA represents 5,600 mission-driven, not-for-profit nursing homes, continuing care retirement communities, assisted living and senior housing facilities, and community service organizations.

AAHSA is committed to advancing the vision of healthy, affordable, ethical aging services for America. AAHSA estimates that, every day, its members serve about one million Americans in this regard.

I should say this meeting is somewhat gratuitous because, as we speak right now, AAHSA is holding its annual convention and trade show right down the street at the convention center. So, it was fortuitous for me to be able to come into town and testify here.

I would like to thank the subcommittee for inviting AAHSA to provide its input. AAHSA supports the goals behind HIPAA and its privacy requirements. Confidentiality is a fundamental right reflected in the missions and daily work of AAHSA member facilities.

I would also like to thank all of you. I understand how difficult it is to devote time and attention to these types of activities, and volunteer efforts, I am sure, on the part of many of you.

I am going to read through portions of my testimony, but I will warn you now, I am going to skip around some in the interests of time, so if you are following along, you might lose me a little bit if you are tracking the written part.

Our experience with HIPAA implementation among smaller providers -- because I understand that you would really like us to focus on smaller providers today, and many of our members are probably what you would consider to be smaller providers.

Our experience is very consistent with what I have seen this committee reporting out to date. I looked at the report of the last meeting that was held in Boston, and there are experiences that many of our members, and many of the smaller providers that my firm deals with, whether they be nursing homes or physicians or home health care agencies, are far from being fully compliant with the privacy rules, and many of them have not even yet started.

Now, let's take the AAHSA membership, for example. Some of our members are larger organizations, like hospitals and health systems, and they have internal resources, or they benefitted from earlier implementation efforts by their health systems that they belong to.

We have many smaller facilities among our membership. For example, we could have the 60-bed rural nursing home, or a 30-bed facility that is affiliated with a low income senior housing project.

These organizations have not been able to get up to the mark in terms of implementation efforts. The only logical privacy official in these organizations might be the administrator or the director of nursing services. Yet, on any given day, you could call a facility and find that the administrator himself is answering the phones. That happened to me once with one of my 60-bed rural nursing home clients.

You might walk into the facility and find out the director of nursing is distracted from even learning about HIPAA because she has got to go cover a shift for a nurse that called out sick. You know, we have a nursing shortage out there right now, and that acutely affects some of the smaller providers.

These providers can't run alone to the finish line on April 14. They definitely need help. Now, AAHSA, like many trade associations -- we heard about some of these efforts today -- has taken steps to help its members.

AAHSA has offered numerous educational sessions on HIPAA, to raise awareness at annual meetings.

I know I gave the first AAHSA talk on HIPAA back in 1998, and I had a room full of about five people and they were mostly consultants.

Today, I am proud to say that I just finished a two-hour session down at the convention center, and we had a brimming room full of 250 people who stayed late and followed us out with all sorts of questions. It was obvious that they were very much tuned in to the privacy rule requirements, and many of them were well on their way to implementing it.

In addition to these educational efforts, AAHSA published a handbook last year, which I authored, along with other members of my firm, especially geared to long-term care providers in HIPAA.

I was talking to Stephanie earlier, before we began the formal part of the proceeding, about how the long-term care providers, we are not only concerned about state preemption issues. We are also concerned about federal laws that impact with privacy rules -- for instance, OBRA, the Medicare conditions of participation for long-term care providers, nursing homes.

There are several OBRA provisions that are more restrictive, more stringent, more protective of patients' rights than HIPAA laws.

So, our long-term providers can't go out and purchase these form notices for privacy practices, or forms for right to request access. There are specific issues that they will need to address that speak to OBRA.

For example, under OBRA, the right to access, a nursing home resident has the right to request access orally or in writing, and the facility has to provide access within 24 hours, instead of the 30-day turn around requirement that we have under the HIPAA privacy rule.

There are other provisions that are more restrictive, for example, right to request restrictions. Under OBRA provisions, a resident has the right to request restrictions on the disclosure of any information, with very few exceptions. That is an absolute right.

Under the privacy rule, that is an option the facility can consider and make a reasonable determination about whether or not they want to honor the request. Under OBRA, you have to honor the request, except under certain specially-limited circumstances.

So, our book focused in on some of these specialized concerns for long-term care providers and, over the next several months, AAHSA intends to roll out audio conference sessions as well as provide model policies and procedures.

Now, aside from AAHSA's efforts at the national level, many of our state affiliates are providing assistance to members as well, and some have developed some very innovative, resourceful approaches.

Many of these facilities can't afford lawyers to come in at whatever it is, $700 an hour, whatever the fees may be, to provide these HIPAA services.

So, in some instances, organizations have pooled resources. In my state -- that is Connecticut -- a group of long-term care providers that are part of AAHSA's Connecticut affiliate, have banded together to form a HIPAA partnership.

They pooled their resources to engage my firm and the help of some other consultants, some being volunteer from some other larger organizations, to develop best practices and develop model policies and procedures and forms that are compliant with OBRA, that are also compliant with state law requirements.

The way we put it together is by using the collaborative model. The partnership divided into functional work groups, such as clinical, administrative, business office, medical records and information systems. Each of these groups worked together to articulate model policies and to tease out some of the real troubling issues.

Fund raising is a big issue for us. We are all not-for-profit providers and there are some real sticky questions in fund raising areas, as well as the marketing area, too.

One notable benefit of the collaborative approach has been the networking and support function provided for participants as a result of our HIPAA partnership.

CANPFA, which is our Connecticut Affiliate, is now going to form a medical record health information council as a permanent portion of the association and have particular meetings for that group.

In addition, one of our goals in designing this structure was to foster best practices, and it is a little too early to tell, but we think we are well on our way.

For example, HIPAA partnership members developed a process for members to use in identifying business associates in a long-term care setting and in obtaining business associate agreements, an actual functional operational process that a long-term care business can follow for that purpose.

These efforts are not enough to get all of these providers to the finish line. HHS really needs to help, too. I provided some ideas along these lines in my written remarks here.

I won't go into detail. I am just going to hit on some of the main points. I think, first and foremost, we would really like to see a practical meaning given to that word, scalable, that pops up in all the regulations.

What does it really mean to that nursing home administrator, who has to answer phones and implement HIPAA at the same time, and doesn't have a lot of resources in either people or time or money to help them out with that.

Are there minimum steps that a smaller facility can take and be in compliance, recognizing the reality that some organizations realistically do not have the option to fully master and implement every aspect of the privacy rule in the five months they have left. It is just not going to happen.

If OCR could really ramp up the Q&A process and provide feedback through its web site, it would be really helpful for long-term care providers, for example, if OCR would talk to CMS, the part of CMS that oversees long-term care survey and certification.

For example, we have got one issue out there in long-term care where we are so heavily regulated that the average nursing home could see state inspectors coming in maybe two or three times a month.

Every time that state inspector comes in, there is a disclosure of PHI that has to be tracked and disclosed, if accounting is ever requested.

Well, how is that all going to pan out and how are facilities going to keep track of those types of disclosures, particularly when surveyors aren't exactly in the habit of telling you what they looked at in a patient's record when they come in.

We also support the recommendations that we develop some model forms for our members. In particular, many of the elderly folks do not speak English as their primary language, and translating forms into foreign languages would also help.

We would like to see OCR work with states to help them reconcile some of the inconsistencies that I just talked about at the federal level.

I think, in terms of preemption analysis, we have done the preemption analysis for Connecticut. We found that, for the most part, HIPAA does not preempt state laws.

We have many state laws that are more restrictive and more protective, and there is a need to alter model forms and educate providers about that.

Finally, I wasn't able to be here this morning, but I did see in some of the written testimony references to the high cost of HIPAA implementation, and some of the testimony so far this afternoon has referred to that.

I will be the daring one to ask the question, and that is whether or not it is possible at all for at least state Medicaid programs to recognize providers' costs attributable to Medicaid for HIPAA implementation efforts.

This is particularly an issue for nursing homes. Nursing homes are supported by government payers. For the most part, nursing homes derive 75 to 80 percent of their revenues from Medicaid programs.

Some states, including ours, do have provisions that allow for recognizing the costs of implementing federal initiatives. They have caps and issues with them.

It would be very helpful if there could be at least a dialogue started along these lines. I know budgets are tight and it might be a pipe dream on my part to even make the suggestion, but I think it is a critical issue for many of these facilities.

In closing, I would just like to say that AAHSA very much appreciates this opportunity to share its views. We would be very happy to answer questions formally here, or go into more detail or provide you with more information about some of the issues I referred to before, the special issues for long-term care providers. Thank you very much.

MR. ROTHSTEIN: Thank you. Do we have any immediate questions? Hearing none, then we will move to our final witness, Ms. Meinhardt.

Agenda Item: Panel 3. Robyn A. Meinhardt.

MS. MEINHARDT: Thank you. Thank you for inviting me here to talk about the issues facing the long-term care industry.

I come at it from a little bit different perspective than Maureen. So, I think, actually, our perspectives will blend together in a way that will give you a pretty good picture of what is going on in that industry.

I was invited here today, as far as I understand it, because my health law practice includes working with skilled nursing and other long-term care clients on HIPAA issues.

I have canvassed a number of people I know, either lawyers for the industry, people in the industry, people in trade associations, that work in that industry to bring together the comments that I am going to give to you today, so that you can get a broader picture.

I have four main points that I want to make today. The first is that the long-term care industry is a varied industry. It is not the same kinds of providers that you find throughout.

There is a real spectrum of services that are provided there. There is also a wide spread between the types of resources that are available to the people in that industry.

The large players, the large brand-name organizations, the chain organizations, have a lot more resources and are a lot farther along in HIPAA implementation than independent owner/operators of independent facilities, and I will talk about that in some more detail.

The second point is that the industry, as a whole, needs to get from HHS clear and specific guidelines on how these privacy rules apply to what goes on in their industry.

It is clear that, when you read the rules, they were not written from anything close to a long-term care perspective. I will give you some examples of that.

Also, resources at skilled nursing facilities and other long-term care providers are extremely limited, in part because of the numerous regulatory structures that they struggle under on a day-to-day basis.

Finally, staff in these facilities tend to be less well educated than, say, staff in the acute care setting. These facilities struggle to get staff, struggle to retain them.

So, when you are talking about training staff in HIPAA issues, we need clear guidance from HHS in terms of what is required, and that needs to be in language that those staff members can understand and apply in their daily work.

My third point is that there is a lack of clarity in the health plan definition in the rules, and this includes in the statute.

Because of the current catch all provision in the health plan definition, there is confusion that continuing care contracts might be considered to be health plans.

We have asked for guidance on that from CMS, and that has not been forthcoming as of this date.

Finally, I want to note that the industry is very concerned about enforcement of HIPAA. They have had a lot of experience with state surveyors coming in with non-standardized interpretations of various regulatory schemes. HIPAA is not going to be any different.

The promise of kinder and gentler enforcement probably will not make its way down to the state surveyors. So, that is probably not what we are going to see. Now, I will address each of these in some more detail for you.

First of all, the long-term care industry does provide a number of different types of layers of care. If we want to talk about those in sort of an order of acuity, we would start with home care providers, home visitors, people that provide companionship and basic house cleaning, errand running kinds of services, moving on up to home health care, which would be a covered entity type provider, if they engage in transactions.

Then, assisted living facilities, a little more acute, moving up to sub-acute care facilities and then, finally, skilled nursing facilities, and there are any number of variations on each of those themes, depending on the state that you are in.

