[This Transcript is Unedited]

NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS

SUBCOMMITTEE ON PRIVACY AND CONFIDENTIALITY

February 18, 2004

Hubert H. Humphrey Building
200 Independence Avenue, SW
Room 705A
Washington, DC

Proceedings by:
CASET Associates, Ltd.
10201 Lee Highway, Suite 160
Fairfax, Virginia 22030
(703)352-0091


P R O C E E D I N G S (9:05 a.m.)

Agenda Item: Call to Order, Introductions

MR. ROTHSTEIN: Good morning. My name is Mark Rothstein, and I'm the Director of the Institute for Bioethics, Health Policy and Law at the University of Louisville, School of Medicine, and Chair of the Subcommittee on Privacy and Confidentiality of the National Committee on Vital and Health Statistics.

The NCVHS is a federal advisory committee consisting of private citizens, which makes recommendations to Congress and the Secretary of HHS on health information policy, including issues related to HIPAA.

On behalf of the subcommittee and its fine staff, I want to welcome you to our second in a series of hearings on implementation issues under the HIPAA privacy rule.

I also want to welcome those of you who are listening to our hearings on the internet.

Before proceeding further, as our custom, we will have introductions, beginning with members of the subcommittee and staff.

I would invite subcommittee members to disclose any conflicts of interest they might have. I will begin by noting for the record that I do not have any conflicts of interest, and we can start with John Houston.

MR. HOUSTON: I'm John Houston from the University of Pittsburgh Medical Center. I am a member of the committee as well as a member of this subcommittee.

MR. FANNING: I'm John Fanning from the Department of Health and Human Services, and I'm staff to the committee.

MS. FYFFE: Kathleen Fyffe with the Department of Health and Human Services, and I'm lead staff to the Subcommittee on Privacy and Confidentiality.

MR. REYNOLDS: Harry Reynolds, Vice President, Blue Cross and Blue Shield of North Carolina and a member of the committee.

MR. SCANLON: I'm Jim Scanlon with HHS. I'm the Executive Staff Director for the full committee.

DR. COHN: I'm Simon Cohn. I'm a practicing physician and the National Director for Health Information Policy for Kaiser Permanente and a member of the committee and subcommittee.

MR. STONE: I'm Steve Stone. I'm a Senior Vice President from PNC Bank in Pittsburgh. I'll be presenting on behalf of the American Bankers Association and the National Automated Clearinghouse Association.

MR. CASILLAS: I'm John Casillas founder of the Medical Banking Project.

MS. PRITTS: I'm Joy Pritts. I'm Assistant Research Professor at the Health Policy Institute of Georgetown University.

DR. ZUBELDIA: Kepa Zubeldia with Claredi Corporation.

MS. SQUIRE: Marietta Squire, CDC, NCHS.

MS. NASER: Cris Naser, American Bankers Association.

MR. DEAN: Tom Dean with the Medical Banking Exchange.

MR. ZELMAN: I'm Jeffrey Zelman with the Office of Civil Rights.

MS. KING: Mary Lou King, Office of the General Counsel, Civil Rights Division.

MS. GOLDSTEIN: Jody Goldstein-Daniel, Office of the General Counsel, Civil Rights Division.

MR. ZIRIKOWSKI: Art Zirikowski, FDA.

MS. APPLEBY: Julie Appleby with USA Today.

MS. CATCHMAN: Pat Catchman, FDIC.

MS. WOOK: Nancy Wook, ICC.

MS. MOYEN: Mary Moyen, NCHS.

MS. WATTENBERG: Sarah Wattenberg, Substance Abuse and Mental Health Services Administration.

DR. SLOMOVIC: Anna Slomovic, Electronic Privacy Information Center.

MR. MCCOY: Ian McCoy, National Automated Clearinghouse Association.

MS. HOLLAND: Priscilla Holland, National Automated Clearinghouse Association.

MR. BRAITHWAITE: Bill Braithwaite, an independent consultant in Washington, D.C.

MR. RUDY: Dan Rudy, American Health Information Management Association.

MR. ROTHSTEIN: Thank you, and welcome to all of you.

In our first round of hearings in November, we heard testimony on public health, research and other issues under the Privacy Rule.

The subjects of the hearings today and tomorrow are banking, law enforcement and schools. We will hear from two panels of invited experts on each of these three topics, and I will, throughout the day, give you updates, as necessary, on last-minute changes to our schedule.

In addition, from 3:45 to 4:45 this afternoon, members of the public may testify on these issues. If you are interested in testifying, please see Marietta Squire at the registration table.

I would remind our witnesses and listeners that the purposes of the hearings are to consider whether the Privacy Rule strikes the appropriate balance between health privacy and other important concerns to determine whether there are practical problems or unintended consequences that have arisen as a result of the Privacy Rule and to ascertain whether there are areas in which additional clarification, education or outreach efforts are needed to facilitate compliance.

Witnesses are asked to please limit their initial remarks to 15 minutes. After all the witnesses on each panel, we will have time for broader discussion and questions.

Witnesses may submit additional written testimony to Marietta Squire within two weeks of the hearing.

I would also request that witnesses and guests turn off their cell phones, if they have not done so already.

And, finally, if all witnesses will speak clearly into the microphone, it will be greatly appreciated by those listening on the internet. It is, I assume, hard enough as it is without straining to hear what people are saying.

So having dispensed with all those preliminaries, we are now ready to ask our first panel of witnesses to testify, and we will go in the order that is listed on the agenda, if there are no objections from the subcommittee members or requests from the panelists, and that means that, to begin with, we are very happy to welcome our former member and friend, Kepa Zubeldia, to testify first.

Agenda Item: Banking - Panel 1

DR. ZUBELDIA: Thank you very much.

My name is Kepa Zubeldia, and I'm coming here more than representative of Claredi, as a former member of the subcommittee. Because I did a lot of work in this area while serving the subcommittee, I'm trying to bring an overview of the work that I have done to see if it can help frame the issues and help the rest of the testifiers today and the subcommittee members.

I bring a lot of questions and I bring very few answers, and the intention is that the answers will come from the rest of the panelists today.

I'm going to be talking about two different issues. The first is what is the status of the financial institutions under HIPAA? Are they clearinghouses or business associate, and what are the different roles that they play?

And the second issue is the privacy of protected health information in the banking system and the healthcare payment chain.

The clearinghouses under HIPAA are defined as a public or private entity that does either of the following: processes or facilitates the processing of information received from another entity in a non-standard format or containing non-standard data content into standard data elements of a standard - or a standard transaction - or receives a standard transaction from another entity and processes or facilitates the processing of information into non-standard format or non-standard data content for a receiving entity.

And I have highlighted a few key words in this definition for the purpose of these hearings.

First, the definition of the clearinghouse is based on the functions performed, not the existence, but the functions performed, and the information handled by the clearinghouse is coming from one entity to another. So a billing service that uses the information for their own purpose would probably not fit this definition of clearinghouse. Let me say I am not a lawyer, so I can't tell for sure. I'm not sure if the lawyers can tell for sure.

Another key component of this is that a clearinghouse converts from standard into non-standard either the format and/or the data content of the transactions, and we'll see more of that in a minute.

A clearinghouse in healthcare performs multiple activities: connectivity among trading partners, data-content validation and rejection, data-content conversion, converting code sets and identifiers, transaction format conversion between legacy and HIPAA formats, transaction aggregation and/or distribution among multiple trading partners, systems integration, customer support, and, then, even for clearinghouses, there are value-added functions that are not part of a traditional clearinghouse, such as different kinds of reports, patient statements, other management reports, followup tracking of transactions and payments, accounts receivable management, collections, et cetera.

I want to point out that out of all of these functions that a clearinghouse performs in healthcare, only two are considered in the HIPAA definition of a clearinghouse: The data-content conversion and the transaction format conversion. Everything else, even though in healthcare we call it a clearinghouse, is not what constitutes a HIPAA clearinghouse.

Under HIPAA, there are two financial transactions, the 820 and the 835. The 820 is a premium payment. Typically, the 820 flows from the employer to the payer. Could also flow through the insurance broker. The employer could be paying the broker and the broker paying the payer. In that case, is the broker a business associate? Is the broker a covered entity? We'll talk about that a little bit later.

A claim payment and remittance advice, the 835, typically goes from the payer to the provider, either directly or through a clearinghouse or through a payer's bank, but, in that case, the payment doesn't necessarily go with the remittance advice. The payment could be by check, by wire transfer, ACH transfer, separate from the remittance advice. So there is the possibility of a dual path.

In addition to the HIPAA transactions, the banking system uses other financial transactions that generically are called Electronic Funds Transfer, but there's different kinds of transactions.

The CCD is what is typically called AFD or wire transfer, although there are some nuances that the bankers were able to explain between wire transfers and EFT and all of that.

There is a version of the CCD called the CCD+, CCD+ addenda, that has an 80-byte addenda record that, in essence, is a very brief one-liner explanation of what is being paid.

And then there's another version called the CTX, which is essentially the same as the CCD, but with up to almost 10,000 addenda records, and those addenda records is with the banks and include a complete description of what is being paid. Typically, the addenda will encapsulate a full 820 or the full 835.

So if you look at the transaction structure of these HIPAA transactions, they have two tables, Table 1 with the payment information, and Table 1 describes the payer, the payee, the amount, the trace number, the date of payment, effective date, all of this banking information.

Both the 820 and the 835 have exactly the same Table 1 information, payment information, and the CCD, CCD+ and CTX contain the equivalent of the data in Table 1. The format is different. The content may be slightly different, but it is functionally equivalent to Table 1.

Then, the payment could be as part of Table 1, or, like I said before, the payment could go by check and Table 1 would refer to the check by check number and check date and so forth.

Table 2 of the transaction contains what we know as remittance advice, and it could be the premium payment explaining what premiums are being paid, the claims that are being paid, appended or denied, and what are the adjustments to those claims; and Table 2 is the part that contains PHI, if the claims are being paid.

So whenever a payment goes in a remittance advice, with payment of claims, they have the - at least the potential - to contain the provider information and the procedure codes, and, of course, the patient information for the claim that is being paid.

So if you look at that diagram on the right-hand side, where I have the structure of the 835, you see Table 1, Table 2. The whole thing is called the 835. I'm going to reuse that diagram.

I'm going to describe five different methods of payment that happen in healthcare today. The simplest one, the one that is probably used the most today is where the payer sends a paper check and a paper remittance advice to the provider through the mail. The check is processed through the bank, and in the check, you have the payer information, the provider information, but there is no PHI. It will say, we are paying Dr. Jones $55, and it doesn't say for whom.

Typically, the banks offer lock-box services, where the banks aggregate on behalf of the providers the checks coming from multiple payers and enter them into some sort of magnetic media or some sort of telecommunications to the provider system or a consolidated report to the provider system.

These lock-box services typically will receive not only the check, but also the remittance advice that goes along with the check, and they enter that remittance advice into a system that the provider can use electronically. That is a possibility for the lock-box services to get in contact with PHI.

The second method of payment is when the payer sends a paper check and an 835, an electronic-remittance advice, to the provider, either directly or through a clearinghouse.

In this case, there is a dual path. The payer sends the check in the mail and the provider, or the provider's clearinghouse, an electronic-remittance advice. The check is being processed by the bank, and in that check, there is no PHI. The electronic-remittance advice typically doesn't go through lockbox, although there are some lock boxes that also process electronic-remittance advice.

The third method of payment is when the bank sends an electronic-funds transfer of some sort, typically with a CCD or CCD+, to the bank and an 835 to the provider. This, you can see, is almost identical to the previous one, except that instead of being a paper check, it is an electronic-funds transfer. The EFT still doesn't have any PHI in it.

A fourth method of payment - and here is where it gets a little more involved - is when the payer sends the payment instructions to the bank as an electronic-funds transfer, using the banking transaction - not a HIPAA transaction, but a banking transaction - and inside that CTX, the payer includes the 835 itself, and I'll show you a picture of what it looks like. The addenda contains a complete 835. Typically, these transactions follow a single path. The payer produces the 835 and either the payer or the bank drop the 835 with a CTX transaction that flows through the banking system. The provider gets the 835 from the provider's bank after unwrapping it out of the CTX, but that CTX actually contains PHI inside the addenda, because it contains an 835 inside the addenda.

And, finally, the HIPAA transaction, the HIPAA way of doing things, is where the payer sends an 835 to the bank, and the bank uses the Table 1 from the 835 as the payment instructions and Table 2 is sent to the provider.

Now, again, this is a single path, from the payer to the bank and the bank to the provider, or it could be a dual path, from the payer to the bank, and the payer could be sending the 835 Table 1 only to the bank, which is equivalent to a CTX, equivalent to CCD - where the bank would effect the payment instructions, based on Table 1, I would not have access to PHI - or the payer could send to the bank the Table 1 and Table 2, and then the payer could send to the provider the 835 or the payer could let the bank send the 835 to the provider.

So I'm giving you all of these variations because all of this is happening under HIPAA today.

Now, when the 835 flows through the banking system, typically, it flows as a part of a CTX - as the addenda of record for the CTX - and you have an 835 with Tables 1 and 2 - Table 1 has the payment instructions, Table 2, remittance advice - encapsulated inside the addenda records of the CTX. The CTX has payment instructions that are identical to the payment instructions in Table 1 of the 835, but the banks - most of the banks - process CTXs by the millions every day and don't process very many 835s yet. So they prefer to get this kind of combination.

I want to point out that the 835 is actually encapsulated inside the CTX. There is no translation or reformatting or conversion. It is an envelope, and on the envelope is the payment instructions, and the banking structure is called the CTX. Okay? So it is not a conversion between one format or another. It is two parallel versions of the same payment instructions.

Common Data Flow is the payer prepares an 835. The 835 is encapsulated into a CTX, typically by the payer, but it could happen at the clearinghouse or the payer's bank. The CTX is sent through the automated clearinghouse to the provider's bank. The provider's bank will make the payment from the CTX, unwraps the addenda records of the CTX to get to the 835 and delivers the 835 to the provider or to the provider's agent, provider's clearinghouse, perhaps.

So is the bank a covered entity? If we look at the definition of a clearinghouse, out of all the things that the clearinghouse does, only two are considered by the HIPAA definition of clearinghouse, Data Content Conversion and Transaction Format Conversion, none of which are done when the CTX is merely encapsulating an 835. The 835 is not converted. It is just encapsulated inside the CTX as an envelope. So according to that functionality, I would say the bank is perhaps not a clearinghouse.

So is the bank a business associate? Well, it depends. Which bank? What are they doing? Is the payer's bank acting on behalf of the payer? Perhaps. If the payer bank is doing some work on behalf of the payer, they would be the payer's business associate. Is the provider's bank acting on behalf of the provider? Well, if they are, they would be the provider's business associate.

Is the automated clearinghouse a HIPAA clearinghouse? Is it acting on behalf of other banks? Are other banks covered entities?

I said I bring a lot of questions and not answers.

Then there is something called Value-Added Banks or Value-Added Networks, HIPAA Banks, healthcare banks. What is their role in all of this? Do they perform this data-format conversion or data-content conversion that would constitute them into a HIPAA clearinghouse? So we need to look at the HIPAA clearinghouse functions.

We ask the Privacy Rule and we go back to the preamble of the Privacy Rule. The Privacy Rule has an interesting statement on page 82,476 in the third column. The preamble says, we do not consider a financial institution to be acting on behalf of a covered entity, and, therefore, no business-associate contract is required when it processes consumer-conducted financial transactions, blah, blah, blah. Covered entities that initiate such payment activities must meet the minimum necessary disclosure requirements described in the preamble to 164.514.

So the preamble of the Privacy Final Rule clearly says that financial institutions are not considered to be business associates. They are not acting - let me go back to the previous slide. They are not acting on behalf of the payer. They are not acting on behalf of the provider.

So what does the banking industry say? The banking industry HIPAA Task Force has a working paper that is available through the website of the - I think all of the associations - NACHA, ABA, Medical Banking Project. Everybody has access to this website.

And there are a couple of determinations that the task force made that are very interesting. The task force determined that the majority of health banks are not healthcare clearinghouses and not covered entities under HIPAA, as a result of payment-processing activities. A small number of banks are healthcare clearinghouses and covered entities under HIPAA as the result of value-added services - value-added is my addition - provided in addition to their payment-processing services. If they didn't have these additional services, they would not be clearinghouses.

They also determined, in the task force white paper, that the banks providing service to the healthcare industry may often be business associates of health plans and providers. It seems to be contrary to what the preamble of the Privacy Rule said.

Banks have a long tradition of protecting confidential financial information and have security practices that meet or exceed many HIPAA requirements. This is a determination of the task force, the banking industry HIPAA Task Force.

Section 1179 of HIPAA excludes these financial activities from HIPAA. Section 1179, in part, says the extent that an entity is engaged in activities of a financial institution or is engaged in authorizing, processing, clearing, settling, billing, transferring, reconciling or collecting payments for a financial institution, this part - which is Part 2 of the administration - this part and any standard adopted under this part shall not apply to the entity with respect to such activities, including the following, and there describes the activities are a part of financial-institution payments and so on.

The impact of this is that a covered entity may disclose PHI to financial institutions for purposes of payment. That's part of treatment, payment and healthcare operations. Is this subject to the minimum necessary? Well, actually, the content of the 835 is not subject to the minimum necessary requirements, because it is one of the HIPAA standard transactions. So once the PHI is properly disclosed by the covered entity to the financial institution, is it still protected health information under HIPAA?

The banking industry says it's protected by banking regulations. It is not protected by HIPAA.

The banking regulations - I am going to address one of them, although there are more, okay? I'm going to address Gramm-Leach-Bliley. Gramm-Leach-Bliley protects consumers and customers of financial institutions. Therefore, the payer and the provider, as customers of the financial institutions, are protected by Gramm-Leach-Bliley. Gramm-Leach-Bliley protects information collected about individuals. It doesn't apply to information collected in business or commercial activities. That sentence comes directly from the FTC website on Gramm-Leach-Bliley.

So does Gramm-Leach-Bliley protect information collected about individuals that are neither consumers nor customers of the financial institution? The 835 contains patients, and inside that 835 there are patients that are probably not consumers nor customers of the financial institution. The payer and the provider are the consumers and customers of the financial institution. The patients inside the 835 are probably unrelated to the financial institutions, unless, by coincidence, one of those patients happens to have an account with that particular financial institution. So there could be a problem here.

Of course, the banking system is also protected or regulated by Regulation E, Regulation P and many other banking regulations that I'm sure that they will describe in this hearing.

So let's take a look at some of the potential issues.

Routine payments. The patient makes a check or a credit-card payment to provider. This is the kind of payments that are specifically excluded by Section 1179. The banks are not HIPAA business associates, according to the preamble of the reg. The patient's bank must protect the patient's information, and if the patient makes a payment to a cancer center, an AIDS clinic, an abortion clinic or any of those other sensitive providers, the patient's bank has to protect that patient information, and that is part of Gramm-Leach-Bliley.

But what other privacy protection is applicable at the provider's bank? Since the patient is not the customer of the provider's bank, the provider's bank protects the information about the provider as an individual, and the provider's bank used the patient information when the patient is not the bank's customer. So this is for the rest of the panel to answer.

Lock-box services. The provider typically contracts with a bank for lock-box and other value-added services. The lock box receives paper payments and paper-remittance advice, because most of the payers will send both of those together. The lock box may also receive HIPAA 835s on behalf of the provider, and then the lock box consolidates the paper and/or electronic-remittance advice for delivery to the provider. As the lock box is converting the 835 to another format or different codes, the lock box is not a clearinghouse. Now, the lock box is probably a business associate of the provider. So can the lock box mine the patient information and datastream? Is the paper datastream considered PHI when it is never a HIPAA standard transaction? Remember the consideration of PHI has a linkage to being in standard transactions or being electronic. So this is paper. Do these business-associate contracts between the provider and the lock box contain minimum necessary clauses? This is between provider and lock box.

The banks also act in a function of accounts receivable. Sometimes the bank offers services to a provider such as a loan, and a loan between the provider and the bank may be secured by accounts receivable, and that accounts receivable security of the loan may have to be exercised if the bank needs to collect from the collateral because the loan is in a default situation.

Section 1179 excludes from HIPAA financial-institution activities for collecting payments. So do the minimum necessary requirements still apply? Seems like Section 1179 excludes any standards under this part, including minimum necessary. So once the bank has a loan with accounts receivable as collateral, in order for the bank to collect on that accounts-receivable collateral, they may have to invoke Section 1179, excluding all of it.

There is a new topic, health-savings account. This is part of last year's Medicare bill, and there's similar issues with something a little bit older called medical-savings accounts. Only legitimate healthcare expenses can be paid with these pre-tax HSA, MSA monies. So in order to justify that they are legitimate healthcare expenses, there is an administration of the health-savings account that has to occur.

In addition, health-savings accounts typically are backed by high-deductible coverage. So in the third-party administration of the health-savings account, there has to be documentation and an audit function through the receipts - typically, the receipts from healthcare payments or expenses being paid, and that has to - there's two functions to that. One is to make sure that only legitimate healthcare payments flow through the health-savings account, and second is to find out when you are reaching the limit, and when you reach the high deductible, then it triggers the secondary coverage policy.

There have been a lot of announcements lately of extensive use of debit cards to pay for the HSA expenses. It introduces and simplifies the - requirements, but the credit card has to contain enough health information to make sure that the documentation requirements of the health-savings account are met. The debit-card transactions are not HIPAA transactions. You don't pay a debit card with an 835. The debit-card transactions are just like credit-card transactions flowing through the credit-card system, the financial system. So are these totally excluded from HIPAA? And, obviously, those credit-card transactions must have enough healthcare information to know that it is a legitimate health-savings account expense.

We have seen an announcement - I think in today's paper - that United Health Care is opening a bank in Utah just to do health-savings-accounts type of activities. They chose Utah.

Rural banks. Rural banks have limited technologic capability. It is a very special environment. It's a low-privacy environment. Everybody knows everybody else in town. In fact, they probably don't mail anything. They just hand-deliver it to their customers.

The NACHA rules require that the banks have to have the capability to convert 835 to what they call Human Readable Methodology, and Human Readable Methodology are things like fax, email, print advice, bank statements, software that can be given to the provider and so on.

The payer, in sending the 835 cannot predict that this will happen at the provider's end. The payer sends a payment to - provider. The payer doesn't know how the provider's bank is going to handle the 835, and, therefore, the payer cannot restrict to the minimum necessary, since the remittance-advice information will be necessary either by the provider, by the lock box or by somebody at the receiving end. Besides, the 835 sent by the payer is exempt from minimum necessary anyway. So what is the provider's responsibility in this environment?

