Public Health Service

NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS

Subcommittee on Privacy and Confidentiality

November 6-7, 2002

Salt Lake City Marriott City Center


The Subcommittee on Privacy and Confidentiality of the National Committee on Vital and Health Statistics held hearings November 6-7, 2002, at the Marriott City Center Hotel, in Salt Lake City, Utah. The meeting was open to the public. Present:

Subcommittee members

Staff and Liaisons

Others


EXECUTIVE SUMMARY

November 6-7, 2002

The Subcommittee on Privacy and Confidentiality held hearings November 6-7, 2002 to monitor implementation of the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act (HIPAA), including the Standards for Privacy of Individually Identifiable Health Information (privacy rule). During the two days, the Subcommittee heard testimony from 17 witnesses and talked with five panels to learn about the implementation activities of covered entities.

Panel 1: Covered Providers

Dr. Kalm told how, in searching for a way to facilitate compliance for private practitioners, he amassed 227 pages of documents that left him bewildered about how he ensured that he was in compliance with the "Orwellian-termed" administrative simplification provisions of HIPAA. He offered suggestions for helping private practitioners. He encouraged the Subcommittee to explain the acronyms and rules in clear, plain English and requested sample standard forms to guide him in how to be in compliance. Dr. Kalm encouraged the Subcommittee to step into the private practitioner's shoes, imagine being alone in that office, and then show him how to document he is in compliance.

Dr. Borgenicht suggested the Subcommittee consider whether solicitations for HIPAA products and services were unscrupulous marketing practices. He expressed concern about implications of the privacy rule for his office. Dr. Borgenicht emphasized it was essential to provide practitioners simple and clear information about reasonable means. He pointed out that what might be applicable to a large clinic might not fit his small office. Noting the dwindling number of small offices, Dr. Borgenicht said it was important to preserve them in a way that didn't hinder their functional efficiency and care-giving ambience.

Mr. Pulsipher said he worked in a medium-sized office with 16 physicians. Their front-line staff was intelligent, though many weren't college educated or used to understanding the regulations HIPAA represented. He said he found the standards difficult to read, but noted the modifications were in plain English, with good scenarios, excellent representation of the law, and examples of exceptions. Mr. Pulsipher mentioned resources to update people on HIPAA regulations. He said physicians needed more help from the Office for Civil Rights (OCR). He said frequently asked questions (FAQs) had excellent questions, but noted answers to questions on the OCR Web site wouldn't come back on an individual basis. He urged OCR to have a hot line so physicians could run scenarios, ask questions and get definitive answers. He requested OCR give physicians the forms that would make them compliant and answer reasonable requests.

Physicians Insurance, a physician-owned-and-governed professional liability insurer based in Washington State, didn't expect any impact on medical malpractice insurance premiums due to the HIPAA privacy rules. But Mr. Morse predicted there would be lawsuits under state law concerning health care information privacy issues. Mr. Morse noted instances where the privacy rules created problems, and cautioned that frustration and confusion over the rules could result in serious impediment to the delivery of health care. Mr. Morse suggested ways the Department of Health and Human Services (HHS) might alleviate the growing fear with guidance that assured that reasonable efforts to comply were expected, but that only clear defiance was cause for enforcement actions. He noted the document could explain how patient complaints would be addressed in a non-adversarial manner, assisting patients and providers in understanding and adjusting to the rules. He also urged HHS to further delineate "reasonable."

Panel 2: Integrated Health Systems and Complex Organizations

Ms. Thomason said the most difficult HIPAA privacy regulation issues related to size, complexity and the hybrid nature of how health information existed and was maintained by Intermountain Health Care (IHC). IHC had difficulty addressing minimum necessary policies and procedures, accounting of disclosures and acknowledgment of the notice of privacy practices. IHC's size and complexity presented workforce training issues. IHC also had scalability issues due to varying facility sizes. Ms. Thomason encouraged providing education for covered entities other than their own employees. IHC recommended educating the patient about public health, vital statistic and other routine disclosures mandated by law en masse via a list of routine disclosures required by law. IHC also suggested a phased-in approach to the privacy regulations.

Mr. Riopelle discussed examples of the regulation's unintended negative consequences on Gambro's caring for people. One issue they struggled with stemmed from how people bonded because of their chronic need for dialysis and the strong relationships between patients and staff. Mr. Riopelle said not being able to acknowledge together when a patient died would take a lot of adapting and diminish the familial environment and quality of care. Gambro sought guidance on reasonable safeguards to make incidental disclosures acceptable to OCR. Mr. Riopelle considered pre-emption the regulation's most significant failure. He said the training challenge was costly and, although he thought they'd be compliant on this issue by April 14, Mr. Riopelle doubted that those who'd met the requirements really would be trained by then. He also sought guidance on easing the cost and difficulty of the amendments requirement in the electronic environment.

Mr. Wunderli noted there were so many state laws in mental health that, before Valley Mental Health could do anything in the privacy area, they had to know which laws they were following. He pointed out that the pre-emption analysis was especially difficult in the mental health field, because they'd waited until August for the final privacy regulations. And so Mr. Wunderli prefaced his comments by acknowledging no one could be certain they'd be correct. But he said he believed that under HIPAA, with consent as an option for TPO and authorization required for other disclosures, it seemed that mental health continued to follow Utah's substantive law, as opposed to the procedural area in HIPAA. He believed the forms would change to follow more with HIPAA, but the idea would remain the same. Mr. Wunderli encouraged the Subcommittee to tackle the administrative problems other panelists mentioned.

Mr. Schade echoed what Dr. Kalm and Dr. Borgenicht said. He noted the Utah state informatics task force had found that nearly 80 percent of disclosures covered under the accounting of disclosures provision went electronically to the state. The problem was that there were few or no electronic interfaces into state systems and they tended to be disparate, non-standard, and difficult to use. In some states the different registries used different software products. Mr. Schade believed the ideal solution, bar changing the law, was to provide electronic interfacing into these systems, so that when data was uploaded into the state registry, it also would be loaded into the covered entities' accounting of disclosures database. Mediconnect recommended that OCR look into resources to create a common interface into electronic systems across the country. Mr. Schade also said the state agencies needed to be educated about accounting of disclosures in particular and HIPAA in general.

Panel 3: Rural Hospitals

Ms. Mitchell said the challenge for rural facilities was that, regardless of size, they had to comply with all the essential core functions of HIPAA. All the work had to be done; in a rural stand-alone facility it was just on a smaller scale. And regardless of who planned up-front or was at the facility level, the actual implementation was the responsibility of the facility. Understanding the regulations, especially legal interpretations, was another challenge. In rural communities, a higher percentage of physicians weren't covered entities because they didn't do electronic billing and their practices were too small to require complying with the Medicare electronic submission. And so, rural facilities faced the additional challenge of HIPAA education. The privacy rule also referred to safeguards that many considered the underpinning of the security regulation; but without defined regulations, it was risky for rural facilities to invest in them. Ms. Mitchell encouraged peer rural facilities to leverage state-based health care organizations and perform outreach to physicians. She urged the Subcommittee to provide privacy compliance assistance. And she asked everyone to be gentle: rural facilities took the effort seriously, worked hard at it, but didn't have resources to participate in an investigation. And, often, they were the sole provider in their community.

Mr. Sinclair urged the Subcommittee to heed Ms. Mitchell's comments. He emphasized that long distances and scant civilization would cause a long-range problem in his area. And he cautioned that this was an unfunded mandate that would close a lot of hospitals. Mr. Sinclair said the only things HIPAA would do were criminalize compassion and fund trial attorneys. Mr. Sinclair said training for rural facilities wasn't readily available. With the HIPAA regulations, Kane had to rebuild its offices. Another problem was the cost of HIPAA implementation. Mr. Sinclair said he had a choice. He wasn't able to pay his vendors, but he could buy a CT tube that might save someone's life, or he could pay $150,000 to be in compliance with HIPAA. He wanted to know who was to make that choice.

Mr. Cohen noted that 49 government programs in 23 departments were impacted by HIPAA. Eleven were covered entities; 12 were hybrid. Many were federal grant-in-aid programs: the largest was California's $30-billion Medicaid program. The departments experienced a $20 billion shortfall in early stages of HIPAA implementation and during 2001 none began remediation, specific changes to IT systems, or business processes. Issues included different ways HIPAA impacted these programs. Pre-emption was a huge issue: California had one of the larger volumes of state law and so a bigger workload. Due to HHS's presently divided structure, Mr. Cohen noted entities were subject to OCR's and the Centers for Medicare and Medicaid Services' (CMS) divergent interpretations. Noting both focused on transactions and privacy as complaint-driven processes, he encouraged them to reconsider and agree on priorities and interpretations. He reported that the grayest areas in California were in social services. He suggested the states amend their plans, indicating programs covered by HIPAA, and that HHS approve or deny the amendments. Mr. Cohen noted that the states were an extension of the federal government through administering these grant programs and HHS had a stake in this. He also noted funding issues, emphasizing that California needed additional consideration, based on the sheer volume of state laws and how long it took to do a thoughtful pre-emption analysis.

Panel 4: State Agencies, Public Health and Research

Including data from a non-university provider in research requires patient consent, which Ms. Wylie said wasn't possible with millions of subjects. A waiver of this requirement either came through the IRB waiving consent authorization or HIPAA providing for researchers to state they only reviewed records preparatory to research. Ms. Wylie said she'd provided a comment last April, giving examples of other affected entities and noting that the Resource for Genetic and Epidemiologic Research (RGE) was more a library than a research project. The August response pointed her to the OPPR report on use of stored tissue or data. Samples were small and weren't linked to anything else, which didn't fit in with what RGE was or did. OCR said RGE should proceed with an IRB, but Ms. Wylie questioned whether that was an appropriate way to manage their resources. Dealing with past IRBs, RGE hadn't known how many subjects they'd recruit or the procedures they'd use. Ms. Wylie wondered about taking the preparatory-to-research avenue.

The National Association of Health Data Organizations (NAHDO) recommended to its members that a community-wide state pre-emption analysis be conducted. Ms. Love suggested OCR conduct a federal pre-emption template and analysis for the federal laws as a model for the states, so states could concentrate on their local pre-emption analysis. NAHDO recognized that training wasn't a one-time effort, but continuous and ongoing. And NAHDO struggled with how to standardize it. Noting members repeatedly asked for a consistent message from OCR in the form of guidance and opinions, Ms. Love recommended OCR work with NAHDO, the governors, hospital associations, and professional and specialty societies as potential partners. Tools and guidance could be shared with members effectively and efficiently and these entities could serve as a conduit of information from OCR, while filtering redundancy and synthesizing questions back to OCR.

Dr. Nangle explained that the Department of Health was a hybrid entity with covered and non-covered functions; the immunization registry was a non-covered function. While he understood that agencies that determined they were non-covered entities had other issues in disclosing immunization records, he said it wasn't clear under what basis they did this. He suggested the Subcommittee might want to discuss this issue. Dr. Nangle said HHS recognition of the public health function would greatly increase the comfort level of private partners. Dr. Nangle noted another implementation issue in a hybrid registry organization related to their dependence on massive flows of information through integrated computer systems. To do this, Dr. Nangle said they'd built up a culture of data sharing, including data going over firewalls. He'd noticed a chilling effect as people who shared data with them, particularly the Medicaid program, had to fully evaluate the implications. Dr. Nangle said he believed the chill was temporary.

Noting the states were reporting significant fiscal shortfalls, Dr. Springmeyer contended that they were unnecessarily depleting what resources they had and suggested that delegation of responsibility between federal, state, and private parties would avoid duplication and maximize their ability to come into compliance. He said the state-federal pre-emption analysis was a massive undertaking and urged the federal government to do the federal law pre-emption analysis for the country. Dr. Springmeyer stressed that covered entity determinations were incredibly difficult; he suggested that if private providers received guidance directly from HHS, they'd come to a final conclusion and move on. Dr. Springmeyer suggested that the privacy rule implementation be postponed until a year after the security rule became final. He recommended that the Subcommittee recommend to the full Committee, HHS and the Administration postponement of the April privacy deadline, until resources became available to finalize the security rule. He called on the Committee to work closely with HHS to ensure a budget was adopted and technical assistance money appropriated and available to HHS, CMS, and OCR to assist the states and private providers. He urged the Committee to work with Congress to recognize that, in most circumstances, 30 days was unreasonable when OCR issued a non-compliance finding.

Day Two

Panel 1: Health Plans and Clearinghouses

Mr. Stapley said the biggest issue facing OCR regarding education and technical support was the backlog of unanswered questions from organizations that didn't know what to do. Mr. Stapley said the pre-emption issue was Deseret Mutual's biggest difficulty and concern regarding compliance. Used to following the uniformity of ERISA, Deseret was concerned about how pre-emption would change how they administered their health plans. He noted they were also concerned about training focused on what was a covered entity under the regulations. Mr. Stapley emphasized that employers were confused. Deseret had put together a structured training program in an attempt to be proactive, and tried to help affiliated employers understand what their requirements were. Mr. Stapley said another concern related to the inconsistency between HIPAA and Gramm-Leach-Bliley (GLB). Mr. Stapley also noted the Explanation of Benefits (EOB) issue.

Mr. Casillas noted serious issues when a bank was a business associate of a health plan. He urged the Subcommittee to initiate general hearings on health care credit practices and cross-industry dialogues with banks and their medical clients discussing their concerns. He also recommended organizing or supporting demonstration projects that showed how efficiencies with medical payments could occur in the marketplace.

Subcommittee Discussion

In discussing the letter to the Secretary, members noted hearing continued confusion, misunderstanding, frustration, fear, and anger as the April 14, 2003 compliance date neared. Deficiencies cited included: inadequate guidance and technical assistance, a lack of model forms, general guidance that had limited relevance to professional niches and circumstances, and no clarifications from OCR or answers to questions submitted via OCR's Web site. Nine-to-fifteen million health care workers needed to be trained and there was an absence of widely available training materials. Vendors and consultants continued to prey on covered entities that had no way to judge the necessity or accuracy of their offerings. Fewer than half the small providers had made any effort to comply with the privacy rule. Some rural providers gave up on compliance. And some Medicaid and other "safety net" providers might stop providing care to indigent patients, because they couldn't absorb the costs of complying. One witness said the difficulty and expense caused her practice to return to paper claims to avoid being a covered entity. Witnesses feared overzealous enforcement by OCR and private lawsuits. That fear had already resulted in negative health outcomes, including providers' refusing to share patient medical information that could have helped in treating other patients and a decline in mandatory or permissive reporting of essential health data to public health agencies, tumor registries, and other entities. Millions of health care workers needed to be trained in the months ahead, but there was a shortage of expertise, materials, and funding. Witnesses said generic training wouldn't work. And consumers had received virtually no information about HIPAA.

The Subcommittee's discussion organized the recommendations for implementing the privacy rule into four groupings.

  1. Education, outreach, technical assistance--OCR should:

  2. Regulation and Enforcement--OCR should:

  3. Guidance:
    OCR should draft and make widely available model forms and templates, including state-specific, industry-specific and profession-specific forms. Such forms should include model notices, model authorizations and model acknowledgements of notices received. In addition, OCR should consider publishing standardized gap assessment guides, simple checklists, a HIPAA practice management handbook, and timelines to assist covered entities. OCR also should publish a summary of the privacy rule in both brochure/booklet and poster format for both employees of covered entities and consumers.

    OCR should provide guidance on the following topics: (1) covered provider questions; (2) state agency quasi health plans providers; (3) health plans; (4) group health plan sponsors, self-funded and fully funded benefit providers; (6) employers; (7) Medicaid and Medicare; (8) hybrids; (9) OHCAs; (10) business associates; (11) training; (12) reasonable safeguards; (13) notice; (14) right to deny requests for restriction and confidential communications; and (15) accounting for disclosures.

  4. Congressional Measures--the Secretary should recommend that the Congress:

DETAILED HEARING SUMMARY

Day One

Mr. Rothstein welcomed everyone to the first of two days of hearings on implementation issues with the HIPAA privacy rule. Mr. Rothstein clarified that the purpose of the hearings was to address issues on which recommendations to the Secretary of HHS were appropriate and to learn from the testifiers' answers to at least the following questions. What resources were available for HIPAA compliance, including those from professional organizations and trade associations? Were compilations of best practices available and how were successful implementation strategies disseminated? Were there models for public/private partnership developments? How should covered entities build coalitions and develop consensus procedures? What outreach, education, and technical support programs were needed from OCR, including suggestions for OCR priority setting? What areas were especially in need of guidance from OCR? How should the integration of HIPAA and other federal and state laws be addressed? And how did the testifiers assess the accuracy and quality of the information and services of vendors and consultants, especially as they pertained to small providers and health plans?

Mr. Rothstein noted this was the last of three sets of hearings dealing with these issues. The Subcommittee met September 10-11 in Boston and on November 6-7 in Salt Lake City. After this final hearing, the Subcommittee would submit its recommendations to the full Committee for discussion and possible action at the meeting in Washington on November 19-20. Recommendations approved by the full Committee would be transmitted in a letter to Secretary Thompson by the Committee's Chair, Dr. Lumpkin.

Mr. Rothstein noted time was available for public testimony. Witnesses could submit additional written testimony by November 11, which was less than the usual 30 days because of the tightened schedule in preparing the Subcommittee's final recommendations for the Secretary.

Panel 1: Covered Providers

Dr. Kalm said that he practiced in an office entirely by himself. He had no receptionist, secretary or office manager and he contracted with a billing service and an outside accountant. Other than that, he performed his professional duties entirely by himself.

Dr. Kalm said his first awareness of HIPAA came through a mailing from the American Psychological Association's (APA) Office of Health Care Systems and Financing in late July of 2002. The mailing gave him an overview of HIPAA, threatened him with ten years in prison and $250,000 in fines for non-compliance, and directed him to a Web address misspelled "HIPPA" to file for an extension. The mailing detailed up to 90 main points that had to be considered in order to be in compliance. As a practitioner, he had to demonstrate awareness of these points, policies and procedures and deal with them, train and test staff, evaluate testing, monitor results and document everything in a standardized form that demonstrated compliance.

As an officer of the Utah Psychiatric Association, Dr. Kalm brought this matter to the executive board in August 2002. Some members who worked for major institutions (e.g., the state of Utah, University of Utah, and IHC) had heard something about it and thought their institution was taking care of it. Other private practitioners, like Dr. Kalm, reacted with near panic. He did an Internet search to see if there was a way to facilitate compliance for private practitioners and came up with a 50-page template for a comprehensive health care information protection agreement between business associates; a one-page certificate of group health plan coverage; a 41-page certificate policy statement; a 42-page guide to medical records documentation; a one-page medical billing code of ethics; a one-page sample form for consent for purposes of treatment, payment and health care operations; a one-page sample consent to use or disclose health information for treatment, payment or health care operations; a three-page sample chief privacy officer job description; an 83-page framework and structured process for developing responsible privacy practices; a one-page sample consent for office procedure; and a one-page authorization to release information.

Dr. Kalm said in short order he amassed 227 pages of documents that gave him a few sample documents, mostly arcane guidelines, and left him bewildered about how he ensured that he was in compliance with the Orwellian-termed administrative simplification provisions of HIPAA. In the meantime, Dr. Kalm had received various mailings offering to train him and/or his staff in HIPAA compliance for $300 and up. Dr. Kalm said he had no idea of these offerings' worth.

Dr. Kalm encouraged the Subcommittee to explain the acronyms and rules in clear, plain English. He requested sample standard forms that the government would accept to guide him in how to be in compliance. And Dr. Kalm encouraged the Subcommittee to step into the private practitioner's shoes, imagine being alone in that office, and then show him how to document he is in compliance.

Panel 1: Covered Providers

Dr. Borgenicht said he'd been a general pediatrician for 30 years and in a small private practice for 18 years. He first learned about HIPAA when he received solicitations to purchase CDs and manuals as well as suggestions to participate in special symposia sponsored by law firms and health-related organizations. He called the Utah Medical Association (UMA) and they clarified what HIPAA was about and suggested that he file for extensions until the rules for small offices and their applicability were clarified. Dr. Borgenicht suggested the Subcommittee consider whether these solicitations were unscrupulous marketing practices.

Dr. Borgenicht expressed concern about implications of the privacy rule of HIPAA for his office. He'd been told not to worry because some of the rules wouldn't apply to him, but he didn't believe this. He was sympathetic to testimony from larger offices, but noted that his small office had its own issues. His reception area, waiting room, multi-purpose room, two exam rooms and a bathroom were in a 636-square-foot area. His office manager greeted patients, made appointments, gave advice, took messages, dealt with insurance and billing matters, and kept general peace.

Dr. Borgenicht believed many aspects of the privacy requirements to be common sense in his small setting (e.g. placing charts face down in the racks outside examining rooms so patient identifying information wasn't visible). They were already cautious about patient conversations in such a small space and limited private conversations to the exam or consultation rooms. They were also aware of the necessity of being discreet with phone calls. However, the ambiance in his office had always been informal and Dr. Borgenicht was concerned that the form of practice dictated by HIPAA would change this.

Dr. Borgenicht agreed on the importance of protecting privacy but also emphasized it was essential to provide practitioners simple and clear information about reasonable means. He pointed out that what might be applicable to a large clinic might not fit a small office. Noting the dwindling number of small offices, Dr. Borgenicht said it was important to preserve them in a way that didn't hinder their functional efficiency and care-giving ambience.

Asked if his manager used electronic transactions for insurance claims, Dr. Borgenicht said that she did.

Panel 1: Covered Providers

Mr. Pulsipher said he worked in a medium-sized office with 16 physicians. There were three sites, suburban and rural, just south of Salt Lake City. They had 120 staff members; many were part time. He said most of the staff were wonderful, intelligent women who weren't college educated or used to reading and understanding the sort of regulations HIPAA represented. He said he'd tried explaining to some astute staff members what they'd need to do to come into compliance and they didn't understand. He emphasized that this was a problem because they were on the front line and would have serious difficulty not inadvertently divulging informational items that were important.

Mr. Pulsipher discussed resources that might help people get up to date on HIPAA regulations. He recommended the OCR Web site. He'd printed off both the 31-page standards for privacy and the 187-page final modifications to the privacy rule. He had found the standards difficult to read, even with his Ph.D., but he noted the modifications were written in plain English with good scenarios, excellent representation of what the law said, and good examples of exceptions. He pointed out that people didn't know about the modifications; none of his colleagues used the OCR Web site. Mr. Pulsipher said the Medical Group Management Association (MGMA) Web site and its chat links were also useful. The downside was that one had to be a member. Hillphysicians.com had a guide and a checklist on a spreadsheet that walked through many suggestions on how to get ready.

Mr. Pulsipher's office used the Utah Health Information Network (UHIN) to do their electronic data interchange (EDI) with most of their insurance companies. He considered UHIN a leader on these issues and said they made sure his office was HIPAA compliant. He also worked closely with UMA, who'd been helpful. He recommended to people in Utah a popular seminar put together by two local lawyers who'd worked in Washington and provided a 70-page handout that included a diskette with sample forms.

Mr. Pulsipher said the Medical Office Manager put out a very helpful monthly newsletter that addressed HIPAA. It was written in basic English with real-life examples specifically for office managers. He said they were willing to talk with office managers about what they were doing.

Mr. Pulsipher said most of what people did was Draconian. He was glad to see that the way many people conducted business in the office had changed after the August regulation changes. Mr. Pulsipher believed the government was working to make HIPAA a meaningful thing. He agreed with the concept of privacy and wanted to protect information. He also believed physicians could use more help from OCR.

Mr. Pulsipher noted there was a way to ask questions on the OCR Web site, but the answers wouldn't come back on an individual basis. He believed the FAQs had excellent questions and were a step toward receiving definitive answers. Mr. Pulsipher recommended that OCR have a telephone line he could call to run scenarios or ask questions and get definitive answers.

Mr. Pulsipher said if he called OSHA and asked them to see if he was compliant, they'd come by for free, run through his office and procedures, and give him a recommendation so he could come into compliance with the law. It was non-discoverable, so they wouldn't come back two weeks later to find out if he'd done them. He said he'd like OCR to do the same thing.