These may be stand alone facilities, or they might be a part of what can be called multi-level retirement communities, where the residents are moved up through various, and back down through various levels of acuity of care, depending on their health needs.

It is against this backdrop that all these various players in the long-term care industry are trying to structure their HIPAA compliance, and that their trade associations are trying to deal with as they come up with models for these people.

There have been some efforts made at providing these types of assistance. I was pleased to hear Maureen talk about another guidance document that I hadn't heard of until today.

The National Center for Assisted Living has published a HIPAA policy manual that has been prepared by an Ohio law firm, Rolf and Goffman. I haven't seen it, but I have talked to people who are implementing it, who are using it.

There are three different versions of the manual that are available, including a version for skilled nursing facilities.

The price is extremely reasonable, based on what I see in the marketplace, $199 for members of the association and $249 for non-members. That is a very usable price.

I understand that more than 2,000 copies have been sold to date. The Florida Long-Term Care Association apparently just bought 500 for resale to its various members. So, that is a bright spot.

The Centers for Medicare and Medicaid Services, CMS, has been holding monthly hour-long conference calls for long-term care providers.

While that is a laudable effort, reports about the effectiveness of those calls are mixed. The most common complaint is that, when privacy-related questions are asked, the caller is instructed to put the question in writing and submit it through the web site.

There have been no answers forthcoming yet to those questions, at least not for the people I talked to.

Granted, this is CMS. They are dealing with transaction standards, by and large, and they are being asked privacy questions. The reason they are being asked privacy questions is because we have gotten very few answers on privacy questions from anybody at DHHS.

Despite these various implementation efforts that are being made, and help that is being provided to long-term care providers, there is a concern that many, and perhaps most, of the independent owner/operators of skilled nursing and other types of long-term care facilities, are simply not aware of HIPAA.

They don't know how to spell HIPAA yet, and they haven't given any thought to implementing. I have heard that from a number of people across the industry.

It is this group that now needs special attention and assistance and specific guidance. People say that, for this group, HIPAA is not a factor. It is simply not on their radar screen whatever, and this is something that DHHS, I believe, needs to pay attention to at this point in time.

I would like to focus on the type of guidance that DHHS needs to give to the long-term care industry. I mentioned that, reading through the privacy rule from a long-term care perspective illustrates very well that they did not have long-term care facilities in mind when they wrote these regulations.

For example, the rules on marketing, the rules on incidental disclosures, minimum necessary, physical safeguards, all of these rules impact common uses of protected health information in the residential care setting.

For example, they often have community celebrations of residents' birthdays. They send periodic newsletters which include specifics about some of the residents. They may have pictures. They may have some notation about something special that happened about an individual. They list birthdays, in those letters.

They feel that this kind of communication with the families of the residents is very important to keep the families in touch with what is going on with their relative, who lives in that facility.

They also post names and room numbers in the lobby to facilitate visitation. There is not always somebody sitting out in the front like there is in hospitals. They don't have that many staff members available. So, they post the names and room numbers, so that visitors can find the person that they are looking for when they come in.

They include the type of diet, along with the name and room number, on the tray, in order to make sure that the right meal gets to the right person and so on.

Also, the minimum necessary rule seems to get in the way of the common practice of telling ancillary staff certain pieces of information about residents' problems or special needs, so that the housekeeping staff can help create the therapeutic environment they want to create for people who live in these facilities.

To try to put this in perspective, I want you to try to imagine, just briefly, how you would deal with the privacy rule, if HIPAA's jurisdiction were suddenly expanded to include activities in your own home, the place where you live, and where you expect other people to treat you like family, where you want it to be the place where everybody knows your name. It is far different from the hospital setting.

For example, you can imagine having business associate contracts with the baby sitter, separate mail boxes for each family member, a lock on bathroom cabinet doors or, actually, individual bathrooms.

Obviously, there is a spectrum here that I am talking about. HIPAA is not going to apply to your own home, and these are not the kinds of things that will apply in residential care settings.

Residential care settings are at a completely different point on that spectrum than acute care settings, which the rules were aimed at.

Because of that, we need to get more guidance from HHS as to how it sees these rules fitting into a residential type of setting, when people live there for a very long time. They don't have acute, short episodes of care.

DHHS has announced that it is working on technical materials for various health industry segments, and I presume that this is going to include the long-term care industry.

The Long-Term Care Consortium, which is a group of about 20 of the largest long-term care companies, has been working for two years now, to develop model documents and implementation guidance for their members and other people in the industry.

The consortium recently contacted the Office of Civil Rights, to discuss their concerns and to offer their materials to OCR for its use in developing these technical materials for the long-term care industry.

For some reason, OCR declined that offer, and it is not clear why they did that.

Long-term care, I believe, is in danger of getting lost in the shuffle when it comes to getting this kind of guidance from DHHS about HIPAA.

In order to provide meaningful and usable guidance to the long-term care industry, DHHS must include representatives of the industry in the development of that guidance, or it is not going to be of any help whatsoever.

Furthermore, they need to include these representatives on an urgent basis.

The guidance needs to focus more on what can be done, as opposed to being a listing of what cannot be done.

The guidance needs to be written at the same reading level that HHS expects people to write their notice of privacy practices at.

The reason for that is because, again, the lower educational level, on average, of people who work in long-term care facilities. They need to be able to read and understand these kinds of guidance and comments from HHS.

Finally, long-term care organizations need to have available some kind of responsive forum for asking questions and getting answers to their specific concerns.

DHHS has not yet addressed this, has not yet provided it. The current written question and answer method that OCR offers is not responsive to this industry segment or, frankly, to any other health care industry segment that I am aware of.

Moving to my third point, DHHS needs to issue more guidance on the health plan definition. Now, this is a relatively small and discrete point, but I just want to bring it to your attention briefly.

For long-term care, this particular guidance should state whether or under what circumstances continuing care contracts will or will not be deemed to be health plans under HIPAA.

These continuing care contracts are relatively common in the long-term care industry. Under these contracts, an individual in a multi-level retirement community agrees that the multi-level retirement community, or the MLRC, will provide residential care in the setting that best meets the resident's needs at the time, depending on what their health needs are.

The problem is that, under the catch-all definition of health plan, there is no concept anywhere in the regulations or in the preamble of risk, and no discussion of what a plan is.

There is the implication that a health plan is an entity that accepts some kind of risk or provides some kind of insurance that involves risk, but there is no explicit recognition of that.

The catch-all definition, then, doesn't have that concept built into it, and the catch-all definition reads as follows: any other individual or group plan or combination of individual or group plan that provides or pays the cost of medical care.

These continuing care contracts can fall under that definition, if you don't imply some definition of insurance or risk.

Therefore, HHS needs to provide some guidance on this particular definition, again, not just for this industry, but this issue comes up across the health care industry, in terms of other types of entities wondering if they are health plans or not. We hope that this issue gets resolved before April 14, 2003.

Finally, I want to talk about the enforcement issues a little bit more. The long-term care industry's enforcement concerns are based on their past experiences with enforcement of other regulatory schemes.

These facilities are frequently surveyed by state agency representatives, who are applying federal laws, and they often do not interpret those laws consistently, either in the state agency itself or even one surveyor, from one visit to the next.

Because of this, because HIPAA surveys will almost certainly be conducted by state agency surveyors, there is understandable concern that these enforcement actions that come about as a result of state surveyor activity are not going to be the kinder, gentler types of surveys that have been promised by OCR.

The privacy rule itself is ambiguous. This committee has noted that strongly recently. That allows, of course, for a wide range of interpretations, and when it is the state surveyors that are making those interpretations, that makes compliance very difficult, and increases the risk of liability in the context of enforcement actions.

So, the industry needs clear guidance from HHS as to the specifics of privacy rule implementation in the privacy rule context, and that guidance needs to flow down to the state surveyors, as well as the people who are trying to implement the rule.

There is also a real concern about the lack of guidance on the preemption of state law with respect to enforcement issues.

There is, as yet, no nationwide preemption analysis that definitively lays out the laws with which nationwide long-term care providers must comply.

There are some states that have done pieces or parts or all of their own preemption analysis, but there is nothing on a nationwide basis, as of yet.

As a result, the costs of implementation efforts are rising as policies and procedures must be redone, as various interpretations of state laws filter down, and the staff then needs to be retrained on those revised policies and procedures. All of this, of course, adds to the cost.

DHHS has declined, at the request of one of the long-term care trade associations recently, to be involved in the various preemption analyses efforts that have been undertaken to date.

That is understandable. It is the courts that will eventually determine whether a state law is preempted or not, and DHHS' blessing, if you will, on any particular preemption analysis probably wouldn't carry a lot of weight with a court.

That is not any comfort to the people who are trying to implement these laws and to come into compliance.

As Maureen mentioned, many long-term care facilities get surveyed for privacy issues, in particular, both by CMS and OCR. The request, again, by a trade association for the long-term care industry was recently made to CMS that it consolidate, or at least coordinate, its privacy survey process with OCR. There has been no response to that request to date.

In closing, thank you very much for listening to these concerns. I do believe that the long-term care industry is an embattled one and needs some special assistance in regard to implementing these very ambiguous regulations.

There is a lot of work to be done, and I thank those on this committee who are in a position to help bring pressure to bear on DHHS to provide assistance. Thank you.

MR. ROTHSTEIN: Thank you, and thank all of you for a very illuminating testimony that I am sure my colleagues will want to follow up on. The floor is now open.

MS. KAMINSKY: Just one clarifying question, please. These continuing care contracts that you mentioned in your testimony, are these contracts that are issued by nursing homes as opposed to health insurers? I am a little confused.

MS. MEINHARDT: Yes, they are usually offered by multi-level retirement communities that have an independent living section, they have an assisted living section, they might have a sub-acute section in their company and they might have a skilled nursing facility. They don't usually have a hospital. That would be outside the contract.

So, they are issued, they are a contract that is agreed to by a resident coming in, and that company that runs all those various parts of its organization.

MS. KAMINSKY: As you said, there is really no risk associated, it is really sort of a debit as you use it kind of situation?

MS. MEINHARDT: What it amounts to is that the provider of care, which is the company at all levels, ends up billing the resident for whatever level of care the resident is getting at the time, whether it is on a monthly or quarterly basis.

So, it is really no different than a hospital billing a patient for a hospital stay.

MS. WEAVER: Maybe I can clarify that a little bit. There are continuing care retirement communities with contractual arrangements where there is an element of risk involved, where the resident will enter the facility and pay an up front entrance fee.

Then there are different models of how that is structured. In some cases, there is a draw down on the entrance fee. In other cases, the facility will basically be taking about 15 percent of that entrance fee and using that to fund its operations, and then the balance gets returned to the resident or their estate, in the event they are discharged or they pass away.

So, it is not quite real estate, it is not quite insurance. It kind of falls in between the two.

MR. ROTHSTEIN: I have a question. Mr. Lobb, I think you didn't get a chance to go through, or answer, the following questions that your colleagues on the panel did, and that is, I know that the institution that you are affiliated with has taken many steps to get into compliance with the HIPAA privacy rule. What actions, on the part of OCR or HHS could have made your job easier?

In answering that question, or thinking ahead to what sort of steps could be taken to facilitate compliance by other covered entities?

MR. LOBB: I think, in looking back at the journey I have made so far with this, in our institution, if I had one recommendation, I would say a much better, detailed, focused approach on the subjective information that is in the regs -- reasonableness, just a definition of -- I was even just looking this morning.