I have a couple of other additional issues that are not banking issues, but are related, because they are part of the payment chain.

Insurance brokers. Insurance brokers get copies of the claims in order to perform their services. They have to measure utilization. They have to calculate the risk. They have to establish and renegotiate contracts on behalf of their clients, and when they get copies of the claims, they have fully-identifiable health information in their hands. Are they a business associate? Of whom?

The employer is certainly not a HIPAA-covered entity. So they can't be a business associate of the employer. They get the claims from the payers, but I doubt that the payers would say the brokers are their business associate.

Re-insurance and stop loss. Almost the same issue as the brokers. They have to get copies of the claims in order to perform the services. They have to do actuarial risk assessment. They have to identify the high-deductible trigger point where the stop loss kicks in. They also renegotiate their contracts based on utilization. Are they a business associate? Of whom?

Again, the employer is not a covered entity. Health plans contract with the stop loss as part of their operations. They get the claims from the health plan. Are they a business associate of the health plan? Maybe. That is not for me to answer. That's for the rest of my panel. So if you have questions, I may have to deflect most of the questions to the rest of the panel, but I may be able to answer some of them.

Thank you very much.

MR. ROTHSTEIN: Well, thank you, Kepa.

The good news is that is the clearest, most comprehensive presentation of the issues surrounding banking that I have ever heard, and the bad news is I am now much more confused than I was to begin with, and I regret that you are sitting on the other side of the table now and can't work with us on these issues, but thank you so much.

We'll have our questions at the end.

Ms. Pritts.

MS. PRITTS: I'll be just a minute as I set this up.

Good morning. I'm Joy Pritts, and I'm an Assistant Research Professor with Georgetown's Health Policy Institute.

I would like to say that I could answer some of the questions that Kepa raised, but I am probably just going to raise some more questions, unfortunately. I think this is a very complicated area, and it is one that a lot of people are very concerned about.

There was a survey done in 2000 that showed that 95 percent of adult Americans don't want their health information - banks to have access to their medical information, record information, without their permission.

So against this is you have a public that is not quite sure how they feel about banks having access to their medical-record information, and I think that is primarily just because people don't like organizations that have some kind of authority over them to have access to this kind of information.

So against that background, you have a series of laws and regulations that are in place that attempt in various methods to protect that information as it flows through the system.

The ones I am going to talk to today - although there are a host of other ones - are HIPAA, the Health Insurance Portability and Accountability Act of 1996, Gramm-Leach-Bliley Act, which is also known by many people as the Financial Services Modernization Act, and the recent amendments to the Fair Credit Reporting Act, which has been called the Fair and Accurate Credit Transactions Act, also known as the FACT Act. We have to get all of our acronyms in there.

What you have at least two of the statutes doing is creating these kind of networks of information for very different purposes. You have the network that HIPAA attempts to create, which is that - and this is just a small part of the network that is shown on this slide - but the network is that you are going to have, ideally, this National Health Information Infrastructure, and within it health information is going to flow electronically between payers, providers, hopefully patients and a lot of intermediaries who are going to help make this system work, including banks.

In contrast to HIPAA, the Gramm-Leach-Bliley Act also encourages networks for a different purpose and with different organizations.

Gramm-Leach-Bliley was intended to be the - to encourage one-stop financial shopping. So what it does is it encourages banks and other financial institutions to affiliate with each other, and one of the ways that you get one-stop financial shopping is by sharing information with each other, and that is a large part of what Gramm-Leach-Bliley Act is really about. So you can see they are overlapping systems in some ways with what I consider to be kind of different purposes.

And there are some concerns about this, because, in a lot of ways, banks are in an ideal position to make this system work very well. They have already got this wonderful capacity, a national capacity, for you to go to any bank and get your money out of your account. There is really no - there is a lot to be said for that, but as they position themselves to participate in this system, they will have increased access to identifiable health information.

I would also like to point out that this identifiable health information, we are at least thinking that at some point it is going to have a unique health identifier associated with it, and so it will have the equivalent of an account number, a Social Security number on it. It will be very easily identified with a particular individual.

There is - although there hasn't been a whole lot of - I would say, there hasn't been a whole lot of affiliations between banks and health insurers yet. There has been some, and there is reason to believe that there will be more as time goes on. There is an increased sophistication in computer technology as to how you can use and manage data, and people feel - whether they are right or wrong - that there is a potential financial incentive for using this information. That is where you get that 95-percent figure from is that your average consumer is very concerned about these things, and the reason they are concerned about it is they don't want the information used against them. It is the same reason why you have healthcare consumers not wanting employers to have their health information. At the bottom of it all is a concern of being discriminated against.

So the goal, at least from a healthcare consumer's point of view, is to make sure that the health information is protected adequately as it flows through the system, and, as Kepa pointed out, one of the questions is are banks even covered by HIPAA. They are part of this network. Are they covered? And one of the - in particular, one of the issues is if - what activities do they do, if anything, to make them a healthcare clearinghouse?

For a long time, while this issue has been debated - and I have heard this not only from like people who are outside of HHS, but also a lot of people who have been inside HHS. There was a real belief that if banks did certain functions, they would be covered as healthcare clearinghouses, and I think we have seen a little bit of shift in that belief in recent times.

I don't think that there has been any controversy that when a patient submits payment - a patient submits a check, it goes to the healthcare provider, and that goes through their bank, that activity does not make somebody a healthcare clearinghouse, and I don't think that there has been much dispute about that. I don't think that people have been disputing the fact that if you have this kind of electronic funds transfer that that would also make a bank a clearinghouse. I don't think that those are - those are not really issues. I think those are fairly settled, but I - again, I may be wrong on that.

But where people seem to be having a bit of dispute is whether - and I am going to use this one transaction, because I think it is a kind of easier one to understand, because if a bank does this - if somebody else did the same thing and a bank does it, the other person would be covered by HIPAA as a clearinghouse, and the question is if a bank does the same thing, which is kind of clear, would they be a clearinghouse? And this is when the bank processes the remittance advice, the electronic remittance advice, they take that advice out of the standard format that it has arrived at the bank in, so it is in HIPAA standard format, and they put it into - I think what Kepa called a human readable form. Yes, a human readable form. I would call it into plain language, so that the provider knows what is going on. So they take it, they convert it, and there is no question, at that point, that they are converting from a standard format into a different format, and many believe that if anybody else did that they would be covered by HIPAA.

In a letter that the ABA sent to the HHS, they have taken, I think, a slightly different position than the task-force paper and said that under Section 1179 that they would not be covered by HIPAA as long as they are engaged in an activity of a financial institution.

It is worthwhile going to look at the definition of financial institutions, the Right to Financial Privacy Act. It is defined differently than it is in some of the other acts that you may look at. It is definitely defined differently than it is in Gramm-Leach-Bliley Act. It is a much narrower definition.

And the second part of this analysis is - all right - if we are engaged in an activity of a financial institution, we are not covered by HIPAA, so any activity that has been approved by OCC for a bank is a financial activity, and that is pretty accurate. I mean, the OCC tells the banks, you can engage in certain activities because they are related to banking, and it is kind of a gross simplification, but when you look at the examples that were in the ABA's letter and then you go and look at some of the activities that were, this definitely is broader than when we process a payment - what most lay people would consider to be a payment, when we process a check, when money flows. It's a financial - an activity of a financial institution is much broader than that.

And I am not going to - as I said before I agreed to come here, I'm not really going to get into the issue of whether they are or - whether 1179 exempts banks or does not, because I think that kind of - I'm happy to discuss it, but that is not what I wanted to talk about really. I wanted to say, well, if it doesn't - because other people have their positions on that, which I think they will adequately represent, but the question becomes, all right, let's assume that they are exempt from HIPAA or if they are exempt from HIPAA, then the question becomes is the medical information that banks process adequately protected by other laws, and I think that this is something worth looking at.

Kepa talked briefly about Gramm-Leach-Bliley Act. It is primarily designed to facilitate affiliations. It applies only to consumer and customer financial information. It does not apply to commercial transactions, and the privacy provisions in GLBA establish limits on sharing financial information, which may contain medical information.

What GLBA does is it limits the sharing of consumer payment information. So when we went back to that first picture where we said everybody said that HIPAA would not cover that, GLBA actually does cover some of that. It imposes some restrictions on how a bank can share that information with others. It includes notice and opt-out provisions. As someone who does a lot of work in the consumer area, of course, I'm sure everyone has heard that most consumers do not like the notice and opt-out structure of things, because we don't feel that that is very protective of the individual, but it does have that, and that is more than what is available under HIPAA.

It doesn't prohibit banks from using consumer payment information, because that is not what GLBA is about, and it doesn't prohibit banks from using or sharing information from commercial transactions, because this isn't the kind of information that is covered by Gramm-Leach-Bliley Act.

In response to that, there was - after Gramm-Leach-Bliley became law, there was almost immediate dissatisfaction - well, there was immediate dissatisfaction with the law, including by some of the people who wrote it originally, and there were a lot of attempts in Congress to go back and recraft parts of the privacy protections.

Everybody pretty much agreed that reopening Gramm-Leach-Bliley Act was not politically feasible. I mean, it took a lot to get that act out of Congress, and so after a couple of tries of doing it independently in 2003, there was a piece of legislation that clearly was going to move through Congress.

We are all familiar with what happens often in Congress is if you get a piece of legislation that is moving, then you try to attach things that you want to happen to that, and what was moving in Congress were amendments to the Fair Credit Reporting Act, and that is because - not to go into great detail, but there was a sunset provision in there that a lot of people did not want to see sunset. So it had to be reenacted, and within that context - this is all within the Fair Credit Reporting Act, but with a little different context from Gramm-Leach-Bliley, and a different context from HIPAA. It is within the context of consumer credit protections. That is what the Fair Credit Reporting Act is about.

What the FACT Act does is it prohibits a bank and other creditors, in this case, from obtaining and using medical information for consumer-credit-decision purposes, except where the banking agencies determine, if necessary and appropriate, to protect legitimate operational transactional risk, consumer and other needs; and when they make this determination, they are to make that consistent with the intent to restrict the use of medical information for inappropriate purposes.

So that is where we are now. The banking agencies will be making these regulations to implement this, and they have the power to make exceptions. We don't know where that is yet. It's only in the developmental stage. They may craft these exceptions very narrowly or they may be broad. They may be somewhere in between. This is a totally unknown factor at this point.

But the statute itself, given the breadth of it and what its intent to do is to make sure that - to cover one of the things that consumers have been concerned about, which is that their information not be used for making decisions about very important things in their life, their medical information not be used for making those decisions.

The FACT Act doesn't prohibit using payment information for other purposes. Again, this is partially because of what this - you know, the structure of the bill. The bill is a credit that is consumer - you know, Fair Credit Reporting Act is all kind of designed around that. So it is possible that there may be other things out there, but the FACT Act itself, which was designed to plug some of these holes between Gramm-Leach-Bliley and HIPAA, isn't designed to protect against or to prohibit against any particular uses, particularly marketing, which is another thing that consumers don't like. I would say it is not as important as making credit decisions, but it is one of those things that consumers generally are not happy about.

The limits on sharing medical information under the FACT Act are not clear, and if I were to try to analyze this for you here, I would confuse everybody, because it took me a long time to get to this, but let's just say, under the best circumstances, it appears to permit banks to share medical information with affiliates for any purpose that is either permitted without authorization under the Privacy Rule or that is referred to under Section 1179. So I see this as being a potential problem, and when this part of the act was written, which was back in - I think - June of 2003, I'm not sure that the public position had been taken that anything that banks can do under 1179 would be exempt from HIPAA. I'm pretty sure at that point we were still under the - if banks are engaging in really what most lay people consider payment activities, then that is what 1179 was referring to.

So what you have is you have HIPAA saying if a bank is doing something - if a bank is doing a financial activity - engaged in a financial activity, it is exempt from HIPAA, and then when you go to the FACT Act it also seems to incorporate that. So this does not add any additional protection. It just kind of loops back to HIPAA, and so I am not exactly sure how that is going to play out. As I said, I was just going to raise more questions rather than answer them.

But what it looks like is if the banks are fully exempt under Section 1179, then the medical information that they receive isn't fully protected by other laws, and you still have these other uses other than for credit that can go on. You still have the potential for sharing, particularly with affiliates that might happen, and we still don't know to what extent the use of medical information for credit purposes will be allowed under the regulations.

People, of course, have the ability to comment on those when the proposed rules come out and try to make those as tight as possible.

That is only part of the issue, though, and I think this is, again, what - picking up what Kepa was talking about, which is even if banks aren't fully exempt under Section 1179, which there's been a lot of focus on this, that doesn't end the discussion, because you have these intermediaries who are handling medical information, and you are not really sure what their role is.

So this is - you know, when we are talking about the national health information infrastructure in protecting health information as it flows through it, it is still very much a work in progress. We are not anywhere near there yet. We haven't begun to answer the questions.

MR. ROTHSTEIN: Thank you very much. I was afraid we were running out of questions, and you've added some more to our list.

Mr. Casillas, would you like to add some additional questions?

MR. CASILLAS: I would love to.

(Pause).

MR. CASILLAS: Okay. Experiencing some minor difficulties. My computer is now hibernating. Can I do it back over here? Just switch chairs, I guess.

MR. ROTHSTEIN: For those of you on the internet, we are working on our computer presentations, and we'll have audio shortly.

MR. CASILLAS: First of all, I want to thank the National Committee on Vital and Health Statistics for hearing all the issues in the banking space. There are numerous issues, and they are complex.

Unlike my predecessors, we have made some technical conclusions in these areas that, admittedly, are in a state of flux and have been for quite some time. We have held 12 HIPAA-policy roundtables over the last 24 months.

MR. ROTHSTEIN: So they are not sure what the answers are. You are sure, but your mind is continually changing, is that -

MR. CASILLAS: You know, when Kepa says something - and Joy - I have to listen, and Steven Stone. So, you know, you are in a state of flux, but I will say that I think what we will find is that banks are business associates, many times, of covered entities and that, in some cases - and this is a very limited number of cases - banks do perform clearinghouse services that are defined under HIPAA.

I want to just start with what is medical banking. You know, there is an academic way of looking at it. It really is the convergence of banking infrastructure with healthcare administrative operations, and when that happens, there is data - protected health information - which can flow between the two structures, and which has been acknowledged not just by banks, but also my colleagues here.

Boy, this is not good.

In layman's terms, it is utilizing bank IT and knowhow to manage medical transactions.

The remittance transaction is uniquely suitable for banking infrastructure. Banks have been managing payments for many moons and there is a very large value that the remittance brings to the provider when you consider that you really don't know what happens to your claim until you actually get the remittance back, to know whether or not your procedures were paid, partially paid or fully paid or not paid at all.

The remittance itself becomes a very valuable and powerful transaction for the provider and has the potential to literally transform the way the providers do business, and to do that in a very cost-effective way. We estimate that using banks as processor remittances will save this industry at least $35 billion annually, and we don't have to go too far to look at case study in this area. Medicare, when it initiated its electronic-remittance transaction in 1992, really started a whole new niche industry where providers went out to the fiscal intermediary, grabbed the remittance information and automatically posted that into their patient accounting system. We break down the aspects of that - and we'll do that in subsequent slides - to show what that value really represents.

In our mantra, Medical Banking Project, since hospitals are delivering at least $21 billion annually in charitable care, in uncompensated care, we think that digital savings can be converted into charitable resources, and it's really - interoperability is our key focus and not necessarily privacy, although privacy does have an impact.

What kinds of services are banks providing? Well, there are specialized cash-management services, managing cash disbursements for a health plan, for instance. One of the models that is emerging is taking the PHI component - as Kepa was showing the transaction, there's Table 1 and Table 2 data. The Table 1 data, which is the payment information, can be executed through the banking clearinghouse network. The Table 2 data can be removed and introduced or given to the provider in separate channels.

Lock-box specialization is accelerating in the medical-banking space. We have seen a number of press releases - latest one was actually yesterday - where there are banking organizations that are creating specialized remittance - we'll call them remittance clearinghouses for the providers - and, interestingly, the product pathway for this would involve not only sending the remittance to the provider electronically, but also taking that remittance and comparing it with the original claim. In banking parlance, that is called AR matching, but when you do that, what you actually get to see, in as real-time as possible, which is not the current practice today, is all the areas that the provider has to follow up with in order to get what they are expecting as a payment on that claim. So the whole denial-management process becomes automated as well as you cannot issue a secondary bill until your primary has paid.

The area of secondary billing is now becoming more automated, not just for Medicare, now. We are talking about for all the other payers.

I don't have it with me, but I was reading a clearinghouse that submits primary and secondary claims, that does eligibility searches. The clearinghouse performed patient-statement processing with a self-paid deductible. It also permitted you, through a terminal - Okay. This is a little credit-card terminal that can be placed in the provider's office to do credit-card processing. All of those functions are being offered by a national bank. So are banks providing clearinghouse services? Obviously, they are.

There is another bank - I won't mention them, but they are in Puerto Rico - that does eligibility, claims processing as well. So we see this as an emerging area, and there's good reasons why.

We have been talking a lot about how it is going to cost a lot of money to get providers up to steam with IT - administrative IT. Banks have decades of investment in administrative and transactional architecture, which can be leveraged by the providers to really ramp into a national health-information infrastructure. So we see more of this happening, not less. We are certainly tracking more of it happening and not less.

Other areas are card processing and actually leveraging the bank-delivery system to reach all those providers that actually are not even submitting claims electronically by bundling cash-management services.

How does this work? Well, ABC Community Bank concentrates payments and remittances, two separate things. They are concentrating funds - that is, actual dollars - and they are concentrating the data related to those funds. Okay? And it is the data related to those funds that the traditional health-data clearinghouse provides businesses or has a business with for remittance processing.

What does that do? Well, you can automate claim functions. In other words, you can automate cash posting, contractual-allowance processing, reject-note posting and a whole series of other areas. The total savings to do that manually versus digital is about $10 per transaction, which is substantial. In this environment, banks can save the provider industry $35 billion. We call it IOS, Inter-Organizational System. Basically, in today's world, the health plan or the health plan's bank is actually creating the 835. They are distributing it electronically through the ACH network or via paper, through lock boxes or directly to the healthcare provider, and getting that information into the patient-accounting system is happening, for the most part, manually for commercial and self-pay dollars. Okay?

In tomorrow's world, what we see is specialized outsourcing channels that remove the PHI component, possibly - okay? - from the 835 and moves it through specialized banking networks.

There is also the possibility - and we think it is a good one - that banks can take both the data - the payment and the data and move it simply through the ACH network. If that happens, we believe that that should be done under the cloak of privacy, HIPAA privacy.

And, finally, to integrate that data requires point solutions at the provider site that picks up the remittance information and automatically posts it into their patient-accounting system. Those back-office processes are that mountain of paper that we are trying to reduce into a digital stream. Okay?

So - and the actual movement towards this in the banking world is called straight-through processing. The clearinghouse drafted a report talking about straight-through processing in which they did a survey, over a period of time - I think it was like over 12 or even 14 months - where they determined that in order for banks to protect their payment franchise, they need to move data and dollars together through the banking network. So it's a competitive mandate, a strategic mandate for banks as well, and we think it is a positive one for the industry.

In a survey that we did with 53 of the top banks, we found that 50 percent said that they actually provide accounts-payable services for health plans. Accounts-payable services, meaning that the bank is taking in the remittance information from the health plan and creating the 835 that will be sent through the ACH network.

Another question in the survey we asked what percentage of payments do you process for health plans that contain individually-identifiable health information? And in that, the basic metric here is 14.3 percent of those responding said none, that 14.3 percent of the banks that responded said that none of those payments contained protected health information. So the vast majority do.

On the medical-banking horizon, we see the implementation of these models fueling credit access. Right now, there's a lot of non-productive AR assets sitting in medical providers' books and records. In fact, one large healthcare services organization that is very well respected estimated that that was $200 billion annually.

By automating the remittance, we can see the value of a receivable much quicker, and if we can see the value of a receivable much faster, it is possible that we can use that data - I say we, as an industry - we can use that data to actually increase our credit access. I think banks are looking at that.

There are some like boundary-spanning areas, such as how do you ramp healthcare providers into the national health-information infrastructure? Who will be the holder of the keys, let's say in the Santa Barbara County model where there is actually - a public utility was created to hold the master-patient index? Who will do that? Okay?

The ATM network is very sophisticated. It allows me to go to my bank and pull money out of my account and not Kepa's account, for instance. Okay?

The administration of the master-patient index would require much of the same types of technologies, and, yes, there are banks and banking organizations that are looking at this as a possible model for implementing the national health information infrastructure.

What are the loopholes in the HIPAA armor? There are some critical-path policy issues that we see, and I explained some of them before, and I am not going to go over those again.

I have seen security of PHIs move to the banking system. That is one area, and Section 1179 exemption. The two critical areas are banks exempted from HIPAA under Section 1179.

I want to first talk about Section 1179. We have all heard and read that it was intended to exempt the processing of consumer-conducted financial transactions. We have heard from people that have actually crafted and drafted the regulations that it was not intended to exempt banks. We think even this small loophole, if you will, for consumer-conducted transactions will emerge as a more important issue as we get into how banks are implementing HSA strategies; that is, for the health-savings account. Will the bank get more involved in claims processing? And we think banks, likely, will get more involved with claims processing.

Another aspect of this debate is what is called the payment theory, and I credit Oliver Ireland for verbalizing this, and it is really interesting, and in Section 1179, it talks specifically about payment activities. Okay? Does that payment represent dollars and data or does it represent just dollars? Because we can take all of the functions in Section 1179 - processing, collecting, clearing, settling. They all refer to the movement of dollars and not data. So Section 1179, in our view, exempts payment, not remittance processing. Remittance processing is an entirely separate channel.

Can the business-associate contract alone work? This is a good question. The issue here - let's say that Section 1179 exempts banks altogether. Okay? We still have the business-associate contract which was implemented in the statutory scheme, so that if a covered entity provided protected health information to a bank, it would be protected. We have that still, whether or not we exempt banks. The question is, if that is the case, then why did we name the clearinghouse as a specific covered entity in the rule? Because every clearinghouse would also be a business associate following that logic. It's a question. If we exempt all clearinghouses, maybe that is a solution or we can make sure that all clearinghouses comply.

