[This Transcript is Unedited]

NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS

SUBCOMMITTEE ON PRIVACY AND CONFIDENTIALITY

November 7, 2002

Salt Lake City Marriott
City Center
220 South State Street
Salt Lake City, Utah

Proceedings By:
CASET Associates, Ltd.
10201 Lee Highway, Suite 160
Fairfax, Virginia 22030
(703)352-00

P R O C E E D I N G S [9:05 a.m.]

Agenda Item: Welcome and Introductions

MR. ROTHSTEIN: Good morning. My name is Mark Rothstein, I'm chair of the Subcommittee on Privacy and Confidentiality of the National Committee on Vital and Health Statistics, and I want to welcome you to the final panel of the final day of our final hearing in our set of three hearings devoted to implementation issues under the Health Insurance Portability and Accountability Act and in particular the privacy rule. Today's panel consists of only two individuals, dealing with the issue of health plans and clearinghouses, and for those of you who are listening to us via the internet, I want to welcome you as well and tell you what the schedule is for this morning. We will proceed with the panel from 9:00 to 10:00 and then we will immediately move into the subcommittee discussion of possible findings and recommendations based on our three hearings to bring to the full committee when it meets later this month.

As you know, the hearings that we've held have had a limited scope dealing with the implementation issues and we will address some additional issues this morning. The schedule after we finish our hearings this afternoon is to prepare a document for discussion by the full committee on November 19th and 20th at its regularly scheduled meeting. And if the full committee agrees with our recommendations, or develops its own recommendations, those will be presented by letter to Secretary Tommy Thompson by Dr. John Lumpkin, chair of the NCVHS. Because there are only two panel members this morning, we can provide you with additional time, meaning that we'd like you to spend 15, perhaps 20 minutes at the most giving your presentation. I will hold up a one minute sign when your time is nearing the end, and then we will have discussion with the members of the subcommittee.

Now before we go to the testimony I think it's important and our custom to have introductions. I'll begin, my name again is Mark Rothstein and I am the Director of the Institute for Bioethics Health Policy and Law at the University of Louisville School of Medicine, and I have no conflicts of interest with the subject matter that we are discussing this morning. Kepa?

DR. ZUBELDIA: Kepa Zubeldia with Claredi Corporation, member of the committee and subcommittee.

DR. HARDING: I'm Richard Harding, I'm the interim chair of the Department of Neuropsychiatry at the University of South Carolina and my only possible conflict of interest is immediate past president of the American Psychiatric Association.

MS. GREENBERG: I'm Marjorie Greenberg from the National Center for Health Statistics, CDC, and I'm the executive secretary to the committee.

MS. KAMINSKY: I'm Stephanie Kaminsky from the Office for Civil Rights of the U.S. Department of Health and Human Services, and I'm lead staff to this subcommittee.

MS. HORLICK: I'm Gail Horlick from the Centers for Disease Control and Prevention and I'm staff to the subcommittee.

MS. SQUIRE: My name is Marietta Squire and I'm with CDC, NCHS, and I'm staff to the subcommittee.

MS. ALRED(?): Mary Lynn Alred, I'm a compliance specialist with Deseret Mutual Benefit Administrators.

MR. CULL(?): David Cull, vice president of welfare benefits at Deseret Mutual.

MS. JUNIUM(?): Katie Junium, Intermountain Health Care.

MS. THOMASON: Mary Thomason, Intermountain Health Care.

MR. ROTHSTEIN: Thank you and welcome to all of you. I would ask anyone who has a cell phone to please turn off the ringer and I would also ask that our speakers speak clearly into the microphone so that those on the internet can hear them. If there are no other matters, I'd like to move right to our panel on health plans and clearinghouses and recognize Mr. Michael Stapley.

Agenda Item: Michael Stapley, Deseret Mutual Insurance Company

MR. STAPLEY: Thank you very much, we appreciate an opportunity to spend a little bit of time with you today. I'm sure that you've heard a lot of information that's been duplicated several times, and I'll try to focus my time on those things that may be a little bit unique, except in one situation, I'll probably repeat something you've heard a lot about.

I serve as the president and chief executive officer of a company called Deseret Mutual, which is actually a consortium of four companies. We have primary responsibility for administering benefits for the LDS church and all of the entities that are affiliated with the LDS church, both for profit and non-profit, including the institutions of higher education, Brigham Young University, Brigham University Idaho and Hawaii, and LDS Business College. We also do some voluntary plans on behalf of missionaries of the LDS church.

Together we've got about 130,000 plan participants that are broadly dispersed in every state in the United States. We also do some benefit administration in about 80 different countries in the world, so we kind of have an interesting perspective. One last thing is we do have a supplemental accident policy that has about two and a half million people enrolled here in the United States. So we come with the perspective that probably has a lot of concerns related to the fact that we have participants broadly dispersed into every nook and cranny of the United States and have some concerns with respect to how the privacy rules might affect us.

I might mention one other thing by way of background. I was heavily involved as one of the founders of the Utah Health Information Network and served on a default basis as initial executive director, and currently serve as the chairman of the board of directors of the Utah Health Information Network. We were heavily involved in the development of standards and ultimately the regulations that pertain to the transaction rules that were recommended I guess by the National Committee on Vital and Health Statistics and promulgated by the federal government.

I want to say one thing. From my perspective, the privacy issue is very important and we're very supportive of the attempts to move forward, somewhat aggressively in terms of the establishment of privacy rules and regulations. I can remember, I don't know how many years ago, but it was a prominent plan in the state of Utah, got a notification from the dump here in Salt Lake City that they had thousands of medical claims that had been dumped at the dump. And there was all kinds of information, if somebody just wanted to start pulling those aside and start looking at names of prominent citizens of our state and so forth, and I think what they reflected, I mean that was carelessness obviously that caused that to happen, but the realities are that there was kind of a cavalier attitude with respect to privacy related issues and how these privacy related issues might affect individual citizens. I'm not, I'm pretty certain that was not unique to our state, I think that was kind of an attitude that existed across the United States. From the perspective of a health plan administrator, with fairly significant background in my case in public health, I think that attitude existed with most health plans. You looked at how they processed claims, and how they talked about it and how claims were left laying around and so forth, there was just an insensitivity with respect to the fact that for some individual person, this was a very important issue and the way that their personal private health information was being treated was just downright wrong.

Now when I say that, we do have some concerns about the regulations as they are currently promulgated but I say that in the context of recognizing that this is not an easy task, I know it's extremely, it's extraordinarily difficult to kind of come to a consensus with respect to what ought and what ought not to be done. I commend you for your efforts, I know the challenges that you face are very difficult. I'd like to just move, and I'm going to move, I'm not going to read this, the document that you have here, I'm just going to focus on the things that I think are important.

The first question, what outreach, education, and technical support programs are needed from OCR, including suggestions for OCR priority setting. I think that at the end of the day, the biggest challenge that we face is there are just too many unanswered questions and I think there's a little bit of a concern that there are a lot of people, it's like nobody's taking this seriously, these are not answered questions, they're big deals to some organizations, and their ability to implement a privacy policy within their own organization is affected by the fact that they just flat out don't know what to do.

And many of these questions, they're not little questions, they're big questions, and it's having a dampening effect in terms of the attitudes of people with respect to what everybody's trying to accomplish. I guess retrospectively, we all have 20/20 hindsight, it would have been nice if a lot of these questions could have been anticipated earlier and dealt with in more of an incremental fashion that would have allowed them to have been answered by and large. There needs to be a process to catalogue these questions and then put something in place that systematically goes through and figures out how we're going to respond. I think most organizations, I mean everybody said that the enforcement is going to be soft, we're not going to come by and throw you all in jail and so to speak, but there's still a little bit of fear associated with what happens if they find that you have violated some provision of the regulation of the statute. So I think that's really important, there are just too many unanswered questions, in some cases very important questions. It's like someone said, there's just a tremendous amount of misinformation and simply desperate guessing with respect to what these regulations mean for different entities that are affected by them, and somehow that needs to be changed.

One thing that we're particularly concerned about is that, as an organization, is that we have some concern that the regulations have been drafted more broadly than the statute. For example, in our own organization, it was pretty clear what a group health plan was when we were looking at transaction standards. As the privacy regulations were adopted, they defined group health plan more broadly and we think more broadly than the statute permits, which affected some administrative arrangements we have with Missionary Medical that we did not anticipate, which is interesting. Our Missionary Medical program is really, we provide medical services for missionaries of the LDS church that serve in the United States, and we also provide services for missionaries in the United States, that lived in the United States that are serving abroad. It's a gratuitous program, there's no premium charged, it's charitable contributions that are used to support that, and all of a sudden it looks like the regulations bring that within the purview of HIPAA. So you ask the question, was that anticipated in law? And it looks to us like it was not, and we wonder whether or not there's really the authority to define health plan that broadly in the statute.

The secondary question that relates to that is that if all of a sudden you're included, in terms of the privacy regulations, does the reverse hold true that if you're included by virtue of the privacy regulations, does that make it still the first part that relates to pre-existing conditions and portability also apply to you? That would be a major concern to us if all of a sudden this gratuitous program that we administer on behalf of missionaries of the LDS church, all of a sudden becomes subject to portability and pre-existing and other related issues.

I'll talk later about the state preemption issue, let's go to the second question, what areas are especially in need of guidance from OCR? What difficulties are providers and plans experiencing coming into compliance? The preemption issue, I'd probably have to say is our number one concern. I know it's been discussed literally for years and I will talk to that later, but it's, as a plan that administers benefits in all 50 states, and we're used to operating under the jurisdiction of ERISA, where we have at least some uniformity to deal with, this is pretty scary when you start thinking about what the regulations might mean in terms of how we administer our health plans.

We're concerned about training regarding the simple issue, this is the third bullet on the second page, the simple issue such as what is a covered entity under HIPAA privacy regulations. While HHS has put out a tool on this issue it seems to be that answering questions from a transactional perspective, and that's kind of a general compound, we've got a lot of experience in developing the rules related to transaction standards, and they seem to have had a pretty strong impact on the privacy standards. And privacy standards is really a different issue.

The employer issue is a big deal. Employers are really confused, and I think sometimes we underestimate how confused they are. We put together a pretty structured training program, we're trying to be proactive, we're trying to help the employers who are affiliated with our organization understand what their requirements are, and I can tell you that when you first initially sit down with them and review this with them, their jaw drops to their ankles, and they say you've got to be kidding me. Then they start raising things that we didn't even anticipate with respect to how these regulations might impact them.

Let me just read this fifth bullet on the third page. Employers and plan administrators are having particular difficulty understanding the applicability of the HIPAA privacy regulations to, among other things, administration of medical savings accounts; flexible spending accounts or health care accounts; on-site and off-site company-sponsored health clinics; flu shots; pre-employment physical examinations; fitness centers; health promotion and health risk assessment programs; disease management programs; health surveillance activities (toxic exposure, drug use, etc.); employee assistance programs; leave share programs; acting as an advocate of employees, etc. While the primary purpose of many of these activities is not to provide treatment, under certain circumstances they can lead to treatment or to the collection of information later used to provide treatment. Therefore, do employers become covered entities by providing or promoting these various programs? If so, then HIPAA's impact on public health and employee relations could be enormous. The regulations could have a dampening effect on these traditional employer functions and an employer's ability to continue to offer group health plans to its employees. Additional clarification and guidance on these and other employer-specific issues would be extremely helpful.

It was interesting, in a meeting that we held earlier this week, we had an employer that has, they have a job share program and it's a really good plan. What it's designed to do is to say ok, if you've reached a point in your life, if you've got something that's happened to where you're not able to work full time, so they work out a job share arrangement to accommodate their health circumstance so that they can work maybe 20 hours a week instead of 40 hours a week. In order to qualify for that you have to submit documentation that you have a disability that meets their standards and allows you to go into this job share situation. And all of a sudden you throw all of this privacy information at them and they say, whoa, do I really want to do this? Just a lot of uncertainty with respect to what it means and it kind of scares them.

Another thing that I think is really important, historically we've kind of looked to employers, employers performed a really valuable role in being advocates for their employees as they interface with administrators of employee benefits, particularly those that administer welfare benefit plans. In so doing you might have a human resources department that, in preparing documentation to support their interaction with the Blue Cross Blue Shield for example, they collect information that's clearly private. You can see the potential of this saying ok, I know that I can get a release authorization the time that I'm helping, but if I keep this and stick it in a file or something like this, what does that mean to me and eventually they just get frightened and say well, call your health plan, we're not sure we want to intervene and help you in terms of the issues that you're concerned about.

Let's see. Another concern we have related to this, and this is somewhat unique to our organizations, but not totally, is the fact that there is inconsistency between HIPAA and Gramm-Leach-Bliley. We're an organization that administers, we broadly administer benefits. We do all of the welfare benefits, medical, dental, life insurance, disability and so forth, but we also do financial benefits. We have 401(k) plans, 403b plans, we administer a defined benefit master retirement plan and so forth. And our concern is that we have a centralized enrollment function, that this information is being collected for both purposes of administering a financial benefits program as well as a welfare benefits program. Does that mean that the information that we collect is subject, when we're using it for purposes of the financial benefits programs, is it still subject to the provisions of HIPAA? That's really problematic to us.

I can give you a real interesting example. We have a major employer that has a practice of sending Thanksgiving and Christmas gifts to all their retirees. They depend on us to keep track of the retirees, because retirees move and we have to send them a retirement check every month, so we know where they are. And so the question gets raised, can we give them this information? Under HIPAA you could not, unless you had specific authorization. Under Gramm-Leach-Bliley, you can. And so, as we've sought guidance on that, there's a lot of confusion.

In fact, I think most recently they said well, the higher standard applies. That really puts us at a disadvantage. If you're in a competitive environment, which we're not yet, you had two plans competing with each other, and one said I'm only subject to Gramm-Leach-Bliley because I don't do welfare benefits, and the other one says well I'm subject to HIPAA because I do, that's a big deal. And so I would hope that we not underestimate the impact of that, it's really important to us. It would seem to us that if you're using the information for purposes of financial benefits, that Gramm-Leach-Bliley ought to apply, not HIPAA. But that's inconsistent with some of the guidance that the uninformed experts I guess would give us with respect to what we do.

The explanation of benefits issues, this kind of relates to another thing that I'd mention later, just as you administer, we have a provision in our plan that is good for our plan participants, we cover their dependents to age 26. In so doing, you have a contract holder that pays premium. It's to their address you send explanations of benefits. When you send an explanation of benefits by definition, there's certain information that you have to provide to allow them to know what you did, to allow them to know what their co-pays might be, or their co-insurance might be. Now you can delete ICD-9 and CPT codes and so forth off the explanation of benefits, but it doesn't solve the privacy issues, you're still saying your 15 year old daughter went to an OB-GYN. I'm not sure we've, we don't really have answers with respect to how you do it. The answers that we have really don't help because the fact that you send an EOB is going to generate issues with the contract holder and the practicality of sending EOBs to different addresses, it's just not practical to keep track of those kinds of addresses and so forth. So that's a concern that we have.

Best practices. We don't know of a lot of best practices. I might mention something that I think is particularly useful that we've done at UHIN that relates to the security issue under HIPAA. We developed a tool we call USET which stands for the Utah Security Education Tool, and it's just a, you know Jan Root(?), some of you might know Jan Root over at UHIN that kind of helped us put this together, but it's basically computer generated training that goes through all the issues that we could possibly think of that relate to security. We developed this for providers, because providers, especially those that are in small practice, they really get frustrated with these kinds of things, they don't know how to get answers. We put this onto a CD, we copied 2000 copies, and we sent it out to every physician in the state of Utah basically.

It's been enormously helpful. In fact, if you were to talk to most physicians that are having to relate to the security issue that have used that tool, they've basically said that's kind of eliminated the issues as far as we're concerned, because we know what to do. Well it wasn't expensive to do, you needed to have some people who had some expertise to develop the foundation for doing that, but it's a great tool, and something like that might be considered with respect to the privacy issues as well.

I mentioned several other things here that, under the fifth question, the NCHICA's Early View Privacy Tool, and the AMA has written a book, actually Jan Root was one of the principal authors of that book that I think has been somewhat helpful.

A training mandate that you reference in question number five, we put together a pretty structured program that's directed to our participating employers and one that relates to our new employees and then train all employees with respect to the work processes and how they might be impacted. My feelings are that if you were to talk to our employers, the efforts of Deseret Mutual on their behalf have probably been more useful than anything else that they've experienced. We've been very proactive, we've considered that it's our responsibility to help them be successful in terms of the things that they're trying to accomplish.

So we're feeling pretty good about that except for the fact that there's so many unanswered questions and it seems like when you get with another employer, they've got five more that we didn't anticipate, that we just simply cannot answer. And as you sit down to talk with people that are supposed to be experts, even people who are involved in drafting the regulations, drafting the law, they can't answer them either, which is a major concern.