Mr. Pulsipher said that the required notice of privacy practices was a compromise and that he didn't have to give a consent form anymore. However, he now had to pass out his notification to everybody. He noted he had 32,000 active patients. If he gave an eight-page notice to every patient, he'd have to have a stack of paper 100 feet tall. The paper alone would cost $1,800. Getting it printed would cost $8,300. Mailing it would cost $24,000. He couldn't afford that when people were just going to throw it away. He requested that OCR or someone give them the forms that would make them compliant and answer reasonable requests, so they could do whatever they could.

Mr. Rothstein asked how aware physicians in the practice were of the HIPAA privacy rule, and if they were similar to the solo practitioners they'd heard. Mr. Pulsipher said they'd all heard of HIPAA because he'd brought it up in board meetings and made sure they knew general outlines of what HIPAA was about and how it would impact their office financially and in other ways. He said they were possibly more conversant than a small group physician would be, but they weren't in charge of implementation, so they didn't know particulars on how they'd do it.

Asked how much time he'd spent going over the documents he referenced, Mr. Pulsipher said 50-to-100 hours. It took him 15-to-20 hours to understand the documents he'd mentioned in his testimony. He said he planned to read them more than that and would reformat them so the people doing the administering would understand them. He would also use flip charts because he wanted something low tech and portable.

Panel 1: Covered Providers

Mr. Morse said that Physicians Insurance was a physician-owned and governed professional liability insurer based in Washington State. They insure about 7,000 physicians, 2,000 dentists, and 20 hospitals, mostly in Washington State but with some business in Oregon, Idaho, Montana and Alaska. They were formed by physician leaders in the medical association in 1983, and shortly thereafter joined the Physician Insurers Association of America, a trade association of health care provider-owned professional liability insurance companies.

Mr. Morse said they didn't expect any impact on premiums due to the HIPAA privacy rule, but he predicted there would be lawsuits under state law that involved health care information privacy issues. Historically these cases had been rare and their cost negligible. Although they might see an increase in privacy related claims due to the publicity that occurred as the April enforcement date approached, they foresaw no impact on medical malpractice premiums. Many hundreds of hours of their staff time had been spent understanding the HIPAA privacy rule. They compared it to existing state law, and developed educational programs for their insureds. They were going to hire attorneys to help with some of the trickiest issues. However, these expenses represented a negligible percentage of their operating expenses and had no conceivable impact on medical malpractice premiums.

Mr. Morse said they devoted resources to helping their insureds implement the privacy rule for several reasons. Most companies owned by their physician policyholders devoted considerable resources to risk management services. Their own risk management department estimated that, even before HIPAA, nearly half of all inquiries from their insureds dealt with some aspect of using or disclosing patient medical and financial records. As long as they continued to provide this service, Mr. Morse said it was imperative that they be conversant with the HIPAA privacy rule. He also noted that their devotion of resources to this effort helped heighten the trust between physicians and their patients, both in the quality of care delivered and the prevention of medical malpractice claims. If new privacy protections were implemented smoothly, Mr. Morse said there was an opportunity to promote that trust. If they were implemented poorly, that trust could be damaged.

Mr. Morse explained that nearly two years ago PIAA formed a task force to assist member companies with their own HIPAA compliance issues as business associates of their insureds. The task force included many attorneys employed by companies across the nation. Together, they developed information from member companies so each could be ready to be a business associate, and provide services to their insureds to help implement the privacy rules.

Mr. Morse reported his company had developed a HIPAA privacy manual for their insureds that they issued in three steps. The first step had been mailed out several months ago to help their insureds perform the type of gap analysis needed to identify possible deficiencies in their current privacy practices, and to document that they'd taken reasonable steps in light of their capabilities to improve privacy protections. This material included a month-by-month calendar to ease the process of preparing to implement the rule. They planned to soon send a set of templates for forms, policies, and procedures that took into account the privacy rules and the more stringent state laws. They worked particularly hard to develop templates for forms in plain language, as required by the regulations, and to keep the volume of material at a manageable level. By far, the most difficult portion of this effort was identifying and incorporating state laws that were more stringent than the HIPAA privacy rules. They fully expected thinking to change regarding how to appropriately use state law, even after the April 14 deadline. The final step in their privacy manual focused on templates and resources for staff training materials, which they hoped to have available in January. Their manual was provided to their policyholders at no charge, and the Washington State version was available to the public on their Web site (www.phyins.com). Mr. Morse reminded everyone that the Washington state version took the more stringent Washington state laws into account.

Mr. Morse said they'd worked closely with the Washington State Medical Association, the Washington State Hospital Association, several attorneys and various organizations that worked together to develop HIPAA materials in the state. They also met with large and small clinic managers to share ideas and identify logistical barriers to implementation of the rule. They obtained input on the forms from volunteers, whose only contact with health care was as patients.

Mr. Morse noted instances where the privacy rules created problems. It required the physician who was a direct service provider to give a patient the notice of privacy practices the first time the physician delivered services to that patient on or after April 14, 2003. The rule also required the physician to make reasonable efforts to obtain an acknowledgment of receipt from the patient at that time. Mr. Morse said it was unrealistic to apply this requirement to settings outside the physician's office. A physician couldn't realistically comply when the first service delivery was at the hospital bedside, the nursing home, or other facilities outside the physician's office. The duty he spoke of didn't apply in an emergency, but these examples were intended to be emergencies. It was clear that HHS contemplated that hospitals, nursing homes, and others would develop organized health care arrangements (OHCAs) with their medical staff, and that the OHCA was to provide the patient with a single notice of privacy practices on behalf of all members of the OHCA. However, several hospital attorneys reported that they were advising clients not to form OHCAs. The legal reasons included the difficulty of managing the privacy practices of all the members of the medical staff. In addition, there was increased potential that such arrangements could expand hospitals' vicarious liability for the negligence of otherwise independent members of the medical staff.

Mr. Morse asked HHS to acknowledge that the application of the notice of privacy practices requirement to settings outside the physician's office interfered with the delivery of health care and needed to be the subject of a future amendment to the rules. He said it would be especially helpful if, meanwhile, HHS announced that it wouldn't enforce the requirement outside the physician's office until such time as this portion of the rule was amended.

Mr. Morse cautioned that frustration and confusion over the HIPAA rules could result in a serious impediment to the delivery of health care. He suggested that HHS draw further on the use of "reasonable," which appeared hundreds of times in the rules. He urged HHS to issue a guidance document that declared reasonable efforts to comply were expected, and that only clear defiance was cause for enforcement actions. The document could describe how patient complaints were to be addressed in a non-adversarial manner in order to assist patients and providers in understanding and adjusting to these rules.

Mr. Morse said there were other ways for HHS to alleviate the growing fear, particularly with guidance in regard to the enforcement of the duty to comply with more stringent state laws. He emphasized that anything that could be done about this problem would better enable physicians to protect patient privacy.

Mr. Morse said there was common ground among patients, providers, insurers, and regulators. Everyone involved worked to maintain and increase the trust and openness between patient and physician that was necessary to the delivery of high-quality health care services.

Discussion

Responding to Mr. Morse's statement that HIPAA wouldn't impact insurance premiums, Dr. Harding reported this was brought up in another hearing where a physician said he paid $1,500 for liability insurance for HIPAA compliance, though it wasn't specifically for malpractice. Mr. Morse agreed it wasn't for malpractice. He said those products were available and included some that indemnified physicians for civil fines. Many companies considered offering coverage only for defense of administrative enforcement actions.

Dr. Harding asked if HIPAA becoming a standard of care would move them into the malpractice area. Mr. Morse said some plaintiff attorneys might see it that way, but his company didn't. He said there were standards of care with respect to the handling of patient health care information. When abused, there could be real injury to patients. However, there were injuries in the medical malpractice arena that were far more severe, disabling, and expensive. Given the extent of those cases, he didn't see how privacy-related cases would have any impact.

Mr. Rothstein asked if he'd recommend that concerned physician policyholders purchase additional coverage for HIPAA and health privacy issues. Mr. Morse said Physicians Insurance wasn't a broker and so he wouldn't say either way. But he said they'd placed in their policy, at basically no cost, limited defense reimbursement coverage (about $25,000) to protect physicians from the cost of defense in an administrative enforcement action by the federal government. Mr. Morse said they'd advise physicians who had enough concern that there was a market for a more comprehensive insurance product and urge them to look into it.

Dr. Zubeldia asked if the panelists estimated that HIPAA might require increasing the $25,000 limit and a higher premium. Mr. Morse said they were driven by their policyholders' wishes and so didn't yet know. If they had a significant or overwhelming demand for higher limits, they'd work to make them available.

Dr. Harding asked how far along in the process participants' peers were. Dr. Kalm said his peer group included all kinds of mental health providers, social workers, and psychologists. He'd found that his peers in the social work community tended to think they weren't covered entities. They scrupulously avoided electronic transactions, and he'd cautioned them but they didn't seem to fully understand about their faxes and e-mailing. He said the APA did a lot to help their membership become compliant. He cautioned that psychiatrists were already inundated with paperwork that took away time from patients and that HIPAA would cause more.

Dr. Kalm said the issue, particular to psychiatry, was in the area of psychotherapy notes. A number of his colleagues took notes with a laptop computer and that made some patients uncomfortable. He noted that under the privacy provisions, he'd have to keep two charts, one for medication issues and another for psychotherapy notes.

Dr. Harding asked if most of his peers signed up for the transaction delay in order to ask for an extension in the transaction. Dr. Kalm said those he'd talked to have, but he couldn't answer for the general membership. Asked if he filed electronic claims, he said his billing service filed for him.

Dr. Harding asked if others had feelings about where their peer group was in the process. Dr. Borgenicht said he didn't have any hard data, but noted it was available from the Intermountain Pediatric Association. He didn't believe there were many solo pediatric practitioners in Salt Lake City. He said moderate-sized uni-specialty groups might be aware of it, but they'd punted the issue to people like Mr. Pulsipher, who was in charge of interpretations for physicians. He suspected that most pediatricians filed extensions. He said he believed individual physicians were buffered from the HIPAA reality.

Mr. Pulsipher said all his colleagues with moderate-sized clinics knew about HIPAA and so did their office managers. It was the small offices of one or two doctors that didn't have any idea and were terrified. Mr. Rothstein said he thought that if Mr. Pulsipher asked his colleagues about HIPAA, they'd indicate a general level of understanding, as well as apprehension. He suggested that if asked whether they supported reasonable efforts to increase the privacy protections for patients, especially in this electronic age, they'd say yes. Mr. Rothstein said the concept wasn't inherently objectionable or alien, but what physicians had done for 2,000 years. The question was how they'd establish reasonable standards for compliance and facilitate compliance and support, through guidance and technical assistance.

Mr. Pulsipher pointed out that, although it sounded like a friendly approach, the penalties ($250,000 for willful disregard of private health care information) were serious. He said rationally he thought it was wonderful to come to an understanding and protect this information. On the other hand, the consequences were high, and this made him angry. Dr. Borgenicht agreed, noting unnecessary reactions stemmed from fear, anxiety and ignorance. He said an orthopedist told him he was about to spend $30,000 remodeling, to be HIPAA compliant. Someone told him he didn't have to, and he canceled. Dr. Borgenicht said the Utah Medical Insurance Association introduced a program in which physicians and patients agreed that, should there be conflict or problem in the future, they'd rely on an arbitration agreement in lieu of a malpractice claim. His office was considering the cost of instituting them. Agreements between physicians and patients would take a lot of time to do, but Dr. Borgenicht said they were a higher priority to him than an eight-page privacy agreement for HIPAA.

Mr. Morse remarked on the tremendous fear of enforcement they'd heard about over something no one felt he had time to adequately come to grips with. He addressed the need for the federal government to reassure providers in some way consistent with the statute and rules that they'd collaborate when it came to enforcement. Mr. Morse emphasized that he wasn't talking about gross abuse (e.g., patient names sold to pharmaceutical manufacturers), but a fear of enforcement among individuals dedicated to protecting patient privacy.

Mr. Rothstein said several witnesses at prior hearings urged them to recommend to the Department that OCR publish the enforcement guidance standards they plan to use when investigating complaints. He asked if releasing such a document and stating that the most severe penalties and criminal sanctions were reserved for gross abuse would alleviate some concerns expressed. Mr. Morse said he believed so. Dr. Kalm said he understood the need for privacy and wasn't opposed, but stressed that he also was concerned that not everyone was trained as well as he or she ought to be in the area of privacy. A patient told him about going to another physician and being assured it would be private, and the next day the friend of the wife of the doctor's partner asked about her tests. Dr. Kalm emphasized this had nothing to do with electronic transactions, but with an awareness of certain things being kept private.

Dr. Harding said he'd heard several things through each of their testimonies. One was the issue of vendor certification for accreditation or accuracy. When they received fliers offering a $500 course, they went on faith that the company knew what it was doing and what they said was HIPAA compliant. He asked how HHS could be helpful. The other issue was the difficulty with definitions (e.g., scalability, reasonableness) and the lack of official answers. People were told they could only receive general answers and it was hard to get anyone to state official policy. He asked if this was what they were asking for. Mr. Pulsipher said that would be helpful, though he cautioned that HHS's Web site would be flooded. He said definitions of terms would definitely be helpful.

Dr. Zubeldia said the concept of scalability was fundamental in HIPAA regulations, so a small practice didn't have to have the same educational structure and materials as a group practice or the policies and procedures of a large university. He noted there were two extremes in terms of scalability. One was that they were to write their own rules according to their own interpretation of reasonable policies and procedures for their practices. The other extreme presented in the hearings was that the government should provide sample policies and procedures about what was reasonable. If this happened, there wouldn't be the flexibility that came from building their own rules. He said they also saw the option of state associations defining common practices in the state that should be associated. He asked about their reactions to the three options.

Mr. Pulsipher said he liked how the CPT codebook explained the way doctors billed for service to Medicare. It gave a definition of what they billed for a typical office call, and a section in the back gave examples. He emphasized that he didn't want the government telling him what was reasonable. His front desk was different than anyone else's in the state, and they couldn't know what it was like. But describing a typical setting and ways to accommodate HIPAA regulations by way of example would be useful.

Dr. Kalm said he'd like the government to give him a sample that he could accept if it looked reasonable or modify and send back for approval. Starting from ground zero with no idea of how to approach this was overwhelming. Mr. Pulsipher said he was talking about specific things that happened in the office that might violate patients' privacy and weren't in a form. Dr. Zubeldia concurred that policies and procedures probably weren't in a form or the same for a group as they were for a private practice. He asked if they'd like the government to provide sample policies and procedures. Dr. Kalm said yes, subject to modification, if they were realistic. Mr. Pulsipher said he wasn't interested in that. He liked "reasonable" because it provided leverage to look at what he considered doable in his clinic without spending $30,000 to remodel.

Dr. Zubeldia noted the preamble to the modification conveyed the rationale behind the changes. There was a substantial amount of information on sample cases. Mr. Pulsipher said he'd received the 187-page document that morning, printed it out, and liked what he'd read so far. He'd found the examples particularly helpful.

Dr. Zubeldia noted the initial, proposed and final rule were published. The preamble was over 800 pages and full of scenarios and cases including what to do in each and why the rule was written that way. He asked if he was looking for something beyond that. Mr. Pulsipher said he and others wouldn't read 800 pages. But he'd use it if it was organized, had examples and he could print it out and have an index he could track. Mr. Pulsipher said he had ten-to-fifteen questions. Finding answers in a reasonably indexed database on the Web would serve him.

Dr. Borgenicht said he'd opt between Dr. Kalm's approach and a rugged individualist approach where he understood what could be done and handed in a proposal so someone could tell him whether it was reasonable. He believed this would work better in many situations and practice settings. Dr. Zubeldia asked if he expected the government to tell him his changes were reasonable or would hire an attorney. Dr. Borgenicht said he didn't want to hire an attorney. He said it didn't matter whether it was a government agency, an official, or an intermediary he didn't need to pay. What mattered was that there was an interactive process that might be a solution. Asked if the state associations or UMA performed this service, Dr. Borgenicht said UMA might as they sent out monthly HIPAA updates in their newsletter and were involved. He noted one of UMA's lawyers was involved and might be an option.

Recalling that Dr. Borgenicht had said he hoped the formality of the procedures didn't change the culture of his office, Dr. Harding asked him to expand on that concern. Dr. Borgenicht explained that his office was small and informal. The office manager had been with him for 13 years, knew his patients well, and there was an ebb and flow. These conversations often gave her more information about families than he had. He wondered if HIPAA implementation would stifle these interactions.

Noting Physicians Insurance was in a number of states, Dr. Harding asked if they were spending an extraordinary amount of time on pre-emption. Mr. Morse said yes, but cautioned that even those situated only in one state needed to be concerned about pre-emption. Mr. Morse said his pain came from the federal government telling Utah physicians what model policies, procedures, and forms to use (which, in itself, was great), without coordinating them with Utah state laws. He said they might have to do a disclaimer stating this didn't take state law into account.

Mr. Morse said the Washington law had been the most agonizing part of what they'd done. He said it wasn't just a matter of sixty days under one law and ninety days under another. Sometimes the laws presented different solutions. Often they'd opted to say for both solutions, because clearly neither was more protective of the patient. He emphasized it was complicated. Physicians Insurance planned on hiring attorneys from other states to help with pre-emption issues, but they didn't have the resources.

Dr. Zubeldia asked about equivalent efforts in other states. Mr. Morse noted an effort in Oregon led by the medical association and another in Washington that drew upon the North Carolina NCHICA example.

Panel 2: Integrated Health Systems and Complex Organizations

Ms. Thomason said her primary focus was coordinating implementation of the privacy regulations throughout IHC. The most difficult HIPAA privacy regulation issue related to size and complexity and the hybrid nature of how health information existed and was maintained by IHC. She noted IHC was a nonprofit integrated health system that provided both health plans and health care systems and served 480,000 covered lives. In 2001, their health services included 117,782 inpatient visits, 28,600 births, and 5,612,399 outpatient services in various settings. Some 21 hospitals ranged from a 520-bed LDS hospital to several 20-bed rural facilities. A physicians division consisted of about 400 physicians with 89 clinics, an air ambulance service, home care and medical equipment services, retail pharmacies, and occupational medicine clinics. IHC also participated in joint clinics with the state of Utah for children who were in newborn ICUs, provided athletic trainers for high school football teams, and served as the official sports science and medicine supplier to the U.S. ski and snowboard teams.

Divisions supporting IHC's business included a physicians billing service for their employed physicians, a collection agency, and 14 legally separate but affiliated foundations. IHC health plans offered health maintenance organizations and point of service plans as well as contracts with other insurance companies, third-party administrators, preferred provider organizations, and self-funded employers, which leased the IHC network of providers and hospitals. IHC health plans and IHC services were separate legal entities. Since IHC was a single legal entity that included all of their health services, and their focus was on health care, IHC didn't consider themselves a hybrid entity, even though some of these unique health care settings hadn't involved covered functions as defined in HIPAA.

Ms. Thomason said that, after much discussion, they'd decided that the relationship between their IHC Health Services and health plans was one of an organized health care arrangement. This arrangement allowed the most flexibility to adequately share data for joint operations. But since their data commingled in some databases, they'd have difficulty addressing minimum necessary policies and procedures.

Accounting of disclosures caused another major implementation struggle. One implication of being a single covered entity was the need to provide a single accounting for patients across IHC, especially since many disclosures required in the accounting were done electronically on a corporate basis. IHC estimated they made over a million electronic disclosures per year in accounting, largely to meet requirements of the Utah Health Data Commission and Department of Vital Statistics. They knew that some health providers looked at these disclosures as operations, but they didn't use any of this information for an operations purpose and so they needed to place it in accounting. She noted the estimate didn't include disclosures to research. They had about 500 research projects active at LDS hospitals, but didn't yet know how many had IRB authorization waivers and needed to be in accounting.

Ms. Thomason said acknowledgment of the notice of privacy practices was also challenging. IHC did over six-million interactions a year in a variety of health care settings, but lacked a centralized system to monitor whether they'd already provided the notice. She said IHC planned to provide notice once in their clinics, where they saw the same patient many times. Otherwise, she said they'd probably provide notice and seek acknowledgment every time they saw a patient in an inpatient, urgent care, or other setting.

Ms. Thomason said the size and complexity of IHC presented unique workforce training issues. IHC had 23,000 employees plus volunteers and non-employed credentialed providers. They'd decided it would slow and/or prevent the process of health care to funnel all disclosures to expert departments (e.g., medical records, billing). Currently, protected health information that was disclosed for treatment (e.g., child abuse reporting) happened in clinical areas, not medical records departments. She noted this decision had major training implications. They needed to focus training on what they needed to know in a detailed manner in order to provide clinical front-line people with proper training.

Ms. Thomason said they'd defined 53 groups needing specialized training and 52 content modules to develop in house. For example, the emergency department was to receive training on in-depth modules on prevention of incidental disclosures, recommended efforts to verify identity, disclosures to law enforcement and media, and how and when to enter information in an accounting of disclosures. This was in addition to the basic general privacy instruction required for all employees.

Ms. Thomason said they'd also had scalability issues due to varying facility sizes. Some large facilities had entire departments devoted to risk or compliance; smaller facilities might only have one administrator who did all of it. They planned to provide limited training to non-employed providers so that they understood their policies and procedures and what it meant to be in an organized health care arrangement and share notices and provisions. She noted the decision to not centralize disclosures also affected the need for a widely accessible accounting of disclosures tool.

Ms. Thomason said that the hybrid multi-media nature of how information was stored in IHC presented additional complex challenges. They'd found 78 databases or record sets at IHC or maintained by business associates that contained protected health information. Of these, 18 were designated record sets as defined by the regulations.

She said IHC had a complicated network of interfaces between electronic systems, both to and from clinical and billing databases, but no one system contained all identifiable information used to make decisions about an individual's care, let alone all billing and payment information. Like their clinical data repository, some contained much but not all of their clinical information. For example, Stork Bytes was an electronic medical record for obstetric patients. Although key information interfaced to the clinical data repository, it also contained critical information on fetal monitoring which was only stored on this system. Therefore, sections of both the clinical data repository and Stork Bytes systems were designated record sets under these regulations.

Ms. Thomason explained that even though they were one of the most wired health care systems, many of their medical records and some billing records were solely on paper, and paper records on a patient were often maintained in a different location. Thus, they couldn't provide patients with all their IHC records at one contact point. They'd have to send patients to different facilities or agencies where they'd had treatment, and train front-line employees how to find out where all the records were stored, both electronically and on paper.

Ms. Thomason noted the issue of attachment of amendments wasn't a major issue with paper, as amendment documents were approved and added to the records. Where records were electronic, they didn't have the capability to attach an amendment at all, let alone attach it to pertinent sections of the record. She emphasized that they had to be careful that they didn't destroy the integrity of the data. Also, with existing interfaces, they didn't always know where the information was distributed or ended up, so they didn't know where to forward copies of amendments.

Ms. Thomason said OCR's FAQs were excellent. She noted that many of the questions submitted were about the privacy regulations, and that they'd thoroughly researched the regulation and all documents published by the Department (developing an online document on a CD that cross-referenced everything published) to ensure that the scenarios they submitted weren't already addressed. Ms. Thomason requested answers to those questions about policy and procedural impacts that were essential for them to determine how to proceed.

Ms. Thomason encouraged providing education for covered entities other than their own employees. IHC had 2,500 physicians affiliated with IHC, but only 400 employee physicians and staff were to be trained by them to any great extent. The rest were dependent on the professional organizations, consultants, or seminars. She noted others expressed similar concern in earlier testimony about the accuracy of information distributed and covered entities' confusion over what regulations stated and implied. While OCR needed to provide public education, she emphasized it was imperative that providers first be given accurate, substantial education; otherwise they would face, at best, embarrassment responding to an informed public and, at worst, lawsuits.

IHC recommended that for public health, vital statistic and other routine disclosures mandated by law en masse, the regulations allow educating the patient via a list of routine disclosures required by law, rather than a specific accounting every time information was disclosed. She said this would make the accounting provision less expensive and onerous, while still educating patients on where their information was disclosed and why.