The provider's bank, in our reading of the NACHA operating guidelines, is not required to convert incoming remittance data into the HIPAA standard, but required to convert it to a mutually-agreed-upon electronic format. So there has been some talk that HIPAA automatically makes some RDFIs clearinghouses under the HIPAA rule. We don't think that that is the case.

If we expand the loophole - okay? - from consumer-conducted financial transactions, what is the macroeconomic impact? We see banks acquiring clearinghouses. I will tell you that we see that happening whether or not we exempt banks or not from Section 1179. What HIPAA has done is it has turned the spotlight, in terms of processing, into this area, and it is revolutionizing medical-remittance processing.

Clearinghouses may change their charters to become banks. In that case, you would have clearinghouses that are regulated under HIPAA and bank-owned clearinghouses that would not be regulated under HIPAA, and in that uneven statutory terrain or regulatory terrain, how do these few market structures align with each other? And, really, is that really going to happen? There is a strong possibility that it would if we exempted banks under HIPAA, which presents the potential for a two-standard system for HIPAA, one non-HIPAA.

We also think that the progress that we have made may be stalled, and we have made significant progress in this area.

The reason why I would stall is because banks may consider, well, if we are exempt, then do we want to align with a HIPAA clearinghouse? Maybe we want to do that by ourselves. So there is reason for consideration from a macroeconomic viewpoint on this issue.

Medical-records privacy is another issue, and there's panelists here that I think I'll let take that issue further, but both electronic and paper remittances do have protected health information. In all cases, paper - well, most cases - and electronics sometimes, sometimes not. When lock boxes are processed, these payments for a healthcare provider, lock-box personnel, you have access to protected health information. Many times, they are taking that information. They are putting it in rubber bands. They are putting it into filing boxes and getting it off to the provider, so that they can manually post that information.

Other lock boxes have specialized to they are actually taking pictures and they are imaging all the remittance information so they can provide a CD back to the provider, and some lock boxes are actually trying to create and creating the 835 from all that information that is coming to them manually. In that case, there is a non-standard to a standard conversion, and that may qualify as a HIPAA clearinghouse.

And there are other lock boxes that go beyond paper. They are actually collecting the ACH transactions or it is going to an EDI department in the bank for conversion.

There are ACH issues. The 835 may contain Table 2-protected health information. When the ACH manages the remittance transaction, will the ACH be considered a clearinghouse or a business associate? As a result, many banks are business associates.

And then we talked about the whole area of intermediaries; that is, you have the health-plan's bank and the provider's bank and all the financial clearinghouses in between, and do they fall outside of the web of protection provided by HIPAA?

We think that the best thing that could happen is if we encouraged the bank-based healthcare stakeholder in American healthcare, because we believe that is how much value banks do bring to this equation. So we think policy in this area should be created so that it does encourage the stakeholder.

However, there are special cross-industry issues, and there needs to be a panel, I think you will discover, after you have gone through these two panels, to discover what these unique policy issues are.

The clearinghouse debate, it would be great if there was a HIPAA gap analysis of the ACH network. Maybe there are no issues, but we don't know that, and that creates a problem for privacy advocates, and probably for the typical consumer.

Also, healthcare credit practices. This was an area that we brought up some time ago at our last time when I spoke at a hearing here, where you have banks that have assets which are secured by the provider's medical AR, which, under a bankruptcy situation or under a violation of a loan document, automatically bring those receivables into the bank. Absent a business-associate contract, the extension of credit isn't necessarily a pretense for establishing a business-associate contract.

The other issue is how does one who is - if someone's PHI is disclosed, do they go to the OCC? Do they go to HHS? How do they file or cast a complaint on that, and how is that followed up?

And, finally, I want to applaud the regulators, because HIPAA has energized the medical-banking industry. Even with these loopholes, we consider this a major policy success, because banks are involved, and the macroeconomic effect of that is we will see reduced healthcare administrative costs as a result of the banking stakeholder.

MR. ROTHSTEIN: Thank you very much.

Let me just advise people about the change in our schedule, at this point. We will not be taking a break. We'll be going to Mr. Stone as soon as I finish describing this.

We had a change in our afternoon schedule, and the two law-enforcement panels have been combined into one, which will be from 1:30 to 3:00. We'll have our lunch break from 12:30 to 1:30, and then the public-comment period will be moved forward from 3:45 to 3:15, after a brief break. So we are actually ahead of time, in case you thought we were behind schedule.

And so now we'll go to Mr. Stone. Thank you.

MR. STONE: Mr. Chairman, members of the committee, thank you very much for the opportunity to speak here today.

My name is Steve Stone. I'm a Senior Vice President at PNC Bank in Pittsburgh, and I'm here today representing the American Bankers Association and the National Automated Clearinghouse Association.

At PNC, I am the Director of Product Management, and I have responsibility for our product development and delivery and distribution, all of our cash-management services, and that includes our suite of healthcare products.

Today PNC has over 1,100 healthcare customers, and in December of 2003, we processed more than a million claims on behalf of those customers. So we have some experience in the area.

Before I begin my prepared remarks, I would like to actually comment on a couple of things that previous presenters spoke about. Mr. Casillas mentioned the notion that clearinghouses might become banks. I find that a bit difficult to understand, particularly given the additional regulatory burden that they would be exposed to, the capital requirements, the governance issues, the public accounting, the oversight. It would be an enormous burden for a clearinghouse to move from a fairly unregulated environment to a highly-regulated environment. So while it is possible, it strikes me as highly unlikely.

Several of the commentators have mentioned that the ACH transactions, an 835 payment could contain PHI going through the ACH system. That is absolutely a possibility. We think in reality, however, that happens relatively infrequently today, frankly, because the payers are uncomfortable about whether or not that is, in fact, an accepted practice.

So while we can support it, as can a number of financial institutions, we have no customers at the PNC Bank today who are using that particular payment methodology, nor have we talked to any of the major cash-management or healthcare originators who are using it, but there probably are some out there.

However, most of the payers that we have talked to are taking a very conservative approach until they understand whether or not this is an acceptable practice, and that is part of the reason we are looking for some support from HHS.

And, finally, I guess just to kind of clarify some issues regarding the ACH process - I apologize. I wish I had brought a PowerPoint. I normally love PowerPoints. If I get to come back, I'll bring a PowerPoint next time.

We did bring some handouts, and, frankly, at a high level in an ACH transaction perspective - I think the committee members may have a copy of this attachment - the ACH process is really fairly straightforward. The number of intermediaries that may be introduced in the ACH process are actually relatively few. There is an originating customer. There's an ODFI, originating depository financial institution. There is an ACH operator that sits in the middle of the transaction that is generally either the Federal Reserve or the Electronic Payments Network in New York. There is a receiving depository financial institution, and there is a receiving customer, and, by and large, those are the participants that are defined under the ACH rules, and those are the participants that normally are going to handle an ACH transaction.

We have also provided to the committee - and, Kepa, you can check me on this to make sure that we did this correctly. If there is a mistake, it is mine, not one of our EDI people. This is actually what an 835 that contained a healthcare transaction would look like. The yellow information is the ACH information. The blue information is the Table 1 information, which actually has specific payment guidelines on it, and the green information is the Table 2 data, which would be the PHI.

Now, lacking a translation utility of some type, the PHI in this transaction would be difficult for anybody to decipher. It is not easily read in this format, which is why so many people are looking for some human-readable or more understandable plain English version of what a healthcare transaction would look like. So we provide that just for your information.

Let me jump back into my prepared remarks here for a few minutes, and I'll be fairly brief here, I think.

We do appreciate the opportunity for the banking industry to state its case directly to this subcommittee. A lot of people outside of the industry have attempted to speak for us, and we feel it is important that we be heard directly.

And, at the outset, we would like to make the following points which we will elaborate on further as we get to the rest of the testimony.

First, financial institutions are not trying to avoid the privacy and security requirements contained within the HIPAA regulations.

Second, the ABA and NACHA are unequivocally opposed to data mining ACH or other financial institution records for medical information.

Third, only financial institutions are examined for compliance with numerous privacy and security regulations, and those examinations occur on a regular basis.

And, finally, the processing of electronic remittance advice is just one of two parts of a payment, along with an electronic-funds transfer. Those two parts together are, in fact, the definition of a payment, an electronic funds transfer and a remittance advice together. As such, it is part of the payments process, and banks engaged in the payment processing are, we believe, exempt from the HIPAA transactions standards rules under Section 1179.

The banking industry fully supports the protection of consumers' private medical information under HIPAA, and, indeed, consumers' sensitive financial information of any sort.

First and foremost, we understand, and we appreciate the sensitivity of protected health information. Indeed, the personal financial information that financial institutions have long protected is equally sensitive. Financial institutions exist for one reason, because the public trusts us to protect and preserve their assets, their information. If we fail in that mission, if we violate that trust, we will not be in business for long.

So let me state for the record that financial institutions are not trying to avoid the privacy and security requirements contained in the HIPAA regulations.

Our critics have misconstrued our position on the scope of the exemption for financial institutions in 1179 as meaning that the HIPAA Privacy Rules will not apply to banks' handling of PHI, and that is simply not the case. We fully expect that financial institutions that have access to PHI will be business associates under HIPAA, because they have customers that are covered entities, and, as business associates, will be subject to HIPAA's privacy and security rules, and although we may not be covered entities, our responsibilities, particularly in the area of privacy, will be virtually the same as the duties of any covered entity.

In 2002, the ABA and NACHA formed a committee, the Banking Industry Task Force to address HIPAA's impact on financial institutions and worked with HHS and groups across the country to help financial institutions prepare.

As part of that effort, we modified the HHS model Business Associate Agreement to take into account the many different laws that apply to our industry. The Task Force also developed a privacy checklist for financial institutions that are or that will be business associates, to coordinate that work with their Gramm-Leach-Bliley Act privacy, and a copy of that document has been attached to this testimony as well.

Recently, there have been some unsubstantiated allegations concerning financial institutions' use of consumers' private medical information. The most notorious example is the one referenced in the preamble to the first HIPAA privacy proposal describing the banker who, when he learned at a county health-board meeting that certain individuals had cancer, immediately called their loans.

However, according to the Wall Street Journal, the government's source of this anecdote, C. Peter Waegemann, Executive Director of the Boston-based Medical Records Institute, acknowledged recently that he heard the story from a source that he trusts, but was never able to verify it, and I quote, "I tried many times for many organizations to retrace it, but I never found the banker." This story may well be apocryphal.

Privacy advocates have alleged that financial institutions have expressed strong interest in data-mining information they obtain through transactions and in using this information for marketing to their existing customers, finding new customers and evaluating credit risks. As we have stated previously, there is no evidence of strong interest in data mining of personal health information by financial institutions.

Moreover, the ABA and NACHA wish to go on record as stating that we unequivocally oppose data mining of ACH or other financial institution records for medical information.

Concerns have also been raised that credit-card users must have data-mined credit-card information in order to provide their customers with annualized, individualized categories of credit-card spending, including medical products and services. In fact, credit-card companies merely aggregate such charges based on the merchant category codes that are assigned to those merchants when they apply to accept credit cards initially. Credit-card issuers send these statements to their customers as a convenience, particularly at tax time, so that card holders can have a consolidated list of various types of expenses.

Financial institutions are currently examined for compliance with the privacy provisions of the Gramm-Leach-Bliley Act covering nonpublic personal financial information and its implementing rules on a regular basis. In addition, financial institutions have long been subject to the highest standards of information security. Particularly in areas where funds are actually being transferred, the availability of information and equipment is strictly limited to those who must have access to it to perform their jobs. Failure to do so - failure to restrict that access could provide enormous opportunities for theft of funds, and any third parties to whom banking functions are outsourced must agree to the same security and confidentiality requirements as the financial institution itself. In addition to the banking agencies' rules, NACHA's rules separately require that ACH departments be regularly audited.

In June 2004, regulations implementing the medical information provisions of the recently enacted Fair and Accurate Credit Transactions Act, or the FACT Act, will become effective. The FACT Act prohibits creditors from obtaining or using consumers' medical information, as that term is broadly defined, when making a determination of initial or continuing eligibility for credit, other than as exempted by federal regulators. The agencies are currently drafting these new standards and are considering the appropriate use of medical information generally in the form of debts to medical providers received in applications for credit. Thus, in June, financial institutions will be prohibited from improperly basing credit determinations on medical information, if they ever did, which we strongly doubt.

Section 1179 says, in essence, an entity that engages in the activities of a financial institution is exempt from the HIPAA transactions, privacy and security rules. Congress placed no limitations on these activities, but rather enumerated certain payment-processing activities to ensure they would be covered by the exclusion. The provision of the regulation has caused considerable speculation among members of the healthcare community. Would this give financial institutions an unfair advantage? We think not.

A payment is composed of two parts, according to the regulations - an electronic funds transfer, or EFT, and an electronic remittance advice, or ERA. A number of people want to use payment and EFT synonymously, but they are, in fact, different. A payment, as its name implies, there is a known debt between two parties, and the funds are being exchanged to reduce or to eliminate that debt. For the party receiving the payment to recognize it and apply it properly, it has to be accompanied by some level of remittance information, and the more complex the relationship between the parties, the more remittance information is needed for the payment to take place. A funds transfer without explanation does not constitute a payment because the receiving party cannot apply it.

Moreover, the Office of the Comptroller of the Currency, or the OCC, as long ago as 1988, determined that transmitting patient-treatment information between insurers and providers was "incidental to the business of banking" under the National Bank Act. Since that time, there have been many other OCC precedents related to healthcare insurance-support services. In addition, in 1994, the Federal Reserve Board determined that the operation of a medical-payments network, including the processing and transmission of medical and coverage data, to be a permissible activity for bank holding companies. As a result of this history, we can only assume that Congress must have been aware of these interpretations when it enacted HIPAA in 1996.

We believe that the exemption from the HIPAA regulations when engaging in payment activities, such as the processing of 820s and 835s, clarifies some oversight and some enforcement issues, but it does not diminish the protections of PHI that are required under HIPAA. Moreover, in terms of volume, the 820s and the 835s are but two of the eight approved transaction types, and not even the most numerous of the types of transactions that might be handled under HIPAA.

Importantly, financial institutions that venture into areas of eligibility testing, claims submission, et cetera, have moved outside of the protected payments space created by Section 1179 and would be subject to applicable HIPAA regulations like any other clearinghouse.

In summary, the ABA and NACHA wish to reiterate that financial institutions are not trying to avoid the privacy and security requirements contained within the HIPAA regulations. Moreover, ABA and NACHA are unequivocally opposed to data mining of ACH or other financial institution records for medical information. Only financial institutions are routinely examined for compliance with numerous privacy and security regulations, and are subject to significant penalties for failure to ensure compliance. Processing ERAs is a part of the payments process and is exempt from HIPAA transaction standard rules under Section 1179.

And, finally, that exemption confers no competitive advantage on financial institutions vis-a-vis other healthcare clearinghouses. In fact, our responsibilities with respect to privacy and security will be virtually the same as any other covered entity.

We think Congress and the drafters of this legislation recognized rightly that financial institutions play an integral role in payments processing and wanted healthcare payers and providers to be able to retain those relationships.

Again, we thank you for the opportunity to present our views.

MR. ROTHSTEIN: Thank you very much, and we will begin our questioning now. So members of the subcommittee? Anybody have questions?

Mr. Reynolds.

MR. REYNOLDS: No one on the panel seemed to state - why wouldn't it be good for banks to be included in the HIPAA law? We hear all the discussion and - you understand the 835, looking at your chart. The 835 contains everything that came in on the 837, which is different than the current remittance processing that is going on in most of the industry now. So it's just a question. Everybody raised a lot of questions, but why wouldn't that just be the easiest thing to do?

MR. STONE: Let me take a shot at that, since I represent the banking industry here.

As we have looked at the issue regarding banks as clearinghouses and banks being covered under HIPAA, there are a couple of difficulties in terms of reconciling regulatory positions that we would have to deal with to make that operable. We have a question of who has regulatory preeminence, whether it is going to be HHS, and/or OCC and the Federal Reserve, in the case of state-chartered banks, and so there is still a regulatory oversight coordination effort that has never been resolved. We think having banks excluded from HIPAA, frankly, takes that issue off the table, eliminates that question as to who has oversight responsibility for financial institutions.

There are also a couple of areas in the requirements for clearinghouses that a bank may not be able to honor, and, at the same time, fulfill its other fiduciary responsibilities as a bank.

For example, there are situations where a clearinghouse, because it may be the holder of a designated record set, has to make amendments to certain records that are in its possession.

A financial institution, on the other hand, because it is handling payments, cannot really amend the record of a payment that has been previously processed. A clarifying or correcting entry could be submitted and the bank could process that as well, but the bank cannot go back and historically change the record of a payment that has been successfully handled already.

So there are several other examples like that. There are some notification requirements that clearinghouses may be required to make that financial institutions either would not normally make or might be inconsistent with other reporting requirements that financial institutions have. So there's a lot of work that would need to take place there.

Then, I guess the last issue is a quick reminder here. On the receiving depository financial institution side, that last party in the transaction that gets the data, that party has a responsibility for making that data available to the ultimate customer in a format that is mutually acceptable. Now, that may be, in the case of a sophisticated customer, a straightforward 835 non-translated original-form transaction, but for many providers, particularly smaller providers, that is going to take some other form. It is going to be a simplified record, a human-readable record. That would potentially put that bank in the position of inadvertently becoming a clearinghouse and the bank is basically going to be caught in an untenable situation if the bank is kind of stuck between these competing sets of rules - I've got to provide this information, but doing so makes me a clearinghouse. Making me a clearinghouse, then, makes it impossible for me to meet other responsibilities that I have.

MR. ROTHSTEIN: Mr. Stone, let me follow up on that by asking you a couple of questions, based on your testimony.

As I understand your written and oral testimony, some banks, in your judgment, perform in the role of a business associate or as a clearinghouse, and I believe that was Mr. Casillas' testimony as well.

The question that I have is when those banks assume those roles, is it your information that they comply with all of the requirements under the Privacy Rule that apply to covered entities, in the case of clearinghouses, or do they execute business-associate agreements when they act in those roles?

MR. STONE: We have recommended to financial institutions that they participate in and execute business-associate agreements when they are engaged in healthcare processing. The responsibility for obtaining a business-associate agreement lies with the covered entity. So the payer or the provider really has the responsibility of soliciting and obtaining that information prior to the release of PHI to its business-associate partner, financial institution or otherwise. So we recommend it. We strongly recommend it. We have drafted language to help financial institutions understand what they should be prepared to commit to if they are going to be a business associate.

In terms of what those organizations have to do if they are a clearinghouse, there are only a couple of banks in the country that have kind of voluntarily declared themselves to be healthcare clearinghouses. As to what those banks have done for their own compliance, I cannot speak to that directly. I can speak to what we have done from a compliance perspective, but I have no idea what the other banks have done.

MR. ROTHSTEIN: Well, let me open it up to the other panelists, and I'll repeat the question. From your experience, the banks that engage in practices that would make them business associates, are they asked to? Do they, in fact, sign these business-associate agreements, not who has the responsibility for soliciting it? Is that a common practice or is the concept of business associate sort of alien to the banking industry?

DR. ZUBELDIA: We just came from Puerto Rico a couple of weeks ago, from a clearinghouse that has been acquired by a bank, and they are fully cognizant of HIPAA, and because they have a clearinghouse, they have set up the barriers to separate the clearinghouse from the bank, and it is an arms-length relationship with the full HIPAA protections that a clearinghouse has to make sure they have in place. HIPAA says that when a clearinghouse is part of a larger entity, they have to have the barriers between the clearinghouse and the rest of the entity, and we know that is, in fact, the case, in this specific institution in Puerto Rico.

MR. CASILLAS: That is also the case for another large bank that classifies themselves as a hybrid covered entity, where they are implementing the policies and procedures of HIPAA for that entity, creating sort of like Chinese firewalls between them and the rest of their operating units, so that they will comply fully with the HIPAA regulations for that entity, but they don't have to - the whole bank does not have to do that.

Just to follow up on the business-associate question, there are a number of banks that have called the medical-banking project about the business-associate contract, and my sense from listening to them talk is that they are executing and signing business-associate contracts when asked to do so.

MR. ROTHSTEIN: Okay. I have a couple of questions for Ms. Pritts as well.

I know that your organization routinely gets inquiries and complaints and the like, questions from consumers, and the question is do you have any evidence of the improper use or disclosure of protected health information by anyone in the banking system?

And sort of the second part is even if the first answer is no, do you have any evidence that consumers, fearing the misuse of that information, are reluctant to undergo medical procedures because they are afraid that this information would be available?

Sort of the background of that is we know that from various consumer surveys that 70 to 80 percent of people say they would be reluctant to undergo genetic testing if their employer could get access to the result.

Has this banking issue reached consumers, patients, to the extent that they might act on that in their healthcare decision making?

MS. PRITTS: Well, I am going to answer your first question first, which is I don't think that there are any documented stories out there of banks misusing people's medical-record information. I have - other than the one that had been used in the Senate - in the hearing that was - Wall Street Journal fellow followed up on. That is the only story that I am aware of, and that proved to be - they were not able to document it.

But I will say that I have a few points to add on to that. One is that I think that sometimes perception of people is almost as important as reality, and I would be - I tell you, when you talk to people - you know, they did this survey and they say 95 percent of adults don't want banks to have access to their medical information without their permission. People have a very visceral reaction to anybody who is in a position to make very important decisions about their life having access to their medical information. They don't want their - they don't even want their health insurers to have all the information, and they are an integral part of the system. They don't want life insurers to have all the information. They don't want banks to have the information. They don't want their employers to have the information, and the reason is that these are institutions that they perceive as being able to make really important decisions about their life.

So I think that sometimes when you are dealing with the public, you need to recognize that their perception is very important to them, and although I think people trust banks in certain ways, in certain aspects, they trust them to handle their financial information, but they also trust them that they are going to get - you know, when you're dealing with a credit-card company you are going to get 10 solicitations in the mail for other products, and they are not so sure they want their medical information treated quite the same way.

You had a second question. I'm sorry. I went on so long, I forgot about it.

MR. ROTHSTEIN: Oh, you were actually answering the second question.

MS. PRITTS: Okay.

MR. ROTHSTEIN: (Laughter).

MS. PRITTS: The other thing is that most people right now don't know that banks may be in a position in the future to be processing health claims, and I think that takes it to a different level for most people.

You also had asked, I do recall this, about whether people avoid treatment.

MR. ROTHSTEIN: Right.