Models for public-private, federal, state and local partnership, I would say UHIN. I think UHIN is an outstanding example of a public-private partnership that resulted in something that's been really good for not just Utah, but for the United States. UHIN is owned by insurance companies, by physicians, by hospitals, by the state of Utah. Our board of directors has basically every affected party in terms of the transactions issues that we're dealing with on the board. What we did early in the game, we recognized that standards were the foundation to EDI. You couldn't start with EDI, you had to have standards to be successful in terms of electronic data interchange. We developed a standards committee, we had a very bottoms up approach, in fact I would have liked to have seen this happen with respect to the privacy regulations.

The standards committee was made up of people that were affected by these standards, so you had somebody who was running a billings office in a physicians office, you had somebody that was running a billings office in a hospital. You had people that were running claims shops with health plans. We had a representative from the insurance department of the state of Utah. We had Medicare, we had Medicaid represented in this subcommittee. Then we had a smart person by the name of Jan Root who ran the process, but when we started talking about a standard, a person could look at it and say I can tell you how this affects me. I'm not speculating, I know. They had that level of expertise, it was where the rubber met the road.

As a result of that, when we finally promulgated a standard, there were virtually no unanswered questions, they'd all been dealt with because it was bottoms up process. And you probably all well know that that process, the process that we went through in conjunction with about five other states that we affiliated with, had a profound impact on the national standard. The national transaction standards had very few problems. Now, granted, the transaction standards are a lot simpler than privacy standards, that's true. But I think the process is an outstanding model with respect to how you deal with these sorts of things. Get the people involved that are affected at that level where the rubber meets the road and get some smart people working with them in terms of how you move that forward.

The next issue, the state preemption issue, I guess my summary comment would basically be why isn't anybody listening. This is a big, big deal. In fact as I sit back, I'm a person who's an advocate of privacy standards. I felt for a long time that this is something that needs to happen. I can remember the hearings that I participated with that were sponsored by George Washington University, or was it Georgetown University, about four years ago. Same issues were talked about, but it's like we don't care what the practical implications are in terms of state preemption issues, we are so focused on what we want to accomplish you can just hang it in your ear. That's basically what it sounds like.

Health care is not something that is bounded by state boundaries. We're a state that receives people from all of the states around us. It's not unusual to have a person in a single episode of care receiving care in three different states. That's not an exception. You might have somebody that comes from Wyoming to a Utah based facility, and within Intermountain Health Care for example, they could be referred to Arizona to the Mayo Clinic down there. Same episode of care, three states, three different standards. And where you go to the higher standard rule for a plan like us that we're involved in all 50 states, you look at the combinations of things that we have to keep track of to determine which standard applies in a given situation, it is impossible. It cannot work.

Somebody's got to recognize, I'm also a states rights guy. I think states should do the things they're supposed to do. But this is one that begs for a national standard. On our knees for a national standard, maybe prostrate, we've got to do something different than we're doing, it just is not going to work, and somebody's got to recognize that it's not going to work and quit trying to shove a square peg into a round hole. It just is not right, it is wrong. And we would appreciate somebody taking some initiative and going out and saying we got to change the law. We've got to have a federal standard and I'm supportive of a federal standard, I think at the end of the day it's the only thing that's really going to work and the states that are concerned about that, they've got to recognize the same thing.

Lastly, I think I dealt with most of the issues under question number eight. There's a misspelled word that incidentally, it's the accuracy and quality, not qualify, quality of information and services of vendors and consultants, especially as they pertain to small providers and health plans. And it's just the same issue basically, is answering questions that appear to be unanswered. What's a covered entity? What's a business associate and how are they affected by the regulations? And generally speaking, even the most expert of consultants don't know the answers to these questions.

Thank you very much.

MR. ROTHSTEIN: Thank you very much. Are there any clarification questions? Kepa?

DR. ZUBELDIA: Can you tell us the UHIN effort to draft the standards, was that years before the HIPAA standards were drafted or where does it fit?

MR. STAPLEY: Yes. It was a process that went in a different sequence, when dealing with the privacy it was we had back in 19, I'm not going to get my dates right but it was probably clear back in about 1994, the idea of what if we had a uniform method for handling EDI with respect to health care transactions in Utah. So long before the HIPAA standards became an issue, we started the process of developing standards in the state of Utah. When we did that we recognized that we're a little teeny state out here, there's no way that, we've got to be involved in the national process or we're going to get down the road and have to change everything that we've done. So we were way down the road by the time that the HIPAA issue became real and we had developed coalitions with about five states, Washington, South Carolina, Minnesota, I think Maryland, and Utah, so it was different than this. But it just seems to me like as you deal with all of these questions that seem to be unanswered that still in dealing with those questions, that's a good process. Get people where the rubber meets the road. They can tell you what the questions are. They can inventory your questions then you can start to deal with them in a systematic and logical process.

MR. ROTHSTEIN: If there are no further clarification questions, we'll be back to you on the panel discussion portion. I'd like to proceed to Mr. John Casillas.

Agenda Item: Mr. Casillas, The Medical Banking Project

MR. CASILLAS: Mr. Chairman and members of the subcommittee, unlike my predecessor I'm going to go ahead and stick to script and we'll be following my outline pretty rigidly.

Thank you for this opportunity to testify before you regarding HIPAA implementation in what we are referring to as medical banking. While the components of this industry are well established, it is the rearrangement of core competencies between banks, their medical clients and technology partners, to create new digital networks - in conjunction with HIPAA-derived market pressures - that forms the basis for medical banking.

This emerging segment is primarily, but not exclusively, driven by the implementation of HIPAA's privacy rule in medical payment channels. This fact should be highlighted for while banks and EDI industry groups focused on implementation of HIPAA's transaction and code sets rule, the application of HIPAA's privacy rule fell underneath the radar. This has resulted in a narrow window for gaining industry consensus on impacts and appropriate implementation procedures. My work in this area started in 1996, when I tried to articulate HIPAA's impact in the marketplace. Since that time, my work at the Medical Banking Project has been acknowledged and one large health care trade association, the Healthcare Financial Management Association, delivered a wake up call to the industry that I'd like to summarize and enter into my testimony this morning:

"The role that HIPAA plays in the relationship between banks and health care entities has been largely overlooked - providers must take an active role in ensuring that the banks they do business with fully comply with HIPAA's requirements." Richard L. Clarke, FHFMA, President & CEO, Healthcare Financial Management Association.

While it is clear that the impact of HIPAA on banking partners was overlooked, I want to urge this subcommittee not to overlook the critical opportunity HIPAA's privacy rule represents for demonstrating to banks and the medical community, that the way in which we move $1.3 trillion itself, affects health care efficiency and provides fertile soil for supporting HIPAA policy. The technology that bridges banks with their medical clients is often fragmented, inefficient and not without privacy risks. To be fair, there are payment channels that do offer more security than HIPAA requires, however, our research, and HHS guidance, suggests this is not true across the majority of medical payment channels. My hope is that this testimony will bring this often misunderstood area into the arena of policy inspection.

By way of background, I founded the Medical Banking Project to research, document and facilitate medical banking convergence. I am the HFMA subject matter expert in medical banking and have authored eLearning modules to assist in their education efforts. I have a clinical background and co-founded a firm in '94 to support patient accounting operations for academic health centers. Where the rubber meets the road as my predecessor was talking about is the environment where I grew up in terms of health care administrative operations. This firm was sold to a national firm that provided accounts received financing for community banks, and this was where I started to gain some I guess you would call them unique insights in how health care administrative operations and banking infrastructure meet and what can be done to make that process much more efficient.

I learned about the Berlin Wall, which we call between banks and their medical clients, namely a misunderstanding of the basic financial unit in health care, the medical receivable, and will see that this understanding is one of the critical path issues in implementing HIPAA privacy rule today.

Most banks and hospitals are found in small towns in main street America. These two entities form a critical axis for supporting the local economy. They want to help each other and fortunately, as HIPAA converts paper to electronic processes, this fictitious Berlin Wall is falling. This is good health care policy. Since '94, except for a period of time where I worked for ENVOY/WebMD, my sole career focus has been on helping banks, to help medical providers.

I want to take this subcommittee on a tour of HIPAA privacy rule implementation issues in medical banking using our roundtable framework. But first, I want to describe the research behind this framework. In '98, I visited 50 lock-box facilities, talked to bankers, banking associations, and technology firms, and drafted a largely ignored white paper that identified HIPAA's privacy rule impact on lock-boxes. After President Bush let the privacy rule stand, the white paper began to resonate in the industry and was published in the trade journals. By October 2001, a wave of questions coming into our offices led us to seek definitive guidance from HHS, and we organized a roundtable in Washington, DC. Invitations went out to banks, American Bankers Association, NACHA, Robert Wood Johnson Foundation, and other groups as well. We used this framework to explain our research. HHS unofficially concurred with our findings, however, the issue met with considerable resistance among banking groups present and new workgroups resulted that continue to meet today.

HHS confirmed that where there was access to PHI by covered entity partners, a business association is formed; notwithstanding whether that entity is a bank or other type of entity. In addition, if any entity is performing covered entity functions, the HIPAA privacy rule applies. The concept of functional analysis in HIPAA policy, versus naming a particular industry, was further developed at a speech given by Donna Eden, senior general counsel for HHS at the HIPAA Colloquium. Stanley Nachimson, senior technical advisor for CMS' HIPAA Project Team, confirmed at our recent Medical Banking Institute, held at the 5th National HIPAA Summit in Baltimore, that the current working proposal on the issue delivered by a banking industry task group may not be correct. In other words, the impact of HIPAA is no longer at issue. We are not examining the extent of impact.

There are positive signs of progress and we are seeing business associate model contracts for banks being posted on web-sites. Banking associations acknowledge that in fact most banks will be considered business associates for their medical clients. But they have not fully come to terms with their potential status as HIPAA clearinghouse covered entities. To explain this, I tried to follow the outline, but it's hard to do that when we're trying to assess what is a covered entity in the industry as well, and this is a subject of concern in the banking community.

MR. ROTHSTEIN: Excuse me, I understand the complicated issue of covered entity and we will certainly raise that, but we're not really focusing on what I would consider to be substantive issues, so much as the kind of the what are the technical assistance issues, the areas in need of guidance, OCR enforcement policy, things of that sort, and if you could help us in that area, that would be extraordinarily helpful.

MR. CASILLAS: In terms of HHS guidance, I would say that we need to become much more proactive in meeting with the banking associations. They have developed position or working papers that describe a certain position that has not been generally agreed to by leading experts and that's not all of their position, just portions of their position, and I think that --

MR. ROTHSTEIN: Excuse me, when you say they, who do you mean by they? HHS?

MR. CASILLAS: The American Bankers Association and NACHA developed a working paper and it was a broad based attempt by them to try to identify and isolate the issues. However, their conclusions have not been verified or confirmed and as a result there is on-going confusion about when a bank is a covered entity. That's a serious issue, there are other serious issues with respect to business associates, particularly when a bank is a business associate of a health plan. They have to represent that their network that supports the medical payments process, to the extent that that network has access to PHI, are also compliant with HIPAA's rules and regulations and that is very difficult to do when you're taking remittance information in an 835 for instance and sending it to the ACH network. The ACH network itself, being comprised of four major associations, or four financial clearinghouses, including the federal reserve, as well as perhaps as many as 36 to 40 other types of financial clearinghouses, the payments information moves through these clearinghouses and these entities have access to PHI in some instances. This creates privacy issues throughout the entire network. This is strictly within the ACH network.

There is a section 1179 in the HIPAA privacy rule which appears to exempt payment processing. However HHS provides guidance that when that payment is accompanied with the protected health information, or the EOB, which many 835's are, but they don't have to be, HHS considers the ACH network an open network. In that case, encryption is required although that's in the prospective security rule, and that would create a great hardship for banks because that type of technology isn't currently available today, just for moving the payment.

When the provider's bank receives those remittances coming from the ACH, that bank may in fact convert the CTX transaction, because that's a transaction that's used in the ACH network, and create an 835 file for the medical provider. Here again, the receiving depository financial institution, which is that entity right there, could be considered a covered entity, and they don't understand that. The great majority of RDFI's are community banks. Because there has been a latent impact, I would call it, in this industry, most community banks aren't even aware of HIPAA. There are a number of community banks who understand Gramm-Leach-Bliley, however, the categories of information that Gramm-Leach-Bliley protects are different than the categories of information that HIPAA protects. And as a result, when we speak to a number of these community banks, they say they're already implementing privacy but they are referring to Gramm-Leach-Bliley. So there's an acute need for awareness in this segment and the way that we've chosen to enable that is through roundtable web casts, much like this, where we speak with industry experts and have banks come in and call us to address the issues.

We think a lot more web casts need to be happening in the banking segment just to make them aware of the issue. And some of those web casts are being developed and designed by the American Bankers Association and others.

MR. ROTHSTEIN: I want to see if I'm clear on which banks are doing what in your testimony. Undoubtedly, there are certain health plan clearinghouse functions that are obviously covered by the privacy rule and I assume that you have no problem with that. And then are these, I'll just call them gray area functions, that are not clear and so on. What can you say about the level of compliance planning and implementation as to the health clearinghouses themselves? Are they pretty much on track and it's just sort of the gray area people who don't know what to do or if they're covered and that sort of thing? Am I correct in that?

MR. CASILLAS: I really can't testify as to, you are talking about clearinghouses. Although I meet and greet with them regularly, my understanding with that segment is that they are well, that they understand the issues well and they're implementing them, but I can't really comment on them because my focus strictly is on the medical banking community.

MR. ROTHSTEIN: So your focus then is what I term this gray area, exclusively. So when you use, that's very helpful. Kepa?

DR. ZUBELDIA: I'd like to ask a little more about the gray area. How gray is the gray area? Because what I'm hearing you say is that the bank, any bank, when they translate from a CTX transaction to an 835, that they will be a clearinghouse and I'm not sure that that shade of gray is gray enough to make them a clearinghouse. The CTX transaction is essentially an encapsulation of the 835 and there is no real translation of the contents, it's the 835 gets wrapped with the CTX to be sent through NACHA, but it's the same 835 that was sent by a payer that gets received by the provider. So the clearinghouse concept only would apply if there is conversion from a non-standard format into a standard format or vice versa and in here, my understanding is that that's not happening, it's a standard format that gets delivered to the provider as the same standard format and for transit it has been encapsulated in a CTX transaction. The same as it could have been encapsulated in a FedEx envelope, but the content has not changed, and has not been translated. Will you help clarify that gray area?

MR. CASILLAS: The only issue, and in the scenario that you outline, there probably would be no impact, which is one of the areas of confusion. There are many banks that provide full accounts payable outsourcing services. What they do is they actually receive the health plan's payment file, proprietary payment file, and take that file and reduce it to an 835 transaction, actually creating the 835 transaction from that non-standard file, and then enveloping it in the CTX for delivery through the ACH, as well as taking other payments and doing inter-bank transfers, or developing checks and creating the EOB's, the paper EOB's, that belong to those checks, and then sending them through to the provider. So there's a whole series of banking activities in accounts payable outsourcing that lie outside of the scenario that you just spoke of.

DR. ZUBELDIA: But those are banks that have chosen to be in the clearinghouse business, as opposed to all banks that handle 835's. Right?

MR. CASILLAS: That's correct. But with respect to even --

DR. ZUBELDIA: It's self inflicted.

MR. CASILLAS: Good point. There is an issue though in the average community bank, receives the ACH transaction, and they take the CTX component and credit the funds to the provider's account, or truncate or delete the remaining part of that transaction. The issue is how is that process occurring because in the remaining part of that transaction, it could and often does, have PHI. So I'm sure that you've read reports, one by the Georgetown Privacy Project, where a bank did in fact use that data for credit determination processes. There is definitely an impact of HIPAA's privacy rule in the financial spectrum and again, what we've been trying to do is isolate it. Where does it impact?

I want to go to page seven of our testimony where it talks about industry readiness. We did a survey, and basically we concluded that there's an acute need for awareness. The banking industry, like most impacted segments, has passed from denial to gradual acceptance only recently, and as a result, the need for awareness is acute.

There are myriad legal interpretations, and you said that we don't want to go into substantive issues, but it's almost impossible --

MR. ROTHSTEIN: Well, we understand that you can't get away from them, but that's not our primary focus.

MR. CASILLAS: There's also confusion with Gramm-Leach-Bliley, which we had pointed out. And there's a serious impact on standard loans. And I want to turn to that in page nine of my testimony, also I want to mention that there was a magazine that was delivered out there, that I want to enter into my testimony, it's the article on this issue.

