[This Transcript is Unedited]
Hubert H. Humphrey Building
Room 505A
200 Independence Avenue, S.W.
Washington, DC 20201
Call to Order, Welcome and Introductions, Review of Agenda - Dr. Harding
Agenda Item: Status of Plans for November 2003 Hearings - Ms. Fyffe
Agenda Item: Welcome and Introduction - Dr. Harding
MS. FYFFE: Stanley, hi, Stanley, good morning, it's Kathleen Fyffe.
MR. NACHINSON: Good morning, Kathleen, how are you? I haven't spoken to you in quite a while.
MS. FYFFE: Right, how have you been?
MR. NACHINSON: Oh, just fine, excited about October 16th and beyond.
MS. FYFFE: Stanley, your voice sounds a little bit garbled, is there anything we can do here technically, it's not you but I'm looking at our technical folks.
MR. NACHINSON: It may be that I'm using the speaker phone, let me switch to the handset and see if that helps.
DR. ZUBELDIA: That's it because this is a big speaker phone with the entire room and the microphones.
MS. FYFFE: Hi, Gail?
MS. HORLICK: Hi Kathleen.
MS. FYFFE: It's Kathleen Fyffe.
MS. HORLICK: How are you?
MS. FYFFE: We also have Stanley Nachinson on the line this morning. Stanley you want to say something again please?
MR. NACHINSON: Yes, is this any better?
MS. FYFFE: Yeah, it has improved. Can you turn the volume down a little Stanley? On the speaker phone.
MR. NACHINSON: I'm on the handset, I'm not using the speaker phone anymore.
MS. FYFFE: Okay, Stanley, this morning we have here so far in the room the acting chairperson of the Privacy Subcommittee Dr. Richard Harding, myself, also Kepa Zubeldia and John Fanning. One of the other Privacy Subcommittee members, John Houston, I think has stepped out of the room for just a moment, and we're also expecting to join us this morning, Sue McAndrew from the Office for Civil Rights and hopefully Simon Cohn, who's also a member of the Privacy Subcommittee. So Gail, and Gail Horlick is one of the staff people to the Privacy Subcommittee. If you don't mind we're going to wait for just a few minutes so that hopefully John Houston and Simon can join us.
MR. NACHINSON: That'll be fine, I'll just put you guys on speaker and wait for when you want me to participate and then I'll pick up the handset again.
DR. HARDING: Stanley and Gail, do you have any time limitations on your time? Would you like us to move things up to the front for you, that kind of thing?
MS. HORLICK: I'm fine with this block of time.
MR. NACHINSON: I'm good until about 9:30 if we can take care of everything by then.
DR. HARDING: We will have it completed by then I think. Thank you.
MR. NACHINSON: You're welcome, thank you for asking.
DR. HARDING: We'll wait just a minute or two. Do any of you have any agenda items that you'd like to when we walk out of here at 9:30 or 9:40 would like to have covered?
[Brief pause.]
MS. FYFFE: What kind of information would you like us to talk about? Are there certain questions that you'd like answered? And if that's the case please let us know what they are and perhaps we can poll this, do a poll, do a survey, pull the information together and at some point in the future have testimony. So that's what we need to find out.
DR. HARDING: John Paul, do you have any things that you'd like us to when we walk out of here have discussed a little bit?
MR. HOUSTON: With regards to privacy specifically?
DR. HARDING: That's the subcommittee, Privacy and Confidentiality.
MR. HOUSTON: I think the one point that I think is problematic with regards to privacy, in addition to the meetings, is this is sort of out of my question I had yesterday for what's her name from OCR, Linda Sanchez, is the issue of guidance to providers, guidance to covered entities. The reason why I asked the question yesterday was I had actually asked a related question of OCR regarding their position on a certain fundraising issue.
MS. FYFFE: Okay, did you ask this through a letter to them?
MR. HOUSTON: Actually I hadn't, I'd actually asked it through --
MS. FYFFE: You did.
MR. HOUSTON: I never even got a follow-up saying please write it in a letter, do anything like that, they didn't even acknowledge it.
MS. FYFFE: Okay. Alright --
DR. ZUBELDIA: [Comment off microphone.]
MR. HOUSTON: I forget exactly who I, I sent it through, I just called their hotline and haven't gotten any response in probably a month.
MS. FYFFE: Then Sue McAndrew from the Office for Civil Rights is supposed to be at this meeting, you need to tell her that.
MR. HOUSTON: Okay, and by the way even if it is you need to put this in writing, could you give us more clarification, I gave my contact information, anything, I had just again, there are a variety of ways that, put it in a question, but I hadn't gotten any response back, and frankly this is an issue that there's nothing on, there's no guidance whatsoever on this program, it's a fairly detailed fundraising issue and there's no guidance on fundraising to begin with.
MS. FYFFE: So that's something we should discuss.
MR. HOUSTON: I am concerned that we need, OCR needs to step up some of its guidance, especially some of the more problematic and weighty issues. I mean it's great to know that 60 percent or 70 percent of the calls have been for privacy and that their, what they called closure rate in terms like that --
DR. ZUBELDIA: [Comment off microphone.]
DR. HARDING: Let's hold on and then talk about that during --
MS. FYFFE: Maybe we should get started.
DR. ZUBELDIA: One topic I'd like to address --
DR. HARDING: We have Gail and Stanley Nachinson on the line and we're going to start up here, but you had one more thing you'd like on the agenda, Kepa?
DR. ZUBELDIA: In the last meeting we talked about the Gramm-Leach-Bliley and the banking industry, and I think Sue was going to research that, somebody from OCR, Stephanie was going to do some of that, I'd like to --
DR. HARDING: We may not have anything today but remind them.
Okay, are we on? We'll get started then, we'll call to order the meeting of the Privacy and Confidentiality Subcommittee of the National Committee on Vital and Health Statistics, we are not on the air, we're not on the internet, but we do have two phone members and guests, Stanley Nachinson from CMS and Gail, are you there? Gail?
MS. HORLICK: Yes, I'm here.
DR. HARDING: Good, welcome. We'll go around and have everybody that's here just say who they are for the sake of the record, John Paul, you want to go first.