MS. PRITTS: I don't know that they avoid treatment. I think they might avoid - they are very careful how they phrase things, and I have heard this from a number of different sources. I have dealt with a number of different what I would call consumer-disease organizations of people who have certain diseases, and what they almost - whether or not they need to do this is, again, the question, but what they do is when they tell somebody, oh, you're refinancing your house? Whatever you do, don't tell them you've got cancer. So this is what is the kind of thing that is out there. It makes people anxious. Whether or not they are avoiding treatment, I don't know. I think it is more likely that they are very careful with how they treat their health information when they apply for a financial product.

MR. ROTHSTEIN: But I think in - probably in the normal course of medical treatment, I would guess - and I'm happy to be corrected - that in the standard notice of privacy practices, few healthcare providers disclose that information, you know, PHI could be revealed in the payment chain. Kepa, is that your sense?

DR. ZUBELDIA: The ones that I have seen say that the information will be used for payment -

MR. ROTHSTEIN: But not necessarily to a bank. I mean, assuming that it would be like the health-insurance company or HMO or -

DR. ZUBELDIA: Yes, they don't specifically go into the details as to what happens and who will have access to it as part of the payment process.

MR. ROTHSTEIN: I have one last question, and this is a legal question, and that is do you think - suppose that we wanted to ensure that the banking system, in all of its permutations, would be clearly subject to HIPAA, given the language of 1179, do you believe that it is possible for the department - that is, HHS - to construe 1179 as limited more narrowly to the consumer side - you know, consumer pays with a credit card, et cetera, et cetera - or do you think it would require an amendment by Congress to 1179 to have a broader coverage of banking transactions - I don't want to get into exactly what I'm talking about - within the ambit of HIPAA?

MS. PRITTS: And you're asking that question to me -

MR. ROTHSTEIN: Well, this is a legal question, so -

MS. PRITTS: Well, okay. I am a lawyer. I have looked at 1179, and, in all honesty, I think that it depends on what legal hat you want to put on.

If you were Justice Scalia and you read Section 1179 - for those who are not into the judicial scuttlebutt, Justice Scalia is a very strict constructionist, and he would look at this and he would say, there is nothing on the face of this statute that indicates that it is limited to consumers, and he may stop right there.

If you were before Justice Stevens or Breyer, they would look at this and say, when you look at the whole schematic of how this works - and there are some additional problems with the way 1179 is written that causes additional problems, because it doesn't say to the extent you are engaged in the same financial activity for which you originally received the information, for example.

So the exemption, when you read it, is really very broad, and they could say, this doesn't really make sense. To read it on its face does not make sense, and, at that point, you get into the legislative history of it, and I think if you get to that point, it is pretty clear that - well, I won't say it's clear. Everybody has their opinion, but there is a significant indication that it was meant to be read as being consumer-oriented transactions and that when financial institutions were doing some other sorts of things that they would be subject to HIPAA.

Following that up, I have a question here that I wanted to ask about that, because I've got this letter that ABA sent to HHS where it says, as clear from the above, the plain language of the statute exempts from any regulations promulgated under the admin - any entity engaged in the activities of the financial institution. Nothing in Section 1179 restricts exempted activities to those involved in the payment system.

So, to me, that statement was a lot broader than what I heard today, and I would be really curious to hear a clarification of it, if I could.

MR. ROTHSTEIN: Well, we may get that for you from one of these witnesses, but I would like to give Mr. Casillas and Mr. Stone an opportunity to comment on the original question that I asked about, whether you think that there is sufficient statutory authority - depending how you construe 1179 - to more closely regulate the banking transactions. Mr. Casillas?

MR. CASILLAS: We believe - and we have taken each one of these words, literally, and have plotted them. You cannot clear and settle a remittance. A remittance is - you can clear and settle a payment, but clearing and settling is not done with remittances.

So if you look at the statute in aggregate and look at all the functions that are listed, I can show you where each one of those words in the financial arena - okay? - means something with respect to processing dollars - okay? - and not the remittance that accompanies those dollars, and it is the remittance that accompanies those dollars, obviously, where we have this problem with privacy.

So we believe that you can - it is a view - you can take Section 1179 and exempt just consumer-conducted financial transactions.

MR. STONE: We went back and looked at this. We tend to think that literal constructionist versions, strict interpretation, would, in fact, suggest that there can be no limits placed on banks in their ability to process payments under HIPAA. The banks should be - payment processing should be excluded from the regulation.

If, in fact, that interpretation were to change, that - my opinion - I am not an attorney, but in my opinion, they would need to modify it or amend Section 1179.

We actually engaged Peter Swire, who is today a partner of Morrison & Foerster and a professor of law at Ohio State University, and formerly was Privacy Counsel in the Clinton Administration, when this regulation was passed, to ask him his interpretation, because he was at the table; and his interpretation is, frankly, consistent with the banking industry's interpretation that this was not - while it may have originally been initiated by advocates who were trying to exempt certain kinds of consumer payments, in its final writing, the intention was that financial institutions would be exempted from this legislation.

So his participation in the process would tend to support our general conclusion from having read the language of the legislation.

MR. ROTHSTEIN: Well, lucky for us, we actually have the drafter of 1179 here who has graciously agreed to explain what it was he had in mind, and with the consent of my colleagues, I would like to ask -

MR. GILLIGAN: Excuse me. I'm the person who worked on Section 1179, then had it - was instrumental in getting it included in the -

MR. ROTHSTEIN: How do you know I wasn't referring to you? (Laughter).

DR. BRAITHWAITE: I'm Bill Braithwaite. I was working for the -

MR. ROTHSTEIN: If you would like to comment, we certainly would appreciate your comments as well. So if you would like to come to the table, we'll hear from you next.

DR. BRAITHWAITE: I was working for the professional health staff of the Senate Finance Committee at the time that this language was drafted in 1994. It, along with most of administrative simplification language, finally got attached to HIPAA when it was passed in 1996, and as Tom has sort of mentioned offline, the original language was proposed by him representing the Visa and MasterCard organizations that he was lobbying for, and, after some negotiations about the actual words, was adopted with the intent to exclude consumer payments, either those by credit card or those by check, from the standards being set by HIPAA. It was not intended to exclude anyone else for any other purpose.

MR. ROTHSTEIN: Okay. And could you identify yourself for the record, please?

MR. GILLIGAN: My name is John Gilligan, and, at that time, I represented MBNA, which is a credit-card company based in Delaware. With MBNA came Visa and MasterCard, and we lobbied Congress and the Administration on this issue for several years.

One of the other things that is in the legislative report language is that it refers to an individual making use of the payment system, the credit-card system, what have you, in the use of the word individual, rather than the word person. Definitely, person would have meant - could have included a corporate person, but individual, definitely, in my mind, and I believe the mind of others, it's clear that this was consumer personal use of the payment system.

MR. ROTHSTEIN: So am I correct in saying that the two of you agree that it was intended to be for individual credit transactions? Is that your -

MR. GILLIGAN: Credit cards and checks.

MR. ROTHSTEIN: Credit cards and checks.

MR. GILLIGAN: In other words, a transaction in the financial institution where the consumer signed the bottom of the check -

MR. ROTHSTEIN: Right.

MR. GILLIGAN: - or signed a credit card transaction -

MR. ROTHSTEIN: And that's -

MR. GILLIGAN: - authorizing a use of the payment system to get his bill paid.

MR. ROTHSTEIN: Okay. So -

DR. BRAITHWAITE: And I agree.

MR. ROTHSTEIN: All right. So we have a difference of opinion from people who were at the table when that language was drafted, and the subcommittee will take note of that.

We have a few more questions. John.

MR. HOUSTON: Yes. Get down to brass tacks. I'm still trying to search for what - are there any changes required to the Privacy Rule? Obviously, 1179 might require some clarification, but I'm still trying to understand whether there are specific issues that we need to make recommendations regarding with respect to the Privacy Rule. Is there something else broken that needs to be dealt with, and are there ways to deal with 1179's unintended consequences with regards to having some type of a recommendation with regards to increasing the scope of what a business associate is or a clarification of a what a business associate is to cover this gap?

DR. ZUBELDIA: My first recommendation would be that until this issue is settled, there should be a recommendation to healthcare providers and payers to consider the financial system as potentially not in accordance with the spirit of HIPAA privacy, and perhaps a requirement that there be business-associate agreements to protect the privacy or they would have to avoid sending PHI through the financial system.

MR. ROTHSTEIN: Is there any way that the banking industry and the payment chain can do what it needs to do with less PHI, in your judgment?

DR. ZUBELDIA: I believe they can. It's only in those value-added services, such as lock box and value-added clearinghouse services they need the PHI. I believe that in order to accomplish the payment purposes of those transactions, they don't need the PHI part, and that is why, for instance, the CCD and CCD+ which effect the majority of the electronic-funds transfer in the country don't have addenda records - more than just one addenda record, and they can effect payments with the Table 1 of the 835 and Table 1 of the 820 without ever seeing Table 2, and that would work perfectly well for the banking system, except that if they want to get into value-added services, which would perhaps classify them as clearinghouse services, they would need those Table 2s.

MR. ROTHSTEIN: John, did you have further questions?

MR. HOUSTON: Just for a followup, though, I mean, I thought the designation as a clearinghouse is a fairly specific event, though, in a way. So I can't imagine a bank sort of on an ad-hoc basis sort of expanding its role without some type of agreement from the covered entities on which they are performing these transactions that that is, in fact, what they are. So -

DR. ZUBELDIA: The definition of clearinghouse is strictly data conversion or format conversion. So you have lock boxes that get paper remittance advice. You have banks that could be getting 835 with Table 2, just to route the table to a provider without converting anything, that would be exposed to PHI without ever being a clearinghouse.

MR. HOUSTON: Right. But they could always be a business associate, even if they do certain functions that could be characterized as clearinghouse functions, correct?

DR. ZUBELDIA: Yes.

MR. HOUSTON: And so, therefore, it would still keep them within the framework of being a business associate and put the agreements in place, appropriately control and protect PHI on behalf of the covered entity.

DR. ZUBELDIA: So perhaps guidance to the providers and the payers would be appropriate, that they have to have those business-associate contracts in place in order to use these non-HIPAA clearinghouse services that are value-added services that are very efficiently done by the bank.

MR. ROTHSTEIN: Okay. Mr. Reynolds.

MR. REYNOLDS: Yes, we have noticed that as the states recognize what would be considered loopholes in HIPAA they are passing law. Have any of the panelists seen implementations across the country that would relate to this subject of states stepping up and doing something differently than what we have talked about here this morning?

MR. CASILLAS: Yes, we actually did a little study, actually, on a state-by-state map on protected health information as HIPAA defines it and have found a very - it is very uneven in terms of what a bank can even when you sell a receivable or you hold it - you collateralize a loan against it, the transferring of that receivable would not be allowed under some state regulations.

So another aspect of your question, though, which is interesting in this area, is you cannot stop a bank from accepting deposits - okay? - it's almost constitutional theory. You cannot do that, and to the extent that HIPAA's preemption scheme permits all these different regulations across the state or the country and that does impact deposit taking, it would be very hard to implement HIPAA for those banks, if that makes sense. I mean, in other words, a bank will always be able to accept deposits, according to that interpretation. I guess that is all for that.

I would say one other thing, that I think that if you just affirmed - if CMS simply affirmed the current regulation as is, I think all the other difficulties would take care of themselves in our study, but what we are being asked to do is exempt banks - okay? - and we think that is where we run into difficulties.

MR. ROTHSTEIN: Well, I want to thank all of the witnesses and our extra unscheduled guests for sharing their expertise with us.

We will take a break until 11:30, and then the second panel, which only has three witnesses, will go from 11:30 to 12:30 and then we'll have lunch from 12:30 to 1:30.

So we are in recess.

(Brief Recess.)

Agenda Item: Banking - Panel 2

MR. ROTHSTEIN: Having raised a number of fascinating issues in Panel number 1, we are going to be able to solve all of them in Panel number 2, and our first solver of issues is Mr. Tom Dean.

MR. DEAN: My name is Tom Dean, and I am here to further muddy the waters, I think. I'm not sure.

Let me just tell you my background is I have a lot of experience in the processing of payments. I have held various management positions at a number of companies that service banks and help them to process payments.

Most recently, I hold a position as Executive Vice President of Advanced Financial Solutions, and Advanced Financial Solutions processes payments for and/or facilitates check processing for 7,500 of the 20,000 banks in this country, and we have a subsidiary organization, Medical Banking Exchange, that I am the President of, and so I come to you today as neither a privacy expert nor - in the banking industry or the medical industry, per se, but, really, in hopes - what would be my purpose then? I'm hoping that I can help frame the discussion a little bit and to try to help you understand the growing role that I think banks are playing in the whole administrative - process, and hopeful that the framing of your discussion and thought processes related to privacy, business-associate agreements, covered-entity status will be framed properly, given the role that I see banks playing today and in the future.

One of the disadvantages of following people like Kepa and John Casillas is they have already said most of what you are going to say, and they have articulated it better than you can. So I'll try to be brief on some of the things that have happened, but, essentially, one of the things that we see happening is a great focus on the remittance area. There has been some administrative simplification related to electronification of claims, automatic adjudication, and, now, what is the big next step is to simplify or automate the whole remittance side of the world.

And, in doing so, we need to realize - and I think it is inherently obvious - that financial institutions are the entities that get to transfer and settle payments, and payments are inexplicably attached to the remittance data; that is, the patient-accounting data, the private-health information that we are all concerned about, when it is attached to a remittance is also attached to the payment or the transfer of funds, and the only entities that can do that are banks. So banks cannot be necessarily excused from the discussion, regardless of even if you separate the private-health information and the payment and they take different paths, because someone has to reconcile the money in the bank to the remittance data that is received by a provider, and the only entity that really could do that effectively, is a bank.

Banks are, today, performing clearinghouse functions. Again, the best example of that is a lock box that opens a paper remittance, deposits the associated check and then is asked by a provider to extract the detail data from that paper and put it into a format, when that provider says, well, gee, since I get electronic remittances in an 835 4010 format, why don't you just take that data off of the paper, extract it off the paper, and then present it in the same format? Banks are transferring, and this is happening today, and there are many different banks that are doing this today. They are taking that information for some of their provider customers, and they are formatting it into an 835.

In addition - and Kepa explained the ACH transactions very well - one form of an ACH transaction is a CTX. In a CTX, you can encapsulate an entire 835. However, many providers - and providers come in all shapes and sizes - are not equipped to handle the 835 EDI data.

If you look at other industries - that is, industries that have effectively used EDI for quite some time - many of them are going to - the trend is towards XML formats. XML formats are just a new way to format data that is more easily handled by - from one system to another system. So, for instance, we have customers of ours that are today taking in 835 data and reformatting into XML formats for their provider customers. That is a case, obviously, where a bank is converting non-standard data to - or standard data to non-standard data, and that is a clearinghouse function under HIPAA.

What gets to be more interesting is the natural evolution, in my mind - if that place of business can give me an electronic version as a bank, an electronic version of the invoices that they send, then when I process the remittances, I will attempt to match the invoices and the remittances and report on the discrepancies for that entity.

Given the difficulty that providers have in properly posting their remittances, providers are great candidates for this, what in banking terms is AR magic. Okay? A claim is the invoice in the provider world, and those claims are electronified, for the most part. So the bank simply says, boy, if I could get a hold of that claim data in electronic form, and I could match it with the electronic remittance data and then report to you on the dispensation of the original claim as versus what was actually paid against it, would not that be a good service to offer you? And the answer is yes. Providers could use that service.

So when I describe these things, I am an advocate for leveraging infrastructure that exists in banks to help the providers, but when that happens, the bank will find that it is not so easy, necessarily, to get the electronic 837 data. So more and more what banks will do is suggest to providers why don't you somehow or other process that claim through the bank so that I can get a hold of it first? Doesn't mean the bank is actually going to act as a clearinghouse per se. That bank may go ahead and pass that information through some clearinghouse, but that is going - in our mind, that is going to happen more and more. So we are talking about banks potentially processing claims as well as remittances, in my mind, in the very near future.

There is a movement afoot. The suggestion is wouldn't it be great - and I think the answer is certainly yes - if we could do what is called real-time claim processing, and most of the focus thus far has been on the idea that if I am a patient, I go to my doctor, and before I leave the office, that doctor is able to submit a claim in an electronic form to an insurance company in some format where in real time they could adjudicate that claim, and my suggestion is that if, in fact, that occurs, we are sort of halfway through the process. Why wouldn't - if I can adjudicate it and I know what I am going to pay, why wouldn't I then automate the process in real time and make the payment in real time? But in order to do that, I have to make the payment in real time, and I also have to submit back the remittance data in real time in some format that can be handled by the provider and automatically entered into their practice management system or patient accounting system.

Banks are the only entities that would be able to facilitate that transaction, because there is a payment associated with it, and banks are the only entities that could associate the original claim, the remittance data that contains the private health information and the payment. So there is no other choice, in my mind, my humble opinion, that would allow for that to take place, except to include banks.

I think Mr. Casillas also mentioned briefly - and I will just echo his sentiment - there are point-of-sale devices that - you know, not too long ago, in the credit-card world, we had to deal with paper or credit-card slips, and then someone said, well, why would you do that? Why don't you just put at the point of sale some small terminal that allows for that credit-card transaction to be recorded and hook it to an electronic network? And many providers are able to take credit-card payments from their patients.

Someone then said, well, why can't we explain the functionality of that small point-of-sale device to include things like eligibility checks and claims? And so that with one small device, I have helped a provider - especially a small provider - electronify their world in more than just the payment side of things. Okay? So the natural distribution of such a device is through the banking network. Okay? And that device exists today and is being distributed by, I think, around 200 banks.

In addition to processing payments, banks do make loans. I think this is very important, because, from my point of view, the practical tradeoffs here are we need to experience the savings as a country that administrative simplification can give us. At the same time, we need to be very aware that there are real private-health-information issues, and how can we reconcile the two? But involved in this whole equation, when you get involved with it, and, certainly, if you look at the banks, is this whole idea of the fact that - unlike other businesses, providers have the same issues - they face the same issues as other businesses; that is, they need to make capital investments to improve their business, but the problem is that a good segment of the providers' receivables cannot be accurately valued, and so, therefore, a bank has a challenge as to how to properly make loans against the asset that a provider has, and a great deal of the total assets a provider has is wrapped up into their receivables. Okay?

My suggestion is, as banks get more involved in processing both the claims and the payments, it is natural that they have the information. It would allow them to properly model what the real value of any given claim is because, over time, historically, they can warehouse that data and then they can mine that data. From a privacy standpoint, when people talk about data mining, they always view it as some kind of a bad thing. In this case, it's some kind of a good thing. Okay? It's really good, because if, in fact, a bank could do that, then they could properly value receivables, then there would be more liquidity, and there would be more of an opportunity for doctors to do things like invest in technology that is necessary for administrative simplification, and the whole country is better off. Okay?

So this is a big issue, but the point is how do banks do this in other areas? How do they value and what banks typically call score receivables? Well, they do that by getting historical data and analyzing it. Many times what they do is they share that data amongst themselves, so that they can build even better models, because this is all about predictive modeling, and the more information I have, the better I can model. Okay? So if you said to the banking industry, how are you going to do this? That is essentially the answer that they would come up with, but there's all kinds of issues related to the sharing of that information when it contains private health information.

We touched a little bit on clearinghouses becoming banks, and I would just say this: I don't believe that clearinghouses would want to subject themselves to all of the overhead that is required by banks - the regulatory overhead - and I agree with that assessment, except if the tradeoff was that in some ways it helped me streamline my business.

So involved in the discussion related to different states in different statutes - let's assume for a second that different states have different statutes related to mandating what clearinghouses must do and must not do. Okay? In fact, the State of - I think the State of Maryland says if you are a clearinghouse in this state, then you have to be certified by certain organizations, as an example, but other states don't have that same requirement.

If it helps me as an entity to become a bank, so that I can streamline my business and maybe adhere to one specific set of requirements, then I might just do that, and examples exist out there, and probably the best example I could just think of off the top of my head was that many department stores and oil companies and consumer-credit organizations have become banks in this country, and the reason why is because if I am not a bank - a nationally-chartered bank - then I have to deal with every different state's usury laws, but if I am a bank, then I have one set of - a nationally-chartered bank - I have one set of laws I have to adhere to. Okay? So as a matter of convenience, let's call it, it is conceivable and possible that clearinghouses would either decide to become a bank or decide to have some kind of specific and special relationship with a bank, so that somehow their transaction part of their business would be simplified. I do believe that is possible.

Banks are important stakeholders, in my mind, and so that is where this gets, I think, even more interesting, and I have just listed a few reasons why I believe that is the case. If the medical community can leverage the infrastructure that exists in the banking community, I believe that some very important things can happen.

First of all, not just one, but many different interoperable infrastructures and networks exist for banks to be able to communicate with other banks, all kinds of different data, mostly related to payments, but those infrastructures already exist.

In addition, if you look at the volume of transactions, we have - banks have made large investments in high-speed transaction processes and databases and et cetera, and, finally - and I think this is very important to note - healthcare is local. There is a local bank everywhere where healthcare is dispensed. Okay? Physical presence of a local bank, and I think that that is very important when we frame the discussion.

Thank you.

MR. ROTHSTEIN: Thank you very much.

Dr. Slomovic.

DR. SLOMOVIC: Thank you for the opportunity to testify before you as you consider issues related to banking and health information.

My name is Anna Slomovic. I am a Senior Fellow at the Electronic Privacy Information Center in Washington, D.C. EPIC is a public-interest research center established in 1994 to focus public attention on emerging civil-liberties issues and to protect privacy, the First Amendment and constitutional values. EPIC has a long-standing interest in privacy protection for health information handled by the financial industry and has testified in Congress on the subject.

In September 2003, a coalition of privacy groups, including EPIC, sent a letter to Secretary Thompson to express concern about discussions being held between the banking industry and the department about a proposal that would permit banks to handle and transmit protected health information with what, in our view, are inadequate privacy protections. These discussions involved the status of banks under HIPAA and permissibility of sending PHI via the ACH network without encrypting PHI, so that it can be accessible only to the final intended recipients.

It is our view that banks which handle PHI contained in a premium-payment transaction and the remittance advice should be covered healthcare clearinghouses as defined in the Privacy Rule and that PHI should be additionally encrypted, so that it cannot be accessed by those with access to the ACH network, but only by the final intended recipient. These issues are gaining in importance as the banking regulators prepare to write the new regulations under the FACT Act.

