[This Transcript is Unedited]

NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Meeting of:

SUBCOMMITTEE ON PRIVACY AND CONFIDENTIALITY

October 30, 2002

Marriott Hotel, Waterfront
Baltimore, Maryland

Reported by:
CASET Associates, Ltd.
10201 Lee Highway, Suite 160
Fairfax, Virginia 22030
703-352-0091

P R O C E E D I N G S (9:00 A.M.)

Agenda: Welcome and Introductions

MR. ROTHSTEIN: Good morning. My name is Mark Rothstein. I'm the Director of the Institute for Bioethics, Health Policy and Law at the University of Louisville School of Medicine and I'm Chair of the Subcommittee on Privacy and Confidentiality of the National Committee on Vital and Health Statistics.

For those of you who are not familiar with the National Committee on Vital and Health Statistics, it is a federal advisory committee consisting of private citizens which is charged with making recommendations to the Department of Health and Human Services on health information policy including, of course, matters related to HIPAA.

On behalf of the Subcommittee and staff, I want to welcome you to the second of our two days of hearings here in Baltimore dealing with implementation issues under HIPAA and specifically the HIPAA privacy rule.

I also want to extend a welcome to the listeners who are listening to us live via the internet.

Before proceeding further, as is customary, we begin with introductions of the subcommittee members as well as witnesses and guests in the room and so we'll do that at this time. I also will invite members of the subcommittee who are present to disclose any conflicts of interest that they have.

I'll begin first. As I mentioned earlier, I'm a professor and I have no conflicts of interest.

DR. HARDING: I'm Richard Harding. I'm a child psychiatrist from the University of South Carolina where I serve as interim chairman of the Department of Neuropsychiatry and the only potential conflict of interest that I have is serving last year as President of the American Psychiatric Association and I continue to be on the board of trustees of that organization.

MS. KAMINSKY: I'm Stephanie Kaminsky, lead staff to the Subcommittee on Privacy and privacy policy specialist at the Office for Civil Rights.

DR. DANAHER: My name is John Danaher. I'm a member of NCVHS and also a member of the Subcommittee on Privacy. I am the President and CEO of an e-learning company that's targeted at the training of compliance, in particular HIPAA.

I don't believe that my presence here today represents or will be a conflict of interest.

MR. STONE: I'm Walter Stone, a representative from the Centers for Medicare and Medicaid Services.

MR. HOFFMAN: Hi, my name is Ron Hoffman. I'm a legislative and regulatory analyst that serves on our corporate privacy team for Mutual of Omaha Insurance Company in Omaha, Nebraska.

MS. WILLIAMS: Good morning. My name is Christine Williams. I'm an attorney with the firm Gordon, Feinblatt, Rothman, Hoffberger & Hollander located here in Baltimore.

I represent Group Health Plans and TPAs who provide services to group health plans.

MS. GRIMES: Good morning. My name is Colleen Grimes. I'm the AVP of HIPAA compliance for Amerigroup in Virginia Beach, Virginia. We are a health plan that serves state sponsored programs, Medicaid lives, approximately 572,000 lives in five states.

MR. DALEY: I'm Jim Daley. I'm the HIPAA program director for Blue Cross Blue Shield of South Carolina which carries private insurance and immediate care and tri-care insurance and I'm responsible to make sure that the whole corporation abides by the HIPAA rules.

MS. SQUIRE: My name is Marietta Squire. I'm with CDC, NCHS and staff to the subcommittee.

MR. KNETTLED: Hi, I'm Anthony Knettled. I'm the Vice President of Health Policy for the ERISA Industry Committee. I'm here to assist Kevin Fitzgerald who should be here momentarily.

MR. WESTFALD: Doug Westfall, Blue Cross Blue Shield of South Carolina, director of the HIPAA Project Office.

MR. DECARLO: I'm Michael DeCarlo, the director and counsel for policy development with the Health Insurance Association of America of Washington, D.C.

MR. ALDER: I'm Tom Alder with the American Association of Health Plans.

MR. BIRNBAUM: I'm Adam Birnbaum with Amerigroup Corporation.

MS. BARTLETT: Melissa Bartlett, AAHP.

MR. SIVERTSON: Eric Sivertson with Amerigroup Corporation.

DR. COHN: I'm Simon Cohn. I'm the National Director for Health Information Policy for Kaiser Permanente and a member of the subcommittee and committee.

DR. ZUBELIA: Kepa Zubelia with Claredi Corporation, a member of the committee and subcommittee.

DR. GREENBERG: Marjorie Greenberg from the National Center for Health Statistics, CDC and executive secretary to the committee.

MR. ROTHSTEIN: Thank you and welcome to everyone.

The subcommittee has scheduled three panels of invited witnesses today and the first panel deals with health plans and group health plans; the second one state agencies and public health authorities; and the third one with coalitions and partnership building.

In addition, we have scheduled public testimony from 3:00 p.m. to 5:00 p.m. today. Any individual who is not an invited witness may sign up to testify for five minutes. The public testimony slots are on a first come, first served basis and they are going quickly I understand.

Let me emphasize the limited scope of the hearing. As covered entities and other parties are gearing up for compliance with HIPAA, we scheduled these hearings to find out how they were doing, what problems they were encountering, and in particular what recommendations they would like to see the NCVHS make to HHS to improve the implementation process so please keep in mind the purpose of this hearing is to develop recommendations that we can make to the Secretary.

In particular, as detailed in Federal Register notice announcing the hearings, we are interested in witnesses addressing the following questions:

What are the available resources for HIPAA compliance including those from professional organizations and trade associations?

Are compilations of best practices available and how are successful implementation strategies disseminated?

Are there any models for public-private partnership development?

How should covered entities go about coalition building and developing consensus procedures?

What outreach, education and technical support programs are needed from the Office of Civil Rights including suggestions for OCR priority setting?

What areas are especially in need of guidance from OCR?

How should we address the integration of HIPAA and other federal and state laws?

And can you assess the accuracy and quality of the information and services of vendors and consultants, especially as they pertain to small providers and health planners?

You need not address all of those issues, of course.

This is the second of three sets of hearings that the subcommittee has scheduled. We met September 10th and 11th in Boston and we will meet again next week, November 6th and 7th in Salt Lake City. After our final hearing the subcommittee will submit its recommendation to the full NCVHS which meets next in Washington on November 19th and 20th.

If the full committee adopts the recommendations of the subcommittee, then they will be transmitted by letter to Secretary Thompson by Dr. John Lumpkin, chair of the panel.

As you can see from our schedule, it's a very tight schedule and therefore I would ask the witnesses to observe the following rules.

First, invited witnesses will have 10 to 15 minutes to give their prepared testimony. I will supply you with a one minute notice. That's it.

After each witness, subcommittee members will have an opportunity to ask questions of a clarifying nature only. After all the witnesses of each panel have completed their testimony, the members of the subcommittee and the witnesses will then use the remaining time to have a discussion session.

Witnesses may submit additional written testimony within ten days to Marietta Squire. I would ask anyone in the room with a cell phone to please turn off the ringer, especially with respect to our viewers on the internet so they can hear better and also please speak clearly into the microphone.

So with those introductory remarks, we are ready to move to panel number one on health plans and group health plans and I welcome Mr. Hoffman.

Agenda item: Health plans and group health plans.

Panel 1 -- Ron E. Hoffman, RLU, Corporate Privacy Team, Mutual of Omaha Insurance Company.

MR. HOFFMAN: Thank you. Good morning. My name is Ron Hoffman. I'm pleased to be here today on behalf of Mutual of Omaha Insurance Company in Omaha, Nebraska where I'm a member of our corporate privacy team. I'm also pleased to be here today on behalf of the Health Insurance Association of America, the nation's most prominent trade association representing the private health care system.

The nearly 300 members of HIAA provide a full array of health insurance products including medical expense, long term care, dental, disability and supplemental coverage for more than 100 million Americans.

Mutual of Omaha and the HIAA support strong nationally uniform privacy standards. We thank the committee for holding these hearings, and are grateful for the opportunity to testify before you.

Before I focus on HIPAA itself, I want to talk for a moment about Mutual of Omaha so that there's a context in which I can set my remarks.

Mutual of Omaha is one of the largest providers of health insurance in America. We are also one of the nation's largest administrators of Medicare Part A claims.

As our name reveals, we are a mutual insurance company meaning we are operated for the benefit of our policyholders and beneficiaries. In 2001 we processed nearly 16 million health insurance claims totaling more than $3.4 billion in benefits. This averages nearly 63,000 insurance claims resulting in nearly $13.5 million in benefits every working day.

In the context of HIPAA and compliance with privacy initiatives in general, Mutual of Omaha's perspective comes from being a multiline insurance company -- we offer both covered and non-covered lines of business -- an affiliated covered entity, a hybrid entity and a group health plan.

We also administrate, we are an administrator of group health plans where we are a business associate. We offer organizations, we offer coverages to FEHB plans and administer health plans to non-federal government entities.

We are a financial institution and a licensee under Gramm-Leach-Bliley and related state initiatives. We are a national company, subject to state regulation in state insurance departments and in the latest privacy twist, more than likely a commercial business subject to the new privacy ordinances currently being passed or considered at the local level in several California cities and counties.

Given the complexity of coordinating compliance activities associated with a patchwork of federal and state privacy laws, Mutual of Omaha authorized creation of a corporate privacy team in 2000 and assigned ten associates to work full time on this team.

The first project undertaken by the team was a privacy impact assessment with the focus on Gramm-Leach-Bliley. Though the project was led and managed by the team, we did utilize the services of a major consulting firm with whom we had previously engaged to perform similar assessment for our EDI and security project teams.

The assessment took approximately 12 weeks to complete. While the consultant brought value to the project for security and transaction and code set requirements, it was obvious that both of us were underestimating the complexities of privacy.

With the compliance implementation work completed on Gramm-Leach-Bliley, our corporate privacy team focus turned to HIPAA privacy in July of 2001. Our original project initiation reports estimated the total human resource effort needed to implement all the HIPAA privacy requirements would be approximately 10,000 workdays and that's one full time employee times 7.75 hours per day.

As our project management work flows have evolved that estimate is now approximately 8,000 workdays, lower than our original estimate but a significant undertaking nevertheless.

Through September of 2002, our HIPAA privacy compliance project cost has now surpassed $1 million. By April 2003, we estimate our initial one time compliance cost will exceed $2.75 million. When you add the one time cost associated with bringing HIPAA EDI standards online by October 16, 2002, and complying with the GLB privacy mandates, our initial one time cost to comply with GLB and HIPAA by April of 2003 will be about $11 million.

Given the amount of work that we have completed and the amount of work that we have left it is beyond my comprehension how any covered provider or health plan who has not yet begun their formal compliance efforts will be able to meet the 2003 compliance deadline.

With regard to HIPAA privacy rule training mandate, Mutual of Omaha is in the process of developing its own computer based privacy training module lessons.

When considering whether to seek outside vendors or perform work in-house, we considered the multitude of federal and state privacy laws affecting our collection, use, storage and disclosure of personal, financial and medical information, concluding it would be more effective and less costly to develop our own training material.

Since our associates were given training on privacy policies and procedures established to comply with Gramm-Leach-Bliley, we concluded that it would not be sufficient to simply develop HIPAA privacy training to place over top of Gramm-Leach-Bliley.

Rather, there could often be the need to explain relationships between these and other applicable privacy related policies and standards so associates are able to distinguish between requirements as applicable.

Our outreach for privacy training will be limited to our work force and captive agency force. We have released some general HIPAA awareness newsletters to our group offices for distribution to the group health plan clients.

You have also requested information on the availability of compliance resources from trade associations. The HIAA has a rich tradition of insurance education resources and publications. Earlier this year, HIAA published a four-part series on HIPAA privacy rules.

The first publication was entitled HIPAA primer, an introduction to HIPAA rules, requirements and compliance. I have followed the primer with three separate publications offering implementation guidance: HIPAA action items for physician offices, home care providers and insurers.

HIAA also offers an education opportunity for individuals to earn a designation as a HIPAA associate or HIPAA professional based on the successful completion of course work derived from its published materials.

However, HIAA's attempt to provide reasonable and accessible HIPAA privacy rule education has been a frustrating experience, for certain.

The August changes to the privacy rule set back HIAA publication distribution efforts until a compatible update for the series can be developed.

For education purposes, the lack of clarification available from the Office of Civil Rights on fundamental interpretations of the standards and requirements creates uncertainty in the design of educational material beyond the basic content level.

No trade association should be asked to serve in the role of interpreting the privacy rule for its covered entity industry segment as a substitute for OCR's failure to provide compliance. OCR should have a covered entity industry team in place to assist each industry with its own unique implementation issues.

With regard to employers and other plan sponsors of group health plans, I must echo many of the comments and concerns voiced by the health plan panel presenters during your previous hearing in Boston. Though we plan to offer sample documents such as plan document language, certification and notices, we will encourage the plan's sponsors to review these documents with their own legal counsel and then personalize them to fit their specific circumstances.

Mutual of Omaha has just begun to contact its groups but we anticipate that employers will request or expect formal guidance from us and we are comfortable in providing or should be responsible for providing.

Reliable resources to assist employers as sponsors of health plans appear to be scarce. Certainly, the covered entity decision tool posted on the OCR web site is helpful; however the OCR provides no clear direction and needed clarification once a plan sponsor determines they are a group health plan.

Clear direction from the OCR is needed to ensure that plan sponsors acknowledge their responsibilities under the rule.

Numerous law firms, consulting firms and employee benefit organizations are sending client alerts and other public documents summarizing the impact of HIPAA on employers and the group health plans that they sponsor.

The information communicated from these sources regarding the requirements from a plan sponsor who wants to be involved in the plan administration and receive PHI appears generally consistent.

However, information on the requirements for group health plan sponsors who are willing to accept only the summary or de-identified information does not appear consistent. For example, some of those sources conclude self-funded group health plan's sponsors always receive PHI and therefore must fully comply with HIPAA while other sources do not reach that conclusion.

The private sector advice on the requirements for insured group health plans, health plan sponsors, is far less consistent, ranging from advising plan sponsors that they can avoid having to comply with HIPAA if they don't receive PHI to advising the plan sponsor they still must perform nearly all the group health plan requirements other than plan document revision and certification.

Our efforts to educate employers as issuers or administrators of group health plans are further complicated by the fact that a large number of plan sponsors will offer more than one type of plan such as a combination of self-funded and insured plans and often these may come from more than one issuer or administrator.

Interestingly, however, no publication that I have seen to date has addressed non-federal government groups. For example school districts and municipalities who offered self-funded health plans and who elected to opt out of certain requirements of HIPAA title one health insurance reform provisions. Some of these groups believe because they opted out of complying with certain HIPAA title one provisions, they are also exempt from HIPAA title two administrative simplification provisions.

Further complicating this issue is the fact that CMS administers the annual HIPAA exemptions elections of non-federal government plans while the OCR will enforce the HIPAA privacy rules. To the best of my knowledge, neither office has addressed or clarified this issue for these governmental plans.

Other issues that need to be addressed are the dichotomy of practical compliance for insurers and covered entities in their relationship with small health plans. The recent CMS Q&A clarification aimed at assisting health plans determine whether -- what receipts to use to decide whether they qualify as a small health plan is very helpful and appreciated.

As you know, small health plans receive an extra year to come into compliance with the rule until April of 2004. This extra year to comply with HIPAA's privacy rule will benefit qualifying small health plan sponsors.

There is, however, current confusion about the potential inconsistent implementation of HIPAA privacy compliance because these small health plans, insurance issuers and third party administrators will need to be in compliance by April of 2003 as covered entities in their own right.

You might assume that issuers' and administrators' compliance in 2003 would ease the compliance burden for their small health plans. In fact, the industry has begun to encounter resistance to its cooperative compliance efforts from the small health plan it fully insures or administers.

Anecdotal evidence suggests that many small health plans have not yet begun to focus on their HIPAA privacy responsibilities. Some expect to continue business as usual through 2003 and resent insurers' efforts to meet the requirements and obligations of implementation and compliance as it changes an insurer's standards and methods of operation.

For example, a small health plan may expect to continue to receive protected health information from their insurers and TPA's after April of 2003. Conversely, insurers and TPA's may feel compelled to require proof that the privacy rule requirements, the group health plan requirements can be met before releasing any PHI to a small health plan sponsor.

Other issues will undoubtedly rise during the transitional years as insurers attempt to follow and implement their own compliance policies and procedures at the same time their small health plan business partners' compliance programs are still under development.

OCR's guidance and encouragement in these areas, engagement in these areas will be crucial to encourage small health plan compliance and assure consumers their privacy rights are being appropriately protected under the HIPAA privacy standards.

I now would like to address federal preemption, an issue of major importance to insurers. Congress chose not to give HIPAA privacy full preemption status. States are free to establish privacy standards more stringent than those of the federal privacy rule. Most states already have a multitude of laws and regulations dealing with when and how and what personal information may be used or disclosed including health information and identifier information.

Much of it is not traditional insurance regulation but now it necessarily affects insurance operation. And more such legislation and regulation is considered in the past in-state legislatures and state agencies every year.

To assist insurers with the preemption question, the HIAA and other industry associations jointly commissioned a national HIPAA privacy rule preemption analysis by the Washington, D.C. law firm of Shaw, Pittman. This analysis is accessed through the internet and is available on a subscription basis.

It provides a comprehensive overview of each state's laws and regulations that directly affect the application of the federal privacy rule standards to operations of health insurers and PHI issuers, insurers create, obtain and hold, use and disclose. This preemption analysis took five months to complete and cost well over, well in excess of $1 million and must be continually updated and revised.

Even so, this analysis is only a starting point for insurers who must subsequently apply its findings to their products and operations. The industry is spending exorbitant amounts of money, time and money, addressing inconsistent state and federal privacy requirements.

The industry cannot overemphasize the scope of the administrative burden stemming from this lack of federal preemption. For a local physician, it may be burdensome to change a notice or authorization form, be more discreet with a subset of information or offer certain patients more privacy protection than others.

For a health insurer, with health insurance products that are sold or subscribed to on a nationwide basis, such diversity and constant change can be overwhelming. For covered entities with multi-state operations such as health insurance issuers, this state-based diversity is the antithesis of administrative simplification. Again, much of this state individual health information privacy protections are not specifically insurance regulation.

Unsettling decades of industry work with organizations such as the National Association of Insurance Commissioners to develop and implement standard laws and rules to regulate insurance.

The health insurance industry needs full federal preemption of the HIPAA privacy standards and we encourage you to recommend it.

Finally, for the benefit of directly addressing the questions that you were seeking to answer here today, I would like to list our specific recommendations.

The National Committee on Vital and Health Statistics should urge Congress to provide full federal preemption for the HIPAA privacy standards.

OCR needs to provide more interpretive and interactive guidance. The Department of Health and Human Services must delegate more resources in this area.

OCR should provide specific guidance to health plans and the health insurance industry on the following issues:

Specific HIPAA privacy responsibilities of health plan sponsors, obligations of plan sponsors regarding the use and disclosure of summary and de-identified information; requirements of fully insured plan sponsors to respond to an individual's request for access to PHI in the sponsor's possession; application of the HIPAA privacy standards to governmental health plans including the non-federal governmental health plans that I spoke of earlier.

HIPAA compliance obligations for an insurance issuer in its relationship with a small health plan during the additional transition year, available to small health plans for compliance and assistance with a standardized notice, with standardized notice and authorization forms for health plans and insurers that address the preemption questions.

To facilitate the agency's response in this, OCR should establish internal covered entity compliance issue teams preferably by industry segment to respond to each industry's unique issues.

On behalf of Mutual of Omaha and the HIAA, I thank you for the opportunity to present this testimony to the committee. If you have any questions regarding my remarks or recommendations, I would be happy to entertain them at this time.

MR. ROTHSTEIN: Thank you very much, Mr. Hoffman. Are there any clarification questions? If not, we'll proceed to our second witness and we'll be back with questions for you later.

Ms. Grimes?

Agenda item: Colleen Grimes, Amerigroup.

MS. GRIMES: Good morning. My name is Colleen Grimes and I'm the Assistant Vice President for HIPAA Compliance in Amerigroup corporation in Virginia Beach, Virginia. Just to give you a little background on me, I have over 20 years of experience in a variety of positions, integrated health systems provider groups and health groups.

I'm appearing today on behalf of the American Association of Health Plans to highlight how health plans are working toward implementation of the HIPAA privacy rule and I would like to discuss how the Office for Civil Rights can assist health plans and health care providers to prepare for compliance, how we can work together in order to achieve HIPAA compliance.

I'm not going to read my testimony. I would just like to summarize some of the issues that we've experienced and although Amerigroup is a government-sponsored program, I believe we are experiencing the same implementation challenges that commercial plans are experiencing nationwide.

I would like to focus my remarks on three areas -- the challenges faced by health plans in implementing the privacy rule, efforts by AAHP and other industry and professional groups to assist with compliance and ways the OCR can help covered entities to implement the rule.

Amerigroup and AAHP's health plans strongly support the goal of protecting confidentiality of health information. The issues that we are facing right now are important to consumer protection but we need to arrange the delivery of high quality, cost effective care and to do that, we need to do it effectively.

The HIPAA privacy rule impacts almost every aspect of health plan operations. When you take these rules and you look at what we do on a daily basis in health plans, all we do is handle protected health information in all our departments.

We've been making great progress towards the implementation of the privacy rule by April 14, 2003, for small health plans, April 14, 2003. These efforts involve a substantial financial and administrative cost for the industry.

As an example, at Amerigroup, we have 24 FTE's working full time on HIPAA. We love them. We call it the HIPAA war room. It's a multi-functional team of IT and business process people that are working to analyze the regulation with our legal and then implement it, not only within our organization but to work with our providers and on educating our provider community on HIPAA.

Amerigroup really started working on the HIPAA privacy rule in late 2000. We estimate that by the end of 2002, we will have invested approximately $5 million in associate resources, business process re-engineering and technology to support the HIPAA regulations.

We have finished, at Amerigroup, finalizing our privacy rule, our rule policies and procedures and training. We are currently training our non-HIPAA associates and developing administrative systems necessary to support compliance with the privacy rule such as the notices, business associate agreements.

Similar efforts are underway across the country with health plans. The challenge for health plans is taking these extensive and comprehensive requirements and applying them to what we do on an operational level on a daily basis.

One example of the challenge involves the privacy rule provisions regarding access and amendment to PHI. We all know that members and patients have new rights under this rule. They have the right to access, the right to amend, the right to request confidential communication or obtain an accounting of disclosures concerning health information contained in the covered entities' designated record set.

A covered entity is required to identify the records which comprise the designated record set and I'm really astounded, ladies and gentlemen, that we are participating in seminars and such and there are still health plans out there and providers that believe the only thing that is impacted by this rule is medical records and really don't understand what a designated record set means to a covered entity.

So as a covered entity, we are required to identify these records and then define what the group of records mean. They are included but not limited to enrollment, payment, claims, case management, quality management, record systems that are used in whole or in part to make decisions about members. This could mean any item, collection or grouping of information that includes PHI which is maintained, collected, used or disseminated by or for the covered entity.

And there's a downstream impact with this because that downstream goes to the very heart of your business associates. If a member would make a request and we would grant confidential communication or restriction, the covered entity would be required to contact all business associates that are handling PHI on their behalf.

All of the member records identified as part of the designated record set will need to be tracked by the covered entity and made available to members who choose to exercise one or more of these rights.

For many health plans, the designated record set includes PHI that is located in a variety of different departments, applications, data bases, systems and sometimes in different geographic locations.

Health plans will need to develop extensive tracking mechanisms that will enable them to link and centralize all of the members' PHI in the designated record set and to make the amendments as appropriate according to the time frame of the rule.

This is a real challenge, ladies and gentlemen, for health plans that are trying to set up these systems and there is no one application that I have found that can centralize all of these information systems together at one point.

Amerigroup and other health plans are also undertaking comprehensive outreach efforts with employers and health providers to educate them on the requirements of the privacy rule. This outreach includes providing or participating in educational seminars, provider and employer newsletters, development of business associate agreements and information on using disclosures regarding contract provisions.

When health plans change policies and procedures -- and this is really a key that we are finding in Amerigroup, this impacts provider and facility manuals, contracts and in turn will result in front and back office changes for providers.

Now, think about it. We are crafting these policies and procedures according to our business process in each plan. There is no standardization because the policies are toward how you do your business. If a provider has 14 different contracts with 14 different payers, they are going to have 14 different business associate agreements or whatever, 14 different ways of how this rule is going to be applied in their offices.

In addition, plans are drafting all the necessary documentation needed to carry out the provisions in the privacy rule. Again, we are developing the member notices, authorization forms, business associate agreements, policies and procedures, training manuals, data use agreements and other materials that will be used to implement the rule.

Health plans and providers are developing and implementing policies and procedures based on their own interpretation of the privacy rule and modeled on their own specific business processes. The risk here is without guidance, the result could be the very lack of standardization we are trying to achieve. The only example that I can think of is when I was in California, the providers there were complaining loudly about having 14 different contracts with 14 different HMO's with QA studies and audits. They would have HMO's and payers in their offices constantly.

Fourteen payers came together and we standardized QA audits for the providers where they only had to submit standardized QA audits, standardized appointments and so on and so forth, and this really went a long way to standardizing their operations and not impacting their daily procedures that were going on in their offices.

So if you can see what we are building with privacy based on our own modeled operational policies and procedures, the same effect would happen in the health care industry when we go forward with privacy.

There are a number of efforts underway by industry associations and business groups to assist covered entities in complying with the HIPAA privacy rule. Over the past two years, the AHAP has sponsored a series of educational seminars and audio conferences to highlight various aspects of the rule.

In addition, AHA has regularly scheduled conference calls two times each month with its member plans. These are very unofficial. Over approximately 90 health plans could be on this call at any time with multiple people in the room. I can't tell you how far that goes to assist health plans to really make this real within their business processes.

The association has also published a series of regulatory briefs on the privacy rule compliance issues and is developing a model notice form that plans can use to inform members of the plan's privacy practices and member rights.

Amerigroup is involved in local partnerships and I really think these groups are very important. The Mid-Atlantic Health Initiative, MAHI, we are involved in the southern HIPAA administrative regional process, SHAR, and the newly formed New Jersey SHOR, WEDI-SNIP regional initiatives. These groups serve a very important role in conducting a series of regional seminars, in-person audio conferences, web sites, to educate health plans, health care providers, hospitals, physicians and their office staff on compliance issues.

MAHI, SHAR, New Jersey SHOR, as you know, are part of a number of groups that are formed as a part of the Strategic National Implementation Project, SNIP, through the efforts of the Work Group on Electronic Data Interchange, WEDI. WEDI-SNIP involves health care providers, health plans, clearinghouses and vendors who work together to provide educational materials, best practices white papers, discussion forums and other programs to bring together interested parties on implementation issues.

Currently -- I hope I'm quoting this right -- there are about 25 regional SNIP affiliates in operation.

I would like to give you an example. I was recently here participating in a seminar in Washington, D.C., at MAHI, and there were approximately 90 providers in the room, and we have open forums where we were discussing the impact of HIPAA and I asked the providers in the room how many of them -- the physicians and their office staff -- this was their first HIPAA conference and over 90 percent of them raised their hands.

That really goes to the fact of writing this, of the industry regarding HIPAA. I believe that many of the providers and even some of the health plans were waiting for the final rule to be published in August. If you think about it, we only have six short months to implement this rule. That, in and of itself, concerns me and I believe concerns all the panelists on the group.

I would like to briefly highlight the work of the Oregon Payers' Cooperative that is developing an authorization form for the release of PHI that will be used for providers and health plans.

We really need to standardize more of these forms and have the OCR look at the forms and say what is the minimum standard. This will be in part of the testimony and attachments I would like to briefly cover with you.

Attachment A in the testimony is a model authorization form for use in disclosure of PHI. Attachment B is the model authorization form for use in disclosure of psychotherapy notes and model C is the model authorization form for individual use in disclosure of PHI.

We really need more of these forms and more of these standards that can be shared with the health plan community and the provider community. The Oregon Payers' Cooperative has also drafted a matrix template to help health care providers and health plan staffs in determining if and when PHI can be shared without prior authorization. That's attachment D. The authorization form and the template are currently being reviewed by the Oregon Medical Association and the Oregon Hospital Association and Health System Association for their members.

The Office of Civil Rights has been given a monumental task to interpret and enforce the rule that will protect the confidentiality of PHI maintained by hundreds of thousands, if not millions of covered entities.

The entities subject to the privacy rule cover a broad spectrum from the solo health practitioner in the rural community to a large multi-health plan health care organization such as Amerigroup, Aetna Pacific Care.

Over the past three years, the Department of Health and Human Services has worked to draft a comprehensive set of standards for the use and disclosure of PHI and the final modifications to the rule that were announced this August.

The next task for the OCR is to work with covered entities to help them prepare to implement the privacy rule on April 14, 2003.

There are two ways that the OCR can best accomplish this goal. First, through providing more guidance and technical assistance regarding the rule's application to business operations of health plans and health care providers and second, expanding the work they have already done with interested parties and educational and outreach efforts.

I would like to discuss a few of these.