MR. HOUSTON: John Houston from the University of Pittsburgh Medical Center and a member of the subcommittee.
DR. HARDING: I'm Richard Harding, member of the subcommittee, and acting chair in the place of Mark Rothstein who is away today.
MS. FYFFE: Kathleen Fyffe, lead staff to the Privacy Subcommittee.
DR. ZUBELDIA: Kepa Zubeldia, Claredi Corporation, member of the subcommittee.
MS. KLOSS: Linda Kloss, observer, AHIMA.
MR. RHODE: Dan Rhode, observer, AHIMA.
MR. FANNING: I'm John Fanning from HHS.
DR. HARDING: And we'll introduce others as they come.
Welcome, everybody, we have I think a relatively light agenda items for today, although we have some important ones, as we talk about the testimony and the hearings that are coming up during this month. I think that the task of the subcommittee has been set at the present time on something like this, that we are to track and consider implementation issues in the privacy rule that came out, when it came out this year. I get the dates mixed up a little bit here in October, when did the, was it April? April 14, right. And we have had just to review in the last year three sets of hearings, in Boston, Baltimore, and Salt Lake City, and we have heard from a diverse group of individuals about the issues leading up to the privacy rule implementation and we are expecting to have our first group of hearings to talk about the tracking and implementation issues that we done here in November, six months after the implementation of the privacy rule.
I think that we've heard a number of things from a number of very dedicated and good people trying to make the privacy rule work. We have heard everything from it's the best thing that has come along to we had a gentlemen in Salt Lake City that I was afraid was packing heat as he testified to us about his small hospital, there was a concern that he might have a weapon on him as he gave his testimony out there. He was an administrator of a small hospital that felt under tremendous amount of pressure, that kind of thing. So it's been an interesting series of hearings and we're sure that it will continue to be.
Simon, do you want to introduce yourself? Simon Cohn just came in.
DR. COHN: Yeah, member of the national committee.
DR. HARDING: Gail and Stanley Nachinson are on the phone and will be participating fully. So we've had the three hearings, we have hearings coming up in three weeks or so, there have been recommendations made as you all remember, in June we made recommendations to the Secretary asking for, through the full committee asking for measuring efforts on the privacy rule and plans to address implementation, and asked that and we got a good response from the Secretary. And now we have the hearings coming up in two weeks, three weeks, about the implementation issues and we're going to talk about in the agenda today the status of the hearings. We're also going to talk about types of information that we would want from physician groups as they begin implementing in their offices and practices. Also going to talk about the issue of opting out of HIPAA, which a letter to the editor of the American Medical Association News to physicians were saying that doctors should opt out if they didn't have ten employees in their practice, or ten employees in their practice and something else, and just wanted to talk about the policy and reality issues of that with the help of Stanley and others on the line.
With that, we'll get started and Kathleen, maybe you could go first a little bit and talk to us about the upcoming hearings that we have for November 19 and 20 here in Washington, and some of the people who are going to be presenting at that.
Agenda Item: Status of Plans for November 2003 Hearings - Ms. Fyffe
MS. FYFFE: Yes. We are going to be holding hearings on November 19th and 20th in Silver Spring, Maryland, and I have invited a number of representatives from various parts of the health care industry and let me run through the list. As a reminder to you all the topics that are going to be covered at this first set of hearings are public health, health care research, and also what we are calling an open session of invited health care industry reps.
For public health we have invited Dr. Katherine Bert(?), who is the chief of ambulatory care statistics at the National Center for Health Statistics. Also Dr. Jerry Gibson, who is from the South Carolina Department of Health and Environmental Control. Also Michael Lundberg, who is with the National Association of Health Data Organizations. Also Gail Horlick from CDC, who's on the line with us, who will be talking about immunizations. David Orrin, to give us information about the State Public Health Department perspective, he is from Minnesota I believe. To talk about newborn screening and research Dr. Cecelia Larsen. And to talk about mental health aspects of public health a woman named Laura Van Tosh(?). And I'm waiting to get confirmations back from each of these people as to whether or not they formally accept the invitations to testify.
For the research testifiers or witnesses we have Marcia Gonzales, we've invited Marcia Gonzales who's the compliance officer and privacy officer at the Indiana University School of Medicine. Susan Erringhouse(?), who is with the Association of American Medical Colleges. We've also invited Dr. Martha Linette(?), who is the president-elect of the American College of Epidemiology. Dr. Linette also works at the National Institutes of Health. We also are inviting Dr. James Roberts, who is a senior scientist and director of McGhee Women's Research Institute at the University of Pittsburgh. Also John Lawsnak(?) who's with Academy Health, I can't pronounce his last name. Also Joanne Bowman, who's the executive vice president of the American Society of Human Genetics.
For the open session of invited health care industry representatives as we're calling it, Jan Lorie Goldman of the Health Privacy Project. Lawrence Hughes of the American Hospital Association. Mark Hill, who's with the Principal Financial Group, will be representing the American Association of Health Plans. Dr. David Kibbe(?), who's with the American Academy of Family Physicians. Dan Rhode, who is with AHIMA, and Dan is here as an observer this morning. From the American Health Care Association, which is a long term care organization, Donna Mason. And from the National Association for Home Care and Hospice William Donbe(?).
DR. HARDING: That sounds like a very qualified good group of testifiers that I think will do themselves proud as well as help us in the evaluation of implementation. Could we get a copy of that before we leave today? I understand that some of them are still --
MS. FYFFE: Right, yes, I will get you copy of that.
DR. HARDING: -- in process, but that would be helpful. Any thoughts or questions about that group? That is November 19th and 20th, and it's in Silver Spring --
MS. FYFFE: 19th and 20th and it's at the Silver Spring Hilton Hotel, Silver Spring, Maryland.
DR. COHN: I think the only question I had in terms of the testifiers, is there anybody dealing with the ambulatory health care sector, either in GMA or AMA or something in terms of the general testimony or is it all other areas?
MS. FYFFE: Simon, you weren't in the room earlier this morning, I invited the American Medical Association, they declined. I invited the Society or the Academy of Pediatrics, they declined. I invited the group from Philadelphia that represents the internists, they declined. And they all told me that they didn't have any data or anything specific other then anecdotal stories that they could tell us about during testimony.
