[This Transcript is Unedited]

NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS

SUBCOMMITTEE ON PRIVACY AND CONFIDENTIALITY

November 6, 2002

Salt Lake City Marriott
City Center
220 South State Street
Salt Lake City, Utah

Proceedings By:
CASET Associates, Ltd.
10201 Lee Highway, Suite 160
Fairfax, Virginia 22030
(703)352-0091

P R O C E E D I N G S (9:07 a.m.)

DR. ROTHSTEIN: Good morning. My name is Mark Rothstein. I am the Chair of the Subcommittee on Privacy and Confidentiality of the National Committee on Vital and Health Statistics. I want to welcome all of you to the Privacy and Confidentiality Subcommittee's hearings on the HIPAA privacy rule.

For those of you who are not familiar with the National Committee on Vital and Health Statistics, it is a federal advisory committee consisting of private citizens who meet and make recommendations to the Department of Health and Human Services as well as to Congress. In particular, we make recommendations dealing with the Health Insurance Portability and Accountability Act.

So on behalf of the members of the subcommittee who are here this morning and the staff, I want to welcome you to the first of two days of subcommittee hearings here in Salt Lake City.

As is customary, we are being broadcast live on the Internet, so I want to welcome all of the listeners who are listening to us on the Internet. We hope you find the hearings of value.

At the beginning of each hearing, we have introductions of the subcommittee, and also declarations of any conflicts of interest. So let me begin by saying again -- and I apologize, our name tags have not arrived yet. I am Mark Rothstein, and I am a professor at the University of Louisville School of Medicine, and I have no conflicts of interest on the matters we are hearing today.

DR. ZUBELDIA: My name is Kepa Zubeldia with Claredi Corporation. I am a member of the committee and subcommittee.

DR. HARDING: I am Richard Harding. I am a child psychiatrist, professor of psychiatry at the University of South Carolina, and a member of the committee and subcommittee. My only potential conflict of interest would be that I am an immediate past president of the American Psychiatric Association.

DR. GREENBERG: I am Marjorie Greenberg from the National Center for Health Statistics, CDC, and Executive Secretary to the committee.

MS. KAMINSKY: I am Stephanie Kaminsky from the Office for Civil Rights, and I am lead staff to the subcommittee.

DR. HORLICK: I am Gail Horlick, and I am from the Centers for Disease Control and Prevention, and I am staff to the subcommittee.

MS. SQUIRE: My name is Marietta Squire, and I am staff to the subcommittee.

MS. JUNIEN: Katie Junien from Intermountain Health Care.

MS. THOMASON: Mary Thomason from Intermountain Health Care.

MS. STAAB: Mary Staab from Intermountain Health Care.

MR. SCHADE: Fred Schade from Mediconnect.

MR. COHEN: Burt Cohen from California Office of HIPAA Implementation.

MS. VOLPE: Catherine Volpe from Indiana State University.

MS. DRAPER: Susie Draper, Intermountain Health Care.

DR. SPRINGMEYER: Doug Springmeyer, Utah Department of Health.

MR. VARGA: Wayne Varga from Web Book Security.

DR. ROTHSTEIN: And our witnesses, please?

MR. PULSIFER: My name is Curt Pulsifer. I am practice administrator for Canyon View Medical Group.

DR. BORGENICHT: I'm Lou Borgenicht. I am a pediatrician in general practice in Salt Lake City.

DR. KALM: I am Michael Kalm, a psychiatrist in Salt Lake City.

DR. ROTHSTEIN: Thank you to everyone who is attending this hearing.

We have scheduled today four panels of witnesses, as you can see on the agenda, representing a variety of interests and perspectives. In addition, from 4:45 to 5:15 today, we have public testimony scheduled. This is an open time slot, and we will permit any individual who is not an invited witness to testify for up to five minutes. These public testimony slots are on a first-come, first-serve basis.

Let me mention briefly the purpose of these hearings. We are dealing exclusively with HIPAA implementation issues, specifically the privacy rule implementation issues. We would like you to address issues on which recommendations to the Secretary of HHS are appropriate.

As you may have seen in the Federal Register notice announcing the hearings, we specifically identified certain areas that we are interested in, and we have listed eight questions. The witnesses are not required to answer all eight questions, although in the past, some have tried.

First, what are the available resources for HIPAA compliance, including those from professional organizations and trade associations?

Are compilations of best practices available, and how are successful implementation strategies disseminated?

Are there any models for public-private partnership development?

How should covered entities go about coalition building and development consensus procedures?

What outreach, education and technical support programs are needed from the Office of Civil Rights, including suggestions for OCR priority setting?

What areas are especially in need of guidance from OCR?

How should we address integration of HIPAA and other federal and state laws?

Finally, can you assess the accuracy and quality of the information and services vendors and consultants provide, especially as they pertain to small providers and health plans?

As some of you know, this is the third set of hearings that the subcommittee has held in the last two months. We met September 10-11 in Boston, and October 29-30 in Baltimore. We will meet today for a full day, and a half day tomorrow.

After our final hearing, which of course is tomorrow, the subcommittee will meet and attempt to develop recommendations based on our hearings throughout the country, and submit those to the full NCVHS for its consideration at our next regular meeting, which is scheduled for November 19-20.

If the full NCVHS approves recommendations or develops recommendations based on our suggestions, a letter will be transmitted to Secretary Tommy Thompson by Dr. John Lumpkin, who is chair of the full committee.

Here are basically the ground rules for the witnesses. We will give you ten to 15 minutes to give your prepared testimony. I will hold up a sign that alerts you that you have one minute left. After each witness, the subcommittee members will have an opportunity to ask questions of a clarifying nature only. Then after all the witnesses of the panel have completed their testimony, then the members of the subcommittee and all panel members will use the remaining time to engage in a discussion of the issues raised.

Witnesses may submit additional written testimony -- I know some of you already have submitted testimony -- by November 11, which is close of business on Monday. I apologize for the short time period, but as you have heard, we need to submit our recommendations to the full committee by the 18th. So if you are interested in submitting additional written testimony, please do so by November 11 to Marietta Squire.

I would ask anyone in the room with a cell phone to please turn off the ringer, and for our witnesses to please speak clearly into the microphone so that you can be heard on the Internet.

If there is nothing else right now, I would like to move to the first panel, which consists of the topic of covered providers. I would invite Dr. Michael Kalm to be our first witness.

DR. KALM: Good morning. To be slightly repetitive, I am Michael Kalm. I am Secretary of the Utah Psychiatric Association, and I am a private practitioner of psychiatry in Salt Lake City, Utah.

When I say private practitioner, I mean precisely that. I practice in an office entirely by myself. I have no receptionist, no secretary, no office manager. I contract with a billing service that does billing for me. I have an accountant that does my taxes. Otherwise, I perform my professional duties entirely by myself.

My first awareness of HIPAA came through a mailing from the American Psychiatric Association's Office of Health Care Systems and Financing in late July of this year. This mailing gave me an overview of HIPAA, threatened me with ten years in prison and $250,000 in fines for non-compliance -- that got my attention -- directed me to a web address which was mis-spelled, HIPPA with two P's instead of HIPAA with two A's, to file for an extension.

The mailing indicated that even with the extension, there had to be full compliance with something called the privacy rule by April 14, 2003, and something else called the transaction standards by October 16, 2003.

The mailing went on to detail between 66 and 90 main points that had to be considered in order to be in compliance. Regarding these main points, the essence was that I as a practitioner had to be able to demonstrate awareness of these points, policies and procedures to deal with them, training of staff in these policies and procedures, testing of staff in these policies and procedures, evaluations of the testing, monitoring the results and documentation of all of the above in a kind of standardized form that would indeed demonstrate compliance.

After I started breathing again, as an officer of the Utah Psychiatric Association I brought this matter to the attention of our executive board, where the general reaction was, huh? HIPAA? What's that?

DR. ROTHSTEIN: Excuse me, Dr. Kalm. When was this, when you brought it to the board?

DR. KALM: This was August of 2002, just this year.

DR. ROTHSTEIN: Thank you.

DR. KALM: Some of our members who worked for major institutions like the state of Utah or the University of Utah or Intermountain Health Care, or IHC as it is known locally, reacted with, oh yes, I have heard something about that, but the fill-in-the-blank institution is taking care of all of that, I think.

Other private practitioners like myself reacted with near panic. Does that mean us? What do we have to do? I took it upon myself to research this further, to see if there was some way to facilitate compliance for the private practitioners. I did an Internet search and came up with a 50-page template for a comprehensive health care information protection agreement between business associates, a one-page certificate of group health plan coverage, a 41-page certificate policy statement, a 42-page guide to medical records documentation, a one-page medical billing code of ethics, a one-page sample form for consent for purposes of treatment, payment and health care operations, a one-page sample consent to use a disclosure of health information for treatment payment or health care operations, a three-page sample, chief privacy officer job description, an 83-page framework and structured process for developing responsible privacy practices, a one-page sample consent for office procedure, and a one-page authorization to release information.

Thus, in short order, I had amassed 227 pages of documents that gave me a few sample documents, mostly arcane guidelines, and left me bewildered as to the question I started with, how do I insure that I am in compliance with the Orwellian termed administrative simplification provisions of HIPAA?

Simplification? I think not.

In the meantime, I have been receiving mailings from this or that organization offering to train me or my staff in HIPAA compliance for $300 and up. I have no idea as to the worth of these offerings.

Stephanie Kaminsky's October 24 e-mail to me regarding this hearing suggested several topics this committee would like to hear about. The first one on the list was, quote, what outreach, education and technical support programs are needed from OCR, including suggestions for OCR priority setting, unquote. Being something of a computer geek, I thought OCR stood for optical character recognition. Linking to some of the sites that Ms. Kaminsky recommended, I found out that OCR in this case referred to the Office for Civil Rights.

Starting from this example, I have some suggestions for helping the private practitioner. Number one, do not assume that we know what you know. Explain the acronyms and explain the rules in clear, plain English.

Number two. Help us with sample standard forms that the government will accept. We want to be in compliance. We just want to know how.

Number three. Put yourself in the shoes of the private practitioner. You cannot foresee everything. But imagine that you are alone in your office like I am. Show me how you would document that you are in compliance.

Number four, looking at some of the topics from Ms. Kaminsky's e-mail such as, quote, how are entities managing to do the state-fed pre-emption analysis fundamental to HIPAA integration and compliance, unquote, I ask myself, what are they talking about? What does that mean? Does that have something to do with me?

Number five, after you have had a chance to understand the ignorance I have demonstrated in this testimony, tell me what I need to know. There are a lot more like me.

Thank you.

DR. ROTHSTEIN: Thank you very much. That is a point of view that we need to hear, and that is one of the reasons we are not having this hearing in Washington. So we appreciate that.

Does anyone have any clarifying questions?

MS. KAMINSKY: I just want to apologize for the acronyms.

DR. ROTHSTEIN: Our next witness is Dr. Borgenicht, is that correct?

DR. BORGENICHT: Correct.

DR. ROTHSTEIN: Thank you.

DR. BORGENICHT: I have to offer a disclaimer, which is that Dr. Kalm and I never talked beforehand.

My remarks are much in the same vein, although I have noticed that I have spelled HIPAA incorrectly, which may tell you something right there.

MS. KAMINSKY: It doesn't matter, it's just an acronym.

DR. BORGENICHT: That's right, and hopefully not an anachronism.

Anyhow, thank you for the opportunity to participate in these hearings on the HIPAA privacy rules. I have been a general pediatrician for 30 years, and I have been doing private practice for the past 18, in a small office, 620 square feet, in Arida.

I first heard about HIPAA when I began receiving solicitations to purchase CDs, manuals and suggestions to participate in special symposia sponsored by various law firms and health-related organizations.

My first call was to the Utah Medical Association, which was helpful in providing some perspective on HIPAA and suggesting that the most constructive thing I could do, other than file these in a circular file, was to actually file for an extension until the rules and their applicability got clarified, particularly as they might apply to small offices.

Just a comment about the inundation of my office by those looking to profit from my ignorance about the implications of HIPAA. I passed this information on, as I said, to the UMA, but then wondered whether I should be contacting either a state or a federal agency, for example, perhaps the Federal Trade Commission, about what seemed to be possibly unscrupulous marketing practices. It is an issue that the committee might look into.

In any case, I am concerned about the implications of the privacy sector of HIPAA for my office. I have been told recently that quote, some of the rules will not apply to your office, so don't worry about it, but doubt that this is true. So confusion reigns.

I have read the testimony given by a pediatric group at hearings in Boston, and agree with most of their comments. But the size of my office is tiny in comparison with theirs, other issues are relevant.

Let me describe my office. Patients enter my office directly, walking into the waiting room and reception area, where my office manager, who literally does everything that I don't do, sits. She is a wonder. She is able to do simultaneous multi-tasking, a necessity in a small office. She greets patients, makes appointments, gives some advice, takes messages, deals with all insurance and billing matters, and keeps the general peace in the waiting room.

I have a room used simultaneously for weighing children, storing immunizations in our refrigerator, and for performing the little lab work we do. There is a bathroom and two separate exam rooms, and finally, my consultation room where I talk with patients after the examination and after any necessary procedures have been completed. All of this in only 636 square feet.

In this setting, some aspects of the privacy requirements are common sense. Charts can be placed backwards in the slots on the exam doors, so that patient identifying information is not visible by anyone walking to the bathroom. We are already cautious about patient conversations in a small space, since most of my discussions take place either in an exam room or a consultation room, and we are aware of the necessity to be similarly discreet with phone calls.

This said, one of my concerns about HIPAA is stylistic. The ambiance in my office has always been informal. We do not stand on formality or medical ceremony. I wonder whether the HIPAA regulations will change all this. Will the form of practice dictated by HIPAA change things essential both to the pleasures and to the efficacy of my practice?

While it is clearly important to protect patient privacy in the age of multifaceted transfer of privileged information, it is also essential to provide practitioners simple and clear information about what the reasonable means are to achieve this. What may be applicable to a large clinic may not at all be applicable to a small office. While there are fewer and fewer of us left, it is important to preserve us in a way that does not hinder our functional efficiency and our caretaking ambience.

Thank you.

DR. ROTHSTEIN: Thank you. Another very powerful message. Any questions? Kepa?

DR. ZUBELDIA: Dr. Borgenicht, when you said that you have the office manager that deals with all the insurance information, are you using electronic transactions?

DR. BORGENICHT: We are.

DR. ROTHSTEIN: Any other questions? Mr. Pulsifer, your comments.

MR. PULSIFER: I am pleased to be able to come and speak. I had short notice, but I have been looking at HIPAA for two years now, and so I have something to say about this issue.

I work in an office with 16 physicians, which in Utah is considered to be a medium-sized office. There are many single practitioners that still practice in my local area and all the way through the state. There are also some larger clinics than mine as well, but it is a medium-sized clinic.

I have three different sites that I work out of. It is considered suburban and rural. My area is just south of Salt Lake City, about 50 miles.

Let me just describe my staff for you. They have described who is running their office; here is who is running my office. I have 120 staff members. Many of those are part-time people. Of those people, I have six people that have graduated from college.

Most of these people are women. They are wonderful, intelligent, bright, helpful individuals I love to have in my office, but they are not college educated, and they are not used to reading the sort of regulations and understanding them that the HIPAA sort of things bring to the table. I have tried to explain to some of my most astute staff members, who just simply don't understand what they have to do to come into compliance.

That is a problem for me, because I am not the one that is going to divulge any of this protected health information, because my job doesn't interface much with patients. These people are the people on the front lines. They are going to have some serious difficulties not divulging inadvertently some of these informational items that are really important. So that is a problem for me.

I spent some time thinking of what sort of -- because one of your questions asked what sort of resources am I aware of that might help people in a general sense on getting up to date on HIPAA regulations.

This morning, I went to my office at 4 o'clock, thinking about it. I went to the OCR website which is, by the way, an excellent website. I was quite surprised. I thought it was going to be like some other government websites I have been in, where there are things all the way down on the left side of the column and there are things all the way across the top, and there is no way you can get to what you want. This is a very clean, efficient delightful website, and I have to applaud that website.

I printed off, after a little bit of looking, the standards for privacy of individual identifiable health information, unofficial version, which is right here. It is the law, and it is 31 pages. Then I printed off, which I found interesting, the final modifications to the privacy rule; it is 187 pages. That is right here.

I find the 31-page article very difficult to read. I have a Ph.D. It is not in the health field. I have a Ph.D. in education. Actually, it is not education, it is literature. I taught on a college campus for 15 years.

DR. ROTHSTEIN: This is not literature.

MR. PULSIFER: It does put you to sleep, though. But since that time, I transitioned into the health field. I read lots of texts that are as dense as this, because I read contracts for insurance companies, and they are every bit as difficult as this. So I am used to reading this sort of text. I am willing to read this.

What I was really surprised at is that the modifications are wonderfully written. I was very surprised. Plain English, good scenarios, excellent representation of what the law says, and a pretty good example of exceptions. I was surprised as I looked at that this morning; wow, that is pretty nice. So that is going to be very helpful.

People do not know about this. As I was calling around to my colleagues in the state -- and I belong to the medical management association and the local Utah medical management association, I was an officer for a couple of years, so I know a lot of the people. I asked them, what websites are you using? Not one of them mentioned this website. So somehow, we have got to get that information out to the people.

I listed it on my handout sheet of useful websites. I think it is very useful. It is up to date. They also have wonderful latest FAQs, questions that are answered. They are actually excellent questions. They are a lot of the questions that I had, and they are answered clearly. I was really surprised. Having dealt with government agencies for quite some time, usually you don't get any help from government agencies, and usually they say after you talk to them -- I talk to a lot of Medicare people on the telephone and on the websites, and their response is usually, you can't use what I have said to you in any sort of court of law. This one didn't say anything like that. It gave me lots of suggestions. So that was pretty helpful as well.

I looked at some of the other things that I found useful. You will notice on my handout that the MGMA website is very useful. A lot of people in my situation belong to the medical management group, management association. They have chat links that are very useful. The only downside to that is, you have to be a member of MGMA. That is a wonderful organization, but in these gentlemen's situation, they probably don't have their office managers participate in that sort of thing. So there are many people that don't have access to these chat groups, that are interactive, that let you address these issues.

I found as I went to -- I am computer savvy, like most people in our society these days, and I am not afraid to look on the Internet. You look up HIPAA, and you can find tons of information. I found this nice website at Hill physicians.com, that had a guide on how to get yourself ready for security and privacy issues. It had a checklist on a spreadsheet that walks you through many wonderful suggestions on how to get ready.

I just happened to find it. I don't know who these people are. I listed all the information on my sheet here. They are in San Ramon, California. I don't know what they are doing there or who they are, but they sure did a wonderful job. It was probably about 100 pages of text. Most of it was explanations and questions answered about current HIPAA things.

I have gone to seminars. We have had a lot of help here in Utah. UHAN, which is the way we do our electronic data interchange with most of our insurance companies, I think is a leader in the nation on those sorts of issues, making sure they are HIPAA compliant in that way. They have dragged us kicking and screaming into the 21st century on this issue.

But they also worked very closely with the Utah Medical Association, who has been very helpful. They went through a list of different seminar companies and picked out one by a couple of lawyers that are local, that have both worked in Washington and have put together a seminar, that I was not able to attend because it is so popular. They asked me to wait until December to attend the seminar, but I did get the handout from their seminar. It is about 70 pages long, very well written. It gives you a sample, it gives you a diskette at the end of the presentation that gives you sample forms that you can use. Very useful. They talk in plain English. I have talked to people that have gone to that seminar. I highly recommend it for people in the state of Utah; I don't know if they go outside of the state.

They have just offered it one time in Salt Lake City, but they are going down to Provo, they are going to different areas of the state to broadcast that message. That has been an excellent thing. There have been other seminars that have been just atrocious, that you pay $150 to $300 for. I go to those and I sent my staff to them, and I finally stopped going myself. I send my privacy officer to all these things and my security officers to them.

There is a newsletter that is very helpful. It is put out by Medical Office Manager. It is a monthly newsletter that comes out, and for the last year and a half, they have been addressing HIPAA on a regular basis. It is written for office managers, but it is written in very basic English, with real-life examples. They are willing to go out and speak with other office managers and ask for what sort of things they are doing.

I find that most of the things that they are doing are very Draconian. I am glad to see after August, when you changed some of the regulations, some of the things these people have done really changed entirely the way they conduct business in the office.

I'm glad to see many of the things I was most concerned about have been changed positively. I think the government is working to make this a meaningful thing. I agree with the concept of privacy, I want to protect this information. I, like these physicians, would also like to have a little more help from you folks.

One thing I noticed is that on your OCR site, you have a little click on the mailbox and submit a question. I thought it was a great thing. I clicked on the mailbox and here is what I got. It said, feel free to ask any question you want to, but in bold letters it said, individual responses will not be provided.

I would like to have the OCR put their money where their mouth is and have somebody on a telephone line I can talk to and run by scenarios, or ask questions and get definitive answers. I think that would be very helpful.

I applaud what they have done so far. The questions I would have asked, five or six of them, are on your latest FAQs that just came out; excellent. Excellent questions and wonderful responses. So it is a nice step into what ought to happen, but it would be very helpful if you could speak with somebody who could give you a definitive answer and you could run scenarios by them and ask them those sorts of questions.

Another thing I would like to do is the same thing OSHA will do for me right now. If I call OSHA and say, could you come by my office and see if I am OSHA compliant, they will come by and for free, run through my office, run through my procedures and give me a recommendation so I can come up to law on that sort of thing. They also promise that it is non-discoverable, which is a nice thing. So they can come in and give me a bunch of recommendations, but they don't come back two weeks later and find out if I have done them. I would like that same sort of possibility for these sorts of things. I could call somebody and say, could you come by my office and see if procedures that I think are reasonable are actually effective and acceptable. That would be a very useful thing for me to do. I don't know how feasible it is for the government to do, but it would be very helpful for me as well.

Let me say one thing about the notice of privacy practices that I have to give out. It is a compromise that I don't have to give a consent form anymore. Now I can pass out my notification to everybody. I have 32,000 active patients. If I printed out and give one of those to every one of those -- I did the numbers this morning when I couldn't sleep -- it would be a stack of paper 100 feet tall, that I would have to have on hand just for my active -- because it is eight pages long. You have to have it to everybody and get them to sign it. The paperwork is 100 feet tall. It is 20 stacks five feet tall of paperwork which I have to hand to people. I know what happens when I hand it to them; it goes right in the garbage can. They will not read that. I have read it, and I can barely understand it. But it is written by lawyers, and I am protected, and that is the point of that sort of thing.

The cost of that is staggering to me. Just the paper alone is $1800 for my little 16-doctor practice, $1800. To get it all printed up is going to cost me $8300, just to print it up. If I wanted to send it out in the mail, my cost would be $24,000 to send that out.

I can't afford that, I simply cannot afford to do that, when I know that when it gets in peoples' hands, it is going to be thrown away. So I am looking for some help in that area as well.

That is really all I have to say. I am happy with the way August 11 made some serious changes, which are very helpful to my clinic, meaningful changes. I am willing to comply, I will comply. I have resources to throw at this; these people don't. I have a privacy officer, I have a security officer. They are not me, they are somebody else that I can assign to that sort of thing, but not everybody has that luxury.

I have been looking at it for two years now, ever since it first hit my windshield. I have been looking at it on a regular basis, and I would say I have spent 50 to 100 hours of my personal time looking at it. These people don't have time for this, and most of my colleagues don't, either. We need some help. We would like for the OCR or somebody to step up, give us the forms that are going to be compliant, make reasonable requests, and we are glad to do whatever we can.

DR. ROTHSTEIN: Thank you. I just have a brief question. I know you have spent a lot of time working on this, but the physicians in the group, how up to speed are they? Are they similar to the solo practitioners that we heard, or are they more well versed?

MR. PULSIFER: They all have heard of HIPAA, because I have brought it up in board meetings with physicians, and I made sure they know of general outlines of what HIPAA is about, and how it is going to impact their office financially and in other ways as well. So they are more conversant perhaps than a small group physician would be, but they are not in charge of implementation, so they know no particulars about how we are going to do this sort of thing.

DR. ROTHSTEIN: So they have this general sense --

MR. PULSIFER: Vague, nagging fear, yes.

DR. ROTHSTEIN: Thank you. Any other --

DR. KALM: May I ask a question?

DR. ROTHSTEIN: Sure.

DR. KALM: Could you estimate how much time you have spent just going over the documents you have referenced today?

MR. PULSIFER: Sure. I'd say 50 to 100 hours. Not these documents. I can read these documents in maybe 15 to 20 hours, it would take me to read these documents and understand them, a single reading. I will read them more than that, for sure. But my staff cannot read most of these documents. They can read some of them. I have to then reformat the documents so they are understandable for the people that are going to be actually administering this sort of thing.

I have flip charts, by the way, that I bought for $500 for education as well. It is kind of a nice idea. It is not going to be a Power Point presentation. I wanted something very low tech, portable, where it explains a lot of these uses. I have listed that in my toolkit as well. There are many things out there, but you go through a lot until you find a good one.

DR. ROTHSTEIN: Thank you very much. Mr. Morse.

MR. MORSE: Thank you. My name is Gary Morse. I am vice president and general counsel of Physicians Insurance, a mutual company. We are a physician-owned and governed professional liability insurer based in Washington State.