I will briefly address our concerns as described in our letter and the response provided by the ABA and NACHA as well as some additional issues.

First, on banks and HIPAA. We have heard quite a bit about it this morning. Applicability of the HIPAA Privacy Rule to banks arises from the fact that HHS has adopted a transaction standard in which banks normally not regulated by HHS engage in activities which could make them, by definition, healthcare clearinghouses within the scope of HHS regulation.

Although some banking activities were explicitly exempted under HIPAA in Section 1179 of the HIPAA statutes, there is obviously disagreement about the extent to which this exemption applies.

The HIPAA Banking Task Force, a joint initiative of ABA and NACHA, has asked HHS to agree that all activities of a financial institution are exempt under Section 1179. Under this interpretation, banks would not be designated healthcare clearinghouses, even though they convert ACH transaction data from standard to non-standard format for their clients. ABA and NACHA have further stated that banks should not be considered clearinghouses because they perform such conversions only because their clients do not have their own conversion capabilities.

Privacy groups and the Medical Banking Project, as you heard this morning, have taken the opposite position on the basis of our reading of congressional intent behind Section 1179. As stated in the conference report on the security and electronic signature standards, the Congress intended to apply the exemption in Section 1179 only to consumer-oriented payment transactions, such as credit- and debit-card transactions.

The ABA and NACHA have rejected this interpretation because they believe the statute language is clear on its face. They have also rejected the notion that clearinghouses exist precisely because some providers and health plans do not have their own capability to convert data between standard and non-standard formats.

The ABA and NACHA have stated that as long as business-associate agreements are in place between financial institutions and their covered-entity clients, banks will meet their obligations under HIPAA.

We do not believe that business-associate agreements provide the same level of protection for health information as covered-entity status.

While covered healthcare clearinghouses must comply with the Privacy Rule as spelled out in Section 164.500(b), business associates must comply with the rule only to the extent of their business-associate agreements. As a result, permitting banks to be a business associate would create a situation in which potentially different terms govern the same transaction at the originating end, where a bank might be a health plan's business associate, and on the receiving end, where a bank might be a provider's business associate. Depending on the terms of the two contracts, permitted uses and disclosures might be quite different, and the terms of the contract would very much depend on where the power lies in a particular negotiation.

Additionally, if banks are business associates, individuals who believe their privacy has been violated would have no recourse, because they are not party to business-associate contracts between covered entities and the financial institutions.

Furthermore, banks would not be subject to oversight by the Office for Civil Rights, and would be exempt from civil and criminal penalties under the Privacy Rule, complicating enforcement actions based on complaints about violations of privacy.

Now, on transmitting protected health information via the ACH network, the HIPAA Banking Task Force has requested HHS permission to move PHI through the ACH network without additional encryption to make PHI accessible only to the final recipient. This, in spite of clear statements in the preamble to the 2000 Privacy Rule that requires additional encryption of PHI as it moves through the ACH system.

If permission is granted, large amounts of PHI would potentially be available to those with access to the ACH network and could be subject to abuse. Our greatest concern is that ACH transactions would be subject to data mining for marketing and credit evaluation, and we focused our concerns, our discussion in our letter to HHS on this specific concern.

We heard today that ABA and NACHA are unequivocally opposed to such use of health information and transactions, but there are two additional issues. The first is the problem of network security breaches, and the second is the problem with ACH transactions being captured and stored in the intermediary nodes of the ACH network.

ABA and NACHA have stated that the ACH network is encrypted and secure. However, there is increasing evidence that the amount of fraudulent activity on the ACH network is rising as criminals become increasingly familiar with all networks and with the ACH network in particular.

The problem is compounded because banks are generally reluctant to report security breaches of their networks, so as not to undermine the faith in the soundness of the financial system.

If banks transmit PHI through the ACH network without additional encryption, and if they are designated as business associates, they would have an obligation under the privacy and security rules to inform their covered-entity clients about inappropriate uses and disclosures of PHI, including network security breaches. This would be a significant change in the way they do business today.

Our final concern has to do with the fact that as transactions go through the ACH network they are captured and stored in intermediary nodes. As I understand, this is necessary in order to trace network problems and verify transaction integrity for financial transactions.

Unfortunately, it also means that PHI that is part of those transactions will be captured and stored in the intermediary nodes as well. This PHI will not be protected by the Privacy Rule either through the direct application to covered entities or through contract business-associate agreements. Additional encryption is the only solution that would protect PHI in this instance, should a breach occur someplace in an intermediary node.

As we heard, the ABA and NACHA have stated that they oppose the use of personal protected health information for any purpose other than that for which it was obtained, and that they oppose data mining of health information for marketing and other purposes.

It seems to us that this position would be considerably strengthened if they also agreed with the need to provide additional encryption to PHI flowing through the ACH network, given the number of potential problems that could come from within and outside the banking system.

In summary, different groups disagree about the interpretation of Section 1179 of the HIPAA statute and the preamble to the December 2000 Privacy Rule. These disagreements take on greater importance as the banking regulators and the National Credit Union Association prepare to issue rules for use and disclosure of medical information under the FACT Act.

In light of this, we recommend that this committee take the following actions: We ask the committee to recommend that the Office for Civil Rights and officials with responsibility for HIPAA transactions and codes work with the banking regulators to resolve questions about the applicability of HIPAA to banks and on the permissibility of sending PHI through the ACH network without additional encryption.

We also ask the committee to recommend that the Office of Civil Rights work with the banking regulators and the National Credit Union Association to ensure that the rules promulgated under the FACT Act are consistent with the HIPAA Privacy Rule and provide an appropriate level of protection to PHI after the PHI enters the banking system.

Thank you.

MR. ROTHSTEIN: Thank you very much.

Mr. Gilligan.

MR. GILLIGAN: God love you.

Good morning. My name is Tom Gilligan. I deeply appreciate the opportunity to be with you this morning to testify on the subject of medical banking.

I currently represent the Association for Electronic Health Care Transactions. I have also represented MBNA, the credit-card company based in Delaware. In the mid-90s, I represented MBNA on healthcare privacy issues. Visa and MasterCard worked with us closely. Together, we figured prominently in the effort to include Section 1179 in the HIPAA statute.

For MBNA, we also lobbied healthcare privacy legislation on Capitol Hill introduced by Senator Bennett and others. That legislation died because of abortion-related issues.

Not long after the enactment of HIPAA, MBNA, Visa and MasterCard also visited the department - I think Bill Braithwaite was here at that time, as was John Fanning and Jim Scanlon - about the subject of the HIPAA privacy regulations and how Section 1179 could enter them.

A word about AFEHCT. AFEHCT is a healthcare IT vendor-industry advocacy group with a focus on federal public policy as it relates to the application of EDI, Ecommerce, the internet and healthcare IT software to the solution of problems associated with the delivery, financing and administration of healthcare in both the public and private sectors.

We were founded in 1992, basically, to give the vendor community an energetic voice for advocacy with respect to HIPAA. AFEHCT serves software vendors, healthcare clearinghouses, healthcare IT companies, remediation companies and others who share the goal of promoting the application of healthcare IT, et cetera.

AFEHCT members have been working with providers and payers to make the implementation of HIPAA a reality. AFEHCT members are also actively involved in a wide variety of other healthcare-related activities.

AFEHCT's interest in this particular issue is, first and foremost, the privacy of the protected health information, and, second, a level competitive playing field for the participants in processing and transmitting the information.

Section 1179 actually opens up and says, to the extent that an entity is engaged in the activities of a financial institution, as defined in the Privacy Act, or is engaged in the authorizing, processing, clearing, settling, billing, transferring, reconciling or collecting payments for a financial institution, this part, and any standard adopted under this part, shall not apply to the entity with respect to such activities, and then there is more language that goes beyond that.

The conference report clearly alludes to consumer-related activities where such a payment is made by a debit or credit card or other payment card or electronic-funds transfer, and it references - in the second paragraph there are when an individual utilizes a payment system.

It also states, in the last part of the paragraph, this part does not apply - if a company clears healthcare claims, the healthcare claims activities remain subject to the requirements of this part.

The ABA posits that because of the language that says to the extent that an entity is engaged in the activities of a financial institution, period, that any activities of a financial institution do not apply to HIPAA. I disagree. When lobbying for this language before Congress, the position of MBNA, Visa and MasterCard was that the exemption applied only to the functions listed, and once a credit-card company or a bank stepped outside of these functions that that activity was fully covered.

The report language goes on to, again, document that what was being referenced here were made by check debit or other payment card or account activities or such other means, which are traditionally consumer-conducted transactions, and, again, when an individual - it also references when the individual utilizes a payment system that makes it clear that the exemption applies to consumer transactions, because if the word individual is used and not person, which could be interpreted to be a corporate person, then the language makes it clear that this exemption was directed at consumer transactions.

If the ABA's supported interpretation is allowed to stand, it would apply to more than just the HIPAA transaction and activity, and the remittance advice, which is being the focus of much of today's conversations. It would exempt financial institutions from having to apply HIPAA privacy protections to PHI when financial institutions refinance accounts receivable, collateralize loans or letters of credit with accounts receivables, and, in many instances, when they go into this collateralizing of loans or refinancing accounts receivable, they take physical possession of the PHI and then do their own analysis of it. That was alluded to earlier. All of that would be exempt from the HIPAA - all that activity would not be protected by HIPAA, if the interpretation that the ABA supports is allowed to stand.

The report language also makes reference to claims activities. It says, however, this part does apply. If a company clears healthcare claims, healthcare claims activities remain subject to the requirement of this part.

If the definition of the term payment in HIPAA regulations is so broad - and it is very broad. It includes claims. It includes utilization review. It includes a whole host of things not necessarily thought to be part of the payment process. Could the term claims activities be construed so broadly as to include payment and remittance advice?

Let me deal with the clearinghouse issue. Although the ABA posits that a total exemption from the administrative simplification provisions is warranted, this is not the relief we are seeking from HHS. The relief the ABA is seeking is not to have receiving depositary financial institutions deemed to be clearinghouses when they receive a remittance advice and translate that remittance advice into a format or content that can be dealt with by the client provider.

The argument put forward that an RDFI is not a clearinghouse under HIPAA, and, therefore, not covered by HIPAA privacy and security standards, is a tortuous one, but at least three elements - three threads - are present in the argument. One has to do with payment. In the statute, among the list of identified transactions, is the healthcare - at Section 1173(a)(2)(E), healthcare payment and remittance advice.

An argument is made that the definition of payment in HIPAA rules includes - check payment and the remittance advice, and, therefore, the RDFI should be allowed to process both without becoming a HIPAA clearinghouse. They can process both without becoming a HIPAA clearinghouse. It is when they change, when they translate the data or the format, that they become subject to the definition of a HIPAA clearinghouse.

The payment that is dealt with by the department in the preamble to the final rules says that the payment and remittance advice are part of the payment process, but the two transactions are separable, and we agree with that, and, as it seems, so does the ABA, because in a letter to the Secretary, it says if financial institutions are prohibited from sending PHI through the ACH network, the only beneficiaries will be those institutions in business to be healthcare clearinghouses and who are not authorized to send electronic payments along with remittance advices. So the ABA is agreeing that they are separable.

Another element in this argument is that HHS couldn't possibly have intended to include financial institutions in HIPAA. The argument is in diametric opposition to the structure of the definition of a clearinghouse and the structure of the privacy regulations.

The definition of a clearinghouse is - just lays out a set of functions, and if you perform those functions, you are a clearinghouse. You don't perform those functions, you are not a clearinghouse.

Much of the privacy regulation is set up the same way. If you receive information from a private entity and do certain things with it, you are covered as a covered entity, and the functions you perform - the regulations, in many cases, do not specify by name which entity has to do with.

A third element was that just because an RDFI has no control over whether or not they receive remittance advices - financial institutions should not become healthcare clearinghouses just because they receive payment and a remittance advice. A healthcare clearinghouse in an identical situation would have to comply with the healthcare privacy and security regs or go out of business.

To answer a question you asked at the end of the last panel, perhaps the best way to handle this would be to ask the banks to lay out the specifics of where their problems lie and then deal with those specifics in the privacy regulations.

I believe Mr. Stone mentioned having to amend certain pieces of information. Banking institutions - if the department were presented with those kinds of situations, I'm sure the department could be flexible with respect to the banking community.

Thank you.

MR. ROTHSTEIN: Thank you very much, Mr. Gilligan.

And the floor is now open for questions from colleagues on the subcommittee.

Dr. Harding.

DR. HARDING: Thank you all for very good testimony this morning.

One of the reasons that we are having hearings - one of them - is to look at unintended consequences of HIPAA and of the privacy regulation. Do any of you - I mean, I'm kind of hearing that it hasn't had much consequence on the banks and so forth because they have chosen to say that that is not really a part of our problem in some way. It's not quite put together that HIPAA really applies to all these transactions. There is a debate about that.

I'm wondering if you all have had any unintended consequences in your experience of HIPAA in the areas that you all represent?

And then I would ask Dr. Slomovic if you really feel that encryption is the answer? You mentioned encryption and improving that. Is that the answer that we are looking for to safeguard PHI and so forth in the future?

MR. DEAN: I can answer unintended consequences of a minor degree, but I think it cumulatively could be fairly significant.

I mentioned that healthcare is local. That means that a lot of providers provide services in very small communities and they deal with the community banks. So were they all just to deal with someone as learned as PNC or someone like that, that would be one issue, but they are not, and those community banks and the indecisiveness related to what do they have to sign, what kinds of business-associate agreements do they have to sign, et cetera, when they are faced with trying to figure out how to help those providers with the EDI information that might come in an ACH, and I could give several examples - I won't - of situations where those community banks are smaller. Medium-size banks have been asked by both providers and payers in a particular community, can you help facilitate these transactions, and part of the reason that they are not doing it is not because they are not technically capable of doing it. It has more to do with they really don't understand the nature of what they have to do in either a BA agreement or, if they are a covered entity, what does that really mean to them, how will they be regulated, all that.

You know, banks are very highly regulated, and one of the things that occurs to me is that somehow a reconciliation where the banks' already existing regulatory agencies adopt standards so that there is no discrepancy between what is expected under HIPAA and what the bank needs to do in order to facilitate the payment and the handling of the remittance data. It seems to me that somehow if that could occur that might be the answer, not a separate organization with a somewhat separate set of rules. The privacy issues are real, but the banks, right now, I think, cumulatively, across the country, there is less administrative simplification, because this issue exists than there could be, let's put it that way.

DR. SLOMOVIC: Let me start with the unintended consequences question, and I am actually not sure whether this is intended or not intended, but prior to coming to EPIC, I was a privacy officer for a large healthcare company, and I can tell you that the vast majority of people outside the industry have absolutely no idea what happens to their health information. When they see a privacy notice that says, we will use your PHI for payment, they don't have any idea that that could mean that the PHI could go to medical transcription companies, to billing companies, to mailing houses, to all kinds of places under business-associate agreements, and that is even before we get to banks and what the banks do with PHI.

So whether intended or not, the Privacy Rule seems to have institutionalized our current system and done it in a way that it doesn't add a whole lot of transparency from the consumer's point of view, despite the notice provisions that I think were intended to clarify what actually happens to PHI.

As to whether encryption is really the answer here, it would certainly help, because if PHI is not additionally encrypted, we have a system which can be compromised both from the inside, which is what happens most often, and from the outside, and both financial information and PHI would be at risk.

In the preamble to the December 2000 Privacy Rule, OCR already stated that they want PHI to be additionally encrypted, whether or not it goes through the ACH network. Why not simply affirm that guidance and put in an additional layer of protection? It's simply setting up a system with better social hygiene.

MR. GILLIGAN: On the issue of encryption, what is the risk? And there are a lot of instances where healthcare clearinghouses and healthcare providers transmit data over dial-up lines, and the department currently does not require that data which is going from point to point to be encrypted, and we would encourage you to keep that policy in place, because there are no examples where that data has been intercepted, and the likelihood of it being intercepted is really rather remote when you consider that in order to intercept the data, you would have to know where the person - what provider an individual went and saw, hospital, a doctor, what time that doctor or hospital is going to transmit that data over a telephone line, and then you have to have all the equipment that the receiver of that information has in order to intercept that data and then make the data in a form that is useable for you. It is easier to take $5,000 and bribe a clerk to get you the data. So I don't think encryption would help in that kind of a situation.

MR. ROTHSTEIN: Other questions?

Please identify yourself for the record, please.

MR. STONE: Mr. Chairman, my name is Steve Stone from PNC Bank, an accredited ACH professional, former Treasurer of the National Automated Clearinghouse Association.

The question regarding encryption in the ACH network is a bit of a misnomer. In the original proposed document, the preamble to the Privacy Rule, there was a comparison of the ACH network to an open network like the internet. In subsequent meetings with HHS, we reviewed with them the controls that are around the ACH network, how transactions are routed, the control points, the validation steps, and HHS acknowledged that the ACH system in no way resembled an open network like the internet, and, consequently, dropped that requirement from the final rule. That is why it is not in the final rule anymore. So it's a little bit misleading to talk about encryption in the ACH system as a solution.

I will acknowledge, and Dr. Slomovic is correct, that ACH data, when it is stored in certain depositories, including the Federal Reserve, and/or electronic-payments network, it is stored in a non-encrypted fashion, but we showed you a sample of what a non-encrypted CTX would look like. It is not anything that would be easily read or interpreted or understood. It is not casually translatable. One would have to do a tremendous amount of searching. It's a needle-in-a-haystack kind of a phenomenon. There are over 500 million ACH addenda records, I think, that are processed annually, billions of ACH transactions processed annually. So to find among those billions of items and hundreds of millions of addenda records the record or records that pertained to healthcare activity would be exceedingly difficult. It would take a massively-large computing effort to locate those.

So there is no encryption while it is stored, but we are not sure that encryption is warranted. The system is highly secure. There has never been a reported incident of a breach of network security in the ACH system.

MR. HOUSTON: Let me ask -

MR. GILLIGAN: Could I add to his -

MR. HOUSTON: Well, I wanted to follow up a relevant question here.

Is there, as part of being a member of the ACH, is there an agreement that obligates a member to keeping information confidential, whether it be in transit or at rest within their environment?

MR. STONE: Yes, the ACH rules obligate financial institutions to protect the confidentiality of the information. So that is already incumbent in the ACH rules. The ACH rules are incorporated into Federal Regulations, as part of 31 CFR 210. They are recognized by the Federal Reserve as the rules that govern the payment network. So they are - the NACHA-operating rules are widely recognized as the rules that govern this transaction.

MR. ROTHSTEIN: Mr. Gilligan, you had a point.

MR. GILLIGAN: In earlier conversations about this, I was told that it takes as long to decrypt an incoming transaction as it does to process it, and then as long again to re-encrypt it, and I know you are only talking about seconds, but these things go through at the speed of 1.5 seconds or 1.2 seconds. If you add encryption to the mix, you are not just adding two more seconds on there, because if you run into queuing theory, this thing - a bottleneck starts to be - then you are into multiples of resources needed, along five, six or seven times the resources you have now. So -

MR. HOUSTON: Was there ever any study done to determine what the cost would be from a - even from a computational perspective to just -

MR. GILLIGAN: Not by us.

MR. STONE: Data that is in movement between a financial institution and its ACH operator is already encrypted. So all data that is in movement is encrypted. It is only non-encrypted when it is in a stored position.

Frankly, you can't process the data unless the data has been unencrypted because you need to be able to see it to process it. So the step that is not taken is the re-encryption of stored data and nobody has ever studied that. That is correct.

MR. ROTHSTEIN: Well, I want to thank this panel, and please be available if we have additional questions for you. I know it is going to take some effort for the subcommittee to sort these things out, and we can - I hope - rely on your additional expertise.

The hearing is adjourned for recess, and we will resume promptly at 1:30 with the combined law-enforcement panel consisting of Mr. Gellman, Williamson and Calabrese.

Thank you.

(Whereupon, a luncheon recess was taken at 12:30 p.m., to reconvene at 1:30 p.m.)


A F T E R N O O N S E S S I O N

MR. ROTHSTEIN: Good afternoon, everyone. We are back with the third of our panels.

Agenda Item: Law Enforcement Panel

MR. ROTHSTEIN: The third of this afternoon's panel is on law enforcement, and for those of you checking your agendas, Mr. James Polley was unable to testify today. So we have combined Panels 1 and 2, and so we will have Mr. Calabrese as part of the first panel.

So without any further ado, I want to welcome our former member of the subcommittee and friend Bob Gellman, who will be our first witness on the issue of HIPAA and law enforcement. Bob.

MR. GELLMAN: Thank you, Mark.

I have been asked to sort of provide an overview of the law-enforcement provisions, and I will do that and add a few teeny-tiny comments of my own about what I think of the rule in this regard.

However, to begin, I just want to - I was at one of the hearings of - I think this committee - this subcommittee anyway - on some of the implementation of HIPAA, and I just want to offer a couple of comments which actually go to some of the law-enforcement things, although not directly, and that is it seems to me all of the complaints about HIPAA fall into one of four categories.

The first are transitional problems. These have to do with people not understanding the rule, not being up to speed, getting bad legal advice, all the usual things. This happens with every privacy law everywhere around the world. Indeed, it happens with every law of any sort everywhere around the world, and it takes a long time before people get used to it. These are things that are effectively not problems, but it will take a while before everybody gets used to it.

Secondly, there are problems that are the result of poor drafting and poor guidance or inadequate guidance, and these are things that are probably a little bit easier to fix, especially on the guidance side.

Then you have a set of problems that are - really reflect policy disagreements. People say that the rule has bad policies. It doesn't require consent or it doesn't preempt state laws or whatever you happen to think. These are the hardest things to try and deal with, because there are often significant fundamental disagreements and lots of hard choices are involved.

Finally, the fourth category is the one that I really want to emphasize, and that is changes that have been made as a result of HIPAA. The world has changed because HIPAA came along. Until HIPAA, for the most part, the medical establishment paid only lip service to privacy and did nothing - or very little - to protect the privacy of patient information, and just to illustrate my point, I don't think you found very many hospitals that had privacy policies before HIPAA came along or that trained their staff or that did any of the things that HIPAA has required.

And one of the things that has changed as a result is that many covered entities have looked at their policies, they have looked at HIPAA, they have said, the requirements of HIPAA are not very strong and that we can do better in protecting privacy, and institutions, covered entities, IRBs, others have established policies that are stronger than HIPAA. If you repealed HIPAA tomorrow, I doubt many of these policies would change, because once you focused on privacy issues and you raise questions about the respective rights of the various parties and the liability of the various parties, all of a sudden you don't go back to the policies of the past, which were basically giving records out to almost anybody.