DR. COHN: MGMA?
MS. FYFFE: I did not invite MGMA.
DR. COHN: They might be somebody to just ask, I mean I don't, It's hard to know what data anybody has but I mean I'm just sort of thinking of somebody, and David may very well be a good person to talk about this, but I tend to think of him as a lot more on the informatics side of the world as opposed to the practical how in the heck do you run a clinic in the world of privacy reg.
MS. FYFFE: Dr. David Kibbe I believe testified before in front of the subcommittee and he was very enthusiastic about being invited again.
DR. COHN: I think it's great to have him, I was just suggesting maybe somebody --
PARTICIPANT: Can everybody talk into the mic when you're talking so that the group on the phone can also hear us.
MR. HOUSTON: Some of these, how did we come upon some of these other individuals? I mean I hate to say it, somebody from the University of Pittsburgh, I didn't even realize that, that's frankly part of my shop in a sense, I didn't even realize they had invited somebody from the McGhee --
MS. FYFFE: Actually some people heard by attending our meetings or listening over the internet that we were having hearings and they contacted me.
DR. ZUBELDIA: Do you have questions that you're asking them?
MS. FYFFE: What we are asking them, let me get my notes on that, is very, we're going to be putting a notice in the Federal Register and what we are asking them, and this was approved by Mark Rothstein, is for these folks to come in and provide information about how the regulation has effected the level of privacy and confidentiality for protected health information, best practices for implementation of the regulation, and information that might help to identify and resolve barriers to compliance.
DR. HARDING: To avoid the chilling effect that some people have said, I mean yesterday it was interesting when Ed was talking about a decrease number of survey responses, now you wonder if that has anything to do with it, those kinds of things are kind of troubling when you're talking about public health. But the implementation issues and the impact of the rule on collection of data as well as the chill of research, we want to see if the people are seeing that or if that's not the case.
MR. HOUSTON: Is there anybody from OHRP or otherwise on the list for the research side?
MS. FYFFE: I contacted the OHRP folks early on and they said that they could be present but could not officially or would not be able to officially testify. So they are going to be present at the hearings.
MR. HOUSTON: Is there anybody who is an IRB as part of the research subgroup?
MS. FYFFE: I'm not certain.
DR. HARDING: It would be a suggestion to have that.
DR. COHN: How about that person from the University of Pittsburgh?
MR. HOUSTON: Well, we already have somebody from McGhee, which is part of the University of Pittsburgh, so their IRB is separate then the IRB from the University. I'm just trying to make sure we have a balanced discussion here because I think there's some, there is some tension with regards to the common rule and with regards to HIPAA, regarding research, and I know I am personally embroiled in it and I have been for a number of months now, it's become more, the issue has become more and more pronounced and I've been involved with the University of Pittsburgh and the Chancellor and the School of Medicine and trying to sort some of these things out. And there's clearly a tension between the common rule and HIPAA and it's not being handled well by a number of IRBs and I think again, at the University of Pittsburgh there's a real question as to what can and can't be done and I think a lot of things are being blamed on HIPAA which frankly are more properly issues with the common rule. And I think, that's the reason why I asked these questions, I hate to hear sour grapes about HIPAA, or concerns about HIPAA, when the reality is is that the actual enforcement of the common rule is more, in my mind more stringent in such areas as granting waivers and things of that sort, and research recruitment.
DR. ZUBELDIA: I'm wondering if at some point we would benefit from hearing from some of the people there have been complaints against, perhaps after the resolution of the complaint, for them to give us feedback on specific things like not only the complaint or solution process or the complaint process, but also what were the reasons why there was a perception of non-compliance. I'd like to hear from some people that have gone through that experience and that perhaps did not implement HIPAA correctly, why is it that they didn't implement correctly. And I know that it could turn emotionally very disturbing like an inquisition or something, so we need to avoid that --
DR. HARDING: Like when they're packing heat --
DR. ZUBELDIA: So we need to avoid that, but if there is a way to do that perhaps indirectly through their association or something like that.
MR. HOUSTON: Let me give you some anecdotal evidence because again we're a very large health system, we've had a number of complaints through OCR and they've all been handled reasonably, I mean I haven't, just first hand experience is is that the process is, in my mind, is done very professionally and non-adversarially and the outcomes have always been very good. So personally I'm not sure we're going to hear any sour grapes or concerns out of people regarding the complaint process. Maybe consumers would feel like the complaint process doesn't serve them but I can tell you on the other side that the OCR has handled things very well from my personal experience and where there hasn't been issues they've acknowledged it or where there have been issues and we've put a plan of action in place or explained what happened or whatever, they've been very good at acknowledging what we've done in assessing whether it's appropriate. So I'm not sure whether we're going, at least on my experience we're going to see too much in terms of people having concerns.
DR. ZUBELDIA: I'm not thinking about having concerns or problems, I'm thinking maybe if it's working well we probably ought to hear that it's working well. And perhaps through an association or an indirect type of testimony, it may be good, I don't know.
DR. HARDING: So in future hearings during 2004 that would be one of the topics.
DR. COHN: Maybe it's a more general question that we ask the industry association representatives and others, maybe not at this testimony, it seems to be a little bit early for us to be getting a lot of experience with all of this, recognizing I think yesterday what we heard was that there had been a lot filed, a lot had been just sort of dismissed almost immediately and everything else is still open. And I don't think anybody would really want to be testifying about something that's open currently, and anything that was dismissed was dismissed because there was very little grounds to go forward on it. I think it would be useful, I don't know at this session maybe it's something we can hear, begin to ask.
MR. HOUSTON: The other way to accomplish that is to see if OCR is willing to entertain a survey process of individuals who filed complaints, I don't know.
DR. COHN: Filed complaints or had complaints filed against them?
MR. HOUSTON: Filed complaints as well as, I mean either way I think that you could ask, I mean hopefully we have that information.
MS. FYFFE: Stephanie is here from the Office for Civil Rights, do you want to make any comment about that suggestion? I'll make a comment. I'm not certain that it would be the role of an enforcement office to do that kind of an --
DR. COHN: -- satisfaction --
MS. FYFFE: There's also a budget issue for that. Now it strikes me that perhaps some of the associations or other organizations might want to be involved in that, that's just my observation.
