[This Transcript is Unedited]
Room 425A,
Hubert H. Humphrey Building
200 Independence Avenue, SW
Washington, DC
Introductions - Mark A. Rothstein, Acting Chair
Discussion of HIPAA Privacy Regulation - Linda Sanches, OASPE
Discussion of Future Subcommittee Plans
MR. ROTHSTEIN: My name is Mark Rothstein and I am the acting, interim, temporary, pro tem chair of this subcommittee. In the absence of a quorum, this will be an international meeting. I think that there are a number of very interesting things to discuss.
For the benefit of those who may be listening to us, we will have very brief introductions, just who is in attendance.
MS. HORLICK: I am Gail Horlick from the Centers for Disease Control and Prevention, lead staff to the subcommittee.
DR. COHN: For the record, I am Simon Cohn, member of the committee.
MR. SCANLON: Jim Scanlon, HHS.
MS. GREENBERG: Marjorie Greenberg, NCHS, CDC and executive committee to the committee
MR. FANNING: I am John Fanning from HHS.
MS. FYFFE: Kathleen Fyffe. I am a member of the subcommittee.
MS. SANCHES: Linda Sanches, HHS.
[Introductions off microphone.]
MR. ROTHSTEIN: Welcome to everyone. I think you all have seen an agenda, which is rather flexible. We are fortunate today that Linda Sanches has agreed to be with us and answer questions and to participate in a discussion that we can have as a follow-up to yesterday's presentation on the HIPAA privacy regs.
Just to get things started, I would say that there may be two main issues that we want to talk about today and certainly there are many others that you may have on your list. The first one is the possible role of this subcommittee and the committee as a whole in working with various agencies, OCR, et cetera, who are involved with the privacy reg. In other words, what can we do in terms of public education, policy, recommendations, hearings, et cetera.
The second broader issue is now that we have the privacy regs on the book, what gaps will exist out there, what more remains to be done in terms of protecting the privacy and confidentiality of medical record based information? Has this solved whatever problems were perceived to be out there or are there other things that we need to focus in on.
We can talk about that both in the first session, that is, the first hour, in which Linda is here and certainly we invite you all to remain for our meeting. And in the second hour of the subcommittee meeting, we are going to talk about future plans for the subcommittee. Those, of course, will be shared with our absent committee members, who I am sure are regretting not being able to be here, but who are anxious to be filled i on what we come up with.
I want to welcome John Lumpkin to the meeting.
DR. COHN: As you are talking, you are reminding me of an item that was referred over here, actually two items, one from the full committee and one from another subcommittee yesterday and sort of reference, I think, some of what you are describing.
There is an annual report that the full committee produces on HIPAA and as we look at that, we need to reflect on specific areas related to privacy and I think we need to reflect our views about whether the privacy rule is sufficient as it is or whether it still would need to call for federal legislation or other things to handle gaps. They were looking for leadership from the subcommittee in terms of how that should be worded and what the sentiments were.
The other piece was that there is a brief document -- there is a four page summary document that has to do with the committee is all about so that we can document that at some point we need to look at either here or the staff later on, to identify that it needs to be augmented some in the relationship to privacy.
Just add those items to the agenda because they go along with what you are describing.
MR. ROTHSTEIN: Okay. So, the floor is open for discussion on the privacy regs and follow-up to yesterday's discussion.
Jim, you looked like you were just getting ready to say something.
MR. SCANLON: Well, one of the places to start might be the GA -- for a hearing, I guess, there was a hearing, I guess, by Senator Jeffords on the health committee and as part of that hearing, they asked GAO to look at some of the issues with the proposed rule. That actually was a pretty good objective as opposed to one sided testimony one way or the other.
If the subcommittee is going to offer its services in terms of helping to work through some of these issues, that might be a place to start in terms of what the issues might be.
MR. ROTHSTEIN: Can we get copies of the GAO study?
MR. SCANLON: We actually have -- let me run back. I think we actually have copies there.
MR. FANNING: We are going to have copies at the full committee, will we not?
MR. SCANLON: We can do both.
MR. ROTHSTEIN: Oh, you mean this afternoon? Okay.
MR. SCANLON: The other thing, Mark, was just -- was everyone familiar with the full-blown regulation or I guess --
[Multiple discussions.]
MS. SANCHES: I actually left the diskette in the computer yesterday.
DR. COHN: Let me make a couple of observations from the testimony yesterday. I mean, I have read over the legislation -- actually not the legislation, the regulation, but haven't read the preamble and I keep meaning to but --
[Multiple discussions.]
But, you know, I was actually struck listening to your presentation, which is, you know, sort of the intent of the law versus -- we have lawyers back here -- you know, I am putting my hat on as Kaiser Permanente -- we are going through that and reading it verbatim, taking it literally, not understanding intent and all of this stuff. I was just struck by how different your interpretation was versus what we are hearing from our lawyers.
I mean, it isn't black and white. It is like --
[Multiple discussions.]
MR. FANNING: An example --
DR. COHN: Oh, minimum necessary is a good one. I mean, the implementation of minimum necessary can be, well, gee, you know, you need good policies and regs and to handle routine requests, dah, dah, dah, dah. Or it can be every physician is going to have to review every request that anything going out that is any way out of the norm because how could a clerk decide what is minimum and necessary for a specific purpose, going outside for billing or otherwise?
That is just an example, which I didn't hear you going to that extent. Maybe you did mean that. You just didn't say it to the group.
MS. SANCHES: I don't believe our minimum necessary policy says who should be making the determinations. Someone reasonable should make them. I will leave that up to you to say --
DR. COHN: Maybe the devil is in the detail. I guess I was struck first of all, though, that in all of this stuff that there is an absolute need for an education, which isn't really the role of the NCVHS or the subcommittee, as well as, you know, a whole bunch of FAQs and maybe this group may have some role in maybe reviewing FAQs to make sure they make sense, but that is part of the overall sell.
But certainly the -- you know, I mean, that was just sort of a comment. There is a great need for lots and lots of FAQs to address all the vexing issues that the industry has, lest things get overblown.
Beyond that, the NCVHS, the role so far with the HIPAA regulations and final rules has been to help identify issues and identify sort of barriers and ways to mitigate the issues around implementation and I think there is actually a good role for the subcommittee to consider, assuming that HHS is interested in having us pursue that role. I mean this is, obviously, sort of a big one for this area. So, we have to pick our battles carefully, but that sort of framework would work well.
MR. ROTHSTEIN: Well, that raises an issue that was raised on the conference call and that refers to the timing question because is it ripe, as we say, to discuss the issue of implementation before the rule actually goes into effect. Do we have to wait until we find out what the problems are actually trying to comply or is it appropriate now to look into what are perceived to be the problems that are sort of ramping up for everyone to comply.
I think that is an important issue.
MS. FYFFE: I think there are two areas that ought to be hopefully addressed early on in the Q&As; one of the areas being the interaction between the compliance date for the final transaction rule and privacy because I sense that the industry will say, well, you know, we have to be in compliance October of 2002 for the electronic transactions and, yet, it is approximately six months later, compliance date for the privacy. There is some heartburn over that.
DR. COHN: We don't have security on the horizon yet?
MS. FYFFE: That is the other part.
MS. SANCHES: What is the heartburn?
MS. FYFFE: Well, I think the heartburn is in two areas. One is how can you fully implement electronic transactions if you haven't had sufficient time or you do not yet have to comply with the privacy rules because there could be some affect on your software. But that really also gets into the security issues and the affect on software.
The other one, I guess, also has to do with possible violations of some privacy principles that might inadvertently happen with the transaction rules because they are being implemented six months earlier.
The other area that is very confusing is the area of employers. Barbara Starfield touched on this yesterday and when employers are acting as plan sponsors, there is just a tremendous amount of confusion on how the privacy rules need to be complied with or not complied with depending upon what hat you are wearing as an employer.