So I think that all of the complaints that you guys are likely to hear through these hearings will fall in one of these categories, and I think probably it is perhaps the task of this subcommittee to figure that out and decide which things are higher priority and which aren't.

I want to turn now to the law-enforcement provisions. HIPAA provides for disclosures for law-enforcement purposes in a variety of ways, and Section 164.512(f) of the rule has a variety of specific law-enforcement disclosures, disclosures to law-enforcement officials, and I want to start with the definition of law-enforcement official, and there it is up on the screen. I am not going to read it, but you'll notice that it is extremely broad. Virtually every federal, state and local government agency qualifies as a law-enforcement official if they have the authority to investigate or conduct an inquiry into any potential violation of law. There is no differentiation in the definition between a Medicare fraud investigator and a school crossing guard. They are both law-enforcement officials at the same level under this. There is nothing in this definition that creates any nexus to health. So anybody who is conducting any law-enforcement activity of any sort qualifies.

There are six subdivisions of 164.512(f) that allow law-enforcement disclosures without patient consent. I am going to go through them.

The first is the worst. The first one has a couple of sub-elements. It allows disclosures for gunshot-wound-reporting laws. I don't think those are controversial, at least not if the laws aren't. It allows disclosures for judicial subpoenas and warrants. Those tend to be not controversial. Even those who want all disclosures to be done with subpoenas want them to be done with judicial subpoenas, and if there is independent involvement and review of what is going on, that is generally viewed as less controversial.

Another area are grand-jury subpoenas, which I think are more controversial, because grand-jury subpoenas are abused by prosecutors, and it would be nice if there were more controls, but I have to say that I don't expect the rules to tackle the grand-jury subpoena problem which is much broader than this.

My real focus of attention is on the administrative-request part of the rule. An administrative request includes an administrative subpoena, a civil investigation, investigative demand or virtually anything else. I am about to give you an example of an administrative request.

I am a cop. I qualify under HIPAA for getting records. Turn over records to me. That is an administrative request. Nothing more than that is required. The rule does not require a subpoena. It does not require that the request be made in writing. It does not require that the request be approved by a supervisor of the law-enforcement official making the request. It has no requirement or provision in here for there being an emergency or for there being a lack of other procedures to follow.

The rule, I don't believe, has any meaningful standards, and there are no procedures at all. All a law-enforcement official seems to have to do is to say, I qualify under the rule. You do not have to provide a showing to the covered entity that the information is relevant and material, specific and limited in scope and that you can't use de-identified data. All you have to say is, I qualify, and I think that that is - I would like to say that is the worst single feature in the rule, but it is probably only in the top three. (Laughter).

Number two, the second category has to do with identification and location for locating a suspect, fugitive, material witness or missing person, and the disclosures are limited, as you can see. I think the limits are good. I think the predicate here of suspects, fugitive and missing persons are a little easier than material witness. We have seen some abuse of the material-witness authority in connection with some of the terrorism investigations, and I am not sure exactly what a material witness is under this.

I think what is missing here is any sense of urgency or emergency in the rule. If I am looking for Judge Crater - a person who disappeared, I think, 100 years ago - it is exactly the same. I can make the same request as if I am looking for a child who was kidnapped an hour ago. There is no distinction in this rule - in this provision with respect to that. There is no administrative process required. There is no writing, and I think that more could be done in this rule to strike a balance, although I readily admit that I think that in emergency conditions there needs to be greater flexibility in providing limited access to medical information for suspects or fugitives or perhaps even missing persons, but there's got to be an element of urgency to it.

The third category has to do with information about the victim of a crime, and there are two parts to this. One is with consent, and consent cures all, and the second is without consent, and I think this is a very interesting provision.

In order to make disclosures without consent, law enforcement has to represent that the information is not intended to be used against the victim. This is a very important limitation, and I am going to come back and talk about this again at the end and emphasize the importance of it.

Law enforcement has to represent that the delay would materially and adversely affect the activity that they are engaged in, and it says expressly that disclosure has to be determined by professional judgment - meaning by a physician or other medical professional - that the disclosure is in the best interests of the patient.

Now, what is important here is that this provision illustrates three crucial things. One, limits can be placed on whether information can be used against the victim. This is a limitation that is absent in the rest of the rule.

Second, it illustrates that disclosures can be regulated, based on the presence of emergency situations, and I think there needs to be more of that in the law-enforcement provisions.

And, finally, it illustrates that the rule can say that medical judgment can override law-enforcement requests, and, indeed, the entire rule, the entire law-enforcement section is discretionary. None of these disclosures is mandatory, and so medical judgment is relevant in all of these. This is the only one that emphasizes that. I think that is something that needs to be said in other contexts as well.

The fourth provision allows disclosure in the case of suspicious death. I think this is just a fine provision with a small caveat that the policy in the rule is that dead people have privacy rights that last until the sun runs out of hydrogen, and I think that is a policy that doesn't make much sense, but, notwithstanding that, I don't have anything much to say about this provision.

The fifth provision allows disclosures in the cases of crime on the premises of a covered entity, and I think this is a perfectly fine provision that is basically okay.

The sixth provision is sort of the same thing, but it is when there is a medical emergency that did not occur on the premises of the facility, and this thing really has to do with 911 calls when information - you get a 911 call and you have to disclose information or you have a reason to disclose information, and I notice that this is something that is contingent on an emergency circumstance, which I think is a valuable thing. So I don't think that this is as controversial as others.

Having gone through all six of the law-enforcement provisions, I want to emphasize that those are not the only provisions of the rule that allow disclosure to law-enforcement agencies. Here is a list of some of the other non-consensual disclosure provisions that allow law enforcement of various sorts to get access to the records.

So we have to be careful not to look at any one law-enforcement provision and evaluate it solely on its own. When you evaluate it in context, you may discover that the overly-broad access that HIPAA allows for law enforcement might already be covered somewhere else and that a narrowing of the law-enforcement provision would not necessarily unduly undermine an important law-enforcement activity, and, in many cases, there is a particular kind of law enforcement request for information that will fall under several of these, and let me give an example.

If you are doing a fraud investigation, you may be able to get non-consensual access to records under the payment provision, under the healthcare-operations provision, under the health-oversight provision, under the law-enforcement administrative-request provision or under the required-by-law provision. So if you are a law-enforcement official of the right type and you want to get records for fraud investigations, you simply sort through the rule and find the one that is easiest. One of them has a procedure or a standard that you don't want to deal with, well, just use another one. I think that this gives law enforcement too many bites at the apple and that for people who are engaged in the same kind of activity, they should have one route and one standard for getting access.

That sort of summarizes the basic provisions, but there is one more thing that is not in HIPAA that turns out to be particularly relevant here, and it is Executive Order 13181.

Bill Clinton, on his way out of office, signed this Executive Order, and what the Executive Order does is it recognizes that there are many times when records are obtained for health-oversight purposes, fraud investigations, where the subject of the investigation is a doctor or a hospital or a health plan, and the patient is not involved in whatever health-care fraud is alleged or occurred and is a wholly-innocent bystander. Yet, every law-enforcement official I have ever met when posed this question - namely, if you get records in this fashion and you discover that the patient is, independently of what you're doing, engaged in some kind of criminal activity, say abusing prescription drugs or taking illegal drugs, do you also want to prosecute the patient? And the answer from everyone is yes.

So what the Clinton order does is it says - it recognizes that health-oversight investigators may uncover information about wrongdoing that is unrelated to what they are doing and it establishes a procedure that requires a review and an approval before the information can be used against the patient, and the procedure is that you've got to get approval from the deputy attorney general in order to do it, and there is a standard here that the public interest and need for disclosure clearly outweigh - a pretty strong standard - the potential for injury to the patient, to the physician-patient relationship and to the treatment services. This provision - this Executive Order really helps, to a significant degree, to make the law-enforcement provisions in the rule fairer and better and more protective of privacy.

So we've got a standard in the Executive Order that isn't terrible. The most important thing in the Executive Order is that there is a formal procedure. When you say to people, you've got to go to the deputy attorney general and get approval, that means you've got to wade your way through a number of levels of bureaucracy, and that, by itself, dissuades people from making requests that are trivial, and there is also in the Executive Order a requirement for an annual report, and I would recommend that this committee get that report when it comes out - presumably in a couple of months - I don't know how long the report will be delayed after the one-year anniversary - and see what it tells us about what is going on in this area. I have no idea what the facts are.

However, there are some bad things about this Executive Order that really limit its effectiveness.

First of all, it only applies to federal agencies, federal activities. So if you are a prosecutor and you discover that a patient is engaged in some kind of illegal activity and you try and get approval from the deputy attorney general and you fail, you simply pick up the phone and you call a state official and give them the information, they are not bound by this, and they can go prosecute the person. So you end up with the same result you were trying to avoid.

Secondly, the Executive Order expressly provides that the provisions of the Executive Order are not enforceable by the individual. So this means that if the deputy attorney general's auto pen makes all of the decisions and simply every request that goes to the deputy attorney general is approved by his auto pen, there is no appeal, there is no right to question that. This is not enforceable.

And the third point is that the procedure is really not as good as it is in 18 USC 3486. Now, 18 USC 3486 is a provision that was added to the code in HIPAA. It is a HIPAA provision. It is not related to the privacy stuff, and this provision says the Attorney General of the United States can get access to every healthcare record in the country for health investigations, period. You go to your doctor and pay cash, the Attorney General can get your record. You go to a free clinic, the Attorney General can get the record. There is no limit to the Attorney General's ability. This is why these protections against using records against individuals are so important.

In the statute, in the statutory provision, if the Attorney General wants to use information against the individual, the Attorney General has to get conditional approval, and that is a very important difference. It means that the law-enforcement community is not making the decision wholly on its own. When you are making a balance between privacy and law enforcement, you would like to have a neutral decision maker here, and that is what the courts are for. Under the Executive Order, the decision is made entirely by the Attorney General, a deputy attorney general, who, of course, is a principal law-enforcement official. So whether you will get an even break out of this remains to be seen.

On the other hand, the standard in 18 USC 3486 is not quite as strong as the standard in the Executive Order. So there are some - there is at least one difference there where the Executive order comes out a little better.

And I think this is a very important issue, and I think particularly for NCVHS, considering and working on all of the electronic healthcare and national health-information infrastructure stuff, you look down the road, and we are going to have a healthcare system that is going to turn out to be a law-enforcement surveillance system, because disclosures to law enforcement for fugitives or suspects or witnesses are always authorized under this, and when we have everything computerized, those law-enforcement people - especially people like the Medicare IG - are going to be directly plugged into the same computers that everybody else is. They will be able to run programs and look for evidence of illegal activity by patients, and any time a patient goes to see a doctor, there may be a flag that goes up, says, this is someone who is wanted for not returning a library book in St. Louis, Missouri, and they can come down, notify the police in real time and, without better protections here, we run the risk of having an electronic medical-record system, and an NHII becoming a surveillance system for law-enforcement purposes, and if we don't have better standards than we have in HIPAA, that is probably what is going to happen.

Thank you.

MR. ROTHSTEIN: Thank you, Bob. Gives us a lot of things to think about and to discuss with you during the question phase of the hearing.

We'll proceed now with Mr. Williamson.

MR. WILLIAMSON: My name is Bob Williamson and I am from the Drug Enforcement Administration.

I think I had made some notes and I will go into the things that I have prepared for today's meeting, but I think maybe I'll spend a little bit of time, first of all, to tell everybody in the audience what the DEA does and how we get involved in healthcare oversight.

Talking to some of the planners and people that kind of got us involved in this, I learned that probably most of this audience doesn't know what we do in Diversion, really doesn't know the difference between a DEA Special Agent and a DEA Diversion Investigator. We have at least Dr. Harding. Dr. Cohn is not here. I would imagine Dr. Harding would know what a Diversion Investigator does, because we get involved with physician oversight. So I want to talk a little bit about what we do and how we do business, and then I will make the few comments that I have in terms of how HIPAA has influenced and impacted our program and what we do in the DEA.

Everybody knows about the DEA. Of course, you know DEA is a fairly visible organization, mostly populated with DEA special agents, and DEA special agents are law-enforcement officers, and they work primarily investigations of illegal trafficking on a global basis, and the paradigm, the image of the DEA agent that you will see in movies or whatever else is, of course, not exactly right, but they are federal police, and I'm not a DEA agent. DEA agents do not usually get involved in doing investigations of physicians or pharmacists, and DEA, by and large, does not, even, in my program, does not get involved in investigations of individuals, unless the individuals are involved in something that is fairly well organized and are involved in an organization to traffic drugs - prescription drugs illegally.

Within the DEA, there is a small component of investigators that are specifically trained to enforce federal laws and regulations that pertain to the legal use of controlled substances.

Now, we are going to have to talk a little bit about terms. Viagra is not a controlled substance, okay? Propecia is not a controlled substance. There are a lot of problems with exchanging these drugs and buying them over the internet and all types of problems with legitimate oversight, but they are really not DEA problems. We have no jurisdiction, and I have no real expertise in the movement of these drugs.

We all do know the controlled substances. These are the drugs of abuse. These are the hard narcotics and the soft narcotics. These are drugs like Xanax. These are depressants or sedatives and they are stimulants.

These drugs are regulated by the Federal Government, and we, the Diversion Investigators, are the guys that do the regulation. There are about 500 Diversion Investigators in the United States - really, around the world. We do a number of things in the program.

Like to talk a little bit about the types of records that we would normally want to take a look at, and I would like to mention and underscore that many of these records are required under the statute to be maintained and accessible to DEA Diversion Investigators. Now, we will talk, I suppose, if you would like, or maybe I will a little bit, about entry and how to get the records and how we do business, because how we do business is how we do business. There could be other ways, but we have a culture and a way of doing business in the DEA that I think is relevant.

There is a concept in the laws - the Controlled Substances Act, the Harrison Narcotic Act, before it, going back almost 100 years - and this concept is that individuals - businesses, corporations, researchers, anybody that would like to or intends to use a controlled substance in a legitimate fashion - has to come to the Federal Government and get a registration, and we do register doctors. Dr. Harding may have one. If not, he probably would like to have one, because it's a big deal to have a DEA number. Register about a million docs a year. We register companies. We register pharmacies, not pharmacists, and we register importers, exporters, manufacturers.

Once you are registered with the DEA, if you are a doctor, you can prescribe drugs and you do not need to keep a record for us of the prescription, but the pharmacist has to keep a record for us for the prescription. It's in the law. Okay?

If you are a doctor and you buy drugs and decide to dispense drugs or be a businessman and have inventories of drugs and get involved in distributing them here and maybe sending them overseas, all of these increases and decreases to inventory, you have to have a record of those things. You have to take an inventory of the drugs every two years. You have to use special forms for like your Percodan that you might want to ship overseas. Dr. Harding wants to order some Percodan for his office, he is going to have to use a special form issued by the DEA. Again, these are concepts that go way back. I used to have yellow-carbon order forms. Now, in DEA, we have green-carbon order forms, and we are going to get rid of the order forms and do it all electronically, but these are concepts that are out there.

So I say all of this to tell you that in the DEA, in the Diversion Program, we have always sought to look at these records that are required to be kept anyway.

I wanted to mention also - and I will get into a little bit with this - the impact of HIPAA on the way we do business. Diversion Investigators in the DEA, we have been around for 30 years, and we do have certain health-oversight qualities to our program, and what I mean by that is that we do some auditing and some simple accounting of registrants to make sure that the drugs that they have ordered and dispensed or distributed that they can account for them. This is not a law-enforcement activity, not usually done at the practitioner level, not usually done at the pharmacy level, but there could be many reasons that a Diversion Investigator would want to go into a pharmacy and take a look at all the Schedule 2 prescriptions. Maybe we want to see how many prescriptions for a certain drug are in a locality or maybe we would want to see who the prescribers were or maybe we would want to see whether the pharmacy was accounting for their drugs.

These things do not present themselves through a Diversion Investigator in the field as a law-enforcement activity. However, there are those times and those days and those situations where that evidence that is kind of looked at for a regulatory function gets hot. You know, you find out that the records show a particular doctor or a patient or whatever is getting drugs in a way that you think is suspicious, and DEA Diversion Investigations do, fairly routinely, jump around within the following categories: We have investigations that are regulatory in nature, where we might think that initially we were going to just see if the registrant was handling the drugs in a way that made sense, and if they weren't really doing it exactly right, we would send them a letter, you know, and you always get nasty letters from the DEA. We would call that a Letter of Admonition, and it would scare him, but it's really just a kind of a wake-up call that, you know, take it into consideration, do a better job.

Then there could be situations where the evidence that gets developed is - it shows evidence of impropriety with the doctor, primarily, to a lot lesser extent with the pharmacy, and then we might decide that there is a kind of a public-health problem with the way that the registrant is doing business and we might then go after that DEA number. Now, that is a very big thing, but it is not a criminal thing. Call it administrative inspection or administrative investigation, and you have a right to a hearing before an administrative law judge, if we go at you like that, and standards of law are a little different, you know, whatever, but it is one of the things that we do.

And then there is the situation where the target of the investigation becomes really a target of a criminal investigation. In this particular instance, the authorities, the DEA, usually we work with other agencies. We're too small to work with ourselves most of the time. We will have concluded that there is diversion, that there is trafficking. If it is a physician, the physician is just a pill pusher. He is no longer practicing medicine, or she is no longer practicing medicine, and then we will go to indict them in federal court, and this is a very big thing, just for the record, because this comes up a lot.

Out of the million doctors that we have registered with the DEA, one fraction of one percent of them will ever be indicted in the federal system for drug violations. That is one quarter, maybe one half of one percent. So that is a very small percentage. Most of them will actually - and very few of them are actually investigated, really, by us, but most of them will end up having a licensing restriction.

That's a brief overview, and I feel like, you know, I could go all day talking before this audience a little bit more about what we do and how we get involved in this law. So I don't have a lot of time, and I don't want to overstep my time, and, hopefully, maybe I can refine some things with the Q&A.

I want to move from there a little bit or not - I want to move from there into how HIPAA has impacted our program.

From the outset, I think the DEA Diversion Investigators that became exposed to HIPAA and these provisions to get into these records, we were kind of confused. We found it to be a confusing law.

The two areas that I think, early on - I have actually had some access to comments that were made by people that work in my shop before I got up there - but the DEA wanted the Diversion Program to be listed as a health-oversight program and to be kind of named, to kind of be placed there, rather than characterized as a law-enforcement program, but we were unsuccessful.

I will tell the end of my story not at the end, because it really fits in here, but right now, while I am here testifying or talking or discussing about these things with you all, we have a lady from HHS that is addressing all of our senior program managers on HIPAA rules because we needed to get them on the agenda. Part 3 asks about outreach, is there need for more outreach. Well, there certainly is over at the DEA. I'm over here and she's over there. So I would like to be over there, so I could learn more about HIPAA, but I'm over here telling you all the things we don't know about HIPAA.

One of the things that happened, though, is, in typical DEA fashion, I sent an email up to a couple of the bosses to just let them know what I was going to kind of talk about, and she ended up getting the email and called me last week, and so I learned a little bit from her, but one of the things that I think is becoming more clear to me now is that the Diversion Program probably needs to operate within both the health-oversight category and the law-enforcement category, technically. We are there to do some health-oversight operation. We can probably go in like that. If it becomes criminal, then we have to start acting like we are law-enforcement officers, which is okay.

But let me tell you what has happened. It really doesn't matter, because in the industry, DEA Diversion Investigators, whether they are doing anything related to regulatory activities or not, are really being treated as if they are law-enforcement officers. It is not the end of the world. The way we have done this is we have used what they call administrative subpoenas to satisfy their request and to get access to the records that we need to have access to.

Administrative subpoenas are government subpoenas. They are - I don't know, we did have an attorney do kind of a legal background on them. DEA is one of the first and fewest modern agencies to have administrative power. They are usually used for things like telephone records, third-party types of things, and we have been reluctant to abuse the right to use administrative subpoenas, and they are still used for basically third-party types of things where we would like to maybe take a look at prescriptions in a pharmacy that we would have a right to get anyway, and so we would use an administrative subpoena. They can be challenged. There are some approval requirements that the Diversion Investigators need to go through in the field to get the subpoenas, but it is not catastrophic. We are not losing investigations because of the subpoenas. So that would be the main point, I guess, that I would make about the impact.

There are some concerns, too, like I mentioned about prescription surveys, where we would routinely go into a pharmacy to take a look at what drugs were prescribed - maybe it's the new diversion trend - and we would need to do more work to get the administrative subpoenas to do that.

So that is basically, I think, the way it has impacted our program is that there has been a reluctance to provide DEA Diversion Investigators with records that we have a right to under the law without some sort of paperwork, and we can provide the paperwork. We are kind of covering everybody's you-know-what. That's what they want.

And, you know what? If I were them, I would be the same way. I would be worried about it. So we are doing that.

Let me talk about the unintended consequences or perhaps they are not. One of the things that we have - and maybe this is legally okay - but we have a program called the Prescription Monitoring Program, which we encourage state governments to adopt. We actually are in the process of administering a federal grant program jointly with BJA, Bureau of Justice Assistance, to give the states money to implement these programs. There's about 20 of them in existence right now. Over half of the doctors in the United States and over half of us as patients are treated in states that have prescription-monitoring programs. Been around a long time. I think some of the first ones go back almost 1940.

These are programs, now, that are handled electronically and, really, the way it works is that when a prescription is filled for a controlled substance, pharmacies have all this information electronically in their pharmacies one way or another, and under a prescription-monitoring program, they would have access to a software package that would transmit a certain variety of data elements to an agency in the state. The state agency would then evaluate the information in terms of patients that were doctor shopping - going to more than one physician - and sometimes they would evaluate the information to talk to a physician about his prescribing practices.

They vary from state to state. They are not federal programs, but they have been supported by the DEA, and they are becoming more and more supported by the DEA and the DOJ and others that are concerned about prescription drug abuse, because there are lots of correlations about the way drugs are prescribed in states that have prescription-monitoring programs. Abuse of certain substances seems to be less in those states, as opposed to states that do not have these programs, and the concern has come up from time to time as to whether or not these programs - whether the people that are participating in these programs are violating some HIPAA rule by telling a state agency about them.

