[This Transcript is Unedited]

DEPARTMENT OF HEALTH AND HUMAN SERVICES

NATIONAL COMMITTEE ON VITAL HEALTH STATISTICS

SUBCOMMITTEE ON PRIVACY AND CONFIDENTIALITY

August 22, 2001

Hubert H. Humphrey Building
Room 705-A
200 Independence Avenue, SW
Washington, DC 20201

Proceedings By:
CASET Associates, Ltd.
10201 Lee Highway, 160
Fairfax, VA 22030
(703) 352-0091

P R O C E E D I N G S (8:30am)

Agenda Item: Welcome and Introductions

DR. ROTHSTEIN: Welcome to the Committee on Confidentiality of the National Committee on Vital and Health Statistics. Welcome to Day Two of our three days of hearings on implementation strategies and other issues related to the HIPAA privacy rule. Yesterday, we had so much fun that we had a hard time quitting at the end of the day, and I'm sure today will be equally enjoyable. I want to also welcome those of you who are listening to us live on the Internet, and I'm told that the banging that's some type of construction on the floor, will be over shortly.

Before proceeding further, I think it's appropriate for us to have introductions of the subcommittee members and staff and we also, then, will invite the panelists and members of the audience to introduce themselves, and also for the subcommittee members to disclose conflicts of interest.

I'm a Professor of Medicine and the Director of the Institute for Bioethics Health Policy and Law at the University of Louisville School of Medicine, and I have no known conflicts of interest.

DR. HORLICK: I'm Gail Horlick and I'm from the Centers for Disease Control and Prevention, and I am lead staff to this subcommittee.

MS. FYFFE: Kathleen Fyffe. I work for the Health Insurance Association of America. I also represent HIAA on the National Uniform Billing Committee, the National Uniform Claim Committee, and the National Council for Prescription Drug Programs. In addition, this morning I'd like to point out that a representative from HIAA is testifying before this subcommittee.

DR. ZUBELDIA: I'm Kepa Zubeldia with Claredi Corporation. I'm a member of several standing subcommittees, one of them NCPDP. And I also chair the Association for Electronic Healthcare Transactions.

MS. GREENBERG: I'm Marjorie Greenberg from the National Center for Health Statistics, Centers for Disease Control and Prevention and I'm the Executive Secretary to the Committee.

MR. FANNING: I'm John Fanning from the Office of the Assistant Secretary for Planning and Evaluation of HHS and I'm staff to the Committee.

DR. HARDING: I'm Richard Harding. I'm a child psychiatrist from Columbia, South Carolina at the University of South Carolina. I'm a member of the Committee and the subcommittee. I'm also President of the American Psychiatric Association and for a period of about eight months, the CEO of that organization.

DR. COHN: I'm Simon Cohn. I'm a member of the subcommittee and full committee. I'm the National Director for Health Information Policy for Kaiser-Permanente, member of the CPT Editorial Panel, and the National Uniform Claims Committee.

MR. BLAIR: Jeff Blair. Vice President of the Medical Records Institute and member of the Committee.

MR. SCANLON: Jim Scanlon, HHS Office of Planning and Evaluation and I'm the Executive Staff Director for the full committee.

DR. FITZMAURICE: Michael Fitzmaurice, Senior Science Advisor for Information Technology, Agency for Healthcare Research and Quality. I'm Liaison to the National Committee and staff to the Subcommittee on Standards and Security.

DR. DESMARAIS: I'm Henry Desmarais. I'm the Senior Vice President for Policy and Information of the Health Insurance Association of America.

DR. BUSSEWITZ: Roy Bussewitz with the National Association of Chain Drug Stores.

DR. BAILLIE: I'm James Baillie. I'm a pathologist from the Anderson, South Carolina, and Vice President of the American Society of Clinical Pathologists.

MR. FODY: Ken Fody. I'm the HIPAA Project Executive with Independence Blue Cross of Philadelphia, Pennsylvania.

MR. WEICH: My name is Ronald Weich. I'm an attorney at Zuckerman & Spader and a legislative consultant to the American Civil Liberties Union.

MS. ROLLISON: Marietta Rollison, NCHS.

DR. KLEPINSKI: Bob Klepinski, Medtronic.

MR. BOUNJONEAU: Phil Boungoneau with the College of American Pathologists.

MR. RODEY: Dan Rodey with the American Health Information Management Association.

MR. HAYWOOD: N. Haywood, Verizon.

MS. WILLIAMSON: Michelle Williamson, CDC, NCHS.

MS. BLITZ: Mary Ellen Blitz, AARP.

MR. DESANT: Chris Desant with MarLabs.

MS. BEEBE: Lucy Beebe, NCHS.

MS. STOMLER: Robin Stomler, American Society of Clinical Pathologists.

MS. PERKINS: Nancy Perkins, Orlin Reporter(?).

MR. WOOD: Bruce Wood, American Insurance Association.

MS. SCHAFFER: Gretchen Schaffer, American Insurance Association.

MS. HOUSTEAD: Joanne Houstead with the Health Privacy Project at Georgetown University.

MR. RENNICK: Joe Rennick, American Association of Health Plans.

MR. ALI: Tom Ali with the American Association of Health Plans.

MS. HENDERSON: Mary Henderson, Kaiser-Permanente.

MS. JONES: Katherine Jones, National Center for Health Statistics.

DR. ROTHSTEIN: Thank you. The purpose of these hearings is to provide guidance to the Office for Civil Rights and the Secretary of HHS on practical issues or concerns on implementation of the Rule. We are interested in possible unintended consequences, overlaps, and inconsistencies, and areas in need of clarification. Concrete suggestions and recommendations about successful implementation strategies are especially welcome.

Because of the large number of witnesses that we have, five on the first two panels on Minimum Necessary, and the narrow focus of the hearings, I would strongly encourage that witnesses follow the following rules:

Number one. Invited witnesses will have 10 minutes to give their prepared testimony and a one-minute notice will be provided. A clock is being kept at the registration table. It will beep at the end of your time. You'll get a one-minute warning, a notice that your time has expired and then a 10-second notice that the trap door is open.

Second. After each witness, subcommittee members will have an opportunity to ask questions of a clarifying nature to each of the particular witness who has testified. After all of the witnesses of the panel have completed their testimony, then we should have approximately 20-30 minutes left for discussion of the issues raised by the testimony. Witnesses and other individuals will have until Monday, close of business, August 27 to send written testimony if they so choose, to Marietta Rollison whose address is in the FEDERAL REGISTER and available at the table.

In addition to the invited testimony, there is time scheduled at 4:00 o'clock this afternoon for public testimony. Three minutes will be given to any member of the public who wants to discuss any one of the four issues that we have on our agenda for this meeting which includes consent, minimum necessary, research and marketing.

Sign-up sheets for the public testimony are available at the registration tables and witnesses will be taken for the public testimony in the order in which they sign up. Also, if you have a cell phone, I would appreciate it very much if you would turn off the ringer. If there are no questions or remarks from members of the subcommittee, we'll proceed with the first panel on Minimum Necessary and the first witness, please.

Agenda Item: Minimum Necessary - Panel 1

DR. DESMARAIS: Chairman Rothstein and distinguished members of the Committee, I'm very pleased to be here today on behalf of the Health Insurance Association of America to talk about the minimum necessary portion of the privacy regulation.

I want to start by emphasizing that HIAA supports strong confidentiality standards and our members really are committed to maintaining the confidentiality of the health information entrusted to them. Quite frankly, however, we would much prefer nationally uniform standards for privacy and we're very concerned about the fact that we have major difficulties due to the diverse state and federal policies in this area which are continuing to grow and to be added to. I know that the whole issue of federal pre-emption is far beyond the scope of this meeting, but I would be remiss if I didn't mention it.

With respect to the minimum necessary standard, we've been encouraged by recent statements from the Department indicating that they intend this standard to be applied with flexibility taking into the account the capabilities of the health plan, the healthcare provider or other covered entities involved.

Nevertheless, we still have problems. What I would like to do in the time allocated to me is briefly describe the problems that we see. There is much more detail in the written statement that I submitted this morning.

Our first concern is the legal uncertainty and vagueness created by the minimum necessary standard and we're fearful that that will lead to defensive information practices and will restrict the appropriate and beneficial flow of information within the healthcare system.

Health plans, our member companies, must have access to protected health information (PHI) that is maintained by physicians, other practitioners, hospitals and others to do quality assessment and improvement programs, utilization review, disease management, case management and a host of other functions that are aimed at maintaining the affordability of health coverage and also improving outcomes.

So, if the minimum necessary standard has the effect of diminishing the flow of this kind of information for these purposes, we're going to have a problem with prospected quality and affordability of healthcare.

The Department itself has acknowledged that the minimum necessary standard is inherently subjective and highly fact-based. The guidance that was issued in July states among other things that covered entities, that the Department expects covered entities to exercise substantial discretion as to how to implement the minimum necessary standard and appropriately and reasonably limit access to the use of identifiable health information.

The guidance goes on to say that the standard "requires covered entities to make their own assessment of why PHI is reasonably necessary for a particular purpose given the characteristics of their business and workforce and to implement policies and procedures accordingly."

So, on the one hand, our member companies welcome the flexibility that's being discussed and described in the guidance and elsewhere in the regulation. On the other hand, the flexibility, we think, introduces a great deal of uncertainty and we're concerned that covered entities will seek to minimize their exposure to potential financial penalties or potential liability by erring on the side of being overly restrictive in what they share.

The second point I'd like to make is our members believe that the minimum necessary standard inappropriately places covered entities receiving requests for information in the position of evaluating whether the requested information is the minimum necessary for the purpose involved.

We think that only the entity that's making the request is in a position to decide what is necessary. We think this aspect of the standard will almost certainly lead to inappropriate restrictions on the disclosure of health information. I'd have to add that the standard could even be used to shield wasteful, abusive, and fraudulent activities.

Because the standard is highly subjective, we think it's going to be easy for bad actors to use it to justify withholding information that would provide evidence of upcoding, misdiagnosis, over treatment or outright fraud. We think our concerns are quite justified in light of a number of reports recently issued, documenting the pervasiveness of fraudulent, abusive, and questionable practices in the healthcare system, including recent reports issued by the General Accounting Office with regard to practice management consultants that are offering programs all around the country that are attended by physicians and others.

Third, we're concerned that unless the Department clarifies the application of the minimum necessary standard, the uses and disclosures authorized by the individual, the regulation could compromise the ability of health plans, for example, a disability insurer, to assess risk and obtain information to evaluate and process claims.

Proper assessment of risk, what we describe as underwriting is essential to setting premium levels that are fair and sufficient to cover the expected claims. In addition, efficient and timely processing of claims, something we hear a great deal about, of course, is an equally important function and requires complete information.

My fourth point is a very simple one, our members are having some difficulty proceeding with confidence in trying to implement the minimum necessary standard without having the benefit of another regulation and that is the final rule on data security.

Now, the Department published the proposed rule just slightly more than three years ago in August 1998. A final regulation, though, has still not been issued. There are many areas in which the requirements of the minimum necessary standard and the proposed security rule would substantially overlap. Unfortunately, there remains considerable risk that our member companies will start down one path based on the privacy reg and find that they will need to make adjustments as a result of the security regulation.

Last, but not least, the minimum necessary standard will be very, very costly to implement. The Department determined that the standard would be among the most costly requirements of the privacy rule. According to the Department, the total cost of implementing that standard over 10 years will be $5.75 billion.

We believe this estimate is very low and underestimates the true cost that our member companies, physicians, and hospitals are going to face. A recent study by First Consulting Group that was prepared for another organization, the American Hospital Association, found that implementing the minimum necessary standard could cost as much as $19.8 billion over five years for hospitals alone.

In sum, we believe that even without the minimum necessary standard the privacy regulation contains considerable restrictions on the amount of information and the types of information that can be used and disclosed by covered entities. We think these other restrictions are far more amenable to objective and consistent application by covered entities than the minimum necessary standard, and we believe they would be sufficient to create strong safeguards for confidentiality while avoiding the potentially serious complications of the minimum necessary standard.

I'd like to close by making one generic comment about the confidentiality regulation and that is a plea, and that's a plea for this committee to encourage the Secretary to move along in making further adjustments in the regulation. Our members are already beginning the process of spending time and energy trying to deal with a reg that was published last December because they can't wait until the last minute.

We know the Department has already signaled its interest to make further changes, and we applaud those. We think there are a number of changes that need to be made and I haven't even addressed many of them this morning. But we do think this has to be done in a very timely way that recognizes that downstream, there's a lot of work that will need to be done to make this workable. With that, let me close and I'll be happy to entertain your questions at the appropriate time. Thank you very much.

DR. ROTHSTEIN: Thank you. Any clarifying questions from the subcommittee members?

DR. BUSSEWITZ: Good morning. My name is Roy Bussewitz. I'm a pharmacist attorney with the National Association of Chain Drug Stores. The National Association of Chain Drug Stores' membership consists of about 180 retail chain community pharmacy companies. Collectively, chain community pharmacy comprises the largest component of the pharmacy practice with over 100,000 pharmacists.

The NACDS membership base operates over 33,000 retail community pharmacies and fills nearly 63 percent of the more than 3 billion prescriptions dispensed annually in the United States. I should mention at this point, that the third-payment claims for most of those prescriptions is done on-line with a standard that we have from NCPDP; 3.2 is what we're using now and 5.1 is a little bit about what I'm going to be talking about.

I'm going to begin on the top of page 6 for those of you who are following along, and get right into our problem. Our problem really is that the interface of the implementation of Version 5.1, the HIPAA-adopted pharmacy transaction standard for payment and also the minimum necessary provision.

The relationship between the HIPAA privacy minimum necessary disclosure requirement and Version 5.1 was first identified by HHS in the HIPAA privacy regulation in response to a comment to the NPRM. Let me quote, "We make an exception to the minimum necessary disclosure provision of this rule for the required and situational data elements of the standard transactions adopted in the transaction rule. Because those elements were agreed to through the ANSI accredited consensus development process. The minimum necessary requirements do apply to optional elements in such standard transaction because industry consensus has not resulted in precise and unambiguous situation-specific language to describe their usage.

This is particularly relevant to the NCPDP standards for retail pharmacy transactions referenced by these commenters in which the current standard leaves most fields optional." Let me just tell you that no consensus has been reached. We're obviously trying to convert those optional fields into situational, mandatory required or not used fields.

But, again, unfortunately, industry consensus has not been reached to yield the required precise and unambiguous situation-specific language. In general, the problem has been that pharmacies contend that the PBMs or claims processors are requesting more information than is reasonably necessary and the PBMs and claims processors believe that pharmacies now want to disclose less information than they do currently.

The most contentious issue has been how to really adequately identify the patients so that pharmacies can be paid without incurring the legal liability for non-compliance with either the HIPAA privacy regulations or the more stringent state privacy laws. I think it's important to point out here that our pharmacies are not only concerned with the HIPAA privacy regulations, but also possible more stringent state laws that could certainly be developed.

PBM's claims processors want pharmacies to disclose the patient name before they'll pay the claim. Pharmacies refuse to disclose the patient name because they believe such a disclosure is unnecessary and that such a disclosure, if it was the direct cause of a breach of patient privacy, could greatly increase their legal liability under both, again, the HIPAA privacy regs and the more stringent state privacy laws.

Pharmacies argue that disclosing a patient name is unnecessary and will be unlawful because the PBMs and processors already have that information from their clients for 70-75 percent of the claims and should be able to get the remaining 25-30 percent from their employer payer clients.

The HIPAA privacy regulation that the pharmacies are relying upon is Section 164.514(d)(3) p. 82,819. Let me quote again, "For any type of disclosure that it makes on a routine or recurring basis," and, again, the payment claim is certainly routine and recurring to the tune of about $3 billion per year, "a covered entity must implement policies and procedures which may be standard protocols that limit the protected health information disclosed to the amount reasonably necessary to achieve the purpose of the disclosure."

Pharmacies also argue that it is also unreasonable and will be unlawful for PBMs and processors to request information that they already have or should be able to obtain from their employer payer clients and let me quote again. This is from the same section, different subpart.

"A covered entity must limit any request for protected health information to that which is reasonably necessary to accomplish the purpose for which the request is made when requesting such information from other covered entities."

Chain pharmacies' fears about future increased legal liability is the huge issue here. The payers, PBMs, claims processors, agents have been incredulous when they hear that chain pharmacies no longer want to disclose the patient's name, and they ask, what has changed?

Chain pharmacies' response has been, the federal privacy laws have changed and state privacy laws are also very likely to change. We don't want to be sued for a breach of patient privacy under either again or the more stringent state privacy laws. Not only do we not want to be sued, but we also don't want our chain name associated with any allegations of a breach of patients' privacy, on the page of any major newspaper in the country. That is potentially, of course, more damaging than is a lawsuit.

There currently exists an electronic minimum necessary financial disclosure model that is used millions of times a day, the ubiquitous credit card. Consumers use credit cards every day to authorize purchases which require only the cardholder number and the expiration date on the card.

It is unnecessary to disclose the cardholder's name. The minimum necessary credit card payment authorization is frequently compared to what should be an adequate patient identification to authorize payment of an electronic healthcare claim. It will not take the average consumer or average attorney long to question whether or not it is reasonably necessary for a pharmacy to electronically disclose a patient's name to get paid by a third party.

Another question that's often raised is the chain pharmacy's fear about future increased legal liability. Is it real? How real is this? The major reason again that pharmacies have taken a position of not wanting to disclose the patient's name is their belief that unnecessary access to the patient's name will increase the chances of breaches of patient's privacy.

Pharmacies fear being sued by both the HIPAA privacy regs and the more stringent privacy laws for any breach of patient privacy that results from disclosing more than the minimum information reasonably necessary to achieve the purpose of the disclosure.

Widespread pharmacy concern for this issue is evidenced by the August 3, 2001 retail pharmacy position paper which I have attached. The first position set out at the bottom of the page one, states that, and again I quote, "to provide sufficient information to allow a claim to be adjudicated and paid while disclosing only the minimum information necessary for the following reasons: a) protect patient identifiable information, b) to limit the liability of retail pharmacies for the disclosure of information on retail pharmacy billing claims, and c) to minimize the states' concerns that more stringent privacy regulations are necessary that would supersede the HIPAA privacy regulations."

You may be interested just to take a quick look and to see all of the folks who are supporting that position. That's on the last page of my testimony. Two groups that I would like to particularly indicate are supporting is the National Community Pharmacists Association which is all the independent pharmacies. We represent all the chains at NACDS.

So that's virtually all the pharmacies in this country in retail, and also a group that you had here yesterday, represents the pharmacists, the American Pharmaceutical Association. They also have the American Society for Automation in Pharmacy which are the pharmacy software vendors supporting the same position. They feel they have legal liability here for disclosing more than the minimum necessary information.

Another reason the liability is certainly real is that the HIPAA fines certainly have got everybody's attention. What you have there is fines up to $250,000 and 10 years in prison for knowingly disclosing individually identifiable health information. Those are very real fines and very serious and have gotten everybody's attention or at least they should.

The next question is: Why are pharmacies concerned about the HIPAA legal liability provisions for wrongful disclosures when all they have to do is reach industry consensus by agreeing with the payer's, agents, PBMs, claims processors to earn the HHS 5.1 exception to the HIPAA minimum necessary requirement?

Bottom line basically is that that exception is not going to be adequate. In fact, in disclosing more than the minimum necessary, we believe that state laws more stringent than HIPAA are going to pertain and we're going to have legal liability there.

Also, one suggestion that's been made is don't worry about the legal liability, you can cover it under the business associate contracts. Our guys said, you don't understand, we just don't want to be sued. Period. It may be a great defense in court, we just don't want to be sued nor do we want that headline in the major newspapers.

What have the pharmacies offered to disclose on the 5.1 to break the adequate patient identification impasse? Those 70-75 percent of claims where the PBMs and processors already have dependent level patient names, pharmacies have offered to submit the person code assigned by the PBM claims processors and date of birth as a check. A person code would even identify same sex, multiple births on the same day which I understand is problematic.

For those 25-30 percent of the claims other than same sex multiple births where a PBM claims processor has not requested or has not been provided dependent level information necessary to assign a person code, pharmacies have offered to submit the cardholder ID sex indicator and date of birth.

In conclusion, it sounds like it's just in time, addressing the possible solutions here. The solution that is necessary to resolve the issue of whether or not sending the patient's name on electronic payment claim which occurs about 3 billion times a year is reasonably necessary, is the availability of a patient number that can be used in place of the patient's name.

The solution could take at least two forms: a number for every patient assigned by the payer's agent, PBM's claims processor, which they have the information to do for 70-75 percent of the time or the national unique individual identifier that was required in 1996 by HIPAA. We would request that whatever you folks can do to either require the payers or the employers to convey sufficient detailed patient data, dependent name, date of birth, relationship code to their PBM, claims processors, clients so they, in turn, can assign a person code, would be greatly appreciated or try to promote the unique individual identifier. We have privacy regulations. We have penalties and fines that would protect that number from being misused.

That concludes my formal remarks and I'll try to answer any questions you might have.

DR. ROTHSTEIN: Thank you.

DR. COHN: I just have a question of clarification. Since you're referencing the NCPDP standard so extensively, is the patient name optional for the NCPDP transaction?

DR. BUSSEWITZ: It is currently mandatory.

DR. COHN: That's all I needed to know.

DR. ROTHSTEIN: Other questions? Dr. Baillie.

DR. BAILLIE: Again, my name is Gene Baillie. I'm a pathologist at Anderson Area Medical Center in Upstate South Carolina. I'm here today representing the American Society of Clinical Pathologists. I serve as their Vice President.

I'm going to pretty much follow the handout that you were provided and to have a context for my comments this morning, let me first explain the American Society of Clinical Pathologists (ASCP). The ASCP is a non-profit medical specialty society. It's organized for educational and scientific purposes. It has 75,000 members and they include board-certified pathologists, other physicians, clinical scientists, certified technologists and technicians.

I'd like to start with an overview of our thoughts on the HIPAA rule, give a couple of examples of our concerns, and then would be happy to address questions. The proposed rule suggests that healthcare providers release the minimum necessary information when performing healthcare services.

ASCP offered several examples of why this proposal was problematic. For example, in order for physicians to examine, diagnose, and review an individual's health history, it is imperative for physicians to obtain the individual's complete health history. Also, staff members that are in charge of handling disclosure requests are not adequately trained to decipher what minimum information will satisfy a particular disclosure request thus causing a delay in providing timely care to patients.

The final rule appears to address these concerns by stating that a covered entity may use or disclose protected health information to the individual to carry out treatment, payment or healthcare operation. The minimum necessary requirement does not apply to disclosures or request by the healthcare provider for treatment.

While improvement over the proposed rule, the provision needs further clarification. Providers must be able to share information among other healthcare providers so that patients obtain appropriate care. For example, pathologists may receive a uterus to examine. The surgeon has informed the pathologist that a hysterectomy was performed on the patient. However, no other information is released on the patient's history since the pathologist, a provider in the same covered entity is subject to minimum necessary standard in using and not just disclosing this protected health information.

If in this instance the patient also had an unrelated diagnosis of sarcoidosis and it was not reported to the pathologist, an additional testing for fungus and tuberculosis may have to be performed on that patient to further explain the pathologic findings that he saw in the lymph nodes.

To take this example a step further, you've got a medical technologist working in the chemistry laboratory performing tests and they note an elevated calcium level, an occurrence on individuals with metastatic cancer, parathyroid gland abnormalities and some other conditions that include sarcoidosis as well.

If the medical technologist is not informed of the patient's medical history, confirmatory testing may be needed to be performed to determine what is going on. This confirmatory testing could have been avoided if it was communicated that this patient had already been tested six months previously at another facility. Provider-to-provider communication is critical in patient care and should not be impeded. This information needs to be shared.

The July 6 guidance document states that the rule provided the covered entity with substantial discretion as to how to implement the minimum necessary rule. The guidance suggests that covered entities may develop role-based policies that allow its healthcare providers and other employees, as appropriate, access to patient information for treatment purposes.

While this discretion is appreciated and the intent to clarify is genuine, the guidance creates too much ambiguity. For a pathology laboratory that services several hospitals and physician offices, and our particular practice has seven outlying smaller hospitals and one main large hospital in two different states and they're not in the same entity, we have approximately 100 offices that we get specimens from.

This has the potential to create confusion and potential safety concern. The laboratory will need to recall when determining when a particular office or institution gave them all the medical information or only a portion of it when making diagnoses.

Again, while improvements have been made in this area, we believe that said clarification belongs in the final rule and not only in the guidance document where misinterpretations may occur. Frankly, with the guidance document giving so much discretion, we question whether the minimum necessary provision as it applies to healthcare providers needs to appear at all within the regulation.

In the questions posed to me prior to the hearing, there was an inquiry as to the cost of applying the minimum necessary standard. We've heard some of that discussion already this morning. It's difficult for me to quantify this on a national level. However, there are several direct and indirect costs involved. There's more than just dollars.

For example, there's the cost of employing either part-time or full-time employee to handle privacy compliance within the laboratory. There is the cost of continual training of staff at all levels to decipher what is the minimum amount of information necessary. There's the cost of slowing turnaround times of reports or at a possible cost of patient safety if wholly necessary information is not disclosed to the laboratory.

For more specifics, I can put on my other hat, not as a representative of ASCP, but as president/CEO of INREACH Corporation. My company specializes in customized software designed to augment access to healthcare information. For approximately $60,000, and that's only the software cost, this will monitor the access and disclosure of health information. Software currently in use at our institution at Anderson, South Carolina and also at the University of Texas Medical Branch in Galveston.

The software allows the institution to track who is looking at what data and provides a trail for investigating any privacy transgressions. In my institution, the clerks need to access all laboratory information to provide it back to the medical record or for Medicare audits. The system permits that access, but would be able to find easily any adherence from appropriate use or disclosure. I'd be happy to provide a demonstration of this software at another time, but I mention it today just to explain that there are costs involved with the minimum necessary standard.

On another issue, the definition of healthcare operations includes conducting training programs for healthcare students and trainees. Yet, these individuals are exempt from the minimum necessary requirement. We believe that in order to learn what healthcare information is needed in specific circumstances, these medical students, residents, and allied health trainees should be exempt from the minimum necessary rule.

Again, in the July guidance document, there was an explanation that minimum necessary requirements do not prohibit medical residents and trainees from accessing patients' medical information. Yet, it does not specifically exempt them from the minimum necessary provision.

The guidance allows for each institution to shape its own policies. The minimum necessary uses and disclosures, again, while the intent is positive, the guidance provides latitude and ambiguity that is not clearly explained in the rule. We suggest it be clarified in the rule.

I hope this information has been helpful to you this morning and I thank you again for the opportunity to address you on the minimum necessary provision as it applies to pathology and laboratory medicine. I'd be happy to take questions.

DR. ROTHSTEIN: Thank you. Questions from the subcommittee?

MR. BLAIR: Should I understand that the gist of your comment is that if a strong comprehensive software is available to audit access to information, that that would be a sufficient deterrent and that minimum necessary is not necessary? Is that what you're saying?

DR. BAILLIE: In part. Let me give you a specific example of the Medicare audit thing that I referred to. We have people who are minimally trained and have minimal education, but they are to review Medicare pathology reports for the purpose of various audits whether it be proper billing or proper information and that sort of thing.

They are instructed and trained that the software will be watching every keystroke, and if there should be something that is brought up against them at a later time, then the record is there and it can be documented; what they actually tried to look at, whether they were able to look at, and whether they actually physically opened it. Does that help?

MR. BLAIR: Thank you.

DR. HARDING: You're recommending that there be a trainee's exemption from minimum necessary?

DR. BAILLIE: Yes.

DR. HARDING: In all levels of medical education?

DR. BAILLIE: That's my personal feeling about it that we need to have it wide open so that a trainee has the ability to look at the whole scope of things and then they are able to, as they go through their training, they're able to narrow it down what they need to have as necessary information as they go forward.

DR. HARDING: The final rule at this time says that that's an institution by institution decision and you would like to be an over-arching rule?

DR. BAILLIE: Yes, sir.

DR. HARDING: Thank you.

MR. FODY: Good morning. My name is Ken Fody from Independence Blue Cross. I'm here today representing the American Association of Health Plans. And just a little bit about my company, Independence Blue Cross also trades with the Blue Cross markets in Puerto Rico and the US Virgin Islands. We also do unbranded business in Delaware and New Jersey, and we have a third-party administrator which is a subsidiary of ours. We insure approximately 4.5 million people.

I've been asked to comment on the minimum necessary provision of the health privacy rule. In the interest of brevity, I will summarize some parts of my presented materials. For routine operations, a covered entity must establish policies and procedures that help indicate what health information is the minimum necessary.

For non-routine operations, this determination may be made on a case-by-case basis. The requirements affect not only a carrier's internal operations, but also the flow of information between entities covered by the privacy rule.

Looking at one of the benefits of the requirement, the primary benefit occurs when a covered entity requests protected health information. Today, entities can request whatever information they choose and the process for making those requests can be ill-defined.

The privacy rule requires entities to create policies and procedures that provide guidance to employers and what PHI should be requested, disclosed or used in particular situations. Requests not covered by these policies and procedures will have to be reviewed before they are made in order to verify that the minimum necessary requirement is satisfied.

Ultimately, this may not reduce the amount of protected healthcare information that is used or disclosed, but it will ensure that entities are constantly aware of these uses and disclosures. What are the burdens of the requirement?

First of all, drafting the policies and procedures. The minimum necessary requirement is problematic for a number of activities typically undertaken by health plans. The functions that are categorized as healthcare operations under the privacy rule present a special challenge.

For these functions, a range of information required and the ways in which that information is used varies both within entities and between entities. Many of these uses and disclosures cannot be anticipated in advance. Due to the diverse nature of these operations, a health plan is likely to encounter non-routine functions that require case-by-case determination of what information is minimum necessary.

Even routine functions that appear standardized can be complex undertakings. Routine functions can require different information from one moment to the next. The example I use here is the claim processor may be looking at a claim for a routine office visit one minute and a claim for open heart surgery the next.

They're processing claims that are presented to them either on paper or screen. The variation becomes even greater when the standard is applied to healthcare operations such as underwriting, authorizations or disease management. Health plans face the problem of either developing many different, specific policies and procedures covering minimum necessary information or adopting very broad policies that cover categories of uses and disclosures.

Going back to my example of a claims processor, a plan could conceivably adopt a specific policy for every diagnostic and treatment code or it could formulate a very broadly worded policy that applies to all claim processing. If the plans do the former, it becomes a very time consuming and expensive process to create and maintain the policies.

If they do the latter, they expose themselves to charges that the policies they've created failed to satisfy the requirement. Our recommendation is the HHS should provide guidance making it clear that entities may develop policies and procedures that broadly describe the types of PHI necessary for categories of operations that a covered entity may perform.

The next issue that I've raised here is varying interpretations and the impact on the data flow which I believe has been addressed by some other speakers this morning. The reality is that different covered entities, providers, group health plans and carriers, will have different interpretations of what is the minimum necessary information for their purposes. It is natural for them to use these interpretations to evaluate requests for PHI received from others.

The problem is that the PHI or protected health information that covered entity A needs is not the same PHI that covered entity B needs or believes is necessary for the same operation. My definition is not the same as your definition. This discrepancy is harmless so long as the definitions do not conflict.

They can conflict, however, when one entity has formulated a request for information and another entity is evaluating that request as often occurs when a carrier requests information from providers. If the entity providing the information uses a more restricted definition of minimum necessary, the party making the request may be deprived of information that it needs.