The OCR needs to assist health care providers and health plans in working through the regulatory gray areas of the privacy rule. OCR has released very helpful guidelines through a series of frequently asked questions and answers. This guidance, however, does not address a number of the significant questions about compliance with the rule. I'm just going to outline a few of these.

What's a covered entity for the purpose of the rule? There's still a great deal of uncertainty among those involved with health care services such as ambulance companies, fire and rescue units, rural providers, so on and so forth, whether they are covered by the rule. In addition, many state and local government agencies may not realize they need to comply with the privacy rule.

Who is a business associate? Although recent guidelines from the OCR have provided some clarification, there are still many health care providers and employers who believe they are the business associates of the health plan to which they submit claims. Also, what's very difficult to determine with business associates, especially with health plans, is when you have delegated contracts, where you are delegating utilization review and you are delegating claims payment.

The health plan still has the fiduciary responsibility under these contracts for the privacy piece, at least, that's how most health plans believe. So I believe that we need more guidance on what a business associate is and what, when a covered entity is a business associate.

What is minimum necessary use and disclosure of PHI? Even with the recent guidance, many providers are refusing to release medical information for member authorizations and referrals for treatment, believing it is prohibited under HIPAA. Some high schools are refusing to release PHI or allow on-site activities that are a normal part of health plan operations and should be allowed under treatment, payment and health care operations under the rule.

These activities include but are not limited to quality improvement, utilization review, health promotion and claims auditing activities for payment.

How can individuals best be informed of their privacy rights? The average privacy notice ranges from five to six pages in length and, ladies and gentlemen, if anyone has a shorter one, please see me after this presentation.

Health plans that do business in states that require privacy notices to be sent in more than one language will be mailing privacy notices more than 12 pages long to each member. The length and content of the privacy notice will generate thousands of calls to health plans for members who do not understand the notice of privacy.

Confused members and increased call volumes will equate to increased administrative costs and decreased member satisfaction. I just ran some preliminary numbers. A medium sized health plan with approximately 700,000 members could have mailing and printing expenses in their initial mailing in excess of $350,000.

Additionally, if the privacy rule changes in relation to the privacy notice, the health plans will be required to re-mail; in the instance of providers, they would be required to give it on the date of service.

One is state law -- preempted, that was covered.

One of the major problems with the privacy rule is that it does not create a federal standard for uses and disclosures of health information.

And how will the rule be enforced? OCR needs to quickly issue a notice of proposed rule making to describe how it intends to enforce the provisions of the rule.

And we need more outreach and education. The Office of Civil Rights should engage in the same types of outreach and educational efforts that are currently being undertaken by health plans and by business, professional and state industry groups.

One approach is to work with the regional WEDI-SNIP affiliates and help develop best practices and to educate covered entities on how to successfully implement the rule.

An advisory board or consortium which incorporates business, industry groups and professional groups has been proven to be an effective means of education and outreach.

In addition, OCR should review the forms and mail documents such as business associate agreements, notice of privacy authorization forms that are being developed by these groups and indicate when such materials meet the minimum standards of the privacy rule.

Finally, OCR needs to develop a series of brochures and other educational materials that will help covered entities understand how the privacy rule works in the real world. Amerigroup and AHAP member health plans are deeply committed to protecting the privacy of their members and patients. When compared to other entities, health plans are out in front in terms of the implementation of the privacy rule.

Nevertheless, outreach, education, and technical assistance are greatly needed for health plans and all covered entities and OCR is best positioned to undertake this critical task.

Therefore, we strongly urge the government to provide any and all necessary resources to support OCR so that it may develop and implement the tools so needed by the entities it serves.

Additionally, we ask that this subcommittee consider its role in the outreach and education of covered entities and urge it to develop best practices that may be uniformly used by covered entities.

Thank you.

MR. ROTHSTEIN: Thank you very much for that detailed testimony. Any clarifying questions? No. We'll be back with questions, I'm sure. Mr. Daley.

Agenda item: Jim Daley, HIPAA Program Director, BCBS South Carolina.

MR. DALEY: Good morning. My name is Jim Daley. I'm HIPAA Program Director for Blue Cross Blue Shield of South Carolina, or BCBSSC.

BCBSSC is a member of the Blue Cross and Blue Shield Association, or BCBSA. The association is comprised of 42 independent locally operated Blue Cross and Blue Shield companies that collectively provide health care coverage for 84.4 million or nearly 30 percent of all Americans. BCBSSC provides innovative health plan benefits, dental and vision benefits, pharmacy benefits, life insurance and worker's comp benefit management.

We also are the nation's largest Medicare and TRICARE administrator. We provide Medicaid services to the state of South Carolina. Our subsidiary offers software products and clearinghouse services to providers.

Because of our span of interest, we view the requirements of the Health Insurance Portability and Accountability Act of 1996, or HIPAA, from a variety of perspectives.

We would like to thank you for the opportunity to offer our comments on the implementation issues associated with HIPAA privacy.

As background, the health care industry continues to focus on the need to safeguard individual health care information. BCBSSC fully supports this goal.

It's important to note that implementation of all the current HIPAA rules represents a significant challenge to the health care industry. According to a recent report from Gartner Incorporated that studied a representative sample of payer and provider organizations, the average payer will spend over $14 million to comply with HIPAA while the average provider will spend over $5.6 million. I quote the report as follows.

The total compliance costs may be staggering for many health care organizations that are still recovering from the US Balanced Budget Act and other financial pressures. After removing several responding payer outliers that reported using HIPAA to completely transform their operations around e-business, having budgeted up to $300 million for that effort, payers still report an expected total HIPAA cost that exceeds $14 million on average.

Although providers expect a total cost of relatively less, at more than $5 million on average, it should be noted that many of these respondents are 250-bed community hospitals that have substantially smaller operating budgets than a typical HMO or PPO. And I should note this study did not include the individual physician practices in groups of 30 or more and the hospital groups.

The current anticipated HIPAA initiatives, including transactions and code sets, privacy, security and employer, provider and health plan identifiers call for substantial dedication of resources for the health care industry. It is therefore important to identify measures that can ease the burden of compliance and allow covered entities to allocate resources to serve the consumer in other ways.

BCBSSC fully supports the efforts of NCVHS in this regard and we appreciate the opportunity to share with you our thoughts regarding how to facilitate implementation of the HIPAA privacy requirement.

BCBSSC began addressing HIPAA in 1999 though our privacy efforts at that time were limited since the proposed rule for privacy had not been published. We currently have a HIPAA privacy task force consisting of representatives from loss, plans and operational areas representing all lines of business to review existing corporate life, privacy policies and practices and to adjust them as needed to accommodate HIPAA specific requirements.

The members of this task force are responsible for assuring that privacy requirements are addressed within their respective areas. During the course of our efforts we found two areas to be particularly troublesome. Our remarks today will focus on these two areas -- federal and state law preemption concerns and awareness and outreach concerns.

Federal and state law preemption concerns. The subject of preemption continues to be troublesome from two perspectives. First, there are numerous state laws associated with privacy; second there are other federal laws on privacy with additional legislation under discussion.

As an example, South Carolina presently has over 70 statutes that address confidentiality of health information, including some so specific that they apply only to health records of state employees. Based on the preemption criteria, covered entities must decide on a provision by provision basis which parts of state law would be retained and which would be preempted by federal law. This becomes an even more complex task for entities doing business in multiple states.

Since there is not currently a centralized analysis of preemption, this analysis must be accomplished by each covered entity. That means every payer, including employer health plans, provider and clearinghouse must perform this task. The redundant effort of these covered entities uses valuable resources that could be spent in other ways to safeguard protected health information and could benefit the consumer.

At BCBSSC, we have joined with a coalition of other Blue plans and have hired outside counsel to assist with the preemption analysis. Unfortunately, many smaller rural providers do not have and will not have access to legal staff with the expertise to conduct this analysis. Furthermore, each time the privacy law changes or a new one is passed, this analysis will need to be revisited by all covered entities, and on a personal note, if I walk into a doctor's office, I would be much happier if I saw them reading a medical journal than if I saw them reading the state laws in the Federal Register.

The preemption issue is compounded by section 160.204 of the federal rule that describes a process whereby a state can apply to except a provision of state law from preemption. While this may help accommodate certain specific needs, how will covered entities and consumers know which exceptions have been requested and approved? Will state insurance departments be expected to provide preemption guidance?

The preemption process will be very frustrating and confusing for consumers. It will be difficult for them to determine which provisions apply to them. Instead of promoting an individual's ability to know his or her privacy rights, the preemption process will only confuse them. It would be helpful for HHS to prepare and maintain an up-to-date detailed privacy guide that would show covered entities and consumers the privacy provisions that apply to each state across the country. This would alleviate the need for tens of thousands of covered entities to perform this analysis and would eliminate potentially conflicting determination of which provisions apply within a given state.

Other federal law. There is other existing legislation on privacy, for example, Gramm-Leach-Bliley, the Privacy Act of 1974, the Federal Substance Abuse Regulation, etc. Additional privacy legislation has also been discussed at the federal level.

With the passage of each new bill, there's a potential for requirements to change and previous efforts by covered entities to be legislated out of compliance.

The preemption analysis would need to be conducted each time a new privacy law is passed. Covered entities in compliance with HIPAA should be deemed to be in compliance with other federal privacy requirements. This would avoid conflicting or fluctuating requirements and provide a clearer statement of federal privacy laws for consumers to understand.

Awareness and outreach concerns. Even as the HIPAA deadline approaches, we've become increasingly aware of the lack of understanding of HIPAA within the provider and employer community. As a result, payers are finding it necessary to create awareness programs for these covered entities.

At a recent conference in California, one provider made reference to the fact that no one sent a letter to the providers telling them they needed to comply with HIPAA.

At an awareness program held in South Carolina, one provider commented, even though mandatory, we really didn't know much about it.

While some providers have made significant strides towards compliance, others are still asking very basic questions. As a result, payers are finding it necessary to develop material to fill this gap. This presents a few potential problems.

First, it's conceivable that the information provided may differ slightly depending on which payer or other consulted expert offers the material, thus creating uncertainty among providers over the specifics of the HIPAA requirement.

Second, creating these awareness programs, diverts payer resources that could be spent to benefit the consumer in other ways.

Some providers are beginning to question what information is allowable to share under HIPAA. While this does indicate a step forward in protecting the privacy of consumers, it may also impact the consumer if required and allowable information is withheld due to misunderstanding of the HIPAA provision. Such impacts may include delays in authorization for services or determination of the amount of coverage.

It would be helpful to have a national, plain language HIPAA guidance for providers that explains their basic requirements and provides a reference for the sources of additional information. It would also be helpful if this guidance could be accessed via the internet. Although the FAQ section of the HHS-CMS web site is a valuable source of information for specific questions, it doesn't provide the higher level of explanation of requirements that many covered entities might need.

A WEDI-SNIP work group has drafted a white paper to address provider awareness, but the value of this is dependent upon a provider becoming aware this resource exists.

Employer health plans must comply with HIPAA requirements. While many of these plans may use a third party payer to handle transactions and code set requirements, the same cannot be said for privacy. These plans must be made aware of their obligations under the privacy rule. At present, this awareness is often dependent on information provided by payers, business associates, vendors and consultants. The amount and quality of this information varies.

The level of awareness will influence the amount of protection PHI receives within the employer health plan. This, in turn, affects the privacy of consumers.

A related concern is the potential impact to employee benefits if the flow of PHI is impeded due to lack of understanding of the HIPAA privacy requirement. This disruption could inhibit the ability of consumers to obtain coverage or to have their claims processed.

Some payers are taking steps to create awareness material for employers, but this action is subject to the same issues described above under providers. The consistency of information may vary and these awareness initiatives divert resources from other essential activities.

It is important to emphasize that HIPAA compliance is a responsibility of the covered entity. BCBSSC recognizes that vendors offer services that can be of great assistance to help covered entities address HIPAA requirements. However, vendor statements would lead other covered entities into thinking that compliance can be achieved merely through purchase of a product or service.

Vendors and consultants have seized upon HIPAA as a lucrative new source of revenue such that some vendor literature contains phrases that imply HIPAA compliance can be achieved solely through their product when in reality the product is only a tool or service that can assist the covered entity to become compliant.

Since all the HIPAA rules have not yet been published, even the use of the phrase HIPAA compliant may be premature without sufficient qualifiers describing which aspect of HIPAA is being addressed.

BCBSSC feels it would be beneficial to have HHS prepare guidelines that describe how vendor services may assist covered entities in their HIPAA efforts and clearly describe what covered entities may still need to do on their own.

Conclusions and recommendations. In conclusion, it is our view that the industry can benefit significantly by having access to a centralized preemption analysis and by having access to standardized awareness and outreach materials.

We therefore recommend that HHS do the following:

First, focus on development of standard and uniform guidance on preemption.

Second, allocate additional resources for outreach and prepare awareness and outreach materials for providers and employers.

And, third, make available on the HHS web site a list of publicly available HIPAA information along with links to other sites found to contain suitable HIPAA information.

Thank you for the opportunity to testify and this concludes my statement. Any questions?

MR. ROTHSTEIN: Thank you very much for that testimony. All three of you have been extremely focused which really helps us when you give us specific recommendations. I'm sure the members of the subcommittee would like to probe later. Any clarification questions? Okay, thank you.

We'll move onto our next witness. Mr. Fitzgerald.

Agenda item: Kevin J. F. Fitzgerald, Esquire, Health Care Counsel, General Electric Company.

MR. FITZGERALD: Thank you. Good morning. My name is Kevin Fitzgerald. I'm the Health Care Counsel of General Electric Company. I'm located at our corporate headquarters in Fairfield, Connecticut. I'm also the HIPAA privacy leader for our corporate operations, and it is a result of both of these capacities that the ERISA Industry Committee asked me to speak with you today.

Now, unlike my distinguished colleagues here, I'm kind of more of a mechanic. I'm kind of the guy who gets in the machine and writes these things so my nails are a little dirty.

But let me start by reflecting much of the sentiment that's been expressed by the panel as well as what's expressed in Dr. Lumpkin's September 27th letter to Secretary Thompson.

Until the promulgation of the final regulations on August 14th, there really was no sense of urgency amongst much of the health industry regarding the privacy rule deadline. I believe this is due in great part to an unwillingness by the industry to be the first to dip their toes into the compliance -- we'll let somebody else go first -- as so much has been in flux since the first set of proposed regs came out in 1999. After August 14th, people saw the light at the end of the tunnel and it's an oncoming locomotive.

A good deal of the confusion in the employer community is driven by the fact that HHS had no authority to regulate employers directly. As a result, we are regulated as group health plans, which are the employee welfare benefit plans which are created and operated under ERISA.

But there's no such entity within GE or any other employer known as the group health plan. It's a contract between the company and its employees to deliver benefits. It's not really an entity of its own. There's no group health plan department. What it is is there's a nod of distinction in the privacy rule or the privacy rule actually operates in the distinction that the group health plan and the plan sponsor of an ERISA plan are different people or different entities.

They are not, in fact, because the people who know what the plan sponsor is tend to be the same folks who know what the group health plan is, and the plan sponsor function makes little practical difference and drives considerable confusion. The plan sponsor is almost used as a proxy for the employer rather than the creator of the ERISA benefit plan, which is really where plan sponsors, the creator or trustor function, is really the essence of what plan sponsor means, so it has caused a lot of confusion within the industry.

And add to that fact the simple truth that employers, particularly large employers, come in a large variety of flavors. For example, I believe the structure and operation of the group health plans we operate at General Electric are relatively well-suited to the HIPAA compliance regime. About 90 percent of our approximately 170,000 domestic employees are in benefit plans operated centrally from corporate on a self-insured basis. This gives us a great degree of organizational and related physical segregation from the non-covered aspects of GE's operation which, of course, includes making light bulbs, locomotives and must-see TV.

In so many words, our plan sponsor knows where our group health plan is and resides and vice versa, so it's easier for us to make the distinction, but other employers may base their benefits strategy on a more localized basis, permitting regional operations to select and manage the offerings.

This puts compliance decisions at a local level where the necessary compliance sophistication may not reside. I spend a lot of time coaching our affiliates on, for example, with the transactions application extension a couple of weeks ago, we scrambled through a lot of our affiliates and said, you know what this is? Do you know you are supposed to be doing this? It's an easy form, can you handle this?

And I think we did a pretty good job but again, that represents the small minority of our insured population, much different when you are talking about 200 HMO's which is not an uncommon kind of play in the large employer community.

But from a HIPAA standpoint, whether you are designed like GE, essentially centralized, or whether you are not, the group health plan concept in the regs encompasses all the operations and functions even if it's not monolithic, it's fragmented so that means you have got to -- the employer must try to link together all these locally managed programs within the firewall or multiple firewalls but in the end it's one firewall and one compliance regime. This is not an enviable task and will take some time and effort to bring all the players up to speed.

On a related note, most of the training programs I have reviewed are focused on what a provider or health plan needs to do to comply with the privacy rule, not what an employer needs to do. Most of the support for employers comes in an extensive customized format by a retained law firm so the consulting houses, of course, have no monopoly on the information available or its interpretation.

In that regard, I can certainly do no better than echo other comments expressed in Dr. Lumpkin's September 27 letter. Covered entities are at the mercy of an army of vendors and consultants, some of whose expertise appears limited to misinformation, baseless guarantees and scare tactics. It might be a little over the top, but it's not too much and there's a lot of desperation for knowledge out there, and the bottom line is that we are all groping forward at this stage and the written testimony that will accompany my remarks will demonstrate many of the open or ambiguous issues.

All I can ask from this issue is for the department to realize that while large employers have long been aware of the importance of confidentiality, working out the details under the privacy rule is complicated, especially when overlaid by the preemption issue.

The suggestion made in my written comments would also help settle employer and ERISA plan questions and concerns. Of particular importance is the need for affirmation of ERISA preemption of state privacy laws.

I also want to second Mr. Daley's point on preemption and real time research. GE has signed onto a national law firm resource which ostensibly sorts out state privacy laws versus the HIPAA floor. It's a laugh riot. I'm sure the eager Ally McBeals and JAG types who are working day and night to make these analyses are trying to make them as clear as possible but almost all of them end with statements like, well, this state law doesn't appear to conflict and looks good to me, so it doesn't really provide a lot of guidance. And the real time aspect is very important to mention because if you look at something that says last updated in March or April, you are not sure that a later law hasn't come out, and we are all going to be struggling with that state by state, especially those of us with operations in all 50 states, to make sure we are not tripping over ourselves or just completely missing something.

Many of you are probably familiar with the fact that Texas has basically passed a law that says if you touch PHI, you are a covered entity.

Well, that's pretty simple, at least to understand; the problem is chasing that one down and I wouldn't be surprised if they might reconsider that when they consider how many, they are going to have enough business associate agreements in Texas to fill Texas Stadium, at least from what I have understood just internally at GE.

An issue that I do want to specifically discuss is the controversy that exists between the retail drug industry and the pharmaceutical benefits management industry over the proposed provisions of the community pharmacy guide, which would be inconsistent with all the other transaction standards, as alluded to in the August 14th final rules.

I believe the panel is familiar with the pharmaceutical care management industry's October 17 letter on the issue and I would like to echo some of the arguments presented in that letter.

It would be the only standard that does not allow basic data fields such as patient name, Social Security number, address, etc. In most standards, these fields are not only allowed but they are required for the very reasons health plans require them and would like them in the pharmacy transactions.

The HIPAA goals of administrative simplification and uniformity would be achieved by making its optional fields mandatory or situational in the same way they are addressed in all of the other standards.

The retail pharmacy industry has expressed a concern that PBMs or other carriers will be able to use this data for their own or unrelated purposes including selling it to manufacturers or others -- you know, you will get a pop-up on your internet screen as a result of them.

But since PBMs will act as business associates of group health plans such as GE's, they will be legally bound to use and disclose the information they obtain from pharmacies solely for the purposes of performing their contracted-for services in a manner consistent with the privacy rule.

And I can assure you that in the absence of the privacy rule, GE contracting specifications would not permit marketing or other extra-contractual use of employee data.

MR. ROTHSTEIN: Kevin, I'm sorry to interrupt you. Is that written, is that testimony that you just gave -- I don't see it in your written testimony. Is that follow-up that you wanted to provide us?

MR. FITZGERALD: I do have additional copies.

MR. ROTHSTEIN: Oh, okay, because -- thank you.

MR. FITZGERALD: Moreover, nothing in the privacy rule, including the minimum necessary standard, prevents pharmacies from including these basic fields in pharmacy transactions. Since these fields are required for clinical and payment verification purposes, they meet the minimum necessary standards.

Moreover, pharmacies are not even required to apply the minimum necessary standard when responding to a reasonable request for data from health plans or their business associates.

Finally, if the minimum necessary standard is truly the concern, this concern can be eliminated by changing these optional fields to required or situational fields. That way the minimum necessary standard would not apply.

Making sure the pharmacy standard transaction parallels the identification data field of other health claims transactions is important to self-insured plans such as GE's since we have a fiduciary obligation to make sure that all claims dollars are paid appropriately.

Putting all your identification eggs in one data field basket will certainly lead to late, incomplete or rejected claims which will serve no one's interest, namely that of the patient and provider. This situation without any exaggeration could lead to a wholesale shut down of the retail pharmacy sector after April 14th because you are going to have a ton of rejected claims and the phone lines are going to go ballistic red in no time at all and there will be considerable noise over claims simply not being paid and people not able to get their prescriptions.

Moreover, proper identification enhances the effectiveness of patient safety features such as drug utilization review and interaction analysis that is done at the pharmacy counter right now. Name, relationship code, complete date of birth, gender are some of the strongest types of confirming data and it is critical for the effective management of the benefits that such information continue to be provided by retail pharmacies as part of any claims submission.

The transaction standards for pharmacy must take into account our fiduciary responsibility and maximize patient safety. This will not come at the expense of privacy and confidentiality but rather be consistent with the group health standard.

NCPDP 5.1 should be modified to include name, complete date of birth, relationship to patient and gender, member identifying number, and other key identifiers as required fields. This would be consistent with the treatment of such information in the standards adopted for medical and other claims.

Now, switching topics a little bit, as indicated in the written remarks, there's existing great confusion amongst employers regarding the reach of the privacy rule beyond group health plans.

One area to highlight in particular is in-house medical clinics, which GE operates as do many other major employers. We have something like 50 to 100 clinics across the country, some staffed only by nurses and some with a full time physician or a number of full time physicians.

These clinics do not, on the whole, engage in electronic standard transactions, even though they use many types of electronic communications in dealing with colleagues and the provider community and patients. It would be of tremendous help if the currently defined transactions list, which focuses essentially on group health insurance information, remained static with no others added and, in the case of first report of injury, a deletion of that term from the regulation.

The FROI is commonly understood as a worker's compensation term and since workers comp is explicitly excluded from the regulations, it should be excluded from the transaction list. No single line item has proven more confusing to explain in my travels within and without GE and this deletion would remove unnecessary ambiguity from the regulation.

A further complication comes with outsourced clinics, either operated by local health care providers such as hospitals or larger national concerns. Many of these entities have deemed themselves covered entities and we are currently engaged with a number of these providers in deciding how to allocate responsibilities without causing confusion, especially concerning employee communications.

My suggestion is that a covered entity performing non-covered functions for a non-covered entity should be exempted from the regulations if that position is consistent actually and by policy with the other operations of the non-covered entity.

Another area that is producing high volumes of work which results in little actual value is the business associate agreement requirement. Most large employers will end up doing something over 100 agreements. GE will be in the area of 200. In fact, we are doing yours next week.

South Carolina is our TPA.

What will we attain for these provisions over what we have previously used in our contracts to protect employee information? Literally another five pages to our already lengthy administrative service agreements. Virtually everything that we have previously addressed under confidentiality, security, no marketing provisions, web security provisions and other standard contractual terms are now reformatted into the model language, the lengthy model language to which most employers and suppliers will add their own twist to expand or limit responsibilities and risks.

A preferable alternative would be a one-page statement that the party will comply with HIPAA as expressed in the regulations, not dissimilar to the notice of privacy practices for providers.

By the same token -- I want to echo something that Ms. Grimes said. A simple standardized model form such as the Oregon authorization project would materially help in reducing the re-making of the wheel that's going on on a national basis -- the Ally McBeals and the JAG folks -- but also provide a commonly accepted floor that will reduce the apprehension that's in the provider community.

An example of this is in the world of other benefits. For example, we administer our disability benefits centrally and obviously you need to have medical information to properly process the disability benefits which are not themselves a covered entity.

But right now we use the standard authorization form essentially on a national basis. We don't know how many flavors of those we are going to end up using after April 14th, and frankly we don't know how skittish the provider community is going to be if we send our standard authorization out and they say, huh, doesn't look good to me, missing a semi-colon that our state medical society recommended, and it's going to stop the flow of information or threaten to stop the flow of information and the resulting disability payments to employees. So the more standardization we can achieve, the less friction there's going to be in the system outside of things like health information, including things like, again, disability or life insurance benefits.

And the same with the sample provider notices of privacy practices. I would imagine, and I think many of you probably recall from Gramm-Leach-Bliley, you counted how many of those notices you got from various providers. I probably got six, eight, or ten and I'm guessing that our employees are going to see probably about the same amount of notices of privacy practices from various vendors even though at GE we will try to centralize that and make sure that our vendors don't send whatever we are sending out because we have the responsibility.

But there's only so much you can do, so I think it will drive call volumes, saying I just got one of these and then I got another one of these. Is there something I'm missing here?

So to the extent we can simplify these, make them standardized, it will make it easier for us to say, we are sending this, is that okay to make up the list? And that would help an awful lot in terms of reducing the confusion that's going to go on between essentially December and April when people really would rather get Christmas cards.

Back on the business associate agreement, I just wanted to mention that if it is possible to come up with some kind of reference or one or two paragraph model, that would really be the best thing, the idea with the consensus, anything you can do in a couple of paragraphs that didn't take six pages will help a lot.

But obviously time does not permit a complete discussion of the ambiguities and complexities facing the employer community under the privacy rule. I would like to emphasize again that ERIC and its members take the confidentiality of employee data, medical or otherwise, seriously, and we will work to achieve compliance by October 14th of next year.

We look to this commission and the department to give guidance on the issues that face us as well as the health care industry as a whole, and we certainly have an offer here by ERIC to work with the commission and the department to help make things simpler.

Thanks.

MR. ROTHSTEIN: Thank you. Any clarifying questions?

DR. ZUBELIA: In your last sentence you said you are trying to achieve compliance by October 16 of next year. Do you mean April 14 of next year?

MR. FITZGERALD: Did I say that -- I thought I said April 14th but we'll get October 16 in the transaction lines, too.

MR. ROTHSTEIN: Ms. Williams, please.

Agenda item: Christine Williams, Employee Benefits Group, Gordon, Feinblatt, Rothman, Hoffberger and Hollander, LLC.

MS. WILLIAMS: Good morning and thank you for the opportunity to address the Subcommittee on Privacy and Confidentiality.

My name is Christine Williams and I'm a shareholder with Gordon, Feinblatt, Rothman, Hoffberger and Hollander, a firm of 80 lawyers located here in Baltimore, Maryland.

I practice exclusively in the area of employee benefits and many of the clients I represent are employer sponsored group health plans and third party administrators that provide services to group health plans, and my testimony this morning will focus very narrowly on employer sponsored group health plans.

Over the last two years, I've worked with group health plans and TPAs to provide them with advice on HIPAA administrative simplification and to assist them in preparing to comply with the administrative simplification requirements, including transactions, privacy and security.

All of the group health plans with which I've worked are committed to protecting the privacy of the health information of their participants and all of the TPAs with which I've worked are committed to protecting the privacy of their clients' information.

All of them already have procedures in place to help ensure that sensitive information is not disclosed improperly and all of them view the protection of sensitive information as a high priority.

Most of the group health plans and TPAs with which I've worked are also committed to achieving compliance with the HIPAA administrative simplification requirements. However, achieving compliance with the privacy and transaction requirements is proving to be difficult for reasons which I will discuss shortly.

Perhaps more worrying, however, is what I believe to be a significant number of group health plans that have never heard of HIPAA administrative simplification or that do not yet recognize that they are, in the language of administrative simplification, covered entities or that believe based on blind faith that an insurer, a TPA, a broker or another service provider can and will take care of everything that needs to be done to comply with the administrative simplification requirements.

Some anecdotal evidence illustrates my point. About a week before the October 15th deadline for filing a model compliance plan with CMS to obtain the one year extension of the transactions deadline, a Gordon, Feinblatt paralegal identified approximately 15 group health plans for which the firm had done work in the past but with which we had not recently been in touch.

The paralegal called a representative of each of the plans to remind them that if they were not small health plans and they had not yet filed a model compliance plan, the deadline to do so was coming up.

Over two-thirds of the plan representatives had not heard about HIPAA administrative simplification and had no idea that the plans were covered by it. A few of the plan representatives asked us to assist them in filing the model compliance plan but were unaware of the nature of the administrative simplification requirements and were obviously unprepared for compliance.

