[This Transcript is Unedited]

THE DEPARTMENT OF HEALTH AND HUMAN SERVICES

NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS

HEARING OF THE

SUBCOMMITTEE ON PRIVACY & CONFIDENTIALITY
"PRIVACY PROTECTIONS FOR MEDICAL RECORDS OF NON-COVERED ENTITIES"

September 15, 2006

Hubert H. Humphrey Building
200 Independence Avenue, S.W.
Washington, DC 20001

Proceedings by:
CASET Associates, Ltd.
10201 Lee Highway, Suite 180
Fairfax, Virginia 22030
(703) 352-0091


P R O C E E D I N G S [9:10 a.m.]

Agenda Item: Introductions and Opening Remarks - Mr. Rothstein

MR. ROTHSTEIN: Good morning, my name is Mark Rothstein, I'm the director of the Institute for Bioethics, Health Policy and Law at the University of Louisville School of Medicine, and chair of the Subcommittee on Privacy and Confidentiality of the National Committee on Vital and Health Statistics. The NCVHS is the statutory federal advisory committee to the Department and the Secretary of HHS on matters of health information privacy.

I want to welcome you on behalf of the subcommittee and its staff to the second day of hearings that we're holding on possibly extending the coverage of HIPAA or some HIPAA like rule to currently non-covered entities. And yesterday we heard from the life insurance and related insurance industries and today's two panels are employment and schools, and we may in the future look at other applications of the privacy rule.

As we customarily do we will begin with introductions by subcommittee, staff, witnesses, and guests, and subcommittee members should disclose any conflicts of interest, others need not do so, and I will begin by noting that I have no conflicts of interest. I'll ask Dr. Tang to go next.

DR. TANG: Paul Tang, Palo Alto Medical Foundation, member of the subcommittee, no conflicts.

MR. REYNOLDS: Harry Reynolds, Blue Cross and Blue Shield of North Carolina, member of the committee and no conflicts.

MS. HORLICK: Gail Horlick, CDC Atlanta, staff to the subcommittee.

MS. BERNSTEIN: Maya Bernstein, I work in the Office of the Assistant Secretary for Planning and Evaluation, I'm the lead staff to the subcommittee.

MR. HOUSTON: John Houston, University of Pittsburgh Medical Center, member of the committee, no conflicts.

(Introductions around room.)

MR. ROTHSTEIN: Welcome to all of you and I also want to extend a welcome to those who are listening to our hearing on the internet.

Invited witnesses for both of our panels this morning have been asked to limit their remarks to 20 minutes and after both witnesses on each panel have testified we'll have I think ample time for questions and answers which is always I think the more interesting part of the program. Witnesses may submit additional written testimony within two weeks if they want to Marietta Squire or to Maya Bernstein. I would ask that witnesses and guests please turn off their cell phones if they have them or other electronic devices that could interrupt the hearings.

Let me backtrack a little bit and put into context if I can the purpose of this hearing. In our June 22nd letter to the Secretary dealing with privacy and confidentiality issues in the Nationwide Health Information Network one of our recommendations, R-12, reads as follows, HHS should work with other federal agencies and the Congress to ensure that privacy and confidentiality rules apply to all individuals and entities that create, compile, store, transmit, or use personal health information in any form and in any setting including employers, insurers, financial institutions, commercial data providers, application service providers and schools.

And the purpose of this is to try to reassure individuals that information that they disclose to a non-covered entity will not be redisclosed without their consent and so that comparable provisions will apply to all holders and users of personal health information.

In advance of the hearings and to focus our discussion the subcommittee distributed to each of the witnesses a list of three questions which we look forward to hearing the views of the witnesses on these three questions. And for the benefit of those listening in on the internet let me just briefly mention what those three questions are.

Number one, what federal and state laws currently regulate the privacy, confidentiality and security of individually identifiable health information used by your organization or those you represent?

Second, if HIPAA were extended or some comparable legislation were enacted to regulate your use of health information what effect do you think the law would have on your operations?

And third, if instead of receiving all of an individual's health records pursuant to an authorization you received only those relevant to your needs how would this affect your operations?

Now the first panel this morning dealing with employers, have you arranged between the two of you the order you want to go in? Okay, not having done so we'll go by the order we have on the schedule with Ms. Sharara going first, yesterday's witnesses had a clearer idea of the order they wanted to go in and it wasn't ours so I just wanted to make sure I wasn't offending your sense of logic.

So please, welcome, and we're anxious to hear your testimony.

Agenda Item: Panel II - Employers - Ms. Sharara

MS. SHARARA: Thank you, good morning. My name is Norma Sharara and as I mentioned I am a lawyer in private practice in the Washington, D.C., law firm of Luse Gorman Pomerenk & Schick but I am appearing today on behalf of the Society for Human Resource Management, SHRM. SHRM is the world's largest association devoted to human resource management representing more than 210,000 individual members. The society's mission is to serve the needs of HR professionals by providing the most essential and comprehensive resources available. As an influential voice the Society's mission is also to advance the human resource profession to ensure that HR is recognized as an essential partner in developing and executing organizational strategy. SHRM was founded in 1948, we currently have more than 550 affiliated chapters within the United States and members in more than 100 countries. So when we're here speaking with the subcommittee today we feel that we have the best interests of our membership which is a very broad cross section of human resources professionals in mind and speaking on behalf of how employers view health care privacy.

HR departments are involved in very critical and personal decisions that employees make about health coverage, retirement, and other benefits. In providing information, guidance and materials to employees on these issues human resources understands the importance of maintaining the confidentiality of employee's employment and medical information, this is not a new area to professional human resource career developed individuals. SHRM is pleased to have the opportunity to explain how employers use medical records in the employment context and offer suggestions on how best to protect the confidentiality of medical records of employees and health plan participants.

My comments today will focus on three areas, the use of health information in the workplace, concerns about the expansion of mandated rules regarding health information and privacy in the workplace, and protecting the confidentiality of personal information in the workplace.

One of the questions that the committee asked us to answer has to deal with use of medical records. As you probably know, everyone here being gainfully employed, you filled out your own human resources forms, you've met with your own human resources department, you know what it is like to be hired, maybe to be fired, and to transition to a new job. You know all of the paperwork that's involved in the employer/employee relationship.

Medical records come into the hands of employers in a variety of ways. In designing health care plans human resource professionals depend on access to health information in order to figure out the features and the level of benefits that they ought to be offering their particular workforce. For example in setting annual out of pocket limits the employer needs access to aggregate health care claims experience based on its own workforce's information. In addition an HR professional in many instances will need similar cumulative health data to obtain premium bids for health insurance coverage or to set health insurance premium rates.

Employers use health information to determine eligibility for non-health benefit programs such as disability, workers compensation, wellness benefits, and employee assistance plans. We also are responsible for tracking compliance with substance abuse treatment. In these health benefit programs employee health information often must be shared with others involved in those programs in order to allow the employer to design, manage and tailor their health benefit plans more appropriately to meet the needs of their employee population, also to improve health benefits effectiveness and quality and to manage the costs of these programs.

Keep in mind it is a voluntary system, employers are not legally required to offer health care and if too much regulation or too much emphasis is put on compliance with laws that get in the way of operating a business the owner of the business might make a business decision not to offer health care.

Employers are subject to a variety of laws currently, I'll summarize them briefly. The Family Medical Leave Act allows employees to take up to 12 weeks of unpaid leave for their own serious health condition or for that of a spouse or family member. The employer must collect relevant medical information on the nature of the serious health condition. An employer may require a doctor's written certification before an employee can take FMLA leave for the employee's own serious health condition or that of a spouse, child or parent. For example most employers who provide employees who request leave under FMLA with the certification of the health care provider form that must be completed by a physician or health care professional in order to determine if the individual qualifies for the leave. This information although not mandated to be kept confidential is kept confidential by human resource professionals.

In addition workers compensation laws bring health care issues into play. Workers compensation insurance statutes establish a process through which employees who are injured or contract a work related illness on a company's premises or performing duties within the scope of employment are covered from medical costs in any related disability. Medical information is necessary to file a claim and is used to determine whether or not an injury is work related.

The Americans with Disabilities Act is another federal law where medical records may be used to help determine if an employee has an "impairment" that substantially limits one or more major life activities, or has a record of a substantial limiting impairment. Moreover medical information is often an integral part of determining a reasonable accommodation for disabled employees. Since employers are required to determine whether or not an employee or an applicant has a disability covered within the meaning of the Americans with Disabilities Act the individual's medical information is often required. HR professionals and employers would face an insurmountable challenge in making proper decisions without that information.

Occupational health and safety, which Jim is going to talk about later, is another area that employers must collect information about, medical information.

SHRM is concerned about expanding the federal mandate for health insurance privacy. Currently at least a dozen different federal laws impose recordkeeping and retention requirements on employers. We've named the Americans with Disabilities Act, the Family Medical Leave Act, workers compensation, and of course HIPAA. Each law has its own retention period and its own recordkeeping requirements and its own and different levels of protection. Employers routinely maintain a personnel file for each individual containing those records relating to employment, your application for the job, your resume, your transcript, your job description, hiring, promotion, transfer, a layoff, firing, performance evaluations, educational records, those are all in your human resources file, go back to your office and check, it is.

There's a separate file, the separate file your employer maintains for you has your medical information, it's not mixed in with your job review, it's not mixed in with other things. HR professionals routinely maintain separate confidential files for information, the EEOC records are kept separate, immigration forms are kept separate, invitations to self identify a disability or veteran status, safety training records under OSHA, and other rules that apply to federal government contractors who do work with the Department of Defense. HR is charged with keeping confidential all of this information and they do.

In addition every state has its own set of rules, in addition to workers compensation, varying from state to state, different levels of statutory rights of individuals to have access to medical information, restrictions on disclosure of information by the record holder. Most states lack a comprehensive medical privacy law but have statutory privacy protections that apply to certain entities or certain conditions. HR routinely handles all this, it's what we do and we think we're good at it.

The administrative burden, however, including oversight, reporting, disclosure, tracking, legal and staff training, and expense, of compliance with all of these numerous federal and state laws that govern employer's use of health information can be overwhelming for employers, especially small employers which as many studies show that is the growing sector of the economy.

Employers are in the process of complying with HIPAA security but it's a very time consuming and costly effort. According to SHRM's 2006/2007 workplace forecast one of the most important HR trends is the impact of the workplace's growing complexity of legal compliance, so the increased burden of legal compliance is the number one issue that our members have identified as something that needs to be addressed.

SHRM concurs that safeguarding employee health information in the workplace is a high priority, frankly I don't think that employers are abusing the information that they get, they're hardly making it available on the street corners and they're not talking about it at the water cooler. HR professionals know how to keep information confidential.

SHRM and its members have serious concerns about any proposal that would mandate new requirements for employers regarding the privacy of health information. SHRM recognizes that health information should not be disclosed for unlawful reasons such as a decision to hire where a candidate is otherwise qualified to perform the essential functions of the job, or to terminate employment because of a perceived or actual disability. Unlawful disclosures of protected information should be punished appropriately. SHRM believes that the current law adequately protects the privacy of employee health information. SHRM members already are subject to the numerous laws regarding privacy and confidentiality.

In addition as a matter of best practices human resource professionals have adopted policies and procedures designed to safeguard individual health information within the sphere of their own workforce. Even prior to HIPAA privacy rules employers had taken numerous steps to safeguard employee health information.

In conclusion SHRM believes that a voluntary common sense approach built on best practices and current law represents the most appropriate approach to the issues surrounding protecting the confidentiality of health information in the workplace. Current federal medical record privacy law does not apply to all employers or even to all holders of personally identifiable information, expanding current federal medical records law to all employers is one way to create uniformity, expanding the coverage of existing rules however is likely to result in additional recordkeeping burdens on employers without improving privacy.

If expansion in this area is deemed necessary, whether it is an expansion of the number of entities covered, or an expansion of the number of rules, SHRM respectfully suggests that the following issues be taken into account.

First, employers already operate under numerous federal and state laws, lack of harmonization of these requirements can lead to confusion and unintentional errors coupled with significant penalties.

Second, in addition to various federal laws state laws have specifically addressed privacy of medical records. While many of the state laws track HIPAA employers are nevertheless obligated to conduct a thorough review of all applicable law to ensure that they are in compliance. To avoid the expense and possibility of error state laws on medical record privacy should be preempted as part of any expanded federal privacy regime.

Third, any expanded federal regulations should be carefully targeted to address existing harm. SHRM agrees wholeheartedly that harm done through illegal disclosure of medical information should be punished. SHRM has serious reservations however about provisions designed to control the flow of information in the workplace. Employers and HR departments assist employees with many work/life balance issues, health care billing disputes, any number of things on a day to day basis that may result in the employee's disclosure of health information. It's critical that the mere possession of information be separated from the use of the information for discriminatory or other illegal purposes. Best practices and model protocols based on existing procedure and current law should be encouraged to protect information coupled with appropriate punishment for intentional acts.

I'd like to thank the committee for this opportunity to appear before you today and SHRM looks forward to continuing to work with you on this issue. I'd be pleased to answer any questions.

MR. ROTHSTEIN: Thank you very much for that testimony, you've raised a number of questions for us I'm sure that we'd like to probe with you at the end. But we're going to defer that for just a minute and hear from Dr. Tacci, welcome.

Agenda Item: Panel II - Employers - Dr. Tacci

DR. TACCI: Panel members, good morning, my comments have been submitted in written form. My name is Jim Tacci, I wear several professional hats, I'm an assistant professor and residency program director at the Department of Community and Preventive Medicine at the University of Rochester Medical Center. I'm also a site medical director for one of upstate New York's largest manufacturing facilities and perhaps most applicable to these proceedings I'm an attorney and co-author of a HIPAA compliance manual that was published back in 2003 when HIPAA was on everyone's absolute front burners --

MR. ROTHSTEIN: It's still on some of us.

DR. TACCI: Among other activities I serve as the co-chair for the American College of Occupational and Environmental Medicine's Committee on Ethics and the co-chair for their Health, Law and Policy Section. And I'm here today representing ACOEM and on behalf of ACOEM and its members thank you for this opportunity to provide comments on the possible expansion of protections afforded by the HIPAA privacy rules. My comments will in large part be restatements of prior ACOEM positions which promote the protection of individual's health care information, seek to limit the inappropriate use or disclosure of such information, reiterate the logical role of physicians as gatekeepers of that information, and seek to minimize any undue influence that is sometimes placed upon physicians to inappropriately disclose health information.

At times I may intersperse personal or anecdotal experiences in this regard but I'll always try to make a distinction when I'm speaking on my own behalf or speaking on ACOEM's behalf.

By way of background as many of you may know ACOEM represents approximately 6,000 physicians and is the world's largest and preeminent organization of physicians specializing in the practice of preventing, assessing, and treating occupational health problems. Occupational and environmental medicine seeks not only to prevent and manage occupational and environmental injury, illness and disability but also to promote the health and productivity of workers, their families and communities.

As I think you also know occupational medicine physicians not only interact with patients, their families, other health care providers and health insurance carriers but also somewhat uniquely tend to routinely interact with employers including CEOs, general counsel, human resource personnel, plant managers, etc., as well as other health and safety professionals including industrial hygienists, safety engineers, ergonomists, etc., workers compensation, disability carriers. Our members provide clinical or consultative services in a wide variety of practice situations including clinical services, medical surveillance, fitness for duty examinations, pre-placement examinations, independent medical evaluations, disease and disability management, analysis of aggregated clinical data, health promotion and wellness programs, occupational illness prevention programs, and employee assistance programs. These activities are performed in the context of myriad federal and state health and safety regulations many of which have already been noted. I will probably list them in the context of my comments but I will forego the detailed descriptions of them since you've already heard that testimony this morning.

Now these activities and programs can result in the prevention, early diagnosis and treatment of disease and encourage employees and their families to practice healthier lifestyles. If medical information gathered from such programs is not kept private participants in these programs may be in greater jeopardy and may be at greater risk for not participating fully in them. Protecting confidentiality and privacy is imperative to preserving patient trust and employee trust in the workplace.