Minimum necessity is not really defined well in there. Incidental disclosures are not defined well in there. I guess it is preemptive, from our perspective of what we interpret those to mean.

The general awareness education component that we have done, I have changed a few times, in going through the regs, learning what other people were doing.

If DHHS or OCR was a little bit more clear up front of what mandates or requirements make up a training and education, I might have been able to do that and presented that information more comprehensively at the beginning, instead of having to go back and make iterational changes to it.

The guidance that DHHS has put out is very good. I think compliments need to be made to them for doing that. My perspective would be the more guidance the better. Again, it is our interpretation of this regulation.

I can't turn to an attorney all the time, because of the cost. I am relying on my medical records directors a lot to assist in definitions of disclosures, and how that impacts our hospital environment.

The more definition, the more guidance to help alleviate the interpretation, the better, from our perspective.

Another thing I could comment on, this came out in Modern Health Care last week. When the CMS had made this comment -- and I know where they are coming from when they made this comment -- the article was written around looking for more time. Twenty-five percent of the organizations requested extensions. It goes through defining about 500,000 health care providers out of two million.

There was a comment that was made somewhere along the way, and I will read this. It says, although the deadline now has passed, CMS officials don't plan aggressive enforcement of electronic standards quite yet.

That takes kind of the bite out of enforcement. Our administration, gratefully so, and the CEOs, are sitting out with a lot on their plate, a lot more than HIPAA privacy at this point, and they are looking at this, they are reading this information and they are thinking, gee, there are not going to be a lot of issues relative to compliance and enforcement issues.

If any, a recommendation I could make is better delineation of the requirements, down to very specific level requirements for institutions would help.

I know that everybody has their different requirements, different market groups and different providers, and that has been an issue and a theme throughout this whole hearing. So, that is the recommendation that I could make.

MR. ROTHSTEIN: Thank you. Other questions?

DR. HARDING: This is just a puzzlement to me. We were talking in the last panel a little bit about double messages.

One of them that always keeps ringing in my ears here, as you all were talking, is that you are asking for specifics and definitions of things, but on the other hand, used the reasonable standard. The two are kind of opposite or mutually exclusive or something.

Is there a type of regulation that we should be more specific about and one that we should use the reasonableness standard on, or how do we separate those two? I didn't word that question very well. I hope you got my point.

MS. BOWEN: From my perspective, from discussing with other HIM professionals, we are having trouble with tracking restrictions.

Everybody's first reaction is just to say no. Really, you can't just say no until you have that reasonable factor. So, that is what we are looking at.

What is reasonable for a person to ask, under the tracking restrictions that they may ask us to do. What should you have as some examples of things that you should try to make efforts to meet?

That would be very helpful for us, to kind of have some guidance from that standpoint. We are working with the communities from our practice centers to look at that and see what everyone else is doing.

We feel like if we are at least all doing the same thing, we will be out there together in the same boat, so to speak, but it would be helpful to receive that guidance.

MS. MEINHARDT: Could I respond to that as well? It does seem to me that the point, I believe, that the panelists are trying to make is that, to the extent that HHS has something in mind it wants people to do or not do, they need to let us know that.

I understand, for example, that they are now sending out guidance to the OCR regions about what to look for in enforcement. Why don't they give us that information, so that we know what it is they want us to do and what it is they don't want us to do.

To the extent they have something specific in mind, let us know. Otherwise, let us use the reasonableness standard.

MS. KAMINSKY: I just want to interject. There has been no guidance sent to the regions on what the enforcement process will look like in the future. That has not been done.

MS. MEINHARDT: Okay. I heard that from the Region Eight OCR folks. So, whatever.

MS. KAMINSKY: Maybe we are just having a semantics question here. That is to come in the future.

MR. ROTHSTEIN: Let me pick up on the question that Dr. Harding raised. I think this is the traditional dilemma that regulatory agencies are put in.

That is, if they use language like reasonable, people say, what do you mean, that is too vague. If they go into excruciating detail, then they say they are micromanaging your business and not giving you flexibility.

If you were to choose between one of these two, I mean, obviously the people who are interpreting the privacy rule and providing guidance need to negotiate between those extremes, but from your perspective, which would be better? In other words, giving you maximum flexibility in terms of how to comply with the spirit of the privacy rule, or spelling things out in detail and giving you very clear information, but perhaps not giving you the flexibility that you want?

MS. WEAVER: I think you make a very good point. There is that tension. I think you have to distinguish between regulation and guidance.

On the one hand, I think HHS is already on the right track, because the regulation itself is probably as specific as you could have made it, when you think about the hundreds of different types of providers and plans and clearinghouses and other entities that are subject to this law.

I think it is in the guidance where we are actually asking for specific answers to questions. There are common operational themes that develop over time as facilities go and try to implement the rule.

For example, I understand that OCR just issued a Q&A addressing the whole issue of names on patient doors. Now, that might seem like a silly little issue, but for a provider, that could be a pretty big issue.

There was some guidance, I understand, that came out and said that putting names on doors in a facility isn't necessarily violating patients' privacy. It is not necessarily the kind of situation where you need to go and get an authorization or give them the right to object.

Again, it might seem like a small point, but it is guidance, and it is giving prompt answers to questions that facilities or hospitals or trade associations raise.

MR. LOBB: I would like to comment about even just the interpretation of a particular rule. We were talking about accounting for disclosures.

Robyn has one take on it. I have another one. We are looking at accounting for disclosures that are more broad than what she is looking at.

She indicated that the state nursing association would be potentially included.

MS. MEINHARDT: It was Rita, actually.

MR. LOBB: Okay, sorry. We were looking at that as an operational requirement. So, we would not account for disclosures for that, for a nursing agency coming in and taking a look -- a state nursing association coming in and taking a look at our skilled nursing facility.

In our interpretation, that would be considered normal operational practice.

MS. MEINHARDT: You mean a licensure agency, a state licensure agency? That is a big issue out there right now. A state licensure agency comes in, conducts a survey. Is that health care operations, or is that required by law in health care oversight?

There are lawyers arguing both sides of the fence out there. I have been telling my clients, based on what I have seen coming out from HHS, that that is health oversight activity. It is a disclosure that needs to be tracked. I know there are others out there giving different advice.

MS. BOWEN: I will just add to that. Our hospital association has advised us that is something that has to be tracked as well.

All the required things that we thought may fall under operations, such as reporting to the cancer registry, vital records, all of that, will be tracked. That is very laborious.

MS. MEINHARDT: These are issues that it does seem HHS could provide guidance on, and it would be very helpful. I know that they have been submitted as formal questions to HHS.

MR. ROTHSTEIN: I am trying to get all of these down. Any other questions? Let me ask you something that came up this morning in both of our panels, and that is your sort of best guess as to what percentage of the covered entities in your field are either in compliance or close to there or making good steps, versus the people who are just in denial or clueless or don't spell HIPAA correctly.

This morning, the figure that we heard repeatedly was, clearly, less than 50 percent and, in some instances, well less than 50 percent. Does that accord with your view from your experience?

MR. LOBB: It does on the professional provider side, on the docs, and some of the allied health practices, like PAs and such.

I would have to say that the institutional side, which I am also a member of our western PA group, our compliance group, that represents a fair number of hospitals around the Pittsburgh area, they are all in the midst of HIPAA implementation, at some stage of the implementation.

So, on the institutional provider side, I would say they are probably doing a valid effort in trying to meet that April 14 date.

MS. WEAVER: I think that is a pretty accurate estimate for long-term care providers I deal with. I would say the estimate is probably a little further south from the 50 percent.

I do think that many of them are in the awareness phase out there. There are not too many of them out there that don't know how to spell HIPAA. I think most of them are educated. It is just a matter of juggling these competing priorities that they have weighing on them, trying to make time for it effectively.

MR. ROTHSTEIN: Any sense on how to reach these people, the ones on the south end of 50 percent?

MS. WEAVER: I think they hear the message. I think it is just a question of giving them the resources they need to do it.

As I said in my testimony, the trade associations are providing that resource, but can only do so much. As I said in my recommendations, I think some of these smaller providers may need some guidance from you all, indicating that they don't have the 100 percent compliance with every aspect of the rule.

Again, this gets back to the reasonableness question. Maybe we need some guidance on the fact that the reasonableness standard does prevail. Maybe that is not so clear and that is why we are all coming up with these real specific kinds of issues. What is reasonable for the size of the proprietor.

DR. ZUBELDIA: One common theme among the many themes that have come across from this panel is the gap in getting responses to the questions.

There is a place where you can ask questions about HIPAA, but perhaps there is not a good place to get answers to those questions.

I would like to know, what is your expectation to get answers to the questions? In some cases, you know that, when you ask a question, you are not going to get a specific answer, but it is going to come as part of further guidance or an answer to FAQs.

Is your expectation that that should happen within a week, a month, six months? What is the expectation that you have for the questions to be, in one way or another, answered by the department?

MS. MEINHARDT: I would just point out that whenever it was that the Office of Civil Rights was first appointed as the guardian of the privacy rule, at some point shortly after that, there was the creation of the OCR web site for the privacy rule, which included an FAQ place, where you could submit a question and it said, we will answer your questions.

That was some time in the year 2000. It was just a couple of weeks ago, maybe three weeks ago, that we got the first responses to any of those questions that had been building up since some time in the year 2000.

I would certainly have expected that we would have gotten answers far sooner than that, and it has just been a mystery as to why we haven't.

I am glad that hopefully the floodgates have now opened and we will be getting a whole slew of responses to questions that have built up over the years, but we have only seen the one set so far.

Speaking as to going forward, I think it would be reasonable to get the answers within a month, is just my own sense. That just is based on the urgency now of folks that are trying to implement that rule that really need that guidance.

If it comes in the form of a response to frequently asked questions, that is fine. I don't think people have the right to expect individualized responses. Still, basic guidance should be forthcoming.

MR. LOBB: The last question I submitted was about two and a half months ago. I do review the frequently asked question site frequently, and I haven't seen any response to ours either, but it has only been two and a half months.

DR. ZUBELDIA: What is your expectation?

MR. LOBB: Well, my expectation would be probably within a month. I am counting on information to be given or shared with me that I can react to, to finalize our policy development and move our implementation plans forward.

If it is three months, six months down the road, it might mean going back, retraining, looking at form redesign, who knows what else, related to fixing the problem.

MS. WEAVER: The next five months is critical, and I would think that a shorter response time would be in order over time. We need the help and we need it more intensively at this point.

DR. ZUBELDIA: What would be your expectation?

MS. WEAVER: Again, I think a month is reasonable, depending on the question. There might be some questions that could be answered, and should be answered, even more quickly than that.

MS. KAMINSKY: I really want to thank all the panelists for the testimony this afternoon, in particular, the long-term care panelists. We haven't heard from that industry, really, so extensively yet, and the testimony was really illustrative and illuminating and interesting and thought provoking. So, I thank you for that.

My question, however, is for Conemaugh. It is sort of a two part question, and it has to do with your designating yourself -- I don't think that is what we would say at OCR -- but the fact that you are an organized health care arrangement.

My first question, it wasn't clear to me whether you could have qualified as an affiliated legal entity, if there is common ownership and control of all those Conemaugh pieces.

MR. LOBB: There is really, truly, no. I mean, we have separate boards. I think that is what has driven it. We have some covenant sharing, but totally separate operational boards. We felt that the OCA would be better suited for us.