The entity receiving the request for information in the case of a carrier asking for information from a provider will be seeing a provider receiving a request for information naturally is going to be inclined to be conservative. Unfortunately, given the increased pressure on carriers to process claims and authorizations quickly and provide greater oversight of quality from our perspective, greater information is important and is critical that such bickering over what is the right amount of information not impede the flow of information and not disrupt the operations that make up the entirety of the healthcare system.

The privacy rule does provide that a covered entity that has received a request for information from another covered entity may rely, if such reliance is reasonable under the circumstances, on a requested disclosure being the minimum necessary.

While helpful, this provision does not go far enough. There is ample room for the entities to disagree over whether reliance is reasonable under various circumstances. The recommendation is that ideally the privacy rule should be modified so that the recipient of a request for information made by another covered automatically relies on that request unless it is clearly inappropriate.

Absent that change, HHS can help to prevent disagreements by issuing guidance emphasizing that the fact privacy rule currently allows the covered entity to rely upon a request from another covered entity. This guidance could go on to specifically enumerate some disclosures that should be presumed appropriate. For example, a request for HEDIS data made by a health plan subject to NCQA accreditation or which may need that information for some purpose responding to a government agency.

Another issue involving varying interpretations involved enforcement. Overshadowing all covered entities' deliberations about the minimum necessary requirement is a concern about those who will "enforce" the privacy rule. As a practical matter, this "enforcement" will not only be by HHS, the Office of Civil Rights, but also by from our perspective, plaintiff's lawyers.

It is very easy for someone coming into this field to look at all of the comments and concerns being expressed from every corner of the industry as somewhat reactionary and/or nitpicking. However, I believe this is a reaction to the potential for class action litigation. The creativity of the plaintiff's bar in seeking new causes of actions -- they are a very creative group -- and the current hostile climate that exists will develop different criteria for minimum necessary information and that are covered in these organization procedures and information infrastructures will be factors in determining what information is necessary.

The guidance should also clarify that the standard is satisfied so long as the covered entity reasonably believes that the information is necessary to perform the task at hand. Does applying the minimum necessary internally in an institution make sense?

Requiring all covered entities including institutions to review uses and disclosures of information outside of the workforce and outside of their business associates is indeed valuable. It requires covered entities to review whether they really need to ask for all the information that they collect today.

Once a covered entity reduces the intake of protected health information to only that which is minimally necessary, however, it does not make sense to apply the minimum necessary standard to the entity's internal use of that PHI. If the covered entity only requests information it needs, why then go through all of the trouble and expense of repeating that same operation each time it uses the information.

Our recommendation is that HHS should issue guidance that establishes the minimum necessary requirement does not apply to a covered entity's internal use of PHI if the information used has been obtained from another covered entity. Where should the line be drawn in determining what is reasonably necessary?

The recent agency guidance on the privacy rule indicated that the minimum necessary requirement is not a rigid technical standard, but rather a common sense approach to prevent a covered entity from accumulating information that it clearly does not need.

The line for determining what is reasonably necessary should be drawn in a similar fashion. Our recommendation is that the privacy rule should make clear that covered entities are allowed to develop a common sense approach to determine what is minimally necessary and it should recognize that different covered entities require different amounts and types of information.

We do provide, in response to the question of how can the concept of minimum necessary be explained with greater clarity, we do provide some specific examples of that. A concern that we do express here is that it's important that consumers not come to the conclusion that the privacy rule is some kind of magic bullet with regard to privacy.

Doctors need to have access to an exchange of information to better treat patients. Carriers need information to properly adjudicate claims and benefits. Information is critical to the healthcare system that we operate today.

Hearing the buzzer, I will go to the conclusion. One of the things that we found amazingly was the first business day after the privacy rule took effect, I received a call from one of our folks doing a HEDIS quality audit saying that the provider's office was denying them access to information because of the HIPAA Privacy Rule.

Needless to say, if people in anticipation of a rule that was not in effect for two years were already starting to deny access to information, our concern is that we will see confusion going forward. Our evolving healthcare delivery system is one that increasingly relies on the team approach for delivering care.

This team approach demands that health information be shared responsibly through improved quality and reduced errors. It is imperative that every effort be made to avoid placing providers at odds with plans and impeding the functioning of the healthcare system as a whole. The only way to ensure this is to make sure that the rules are clear and easy to apply. So far as the minimum necessary requirement is concerned, HHS must ensure that the privacy rule in conjunction with the guidance provided by the agency accomplishes the goals outlined in my presentation.

Finally, it is important to remember the historical backdrop that led to the enactment of HIPAA in general and administrative simplification standards in particular. A key goal of HIPAA is to make health insurance more available. The administration simplification standards themselves were proposed almost 10 years ago as a response to help control health costs that were spiraling upwards, not unlike the increases that we see today.

It would be ironic and tragic if we were allowed though HIPAA standards which have such promise, to provide more coverage and more better care to individuals to become the cause for higher costs rather than the solution.

A balanced reasonable approach can provide individuals with greater privacy protections without creating or causing the harm that HIPAA was intended to prevent. The rules promulgated by HHS are an important step in providing and protecting the privacy rights of individuals.

HP and its member plans like Independence Blue Cross have long been committed to protecting the confidentiality of personal health information. We commend the Department for its efforts to date and encourage it to consider the recommendations presented here as it develops further guidance. Thank you.

DR. ROTHSTEIN: Thank you. Questions, clarification.

MR. WEICH: Thank you, Mr. Chairman, members of the subcommittee. My name is Ron Weich and I am a practicing attorney and a legislative consultant to the American Civil Liberties Union, an organization of nearly 300,000 Americans concerned about and dedicated to enhancing privacy in American life.

When Gail Horlick contacted me and asked me to testify at the hearing on behalf of ACLU, I was very pleased and was hopeful to have the opportunity to talk about CENT or marketing or one of the other areas in which the ACLU has spoken quite vocally with great concern about aspects of the final regulation.

And Gail ultimately assigned me to speak on minimum necessary and I was disappointed because I didn't know if there was enough to say. After preparing for this hearing, I want to thank Gail because I now realize that the minimum necessary requirement in the final regulation is, in many respects, the heart and soul of the rule. It is a microcosm of the rule and gives life to the presumption in the rule that medical information is private unless there is a good reason for it not to be.

It's very important that the minimum necessary requirement be interpreted in a robust way that gives it life, that ensures that information is not disseminated without a patient's consent and without good reason. And so I'm very pleased to speak on the subject today.

In my written testimony, I have outlined the ACLU's views on some of the other issues that the subcommittee is considering, including consent, marketing and some areas that the subcommittee was not specifically addressing, including law enforcement, access to medical records, the rights of minors and the rights of domestic violence victims. I submit that set of comments for the subcommittee's deliberations and way to address the considerations in general.

I think it's important when talking about medical privacy to return to first principles. The first thing I want to observe is one that this subcommittee hardly needs to hear which is that medical information is among the most sensitive and intimate information that human beings have about themselves.

A doctor's office is a place where we undress in front of a stranger, we provide bodily fluids that tell enormous secrets about ourselves, especially in the age of the human genome. People are very concerned. You look at public opinion polls. The American public is deeply concerned that that information not be disseminated inappropriately.

Everybody, including the 300,000 ACLU members is a patient and wants high quality medical care, but nobody wants their medical information to be disseminated unnecessarily, unreasonably. These are words that appear repeatedly in the regulation and in the guidance explaining the regulation and I think that they have important meaning in the day-to-day operation of the healthcare system. Given proper light, we can ensure that information is disseminated appropriately for treatment and not disseminated inappropriately for commercial or other unnecessary purposes.

My fellow panelists painted many horror stories about information not being disseminated in a way that would somehow impair treatment. I went back to the regulation. I think it's always important to go back to first principles and the source of law and in 45 CFR 164.502(b)(2), I observed that the regulation states "the minimum necessary requirement does not apply to disclosures to or requests by a healthcare provider for treatment."

It's simply not an issue when a doctor is seeking medical record for a treatment. That information can be conveyed without whatever constraints may be placed on the dissemination of information otherwise by the minimum necessary requirement. So that is what the minimum necessary requirement is not.

What is it? It is a requirement that healthcare providers and other covered entities think twice about the dissemination of information. Is it necessary to disseminate the patient's entire medical record when one portion of the record will suffice for the purpose at hand?

I point out in my testimony that really what this requirement entails is compartmentalization of the medical record and that's a big word and it may sound scary or costly, but it really needn't be. Each of us as individuals go through life compartmentalizing our private information. I have a professional biography that's on numerous electronic databases, it's available to any member of the public. It says where I went to school, my professional explique and so forth. That's information that I want the world to have.

Then there's a set of information that I don't put in that biography, that I save, and I share it with my friends; information about where I grew up and my relationship with my parents. And then there's still another layer of information that I share only with my family, more private information, and some information that I don't even share with them.

There's medical information that I share only with my doctor, legal information that I share only with my lawyer, and I intend the information, I parcel out the information with the very conscious intention of having it used only for certain purposes. That model which each of you utilizes as you go through life, whether you realize it or not, is one that can be easily transported into the healthcare system through the use of policies and procedures.

What the minimum necessary requirement entails is that such policies, procedures, and protocols be developed and followed by entities. It doesn't require anguished deliberation every time a doctor wants to see a medical record. The standard policy will likely say that a doctor is entitled to see as much of the record that he believes necessary to carry out his duty as a doctor.

The protocol will likely say that if an individual has received treatment for a broken arm and is now submitting a claim for insurance reimbursement, that the insurance company does not need to see and, therefore, should not see information about the patient's treatment five years before for mental illness or sexually transmitted disease or some other sensitive condition that the patient does not want disseminated into the world.

The policies and procedures and protocols should not be unduly complex. They should, as the guidance ably sets out, allow for substantial discretion so that in individual cases healthcare can be provided effectively and information can flow freely as needed, but we do see that the bar should be set high for privacy because as a practical matter, there's only going to be slippage here.

This is an aspect of the rule that's going to be very hard to enforce in day-to-day practice. It's not going to be as easy as a healthcare plan that's selling patient's records without consent. This is going to be in the interest of the healthcare system and hard for HHS to discern when there is a violation.

It's important that the policies and procedures and any modeled policies that HHS develops be phrased in a way that errs on the side of privacy because, as I say, in practice we would expect that there would be slippage and more information will get through than is probably needed.

What does the rule mean? You have to give meaning to each of the two words in the key phrase: minimum and necessary. Minimum, you have to ask the question, how much of this information is needed to carry out the task at hand? If it's determining reimbursement for a condition, then it's not necessary to provide more information about other conditions.

Similarly, the word necessary has a common sense meaning. We do not expect this requirement to limit the flow of information to the extent that would in any way impair either the provision or healthcare operations. The question was posed, what are the costs and benefits of the rule?

I say legally that the costs are minimal because the requirement is a common sense one. Surely there will be some administrative cost. We don't deny that, but the healthcare privacy rule itself is going to require that plans hire staff to monitor and carry out privacy policies. This will be an additional duty of the privacy officer within a healthcare entity.

There may be some measurable cost associated with that, some portion of the person's day to carry out this aspect of the regulation, but it's not going to be a very significant cost. It's going to be, in our view, a barely discernable add-on to the old world cost of privacy.

Does the implementation of the privacy rule in general carry a cost? Of course, it does. We don't deny that. We believe, however, that the benefit of privacy is so significant in terms of patients having the assurance of confidentiality that allows them to speak frankly with the doctors and seek healthcare for sensitive conditions, conditions that may impact public health, that we believe that the cost of carrying out the privacy rule in line with the minimum necessary requirement, in particular, are justified by the benefits.

As I say, in my testimony I set out our significant concerns about other aspects of the regulation, but in this area, minimum necessary requirement, we think HHS got it just about right in saying there has to be a minimum necessary requirement otherwise it won't be meaning to the basic presumption in the rule that information is private unless issued consent, but in raising the rule in fairly general terms and flight in guidance that provides discretion in individual cases. We think HHS has ensured that the rule can be implemented in a common sense way. I thank you.

DR. ROTHSTEIN: Thank you. Any clarifying questions for this witness? Then the floor is open for more general questions and discussion.

DR. COHN: First of all, I want to thank the panel for a fascinating set of presentations. I really appreciate the illuminating comments. I want to start with a question to Henry to just give me more understanding of your position. I was struck that as the first speaker you said you're against minimum necessary concept.

Obviously, this subcommittee is considering all sorts of options of ways to mitigate untoward effects, make things easier for implementation. Unfortunately, you didn't mention anything other than milk in terms of things that could be done to make implementation easier.

I was actually curious since Ken Fody came up with a number of specific recommendations, not all of which I agree with, but generally those are things that you think would make implementation in HIA member plan easier if many of them were accepted.

DR. DESMARAIS: They would. I think what we've seen is that the Department as it's gone forward on minimum necessary from where it started, we've seen tremendous evolution away from where it started certainly in the area of treatment as it was pointed out. There have been a number of other adjustments. Our concern is this bar is just not very stable.

There is some real risk with that kind of uncertainty that it almost becomes meaningless. We're spending a lot of money and time and energy on something that's hard to adjudicate, hard to enforce, and will be open to abuse.

We're already seeing anecdotal reports of people using the rule as justification for withholding information that our plans feel is necessary to properly adjudicate claims and make other judgments and to run other kinds of utilization review. I certainly thought Ken's comments were very similar to the ones we were making.

DR. ROTHSTEIN: I have a follow-up question on something you just said. The sources of those anecdotal reports, is it your belief that the people who are withholding information in reliance on the supposed restrictions of HIPAA that they are in error of what the rule requires, they just have it wrong? If that's true, would you see that dissipating over time as there are more educational efforts made to inform providers and other groups exactly what the rule requires?

DR. DESMARAIS: I have limited information and I suspect what's happening is happening for a wide variety of reasons. I do think some people, as you know, the insurance is not necessarily the most popular industry in the United States. I think some people may be using this as a way of hassle factor back to the insurance company saying, just pay the claim. We don't need to give you any information. Just pay the claim and if you don't pay it promptly, we're going to run to the Governor and get a new state law to require you to pay the claim promptly.

I think from what I've heard from our plans, the limited information, they do believe the information that is being withheld is necessary for doing the job. Why it's being withheld, I'd be hesitant to say too much more than I've already said.

DR. HARDING: I have two questions, one for Jim and John. Roy brought up the issue of unique patient identifiers which had been stopped temporarily by Vice President Gore I believe about a year or two ago and no funding for that. What's the status of that at the present time?

MR. SCANLON: The HHS budget included for this year included a prohibition on spending any HHS appropriations related to the development and promulgation of a unique identifier. So we are not doing anything in HHS and we'll see what the '02 budget says similarly.

DR. HARDING: That was from the Bush?

MR. SCANLON: It started with the Clinton/Gore Administration, but it was actually included in Congressional appropriation. So, clearly, it had the support of Congress as well. We'll shortly see what the FY 02 budget brings.

DR. HARDING: The other question was more to the panel in general was that private health information, the difference that I heard was that private health information could be determined some were saying by the requestor and some by the person who is receiving the request. Do you all feel that we should have a minimum amount, the determiner what that amount that we issue?

MR. FODY: I think that was the point that I was trying to make in the testimony that I was presenting was that it would seem to me that responsibility lays clearly in the regulations on an entity requesting information to ensure that it's only asking for what it needs.

Therefore, from our perspective, we would like to see a line drawn as to who's making that judgment. When we make a request to another party, is it our judgment that counts, their judgment that counts? Clearly, from our perspective, it should be the responsibility of the entity making the request that they're the ones that have the judgment. They understand their business needs, their processes and what information they have to have.

DR. HARDING: That they should self-regulate that process I think you testified to.

MR. FODY: The initial step would be self-regulation, but clearly, there is enforcement provisions that if they seek more information than they need, there is the avenue for enforcement.

MR. WEICH: We believe that both the requestor and the requestee should have to determine that this is the minimum necessary information. There can be some reasonable reliance on the assertion that it is and maybe a requestor in a particular situation knows best, but there should be some opportunity and I think Mr. Fody articulated the concept that the requestee would be able to say, look, this is crazy, this is too much. You couldn't possibly need that. There has got to be some opportunity for the recipient of the request to say, no, that doesn't seem right.

MR. FODY: There are provisions for both in the law, parallel provisions that the requestor has minimum necessary to request and also that the person disclosing has minimum necessary. I think the only way we get out of this box about other people trying to make a determination in the patient's best interest is to have the patient be the ultimate source of that consent, get the consent from the patient of what information should be conveyed to them.

Patients don't have that face-to-face relationship like they do with pharmacy for example. We have a sensitivity like the ACLU said of holding back as much as we can to protect the patient. However, the patient with whom we don't have a face-to-face relationship, they're not even aware of some of these things that the plans are doing with their information.

A lot of the things they may like, some of the things they may not. Let's put that decision in the patient consent not for providers and plans to be trying to make decisions in their best interest. Let them make it themselves.

DR. ROTHSTEIN: I have a general question for anyone on the panel to answer. It seems to me that the recurring costs of complying with the minimum necessary standards after you've got the policies and procedures is mostly the labor cost of making a determination of what in the record is appropriate to send or whatever that is and who's going to do that, et cetera. Is it your sense that as clinical records become increasingly computerized that the unit cost will go down over time because the clinical records which then can be aggregated very easily to different fields can be, with a couple of keystrokes, only that corporate information sent, in the example of only the broken arm and not the prior medical conditions. Is that your feeling?

MR. WEICH: Yes, I think this is a case where technology aids in the goal of enhancing privacy with precisely the reason you say, Mr. Chair, that you will be able to label and categorize information through the computer fields and then only send the following three fields and not the other ten. We're hopeful that the cost will diminish over time.

DR. DESMARAIS: I think that problem is we have a long way to go. We're still getting a large number of paper claims from physicians. In fact, that's the more common way in which claims come to us from physicians. In the case of hospitals, it's mainly electronic. I understand in many physicians' offices they don't even have Internet access yet.

So while this is all changing and evolving, what you're talking about will certainly begin to happen. I think there are other costs. There are training costs, there is turnover in employees. There are a lot of costs that will continue to have to be borne and as I said in my testimony, the other problem is what other states are going to do.

If State X has a different definition of minimum necessary than the federal government does, then we have that overlay that will cause further problems. I think companies are already struggling with what's out there now and they recognize there is lots of pressure to adopt more privacy standards all across the country.

DR. BAILLIE: Sorry. If you leave the discretion wide open, and I would just echo that a little bit, it wouldn't matter what kind of computer program you had because it would have a different set of front ends. A small hospital in North Carolina versus a larger institution somewhere else.

MR. FODY: The comment I was going to make is a couple of years ago, I was evaluating information management systems for our legal department and found there were some off-the-shelf solutions for under $10,000 with multiple-user licenses, and there were other solutions that were literally hundreds of thousands of dollars.

The problem that technology brings is that in some respects it drives down cost. In other respects, depending on how much functionality you want to buy and how far you want to go down to the data element level of limiting who gets access to what data, it costs money to build that into the program.

Then you have to update that on a periodic basis and you have to hire staff to maintain that and administer that on your behalf. You literally can spend anywhere from hardly anything to a whole lot of money. With paper files, obviously, that's all there in one place or maybe scattered around in different places, but with technology, you pay for the additional functionality you get.

DR. COHN: I have a slightly different question and it's for Roy. I do apologize for cutting you off in that clarification earlier. I just want to make sure I understood your position since you're bringing up an issue that is somewhat different than everyone else here.

As I listen to you let me tell you what I think I'm hearing, is that it's an issue that we probably should be deferring to such time as we hold a hearing on unique health identifiers, but I'm hearing you as bringing up a potential privacy issue that has to do with unique identifiers that has not been resolved in the standards group in NCPDP, but is a required field, patient name, and is, therefore, covered by the minimum necessary requirement already and is not really a minimum necessary issue. Am I missing something?

DR. BUSSEWITZ: Unfortunately, I left my copy of 5.1 this morning so I could carry the 50 copies of the testimony here. The main thing that has got us looking is the minimum necessary provision at the entire, every data field in 5.1 and there's a lot of data fields in 5.1.

When we were putting 5.1 together, the preceding HIPAA privacy regulations, everybody that wanted anything of patient information in the payment claim in 5.1 got it no matter if it was some oddball thing that only one person wanted, in it went.

All of a sudden after minimum necessary came along, we said wait a second. Is all of this really necessary minimally necessary or reasonable? From the pharmacy point of view, we've gone through the entire 5.1 and we said, this is what we think is minimum necessary for you folks to pay the claim. The PBMs and claims processors have developed their own 5.1.

I'll tell you something. They don't look alike at all. No surprise. The biggest issue that came up was why are you asking for the name? You've got it in 70-75 percent of the cases and you can get it in the rest. This certainly should be necessary. We think that the breach of patient information with the patient's name smack dab in front of you is a whole lot easier than if they had a patient code number which the PBMs do give if they have that depth of information from the payer or employer.

DR. COHN: Just to follow up. I think you're agreeing with me. If it's a mandatory field on the NCPDP transaction, my understanding is that it is not a minimum necessary issue. It is an ongoing issue for discussions within NCPDP to come to resolution about whether it really is necessary for the transactions, but I don't think it would need any further clarification or changes in the federal legislation.

DR. BUSSEWITZ: We've revisited every section in our own mind of minimum necessary.

MR. FODY: Dr. Cohn, if I may just get one point. We were originally thinking about putting in the testimony and took out because it really wasn't relevant. There is protection in the regulation for this, but I think the point that's raised is a good one that you get competing or colliding public policy here.

You have standard transactions that require certain data elements and then you have covered entities and making decisions on what information you need. The reality is that in those standard transactions, there are data coming in, there are data in the claim transactions that I don't need, I don't want, but I must take and the provider must send because it's a required field.

I think from that perspective, it has to be kept out there as an issue of you've got competing public policy. Which is more important, standardization of transactions and what that brings you or privacy or both? The overlaying all of that has to be what happens if a state enters a field and passes a law that says pharmacy should not give that information on the transaction.

How do we resolve that type of pre-emption issue where you've got a competing perspective that's more stringent on privacy, but it impacts in the transaction? I think it is an issue that sort of has to remain and people need to be aware of it as we move forward with it.

DR. ROTHSTEIN: Thank you and I want to thank all five witnesses for your excellent testimony. We will take a brief recess until 10:05 am and then we'll have the next panel.

(Short break.)

DR. ROTHSTEIN: We are ready to begin our second panel of the day on Minimum Necessary. I assume that all the members of the second panel were here for the prior panel and heard the instructions on the testimony in which you were advised to give the minimum necessary testimony. You'll get a one-minute notice. So, we'll begin with Mr. Rode.

MR. RODE: Thank you, Dr. Rothstein, members of the panel, ladies and gentlemen. Good morning. I'm Dan Rode. I'm Vice President for the American Health Information Management Association also known as AHIMA or A-H-I-M-A, however you pronounce it. I want to thank you on behalf of our 40,000 members for the opportunity to comment this morning.

Some of you may not know who AHIMA is. I will refer you to the testimony. I know my predecessor, Kathleen Crawley, chaired this committee at one time and some of you are familiar. I do want to note that AHIMA members have confronted and addressed the functions and activities incorporated in the issue of minimum necessary on a day-to-day basis for many years through functions commonly known as medical correspondence and release of information.

Over the years, our members have endeavored to ensure that privacy and confidentiality on patient information through a myriad of state laws, constant demands by third parties and others, and we believe that there needs to be a limit to the access on personal health information.

Testifying on one of these is like working with a house of cards. You hear other things going on and you want to comment on things you've already heard. I think I'll have a letter to the Committee by Monday and my remarks this morning will not follow the handwritten notes that you have inside. Rather, to try to reach this matter in the 10 minutes, you have a copy of the testimony and if the attachments aren't there, they're on the Web page.

I will try to address the questions that you raised. The first one was the anticipated benefits on minimum necessary. The fundamental benefit on the standards is the tools that it provides to our professionals, to keep PHI out of the hands of those who don't need to see it, who don't need access to it, and to let the patient know that they can rely on a professional to make the decision on what to release and what not to release.

The testimony we just heard from the ACLU expressed that situation. Our professionals need to have that allowance and we believe that the rule allows us to have that. The rule is beginning to sound, in the last couple of days, like the proverbial elephant. Depending on which piece you look at, there seems to be a different interpretation and I hope one day we can all interpret some of these rules the same.

It does give us the clout to say no. It does give us a situation in which we've got additional reason to say, no, and someone behind us. There have been concerns about the rule restricting treatment in operations. We do not believe that that is the case for treatment for payment and for some operations.

The rule does permit some exceptions and we've actually heard two ways of looking at those exceptions. I want to address those, not that I'm sure you can't address those. The first is the fact that the rule does not address the great demand for personal health information beyond that carried on the current UB92 and the 1500.

Some professional offices and some hospitals have had to go to outsourcing groups to keep up with the constant demand to copy records that are necessary to provide information beyond the basic claims function. We heard some discussion this morning that that information is necessary.

We heard also two reasons why we should be doing it. It is rather routine or we wouldn't be outsourcing it. I'd like to think that we ought to be looking at some type of industry task force or some group working with the department to address this issue. We've addressed other issues before.

I think the speakers this morning are correct. Those who seek the information have a right to do so under the rule. We also have the right to restrict it under the rule. I think we need to work that out and it's obvious we haven't. It's a lot of money being involved with a lot of cost.

The second area that we need to look at is something I will speak on a little later. The cost of applying this is going to vary greatly. We believe that many of the standards that are in the rule already exist. They're already in place in hospitals and clinics and it's not going to cost the amount of money that the Secretary projected.

If an entity had no protection, was not looking at any of this, then obviously it's going to cost quite a bit. We believe that the plan is flexible enough to allow for these costs to be a little bit different. Most of our facilities on a provider basis are still dealing with paper-based records. We're not dealing with computerized records or we have some of the data on computer and some on paper.

Only the most advanced facilities have the ability to have a complete electronic medical record and as we discussed a couple of days ago, our quest for the electronic medical record that we can all exchange is still a little bit further off than we have right now.

Smaller facilities have different problems. It's not unusual in a physician's office that everyone has access to the record and that's probably okay. The rule heightens the awareness of what the requirements are. Certainly, if I've got a six-person or eight-person physician office, my ability to train my staff and let them know what the rules are is not that hard of a problem.

The need to restrict staff in that record is a little different than a university teaching hospital where I've had my experience where we have 4,000 employees and you cannot tell me that every person ought to be accessing or have access to the record. On the other hand, right now with a paper record, our ability to restrict access to the paper record at times cannot be as strict as some would like. As we move to computerized database, that will change.

AHIMA has suggested for years that the way to deal with some of these problems is to centralize the release of records. When I say centralize the release of records, I mean the record going out of the institution or the information in the record leaving the institution beyond the basic claims form.

Obviously, one of the biggest functions in their jobs is to work in that centralized function or, if you were in a physician's office, to centralize the function so that when a request for information comes in and a decision has to be made on minimum necessary, our members are schooled in the various laws and regulations, and everything else, accreditation requirements that work on the release of that information.

We believe that function, whether in a hospital or a physician's office or anywhere else needs to be centralized so that those requests that come in can be evaluated, again, beyond the normal TPO uses. Then let the professional make the decision.

Again, I believe the rule allows that to happen. We think that if that could be implemented as part of the recommended guidance and it also is part of what is put in place, this will work very well. This also answers the question of where do we draw the line on minimum necessary?

The practice briefs that I attached to the testimony are some of the things that we have been doing for years on letting people know how to design policies and procedures and where that line is drawn. If you look at the dates on those policies, you'll see that we updated those and actually printed those in our journal in May and June to give people a heads up on how to address that.

We're going to continue to address that until we have total pre-emption on this. We're going to have to address every state rule, every accreditation rule, every rule from every federal program, court orders, consent and what have you under that purpose and that's the reason for centralizing it as well.

This is where we draw the line in favor of the patient as was suggested by the last person to testify. You've given us the right under the rule to look at may vs. must. Our members take this rule and this obligation very seriously and we believe professionals need to do that as well.

I have given you some examples in the testimony of generic ways of talking about how to explain minimum necessary and we're going to have to explain this. It's one that I don't want to review this morning, but will suggest that we'll be happy to work with anyone to come up with ways to explain this and turn this to English. We've held consumer conferences and other things in the past and we think this can be done.

The last question was applying the standard internally to an organization. Again, the size of the organization is going to be a problem. We believe that right now most of this is going to be addressed with policies and procedures and practices and training, paper makes it harder.

In our letter to the Secretary, we did make some recommendations we think will make this a little easier. We recommended to the Secretary that the right to request privacy protection for PHI as in Section 165522 be modified. We're not suggesting an entity not grant such a right, but that requiring special procedures for certain subsets of the health records is clinically and administratively ill advised.

HHS has made a similar comment in the preamble to the testimony, page 59919 in Volume 64 and our letter to the Secretary which is attached, goes into the clinical reasons why we should look to change this. The reason is very simple and it has already been addressed. We don't have the ability to segregate parts of the record internally in paper form.

We have to try to restrict the record, but when we give the record, we can't restrict it. If someone comes in and says, I don't want my cousin in the surgery department to see anything in my record, we'll do our darndest. But if we give the record to the surgeon who needs it, and he gives it to that cousin because that's the person that processes it, we don't have a lot of control in that right now.

The physician may have a different situation in an office. As we move to computerization, our ability to restrict that will be much easier, not total, but a lot easier. Our ability to restrict information per episode will also become easier, but we're caught in the middle right now. The technology doesn't fit with this.

To continue the right means that we're going to tell a patient, here's the right. We cannot grant it to you because we don't have the ability. We would rather say, when we can grant the right, we will do so and not explain why we can't grant the right. We think it puts providers in a very bad framework with patients as they have to take this right-of-way because we don't know very many that could actually pre-empt it.

We also made a three-part recommendation. We recommended that the responsibility for disclosure of health information be centralized as I already covered. We recommended that the requestor of personal health information present or sign a statement stipulating that the requested information is limited to minimum necessary for the stated purpose, and patently it must be understood that we're not talking about situations related to emergent or urgent treatment or customary exchange of information on the HIPAA transactions.

Third, we recommended that a statement prohibiting the use of information for other than the stated purpose are required to structure the information after the stated need has been fulfilled within law should accompany any disclosure of health information to external requestors.

Just to conclude, we think the rules basically are very good. I would think they're very misunderstood depending on who seems to be reading them. We think we need to come together on what those understandings may be. We're concerned with the right of the individual to request restrictions and disclosure of uses at this point in time. There are a lot of challenges ahead and we're ready to work with you at any time to meet these challenges. Thank you.

DR. ROTHSTEIN: Thank you. Clarifying questions from the Committee.

MS. SERKES: I'm Kathryn Serkes here for the Association of American Physicians and Surgeons. I think that for some of you, this may seem like letting the inmates run the asylum for the day letting us testify. Just think of me as Bob Gelman for the day. On that note, I would like to thank the Chairman and the subcommittee and in particular, the staff, Ms. Horlick and the old congenial and competent staff for having me here and allowing me to speak today.

I do have a written statement, but I'm going to deviate some from the written statement just to make you pay attention. What I would like to start out with is a little bit of background and a couple of statements before I get into the specific questions.

I would like to reiterate that the Association of American Physicians and Surgeons is a professional association, a non-partisan professional association of physicians whose mission is the preservation and protection of the sanctity of the patient/physician relationship from intrusion of third party.

Given our mission, I am here not just representing physicians and the problems that physicians see with the implementation of the privacy regs and the minimum necessary standard in particular, but also patients.