ACOEM has a longstanding record of advocacy in support of the preservation of the privacy of medical records, particularly employee medical records. This has for many years been a fundamental tenet of ACOEM's Code of Ethical Conduct. Since 1994 ACOEM has called upon Congress to ensure the privacy of employee medical records. On several occasions since 2001 it has been ACOEM's privilege to provide this committee and other committees of the Department of Health and Human Services with suggestions as to how the long awaited HIPAA privacy rules might be improved to better protect individual's health information or to better equip our physicians to safeguard that information. And as previously noted we appreciate that opportunity to do so again today.

As was noted by our subcommittee chair today we've been asked to address three distinct but related questions dealing with the possible expansion of the protections afforded under the HIPAA privacy rules.

First, what federal and state laws currently regulate the privacy, confidentiality and security of individually identifiable health information used by your organization or those you represent?

Two, if HIPAA were extended or some comparable legislation was enacted to regulate your use of health information what effect do you think the law would have on your operations?

And then third, if instead of receiving all of an individual's health records pursuant to an authorization you received only those relevant to your needs how would this affect your operations?

These questions will be addressed in the context of either our member physicians, their employers, or perhaps both. For each where applicable I'll try to point out potential advantages, potential disadvantages, and possible unforeseen or unintended consequences of those changes.

In terms of question number one, what federal and state laws currently regulate the privacy and confidentiality and security of your organization's members or those they represent personal and protected health information, those have been again nicely described but just in summary, on a federal level many but certainly not all of our physician members and/or their employers, based on their activities and the type of transactions in which they are engaged, are considered covered entities under the HIPAA privacy rules and/or security rules, and are therefore governed by the HIPAA privacy rules.

In addition and apart from HIPAA nearly all of our physician members and/or their employers operate within a regulatory framework that requires and governs the use and exchange of individually identifiable health information including but not limited to the Occupational Safety and Health Act, or OSHA, the Americans with Disabilities Act, the Family and Medical Leave Act, the Mine Safety and Health Act, etc. In addition occupational medicine physicians and their employers have obligations under other federal standards such as those issued by the Department of Transportation as with commercial driver's license, the Department of Energy as with nuclear operators, and the Environmental Protection Agency just to name a few.

Again, I'll forego detailed discussion on any of those at this time.

On the state level as has been noted our member physicians are generally bound by rules of professional conduct typically with oversight by their state medical licensure boards, state health departments, or state education departments. Also on the state levels our member physicians and their employers typically operate under rules governing exchange of medical information and/or mandatory reporting that are promulgated by state health departments, state insurance agencies and state workers compensation boards, again just to name a few. In addition the labor and employment laws of a state may also typically contain rules governing the handling of employee medical information.

The examples that I listed here were meant merely to provide a sense of the myriad federal and state laws or agency rules that typically speak to the handling of individually identifiable health information in the context of occupational medicine, and under which our member physicians and/or their employers typically operate. As noted this is not intended to be an exhaustive list but perhaps just a representative or example list.

Question number two was if HIPAA were extended or some comparable legislation were enacted to regulate your use of health information what effect do you think the law would have on your operations. As noted in the response to question number one many, indeed more likely the vast majority of ACOEM's physician members are considered covered entities under the HIPAA privacy rules. Similarly many if not most of their employers may be considered at least in part for example the so called hybrid entity covered under the HIPAA privacy rules as well. As with any regulatory compliance it would entail an expenditure of time and energy on the parts of the newly covered entities for any expansion of the HIPAA privacy rules to put their operations into compliance. Cost estimates for this may be modeled based on the past experience of the health industry, presumably the cost of compliance per covered entity would be less at this time than it was for initial compliance with the HIPAA privacy rules because for many currently covered entities and/or their compliance consultants the steepest part of the HIPAA learning curve has come and passed and people are familiar with the rules, regulations and the nuances therein along with various forms of interpretative guidance and frequently asked question and answers, etc., that have been issued since the implementation of the privacy rules. It should be noted however that while there should be some efficiencies derived from past experience in the context of extension of the coverage of the current rules thereby reducing the per unit cost of compliance if you will, or per covered entity cost of compliance, the overall cost to industry for compliance would likely be substantial due to the fact that the number of individuals or business entities requiring compliance plans could depending on the scope of the proposed expansion be many fold higher than the number originally covered under the HIPAA privacy rules.

Also it would stand to reason, although not specifically substantiated by my comments or my written remarks with precise mathematical modeling, that the more closely any new or expanded rules matched the original privacy rules in content and form the greater the cost savings would be gleaned through prior health care industry experience, conversely the less that any new or expanded set of rules resembled the current rules the greater the learning curve for the implementation of that new set of rules and therefore the increased sort of per unit cost of compliance.

Institution of the original HIPAA privacy rules carried with them the promise of ultimate cost savings due to efficiencies and uniformity in information technology, billing codes, medical records, etc., some derived from the privacy rules, some derived from the security rules, and those cost savings were to offset and be realized over the first ten years or so of implementation of the new rules. The speed and the magnitude of the realization of these cost savings has been a matter of some debate which is beyond the scope of my comments today. However it is reasonable to assume that since these cost savings were purported to be derived from enhanced efficiencies in the transaction of health care business that said savings might be of a lesser magnitude for physicians or employers who are not regularly engaged in the delivery of health care or for newly covered entities who are not regularly engaged in the delivery of health care unless of course there were some parallel efficiencies that could be derived related to their regularly transacted business.

Perhaps the greatest negative impacts of the operations of ACOEM member physicians and/or their employers who are not currently or wholly covered by the HIPAA privacy rules are the above referenced compliance costs and logistics of implementation. However there are several potential positive aspects and implications as well, they include but are not necessarily limited to enhanced privacy protection for people's health information, an expanded scope of said coverage or protections which has long been advocated by the American College of Occupational and Environmental Medicine beyond that which was provided merely by the business associate construct under the HIPAA privacy rules, and an enhanced awareness by those who are not currently covered entities of the special status and therefore requisite special handling of medical records and protected health information.

Of course as previously noted physicians are held to rules and ethical professional conduct that are not necessarily shared across professional disciplines and as was the case with the HIPAA privacy rules not necessarily shared with everyone holding covered entity status. It would be hoped that any expansion or extension of the definition of covered entity under the existing rules or creation of new rules that expanded the scope of those covered under some sort of medical privacy rules would also carry with it an expansion of the legal responsibility for compliance with the privacy rules, much of which currently rests inordinately with physicians and/or health care providers and that expansion of the legal responsibility would apply to all of the newly covered entities which in turn might help drive development of enhanced rules of ethical and professional conduct in the information handling for those disciplines as well.

One potential pitfall of course would be a false sense of security that could come from an expansion of the coverage of the privacy rules that is not in turn accompanied by enhanced professional standards in records handling by non-physicians and non-health care providers. This risk could be significantly mitigated by strong adherence to the so-called minimum necessary standard discussed in my response to the question number three below.

Question number three read if instead of receiving all of an individual's health care records pursuant to an authorization you received only those relevant to your needs how would this affect your operations. It has long been the position of ACOEM, pre-dating the advent of the HIPAA privacy rules, that communications related to employee medical conditions should always be limited to the so-called minimum necessary standard.

Indeed ACOEM's longstanding and consistent positions can be accurately summarized as advocating for the following, stronger adherence to principles of the minimum necessary standard, a two-way responsibility as previously alluded to on the part of both the requestor and the supplier of health records, and not merely the supplier, in restricting the scope of communications to only the minimum necessary, and finally more clearly defined, perhaps through standard protocols developed by the Department of Health and Human Services, parameters of what the definition of minimum necessary is for use by occupational physicians in implementing the minimum necessary standard with respect to work related personal health information.

ACOEM does appreciate and applauds the efforts of the Department in furthering adherence to the minimum necessary standard as the gold standard for communication of employee health information.

To be sure adherence to a minimum necessary standard is much more labor intense, particularly during the initial implementation phase, than merely transmitting an entire medical record upon authorization. However the benefits of adhering to a minimum necessary standard are multi-fold and truly create a win-win-win scenario for employers, employees, and occupational health physicians. First and foremost, the risk of unnecessary or inappropriate health information about an employee being communicated becomes significantly reduced.

Second, as a benefit to employers, the less medical information they possess about employees the less exposure the employer will have to accusations, true or false, of having made adverse employment decisions based on an employee's health status.

And finally, with allowance for some requisite variation, of course, based on the context of the information quests, workers compensation versus ADA versus FMLA versus OSHA, etc., the more universal and standardized the approach to adherence to a minimum necessary standard for exchange of employee health information the less likely it is that physicians will be put under pressure from employers, insurers, third party administrators, etc., to go beyond this minimum necessary standard in their role as gatekeeper of the employee medical records.

That concludes my prepared comments but in closing on behalf of ACOEM and its members I thank you once again for the opportunity for participating in this hearing and as always ACOEM is happy to assist in the development of the sound policy to protect employee medical records.

MR. ROTHSTEIN: Thank you, Dr. Tacci, that was very interesting testimony. I know there are several lines of questions that I would like to follow up on but I'm going to first recognize my colleague Mr. Houston and then Dr. Tang and Mr. Reynolds, and then I'll go last.

MR. HOUSTON: Thank you. I just wanted to clarify just one thing in my understanding, a lot of different statutes were identified and I know that Norma, your comments, see if I can find it specifically, I know you were talking about FMLA and I know that again there were a number of other ones so I'll just use that as an example, you spoke to the, you had a discussion about FMLA and you sort of insinuated that FMLA had provisions in it which required the confidentiality of information. Is it fair to assume all the different statutes that have been cited here today all have provisions in them that expressly require the receiving entity to keep confidential information that it acquires through the process of abiding by those laws?

MS. SHARARA: Unfortunately that's not the case. HIPAA was the first time that we had a statute that specifically included mandated privacy requirements. FMLA and ADA and the other laws that we spoke about imply that that information should be confidential and private but there's not a matrix necessarily that shows you exactly how to comply.

MR. HOUSTON: So therefore you could conclude then that there is under these statutes a right to have access to the information, or need to have access to the information for purposes of complying with the statute but there's nothing other than an implied obligation to keep the information confidential.

MS. SHARARA: That's right.

MR. HOUSTON: Okay, I just wanted to make sure I was clear on those things, throwing a lot of statutes out there and I just wanted to make sure I didn't miss something. Thank you.

MR. ROTHSTEIN: And in fact, John, the case law holds that FMLA requests are considered to be an exception to the ADA's requirement that information has to be maintained in separate files and in separate form and HR people normally don't get to see health information, get to see requests for leave filed under the FMLA, so your point is well taken.

MR. HOUSTON: I do find it interesting that there's all these rights to get at information but there isn't a corresponding obligation set forth in a statute and I think it's an interesting hole.

MR. ROTHSTEIN: Thank you for that question.

DR. TACCI: In fact in several regulations both on the federal and state level the obligation to maintain confidential the information might be limited to an implied obligation because the lines of communications may be delineated for the process of communication but they're silent on anything else so the greatest strength of any obligation for confidentiality is just the absence of any specific language to the contrary.

MS. SHARARA: And that goes for recordkeeping, forming a record, record retention policies, etc.

MR. HOUSTON: Not to ask the obvious, do you think there is value in expressly providing confidentiality protections for the data, the information that is being conveyed under these various statutes you referenced?

MS. SHARARA: Privacy is a good thing, John, but imposing penalties for doing something slightly different --

MR. HOUSTON: Well not even necessarily imposing penalties as much as at least expressly stating that there is a confidentiality obligation, I don't know how far it goes so I don't want to assume that either but I guess you have to have a penalty if there's going to be a statutory obligation.

MS. SHARARA: It would not be a bad idea to say which is obvious that this should be kept private, my concern though is the rules and regulations that would be promulgated underneath that general obvious statement would create additional burdens for employers.

MR. ROTHSTEIN: Thank you. Dr. Tang.

DR. TANG: I appreciate the testimony because it was very illuminating. You probably have one of the few sectors that have maintained even more separate on a given individual than we do.

So I have a two part question, one is in health care you probably know that we have about five percent of our hospitals, ten percent of our docs have full electronic health record systems. Are you better off or worse off than we are in terms of recordkeeping on employees?

MS. SHARARA: Well, it really depends, SHRM represents all size of employers, obviously the larger employers who have resources have intranet capabilities and electronic records are de rigueur. Small employers, Joe's Plumbing, probably doesn't. So SHRM speaks with a voice of 210,000 members nationwide, it's hard to make a generalization.

One thing though I would like to comment on is SHRM has sent a letter to the members of the House of Representatives in support of a pending bill, HR 4157, which is the Health Information Technology Promotion Act. There essentially the idea is to accelerate the process of shifting the health care system from a paper based format to a secure electronic format by developing standards for transmission and storage of health information. Electronic health information record system would help the human resources profession with their job.

DR. TANG: So the number of records, so the FMLA and the ADA, workers comp and the employment records, for example, in the larger organizations they potentially could be all electronic?

MS. SHARARA: Yes.

DR. TANG: Okay, and then now one of the security provisions we have, which is a good thing, is that there be role based access, so you can imagine that especially to try to keep the firewall going, an employer that the person, the receptionist at the front desk would be able to know that yeah, Norma is employed here, have no idea whether you've ever had an FMLA, etc., etc. Is that standard or is it codified anywhere?

MS. SHARARA: It is standard best practices but it's not codified.

DR. TANG: So I guess the final question or suggestion, in an ideal world, and I'm very sympathetic to the burdens side of it, first of all it sounds like occupational health is more or less covered by HIPAA as a practice so it's more on the employer/HR side. If you had uniform rule, like in a sense we do because HIPAA sort of covers all of this stuff, if we could give without, and take away, any duplicate or conflicting and you had to live with the privacy as John was alluding to and the security thing that we just mentioned, things that support the privacy policies, would that be a better world? And I understand that's ideal because it would have to preempt some of your existing laws but from a health record kind of --

MS. SHARARA: I think that would be a definite plus for the industry. As I mentioned in my testimony the health care system right now that employers provide health care is entirely optional and often driven by the tax benefits. If burdens become too complicated, if penalties become too onerous, employers don't have to offer health care and we'd hate to see that happen. So I think a uniform system that takes the patchwork we have now, consolidates it into one system, here's the gold standard for privacy rules, that would help employers feel more comfortable about doing the right thing for their employees.

DR. TANG: It seems like you have implicit rules that many of your employers would follow anyway, codifying it wouldn't change their practice, it could only make things clearer.

DR. TACCI: Can I just add one point of clarification? I think it would be too much of a generalization to just assume that occupational medicine is covered by the HIPAA privacy rules, in fact a significant percentage of our members do not fit squarely into covered entity status under HIPAA and in fact that's where some of the greatest tensions perhaps are derived because they help form our code of ethics and there are state licensing rules, etc., they're held to a certain level of activity and behavior yet they're not technically covered entities under the HIPAA privacy rules.

DR. TANG: Would you mind elaborating on that just for my edification?

DR. TACCI: For instance as a corporate physician I can be employed by a company, see employees every day for their health care needs, so I'm a practicing physician yet I don't engage in any of the transactions under the HIPAA privacy rules that would make me rise to the level of a covered entity status. That's one easy example. Another one might be someone in private practice who may see people under workers compensation scenarios, may see folks under general practice medicine scenarios, and then may be receiving requests for information for the same person from health insurance carriers, workers comp carriers, perhaps third party insurers for accidents, etc., and it's sometimes for those members confuses the records handling because they're wearing several different hats and they're wondering if that particular information exchange is governed under HIPAA or not.

DR. TANG: Is there a ruling on that? Who knows the answer to that question? Sue?

MS. MCANDREW: It would depend on, I mean generally if it's just a general physician's office and that physician is covered by, is a covered entity under HIPAA then all of the records regardless of whether or not an electronic transaction is engaged in with respect to that particular patient or treatment event would become HIPAA covered. That being said there are disclosure permissions for that information to flow in a workers comp kind of scenario as necessary to carry out that workers comp obligations on the part of the physician.