Another suggestion was for a phased-in approach to the privacy regulations. IHC endeavored to be compliant by April 14. They'd been working on this process formally over a year, and informally for several years through their compliance department and education. An extensive disclosure document finished in 1998 had to be completely revised. Ms. Thomason expressed concern that there was still much to do (e.g., training, the minimum necessary and research procedures, and development or buying of an accounting of disclosure software tool). Noting the regulation made allowances for small health plans, she requested that large organizations also be given extra time to assess the impacts on their policies and procedures, as well as make necessary cultural changes. She said this would also allow vendors time to develop software solutions to assist them in implementation.

Dr. Harding asked how long the list of routine disclosures for public health and vital statistics was. Ms. Thomason said it shouldn't be long; only what was required by state law and only past disclosures, rather than individual ones. Noting there was a different accounting method for research disclosures involving 50 or more individuals, she called for something similar to that concept. Perhaps not an individual calling in a communicable disease, but the Utah Health Data Commission and the trauma register disclosures they were required to do by law. Ms. Greenberg asked if these were included in their privacy notice. Ms. Thomason said, according to the regulation, they couldn't cover it in a privacy notice. As it was presently written, there had to be a separate accounting. Both said they'd mention that they were required by law to do certain disclosures, and then specifically refer to them.

Mr. Rothstein noted disclosure accounting was only activated by an individual request, and they didn't know how many they'd have. Ms. Thomason pointed out that it only took one person to ask for all of his or her disclosures over the last six years. She said the idea of trying to reconstruct that was overwhelming. They had to account for disclosures from CASHA in Idaho all the way to Dixie Regional in St. George, Utah, and some people moved a lot. Ms. Thomason said she didn't see that a provision for the research of 50 or more was practical. At this point, IHC didn't find it helpful to use the alternate method and wasn't sure how they'd do it.

Panel 2: Integrated Health Systems and Complex Organizations

Mr. Riopelle explained that Gambro was a dialysis provider with 530 clinics; 40,000 people depended on them for their dialysis treatment in 32 states. He said Gambro had filed for the extension for transactions and was currently implementing changes. So far they'd invested 30,000 hours of professional time, a seven-figure total cost, and a huge drain of at least one year of their IT budget. Gambro had a proprietary system and couldn't use consultants, but had to build and modify their own system in order to be compliant. Mr. Riopelle estimated it would take about 18,000 hours of professional time to accomplish implementation of privacy.

Mr. Riopelle said Gambro needed guidance on incidental disclosures. The only guidance they'd seen was the example in the August modification of the physician and nurse at the nurse's station. He pointed out that in the dialysis business they operated in a bullpen, outpatient setting. Stations were set up all over the room; curtains and private rooms didn't work because they were taking the blood out of peoples' bodies, cleansing it, and putting it back. Nurses had to monitor each patient constantly. They didn't have resources, from a reimbursement standpoint, to place an RN in front of every dialysis station, and so the bullpen environment was critical.

Mr. Riopelle emphasized that they were dealing with chronic illness and three-or-four times a week, patients came in for three-to-four hours and interacted with the staff, including social workers, talking about their health care. Conversations were discreet and quiet, but the patient couldn't be disconnected from his machine in order to address psychosocial issues and other patients inevitably heard some of this. Mr. Riopelle asked if it was an incidental disclosure due to the fact that they were all in a treatment environment. He asked if there were reasonable safeguards to make these incidental disclosures acceptable to OCR (e.g., patients could sign a confidentiality agreement acknowledging that essential conversations would be overheard as they dialyzed in their facility). Mr. Riopelle emphasized that specific guidance outside of the hospital environment that allowed them to address this would ease their comfort level concerning OCR and enforcement.

Mr. Riopelle noted amendments were an easy concept in the paper world. If they wanted their medical record amended, they'd have an exchange about that, document it, and send it along with further disclosures to the medical record. But in the electronic environment, it was costly and difficult to adhere to this requirement. They didn't yet know how they'd do this. They were a proprietary user and developed everything they could in house, because their use was unique. He asked how to append in their information management system a request for amendment and all the documentation including rejection and rebuttal electronically. Noting modifying their internal system to accommodate this requirement could be a multi-million dollar undertaking, Mr. Riopelle asked for guidance.

Another issue Gambro struggled with stemmed from how people bonded because of their chronic need for dialysis. Two people who received dialysis next to each other for three-to-four hours at a time, three times a week, knew a lot about each other and often became friends. Strong relationships developed between patients and staff. If a patient didn't show up, others wondered if he or she had died. In the past, staff would cry and tell them the patient had died. With the new regulations, he said they'd have to tell them they couldn't say, but that they could try and call that person. Mr. Riopelle said this would take a lot of adapting and diminish the familial environment and quality, which wasn't the intended consequence of this regulation. Mr. Riopelle said he didn't want to be the one to ask the newcomer if they had permission to tell everyone if they died. He anticipated if their 500 center directors were told they could no longer give notice to others when someone died, they'd continue to do it because, in their hearts, they felt it was right to do. Acknowledging he didn't have an answer, Mr. Riopelle requested guidance.

Mr. Riopelle said there were dozens of examples of how this regulation would have unintended negative consequences on their business of caring for people. One dealt with CMS Form 2728, which they filled out on all their patients. Gambro reported to the Renal Networks, which monitored the ESRD providers. The networks also requested information for research projects, but Gambro didn't have a HIPAA-compliant authorization form for research. Mr. Riopelle questioned whether the federal form could be used as a valid research authorization, since the quasi-governmental oversight agency was telling them to provide information for the purposes of research under that authorization. Gambro had an obligation to report to the government agency, and sought a discussion with CMS to resolve this issue.

Mr. Riopelle said the training challenge was costly. Gambro was in 32 states and this training changed how people worked so much that the training had to be done in person. In January, he'd be part of a team that went to every clinic director in every state, meeting with each for four hours to educate him or her about their privacy policies and procedures. Some 12,500 employees would do Web-based computer training. Noting the costs would be huge, Mr. Riopelle said it would be helpful if the government gave more guidance than just saying, "Get it done." He said Gambro would get this done and be compliant on this issue by April 14, 2003, but he doubted that everyone the regulation required to be trained would be trained by then.

Mr. Riopelle said one item they could use guidance with was whom to include in their workforce. The regulations explicitly defined workforce, but there were still concerns. Gambro had physicians coming to their clinics and didn't know if they were included. They didn't work for Gambro, in the layman's evaluation, but were credentialed by them. Gambro planned to educate them, but wasn't obligated to train them. Mr. Riopelle emphasized that this was a problem. Some 2,000 physicians came to their clinics intermittently, interacting with patients they were rounding on, but weren't plugged into Gambro's privacy practices. Mr. Riopelle said he believed that in four-to-five years this would be part of Gambro's daily habits and routines, but that he'd like OCR's guidance acknowledging that training was evolutionary.

Mr. Riopelle considered pre-emption the regulation's most significant failure. The intent had been to create a national standard for privacy, which they still needed. Mr. Riopelle said they had challenges complying with the regulations. Training and incidental disclosures were tough. The worst was the plaintiffs' lawyers who'd gathered two weeks previous for a three-day seminar on how to sue health care companies for privacy violations under state law. He said he was pleased that there was no private right of action in HIPAA. He had fines to worry about, which they'd do their best to mitigate, but the thought of the plaintiffs' lawyers moving from tobacco and asbestos to Aetna, Gambro and Intermountain kept him up at night.

Mr. Riopelle noted HIV laws in Georgia and New York were different from HIPAA and they'd have to follow HIPAA and each state law. He said the cost to change 32 states internally would be more than a million and a half dollars.

Mr. Riopelle said there were tools (e.g., the Georgetown Privacy Project), but nothing a provider could rely on. Health Care Leadership Council was working on a substantial project that seemed comprehensive. A law firm estimated the cost of Gambro gearing toward that scope at five million dollars. Mr. Riopelle said what ruined the intended good in this legislation was the downstream risk of the state pre-emption. Noting that if Gambro had to give possibly millions of dollars to an injured party and their lawyer, it would have to come out of research and development, staffing and care, Mr. Riopelle asked the Subcommittee to address this.

Dr. Harding asked if the private letter ruling was the prudent professional standard or a ruling from the federal government. Mr. Riopelle likened it to the tax environment. A private letter ruling from the government on an aggressive tax issue provided a much clearer question-answer function. He noted it existed in every other part of the federal regulatory environment. If they had an issue with OIG or HCFA, there were functions to gain guidance that were missing here. He recalled that Mr. Campenelli stated a few weeks ago that there was no intention of a private letter ruling function as part of the enforcement or support.

Panel 2: Integrated Health Systems and Complex Organizations

Mr. Wunderli said Valley Mental Health was a 501(c)(3) not-for-profit corporation. In Utah, the counties were the local mental health authorities, with the responsibility of providing services to the seriously mentally ill at or below poverty level. Valley Mental Health contracted with three counties as the local mental health and substance abuse authority. They had over 60 locations and served about 20,000 clients per year. They were the sole capitated Medicaid provider for these three counties and served Medicare as well.

Mr. Wunderli described their involvement with HIPAA as one of discovery. When the first regulations came out in 2000, they'd jumped on them. Their transactions and security functions were moving along. The privacy functions were such that in the mental health field, they had always been very protective of confidential information. They had numerous laws in the state and their company had a huge confidentiality policy.

Mr. Wunderli said that what they were doing was important in a national privacy law. In the privacy area, the first regulations came out, and they had made the changes, realizing that whatever came out, the pre-emption analysis had been referenced. They went to numerous conferences and learned about privacy, all the while knowing there would be further amendments and they still couldn't know which laws they'd be following until they went through the pre-emption analysis. He noted this was more difficult in the mental health field, as they waited until August for the final privacy regulations. They'd received 450 pages on the Internet and still hadn't seen the regulation. Mr. Wunderli said they could have taken the comments out or gone back to the old ones and done the correlation themselves, but they waited until October so they'd know exactly what they were dealing with. Mr. Wunderli said he'd finally been able to download the final privacy regulations two weeks ago. He focused primarily on the pre-emption analysis, both in his comments and in dealing with the regulations, saying there were so many state laws in mental health that before they could do anything in the privacy area, they had to know which laws they were following.

Mr. Wunderli prefaced his discussion of several discoveries by acknowledging that he wasn't certain that they would be correct. Generally with the pre-emption analysis, a more stringent state law would be the one that pre-empted. He found that one of the definitions was the form, substance, or need for expressed legal permission from an individual for use or disclosure of individually identifiable health information. This provided requirements that narrowed the scope and increased the privacy protection afforded. With few exceptions, all disclosures in the mental health field required consent or legal permission. He believed that under HIPAA, with consent as an option for TPO and authorization required for other disclosures, it seemed that mental health continued to follow the state's substantive law, as opposed to the procedural area in HIPAA (e.g., the accounting notice, business associates, and release of information procedures). He believed the forms would change to follow more with HIPAA, but the idea would remain the same.

Mr. Wunderli pointed out that, under HIPAA, they treated persons who had authority to act for the deceased person as the personal representative to whom they gave the PHI. Under Utah state law, the privilege died with the person, therefore, they were able to give information to a personal representative anyway, as the information and privilege were dead. In A and D regulations, the personal representative had to qualify. Mr. Wunderli believed that they all had the same effect and wouldn't cause many problems.

Mr. Wunderli interpreted HIPAA to state that child abuse was a permitted disclosure if required by law, the individual agreed to disclosure, and the disclosing entity believed disclosure necessary to prevent serious harm to the individual or other potential victims. Law enforcement believed disclosure wasn't intended to be used against the individual and was harmful if the individual wasn't informed immediately. Utah state law had an absolute duty to report child abuse. There was no qualifying reason, such as preventing serious injury. Under the federal alcohol and drug regulations, they were exempted from confidentiality requirements, but reported according to state law. Mr. Wunderli believed they were allowed under HIPAA to use the state law, but with the state law they still had to get an individual agreement to disclose it and needed a qualifying reason to report, which took them out of the state law.

Mr. Wunderli noted that they constantly got subpoenas for information in mental health areas. He believed that would change as they used Rule 45, but he said it was similar to the child abuse reporting law in that they could use the state law, but would have to change it because of the way HIPAA required them to do some things.

Mr. Wunderli said he'd searched through the privacy regulations and thought he'd found the requirement they had in Utah and many states about a duty to warn. (A therapist who received information that a client would cause serious harm to somebody identifiable had a duty to warn that person and the police).

Mr. Wunderli said the big area in the fields of medical and mental health dealt with consent for minors, both for treatment and disclosure to parents and others. He'd done a multifaceted analysis of federal and state regulations, state law and HIPAA, and his initial conclusion in terms of giving records to the parent or guardian was that they would follow HIPAA, the A and D regulations and state law without making any changes. Mr. Wunderli said he'd analyzed the relationship of HIPAA to the drug and alcohol regulations and, considering underlying philosophies and policies, it appeared that in most instances the federal A and D regulations would trump HIPAA, but they were to continue following federal A and D regulations in respect to the substantive-type law.

Mr. Wunderli said procedural things also needed to be changed. He encouraged the Subcommittee to tackle the administrative problem Ms. Thomason and Mr. Riopelle mentioned.

Panel 2: Integrated Health Systems and Complex Organizations

Mr. Schade echoed what Dr. Kalm and Dr. Borgenicht said. Small providers often didn't know that HIPAA applied to them. Many covered entities had waited until the final modifications were released before they began to make changes and were ill prepared and desperately needed education and information about HIPAA. Mr. Schade said the core provisions in HIPAA generated a conflict between patients' right to know who their protected health information was being disclosed to and the covered entities' new burden of having to track that information.

Mr. Schade explained that Mediconnect provided software solutions for HIPAA compliance. They were working on the Utah state informatics task force, which dealt with health information and provided jobs in Utah. They'd found that nearly 80 percent of disclosures that would be covered under the accounting of disclosures provision went electronically to the state. Mr. Schade emphasized that was a large number of disclosures, considering IHC alone sent millions of disclosures every year. These disclosures included inpatient, cancer and trauma registries and other things the state mandated and HIPAA required to be tracked under the accounting of disclosures provision. If patients asked for their accounting of disclosures, they needed to be able to report them in detail.

Most states provided covered entities with a computer and software developed by the state. Covered entities were required to enter their data into the system, often manually. Periodically this data was transmitted to the state, usually electronically, and stored in the state repository. Mr. Schade said the problem was that there were few or no electronic interfaces with these state systems and they tended to be disparate, non-standard, and difficult to use. In some states the different registries, such as inpatient, trauma, cancer, were different software products, which caused another level of complexity for getting these disclosures.

State agencies that oversaw these registries were often unaware of HIPAA and the law's requirement that covered entities, like IHC, had to account for these disclosures. Some agencies, when they knew about HIPAA, were reluctant to allow interfacing into their registries as they were concerned about privacy and didn't want any tampering with that information. Without that kind of interfacing, large complex providers bore the significant added burden of manually double-entering that information into another system for the accounting of disclosures requirement.

Mr. Schade believed the ideal solution, barring changing the law, was to provide electronic interfacing into these systems, so that when they uploaded that data into the state registry, it would also be electronically loaded into the covered entities' accounting of disclosures database, or other reporting system. They recommended that OCR look into resources to create a common interface into these electronic systems across the country. They were prepared to assist in this task force and come up with a standard that every state could implement to simplify the job of getting this data out. It wasn't going to be a large task like an HL-7, but a smaller interface that allowed for easier capturing of that data.

Mr. Schade said the state agencies needed to be educated about accounting of disclosures in particular, and HIPAA in general. They'd found that some portions of the state would understand HIPAA but many parts had no idea about HIPAA or how it impacted them. They also believed there needed to be some pressure from OCR or HHS on the states to get them to understand the burden added to covered entities and to help them open up and work in conjunction with the covered entities in getting data into their systems, for accounting of disclosures. There were possibly some opportunities to even create global databases for smaller entities that didn't have an IT type of resource. They could use it to get their accounting of disclosures for state mandated data uploads, without needing to generate their own systems for this information.

Discussion

Dr. Zubeldia asked if they were assuming that this recommendation was to be undertaken under the authority given to the Secretary under HIPAA. Mr. Schade answered potentially, yes. Mr. Rothstein asked if it was purely an IT problem. He asked if this problem could be eliminated through technology if the software existed and the states were willing to open their systems. Mr. Schade said he mostly believed so. Some states didn't have this kind of solution in place and they needed to look at that. Larger states like Texas and California had IT systems and solutions that would make a significant inroad to solving the accounting of disclosures problem.

Mr. Rothstein asked Ms. Thomason if she also believed that as they became more electronically compatible at all of their locations it would get easier. Ms. Thomason said their plan was to either make or buy a tool that allowed an automatic download into a larger accounting of disclosures software database. They were also going to need an Internet solution in order to provide the ability of entering individual disclosures, one at a time, wherever they occurred, in whatever clinic and place. It was going to be a major training issue, especially in the clinical areas, as they had never done this before. For them to realize and remember to enter data was a large and difficult piece. Once HIPAA went into effect, it was probably going to be a focus for them to follow up and see if it was actually occurring appropriately.

She said if they designed the system right, it would be easier for them if they incorporated interfaces into the large systems, but the disclosure pieces were very different. She believed it to have been originally based on the experiences of medical records departments who entered a tremendous amount of disclosures in their software and in the process. However, due to the way HIPAA was written, those types of accounting were excluded. Medical records did it for authorizations, treatment, and payment, but those were excluded. Most of what was included in the accounting wasn't currently tracked by anyone.

Dr. Harding asked Ms. Thomason how they educated volunteers, who numbered in the thousands, in a large hospital system. Ms. Thomason replied that this was one of their 53 goals. They planned on having online modules so that a volunteer was given an orientation to meet Joint Commission standards as they first came in. They were also going to define for the volunteer group what pieces of the privacy modules had to be viewed and signed off on. For example, they were going to need to understand media and the facility directory. Dr. Harding said that, by definition, they weren't to have access to a great deal of personal health information. Ms. Thomason said it depended on where they worked. Most volunteers just worked at a front desk and had access to the facility directory. Sometimes they did filing or other things in some of the departments, so they might have more access. They counted on supervisors deciding what their volunteers had to know.

Mr. Rothstein presumed that this was probably not unique to HIPAA and that they'd been doing this for years. Anyone who worked in a health care institution, from a student to a resident to a secretary, was told about the confidentiality restrictions. Ms. Thomason concurred and added that they had confidentiality agreements that everyone in their workforce had to sign. It outlined much of what was contained in HIPAA (e.g., they weren't to share information and if they did they could be in great trouble). Even though it wasn't required by the regulation, they still planned on retaining that piece for their own policy, as then they knew that the volunteers had a basic knowledge of expectations regarding privacy. Mr. Rothstein said that now that it was required, it suddenly brought out a higher level of anxiety about not being able to do it, and whether what they were doing satisfied the legal standard.

Dr. Zubeldia requested that Mr. Wunderli educate them on the subject of pre-emption. His understanding was that when one law pre-empted another, they were to comply with the one that pre-empted. If HIPAA pre-empted state law, they would then have to comply with HIPAA, unless the state law had a higher standard, in which case they were to comply with the state law. He said he understood that there were three laws, and really no pre-emption. He wanted to know if Mr. Wunderli was saying that they had to comply with all three and find the highest common denominator. Mr. Wunderli said Dr. Zubeldia was correct. He was talking about complying with all three because they could do it with all three without saying that one pre-empted the other. They were stating that this was their practice and in this practice they weren't going to violate any of the three and were going to maintain a high standard. That type of analysis was particularly set forth in the HIPAA regulations with respect to the federal A and D regulations. They said that what they wanted to do was comply with both laws, so they were to go through an analysis and figure out a way to do something that complied with both laws.

Mr. Wunderli said the other part of his question was how they were to modify state law to comply with HIPAA if state law pre-empted, like in the example of child abuse. In this case, he said they were permitted to disclose if it was required by law, but in a specific way. Ms. Kaminsky said she thought there was another provision, particularly on child abuse. She added that the only time the pre-emption came into play was if the two laws were contrary and both couldn't possibly be abided. Thus, if they could abide by both, they were to do that. Due to the way the privacy law was written, it permitted certain uses and disclosures in certain situations. This was supposed to dovetail with the way state law required or prohibited certain types of uses and disclosures.

Ms. Kaminsky said that in regard to the child abuse piece, the public policy disclosures (which were long, detailed, and tricky to read) said in Section 164.512(b) that they were permitted to disclose under (b)(1)(ii) to a public health authority, or other appropriate government authority authorized by law to receive reports of child abuse or neglect. The reporting for child abuse and neglect was also handled in 512(c). She believed that the elements they were bringing up were for other situations described in 512(c). The allowance to report child abuse to an authority that was in place for that purpose was absolute; there was no qualifier. Mr. Wunderli asked what the qualifiers then applied to. Ms. Kaminsky said they weren't for child abuse, but for other types of abuse or domestic violence situations. They applied only in certain situations, such as if law required the disclosure and the disclosure complied with, and was limited to, the relevant requirements of that law. There were a number of clauses in 512(c) that talked about when they could disclose. One of them had the qualifier they were talking about. She believed that there were provisions built into the regulations to allow disclosure of child abuse.

Dr. Zubeldia said that they were all qualifiers. The last one on the list said that it was to the extent that the disclosure was expressly authorized by statute or regulation, which would cover it 100 percent because it was authorized and required by state law. Mr. Wunderli said that it was tied together with an 'and', which was the problem he'd experienced.

Dr. Harding said he'd brought up the issue of Dr. Borgenicht's concern about the formality of procedures changing the culture. Mr. Riopelle had brought up that same issue, especially around the notice of death within his unique culture that they had developed over the last decade. Dr. Harding said that everyone had a different opinion, which was one of the problems with the reasonableness issue. It still seemed to him that Mr. Riopelle's concern about informing friends and the staff or the group about the death of someone was a reasonableness issue. He didn't want HIPAA to be messing with their culture and he acknowledged that HIPAA was trying to improve confidentiality and, eventually, the culture as well. He believed that the rules would apply and that they could inform people of a death, but couldn't tell the details. The fact that someone committed suicide wasn't the minimum necessary.

Mr. Riopelle said Dr. Harding gave great guidance. He said they could ask the rest of the room and everyone would come up with a reasonable way to inform people about an untimely expiration, but the question was whether it was going to satisfy OCR, and if it was defensible. He might state that they were impacting patient care and still get fined. This unknown was his concern. He believed these questions to be surmountable and that they were going to, as an industry in dialysis, create solutions with defensible positions in the event of an inquiry by OCR. He would much rather do that in conjunction with guidance than alone.

Ms. Greenberg asked Ms. Thomason if she could identify what an organization such as IHC would consider positive about this rule. Ms. Thomason clarified that she wasn't the IT privacy officer, but the project leader. She said IHC did a lot already and had many elements HIPAA represented. She was personally glad to see protections for patient information didn't end with the state line, as information flowed everywhere. She felt positive about a national regulation on privacy of health information. They struggled with details, but the concepts were excellent. She believed in the philosophy of patients needing additional protections and more control over their information as well as rights of access. She said that her state didn't have an access right to information. Their attorneys might have, with their authorization, but patients didn't necessarily have access rights. HIPAA brought that forward and at least established a minimum set of protections.

Ms. Greenberg said she was unclear about whether the decision to allow state laws that were stricter to pre-empt was made by the Department or at the Congressional level. She didn't believe it was Congressional or optional.

Ms. Thomason commented that in her state they were looking to identify where state laws provided extra protections (e.g., HIV, genetics). They intended to introduce legislation stating that unless specified as a specific type of records, HIPAA was followed. That was a possible solution that didn't involve OCR. Instead, the state could take the initiative to declare the baseline; anything above would be specifically state.

Mr. Riopelle said many states took it as a mission to create aggressive, comprehensive state privacy legislation that was possibly more contrary and stringent. He noted this was great for patients, but it increased the risk and complexity for a company operating in many states. He hoped other states did what Ms. Thomason discussed. Dr. Harding agreed. He asked Ms. Thomason how they guaranteed the integrity and uniformity across the hundreds of databases when the patient requested an amendment. Ms. Thomason said that was one of their challenges. Many times an interface was written to do an initial upload into a clinical data repository, but they might not be written to update the other, depending on whether a change was made in the Sunquest lab system. They tried defining it by policy. Any amendment made was designated as a record set and became the major source of information on the patient. They were possibly going to have a procedure where, if they made a change in Sunquest, they manually notified so that the change was also made in the clinical data repository.