MR. SCANLON: On your first point, Kathleen, what is the ideal, that there be one -- that there would be one effective compliance state for everything. I mean, that would be the ideal situation.
MS. FYFFE: Well, the ideal would be that there be one, but when we look at all of the rules that have not yet been finalized. I think that you could stratify the critical rules that should have the same compliance date and those would be the electronic transactions, privacy and security, but not necessarily employer I.D., provider I.D., plan I.D. I think you could proceed without that, but I think that security, privacy and electronic transactions, there could be a good argument that those should have the same compliance dates.
MS. SANCHES: And the assertion is that having different compliance dates means they might have to change their software from one moment to another.
MS. FYFFE: Yes, that is part of it.
MS. SANCHES: They might have to make additional changes and they would rather make all the changes at once incrementally.
MS. FYFFE: Right, which is a more cost effective way of doing it.
PARTICIPANT: [Comment off microphone.]
MS. FYFFE: That way I understand it, when you look at the privacy rule -- and I am going to oversimplify here -- maybe 20 percent of the privacy rule is software and 80 percent of it is policy and procedure.
PARTICIPANT: Yes, but that is my question. I read --
[Multiple discussions.]
-- and in my review of the document I saw two places where there were possibilities of software changes being required. One was in the confidential address and as I heard you talk yesterday, I think I can withdraw that as one of the requirements.
The other one was basically an electronic in/out card so that you needed to know who you had disclosed electronic information to so that there needed to -- on possibly some modification to the software that would allow you to track disclosures. I am not even sure with the reasonableness issue that you brought up and Simon brought up today, that that is even something that we need to take a look at.
So, in my review of the document, I did not see software changes. I hear what you are saying and we are really asking the same question on our forum and by our compliance, but I don't see software changes being required for privacy. Security is another issue, but we don't have a hope to get that into any kind of time frame. I hope you are not saying to billing transactions until --
MS. FYFFE: No, I am not saying that. I am saying that some of the feedback I have heard is that it would make more sense from an administrative cost point of view to have one compliance date for the critical three rules, which is electronic transactions, privacy and security.
MS. SANCHES: Since transaction rules are already out and security isn't, I mean, the implication would be that you would hold transactions for security and is that something you think is better? I mean, is that --
MS. FYFFE: I think that a very rigorous look needs to be taken on the costs of having to touch software more than once. I have heard this from industry quite a bit and it is primarily a cost issue.
DR. LUMPKIN: You know, after having gone through this process for awhile -- when we first started this process everybody said we shouldn't have the transactions come in effect at the same time as Y2K because everybody is spending money on doing Y2K. I am thinking from our experience in Illinois, you know, we are going to the belly of all these programs. It would have been a perfect time to make any other changes. So, now we are getting exactly the opposite argument that we got about the transactions in Y2K, which is they should all be done -- all the changes should be done at the same time.
So, I am a little bit skeptical, but I think to answer the question that was raised about the issue of when we should start commenting -- I think Simon's question that came up in his shop is a very important argument for us to do as soon as possible because the hazards are that when people don't know how far to go, there will be those who will go and carry it almost to the point of absurdity. Then that will be the cost point that will be established for this process.
I don't think we want that to be the cost point. So, I think that identifying those kind of issues and getting some reasonable answers out on how far people should l go and what are the issues may save literally a gazillion dollars from those people who would look at the early adopters who have gone too far and that, therefore becomes a standard when, in fact, privacy -- and those kind of changes.
MR. ROTHSTEIN: There is sort of, I suppose, another side to that, there may well be vendors out there, who would profit from selling more extensive systems than are legally required and we should -- I think to the extent that it is possible, clarify the minimum amount of expense.
DR. COHN: Not to mention consultants.
MR. ROTHSTEIN: Not to mention consultants and lawyers and everybody else.
MS. FYFFE: John, are you referring to the example of what happened in Maine with the state confidentiality laws that seemed to go to far or they were interpreted as going too far?
DR. LUMPKIN: If I knew about them, I probably would.
[Multiple discussions.]
MS. FYFFE: They had to retract the regulation, I believe, and --
DR. LUMPKIN: I just know from 15 years of enforcing regulations in Illinois that there are -- you know, when you read the industry's media and their newsletters and what was intended, the people sitting in the room, they deserve all of this and this and this and sometimes it is useful to break that vicious cycle and say "no," we don't need to go that far.
MR. SCANLON: Kathleen, I thought, had a -- I mean, aside from a unified compliance thing, which may or may not be possible, but I think people are thinking about staging, your main point, I think, was knowing what the requirements of the security regs were going to be so that when you were planning systems and at least interacted, you would at least be able to do it once, not necessarily bringing them on the same compliance standard.
MS. FYFFE: Now, there is another question that comes to my mind here. If you provide in your Q&A what the limits are and we try to give sort of a sense of scope, how does that affect, if at all, your eventual enforcement? See what I am saying? Because people could look at the Q&A and say, well, you know, you said this was the scope and so I followed this. That ties in very closely to enforcement.
[Multiple discussions.]
MS. SANCHES: It is one reason it has taken us awhile out the FAQs because we are looking them over very carefully from a legal standpoint
PARTICIPANT: Kathleen is right that, you know, everybody is concerned that we are going to touch the same programs twice in order to do that transactions and then to turn around and do the content for the security.
In my review of this, the stuff that is going to have to be done within security, with the exception of passwords, is not -- we are not talking about the same programs that we are going to have to touch with transactions and code sets, Kathleen, because the stuff that we have to touch with security is all of those operating system kinds of things, the networking and so on and so forth. That is that 20 percent technical kinds of stuff. The stuff we have to touch with transactions is only HIS stuff that is going to have to be effective.
I can also tell you that everyone of the vendors that we have been able to survey at this point are taking the security rule -- the proposed security rule -- and they are programming to the proposed rule because --
MS. FYFFE: That is all they have.
PARTICIPANT: Well, but the word on the street that -- and NCVHS and Bill and company have said that there are not going to be that there are not going to be that many changes to the security final rules. So, they are programming for that.
In fact, the security final rule is determined in the industry to be best practice anyway. Those vendors that didn't have any security on their system are saying whoops and they are pushing security in their systems now. So, everything that I have from the major vendors of hospital information system software is they are attacking it from the point of the NPRM, as far as security goes.
DR. COHN: I was just sort of observing the -- we were having two conversations here and just let me observe that there really are sort of two streams that we are having and I guess I had some thoughts about both. One is we have this privacy final rule, but what in the heck are we going to do for it, to it, with it? How are we going to be helpful or whatever?
Then there are these sort of broader issues of how all the timing goes together. There are two elements to an ideal timing. I mean one is, you know, I mean, sort of a strategic focus. I mean (a) we have an annual report on HIPAA that has in bold on about page 4 saying like let's get these things out as quickly as possible and if you will observe in there, it is like bolded. It will be, I think, in probably the chairman's letter to the Secretary, I would hope anyway, that goes along with that. So, that is sort of like a statement of like let's get as many of these things out as quickly as possible because the industry really does need them to do comprehensive planning.
We can argue about whether it is security. I mean, I am providing a provider I.D. Gee, if we are going to get and do transactions, you are not going to deal with provider I.D. at the same time. That doesn't make a whole lot of sense. So, we can argue about what comes together and what comes separate, but we are, obviously, making a -- we are intending today to make a statement in that direction about let's get all these together.
Now, the issue about whether we are recommending that every thing come out together, to my view is sort of a premature discussion, though maybe something we want to put on for a June full committee -- by that time, I think the industry may be a little more mature around all of this stuff and there may be some better thinking. We may want to do a panel or two to get some thinking about that or even have subcommittees look at that issue.
You know, there are a lot of letters going around now saying, you know, hold -- you are describing hold for two years, hold for 20 years. I mean, there are all sorts of things going around. My general view is a lot of that is just really -- it is premature because the industry is still evaluating all of this.