To put this issue in simple terms, when a bank loans money to a medical provider that does not necessarily establish a pretext for developing a business associate contract. When I give you money for your operations, under the privacy rule, if you give me access to PHI through the medical receivable, which is an asset that collateralizes that loan, that would be illegal. The problem is a number of providers do go bankrupt or other things that violate that loan document and as a result the bank has no recourse, they cannot attach that receivable. The issue goes much further than that. This is caused, we are actually developing a workgroup on this but when the bank does provide its receivable as part of the bankruptcy to the bank, without a business associate contract, the privacy rule actually indicates that that's punishable by the worst fines under HIPAA, $250,000, up to, and up to ten years imprisonment.

Obviously, that wasn't an intent of HIPAA, but it is a serious issue in routine lending between banks and their medical clients. I want to suggest that it's an issue that this committee look at further.

There are also a number of entities that sell their receivables. It's a typical business practice to sell your AR in order to finance or to add to your cash flow. The privacy rule, and we talked to HHS at our Medical Banking Institute about this, doesn't address this. It does address it in one limited area, which we show here, that you can do that if the entity itself becomes a covered entity after they acquire the receivable, or the PHI. In other words, the privacy continues after the transfer is made. But a bank isn't a covered entity, nor are all the specialized investment banks that provide these services. And as a result, this is becoming an emerging issue.

In terms of securitization, a true sale is necessary in order to give the investors the confidence they need in order to invest in specialized, what they call SPV's. And if that true sale does not happen, investors will not invest in SPV's. Securitization is a very large industry segment that finances health care in this country.

Finally I want to look at, just point you towards the regulatory conflict that occurs with revised UCC Article 9, which makes transfer receivables much easier for banks but is diametrically opposed to the requirements of HIPAA. The UNCITRAL conventions put out by the United Nations, which are followed in developing securitizations, and the new bankruptcy reform laws, if passed, would be diametrically opposed to transfer PHI in a bankruptcy situation.

In closing I just want to say that I think the subcommittee should initiate general hearings on health care credit practices, initiate cross industry dialogue where you have banks and their medical clients in the same room discussing their concerns. One will provide one perspective, another, another perspective and it's important to develop a cross dialogue between the groups. And I would also suggest that if there is a way that you can organize or support demonstration projects that show how medical payments efficiency can occur in the marketplace, that that would be very useful to this industry.

MR. ROTHSTEIN: Thank you for your testimony. Any other clarifications? Let's open the discussion to both speakers and so do we have subcommittee members with questions?

MS. KAMINSKY: I have one. This is for Mr. Stapley. I want to thank you for your testimony and I really appreciated your broad perspective that you bring to the privacy question and your respect and appreciation for the difficulty and balancing all of the competing interests. The area that really caught my attention was your discussion about the explanation of benefits with regard to, I think you were talking about non emancipated minors who would be seeking some kind of confidential, who were able to seek treatment without parental involvement. We heard that same issue raised at the Baltimore hearing that we had last week and I guess my question would be, I sort of tried to think through a little bit, what the alternatives are. Clearly somebody in that situation can sort of pay at time of service or I guess there's also, the rule, the privacy rule allows for seeking confidential communications, which you said is impractical to implement, so what would you suggest as a way to protect confidentiality or privacy in that situation?

MR. STAPLEY: I can raise questions, I don't have all the answers. To me, the challenge you have, you have a contract holder that's agreed to pay the premium. They're the one that's financially responsible for paying the bill. It doesn't just relate to non emancipated minors, I mean you could have somebody on our plan that's age 25 and going to Harvard to school, it's affected the same way. And that is that your system automatically generates an explanation of benefits. Now we can change the explanation of benefits to delete the information, we can delete CPT, we can delete ICD-9 and those sorts of things, but the realities are the mere fact that you're generating an explanation of benefits and sending it to the policy holder raises the question.

So in reality you haven't accomplished a whole lot. There's still enough information on the explanation of benefits if the person is going to see an OB-GYN for example, that says ok, something is going here, that maybe I did not anticipate. I don't know exactly what the answer to the question is unless you go to the extreme and basically say, you're not going to like this, but say that if you've got a contract holder that has financial responsibility for paying the bills, that you're going to have to have some exemption process associated with it. I don't know what else to do.

The EOB is a very very important part of control in administering a health plan. When I send an EOB to somebody, I expect them to look at it and say did this actually happen. And if you eliminate the EOB, you eliminate a critical part of control in terms of preventing fraud and abuse. So you're still going to have to do the EOB, and I just can't think of a good way to say ok, when you've got dependents out there that are seeking health care under that person's contract, irrespective of what information you delete, the mere fact that you're sending an explanation of benefits raises questions. You may not explicitly answer those questions in terms of providing personal and private health information, but you've raised the questions. And the policy holder might go and say what's going on here. I don't know how you answer the question unless you go to the extreme and say ok, somebody's going to pay for your health care, they're probably going to have to know something about what's going on.

DR. ZUBELDIA: I think that we've discussed this a long time, back about four years ago. If the person is seeking benefits under a health plan, at some point the entity or person that is paying for that health plan contract is going to know that there was some benefits drawn from the plan. The policy holder will have to know there were benefits drawn from the plan by one of the dependents. I think that the only practical solution is going to be like you said, cash payment at the time of service, because if you draw benefits from the plan, even if the details of that EOB was to be sent to the patient, the person that is paying for the plan will end up knowing. I don't think there's any practical solution to that.

MR. STAPLEY: That's the point I'm making, the generation of the explanation of benefits raises the question, even if you delete all the personal health information off of it, but it still raises the question. And to eliminate an EOB to me is irresponsible, it's your basic control mechanism to prevent fraud. Happens all the time, we have people call and say I got an EOB that says I received care from so and so on such and such date and I didn't. If you actually publicize that in a given situation, you're not going to generate an EOB, guess what you're going to do? You're going to generate a lot of fraud.

MS. KAMINSKY: Given the array of state law out there on privacy, this can't be a new issue.

MR. STAPLEY: It may not be a new issue but the practicality of it is kind of a new issue, it's something that people have not thought about in a real sense in the past. I don't know that we've sat down and contemplated the implications of what's on the books in Utah state law until we saw what's happening with respect to the HIPAA privacy rules. But it's, just from a practical perspective, you're going to ask somebody to pay the bill, eventually they're going to find out that a transaction occurred. Once that question's raised, the subsequent questions naturally follow.

DR. ZUBELDIA: If one of my children uses my credit card, they may tell the merchant I don't want you to send a receipt to my parents, but I'm going to find out. The analogy is pretty much the same.

MS. KAMINSKY: I understand, I'm just looking for solutions.

MR. STAPLEY: I don't know that there is a good solution. I think what Kepa said is probably valid. It's just, the contract holder is going to find out.

MR. CASILLAS: On the EOB, from a patient accounting perspective, that information is critical to update the financial records, from the provider's perspective. I don't know if the EOB's that are going out to the patients and the EOB's that are going out to the providers can be different.

MR. STAPLEY: Oh yes, they can. They are different. An EOP and an EOB are different in terms of what you do.

MR. ROTHSTEIN: Other questions from the subcommittee members? Well I want to thank both of you very much for your testimony. I appreciate your coming today and also appreciate your written comments, which we will certainly consider. Now we will move on to our subcommittee discussion of our potential recommendations and drawing things together. Are we ready to get John on the phone?

DR. HARDING: Mr. Chairman, do you expect that we will go straight through between now and 12:30? I'm just thinking of checking out of the room.

MR. ROTHSTEIN: Well, then I suggest we take a ten minute recess and check-out and then come back so we can go straight through.

[Brief recess.]

Agenda Item: Subcommittee Discussion on Recommendations

MR. ROTHSTEIN: We are back on the record so to speak and this is the portion of the subcommittee hearing when we are going to be discussing potential recommendations and matters to bring forward to the full NCVHS. For the benefit of those listening to us on the internet, we now have a speaker phone where we can reach another one of our subcommittee members who is not able to be at the hearing. So John, would you please introduce yourself?

DR. DANAHER: My name is John Danaher. I am a member of NCVHS, I'm also a member of the subcommittee on privacy and I work as the CEO of an eLearning company that provides training on health care compliance, including HIPAA. I do not believe my participation in these discussions and in this meeting represents a conflict of interest. Thank you.

MR. ROTHSTEIN: Thank you John. I have distributed to the subcommittee members some notes that I made and let me make some suggestions and see how the members feel about this. I don't want to be prescriptive or direct our discussion on these issues but we have heard so much testimony and over a hundred recommendations that I counted, that I thought it might be valuable to kind of sort them, categorize them, and extract some of the more interesting ones and put them in categories.

Here is basically what I was thinking. Marjorie made what I think is a great suggestion and that is that we separate, basically have two documents that we submit, assuming that full committee agrees. One would be a rather short letter, and in addition to that then there would be an attachment where we could go into greater detail on the particular recommendations that we want to put forward. I think that's valuable because on the one hand, it's generally not been our practice to have these very detailed to the Secretary. On the other hand, OCR really is looking to us for specific guidance based on the hearings. And I think we can satisfy both of those concerns using that format.

What I would propose and see what you think of this, is to in the introductory letter, put things such as that we have heard from various witnesses who supported the testimony in a general sense that we received in Boston and our conclusions that we put in our September 27th letter, that there's general support for the goals of HIPAA and the privacy rule; that there is support for the August 2002 amendments to the rule; and that there have been positive reactions to the guidance, to the FAQ's and the publication of the integrated text in October. And indicate that some of the specific findings that we learned from the witnesses would be included in the letter but we would save as an attachment the recommendations.

So in other words, some of the findings you see on the findings sheet that I've distributed and we can talk about that, subtractions, additions, etc., but we could say, for example in the letter, just to pick one, there is continued confusion and misunderstanding and so forth. Those kinds of comments would be in the letter and then when we got to the attachments, we could go through some of the suggestions. For example, just to pick the first one on the list from what I put as education outreach. The recommendation that OCR needs to prepare a one page handout on HIPAA, etc. So that's my sort of starting point suggestion on how we might want to proceed and the floor is open for comments.

DR. ZUBELDIA: My reaction to that is that there are a lot of recommendations that are going to come in the full report. And it's going to be very difficult to summarize them into one page, or two pages, we're going to have to pick and choose and just have very very brief summaries with, there will be a lot that we can't even touch on, on that page. I'm wondering if it would be just easier to have a full report with a cover letter.

MR. ROTHSTEIN: That's another option but as I envision the actual letter to the Secretary, we wouldn't even be commenting on any of the recommendations at all, or attempting to summarize them, because there are so many of them and they're so complicated and so forth. The only thing that I thought might be valuable is to include the findings, because we had in our first letter things that are, for example, the problem with vendors and consultants. To the extent that we could put in our follow-up letter information that related to what we said earlier, I think it would be valuable. So the findings that I've distributed that are things such as, I mean we heard some very powerful statements that I would not like to see buried, such as some providers who are trying to comply have become so frustrated that they're going back to paper. And that is just so contrary to everything that we're trying to do, or Congress is trying to do with this law, that the fact that we heard that and similar things, I think we ought to highlight in the letter and then get to what we can do about it in the recommendations. So that's just an explanation but your alternative is certainly, we could do it that way as well.

DR. DANAHER: Mark, I'd like to put a suggestion out. I liked your idea of a short form kind of summary letter, not weighing in one way or another on the recommendations, then a larger letter that kind of really tries to capture essence of what we've heard. I would create in that larger, and I would make reference to it in the cover letter, in the shorter two-page letter, I think what we heard really falls into two categories. I think one category, and I mentioned this to Stephanie last time when we were together in Baltimore, one bucket of things is kind of tools or mechanisms to facilitate communication and to facilitate adherence to the regulation. And everything from sample authorization forms to calls with OCR and meetings with the regional medical societies, etc., so that's kind of one bucket I see. Tools and mechanisms to facilitate communication and to enhance adherence to the roll out dates, etc.

The second bucket I thought were more kind of here's the advice or concerns that we're hearing from the provider community and the covered entity community or the hybrid entity community. For example, state preemption analysis is just killing us, there's no way around it. Research, we just really aren't able to make heads or tails of research and this is what we recommend, etc. So I just would conclude my remarks by saying I like your idea of your initial format, I would just then break it down into kind of these two categories because I think that one category are very actionable, easy to decide things. Yes, we can do sample forms, or no we can't do sample forms. And then the others are things that require much more deliberation and are more HHS or driven and would require much more discussion and debate.

MR. ROTHSTEIN: Well, actually, that's the way I started. I originally only had two and I wound up with six. We might want to chop the six back to four or five or three but there are certain things that we heard that only Congress could do. And there are other things that we heard that would really require kind of HHS-wide efforts, because it involves CMS and so on. And then there were other things that were kind of, OCR could probably do tomorrow if they wanted. And then there were the substantive areas, lots of areas in which people have said we need guidance on X, Y, or Z. Marjorie?

MS. GREENBERG: Well, I probably support the recommendation that I made to you, at least over a two day period I'm being consistent. But because I do think that something shorter that conveys kind of overall findings will be read by everyone but I think obviously there's so much richness that we've heard in the testimony plus the Department is really looking to the committee I think to be as specific as possible, and I think it does work better in kind of an attachment, which is like a report. It's also semantics at this point, so it's not that different from what Kepa is suggesting although I think he was talking about maybe even kind of a shorter cover letter, but I think we should try to get the essence at least of the findings into this letter, the cover letter or the letter.

On the other hand, I think if there are any conclusions that the subcommittee has drawn about the way forward, it would be good to get those into the letter as well, anything that you really don't want buried, there's so many specific things and they can all go into the attachment.

I think this first one, and we heard it I thought fairly eloquently this morning as well, about this continued confusion, I think it behooves the subcommittee to come to some conclusion as to whether you feel there can be adequate implementation and compliance by the current deadline, given what you've heard. You may want to punt on that but that's the bottom line isn't it? There are six months, no matter how many recommendations are made, there are only so many that can be followed through. Even if you had ten million dollars, it's just so much time people have, and when they get guidance they then have to implement it into their systems. I think the bottom line is where you come out on that given what you've heard and then depending upon where you come out, what you'd recommend.

So if there's any kind of overarching kind of conclusions, then I think those should be in the letter, in the short piece, and I think it'd be useful just to have some brief discussion about that right now. I'm kind of conflicted on the subject because, and I don't even know whether delays are possible. Certainly people have talked in terms of at least delaying any kind of heavy enforcement but then also we've heard testimony that people feel that even if the Department takes a soft approach, there are litigators, etc., out there ready to pounce.

So I think what we have heard is definitely sobering about the ability of even I'd say where people really have their act together about people to comply with everything by the deadline. There were some recommendations that at least the Department should put out, these are the things that they really have to have by, and I think that's something worth thinking about and again, at least referencing that could be in the letter.

The other thing I think that we have heard and again, this is not something that can be easily addressed in the short time period, but it seems that where there are coalitions at the state or regional level, they've got a much better chance at least of having a coordinated approach and of being able to help people who need help in complying, etc. Massachusetts, UHIN, North Carolina, etc., but I think we've heard from the major ones and frankly there are a whole lot of parts of the country where I don't think there are coalitions like that.

I feel that really to make the whole, it may be true with the transactions, too, but probably more with privacy, it's true with both, but to make this really work and be successful, you're going to need those types of coalitions really throughout the country. And what can be done to encourage their, I mean this is what kind of has really been striking me as I've been coming to all three hearings, what can be done to encourage that kind of development, throughout the country, grants, whatever, I don't know that these are realistic thoughts, but I've concerns on two parts about this.

One is just the ability to really get everybody into compliance. But the other is the consumer out there who if they start getting different privacy, notices of privacy practices and different things from every different provider they go to, etc., and there's no coordination, this is just going to be chaos for the consumer and it's going to undermine I think what's intended. As well as issues related to research projects and public health, there's just so many areas that if there isn't a coordinated approach across a region, it's going to be kind of chaotic.

Anyway, those are areas that I'd like to hear your thoughts on and also if you had conclusions on them I think would belong up front rather than buried.

MR. ROTHSTEIN: Well one thing that we might do is as we go through all these various recommendations we heard, if the subcommittee thinks that something is really important we can sort of pull that out and move that forward as the top three things that we heard. And I'm certainly willing to discuss the issue, I don't think we can get away from it, on whether we should recommend some sort of delay in the implementation date or say something --

MS. GREENBERG: Phased, or something, I don't know. It definitely is questionable what kind of level of compliance we can realistically expect by April.

MR. ROTHSTEIN: It's certainly implied in what a lot of people said. Richard?

DR. HARDING: I think one of the things that indirectly talking to your point about the delay, is the sea change that I perceived in what's truly motivating people all of a sudden to change, that it's gone from trying to do what the law requires, to what I heard during much of this was more covering themselves. Clearly that its changes, and of course that may increase the compliance, that may speed things along during now and April, but it is terrible for the way people will see, it will become like EMTALA, where it is a burden and not the positive protection of our patients and citizens that was intended originally. And I'd put that into the equation, too, when you talk about delay or not.