Recalling that Mr. Riopelle mentioned Gambro hadn't yet figured this out, Dr. Zubeldia noted they were just five-and-a-half months away. Mr. Riopelle said their challenge was from the transaction standards and changes that had to be made to a proprietary system. They weren't unique having proprietary systems, but the issue absorbed much of their dedicated and contracted resources. Even finishing their privacy assessment just after the August guidance and new rule came out and stating clearly the changes they had to make to the systems for privacy, there still wasn't enough time and resources for them to comply with transactions and with a way to make sure amendments had integrity and were tracked and followed. They hoped to find a solution, but getting their transaction standards in place by October was the priority or they couldn't bill at all. They had to bill and get paid to exist as a company and spend some of those dollars on changing their IT systems so they complied with the regulations.

Ms. Thomason said one benefit to all this was they might not see a host of amendments. To date a tremendous number of people hadn't asked for access. It would increase, especially after it was published more, but Ms. Thomason noted amendments had been fairly rare in the paper world. They'd have corrections to process, but she hoped they wouldn't have to attach amendments the way they did in the credit report industry.

Panel 3: Rural Hospitals

Ms. Mitchell said that Banner Health System was a two billion dollar health care organization that resulted from a merger between the Lutheran Health System in Fargo, North Dakota and the Samaritan Health System in Phoenix, Arizona. They had over 22,000 employees and over 30 facilities across seven states. They interfaced with over 5,000 physicians. Some of the facilities were large metropolitan hospitals; others were small rural facilities. Banner had organized a central HIPAA compliance office in June of 2000 that provided support for all Banner facilities. However, the facilities were responsible for the actual implementation of the remediation plans.

Ms. Mitchell said some of the services Banner provided to the rural facilities would have been the biggest challenge had they operated as stand-alone facilities. Banner identified roles and tasks at three levels, the corporate HIPAA compliance office level, the regional level, and the facility level. She noted a couple universal truths between them. All the work had to get done; in a rural stand-alone facility it was just on a smaller scale. And regardless of who did the up-front planning and who was at the facility level, the actual implementation of privacy rules and regulations was the responsibility of the facilities. It wasn't something anyone else could do for them, ultimately they had to absorb and own it.

Ms. Mitchell said the HIPAA compliance office at Banner had performed the majority of the tasks through phase one and part of phase two for their remediation effort. So far, they'd tasked their rural facilities with implementing the communication program, which meant reaching out to the department heads and setting expectations for the education programs, both with the department managers and the workforce they supervised. Banner asked them to implement an education program for the physicians and tried to provide support and guidance on their actual implementation. Banner asked them to implement the corporate policies and procedures, which Ms. Mitchell emphasized wasn't a small feat. Some 45 policies affected every employee in varying degrees, and in many instances ensuring compliance required significant practice changes. Banner asked them to implement the business associate agreement analysis and contract changes for contracts performed at a facility level. Ms. Mitchell talked with their facility contacts in their rural hospitals and the Arizona Hospital Association hospital membership, many of which were small facilities, and received guidance or lessons learned regarding challenges they'd faced.

Ms. Mitchell said there wasn't a single individual in a rural facility who didn't wear multiple hats. The challenge was that, regardless of the size of the facility, they had to comply with the same essential core functions of HIPAA. When they discussed identifying people to allocate to the remediation efforts, it was a large request as they were already so stretched from a resource standpoint.

While there was some high anxiety by the HIPAA contact at each of these rural facilities, Ms. Mitchell said there wasn't yet a huge sense of urgency. She said in part this was due to being stretched so thin in their day-to-day operations of patient delivery that had to take precedence. This made it an uphill battle for project managers to get the support they needed.

Ms. Mitchell said another challenge was understanding the regulations, especially the legal interpretation of what was reasonable, what was a covered entity, who their business associates were, how they applied the Organized Health Care Arrangement (OHCA) designation, and the state pre-emption analysis. She noted one external and two internal lawyers, all well versed in the HIPAA regulations, spent over two hours determining the categorization under HIPAA of the 48 entities that were part of Banner. While figuring out some of the legalese, they recognized that the HIPAA project coordinators were overwhelmed with the need to demonstrate some sense of progress. Vendors and consultants selling products and services generated a lot of misinformation. Rural facilities sensed this and felt that they needed to move, but didn't know where. There wasn't a good reference source to tell them what they needed to do, when, or in what order. Ms. Mitchell said what she had found talking to colleagues was that other organizations had done things for HIPAA remediation that didn't contribute to overall compliance. She noted that was a high risk for a rural facility with resources already stressed.

Ms. Mitchell noted another challenge was that in rural facilities and communities, a higher percentage of physicians weren't covered entities because they didn't do electronic billing and their practices were too small to be required to comply with the Medicare electronic submission. And so rural facilities faced the additional challenge of HIPAA education.

Ms. Mitchell said too many people posed as experts. She received four-to-five calls per week. She'd ask what they knew about her facility, what more they knew than she did about HIPAA, and what they could really offer her. She noted there was a place and time for vendors and consultants, but she said differentiating where the need was versus what they were trying to sell was another risky proposition for a rural facility with limited resources.

Ms. Mitchell said that the privacy rule referred to safeguards that many would say were the underpinning of the security regulation. The security program being implemented across Banner was more capital intensive and required longer lead times than their privacy regulation. Without defined regulations, it was again a risky proposition for the rural facilities to invest in any of those safeguards, as they didn't know what the alternative regulations would be.

Ms. Mitchell suggested peer rural facilities leverage their state-based health care organizations. For example, in Arizona, the Arizona Hospital Association had been a powerful facilitator in getting peer hospitals together. They'd approached it collaboratively and didn't view it as a competitive initiative. They'd shared policies, procedures, best practices, insights into vendors, and created a forum to coordinate with MGMA, the Arizona Medical Association, and the Arizona Physician Licensor Board on how to reach physicians. They also used this to reach the media.

Ms. Mitchell recommended that rural facilities perform outreach to physicians, using HIPAA information and privacy milestones to connect with the physicians and establish entree for educating them on hospital-based compliance issues. She requested that the HHS and the OCR consider helping the rural facilities perform that physician outreach by synthesizing information they thought the physicians needed to know in a monthly newsletter downloadable from the Web, which facilities could package and redistribute to their physician community.

Ms. Mitchell suggested that they also provided legal guidance. She thought they'd been comprehensive and thoughtful in providing as much support as they could. She recognized the difficulty in balancing between the government dictating specifically what they did and leaving latitude for them to manage remediation, in light of their operational process. She also said there were areas where clarity would be helpful, stressing that they needed to publish the security rule.

Ms. Mitchell asked the Subcommittee to consider providing privacy compliance assistance. One recommendation from the Banner senior management was to allow the rural facilities to ask for assistance that would result in a checklist of steps they should take toward compliance. Lastly, she asked that everyone be gentle with them. Several rural facilities she'd talked with in Banner and across Arizona and Colorado expressed concern about being fully compliant. They took the effort seriously and worked hard at it, but felt they were at the mercy of learnings happening at larger facilities and communication of those learnings to them. They didn't have resources to participate in an investigation and, in many instances, were the sole provider in their community. If they jeopardized their ability to deliver care, they'd affect a total population.

Noting Ms. Mitchell had said that some physicians didn't use electronic billing in their practices, Ms. Horlick asked if they used clearinghouses. Ms. Mitchell said no, adding that a few in metropolitan Phoenix subscribed to the government conspiracy theory. They didn't want to do anything electronically, believing that someone would grab that information. She said it was a curious perspective, but more pervasive than she'd imagined.

Ms. Mitchell said Banner, viewing the physicians as part of an organized health care arrangement, designated itself a covered entity. Ms. Kaminsky said she assumed these various facilities were separate legal entities, so she thought Banner qualified as an affiliated legal entity. Ms. Mitchell said most of those entities, like the hospitals, did business as Banner Health Systems, thus Banner Health Systems became the covered entity.

Panel 3: Rural Hospitals

Mr. Sinclair urged the Subcommittee to pay attention to Ms. Mitchell's comments that he said were accurate and understated some of the problems. He emphasized that long distances and scant civilization would cause a long-range problem in his area. The entire infrastructure was on the other side of a mountain and they didn't receive it. He cautioned that this was an unfunded mandate that eventually would close a lot of hospitals.

Mr. Sinclair noted they ran the ambulance service and, because of size, their dispatch system went through the sheriff's office. When they dispatched an address, half the community identified the patient. If a neighbor heard and offered to take care of the kids or bring a casserole, he or she was in violation of the HIPAA regulations. Mr. Sinclair said in a small town everybody knew everyone else; no one could isolate and lock up information. He said what HIPAA would do was criminalize compassion.

Mr. Sinclair said the only thing HIPAA would do was fund trial attorneys. He'd gone to six seminars, some put on by the state, others by "experts." They'd called Medicare to be sure they'd be compliant and were always told to ask their attorney. Mr. Sinclair said they couldn't afford to put an attorney on staff. He said they'd sent business office employees and nurses to conferences, and the most important thing they brought back was ask an attorney because nobody understood the requirements.

Mr. Sinclair said Kane was an independent, freestanding facility, one of three in the state. He didn't have a corporate office to fall back on. The only way they'd end up in compliance was when somebody cited them with deficiencies and they tried to correct them.

Mr. Sinclair said training for rural facilities wasn't readily available and that he had a problem with separation. In 1960 they built the hospital with a business office that had three people working in it. Medicare regulations came out in 1965 and they added a 1600-square-foot doublewide trailer with 11 employees, but still treated the same number of patients. In 1995, they began a plan to go from a 20-bed acute care hospital with 13 long-term-care beds to a nine-bed acute care, 26-bed long-term-care facility. They'd deliberately made an open office for medical records in the business office so they could communicate. People always ran back and forth and were cross-trained in both departments. With the HIPAA regulations, they had to rebuild the business physicians' offices into small compartments so people didn't have access to accounts.

Mr. Sinclair said that they had six providers in their area. Four were employed by the hospital; two were independent. They faxed lab results to the independents; he didn't see another way to do it, but he also saw a lot of privacy issues with that practice.

He also believed they'd have problems due to their hospital size and how they were structured, including problems determining where people worked. For example, emergency room standard practice was that they didn't have office personnel at night. If a patient came in, they called staff. If they needed a medical record, they'd walk down the hall to medical records, pick it up, and bring it back for the physician to review. If the physician was in their clinic, there was no question about the right to see it. But if an independent physician took an ER call for a person who came in with chest pain, they didn't know about the right to see that record, even if they were giving this person Viagra.

Mr. Sinclair said another problem was the cost of HIPAA implementation. They looked at changing their computer system and the quotes were between $150,000 and $200,000. They'd had to replace half their medical staff after September 11, because people left to be close to family members. Since then, they hadn't been paid for a single Medicare or Blue Cross patient. They had to have provider numbers for Medicare and a UPIN number to submit electronically, but the providers and insurance companies hadn't yet been able to process that information. Mr. Sinclair said he'd juggled finances between paying employees and vendors. His vendors were getting less and less. He didn't have $150,000 to put into the new computer system. On October 6, flooding and a brownout broke their CT tube and it would cost $35,000 to fix it. Mr. Sinclair said he had a choice. He wasn't able to pay his vendors, but he could buy a CT tube that might save someone's life, or he could pay $150,000 to be in compliance with HIPAA. He wanted to know who was to make that choice.

Panel 3: Rural Hospitals

Mr. Cohen said California legislation required all state entities, departments, boards, and commissions to complete an assessment by January 1, 2002 in a legislature-created form specified by their office. The assessment was performed based on status as of the end of 2001. Their office was then mandated to summarize this information and report it to the legislature, which they did. The entire report was available on their Web site, and the committee had a copy of the executive summary.

Mr. Cohen highlighted some information on the report. He noted that of more than 200 assessments sent out, they had identified 49 government programs in 23 departments impacted by HIPAA, the largest being California's thirty-billion-dollar Medicaid program. Many other programs covered were also federal grant-in-aid programs. Of the 23 departments, 11 were identified as covered entities; 12 were considered hybrid.

Mr. Cohen said the departments experienced a $20 billion shortfall during the early stages of HIPAA implementation, and thus didn't do much during the last fiscal year. Also, the fiscal year began July 1 and the budget wasn't signed until September so even though there was money in this year's budget for HIPAA implementation, there was a delay in departments going through the process of getting contractors, staff and plans in motion again.

Mr. Cohen believed their assessment helped to facilitate the HIPAA awareness process, which included preliminary planning. They were presently receiving more specific plans and schedules from departments and would use them to monitor and track the implementation process and summarize and report the results to their agency, the governor's office, and the legislature. At the time of the assessments, no departments had begun the remediation process, the specific changes to their IT systems, nor the business processes, but they planned to reach that stage this year.

Mr. Cohen said HIPAA was a unique combination of specific detailed changes and a cultural change that shifted the way people viewed their jobs. The number of governmental programs affected drove the complexity in any area and Mr. Cohen emphasized that some departments had many. Issues included the different ways HIPAA impacted those programs as a covered entity, a business associate, someone who exchanged data, the number of information technology systems impacted, and the number of new federal rules that came out and the frequency with which they were revised. They also had to implement standard transactions and codes with private providers in a way that minimized the impact on providers and the claims they submitted. Above all, they wanted to avoid disruption of services to the clients they served, including more subtle ways like increased paperwork or the provision of health care becoming more bureaucratic.

Mr. Cohen said they'd organized work groups that dealt with county-state and legal issues, communications with private providers, research and interpretation of each of the rules. Different elements of private providers were represented in an advisory committee and Mr. Cohen said they hoped to make communication one of their main themes for HIPAA implementation this year, so they could transition together smoothly. He said pre-emption was a huge issue as California had one of the larger volumes of state law and therefore a bigger workload.

Mr. Cohen believed their role, as the statewide HIPAA office, was to provide leadership, direction, oversight, and monitoring. He said there were several ways they could constructively work with their partners at the federal level on these issues. On the other hand, HIPAA also imposed new administrative requirements and activities, documentation, and tracking activities that created new workload, resource and personnel demands for their departments. States also had unique issues. They were administering government programs, which were far less clear than those in the private health care arena where HIPAA evolved.

For example, their foster care program that provided new homes to abused and neglected children had an important health care component. HIPAA stated that health care wasn't the primary purpose of the program, but it was certainly more than incidental and so they didn't know whether it was a covered entity. Mr. Cohen said this area would benefit from HHS's continued dialogue and assistance. The same was true in their welfare program. Their TANF program provided temporary mental health, alcohol, and drug treatment services. They used Medicaid funds to provide case management in their adult protective services program and, under the personal care option, in-home supportive services provided by non-licensed personnel, and thus not through a health care service per se. Mr. Cohen said these, too, fell into a gray area and coming to consensus about what was and wasn't covered would be beneficial.

Mr. Cohen said the alternative was to pass the deadline into a complaint-driven process that made them subject to petty litigation and agendas driven by others. CMS and OCR planned on transactions and privacy being a complaint-driven process. He suggested it would be more desirable if OCR and CMS organized and agreed on priorities and interpretations instead.

Mr. Cohen said that getting assistance on what was and wasn't covered by HIPAA would allow them to avoid spending scarce resources in unnecessary areas and perhaps avoid laying off people.

Mr. Cohen suggested that one option was for states to amend their state plans and indicate whether a particular program was covered by HIPAA. That way, HHS could approve or deny those plans; they could get an administrative determination, and reach an administrative agreement before they went into an adversarial complaint-driven process.

Due to the present divided structure of HHS, entities were subject to CMS's and OCR's different interpretations. It was conceivable that, after a sufficient number of complaints were processed, CMS might decide something was a covered entity while OCR decided it wasn't. There was no mechanism to resolve that. Mr. Cohen suggested it would be easier to resolve this up front. HHS, as an organization, also had a stake in this, as states were an extension of the federal government through the administering of these grant programs. They were doing their work and administering their programs and were often dealing with the neediest, most disabled people in society.

Mr. Cohen noted that pre-emption was an issue within federal law, when there was a conflict between HIPAA and another federal statute. He suggested it would be more efficient if the federal government took on that responsibility rather than risking states making different interpretations.

He also noted funding issues. The Committee already recognized that states and other entities needed help in terms of the technical infrastructure for implementing privacy. California needed additional consideration, based on the sheer volume of state laws and how long it took to do a thoughtful pre-emption analysis.

Ms. Kaminsky said she was pleased with Mr. Cohen's explicit examples of gray areas and interpretations of whether the programs were covered entities or not. She asked about other examples. Mr. Cohen said the report didn't go into more detail, but he noted the grayest areas were in social services.

Discussion

Ms. Kaminsky asked about the $150,000 computer upgrade. Mr. Sinclair explained they had a combination of hard paper medical records, but electronically transmitted everything to Medicare, Medicaid and insurance companies or they didn't get paid. He said they had an EMTALA investigation and the "feds" came in and exonerated them. Six months later, the same incident was investigated again. The fourth time, a trial attorney filed a complaint and the people who'd done all the investigating were going to survey compliance. Mr. Sinclair said that was why they needed to do everything they could to upgrade their computer system. Computers made them fill everything in; there were too many chances to leave blank spaces with a paper medical record.

Mr. Rothstein asked if the problem with HIPAA and its implications was because it was a mistake to do anything in this area or that the economics of running a rural hospital made compliance impossible. Mr. Sinclair said it was both. They didn't have the resources; he couldn't envision them ever being fully compliant. And when they dispatched the ambulance, everyone in town knew why. Mr. Rothstein said he didn't think either example was in violation of HIPAA. Mr. Sinclair said his experience with the "feds" surveying led to a different conclusion, and he hadn't seen anything come out that alleviated that fear.

Mr. Rothstein asked Ms. Mitchell if she also believed the HIPAA regulations put rural hospitals under the gun. Ms. Mitchell said they were under the gun, but she also believed the regulations provided a fair amount of latitude in terms of addressing some requirements. There were ways to do it procedurally with education and audit that might minimize higher cost solutions used in larger metro facilities.

She noted that the rural facility culture was non-private when it came to privacy issues. Because of the community-based culture, it was conducive toward wanting to know if people were "in or out" and breaches that occurred tended to be of the general population. In downtown Phoenix, that breach occurred when a senator checked into the hospital. It was no less significant in a rural facility, but the two cultures created some of the complexity and determined where each drew the line. On the one hand they wanted to support the community; on the other, people had the right to protection and privacy. Ms. Mitchell said fundamentally, rural hospitals recognized that there was a need for the regulation, and hoped to qualify and manage some of the more challenging parts of implementing it.

Dr. Harding expressed concern about the issue of unfunded mandates. He said he understood Mr. Sinclair and that he wasn't saying it didn't cost money to go along with HIPAA standards. Dr. Harding said the mutual agreement he hoped they could come to would be to try and assure as much privacy as the term said, reasonable, with everyone being at least as private as a peer operation could be.

Dr. Harding said he knew the effect of EMTALA and didn't want to mix it with HIPAA. He said he was a doctor and that legislation had probably been the most destructive issue between professional, hospital and doctor associations and the federal government. He hoped HIPAA didn't take that course but helped rural and other hospitals work with HHS to not be a financial or legal burden. The Committee's goal was to be directive and helpful in finding a way to handle the admission process, so it didn't get announced over the radio. He also didn't want this to be an anti-cultural issue that changed the culture of every town.

He agreed with Mr. Sinclair that it shouldn't be an unfunded mandate nor have them spend money when they had other demands of higher priority. Some examples Mr. Sinclair gave made Dr. Harding wonder if they'd gotten advice from somebody too strict in interpretations. But he acknowledged that they were still working on a source for interpretations. He hoped that the possibility of Mr. Sinclair going to jail for infractions associated with EMTALA wasn't a reality and that they could stop any fear about HIPAA.

Mr. Sinclair noted that size of a hospital made a difference. When someone needed surgery, they had two nurses and both knew the patient. The surgeon, assistant, admissions office, and housekeeper also knew the patient. About 15 people had access to that information and talked to the community.

Another problem came from trying to control the cost of health insurance, one of the largest cost increases. They'd previously controlled this by asking the insurance company to see who all the patients had gone to, the hospital and cost. If three hospitals did the same procedure, they'd negotiate a reduced rate. Mr. Sinclair said if he asked for that information now, the companies wouldn't give it out, because of HIPAA regulations. He couldn't find out where his health dollars were going.

Mr. Sinclair noted that in a rural community, ten percent of the population used 75 percent of the resources. Those ten percent went to a tertiary care hospital. Therefore, 75 percent of his health care dollars went out of the community. Drugs took nearly 20 percent. They treated about 90 percent of the population with ten percent of the health care dollars. Mr. Sinclair said the insurance company got between 17 and 23 percent of the premium to cover administration, which was more than he got for providing 90 percent of the care. Yet when he went to them to learn what he might do better, they wouldn't allow it due to the HIPAA regulations.

Dr. Harding said asking for statistics should be different than asking for identifiable health information. Mr. Rothstein asked Mr. Sinclair if people said they wouldn't stop treating patients in the emergency department to comply with HIPAA, therefore they weren't going to do anything about HIPAA, or were they just doing what didn't cost them money? Mr. Sinclair said that, with a group like Banner, small rural hospitals and administrators relied about 90 percent on the corporate office providing directions. Everyone he knew tried to be in compliance. And everyone had this fear that, no matter what they did, it wouldn't be good enough. Someone would come in and hurt them. Other programs had come in, embarrassed them, and took resources from direct patient care, forcing them to cut costs and services, increasing an outward migration of patients.

Mr. Rothstein said it might be valuable for HHS to break down the compliance costs, not by dollars that varied by institution, but by identifying ten actions that wouldn't cost them anything. For example, a reminder at the next staff meeting of their ethical obligations, and signs that cost a negligible amount of money versus a computer system. Mr. Rothstein said they only deluded themselves by thinking that every health care provider and facility could do all that the rule required by April 14. Perhaps they needed to facilitate the providers and covered entities, helping them to at least use what was available at no cost.

Ms. Mitchell said that was an excellent suggestion. Facilities were bombarded with recommendations, many driven more by a desire to make money than to help them become compliant. Noting that ultimately the interpretation of what was deemed right, wrong, or reasonable would come from the Committee, she said a list of low-cost starting points for showing diligence in privacy remediation would help everyone, especially rural facilities. Ms. Mitchell noted that in Arizona they shared the information as a hospital membership group, and cut through some hype. However, when push came to shove, Yavapi Valley was on their own. They didn't have a hospital association or Banner to work with if someone launched an investigation. She emphasized that a reference list could give a sense of comfort about what was truly reasonable.

Dr. Zubeldia asked what technical assistance the panelists sought from the Department. Mr. Sinclair said people that surveyed and evaluated compliance had to be trained in what to consider. Before they showed up, he needed interpreted guidelines in English, a ten-point bullet checklist, and consistency year-to-year and one-surveyor-to-the-next.

Ms. Greenberg asked if any professional associations or the Office of Rural Health in the Health Resources and Services Administration had provided useful assistance. Mr. Sinclair said much had been copied from the Federal Register and elsewhere, but they'd used it. Ms. Greenberg asked if it had been tailored to them. Mr. Sinclair said it wasn't specific to small rural hospitals.

Ms. Mitchell noted that AHA organized a monthly conference call with rural facilities. It was a mechanism to talk about unique implementation considerations in a rural facility. She hadn't seen any specific deliverables or action items, but it was a forum to collaborate.

Dr. Harding noted they hadn't heard much about it, but one reason HIPAA and administrative simplification existed was to save money. Recalling that Ms. Greenberg inquired earlier that morning about the positives of that, he asked if they foresaw a point where administrative simplification and uniformity of transmission of electronic medical data would save them money. Ms. Mitchell did. She said if the vision of a single standard was truly realized, and payors and clearinghouses were held accountable for receiving information and turning around claims, there was an opportunity. She said they were tracking it, albeit cautiously, as they didn't necessarily see a downside for the health plans. She believed OCR was responsible for this.