Before I go on with my prepared comments, I just appreciate the way you all have been listening to these folks in the real world. The problems they have presented to you are identical to the fears and the confusion and the anger and the frustration that we as a service provider have experienced in Washington State. They present the real world. I will do my best to present the real world from my perspective.

Our company and our subsidiaries insure about 7,000 physicians, 2,000 dentists, 20 hospitals, mostly in Washington State, but with some business in Oregon, Idaho and Montana and Alaska.

We were formed by physician leaders in the medical association back in 1982, and shortly thereafter we joined the Physician Insurers Association of America, which is a trade association of health care provider owned professional liability insurance companies. Attached to my testimony is a copy of a November 5, 2002 letter from the Physicians Insurers Association to Susan McAndrew at the Office for Civil Rights, discussing one of the matters I will touch upon today in my third bullet point.

I will address the following issues. The expected impact of the HIPAA privacy rules on medical malpractice insurance premiums, what companies like ours can do to assist our insureds as they implement the HIPAA privacy rules, and a couple of instances where the privacy rules interfere with the efficient delivery of quality health care with some proposed solutions.

I have been asked to comment on the expected impact. I saw some of the eyes over there, and it looked like it was a surprise to you. But I was asked to comment on the expected impact of the HIPAA privacy rules on medical malpractice insurance premiums.

The short answer is, we expect no impact on premiums. Let me briefly elaborate. There is no private cause of action for violation of the HIPAA privacy rules, but there can and undoubtedly will be lawsuits under state law that will involve health care information privacy issues. However, historically such cases have been rare, and their cost has been negligible. Although we may see an increase in privacy related claims, simply because of the publicity that will occur as the April 13, 2003 enforcement date approaches, we foresee no impact on medical malpractice premiums.

It is true that many hundreds of hours of our staff time have been spent on understanding the HIPAA privacy rules -- comparing them to existing state law, and developing educational programs for our insureds. We will have to hire attorneys to help with some of the trickiest issues. However, these expenses in our case represent a negligible percentage of our operating expenses, and will have no conceivable impact on medical malpractice premiums.

Based on my comments, you might wonder why we are devoting so many resources to helping insureds implement the privacy rules. I have asked myself that question many times, especially when dealing with the tricky issue of whether a particular piece of state law was more stringent than the HIPAA privacy rules. But there is a clear answer to the question.

Most companies like ours that are owned by their physician policy holders devote considerable resources to risk management services. Our own risk management department estimates that even before HIPAA, nearly half of all inquiries from our insureds dealt with some aspect of using or disclosing patient medical and financial records. As long as we provide this service, it is imperative that we be conversant with the HIPAA privacy rules.

A second reason to devote our resources to this effort is the vital importance of the trust between physicians and their patients, both to the quality of care delivered and to the prevention of medical malpractice claims. If new privacy protections are implemented smoothly, there is an opportunity to promote that trust. If they are implemented poorly, that trust could be damaged.

Nearly two years ago, the PIAA formed a task force to assist member companies with their own HIPAA compliance issues as business associates of their insureds. I have had the opportunity to serve as one of three co-chairs of that task force, along with Libby Lincoln of MMIC in Minnesota, and Catherine Walberg of Camco in Kansas. The task force also includes many attorneys employed by companies across the nation. Together, we developed information from member companies so that each PIAA member company can be ready to be a business associate, and to provide services to their insureds to help implement the privacy rules.

So at Physicians Insurance, we have developed a HIPAA privacy manual for our insureds which we are issuing in three steps. The first step was mailed out several months ago to help our insureds perform the type of gap analysis needed to identify possible deficiencies in their current privacy practices, and to document they have taken reasonable steps in light of their capabilities to improve privacy protections. This material also includes a month by month calendar to ease the process of preparing to implement the rule.

Soon we will send our insureds a set of templates for forms and policies and procedures that take into account the privacy rules and the more stringent state law. We have worked particularly hard to develop templates for forms in plain language, as required by the regulations, and to keep the volume of material at a manageable level. By far, the most difficult portion of this effort has been identifying and incorporating state law that is more stringent than the HIPAA privacy rules. We have taken our best stab, and others in the state are continuing to look at the issue. We fully expect thinking to change on how to appropriately use state law, even after April 14, 2003.

The final step in our privacy manual will be templates and resources for staff training materials, which we hope to have available in January, 2003. Our manual is provided to our policy holders at no charge, and the Washington State version is available to the public on our website at www.phyins.com. But I'll just add here, of course it is the Washington State version taking into account Washington State laws that are more stringent than HIPAA.

In this process, we have not worked in isolation. We have worked closely with the Washington State Medical Association, the Washington State Hospital Association, several attorneys and various other organizations working together to develop HIPAA materials in the state.

We have met with large and small clinic managers to share ideas and identify logistical barriers to the implementation of the rule. We have obtained input on the forms from volunteers, whose only contact with health care is as patients.

Let me move to a couple of instances where the privacy rules are creating some problems.

We have nothing but praise for the sincere and quite successful effort by HHS to prevent these rules from interfering with the efficient delivery of high quality health care. As you might imagine, as we all learn more about the impact of the rules in the real world, we will identify some problems.

The letter from PIAA attached to my testimony speaks to the following issue, that deserves further consideration by the committee and HHS. The privacy rule requires the physician who is a direct service provider to give a patient the notice of privacy practices the first time the physician delivers services to that patient on or after April 14, 2003. The rule also requires the physician to make reasonable efforts to obtain an acknowledgement of receipt from the patient at that time.

However, it is completely unrealistic to apply this requirement to settings outside the physician's office. How can a physician realistically comply when the first service delivery is at the hospital bedside, the nursing home, or other facilities outside the physician's office?

Of course, the duty I have talked about does not apply in an emergency. But none of these examples are intended to be emergencies. It is clear that HHS contemplated that hospitals, nursing homes and others would develop organized health care arrangements -- another acronym, OHCA -- with their medical staffs, which would provide the patient with a single notice of privacy practices on behalf of all members of the OHCA.

However, in discussions with several hospital attorneys, I have been told they were advising their clients not to form OHCAs. The legal reason for this advice includes the difficulty of managing the privacy practices of all the members of the medical staff. In addition, there is an increased potential that such arrangements could expand hospitals' vicarious liability for the negligence of otherwise independent members of the medical staff.

We would ask that HHS acknowledge that the application of the notice of privacy practices requirement to settings outside the physician's office interferes with the delivery of health care, and needs to be the subject of a future amendment to the rules. Meanwhile, it would be especially helpful if HHS were to announce that it will not enforce the requirement outside the physician's office until such time as this portion of the rule has been amended.

My last comment is less specific, but is much more closely related to the comments you have already heard this morning. It is about the overall potential serious impediment to the delivery of health care as a result of the frustration and confusion felt about these rules.

Physicians have always been dedicated to the sanctity of the physician-patient privilege, and all health care providers are sensitive to the importance of protecting the privacy of an individual's health information. Yet, many are throwing up their hands in response to regulatory requirements across the entire spectrum of their practice, from patient billing to enormous amounts of paperwork, to OSHA requirements, to medical malpractice risk, and yes, to the HIPAA privacy rules.

Countless physicians have lamented to me, they just want to take care of their patients, but the insurers and the government won't let them do it.

Now, we are not going to solve that problem here. But HHS can do something about the fear of one more set of regulations. My thought is to draw further on the use of the word reasonable that appears hundreds of times in the rules. Perhaps HHS can issue a guidance document declaring that reasonable efforts to comply are what is expected, and that only clear abuse will be the subject of enforcement action. Perhaps the guidance document can describe how patient complaints wherever possible will be addressed in a non-adversarial manner in an effort to assist patients and providers in understanding and adjusting to these rules.

There are probably other ways that HHS could alleviate the growing fear, particularly with regard to guidance regarding the enforcement of the duty to comply with more stringent state laws. I believe that anything that can be done about this problem will better enable physicians to protect patient privacy.

There is a common ground here among patients, providers, insurers and regulators. Everyone involved is working to maintain and increase the trust and openness between patient and physician that is so necessary to the delivery of high quality health care services.

Thank you for asking me to testify today, and thank you so much for your hard work on these issues.

DR. ROTHSTEIN: Thank you, Mr. Morse, we appreciate your testimony. Any clarification questions for Mr. Morse?

DR. HARDING: Only one. Your first one about the insurance, that it would have no impact on premiums and so forth. I think this was brought up in a previous hearing, where a physician said that he had bought liability insurance for HIPAA compliance, and it cost him $1500. I guess that is not malpractice.

MR. MORSE: That is not malpractice. Those products are available. They even include products that will indemnify you for civil fines. Many companies are considering offering defense only for defense of administrative enforcement actions. That coverage is out there. It is not the core of what we do. But certainly, if somebody wants to buy that coverage, that is going to increase the operating expenses. They will pay a premium for it.

DR. HARDING: I guess the other part would be that if HIPAA becomes a standard of care, could that get you into the malpractice area?

MR. MORSE: Well, maybe there are some plaintiff attorneys who are more clever than I am. We don't see that.

Yes, there are standards of care with respect to the handling of patient health care information. When abused, there can be real injury to patients. Sadly, there are injuries in the medical malpractice arena that are, with all due respect to the privacy issue, far more severe, far more disabling, and far more expensive in our experience. In light of the extent of those cases, we do not see how the privacy related cases are going to have any impact at all.

DR. HARDING: Thank you. I have other things, but --

DR. ROTHSTEIN: Yes, well, the floor is now open for questions. But before we change topics, with your consent, Richard, I'd like to follow up on this issue.

Is it your testimony that I am understanding correctly, that if one of your physician policy holders called you up and said, I am concerned about this HIPAA stuff; would you recommend that I purchase some additional coverage for HIPAA and health privacy issues, am I correct in saying that you would say we don't think you need it?

MR. MORSE: No, we would not say we don't think you need it, and we wouldn't say we think you need it. We are not a broker.

DR. ROTHSTEIN: Right.

MR. MORSE: But what we would do is two things. I'll just speak for my own company now. We have placed into our policy at basically no cost a limited defense reimbursement coverage to protect physicians from the cost of being defended in an administrative enforcement action by the federal government. It is very limited. I think it is $25,000; it will be used up very quickly, but it is something.

We would advise the physicians that if they have enough of a concern, we would point them in the direction where they could go. There is a market for the type of more comprehensive insurance product, and we would urge them to explore that market.

DR. ROTHSTEIN: Thank you.

DR. ZUBELDIA: Is it your estimate that HIPAA may require to increase that $25,000 limit to a higher limit, and therefore a higher premium?

MR. MORSE: We will be driven by our policy holders' wishes in that regard, and we don't know yet. If we have an overwhelming demand or even a significant demand for higher limits, we will work to make those available.

DR. ROTHSTEIN: Dr. Harding.

DR. HARDING: I have a couple of questions maybe for most of those who are testifying here this morning. I want to first thank everybody for the testimony; it has been excellent. I have a couple of things I'd like to ask just to get a general feel.

You all are special. That is, you have some interest in this for whatever reason. Compare yourselves in your estimate to your peer group. Where are you compared to your peers in private small groups and in a group situation? Are the people that you know about where you are in this process?

DR. KALM: As a psychiatrist, my peer group includes all kinds of mental health providers, social workers and psychologists. I found that my peers in the social work community tend to think they are out of the loop, that they are not covered entities. They are scrupulously avoiding electronic transactions, and I caution them about where their faxes are going or coming from, and any kind of e-mailing, and they seem to be not clued in. The psychologists tend to be more clued in and the American Psychological Association is doing a lot of work to help their membership become compliant. As I was listening to the comments on the impact on the quality of care, there is one point that I think is common to all of us, and one that is unique to psychiatry. The one that is common to all of us is, we are already inundated with paperwork that is taking away from our time with patients.

This is going to be more. Just listening to the time involved of trying to understand any of this, as well as implement it, is enormous time taken away from patients.

The issue that is particular to psychiatry is in the area of psychotherapy notes. Some of my colleagues sit with a laptop computer on their laps as they talk with patients, and they are typing away. Some patients are comfortable with this. The ones who are not come to me. They find this impersonal, they find it cold, there is no bond, there is no connection, there is no relationship with their psychiatrist, who is basically doing 15-minute medication checks anyhow.

In my situation, I find in my 25 years of practice, I have a very difficult time being connected with a patient and writing at the same time. I call it the Gerald Ford in me. It is hard for me to take notes anyhow.

Under the privacy provisions, I will now have to have two charts essentially. I will have to have one chart for medication issues, and I'll have to have another chart for psychotherapy notes, and I am already contemplating what is that going to look like, having two rafts of paper on each of my knees, as I go from one knee to the other, writing a psychotherapy comment or a medication comment.

DR. HARDING: Do you feel that most of your peers have signed up for the transaction delay to ask for an extension for the transaction?

DR. KALM: The ones I have talked to have, but the general membership, I cannot tell you.

DR. ZUBELDIA: Do you file electronic claims?

DR. KALM: Pardon?

DR. ZUBELDIA: Do you file electronic claims, or does your service bureau --

DR. KALM: My billing service files electronic claims, yes.

DR. HARDING: Do others of you have feelings about your peer group as far as where they are in the process here?

DR. BORGENICHT: I don't have any hard data, but it would be easy to find from the Intermountain Pediatric Association. They have e-mail lists and could actually ascertain that fairly quickly.

My sense is, there are not a lot of solo practitioners in Salt Lake City, in pediatrics. My sense is that the larger groups, moderate sized, moderate specialty, uni-specialty groups may be aware of it, but they have punted the issue to people like Mr. Pulsifer, who are basically in charge of interpreting these things for physicians. But it might be interesting to assess fairly easily how many people -- I suspect that most people, pediatricians and pediatric offices, filed extensions.

As far as what the physicians know and how anxious they are, I can tell you anecdotally, asking people in a nursery a few weeks ago what they know about HIPAA, and they said, what? So I think the individual physician is buffered from the HIPAA reality.

MR. PULSIFER: I think people in my situation are all aware of HIPAA. All my colleagues all know about it, that have moderate-sized clinics, and even four or five doctors. If their office manager, that has time to get away from the front desk, they know about this issue.

I find that small offices, one, two doctors, they don't have any idea. They are like deer in the headlights when you mention HIPAA. They are terrified.

DR. ROTHSTEIN: I want to follow up that question. If you asked your colleagues or your physician partners about HIPAA, they would have this sort of general level of understanding, perhaps as well as apprehension and so on. Yet, I would imagine that if you asked them, do you support reasonable efforts to increase the privacy protections for patients, especially in the electronic age, they would all say, of course.

So the problem it seems to me is translating these two ideas. It is not a concept that is inherently objectionable or alien; it is what physicians have done for 2,000 years. The question is, how can we both establish reasonable standards for compliance, and facilitate that compliance and support, through guidance, technical assistance and so on.

Not to put words in your mouth; that is my take on this. I would be interested in your comments.

MR. PULSIFER: One of my concerns is, it sounds like such a friendly approach, but the penalties involved are very serious, $250,000 for willful disregard of private health care information. I understand that, but still, that is the big stick that gets people real nervous about things.

So it is not like we can approach this in any sort of sane, rational way. We have this huge thing looking us in the face, and I'm sorry to say, it doesn't happen.

I have an office down the street from me a little ways. They spent $500,000 defending themselves against a different sort of issue, came up absolutely no decision against them, it cost them a half a million dollars to defend themselves. I can see some of this happening on HIPAA as well. I don't want to spend $800,000 to defend myself against an inadvertent mistake that I may have made. That is a problem for me.

So this, wouldn't you agree rationally -- yes, I do agree rationally. I think it is wonderful that we can come to some sort of understanding and protect this information. I want my information protected, that is a great idea. But the big club that you are coming at us with is very intimidating, and makes me angry.

DR. BORGENICHT: I agree completely with what you said. I think that is the humane philosophy behind all this rigmarole. But there are the issues of what the cost of compliance is going to be.

I heard a story the other day from an orthopedist who came in and spoke to somebody about the fact that he is doing $30,000 of remodelling so that he could be quote HIPAA compliant, unquote. Somebody who is a very sensible person said, you don't have to do that. So he called up his contractor right then and there and said, cancel this. But that is the kind of stuff that is going on out of fear and anxiety and ignorance.

I have one other comment I want to make. It is a little digression, but I just want to be able to put it in. When we were talking about the cost of instituting a privacy agreement, both in terms of actual cost, but the cost in terms of time and getting every patient in your practice to sign one.

Last weekend, I was in a meeting in which the Utah Medical Insurance Association with which I am insured talked about a program they developed over the last two years about arbitration, which makes eminent sense, being effective in offices where people have used it, arbitration instead of a malpractice claim situation.

Now, these are basically agreements that you would have your patients sign, saying I agree, should there be some conflict or problem in the future, to rely on an arbitration agreement that both of us will sign.

I won't go into the procedures. This is something to me that is almost more important than anything else, in terms of agreements between physicians and patients. This is something that obviously, for me to do in my office, would take a lot of time and would be a higher priority in some sense than doing an eight-page privacy agreement for HIPAA.

MR. MORSE: May I interject just an observation? I think you are hearing a tremendous fear of enforcement over something that nobody feels they have the time to adequately come to grips with. It ties into some of my comments. If there is some way consistent with the statute and the rules that the federal government can reassure providers that when it comes to enforcement -- and I have heard talk of this, the federal government is your friend, we are here to be collaborative.

When we have a patient complaint, which as I understand it, OCR has no choice but to investigate in some fashion -- and I don't know how you define the limits of this, but generally speaking, the result is going to be advice on how to improve things in the practice, and that is it.

Now, at some point there is a gross abuse. At some point, patient names are being sold to pharmaceutical manufacturers. We are not talking about that. I haven't thought through personally how easy or difficult it would be to define this, but there is a real fear of enforcement here among individuals who are by their very training dedicated to protecting patient privacy.

So just an observation.

DR. ROTHSTEIN: Several of the witnesses at prior hearings have urged us to recommend to the Department that the Office for Civil Rights publish some enforcement guidance, in other words, the standards that they plan to use when investigating complaints and so on.

It seems to me that if such a document were released, if it said we reserve the most severe kinds of penalties and even criminal sanctions for this kind of conduct, in other words, selling patient medical records without consent, et cetera, do you think that would go toward alleviating some of the concerns that you here expressed?

MR. MORSE: I certainly think so, but I would defer to the other gentlemen in the room on that question.

DR. KALM: I'm not really opposed to the concerns, because I agree with the need for privacy. I am concerned that not all of us are trained as well as we should be in the area of privacy.

One of my patients told me a horror story of going to another physician for certain kinds of tests which I won't name, and assured that this was going to be private, and the next day she heard from the friend of the wife of the doctor's partner, why are you having these tests done. It has nothing to do with electronic transactions, it has to do with an awareness of a real need to keep certain things private.

That is oftentimes not in our awareness. It wasn't done maliciously, but these things happen.

DR. HARDING: Again, a question for any of you. I have heard several things through each of your testimonies, several issues. One was the issue of vendor certification for accreditation or accuracy, that when you get these flyers and so forth, and they want you to take a $500 course, you are going on faith that they know what they are doing and what they say will be HIPAA compliant. Is there something that HHS can do that would be helpful for that?

The other is accurate definitions, that you are having some difficulty with words like scalability, reasonableness, and having difficulty with official answers. You are saying, call or type in a question, and they say they can't do that individually, but they do have general answers for many categories, that I agree are very helpful; that is a great advance. But it is hard to get someone to say, this is the official policy. Is that what you are asking for?

MR. PULSIFER: That would be helpful if they would do that sort of thing for us. I don't know how you would do it. You're going to be flooded on your website with requests, because we just don't understand that.

As far as definitions of terms, yes, absolutely. Reasonableness, scalability, those sorts of things.

DR. ZUBELDIA: Let me piggyback on that. The concept of scalability is fundamental in HIPAA regulations. So a small practice doesn't have to have the same educational structure and materials that a group practice would have, and doesn't have to have the same policies and procedures that a large university would have.

But in terms of scalability, there are perhaps two extremes. One, you write your own reasonable -- according to your interpretation of reasonable -- policies and procedures for your own practice. Essentially you write your own rules.

The other thing that we have heard sometimes in these hearings is that the government should give you the sample policies and procedure as to what is reasonable. If the government gives you what is reasonable, there won't be this flexibility that you can build into your own rules.

We also see state associations define some common -- I wouldn't call them best practices, but common practices in the state that should be associated.

What is your reaction to those three options? You write your own, the government tells you what to do, or there is a state agreement on what to do?

MR. PULSIFER: I like what the CPT code book has done. They will explain -- that is how all doctors bill for every service to Medicare. It will give a definition of what you bill for a typical office call, and then they will give a section in the back that gives examples. A problem presents with this question, and this is what you do, this is 99213. It would be nice to have at least something like that.

I don't want the government telling me what is reasonable. I don't like that. I like to say, hey, I am asking about my front desk configuration in privacy. My front desk is different than everybody else in the state. They can't possibly know what my front desk is going to be like. But if they would say, in a large group setting, you have this sort of thing happening, they can describe a typical setting, and the ways to accommodate HIPAA regulations in some sort of exemplification manner, that would be useful for me. That really would be useful.

DR. KALM: I would like the government to give me a sample form that I could either accept if it looked reasonable to me, or that I could pencil in modifications for, then send it back to somebody, these are my modifications and why I am suggesting them, and then have someone tell me that is okay. But to start from ground zero for me, without having any idea of how to approach it, that seems to be overwhelming.

MR. PULSIFER: For the forms, you're talking about? The forms we have to get filled out?

DR. KALM: Yes.

MR. PULSIFER: I'm talking about specific things that happen in the office that might violate the privacy of patients, that aren't in a form.

DR. ZUBELDIA: Policies and procedures, that is probably not a form, and it is probably not the same for a group practice like a private practice, where you are by yourself. So would you like the government to have sample policies and procedures?

DR. KALM: Yes, subject to modification if they are not realistic.

MR. PULSIFER: And I'm not interested in that. I like the reasonableness clause. It gives me some leverage to take a look at what I think is doable in my clinic, so I don't have to spend $30,000 to remodel.

DR. ZUBELDIA: You looked at the preamble of the final rule in your research. You found these standards for privacy, and then you found the modification to the rule in August.

MR. PULSIFER: Yes.

DR. ZUBELDIA: The preamble to the modification of the rule in August has the thinking behind the changes, and explaining why certain things were changed. There is a substantial amount of information on sample cases like you are referring to. Is that what you are talking about?

MR. PULSIFER: Yes, I think so. Like I say, I got hold of this particular document, 187 pages, this morning, and I printed it out. So I am definitely going to read this.

I liked what I saw so far. I glanced through maybe ten, 15 pages all the way through it, and saw they did have examples. That was helpful for me. The FAQs have examples. Those are useful.

DR. ZUBELDIA: So the initial rule was published, then there was a proposed rule published, then there was a final rule. In that final rule, the preamble is 800 and something pages.

MR. PULSIFER: I didn't print that off.

DR. ZUBELDIA: It is full of examples, and sample scenarios and sample cases, and what to do in each case, and why the rule was written in a certain way in response to those comments. It is full of that. Are you looking for something beyond that? If you think the rule puts you to sleep, try reading that preamble. And it is very exciting.

MR. PULSIFER: People are not going to read 800 pages, that is correct. But if it were organized in some sort of reasonable fashion, so I could print it out and have an index I could track, what about this area that I could look at some examples in.

I understand what HIPAA is about for most of my office. I have maybe ten or 15 questions I'm not sure about. If I can find that in a meaningful fashion on a database or a reasonably indexed thing, or search a website to come up with examples, that would be great, that would be very nice. I'm not going to read 800 pages, I know I won't do it, and nobody else is going to read 800 pages to do that, so maybe that is overkill. But an indexed version of it, great.

DR. BORGENICHT: Getting back to your first question, I would opt somewhere between Dr. Kalm's approach and what I would call the rugged individualist approach, which is, here is what I understand could be done, here is my proposal, somebody tell me whether this is reasonable or not. I think it would fly better in situations in a variety of practice settings.

DR. ZUBELDIA: Would you expect the government to tell you that your changes are reasonable or not? Or just hire your own attorney?

DR. BORGENICHT: No, I don't want to hire an attorney for anything. Whether it is a government agency or an official or some intermediary whom I wouldn't have to pay for doesn't matter to me. If there is an interactive process, that may almost be a solution.

DR. ZUBELDIA: Do the state associations perform that sort of service? Would the UMA do that?

DR. BORGENICHT: I think the UMA might well. They have been very involved with HIPAA. They are sending out little HIPAA updates in the monthly newsletter. There is a lawyer there actually who has been involved with it. So that would be an option.

DR. HARDING: Dr. Borgenicht? It means do not borrow. You made a statement that caught my attention. That was that you were hopeful that the formality of the procedures didn't change the culture of your office. Could you expand a little bit on that, as to what culture you are talking about?

DR. BORGENICHT: In a sort of nebulous way, my office as you could see from my description is small, and it is also informal. Patients come in, there is an ebb and flow. My office manager has been with me for 13 years, knows my patients very well. She has conversations with them to which I am not privy, but gives her lots more information about the families than I often have.