There still is -- Elaine has commented -- sort of trying to figure out how all of these pieces fit together. So, I guess, as I talk about all of these things, I am sort of struck that we probably need -- I mean, we need some help to figure out how to handle the overall strategic issues but we also need to figure out what to do with privacy today. I actually like what John was saying, which is we had better shine a spotlight on some problematic issues so that HHS can hear them well to make sure that they are drafting FAQs to the right issues and have brought about all of the problems the industry is identifying that maybe -- maybe they are in all the letters you are getting or maybe they are not.
That might be a very useful thing to do.
MS. FYFFE: Do the frequently asked questions, is it considered a communication vehicle to the public? Because if it is, then I don't know how you say this, but you might say, well, it is not likely that the dates will change. I mean, I don't know. I am being very oversimplistic here, but there is that question out there, okay, about the coordination of dates and I don't know if FAQ is the place to put that or if somebody has to look at the minutes of this meeting that will be published three or four months down the road on the Internet.
MR. SCANLON: Well, coordination or an agreed-upon staging. It doesn't necessarily have to be the same date. I thought WEDI was actually thinking about that. What would you need to succeed. It doesn't have to be the same date necessarily.
MS. FYFFE: The further you get away from the Beltway, the fuzzier, the muddier, the murkier --
DR. COHN: I am pretty far from the Beltway.
[Multiple discussions.]
DR. LUMPKIN: I got three separate e-mails yesterday from three different sources about the date change and they were all from a number of list serves from comments that were made at our meeting yesterday morning.
[Multiple discussions.]
So, I suspect that, you know, again, you know, statements by the Department here at this meeting or other locations, I can't tell you how many times I have gotten different e-mail sources from different list serves and things I am on about statements by Bill Braithwaite about when the privacy rule is coming out. So, I think that there are a lot of people watching and it is -- it is the media, too. It is useful because I think that to the extent that when someone like Bill or somebody has a statement at a conference and everybody hears it, it is no longer like it used to be. It is not like, you know, the old days when we relied on the newspapers to learn everything.
Everything is going around much, much quicker that we used to think or are ready to necessarily accept.
MR. SCANLON: In terms of options, just process wise even, are we still in a formal rulemaking process or have we -- you can only do certain things -- or are we sort of in betwixt and between?
MS. SANCHES: The rule was put out in final form and I am sure as was talked about yesterday -- I am sorry -- as Robinsue Frohboese mentioned yesterday, there will be a different effective date. It has been moved to April 14 or April 15. I am actually a little confused on which one of those two days it is.
[Multiple discussions.]
I don't know what that means, therefore, in terms of whether we are actually in rulemaking. My gut would be no, but since we know that we are changing the date, I don't really know what that means.
[Multiple discussions.]
PARTICIPANT: We are not in rulemaking now. It is possible -- people are asking for that. I think the dates are still up in the air.
MS. SANCHES: It is somewhat up to the Federal Register in terms of the actual date.
[Multiple discussions.]
PARTICIPANT: -- because two years from now every single health care facility and location is going to get visited to see if they are complying. Or we will start receiving complaints.
MS. SANCHES: I can assure you that every single facility will not be visited.
PARTICIPANT: I think that that is a very important point, that there is a perception that -- are going to show up on everybody's doorstep on that particular day. Obviously, what we have initiated is a transition and a process that will begin to move us towards our ultimate goal, which we have been talking about in other documents.
Again, part of the issue -- and this will probably come out when the enforcement regulations come out. You know, the industry has its perception of the ability, I think, of the Department to enforce these and we don't want to dissuade that too much. We want them to make the changes, but we also don't want to create the perceptions that there is going to be this draconian police state --
MS. FYFFE: Part of that perception has come from the anti fraud and abuse stuff at the hospitals.
MS. SANCHES: I do want to point out that the Office for Civil Rights really puts a strong focus on technical assistance and wants to be spending these next two years, whatever date that actually starts for the two years, April now, providing technical assistance and working with groups, state associations and others, to try to get out the word on how to come into compliance.
Even once the rule is -- even past the compliance date, while they will certainly be doing enforcement activities, part of that suite of activities will be continuing to work with people to come into voluntary compliance without necessarily dragging in justice and starting on criminal proceedings. I mean, they really want people to be in compliance and working them to do that without necessarily going the way of other enforcement activities.
MR. SCANLON: It is a longstanding enforcement -- they don't want to close people down.
MR. ROTHSTEIN: John, did you have a --
MR. FANNING: No. Jim made the point.
MR. SCANLON: So, we are more or less -- we are now in the implementation planning phase. Usually the first phase there is awareness. Do people even know there are such requirements? What are they? It is like Y2K. And there is the stage of denial and five stages of warning. The awareness stage clearly -- there are clearly various stages of awareness and I think everyone is saying there is a lot of confusion about their role actually says and the need for more --
MS. FYFFE: I just was on the telephone yesterday and found out that there was an organization that was a business, considered to be a business associate, that was clueless, who said we don't have to worry about that. You know, our counsel says we don't have to worry about those privacy rules and I was saying, hand on, you know, where have you been.
MR. SCANLON: There is some problem with the transaction statement still for some segments, but at any rate, if it is an awareness issue, then there are certain ways to try to address that and the committee usually --
MR. ROTHSTEIN: Are there plans to produce guides to compliance? When you think of the different players who are having to comply with the rule, they are so varied from huge Kaiser type organizations to community hospitals to the doc on the corner. And the issues are quite different and if there were a series of guides, people who are unsophisticated, unless they hire consultants, they don't have any idea of how long it takes.
I mean, two years sounds like a huge length of time, but if you are going to have to decide on what software options are available and how to test stuff before you actually put it on line and so forth, guidelines in terms of, you know, it is going to take you x -- don't d this April 13th, 2003 or whatever.
Could you tell us about whether -- what is in the works for that?
MS. SANCHES: Well, we are spending a lot of thinking through our outreach strategy and at the moment we are hampered by the fact that we just got started. There isn't a huge staff as yet. But we do have a good budget for this year and we are certainly hoping to put together a method, whether we use contractors or hire the people to do it for us, get out guidances for the different groups. I can't speak to exactly what we are going to get out.
But, I agree, we need to get out the word to various types of agencies and various types of entities and to a certain degree we can use existing associations to product some of this material and work with them. For a certain extent we will need to do it ourselves with input from other groups.
We need to figure out that should be and certainly we are open to advice to you all on that.
DR. LUMPKIN: And the other thing is is that -- state government. We are in a contract with a lot of folks either through licensing agencies or other regulatory agencies at the state level.
DR. FROHBOESE: I am Robinsue Frohboese. I am so sorry I had another meeting this morning that started at 7:30.
PARTICIPANT: As one of the associations that would be happy to work with the Department, one of the things that we would need as well is to have the Department look at the kinds of things that we want to use and make sure that we are saying the same thing. The thing I worry about is we all in this room probably come up with different interpretation of all those 400 pages of rules. If we are going to get information out and I think a lot of this is very workable if we can translate it to English and piecemeal it, what we are going to need is the ability to work with the Department to make sure that we are all speaking out of the same hymnal or at least if translated into another language, we are still giving the same interpretation.
That is going to be very important. Otherwise, the Department is going to be -- I got this thing from AHA. Is it right or is it wrong? I don't know if you can have -- but at least something that can allow us to do that because we have got the expertise of how to implement it. You have got the expertise of what it says and what you expect is going to be the outcome. By blending those two together, I think we can make it work quite well. But I think that takes kind of a cooperative activity and I think we can help you and you can help us. It is just a matter of when do we start.
MS. SANCHES: That is really the point. I think that you raise a really important issue because it is unlikely we can actually be certifying, yes, this meets the privacy standard, but we do need to find out more.
PARTICIPANT: One of the issues that has come to me from my clients is the issue and I know it is an issue that you guys have thought about a long time is the issue of the privacy -- their question to me was what do I do? Do I have to abide by -- because my corporate office is in Kansas, do I follow the Kansas rule, do I follow the privacy regulations or do I follow Missouri's rules?