Ms. Mitchell added that they felt like they'd either get sued into submission for both privacy and security or they'd do it on their own. She focused on cost avoidance rather than cost savings. Burdensome as the privacy regulations seemed, she said they gave them a vehicle to address a federal regulation for privacy and confidentiality that, at some level, was defensible. It still didn't mean that civil actions wouldn't occur on a state basis, but it provided a forum for showing due diligence. There were potential opportunities for cost or legal fee avoidance down the road by doing what they needed to now. Participants noted that wasn't a cost reduction. Asked if he could reduce his Medicaid staff from 11 people to six, if all this was implemented, Mr. Sinclair explained that the reception area had to be covered, so staff would be working on other things if a patient was there. Even if they could save 30 seconds per filed claim it wasn't going to let them cut staffing.

Dr. Harding asked if they counted on their billing procedures being simplified. Ms. Mitchell expressed hope that, instead of having to comply with two-dozen proprietary standards for electronic transmission, they'd deal with one and get down to half-or-a-quarter of the number of people that managed them. She believed that the essence of the administrative simplification was, indeed, simplification and they may be able to achieve some economies, though there were many associated dependencies (e.g., vendors, clearinghouses, payors) and their diligence in achieving those efficiencies from an operations standpoint. Ms. Mitchell saw it as an opportunity, but neither she nor their finance department would make any definitive statements on cost savings. They were talking in terms of cost-saving opportunities.

Dr. Zubeldia asked if they'd looked at posting remittance advice electronically or doing referrals, claims status, or eligibility electronically and how much time that might save.

Mr. Sinclair said that they electronically transmitted claims for Medicare and Medicaid. The insurance company paid electronic claims faster. He hadn't seen any savings, only an extra step, on work done electronically in-house. Dr. Zubeldia noted that was interesting, because they must use UHIN in Utah, and they had a tool to calculate the savings on the transactions that they posted on their Web site. The reports indicated substantial savings through the transactions, even for a small practice or small hospital.

Panel 4: State Agencies, Public Health and Research

Ms. Wylie said that RGE was established as the data resource for the collection, storage, study, and dissemination of medical and related information for the purpose of reducing morbidity and mortality, which, in this case, meant research. They had over 13 million records that came from a variety of sources (e.g., the family history library of the LDS Church). They had birth certificates back to 1960, death certificates back to 1904, and cancer registries of Utah and Idaho back to the 1960s. They had driver's license data and some CMS follow-up data. The research focused mostly on cancer, but other diseases and conditions were also studied. Ms. Wylie said that the data didn't come from any individual, but if they were looking for a breast cancer gene, for example, they'd talk to the family, as there was a much higher incidence of cancer than one might expect.

They worked through contracts with their data contributors who specified which data they provided and how they could use them. Most importantly, each data contributor reviewed and approved or disapproved every single use of their data, as use was project specific only. There was no data mining. The researcher submitted an application to their review committee and data contributors considered it. Projects had to have independent IRB approval. RGE required an annual renewal and a data disposal plan.

Ms. Wylie said in projects where the de-identified data was sufficient (e.g., epidemiology types of studies) they provided data sets to researchers. For example, they could just pull data for someone looking at cancer risks in mothers of twins and their offspring. However, many people used the database to identify potential subjects for research projects. A third party, her office or a cancer registry, would contact those people about being in the project. If the information on potential subjects came from a doctor's records, they would be brought to them and linked into the database. The potential subject would receive a letter stating why they had their information and that a researcher wanted to contact them about participating. If they agreed, the identifying information was provided to the researcher.

Ms. Wylie said the database strengths came from statewide family history and vital records data. While Utah was a small state, she noted it also had a fairly contained population, making it useful for research studies. RGE did a statewide cancer registry and had all incidents and did a lot of cancer research. She said the limitation was that RGE's health medical data was limited to what came from the cancer registries and what they got from vital records. They didn't have any medical data from HCFA or driver's licenses. For non-cancer studies, researchers usually brought data sets to them (e.g., the statewide voluntary autism registry, or a researcher might get together with peers and bring all the cases of laterality defects in newborns).

Ms. Wylie said an ongoing project linked their family history records to the medical records in the University of Utah Health Sciences Center data warehouse. They linked to demographic information that included name, address, social security number and birth date on approximately 1.3 million people. Associated medical information gave them about 21 percent of the Utah care market. For some conditions, they had all the cases. The linking was within one covered entity, the University of Utah Hospital and Health Sciences Center, triggering HIPAA issues.

In order to get more data on more people, Ms. Wylie said they'd have to continue facing HIPAA issues. Including data from a non-university provider in research would require patient consent. This wasn't possible with millions of people. If they proceeded that way, people who chose not to participate or couldn't be found would shrink the population level data. She noted a waiver of this requirement came about through the IRB waiving consent authorization, or by HIPAA providing for researchers to state they were only reviewing records preparatory to research. The problem was they weren't a research project, but more like a library. In order to deal with this, Ms. Wylie read HIPAA requirements and provided a comment last April, giving examples of other affected entities.

Ms. Wylie said the responses came out in August and pointed her to the OPRR report on use of stored tissue or data. They didn't actually talk about data alone, but dealt with tissue repositories in which the tissue and associated data came from consented subjects. Samples were small and weren't linked to anything else, so it didn't fit in with what they were. Also, when IRBs evaluated those tissue repositories, which OCR said was how they were to proceed, they looked at potential uses of the data and tissue, because most tissue repositories were for specific purposes. Ms. Wylie asked if an IRB or privacy board waiver of consent was the most appropriate method of managing these resources. Dealing with past IRBs, they hadn't known how many subjects they'd recruit or the procedures they'd use. She wondered about taking the preparatory-to-research avenue.

Ms. Wylie said she strongly believed that the area of research where data from large data sets was used alone needed to be considered separately. She didn't believe they should be completely exempt from HIPAA. The disclosing entity needed to maintain a document stating that the records had been disclosed, and to whom. There needed to be IRB approval of all research using those resources, and some kind of institutional oversight for their operation. Ms. Wylie said they'd begun to look at how they'd manage these research resources. They knew of three-or-four resources at the University of Utah alone. She said linking data was easy to do; people linked data sets all the time. But it raised significant privacy and confidentiality issues, especially when health data was involved.


Ms. Love said NAHDO represented private and public health data agencies across the country that maintained statewide or large health care utilization databases for purposes of research, public health, public policy and market purposes. NAHDO had been actively involved with standards initiatives at the national level and evaluated the implications of these initiatives for members and state health data agencies. Ms. Love said members repeatedly asked for a consistent message from OCR in the form of guidance and opinions. Communicating about personal health information issues to the general public and state legislators could be useful, but no one seemed to be leading that conversation at the national and state levels. Ms. Love presented a fact sheet drawn up by the CDC about a year ago that made a difference when members were considering public health exemptions and whether public health reporting would be preserved under HIPAA. NAHDO distributed about 350 of them, often just before a meeting with an attorney general's office or a provider association, and they resolved many issues for members in a timely way. Ms. Love emphasized that this type of fact sheet for other issues would be helpful and associations could get them to whoever needed them at the right time.

Ms. Love said one present priority was understanding entity designation. Out of the 32 state data agencies, four reported they were covered entities, another four said they were hybrids, and 24 said they weren't covered but didn't know what their umbrella legal entity was. She said an ongoing question was why public health agencies with pre-emption exemptions would want to be a covered entity over the whole department; putting firewalls between every person and program within an umbrella agency would be costly.

Ms. Love noted a need to talk a bit more and for short guidance about firewalls. She said being designated a covered entity didn't keep them from due diligence on policies and procedures and that there was confusion about what a firewall might be. She added that she didn't believe it made a difference in the exemptions whether they were a covered entity or a hybrid, yet a lot of energy and time went into that at the expense of other implementation efforts. Ms. Love said several mentors suggested that OCR look at the government antitrust models for issuing private interpretations that weren't regulatory or the law, but informed people about what was needed regarding gray areas.

Another area NAHDO struggled with was how to standardize training. There were provider systems, state and local health departments, and a lot of privacy information. NAHDO recognized that training wasn't a one-time effort, but continuous and ongoing. Ms. Love said she was overwhelmed at the HIPAA summit by all the options for vendors and training manuals, but she questioned how those materials would translate effectively for the state person answering the phone or in the field with a laptop.

Noting that some local health departments hoped the state health department would help them with their HIPAA implementation, Ms. Love pointed out that states didn't have the infrastructure of some larger entities and couldn't always do this. She said NAHDO recommended to its members that a community wide state pre-emption analysis be conducted with everyone working together, and she asked if OCR would make that recommendation to communities. Ms. Love also reported that small hospitals and providers faced issues of vendor credibility and product reliability, noting there wasn't enough history with the vendors and the work they were doing (e.g., HIPAA credentialing or certification). And she noted that members suggested OCR conduct a federal pre-emption template and analysis for the federal laws as a model for the states, so states could concentrate on their local pre-emption analysis.

Ms. Love said they identified several best practices through the North Carolina Health Information Communications Alliance, Sharp, and UHIN. NAHDO sponsored a HIPAA Gives listserv for states to discuss HIPAA-related issues. She recommended that OCR work with NAHDO, the governors and hospital associations, and professional and specialty societies as potential partners. Tools and guidances could be shared with members effectively and efficiently and these entities could serve as a conduit of information from OCR, while also filtering redundancy and synthesizing questions back to OCR. Asked if all the entities were state agencies, Ms. Love said there were private sector organizations such as 3M and health information companies, but the core of their membership were state-based organizations. Some 37 states had mandates to collect health care data, but only about a dozen had statewide data collection efforts without mandate. She commended HHS and OCR for responding to their needs by presenting another option for data dissemination that included the limited data set.


Dr. Nangle noted he was responsible for several offices with functions in data collection and statistics, including the immunization registry. The purpose of immunization registries was to improve vaccination coverage, especially among children under two years of age. A single computerized repository for all children's immunization records, accessible by authorized users, solved the problem of fragmented childhood immunization records due to administering vaccines at multiple sites. An administrative rule from a section of the Utah administrative code provided legal authority to share immunization information through the state health department and the immunization registry among participating providers, schools, daycare centers, and public programs. The rule provided that immunization records of everyone in Utah might be included and there was an opt-out procedure.

Dr. Nangle noted that immunization registries also helped consolidate and automate immunization record keeping for private and public clinics. They did forecasts of immunizations due on every patient coming in each day and generated reminder postcards to families. In Utah, they only bore the cost for public clinics, but the function was available to private providers. The registries also produced reports that assisted the state health department in monitoring surveillance immunization levels statewide.

Utah's registry was a public-private partnership. Dr. Nangle said it was a cooperative effort among government agencies, health plans, and private immunization providers, with about 50 percent of the funding coming from health plans. An oversight committee comprised of representatives from the health plans, private providers and public health authorities governed funding. More than 40 percent of the private providers used their Web-enabled immunization computer application.

Dr. Nangle explained that the Department of Health was a hybrid entity with covered and non-covered functions; the immunization registry was a non-covered function. USIS intended to continue to disclose immunization records to immunization providers except for those who opted out. While he understood that agencies that determined they were non-covered entities had other issues in disclosing immunization records, he said it wasn't clear under what basis they did this. If they'd decided that they were covered, they still weren't a provider. He suggested this was an issue the Subcommittee might want to discuss.

Dr. Nangle believed that the implementation issues arose from the USIS provider agreement with their largest private partner only covering the period prior to HIPAA implementation. The health plan's legal staff wasn't convinced they were a non-covered entity with a public health exemption and not a business associate. Noting that nearly all states had immunization registries, Dr. Nangle said HHS recognition of the public health function would greatly increase the comfort level of private partners.

Dr. Nangle noted another implementation issue in a hybrid registry organization related to their dependence on massive flows of information through integrated computer systems. To do this, they'd built up a culture of data sharing, including data going over firewalls. He said they'd noticed a chilling effect as people who shared data with them, particularly the Medicaid program, had to fully evaluate the implications. Dr. Nangle said he believed this chilling was temporary.


Recalling that he'd thought Utah was the only state with few people and no money to implement HIPAA, Dr. Springmeyer pointed out only three-or-four states had the resources; even the federal government's resources were severely limited. Dr. Springmeyer said the Utah population database was successfully administered. The state contracted with the University of Utah to perform the cancer registry function. He said it would be tragic if, because of HIPAA, they were unable to discover important linkages to disease and use genetic codes to eliminate suffering. Dr. Springmeyer expressed confidence that a collaborative effort would lead to determining a way to protect confidentiality while still making use of available technology and data.

Dr. Springmeyer noted that the 20 states that participated in the roundtable all reported significant fiscal shortfalls. Contending that they were unnecessarily depleting what resources they had, he suggested that delegation of responsibility between federal, state, and private parties would avoid duplication and maximize their ability to come into compliance.

He said the state-federal pre-emption analysis was a massive undertaking. Utah had a collaborative task force with private, public, state and others willing to contribute their knowledge, accept part of the state statute and rules, and attempt to come up with the blessing of their attorney general with a conclusive comprehensive state pre-emption analysis that covered entities could build into their notices of privacy practice. Dr. Springmeyer said the fear was that they'd pass a statute that deferred to HIPAA unless they specifically completed their analysis and added many exceptions. Every covered entity would then have to modify their notice of privacy and resend it. The task force planned to complete the pre-emption analysis before the NPPs had to go out, so they could avoid the costs of re-sending.

Dr. Springmeyer urged the federal government to do the federal law pre-emption analysis for the country, instead of all 50 states doing their own. He noted the federal government already had done much of it in the preamble to the original rule and had given assurance that there was little conflict between various sections in federal law. He requested that the Office of General Counsel formalize and issue these documents. While he understood the courts might interpret it and render a contrary interpretation, Dr. Springmeyer said receiving that before the April 14 deadline still would bring a calming effect.

Dr. Springmeyer stressed that covered entity determinations were incredibly difficult. Utah private providers were unclear whether disclosure was required by law under 512(a) or if the use of 512(b), in the context of public health disclosures, along with stating it was "authorized" rather than "required," was intentionally different enough to make disclosure voluntary. He contended that if private providers received guidance directly from HHS, they'd come to a final conclusion and move on.

Dr. Springmeyer reported the task force's analysis was that once they got the data pursuant to an exception, it was no longer HIPAA data; their USIS registry could continue to function as it had before. He expressed concern over interaction between the administrative provisions of the privacy rule and the lack of a final security rule. He noted they'd been told that HHS would be streamlined when the final security rule was issued and explicitly scalable with the privacy rule. They'd counted on the NPRM to be the final security rule. If it wasn't, a great deal of money had been wasted. Dr. Springmeyer suggested that the privacy rule implementation be postponed until one year after the security rule became final. It would require statutory action by Congress, but it made sense that the policy rule would follow similarly to what was happening with the transaction rule. All the major Utah state health plans, including Medicaid, were to be fully compliant with the transaction rule in October 2003. He recommended that the Subcommittee recommend to the full Committee, HHS and the Administration postponement of the April privacy deadline, until resources came available to finalize the security rule.

Dr. Springmeyer said some formal binding process could be developed between state and federal regulators on conflicts of interpretation, whether it was a covered entity or pre-emption. He asked that CMS and OCR implement an explicit, written staged-enforcement process, particularly if the privacy rule implementation couldn't be postponed. For example, guidance as to whether getting their notice of privacy practice, training, or policies correct was most important. Dr. Springmeyer wanted to know what to be looking for when they responded to a complaint, and if it was substantial compliance as they'd been told. He also wanted to understand the fiscal restraints imposed on states and whether they would be creative in allowing them to enter into compliance plans they supervised, rather than imposing civil monetary penalties. He emphasized that any concrete, written signals from the federal government on enforcement strategy, short of an enforcement rule, would be extremely helpful.

Dr. Springmeyer understood that $42.5 million was authorized but hadn't yet been appropriated for technical assistance. He called on the Committee to work closely with HHS to ensure a budget was adopted and technical assistance money appropriated and available to HHS, CMS, and OCR to assist states and private providers.

Noting that, in the event they were to be found non-compliant, the statute presently said they only had 30 days to respond unless additional time was granted by the Secretary, Dr. Springmeyer said that didn't give nearly enough time to make a major change in an IT structure. He urged the Committee to work with Congress to recognize that 30 days was unreasonable in most circumstances where OCR issued a non-compliance finding. Dr. Springmeyer also called for clear collaboration between the Departments of Education, Agriculture, Labor, and Justice on HIPAA-implicated issues. The task force wanted to be assured that they weren't going to be asked to do something inconsistent by another department or agency.

Discussion

Dr. Zubeldia asked about the three or four resources Ms. Wylie said were at the university. Ms. Wylie said data from a variety of sources had been linked together solely for research purposes. Ms. Kaminsky asked if she believed IRB approval should be automatic. Ms. Wylie said it should continue as it was; they didn't release data until they could document that an IRB had reviewed and approved a project. And they didn't review for all the issues IRBs did. Mr. Rothstein explained that Ms. Wylie was suggesting that no IRB approval be required in collecting the data, only in using the data for research. Dr. Zubeldia asked if they released de-identified data sets. Ms. Wylie said they sometimes did, when appropriate. But no project received data from them without IRB approval.

Asked what he considered a reasonable extension for a cure period, Dr. Springmeyer said a minimum of 90 days, with recognition that there often was distinction between substantial and non-substantial changes in federal regulations and that any fundamental change to a state program might require at a minimum six months.

Remarking that the 512(b) exception concerning covered entities disclosing to public health and HIPAA's intent was clear, Ms. Horlick asked Dr. Springmeyer to re-state his concern and if he had a recommendation for how OCR might provide additional clarification. Dr. Springmeyer noted two concerns. One was misinformation. Training had been non-specific and stated that they weren't to give anything to anyone without explicit authorization or prior consent, which didn't indicate exceptions for law enforcement or public health. He said they'd drafted seven letters. Several providers notified them that they'd diagnosed a communicable disease and the patient wouldn't allow them to send it. After he'd sent a letter, educating them, they no longer had an issue. Dr. Springmeyer reiterated that it was a matter of educating providers.

He said the bigger question concerned voluntary disclosure, pursuant to a public health authorization, as opposed to a requirement, subject to the public health exception as they believed it to be. Their USIS reporting was thus voluntary and a provider that didn't choose to participate wasn't in violation of the law. Their rule explicitly authorized them to release the information and give the patient the opportunity to opt out. According to HIPAA, it wasn't the traditional consent that they expected for an authorization for release. If OCR and CMS agreed that Section 512(b) was intended by the use of the term authorized to encompass voluntary authorized releases, Dr. Springmeyer said clarification on their FAQs site and other authoritative guidance would help providers.

Mr. Rothstein observed that it wasn't just a Utah problem. They'd heard from public health officials throughout the country that essential, lawful, authorized, and required disclosures weren't made due to misunderstandings about HIPAA requirements. He noted a need for education. And he asked Dr. Springmeyer for recommendations they might make to the Department about tackling defensive practices. Dr. Springmeyer said OCR had devoted appropriate time to the public health and law enforcement exceptions. However, people couldn't learn about the exceptions until they were comfortable with the rule. He said all the training CMS and OCR did was appreciated. And they'd quickly turned around misunderstandings with letters citing the statute and specific rule. Language out of Congress' enactment added credibility, guidance in the original statute was clear, and there'd been no intent to interfere with traditional public health functions.

Noting testimonies had indicated there'd been no misuse of RGE information, Dr. Harding asked why Dr. Springmeyer was concerned if there wasn't an issue. Ms. Wylie explained that RGE information was workable as it stood; however, if they expanded beyond its utility in cancer, it would become subject to HIPAA. Dr. Harding said utilization would be taken care of by IRB. Ms. Wylie explained that, for example, asking IHC to disclose to RGE all records linking to the Utah database for use by the data warehouse would come under HIPAA. They'd need authorization from every single person.

Mr. Rothstein said he thought HIPAA was the least of Ms. Wylie's problems, because they sought to do research accumulating a repository of medical records. Ms. Wylie clarified how they wanted the linking to work. The data warehouse would provide information about individuals (e.g., name, address, birth date, but no medical information). That information would be linked and a file created with a unique ID number for each data set. Information provided could then be deleted, leaving a file that matched the number in the UPDB with the person's number in the data warehouse. Ms. Wylie said they wouldn't be getting any medical records, but only linking information. For example, if Dr. Skolnick wanted to study the genetics of interstitial lung disease, after all the approvals, they'd request that the data warehouse people pull up all records of people who had diagnosis codes and give her the IDs of everyone who was in UPDB. They'd then do a familial analysis and identify pedigrees most likely to be productive.

Dr. Zubeldia asked if they then built a master patient index between the medical records for the university and UPDB. Ms. Wylie said they would, but required the data warehouse to assign a unique ID number, instead of using a medical record number. Dr. Zubeldia said he believed that would still be considered as the key for linking the records. Ms. Wylie said that they couldn't do it any other way. They were doing it within house, and their counsel advised they were one covered entity, therefore, HIPAA didn't necessarily apply. If they wished to go beyond the 21 percent of the Utah population represented within the data warehouse's health information, then HIPAA would come into play. Mr. Rothstein said he'd have to be convinced that what they were doing wasn't covered by a requirement for IRB approval. Ms. Wylie asked what the IRB would approve. Mr. Rothstein said they were approving the facilitation for the collection of individually linkable medical information for research purposes.

Ms. Wylie asked Mr. Rothstein if he'd sat on IRB panels. He replied he'd sat on many. She said that she'd had to fill out the forms both for application and renewal and still wasn't able to answer questions that didn't address their security practices. Mr. Rothstein said it was done all over the world; everyone who looked at it agreed IRB approval was needed. Ms. Wylie said most she was familiar with involved people gathering data for specific research, even if it could later be used for other projects. Mr. Rothstein clarified that it extended beyond specific research. Ms. Wylie said then it would be IRB based. Mr. Rothstein concurred, adding that if they satisfied IRB, they satisfied HIPAA. Thus, the hurdle was IRB.

Ms. Wylie replied that IRB didn't have the expertise to evaluate, but that was another issue.

Mr. Rothstein asked Mr. Cohen whether, when they were doing their HIPAA analysis in California, they had spotted a reluctance to disclose mandatory information essential to public health. Mr. Cohen said that depended on where they went. In California, people acting in the capacity of their office were personally indemnified; state agencies didn't carry the private sector's sense of personal liability. But private providers had an overall questioning effect emanating from the uncertainty of HIPAA. Doctors who wanted to send the full patient record when they referred, so there was awareness of drug interactions, wondered if they could still do that. He believed they could, because it was treatment. But HIPAA was complicated and the sanctions serious, creating questioning and hesitancy. Noting this tied into a 20-30-year medical practice history of increasing paperwork, regulations and scrutiny, Mr. Cohen said practitioners were gun shy.

Among state agencies, Mr. Cohen said it was more a matter of the level of awareness and developing a specific strategy for how to implement these issues. Positions were being eliminated in California. People had multiple responsibilities, and it was less a matter of fear and more a question of how everyone adjusted to the changes. The research community contended with much uncertainty and questioning, which Mr. Cohen said probably extended from the University of California that did a great deal of research with several state departments.

Ms. Love said that they saw pullback in data release and two public health agencies cited HIPAA as the reason they wouldn't release data. She said the tools (e.g., the fact sheet that helped them communicate to providers about the public health exceptions) were available. But it was an excuse for agencies to get out of what they didn't want to do.

Ms. Love emphasized that the more consistent and pervasive the message was, the better and easier it would be. She suggested going back to a national framework or framing the discussion from the top and carrying it through the various segments of health care collection and distribution. She said many of the agencies that'd talked weren't primarily service delivery businesses, but information collection and dissemination, and especially concerned about HIPAA's impact. A common framework for communications would be most helpful to her members and their partners.