DR. TANG: I mean that was very helpful and thanks for your clarification, so probably the last question I asked Norma might apply to you then with the caveat you suggested, so to the extent that it really is just the HIPAA, the same provisions of HIPAA that you've already started to understand and train on, if that were to apply to your function as a provider in the setting despite the fact that you don't do transactions, would that make sense?

DR. TACCI: Yeah, I'll take the liberty of answering both that question as well as the part about the electronic records that was asked. For both I would say that like any new set of rules that need to be complied with or new sets of technologies there's a very steep learning curve. In occupational medicine circles just like health care circles in general the steepness of that learning curve tends to be more onerous for the smaller providers than it is for the larger entities. Once obtained however I think that uniformity presents tremendous transactional efficiencies and once everybody is brought up to the same whether it's electronic page or a set of rules, gold standards in terms of record handling, I think that there are tremendous efficiencies and that was in fact taking off my ACOEM hat and putting on my attorney hat, our sort of somewhat conservative advice to clients as the HIPAA privacy rules were being implemented was that perhaps the safest and best thing for you to do since these are largely your practices anyway is to govern yourself under these most protective rules, do it now and you can spend much less time later on trying to figure out am I a covered entity, am I not a covered entity.

MR. ROTHSTEIN: Mr. Reynolds.

MR. REYNOLDS: Thank both of you. I want to take apart a word that both of you used because maybe you didn't parse it as far as I would like it and that was employer. Both of you talked, actually mentioned the word employer a number of times. Under HIPAA there is employer and then there's the employer's health plan. Norma you mentioned the HR departments but nobody ever said the employer's health plan area which is kind of the coveted place in HIPAA where this stuff was supposed to reside in an employer's environment to be protected and dealt with, that's the firewall, that's the firewall from the hiring and firing, that's the other thing where this data is kept. I'm not familiar with how these other laws parse employers which HIPAA kind of put a wall in there. So if you could help me understand whether or not these other laws actually separate sections of an employer and say they can have this and it can't go to the CEOs and it can't go to others who would decide, because again, I think one other thing, as you move down to the smaller employers the risk of somebody having an issue as you mentioned, Norma, can drive them clear out of supplying health insurance but it can also create that opportunity for aberrant behavior based on the fact that it could jeopardize their company in other ways, that's the reality of health care these days. So if you could help me with that then I think I would feel much better about what I think I did or didn't hear.

MS. SHARARA: Now Harry raises a very good point, HIPAA does create a firewall between the group health plan that the employer sponsors and when the source of health care information is coming from the plan that is subject to HIPAA. But if the employee walks in to the HR department and says my kid just broke their arm that information is coming from a source that's not the health plan. And so the collection of medical information comes to the HR department through different channels, when it comes from the health plan clearly it is subject to the HIPAA privacy rules, when the employee walks in and tells you something that's not. And the difference there is that the HR function keeps both types of information regardless of source confidential in its own way, the HIPAA rubric provides particular guidelines, the best practices where HR governs the information that you get from your individual employee coming in and telling you something.

MR. REYNOLDS: Disclosures are fine, I'm well aware of those, if somebody comes in and tells you all bets are off, they're the ones that gave it up.

MS. SHARARA: Exactly. So one area that I think what you're asking about is how would an additional privacy rule expand HIPAA from just the source of the information being the plan to the source of information being something else. Is that what you're asking?

MR. REYNOLDS: No, I'm just making sure that when you say the word employer you are clearly considering that that firewall exists.

MS. SHARARA: Oh yes.

MR. REYNOLDS: Okay, but again, having heard both of you testify and never say group health plan it just struck me as I just wanted to make sure I understood.

MS. SHARARA: Oftentimes what happens with self insured plans in particular when you are figuring out how much to charge as a premium, when you're doing experience rating on getting quotes for your insurance policy, again if you're a small employer and they say here's on an aggregate basis your claims experience and you've got one outlier out here, it's a cancer claim, and you've got six people who work for you, you kind of know who that is I mean even though they don't identify it specifically. So yes, there are reasons when you have to get information under the HIPAA rules for health plan operation and experience and cost.

MR. REYNOLDS: But what about these other laws, do they, they don't differentiate --

DR. TACCI: They do not and in fact I would argue that there's several firewalls in employment settings. Certainly in all of my comments the term employer referred to the employer proper and not the group health plan that the employer might sponsor and indeed that's what typically drove the sort of hybrid covered entity concept where the employer is a widget manufacturer and that's what they do, that's what their 99 percent of their operations are geared towards, but one percent of their operations is geared towards administration of a health plan and that is walled off and treated, operates as a covered entity but the firewall is there.

Interestingly as I'm sure all of you know, as they were rolled out the HIPAA privacy rules allowed for the same person in the covered entity part, the group health plan, to have several other functions within the HR department but they have to sort of keep an internal firewall in their brain in terms of not impacting any other employment related decisions or insurance rated decisions or benefit decisions.

Speaking to the other point though from the occupational medicine perspective there are several firewalls in place and we hold out all the time, again and also going to the minimum necessary standard, is that when the occupational medicine department or your occupational medicine physician makes a determination truly the information that will pass over to HR or to anyone else in the company, it could be a supervisor, it could be a production manager, etc., has to be distilled down to that minimum necessary that needs to be communicated to that person for that purpose.

So if we're doing a new hire physical examination or a return to work examination or a fitness for duty examination basically the information that we should be communicating is yes or no, this person is physically capable of performing these job duties based on the essential job functions, yes or no they can do it with a reasonable accommodation, yes or no they need some measure of restrictions and this is the date and the duration that we anticipate that they can do it and truly the information communicated should stop at only those things that are directly related to the person's ability to do their job. So the firewall not only exists with the benefits plan but with the occupational medicine department or a consultant.

MR. REYNOLDS: Mark, one other quick follow-up. So as you --

MS. BERNSTEIN: You say should, when you say there's a firewall you said it should be separate but as I understand your previous testimony there isn't really, I mean if you're not a covered entity, some of you are not covered entities, you're not transacting claims and so forth and so HIPAA isn't covering that, HIPAA isn't causing a firewall in that case that you just described. What is requiring that separation? Is it just your ethical responsibility or is there some other legal or regulatory requirement that would require that disclosure not to happen?

DR. TACCI: Typically that would come from, when HIPAA is not governing it would come from other sources, examples would be our own, ACOEM's code of ethics which tells us what we should and should not share in that regard, state licensing, and physician professional practice standards, various federal or state labor and employment regulations but those vary obviously state to state. So there are other either voluntary such as codes of ethics or mandatory such as licensing and professional oversight provisions that would dictate that communication. That is a prime example of why sort of a uniform gold standard would be very beneficial I think and I think that it's beneficial to as I stated in my comments both our member physicians and also their employers who are in turn the employers of the folks whose medical records we're talking about because that helps eliminate A, any undue pressure on the physician, B, any incorrect or inappropriate sharing of information, and lastly, from the employer's standpoint it helps minimize any likelihood that they could be accused of making adverse employment decisions based on information, based on health information, etc.

MR. REYNOLDS: So basically since our focus as we've reviewed this and really did it under the guise of the new electronic world that is approaching quickly with EHRs and PHRs and every other HR you can come up with, we're really, at least I think we're really just talking about making sure that if you touch it, you see it, you have it, you protect it, and so a lot along your lines, Jim, of what you had to say and which basically back, wouldn't necessarily add any more significant burden on employers unless they were passing it around electronically and we all have somewhat of an uncertain feeling to the depth of business, the whole business associate thing. So that's where we're trying to head and I haven't necessarily heard or seen anything from either of you that says that's an overly burdensome direction.

MS. SHARARA: I think it would be wonderful to clean up the current patchwork that we have now of all the different requirements, of all the different laws, the FMLA, the ADA, they're wonderful laws for helping the workplace environment but the burdens that we see as human resource professionals currently is that there isn't a standard set and we do the best we can on best practices, state law, federal law, etc., etc. If there were to be one uniform rule that would certainly make life easier. In a world where every high school kid has an iPod and knows how to download ring tones, I mean even for the small employers electronic technology is affordable and available and it is something that would make good sense.

DR. TACCI: My two disclaimers in that regard is first of all I'm here today speaking on behalf of ACOEM not Delphi which is my occupational medicine employer. Second is that I'm not an IT guy so I'm not really tech savvy, I know how to turn on an iPod but I don't know what makes it tick. We have over the course of this past year been rolling out a new electronic health record format for our company and this speaks to the notion of keyed access and appropriate access to records and we're rolling it out literally this year, it certainly as with any technology had growing pains but it does underscore the facility and the ease of use once it is in place to have a single source record base and then your access to that record, I as the plant physician obviously have relatively unfettered access to the medical records, our safety personnel will have access to safety specific information, perhaps clearances for safety sensitive job titles, etc., but they don't have access to the medical record, other folks on a very specific need to know basis, return to work dates for our HR folks, restrictions for our HR folks who are supervisors, but again, no access to the actual clinical medical data.

So in a perfect world when you can have that sort of rolled out uniformly and have the access keyed towards exactly what type of access folks should have it helps eliminate a lot of these concerns in terms of what should be photocopied and sent over, what needs to be redacted.

MR. ROTHSTEIN: I have a few questions that I want to see if I can get some closure on some of the things that have already been discussed and one important one that Harry just brought up of course is within employers there's this sort of bifurcation where the benefits information is covered and the other information is not covered. And I assume it's your position that the non-covered area, which has health information, is currently now protected by the ethical principles, professional codes and whatever of the HR or whoever is handling that, and I gather that it's your testimony that the level of protection of even the non-covered stuff is basically the same as the covered stuff which is subject to HIPAA, in other words the confidentiality controls that apply to the covered material currently through other means now apply to the non-covered material. Is that your testimony?

MS. SHARARA: That's right, essentially in practice when you wake up in the morning and come to work and have your cup of coffee and you sit down in the HR office you think about all the things you need to get through during the day and if you can come up with a uniform way of doing things then even though it's not required for the things that aren't covered, if it works then it's often adopted de facto --

MR. ROTHSTEIN: So that if HIPAA or some HIPAA like regulation applied to both worlds that would not be too much of a burden as long as we took into account your suggestions of the need for harmonization, preemption analysis, and so forth.

MS. SHARARA: Yes, harmony is a good thing.

MR. ROTHSTEIN: Well, that's one of our guiding principles.

The second question, even though you represent here SHRM there's a bigger world out there of smaller entities without professional HR people and even though I will assume or concede that your members are doing everything great there are lots of non-members where the boss's secretary keeps the health records. Do you think that life would be better for employee privacy and uniformity in a sense, harmonization, if the same requirements that you go by would be applied to all employers who use health information?

MS. SHARARA: In a perfect world I believe that is true but I think what would happen is if there was a significant bite attached to the bark then employers may think twice about offering health care, if they're a small employer it's a big ticket item --

MR. ROTHSTEIN: Well it wouldn't necessarily be benefits stuff, it could be workers comp claims, it could be the results of pre-placement examinations done by some contract physician and so forth.

MS. SHARARA: I think it's a good idea to have a uniform system that everyone can point to one set of rules that's workable and live under.

MR. ROTHSTEIN: Okay, thank you. I want to go back to the ACOEM issue that you talked about before and as you discussed ACOEM members basically fall into two camps, the ones who work in house and the ones who work as contractors or independent and they see a few patients or whatever --

DR. TACCI: We have a governmental and an academic camp too --

MR. ROTHSTEIN: Right, and only one of these camps is now generally covered by HIPAA, sort of the private practice group as opposed to the ones who are working in house --

DR. TACCI: I would hesitate to make that generalization also because there are folks, even the in house folks if they're providing primary care and doing billing to the health insurers, so there will be exceptions --

MR. ROTHSTEIN: There are a few exceptions. My question then is would life be easier and from a privacy standpoint arguably better if the same privacy and confidentiality rules that HIPAA mandates on the covered entity physicians would be applied sort of across the board to all physicians who deal with employee health information.

DR. TACCI: Coming back to Norma's bark and bite thing, I think that perhaps yes, the uniformity and the simplicity is a good thing, I think if the HIPAA tail started to wag the rest of the dog that might not be a bad thing as long as the dog didn't bite too fiercely. So I think that yeah, having a uniformity or a gold standard if you will would probably be a good thing in that it would simplify operations.

Candidly, the distinction, even though there is a distinction, the distinction made between those of our members who are covered entities versus those who are not is a bit of an artificial one and as I mentioned before the more conservative advice that I gave as an attorney to folks or that I have given as an attorney to folks is that the easier and best practice might just be even though it's not technically legally required but would be to follow the privacy rules whether or not they apply to you because that is the sort of new gold standard or community standard of handling medical records, so that's one consideration.

Another piece of advice that I gave in terms of implementation of the privacy rules to those who knew they were covered entities and presumably it would be the same for those who are currently not but may become covered entities in the future was that the truth is even though there were some 58 or so new policies and procedures, etc., that folks were required to have under the privacy rules the truth was that folks were probably doing 80 or 90 percent of those things already just because that was what their code of ethics required them to do or their professional practice required them to do, and really my job at that time as a compliance consultant if you will was just to inform them of what the ten or 20 percent of new things were and to make sure that their 80 or 90 percent of the activities that they were already doing just as best practice was documented and was raised to the level of regulatory compliance. So I would guess that for the vast majority of our members they're already doing, as was the case with the comments with HR professionals, they were already or they are already doing the activities that would bring them into compliance with any new set of rules, it would just be a matter of documenting and codifying.

MS. SHARARA: Mark, what we're looking for is a set of short, simple, easy to follow rules. If I had a dime for every HIPAA privacy notice that I personally threw away when I went to the pharmacy, when I went to the doctor, when I went to, and my doctor sends them to me in the mail once a year just to remind me about what they're doing, and I'm the professional in the field, I can't imagine what my mom and dad and brothers and sisters and cousins and grandma and grandpa, how many HIPAA privacy notices have they thrown in the trash bin --

MR. ROTHSTEIN: We'll be sure to invite you back when we talk about that issue next year.

I want to focus on the minimum necessary principle that you talked about and see if we can translate that into the legal requirements, the non-HIPAA legal requirements. And I was very pleased to see in your testimony about ACOEM's commitment to minimum necessary standard. Under the ADA, and both of you are lawyers so it makes this question easier, section 102-D-4, which governs medical examinations of current employees says that current, when you do a medical examination of a current employee it must be limited to either job related matters or it has to be voluntary on the part of the employee. So the statute already builds in essentially the minimum necessary standard and I gather from your testimony that not only is this achievable it's desirable from ACOEM's perspective.

By contrast section 102-D-3 of the ADA applies to medical examinations that are done after a conditional offer of employment, what the statute refers to as employment entrance examinations. And this provision is not so restricted and therefore there's no requirement that it be "job related" or that it be minimum necessary and as a result of that individuals can be required to sign an authorization of unlimited scope, and that's where I'm going to get to eventually.

But my initial question is based on ACOEM's testimony is it your view that if those two provisions of the ADA were somehow harmonized so that the 102-D-4 provision saying that it has to be job related and consistent with business necessity were applied to 102-D-3 as well, the post offer examination, you'd be perfectly happy with that because that's basically what you're suggesting here, that you shouldn't get information that you can't use, don't need, and so forth.

DR. TACCI: Not having kept the section numbers of the ADA straight in my head I will say that harmonization of those two provisions would be desirable, I don't know that it would necessarily require a limitation in scope of the information that one would obtain during the course of a post-offer pre-placement physical. In theory I think that that distinction was an artificial one too because a post-offer pre-placement physical is actually keyed towards the essential job duties --

MR. ROTHSTEIN: Ideally but not necessarily.

DR. TACCI: So I think that you could harmonize the two without necessarily having to limit the scope of the information gleaned during the course of the post-offer pre-placement exam. So I think that --

MR. ROTHSTEIN: Okay, I'll come back to that and give you a chance to follow, I want to ask Ms. Sharara what SHRM's position would be on that. In other words would the HR world be willing to or is the HR world in alignment more or less, I note all your footnotes and asterisks, with the ACOEM view of minimum necessary should apply wherever possible.