MS. KAMINSKY: Given that fact, one of the areas that I have heard over and over again, great concern from major health systems such as yours, is the accounting for disclosures requirements, that businesses coming up with a mechanism to track disclosures seems to be really challenging for folks who are going to be subject to that requirement.

We heard, in the Boston hearing, about at least one example where, with an electronic record, there was some software that was capturing every disclosure that was going on, but that is unique, or not necessarily unique, but a specific situation. I am wondering how you are tackling the account for disclosure?

MR. LOBB: When we started looking at that, we made a broader interpretation than what we have now. We did interpret it originally that it was going to include a lot of different requests coming in.

We use a lot of consultants at our facility to help us with our revenue reimbursement initiatives. There is a lot of information that is shared with these consultants.

So, we were setting up something in our decision support system to collect that information, that we share electronically with these firms.

Then, after we sat down, we actually did use legal counsel for this, and talked a little bit more in depth about accounting for disclosures, and we really could only come up, after discussion, with a few types of court ordered subpoenas that fall outside business operations.

So, we do plan on tracking it, but it is going to be a manual tracking. We don't look at consultant services as anything different than normal operations, because we use them to make business strategy, planning decisions and they are part of our main set of how we do business. So, we consider that normal operational practice.

MS. KAMINSKY: So, essentially, it is going to be a manual tracking mechanism?

MR. LOBB: Manual tracking system for court order subpoenas, and those are the only items we are viewing as disclosures under this law, unless the Department of Health and Human Services can give us better guidance.

MS. BOWEN: Let me offer, from another large facility. We look at it a little differently from that standpoint.

We plan to computerize our tracking in an Access database, because we feel it is a much broader scope that we will have to track, from our state reporting, vital records, birth certificates, death certificates, all of that would have to be logged, according to our interpretation of what we have seen on the postings.

So, we plan to have everything computerized, and it is going to come into one central location to be logged, and that will be through the privacy office. We will have someone there to do that.

MR. ROTHSTEIN: Anything else? I want to thank all four witnesses for the fine testimony. We will take a very brief recess until 3:30, and that will just give us time to have panel number four come forward.

[Brief recess.]

MR. ROTHSTEIN: Welcome back to the hearing of the Subcommittee on Privacy and Confidentiality of the National Committee on Vital and Health Statistics.

I want to greet our panelists for panel number four today, dealing with the issue of universities and HIPAA implementation strategies.

Let me remind you all of the ground rules for the testimony. You will have 10 to 15 minutes to present your initial testimony. At the end of that time, we will entertain questions from the subcommittee members, dealing with clarification type issues.

Then, at the end of the presentations by all the panel members, we will have an open question and answer session.

I want to assure all the witnesses that we are not burnt out from a whole day of testimony. We are just warming up. We are very anxious to hear what you have to say, and we will begin with Ms. Shanley.

MS. SHANLEY: I have a PowerPoint presentation. I seem to have some trouble pulling it up, so I have it in handout form, if you just follow along with me.

DR. DANAHER: I can help you with that. May we have a couple of minutes?

MR. ROTHSTEIN: Certainly. Let me see if I can give you some additional information about what we have been hearing today.

We have heard from various groups of covered entities. We have heard from long-term care, we have heard from different types of health care providers, and we are interested in hearing how universities, in their multitude of roles, are in the process of complying with the HIPAA privacy rule.

Maybe what we ought to do is jump ahead and get another witness, and then we will come back when we are powered up. Mr. Harrington, are you ready to go?

MR. HARRINGTON: Believe it or not, I also have a PowerPoint presentation.

MR. ROTHSTEIN: Ms. Richardson?

MS. RICHARDSON: I don't have a PowerPoint presentation.

MR. ROTHSTEIN: Okay, low tech is good sometimes.

Agenda Item: Panel 4. Universities. Carol Richardson.

MS. RICHARDSON: My name is Carol Richardson. I am from Johns Hopkins Health System and Johns Hopkins University, as the HIPAA administrative coordinator and privacy officer.

I also come to let you know, as an active member of the American Hospital Association and also of the Maryland Health Care Commission's HIPAA working group. Both of them are really in place for different reasons, but to further education of the bodies of people who really utilize the services of our groups, and also to help share information and interpretation, so that we could basically get to the end goal here in mind.

Today, I would like to focus on two areas that really deal with the implementation of the privacy rule, the first item focusing on the accounting for disclosures as it relates to research, and a second item focusing on minimum necessary.

For the accounting for disclosures, this item that I wanted to focus on was dealing with research as it relates to research that is waived on authorization, also research that relates to reviews that are preparatory to research and research on decedents.

For those three areas, the changes that came out in August actually provided an extra provision where, if the accounting for the disclosure included 50 or more individuals' records, that it could be performed in summary form.

If the accounting for disclosures was less than for 50 individuals, it had to be done on an individual-by-individual basis.

I want to focus on this item because, from an individual's perspective, we believe this extra provision does not offer the individual extra protection.

For an individual who may request an accounting and receive an accounting where their information was possibly used for two different research purposes that fall into one of these three items, and possibly one of them was for disclosures less than 50 people, they would receive a very detailed list of those disclosures.

If their information was used also in a research protocol where there was more than 50 individuals, they would receive a summary of their disclosures.

So, from an individual perspective, they may be getting information that appears to be confusing. From an organization perspective of having to track that information, it is difficult to automate that and then also to train the researchers who would be responsible for performing these accountings.

In my testimony, I have offered a few different solutions to address this item. First, asking for short-term clarification of how this could actually be done.

In a research project, in starting out, we may have an idea of how many individuals, the information that we are going to be receiving for that project.

However, over time, the amount of individuals that we have PHIUs for that research project could increase. So, we may end up with a situation where we are doing detailed accountings for a portion of that research project and summary type of accountings near the end of that project, if we have used more than 50 individuals in that disclosure.

So, I think it is a little confusing for not only the people who have to do it, but the people that would receive it.

In the short term, we are asking for clarification but, in the long term, we are asking that the privacy regulations be amended to eliminate the requirement for accounting for waived research.

That would be research that is listed under 164.512(i), or to amend the privacy notice requirements in basically stating that you have to identify yourself as a research organization.

The second issue that I wanted to bring up was just identifying minimum necessary, to look at how this could be implemented within an organization.

First, looking at the use of the paper medical record and the issues that revolve around use of that. The documents that are involved in that paper medical record, it would be very hard to limit access to an individual document that is in there for use.

The issue that we could run into is that the only way to limit access would be possibly to create multiple versions of that paper record, and we feel that is an unworkable solution.

So, the individuals that may need access to it, it would be through policy deemed that they would only use what they would need access to.

From an electronic standpoint of the information that is retained in systems, we are somewhat at the mercy of our vendors' applications that we have purchased, since it is -- a lot of the information that is retained electronically of how an end user actually gains access to it, the information or category or type of information may be co-mingled on a screen for viewing or editing.

So, an individual that would need access to that information may be seeing more than what is considered the minimum necessary but, in order for them to do their job, they would need access to that information.

We feel that some of these items that I have mentioned actually have to be considered when we are implementing the minimum necessary requirements. However, we feel the greater risk and impact of these requirements really relates to the disclosure of PHI. That is all I have.

MR. ROTHSTEIN: Thank you. Any clarification questions? Before we jump back to the beginning, let me clarify, myself, that what we really are seeking from the panelists here, as well as in the other sessions, is some practical advice that we can relay to OCR and the Secretary on implementation issues, rather than the substantive questions that we have been dealing with for a long period of time. Let me jump back in the schedule, now that I see you are up and running, Ms. Shanley.

Agenda Item: Panel 4. Jean Shanley.

MS. SHANLEY: Thank you. I appreciate your patience. My name is Jean Shanley. I am an attorney at the University of Texas Southwestern Medical Center at Dallas.

My goal today is to do exactly that, to try and communicate to you some of the implementation hurdles that we have been experiencing at UT Southwestern.

I have been working on the project there since its inception for about two years now. My focus is going to be on practical problems but, in the course of focusing on practical problems, I think there are some areas where regulatory clarification has come up. So, there will be some of that in there, because it is difficult to separate the two.

MR. ROTHSTEIN: We understand.

MS. SHANLEY: I want to start by just reviewing with you the summary of my discussion points. It has been my experience, both in working at our institution as well as communicating with others, that there are significant organizational complexities.

I guess sort of resounding the point that Robyn Meinhardt made on the last panel, I guess everyone thinks they are special. We think we are special as well. There are very unique things in an academic medical center environment.

As you read the regulations, they are obviously written on a higher level, so that they can be applied more broadly.

I think what happens is, when you begin to start to drill down, you start to come in contact with different anomalies or complexities as they apply to your particular segment of the industry.

I am going to touch on two areas with regard to regulatory clarification as well as practical implementation problems. Those are organized health care arrangement issues, as well as educational and training issues.

I want to finish off with just one slide to give you an appreciation for some of the financial burdens that we see, and how that impacts the project as a whole.

Just to start out, organizational complexities, AMC structures are extremely broad and varied. I want to just frame my discussion by giving you some background facts about some various AMCs.

I think the only general statement you can maybe make about AMC environments is that no two are alike, and every time you start to review the facts in different scenarios, you begin to find out that everybody operates differently.

There are usually multiple entities involved in the PHI flow. When you look at those entities, the relationships are often very unique, the operations they put in each area and segment are often unique and, when you start to look at how the PHI is flowing, it impacts the analysis significantly.

There is often no common ownership or control. That is especially the case on our campus, where we do not own a hospital.

So, we have the medical school and some affiliated non-profit entities associated with that, but all of our training activities occur in connection with affiliated hospitals.

I think it is also an added complexity when you layer on top of that, that there are often private and public entities working together, and there are different problems and concerns that arise in those different arenas, once they start to work together.

UT Southwestern, for example, is a state institution. We have a county hospital that we are affiliated with, but also some private hospitals, and they have different concerns.

The diverse missions that you find in an academic medical center environment really produce this multi-faceted picture of uses and disclosures -- educational issues, research issues, health care provider issues.

When you start to drill down on the HIPAA issues, it becomes literally like a dazzling prism. The issues shoot out like light.

I think the practical difficulty that this creates is the common industry approaches within that segment of the industry are difficult to identify. There is limited industry guidance on the application.

We have all been to seminars on what the rules are, but very often, I think, people leave still with a sense of their not being quite sure what that means for them when they get back to their campus, because their campuses are so unique.

Then there are areas for regulatory clarification which do proliferate. The consensus and best practice, in my experience, have been very costly and time consuming to achieve, a significant amount of effort expended just on basic structural issues before you even get to how you are going to roll out different policies and procedures.

So, let's start with that. A structural topic that is discussed on our campus is organized health care arrangements, mainly because there is no common ownership or control. So, we are not looking at an affiliated covered entity. That is the option that we basically have with our hospitals.

One thing that I found so far is that many seem to disagree on whether an OHCA is something you elect, or whether it is something that arises by operation of law.

If you read the regulation, it doesn't talk about election. Yet, when you move into discussion arenas, that is all I ever hear anyone talking about, is whether or not they are going to elect an OHCA.

I think this compounds, really, the next problem, which is what liability might arise from an OHCA. I think there may be concern that this is some sort of fictional legal arrangement that may invite other joint liability arguments.

If people feel that it is something that they elect, maybe it is like a joint venture they feel like they are entering into, and people are very hesitant to want to do that, especially when you have got public institutions working with private institutions.