I wonder whether those sorts of things won't happen. They happen in public, in the waiting room. It is both the constraints of physical space and the constraints of -- I don't know whether linguistic space is the right word, but whether we can't have conversations like that. Or for example, in my own fantasies, she will call me if there is an urgent phone call and say, you need to talk to Mrs. So-and-So, in full ear of everybody, and she will transfer the call to my office. Are those the kinds of things that might be affected at some point? I have no clue.

DR. ROTHSTEIN: Any other questions for the panelists? Richard, please.

DR. HARDING: We still have a little bit of time.

DR. ROTHSTEIN: We've got plenty of time.

DR. HARDING: Malpractice. You are in a number of different states, so you have probably much more concern about the issue of pre-emption than perhaps others on the panel. Is that something that you are spending an extraordinary amount of time on in your company, talking about the pre-emption issues and so forth among each state, and more strenuous interpretations, or whatever the legality is?

MR. MORSE: The short answer is yes. Slightly different gloss on it. I think anybody in this room needs to be concerned about pre-emption, even if you are only focused on one state.

DR. HARDING: Yes.

MR. MORSE: I feel your pain on this issue, because how can the federal government tell Utah physicians, here are some model policies and procedures and forms, which would be a wonderful thing, unless the federal government has sat down and figured out how much of Utah law affects what are in those models? Or do you just do a big disclaimer where you say, this doesn't take into account state law, which is probably what you have to do.

Getting back to your question, on Washington law alone, it has been the most agonizing part of what we are doing, because -- well, you know why, probably better than anybody in this room, because you are so familiar with this. But it isn't just a matter of, is it 60 days under one law and 90 days under the other. Sometimes the two laws have entirely different solutions to problems. In many instances, we have opted for saying that both solutions survive, because one isn't clearly more protective of the patient than the other.

It is complicated. In fact, what we are going to do for the other states, we are not going to even attempt. We don't have the resources. We are going to hire attorneys in those other states to help us with the pre-emption issues. We just don't have the resources.

DR. ZUBELDIA: Are there not equivalent collaborative efforts in the other states, like in Washington?

MR. MORSE: There is a pretty good effort in Oregon, led by the medical association, but I really don't know. I am really not up to speed as to what is going on in those states.

You all are probably well aware of the North Carolina NCHICA example, which is a model we have tried to draw from. I'm sorry, I really don't know in the other states.

DR. ROTHSTEIN: Thank you. Many of these other state folks have testified before us, and so we are getting more information nationwide.

If there are no further questions, I want to thank all four of you for very helpful testimony that you can be assured will be carefully considered by the committee in terms of putting our recommendations together for the Department.

Our second panel is scheduled to begin at 11, and we will begin promptly at 11.

(Brief recess.)

DR. ROTHSTEIN: We are ready to resume with our second panel on integrated health systems in complex organizations.

I want to alert people listening on the Internet as well as those in the room to a slight schedule change. Mr. Chuck Davis is unable to be on this panel, so we moved Mr. Fred Schade, I believe it is, to the second panel. That will mean that panel number three on rural hospitals after lunch will take some time off that. It will begin at 1:30 and end at 2:30. We will take a break from 2:30 to 2:45, and then the final panel on state agencies, public health and research will run from 2:45 to 4:30, the public testimony from 4:30 to 5:00, and we will have a 5:00 p.m. adjournment. So a slight change, and we will be moving up this afternoon's session by 15 minutes.

Let me welcome all of the panel members for the second panel. In case you were not here for the first panel, some of you we will ask to speak for ten or 15 minutes. I'll give you a one-minute warning, should you need it, and we will have questions at the end of the four presentations.

So we will begin with Mary Thomason.

MS. THOMASON: Chairman Rothstein and members of the Privacy Subcommittee, I want to thank you for this opportunity.

I am Mary Thomason, RHIAA, the HIPAA project leader for Intermountain Health Care. Translated, that means that I have been immersed in those 800-plus pages for over a year now, so my primary focus has been to coordinate the implementation of the privacy regulations throughout IHC, which is our acronym for Intermountain Health Care. My background has been in health information management, information systems and in the clinical laboratory.

The most difficult HIPAA privacy regulation issues for us are related to two main areas, our size and complexity, as well as the hybrid nature of how health information exists and is maintained by IHC today.

To give you a little background, Intermountain Health Care is a nonprofit integrated health system. We provide both health plans and health care services. To put our size in perspective, we serve 480,000 covered lives with our health plans, and in the year 2001, our health services included 117,782 inpatient visits, 28,600 births, and 5,612,399 opportunities to provide outpatient services in various settings.

We provide both traditional and not-so-traditional forms of health care. On the more traditional side, we have 21 hospitals that range from a 520-bed LDS hospital, to several 20-bed rural facilities. We have a physician's division of around 400 physicians, with 89 clinics, an air ambulance service, home care and medical equipment services, retail pharmacies and occupational medicine clinics.

On the not-so-traditional side, we have unique health care arrangements such as participating in joint clinics with the state of Utah for children who were in newborn ICUs, providing athletic trainers for high school football teams, and serving as the official sports science and medicine supplier to the U.S. ski and snowboard teams.

To support our business, we have divisions that include a physicians billing service for our employed physicians, a collection agency, and 14 legally separated but affiliated foundations.

IHC Health Plans offers health maintenance organizations and point of service plans, as well as contracts with other insurance companies, third-party administrators, preferred provider organizations, self-funded employers and so on that lease the IHC network of providers and hospitals.

Both IHC health plans and IHC services are separate legal entities. Since our Health Services is a single legal entity, and that includes all of our health services, and our focus is health care, we do not consider ourselves a hybrid entity, even though some of these unique health care settings may not involve covered functions as defined in HIPAA.

Some of the issues that relate to the size and complexity of IHC are -- well, first of all, after seven months of discussion and several legal opinions, we decided the relationship between our IHC Health Services and our IHC health plans would be one of an organized health care arrangement under this regulation. We decided that this arrangement allowed the most flexibility to adequately share data for our joint operations.

However, since our data is commingled in some databases, we will have difficulty in addressing minimum necessary policies and procedures, because we have to be very careful how much information is shared and for what purposes.

Other than that, probably the major implementation struggles we are having are regarding the accounting of disclosures. We realized one of the implications of being a single covered entity was that we would need to provide a single accounting for patients across all of IHC Health Services, especially since many of our disclosures which have to be in the accounting -- for example, the state law requirements -- are done electronically on a corporate basis.

We have estimated we make 1,-92,700 electronic disclosures per year that must be in the accounting, largely to meet the requirements of the Utah Health Data Commission and Department of Vital Statistics. We know some health care providers are looking at these kinds of disclosures as operations; however, we do not use any of this information for our operations purposes, so we don't feel we can justify calling it operations and therefore not including it in an accounting.

This estimate does not include disclosures to research. We have around 500 research projects active at LDS hospitals currently, for example, and yet we do not yet know how many of these have IRB authorization waivers and would have to be in an accounting.

The acknowledgement of the notice of privacy practices may also be very challenging, since we have such a variety of health care settings and no one centralized system where we can check that we have already provided the notice. I refer you back to the volumes that we do, probably in excess of six million a year. Right now, we are planning to provide the notice once in our clinics, because we know we will see the same patient again and again, but otherwise, we will probably have to provide the notice and seek acknowledgement every time we see a patient in the inpatient setting, in urgent care, or some of the other settings.

Finally, the size and complexity of IHC presents unique workforce training issues. We have 23,000 employees, not counting volunteers and non-employed credentialed providers. We decided early on that it would slow or even prevent the process of health care to funnel all disclosures to expert departments such as medical records or billing departments. Much of the protected health information that is currently disclosed for treatment, for child abuse reporting or to funeral directors as an example currently happen in clinical areas, not in medical record departments.

This decision has major training implications. In order to provide the level of training needed for these clinical front-line people, we are focusing the training on what they need to know and in the detail that they need to know it.

Based on our early assessments, we have defined 53 different groups who need specialized training, and 52 different focused content modules that we will be developing in house. For example, the emergency department will get training not only on the basic general privacy that we are required to do for all of our employees, but also in-depth modules on prevention of incidental disclosures, recommended efforts to verify identity, disclosures to law enforcement, disclosures to media, and how and when to enter information in an accounting of disclosures.

We also have scalability issues, as were mentioned earlier. Because we have such a diverse population or size in our facilities, we may have whole departments at LDS hospital devoted to risk or compliance, but at our small facilities, the administrator may wear all of these hats.

We are planning to provide limited training to non-employed providers, to the extent that they understand our policies and procedures, what it means to be in an organized health care arrangement, shared notices and provisions and things like that.

This decision not to centralize disclosures also impacts the need for a widely accessible accounting of disclosures tool as well.

For issues related to the complexity of our health information, how does the hybrid multi-media nature of how information is stored in IHC present additional challenges? To date, we have found 78 different databases or record sets that contain protected health information at IHC or are maintained by our business associates. Of these, we determined 18 are designated record sets as defined in the regulations, including by the way the 2002 Olympic treatment records.

We have a complicated network of interfaces between the electronic systems, both to and from clinical and billing databases, but there is no one system that contains all of the identifiable information used to make decisions about an individual's care, let alone all the billing and payment information.

Some, like our clinical data repository, contain much but not all of our clinical information. For example, we have a system called stork bytes. That is an electronic medical record for obstetric patients. Although key information is interfaced from stork bytes to the clinical data repository, stork bytes also contains critical information on fetal monitoring and it is stored only in that system. Therefore, sections of both the clinical data repository and stork byte systems are designated record sets under this regulation.

In spite of being named one of the most wired health care systems in the United States, many of our medical records and some of our billing records are totally on paper, and paper records on a patient may be maintained in a different location even within the same facility. Because of this, we cannot provide a patient with all of their IHC records at one contact point. What we will have to do is send the patient to different IHC facilities or agencies where they have received treatment, and we have to train the front-line employees very well on how to find out where all the records are stored, both electronically and on paper to assist the patient with access or copies as required in the regulation.

Finally, this multi-media, multi-location of protected health information brings up the issue of attachment of amendments. In the paper world, this was not a major issue. The amendment documents were, if approved, added to the records. However, we have so much that is electronic, and we do not always have the capability in our systems to attach an amendment at all, let alone to attach it to the pertinent sections of the record. We must be very careful that we don't destroy the integrity of the data.

Also, with existing interfaces, we do not always know where the information is distributed or ends up, so we don't always know where to forward copies of amendments.

What recommendations can we make to the committee that would assist us in implementing the privacy regulation as well as others? First of all, we want to commend the OCR's efforts in clarifying various privacy related issues, especially their FAQs. We found those to be excellent documents.

We know that there has probably been a high volume of questions submitted on their question line about the privacy regulations. I know we have submitted quite a few ourselves. It would be very, very helpful to have replies to these specific questions.

We have been very careful to thoroughly research the regulation and all the documents that have been published by the Department to make sure that the scenario that we are asking is not already addressed. In fact, we have even developed our own online document on a CD that has cross references to everything that you have published. But these particular questions, we found the answers nowhere. They do have policy and procedural impacts that are important for us to know how to proceed from here.

Providing education for covered entities other than our own employees would be very, very valuable. We have 2500 physicians approximately affiliated with IHC but only 400 IHC employee physicians and their staffs will be trained by us to any great extent. The rest are dependent on the professional organizations, consultants or seminars. As was expressed earlier today and I think in some of your other testimonies, there is a lot of concern about the accuracy of some of the information that is being distributed and the confusion of covered entities of all types as to what the regulations state and what they imply.

We believe that -- and I know it was discussed earlier, about providing public education. We believe that before you provide public education, it is imperative that providers have accurate and substantial education, or at best they will endure embarrassment when an informed public walks through the door, and at the worst they will endure lawsuits.

We also have a couple of requests that would at least make our efforts easier. We recommend that for public health or vital statistic disclosures or other routine disclosures mandated by law en masse, that the regulations allow us to educate the patient via a list of these routine disclosures required by law, rather than having a specific accounting every time we disclose their information, for these reasons. That would make the accounting provision less expensive and onerous, yet still educate the patient on where their information is disclosed and why.

The other suggestion that we have is perhaps a phased-in approach to the privacy regulations. We will certainly endeavor to be compliant by April 14. We have been working on this process formally over a year now. Informally we have been working on privacy and focusing on that for several years through our compliance department and our education, and even have completed an extensive disclosure document that was finished in 1998 that now has to be totally revised. We are still concerned that we have so much yet to do, however, such as the training, the minimum necessary protocols, the research procedures, and then developing or buying an accounting of disclosure software tool that will meet our needs.

I know that allowances were made for small health plans in the regulation, but it is large organizations that need time to assess the impacts on their policies and procedures, as well as to make the necessary cultural changes. As the saying goes, it takes awhile to turn an ocean liner. This would also allow vendors time to develop software solutions to assist in the privacy regulation implementation.

I have also included some separate documents that outline what we have accomplished in implementing the privacy regulation, but I want to thank you for this opportunity to present our major privacy challenges as a large and complex health system.

Thank you.

DR. ROTHSTEIN: Thank you. Any clarification questions?

DR. HARDING: Just one, briefly.

DR. ROTHSTEIN: Sure.

DR. HARDING: You mentioned that you would recommend for public health and vital statistics disclosures a list of the routine disclosures. How long a list is that?

MS. THOMASON: Well, I think that it shouldn't be that long of a list. It is what is required by state law, and it would be past disclosures, I think, rather than individual ones, somewhat similar to -- they have a different type of research disclosure accounting, if it is 50 or more, something similar to that kind of a concept. So perhaps not an individual calling in a communicable disease, but the Utah Health Data Commission or the trauma register disclosures that we were required to do by law that we do en masse, is what I had in mind.

DR. GREENBERG: Wouldn't these be included in your privacy notice?

MS. THOMASON: It doesn't matter. You can't cover that in a privacy notice, according to the regulation. They have to be in a separate accounting right now, the way it is written.

DR. GREENBERG: You probably would mention them though in your privacy notice.

MS. THOMASON: Yes, I'm sure we will mention that we are required by law to do certain disclosures. But then you have to specifically mention them.

DR. ROTHSTEIN: The disclosure accounting only is activated by a request from the individual, and we don't know how many requests you are going to have yet, right?

MS. THOMASON: True, but my reply to that is, it only takes one. It only takes one person to come in and want -- say it is six years from implementation date -- I want all my disclosures in the last six years. The idea of trying to reconstruct that at that point would be just overwhelming. So I think it is a good idea, especially knowing that we have to account for disclosures from CASHA in Idaho all the way to Dixie Regional in St. George, Utah. Some of the people do move around quite a bit, especially down in Dixie, because it is nice and warm. So we don't see how we can do this.

In fact, we don't really see how that provision for the research of 50 or more is too practical, either. We tried to look at that. Of 500 ongoing any one day times six years, where you know that you could possibly have accessed this information, the idea of time to track researchers, where are they, if you are supposed to help the patient when they come in and they want to know, was I in this study, where can I contact these people to find out for sure. At least at this point, we don't think that it is real helpful to use that alternate method. So we are not real sure how we are going to do that right now.

DR. ROTHSTEIN: Thank you, and we will have more questions I'm sure during the panel discussion. Mr. Riopelle.

MR. RIOPELLE: Thanks. Mr. Chairman, members of the subcommittee and staff, my name is Chris Riopelle. I am chief privacy officer at Gambro, Inc, the holding company for Gambro Health Care. I wanted to thank you for the opportunity to be here today to talk to you about privacy, and how we as a company are addressing it.

In lieu of written testimony, I have elected to use a Power Point presentation. With the subcommittee's indulgence, it may be easier for me to use the remote mike and stand up and address that presentation. Is that all right with you?

DR. ROTHSTEIN: Please.

MR. RIOPELLE: Here is the agenda I am going to go through today, an introduction of what we are, who we are as a company, what we have done to date in HIPAA, the impact of that on our organization, and then talk about -- as I think one of the requests from the staff was -- some of the challenges that we are having in implementing the privacy rule in our business. Then I will give some conclusions as well.

First, let me say that I thought I had a very difficult job, until I heard Mary testify. Now I feel like this is a cakewalk for us. Fifty-three different specialized groups who need training.

Now, for those of you who don't spend time in the health care space, that is something that would keep me awake at night for months and months. That is an unbelievable task that, I wish you guys well, and I would be interested in to see how you do.

Let me tell you about Gambro. Gambro Inc. is the holding company for Gambro Health Care, Inc. We are a dialysis provider. I know the committee was focusing on small providers, but we are not a small provider. We have 530 clinics across the country; 40,000 people depend on us to receive their regular dialysis treatment. We operate in 32 states.

I have had a chance to speak to the Subcommittee for Electronic Transactions, and understand that our objective as a company, whether small or large, in this business of delivering the very best dialysis care that we can. Anything that impacts that is something that we take very seriously.

Activity for us as a company. Transactions. We have a field for the extension, obviously. We are currently involved in implementing changes for that purpose for us as a company, again much smaller than Intermountain's challenge, 30,000 hours of professional time, a seven-figure total cost, a huge drain on one year at least of our IT budget. But as a proprietary system user, we couldn't call Fred's company or one of his related companies and ask for an update to our version. It was simply something we had to build and modify of our own accord in order to be compliant.

Privacy. Right now we are deep in that implementation, as everybody else is in this room. We estimate about 18,000 hours of professional time to get that effort accomplished. Again, both initiatives are significant seven-figure total cost to the company.

In corresponding with staff on the committee, we wanted to address some of the specific questions. One was, what are the areas that are especially in need of guidance from OCR, what difficulties are providers and plans experiencing coming into compliance.

There are four that I will highlight. There are many. I know our time is limited, but there are four that I think are worth mentioning today. One at least was addressed by Mary.

One that we really would like to see more guidance on is the idea of incidental disclosures. The only guidance I have seen in a lot of information out there is the example -- those of you who read the preamble to the August modification -- of the physician and the nurse at the nurse's station. Very, very valuable. If I am in a hospital, I say I have clear guidance. If I am not in a hospital, it gets a little harder.

Let me tell you about the dialysis business. In the outpatient setting, we operate in a bullpen environment. We will have a room of this size, perhaps. There will be stations set up all over the room, lined up with a comfortable chair and a dialysis machine next to it.

Curtains and private rooms don't work for us. It is critical for our nurses to be monitoring what is happening in that room. We are taking peoples' blood out of their body, we are cleansing it, and we are putting it back in. Fairly important to see how their color is, listen very closely for any monitors going off on the machines. We need to see these folks. We don't have the resources from the reimbursement standpoint to sit an RN in front of every dialysis station to watch how a dialysis patient is doing during their session. So bullpen environment is critical, has to happen.

This is a chronic illness. People come in three or four days a week, three or four hours a day. A lot of time interacting with our staff, a lot of time to talk about their health care. A lot of time for our required social workers to spend time with them.

Information is overheard. Common situation. Fred, I'll use you as an example, I apologize in advance. He is a dialysis patient, I am a social worker. There is another patient sitting right next to me. I sit down and say, Fred, how is the Prozac working? I say it discreetly, I say it quietly, but yet, I can't disconnect him from his machine to address this psychosocial issue. This patient has heard it probably. How do we handle that? Because they are all in a treatment environment, is that an incidental disclosure? What are reasonable safeguards to make those incidental disclosures acceptable to OCR? Are we going to have patients sign a confidentiality agreement that says, look, folks, you are going to hear stuff as you dialyze in our facility. Maybe that is a solution. The problem is, if we can get some more specific guidance outside of the hospital environment that allows us to address that, it would really give us some comfort level as it relates to the Office for Civil Rights and their enforcement activity. In this area, we really need more guidance.

Amendments. I don't know that I can say much more than what Mary addressed. I'm sorry, question, Dr. Zubeldia?

DR. ZUBELDIA: Yes. When you say that the dialysis is three or four hours per day, three or four times per week, are they on the same schedule and it becomes a social event, where they all become friends?

MR. RIOPELLE: Yes, and I am going to get to that in a minute when I address one of our other concerns. The familial nature of this, similar to what one of the other presenters had addressed, is a real concern for us, but I will address that in a minute.

Amendments. Really easy concept in the paper world. You want your medical record amended, we can have an exchange about that. We document that exchange, and we have an obligation perhaps to send that exchange along with further disclosures to the medical record. In the electronic environment, it is very, very costly and very, very difficult to adhere to this requirement.

We don't know how we are going to do it frankly, at this point. We are again a proprietary user. We develop everything we can in house because we are a unique user and that is how our company has done it. We are not sure how we are going to handle this. How am I going to append in our real information management system a request for amendment, all the documentation about that, rejection of that, the rebuttal statement? How are we going to amend that electronically? We just don't know, and we would love some additional guidance from the government in this area, because frankly, I think we are struggling the same way that Intermountain is to try and figure out what to do in this area.

It could be a multi-million dollar undertaking to modify our internal systems to accommodate this requirement, and we don't have an answer to the best way to do that.

Here is another issue that we have to struggle with as a company because of our environment. Because of the chronic need for dialysis, as Dr. Zubeldia pointed out, people really get to know each other. If Fred and I spend five years, which is very common, dialyzing next to each other on the same shift Monday, Wednesday and Friday every week, three hours, four hours at a time, we are going to become friends. He is going to know everything about me, I am going to know everybody about him.

Strong relationships between patients and between staff develop. His wife may come in and help him get set up on his machine, and his wife knows the center director. Same for my folks, and friends and family.

What happens one day when I don't show up for dialysis? God forbid, I have died? Fred says, center director, Mr. Rothstein, where is my buddy Chris? What our people do now is, Mr. Rothstein breaks down in tears because he has known me for five years, and he says, I'm really sorry, he passed away last night at the hospital. But now, our center director is going to say, Fred, you'll have to call his wife. He says, this is my best friend. I talked to him yesterday afternoon, I haven't heard from him, where is he?

That is really something that is going to take a lot of adapting, and is going to take away from the familial environment, and it ultimately is going to take away from the quality of care we deliver to our patients. That could not have been an intended consequence of this regulation. It doesn't make sense for us.

How do we address that? How do we implement this regulation without taking away what is a necessary part of health care, and that is the care part? You tell my center director he can't do that or she can't do that; it is really going to take away from their ability to deliver high quality care to patients.

Do we get authorization? Do we say to me when I check in, Chris, when you die, is it okay to tell Fred? Mary, do you want to be the person as the center director to ask the patient who is coming here for this chronic life-threatening illness, when you die, can we tell people in the clinic? I don't want to be that person. If we had an authorization, we would be fine pursuant to the reg.

I know what is going to happen. I am going to get up and tell our 500 center directors, they can't do that. You know what they are going to do? They are going to keep doing it, because you know what? That is in their heart the right thing to do. I don't have an answer for that, but it is something that we would love more guidance on.

In this environment for us, there are dozens and dozens and dozens of more examples where this regulation is going to have negative -- unintended, of course -- consequences on our business of caring for people in the health care business.

Last one in this area deals with something called CMS Form 2728, which we fill out on all our patients. Renal Networks, we report to them and they monitor the ESRD providers.

They also, the networks, call us and say, we are doing a research project on this drug, please send us information. We say, we don't have the HIPAA compliant authorization form for research. Oh no, but you've got the 2728, that will work.

The federal form cannot, the way I read it, be used as a valid research authorization, but we are being asked by this oversight agency, which is quasi-governmental, to provide research information, or information for the purposes of research, under that authorization. What do we do? Tell the government agency, no, you can't have it? We have an obligation to report to them.

A specific issue for our business, worth some discussion with CMS to see if there is a way around this issue.

Training. Again, I thought I had a training challenge until I heard Mary talk. Let me tell you, it is costly for us. Our challenge is, we are in 32 states, and a lot of this training changes how people do their work every day. It is different enough that we have to do it in person.

So the month of January, I am going to kiss my wife and my dogs goodbye, and I am going to be gone for a month, going to every one of our states, every one of our clinic directors, and in person for four hours with a team of people educating them about our privacy policies and procedures. Then the other 12,500 employees of the company are going to do a web-based computer training. We may have five or six different groups instead of 53. Huge cost to us, not millions, but close.

It would be really great if the government would give a little more guidance than to say, it is just training, get it done. Frankly, we will get the training done. We will be -- on this item alone, I am confident I can say we have made every effort to be HIPAA compliant on April 14 of '03. I don't think for a minute that the people who have been trained to meet that one-time compliance date have really been trained.

They are going to meet the requirements of the reg, but they are not going to be living it and doing it because frankly, there isn't time to get them to do that. So it would be great to see a little more guidance from the government about training.

One of the items we have is, who do we include on our workforce? It has been very explicitly written in the reg what workforce is, but frankly, we still have some concerns. We have physicians coming to our clinics. I can do an analysis on the other side of the fence; are they part of the workforce? They don't work for us in the layman evaluation of it. They are credentialed by us, and we are going to do what Intermountain is going to do; we are going to educate them, but we are not obligated under the reg to train them. That is a problem.

These physicians, 2000 of them, come to our clinics, they have intermittent -- like they would at a hospital -- interaction with patients who they are rounding on, but they are never really plugged in to our privacy practices. It is going to take some time. I don't expect any industry to accept this change overnight, but I would be very encouraged to hear from the OCR some guidance that says, get your training done, but we understand this is evolutionary, it will take some time.

I think in four or five years, our center directors are really going to have this be part of their daily habits and daily routines, to the extent we are changing their behaviors. But overnight? It is not going to happen.

Pre-emption. This is one that frankly, I think to be very candid, is probably the most significant failure of this regulation. I think as I understand the history here, the intention was to create a national standard for privacy which absolutely we need. That didn't happen.