MS. SHARARA: Yes.

MR. ROTHSTEIN: Okay, that's very helpful to know that because in the HR standpoint and from I would say the corporate counsel standpoint why do you want your company getting HIV status information when you can't legally use it and it might lead to a lawsuit if you decide this guy that you hired was just really not doing a very good job, now he knew that you had this information, so these sort of lawsuits are brought all the time, if you never had that information there's no lawsuit.

MS. SHARARA: Right. You raise a good point, ignorance is often bliss and sometimes it's better not to ask the question if you don't know what the answer is going to be as they teach you in law school. In the HR world though human beings being what they are they traipse on in to the HR office, plunk themselves down and spill their life story including divorces and everything under the sun. So while it's a lovely idea to think that we wouldn't know that I bet you we already do.

MR. ROTHSTEIN: Okay, so now let me connect the last dots which gets back to what we are about primarily and that is health privacy in records especially now in electronic health records. We are exploring, and in our letter of June 22nd invited, recommended that the Secretary explore researching new computer technology that would somehow filter the information before you got it, so in other words if you got a release for information it would be limited to job related stuff. Now we talked to the life insurance people yesterday, life insurance is a much easier case because you only need to know about 12 or 15 different fields to figure out whether someone's mortality risk is above normal. In employment I would argue it's most difficult because you get so many different job categories and people do so many different things, how do you know what to send. So leaving that aside the principle is that if you could have some sort of computer algorithm where you pressed a button and you got all the information that you needed to make a decision in terms of history, but you don't get the irrelevant stuff, the sensitive stuff, the stuff that people are worried about disclosing, at least in theory does that sound like something that you could live with?

DR. TACCI: It does but I would qualify the answer and I'll go back to your HIV example, if I'm a medical director for a widget manufacturing company someone's HIV status will have nothing to do --

MR. ROTHSTEIN: We're not talking about surgeons --

DR. TACCI: Making Styrofoam cups let's say, will have nothing to do with their ability to help me manufacture Styrofoam cups so as part of their post-offer pre-placement exam, now they've already been offered employment, there will be no basis to deny them placement on my cup manufacturing machine based on their HIV status. That said given that their initial physician examination for better or worse in most settings typically evolves into their baseline history and physical examination for their company medical record, there will be a value to me in knowing that in three or six or eight months if they come to me either in a primary care setting with hey doc, I've had X, Y, Z symptoms, what do you think they are, that will help my medical decision making, or even if they come to me in a work related injury setting and the question is whether or not a minor abrasion or a laceration rises to the level of needing an antibiotic, well, if I know that they're more prone to infection so based on immune compromise that will be valuable information for me.

MR. ROTHSTEIN: I think those are very good examples but what I was --

DR. TACCI: But it would never impact their --

MR. ROTHSTEIN: What I was limiting my question to is the narrow pre-placement question of can Joe Smith do whatever the job requirements are of a particular job.

DR. TACCI: And that's why we so strongly adhere to that minimum necessary standard that says that when I draft a memo or a note to Norma about Joe Smith who's just undergone his pre-placement examination, all that memo will say is yes or not he can do the job and these are the restrictions or accommodations if any that he might need.

MR. ROTHSTEIN: See as I'm sure you know there are two states now, California and Minnesota, that already have laws that require that all medical examinations and inquiries no matter what time, which includes pre-placement, have to be strictly limited to job related criteria. But we have no way of collecting only that information so that as a routine practice in both of those states the custodians of health information just send the whole record anyhow because they can't comply with it. Ideally at some point in the future we might be able to comply with laws that mandated that, either state laws or maybe a federal law where you just press three codes and you get what you need but that's down the road. And it's valuable for us to hear that with all your reservations and exceptions so noted at least in sort of broad strokes I get the sense that sort of conceptually you don't have a problem with that.

MS. SHARARA: No, I think conceptually it's an excellent idea because it limits the exposure to the employer's liability, I see a lot of JDs on people's name cards around the table, we live in a litigious society, negligent hiring cases, if somebody did something wrong and you knew that they had a heart condition and you let them fly the plane anyway, whatever example you can think of, some clever plaintiff's lawyer is going to come back and find fault with what the employer did somewhere along the way to right a perceived wrong. So health information if you can give us a standard and we can say hey we followed the rule, that would be great for employers, I think it's hard to actually implement in practice.

MR. ROTHSTEIN: Well I want to thank you all very much, are there other questions from staff? We appreciate your testimony, it's been very helpful to us and I hope we can possibly call on you in the future to maybe answer questions or even come back here.

MS. SHARARA: Of course, thank you.

MR. ROTHSTEIN: We're going to take a 15 minute break and then our next panel on school health records will begin at 10:45.

-- [Brief break.] --

MR. ROTHSTEIN: Good morning, we are set to resume our hearing on the Privacy and Confidentiality Subcommittee of the National Committee on Vital and Health Statistics, I want to welcome the members of our third panel to deal with school health records, and I have your testimony and we will plan to hear from each of you for about 20 minutes and then we'll have I'm sure several questions to ask you. So let's see what the order was on the list, it's alphabetical, unless you, that's fine, we'll go in reverse alphabetical order. Dr. Kiel, please.

Agenda Item: Panel III - Schools - Dr. Kiel

DR. KIEL: Good morning, my name is Joan Kiel and I'm the designated spokesperson for the American College Health Association regarding the application of HIPAA and medical record privacy protections to colleges and universities. In addition I'm the chairman of University HIPAA Compliance for Duquesne University in Pittsburgh, Pennsylvania. And lastly I'm the chair of the American College Health Association HIPAA Committee.

Since its inception in 1920 the American College Health Association has been dedicated to the health needs of students at colleges and universities where the vast majority of the students are over the age of 18 and thus are considered adults. ACHA is the principal leadership organization for the field of college health and provides services, communications, and advocacy that help its members to advance the health of their campus communities. ACHA's membership has grown from the original 20 institutions of higher education to more than 930. These member institutions represent the diversity of higher education, two and four year, public and private, large and small.

Today I'm going to limit my discussion to three topics, first, the use of medical records in colleges and universities, second, suggestions for how the potential expansion of protections for medical records might affect colleges and universities, both positively and negatively, and lastly, recommendations on the adoption of medical record protections.

Regarding the first issue, colleges and universities are a community of people. Therefore the student health service functions as a community-based health care provider practice. The medical records at the student health service may serve a varied population. Medical records are maintained for ongoing treatment and evaluation of students, and in some cases family members, faculty, and staff.

Student health services frequently refers students to specialists in the community. If a student is a commuter or their health care provider is nearby the student health service will be in communication with that health care provider. And these external providers, they simply assume that the student health services are under HIPAA. When these health care providers request the medical records for treatment purposes the student must now sign an authorization for this release. And this is often confusing for the student and the college health service staff as well as a possible barrier to efficient communication to the staff to which the student is referred.

Second, medical records are kept on immunizations for state immunization laws. And when students participate in practicum or internships, especially in a health care setting, the student medical record is referred to.

Third, faculty often desire information from the medical record. They may want to verify why a student is not in class and determine if the illness is chronic or long-term. They may need to know what the ultimate effect will be on the student's performance in the class. Now under FERPA regulations student health services could theoretically release a student medical record to a faculty member without obtaining the student's consent. However, FERPA will not allow release of a student medical record to another health care provider for treatment purposes without a patient authorization. So thus, considering clinic records maintained by the student health service education records under FERPA, instead of medical records under HIPAA, is confusing and unsubstantiated and must be further analyzed. And I will talk about that in the third part for recommendations.

Some health services work with their Department of Athletics to provide pre-screening physicals for athletes and monitor follow-up care. Health services also provide treatment for faculty and staff for on the job injuries. And here is where confusion may also arise, if the health service engages in one of the HIPAA electronic transactions then the employee records are under HIPAA and the student records are under FERPA, and the confusion arises when the individual is both a student and an employee. And again I will focus on that in recommendations.

Regarding the second issue, when we talk about the potential expansion of protections for medical records, they could have positive or negative effects for colleges. On the positive side, under HIPAA, people who do not have a need to know will not be able to access the record, nor have a right to the information contained herein. The law also protects the student health service staff as they can simply say the law says you can't have the record. The students' confidentiality is protected and the potential for discrimination is mitigated. And the health service must respect students' right to privacy or they won't use the health service even in emergency situations, and that certainly can then cause further harm.

On the negative side, even the cases that have gone to court have not resolved the HIPAA/FERPA intersection. In Shin v. MIT the case was settled out of court and thus the court had no occasion to rule on the HIPAA/FERPA issue. In Allegheny College v. Mahoney the college was found not negligent and the only mention of the HIPAA/FERPA intersection was that the policies will be looked at, but that is on a voluntary basis not via a court order. So thus it is imperative that if the courts cannot settle the HIPAA/FERPA intersection then the laws need to be rewritten for all to clearly understand because as of now under HIPAA information is shared for treatment, payment and health care operations, or if the patient consents. But under FERPA the information can be shared if the student's life is in danger and that's the gray area, so the question arises as to at what point does one tell another. If that person is right then they may save the student's life but if they are incorrect this can upset the student and break their trust so it really is a tough judgment call.

Regarding the management of student health records, many student health services receive legal opinions regarding compliance with FERPA and HIPAA that informed them that the student health services must ensure compliance for student records under FERPA or state law and non-student records would be governed by HIPAA. So many student health services are now in the unenviable position of having three different standards with which to adhere to. Student records that are maintained and accessed solely by the health care provider are governed by state law. The student records released for any reason including patient authorization are governed by FERPA. And non-student records, such as university employees, faculty, non-student spouses, they are governed by HIPAA. So an option then is for the college health service to discontinue providing services to non-students, such as the spouses, the summer camps, the visiting scholars, the athletic interns, J-1 visa scholars, but this option only allows them to follow FERPA or state law. But it's not an optimal solution as it decreases health care access and services to the campus community, not to mention lost revenue.

Another potential negative aspect concerns accreditation for college health services. There are many college health services that are accredited by JCAHO and the Accreditation Association for Ambulatory Health Care. And both of these organizations are now moving toward HIPAA regulations as part of the general survey requirements. So will college health services not be accredited because they are not able to meet the HIPAA requirements if they do not engage in one of the electronic transactions? And accreditation is important to student health services as it does indicate a commitment toward excellence in health care that parents expect for their students attending a college or university.

Regarding the third issue, adopting protections for medical records, we don't see them as being easy or burdensome but more so as necessary to ensure quality care and protect patient privacy. It needs to be reconciled that if HIPAA is the national privacy standard in health care as it has been deemed then why are student medical records exempt under HIPAA?

So it is the request of the American College Health Association to specifically address the implementation issues of HIPAA, FERPA and state laws in our college and university health centers, and I have two changes that are recommended. The first is to change the FERPA regulation's definition of exception to education records, for the exception to education records for medical records held at institutions of higher education, it needs to be broadened in scope beyond the patient/provider relationship. The exception needs to include the records even if they are released outside of the patient/provider relationship and that change in definition would exempt any medical record created by a college or university health service from FERPA thus leaving the institution to comply with the state law if they do not perform any of the listed HIPAA transactions or solely to comply with HIPAA if they do submit any of the listed electronic transactions.

The second recommendation is to change the HIPAA regulation's definition of protected health information, PHI, to include medical records held by colleges and universities. The definition of PHI in HIPAA needs to be changed to eliminate the FERPA exception of medical records held by institutions of higher education.

These two changes would allow medical records held at institutions of higher education to be included under HIPAA and would remove their coverage under FERPA and this would eliminate what we call the dysfunctional intersection of these two regulations. And we believe that this would meet the intent of both of the regulations to protect the privacy of medical records held by colleges and universities and the end result being that any college or university health service falling under the HIPAA regulations by virtue of performing any of the listed electronic transactions would automatically treat all of the medical records under one privacy standard, HIPAA.

Thank you for the opportunity to present our concerns.

MR. ROTHSTEIN: Thank you very much. We're going to take a 30 second recess and then we'll be back with Dr. Bergren.

We're back after deciding on our lunch orders, Dr. Bergren, thank you.

Agenda Item: Panel III - Schools - Dr. Bergren

DR. BERGREN: Thank you, good morning Mr. Chairman and members of the subcommittee. My name is Martha Dewey Bergren, I'm a doctorally prepared nurse working at the University of Illinois, Chicago, I am a HIPAA/FERPA expert, I've been a consultant to the National Task Force for Confidentiality for School Health Records, which we did share with the committee a copy of the booklet that we put out last year. And I'm representing today the American School Health Association which is a multidisciplinary organization of school administrators, counselors, health educators, physical educators, psychologists, school health coordinators, school nurses, school physicians, and social workers, who oversee health education and health services in schools and who oversee school health programs at state agencies.

I'm first going to talk about school health records and I'm going to be talking about those records that are maintained by schools, preschool through 12th grade, that are maintained by school personnel for health and education services. I'm not going to be talking about school based primary health care clinics who are almost exclusively run by outside agencies and that those records are not education records, they are covered by HIPAA and not covered by FERPA.

So school health records are any personally identifiable student health records maintained in schools which are covered by the Family Education Rights and Privacy Act, and that means that FERPA covers all health records in public schools or any private school that receives federal funds which is most private schools. So therefore the health record is just one part of the whole health, whole education record. FERPA was enacted in 1974 prior to the Individuals with Disabilities Education Act and therefore FERPA does not address health records, privacy or the sensitivity of health information maintained in schools. IDEA completely changed the nature of school health from one that addressed communicable diseases and prevention of communicable diseases to that which covers also acute care including tracheotomy care, ventilated students, catheterizations, medications including injectable medication, gastrostomy feedings, etc., plus many therapies that are administered in schools, physical therapy, occupational therapy and speech therapy just to name a few.

Student health records are very, very similar to acute care records and ambulatory records in that they contain complete health histories, a lot of information about non-students, family members, that's pertinent to that child's education plan. They also frequently contain third party records from hospitals, primary care providers, consultants, counselors, psychiatric records, lab records, and genetic testing.

Just to give you an idea of the pervasiveness of acute care that's provided in schools, not every state maintains records on schools but Florida does maintain very good records. They know that they have 100,000 office visits every day, 80,000 medication doses daily, a million nursing assessments annually, two million consultations, 180,000 complex medical procedures are performed annually. I'm sorry?

MR. HOUSTON: What's a complex medical procedure?

DR. BERGREN: A complex medical procedure would be like a gastrostomy feeding, ventilator maintenance, suctioning, catheterization, peritoneal dialysis, I mean pretty heavy care.

And in 1999 the GAO reports that $2.3 billion dollars were spent on school health services and that doesn't even include the services that are non-reimbursable.

Health records are maintained in schools both in electronic and paper form and I was able to get some definite numbers from several states prior to today's testimony and five states were able to give me actual numbers, Wisconsin, greater than 25 percent of the records are electronic, State of Washington is 26 percent, Iowa 32, Massachusetts 58 percent and Delaware requires that school health records be maintained in an electronic form just this year so therefore it's 100 percent. And then four other states were able to give pretty good estimates of over 50 percent of school health records are maintained in electronic form.

Those records are maintained both on non-networked free standing desktop computers, networked computers that where the records are maintained on a schools server with other records. Laptop and PDAs, many school nurses serve multiple schools and serve well more than the 750 to 1 ratio, the average school nurse serves about 1700 students.

Health records software that's developed specifically for health records, so it's a product that's restricted to health record software for the school health office, usually includes most of the standard security requirements, individual password protection, authentication, audit capability partitioning and override protection. However when there's a health module that's part of the school wide enterprise system even the most rudimentary protections do not exist, in fact many of the home pages of the students' health records will have a list of the students' health conditions.

There's also a departure from standard privacy and confidentiality in the paper record practices in schools and this is because many of these practices pre-date FERPA. What you see on the screen is a book that's sold at most school health conferences which is a multi-student daily log, which means student health records are maintained sequentially as the students come to the health office on a common record. And we only have statistics for one state and 53 percent of the nurses notes maintained in the state of Iowa are maintained on this sequential multi-student record which not only violates HIPAA it also violates FERPA which is the law that covers these students. And I believe that that ratio, that percentage is accurate, I believe that the national ratio would range between 40 and 60 percent so I think that that is accurate.