One plan representative stated flatly that the plan was not covered and later called back to say that she had called the HIPAA hot line at HHS and had been advised that the model compliance plan was only for doctors and hospitals that bill Medicare. I assume that she spoke to someone who is thinking of the provider compliance plans that many physicians and hospitals have in place in order to assist them in accurately billing Medicare. I should add that the plan in question is not one of those few plans that have fewer than 50 participants and are administered in house and therefore are excepted from HIPAA compliance.

Obviously, the first step in achieving group health plan compliance with administrative simplification would be to make group health plans aware that they are covered entities. Part of the confusion around this issue stems from the close relationship that most group health plans have with the employers that sponsor them.

A single employer group health plan is usually nothing but a document. The plan has a separate legal identity under ERISA but no practical separate existence. The plan's decision makers are employees of the employer. Many plan administrative functions are handled by the employer and the employer pays some, most or all of the costs associated with the plan.

Under these circumstances, it is understandable that most employers that sponsor group health plans do not think of the plans as separate entities and instead think of the plans as just another of many administrative and management functions that the employer performs.

The magnitude of this problem may be a surprise to those who tend to think of HIPAA administrative simplification as affecting health care providers and insurance companies. Based on figures used by the United States Department of Labor in November, 2000, and these figures are reflected in the final claims and appeals regulations that DOL issued in November of 2000, there are approximately 2.8 million group health plans in the country.

In the preamble to the final privacy regulations, HHS uses a figure of 2.125 million fully insured group health plans and a few thousand self-insured group health plans. In the same preamble, HHS states that there are approximately 7,000 hospitals and 630,000 non-hospital providers. Thus, regardless of whether one accepts the DOL number of 2.8 million plans or the HHS number of 2.1 million plans, that number exceeds the total of other covered entities by a factor of more than three.

Even if many or most of the group health plans are small health plans and therefore have an extra year to comply with HIPAA administrative simplification requirements, they are still virtually all covered entities and will have to comply eventually. The problem, of course, is that they do not know that they are covered entities.

The preamble to the final privacy regulations indicates that HHS was under the impression that someone other than the group health plan sponsor, that is, the employer, would take care of privacy compliance for group health plans. For example, at page 82-765, the preamble states that there are approximately 12,200 health plans that will bear implementation costs under the privacy regs.

However, in footnote 45, HHS clarifies that the 12,200 plans are, quote, licensed insurance carriers who sell products, third party administrators that will have to comply with the privacy regulation for the benefit of the plan sponsor and self-insured health plans that are at least partially administered by the plan sponsor.

To date, at least in my experience, many insurance carriers and TPAs have not been taking a leading role in group health plan compliance. I think the speakers on the panel this morning probably represent the exceptions rather than the rule in that they do appear to be taking a good leading role in helping their customers toward compliance.

But in many instances, insurers filed model compliance plans for themselves, but not for the group health plans they covered. Similarly, many TPAs did not file for themselves because they are not covered entities, nor did they file for their group health plan clients.

The insurers and TPAs may perhaps be faulted for not taking very good care of their customers but they are probably on solid legal ground. It was the obligation of the covered entity to file the model compliance plan, not the obligation of an insurer or business associate of the covered entity unless the insurer or business associate had assumed that obligation by contract.

The October 15th deadline to file a model compliance plan would have been a golden opportunity for HHS to make a concerted effort to alert group health plans to their status as covered entities and to begin the process of educating group health plans about the administrative simplification requirements.

Instead, the HIPAA administrative simplification grapevine reports that approximately 500,000 model compliance plans were filed by the deadline. Depending on whether one sees the glass as half full or half empty, this leaves us either in awe that all of the other covered entities, including group health plans, are prepared to comply with the transaction standards or suspicious that all the other covered entities don't know that they are covered entities.

Personally I suspect that most of the non-filers are group health plans and they didn't file simply because they don't know they are covered entities.

Of the group health plans that know they are covered entities, I believe many are multi-employer plans. Because of the nature of multi-employer plans, they typically have a structure and a real existence that is entirely separate from that of any of the contributing employers.

Multi-employer plans are administered by boards of trustees; the trustees usually know that the plan is an entity separate from any of the employers and the plans usually have their own counsel. Again, based on anecdotal evidence, I believe that multi-employer group health plans are, in general, far ahead of single employer group health plans in awareness of HIPAA administrative simplification and are farther down the road to compliance, precisely because they are treated as an entity separate from employers and they have legal advisors to focus on plan issues.

Of all the group health plans that recognize that they are covered entities, there is a great deal of concern about the cost of complying with the HIPAA administrative simplification requirements as well as concern as to whether the April 14, 2003, deadline for privacy compliance, for group health plans that are not small health plans is realistic.

The privacy regulations include 58 separate standards and 60 separate implementation specifications. In many cases, compliance must be tailored very specifically to the plan's individual operations and in some cases, the standards and implementation specifications were modified in August of this year, leaving plans with only eight months to comply with those modifications.

In my view, the heart of compliance with the privacy requirements is the creation of policies and procedures appropriate for the covered entity. Policies and procedures that not only reflect the requirements of the regulations but that also reflect the covered entity's structure and business operations and policies and procedures that the covered entity can live with from an operational standpoint and can live up to, from a compliance standpoint.

In the preamble to the final privacy regulations, HHS seems to indicate its belief that privacy policies and procedures will come in packages and that a few sizes will fit all. For example, at page 82-769, the preamble states, the final rule is designed to encourage the development of policies by professional associations and others that will reduce costs and facilitate greater consistency across providers and other covered entities.

The development of policies will occur at two levels. First, at the association or other large scale level and second at the entity level.

Because of the generic nature of many of the final rules provisions, the department anticipates that trade professional associations and other groups serving large numbers of members or clients will develop materials that can be used broadly.

For larger health care entities such as hospitals and health plans, the department assumed that the complexity of their operations would require them to seek more customized assistance from outside counsel or consultants. Therefore the department assumes that each hospital and health plan, including self-administered, self-insured health plans will, on average require 40 hours of outside assistance.

My experience in advising group health plans on HIPAA privacy compliance is not at all in keeping with the HHS expectations as evidenced in those sections of the preamble.

I've been led to the conclusion that a generic set of policies and procedures that is not designed for the average group health plan would probably sit on a shelf and gather dust instead of being used by the plan to achieve compliance with the requirements.

If policies and procedures are not designed with the group health plan's specific operations in mind, and if there's not an understanding by the group health plan of what needs to be changed and why, the policies and procedures are worthless.

To take one example of the difficulties facing group health plans, the privacy regulations impose very strict limits on what information may be disclosed to the sponsor of a group health plan. In order for the plan to disclose anything more than enrollment and disenrollment information and summary health information for limited purposes, the regulations require that the plan document be amended to include specific provisions that the sponsor provide a certification to the plan that the amendments have been made and the sponsor will abide by them and that the sponsor insure adequate separation between the health plan administration functions that it performs and its other functions.

However, in most businesses, the health plan administration functions are performed by -- the health plan administration functions that are performed by the sponsor are housed in the HR department, which also receives much non-PHI medical information from employees and which has employment related functions as well as plan administration functions.

In addition, in most businesses, decision making power relating to both employment related functions and plan administration functions is often vested in the same individual, such as a vice president for HR.

This structure often makes it difficult to achieve adequate separation, and realistically, few businesses will undertake major structural changes to the decision making hierarchy. This means that complying with the privacy regulations' requirements for disclosure of PHI by a group health plan to the plan's sponsor cannot be done by merely printing a set of documents from a HIPAA for Dummies CD, an imaginary product, at least so far as I know.

Instead, it requires understanding the operations and structure of the plan and the business and within the existing structures and hierarchies, finding a way to comply with the privacy regulations without turning the plan and the business upside down.

This is usually not a task that can be achieved in a one or two hour meeting, and it is not something that an insurer or a TPA can effectively manage for its plan customers.

With these issues in mind, I would like to make a couple of suggestions.

First, many of the group health plans that are required to comply with the HIPAA administrative simplification requirements are also required under ERISA to file an annual form 5500 with the US Department of Labor. The 5500s are a matter of public record. It would seem to be possible for HHS to obtain the names and addresses of the group health plans that filed 5500s within the last year and send each of them a notice that the plan may be a covered entity and should contact a qualified professional for additional information and to determine whether it is a covered entity.

Alternatively, the notice could direct the recipients to the CMS web site and the covered entity decision tools or HHS could establish an "Am I a Covered Entity" hot line staffed by trained counselors who can assist group health plans in determining whether they are covered entities and, if so, what their compliance deadlines are.

Second, an extension of the privacy compliance deadline may prove to be necessary. It seems unrealistic to expect group health plans that do not yet know they are covered entities, to have policies and procedures and other compliances mechanisms in place by this coming April.

Third, if, as HHS, expected, trade professional associations and other groups serving large numbers of members or clients have developed materials that can be used broadly, HHS should undertake to make those sources known to covered entities.

A data base of such sources with information on the type of covered entity for which the materials are designed, the price of the materials and any membership or other criteria for obtaining access to the materials could be made available on the internet to assist covered entities in simply finding those materials.

HHS would probably object that establishing such a data base would be expensive and time consuming and would place HHS in the role of passing on the quality of materials created by others. Those objections are valid. However, as things stand right now, virtually every group health plan in the country has to do exactly those things.

In conclusion, I believe that group health plan compliance with the HIPAA administrative simplification provisions will take longer than was predicted, largely because most group health plans are unaware of their compliance obligations and will cost much more than was estimated.

Group health plans as the most numerous of the covered entities need more than they have been offered by HHS to achieve compliance. HHS should make group health plans a major focus of its efforts during the next few months.

Thank you.

MR. ROTHSTEIN: Thank you very much. Any clarification questions?

I want to thank all five of the panel members. Really excellent testimony, and are there questions that the subcommittee members have? So the floor is open. Dr. Danaher.

DR. DANAHER: Thank you. I appreciate the testimony very much.

I would like to direct this question to Mr. Hoffman and also to Ms. Grimes, a bit in your capacities as representatives of HIAA and AAHP, if that's okay.

I personally am a big believer in kind of the James Madison federalist papers and believe that states should have the ability to have their laws and rights supersede the federal government's.

Having said that, in my experience as health plans work to implement the HIPAA privacy standards, what causes them to come to a screeching halt is the state preemption analysis issue, especially with the larger health plans that have multistate operations.

As the committee knows in previous remarks that I have made, I believe that there's a hierarchy in terms of how health professionals are getting into compliance and I think health plans tend to be on the higher end of hierarchy.

And I just want to interject this and then ask the question. I think that your provider networks, your doctors, etc., have not even grasped the concept of what state preemption analysis is. I mean, it's enough for them to be grappling with the whole idea of developing policies and procedures for their offices and what is HIPAA, blah, blah, blah, blah, blah. Let alone even thinking about state preemption analysis.

So having said all those things, I guess what I'm putting to you is that what I'm, and help me reconcile kind of a recommendation to OCR, whatever, would seem to me that HIAA and AAHP would be supportive of some suspension or some of the state preemption. In other words it seems that if we could go with an endorsement of the federal HIPAA regulation superseding the state preemptions, number one, it seems like your organizations would be supportive of that and I guess, is there a way that it could be kind of layered in?

I'm not big on the extensions, contrary to the last speaker. I think the extensions have really been part of the confusion because, you know, you don't have to do this until -- you know, so -- I guess I would like to just get kind of your views on how best to eventually get us to organizations being able to deal with the state preemption analysis given that it is such a tough issue. Thank you.

MR. HOFFMAN: Well, in Nebraska, we have a very active state initiative tied with the WEDI-SNIP process, a Nebraska SNIP privacy work group and we also have entities that are working with the EDI and security.

But on the privacy side, one of the legal counsels that support the Nebraska Hospital Association, that is in charge of the local SNIP work group, they have done a very, very comprehensive preemption analysis for the benefit of the work group and they have just updated it or are in the process of finalizing their update with the August rule changes and that's been very helpful.

In addressing the rule, I go back to the NAIC model, the 2000 NAIC model that many states were offered with regard to complying with Gramm-Leach-Bliley. That model included a health privacy component but there was a provision within the health provision in the health component that said if you comply with HIPAA, then the requirements of the rules for health privacy relating to that model were no longer applicable.

That was beneficial because we knew we were going to become compliant with HIPAA. The problem is you have so many different interests at the state level, the state attorney generals, you have the political process, and, quite frankly now, the state insurance departments are starting to look at HIPAA.

South Dakota met on Monday to entertain different avenues of health privacy rules because they are concerned about being able to enforce standards for their constituents and they are concerned about losing the enforcement ability so they are looking at adopting one of five different options which we are going to comment on as well at the state level.

We would support a recommendation that the HIPAA privacy standards, because we do support a strong national uniform standard, and that's what we had hoped to have gained back in 2000 when the NAIC adopted their model and most states adopted that, but, again, it didn't lead to complete national uniformity but it was a step in the right direction.

We are very concerned now about potential state activity with regard to adopting their own HIPAA-like privacy rules and all the other influences that are associated with that. Then, attorney generals, legislators, legislative process, etc.

MS. GRIMES: I'm in agreement with Mr. Hoffman's comments. We know there was good intent with making HIPAA the floor but trying to operationalize that and keep current on all of the regulations, if you do business in more than one state is an impossibility and a risk beyond compare because if you look at what we do on a daily basis -- a call center, I'll give you an example that is taking calls from multiple states, those folks on the line, those member service folks and medical management folks are going to have to know these rules and if you can't keep current on it, you are going to be at risk of breaching member confidentiality so we must come to some consensus and I know there's political issues and everything else has to be dealt with about what we are going to do with the state preemption issue.

Mr. Fitzgerald made reference to the Texas law that was just passed. Amerigroup does business in Texas and I can tell you that that law is not aligned with HIPAA. We are going to deal with all these different, more stringent rules that the states are passing, with good intent, and it's going to increase our costs and confuse our members and have an impact on the industry that is insurmountable if we don't address it now.

MR. HOFFMAN: I might add, too, the Nebraska preemption analysis done by the law firm of Barrett Home is available on the Nebraska SNIP privacy work group web site so it is publicly available and as I recall that preemption analysis is 50 pages long and this is for the state of Nebraska. This is not California, New York, New Jersey, what have you. That's 50 pages long and it analyzes the laws and regulations that are applicable to the provider and the payer.

DR. DANAHER: If I may make just one follow up comment.

In my experience, and this is not to knock any of the work that has been done by any of these law firms, it truly is only the -- let me put it this way -- the national state preemption analysis that has been done by very small firms, etc., or even the state by state efforts done by bar associations, etc., is by no means the panacea to this issue or this problem and I think your, Ms. Grimes, your example of a call center nurse that works for a national managed care company in fielding or handling calls from members in multiple states really is about the most illustrative point I can think of to show how difficult it is to deal with this issue.

MS. GRIMES: I think the issue goes to, at Amerigroup, and my background is medical management operations, I'm a nurse, is how, you don't drive the HIPAA truck up -- I try to explain to senior executives and superimpose HIPAA on how you do business.

You really need to take, there are very, very good parts of HIPAA that are really going to streamline how we do business, how we do business on a daily basis but when I look at some of these issues that operationally are really going to be challenging, if not impossible, the state preemption piece is really troublesome and if you, all of us on the panel, had the same input as far as state preemption goes, something must be done.

If you go to the state preemption analyses that I reviewed, you have to take those analyses and put them into a format where folks on the line can understand. If you have run any of these analyses, the attorneys have done very good jobs but they are not translated into a format where people that do the business on a daily basis can understand what an emancipated minor is and in the state of Texas when a 16-year-old has a right to go to an abortion without her family knowing it, you have to translate that into the EOB that's being sent by the carrier to the subscriber which is the mother and father.

So I really hope the committee, I would stress to the committee to take the state preemption issue forward, not only for the fact of the impact on the industry and the provider and the health plans, but also on the costs that are going to be incurred if we don't do something.

MR. ROTHSTEIN: Let me see if I can clarify for the subcommittee members as well as the panel, the relationship between the NCVHS and the preemption issue.

The preemption language is set into statute and therefore the Department, the Department of Human Services is basically stuck with that language.

The committee has the opportunity to make recommendations and Congress and, in fact, we submit an annual, a report on HIPAA, as directed by Congress for us to do so we certainly have heard what you are saying as well, as other witnesses, but it's unlikely to be reflected in our recommendations to the Department because there's really nothing the Department can do at this point except provide guidance and so forth.

So I just wanted to clarify that I appreciate your comments on the issue and we hear what you are saying.

Other questions by subcommittee members? Dr. Harding.

DR. HARDING: I have just a brief one. I very much appreciate the testimony of all of you. It was very enlightening and clear, very appreciative.

This is just kind of a sidelight here. Mr. Daley, in your testimony you talked about HIPAA compliant and the problems that we are facing with the definition of that and the use of that by vendors and so forth. Should that be a patented term by somebody or what do we do with -- I am sure that at this HIPAA summit that is going on in the next few days there will be an extraordinary number of things that are, quote, HIPAA compliant, and as you mentioned in your testimony, that's not always a clear definition or an accurate one.

Is there anything that we could do to help that or that the HHS or OCR could do to help clarify that issue?

MR. DALEY: That's a tough one. Actually, the awareness and outreach is where I think that's best addressed. The term HIPAA compliant as we just discussed, what is HIPAA compliant when you have got preemption issues with the state that we can't figure out? We get conflicting interpretations at certain aspects. Again, this is privacy related, but on the transaction side, implementation of those IGs, people are having problems with it.

So the question is what is HIPAA compliant? No one knows for sure. We'll know when it comes down to the court cases or enforcement and someone says that wasn't compliant, this is. That's the issue we are facing.

So I think it's important to do, is to say, HIPAA is very complex. Here's where you can find out information. Here's what you need to do, the areas you need to address, and then at that point you are down to taking your best guess.

Where I have concerns is some of the literature that crosses my desk related to the privacy might be from a vendor that says my product will help solve your HIPAA compliance problems when in reality it turns out it's an encryption tool that may help one aspect of security or privacy. It won't make you HIPAA compliant.

That's where some of the information is misleading. Someone could get that, maybe an employer plan, and say, oh, there it is. Somebody research that, buy that tool and we are good to go.

That's why I think some of that misinformation is out there. We need to break the awareness to say HIPAA is more than buying one product. It's more than a one time compliance with part A, part B, part C, whatever it is of HIPAA, it's an ongoing compliance effort that includes the privacy, security, the identifiers, transactions, addenda to transactions, a multitude of things, maybe claims attachments and whatever rules come down the pike in the future.

We need to educate people. That's what HIPAA is all about.

DR. HARDING: And when you say we need to, OCR? HHS? Is that a federal statement that should come out from an enforcement body like OCR or how would you suggest that -- or any member of the panel.

MR. DALEY: I would suggest it would come out from the federal government in some way, shape or form. It's a federal law and education as to what this law means, would be most appropriate from there. That's my personal opinion.

MS. GRIMES: I would also suggest expanding the outreach and tapping into the groups that already exist unlike MAHI and others. CMS has been active, some of the states have been active and really tapping into the American Association of Health Plans and the American Hospital Association and the medical associations because I found, at least in my experience, to get to the physician, work through the medical associations, the American Medical Association and the associations in each state.

I really believe that a multi-functional advisory board with the OCR and the HHS involved is keen and critical in that outreach. There are many groups out there that could be tapped into to centralize some of this information and get the word out.

MR. FITZGERALD: If I may say something on compliance, I think what compliance is going to mean, hopefully will mean for some amount of time after April 14th is good faith compliance and we are all going to do our firewalls, we are going to circulate our notices, we are going to try to touch everything we can touch but even, preemption being the greatest example, there may be just something where an interpretation is off or we either, there's a technical violation of some kind. I think we are all counting on some, a soft implementation, as we say in the benefits biz, of compliance and good faith being touched down until there's some degree of mastery within the industry.

MR. HOFFMAN: I might also add it would be helpful with some of these publications coming from the federal government, especially also targeted to the media. I was around and worked HIPAA portability and the majority of the consumer questions and compliance and issues that I had were misinformation from various media articles and even from the perspective we try to send information to our agency force, etc., but they read something in our local newspaper.

I know you can't help, you know, a writer's interpretation of the law but even from major national publications, there were errors found in the interpretation of the requirements and I'm anticipating when April 14th comes along next year, there's going to be a tremendous amount of interpretation at the media level that is going to confuse consumers and the more information that's available to the media to understand truly the rights and requirements of HIPAA, the better off we'll be.

MR. ROTHSTEIN: Well, I appreciate those comments and, in fact, we had an entire panel yesterday on how to reach consumers and tell them about HIPAA.

I have a series of rather specific questions and in the interest of time I would ask that you try to keep your answers brief.

I wanted to follow up with Mr. Daley on the issue of HIPAA compliant. Do you think it would be valuable if OCR issued a statement in some form that the Department of Health and Human Services does not certify any products or services or plans and therefore there is no, anyone who uses the term HIPAA compliant, it should not be taken as any sort of guarantee that it's, in fact, meets the standards requirement of HIPAA? Would that help at all?

MR. DALEY: I think that that would be very helpful. One of the things, again, HIPAA, it's a journey, not a destination so we really need to stress that it's an ongoing process and the requirements are being sorted out as we speak and will continue to be sorted out over the next few years. I think that will be a very helpful thing to do.

MR. ROTHSTEIN: Mr. Hoffman, you said in your testimony and also it's in your written testimony, you made the recommendation that OCR should have covered entity industry teams in place to assist each industry in its own unique implementation issues and I think that's a very personally attractive suggestion and I was wondering if you had any details that you could add to that in terms of what you had in mind.

MR. HOFFMAN: Well, the foundation of that recommendation is perhaps some frustration, personal frustration in reviewing the Q and A's, the guidance issued in July of 2001 and various Q and A's which tend to be directed primarily at the providers. Understandably so, because the number of providers outnumber the payers substantially.

However, the health insurance industry because of the complexity, especially without a full preemption, is just almost, it is overwhelming and the fact that we have some very specific issues, there are a number of rules and regulations that appear to be geared towards a provider type of arena that have unintended consequences on the health insurance arena.

And as such, we have some specific issues and concerns that clarification from the OCR level would be very helpful and I don't know that we have gotten our message across to the members of HHS when we've met with them and the OCR when the industry, the HIAA has met frequently with members of HHS and I just don't know that our, we're in an education process. We are teaching them about our business to identify and tell them how these unintended consequences occur.

So yes, that's one of the reasons why we made that recommendation.

MR. ROTHSTEIN: One of the things that strikes me, of course, is that if OCR staff, increased by 100 tomorrow, that would be within the possibility. I don't make policy for HHS. I don't see that happening tomorrow and so the question is how do we get to the ability to provide industry-specific information without the resources at the federal government level and just to try out an idea, in terms of getting drugs approved through the FDA, one of the things that we have done over the last decade is increase the industry responsibility for funding new drug analysis and evaluation by the FDA.

And I was wondering what the industry views would be, just to try out an idea, instead of spending all this money that you are spending on your own projects, to sort of contribute in some way, and, of course, it would probably take legislation to do this, to set up the ability to man or to staff these positions that would provide industry-specific HIPAA guidance for you.

MR. HOFFMAN: That's an interesting suggestion. We do, you know, the trade associations, such as the Health Insurance Industry of America, is in operation today because we, as members of that company support and pay annually for the support of that so there's resources from any number of insurance or insurance-related trade associations that certainly can offer support and assistance.

It would not be unprecedented that the industry would come together in some way to fund some, you know, some type of special research project or special function like that.

MR. ROTHSTEIN: Dr. Danaher.

DR. DANAHER: I just have a quick practical question. Ms. Grimes, I know of what you speak when you talked about the health plans all coming together to agree on common disease management programs instead of having their own asthma programs, etc.

Could HIAA and AAH come together and come up with some sample authorization forms, notice of privacy practices consent forms that could be passed by OCR and OCR not actually endorse them but just say, you know, kind of, say this is what we had in mind in putting forth this.

Is there a way to achieve some element of harmonization or standardization?

MS. GRIMES: I really believe these forms already exist -- the AAHP and others have been working on model forms. I think what would be very beneficial is if the OCR would review and say these meet the minimum standards because everyone is out there creating their own forms according to their interpretation of the standards.

If we had the ability, working through these organizations like AHAP, you know, the American Hospital Association, American Medical Association, and so on and so forth, for the regulators, OCR, HHS, to look at these forms and say they meet the minimum criteria for what the rule was intended would be extremely beneficial.

DR. ZUBELIA: I have a question, perhaps along the same lines. The largest payer in the country, Medicare, with operations in all 50 states and Puerto Rico, which speaks Spanish, has published, and we found these yesterday, in their Medicare manual for beneficiaries, a two and a half page notice of information privacy practices, just two and a half pages. It's not 12 pages.

Is that something that could also be used by the private industry? Have you looked at that.

MS. GRIMES: No, we haven't specifically looked at that. When you look at the criteria of what's required in the notice for the health plan versus a provider, the health plan notices that I have seen, I haven't looked at that information that CMS has, again, have been a minimum of five pages long. So we could look at it as a model but it has to be crafted, the notice has to be crafted based on your business and health plan operations are different than provider operations. I don't know if anyone else --

DR. ZUBELIA: That is pretty large print, about 12-point. I mean, it's for, I wouldn't say for visually handicapped but it's pretty large print and it's just two and a half pages. Mr. Daley, since you are a Medicare contractor, I'm sure you have looked at some of this.

MR. DALEY: I'm not aware of that particular document at this point but we definitely look at what Medicare does and we figure if it's good enough for Medicare, that's the baseline standard we should apply across our company so that we'll definitely look at that and determine how it folds into our plan.

Right now, we are looking at trying to condense the privacy notice into something like maybe a four page or something like that, that's easily mailed, hopefully look at that and compare it.

MR. HOFFMAN: I might caution. I had the opportunity last month to present the health plan perspective on HIPAA compliance to a group of Medicare contractors here in Baltimore.

There was a presentation by a representative of CMS regarding their HIPAA privacy compliance activities and when he went over the notice requirement and advised that they were going to go with the bare bones type of notice, I was a little surprised at some of the parts of the notice that they did not intend to include that we felt that if we excluded those, I don't know that it would pass our legal counsel.

So we would be very concerned that all the rights, all the requirements that are associated with the notice are not associated with that notice. I'm not saying that it's not HIPAA compliant, but I don't think it would pass our legal counsel's test.

MS. GRIMES: You also have to take into account that states have different criteria. There's also state preemption requirements on the notice. If you do business in more than one state and that the HIPAA rule did not -- I can't remember exactly the wording -- but it doesn't have criteria on what grade level is required. Different grade levels in system states and so on and so forth so that drives the length of some of our notices but I'll be looking at that, Kepa, document that you referenced from CMS.

MR. HOFFMAN: And on a preemption basis, states are dictating, California is an example, states may be dictating certain Flesch scores and that's going to be --

DR. ZUBELIA: Supposedly this is good for all 50 states and Puerto Rico.

MS. GRIMES: Yes, but we are required under state law to submit any member information and that includes our notices so our notice of privacy will go into our states for approval and they have specific criteria that are more stringent than HIPAA that need to be applied to the notices.

MR. ROTHSTEIN: I want to thank the panel members for their excellent testimony and we will stand in recess until 10:50 and I would ask the second panel to be ready to resume at that point.

(Brief recess.)

MR. ROTHSTEIN: Welcome back to the hearing of the Subcommittee on Privacy and Confidentiality of the National Committee on Vital and Health Statistics. We are ready to begin with panel number two on state agencies and public health authorities.

Let me just welcome our new panel members and tell you that you will have 10 to 15 minutes to give your testimony. I'll give you a one minute warning and after your testimony, we will ask you questions of a clarifying nature only if we have any and then at the end of all of your testimony we will have our open discussion. So, with that, let me see who we will begin with. We'll begin with Kim Barnes.

Agenda item: State Agencies/Public Health Authorities.

A. Health Authorities - Panel 2 - Kim Barnes, HIPAA Compliance Director, Office of Family Health Services, Virginia Department of Health

MS. BARNES: Thank you for the opportunity to testify. My name is Kim Barnes. I'm the HIPAA Compliance Officer for the Virginia Department of Health, but I also staff the Secretary's initiative on HIPAA compliance.

My testimony today will be in two parts, primarily looking at the complexities of implementing within different structures of state government. The second part of my presentation will be our solution on how to accomplish the goals of HIPAA compliance.

I wanted to explain what, in our state, what the Secretary of Health and Human Resources is. We do not have the advantages of other states in which their Medicaid department is combined with health or mental health into one organization.

As you can see from this list, each one of these different functions is segregated in its own department under the Secretary of Health and Human Resources. If you follow that through, it means that each of these eight had to staff up and try to accomplish HIPAA compliance within their own silo.

To compound the difficulties, our Bureau of Insurance resides within the State Corporation Commission which is not even part of the executive branch of government.

As you have heard from providers and from insurance companies, the determination of covered entity status was very difficult. It certainly became more difficult within state government.

It's easy to assume that the Medicaid Department of Medical Assistance Services was a covered entity and Department of Health is a hybrid entity but within that, what I wanted to discuss with you was the problems of looking at a hybrid entity and then making the determination by a program of what was covered and what was not covered.

These are just some examples. I'm not asking you for a determination because we've already done that. For example, if the program pays a capitation rate -- some breast and cervical cancer program -- to area providers to do screening of whether these are eligible participants, are they then a health plan?