I think that we have some challenges complying with the reg. Training is tough, incidental disclosures is tough. The one that keeps me awake at night are the plaintiffs' lawyers who gathered two weeks ago at an island off the coast of South Carolina and had a three-day seminar on how to sue health care companies for privacy violations under state law.

I am very pleased there is no private right of action in HIPAA. I have fines to worry about; we will do our best to mitigate those, but when the plaintiffs' lawyers of the world move from tobacco to asbestos to Aetna and Gambro and Intermountain to fill their pockets, that is what keeps me up at night.

In Georgia, there is an HIV law where we operate. In New York there is an HIV law where we operate. They are different. Are they more stringent than HIPAA? I don't know, I don't think so. We have to follow all three and HIPAA, or both and HIPAA.

One small example. Cost. It is going to cost us to do six states, a six-figure number. We have 32 states that we are going to have to try and do internally. A full comprehensive analysis for our business is going to be in excess of a million and a half dollars.

There are some tools out there. Georgetown Privacy Project, great start, is not something that as a provider we can rely on. We have to go deeper. Health Care Leadership Council is working on a project right now, about a million, million-two, in their effort. It appears in their scope of work, very comprehensive. I had a law firm look at their scope and say, give me a price, they said five million dollars. They have done it before, they understand the complexity of it; five million dollars.

So there is the up-front cost of figuring out what to pay and how to get the analysis done, but the downstream risk of the state pre-emption is the one thing that really could take all of the good that this legislation was intended to make, and ruin it. That is my concern. That is going to take away resources from doing what we are supposed to be doing every day, which is delivering high quality patient care.

If I have to take hundreds of thousands or millions of dollars and give them to an injured party, a third of that going to their plaintiff's lawyer, take money out of research and development, out of improving our staffing, out of improving our care, that is not why I am in this business. It is not why we are in this business.

This really is something that I would ask the subcommittee to address, hopeful change. We will be at the table asking for those changes as things go forward, but this issue alone is very, very frightening.

Let me conclude quickly. No question, we are committed to improving privacy and security of patient information. We have to do that as a provider. Agree with the subcommittee's letter of September, which said that the HIPAA privacy rule gave some regulatory support to an ethical imperative, no question. But we need to be very careful to make sure this legislation does not unnecessarily drain resources from what we are supposed to be doing every day, which is taking care of patients.

I was told a long time ago by a professor who had a big impact on me, you say something three times, people listen. We need more guidance, more guidance, and more guidance. We need more examples of what will and won't fly. We need to be told what the prudent professional standard means, what is reasonable. The fear here is the unknown, and there is too much of it.

Finally, I will close with this. We the company are going to continue to deliver high quality care to our patients and follow the requirements of this reg, and we are going to work real hard to make sure it fits our business better.

Thanks.

DR. ROTHSTEIN: Thank you. Any clarifications?

DR. HARDING: Just that last comment. As a non-attorney, the private letter ruling is the prudent professional standard? Or the private letter ruling is a ruling from the federal government?

MR. RIOPELLE: Right. What I am likening it to is in the tax environment. If you are taking an aggressive tax issue and you get a private letter ruling from the government saying, here is our interpretation of that. If there was that clear question-answer function, that would give us some comfort level.

It exists in every other part of most other parts of the federal regulatory environment. If we have an issue with the OIG or with HCFA, there are functions for us to get more guidance from them on, and this is missing here. I understand from Mr. Campenelli's testimony a few weeks ago in Washington when I was there that there is no intention to have a private letter ruling function as part of the enforcement or support.

DR. ROTHSTEIN: Thank you. Mr. Wunderli.

MR. WUNDERLI: Thank you, Mr. Chairman, panel. I am John Wunderli. I am general counsel of Valley Mental Health. Valley Mental Health is a 501-3c not-for-profit corporation. It used to be the division of county mental health. In Utah, the counties are the local mental health authorities, with the responsibility of providing services to the seriously mentally ill, who are at or below poverty level.

Valley Mental Health has contracted then with three of the counties in Utah to be the local mental health authority. We are in Utah also the substance abuse -- the counties are the local substance abuse authority, and with a similar type operation, where they will provide substance abuse services to those with substance abuse problems and also are at or below the poverty level. Valley Mental Health does also the substance abuse and mental health.

We have over 60 different locations in the three counties. We serve about 20,000 clients a year. We are also the sole capitated Medicaid provider for these three counties. We also serve Medicare clients.

In describing our involvement with HIPAA, I like to call it an involvement of one of discovery. When the first regulations came out in 2000, we jumped on top of them. Our transactions and our security functions are moving along. The privacy functions were such that in the mental health field, we have always been very protective of confidential information. We have in the state already numerous laws. In our company we have a huge confidentiality policy, and we spend a lot of time protecting information.

What you are doing is very important in a national privacy law. In the privacy area, as I say, one of discovery, the first regs came out, then we had the changes, all the time knowing that in the back of our mind, whatever was going to come out, there was this pre-emption analysis that has been referred to. In this pre-emption analysis, we would go to many conferences, we would learn a lot about the privacy area, all the while knowing that there were going to be amendments to it that even when they did come out, we still didn't really know which laws we were going to be following until we went through the pre-emption analysis.

This was made I think even more difficult in the mental health field, in that we waited until August for the final privacy regs to come out. We received 450 pages on the Internet. Nowhere in these 450 pages was the actual regulation, so that we knew what was going. We could go back and we could take the comments out and we could go back to the old ones and do the correlation ourselves, but we waited until October basically, until we knew exactly what we were dealing with.

Just two weeks ago I was able to download the final privacy regs. Since that time, the discovery has been exciting. I have focused primarily on the pre-emption analysis, both in my comments and in dealing with the regulations, because it is that pre-emption analysis -- because in mental health we have so many state laws here that before you can really do anything in the privacy area, you have to know which laws you are going to be following. So for purposes of my comments today, I have focused on the pre-emption analysis.

I would just like to go through a few of the areas that I have discovered. I'm not certain, because we have had a couple of weeks, that my discovery is going to even be correct at this point, but this is what I discovered for how this is going to impact us in our privacy area.

Generally, with the pre-emption analysis, if you have a more stringent state law that will then be the one that pre-empts, as I read through the more stringent, one of the definitions is the form, substance or the need for expressed legal permission from an individual for use or disclosure of individually identifiable health information, which provides requirements that narrow the scope and increase the privacy protection afforded.

Now, with only a few exceptions, all disclosures in the mental health field require consent or legal permission. It seems to me under HIPAA, with consent being an option for GPO, and an authorization required for other disclosures, it seems to me that mental health then continues to follow the state's substantive law, as opposed to the procedural area that we have in HIPAA, i.e., the accounting notice, business associates, release of information procedures. So I think that for those purposes, the substantive law, we will change the forms to follow more with HIPAA, but the idea is going to be the same, and we will follow that.

Under deceased individuals, we have an interesting situation. Under HIPAA, you treat the person who has authority to act for the deceased person, is the personal representative to whom we give the PHI. Under state law, in Utah the privilege dies with the person. So therefore, you are able to give information to a personal representative anyway, because the information is dead, the privilege is dead. In A and D regulations, the personal representative must qualify, then get confidential information.

So as I look at it, I believe that with deceased individuals, all three of them really in effect have the same effect. So I don't believe that we are going to have a great deal of problems there.

With child abuse, we come into a real problem. In child abuse, as I read HIPAA, it becomes a permitted disclosure if it is required by law, if the individual agrees to disclosure, and the disclosing entity believes that the disclosure is necessary to prevent serious harm to the individual or other potential victims. Law enforcement believes that the disclosure is not intended to be used against the individual, and would be harmful to the individual if not reported immediately.

In the state law, we have in Utah an absolute duty to report child abuse. There is no qualifying reason, such as to prevent serious injury. If it happens, we report it. Under the federal alcohol and drug regs, we are exempted from confidential requirements and report according to state law.

So the way I analyze this is, we are allowed under HIPAA to use the state law, but with the state law we have to get -- according to the way I read HIPAA, we have to still get an individual agreement to disclose it, and we have to have this qualifying reason to report, which takes us right out of the state law. Now, I believe that this might be an area where we write back to the Secretary and ask for mercy under this one.

I have picked here the areas that are really hot topics in mental health law for disclosure. The next one then would be the subpoenas, where we are constantly getting subpoenas for information in mental health areas. I believe this is going to change. I think we can use our Rule 45, but again, I think it is almost the same thing as the child abuse reporting law. We can use the state law, but we have got to change the state law, the way I think HIPAA requires us to do some of these things.

As I search through the privacy regs, I looked and I looked and I looked for the requirement that we have in Utah and in many states about a duty to warn. That is a situation where, if a therapist receives information that the client is going to do serious harm to somebody else -- and you can identify that client -- then the therapist has a duty to warn the client and the police.

Upon first reading of the regs, I didn't find it. I believe I have found the duty to warn in the regs. I believe it is probably the same as our state, which I am pleased to find out.

My time is getting short. The big area in the field in both medical and mental health deals with consent with minors, both consent for treatment and consent for disclosure to parents and others in treatment of minors.

I don't believe in the interest of time I will go through the whole analysis I went through, but it is a multifaceted analysis in both federal regs, in state regs, in state law and in HIPAA, as to just what you do with the minors.

My initial conclusion is basically, as you can see on the chart on the next page, the question about, you give records to the parent or guardian, I think that at least in all three of these, we are probably tracking each of these laws. So I think that we are probably able to follow HIPAA A and D regs and state by doing the same thing, without having to do any changes.

Some further analysis that I have gone through on the relationship of HIPAA to the drug and alcohol regulations generally. The HIPAA regs do give means to analyze that, and in a chart that I followed, in an analysis with the underlying philosophies and policies, it appears to me that in almost every instance, the federal A and D regs will trump HIPAA and we will continue then just to follow the federal A and D regs. That is with respect to the substantive type law.

I know there are the procedural stuff we will have to be changing, and it is the procedural stuff that, you just have to know what you're doing and you do it, but it also takes in the administrative problems that both previous speakers have talked about.

Thank you.

DR. ROTHSTEIN: Thank you. Any clarification questions?

DR. HARDING: Just a quick one.

DR. ROTHSTEIN: Richard.

DR. HARDING: Then it is your interpretation -- just trying to read your graph here, the last page.

MR. WUNDERLI: Right.

DR. HARDING: A minor has access to his own health information?

MR. WUNDERLI: If he is able to consent to it. In Utah, we have only limited areas where they can consent and limited areas where they are emancipated.

DR. HARDING: Thank you.

DR. ROTHSTEIN: Thank you. Now, Mr. Schade.

MR. SCHADE: First off, thank you to the committee for the opportunity to testify regarding the privacy rules.

Before I get into my main presentation, I'd like to echo this morning's Drs. Kalm and Borgenicht regarding small health providers. We have been travelling across the country, learning a lot about how people are doing regarding the regulations, and have found a couple of things. One is that small providers often do not even realize that HIPAA applies to them. They don't even know about HIPAA. I have had many small providers tell me that the HIPAA privacy rule really applies to hospitals and not to individual clinics and doctors. So there is mis-information out there. Dentists, optometrists and so forth often have no clue about what HIPAA even is.

Secondly, many of the covered entities we know have waited until the final modifications were released in August before they began to delve into HIPAA, so there are many people who are ill prepared, and desperately need education and information regarding HIPAA.

My subject today is regarding an area that both Mary and Chris have identified as an issue for covered entities regarding the accounting of disclosures. One of the core provisions in HIPAA that generates something of a conflict between the patient's right to know who their protected health information is being disclosed to, and the covered entities' new burden of having to track that information.

As we have been working very closely with many large organizations of covered entities across the country, we have found that the state mandated disclosures, as Mary pointed out, --

MS. KAMINSKY: Excuse me, Mr. Schade. Can you for the benefit of the panel as well as the Internet listeners tell us just a little bit of background about Mediconnect and your work on the task force, so we can have some context, please?

MR. SCHADE: Yes, I'd be glad to do that.

MS. KAMINSKY: Thank you.

MR. SCHADE: Mediconnect provides software solutions for HIPAA compliance. It is what we do as a company. We are working on the Utah state informatics task force, which deals with health information, providing jobs and so forth in the state of Utah.

Continuing on, what we found is that nearly 80 percent of disclosures that are going to have to be covered under the accounting of disclosures provision are going to be those that are going often electronically to the state. That is a large number of disclosures, when you look at an entity like IHC, where there are literally millions being transmitted to the state every year.

These disclosures include things like inpatient registry, cancer and trauma registry and so forth that again, the state mandates, but HIPAA would require that they be tracked under the accounting of disclosures provision. So if a patient presents and asks for their accounting of disclosures, these would have to be reported to them in some detail.

I wanted to talk a little bit about how disclosures are made to the state today, what we found in our research. This certainly does not cover every single state, but in general, what happens is, states often provide systems a computer literally and the software installed on that system, which has been developed by the state. They provide that to a covered entity, and then that covered entity is required to enter in that data into that software system, often manually, using clerks. Then periodically, those data are transmitted to the state, usually electronically, and then stored in the repository at the state for whatever purposes the state uses that information.

The problem that we are finding out there is that there are literally few or no interfaces into these state systems. Some states do have some interfacing capabilities, to be able to -- and what we are going to propose here in a minute is that there needs to be a way to pull out that data so that they don't have to double-account for potentially millions of disclosures using manual systems.

There are few electronic interfaces to these state registries. If there are interfaces to these registries, they tend to be disparate and non-standard. They are difficult to get one's arms around.

In some states, the different registries -- inpatient, trauma, cancer, et cetera -- are different software products, which causes yet another level of complexity for getting these disclosures.

Secondly, state agencies that oversee these registries are often unaware of HIPAA and the requirement that covered entities like IHC and others have to account for these disclosures that are being made to the state by law. And some agencies are reluctant, when they do know about HIPAA, to allow interfacing into their registries. They are concerned about privacy obviously, and they don't want any tampering with that information, and so are hesitant to allow the interfacing into the registry systems. Without these kinds of interfaces, or without a change like Mary proposed generally that we can talk about disclosures to the state, it significantly adds to the burden of large complex providers to manually double-enter that information into some other system for an accounting of disclosures.

We believe that an ideal solution, bar changing the law, would be to provide some electronic interfacing into these systems, so that when they go to dump that data into the state registry, it could be electronically dumped into the covered entities' accounting of disclosures database or other reporting system.

We recommend that the OCR consider looking into some resources to create a common interface into these electronic systems across the country. We are even prepared to assist in that kind of a task force to come up with a standard that every state could implement to make that job easier, of getting that data out, realizing that this is not necessarily a large task like an HL-7, but a smaller interface that would allow for simpler capturing of that data.

We also believe that the state agencies need to be educated about accounting of disclosures in particular, but HIPAA in general. We have found that some portions of the state will understand HIPAA, but many parts of the state will have no idea about HIPAA or whether that impacts the state or any of their people in the state.

We also believe that there should be some sort of pressure, for lack of a better term, from the OCR or HHS to these states to understand the burden that is being added to covered entities, to help them open up and work in conjunction with the covered entities to get data into their systems, the covered entities' systems, for accounting of disclosures. We also believe that there could be some opportunities to even create some global databases that smaller entities that don't have IT type of resources could use to get their accounting of disclosures for state mandated data dumps, without having to generate their own systems for this information.

That is the end.

DR. ROTHSTEIN: Thank you.

DR. ZUBELDIA: In your recommendations, are you assuming that these recommendations would be undertaken under the authority given to the Secretary under HIPAA?

MR. SCHADE: Potentially, yes.

DR. ROTHSTEIN: I have a question about your recommendation. Is this purely an IT problem? In other words, should the software exist, should the states suddenly become willing to open their systems and so on, can this problem be eliminated through technology?

MR. SCHADE: I believe so, in most states. I know that there are some states that don't have this kind of solution in place that may need to be looking at that. But certainly in the larger states, Texas, California, et cetera, yes, their IT systems and solutions should make a significant inroad to solving this accounting of disclosures problem.

DR. ROTHSTEIN: I want to ask Miss Thomason, because you mentioned the accounting issue as well, do you think that this is an issue that over time -- and I recognize the size and complexity of your organization -- will get easier as you become more electronically compatible at all your locations?

MS. THOMASON: I think that our plan is to either make or buy a tool that will allow an automatic download into an accounting of disclosures software database for these large ones, as well as having -- in our case, we need an Internet solution so that we can provide the ability to enter individual disclosures one at a time wherever they occur, in whatever clinic and whatever place.

I think that it is going to be a major training issue, especially in the clinical areas, because they have never done this kind of thing before. For them to realize that, oh yes, I need to put that in there, is going to be a large piece and be difficult. Initially it will probably be a focus for us, once HIPAA goes into effect, to follow up and see if this is actually occurring appropriately.

So in some ways, if we design the system right, I agree with Fred, it will be easier for us if we incorporate interfaces to these large ones, but the disclosure piece is very different. The disclosure piece -- and I think it was modelled originally, I suspect, based on the experience of medical records departments, who do enter a tremendous amount of disclosures normally in their software and in the process. However, the way HIPAA is written, it largely excludes those types of accounting to even be in there. So they do it for authorizations, they do it for treatment, they do it for payment, so all of those are excluded. So most of what is included in the accounting are not currently being tracked by anyone.

Does that --

DR. ROTHSTEIN: Yes, that's helpful, thank you. Questions from the subcommittee members? Any questions at all? The floor is open. Richard.

DR. HARDING: Just a brief question of Miss Thomason. What do you do in a large hospital system with the education of volunteers? That is something that I haven't really thought about. Those are turnover, in and out, thousands of people probably. What are you planning?

MS. THOMASON: That is one of our 53 goals. What we are planning on doing is having online modules. So at the time a volunteer comes in, they are given an orientation right now to meet joint commission standard. So we will also define for the volunteer group what pieces of the privacy -- which modules they will have to view and sign off on.

Media is a good one, or the facility directory is one thing that they are involved in. So they will need to understand some of these things, definitely.

DR. HARDING: But by definition, they would not have access to a great deal of personal health information?

MS. THOMASON: Well, it depends on where they work. Most of ours just work at a front desk type thing, but they do have access to like the facility directory. Sometimes they do filing or some other things in some of the departments, so they might have more access. So we are trying to figure on volunteers to say to a supervisor, you define what your volunteer needs to know about before they can actually come and start work.

It has to be something ongoing. We can't just say one time and then that's it.

DR. ROTHSTEIN: But I would assume that is not unique to HIPAA, and you have probably been doing that for years and years and years. Anyone who works in a health care institution, from a student to a resident to a secretary is told about the confidentiality restrictions.

MS. THOMASON: Yes. As a matter of fact, we have had confidentiality agreements that everyone in our workforce has had to sign. It pretty much outlines a lot of what is contained in HIPAA; you don't share information and if you do, you can be in great trouble, and goes on in great detail about this.

I know it is not required by the regulation, but we fully plan on retaining that piece for our own policy, because then at least we know that you have at least a basic knowledge of what we expect as far as privacy is concerned.

But you are correct, we have been doing a lot of this all along. It is just, some of the individual details they may not know.

DR. ROTHSTEIN: Now that it is required, it suddenly takes on this higher level of anxiety, I suppose, about not being able to do it, and whether what you are doing is satisfying the legal standard and so on. Kepa, and then we will get back to Richard.

DR. ZUBELDIA: Not being a lawyer, I would like to take advantage of the opportunity to get some education from Mr. Wunderli on the subject of pre-emption.

My understanding was that when one law pre-empts another, you comply with the one that pre-empts. If HIPAA pre-empts state law, you have to comply with HIPAA, unless in cases where state law has a higher standard, in which case it is not pre-empted, and you have to comply with the state law.

Perhaps I'm wrong, but what I am hearing you presenting here is that there are three laws, and there is really no pre-emption. You are saying you have to comply with all three, and find the highest common denominator to comply with all three. Could you educate me a little bit on pre-emption and what does it really pre-empt?

MR. WUNDERLI: You are correct. What I am talking about in complying with all three is, we can do it with all three. We tweak a few things, and we then by doing that are able to comply with all three without saying one pre-empts the other. What we are really doing is, we are saying, this is our practice, and in this practice we are not going to violate either one of the three, and we are going to keep a high standard.

That type of analysis is particularly set forth in the HIPAA regs with respect to the federal A and D regs. You say, look, what we want you to do is comply -- what we are setting out to do is to have you comply with both laws. So you go through the analysis the way I read HIPAA, and you figure out a way to do something that complies with both laws.

Now, the other part of your question also with respect to child abuse, I thought where you were going is, if state law pre-empts, how then do you modify state law to comply with HIPAA? The way I read HIPAA is, you are permitted to disclose with child abuse if required by law, but in doing so, you are to do this. I think we can talk after.

MS. KAMINSKY: I think there is another provision, which I really wanted to point out before the end of this panel, particularly about child abuse. I just want to highlight for everybody, I think there is another provision that may be useful to you. But I would like to just wait until after we have finished.

The other piece I wanted to add to this dialogue though, and this is pretty important, is that the only time that pre-emption comes into play is if the two laws are contrary, if you cannot possibly abide by both. Therefore, if you can abide by both, if you can comply with both the federal and the state law, you are to do that.

So it is not like one will trump another in every situation. There are many, many situations, because of the way the privacy law is written, which permits -- doesn't require, doesn't prohibit -- permits certain uses in disclosure in certain situations. That can dovetail very nicely -- and that was the plan -- with the way state law requires or prohibits certain types of uses in disclosures.

So when it is possible to comply with both, you comply with both. In the preamble to the December 2000, about the A and D regs interfacing with the HIPAA privacy regulation and when you can comply with both, you comply with both.

MR. WUNDERLI: Right.

DR. ROTHSTEIN: Thank you.

MS. KAMINSKY: With regard to the child abuse piece, which I did want to point out, the public policy disclosures which are long and very detailed and sometimes a little tricky to read, but it is my reading that in Section 164.512b, you are permitted to disclose under part one 2ii, under a public health authority or other appropriate government authority authorized by law to receive reports of child abuse or neglect.

The reporting for abuse and neglect is handled in two places. That is one place, and then it is also handled in 512c. I think the elements that you are bringing up are for other situations which are described in 512c. But the allowance to report for child abuse to an authority that is in place for that purpose is absolute. There is no qualifier there.

MR. WUNDERLI: What do these qualifiers then apply to?

MS. KAMINSKY: I knew you were going to ask me. The qualifiers are for not child abuse, other types of abuse and domestic violence situations. If you read them carefully, they are only in certain situations. If the disclosure is required by law and the disclosure complies with and is limited to the relevant requirements of such a law, then it is allowed.

It is one of those or versus and issues. There are a number of clauses in 512c that talk about when you can disclose. One of them has those qualifiers that you are talking about. So I don't mean to delve -- and it certainly points to how complicated it is to figure out where the answer is, but I think at least in the child abuse case, there were provisions built into this regulation to allow that disclosure to happen.

DR. ZUBELDIA: Stephanie, those are all qualifiers. The last one in the or list says, to the extent that the disclosure is expressly authorized by statute or regulation. So that would cover it 100 percent, since it is authorized and required by state law. The little number three.

MR. WUNDERLI: That is tied together with an and. That is the problem I have, because that is tied together with an and.

DR. ROTHSTEIN: We will work on this and get it straightened out over lunch. I can't imagine anything more exciting to do over lunch. Dr. Harding.

DR. HARDING: Mr. Riopelle, were you here in the room when the first group went forward?

MR. RIOPELLE: Yes, sir.

DR. HARDING: I brought up the issue of Dr. Borgenicht's concern about the formality of procedures changing the culture. You brought up that same issue, especially around the notice of death and so forth within your unique culture that you have developed over the last decade.

Everybody would have a different opinion, I'm sure, and that is one of the problems, of course, in the reasonableness issue. But it would seem to me that your concern about informing friends and informing the staff or informing the group about the death of somebody, the reasonableness issue to me is, as a person, I don't want HIPAA to mess with your culture. HIPAA is to try to improve confidentiality and improve the culture, eventually.

So I guess my short answer would be something like this, that I would think that the rules would apply that you could inform people of his death, but you couldn't tell people that he blew his brains out the night before, or some similar kind of thing that is not -- the minimum necessary, I guess, that something did happen here, but we don't get into the details.

MR. RIOPELLE: First of all, that is great guidance.

DR. HARDING: That is my guidance.

MR. RIOPELLE: Understood, but I would guess that we could ask the rest of the room, and we could each come up with a reasonable way to inform Jeff of my untimely expiration, but is that going to satisfy the Office for Civil Rights? Do I think it is defensible? Absolutely. Will I stand up and beat my chest and say you are impacting patient care? Absolutely, but will I still get a fine? Maybe. That is the unknown that is the concern.

I think these are surmountable, and I think we are going to as an industry in dialysis create solutions with defensible positions in the event of an inquiry by the OCR. I would much rather do that in conjunction with guidance about it than on the world according to Chris Riopelle and his team.

Thank you.

DR. ROTHSTEIN: Other questions or comments? Marjorie.

DR. GREENBERG: I was just interested in asking Mary maybe a difficult question to answer. Obviously, Intermountain is a large respected organization, and you have as you said a lot of policies, and you may have stricter policies than are required under the rule.