MR. RHODE: We're discussing right now, Dan Rhode, AHIMA. We have a small internal group discussing this same thing right now and we're doing some work in preparation for the testimony but looking at it a little longer term as to the kinds of questions and other things that need to be asked. How do we get them to the people who need to answer them because it only represents a small sub-section and I think Simon points out we know there are a lot of providers out there who are not in associations or the folks who are working on this are not necessarily the association member, they're in small physician offices, very typically staff aren't involved in any of these so it takes a much broader survey process and I don't know if we have a sponsor read to do something on that size quite yet.
But certainly the associations that have been involved can do some of this.
We probably need a little more time from the standpoint that if we're six months out, and I'm not sure all the questions can even be answered quite frankly, we discussed asking what the cost was but we're not sure that most privacy officers probably even know what the cost was across the organization, an organization like John's is so big that you may never know quite frankly what the costs are. But we certainly want to entertain that.
We also would like to look at milestones, what milestones could be suggested that perhaps we could all track over a period of time. Certainly we're getting some from Office for Civil Rights but are there other ones. One of the things we've discovered already this year are best practices that we didn't expect to do but came out of the process of implementing privacy, in other words in looking at the work flow and other things that were going on --
PARTICIPANT: Unexpected reengineering and management processes.
MR. RHODE: So there's a variety of those questions and it might be helpful to have the committee think, even if after the two hearings, to think about the long term questions are that you want to monitor and look at because I think, this is one of those things it's hard to see the benefits but if we can begin to look at the milestones we might be able to come up with some good feedback for you.
DR. HARDING: What are the questions? I mean that's kind of where we are and how do we evaluate and so forth, just as you were saying, what are the questions that we need to ask? It's kind of like a research subject. We aren't going to do that this morning probably, but I think with the testimony that we get I think we can sort that out a great deal.
MS. FYFFE: And as a reminder, one of the reasons that we decided to have "an open session" whereby members of the, invited members of the industry could be present is they may surface issues or bring up issues that we hadn't even thought about, so we wanted to have them in on the first hearing to help us with our thought process going forward.
DR. HARDING: Okay, any other thoughts or questions? Gail or Stanley, any thoughts about this topic?
MS. HORLICK: I don't have anything to add.
MR. NACHINSON: Nothing from here.
MR. HOUSTON: I have nothing.
DR. HARDING: And we welcome Stephanie to the group and glad to have you. Let's move along to another item that I promised Stan that I would bring up before he needs to get off the phone, and that's an issue that has come up recently in the American Medical Association News, which was a letter from two physicians who said that they for various reasons don't approve of HIPAA --
MS. FYFFE: Can I read the letter? It's short.
DR. HARDING: Yes, ma'am. That would be probably very helpful.
MS. FYFFE: From the American Medical News --
DR. COHN: This is a letter to the editor?
MS. FYFFE: This is a letter to the editor last week. The title is Opt Out of HIPAA. Regarding "CMS Gives Doctors More Time to Meet Latest HIPAA Rule," which was in the American Medical News of October 6, coverage of the Health Insurance Portability and Accountability Act regulations has been lacking in one very important aspect. AM News seems to take HIPAA compliance for granted rather then informing and encouraging physicians to opt out of HIPAA. HIPAA is far worse then the governments usual unfunded mandates, the amended HIPAA regulations reverse 2400 years of Hippocratic oath. Far from serving as a privacy rule in fact HIPAA is a disclosure rule. Over 70 percent of American physicians qualify to opt out of HIPAA via the country doctor loophole. As long as the doctor employs fewer then ten full time employee equivalence and submits no electronic bills the physician can continue to submit paper bills to Medicare and Medicaid and need not comply with the time, expense, or unethical requirements of HIPAA. We would like to encourage those hundreds of thousands of doctors to make their voices heard in Washington, opt out of HIPAA. Signed Janice Chester, MD, and Robert Piles, MD, Dover, Delaware.
DR. HARDING: Thank you. So taking the affect out of that letter, what they are saying is that they are suggesting that people have the right, and in their opinion the responsibility, to opt out of their involvement with HIPAA as if that were a viable option. And so what I wanted, this type of thing of course is in the AMA News, which is read by probably 50,000 physicians in the country I would say each week, so that type of a statement can disseminate the possibility that what, well, why don't we just opt out or something along those lines. And what I would like to do is just hear a little bit from our experts what is the policy issues, is that a possibility, and then, what's policy and then is there something that the subcommittee or committee should do to help other then a FAQ help this type of a rumor from getting started.
MR. NACHINSON: And this is Stanley, if you don't mind I'll try and give a little background and explanation --
DR. HARDING: That would be very helpful Stanley, we appreciate you being here with us.
MR. NACHINSON: There's some sort of misstatements in here. First, I think it's fair to say that these people probably come from the Association of American Physicians and Surgeons, which has been trumpeting this country doctor opt out option loophole for HIPAA for quite a while. In fact probably since the ASCA legislation was passed and gave folks their one year extension. It really revolves around the definition of a covered entity in HIPAA, which says that covered entities are health plans and clearinghouses and providers that transmit electronic information in conjunction with a standard. So HIPAA gave providers the option of becoming a covered entity, if they choose to engage in electronic transactions they become a covered entity. If they are not engaging in electronic transactions they're not a covered entity and not subject to the HIPAA rules. So that's the genesis of this, they're calling it a loophole, I certainly wouldn't call it a loophole, I think it was a legitimate and purposeful move on the part of Congress to give providers the option of doing or not doing electronic transactions. That's number one, so providers have always had the opportunity to choose whether or not to become a covered entity.
MS. FYFFE: We have a question here Stanley.
MR. HOUSTON: This is John Houston, my understanding is it wasn't really, that the issue of electronic versus paper transaction was one of, that HHS didn't have the authority to impose rules on these practices or on a covered entity, or what would otherwise be a covered entity, if they were not electronically transacting business. That electronically transacting business was the, that was sort of the bounds of it, if you didn't electronically transact business then you couldn't be covered by this simply because that was the maximum scope of the rule. So it wasn't a matter of giving these people an opportunity to opt out by not electronically transacting business but rather the scope of authority only extended to covered entities or otherwise covered entities who electronically transacted business.