MS. FYFFE: We need to talk to the counsel.
PARTICIPANT: Yes, but, you know, as Simon says when they talk to their counsel, then they get layer upon layer upon layer of you must do this and you can't do this. That becomes an issue for them. This is something that Linda and I spoke this morning about an issue of cost containment. There are some states that have legislation that requires cost containment information. Some don't. This is going to be a nightmare for institutions, this whole thing of where do they draw the line. What they are probably going to draw the line on is more rigid regulations.
MR. SCANLON: What do they do now?
PARTICIPANT: Well, there is nothing out there for them to do at this point.
MR. SCANLON: But they have state requirements.
PARTICIPANT: Because it is not really enforced --
MR. SCANLON: So, they don't pay attention to the statutes --
PARTICIPANT: They don't even know for the most part. That was the first time that I was asked that question.
MR. SCANLON: California has a statute actually that has a lot of provisions like our own and, Simon, I don't think the well came to an end because California passed the medical confidentiality statute. There are --
PARTICIPANT: They just lost all their power.
MR. SCANLON: Maybe it is just that we are at such a low level that --
MS. SANCHES: One of the things that I think would be helpful --
DR. COHN: -- sorry that the federal statutes didn't more closely mimic --
MS. SANCHES: One thing I think would be really helpful for us is -- as you noted when we first started -- we have gotten a lot of letters, a lot of issues have been raised and some may not be mature, as you put it earlier, but in a few months I think we will be needing some help sorting out what issues are out there and what things we may need to take another look at. Are there things that are really unworkable that we need to reexamine?
Are there things where we can provide some more assistance and clarify how to make it work? I think that this committee could be very helpful for that kind of work, for bringing in people to talk about those things because there are a lot of issues swirling around now. I don't know if they will be the same issues in a few months.
DR. COHN: It is interesting -- bring it up to the full committee having to do with the future, which you are describing, around administrative and financial transactions with the NDC codes, which need to be brought to the attention of HHS, that this was sort of the approach they had taken in the final rules is really not workable.
So, I think it is that sort of thing that could be very helpful. We do need to pick our time and not a month after the final rules.
Everybody is putting a lot of energy into analysis and consulting firms, I mean, of the kind that was being described, right now we are in a situation where consulting firms have one thing, while others have another. The government is -- depending on how we interpret what Linda Sanches may say, you know, different view and what is an organization to do because -- I mean, privacy, even though it isn't a lot of software changes, there is some software and it is a lot of training and it is a lot of process redesign and it is a lot of sort of thinking through all the implications for an organization.
DR. FROHBOESE: We are very cognizant of the need to get technical assistance material out as soon as possible for precisely the reason that you have described, that we are concerned about the conflicting information that is out there, misconceptions.
Any ideas also that you have about outreach and the best way for us to go about in an organized way for getting information out that will be helpful.
MS. FYFFE: I think that the trade associations and the professional societies, especially out in the states, are very, very important. I know the American Medical Association a few years ago published and I would imagine they have updated it, a booklet, an informative booklet about electronic transactions.
It was so good, in fact, that I used it for my members in one of my seminars about four years ago. So, some of the trades that professional societies use for a long time and they have -- you know, they have the pipeline for the publications and the distribution and so forth. So, I really think that those organizations can be very helpful.
MR. SCANLON: The model that the committee has followed for the transactions part of HIPAA and the other standards was really to bring in at various times representatives from the industry, provider groups, advocacy groups and so on and I guess after the transaction reg is out, essentially to look at any obstacles or implementation issues and to sort of get -- the good thing is it is sort of a two-way. It is not the worst case presented. It is actually people questioning each other.
It actually identified some good issues and it sort of identified where there was agreement or where it was sort of a fringe issue. I think it has proven to be very helpful because it sorts of directs the light on where you do need to prove it is more -- you know, where it is less of an issue.
The only question I guess you had was sort of the timing again. You know, when would it be right to look at potential implementation issues. Here, the role of the trade associations, the role of the various sectors of the industry and outreach and other things and where there are areas that really do need some further work. But, again, I guess timing is an issue. When would it be appropriate? When is it premature?
This is the capability of the committee that it avoids other fact issues because it is a fact. It allows everyone to come in and it allows for cross examination so that you don't just take the -- you try to see exactly what the issue is. But I guess we still have the question of selected issues and timing and --
DR. FROHBOESE: Is this less formal than an actual hearing? Are you talking about getting together in a more informal manner?
MR. SCANLON: It could be both. It could be a hearing. It could be an information session.
DR. FROHBOESE: For the transaction reg --
MR. SCANLON: The transaction regs, we have already had several of those.
DR. COHN: We talked to the industry earlier and they said that they wanted hearings about every three to six months to have a chance to bring forward issues and concerns that they had.
Once again, I am not sure what a -- I don't know what you mean when you say formal hearing because I am
-- but typically we sometimes do where actually there is testimony that you have. Other times we bring together people to talk in panels, where they start off by talking and more of give and take session, where you may sort of talk through some of the issues. The latter sometimes is more helpful, but it is nice to also have things written down.
MS. FYFFE: Help me with my memory, Jim. When was the last time that this committee had a meeting or a hearing outside of Washington, D.C.?
[Multiple discussions.]
MR. SCANLON: Other subcommittees have had them.
DR. COHN: Patient I.D. in Chicago.
[Multiple discussions.]
MS. FYFFE: In all seriousness, we have to take a hard look at I think some regional meetings of the subcommittee or even -- I don't know if it is possible -- the full committee because we have to get the word out there. There is no doubt in my mind about that.
MR. SCANLON: Well, you could even have a hearing here where you bring in the professional associations and others and you ask them to testify about outreach efforts and their assessment. I think one question is timing and I think timing here is everything.
If it is premature, then it --
MS. SANCHES: You could have an outreach session right now. You are right. It is just the topics that
get --
MR. SCANLON: But you could ask AMA, AHA and others. I mean, that is just one issue, the outreach issue. The other would be, you know, with general -- what do you think the readiness is and the general areas that need attention or areas where the committee could help areas where further development is needed, question and answer periods where people could try to get some consensus answers about -- or at least we would look and we would let them know.
Then, again, timing, I guess, is critical because if it is too early, it is almost --
MS. FYFFE: I do not think it is too early. I think when you consider the planning pipeline for this type of thing, we need to get started right away.
MR. ROTHSTEIN: Would it be valuable for us to solicit from the various trade associations and professional organizations areas of concern so that we could help to frame the topics to be discussed at one of these meetings and make it, you know, the most relevant to their concerns?
MS. FYFFE: I think so.
Let me throw out another idea and this may see -- I don't know how it is going to be taken, but because I have seen so many different interpretations from attorneys and consultants, shall we do some outreach to some of the bar associations?
[Laughter.]
I mean, I am serious because, you know, there is
-- what we have here is a marketing force out there that can help spread the word and if you do outreach about this vast new law on privacy to bar associations, then they say, ah, I can go and market my services to various organizations all around the country and it becomes a multiplier effect, so to speak.
MR. FANNING: There is the Health Lawyers Association and the relevant section of the ABA.
DR. FROHBOESE: We do have a presentation planned for the Health Lawyers Association next week. And unfortunately had to cancel a session with the American
Bar Association a couple of weeks ago, but certainly they are key among the --
MS. SANCHES: We have actually already done and I am sure we will continue to do outreach for the APA and some other groups, getting out basic information about the fact that the rule was out there.
I have been on a few panel discussions already. So, the word is getting out there, but you are right, more is good.
PARTICIPANT: [Comment off microphone.]
PARTICIPANT: There is a major conference in D.C. this week, the HIPAA --
MR. FANNING: I was just going to make the same point. A great many people are speaking there, of course.