Some very sage outside counsel advice I have heard from fine law firms is that, when you are working in an organized health care organization environment, perhaps you want to get indemnification.

Well, UT Southwestern can't do that. So, when we are working with private hospitals, they feel like they are wearing this big sign on them that says, you know, deep pocket.

What that results in is a concern over the liability, chills our relationships. We have to stall, we have to stop, we have to work through that and figure out what the relationship requires, and that is increased time and increased cost.

I don't think it is clear under the regulations where exactly we all stand, and that compounds the practical problems that we seem to find when we come to the table.

DR. HARDING: I think I am the only non-attorney -- I guess Kepa and I. I have just a question about what the meaning is and the significance of your second bullet, many disagree on whether OHCA arises by designation or by operation of law. Could you just explain that to a doc?

MS. SHANLEY: Sure. For example, with regard to the hybrid entity rule and the affiliated covered entity rule, the regulation specifically says that that is a conscious decision made by the covered entity that may want to be that, and then they have to go ahead and designate themselves as that. Then, from that point forward, the regulations apply to them in a certain way, as opposed to just arising as an operation of law.

If you meet the definition of an OHCA, it appears that you may just be one. It is not just something you decide you are going to be.

DR. HARDING: So, the functioning says you are.

MS. SHANLEY: Exactly.

DR. HARDING: Okay, thank you.

MS. SHANLEY: I am going to move to my next topic, which is the educational training issues. Obviously, in the education setting, the education of health care professionals requires clinical practice experience.

Schools without clinical facilities, for training practicums, must affiliate with those health care facilities, which is something that is very common on our campuses, as well as a lot of others.

So, how does HIPAA apply to these affiliation-type arrangements? I am going to go through an example, just so we have something concrete to chew on.

The example I have here is allied health professionals. Let's say you have a nutritionist that the school is educating.

The school needs to affiliate with a hospital, for example, to provide that training site. Whose trainee is this student?

If you read the regulations, there is a section in the regulations that talks about trainees as if it is hospitals. This is the school's student. Whose health care operations are those?

I guess, when you read the definition of work force, it may appear that that could be the training site's work force and that they should assume responsibility for the training of that student.

Training sites have been seeking business associate agreements. That is the reality of what is happening out there.

The school doesn't feel like they are performing a service on behalf of the hospital, which is what the business associate relationship would dictate.

So, it creates some confusion about where the responsibility lies and how exactly those institutions are to work together in that setting.

So, we have to look at whose training obligation that should be. Maybe that has to do with what the training obligations should be.

A school can certainly incorporate into its curriculum, I suppose, certain privacy training, but that isn't what the privacy regulations require. They require training on specific policies and procedures.

So, how is the school going to be training on all these different training sites' policies and procedures, when they are not familiar with those? How do we work through this?

Maybe some of the practical issues, I can't speak for some of these training sites and these hospitals. We would need to call them to the table and ask them what their concerns are.

Maybe they are concerned that liability concerns involved with assuming responsibility, and designating the students as their work force, increases their liability to an extent that they are not really willing to take on.

I think we may want to look at what the nature of that relationship is when they take on that student. A lot of times there really isn't -- it looks on the surface as if there isn't much in it for them. Maybe they get a couple extra helping hands around, but sometimes they are also overseeing the students. So, sometimes it takes just as much time to train and oversee than it would to do the job yourself.

I think a lot of times they may be looking at these situations as recruitment opportunities. They certainly wouldn't want to be taking on a lot of liability in that context. They would prefer that to be a more low risk scenario.

The more liability that it appears there is attached to that student and responsibility for privacy issues surrounding that student may result in discouraging them from participating in these types of programs or at least reducing, for the educational institution, the diversity of options that they have, which ultimately may hinder the quality of the educational program.

The reason that educational institution will look for a variety of circumstances in the clinical settings is to give a diverse type of practice exposure for that student.

Another practical issue is how to avoid an administrative duplication, where you have got trainees rotating through multiple training sites.

A classic example of this is the medical residents. They are very often going to a hospital just for three days and that may not be their main hospital, and there may be a variety of sites that they rotate through. How are we going to train them?

We really want to think about how much we burden that resident, if we are going to require each institution to have training on their policies and procedures.

There is a lot of discussion particularly, I am sure you are aware, with regard to medical residents and their work hours. There is sensitivity regarding how much time the residents are spending on their training activities.

The flip side of that is that there is concern that there are only so many hours in the day, and you have to communicate as much training as you can to that resident and give them as rich a practical experience as you can in the time that is permitted.

It is certainly not going to be in the best interest of residency training programs if there is a lot of training burden involved here. So, how do we train them?

If it is the educational institution's responsibility, there is no way they are going to be able to train, again, on all the specific policies and procedures of hospitals and training sites that they are not familiar with. So, this creates some implementation hurdles.

Finally, I just wanted to review some of the financial burdens. Charitable institutions have limited resources, as a lot of different segments of the health care industry, and we are certainly no exception.

The HIPAA costs are really significant, and I have just bulleted a couple here. Obviously, there are some additional FTEs, internal committees, subcommittees.

Just at Southwestern alone, I think I wrote them down. We have more than a dozen internal committees and subcommittees, and we have at least six external committees at our affiliated entities. We have to coordinate with them somehow.

This is just a significant amount of time, a lot of people's work days, and there are a lot of people participating in these committees who had other full time responsibilities before they joined in.

It is a lot of clinical people, because we can't implement a policy and a procedure in a vacuum. We have to bring the clinical input to the table, so that we know what we are doing is going to work for them.

We, of course, have consultant fees and outside counsel fees, systems upgrades. A lot of people think of the system upgrades just in connection with EDI, but it is really more than that, if you are looking at accounting.

For example, we had a meeting the other day with regard to how to handle patient complaints, and we realized that we have a lot of patient complaints coming in from different areas on different topics.

How to coordinate them? We are going to need some sort of computerized way of dealing with that.

Training, with a large institution, there is no way we can train without some sort of computer assistance.

Increased time negotiating with third parties, as I touched on earlier, and the time of the employees of our affiliated entities as well as internal people's time.

Why am I running through all this? We realize that HIPAA is here to stay. I think we realize that entities that we work with, everyone is resolved to implementing HIPAA, and that is where everyone is focused on at this point in time.

I will tell you that the compliance costs will be easier to absorb over a longer period of time. There are only six monthly meetings between now and April 14. There are 12 bi-monthly meetings. There are less than 25 weekly meetings between now and April 14.

There is only so often that you can meet, when people are trying to fit this into their regular activities, so that the health care institution doesn't shut down while you are trying to implement HIPAA.

In conclusion, I just wanted to state that I am not presenting to you today all the issues that arise in connection with HIPAA. There are obviously a lot of others that people touched on with me, when I reached out to individuals for input for today's discussion.

They had to do with research issues and some secondary uses of registries seemed to be a concern. The relationship between parent and subsidiary institutions, we have one example of that on our campus, and it is not really clear how a parent might be able to share with a subsidiary.

Hybrid entity issues, in particular, I have been looking at that in a research setting. As a university, we would be able to qualify for a hybrid entity designation, but when I start to drill down in the research environment, I become concerned about things like accounting for disclosures, which apply in the disclosure setting, but not in the use setting.

So, the minute you declare hybrid entity status, you start to shift yourself to disclosures, as opposed to a single entity, where everything is a use.

So, the same activities, such as a physician who wears both a health care provider hat as well as a research hat, and he is constantly taking those hats on and off, switching them on and off, in a single entity environment, you wouldn't have those accountings.

Just because we declare a hybrid entity status, all of a sudden we incur an accounting obligation for internal operations that no one is prepared to start to document to that degree?

There are a lot of issues. I think really what we need is a forum for academic medical centers to bring these questions to the forefront as they arise.

I don't even know what all the questions are that are going to come up in the next six months. This is just what I have learned so far.

I want to thank you for the opportunity to speak to you today, and I hope there are more such opportunities in the future for our segment of the industry. Thank you.

MR. ROTHSTEIN: Thank you very much. Are there clarifying questions?

MS. KAMINSKY: One quick one. You mentioned that these clinical training sites are seeking business associate relationships with these academic medical professional training centers?

MS. SHANLEY: That is right.

MS. KAMINSKY: I was confused, though, what that business associate relationship would be for. That is for the academic medical center to do the training on behalf of the hospital; is that what you are saying?

MS. SHANLEY: It would be for the hospital, or whatever type of health care facility it happens to be, who is providing a training clinical practicum site for the student, for the medical school student, for the educational institution student.

MS. KAMINSKY: They would become the business associate of the training institution?

MS. SHANLEY: The training facility is seeking to have the school sign a business associate agreement. A business associate agreement applies where the covered entity, which would be the hospital, disclosing their PHI to another entity to do an activity or function on behalf of that hospital.

It is really the other way around. The school is hiring this training institution to do a service on behalf of the school, for training, but the school is not disclosing any PHI. So, it doesn't look like the school needs a business associate agreement. The PHI flow is in the opposite direction of the business associate agreement. Is that clear?

MS. KAMINSKY: Yes. I am not sure why it would be needed at all.

MS. SHANLEY: That is the point. They are asking for them very often. Maybe we need to bring them to the table and figure out, why are they asking for them, what is the concern? Is it a liability concern? I am kind of speculating. I don't know why they are seeking those. Is it just because they need clarification on the regulations as to how to handle training sites or training situations?

MR. ROTHSTEIN: Could it be that they are trying to escape the requirement of providing HIPAA training?

MS. SHANLEY: That could be a concern. When it is a business associate, it is not someone you have to train. You just put those requirements in the contract, as opposed to a work force designation. So, maybe that is what they are trying to do.

That means that, if it is the business associate -- if the school is the business associate, which doesn't make sense, then the school would be responsible for training that student. That is kind of hard to do, when we can't train on the hospital's policies and procedures? How would we know what those are?

DR. DANAHER: I think that the logic is absolutely that. In other words, the training impetus of a covered entity is more strenuous than the training impetus of the business associate.

This is the world I live in every day. Whose responsibility is it, whose primary responsibility is it to train the medical students and residents?

Is it the medical schools or is it the hospitals in which they rotate, where they have exposure to the PHI? If it is that hospital's and the medical center, if they are employees of the covered entity, then I think that is what the logic is behind classifying them as business associates.

MR. ROTHSTEIN: I think that is something that we can explore further. Thank you. Mr. Harrington?

Agenda Item: Panel 4. Peter Harrington.

MR. HARRINGTON: Thank you very much for the opportunity to speak, members of the committee. My name is Peter Harrington. I am senior associate counsel at the University of Vermont.

I think I should describe a little bit about the way the University of Vermont is set up, in contradistinction to Jean's institution. I think we are a little different, and we do, I think, a little bit more represent the smaller schools, even some college issues, by virtue of the fact that we don't own or operate either a physician's practice or a hospital. However, we do have a medical school. So, we are sort of just another model of an institution that may have some unique perspectives.

What I would like to do is, going to the PowerPoint presentation, to try to point out some substantive areas that I think my colleagues in the higher ed legal world are wrestling with, concerns that I have learned about through participation in our association's listserv, and also having spoken myself earlier this year at a conference of the National Association of College and University Attorneys.

That association has been active in trying to really help its members come to grips with HIPAA and to provide education and research around HIPAA.

So, I am going to try to both address the implementation issues, although, frankly, my presentation was geared a little bit more toward substantive suggestions, or suggestions for additional guidance or even regulatory clarification. I will, whenever I can, try to talk about practical implementation questions.