I think that that is a voice that quite frankly has not been well represented in the entire process. All of my colleagues on this panel and on the previous panels as well talk about the issues of operations, streamlining operations, reducing cost, centralizing records as opposed to the issue of protecting privacy. I think Sue Leven addressed the actual issues of privacy and confidentiality I think in the most thorough way so far.

Given that, I will remind you that AAPS has been a very vocal opponent of these regulations for some specific reasons as well as general philosophical grounds which we have outlined in our written statements previously particularly those submitted on March 26 of this year which I include and incorporate into this my written statement of this for the record.

Just to summarize some of those oppositions, we believe that the regulations do violate the Paperwork Reduction Act and the Regulatory Flexibility Act and I'll say a little bit more on that later, as well as the First, Fourth, and Tenth Amendments. In the interest of full disclosure, I will also tell you that the association along with a number of co-plaintiffs is filing a legal challenge to the regulations.

With that on the table, one of the things we haven't talked about a little bit is the physicians' opposition to the regulation, not the organizations that represent physicians, but the physicians.

We have polled physicians, and our numbers, a poll of 344 physicians shows that a whopping 96 percent and this pertains to the chilling effect that we think will happen in the patient/physician communication. Physicians already believe that third parties ask for information they believe to violate confidentiality, with 51 percent reporting that those requests come in from government agencies and 70 percent coming from health plans.

Now, nearly 87 percent report that a patient has asked already that information be kept out of the record and nearly 78 percent of information report that they have done so, kept information out of the patient's record due to privacy concerns. Even 19 percent admit to actually lying to protect patient privacy. They said that 74 percent actually then were withheld.

I think that we will need to think about this as we move further along the implementation is that the conclusions that we reached is that the rules will exacerbate the situation to the point of distorted and incomplete medical records. Physicians are already telling us that we know that patients are withholding information because of their privacy concerns. Because of the disconnect we see about the government access to the information and these concerns over information and costs, we think that the regulations will make that worse.

Just in brief, our problem with the implementation is that there is a backwards assumption here on the minimum necessary standard. That is the assumption that the information is needed under a public health need and that that public health need trumps the individual's rights. We disagree with that because as we talk about the standard, you'll see that the problems with the definition standard, the fuzzy nature of the standard, the lack of definition, the lack of delineation of who these professionals are who can decide what's minimum necessary, means that physicians who have to respond to the requesting entities' request for information, usually the plan or the government, have to contort themselves and jump through hoops to provide what those plans have deemed minimum necessary.

Physicians at the same time as a covered entity will be subject to the criminal provisions of the act itself. It's a game of regulatory roulette. If the providing entity guesses wrong on what's minimum necessary and what will fulfill that, they face the possibility of the criminal prosecution, fines, et cetera. So we don't see a way that physicians can win in their attempt to fulfill this requirement.

Now, given all of that, let me give our best faith efforts to answer some of the specific questions as they are in practice. That is, the anticipated benefits of the necessary standard. The purported benefits as we hear from everyone else is to prevent the widespread dissemination of sensitive information that could harm the patient without providing any advantage.

However, there is no benefit evidence to us that there is anything other than a hypothetical benefit in this because where do you draw the line and for some patients, information that will be detrimental is not detrimental to another patient even though they would fit into the same definition of minimum necessary.

For example, say that a coverage decision requires information about a patient's gynecological history. This might reveal that the person had had an abortion. Release of this information might harm a patient or the patient might perceive a risk of harm. On the other hand, the patient's race probably has no bearing on the coverage decision. In fact, that information is probably illegal by civil rights laws and it's not part of the minimum necessary data set.

There is probably no rule or perceived time in conveying that information, the data on race and it is probably already known, but the minimum necessary information might be just as prejudicial perhaps more so if out of context to the total chart as we talk about segregating the charts.

It is of no help in allaying the patients' concerns. For example, the presence of a diagnostic code for anxiety or depression could be prejudicial, whereas an understanding of the likely non-recurring circumstances and the response to treatment, would show the patient's generally excellent mental status.

Our concern here too is that the agencies with the greatest power to do actual harm also have the power to define minimum necessary for their purposes and that includes government agencies that might use the information for planning purposes under the guise of quality or cost containment is there would be an element of government rationing as opposed to the marketplace.

Another factor that greatly diminishes the effect of the minimum necessary is the recipient of the information who may have a vested interest in obtaining the information. The covered entity plan is to get as much information as necessary, as much as they can get.

On the other hand, it is the plan that is the requester, the covered entity who is coming to the physician's office and essentially defining what is minimum necessary to them. Again, there is a conflict of interest on the part of the requester and that has not been addressed.

I want to talk for a moment about the law enforcement as well. Law enforcement is exempt from minimum necessary standard and you'll see in our recommendation that we feel that law enforcement agencies should be subject to the same Fourth Amendment protections, that people be subjected to the same protections even when the requester is a law enforcement agency.

Number two, first of all I'm shocked to hear Dr. Blair yesterday mentioned, I'd like to see some numbers of implementation. At this point, it should have been done. Under the Paperwork Reduction Act and the Regulatory Flexibility Act, those numbers should have been crunched and that's one of our concerns that the regulatory agencies are in violation of those acts because that has not been done.

Now, according to the numbers from the government, the compliance costs for small business are $40,188 of establishment in the first year and approximately $2,217 thereafter. However, that does not take into account the social costs as well as the continued cost of compliance.

According to our research, regulations for most offices would include $8,000 for hardware, $12,000 for new software. And then there are the seminar fees and lost time from work for compliance and that's just off the bat. We're being inundated with people who promise to make us HIPAA-compliant.

Then there's $3,000 here and $3,000 there, you too can go to a seminar and become compliant which we find particularly interesting because the Committee can't figure out the definitions of what would make it compliant. So we're not sure that people who want to charge us $300 are going to make us compliant as well.

You can look at our written statement to explain the process of why the costs jump up so much higher for a smaller office particularly, particularly an office that has been paper-based has to really contort itself and jump through some hoops to get into compliance here.

I will fill that out a little bit more for you. I don't have the time now, but since you were asking me for numbers, I wanted to make sure we had that in there. For example, I have consulted with the State of California. Their Senate committee on privacy has extreme concerns that the state will not be able to be in compliance because once they get into the implementation out in the hinterlands that the smaller clinics that serve underserved populations will not be able to afford the implementation.

In conclusion, I would like to point out that our recommendations are that the Committee define minimum necessary which has not been defined. It is mentioned 33 times in the regulations without a definition. We recommend that the professionals who are allowed to decide the minimum necessary be defined because it says it could be this, it could be that without really defining it.

Somewhere there needs to be some sort of menu to explain these terms so that we're not all second guessing. As it was pointed out yesterday by Dr. Harding, at this point down the line with final regulations, the Committee itself is still asking questions like I heard conflicting testimony and I'm not sure which is correct.

I think we have a lot of intelligent, well-educated people who are well versed on these issues and we're reading them differently and we're coming up with different interpretations. And either we're all wrong or there is an inherent problem in the complexity of the regulations that is making it almost impossible to move into implementation and enforce. Thank you.

DR. ROTHSTEIN: Thank you.

MS. FYFFE: Thank you for that spirited testimony and the fond reminder of Bob Gelman. Two specific questions: How many physicians does your organization represent? You note here in your testimony these physicians have millions of patient visits, but how many physicians are part of your organization?

MS. SERKES: We represent about 4,000 physicians in regular practice.

MS. FYFFE: You further say that you mailed a survey out to 344 physicians. Please tell me this was a random survey and not a self-selected group of only your own physicians.

MS. SERKES: No, it was a random survey from a mailing list provided by the AMA.

MS. FYFFE: Thank you very much.

DR. ROTHSTEIN: Any other clarifying questions?

DR. GUIDOTTI: Thank you. Members of the panel, my name is Dr. Teel Guidotti. I'm Chair of the Department of Environmental and Occupational Health in the School of Public Health and Health Services at the George Washington University. I also hold the post as the Director of the Division of Occupational Medicine and Toxicology in the Department of Medicine at GW.

I'm here today representing the American College of Occupational and Environmental Medicine (ACOEM). On behalf of ACOEM and its members, I thank you for this opportunity to provide comments on the minimum necessary standard and the new medical privacy rule.

Our interest in this comes from a particular standpoint of our members being at the center of complicated issues involving employers, involving workers compensation carriers, involving individual workers as patients. ACOEM represents over 6,000 physicians and is the world's pre-eminent and largest national organization of physicians specializing in the practice of preventing and assessing and treating occupational and environmental health problems.

Occupational and environmental medicine which we call OEM is the medical specialty devoted to the prevention and management of occupational and environmental injury, illness, and disability and the promotion of health and productivity of workers, their families and the communities in which they live.

Our members provide health services in a wide variety of practice situations. These include clinical services, medical surveillance, fitness for duty examinations and pre-placement examinations. These are conducted in connection with a myriad of state and federal health and safety regulations.

Our members serve as gatekeepers to the health and medical records of our nation's workforce and of their families. We routinely deal with issues or rights of access and use of information in legal disputes, workers' compensation, human resources and employee benefits issues. We are not usually in the middle of such matters.

ACOEM appreciates the efforts put forth by the Department to develop a regulation that accounts for the complex nature of protecting personal health information and for issuing the recent guidance documents. These clarifications will serve as a starting point for our members as they continue their efforts to interpret the rule and prepare for compliance by April 2003.

Although the new rules are a positive step in protecting information, they do fall short of eliminating all risk to employees of disclosing health information to their employers. These risks are real, they are commonplace, and they interfere with management of occupational health problems and the cooperation of workers necessary for prevention.

We're encouraged, however, by your commitment. Issuing modifications through new rule makings and how that many were raised today and in our formal comments will be resolved by such rulemaking. We strongly urge the Department to use such opportunities to close the existing gap and to clarify areas that remain vague for occupational physicians who are on the firing line.

Protecting confidentiality and privacy is imperative to preserving patient trust and employee trust in the workplace. ACOEM recognizes the minimum necessary standard by establishing certain levels of control over a patient's medical record which should help to preserve the confidential relationship between patients and physicians.

It will help to reassure patients that their most personal, private information will not be given inappropriately to their employer or to their company representative who have hiring, firing, and promotion authority. Overall, ACOEM is pleased with the general principle in the proposed standard, that a covered entity must make reasonable efforts to provide this information to the minimum necessary to accomplish the intended purpose, when using or disclosing such information.

We are also pleased that the final rule extends the minimum necessary standard to covered entities' requests for the identifiable information from other covered entities. This will place the accountability with the covered entity requesting the information. It will receive some of the burden from physicians and other healthcare providers to determine what is the minimum necessary.

It may also help to identify unreasonable requests for information before they are made. In addition, ACOEM appreciates the application of the minimum necessary standard. In most disclosures allowed by the rule where authorization by the patient/worker in our case, has not been obtained for future use. The physician would then exercise discretion in the interest of the patient and society which we believe to be a legitimate public health function of occupational health protection.

For most disclosures allowed for purposes such as health oversight, research, and others the entity making the disclosure is required to limit the information disclosed. Under this approach, we believe physicians will retain their fiduciary role as the ultimate protector of the patient's record and will be in a position to challenge demands that in their professional judgment are excessive.

Retaining this ability to challenge overly broad requests will keep the system fair and provide for some productive internal tension to ensure that the standard is honored. ACOEM does, however, remain concerned with some provisions of the rules that apply to medical records and employment situations.

Our members differ from the rest of the medical community because of the nature of our work. Most physicians interact primarily with their patients, other physicians and insurance carriers who are covered by the rule. In contrast, however, occupational environmental medical physicians also interact with employers, representatives of the employers which may include anyone from the CEO to general counsel, human resources personnel, particularly sensitive, plant managers, et cetera.

We interact with occupational safety and health professionals and increasingly with environmental managers. These may include occupational health nurses, hygienists, safety engineers, environmental engineers and we interact regularly with workers compensation carriers, none of whom are covered by this rule.

We are of necessity the interlocutor among the parties to occupational health protection. We are involved in employment benefits, we are involved in workers compensation issues, all of which require and retain the individual health status. As a result, the occupational and environmental health professional becomes a gatekeeper for protected health information.

And the physician, arguably the person with the narrowest discretion and the narrowest capacity to act, now bears the entire liability and under the rule bear the entire liability if he/she released more than the minimum necessary. This is patently unfair.

Furthermore, physicians practice in a variety of practice settings. In addition to clinical services, an ACOEM physician may engage in any of numerous activities such as placement examinations which are not really triggered by clinical problems, they're triggered by employment actions, disease and disability management, medical surveillance, fitness for duty evaluations in which the employer needs to know if an individual is fit for duty, but nothing more and analysis of aggregated data for prevention purposes.

The minimum necessary test provides a factor in each of these activities that allows decisions to be made and physicians are required to report information back to the employer or, for example, to a workers compensation insurance carrier.

The minimum necessary standard does present many challenges to our members. First, the rule places the burden on the physician of deciding on a case by case basis what is the minimum necessary amount of information to disclose. In other words, to challenge the requesting party.

For example, in the performance of the medical surveillance examination, a physician may find that a hazardous waste worker has abnormalities in liver function. What is the minimum amount of information that has to be released to the employer? What is the minimum amount if the worker has signed an authorization? What is the role of disclosure on alcohol intake? What is the minimum amount of information in screening for occupational illnesses when false positive evaluations are inevitable and may be on the medical record?

Medical surveillance of hazardous waste workers is further complicated, for example, by a range of hazards to which the workers may be exposed. Liver function tests may be affected by many factors: alcohol, infections, as well as exposure to toxic substances. This information can be used in litigation and in challenging workers compensation claims. In this instance, how should the minimum necessary standard be applied?

Another example. If a work-related illness or other occupational abnormality is noted, should the employer be informed? We believe that the employer should be informed, but not given specific diagnostic information. The rule, however, provides no guidance on whether diagnostic information is considered to be in the scope of the minimum necessary standard.

Without such guidance, physicians may well be strong armed into releasing diagnostic information because the physician uniquely has the narrowest capacity to act and the narrowest discretionary authority of the players in this system.

If there are, for example, abnormalities that are the result of alcohol abuse, previous hepatitis infection, for example, or medications or some other factor, should the employer be given such information? In this case, we believe the employer should not be informed, that this exceeds the minimum necessary.

If the liver function abnormalities are permanent, if they reflect the non-occupational hepatitis, for example, or some other hepatic disorder, should the employer be informed? In this instance, the minimum necessary becomes highly problematic for the occupational/environmental physician.

To share this information with the employer may protect the employee from further liver damage, from exposure to hepatotoxins or as a result of providing the information, the employer may take action which may be unjustified or illegal or dismiss the employee which happens or to prevent further healthcare or workers compensation problems.

In this example, the occupational physician may act in ways that he thinks is most protective of the employee by advising the employer of potential exposure while withholding other information that is not necessary. If they do, they may potentially violate the rule. Secondly, the occupational physicians are placed in the position of having to defend their position.

DR. ROTHSTEIN: Excuse me, Dr. Guidotti. Time has expired. I wonder if you could summarize. We've got your testimony in front of us.

DR. GUIDOTTI: Okay. Great. Then I would say that a specific problem exists with regard to workers compensation. The rule permits a physician to disclose more than the minimum amount of information to the extent necessary to comply with specific state laws. This is a problem with regard to the state-based nature of workers compensation law.

The rule does not address what the physician should do as the state law permits disclosure. As a side note, we believe that the minimum necessary requirements of the rule will impede processing of workers compensation claims. So this is an issue that needs to be addressed.

The practical problem for the occupational physician is where to set the bright line test for deciding what is the minimum necessary. We recommend that HHS develop a standard protocol for use by occupational physicians in implementing the minimum necessary and ACOEM would gladly work with the Department to develop such a protocol.

And as always, we're happy to assist the Department in developing a sound policy to protect this most sensitive area of private information for our nation's workforce. Thank you.

DR. ROTHSTEIN: Thank you. Clarifying questions from the committee members?

MS. FOLEY: Good morning. I'm going to work from my written testimony, but we do have copies here for you. I'm Mary Foley, President of the American Nurses Association. We're the only full service professional association that represents the nation's registered nurses throughout our 54 state and territorial associations.

I'm very pleased to be here this morning to offer our views and the views of the profession of nursing on the patient privacy and confidentiality regulations issued by the Department of Health and Human Services according to the Act of 1996. I will direct my comments, as you've requested, to the question of minimum amount of necessary information.

I am a healthcare practitioner and until I became president of the American Nurses Association a year and a half ago, I was a nursing executive in a medium-sized hospital in California. Before that, I spent 17 years as a staff nurse in the same hospital and I've also served as a nursing instructor.

The third charge of code of ethics for nurses states "the nurse safeguards the patient's right to privacy. The need for healthcare does not justify unwanted intrusion into the patient's life. The nurse advocates for an environment that provides for sufficient physical privacy including auditory privacy for discussions of a personal nature and policy and practices that promote the confidentiality of information."

"Stemming from a right to privacy, the nurse has a duty to maintain confidentiality of all patient information. The patient's well being could be to have the fundamental trust between patient and nurse destroyed by unnecessary access to data or by the inappropriate disclosure of identifiable patient information."

That's a statement and an obligation that the nursing community takes very seriously and that is why I'm here today. Virtually, all of ANA's members are involved in creating, transmitting, and safeguarding patient records on a daily basis as an integral part of their professional practice.

Working on the front line of healthcare, registered nurses are well aware of the concerns the patients have regarding their privacy and confidentiality and we remain professionally committed to strong, enforceable standards to protect the confidentiality of the healthcare information of our patients.

This commitment has always been a part of professional practice, but the need for federal law is, in large part, a function of the momentous change in our communications technology. Healthcare professionals have always been aware of and have been instructed in the importance of confidentiality and the possibilities for carelessness and the need for that reminder in the code of ethics is real.

But the complexity of the healthcare system means that transgressions of confidentiality, intentional or not have much broader consequences than ever before because the information travels further and faster, cannot be retrieved and can be used in many ways not intended for healthcare services.

In my testimony, I will focus on the two aspects of this issue that I can speak to as a nurse and as a representative of the nursing profession. First, it is the necessity to keep our focus on what is best for the patient. Second, it is the practical application of this standard in healthcare setting that we're here to discuss.

The most important test that these regulations must meet is whether each patient's reasonable expectations for privacy and confidentiality are addressed. Can I assure my patients that when they are describing the most intimate, troublesome, embarrassing, frightening aspect of their lives to people who will treat and care for them, that there will be safeguards for maintaining the confidentiality of this sensitive information, but using it appropriately for the intended treatment?

If I can't do that, many of my patients will go without treatment or will disclose only some of the information, a dangerous proposition which we know can lead to improper diagnosis, improper treatment, and complications in an illness or injury and even death.

It is hard for patients to talk about a whole range of sensitive issues which might include mental illness, sexual practices and physical abuse just as examples. It will not happen at all if you think your story is going to be the grist for the local gossip mill because the people who treat you are careless.

It will not happen if you know your records may be made available to your employer who will then have the opportunity to consider the implications of a prescription for anti-depressants. This concern for our patients must be our overriding concern, not whether the rule will be inconvenient for practitioners or staffers who handle the insurance paperwork.

The minimum necessary standard requires covered entities to make reasonable efforts to limit disclosure of protected health information. The minimum necessary to accomplish the intended purpose of its use doesn't apply to disclosure for providers for treatment, to the individual patient or entire specifically authorized by the patient or of enforcement of the HIPAA statute of other law.

I believe it's very important that we convey, as does the Department's guidance document which contains very sensible and very supportable explanations, and a useful question and answer section. Ways in which normal practice will continue without change.

What then is left to be regulated? In ordinary terms, the rule speaks to carelessness and insensitivity, but a subtler, in some ways, more important issue is the need for institutional systems that support practitioners and other health staff in methodological applications about the decision making.

This regulation requires that a covered entity must reasonably safeguard protected health information from any intentional or unintentional use or disclosure. Of course, they must. Accrediting body for hospitals is already required. This really is not a new expectation.

Any suggestion that it's new or burdensome is really unfounded. Watch your voice, don't talk about patients by names in the hallways, post prominent notices for patients informing them that staff will work to meet their requests for greater privacy, inquire about the hope for that and then do it.

These institutions are the staff of daily work in a hospital setting. Every nurse is trained to be tuned to the importance. In any hospital or practitioner that isn't already doing it and doing it seriously is a menace. A systematic approach to privacy and confidentiality would look at everyday devices.

For example, intercoms that carry some very personal and private information into the entire departments and ask physician questions and convey patient's name or the colonoscopy in Room 6. Information that is transmitted widely because of the ease of the electronics has overridden the sensitivity of the patients, their complex needs and we really need to think about how the system could be improved.

How about personal handsets? You don't transmit by intercom into an entire room a question of whether Kathleen can have Demerol rather than Morphine for pain. No one else needs to know that that's what her need is and it should be handled much more sensitively.

Another example, very simple, the closing of doors when there are health inquiries being made. We had our own staff experience that just recently in an OB/GYN office where health histories were being taken and doors were wide open. Simple practices, very simple implementation.

One of the core issues around this controversy that's been raised by these regulations aside from the money is the extent it may require practitioners and institutional providers interact among ourselves and our patients. It's understandable in an environment that may already be seen as burdensome for practitioners that another layer of regulation could be seen as intrusive and unnecessary.

Our response, ANA's response was that these regulations have, as we must have, the patient's best interest at heart. The public expects nothing less. If we are already careful, and these rules give us a framework for making sure that our safeguards are consistent and reliable. If we can't bother to be reliable, the rules will force us to change our ways and we think they should.

A few years ago, the chief medical officer in my hospital was himself a patient in the hospital. It was my first Christmas as Chief Nurse Exec and it wasn't great to have your Chief of Medicine admitted to the hospital over the holidays. I was on duty the entire time.

While he was a patient any number of physicians, none of whom were his attending physician, stopped by to offer him advice and comment on his condition and his family matters from information they felt free to glean from his medical record.

I will tell you that that physician when he came back to work made known in no uncertain terms, the way a leader should, what he thought about this casual breach of privacy and he realized if it could happen to him, it will happen to anyone and that it was unacceptable.

The minimum necessary rule requires that a hospital have in place a policy identifying which practitioners and staff will have access to patient information and under what circumstances. It doesn't prescribe the policy, only that it must be clear, that it must be in place, it must afford the patient a reasonable expectation that the records will be treated with respect and confidentiality and it must be enforced.

Every day there are practitioners who as a matter of ethics and successful treatment must be able to assure their patients that their records are protected. We have a patchwork of state laws that provide some protections to some people, some of the time, in some places. The ANA welcomes this new national standard of basic protections for all of our people, all of the time, every place in this nation. And we thank you for the opportunity to testify and I'd be pleased to answer any questions. Thank you.

DR. ROTHSTEIN: Thank you. Clarification questions from the subcommittee.

MR. WOOD: Thank you, members of the subcommittee. I'm not Bob Gelman either. Let me start off by saying that we appreciate the opportunity to testify here this morning before you. The American Insurance Association is a major provider of all property and casualty insurance benefits including workers compensation benefits in this country.

First, what workers compensation is not a medical program and some people confuse it with that. It is a disability program with a medical component, a critically important medical component because the objective of the workers compensation system is not only to heal an injured worker, but to get him back to work.

Inherent in that objective is the need for sound disability management practices. This is where the minimum necessary standard runs aground. I would respectfully disagree with Dr. Guidotti and actually think that implicitly, though not intentionally, he helps to make our case. More on that in a minute.

Property and casualty benefit providers, as we are generically known, are not covered entities under the rule, a legal position that HHS took with which we agree. We believe that it is a sound legal decision. However, we believe that the rule's application of the minimum necessary standard to workers compensation is inherently flawed, it will impede the communication of information needed to evaluate workers compensation claims and thereby threatens the independence of the state-based workers compensation system, an issue which goes far beyond this committee's consideration.

For those reasons, we have urged HHS on repeated occasions to not apply the minimum necessary standard to P&C benefit providers and we reiterate that recommendation to this committee. The conceptual problems we still have with the HHS rules and though we believe that they have taken an honest stab at addressing our concerns still lies in ambiguities throughout the rule of which minimum necessary is one of the ability of non-covered entities to get information in the first place from covered entities.

It doesn't do us too much good to be able to disclose downstream information we can't get to begin with. Secondly, and this is where the minimum necessary standard is in direct conflict. We believe the superimposition of what is a federal information disclosure standard on the state-based workers compensation system which for as long as it has existed, since the early part of the last century, has been a state-based system.

I would say that the exclusion of P&C insurance in workers compensation has been consistent throughout. Congress has consistently excluded them throughout in legislation governing health insurance not only with respect to ERISA, but with respect to the Public Health Service Act as well.

Congress has consistently determined not to interfere with the carefully constructed regulatory system developed by the states which reflects the delicate balancing of the rights and needs of workers and P&C benefit providers. I might add in a footnote that Congress fairly recently we'll all recall, had another occasion to opine on this and that was with respect to the ergonomic standard which included provisions which would flatly contradict state workers compensation systems.

Under the current system, when an injury occurs, a claim for benefits automatically places the claimant's health status and medical history at issue giving the defending party, in this case the employer or its insurance carrier, access to full medical records is an elementary legal principle because this information must be fully available to both parties to ensure a fair and equitable result.

Full disclosure is also particularly important with respect to comp because state law reflects a careful balancing of worker rights and employer obligations holding the employer liable for all workers compensation benefits prescribed by statute even if the worker were negligent himself.

The obligation is very significant because workers compensation laws provide first dollar coverage, first dollar medical benefits for all reasonable and necessary treatment of all of the claimants, no duration limitation, no dollar limitation and replaces a substantial portion of lost wages. One way in which state law effectuates the balance of worker rights and employer responsibilities is providing an informal, largely self-executing administrative process for benefit delivery. Requiring physicians to make selective disclosures of medical information needed to evaluate a claim will frustrate the self-executing objective by creating an incentive against cooperating with the workers compensation provider thereby damaging the latter's ability to effectively determine liability for payment and to manage distractibility.

Liability for payment and to manage disability. That is the objective of a property and casualty insurance carrier, that is the objective of a workers compensation benefit provider. The result will be significantly increased administrative burden, more litigation. You heard Dr. Guidotti suggest there ought to be an action against carriers for inappropriate requests to disclose information more than what is deemed minimum necessary, higher medical costs, longer duration of disability benefits, certainly high indemnity costs and decreased worker productivity.

Prohibiting covered entities, particularly medical providers from disclosing to property and casualty insurance carrier benefit providers information beyond what the medical provider deems minimum necessary puts medical providers in an unwarranted and untenable position of making what essentially are legal judgments about the relevance of particular information for claims determination purposes. It's a highly inappropriate obligation. It will hinder the workers compensation administration process and put an unfair and undue burden on medical providers.

Contrary to state comp law and procedure, use of the physician's opinion for determining what is the minimum necessary in connection with a claim in converting a medical judgment into a legal judgment because the information received has a direct bearing on legal rights and obligations of claimants. This is where property and casualty insurance carrier differs from health insurance.

There is a third party claiming benefits against someone else, an employer, someone who is hit in an automobile accident. If a federal minimum necessary standard is allowed to take effect with respect to comp, many medical providers unknowingly or even intentionally will withhold relevant information on prior and concurrent medical conditions as well as information collected in connection with a claim.

It may not even appear to the provider to be necessary, but it is necessary in order to make a legal judgment about the claim. I listed in my testimony some bullets as to where this conflicts. A typical example is diabetes. If that information isn't disclosed, certainly having diabetes will impact the recovery, have an impact on the duration of recovery, thus the payment of indemnity benefits, the establishment of insurance reserve.

There are certainly significant financial implications if an insurer does not have full information about the individual's medical history. I'd cite another example, that many medical providers do not realize that a workers compensation insurance may also pay for treatment on an unrelated medical condition that is retarding recovery.

I just came across an example yesterday of this that makes this case. This is an actual case in the Florida workers compensation system where an individual injured her knee and the knee had to be replaced. The estimated cost was $40,000 for this claim, medical as well as lost wages.

What the doctor even without the minimum necessary standard did not tell the insurer was that there was a psychological overlay to this claim that developed. Because of that, the insurer who thought this was a $40,000 claim and reserved as that was very surprised to learn upon settlement of this claim that it settled for $4 million.

Now that's just one case, but if you multiply that and that may be an extreme case, those kinds of circumstances across the spectrum, what you have are significantly higher costs to the workers compensation system. What it will do is drive up the cost to employers who pay for the system and it will create system instability. Carriers can adjust reserve, but it's going to create a lot of instability if a lot of $40,000 cases suddenly end up being million dollar cases.

I know my time is almost up, but let me make one other key comment with respect to that. In applying the minimum necessary and establishing a federal disclosure standard, what HHS is doing is establishing a federal rule for state workers compensation and I don't believe that HHS clearly understands the implications of that.

I think that employers are going to be very surprised when they discover that the information that they disclosed in a case or that their property and casualty insurance carrier disclosed in a particular workers compensation case is being second guessed by someone in the Office of Civil Rights.

Where there is a proceeding and ultimate enforcement action in the Office of Civil Rights ultimately in federal courts. What we have here is for the first time in this country, a federal rule governing state workers compensation. That is a significant departure. With dual jurisdiction and dual enforcement, it is going to confuse matters more, drive up dispute in litigation, and it is going to drive up costs significantly in the workers compensation system. With that, I will conclude.

DR. ROTHSTEIN: Thank you. Clarifying questions? It certainly was a spirited panel and now I'll open the floor to general questions.

DR. COHN: I was astonished, Bruce, by your testimony. First of all, the testimonies were generally excellent. So thank you. Bruce, I wanted to get a slightly better understanding of your position just to make sure I understood it. I'm reflecting a little bit on my own experience.

I'm a practicing physician. I have a little bit of additional training in occupational medicine although I'm not board certified. I spent a number of years as Chief of Medicine in a medium-sized medical center a number of years ago. I can remember when there was a request for information on workers compensation generally going and reading the chart and saying, yes, this is relevant, that isn't relevant and sending it off to the workers compensation insurance carrier.

In my state, this was the standard of practice. Is your position that in all cases of workers compensation that the entire medical record should be requested and sent? That seems to be where we're going with your testimony. Is this your position?

MR. WOOD: Let me suggest a nuance here. What I'm suggesting is a disclosure standard should not be a federal standard for this because of interference with state comp. Secondly, to draft a disclosure standard into a regulation or into law, I think is a step beyond even a judgment that a physician may make in consultation with a workers compensation carrier about what information might be wanted.

My point is that you're an experienced doctor. You have made some internal adjustments in what information you might and perhaps it had no kind of prejudicial impact on what that case was. In my Florida case that I mentioned, the doctor there certainly in hindsight should have let the carrier know that there could be a potential psychological overlay and that this case could cost a lot more than the carrier thought. It points out the severe complexities with a disclosure standard like this.

DR. ROTHSTEIN: May I follow up on that question? Is it your position that the minimum necessary standard is a more limited standard in terms of disclosure obligations than the current relevancy standard that is standard in state workers compensation laws? Or are you saying that the standards are equivalent, but you don't want it to be a federalized standard that applies?

MR. WOOD: I think I would beg to differ with you with respect to your premise that there is a relevancy standard in state workers compensation laws. It's fair to say that in state workers compensation that it has been to this point the exception to the rule that there have been expressed medical privacy provisions in the statute.

It's only in recent years with heightened interest of privacy that we have gotten this push to incorporate those kinds of provisions and that the system pretty much a self-executing system has operated without formal kinds of procedures that govern the disclosure of information or for that matter govern a lot of what happens in the workers compensation system.