PARTICIPANT: That was the point that I was going to make, John, was that if you think you are speaking there, there is going to be a tremendous amount of consultants speaking there also. It would be interesting to hear what is being said not just by you all, but to get a bunch of people to go to all of the sessions to hear what all of the consultants are saying. That is what I am going to do.
PARTICIPANT: We have been doing that. We are actually trying to make sure that somebody is represented at as many of the sessions as possible so that we can get that feedback.
PARTICIPANT: The other thing is that some of those sessions, which are not necessarily billed as privacy, the last session, some of the sessions were billed as transactions, but they actually --
[Multiple discussions.]
-- something has to go into these fields. So, it is not as defined. You may want to be advised that it is not just those sessions on privacy that you need to get to.
DR. COHN: And actually AHP is having a meeting earlier.
PARTICIPANT: [Comment off microphone.]
DR. COHN: The meeting is full time, I think.
Getting back to the -- I mean, when we should do something. It is premature before the final rule is out. I don't think there is going to be any great value to us trying to do hearings before the final rule --
PARTICIPANT: Even if we started today, we couldn't --
DR. COHN: -- effective date or whatever. But certainly my view is is that we probably ought to plan at least one hearing before the next full NCVHS meeting and certainly sometime between April 15th and early to mid-June is probably a time to at least -- I mean, you brought up a number of issues, Jim, which I think are all pertinent, recognizing that it may be even a little bit early to start getting people to focus on the issues. It may be a question of letting people from industry segments come in and tell us what their issues are as they begin to analyze it might be just a very useful piece, as well as getting some FAQs out, having them tell us why they aren't effective, why they don't help or why they are confusing or why they didn't address the issues.
I mean, it is just --
MS. SANCHES: It depends on how wonderful and helpful they are.
DR. COHN: But for that you could stay home.
MR. ROTHSTEIN: I would like to second Kathleen's suggestion that if at all possible we have it outside of Washington. Chicago would be a good place because AMA, AHA all these groups are based there and it is easy to get to in terms of flights and stuff.
But, Marjorie, I don't know what the restrictions are --
MS. GREENBERG: I think it is a good idea to have some of these -- you know, outside of Washington. It is just if we are going to do that it always takes even more advanced planning. So, we need to identify a date and a place.
DR. COHN: I have a question on that. I agree that it should be -- that there should be one out of town and there probably should be a couple out of town. The question is whether the first one should be out of town.
Usually it takes everybody outside -- it takes people a little more time to sort of figure things out and typically when we have done things out of the Beltway, we discover that people know less and are more confused about things.
So, if what we are trying to do in the first hearing is to really understand the people that are clearest about things, how confused they may be, I think that is our first job is the people that should understand it, how well do you really understand or are you confused about it still.
Then the question gets to be more, gee, for people that are not quite as clear, what are you still confused about. So, it may be that sometime in the summer when we would want to start going to Atlanta or Chicago or --
MR. FANNING: Simon, it strikes me -- the professional associations are there.
MR. SCANLON: If the purpose of the first one, and particularly in terms of timing and biggest impact and sharing information and trying to get some guidelines around what really is here, I mean, again, I just don't think -- I think you would probably want to do Washington. Doing San Francisco or Chicago or Atlanta, it is nice and it is regional, but you usually hit state folks and regional folks. The national folks come there anyway and they can't come. I think really again if you want to achieve the most efficiency and get the most information out to try to verify some things, I can't imagine you would want to go anywhere else.
After that, I think, then it is another issue.
MR. ROTHSTEIN: This may be sort of naive, but I think having done this in other contexts, there really is some public value in having meetings outside of Washington. I mean, it is not -- it is like the government sort of in a sense is coming to you and one of the problems with this regulation and many others is there is -- people view it in the worst possible terms and Washington is forcing all this stuff that we don't understand and they are going to put everybody in jail and so on. An informational meeting in your part of the world, I think, in my experience has been very helpful in these kinds of situations.
So, we probably need to follow-up on that suggestion. We don't have a quorum here. Maybe the Executive Committee would take up the issue of -- I mean, who would decide on doing that?
[Multiple discussions.]
Oh, this afternoon. Okay. I can propose that or raise it in my report.
MS. GREENBERG: Then we can poll the members and staff and I would hope whether we have it in Chicago or Washington, I guess that would be a question to Robinsue and Linda, whether, you know, you would be able to participate. Obviously, that would be of value to us, to the committee and to you. So, I don't know whether you would have any preference as to --
PARTICIPANT: Hawaii.
[Multiple discussions.]
MS. GREENBERG: But, you know, if you want to have something before the June full committee meeting, then, you know, we need to get started on that both from the point of view of logistics and, obviously, Gail's -- and from the point of view of identifying organizations and the questions you want to pose.
I think really it is, I think, an example or kind of a model that was set by the Standards and Security, the types of questions are very similar. In a way I think it is a -- although I know you have a hotline and it sounds like you are doing a lot of good outreach already, but still I think it does provide a certain amount of -- I don't know whether it is comfort or whatever to the industry to know that there is going to be this hearing, that there is going to be this opportunity for them to come forward and raise issues that the advisory group will be working with the Department. I mean, I think all of that has a very positive response in the community at large.
MS. SANCHES: Absolutely. And we can certainly make ourselves available wherever it is. This really will be critical.
MR. FANNING: Exactly what is this activity going to be? Are we going to present questions to the public and then have them come and answer or are we going to say to a series of groups come and tell us what is troubling you or what? What is the exact --
MR. ROTHSTEIN: I think the latter --
MR. SCANLON: Within some structure. I don't think we want it to be a venting session.
MS. GREENBERG: No, no, but asking those groups --
[Multiple discussions.]
MS. SANCHES: I think that would be helpful.
MS. HORLICK: Whenever I have arranged a panel, we have always tried to stick with each person and in this case it might be very much the same questions for all the different representatives, but we try to come up first with what we would like them to address.
MR. FANNING: And would that be substantive to the regulation, like minimum necessary or would it be to that level of substantive detail?
[Multiple discussions.]
DR. COHN: I think if you ask them questions like, you know, have you evaluated the regulation? If so, what problems do you see organizationally in terms of implementing it? What sort of questions -- I think there are a lot of organizations that would probably come with some testimony as well as other things to try to identify for you the problems that they are beginning to have and it could get relatively specific, which will be fine.
DR. FROHBOESE: It really is that technical workability that we need the feedback on because I know that already with some of the workability issues that have been identified. They are things that need to be addressed. As Linda said, I think, also to the extent that this can be focused on problem solving as well, we have concrete solutions of this is how we can address this issue.
But you are right, I don't think we want to reopen the rule, but with the confines of the rule, what are the actual implementation --
[Multiple discussions.]
MR. SCANLON: And there are possibilities for structure. It could be a panel. It could be an opening presentation. It could be Q's and A, you know, ask HHS or ask --
[Multiple discussions.]
MS. FYFFE: That is very painful, but it is very effective.
MR. SCANLON: -- interprets it, until Robin says
-- Robinsue says -- I mean, ultimately, there is one voice on enforcement ultimately in implementation. So, what everyone else thinks doesn't matter until then --
MR. FANNING: Presumably by that time there will be some FAQs out and some kind of guidance and that will allay some fears or may raise others. So, there will be something to work from beyond the regulation. I am assuming that.
MS. FYFFE: Is there an appropriate link between some of the correspondence that has been coming into the Secretary's office and these hearings so that --
[Multiple discussions.]
DR. FROHBOESE: It is a tricky thing because the Secretary has been briefed extensively on the privacy rule but as all of you know, it is a really difficult rule to get your hands around. I think that there are still -- the Secretary, as well as his staff, and the White House have questions and we are still providing information and I just think we are in an active stage right now of actively providing information and active deliberations.
So, it might be that the timing would be better a little bit more in the distance. I am cognizant of the need to get the information out as quickly as possible, but I think we have to be realistic about the fact that we have had a change in the administration. We are going through a transition right now and we have our own internal needs to be able to make sure that people are up to speed.