I will say that, just anecdotally, there is obviously no empirical data on it, but just my impression of compliance by higher education institutions is that there are sort of two camps.

There is the academic medical center camp, which is the ones that own hospitals and/or practice groups, like Jean's institution, that I think have really been working on HIPAA now for one or two years, let's say.

I think, on the other end of the continuum, are smaller colleges that are really, I think, just getting around to HIPAA compliance.

I think the extension deadline of earlier this month caused a lot of those colleges to really say, okay, we need to do something now, and I think that has been a real trigger to get people active and really moving on HIPAA.

I think also the fact that the deadline is so close now for compliance with the privacy rule, that a lot of people are paying attention now.

We had a session at NACUA in, I believe, it was in May or early June, and I think there were 350 conference attendees, and they had over 250 people attended the HIPAA session.

These were lawyers representing colleges and universities. I think that indicates there is a lot of interest currently.

I will just give this disclaimer that you have probably heard many times today, but the views I am presenting are my own views, and not the views of the University of Vermont.

MR. ROTHSTEIN: Nobody is presenting anybody else's view.

MR. HARRINGTON: Or NACUA. So, with that disclaimer, I would say the single issue that I have heard the most about in my listserv discussions with other higher ed lawyers is the FERPA exception.

I think it may not be one that you have heard as much about. It is particular to higher education, obviously, because FERPA is the acronym for Family Educational Rights and Privacy Act.

It governs how universities and colleges and K-12 schools need to treat education records of their students. FERPA covers every record held by a school that directly relates to any of its students enrolled there.

DHHS, as you know, carved out of the definition of protected health information both education records as defined by FERPA and, secondly, treatment records, which were carved out of FERPA.

FERPA said, we understand school nurses or clinics are going to have records about a student. We also understand there is a subcategory of records that the doctors can hold that the student may never see.

They are not used for billing. They are really just treatment records that are the ones kept just by the medical provider, that are carved out of FERPA.

So, HIPAA looked at both and said, we are going to exclude both of those from the definition of PHI.

The implication of this, though, for university clinics is that, at least for clinics that care for both students and non-students, it creates a real practical problem of having to follow two sets of similar, but significantly different, regulatory regimes, for how they are going to treat the records and the individually identifiable health information.

For example, at the University of Vermont, we have a couple different services. We have an audiology clinic that does a lot of hearing testing and other related kinds of medical care, and then a physical therapy group that serves not only students but also faculty and staff and, in the case of the audiology clinic, the community.

So, you have dual populations and they are needing to figure out, can we do a combined set of policies that cover both FERPA and HIPAA.

I think they are really up against some problems there, because the two laws do differ in some significant ways.

On this page, page 8, I have just outlined some of the ways the two laws differ.

There is also one sort of threshold issue, I think. I think there are a lot of people that really are confused about whether HIPAA applies or FERPA will apply to records pertaining to their students.

I think part of the problem was that, in the preamble to the December 2000 final rule, there was a statement that I think was misleading to people, or at least could be misunderstood by people.

On page six of the handout, the first bullet point talks about this. There was a statement saying, however, to the extent that a school clinic is included within the definition of health care provider and is engaged in HIPAA transactions, it will be a covered entity and must comply with the privacy rules.

I know that some of my colleagues have pointed to that and said, see, you do have to comply with HIPAA. Student records really aren't carved out. I have been saying no, that is just not the case.

Education records and treatment records are not covered by HIPAA. They said so. The qualifier, I think, was missing. I think if you read the whole comment, you would see that DHHS intended to say there, if you are not covered by FERPA, that is, if you don't get federal financial assistance, FERPA won't apply to you, and that is what that meant.

This may be a real good area where DHHS might want to, in a Q&A, issue some guidance that would be useful to people.

I go into some more detail about the effect of this problem, and I won't belabor it, but essentially, it requires schools that serve dual populations to have two sets of policies and practices.

I think they can -- a school, I think, could say, well, we will comply with FERPA, but where HIPAA is stricter, we will voluntarily impose HIPAA on ourselves, and I think that would be okay. I don't think there is any way to avoid the problem of still having different treatment for the two kinds of records.

One suggestion is to consider -- and I know the agency has spoken to this and has said that, under its discussion in the December 2000 preamble, they said, in the relations of federal law section of the preamble, they said, we think there was no intent, when Congress passed HIPAA, to preempt FERPA.

I would argue that it is actually -- I think it would be a reasonable interpretation of the two statutes together, that DHHS could, I think, say that we think HIPAA is the more specific statute, and that it largely is stricter with respect to the privacy and confidentiality. Therefore, we want to allow schools to opt into HIPAA.

I think that, in fact, preparing this presentation I was thinking, what are the rules of construction that would lead you there, and I think we just covered them.

One is that the more specific law should take precedence over the more general law. I would argue that HIPAA is more specific.

The second is that the judge, when construing two statutes, and an agency, when doing the same, should say that they want to give effect fully to both statutes as much as possible.

I would say that is an option for DHHS to consider. It would make the lives of colleges much simpler, to treat both populations.

The next area I would like to cover is some research issues. Jean has touched on a lot of these. The one that I am hearing the most about is patient recruitment issues.

This is of great interest to university researchers and their staffs. I have heard two or three different presentations to groups of researchers and their staffs at our hospital, which we don't own, but is right next door to our university.

This issue comes up all the time. Everyone wants to know about this, because it is very important to doctors who are trying to recruit patients to their clinical trials, to be able to do so without having to go to the IRB. This is really what you hear.

I think in the August 2002 final rule, DHHS did seem to say that you can do recruitment within the covered entity -- i.e., the researcher can obtain PHI on people who might be eligible for a trial, and contact them.

Their logic was that the only disclosure here would be the disclosure to the patients themselves, of their own PHI.

I thought the result was really a very good one. It seems that the agency is saying that they understand this and want to permit it.

There are just a few problems. I would be concerned as a researcher that someone could say, well, that was just in the preamble, but if you really look at the rule, that preamble statement by DHHS really isn't consistent with the rule.

164.502 says, unless a use or disclosure is authorized in the HIPAA privacy rule, it is not permitted. So, someone could say, there is no such allowance for Dr. C to go look at Dr. A's patient list and look at their records, to do this research.

So, I am suggesting in my notes that the agency consider one of two things, either saying that they deem recruitment to really be a health care operation or a marketing operation, and have those use rules apply to research recruitment. In fact, the December 2000 preamble implied -- didn't state directly but implied -- that research recruitment was probably a health care operation. At least, I read it that way.

Now, in this rule they are saying, no, it is not, we said clearly it is not a health care operation and it is not marketing. It is okay, because it is disclosure to a patient.

It is interesting logic, but I would like the agency to look at that closer, to give the same relief I think they have intended to, but to shore up the grounds for it.

Another way, obviously, is to have a regulatory change, but I don't think the agency needs to go that far. I think an interpretation, maybe in the form of Q&A, would be very useful there.

The other option for recruitment -- this is on page 13 -- is that a lot of people, I think, in the research community thought this at first. They said, well, recruitment is review preparatory to research, that that is probably not encompassing recruitment.

Again, the agency even said, yes, we want to help recruitment, that is part of why we have this review preparatory to research rule.

They said also, in December of 2000, well, when you do those, you can't record -- this is the underlined portion of the first bullet point -- only de-identified PHI may be recorded by the researcher.

Essentially, that wasn't in the rule. It was in the preamble. It seemed to add a restriction.

Secondly, that does seem to foreclose this avenue for recruitment. It seems to say, if you are doing recruitment, you can't use a review preparatory to research.

For those reasons, my suggestions are on the bottom of 13, which I think would really assist researchers without doing any significant harm to privacy interests of the patient.

The other issue is the dual employment issue and here is where I think that the model of my institution might be unique and come into play.

The way we are set up is that the people that are on the faculty of our college of medicine get paid, in part, by the university. They are also employees of the practice group, which is a separate legal entity associated with the hospital.

So, these people wear two hats. They have the university hat and what we call the dual employees. It is unclear, under the rules, whether, when they do research, whether they will be deemed within the covered entity practice group, or whether they will be deemed an outside researcher.

It would obviously be of great benefit, from an administrative standpoint if they were deemed to be internal to the covered entity. We ask that some guidance from the agency -- that the agency consider that and perhaps issue some guidance there.

Just very quickly to cover, I am going to skip ahead to page 18. I know that the agency has said that the final security rules were going to try to conform with the privacy rule and make them work together very well.

We would encourage them to consider two points when they do that, and that is that the hybrid entity concept is not in the proposed security rule, and the FERPA exemption also is not in the proposed security rule. It could lead to anomalous results if your student records aren't covered by the privacy rule but they might be covered by the security rule. We hope that the agency will carry those two concepts into the final security rule.

The last two issues, real quickly, these are other questions that I am hearing from colleagues. Well, we have these contractual arrangements where we have a clinic -- we have our own student clinic where students come to get care, we are hiring outside clinicians.

Some guidance here would be very useful. I think here is a case where you question, should we have a reasonable rule or should we have specific rules.

I think here is an example where examples given in a Q&A could be very useful, if the agency, say, were to posit a hypothetical of a university with a clinic that hires a local practice group to provide care. Who is the covered entity? Who has the duties under HIPAA? Are business associate agreements needed, and does the FERPA exception apply, if the records are student records?

The last issue, I think actually Jean just covered it and you just had a discussion about that. These are student interns, but clearly, my view is that, when we send out students to a hospital, it is the hospital's duty to train and educate them on HIPAA. Surprisingly, we are getting places to try to make us business associates, even though we are not performing a function on their behalf and we are not even getting any of their PHI.

I think this is another good example where I think it is fairly clear in the rule, but a guidance document would put the issue to rest, or a guidance Q&A would be issued for that. Thank you very much for your time and attention.

MR. ROTHSTEIN: Thank you. Any clarification questions? Let's move on to Mr. Marks.

Agenda Item: Panel 4. Richard Marks.

MR. MARKS: Let me summarize five major issues for you that are outlined in detail in my written testimony and see if I can't leave a couple of minutes for questions.

The five major issues that my university clients are concerned about are, first, the Secretary's failure to publish the final security rules required by the statute.

Second, the enormous complexity, ambiguity and confusion of the HIPAA rules and the agency's delay in clarifying them. The testimony reinforces what you have heard on this panel today.

Third, the agency's failure to deal with the U.S. Supreme Court precedent, which makes their informal guidance not authoritative.

Fourth, the additional cost and delay that HIPAA rules impose on medical research.

Fifth, important for privacy and confidentiality, the Secretary's failure to assure that the transaction standards are complete wasn't early enough to ensure the confidence that the health care payment system are not going to face substantial disruption.

Let me run through these one by one. Under the statute -- you see it on the screen -- initial security standards had to be adopted by February of 1998, an explicit statutory command.

That deadline, obviously, is long past. Security remains the framework in which privacy in transactions are implemented. If you don't have security, then all the privacy rules are of no help.

The fact that the rules haven't been issued, even though they were promulgated in proposed form in August of 1998, way after the deadline for promulgating the final rule, remains a roadblock maintained by the Secretary to planning by systems, vendors and the industry.

Everybody in universities and everyone else needs computer systems that are secure, in order to implement HIPAA.

This is not a system, a nationwide system of electronic data interchange, that is going to be implemented in any other way than through technology and associated business processes.