MR. ROTHSTEIN: Well I think certainly fear of enforcement is one of the things we heard repeatedly, or perhaps overzealous enforcement is a fear and I think you're right, that it's becoming a prime motivator when it should be kind of an ancillary motivator.

So what's the wish of the subcommittee? Actually one of the things that we can do, I hate to, we can defer for a while the question that, whether we want to go with the Kepa, very brief model, or the Mark, little longer model for the letter. Maybe we can put that off until we go through the sort of substantive. Would that be ok?

MS. GREENBERG: I think we can work through this and see where we end up.

MR. ROTHSTEIN: Marjorie, do you want to put your issue on the table first or last?

MS. GREENBERG: This is your call, I just wanted to --

MR. ROTHSTEIN: Well, maybe that would be, maybe it would be better to do that last, once we figure out all the things that we've heard.

DR. DANAHER: Marjorie's issue is whether there should be an extension?

MR. ROTHSTEIN: Correct, whether we should recommend an extension. We might say something, there are all different ways we could do it. We could say we have serious questions about whether compliance can be achieved by April without saying that we're recommending some extension or whatever. I don't know what sort of power we have to do it anyhow.

MS. GREENBERG: It is just there's so many unanswered questions. The question I think the bottom line is, do we want implementation with all these questions unanswered? And then can we just kind of slide into further implementation as the questions get answered? I mean you never have all the questions answered and to some degree you don't get questions answered until you actually implement. Of course there are the issues with the security rule as well which I think are non-trivial. But nonetheless, you can delay things forever and I'm definitely against that, but I think you owe it to the Department to just tell them what you think having heard all this.

DR. ZUBELDIA: With the transactions, there was this issue with the addenda. And the addenda actually modify probably less than five percent of the transaction content and after the addenda are published, then people still have probably eight months or more to implement the addenda. Probably more close to ten months to implement the addenda. On the privacy rule, the modifications in August were pretty substantial, affecting consent, pretty substantial change, and there's only six months to implement those changes.

DR. DANAHER: Marjorie, I think one of the most confusing things about the roll out and implementation of certainly of the privacy portion of HIPAA has been the extensions. I think the extensions have really had the net effect of causing great confusion certainly in the covered entity community.

MS. GREENBERG: You mean the transaction extension.

DR. DANAHER: The transaction and code sets extension. And as you know, we heard a bunch of times, very learned people come in and say they made the mistake of thinking that there was also, in the testimonies, thinking that the extension also applied for the privacy regulation. I guess my, there are two things that I would like to just say about an extension. I really do think it would have, it would further dilute the effect that we're trying to have, number one.

And secondly, I think it would only create further confusion and I just worry that the net effect if we were to any way shape or form kind of proposed that would be to in one way or another kind of kill a lot of what we're trying to accomplish. And I refer to the patients' rights movement in terms of managed care how everyone is saying now that that appears to be dead. I just think that what could kill HIPAA is for us to be continually issuing extensions and then confusing the message and really only confusing the covered entity or the hybrid entity community.

So I guess I think what I would, and I know perhaps Mark we're getting ahead of ourselves here, but I think what we need to do is to really strongly recommend to OCR and to NCVHS and HHS that we need to do a whole bunch of outreach things which haven't been done yet. But I think the big mistake is the message that we've got to send is that April 14, 2003, is not the end all of this, it's just the start of this. And the point is, is that this is a wonderful good thing despite a lot of the criticisms. I really didn't hear that many people saying oh, this is the wrong thing to be doing. They were just saying boy it's difficult to do.

So I guess what I would just suggest is rather than extension, we just need to kind of change the mind-frame and the mindset of what we're communicating to the constituencies and say this is something that's going to be with us forever, this is good stuff to be doing, April 14, 2003, rather than being the drop dead date is actually the official launch of what we will be doing going forth, which is providing you with all kinds of, and we'll do it between now and the next six months, all kinds of great resources, all kinds of great tools, because we don't, just like TQM or something like that, you never quite get to ok, we're in compliance with privacy, it's always a goal that you're striving to, it's a process enhancement thing.

So that's why I think if we kind of say oh, we've got another year in which to get into compliance, we're just going to really confuse everybody and risk really diluting and killing the message.

MS. GREENBERG: I don't disagree with you and I'm not arguing for an extension, I love what you articulated. I'm just saying that I think the bottom line is the extent to which you feel that there is enough information out there now, or could be enough between now and then, for realistic compliance or whether they're, if you look at the way you've put it sort of this is not the drop dead date, which I think the way people are seeing it right now and they expect to drop dead actually, potentially at that time, or they fear that that will happen, that this be an evolutionary kind of process, is very good. And again, maybe setting those priorities and saying there's really no reason why everybody, particularly if appropriate tools are provided, can't have done A through X or A through J by April 2003, but maybe M through whatever, this is obviously going to take longer.

DR. ZUBELDIA: That may be the trick here. One of the common themes that we've heard is the fear of enforcement because it's the unknown to how the enforcement will happen and perhaps we could make some specific recommendations that would include kind of a plan of action and a plan of enforcement as guidance to the Secretary for a future enforcement rule and how they should be looked at. And rather than an extension, just make recommendations on enforcement.

MR. ROTHSTEIN: I think we've got several to discuss that are coming up later. Gail?

MS. HORLICK: I was going to suggest, what would be considered acceptable for a good faith effort for a first step so you can work out standards. We will probably never answer all of the questions as you said, but it's so difficult to implement when there are these unanswered questions. So maybe we could put examples in that fashion about what would, the speaker said just tell what I need to do, and so would at least OCR consider the basic things they'd be looking for until all the questions are resolved or some intermediate stage.

MR. ROTHSTEIN: I think we run a risk of having sort of the integrity of the statute undermined by another extension given that we've had the transactions extension, the delay in the standards, the security rule, I think it would be, it really would undermine the ability of HIPAA to ever get off the ground if we recommended that. Also I think there are a lot of covered entities that have devoted a tremendous amount of time and effort to come into compliance and relative to their competitors, we are in effect punishing them saying well, you didn't have to do it anyhow, if you'd just said you can't do it and whined enough, you would have been given additional time. And it also, we have sort of the consumer concern, and there was a law enacted in 1996 and people expect that heightened standards of protection are going to apply to their protected health information. And because of sort of technical or logistic financial problems, I think we'd have a hard time justifying saying well, you're not going to get this protection for maybe another year. Stephanie?

MS. KAMINSKY: I'm agreeing with a lot of the points that are being made. I guess my, it seems to me that some of the frenzied activities, especially since the final rule was put into place and the seriousness with which people are taking the privacy reg right now, are tied to the April compliance date. I think though, to the extent the subcommittee can focus on what those concrete recommendations should be for OCR or the Department with regard to education outreach and technical assistance, that would be probably the most helpful thing right now.

And I guess what could be wrapped in that would be a recommendation that the Department or OCR is very careful to be clear, to communicate to the covered entity community some of their enforcement strategy to alleviate some of the fear and misinformation or sort of questions that are out there. So that if the approach that I've heard articulated by our director, which is a very covered entity friendly technical assistance oriented cooperative approach, is part of the outreach education and technical assistance communications that we are recommending, it can just be sort of folded in.

And I'm a little concerned about our, the Department and OCR's short resource, small amount of resources, and I wouldn't want a preoccupation with hammering out enforcement issues right now to take away from the need to do all of this outreach education and technical assistance. So I would just try to fold into that a commitment to be clear in communicating to the country what the approach will be with regard to enforcement.

MR. ROTHSTEIN: Richard?

DR. HARDING: We can move on on this, but my concern, one of my concerns, is that if we maintain the drop-dead or launch April 2003, that there is a tremendous reservoir of doctors and hospitals and CE's that are going to throw money at this between now and April to non-accredited vendors and that's going to lead to a very cynical group of people following that if those vendors don't give them what they "paid their money for." Because we don't know what --

MR. ROTHSTEIN: Because we've seen that already.

DR. HARDING: Right, and they're going to do it between now and April, I can tell you, they're going to be compliant because they don't want to go to jail, so they're going to pay $500,000 dollars like that oncologist said for something, and they're going to be cynics from that point forward if that's not what they need. That's a concern. And I like the idea that John is talking about the launch, some how to do that, but I don't know if the resources are available to educate people as to whether this is a launch or a drop-dead in the next few months. That's what I'm really ambivalent about whether to go forward, or to recommend, not that we're going to decide that, but ambivalent about that because of those competing factors.

MR. ROTHSTEIN: Well everyone has had a chance to weigh in on this general issue, which is an important one. And I'd like to take the prerogative to the chair to move us forward so we'll just recognize that we're going to need to come back to this and probably, even undoubtedly, the full committee meeting people will want to bring this up. So I'd like to see if we can get agreement, at least on some of the items that I've put in here, we can make additions, subtractions, modifications.

So I'd like to ask you to take out the sheet that's called findings. Now keep in mind that these are in no particular order, they're based on whatever sheet of paper happened to be on top when I went through this. These are things that I pulled out from the testimony that we heard and they are obviously subjective in the sense that I made some judgment as to which ones were more important, but they're simply recasting things that we heard. And for the benefit of the people on the internet, I will read the short list of nine and then we can see whether we want to add them, or highlight some. Let me just read my nine and I'll get to additions and stuff.

First, continued confusion, misunderstanding, lack of guidance and technical support. Second, well under half of small providers have made any effort to comply, and that's an estimate of course that we heard in Baltimore. Third, vendors and consultants continue to prey on covered entities.

?? That's a little heavy maybe.

MR. ROTHSTEIN: Well, yes, some vendors lacking the ability that they ought to have and consultants have done that of course, it would never be written in these terms.

Fourth, many rural providers have given up on the idea of compliance saying in effect I can't do this, let them catch me. Fifth, the difficulty and expense has forced some providers to abandon EDI and go back to paper. Sixth, Medicaid providers may drop out of the system because they can't afford to comply and can't pass on the added costs to Medicaid.

MS. GREENBERG: I would just say Medicaid and other safety net providers to broaden it beyond Medicaid, but clearly we've heard concern about --

MR. ROTHSTEIN: And that's something that was from the Baltimore hearing. Medicaid and other, I'll just put safety net for now.

DR. DANAHER: Hey Mark, may I comment on one or two that you've just read?

MR. ROTHSTEIN: How about if I get through them all. Seventh, the fear of violating HIPAA is leading to adverse health outcomes. For example, failure to share health information about one patient where it would help with the treatment of others, lack of public health reporting, etc. Eighth, it's been estimated that there are nine to 15 million health care workers who will need to be trained, and there is a shortage of training materials and funding. And ninth, there is a great fear of overzealous enforcement that will be costly to defend against so even if you're in compliance and you're going to have to hire legal counsel to defend against this.

So those are nine and Kepa has three more that he wants to add.

DR. ZUBELDIA: Ten, without preemption, compliance with multiple state requirements simultaneously may be impossible. Eleven, the multiple preemption analysis by multiple covered entities in the different states are wasteful, difficult, non-definitive and very expensive. I think everybody has agreed on that. Twelve, state or regional coalitions are very effective.

MR. ROTHSTEIN: Ok, John, I'm sorry I cut you off before.

DR. DANAHER: No problem, Mark. The two that I just want us to be cognizant of because I know that the, I want us to be careful that we don't pass around urban legend, or pass on urban legend to the Secretary. And the two that I'm referring to are the one about providers not submitting claims electronically and doing it in paper to get around being classified as a covered entity. That was an initial concern and fear voiced by a lot of the payers. I don't believe that there is any evidence of that, and I know that they were reacting to that and concerned about that, but I don't know of any actual cases --

MR. ROTHSTEIN: Excuse me, John, the oncology group, the woman who was the administrator from the oncologists, specifically stated that in her testimony.

MS. KAMINSKY: This was during the public testimony in Baltimore, John, I'm not sure if you were there.

DR. ZUBELDIA: Was it that they're considering going to paper or that they're actually going to paper.

MR. ROTHSTEIN: No, she said they're actually doing it. And also there was testimony by the rural health guy from Oklahoma, and I can't remember his name, who made the statement about the, they're losing their Medicaid providers.

DR. DANAHER: Those are the two ones that I would, I guess here's what I would say. I think that, my suggestion would be that we validate and verify some of those before we put them in a letter to the Secretary just because I've heard those things also, I'm not sure that, in health care as we all know there's a lot of fact from fiction so I guess before we say there are a significant or whatever, we just need to be very careful of the adverb or the adjective that we use. I guess my take on it is, is that I've heard a lot of those stories, point in fact when I've gone back to kind of figure out whether they were true or not, I did not find them to be as credible as people had them be. So I just ask that we just be careful and validate some way.

MR. ROTHSTEIN: I think your point is well taken and what I would propose to do when writing this up would be to put it in phrases like at least one witness testified, we heard testimony that, without drawing any sort of conclusions as to the veracity of the testimony or the widespread nature of the problem.

DR. DANAHER: I think that would be good. Or something such as concerns were raised that providers, to skirt the covered entity designation, would move, you know what I'm saying, just something that doesn't, that protects us a little bit. Point in fact, if we can document this three or four big groups that actually did, then I'm all in favor of saying, I just want our credibility to stand sterling throughout this process.

MR. ROTHSTEIN: Well, we're just going to report what we heard and not try to draw any conclusions that are not warranted by the testimony. The one thing that we obviously can't do, both because of lack of time, lack of resources, etc., is to try to track down and double check whether what people told us is in fact true.

So we've got three more from Kepa. Anybody want to add more, or take more out, or make some sort of amendments?

MS. KAMINSKY: I would do two. One is, and these are really small things so maybe they're not worth at this level of discussion, but in your first point, your very first point, I think that we heard a fair amount of frustration as well and I think it would be --

MR. ROTHSTEIN: Confusion, frustration.

MS. KAMINSKY: I think frustration, there's some pent up --

MR. ROTHSTEIN: Well, we also heard anger, too.

MS. KAMINSKY: Well, depending on how you want to phrase it, I think that those are important sort of pieces of this whole process that should be communicated. The other thing I would say, and this is also a small point, is in your point number seven about the adverse health outcomes. You talk about failure to share health information about one patient where it would help with treatment of others. I'm not sure what that is.

MR. ROTHSTEIN: There was one witness who testified that there were two patients, I think Baltimore as well, there were two patients that came in to the ER, separated by some amount of time, and they couldn't get information on what was done to the first patient because of HIPAA concerns and that would be helpful in treating the second patient. I think that's based on misunderstanding of the rule and in fact you can get that, but the point is in number seven, is fear of violating HIPAA is leading to this.

MS. KAMINSKY: I also think we heard and I'm trying, and I'm trying to go back now and sort of skim over some of these agendas and have my brain sort of jostled, but from some of those government entities there seemed to be problems with sharing information outside of the covered entity when sort of social service organizations were involved with the care or treatment of a particular individual, so that wasn't --

MR. ROTHSTEIN: That was Boston.

MS. KAMINSKY: Yes, we heard that in Boston. Although I thought we heard that yesterday from Burt Cohen from California. So I don't know if that falls in that same category and I don't know if anything can be done about that, although I think maybe it should be looked at, that's all.

MR. ROTHSTEIN: Ok, thank you.

DR. ZUBELDIA: So how would you express that finding?

MS. KAMINSKY: Let me think about it. I don't have an answer right now, I just wanted to put it on the table, I'll think through and I'll look back at the testimony and see if there's a way.

MR. ROTHSTEIN: Let me ask a question. I got this nine to 15 million figure from one of our witnesses. Is that accurate? Does anybody know the number?

MS. GREENBERG: Well millions we know.

MR. ROTHSTEIN: Yes, that's true. We could just say millions of health care workers will need to be trained.

MS. GREENBERG: There might be better estimates, I don't know.

DR. ZUBELDIA: I think I heard that they have to be trained probably more than once.

MR. ROTHSTEIN: And in different ways. And I think that's one of the things we heard repeatedly is that you can't use a one size fits all approach, you might have 12 different training systems for a large health care institution.

MS. KAMINSKY: And along the same lines, I don't know if it's worth mentioning, the lack, the shortage of funding is not just for developing the training materials, but it seems to me that there are serious costs with taking folks out of the workforce and we certainly heard about that in the long term care industry especially where there are staff shortages. I don't know if that matters, that level of detail.

DR. ZUBELDIA: Training materials and the training itself become very expensive. If you want to add another finding, you said it, it's that one size does not fit all, one size of training. Or one version of the preemption analysis does not fit all either.

MS. GREENBERG: Kepa, your first and second both had to do with preemption, right?

MR. ROTHSTEIN: And maybe we can combine them somehow.

MS. HORLICK: Kepa, could you read your preemption --

DR. ZUBELDIA: Ok, what I have number 10 is, without preemption, compliance with multiple state requirements simultaneously may be impossible.