For example, in mental health and in Department of Health, the Department of Health owns their local health district delivery units. They are not part of local government. However, in mental health, the local governments own those and central office has no control.

So in that, if you are doing centralized claim processing for an affiliated entity that you do not own, are you then construed a clearinghouse?

Last, if a program is using honorarium contracts with outside physicians who see our recipients in their physician offices, as a business associate agreement, does that construe that administration, central office administration of those honorarium contracts -- is that a covered entity or a non-covered entity?

Clearly, if you think about the complexities of making these covered program decisions, within eight separate discrete entities, the complexities become vast.

One of the things that we did want to testify that we felt that state government clearly needed assistance on, and I'm speaking from a group of 20 states who joined together last week under the banner of the National Governors' Association to discuss problems that we were having with implementation, the federal preemption analysis is a very costly undertaking for those of us in state government who have just had to consume 15 percent budget cuts.

We were really hoping to take with you the suggestion that that federal preemption analysis be done for all 50 states instead of relying on 50 different interpretations that had to be paid for in each of the 50 states.

The other thing that I would like to bring forward is a couple of situations where I call these tangential relationships. For example, the new HUD regulations regarding section eight housing which is voucher housing, require the administrators of that money to try to identify houses where it may pose a risk for lead poisoning.

Well, the state health department holds the addresses of all children who have been tested positive for lead poisoning under a state reported mandate so the question then becomes is state mandated reporting therefore carved out of the privacy rule but how can we facilitate the sharing to meet the HUD regulations?

In addition, for example, the WIC program under the Department of Agriculture. Certainly that's been determined an exempt entity except in the fact that a number of the nutritionists who are performing services within the WIC department also do medical nutrition therapy which is an allied health professional activity devoted to a patient so in that area what then becomes covered and what is not when it's funded by a separate discrete organization.

Now, articulating some of these complexities and some of the problems, I would like to tell you how the Commonwealth of Virginia has poised itself to help implement HIPAA to the best of our ability.

These are the regulations up there for the determination of an organized health care arrangement. The Secretary of Health and Human Resources is forming an organized health care arrangement within the eight organizations, the agencies that I identified at the beginning of the speech.

Clearly, when we have common patients, which is the Commonwealth of Virginia, particularly those of lower income status, we are looking at the ability to fall under bullet number two for quality assessment and improvement activities within the organization. As you can see by the names of those organizations, recipients are receiving services in a number of different silos of the Commonwealth of Virginia and not only do we choose to see how those services are being delivered but to work amongst ourselves to make sure that not only are recipients getting the proper services between mental health rehab, department of health, but those services are going to be improved by looking at patient flow.

Functionally, there's key efficiencies to having this type of organizational structure. One of the things that we thought would make it much easier for our recipients and address what you have also heard of before is how to inform recipients when they are of lower educational levels is to have a joint notice of privacy practices and a joint consent.

Therefore wherever a citizen of the Commonwealth may enter the system, they are not going to be confused with multiple different explanations of the same point.

In addition, we are going to use standardized business associate agreements that have been reviewed on the federal and on the state level so that each one of the individual silos is not creating their own and we are talking to our vendors in the same method.

MR. ROTHSTEIN: Excuse me, when you say joint consent, do you mean a joint acknowledgment?

MS. BARNES: No. What each organization will have their own but the verbiage will be the same and it will also include the provision that you have to notify the individuals that they are part of an organized health care arrangement.

We just -- achieving a literacy level which would be understandable by our participants was clearly what we were interested in and that we wanted to have every department using the same type of notice so that they could clearly understand and not be confused if they received services at mental health and services at the health department and felt like they were being told different things. We wanted it to look all the same.

I wanted to speak a moment on shared human resources. The Secretary's council on HIPAA Compliance is the impetus to building the organized health care arrangement. That is the key experts within each organization who are responsible for their organizational complexities with HIPAA compliance.

The shared resources is not only could we share expertise between ourselves but when we were seeking assistance from the attorney general's office on physicians, we were asking them to come to the group, therefore only performing that service once instead of the potential for them to perform reviews or give advice to eight different agencies that may be asking at eight different times.

So our preliminary analysis of building the structure and sharing human and financial resources gives us the feeling that to implement start up costs we are going to save the Commonwealth about two and a half million dollars by sharing the resources amongst the group.

The one question that I did have before I concluded that we are very much wanting you to be aware of is the state mandatory reporting of public health information, of protected health information.

Clearly for our Department of Health, that's key because, as you know, we have immunizations, STD, lead poisoning prevention and a number of other activities. Without the final security rule being issued, the question is, now that they are carved out of the privacy rule, will they then be carved out of the security rule?

And that concludes my presentation and I would also request your opinion on the validity of an organized health care arrangement to solve these types of public problems with HIPAA implementation.

MR. ROTHSTEIN: Thank you very much. Any clarification questions from the committee members? We'll move to Ms. Correll.

Agenda item: Deborah Correll, RN, MSA, Training Manager, Virginia Department of Medical Assistance Services

MS. KAMINSKY: While you are setting that up, I would like to ask the members of the audience and panelists: our sign-up sheet for the public testimony has somehow disappeared, so if you inadvertently picked that up and locate it, we would appreciate it very much. It will be chaos this afternoon. It may be chaos with that.

MS. CORRELL: Good morning. I am Deborah Correll from the Department of Medical Assistance Services, otherwise known as Virginia Medicaid. I'm the training manager for DMS.

I would like to thank the National Committee on Vital and Health Statistics for providing DMS the opportunity to present a front line perspective regarding difficulties, providers and plans, specifically DMS, are experiencing in coming into compliance with HIPAA.

To assist us in gathering information for this succinct presentation, we conducted an informal telephone survey to identify if HIPAA information is being disseminated through provider health associations in the state, and to assess specific problems being encountered in implementing the privacy and other portions of HIPAA.

As we were identifying associations to contact for this telephone survey, many associations had invalid points of contact information available. We identified 36 provider health associations and began to survey with these 36 associations.

Of the 36 associations, only 25 were successfully contacted. Some of the questions that we were asking were: Is your association familiar with HIPAA? Out of 25 individual responses, there were 23 yes responses and two no responses.

Has HIPAA been addressed at your statewide conference? There were 18 yes responses, five no responses and two unsure responses.

MR. ROTHSTEIN: Ms. Correll, is that supposed to be on the screen?

MS. CORRELL: I apologize for that.

If not, do you plan on addressing HIPAA in the future at your statewide conference? Of the two in question two that had said they were unsure, they said yes, they planned to address HIPAA in their future statewide conferences.

We also wanted to know how many regional associations there were from these specific health care associations. Thirteen of the 25 health care associations identified 97 total regional associations.

We then wanted to know if each of the regional associations provided information regarding HIPAA to association members. Six said yes, ten said no, five were unsure and four said some.

If they didn't provide information, do you expect to have all regional associations providing HIPAA information in the future? Three said yes, 11 said no, three were unsure and eight said some.

And then we were wanting to know what specific problems members were encountering in implementing the privacy portion of HIPAA. We did graph responses as well, but we thought in hindsight that it was better that you had the information regarding what we were asking versus how we graphed the information.

These are some of the specific concerns the association providers provided for the Department of Medical Assistance Services in encountering the HIPAA privacy and other aspects of HIPAA as were identified from the survey.

There were 15 respondents who vocalized concerns. The primary issues were: There was confusion and lack of understanding in regards to the privacy regulations; the providers didn't understand how to implement the scalability of HIPAA; there was misinformation, they thought it didn't apply to them; and they also wanted to know how do we ensure we were making a good faith effort.

Some of the respondents requested that they be provided with specific checklists to assist them in implementing the HIPAA standards. They wanted clarification on the key points and direction as to where to go for answers, and, of course, everyone wants templates.

We did find that there were other problems that were directly identified from the field and these problems, I'm sure you know, I have seen some of these problems listed in some of the other hearings.

The computer literacy challenges for the providers in the field, they are trying to transfer from paper to electronics. Office managers are having problems managing due to the limited or no computer experience.

For some individuals, filing for the extension, there was no internet access because they didn't have computers in their offices. We had to have them go to the local libraries and say we are waiting until the 15th to actually file for the extension.

And as far as testing, there's a lack of or no understanding of the testing requirements.

Other problems identified directly from the field: Expectations of the regulations seem to be unclear. They identified that more training is necessary for providers so that all the providers would understand the requirements in the same way.

There were concerns with FERPA, the Federal Education Rights to Privacy Act or the Buckley Amendment, FERPA versus HIPAA requirements for privacy, and yet they were still trying to build electronic transactions.

Most of these problems that are identified directly from the field or from this survey were verbatim.

I have identified some provider concerns as related to HIPAA. As you know, plans have difficulty as well coming into compliance with HIPAA. I would like to address the difficulties DMS is experiencing in coming into compliance and to share with you some solutions we are utilizing to manage the difficulties.

Our new Medicaid Management Information System is under development simultaneously with the implementation of HIPAA. CMS has undertaken this development effort in order to improve customer service, comply with HIPAA requirements and meet future initiatives required by changes in legislative mandates in the health care delivery system.

Our new MMIS has a database architecture that will provide for enhanced flexibility and cost effectiveness in making future modifications to our system. We are trying to comply with the HIPAA required transactions and code sets including the ASC version 4010 and the NCPDP version 5.1.

We are replacing our paper ID cards with permanent plastic cards. The new plastic cards will utilize electronic capabilities for immediate access to eligibility and benefit information including prior authorization and service limit status.

The providers will also have access to eligibility and benefit information through a secure internet connection. There will be new provider enrollment forms and increased flexibility in provider addresses. We anticipate the release of our new system in June of 2003.

All of these changes that impact providers are influencing the way that we do business with our providers, and they will also influence office practice management.

Since our new MMIS system is scheduled to be implemented before the extended mandatory HIPAA compliance date, DMS will continue to accept electronic media claims until compliance becomes necessary.

DMS has considered various options to ease the burden of testing on enrolled providers. The work group for EDI has recommended third party certification for HIPAA compliant transactions and code sets, and DMS has decided to follow their lead.

We are requiring that those individuals submitting electronic transactions directly to our fiscal agent provide proof of transaction testing and certification through level two as outlined by WEDI, and that they are certified prior to full scale open trading partner testing April 16th of 2003.

Certification of transactions recommended by WEDI will cause challenges to DMS if providers have not done preliminary testing. Most of the changes within the new MMIS are related to a HIPAA transaction so a significant portion of the communication in regards to our MMIS is related to the MMIS as well as --

With the simultaneous implementation of HIPAA and the MMIS, it is very necessary for DMS to have an extensive communication plan for our HIPAA initiatives to be successful. We have developed a HIPAA web site to assist our providers and business associates and other interested groups.

Regarding information and resources needed to understand HIPAA, this site will serve as a reference for Virginia Medicaid related provider information on HIPAA.

We also have Medicaid memos, we have implemented two Medicaid memos. They are on the web, and this information is telling the providers about the implementation of HIPAA as related to our MMIS.

Provider trainings. All provider trainings from March of 2002 forward have included HIPAA related information along with the program being trained. We do have a strong training infrastructure supporting the delivery of training of any programs which includes HIPAA. We are also working collaboratively with the Mid-Atlantic Health Initiative, otherwise known as MAHI. That's the regional WEDI-SNIP in providing HIPAA 101 sessions to our providers, clearinghouses, vendors and other payers, other state agencies and managed care organizations.

MAHI has provided expertise from its board of consultants which we have valued.

We have collaborated and participated in five sessions with MAHI between March and September, and these sessions have been held regionally.

Our business associate agreements. We have those out on our web site. Our business associate agreements chain of trust, our data security plan attachments, our scope of work attachments, data security plan exhibit A and the work force confidentiality agreement, all of that can be found on our web site. We are working with our contract monitors in order to help implement the business associate agreements.

Our templates for our business associate agreements have been reviewed by the Commonwealth of Virginia's Office of the Attorney General and they meet the privacy rule definitions as set forth by the Code of Federal Regulations.

We are also working with the organized health care arrangement. Our privacy officer is participating with the organized health care arrangement.

We are working with our call center and customer service unit. That's a monumental effort because of all the changes that are coming about with the implementation of our new MMIS and also with HIPAA.

We are developing an employee awareness and online training program which meets the training requirements, and we are using a blended approach as far as instructor-led and online e-learning.

Lastly, but not least, of our communication initiatives, we are utilizing our internet to assist in distributing provider manuals so that we can update our provider manuals in regards to HIPAA as needed.

And we are distributing our provider manuals to approximately 45,000 providers. Since August of 1999, the Department of Medical Assistance Services has been recognized for the implementation of this best practice, and it has assisted in reducing the cost savings for our department and improving the overall efficiency of operations and enhancing the goal of electronic government.

Thank you very much.

MR. ROTHSTEIN: Thank you. Any questions from the subcommittee members? We will get back to you during the discussion session after all the witnesses have testified. Ms. Rose.

Agenda item: Brenda Rose, HIPAA Project Coordinator, Maryland Department of Health and Mental Hygiene.

MS. ROSE: Good morning. Thank you very much for allowing me to testify for you.

The comments that I'm going to provide are more Medicaid administration oriented but I did try to go after the questions that you put down in the little e-mail that you sent out and address those issues first.

In Maryland, we actually, in 1991, promulgated the Maryland Confidentiality and Medical Records Act and in that we established how medical records were going to be used, maintained, disclosed, authorized or released. We established definitions on what records were, including oral, written and transmitted in any fashion, and established regulations regarding individuals' rights to inspect, amend and correct information.

So, as a result, the Maryland current law, the Confidentiality and Medical Record Act is very similar to what is proposed in the HIPAA privacy. The difficulty is that we run into the details that HIPAA requires and the prescriptive requirements in HIPAA that are different than the Maryland statutes.

But as a result we have already done a great deal of the work and changes that had to occur. One of the bullets that was asked for was looking for best practices, ways to implement things, things you can do to try to help move things along, and when we enacted the Medical Records Act, we developed something that was called a rights advisor, and they still function today, and I would imagine it's very similar to what the privacy officers will be inclined to do.

The rights advisors are established in all of the major hospitals, whether that be the state hospitals or some of the community-based hospitals, and their functions are to provide information and education to staff and residents on their rights and responsibilities, to collect patients' opinions, concerns and grievances, and to investigate, mediate, negotiate, resolve complaints and provide information and assistance to patients regarding their health care and civil rights.

The most important aspect about this was that it was a very local approach to being able to provide information about the changes in the privacy law that was enacted as a result of the confidentiality act.

It was a helpful way for us to be able to disseminate information to resolve issues before they escalated to be clear and concise about front line application of law so we have something sort of in place that I'm sure that we will also be working from when we go to implement further the HIPAA requirements.

The major area in which HIPAA exceeds the Maryland law involves the administrative simplification requirements. We have done most of the state and federal preemption analysis and have found that the most complicated thing for us to do is determine what you are and how you interact with one another, what type of designation you have under HIPAA, and that's a very complicated process for people.

And as a result that sort of is the one that gets people stuck in the middle not knowing which way to go and how to determine and you have to weave yourself through this little maze and figure out, once as a result of making that determination, then all of the requirements and responsibilities that you then have to enact as a result of the designation that you have.

Personnel then have to be trained, and appropriate administrative, technical and physical safeguards must be put in place to protect the security of the health information.

Those are some of the difficulties that we have seen in the analysis that we'll have to deal with. Certainly the notice of privacy practices are going to be very complicated for all of us and trying to make that determination, that designation as to how far the scope has to expand, Maryland Medicaid actually falls under the Department of Health and Mental Hygiene so it includes all of our public health issues, all of our mental health issues, all in the scope.

Do we assume that everyone is under the umbrella of public health or do we limit it to those people who are actually receiving services? So there's some other little things to we have to tease out as far as the administrative requirements are concerned.

In 2000, Maryland created the Maryland State Advisory Council on Medical Privacy and Confidentiality, and the purpose of that group is to try to assist both the public and the private organizations, community hospitals, doctors' organizations and associations with the standard of how we are going to apply and approach all of the requirements. That council meets regularly and teases out a lot of the issues and applicability of the HIPAA requirements.

We have been working in conjunction with the Maryland Attorney General to complete our analysis on preemption.

And then the other thing is the health law section of the Maryland State Bar Association has been working with the subcommittee to try to develop materials to assist health entities in determining which laws apply to govern a particular health disclosure situation.

The biggest problems that we have with the Department of Health and Mental Hygiene have to do with the provider base and, as you know, Medicaid-only providers tend to be very small providers and provide services to a special population or group of people.

I'm especially most concerned and certainly in Maryland, we are very concerned about what will happen to our provider base of these small providers who are often providing services in regards to unmet social or medical needs that are not picked up by the large insurance companies and so the impact of the requirements on HIPAA are significant to providers, especially the small ones with limited resources.

They usually do not belong to large organizations. They don't have the infrastructures. They are mom and pop kind of organizations that provide services because they know that someone needs to meet the services.

Those are people that we have traditionally brought up and nurtured as a provider base, and we are very concerned about what the impact will be. A lot of them have reached a level of electronic submission in claiming, and we know that HIPAA will probably drive them back down to paper unless we are able to try to find some other avenues to do their billing for them.

One of the practices that we have as far as provider education that has worked very well, especially with small groups of people is partnerships. As Medicaid gives special consideration to special populations, we try to gear our education and training programs that are tailored to those specific providers.

In the past we have accomplished this by partnerships with the advocate organizations and private and public organizations that serve these organizations.

By training that is tailored specifically to that group of providers' needs, you can make HIPAA, or the privacy rules, more applicable. What's the difference between a situation somewhat in a home, where you are providing services for an individual in the home, as opposed to providing services for a person in a hospital? There's a big difference in that, so this way we are able to tailor and specialize the training to those needs.

It's also often incorporated with the training needs given to the consumers or the patients. The positive aspect of that is that you have everybody learning similar information about how their life is going to be affected by HIPAA and that's helpful.

The training goals are often supported by advocate groups which are very important for us and we have to use as many resources as possible to be able to get the word out, get everybody to understand what's necessary and to have as much collaboration and cooperation as possible.

We have been able to obtain funding through one of the foundations to design a HIPAA training for providers and consumers in our, for individuals with developmental disabilities. We were very pleased about that relationship and so that will take care of a very large number of our vulnerable providers and patient population.

The positive aspect of taking these kinds of approaches is that you share the responsibility, you share the burden of all the educational needs, and at the same time you are able to maximize resources, both financially and in staff.

We also provide provider education through the Maryland Health Care Commission, which is a commission that's under the Department of Health and Mental Hygiene. It's been very active in the large organizations for doctors, hospitals, those kinds of things, and they provide a guide to privacy readiness on a web page. Also the state advisory council on privacy and confidentiality continues to disseminate information and is there for people to give testimony and comments to.

The approach to actual training within the Department of Health and Mental Hygiene is that we contracted with a vendor. That was the only way we were going to be able to actually carry it out, and we took a train-the-trainer approach and trained a hundred-plus agency trainers. These trainers go out into the Department of Health and Mental Hygiene, which includes all of our local health departments.

And in that, when we go to a certain county or jurisdiction, we are doing it as part of the department, but we also invite other people from other groups, whether it be education or human resources, that means the Department of Social Services; anybody who may need that information is invited to attend.

And also we have also added internet web based modules to be able to get the same information for it.

There were several questions in the e-mail that I was talking about regarding what kinds of outreach efforts and education efforts we would like to see from OCR. That was something I didn't think I wanted to approach, but I thought, oh, well, let's be daring.

One of the things I think that's important is that there's a lot of misinformation about what HIPAA is and what HIPAA isn't. We had the same problem when we did the medical records and privacy act in about 1990.

I actually was working as a social worker in a psychiatric facility, and it was amazing the changes that you would hear needed to take place but when you actually read the law or could find the law, that it wasn't quite exactly so a lot of times there's a lot of misinformation and overreaction within the health care industry that's going on about HIPAA.

And I think that a lot of people are looking for OCR to be able to do this or to do that or we are waiting for this like I keep watching the lists or reading things -- well, we are waiting for you guys to do this and HHS is going to do that and when is this coming out.

I think probably the most helpful thing is to provide people with an idea of what we really could expect, whether or not we could expect certain assistance or what's feasible. This is a massive undertaking, and a lot of times we look for other people to try to help solve some of the problems for us, and sometimes it's important for people to recognize, no, you are going to have to get in there and roll up your sleeves and you are going to do it on your own.

I think it's helpful for people to hear that information on what you do have available. Lots of times we've talked about gosh, gee, couldn't you do templates and these kinds of things.

I think you should set up a national standard for this and that and it may not be that it's feasible given that it's November and we have to be ready in April. I think that information would help people move on to the next step and say no, you are going to have to do this on your own.

So that would be one thing to ask, to help provide some clarification of what the role will actually be.

Technical support, it would be helpful if we could get a model of trying to identify designations and where it applies in the requirements as a result, sort of like a little maze to move through, a little HIPAA maze. It would be helpful if we could get some standardized examples of documents, templates of privacy and policies and procedures, what kinds of things are you looking for in those things.

That's a massive undertaking. We did the Confidentiality Act and made the changes and put requirements but to go through and list all of our policies and procedures, all the things that HIPAA needs you to do. That in itself is just a massive undertaking.

Assist in developing notices that are clear, readable and in multiple languages. I know in Maryland we have to provide all of our notices in multiple languages for Medicaid and the public health systems and it would have been helpful if we could have shared the financial and resources needed to develop those kinds of things.

I've seen everything from one page to twelve pages in the notice of privacies. It's unfortunate and some are written simply technical and some of them are written in just bullet form that misses the point totally and it would have been helpful, I guess to try to see if we could have put together a group that would have gotten some standards for what that should have included.

It would have helped as far as making sure that everybody across -- I mean, we have a floor, and it would be helpful if everybody across the nation sort of knew specifically what the floor is, and then you build on that if your state has additional requirements and make those differentiations where one state has a requirement.

The other request that we would have for technical support would be some types of inexpensive and easy training material because we do have tons of training that has to go out and if people have at least information, if we can share information for where those resources are available that would be great.

And sort of my personal request when we talk about HIPAA privacy implementation.

When we did the change over to the Medical Records Privacy and Confidentiality Act, we realized that the biggest change that has to occur is a cultural change. People have to start thinking about how you are protecting information differently than what you have done before and try to integrate that into their every day type activity.

That takes time. It's not going to help in April right on the dot, right at the hour when the clock strikes midnight. It's going to be a transition, and I would really encourage that we need to continue our education and we need to be clear about what our message is in that interpretation about HIPAA. I guess even though Maryland, I think, not that we are that far ahead because we have tons of work that we have to do, but I think as far as the understanding, the philosophy and the principles behind HIPAA, I think we are in pretty good shape. But at the same time, if we could recognize that enforcement for HIPAA needs to be sort of balanced with the weight of the task that we are asking everybody to do, so we are sort of looking for a compassionate disciplinarian approach when we get into enforcement.

Thank you.

MR. ROTHSTEIN: Thank you. Any clarifying questions from the subcommittee?

DR. ZUBELIA: Did you have established rights advisors in the hospitals? Are those employees of the hospitals or the state?

MS. ROSE: In the state hospitals, certainly, they are employees of the state. We actually have the whole, the administration that deals with rights advisors and the standards of rights advisors.

In the general hospitals it sort of got merged in with rights advisors and risk managers, I guess, or similar names, and those would be employees of the hospitals themselves, but the standards for their function, the services that they are to perform, and the responsibilities that they have are more state directed as a result of the privacy and confidentiality act.

MR. ROTHSTEIN: Okay, thank you. And now, Ms. Prescod please.

Agenda item: Marian P. Prescod, PMP, Director, HIPAA DC Program Management Office

MS. PRESCOD: Does everyone have a copy of the hand out?

Good morning. The District of Columbia is pleased to present to the subcommittee this morning and I bring you greetings from the Deputy Mayor for Children, Youth, Families and Elders. Miss Graham is the executive sponsor of the HIPAA program for all of the components of the District that are, as part of the government, are going to be implementing compliance.

What we will talk about today generally are the steps that have been taken by the District of Columbia for compliance, some of the challenges that we are facing and how we are planning to deal with them, and perhaps some technical assistance that we might be requesting from the subcommittee during this discussion.

On the first slide, on number three, we talked generally there about how the District has taken on the HIPAA challenge. The District early on, about a year ago, and we kind of started this process late, about a year ago realized that there was nothing that would prevent HIPAA from coming to be. So everyone got very excited in that time frame and we decided that we would form an executive steering committee.

Everyone that we thought would be impacted by HIPAA, whether it looked like it, we had a feeling about it, had any information, whatever, we put everyone together and developed the executive leadership in the District and formed an executive steering committee.

Out of that process came the start of a program management office, of which I am the director, so that we can have a coordinated effort across all of the District and, as you might be aware, the District has one plan, which is the DC Medicaid office, and we also have a lot of other agencies performing in the capacity of a provider component.

So the program office tried to manage all of that effort so we could come out with one predictable kind of outcome at the end of the effort of HIPAA.

We had several cross functional advisory teams as well -- technology management, business process issues, and then, of course, the legal issues through the Office of Corporation Counsel for the District of Columbia. Out of that, the first activity that we performed was to put out an instrument that was a self-assessment for each agency and administration that we felt was going to be covered.

In that, very similar to what one of the presenters here described, we asked people in their best judgment to tell us if they felt that they were covered, if there was anything they needed to worry about and we got back from them a synopsis of what they felt and what we felt and came up with the groups that we would go forward with for an in-depth and independent assessment that was done by a vendor.

We've gone through all of that and we are at a stage now where we are implementing compliance.

In slide four, you can see that we looked at 16 agencies and administrations. The plan, as well as all the others -- Department of Health, Mental Health, the Office on Aging, Metropolitan Police Department, Department of Corrections, public schools to name a few.

When we looked at all of them, we went through the assessment phase. Coming out of that, we found that six of the groups that we went with initially had no concern with HIPAA. We would still institute a basic privacy kind of training for them so that they could understand and if their operations changed that they would understand what needed to happen for them to comply but coming out of that, we found that there were a few other groups that we needed to include.

Contracts and procurement. In the District, this group is very intricately involved in the provider community in terms of contracts that we have with them as business associates and other partners.

What was raised to us was the potential for a request from these groups for equitable adjustment. This is a federal mandate that there was no money for. The District didn't have money and neither do they.

If we say now that we are going to put clauses in your contracts to say that you have to comply, who is going to pay for this so that was a concern that we had and included the Office of Contracting and Procurement in the debate.

The Chief Financial Officer also was included so that we could figure out with all the budget pressures facing the District, as you all may have heard, it was very public, how can we make this happen with no monies available to do this? The Corporation Counsel, as you would imagine, as it would relate to the legal side of it, to make sure that we were also looking at other titles and statutes that have legislative requirements for privacy and confidentiality to make sure that we were doing what we needed to do and were not overlooking anything.

After that, we decided that it was in the best interest of the District to take on the designation of a hybrid entity. We have a lot of components that are just a small part of a particular agency that would be covered. And as a result we went through and really picked out only those groups within some of those agencies that needed to comply and as a result we came up with an even smaller set and that the District believed would be a little more manageable.

What we hoped to get from the designation as well was that we could, through a central forum, that at the District level, standardize policies and procedures and save significantly on what we have to deploy, how much we would have to invest, the spill off from the training part of that as well as really localized to those groups that needed to do that.

We also found that as a result we were able to purchase the policies and procedures very detailed from a vendor that had some for sale, a vendor that worked very closely with the Blues and that's pretty much what we used as a stepping stone and modeled, will be modeling all the policies and procedures that are required by the rules for compliance.

Our internet site we used from a central location so that we could share these policies, disseminate the training, the documentation and manage compliance at a centralized location wherefore and whenever probable.

That really changed the dollars that we had initially put on our books in pencil for what the cost for HIPAA might have been so the designation of a hybrid entity for the District of Columbia was very helpful to us.

On page eight, or slide eight, you get a chance to see how starting up with all the agencies that we believe to be affected got streamlined to just those components that will be implementing compliance.

The challenge that that presents for us is how do you in an agency with perhaps ten different administrations organizations have only two implementing compliance and with the burden and the sentiment of spirit of the privacy rule, make operations go smoothly. How do you cordon off one part and tell which group whom they can share with and whom not in the same environment and all that so we are working through the challenges that that brings but we do believe that that will, that's manageable and that the benefit of focusing on those groups that have to comply will be accrued to the benefit of the overall program for the District.

One of the things for the plan -- I'll talk a little bit about the health plan and some of the challenges we have there.

D.C. Medicaid implemented a new MMIS system. The system came online in July of this year, a little bit unfortunately for us, through the process of the implementation and the acquisition, the system was not HIPAA compliant. As a result, we are in the process of making our brand new MMIS HIPAA compliant. That in itself is a task.

Fortunately because it is new and there's, you know, it's a good time to throw in all the new things -- problems, benefits and all, so we are working aggressively in that. There's nothing that tells us at this point that we will not be able to meet the deadline.

There's a lot of stuff to be done there. Retirement of the local codes -- that presents a challenge in itself.