But I wondered if you could identify what you would consider as the privacy officer something that is really positive about this rule to an organization such as yourself. The flip side is that particularly brings new protections into areas where they haven't formerly existed, unlike your organization, and yet those new areas are small organizations that are having a hard time getting their arms around it.

In the case of your organization, I don't know if it brings anything new, or if you see what is a positive aspect of having this regulation or this rule.

MS. THOMASON: First, to clarify, I am not the IT privacy officer, I am the project leader. But personally, I think that Intermountain has done a lot already. I mentioned that they have tried to have many of the things that I think HIPAA represents.

I am glad personally to see protections for patient information that don't end with the state line, because information flows everywhere. So I am very, very positive about having national regulation on privacy of health information.

I think that yes, we are struggling with some of the details of this, but the concepts are excellent. I truly believe in the philosophy that patients do need some additional protections, and they need more control over their information, and they should have rights of access.

We didn't specifically have in this state an access right to information. Our attorneys might with an authorization from us, but we didn't necessarily have access rights. But HIPAA brings that forward. I think that was one of the purposes of it, that it would at least establish a minimum set of protections for a person.

DR. GREENBERG: Thank you. Also, Chris, you probably know this, but I wasn't quite clear. The decision to allow state laws that are stricter to pre-empt was not one made by the Department. This is Congressional. So as I understand it, the Department didn't have any discretion in that area.

I know you said that it was a disappointment that you had with the rule, but I don't think it was optional. I think that was what was given to the Department, if the Department itself ended up doing the rules rather than there being Congressional action.

MS. THOMASON: Could I comment on that, too? One thing that we are looking at in this state, and I think there may be other states as well, they are looking at seeing if they can identify for a particular state where state laws would provide extra protections, like HIV or genetics or things like that.

But we are looking at possibly introducing some legislation that will say, unless specified such as this type of records, that HIPAA would be what we would follow in this state. Hopefully Doug and others will talk about that a little bit more when their part comes to testify.

But that may be one solution that doesn't necessarily involve OCR, but instead the state should take an initiative to say, here is the baseline, and anything above that will specifically state.

MR. RIOPELLE: I wish we had clinics in Utah. Many states have taken this as a mission to create brand-new aggressive comprehensive state related privacy legislation. It may be more contrary and more stringent, which I think is great for patients, but for a company operating in many states, increases the complexity, A, and the risk, B. I hope they all follow your lead.

DR. HARDING: I would agree with you on that. Just to finish here, sorry I am asking so many questions, but the issue that you raised -- I think two of you raised, about the integrity and uniformity of electronic amendments to a patient's record. The patient has the right to access, the patient has a right to request an amendment and so forth.

In your hundreds, many databases that you have, how do you guarantee the integrity and the uniformity across all those databases?

MS. THOMASON: That is definitely one of the challenges. A lot of times, an interface is written to do an initial dump into a clinical data repository, but they may or may not do -- if there is a change made in the Sunquest lab system, it may or may not be written to update the other.

So what we have tried to define is by policy. If there is an amendment made, it will be made in the designated record set. So the one that will be the major source of information on the patient. So maybe we are going to have to have a procedure where if you make a change in Sunquest, you manually notify so that the change can also be made in the clinical data repository.

That is all the complexity that we will get into with these.

DR. HARDING: Any suggestions as to how that could be helped?

MS. THOMASON: We are open to suggestions.

DR. ZUBELDIA: Chris, you mentioned that Gambro hasn't figured it out yet. And we are only five and a half months away.

MR. RIOPELLE: Our challenge as a company is between the transaction standards, the changes that have to be made to a proprietary system. We are not unique as a company with proprietary systems. It has absorbed a great deal of our dedicated and contracted resources.

When you sit down with them and say, we finished our privacy assessment just after the August guidance and new rule came out, here are the changes we need to make to the systems for privacy. You had better be wearing a Kevlar jacket when you tell them that, because there just isn't enough time and resources for them to in the proprietary system comply with transactions, and comply with trying to find a way to make sure that amendments are tracked and they have integrity and they follow.

But we hope we are going to find a solution, but right now it is tough to get to the top of the priority list, because frankly, if we don't get our transaction standards in place by October, we can't bill at all. In order for us to exist as a company, we have to bill and get paid, so we can spend some of those dollars on changing our IT systems to comply with the reg.

MS. THOMASON: I suppose one benefit to all this, we are hoping that we don't see a drastic increase in the number of amendments. I have been in this business a long time, and we did not have a tremendous amount of people asking for access. I think that will definitely increase, especially as this is published more. But amendments have been fairly rare in the paper world.

We do have corrections, so we have processes to make corrections, but to actually attach amendments, I'm hoping that that will not be similar to the credit report industry, where they have the opportunity to make that. I think this may have been modelled off of that.

DR. ROTHSTEIN: I want to thank all four panel members for their excellent testimony. Every time we have another panel, we have more issues that we didn't think of before and that we will definitely have to take into account.

So thank you once again. We will stand in lunch recess until 1:30, and then we will have our panel on rural hospitals.

(The meeting recessed for lunch at 12:36 p.m., to reconvene at 1:30 p.m.)


A F T E R N O O N S E S S I O N (1:37 p.m.)

DR. ROTHSTEIN: Good afternoon. We are back with our third panel on rural hospitals. Our second witness is on his way, we are told, so we are just going to ask our first witness, Pam Mitchell, to speak for an hour or two, and then when Mr. Sinclair arrives, you will be off the hook.

MR. SINCLAIR: I'm Mr. Sinclair.

DR. ROTHSTEIN: Oh, great. So we are back on schedule. Welcome to both of you. Please take your ten, 15 minutes, and I will give you a one-minute warning if needed. Then after the presentations, we will have questions and discussion with the subcommittee members. So please begin.

MS. MITCHELL: Thank you. My name is Pam Mitchell. I am responsible for implementing the HIPAA compliance and IT security program across Banner Health System.

Thank you for the opportunity to share Banner's perspective on rural privacy regulation compliance. I would like to cover three items in these opening comments today. First, I'd like to share Banner's perspective on the privacy compliance challenges facing rural hospitals. The second area I would like to speak to is to introduce some items for consideration for all of you in the Office for Civil Rights and the Department of Health and Human Services in general. Lastly, and this is my starting point actually, is to provide enough of an overview about Banner so that there is a context for the rest of my comments.

Banner Health System is a two billion dollar health care organization that resulted from the merger between the Lutheran Health Systems in Fargo, North Dakota and the Samaritan Health System in Phoenix, Arizona. We have over 22,000 employees. We have over 30 facilities across seven states. We interface with over 5,000 physicians. Some of these facilities are large metropolitan hospitals, and others are small rural facilities. In slide three I have profiled some of the facilities.

Banner organized a central HIPAA compliance office in June of 2000. The HIPAA compliance office provides support for all of the Banner facilities. The facilities however are responsible for implementing the remediation plans.

The relevance of this point is that my comments are based on our experience providing HIPAA guidance for all facilities. There are certain nuances that I am going to highlight in today's discussion that are specific to our rural facilities. So we do have a single process.

We have applied it a little bit differently to our rural customers. The point about this is that some of the services that we provide to the rural facilities would provide the most challenge to those facilities if they were operating alone, as stand-alone facilities. So if Banner wasn't there, then these would be I think some of the challenges they would face as stand-alone facilities with their HIPAA compliance effort.

We have identified roles and tasks at three levels, the corporate HIPAA compliance office level, the regional level and the facility level. While we have broken out the roles into these three categories, there are a couple of universal truths.

First of all, all the work to varying degrees that I have listed on this slide needs to get done. In the rural facilities, in a stand-alone rural facility, it might be a little smaller scale, but the work still needs to be accomplished.

The second quote-unquote universal truth is that regardless of who does the up-front planning, and the who may be at the facility level, it may be someone from a corporate body, or it may be a consultant that they bring in, regardless of who does that up-front work, the actual implementation of privacy rules and regulations is the responsibility of those facilities. That is not something that someone can do to them; it is something that they ultimately have to absorb and own.

The HIPAA compliance office at Banner has performed the majority of the tasks through phase one and part of phase two of our remediation effort. What we have done at this point is tasked our rural facilities with what is outlined in the shaded box. That includes things such as implementing the communication program, which is actually reaching out to the department heads, setting expectations for the education program, both with the department managers as well as the workforce that they supervise.

We have asked them to implement an education program for the physicians, which we have tried to provide them as much support and guidance on their actual implementation. We have asked them to implement the corporate policies and procedures, which is no small feat. There are about 45 different policies that affect varying degrees of every employee in those facilities, and in many instances have significant practice changes required to insure that there is compliance.

We have asked them to implement the business associate agreement analysis and contract changes for those contracts that are performed at a facility level.

I have spoken to not only our facility contacts in our rural hospitals, but I have also talked to the Arizona Hospital Association hospital membership, many of which are small facilities, and received some guidance or some lessons learned regarding the challenges that they face.

The first is, rural hospitals are amazing places. There is not a single individual in a rural facility that doesn't wear multiple hats. The challenge there is that regardless of the size of the facility, if they admit two or 20 patients a day, they have to comply with the same core or essential functions for HIPAA. When we talk about identifying people to allocate to the remediation efforts, it is not a small request for those rural facilities, because they are so stretched from a resource standpoint.

The second point is that while there is some high anxiety by the HIPAA contact at each of these rural facilities, there isn't a huge sense of urgency yet. Part of that is because they are stretched so thin in their day-to-day operations of patient delivery; patient care delivery has to take precedence. So that is a bit of an uphill battle for those project managers to get the support from the organizations they need.

The third area has to do with just understanding the regulations, and there has been discussion and testimony about that already today. Specifically, the legal interpretation of what is reasonable, what is a covered entity, who are our business associates and how do we apply the OHCA designation, not to mention the state pre-emption analysis, which I think we have talked quite a bit about today already.

We had a situation where we had two internal lawyers, one external lawyer who is very well versed in the HIPAA regulations, and two HIPAA folks sit down and spend about two hours just talking through the 48 entities that are part of Banner, and determining what their categorization is under HIPAA. So having a single facility think about some of the relationships they have I think will be equally challenging.

While we have been trying to figure out some of the legalese, we also recognize that the HIPAA project coordinators are overwhelmed with the sense to demonstrate some sense of progress. There is a lot of buzz and hype out there. A lot of it is generated by the vendors and consultants that are trying to sell product and services. The rural facilities sense this, and they feel like they need to move.

Part of the problem though is, they don't know where necessarily to move. There is not a good reference source to say what exactly they need to do, when and in what order. So what I have found in a couple of instances when I have talked to colleagues in other organizations is, they have had some false starts. They have done things in the name of HIPAA remediation that didn't necessarily contribute to the overall compliance. That is a high risk for a rural facility, because their resources are stressed, so there is a high cost.

One of the last points I want to mention on the challenges have to do with the physicians. In the rural facilities and the rural communities, a higher percentage are not covered entities. They are not covered entities because they don't do electronic billing, and their practices are too small to be required to comply with the Medicare electronic submission. So the additional challenge those rural facilities face is being the source of HIPAA education. Whereas in the metro areas, those physicians have to be compliant in their offices and that compliance extends to the hospital, in the rural facilities, they are asking the physicians to be HIPAA compliant in their facility when they don't necessarily have to be in their private practices.

I mentioned briefly that there are a lot of people that pose as experts out there. I get four to five calls a week from people that are trying to sell me something, that pose as experts. I ask them what do they know about my facility, what more do they know about HIPAA, since we started in mid-2000, and what really can you offer me. There is a place and a time for the vendors and consultants, but differentiating where the need is versus what they are trying to sell is again a risky proposition for a rural facility, because their resources are limited.

The privacy rule refers to safeguards. I think most people would say that is the underpinning of our security regulation. The security program in and of itself that we are implementing across Banner is more capital intensive and requires longer lead times than in some degrees our privacy compliance regulation does.

Without defined regulations, it is again a risky proposition for the rural facilities to invest in any of those safeguards, because they don't know what the alternate regs are going to be. So I think that is another challenge.

What I would like to offer are a couple of recommendations or considerations. The first set is really focused on my peer rural facilities. The first is to leverage your state based health care organizations. In Arizona, for example, the Arizona Hospital Association has been a very powerful facilitator in getting peer hospitals together. We approached it very collaboratively. We didn't view it as a competitive initiative. We have shared policies, procedures, best practices, insights into vendors, and we have used that as a forum to coordinate with MGMA, with the Arizona Medical Association, with the Arizona Physician Licensure Board in how to reach physicians, and we have also used that as a forum to reach some of the media, so that it is not an individual hospital that is communicating to the media that we are not going to be disclosing quite as much as we might have in the past. The media then doesn't pin it on a particular facility.

So I would offer that as something for consideration. The first two sub-bullets here address the challenges listed on the previous page, number three, number four, six and eight. So what I am trying to do is give you challenges and then hopefully some solutions.

The other thing I would recommend for my fellow rural facilities is to perform some sort of outreach to the physicians. That does not mean performing compliance activities in their offices. What I am suggesting is that they use general HIPAA information and privacy milestones as a way to connect with the physicians and ultimately to establish the entree for educating those physicians on hospital based compliance issues.

For the Department of Health and Human Services and the Office for Civil Rights, I would ask you to consider the following. First, to help the rural facilities perform that physician outreach by synthesizing that information you think the physicians need to know. That might be a monthly newsletter. That might be something that is downloadable from the web that the facilities could then take, package and then redistribute out to their physician community.

Provide some additional legal guidance. I think you have been very comprehensive and thoughtful in providing as much support as you can, and I recognize that it is difficult to balance between the government dictating specifically what we do and leaving us some latitude to manage the remediation in light of our operational process. But I think there are some areas where clarity would be helpful, many of which we have already talked through.

Publish the security rule. I'll leave that at that.

Consider providing privacy compliance assistance. Earlier this morning one of the physicians brought up what OSHA does. That was one of the recommendations from the Banner senior management to allow the rural facilities to ask for some assistance that would result in a checklist or a hit list of things that they should do to get to compliance.

Last but not least, be gentle with us. Several of the rural facilities that I spoke to, both within Banner and across Arizona and Colorado spoke about their concern to be fully compliant. I think they took the effort seriously. I think they are working very hard on it, but they felt that they were still at the mercy of learnings that were going on at some of the larger facilities and the communication of those learnings from the facilities to them.

The issue there is, they don't have the resources to participate in a large investigation, and in many instances they are the sole provider in that community. So if we jeopardize their ability to deliver care too greatly, we have affected a much larger population of people.

Thank you.

DR. ROTHSTEIN: Thank you very much. Any clarifications?

DR. ZUBELDIA: I have a question. When you say OCHA, is that OSHA?

MS. MITCHELL: Yes.

DR. HORLICK: I have a question. The physicians that you mention that don't use electronic billing in their practices, do they use clearinghouses?

MS. MITCHELL: No.

DR. HORLICK: No?

MS. MITCHELL: In fact, I found a few even in metropolitan Phoenix that subscribe to the government conspiracy theory. They don't want to do anything electronically, because they think somebody is going to grab that information. It is a very curious perspective, but it is more pervasive than I would have imagined. But they don't do anything electronically.

MS. KAMINSKY: I have one clarifying question. Is Banner going to designate itself as an affiliated legal entity?

MS. MITCHELL: Banner has designated itself as a covered entity. We are viewing -- I think I am going to answer your question but I'm not positive -- we are viewing the physicians as part of an organized health care arrangement. Is that the question you are asking, or not?

MS. KAMINSKY: I just would assume that these various facilities are separate legal entities, and so I would think that Banner might qualify as an affiliated legal entity.

MS. MITCHELL: Most of those entities that are doing business as Banner Health Systems, so the hospitals are covered entities. Again, legally they are doing business as Banner Health Systems, so Banner Health Systems becomes the covered entity. We aren't designating ourselves as an affiliate.

DR. ROTHSTEIN: Thank you. We will have some further discussion after Mr. Sinclair's presentation. Welcome, and we are anxious to hear from you.

MR. SINCLAIR: Thanks. I am Mike Sinclair. I am the administrator of Kane County Hospital in Kanab, Utah. I reside in a community that has the third least dense population county that has a physician in it.

I think a lot of the comments that Miss Mitchell made, you really need to pay attention to. They are very accurate. I think she understated some of the problems with them.

When I left this morning to drive up here, and it is 340 miles up here, I drove for 50 miles before I seen a car. I don't know if all of you can relate to that, but the distance we have causes unique problems. We have an interstate that goes down a mountain range to the west of us; we happen to be on the east side of that mountain range, while all the infrastructure, your telephone companies and your utility companies, have strong support on the west side. We don't get it. I really think this is an unfunded mandate that in the long run is probably going to close a lot of rural hospitals.

We run the ambulance service. Because of the ambulance service, the size of it, we have our dispatch system going through the sheriff's office. If we dispatch out -- I'll give you an example, and I'll use myself and my own home address. If the dispatch goes out and says we have a 53-year-old white male at 1073 South Kane, I can guarantee you that probably half the community is going to be able to identify the patient as myself, because all they are going to do is pick up a reverse telephone book in the area, they are going to go to the address and they are going to look, or they are going to know me.

We have an ambulance service that is run by volunteer ambulances, or volunteers that run it. We have to have two crews. The first crew is for emergency, and the second crew is for transports out of the community, so that we always have somebody for emergencies in the community. That second crew, if they don't go out on a run and they hear that information, they have already picked up enough information to determine who the patient is and what the situation is, and they probably know the condition of the patient from the information given out.

If I have got a neighbor down the street that hears who it is, knows the situation, goes and makes a casserole and then says, this is to feed you while your husband is sick, she is in violation of the HIPAA regulations. If I have got somebody else that is down the street and comes in and says they're going to take care of my kids because they heard the information on the radio, they are also in violation.

I see some smirks, but that is a real concern to me. You can't isolate HIPAA from the other regulations. Basically, what you have done is, you have criminalized compassion. In a small town, I guarantee you, everybody knows everybody else that is going on out there, and you cannot isolate it and prevent one hundred percent of that information from being locked up. It is just not going to happen.

I think the only thing that this whole act is going to do, it is going to basically fund trial attorneys. I have gone to probably six seminars now, some of them put on by the state, some of them put on by supposed experts. We have called Medicare in particular to get information to make sure we are going to be compliant on the HIPAA regulations. The comment they always make, guaranteed one hundred percent of the time, is, ask your attorney.

Well, I can't afford it. I can't afford to put an attorney on staff. It has been one hundred percent. I have sent employees out for medical records, I have sent employees out from the business office. I have sent nurses out. Guaranteed, that is the majority of the most important thing that they have brought back from any of the seminars, is ask your attorney, because nobody understands it.

I am a free-standing facility. I am one of three truly independent facilities in the state. I don't have a corporate office to go back to to ask questions on. I think the only way that we are truly going to end up in compliance with HIPAA is when we get surveyed, and somebody comes in and cites us with deficiencies and we try to correct them. That is going to be a problem in itself for us.

The training for rural facilities is not readily available. It is very confusing. I really have a problem with what they are trying to do as far as separation. I can go back repeatedly with regulations that do not involve HIPAA. In 1960, they built the hospital in Kanab. They built it with a business office that basically had three people working in it. 1965, Medicare regulations come out, and we ended up putting a double-wide trailer with 1600 square feet and 11 employees working in there since 1965. We are treating the same number of patients.

In 1995, we started planning a replacement hospital. We went from a 20-bed acute care hospital with 13 long term care. We downsized to a nine-bed acute care hospital, 26 bed long term care facility. We deliberately made an open office for medical records in the business office, so that we can communicate.

We have got people cross-trained in both departments, so that they are always running back and forth. I really think that after these HIPAA regulations are in effect, we are going to have to go back in there and rebuild the business office to make small compartments so that the people that aren't working on an individual account do not have access to a second or third account. We have the same problem with our physician's office.

We have problems that I see coming out, because right now there are six providers in the area. Four of them are employed by the hospital, two of them are independent. The independents we fax lab results to, and I don't see any other way to do it, but I also see a whole lot of privacy issues with that practice, and I don't see an alternative out there.

I think we are going to have problems because of our size and the way we are structured, with just the location of how we can figure where people are working in the hospital. Right now with our emergency room, our standard practice has been, if we have a patient come into the emergency room, if it is at night we do not have an office personnel there. We call them in for when the emergency is in. It is a low-volume facility.

They come in, and if we need a medical record, they walk down the hall to medical records, they pick up the record, they bring it back for the physician to review. If we don't have a medical record on them and they want to see the clinic record, then we have to call somebody in from the clinic, which is attached to the hospital. So we bring in a second person to come in and get the clinic record. The question I've got is, if the physician is in our clinic, I think there is no question that they have a right to see that record. If that physician is one of the independent physicians who has taken an ER call, does he have the right to see that record? Or are we going to have to break it out? If a person comes in with chest pain, do they have the right to see the record if it is for -- say it is a gentleman and they are giving him Viagra?

I don't think those are silly ideas and problems, but I think they are real issues in a small facility like ours.

The other problem that I see is really with just the cost of this. We have been looking at changing on our computer system. Everybody that we have talked to, when we ask them about bringing our computer system into compliance, they are talking about $150,000 to $200,000. The problem that I have with that is, September 11 there wasn't anybody in this room responsible for that act, but one of the implications that happened to us is that I had 50 percent of my medical staff leave because the spouse decided she had to be close to family members.

I replaced those physicians. We recruited them, and they started. Since July 1 when we brought in the new physicians, I have not been paid for a single Medicare patient or Blue Cross patient, because Blue Cross is the intermediary.

We have to have provider numbers for Medicare and all the other insurance companies. We have to have a UPIN number so that we can submit the information electronically. The providers and the insurance companies have not been able to process that information yet.

The result of that is that a month ago, I made payroll. I paid two-thirds of my vendors and put the other third on hold. Two weeks ago, I paid my employees. I paid half my vendors and put the other half on hold. I have payroll coming up again next Friday. I will probably make payroll, and my vendors are going to be less, or paid less.

I don't have $150,000 to put into this computer system. On October 6, I had a CT where I lost the tube. We had a power outage. We had the first rain that we had in 12 months; we ended up with an inch and a half of water. Great for us, bad for the utility company, and we ended up with brownouts, and that fried my CT tube. That tube is going to cost me $35,000.

Now, I have a choice. I can't pay my vendors now. I can buy a CT tube which can be used to save somebody's life, or I can pay $150,000 to be in compliance with HIPAA. Who is going to make that choice?

I think it is a rotten piece of legislation. I think you are not going to get full compliance in the rural facility because of the financial needs.

I'll end.

DR. ROTHSTEIN: Thank you very much. Any clarifications?

MS. KAMINSKY: I actually have one. I'm curious what that $150,000 computer upgrade is that you think you need to make, and why you think you need to make that.

MR. SINCLAIR: Because I don't see how we are going to -- right now we have a combination of hard paper medical records, but everything that we transmit to Medicare and Medicaid and insurance companies has to be done electronically or we don't get paid. As long as we have those paper medical records and paper files, I think it is going to be too easy for simple access to them.

I realize that HIPAA doesn't require that, but the same thing is true -- and part of it is just paranoia. We had an EMTALA investigation that started from one incident. The feds came in, they exonerated us. So I asked them, can I get a written report on it, and they said no. But what they did was, they basically went back and they created a secret file, wrote it up and said, we didn't do anything, we have no violation. They come back about six months later and they investigated the same incident because somebody said, you investigated, now we are going to inspect you. So they come back and they did it.

That happened to us three times. The fourth time, there was a complaint filed by a trial attorney, and the same people came back and they investigated it again, and they were critical of us. So now we have a public record, because then we ended up with some deficiencies, and now the trial attorney is using it in a case against us.

EMTALA came out as a result of the omnibus reconciliation act of '96. HIPAA is from that same omnibus reconciliation act of '96. We are going to be surveyed. The same people are going to survey compliance with it. You are shaking your head. I don't know if you disagree with me, or if you know something I don't. But it is the same people for everything that is going to be investigating this. The only people that are going to end up with it are going to be the trial lawyers. I am very concerned.

That is why we need to do everything we can to upgrade our computer system. One of the things that a computer does is, it makes you fill in all the blanks. I think when you have got the paper medical record, there is going to be too many chances where they take it for granted and don't put it in.

DR. ROTHSTEIN: Mr. Sinclair, I have a question. I am trying to get a sense of your -- you certainly have very passionate views, but I am trying to figure out exactly how they fit into what we are doing here.

Is it your opinion that the problem with HIPAA and its implementation is, it was a mistake to do anything at all in this area? Or is your view that the economics of running a rural hospital today make compliance impossible because even assuming that the goal of this legislation in terms of protecting privacy is a worthwhile goal, you just don't have the resources. So is it the first or the second?

MR. SINCLAIR: A little bit of both. One, I know I don't have the resources. I cannot envision it at all, as far as having the resources to ever be fully compliant. Part of it is, it is nice if -- I'm not sure exactly what you are trying to stop. Keeping medical records in rural hospitals, we have always tried that. We have a unique problem, because we are so small.

It is just like when you dispatch the ambulance. Everybody in town knows who showed up and why. That is a unique problem that they don't experience in a larger metropolitan area.

We have the same problem if we have a patient that is admitted to the hospital with all the visitors that walk in. If they walk in, they are going to know the person, so they are going to walk in and walk out, and they are going to end up hearing more information than they probably should. Some of it is going to come directly from the patient, some of it they are going to overhear.