MR. ROTHSTEIN: Without federal preemption.

DR. ZUBELDIA: Without federal preemption. We heard that if there is a single episode of care delivered in multiple states, it may be just impossible because of conflicting state requirements.

MS. HORLICK: We also heard that it would be helpful to get at least the federal preemption analysis done.

MR. ROTHSTEIN: We have that coming later.

DR. ZUBELDIA: The second one that I added is the multiple preemption analysis by multiple covered entities in the different states are wasteful, difficult, very expensive and non-definitive, because you're going to have to look at them constantly.

DR. DANAHER: Kepa, on that point though, we're in a little bit of a bind because these state privacy regulations already exist. So to say that they're, and these organizations ostensibly are supposed to be abiding by them, so there's an element in me that kind of says that they're looking -- I think HIPAA's the first time that they've ever tried to accurately adhere, or felt that they were forced to accurately adhere to a state privacy regulation that are currently in effect. So I think what the difficulty they're having is working through operationally how to begin that process of adhering either to a state or federal standard.

DR. ZUBELDIA: John, what I'm trying to express with that point though, is something very different. If you have the state hospital association doing a preemption analysis, and the state medical association doing a different preemption analysis, and each of the payers that operate in the state doing their own different preemption analysis, it's very wasteful and at the end there's no concordance between the different preemption analyses and I'm just stating this as something that we've heard.

DR. DANAHER: I agree with you, sorry, I misinterpreted.

MR. ROTHSTEIN: There's a number 14 that we can add and that is that --

MS. GREENBERG: What was 13?

MR. ROTHSTEIN: 13, one size of training does not fit all.

MS. GREENBERG: Oh, I just added that to nine, or eight.

MR. ROTHSTEIN: And 14 is that consumers have no idea about the rule and their first exposure is likely to be the notification and they're not going to be able to handle it.

MS. GREENBERG: I think what we heard, we heard more about this in Baltimore, but that there is a need for consumer education but there is also risk if you come out too strongly with consumer education, when the physician provider community is not adequately educated, this could really undermine relationships, too.

MS. KAMINSKY: There is that but I do think it would be important to emphasize how little has been done to educate the consumer, when this whole rule is supposed to be for the benefit of the consumer.

MS. GREENBERG: Oh absolutely. Obviously you just have to do both.

MR. ROTHSTEIN: Ok, any other additions? We'll put the findings aside for the time being, we can come back to that.

The largest list is on education outreach and technical assistance and I will run through those for the benefit of those who do not have copies in front of them. And I apologize for the fact that they are not in any particularly logical order and that will be cleaned up at some point.

First, OCR needs to prepare a one page handout on HIPAA for providers to give to their patients.

MS. KAMINSKY: There's the consumer problem right there.

MR. ROTHSTEIN: Two, outreach efforts need to be segmented beginning with those most vulnerable to discrimination and hardest to reach, such as the chronically ill, the mentally ill, and substance abusers. Third, technical support needs to focus on "fragile providers," rural doctors, Medicaid docs, A&P's, etc.

Fourth, OCR should establish covered entity industry teams to assist each industry with its unique issues. Fifth, the OCR web-site needs to be revamped, segmented by industry and other classifications, and containing norse(?) links to professional and other groups, such as provider associations.

DR. ZUBELDIA: I would like to make sure that we say that the current OCR site has been praised by many of the testifiers, let's not give the impression that it's a piece of junk.

MR. ROTHSTEIN: Praised but it could be improved with the following focus. Six, OCR should publish a list of topics on which vendors and consultants may be valuable, and the areas that covered entities can do on their own. Seven, OCR should contact those filing for extensions to inform them that they are covered entities for the privacy rule.

MS. KAMINSKY: That they may be covered entities.

MR. ROTHSTEIN: That they may be.

MS. GREENBERG: What, for transaction extension?

MR. ROTHSTEIN: That was a suggestion I think that was made in Baltimore. Eight, OCR needs to train regional OCR staff and speak at professional meetings. Nine, state specific notices need to be developed so in other words, because of more stringent privacy laws in state X, their notice is going to have to be different. Ten, OCR should have regular conference calls on compliance issues. Eleven, OCR should have web seminars. Twelve, OCR should start a monthly newsletter, for example, to all Medicare providers.

Thirteen, OCR should sponsor a train the trainer programs. Fourteen, physicians have never heard the message that the privacy rule is part of an effort to save ten percent or more on billing and transactions. Fifteen, public education needs to proceed along many tracks, including editorial briefings, extended radio and TV interviews, feature articles, town meetings, etc.

Sixteen, there is a need to promote consumer acceptance of information interchange. Seventeen, OCR should pursue mail out to all 35 million Medicare recipients by the annual CMS guide. Eighteen, FAQ's are not responsive to the needs of specific entities and professionals and industries. For example, the long term care industry and the academic medical centers.

Nineteen, answers to questions should be posted within 30 days. Twenty, OCR needs to provide more examples, decision trees, such as the CMS coverage decision tree, etc. Twenty-one, education need to address defensive practices.

MS. KAMINSKY: What does that mean?

MR. ROTHSTEIN: Providers who are erroneously fearful of violating HIPAA are refusing to disclose mandatory disclosure information or permission disclosure information, etc. OCR should establish a toll-free help line to answer questions. OCR should provide on-site consultation, like OSHA, that was one we heard yesterday.

DR. ZUBELDIA: That wasn't on-site assessment of compliance.

MR. ROTHSTEIN: Right, under OSHA it's called an on-site consultation, but we can make it an on-site assessment.

DR. ZUBELDIA: If we are going to recommend that OCR should do that I don't know where the money is going to come from.

MR. ROTHSTEIN: Oh, I don't know where the money is going to come from for a lot of these things, but these are just recommendations.

?? Put Stephanie in charge.

MR. ROTHSTEIN: Yes, she's got back sales lined up. And twenty-four, OCR should publish a list of no-cost and low-cost compliance measures.

MS. HORLICK: Mark do we have on here about the sample forms? Authorizations.

MR. ROTHSTEIN: That's on the next one. And there may be no reason to --

MS. HORLICK: To me that's technical assistance, because I haven't read the whole document.

MS. KAMINSKY: Should we just go through the whole thing?

MR. ROTHSTEIN: Would that be helpful?

MS. KAMINSKY: Let's just hear all the things.

MR. ROTHSTEIN: The next topic is called Regulation and Enforcement. There are ten of these. One, OCR should review and approve model forms, and of course we heard many times that they should issue those as well. Two, OCR should issue a statement that it does not certify any products or services as HIPAA compliant. Number three, OCR should set minimum standards for training. Number four, OCR needs to communicate with providers and other covered entities about enforcement and penalties.

Number five, central preemption analysis is needed. Six, OCR needs to reassure providers that reasonable efforts to comply will not lead to enforcement actions. Seven, privacy notice should include a list of mandated disclosures and then these need not be included in accounting. Eight, OCR should publish a federal preemption analysis. Nine, OCR should extend the 30-day cure period to at least 90 days and for complicated matters, up to six months. Ten, enforcement for security and privacy should be in the same agency.

DR. ZUBELDIA: Number eight, to publish a federal preemption analysis, I know we've heard that, but we've also heard that the states should do their own preemption analysis.

MR. ROTHSTEIN: This is like FERPA, Gramm-Leach-Bliley.

MS. HORLICK: We might even reference that much of it had been, or some of it had been done in the preamble. I mean they do talk about, they take FERPA out of it and talk about the Privacy Act.

MR. ROTHSTEIN: Yes, see, the problem, to take FERPA, the rule, the privacy rule takes FERPA out, ok? But as a practical matter, if you're running a university health service, and you've got students that come in there and faculty and staff that come in there, you've got two different sets of rules. So the students now are not under HIPAA because they're under FERPA, but the faculty and staff are under HIPAA and now you've got a system that is trying to comply with two different sets of requirements. So that was the point of that. Yes, you're right, the rule is clear, but only in the abstract.

MS. KAMINSKY: This is a sort of more general point about how we're going to communicate all of these recommendations. I think it might be appropriate to delve to that level of granularity in certain instances.

MR. ROTHSTEIN: To really, to explain.

MS. KAMINSKY: I do believe that, I really do believe that, I don't know how everyone else feels but --

MS. GREENBERG: To what?

MS. KAMINSKY: To explain --

MR. ROTHSTEIN: Go through the explanation I just gave.

MS. KAMINSKY: For a lot of these recommendations we heard so much rich testimony, we heard so many specifics, and if they could be organized in a way where they're sort of drop down points somehow to kind of flesh out so that the people who are going to need to make some decisions about which of these recommendations to go forward with understand where they're coming from and what needs to be done. I think the more that that can be explained to that level the better, but that's just me.

MR. ROTHSTEIN: I think you're absolutely right but I'm forced to raise the practical issue and that is according to my timetable here, to get this on the agenda for the meeting on the 19th and 20th, here is the schedule that we will have to keep that I've proposed. A draft letter for circulation to the subcommittee, I have down would have to go out by the 12th, which is Tuesday. And then a conference call, if we can schedule it, for say Thursday, with all the subcommittee members to comment on the draft that would be circulated. And then that would give me until the following day, Friday, to make all the changes.

DR. ZUBELDIA: Marjorie, when are you sending the books for the full subcommittee meeting?

MS. GREENBERG: The books are being mailed on the 14th. On the other hand, we can always email this to people.

MR. ROTHSTEIN: So this would have to be out by the 15th because people are leaving town --

MS. GREENBERG: They need to see it by Friday one way or the other.

MR. ROTHSTEIN: Stephanie, you're absolutely right, I don't know how we can do that and still make the November meeting.

MS. GREENBERG: I agree, and I've been thinking about this, I was thinking about this after the Baltimore hearing that, as Stephanie pointed out and as we all agree, we just heard so much. Not only about problems but even about solutions, best practices, etc., there's just a wealth of information here. And I think given the time, it's impossible to pull it all out and organize it, etc. So I think one of the things that should be said in the letter is that the committee has gathered a tremendous amount of information. In the time available, since the last hearing was today, the committee is putting forward its major findings, its major recommendations, but there is tremendous more detail in the testimony, all of which is available, etc., and that we -- I mean one of two things. We either commend it to OCR for further analysis or we offer in some way to harvest the information further, which could possibly be done through a small contract with somebody or something.

And I guess what I was kind of thinking back and forth about this was well, is this really the role of the committee or is this now, we've done this for you, we've done as much as we can, now you need to take it. Then realistically would, are the resources there at OCR or should we try to provide further help. I do think that there's a lot there that needs, that could be pulled together as I said on best practices and other issues that would be helpful.

MS. KAMINSKY: I don't even think on best practices, I think on specific areas that people were looking to guidance.

MS. GREENBERG: That also.

MS. KAMINSKY: We heard some very sophisticated testimony.

MS. GREENBERG: It needs to really be analyzed and I don't, there's obviously not adequate time to do that --

MS. KAMINSKY: Unless every subcommittee member took a day of testimony, we have five subcommittee members and we have five days of testimony.

DR. ZUBELDIA: We're going to get some more written testimony. I know there is some that is coming, I got an email from Milan(?) Gover(?) this morning saying that he was disappointed that he couldn't testify in Baltimore.

MR. ROTHSTEIN: And the cut-off date is the 11th for people to send in additional comments.

MS. KAMINSKY: I don't want to take valuable discussion time on this except to say that as you were fleshing it out for Gail it struck me that that kind of fleshing might be necessary and it could be just as simple as what Marjorie said. We recommend that you, OCR, you Stephanie Kaminsky, review all the testimony, summarize it, and deliver it up the line. I'm just saying that I'm concerned that in our effort to summarize, and I know I've been accused of missing the forest for the trees, but there were a lot of really good trees.

MR. ROTHSTEIN: And what I would not like to happen to this is for someone in the Department to read a summary that says we need to do something with FERPA and they say we already took care of that, what's their next thing.

MS. HORLICK: I think the same thing could be true with the confusion about the covered entity designations. They say well we put out a covered entity decision tree, well that is helpful to a certain extent, but it's not going to answer the question about those social service agencies with foster care in that level of detail. I think it's very important, and that's just one example.

DR. ZUBELDIA: Can I say something on that covered entity decision tree? I've heard some rumblings that it's pretty flawed. For example, if you say that you convert data from non standard to standard, regardless of what else you do or say, in that decision tree you are a clearinghouse. And that's not necessarily the case, so there may be some issues with that, too.

MS. HORLICK: I just wanted in a way to say, recognize where they have attempted to provide guidance.

DR. ZUBELDIA: At the end, that decision tree is just a help tool, and it's not definitive, if it comes down to it.

MS. KAMINSKY: I think that's exactly Gail's point, though, that's exactly the point here. That the Department can say well, we've done that already and the truth of the matter is there are lots of levels of detail and questions and gray areas that have not been addressed that we've heard about that we would want to make sure we can communicate, not just that it's gray but maybe even in some way some of what that is.

MS. GREENBERG: I think we're all in agreement, the question is how does that get done. At a minimum we commended all to OCR but whether there's anything more the subcommittee could do following the letter, because I think we're going to do as much as you can with this letter but there are limitations. Then I think, it's just something for you to think about.

MR. ROTHSTEIN: If I may, I'm going to go through the last two sheets and then we can go back and see what we want to do with these. On the guidance issue, OCR needs to work with industry groups in developing guidance. And then we were specifically asked to recommend that OCR come up with guidance on the following topics: health plan sponsors, business associates, self funded benefit providers, the privacy rule's applicability to long term care facilities, who provides HIPAA to residents and other medical trainees, the training of health workers who work at multiple sites, for example social workers, home health care records, what is a good faith effort, what are non routine disclosures, hybrid entities, the FERPA/HIPAA overlap, fax, phone and email of protected health information, providing notice when the first contact is not in the doctor's office, incidental disclosures outside of the hospitals, for example in a dialysis setting which we heard yesterday, amendment of e-records, notification to other patients of a death, HIPAA's relationship to federal alcohol and drug abuse regulations, fire walls for covered entities and hybrid entities, and public health disclosures. Those were some of the areas that we were asked to recommend guidance on.

And the final sheet deals with issues that I class together because they would either require Congressional action or some major action at the Department level. First, Congress should consider HIPAA user fees like those under the FDA to generate the money to use for HIPAA outreach and education. Two, HHS should consider separating the education, outreach and technical support functions of OCR from its enforcement, possibly creating a new Office for HIPAA Information and Outreach, OHIO.

Third, Congress should resolve ambiguities and inconsistencies between HIPAA and other federal law such as FERPA, Gramm-Leach-Bliley, Privacy Act, etc. Fourth, Congress should create tax credits for HIPAA compliance, at least for certain providers, such as rural providers. Fifth, Congress needs to provide compliance grants to the states. Sixth, Medicaid needs to recognize HIPAA compliance costs. Seventh, the privacy rule should be extended a year, we've talked about that. I put this here as sort of a major issue. And eight, Congress should fund $42.5 million dollars for technical assistance authorized by ASCA. That's something that we heard yesterday.

DR. ZUBELDIA: Something else that we heard for us as a recommendation for Congress to consider changing the law so HIPAA privacy is preempted.

DR. HARDING: Unfunded $42.5 million, where is that in the legislation to go? To be used by. Do we know?

MR. ROTHSTEIN: I don't know and I don't remember which one of the witnesses commented on that so I don't know whether that figure is accurate. Is that correct?

DR. ZUBELDIA: Yes, it's for HIPAA implementation, it's part of ASCA, but I don't think it specifies what part of HIPAA implementation.

DR. HARDING: I'd just never heard of it before actually.

MS. GREENBERG: Well, it was included in the law and it would go to the Department I guess but then they would spend it. It was more, obviously since it was concluded in the law related to an extension for the transaction code set standards, that seemed to be its purpose, but it could I suppose be used for privacy as well.

DR. ZUBELDIA: I understand that the Department wants to use at least some of that money to implement the provider ID.

MR. ROTHSTEIN: So we've got all the lists and there are a couple things to keep in mind. One is that some of these are mutually inconsistent, if you did one you couldn't do the other. And the other thing that we might want to think about is our position on this. In other words, are we saying what we're recommending, or recommendations that we have heard? So in other words, for example, Kepa's last one that he is suggesting, that several people testified before us, and in fact even this morning, that HIPAA should preempt all state laws dealing with health information. Do we want, by putting this in the document, are we saying that this is the sentiment of the committee or are we just passing along some views that we've heard? If the former, that's going to be a tremendously long meeting of the NCVHS because we're going to have to debate 65 different things.

On the other hand, if we just say some of the recommendations that we have received include the following, then it doesn't have as much oomph behind it, so I just want to put that on the table and see how we should proceed.