I guess I have to differ in the premise about relevancy. They think that if state laws, if there were to be state laws adopted as some have been proposed, that would incorporate a minimum necessary standard, we would have almost all the same concerns there that we have expressed here.

MS. SERKES: I have some information on that that might be of interest. I sit on the task force of American Legislative Exchange Council's HHS subcommittee and this is a national association of state legislatures. Just this month, they passed model language to take back to the states that would exempt workers compensation programs from state medical privacy controls. I'm certainly not an expert on this, but it just muddies the picture a bit because you have state legislators who are working at the state level to change the workers compensation rules on privacy.

I guess the question is that there might be some research needed to see how some of what the legislators are doing would interface then with the enactment or implementation of these regulations.

MR. WOOD: I would like to comment on that. There haven't been, to date, laws enacted that we think would significantly impair the transmission of information under the workers compensation system with one partial example. That's in California. We have the same discussions on a state level that we have around this table.

And the need to obtain information in the first place and fairly evaluate what are someone's legal obligation to pay is the critical issue in all of this. We find, quite frankly, that a lot of these privacy bills, most aren't workers compensation specific. Most are drafted with health plans in mind. There is a real disconnect between that kind of construct and a property and casualty insurance carrier and particular a workers compensation construct.

DR. GUIDOTTI: If I may, I find that as well. I'm not going to attempt a rebuttal of my earlier position. I just want to interject a note of reality here. The primary information problem in the workers compensation system is access to reliable and accurate and timely information on the basics, that the additional information that is so often required is irrelevant in terms of the theory of the particular claim.

The individual bits of data that are in the medical record are irrelevant in terms of the theory behind the claim. This information can be used to judge whether a particular data or set of information is minimum necessary or not. I think that leaving aside the question about whether or not my comments imply a grounds for legal action, I see no reason why a workers compensation carrier should not be held to the same accountability as other players in this system.

In other words, justifying the need for information which is almost extraneous, sometimes prejudicial and usually highly sensitive to the individual. Without such safeguards which lay the groundwork for accountability that we will get what, in many instances we have right now, and that is a biased medical record, one that does not record important information because of legitimate fear and distrust on the part of the worker disclosing it and on the part of the other person reporting it.

DR. ROTHSTEIN: Dr. Guidotti, I applaud the statement in the testimony that the organization now supports the concept of minimum necessary. That is a radical departure from their position forever on this issue. Specifically, the law in 48 states, that is, every state with the exception of Minnesota and California is that after a conditional offer of employment, pre-placement examinations may be of unlimited scope.

As a condition of employment, the employer and the employer's examining physician may require that the individual execute an unlimited authorization of disclosing everything that is in the individual's medical record. Your organization has consistently opposed any restrictions on these blanket authorizations.

I take it from your testimony that it has reversed its position and is now going to lobby for new legislation as well as amending its code of ethics to make these unlimited authorizations both illegal and unethical now?

DR. GUIDOTTI: My own history with policy evolution with issues like this is limited. I can say that there is a subtle distinction here. Information needs to be disclosed and interpreted by the medically knowledgeable provider. The person in the best position to do this is the person with the background in occupational exposures and environmental circumstance that may produce illness.

The physician needs to have sufficient information to decide that the information is irrelevant to come to a legitimate conclusion. The issue here is the minimum necessary data that can then be shared.

DR. ROTHSTEIN: You want us to ascribe to what you disclose, but not to what you get?

DR. GUIDOTTI: That's correct.

DR. ROTHSTEIN: So it applies to everyone else, but you?

DR. GUIDOTTI: I think what it does is since we are in the gatekeeper position anyway, it provides some rules of the game and welcome relief from the pressures that the occupational/environmental physician is under to fly by the seat of their pants and to make those decisions without a framework. This provides a framework.

MS. SERKES: Our position is we support the minimum necessary, but then would take the reverse position that it is indeed the role of the physician to be the gatekeeper and the one who is willing to take that burden on.

DR. HARDING: I have a question, but it's completely off the subject we're talking about. We've been talking about protected health information and then we get into TPO where you talk about treatment, payment, and the operations.

It seems like we have pretty good consent on the treatment as taken care of in the rule. There is some problem with payment it's pretty clear, but that operations is the issue that gets us into all kinds of difficulty. Would it be helpful to have a group or task force or somebody look into that area more than just the whole TPO or do you think that's not? I'm just trying to think of some things we can do here pulling together various things and would ask your advice on that.

MR. RODE: We've had some experience before with some industry commission to look at some of these issues where the payer and the plan can't agree. It sounds like from yesterday's testimony and today's that we've got another one of those. It's hard to do it in a testimony situation when you've got your testimony, you've got your 10 minutes and the ability to negotiate and to look at that is an issue.

Obviously even in the workers compensation situation which was created for all sorts of reasons that I won't go into and we've run into this problem. I don't think we can answer this in time for this committee to make recommendations to the Secretary, but certainly with involvement on an industry basis, we certainly could take on something like this. I won't guarantee you will have an answer.

But it sounds like we've got to look at this issue and try to determine what's reasonable and what's practical given where we are right now. We have not done that, and as someone mentioned, the patient is out of the picture on this one. This is how do we trade the data back and forth and how much is there. I think we could potentially arrive at some guidelines.

I have to say that because as an industry, this is the best we can do. Some guidelines would give us a better picture of what should be coming back and forth and under what circumstances.

MS. SERKES: The problem on that goes back to the Act rather than the regulations because the Act is the use of the term healthcare operations within the Act has really not been defined. I think from your perspective it may be out of your scope or your ability on the regulations.

DR. ROTHSTEIN: Other questions from the subcommittee? If not, then I want to thank the members of this panel for their excellent testimony and we will take a 10-minute recess, reconvene at 11:35 for the subcommittee discussion of minimum necessary.

(Short break.)

DR. ROTHSTEIN: There is a document which includes a summary of the recommendations that were made by the panelists in their written testimony as well as in their oral testimony is prepared as we speak. With the consent of the subcommittee, what I would like to do is to flip the order in which we will be discussing those issues.

In other words, I propose taking up the issue first of consent which we said we will do during lunch and then once we finish that then break for a brief period of time to get your lunch, bring it back and then we will have a lunchtime discussion of minimum necessary. Hearing no squealing objections, we'll proceed. Let me give each of you a few minutes to look over the documents.

MR. SCANLON: Mark, can I just tell people what they have?

DR. ROTHSTEIN: Please.

MR. SCANLON: What you have before you relates to the Recommendations on Consent from Testimony to the Committee. All this is is an attempt to pull together from the written testimony anything that looked like a recommendation whether it was a formal recommendation or an implicit one and we simply followed here the order from the panel and the members on the panel. We didn't have time to organize it much beyond that, but I think it is a fair overlay.

DR. ROTHSTEIN: Let me thank you for pulling this together and recommend that for the rest of the documents which will be on research and for marketing, Michael, are you with me? Instead of bullets, we'll just use numbers because it will be a lot easier to refer to them. We're going to review this now until lunchtime which is after we finish reviewing. Do you have another option?

DR. HARDING: Are we going to have a special meeting on minimum necessary?

DR. ROTHSTEIN: That is our lunch discussion, minimum necessary. The reason we're switching is that the minimum necessary is not printed up yet. These are the recommendations. While you're thinking about which ones you want to support and so forth, we need to address one question. That is whether we are going to recommend or take a statement on recommending support for any existing measures that are in the rule.

In other words, is this simply going to be a recommendation of changes or some people may have recommended that we change something and we reject that notion, should we put forth our support for the way it currently exists? I'll just leave you with that.

I suppose what we can do is to go through in order and we will open the floor to someone who will move that we adopt a bullet and then we can discuss that and if no one moves to adopt any particular one, we will just assume that there is no support for it.

DR. HARDING: Point of information before we start, do we feel that our charge is to look at major policy issues and say yea or nay or is it to help with the implementation or finding and correcting unintended consequences of the policies that have already been selected or given out in the rule?

DR. ROTHSTEIN: That was a point of contention yesterday.

DR. HARDING: So have we come to any thoughts on that or still in the middle of that?

DR. ROTHSTEIN: I suppose I'm willing to entertain a motion. Maybe we ought to have one just so we can get a vote on the record and then proceed however the majority.

DR. HARDING: It would seem to me that the rules have been handed down and that we are here to help with implementation and finding and correcting unintended consequences of what has come down. That would be my understanding.

I would present that as a motion, but that isn't what I had in mind when I did that originally, but I will present that as a motion that we not be spending our time discussing the changes and major policy issues, but that we instead talk about issues of implementation and correcting unintended consequences of the rule.

MS. FYFFE: Richard, if that's a motion, I'll second it.

DR. ROTHSTEIN: Okay. Is there any discussion on the motion? I suppose one thing we might add to that is that it is the subcommittee's intent to continually monitor all issues large and small although perhaps your motion contemplates that for the current purposes.

MS. GREENBERG: Just to buttress that. I think that I defer to the group, but what Richard has suggested is probably the most practical strategy in the short term available. I think it's important for people to recognize that the committee has heard testimony of a broad nature as well as a specific and that the committee is open to receiving that and to evaluating it over time because it's appropriate for the committee and does have the role to suggest that they got something big all wrong. But I don't think you're constrained in that. I think currently what you're really trying to do is help with the more specific unintended consequences, how can things be clarified, et cetera.

DR. ROTHSTEIN: Ultimately, what gets done with whatever the subcommittee recommends or has to be approved by the full committee anyhow and the full committee may decide to see things differently and put a different spin or emphasis on whatever.

MS. GREENBERG: I think that's why it's important that the letter capture the broader issues as well as the more specific and put it in context.

DR. ROTHSTEIN: Are we ready to vote? We've got a motion and a second. All in favor, raise your hand. It's four. All opposed. It's four in favor and all abstaining. Four to one, Chair not voting. It's four to one and that will be the ground rule.

We can take each of these and either accept them, reject them, or put them in the category of broad issues to consider, but beyond the scope of what our immediate letter will entail. Will that be acceptable as a suggestion, either we endorse a bullet point, we just don't and we move to the next one or we say that we'll defer on this and we'll recommend further study to the full committee.

DR. COHN: I probably agree with it listening to what Marjorie was saying that there are some areas that probably need to be in the body. Is that what you're saying as opposed to saying there are things showing up in the recommendations as options?

MS. GREENBERG: In the body of the letter, yes.

DR. COHN: I think a lot will be heard about X, Y, and Z as opposed to, Mark, I think what you're talking about is whatever shows up as options or recommendations. Is that the distinction that we're making there?

MS. GREENBERG: I don't think what you just agreed to precludes capturing the broader issues that you heard.

DR. ROTHSTEIN: I think we'll certainly want to summarize the testimony that we have heard, indicate the kinds of issues we explored and the tenor. I think I have the license to say that we heard some disquietude and some support for further clarification, et cetera. Further, we can hear things based on the testimony that the subcommittee recommends and ultimately the full committee would recommend that as well.

We are now ready to proceed on the list and the first one, let me just suggest that this would be a defer as a big issue. I'm sorry, Jeff, I apologize. This one is "we strongly urge the HHS to delete the consent requirement."

The Chair's first cut is that this is a deferral because it's a big issue that we will continue to take a close look at consent. Any objection to that? Hearing none, we'll move to the next one.

DR. COHN: I need to publicly recuse myself on that issue.

DR. ROTHSTEIN: The second bullet, barring that, "we ask DHHS to mitigate the unintended consequences to patient care and healthcare." That's just an introductory. It goes into the following specifics. Allow continued use of the data collected before the April 14, 2003 compliance deadline and require consent only for data collected after that date. The current rule makes no distinction among time collection. The rule would apply to whatever is in the file.

MR. SCANLON: Let me make some further discussion. I think there was a fair amount of confusion yesterday about what the current rule says. I think as the effective date of the rule, all information is covered under the privacy reg. I don't know what this recommendation would do exactly.

MS. MC ANDREW: I think what this recommendation goes to is not so much the consent provision itself, but to the transition provisions. Essentially that would replace the current transition provisions which require some sort of prior legal permission with just a general blanket grandfathering in of all existing data. So you could continue to use and access all of that data regardless of whether you had any legal permission in the past.

DR. ROTHSTEIN: The rule would apply prospectively only.

DR. HORLICK: Where are the transition provisions?

MS. MC ANDREW: They're at the end of the rule, 164.532.

DR. ZUBELDIA: I think that the data being collected now is being collected either under consent like in California or implied consent. From what I'm hearing, it's a problem to segregate this data with the data that's collected after the deadline. Would it make sense to recognize that it's being collected now under either statutory consent or implied consent and that consent continues unless after April 14, 2003.

DR. ROTHSTEIN: I think that's similar to the essence of this proposal.

DR. HARDING: You're not making any assumptions about how that information or what the informed consent elements would be.

MS. MC ANDREW: I think the difference between that position, this position, and the current rule is really with the area of implied consent. Some information is being collected absent any legal permission because the state law does not require any legal permission where that implied consent is currently a practice, our transition provisions would say you must get some sort of consent before you can access that data. Your position is a middle ground between grandfathering everything, adding implied consent to the current transition provisions.

DR. ZUBELDIA: That's how it's being collected and used now with some sort of implied consent which is probably no consent at all, but people know that the data is going to be used.

DR. ROTHSTEIN: I would raise a question of whether we think this comes within our definition of an implementation or whether this is big issue, a deferral issue or whether you want to proceed with it anyhow. If you don't want to proceed with it, then we'll reject it.

DR. ZUBELDIA: I would like to see a recommendation to take care of this issue now rather than defer it.

DR. HARDING: This is certainly an important issue for researchers and a number of people who are looking and doing research.

DR. ROTHSTEIN: But on the research, we do have a mechanism in the rule to continue using extant records with privacy committee approval. I think the main motivation is for other purposes other than research. Does the subcommittee think that we have enough information about this recommendation and sufficient diversity of viewpoints to make such a recommendation?

DR. ZUBELDIA: If you go down two more bullets, there is another bullet that says allow the continued use of data until the patient makes a physical appearance and is able to sign a consent form. That could be an additional requirement to the use and it's under implied consent now, but you do have to get a consent and until you have the capability of getting the consent because the patient shows up, the implied consent continues.

DR. ROTHSTEIN: Can you clarify the situation in which you would need to use it? How would this provision help or is better than the current rule?

DR. ZUBELDIA: I think the example from Kaiser and maybe someone can clarify this. One year they had to recall a pharmaceutical product. They had to go through 35 million patients to see who has got it. I think that was the example.

DR. ROTHSTEIN: This is a very, very broad change. If that is the concern, then we could say in the event of medical necessity where the health of the individual is at risk, then the healthcare provider notwithstanding the lack of prior consent can use records that were generated before 2003. Maybe there are other problems I'm not thinking of, but this was a very broad answer to what so far has been described as a very narrow problem.

DR. COHN: I need to recuse myself from this conversation, but I would comment that if you heard later when you look at the NCQA recommendations, I think they and others have significant issues around healthcare operations issues in relationship to abstracting data.

MR. SCANLON: I think what Sue said is probably the best way to think about this recommendation. I think it's intended to be a transitional recommendation, an implementation issue when addressing a practical issue. I don't think it means the information could be used forever. Presumably at the next encounter or the next opportunity for consent, that would be expected.

DR. ROTHSTEIN: Suppose you had a former patient that you were never going to see anymore and never get a consent from them, wouldn't this allow you to use their records in perpetuity?

MS. MC ANDREW: The recommendation would permit you to do that.

MS. GREENBERG: How does the current rule restrict that?

MS. MC ANDREW: The current rule would allow you after the compliance date to use that information only if prior to that time, you had some sort of expressed legal permission from the individual that permitted your use of that data for treatment, for payment or for a healthcare operation.

We have clarified in the guidance which you would only need if you have the permission for one of those purposes and the most common would most likely be a permission for payment. Once you had a legal permission for payment, you could then rely on that legal permission, post the compliance date to access that information for all those purposes, all TPO purposes, not just payment purposes.

DR. ROTHSTEIN: I'm sympathetic to the individual problems. This is a remarkably broad answer to that problem. Are we ready to take a vote? We're going to discuss this again. Should it get a positive vote or negative vote in the full committee as well. That's the escape hatch for my rushing us through these.

All in favor of recommendation 3. Jeff, this is to allow continued use of the data collected before the April 14, 2003 compliance deadline would require consent only for data collected after that date. All in favor, raise your hand. All those opposed, one. All those abstaining, one.

DR. ZUBELDIA: Let me clarify something. As stated, this is a very, very broad recommendation. That's why I'm opposing that. I think this needs to be corrected with some additional protections and not just allow continued use of all the data. I think that's where the discussion was going.

DR. ROTHSTEIN: Kepa, that's a wonderful point. We're not bound by what this says. This is a recommendation to us and what I hear is some widespread agreement among the members of the subcommittee that in certain circumstances, people who own the medical records or have them in their possession ought to be able to use them notwithstanding the authorization or consent form. Maybe we could develop a recommendation that gives some consideration to those views. Would that be okay?

The next one, allow use and disclosure of data collected before revocation for continuing TPO.

DR. HORLICK: I didn't quite get it.

DR. ROTHSTEIN: The committee is going to recommend that OCR explore ways in which specific kinds of records can be accessed such as for, and we're going to fill that in later, which would include medical emergency, perhaps other things that we come to on the list.

MR. SCANLON: With refinements.

DR. ROTHSTEIN: Those are our recommendations to the Secretary. The next bullet point, allow use and disclosure of data collected before revocation for continuing a treatment payment and operation. Anyone who wants to move that one forward for full consideration?

MR. BLAIR: There are so many considerations on that. I would either abstain if we vote or I'd wind up indicating that that's preferred.

DR. ROTHSTEIN: Under the ground rules, without someone bringing something forward, it dies. No one is bringing this one forward? Next. Allow the continued use of data until a patient makes a physical appearance and is able to sign a consent form. Perhaps this is subsumed within the prior one under the continued use of previously collected data. We're going to explore that. Let's combine those.

DR. HARDING: It also involves the minority becoming a majority.

DR. ROTHSTEIN: Do we get to that later? Yes, we have another one later on that. Next bullet. Make the HIPAA consent requirement inapplicable to states that have statutory authorization for the use and disclosure of EHI. I would suggest that that is a deferral issue as a major thing because it involves the whole notion of federalism. Are there any objections to deferring that?

Speaking of deferral, the next bullet, defer the consent requirement for five years and then assess whether the other HIPAA tools provide adequate protection. Do you think we have a recommendation to defer on that bullet as well?

DR. ZUBELDIA: My recommendation would be not to defer it and say, no.

DR. ROTHSTEIN: All right. We have two options then. All in favor of deferring, raise your hand. That was you, Jeff. All opposed to deferring? So it's not deferred, it's gone. One abstention and one non-voting.

Next bullet. Reconcile conflicting laws such as those that do not permit disenrollment upon the revocation of consent. This is something I don't think we talked about specifically yesterday. There are apparently laws that prohibit you from disenrolling someone even though they're saying that you can't submit information for claims payment?

DR. ZUBELDIA: The discussion was about HIPAA itself.

DR. COHN: HIPAA itself in earlier discussions did that.

DR. ZUBELDIA: HIPAA itself doesn't allow the plan to disenroll a person.

MS. MC ANDREW: I think this is a limited problem for those entities that are both plans and providers such as Kaiser and perhaps VA where the rule would generally not require a plan to not have consent. By not requiring the plan to have consent, it simply avoids this issue by not voluntarily getting into a consent situation where this could arise.

In the Kaiser situation and the VA situation where they are a provider and subject to the consent requirement, they have difficulty distinguishing their plan functions from their provider functions and may wind up in situations where the rule is somewhat contradictory with regard to the statutory requirement to provide benefits versus failure to obtain consent.

DR. ROTHSTEIN: There is a current problem in the rule and this recommends that it be cleared up somehow. All in favor of this bullet point, raise your hand. I believe that Sue said there is currently a problem and this would urge the Secretary to address the problem that exists. Is there anyone opposed? Is that approval?

Next. This comes to Richard's concern. Rely on parental consent for a child who reaches the age of majority until that new adult comes in for care. Currently, a young person who just turns 18 would have to execute a consent form. Barring that, they could not be treated. Should we put an upper limit on this?

DR. HARDING: It is possible that somebody could be 22-25 without an encounter from a doctor or more. There is some, but on the other hand, they need to be taken care of. I don't know what kind of limit to put on it. I think until their first medical encounter.

MS. MC ANDREW: In the rule if the information or disclosure is being authorized with an authorization that has been signed by the parent, that parental consent for that disclosure remains valid on behalf of the minor even after the minor reaches the age of a consenting adult.

The fact that the child has reached the age of majority does not invalidate that authorization. We did not have that kind of policy with regard to the consent. We were essentially silent on whether or not a consent that has been signed by the parent on behalf of the minor remains valid or not after the child reaches the age of majority. It may be essentially a state law.

DR. ROTHSTEIN: I don't recall the rule expressly addressing this, but that is the minor revoking the parents' consent upon reaching the age of majority. Is that in there?

MS. MC ANDREW: Yes, once the minor reaches the age of majority, he becomes solely responsible.

DR. ROTHSTEIN: I figured they could do that.

MS. MC ANDREW: They can revoke the authorization or consent.

DR. ROTHSTEIN: But it doesn't say that expressly.

MS. MC ANDREW: No.

DR. ROTHSTEIN: I'm turning 18 and I want to make sure my pediatrician, who I'm never going to see again, doesn't send anybody anything without my authorization.

MS. MC ANDREW: You could do that.

DR. ROTHSTEIN: You can do that now although it's not explicit in the rule.

MS. MC ANDREW: You would seek the child's consent rather than relying on the parents' prior consent.

MS. GREENBERG: This may go under privacy practices or what people have to go through, but it does seem like this is an area where education is needed and young people who are adolescents and at risk, it just seems that most young people probably don't have any idea about this, but since it's an issue on whatever is allowed and what their options are, it seems that educating kids on the privacy rule is needed.

DR. FITZMAURICE: This may be a situation where some clarification by the Department and some additional guidance could take care of the problem explaining what the avenues are as Sue just explained it here.

DR. ROTHSTEIN: Are there any objections to that motion?

DR. COHN: I abstain.

DR. ROTHSTEIN: We have a rule, once you abstain three times in a row, you're barred for the rest of the day.

(Laughter.)

DR. ZUBELDIA: Sue, does it mean that a minor that turns 18 can revoke an authorization or consent that was not given by that minor, was given by a parent? If that is the case, can that minor revoke that consent before he/she turns 18? We may not want to get into that.

MS. MC ANDREW: I think the parent is in the position acting as the personal representative of the minor, retains that status until the minor does reach the age of majority. The exceptions for certain special services aside when the parent is not acting as the personal rep of the minor.

But, basically, the minor would only be in a position to exercise that right of revocation upon reaching whatever age of majority is effective in the state and that the actions of the entity on reliance of the authorization or consent would remain in place, would protect the entity for the reliance on that.

DR. ROTHSTEIN: Keep in mind the time is 12:24. We have a panel at 1:00 o'clock. We're going to have to break at 12:30 to make sure we're back here. As soon as everyone is back, we will resume our discussion for any amount of time we have. We're not going to be able to get through this document let alone even start the minimum necessary document.

So what we're going to have to do is finish this up and then minimum necessary after the research panel and then do research and marketing tomorrow. So we've got time for a couple, I know you're paying close attention to all the witnesses, but maybe during the break period, go through these recommendations and pre-read them, star the ones you want to support, X the ones you don't, so I can just go down and it will go more quickly. We can do one more.

Guidance is needed to clarify that under the rule a healthcare provider may, without individual written authorization, disclose to a health plan, protected health information necessary for the plan's healthcare operation. Clarification is needed to ensure the privacy regulation does not prevent plans from getting information from providers that they need for accreditation and other healthcare operation.

DR. COHN: I would mute that one.

DR. ROTHSTEIN: Okay. Discussion?

MS. GREENBERG: My question is, is this true? Is this clarified that it was my understanding that I heard yesterday that the rule does not allow.

DR. COHN: I don't know whether this is clarification or a change to the final rule.

DR. ROTHSTEIN: It's not a clarification.

MS. MC ANDREW: This would require a rule modification.

DR. ROTHSTEIN: So let's just change the wording from clarification in the second one to amend the rule before we vote on it. This is not ratifying or explaining, this is changing. Even with that, I assume you're still moving forward. Discussion on the proposal which is to amend the rule to say that the reg does not prevent plans from getting information from providers that they need for accreditation and other healthcare operation.

MS. GREENBERG: Is authorization the correct word there or should it be consent?

DR. ROTHSTEIN: They and get authorization now, but I take it that what the spirit is, is that consent would include the use of records for this purpose; is that right, Simon?

DR. COHN: Yes.

DR. ZUBELDIA: The comment I would like to make is that it's not just accreditation. It seems like encounters could not be reportable because they're not for payment. Encounters could not be disclosed from providers to health plan because they're not for payment. In the arrangement, encounter is not a payment.

DR. COHN: If I can clarify that, actually the encounter transaction is either for payment or for other encounter transactions. There are situations where the encounter is part of the actual contract and activity. Other times where this has really been the issue is it's not. It's purely a capitated environment which removes any ambiguity in the relationship to that.

MS. GREENBERG: In a capitated environment, the plan could require it as part of the environment which would be for payment. If the plan says we're capitating these members, but if you expect to get capitated, you have to submit encounters. That's the case I know.

DR. COHN: It depends on the arrangement.

MS. GREENBERG: It's interpretation of the rule. You're suggesting that if you're not actually paying on the encounter, then that encounter information is not being submitted to payment so it can't be requested. It would go with what the plan gets for payment.

DR. ZUBELDIA: It could be part of the contract of the capitated agreement that you have to submit encounters and maybe they could $1/encounter or something. In some cases, it's not part of the contract.

MS. GREENBERG: So if it's not part of the contract, then but it could be part of the contract.

DR. ROTHSTEIN: Are we ready to take a vote? I propose that we separate the two within this one bullet and vote on each of them separately. The first one being, guidance is needed to clarify that under the ruling the healthcare provider may, without individual written authorization --

MS. GREENBERG: We changed that.

DR. ROTHSTEIN: It's got to be consent, amend the rule so that a healthcare may disclose --

DR. FITZMAURICE: Mark, this isn't for the provider's operation. It's for the health plan operation. I think authorization is the right word. Provider gets consent for the treatment or payment of operation. It's extending it to use of the provider's PHI of the patient to the operation of the health plan. I think that's what Kepa wrote could be handled under a business associate contract, if the provider were willing to do it.

DR. ZUBELDIA: Michael, then who gets the authorization, the provider or the health plan?

DR. FITZMAURICE: The provider has to see the authorization of the patient in order to turn the data over to anyone. Who gets it is probably not a big point. If the health plan wants it, then maybe the health plan writes a letter to the patient asking for this authorization.

DR. ZUBELDIA: And the patient will have to show proof to a provider that they've given the authorization to the health plan?

DR. FITZMAURICE: I think the provider would have to see that. I'm guessing. I'm not the legal expert on this. I certainly bow to Sue, Lewis, and others in OCR to do interpretations.

DR. ROTHSTEIN: We're not bound by this because we're going to redo it anyhow, would permit the disclosure to a health plan PHI or the plans of the operation. All in favor of that proposal, raise your hand? Four. Opposed? Abstaining? So that's four, zero, zero abstaining and one non-voting.

The second part, another amendment, to ensure that the privacy regulation does not prevent plans from getting information from providers that they need for accreditation and other healthcare purposes. A similar proposal. All in favor raise your hand? That would be three. Opposed? One. Abstentions, zero. Non-voting, one. Confused, one.

DR. FITZMAURICE: Mark, could I interject something here. I don't know if there is anything that prevents from getting the information. Really can a provider disclose it?

DR. ROTHSTEIN: In the wording, it should be something like providers disclosing information to plans that plans need for litigation, et cetera; is that what you said?

DR. FITZMAURICE: That's my suggestion, yes.

DR. ROTHSTEIN: It's lunchtime. We are going to recess until at the latest 1:00 o'clock because that's the next panel. If people come back before then, we may be able to go over another bullet while you're eating.

(Recess for lunch at 12:32 pm.)


A F T E R N O O N S E S S I O N

DR. ROTHSTEIN: We are resuming our hearings on the HIPAA privacy regulation. I want to announce for our subcommittee members some changes in this afternoon's schedule. Mr. John Lawniczak will not be testifying this afternoon. Therefore, we have asked Donna Boswell to move from Research Panel 2 to Panel 1 and she has graciously agreed to. Thank you very much. There will be only one panel on research.

In addition, Dr. Welles from Genentech has to leave after her testimony and so that we will have the full discussion and time with her after her testimony, but for the other witnesses, we will follow our standard procedure which is, the witnesses have 10 minutes to testify. You will get a one-minute sign held up by Ms. Rollison. A beeper will go off when your time has expired. After each of you testify, we will have a brief opportunity for subcommittee members to ask clarifying questions about your testimony and then once the entire panel has completed its testimony, then we'll have a general discussion with all the panel members. With that, I will ask Dr. Welles to proceed.

DR. WELLES: Thank you. Good afternoon, Mr. Chairman, and members of the committee. Thank you for inviting me to testify today regarding Genentech's concerns for the privacy rule published by DHHS. My name is Bernice Welles. I'm head of product development at Genentech, one of the nation's leading biotechnology companies.

Over the past several years, Genentech has been uniquely involved in the debate regarding the confidentiality of patient health information. As such, we appreciate this opportunity to share with you our experience and our serious concern for the impact of the HHS privacy rule on biomedical research.

We have submitted for the record a copy of our official comments on the interim final rule along with specific recommendations for modification of the rule. We have spent innumerable hours analyzing this rule and preparing for our compliance requirements.

While Genentech is able to comply with the letter of the rule, the scope and structure of the rule could make this fact moot. Simply put, Genentech believes that as currently written, the HHS privacy rule will have a detrimental impact on the ability of researchers to pursue our critical mission, that is to research, develop, and test breakthrough therapies for serious unmet medical needs.

Without swift and significant modifications, patients will unavoidably be denied access to these medical breakthroughs causing harm overall to the nation's health and healthcare system. Specifically, we are concerned about the following: first, the overall structure of the rule; second, the definition of de-identified; third, the conditions relating to patient registries; fourth, the minimum necessary requirements; lastly, the rule's modification to the existing common rule.

I'll now address these in greater detail. Overall structure of the rule. Our primary concern with the rule is that it appears to have placed all of the obligations, responsibilities, and liabilities associated with disclosure of protected health information for research purposes on the wrong entities.

Specifically, the rules all apply to HIPAA covered entities with some obligations placed on researchers themselves. In light of these obligations and potential liabilities, we're concerned that covered entities which are important data sources for research companies will be less willing to share with us this rich resource for data.

Such a chilling effect on the willingness of District Branches to disclose PHI to researchers would seriously undermine biomedical research nationwide. To remedy this potential effect, we recommend revising the rule to include as an activity for which covered entities are allowed to disclose PHI without patient authorization along with treatment, payment and healthcare operations.

As researchers, we would remain obligated to protect this information and limit our uses of the information consistent with that that is otherwise allowed by the rule. In addition, we believe that IRB would still be necessary to determine whether the patient's authorization would be required to use the data for research or whether the circumstances warrant waiver of such authorization. In so doing, access to the data would be allowed, yet use of the data by the researcher remains under the control under the rule to ensure its confidential and responsible use.

Next, I'll turn to the definition of de-identified. Although many point to the rule's reliance on de-identification as the way to circumvent the myriad requirements necessary to obtain PHI for research purposes, our literal reading of the definition of de-identified is that it is too restrictive to meet.