DR. ROTHSTEIN: But I don't think either of those examples would be in violation of HIPAA.

MR. SINCLAIR: Well, it is nice that you are saying that. But my experience with the feds, and when they come down and survey other things, I think I am going to be in violation. We are trying to stay out of the way of the feds. Maybe it is simply paranoia, but I haven't seen anything come out that would alleviate that fear.

DR. ROTHSTEIN: Other questions? Would you like to weigh in, Miss Mitchell? You are different in terms of scale, but certainly deal with a lot of rural hospitals, and maybe even several that aren't affiliated with your company. So do you get the same sense that rural hospitals are under the gun as a result of this?

MS. MITCHELL: I think they are under the gun, but I also think that the regulations provide a fair amount of latitude in terms of how you address some of the requirements. There are ways to do it procedurally with some level of education, with some level of audit that may at least minimize some of the higher cost solutions that you may find in the larger metro facilities expending.

In terms of the privacy issues -- and I had this conversation with our general counsel, what is curious about the rural facilities is, we can talk about scaling down, because of the tight resources, et cetera, but the culture is very non-private. The culture, because the community basedness of it is very conducive to wanting to know if Mrs. Smith is in and Mr. Jones is in, and the breaches that occur tend to be of your general population.

In downtown Phoenix, the breach that occurs is when Senator McCain checks into the hospital. It is for either employees, physicians or well-known public figures. But the breach is no more, no less. So it is not as if the violation isn't as significant in a rural facility as it is in a downtown large metropolitan area. It is the culture of those two entities that I think create some of the complexity and where you draw the line.

So on the one hand, you can say it is a community and we want to support our community. On the other hand, you could say those people have a right to protection and they have a right to some privacy. If you didn't want your name to be known for an emergency visit, you should have a right to protect that. It does offer a really unique challenge.

So we didn't come down on one side or another except to acknowledge some of the differences and the challenges. I think fundamentally we recognize that there is probably a need for what you are doing with the regulation, and hope to qualify or manage some of the more challenging parts of implementing it.

DR. ROTHSTEIN: Other comments? Dr. Harding.

DR. HARDING: There are a couple of things, Mr. Sinclair, that really concern me. I think we share the concerns. One is the issue of unfunded mandates. I see what you mean, and understand the appearance anyway, if not the reality, of that.

I'm not saying that it doesn't cost to go along with HIPAA standards, it does. I think that the mutual agreement that I hope we could come to would be that we are trying to help assure as much privacy as is, as the term says, reasonable, and that you be at least as private in your operation as a peer operation would be.

Now, I hate hearing you mix two groups, EMTALA and HIPAA, because I know the affect, the feelings of EMTALA. I am a doctor, and that has been probably the most destructive issue in professional hospital and doctor associations with the federal government. Nothing has been more destructive than EMTALA. So I am hoping that HIPAA will in the long run not have that course, but will have more of the helpfulness issue, and would like to help rural hospitals and other hospitals work with HHS and so forth to not be a financial burden and not be a legal burden, but have it somehow or other be directive and helpful in maybe finding a way to handle the admission process so it doesn't get announced over the radio, the receivers and so forth in the community or something that might be more helpful. But I also don't want it to be an anti-cultural issue that changes the culture of every little town. That is not its purpose.

But I think I am with you on your concerns, and certainly don't want to have it be an unfunded mandate, and certainly don't want you to spend money on that when you have other things that are of a higher priority in your business.

Some of the examples that you gave made me wonder if you had gotten advice from somebody who was being too strict in their interpretations. Of course, then you say, who should we get the interpretations from, and that is something that we are working on at the present time. But I worry when you say that you -- you gave several examples like you are going to go to jail or whatever for various infractions, and then you associated it with EMTALA. I hope that doesn't turn out to be reality at all. I hope that is a fear that you have that we can stop.

MR. SINCLAIR: When you talk about the costs and fears, and she mentioned the difference in culture. The size makes a big difference. If I bring somebody in for surgery, regardless of who it is, I get two nurses that know who the patient is. I know the surgeon and his assistant, the admissions office and housekeeper. So we have got maybe 15 people that have access to that information. If you go into a large hospital, just because of the size of the hospital you probably have 15 people that also have -- it is the same number. The difference is, those 15 people in a small town probably talk to half the community.

The other problem is, when you try to control costs -- and I am not the only one out there who is paranoid. One of the largest cost increases is health insurance. You control health insurance -- one of the ways we have done is, if you find a physician where half your employees are going to it, and the only thing they get out of it is Lortabs, there is something wrong there. All they are getting is a drug. Well, the easy way to control that is just go in and take that physician off the provider list. You go to the insurance company, you say I want a list, I want to see who all the patients have gone to, I want to know which hospital they have gone to, I want to know what the cost is. If there are three hospitals out there that are doing the same procedure, you can go and negotiate with a reduced rate.

If I go out and ask for that information now, the insurance companies are telling me no, you can't have it because of HIPAA regulations. That is the response I'm getting. I can't find out where my health dollars are going. I am a hospital, and in a rural facility, ten percent of the population is going to use 75 percent of the resources. Those ten percent I guarantee you, went to a tertiary care hospital, and I didn't do it. So I sent 75 percent of my health care dollars out of the community. Drugs are going to take about 20 percent of it, and by the time you are done, we are treating about 90 percent of the population with ten percent of the health care dollars. Those are just how the health care dollars are spent.

You have also got between 17 and 23 percent of the premium that is going to the insurance company to cover their administration. They get more than I do for providing 90 percent of the care. Yet, when I go to the insurance company and say what can I do better, they are saying no because of HIPAA. That has been going on for over a year now.

DR. HARDING: If I could just make a comment. I don't know how to say this, I'm not a lawyer or anything like that, but the insurance company does not have -- if that is identifiable health information that you are asking for, patients' names and so forth, that is one thing. If you are asking statistics, that is different. That is why I wonder if you are having your leg pulled. But I won't get into that because I'm not an attorney. But I don't need that to make a business decision.

DR. ROTHSTEIN: Let me just ask one final question. That is, from your discussions with colleagues or in similar positions at other rural facilities, is it your sense that rural hospitals like yours are saying there is absolutely no money to pay for this, and I can't afford it. I'm not going to stop treating patients in the emergency department to comply with HIPAA. Therefore, the response is basically to do nothing. Or is the response, HIPAA is too expensive, and anything that is going to cost me money to comply with I'm not going to do, but things I can do that won't cost me money, I'll do?

MR. SINCLAIR: With the hospitals that are with a group like Banner, I think the small rural hospitals, the administrators are relying probably 90 percent to get directions from the corporate office. In the smaller facilities like mine, the things that we can do, we are doing, but we have taken basically a defeatist attitude. We know we are not going to do enough, and somebody is going to come in and just beat the snot out of us. That is how we feel, because we have done this before with other programs. After it is done, and they have come in and they have embarrassed us enough, and they have taken resources from direct patient care so that we end up with a larger outward migration of patients going someplace else because we can't provide that service, because we have found someplace else to cut to be in compliance. In three to five years, we might get back to where we were before we started.

I don't know of anybody out there who is not going to try and be in compliance. I think it is universal out there. Everybody is going to try. I think it is universal that everybody has got this fear in the back of their head that no matter what they do, it is not going to be good enough.

DR. ROTHSTEIN: Just thinking out loud, maybe it would be valuable for the Department of Health and Human Services to break down the compliance costs, not with dollars because it is going to vary by institution, but here are the ten things you can do that aren't going to cost you anything. The next professional staff meeting, remind them of their ethical obligations, blah, blah, blah. You can put these signs up, and that will cost you a negligible amount of money. I'm not talking about the whole computer system.

But it seems to me that we are deluding ourselves to think that by April 14, every health care provider and facility in the country is going to do 100 percent of what the rule requires. Maybe we ought to facilitate the providers and covered entities, at least to get the low-hanging fruit that is available at no cost.

MS. MITCHELL: If I could just make a comment on that, I think that is an excellent suggestion for a couple of reasons. One is because all facilities are getting bombarded with recommendations on how to respond. A lot of that information is driven by someone's desire to sell versus their desire to help you become compliant.

You are a source of truth, because it is ultimately the interpretation of what is deemed right or wrong or reasonable is going to come from you or the folks you are working with. So to give that hit list of things that would be a low-cost starting point for showing some due diligence in privacy remediation I think would be very helpful for everyone, and certainly for the rural facilities.

I know in Arizona, we share the information amongst ourselves as a hospital membership group, and can cut through some of the hype. But when push comes to shove, Yappapi Valley is on its own. They don't have a hospital association or Banner to work with them if someone were to launch an investigation. But if they did have that list, that reference list, it may give a sense of comfort on what truly is reasonable. So I would reinforce that as a potential action.

DR. ROTHSTEIN: Kepa.

DR. ZUBELDIA: As an advisory committee, one of the things we are looking for is how to advise the Secretary to use the resources within the Department to provide technical assistance to the covered entities. What would be your recommendations for technical assistance that would help you the best, other than give me half a million dollars?

MR. SINCLAIR: I'll take it.

DR. ZUBELDIA: What kind of technical assistance would you be looking for from the Department?

MR. SINCLAIR: I think when you ought to survey and evaluate compliance, you are going to have trained those people in specifically what they are going to look for.

From my point of view, the thing that I need before they show up is, I need to know exactly what they are going to be looking for, and I need it in a ten-point bullet list that is in English. Then I need the interpreted guidelines, how the surveyor is going to look at it. If the surveyors come out -- and I found this with other agencies that we have interacted with -- the surveyors come out, and they are all looking at the same thing, and they are all looking in the same area, but they have got different interpretations of how they are going to judge compliance. I need consistency from one year to the next, from one surveyor to the next. I'd like to have that before they showed up, so that we have at least got half a chance to be in compliance.

DR. ROTHSTEIN: Marjorie?

DR. GREENBERG: I just wanted to ask Mr. Sinclair, if any professional associations or the office of rural health in the Health Resources and Services Administration, either or both, had provided you with any assistance that you found was useful, any technical assistance or any resources.

MR. SINCLAIR: They have sent information out. We have used it. But a lot of what they have sent out has been copies from somebody else. Most of the time it is copies of the Federal Register.

DR. GREENBERG: Has it been tailored to hospitals such as your own, or has it been more general?

MR. SINCLAIR: It has been more general, I'd say. I know there has been nothing specific to small rurals.

MS. MITCHELL: The AHA has organized a monthly conference call with rural facilities. They do it in a couple of different instances during the month to allow a maximum number of people to participate. We have participated a couple of times. Again, it is a mechanism to talk about some of the unique implementation considerations in a rural facility.

I haven't seen any specific deliverables or action items out of that, but it is a forum to collaborate.

DR. HARDING: One of the reasons that HIPAA got started and administrative simplification came into existence was to save money. We haven't heard much about that. I think Marjorie asked someone this morning about the positives of that.

Do you foresee an end point or a point at some time where what you are going through could, because of quote administrative simplification and uniformity of transmission of electronic medical data and so forth, save?

MS. MITCHELL: Yes, I do. It is in two different areas. One is grounded in the transaction standard in code sets. If that vision is truly realized, and there is indeed a single standard and payors and clearinghouses are held accountable to receiving that information and turning around those claims, et cetera, I think there is opportunity there.

It is something we are tracking, although we are a little bit cautious, because we don't necessarily see a downside for the health plans yet, although actually, I think the Office for Civil Rights is now responsible to make sure of those. So there is an opportunity with transaction standards and code sets.

Being a little bit of a pessimist and working probably too closely with their general counsel, frankly we feel like we are either going to get sued into submission for both privacy and security, or we are going to do it. So I wouldn't necessarily talk about pure cost savings so much as perhaps cost avoidance.

As sometimes burdensome as the privacy regulations seem, they do give us a vehicle to address a federal regulation for privacy and confidentiality that at some level is defensible. It still doesn't mean that the civil actions won't occur on a state basis, but it does give us a forum for showing some due diligence in that arena. I think if you play that scenario out, there may be some opportunities for cost avoidance or legal fee avoidance down the road if we do what we need to do on it.

DR. HARDING: That is not cost reduction.

MS. MITCHELL: No, exactly.

DR. HARDING: Would you -- just speculating here about Mr. Sinclair's hospital, he has 11 people working in his Medicaid double-wide at this time. Is there any possibility from your standpoint that that number could be reduced to six if all those things -- you don't feel so?

MR. SINCLAIR: Never happen.

DR. HARDING: Are you counting on your billing procedures being simplified, so to speak?

MS. MITCHELL: We are certainly hoping. What we are hoping for is, instead of having to comply with a dozen or two dozen different proprietary standards for electronic transmission, we are dealing with one. Instead of having an equal number of people that manage those proprietary standards, we may get down to half or a quarter of that number.

So I think the essence of the administrative simplification is indeed simplification, and we may be able to achieve some economies, although there are a lot of dependencies associated with that -- vendors, clearinghouses, payors, and of course our own diligence in achieving those efficiencies from an operations standpoint.

So it is an opportunity. I can tell you that I certainly won't, and I'm not sure our finance department will make any definitive statements on cost savings. I think they will talk about it in terms of cost saving opportunities.

DR. HARDING: Why do you say that?

MR. SINCLAIR: I have to have just the front desk, the reception area, I have to have covered so many hours. While those people are there, they are working on other things if a patient is not there. So you could actually come down and save me 30 seconds per claim that we file, and it is not an amount that is going to permit cutting a staff person.

DR. ZUBELDIA: Have you looked at the other transactions, like posting remittance advice electronically or doing referrals electronically, or claims status or eligibility electronically? How much time would that save?

MR. SINCLAIR: We actually transmit our claims for Medicare and Medicaid, IHC, which is the largest insurance company here in Utah, and Blue Cross electronically now.

I really can't say that that is a savings in time over sending it out by mail. The difference is, the insurance company, if I send it electronically, they pay me faster than if I send them a hard copy. But as far as the work that we do in house, it is almost -- right now it is an extra step we do. I haven't seen any savings at all going electronically with it.

DR. ZUBELDIA: That is interesting, because you must be using UHIN in Utah, and UHIN has a tool to calculate the savings on the transactions that they posted on their website. The reports we have had from savings in the transactions is that they are substantial, even for a small practice or small hospital.

MR. SINCLAIR: I don't see how they think there is a savings.

DR. ROTHSTEIN: I want to thank both of you. It seems like at the end of each panel I say that it is a perspective that is absolutely essential for us to consider, and raised issues that we hadn't thought about before, and this is no exception. I appreciate your testimony, and also both of you coming a great distance to speak with us. We will certainly pay close attention to your remarks in our recommendations.

Our schedule calls for us to have the next panel begin in three minutes, which we will not do. We will take -- how about if we take a ten-minute break, and we will resume at roughly 2:50.

(Brief recess.)

DR. ROTHSTEIN: We are back on the record and back on time, and ready for our panel number four, which deals with state agencies, public health and research. I want to welcome all five panel members.

For those of you who have not been here before to see some of the other testimony, I want to remind you that you will have ten or 15 minutes. I will give you a one-minute warning if you are getting close to the end. After the conclusion of all five witnesses, we will have a panel discussion of the issues that have been raised.

I would like to begin with Mr. Burt Cohen.

MR. COHEN: Thank you, Mr. Chairman, members. I am Burt Cohen, Acting Director of the California Office of HIPAA Implementation. I appreciate the opportunity to provide testimony to your Subcommittee on Privacy and Confidentiality today.

Let me just say that in testifying before the state legislature, they very much appreciate people talking to them rather than showing up and reading their testimony. If I can reveal a piece of personal health information, when I was cleaning my eyeglasses this morning, they broke right in half, and so my level of spontaneity will be somewhat increased thereby.

California welcomes the opportunity to work with NCVHS and with HHS in this very important undertaking of HIPAA implementation. We hope that this will be the beginning of a dialogue that will continue for some time.

I have been asked specifically to provide testimony on our report to the legislature entitled Statewide HIPAA Assessment, which I will do. Time permitting, I would like to also comment on what I consider to be the unique issues that states have with HIPAA implementation, and how OCR and HHS can be helpful to the states in that regard.

Let me say also that I hope -- and certainly my remarks are intended to be constructive rather than critical. As someone who has been a state administrator for a long time, I realized the challenge that HIPAA presents to everyone, including our partners on the federal level. I would hope that my remarks are interpreted in the vein of, rather than revisiting past history, really focusing on how we can make the best use of our resources as we go forward.

The report that we did, the assessment that we did, was mandated by state legislation, which required all state entities, departments, boards and commissions, to complete an assessment by January 1 of '02 in a form specified by our office, which was also created by that legislation.

The assessment then was performed based on information, based on status as of the end of '01, and then was reported to us at the beginning of '02. Then the legislation further required our office to summarize this information and report it to the legislature, which we have done.

The report in its entirety is available on our website. I understand you have a copy of at least the executive summary.

Let me just highlight some of the information from that report. Of more than 200 assessments that were sent out, we identified 49 government programs in 23 departments that were impacted by HIPAA, the largest of course being the Medicaid program, which in California is about a $30 billion program. Many of the other programs covered though are also federal grant in aid programs, which I understand is one of your specific interests.

Of the 23 departments, 11 were identified as covered entities and 12 were identified as having another HIPAA impact such as being a business associate or someone who exchanges information with a covered entity or a business associate.

Uniformly, departments have been at the early stages of HIPAA implementation, and because of our budget situation in California, where we have experienced about a $20 billion shortfall, a $20 billion gap that we have to overcome, there wasn't a lot that was done during the last fiscal year on HIPAA implementation.

Also, this year the budget was late in getting signed. Our fiscal year begins July 1. The budget wasn't signed until September. So even though there is money in the budget this year for HIPAA implementation, there was that delay in getting started, and departments are now going through the process of getting contractors, getting staff, getting their plans in motion again.

Essentially, what we identified -- and I think where departments were was that there was a pretty good level of HIPAA awareness. In fact, the assessment process that we went through I think facilitated that process of HIPAA awareness. There was even some preliminary assessment that was done, and some preliminary planning.

Right now, we are going through the process of getting more specific plans and schedules from departments. Then that is something we will use to monitor and to track the implementation process and to again summarize and report the results to our agency, secretary to the governor's office, and to the legislature.

At the time of the assessments, no departments though had begun the remediation process, the specific changes to their IT systems or business processes. We hope to reach that stage this year.

Generally, I'll just highlight some of the concerns and challenges to us. HIPAA is very complex, very far-reaching. It is a unique combination of very specific detailed changes and also a cultural change, a way in which people view their jobs differently. Coming at a time of fiscal stress for our state and other states, this is quite a challenge for us, and I think takes a very strategic focus to address.

The complexity in any area is driven by the number of governmental programs affected. Some departments have many. The different ways in which HIPAA impacts those programs, be it as a covered entity, a business associate, or someone who exchanges data, the number of information technology systems impacted, and the number of new federal rules that come out and the frequency with which they are revised.

The other dimension for state departments is implementing standard transactions and codes with private providers. We hope to do this in a way that minimizes the impact on providers, the claims they submit, and of course, above all we want to avoid the disruption of services to the clients they serve, even in more subtle ways such as increasing paperwork or making the provision of health care more bureaucratic in any way. But certainly at a time when both our departments and the private providers are trying to implement HIPAA, trying to meet federal deadlines and avoid sanctions, it is a little bit like drilling a tunnel through a mountain from both sides, and you just hope you are going to meet in the middle there.

To address some of these challenges, we have organized a number of work groups, working on things such as county-state issues, legal issues, communications with private providers, research and interpretation of each of the rules. We also have an advisory committee where different elements of private providers are represented, and where we hope to make communication one of our main themes for HIPAA implementation this year. If you are drilling those tunnels from two sides, you need to keep talking to each other if you have any hope of meeting in the middle.

We also started a pre-emption analysis. There was quite a bit of discussion so far today about pre-emption. It is a huge issue for us, if only because I think California probably has one of the larger volumes of state law. So just as a workload area, it is one of the bigger areas for us.

Our role as the statewide HIPAA office is to provide leadership, direction, oversight, monitoring. So we are going to continue to work with departments as we go through this process.

If I may, I'd like to turn now to specific comments related to how I think we can most constructively work with our partners at the federal level on these issues.

Let me start by saying that California comes into this with a very positive, a very supportive attitude toward HIPAA implementation, and in particular the privacy aspects of HIPAA. California has been a state that has prided itself for a long time on protecting personal privacy. This is a right that is guaranteed in our state constitution, and is part of the political and administrative culture in California.

Therefore, we fully support the goals of HIPAA. California is recognized as one of the leading states in protecting privacy, and we see HIPAA, the privacy rule, as an extension of what we have done already.

The other side of the coin though is that HIPAA imposes many new administrative requirements, administrative activities, documentation and tracking activities. This in itself creates new workload, new resource demands and new personnel demands for our departments.

Just two weeks ago, I attended a meeting at the National Governors Association in Washington. Doug, another member of your panel this afternoon, was there. We talked about some of the unique issues that states have in implementing HIPAA, and I'd like to try and summarize those quickly if I may, and I'm sure Doug will have his perspective on them also.

If there is one main theme that I would strike -- and I think you have heard this from other panels today, too -- it is that certainly, HHS has tried to be helpful and has been helpful in terms of advice and technical assistance where they can, given their limited resources. But I think one thing that you are getting a flavor for today is that different constituencies have different needs. A one-size-fits-all approach only goes so far. Certainly that is true with states. States have some unique issues that other groups may not have. I think for HIPAA to be successful, it is important for OCR and HHS to be able to address those issues.

The first one that I would list is recognition that states are administering government programs, in many cases HHS' own programs. HIPAA is something that evolved out of the private health care arena, and in many ways the concepts and terminology that is used in HIPAA reflects that history. When you use terms like provider, health plan and clearinghouse, I may be underestimating the situation, but I think it is relatively clear in the private health care world what those mean, and I think you know when you are out in the private health care world, when you have encountered one of those.

In the arena of government programs, it is far less clear. For example, our foster care program that provides new homes to abused and neglected children has a very important health care component to it, in terms of providing, case managing, tracking and reporting health care.

Now, in the terminology that HIPAA uses, health care is not the primary purpose of the program, but it certainly is more than incidental to the program. Foster care is one of those programs that is funded by the federal government under Title 4E of the Social Security Act. Is that a covered entity or not? It is not clear. This is one of the areas where we would benefit from continued dialogue and continued assistance from HHS.

The same is true in our welfare program. The temporary assistance to needy families, our TANF program, which provides mental health services and alcohol and drug treatment services if those are necessary for a case plan. We use Medicaid funds to provide case management in our adult protective services program. We also use Medicaid funds under the personal care option to provide in-home supportive services, which I would emphasize are provided by non-licensed personnel. This is not a health care service per se; it is provided by non-licensed personnel.

So I think things like this fall into a gray area, where it would be very beneficial to have a dialogue at the front end and come to some consensus about what is covered and what isn't.

I think the alternative is to roll forward past the deadline into a complaint-driven process, which I think would be far less productive, far less desirable. At this conference in Washington, what we were hearing from both CMS and OCR is that the good news on both transactions and privacy is that it is going to be a complaint driven process. So don't worry, we are not going to come after you, at least right away.

The bad news is that we always have a lot of people lining up to file complaints. So what we are subject to then in a pretty litigation-driven world the government lives in now is that the agenda will be driven by other people. It would be far more desirable to sit down with OCR and CMS and agree on some priorities and some interpretations, rather than getting whipsawed around later on by other people who determine for both of us what the priorities are going to be by the complaints they file, where they file them, and the particular way that they address and frame those complaints.

Also, getting some assistance on the front end about what is covered and what isn't would allow us to avoid spending some of our very scarce resources in areas where we don't need to. It would allow us to focus those resources in areas where we do need to meet HIPAA compliance requirements, and even beyond that, it would be very beneficial to have a discussion about what some of the priorities will be. In the absence of an enforcement rule, we have lived so far in the absence of the security rule also.

It would be very good to know from HHS' perspective, from OCR's perspective what are the priorities, what are the most important things for states that have scarce resources, which I think is just about all of us. Some states are even laying people off; where should we focus those resources, what is going to matter to you when the complaints start coming in.

One option would be for states to amend their state plans. For all these federal grant programs, there are state plans that are required. They are on file and they are approved by HHS. So one option would be for states to amend their state plans in these areas, and indicate based on our interpretation whether a particular program is covered by HIPAA or not. That way, HHS could either approve or deny those state plans, and we could get an administrative determination and reach an administrative agreement before we go into an adversarial complaint-driven process.

Mr. Chairman, let me say we really need more than that. Right now, given the divided administrative structure within HHS, we are subject to having different interpretations made by CMS than those that are made by OCR. So it is conceivable in one of these gray areas, after a sufficient number of complaints get processed, that CMS decides that something is a covered entity, and OCR based on dealing with different complaints decides that it is not a covered entity.

There is no mechanism, no administrative mechanism now for resolving that. I would suggest to you that it would be far easier on all of us if this were capable of being resolved at the front end.

I think also that HHS as an organization itself has a stake in this. In administering these grant programs, states are an extension of the federal government. We are doing their work, we are administering their programs. In many cases we are dealing with the neediest, the most disabled people in our society.

Am I running out of time already?

DR. ROTHSTEIN: Yes.

MR. COHEN: If we fail in our endeavor, then they have failed also.