MR. SCANLON: I think we would like to see this as sort of a -- not the committee over here and HHS over here. I think we would like to see --
MS. SANCHES: Depending on when the hearing is, it may be that the questions in the letters are still relevant and it may be that those organizations actually have worked out those issues and -- what I am saying is it is unclear if they had to write a letter in three months for the hearing, whether they would write the same questions. So, I am not sure -- I mean, it is for you all to figure out but I don't know if those letters are where you would start from. They may be or it may be that organizations have different issues at that point.
MR. SCANLON: -- little different, too, because, hopefully, you will have -- have the opposite view and you actually get a little if not cross examination, at least what set of questions would have been more -- it is not just the worst case presented.
MR. FANNING: That the purposes of the types of communications are quite different.
MR. ROTHSTEIN: John's point is a good one, though. We need to set the tone for this meeting as this is not the oral appeal of your comments that --
[Laughter.]
-- what we are trying to figure out is how to make this work.
MR. SCANLON: I think we feel better. We may need to get a reading -- we don't want this to actually hurt the overall effort. We may have to get a reading from the leadership about what would be most useful in terms of timing. We don't want to be working at cross purposes.
DR. COHN: I guess I am sort of struck. I don't think we should have a feeling before the final rule is effective -- I am not a lawyer -- the effective date of the final rule.
MS. SANCHES: -- what term to use.
DR. COHN: But having said that, it is hard for me to imagine that providing people a public forum where HHS is listening to discuss implementation issues and questions is that something that disturbs HHS or the public interest. I guess I am sort of struggling here a little bit that it doesn't seem to me that -- it is hard for me to imagine that us having a hearing at a time after the effective date could do anything but help. It allows people to express their concerns. It says that HHS is listening and all of those things.
It starts a problem-solving dialogue. So, I am sort of going with, gee, why should we wait until September and give people six months to stew in it, which I don't think is valuable at all and I could argue sometime in May as opposed -- you don't want to do it April 17th, but May or June. I guess I am feeling sort of pretty strongly that we ought to have something before -- the next full meeting of the NCVHS is late June --
MS. GREENBERG: The very end of June.
DR. COHN: -- and we probably ought to plan within that sort of May 1st to June something or other context to do something. That is sort of my view.
MR. FANNING: May I also suggest that we can always make plans later, but the simple mechanics of setting it up are sufficiently complex that you need to start now. It is easy to cancel.
MR. ROTHSTEIN: With your consent, I will include this in my report this afternoon to the full committee and then we can have whatever discussion John thinks is appropriate at that time, giving the committee support for that.
Are there any other specific HIPAA questions? We also have on the agenda the discussion of the committee's sort of plan of work in a general sense. Our guests have, you know, day jobs and they like being here, but --
DR. COHN: I was going to recommend -- we have about half an hour left and we actually do have some things around that HIPAA implementation plan and other things, substantive issues I don't want to have us miss. I don't know that our expert, resident experts here need to be around for that one, but I guess to quickly question about our plans for the subcommittee, it seems like we have a plan. I guess I would question given the fire power we have, is there anything else that we need to be doing this year, other than focusing on trying to help with this implementation, which we could easily buy a house in Washington and live here to help it.
So, I guess the question I have for you is is, you know --
[Multiple discussions.]
MR. ROTHSTEIN: I would be remiss if I didn't put that on the table because it was raised in the conference call and one of the purposes of the meeting is to sort of get our plans going and to hand them off to whoever the next permanent chair is so that we can get going.
MS. HORLICK: John, you had mentioned last time, I guess, on our conference call about hearing from the Office of Human Research. I don't know if that is something --
MR. FANNING: At some point, it would be desirable for this subcommittee and possibly even the whole NCVHS to hear from the new head of the Office of Human Research Protection, Greg Koski, and to be briefed on their activities generally because it is of general interest to the research community and also to sensitize him in that office to the special issues in the use of data.
Now, I would see that as a briefing, an informational session, rather than much more than that.
DR. COHN: Is that something for the full committee or for subcommittee briefing?
MR. FANNING: Well, I don't know. My instinct is it would be helpful for the full committee. This is pretty important. He is making fairly substantial changes in the way that whole process works. We also have at the same time -- I don't think this can be covered in any detail -- the work of the National Bioethics Advisory Commission, which is proposing, at least at the draft level, extending protection of human subjects rules to the whole populace, not just research from federal funding.
So, that is in the background.
DR. COHN: Is that like the privacy board or are you talking about something else?
MR. FANNING: It is something quite different.
MS. FYFFE: John, that is a small bombshell you just dropped.
MR. FANNING: I did not drop it. NBAC has had this and if people have been paying attention, they know what is there. In fact, they have a detailed draft report, which comments were due about a week or so ago, easily downloadable from their web site. But they made a formal statement sometime back that they felt it was undesirable, that there were people who were research subjects, who were not covered by the same type of protection.
DR. COHN: Oh, you are talking about research. You aren't speaking of like any time one sees a patient, one has to have them sign a treatment plan.
MR. FANNING: No, no.
MR. ROTHSTEIN: -- in Congress over --
MR. FANNING: No. That is a separate matter, but I think an important bit of background for all concerned is to at least know how the present system is working and being expanded and so on. So, I think it would be very helpful to have Greg at a full committee meeting.
MS. GREENBERG: He is at the Secretary's office or NIH?
MR. FANNING: No. That office is now in the Office of the Secretary. It is part of the Office of Public Health and Science.
MS. GREENBERG: The subcommittee can recommend that as well then.
MR. FANNING: I might point out that we may want to in this committee talk to him or more likely his staff about some of the specialized issues involving information within the Department. We are planning to have our privacy committee and HIPAA implementation forum meet with those people at the end of April to discuss the special research issues under the regulation we have just been discussing, as it intersects with the common rule and whatever plans they have.
MR. ROTHSTEIN: I think those issues are extremely ripe now.
PARTICIPANT: These are emergent issues.
MR. ROTHSTEIN: Especially in light of the Burlington Northern case.
MR. FANNING: Would you care to tell us what the Burlington Northern --
MR. ROTHSTEIN: That was where the railroad allegedly was performing genetic testing on workers without their consent or knowledge.
MS. FYFFE: Related to carpal tunnel.
MR. FANNING: Yes. Although I don't think anyone claimed that was research.
MR. ROTHSTEIN: Well, yes -- no. I am claiming it is research. They were claiming it was public service.
MR. SCANLON: Well, actually, the Bioethics Advisory Committee is actually separate from Greg. I mean, you would almost want to -- what they may be recommending is expansion --
MR. FANNING: Oh, absolutely.
MR. SCANLON: -- which is a little different than what Greg --
MR. FANNING: Oh, yes, they are different. I just wanted to indicate that it was a developing field. I don't think -- let's see what they come out with, but Greg is operating --
MR. SCANLON: Apparently, they are thinking that public health is research, too. So, we have to be --
DR. COHN: Public health is research?
MR. SCANLON: Well, some of it is and some of it isn't.
MR. FANNING: I might just make the observation that the way public health people -- protection of human subjects people and data protection people, like me, look at issues are really quite different, different vocabulary and so on. Part of the problem will be working those things out and getting them closer together.
MR. SCANLON: Just one more word in terms of work planning for the year. We do have some funding for analytic support to the committee and the subcommittees for this year. So, to the extent that any contracting or analytic work is necessary to support the activities.
DR. COHN: I have a big project to recommend.
MR. SCANLON: Let's not use it all here. We are not talking seven figures, Simon.
[Multiple discussions.]
MR. ROTHSTEIN: John, did you want to comment --
MR. FANNING: Oh, yes. In the announcements category, I have given out to everyone the new report of the ethical force program of the American Medical Association with a set of standards for the protection of health information, with measurable expectations against which various performers can be evaluated. That is a useful thing. It can be found on the AMA web site for others who don't have the text.