Specifically, Method 2 requires that the PHI be stripped of each of 18 kinds of identifiers and that the entity does not have actual knowledge that the data could be used alone or in combination with other information to identify an individual.

First, stripping the data of the types of identifiers specified in the regulation would render a data set essentially useless for research purposes. For example, knowledge of a patient's age and gender are very relevant when researching the association between age and sex with risk for heart attack.

In addition, the second test and method to establish is an impossible standard. In reality, researchers are almost always aware that a particular data set could be used or combined with other data to ultimately identify an individual. By relying on what could be done with the data rather than what is actually could be done, will arguably establish an impossible standard to satisfy.

Alternatively, Method 1 which calls for a subjective review by a statistician is equally unrealistic in that it will prove costly, time consuming and administratively burdensome in practice particularly for large-scale studies involving review of thousands of archive records. For these reasons, we recommend amendments be made to the definition of de-identified under the rule which are attached.

Next, I'll be addressing marketing surveillance and patient registers. The rule allows for disclosure of PHI without an individual's authorization for use in patient registries and post-marketing surveillance studies, but only where such registries or studies are required by law.

To date, the vast majority of registries are not required by law, but are strongly encouraged by the FDA as an effective tool for monitoring ongoing safety and efficacy of drugs already approved by the FDA. The ability to obtain specific patient authorization for these large-scale studies is impossible and if in force will dramatically limit the scope and quality of information obtained for this important aspect of the research continuum.

Accordingly, we recommend that the existing language of the rule be replaced with language which allows disclosure of PHI to conduct post marketing surveillance using procedures and formats for registries and reports that do not identify patients by name or with identifiers such as address, phone numbers.

Next, I'll address the minimum necessary requirement. The rule's minimum necessary requirement which limits the PHI for that which is the minimum necessary to achieve the specified purpose is particularly problematic when applied to research uses of data.

Specifically, should a covered entity decide to disclose PHI to a researcher pursuant to the various requirements imposed under the rule, the covered entity is further limited to disclose only the minimum amount of PHI necessary for the performance of the particular research goal.

Researchers typically obtain information from multiple sources, each under the minimum necessary obligation. The different individuals responsible for each making subjective determinations regarding the minimum necessary requirement, researchers will inevitably receive disparate data sets.

As such, researchers will be unable to establish a reliable baseline from which to study the data as there will be no way to ensure that the data sets received are comparable. This requirement will undoubtedly introduce bias into records-based research making the results of such research questionable at best. Considering the unique needs of researchers, we recommend that the minimum necessary requirement be waived when PHI is lawfully disclosed for research purposes.

Next, I'll address modification of the common rule. Finally, we are troubled that the rule directly modifies the existing common rule which we strongly believe is beyond the scope of the HIPAA mandate. Specifically, it imposes a specific mandate, an unprecedented new set of privacy conditions on research conducted in concordance with the research on the common rule by requiring investigators to obtain an individual's authorization or waiver of authorization in addition to the informed consent obtained under the common rule.

Further, the rule added to the existing criteria an IRB or now a privacy board are directed to consider when reviewing the research protocol. These new criteria go well beyond the arguable authority of an IRB by directing them to consider the overall merits of a particular research project.

Until now, such judgments about what research has societal value are left to physicians, to patients, and to the marketplace. These new criteria suggest that the government should now play a role in directing the areas worthy of research.

We strongly believe that these substantive modifications to the common rule are well beyond the scope of HIPAA. As such, we recommend that the rule be amended to exempt from the authorization and waiver of authorization requirements, all human subjects subject to review by properly constituted IRB acting in accordance with the common rule. In addition, we recommend that the new IRB review criteria added by the rule be deleted leaving IRB subject to the current common rule mandate.

Thank you all again for your time and consideration of these matters. We would be happy to discuss with you any questions that you may have.

DR. ROTHSTEIN: Thank you. As I mentioned earlier, due to schedule problems, we're going to have our general discussion regarding the subjects raised by Dr. Welles' testimony now. The floor is open for clarifying questions and questions of any nature.

DR. ZUBELDIA: I notice in the attachment when you're talking about de-identification that you're asking for the five-digit zip code and the date be left intact. Would a three-digit zip code work or age or date-of-birth work? Or you think that it's important to have the exact dates?

DR. WELLES: Dates are critical in terms of age of the patient and as I mentioned an example of many diseases, you're at greater risk as you get older. So that's an important identifying piece of information for a researcher. Zip code is important in terms of a regional effect which there may be. For example, if you're a researcher who's looking for whether there is a cluster of cancer cases somewhere, that may be an important way to localize such a cluster.

DR. COHN: Dr. Welles, I actually don't have a copy of your testimony. So I was just sort of listening. I was having a hard time with your first point which had to do with the disclosure issue I believe around research and getting access to it.

Between changes that you're recommending versus what is really in place in the world now, and perhaps you can clarify your view of the differences. It sounded to me that that is what the rule says at this point as long as you do a business partner relationship with an external research entity.

DR. WELLES: One of our serious concerns is that some of these other partners who had been partners in the past will find it less desirable to do research because of the restrictive nature of the rule. While we can set up our own privacy board, it could be that their legal counsel may not desire now to enter into these relationships because of years of liability. It's not each part of the rule, it's the aggregate structure of the rule that's making it extremely cumbersome to do research on our part.

DR. FITZMAURICE: My question about the minimum necessary requirement from your very cogent testimony. You talk about the covered entity is limited by the minimum necessary and disclosing research information. It was my understanding and correct me if I'm wrong that the covered entity could rely on the request of the researcher to have requested only the minimum necessary like a lot of other requestors.

But yet, even without minimum necessary, people who give data to researchers are still going to make different judgments about what to get. I'm not sure that taking away the minimum necessary application to research, it may have already been done or at least the covered entity can rely on the researcher's request as requesting the minimum necessary, but I don't know how we get around people not wanting to disclose some things and not wanting to disclose others.

DR. WELLES: That hasn't been our experience and as a company we've had registries that have now enrolled 30,000 patients. Typically, we would ask them to fill out a simple form to follow to track these patients linearly over time. One example is our growth hormone registry in which we've tracked over 30,000 pediatric patients who might ask for age, height, weight.

I'm giving you a real-life experience of what we've done. As a company, we are actually renowned for having very good registries to track patients after a drug has been approved. Our flagship registry is our growth hormone registry in which we've enrolled 30,000 patients.

We have a huge database that we can rely on to look at outcomes of both efficacy and safety outcomes of treatment with growth hormone. This is just a specific example. Typically, we will give the physicians who are following these patients a very simple tracking tool and ask them to fill it out in its entirety.

One could imagine that if one institution decides that minimum necessary means that they should leave out the weight and other concomitant medications or something like that, that we'll end up with holes in our database which will render any analyses of the database not usable.

DR. FITZMAURICE: If, in fact, the covered entity could rely upon the researcher's request as requesting the minimum necessary, would that solve a good deal of this problem?

DR. WELLES: As long as everybody agrees that that's the case and they give us the data that we need, I don't see an issue, but if it's left to the subjective opinion of Dr. X at Site X and Dr. Y and Site Y, what you have is you have data sets that aren't consistent across the board and that would render the research useless.

MR. FANNING: I have a question about your observation that the rule adds to the existing criteria that IRB must consider when waiving the normal requirement for authorization. You say it directs the IRB to consider the overall merits of a particular research project.

Would you talk a little bit about the extent to which IRB is now considering the overall merits of a research project particularly when waiving informed consent and how the regulation would change it?

DR. WELLES: From my experience, the IRBs that we've interacted with, and we often do research in large multi-center trials so we can have 80-1,000 sites and we have to go through that many IRBs. It's already cumbersome. Typically, they look more at the integrity of the protocol, the research protocol, the protection of the subjects, the informed consent and how clear and explicit it is and with the data that we've established to date.

If IRBs were now asked to weigh in on the merit of the research itself, I would have to question first whether the IRBs, as they are now constituted, have the capabilities of doing that and as a company that's involved in doing research on medical needs, it seems redundant to me. I think we've done our homework to understand what an unmet need is, what gaps there are in the healthcare system.

I'd be hard pressed to say that an IRB could do this better. If you're leaving this up to hundreds of IRBs, in a large study for each of them to weigh in, we'll just collapse under the weight of that kind of a system.

MR. FANNING: Do you think that it's appropriate for the IRB to consider the importance of the knowledge that will be derived as contrasted, let's say, to the risks that are involved either in waiver of informed consent or any other factors?

DR. WELLES: I actually think it's important for them to focus on the risks and safety for the patient and leave the knowledge to be derived up to the researchers.

DR. ROTHSTEIN: Just to follow up on that question, in weighing risks and benefits, IRBs often consider the merits of the protocol. If the protocol is just total garbage, then no risks would outweigh them. Even though you may not go into the nth degree of analysis of whether X is better than Y and which route of drug targeting should follow, you still need to make some assessment that this is a worthwhile enterprise.

DR. WELLES: I think when you say the merits of the protocol, you could distinguish that from the actual merit of the research. Let me give you an example, we're developing a drug for psoriasis. One could argue that we have a number of therapies out there. We don't need another therapy and IRB could argue that and that's a subjective opinion.

I think it's fine for them to say the protocol as written won't give you the answer you're looking for, and furthermore you'll harm the patient and not offer them any benefit. That's a different idea than saying we don't need another therapy when, in fact, we believe we do because the current therapies cause renal failure and liver failure.

Someone on the IRB may feel that that's not a major issue and, therefore, that's not necessary to have a new therapy that is safer. To me, that's very subjective. I appreciate what you're saying about the integrity of the protocol and it being well written, but let me remind you that we have our own internal reviews. It goes to FDA as well and then it goes out simultaneously to the IRB. So there are multiple layers of integrity for the protocol as well.

DR. ROTHSTEIN: Let me ask you to clarify for me what your recommendation is, your first one. Am I correct in saying that your recommendation is that when an individual signs a consent that instead of just TPO it's now TPO and R; is that what you're suggesting?

DR. WELLES: Yes.

DR. ROTHSTEIN: If that were the case, would that mean that a private researcher who is not subject to common rule would have access to individually identifiable patient medical records without any further review or any further scrutiny?

DR. WELLES: Wouldn't that individual researcher still have to go through an IRB?

DR. ROTHSTEIN: No.

DR. WELLES: I need to look to my advisor.

DR. ROTHSTEIN: We need you to come up.

MS. WAGNER: Heidi Wagner with Genentech, that still the point of the recommendation was that then the focus would be on the use of the information, that if Genentech had access to data that was lawfully disclosed to us from a covered entity, we would still have to go to review in terms of whether or not the research use was appropriate.

DR. ROTHSTEIN: What I'm saying is Genentech would be required to go through an IRB because your research is in furtherance of an FDA application. You would have to get IRB approval. Some other researcher who was not subject to the common rule either by NIH or the FDA, there would be no further safeguards.

MS. WAGNER: It would be what exists today which is that access to the data, if they're not already subject to the common rule, they would not be.

DR. FITZMAURICE: The rule changes the status quo.

DR. ROTHSTEIN: That's right. The privacy rule changes and basically going to go back. I just want to be clear on that. Other questions? I know you have to leave. Thank you very much. Now, back to our original guidelines.

DR. KULYNYCH: Mr. Chairman and members of the committee, thank you for the opportunity to testify today. I'm Jennifer Kulynych, Director in the Division of Biomedical and Health Sciences Research of the Association of American Medical Colleges. AAMC membership comprises medical schools, teaching hospitals, academic and professional societies to the nation's medical students and residents.

Our members conduct much in this nation's biomedical and behavioral research and share a profound interest in protections for research participants, including protections for the privacy of volunteers and the confidentiality of research data.

The AAMC strongly supports the capacity of human research participant protection programs to safeguard privacy while retaining the vitality of the research enterprise. We believe, however, that the final medical privacy rule is not such a measure.

The rule needlessly intrudes upon the current IRB system of research oversight, burdening biomedical research with procedural requirements, ambiguous US regulatory standards, and extensive new liability concerns. Today, I'll focus on impediments the rule creates, research that is overseen by an IRB acting in accordance with federal research regulations known as the common rule.

The AAMC's overarching concern is that the privacy rule imposes new civil and criminal liability upon hospitals, health plans, and providers who use or disclose data for research purposes. Even when such uses are approved by an IRB, a covered entity must shoulder this additional legal risk whenever it makes research-related determinations regarding minimum necessary and de-identification, whenever it provides an accounting of research disclosures, and whenever its IRB or privacy board acts to waive the rule's authorization requirements.

The new liability under the rule is above and beyond the legal consequences that flow from an entity's failure to reserve research regulations. Increased liability particularly when coupled with the compliance burden imposed by procedural requirements creates a substantial disincentive for covered entities to accommodate the needs of researchers.

As Dr. Munkin(?) noted in a February 2000 letter to the Assistant Secretary concerning the NORM., "disincentives caused by the rule may well cause covered entities for whom research is not a core mission to conclude that the costs and the risk of disclosing data for research are simply too great. The threat is most severe to research that requires access of large numbers of medical records.

For example, public health and epidemiological studies, health services research, post approval assessment of the safety and effectiveness of drugs and medical devices, and retrospective studies of the systemic causes of medical error.

As you weigh the costs and benefits of the rule, please keep in mind that current federal requirements do address the privacy of participants in common rule research. IRBs reviewing research must evaluate all risk to participants including risk to privacy.

The common rule grants IRBs the flexibility to determine on a case by case basis which physical, procedural, and technical safeguards are necessary to protect participants' privacy and confidentiality. An IRB may not approve research unless it finds that such safeguards are adequate.

Because an IRB may not waive consent unless it documents that the research is of normal risk and the waiver will not adversely affect participants' rights and welfare. An IRB must also review and approve the content of all information provided to the participant during the informed consent process.

The privacy rule would supplant IRB discretion in these matters by overlaying complex authorization requirements and new waiver criteria, some of which are hopelessly ambiguous and likely to promote gridlock with an already overburdened IRB system.

It may be argued that the common rule requirements are insufficient to address privacy risks. However, as this committee saw in its 1997 report, you received new evidence of documented breaches of privacy resulting from researcher's use of medical records.

Notwithstanding the lack of evidence or threat to privacy arising from research, additional safeguards are deemed necessary. A more appropriate remedy would be to modify the common rule criteria. In 1998, the AAMC endorsed the vision of objective privacy review criteria to the common rule.

Specifically, when reviewing research, an IRB should be required to document that when identifiers will be retained, research will be impracticable without the use of identifiable information. The IRB should also be required to review the physical, technical, and procedural safeguards for participating confidentiality.

With respect to the privacy rule's authorization provisions, the AAMC believes that these new requirements are unnecessarily burdensome and likely to display participants. Once the privacy rule is implemented, a clinical trial participant would be asked to sign as many as three research related forms in addition to the consent.

These forms per the rule's mandate must contain lengthy, precisely worded disclosures. The authorization provisions also appear to preclude investigators from retaining identifiable health information obtained in a trial for future research not yet envisioned at the time of authorization.

AAMC believes as well that at least some of the new waiver criteria are unnecessary and problematic for IRB review research. Federal research regulations contain criteria an IRB must satisfy waiver to waive consent. The privacy rule, IRBs must consider document findings for yet another set of criteria.

Certain of these such as the requirement that the research for minimal research or practicable without the waiver are duplicative of the criteria already found in the common rule. Others, such as the requirement that the research not adversely affect privacy rights and welfare or that privacy risk be reasonable in relationship to anticipated benefits, are inherently ambiguous.

Although an IRB can evaluate safeguards for confidentiality, there is no agreed upon normative standard by which to make determinations about privacy rights or privacy risks. Particularly in research it deems minimal risk as threshold criteria.

We fear that an IRB's review of waiver request will easily become a large irresolvable debate over privacy rights based on little more than personal belief. The privacy rule exempts from this requirement that the identify has successfully been de-identified.

In the preamble to the NORM., the Department expressed the wish to encourage use of de-identified medical information in research. AAMC enthusiastically supports this objective, but we are dismayed that the Secretary has set a single standard for de-identification. Although it may serve other purposes, it is so high as to render the data useless for most epidemiological health services and other population-based research.

The de-identification standard provides that information is preemptively identifiable unless there's no reasonable basis to believe that de-identification is possible. As a legal matter, this standard is difficult to meet. Even under the rule's safe harbor provisions, a covered entity may never be entirely confident that the information meets the regulatory requirements.

Catchall provisions and unrealistically broad list of specific identifiers undermine the basic utility of the safe harbor and make it likely that many covered entities will decline to de-identify data for research purposes. Since the release of the NORM. in 1999, AAMC has worked diligently to raise awareness within the Department and the Congress and our membership about the rule's serious negative consequences for research.

We continue to urge the Department to modify the rule to create an exception for uses and disclosures of information in common rule research. Such uses and disclosures should not be subject to the minimum necessary or accounting for disclosures provisions.

IRB should continue to apply the common rule, modified if necessary to incorporate necessary corporate review criteria when determining the form of consent both for participation and for the use of PHI and when granting waivers.

Similarly, the IRB should be permitted to determine when information has been sufficiently de-identified to researchers without authorization or waiver of consent. In the alternative, the rules of de-identification standard should resemble the standard articulated in Representative Greenwood's Information Protection Act which would require the removal of direct identifiers.

Concerns about inappropriate secondary use of research data should be addressed by requiring IRBs to obtain written assurances from investigators that data will not be used. Thank you.

DR. ROTHSTEIN: Thank you. Clarifying questions? Hearing none, we'll go on to Dr. Klepinski.

DR. KLEPINSKI: Good morning, Chairman Rothstein and committee. I'm Bob Klepinski from Medtronic. Medtronic had not planned to submit written testimony. We greatly appreciated Ms. Horlick inviting us to come to make comments and to be available for your questions. I will try to answer the questions that related to burden on your list. I cannot answer the IRB ones from my position. I would like to discuss the issue of unintended consequences that Chairman Rothstein had posed earlier.

There's a lot of medical device research going on. Advised, an industry organization, indicated there's $99 billion worth of private research and devices. Medtronic has spent 10 percent of its revenue on research consistently over the years which means over $.5 billion. It's a massive issue.

We're in the business and we intend on making many miracles. Devices that are really changing people's lives, extending their lives. We hear about things such as Vice President Cheney's ICD, these did not spring full from somebody's mind. They're the result of long cooperation between a device company and physicians on studying both the early stages all the way through human tests, all of which involve PHI.

I'm here to say that we can talk about specific languages in the regulation and I have a couple of specific regulations, but the most important thing that has happened is an attitudinal shift. HHS has had to weigh the privacy versus research and you have made your call. Research is lost. I just want to make you aware that everything we do is going to be more expensive, slower, more difficult.

This may be a sensible choice in the balances you have to make, but I want to make you understand that research has lost. Each time I work with the government, I primarily work with the FDA, everybody understands the emotional factors behind the regulations that are established as well as the explain wording.

You've heard from Ms. Kulynych about the reaction to this and whether they like, and this is what we fear most. Whenever the bureaucracy instills fear in citizens, the natural reactions are to one, pull back and not take risks, two, cover themselves with paper and, three, try to spread it elsewhere.

All those things are going to happen. We have also received multiple requests from purchasing departments to certify their products are HIPAA compliant. This is the ultimate legal non-sequitur. There is nothing we can certify, the products aren't covered by HIPAA. But everybody is out there looking for ways to cover themselves and slow down the process and pass risk.

Why is this? Because you've opened the door to a whole round of plaintiff's attorneys and litigation on this issue. In the medical device world, no issue is ever gone. Everything we ever do with the FDA is on the table for 20 or more years. Our devices may last up to 15 years or more.

Things we did 20 years ago with the FDA and they accepted are now being second guessed in litigation daily. You've just opened another chapter in that book. The hospitals are going to be cautious. The first thing I want to say is that we're going to have a problem convincing people to be as cooperative as they have in the past.

We're going to be dealing with teaching institutions where research is done and they're going to have legal staffs so you're going to be saying to them, why take risk if you don't have to. There's an emotional factor. Second, the de-identification rule has taken away what researchers have relied on for decades in the medical device area.

I'm going to talk about three different types of research. IDE research they commonly think about, early research in the product development and post marketing research and problem solving and tracking devices. In all of these, researchers truly believed in the past they're not dealing with identifying data.

Our clinical people are very jealously protective of their patients. The researchers have no interest in getting identifying data. In all the steps that we've made in the past and medical devices, they believe they're working with non identifying data. That is no longer true.

The standard as such is that we cannot actively do the type of research we did on a de-identified basis. I'll discuss that going forward with each of the three types. The first type which is a human controlled trial under investigational device exemption (IDE). Those are going to have to rely on authorization.

You cannot de-identify. HHS has decided through its other arm that the requirements are such that I contend that de-identify research is impossible in IDE situations. This will come as a surprise to the physicians that are involved because the hospitals believe they have been de-identifying for years.

Hospitals provide identifiers for patients and not include name, address, phone number, social security number, zip and they believe they've de-identified and they've protected their patients. FDA requires that we monitor clinical studies. They expressly require that we go on and look at the patient charts.

We have to look at the patient charts and compare it to the actions of the investigator and the study coordinator. We have to look to make sure every adverse event on the chart was written down on the report form. Second, we not only have to look at medical records for the current, we have to look at the past to make sure the patient was properly selected to fit the protocol.

We're going to look at a patient's past medical history. As the study goes on, we're probably going to have to look at future things depending on what requirements the FDA puts on for continued monitoring. The FDA rules require first of all, you can't de-identify, you can't satisfy the other arm of your agency without going into the personal identifiable information.

Second, many of the things that are required as identifiable data in your definitions are explicitly required by the FDA and their regulations. We have to track for devices where every device is at every time. We have to have people. Not only does the investigator have to track once a device comes into his/her institution, but we have to know where they are.

The FDA will come to us decade after a study and ask for an accounting of where every device went by serial number and we can't do that without knowing the serial number, date of implant, and all this other identifying information. All the things on your list are things the FDA wants us to collect.

We've got a direct conflict. De-identifying information is out in any IDE study. Just playing God, absolutely impossible, no joking around. The next question is moving on, what kind of authorization do we need? When you talk about multiple authorizations, to comply with the FDA, we have to have authorization for past medical records to know if they qualify for study.

We have to have authorization for the current medical records under the study to make sure it's conducted properly. We then will have to have records after the study if the FDA requires post market surveillance to see if there are adverse events following on. It's a very common requirement to add post markedly look at those clinical patients.

Fourth, that data is going to be around forever. When you file an FDA device and get a premarket approval (PMA), every device is a PMA supplement and depends on that data. The FDA expects it to be around. We're obligated to keep that data as long as it may form the basis for one of those supplements.

The patients' data is going to be there for 20-30 years, as long as there are incremental devices in that field going on. The FDA has required an enormous swath of controls of the patient's medical history. We're obligated to keep it all and your regulations are putting the squeeze on that.

Authorization is our only hope and it's going to be very complex. And when you try to find ways to simplify this, you're going to have to find an individual whether it's a single IRB or a group of them that's going to say, I'll make the call and justify how we're going to do this and I realize we may be sued anytime over the next 20 years, but I'll stand up and volunteer.

It's not going to be an easy thing to do. There are going to be complications out of those. These, however, I contend are easy compared to the two other classes of research. When early research goes on, researchers will go and ask for data.

In the ICD days, they would go and say, give me strips or patients with this syndrome. They need electrogram and they need to know what devices they had in their body and when they're implanted so they could trace the history.

This is now going to be identifying data. When I told our researcher in the ICD area, I said I suspected, I bet you're going to tie my hands behind my back and now you're going to come and tie my feet too. We cannot go on a de-identified basis on the very simplest basic things we thought that de-identified for decades.

Second, and even more difficult problem is post market issues. When there's follow up, there's hard core research that's done not just problem solving, but there can be materials issues that can't predict in a device.

When issues come up, we have to go into a hospital and look at the patient to see what their history was. If there are allergies or whatever and start working the problem, then we may have to look at all the other implants in that center to see if it was technique related or somehow center related. Then we have to go to other centers and ask for information on similar devices to see if there is a trend and a problem.

None of these things can be done on de-identified basis because the date of implant and its age, the serial number so we can trace the lot and what's in it are critical. All of these things are required by the FDA and none of them are written down.

When we go to a hospital and say the FDA has required this research, here is the FDA exception in the HIPAA regs, they're going to say, show me. We're going to show them a regulation that says you must follow up. They're going to say, where does it say we have to do anything?

Where is the detail? The FDA hasn't written that part down, but believe me, trust me, it's required. As a hospital, I'd say unless you can show me the regulation, I'm going to violate this other with a criminal penalty, I'm not going to cooperate and that's the third issue we're going to see is post market issue. I'll be glad to talk about it further in questions if you wish, but I'm out of time. Thank you.

DR. ROTHSTEIN: Thank you. Clarifying questions from the subcommittee?

DR. FITZMAURICE: Just one, but it's probably not a clarifying question of Robert, but it's my understanding that if FDA has rules or laws pertaining to this data that the privacy rule does not conflict with those laws. If the law requires it, then you have to follow the other law.

DR. KLEPINSKI: That's exactly true, but what does the law require? We continue to have this problem because most of these things are based on the FDA's quality systems regulations which is short and general in nature of an aspirational statements of what you're supposed to achieve.

All of the detail has been filled in by years of practice which isn't written down, by standards organizations which have developed techniques and by the FDA inspectors who imposed ways of doing things. None of it's written down. We continue to have this problem with foreign governments where we'll say we're doing something because the FDA requires it and they say show us.

You cannot go to the rule and show it. If I pull out your hospital or quality system regulation and follow up on complaints, it's going to say just that, you're required to follow up complaints. It will not say what data you have to gather. It will not say how deep you have to go, it will not say you have to get identifying information. None of that is written down. When you say to a hospital, I need this for the FDA, they're going to say, show me and I cannot.

DR. FITZMAURICE: So you're sending a message more to the FDA to be more specific than you are to us to change the privacy rule or make recommendations; is that right?

DR. KLEPINSKI: I would prefer it was the other way around because moving the FDA on a two-decade old rule has been in place so long and it's not going to be an easy thing. If it were simple to change that, I would have done it before.

DR. BOSWELL: I'm sorry to break protocol, but if I can add something to what Bob is saying. It's not just that the FDA is not specific about what is required, it's that the privacy rule only says that the covered entity may disclose to a person who is required to report.

All of the FDA requirements apply to him. There is nothing in the FDA that really covers the covered entities. The covered entity may disclose. It's all permissive if I'm a risk adverse lawyer for a covered entity.

DR. ROTHSTEIN: Isn't that a redundancy? Risk-averse lawyer?

DR. BOSWELL: Yes.

DR. FITZMAURICE: Hasn't that always been the case that the covered entity could always decide what to give you?

DR. BOSWELL: It has never been enforceable with civil and criminal penalties.

DR. KLEPINSKI: Let me take the example of a post-market study that we've commonly done where we've taken a studied a device at a number of centers and collected information on every one that was implanted. This is not the kind of thing where you pick a statistical sample of 100 and follow them, but rather, in order to know device life whether it's predictions of any issues, you take a number of studies of large volume, follow every one of their devices so you have a good sample of everything that happened.

Nothing in there was ever thought of as identifying in that we'd never identify any patient's name, address, any of the direct stuff, but we collect the implant date and every adverse event that happened and then when the device reaches end of life.

You determine if there is immature end of life. None of those were ever thought of as requiring FDA approval because no humans had anything done to them. Nothing was ever identifiable. So it's not a privacy issue until today. Today, I don't think you can do one of those under the HIPAA regulations.

If we go to institutions that have always cooperated with us in the past, they're going to say, well, why should we risk it? The very things that we want in that kind of study are the things that are listed as identifiable pieces of information. It's like a one on one correspondence with the data sets we collect and your list of identifying information.

DR. ROTHSTEIN: Great. Ms. Pollak.

MS. POLLAK: Mr. Chairman, members of the committee, I appreciate the opportunity to come and speak to you today. I am going to highlight four very practical issues that arise as a result of the regulations that every medical center must address if it is going to comply with the HIPAA regulations.

Two of them are impossible to comply with. We could do it, but I guess what I'm here to say that it's an importance in weighing the protection of privacy against the burden on the research organization.

Just as in research one makes that balance and the IRB has that responsibility, I think there's a responsibility on government to say here's the end we're trying to foster and here's the means we're going to use to get there. I've given four practical solutions to the four issues that I've raised by giving you regulatory language that I think will meet the issue.

The first is the accounting requirement. As you know, regulations provide the right to an individual to come in and ask for 6-year retrospective accounting of all disclosures outside of the organization for non-routine purposes. This research is a non-routine purpose.

You go down the list, the name of the person's information that was disclosed, the purpose, to whom it was disclosed, the general purpose of the disclosure and the information that was disclosed. It looks very reasonable. The purpose of it was so that people could understand who got their information. If they didn't authorize that disclosure, then they could protest and that is a good objective.

The problem is that in an institution that might have 3,000 protocols and 75,000 research subjects in a year, and that does thousands of disclosures every day in multiple center trials, if you wrote down those 8-9 items for every single disclosure for every single person, what objective is that meeting?

The regulation attempts to address this and I believe that this was a concern. There's a section that says if you make more than one disclosure to the same party regarding the same subject, you then only have to do that recording once.

If I'm subject A, I'm in a six-year lunch two-deal study and there's 1,000 disclosures to Duke University site of my information, Johns Hopkins only has to record that information once. That sounds reasonable. The problem is that if you've got 75,000 people and that might go year after year after year and you're trying to not only do that, but you're supposed to show the frequency of those disclosures, the last disclosure that was made and to whom it was made and so you've got to keep a record of that.

I would like to propose is what is the purpose of this. If someone enrolls in a research study, they know that that information is going to be used for that research study and they have every right to know who's in that multi-center trial. They can ask for any information they want at the time they enter into it.

If it's waived research, then the IRB are now under these regs. The privacy board will have made these determinations. So whether they're the 4-5 that are under the common rule or whether they're the expanded criteria that are under the HIPAA regulations, an objective body will be looking at that and saying is the privacy protected or to the extent necessary, valued against that research end.

A person should have the right to know that we're involved in research. They should have the right to know in a multi-center trial who's involved in it and they should note in the notice that we give to every single person who comes in, that we engage in research and that we may have waived research. Therefore, other researchers may get the information.

We believe that the burden that is imposed by the regulations, this is one where I do believe it is impossible to do this. We would have to have a room full of people like this every day monitoring the information. It's not comfortable knowing that there is a regulation out there with civil and criminal penalties that we do not think that we need. I do commend to you the change that would look at this as a new way of exempting research from that accounting requirement.

The second is information necessary for recruitment of subjects. It has been a long practice of researchers through the years that in particular for very unique studies where there might only be 10-20 people in a region with a particular condition or disease, to look through as part of their preparation for research to see if there are volunteers or possible recruits out there who could be contacted to see if they could participate in the research protocol.

Under the regulations, it is not clear that in the preparation for research one of the regulations which is there, a researcher may use PHI in preparation of a protocol, but it says that no PHI may be disclosed outside of the organization during the preparation.

That doesn't give me comfort that what they're talking about is recruitment of subjects. I've talked to various people in the government about this and they believe that this section does address the issue I'm raising. I am uncomfortable as a lawyer that it doesn't address that. You might call this an amendment, a clarification.

I have suggested to you on page 4 of my testimony a modest amendment to that regulation that would make it clear that if a researcher wants to use PHI to identify recruits, that researcher could not disclose that to any person including the subject until the IRB or privacy board approves that research.