There are other issues that need to be addressed. You talked about pre-emption. There is also an issue of pre-emption within federal law, when there is a conflict between HIPAA and another federal statute. It would be far more efficient if the federal government itself took on that responsibility rather than risking states making different interpretations of that.

There are funding issues. I think NCVHS has already recognized that states and other entities need help in terms of the technical infrastructure for implementing privacy. I think California may need some additional consideration just based on the sheer volume of state law that we have in terms of the time it takes to do a thoughtful pre-emption analysis.

In conclusion, Mr. Chairman, let me go back to our main theme. We are at a stage of implementation where very specific but different specific issues come up for different constituencies. I think the one-size-fits-all approach doesn't work here. We are ready to meet with OCR and with CMS to continue the dialogue that has been started both in Washington and here. We hope that they would work with us cooperatively, with an understanding that we both have a stake in what we are doing.

Once again, I want to thank you for the opportunity to participate in this very healthy process that you have. Let me be clear, we support HIPAA. We support the goals of the HIPAA regulations and the privacy rule. If our office can be of any further assistance to you in the future, please don't hesitate to call on us. Now or later on I'd be very happy to answer any questions that you may have.

DR. ROTHSTEIN: Thank you very much. Any clarification questions?

MS. KAMINSKY: I have one. I know that your time is tight. I don't know how long you have to stay with us during this panel right now.

MR. COHEN: I've got a while.

MS. KAMINSKY: Okay, good. I was grateful for the explicit examples in your testimony of where you are running into a gray area and trouble interpreting whether you have got covered entities or not, your foster care program and some of the Medicaid services that are handled by the Medicaid agency, et cetera.

Just for followup in this very voluminous report that you have created for the state legislature, are more of those examples highlighted so that the department can take a closer look at some of these governmental programs that you said HHS has a stake in, to try to see where some of the questions are arising?

MR. COHEN: I don't think the report goes into any more detail than what I have said and what is contained in my testimony. However, if that would be helpful -- generally, let me say I think the grayest areas are in the social services area. I would be very happy to provide additional information, or come to San Francisco or come to Washington to discuss these issues further.

DR. ROTHSTEIN: Thank you. We will now move to our next witness, Jean Wylie.

MS. WYLIE: I am going to really shift gears here, so bear with me. When I read the directions, you asked me to specify which question I was going to speak to. I think I am speaking to the one that everybody is speaking to, for slightly different reasons.

I am the Director of the Resource for Genetic and Epidemiologic Research at the University of Utah. I am speaking not on behalf of the university, but just from what I represent. This is my contact information.

RGE was established by executive order of the governor of Utah in 1982 as the data resource of those collection, storage, study and dissemination of medical and related information for the purpose of reducing morbidity and mortality, which means research in this case. It governs access to the Utah population database, which is only used for biomedical research.

I want to call your attention to the second bullet. We are talking about six and a half million people, probably 13 million records, because we have multiple records on a given individual.

The records come from a variety of sources. The first one was the family history library of the LDS Church. In the late '70s, Mark Skolnick got the brilliant idea that if he computerized the family history records, he could create what you could now get online, computerized genealogies. At that time, there was none, it simply didn't exist.

He then linked those to death certificates in our statewide cancer registry, creating large families with some medical information. We have now gotten more information, thanks to Barry. We have birth certificates back to 1960, death certificates back to 1904, cancer registries of Utah and Idaho go back to the '60s. We have driver license data and some CMS followup data.

This is the kind of research that is done. You can see that it focuses largely on cancer, given that we have a statewide cancer registry link to it, but other diseases and conditions are being or have been studied using this resource.

This is what we can do. This data does not come from any individual. You would never get this from one person. But if you were looking for a breast cancer gene, you would want to talk to the people in this family, because there is a much higher incidence of cancer than you would normally expect.

How do we work? We have contracts with our data contributors, don't we, Barry? Barry is a data contributor, so I wanted to confirm that. That specifies which data they provide to us and how we can use them. Perhaps the most important one is that each data contributor reviews and approves or disapproves every single use of their data. They have an absolute veto right. If they say no, we have to find another way to do it.

Use is project specific only. There is no data mining, nothing. The researcher submits an application to us. Our review committee and our data contributors review the application. Sometimes they ask questions, sometimes they don't. The project must have an independent IRB approval. By independent, I mean it is a review independent of us.

We require annual renewal of the project; we don't just give them data and let them run off, and they must have a data disposal plan for what they will do with the data at the end of the project. They basically have two options; they can destroy it or they can return it to us. They can't keep it after the end of their project.

For epidemiology types of studies, that is, where de-identified data is sufficient, we provide data sets to researchers. So for example, the fellow who is looking at cancer risks in the mothers of twins and their offspring, we just pull that data for him. He can analyze them however he wants. However, if you looked at that pedigree, that family history, you would understand that a lot of people use the database because they want to identify potential subjects for research projects.

The way those people are contacted about being in the project is by a third party, either my office, the cancer registries do it, or if the information on the people who are to be potentially studied came from a doctor's records or something, those are brought to us and we link them into the database. The potential subject receives a letter from us saying why we have their information, and that a researcher would like to contact them about participating in the study. If the potential subject says okay, I am willing to be contacted, then and only then is the identifying information provided to the researcher to contact them.

The strengths of our database are that between our family history data and our vital records data, we have pretty much covered the state of Utah. Granted, it is a small state, but it is a fairly contained population. That makes it very useful for research studies.

We do have a statewide cancer registry, so we get all incidences of cancer. We do a lot of cancer research. The BRCA1 gene, the first one identified, was identified using this resource. The limitation is that our health data, medical data is limited to what comes from the cancer registries and what we get off vital records. We do not have any medical data from either HCFA data nor from the driver license people.

For those cases that are non-cancer, those studies that are non-cancer, usually researchers bring data sets to us. The statewide autism registry, for example, which is a voluntary registry, or a researcher may get together with a group of peers and bring all of the cases of laterality defects in newborns. That is another project people are looking at.

So to address what we consider to be a limitation, we have a project ongoing now to link our family history records to the medical records in the University of Utah Health Sciences Center data warehouse. They have demographic information which we refer to as linking that is name, address, social security number, birth date, et cetera, on approximately 1.3 million people. Then they have the associated medical information that you see on this screen. This gives us about 21 percent of the Utah health care market, which gives us a whole lot more data on lots more conditions, lots more people.

It is also true that for some conditions, given that the University of Utah Hospital and Health Sciences Center is a major research center, sometimes for some conditions it is pretty much all of the cases. The linking is within one covered entity, so we have now HIPAA issues.

So why am I here? The reason I am here is that 21 percent of the health care market is not population-based, which has led us to recognize that in order to make maximum use of this research resource, we would like to at some point in the future, money being an issue there, get more data on more people. That means we face the HIPAA issues, and this is why I was asked to come talk to you today.

If we were to get data from a non-university provider, anybody, Intermountain Health Care, somebody else, we would require patient consent or authorization in order to include those people in some kind of research. At a population level, that is simply not possible; we are talking about millions and millions of people.

Furthermore, if we were to proceed that way, we would have people who would choose not to participate or who could not be found, at which point we would not have population level data.

There is as you all know a waiver possible of this requirement. The two ways that waiver can come about is the IRB, and the IRB can waive consent authorization, or HIPAA provides for the researcher to state that he or she is only reviewing records preparatory to research.

The problem is, we are not a research project. We don't conduct research. We are like your library. We have stuff that you use for research. In order to deal with this, I tried reading the HIPAA requirements and provided a comment last April about this, which I think you have in front of you. I gave several examples, none of which are my entity, because I wanted to point out that I am not the only type or institution that might be affected by this.

The responses came out in August, and that response essentially pointed me to the OPPR report on use of stored tissue or stored data. The problem with that one is that they don't actually talk about data alone. As far as I can tell, and I have read it several times, it has to do with tissue repositories in which the tissue and the associated data come from consented subjects. They have very small samples, and those aren't linked to anything else. So it doesn't seem to fit in any way with what we are.

Furthermore, when the IRBs evaluate those tissue repositories which the OCR said was how we should proceed, they look at the use of the data and the tissue, the potential uses of those, because most tissue repositories are for fairly specific purposes, certainly more specific than ours.

So my questions to you today are, is an IRB or a privacy board waiver of consent the most appropriate method of managing these kinds of resources? I have no clue what criteria they would use. Having dealt with IRBs in the past, we couldn't tell them how many subjects we were going to recruit. We couldn't tell them what procedures we were going to use. We would have no hypotheses, we would have none of the things that they would use to evaluate. I also wondered then, is the preparatory to research avenue one to take.

These are my proposed solutions. I was told if I came to you with questions, I should come with proposed answers. I honestly feel that this area of research resources, data alone, I'm not talking about tissue, but where we take data from large data sets and link them to make research resources, should be considered separately.

I don't believe that they should be completely exempt from HIPAA. I believe that the disclosing entity should maintain a record, that the records were disclosed and to whom, that there should be IRB approval of all research using those resources, and that there should be some kind of institutional oversight for the operation of those resources.

I just had a discussion yesterday with our newly appointed associate vice president for research integrity, Dr. Jeffrey Bodkin, about how we would do this. His initial response was, it would be something the IRB would do. I said, okay, and who is going to be the computer expert, who is going to be the database expert, at which point we backed up a little bit and are now looking at how are we going to manage these kinds of research resources.

We know of three or four of them at the University of Utah alone, which brings me to my final point. This is my little joke. I am always saying UPDP is unique, so this is my chance to say, in this case it is not unique. Linking data is something that over the last ten years has become tremendously easy to do. There is software that will do it for you. You don't have to write it as commercially available.

People link data sets all the time. The examples I gave in my comments last April are not far-fetched; they are based on reality. However, linking data, particularly if health data is involved, raises really significant privacy and confidentiality issues, and we would like some guidance as to how we should manage these kinds of data resources. We don't know.

DR. ROTHSTEIN: Thank you. Questions? Kepa.

DR. ZUBELDIA: You say there are three or four resources like this just at the U?

MS. WYLIE: Not exactly like this, but where data sources from a variety of sources have been linked together for research purposes only.

MS. KAMINSKY: A clarifying question. When you were going through your proposed solutions, your third point was that IRB approval is in all research resources. So you are suggesting that that should just be automatic?

MS. WYLIE: No. What I am saying is that it should be like we do it now. If a project comes to us, we do not release data to it until we have approved the project, and they can document that an IRB has reviewed and approved their project. We don't review for all of the issues that IRBs review for.

DR. ROTHSTEIN: She is suggesting that there be no IRB approval required in collecting the data, only in using the data for research.

MS. WYLIE: Right, which would be project based.

MS. KAMINSKY: Okay.

DR. ZUBELDIA: But you release de-identified data sets?

MS. WYLIE: Sometimes, if that is appropriate.

DR. ZUBELDIA: Without IRB approval?

MS. WYLIE: No project gets data from us without IRB approval.

DR. ROTHSTEIN: Thank you very much. I'm sure we will have some questions for you during the regular discussion period.

Our next witness is Denise Love.

MS. LOVE: Thank you so much for inviting me to present to the subcommittee today. Thank you all for coming to Salt Lake City. It is a treat to testify to NCVHS subcommittee and also in my hometown.

I am Denise Love from the National Association of Health Data Organizations, NAHDO. NAHDO is a nonprofit membership and educational association, and we represent private and public health data agencies across the country, those that maintain statewide or large health care utilization databases for purposes of research, public health, public policy and market purposes.

NAHDO is actively involved and has been for some time with standards initiatives at the national level. We have been evaluating the implications of these initiatives for our members and state health data agencies.

I have written comments, but I have some revisions I need to do, so I will submit those later to the committee. I will also keep my remarks brief, so you can have time to hear from the state representatives here.

My comments really are culled from conversations that I have in real time from my members almost every day around HIPAA. So I will start out with some recommendations for OCR, recognizing the magnitude of the work before them. I am also very much aware, and I want to say that I personally think some of this is going to have to be worked out in dribs and drabs as we move forward. There is no grand scheme. I also might suggest how associations and professional societies might help in HIPAA implementation efforts.

My members repeatedly would love to have a consistent message from OCR in the form of guidances and opinions. I will mention a couple of things in a moment.

Also, we feel that a framework for communicating about personal health information issues to our general public, state legislators would be most useful, because we don't know really who is leading that conversation, both nationally and at the state level. We are looking for some assistance there.

One example of a fact sheet that made a difference is this one here that Marjorie might know about. This was drawn up by the CDC about a year ago. I don't know exactly how long. We were able to get this out to our members at the time when people were trying to figure out public health exemptions, and would public health reporting be preserved under HIPAA.

OCR did endorse this at one time, but I know for a fact this has made a huge difference. We have distributed about 300 or 350 of these, and sometimes it is just before a meeting with an attorney general's office or with a provider association. We get this in the hands of our members, and it has resolved many issues on the front end in a very timely way. I think that kind of tool for other issues would be most helpful, and the associations can get them to the folks that need them at the right time.

One of the priorities right now, and Burt mentioned it a little bit, there seems to be a lot of round-robin on entity designation. I read listserves and I talk to members, and we poll members, and out of 32 state data agencies, -- and I just got this information yesterday -- four of the data agencies reported that they would be considered covered entities, four said that they will be hybrid entities, and 24 said they weren't covered entities, but we weren't sure what their umbrella legal entity really was. But one of the comments that came up over and over, my question is, why would a public health agency with pre-emption exemptions want to be a covered entity over the whole department. That might be my ignorance, but what comes back is, well, we don't want to spend the money to put firewalls between every person and every program within an umbrella agency that would be very costly. So those firewalls we want to avoid.

I am just thinking that maybe we need to talk a little more or have a short guidance about firewalls. I don't think that being designated a covered entity gets you away from due diligence of policies and procedures, and I don't think OCR and HHS mean brick and mortar firewalls. So there seems to be some confusion just as to what a firewall might be. That is just one example of what I think is clouding this discussion.

I also think that in conversations I have had with my NAHDO members that ultimately it may not make a difference if they are a covered entity or a hybrid in the end with those exemptions, but it seemed that a lot of energy and time is going into that discussion at the expense of perhaps other implementation efforts.

Several of my mentors have suggested that maybe OCR look to other parts of government like the IRS or the FTC and the antitrust models for issuing private interpretations or letters that aren't regulatory and are not law, but it does inform folks as to where they might be headed in some of these gray areas.

Again, Burt mentioned challenges and priorities. I don't have to sit here and tell you about state and local budget cuts.

Another area that we are struggling with is how to standardize training. We have got provider systems, we have got local health departments, we've got state health departments, and there is a lot of privacy information out there. I went to the HIPAA summit, and I was overwhelmed with options of vendors and training manuals, but I don't know how to make that alive for the state person that is answering the phone or out in the field or with a laptop. I don't know how those materials are going to translate effectively.

Again, we recognize that training is not a one-time effort. It is going to have to be a continuous ongoing effort.

I don't have an exact answer, but I will get to what I think might be helpful later.

Some of the local health departments are hoping that the state health department will help them with their HIPAA implementation. But I hear from states that might have three people working on HIPAA that they cannot always meet the local provider or local health agency HIPAA needs. So that is a concern, because they don't have the infrastructure in place that some of the larger entities have.

Another priority topic, state pre-emption, I am sure you have heard plenty about that and will continue to. NAHDO has been recommending to its members that a collaborative or community wide pre-emption analysis be conducted, and that the players work together on that. I am just wondering if OCR making that recommendation to communities and recommending this collaborative approach to pre-emption might be more useful than each entity conducting its own and may not match. I don't want to say deem it as a community standard, but encourage that pre-emption analysis be conducted across a community.

We run into issues of vendor credibility and product reliability. We recommend to our members caveat emptor. There is not enough history with these vendors and some of the work they are doing, and especially there is no such thing as HIPAA credentialling or HIPAA certification. That has come up on several occasions with small hospitals and small providers, and so as these things sort out, we are not recommending any vendors.

One of the suggestions that came up through my member conversations was the suggestion that OCR conduct a federal pre-emption template and analysis for the federal laws as a model for the states to do. Then we wouldn't have states worrying as much about 45 CFR substance abuse laws and others in relation to HIPAA; they would just be concentrating on their local pre-emption analysis.

Again, following the guidances and the questions provided for this subcommittee, we do identify out there several best practices. I'm sure you have heard from them, the North Carolina Health Information Communications Alliance, Sharp, Utah Health Information Network, UHIN. We have a HIPAA Gives listserve that my agency is sponsoring right now for states to discuss HIPAA related issues. I look at these as best practices of building HIPAA infrastructures and cultures in a region and in a state.

Again, I would recommend that OCR work with the associations, not only mine, but professional societies and others, hospital associations. We feel that we are potential partners with OCR. We can share tools and guidances with our members effectively and efficiently. Sometimes it is a just-in-time distribution. We also can serve as a conduit of information from OCR, but also filter or reduce some redundancy or synthesize some of the questions back up to OCR. The specialty societies, the governors associations and others, we speak the particular language of our members, we could maybe help get the messages out as OCR produces them. Again, any help in training that we can offer to our members under the guidance of OCR, we are happy to entertain.

So I will stop there. Again, thank you for the opportunity to present to the subcommittee.

DR. ROTHSTEIN: Thank you very much. Clarifying questions?

MS. KAMINSKY: Just one. I missed in the beginning as you gave your intro explaining your organization, are all of your members state agencies?

MS. LOVE: No. We have private sector organizations such as 3M and health information companies. The core of our membership are state-based organizations, so state data organizations, some local health department organizations that maintain large databases, but also we have private sector organizations who are operating without a state mandate.

For instance, 37 states have mandates to collect health care data, but about a dozen states have statewide data collection efforts without mandate. I wanted to commend HHS and OCR and others for responding to their needs by presenting another option for data dissemination that included the limited data set. That was hugely important. That is one example of working with the associations and finding solutions.

MS. KAMINSKY: Thank you.

DR. ROTHSTEIN: Thank you. Now we move to Dr. Barry Nangle.

DR. NANGLE: I want to thank you for the opportunity of letting me address the subcommittee. I am with the Utah Department of Health, where I have responsibility for several offices that have functions in data collection and statistics. That includes the immunization registry. My comments today are restricted to that. My remarks will be brief.

I want to describe immunization registries and talk briefly about how they work. I want to explain the legal authority under which we manage information, and then I want to discuss a couple of concerns that have arisen with the implementation of the privacy rule among our partners.

First, the purpose of immunization registries. I don't know if people are familiar with them. They are basically to improve vaccination coverage, especially among children less than two years of age. Immunization registries essentially solve the problem of fragmented childhood immunization records due to administration of vaccines at different sites. If all vaccines for a child were administered through the same provider, the provider would have the full immunization record, but immunizations are administered in -- it depends on the community, but in some communities by quite a variety of providers. So the immunization registry provides a single computerized repository for all the children's immunization records that can be accessed by authorized users.

We have an administrative rule, a section of the Utah administrative code, that provides the legal authority for us to share immunization records, to do what we call immunization coordination.

This rule -- I am not providing the full text of it; this is essentially what it does. It provides for sharing of immunization information through the state health department and the immunization registry among participating providers, schools, daycare centers, public programs.

The rule provides that immunization records of all individuals in Utah may be included in the registry, and there is a procedure by which individuals can opt out, or say they don't want their immunization records shared in this way.

Participants report immunizations voluntarily under the Communicable Disease Reporting Act, and then participating physicians, providers who have a provider agreement with the immunization registry can access the patient information for the purpose of assuring adequate immunizations.

DR. HARDING: Is that the only reason they can access the information?

DR. NANGLE: Yes, it is. Because immunization registries are computerized resources, are computer systems, they have the core function of being a centralized repository of the child's record. But they have evolved with a number of functions that grow right out of them being a computerized information resource. So immunization registries help to consolidate and automate the immunization recordkeeping for private and public clinics. They typically have the function to forecast immunizations due at a scheduled provider visit, so that complicated recommendations of immunizations is programmed. The way our users use it in practice, many of them get the charts ready in the morning, and all the people coming in for a visit, they do forecasts, so they know what shots to provide.

Immunization registries typically generate reminder postcards to families when a child's immunizations are due. In Utah we only bear the cost of this for public clinics, but the software, the function is there if private providers want to avail themselves of that function.

Immunization registries support health plan HEDIS measure reporting, so that is a specialized function of the general idea that health plans are in many ways like public health agencies; they have an interest in the overall immunization rate of the population that they serve. So immunization registries are a computerized way of measuring that.

Immunization registries produce a number of reports that assist at the state health department in surveillance of immunization levels statewide.

Utah's immunization registry is a public-private partnership. That is one of the issues that you wanted to have addressed. It is a cooperative effort among government agencies, health plans, private immunization providers. About 50 percent of the funding of the Utah immunization registry actually comes from health plans. USIS's governance reflects that funding structure. It is governed by an oversight committee that is made up of private sector people who are the representative of the health plans, private providers and public health authorities.

Actually, in Utah, more than 40 percent of the private providers use an application, computer application, which is a web-enabled -- those functions that I described before, they are embodied in an application that providers can get access to in their offices.

As far as the privacy rule implementation in this context of a public-private immunization registry, the department of health is a hybrid entity with covered/non-covered functions. The department legal department found the immunization registry to be a non-covered function. USIS intends to continue to generally do what we do now, to disclose immunization records to immunization providers for this purpose, with exceptions for patients who opt out.

I do understand that agencies that have made a different determination, they are not a non-covered entity, have other issues in disclosing immunization records. It is not clear under what basis they do that. I'm not completely familiar with that issue, but I know that is one of the issues that my colleagues have. If they have somehow decided they are a covered entity exactly, they are not a provider, they disclose for treatment but they are not really a provider. Anyway, I know there are issues there the subcommittee may want to discuss, but it is not our issue. Except for people who opt out, we will continue to disclose.

The implementation issues we think have arisen is that the USIS provider agreement with our largest private partner actually only covers the period prior to HIPAA implementation. So the legal staff of the health plan is not entirely convinced that we are a non-covered entity with a public health exemption. They have said at times we look like we could be a business associate to them, even though our own counsel makes the case to them that we are not. It is just a concern on the horizon. Our agreement really does not go into the period of HIPAA implementation.

So along these lines, my recommendation is that nearly all states have immunization registries; this is not something unique. HHS recognition of the public health function will greatly increase the comfort level of private partners. I'm not asking for something specifically. I know our partners are asking for predictability.

A second implementation issue in a registry that is in a hybrid organization like us is this. Immunization registries are integrated information systems. They depend on -- they are a lot like genes resources in a way. They depend on the massive flows of information, so that you get all the immunizations from different sources.

To do that, we have built up a culture of data sharing and data going over the firewalls. We have noticed a chilling effect during this period as our people who are data with us, particularly the Medicaid program, for example, which is a covered entity, needs to do a full evaluation of what the implications are going to be for them. We think this will be temporary, but it has put a chill on data sharing among the various agencies in public health that -- again, we think it will go away.

So those are my comments.

DR. ROTHSTEIN: Thank you very much. Any clarifications? We'll have some questions later on, I will guarantee that.

Finally, last but not least, Mr. Doug Springmeyer.

DR. SPRINGMEYER: Thank you, Mr. Chairman. It is a pleasure to be here. I appreciate the opportunity to give comments.

Many of the areas that I will cover have already been covered by Burt. As he indicated, I was there at the roundtable in Washington, D.C. These were the key sponsors. HRSA sponsored and paid for. We were able to contact PHSS HIPAA staff as well as OCR staff.

I left Utah feeling that certainly I must be the only state with few people and no money to implement HIPAA, came back finding out that there were perhaps three or four states that were the exception, and the federal government was not an exception, that their resources were severely limited in the implementation of HIPAA, a much greater appreciation of the incredible commitment by HHS and CMS and OCR and all the federal staff to make HIPAA work on very limited resources. I just came away with an immense appreciation that this is a collaborative effort, and that there is a true spirit of partnership between the government and private parties, including state government, if you consider us a private party, as someone who must implement HIPAA, as opposed to the federal government, who has the charge of interpreting and regulating.

So I certainly share the comments that have been made about our commitment to privacy, our commitment to making sure that data is secure. Our Utah population database has been successfully administered. The state contracted with the University of Utah to perform that RGE function, the cancer registry function for the state. We have monitored very carefully the implementation of that contract, and I am pleased to report to you that their record has been impeccable in the protection of the confidentiality of that data, and at the same time making use of what is truly a unique international resource, and how tragic it would be if HIPAA was to be the reason that we were unable to discover important linkages to disease and use genetic codes to be able to eliminate suffering because we can't figure out a way to protect confidentiality, but at the same time to make use of technology and data that is available to us. So we certainly hope and are confident that that kind of collaborative effort will continue to lead to that.

One of the earlier commenters said we had to repeat things three times. Well, I am here to repeat things 19 more times. California has already said it, Utah and 18 other states are all saying this, and I think it is largely what the USIS said.

These are the states that participated in that roundtable. We are truly in the midst of significant fiscal shortfalls throughout the country, and I really think that we are unnecessarily duplicating the resources that we have, and that some delegation of responsibility between federal and state and private parties will avoid unnecessary duplication and maximize our ability to come into compliance.