The plan, however, will have a couple of solutions that they will be using. Remediation of the MMIS system is one. But there will be a combination of the translation services as well as a greater in-house benefit.

We are particularly concerned with the vulnerability of the provider community. We have a very fragile provider community in the District of Columbia. We are very concerned about that.

In the spring there was a summit that DC held at the University of the District of Columbia, intending to bring the provider into line and in understanding what the challenge is for HIPAA. That has sparked a lot of interest in that community and we are working with them very aggressively to make sure that we bring them along with this, that no one, none of our providers is left behind, equitable adjustment and all.

On the other slides that you have, I won't go through those, but it will give you an idea of all the groups that are implementing compliance and what some of them are trying to do.

In addition to having the plan and the provider components, we now have one hospital, Saint Elizabeth's Hospital, that is in the midst of this as well. That hospital campus -- I don't know if you are familiar with it -- is due for extensive renovation. There are brand new systems that are going to be needing to be implemented there.

They have unfortunately not started that process yet and I know that it is November and we are supposed to be testing in April but we will have very long days and nights, I assume, in the District -- for the months ahead but we do intend that all of our operations will be compliant by the deadline.

If we move on to slide number 14, I just wanted to quickly just show how we were organized as a District government. There is, as I mentioned, the executive steering committee chaired by Deputy Mayor Graham.

The Program Management Office is managing all of the compliance implementation for the District and the committees that we mentioned or the subcommittees, are managing at the level of all the areas that we feel are potential bottlenecks for the process for the government. Policies and procedures, technology management, agreements and contracting, training and legal resources.

So we do have, in addition to all the effort that's going on at the agency level, a substrata, if you wish, of committees that are moving the agendas for the District as a whole to make sure that we have the benefits that we hope to realize from HIPAA are realized.

If we go to slide number 17, that gives kind of a pictorial view of how the District has set up under the level of the executive leadership to have HIPAA comply. Most of the agencies in the District have HIPAA compliance implementation effort undergoing with a project through the instrument of a project office.

We have combined some where the effort is small. For example, the public safety group will all be combined in one organization from a project office standpoint. And all the committees that you see there just service these project offices to make sure that they comply. And that's pretty much how the District is run.

There is a partnership that we have strung up on the training side where we are using a combination of approaches -- the internet, the intranet, classrooms and we are working with the University of the District of Columbia as well to make sure that we have an ongoing learning environment in place for the provider community, for administrations within the District government as well.

So that gives you an idea pretty much of how the government of the District of Columbia is proceeding with HIPAA.

You can imagine all the challenges that are resident with that. We do not have a lot of time. For all intents and purposes, the District started a little late. We have gotten a lot done in the time frame. We have an assessment, we have used the results of that to organize how we are going to go forward and we are trying to partner with other jurisdictions to make sure that we are in the right ball park, that we are leveraging lessons learned by similar jurisdictions and to make sure that we are all, at the end of the day, compliant.

The District is, there are a few challenges, I think, that are unique to the District. We are not a state, we are not, you know, we are local, we are federal, we are all combined and then we have a community in the provider side and the population side that is, in some cases, largely indigent.

Our provider community has voiced on very numerous occasions and forums their willingness to participate but they are also very clear that we as a public entity stand out very, very exposed in terms of people dropping out of the system from a care provider perspective as well as from a population patient perspective so we are working very closely with the legislative body of the city council and all that to make sure that whatever we do that we put our public health infrastructure first, not that we are putting HIPAA second, that we put that first and make sure that whatever we do, aligns and has the correct focus in mind.

The cost of this is very high to the District. We are, right now, we've put in two requests for federal contributions and we have heard nothing back. I don't know if any of you have been fortunate -- please let us know, but we have heard nothing back and we are very concerned.

We are wondering whether the subcommittee can, as a collective voice and close to the Secretary advise that there is an inordinate amount of work to be done in a short period of time.

In many instances it requires the total revamping of business operations and the business process that governed the health care delivery system for vulnerable and invulnerable entities alike.

How do we find a way at the federal level to fund some of this? The cause is good, the spirit and the sentiment of HIPAA is also good but it will take a lot of money.

Many jurisdictions, like the District, are grappling with significant budget shortfalls on the local level. We are desperately grappling with that.

On top of that, how do we put monies back, monies into a program like this that we have no choice over, but that we have no support for.

So those are the kinds of challenges that we are grappling with and we are hoping that any support that we can get in terms of information sharing, basic tools for implementing and monies, of course, would be very helpful to the effort that we have in the District of Columbia.

Thank you.

MR. ROTHSTEIN: Thank you. Any clarification questions?

DR. DANAHER: Ms. Prescod, would you explain -- it's a minor point, but it almost seems counter intuitive to me. I would have assumed that the office of the Chief Medical Examiner, you know, had contact with PHI. Why are they not one of the agencies that were viewed to have, you know, that was viewed to have an impact upon it?

MS. PRESCOD: We have the Chief Medical Examiner, when we go to the letter of the requirement, for those groups that need to implement, the Chief Medical Examiner did not meet the requirement in terms of billing, in terms of the global definition for those required to comply.

However, although all of the agencies that we looked at and I mentioned earlier, although you notice that we do not have a full blown effort going on in these agencies, because of their contact with health information, we will be instituting a base level of privacy for them. They will not be required to do all of the notification and the more, you know, the other things that are required by the law but they will be trained.

If, in the future -- and there are discussions for some of the groups that have fallen off the list, so to speak, if they do change their operations, that raises them to the level where they meet the requirement, they will also be, will come into the streamlined operations for the more formal treatment of HIPAA but as it is right now, the Office of the Chief Medical Examiner will receive some of the -- or will be doing some of the things that we require for HIPAA implementation -- training, some of the procedures for safeguarding the information as well.

DR. DANAHER: Could I just, follow up just because I find this interesting?

Is there, and I don't know the answer to this, is there a different designation for the deceased in terms of -- I'm just thinking of the medical examiner. I'm thinking also like coroner, which -- how did -- in going through this kind of assessment of the various agencies, was there, is there different designations or handling for information associated with the county's handling of the deceased?

MS. PRESCOD: Actually, I don't know that I can answer you really accurately on that but I do know that the Office of the Chief Medical Examiner, what we decided for their office was that they did need to institute better practices for safeguarding the information that they do have so we did treat them whether the people were deceased or living, as far as the treatment of their medical records and the safeguarding of the information pertaining to the deceased or live individuals, that they would institute the same basic practice in terms of safeguarding of the information, that we did treat them the same way as we would live people.

DR. DANAHER: Thank you.

MS. ROSE: One of the things that you have to remember is that a lot of people take the impression or interpretation that if you are not performing one of the HIPAA transactions, then privacy does not apply. That's an interpretation that you have to start from -- are you a covered entity and you are a covered entity as a result of performing one of the transactions and as a result of that, then these are the privacy regulations or rules.

As you were saying, of course, the office of the Medical Examiner would not be someone who conducts any kind of claiming or billing or benefits or any of those kinds of transactions that would be covered under HIPAA.

Of course, our organizational structure is a little bit different because it falls under the department so it's just included under the Department of Health and Mental Hygiene but I could see where they would carve them out as not being a covered entity.

DR. DANAHER: You know, that was helpful and I agree with you. Once you are kind of bestowed with that covered entity designation then that, in terms of oral, electronic and paper --

MS. ROSE: It makes it, that's the problem, that it makes it so difficult in getting through the maze of figuring out whether or not, what your designation is, whether you are covered, whether you are not covered and then as a result of what do you then have to do. What kinds of contracts and arrangements and notices do you have to give us as a result of it.

People can go in this level as this part. Do they need a data set here, do they need training departments, it just gets very complicated.

MS. BARNES: To follow up on that, the Medical Examiner's Office is part of the Department of Health. There's a difference between having, holding PHI and performing a covered function which is what she was just talking about and as part of the security system, as part of our hybrid organization, we consider their holding of PHI to provide us the opportunity to enhance their security of that PHI but then again, it is not shared. What is shared and made public information is notice of the decedent but not notice of the rationale in which he was deceased so not carrying that diagnostic code, then that's not PHI that's transferable out.

DR. DANAHER: I have another one. I may have missed this point.

So are most public health agencies, I mean, you know, kind of aggregating you all together, are you taking upon the title hybrid entities, are you taking upon covered entities?

The District of Columbia, if I understood it right, is a hybrid entity.

MS. BARNES: From the National Governors' Association of the 20 states that were represented there, the majority of them were designating their Department of Health as a hybrid entity but understanding that the majority of states are organized where their Medicaid is part of their Department of Health and it would be easier to determine that whole organization as the covered entity.

And, as I told you, in the Commonwealth we are broken out and so then the hybrid entity status was more appropriate.

DR. HARDING: Thank you all for your testimony. It was very informative and I have just kind of a general question that I would like to get your thoughts about.

Certainly in listening to your testimony, there have been several things that have kind of stuck out in my mind. That is, that some of you -- in Virginia you are using this opportunity to upgrade your information system along with the HIPAA implementation; that transaction set requirements are going to be a real problem for some of the Medicaid only kind of people in Maryland. Talking about the revamping of business operations in the District of Columbia.

We know that HIPAA has a ripple effect. Tell me just a little bit about the good news and the bad news of what that effect has been on your operations. I mean, there must be some good news but what is more or less than you expected in either direction, good or bad and on a state level.

MS. PRESCOD: To tell you about the District of Columbia, we've been grappling over some time with the issue of a base premise for privacy and confidentiality and data sharing across agencies and all that. We've seen this as a tremendous, in the good side, opportunity for us to standardize and to bring some kind of solace to our patient population as well as intra agency to solve some of that problem of information sharing and data sharing, you know, something to hang our hat on that says, you know, that we can do this. So that has been one of the great benefits to us here in the District.

The other thing is that it has forced us to look at the way that we even bill for services, the way that we standardize the whole health care delivery system so that has been a very big benefit to us in the District of Columbia.

DR. HARDING: Any of the opposite?

MS. PRESCOD: The bad side, the money part. I can't leave that enough. I think the cost that, you know, even though it will be very good in the long run, the up front cost to me has been the greatest detriment to the District.

DR. HARDING: Any estimate of what that is?

MS. PRESCOD: The cost? We have right now put out dollars anywhere up to about $40 million for all of the District of Columbia.

DR. HARDING: The District of Columbia, $40 million to this point. Okay, thank you very much.

MR. ROTHSTEIN: I have a question that I would like to ask to Ms. Barnes and Ms. Correll. Our other two panelists provided some specific recommendations for us and we appreciate that. I wanted to give you an opportunity to answer the following question: What recommendations would you like to see the subcommittee and the full committee make to the Department of Health and Human Services with regard to the privacy rule that would make your lives easier going forward?

MS. BARNES: In talking with somebody from the legal office of HHS, they describe the privacy rule as scalable and employing the due diligence provision which I think in our case of understanding our move toward compliance with the privacy rule has given us some latitude in how we can re-trench the current functions that we do in order to meet that but we as District of Columbia and a number of others in administrative simplification are very concerned about our fragile providers and the fact that they may indeed drop out or become non-HIPAA compliant going back to paper.

Certainly, we are trying to protect them as best that we can and through our community health centers but I think that's a real point that may be dropping out of HIPAA compliance just in order to maintain their practices of medicine and we certainly need them to continue that practice.

So the flexibility in terms of our implementation is something that I think we would all very greatly appreciate and when you look at the intricacies in state government, the ownership of these local providers of care, some respects being owned by the state, some respects being owned by the localities, it becomes very difficult in standardizing an educational plan that will meet the requirements of having every single staff member trained in that.

So if you can acknowledge some of the factors of in-state government of having multiple owners of different treatment facilities it would certainly give us some sort of protection from penalties.

MS. PRESCOD: I would like to add to that, building on your provider issue. If there's any way in your work that you can give more attention to education and training at the provider level just so that they have an understanding that it's not just all a federal mandate, that they have no hope of or prayer of coming into compliance with.

I think training and instruments that they can use at low or no cost to help them cut through the maze I think will be very helpful. Technical assistance to the provider community.

MS. CORRELL: I would just like to talk a little bit about the technical assistance portion. As we can see from being out there in the field, there is that need for the technical assistance. It's not that the provider is not getting the information. We understand that the provider is getting the information.

A lot of it is the transference of the information from where they are receiving the information to the practical applicability within the office so when you are writing regulations and guidelines or having the template, please make sure that this information is at the readability scale for the individual who is going to be using the information besides the provider.

In our smaller provider practices, when you see just one, two or three individuals within the office, the provider is taking care of the patients and the person who is trying to implement the standards of compliance is probably the individual who perhaps did not go to college so please keep that in mind.

MR. ROTHSTEIN: Thank you. Other questions? Kepa?

DR. ZUBELIA: Along the same lines, how important is it to have training materials or educational material for the patients, that perhaps the provider can distribute to the patients. Is that something that should happen or is that not a necessary stop? Where do you see that.

MS. CORRELL: We feel that it's very necessary. At the Department of Medical Assistance Services, what we have or we had handbooks for our Medicaid recipients and in our handbook we are placing in there our notice of privacy for those recipients.

MS. BARNES: And in terms of Virginia, I think that we are very fortunate in having a HRSA grantee in Northern Virginia who was given money in order to create a privacy notice that was not only in multiple languages but at a readability level for our current client population. That assured our organized health care arrangement so in terms of having, we have already achieved that but that's speaking from the Commonwealth of Virginia, not for other states.

MS. ROSE: We already have rights booklets for individuals, patients, in place that have been in place for ten years or more as a result of the confidentiality act and it details specifically what they can do, what they can expect from their health care provider, how their medical records are going to be used and any variations from what their expectation is, what the rules are involved in that.

I think that it's very important to, that everybody be able to share the same information. I mean, you're a patient, I'm a patient and even though we are all one side, trying to implement the HIPAA rules and regulations, we have to recognize that on the other side it actually has impact on us also.

And so I think if everybody has the information and it's helpful, the challenge is to make sure that that information is consistent and clear so that you don't have people who are saying, oh, no, you have to implement it this way, oh, no, it has to be implemented that way. I mean, there's one principle guiding rule through HIPAA and I think that that's what we have to try to encourage everybody to understand. The more people who understand it, the better off you are going to be.

DR. HARDING: I'm always struck by the fact that HIPAA seems to be received very ambivalently by people as was stated by this District of Columbia representative.

It can be an unfunded mandate or it can be an incredible tool for improving the privacy and uniform transmission standards and so forth. We, of course, feel that's the real benefit. How can we help people see it in that light as opposed to another doggone unfunded mandate that I have to carry out at the state level and even in the rural level, especially, I think, when people have a lot of difficulty seeing the benefit perhaps.

MS. BARNES: I'll take the first crack at that. In this current economic climate, I don't think you are going to achieve that, to be perfectly frank.

In the Commonwealth of Virginia, we are looking at across-the-board agency cuts of up to 15 percent. So these activities in particular are not going to be viewed as anything else but an unfunded mandate but for the good news side, I will tell you what it has done in the Commonwealth for the positive.

And in that, that is bringing the agencies of the Secretariat together. It's one of the first rare times in which we are looking at interagency collaboration, not only to make HIPAA compliance but to look at other efficiencies that we can accomplish for the citizens of the Commonwealth as a whole so it's given us a real springboard to look at collaboration and to try to break down those silos that had existed previously and over the last year, just in terms of sharing between Medicaid and the Department of Health, we can demonstrate in the next biennium that we are saving up to $2 million on things that were non-related to HIPAA coordination.

So that's been a very positive. Secondly, in light of the security and our own MIS history as well as what Medicaid has done, it has really prompted us to review even our carved out data bases under HIPAA so what we are employing is those types of security provisions regardless of whether it's under HIPAA coverage or not so there has been some really good news, but I'm skeptical as to whether you can, you know, this is a selling point. Is this suddenly going to look like a sun and not like an unfunded mandate and I think that's going to be a very hard PR spin to put on it at this point in time.

MS. PRESCOD: I would like to add, though, two ideas that have always been very good for people generally -- health care reform and patients' rights have always seemed to ring true to people. If there is a way that you can get a message out that besides the pain, the initial pain of implementing this and putting this in the spirit of this is privacy. Your involvement in your rights and your involvement in your health care delivery, you know, patients' rights and health care reform.

I think the tie has to be made there and start the groundswell from there, got to put in the federal contributions part as well.

But if you can tie it to that, get a message out tying it that way, then I think that will help. A lot of the noise that you hear is around the burden of change and the burden of new things. You know, money aside. The money is important but if we had the money, quite frankly, you'll probably still hear the noise so it is the money but it is also the burden of new things and the burden of breaking down barriers and the kind of change that this inspires in health care delivery.

So if you can tie health care reform, patients' rights, greater control of your care so as the spirit behind HIPAA and just get that kind of message out, I think you'll go a long way for selling this and putting a different spin on it.

DR. ZUBELIA: I'm going back to a different topic that's still kind of nagging me a little bit and that's the medical examiners.

The recent activity that is potentially covered -- and I don't know the answer to this but maybe you ought to explore this and that's the harvesting of organs for transplants.

If the medical examiner's office was to harvest the organs for transplants, then that would be reimbursed by the insurance of a recipient of the transplant and I don't know if that would be covered or not. I have no idea. It's something to look into.

MS. PRESCOD: And we will be happy, Kepa, to look into that.

MR. ROTHSTEIN: Okay, well, thank you all for your fine testimony. And we will break for lunch and we will resume promptly, as usual at 1:15.

(Whereupon, the meeting recessed for lunch.)

MR. ROTHSTEIN: Good afternoon, everybody. Welcome to the afternoon. We are back with the final invited panel of the second day of our hearing on HIPAA implementation before the Subcommittee on Privacy and Confidentiality of the National Committee on Vital and Health Statistics.

Before we get started with this panel, I have a few announcements.

This panel will run until approximately 2:45 and then we will break until 3:00 and from 3:00 to 5:00 we will have the public testimony session. The original sign up sheet for the public testimony session has disappeared and so we have a second version of the sign up sheet and so if you were planning to testify, I would suggest that you make sure that you are still on our list and then we will call you as the time comes for your testimony.

Before we start this final panel, I want to thank some people who made these two days of hearings possible.

In particular, Stephanie Komensky, our lead staff. And Debbie Jackson who assisted in lining up panels. Marietta Squire and Cheryl Wilhite for making all of the fine arrangements. We expect similar arrangements for Salt Lake City and our crack AV staff, Donald Washington and Chanda Chhay. We thank you for your assistance as well.

So we are now ready for the panel that is devoted to coalitions and partnership building. Let me welcome all the panelists and remind you that you have been asked to testify for 10 or 15 minutes. I will give you this very fancy one minute notice as needed. After your testimony, if there are any clarification questions from subcommittee members, we will take them then. If none, then we will wait until everyone has presented and have our discussion.

So, with that, I would like to first call Mr. Val Schott.

Agenda item: Val Schott, M.P.H., Director, Office of Rural Health, State of Oklahoma, President, National Rural Health Association.

MR. SCHOTT: Thank you very much. I want to thank you for the opportunity to be here. I'm the Director of the Office of Rural Health for the state of Oklahoma and also President of the National Rural Health Association.

It really is important, I think, that we bring a rural perspective to these issues and I would like to tell you a little bit about rural to begin with, about why it is important.

Obviously, health care is important from a health and human services perspective, the ability of Medicare beneficiaries to access care and services as well as other services within rural communities. I think we all understand that.

I don't think we understand the distance that people have to go to receive those services. I think also we've forgotten how important on economic impact those facilities are within our rural communities. The health care engine, if you will, generally employs 15 to 20 percent of people who are employed in rural counties across America and it represents about 15 to 20 percent of the salary base so it's important from an economic perspective as well as the health and human services perspective.

I'm a recovering hospital administrator. I'll tell you that right to begin with. But it was in a big city. When our Medicare population jumped up to 22, 23 percent, we all got real excited and had to rush out and find some more commercial insurance patients.

The Medicare percentage in most rural community hospitals is 70 to 80 percent so every time we tweaked Medicare, the consequence has been, the unintended consequence has been that we've hurt rural providers. Specifically, rural hospitals.

I thought that we ought to talk about that just initially to give you a perspective of where we are coming from within rural communities. Also, if you don't have health care within your rural community, you can't do any economic development. Nobody is going to move a company or expand a company where they don't have access to good schools and good health care, at least good primary care.

So those are really important issues for us in rural America. HIPAA and specifically the privacy issue are issues that we are very concerned about. We've said that this legislation is the right legislation for all the wrong reasons I think. But still, we are in support of HIPAA and we are in support of implementation.

There are a couple of things -- electronic transmission requirements are problematic for rural hospitals. It's not that vendors can't handle that, it's simply that there are not vendors available at a reasonable cost to provide those services to rural hospitals across this country.

Privacy is a great concern for us in rural America. Not only for rural hospitals but also for other providers. This is a classic example in our view of a one size fits all. Just as we have, for years struggled with the idea that health care for a child is not the same as health care for an adult, the rural delivery system can't be just a downsized version of the urban system and specifically that's what this seems to me to be.

Many rural providers are simply throwing up their hands insofar as the privacy issue is concerned saying I can't comply with this so I'm going to stop trying and let them catch me if they can. That is absolutely an inappropriate response but there simply are not resources to solve those problems.

When I go out and talk to the staff at a rural hospital and talk to the administrator, the CFO, the compliance officer and the privacy officer, there was me and one other person at that meeting, and that person may sweep out at nights and probably drives the ambulance on Saturday as well.

And I think people don't understand that. There simply is not the resource base available to expand staff in rural communities, in rural community hospitals and when they have done so, it has been for their medical staff, their treatment side and their administrative side.

There are also a variety of providers in what we call the safety net. Rural hospitals certainly, many are tax supported, many see patients, 70 to 80 percent of their patient base will be Medicare; another maybe 10 percent will be state Medicaid and the rest are the dreaded self-pay or no-pay. That's the patient base for rural hospitals.

Then we have doctors and clinics that also are faced with the same issue as well as rural health clinics. Health departments are another issue in rural communities as well as community health centers. Insofar as rural health clinics are concerned, privacy is a significant concern there and, in fact, we hear talk on the national level about a tax credit to help with implementation for rural health clinics specifically.

A minor issue is these privacy issues are changing the structure and the culture of rural health, of rural communities if you will. One very brief story.

My wife and I have been married a little over eight years. She lived in a town in north central Oklahoma. When she moved to Oklahoma City with me, we had an expense that we didn't plan for when we sold our home. We had to buy a lock for our front door. No one could find a key. She had lived there eight or nine years and simply, that's the way it is in many rural communities -- a very safe environment, a very trusting environment.

So these regulatory processes, although they are well-intended, are going to change that culture within rural communities in our view.

There are enforcement issues that we are concerned about. There are simply not adequate guidelines from the feds on enforcement, and the rules keep changing. I think we've all said that and that's not a criticism, it's just a state of fact.

Is the Office of Civil Rights the appropriate place to have that enforcement agency located? I think there has to be some reasonableness standard instead of a drop dead date. For instance, when we look toward compliance, we need to make sure that providers are making reasonable efforts to comply and then we ought to reward that process instead of punish those that didn't quite meet the bar.

We see that this is really an unfunded mandate in many rural communities. Funding is grossly inadequate. Most rural providers are struggling to keep their doors open. They don't have computer systems so it's not a matter of upgrading systems. In many of our hospitals, they are still using DOS-based systems. They are not to the Pentium level yet.

I think it's significant that when we first started this process we had a lot of consultants that were sending out information. You can buy a disk and a computer for $18,000 that will make you HIPAA compliant. Nothing could be further from the truth and incidentally, with the SHIP grants, since most rural hospitals now get about $9,700, the price on that has dropped to $9,800 from $18,000.

SHIP planning is simply not significant. The Small Hospital Improvement Project, we support that, we supported that at the $50 million a year level for four years versus the $15 million that we got. We think the $15 million is, in fact, laughable.

In fact, in Oklahoma we say that this was such a cowardly attempt by Congress to solve this problem that we call it the chicken SHIP program. It simply will not pay for the cost for implementing HIPAA in rural hospitals.

The deadline for compliance for rural providers needs to be extended. Like we said before, we have to use some sort of reasonable effort standard in making progress for compliance.

The Rural Policy Research Institute or RPRI is working on the study to see how rural hospitals are doing. We expect those results to be available some time in December. That study is significant because I think it would be carefully watched by policymakers and members of Congress or carefully read by policymakers and members of Congress to see how we are doing in this process.

In conclusion, we simply have to remember one size does not fit all and rural providers are structured much differently than urban providers are.

For many rural hospitals this really has been an unfunded mandate. There simply is not enough money available to keep the doors open in many cases, much less for additional expenditures as far as HIPAA and privacy are concerned.

The critical access hospital designation helped some hospitals. We did a study of those in Oklahoma, those are the smallest of our hospitals. The year before they converted they lost an average of $394,000. A pretty good sized hit for a small community of, say, 2,500. A year after they converted, they lost an average of about $70,000 so they are still losing money but they are not bleeding quite as quickly as they did before.

So financial assistance is absolutely necessary and critical if we are going to be able to implement the provisions of the privacy provisions and other provisions in HIPAA.

We have to have a realistic implementation schedule in this process and enforcement must be reasonable and must be geared for making progress toward compliance.

Again, I want to thank you very much for the opportunity to bring that perspective here. I think my ten minutes are about up.

MR. ROTHSTEIN: Thank you very much. We appreciate that. Any clarification questions?

MS. KAMINSKY: I have one actually. Maybe you said this in the beginning and I apologize if I missed it but I'm interested to know how you are defining rural providers throughout your discussion. Are you talking mostly about the critical access hospitals or are you talking about something much broader than that?

MR. SCHOTT: Certainly broader than that. Critical access hospitals are just the smallest of those hospitals. There are about 2,500 hospitals that we would consider to be rural. About 1,400 of those we would consider to be small, that is, under 50 beds.

In addition to the hospitals, there is a myriad of providers -- doctors, nurse practitioners, physician assistants, and all that other process that goes along. Pharmacists, for instance are an important part of the delivery system in rural communities but essentially, the smallest hospitals are about 700 critical access hospitals across the country now. We would consider that hospitals under 50 beds or about 1,400 or 1,430 of those I believe was the count that we had last and for those people that were eligible and received a SHIP grant.

MS. KAMINSKY: I guess I'm asking because throughout, you talked about looking for special sort of rules or dispensation or something for rural providers and it would be important to be able to wrap our hands around who specifically you are looking for that additional assistance for.

MR. SCHOTT: I didn't hear the first part of your question but certainly, you know, we have not defined rural very well in this country. We haven't defined that provider base. You can go to MedPAC, for instance, and MedPAC doesn't have appropriate data to tell you what rural is. You can ask the Federal Office of Rural Health Policy.

I think we are using currently about 19 different definitions of what rural is, but from our perspective the rural environment would be all of those hospitals that serve rural communities and they would be categorized as the larger hospitals, probably about a thousand of those, the smaller hospitals, under 50 beds would be about 1,400 and then all the providers to go with that base.

MS. KAMINSKY: Thank you.

MR. STONE: Let me just ask one question. With respect to your organization, how many members do you have?

MR. SCHOTT: We represent, let's see, how do we answer this? We have about 2,200 dues paying members and we represent much larger numbers in rural communities. We have affiliated groups of state rural health associations of another 10,000 members.

MR. ROTHSTEIN: Okay, thank you very much, Ms. Pritts.

Agenda item: Joy Pritts, J.D., Senior Counsel, Health Privacy Project, Georgetown University.

MS. PRITTS: Good afternoon. I would like to thank you for the opportunity to testify before NCVHS today.

My name is Joy Pritts. I am a research assistant professor at Georgetown's Institute for Health Care Research and Policy. At Georgetown, I have spent a lot of my time, all of my time actually, researching and analyzing privacy laws as they pertain to health matters.

My particular area of focus in the last few years has been studying state health privacy laws and more recently how they will interact with the Federal Health Privacy Rule.

I have been asked today to focus on the preemption issue and how it may play in the implementation process. I think that in some ways I'm particularly, not to toot my own horn or anything, but I'm particularly a good person to testify on this topic because I have actually done the preemption analysis for certain state laws in California.

Last year I wrote three guides, one for providers such as hospitals and doctors, one for pharmacists and another one for health plans in California. So I have been down this road and have been able to see where some of the pitfalls are.

When you are thinking about preemption analysis, I think it's important to realize that the states have been around regulating in this area for 40 years so there's a lot of law on the books already. The implementation of the federal health privacy rule is going to drastically change the landscape of privacy in many states.

It's going to do this because the privacy rule, as you all know, sets essentially a federal floor that's uniform throughout the nation for protecting the privacy of people's health information. It's a fairly complicated preemption schematic. The law generally preempts state laws that are contrary to the federal privacy rule. To be contrary it means that either a covered entity can't comply with both of them, it's impossible to do that, or that the state provision of law stands as an impediment to accomplishing the goals of the federal privacy rule.

Even if a state law is contrary to the federal privacy rule, it will not be preempted if it is more stringent, a standard I'm sure we've heard a lot about. To be more stringent in a very general sense means that a state privacy law either gives a person more access to their own health information or it imposes additional restrictions on the use and disclosure of that information.