That is very important. If it's not considered worthy research, even the contact of the subject would be inappropriate. If this is approved as valid research and good research, then if there are 10 people that have been identified, I believe it was within the meaning of this section. It just needs to be clarified.

The third is in the area of non-profit organizations that collect important epidemiological data that our researchers use all the time. Under the regulations, these organizations that collect data and make them available to researchers are not our business associates. They are not doing it on our behalf.

Accordingly, I have found no way that I can give them anything but de-identified information unless I have the patient's authorization to do so. It had been suggested to me that one way to do it would be to have the Heart Association come to our IRB and get a waiver and, therefore, then we could release the information to them.

But what is the research study that the IRB is reviewing? It's not a particular research study. It's the making available of epidemiological database that is very important and has been historically.

On page 5 of my testimony, I have offered a modest amendment to the section of the regulation that allows disclosures allowed by law and this would be one that would not be required by law, but as long as there was an assurance that that information would be used only for the public service purposes for which it was disclosed, that that would be an appropriate disclosure on behalf of the covered entity.

Last is an issue of fundraising and you say why am I bringing this up in evidence on research? At Hopkins, 99.9 percent of the research dollars that are raised in the hundreds of millions of dollars through the years is raised by the departments.

People come to the Department of Oncology and so on, they think that's a separate hospital. Under the regulations, our fundraising people may not follow up and contact someone who came to the Wilmer Clinic because we can only use their name, their address and their date of service.

The fact that they came to Wilmer Clinic is PHI and we would have to have their authorization to be able to contact them to even be able to say I don't want you to contact me or I do want you to contact me about fundraising.

If this regulation allowed contact for marketing purposes, you can have a full profit entity get the covered entities send something out as long as you feel it's to the benefit of the patient. That's okay. It's not okay for your own fundraising arm to contact somebody who came to the Wilmer Clinic and said would you like to give a gift to the Wilmer Institute.

We think that needs to be addressed somehow. There are two solutions I've provided in my testimony. The first is to add in the permissible use of PHI the department or division that someone comes to in the hospital or the name of the doctor. That would be an amendment to the regulation.

The second amendment would be to have a modified authorization form that just says is it okay to contact you for fundraising purposes? Nobody else is going to get this information other than our in-house fundraising arm. We're not going to disclose it to anybody. We can't guarantee that this won't get redisclosed to the whole world. It's pretty scary.

Very practically, in your packet I've given you two examples, Exhibit A at the end is what is now required under the regulations for an authorization in order to contact somebody about fundraising. It is a pretty daunting form. I've given you the section of the regulation for every single section.

The last piece of paper is a very simple form, may we contact you? I've given you the regulatory language on page 7, the actual amendment that would be necessary in order to accomplish modified authorization form to that effect. Thank you very much.

DR. ROTHSTEIN: Thank you. Clarifying questions.

DR. ZUBELDIA: In all the pages where you have made changes to the regulatory language, you have underlined the additions. Is page 7 all new?

MS. POLLAK: That was a sample of what you could do based on regulatory language on page 7. It is the regulatory criteria that I then applied in drafting a sample authorization form. You will need to amend the reg to allow that simple form of authorization to be used.

MR. FANNING: You spoke of disclosing information to organizations. Could you tell us a little bit more about how that works and what they do with it and so on.

MS. POLLAK: I think that if you asked a researcher if they gave identified information to the Cancer Association, they would say they don't because they have de-identified when they give it to these organizations.

But under the criteria, we would have destroyed the value of the information to these organizations if you took out all the criteria. We either would have to have an expert certify that it's not identifiable and I'm not sure if what is required. Zip code is a very important part of that analysis. Sex, race, age, all of those things are very important for epidemiological research.

MR. FANNING: I understand that it may be identifiable, but what is it used for and what kind of judgment goes into the choice of your organization to give it to them?

MS. POLLAK: I am not an epidemiologist. However, I've met with them and they are apoplectic over this rule. I don't want to say don't obey the law because that's not my job as counsel. I'm telling them they must obey the law and we will have to figure out a way.

If they study a population in East Baltimore and they have a sample of 30,000 individuals that have been studied, that is information that may be given in a de-identified form to the Heart Association. Their interest is maybe a researcher in the Heart Association that has a specific study that wants to study urban climate, diet, what is that impact on heart disease. That information becomes a database which then is available to researchers all over the country including our own researchers if they want to do a study.

MR. BLAIR: Why do you not consider that a research disclosure that's permissible under the provisions for waiving authorization in the regulation?

MS. POLLAK: When I go to get a waiver, if you look at those criteria, it relates to an individual protocol that is being brought before the IRB. The Heart Association doesn't even know what protocol it might involve. If they were to come to an IRB and ask for an exemption, they wouldn't have a particular protocol.

If it could be clarified that that section doesn't relate to individual protocols, but could mean any valid and appropriate public interest research, then that would solve my problem if you want to go the exemption route. That's pretty burdensome. It means the Heart Association has to go to 125 major research centers, 5,000-6,000 hospitals. It's not impossible, but it's a big job for them to actually prepare and present the four IRBs.

DR. ROTHSTEIN: Thank you. Dr. Boswell.

DR. BOSWELL: My name is Donna Boswell and I'm a healthcare attorney. I'm a partner at Hogan & Hartson here in the District of Columbia. I want to say that as a healthcare lawyer, I have the privilege of working on issues for many of the industries and hospitals and researchers as well as academic medical centers that you've heard from here. I have not cleared my remarks with any of them and you should not assume that I am speaking on any of their behalf.

I have very strong views on this because since 1996, I've been working with a number of clients to try to help figure out how to better address research and balance the needs of protecting privacy while not completely re-organizing the structure of how research is done in this country. We're very frustrated.

The list of issues has not changed one bit from the first time we discussed it. We heard them recite it again here today. They're exactly the same issue and exactly the same problems. I believe it stems from a tendency in this debate to look at the regulation or the statute that you're crafting and try to elaborate it as a structure for everybody to follow rather than looking at what we have in the research community and seeing whether we protect privacy, whether these solutions are needed.

Rather than going on with that, I'd like to flip to what I've been spending my time on since last year. I've been spending my time trying to help academic medical centers, hospitals, implement this regulation. I'd like to show specifically what kinds of things I've come up with.

To better clarify what the problem is, I want to ask you to categorize the research in three groups for me. One, I want to talk about data research which is both research that the not for profit associations do, the registries that Dr. Welles mentioned, as well as the databases that are created. I want to set those aside for a minute. Part of the problem in the regulation is that we didn't set them aside and the regulation has a one size fits all.

I want to talk about two other categories. One is research that is already subject to regulation under the common rule, where already you have many individual IRBs reviewing and weighing and balancing all of the risks to the individual against the value of that protocol and the knowledge to be gained.

In the context of evaluating risks, it's appropriate for the IRB to weigh those things. In the privacy context where we're only talking privacy, we're talking about a slightly different thing. The risk to the individual is always the same risk, somebody will screw up and the data will get released.

In a privacy context, if I'm participating in research or if a researcher has access to de-identified data that doesn't quite meet it, the only risk to me is that somebody will hack in and mess up. There's never different research based on a different protocol. The value of the knowledge to be obtained, the specific thing I want to look at is really quite irrelevant in terms of weighing and balancing what's going on.

It's quite a different kind of thing. In common rule research, we've already got a system of protections in place. What Dr. Welles suggested with leaving that alone, letting it proceed if approved research were understood to be under the common rule, would be a very doable thing for most of the medical centers and hospitals.

They know the system, the IRBs know how to evaluate risks and I would argue that their IRBs are going to already have to import minimum necessary amount, all the new requirements of the privacy rule into their IRB proceedings in any event in addition to the new requirements.

I want to take off the table the third category of research, the research where somebody is physically doing something to a human being in the name of science and they're not getting any ethical board review. Some kind of intervention is taking place.

There is no IRB review. I want to take it off the table because I'm deeply disturbed about what the privacy rule authorizes with respect to that research. Currently, it's unregulated. What the privacy rule does is that it blesses that research. Now the cart is completely before the horse because we've got a privacy rule, a limited blessing on research that otherwise would not pass muster on the ethic codes which have dominated research in this country.

I want to take it completely off the table. I'm not sure the privacy rule should be authorizing a waiver of an individual's consent to that, be involved in that kind of research. If we take it off the table and we get rid of that piece of the regulation, that research would be subject to the prior approval and authorization of the individual under the regulation as it stands.

There's no need for new procedures. I have the right to give my authorization if somebody is going to do something to me without any ethics board review without any procedures for looking after my rights. What has the regulation actively regulated in addition to creating this quasi authorization in the name of privacy for this intervention research?

It's created a whole set of new requirements that now apply to the authorizations that you must get when your research protocol is approved by the common rule. There are 12 new requirements that have to be in this authorization. The regulation is quite specific that it is not the same review that the IRB is doing in the context of the informed consent.

It's talking about an authorization to disclose information to a researcher whether a third-party researcher or somebody within the institution itself and it's talking about the use of data already in an academic medical center by its own affiliated researchers. Even the specific use or research within the organization now must be subject to this new authorization or this new waiver of the authorization of the 12 requirements of the IRB.

What are the 12 requirements? Most of them are exactly the same requirements that you have in the common rule or informed consent except that now as a legal matter, they apply to this different kind of authorization not just to the common rule. So as a lawyer training my IRBs, I've got to get the IRBs ready and finding about waivers in this situation and a finding about waivers in that situation.

The second set are not duplicative, but they're just wrong. The regulation requires the authorization in research to tell the participant that the data disclosed to a researcher may not be protected by the regulation. That's just wrong. The IRB requires the researcher to protect the data.

They don't get to disclose. They're not usually getting identifiable data. They're not permitted to disclose it. I must tell the subject that it is subject to redisclosure and then what I've got is a researcher having to explain to a participant that this isn't one of those nice legal technicalities.

It's not protected by the regulation. It's protected by the privacy board. Nice discussion to have in the context of research. Finally, I have to tell them, I'm required to include a statement that their data will be available to them as provided under 24 CFR 164.524. If I say it that way it's a true statement legally.

What it means is the researcher doesn't have to disclose anything that's in the researcher files because that's a designated record set. All the patient is going to get is all the data that would otherwise be in the hospital's file. It looks like I'm giving them something else, it's really a bait and switch.

I'm not really giving them anything more than what they get under their ordinary rights, but I got to put it in my research authorization so they can later complain that they can't get the researcher to give them the data. I want to go much farther than what your esteemed other folks have suggested with de-identified.

The regulation says that any information created by or received by a covered entity is PHI and subject to the rule unless it fits in de-identified. You strip off the identifiers or you get a statistician. It doesn't say strip the identifiers about a specific case.

Suppose I have the number of admissions by zip code to a hospital. Bingo. It's identified data because I have zip codes. Even if I have 6,294 cases from zip code a-d to a given hospital in a year, it's identified data because it has zip code unless I get a statistician to say no way that you could identify patients from this.

I've got to hire a statistician even for my aggregate stats. If I had data on the number of cases admitted on a specific date of the year, I've got identified data, gone way too far unless I get a statistician to opine. I've either got to get my IRBs trained and ready to waive authorization or I've got to hire an army of statisticians that will go around and evaluate the data sets I'm creating and every research report associated with what my covered entity wants to publish.

Any table of data reported by date or any other thing that's in the list of identifiers as a technical matter is still PHI unless I get a statistical blessing. I'm delighted to answer any questions that you might have.

DR. ROTHSTEIN: Thank you. Specific clarifying questions for Dr. Boswell? The floor is open for any sort of response.

DR. FITZMAURICE: Just a question. What do you recommend be done with the identified data in the privacy rule, with that section?

DR. BOSWELL: I think we need a better definition that sticks more closely to the statutory definition. I think the regulation slipped the statute. The statute says it's individually identifiable if there's a reasonable basis to believe that what I'm looking at could be used to identify an individual.

The regulation has said could anybody somewhere use this to figure out who this is? This is flipping the thing. If I had a data set that could be made available to the Heart Association or use by qualified researchers, why isn't that and the promises they make in connection they make with the use of that data part of what informs our judgment about could it be used?

If the researcher who's accessing the data has allowed itself to use it only for this purpose and not to do anything else, why should I worry about whether it has a zip code, date of service, last onset of illness or any of that kind of stuff? The researcher is saying I'm willing to be bound. I'm willing to accept penalties and protect this information. We've gone way overboard in creating the safe harbor in this context.

DR. ROTHSTEIN: You could disclose the information of the 6,000 people in a zip code because it would be above that regulatory number, right?

DR. BOSWELL: What am I going to do about the strip printouts that Mr. Klepinski wants for his people to just look at this non-identifying information. It's case specific. It's unique. It happens to have the date that the strip was printed.

DR. ROTHSTEIN: That's a separate issue. I'm trying to get a sense of how we can make life easier for research and still protect the privacy rights of any individual. I'm sure that may well have been considered by the department and rejected for some reason. The thought is that maybe if we came up with a number, some statistically based number, that would be a rough way of knowing what to use.

DR. BOSWELL: It's a pretty heavy set of data analyses I'm going to have to do on the database in order to figure out if there's any characteristic.

DR. ROTHSTEIN: The more fields you use, it gets very impossible, but if you have the single field, the zip code to use your example and we had a number, that would be very easy for you to say.

DR. BOSWELL: It still would require me to hire a statistician to analyze the database.

MR. BLAIR: I think you said you had some suggested wording for us.

DR. BOSWELL: For example, if the data are going to be used under a very precisely defined set of purposes, why can't we say that the kinds of de-identified data that have been made available before would meet the requirements of the regulation. There are other circumstances in which the regulation permits the disclosure to others for specified purposes.

I don't understand why the suspicion about making data available for controlled purposes to researchers many of whom are associated with covered entities and who would be obliged not to disclose it in any event. I'm troubled by continuing to rely on the statistics and probability measure as if all research involves electronic data.

If I get a solution that deals with electronic data where somebody can do a lot of statistical runs, that one piece, but that's not where the bulk of the research gets done. It's much more on a focused level of individuals looking at data and trying to get a feel for how the data works which does not ordinarily involve a computerized run of bin sizes and cell sizes and other things. You could create safe harbors for that kind of research, but it would not fix the fundamental problems that the lack of de-identified option.

MR. BLAIR: More specifically, when you divided the research into categories, I think you had specific recommendations for wording modifications that would be appropriate to the three different categories.

DR. BOSWELL: I favor the discussion talked about earlier which was if we define research as research approved under the common rule, there's no reason why an organization like Hopkins shouldn't be waived to operate just under the common rule. I don't see why we need all the new requirements.

With respect to data research, I do think there are problems because the regulation does not allow this kind of controlled contractual use for research, limited uses for research. Because we don't have any mechanism for a privacy board or something to bless the creation of the database, we need something which would allow the databases for research purposes,

We're going to need to do lots of big number database research as we plow through the genomic information. I'm not sure if you're ready for that in the regulation, but I would love to see something which would authorize a privacy board to create access to a database being subject specific limited access, held accountable for the use of the data in the public interest. It's keeping it within the rule to assure that privacy is protected by controlled, more limited access to the data.

As I suggested before, I'm not comfortable with anything other than authorization for research that is going to involve interventions and not be reviewed by an ethics board.

DR. ZUBELDIA: It sounds like for the de-identification of data, you're proposing three different types of safe harbor. The safe harbor we have today for data that would be released to the general public and a less safe harbor for data that will be released to qualified researchers.

DR. BOSWELL: That's one way of looking at it. That would work.

DR. ZUBELDIA: I assume that you would want to have full disclosure as to what is in the safe harbor and would you want to have authorization or consent?

DR. BOSWELL: If you rely on patient authorization, you might as well forget it. It's not possible to get authorization in those circumstances.

DR. KLEPINSKI: A large number of these things are retrospective. I talked about the problem solving one. When you find a complaint from a hospital that a device is not working as they expect, you have design experiments. You have to gather data on what happened and go back and look at other patients who were implanted commercially to look at those and see if there's a trend within that hospital. Those people never sign authorization. In the past we've been lucky that it's de-identified.

DR. ZUBELDIA: How safe is that safe harbor?

DR. BOSWELL: It's as safe as the trustworthiness of the relationship between the researcher and the clinician, something that we've relied on for years. It's a relationship that forms the context.

DR. KLEPINSKI: That data is going into an FDA controlled entity. The analysis is controlled either the quality systems regulation or the clinical regulations in the FDA. There is a well established set of processes that have been set up over the decades for handling these issues under FDA control.

DR. FITZMAURICE: I'd like to ask Jennifer Kulynych a question about one of the proposals you made on the de-identification of protected information. As I understand it, you would have the researcher state that the information was only for research purposes and the researcher would not contact the individuals, and you define it somewhat like a restricted data set that there are some variables you would take out of the data set. What's left is restricted and an agreement between the researcher and covered entity; do I have that right? You propose that this be done without an IRB or privacy board review.

DR. KULYNYCH: There are several possible routes to addressing de-identification for research. One route would be to simply say the standard for research is a safe harbor, but require that there are contractual agreements. The other would be to allow for research that is IRB reviewed to allow the IRB to say the information you're receiving is de-identified to a standard appropriate. In the case of setting up a registry and you give us your assurance that you won't release it for other purposes.

DR. KLEPINSKI: I want to mention one more thing in the area of unintended consequences. There's a line in the preamble saying one of the goals of the reg was to encourage de-identified research. There couldn't be anything further from that result that's actually happened.

If that was a goal when these were established, it's time to go back and look from the beginning because we've gone the direction that's seriously discouraged or made it impossible in some cases rather than encouraging it.

DR. KULYNYCH: We have just heard from community hospitals who consulted with their counsel. Some have reached the conclusion that it won't be possible to de-identify data. All their research disclosures are of identifiable data.

DR. ROTHSTEIN: I have a question for Ms. Pollak. It involves the recruitment issue you raised. I want to be clear on what it is you're recommending. I'm a researcher at Hopkins. I'm thinking about doing something. What do I have to do under your proposal before I get access to medical records of all the people in the institution?

MS. POLLAK: As provided in the current regulation that's adopted, you don't have to do anything if you are preparing for a protocol. In other words, a researcher would have full access to all PHI for all patients past and present to be able to prepare a protocol for IRB review. The regulations require that that researcher only use that information for purposes of preparing the protocol and that none of that information will be disclosed to anyone for any other purpose.

I'm not changing that for the recruitment. You would have access to all those files under the regulation as adopted. You don't get any more access than they've already got, but it needs to be that as you're looking through those files, if you can find six adults who had this rare cancer and the study is approved, you are allowed to call them and ask them to participate in this research protocol.

MR. FANNING: How does this occur now? Suppose the researcher finds a number of people who are likely to be approached, is a protocol prepared and then reviewed by the IRB before the researcher approaches the individuals?

MS. POLLAK: Yes. In other words, nothing would be done until you get that approval in at Hopkins. We approve all federal and non federal research protocols through IRB so there can be no research approved by their organization that wouldn't have had that review.

MR. FANNING: Do you have some standard set of procedures or specialized review questions when individuals are to be approached cold as it were?

MS. POLLAK: Yes. There are privacy protections under the common rule. One of those is that you're supposed to be looking at what it would mean to even be identified. That needs to be part of what you bring to the IRB. If the value of the study is determined there are only six of these people and this is the only way you can do the study and this is an important study, we believe that that phone call is an appropriate concern. Person has an objective right to say yes or no.

MR. FANNING: I take it that the method of contact is one of the aspects that's reviewed by the IRB?

MS. POLLAK: It is and sometimes the written is not approved because it may be something that would be disclosed to another person. Sometimes it is determined it is a phone call between researcher and individual.

DR. ROTHSTEIN: I have another question for you and that is this: The way the rule currently reads, when someone checks into your institution, they sign a consent for a TPO, but presumably for all these other things, they need to sign authorization.

The problem is that as a theory wouldn't be so bad if we didn't have so many things that had to go into each authorization that it's a big stack of paper. In theory, at least, if we could reduce the kinds of information disclosures to get authorization, you could have check boxes on one sheet of paper where hypothetically you would check, do I consent or authorize fundraising from the hospital where I'm treated? Do I authorize disclosure to the Red Cross and Cancer Society, if we could get to that stage, would you feel more comfortable with the distinction between authorization and consent?

MS. POLLAK: I think that's a less desirable solution and here's why. Let's say that of the 300,000-400,000 people that come to Hopkins this year, 150,000 mark no on may you use my information for research. That's kind of scary without anybody there to explain to you how the information is going to be used.

If you follow the suggestions that I'm making, there would have been a whole process of review under the common rule before that question ever gets asked and then when that call comes, it's for a very specific purpose and that person will know what they are disclosing that information for.

It's one of the points I make in my testimony that is given an authorization form that says this may be redisclosed, that's kind of scary. My solution on fundraising is different. People know what that means. People know I'm going to get a call from someone who wants money for the Wilmer Institute. Do I want them to call me? No, I don't. X. That doesn't change the database for research.

For many types of epidemiological research that would be difficult and then we have to keep track of all those people who said yes and all the people who said no. We would have to redesign our computer system to be able to track those responses with respect to all of those research issues.

DR. KULYNYCH: We feel that wouldn't address our concern about covered entities that are not research institutions and that's a discretionary activity. As long as there is that liability for research disclosure and as long as authorization provisions apply in any form, there is a substantial disincentive to make those disclosures.

DR. ROTHSTEIN: Further questions?

MR. FANNING: There's been a certain amount of question raised about record-based research where access is going to be given to a researcher, a number of questions raised about the additional criteria set out in this regulation above the ones that are in the common rule. Tell us what's wrong with those criteria and why an IRB wouldn't consider them anyway in making the judgments they have to make under the common rule now to waive consent?

DR. KULYNYCH: I would say the liability concern and the substance concern with the criteria. Whatever the criteria are, the fact that there is this parallel new regulation with all its associated liability is a concern and we feel for R&D research it's unnecessary and a disincentive for research, but we're concerned about debates over privacy rights and privacy risks.

We feel that that is a very amorphous criterion. What are privacy rights in this context? It's a broad spectrum of views. We're not sure how IRBs are going to handle that. The focus should be on what are the protections for the confidentiality of the data and does the research have scientific merit?

MR. FANNING: Are not those things that the IRBs are taking into account now in making judgments that the consent requirement should be waived?

DR. KULYNYCH: Yes, we would argue that they are, that they should be.

DR. BOSWELL: But this requires an independent weighing, a weighing of the privacy risks versus the value of the research. You're asking for a separate evaluation independent of all of the research risks that the IRB are weighing. It's now weighing all the research risks and whether or not that level of risk is warranted by the value of the research to be gained.

What the new waiver requirement says is you take just privacy risk. What is privacy risk? Subjective. Take privacy risk, especially in the context of this research where the identifiers are going to be protected and weigh it against the value of this study.

In effect, because you don't know what the privacy risk is, other than it's the same for everybody. If it got out, people wouldn't like it. It might harm them. It might be misused by someone. Those are the privacy risks. They're always going to be the same.

In the research context, you can control those by saying you can't have the identifiers, you can't contact people, you're under contract, and so forth. You're asking people to weigh privacy risks in the absolute versus, do I like this research protocol, do I think it's worth subjecting people to that kind of risk. It's a different weighing than currently occurs.

DR. ROTHSTEIN: Other questions? I want to thank panelists for a very lively presentation. I want to thank you, Dr. Boswell, for appearing with this earlier group. We will recess until 3:00 o'clock. From 3:00 to 4:00, the subcommittee will consider the consent provisions.

At 4:00 o'clock, we'll have our public testimony and then after the public testimony has concluded, then the subcommittee will take up the issue of minimum necessary from this morning.

(Short break.)

DR. ROTHSTEIN: Go back and try to make some headway on going through the recommendations. I would ask you to get out your consent recommendations. We had not done the three bullets on the bottom of page 1 and I will begin reading those and also I had a chance to take a look at them and I will make some suggestions which members of the subcommittee may or may not agree with.

The first one, permit providers to share individually identifiable health information to support treatment payment without obtaining a written consent and part of that will place a requirement for written notice at the provider level to ensure that individuals are educated about the use of their protected information for treatment, payment, and healthcare operations.

This would replace the consent requirement with a notice and you'll note that we deferred on the very first recommendation and I would say this is quite similar to the first one. Unless I hear otherwise, I will think that this is a deferral.

Second bullet from the bottom. The requirement for prior individual consent to use or disclose information for treatment, payment, and healthcare operation should be eliminated as was the case in the original HHS proposal. I would again say that this is subsumed within the first recommendation and the most recent one which we agreed to defer.

The last bullet on the first page. We recommend that the right to revoke consent not apply to categories of information that are necessary for treatment and certain healthcare operations. A long list follows. If you'll note, we had on the right to revoke consent.

The fourth bullet on the page said allow use and disclosure of data collected before revocation of TPO which we rejected. I think that's similar to one that we've already rejected.

DR. COHN: Without looking at the list, it's hard to know what this means. Maybe this is an approach for finer than a blanket. I don't know exactly what it means.

DR. ROTHSTEIN: If somebody can find what was recommended, we can reconsider it at some time in the future. Top of the next page --

DR. COHN: I just want to clarify, the first one you said many different. You mean like this we're basically --

DR. ROTHSTEIN: We're going to table this and subject to reconsider, if we find the list, it's not on our deferral list.

DR. COHN: Okay. Thank you for the clarification.

DR. ROTHSTEIN: Top of the second page, first bullet.

MS. GREENBERG: I think I found it. We recommend that the right to revoke consent categories not apply to categories of information that are necessary for treatment and certain healthcare operations. Those categories would include patient and employee safety, quality, certain population-based activities, peer review, employee performance review, education and training, accreditation, certification, licensing, credentialing, medical review, legal services, auditing, compliance, resolution of internal grievances and similar activities that require complete information. I guess this was such an extensive list why I said a long list follows.

DR. ROTHSTEIN: Is there anyone who wants to move that forward?

DR. COHN: I think it should be moved forward, but I'm not sure whether this is substantially different from the Kaiser position and if it is, I'm going to have to recuse myself. It seems like a reasonable set of issues that we need to somehow address one way or another. You may need to revoke, the use is really the healthcare or access to the provider, but the NCQA has a legitimate set of issues around revoking access information and quality measurement. Is this really the intent of what we mean by revocation here?

DR. ROTHSTEIN: Unless we start parsing out all the individual items, the net effect would be if we bought into that long list, there would be no right of revocation. You'd have to start a separate list of the things you could revoke.

MS. GREENBERG: I wondered what was what.

DR. COHN: I thought healthcare delivery was not on that list.

MS. GREENBERG: The provider has the right, as I understand it, if someone revokes consent and say I can't treat you anymore. That seems to be the information necessary for treatment that already seemed to be covered. If you revoke consent, then you don't have treatment anymore. I understand. If they revoke consent, you're diluting your database for quality purposes. It's understandable why, but it dilutes revocation also.

MR. BLAIR: Would you mind rereading the statement?

DR. ROTHSTEIN: I'll read the first part and Marjorie will read the second part. We recommend that the right to revoke consent categories not apply to categories of information that are necessary for treatment and certain healthcare operations.

MR. BLAIR: That clarified it for me. Thank you.

MS. GREENBERG: You don't want me to read the list?

MR. BLAIR: You don't have to. Thank you.

DR. ZUBELDIA: In that list of categories, maybe I don't understand it, but it sounds very disturbing that you cannot revoke consent for employee performance to you.

DR. ROTHSTEIN: Of course you can. You can make a condition of employment that the individual sign an authorization to review that. That's how it stands now.

MR. FANNING: Is it about that as distinguished from reviewing the conduct of the employees of the health institution?

MS. GREENBERG: Exactly. Let's say you bring harm to some patient and then get the patient to revoke consent.

DR. COHN: Without trying to solve this problem, I would observe that if I were the patient and I had an untoward event or problem, that would be an occasion where I might be likely to say I don't want to deal with you anymore. I revoke all access for you to use my data.

If by doing that, we mean that all that information is stricken and any performance measures or ability by that employer to identify that that ever happened, I don't know that that's what we want to do in the healthcare system. I'm thinking as an individual patient why I might revoke access. I don't have an answer to this one.

DR. ROTHSTEIN: Would the subcommittee be willing to put as a recommendation that we would recommend that the circumstances surrounding revocation be reconsidered and clarified by the Department because we've heard testimony that there are many different ramifications and circumstances surrounding revocation and we want to make sure they're all considered. Would that be okay? I don't think we have the time or wherewithal or testimony to.

DR. HORLICK: Recommend that the circumstances surrounding revocation be reconsidered?

DR. ROTHSTEIN: Yes, and clarified in its many forms. The second bullet on page 2 says records created before the implementation of this rule should be exempt from the consent requirements until patient encounter occurs after implementation of the rule. You'll see that we had already agreed to bullet 3 to some discussion of that already.

MR. BLAIR: No one on the committee is allowed to revoke their consent to the prior agreement.

(Laughter.)

DR. ROTHSTEIN: I'm sorry. I skipped a bullet. The first bullet is, we believe that revocation cannot be applied to information that has migrated into various systems beyond the individual record. I don't know what the word migrated means whether that's within the institution or to third parties.

MS. GREENBERG: I guess they don't want to have to be accountable for data in other systems that they don't have control over.

DR. COHN: I think if we approach the use issue, we'll probably be safer than if we approach the information system issue because everybody has different information systems.

DR. ZUBELDIA: Is this migrating to a different system or to a business associate?

DR. ROTHSTEIN: I don't know.

MS. GREENBERG: There's an example here. At Mayo, we have a number of registries for various diseases and procedures. These registries are used for quality control and improvement purposes. It would be extremely difficult to go into all these types of systems to extract information after revocation of consent and we would also dilute the usefulness of the registries for quality purposes.

DR. ROTHSTEIN: If, as I understand the proposal, if you got a central medical record and some information in it and that information may now be in 10 other departments at a large institution, the revocation only applies to the main, central repository and not all the other 10 places.

MS. GREENBERG: Only what applies in the context of being in the record as opposed to use of information from the record that got into some other database like a registry.

DR. FITZMAURICE: I'm trying to puzzle this through. If I'm a patient and go into the provider, my agreement is with the provider. If I revoke it, that means the provider can't use that data. If the provider put that data in other repository subject to his/her control, he can't use those repositories either.

If it's migrated to a business associate, get it back from the business associate. If it's gone to another covered entity that's beyond the first covered entity that I'm seeing, I'm not sure what the implicit agreement is that would govern the use of my data by another covered entity with whom I have the consent.

It seems to me that you can't just get by, by saying it's in another system. If I want them to take it out of this one system, you got to get it back out according to the privacy rule. I'm proposing that as a question.

DR. ROTHSTEIN: Maybe what we need to recommend is a clarification on the duty of the individual provider once they receive a revocation, what does that extend to? Do they have a duty to notify all the people that they've ever sent medical records to that it's been revoked or do they not have a duty to do that?

DR. FITZMAURICE: What is it you want the answer to be? I'm not interpreting it. That would have to go to OCR.

MR. BLAIR: The idea that revocation means that we would be responsible going back and removing consent to all prior information and to all information that may be shared, it seems to me to be impractical and beyond the scope that we could ask a provider to be able to track even with the best information system.

My thought would be that if revocation is simply saying from this date forward I revoke any new information that I have from this point on, at least that's manageable. That's my thinking on it.

MS. MC ANDREW: Just a couple of clarifications on the migration of the data. Because the consent is for the entity's own uses for treatment, payment, and healthcare operation that when that consent is revoked, that that is the universe and is affected as a whole and cannot then be used by that entity for treatment, payment, and healthcare operation because they no longer have consent to do that.