The state-federal pre-emption analysis is a massive undertaking. I am pleased to report to the subcommittee that Utah appears to be following the best practice. We do have a collaborative task force with private, public, state and all other players that are willing to come with their legal bag of tricks along with them, and are willing to accept part of the state statute and rules, and attempt to come up with the blessing of our attorney general with a conclusive comprehensive state pre-emption analysis that every covered entity can then build into their notice of privacy practice.

One of our great fears, and one of the caveats to what Mary mentioned this morning, that statute that we might pass in Utah that would defer to HIPAA unless we specifically notify, is that as we complete our analysis and then add five, six, seven, eight, nine, ten exceptions, every covered entity potentially has to modify their notice of privacy practice and send that out again. So our hope is to complete this pre-emption analysis before the NPPs have to go out, so that we avoid -- in the case of Medicaid, we are estimating $500,000 to distribute our NPPs to all of the covered lives in our plan. Massive expenditure that we don't want to have to duplicate, even if it ends up only being half of that. Who knows whether my people are over-estimating the time and resources that will be involved in mailing out that NPP to every family that currently receives services in our state Medicaid plan.

We would echo again, the federal government should step up and do federal law pre-emption analysis for the country. There is no reason for 50 states to do an analysis of federal law and HIPAA pre-emption. You already did most of it, I think, in the preamble to the original rule, and you gave us assurances that you thought that there was little conflict between various sections in federal law. We would ask that that be formalized and issued by the Office of General Counsel in HHS and become a document upon which all covered entities can rely.

Obviously, if a court is called upon to interpret that and renders a contrary interpretation, we have no control over that. But it would certainly bring a calming effect to the waters. We would ask you to consider devoting some very scarce federal resources to that project quickly and immediately, so that states and other private entities would have the benefit of that prior to the April 14 deadline.

Covered entity determinations are an incredibly difficult area. Let me talk about uses. The basic tension between the private provider in the state is the issue of whether or not the disclosure is required by law under 512a, or whether the use of the term in 512b, in the context of public health disclosures and the term there is unauthorized, rather than required, was intentionally different, as I argued that it was, and that a voluntary disclosure authorized by state law is equally exempt from HIPAA as a mandated report under state law.

Our private providers quite frankly don't trust me. If we could get guidance from HHS that Doug Springmeyer is not out in left field on that issue, then we could put our USIS determination on covered entity status for pre-emption purposes to bed. Those entities would then be far more comfortable continuing to report to us.

Our analysis is that once we get the data pursuant to an exception, it is no longer HIPAA data. If we choose to in turn consistent with state law share it appropriately with covered providers, that that is not a HIPAA issue, and our USIS registry can continue to function in the way that it has in the past.

Certainly again, if I am in left field on that, I would appreciate being brought back to home base as quickly as possible.

I am very troubled by the interaction between the administrative provisions of the privacy rule and the lack of a final security rule. I am told that HHS, when the final security rule is issued, will be streamlined, that it will be explicitly scalable as with the privacy rule.

All of us who have been taking to the bank the idea that the NPRM is largely going to be exactly what the final security rule will be may be mistaken in some significant ways and therefore we will have unnecessarily spent very scarce state resources to implement the privacy rule on the basis of the NPRM, and find a year from now that we could have saved ourselves a great deal of money potentially, had the security rule been finalized before we had to implement privacy.

So I am going to suggest that consistent with the transaction rule, the privacy rule implementation be postponed until one year after the security rule becomes final. That would require statutory action by Congress, I believe, but I think that what we have seen happening with the transaction rule would also happen with privacy.

You have got our attention on transaction, folks. We filed our extensions, we all had to come up with plans. We now have concrete efforts that are moving toward October 2003. I am pleased to report to you that I think that all of the major Utah state health plans including Medicaid will be fully compliant with the transaction rule come October of 2003. I commend HHS on the flexibility that it was able to encourage in Congress.

So I am asking that this subcommittee recommend to the full committee and then the committee and HHS and the Administration go together to the Hill and recommend a postponement of the April privacy deadline, until the resources become available to make the security rule final, so that we truly know what the ground rules are going to be in the very close interaction between privacy and security.

I would hope that some kind of formal binding process similar to what Burt was talking about could be developed between state and federal regulators on conflicts of interpretation, whether it be covered entity or pre-emption. And I would ask that CMS and OCR implement an explicit written staged enforcement process, particularly if the privacy rule implementation cannot be postponed.

I don't think from what you heard this afternoon from one of my rural Utah hospitals -- not mine in the sense that I have any legal control, but certainly part of my safety net in Utah, as the health department, as we administer the Medicaid program. We are very fearful that our safety net is going to be disrupted come next October if payments are not appropriately funneled to the various providers.

You heard the Kanab hospital talk about the difficulty in getting their new providers credentialed and how that has interfered with their payment flow. Well, the same thing could happen in October.

So if you can give us guidance as to what is most important, whether it is getting our notice of privacy practice just right, whether it is getting our training just right, whether it is getting our policies just right, something short of 100 percent.

What are you going to be looking for when you come out in response to a complaint? Is it substantial compliance, as we have been told? Are you going to be understanding of the fiscal restraints that are being imposed on states? As you impose penalties, will you be creative in allowing us to enter into compliance plans that you will supervise, rather than imposing civil money penalties? Any concrete written signals that we can receive from the federal government on enforcement strategy short of an enforcement rule would also be extremely helpful.

We understand that there is $42 and a half million authorized but not yet appropriated for technical assistance. We call on the subcommittee to work closely with HHS to make sure that a budget is adopted and that this technical assistance money is appropriated, and that it becomes available both to HHS, CMS and OCR to assist states and private providers to come into compliance.

Right now, the statute says that we only have 30 days to respond unless in the Secretary's wisdom additional time is granted, in the event we are found to be in non-compliance. Folks, I don't know where that came from, but that is woefully misunderstanding the complexity of what a major change to an IT structure might require. It simply sets up a standard and unnecessary fear, and we would ask that you work with Congress to recognize that 30 days is just unreasonable in the vast majority of the circumstances where a non-compliance finding would be issued by OCR.

I think I am repeating myself there. We would also ask, it may be just invisible to us as states, but we don't see clear collaboration between the Department of Education, the Department of Agriculture, Department of Labor, Department of Justice on the various HIPAA implicated issues that are involved in the health care system. We would like to have knowledge that we are not going to be asked to do something inconsistent by a separate department of the federal government. We would hope that if it isn't already in place, that some kind of explicit federal coordination would be put into place and would be visible and well published to the provider community, so that we have that assurance.

Those are my comments. I look forward to your questions.

DR. ROTHSTEIN: Thank you very much. Any clarification questions? Kepa.

DR. ZUBELDIA: In extending the 30-day cure period, you said you want that extended to something reasonable. What is your recommendation of a reasonable extension for a cure period?

DR. SPRINGMEYER: Minimum of 90 days, with the recognition that if it involves a fundamental change to a state program, that perhaps six months is a minimum. That is certainly something that we see in other areas of federal regulation, the recognition between a non-substantial and a substantial change to a fundamental state program.

DR. ROTHSTEIN: Any other clarifications? I want to thank all five panel members for bringing up such a diverse set of issues for us to discuss. So the floor is open for my colleagues to raise questions.

DR. HORLICK: I have a question. It actually might be a clarification, something I heard before. This is for Mr. Springmeyer. You mentioned there was some concern about covered entities disclosing to public health under that 501-2b exception, which seems to me clear. I certainly think it was the intent of HIPAA that it be clear.

Could you state again what the concern you are hearing is, and if you have a recommendation for what OCR could do to provide additional clarification on that point?

DR. SPRINGMEYER: Yes. There are probably two areas of concern. There is mis-information. There has been training that has been non-specific, that has beat the drumbeat of, give nothing to anyone without some kind of explicit authorization or prior to the amendment, consent, which didn't indicate the presence of exceptions for law enforcement, public health, et cetera.

We have a set of seven letters that we have drafted. We have had several providers call us and say we have diagnosed this communicable disease, we're sorry, the patient won't let us send it to you. I say, uh-uh, doesn't work, and I send out my letter and so far, once educated, we have had no problem with that.

So I don't see that as being a national issue. I think your FAQs and other things on your website, you have been very clear on that point. So I think that is a problem with education not being well done by some providers.

The bigger question for us is a voluntary disclosure, pursuant to a public health authorization as opposed to a requirement, subject to the public health exception, as we believe it is. So our USIS reporting is voluntary. A provider is not in violation of law if they choose not to participate in the USIS registry. But our rule explicitly authorizes them to release the information and gives the patient the opportunity to opt out. So it is not the traditional consent that you would expect for an authorization for release, is the terminology in HIPAA.

So that is the tension. If OCR or CMS agrees that Section 512b was intended by the use of the term authorized to encompass voluntary authorized releases, clarification on your frequently asked questions site or some other authoritative guidance would be very helpful for me to be able to point skittish providers to, so they know that it is just an attorney general interpretation.

DR. ROTHSTEIN: Mr. Springmeyer, I wish it were simply a Utah problem. Unfortunately, we have heard repeatedly from public health officials throughout the country that essential disclosures, lawful, authorized disclosures, required disclosures, are not being made because of some misunderstanding about the requirements of HIPAA.

You are absolutely right about the need for education. I am wondering if -- and I believe Mr. Nangle also referred to this issue. I'm wondering if you had any specific suggestions for us in terms of recommendations that we could make to the Department about how to tackle that problem of what we call defensive practices under HIPAA that are having adverse public health effects.

DR. SPRINGMEYER: You of course share a perspective. I was not aware that it was more than a Utah problem. I assumed it probably was, but it was all anecdotal.

I believe that your website devotes an appropriate amount of time to the public health exception, the law enforcement exception. My personal gut feeling is that it is just a learning curve that is an unfortunate unintended consequence of alerting people to the need to be more aware of privacy and confidentiality. Then they have to begin to learn what the exceptions are after they become comfortable with the rule.

So certainly any kind of reinforcement, including it prominently in all of the training that CMS and OCR may do would be much appreciated. I just tell you though that we have been able to very quickly turn around any instances of misunderstanding simply by use of these letters that we have drafted, citing to the specific statute and the specific rule.

The guidance in the original statute is very clear; there was no intention to interfere with traditional public health functions. That language right out of Congress' enactment is extremely helpful to give it credibility.

DR. ROTHSTEIN: Other questions? Richard.

DR. HARDING: I was interested with your comment, Mr. Springmeyer, about, there has been no misuse of RGE information, and that that has been held sacred.

In other testimony, we have similar kinds of things, that there hasn't been major problems with that. So the question then comes up, why get into it? It is not broken.

MS. WYLIE: Well, it's not broken as it stands. However, if we choose to expand it beyond its utility in cancer, then it won't be broken, but it will become subject to HIPAA at that point. Right now it is not.

DR. HARDING: But your point was that you were wanting to make sure that collection occurred. Utilization was taken care of pretty much by IRB and so forth, but to have the data --

MS. WYLIE: But if I ask, for example, the Intermountain Health Care to disclose to RGE all of its records that we could link to the Utah database as we plan to do with the data warehouse, it is my understanding that that comes under HIPAA, and that they would technically have to get authorization from every single person to release the records to us for linking.

Now, if I am wrong about that, you can make me very happy.

DR. ROTHSTEIN: No, I will make you more unhappy. I think HIPAA is the least of your problems. What you are seeking to do is research accumulating a repository of medical records.

MS. WYLIE: No, I'm sorry. Let me explain how the linking works, because that is critical to this. What we do is that the data warehouse will provide to us information about individuals, name, address, birth date, no medical information. We will link that, and we will create a file that has unique ID numbers from each data set, and then we will delete the information that they have provided to us. So what we have is a file that says, person with ID number one in the UPDB also is represented by person number 14 in the data warehouse.

So if a researcher wants to use it, it is fairly cumbersome.

DR. ROTHSTEIN: You are describing the current system, or what you want to do?

MS. WYLIE: What we want to do. Right now, we already exist. Everything is already linked in. We are talking about adding data.

DR. ROTHSTEIN: And you would not be getting any medical records?

MS. WYLIE: No. What we get is linking information. Here is an example of a use. Dr. Skolnick wants to study the genetics of interstitial lung disease. She would go to the data warehouse people -- this is after all the approvals and blah, blah, blah -- and say, pull up all the records of people who have diagnosis codes or whatever, however they determine these people, pull up all those records, give me the IDs of all of those -- give Jean the IDs of all those people who are in UPDB. We would then do a familial analysis of all the people in UPDB, and identify pedigrees that are most likely for her to be productive in terms of pursuing for getting them into a research project.

DR. ZUBELDIA: So you are building a master patient index between the medical records of the university and UPDB?

MS. WYLIE: Yes. We will not use a medical record number, though. We will require the data warehouse to assign a unique ID number that is only for use here, because we don't want to have to -- if it is a medical record number that is in there, that --

DR. ZUBELDIA: It is still a master patient index. I think it is contemplated as the key to link the records.

MS. WYLIE: You can't do it any other way. Doing it within house now, our legal counsel tells us we are all one covered entity. Therefore, HIPAA doesn't necessarily apply. Don't tell me that is wrong, because then I will really be unhappy. But if we wish to get beyond the 21 percent of the Utah population that is represented within the data warehouse's health information, then for sure, definitively, HIPAA comes into play.

DR. ROTHSTEIN: No, what I was going to say was, I would have to be convinced that what you are doing is not covered by a requirement for IRB approval.

MS. WYLIE: Okay, that is my question to you. What is the IRB approving?

DR. ROTHSTEIN: They are approving the facilitation of collection of individually linkable medical information for research purposes.

MS. WYLIE: You have sat on IRB panels, is that correct?

DR. ROTHSTEIN: Many of them.

MS. WYLIE: Many of them. I have not, but I have had to fill out the stupid forms -- excuse me, the forms, both for application and for renewal. I looked at that in terms of what we would do. I cannot answer their questions, and their questions do not get to the point of our security practices.

DR. ROTHSTEIN: I understand that, and we can talk off hearing about this issue that I have spent a lot of time on. What you are seeking to do is not in any way, shape or form unique. It is being done all over the country. In fact, it is being done all over the world. Everyone who has looked at this has said that IRB approval is needed for it.

MS. WYLIE: My question for you is, most of the ones I am familiar with, people gather data in the context of specific research. It may be used for other projects, but it is gathered in the context of specific research.

DR. ROTHSTEIN: No, even if it is not for specific research --

MS. WYLIE: So what you are telling me is that it is going to be an IRB-based --

DR. ROTHSTEIN: Correct, and if you are satisfying the IRB, you are satisfying HIPAA. So it seems to me that the hurdle is the IRB.

MS. WYLIE: The IRB doesn't have the expertise to evaluate it. But we will figure that out. That is a separate issue.

DR. ROTHSTEIN: Right, exactly. I wanted to ask Mr. Cohen a question, and give you a chance to respond to the issue of whether you in doing your HIPAA analysis in California, whether you have spotted the same problem that Mr. Springmeyer and I talked about. That is, this reluctance to share information, disclose mandatory information and so on that is essential to public health.

MR. COHEN: I think there is probably a different atmosphere, depending on where you go. I think among state agencies, you don't have the personal liability or at least the sense of personal liability that perhaps exists in the private sector. At least in California, people acting in the capacity of their office are personally indemnified.

Now, I think from private providers that I talk to, there is an overall questioning or perhaps chilling effect just emanating from the uncertainty of HIPAA. I have talked to doctors who say -- like, an internist for example will say, I would like to send the whole patient record to a specialist that I am referring a patient to, just so even though they are treating a portion of the patient's problem, they know the whole background for the whole patient, and they can be aware of drug interactions and other things. People are wondering whether they can still do that.

I think they can, because it is treatment. But HIPAA is so new and so complicated, and the sanctions are serious, as they should be, but I think this creates a lot of questioning and a lot of hesitancy.

I think this ties into the statement that was made earlier that the history of medical practice in the last 20, 30 years is one of increasing paperwork and increasing regulation and increasing scrutiny. So I think in a sense, practitioners have become a little bit gun shy, and now the feds are in town, so what do we do now?

I think among state agencies, it is more a level of awareness and developing a specific strategy for how you implement these things. We are eliminating positions in California. People have multiple responsibilities, so it is like, how do I learn this, how do I change my business practices, how do I integrate this with other things that we are doing, probably more than the fear.

I think in the research community, there is probably a great deal of uncertainty, a great deal of questioning about how we do this. I think this probably extends from the University of California that does a great deal of research even into several state departments that are tied into some research activities.

DR. ROTHSTEIN: Yes, please.

MS. LOVE: We are seeing some pull-back in data release in a project that I am personally involved with, that have two public health agencies who are citing HIPAA as the reason that they will not release data. I look at it as perhaps HIPAA is being used as an excuse for things they don't want to do, anyway. The tools are out there. Again, the fact sheet has been helpful for us communicating to providers the public health exceptions.

DR. ROTHSTEIN: Any other suggestions besides the fact sheet? Do you incorporate this language into collaborative agreements or things of that sort?

MS. LOVE: The more consistent and pervasive the message, the better and the easier it will be. I go back to maybe a national framework, or framing the discussion from the top, that then could be carried through the various segments of health care collection and distribution.

Public health, many of the agencies that we have talked about today, their primary business is not service delivery, but information collection and dissemination, and we have been very concerned about the impact that HIPAA or the perceived impact of HIPAA might have on those agencies.

So I again go back, if we had a common framework for communications, that would be most helpful to my members, and to their partners.

DR. ROTHSTEIN: Thank you. Richard?

DR. HARDING: Something that was just mentioned briefly by Mr. Cohen brought it up. That was the administrative mechanism to resolve differences or conflicts between the two different groups who are implementing the -- security being with CMS and privacy being with OCR. You brought up that how is that going to be settled if there are differences between it.

Could you say anything more about that? It is a concern that I think many of us have, about how that is going to be divided and impartially dealt with.

MR. COHEN: I think in one sense, Doctor, the administrative separation of HIPAA is understandable, because each agency is responsible for different rules. CMS is transactions, codes and security, and OCR privacy. But in an environment where there is some uncertainty about what the covered entities are among governmental programs, there is always the possibility that some complaint will get to CMS, where they will say yes, foster care in California is a covered entity. A different complaint will get to OCR, where they will say foster care in California is not a covered entity. I am just being hypothetical here.

As far as I know, there is no administrative mechanism within HHS for resolving something like that. Maybe I need to be educated here, but short of the Secretary, I don't know that there is an office in HHS that is responsible for all of HIPAA. I think there are different offices that are responsible for different pieces of HIPAA. Nobody is dealing with the big picture.

More than that, there is nobody who is dealing with the unique issues that states have trying to resolve those issues in an orderly way, short of whatever comes out of the complaint process. There is certainly nobody there advocating for the states or even saying hey, these government programs are our programs, what are we going to do about it.

One example of this is that -- this meeting that Doug and I were at in Washington was very constructive. There were high-level people there, the tone was very positive. At one point, somebody from HHS said, we are currently doing an assessment of our own programs to decide what is covered and what isn't. We said, gee, that's great, can we have a copy, and the answer was, it may be required under some federal public records disclosure, but we don't know yet because we haven't looked into that. We said, even if it is not required, could you do it anyway, and the answer was, we don't know. We will have to go to some higher authority.

I think that is just an illustration of how minimal the communication is now, and how minimal the perception is of the huge obstacles that the states have, and the assistance from HHS that would be helpful to the states in a proactive kind of way.

DR. HARDING: Thank you.

DR. ROTHSTEIN: Kepa.

DR. ZUBELDIA: I have a question concerning the accounting for disclosures. I don't know if you have had the opportunity to listen to this morning's testimony, but we heard from several providers that about 80 percent of their accounting for disclosures -- or 80 percent of their disclosures that they have to keep track of will be to state public health agencies under state law requirements, that are required to report to, perhaps not Utah for immunization, but other places that are required to report to cancer registries, to all kinds of registries in the state.

They were proposing that the states should keep track of those disclosures, so when a patient comes back five years later and wants to know where all the data has gone, the providers could go to the state health agencies and say, give me all the disclosures that you have received from me for this patient.

What is your reaction to that?

DR. SPRINGMEYER: My first question would be, where would you get jurisdiction to impose a requirement on a non-covered entity, which most of those state health functions would be.

Secondly, what I heard the testimony to be was that a generalized inclusion in the notice of privacy practice of the types of disclosures required by law should be sufficient, as opposed to an itemization that on this date, this data was shared with this specific public health agency.

I guess the ultimate question is whether or not patient protection, to be able to go and take some action, is sufficient to justify the immense administrative burden that it is going to place on those parties that report to us as public health agencies. That truly is having a chilling effect on our ability to increase any kind of data gathering that we do that we are not currently doing.

The uniform comment back is, since HIPAA will require that we establish a data system to allow us to account for each disclosure, granted, there may only be one-tenth of one percent of people that will ask for the data, but because that one person in a thousand will ask, you have to keep track of all thousand, because you don't know which one of the thousand is going to ask for it.

So it is truly an immense burden. I believe that Utah, although I certainly have no authority to speak beyond my particular role, would feel that that would be a good balancing of the privacy versus the cost, and that patient protection would still be supported if a less specific accounting for release is required by law was deemed to be in compliance with HIPAA, as opposed to a full-blown accounting.

DR. ROTHSTEIN: Any other questions? Gail?

DR. HORLICK: I wanted to follow up with Denise Love. I know you said you just got the information on those entity designations. You said you had 32 state data organizations, and I think you said four were covered entities, four were hybrids and 24 were not, although they didn't know the legal entity above them.

I wanted to ask in particular about the four covered entities, because you said they were state data organizations. So were any of those -- do you know the types of agencies? Were any of those state public health agencies?

MS. LOVE: One was a center for health statistics, who responded as a covered entity. One was a division of administrative services information systems. So again, we are getting different levels of hierarchy in the organization, either responding or labelled as such. This one is another center for health statistics.

So I just thought it was curious, as I looked through this last night, that what I assumed were non-covered entities are saying they are covered entities. It warrants some research, but I think there is some confusion that has been expressed. Again, I'm confused, but I have members who are saying, our attorney general says the whole state is going to be a covered entity. Then someone else will say, we are going to be a covered entity, but so-and-so across the hall is going to be a non-covered entity.

So I think it is a reflection of, states are approaching HIPAA differently. Some states are at a fragmented approach, or it appears from the outside to be, others it is more centralized, and others are part of a pretty -- like, I always hold North Carolina out, of a collective approach.

DR. HORLICK: Thank you, that is helpful. It adds to my confusion, in that I am not clear -- and I'm not asking you to answer this -- on some of the implications for the traditional non-covered functions, when they are considered a covered entity. But you have said some of those are not -- the ones that have designated themselves covered entities don't appear to be at first glance providers or payors.

MS. LOVE: One umbrella agency, when asked -- I spoke to them, and I said I was curious, why -- given Medicaid, I can understand, but still, there are a lot of programs in his umbrella agency that are non-covered entities, and they bring up the cost issue. If we are all playing by the same rules, and we are all doing the same thing, and we all are doing the same training, and all the same requirements, then it is easier to administer from a state's perspective. Doug may have some additional insights.

But then I bring up, what does that mean for the center for health statistics? Does that mean that you will be held to minimum necessary? I don't think so. If you really drill down, you will see that there is public health exemptions, but it just makes some additional noise that I felt in my non-legal interpretation or my understanding, that HHS intended for public health to have a special exemption. It raised some possibility for flexibility for the agency. So you could have some more wiggle room, maybe less of a cost issue for training.

The bar seems to be higher for covered entities, and why would a small public health non-covered entity want to be a covered entity?

So I think there is some misperception on what the due diligence for firewalls are. I still am worried that an umbrella covered entity agency might think that they don't have to do their due diligence. I still want to see policies and procedures in data handoffs, just as good information practice, not that we are a covered entity, so we can exchange with anyone in the department.

I think the preamble is fairly clear, but I just think there is some areas of simple guidance that might go a long way. I don't know if Doug can --

DR. SPRINGMEYER: I apparently am reading the same listserves that Denise is. There is a scary trend that people think that access to PHI within a hybrid covered entity is free and open, regardless of whether you are a physician component of that covered entity or not.

I don't know where in the rule they get that. It has to be a superficial ignorance, but I haven't looked in the frequently asked questions to see if that specific issue is addressed. But if it is not, it comes up often enough that it might be helpful.

MS. KAMINSKY: I just want to respond to that. I do think that probably some guidance on what you mean by firewalls would probably be helpful. But the piece that I have heard in terms of a deciding factor is, once you are a hybrid, if you are going to disclose, you will need to do an accounting, because you are going from a covered to a non-covered, and that can tip the scales. That is one more factor in addition to the factors that you raised.

DR. ROTHSTEIN: If there are no further questions, I want to thank the panelists. I don't want to keep you any longer. I know there are planes to be caught. We appreciate your spending time with us, and sharing your views, and we will have much to chew on in the next couple of weeks.

For those on the Internet and those who are here for tomorrow morning, we will conclude our hearing tomorrow morning. We will begin at nine with a final panel on health plans and clearinghouses, which will conclude at ten. Then from ten to 12:30, there will be a subcommittee discussion of all three hearings, Boston, Baltimore and Salt Lake City, and a discussion of our tentative recommendations.

The subcommittee discussion is open to the public, and it will also be broadcast by the Internet. So we will stand adjourned until nine tomorrow morning.

(Whereupon, the hearings were adjourned at 4:50 p.m., to reconvene Thursday, November 7, 2002 at 9:00 a.m.)