Asked about the administrative mechanism to resolve differences between CMS (which is implementing security) and OCR (which is implementing privacy), Mr. Cohen explained that, in one sense, the administrative separation of HIPAA was understandable because each agency was responsible for different rules. CMS was transactions, codes, and security. OCR was privacy. But in an environment uncertain about what covered entities were among governmental programs, CMS might get a complaint about something considered a covered entity in California while OCR got a complaint saying the same thing wasn't covered. Mr. Cohen said he wasn't aware of an office responsible for all of HIPAA or any administrative mechanism within HHS for resolving this problem. There was no one way of advocating for the states, short of waiting for the complaint process to begin. Noting HHS stated at another conference that they were doing an assessment of their own, Mr. Cohen said when his office requested a copy, HHS had no idea if they would be able to do that.

Dr. Zubeldia said about 80 percent of the accounting for disclosures would be for state public health agencies under state law requirements. It had been proposed that the states keep track of those disclosures, so that when a patient asked after five years where all the data had gone, providers could find out from the state health agencies.

Dr. Springmeyer asked where they'd get jurisdiction to impose a requirement on a non-covered entity, which state health functions would mostly be. He noted they'd heard testimony that a generalized inclusion in the notice of privacy practices of the types of disclosures required by law would be sufficient, rather than itemization. He said the ultimate question was whether patient protection was sufficient to justify the immense administrative burden that would be placed on those reporting to them as public health agencies. The comment back was that HIPAA required them to establish a data system that accounted for each disclosure, and so they had to account for all of them, because they couldn't know who would ask. He emphasized that this was an immense burden; a less specific accounting for release would lessen the burden.

Ms. Horlick asked Ms. Love about the entity designations and what types of state agencies were part of the four covered entities and if any were state public health agencies. Ms. Love said two were centers for health statistics; another was a division of administrative services information systems. She said they were getting different levels of hierarchy in the organization, either responding or labeled as such. She noted that states approached HIPAA differently. Some states took a fragmented approach, others were more centralized or part of a collected approach.

Ms. Horlick said she wasn't clear on the implications for traditional non-covered functions, when they were considered a covered entity. She reiterated Ms. Love's observations that some agencies that didn't appear to be providers or payors designated themselves covered entities.

Ms. Love said a lot of programs in one umbrella agency were non-covered and brought up the cost issue. If they all played by the same rules, had similar training and requirements, and did the same thing, it would be easier to administer from a state's perspective, but Ms. Love wasn't sure what that would mean for NCHS. She didn't believe it meant that they'd be held to minimum necessary. There were public health exemptions, but she believed HHS intended for public health to have a special exemption. Noting the bar seemed higher for covered entities, Ms. Love questioned why a small public health non-covered entity would want to be a covered entity.

Ms. Love added that there was some misperception about due diligence for firewalls. She was concerned that an umbrella covered entity agency would think that they wouldn't have to do their due diligence. She wanted to see policies and procedures in data hand-offs, just as good information practice, not as a covered entity, so that they could exchange with anyone in the department. The preamble was fairly clear, but there were some areas where simple guidance might go a long ways.

Dr. Springmeyer cautioned that people thought access to PHI within a hybrid-covered entity was free and open, regardless of whether they were a physician component of that entity. He recommended addressing this in the FAQs.

Ms. Kaminsky said guidance defining firewalls would be helpful. Her understanding of a deciding factor was that once they were a hybrid, they needed to do an accounting if they disclosed, because they went from a covered to non-covered entity.

Day Two

Panel 5: Health Plans and Clearinghouses

Mr. Stapley said Deseret Mutual was a consortium of four companies that administered benefits for the Latter Day Saints (LDS) church and entities affiliated with them, including Brigham Young University, Brigham Young University Idaho and Hawaii, and LDS Business College. They also did voluntary plans on behalf of LDS missionaries. Deseret had 130,000 plan participants throughout the states and did benefit administration in 80 different countries around the world. Deseret had a supplemental accident policy with an enrollment of some 2.5 million Americans. Deseret's largest concerns about how the privacy rules might affect them were related to their participants being largely dispersed throughout the United States.

One of the founders of UHIN, Mr. Stapley was Chair of UHIN's board of directors. UHIN was heavily involved in the development of standards and helped create the regulations for the HIPAA transaction rules. He said Deseret supported the privacy regulation and believed it would help solve the issue of carelessness. Mr. Stapley said the biggest issue facing OCR regarding education and technical support was the backlog of unanswered questions from organizations that didn't know what to do. In retrospect, had OCR been able to anticipate questions they could have dealt with them in an incremental fashion. Mr. Stapley noted the need for a process to catalogue organizations' questions and put something in place that systematically determined how to respond.

Mr. Stapley reiterated the fear many organizations felt, even knowing that potential penalties wouldn't include jail time. Fearful and desperate, entities guessed and spread misinformation. He stressed that this had to be stopped.

Mr. Stapley personally expressed concern that the regulations were drafted more broadly than the statute. For example, Deseret was clear about what a group health plan was when they looked at transaction standards. But as the privacy regulations were adopted, group health plan was defined more broadly than the statute possibly permitted. This affected some administrative arrangements made with Missionary Medical. Mr. Stapley explained that the program was designed to provide medical services for LDS missionaries worldwide. No premium was charged and the charitable contributions were used to support the mission. He didn't believe HIPAA was designed to cover this, yet it looked like it did. He asked whether there was authority in the statute to define health plan that broadly.

Another question was if Deseret was included by virtue of the privacy regulations, did the part that related to pre-existing conditions and portability also apply to them. If it did, Mr. Stapley said it would be a major concern.

Mr. Stapley said the preemption issue was their biggest difficulty and concern regarding compliance. Used to following the uniformity of ERISA, Deseret was concerned about how preemption would change how they administered their health plans.

He noted they were also concerned about training regarding what was a covered entity under the regulations. While HHS had put out a tool on this issue, from experience in developing the rules related to transactional standards, they also seemed to have had a strong impact on the privacy standards, which was a different issue.

Mr. Stapley said employers were confused. Deseret had put together a structured training program in an attempt to be proactive, and had been helping affiliated employers understand what their requirements were. The employers, shocked, raised additional issues on how the regulations might impact them that Deseret hadn't anticipated. Employers and plan administrators were having particular difficulty understanding the applicability of the HIPAA privacy regulations for administration of medical savings accounts; flexible spending and health care accounts; on- and off-site company-sponsored health clinics; flu shots; pre-employment physical examinations; fitness centers; health promotion and health risk assessment programs; disease management programs; health surveillance activities like toxic exposure and drug use; employee assistance programs; leave share programs; acting as an advocate of employees and similar issues. The primary purpose of many of these activities wasn't to provide treatment, yet, under certain circumstances, they could lead to treatment or the collection of information later used for providing treatment. Mr. Stapley asked if employers became covered entities by providing or promoting these various programs. If so, then HIPAA's impact on public health and employee relations would be enormous. HIPAA would have a negative effect on these traditional employer functions and on an employer's ability to continue to offer group health plans to its employees. He requested additional guidance and clarification on these and other employer-specific issues.

Mr. Stapley talked about an employer that had a job share program, which brought people's hours down from 40 to 20 per week. In order to qualify, employees had to submit documentation proving they had a disability that met their standards in order for them to enter the program. Many employees were hesitant to give out this very private and confidential information.

Mr. Stapley said employers had historically been advocates for their employees as they interfaced with administrators of employee benefits, particularly those that administered welfare benefit plans. In order to do so, the human resources department had to collect data that was clearly private. They could get a release of authorization and file it, but were concerned employers would get frightened and not help at all.

Mr. Stapley said that another concern related to the inconsistency between HIPAA and GLB. Their organization broadly administered benefits. They did all the welfare benefits, medical, dental, life insurance, and disability as well as financial benefits. They had 401(k) plans, 403(b) plans, and they administered a defined benefit master retirement plan. Their concern was that they had a centralized enrollment function and this information was being collected for both the purpose of administering a financial benefits program and as a welfare benefits program. He wanted to know if this meant that the information they were collecting was subject to the provisions of HIPAA when they were using it for the purpose of the financial benefits program. One example of how this could affect them related to a major employer with a practice of sending Thanksgiving and Christmas gifts to all of their retirees. The employer depended on his organization to keep track of the retirees, because they were also responsible for sending them their monthly retirement checks. He didn't know if he was able to give out this information to the employer. Under HIPAA they couldn't, unless they had specific authorization. Under GLB, they could. He requested guidance.

Mr. Stapley said recently they'd been told that the higher standard applied, which put them at a disadvantage. In a competitive environment (which Deseret wasn't), if they had two plans competing with each other, and one said they were only subject to GLB because they didn't do welfare benefits, and the other said that they were subject to HIPAA because they did, this was a big deal. Mr. Stapley hoped OCR didn't underestimate the impact.

Mr. Stapley noted the EOB issue. He said their plan covered dependents to age 26. In so doing, they had a contract holder that paid premiums, which was the address to which they would send EOBs. By definition, the EOBs had certain information that showed what was done and their co-pay. Even deleting the ICD-9 and CPT codes wouldn't solve the privacy issues as it still stated what actually occurred. When they sent out an EOB it was going to generate issues with the contract holder and it wasn't practical for them to keep track of EOBs sent to different addresses.

Mr. Stapley said that they didn't know of a lot of best practices. Something useful they had done that related to the security issue under HIPAA was that they had developed a tool called the Utah Security Education Tool (USET). It was a computer-generated training tool that went through issues related to security. They'd put it on a CD, made 2000 copies, and sent it to every physician in the state of Utah. Mr. Stapley said it was a great inexpensive tool that was enormously helpful and many physicians said it eliminated the issues of what to do. He requested that OCR consider doing something like this for the privacy issues.

Mr. Stapley said Deseret had put together a structured program for the training mandate directed to their participating employers. It related to training their new employees and the training of all employees with respect to the work processes and how they may possibly be impacted. He believed that proactive use of this program was his employers' most useful tool.

Mr. Stapley reiterated the issue of there being so many unanswered questions. Every time they spoke with a new employer, they received questions they hadn't anticipated and couldn't answer. Even those involved in drafting the regulations and the law couldn't answer them, which was a major concern.

Mr. Stapley said that UHIN was an outstanding model for public-private partnership that had benefited the entire country. Early on, they'd recognized that they couldn't start with EDI but had to have standards. They created a standards committee comprised of people affected by these standards (representatives from billing offices in a physician's office and hospital, claims shops with health plans, the state insurance department, Medicaid and Medicare). Members knew exactly how each standard would affect them and there were virtually no unanswered questions in the final version. Mr. Stapley said the process they'd gone through in conjunction with five other states had a profound impact and the new national transaction standards had few problems. He noted that transaction standards were simpler than privacy, and suggested getting the people involved that were affected at that level and bringing in other smart people to work with them and move it all forward.

Mr. Stapley said he'd felt for a long time that the privacy standards needed to happen; yet he also felt that the state preemption issue had been ignored through the process. State lines didn't bound health care. Their state regularly received people from adjoining states and it wasn't an exception to have a person in a single episode receive care in three different states. It was impossible for his organization, which worked in all 50 states, to look at the combinations that they needed to track in order to determine which standard applied in a given situation. He believed that states should do the things they were supposed to do, but this particular issue needed a national standard. He said the states needed to recognize that it was the only thing that would work.

Mr. Stapley said the questions of accuracy and quality of information and services of vendors and consultants also remained unanswered. Even the most expert of consultants did not know the answers to what a covered entity or a business associate was and how they would be affected by the regulations.

Asked to tell about the UHIN effort to draft the standards and where it fit in the time frame of the development of the HIPAA standards, Mr. Stapley explained that UHIN's process followed a different sequence than HIPAA, and had dealt with privacy in 1994. The idea was to have a uniform method for handling EDI with respect to health care transactions in Utah. During the process, UHIN realized they needed to be involved with the national process or face the need to change everything they'd done at a later time. By the time HIPAA was an issue, they'd already developed coalitions with Washington, South Carolina, Minnesota, Maryland and Utah. He reiterated the importance of having people on the committee who knew the process.

Mr. Casillas said rearranging core competencies between banks, their medical clients and technology partners to create new digital networks formed the basis for medical banking. The emerging segment was primarily driven by the implementation of HIPAA's privacy rule in medical payment channels. As banks and EDI industry groups focused on implementing HIPAA's transaction and code sets rule, the application of the privacy rule was ignored. Mr. Casillas said this created a difficulty in gaining both industry consensus on impacts and appropriate implementation procedures. He emphasized that providers needed to actively ensure that the banks they did business with fully complied with HIPAA requirements. The way in which banks and the medical community moved $1.3 trillion affected health care efficiency and demonstrated the need for the HIPAA policy.

Mr. Casillas said the technology that bridged banks with their medical clients was often fragmented, inefficient, and with privacy risks. There were some payment channels that offered more security than HIPAA required, but their research and HHS guidance had suggested that this wasn't true across the majority of medical payment channels.

Mr. Casillas sought to clarify the Subcommittee's understanding of the arena of policy inspection. He said he'd founded the Medical Banking Project to research, document, and facilitate medical banking convergence. He was the HFMA subject matter expert in medical banking and authored eLearning modules to assist in education efforts. When a firm he'd co-founded was sold to a national firm that provided accounts receivable financing for community banks, he gained insights in how health care administrative operations and banking infrastructure met and what could be done to make that process more efficient (e.g., clearing misunderstandings about medical receivables between banks and medical clients, a critical issue in implementing HIPAA).

Mr. Casillas said most banks and hospitals were found in small towns and formed a critical axis for supporting the local economy. They wanted to help each other as HIPAA converted paper to electronic processes, and misunderstandings were being corrected.

Mr. Casillas explained the research behind the roundtable format they used to implement HIPAA. In 1998 he'd visited 50 lock-box facilities, talked to bankers, banking associations and technology firms. Mr. Casillas drafted a white paper that identified HIPAA's privacy rule impact on lock-boxes. By October 2001, a wave of questions coming into their offices led them to seek definitive guidance from HHS and they organized a roundtable in Washington, DC. Many groups were invited and used that framework to explain their research. Even though HHS unofficially concurred with their findings, the issue met with resistance among banking groups and workgroups continued to meet. HHS confirmed that, where there was access to PHI by covered entity partners, a business association was formed, regardless of the type of entity. And if any entity was performing covered entity functions, the HIPAA rule applied.

Mr. Casillas noted signs of progress. There were business associate model contracts for banks posted on Web sites. And banking associations acknowledged that most banks were considered business associates for their medical clients, though they hadn't yet come to terms with their potential status as HIPAA clearinghouse covered entities.

Noting the Committee wasn't focused on substantive issues, Mr. Rothstein asked Mr. Casillas to speak about more technical assistance issues. Mr. Casillas said they needed to become more proactive in meeting with the banking associations. The American Bankers Association and NACA had developed working papers that described a position that leading experts didn't agree with. Because their conclusions hadn't been confirmed, confusion continued about when a bank was a covered entity.

Mr. Casillas noted serious issues when a bank was a business associate of a health plan. The network that supported the medical payments process (to the extent the network had access to PHI) also needed to be compliant with HIPAA's rules and regulations, and that was difficult when they were taking remittance information in an 835, for instance, and sending it to the ACH network. The ACH network itself was comprised of four financial clearinghouses, including the Federal Reserve, as well as 36-40 other types of financial clearinghouses. Payments information moved through these clearinghouses and the entities sometimes had PHI access.

Mr. Casillas said section 1179 in the HIPAA privacy rule appeared to exempt payment processing. However, HHS had provided guidance that when payment was accompanied with the protected health information or the EOB, the ACH network was considered an open network. In that case, encryption was required, which was already in the proposed security rule. Mr. Casillas said this would create a hardship for banks, because that technology wasn't available for just moving payment. When the providers' banks received remittances coming from ACH, they might convert the CTX transaction and create an 835 file for the medical provider. The receiving depository financial institution could then be considered a covered entity, something many didn't understand.

Mr. Casillas noted the majority of RDFIs were community banks. Most weren't even aware of HIPAA. A number of banks understood GLB, but the categories of protected information were different than HIPAA. He noted many banks reported they were already implementing privacy, but they were referring to GLB. Mr. Casillas reiterated the acute need for awareness in this segment. The way they chose to enable this was through roundtable Web casts where participants spoke with industry experts and banks addressed the issue. He noted many more Web casts needed to happen to make everyone aware of the issue.

Mr. Rothstein said he wanted to be clear about what different banks did. Certain health plan clearinghouse functions were covered by the privacy rule and there was no problem with them. Gray-area functions weren't clear. Mr. Rothstein asked about the level of compliance planning and implementation in the health clearinghouses and if they were covered.

Mr. Casillas said he couldn't testify to the compliance of the clearinghouses. He met with them regularly and his understanding was that they were clear, but he couldn't comment because his focus was on the medical banking community. Mr. Rothstein remarked that Mr. Casillas' focus was on those who were in the gray area. Dr. Zubeldia asked how gray the gray area was. He understood that any bank translating from a CTX transaction to an 835 was made a clearinghouse, but he didn't know what it took for this to happen. The CTX transaction was an encapsulation of the 835, and there was no translation of the contents. The 835 was wrapped with CTX and sent through NACA, but both the payer and provider ended up with the same 835. So, the clearinghouse concept would only apply if there was conversion from a non-standard format into a standard format, or vice versa. Dr. Zubeldia's understanding was that this wasn't happening. A standard format was delivered to the provider in the same format. For transit, it had been encapsulated in a CTX transaction, which was the same as if it had been encapsulated in a FedEx envelope. The content hadn't changed nor translated.

Mr. Casillas said there probably wouldn't be any impact on that scenario, which was an area of confusion. Many banks provided full accounts payable outsourcing services. They received the health plans' proprietary payment file, reduced it to an 835 transaction created from the non-standard file, and then enveloped it in CTX for delivery through ACH. They also took other payments and inter-bank transfers, developed checks, and created paper EOBs, which were then sent to providers. Mr. Casillas noted a series of banking activities in accounts payable outsourcing that was outside of Dr. Zubeldia's scenario. Dr. Zubeldia said that was self-inflicted; those banks chose to be in the clearinghouse business, as opposed to all banks that handled 835s.

Mr. Casillas said that was correct. However, there was an issue in the average community bank. They received the ACH transaction, took the CTX component, credited funds to the providers account or truncated or deleted the remaining part of that transaction. He said the issue was how that process occurred, because the remaining part of that transaction often had PHI. Mr. Casillas emphasized the impact of HIPAA's privacy rule in the financial spectrum. And he noted they'd been trying to isolate it.

Mr. Casillas said they'd discovered an acute need for awareness through a survey. The banking industry passed from denial to gradual acceptance only recently, and the need for awareness was acute. He noted a serious impact on standard loans. A bank loaning money to a medical provider didn't necessarily establish a pretext for developing a business associate contract. Under the privacy rule, giving access to PHI through the medical receivable, which was an asset that collateralized a provider's loan, would be illegal. The problem was a number of providers went bankrupt or did other things that violated that loan document. As a result, the bank had no recourse and couldn't attach that receivable. In addition, if the bank provided its receivable as part of the bankruptcy to the bank, without a business associate contract, the privacy rule indicated that this was punishable by the largest fines allowed. While obviously not the intent of HIPAA, it was a serious issue in routine lending between banks and medical clients. Mr. Casillas suggested the Committee look into this.

Mr. Casillas said it was common practice for entities to sell their receivables. The privacy rule didn't address this, but only showed what could be done if an entity became a covered entity after acquiring the receivable or PHI. The privacy continued after the transfer, but a bank wasn't a covered entity.

In terms of securitization (a very large industry segment that financed health care in this country), Mr. Casillas said a true sale was necessary in order to give investors confidence to invest in SPVs. Mr. Casillas pointed the Subcommittee toward the regulatory conflict that occurred with revised UCC Article 9, which made transferring receivables easier for banks but was diametrically opposed to HIPAA requirements. Mr. Casillas pointed out that UNCITRAL conventions put out by the United Nations, which were followed in the development of securitization, and the new bankruptcy reform laws, if passed, would be diametrically opposed to transferring PHI in a bankruptcy situation.

Mr. Casillas urged the Subcommittee to initiate general hearings on health care credit practices and cross-industry dialogues with banks and their medical clients discussing their concerns. He also suggested that organizing or supporting demonstration projects that showed how efficiencies with medical payments could occur in the marketplace would be useful.

Subcommittee Discussion

Asked about solutions to EOBs and non-emancipated minors seeking treatment without parental involvement, Mr. Stapley suggested that the minor could pay at time of service. He said the challenge was that a contract holder agreed to pay the premium. As such, they were financially responsible for the bill. This didn't just relate to non-emancipated minors. For someone 25 years old and in college, the system still automatically generated an EOB. The EOB could be changed to delete information, but merely sending an EOB to the policyholder raised a question and would include the kind of visit (e.g., OB-GYN). Mr. Stapley said having some exemption process was the only way to do it.

Mr. Stapley said the EOB was an important part of control in administering a health plan. When he sent it to someone, he expected him or her to look at it and question whether the service actually happened. If they eliminated the EOB, they'd eliminate a critical part of the control for preventing fraud and abuse. Thus they needed to continue sending the EOB. Mr. Stapley couldn't think of a good way to do this.

Dr. Zubeldia pointed out that if the patient sought benefits under a health plan, at some point the person paying for that contract would know benefits were drawn. He suggested that the only practical solution would be cash payment at time of service. Mr. Stapley cautioned that if they stopped sending out EOBs they'd generate fraud. Given the array of state law on privacy, Ms. Kaminsky said this couldn't be a new issue. Mr. Stapley said the practicality was new. From a practical perspective, if they asked someone to pay the bill, eventually they'd find out that a transaction occurred. Once that first question was raised, subsequent questions naturally followed. Dr. Zubeldia noted that if his children used his credit card, they could tell the merchant not to send him a receipt, but he'd still find out. He said the analogy was the same. Ms. Kaminsky said she was looking for solutions. Mr. Stapley said he didn't know if there was a good solution.

Mr. Casillas said what was on the EOB was critical in updating financial records. He didn't know if EOBs that went to patients could be different than those going to providers. Noting the patients were different in terms of what they did, Mr. Stapley said the EOBs could reflect that difference.

Subcommittee Discussion on Recommendations

Mr. Rothstein suggested they create a short letter and attachment in which they detailed their recommendations, satisfying both the Secretary who wanted something general and OCR that wanted specific guidance. He proposed that the introductory letter include conclusions put together in their September 27 letter. They'd also include general support for the goals of HIPAA and the privacy rule, the August 2002 amendments, the guidance, FAQs, and October's integrated text of the privacy rule. Specific findings gleaned from witnesses would be noted in the letter (e.g., the continued confusion and misunderstanding) and detailed (e.g., that OCR needed to prepare a one-page handout on HIPAA) in the attachment.

Dr. Zubeldia noted there would be a lot of recommendations in the full report and it would be difficult to summarize them in one-or-two pages. Much they couldn't even touch on. He proposed it would be easier to have a full report with a cover letter. Mr. Rothstein said, as he envisioned the letter, they wouldn't be commenting on or summarizing any of the recommendations, which were many and complicated. Noting they'd heard powerful statements that they didn't want buried, he suggested putting the findings in the follow-up letter. For example, they'd heard some providers were so frustrated with trying to comply that they were going back to paper, which was contrary to everything Congress intended to do with this law. Mr. Rothstein emphasized that these things needed to be highlighted in the letter.

Dr. Danaher approved of a short-form summary letter that didn't include recommendations and a larger letter capturing the essence of what they'd heard. Dr. Danaher said he liked the original format and broke what they'd heard down into two categories: one actionable and another requiring more deliberation that was HHS driven. The first was comprised of tools and mechanisms to facilitate communication and adherence to the regulation. The other dealt with the providers', covered entities' and hybrid communities' advice and concerns (e.g., state preemption analysis).

Mr. Rothstein recalled he'd originally said two pages and wound up with six. He suggested they cut back to three or four pages, but noted they'd heard there were things only the Congress could do, and others that involved CMS and required HHS-wide efforts. OCR could do some things tomorrow, if they chose. And then there were substantive areas where people said they needed guidance.