MS. GREENBERG: Well, I think generally you should include things that people suggested but that you don't really, aren't prepared to support, would be more findings. I think you really shouldn't include in recommendations things that you feel are reasonable. On this preemption one, which is going back to I think the committee's original report on privacy back in '97 or whenever it was, I think there was kind of support for states having stricter views and so that would, there probably isn't time or even there hasn't been enough testimony maybe to try to have a definitive position on that.

I think what the subcommittee or ultimately the full committee could say is, although, obviously there are reasons for this and there are pros and cons, that what Kepa said, articulated, became extremely clear. And that is that this makes things extremely difficult if not almost impossible in some for organizations that deal in many states. I mean this already is a problem for them but the current, the situation is clearly problematic and needs to be revisited. Rather than saying Congress should make HIPAA preemption because I'm not sure that you agree on that or that you could get the agreement, but I think there's a heightened understanding of just how difficult this situation is. Maybe you could all agree, I don't know.

DR. ZUBELDIA: In that situation of multiple states that have conflicting laws, without HIPAA, let's say that a provider is operating in several states, the provider is subject to the state law of that state. And there may be some fines or something in that state. But with HIPAA, that provider is now subject to federal law that has fines and a jail term potentially, if they're not handling it correctly. So the level of pain has increased substantially.

MS. GREENBERG: I agree, it's complicated the situation.

DR. ZUBELDIA: Going back to what Mark was saying what to do with the recommendations from the testifiers, I think we need to summarize the recommendations from the testifiers and then have a separate section of the letter that says and these are the recommendations from the subcommittee in support of the recommendations of the testifiers. So there may be some recommendations from the testifiers that we choose to include in the summary that we don't fully support, or we don't put as much weight on and then subcommittee says these are the things that we support, the recommendations that we support. And that can be a smaller summary or a smaller set than everything that was recommended by testifiers.

MR. ROTHSTEIN: Should we have separate sort of rules for the big recommendations in terms of like amend the statute kind of things than the education and outreach? In other words, are we going to list, we heard, we have 25 recommendations on education and outreach, we're not going to comment, we didn't vote specifically except for the following five, do you know what I'm saying?

DR. ZUBELDIA: Yes, but I don't know how to address it. I know what you're saying.

MS. HORLICK: I think in the past we really just wrote a lengthy letter sort of just outlining, we heard this and we heard this, some said it was too strict, some said it wasn't, but we said what they suggested, what they recommended, but then the recommendations in the letter were the ones the subcommittee supported.

MR. ROTHSTEIN: Stephanie, not to put you on the spot, but there are millions of people out there who want to know, in what form do you think it would be most useful to OCR?

MS. KAMINSKY: I'm not sure I have a form, I do think it will be very useful for us to prioritize, that's all I can say. That I think that the subcommittee must prioritize what its sort of top five or top ten recommendations are, period. We can sort of parse this out, re-categorize it, etc., but at the end of the day, given the limited resources, you must choose your top ten recommendations, period. That's all I can say. The resource issue is so severe that the best favor you can do is to help decide the priorities.

MS. GREENBERG: I couldn't agree more, but it goes back to the September letter which said you just don't have enough resources put to this and I would say, you want to confirm or not confirm whatever you said in the September letter, possibly.

MR. ROTHSTEIN: We want to reaffirm clearly the September letter.

MS. KAMINSKY: In fact, along those lines, this is sort of an aside, to the extent that there is any opportunity for additional hiring, one thought that has crossed my mind in the last several weeks is the notion of hiring somebody who is a compliance expert because people who wrote this regulation and the folks who have been involved so far have been doing it from the perspective of setting policy and not from the perspective of the real life implementation issues that so many people have talked about. That's really an aside, but it's along the same lines, if resources are a topic to be revisited in this whole set of recommendations.

DR. ZUBELDIA: Well resources have to be addressed, the lack of resources is something that we need to emphasize again, that there's not adequate resources.

MS. KAMINSKY: Well, as I've heard Jim Scanlon say, to some extent that is the reality of the federal government and the reality of HIPAA, the way it was legislated, and I think that it behooves the subcommittee to be very creative and facile about thinking through what the low-cost high efficiency sort of biggest bang for buck recommendations could be. I know that it's hard to think like that because we want to kind of put forward ideal recommendations, but there are the real world constraints. I am not privy to, I don't have additional information about what kind of latitude there is with regard to resources, I don't know.

MR. ROTHSTEIN: I just find it so frustrating to try to develop recommendations that will get this law working the way it was intended and to provide the assistance for the covered entities and for the consumers and all this other stuff which is difficult enough with sort of a blank check, and then to say ok, now what can six people do in the next six months.

MS. KAMINSKY: Yes, but it's important for you to think about that for a little bit of time if these recommendations are going to be slotted into structure where they can be followed.

DR. ZUBELDIA: What happened nine years ago with the report was that there was an estimate of $42 billion dollars in savings if you spend $26 billion dollars in cost. So there would be a $16 billion dollars net. What's happening now is that people are saying well I really don't have the resources to spend $26 billion dollars, so I'm not going to spend $26 billion dollars. I'm just going to reap the net savings without spending the cost involved and it just doesn't work that way. I'm totally powerless to change that concept but I think that's where we're going and people are saying I want to spend the minimum amount to do HIPAA and still want to get the savings and it just doesn't work that way.

MS. KAMINSKY: You're talking about now the covered entities, not necessarily OCR or the Department.

DR. ZUBELDIA: I'm talking about everybody.

MS. KAMINSKY: The whole world, everybody's approach to HIPAA.

DR. ZUBELDIA: The whole world. And the sad part is that the Department has savings zero. The Department is going to have to spend all the cost and OCR doesn't save anything with HIPAA, because OCR doesn't do the transactions. So you have a 100 percent of the costs and zero of the savings.

MS. GREENBERG: But the overall budget, presumably Medicare will have savings.

DR. ZUBELDIA: No, Medicare is in the same situation. They get 98 percent of the claims electronically today. So they're going to have to spend all the money and get very little of the savings.

MS. KAMINSKY: Given that we can't address the money issue, really, do you think we can address picking some priorities here from this whole?

MR. ROTHSTEIN: Ok, I've got a plan. We start with the education, outreach and technical assistance. And there are six of us, and seven counting John, John you still there?

DR. DANAHER: I'm right here.

MR. ROTHSTEIN: Ok. Everybody gets one pick and we'll just go around and those will be our top seven and then we can adjust that afterwards. What else can you do?

MS. KAMINSKY: It's a start, I don't think it's a bad start, I think it's a good start.

MR. ROTHSTEIN: Ok, you're first.

MS. KAMINSKY: No, no, I have to read them again, I know which one I would want though, I don't know if it's on here, so I can just say it. National conference calls on a monthly basis.

MR. ROTHSTEIN: That's number ten.

MS. KAMINSKY: I want it.

MR. ROTHSTEIN: Ok, you got it.

MS. GREENBERG: Is that different than a hot-line?

MS. KAMINSKY: Yes. I think you get enormous bang for buck, I think OCR would be receptive to it. CMS is doing it for other topics. I think you get the best privacy policy expert in the country available to the entire country for an hour a month. Whatever, that's mine.

MR. ROTHSTEIN: Ok, you got it. I'll let you look through the list.

MS. GREENBERG: Are we going in some order here?

MR. ROTHSTEIN: Yes, you're next.

MS. GREENBERG: I would say these model forms that at least include the minimum necessary.

MS. HORLICK: But they're not on this list.

MR. ROTHSTEIN: That's actually on the next one.

MS. HORLICK: But to me that's technical assistance so we might want to --

MR. ROTHSTEIN: We might want to revisit the issue, we might want to combine those two.

MS. GREENBERG: Was this one page handout --

MS. HORLICK: That does say state specific notices need to be developed on this list, but the next list is the model forms.

MR. ROTHSTEIN: Ok, we'll come to that in a second. Your vote is recorded for future use.

MS. GREENBERG: I'm voting for model forms. I did want a clarification though on this OCR needs to prepare a one-page handout. Is that, you're not recommending that the privacy notice that providers give to their patients should be one page, you're just saying a kind of like a fact sheet.

MR. ROTHSTEIN: Right, so that the docs can give it out to their patients and it will have just the very basic --

MS. GREENBERG: And it can be posted, given to the press, and all sorts of things.

MR. ROTHSTEIN: Right.

DR. ZUBELDIA: I like 24.

MR. ROTHSTEIN: 24. Ok. Give that one to Kepa, you can save one for yourself. John, do you have anything there?

DR. DANAHER: Where's the one about, I'm kind of reading through the list, where's one about coalition building with state societies and professional associations, is there one that kind of says something about that?

DR. ZUBELDIA: I thought that was in the next page.

MS. GREENBERG: There is one on that somewhere.

DR. ZUBELDIA: Well, we have that as a finding, John.

MR. ROTHSTEIN: That was one of our findings that --

MS. GREENBERG: You could have a recommendation that OCR and partnerships to encourage that.

DR. DANAHER: Something to the extent that, if it's not specifically one of these, that OCR should encourage through workshops, phone meetings, and some other vehicles, strong coalition building with state medical societies and other professional societies, on a monthly basis.

DR. ZUBELDIA: How about OCR having a liaison with each one of the coalitions or at least with one state coalition in every state?

MR. ROTHSTEIN: Well, we have, number four says OCR should establish covered entity industry teams to assist each industry with its unique issues. So in theory --

MS. GREENBERG: That's a different one though, because those would be individual teams, but then you're talking about coalition building across those industry components of those stake holders at the state level, which seems to me to definitely be a best practice.

DR. ZUBELDIA: So OCR should participate in those state level coalitions.

DR. DANAHER: Hey Stephanie? What if earlier when you were talking about the hiring of that person when we've been talking about this $42.6 million or whatever, is there anything we can say in terms of OCR should appoint a liaison officer whose specific responsibility is to nurture relationships with state coalitions, state professional and medical coalitions, for the purpose of, or something like that?

MR. ROTHSTEIN: I would suggest that we phrase it as OCR needs to do this, without putting the hire in.

MS. GREENBERG: Let them decide how they want to --

DR. ZUBELDIA: And I think to foster the relationships, it's kind of a vague term, I would say participate in the coalition.

MR. ROTHSTEIN: OCR should support and participate in state-wide coalition building.

DR. ZUBELDIA: Yes.

MS. GREENBERG: If only that means maybe sending a speaker to their meeting, it's hard to participate in 50 coalitions on a regular basis.

MS. HORLICK: Well maybe that could be a conference call.

MS. KAMINSKY: Are we talking about WEDI-SNIP here or something else?

DR. ZUBELDIA: Well, WEDI-SNIP has been building some of those coalitions, but some of them existed before WEDI-SNIP.

MS. KAMINSKY: And they're not part of the WEDI-SNIP? They're not affiliated?

DR. ZUBELDIA: NEHIN(?) in Boston, that's been going on for years. UHIN has been going on for years.

MS. KAMINSKY: UHIN is now a WEDI-SNIP affiliate I believe.

DR. ZUBELDIA: Yes, now a WEDI-SNIP affiliate, but not all of them are WEDI-SNIP affiliates yet.

MS. KAMINSKY: I'm sorry, were other ones chosen while I was out?

MR. ROTHSTEIN: Well you did ten, Kepa did 24, and John, 25.

MS. KAMINSKY: Which was the state coalition stuff?

MR. ROTHSTEIN: Correct. And we'll get back to Gail. Richard?

DR. HARDING: I was going to take 24 but I'll take three.

MR. ROTHSTEIN: Number three.

DR. HARDING: I've been impressed with the direct fragile providers.

MS. KAMINSKY: Can I ask a little, this is an aside, a little question on that though. Well, this is a big, maybe I shouldn't, but my thing is, are those the folks who were the most concerned privacy violations as opposed to some of the other entities out there? Yes, ok, never mind, bad question, go on.

DR. HARDING: By their culture, we are.

MS. KAMINSKY: Well, but we've heard that that's not going to change.

DR. HARDING: By volume maybe not.

MS. GREENBERG: But also they have the least infrastructure, so they're at greatest risk to go under almost.

MR. ROTHSTEIN: Remember the woman from the Advance Nurse Practitioners? She made a very compelling case for technical assistance for them because they work in rural areas and so on.

DR. ZUBELDIA: Rural areas have a different cultural standard of privacy.

MS. KAMINSKY: I guess I come back to being struck by even the medical banking stuff we heard this morning, when a bank has access to PHI, and it misuses it, the repercussions to me may be in some respects more significant, but I appreciate the funding issue, the cost issue of training and supporting the rural providers, I just try to think through the privacy, the bang for buck and the privacy concerns and worries.

DR. ZUBELDIA: I think that the concern with these fragile providers is because they have a different cultural standard of privacy. All of a sudden they are being forced to change their cultural standards, and that may be more than what they can handle.

MS. KAMINSKY: Well, do we have a position on that?

MS. GREENBERG: My concern I guess, I mean that's an issue and it has to be worked through, but that if even respecting their different cultural standards, they don't have the resources to comply, to adequately comply, then this could jeopardize their ability to continue providing services.

MS. KAMINSKY: I don't want to dwell on it, I guess I just wanted to raise the idea that if in fact it's a cultural thing that we're trying to change there, the ramifications I think are different than in other situations.

MR. ROTHSTEIN: Marjorie, you have a pick coming.

MS. GREENBERG: I think this whole area of employers and ERISA really needs to be addressed.

MR. ROTHSTEIN: In guidance.

MS. GREENBERG: In guidance.

MR. ROTHSTEIN: We're going to get to that. What about one of these 25? Gail do you have one? I've got two, see, and I'm hoping that someone will get one so I can get the other.

MS. HORLICK: I like the toll-free help line but I do wonder about if that's feasible. So I'm reluctant to make, the toll free help line, but I'm reluctant to waste a recommendation that just may not be feasible, if they can't answer the questions that were typed into the web-site --

DR. ZUBELDIA: More feasible may be to answer the questions within 30 days.

MS. GREENBERG: Well but you could take them on the hot-line.

MR. ROTHSTEIN: No, they've got 50,000, a backlog of 50,000 questions.

MS. GREENBERG: Doesn't CMS have a hot-line?

DR. ZUBELDIA: Yes.

MS. KAMINSKY: I think we have a hot-line too, I think, we have a hot line, there's a 1-800 number.

MR. ROTHSTEIN: Well how hot is it?

MS. KAMINSKY: It gets a lot of calls.

DR. ZUBELDIA: Well here's the thing. You can ask questions, it's not a hot-line to get answers, just to ask questions. If they're frequently asked, then there's an answer that appears in the web-site, that's frequently asked questions.

MS. HORLICK: So I need to find another one.

MR. ROTHSTEIN: Well, that's one of my top picks, but I got another one. Number four. I'll tell you the other one that I like and maybe somebody will pick. The other one is 21, I'm very concerned about defensive practices.

DR. ZUBELDIA: That's a free one.

MR. ROTHSTEIN: A free one.

DR. ZUBELDIA: No, what I'm saying is that's a bonus point because it doesn't cost anything. Education is going to happen so whether you address one thing or another.

MS. HORLICK: Would that be different than 24, no-cost and low-cost compliance?

MR. ROTHSTEIN: Yes, see 21 goes to the issue of making sure that for example hospitals know that HIPAA does not prohibit them from sending vital records. And whereas the other one is a list of what they can do.

DR. ZUBELDIA: These are the things you can do that won't cost you anything. These are the things you can do that will be minimal costs. These are the things you can do for which you have to hire a consultant and it will cost you half a million dollars. There'll be none on that list.

MR. ROTHSTEIN: Ok, so let's back up and see where we are. We have six picks. Technical support needs to focus on fragile providers. OCR should establish covered entity industry teams. OCR should have regular conference calls. Education needs to address defensive practices. OCR should publish a list of no-cost and low-cost compliance measures and OCR should support and participate in statewide coalition building.

MS. GREENBERG: Do you think we should have one in this top ten related to public education? That's number 15.

MS. HORLICK: Well, number one, didn't we do --

MS. GREENBERG: Well, that would almost be a subset of public, it's like a means for public education but I think --

MR. ROTHSTEIN: Public education is essential and I think we need --

MS. GREENBERG: I think one of the top ten.

DR. ZUBELDIA: One and 15 go together.

MS. KAMINSKY: It would be 15 that you choose, the more broad concepts right?

MR. ROTHSTEIN: Ok, let's go with number 15.

DR. ZUBELDIA: Essentially it also includes one.

MS. GREENBERG: It can include one and it could also include 16 because in educating the public you want to --

MS. HORLICK: Well when we write these we're going to flesh them out.

MR. ROTHSTEIN: Well not only that but what we have is 25, may come down to 19 by the time we put some together. And I know the committee will be on me like stuff if I miss that.