In addition to the more stringent exception to the general rule of preemption, there are also other exceptions, carve-outs, as you will, that have been created for public health and also for health plan reporting to their regulatory bodies. In light of this framework, you can see it's a fairly complicated procedure.

It is, I think it's safe to say, an arduous process. It is time consuming, it is complicated and I think when you put those two factors together you will conclude that it is probably very expensive for most people to undertake.

The way the privacy regulation is structured, the preemption provisions are structured, it requires, there are a number of different ways people can undertake a preemption analysis. And I want to say that any one way of approaching the issue is more appropriate than another but I will say this. Uniformly you cannot get around the fact that it is a comparison, a provision by provision comparison of federal and state law.

This leads to a number of different challenges. First and foremost is the lack of familiarity with the laws that you are comparing. We have found oftentimes when I go out -- I do a lot of speaking to consumer groups, including provider groups and other organizations such as that and I have done this just speaking on just what a state's health privacy laws are. Many providers are not familiar with what the regulations and the statutes are on privacy in their own state.

This doesn't mean that they are not in compliance with them. They may be doing things that are in compliance just because that's the way they have done things but they don't necessarily recognize or can't identify what statute or regulation they are acting under but that kind of general knowledge is not going to be sufficient for determining what you need to do after HIPAA comes really into effect because you need to comply with specific provisions.

One of the positive consequences of HIPAA I believe is that providers are actually starting to review and learn more about their own state health privacy protections.

On kind of the flip side of that equation is that many are not familiar with the federal health privacy regulations. I think the HIPAA standards for transactions are very well embedded in everybody's consciousness by this point. Privacy is beginning to make an inroad but I have spoken to a number of provider associations who have told me that the preemption issue in particular has not even reached the radar screen among their members.

A fairly, a different aspect of this is even if somebody is really well steeped in their state law and they are very familiar with HIPAA, it's still complicated because HIPAA, in particular, has a lot of provisions in it that are somewhat ambiguous. They can be interpreted in more than one fashion and we have received a number of phone calls with people asking us, well, what does "as authorized by law" mean when you are talking about the public health exception? So that we can continue to share information by that.

Does it mean that it has to be authorized, this kind of disclosure has to be specifically authorized in a statute? The answers to those questions are not easy to come by, even if you actually read the preamble.

Even if you are familiar with your state law and the requirements under the HIPAA privacy rule, another issue which quickly comes to mind is how broad are the comparisons between state and the federal statute.

HIPAA says that if it is a provision of state law that is contrary, then it will be preempted. It's not a section, it's not a sub-section, it's some smaller unit than that.

This is in accordance with how courts normally treat preemption analysis. They like to see law remain in place so you try to reconcile the differences between the statutes so that you don't knock one statute out.

The result of this, though, is that it becomes a very detailed analysis. You can see on attachment eight of my testimony here a very brief discussion of the interaction of one section of HIPAA with one section of the California Patient Access to Medical Records Act. And all it deals with is denying a patient access to his own health information.

You need to -- in order to do this analysis which is essentially one sentence long, you need to look at a minimum of four different provisions, the type of health information to which access can be denied, who makes the determination whether it can be denied, the standard of risk that has to be present in order to make the denial and who is subject to the endangerment? Is it just the patient? Or is it a patient or another individual?

So you can see this is just one little tiny sentence in HIPAA and when you have to do this type of analysis for all these separate provisions, it becomes a very lengthy undertaking.

This is one area also where we see frequent misunderstanding. We have received a number of phone calls from people who think, oh, I live in X state. We have really strong privacy laws so I don't have to worry about HIPAA because our state's law is stronger.

No, that's not how it works. They are fairly surprised and disappointed to find out that they actually need to do a provision by provision analysis. And we've seen similar difficulties in dealing with the implied repeal analysis between two federal statutes. We had a call very recently from a clinic that told us that their state agency had told them all you have to do is comply with the regulations for federal substance abuse. They are very stringent, don't worry about HIPAA.

That's not how it works, but unfortunately this is the type of information that's out there.

One of the -- an additional problem when you are comparing a state law to the HIPAA privacy regulation is in many circumstances you are comparing apples to oranges.

When you are comparing the access provisions, it's a little bit easier because they are often structured fairly similarly but once you get to the restrictions on use and disclosure, it becomes very complicated. Many people use the side by sides to do this and it's difficult to do because HIPAA uses terms like health care operations. Many states don't use that broad a term. They use isolated activities or disclosures that may be permitted under their statutes. Doing the comparison becomes very difficult.

I was specifically asked today to discuss how hard this analysis is and it is hard. I think you can tell that from some of the challenges that I've already mentioned but it also becomes more difficult within a state depending on how complicated this law is.

One area is, that complicates matters quite a bit is how a covered entity, how broad a covered entity's practice is. If a covered entity covers what I would call sensitive medical conditions, sexually transmitted diseases, they deal with minors, they deal with mental health conditions -- any of those conditions in almost every state are subject to additional laws so you are not just comparing your general health privacy laws in this state, you are comparing all of these condition specific requirements, too.

These comparisons can vary greatly from state to state. Some states have few statutes and regulations that govern the privacy of medical information and other states have very comprehensive provisions. I think it's fairly ironic that the states that have protected their patients' health information in the most comprehensive fashion are the ones where the costs for implementing the privacy regulation are going to be the highest because they have the most law to compare and their preemption analysis is going to be the most complicated.

Another question that I was asked to address was how much state law will really be preempted by HIPAA and there has been some speculation that a lot of state law will not be preempted by HIPAA because of the structure of HIPAA. It's, for uses of disclosures, it's largely permissive. It doesn't mandate many disclosures or uses.

And I think that there's some validity to that argument but the only way you get to that conclusion is to go through the preemption analysis. You cannot get around it and the fact that a, many state laws will not be preempted does not simplify compliance.

The reason for this is because of what happens. If a state law is not preempted, it remains in effect. State law does not preempt HIPAA. That means you now have two requirements. Sometimes, when you are lucky, the covered entity can comply with both of those requirements by complying with the one that, for better words, I'll use the word more stringent.

An example of this in California is California says a provider has only got 15 days to produce medical records once they have requested. The federal regulation says 30. Well, if you produce them within 15 days, you have complied with both. That one was easy.

It becomes -- but that's not always the case and often it's not the case. The requirements aren't the same. They are slightly different and so you end up with dual requirements. And I think a very good example of this is the situation in New York. When a person is denied access to their medical records, they have a right to review by an independent, three-person board that's appointed by the health department, or health commissioner, excuse me. The right of review under the HIPAA privacy regulation is with a person that's designated by the covered entity.

So you have these two different mechanisms. They are both in place. If you comply with the state law, that doesn't mean -- and you will not be in compliance necessarily with HIPAA if the covered entity wants to designate their own representative.

So it becomes dual tracks. It doesn't necessarily simplify things any.

I think a natural question to ask after you have heard what I have had to say on this topic is, is this preemption schematic worth the effort? This issue of preemption, is it worth it, because it's very complicated and I understand that there are a lot of people who think that it's not and that simplifying and having a universal standard would be a good course of action here.

However, I think it's important to recognize that the states have been active in this area for 40 years. They have fine tuned their statutes in response to what their citizens think is appropriate and, in fact, there are a lot of statutes that are more stringent than HIPAA, that either give people more access to their own health information or they put greater restrictions on how it may be used and how it may be disclosed and they will not be preempted under the current framework but if you had a uniform preemption, all of those higher protections would be lost and when I look at this I see HIPAA as setting a floor but there is a lot above that floor right now and we would lose that if there was full preemption.

Having said that, I think that it's important that we make this process as simple as we can for people and there are a lot of people -- well, there aren't enough people out there trying to simplify this process right now.

There are some preemption analyses that are available on web sites. There are some that are commercially available. I have attached to my testimony as attachment B a very brief list of some of the preemption materials that are available, easily available on the web that are free or low cost because that was, I was asked to concentrate on things of that nature that might be available to people but there really isn't a whole lot out there from a provider's perspective.

And it's difficult to judge whether it's useful or not because oftentimes you don't get a sample provision analysis on the site so you can't tell without buying it whether it's worth buying to begin with.

This lack of guidance from anyone is fairly disturbing. There is a lack of guidance also from the provider associations. I have spoken with a number of them and some of the responses I have gotten, I think, are very telling.

They don't have any money either. There is this severe lack of resources. They are losing members. They don't have the financial resources to engage in a preemption analysis. As I have said, it's an expensive undertaking for them to go to their members and ask them to contribute for this. As I said earlier it's not on their radar screen so they are not even sure. There's a disconnect between what the members think they might need and what they really need so it becomes a difficult sell for them.

Equally crucial, I think, is that for most of the preemption analysis that I have seen, it's just a first step or it's compliance but what providers say that they really want and need on just the bottom level is they want a compliance handbook, a guide that's text written and tells them this is what you need to do in your state after HIPAA goes into effect. Here is how you have to respond to a request for access to records. If you get a subpoena, this is how you respond.

Now, there's always going to be some room for policy judgment in responding to these kinds of issues but that's the kind of document that we are hearing that people want and need. They don't have the time to read a statute by statute comparison so when people, some of these organizations think about investing in some of these products, they are also looking at, okay, now I have gone the first step but I have all of this other work to do and I still don't have the resources to do it.

I have a number -- do I have time for my recommendations?

MR. ROTHSTEIN: Please.

MS. PRITTS: Okay. I have a number of recommendations. They are fairly general and I have focused on things that I think that HHS can do to help simplify the preemption analysis process. I apologize if HHS is already doing some of these but I'm not so well-connected that I know everything that they are doing.

I think it's important that HHS publish guidance or frequently asked question information sheets specifically addressing some of these preemption issues. It would be good to have some of these notions like your state law can preempt HIPAA dispelled. And these are on just a very general basis but that's the level we are at in a lot of states.

It's important for HHS to continue to respond to questions interpreting the HIPAA privacy rule because, of course, that helps people to compare the federal law to their state laws.

HHS should work with CMS and other state agencies to determine how HIPAA interacts with these other federal laws and publish guidance on these issues. This is something that we hear repeatedly, not only from providers but also from some of the state agencies that have CMS oversight.

They have received some publications that say this is what the privacy rule requires you to do but that really doesn't answer the question for them. It's the interaction of the state regulations and laws or -- excuse me, it's the interaction of HIPAA and the other federal statutes that they are governed by and there just is not a whole lot of material out there on that topic.

I think it would be very useful -- this is kind of my wish list and I'm going to be a little Pollyanna here and hope that it would actually happen but it would be very useful if on a 50-state basis, HHS could engage in coalition building with each of those states.

I think that when you are looking at there and you realize that the greatest familiarity with state law is within the states, and HHS and some collected others have the greatest familiarity with the federal privacy regulations.

To simplify the process, if you can bring them together so they can share their knowledge, it would be very beneficial. I do not think that HHS has the resources to do this type of analysis on its own. It certainly does not and I'm not even sure if that would be appropriate, given the way that these issues are often challenged.

They are often challenged in state court so it would be good to deal with, for instance, the National Association of Attorneys General. They have a privacy working group that may be able to assist or disseminate information. The National Governors' Association, state Medicaid agencies I have heard are very active in HIPAA analysis and are often leading the charge within their state as to get this preemption analysis done.

The state-based provider organizations I think could be a very good resource. Some of them, but not many, do have guides that they have already written for their members that are based on existing state law. And if you could take that kind of a guide you would know these are issues that are important to providers today and just overlay the HIPAA privacy requirements on top of that it would really simplify the process for those providers.

In conclusion I would like to say that preemption analysis is complicated and it's time consuming and that sole practitioners and providers in small organizations, they need a lot of assistance and it just isn't there right now.

Thank you.

MR. ROTHSTEIN: Thank you very much. Any --

DR. DANAHER: Just a quick comment and a clarifying question. I just want to acknowledge the work that the Georgetown Privacy Project has done and is doing and I think it's the best and most publicly accessible work out there in the area of state preemption analysis so I would like to thank you for that.

You neglected to mention yourselves in the -- your site, etc., in this list of resources.

MS. PRITTS: Well, one of the reasons I didn't mention our site as a source is that we really haven't produced a preemption analysis.

DR. DANAHER: That brings me to my question. What you have produced there in terms of the 50-state commentary or whatever, how is that, how do you envision that to be used.

MS. PRITTS: It's just a starting point. It is just absolutely the first starting point when I was discussing about that a lot of people are not familiar with their own state laws. That's what we are trying to do right there. I can tell you just from doing that analysis how time consuming it was, just from not even putting the federal overlay on it, of identifying state laws and putting them into a format that people could actually read that's available to people who are not lawyers.

DR. DANAHER: I think there's -- this is my last comment -- is there is such a dearth out there of good preemption analysis that your site is often, even though you are not meaning it to be a true, in-depth preemption analysis is often utilized and referred to as --

MS. PRITTS: I realize that and it does concern me a little bit because we have heard of people who use that and they think that even though it says right at the front of it that it is not a preemption analysis, they think the work does not need to be done because it has already been done and it's freely available and that's not the case. It's merely the first step.

DR. DANAHER: Thank you.

MS. PRITTS: And thank you for your compliments.

Agenda item: Alan Mertz, Executive Vice President, Health Care Leadership Council and Chairman, Confidentiality Committee.

MR. MERTZ: Thank you. I moved to be near my computer here. My name is Alan Mertz and I'm with the Health Care Leadership Council in Washington. The Health Care Leadership Council is an organization of 150 CEOs of the leading health care institutions, organizations in the country and I also chair what's called the Confidentiality Coalition which is a coalition that was formed in 1995 and it's virtually the entire health care delivery system. We have 130 trade association members and it really represents the entire spectrum of the health care community.

It's interesting. After hearing Joy, we've had our differences with the Georgetown Privacy Project over the substance of the HHS rule, but I think we are in virtual agreement with her on the need to do a comprehensive, global state preemption analysis, one that's available to all the covered entities and one that's accessible to them and usable by them.

My experience with HIPAA actually dates back to 1995. I was the chief of staff to the Congressman who was one of the six chairmen in the House who actually drafted HIPAA, and we were involved in the administrative simplification provisions.

What I would like to -- there are really three things I would like to do in my testimony and I've submitted a longer written statement to you.

But first of all, I want to talk just a little bit about what Congress did intend in terms of the preemption framework of HIPAA.

Number two, I'm going to talk about the need for a global study and how complicated it is to do such a study, and number three, talk about the -- we actually have, for the last six months, been trying to piece together such a study, to do a study on behalf of the entire health care industry and to raise money for that, and it has been an extremely difficult challenge. That will lead to some recommendations at the end which can basically be summarized as: we need HHS's help and we need it urgently, and it will directly impact how well entities are able to comply with the regulation and with the state laws.

The need for a global study actually was first recognized by HHS in the proposed rule in 1999, where they said, quote, the private sector will need to complete a state by state analysis to comply with the rule.

And the things that need to be done in order to be in full compliance, there are sort of four things that need to be done.

Number one is what the Privacy Project has tried to do, and that is just first identify the body of state privacy statutes that are out there. But it's not just privacy statutes, because when it gets to privacy, you are dealing with statute, common law, constitutional law, case law and then, of course, there's a vast body of regulatory things that the states have done.

Number two, you have to determine which of these statewide rules actually relate to the HHS rule.

Number three, determine which of the state rules are preempted.

And then four, where state law is not preempted, which will likely be most state law, determining how entities, as Joy referenced, how you can comply with both.

Well, that sounds pretty straightforward. It's unbelievably complex. Let me start just talking a little bit about what really HIPAA intended.

Congress did intend to create some national uniformity and, as has been said, a federal floor in the privacy standards, and this means that a floor would be up here somewhere. Most state laws, it was intended, would be preempted, but essentially those that were the small body of state law where they have decided to exceed HIPAA's requirements, go above them, be more stringent, those would not be preempted.

Unfortunately, because of the way that HHS in the rule interpreted HIPAA -- and I have to give some blame to Congress, frankly, to us drafting it, some of the lack of clarity in the law itself of what they meant by contrary -- the HHS regulation is probably going to preempt a few laws.

When the administrative simplification provisions were debated among the six House committee chairmen, six subcommittee chairmen, what was intended was that it would be a federal floor, that those state laws that were less strict would be preempted by federal law, whereas more stringent state laws would not be preempted.

There is no legislative history in terms of debate on this provision. The Senate didn't even have an administrative simplification provision. This all came out of the House. However, in preparation for this meeting today, I went back and talked to the three counsels from the three House committees that did it, and they remember very clearly that it was meant to be the less stringent -- what they meant by contrary were the state laws that were different, that would be difficult to comply with both; those were supposed to be preempted.

And this is why the actual language in HIPAA was written the way it was. What it says is a provision or requirement under this part of this rule shall supersede any contrary provision of state law. And then there was provided an exception for the more stringent laws.

However, when HHS issued the proposed rule in 1999, it completely flipped the burden of proof by saying that as we read this provision, the standards do not supplant state law except to the extent that state law is contrary. A very different burden of proof.

So that is what Congress intended. Perhaps contrary wasn't the best word. What HHS did, though, in defining contrary was to mean that contrary meant that you had to prove that it was impossible -- that's the direct quote -- impossible to comply with both state and federal law. That's an unbelievably high standard.

They could just as easily have said that contrary meant different, conflicting, difficult to comply with both. And we believe that actually it will be very difficult for Congress to come back and pass this statute. We would like them to have total uniformity. We support that, but short of Congress doing that, in further modifications, HHS could redefine contrary such that it really is a floor, and that laws that are difficult to comply with, burdensome, those state laws could be preempted.

I want to talk about the laws and how complicated they are. Joy has hit on this so I don't need to go on too long, but the states do not have 50 neat and tidy health privacy laws. They are buried in thousands of bewildering and conflicting rules.

In my experience with identifying these and uncovering these, it would be a challenge for those who mapped the human genome, let alone lawyers on K Street. It's almost impossible to do, but not quite.

My first experience with this was in 1998. We had a state, a total preemption analysis done for the chairman of the Ways and Means Committee. We did it privately. They did a test state of Florida. What they found was you can't do a Lexis search of this.

It doesn't uncover most of the laws. They found 13 different statutes in Florida. The summary goes on for 35 pages. Georgetown Privacy did Florida and did 60 different state laws. In the study we did nationwide of state law, you would be amazed where we found laws that affect privacy of health information.

Just a few examples. Library code, food, drugs and cosmetics, family code, revenue and taxation, general school operation, state of the government printing and documents, adoption code, alcohol, drug abuse, communicable diseases, business and professional codes, probates, trust, fiduciary, I mean, it just goes on and on.

I think Joy hit why we need to do these determinations but in the areas -- I'm just going to note one. Take notification -- as you know, the HIPAA requirement or the HHS regulation requires that providers and plans provide notification of privacy practices.

There are over 30 states that have different notification requirements, and the federal form that they will have to give could be anywhere from two and a half pages to eight pages long.

Because we do have this federal form, because we don't preempt a similar state form -- it's not contrary to it, but they require a four-page notification -- what that means is you are going to have a federal notification, and on top of that you have to provide a state notification form.

Just think of a pharmacy where you have millions of people picking up prescriptions to get forms that could be eight or ten or twelve pages long, different in every state, incredibly difficult.

Let me just touch on this question of HHS and whether they would actually assist us and whether they should assist us in unraveling the complexity of this, in helping us do the privacy analysis. Unfortunately, and I understand they don't have the resources, they have steadfastly resisted helping us with this, and I've put up some of the quotes from the proposed and final rules.

While they acknowledge the complexity of state privacy requirements, they actually say it would be more efficient for professional associations or individual businesses to complete this.

I would respectfully disagree with that. There are literally thousands and maybe even millions of covered entities under this rule and to suggest that every single one of those should do their own preemption analysis would seem to be the most inefficient way to do it.

They do recognize that a global analysis is necessary but they have actually said they don't think it would be unduly burdensome or unreasonable for us to have to undertake that study.

As Joy mentioned, there have been a number of attempts to do a study of a state preemption analysis. However, none of them are a global study, not yet. So far all the studies that have been done have been either of one entity or of one state, which, where organizations operate in several states, is not very useful.

In addition because of the integrated nature of health care, you can't just look at one entity because you have business associates who also are under the rule. You have to know what the requirements are for your business associates and the other people you do business with, not just for yourself.

Many of the providers, I have been out speaking as well. The small providers, the specialty societies, they cannot afford to do this on their own and they are the ones that need it the most.

The costs of doing these studies -- there are many cases where it has cost organizations $50,000 to do a study of a single state. One of the largest studies, just done by the health plans, is almost completed. It's between $1.5 and $2 million, just to have the information on the state laws and how they affect health plans, and that will not help providers or other covered entities.

Beyond this, because there's no consistent methodology in all these studies, there are a lot of gray areas, there's no consistency. So there's nothing to go by.

That's what brought our coalition to the conclusion that if HHS wasn't going to help us with this, we better try to do it ourselves, to do it collectively. We need a comprehensive collectively funded study.

We have selected a law firm to do it. It would be the only such study. It would include all of the covered entities affected by HIPAA and it would cover all 54 states and jurisdictions. We would use consistent standards and the end product would be user friendly.

It's actually going to be web based, something that someone can go into on the web, search their particular state or states and what type of entity they are, and it will have checklists and so forth, and then it would be updated on an annual basis to reflect changes in state law as well as any further modifications to the HHS reg.

The cost of this study is actually surprisingly low, given the complexity of it, and I'm not even really sure the firm is going to be able to do it for this, but they say they can do it for $1.15 million. The updates will be about $100,000. The cost per user of this could be anywhere from $5,000 to $50,000, but as I mentioned, that's going to leave out a lot of -- there are a lot of specialty societies with providers who will not be able to participate in the study because they don't have the resources.

We need to start this study today. The law firm is ready to go. We have total commitments to fund it at $700,000 and we cannot start the project until we have pledges for another $400,000 because of the compliance deadline.

So this brings me back to HHS. We would have preferred that HHS had done this analysis themselves and provide a road map to us on where state law is preempted, what the state laws are and so forth.

That not being the case, we need their help and we need their partnership, to include the design of this study -- we would like to be working with them right now to have them tell us what our standards should be in the study, to help us complete it, to certify the findings of the study so that we have some certification and we can tell covered entities that HHS agrees this is a valid interpretation, and then, of course, finally, funding.

We are not asking them to pay for the whole study, but perhaps one-third of the study, $300,000 or $400,000, would actually put this over the top and enable us not only to proceed with the study, but also -- we would probably agree to just put it in the public domain, and anybody could have it, if they would provide some limited funding.

We need their time, and then finally to help us with the cost of the updates when we have to do them.

The benefits of this are not only to us as covered entities, but I think it would really help meet the goals of the privacy regulation in the first place. Congress, believe me, intended that HHS help with compliance, and this is a very important part of compliance; in addition to education, this is a very important part of education and compliance with the reg.

It would also greatly improve the covered entities' compliance not only with the federal reg, but with the state privacy regs, because of the complexity of the state laws. You can imagine that a lot of the state laws are unbeknownst to a lot of folks out there. They don't even know what they are, so it would help with compliance with state laws.

And it would help smaller entities in particular who couldn't help themselves, and finally it would save some health care resources, having to have this done a hundred times over by so many different organizations, so many different state medical societies. To have it done once would save millions and millions and millions of dollars.

I'll be glad to answer any questions.

MR. ROTHSTEIN: Thank you, Mr. Mertz. Any questions of a clarifying nature? We'll get back to you during the little discussion and now we'll ask Mr. Stone, please.

Agenda item: Elliot Stone, Executive Director and CEO, Massachusetts Health Data Consortium.

MR. STONE: Mr. Chairman, members of the subcommittee, good afternoon, my name is Elliot Stone. I'm the CEO of the Massachusetts Health Data Consortium and thank you for this invitation to testify.

I'm pleased to update the National Committee on our coalition and partnership building activities to implement the HIPAA privacy regulations in Massachusetts.

From your first hearing in Boston I know that you heard a range of views on the industry's readiness to implement the provisions of the HIPAA privacy regs and your letter to the secretary addressed the urgent need for resources to assist covered entities.

Today I would like to emphasize the community collaborative approach that's going on in Massachusetts to deliver those resources. And this approach has been taken by our organization, the Massachusetts Health Data Consortium, as opposed to waiting and expecting full reliance on the federal government.

Our three premises for delivering these resources are simple. First, that most solutions will be local as we've heard today. A lot of the expertise, whether it's about preemption analysis, is at the local level and this is where services are rendered.

Second, there is rarely one solution to any of these problems, to any of the resources that are needed or to any of the issues that need to be resolved.

And third, collaboration is not anti-trust and these issues about coming to some consensus about how to interpret the privacy regs are not competitive issues and they afford an opportunity for more collaboration, more coalition building around privacy protections.

The Massachusetts Health Data Consortium evolved as the appropriate local convenor and resource for HIPAA much as the National Committee on Vital and Health Statistics was the logical choice at the national level.

As with NCVHS, no other entity covered that niche. Nobody else seemed to want to do it and we, as a result, watch what NCVHS does, what your activities are, whether it's around privacy or any other activities, and we plagiarize everything we can get our hands on that the National Committee is doing and try to replicate it in our local activities.

At the consortium, we collect large data sets from providers and from government agencies, and that's why, from the beginning, even before or as Congress was drafting Kennedy-Kassebaum and then HIPAA, we have been an advocate for the standards around data transmission and protection.

One of my slides talks about who some of the possible convenors could be at the regional level. We are a not-for-profit health data organization, been around close to 25 years, but convenors could be other provider associations, hospital associations, health plan associations.

Many convenors are IT consultants. Some are the WEDI-SNIP regional affiliates of the non-profits. But they could also be some of the usual suspects such as the fiscal intermediaries for Medicare.

We've seen them play a role recently when CMS went out to talk about the transactions, that the fiscal intermediaries were there and part of the presentations on the transaction side.

As you have heard Joy say, Medicaid, the Medicaid privacy officer in our region is very active in coalition building. We are unique in our region in that most of the health plans have their headquarters in our state and so many other data organizations around the country have also taken on this role.

With regard to the question you asked about OCR's priority setting, our local expertise leads us to recommend four areas for OCR.

First, obviously, we think that OCR should continue to be a resource for frequently asked questions, and that these FAQs lead eventually to more frequent clarification pronouncements that come out of OCR. I think there's consensus that those clarifications that have come out from OCR have been very, very useful, but many times they are derived from the frequently asked questions.

Third, we would encourage OCR staff to meet more frequently, to get out of the trenches, or into the trenches, get out of their offices, get out to the regional folks who are working to build these coalitions, and to speak at other privacy forums, especially to these designated agencies, perhaps official agencies who have some standing in their regions, and this way the OCR central staff, perhaps, could work to train regional OCR staff.

We do see that every time we've asked for a speaker, there's a little bit of red tape involved in getting a speaker, and I sense some reluctance for OCR to participate in a lot of different events. We've been fortunate that they have participated, but there is a little red tape involved.

Fourth and most importantly, we think that OCR should link to and encourage HIPAA-specific web pages to the covered entities' usual and trusted sources. That is, as we just heard, that we think there should be more links to the provider associations. We think there should be more links to health plan associations. We think that there should be more links to the usual trusted sources that the covered entities are used to.

In our view, we don't think there would be an enormous amount of effort for at least the local associations, and I'll give you some examples of some that have done it in our state. We don't think it's a great leap for the provider associations, health plan associations, other trade associations to begin to be a resource for their own members.

They are tremendously talented at advocacy and we think that without too much effort they could be a resource for sharing some of the policies and tools that have to be done.

In our region some of them have already done that. The Massachusetts Medical Society has a web site, MassMed.org which is a very helpful resource for the physicians, large group physicians, small group physicians who are trying to comply with their regulations.

My own personal belief is that OCR will be in a no win path if it tries to develop model forms, model policies, model notices for the wide variety of covered entities that will be in need. In our view, again, there's no one of anything. One size will not fit all.

The trade organizations and expert groups, such as the Georgetown Privacy Project with the guides that they have done -- trade associations are more likely to be able to get examples of notices, examples of the acknowledgment forms, examples of policies from their own members rather than generic documents, and to share these actual documents with their members on their web site.

It has to be done by April anyway. We know in many cases it's in the works. And it only takes one member out of maybe a 2,000 member association to donate something that could be useful to the others who have to comply.

So in my view, OCR should spend a lot of time encouraging resource sharing, and we believe that it would stimulate sharing by being a repository at least for the criteria. That is, if OCR could highlight portions of the regs that say here is the checklist, here is what the notice must include. Now, it's not hard to dig that out of the regs and highlight that and make it very well known that the notices must conform to that OCR checklist.

And secondly, before anything is put on an OCR web site or put on a trade association web site, it would certainly have to have the approval of the entity's chief privacy officer or counsel and demonstrate to OCR that those sign-offs have been done before the links can be made.

We have about 70-plus privacy officers in our regional group. They are mostly larger entities, the hospitals, the health plans, but almost universally, these privacy officers have rejected the generic forms that have been out there.

And what they prefer instead of these non-productive generic things that are out there, they prefer to see something that's an actual piece of work done by an actual provider labeled as such and donated as such and I'll show you some things that have been donated by providers in our region.