I did hear about this exemption, I believe, that, you know, you can tell an agency something if it is required by law. So that probably is the ticket that would allow the state governments to escape that, but, in this world - this HIPAA world - everybody is nervous and nobody really feels like they know it all exactly. So that could be a concern, if, indeed, there is a prohibition that would affect these programs, and, meanwhile, the DEA and the Department of Justice and everybody is out there, you know, saying, yea, let's go ahead and do more of these things. We don't want to encourage people to break another federal law.

Here's one that I got caught with. I was in San Diego. This is an aside, but it is relevant and probably - I imagine everybody is sensitive to it, but pain management is a very big medical thing right now in terms of the use of narcotics to more aggressively handle pain, which is under-treated, mistreated. It's a real thing. DEA understands all of the medical dynamics that are in place.

So there is a growing number of physicians that treat pain more aggressively, and they have a really tough situation, because even the most legitimate, the brightest of the brightest, the most proper of the most proper, if they prescribe hard narcotics aggressively they may see somebody from the DEA. They may see somebody from the Medical Board, and let me assure you, they do not want to see anybody from the DEA. Dr. Harding is probably comfortable seeing me today like this, but he would not like to see me in his office, and so they are constantly preparing - the legitimate chronic-pain specialists - and we talk about the legitimate ones and the ones that aren't legitimate in the DEA. We know what we do for a living and we know the ones that we go out in a big way and they are not legitimate, but the legitimate ones they may see us, and we need to clear a path for them, and we need to be able to say, it's okay. We need to be able to do the right thing. They are constantly, constantly trying to make sure that they don't get in trouble with us - with us or the Medical Board or whatever else. One of the ways that they might do that is that when a patient they are treating aggressively with narcotics becomes suspicious, they will not be part of drug abuse. They will make provisions for the patient to get drugs in another area or whatever, but they will turn them away.

And I had a doc ask me at a conference, he said, can I call the DEA to report a suspicious patient? And me, you know, I said, well, of course. You know, there's a long body of feeling that DEA, we never encourage any registrant to become part of drug abuse. Now, you can have problems with the authorities if you turn that blind eye to something that everybody and their brother would know it was not a correct situation.

But I don't know now. I read through some of these complicated laws, and I said to myself, if it's a suspicion, if that is all, he is suspicious about a patient, if I were him, I don't know that I would call the DEA. Of course, then, he might have the DEA coming in and saying, why didn't you tell us about this guy? You know, he's got a ring. He's distributing drugs in three states. So how do we handle situations like that? You know, I really don't know. I don't think that this law was intended to harm well-meaning health-care professionals that want to do the right thing.

We have a similar thing with pharmacists. Pharmacists provide tremendous amounts of leads to the DEA. They know a lot. They see the prescriptions come in. They have groups sometimes that will communicate among themselves. So that is another unintended consequence.

The outreach thing, I've already said. There's a lot of need for more outreach. We have had a lot of questions that have been unresolved, and we are really trying to have them resolved, really work with the HIPAA people.

Thanks.

MR. ROTHSTEIN: Thank you very much. I'm sure we'll have a number of questions for you.

Mr. Calabrese.

MR. CALABRESE: Thank you.

Chairman Rothstein, members of the committee, thank you for giving the ACLU the chance to come and talk about the law-enforcement exemptions.

My name is Chris Calabrese. I am the Program Counsel for the Technology and Liberty Program. The ACLU, as you know, is a nationwide, non-partisan organization of almost 400,000 members dedicated to protecting the principles of liberty, freedom and equality set forth in the Bill of Rights.

For more than 80 years, we have fought to strengthen and preserve privacy for all American citizens, most recently for Rush Limbaugh in the State of Florida, and his - well, his dispute with the state over gaining access to his medical records.

My testimony today is divided into two parts. First, I am going to talk about all the things we think are really bad about the HIPAA regulations and law enforcement, and then I am going to give you a real-world example of how far you can go and still be a law-enforcement agent and still be within the HIPAA regulations. I am also going to talk a little bit about changes we think should be made.

The law-enforcement exemptions promulgated by HHS under HIPAA appear to establish limits on law-enforcement access. Those limits, frankly, are illusory.

We believe that government agents should have to obtain judicial approval and have a meaningful probable-cause standard before they are granted access to a patient's medical records.

If the police want your medical records and they are sitting in your desk drawer at home, in your house, they have to get a warrant. It has to state why they want the records - i.e., that they have probable cause that they display evidence of a crime - before they can come and get them. We think, pretty simply put, that that same standard should be in place for doctors and insurance companies. This type of Fourth-Amendment-like protection enhances both patient privacy and engenders trust between doctors and patients.

There are cases when law enforcement is going to have a compelling need and they are going to have to gain access to these records. Nobody disputes that. The Fourth Amendment doesn't say that - it is not a bar to law-enforcement investigations. It simply says that we have to balance the interests of individual rights with those of law enforcement. The current regulations don't reflect that balance in any way.

I have six specific areas where we have problems. The first is there is no meaningful requirement of judicial review. As Bob noted, I mean, the regulations give law-enforcement agencies the choice of obtaining records through a warrant or a court order or a grand-jury subpoena or - and, of most interest to us - through an administrative subpoena, summons or civil investigative demand. These last three legal instruments are issued without judicial review.

Naturally, law-enforcement agents, especially in the beginning part of their investigation, are going to use the least restrictive means to gain access to records.

As Bob noted, I mean, essentially, you are talking about here is my badge. I want the records. I mean, that is how unrestrictive we are talking about.

As Justice Cardozo noted, the often-competitive enterprise of ferreting out crime means that law enforcement has a lot of incentive to push the envelope in this area. It is impossible for them to neutrally balance the competing needs of law enforcement and privacy.

Even when judicial review is sought, the standard is not meaningful or not adequate, excuse me. It's meaningful, but it's not adequate. Regulations would need to assert probable cause that the records are relevant and material to a legitimate law-enforcement inquiry, specific and narrowly drawn as is reasonably practicable, and de-identified information could not reasonably be used. This standard, obviously, falls short of the traditional probable-cause standard, namely that the records contain evidence of a crime. They don't call for balancing, and, frankly, the bar is set too low.

Third, the regulations do not require individuals whose records are about to be searched to receive notice. This kind of notice is consistent with due process and our ideas of an adversarial proceeding. If there is any risk, of course, that this notice is going to result in records being destroyed, notice could be waived, but, in an ordinary investigation, an individual should receive notice, either in the case of a court order or a law-enforcement warrant to let them know that their records are being searched.

Fourth, the proposal contains an over-broad identification exemption. The regulations allow for release of patient information any time the police are trying to identify the suspect or fugitive. Bob did a good job sort of elaborating on what the specifics are of that, but I think he made the most important point which is that once records are computerized, it is no longer an individual flipping through paper. It's a search run by either the doctor's office or law enforcement. So when standards are as weak as these, we have a blood type for a suspect, we want to do the search for everybody who has that blood type. These don't have to be narrow. They don't have to be practically drawn. They just have to say, we are trying to identify a suspect. There's no - I mean, these types of databases are not law-enforcement databases. They are databases of private law-abiding citizens, and they shouldn't be turned into databases.

Fifth, and this is something Bob didn't touch upon, but the regulations contain blanket exemptions for these very minimal procedural requirements for intelligence and national-security activities.

Current law enforcement already provides special procedures for intelligence-gathering activities, but there is no precedent in the code for a blanket exception for law-enforcement procedures for agencies engaged in domestic law enforcement. This kind of carte-blanche authority is unnecessary and inappropriate.

Six, evidence obtained in violation of the legal standard of regulation should be inadmissible at trial. HHS may not have the authority to mandate such a rule, but we think this approach should be endorsed in the preamble to the regulation.

It's always nice when we can talk a little bit of real world at some point. So I am going to try to do that a little bit. This lack of appropriate privacy controls leads to disturbing and dangerous results.

For almost three years an initiative named the Strategic Medical Intelligence Unit has operated out of Pittsburgh, Pennsylvania. This group of volunteer doctors is a pilot program that operates as a conduit between local doctors and law enforcement, specifically the FBI. Their stated goal is to act as an early-warning system in cases of bioterrorism. The SMI doctors possess security clearance and are briefed by the FBI. Under the system, local doctors notify the SMI when they encounter a suspicious event. This term is completely undefined, but seems to run the spectrum from an unusual rash to a loss of limb due to explosion.

The SMI team then determines if the event is a potential terrorism event and refers such events to the FBI. The SMI receives one to two referrals a week and has forwarded the individually-identifiable information of at least three people to the FBI. Patients may or may not be told that their medical information is being forwarded.

Senator Arlen Specter has stated that he will seek federal funding to expand SMI. We are mystified by the rationale for this dramatic violation of patient privacy. We can only assume that SMI and the FBI believe their actions to be covered by the law-enforcement or national security exemptions.

It is an understatement to say that this type of information sharing has a chilling effect. An individual who knows that a doctor visit may trigger an investigation by the FBI is less likely to go to the doctor. I mean, this is common sense. No one wants to be under the law-enforcement microscope whether they are guilty or innocent.

The problem is exacerbated by the complete lack of standards in this program. A very limited type of similar communication is currently allowed in the case of gunshot wounds and suspected abuse, but this type of program dramatically expands reporting and turns doctors into government informants.

Further, the program is completely unnecessary. This same type of information could be compiled in a de-individualized manner. The reporting of a certain number of similar symptoms from different patients would trigger a bioterrorism investigation without violating the privacy of individuals.

SMI is a perfect example of what is wrong with the law-enforcement exemptions to HIPAA. The state has abdicated its responsibility to balance privacy and security. Naturally, in such an environment, law enforcement chooses security, even if there is an equal or better alternative that respects individual rights. The police rightly expect us to be the ones making the public-policy judgments. Their job is to catch lawbreakers. They are going to do that with whatever tools we give them.

At minimum, the HIPAA regulations must be strengthened. Medical records should only be released in the face of a warrant or a court order with notice asserting that the police have probable cause to believe that the requested records contain evidence of a crime. While some provision may have to be made for national security, we believe access to records under this provision should still be subject to independent oversight. The current HIPAA regulations assure that the flimsiest security rationale trumps personal privacy. That harms patients, doctors and public health.

Thank you.

MR. ROTHSTEIN: Thank you very much. I'm sure my colleagues all have questions, and who wants to go first?

MR. HOUSTON: Interesting that I'm from Pittsburgh and I never knew about SMI. That's -

MR. CALABRESE: Need to get more press, obviously.

MR. HOUSTON: Excuse me?

MR. CALABRESE: We need to obviously do a better job of promoting it in the press or -

MR. HOUSTON: That's right.

I would like to say, though, that, interestingly enough, though, that there is actually a program that was developed at the University of Pittsburgh that does, on a de-identified basis, do bioterrorism monitoring.

MR. CALABRESE: And it is very interesting, many of the articles that discuss this program discuss that program as well, and the connection hasn't really been made that I think that that de-identified program may perform a better function than the SMI program.

MR. HOUSTON: Right.

MR. CALABRESE: I'm sorry. Please -

MR. HOUSTON: No, but I just wanted to say that because that was sort of interest.

One of the things I guess I'm very concerned about, because it is something that I have had to deal with very directly has been - and this seems to be on the rise - is the concept of doctor shopping, a patient going to multiple doctors to get prescription drugs, often the same ones. Obviously, there is some type of dependency going on, and, frankly, it is an area that I know within my whole system there is great turmoil. What can we do? What are we supposed to do? And, frankly, at this point in time, I don't think that there is adequate guidance as to how to react. We've gone to the various sources and asked what our rights were and what we should do and haven't gotten good answers. I would sort of like to understand exactly what everybody sees as the balance of patient privacy versus patient safety and what is appropriate in terms of reporting in order to ensure that that patient isn't abusing medications. It's a complex issue, which I'm not sure I understand how we should view those types of situations.

MR. CALABRESE: Well, I think it is interesting, because we think, obviously, that there is not a lot of meaningful protection here, but your question highlights a very important byproduct of the lack of meaningful protection, and that is that hospitals, I think, and doctors tend to sort of recognize that and be concerned about it. So, in some ways, they retreat to sort of bureaucratic - we don't know what we should release. We're not sure what to do for law enforcement. So if there are very real problems like doctor shopping, they get obscured in this - we are not sure what you - you know, what you want this information for, and we're not sure it is really legitimate.

MR. HOUSTON: Well, it's us actually knowing that a patient has shopped for multiple doctors and saying, do we have the - is there that right or is there that obligation to, say, go to law enforcement with that information -

MR. CALABRESE: And that is precisely my point is that you lack - really, you lack very real guidance on these kind of important issues because it is lost in the thicket of these sort of over-broad regulations.

I mean, specific exemptions can be created, specific situations can be addressed within the regulations, I think, without - sort of without these over-broad provisions. I mean, I know I haven't answered the specifics of your question. I just sort of - that is the ACLU's take on some of these specific inquiries.

MR. ROTHSTEIN: Mr. Williamson, would you like to comment?

MR. WILLIAMSON: I would like to talk a little bit about that, because that is really in my backyard, not only being in the DEA, but being a DEA Diversion Investigator, and I did mention this briefly in my presentation, but this is a hard nut to crack under HIPAA, and, you know, some of these doctor-shopping organizations are organized.

The DEA does not usually investigate individuals. They can be subpoenaed. They can be witnesses in trials, and they can get a little bit damaged, you know. I mean, if somebody - if we're working a doctor and then we have somebody that was going into the doctor to get drugs and then they're dealing with the drugs, they can become a witness and turn state's evidence, et cetera. So it's not like it's never going to happen, but that is not what the DEA is about. We just don't have the manpower to do those investigations.

MR. HOUSTON: That is what we have heard, and that's unfortunate, because there is a patient-safety issue that is really quite important.

MR. WILLIAMSON: Well, and it is a major way that drugs are diverted. These drugs are becoming more and more typical law-enforcement drugs, where it's not the prescription drugs that were just kind of like for the Diversion Investigators. These drugs, you have state narcotics units, and it will leverage out, and the way these cases are put together, they generally do require, what? A suspect, some sort of evidence that the suspect was going to multiple doctors. Well, how do you think you establish that? You go to the doctors and say, was this patient a patient of yours? What time did he come here? Did he come here yesterday? Because he went to Dr. Smith's office yesterday, too. So these are kind of common-sense things that the investigators need to be able to do. They need to be able to pick up those prescriptions. They need to be able to do a time line and a spreadsheet, et cetera, and if we are not going to be able to do that or if the state police officers and the locals in the working partnership - I mean, I kind of perceive this as a bigger problem for them.

You know, what we do in the DEA, we will never go to a doctor's office and try to get a medical record under an administrative subpoena. I mean, we would get that under - it is just not the way we do business. I thought all of that stuff was protected anyway. We would use a search warrant or we would do a lot higher, go get an individual record.

Now, the medical boards, they can go. They have a right to get individual, but we really don't. So I'm not familiar with people just going to do that, but if, indeed, you know, there is going to be more protections, this is the place to have the exemptions and to have them spelled out, and, really, to facilitate the local police officers be able to do their job on something that is really a very simple investigation. It just requires a little bit of an operational procedure.

MR. ROTHSTEIN: I would like to follow up. We can come back to - on the prescription-monitoring issue.

Kentucky is one of the 20-or-so states -

MR. WILLIAMSON: Yes - (inaudible) - program - the money that is coming in from that.

MR. ROTHSTEIN: - and I think there are some clear privacy issues raised by prescription-monitoring programs.

Our state, the way it works is something like this - and there is legislation pending in the legislature to actually expand it, but when a scheduled substance is prescribed for a patient, that information will, in real time, go to - at the moment, it is the health department. Now, there's some consideration about moving it to the state police to -

MR. WILLIAMSON: What state are you from?

MR. ROTHSTEIN: Kentucky.

MR. WILLIAMSON: Okay.

MR. ROTHSTEIN: And the physician also has the opportunity to get software to actually check on the patient's history. So I have a patient in my office, and he is complaining about back pain and wants Vicodin, I say, well, excuse me a minute. I'll be right back, and I go in and, now, I can find out the prescription-medication history of that individual.

So there, I think, are two sets of - besides the privacy issue - disincentives.

Number one is the disincentive to the physician to prescribe this, knowing, as you described earlier, the physician is now being monitored in the system for writing these prescriptions for painkillers.

And second is possibly a reluctance of individuals to seek medication knowing that they are automatically being put in the system, and it seems to me that we need to try to explore alternatives to weigh the - or balance the legitimate interest in avoiding the diversion of drugs and the doctor shopping, et cetera, and, on the other hand, protecting the legitimate interests of both physicians and patients.

One thing that I would like to ask you to comment on is whether, in fact, it is necessary to report physicians by name when you already have DEA numbers for all these prescriptions. So, in other words, from the doctor's point, why do you need to send Dr. Harry Smith from such-and-such town in - we can just put the prescription was issued by Dr. 23579?

And another possibility is to also assign a DEA-like number to each patient who receives these medications. So, in other words, I would have my own prescription med number for only prescribed - for scheduled substances, and so when I get a prescription for a painkiller - Dr. No. 5 prescribes a drug for Patient No. 7 - then the computers can match that and find out if there is a problem with the doctor prescribing or the patient shopping or maybe somebody trying to get a duplicate number, and, now, you can do - or the state can do its own investigation, but I am troubled by the fact that every single prescription for every scheduled narcotic or controlled substance is now automatically in the system. I would like you to comment and then maybe the others.

MR. WILLIAMSON: Yes, first of all, the programs are not uniform among the states, because it is not a federal program. They have been around long before this grant money was available, and I think what stimulated an interest in the grant program was the abuse of Oxycontin in Kentucky.

They are gaining a head of steam. A number of things. Number one, the chilling effect of the doctors and the patients. That has really not been corroborated in terms of the numbers of prescriptions that are written. In fact, most of the time, these programs become fairly popular with the physicians, and the reason for that is that they can find out where their bad apples are by looking at the program themselves. They can find out where their patients have been doctor shopping.

In every case, the privacy issues are debated in the state legislatures as the enabling legislation comes forward to provide for these programs, and they do differ among the states in terms of how much access law enforcement would have or does have. I do believe law enforcement has access to the programs in each and every state. There's a permission, a threshold, and that does vary a little bit from state to state in terms of how it is designed.

In terms of de-identifying the data, I don't believe that that would matter to anybody in terms of assigning a number. The mechanics, the technology - right now, we are talking about technology a lot in DEA, because there is a lot of talk about doing a national program, and the DEA kind of feels like it would be kind of heavy handed. We don't know how well it would be administered. We really like these state programs. They tailor their program to their drug-abuse situation. Obviously, there is a lot bigger prescription drug-abuse problem in Kentucky than there is in someplace like Montana.

And I can't shut up once I get to talking, but I will tell you this, I had to go down to Florida and make a presentation on these programs, and, fortunately, I followed a doc from Kentucky that was an oncologist and he was talking about how great that program in Kentucky was, and I was able to get up and say, if it was really a bad program, he wouldn't like it because oncologists are going to have some problems with law enforcement. So some of these dynamics can be taken care of.

Again, the technology about one of the things that we are talking about, making sure the programs can communicate with each other across state lines, so that the program in Kentucky, there are people who go to Tennessee, they can find out about it in Kentucky. So we really don't have any problems with a lot of the concepts. They just need to be worked out.

MR. ROTHSTEIN: Well, let me ask Mr. Gellman and Mr. Calabrese if they would want to comment on this aspect of the drug-diversion programs and whether you might have separate objections to the reporting by numbers or other issues.

MR. GELLMAN: Well, let me make a couple of comments in response to your question and John's.

First of all, I think that - I don't mean to suggest that any of this is easy or that there aren't conflicts between different principles here, but the provision in HIPAA already says that if you believe, in good faith, that you have information that constitutes evidence of criminal conduct that occurred on the premises of the covered entity, you can disclose it to the cops. That is what HIPAA already says. Unless state law says otherwise, then, if you have evidence -

MR. CALABRESE(?): The argument - it isn't on the premises of the physician office -

MR. GELLMAN: And what is evidence?

Well, I understand, and that may be -

MR. CALABRESE(?): And by the way, the other issue is forging of scripts, which is also something that is an issue that doesn't happen on physician premises, but is a growing - a trend that's -

MR. GELLMAN: But it happens. If you turn in a forged prescription to a pharmacist, you now have evidence that occurred on the premises of a pharmacist -

So, anyway, I am not saying that this is a complete solution or easy to apply. There is a provision in here that deals with it, and if you don't meet the standards of this, then maybe you shouldn't be disclosing it.

Secondly, if physicians - and they do - if physicians are going to rat on their patients to the cops, then I think there ought to be better disclosure. I think there ought to be a sign in a physician's office or an express box and a notice that says, if you come in here and we find evidence of child abuse, we will, and are compelled by law, to turn that information over to various authorities. If we are going to do that for drug abuse, fine. Let's make a decision and do that, but tell people what we are doing. I don't think - I want to know exactly what is going to be reported and what qualifies here.

Secondly, with respect to your suggestion for - you know - making this more anonymous in some fashion, I think that that - in some ways it helps and in some ways it makes it worse.

I want to look at the comprehensive fair-information practices that apply to this information. If it is being collected for a very express limited purpose, let's have a set of rules that say it is going to be used only for that purpose. It is not going to be available to anybody else for any unrelated purpose, and that the data that we collect will be discarded after a suitable period of time when it is no longer relevant, and I think that is more important than having some kind of quasi-anonymization process which will be easily seen through when we find somebody who we have agreed - either a physician or patient - who is clearly abusing the law and needs to be investigated further.

And, finally, with respect to the idea of some kind of patient identifier, I don't know if you remember, but, you know, the issue of patient identifiers has come up before this committee in the past -

MR. ROTHSTEIN: I understand. This would be a very limited use.

(Laughter).

MR. GELLMAN: I believe - that, of course, is what they all say, and as soon as you create a new patient identifier, everybody would want to use it, and I might remind you that there is an appropriation rider I think is still in the law that prohibits HHS from spending any money to adopt - in the direction of adopting a new patient identifier, and I don't know whether your proposal violates the -

(Laughter).

MR. ROTHSTEIN: No, no - Thank you for that insinuation, but - (laughter) - this would be pursuant to state law. I think the states are free to set that up, but I'm not sure, and before I advocate something like that, I just wanted to see whether people are comfortable with it.

Personally, I would have a problem, and do have a problem, that every prescription that I get in Kentucky goes not only to the health department, but to the contractor of the health department, who is the IT person who puts together looking for matches and patterns and all this other stuff, and who knows who they are, and as well as the - you know - the state law-enforcement people. I just think that we are paying a tremendous civil-liberties price for I'm not sure how much payoff, in terms of law enforcement with regard to Oxycontin or any of the other problems that are especially difficult in our state, but -

MR. GELLMAN: Can I just make one more point?