MS. KAMINSKY: So in other words, the point is we're going to leave the rest of them but we're just going to highlight the ones that we think are the --

MR. ROTHSTEIN: Correct. So the ones that we've selected are the ones that we feel most strongly about but the others we, and we may have a paragraph that says some of these others we would love to be able to do but we don't think that we have the resources available, such as the help line and 30-day response to FAQ's and all that sort of thing.

MS. KAMINSKY: That's great, because then it shows a sensitivity to the constraints, I think that would be welcome.

MS. GREENBERG: I think you should at least feel that it's a reasonable recommendation. If someone made a recommendation and you just can't support it, then it's got to be qualified in that way.

MR. ROTHSTEIN: Ok, let's move to what I call regulation and enforcement and I'll re-open the issue as to whether we need to combine this with something else or whether it should stand alone or whatever. Marjorie already has an early ballot in for model forms.

MS. GREENBERG: I would include develop in there, not just review, actually it would be a better use of their time to say these are the minimum things that need to be in a model form, rather than reviewing ten million of them.

MR. ROTHSTEIN: So should develop model forms.

MS. KAMINSKY: I would collapse this whole section with the guidance section, I'm not sure that these, the difference between developing model forms and issuing guidance, it seems like they're variations on a theme.

MS. GREENBERG: I feel that does go with guidance, the issues about being clear about the way enforcement will be approached is a separate issue I think.

MS. KAMINSKY: Yes, I agree, so some of these I think need to be pulled into technical assistance.

MS. GREENBERG: That's why I voted for it.

MR. ROTHSTEIN: So one should go into technical assistance which goes with model forms?

MS. HORLICK: I think that we really are saying they should either develop model forms or specifically, I think they have listed what goes in the forms, I actually think they should develop model forms. What one says is what the doc said yesterday is well I'd like to modify a little and have you look at it. I think that would be nice but that to me is less of a priority than developing a model.

DR. ZUBELDIA: And that's very resource intensive.

MS. HORLICK: Right, but if they put the model out there --

MR. ROTHSTEIN: And it also to be most effective ought to be industry specific because you can't have this generic model form that's going to be very valuable.

MS. KAMINSKY: I don't think OCR would, no I don't think they would make a generic form, I think they have resisted that all along with the idea that that's useful, or very, low utility.

MS. HORLICK: It needs to be a form, not a list of what should be in the form because the rule already has what should be in it.

MR. ROTHSTEIN: So I'm not exactly clear on what you want to do. You want to collapse guidance, regulation and enforcement into one thing that's called education, outreach, technical assistance, guidance and enforcement?

MS. GREENBERG: No, just pull a few things out of regulation and enforcement and put them in with guidance, like this thing on model forms.

DR. ZUBELDIA: We'll end up with more than seven guidance recommendations, but that's ok.

MR. ROTHSTEIN: Ok, so which ones, other than number one, do you want to move to guidance?

MS. KAMINSKY: It looks like number four is also a kind of --

MR. ROTHSTEIN: What about number three?

MS. KAMINSKY: Well, I don't even understand that one all the way.

MS. GREENBERG: That could be, it's like model forms in a way.

DR. ZUBELDIA: There is a risk though if you have minimum standards for training as regulation, that can be reducing the flexibility of the implementation.

MR. ROTHSTEIN: That was a suggestion, we could, I think in the guidance thing, we could just put more guidance on training.

MS. KAMINSKY: I really don't understand what that one means, the minimum standards for training. I know John we discussed it in Baltimore a little bit, it came up as a recommendation, if somebody could make a concrete statement on what a standard for training would look like, what would be a standard for training.

DR. DANAHER: Stephanie can I give it a try? I think that how people are approaching this is that, and again I live in this world and know Kepa is living in this world, what happens is that organizations, hospitals and health plans, are trying to make a sweep through their organizations to take, to demystify and introduce some basic HIPAA understanding and lingo. So for example what they are trying to say is ok, we need to have everybody know that HIPAA requires us to have a privacy officer and we want you to know who that person is and what their responsibility is. We want everybody to know some simple concepts that HIPAA talks about which are verify the requester, and minimum necessary disclosure, and we want you to understand what is PHI. We've all been used to talking about medical records but now we're all talking about PHI, what is it? What is HIPAA? So I think organizations across the country, greater than 100 in size are embarking on some effort to understand just the basics of what HIPAA is all about and to demystify it.

And then the second thing is, is again there are people, and I use that artificial gradation, small physician offices and medium size physician offices don't realize that HIPAA is requiring them to have a set of policies and procedures. And so there is that education component and then there is assisting them in developing those policies and procedures. And then again what they all kind of are working through is based upon those policies and procedures, who has to be trained on what? How do we make sure that the fundraiser at Hopkins, as we heard in our testimonies, or at Yale or wherever, knows what he or she can and cannot do? How do we let all people in an organization know that we now, that Care Group now has a non-retaliation policy so that everybody knows that if they witness a PHI violation, and report it, they're not going to lose their job.

I guess what I heard and what I would suggest is, that I think some guidance could come from OCR that would be not endorsing any product or whatever, that would basically say these are things that we think would be worthwhile for people, employees in a covered entity, employees in a hybrid entity, to understand to be able to master, whatever, so that they can understand how to appropriately handle patients' protected health information. People across the country don't even know what the word PHI means, so that's part of the education process that's got to occur.

MS. KAMINSKY: So it does seem to me that it's guidance on training is what we're talking about. So this would move into the guidance.

DR. ZUBELDIA: Let me give you a little different perspective of how I understand this. There is, for the last four or five years there has been ten thousand different courses on HIPAA 101. And HIPAA 101 tells you very high level concepts of what HIPAA is about. If a hospital says well I'm going to train everybody in the hospital on HIPAA, and I'm going to give them a HIPAA 101 course, I say they are not doing what they need to do.

DR. DANAHER: Exactly.

DR. ZUBELDIA: Because HIPAA 101 is not enough. They need to have a HIPAA 305, because they are involved in the hospital, they need to get really trained on specifics, not generalities. So there has to be some kind of HIPAA curriculum that has to have a minimum, some points that have to be trained on.

DR. DANAHER: I totally agree.

MR. ROTHSTEIN: But the HIPAA 101, as you described it, is probably underinclusive for many people, but overinclusive for others, who may have only incidental contact with PHI, I'm thinking of maintenance people, and they don't need the whole course, but they do need some instruction about what they are and --

DR. ZUBELDIA: The things that they need to do.

MR. ROTHSTEIN: Exactly.

DR. ZUBELDIA: So there has to be some guidance on what is HIPAA training. Is HIPAA 101 enough for everybody or there should be some things that are specific to the job that you're going to do, to the environment you're going to be in.

DR. DANAHER: To Kepa's point, which I think, one big wave of misperception that has swept through the covered entity community, was a belief that just kind of 101 level was sufficient to be what was required. But in point of fact, just as Kepa said, because I couldn't agree more with what Kepa said, the regulation says some very specific complex complicated things about marketing and about research. And the people who need to know that can't take a 101 course and expect that they'd know it. To your point Mark, you're right that there's a lot that janitors and food service people don't need to know, but at the same time, you'd be surprised at how much there is that they do need to know, because they are, not that it's part of their specific job, but food service people do go into Mariah Carey's room at the Mass General.

MR. ROTHSTEIN: I understand that, all I'm saying is they don't need to know about billing.

DR. DANAHER: No, absolutely, exactly, of course not.

DR. ZUBELDIA: So there has to be some guidance on how this training is going to, what would be the minimum requirements for training. And I think the minimum requirements of the training needs to be specific to the industry that they're in, specific to the job that they're doing. I think those are two minimum requirements. And there has to be some overview of HIPAA, not just, not the details about your focused area and nothing else, you have to have a general understanding.

I think a lot of the providers, they know that they have, if they know anything about HIPAA, they know that they have to do some training for their employees. They have no idea where to start.

MS. KAMINSKY: I think that number one, number three and maybe number eight are all various pieces of guidance, so should be moved to the guidance.

MR. ROTHSTEIN: Well, if you're going to move preemption we need to move five as well.

MS. KAMINSKY: I don't know. The federal preemption analysis is so much more within HHS's purview as something that it really might be able to accomplish, whereas that state thing, that is so big, that is just, that's a concept --

MR. ROTHSTEIN: I understand that, but we could make it OCR should take steps to facilitate preemption analysis at the state level and to eliminate duplication and to coordinate efforts and that sort of thing, without actually doing it because we heard testimony, there are ten people in state X that are doing this, if they would just take the lead and it wouldn't even have to be from Washington, it could be the local people.

MS. KAMINSKY: This is just how you categorize it, I just don't think that that would be considered guidance then if that's what OCR were doing, I think it would be more kind of overview kind of activity.

DR. ZUBELDIA: What if we say that OCR or HHS should leverage existing resources in the preemption analysis to come up with a central repository of state preemption studies?

MS. GREENBERG: Or a database.

DR. ZUBELDIA: Or a database of state preemption studies. The privacy, is it Georgetown Privacy Project has already started and it's not deep enough --

MR. ROTHSTEIN: It would be very valuable even if OCR didn't do anything themselves, if they had on a web-site preemption and you had a drop down menu and you hit Oklahoma, and it linked you to whoever did Oklahoma.

DR. ZUBELDIA: You hit North Carolina and you go to NCHICA.

MS. HORLICK: A lot of that is already on the web like on the HIPAA Gives web-site, so it would be just more like a clearinghouse or something.

MS. KAMINSKY: So if we take out, I mean if we're in agreement that one, three and eight belong in the next section on guidance, then that leaves us two, four, five, six, seven, nine and ten to choose from here?

MR. ROTHSTEIN: And we don't even, we might need to decide whether we want to actually recommend these. The fact that somebody said we should extend the 30-day cure period, we may need to decide whether that is something we want to do. All I did was scoop up these recommendations.

MS. GREENBERG: Did you say, one and three clearly go over with guidance. But we should put the preemption stuff in with guidance.

MS. KAMINSKY: I thought eight, eight is different than five. Eight was the one where you're looking at Gramm-Leach-Bliley and you're looking at --

MS. HORLICK: But that is guidance, if they could do that would be such guidance to the people that are struggling with doing it.

MS. GREENBERG: It provides guidance, but I almost feel like there should be a separate topic, separate category of this whole preemption area because it's so complicated.

MS. KAMINSKY: I just think that the state preemption issues are slightly different than the federal preemption issues.

MS. GREENBERG: I agree, they are different.

DR. ZUBELDIA: OCR should do the federal preemption.

MS. KAMINSKY: I don't even think it's called preemption when you're talking about coordinating two federal laws. It's not even the right term.

MS. GREENBERG: I think what you were recommending about sort of trying to coordinate or provide information on the state preemption studies is more of a guidance issue. No? Well, I mean this is maybe semantics. They both need to be in here and how you want to categorize them --

MR. ROTHSTEIN: Let me raise the issue of putting it on the table, are there any of these recommendations here that people are uncomfortable with that you think we should strike?

MS. GREENBERG: Well, on this issue of preemption, and I think the preemption stuff I would recommend all be in one place, to be clear about it and make clear that these are two different things. An analysis of federal laws, which maybe isn't so much preemption as you said, something else. I would recommend a separate category on preemption issue but is the subcommittee recommending number five, that a central preemption analysis is needed?

MR. ROTHSTEIN: I would recommend that OCR coordinate existing resources and facilitate access to them.

MS. GREENBERG: Ok, that's a different thing though than a central preemption. You could say although it's been recommended that a central preemption analysis is needed, this may not be feasible plus the expertise in the state laws may not exist at a central, so we are recommending this coordination approach and links and all of that, and then also by this other recommendation of encouraging strong coalition building at the state and regional level, then that would maybe encourage what I think Denise Love proposed was that there should be, what was it, collaborative preemption analysis done at the state level rather than lots of different people doing them.

DR. ZUBELDIA: And OCR should participate in that somehow, at least reviewing it.

MR. ROTHSTEIN: There are three recommendations on here that are very sweeping, and would make major changes in the rule and they are seven, nine and ten.

DR. ZUBELDIA: I'm very uncomfortable with ten.

MR. ROTHSTEIN: So I think we need to discuss those. Again, I'm not, I'm just collecting what we heard.

MS. KAMINSKY: Well seven seems to me might even need a reg change, I think that that policy was looked at in this last modification and the decision was made that accounting for disclosures needed, I mean that public policy disclosures needed to be accounted for. I think that was considered so this is a slightly different kind of recommendation than the other ones --

MR. ROTHSTEIN: That's why, put that in regulation, I think it would require a rule making for sure. But the question is, do we want to recommend that? We could recommend that, were you persuaded that we need to do that?

MS. GREENBERG: This is number seven? I think this relates to this chilling effect situation that --

MR. ROTHSTEIN: They don't want to do it because now they have to account for it.

MS. GREENBERG: Right. And yet I think the recommendation that this should fall on the public agencies isn't realistic either.

MR. ROTHSTEIN: I agree.

DR. ZUBELDIA: The problem is it's not only the mandated disclosures. I think it was pointed out that the immunization registry in Utah is not required.

MS. HORLICK: That's a different, I think that's a different, one was understanding whether that authorization to disclose to public health, did that encompass voluntary disclosure.

DR. ZUBELDIA: So if they're going to have to track some of the disclosures to state agencies that are not mandated, that are voluntary disclosures to a state agency for immunizations, for instance, that's a problem. I don't know if there is much we can do about that.

MR. ROTHSTEIN: Would you be willing to accept number seven with language that says something like we recommend that OCR revisit the issue of whether privacy notice, blah, blah, blah, because we heard testimony to the effect that one of the consequences of the current rule is the following.

MS. KAMINSKY: Yes, except I wouldn't dilute the recommendation by pulling in the privacy notice piece. The privacy notice piece is separate, it's not the issue I don't think.

MR. ROTHSTEIN: Well instead of accounting, you put in the privacy notice --

MS. KAMINSKY: It's there now anyway, you have to do that anyway now.

MR. ROTHSTEIN: Ok, we'll take that out then.

MS. HORLICK: If they have to develop, if we were to omit the accounting for mandatory disclosures, wouldn't they have to develop the same mechanism to account for the other disclosures?

DR. ZUBELDIA: They're going to have to develop a mechanism to account for disclosures, period. That has to be in place. The question is, is that going to be, that accounting log, is that going to be 80 and 90 percent state mandated disclosures that have to be logged, or is it only going to be the exceptions? If you start tracking all the state mandated disclosures, then the exceptions drown in the morass and you may never be able to make any significant sense out of that law because there's so much noise in it out of the state mandated disclosures.

MS. KAMINSKY: Didn't we hear that some of that is communicated in a more, like a not completely identified format?

MR. ROTHSTEIN: Is number seven now, just to make sure I have this correct, is that we want to recommend that OCR reconsider deleting mandatory disclosures from the accounting requirements because, blah, blah, blah, this is the effect.

MS. KAMINSKY: Is the point mandatory disclosures or public health disclosures?

DR. ZUBELDIA: Ideally, public health disclosures will be better than mandatory. If we say mandatory, what's going to happen is that the states that don't require some of these disclosures will have a lot of pressure to require them.

MR. ROTHSTEIN: But, if we make it as public health disclosures, that I'm not sure apprises consumers of when their stuff has been released.

DR. ZUBELDIA: Well, they're going to be apprised by the notice of privacy practice, it has to be there.

MR. ROTHSTEIN: No, not if it's just sort of public health, they're permissive disclosures for public health that are not specified in the notice.

DR. ZUBELDIA: Well they have to be specified.

MS. KAMINSKY: They have to say what disclosures they are making of the --

MR. ROTHSTEIN: It says that we may make disclosures for public health purposes, but it doesn't say exactly what that means. And what I'm concerned about is, if you don't get an accounting, how are you going to know exactly when they send your stuff for "public health purposes" if it's not spelled out?

DR. ZUBELDIA: Maybe the guidance should be that the notice of privacy practice should identify the mandated disclosures as such and say we may make disclosures for public health and we are required by state law to make this kind of disclosures.

MS. HORLICK: You're going to get a long list.

MS. GREENBERG: And then others that are more under the permissive, you'd still have to account for.

DR. ZUBELDIA: You have to account for them.

MS. HORLICK: As the immunization registry as an example, some state laws mandate reporting, others don't, so then it's permissive.

DR. ZUBELDIA: But if a state mandates it, you have to keep track of it, it's a state mandate.

MR. ROTHSTEIN: I'm willing to go as far as the mandatory stuff, I think the other stuff raises some problems.

MS. HORLICK: I think there's also some question about authorized, that's just a separate issue. Is it the legally authorized public health agency, is it authorized to report? But I think mandate, people know that means report communicable disease, I mean it's clear.

DR. ZUBELDIA: I feel comfortable with saying that if it's state mandate, you don't have to account for the disclosure but you do have to state in your notice of privacy practice that these are the state mandate requirements that you will disclose. I think you have to balance it.