If it has migrated to another covered entity, that covered entity's either on its own consent to that data or it may be a plan where no consent was required and it has that regulatory authority for treatment, payment, and healthcare operation.

Once the covered entity, a plan is not bound by consent whether it has the information and consent is revoked by the original provider or not is irrelevant to the plan's continued use of that information. They have regulatory authority for treatment, payment, and healthcare operation. Consent is really between the individual and that particular covered entity and its own uses and disclosures of the data. The revocation then affects only the activities of that covered entity with respect to that data.

DR. COHN: I think what you're saying is that literally there could be the situation where the insurer or health plan could have a whole lot more information about what the provider is doing than the actual provider assuming that there are revocations that occur in the provider environment.

MS. MC ANDREW: We do have a provision that permits continued use based on reliance factors and there is some legal room within that, but it can't be expanded infinitely or it loses all meaning.

MR. SCANLON: I thought there was the concept of a time limited consent anyway or is the initial consent for infinity?

MS. MC ANDREW: The initial consent does not expire.

DR. ROTHSTEIN: With your consent, I would like to have Gail read the last thing that we agreed to with regard to consent. I think it generally would cover this issue as well on revocation.

DR. HORLICK: We would recommend that the circumstances surrounding revocation be reconsidered and clarified.

DR. ROTHSTEIN: I think we can give some examples of the things that we were concerned about and we can include this issue as well. We had already done the second one out of order. It's a combination of bullets 3 and 5 on the first page.

The third bullet on page 2, a revised rule is necessary. Guidance alone cannot fix all the problems. It's also important that change could be made quickly. That's not a recommendation. It's an opinion.

Fourth bullet. It should be up to individuals not the government to decide to whom they want to disclose personal information. Individuals and their doctors and other individuals should be free to enter into private agreement and disclosure of patient information including genetic information which I take it as another statement urging the deletion of the consent requirement which we have already previously deferred.

It should be up to individuals not the government to decide to whom they want to disclose personal information. Individuals and their doctors and other individuals should be free to enter into private agreement and disclosure of patient information including genetic information.

DR. FITZMAURICE: Point of clarification. Does that mean either individuals or their doctors or jointly with dual signatures?

MS. MC ANDREW: This was Ms. Blevins's and she was envisioning an actual contractual agreement between the doctor and the patient concerning the permissible releases of the information and actual negotiation. It is not a contract that would necessarily be enforceable under the rule. It would have whatever enforcement rights that a state would grant such a contract.

MS. GREENBERG: That was in looking through her testimony as close as I could get.

DR. ROTHSTEIN: That was a way of providing additional protection to the patients where they could agree with their doctors to give them greater protection which in many instances does exist where there are private agreements not to include certain things in records and so forth.

MS. GREENBERG: When you're done with this one, let me just ask you about the previous one. This one was stated as a recommendation.

DR. HORLICK: The agreement was stated as a recommendation.

DR. ROTHSTEIN: I think part of her position was that the whole privacy rule.

DR. BLEVINS: It was for the individual to be able to have consent, but consent on the terms that they would like to have and not to have the rule dictate the terms of the consent form. I call it a private agreement because that's more extensive than just the consent form that's outlined in this rule.

DR. ROTHSTEIN: Would another way of putting it be that HIPAA provisions protecting privacy serve as a floor for protections that could be then negotiated between the physician and the patient; is that what you're saying?

DR. BLEVINS: No, because I'm saying that if you don't want what this has to offer, that you can have a private consent form that the doctor can have a form that's not outlined by this. As we've heard, there are a lot of different opinions about it. So if you would like to have a simple clean contract, it's a doctor/hospital form.

DR. ROTHSTEIN: It's an alternate arrangement.

DR. BLEVINS: Yes.

MR. BLAIR: Did I remember incorrectly, I thought one of the examples you were giving was to be able to enter into a contract with your provider so that you could explicitly exclude access by law enforcement agencies, by employers, by others. Do I remember your testimony correctly?

DR. BLEVINS: I didn't give a list that would be excluded because the contract would have to be a literal contract and whatever that state law is or federal law so that the doctor couldn't write a contract that would override a law that said law enforcement could get a subpoena and come in if they think the doctor is improper.

I didn't say what it could exclude or cover. I just said that it should be the individual and the doctor together, that they should jointly decide. If the patient doesn't say you must sign XYZ, the doctor doesn't get to say patient you have to sign XYZ, but together, they can have a private agreement.

If they don't like what this rule is offering because it's so complicated and it doesn't offer all the protection that I would want, that I could still go do that. It's not saying that you still have to abide by this. I'm saying, you can go off and do this on your own and it's just another option to consider so that every citizen in this country doesn't have to abide by this rule if they don't think it does enough for them.

DR. FITZMAURICE: The physician can choose not to agree to this, right?

DR. BLEVINS: Yes.

DR. ZUBELDIA: You can say this is the list of elements that I want released to my insurance company and the doctor agrees to that, that's what they release?

DR. BLEVINS: The rule is you'd be happy -- submit to the subcommittee actual sections of the code. I'd be happy to submit actual sections because there is a section that says even if a doctor agrees, this rule is going to preempt that agreement. That's what really concerns me more than anything. I'm not saying the doctor has to agree because the doctor has to abide by the minimum necessary laws and regulations that apply in his/her state.

DR. FITZMAURICE: Is what you're getting at is an agreement that the doctor will not abide by the exceptions of privacy rule, the 512 exceptions?

DR. BLEVINS: I just know that technology is being involved and that we're not going to be able to know. I don't know what kind of protection I'm going to want five years from now. I don't want to have to be locked into this agreement. I want to be able to have a private contract and I do want consent to stay, but I also want to be able to have that private agreement. I can't list the laundry list of what I would want to stay and go. I don't know what kind of technology we're looking at five years from now.

DR. FITZMAURICE: I'm not sure that the doctor has to abide by an agreement that is signed that says I won't use my data for research or for law enforcement purposes.

DR. BLEVINS: I'm not sure I understand the question.

DR. FITZMAURICE: I'm not sure the doctor can sign away the ability not to abide by those exemptions. The doctor can refuse to give information, but if you send an agreement, I'm not sure the agreement is valid. The doctor may break that agreement legally because of the privacy rule. You're saying he could be sued under the state contract law.

DR. BLEVINS: It's actually the privacy rule does not allow him to sign a contract that says I'm offer you confidentiality. The section of the rule says that if the doctor agrees to that, this rule says that that is an invalid consent. I'm concerned about that. I want to be able to have a valid consent. I called it agreement because it could be a contract or consent. It's just to be futuristic that five years down the road something that I signed two years ago, I don't know if I would like what I signed then. I want to have that freedom.

DR. FITZMAURICE: The thing that concerns me is I think you're not going to the rule. You're going all the way back to the law passed by Congress. I don't think we have the ability to abrogate what they've written.

DR. BLEVINS: I read the statute and it does not say this. In fact, this was basically unconstitutionally delegated. Congress never voted on what privacy rights should be. They just said if we don't pass along, I think for civil rights and everything else I had to do that. There was no clear definition of privacy rights in that statute and there was no clear definition of contract was to be offered to individuals.

So if you have the ability, Congress said do what you want. There were some other provisions of who would be a covered entity and fines and penalties. I don't want to take your time.

DR. ROTHSTEIN: Now that we have a clearer understanding of this, is there someone who wants to move this as a recommendation? Hearing none, it goes in the other pile.

MS. GREENBERG: Could I go back to the previous one. You said this isn't a recommendation, but in a sense it is.

DR. ROTHSTEIN: The third bullet? Okay.

MS. GREENBERG: I know that the Secretary has said that he intends to revise the rule, but it is within the committee purview to say we don't think it's a good idea to revise the rule or we think it is a good idea. There is the issue that we think guidance alone could fix the problems that we've heard about. That is a recommendation. I'm not arguing for or against it. It is something that you might want to take a decision on.

DR. ROTHSTEIN: Let's put bullet 3 back on the table and bullet 3 says, a revised rule is necessary. Guidance alone cannot fix all the problems. It is also important that the changes be made quickly.

DR. COHN: I would support that. I would make sure the second part of it gets included which is that whatever direction needs to occur, needs to occur before people start getting themselves all set up to do whatever from before. I'm not sure it needs to be an actual recommendation. It needs to be in the body of the text for the change and that we should be moving speedily to implement it.

DR. ROTHSTEIN: Other sentiments on this?

DR. ZUBELDIA: I would line up with Simon that if there is a change, I think the recommendation that should come out of here is that if there is a change, that change should be made quickly.

DR. ROTHSTEIN: I have no problem with incorporating that into our letter. That's the second part about the changes made quickly. What about the issue of a revised rule is necessary. Guidance alone cannot solve the problems?

DR. HARDING: That's getting into defining the revised rule which would take us a great deal.

DR. ROTHSTEIN: We don't know what revisions that could entail.

DR. HARDING: It may be better to focus on any changes you think should be made rather than say overall it ought to be revised.

MS. GREENBERG: The way Simon put it combined the two. If a revision in the rule is necessary, then it should be done expeditiously.

DR. ROTHSTEIN: Everyone have that. Moving now to Bullet Number 5. In a comment letter to HHS also recommended several different modifications of the prior consent requirement. First, we strongly recommend that the prior written consent requirement revert to the statutory authorization concept that was in the proposed rule.

Next, alternatively, the regulation could be modified so that the act of bringing a prescription to the pharmacy or having a prescription called in qualifies as implied patient consent. This issue is already in the process of being addressed by OCR. Do we need to endorse that or let it go?

DR. FITZMAURICE: Have we described that as a scenario that needs to be addressed or clarified? If so, then we've already covered it. If not, I would propose that the subcommittee might want to call on this as something that needs to be clarified as opposed to taking a standard position on it.

DR. ROTHSTEIN: We could raise the issue of first encounters generally and not that OCR is working on it and we support the need for revision.

DR. ZUBELDIA: There are two concepts that we were getting a little bit mixed. The concept of consent and the concept of prior consent. In this case, I don't see how the fact that the prescriber calls the pharmacy constitutes consent from the patient. There are some cases where consent is required, but it may not have to be prior to the service.

Specifically in the case of pharmacies, if a patient doesn't consent, you cannot dispense the product and wipe the information off the computer. I think that somehow the word prior is getting in the way. I don't know what the solution is. There may be a way to separate prior consent from consent.

DR. ROTHSTEIN: There is a recommendation two bullets down that takes a look at that.

DR. FITZMAURICE: There is a concept in the privacy rule that if a physician refers a patient to a radiologist and they get an x-ray, the radiologist may not see the patient, but is an indirect provider. That radiologist can build on a consented report.

You might think of a pharmacist as an indirect provider before he sees the patient. The patient is referred to a prescription to the pharmacist and the pharmacist delivers care like the radiologist did. Here is medication to the husband or wife, bills the PBS and may never see the patient, but works under the consent received by the referring physician.

DR. ROTHSTEIN: The only difference is in the true indirect provider situation, you've got the other provider working with the initial provider and with the pharmacist they actually go to the pharmacy if only to pick up the prescription where you've got a consult essentially and it's a different story.

DR. HARDING: What if the husband goes there?

DR. ROTHSTEIN: We're addressing that. What I'm saying if there is a prescription written that says you need to go to some imaging center, now that's a separate provider and they're going to have to get their separate consent. They're going to be allowed to set it up because they're an indirect provider. They have to share the records.

DR. HARDING: This is the question I was trying to ask the pharmacist yesterday. You send that prescription in. I haven't gone there yet. They take that and put it on the database and bill me before I ever get there. Maybe I'll go or not, but it's already gone and entered. It's troubling to me to go and have all that happen and I may never go and pick it up. There are a number of people who don't.

DR. ROTHSTEIN: What is your pleasure on this bullet?

MS. GREENBERG: Clarification there. That's what I heard yesterday. The current procedure is that the medication is actually billed before the person shows up.

DR. HARDING: What they testified yesterday.

MS. GREENBERG: If the person never picks it up --

DR. ZUBELDIA: The reverse transaction where you can revert the dispensing of the medication back and it's the cancellation of the claim.

MS. GREENBERG: If the person doesn't come within a reasonable time, they cancel it.

DR. FITZMAURICE: I'd like to interject that one or two days ago, there was a question about one of the testifiers asking is the patient's name in the NCPDP standards for a claim, is it a standard element? I got an e-mail at noon today that said it was not a required element on the claim.

MR. SCANLON: There are three bullets that try to get to the same issue. We should deal with them as a family. I think HHS has already committed to resolving this situation. I think the committee would like to say we see this as an issue too and here are a couple of possibilities for resolving it.

The next bullet says modify the rule to provide one consent form for all treatment, payment, and healthcare operation and this would extend to the pharmacy as well. You'd be asking the physician to call in your pharmacy as well. The problem is that the pharmacy then makes inquiries about your health insurance information as well.

DR. ROTHSTEIN: It's not the disclosure to the pharmacist. It's the disclosure from the pharmacist.

MR. SCANLON: These are a family. I'm not sure which is superior, but that's the way it was testified yesterday.

DR. ROTHSTEIN: Would it satisfy the subcommittee members if we put in our recommendation we recognize that the issue of pharmacy dealings is something that needs to be clarified and we recognize that OCR is already giving this some attention and we want to support them in their efforts to resolve this issue.

Moving on the next area where we're going to help provide guidance, the last bullet on the page, the APA agrees with Secretary Thompson when he stated in the guidance we will be proposing modifications to allow direct treatment providers receiving a first time referral to schedule appointments, surgery or other procedures before obtaining the patient's signed consent thus clarifying a statement in regulation. Patient consent should not be required for treating physicians to consult with colleagues or medical students to establish patient referrals or to begin indirect treatment relationships with others.

For some of these concerns, they're already addressed in either the reg or the guidance. Certainly the issue of consultation with colleagues and medical students is expressly discussed. The issue of course is what the referred physician may get. The authorization has already been given for the referring physician to disclose information. What information may be redisclosed somehow by the referred physician?

MS. MC ANDREW: Conceptually, yes. It's both a use and disclosure limitation on the provider receiving the referral.

DR. ROTHSTEIN: Perhaps what we can do is make the prior agreed to statement broader, including pharmacies and other referral services. Would that be okay?

MR. SCANLON: Mark, I think we skipped the second from the last bullet that had an implicit recommendation for delay.

DR. ROTHSTEIN: The one that begins in conclusion? In conclusion, it is imperative that the compliance data delays compliance date until two years after the final modifications have been made to the rule. Requirements in the final rule will substantially alter pharmacy operations and the compliance will take two years of preparation. Anyone supporting that one?

DR. FITZMAURICE: It would take an act of Congress.

DR. ZUBELDIA: It would take an act of God.

(Laughter.)

DR. COHN: If you'd like some language around this, you can refer to some letters from the standards and securities.

DR. ROTHSTEIN: Moving on to the next proposal, healthcare plans in clearinghouses should be required to obtain a patient's meaningful consent before their medical records can be disclosed for treatment, payment, and healthcare operation. The regulation should not be limited to only healthcare providers obtaining consent.

DR. COHN: I think that's intriguing especially the clearinghouse part, but I think realistically, it's probably unworkable.

DR. ZUBELDIA: I don't think clearinghouses have any way of getting patient's concerned.

DR. ROTHSTEIN: Is there anyone who wants to move adoption of this recommendation? It's not adopted.

DR. HARDING: Mark, I'm recusing myself on discussion of the next ones.

DR. ROTHSTEIN: The patient should have the freedom and the ability to revoke the consent at any time. The APA is concerned that the rules do not adequately give protection to the patient. We already have addressed revocation I think. Unless somebody wants to discuss the language, we can just say we have already addressed it.

Third bullet on the page, as you recall, there are provisions in the regulation regarding comatose patients. We suggest these have a relationship to the patient's unique with respect to health information of involuntary patients being treated for mental illness or substance abuse pursuant to state law. The privacy rule does not make an exception for involuntary patients who refuse to sign a release permitting the use and disclosure of their medical information. Would comatose patients be covered under the emergency provisions? They would.

DR. FITZMAURICE: What about involuntary?

DR. HARDING: If you have a patient who has been committed to a mental institution and is competent because many of them are competent to give consent, say, they're a danger to themselves but they're competent, they're sometimes in a perverse way because they don't want to be in the hospital, say I don't want any treatment. I refuse. Is their consent there allowed or is it automatically granted to treat that patient refusing treatment, but who desperately needs it.

DR. ROTHSTEIN: Isn't that beyond the privacy reg? More general?

DR. COHN: I don't think you're talking about the competency treatment that you're seeing now is competency. That's a whole other issue with state laws and 36-hour holds and all that. Am I wrong about that?

DR. HARDING: That is true. That's a state law, but this has to do with the person who is competent, is being held in an involuntary situation and is, therefore, also refusing to sign things for information and consent. That is a very legitimate issue. If they're being held in an involuntary manner, you should have the right to have access to information for treatment.

DR. ROTHSTEIN: Is there further action on this recommendation?

DR. COHN: I would move it.

DR. ROTHSTEIN: Simon wants to move this Bullet 3.

MR. BLAIR: If there's somebody who takes a position one way or another, it would be helpful to me to hear their rationale. I don't know what to do.

DR. COHN: Maybe I can clarify this further. Under normal circumstances, if a patient refuses to sign a disclosure treatment, payment, and healthcare operation, a provider says, it's an emergency situation where a provider doesn't have an option. Patient no longer has control over their healthcare. Under those circumstances, you need to have access for treatment, payment, and healthcare operation.

MS. MC ANDREW: There are three exceptions to the consent which are emergency treatment, required by law to treat or substantial communication barrier to obtaining consent. This would fit into required by law to treat. The rule would already permit a waiver of the consent requirement.

DR. COHN: I would like a comment from Richard on that.

DR. HARDING: There are people who are committed who refuse treatment, but it could be fit in that second category.

DR. COHN: I'll withdraw it and review it.

MS. GREENBERG: It just requires clarification then.

DR. ROTHSTEIN: We are going to request clarification on involuntarily committed patients who refuse to consent to treatment who are competent. Is there also a regulatory waiver of the requirement of consent for disclosure of their information?

We will have to hold up on our consent discussion and pick up with that after the public comment period which is now ready to begin. Each of you will have three minutes and we will address questions as necessary. You will be requested to testify in the order in which you signed up. The first witness is Andrew Beato.

MR. BEATO: Andrew Beato. I'm here on behalf of ACA International.

DR. ROTHSTEIN: Could you move the microphone closer, please?

MR. BEATO: ACA International. We are an international trade association of credit and collection specialists. It will all be clear to you in a second. I thank you for the opportunity to present testimony on some of the unanticipated consequences of the privacy rule for the small business members of our association.

At the outset, I refer you to ACA's August 9 written submission to the subcommittee as well as our comments to the Department in 2000 and 2001. ACA is an international trade association of 5,300 trade and collection specialists.

We provide account receivable to the healthcare industry. Our members are regulated by the Fair Debt Practices Act or FDPA and the Fair Credit Reporting Act. These federal statutes are at base privacy laws that contain detailed legal requirements for the collection of debts and reporting of consumer information to national consumer reporting agencies.

Under the privacy rule, the majority of ACA members are business associates or healthcare clearing houses. We work directly with healthcare providers to recover the outstanding patient pay portion of receivables. In 1999, hospitals wrote off an estimated $23 billion to bad debt. Through our services, providers were able to recover millions of dollars annually otherwise lost to bad debt.

This helps control healthcare costs. We believe that the privacy rule has unanticipated consequences affecting our ability to collect debts for the healthcare industry. Based on the time limit today, my intention is to briefly summarize our position and refer you to our written comments.

First, we are concerned that the rule conflicts with the Fair Credit Reporting Act which imposes an affirmative duty upon data furnishers to update personal information reported to a national reporting agency if they come into possession of more accurate information.

This can and does occur in the process of collecting healthcare receivable. The rule impacts our ability with information services including an address, telephone number, or place of employment as permitted by the Fair Credit Reporting Act.

Healthcare providers rely on our members for this information for patients that inadvertently provide wrong demographic information. Third, the rule's sweeping definition of PHI which includes credit related demographic information places into serious question a business associate's use of this credit information for payment purposes.

Sharing this information with a business associate is dependent on consent. At the same time, other federal statutes allow this credit information to be exchanged for credit purposes. In light of these conflicts, we respectfully request that the subcommittee consider three narrow modifications to the rule set forth in our written comments.

Minor language changes would permit business associates to report medical debts to consumer reporting agencies. Clarify that location information services are permitted under the rule and third, remove certain demographic information from the definition of PHI when used for the limited purpose of conducting payment activities.

I stress that ACA members only seek information that is minimally necessary for sufficient collection under the payment activities under the rule. Our members are committed to protecting the non-payment or treatment information in fulfillment of this function.

We appreciate the department's effort to address our concerns in the July 6 guidelines. The subcommittee should be aware that the guidelines do not carry the force and effect of statutory or regulatory law. This means that our members and their healthcare clients are in the untenable position of reconciling the conflict with practices permissible under other federal law. We believe narrow modifications are required and appreciate your consideration.

DR. ROTHSTEIN: Thank you. Questions from the subcommittee.

DR. HARDING: Would you briefly repeat the three things you wanted?

MR. BEATO: We want to be able to permit business associates to credit report medical debts to national consumer reporting agencies.

MS. GREENBERG: We have written comments.

DR. HORLICK: Could you just say who you want to report to?

MR. BEATO: Three main national consumer reporting agencies.

DR. ROTHSTEIN: Other questions. Thank you very much. The College of American Pathologists.

DR. RADA: There's a little half page handout in the stack that was given you. I'm Roy Rada, speaking as Chair of the Healthcare Information and Management Systems Society, HIPAA special interest group. It is a 16,000 member professional society whose members serve covered entities in the area of information and management systems.

Many of the 500 plus members of the special interest group play a prominent role in implementing HIPAA covered entities. In the comment period the special interest group focused its energies on communication with others its conviction that the privacy rule should go into effect as originally published.

The members' highest priority has been to share best practices. Entities may be expected to have similar practices. If entities can share their experiences and recognize a consensus among themselves, among their peers, they will achieve economies of scale and help operationally define the meaning of the privacy rule.

The DHHS has encouraged such self organization of the health care industry via the identification of the best practices among peers. We are requesting that this subcommittee recommend that units of DHHS that have available R&D funding to support the discovery of best practice, use the money in that way. Professional societies would be candidates to apply for such funding. Thank you.

DR. ROTHSTEIN: Any questions?

DR. FITZMAURICE: Are you talking about best practices for implementing the privacy rule?

DR. RADA: Yes.

DR. ROTHSTEIN: Any other comments? More money to HHS and then from HHS to all needy academics.

MR. SCANLON: We would like to hear about some of those best practices.

DR. RADA: I wasn't suggesting that there be new Congressional budget. I'm talking about seed money to have a conference for some group that has members and wants to comply with HIPAA. If there was some seed money, they could better share their information and publicize it.

DR. ROTHSTEIN: Thank you for the suggestion. Mr. Jim Pyles.

MR. PYLES: Thank you. I appeared yesterday. I have a written statement. I'm here on behalf of the American Psychoanalytic Association. Before I speak, I would like to make one comment about the first encounter issue. It is not one just characteristic of pharmacies. There is a whole world out there of medical equipment and suppliers who have equipment for delivery to a patient's home and they often have to do that and make those determinations based on the medical record before they see the patient and get their consent. I think you're on the right track if you broaden that request from OCR to cover more than just pharmacies.

On the question of consent that a pharmacy might obtain before providing a service or filling a prescription. A patient may well want to pay out of pocket and not then have his information go into a data base. Only by the mechanism of consent would the patient exercise that option. If you allow that information to go before consent is given, the patient does lose that option.

Section 264(b) of HIPAA has set forth the rights an individual should have and that's what we're talking about. On April 14, those rights become effective. Every citizen in the country has rights that vested in them as of April 14th. These are rights they now possess.

The compliance dates are off, but the rights are vested. Think carefully when you recommend changes in the regulations that you will be rescinding rights that folks already enjoy. If you do not permit patients to have the power to give and withhold consent, the communications will not be made.

The physicians will not have the information they need to make diagnosis and treatment. When the researchers tell you they need this information and consent should be necessary, unless you give the patient some control, the information will not be available for research or it will be corrupted data.

Protections need to be certain. Patients need to know that the information won't be disclosed later. The Supreme Court considered this decision and decided that the free disclosure was so important, the patient had to feel comfortable about no disclosure without his consent.

The protection should apply to all communications just as the psychotherapy privilege. Exceptions should be made clear and they should be very narrowly defined. There are special protections that are intended for psychotherapy notes and we ask that there be clarification and that convention not be permitted.

DR. ROTHSTEIN: Question.

MS. KAIGH: My name is Robin Kaigh, a private citizen. First, I want to underscore and make sure that those listening on the Internet understand what the common rule allows. In plain English it allows actual research to be done on patients without patient consent if an institutional review board decides it will pose minimum risk to the patient. That is already law.

Why should any citizen be a guinea pig without his consent? I think that needs to be underscored since it has been mentioned today. It should be up to the patient, not someone else what poses a minimal risk to him.

In response to Dr. Welles for Genentech and the other panelists, a patient should be asked before his medical information is used for research. That is just on a common sense basis necessary for privacy.

The privacy rule as currently written requires consent for research, but allows consent to be waived by an institutional review board or privacy board. That is already pushing the limits of privacy, taking away the choice from the patient and letting others decide how his information should be used. It would be extreme to automatically include research as a consented-to item along with healthcare treatment, payment, and healthcare operation.

In terms of a de-identification, there is a fallacy in the Genentech presentation. On the one hand she says they need all identifying information if possible. On the other hand, she says even de-identified information is always reidentifiable.

It is ridiculous to suggest that five-digit zip codes and all dates should be supplied without a name. Either the zip code or birth date alone is a powerful identifier. I object to the panelists presented so far. There is not a balance of views here.

There are almost no speakers protective of privacy. Almost all invited guests represent doctors' groups, hospitals, researchers, insurers. Frankly, all groups that want maximum patient information. Where is equal representation by those who want patient consent before information is used for patient research other uses?

Where is opposing testimony saying that patients only want minimum necessary information to pass if such information must be shared at all? As an aside, Dr. Healy, a former director of the NIH in an op ed for the NEW YORK TIMES said that according to the Nuremberg Code no research should be done without patient consent even if it entails using someone's medical information.

What of the traditional Hippocratic oath of the doctor holding sacred the patient's information? There is a flagrant abuse of that doctor/patient trust occurring here with almost no representation by patient's rights groups. It seems that there will be a free for all within insurers getting the encounter information from the doctor's visit without the need for separate patient consent according to the recommendation decided by the subcommittee today.

That is hardly a small change or modification or clarification to this rule. It is a major change to the rule and it is my hope that the OCR and Secretary will view it as a major change.

My father, in his desire to help research as a physician who wanted to help mankind, agreed to let his cancer cell slides be used at a teaching hospital as long as his name was removed and he would be completely anonymous.

Unfortunately, they forgot to remove his name and on an overhead projector, his name appeared on a slide with the late stage of his cancer. Pretty soon many of his colleagues called him to say they were sorry he was dying.

To such a private man who was fighting for his life, this was devastating. There is a risk that researchers will not de-identify properly and therefore the patient should decide if he is willing to accept that risk.

Another concern is that with advancements in genetic research, tissue can provide clues to a person's likelihood to get cancer or other diseases. Such information does pose a risk of discrimination. So, again, the patient should decide what information he wishes to share. Would you want someone searching your house without your consent? Why should your medical records be given any less protection?

The Fourth Amendment drafters would wish our most private information to be included in its protection against unreasonable searches and seizures. I implore the subcommittee to acknowledge that these discussions have been predominantly one sided in favor of non disclosure of medical information without patient consent and the subcommittee should have further meetings in which patient's rights groups can attend and give opposing views protective of every citizen's privacy.

It is only fair to consider both sides or points of view before making any decisions on important matters. Again, remember the thousands of public comments wanting no access without patient consent. Thank you.

DR. ROTHSTEIN: Thank you. We appreciate that input. Questions.

MS. GREENBERG: I want a clarification on a particular recommendation had made that you objected to. Could you identify specifically which one that was?

MS. KAIGH: I had gone over to Susan from OCR and asked her to verify that my understanding was correct. Perhaps you could just speak to that since you are better prepared than myself.

MS. MC ANDREW: It was essentially the recommendation to permit a provider to give information to a health plan for that health plan's operations.

MS. GREENBERG: This is part of the rule so that health care providers may without individual authorization disclose to a health plan PHI necessary for the plan's healthcare operation?

MS. KAIGH: Yes. When I spoke to this lady from OCR, she did verify for me that that would include encounter information which would be information in addition to the diagnosis that transpired between the doctor and patient. It might be the substance of the entire discussion that took place in that office.

MS. GREENBERG: It would go beyond the information necessary for payment.

DR. ZUBELDIA: We've clarified, but when we're talking about encounter, the finding, the transaction.

MS. GREENBERG: I actually think there was a misunderstanding. One member voted for that, but against the next thing which appeared to be more restrictive. You just might want to revisit that in light of the confusion I had when the vote was taken.

DR. ROTHSTEIN: Let's take that up first in the next round of our review. Finally, Sue Blevins.

DR. BLEVINS: Thank you. This afternoon we've heard a lot about balancing privacy rights with researchers' needs to conduct research. The panelists today represented academic medical centers and researchers who clearly want and need access to patients' medical records without getting patients' consent.

Today patients' voices were not heard, but 89 citizens across the country, not myself, national polling data feel about researchers having access to their medical records without their consent.

The Gallup survey that was conducted last August, 67 percent of Americans don't want researchers to have access to their medical records without first obtaining their consent. When it comes to genetic testing, genetic research, 93 percent of Americans say that researchers should first have to obtain permission before studying their genetic information.

I would be happy to share this with the committee and I would like to request that HHS make available to the public an accounting disclosure of the comments. Citizens back in December 2000 and this past March took their time to send in comments. They greatly opposed research without their consent.

At one point, six of us were at HHS for almost five days going through the comments and the public is strongly opposed to what's going on here. I would like for HHS to present to the public, an accounting of the comments from both comment periods. Thank you.

DR. FITZMAURICE: Sue, what do you mean by accounting? What form would the accounting?

DR. BLEVINS: You've actually counted in other regulations and said how many comments have been received for and against. I care about healthcare. My heart is with you and I feel like I'm being a barking watchdog here. I say that in kindness to you, but HHS had a checklist in the binders and then I think they took them out.

People are concerned about the Constitution, and Big Brother. This is about the public and they should know if HHS listened to us. President Clinton did a good thing before he left office by putting in a consent provision because that's all I saw on those comments.

Overall, an accounting of how many people were in favor and how many people don't want it. It falls into three categories: industry absolutely doesn't want consent, people who favor the rule say keep it. They're more social left wing types. They said keep the rule, but keep consent, make it stronger. The right wing say -- if you take away consent, the people you're hurting is the people and you're helping industry. I would like to see an accounting.

MS. FYFFE: Is there a requirement or normal procedure that allows an accounting as this lady has mentioned?

MS. MC ANDREW: When we issued the final rule we addressed the public comment that we received on the notice of proposed rule making. The additional public comment that was requested in March because it was on a final rule and was not a notice of proposed rule making, there really is no APA provision for that kind of public comment. Basically, we are dealing with those comments on a less formal basis as general guidance to the Secretary to inform his decision prior to the April decision to allow the rule to go into effect and now in the process of considering where guidance is needed and modification to the rule may be needed.