MR. ROTHSTEIN: Sure.

MR. GELLMAN: Before I went down that road, I want to make sure that I know what the costs are and what the benefits are of this and if there are other ways of solving the problem, if there are other ways of creating non-identifiable identifiers, if you will - I can take your name and put it through a one-way hatch(?) that I can match up different prescription records on that basis, so that the person doing the matching doesn't know who it is, just knows that these three prescriptions have been given to the same person, and we haven't created a new identifier -

MR. ROTHSTEIN: Yes, wouldn't necessarily have to be a permanent identifier. What I am saying is some sort of encryption or something, because just - I don't want my name floating around there as a potential drug diverter.

MR. CALABRESE: Mr. Chairman, you have so aptly encompassed the civil-liberties concerns that I don't have a whole lot to add, except to say that there is always creep on this type of program. Whenever we collect information, it seems like it never gets thrown away. It just gets aggregated with other information, and I think that with the increasing computerization of medical records, you are going to see that to a greater and greater degree, and I think that means we have to be really careful about what it is that we collect and what it is that we hold onto because it is very rarely only used for what it is collected for in the long run. I mean, everything from Social Security cards to a million things.

MR. HOUSTON: I have never personally heard of - and working for a large health system - of cases where the authorities have come in and the purpose - you know, for the express purpose of culling through our records to find information -

MR. CALABRESE: Well, can I - Sure.

MR. HOUSTON: - and I think that there's - I'm also concerned, because we are moving down the path of creating a - purely a paperless environment, which - you know - very advanced clinical-decision support, very advanced clinical-information systems, which we think is absolutely vital for improving quality of care, and, clearly, it sounds like there are some - things are at odds here, because we will absolutely want to collect more and more information about patients and have - you know, not just episodic data, but across - you know - cradle-to-grave data for the purpose of delivering as good a quality care as possible, and yet -

MR. CALABRESE: I am a patient, too, you know. I go into hospitals, and I want them to have my information, so I don't - you know - or my son's information, so I don't have to explain to them again that - you know - what condition he may have had when he was three months old, and I understand, and I understand that that is a lynchpin to providing quality health care, but it only underscores why we need better protections, because when you have all this information, you're right, it is incredibly rich. It is incredibly detailed and it is incredibly valuable. That makes it a magnet for law-enforcement investigations when there is no, what we would consider to be, adequate probable-cause standards in place to protect it.

I mean, it is only going to take - I don't want to speculate, and I don't want to - but I believe that it is going to take a limited amount of time before a law-enforcement officer realizes how useful this information may be, and once that happens, you know, their first stop for a crime where they have biological evidence may be the local hospital, because that is the best place to match up biological evidence with individuals.

MR. REYNOLDS: First, I'd like to thank the panel. Very enlightening. I thought I understood privacy in looking at it from the industry, and it's pretty amazing what you all have covered.

But I think with the idea that HMOs tend to have failed in the United States, so we are going more to everybody going to whatever doctor they want to, obviously opens a door, the fact we're using more PBM, Pharmacy Benefit Managers, to consolidate data. I know there are pilot projects for medication lists, wherever you go for care, as drug costs rise, we are all looking closer and closer at those things. So you raised an awful lot of issues, and then how the data is available.

Mr. Williamson, I wanted to ask you a question. You mentioned that the DEA would have rather been a health-oversight group, not part of law enforcement and I didn't understand what that was -

MR. WILLIAMSON: In the Diversion Program, we felt like it was a better fit for us to be as a health-oversight group rather than law enforcement -

MR. REYNOLDS: What would that give you - a different capability or a different way of doing -

MR. WILLIAMSON: You would be allowed to have access to the records without having to use process. I think that's what they call it. It's just - it would be nice for them to have laid out - include this group DEA Diversion Investigators, as opposed to the DEA Diversion Investigators and the industry, you know, having to guess what we are. In practice, we are law enforcement. That is the way they are treating us and that is the way we are doing business.

MR. REYNOLDS: Mr. Calabrese, from the standpoint of these new things that are coming along, the medication lists that emergency rooms would get access to, electronic medical records, where do you see a line being drawn for that use as care versus use for other reasons?

MR. CALABRESE: The Fourth Amendment, I guess. I mean, that is a very glib answer, but the probable-cause standards that exist right now, and those are not - you know, pretty simply put - evidence that I have - what I am looking for, the record, the information is specific evidence of a crime. All right. I mean, we have no problem with that, and we think that - I mean, that is very important that police have access to that information, but not for fishing expeditions, not to troll through the records, looking to see if we can match up something we found from a scene with something in a medical file. Have a specific evidence of a crime, put it in a warrant, take it before a judge and then give it to the doctor or hospital.

MR. ROTHSTEIN: I would like to try to get a bigger picture of where we are in the law-enforcement area, and it seems to me that there is an unusual aspect to this whole area. Under HIPAA, the general principle is that federal law applies, unless there is a state law that is more protective of privacy rights. In the law-enforcement area, it seems just the opposite. In other words, under the provisions of 512-A, which allows for disclosures required by law, states can enact laws that are restrictive of privacy rights under the theory that they are law enforcement, and they are, in effect, exempt from HIPAA, and so that the states have a very wide leeway to enact all sorts of law-enforcement-type provisions and thereby cut into the protections that normally would apply.

Let me give you an example. Suppose that California decides that because of their high number of plastic surgeons in the state that they might become a haven for terrorists who want to change their identities, and, therefore, they enact a law that says that every plastic surgeon in the state must get before and after photographs of every patient undergoing plastic surgery in California for possible law-enforcement use. I believe that under 512-A, that would be a lawful disclosure of PHI, and yet it seems to me that individuals in the state who are contemplating - you pick the surgery - might be rather reluctant to have their before and after photographs taken by their plastic surgeons now in some file somewhere for law-enforcement purposes and shared who knows with what agencies, and that seems to me a rather sort of unusual twist on the general provisions or principles underlying the kind of federalism involved in HIPAA, and I was wondering if anyone on the panel wanted to comment on that.

MR. GELLMAN: Well, yes, I think your analysis is exactly right, and if the California law required that the pictures be printed in the local newspaper, that would also not be inconsistent with HIPAA.

However, just to point out, the plastic surgeons of California would probably lobby very heavily against that law. Patients would go to another state to have plastic surgery done, and I don't know whether the political process of California would support the passage of that law, but even if it did, the real problem here - and I think you have put your finger on a real issue - is that in constructing a policy here that interfaces both a federal standard and state law, there are a large number of state laws that go all across the spectrum that require the disclosure of some health information or some program. Most of those laws probably have a pretty good justification, because they're - you know, DEA is a good example. There are state programs that require all this kind of stuff. The prescription-drug-reporting stuff we just talked about is an example of a required disclosure, and if you are writing a policy and you are trying to develop a standard here, other than required by law, you have a hell of a problem figuring out which laws you are going to allow and which laws you are not going to allow, and it is really hard to do that generically. You almost have to do it on a case-by-case basis. Finding all of the state laws that require some disclosure of some PHI to somebody would take an enormous expenditure of resources, and then you have all of these really difficult decisions to make, and so from a policy perspective, you are almost forced to come to this general standard of saying required by law and saying let the political process in the states deal with this kind of concern, and if you can get enough votes in a state just to require a disclosure, so be it. We are not going to get in the way.

MR. WILLIAMSON: I might just comment.

You know, there is tremendous diversity in this country about the way people have attitudes about things, and you will see it in the state laws. We do in the DEA. Believe me, sometimes, the way people feel about things in Georgia is really a lot different than the way they feel about things in California, and so it is kind of hard sometimes to cover all of the bases in a country like this.

MR. CALABRESE: - it's hard for me to get up and say that - you know, to talk about the example where maybe they are infringing more on privacy, and I guess I would just say that we think these current laws are pretty lax as it is, and we are much less concerned about small ways that states can make them less lax than we are about generally making the federal standards stiffer, and whether we do that through changing the federal laws or changing the state laws, that is kind of more our concern.

MR. ROTHSTEIN: I have shared what is at the top of my list with you. Bob Gellman gave his list of things that he was concerned about.

I would like to ask you, Bob, if you could give us some recommendations about how the administrative request provision could be tightened up to take care of the - what you perceive to be the sort of the looseness in it.

MR. GELLMAN: Well, I would like to agree with the ACLU that you gotta require a judicial warrant before the cops can ask for records. I don't think that is practical in all circumstances, unfortunately, and I don't think it is politically possible to establish a standard like that for a whole variety of reasons.

I think the interim step is to say that if you are making an administrative request that you have to make a written request to the institution from the law-enforcement agency, that it has to be signed by a supervisory personnel of the law-enforcement agency making the request. I'm not saying it has to be signed by the FBI director or by the head of the state police, but by a supervisor. It might be a desk sergeant or a lieutenant, but something that says this isn't just some cop off on his own asking for records.

I think those two steps - they are not the only ones. I might tighten up the standards. I might require some kind of - there are standards in the administrative-request section. I might require some kind of evidence, not necessarily - whether it is offered to the hospital or not, I'm not sure, because some of this gets very complicated about disclosing the internals of law-enforcement investigations - that there be some kind of evidence to support the assertions that the information is really needed, that we can't use the identified data and whatever the other standard is.

I would also suggest that the odds of this rule changing are very low. If I may report on a rumor that I heard from several sources many years ago, HHS wrote a better rule, when they were writing the HIPAA rule originally, and the Justice Department, according to this rumor, objected very strongly to it and the issue went to OMB to be resolved, the difference between the agencies, and OMB ruled in favor of the Department of Justice, and the issue was then appealed further to the White House and the White House, in resolving this, gave the Justice Department everything it wanted and then some. Gave it stuff it didn't even ask for. So I think this is an issue on which HHS - that was the Clinton administration.

I think HHS will be very hard pressed to change this rule, and I would suggest instead or in addition to asking for that, that this committee make recommendations to covered entities and to tell them this is what the rule says, but you are not required to turn information over, and that you can, on your own motion, say if you want to make - if you, Mr. Law Enforcement Official, want to make a request, you must make it in writing. You must have it signed by a supervisor - and perhaps I have exceptions for emergency circumstances where an instant request may make sense - and I would also suggest to covered entities that they have an internal procedure within the covered entity so that not every person within a hospital is authorized to turn information over to the cops, but there be a process whereby you have to talk to a supervisory official or a lawyer or somebody within the medical facility before information is turned out.

Institutions can do that right now on their own and have higher standards than HIPAA requires, and you don't need to change the regulation.

MR. ROTHSTEIN: Well, I think, in fact, many of them do.

And Mr. Williamson will comment on this and then -

MR. WILLIAMSON: Yes, I did want to jump in here.

First of all, I would like to reaffirm that I am with the DEA. I'm a Diversion Investigator, and I'm - I don't know how many law-enforcement people you have here, but inferring everything about law enforcement from talking to me would be a mistake, okay? I mean, I just know what I know.

But I would hope that we do not have to go to a judge or a magistrate to get types of information that we would routinely consider somehow third party. It would be a tremendous inefficiency. It would be very expensive, very problematic in the way we do business. I don't have any problem having supervisors to look for things. I don't think investigative prerogatives should be abused, and I do think that there should be safeguards, that the evidence should be thrown out, but in the world from beyond a reasonable doubt to probable cause to simple suspicion or whatever else, I mean, when you say you have to have evidence of something that means something to me, that police should not have to have evidence of something, because, by God, if you have evidence of something, you can indict them, you know, you can go forward with a reasonable suspicion or something lower like that. So I just wanted to kind of throw in my two cents pretty much with Bob, I guess.

MR. CALABRESE: If I might, just briefly, I mean, I don't want to touch on Bob's we-are-not-going-to-change-this, because that would be sad.

But I would just say also the standard could be higher as well, the standard for what type of information you are going to get and how you should get access to information, and, again, this is outside of the rule, but if that standard is violated in getting the information, the exclusionary rule should apply and we should urge courts to apply an exclusionary rule. I think that that's provided - that has proved to be an effective deterrent in the past in keeping law-enforcement officials from going and doing fishing expeditions, knowing that it is not going to be admissible in court.

MR. HOUSTON: I just had a comment. I mean, I think we're still - unfortunately, the gentleman from the National District Attorneys Association was not able to be here, and I think that we are sort of - I mean, though Mr. Williamson is here from the DEA, I think we are sort of still missing a perspective or two on this, and I think I would be interested in seeing if we could try to arrange some testimony, maybe a single panel, at some later date to help speak to some of the issues of the - you know, from the District Attorneys' side as well as maybe some other law-enforcement perspectives.

MR. ROTHSTEIN: Well, we did make - I believe - rather strenuous efforts to get additional witnesses from various law-enforcement community groups, professional groups, government agencies and the like, and they were all busy today, and so were unable to attend, but, clearly, we do need their input and will have an opportunity, I think, should the subcommittee or the committee come up with any recommendations that would affect their interests.

MR. HOUSTON: Not to minimize anything that was said here, I just - I think even if it could be done by some type of agreement to get some type of written statements in lieu of testimony, I think that would be important. I mean, I read through the one testimony from Mr. McCullough(?), and it might be helpful to at least get some thoughts from others, too.

MR. ROTHSTEIN: Well, just to remind the panelists and the subcommittee members and others that the purpose of this hearing today and the whole series of hearings is not to get the total body of information that exists on every problem. It's a way of generating some areas in which further fact finding is necessary to identify problem areas that individuals affected by the rule or other commentators want to address, and so I appreciate your statement.

MR. REYNOLDS: Nobody mentioned accounting for disclosures. Maybe, Mr. Gellman, you could - because my understanding of covered - if a covered entity releases information, other than for treatment, payment, healthcare operation, then they have to account for that as a disclosure, and I haven't heard that brought up. So I would - why wouldn't these administrative requests fall into that type of a category where you would notify the person that you have -

MR. GELLMAN: Well, an accounting for disclosure is not the same thing as notice to the person. An accounting for disclosure is simply a notation somewhere in a file that records have been disclosed. If the person asks for the record - for the record of the accounting, they may be entitled to get it.

Now, for law-enforcement disclosures, the law-enforcement agency can ask that the record of the accounting not be given out for a period of time. That has to be done in writing, under the rule. However, just in general, with respect to accounting for disclosures, there is, in the Privacy Act of 1974, a very comparable provision that applies across the board to disclosures and has been on the books and in effect since September of 1975, and I can tell you that an awful lot of federal agencies don't do it, and how much compliance there is with accounting for disclosures out there in the real world I really wonder about, and it's a very difficult thing to do -

MR. REYNOLDS: It is a difficult - right.

MR. WILLIAMSON: In our administrative subpoenas, we would ask them not to disclose for a period of time to track the intent of the law and also allow us to do our investigation.

MR. ROTHSTEIN: If there are no further questions from the members of the subcommittee, I want to thank the panel members for their excellent testimony.

Agenda Item: Public Comments

MR. ROTHSTEIN: According to our schedule, we were scheduled to take a break and then have public comments, but we only have one public commenter. So with the consent of the subcommittee, I would invite Kathryn Serkes to come to the table, give her remarks and then, following that, we will adjourn for the day.

Okay. So, please proceed, and you've got five minutes, as you know.

MS. SERKES: Pardon me?

MR. ROTHSTEIN: You've got five minutes, as you know.

MS. SERKES: Thank you.

I am Kathryn Serkes, S-E-R-K-E-S, for the Association of American Physicians and Surgeons.

Just to refresh all of your memory, APS was founded in 1943. It is a non-partisan professional association of physicians in all practices and specialties, dedicated to the protection of the sanctity of the patient-physician relationship.

We have also filed an amicus in the interest of disclosure. We have also filed an amicus brief in the State of Florida, urging the state to comply with its own laws in the Rush Limbaugh case as well.

I don't have any prepared statements. I would like to respond to some of the things that we have heard today, and specifically want to reiterate what we have heard from both Mr. Gellman and the ACLU in terms of the concerns that we have in the problems, and I don't need to review those, but we echo those same concerns, and I may be able to help you with some specific examples.

We are, indeed, particularly concerned about the administrative requests, the administrative subpoenas, the grand-jury subpoenas. This is a big problem, because, as you know, physicians - and, again, I am looking at the side of the individual physician, rather than the hospital, the institution - but the physicians are subject to state licensing, and because of the fraud investigations, in particular, are subject to these administrative investigations and administrative reviews. So this is where it is of particular concern for the physicians.

I will give you an example - I wanted to say something in the front as well, that even though, for example, we have filed in the Rush Limbaugh case, APS also filed an amicus brief supporting the partial-birth-abortion ban, but, in that case, for example, we do not agree with those who are opposing the disclosure of the records by the physicians who have filed objection to the ban that they are resisting disclosing the records, if those records can be - and, particularly, the judge used HIPAA as the reason for that, and we disagree with that. If the records can be identified, that is a different situation, where there is a civil suit and the parties who initiated the civil suit are not willing to reveal records, as opposed to being the subject of a federal investigation, for example. There is a clear distinction there, so that we were not always - it is not always an issue of no disclosure whatsoever, you know, and to make that very clear.

But let me tell you, for example, of how these administrative requests - and one of the areas that we have a great deal of experience, unfortunately, in the past year or so, is on the drug-diversion and the pain-management issue. APS has filed several amicus briefs in this, and we have several members who have been prosecuted by the Department of Justice, both at the state and federal level, but DEA sat in on a medical-licensure-board administrative hearing of a physician in Tucson, Arizona, and then they use the information - and that was without the knowledge or consent of either that physician or the physician's attorney - and the physician had no legal representation in that one, because it was an administrative proceeding. In fact, not all members of the state licensing board knew that the DEA was monitoring that, sitting in the other room watching - listening to that. The information obtained at that hearing was then used as part of the indictment against the physician, 160-something-count indictment against that physician. So that is a case where the administrative process is being invoked in a law-enforcement environment.

To respond to the prescription-drug monitoring, I get your newsletter, Mr. Rothstein, so I am familiar with all the work that you do in Kentucky. Kentucky is considered the gold standard of the prescription-drug monitoring, and yet Kentucky still continues to be the state with one of the biggest problems in drug diversions. So we are not seeing the correlation between the reporting and clamping down on the true diversion.

We have recently held a town meeting in Florida where that bill is being considered. There are some problems with that bill that have nothing to do with HIPAA. In fact, the state senate staff has already suggested and analyzed the bill and said that they believe that it will be found unconstitutional.

The problems with a prescription-drug bill like that, I think, as Mr. Gellman has pointed out, that this is moving to the surveillance society. That Senate bill, there is no control on who gets the information. The bill does not spell out who gets the information, who can receive the information in that database, nor does it control what data goes into that database, nor the duration, because you raised the issue of how this floats out there forever, and as you correctly raised, anyone getting a controlled substance, from an antidepressant to Tylenol 3, is going to be in this, who there's no suspicion of any wrongdoing on their part and yet they are into this database. So that people who are - by just the fact of receiving a prescription for a controlled substance then have given up part of their privacy rights in exchange for receiving a prescription. So we are making those into a different class of patients.

The physicians - you are talking about some of the problems - the gentleman from the DEA is talking about some of the problems that doctors are having, problems justifying their prescribing without being able to reveal the records, and that is correct.

The other hand in this is that physicians, in fact, are choosing to stop prescribing controlled substances because they are in a bind about being able to document their records and reveal patient records or withhold them and be subject to prosecutions or suspicion, and so many physicians have written letters and they just are not prescribing. So the chill is happening.

Then the other extreme is that some pain specialists are having patients sign contracts that say specifically that they have the right - that the physician can reveal their patient records to anyone that the doctor sees fit, and I have a copy of one of these contracts from a physician in Florida who specifically asks - now, one patient I know signed it, initialed it and asked him to delete it, but he is asking to be able to do it. So that is the other extreme. We have doctors going both ways, trying to figure out how to do this.

You talk about, too, the information flow, and doctors ratting on patients. Dr. Hasman(?), in Tucson, Arizona, who is just in the process of negotiating a plea deal and her sentencing will be in a month, I believe, she received an anonymous call saying that her patient - talk about doctor shopping - received an anonymous call that she had a patient who was diverting drugs, diverting controlled substances. That was one of the things that she was cited for in her indictment, that she should have reported that.

What is a doctor to do? What is a physician to do? An anonymous phone caller reporting drug diversion, is that enough to compel a physician to report patient medical records? We don't think so, but that's the bind. That's the bind.

The DE information flow - this is the dilemma. We can't figure out how to solve this either. We have come up with a program project called Communication and Cooperation, because, now, the information is flowing to law enforcement in one direction. Physicians are asked to report criminal activity as allowed in HIPAA, and, yet, the information doesn't come back to physicians, and you are concerned - the DEA has expressed concern about what can you disclose, what can be disclosed back to physicians, because perhaps the drug diversion could be stopped if the physicians knew who was under suspicion, what people were under suspicion of drug diversion, then the doctors could stop it and not write the prescriptions, but, in the meantime, the physicians are supposed to be putting the patient information out, but not getting anything back.

And, frankly, we have been working on state legislation, model legislation. We have worked with the pharmaceutical industry on writing the federal legislation on prescription-drug - and we have not come up with language that will work that we don't feel would compromise the privacy issues. This is a very difficult one, but I hope that some of these examples have helped you to understand how difficult this is that the law enforcement has created a chill. It is sending terror throughout the physician community, as well as patients.

We put out a packet of HIPAA FACS and one of the things that we have is a - Mr. Gellman mentioned something like ratting on - were doctors ratting. We put out a position that says you have the right to remain silent, anything you say can and may be used against you. We call it the Miranda Doc, is that to the point where every physician is going to have to put this poster up in his office that you have the right to remain silent when you come into this office, because what you say may be used against you. We had requests for about 40,000 of those posters from physicians.

So we are very concerned of the chill that this has had, and we are struggling, too, to figure out what is going to work to stop the drug diversion, in particular, in these issues.

Thank you very much. I appreciate the time.

MR. ROTHSTEIN: Well, thank you for your testimony, and I thought banking was difficult - (laughter) - and - well, that will give us something to chew on for this evening.

I want to remind everyone that we will begin at 8:30 tomorrow morning, and we have two panels on the topic of HIPAA and school records.

Thank you.

(Whereupon, the meeting adjourned at 3:17 p.m., to reconvene tomorrow, February 19, 2004.)