Much of it is pretty much congruent with our regulations, is it not? Fair?
PARTICIPANT: I think that is fair.
MR. FANNING: Yes. The other thing I have given out just for information. We have an internal privacy committee as a feature of our Data Council and we have a web site and I have given out the page of that material. There are links to various bits of data protection lore and law.
MS. FYFFE: One of the members of the oversight body for the ethical force program is John Eisenberg.
MR. FANNING: Yes. And the -- okay. That is all I have.
MR. ROTHSTEIN: Other announcements or other issues?
DR. COHN: Do you have this? I know you weren't here yesterday. It is actually this is what we need to look at. This gets to be sort of to a fundamental question. This is Tab 4, which has to do with the annual report to Congress on the implementation of the administrative simplification provisions of HIPAA.
Now, previously, the committee had gone on record as always calling for legislation -- federal comprehensive health legislation to ensure the privacy of health information. So, that has been replicated in these annual reports. I am looking at page 4, third paragraph.
This year we obviously have a privacy rule, which we never had before and at least to my view, it was a lot more comprehensive than I had thought it was going to be initially, which I think is probably a feature. So, that question is is that we change the report and sort of the committee position a little bit, which is -- and the question is is this right or is this not right. So, we are bringing this before the subcommittee. Well, we say the NCVHS supports and applauds the progress of obviously the privacy rule, the committee views health information privacy protection as a foundation for the full complement of health care administrative simplification standards and for progress on additional health information technology applications.
Now, the question is that we are now calling for additional laws. Do we in this one need to once again be calling for additional laws or not or are we generally satisfied for the moment with the scope of the privacy rules. That is really the question before the subcommittee. I just throw that one in towards the end.
MS. FYFFE: I am reminded of the letter, the public comment letter that NCVHS sent on the proposed rule. Do we need to double back and take a look at exactly what we said in there?
MS. GREENBERG: Certainly the lack of coverage for paper was raised there.
MS. FYFFE: I don't remember the other issues.
MS. GREENBERG: I think employers may have been mentioned.
MS. HORLICK: But the fact that employers aren't mentioned was because of the scope of the rule that was limited by HIPAA.
MS. FYFFE: It was limited by the law.
MS. HORLICK: I mean, we were saying there was still a need for this protection, but recognizing that --
MS. GREENBERG: Right. That I think, the question is left to the criticism of what was done, but given the limitations of what was done does the committee want to make a comment that -- since this is particularly -- this is a report to Congress that, you know, legislation is still needed or --
DR. COHN: Yes. That is the question is do we add another sentence or two, which sort of calls for while we applaud the privacy rule and urge its implementation, we also note that there needs to be more done.
MS. FYFFE: Presumably we should be consistent with our prior letter.
MS. GREENBERG: Well, except that the prior letter was based on --
DR. COHN: Was in the absence of the final rule.
MR. FANNING: Yes, but had not the committee made some statement before the rule was published? Was there not a recommendation from the committee to the Secretary or the Congress?
DR. COHN: There was also a letter to Shalala two or three years ago. Do you mean that one?
MR. FANNING: Yes.
MS. FYFFE: Her recommendations?
MR. FANNING: I just want to sort that you may be talking about two documents, that and then the covenants of the NPRM.
MS. FYFFE: We need to be consistent with our previous message, if necessary.
MS. GREENBERG: The 1997 recommendations were based on an assumption that we want legislation, not regulation; I mean, that that would be preferable, the committee was saying, that we should have comprehensive legislation.
Now, I mean, you know, the dynamics -- I mean,
the --
DR. COHN: That is the issue, that dynamics have changed --
MS. GREENBERG: The situation on the ground has changed but --
DR. COHN: So, what do we want to do? I mean, the question is -- I mean, we referred this over to the Subcommittee on Privacy and Confidentiality to help us figure this one out.
MR. ROTHSTEIN: Well, my personal view is that we certainly ought to include additional language. I know that people are already having questions about implementing just this aspect of it, but we should be -- we shouldn't confuse the HIPAA regs with comprehensive privacy legislation, which it is not. It was not intended to be.
So, let me just give you a small example. In the final regs, as opposed to the proposal, there was a very important change made that one I think was mentioned by the committee and that was that no health care provider should be able to require a waiver of their HIPAA rights as a condition of getting treatment.
Because if we allowed that, that would be the end of the reg. But we allow that everywhere else. In other words, it is lawful to condition a job on waiving your rights. In other words, your employer can get any information they want at the post office stage. Insurance company basically can get any information they want, a mortgage company. I mean, there are no limitations on that elsewhere.
MS. FYFFE: A mortgage company?
MR. ROTHSTEIN: Yes. If you want to get a mortgage, they want to know if you are going to be alive to make the payments. There is no restriction on their requesting access to your medical records. As a practical matter, most of them don't do it, but they could.
Life insurance, long term care insurance, disability insurance, they all require --
MS. FYFFE: They have to ask for your consent
to --
MR. ROTHSTEIN: Sure.
So, I am not suggesting -- I have no --
MS. FYFFE: See, I thought you were getting into the Graham-Leach-Bleyly(?) Act provisions when you mentioned mortgage insurance.
MR. ROTHSTEIN: All that I am saying is that the HIPAA regs generally deal with regulating the unauthorized distribution of medical records. No one has focused comprehensively on the authorized or the compelled authorized use of medical records. Congress really to be aware of those issues and -- I mean, that is just sort of one now area. I mean there are so many other areas. There is another one. The amount of information that is of a medical nature that is given to self-insured employers, both self-administered employers and so that if I am a large employer and I self-administer my plan, the docs send the bills directly to me with the diagnosis and it is stored by who knows where in the company benefits department with who knows what restrictions on who gets that information and so forth.
MS. SANCHES: We do actually do with that in our rule.
MR. ROTHSTEIN: I am sorry. I --
MS. SANCHES: We agree this is an important issue and we tried to address it in the rule.
MR. ROTHSTEIN: But it does not -- it does not prohibit the use of individual identifiers. In other words, the information that is given from the provider to the company can be the name of the individual. Correct?
MS. SANCHES: Yes, for plan administration purposes.
MR. ROTHSTEIN: Right. And that is something that in my personal judgment is not necessary and could -- there are some companies, for example, you can buy the software. So, I mean,it doesn't have to be developed. It is off the shelf, that if you work for a company, you get a medical identification number that is a unique number. The bills come up with that identification number. It is cross listed to make sure that you are eligible for benefits and the people who are handling your medical records don't need to know your name because these are co-workers.
That is just an example of areas that might be involved.
DR. COHN: The first one I will agree with you. The second one you are sort of arguing -- the fact is is that there is an attempt to deal with this area. So, it is not undealt with. You just don't like the way they are dealing with it.
MR. ROTHSTEIN: Right.
DR. COHN: Let's make a distinction now between -- I mean, because, obviously, you know, you could still have broad comprehensive privacy regs or laws and you might not agree with them even after they are done.
MR. ROTHSTEIN: Right. And I certainly want to be in the category of people I described as the whiners that are at our hearings.
MR. SCANLON: Well, it is not perfect, but your point is that there are -- I mean, you may want to say while you support and applaud this as a major foundation, that I think as you have said in the past that because of the statutory limitations, there are some -- legislation may be needed to fill out or to reach the full grasp of privacy protection, something like that. You have said that in the past.
I wouldn't go into a lot of detail.
[Multiple discussions.]
The only worry is that people quote this committee as, you know, depending on where they want to go to the extent we say -- to the extent that we point out there are limits and gaps, it often is quoted later as a reason for not doing the right thing.
So, whatever we say -- I mean, whatever the committee says, you just have to say it. I mean, you have to say what you conclude, but you say it in a way where if you are really -- you don't want your language to be used against you, to then say the rights are not any good and some of that sort of thing. So, you have to choose your words carefully.