MR. NACHINSON: Well, that, well that I think was an early interpretation, later on it was determined that the Secretary did have the authority to apply standards to paper transactions and that's why, for example, the privacy rules apply to information on paper and other non-electronic forms, though the law in the applicability sections says very clearly that covered entities are health plans, clearinghouses, and providers that transmit electronic information. So that's the applicability section, once you transmit information electronically you're subject to all of the HIPAA standards.
MR. HOUSTON: Right, but that was sort of the threshold test, as soon as you electronically transacted business then the Secretary had the authority to --
MR. NACHINSON: To impose standards.
MR. HOUSTON: Yes, to impose standards, not only on electronic information but on paper, any type of information, but I still think that it was an issue of if you don't electronically transact business then there was no authority to impose these rules on you.
MR. NACHINSON: That is accurate, if you do not electronically transmit, you're right, we don't have any enforcement authority, or we can't impose these rules on you.
MR. HOUSTON: I think the way it was said before was that this was sort of a discretionary --
DR. ZUBELDIA: John, what Stanley is saying is if you don't electronically transact business a provider is not a HIPAA covered entity.
MR. NACHINSON: Absolutely, but it wasn't one where there was a decision simply to allow covered entities or otherwise covered entities to opt out of HIPAA simply because they didn't electronically transact business.
MS. FYFFE: Stephanie wants to say something please.
MS. KAMINSKY: I agree with your explanation and understanding that the scope of authority only runs to a provider that is electronically transmitting a transactions, if you are electronically transmitting you must do it in the standard format. However, I kind of disagree with your characterization that that means that there's no opportunity to opt out because obviously, well, not obviously, but it's my understanding that a provider has the discretion to choose whether or not to be conducting business electronically or not.
DR. HARDING: Let's get back to Stanley's presentation and then we'll probably have lots of questions. Stanley, go right ahead.
MR. NACHINSON: So there is this discussion about providers as covered entities, that was in HIPAA. What confused things and provides some material for confusion in this letter is the Administrative Simplification Compliance Act that was passed and required transactions, excuse me, claims to be sent electronically to Medicare.
DR. HARDING: And that was 2000? That was about 2000?
MR. NACHINSON: Yeah, and so by October 16th of this year, the same as the HIPAA compliance date, all providers that submit claims to Medicare had to do so electronically except for certain situations.
MS. FYFFE: Stanley, when was ASCA signed into law?
MR. NACHINSON: I can look that up, I believe it was --
MS. FYFFE: It was December, 2001.
MR. NACHINSON: You got that date? Okay, so we now have a requirement that providers that do business with Medicare, and this only applies to Medicare, must send their claims electronically except if they're a small provider, less then 10 folks if you're a doctors office, less then 25 if you're an institution like a hospital, and there's some other situations where claims don't have to be sent electronically but that's primarily the exception, the small provider exception. So that meant that anyone that does not meet that exception that must send claims to Medicare electronically then becomes a covered entity, so the option that providers had, the discretion that they had as to whether or not to do business electronically goes away for Medicare unless you're a small provider.
DR. HARDING: Okay, could you take some questions Stanley just on that topic?
MR. NACHINSON: Sure.
DR. HARDING: Simon?
DR. COHN: Well, I'm just, and probably Stanley you may be already intending to cover this, I was just trying to think hypothetically, obviously what you're doing so far is agreeing with this whatever we call it, that set of providers is not covered, but let me just give you a hypothetical and ask you how you would interpret this. I'm a provider, one or two people in my office, I actually have a computer that I use internally for billing but I print things out at the end of the day and I don't really send anything electronically but have a billing service that I contract with and I hand that stuff over to them and they sort of -- [tape change] -- in some fashion or other. Am I a covered entity because of that or am I because I, I don't do anything myself, let Stan answer that question, do I inadvertently even though I thought I wasn't doing anything electronically, am I really doing something electronically?
DR. HARDING: Or a transcription service or any other kind of thing.
MR. NACHINSON: If the billing service or clearinghouse or other vendor is conducting those electronic transactions on your behalf you then become a covered entity. And I hope that we've been in some of our frequently asked questions clear on that. Those providers that engage in electronic transactions either directly or through a business associate then become, then are covered entities.
DR. HARDING: Then please continue then Stanley.
MR. NACHINSON: And I think the problem comes with the distinction that these people make --
MS. FYFFE: Stanley we've got a question, sorry to interrupt you.
DR. ZUBELDIA: Before you get much further I have a question on the ASCA exemption. Are providers required to file claims to Medicare in the first place? Can a provider say I'm a non-participating provider and even though I'm a pediatric group that has 20 pediatricians and 200 employees I don't file claims to Medicare. Can they do that?
MR. NACHINSON: Absolutely, a provider has the choice of whether or not to do business with Medicare.
DR. ZUBELDIA: But can they still see Medicare patients and not file the claims?
MR. NACHINSON: I believe there's an obligation on the part of providers to file claims for Medicare beneficiaries.
DR. ZUBELDIA: Even on non-participating providers?
MR. NACHINSON: That's correct, even if you're non-participating. I believe once you treat a Medicare beneficiary you have an obligation to file that claim.
DR. COHN: Stan, my understanding of a non-participating provider does not mean that they don't see Medicare members, but only that they don't agree with all of the terms and payment policies of Medicare, isn't that correct? So they're still billing Medicare but they may also be doing other things to derive their appropriate income.
MR. NACHINSON: That's correct.
DR. ZUBELDIA: Are they not billing the patient and letting the patient deal with Medicare? Because in that case it's the patient that is billing Medicare, it's not the provider.
MR. NACHINSON: I'm not an expert on this but I do believe that even non-participating providers are required to file claims to Medicare on their patients' behalf.
DR. HARDING: Stanley, I know this is kind of difficult for you with the number of questions that arise on each phrase, but could you go ahead and continue on with your discussion and we'll try to save things for the end and ask you a series of questions.