Granted, there are going to be a large number of providers who are going to be waiting for these things to show up on the shelf at the local stationery store, just waiting for when they are going to be there and you just go buy the pad and you stick it on the wall. There's going to be that, and maybe some day that will happen in our lifetime.

Until then, real people have to do real work and we'll rely on their good will to share that work.

I just want to use the Powerpoint to just show you some elements of what our coalition and partnership is doing in Massachusetts and what we would recommend to other local convenors. There's about seven highlights for what we do as a local group.

First of all, every group we work with, whether it's our privacy officers, our security officers, our chief information officers, every group has a mission statement, every group has co-chairs. We have a provider co-chair and we have a health plan co-chair, so there's coalition building from the beginning and we listen to both perspectives.

Our privacy officers then break up into separate groups. The providers have about 30 or 40 provider-only privacy officers, the health plans have their own group, a dozen or so health plan privacy officers only, but we meet as a group of the whole to understand the needs for Massachusetts.

And I didn't include it in this testimony, but quite a bit of work has been done on preemption analysis in Boston by the Boston Bar Association, and we have a speaker every meeting from the Boston Bar about how that preemption analysis is going in Massachusetts. We think it's a wonderful template that they have created. We recommend it highly to the Leadership Council and others. I'm sure Joy and her staff have looked at it as well, but it's a terrific template. We think it's a good model. They have dug up every regulation, every state law and put it into what we think is a very useful format.

So again, this is all done on a voluntary basis. I think the Boston Bar is trying to recover its work by trying to sell that, as we can see from other talks on this topic.

Our coalition is covered entities that are payers and government agencies and providers, and the third thing that we do is regularly survey the privacy officers and other groups to understand where their priority is now.

So we knew what their priorities were back in October 2001, things like business associates, preemption and whatever. But it evolves; we go through our meetings, we go down the priority list, we have speakers and topics. But then the priorities have changed. Since then there are high priorities like designated record sets.

The other thing we do with the privacy officers is we routinely publish and talk about what the lessons learned are from the group. They learned a lot in some of the presentations on business associates, to realize maybe some obvious things now, but the health plans would not be business associates of the providers. They are covered entities on their own, and that was what we called an "aha" moment, and it cut down the number of business associate agreements that they thought, going into this, they were going to have to write.

The other subtle comment here about the "aha," the "ahas" and the lessons learned, and this is part of the trust aspect of HIPAA, is that when providers get requests from health plans, the consensus is, as they talk with one another now, we will respect that as coming from a covered entity that realizes that they are subject to the pains and penalties of the law, and do a lot less "I doubt you" when receiving requests for disclosures from covered entities.

The other thing that we do a lot of is sharing. This is Partners HealthCare System, which is sharing all of their training work plans. Partners is made up of Massachusetts General Hospital, Brigham and Women's Hospital, a multi-hospital system, physician groups, and they share their time lines. These are their training modules that have been shared by Partners, for example talking about when they are training physicians, when they are training employees, what are the common elements among all of their training documents.

So hospitals like Partners have shared their policies, have shared their work plans, have shared forms, and PowerPoint presentations by all of these experts, whether they are from the Boston Bar or from a hospital or health plan, sit on a web site available to all.

The sixth point that we recommend to other coalitions is that there be more cross-reference from privacy to transactions. We honestly think, with all due respect, that there's too much play on privacy right now and not enough discussion about the transactions, and we have put a lot more focus in the last few months, since just before the deadline for the extensions, on emphasizing that privacy is terrific and privacy is important, but we have the floor now for privacy, and HIPAA is also about getting paid. We want to make sure -- I think providers in the end, the small provider, you think they are going to be a little more upset about HIPAA when they find out that the check is not going to be in the mail than if they are not complying, in someone's mind, with the privacy regs.

They know there wouldn't be any HIPAA privacy police out there except for their patients probably but the check not being in the mail is the ultimate reminder that you need to comply with other aspects of HIPAA in addition to privacy.

So my board of directors is committed to this role as being a resource in our community. We are going to continue to try to find creative ways for our non-profit organization to stay in business, to continue to be a resource and be able to encourage others to share these resources.

We think this idea of sharing actual resources can be accomplished at the national level and by national trade associations.

So, in closing, I think it's important to note that when they have the time to be thoughtful and reflective, our members, our privacy officers, our security officers believe, and I think there's a true consensus, that HIPAA gives our health care industry an opportunity for collaboration. It's collaboration among covered entities, and it's a collaboration that we think will establish trust among the consumers, the providers, the employers and the health plans, not just to collect the data accurately in a stated way and consistently, but to treat our employees, our patients consistently in our community, for them to know that in our community we are treating everyone with dignity in a consistent way.

Thank you for the opportunity to speak to you today.

MR. ROTHSTEIN: Thank you. Any clarification questions initially?

Okay, well the floor is now open for general discussion. Okay, I'll recognize myself. Oh, you have a comment?

MS. PRITTS: I would just like to throw in -- it's not exactly an afterthought, but I think it's an important thing that we are not yet focused on, which is, if you think this is complicated for the providers and the ones who have to comply, wait until we get to the point where we need to deal with the consumers, because they are not in the picture yet, and at a certain point we are going to have to address that, because a consumer is going to have no clue who to go to or what section of what law they might have a complaint about or they might have a concern about.

MR. ROTHSTEIN: Well, that certainly is a good point and that was the topic of one of our panel discussions yesterday.

MS. PRITTS: Ah, I missed it.

MR. ROTHSTEIN: We got a lot of very interesting suggestions on how to do that.

I have a question for Mr. Stone. I want to follow up on your comment that in your view you don't think it would be productive for OCR to produce the model forms. That's a rather unusual statement in the sense that it departs from some of what prior witnesses have told us, especially those who represented small providers, small practice groups, etc.

They seemed to be crying for this stuff and I wonder if you could expand on the reasons why you think that would be not as productive as using the links to real existing norms.

MR. STONE: I just want to emphasize that it is our belief that OCR should be a resource of actual forms and encourage actual sharing, and I'm reflecting the views of our privacy officers who have gone to the web sites for other model forms put out there to say these generic forms were just not useful. They did not reflect what the culture was in their facility.

It just needed a total rework. They said it would be more helpful to say to them that your form should have some criteria for what should be in your notice, some criteria for "don't forget to include these kinds of things," and that sort of guidance from OCR perhaps would be useful.

But to me, to say that you can't find one example in the entire United States of how a small provider group has done a notice or a hospital has done a notice or how a psychiatric facility has done a notice -- the idea of a model form, one size fits all, for all the variety of covered entities is just, you know, I think it's a non-starter, and I think it puts OCR into doing work that it's not necessarily suited to do.

Obviously, they could outsource it and that sort of thing, but we would rather see and encourage the resource sharing and use, and put the burden on the trade associations, sort of trickle down: OCR puts out a call for resources to the trade associations and trickles that down to the entities that have already done the work.

There's going to be one of everything, one covered entity around the country who could probably, with their good will, put it up and have it be available to others to use.

MR. ROTHSTEIN: Well, let me suggest a possible way of doing this and see what you think of this.

Several earlier witnesses endorsed the idea of OCR slash covered entity industry teams so that in other words there would be presumably at least one person at OCR who is responsible for working with X industry and someone else who is directly responsible for working with Y industry, etc.

Taking that a step further in terms of the web site and materials, it seems to me that if you were a rural health plan or a subset of providers, you were dentists, or advanced nurse practitioners or whatever, the best thing for you to do would be to, once you get to the site, now you can go to sort of a sub-level of that site and click on information that is specially tailored for people who have your particular needs.

And then within that, you could have the links but it really couldn't matter at that point whether you had a model form or a sample form. It would be basically the same thing.

MR. STONE: Right. I think the team, the OCR covered entity-industry teams, is a terrific idea. I think that's a good way to start again. I think that every trade association at the national level should have a dedicated HIPAA web page that links to their state level members perhaps and we just keep trickling down and to the point where at the state level there will be actual examples and so once it can trickle down, it can certainly bubble up as well so if you are looking for something very specific, you are looking for psychiatric facility notice, why not start with the National Association of Psychiatric Facilities or whatever they are called.

And then they help guide you to somebody among their membership that's done that. But then it's also just as easy to, for OCR to be able to find those things, either from the top down or the bottom up. In other words, I don't think it's one entity's, I don't think it's OCR's entire responsibility to facilitate this.

I think a lot of responsibility has to come from the associations who advocate for their members. The organizations who wanted to see these regulations in place to help facilitate it.

MR. ROTHSTEIN: Then ideally as well, you could sort of click onto California and find out specific problems associated with covered entities in California.

MR. STONE: Right. I mean, we have, this is what our web site looks like and you can see there's a column there, well I guess you can't see it but we have, there's four columns for each of the four aspects of the regs. So for the privacy regs, there's resources, there's references, there's things about education and training so who to contact, what to read, how to comply and then regional initiatives, what's going on in our area or other areas.

We talk about, we give as much play to what's going on in North Carolina as we do to our own activity so if we see something going on somewhere, we'll point our people to it because we haven't invented, as smart as our folks are in Boston, we haven't invented everything that there is to invent yet.

MR. ROTHSTEIN: That's the first time I've ever heard that from someone.

MR. STONE: So I'm probably in big trouble for saying that we haven't thought everything out but I think if you look at the, the Massachusetts Medical Society is an example, our hospital association, each of our health plans, we have encouraged every one of our health plans, local health plans to have a specific HIPAA web site and they have done it.

MR. ROTHSTEIN: Okay, other questions?

MS. KAMINSKY: Question for Mr. Schott. We are attempting, we are having another hearing next week and when we do, it will be in Salt Lake City, Utah and we are attempting, I think we have lined up a testifier about telemedicine, telehealth, provision of medicine through telecommunication sources, etc.

My sense is that those kinds of innovations are going on probably, maybe more in rural communities because of a lack of provider quantity and so there's just been a natural need there and that's where that has popped up and I'm wondering if that's an area that your association has been looking at in terms of special privacy concerns or challenges that have arisen and whether you have some concerns about that.

MR. SCHOTT: We certainly do have concerns about that. Telemedicine or telecommunication process brings the hope of extending service to many rural communities. We simply do not have an answer at this time for those issues.

This is just another one of the myriad of problems that we face in trying to use telemedicine. For instance, the requirement that the physician be registered within the state where the service is actually offered is another issue as well.

But no, we understand that there are going to be some special challenges with the privacy requirements, with telemedicine, I don't have an answer for you, quite frankly.

MR. STONE: One note on that, receive any, is that our, in Massachusetts the entity that oversees some of those aspects is the Board of Registration and Medicine and they are looking very closely at those issues when physicians practice across state lines.

MS. KAMINSKY: I'm familiar with the licensure issue but I was looking for whether there were special concerns about the application of the privacy rule to that context. I would assume that there certainly will be security rule applications and I just was trying to --

MR. SCHOTT: There certainly are and I think that's one of the things that the RPRI panel is going to address in their report that comes out in December, the Rural Policy Research Institute out of Nebraska.

MS. PRITTS: I'm going back a few steps here, but I would like to throw my two cents, for what it's worth, into the notice issue.

I tend to agree with Elliot on this point which is the point that I think Alan also made is that the notices are going to have to be tailored to fit both state and federal law and so they may not be that useful for people in a lot of states if it's just a one notice or, one uniform notice.

MR. MERTZ: One of the recommendations we made in our comments actually on the final rule was that the federal, the notice required by HIPAA, you could actually say at the end of that notice that state laws may vary and that would be, you wouldn't be responsible for reprinting the state notice and the federal notice. It doesn't mean you don't have to give them the state notice.

It really doesn't make sense after we print the whole state notice but then the federal notice as well so that was one idea we had. You could have a simple notice federally and then it would just say state laws and rules may also be applicable and vary.

MS. PRITTS: What we found is that when you talk to providers, they say, well, that's really not very helpful from that. They want the end product. They want to see a notice that they can actually use. They don't want to see the disclaimer at the end.

MR. MERTZ: And they know their state laws and you can have your form that maybe came from the industry team that just says insert state regs here where they differ, put insert state law here where it differs because they know that. I mean, they know their existing laws. They know what they are dealing with right now and you can have examples of how state law or state regulation might differ.

MR. STONE: I would beg to differ that they know what the state laws are. We can't, we're having a heck of a time uncovering what the state laws are. I would question how many --

MR. MERTZ: There's at least one lawyer who travels around the state who knows the state law, speaks at all the meetings.

MR. ROTHSTEIN: Well, I want to thank all the members of this panel for excellent testimony. It's been very helpful to us.

We will take a break until 3:00 sharp and we'll begin the public testimony at 3:00.

(Brief recess.)

Agenda Item: Public Testimony

MR. ROTHSTEIN: We have had seven extremely interesting and provocative panels and now it's time for the public testimony stage in which any individual who has not testified can sign up for up to five minutes of testimony and we have a new list and if, I call a name and someone doesn't respond because they are not here, I will give you another chance. I know people are coming in and out from other meetings.

First person we invite to testify is Diane Kube.

MS. KUBE: Good afternoon. I first would like to thank you for giving me the opportunity to testify before this committee.

I regret that I wasn't able to testify during the practice time yesterday but we will get past that. I also regret that this committee wasn't put together two years ago when many of us were starting to face the long, arduous road of HIPAA compliance.

I would like to tell you, first of all, that I'm sort of representing three separate components. I wear a number of different hats in my daily life, the first of which is I'm a practice administrator for associates in oncology and hematology in Montgomery County in the Maryland suburbs of Washington, D.C.

I have five physicians, two practice, PAs. For those of you who don't know what a PA, a physician assistant, we have 50 employees. We see between 150 and 200 patients a day. So we have a lot of issues when it comes to privacy and security issues for our own individual practice.

I'm also a member of the Montgomery County Medical Society. I serve on their board of directors and I'm chair of the administrative group for that county society and I'm also part of the state health care commission of Maryland's work group for HIPAA and I have been a member of that for two years.

I would like to very, I know we've a very limited amount of time so I would like to get a few points very quickly off the top.

There are four main issues that I am representing wearing all of those hats. Number one, there has to be some consideration for cost containment on all of this. Physicians, practices and everyone is just totally overwhelmed, from the one doc shop to the big groups that I represent.

The second thing is there has to be clear education on what we are expected to do. We can't have 2,000 pages of regulation and expect overwhelmed administrators, managers and physicians to read every page of it and understand what the regulations mean.

The third thing is we need to do something about the fear factor. There are so many things out there that are absolutely misleading and they are overwhelmed and when most of the physicians heard that the privacy issues were going to be handled under the Office of Civil Rights, they panicked. They thought, oh, my god, big brother is going to come in here, we are in a real mess.

So there has to be clarification on what the law actually means.

And the fourth thing is clarification of all the general information. I cannot stress that, and I think the combination of the education with the cost containment can help in that.

Very quickly, as my practice, we started looking into this two years ago and because we were growing and remodeling suites, we were able to actually get into compliance. We are about 98 percent there as far as our security and privacy issues. We have locked files, we have dropped computer screens. We actually had the state health care commission's office come in and look at our practice and we've been actually noted as a model for the state of Maryland.

I feel very fortunate to be in the state of Maryland because we've been able to, ahead of the game, ahead of the federal government, put some packets together, get information out there to the different people in our community and they actually have come in and looked at my office and said we are fine.

The only component that is a problem is what we are dealing with with our vendors and that's on the EDI side and I have to tell you I was a little bit of a heretic and I'm probably within some violation here, but I refused to submit the extension to the government for my physicians. We instead dropped to paper and we did it for a number of different reasons.

One was I have been given bids anywhere from $300 to $30,000 to get my software into compliance. And still would not be guaranteed that it would be covered. We have done everything we can humanly possibly do to get our office into compliance and we are at the mercy of software vendors that have told us six months ago, nine months ago, that everything was going to be compliant and it's not.

We still have not gotten some straight issues on how to do this. I have notified CMS, our local TrailBlazers. I also sit on their provider board which is a provider education training board and I told them at the last board meeting in August that we were going to do this and they said it was fine with them because they could handle the paper load.

We put $15 million through our practice last year in drugs and services so we are not a small entity and we have a four week turn around for our cash flow so this was a big decision to do this for us.

But there was another problem in the state of Maryland as far as our referral base system. We get referrals from HMOs, from treatment plans from different companies such as MDIA, Blue Cross Blue Shield. Those things have to be attached to a form so the majority of our insurance claims were still sent by paper and cannot be sent over either the internet or through any other type of computer mechanism because they need to have that attached form so we've kind of hit a block here.

And the federal government, under the CMS, under TrailBlazers, were the only ones that we were actually able to send electronically. But now, because of all the shenanigans that's gone on with all these compliances and the lack thereof of vendors to provide us with the things we need, we decided we were going to go backwards so that's one thing I just wanted to let you all know and that's happening outside in other parts of the community.

We've done a number of things. We are starting to do training for our staff. We've done officers, we've put our security officers into place but I have to tell you, I'm a rarity out in the field. The majority of practices are one and two doc shops. They don't have the staff, they don't have the time to be able to handle all of this and that's where we need help from you as the cost containment and as to what we actually really need to do.

My second component representing the medical society, I will tell you that as a chair of my committee, we have 130 members of just administrators and we represent over 1,500 physicians in the county.

We have put together compliance tools. We haven't waited for the government to help us with this. We've actually put together outlines of how to do your compliance contracts and to put together manuals for our members and we are doing this free of charge.

There are people out there that feel that oh now you can't have sign in sheets which we know that law was thrown out and yes, you can. There is so much misinformation. There's actually a pediatric group in Montgomery County that a parent told me that when they went in to take their child to be seen that the child is appointed the name of an animal -- you are a dog, you are a cat, you are a lion so that when they call them, they are not calling the name of the child.

This is the kind of nonsense that's going on so we are trying to get the education out there. We are trying to let people know what's going on and, you know, there's not a lot of money. Remember, our reimbursements have been cut. We struggle day by day to keep things open, to keep things going and take care of patients in the meantime and I have to tell you, living in the Washington suburbs, I live in fear of what's going to walk in my door. I have got CLIA, I have got OSHA. I have got everybody in my backyard, they are my neighbors, my friends. We keep things above board and in compliance.

The third thing as far as representing the Health Care Commission, I'm going to submit two forms to you all for review. They are both drafts. One is a security assessment guide. The other one is a guide to privacy readiness. These are the things that this work group has been working on for the last two years. We have made a quick and dirty assessment for practices to be able to go through, have definitions of terminology as well as questions to say, you know, have I done this, have I done that. Yes and no. So that they can ready their offices and this is a big help for smaller practices.

And one other thing I really want to get a point across to you is that physicians, managers, people, allied health care professionals, we truly believe in the spirit of this law. We are not here to say oh, my god, we don't want to do this. We are here to say we hold this in highest regard. People's safety, their privacy, security. That's what we are all about.

We have argued for years that there's been too much access to medical records from insurance companies, from other entities trying to get into things. We've always guarded our patients and respected them for their privacy.

We don't need 2,000 pages of regulations to tell us to do this. We do this already so we just feel that there hasn't been any common sense in all of this. We need to take care of the patient, not just protect their records, but to take care of them also and one real quick thing to close up with.

I spent my morning on the phone trying to get a patient surgery through Blue Cross Blue Shield. We've spent two weeks trying to get them cleared. This will just give you an example of computerization.

This gentleman, because of his illness, because he has cancer, ended up quitting his job and was put into COBRA. The checks went in October 1st. He will not be in their computer system for 60 days.

The surgery that he needs, if we don't get it within the next week, the man is probably not going to live. We have to send him out to the University of Indiana for the type of surgery that he has to have.

We have spent ten days trying to get through. I finally got through to the medical director's office and I said you either call us back today, we get this straightened out or I'm going straight to the insurance commissioner's office because this is ridiculous.

So what my point is, is computers are not always the answer on all of this and it doesn't always work and for a company as ours that is overregulated and guidelines that you just wouldn't believe the things that we have to follow, we need your help, we need clarification.

We need someone to get some reason over the cost containment and the next bill that Senator Kennedy has introduced, that everyone is calling HIPAA II, it has to do, as far as my understanding is with putting things online as far as medical records and all the rest, we've been looking for five years for my particular practice to put our medical records on a computer based program.

It doesn't exist yet, the ones that we need to get everything that's in there and the minimum cost for my practice alone is half a million dollars, just to get started.

So this is going to cost not millions but billions of dollars to get the health care industry in this country to be compliant with this and I feel that probably the majority of physicians from lack of understanding are not going to be able to do this and I just want you to know we are encouraging every member, even if they are exempt under ten laws and all these other kinds of things, to follow the spirit of this law and to follow the regulations.

We just need help in enacting this. Thank you.

MR. ROTHSTEIN: Thank you very much. I have got one quick question. What do you mean by cost containment?

MS. KUBE: Cost containment meaning that -- the only way I can put it is after the Civil War when the carpet baggers went into the South and tried to sell everybody everything and make a buck, that's what's going on.

There are vendors -- I cannot tell you the amount of phone calls, mail, e-mail, faxes and every one of us receive with someone trying to sell us something to make us HIPAA compliant.

MR. ROTHSTEIN: It sounds like an army.

MS. KUBE: Oh, it's unbelievable and then, the vendors -- the other thing we are seeing, too, happen is that some of those small software companies because they can't figure out how to get everything in compliant, they are either going out of business, they are selling out.

And what we are envisioning, what we are guessing is going to happen is there are going to be maybe four different companies as far as the billing systems and all of these different types of things that are going to be out there selling software and we are at their mercy, we are absolutely at their mercy to pay whatever they say we have to pay to become compliant with the federal government regulations.

MR. ROTHSTEIN: So you were not specifically advocating that HHS say you only have to spend X number of dollars. This is basically trying to prevent the people from taking advantage.

MS. KUBE: Exactly, that's exactly what I'm saying. I mean, I don't think you probably can do that because I think there's a lot of unknown factors out there and when you start getting into sending this data over line and it goes to these clearinghouses -- and that's the other problem we are dealing with, you know, we've actually, with some of the companies, that's another reason we dropped to paper is that we had heard so many horror stories that as the insurance companies were trying to change their programs, their software programs, that things were actually getting lost.

There was one practice that had five weeks' worth of claims, and that can put a lot of people right out of business, that were lost in the cyber system because of the conversions.

So we just thought, you know what, it's a lot safer, we have something in our hand, we have, it's not only in our computer, but it's also in paper and we can send it in so there's going to be a lot of nightmare over the next 12 months until all these conversions happen and, you know, with Medicare not even being in compliance, there isn't anyone that's compliant under the EDI and now that's not even under control and we are onto the next step with the privacy and the security.

So I think that there's, you know, some of these clarifications needed to happen a while ago but since they haven't, let's move on, let's get a common sense way of handling this so that we can take care of our patients as well as protect their privacy.

MR. ROTHSTEIN: Thank you very much.

MS. KUBE: Thank you.

MR. ROTHSTEIN: Our next witness is Barbara Seitz? Or not. Rick Hughen.

MR. HUGHEN: Good afternoon. My name is Richard Hughen and my background and experience is 20 years of enterprise class learning systems with large enterprises like Johnson and Johnson and Abbott Laboratories.

Today I represent as a principal of a health care learning firm, part of the dark side recently referred to by the name of Acumentor. Our efforts are focused on providing turnkey health safety quality assurance and regulatory compliance, learning and performance support solutions.

We design, build, implement large scale adult learning systems that are standards conformant, typically web based and offer continuing education credit.

I'm not here to promote a company or a specific commercial product or service but rather to discuss the need for learning solutions related to HIPAA implementation.

Depending upon the source you go by, somewhere between nine and 15 million people need to be educated on HIPAA privacy regulations.

Let me first address two definitions that I think are critical and that is the difference between training and learning.

Training is generally instructor focused, usually involving a trainer determining what another person needs to learn and prescribing what will be learned and how.

By contrast, learning is typically learner centric, focuses on promoting acquisition of a defined body of knowledge, typically defined by an expert or a regulatory agency but in the manner that's determined by the learner and accommodates the personal needs of that learner.

Thus, we champion ourselves as a learning organization. However, learning does not, by its definition assure behavior change and that's the key point is behavior change, the application of the knowledge and skills on the job.

It's only with genuine behavior change that laws and rules will take effect in practice in the workplace and really bring about results.

Without workplace behavior change, the return on the substantial investments in HIPAA security and privacy will be greatly diminished.

We believe that there's a significant risk that the spirit and intent of HIPAA privacy could be compromised if systems and resources are not available to enact real behavior change by the 9 to 15 million health care workers affected.

The aggressive deadline, the current lack of support and resources could propagate a check the box type approach, not out of fault by the covered entity but out of necessity and a need to comply in an effort to show compliance on paper.

This will create a nice paper trail, but will do very little to effect behavior change and performance on the job.

Equal concern should be placed on compliance in daily practice and behaviors on the job, every job, every day. Considering the vast quantity of people affected and the great diversity of job functions and health care, the need for learning, not training should not be underestimated.

Add to this the additional complexity of profession specific and institution specific policies and procedures and the challenges grow logarithmically. It's a huge undertaking requiring a well thought out approach to the many facets of adult learning because these are adults we are dealing with and an equally well thought out plan for delivery and implementation.

Though the learning problem has great breadth, 9 to 15 million people, and great depth, the plethora of job categories, it's actually a chore of some redundancy when you look at the repetition needed from physician to physician, nurse to nurse, hospital to hospital, practice to practice, to name a few. There's an opportunity to furnish some of those efficiencies of redundancy with a coordinated approach that takes advantage of the technologies available today.

Yesterday we heard from Jean Shandly and Rita Bowen who touched on this briefly in their testimony. The market is quickly filling with products of very diverse quality built on no accepted standards and some with just factually incorrect information. We've heard quite a few testimonies to that effect.

We suggest that OCR work with private industry to establish a minimum standard of acceptability for the products targeted toward HIPAA learning and testing.

We approached DHHS and OCR with this concept this past summer, but the weight of assimilating the comments during the comment period was too great and it precluded our active engagement on the issue.

Precedent currently exists for this type of public-private collaboration and working relationship on standards conformance within the FDA's work on good manufacturing processes in the pharmaceutical and medical device industry. There are numerous examples of not endorsement but standardization and guidance.

We suggest developing a standard of competency testing that a covered entity can use to measure understanding and mastery of the material. Currently quantitative testing of HIPAA knowledge could actually increase one's legal exposure as there is no agreed upon or accepted standard, clearly not the intent or spirit.

We would encourage NCVHS, DHHS and OCR to explore this learning challenge in more depth along with the potential for workable solutions and we are at your disposal.

MR. ROTHSTEIN: Thank you very much.

MS. KAMINSKY: Can you expand a little bit about the FDA's work on good manufacturing processes? I'm not at all familiar with that and if you are using that as a model, it would be useful to have better explanation.

MR. HUGHEN: Sure. If you look at the rules of the manufacturer that a pharmaceutical or medical device company must go by to develop their products, they are expansive, there are many more pages than the 2,000 pages of the privacy rule is so to that effect they have worked with industry.

A company by the name of Eduneering(?) for one, where they have actually established some minimal acceptable criteria of training and they do not endorse the product but at least the end user, the covered entity, in this case being a pharmaceutical company knows if they use that product, that it's not wrong, that it covers the bare minimum.

Am I answering your question?

MS. KAMINSKY: I'm just trying to think through and translate that into the HIPAA privacy world, what you are talking about with the standard of competency testing. Can you maybe expand on that a little bit more, what you have in mind, what your vision is?

MR. HUGHEN: Yes, I can. I think you can identify in the rules and regulations what it is that would be the minimum for an awareness course, what would be the minimum knowledge needed for a physician specific module or a nurse specific module or an occupational therapist specific module. What are the bare minimums because right now if you are a consumer trying to procure that, it's all over the map, the quality is all over the map and there's some good information out there and there's some really horrible, incorrect information out there so if there were a channel within OCR, a filter, if you will, someone to review the material and say something shy of an endorsement, that it is correct, that it is a good product.

I think that would help the buying community greatly.

MS. KAMINSKY: I think what's -- I mean, it's an interesting idea. What's hard for me to kind of think through all the way is how that would work given the fact that a lot of training that's required by the rule is based on each covered entity's own policies and procedures which, you know, clearly will have to be tailored to their specific functions and business models so just as we have heard testimony today saying that, you know, differing opinions about whether a sample or model forms could be useful, it's a little bit difficult for me to think through how this kind of training or whatever would have applicability to all the covered entities.

MR. HUGHEN: I don't think at that level of granularity when you deal with specific policies and procedures that it's realistic. That would be the eventual enforcement arm, if you will, whether it be through OCR or just through the jurisprudence system but at a higher level before you get into institution-specific policies and procedures.

I think the testimony that we are hearing is that the community is struggling a few thousand feet above that which is just the basic awareness, basic physician-nurse-therapist-tech-lab tech, etc. Specific HIPAA awareness and job function specificity at that level, I think you very well could at an institution specific policy or procedure level, probably not.

DR. DANAHER: If I could comment on that, would the presenters, this relationship between the FDA and Eduneering, is just as he presented it. They went to the FDA and said look, we'll develop all your training for free if we can then take these courses and commercialize them and sell them, etc., and, you know, it's not an endorsement but clearly if you guys are using it.