MS. HORLICK: I don't know if it's clear how much detail that has to be in that.

MR. ROTHSTEIN: Well, we can make it anything we want.

MS. HORLICK: Exactly.

DR. ZUBELDIA: I think that if it's a communicable disease, and one state has a requirement to report and another state doesn't have a requirement to report, a patient may make a choice to go to one state or another based on that and that needs to be open --

MR. ROTHSTEIN: I think Kepa's suggestion actually provides more privacy protection to consumers than the current rule because you can't find out until after the fact that they made, when you ask for an accounting. And here you sort of satisfy the consumer interest in knowing beforehand and also the provider interest in not being burdened by having to produce the accounting for these mandatory disclosures.

MS. HORLICK: Well that assumes that people aren't notified in other ways. That a physician says I have to report this or that there's a notice about a registry and the person has the opportunity.

MS. KAMINSKY: Obviously notice is back into the recommendation. Sorry about that.

DR. ZUBELDIA: One of the privacy concepts in Europe is that there cannot be a database that contains any of your information that you are not aware of. And with these disclosures, what happens is that I'm not aware as a public citizen down the street that there is a cancer registry, I'm not aware that there is an immunization registry. If I go get treated for cancer, it's going to be disclosed to the cancer registry, I may never find out unless I ask that provider for a list of disclosures. And by forcing this to be in the notice of privacy practices, then all of a sudden then I'm aware that there is a cancer registry, and that my data is going to go to the cancer registry regardless of whether I want it or not. I don't need to ask for an accounting of disclosures, I know it's going to happen.

MS. HORLICK: I can't speak to the cancer registry but we would have to really think about how long and detailed that notice would have to be.

MR. ROTHSTEIN: We don't need to resolve that because we are recommending that OCR reconsider, so we've raised the issue. We have just a few minutes left and I know Richard and Gail have planes to catch. I propose on this one that we delete number ten. I don't see that, I see that, it might be defensible but I don't know that we have the opportunity to defend it.

DR. ZUBELDIA: I don't think that that was the recommendation either. I think what we heard was that there was a potential problem with two different agencies enforcing the rule in different ways.

MR. ROTHSTEIN: The argument could well be made that given resources, CMS would be a lot better to do it than OCR, they've got this massive education campaign already in --

DR. ZUBELDIA: Another solution for that potential problem would be for those two agencies to coordinate the enforcement that they're going to do on privacy and security without having it under the same agency.

MS. KAMINSKY: I think there should be a strong recommendation for tighter coordination with CMS, not just on enforcement but also on outreach, education, and technical assistance.

MS. GREENBERG: Also, if this is the only recommendation on security, I do think even though it may fall on deaf ears, that there does need to be a recommendation or a finding at least that it would be extremely helpful to get that final rule out on security.

DR. ZUBELDIA: We've been saying that for four years now?

MS. GREENBERG: I know. You did hear that, it's got to at least be a finding.

MS. KAMINSKY: It's almost irrelevant at this point, Marjorie, with an April deadline of the compliance date for privacy, the security rule is going to have two years between when it gets published and when the compliance date is, and whatever training is required --

MS. GREENBERG: Two years?

MS. KAMINSKY: Isn't it?

DR. ZUBELDIA: Twenty six months.

MR. ROTHSTEIN: Ok, what about number nine? Do we want to leave that in?

DR. ZUBELDIA: Which one?

MR. ROTHSTEIN: Number nine, the cure period.

DR. ZUBELDIA: I think they should consider it.

MR. ROTHSTEIN: Should consider? Ok, we've now added one to the guidance. We've added three to the guidance, and the question then is, this is a massive list, are there things that we want to highlight?

MS. KAMINSKY: Marjorie had the thing about the employers.

MR. ROTHSTEIN: Ok, employers.

MS. KAMINSKY: And I would go as far to say that there are two pieces on that, one is the group health plan issues and the other we heard touched on by just this morning, Deseret Mutual talking about all the kinds of health activities that employers do for their employees that make them confused about their covered entity status. It's slightly different and less pressing in some respects than dealing with some of the real legal issues around the group health plans.

DR. ZUBELDIA: Also, the mall up the street has cholesterol screenings periodically. What does that happen, is the mall now a health care provider?

MS. HORLICK: I think it goes to who's providing. I think a covered entity designation is --

MR. ROTHSTEIN: With my pick, I would like to go with the firewalls because we have people electing to be covered entities so that they can disclose everything they want to each other and nobody's --

MS. HORLICK: So are we saying we're not going to do this long list?

MR. ROTHSTEIN: Well, the question is whether we should pull out some and save it. We shouldn't pull them out, just leave them all in?

MS. KAMINSKY: In this case, I told you to prioritize but I just think, I don't think we should present it like this, it needs to be organized with regard to topics and stuff, but I think it should be even more fleshed out.

MS. HORLICK: The covered entities like we heard with social services --

MS. KAMINSKY: And I'd like to add to it --

MR. ROTHSTEIN: Why do you keep saying more fleshed out? You're just piling this on.

MS. KAMINSKY: Ok, I'm going to work on it on Veterans Day, I promise.

MR. ROTHSTEIN: Last items are sort of the big ones. We all agree that this is within our mandate to recommend, conceivably even amendments to the statute?

DR. ZUBELDIA: I don't know about eight.

MS. GREENBERG: Well, you can recommend that HHS seek amendments.

MS. HORLICK: Number three is a little bit, if they do the preemption analysis, do you think?

MR. ROTHSTEIN: Ok, we can take that off there. Here we asked Congress, because it might require some statutory tweaking.

MS. HORLICK: And of course we don't know if the Office of Civil Rights will do the preemption analysis or not.

MS. GREENBERG: After the Department does the analysis then it should determine whether it needs to seek Congressional release.

MR. ROTHSTEIN: I think at this point I would be inclined to delete three unless anyone feels --

DR. ZUBELDIA: No, why delete it?

MR. ROTHSTEIN: Why delete it?

DR. ZUBELDIA: Congress should resolve inconsistencies.

MR. ROTHSTEIN: Well, but the way they would resolve it would be amending one or more of the statutes, and we don't know how that would --

DR. ZUBELDIA: But that's fine, but they need to resolve it. If there are inconsistencies they need to be taken care of, I don't know how they do it. So in our annual report to Congress, we tell them hey guys, you need to look at this problem.

MR. ROTHSTEIN: Maybe we can go back to the OCR one and say and where necessary, seek amendment through Congress.

MS. KAMINSKY: Can we separate out on this final list what's going to Congress and what's just, what we're saying HHS should go to Congress with and what HHS can take care of itself? For example, number one is obviously Congress, but two is something that HHS could take care of itself and I don't know if this list should be those things.

DR. ZUBELDIA: Two different lists, one for regulations --

MS. KAMINSKY: The stuff that HHS can take care of itself for example, point number two seems to me to belong in your regulation and enforcement list.

MR. ROTHSTEIN: I think that's probably true. We can move it but the question is what about the concept? In number two. I think that covered entities and this is, nobody said this in so many words, would feel more comfortable in having the enforcement agency separate from the agency in the Department that they need to work with on training and education and outreach and all these other things.

MS. HORLICK: Then who's going to know it and understand it best, it's the people that are giving the guidance.

DR. ZUBELDIA: They are coming to OCR with a draft of a form that they're going to use and they say could you review this to see if it's good? They want a statement that they can take to the bank that says yes, OCR reviewed this and it's good and we're not going to be penalized because they've already done it.

MR. ROTHSTEIN: Ok, well, there are some political considerations in why I think this might be a good idea. And that is we all recognize that there is a need for a tremendous increase in the amount of resources committed to outreach, education and guidance and so forth. I don't think those resources are going to be coming as long as the Office for Civil Rights is responsible for administering that program. I just think that as a political matter, more funding might be given to an agency that's not OCR within the Department that had a title of something information and outreach.

DR. ZUBELDIA: Well, that brings another question. Should we recommend the creation of a HIPAA office at the HHS level? There is one at the CMS level, should we have a HIPAA office at the HHS level?

MS. KAMINSKY: Wait a minute, CMS is part of HHS, so a HIPAA office at the HHS level would encompass both OCR and CMS.

DR. ZUBELDIA: Yes, that's what I'm saying.

MS. KAMINSKY: That is something that probably deserved serious discussion.

DR. ZUBELDIA: A HIPAA office above and beyond what is at CMS because the HIPAA office at CMS is centered on transactions and security only, and perhaps there should be a HIPAA office for everything.

MS. KAMINSKY: Well, this goes to the coordination issue that I raised earlier, whether it's dealt with with two separate agencies, with two separate offices within HHS, or whether it's dealt with a sort of pivotal umbrella overseeing HIPAA piece, is sort of a strategic question. Certainly, though, the testimony that we heard seemed to indicate that many, many, many, especially smaller providers and other covered entities out there have been very confused by messages coming from different parts of HHS.

DR. ZUBELDIA: At one point that task was being conducted within ASPE.

MS. GREENBERG: Yes, well, kind of by one person, Bill --

DR. ZUBELDIA: By one person. And that person is gone so there's a big gap there and it probably should be formalized in the HIPAA office, maybe in ASPE, maybe somewhere else, there should be a HIPAA office that coordinates both sides, privacy, security, transactions, identifiers.

MR. ROTHSTEIN: Let me suggest something. I think this is a very important issue but I don't think we have the time either here or probably at our next meeting in two weeks, or ten days, whenever it is, to give it the attention it needs. We're undoubtedly going to respond once the security regs come out.

MS. GREENBERG: No, because it's a final rule, so it doesn't require any response.

MR. ROTHSTEIN: What I'm trying to do is table this to some time --

MS. GREENBERG: Well, I think you could at least say the Department should seriously consider at a minimum a HIPAA focal point office or something at the Office of the Secretary level to assure coordination among the different components dealing with HIPAA. I mean one of the things, I've asked several people in testimony, the relevant ones, about what is HRSA doing, that's where the responsibility for rural health is and they also have responsibility for safety net providers and the community health centers who we've heard from, and I'm sure they are doing some things. I think they have a HIPAA focal point, but again, maybe that's just not being coordinated enough with OCR or with CMS or whatever and that some focal area that kind of overlooked all of it might be helpful.

MS. KAMINSKY: Although, obviously this again would go under the regulation enforcement recommendations, not under what should be recommended to Congress, just in terms of categorization.

MS. GREENBERG: Right, but if in fact you feel that this represents a problem or an opportunity, because it is true that I think when Bill was there, and he was very involved with the privacy stuff, too, so it wasn't that he was totally transaction, but I mean he was only one person.

DR. ZUBELDIA: It wasn't just Bill, he was the focal point, but John Fanning(?) was working hand in hand with Bill.

MS. GREENBERG: Well, John still is involved.

MS. KAMINSKY: I think the absence of that has created some of the unfortunate lack of communication, and even people talking about the fact that that admin-simp web-site is really no longer updated, that was Bill Braithwaith's(?) I understand and there is just a need for better, tighter coordination and without somebody sort of taking that on I don't know how it gets done.

MR. ROTHSTEIN: How about if I say something like this. The Department should seek additional funding from Congress for HIPAA implementation guidance, etc., etc., such as --

MS. GREENBERG: We can't wait for that, though.

MS. KAMINSKY: You think it should go into that regulation and enforcement category?

MR. ROTHSTEIN: All of these suggestions, for example, tax credits for HIPAA compliance, compliance grants to the states, allocating $42.5 million dollars, all these things Congress has to do.

MS. KAMINSKY: But creating, HHS has the discretion to create an office.

MR. ROTHSTEIN: I've got that. I'm moving on.

DR. HARDING: I think that's good. I'd leave off the user fees because you tell Mr. Sinclair and his peer group that they're going to have to pay user fees to --

MR. ROTHSTEIN: No, no, I wasn't thinking of that group, I don't want to tell him anything of a regulatory nature. All that I'm suggesting is and this was my suggestion in Baltimore, I was discussing with some industry people, and I can't remember who it was, how much money they were putting out for this and they were getting nothing of a definitive nature in response. And it seemed to me that for the same money or maybe less because of eliminating duplication, if the government were spending that money, they could say here's what will meet our requirements. But you're probably right, Richard, it's probably a non-starter politically, although it did work on FDA drug approval. But it was a much more unified industry.

DR. ZUBELDIA: There's a direct financial repercussion if your drug gets approved or not approved.

MR. ROTHSTEIN: Exactly. Well, we have a couple of last, what about tax credit? Are we going to support that?

MS. GREENBERG: Should be considered.

MR. ROTHSTEIN: And compliance grants to the states? I think that's really essential. The $42.5, what about increased Medicaid compensation to recognize the HIPAA compliance costs of Medicaid providers?

DR. HARDING: It's a nice thought, but boy getting more money out of Medicaid right now.

MR. ROTHSTEIN: Getting money out of Congress for anything right now is, I think it doesn't hurt to just put that in as one possibility.

MS. GREENBERG: The way it's said, Medicaid needs to recognize that, they could say yes, we really recognize it --

DR. DANAHER: Mark, I've had my hand up for the last half hour and you haven't called on me.

MR. ROTHSTEIN: John, I am so sorry, I was looking in the opposite direction.

DR. DANAHER: Could we make, I'm a little bit more sanguine about tax credits, etc., and I'm just wondering if there is a message that we, I have been surprised that the traditional sources of funding and education have really in my estimation have been kind of silent. Who I mean by that is RWJ, Kaiser Family Foundation, Pew, etc., and I'm just wondering if there is any kind of outreach or overtures to them that we can make to kind of help them realize the importance of this effort and see whether they'd be willing to jump on the bandwagon to help us. Because they're so good, RWJ is the best in the world in terms of giving kind of C grants to people to come up with innovative ways of addressing so on and so on.

DR. ZUBELDIA: Well, HRSA has some money for hospitals. RWJ, they did the private public key encryption stuff with the five state project, but I think this is just overwhelming for them. I think they see this as too big.

DR. DANAHER: There's like the California, but see that's against what I'm suggesting Kepa. If the committee, if OCR, if somebody could, if we could have a bunch of meetings with the California Wellness Foundation, with Kaiser, etc., I think that maybe we could tell them of the crying need in the provider community and it might strike a chord and could lead to some funding.

MR. ROTHSTEIN: Well, maybe what we can do is get them on the agenda for our next meeting which is January, February but I don't think this letter is the place for that.

MS. GREENBERG: It's an interesting idea.

MR. ROTHSTEIN: The last two items on the list are privacy rule extended one year and amend HIPAA to preempt state law and --

MS. KAMINSKY: I thought we already sort of crossed out number seven.

MR. ROTHSTEIN: Ok, so we crossed that out, the one year extension, and amend HIPAA to preempt state law, I think we've dealt with the preemption issue, unless we want to --

MS. KAMINSKY: This is a Congressional thing. This is a bigger deal.

MR. ROTHSTEIN: Well, I understand that.

MS. KAMINSKY: Sorry, I don't mean to, I'm not sure we've dealt with it.

DR. ZUBELDIA: Should we recommend that Congress pass a law that amends HIPAA --

MR. ROTHSTEIN: I couldn't support it at this point, I would have to think about it. It has so many ramifications.

DR. DANAHER: Or I wouldn't be able to support it.

MR. ROTHSTEIN: He said he would not be able to support that. I mean you're telling a state like California that we're basically repealing your law in all these areas.

DR. ZUBELDIA: It's not going to work.

MR. ROTHSTEIN: So we'll take that out and I think I've got my marching orders. Let me reconfirm for all of you what my plans are. I'm going to go on vacation, I'll be back in January.

MS. HORLICK: Mark, would it be helpful for us to stay, maybe even off-line, to schedule that conference call?

MR. ROTHSTEIN: Yes, after we're off-line, I'd like to schedule the conference call. The plan is to have a draft letter out on the 12th, conference call if possible, and we'll talk about that, on the 14th, a revised draft to the full committee by email on the 15th, and then Richard will present that on the 19th at the first day of our two day meeting because I can't make it that day and I will be back on the 20th for the vote.

DR. ZUBELDIA: I can't be in that meeting either, at all, 19th or 20th.

MR. ROTHSTEIN: Well, that's our regular meeting. So that is the schedule, and we'll talk off-line about coordinating a time. Is there any other business that we need to take care of while we're officially on-line?

Well, I thank all of you for your tremendous help. I was remiss earlier, I want to thank Stephanie and Gail for putting together this hearing and Stephanie for a tremendous job in putting those three hearings together over the last six or seven weeks and I want to thank OCR for allowing her to spend so much time on this. I want to thank Cheryl and Marietta for all the work they've done in getting our arrangement set up. And Debbie Jackson as well. We appreciate your efforts one and all. Thank you and the subcommittee meeting is adjourned.

[Whereupon, at 12:47 p.m., the meeting was adjourned.]