Right now, the industry is paralyzed and vulnerable on security. You may be aware, and I have described in my testimony, the fact that a public dispute has now broken out between vendors and providers.

Vendors say they are being asked to assure their clients, hospitals, physicians and health plans, that their systems are secure.

Yet, the vendors don't know what the federal government's security standards will be. So, they can't design systems. They can't plan. Neither can universities and other covered entities.

Now, it is important that there is a mini-security rule in the privacy rule. The mini-security rule, Section 164.530(c), says that there has to be appropriate security on April 14.

The failure of HHS, the failure of the Secretary, to get these rules out so that people can figure out what they are and incorporate security that is needed into their systems, that is going to affect privacy implementation too, and put all covered entities and their business associates in great legal jeopardy because they are going to be vulnerable to lawsuits in the state courts for any failures due to penetrations, to hacking attacks, and similar incidences that are attributable to failure of security. This is an enormous practical problem.

The solution is very simple. Get the standards out. We have all heard rumors. The latest rumor I received during Ms. Shanley's testimony, which is that these rules are supposed to be published on December 27 in the Federal Register. We will see. We have had similar rumors for the last three years.

Next, the enormous complexity, ambiguity and confusion in the rule and the fact that HHS has not been at all fast, at all assiduous, in clarifying it.

You have heard from my colleagues on this panel about the items that I have got here. I won't have to repeat them, except to point out that this confusion needs to be remedied.

It was probably unnecessary in the first place, but it is built in. It is an integral feature of the privacy rules that have been put out, and the enormous, long, complex preambles, which attempt to explain them.

I hope you understand that these documents are printed out in 8-1/2 by 11 form. They are now over 2,000 pages.

That should tell you that lots of the construction is way too complicated for the job, and it is not something that is within the realm of possibility for people to understand and apply without enormous problem.

HIPAA versus FERPA, which Peter discussed, is a wonderful example where the agency requires university health centers to apply not one, but two sets of complex rules, which you really can't apply on a day-to-day basis unless you have a direct line to a lawyer whenever you need one.

I don't want to go through this without mentioning the fact that HIPAA's preemption rule has proven to be extremely confusing and costly and intractable.

The preemption studies that are going on now, we have done them in two states -- one large and one small -- are very costly, time consuming and, in the end, will produce only a checklist that we hope will be able to guide clients, covered entities, physicians, hospitals, through this maze.

To close this particular subject, I want to point out to you that it turns out that these privacy rules are very unfriendly to consumers.

I stand around at a client, look at the people who are trying to get to the elevator to go upstairs, people in wheelchairs, people who are sick, people who are concerned about their family.

I wonder how they are going to react when they get a 12 or a 10 or maybe a streamlined 5-page notice of privacy practices handed to them. It is something that they are likely to care not a whit about, just consider just another obstacle to their getting fast and compassionate care.

In 2001, the United States Supreme Court decided a case, the United States v. Mead Corp. The specifics of the case, which involved a Customs Service letter ruling, aren't important to you.

The case held that informal administrative guidance isn't authoritative. No one is entitled to rely on it. Yet, HHS proposed, before the Mead case, to guide the industry with informal guidance.

You have heard about the enormous complexity of these rules and the confusion that even learned experts have in trying to apply them and advise people on how to apply them.

HHS needs to take a leadership role and make full disclosure to the industry, that they rely on their informal guidance to their peril.

DR. HARDING: Excuse me. I just have like another non-legal question.

MR. MARKS: I bet it is going to be a legal question.

DR. HARDING: Well, trying to clarify. Wasn't there just a suit brought by Louisiana Medical Association and the South Carolina Medical Association and a number of medical associations that tried to bring this issue back up and it was thrown out? Am I on a different topic?

MR. MARKS: I think that is a legal question. My question is that, although these issues were mentioned, the authoritativeness of the particular ruling is not at issue. So, my answer is no.

Where this is going to come to a head is when a covered entity, such as Hopkins or Texas or Vermont relies on some informal guidance. There is a hacking attack or there is a leak of some sort and medical records get published to the internet.

The institution or trustees or the physicians involved are sued. At that point, a court may look at the guidance and say, well, you relied upon it to your peril and it is wrong.

We don't have to give it what lawyers call deference. The actual term is Chevron deference from a Chevron case in 1984.

It is an enormous problem that has now surfaced, even though it has been brought to HHS' attention that it needs full disclosure and a deliberate, scholarly treatment from HHS so that we know what their position is on it.

The point for you to understand, and certainly the point for every covered entity and every business associate out there is, in a particular case, a court may or may not agree with what HHS says, it may or may not give it the force of law.

This is an extraordinarily complex area of administrative law and I wish that it were different. Certainly, Justice Scalia, who dissented in the Mead case, thought it was different and thought it should be, but it is what we have, and we have got to deal with it.

MS. KAMINSKY: Just by way of clarification, is the main distinction here the difference between informal guidance versus a regulation, and in the lawsuit that you were talking about was whether or not the regulation that HHS issued had the force of law? I think that may be part of it.

MR. MARKS: The last point is that the kind of guidance the courts will give deference to is either a rule making or, as I pointed out in my testimony and Ms. Kaminsky just summarized so well, an administrative adjudication.

I am sure we will have plenty of administrative adjudications, but we don't have any yet.

Now, HHS' record of making progress in rule makings is not good. The process is not fast. Of course, the statute says you can only have one a year for any particular standard.

HHS is going to have to go up, as they say in sports, to the next level and probably well beyond that, in order to give universities and other people in health care, other covered entities, their business associates, their administrators and physicians, who are trying to work their way through this complex rule the guidance that they need. This subject is treated in greater depth in the written testimony.

Let me add to what Peter said about research. We are entering an era where computational techniques are now at the point where they can revolutionize biomedical research.

Yet, the whole notion of creating repositories that can be used this year for cancer, 10 years from now for heart disease, 20 years from now for Alzheimer's, are all in jeopardy because of the restrictive interpretation, restrictive rules around HIPAA authorization.

What is going to happen is that there are going to be enormous additional costs levied for patient recruitment, and so much paperwork, so many obstacles, that people who have looked down the road in the research communities are going to be worried that they are going to be spending far too much money on recruiting and far less on research.

These rules are going to hamper research and discourage many people from participating in it.

Of course, the irony of it is that, as patients, we are all going to be paying. We all have an interest in medical research and the progress that is going to be made in diseases that we may have.

So, this is a consequence that I hope this committee will look at seriously. A suggestion that I have on behalf of any clients, of course, is that eventually the policy behind these rules will be changed.

Finally, HIPAA mandates one of the largest, if not the largest, computer system conversions in history. I don't know what is comparable except maybe the conversion in Europe to the euro.

We know from experience in large systems projects that there needs to be a great deal of time for testing and adjustment.

To do that, you need stable transaction standards so that industry can code them, wrap business processes around them and then put them into practice and test them.

Normally, in a project, in a big systems project -- for example, in the telephone industry where standards are actually well known and the systems well established -- people would be testing for years.

As I came up on the train today, I saw an ad in the newspaper for Intel Corporation asking, should you ask that your computer be tested quadrillions of times. The answer was yes, and that is what we do.

We are not going to have time for even the bare bones testing that a systems engineer would want in dealing with the transaction standard.

This means that the difficulties of electronic data interchange, which involve standards for complex data processing and business process redesign, are probably, in some substantial way, not going to work.

So, we have a crisis in the making. The point is that that crisis is going to affect privacy and security of people's records, as well as their health care.

We are in a situation where, if two percent or five percent of transactions don't go through by October 17 of next year, it is going to be an enormous problem. If the number is 20 or 30 percent or something greater than that, I think you are going to see disruption to health care.

It is a concern about all of HIPAA that is very unpleasant to contemplate. I think the time to contemplate it is now, so that people can begin to prepare for what will happen. Thank you very much for the opportunity to be here today.

MR. ROTHSTEIN: Thank you very much. I appreciate it. Any clarifying questions before we open it up? Okay, the floor is now open for general discussion.

Let me ask no one in particular the question of HIPAA compliance in the university and college setting. I would assume that most of the academic medical centers are well on their way. That is the testimony that we have received from all sorts of people.

As Mr. Harrington suggested earlier, there are many small colleges, little health clinics for students and staff, that are covered entities as well.

The question that I have is, how well along do you think, in terms of compliance, these smaller colleges and universities are, and do you have any recommendations about the kind of technical assistance and support that HHS could provide to get these people up to speed?

MR. HARRINGTON: The only evidence I have is just anecdotal evidence and impressions of what people are saying.

I do think there was a flurry of activity, at least on the list serv that I am involved in, when we asked for the deadline extension of October.

I think that the attorneys representing these institutions are well aware of it. Where places are at in terms of implementation, I don't know.

I did put out a question on the list serv asking where people are at, kind of trying to take an informal, somewhat empirical stab of where are people at, are they hiring consultants or are they not. Are they doing it in house? How are they setting it up?

I got very few responses. I think you can read that two ways. Either people hadn't been doing anything and, therefore, couldn't really say what their plans were so much -- this is the end of the summer -- or people didn't have the time to respond to an e-mail.

I guess my overall impression was a lot of places were playing catch up starting September, October.

In terms of what they would find useful on guidance, some of the areas I outlined, I know that the FERPA exception is a big issue. I think people really would love guidance there.

You know, I think a decisional tool was an excellent one that was put out by CMS. I know first hand, from some people who are involved in HIPAA research, they love covered entity and they wrestle with the definitions.

If you are not a lawyer or just having HIPAA exposure for the first time, those kinds of decision trees are great. So, more along those lines.

I think also examples are excellent, particularly when a lot of questions come up around contractual arrangements.

We have this doctor come in to provide care here and we don't know if he is the CE, or whether FERPA applies or not. So, I think examples of a couple contractual arrangements, I think, would be of benefit to colleges, many of whom deliver those things under contract.

Obviously, the research we have covered a lot, but that is something to consider.

One other big thing I just wanted to mention on research is, people say research records, not medical records, but separate research records held by a researcher governed by the HIPAA rules. Do you have to follow minimum necessary, business associate, or are these not covered because they are not in a designated record set? So, that is another area that I think guidance would be useful.

MS. SHANLEY: I don't know that I have a clear feeling as to where the industry is as a whole. I will tell you that, a couple of weeks from now, in mid-November, the Association of American Medical Colleges is holding a symposium conference in San Francisco.

That may be an organization that is able to provide some guidance on that question, particularly after that meeting.

The point of that meeting is for AMCs to come together and share their implementation concerns and get a feel for where everyone is, and the ones that are further along, maybe offer some input to those that aren't as far along.

As far as what kind of technical assistance, I think forums are always helpful. I really think some sort of forum where we can get prompt answers to questions and clarifications on an ongoing basis would perhaps be the most helpful thing for receiving guidance, so that there isn't a lot of stalling.

Once an issue comes up, it can really stop things stalled dead in the water, when it is not really clear in the room how to proceed or what the responsibilities are. When it hangs things up, it is kind of hard to work around it, if it is kind of a seminal issue that you have to decide one way or the other before you go forward.

I think that is the most important thing that I would put on the top of the list is, when questions arise -- as I mentioned earlier in my testimony, I can't even begin to tell you now all the questions that I might have over the next six months and thereafter.

The idea is that, when the questions do arise, that there is a place to go and a way to get an answer.

MR. MARKS: I think, if I may, what you have heard today, without contradiction, how complex it is and how confused people are about it.