I did speak to some suppliers of this particular book and they do report that sales are down 30 percent since 2001 because of the increased attention paid to privacy because of HIPAA, however they do estimate that 4,000 to 5,000 of those books are sold, will be sold this year and many schools produce this type of record on their own, they print their own copies.

Another traditional --

MR. ROTHSTEIN: So they violate HIPAA, FERPA, and copyright law --

DR. BERGREN: And I hate to say this on record but also the professional standards of our profession.

MR. ROTHSTEIN: Just checking.

DR. BERGREN: Another traditional practice in schools is the annual back to school health concerns list which we do have national on this and that 41 percent of nurses reporting to a national survey distribute a health concerns list. This is a list of all students in the school who have a health condition and the list contains the student's name and the associated health condition, for instance asthma, seizures, food allergy, etc. So 41 percent of the nurses provide this list for every student with a health condition and I don't know how to interpret that 14 percent provide some information and nine percent provide a little information, but 33 percent of the nurses reported that they never distributed a list. This is against best practices, again against FERPA, etc. --

MS. HORLICK: To who are they provided?

DR. BERGREN: Teachers, bus drivers, administrators, playground aides --

MS. BERNSTEIN: They're collecting the information from families and disclosing it to other professionals in the school setting?

DR. BERGREN: Whoever they feel needs to know, that needs to know.

MS. BERNSTEIN: But they're surveying the families --

DR. BERGREN: This information comes off of the form that's returned at the beginning of every year from the families that list the child's health conditions.

DR. TANG: How does it violate FERPA in that case?

DR. BERGREN: It's a multi-, any record that's covered by FERPA needs to be provided to a parent yet should not contain more than one student's information --

DR. TANG: So had they passed out a binder with individual sheets that would be totally okay.

DR. BERGREN: And actually we recommend that because it's not from a practice standpoint it really isn't sufficient to provide asthma or seizures without telling a non-health professional how to recognize when a child needs assistance and then what one should do should the child exhibit those symptoms. So just by providing a label of a diagnosis really doesn't give these people the information they need anyway.

So what I'll talk about next is what the impact of increasing privacy protections would be on the maintenance of health records in schools, I'll talk about positive effects, negative effects and negligible effects.

First of all definitely it would decrease the confusion of where FERPA ends and HIPAA begins in schools. Every state is doing something different, a consortia of school health associations requested two years ago technical guidance on how to manage the issues where HIPAA and FERPA overlap and we've yet to receive that guidance. The exemption of school health records from the HIPAA regulations did not take into consideration that FERPA does not address health records, that common practices in schools are more of a sharing climate rather than a privacy climate. But it didn't acknowledge the acute level of care and the volume of care that's provided in schools today. Also does not address electronic maintenance of health records or electronic billing of school health services and does not acknowledge that many schools are clearinghouses for multiple districts for health billing, a larger school district will often handle the billing for several other school districts in order to save costs, it's a very common practice. Whenever you use any of the algorithms on Health and Human Services websites that helps one decide whether one is a covered entity, it doesn't apply to people working in schools and just leads to the additional confusion of whether or not one is covered by FERPA or HIPAA.

An application of HIPAA to school health records would also increase communication between primary care providers and school health providers because FERPA has no treatment payment or operation exception, and it would allow nurses and other health providers in schools who are administering treatment to have open communication with the prescribing physician and health provider.

Also many HIPAA covered entities, personal physicians, hospitals, are very hesitant to share information with schools knowing that schools do not provide HIPAA level privacy to those records and I do think that it would make providers more comfortable sharing the kind of information that schools need to provide this level of acute care.

Also it doesn't acknowledge that schools have always had a traditional role in public health. FERPA does not have a public health exception so therefore according to letters of memorandum on the Department of Education website schools may no longer, well they never should have but as of 2004 when these memorandums were written schools no longer report communicable diseases, they are not able to provide personally identifiable information in immunization reporting to the state department of public health, they cannot provide personally identifiable surveillance information which in light of a possible flu pandemic or other type of crises would be significant, and also does not allow sharing with the CDC for the registry of congenital and chronic diseases which has always been communicated between schools and the CDC.

FERPA also does not provide privacy training and by covering schools with HIPAA type privacy regulations would require that schools provide this type of annual training. When I do seminars to multidisciplinary groups and I ask who in the room would feel comfortable explaining FERPA in a paragraph only the superintendents are comfortable, really have a working understanding of FERPA. And it would lead to changes in traditional practices simply because most people are not aware of FERPA and what it requires of those that work in schools. Just simple things like locks on file cabinets, locks on doors, would be enacted pretty easily and many schools combine the education and health record into a common cumulative record and this would automatically require a separation of those two records.

It would require commercial vendors of school enterprise systems to enact standard privacy and security safeguards for student health records. They'd also be required to have some rudimentary theft proof prevention and password protection on school computers and also local school information technology professionals would need to invest in encryption and password protection, just basic security and privacy protections.

A privacy office would need to be identified. Right now in schools in addition to those that provide health care health information can be found throughout the school, the health office, main office, classrooms, buses, cafeterias, gyms, the sports fields, warehouses. Within the school health information moves throughout the school via fax, interoffice mail and emails, and licensed school health providers have no authority or accountability for records that are not under their own control. So by naming a privacy officer you would be able to have that accountability where someone with some authority would be able to create limits that control the access to student health records and protect student privacy, they would have the authority to enact changes in practice and procedures and they would be able to establish some consequences for breaches, whether they be intentional or unintentional, and that there would also be procedures in place for external sharing of health information.

Some positive effects would be that when a student is transferred to another school FERPA does not require parental authorization to release the student's health records. A school can transfer all of an education record to a new school without parental permission and in fact the Individuals with Disabilities and Education Act actually requires that all records of students who receive special education must be transferred with or without parent authorization. Many parents share information with school health care providers early in the preschool and young child period that later they may not want to share, for instance genetic testing, parents who don't know what their child's diagnosis is are very open about sharing information when the child is very young yet later when the child is older they may want to restrict some of the information that's shared. So by having HIPAA type protection and requiring parent authorization to share with another educational agency would be a positive result.

Negative impacts, one thing that we do need to remember is that schools have an educational mission, not a health mission, and right now there is a strain on resources in the educational system due to No Child Left Behind and continued decreased funding to schools. The costs of the changes would involve both labor and materials, software, updating, the training would come with some cost, locating and training a privacy officer, changing all the policies and procedures that have to do with health records and the attorney and consultant fees that may go along with that.

Another negative is that presently there are no penalties for, I mean the penalty for violating FERPA is to withhold federal funds, the possibility of withholding federal funds, that is a very rare occurrence that schools receive any penalties for violating FERPA and in fact the Supreme Court decision Doe vs. Gonzaga found that FERPA does not create any federal rights and that Congress did not intend FERPA rights to be enforceable, so by having the greater HIPAA penalties that would create quite a bit of consternation in the school setting, that they might be subject to those substantial penalties.

Also negative would be possible decreased and delayed communication for education planning, the type of overzealous concern following HIPAA in that even information that should have been shared was not shared could also happen in the school setting. And it would be I think important that the educational team be considered equivalent to the health care team in acute setting in that the persons who are responsible for providing the health and safety and the education of a particular student be taken into consideration, that information could be shared within that team.

There's also a negative that if a parental authorization was required when a student transferred to a new school that it would delay the information that's needed to provide care and education in that new setting. It's not uncommon at all for children to show up at a school without any notice, without any records. But it would also not solve all of the problems. Right now schools and primary providers cannot share immunization information because immunizations do not fall under the treatment, payment and operations exception. Schools are also not recognized as public health entities even though they've always been, had a strong role in public health, and that physical exams also don't meet the definition of treatment.

There are many commonalities between HIPAA and FERPA so there are areas where there would be no impact. The annual notice of information practices, although HIPAA is very prescriptive about what's required, is required under FERPA and it also includes the right to inspect records, to request an amendment, a record access log is required for special education students, directory information is allowed to be released. It has no pertinence in an emergency situation, judicial order or subpoenas, research, and federal and state officials for auditing purposes are all common to both federal laws.

I am not a billing expert but from talking to people that commonly bill for school health services all of the billing, all of the people that I talked to so that their billing vendors are already designated as business associates under HIPAA and are compliant with the privacy, security and transaction rules so there shouldn't be a big change should the law change.

I would like to suggest that from ASHA and other school health organizations that we would prefer that health information maintained in the school setting be maintained as it would be in any other setting and that also the role of schools in public health be recognized with any changes in the regulations.

Thank you very much, we really appreciate the opportunity to share this information with the committee.

MR. ROTHSTEIN: Thank you both very much, that was really excellent testimony and I know the subcommittee members I'm sure have questions, I've got some but first I'll ask Mr. Houston.

MR. HOUSTON: Thank you very much, I appreciate your testimony, I thought it was really helpful. I do have a couple questions and I wanted to sort of focus first off on something that Joan had said, and I guess to clarify because my understanding of the privacy rule is that unless you declare yourself as a hybrid entity as soon as you start to, as soon as HIPAA applies because of you doing some type of billing under an electronic transaction HIPAA applies to everything that you do. Is that, with that understanding are you saying that a lot of your member institutions are declaring themselves as hybrid entities and carving out the FERPA function so that HIPAA doesn't apply?

DR. KIEL: Some are doing that and some college health services are doing one of the electronic transactions so that they then would fall under HIPAA, but yes, what you are saying is correct.

MR. HOUSTON: Okay, then I guess another question that I also have to Martha's testimony, one of the earlier issues that we had seen with regards to HIPAA in schools, and this isn't necessarily directly related but I think it sounds like there might be a solution in the works, is one of the problems I know that some schools that identified was is that it's very difficult to get immunization records due to the fact that covered entities would say you're not, we're not entitled to provide them to you absent an authorization and parents would go through great pains to try to get an authorization and drive potentially hours to a physician and all of that. Is that still an issue?

DR. BERGREN: It's still an issue but it's not as severe as it was the last time we testified. I think schools have adapted and are getting authorizations for the immunizations, it definitely slows down the process and it does result in increased costs in time and effort to get the authorization, faxing to the physician, etc. I haven't heard as many stories where the physicians and acute care providers are requiring parents to physically drive to the acute care agency. They are still requiring that their own HIPAA form be used even though most schools are using HIPAA compliant authorizations.

MR. HOUSTON: Assuming that a school becomes a HIPAA covered entity obviously I guess it would either fall under treatment or health care operations or something that would allow the disclosure absent an authorization. Do you see that as being --

DR. BERGREN: Actually what we've been told is that immunizations don't fall under the treatment payment --

MR. ROTHSTEIN: John, if I can interrupt for a second, based on your testimony before the subcommittee about two years ago I think we recommended that the Secretary either interpret the privacy rule or amend the privacy rule to say that disclosures of immunization records from a primary care provider or a care provider to a school would constitute a public health disclosure and therefore there would be no requirement that the parent actually execute an authorization. So it wouldn't have to be, it wouldn't be TPO it would be considered --

DR. BERGREN: And that's why we are asking that schools be recognized as public health, an agent of the public health system.

MR. ROTHSTEIN: See we considered doing that but we didn't want to do that because not all schools have nurses and so on, so instead of calling the school a public health agency we recommended that the disclosure be termed a public health disclosure.

DR. BERGREN: We can live with that.

MS. BERNSTEIN: So I have our immunization expert and our HIPAA expert over here, is that actually happening now? That that data is moving in the way that Mark said that the subcommittee had recommended two years ago? It's not moving now that way --

MS. MCANDREW: No, the rule would need to be changed in order to accommodate that redefinition of, to broaden the definition of public health disclosure to include immunizations, but it is under consideration by the department.

DR. BERGREN: If I could comment, by calling it a public health disclosure and by not calling schools public health entities it doesn't help with the sharing of information by the school with the state public health departments and the CDC, which has been a longstanding traditional role in order to monitor the public health. And that would be whether or not the school employed a nurse or not by monitoring --

MR. ROTHSTEIN: See but the school is not a covered entity and they could do that without regard to HIPAA.

DR. BERGREN: They can't because FERPA does not allow it.

MR. ROTHSTEIN: FERPA doesn't.

DR. BERGREN: And those memorandums on the Department of Education website that have come out since the last testimony in 2004 that specifically state schools may not share information with public health entities without parental authorization and their definition of an emergency does not include public health emergency, it would only be an emergency of that particular student.

MS. BERNSTEIN: It affects the health and safety of that particular student and not the general population.

DR. BERGREN: That's correct.

MS. HORLICK: Actually I would disagree because on the Department of Education website there are some letters that I could refer you to where they have defined a public health emergency, that exception under FERPA, and it's not limited to the child. There are two separate letters, one they talk about sort of anthrax, the other one came up with the recent mumps epidemic, outbreak in the Midwest, and it basically says it's a definable imminent threat and they can rely on public health.

DR. BERGREN: Okay, thank you for that.

MS. HORLICK: Again, it's not the routine disclosure of immunizations, it's emergency.

DR. BERGREN: And then the routine reporting of chronic diseases.

MS. BERNSTEIN: So this is also just on that particular point, I'm recalling I came across since I've been here in the last year and a half a situation where CDC wanted to conduct a study of for example the prevalence of autism in schools, am I talking out of school if I talk about that? It's a research study, but that we're having trouble getting access to the information because FERPA, because autism is something that's often diagnosed in a school setting rather than in a health care, a more traditional health care setting, so CDC wants to be able to get access to that information but they're having trouble with the FERPA --

MS. HORLICK: They had access, there was an MOU for five years that where CDC was an authorized agent of the Department of Education and they were able to access the information that way, that MOU expired in December of 2005 and has not been renewed.

MR. HOUSTON: Two other questions and they're sort of related. Back to one of the things, recommendations that Joan made, obviously you seem to be in favor of carving out of FERPA medical records, medical information, and that make HIPAA applicable to the educational setting as it relates to medical information. Martha, I think you sort of stopped short of ever saying that and I was wondering whether you shared that sentiment.

DR. BERGREN: The sentiment of most school health organizations including ASHA is that health information should be protected in schools the way it is in other settings.

MR. HOUSTON: But I'm going to drill down on that point for a second, so you're saying that HIPAA should apply or that something equivalent to but not necessarily having all of the rigors of HIPAA should --

DR. BERGREN: I think, and I'm going to give you my opinion as a representative of the organization but I don't know what the organization's opinion would be --

MR. HOUSTON: You can supplement your testimony --

DR. BERGREN: I do think it's important to recognize in schools that the team isn't the same as it would be in a hospital, the team is a combination of health and education professionals. I do think it's important that many of the students with serious health problems have educators who need to know what the health implications of their illness is. So if a new regulation took into consideration the differences in the setting and recognized a team as the team of individuals that care for that student most health professionals that work in schools believe that HIPAA type privacy and protection is necessary.

MR. HOUSTON: I think that's a great nuance and I guess it's one we have to make sure we're mindful of.

And I had just one final question as it relates, you had discussed things that would fall under, appear to fall under the HIPAA security rule and we really have been talking about the privacy rule. If HIPAA would apply are you saying that the security rule should apply also or are we really still just primarily talking about the privacy rule in this discussion today?

DR. KIEL: This again as Martha said before would be my opinion but given what people have talked about at ACHA yes but with the security rule having the required and the addressable standards it could be made more amenable to the smaller colleges, the two versus the four year, the academic medical center colleges, so I think it would be fine, I think it should all apply.

DR. BERGREN: I absolutely believe security should apply in a school setting, I think it's one of the, it's where FERPA does not provide any type of guidance and common practices are not to provide a very secure environment, especially because the number of students in a school setting as opposed to a primary care setting, you're talking about a population of students where many students, I believe that the trend is going to continue towards electronic records. I've worked in schools, I've been a school nurse, I saw a student come into a library and within ten seconds was into the mainframe, students have a great deal of time on their hands and therefore I believe that health records maintained in schools should definitely have the same level of security that they would be maintained in in any other setting.