MR. NACHINSON: Okay, that's fine. The real problem here is when folks talk about opting out of HIPAA, our policy to date has really been that once a provider engages in electronic transaction they become a covered entity and we've not determined any way that a provider can say oh, well, I don't feel like doing electronic transactions anymore therefore I'm going to stop doing electronic transactions. And therefore, at least in the provider's mind, I'm no longer a covered entity. We've not come to that conclusion, basically once you, as of April 14th, 2003, have engaged in electronic transaction you've become a covered entity and then are bound by the HIPAA requirements.
It is a question that's been under some discussion in the Department and I don't believe there's been anything issued that specifically states one way or the other. But the gist of it has been once you're a covered entity you're a covered entity. And the folks from OCR that are there certainly are free to kind of confirm or talk about some of the discussions that we've had but basically we've felt that you've become a covered entity you cannot opt out and uncover yourself. So the decision basically had to already have been made for providers on April 14th and the decision has essentially been made for those folks except the small providers that deal with Medicare. So the opportunity to opt out if we say or choose not to become a covered entity is left to anyone that does not participate or does not bill Medicare or these small providers, if they continue, if they have not done electronic transactions and continue to not perform electronic transactions with Medicare they are not covered entities and are not subject to the HIPAA standards.
That's sort of the logical progression here, there is an intertwining of both the HIPAA and the ASCA requirements that tends to confuse people and in fact the statement that says here in this letter as long as the doctor employs fewer then ten full time employees equivalent and submits no electronic bills, I mean it's accurate but a little bit narrow. If the doctor does not bill Medicare and does no electronic transactions no matter what size provider they are they're not subject to the HIPAA standards. If they submit to Medicare and if they are a small provider they can continue submitting paper bills to Medicare.
MS. FYFFE: Does that clear --
DR. HARDING: That does, so there are, at the present time there are two sets of people who, that we're talking about. One is somebody who has never participated, never has done things electronically and therefore does not come under HIPAA regulations. And then there's the other group that has since April of '03 used some electronic means in their practice, there is not opt out at this time for anyone who has done that. Is that correct?
MR. NACHINSON: As we see it that's correct, yes.
DR. ZUBELDIA: Let me clarify that because you said used some electronic means. Using electronic means is not the qualification, you have to use specific HIPAA transactions. You can have a computer in your office to keep all your medical records and do electronic billing but don't do electronic transactions, so if you don't send the claims or you don't eligibility, etc., then you're not a covered entity. As long as you're doing the transactions you're a covered entity. If you are not doing these specific transactions you're not a covered entity.
MS. FYFFE: That's true. As a practical example one of my providers uses a computer in his office for scheduling, etc., etc., and then they print out the bills and put them in U.S. postal mail every day and they are not covered.
DR. HARDING: Okay, Stephanie, did you have a --
MS. KAMINSKY: No, I agree with everything that Stanley said, especially the comment that the Department, there are some discussions going on right now about this, it is a little bit of a tricky question about this opting out or what happens to any provider that ceases to be covered or wants to cease to be covered in some way after April of '03 and also his final word about the statement in the article because there is an inaccuracy there.
DR. HARDING: The inaccuracy is --
MS. KAMINSKY: I don't have it in front of me but it seemed to not take into account that the analysis is sort of two pronged, it's about your relationship with Medicare as well as your relationship to every other health plan out there. Is that right, Stanley?
MR. NACHINSON: That's right, I've got the paper in front of me and it's too limiting, it says as long as the doctor employs fewer then ten full time employee equivalence and submits no electronic bills the physician can continue to submit paper bills to Medicare to Medicaid and need not comply with HIPAA. Although that statement is accurate it's too limiting, it's as long as, if the doctor does not submit, does not do business with Medicare, if they submit no, if they do no electronic transactions then they can submit paper bills. Or of they do business with Medicare and they have fewer then ten full time equivalence they can continue to submit paper bills. The exception so to speak is a little bit broader then this letter states.
MR. FANNING: I think I understand it, I think Stanley was quite clear, if you don't engage in electronic transactions it doesn't make any difference how many people work there.
MR. HOUSTON: But I think the other part of it though is unless you're under, if you're a physician office and have less then ten employees then you don't have the right, if you do Medicare, if you do bill Medicare you do not have the right to paper bill, so it's, you've got to also fall within that, so if you're doing Medicare work and you have less then ten employees then you may be able to just do paper bills, otherwise you're precluded from doing that also.
MR. FANNING: That's right. But the other point I guess that might be made, if you use the standard electronic transactions with anyone you're covered.
MS. KAMINSKY: Right, and this statement seems to be focused on the ASCA Medicare relationship.
DR. HARDING: Would it be helpful to have an FAQ on the --
PARTICIPANT: I think it's already there.
DR. HARDING: Is it there? That would answer this question?
MS. FYFFE: Stanley is there already an FAQ on either the CMS website or the OCR website about this? I believe that there's at least one FAQ I recall.
MR. NACHINSON: There are a number of FAQ's about ASCA and the requirements, let me get to the CMS --
MR. HOUSTON: While you're doing that, there is a specific FAQ on who is a covered entity and it's very clear as to who is a covered entity and the requirement that you do, that somebody who electronically bills using a standard transactions, so one piece of it's already there and then he may find the other part.
DR. HARDING: But the other side is the exit issue, is at the present time is it possible to bail? Because that's the question that these kind of letters will create in the mind of doctors how there, you mean I don't have to do this? And then how do I get out of this or something along those lines. And at the present time what I heard said was that at the present there is no opting out after the fact, and that that's the way it is right now and it's being thought about and discussed from Stephanie's statement, that at the present time there is no opt out.
MR. NACHINSON: There are a number of questions regarding this on the CMS website, in particular there's a question that says I'm a provider who bills electronically, do I have to implement HIPAA if I go back to submitting claims on paper? And it says as a provider who bills electronically you're be required to comply with HIPAA unless before that date you stop conducting any of the HIPAA transactions electronically. So we have stated there that that's sort of the only way to opt out. There's also a question, are small providers exempt from HIPAA, where we discuss the relationship between ASCA and HIPAA and the exception and what it applies to. So we do have a number of frequently asked questions in regards to small providers in ASCA and HIPAA and who's a covered entity and things like that.