Ms. Greenberg said everyone would read something that was short and conveyed the overall findings. Noting there was richness in the testimonies and that the Department looked to the Committee to be as specific as possible, she recommended an attachment similar to a report. Much they didn't want buried could be highlighted in the cover letter. She suggested that the first issue was whether there could be adequate implementation and compliance by the deadline, given all they'd heard. She said any over-arching conclusions needed to be in the letter. She noted she was conflicted, because she didn't know if delays were even possible. People had talked about delaying any heavy enforcement, but they'd also heard testimony about how, even if the Department took a soft approach, litigators were ready to pounce. They'd been sobered by responsible providers' inability to comply by the deadline. And other excellent recommendations needed to be addressed first. She added that coalitions that could help people comply were limited to a few states; for privacy to succeed, they needed to encourage coalition building throughout the country. Ms. Greenberg emphasized two concerns: the ability to get everyone into compliance and that there would be chaos if, without coordination, consumers got different notices of privacy practices from every provider. She added coordination also was important in research and public health.

Mr. Rothstein suggested they go through the various recommendations and if the Subcommittee thought something was important they'd move it forward. He said he didn't think they could get away from recommending some kind of delay on the implementation date. Ms. Greenberg reiterated that the level of compliance they could realistically expect by April was questionable. She suggested phasing. Dr. Harding perceived a shift of motivation with people covering themselves rather than focusing on what the law required. While this might have increased compliance and sped things along, he cautioned it would be seen as a burden, not the intended positive protection of patients. He recommended that this be part of their recommendation for a delay.

Mr. Rothstein noted they'd heard repeatedly about the fear of enforcement. Overzealous enforcement was feared. All this fear was becoming a prime motivator, when it was meant to be ancillary. He suggested they table the question of whether to go with the brief or longer model for the letter. Mr. Rothstein remarked there were different ways to recommend an extension and that they could raise serious questions about whether compliance could be achieved by April without actually making that recommendation. He noted he didn't know their power in implementing an extension.

Ms. Greenberg observed there were many unanswered questions. The bottom-line question was whether they wanted implementation with so much unanswered. She contended they'd never have everything answered and some questions could only be answered through implementation. As they got answers, they could slide further along. She emphasized that issues with the security rule were important; nonetheless, she cautioned that they could delay things forever.

Dr. Zubeldia reported that the addenda regarding transactions modified less than five percent of the transaction content. After they were published, people had eight months or more to implement them. He noted the August modifications on the privacy rule were substantial. Consent was a substantial revision and there was only six months to implement changes.

Dr. Danaher said the transaction and code sets extensions were one of the most confusing things about implementation of the privacy portion of HIPAA. The covered entity community had believed the extension also applied to the privacy regulation. Noting the patients' rights movement appeared dead in terms of managed care, he cautioned that continuing to issue extensions would do the same thing to HIPAA. An extension would further dilute the desired effect, create further confusion, and possibly negate what they strove to accomplish. Dr. Danaher strongly recommended that OCR, NCVHS, and HHS do further outreach, sending the message that April 14, 2003 wasn't the end but the beginning and implementation was good, despite the criticisms. And he emphasized that they had to ensure that the constituencies had the resources and tools to realize this ruling.

Ms. Greenberg reiterated that the bottom line was the extent there was enough information between now and then for realistic compliance. She agreed that this was a revolutionary process and with setting priorities and stating that, with given tools, certain things could be done by April 2003. Others couldn't.

Dr. Zubeldia concurred. Noting a common theme heard was the fear of enforcement because what might happen was unknown, rather than an extension he suggested making specific recommendations including an action plan and enforcement as guidance to the Secretary for a future enforcement rule.

Ms. Horlick suggested a good faith effort as a first step in working out the standards. Providers probably wouldn't ever get all the answers to their questions and it was difficult to implement when they went unanswered. The Committee could put in examples about what basic things needed to be done until the questions were resolved.

Mr. Rothstein noted they'd already had the transaction extension, the delay in the standards and the security rule, and he said they ran the risk of compromising the integrity of the statute and undermining the ability of HIPAA to get off the ground if they recommended another extension. A lot of covered entities had devoted considerable time and effort to come into compliance relative to their competitors. They'd be punished if others were offered additional time. Mr. Rothstein also noted consumer concern. The 1996 law was enacted and people expected the standards of protection of health information to be raised. They'd have a hard time justifying delaying this another year.

Ms. Kaminsky agreed. She said some of the frenzied activities were tied to the April compliance date. She believed that concrete recommendations to OCR and the Department in regard to education, outreach and technical assistance would be most helpful. She said the recommendation had to be clear and communicate to the covered entity community their enforcement strategy, alleviating fear and misinformation and sorting out questions. She said the covered entity cooperative, technical-assistance-oriented approach could be folded into the outreach, education and technical assistance communications they recommended. Ms. Kaminsky noted her concern with the Department and OCR's scant resources. She emphasized that she didn't want a preoccupation with hammering out enforcement issues to take away from the need to do all the outreach, education and technical assistance. She called for a clear commitment in communicating to the country the enforcement approach.

Dr. Harding expressed concern that if they continued to keep the April 2003 deadline a tremendous reservoir of doctors, hospitals, and CEs were going to use non-accredited vendors, resulting in a cynical group who didn't get what they needed. He cautioned that this was already happening. People didn't want to go to jail and were paying a lot of money to get things they didn't need. He said he didn't know if resources were available to educate people about whether this was a launch or had to be done by the deadline. Dr. Harding acknowledged that he was ambivalent about whether to go forward, due to these competing factors.

Mr. Rothstein recognized they had to come back to this issue and it would be brought up in the full committee meeting as well. He said he wanted to get agreement on some of the other items, so they could make additions, subtractions, and modifications. He read the nine topics on the findings sheet that were issues he'd pulled from the testimonies: (1) continued confusion, misunderstanding, and lack of guidance and technical support; (2) less than half of the small providers had made any effort to comply; (3) vendors and consultants continued to lack ability to help covered entities; (4) many rural providers had given up on the idea of compliance because they were unable to do it; (5) difficulties and expenses forced some providers to abandon EDI and return to paper; (6) Medicaid and other service providers might drop out of the system because they couldn't afford to comply and couldn't pass on the added costs to Medicaid or others; (7) the fear of violating HIPAA led to adverse health outcomes, like failure to share health information about a patient when it might help with the treatment of others, and a lack of public health reporting; (8) the estimate of nine-to-15 million health care workers who needed to be trained and a shortage of training materials and funding; (9) the great fear of overzealous enforcement that would be costly to defend against, so even if they were in compliance they'd have to hire defensive legal counsel.

Dr. Zubeldia added three more: (10) without preemption, compliance with multiple state requirements simultaneously might be impossible; (11) multiple preemption analyses by multiple covered entities in the different states were wasteful, difficult, non-definitive and expensive; (12) state or regional coalitions were effective.

Dr. Danaher said he wanted to be careful the Committee didn't pass on urban legends. Noting concern and fear were voiced by a number of payers about providers using paper to circumvent being classified as a covered entity, he questioned that there was any evidence of that. Mr. Rothstein pointed out that the administrator from the large oncology group specifically stated it in her testimony and the rural health person from Oklahoma said they were losing their Medicaid providers. Dr. Danaher suggested that they verify some of these cases before putting them in the letter. Mr. Rothstein proposed phrasing this finding in ways that avoided drawing conclusions as to the veracity of the testimony or widespread nature of the problem. They didn't have time or resources to track down and double check testimony, but could try to avoid drawing unwarranted conclusions.

Ms. Kaminsky added pent up anger to the confusion and frustration brought up as the first topic. She questioned the seventh point about the sharing of health information to help with the treatment of others. Mr. Rothstein recalled a witness testified that they'd been unable in ER to get information about what was done to a patient that would have been helpful in treating another, because of HIPAA concerns. Mr. Rothstein believed this was based on a misunderstanding of the rule, but he said fear of violating HIPAA provoked it.

Ms. Kaminsky recalled an issue of government entities being able to share information outside of the covered entity, when social service organizations were involved with the care or treatment of a particular individual. She said she didn't yet know how to express that finding, but would after reviewing the testimony.

Mr. Rothstein asked if the estimate of nine-to-15 million health care workers needing training seemed accurate. Ms. Greenberg said they knew it was in the millions, but that there might be better estimates. Dr. Zubeldia recalled hearing that workers needed to be trained more than once. Mr. Rothstein said that was true in a number of ways. They'd repeatedly heard that it wasn't possible to have one type of training for everyone; a large health care institution might have 12 training systems. Dr. Zubeldia said the training materials and the training itself were expensive.

Ms. Kaminsky noted the shortage of funding wasn't just for developing training materials. There were serious costs with taking people out of the workforce, particularly in the long-term care industry where they had staff shortages.

Dr. Danaher said they were in a bind with preemption issues because the state privacy regulations already existed. Ostensibly, the organizations already were supposed to abide by them. He believed HIPAA was the first time they'd ever tried to accurately adhere to a state privacy regulation currently in effect. The difficulty they faced was working through operationally how to begin the process of adhering either to a state or federal standard. Dr. Zubeldia said he was trying to express something else. If the state hospital association, state medical association and each payer that operated in the state did their own preemption analysis it would be wasteful and there wouldn't be any concordance between the analyses. Dr. Danaher agreed.

Mr. Rothstein introduced the largest list: education, outreach and technical assistance: (1) OCR needed to prepare a one-page handout on HIPAA for providers to give to their patients (Ms. Kaminsky pointed out that this related to the consumer problem); (2) outreach efforts need to be segmented, beginning with those most vulnerable to discrimination and hardest to reach (e.g., chronically or mentally ill, substance abusers); (3) technical support needs to focus on "fragile providers" (i.e., rural and Medicaid doctors, ANPs); (4) OCR should establish covered entity industry teams to assist each industry with its unique issues; (5) OCR Web site needed to be revamped, segmented by industry and other classifications, and contain links to professional and other groups (Dr. Zubeldia said they wanted to note that the current OCR site was praised by many testifiers; Mr. Rothstein agreed, but emphasized the need for improvement); (6) OCR should publish a list of topics on which vendors and consultants might be valuable and areas covered entities could do on their own; (7) OCR needed to inform those filing for extensions that they were possibly covered entities for the privacy rule; (8) OCR was to train regional OCR staff and speak at professional meetings; (9) state-specific notices needed to be developed; (10) OCR should have regular conference calls on compliance issues; (11) OCR was to have Web seminars; (12) OCR needed to start a monthly newsletter; (13) OCR should sponsor train-the-trainer programs; (14) physicians had never heard the message that the privacy rule was part of an effort to save ten percent or more on billing and transactions; (15) public education needed to proceed along many tracks, including town meetings, editorial briefings, feature articles, and extended radio and TV interviews; (16) need to promote consumer acceptance of information interchange; (17) OCR should pursue mail outs to all 35 million Medicare recipients via the annual CMS guide; (18) FAQs were not responsive to the needs of specific entities, professions and industries (e.g., long-term care, academic medical centers); (19) the need for answers to be posted within 30 days; (20) OCR needed to provide more examples (e.g., the CMS coverage decision tree); (21) education needed to address defensive practices; (22) the need for OCR to establish a toll-free help line to answer questions; (23) OCR needed to provide on-site consultation, like OSHA; (24) OCR needed to publish a list of no- and low-cost compliance measures. Ms. Kaminsky asked what number 21 meant. Mr. Rothstein explained that providers who were erroneously fearful of violating HIPAA refused to disclose mandatory disclosure information or permissive disclosure information.

Mr. Rothstein said number thirteen addressed the fact that one-size-training didn't fit all. He suggested adding number 14, as consumers had no idea about the rule and their first exposure was likely to be the notification. He doubted they'd be able to handle it. Ms. Greenberg said they'd heard a need for consumer education, but she noted there was also a risk of undermining relationships if they came out too strongly when the physician provider community wasn't adequately educated. Ms. Kaminsky again emphasized how little had been done to educate the consumer about this rule that was supposed to be for the consumer's benefit. Ms. Greenberg said they needed to do both.

The next topic, Regulation and Enforcement, had ten sub-topics: (1) for OCR to review, approve and issue model forms; (2) OCR should issue a statement that it didn't certify any products or services as HIPAA compliant; (3) OCR should set minimum standards for training; (4) OCR needs to communicate with providers and other covered entities about enforcement and penalties; (5) the need for central preemption analysis; (6) OCR needs to reassure providers that reasonable efforts to comply wouldn't lead to enforcement actions and penalties; (7) the privacy notice should include a list of mandated disclosures and this list doesn't need to be included in accounting; (8) OCR should publish a federal preemption analysis; (9) OCR should extend the 30-day cure period to at least 90 days and, for complicated matters, up to six months; and (10) enforcement for security and privacy should be in the same agency.

Dr. Zubeldia noted that the publishing of a preemption analysis was mentioned, but so was a recommendation for the states to do their own preemption analysis. Mr. Rothstein noted that it was like FERPA and GLB. Ms. Horlick pointed out that they could reference that much, if it was in the preamble. They'd discussed taking FERPA out and talking about the privacy act. While they could do that, Mr. Rothstein noted anyone running a university health service would have students, faculty and staff coming in with two sets of rules. Students would be under FERPA and the faculty and staff under HIPAA. They'd have a system that tried to comply with two divergent sets of requirements.

Ms. Kaminsky considered how they'd communicate these recommendations. She suggested it might be appropriate to delve to a level of granularity in certain instances. They'd heard rich testimony and many specifics. She recommended organizing them and using drop-down points, so anyone who had to make decisions about recommendations to take forward could understand where the recommendations came from and what needed to be done. Mr. Rothstein agreed, but pointed out the limitations of their timetable. Ms. Greenberg agreed there was a wealth of information, but given the time frame she said it was impossible to pull it all out and organize it. She thought they should say in the letter that the Committee had gathered a tremendous amount of information. In the time available, they were putting forward their major findings and recommendations. But there was considerably more detail in the testimony, and it was available. They could either commend it to OCR for further analysis or offer a way to harvest the information further, possibly through a small contract. Ms. Greenberg said she'd been thinking about the Committee's role, what they were supposed to do, and what was to be left for OCR. She questioned that OCR realistically had resources to continue or if the Committee needed to provide further help. She reminded them that a lot of needs could be pulled together on best practices and other helpful issues.

Ms. Kaminsky contended that people were looking for guidance on specific areas, not best practices. Dr. Zubeldia pointed out that some testimony was missing and that they'd be receiving more.

Mr. Rothstein cautioned that the summary could end up so short that the Department would misunderstand and think they'd taken care of something they hadn't. Ms. Horlick said that could happen in the confusion over the covered entity designations. For example, the Department could say they'd put out a covered entity decision tree, which was helpful, but weren't going to answer the question regarding social service agencies with foster care in that level of detail. Dr. Zubeldia noted they'd heard the covered entity decision tree was flawed. For example, the decision tree made anyone who said they'd converted data from non-standard to standard, a clearinghouse, which wasn't necessarily the case. He emphasized that the decision tree was a helpful tool, but not definitive. Ms. Horlick said she wanted to recognize where they'd attempted to provide guidance. Ms. Kaminsky said the point was the Department could mistake that this issue had been taken care of through the decision tree when many levels of detail, questions, and gray areas hadn't been addressed.

Ms. Greenberg noted they were all in agreement and the only question was how to get this done. At a minimum, they could commend it all to OCR. She asked if there was anything more the Subcommittee could do to follow the letter. Mr. Rothstein said OCR needed to work with industry groups in developing guidance. The Committee had specifically been asked to recommend that OCR come up with guidance on: health plan sponsors; applicability of the privacy rules to long-term care facilities; who provided HIPAA to residents and other medical trainees; the training of health workers engaged at multiple sites (e.g., social workers); home health care records; exactly what was a good faith effort; non-routine disclosures; hybrid entities; FERPA/HIPAA overlap; fax, phone and email of protected health information; providing notice when the first contact wasn't in the doctor's office; incidental disclosures outside the hospitals (e.g., in a dialysis setting); amendment of e-records; notification to other patients of a death; HIPAA's relationship to federal alcohol and drug abuse regulations; fire walls for covered entities and hybrid entities; and public health disclosures.

Mr. Rothstein discussed issues he'd classed together because they required major Congressional or Department-level action. Topics included: the Congress considering HIPAA user fees (e.g., collected under FDA to generate funds for HIPAA outreach and education); HHS separating education, outreach and technical support functions of OCR from enforcement; possibly creating a new Office for HIPAA Information and Outreach; the Congress resolving ambiguities and inconsistencies between HIPAA and other federal law (e.g., FERPA, GLB, the privacy act); the Congress creating tax credits for HIPAA compliance, at least for certain providers (e.g., rural providers); the Congress providing compliance grants to the states; Medicaid recognizing HIPAA compliance costs; extending the privacy rule one year, as discussed; the Congress funding the $42.5 million for technical assistance authorized by ASCA. Dr. Zubeldia noted the recommendation for Congress to consider changing the law so HIPAA privacy was preempted.

Dr. Harding asked how the $42.5 million would be used. Dr. Zubeldia said the money would go for HIPAA implementation that was part of ASCA, but he didn't think it specified what part of HIPAA implementation. Ms. Greenberg said it was included in the law and would go to the Department, who would spend it. She noted it was in the law related to an extension for the transaction code set standards, which seemed to be its purpose, but could be used for privacy as well. Dr. Zubeldia said he believed the Department wanted to use at least some of that money to implement the provider ID.

Mr. Rothstein pointed out that some topics on the lists were mutually inconsistent: if they chose one, they couldn't choose another. He suggested focusing on their position. Would they give their own recommendations or report on recommendations they'd heard? Several people testified HIPAA should preempt state laws dealing with health information. Did they want to declare that as the Committee's sentiment or pass along views? With the former, the Committee would have to debate 65 different issues. On the other hand, reporting on what they'd been told didn't convey as much impact.

Ms. Greenberg said that while the Subcommittee shouldn't recommend things they found unreasonable, they needed to include recommendations they weren't prepared to support. On the preemption issue, for example, there was support for states having stricter views and probably there wasn't time or testimony for a definitive position. Ultimately, the full Committee could say that, while there were pros and cons, preemption made it difficult, if not almost impossible, for organizations that worked in many states to comply. This was already a problem and had to be revisited. Rather than recommending that Congress make HIPAA preemptive, Ms. Greenberg said more had to be done to heighten understanding of the difficulties inherent in the situation.

Dr. Zubeldia considered the situation of multiple states with conflicting laws without HIPAA. A provider operating in several states was subject to the laws of each. But with HIPAA, that provider wasn't subject to federal law, fines and a potential jail term if they didn't handle it correctly. Ms. Greenberg agreed this complicated the situation.

Dr. Zubeldia said they needed to summarize recommendations from the testifiers and state in a separate section of the letter the Subcommittee's guidance in support of the testifiers' recommendations. He noted that the Subcommittee might not fully or equally support all of the testifiers' recommendations and that a summary of everything recommended by the testifiers could be a separate set.

Mr. Rothstein asked if they needed separate rules for the prime recommendations: would they list 25 recommendations on education and outreach, but not comment or vote specifically except for the top few. Ms. Horlick noted in the past they'd written lengthy letters outlining what they'd heard, but their recommendations in the letters were the ones the Subcommittee supported.

Asked what form would be most useful to OCR, Ms. Kaminsky said she wasn't sure about the form but she thought it would be useful to prioritize their top five-to-ten recommendations. She said the resource issue was so severe that the best they could do was help decide priorities. Ms. Greenberg agreed. She asked if they wanted to reaffirm their statement in the September letter that they didn't have enough resources. Mr. Rothstein said they wanted to reaffirm that clearly.

Ms. Kaminsky said OCR had considered hiring someone who was a compliance expert because people who'd written this regulation and been involved had worked from the perspective of setting policy, not from the perspective of real-life implementation issues they'd talked about.

Dr. Zubeldia said the lack of resources had to be addressed. Ms. Kaminsky noted Mr. Scanlon said that, to some extent, that was the reality of the federal government and of HIPAA, the way it was legislated. She said it behooved the Subcommittee to be creative and facile in thinking through low-cost, high efficiency recommendations. This was hard to do, because they wanted to put forward ideal recommendations. But they contended with real world constraints. She didn't know what latitude was available in terms of resources. Mr. Rothstein noted the frustration of trying to develop recommendations aimed at getting this law working as intended and providing assistance for covered entities and consumers (challenges difficult enough with a blank check) when they had to ask themselves what six people could do in six months. Ms. Kaminsky said that question was important to think about if their recommendations were going to be slotted into a structure where they could be followed.

Dr. Zubeldia said the report nine years ago gave an estimate of $42 billion in savings with $26 billion in expenditures, for a $16 billion net. Now people were saying they didn't have resources to spend $26 billion. They wanted to reap the net savings without paying out the cost and it didn't work that way. People couldn't get the same savings by spending a minimum amount to do HIPAA. Ms. Kaminsky asked if he was talking about covered entities and not necessarily OCR or the Department. Dr. Zubeldia said he was talking about everybody. Unfortunately, the Department had to cover the cost and OCR didn't save anything with HIPAA, because it didn't do the transactions. They had 100 percent of the costs and none of the savings. Ms. Greenberg pointed out that the overall budget, presumably Medicare, would have savings. Dr. Zubeldia clarified that Medicare was in the same situation. Today they received 98 percent of the claims electronically. They'd have to spend all the money and would receive little back in savings.

As they couldn't resolve the money issue, Ms. Kaminsky suggested they pick priorities from the whole. Mr. Rothstein proposed starting with education, outreach, and technical assistance. Each of the seven participants could pick one and they'd adjust them afterwards.

Ms. Kaminsky suggested national conference calls on a monthly basis. Making the best privacy expert in the country available to the entire country for an hour a month would meet a different need than the hot lines and provide enormous gains at low cost. CMS already did this for other topics and she thought OCR would be receptive.

Ms. Greenberg suggested model forms that at least included the minimum necessary. Mr. Rothstein clarified that the need for OCR to prepare a one-page handout referred to a separate fact sheet that doctors could give patients. Ms. Greenberg suggested that it could also be posted and given to the press. Dr. Zubeldia was in favor of OCR publishing a list of no- and low-cost compliance measures.

Dr. Danaher supported coalition building with state societies and professional associations, which have often succeeded in advancing implementation for their members. Participants discussed ways OCR could support and participate in statewide coalition building on a monthly basis through workshops, conference calls and other vehicles. Dr. Zubeldia noted WEDI-SNIP had been building coalitions; others existed before WEDI-SNIP. NEHIN in Boston and UHIN had been going on for years.

Dr. Harding said he supported the need for technical support to focus on "fragile providers" (e.g., rural and Medicaid doctors, ANPs). He noted that he'd been impressed with the direct fragile providers.

Ms. Kaminsky asked if these were the people most concerned about privacy violations. Dr. Harding reported that, by their culture, they were. Ms. Kaminsky noted they'd heard that this wouldn't change. Dr. Harding agreed. Ms. Greenberg added that they also had the least infrastructure, so they were at greatest risk to go under. Mr. Rothstein remarked that the representative from Advance Nurse Practitioners made a compelling case for technical assistance because of working in rural areas. Dr. Zubeldia reflected that rural areas had a different cultural standard of privacy.

Ms. Kaminsky said it came back to being struck by the medical banking issues they'd heard. When a bank had access to PHI and misused it, the repercussions were possibly more significant. She appreciated the funding issue and the cost issue of training and supporting the rural providers. Ms. Kaminsky said she was also trying to think through getting the most from the limited funds.

Dr. Zubeldia said concern with the fragile providers was due to a different cultural standard of privacy. They were suddenly being forced to change their cultural standard, and that was possibly more than they could handle. Ms. Kaminsky asked if they had a position on that. Noting this issue had to be worked through, Ms. Greenberg expressed concern that, even respecting their different cultural standards, they didn't have resources to adequately comply and their ability to provide services could be jeopardized.

Ms. Greenberg said they also had the least infrastructure, so they were at greatest risk to go under almost. Mr. Rothstein reminded the Subcommittee of the woman from the Advance Nurse Practitioners who made a very compelling case for technical assistance for them because they worked in rural areas.