MR. HOUSTON: I have no other questions.

DR. KIEL: Schools and colleges and universities are moving more toward electronic medical records and they would need technical security under the HIPAA security rule.

MR. ROTHSTEIN: Dr. Tang.

DR. TANG: This may be redundant but because it's been such an illuminating testimony to me, I really appreciate the testimony, the education and your recommendations. So sometimes by drawing contrasts you can get clarity so the last panel on employers basically told us that there's a lot of regulations that cover their line of business and maintaining the records of their employees and that either implicitly, which is mostly the case, or explicitly, there are things they do to protect the confidentiality of their employees' health information yet with some caveats if there could be uniform regulations they felt that actually would help codify and make streamlined their operation.

In contrast I think what I heard is that we have not only no regulations but explicit exclusion of a regulation, HIPAA, because of FERPA, and that FERPA explicitly does not protect, does not offer any guidance in the protection of health information and that common practice again in contrast to what we heard in the previous panel is that actually the practices are not at all consistent with what one would expect for careful use, storage and protection of health information of individual students in your case so that you are not only asking for or perhaps begging for HIPAA to be applied both the policies and the way to implement those policies, i.e., the security rule, so that you can properly store and use and protect health information for your constituents which are students.

Did I get that right?

DR. KIEL: No, you are correct Dr. Tang, it does then fall to state law, medical record state law, and then depending on who the health service is treating, so if they are treating the spouse of a student that then could fall under HIPAA, so some of the categories are covered but you're absolutely right, we do want one that will say this is what you must follow because in following state laws students who are coming from other states, what law are you ascribing to, they're going to college in one state, their primary care provider might be in another state, so more confusion there. So yes, you are correct.

DR. BERGREN: Can I respond to that? What I wanted to say is that FERPA was designed to protect student and family privacy, that was the initial intent of FERPA back in 1974. It does not cover health records specifically but that any student's education record of which the health record is a part of is supposed to be maintained with privacy considered. However FERPA does not have any specific prescriptions, it has no direction, it doesn't give any guidelines and in addition to that no training is required so many practices in schools today violate FERPA because no one is familiar with the law.

DR. TANG: Okay, the follow-up question was going to be what do you think the motivation, and that's speculative, motivation was for excluding FERPA from HIPAA? And presumably it was because they thought it was already covered. Are you then saying that actually FERPA is adequate provided people would be trained on provisions of FERPA?

DR. KIEL: I think you said the key word, FERPA is not prescriptive as HIPAA is.

DR. TANG: So although you could interpret FERPA to protect all information including health you think that one, we would require, it would be beneficial to be prescriptive and to even prescribe the training associated like HIPAA does.

DR. BERGREN: Yes, I don't think FERPA is adequate and I think because it was designed for records that were not as sensitive as school health records are today, it was designed for a very benign record that might have IQ testing in it and in fact in most schools IQ testing, standardized test scores, and whether or not a child qualifies for federal lunch program is considered more sensitive than health information.

DR. TANG: And then what would be the motivation for the MOU that ended up excluding schools from public health disclosures? Just to help understand that.

MS. HORLICK: I'm sorry, I didn't get your question.

DR. TANG: She said that schools could act as a public health agent up until whatever it was, 2004 when the MOU came out prohibiting that.

MS. HORLICK: It wasn't a comprehensive, anything that we've been talking about disclosures as a public health entity was a specific MOU relating to access to, it was actually autism data and it was specifically addressing certain data for a certain period of time.

DR. TANG: So how did that go to immunization?

DR. BERGREN: There was a different letter of memorandum that said that schools can't release personally identifiable immunization information to the state public health departments.

MS. HORLICK: State health departments have made various inquiries, can we do this, and the Department of Education every time you ask you get the guidance but they have spelled out what's not permissible and also what is permissible like the health and safety exception.

DR. BERGREN: We didn't expect health records in schools to be exempt from HIPAA, all the drafts of the regulations up until the final draft, until the final regulation, included school health records. We were actually undergoing training within the professional organizations to prepare for HIPAA and then when the final regulations came out we were blindsided. I don't know why school health records were excepted.

MS. BERNSTEIN: Let me ask a little bit, was it your, I guess your prediction at the time before it came out that you would be covered both by HIPAA and by FERPA --

DR. BERGREN: Prediction, no, we believed we would be covered by HIPAA.

MS. BERNSTEIN: And no longer covered by FERPA? My question is really if you were in fact to be covered by both laws at the same time and you had to comply with both of them, for example there are some federal entities that are covered entities under HIPAA, CMS, the Indian Health Service, the Veterans Administration, Department of Veterans Affairs and so forth, they're also covered by for example the Federal Privacy Act and they have to comply with both of those laws simultaneously. Would it be possible or were there, I guess I'm asking what would the significant conflicts be if you were covered both by FERPA and by HIPAA simultaneously, if that exemption didn't exist to the law?

DR. BERGREN: Well obviously there's some disclosure exemptions in the two laws that are different so one would need to determine which of those disclosures could be made without authorization and probably what would happen is that you would get authorization for any disclosure that could be covered under both laws.

MS. BERNSTEIN: So you were saying that treatment payment, operations, are not covered under FERPA but since they are under HIPAA you'd still have to get an authorization for example.

DR. BERGREN: I don't know, I don't even know how we would approach it, we were prepared to.

MR. ROTHSTEIN: Well I have a couple of questions. First of all you have to bear with the members of the subcommittee, it's not the usual case where people testifying before us are asking us how can we possibly be covered by HIPAA, so it's sort of an adjustment for us.

But I did want to follow-up on both of your points relative to this, I think I hear what you're saying but I want to know who you're speaking for, in other words if we had college administrators would they agree with what you're saying, if we had school principals and school boards would they agree with what you're suggesting. Is this the view of the educational world or is it more narrowly the view of the school health, college health world? Maybe you don't know, can you help us with that?

DR. KIEL: I believe that it is the view of the entire college or university and the reason being when there is this as the American College Health Association calls it, this dysfunctional intersection with HIPAA and FERPA, what does it lead to, more questions, more unanswered questions that then go to administration versus if we had one standard that was very prescriptive there wouldn't be that need to have this confusion that could potentially lead to lawsuits, lost time, do we say something, do we not if a student's life is in danger, so I think it would make people's lives easier.

MR. ROTHSTEIN: So a university counsel, college administrators would agree with you on that?

DR. KIEL: I would say so. Of course we would have to look at the cost --

MR. ROTHSTEIN: What about for schools?

DR. BERGREN: I can't really say, I would say that most educators don't see this as an issue, they're not socialized in a health care setting as you're educated as a health care professional to value privacy, the entire confidentiality understanding as a health professional that you only share information with those that are providing treatment, that's not a concept that most educators are oriented to. So I would think that in administrators, and I did review the school board's testimony in preparation of today, that they are content for the most part with FERPA but would like some direction on then how does one work with this with the intersection with HIPAA. However for professional health care providers who have a code of ethics and standards that require confidentiality and whose socialization is that this information should be held very privately, they're in a very difficult position in schools where information is shared sometimes in a way that they're not comfortable with.

I also come from the perspective of the consumer, I have children who have been in schools and I want their information protected. So I'm providing testimony from associations, specifically the American School Health Association who's predominantly an association of health professionals, school health professionals, who understand the importance of privacy in any setting.

MR. ROTHSTEIN: Paul, you wanted to follow-up on this or had --

DR. TANG: Did you hear the panel before this by any chance?

DR. KIEL: Part of it, yes.

DR. TANG: So there was someone representing the occupational and employee health association and he also used to do consulting for HIPAA, and his advice to his organization and people in his profession was even though HIPAA does not apply to them because they don't do the transactions it's conceivable that it would apply at some time and actually it's going to be cheaper for you, cheaper in the broad sense of just go figure out how to implement these principles and if it came then you would actually be a long way there. Again, it applies directly to your comments, as health professionals that's sort of you wont to do this and would it make any sense, especially in your profession, well actually both of yours, to start advocating for that position within the association because change is hard in terms of how long it would take yet you're saying that you actually have somewhat of a crisis, there's stuff that either is shared or there are things that are happening in current day standard practice that are not comfortable and in your minds not right for the students, your constituents, and should your profession start looking towards just adopting the principles that you had anticipated in fact as a way, as an interim step before any other kinds of actions could take place.

DR. KIEL: That would be amenable and the American College Health Association, we have looked at FERPA from the point then it's from 1974 and I'm sure that Martha, I am not a clinician so I'm sure Martha can comment on this, student health services based on what we have discussed as an organization are seeing students on college campuses, residing in the residence hall with many, many diagnoses that were simply not seen 32 years ago and that is becoming a very, very big issue, and that is why we are looking for HIPAA to address some of these, even not only diagnoses but the number of students who are on prescription medications and need to have that medication monitoring.

DR. BERGREN: One of the issues is that health care professionals are the minority in an educational setting, we're considered support staff, we rarely have any type of line authority, there's rarely a health professional at the level of even assistant superintendent where you would have any kind of power to make that type of change and that's why the possibility of a privacy officer in a school setting would be ideal. And that originally when we testified two years ago we had hoped that FERPA would start to address some of the practical situations in schools and take into account the pervasiveness of health care that occurs in the school setting and that has not occurred. So the invitation today to talk about well what would happen if HIPAA was to cover schools, then that was an attractive possibility for those who really value privacy in the school setting.

MR. HOUSTON: I just wanted to follow-up regarding Paul's comment, I think it sounds like part of the tension is that there's a conflict between FERPA and HIPAA and if you try to apply one over top of the other without trying to, what's the word, harmonize them, you would have a real problem, so you just can't, it sounds like voluntary compliance with HIPAA would really be frustrated by the fact that there sounds like there's some incompatibility there. Is that the case?

DR. TANG: One sounds quite permissive and the other you're asking for is more prescriptive, how could the prescriptive be --

MR. ROTHSTEIN: There are situations like the release of medical records that you could do under HIPAA from one provider to another you can't do under FERPA, so there would, in a sense if you just lumped them both together that's sort of the worst of both worlds.

DR. BERGREN: Well the other thing is that FERPA is not permissive, it's just not prescriptive, it says be good people and if you're not --

DR. TANG: Maybe I should have used the word tolerant.

DR. BERGREN: Okay, it's just not very specific, it's very vague.

DR. TANG: That's why I had trouble figuring how prescriptive, voluntary prescriptive behavior would be overruled by the tolerant provisions but I can see the specifics --

MR. ROTHSTEIN: Dan, Dan Rode had a comment.

MR. RODE: I do but you may want to finish your discussion first.

MR. ROTHSTEIN: I have one more question. There's a sentence in here, in your testimony, Dr. Kiel, that just sort of jumped up at me, on page two it says under FERPA regulations student health services could theoretically release a student medical record to a faculty member without obtaining the student's consent. In a practical sense does that happen?

DR. KIEL: I know not at my institution but I can't really answer for others. I can tell you that as the compliance officer for my university I have been pestered by faculty members for the record because they wanted to know why the student is out, so yes, it certainly could.

DR. BERGREN: In the school setting frequently the records are not locked, they're open to anyone in the building that might need it for a particular purpose, and also FERPA doesn't cover oral sharing of data. So yes, teachers and other types of professionals very often do access school health records.

MR. ROTHSTEIN: At the university level there's a lot of health information in places that are not defined as student health services, for example in admissions applications students often indicate well the reason I haven't been in school for the last two years is because I whatever, had a certain illness, now how is that protected and who gets access to that information? Can any faculty member go into the admissions file and read a student's personal statement, etc.? I think it's a very important issue, I think it's one that needs to be sort of tightened up but I would suggest that it's not just the health service that might be the problem, maybe that's even a minor part of the problem, is just that health information in all sorts of contexts are not being protected at the college and university level. Maya?

MS. BERNSTEIN: Sort of on the same issue I wanted to ask you to talk a little bit about, Dr. Bergren was saying that there's this team approach in a school where you've got minor children who have a series of adults who are managing their care and their education and so forth as a team and we didn't talk too much but obviously in the college and university setting where the students are adults, that that same kind of team approach, it's not quite the same, that is there's not, even though you have the sort of collegial atmosphere and goal of promoting education in general, can you talk a little bit about how that environment differs from, because the students are adults?

DR. KIEL: In the college health setting the health services truly functions as a physician practice, in fact that is one of our, it would function as a community health practice so the health services really sticks to that need to know and minimum necessary even if they are not under HIPAA, they don't want the information out because who knows where it goes to, it goes to a faculty member, they then talk to an advisor, so it is in a sense all over and that is one of the issues that at my university we have about 10,000 students, well that health service is larger than many physician practices in terms of patients but yet we are not under HIPAA and a smaller practice is, so absolutely. The woman who was sitting in this chair with the employers, she said something else very similar, many times a student will simply come in to an advisor, the admissions office, and spill everything, a teacher, a professor, so it is very, very difficult.

MS. HORLICK: I wanted to ask for some clarification, I think early in your remarks, Dr. Bergren, you said that you weren't going to address school based health clinics and I just wanted to, it's never really been clear to me, I understand that FERPA applies to any institution that receives funds from a program from the Department of Education, at least I think that's correct, so what I'd like to understand is these school based health clinics, not really so much looking at the universities now but at a school, is that a clinic that is totally funded by public health and they just set it up, how many clinics are we talking about?

DR. BERGREN: I can't really speak to the numbers, I do know where I'm working in the City of Chicago definitely new school based health clinics are opening every year and they are usually funded with either health care dollars or community dollars, or philanthropic dollars. They're run by corporations that are not educational entities and they're, even if they're housed inside the school they're completely separate from school health operations.

MS. HORLICK: It can be physically inside the school but not --

DR. BERGREN: I know that occasionally the school based health clinics will hire a school nurse that does the traditional school nursing function but that would, then you're into a hybrid situation where those records would be maintained separately.

MS. HORLICK: What I'm thinking of just for example is let's say now there are a lot of recommendations now for new vaccines for adolescents, so if public health would set up a clinic on a school and whether or not there was consent and so forth, but if that was not, I mean that information would not be covered by FERPA, am I correct in assuming that?

DR. BERGREN: That's correct, should another acute or public health entity come into a school building and simply use the facility for a function in their province then that would be covered by HIPAA, it would be covered by their operations. Now if schools hired an outside agency, and this actually happens, they frequently will contract with the local public health department to come in and conduct hearing and vision screen, then they're a contractor of the school and those records are covered by FERPA. However those are difficult issues and many people in schools don't read this entire book and understand where the line begins and ends and we've just given our best recommendations as to how we think some things should be handled also but I'm confident that the answers that I just gave you are correct.

MS. HORLICK: That's consistent with what I thought but it's never been really clear to me, people are always looking for an understanding.

MR. ROTHSTEIN: Dan, you had a comment or a question?

MR. RODE: I have a comment, my comment is for me personally as the father and as a guardian of four children, two of these children are autistic, one child has behavioral health problems, one has a speech therapy problem, and my own children over the time in life had various problems. If this subject does not get recognized by this subcommittee, and we've had testimony, a couple of years ago I remember very vividly the testimony, I'm not sure it's going to get a hearing anywhere else. And I hope that even though trying to look at how we deal with HIPAA and FERPA is not an easy task I think it needs to at least be highlighted and brought to the attention of those folks who can begin to deal with this.

As was testified, between my children and the children I now have guardianship of, health care in schools has increased significantly and there is the need for teams and there is the need for various people to be involved in the system but there's also a desperate need for the privacy that HIPAA provides. And I've had enough experience with HIPAA to feel comfortable in making that recommendation but I also think that if you all can't move this forward, maybe as a stand alone compared to the other topics that you're discussing, it's not going to be heard because of all the reasons that have been explained that the schools have to face, it's not the top issue in the schools but it sure is for those of us who are parents of chronically ill children and children who need this extra assistance and whose life and reputation is going to depend sometimes on the privacy but sometimes just in making sure their records are in the right place.

Thank you.