DR. HARDING: Simon:
DR. COHN: Stan, thank you for the clarification, certainly I'll be curious to see what the Department decides to do over the longer term though. Certainly as you look at the Medicare Reform legislation and at least one version I saw was mandating e-prescribing by the end of this decade. One would think that opting out of even the most basic electronic interactions for health care is probably not the direction that the country is going in. Having said that let me just ask, I mean this is probably a peculiar question but a lot of people here have made the reference to the standard HIPAA transactions, and I was just reflecting on the fact that many entities are now currently using contingency plans, so we're past obviously October 16th, we're into really the world of HIPAA administrative and financial transactions, but they're using "non-standard" transactions under the contingency. How does that play out in all that? Is that really, for the purposes here really considered to be a HIPAA transaction because it's under a contingency plan?
MR. NACHINSON: Well, in terms of whether or not you're a covered entity I have to get the exact language but I believe it says that as a provider you're covered if you submit information electronically in regards to any of the transactions that we standardize. So it's not if you do a HIPAA transaction, it's if you do electronically one of the transactions that have been standardized. If you do an electronic claim you become a covered entity.
DR. HARDING: Stanley, you mentioned that at 9:30 you had another appointment and we very much appreciate you being on the line with us to help clarify this issue that I think, I feel a little more clarified although I'm sure that there will continue to be discussions about this issue.
MR. NACHINSON: And we've certainly gotten a number of questions about it and I can offer if the subcommittee or folks feel that the frequently asked questions that we have are not clear or there are some additional ones that you think would be useful to the public I'm sure we'd be happy to add them to our website.
DR. HARDING: Thank you very much.
MR. NACHINSON: And thank you very much for the opportunity to provide the clarification. Take care.
DR. ZUBELDIA: Simon made a very good point, if you're not using electronic transactions you probably don't have access to the FAQs on the internet.
DR. HARDING: That's probably right.
MS. FYFFE: No, you have access to the internet at home, or your kids have access.
DR. HARDING: Your kids can look it up for you. Okay, we have a couple more items on the agenda, it's 9:30, we just have about ten minutes or so to go before we have to break to get ready for the main committee meeting. Kepa, you had asked about GLB, do you want to talk about that with Stephanie being here?
DR. ZUBELDIA: Stephanie, a couple of meetings ago we talked about GLB and the interface between GLB and HIPAA and are the banks covered entities, are they required to protect the information that flows through the banking system and you were going to do some research on that. Have you found out something? Not yet?
MS. KAMINSKY: I was?
MS. FYFFE: Actually I think that there was a letter from --
DR. ZUBELDIA: Medical Banking --
MS. FYFFE: The American Banking Association or the --
DR. ZUBELDIA: No, the Medical Banking Project.
MS. FYFFE: The Medical Banking Project that went to CMS a few months ago and I know that it made it's way into the Office for Civil Rights and I'm wondering if the issues raised in the letter have been resolved or if you can make any comment about that.
MS. KAMINSKY: They're being very closely looked at, hinges on legal interpretations of the scope of Sec. 1179 in HIPAA which gives the exemption for any financial transactions that are banking related as you probably are well aware. I'm not necessarily sure I know what the GLB question is although obviously there's some concerns about or questions about how GLB would interface and/or protect protected health information if it was in the hands of a bank and it was also subject to GLB I suppose, but in terms of that letter it's certainly being looked at very carefully right now.
DR. ZUBELDIA: The issue that has been presented to me by the Medical Banking Project is that the Gramm-Leach-Bliley protects the information that flows through the banking system for the banks customers or prospective customers, so the banks cannot disclose information about their customers or prospective customers. However, when the bank gets an 835 from a payer to be sent to a provider information in the 835 is about people that are not bank customers, they're patients that were seen by the provider that have no relationship to the bank. Perhaps some of them by coincidence may be customers of the bank but in general they would not be. And apparently some banks feel that information is flowing through them, they have access to it, and they can use it for marketing because it's not about their customers. And since they're exempt from HIPAA by 1179 and they have this information that is not protected by Gramm-Leach-Bliley, it seems to fall into a black hole and apparently according to the Medical Banking Project some banks are actually using it for marketing, direct marketing to those patients. And they have enough health information in there to target the marketing very specifically to the patient.
MS. KAMINSKY: We're aware of the issues and the Health Privacy Project has also submitted a letter outlining a lot of those issues, looking at scope of when a business associate agreement is required and how that would protect information in the scenarios that you're describing, have not that much, we don't have a lot of information about how common or frequent this mining kind of activity is, it would be interesting to have more information about whether or not that's, how sort of pervasive that activity is, but nonetheless we understand that the concern is the potential for that activity and as I said the Department is looking very carefully at the questions.
MR. FANNING: May I ask whether any effort is being devoted to restructuring the process so that banks do not get patient information?
DR. ZUBELDIA: At this point I think there's no effort to do that. The 835 allows for that restructuring and allows for the payment information to be sent separate from the remittance advice information. Technically it's there, it's the choice between the payer and the bank on how to do it.
MR. FANNING: Well, may I suggest that the most protective thing for privacy is not to have the information flowing, a statute or regulation is a protection if the information is really needed, but the best protection is that it not be passed around.
DR. ZUBELDIA: The banks are also apparently claiming to not be clearinghouses and this is another very, very technical issues, is that when 835 flows through the banking system it gets wrapped inside a CTX transactions, but it never gets translated into anything, it's just wrapped inside the transaction and sent forward. So they're saying they're not clearinghouses because they're not converting it into a non-standard format.
DR. HARDING: Dan, did you have a comment?
MR. RHODE: Yeah, when we first established the 835 with Medicare, this is prior to HIPAA, the agreement at the time was to allow the information to flow through the bank and essentially a predecessor to a business associate agreement would be written between the receiver of the money who has the bank relationship and the bank itself. The reason that this agreement had to be there was so that Medicare could send an 835 through the bank and essentially what you've got is an EFT transaction and an X-12 transaction, you siphon off the money and you send on the transaction to the provider, or as Kepa indicates you could separate the transactions.