DR. BLEVINS: Does the APA require in the first round of comments to give an accounting?

MS. MC ANDREW: The APA requires that the comments be considered. It doesn't require a count. We did provide a count of the number of comments we received. We may have on certain topics given accounts, but basically a single comment may have merit. Ten thousand comments, it's not an election and the position that gets the most votes does not win, but all of the comments are considered.

One of the reasons the preamble is so lengthy is that we had extensive response to the comments we received and we tried to summarize in the response to comments the major positions that were presented, but we did not enumerate.

MS. FYFFE: You're not required to slice and dice?

DR. ROTHSTEIN: I also think it's necessary to put one other thing on the record. That is the response to the comment that the make up of the panels was not representative of all interests. That's an accurate assessment.

The make up of the panels was deliberately selected because the purpose of the hearing was to get insights into the most efficient and effective strategies for implementing the privacy rule. It was not to do a total reconsideration of the philosophy or merits underlying the rule.

In that regard, we wanted to invite people who are actually in the process of implementing the rule to find out what are the problem areas they had, what areas there were needs for clarification or additional guidance. That is the nature of the make up of the panels.

Whether the committee in its deliberation goes beyond the scope of the purpose of the hearing in formulating recommendations is a separate question. I wanted to be clear that it was a deliberate action on our part to try to get as many people who are out there to deal with the implementation issues and to find out what the practical problems were that they have. I think our lead staff person, Gail Horlick, did an excellent job of getting those witnesses together.

MS. KAIGH: May I reply to that.

MS. FYFFE: Representatives of the covered entities who were heard from.

MS. KAIGH: My problem with that is that there is a semantics difference between clarification, modification which is more of a slight change rather than a major change which is what's been contemplated by some of the groups with considering removing the consent provision.

Once we get into that, it's not implementing the rule because we're talking about a major change to the rule as it was presented. I take exception to your representation is what you've done is invite people who are going to help make suggestions for implementation of the rule and you're only going to slightly clarify or modify the rule itself.

Once you talk about removing that consent provision, you're talking about changing the heart of this rule. How can you call it privacy rule if you're removing the consent provision as was contemplated yesterday by the panelists? You're no longer really protective of patient privacy. You've gone to the heart of the matter. If you're going to do that, it's only fair to have patient's rights groups come in and testify.

DR. ROTHSTEIN: Thank you for your comments. We will take a 10-minute recess, reconvene at 4:50 for 55 more minutes of reviewing the consent.

(Short break.)

DR. ROTHSTEIN: Before we get started, we have to back up and take a second look at the issue that we approved which is on page 1. The provision that we agreed to was something like amend the rule to provide that a healthcare provider without written authorization may disclose to a health plan PHI necessary for the plan's healthcare operation.

DR. COHN: I was just going to make a comment on that. This provision means that everybody can send all information for whatever purposes. It's the minimum necessary for the intended purpose. We're focusing on the ability of the health plan for HEDIS measures which does require more than electronic encounter information with the intent of ensuring quality of care. Charts will have to be looked at, but that's the current environment. That's the rationale and reality as we know it.

DR. ROTHSTEIN: This proposal would continue the status quo and undo the HIPAA with regard to these uses by health plans.

MS. MC ANDREW: Currently if the health plan's operations are not interwoven with the provider's own operations, the health plan would need an individual operation for the provider to give information that the health plan needed for its own. The rule as is. This would allow that information to flow without that individual's written authorization. It would flow pursuant to consent.

The plan would not have a consent. The provider would have the consent. We'd have to modify the rule so that the consent under the consent that the provider gets with the individual that allows the information to be shared not only for the provider's operations, but the provider to share with the individual's plan.

The disconnect comes in that the notice provisions that are provided to the individual at the time the consent is entered into is to the provider's uses and disclosures and will not encompass.

DR. ROTHSTEIN: The question I had on this was whether there's any evidence, whether we heard any evidence or there's been any evidence introduced that were there a requirement that specific authorization be obtained to do this that a substantial number of people would refuse to authorize it and that the result would be an impairment of the ability to provide high quality care by looking into HEDIS measures. Do we have that evidence?

MS. GREENBERG: I have a related question because what isn't clear to me is how at least half of the physicians are getting consent. Are any plans getting consent from patients? How would the plan get this consent? Does it have any real contact with the individual? I think the point that you just made is a good one too. Clearly, information is going to the plans and a person needed to know what the practices are. If they gave consent, they could find out and that disconnect is a problem.

It's not clear to me that the plans have a practical way. If they had to send something out in the mail, with mail surveys, I don't know if there would be any evidence because I don't think it's a current practice or requirement.

If you look at when things are sent out to people in the mail, the response rate is pretty poor. We've got those statistics. Unless it is obtained by the physician at the same time as the person is signing this other consent or time of enrollment.

DR. ZUBELDIA: That's the conversation that the plan is having a mailing list, if the plan needs to get consent, they get it at the time of enrollment. They can say if you don't give us your information, we can't service you.

MS. GREENBERG: They have that right?

DR. ZUBELDIA: Under HIPAA, you can't do that. We heard that a plan cannot dis-enroll a beneficiary because of lack of consent.

DR. ROTHSTEIN: We had the statement of the issues and the question is whether we want to revisit the vote that was taken earlier. It was four in favor, none opposed.

DR. ZUBELDIA: I can tell you that the information I had in mind that it was going to flow from the provider to the plan for the plan's operations was the encounter information.

MS. GREENBERG: That's already allowed by the payment.

DR. ZUBELDIA: That's what was not allowed because it's not for payment, it's encounter. We need to remove that barrier.

DR. ROTHSTEIN: It seems there are two ways of getting at what you want. If you're saying that a health plan can't operate unless they have access to all the information, then one is to do it this way and the other is to say that you can de-certify people who won't sign it.

MS. GREENBERG: At the time of enrollment?

DR. ROTHSTEIN: At the time of enrollment and say we're not going to take you unless you sign this authorization. One is to presume they've consented to that. The other way is to give them the choice and give you the choice.

DR. ZUBELDIA: That would mean that the plan would have to get the consent. This is proposing that the plans don't have to get the consent and just by getting the encounter information from the provider, they could still use that information.

DR. ROTHSTEIN: This way it will be easier for the provider.

MS. GREENBERG: Encounter information doesn't include everything.

DR. ROTHSTEIN: What I'm trying to figure out is a way that we can protect the patient's interest because if we go to this, they won't even know what's being disclosed and won't have a choice. If you gave them a choice, they might be able to find a provider and plan that's willing to take them without these disclosures that you need.

MR. SCANLON: This is not the Kaiser case where the doctors are employees of the plan. It's a different situation. A case where the plan enters into contracts with providers throughout an area, institutional and professional.

Is it not part of the provider's informed consent procedure to indicate that I am also obligated to share information with the plans I am affiliated with and make that part of the notice that he does or does that require written authorization? Why is it not the provider to provide this information and notice?

DR. ROTHSTEIN: It would need an authorization.

MR. SCANLON: Is it not a part of healthcare operation?

DR. ROTHSTEIN: Not of the provider.

MS. GREENBERG: There is a disconnect between allowing to send to the plan for payment purposes without the patient having the plan for payment practices and what they're going to go with that either and yet not allowing it for healthcare operation. Where you've got plans as opposed to individual providers, most of the healthcare operations are done by the plan. That's the whole point of the thing. There's a problem and some type of remedy is needed.

DR. ROTHSTEIN: Does anyone have a motion to reconsider this point?

DR. HARDING: I voted affirmatively. I guess I can move to reconsider.

DR. ROTHSTEIN: Let's re-vote on both parts of this bullet and let me read what that would be. The first part is to amend the rule so that a healthcare provider may without individual written authorization disclose to a health plan PHI necessary for the plan's healthcare operation. That's what we are re-voting on.

DR. ZUBELDIA: Any PHI?

MS. GREENBERG: The minimum necessary rule kicks in.

DR. ROTHSTEIN: The purpose might be operations and it could conceivably mean a broad range of things.

DR. FITZMAURICE: This is permissive. The provider doesn't have to do it.

MR. BLAIR: It's still within the context of PPO; is that correct?

DR. FITZMAURICE: No, if it were, it would be already covered. It's the health plan's operation.

DR. COHN: Extend it to include.

DR. ROTHSTEIN: PPO and HCO.

MS. MC ANDREW: It's for your own operation and operations of other covered entities.

DR. ZUBELDIA: Without knowing what the information practices of the plan would be?

MS. GREENBERG: They're already doing that for payment.

DR. ZUBELDIA: You know it's going to be used for payment only.

DR. ROTHSTEIN: Time to vote. We're going backwards. All in favor of this proposal as clarified, please raise your hand? That would be one in favor. All opposed, raise your hand. Two opposed. Abstaining? We're now at 1, 2, 2 and Chair not voting. It is defeated.

The other half of this was, amend the rule to ensure that the privacy rule does not prevent plans from getting information from providers that they need for accreditation and other health care operations. It would be similar, but more narrowly limited to accreditation related operations. It's not assumed in the first one?

MS. MC ANDREW: Unless you want to redefine other as the HEDIS indicators. Quality measurements which is only one of a long list.

DR. ROTHSTEIN: Let's make this for accreditation and healthcare quality only. Amend the rule to ensure that the privacy rule does not prevent plans from getting information from providers that they need for accreditation and healthcare quality purposes.

DR. ZUBELDIA: Can you add encounter to that list?

MR. BLAIR: What does encounter have to do with this?

DR. ZUBELDIA: If you have encounter information then it covers the healthcare operation that would be expected on indemnity equivalent environment.

MR. BLAIR: A lot of the pieces I don't understand. I could set forth a vote of support for accreditation and quality measurement purposes. I really need to make sure I understand how open this gets before I slide from an approval into abstain. I really want to support the need for this information to be shared within health plans. If it starts getting too ambiguous, I don't know what I'm voting for.

DR. COHN: I may have something that gets us out of this predicament and slides over to HHS to figure out how to implement. Rather than being more specific, we should be less specific and we're really talking about accreditation and other legitimate healthcare needs. We're not defining.

I think everybody is probably comfortable with health plans doing things that are really legitimate, quality, accreditation, but we're all against inappropriate access to wholesale information.

MR. BLAIR: I really feel comfortable when you wind up listing those.

MS. GREENBERG: Look at that Mayo list again.

DR. ROTHSTEIN: Ladies and gentlemen, we have 30 bullets and we have finished the first of the four sections.

MS. GREENBERG: This is an important point.

MR. BLAIR: You may choose to say yes this is the right way to go and we'll ask our staff to develop a list we can then discuss.

DR. ROTHSTEIN: The Mayo list was a huge laundry list.

MS. GREENBERG: Could we try to go through it quickly and if we can't -- I have to admit I'm a population health person from day one, but it says certain population based activities, that's pretty broad.

Patient and employee safety.

DR. ROTHSTEIN: Marjorie, I have to intercede because we can spend the next 40 minutes talking about that list. We need to is put it down over various conference calls and further revisions as well as some independent thought. We can decide individually what should be on that list and what shouldn't. This is a place holder.

MS. GREENBERG: Let me just say, if we're going to schedule a conference call, we have to have maximum participation, a quorum. We are going to need to provide public notice so the public can participate.

DR. ROTHSTEIN: If we're going to get to that, we might as well do it right now. We are not going to finish any of the other sections today or tomorrow. We'll be lucky if we finish consent. We need to get distributed to everyone the notes on minimum necessary research and marketing.

We will need a minimum of four hours conference call time, two two hour conference calls to get through the rest of the issues in minimum necessary and research. The question is, when --

DR. COHN: When are you back from vacation?

DR. ROTHSTEIN: We're going to have one of the conference calls without me. I'm not back until the 10th of September.

MS. GREENBERG: Until when?

DR. ROTHSTEIN: September 10th which is probably too late for our purposes. We have to give notice. Let's work it this way. Is September 10th, 1:00 o'clock Eastern time for a two-hour conference call?

DR. COHN: If you could make it earlier or later, that would be better.

DR. ROTHSTEIN: Two o'clock Eastern time. Would that work for you, Kathleen?

DR. HARDING: I have an airplane that leaves at 2:45 that day. We can do it at 4:30.

DR. ROTHSTEIN: What about in the morning?

DR. COHN: I'll defer to you on that one.

DR. ROTHSTEIN: Would 10:00 work for you, 11:00?

DR. COHN: I have another meeting, but I could be there for part of it.

DR. ROTHSTEIN: What would be the best time for you?

DR. HARDING: I have a meeting from 8:00 to 12:00.

DR. ROTHSTEIN: A plane at 2:00?

DR. HARDING: A plane at 2:45.

DR. ROTHSTEIN: How about if we did it from 11:00 to 1:00?

DR. HARDING: I would do my best to be on as long as I could.

DR. ROTHSTEIN: We'll have our conference call at 11:00 eastern.

MS. GREENBERG: Monday, September 10th.

DR. ROTHSTEIN: We're going to do it 11:00 to 1:00.

DR. FITZMAURICE: What is the date again?

DR. ROTHSTEIN: Monday, September 10th.

DR. COHN: Can I propose we do whatever has to be done the next day?

DR. HORLICK: I'm not available the rest of the week. I'm going to New Jersey the following day. That day is pushing it for me. I also have Rosh Hashana is the following week and I have another in two weeks.

DR. ROTHSTEIN: How about Thursday, September 20th?

DR. HORLICK: That's fine with me.

MS. GREENBERG: That is like three days before the meeting.

DR. ROTHSTEIN: We have no other days. What about Wednesday the 19th?

DR. HORLICK: That's fine for me.

MS. GREENBERG: I have a suggestion here. See what you can get, prioritize now what you're going to get through the next half hour and tomorrow. Then prioritize what you need to get through before the conference call on the 10th. Have the conference call on the 10th.

Go ahead then with whatever you've been able to get to by then and that goes into the letter. You have the entire afternoon on the 24th for the full committee. Tell them what other issues you're going to be discussing that afternoon. Bring additional issues the following day to the subcommittee. You could get quite a bit done. I know you wanted to talk that afternoon about future plans, but that could be deferred. I think any conference call after the 10th, is going to be very hard to schedule and very hard to incorporate into a letter.

DR. ROTHSTEIN: One conference call and do the rest at the full committee meeting?

MS. GREENBERG: On Monday the 24th. Right now we've blocked the entire afternoon for the subcommittee to meet.

DR. HORLICK: We did talk about using that time. This was when we thought we were going to have a full letter done.

DR. ROTHSTEIN: We can only do what we can do. I think one other way of looking at it is to say that the whole purpose of this hearing process was to provide OCR with in-person opportunity to hear from various witnesses and we've done that and we should declare victory. Anything that we are able to come up with in addition to that, is just gravy on the cake.

Let's move now back to page 3, Bullet 4. This is a long one and I'll read it for you.

MR. BLAIR: Can we approve the last item that we were --

DR. ROTHSTEIN: We can vote on the last item. The last item was amend the rule to ensure that the privacy regulation does not prevent plans to get information from providers that they need for accreditation and healthcare quality purposes.

All in favor of that proposal, raise your hands. 3. Opposed. 1. Abstention. It's 3,1,1,1. Last time, it was 3,1,0,1. We picked up an abstention in the last hour.

MS. GREENBERG: Where does that leave us?

DR. ROTHSTEIN: Approved and for us to put that on the agenda for the full committee.

Bullet 4, page 3. Patient should have the right to consent to or refuse participation in disease management programs. An individual's enrollment should not be affected if he declines to participate in the plan's disease management program.

We oppose any disclosures of health information for disease management activities without the coordination and cooperation of the individual's position. There is not such requirement in the final rule. We believe disease management needs to be defined narrowly to prevent inappropriate use and disclosure. For marketing purposes, it's health information without the patient's consent.

MS. FYFFE: People are currently put into disease management without the physician's coordination or cooperation?

DR. ROTHSTEIN: That is the statement here.

DR. HORLICK: We're going to have two people from the Disease Management Association tomorrow. I don't want to keep tabling things.

MS. FYFFE: Let's table until tomorrow.

DR. ROTHSTEIN: Can we table this tomorrow?

MS. GREENBERG: And bring this up with him.

DR. ROTHSTEIN: Yes, we're all on notice to ask the witness this question. Next bullet. The APA is concerned about the disclosure of medical records for judicial and administrative proceedings. Patients will lose some existing privacy protection because the current practice of hospitals and doctors generally requiring patient consent before disclosure will change as a result of the regulation.

MS. MC ANDREW: Because of all of the 512 disclosures including the one for judicial proceedings are permissive, the entity that has a stricter policy for information, there is no impediment in the rule for them to apply that practice.

DR. ROTHSTEIN: That would protect the institutions who want to have a stricter rule, but not necessarily the patients who wanted to take advantage of the permissive nature of the rule, right?

MS. MC ANDREW: Right. We don't perceive anything in current practice that would provide that so it's not that they aren't losing anything. If there is some other law that is extant that gives that protection, our rule would not supersede that more protective law. If an institution has adopted that practice now, there is nothing in our rule that would require them to abandon that practice.

DR. ZUBELDIA: The patient could get more protection if the provider agrees to it.

MS. MC ANDREW: In theory, yes.

DR. ROTHSTEIN: So we're clear on what the proposal is. Is there someone who wants to bring this one forward. Richard, you're going to recuse yourself from this.

MS. GREENBERG: Does this just require clarification?

DR. ROTHSTEIN: It wouldn't mandate the change of the practices of hospitals. Perhaps we need clarification of what the existing rule does.

MS. MC ANDREW: We have heard a similar comment from a number of sources. It could be something we could clarify in a FAQ mode to give assurances that everyone is able to have stricter practice in that.

DR. ROTHSTEIN: Is the sense of the subcommittee that we're going to request additional clarification? Okay.

Next bullet. But the new regulation would allow providers medical records to subpoena, medical request or other lawful process not accompany by an order of the court or administrative tribunal as long as reasonable efforts are made by the party to give notice to the patient or to secure a qualified protective order.

DR. COHN: It's the same.

MS. MC ANDREW: It's the 512.

DR. ROTHSTEIN: Next bullet. We believe that it is essential that the definition of psychotherapy notes needs to be expanded. While the APA is presently developing a formal policy position. There is an overwhelming consensus which has already developed among our psychiatric physicians about the critical need to include the medication prescription and monitoring, counseling session start and stop times, modalities, results of clinical tests and any summary of status, treatment plans, symptoms, prognosis and treatment plans today.

Let me also mention that similar proposal or recommendation was put forward by the American Psychoanalytic Association in their testimony yesterday and today. Is everyone clear on what the proposal is? It would extend the protection for psychotherapy notes to all communication with mental health professionals.

DR. ZUBELDIA: How are they going to do the billing? That can't communicate the treatment furnished, it's going to be tough to do the billing.

DR. ROTHSTEIN: That was exactly the question I asked and I think the answer was that they would still complete a form indicating what the diagnosis was and the care rendered. They would do that and nothing else. That was the answer I got.

Richard, is that the position?

DR. HARDING: Treatment code and diagnostic code.

DR. ROTHSTEIN: Right. So they would supply codes, but that's it.

MS. FYFFE: Some of those codes are pretty general.

MS. GREENBERG: We didn't have it before this hearing.

DR. ROTHSTEIN: You think that's inadequate for payment purposes?

MS. FYFFE: Yes.

DR. ROTHSTEIN: Is there a middle position?

DR. FITZMAURICE: The purpose of extending the psychotherapy notes is to guard against someone who has these notes from unethically releasing them to somebody. All of this is voluntary on the part of the psychiatrist, right?

DR. ROTHSTEIN: As I understand, the payer wants to verify the claim, why does this person need 10 sessions or all these medications? We want to see more than just the box that you checked and the psychiatrist would be obligated to turn over everything but the psychotherapist notes.

DR. FITZMAURICE: If the same request came in after this, the psychiatrist would have to go to the patient and get authorization for billing purposes.

MR. BLAIR: We've heard several times that many patients are very concerned about sharing this information with doctors because of the effect it might have if they were diagnosed with depression or bi-polar. If it's simply a treatment code, why does a payer need to know?

MS. FYFFE: I believe that psychotherapy notes should be private. I don't believe that it's unreasonable for a health plan to know if medication was being prescribed and monitored, that there were counseling sessions with a certain beginning and ending time, results of clinical tests, treatment plan.

The health plan should be able to know that information to adjudicate the claim. That's different than a narrative description of notes that gets into stuff that I would regard as very personal. I don't agree that these other elements should be included in an expanded inclusion of notes.

DR. ROTHSTEIN: Do you see any room for expansion that you would be comfortable with?

MS. FYFFE: On the fact of it, I don't see that these other items are unreasonable for health plans to see.

DR. FITZMAURICE: My only point was let's expand the definition of notes to include them. The psychiatrist goes to the health plan and says, I want to get paid and here's the diagnosis code. The health plan says I'm not going to pay on the basis of that. Got to go back to the patient and get an authorization.

MS. MC ANDREW: I would just note that this is a very interesting topic that providers and plans are not currently in agreement. It's not a consent issue. If you want to dodge this as not relevant to the topic of consent, you can dodge that bullet.

MS. GREENBERG: I was going to say something similar.

DR. ROTHSTEIN: Payment issue?

MS. GREENBERG: It's outside the scope and relates to the broader issue that was dealt with.

MS. MC ANDREW: These were included in the testimony as additional areas of interest for the APA. They were not part of the scope.

DR. ROTHSTEIN: Hearing no objection to dodging an issue. Additional protections consistent with the Supreme Court's Chaffer(?) v Redman, information are essential. Is that covered by the last set of comments?

We also believe that language needs to be added to clarify the privacy protections covered treatment and modalities rather than psychotherapy and patient's medical record. Same?

DR. HORLICK: I have a question. Didn't we want to say anything about that we received comments and they were beyond the scope?

MS. GREENBERG: This letter is going to be long enough.

DR. ROTHSTEIN: On Bullet Number 2, I think that's subsumed within the jurisdictional issue. The APA also wants all Americans to be free from unreasonable police access to their most personal medical record information.

DR. FITZMAURICE: Beyond the scope.

DR. ROTHSTEIN: Next. We believe that the protections of the Fourth Amendment for all requests should apply to a person's medical history as it applies to their household possessions. That's a scope issue. We are hopeful the commission will agree with the APA that marketing endeavors have a patient opt in before the activity occurs rather than the regulation that the patient should opt out of any fundraising endeavors.

I'd like to table this. We're doing marketing tomorrow. Next bullet. The AMA believes that to obtain consent before any use of disclosure of an individually identifiable health information honors the rights of the individuals and the primacy of patient consent. Mere notification does not rise to the level of respecting the autonomy of the patient. This is the other side of the issue that we deferred.

Next bullet. We believe that a consent requirement that accommodates the needs of patient care and is workable for providers is preferable to patient autonomy in the name of convenience. The same principle applies. Yell if you think I'm in error.

Next bullet. The rule should allow reasonable and limited uses or discloses to carry out TOP before obtaining patient consent. There are these three exceptions.

MS. MC ANDREW: I think this is a way of capturing the pharmacy and the referral, first contact.

DR. ROTHSTEIN: So this is first contact issue which we've already addressed, correct?

MS. MC ANDREW: You put in a little grouping of possible solutions.

MS. FYFFE: First encounter is in with that pharmacy.

DR. ROTHSTEIN: Next bullet. We're going to finish this page and then quit for the afternoon. Uses and disclosures of protected health information created or prior to the compliance date of the privacy rule should be allowed to continue as prior to the effective date without regard to content. We already voted on that one, correct. That's a repetition.

Finally, thus many physicians would not have a written authorization on file for their patients. The AMA would urge HHS to treat all covered entities in the same manner with respect to this issue. I don't understand.

MR. BLAIR: That may have been with the previous bullet.

DR. ROTHSTEIN: So let's delete that. Let's keep going until we run out of recording. The privacy rule should qualify the right for patients to request restrictions on exclusions with good faith for enforcement purposes. We already are addressing the issue of restrictions and revocations.

MR. BLAIR: They're adding this concept of a good faith standard.

DR. ROTHSTEIN: I see. The providers should be judged by a good faith standard in instances of revocations or restrictions. That goes with the next one, the right to revoke consent should also be qualified with a good faith standard.

DR. ZUBELDIA: Are we addressing the restrictions or revocations?

DR. ROTHSTEIN: The first one has both and the second one only revocation. Let's take them separately. The first one would be apply a good faith standard to patient restrictions.

MR. BLAIR: Is this going to wind up causing us to get in conflict with the law where it has the right to look at a record?

DR. ROTHSTEIN: With a restriction, it's a question of what the healthcare provider would agree to.

MR. BLAIR: Can a doctor make an agreement for the whole institution? I don't know.

DR. ROTHSTEIN: They probably don't have the authorization to do that, but the patient wouldn't know it.

MS. GREENBERG: I don't see how you can restrict the right of the patient to request anything. They can request anything.

DR. COHN: Mark, you might understand this better than I do. The whole issue is good faith standard and what that means. You can already to the first one. What does that mean?

DR. ROTHSTEIN: What the suggestion is, is that in evaluating whether the provider has complied with the request or the agreed to restriction or the revocation that some degree of deference will be given to the provider who acts in good faith.

DR. FITZMAURICE: This is probably an enforcement issue and would come up when the enforcement would hit the streets and hit our eyes. It may not be a privacy issue per se, but how do you enforce it? Postpone consideration until you see the enforcement rule.

DR. ROTHSTEIN: Table those two on revocation and restriction until the enforcement rule is out.

DR. COHN: We may want to say that we heard testimony on this. Just mention it in the body of the text.

DR. ROTHSTEIN: We can raise that issue with the full committee. Bullet 3, therefore, the current definition must be narrowed to only include necessary and critical business operations, some covered entities are not required to obtain consent.

MS. GREENBERG: This is health care operations.

DR. FITZMAURICE: It's 3 and 4 together.

DR. ROTHSTEIN: Number 4, the definition of healthcare operations must be narrowed.

MR. BLAIR: I thought that was tied to if we were not going to require consent, we would narrow healthcare operations. It was not standalone.

DR. ZUBELDIA: Not for the one we voted twice.

DR. ROTHSTEIN: With your agreement, we'll skip over these two. These management and marketing activities we tabled until tomorrow. Moving to the next one. It is clear that a patient's enrollment in a healthcare plan or treatment by a provider -- it's another one. We're going to table. That's marketing also.

Next bullet. Authorization should be required for non-routine, non critical uses and disclosures of protected health information. That's a statement of the rule.

MS. MC ANDREW: That's an outgrowth of you dropped certain non routine elements out of healthcare operation then you wind up in an individual authorization mode for those uses and disclosures.

DR. ROTHSTEIN: We didn't do that. We don't need to adopt this unless someone feels like they need to bring it up. The AMA believes that covered entities should have to obtain authorization for non routine, non critical uses separate and apart from the consent required under the privacy rule. Goes to the same issue.

Next bullet. If the requirement to obtain consent is removed from the regulation, well, hasn't been.

MS. GREENBERG: What did you decide to do with these two?

DR. ROTHSTEIN: We said that we were not going to bring those forward.

Health plans should be required to obtain patient consent for payment and healthcare operation, which they are. That's the one we discussed.

DR. COHN: We may want to bundle it up with that other one because it's another option. You have to sign for health plan operations. You might as well have them sign for payment too. It's another way to go.

DR. ROTHSTEIN: Does anyone want to bring this one forward?

DR. ZUBELDIA: This ties with the opportunity to review health information practices of the health plan. If the plan has to require consent, then they also have to disclose their health information practices to their members. It all ties together there.

MS. MC ANDREW: The plans do have a notice requirement even though they have no consent requirement.

DR. ROTHSTEIN: The recommendation is to extend it to a notice requirement to consent requirement.

MS. FYFFE: That's a big change.

DR. ROTHSTEIN: Is this one that we should apply our referral rule as a big change. You can't do it at 5 of 6. So we're going to defer on that.

Most health plans require signed paperwork by enrollees. Privacy rule requires they provide a notice of privacy practices. Consent can easily be included. That's in favor of that, but we've deferred on that.

The AMA urges HHS to incorporate all possible improvement so it will not impede patient care or healthcare delivery. Of course, OCR will be doing that.

To this end, the rule should allow reasonable and limited uses or discloses to carry out treatment before obtaining consent.

MS. GREENBERG: Been through that.

DR. ROTHSTEIN: Been through that. Moreover, to further protect patient privacy, the definition of healthcare operations should be narrowed so the patients will not be forced to consent to non-routine, non-critical uses of their confidential information especially when de-identified information could be used.

DR. ZUBELDIA: We went through this twice.

DR. ROTHSTEIN: We've gone through that already? The American Psychoanalytic Association -- I think we've already considered their proposals in the context of the APA where they had recommended an expansion of the protection beyond psychotherapy notes to include all sorts of information.

In addition, they have a request that we define the ten exceptions --

MS. GREENBERG: Where are you?

DR. ROTHSTEIN: I am on where it says American Physicians Association. The proposal was to define the exceptions so the patients will know what's in them. This is a request for OCR to clarify and set forth what it means by medication prescription and monitoring, counseling, all those things we went through so that the patient will know that that information is being transmitted. If they want, they can pay in cash or use an alias.

MS. MC ANDREW: These are the items that we exclude from the definition of a psyche note.

MS. FYFFE: It's listed in testimony.

MS. MC ANDREW: We have meetings with them about ways to define each of those elements.

DR. ROTHSTEIN: Would the subcommittee be in favor of recommending that there be additional clarification of these 10 exceptions of what is not included in the rules for notes.

MR. BLAIR: I would like to hear Richard's opinion on this.

DR. HARDING: Since I'm not a member of the American Psychoanalytic Association. That's a completely separate group. It's not an affiliate or anything. Psychotherapy notes are a narrowly defined entity that is completely separate than a medical record. A medical record has medications, history and so forth.

This is what a psychoanalytic therapist would sit and think about and write down as process notes in therapy. You speculate about the patient to yourself. That isn't a medical record. It's speculation and so forth. He's asking that they be given privilege like a lawyer with that information. That's interesting, but we got off the psychotherapy thinking that that's what you write down what people are talking about. It's a whole different thing.

DR. ROTHSTEIN: It's what you think the significance of what they're saying as opposed to blood pressure or their stated depression. It's privileged, but not covered by the rule.

DR. HARDING: By state law for testimony which is important in divorce proceedings and so forth where they look at what somebody is speculating. I don't have a lot of wisdom on where to go with that in this case. Defining exceptions would be helpful.

DR. ROTHSTEIN: There are actually two things. One is whether notes should include these other progress notes or process notes.

DR. HARDING: Or some part of them. That was the issue you were struggling with.

MS. FYFFE: Are you talking about these items?

DR. ROTHSTEIN: No, I'm talking about the item that Richard described. We might want to recommend that the definition be broadened to include these kinds of --

According to your view, these kinds of impressions would not be covered by the notes protection of the current HIPAA rule.

MS. FYFFE: I thought they were.

DR. ROTHSTEIN: They are?

DR. HARDING: They're covered by federal court.

DR. ROTHSTEIN: But the assertion was that they --

MS. FYFFE: Does the rule define psychotherapy notes?

MS. MC ANDREW: Yes, there's a definition in the rule. It refers to notes that are recorded by the healthcare provider documenting or analyzing the content of conversations during private counseling sessions or a group family counseling session and that are kept separate from the medical record.

DR. ROTHSTEIN: In conclusion, is it the sense of the group that we would request further clarification in terms of these 10 exceptions and the process notes? Is that agreed to? Further clarification? We stand adjourned until tomorrow morning.

(The session was adjourned at 6:05pm.)