MR. ROTHSTEIN: Thank you, Dan.

MR. HOUSTON: FERPA is out of Department of Education, correct? So I guess the one rub on all of this, and I agree with Dan, is that you have to deal with two agencies now. Is this on the radar screen of the Department of Education? Do you know whether something has been brought up as an issue to them or would this be coming in, would they be coming in blind to this if somebody from HHS said there's an issue?

DR. BERGREN: They were actually here two years ago.

MR. ROTHSTEIN: Yes, they testified before us, the FERPA people from Department of Education --

MR. HOUSTON: Why don't I remember that? I was there, I was probably there for the meeting, I don't remember it now.

DR. BERGREN: They are getting a lot of requests for clarity, some of them they respond with the letters on the website and others you get no response.

DR. TANG: So is the easier regulatory route to add to FERPA versus extend HIPAA? At a distance it sounds like that's something easier if they were sympathetic and would accept advice.

DR. KIEL: Or removing the FERPA exemption from HIPAA because HIPAA is the more prescriptive.

DR. TANG: I was just asking your opinion on which one is harder to do.

DR. BERGREN: I think it's priorities --

DR. TANG: So FERPA would be the keep it in one agency.

DR. BERGREN: I think the issue is priorities and the priority of the Department of Education in no way is health care privacy and the priority right now is No Child Left Behind which has definitely overwhelmed at the national, state and local levels, that is the number one consideration in schools, I mean this is not on the radar and for us to request changes in FERPA as health, the minority employees in a school setting, I don't believe will occur, I mean we've asked for that and it's not a priority to them, therefore I believe that because schools really are agencies that provide health care that from my perspective it would be better to have it covered by HIPAA.

MR. ROTHSTEIN: Thank you very much for that testimony, both of you, and it's on our agenda, it's really never left our agenda but we've had other things as well, but I do want to thank you and if you have further comments you want to submit we're happy to receive them and we hope we can contact you later if we need more information.

On our schedule now is subcommittee discussion time up to 1:00 and before that we will have a brief recess until 12:15 and then we'll have a subcommittee discussion until 1:00.

[Brief break.]

Agenda Item: Subcommittee Discussion

MR. ROTHSTEIN: We're now ready to resume our subcommittee discussion following our three panels of hearings over the last two days and the first question is now what? I mean seriously, there are various ways that we can proceed, we can decide that we want to take on this non-covered entity issue in kind of a global way and get testimony from the financial institutions and other non-covered entities and find out what their views are. We did have trouble getting lots of people to come here and talk to us --

MS. BERNSTEIN: Well, there were others that we were going to try to get and I sort of think, I was of mixed mind, when I first started doing this I thought we need three or four witnesses on every panel but it turns out the last time when we had just two I thought, we had time to talk and the discussion was more lively and okay so I really would have liked to have got a union representative for the employer panel and as the discussion in the last panel I'm thinking well maybe I should have gotten the person from the Department of Education to come back, they had appeared once before but maybe our witnesses would have been inhibited if the regulator was sitting there, it's enough that Susan is sitting there, or the rest of us from the department are sitting here, to have your regulator of which we're all members of the department, whether or not they actually know what your particular job is --

MR. ROTHSTEIN: The other way that we can do that, what I'm saying is going forward we can either sort of stack all these issues up or break them apart and I'll be interested in your views. Paul?

DR. TANG: I like the direction we're going in terms of your stacking them together or break them up. I think the theme, and we talked about the theme before but I think with the passage of time it actually just becomes both more important and more urgent and that theme is, I'd rather call it uniformity than the non-covered entity, but the uniformity in protection of information wherever it resides and whoever has access to it as well as the use of that information. So we heard today a lot of the exchange of information, information passing to various parties, the other side we've touched on again, secondary use, but it's almost as if I think we should consider both sides of it but the same solution, i.e., uniform protection, is a direction we seem to be headed towards and understanding the implications to the various groups I think is very helpful. So I found these three panels we've heard from today, these past two days, very helpful.

MR. ROTHSTEIN: So who else is on your list as to who else you would want to hear from?

DR. TANG: You already said you scheduled researchers for the next panel, you just mentioned --

MR. ROTHSTEIN: No, no, not researchers, we'll talk about that --

DR. TANG: So you mentioned financial and I think there's a different complexion to financial than whenever you heard from them before because of for example HSAs and 835s, so their role, the intermediaries, health savings account and all of a sudden you're going to be, 835 as Harry was explaining to me this morning is a HIPAA form, it attaches with the remittance that goes through banks, so banks are not just processing your credit card purchases, they are credit card purchase "with the accompanying reason for that transaction" --

MS. MCANDREW: It's the explanation of the billing. It's not the claims attachment, it's an explanation of what each financial transaction, what's all bundled into that financial transaction and the codes.

MR. RODE: It actually is the remittance, 835 is a two part transaction, it includes the money itself and it includes, in some situations it includes the remittance itself, in some banks it goes right through the bank, they strip off the money, it just keeps on going to the health care entity. In other banks they actually store the whole thing depending on what the agreement is between the entity that's receiving the payment and the bank that's essentially serving as their lockbox. And we've been working since about 1996 at least with Medicare under just an agreement with Medicare to do that but we've never addressed it full blown, it's just kind of something that's sitting there.

DR. TANG: So in other words the world has changed just in two years and I think we need to, I mean certainly HHS came on the scene within the past two years but the dimension and the scope of the risk in our work I think has changed.

MR. RODE: Within the last six months there have been seven banks that have taken over health care entity activities and the question is is the activity one of those that's covered under HIPAA or isn't it, and I think to some extent you're looking at both.

MS. BERNSTEIN: So we did actually start originally by thinking about having a financial institutions panel of some sort and that didn't work out, basically the answers I got back, and I wasn't focusing on this issue because I wasn't aware of it actually but the idea that we had written about in our June 22nd letter that the use of health information for making financial determinations about consumer's loans or mortgages or other sorts of things like that and they sort of, the response was just sort of pooh pooh that and say well we don't really use that, it's not really that big an issue for us and we don't have so much to say about it. So they kind of declined our invitation and I went on to other sort of industries that were more interested. There were a couple of other places where I thought we could get more information even on the same areas so for example I was hoping to get, on the recommendation of one of our witnesses actually, to get the actuaries in here, because a lot of the questions that we had to the insurance companies were about things like well how relevant is 20 year old information that the person used to be a smoker 20 years ago and the insurers don't necessarily know what the answer to that is but the actuaries are the ones who think about that kind of stuff. And they couldn't get someone here but they were very interested in talking to us and were happy that we were interested in them and sort of had thought of them and so I'm disappointed that I hadn't gotten to them earlier. But there are certain other pockets of expertise that we might hear from that could further illuminate what we've already started on now so I have in mind some of these other ones, I'm not sure how I'd put them together in panels but we could talk about that.

MR. ROTHSTEIN: Are there other people that we need to hear from to complete our knowledge set on the school and college health issue?

MS. BERNSTEIN: Yeah, I think your question in particular about the administrators, the counsels of the universities, those sort of folks, especially when we heard Dr. Kiel's testimony that she does get requests from faculty members, from administrators and so forth which she has to deflect, it seems to me that there are categories of people who would not like it that rules would apply to them that would prevent them from, I mean right now in practice they're prevented from getting the information but as she said legally they could get the information because they're part of the same educational institution and it's by practice or custom that they don't get that information and she also said that that's in her university but she's not aware of what may happen at other universities. So I think that there are communities within the university setting or school setting in terms of administration that might be useful to hear from.

DR. TANG: Another group, actually Dan's comments stimulated me to think that another group potentially are families of people with either chronic conditions or disabilities to hear from them on either their needs, or it's very interesting, in a Markle survey concerned about privacy and security one of the questions he asked was if you had medical records online what groups would you feel comfortable sharing it with, and of course the primary doctor was at the top of the list, insurers were at the bottom, but next to the bottom was family. So it would be very interesting to hear from folks who have concerns or have health information that could be sensitive and hear what their thoughts are, so that could be another --

MR. ROTHSTEIN: As well as maybe special ed people.

DR. TANG: All the people who have special needs but also might have special concerns.

MR. HOUSTON: With regards to that first group that you discussed, the family group, HIPAA as is already provides for that --

PARTICIPANT: Not for schools --

DR. TANG: And my context was more where Maya was going, in other words tell me about the banks, from those groups tell me about the banks and the schools and the employers, I mean we are also employees so we have our own view but I'd like to hear the views of people with special needs.

MS. BERNSTEIN: The consumer population --

DR. TANG: It's not even the broad consumer, the people with special needs.

MR. HOUSTON: We have to be very careful about that and what I mean is that I think there's also an opportunity, unfortunately I'm going to sound mean spirited about this but there's an opportunity for people to come in and whine about the few, their vision of the horror story, their own case which may or may not be as egregious as it sounds --

MR. ROTHSTEIN: That's all right, we're used to whining.

MR. HOUSTON: I mean being a privacy officer for a very large institution a lot of what I sometimes have to deal with are the cases where we did everything right, the person had a generalized complaint that again we did everything correct and yet they're still aggrieved and there's nothing you're going to do to change your opinion and you did nothing wrong.

MS. BERNSTEIN: But we do generally get our witnesses from organizations, representatives of policy organizations so you could patient advocacy organizations or special ed advocacy community, that sort of thing, we're not talking about individual people who don't have a record of thinking about policy but people who are, organizations that are --

MS. HORLICK: We could look at kind of asking them what kinds of sharing information would be helpful for them to be shared among what different parties and what kind of information they would not want shared without authorization --

MR. HOUSTON: Why can't these groups I guess asking for additional testimony or supplementary testimony, to ask those types of questions so that we can hone in on, because I'm sure that they have come in contact with just these situations in the course of, or their members have in the course of them performing their jobs and obviously have practical solutions, or maybe don't have solutions or they have concerns.

So I think a way to address the situation may be to ask supplemental questions of these two individuals, I thought it was very good testimony today and I thought it worked very well and I think they could, especially Martha because I think a lot of what they're talking about is, what you're asking, Paul, really isn't probably in the primary and secondary school setting. Let's ask them and see if they're willing to submit more, do a little bit of research for us to give us some additional guidance on these types of things.

DR. TANG: I mean I found Dan's comments very helpful.

MS. BERNSTEIN: In the first panel for example I don't think you could ask either of those representatives to properly represent union opinions about the use of records by employers, you need to have representatives of employees properly representing that. And I think in the same case these are people who work in a school setting and yes in general if they are health care professionals they are on the same side as their patients but there are places where they're not, or they might not be. And we heard in a previous hearing from sort of patient advocacy type organizations as opposed to physician organizations and they had different opinions. I just think we could find non-whining representatives of those organizations that give us a more fulsome report on their position.

MR. HOUSTON: I still believe there is great value in asking these for supplemental testimony regarding these situations.

MR. ROTHSTEIN: Let me just see if I have your wishes, collectively, and on each of the three topics that we heard yesterday and today it's your sense that we want to take additional testimony? For example we did not hear from several different insurance lines, we had the NAIC guy testify about all sorts of things but we didn't actually have a disability or long term care insurance and so forth, we didn't have an actuary here, in the employment area we did not have any representatives of big companies, little companies, unions, I mean there are lots of additional people you could imagine testifying as well as in the third panel. So my question then is, I'm happy to do that but we need to recognize that the cost of doing that is delay and that if we have let's say one more hearing on each of these topics now we've got three more panels and we're thinking maybe okay we want to do financial institutions and so on and so forth. I'm happy to do that but we're now committing to something that's going to take maybe a year before we get a letter out.

MS. HORLICK: All of the things that we just mentioned, this 835 is really new to me and maybe before when we were, Maya, I don't know when you were trying to go to the banks and you were saying how do you use the information, that's different, but maybe asking them about this form, I never heard about tearing it off and some of them keep the information and some of them don't, I mean I would really like to know more about that.

MS. MCANDREW: That has been, I mean that's a transactions and code set conversation which has been going on since the beginning of their regulations, it is not a new thing --

MS. BERNSTEIN: Is that something being taken up by Standards and Security, by another subgroup? Does anyone know?

MS. MCANDREW: I mean there is no privacy aspect to it except to the extent of a conversation as to whether or not any of that activity spins out into a clearinghouse function and/or converts the bank by how they handle that information into becoming a covered entity and/or a business associate of the covered entity on whose behalf they do it. And again that's not a new issue --

MR. HOUSTON: But HIPAA applies is basically what you're saying --

DR. TANG: So far it doesn't apply.

MR. ROTHSTEIN: I think there's a view that it could be, depending on what they did they could be considered a clearinghouse, they could be considered a business associate or they could be considered nothing and not covered, but we don't know exactly --

MR. HOUSTON: I would love to know how they're not covered, in some way shape or form either there's a BA, business associate or as a covered entity, I'd love to know how.

MS. MCANDREW: HIPAA has an 1179, they have a carve out for financial institutions who are performing financial transactions. And the question is to what extent does the processing of this information as part of the remittance advice come within the rubric of the simple financial transaction or when does it step over into an actual function that is separate from the traditional banking financial transactions and becomes an extra service, non-banking service, that's being provided by that financial institution which then engenders either looking at this activity as a clearinghouse function and/or something that requires a business associate contract.

MS. BERNSTEIN: I hate to put you on the spot, is that being looked at in some other forum or is guidance forthcoming on that issue or is it something that's worth taking up by this subcommittee? You seem to be saying it's not really because it's being taken up elsewhere, or that the question is at least well defined.

MS. MCANDREW: The question, it was probably about the same time that you all last heard from the banking folks, there was a lot of discussion around this issue, it involved us, it involved GC, it involved CMS, and I believe with time that the heat on that discussion has tempered off and how actively a solution is being pursued I can't say --

MS. BERNSTEIN: And then the question is just in the industry is the practice, or the interpretation in the industry to consider themselves not covered, or to consider themselves a business associate or to consider themselves on the whole, do you have any sense of that?

MS. MCANDREW: I mean it really depends, I mean it has been a tradition within the industry that they do perform these lockbox kinds of activities on behalf of customers and those everyone is accepting I think. The general practice is that that is a business associate function that they are performing outside of their traditional financial activities but much of the processing, the routine processing of the 835, whether it's a flow through function or whether at the end of the day there is some translation of that information in order to match it up to statements that they are providing to the entity, the provider, as part of their banking function, that the banks are still looking at that as a financial transaction that is exempt from HIPAA.

DR. TANG: I'm trying to bring some closure to your question, where do you want to go from here, I think right now we're on a path to exploring the costs and the risks of the non-uniform application of HIPAA rule across all people who touch health data, and it would be worthwhile to hear from the banking, the financial industry that processes these 835 transactions and perhaps one or two other panels but all in the scope of one day of hearings and move on towards deliberations and formulation of our recommendation on this issue.

MR. HOUSTON: I said this offline yesterday and I still have the opinion though I know I'm not in the majority that I heard nothing in yesterday's panel that leads me to believe that there's anything additional for us to do with regards to the things like life insurance and the like, that's my opinion, my opinion, I'm allowed to have one, and I think that these two panels today were very clearly a case where I think there is something that we can and should do and I would, my personal opinion recommendation is that we should focus on these two panels.

MS. BERNSTEIN: May I say something about timing? I'm not sure exactly how to put this but if you think about the, if we wanted to make, if the subcommittee wants to make recommendations to the department that are going to be useful to the department in the next little while, and you think that the subcommittee would recommend changes to the HIPAA rule or to some other legislation or regulation, there is a limited time in the current Administration for when that would be most useful. So you might keep in mind the timing of how long that kind of a process if that is your intention to actually try to get some action out of them. But on the other hand the subcommittee is a long term 50 year thing and you can be thinking in a longer term but just in terms of strategy you should consider the timing of your recommendations.