The process is a business transaction, it's associated with every check that a bank sends through, so what you're claiming is that we've got banks that are now taking information off of individuals checks to do marketing and it would seem to me that there may be other banking regulations that would be involved in this as well, I don't think any of us think that as our check goes through the banking system that our checks could be mined for this purpose. But what I hear you saying Kepa, and I think it's important, is that the banks are themselves identifying certain contractors if you will, let's say a hospital, and they're checks are getting extra scrutiny to be siphoning off this data, so they're deliberately looking at specific checks to do this?
DR. ZUBELDIA: The banks cannot look at your checks because you're a customer of the bank. And since you're a customer of the bank it's protected by Gramm-Leach-Bliley and they can't look at it. But when a payer sends to, say an oncology clinic a payment to the bank, the bank doesn't have a relationship with the patients inside the remittance advice so they can mine that information inside the remittance advice.
MR. RHODE: So it would be akin to my looking at the check and down in the right hand corner where that line is for memo I've got the name of the individual patient that that payment relates to, certainly have a lot more information then that on the 835, and we have banks deliberately now going in and siphoning that data off is what you're telling me. That's the accusation.
DR. ZUBELDIA: That's the accusation, that's what the Medical Banking Project is reporting. I'm not saying they're looking at the memo, they're looking at the entire check and seeing everything.
MR. RHODE: So I think there's a question of if that's a Gramm-Leach-Bliley violation or if it even goes further into some of the other banking rules, and the Federal Reserve rules. I really think the Department needs to look at it for all the banking rules and not just Gramm-Leach-Bliley, because I think there's other violations there.
DR. HARDING: Could someone help me on a process here as to what we should do as a committee, are there questions that we should ask of Stephanie's group or where should this go process wise? It sounds like a very important concern.
DR. ZUBELDIA: I think OCR needs to look into it, and we need to, if they determine it's in fact happening and it's not just something that the Medical Banking Project has made up, if it's happening perhaps we need to ask some of the banks that are doing it what is their understanding of things. And perhaps there should be appropriate guidance to those payers that are using the banks like that that they have to have a business associate relationship with the bank that precludes the bank from disseminating this information.
DR. COHN: I guess I'm, it's hard to know what sort of guidance you give to an entity that's not covered by a law but I guess OCR could certainly do that, and I think the question is is there a loophole here. Stephanie I guess the question I'd ask you is when do you expect to have this evaluation completed? And the reason I'm asking is because one of the other things that can be done is to talk to the standards organizations because I think as at least one person here commented, that one other response would be to change the nature of the standard or the implementation guide to sort of deal with this if there's no regulatory authority that exists to deal with this issue. So when are you going to have the, when do you think OCR will have this issue evaluated and have a better understanding of it?
MS. KAMINSKY: Well, it's not just OCR, it's a Department issue and I can't even begin to guesstimate although it's really front and center presently so I would assume in the not too distant future but it's very difficult to, I know it's been lingering for some time, it's always been in the background but it's sort of come to a head and there are a number of letters that the Department needs to respond to at this point.
DR. COHN: Just from NCVHS business I think there's a hearing in late January that will include a meeting with the DSMOs.
MS. KAMINSKY: Who is having the hearing?
DR. COHN: This is actually the Subcommittee on Standards and Security and so this would be something where depending on what you, I mean if we knew by that time it could be a conversation, I mean if there is an issue here and there is a hole in the relationship to the regulations and all of this, and legislation, then another answer here is to sort of say geez, do standards need to be modified to prevent this from happening.
DR. HARDING: We need to finish in just a minute so go ahead.
DR. ZUBELDIA: Simon, I don't think that the DSMOs can fix that, I don't think that the standard can be changed to do that. One of the reasons why some payers feel like they have to send the 835 through the banks is that the 835 has to have the trace number for the electronic remittance advice and that trace number is only assigned by the bank. So the bank has to take the 835 and plug in the trace number. There is all kinds of technical issues, I don't think that a technical solution will work.
MS. KAMINSKY: And also just one last thing, I'm sorry, Richard, but it's my understanding that this is a business practice, that this is not a question of what the standard requires because the standard is about the transaction between the payer and the provider or the provider and the payer and that that this is a value added service that the banking industry has offered to these players on both sides of this transaction and to the extent that that's sort of driven by that value added incentive I'm not sure that, I don't see it, as Kepa just said, I don't see that the question is what's in the standard.
DR. HARDING: Kathleen.
MS. FYFFE: One final point. As announced during our last NCVHS committee meeting on September 24th we will be having Privacy Subcommittee hearings on February 3 and 4 and the topics are schools, law enforcement, and something that we sort of called the payment chain, which involves TPAs, employers, health plans, brokers, and reinsurers, so again it's schools, law enforcement, and the payment chain mechanism.
MR. HOUSTON: Was there another open session?
MS. FYFFE: An open session?
MR. HOUSTON: Was there? I wasn't --
MS. FYFFE: The details of the agenda itself have not been worked out, what we agreed upon were that those would be the three topics but I think we could probably because we're still in the planning stages of the hearing have some flexibility.
MR. HOUSTON: The other question, what was the date of the security, end of January was the security, what was that 28th and 29th? We've got two weeks back to back.
DR. ZUBELDIA: Is there a way to change that date from February 3 and 4 to another date?
DR. HARDING: I don't know, Mark set that up, I'm not sure. Do you have a problem with 3 and 4?
DR. ZUBELDIA: It's the X-12 meeting.
MS. FYFFE: We had a tremendous challenge in scheduling this, these February hearings and we polled all of the subcommittee members and so forth but it seemed that the best dates were February 3 and 4. Now we can talk with Mark about revisiting the hearing dates --
MR. HOUSTON: My concern is we have the security stuff the week before.
DR. COHN: And we may have a meeting of the full committee attached to that. We can revisit it --
DR. HARDING: And then we will, on the 19th we can revisit that. Any other items for the agenda? Any comments? We appreciate everybody's participation and we will report to the full committee the items from this morning. Hearing no other things we'll adjourn.
[Whereupon at 9:50 a.m. the meeting was adjourned.]