The rules are what they are and can't be changed in the short run, but HHS could create an office that has authority to make rulings, and to get those answers out fast.

We heard in the previous panel people talking about taking a month, but the privacy implementation date being April 14 and less than a year to go for transactions, a month is way too long.

What I would recommend to HHS is that they establish an office and staff it with very good people, give it authority to make rulings, so that there is some hope that those rulings would be considered authoritative under the Mead doctrine, and put them to work.

Just on this panel, you have heard people who have a raft of questions. The same thing on the previous panel, and I bet every panel that you have heard from has the same sort of thing.

If there is going to be any hope that this system is not going to go into effect on April 14 in a state of confusion with fundamental questions unresolved, then HHS is going to have to step in and furnish that kind of guidance and that level of resources.

DR. DANAHER: Mark, I would like to try to answer your question from my experiences, and then I would like to ask Mr. Marks and Ms. Richardson to kind of reality test me.

From what I have seen and my experiences, the academic medical centers, by and large, have made fairly good progress and are making fairly good progress.

Obviously, there is a bell shaped curve where the institutions are, but you have got committees that have been working on their policies and procedures, they are grappling with some of the, should medical students and residents be business associates from the medical school. So, they are working through these issues.

In my experience, the universities are just now beginning to address their lives as being hybrid entities. I think to kind of test my theory, number one is, without question, actualizing what the research implications are, is first and foremost, their biggest headache and the biggest thing they are trying to get their arms around.

Secondly, they are really -- this is preeminent universities -- second, they really are just now addressing these issues.

For example, many of them have shared services, IT services, that the university may employ people who also work in the AMC -- the academic medical centers -- that may be on campus or off campus, whether phone services, et cetera.

Trying to figure out where that kind of hybrid entity begins and where it ends off and if somebody -- take a facility, just to pull one out of the air -- say you have got some people on the campus who, 80 percent of the time, they are providing services to the rest of the university, and 20 percent of the time they are providing it to the hospital, et cetera, what is their responsibility under that kind of situation?

I guess if I were to -- so, the response that I am seeing is two-fold. One is that the academic medical centers are executing on their strategies to be compliant, devoid of what the rest of the university is doing. That is one thing I am seeing, just because the rest of the university is kind of lagging behind.

Then, the second thing I am seeing is that sometimes there will be someone such as Ms. Richardson's position, that will be trying to get their arms around the entire universe because it is going to be so costly, so expensive, et cetera.

Even though the hospital may be way out ahead, or pretty much out ahead, et cetera, they want to kind of figure out a global pricing and a global strategy and a global theme to address that.

In summary, and I would like to just end my comments here, number one, I don't think the designation is between small, medium or large.

I think universities, as a whole, are just now, across the board, beginning to come to terms with their status as hybrid status, and others. That is number one.

Number two is, I think, by and large, the hospitals and academic medical centers that they may be associated with are ahead of them in their trying to deal with that in a number of different ways.

I would love your responses, whether I have --

MS. RICHARDSON: If we talk about Hopkins, my responsibility spans both the university and the health system side. So, we are looking at this as one large entity, in a sense, but we have different areas that are considered fully covered and some that are not.

So, if I look at the university side, we have some schools that are considered a covered function fully, and then we have some schools where we are basically identifying when someone comes in contact with PHI from the health system, or one of those schools that is fully covered. Then they have these extra requirements to follow.

It is difficult to look at the individual who may be in that school, and may be partly functioning in that mode for part of their life, and another mode where they are not really under the HIPAA requirements.

So, it is difficult from a training perspective to try and relay that to the individual that, based upon the role they are performing, they need to function differently.

I can say, generally, it is an issue to try to have consistency in such a large organization as Hopkins. We have entities and even schools that function separately, even though they are performing the same function.

So, it is difficult to bring consistency to it, and then to ensure that we have trained everybody the same way and that they are doing everything the same way.

From research, it is very difficult. If there has been no guidance on some areas, we have had to interpret and move ahead.

We feel that, if we don't take the time to determine what that item is that we want to train somebody on, we are going to run out of time.

We are basically going ahead, from a research perspective to say, we need to start training next month.

DR. DANAHER: Have you driven pretty much the entire organization at the same rate, or are there pockets, such as the hospitals, that are further along with developing policies and procedures and notice of privacy practice, et cetera, and other parts that are --

MS. RICHARDSON: As we look at the Hopkins world, we are coming up with one policy, or one form, one procedure to perform that activity, no matter where it is performed.

I can say from a policy perspective, we are moving at the same rate. The problem is, on the university side, looking at the schools and bringing those individuals on board saying, this is my pocket of people in this school that is really affected, because that pocket of people changes very, very frequently, depending on who is getting PHI and from where.

MR. MARKS: My impression is that all universities are struggling with this. I would not want to give you any overall sense of optimism about academic medical centers as opposed to universities in general.

I think there are some academic medical centers -- and my impression Hopkins is one of them -- that are much farther along than others.

I think all academic medical centers are looking at this unfunded mandate, looking at a whole new set of responsibilities and training, and they are running into the basic flaws that are built into the privacy rule.

They are trying to get answers to these questions, some of which have no firm answers. As you have heard, there is no place to go to get a clarification from HHS.

I can assure you that there are many academic medical centers that are just beginning to realize how difficult it is going to be to deal with HIPAA.

I think they are looking at strategies of minimal compliance as of April 14. I think they are looking at litigation risk management issues and hoping that they will be able to traverse this time period, and try to find money, and try to find answers.

They are hoping their vendors will come up with systems that are designed to help them comply with HIPAA, something that hasn't happened yet. The vendor community has been unresponsive, because the rules are so hard to figure out. Of course, in the security area, there are no rules.

In the non-hospital setting -- that is, the universities that are worried about the student health center and those kinds of operations -- or about research that is done in a non-medical setting, in the psychology department or the sociology department or anthropology department, they are just beginning to deal with these issues in a systematic way.

I can tell you, because I wrestle with these issues and try to counsel people every day, that they are running into these same -- I call them flaws, these ambiguities that are infused into the structure of the privacy rule.

They can't get answers. They have no place to turn for answers. So, they are trying to figure out how they can comply and control costs and make a good faith effort, and they are perplexed and worried.

MS. SHANLEY: I would like to provide an answer to that question, if I may. I think it is a really good question.

I agree that Hopkins may be further along than some other academic medical center environments. I think one of the reasons -- it is my understanding of the way you are structured is such that there is sort of a centralized, unified oversight that perhaps gives you the authority, gives you the ability to roll out policies and procedures in a consistent way.

At our institution, because we have so many different hospitals who all have their own boards and administrations, once you bring those entities together, the train starts to move a lot slower.

You have got consensus building and negotiation building, and we had our gap analysis in September. In the course of that, it became apparent that we really needed to pull all the institutions together for the first time, which had not happened prior to that.

Even though each of us had been doing different things at different rates, and we first brought them together, it was just a select small group of people.

There was initial hesitance and confusion as to exactly why we all needed to come together. I think the hospitals may have felt that they could -- they may not be as beholden to the university and the physicians for their activities as maybe the physicians are to the hospital.

At our campus, it kind of feels like a lot of issues, the medical school is sort of at the center of the wheel and the hospitals are all around the wheel.

So, until we pulled them together and started to communicate about some of these issues, it wasn't really clear to them how things would impact us.

I will give you a specific example. We put together at the university a security role-based matrix. There had been a lot of discussion with physicians about how to do that.

Physicians were very concerned that nursing staff and other types of staff that support them couldn't be limited in a way that wouldn't permit the physician to rely on them.

When you move over to the hospital setting, the physicians are relying, a lot of times, on the nursing staff of the hospital. So, the hospitals might be putting together their role-based matrices.

So, our physicians at the medical school, we can put together our own, but unless we coordinate with them, our physicians are going to be reliant on whatever they have put together as their role-based matrix.

So, we have to pull them together and now begin negotiating on issues like that. So, it is much harder to pull things together.

In the hybrid entity designation, that is an issue. The rules were only finalized, and they were rather significantly changed, as of August.

So, we did not really begin looking at that issue very extensively until very recently. As I look at that issue, I become very hesitant and very concerned. I think that that is a threshold issue.

It seems to me that is something you should be deciding up front and at the outset, so you can allow your compliance activities to flow from that designation.

It is not really clear to me, once we do that, for example, on the accounting issue, do I all of a sudden incur accounting obligations because now I have these artificial disclosures inside the campus that weren't disclosures before when we were a single entity.

I don't want to make a recommendation that we go forward with something like that unless I am sure what kind of practical impact that is going to have.

I just think there is a lot more to that rule than meets the eye. I am a little bit frustrated now because I don't know how we are going to complete that analysis and then move forward with policies and procedures and mesh the two together.

DR. DANAHER: I think it is a little bit like the OHCA thing you were saying, how do you decide, or where is that threshold for a hybrid entity, and do you treat them more like covered entities.

MR. MARKS: And when you bring people together, what you suddenly discover, when they begin to understand it, is that they understand that there is new liability, there is new risk, that has to be negotiated.

Once it is appreciated and starts to be negotiated at higher and higher levels, eventually it becomes a board of trustees issue.

Then, doing these negotiations takes time and the transaction costs become significant. When you add those transaction costs, the transaction costs that you have, dealing with the risks with all these business associate agreements, all of a sudden, these costs become overwhelming.

As universities begin to appreciate the full measure of what HIPAA requires and start to try to get into these negotiations, and they run into the sort of road blocks that Ms. Shanley is describing, things slow down.

MS. RICHARDSON: I just want to add a point here. When this was a thought years ago about HIPAA, about how we were going to put this together, Y2K, we learned a lot.

The only reason that we have a centralized group who is over this is not because of who I am employed by, because I am employed by the health system, but my responsibility was deemed to be across both organizations for this project, because of who I report to and her responsibilities.

So, we actually set it up that way, that we would have central control and deal with these issues. So, this is the vehicle to get us to have more consistency inside the Hopkins organization, even though right now, most entities and schools function on their own.

If we hadn't gone through that measure, yes, we would probably have more issues today.

MS. KAMINSKY: Do those entities all meet the affiliated covered entity designation, if you so chose that? Is there common ownership and control?

MS. RICHARDSON: We do on the health system side, but the university is separate. So, we are dealing with those issues about how we are going to be sharing data between the health system and the university as really, two separate types of identities.

MR. MARKS: I hope the impression that you get is that it is a worry, that these sorts of fundamental questions being discussed six months before the privacy compliance thing, I think that speaks volumes about how difficult the HIPAA implementation process has become.

I don't think you are going to see a resolution to any of these difficulties any time soon. As people try to figure out how to apply organized health care arrangements, single covered entities, hybrid entities, and deal with all of that, business associate contracts, and assuming this is right, layer the security rights on top of this in January, it is an enormous and expensive set of tasks.

MR. ROTHSTEIN: On that cheerful note, I will thank you all for your contributions and giving us our marching orders, and thank you for participating.

If you want to supplement your comments, you have 10 days to do so and mail them in or e-mail them to us, although I know you have already submitted written testimony.

So, thank you all and let me remind our listeners on the internet that we will stand adjourned now until 8:30 tomorrow morning. We begin a half hour earlier tomorrow. We can't wait to get going. So, we will start at 8:30 tomorrow morning.

[Whereupon, at 5:15 p.m., the meeting was recessed, to reconvene the following day, Wednesday, October 30, 2002.]