MR. ROTHSTEIN: My opinion is that I haven't heard anything discussed in the last three panels that could be addressed by HHS itself and that Congressional action would be necessary. Certainly in the area of employment and certainly in the area of the FERPA/HIPAA problem I think clearly there is going to be need for Congressional action and it's not something that can be fixed internally and so I don't think we're under the gun in terms of we have to get it in the pipeline because this Administration ends in two years. But on the other hand it's something that would be good for us to document because we do have a recommendation, recommendation 12 in our June 22nd letter, and what we are basically doing now is sort of fleshing that out and giving more examples as to, Harry's not here but it's the you touch you own it principle that he often talks about it and so that I would think that it's, I would like to think that by spring or summer at the latest we can get out a letter to the Secretary on this issue. And what we should be looking to do is have another maybe day and a half, between a day and two days of hearings, sometime after the 1st of the year to get more information from those areas that we think we don't have enough now.

MR. HOUSTON: What are we doing between now and the end of the year? Is there anything --

MR. ROTHSTEIN: I want to talk about our June 30th hearing as soon as we wrap this up.

MS. BERNSTEIN: November?

MR. ROTHSTEIN: I'm sorry, November 30th hearing.

MS. BERNSTEIN: I don't know, does anyone have the schedule, or Marietta do you have the schedule for the upcoming hearings of the full committee? Because in order to get a letter out of course we would have to get it through the full committee --

MR. ROTHSTEIN: There's a June 20th meeting of the full committee.

MS. BERNSTEIN: There's a November meeting?

MR. ROTHSTEIN: There's a November meeting, those are the two days before our regular, there's a February meeting and then June.

MS. BERNSTEIN: So when you say spring --

MR. ROTHSTEIN: So our goal would be to have a letter for the June 20th full meeting and if that doesn't work out then it would be September.

MS. BERNSTEIN: Okay, in the process we began with the last letter which frankly I thought was quite useful to give the full committee a heads up on the issues that we're considering and the type of letter that they would see we would want to make some kind of presentation at the February meeting even if it's like we did last time short and highlight major themes or something.

MR. ROTHSTEIN: I think that's a very good idea, what we can do is even make a short presentation at the November meeting telling them this is what we're looking into now even though we don't have any sort of --

DR. TANG: I would strengthen that suggestion which is June 1 target for final approval, November give them the heads up on what we're planning, and schedule the hearings such that we could have the draft principles, following our last path, available for the February meeting to basically elicit comments on, not just that we're doing something.

MR. ROTHSTEIN: Well February is the 13th and 14th so we would have to have --

DR. TANG: December or January.

MR. ROTHSTEIN: We'd have to have a late January hearing, or mid-January hearing, that's cutting it a little close, I don't know that we could have the principles to them but we could certainly outline some of the issues that we were wrestling with, for example the FERPA/HIPAA issue, we can lay that out without giving sort of principles.

MS. BERNSTEIN: And I'll ask Sabrina to circulate a calendar then right away because you guys are all very busy people and it's difficult to get on your calendars all on the same day so if you want a mid-January date we should start thinking about it now. Yes? Okay.

MR. ROTHSTEIN: Okay, we'll start working on that and I want to just take the rest of our time to talk about the November 30th hearing that we have scheduled. Do you have something else --

MS. BERNSTEIN: We were going to talk about this topic that we talked about, I was thinking that if you really want to get a letter out you want to consider whether there's anyone else on the topic that you want to write about that you would want to hear from and postpone this one, I don't know, let's talk about it.

MR. ROTHSTEIN: I don't want to postpone this, it's too important.

The topic for the November 30th hearing you'll recall from our conference call is how would you go about designing a research strategy to measure the effects of the HIPAA privacy rule, and not do the research but to just see whether research is feasible and if so what kind of research that would entail. And at the moment I have been sort of playing around with the idea of having three panels, the first panel would be survey research experts who could tell us what a survey or focus group of patients for example, do you feel like your health privacy is protected now, is it better than it was before, do you know what protections are in effect as a result of the HIPAA privacy rule, etc., etc., etc., and there are various possible names under the survey research heading.

The second would be national organizations which might have an interest in or access to, or might want to help us collect data for this research, for example JCAHO, what questions do they have that ask about these sort of things, the Federation of State Medical Boards in terms of complaints relative to alleged privacy breaches by physicians and the licensing processing, AAMC, to what extent are medical schools and residency programs training people in privacy and confidentiality, etc.

And then the third group would be study design people, in fact I talked to Ed Sondik this morning and he is going to search around for somebody at NCHS who was a study design person, and I also talked to Gene about somebody from the Urban Institute and maybe somebody from RAND, etc., to see if they can give us some broad ideas, and any suggestions that you have would be wonderful, about this.

I also met with Marjorie and she thinks that there would be money to hire a contractor for this project and I think this would be very valuable because the role of the contractor would not be to do any of the research, just to prepare a document that would be sort of like a feasibility study that yes, research could be done along these dimensions and to do that we would need some individual or entity with expertise that I certainly don't have and also someone who would have the time to devote to putting together a report for our consideration and then possibly endorsement by the full committee. And at that point depending on what people came up with and how good it was and whether you would want to disaggregate the parts or whatever, either HHS might decide they want to fund it internally or Congress would want to give it an extra appropriation or NLM or NIH or AHRQ or who knows, IOM. But I think this is a topic that we've talked about for a long time doing this kind of research and taking the first few steps to kind of outline what it might look like I think would be very helpful.

MR. HOUSTON: Can I make a suggestion on another panel or panelist? You and I have talked about the fact that one of the problems we're going to have in trying to measure this is that unfortunately there was no measurement done prior to the privacy rule and as a surrogate for that I think maybe one of the things, and I don't know if this even exists, but if there is somebody who is some type of anthropologist, somebody who could go back and infer privacy perspectives information pre-HIPAA from publicly available surveys that maybe had been done through the course of the last decade. I don't know how this person would do this but it might be interesting to see if we can track somebody down who is able to try to --

MR. ROTHSTEIN: Well, an example would be the California Healthcare Foundation has done pre- and post- privacy world surveys.

MR. HOUSTON: Right, but I'm talking about somebody, one of my fears is depending on who's doing the survey and what their perspectives are you're going to get some bias, I'm thinking of somebody that, finding somebody who is skilled at looking at multiple surveys, maybe that would be just one, who could take that information and in a way normalize it so that we can say okay, I'm going to use that information against the backdrops of the surveys that now we're going to do in order to infer back --

MR. ROTHSTEIN: But keep in mind, John, what we want is not someone who is going to do the study that you suggest but someone who could describe the methodology of the study --

MR. HOUSTON: I understand, I understand, but if there was somebody who could testify as to maybe the approaches to do it or whether this is something that could be done, I think it would be valuable to hear because that would tend to shape and inform our discussions about how to do it and what to do in terms of a study.

MR. ROTHSTEIN: Absolutely but we're not going to be evaluating any studies --

MR. HOUSTON: I understand, we're talking about putting together an agenda, I mean you're talking about making, basically at the end of the day almost what you really want to do is form a proposal in order to do studies and all I'm saying is part of that I think could be having somebody who could provide us guidance as to how to scope this to make it --

MR. ROTHSTEIN: I agree. We have over the last several years and including in our June 22nd letter recommended that the Secretary engage in all sorts of research activities and now to sort of push the ball forward a little bit we're going to say well and this is what we have in mind and here are the experts who told us that. Paul?

DR. TANG: I completely agree with the need and the value of such a study, I don't know that I agree that that's the best use of this committee's time, in other words that sounds tactful in execution but as you've said we've put words down in recommendations to say that we'd like this to happen, I could see hiring a contractor like you've used Margret A. to do certain projects to come up with it but I don't know that having a hearing on various methods is the purview of this group, I mean I think you can act out on some recommendations by hiring a contractor.

MR. HOUSTON: I recognize the point about the methods issue, I'm just trying to, my purpose is to understand the feasibility of even, I don't want to make a recommendation for which isn't feasible, I think we need to at least get enough information on whether it's possible and appropriate before we make a recommendation to do it or not to do it.

DR. TANG: That's why I like the idea of engaging a contractor, a well selected contractor to ferret that out. But we just finished talking about something where we have a very sense of urgency, where we said we didn't have time to complete a phase of it by February, why wouldn't we use that time to act on that, to provide input to formulate a recommendation for our June meeting that does seem like it involves committee work, subcommittee work and then committee work.

MR. ROTHSTEIN: The advantage of doing this in the sequence is that we might give the contractor six months to do it and take up the issue again after we have finished this, there's going to be some lead time in actually doing the work by the contractor. So if we didn't sort of, if we put this on the back burner and dealt with the uniformity issue first by the time we could get to it again, let's say next summer or fall, then we'd have to start all over again and six more months would go by before we could get anything in hand.

DR. TANG: But I'm not sure why you need to put it on the back burner, I'm saying the committee is useful to hearing input and formulating recommendations about policy, I don't know that we need the committee to hear different study methodologies.

MR. ROTHSTEIN: Because we can't just hire, A, we don't know what contractor to hire and B, we don't know what to tell them we are looking for, and so that is really the purpose of the hearing, to try to get a sense of where in the universe we're going to find information and talking to senior staff on NCVHS I raised the question of hiring the contractor first and it was suggested to me that we should have the hearing first and then the contractor because we wouldn't know what to tell the contractor to do and wouldn't be skilled enough to evaluate who to ask.

MS. BERNSTEIN: That's sort of the problem, I feel a little uncomfortable because I feel like I wouldn't know how to evaluate what I was hearing because it's not my expertise and I'm not aware of how much expertise there is in the subcommittee, probably more than for me about this kind of thing. I wonder if what we could do is, if there is contract money, is basically draft an RFP which would result in a bunch of proposals coming in that could be evaluated as opposed to doing it by hearing although that's the usual way we do our work, I don't know if we have the authority to do that but if we know the questions that we want answered, we know we want to somehow evaluate HIPAA, we could either, if we have contract money for NCVHS itself we could somehow draft an RFI or an RFP that would get us the same result without doing it by hearing.

MR. ROTHSTEIN: The committee can't do it, I mean we can't send out RFPs --

MS. BERNSTEIN: The department, because the contract money has to be overseen by the department but in the same way that AHIC has, it's not AHIC's contracts but there are contracts put out by the department that are designed to give input into that advisory committee process --

MR. ROTHSTEIN: See, I think this issue can be studied but I don't know, I'm not an expert, and I would love to hear from three people who say you can't do this for the following five reasons and the only thing that you can do is this little subpart of this and here's why and that would be very helpful to me.

MR. HOUSTON: I would tend to agree with Mark, we don't know what we don't know and therefore taking a little bit of time to understand it and then put the RFP or RFI out I think would at least give us some basis what we're going to ask in those.

MS. BERNSTEIN: Did you happen to talk to Harry or Simon about it?

MR. ROTHSTEIN: Did I? No. Well, I did talk to Simon generally about it and he was supportive but I have not talked to Harry in detail about it.

DR. TANG: Of course I don't know what Harry would say about this idea but I do know how strongly he believes about the uniformity and so I am only talking about timeliness and impact and I believe that the timeliness is much higher for dealing with the uniformity and I would guess but do not know how he would compare this, that Harry does feel very strongly about that as well.

MR. ROTHSTEIN: Well an option is, first of all I feel very strongly that we ought to have a hearing before we start marching down here because I don't know what I don't know. But I'm open to the idea of having a November hearing if that's feasible to sort of plug gaps in our knowledge base relative to the uniformity issue.

MS. BERNSTEIN: Well the January, if we set on a January hearing, if we don't think it's going to deter our getting to the June recommendation and you want to have a January hearing, I mean we have then two shots at it basically to schedule however you like with whatever topics you want, one in November and one in January, and in fact we could have, we can have meetings of the subcommittee, you guys are going to be here for the committee meetings anyway, we can certainly have meetings in between by phone but at the meetings that you're already planning to come to for the full committee that will give us time to discuss the matters that we're talking about getting on the agenda for the June meeting, both in February and then like we did the last time by conference call. The question is whether doing what Mark wants will deter the timing and I'm not sure that it will, like they would defer is the word I mean, is it going to cause a problem with us getting to our June goal.

DR. TANG: So I don't have any problem with doing the hearing before trying to engage in a contractor, can we work on the higher timely proposal first, ensure that it gets scheduled, and if there's a contingency schedule like January where we don't know, we already have a November scheduled and as long as we can get the other one scheduled --

MR. ROTHSTEIN: Let me see if I can have a recommendation that we can live with. We'll shift the November 30th hearing to the uniformity issue, we will try to schedule a mid to late January hearing and leave the topic open for the moment where we can use it for a second additional uniformity hearing if necessary and if we think we have enough information we can then make that hearing over into the initial one for the research methodology. Would that work?

MS. BERNSTEIN: Yeah, and another advantage which is there's not that much time between now and November, probably easier to get people on the uniformity issue than to have researchers think about a new issue that they might, a survey design for something they haven't thought about, and I can start on that now whereas starting in December to find witnesses is not going to work because people are going to be away. So the question though then is left okay well we still don't have that much time between now and November, who do you want in November? Who do you want me to track down and I'll be happy to do it.

DR. TANG: I can't make the November meeting.

MR. ROTHSTEIN: Now you want to go back to the other topic.

MS. BERNSTEIN: So you won't be here, okay. I'm waiting for suggestions on what you want me to track down for the November meeting.

MR. ROTHSTEIN: Well, I think in the interest of completeness we maybe ought to try to fill in the gaps of the people that we haven't heard from, so for example in the school issue we might want to hear from NACUA, the National Association of College and University Attorneys, who would have --

DR. TANG: I don't know that we need to go back to other insurers or other schools, I think we get domains, so we got schools because it has a FERPA, we get banks because it has an 835 --

MR. ROTHSTEIN: So other than financial institutions who do you want?

DR. TANG: I don't know.

MS. BERNSTEIN: John was saying that he thought that the schools, I know there's this interest in the financial stuff, we heard a couple of compelling arguments that the school issue even if it needs legislation is sort of reasonably well defined, and if you think that that's, if you think that's an area you want to pursue we could fill in the gaps on that.

MR. HOUSTON: Might I suggest, I agree with Paul, maybe what we do is we do a single panel related to banking and that we then use the rest of the time to do work on the research.

MR. ROTHSTEIN: What do you mean by do work?

MR. HOUSTON: Well I mean get a panel together on the research, we may find that, how much time do we have in November?

MR. ROTHSTEIN: We've got a whole day?

MR. HOUSTON: Why can't we hold three panels and have one for banking and two related to developing a research strategy and do it all in one day?

MS. BERNSTEIN: We could have four panels, it's a long day but you could do it.

MR. ROTHSTEIN: We could do it, yeah, we could do it, one in the afternoon --

MR. HOUSTON: Personally I was satisfied with what I heard today --

MS. BERNSTEIN: It's a 9:00 to 5:00 meeting for us?

MR. ROTHSTEIN: Yes.

MR. HOUSTON: I think we can draw the conclusions that we need to draw at the level we need to draw them at based on what I think we heard today and I think that it does allow us to move both forward.

MR. ROTHSTEIN: I'm happy to do that.

DR. TANG: I'd actually prefer the uniformity stuff for the afternoon.

MR. ROTHSTEIN: Okay, so we need to find out what time the second day adjourns, that is November 29th, to see whether we can get a panel to begin that afternoon like we did yesterday, and then have two or three panels the following day.

MS. BERNSTEIN: So you want to do them both in November, and you're done with schools and employers --

MR. HOUSTON: Again, I think we have the opportunity to ask for supplemental testimony if we need to if you think there's areas we need to try and dive into a little more and ask them even for recommendations if there are additional testifiers that --

MR. ROTHSTEIN: We've heard from employers at least five times already, that I can think of.

MS. BERNSTEIN: And we heard from employees once that I know about.

MR. HOUSTON: We can always supplement as we see fit.

MR. ROTHSTEIN: We did invite several employee groups and we can invite them to submit comments to us.

Well if that's it I know there are people with planes to catch and I want to thank the staff for facilitating our meeting and we couldn't do it without you and I want to thank our AV people and Maya for putting the hearings together and my colleagues for being here and both of you folks on the internet, we'll talk to you next time. The hearing is adjourned.

[Whereupon at 1:11 p.m. the hearing was adjourned.]