Ms. Horlick said she liked the idea of the toll-free help line but was reluctant to waste a recommendation on something that might not be feasible. Dr. Zubeldia suggested that it might be more feasible to answer questions within 30 days. Ms. Greenberg asked if they could take questions on the hot line. Mr. Rothstein said that wasn't possible; they had a backlog of 50,000 questions. Ms. Greenberg asked if CMS had a hot line and Dr. Zubeldia said they did. People could submit questions, but it wasn't a hot line for answers. Instead, the most frequently asked questions were answered on the Web site. Noting he was concerned about defensive practices, Mr. Rothstein said he also liked numbers four and 21. Dr. Zubeldia remarked that wouldn't cost anything. Education would happen whether one addressed one or another.

Ms. Horlick asked if that would be different than number 24, on no-cost and low-cost compliance. Mr. Rothstein said 21 went to the issue of ensuring that hospitals knew HIPAA didn't prohibit them from sending vital records, whereas 21 was a list of what they could do. Dr. Zubeldia reiterated that these were things one could do that would involve minimal or no cost. Mr. Rothstein reviewed their six picks; that technical support needed to focus on fragile providers; OCR should establish covered entity industry teams; have regular conference calls; education needed to address defensive practices; OCR publish a list of no-cost and low-cost compliance measures; and OCR should support and participate in state wide coalition building.

Members discussed whether number 15 related to public education should be in the top ten and if it belonged with number one or 16. They summarized that they'd leave the rest and highlight what they felt most strongly about. Mr. Rothstein said they might have a paragraph saying they'd love to be able to do others, but didn't think resources were available (e.g., the help line and 30-day response to FAQs).

Ms. Kaminsky commented that it showed a sensitivity to the constraints, which she thought would be welcome. Ms. Greenberg felt it was a reasonable recommendation. If someone made a recommendation and couldn't support it, it needed to be qualified in that way. Mr. Rothstein re-opened the issue about whether they needed to combine this with something else or if it should stand alone. He noted Ms. Greenberg already had an early ballot in for model forms.

Ms. Greenberg suggested they say "develop," not just "review" and list the minimum things that had to be in a model form, rather than reviewing ten million of them. Noting that developing model forms and issuing guidance seemed like variations on a theme, Ms. Kaminsky proposed collapsing the whole section with the guidance section. Ms. Greenberg felt it did go with guidance and that issues of enforcement were separate. Ms. Kaminsky agreed and added that some issues needed to be pulled into technical assistance. Ms. Greenberg said that was why she voted for it. Mr. Rothstein asked if they should go into technical assistance, which went with model forms. Ms. Horlick thought they were saying they should either develop model forms or specifically list what would go in the forms. Personally, she thought they should develop model forms.

Dr. Zubeldia pointed out that was resource intensive. Mr. Rothstein contended that to be most effective a model ought to be industry specific, because a generic model form wouldn't be valuable. Ms. Kaminsky didn't think OCR would make a generic form; they'd resisted that as being low utility. Ms. Horlick reasserted that it needed to be a form, not a list of what should be in the form, because the rule already had what should be in it.

Mr. Rothstein wasn't clear if they wanted to collapse guidance, regulation and enforcement into one unit called education, outreach, technical assistance, guidance and enforcement. Ms. Greenberg recommended pulling some things out of regulation and enforcement and putting them in with guidance (e.g., model forms). Dr. Zubeldia said they'd end up with more than seven guidance recommendations, but that was okay.

Mr. Rothstein asked which ones, other than number one, they wanted to move to guidance. Ms. Kaminsky suggested number four. Both she and Mr. Rothstein asked about number three. Ms. Greenberg said it was similar to model forms. Dr. Zubeldia cautioned that if there were minimum standards for training as regulation, it could reduce the flexibility of implementation.

Mr. Rothstein suggested they could just put more guidance on training. Ms. Kaminsky said she didn't understand the minimum standards for training. She realized that it was discussed a bit in Baltimore and came up as a recommendation. She asked if somebody could make a concrete statement on what would be a standard for training.

Dr. Danaher thought organizations, hospitals and health plans, greater than 100 in size were trying to demystify and introduce basic HIPAA understanding and lingo. Everybody needed to know that HIPAA required a privacy officer and who that was and their responsibilities. Everybody should know simple HIPAA concepts, such as verifying the requester, minimum necessary disclosure, and what PHI meant. Noting small and medium-sized physician offices didn't realize HIPAA required them to have a set of policies and procedures, Dr. Danaher called for that education component as well as assisting them in developing policies and procedures. He noted they were all working through who had to be trained on what, based upon the policies and procedures. He asked how they'd make sure that a fundraiser, such as the one they'd heard about at Johns Hopkins, knew what they could and couldn't do. How would they let everyone in an organization know that Care Group now had a non-retaliation policy, so if they witnessed a PHI violation and reported it, they wouldn't lose their job?

What he'd heard and suggested was that guidance came from OCR that didn't endorse any product, but basically said certain things would be worthwhile for employees in a covered or hybrid entity to understand, so they could appropriately handle patients' protected health information. People didn't even know what "PHI" meant. Education was needed.

Dr. Zubeldia offered another perspective. For four-or-five years, there'd been ten thousand different courses on HIPAA 101, which gave high-level concepts of HIPAA. If a hospital said they'd train everybody in the hospital on HIPAA and gave them HIPAA 101, he contended they weren't doing what they needed to do. Being involved in the hospital, Dr. Zubeldia said they needed to get trained on specifics, not generalities. There had to be minimum HIPAA curriculum. Dr. Danaher agreed. Mr. Rothstein said HIPAA 101, as described, was probably underinclusive for many. Maintenance people didn't need the whole course, but did need some instructions about it and, as Dr. Zubeldia suggested, the things they needed to do. Mr. Rothstein concurred. Dr. Zubeldia summarized, noting there had to be guidance on what HIPAA training entailed. Was HIPAA 101 enough for everybody or should there be some things specific to the job or the environment?

Picking up on Dr. Zubeldia's point about the regulation including specific, complex things about marketing and research and 101-level training being insufficient, Dr. Danaher emphasized that people couldn't take a 101 course and expect to know that. Responding to Mr. Rothstein's perspective, he agreed that janitors and food service people didn't need to know much about it, but he added one might be surprised at how much they did need to know, not because it was part of their specific job, but because food service people went into Mariah Carey's room at Mass General. Mr. Rothstein agreed, noting they didn't need to know about billing. Dr. Danaher concurred. Dr. Zubeldia restated the need for minimum requirements for training that were specific to the industry and one's job, as well as an overview of HIPAA.

Ms. Kaminsky said numbers one, three and maybe eight should be moved to guidance. Mr. Rothstein said if preemption was moved, five had to be moved as well. Ms. Kaminsky wasn't sure because the federal preemption analysis was so much more within HHS's purview as something it might accomplish, whereas the state component was so big it was just a concept.

Mr. Rothstein said he understood, but they could recommend that OCR take steps to facilitate preemption analysis at the state level and eliminate duplication by coordinating the efforts of local people. They'd heard that people in the states were doing this and could take the lead, so it wouldn't have to be from Washington. Ms. Kaminsky said she thought it would be considered guidance if OCR were doing the categorizing. She said it should be more of an overview activity. Dr. Zubeldia asked how it would be if they said OCR or HHS should leverage existing resources in the preemption analysis and come up with a database of state preemption studies. Mr. Rothstein said it would be valuable, even if OCR didn't do anything themselves. If they had preemptions on a Web site with a drop down menu, clicking Oklahoma could give links to whoever did Oklahoma. Dr. Zubeldia suggested clicking North Carolina would take one to NCHICA. Ms. Horlick noted much of this was already on the HIPAA Gives Web site and it would be more like a clearinghouse.

Ms. Kaminsky noted that if they agreed that numbers one, three and eight belonged in guidance, that left them with numbers two, four, five, six, seven, nine and ten to choose from. Mr. Rothstein pointed out that all he'd done was scoop up the recommendations of others; he said they might first want to decide whether they wanted to recommend any of them. They might not want to extend the 30-day cure period, for example.

Ms. Greenberg asked to clarify whether they said numbers one and three went with guidance, and wanted the preemption component in with guidance. Ms. Kaminsky thought number eight, which involved GLB, was different than number five. Ms. Horlick said it was guidance. Ms. Greenberg agreed it provided guidance, but suggested a separate category for the whole preemption area, because it was so complicated. Ms. Kaminsky observed that state preemption issues were slightly different than federal. Ms. Greenberg said she'd thought Ms. Kaminsky was going to say that trying to coordinate or provide information on the state preemption studies was more of a guidance issue and she was about to agree. She wondered if it was semantics, noting both needed to be in there and categorized. Dr. Zubeldia said OCR should do the federal preemption, but Ms. Kaminsky questioned that preemption was the right choice, when considering coordinating two federal laws.

Mr. Rothstein interjected, putting it on the table and asking if anyone wanted to strike any recommendations. Referring to the issue of preemption, Ms. Greenberg recommended that all related things be in one place and that they make it clear that there were two different things: an analysis of federal laws (which might not be so much preemption as something else) and a separate category on the preemption issue. She wondered if the Subcommittee was recommending number five, a central preemption analysis.

Mr. Rothstein recommended that OCR coordinate existing resources and facilitate access. Ms. Greenberg noted that was different than a central preemption. She said they could acknowledge that a central preemption analysis was needed, though it might not be feasible and expertise in the state laws might not exist centrally. Therefore they could recommend the coordination approach with links and encouraging strong coalition building at the state and regional level. She noted the latter might encourage the collaborative preemption analysis at the state level that Ms. Love proposed. Dr. Zubeldia said OCR should participate in that, at least by reviewing it.

Mr. Rothstein pointed out that three recommendations (numbers seven, nine and ten) called for major changes in the rule. Dr. Zubeldia said he was uncomfortable with ten. Mr. Rothstein suggested they discuss them, again reminding everyone he was just collecting what they'd heard.

Ms. Kaminsky said number seven might even need a regulation change. Noting that policy was looked at in the last modification and public policy disclosures had to be accounted for, she said this was a slightly different kind of recommendation. Mr. Rothstein said that was why he thought it would require making a rule. The question that remained was whether they were persuaded of the need to do that. Mr. Rothstein said they didn't want to, because they'd have to account for it. Ms. Greenberg concurred, adding that the recommendation that it should fall on public agencies wasn't realistic either. Mr. Rothstein agreed.

Dr. Zubeldia said the problem was that it wasn't only mandated disclosures. The immunization registry in Utah wasn't required. Ms. Horlick said that was different and concerned whether authorization to disclose public health information encompassed voluntary disclosure. Dr. Zubeldia said having to track disclosures to state agencies that weren't mandated, such as voluntary disclosures to a state agency for immunizations, could be a problem. He didn't know there was much they could do about that.

Mr. Rothstein asked if Dr. Zubeldia would be willing to accept number seven with language recommending that OCR revisit the issue because of testimony about consequences of the current rule. Ms. Kaminsky said she liked the idea but didn't want to dilute the recommendation by pulling in the privacy notice piece, because she felt that wasn't the issue. Mr. Rothstein commented that instead of accounting, the privacy notice was put in. Ms. Kaminsky said it was there now and had to be done that way at this point. Mr. Rothstein agreed to take it out.

If they omitted the accounting for mandatory disclosures, Ms. Horlick asked if they'd have to develop the same mechanism to account for other disclosures. Dr. Zubeldia said they'd have to develop a mechanism to account for disclosures, period. That had to be in place. The question was whether the accounting log would be made up of 80 to 90 percent state mandated disclosures or if it would only be exceptions. If all the state mandated disclosures were tracked, exceptions would drown in the morass and they might not be able to make significant sense of that law because there'd be so much noise in it from the state-mandated disclosures. Ms. Kaminsky asked if they had heard about some of that being communicated in a not completely identified format.

Mr. Rothstein wanted to clarify if the recommendation regarding number seven was that OCR reconsider deleting mandatory disclosures from the accounting requirements. Ms. Kaminsky asked if the point was mandatory disclosures or public health disclosures and Dr. Zubeldia said ideally, public health disclosures would be better. If they said mandatory, the states that did not require some of the disclosures would have a lot of pressure to require them. Mr. Rothstein was concerned that if they said public health disclosures, consumers might not be apprised when their PHI was released. Dr. Zubeldia said they'd be apprised by the notice of privacy practice, but Mr. Rothstein said not if it was public health, because they were permissive disclosures not specified in the notice. Dr. Zubeldia thought they would have to be specified. Mr. Rothstein said the regulations stated that disclosures could be made for public health purposes, but didn't indicate what that meant. If they did not get an accounting, how would one know exactly when personal material was sent for "public health purposes?"

Dr. Zubeldia suggested that maybe the guidance should be that the notices of privacy practice identify mandated disclosures as such and say that state law required disclosures for public health. Ms. Horlick said there'd be a long list and Ms. Greenberg noted other, more permissive states would still have to be accounted for. She gave the immunization registry as an example, stating that some state laws mandated reporting; others didn't, so it was permissive. Dr. Zubeldia countered that if a state mandated it, it had to be kept track of. Mr. Rothstein said he was willing to go as far as mandatory, but thought the rest raised problems.

Ms. Horlick said the word "mandate" was clear; people knew that meant to report communicable disease. But she questioned the word "authorized." Was it that the legally authorized public health agency was authorized to report? Dr. Zubeldia said he felt comfortable saying that, if it was a state mandate, the disclosure didn't have to be accounted for; but he emphasized that in the notice of privacy practice, the state mandated requirements for additional disclosures would have to be listed in order to balance it.

Ms. Horlick wasn't sure it was clear how much detail had to be in that. Mr. Rothstein said they could make it whatever they wanted and Ms. Horlick agreed. Dr. Zubeldia observed that if it was a communicable disease, and one state had a requirement to report and another state didn't, a patient might choose a particular state based on that and so it needed to be open.

Mr. Rothstein thought Dr. Zubeldia's suggestion provided more privacy protection to consumers than the current rule because one couldn't find out until after the fact that information was shared. He said this would satisfy consumer interest in knowing beforehand and provider interest in not being burdened with producing an accounting of mandatory disclosures. Ms. Horlick pointed out that it assumed people wouldn't be notified in other ways. Ms. Kaminsky said she was sorry, but obviously "notice" was back in the recommendation.

Dr. Zubeldia commented that one of the privacy concepts in Europe was that a database couldn't contain any of one's information unless that individual was aware of that database. With these disclosures, a person treated for cancer might never find out that it was disclosed to the cancer registry, unless they asked the provider for a list of disclosures. Dr. Zubeldia said forcing this to be in the notice of privacy practices meant a person would become aware that there was a cancer registry and that their data would go. An accounting of disclosures wouldn't be needed. Ms. Horlick felt they'd have to think about how long and detailed that notice would be. Mr. Rothstein said they didn't need to resolve that because they were recommending that OCR reconsider it.

Mr. Rothstein said number ten might be defensible, but he didn't know they had time to defend it. He proposed deleting it. Dr. Zubeldia concurred, noting there was a potential problem with two different agencies enforcing the rule in different ways.

Noting CMS already had a massive education campaign in place, Mr. Rothstein said the argument could be made that, given resources, CMS would be better at enforcement than OCR. Dr. Zubeldia suggested another solution would be for the two agencies to coordinate enforcement on privacy and security without having it under the same agency. Ms. Kaminsky called for a strong recommendation for tighter coordination with CMS, not just on enforcement but also on outreach, education, and technical assistance.

Ms. Greenberg stressed that if this was the only recommendation on security there needed to be a recommendation or at least a finding that it would be extremely helpful to get out that final rule on security. Dr. Zubeldia commented that they'd been saying that for four years. Ms. Greenberg acknowledged that and reiterated that it needed to be at least a finding. Ms. Kaminsky said it was almost irrelevant at that point. With the April compliance date for privacy, the security rule would have twenty-six months between when it was published and its compliance date and whatever training would be required.

Dr. Zubeldia suggested that they consider number nine, the cure period. Noting they'd added three points to the guidance and that it was a massive list, Mr. Rothstein asked if there were things they wanted to highlight.

Ms. Kaminsky brought up two pieces to Ms. Greenberg's recommendation about employers: group health plan issues and another touched upon earlier when Mr. Stapley spoke about all the health activities employers did for their employees that confused them about their covered entity status.

Noting firewalls would be his pick, Mr. Rothstein said the question was whether they should pull out some to save or just leave them all in. Ms. Kaminsky pointed out that she'd said to prioritize but that the list also needed to be organized by topic and fleshed out.

Mr. Rothstein asked if everyone agreed that it was within his or her mandate to recommend and conceivably even make amendments to the statute. Dr. Zubeldia wasn't sure about point eight. Ms. Greenberg replied that they could recommend that HHS seek amendments.

Ms. Horlick wondered about number three, if they did the preemption analysis. Mr. Rothstein agreed to take that off and said they'd ask the Congress, because it might require statutory tweaking. Ms. Horlick noted that they didn't know if the OCR would do the preemption analysis. Ms. Greenberg said that after the Department did the analysis it should determine whether it needed to seek Congressional release. Mr. Rothstein was inclined to delete number three, but Dr. Zubeldia questioned that, saying the Congress should resolve inconsistencies. He suggested that the Committee go back to the OCR and indicate that where necessary, they seek amendment through the Congress.

Ms. Kaminsky recommended that they separate out where they were asking HHS to go to the Congress and what HHS could take care of itself. For example, point number one obviously was for Congress, but point number two belonged in the regulation and enforcement list. Mr. Rothstein said that was probably true and they could move it, but the question was about the concept. In number two, though nobody said so, they probably felt more comfortable having the enforcement agency separate from the agency in the Department they would need to work with on training, education and outreach. Ms. Horlick pointed out that people giving the guidance would know and understand it best. Dr. Zubeldia asked if people would go to OCR with a draft of a form and ask for a statement to take to the bank that said OCR reviewed this and it was good and they wouldn't be penalized because they'd already done it.

Mr. Rothstein reflected that there were political considerations in why it might be a good idea. Everyone recognized the need for a tremendous increase in the amount of resources committed to outreach, education and guidance. But Mr. Rothstein said those resources weren't likely as long as OCR administered that program. Politically, more funding might be given to another agency within the Department that had a title that included the words information and outreach.

Noting there was a HIPAA office at the CMS level, Dr. Zubeldia wondered whether they should recommend the creation of an office at the HHS level. Ms. Kaminsky said CMS was part of HHS, so a HIPAA office at the HHS level would encompass both OCR and CMS. Dr. Zubeldia agreed that that was the point. Ms. Kaminsky said it deserved serious discussion. Dr. Zubeldia went on to delineate a HIPAA office above and beyond what was at CMS, because the HIPAA office at CMS was centered on transactions and security only. Dr. Zubeldia said perhaps there should be a HIPAA office for everything. Ms. Kaminsky suggested that it went to the coordination issue she raised earlier; whether it was dealt with by two separate agencies or offices within HHS or with a pivotal umbrella overseeing the HIPAA piece was a strategic question. She noted the testimony indicated that many, smaller providers and other covered entities had been very confused by messages coming from different parts of HHS.

Dr. Zubeldia said at one point that task was conducted within ASPE. Ms. Greenberg pointed out that one person, Dr. Braithwaite, had done it. Dr. Zubeldia noted that he was gone, leaving a big gap and said there should be a formalized HIPAA office that coordinated sides for privacy, security, transactions, identifiers. Noting this was an important issue, Mr. Rothstein said they probably wouldn't have time either that day or at the next meeting to give it the attention needed. He asserted that they'd respond once the security regulations came out, but Ms. Greenberg noted it would be a final rule and didn't require any response. Mr. Rothstein indicated he was trying to table it for now. Ms. Greenberg said they could at least say the Department should seriously consider, at a minimum, a HIPAA focal point office at the Office of the Secretary level to assure coordination among the components dealing with HIPAA. She suggested that HRSA, which had responsibility for rural health, "safety net" providers, and community health centers, was surely doing some things. She believed they had a HIPAA focal point, that again didn't seem to be coordinated enough with OCR or CMS, and that some focal area that overlooked all of it might be helpful. Ms. Kaminsky observed that in terms of categorization, this would go under regulation enforcement recommendations, not under what should be recommended to Congress. Ms. Greenberg agreed, adding that this might represent a problem or opportunity, because Dr. Braithwaite had been very involved with the privacy, too. He wasn't exclusively involved in transaction, but he was only one person. Dr. Zubeldia remarked that although Dr. Braithwaite was the focal point, John Fanning worked hand-in-hand with him. Ms. Greenberg said Mr. Fanning was still involved. Ms. Kaminsky remarked that Dr. Braithwaite's absence created some of the unfortunate lack of communication. Even the Admin-Simp Web site under his purview was really no longer updated. She stressed a need for better, tighter coordination and cautioned that without somebody taking it on, she didn't know how it would get done.

Mr. Rothstein asked whether the following statement would suffice. The Department should seek additional funding from Congress for HIPAA implementation and guidance. Ms. Greenberg said they couldn't wait for that. Ms. Kaminsky asked if she thought it should go into the regulation and enforcement category. Mr. Rothstein said all of the suggestions (e.g., tax credits for HIPAA compliance, compliance grants to the states, allocating $42.5 million dollars) had to be done by the Congress. Ms. Kaminsky stressed that HHS had the discretion to create an office. Dr. Harding thought that was good. He said he'd leave off the user fees. Mr. Rothstein said he was reiterating his suggestion from Baltimore that since industry people knew nothing definitive about how much money they were putting out for this, for the same money or maybe less due to eliminating duplication, the government could specify what would meet the requirements. Mr. Rothstein conceded that Dr. Harding was probably right; it would be a non-starter politically, although it did work on FDA drug approval, which was a more unified industry. Dr. Zubeldia remarked that there was a direct financial repercussion if a drug got approved or not. Mr. Rothstein agreed.

Mr. Rothstein asked if the Subcommittee was going to support a tax credit. Ms. Greenberg said it should be considered.

Mr. Rothstein asked about compliance grants to the states and asserted that they were essential. He also asked about the $42.5 million in increased Medicaid compensation to recognize the HIPAA compliance costs of Medicaid providers. Dr. Harding said it was a nice thought, but indicated that it was unlikely that more money could be gotten out of Medicaid at that time. Mr. Rothstein thought getting money out of Congress for anything was a long shot, but he said it didn't hurt to put that in as one possibility.

Dr. Danaher said he was more sanguine about tax credits and he'd been surprised that traditional sources of funding and education (e.g., RWJ, Kaiser Family Foundation, Pugh) had been silent. He wondered if there were outreach steps or overtures that could help them realize the importance of this effort and see whether they would help. He acknowledged RWJ efforts in giving seed grants for people to come up with innovative ways of addressing things.

Dr. Zubeldia said HRSA had some money for hospitals. He reported that RWJ did the private public key encryption work with the five state project, but thought this was just too big and overwhelming for them. Dr. Danaher suggested that if the Committee, OCR, or somebody else could have a number of meetings with the California Wellness Foundation, or Kaiser they could be told of the crying need in the provider community and it might strike a chord and lead to some funding. Mr. Rothstein said they could get them on the agenda for their January or February meeting.

Mr. Rothstein said the last two items on the list were extending the privacy rule one year and amending HIPAA to preempt state law. Ms. Kaminsky noted they'd already crossed out the one-year extension and she felt they'd dealt with the preemption issue. It was a Congressional matter.

Dr. Zubeldia asked if they should recommend that the Congress pass a law that amended HIPAA. Mr. Rothstein said he couldn't support that yet. There were many ramifications and he'd have to think about it. He said it was telling a state, like California, that they were basically repealing state law in all those areas. Dr. Danaher said he wouldn't be able to support it. Dr. Zubeldia stated that it wouldn't work. Mr. Rothstein said they would take that out.

Ms. Horlick said she would schedule a conference call. The plan was to have a draft letter out on November 12, a conference call if possible on November 14, and a revised draft to the full Committee by e-mail on November 15. Dr. Harding would present it on November 19 at the first day of the full Committee meeting. Mr. Rothstein said he'd be back on November 20 for the vote. Dr. Zubeldia said he couldn't make that meeting. Mr. Rothstein thanked everyone for their help, whereupon, at 12:47 p.m., the meeting was adjourned.

I hereby certify that, to the best of my knowledge, the foregoing summary of minutes is accurate and complete.

/s/ 4/12/2003

_________________________________________________
Chair Date