So I think to your point, Stephanie, there's a lot of just, in terms of training HIPAA, there's a lot of fundamental, you know, what is the minimum necessary disclosure to verify the request, what are the fundamental concepts if you could, you know, work hand in hand with HHS and OCR, etc., to kind of help define those and maybe, you know, how does, you think part of what he's getting at -- but you are absolutely right about the P&Ps, what does HIPAA mean for fundraisers.

What does HIPAA mean for marketing folks? What does HIPAA mean for whatever, if some private company were to work with us to kind of create that and then on top of that superimpose a rendition, then that health plan would have to come up with their own policies and procedures.

So it would, probably it would be at a 40,000 or 20,000 level. You could do it in conjunction with a private-public partnership could do that and then at the ground level you would actually have to have that specific organization say, you know, this is how our nurses are going to deal with white boards or whatever.

MR. ROTHSTEIN: Mr. Hughen, thank you very much. Appreciate it. Mr. Holt Anderson. Okay. Let's see, Antonia Scarlotta. Sherree McKnight. Abigail Ryan.

MS. RYAN: Good afternoon. I'm Abigail Ryan and thank you very much for giving me the opportunity to speak.

I have -- I'll tell you a little bit about myself just a second. I wear three different hats. One of them is with a company called DKCS, an information assurance company that has recently been acquired slash merged because they are a small business and can't make it as a small business so they are forming a course of four other companies. They have been in business for nine years and since 9-11, between getting paid for federal contracts and securing federal contracts, it has been a disaster on all fronts as I'm sure you have heard from small businesses. That's number one.

I'm also a presenter at the HIPAA conference, the summit tomorrow with Al Schott. I have been studying Indian health services and rural health for some time. When the SHIP grants came out, they were announced in June. I had three interns working with me. I had gone to the Medical College of Georgia, got a degree in endocrinology and also a degree in finance and accounting and I'm on the faculty at Northern Virginia Community College so I have been acutely aware of how health care is just grossly underfunded and the problems that physicians have because physicians in most physician entities have no training in business nor do they have any training in finance.

In calling these hospitals one at a time, we went through, we were initially told that there will be somewhere between 700 and 800. There were 1,400. All of them were called, all of them were contacted and all of them received help to get these grants in place.

One of the things that came out today that I really wanted to mention was the preemption. Joyce spoke about this and I want to address this in particular.

Every profession that's considered to be truly a profession has some kind of internship that goes along with it. In medicine you go to school for four years and if you go into just general practice or primary care, you have a one year internship for general practice, three years for primary care and then your specialties go up, whether it's general surgery, five years, and then another two years for cardiovascular specialties or Hemac or anything else.

The same is true for finance and accounting. In order to get a CPA, you have to go to school, you have to have the courses in general. In most states you have a two year internship.

This is not true for law and I really, in addressing the issues today about cost and preemption and how costly it is and please, HHS, give us the money, we need this, we need that, medical schools recognize you can't learn medicine without hands on. Accounting and finance realizes you can't have it with hands on.

Law schools, particularly those that take state monies, need to institute some kind of internship program. It is these interns that can then be responsible for going through the tedium of comparing state regulations with federal regulations. There needs to be some kind of change in the law school education at the state level.

Bars should not be passed -- they shouldn't pass the state bar unless they have done some kind of internship. One year for general practice, three years for health care finance. It definitely needs to be done.

That's my first suggestion and I'm hoping that somebody will take the ball and run with this because I believe from my heart of hearts, having dealt with HIPAA for many years now, that HIPAA is being ruled by the legal profession and it is more evident now than it has ever been as you listen to it get more and more and more competent.

With business associates, contracts and people refusing to sign and then show it to your lawyer at $250 an hour, when you give a small hospital $9,000 to implement HIPAA a year, you can be guaranteed that $8,999 of that is going to go to legal consulting fees.

Please help here. Please hold the legal profession accountable and say you need to give back. Law schools are not just money generating vehicles. You need to learn to give back. Every student in a state funded institution must give back. That's number one.

Number two, HIPAA would never have come into place had it not been an issue of national security and everyone forgets about this. They choose not to talk about it, it's not comfortable.

National security is really what's at the core of this. The company that I work with deals with national security on a daily basis. We know that the medical records of the VA were broken into. We know that blood types were changed. We know that one year after 9-11, computers were found in the Dumpster of the VA hospitals with medical records still intact on the hard drives.

This is an abomination. In order to get the people who were so upset and so angry and so vehement, at the last HIPAA conference physician after physician, hospital administrator after hospital administrator stood up and said we have DOS-based systems. I have three kids in college. There is no way I'm going to be able to spend $60,000 to re-do my computer systems and you know what they were told at the HIPAA summit -- and you can go back and look at the tapes.

They were told too bad, you must. This is no way to run the circus and that's what this has turned into, it has turned into a circus.

People are trying in the state of Maryland. I think that one of the most exemplary people is David Sharp. He has been giving lecture after lecture after lecture on a talk circuit, going to physicians, telling them, look, you need to comply, you need to comply, you need to comply.

The worst part is that in his efforts, he has been telling them that it's going to be approximately $8,000 for each physician. The physicians are angry. They are angry because it's a lie. Eight thousand dollars doesn't even begin to touch what the vendors are charging to become theoretically HIPAA compliant so I ask again with the cost containment issue, please consider the fact that everyone, the perception is that we are being ripped off.

And the last thing is, please do make some effort to help the small businesses. The small businesses are trying to contain costs and unfortunately, they are being gobbled up. AAs are lying. They are not AA companies. They hide behind their wife's name and everybody knows it and everyone looks the other way. That's all I have to say, thank you so much.

MR. ROTHSTEIN: Thank you very much. Katherine Delair.

MS. DELAIR: My name is Katherine Delair. I'm the HIPAA privacy officer for the University of Wisconsin Hospital and Clinics in Madison, Wisconsin. We are a large academic medical center and what I am here to talk about in the brief time that I'm allowed is just to give you guys a sense of some of the difficulties with the implementation of some of the specific provisions, especially for a larger academic center.

I will just kind of touch briefly on each one of them. The first one is the whole preemption issue. I'm not going to go into any details. You already know that it's very time consuming, it's costly, etc. I just wanted to offer two possible suggestions for dealing with the preemption issue.

One is to either require that each state's Department of Justice conduct a preemption analysis and make it available to all the constituents in the state.

Alternatively, have a state's collaborative create a preemption analysis and submit it to the Department of Justice and ask them to give an opinion and/or endorse certain interpretations of the regulations.

The next issue I want to talk about is the privacy notice and the acknowledgment of the written privacy notice. The first point I want to make there, and first of all I actually agree that the privacy notice does provide some privacy for the patient in that it provides them with information that gives them knowledge as to how the information is used and what rights they have.

However, and I'm sure this has been said in previous testimony, I believe that what we need to have in the notice is way too long. It's too confusing. It's very difficult to try to get the content down to an eighth grade level. We've tried numerous times to do that. We are still stuck at a tenth grade level even though we've simplified it as much as we can.

Even with the layered notice option, I believe that the privacy notice is going to confuse patients, it's going to frustrate them, it's going to make them mad. It adds to the paperwork, the time of admission and registration, etc.

The second point I want to make about the privacy notice has to do with the actual implementation of it and the burdens on the provider for obtaining them.

I see the burden in sort of two different ways. One, looking at the access points in your system, whether it would be your hospital registration administration area or your actual clinic sites. Identifying all of those sites and developing processes to provide the notice and obtain the acknowledgment.

The second one, and this is one that I find the most troubling or problemsome is determining what other kinds of activities constitute the point of service which would trigger the need to provide the notice and get the acknowledgment.

In the preamble to the recent publications, there's a suggestion that the other ways of providing service are either by providing some sort of electronic services or communication and then also providing some sort of phone service. What I have a problem interpreting and really defining is what actually constitutes a point of service which would trigger this requirement.

We have over 80 clinics in our institution and each one of those gets well over 100 phone calls per day asking a variety of things from when is my appointment to, oh, I heard my lab values are this. Should I take this medication and we are providing some sort of over the phone treatment.

The way I interpret the regulations right now which, of course, could change two weeks from now or even after the summit, is that any time we have any kind of communication over the phone that constitutes some sort of provision of advice, that would require us to send a notice to someone in the mail the next day.

In effect what that means is that from an operational standpoint, we have to develop a process for identifying all of the phone calls that come in each day, determining which of those phone calls constitute a point of service or treatment and then having someone go through our computer system and determine which of those patients did or did not get the privacy notice and then send it out and watch for it to come back.

That's how my interpretation of this is right now and so what I'm asking is for some sort of clarification as to that exact issue, what constitutes a point of service, when we would have to send the mailing out and when we don't.

There is, in the preamble a specific example where we don't have to and that would be for appointment reminder type questions. Alternatively, I would love to see the regulations clarified that the acknowledgment only has to be obtained at the first face to face service. That would eliminate a lot of the problems with those telephone call kind of communications.

The last point I want to make, and I just want to make this briefly also is the difficulty implementing the accounting of disclosures requirement.

The first problem with it is that it requires us to do a preemption analysis of what HIPAA requires us to account for and what state law requires us to account for. Under Wisconsin state law right now it appears that we would have to account for things that HIPAA couldn't have us account for, basically TPO type activities.

It appears that state law requires us to account for it so it's very difficult trying to determine or coming up with a rationale for whether HIPAA or state law applies.

The second problem with that provision is trying to actually ID all those kinds of, identify all those kinds of disclosures that we would have to account for. It requires us coming up with some kind of list and then taking that list and identifying where those disclosures come from and developing some sort of process to make sure that we have the ability to account for each one of those and the problem with that is that these kinds of disclosures would literally come from anywhere, from any one of our 5,000 employees in our system.

A lot of the disclosures could come from clinical staff who are reporting infectious disease to the state as required. There could be disclosures coming out of our IS department that is related to research studies. Our health information systems could be making a lot of the disclosures.

My point is that there's no one easy process for implementing this regulation; it would require us to develop many different processes in order to implement it correctly.

That's all I wanted to say.

MR. ROTHSTEIN: Thank you. Any questions?

MS. DELAIR: Stephanie, I saw you shaking your head when I was talking about the phone call and the privacy notice. Is that an incorrect interpretation or is that just a --

MS. KAMINSKY: I didn't work on that piece. It sounds -- it's something I would like to go back and look at and if your interpretation is correct, it sounds like it's certainly going to be an operational challenge.

MR. ROTHSTEIN: Thank you. Mr. Anderson.

MR. ANDERSON: Thank you, Mr. Chairman and members of the committee. I appreciate you staying late on this day.

I'm going to talk about NCHICA as one case study, an effective HIPAA collaboration. I noted the comments this morning about local efforts that are underway with HIPAA and certainly a portion of NCHICA's activities are as a regional WEDI-SNIP affiliate. We are a 501(c)(3) that was established in 1994. We have over 300 institutional members and our mission is to figure out ways to implement information technology and secure communications in health care and we've done a variety of projects related to clinical uses of technology.

HIPAA, we began in 1999 by establishing a task force, 40 months ago, with the goal, and we've never changed it, to develop an overall strategy for addressing HIPAA compliance in an orderly and most efficient manner possible. We currently have over 350 individuals working in six different work groups who have produced awareness educational sessions.

The work groups themselves are a professional development opportunity. We put on workshops, we developed training materials and white papers. We have done a preemption analysis for the state of North Carolina and I'll mention we are creating sample documents that can be model agreements so that they can be adopted broadly across the state so that we don't have attorneys negotiating endless varieties of agreements that then have to be managed.

And then we've done some gap analysis, some planning tools which are available, we then developed our membership which allowed a fairly easy way of going through what the regulations are and developing a compliance plan and figuring out what the gaps are to supplement that.

We developed a set of sample documents which are available to the public free on our web site, including an analysis of the HIPAA privacy rule and collected North Carolina statutes. There are 143 statutes in the state of North Carolina and just analyzing those and setting aside the regulations and headsets, it takes about 83 pages of analysis for this.

We have a business associate agreement that is being adopted by the medical society, the hospital association, the major academic medical centers as sort of the model agreement.

It took 13 months to negotiate because there were probably a dozen people involved in it and everyone wanted to tweak it to their perspective and they finally just got it down the middle. What does HIPAA require, no more, no less and if you want to negotiate some special provisions, put them in another agreement and let's try and minimize the amount of effort necessary.

The notice of privacy practices is another document that's taken 15 months and we have not yet gotten to the point of incorporating state law so I would suggest those entities who have to implement a notice and then build around it their internal policies, their internal training, have got to have first done the state preemption analysis in order to incorporate that in the notice.

I think the core central document around HIPAA privacy. We have a security and privacy officers' work group and these are folks who are charged with implementing HIPAA. These are different from the lawyers and the policy people you talk about and so they came together and said on this notice, let's just find out from each other what we are doing so over a period of a month we developed a questionnaire and it includes things like are you going to provide copies of your NPP to the local media, to the press. Are you going to put it in Braille, are you going to put it on video tapes? What about the handicapped? How many different languages? How are you going to get the acknowledgment?

All these questions. And they are trying to develop a consensus way of approaching the notice in North Carolina.

The preemption analysis that you talked about so much this morning and I see around the country, the AG's office in many states are participating in the development of these. We had a broad based group that did it, that lists the state statute, cites the HIPAA regulation it compares to, does the analysis, figures out a summary, conclusion, and I can tell you, most of the summary conclusions are -- we don't know. It takes further analysis and we are going to see case law determine it.

These regulations are very complex. The preemption analysis is difficult but it's not always clear. The fact that we spent 13 months and we didn't get to the regulations and AG's opinions and case law, we are told the value of this is about three-quarters of a million dollars for what's just been done already.

And we haven't re-done it to change it based on the modification or changes in state law because of the last general assembly. We've got to include that preemption in the notice.

Another issue is defining the entities and the relationships within an enterprise and outside an enterprise. Both the state government or local counties, they are going through an amazing amount of agony to try and figure out what parts are subject to HIPAA, what parts aren't, what's an organized health care arrangement. It's amazing.

Managing the implementation is a major issue. This NPP and acknowledgment. It was mentioned this morning, what grade level. Apparently Medicaid has to write it to a sixth grade level. The 15 months we've done is to try and get it to an eighth grade level. All you have to do is use the checker in Word and there's certain words you can't put in there which are required by HIPAA so it's an amazing --

One of the things we are finding out is because of North Carolina law, we are going to continue to use consents. Almost everyone is. Even though it's optional, state law requires it in so many cases, it would probably continue to use consents so it didn't go away so if that's the impression you have, consents are going to go away, it didn't, not in North Carolina.

Business associate agreements, trying to get a standard agreement is going to save a lot of money and a lot of agony. If we can standardize documents, we can save a lot of pain, agony and cost with HIPAA. Provider implementation, from our vantage point, we see the larger enterprises, academic medical centers, they have got the intellectual resources and the other resources to invest in understanding HIPAA and trying to reach compliance.

The individual practices, I'm sure you heard yesterday, are very frustrated and I would have used other words but they are not willing or able to invest resources or to get intellectually involved with HIPAA. They grab a notice form -- oh, there's a notice I need and they say here's our notice. They don't really understand it or how to apply it to their practice.

Who do you trust? I don't know how they judge what a good form is or a bad form is, where am I getting good information or bad information? There's a real concern.

One recommendation I have, the CMS just had their fifth in a series of implementation round tables and Jared Adare, Stanly Narkinson and others from CMS take conference calls, they publicize it and they take questions from the public and they answer them.

I would say 25 percent of the questions had to do with privacy and they had to say I'm sorry, that's a privacy question, here's the toll-free phone number for OCR.

I think it's a very effective way of getting the public's input and getting their questions answered and I would urge OCR to join in a series of these conference call round tables and to see if you couldn't coordinate with CMS so that a similar format, a similar look and feel so that the department looks like it's got its act together or appears to have its act together.

That would be a very important thing.

The regional SNIP affiliates are in about half the states. And they are trying to form these in all the states, use them as a gateway to the providers as a way of getting information out and collaboration. They are in various degrees of organization and they are not all run exactly the same but they are an on-the-ground resource for that.

I would be happy to respond to any questions should you have any.

MR. ROTHSTEIN: Any questions for Mr. Anderson. Thank you, Mr. Anderson. We appreciate it. Barbara Seitz.

MS. SEITZ: I would like to thank you for the opportunity for being here today. Stephanie actually contacted me a few weeks back and I work at a small organization in rural Alaska. She had provided us with a list of eight questions that I sent out to all the privacy officers and CEOs across the state and I was somewhat surprised by the responses that I got because even though there are eight questions, all the answers came back to a similar solution.

As you know, we are a large state. Many of our providers are in extremely rural areas. We use telemedicine, teleradiology, a lot of technology, just to provide good care to our patients and the biggest concern that I heard from my peers is that there isn't one authoritative web site to provide resources.

So whether they were from Anchorage, which is our big city, all of 600,000 people, to the villages of 50 or 100 people, I mean, we all have to comply by the same guidelines and regulations.

So what we heard was that we would like to see one approved site that would give not only approved but certified links that would have a true and accurate interpretation of the guidelines but also the resource on best practice. I mean, I know it's a little early to have a best practice established but we are all asking the same questions.

Certified vendors. Is there a way to look at vendors and what they are putting out there as far as training material, services that they are providing that they have to meet some standard to provide that service. What we found is a year ago, two years ago, we are contracting, looking at vendors, whether it's for a computer systems, whether it's for draft policies that we could look at and revamp to our specifications, training materials and everything we purchased and year, year and a half ago, has been outdated due to changes in the regulations.

Well, you know it would be like software where you can just pay for an upgrade. That's not the case with most vendors. You have to repurchase the whole binder, a new video, all the new training materials.

We are in a very small hospital. We only have, you know it's 15 beds of acute care, 25 long term care, we do hospice, home health, so we have about 260 employees, but we are community based. All of our funding comes out of rural taxes and rural funding.

It puts a big burden on us as well as I'm sure the big providers have the same issue. So if there was some way to look at vendors specifically and meet some standard, I think everybody would benefit.

Some of the other suggestions that we had were web seminars. You know, in a remote area, to travel is an extreme cost, not to mention a delayed flight and a cancelled flight yesterday. It actually took me about 19 hours to get here. It's a little hop to Anchorage and then the hop to Minneapolis and from there to Baltimore, I know it's being reimbursed and the hospital is willing to do that because this is a great opportunity to learn and to be heard on our issues, but if you look at your staff and you have to train everybody -- and the other issue is there are no standards for training.

I sat and listened to a conference this morning. I'm like, boy, am I the only one that heard that? All you have to do is train your staff. There are not guidelines other than it needs to be a yearly or when something comes up new. So I'm sure some organizations will have the minimum video and a little certificate, another will do the interactive on-line and truly invest in our staff.

So if there were some models out there or tools, some sort of guidelines for the training specifications, I really think the whole health care organizations community would benefit from that.

One of the speakers was talking about the state of Wisconsin and the extreme amount of state laws that provide to health care and privacy and confidentiality. I worked in Wisconsin. I grew up there. It is, it is so nice and standardized, easy to follow.

The state of Alaska has little to none. There is no law about juvenile records. You follow the standards or the federal laws. There is not a lot of detail in any area of health care privacy.

So, I mean, I'm very appreciative that this is happening. For me, it makes a big difference up there. There are things that we are already doing that just need to be documented and carried on but many of the facilities don't follow the federal -- and I think some of the mentality is we are in a remote area, let them come and get us and force us.

Yes, Stephanie, I'm shaking. I told her on the phone I'm not the public speaker but I did want to represent the organizations by us.

I don't know how realistic it is to ask for such a thing, that all the links be standard and certified and approved and I know it would be very costly as far as the OCR to do that.

But I think what they would say on the back end as far as enforcement and leasing people, it would offset that if not pay for that and right now, for every organization, large and small, to stumble through those guidelines and those regulations and interpretations, what do we really need to do?

It is very costly. We are doing it. We have a lot of resources out there but nothing is standard and you network with other people, you network with other organizations. We've tried to pair up with a large hospital in Anchorage and actually share information and use the resources we do have but it still doesn't give you that self-assurance that this is what we need to be doing.

These are the true interpretations. So I'm hoping that our recommendation is seriously considered and I know by talking to other people here this morning, they said the same thing. Why can't there be one site that we go to to get reliable information that actually says this vendor meets the standards, this training program meets the standards.

As far as language for agreements that the other speakers were talking about, there needs to be more standardization in order for people to comply.

Now that I'm done rambling, are there any questions?

DR. ZUBELIA: Yes, what do you mean by certified links on the web site?

MS. SEITZ: I mean, could there be a tool that's used to, I mean, set a standard. If you have a vendor, could there be an organization that actually looks through their training material that, A, our marketing, to say it's accurate because we've found things that we've purchased through some nationally known vendors.

They are inaccurate. I sat through a seminar through AHIMA which is my national credentialing association, on privacy, ready to take the exam for new credentials and the questions that they provided in the exam were prior to the August 14th changes. They could not even update their exam.

So I mean, these are national professional organizations even that are inaccurate so if there was some way to have a committee or someone look at what's out there and maybe every vendor couldn't ask you to do that or every association wouldn't ask you to do that but it would be like the Good Housekeeping seal, something that means something to the people purchasing that or the people that need to write the policy, for a certified, for better use of a term, that's what I'm using.

MR. ROTHSTEIN: Thank you very much. Okay, we are going to go over the list again and see if any of the people who we may have missed earlier may have come. Antonia Scarlotta. Cheryl McKnight. Ellen Goldberg. Richard Marx. Is there anyone who wants to speak?

MS. KAMINSKY: I did say to Alan Goldberg that we would be available to hear his testimony as late as 4:30. I don't know if that's going to be an issue, if we should break and come back. What to do in this situation, I was just anticipating that we would have -- or if we wanted any discussion time ourselves. There's no other people who are testifiers.

MR. ROTHSTEIN: Well, I don't see how we can just hang around. I'm not sure that it's feasible, especially he might not come either. We have a track record -- I guess there's a lot of weather problems, people getting here.

DR. GREENBERG: Is there anything we need to discuss about next week's hearing?

MR. ROTHSTEIN: Well, we can move to that. Do we have the schedule?

MS. KAMINSKY: I'm happy to update people on where we are at. I'm a little behind schedule.

What we are planning so far, it will be a more abbreviated hearing than this one. We will start, as we have with all the hearings to speak with, we will start by hearing from small physician and other professional practices and have some physicians lined up for that and working with the MGMA or a practice manager for that and you may be hearing from the ACOEM which is the occupational, environmental medicine, American College of Occupational and Environmental Medicine. They wouldn't necessarily be small practices but it's related.

We also have an array of other types of providers. We will have another panel on afterward. At this point I have entitled it integrated health systems and complex organizations because the first one in that group is Intermountain Health Care which, as I understand, is sort of the health provider and health plan in Utah. It seems to be a very complex system that has undergone quite a bit of privacy analysis and we will have a lot of implementation issues to discuss.

We are trying to get some representation from the Indian Health Service. It's unclear whether that's going to pan out or not. For a variety of reasons, but we are working on that.

We have somebody coming from Gambro which is the dialysis company to talk about implementation from that perspective.

We have somebody coming who will be discussing telemedicine issues. As I understand, Ed has a number of tele, telepharmacy and other types of telemedicine entities and he will be coming to discuss that and then we have the general counsel for Valley Mental Health which apparently does a lot of contracting with the state so it will be sort of an array of other types of providers.

The next panel, which will be the first panel after lunch, will be rural hospitals. We have somebody from Banner Health, I guess, in Arizona, and we found them through the American Hospital Association, so that should be interesting, and we have somebody from Kane County Hospital, which I think is in southern Utah, a pretty rural hospital I understand, and we found them through UHIN, which is the WEDI-SNIP affiliate in Utah.

And then somebody from the Governor's Task Force on HIPAA contacted me and asked if we could hear from an active member on that task force, which is Mediconnect. I don't know if you are familiar with them or not, but they are a vendor to a lot of these systems and I think I may have them speak with the hospitals too, because they were talking a lot about their clients' problems with coming up with mechanisms for the accounting for disclosures requirement and some other operational issues that might apply to some of those types of facilities.

Then, in the late afternoon on the first day, we have state agencies, public health and research. Gail Horlick was kind enough to line up Barry Lengel(?) from the Office of Vital Records and Statistics in the Utah Department of Health, so I think that she's done a lot of work with the registry issues and I'm sure he'll be talking a little bit about that.

We have a woman named Jean Wiley coming from the University of Utah Resource for Genetic and Epidemiological Research. This is going to be a little bit of an interesting discussion. She has a data base, an enormous data base, and I think it takes advantage of, she will have to explain it, but I think it was formulated originally using a lot of Mormon genetic information.

MR. ROTHSTEIN: Right, they have a tremendous genealogical data base in Utah and it has been very valuable for genetic research.

MS. KAMINSKY: Right, well, there are a lot of, they want to do even more powerful linking of this data base to other sources to match up the data base, and because of the privacy rule there are therefore probably going to be some significant obstacles to doing that, and because they are not a research study themselves, they don't get, like, a waiver of authorization.

Those are specific to research studies. They are just a data base, and she's going to come and talk a little bit about that, which will hopefully enlighten us on some research issues.

We have Denise Love coming from NAHDO, the National Association of Health Data Organizations, and I think that she will be talking a little bit on research and public health issues as well, I would assume. That's all for that panel at this point.

And then on the second day, we have some potential testifiers right now and things are not quite lined up yet. We'll have a health plan, another health plan panel, and we are looking at some health plans that Kepa has recommended. Specifically, Providence Health Plan from Oregon and also Deseret(?) Mutual Benefit Association, which also has some links to the, well, I'm sure it will be explained.

We have an inquiry into Utah Medicaid as well. So there is more to be done this week to finish up the panels, but if anybody has any specific requests or interests, I'm happy to try to follow up on those.

I also didn't know, Marjorie, whether we have to have public testimony at the Utah hearing. We need to reserve some time for that.

I have reserved most of the second day for subcommittee discussions so that we can kind of pull together our thoughts about all that we have heard over the last couple of months so we can come up with our game plan.

MR. ROTHSTEIN: I think we could provide 30 minutes for public testimony.

MS. KAMINSKY: I know that Mark mentioned yesterday an interest in hearing from malpractice insurance companies.

There was some written testimony that was submitted by an osteopathic doctor who, I think, mentioned in his written testimony something about increased cost for malpractice insurance because of potential HIPAA liability.

So that was an area, I don't know if people have specific malpractice insurers that they could recommend that I try to hunt down, but if not, I'll do my best.

MR. ROTHSTEIN: Well, I think it's an interesting issue as to whether malpractice insurance companies are adding on a sort of privacy surcharge to policies to try to anticipate potential HIPAA liability, and I want to explore those issues. That was raised by a few witnesses yesterday and I think that's something worth considering.

DR. ZUBELDIA: I met last week or the week before last with the SPBA, the Society of TPAs, and one of the common practices that TPAs have is that they have stop loss insurance and then that has dree(?) insurance. The stop loss insurance kicks in after a certain point, and for the stop loss to know that they have reached that point, they get a copy of all the claims that the TPA processes and pays, so absolutely everything that goes to a TPA is also going to a stop loss, and it's not clear how that works as far as HIPAA is concerned, so we may want to take a look at some stop loss insurance and see if there is a clear understanding of how that works.

MR. ROTHSTEIN: Another possibility, I have heard that credit card issuers are concerned about their possible HIPAA responsibilities because if you go to the doctor and pay for your medical services with your VISA card, they get information, and the information may go beyond medical services, and certainly if you go to a particular type of physician, in other words, if you go to a psychiatrist or you go to some other specialty group, it's clear why you are going there. Now they are receiving, arguably, protected health information, so that might be something to pursue, because I understand that some of the credit card issuers are now looking into their HIPAA compliance.

But certainly by the close of the meeting, and we plan to adjourn early, given the plane schedules flying west to east, at that point we should have reached some consensus at least on the areas that we want to go into in the draft privacy letter that we are going to prepare in advance of the full committee meeting, and my hope is that based on the discussion that we have on Thursday morning of next week I can prepare a draft for circulation to the subcommittee by e-mail and then we can arrange a conference call to discuss that, so we have something that's kind of semi-ready to go by the 19th.

DR. ZUBELDIA: If you are going to look at credit card issuers, then maybe you could also look at banks.

When they process the 835 for payment, they are acting as a clearinghouse. They are converting from the standard transaction into a CTX banking transaction and so on.

MS. KAMINSKY: I can't hear you.

DR. ZUBELDIA: The banks, they had a meeting here this morning. They act as a clearinghouse in their process, so it may be good, if you are going to talk to the credit card issuers, to get a bank at the same time.

MR. ROTHSTEIN: Under some sort of financial -- any other suggestions of people we need to hear from?

I think this hearing was excellent and I expect the Salt Lake City hearing to be equally good so I thank you, Stephanie, for all your hard work.

If there is no other business and no one has rushed in at the 11th hour, I want to thank all of you for attending, and those of you on the internet for staying with us, and we will reconvene next week, November 6, at 9:00 in Salt Lake City.

So this meeting is adjourned.

(Whereupon, the meeting was adjourned at 4:18 p.m.)