I have seen language from this committee used to argue points, yes.
MS. HORLICK: I think they couldn't assume that people understood what the statutory limitations were just by reading that sentence.
MR. SCANLON: But even in our press release, we acknowledge that.
MS. HORLICK: Right. So, we have to sort of spell out that that limited the coverage to, you know --
MR. ROTHSTEIN: Well, I don't know whether it is appropriate to include this, but one of -- I am a strong supporter of privacy and confidentiality, of course, but what people often don't understand is there are tradeoffs and there is a price that you have to pay for privacy and confidentiality. It is not free. There is a research price and there is a public health price and there is a clinical care price and there is a dollar price and all sorts of other costs.
Often times we act as if it is a good without the tradeoffs. That may be the kind of language that would be used against us in other contexts. I mean, the best way of ensuring the privacy or the confidentiality of medical information in research is to not do research.
MR. SCANLON: Is to not use identifiers.
MR. ROTHSTEIN: Right.
MR. SCANLON: I think for the purposes -- I mean, the committee may want to weigh in more generally on the privacy regs, but I think for the purposes of the annual report to Congress, you probably need a few sentences in support of the --
DR. COHN: Maybe we need to take a look at the last annual report and see what language we used and see if there is some way to meld this in.
MS. GREENBERG: Just in light of however you want to handle it and maybe just using something like the language from last year would do it, but this also, I think, is probably -- should be on the longer range agenda of the subcommittee to be -- because the committee and the subcommittee is more than HIPAA, although sometimes it doesn't seem that way -- that the subcommittee should be looking at down the road, you know, what other areas of privacy protection need to be addressed or couldn't be addressed by this regulation.
MR. SCANLON: I think that can come in the months ahead. I think --
DR. COHN: Maybe years ahead.
MS. GREENBERG: No, but I mean privacy has been a concern of the committee long before HIPAA and --
MR. SCANLON: But this is a much more --
[Multiple discussions.]
-- do we support this or not? We are reporting in an annual report to Congress and others that --
[Multiple discussions.]
MR. ROTHSTEIN: Simon, is this something that needs to be handled by the full committee or --
DR. COHN: Well, this is going to come up for action item later today.
[Multiple discussions.]
-- recommendation on how we --
MR. ROTHSTEIN: Given that there are three of us here and five or six members not here --
DR. COHN: Well, we are not voting. We need recommendations.
MR. ROTHSTEIN: I would strongly support an additional sentence or two to be crafted by you --
[Multiple discussions.]
MR. SCANLON: -- suggest some wording. The full committee can take --
DR. COHN: I think I am hearing that and we will see if we can pull out something for --
MS. GREENBERG: Maybe the Executive Subcommittee have the final --
DR. COHN: Yes, I think so but it is just we need to make sure that everybody is clear on what we are saying. I think we can do wordsmithing later on, but I think privacy is an important enough issue --
MR. ROTHSTEIN: I think just a general statement that HIPAA is not the end of the road for privacy.
DR. COHN: Exactly. And I did want to comment on what Marjorie was saying, which I absolutely agree with her comments that the subcommittee does need to look into things that are sort of beyond HIPAA issues. My main concern, though, is that recognizing the fire power of the full committee -- and I was reading the 50 year history and wishing that we had technical committees that we could spin off full of consultants that we hired to produce long reports and do hearings for us, but recognizing that that has not been the case since about 1970, I guess, or 1980 --
PARTICIPANT: Mid seventies.
DR. COHN: Seventies, whatever. The truth is is that there is just us. So, we need to be very careful about how we prioritize. Just as I have had to realize with the Standards and Security Subcommittee, I think I am also referencing here that, you know, if we don't get what is on the books now successfully implemented, the rest of it probably doesn't matter. I don't just mean that, but I mean this is such a big first step here, these privacy laws, that we really need to make sure that we are hoping any way we can to mitigate issues, ensure successful implementation.
And that is really our job for this year for this subcommittee.
MR. ROTHSTEIN: I think that is a fair comment because this subcommittee has not been charging ahead as of late and it is important for us to start generating some momentum and after a period of time, then we can, you know, find new worlds to conquer.
DR. COHN: There is another document here that we need to look at very quickly and we probably need similar sorts of -- I don't know if there is anything we can do about this today. It is the summary --
MS. GREENBERG: Tab 5.
DR. COHN: There is a report to the Secretary, activity summary for spring of 2001, NCVHS, a resource for health information policy. Now, this is a short document, which Mark had referenced yesterday as -- in fact, that was a feature of this particular document and it was meant to be something that potentially -- it started out I think originally as a vehicle to highlight the National Health Information Infrastructure report, PMRI report and health statistics work going on.
But I think as a we look at it and realize that with a little bit of work, it could actually be a -- is a pretty good vehicle for somebody high up in HHS needed to figure out what NCVHS was doing and its role, rather than leading to a hundred pages of stuff, might be able to very quickly get a view of what was going on.
I thought for the Subcommittee on Standards and Security, that probably an additional sentence or two, related to -- probably covered much of what we needed from that view to cover that activity, but that there needed to be something in here a little more about privacy and confidentiality. So, maybe ask Gail to look at -- somebody to take a look at that and see if we can come up with -- I am not thinking about a whole page. It can be a paragraph to talk about the role of privacy.
MS. GREENBERG: Populations talked about maybe doing a paragraph.
MR. ROTHSTEIN: I remember reading this and kept thinking where is the privacy --
DR. COHN: See, that was my thing, too. That is why I brought it up to the full committee yesterday.
MS. GREENBERG: I think right now the document is -- we can still keep it to around five, a little --
DR. COHN: Yes. We are thinking about something succinct and tight so if Thompson actually wanted to read something or somebody wanted to read something about the NCVHS, he would have a view but it wouldn't be so many pages.
MS. GREENBERG: Something probably about the work that the subcommittee has done --
MS. HORLICK: Are we talking about a paragraph?
[Multiple discussions.]
MS. FYFFE: Given that this is a five page document, I think you could keep it to five pages with one or two paragraphs.
MR. ROTHSTEIN: One paragraph about what we have been doing and --
MS. GREENBERG: And what you are planning to do in relationship to the regulation.
MR. ROTHSTEIN: What would the timetable be?
DR. COHN: We will be talking about this likely as an action item later today. It doesn't have to be written today. I think this will be something that will go with amendments and modifications through the Executive Committee. You can ask John what time frame, but -- I am thinking the next month --
MR. SCANLON: I guess the process will be that it will be discussed this afternoon. I think John would like to get it into --
MS. GREENBERG: And maybe whatever the subcommittees are recommending be added. It will be circulated to everyone and finalized by the Executive Subcommittee so everyone can see it. It would probably be nice, though, to get this out in the next month.
It is my understanding that John is going to try to abridge this whole meeting because of the weather. Well, Denise Koo is ill and she is not actually coming. So, we will reschedule her. She was willing to do it by phone from home but since that is less than ideal and given the weather and everything -- it is my understanding that Donna Pickett is still coming.
MS. FYFFE: In all seriousness, with the prediction of what, three to five inches this afternoon and this evening, three to five inches of snow --
MS. GREENBERG: Let's go to the meeting and get that --
MR. ROTHSTEIN: I am scheduled to give the subcommittee report at 1:45. So, you don't know what time that is going to be then?
MS. GREENBERG: Well, maybe I shouldn't have said anything, but I would assume we will go, we will have the presentation on ICD-10-CM. Then we would go to the action items. Well, we have the reports from the working groups, but they decide to abbreviate that in light of the fact that, you know, there is nothing that earth shattering for them.
We will probably go to the action items. What is the status of the NDC letter?
PARTICIPANT: We will have it ready for the full committee.
MR. ROTHSTEIN: Thank you very much. The subcommittee meeting is adjourned.
[Whereupon, at 9:58 a.m., the subcommittee meeting was concluded.]